Internet DRAFT - draft-tschofenig-ace-overview
draft-tschofenig-ace-overview
Network Working Group H. Tschofenig
Internet-Draft ARM Ltd.
Intended status: Best Current Practice February 14, 2014
Expires: August 18, 2014
Authentication and Authorization for Constrained Environments (ACE):
Overview of Existing Security Protocols
draft-tschofenig-ace-overview-00.txt
Abstract
This document surveys existing three party authentication and
authorization protocols for use with Internet of Things use cases.
The discussed protocol frameworks are Kerberos, OAuth, ABFAB, and the
certificate model. The aim is to understand whether any of the
available standardized security protocols are re-usable for
constrained environments. A future version of this document will
provide a more detailed analysis against the requirements.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Tschofenig Expires August 18, 2014 [Page 1]
�
Internet-Draft ACE Overview February 2014
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Introduction
[I-D.seitz-ace-usecases] introduces a number of use cases that
require device-to-device authentication whereby both devices may be
constrained. [I-D.ietf-lwig-terminology] discusses the different
types of constraints of these devices.
This document aims to raise the high-level question about the
possible re-use of existing three party authentication and key
exchange protocols for use in IoT environments. This version of the
document does not aim to map requirements derived from the use cases
against these protocols. Such a detailed analysis is premature at
this point when use case descriptions are still in flux.
The starting assumption for the architectures in this document is
that a device (a client) wants to access some resource (referred as
service in this document). It unfortunately does not have any
relationship with the server offering that service. Figure 1 shows
the scenario graphically.
+-----------+ no prior +-----------+
| Client | relationship | Service |
| | | |
+-----------+ +-----------+
Figure 1: Two Party Scenario.
Imagine that the client is a light-switch and the service is a light-
bulb.
Today, companies solve this case by using a pairing protocol (at the
link layer typically) where the two devices execute a special
imprinting/pairing protocol to establish an initial key by using out-
of-band (OOB) channel. This OOB channel can come in many forms:
o Using an alternative communication channel, such as a USB stick,
Ethernet cable
o Human involvement by comparing hashed keys, entering passkeys,
scanning QR codes
o Second wireless connectivity (e.g., infrared)
Tschofenig Expires August 18, 2014 [Page 2]
�
Internet-Draft ACE Overview February 2014
o Proximity-based information
The pairing is a suitable approach where wireless communication
replaces a wired communication technology previously used. For
example, a headset connected to a music player using a wired
connection is replaced with the wireless version. Not all use cases
do, however, allow users to pair their device with other devices
upfront. Consider an enterprise with electronic door locks. It is
hard to imagine an employee who has to pair their digital key with
every door in the building first before they use the system.
Requiring every device to pair with every other device upfront is
often inconvenient or not feasible. Hence, this document does not
explore pairing solutions further. To offer an improved user
experience with better scalability properties a device might either
share credentials with some trusted third party. There are various
ways how credentials can be shared with these trusted third parties.
For example, credentials may be provisioned during the manufacturing
process or devices may have been paired with the trusted third party
(in case the trusted third party is local to the user). In fact,
today is it very common for IoT devices to have at least credentials
pre-provisioned for use with the vendor / manufacturer of the device
to allow software updates to be provided securely.
Thus, we move to a model where the device (client) shares some
credentials with a trusted third party. This trusted third party
does not need to be a server on the Internet; ideally it could also
be operated locally within someones' home, within an enterprise, or
within a factory.
This three party architecture is shown in Figure 2.
Tschofenig Expires August 18, 2014 [Page 3]
�
Internet-Draft ACE Overview February 2014
+-----------+
| Trusted |
+--------------------------->|Third Party|
| Key +-----------+
| ^
| |
| |
| | Key
| |
| |
| |
v v
+-----------+ no prior +-----+-----+
| | relationship | |
| Client | <..................>| Service |
+-----------+ +-----------+
Figure 2: Three Party Scenario.
This three party architecture and messaging pattern has been explored
with prior IETF work and this document lists the most relevant
efforts (on a high level).
The goal of the communication exchange is that the client has been
authorized to access the service, and is able to secure the exchange
of information. The client and the service may, optionally, possess
keying material for future use of the service with the benefit of
better performance for future interactions.
Note: This document does not aim to cover the use cases in their
entirety. First, we assume that the security protocol interaction
for link layer authentication is outside the scope. The focus of
this document is on the application layer interactions when accessing
services. Second, this document does not survey access control
policy languages and mechanisms for managing these access control
policies. These policies are important since many of the systems
described below only provide an answer to the question 'Who is the
holder of this key?' and standards for answering the question 'Can
this key be used for this purpose?' (authorization) are often
realized in a proprietary way.
While Figure 1 shows three parties the protocols described in
Section 2 have been generalized to four or even multi-party scenario.
The result is shown in Figure 2.
Tschofenig Expires August 18, 2014 [Page 4]
�
Internet-Draft ACE Overview February 2014
+-----------+ +-----------+
| Trusted | Agreement w/key | Trusted |
| Third |<-------------------->| Third |
| Party A | | Party B |
+-----------+ +-----------+
^ ^
| |
| Key | Key
| |
| |
| |
| |
v v
+-----------+ no prior +-----+-----+
| | relationship | |
| Client | <..................>| Service |
+-----------+ +-----------+
Figure 3: Generalization of Three Party Scenario.
2. Three Party Security Frameworks
This section introduces four authentication and authorization
frameworks standardized in the IETF. The description is
intentionally kept at a high level and a reader is encouraged to
consult the referenced documents for details and various options
these protocols offer. The terminology with each of these protocols
is lightly different and appropriate mappings have been applied.
To demonstrate the level of maturity of these frameworks availability
of products, source code, and deployment experience is mentioned for
each of these frameworks. Note, however, that this experience does
not imply suitability for use with the IoT environment.
2.1. Application Bridging for Federated Access Beyond Web Architecture
This section describes the Application Bridging for Federated Access
Beyond Web architecture [I-D.ietf-abfab-arch], which builds on the
Authentication, Authorization and Accounting (AAA) framework. The
AAA framework re-uses the Extensible Authentication Protocol (EAP)
[RFC5247] and EAP methods for the authentication protocol
capabilities. A detailed description of the AAA keying framework can
be found in [RFC5247].
Tschofenig Expires August 18, 2014 [Page 5]
�
Internet-Draft ACE Overview February 2014
+--------------+
| Identity |
| Provider |
| (IdP) |
+-^----------^-+
* EAP o RADIUS
* o
* o
+-------------+ +-v----------v--+
| | | |
| Client | EAP/EAP Method | Relying |
| |<****************>| Party |
| | GSS-API | |
| |<---------------->| |
| | Application | |
| | Data | |
| |<================>| |
+-------------+ +---------------+
Terminology Mapping:
- The term 'Relying Party' corresponds to the 'service'.
- The term 'Identity Provider' corresponds to the
'trusted third party'.
Figure 4: ABFAB Architecture.
With the message exchange shown in Figure 4 the client wants to
obtain access to a service and starts interacting with that service.
Since no prior relationship between the client and the service is
assumed the EAP message exchanges is relayed by the service and the
EAP server component of the IdP. Between the client and the service
these EAP payloads are encapsulated within the GSS-API. After a
successful authentication and authorization session keys are
delivered from the IdP to the service and can then be used to secure
the application layer data exchange between the client and the
service.
While the use of EAP and the AAA architecture has mostly found use
for network access authentication the work on ABFAB applies this
architecture to application layer services.
Pros:
o Re-uses existing protocols: RADIUS, GSS-API, EAP, EAP methods.
Tschofenig Expires August 18, 2014 [Page 6]
�
Internet-Draft ACE Overview February 2014
o Security properties of the AAA / EAP framework well studied and
large deployments of the AAA framework exist.
o Products and open source code exists for EAP, EAP methods, RADIUS,
and the GSS-API. The extensions needed for ABFAB also have been
implemented but they are less mature compared to the EAP/AAA
deployment.
o Large range of EAP methods available offering all possible
authentication and key exchange protocols for authentication
between the client and the AAA server. These mechanisms have been
deployed and are in widespread use today. While many EAP methods
have been standardized only a few are in widespread use in non-IoT
environments. However, there are many (open source)
implementations available such that further experience concerning
IoT suitability can be gathered.
o IoT devices might use the AAA/EAP architecture for network access
authentication (e.g., WLAN-based, IEEE 802.15.4-based ZigBee-IP
deployments).
o The AAA framework also supports authentication in a federated
environment.
o Authorization information is conveyed within RADIUS (and
potentially in SAML assertions, as envisioned by ABFAB).
Cons:
o The initial authentication and authorization exchange requires
real-time interaction between the AAA server and the service.
o Deployments have so far used this architecture mainly for network
access and for specific applications (VoIP) only. Experience with
other applications, as ABFAB envisions, is rather limited.
o ABFAB architecture uses layering of EAP within the GSS-API, which
adds additional overhead. A binding for the transport of EAP
payloads in CoAP, for example, does not exist.
o No unified authorization policy language has been defined for the
AAA/EAP architecture. Instead, RADIUS attributes carry
information about access control decisions.
Tschofenig Expires August 18, 2014 [Page 7]
�
Internet-Draft ACE Overview February 2014
2.2. Kerberos
Kerberos [RFC4120] is authentication system for distributed
environments that has enjoyed deployment for more than three decades.
The security properties have been extensively studied and various
implementations exist.
+----------------+
| Authentication |
| Server (AS) |
+----------------+
^ /
Request / /
Ticket / /
/ /Ticket
/ /{SK}C-KDC
/ /
/ /
/ /
/ v
+-----------+ +-----------+
| | Ticket + Authenticator | |
| Client |---------------------------->| Server |
| |<===========================>| |
+-----------+ Application Data +-----------+
Terminology Mapping:
- The term AS corresponds to the 'trusted third party.'
- The term Server corresponds to the 'service'.
Figure 5: Kerberos.
The Kerberos exchange shown in Figure 5 illustrates a client who
wants to get access to a server. It first has to interact with the
Authentication Server (AS) to request a ticket. In response, the AS
provides a ticket, which is a data structure encrypted with a key
known only between the server and the AS. This ticket includes
information about the client, a session key (SK) for later use, and
various other security relevant information elements. The client
also obtains the session key encrypted with a key it shares with the
AS.
When a service access is required then the client interacts with the
server and presents the ticket along with an Authenticator. The
Authenticator demonstrates that the client was able to decrypt the
session key with the key it shares with the AS and that it was able
Tschofenig Expires August 18, 2014 [Page 8]
�
Internet-Draft ACE Overview February 2014
to apply this key to compute a keyed message digest over several
fields, including a time-stamp, when accessing the service. The
time-stamp avoids replay attacks.
Pros:
o Re-uses existing protocol: Kerberos
o Security properties well studied and large deployments exist.
o Products and open source service exist.
o Most parts of Kerberos, particularly the ticket concept, are
designed with symmetric key cryptography, which improves
performance. The Kerberos ticket is consequently fairly small and
uses a binary encoding.
o Kerberos also supports cross-realm authentication for scalable
deployments.
o Kerberos also specifies a UDP-based transport.
o The message exchanges between the client and the service can be
tailored to the need of the application.
Cons:
o Each ticket is only usable for a single service (intentionally).
As such, new tickets have to be requested whenever the client
wants to access a new service or when the ticket expired.
o For the authentication between the client and the KDC a limited
number of authentication protocols have been specified.
o Kerberos uses ASN.1 for encoding of the ticket and various
messages. This may increase implementation complexity but the
binary encoding is more efficient than other encodings, like XML
or JSON.
o No standardized access control policy has been standardized for
inclusion inside a ticket. Proprietary policies are, however,
used in real-world deployments.
o A CoAP binding for the KRB_PRIV and the KRB_SAFE message exchanges
used to secure application data between the client and the service
have not been defined.
Tschofenig Expires August 18, 2014 [Page 9]
�
Internet-Draft ACE Overview February 2014
2.3. OAuth
The OAuth protocol is a recent development for the Web, which re-uses
the Kerberos interaction pattern with influences from the Web /
mobile app space. It initially aimed to solve the problem of
delegated access to protected resources where websites asked users to
share their long-term password. Over time OAuth has been used in
other use cases that require delegated access.
+-------------+
|Authorization|
|Server (AS) |
+-------------+
^ /
Request / /
Access / /
Token / /Access Token
/ /
/ /
/ /
/ /
O / v
/|\ +-----------+ +-----------+
| -----> | | Access Token | Resource |
/ \ <----- | Client |----------------->| Server |
Resource | |<================>| (RS) |
Owner +-----------+ Application Data +-----------+
Terminology Mapping:
- The term AS corresponds to the 'trusted third party'.
- The term RS corresponds to the 'service'.
Figure 6: Simplified OAuth Architecture.
Figure 6 shows the high-level OAuth message exchange. The canonical
OAuth example allows a web user (resource owner) to grant a printing
service (client) access to her private photos stored at a photo
sharing service (resource server), without sharing her username and
password. Instead, she authenticates directly with the authorization
server which issues the printing service delegation-specific
credentials.
Pros:
Tschofenig Expires August 18, 2014 [Page 10]
�
Internet-Draft ACE Overview February 2014
o Re-uses existing protocols: OAuth Core [RFC6749], OAuth Bearer
Token [RFC6750] OAuth MAC Token [I-D.ietf-oauth-v2-http-mac]/ HOTK
[I-D.tschofenig-oauth-hotk], JWT [I-D.ietf-oauth-json-web-token].
o Large deployments in the Web environment exist, which use the
OAuth Bearer Token.
o Products and open source service exist.
o OAuth is flexible with regard to the used cryptography. A
standardized format for the access token has been described with
the JSON Web Token (JWT). For security protection of the JWT
various specifications from the JOSE working group are available.
o The message exchanges between the client and the service can be
tailored to the need of the application. Bindings are available
for HTTPS and SASL [I-D.ietf-kitten-sasl-oauth].
o With regard to the offered security mechanism the interaction
between the client and the resource server gives several choices:
The OAuth Bearer Token requires a TLS exchange between the client
and the resource server. The MAC Token specification is
conceptually similar to Kerberos; a version based on asymmetric
cryptography exists as well (see HOTK).
Cons:
o For an environment with more than one authorization server or
where the authorization server is located in a different domain
than the resource server the standardization work is still in
progress. Efforts have mostly be done in Kantara with the User-
Managed-Access (UMA) working group.
o A binding for CoAP does not exist for the client to authorization
server nor for the client to resource server.
o The OAuth architecture does not standardize the authentication
procedure of the resource owner to the authorization server
itself. This is a common approach for the Web environment where a
number of different authentication protocols are in use in the
browser. As such, the protocol works with any authentication
mechanism.
2.4. Certificate Model
Prior work on the Public Key Infrastructure, certificate formats,
certificate extensions, and various certificate management protocols
can be re-used in the IoT context. With respect to the use cases
Tschofenig Expires August 18, 2014 [Page 11]
�
Internet-Draft ACE Overview February 2014
described in [I-D.seitz-ace-usecases] certificates may be short-lived
and might need to contain attributes (which may be used for making
access control decisions) rather than purely relying on the identity
of users and their devices.
For the purpose of dynamic provisioning short-lived certificates,
this document envisions to re-use a subset of the functionality
offered by protocols like the Certificate Management over CMS (CMC)
[RFC5272], the Certificate Management Protocol (CMP) [RFC4210], the
Simple Certificate Enrollment Protocol [I-D.nourse-scep],
Certification Request Syntax Standard - PKCS#10 [RFC2315] (with TLS
or with PKCS#7 [RFC2986] ). While these protocols offer slightly
different features, on a high-level the all fulfill the same
function. Note that the management of trust anchors may be provided
by a different protocol, such as Trust Anchor Management Protocol
(TAMP) [RFC5934].
Of course, certificates do not necessarily need to be short-lived and
could even be provisioned during the manufacturing process and never
changed during the lifetime of the device. The drawback of such an
approach is, however, that mechanisms for certificate revocation have
to be provided. Furthermore, privacy concerns might be arise since
the same client certificate content will be shown to every service
rather than information that is only relevant for a specific purpose.
+-------------+
|Certification|
| Authority |
+-------------+
^ /
Request / /
(Short) / /
Lived / /(Short) Lived
Cert / / Certificate
/ /
/ /
/ /
/ v
+-----------+ +-----------+
| | DTLS with certificate | |
| | or app layer msg w/cert | |
| Client |---------------------------->| Service |
| |<===========================>| |
+-----------+ Application Data +-----------+
Figure 7: Certificate Model.
Tschofenig Expires August 18, 2014 [Page 12]
�
Internet-Draft ACE Overview February 2014
Pros:
o Re-uses existing protocols: DTLS (or application protocol), CMP/
CMC/PKCS#10/SCEP, specifications (certificate format - RFC 6818
[RFC6818]), and concepts (PKI).
o Large deployments on the Web and with enterprise system exist.
o Products and open source code exists.
o The certificate format offers flexibility in terms of content.
New extensions have been defined over time.
o Certificates can be used with DTLS without any additional
modifications. Certificates can also used with application
security mechanisms.
o Authorization information may be placed in an extension of a
public key certificate or in a separate attribute certificate
[RFC3281]. Earlier work on KeyNote [RFC2704]could be re-used as
it provides a more flexible authorization policy language.
o A single certificate can be used with a number of different
services.
o Various PKI management protocols have been defined and they offer
some flexibility. The properties vary on the specific use cases.
Cons:
o The certificate format and the PKI management protocols use ASN.1.
o No UDP or CoAP transport is defined for CMC/CMP/SCEP. For PKCS#10
no transport is defined at all.
o The public key infrastructure only focuses on asymmetric
cryptography. A separate body of work is available for
provisioning symmetric keys (like one-time-keys), such as the
Portable Symmetric Key Container (PSKC) [RFC6030] and Dynamic
Symmetric Key Provisioning Protocol (DSKPP) ([RFC6063]).
o Protocols for certificate enrollment are in use but many
deployments use their own strategy for distributing certificates
(typically long-lived) to their users.
o Asymmetric cryptography is computationally more expensive than
symmetric cryptography but offers additional security benefits.
Tschofenig Expires August 18, 2014 [Page 13]
�
Internet-Draft ACE Overview February 2014
3. Conclusion
Several existing protocols can be used to meet the use cases outlined
in [I-D.seitz-ace-usecases]. Each technology presented here offers a
number of possibilities for profiling to make them work on for
constrained devices. Despite the range of available security
protocols, the use cases suggest that there is a need to profile and
to extend those in order to make them fit for the constrained
environment.
The right choice of authentication and authorization protocol will
heavily depend on the envisioned usage environment.
It is, however, also worth noting that several aspects that are not
discussed in this document although they appear as requirements in
the use case document, namely
o a language for describing access control policies,
o the encoding of these policies, and
o the container for associating these policies with keying material.
4. Security Considerations
This entire document is about security.
5. IANA Considerations
This document does not require any actions by IANA.
6. Acknowledgements
The author would like to thank Stefanie Gerdes for her review
comments.
7. Informative References
[I-D.ietf-abfab-arch]
Howlett, J., Hartman, S., Tschofenig, H., Lear, E., and J.
Schaad, "Application Bridging for Federated Access Beyond
Web (ABFAB) Architecture", draft-ietf-abfab-arch-10 (work
in progress), December 2013.
[I-D.ietf-kitten-sasl-oauth]
Mills, W., Showalter, T., and H. Tschofenig, "A set of
SASL Mechanisms for OAuth", draft-ietf-kitten-sasl-
oauth-12 (work in progress), December 2013.
Tschofenig Expires August 18, 2014 [Page 14]
�
Internet-Draft ACE Overview February 2014
[I-D.ietf-lwig-terminology]
Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained Node Networks", draft-ietf-lwig-terminology-06
(work in progress), December 2013.
[I-D.ietf-oauth-json-web-token]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token-15 (work in
progress), January 2014.
[I-D.ietf-oauth-v2-http-mac]
Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth
2.0 Message Authentication Code (MAC) Tokens", draft-ietf-
oauth-v2-http-mac-05 (work in progress), January 2014.
[I-D.nourse-scep]
Pritikin, M., Nourse, A., and J. Vilhuber, "Simple
Certificate Enrollment Protocol", draft-nourse-scep-23
(work in progress), September 2011.
[I-D.seitz-ace-usecases]
Seitz, L., Gerdes, S., and G. Selander, "ACE use cases",
draft-seitz-ace-usecases-00 (work in progress), February
2014.
[I-D.tschofenig-oauth-hotk]
Bradley, J., Hunt, P., Nadalin, A., and H. Tschofenig,
"The OAuth 2.0 Authorization Framework: Holder-of-the-Key
Token Usage", draft-tschofenig-oauth-hotk-03 (work in
progress), January 2014.
[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", RFC 2315, March 1998.
[RFC2704] Blaze, M., Feigenbaum, J., Ioannidis, J., and A.
Keromytis, "The KeyNote Trust-Management System Version
2", RFC 2704, September 1999.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
November 2000.
[RFC3281] Farrell, S. and R. Housley, "An Internet Attribute
Certificate Profile for Authorization", RFC 3281, April
2002.
Tschofenig Expires August 18, 2014 [Page 15]
�
Internet-Draft ACE Overview February 2014
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
[RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen,
"Internet X.509 Public Key Infrastructure Certificate
Management Protocol (CMP)", RFC 4210, September 2005.
[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible
Authentication Protocol (EAP) Key Management Framework",
RFC 5247, August 2008.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, June 2008.
[RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
Management Protocol (TAMP)", RFC 5934, August 2010.
[RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container (PSKC)", RFC 6030, October 2010.
[RFC6063] Doherty, A., Pei, M., Machani, S., and M. Nystrom,
"Dynamic Symmetric Key Provisioning Protocol (DSKPP)", RFC
6063, December 2010.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012.
[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 6818, January 2013.
Author's Address
Hannes Tschofenig
ARM Ltd.
110 Fulbourn Rd
Cambridge CB1 9NJ
Great Britain
Email: Hannes.tschofenig@gmx.net
URI: http://www.tschofenig.priv.at
Tschofenig Expires August 18, 2014 [Page 16]
