Resurrecting Duckling: A model for securing IoT devices


Introduction

This post is a continuation of a series of articles about IoT written by the Citrix Labs R&D associates.

The previous posts defined the workplace, described the role of the Internet of Things in Citrix software, identified many security challenges unique to the IoT, analysed the fundamentals of the information security "CIA" triad, and described a simple IoT framework with a device layer, a gateway layer and a service layer.

In this article, we examine two specific security models that can be used to build security directly into IoT devices. The memorably named "Resurrecting Duckling" model and the classic Biba security model provide a useful lens through which we can start to see the shape that secure IoT is taking.

For examples of the current state of IoT device security, consider the HP Research study of 10 popular (but unnamed) IoT devices, ranging from door locks to hubs that control multiple devices, which found that 0% of the devices collected personal data, 80% did not require strong passwords and 70% sent unencrypted data. Similarly, a researcher at Kaspersky Lab hacked his own IoT-enabled home and found over 14 vulnerabilities in 20 minutes, some as serious as an administrative root password of "1" and user data in readable configuration files.

The obvious conclusion reached in these reports is that for the Internet of Things to be fully realised, device security must be built into the equipment as its foundation. Security cannot be an afterthought that is added later. It is unacceptable to forgo security just because a device is an "entertainment" device that will be outdated and out of production in 12 months, because we all know that the equipment will remain in use in consumers' hands for years, even after the manufacturer has moved on.

The rest of this post reviews potential security models for protecting IoT devices and describes how Citrix's own Octoblu IoT platform implements them.

The Resurrecting Duckling security model

The name of the Resurrecting Duckling security model, first proposed by Frank Stajano, comes from the following metaphor. A duckling emerging from its egg will recognise as its mother the first moving object it sees that makes a noise, regardless of what it looks like. This phenomenon is called imprinting. After imprinting, the duckling will follow its mother's instructions and no one else's until its death. The metaphor is used to describe how IoT devices could implement secure, temporary connections over ad hoc networks.

When applied to the IoT, the "egg" is the factory-sealed box that encloses the device. When the device is removed from it and turned on, it recognises as its owner the first entity that sends it a secret key. This key may be a password, a UUID, a cryptographic key or even a biometric signature. Once the key is received, the device is "claimed": it is no longer newborn and will remain loyal to its owner until death. Device "death" is an important concept in this model, because it is how a device can change hands. Death is the only way to return the device to its prenatal state so that it can be imprinted by a new master.

Device death can be made to occur in certain scenarios, for example when a medical instrument is dropped into a disinfection container. Another scenario is a simple timeout, so that the device dies of "old age", which might suit rental equipment. Yet other devices will only die when instructed to do so by their owner (for example, if the device is lost, stolen or sold), so that only the current authorised user can transfer control of the device.

Below is a simple state diagram of the Resurrecting Duckling security model, summarising its four main principles.
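The life cycle just described (imprintable, imprinted, death by ageing or on the owner's order, resurrection) as an added toy model in Python; this is illustrative code written for this post, not Stajano's or Octoblu's implementation, and the `Duckling` class, its method names and the in-memory key store are assumptions:

```python
import hmac

class Duckling:
    """Toy IoT device following the Resurrecting Duckling life cycle.
    Hypothetical model, not Stajano's or Octoblu's code. States: "imprintable"
    (fresh from the egg, or resurrected after death) and "imprinted" (owned).
    """

    def __init__(self, lifetime_s=None):
        self.state = "imprintable"
        self._owner_key = None        # secret shared with the mother duck
        self._imprinted_at = None
        self.lifetime_s = lifetime_s  # optional ageing death, e.g. rental devices

    def imprint(self, secret_key: bytes, now: float) -> bool:
        """The first principal to present a key after (re)birth becomes the owner."""
        if self.state != "imprintable":
            return False              # already has a mother: refuse new masters
        self._owner_key = secret_key  # assumed to live in tamper-resistant storage
        self._imprinted_at = now
        self.state = "imprinted"
        return True

    def is_owner(self, key: bytes) -> bool:
        """Constant-time check so a wrong key leaks nothing about the right one."""
        return (self._owner_key is not None
                and hmac.compare_digest(self._owner_key, key))

    def tick(self, now: float) -> None:
        """Death by ageing: an expired rental device returns to the imprintable state."""
        if (self.state == "imprinted" and self.lifetime_s is not None
                and now - self._imprinted_at >= self.lifetime_s):
            self._die()

    def kill(self, key: bytes) -> bool:
        """Death on the owner's order (lost, stolen or sold); only the mother may order it."""
        if self.state == "imprinted" and self.is_owner(key):
            self._die()
            return True
        return False

    def _die(self) -> None:
        """Wipe the secret so a new master can imprint; nothing from the old life survives."""
        self._owner_key = None
        self._imprinted_at = None
        self.state = "imprintable"
```

Because each device holds its own key, a key recovered from one duckling does not let an attacker kill or re-imprint another, which is the isolation property the threat model below asks for.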

Following Multiple Masters

The mother/duckling relationship works well to illustrate securing personal devices with only one owner, but in the real world of the Internet of Things we expect many people to interact with the same device, as well as many devices to interact with each other. The imprinted duckling is faithful to its mother for its entire life, but it should also be happy to talk to others, and even to follow their direction, as long as the mother duck says it is okay to do so.

To accommodate this, the model is extended so that there are two different ways to be a master. The first is the long-term mother/duckling relationship that lasts for the life of the duckling. The second is a master/slave or peer-to-peer relationship that is temporary in nature, lasting only as long as necessary to complete a short transaction. The first type of relationship requires imprinting of the secret key, while the second does not.

Imagine the duckling as an IoT device with a number of properties that can be read and actions it can perform. The security model requires the IoT device to have policy rules for each of its functions, specifying the credentials a person (or other device) has to present in order to access specific properties and methods. These rules can grant or deny privileges to any of the possible device functions. A requirement of this model is that when a person or device presents the imprinting key to the device, it can upload new policy rules into it. Since these policies are critical to the safety of the equipment, they will most likely be created by the device manufacturer.

Different policies could be chosen for the device at different integrity levels, both public and private, or even as granular as per user. This creates the need for a multi-layer integrity model, i.e. the Biba security model, as illustrated below. This security model can be summarised by its three main properties:

  • The simple integrity property - data can be read from a higher integrity level
  • The star integrity property - data can be written to a lower integrity level
  • The invocation property - a user may not request service (invoke) from a higher integrity level

In this example, someone on the public interface with no credentials can read data from the device. However, the public interface cannot write data to a higher security level, nor can it call a function at a higher security level. Someone on the private interface can write data to, and call methods of, a lower security layer, but that higher security layer is not allowed to read data from the lower security layers.

A managing cloud service (the mother duck) makes it possible to carry out the special action of uploading a new policy to a duckling. Apart from that, any person or thing that can present the required credentials is permitted by the duckling's policy to launch an action. This enables peer-to-peer interaction between things without involving the mother duck.
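The per-function policy rules and the three Biba properties above, applied to a connected door lock with a public and a private interface, as an added example written for this post (not Octoblu's API or any vendor's code); the `Device` class, the property and method names and the two-level `PUBLIC`/`PRIVATE` scale are assumptions:

```python
import hmac

PUBLIC, PRIVATE = 0, 1   # integrity levels, low to high

class Device:
    """Toy connected door lock with Biba-style integrity levels per function.
    Hypothetical model of the post's per-function policy rules, not Octoblu's API.
    """

    def __init__(self, imprint_key: bytes):
        self._imprint_key = imprint_key   # delivered at imprinting, assumed secret
        self.policy = {}                  # function name -> integrity level
        self.properties = {"battery": 87, "access_log": []}
        self.methods = {"ring_bell": lambda: "ding", "unlock": lambda: "open"}

    def upload_policy(self, key: bytes, new_policy: dict) -> bool:
        """Only the holder of the imprinting key (the mother duck) may set policy."""
        if not hmac.compare_digest(key, self._imprint_key):
            return False
        self.policy = dict(new_policy)
        return True

    def read(self, subject_level: int, name: str):
        """Simple integrity property: read only from the same or a higher level."""
        lvl = self.policy.get(name)
        if lvl is None or lvl < subject_level:
            raise PermissionError(f"read {name} denied")
        return self.properties[name]

    def write(self, subject_level: int, name: str, value) -> None:
        """Star integrity property: write only to the same or a lower level."""
        lvl = self.policy.get(name)
        if lvl is None or lvl > subject_level:
            raise PermissionError(f"write {name} denied")
        self.properties[name] = value

    def invoke(self, subject_level: int, name: str):
        """Invocation property: call methods only at the same or a lower level."""
        lvl = self.policy.get(name)
        if lvl is None or lvl > subject_level:
            raise PermissionError(f"invoke {name} denied")
        return self.methods[name]()

def allowed(action, *args) -> bool:
    try:                     # True if policy permits the access, False if denied
        action(*args)
        return True
    except PermissionError:
        return False
```

Functions with no policy entry are denied by default, so a policy upload that forgets a function fails closed rather than open.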

Threat model for Resurrecting Ducklings

The secret key given to the device when imprinted is obviously the high-value target in this model. To protect the key during the onboarding process, it needs to be delivered through a channel that maintains confidentiality and integrity. Moreover, a degree of tamper resistance is also necessary, to make it suitably difficult and expensive to "murder" the device (maliciously restoring it to the imprintable state) without damaging it. In the same vein, the secret key must be made difficult to recover from the device so that it cannot be used for impersonation. Finally, the secret key should be unique to each device, so that if a single device is compromised, only the data on that device is at risk and not the entire network.

A perfect example of the need for tamper-resistant physical security is described in this article, where a security researcher hacked a connected light bulb to gain access to the Wi-Fi credentials. While tamper resistance is required to reduce this risk at the device layer, security capabilities at the higher layers are needed as well. For example, the gateway or cloud service in charge of issuing the secret key needs to do so in a secure way. It is a good idea to adopt a security posture that assumes you have already been hacked. Against this background, these layers should also use real-time analytics to identify the anomalous behaviour of potentially unauthorised devices.

Octoblu implements Resurrecting Duckling imprinting

In the Citrix Octoblu platform, the imprinting process is implemented by assigning a UUID and token to each IoT device running the Microblu OS. When they connect to the Octoblu cloud service, devices are authenticated with their UUID and token. If a device does not have an owner, it is in an unclaimed (imprintable) state. The device and its properties are discoverable by authenticated resources on the same network. The device can then be claimed (see the claim API). Once a device is claimed (imprinted), it is no longer visible to the public, only to the owner of the device.

Octoblu also gives you the option of further securing access to registered devices by configuring permissions with whitelists and blacklists. For each of the permissions stored in the device properties, a whitelist or a blacklist can be used. The lists contain the UUIDs of devices that are granted or denied communication with the secured device. Although this approach does not implement all the features of the Biba security model, it does require a device or person to present a secure token before it can access a particular function of the device.

Conclusion

An IoT system that is "secure by design" relies on devices that have had security features built in by the manufacturer from the very beginning. With security models such as Resurrecting Duckling and Biba as a guide, we can derive the following (although not complete) set of requirements for securing IoT devices:

  • Device identity and enrollment - use a secret key created at enrollment or onboarding to establish identity and a degree of trust between a specific device and the rest of the IoT system. A device that uses cryptography is more trustworthy than one that does not.
  • Imprinting - after establishing the device's identity, the IoT management system should place it in the claimed or imprinted state, restricting use of the device to a single administration. For example, suppose a homeowner enrolls a connected door lock in their IoT management service; after this is done, the lock should refuse enrollment in another IoT management service until the first service resets the claim. If it were not claimed, what would stop someone with malicious intent from finding a way to claim your lock and gain entry into your house?
  • Tamper evident / resistant - it must be easy to tell if a thing has been physically tampered with, and even if it has, it must be impractical to extract valuable information.
  • Isolation - if a single device in a network of things is compromised, only the data on that device should be in danger, not the entire network. This usually means avoiding symmetric group keys for encryption on the device.
  • Multi-layer integrity - to support multiple masters and peer-to-peer interactions, the device must have several layers of security, such as public interfaces open to all and private interfaces where authentication is required before the device will interact with the user or other device. The exchange of data between the different security levels must be carefully controlled to prevent contamination.
  • Software updates - this requirement is not explicitly written into the security models discussed in this post, but we all know that errors are found in software and exploited by those with malicious intent. Thus, to secure IoT devices (like the hacked bulb in the example above), there must be a framework to promote, distribute and install software updates that close security gaps after they are found. This is essentially a function of the higher layers of the IoT system, but devices must be upgradable in the field.

Even after meeting all the requirements listed here, device security can easily be compromised if the gateway or cloud service layers are not equally well protected.

Come back soon, because next time we will cover security models for the gateway and cloud service layers of the IoT framework.
