Post on 04-Jan-2016
description
How much Security for Switching a Light Bulb –The SOA Way
Sebastian Unger,Stefan Pfeiffer, Dirk Timmermann
University of Rostock, Germany
Institute of Applied Microelectronics and Computer Engineering
Motivation
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 2
Q: What will you get from this presentation (or from reading the paper)?
Motivation
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 3
Motivation
Q: What will you get from this presentation (or from reading the paper)?
A: Introduction to problems with security for distributed embedded devices
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 4
Agenda
• Introductive scenario and derived key
features
• State of the art and problem statements
• Outlook
• Conclusion
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 5
Scenario: Light Bulbs – The classical approach
light bulbs
switches
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 6
Scenario: Security Key Features
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 7
Scenario: Security Key Features
Authenticity
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 8
Scenario: Security Key Features
Authenticity
Integrity
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 9
Scenario: Security Key Features
Authenticity
Integrity
Confidentiality
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 10
Scenario: Security Key Features
Authenticity
Integrity
Confidentiality
Authorization
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 11
Scenario: Security Key Features
Authenticity
Integrity
Confidentiality
Authorization
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 12
Scenario: Light Bulbs – The IoT approach
light bulbs
switches
SOA engine
digitalSTROM-module
SOA engine
PLC-module
Internet /LAN
SOA engine
smart-phone
SOA engine
PC
SOA engine
IoT wall-switch
ZigBEE
digitalSTROMIEEE 802.15.4
PLC
WiFi
Ethernet
6LoWPAN-module
SOA engine
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 13
Scenario: Security Key Features IoT
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 14
Scenario: Security Key Features IoT
Seemless integration of new devices, includes negotiation of suitable authentication
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 15
Scenario: Security Key Features IoT
Seemless integration of new devices, includes negotiation of suitable authentication
Securely remove devices from network
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 16
Scenario: Security Key Features IoT
Seemless integration of new devices, includes negotiation of suitable authentication
Securely remove devices from network
Let participants gather security information about each other
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 17
Scenario: Security Key Features IoT
Seemless integration of new devices, includes negotiation of suitable authentication
Securely remove devices from network
Let participants gather security information about each other
Plus: all this across different trust domains
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 18
Scenario: Security Key Features IoT
Seemless integration of new devices, includes negotiation of suitable authentication
Securely remove devices from network
Let participants gather security information about each other
Plus: all this across different trust domains
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 19
Problem Statement
Development of (new) security concepts is cumbersome and expensive
Technology designers tend to fall back on existing security techniques (even, if they are not ideal)
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 20
Terminology
What are those techniques and why are the not ideal?
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 21
MAC Layer Security
subnet subnet
Same key for everyone
- or -
Different key for everyone
MACLayer
Security ≙router
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 22
IP Sec
Transport ModeTunnel Mode
subnet subnet
routernode IPSec Gateway
IPSec is complex!
Vendor A Vendor B
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 23
Transport Layer Security (TLS aka. SSL)
TLS
PHYMAC
Internet
TransportApplication
TCP!
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 24
Conclusion Network Stack Security
• Existing basic security mechanisms not ideal for embedded
devices
• Solve single aspects only and are not suitable for embedded
devices
Security should be covered on application layer
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 25
Cooltown[1] Amigo[2]
Hydra/Linksmart[3]
PEIS[4]
SM4ALL[5]
ubiSOAP(PLASTIC)[6]
PECES[7]
MundoCore[9]
GREEN[8]
Gaia[10]
MobiPADS[11]
iCOCOA[12]PACE[13]
Cooltown[1]
PEIS[4]
SM4ALL[5]MundoCore[9]
GREEN[8]MobiPADS[11]
iCOCOA[12]PACE[13]
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 26
Application Layer Security: Academic Reserach Projects
Conclusion Application Layer Security
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 27
• Security often not considered at all
• If considered, then…
… employed technologies not suitable for embedded devices
… only single issues solved
No interoperability between approaches
Web Services
WS-Security Suite
Do not reinvent the wheel
Instead:
• Find existing solution from different domain
• isolate core concepts
• develop methodology to transport core
concepts to domain of embedded devices
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 28
Outlook: Future Work
Web ServicesDevices Profile for
WS-Security SuiteDevices Profile for
Do not reinvent the wheel
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 29
Outlook: Future Work
• Communication technology for distributed systems
• Base technology (Web Services) already adapted to embedded
devices (DPWS)
• WS Security suite offers all requested core features (message and
connection level security, trust and authorization brokering, …)
• Abstract Web Services to create security concept for any service-
oriented communication technology
• Open technology fosters interoperability
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 30
Future Work in Detail
• Although often employed, existing basic technologies
(IPSec, TLS, …) not ideal
• Many approaches on application layer security exist but
• they often solve single aspects only
• are not interoperable
Future WS Compact Security has the potential to form a basis for an
interoperable security concept for distributed embedded devices
(disregarding the base technology)
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 31
Conclusion
Bibliography (1)
[1] Barton, John; Kindberg, Tim: The Cooltown User Experience / Hewlett Packard Laboratories Palo Alto. 2001. Technical
Report
[2] IST Amigo Project: Ambient Intelligence for the networked home environment (Project Description). September 2004
[3] Eisenhauer, M.; Rosengren, P.; Antolin, P.: A Development Platform for Integrating Wireless Devices and Sensors into
Ambient Intelligence Systems. SECON Workshops 2009
[4] Saffiotti, A. et al.: The PEIS-Ecology Project: vision and results. In: IEEE/RSJ Int. Conf. on Intelligent Robots and
Systems (IROS). 2008
[5] Baldoni, R.: An Embedded Middleware Platform for Pervasive and Immersive Environments for-All. SECON
Workshops 2009
[6] PLASTIC Consortium: A B3G Service Platform: The IST PLASTIC Projects. Technical Report
[7] Handte, M. et al.: D4.1 Secure Middleware Specification - Version 1.4 / Peces - Pervasive computing in embedded
systems. 2010. Technical Report
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 32
Bibliography (2)
[8] Sivaharan, T et al.: GREEN: A Configurable and Re-Configurable Publish-Subscribe Middleware for Pervasive
Computing. In: Building 3760 LNCS (2005)
[9] Aitenbichler, M. et al.: MundoCore: A Light-weight Infrastructure for Pervasive Computing. In: Pervasive and Mobile
Computing (2007)
[10] Román, M. et al.: Gaia: a middleware platform for active spaces. In: SIG-MOBILE Mob. Comput. Commun. Rev. 6
(2002)
[11] Chan, A.; Chuang, S.-N.: MobiPADS: A Reflective Middleware for Context-Aware Mobile Computing. In: IEEE Trans.
Softw. Eng. 29 (2003)
[12] Ben Mokhtar, S et al.: COCOA: COnversation-based service COmposition in pervAsive computing environments with
QoS support. In: Journal of Systems and Software 80 (2007)
[13] Henricksen, K. et al.: Middleware for Distributed Context-Aware Systems. In: On the Move to Meaningful Internet
Systems 2005: CoopIS, DOA, and ODBASE
[14] Ellison, C.: UPnP Security Ceremonies Design Document.
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 33
Thank you!
Any questions?
Thank you very much for your attention!
08/30/2012 Sebastian Unger – University of Rostock – sebastian.unger@uni-rostock.de 34