February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
Transcript of February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
John Burry, AWS Principal Solutions Architect
February 25, 2016
Best Practices for IoT Security in the Cloud
AWS IoT Security
All things around us are getting connected
Things will proliferate
(Chart: number of connected things in 2013, 2015 and 2020 across the Vertical Industry, Generic Industry, Consumer and Automotive segments, growing from Some to Lots to Many.)
Connected ≠ Smart

Internet 1985    IoT 2015
Gopher           HTTP
FTP              MQTT
NNTP             CoAP
Telnet           XMPP
Archie           AMQP
In reality, it is even more complex

Layer         Standards
Application   HTTP, MQTT, AMQP, CoAP, XMPP
Network       IPv4, IPv6, 6LoWPAN, ZigBee, Z-Wave, Insteon
Physical      Ethernet, CAN, USB, 802.11, Bluetooth, 802.15.4, SPI
A Simple Goal
"But my data isn't sensitive!"
Why do IoT at all? Changes happen in the real world!

The Risk
Changes happen in the real world, and those changes can be bad.
Requirements
- Secure Communications with Things
- Strong Thing Identity
- Fine-grained Authorization for:
  - Thing Management
  - Pub/Sub Data Access
  - AWS Service Access
The System
(Architecture diagram, built up over four slides: things on one side, AWS IoT in the middle, and the DynamoDB, Lambda and Kinesis services behind it.)
Network Traffic Is Complex

04:07:18.045065 IP 85.119.83.194.1883 > 10.0.0.67.51210: Flags [P.], seq 1586864891:1586864913, ack 820274045, win 227, options [nop,nop,TS val 2390025928 ecr 577393885], length 22
    0x0000:  4500 004a 3694 4000 2d06 639e 5577 53c2
    0x0010:  0a00 0043 075b c80a 5e95 a2fb 30e4 637d
    0x0020:  8018 00e3 66cd 0000 0101 080a 8e74 e6c8
    0x0030:  226a 54dd 3214 0007 666f 6f2f 6261 7200
    0x0040:  0454 656d 703a 2038 3346
Network Tools Are Up To It

MQ Telemetry Transport Protocol, Publish Message
    0011 0010 = Header Flags: 0x32 (Publish Message)
    0011 .... = Message Type: Publish Message (3)
    .... 0... = DUP Flag: Not set
    .... .01. = QOS Level: Acknowledged deliver (1)
    .... ...0 = Retain: Not set
    Msg Len: 20
    Topic: foo/bar
    Message Identifier: 1
    Message: Temp: 83F
Mutual Auth TLS
(Diagram, built up over three slides: the thing and AWS IoT each present a certificate, and each side verifies the other's before MQTT traffic flows inside the TLS session.)
Talking to Non-Things
(Diagram: non-thing clients, alongside DynamoDB, Lambda and Kinesis, reach AWS IoT with AWS Auth + TLS rather than a client certificate.)
One Service, Two Protocols

                  MQTT + Mutual Auth TLS    AWS Auth + HTTPS
Server Auth       TLS + Cert                TLS + Cert
Client Auth       TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP
Back To Certs and Keys

AWS-Generated Keypair: CreateKeysAndCertificate()
(Diagram, built up over three slides: AWS IoT generates the keypair and the certificate and hands both back to the caller.)

Actual Commands

$ aws iot create-keys-and-certificate --set-as-active
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
    },
    "certificateId": "d7677b0…SNIP…026d9"
}
Client Generated Keypair: CSR

Certificate Signing Request

    Dear Certificate Authority,
    I'd really like a certificate for %NAME%, as identified by the keypair with public key %PUB_KEY%. If you could sign a certificate for me with those parameters, it'd be super spiffy.
    Signed (Cryptographically),
    - The holder of the private key

Client Generated Keypair: CreateCertificateFromCSR(CSR)
(Diagram, built up over several slides: the client generates its own keypair, sends only the CSR to AWS IoT, and receives a signed certificate back; the private key is never transmitted.)
Actual Commands

$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)

$ openssl req -new -key ThingKeypair.pem -out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:[email protected]
Actual Commands

$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "certificateId": "b5a396e…SNIP…400877b"
}
Private Key Protection – Test & Dev

$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
.................................+++
e is 65537 (0x10001)

$ ls -l ThingKeypair.pem
-rw-rw-r-- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem

$ chmod 400 ThingKeypair.pem ; ls -l ThingKeypair.pem
-r-------- 1 ec2-user ec2-user 1679 Sep 25 14:10 ThingKeypair.pem
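The chmod above only helps if the software that later loads the key refuses to proceed when the mode has drifted back. The script below is an added example, not from the deck: it opens the key file, checks the mode and owner on the open descriptor (so the check applies to the file actually read, not to a path that could be swapped underneath), and accepts only the 0400 shown on the slide. It assumes a POSIX filesystem; the two temporary files it creates are constructed test input.

```python
"""Load a thing's private key only if its file permissions match the
chmod 400 shown above. Added example, not from the original deck; the
check assumes a POSIX filesystem and mirrors the refusal OpenSSH applies
to group- or world-readable identity files."""
import os
import stat
import tempfile
from typing import Dict, List


def mode_problems(st: os.stat_result) -> List[str]:
    """Findings for a private key file's stat result; empty means acceptable."""
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set (mode {mode:04o}); expected 0400")
    if mode & (stat.S_IWUSR | stat.S_IXUSR):
        problems.append(f"owner write/execute bits set (mode {mode:04o}); expected 0400")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    return problems


def load_private_key(path: str) -> bytes:
    """Open, check and read through one descriptor so the checked file is the one read."""
    # O_NOFOLLOW refuses a symlink planted in place of the key file.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        problems = mode_problems(os.fstat(fd))
        if problems:
            raise PermissionError(f"{path}: " + "; ".join(problems))
        return os.read(fd, 1 << 20)  # PEM keys are small; 1 MiB is a generous cap
    finally:
        os.close(fd)


def demo() -> Dict[str, List[str]]:
    """Write two throwaway key files with the modes from the slide and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("loose", 0o664), ("tight", 0o400)):
            path = os.path.join(d, f"{name}.pem")
            with open(path, "wb") as f:  # constructed placeholder, not a real key
                f.write(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
            os.chmod(path, mode)
            try:
                load_private_key(path)
                results[name] = []
            except PermissionError as e:
                results[name] = str(e).split(": ", 1)[1].split("; ")
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

`demo()` returns an empty finding list for the 0400 file and two findings for the 0664 one (the mode the slide's `ls -l` shows before the chmod). In a real thing, the same `load_private_key` would sit in front of whatever hands the key to the TLS library.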
Private Key Protection – Software Threats
- chroot
- SELinux
- OTP Fuses

Private Key Protection – Hardware Threats
- TPMs
- Smartcards
- Locks and Boxes
- FIPS-style hardware
Identity Revocation

$ aws iot list-certificates
{
    "certificateDescriptions": [
        {
            "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
            "status": "ACTIVE",
            "certificateId": "d7677b0…SNIP…026d9",
            "lastModifiedDate": 1443070900.491,
            "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
            "ownedBy": "123456972007",
            "creationDate": 1443070900.491
        }
    ]
}

$ aws iot update-certificate --certificate-id "d7677b0…SNIP…026d9" --new-status REVOKED

$ aws iot list-certificates
{
    "certificateDescriptions": [
        {
            "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
            "status": "REVOKED",
            "certificateId": "d7677b0…SNIP…026d9",
            "lastModifiedDate": 1443192020.792,
            "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
            "ownedBy": "123456972007",
            "creationDate": 1443070900.491
        }
    ]
}
Managing Things
(Diagram: an operator managing certificates through the AWS IoT control plane, with DynamoDB, Lambda and Kinesis behind it.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageCerts",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:CreateCertificateFromCsr",
                "iot:DescribeCertificate",
                "iot:UpdateCertificate",
                "iot:DeleteCertificate",
                "iot:ListCertificates"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

A narrower policy: one action, on one certificate, from one source address.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RevokeOneThing",
            "Action": [ "iot:UpdateCertificate" ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9",
            "Condition": {
                "IpAddress": { "aws:SourceIp": "192.168.42.54" }
            }
        }
    ]
}
Identity Federation
(Diagram: federated identities reaching AWS IoT, with DynamoDB, Lambda and Kinesis behind it.)
Data Access Control – AWS APIs
(Diagram: an API caller reading a thing's shadow through AWS IoT, with DynamoDB, Lambda and Kinesis behind it.)

{
    "Version":"2012-10-17",
    "Statement":[
        { "Effect":"Allow", "Action":[ "iot:Connect" ], "Resource":"*" },
        { "Effect":"Allow", "Action":[ "iot:GetThingShadow" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:thing/MyThing" ] },
        { "Effect":"Allow", "Action":[ "iot:Publish" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ] }
    ]
}
Mobile Users as Things
(Diagram: a mobile app, signed in through Cognito, treated as a thing by AWS IoT.)

The same policy with the thing name replaced by the Cognito identity policy variable, so one policy serves every user and each user can only reach their own shadow:

{
    "Version":"2012-10-17",
    "Statement":[
        { "Effect":"Allow", "Action":[ "iot:Connect" ], "Resource":"*" },
        { "Effect":"Allow", "Action":[ "iot:GetThingShadow" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:thing/${cognito-identity.amazonaws.com:aud}" ] },
        { "Effect":"Allow", "Action":[ "iot:Publish" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update" ] }
    ]
}
Data Access Control - MQTT
(Diagram: a thing publishing to and subscribing on its shadow topics through AWS IoT, with DynamoDB, Lambda and Kinesis behind it.)

Actual Commands

$ cat MyThingPolicy.json
{
    "Version":"2012-10-17",
    "Statement":[
        { "Effect":"Allow", "Action":[ "iot:Connect" ], "Resource":"*" },
        { "Effect":"Allow", "Action":[ "iot:Publish" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/MyThing/shadow/update" ] },
        { "Effect":"Allow", "Action":[ "iot:Subscribe", "iot:Receive" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/MyThing/shadow/*" ] }
    ]
}

$ aws iot create-policy \
    --policy-name MyThingPolicy \
    --policy-document file://MyThingPolicy.json
{
    "policyName": "MyThingPolicy",
    "policyArn": "arn:aws:iot:us-east-1:123456972007:policy/MyThingPolicy",
    "policyDocument": "...SNIP...",
    "policyVersionId": "1"
}

$ aws iot attach-principal-policy \
    --principal "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b" \
    --policy-name "MyThingPolicy"
Protocol Convergence

                  MQTT + Mutual Auth TLS    AWS Auth + HTTPS
Server Auth       TLS + Cert                TLS + Cert
Client Auth       TLS + Cert                AWS API Keys
Confidentiality   TLS                       TLS
Protocol          MQTT                      HTTP
Identification    AWS ARNs                  AWS ARNs
Authorization     AWS Policy                AWS Policy
Rules and Services
(Diagram: AWS IoT rules acting on a thing's messages and calling DynamoDB, Lambda and Kinesis through an IAM role.)

Actual Commands

$ cat ThingRoleTrustPolicy.json
{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Sid":"",
            "Effect":"Allow",
            "Principal":{ "Service":"iot.amazonaws.com" },
            "Action":"sts:AssumeRole"
        }
    ]
}

$ aws iam create-role \
    --role-name thing-actions-role \
    --assume-role-policy-document file://ThingRoleTrustPolicy.json
{
    "Role": {
        "AssumeRolePolicyDocument": …SNIP…
        "RoleId": "AROAIQ4HBGG7V7F27E32K",
        "CreateDate": "2015-09-27T16:29:56.438Z",
        "RoleName": "thing-actions-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456972007:role/thing-actions-role"
    }
}

$ cat ThingRolePolicy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DDBAccess",
            "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem" ],
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:us-east-1:123456972007:table/MyThingTable"
        }
    ]
}

$ aws iam create-policy \
    --policy-name thing-role-policy \
    --policy-document file://ThingRolePolicy.json
{
    "Policy": {
        "PolicyName": "thing-role-policy",
        "CreateDate": "2015-09-27T16:32:17.998Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAINCEAOD5EEXOLZWAI",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456972007:policy/thing-role-policy",
        "UpdateDate": "2015-09-27T16:32:17.998Z"
    }
}

$ aws iam attach-role-policy \
    --role-name "thing-actions-role" \
    --policy-arn "arn:aws:iam::123456972007:policy/thing-role-policy"
Building AWS Things

Industrial Example
(Diagram, built up over several slides: three parties, Manufacturer, Vendor and End User. The thing carries a Key Pair, a Certificate and an App; its certificate comes from CreateCertificateFromCSR(CSR), so the key pair is generated by the requester rather than by AWS.)

Consumer Example
(Diagram, built up over several slides: Manufacturer and Vendor first, with the End User joining last. The thing again carries a Key Pair, a Certificate and an App, here provisioned with CreateKeysAndCertificate().)
Claiming a Thing
(Diagram, built up over five slides: the new thing contacts service.awsthermostat.com and calls hello(); the end user's app signs in through Cognito (CognitoLogin); the policy below, with %COGNITO_ID% standing in for that user's Cognito identity, belongs to this claiming step.)

{
    "Version":"2012-10-17",
    "Statement":[
        { "Effect":"Allow", "Action":[ "iot:Connect" ], "Resource":"*" },
        { "Effect":"Allow", "Action":[ "iot:Publish" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/%COGNITO_ID%/shadow/update" ] },
        { "Effect":"Allow", "Action":[ "iot:Subscribe", "iot:Receive" ],
          "Resource":[ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/%COGNITO_ID%/shadow/*" ] }
    ]
}

Using a Thing

{
    "Version": "2012-10-17",
    "Statement": [
        { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": "*" },
        { "Effect": "Allow", "Action": [ "iot:Publish" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topic/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/update" ] },
        { "Effect": "Allow", "Action": [ "iot:Subscribe", "iot:Receive" ],
          "Resource": [ "arn:aws:iot:us-east-1:123456972007:topicfilter/$aws/things/${cognito-identity.amazonaws.com:aud}/shadow/*" ] }
    ]
}
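The policies on the Data Access Control, Mobile Users as Things, Managing Things and Using a Thing slides all rely on three mechanisms: IAM-style wildcards in resource ARNs, the `${cognito-identity.amazonaws.com:aud}` policy variable that scopes a shared policy to the calling identity, and (in RevokeOneThing) a source-IP condition. The evaluator below is an added example, not AWS code and not the real IAM decision engine; it implements just those three mechanisms for Allow statements and fails closed on anything else, which is enough to check by hand that the Using a Thing policy lets an identity reach only its own shadow topics. The Cognito identity values and the account, region and certificate id are the ones from the slides or constructed placeholders.

```python
"""Simplified evaluator for the AWS IoT and IAM policy documents on these slides.
Added example, not AWS code and not the real IAM engine: it handles Allow
statements, IAM-style '*' and '?' wildcards in actions and resources, the
${cognito-identity.amazonaws.com:aud} policy variable from "Using a Thing", and
the IpAddress/aws:SourceIp condition from "RevokeOneThing". Deny, NotAction and
every other condition operator are deliberately left out and fail closed."""
import fnmatch
import ipaddress
from typing import Dict, List, Optional

ACCOUNT, REGION = "123456972007", "us-east-1"   # values used on the slides
COGNITO_VAR = "${cognito-identity.amazonaws.com:aud}"


def iot_arn(kind: str, name: str) -> str:
    """Build an AWS IoT resource ARN, e.g. iot_arn('topic', 'foo/bar')."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{name}"


# Policy from the "Using a Thing" slide, re-typed here as constructed input.
USING_A_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [iot_arn("topic", f"$aws/things/{COGNITO_VAR}/shadow/update")]},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"],
         "Resource": [iot_arn("topicfilter", f"$aws/things/{COGNITO_VAR}/shadow/*")]},
    ],
}

# RevokeOneThing policy from the "Managing Things" slide (cert id as on the slide).
REVOKE_ONE_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RevokeOneThing",
        "Action": ["iot:UpdateCertificate"],
        "Effect": "Allow",
        "Resource": iot_arn("cert", "d7677b0…SNIP…026d9"),
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.42.54"}},
    }],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Only the IpAddress operator is implemented; anything else fails closed."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            return False
        for key, allowed in pairs.items():
            source = ctx.get(key)
            if source is None:
                return False
            networks = [ipaddress.ip_network(a, strict=False) for a in _as_list(allowed)]
            if not any(ipaddress.ip_address(source) in n for n in networks):
                return False
    return True


def is_allowed(policy: Dict, action: str, resource: str,
               ctx: Optional[Dict[str, str]] = None) -> bool:
    """True if some Allow statement matches the action, resource and conditions."""
    ctx = ctx or {}
    identity = ctx.get("cognito-identity.amazonaws.com:aud", "")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        for pattern in _as_list(stmt["Resource"]):
            if COGNITO_VAR in pattern:
                # An unresolved variable must not widen into a wildcard, and the
                # substituted identity has to be matched literally, not as a glob.
                if not identity or any(c in identity for c in "*?["):
                    continue
                pattern = pattern.replace(COGNITO_VAR, identity)
            if fnmatch.fnmatchcase(resource, pattern):
                return True
    return False
```

With a constructed identity `us-east-1:1111aaaa-0000-4000-8000-000000000001` in the context, `is_allowed` grants `iot:Publish` on that identity's `shadow/update` topic and refuses the same action on another identity's topic or on an unrelated topic such as `foo/bar`; with no identity in the context the variable never resolves and nothing but `iot:Connect` is granted. For RevokeOneThing, `iot:UpdateCertificate` passes only for the one certificate ARN and only when `aws:SourceIp` is 192.168.42.54.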
Summary
- Two Secure Protocols: MQTT with mutual-auth TLS, and HTTPS with AWS Auth
- Bootstrapping Identity: CreateKeysAndCertificate(), or a CSR with CreateCertificateFromCSR(CSR)
- Flexible, Consistent Access Control: the same AWS policies across AWS IoT, DynamoDB, Lambda and Kinesis

Thank you!