Authentication and Identity Management: About Security and Things | Avnet Silica

Authentication and Identity Management: About Security and Things


Do you know where your data sets go to? More specifically, do you know who knows? Strong authentication and identity management will play an increasingly crucial role as companies and organizations move toward the goal of a totally connected world.

An increasing number of Things are being connected today and we are heading toward a world where everything that benefits from being connected will be connected. The Internet of Things (IoT) makes big promises about the new services and applications it can offer us. New use cases will emerge over time as Things get connected and we realize all the benefits we can get out of them.

At the same time, we also need to see technical advances in order to reach the full potential of IoT. Connecting Things means that we want them to communicate but, for this to happen, the Things need mechanisms to exchange data and they should understand each other – they should have some kind of common language.


Identity management is an important aspect of IoT.
Bengt Sahlin, Ericsson

 

The technical term used is semantic interoperability. Semantic interoperability is getting increased attention today, and there are ongoing efforts to enable it. As an example, a workshop was recently arranged by the Internet Architecture Board (IAB) to discuss semantic interoperability in the harmonization of information and data models.

Individual Things have very different natures and, hence, also have different characteristics, such as computational capabilities and power restrictions. All these different characteristics need to be taken into account when designing the mechanisms for building communication networks of the future.

 

Basic Mechanisms

Not surprisingly, many standardization organizations are working on improving the technology needed for IoT. For example, the Internet Engineering Task Force (IETF) has specified basic mechanisms for use on the Internet and it is working on improving these procedures and on specifying new ones to meet future communication demands. For IoT, for example, the hypertext transfer protocol (HTTP) can be used for communication but, for Things with more restricted resources, another lightweight alternative has been specified, the constrained application protocol (CoAP). In the 3rd Generation Partnership Project (3GPP), there are radio technologies being developed and enhanced called Extended Coverage GSM (EC-GSM), Narrowband Internet of Things (NB-IoT), and Long-term Evolution Machine Type Communication (LTE-M). A couple of main characteristics of these new systems are improved, extended coverage and energy efficiency.

To enable the full potential of IoT, it should go without saying that security and privacy also need to be handled well. Identity management is an important aspect of IoT. Every Thing needs an identity so that it can be recognized and to ensure that communication is running between the correct devices.

There are many good security systems available to protect the integrity and confidentiality of communications and to enforce and handle identity management. For the HTTP and CoAP protocols, Transport Layer Security (TLS) and Datagram TLS (DTLS) can be used to protect the communication. New protocols for application layer security, such as Object Security of CoAP (OSCoAP) and Ephemeral Diffie-Hellman Over COSE (EDHOC), are being developed to support end-to-end security as well as the application of CoAP in new IoT settings. These protocols are based on the Concise Binary Object Representation (CBOR) encoded message syntax, which is expected to become an important standard for compact secure messages.

There is also a need for access control, to make sure that the Things are only performing actions requested by authorized entities. For example, any given Thing in a house should only be accessed by devices or systems appointed by the homeowners, not the neighbors or any unsanctioned devices. A lightweight, open authorization framework suitable for IoT is being built as an offshoot from the widely deployed web framework OAuth 2.0.

Acknowledging the wide variety of IoT deployments, this framework allows the definition of profiles adapted to different communications standards, such as HTTP, CoAP, and Bluetooth, and security specifications, such as TLS, DTLS, and OSCoAP. 3GPP has defined its own security mechanisms for protecting its radio communications. Technical details of these systems are given in Technical Specifications 43.020, 33.102, and 33.401, which appear in the list maintained by 3GPP’s SA3 security working group.
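The access-control idea above, where a Thing acts only for parties the homeowner's authorization server has approved, can be sketched as follows. This is an added example, not code from the article or from any framework it names: JSON with HMAC-SHA256 stands in for the CBOR-based formats mentioned, and the key, the claim names (`sub`, `aud`, `scope`, `exp`) and the function names are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the authorization server and the Thing.
AS_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, client, audience, scope, lifetime_s, now=None):
    """Authorization server side: bind client, target Thing, scope and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": client, "aud": audience, "scope": scope,
              "exp": int(now + lifetime_s)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def authorize(key, token, thing_id, action, now=None):
    """Thing side: return (allowed, reason); integrity is checked before parsing."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims.get("aud") != thing_id:      # token was issued for another Thing
        return False, "wrong audience"
    if now >= claims.get("exp", 0):        # stale grants stop working
        return False, "expired"
    if action not in claims.get("scope", []):
        return False, "action not in scope"
    return True, "ok"
```

A token minted with any other key, replayed against a different Thing, or used for an action outside its scope is rejected before the device does anything.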

 

Authentication and Identity Management: Automated Setup

Another important aspect to consider is how to set up the security when a Thing is connected to a network. As many Things are expected to be connected, it is desirable that the setup should be automated as much as possible and, if human intervention is needed, ought to be as easy as possible.

One example of automated setup is Ericsson NomadicLab’s work on digital signage. Printed advertising signs are giving way to electronic displays, wirelessly fed by cloud-based services. The display screens need to be correctly configured and authorized before the HTML5 advertising content can be shown. The NomadicLab researchers are working on how making these connections can be deskilled through the use of mobile phone cameras and QR codes.

In addition to providing communication system security, it is also important to secure the devices themselves. Many of the Things that are getting connected were not originally designed for IoT use and it is important to ensure that connecting any device will not increase the risk of malicious access. IoT manufacturers may also lack experience and expertise in the area of data communication.

Augmented Operations: Ericsson’s DevOps framework for efficient deployment and operations of NFV-based services enables elastic router configuration to dynamically expand or reduce its capacity.

 

One of the early successes for consumer IoT implementation is the connected home concept, especially for lighting control. Even though these were engineered to connect to a smartphone app over Wi-Fi, there are numerous accounts by security experts of vulnerabilities being exploited. In 2014, David Bryan and Daniel Crowley, security researchers at Trustwave, documented how lights in a house in Oregon could be switched on and off by a stranger in San Francisco. Hacks like this have awakened the connected home suppliers to security issues but, even today, these still happen far too often.

The security industry needs to continue helping the IoT community by raising awareness of the need for robust security and by providing the security frameworks that will be a cornerstone in the success of building an Internet of Things capable of safely connecting billions of devices.
