
CIS14: Identifying Things (and Things Identifying Us)


Published on

Paul Madsen, Ping Identity
Discussing a security and identity model for things that does not make the existing password problem orders of magnitude worse (perhaps using identity protocols like OAuth and OpenID Connect), and how our things might facilitate our own interactions with applications.

Published in: Technology

CIS14: Identifying Things (and Things Identifying Us)

  1. IDENTITY IN THE IOT – THEIRS AND OURS. Paul Madsen, Office of the CTO
  2. (image slide, no text)
  3. Agenda: 1. Things – their identities; 2. Things – our identities
  5. What does it mean for a thing to have an identity?
     • Things will have attributes that distinguish them from other things
     • Things will have means to prove to other things that they a) belong to a class of things or b) are a particular thing
     • Things will have means to verify that other things a) belong to a class of things or b) are a particular thing
     • Things will be provisioned with certain attributes at origin but over time may add additional attributes
     • Things have a finite lifetime, at the end of which some portions of their identity may need to be cancelled
     • In their 50s, things will have an identity crisis – divorce their spouse, join a gym and buy a sports car.
  6. You (mostly) can’t have security without identity
  7. Security: Authentication, Identity, Confidentiality, Audit
  8. Things will operate on behalf of ….
  9. Things will operate on behalf of …: Gym, Track, Beer keg, Cars, Bridge
  11. How do we give users meaningful control over their things and their ability to operate on their behalf? 1. Initial authorization 2. Ongoing visibility 3. Eventual revocation
  12. Copyright © 2013 Ping Identity Corp. All rights reserved.
  13. How are passwords working out for us?
  14. Password anti-pattern: sites ask YOU for your GOOGLE password so they can access your Google stuff.
  15. Tsk tsk!
     • Client must store passwords
     • Teaches users to be indiscriminate with their passwords
     • More difficult to move to multi-factor and federated authentication
     • Doesn’t support granular permissions, e.g. X can read but not write
     • Doesn’t support knowledge/differentiation of the access granted
     • Doesn’t support (easy) revocation – to be sure of turning off access users must change password
  16. Tokens instead of passwords
     • Rather than clients using passwords on their API messages, token authentication models have the client first exchange the password for a token and then use tokens on subsequent messages
     • Token can represent the authorized combination of client and user
     • Advantages – allows for granular consent; revocable; no need to store passwords on device/thing
     • OAuth 2.0 and OpenID Connect 1.0 are the key standards
  17. (Diagram: numbered message flow, steps 1–5, between user, thing, and applications)
  18. (Same diagram, with three of the legs labelled “OAuth/Connect”)
  19. (Same diagram, with two further legs labelled “OAuth/Connect?”)
  20. State of the art? IoT protocols: MQTT, CoAP. Security: TLS/DTLS, passwords
  21. Binding OAuth to MQTT
     • Paul Fremantle has been exploring using OAuth access tokens on MQTT messages as an alternative to passwords (as the MQTT spec now supports)
     • An Arduino obtains an OAuth token from an authorization server and then uses it on the Connect message
     • http://www.slideshare.net/pizak/securing-the-internet-of-things
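The token-for-password exchange on slides 15–16, the user controls on slide 11 (initial authorization, ongoing visibility, eventual revocation) and the MQTT binding on slide 21 can be shown end to end. The following is an added example, not code from the deck, from Ping Identity or from Paul Fremantle's work: a thing presents an access token in the password field of an MQTT 3.1.1 CONNECT packet, and a broker-side check validates the token before admitting the connection. The token format (HMAC-signed JSON claims), the shared signing key, the username value `oauth`, and the client and user names are all constructed assumptions; a real deployment would use a JWT or the authorization server's introspection endpoint rather than a shared key.

```python
"""Added example (not from the slides): an OAuth-style access token carried in
the password field of an MQTT 3.1.1 CONNECT packet and checked by the broker."""
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed key shared by the authorization server and the broker (assumption;
# a real deployment would use JWT signatures or token introspection instead).
AS_KEY = b"constructed-authorization-server-key"
REVOKED = set()  # token ids the user has revoked (slide 11: eventual revocation)


def _mqtt_str(s: bytes) -> bytes:
    """Length-prefixed string, as MQTT encodes every string field."""
    return struct.pack("!H", len(s)) + s


def _remaining_length(n: int) -> bytes:
    """MQTT variable-length encoding of the fixed header's remaining length."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def issue_token(client_id, user, scope, ttl, now=None):
    """Authorization server: mint a token bound to one client + user with a scope."""
    now = time.time() if now is None else now
    jti = hashlib.sha256(f"{client_id}{user}{now}".encode()).hexdigest()[:16]
    claims = {"jti": jti, "client_id": client_id, "sub": user, "scope": scope, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(AS_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig


def revoke_token(token):
    """User or admin revokes a grant; the broker refuses the token from now on."""
    body = token.partition(b".")[0]
    REVOKED.add(json.loads(base64.urlsafe_b64decode(body))["jti"])


def encode_connect(client_id, token, keep_alive=60):
    """Thing: build CONNECT with the token in the password field (no password stored)."""
    flags = 0b11000010  # username + password present, clean session
    var_header = _mqtt_str(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
    payload = _mqtt_str(client_id.encode()) + _mqtt_str(b"oauth") + _mqtt_str(token)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connect(packet):
    """Broker: decode the CONNECT fields; username/password are optional per spec."""
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    i = 1
    while packet[i] & 0x80:  # continuation bit: more remaining-length bytes follow
        i += 1
    i += 1

    def read_str():
        nonlocal i
        n = struct.unpack("!H", packet[i:i + 2])[0]
        i += 2
        s, i = packet[i:i + n], i + n
        return s

    if read_str() != b"MQTT" or packet[i] != 4:
        raise ValueError("unsupported protocol")
    flags = packet[i + 1]
    keep_alive = struct.unpack("!H", packet[i + 2:i + 4])[0]
    i += 4
    fields = {"client_id": read_str().decode(), "keep_alive": keep_alive}
    if flags & 0x04:  # will flag set: skip will topic and will message
        read_str(); read_str()
    if flags & 0x80:
        fields["username"] = read_str().decode()
    if flags & 0x40:
        fields["password"] = read_str()
    return fields


def verify_token(token, now=None):
    """Broker: check signature, expiry and revocation; return (claims, reason)."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(b".")
    expected = hmac.new(AS_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None, "expired"
    if claims["jti"] in REVOKED:
        return None, "revoked"
    return claims, "ok"


def authorize_connect(packet, now=None):
    """Broker: admit CONNECT only with a valid token bound to the connecting client."""
    fields = parse_connect(packet)
    if fields.get("username") != "oauth" or "password" not in fields:
        return False, "no token presented", None
    claims, reason = verify_token(fields["password"], now)
    if claims is None:
        return False, reason, None
    if claims["client_id"] != fields["client_id"]:
        return False, "token not bound to this client", None
    return True, "ok", claims
```

The scope claim is what gives the broker "granular consent": it can limit the session to, say, publishing telemetry rather than subscribing to everything, and because the thing never holds the user's password, revoking the token (or letting it expire) cuts access without a password change.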
  22. Agenda: 1. Things – their identities; 2. Things – our identities
  23. Authentication Taxonomy. Copyright © 2014 Ping Identity Corp. All rights reserved. (Grid: Initiation – Active/explicit, Passive/implicit – against Once, Continuous, Sampling)
  24. Authentication Taxonomy (same grid). Active/explicit examples: Password, OTP, mobile, fingerprint, voice
  25. Somethings are changing (Diagram: the mix of Know / Have / Are factors, with an arrow labelled Trend)
  26. Have and have nots: RSA SecurID, wallet cards etc., USB tokens
  27. Authentication Taxonomy (same grid). Active/explicit examples: Password, OTP, mobile, fingerprint, voice. Passive/implicit examples: IP address, geo-location
  28. Explicit giving way to implicit (Diagram: Explicit factors vs Implicit factors, with an arrow labelled Trend)
  29. The things that we more and more surround ourselves with can enable ‘continuous authentication’
  30. Authentication Taxonomy (full grid). Active/explicit examples: Password, OTP, mobile, fingerprint, voice. Passive/implicit examples: IP address, geo-location; keystroke, EKG, voice, proximity, transactional
  31. Continuous authentication modes: identify the gait; recognize the face; listen to the voice; sense how user holds phone; measure pushup pace …. Demands local sensors
  32. My things thank your things for their attention
