
The Future of Authentication for IoT

The rapid expansion of the Internet of Things has fostered convenience and connectedness for consumers. It has also opened the door for creative hackers. Recently, hackers used hundreds of thousands of common internet-connected devices in consumers' homes, without the owners' knowledge, to launch a DDoS attack that temporarily brought down crucial parts of the internet's infrastructure.

Past attacks have shown that passwords on IoT devices provide insufficient security. Additionally, most IoT devices are too constrained, in hardware and in user interface, to implement biometric user verification themselves.

The question then becomes how to authenticate to such devices, and whether the industry can adopt a standardized approach despite a highly fragmented IoT landscape. This presentation by Rolf Lindemann of Nok Nok Labs explores how FIDO Authentication can provide convenient and strong authentication in an array of IoT use cases.

The Future of Authentication for IoT

  1. THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS. FIDO ALLIANCE WEBINAR, MARCH 28, 2017. All Rights Reserved | FIDO Alliance | Copyright 2017
  2. INTRODUCTION TO THE FIDO ALLIANCE. Andrew Shikiar, Senior Director of Marketing. March 28, 2017
  3. THE FACTS ON FIDO. The FIDO Alliance is an open, global industry association of 250+ organizations with a focused mission: authentication standards based on public key cryptography to solve the password problem. Today, its members provide the world's largest ecosystem for standards-based, interoperable authentication: 300+ FIDO Certified solutions, available to protect 3 billion+ user accounts worldwide.
  4. DRIVEN BY 250 MEMBERS. Board of Directors comprised of leading global brands and technology providers, plus sponsor members, associate members and liaison members.
  5. WHY FIDO? The world has a password problem. Security: 63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon 2016 Data Breach Report); 65% increase in phishing attacks over the number of attacks recorded in 2015 (Anti-Phishing Working Group); there were 1,093 data breaches in 2016, a 40% increase from 2015 (Identity Theft Resource Center, 2016). Usability: for users, passwords are clumsy, hard to remember and need to be changed all the time. (Chart: passwords rated weak on security and poor on usability.)
  6. WHY FIDO? OTPs improve security but aren't easy enough to use, and are still phishable: SMS reliability, token necklace, user confusion, still phishable. (Chart: OTPs rated stronger than passwords on security but poor on usability.)
  7. THE WORLD HAS A "SHARED SECRETS" PROBLEM
  8. WE NEED A NEW MODEL
  9. HOW ARE WE DOING IT? Ecosystem, standards, deployments, user experience.
  10. HOW OLD AUTHENTICATION WORKS. Online connection: the user authenticates themselves online by presenting a human-readable "shared secret".
  11. HOW FIDO AUTHENTICATION WORKS. Local connection: the user authenticates "locally" to their device (by various means). Online connection: the device authenticates the user online using public key cryptography.
  12. SIMPLER AUTHENTICATION. Reduces reliance on complex passwords; single gesture to log on; same authentication on multiple devices; works with commonly used devices; fast and convenient.
  13. STRONGER AUTHENTICATION. Based on public key cryptography; no server-side shared secrets; keys stay on device; no 3rd party in the protocol; biometrics, if used, never leave the device; no linkability between services or accounts.
  14. FIDO, A NEW PARADIGM: authentication that is STRONGER & SIMPLER. (Chart: FIDO rated strong on security and easy on usability.)
  15. FIDO-ENABLED APPS + SERVICES. 3 billion accounts worldwide available to protect.
  16. BUT WAIT…
  17. THE WORLD HAS AN IOT SECURITY PROBLEM
  18. WE NEED A NEW AUTHENTICATION MODEL FOR CONNECTED USERS & DEVICES
  19. THANK YOU. Andrew Shikiar, Sr. Director of Marketing, andrew@fidoalliance.org
  20. THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS. Rolf Lindemann, Nok Nok Labs. (Cartoon caption: "Thanks to this app you can maneuver the new Forpel using your smartphone! Too bad it's not my car.")
  21. What's the challenge? (Figure; source: HP Enterprise, IoT Home Security Systems.)
  22. Context. Secure firmware protects one "healthy" part from infected parts. Strong authentication makes sure only legitimate entities get access (the focus of today's presentation). Both need a strong foundation, e.g. a CPU supporting ARM TrustZone, Intel SGX, etc.
  23. Scope. (Diagram: cloud services and devices.)
  24. Scope. Cloud services. "Primary interaction" devices, i.e. devices (a) which we typically have in our possession and (b) that have a user interface: addressed by FIDO & W3C Web Authentication, not the core focus of this talk. Devices that are not primary interaction devices, e.g. smart light bulbs, WIFI routers, smart fridges, smart thermostats, connected cars, smart door locks, …
  25. Primary Interaction Devices. Primary interaction devices have the capability to verify the user through their user interface. They can connect to another device or to a cloud service. They can implement a FIDO Authenticator, allowing the user to strongly and conveniently authenticate to devices or cloud services. Trusted Execution Environments and/or Secure Elements add security.
  26. Scope: user to standalone devices (focus of this talk).
  27. Scope: user to cloud-connected devices, with cloud services (focus of this talk).
  28. Scope: device-to-device authentication and device-to-cloud authentication, with cloud services.
  29. Background. (Diagram: perimeter, Internet, an infected device, and attacks on the other IoT devices.)
  30. Background. (Image.)
  31. Attack Scenarios. (1) Exploit firmware vulnerabilities: TrustZone for ARMv8-M provides protection layers that help keep attacks local to one software module ("enclave"); not in focus of this talk. (2) Enter at the front door: impersonate the user. We need strong authentication to protect against such attacks; this is our focus. (The diagram also shows legitimate authentication.)
  32. User to Device Authentication
  33. User to Device interaction: a device without keyboard and display?
  34. User to Device interaction, IoT device without keyboard and display. The user needs some computing device with a user input interface and display. (1) Security: that device could be infected, so users don't want to reveal bearer tokens (like passwords, etc.) to it. (2) The IoT device only "sees" some other device, not a user. How can the IoT device know whether there is a user and whether the other device is trusted? Convenience: devices want to support arbitrary user verification methods, e.g. PINs, fingerprint, face, … with limited computing power.
  35. … did we see that before? Device, TLS / DTLS or other secure channel. See https://fidoalliance.org/events/fido-alliance-seminar-hongkong/
  36. User to Device Authentication. Authenticator with user verification; FIDO Authentication requires a user gesture before the private key can be used; the private key is dedicated to one app. Challenge -> (signed) response. The IoT device holds the public key.
  37. First Authenticator Registration (example). (1) IoT device in factory default settings state. (2) Press "register button". (3) Start registration process (for first authenticator).
  38. Standalone Devices. User to standalone devices: smart light bulbs, WIFI router, …
  39. Devices with Cloud Dependency. User to cloud-connected devices: rental cars, door locks, parcel lockers, thermostats, … Cloud dependency: we want the cloud service to be able to grant access to the device to a specific user. But: do not rely on a stable internet connection at time of access.
  40. How does it work with central authorization infrastructure? Parties: mobile app (FIDO stack, SDK), cloud service, device. 0. (OOB) Inject trust anchor into the device. 1. Traditional FIDO registration with the cloud service (one-time). 2. Traditional FIDO authentication to the cloud service. 3. Cloud service returns a signed JWT with PoP (FIDO UAuth) public key (see RFC 7800).
  41. How does it work with central authorization infrastructure? (Same flow as slide 40, showing the JWT from step 3; the payload is the example claims set from RFC 7800.)
      JOSE header: {"kid":"1e8gfc4","alg":"ES256"}
      JOSE payload:
      {
        "iss": "https://server.example.com",
        "aud": "https://client.example.org",
        "exp": 1361398824,
        "cnf": {
          "jwk": {
            "kty": "EC",
            "use": "sig",
            "crv": "P-256",
            "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
            "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"
          }
        }
      }
      JWS signature: computed by the cloud service over header and payload.
  42. How does it work with central authorization infrastructure? Steps 0 to 3 as on slide 40, then 4. FIDO authentication to the device, with the signed JWT carrying the PoP (FIDO) public key as additional data.
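The four steps of slides 40 to 42 can be exercised end to end in a short program. The Go code below is an added example, not code from the presentation or from Nok Nok Labs: the cloud service issues an ES256-signed JWT whose RFC 7800 cnf.jwk is the user's FIDO public key, and the device, holding only the cloud's public key injected out of band (step 0), validates the token offline and then demands a signature over a fresh challenge with that key (step 4). The device id https://lock-42.example.org, the issuer https://server.example.com, the function and type names and the exact claim checks are assumptions for illustration; the FIDO authentication to the device itself is reduced to the sign callback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// Claims of the slide's token: iss, aud, exp and the RFC 7800 "cnf" claim carrying the PoP key as a JWK.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Cnf struct {
		Jwk struct {
			Kty string `json:"kty"`
			Crv string `json:"crv"`
			X   string `json:"x"`
			Y   string `json:"y"`
		} `json:"jwk"`
	} `json:"cnf"`
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func pad32(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }

// ES256 as JWS defines it: SHA-256 digest, signature serialised as fixed-width r||s (64 bytes), not ASN.1.
func es256Sign(priv *ecdsa.PrivateKey, input []byte) []byte {
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest(input)) // error only on RNG failure
	return append(pad32(r), pad32(s)...)
}

func es256Verify(pub *ecdsa.PublicKey, input, sig []byte) bool {
	return len(sig) == 64 && ecdsa.Verify(pub, digest(input), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// Step 3, cloud side: bind the authenticated user's FIDO public key to one device (aud) for a limited time.
func issueAccessToken(cloudKey *ecdsa.PrivateKey, iss, aud string, exp time.Time, popKey *ecdsa.PublicKey) string {
	var c claims
	c.Iss, c.Aud, c.Exp = iss, aud, exp.Unix()
	c.Cnf.Jwk.Kty, c.Cnf.Jwk.Crv = "EC", "P-256"
	c.Cnf.Jwk.X, c.Cnf.Jwk.Y = b64.EncodeToString(pad32(popKey.X)), b64.EncodeToString(pad32(popKey.Y))
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(es256Sign(cloudKey, []byte(input)))
}

// The IoT device (assumed name). Its only trust material is the cloud's public key, injected out of band (step 0).
type iotDevice struct {
	id, issuer  string // expected aud and iss
	trustAnchor *ecdsa.PublicKey
}

// Step 4: validate the token offline (key and algorithm pinned, the JWS header is never consulted), then
// demand a signature over a fresh challenge with the PoP key. sign stands in for the phone-side FIDO step.
func (d *iotDevice) grantAccess(token string, now time.Time, sign func(challenge []byte) []byte) error {
	hdr, rest, _ := strings.Cut(token, ".") // header.payload.signature; missing parts fail the checks below
	pl, sigB64, _ := strings.Cut(rest, ".")
	var c claims
	sig, errS := b64.DecodeString(sigB64)
	payload, errP := b64.DecodeString(pl)
	switch {
	case errS != nil || !es256Verify(d.trustAnchor, []byte(hdr+"."+pl), sig):
		return errors.New("token signature invalid")
	case errP != nil || json.Unmarshal(payload, &c) != nil:
		return errors.New("malformed payload")
	case c.Iss != d.issuer || c.Aud != d.id:
		return errors.New("token not from our cloud service or not issued for this device")
	case now.Unix() >= c.Exp:
		return errors.New("token expired")
	}
	xb, errX := b64.DecodeString(c.Cnf.Jwk.X)
	yb, errY := b64.DecodeString(c.Cnf.Jwk.Y)
	pop := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if c.Cnf.Jwk.Kty != "EC" || c.Cnf.Jwk.Crv != "P-256" || errX != nil || errY != nil || !pop.Curve.IsOnCurve(pop.X, pop.Y) {
		return errors.New("cnf.jwk is not a valid P-256 key")
	}
	challenge := make([]byte, 32) // fresh per attempt, so a recorded response cannot be replayed
	rand.Read(challenge)
	if !es256Verify(pop, challenge, sign(challenge)) {
		return errors.New("proof of possession failed: token holder lacks the FIDO private key")
	}
	return nil
}

func main() {
	cloudKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cloud service signing key
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // user's FIDO key for the cloud RP (step 1)
	lock := &iotDevice{id: "https://lock-42.example.org", issuer: "https://server.example.com", trustAnchor: &cloudKey.PublicKey}
	tok := issueAccessToken(cloudKey, lock.issuer, lock.id, time.Now().Add(time.Hour), &userKey.PublicKey)
	fmt.Println("access:", lock.grantAccess(tok, time.Now(), func(ch []byte) []byte { return es256Sign(userKey, ch) }))
}
```

Because the device verifies with a pinned key and a pinned algorithm, nothing in the token's header is trusted, and the token on its own grants nothing: whoever presents it must also prove possession of the FIDO private key, which never left the user's authenticator. Expiry is checked against the device's own clock, so a cloud-connected device still needs a trustworthy notion of time for short-lived tokens even when, as slide 39 requires, it has no network connection at the moment of access.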
  43. Gallagher Unlocks the Internet of Things with Nok Nok
  44. (Image; source: Philafrenzy, Wikipedia.)
  45. (Image; source: Klaus Mueller, Wikipedia.)
  46. Device to Device & Device to Cloud Authentication
  47. Scope: device to device authentication; user to device authentication.
  48. User to Device Authentication. Authenticator with user verification; FIDO Authentication requires a user gesture before the private key can be used; the private key is dedicated to one RP. Challenge -> (signed) response; the IoT device holds the public key. How an Authenticator verifies the user, and whether it verifies the user at all, depends on the Authenticator model and is represented in the Metadata Statement.
  49. Device to Device Authentication. There are "silent" Authenticators, never requiring any user interaction, and such an Authenticator might be embedded in a device. Challenge -> (signed) response; the IoT device verifies it with the public key.
  50. Device to Cloud Authentication. It makes no difference to the IoT device nor to the FIDO Authenticator whether it authenticates to another device or to a cloud service.
  51. Device to Cloud Authentication (continued). … and the Authenticator can be embedded in smart fridges, smart thermostats and other IoT devices.
  52. Conclusion.
      1. Authentication is the first experience of users with services and several device types.
      2. Authentication needs to be convenient for the user and strong enough for the purpose.
      3. We can do better than passwords + OTP. Look at the FIDO specifications for strong & convenient authentication, see www.fidoalliance.org.
      4. FIDO supports "silent" Authenticators. These Authenticators can be implemented in IoT devices.
      5. FIDO authentication responses can be verified in small devices, allowing FIDO authentication to those IoT devices.
      6. FIDO can be combined with PoP keys (RFC 7800) in order to support authentication to "cloud-connected" IoT devices.
  53. FIDO Authenticator Concept. Components of a FIDO Authenticator: user verification / presence; attestation key (injected at manufacturing, doesn't change); authentication key(s) (generated at runtime, on registration); optional components, e.g. a transaction confirmation display.
  54. Silent Authenticators. 1. Definition, see FIDO Glossary. 2. User verification method, see FIDO Registry. 3. Metadata Statement, see FIDO Metadata Statements.
  55. FIDO Registration (message flow between the Relying Party (example.com), the Platform and the Authenticator; ai: accountInfo, cdh: hash(clientData), tbs: the data to be signed, s: signature)
      Relying Party -> Platform: accountInfo, challenge, [cOpts]   (cOpts: crypto params, credential black list, extensions)
      Platform: select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}
      Platform -> Authenticator: rpId, ai, hash(clientData), cryptoP, [exts]
      Authenticator: verify user; generate key kpub, key kpriv, credential c
      Authenticator -> Platform: c, kpub, ac, cdh, rpId, cntr, AAGUID[, exts], signature(tbs)   (ac: attestation certificate chain)
      Platform -> Relying Party: c, kpub, clientData, ac, tbs, s
      Relying Party: store key kpub, c
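The registration flow above, specialised to slide 37 where the relying party is a factory-fresh IoT device and the platform is the user's phone, as an added example in Go (not the presentation's or Nok Nok Labs' code). It assumes clientData reduced to {challenge, rpId}; the attestation certificate chain (ac) replaced by a single attestation public key per authenticator model, which the device holds as its trust anchor (slide 53); and a physical register button that opens a one-shot registration window. Type and function names and the device name bulb-1.local are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func sha(parts ...[]byte) []byte { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] }

func sign(k *ecdsa.PrivateKey, msg []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, k, sha(msg)); return s }

func verify(k *ecdsa.PublicKey, msg, sig []byte) bool { return ecdsa.VerifyASN1(k, sha(msg), sig) }

// hash(clientData) with clientData reduced to {challenge, rpId}; origin, hAlg and tlsData are omitted (assumption).
func clientDataHash(challenge []byte, rpID string) []byte { return sha(challenge, []byte(rpID)) }

// Registration response after slide 55: credential id c, new key kpub, cdh and the attestation signature over
// them. The attestation certificate chain (ac) is reduced to one attestation key per authenticator model.
type regResponse struct {
	credID string
	pub    *ecdsa.PublicKey
	cdh    []byte
	attSig []byte
}

func regTBS(r *regResponse) []byte { return sha([]byte(r.credID), r.pub.X.Bytes(), r.pub.Y.Bytes(), r.cdh) }

// Authenticator side (the user's phone). The attestation key was injected at manufacturing and never changes;
// the authentication key is generated now, on registration (slide 53). Only its public half leaves the phone.
func makeRegistration(attestKey *ecdsa.PrivateKey, rpID string, challenge []byte) (*ecdsa.PrivateKey, *regResponse) {
	authKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	r := &regResponse{credID: fmt.Sprintf("%x", sha(authKey.PublicKey.X.Bytes())[:8]),
		pub: &authKey.PublicKey, cdh: clientDataHash(challenge, rpID)}
	r.attSig = sign(attestKey, regTBS(r))
	return authKey, r
}

// The IoT device in factory-default state (slide 37). It accepts a registration only while the window opened
// by its physical register button is open, and only from an authenticator model whose attestation it trusts.
type iotDevice struct {
	rpID         string
	attestRoot   *ecdsa.PublicKey            // trust anchor injected at manufacturing
	creds        map[string]*ecdsa.PublicKey // "store: key kpub, c" (slide 55)
	registerOpen bool
}

func (d *iotDevice) pressRegisterButton() { d.registerOpen = true } // one-shot: closed by a successful register

func (d *iotDevice) register(r *regResponse, challenge []byte) error {
	switch {
	case !d.registerOpen:
		return errors.New("register button not pressed")
	case !bytes.Equal(r.cdh, clientDataHash(challenge, d.rpID)):
		return errors.New("client data does not match the challenge this device issued")
	case !verify(d.attestRoot, regTBS(r), r.attSig):
		return errors.New("attestation invalid: authenticator model not trusted")
	case d.creds[r.credID] != nil:
		return errors.New("credential id already registered")
	}
	d.creds[r.credID], d.registerOpen = r.pub, false
	return nil
}

func main() {
	mfrKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attestation key of a trusted authenticator model
	bulb := &iotDevice{rpID: "bulb-1.local", attestRoot: &mfrKey.PublicKey, creds: map[string]*ecdsa.PublicKey{}}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	_, r := makeRegistration(mfrKey, bulb.rpID, challenge)
	fmt.Println("before button:", bulb.register(r, challenge))
	bulb.pressRegisterButton()
	fmt.Println("after button: ", bulb.register(r, challenge))
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unknown or counterfeit authenticator model
	bulb.pressRegisterButton()
	_, r = makeRegistration(rogue, bulb.rpID, challenge)
	fmt.Println("rogue model:  ", bulb.register(r, challenge))
}
```

The order of the checks matters: the button gate is evaluated before any cryptography, so a device reachable over the network cannot be enrolled by a remote party, and the attestation signature covers the new public key and the credential id, so the phone cannot substitute a key that the trusted model did not generate. Enrolling a second authenticator would in practice be authorised by the first one rather than by the button; the slide only shows the first.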
  56. FIDO Authentication (message flow between the Relying Party, the Platform and the Authenticator; cdh: hash(clientData), s: signature)
      Relying Party -> Platform: challenge, [aOpts]
      Platform: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData}
      Platform -> Authenticator: rpId, [c,] hash(clientData)
      Authenticator: verify user; find key kpriv; cntr++; process exts
      Authenticator -> Platform: cntr, [exts], signature(cdh, cntr, exts)
      Platform -> Relying Party: clientData, cntr, exts, s
      Relying Party: lookup kpub from DB; check exts + signature using key kpub
      All Rights Reserved | FIDO Alliance | Copyright 2017
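The authentication flow above from the viewpoint of a constrained IoT device acting as relying party (slide 52, point 5), with the authenticator either on a phone, which verifies the user before signing, or "silent" and embedded in another device (slide 49), as an added Go example rather than the presentation's own code. It assumes clientData reduced to {challenge, rpId}, no extensions, and that registration has already stored kpub under the credential id c1; thermostat-7.local and the type names are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

func sha(parts ...[]byte) []byte { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] }

func sign(k *ecdsa.PrivateKey, msg []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, k, sha(msg)); return s }

func verify(k *ecdsa.PublicKey, msg, sig []byte) bool { return ecdsa.VerifyASN1(k, sha(msg), sig) }

// hash(clientData) with clientData reduced to {challenge, rpId}; the tlsData channel binding is omitted (assumption).
func clientDataHash(challenge []byte, rpID string) []byte { return sha(challenge, []byte(rpID)) }

// Authentication response after slide 56: signature(cdh, cntr); extensions are omitted.
type authResponse struct {
	credID  string
	cdh     []byte
	counter uint32
	sig     []byte
}

func authTBS(a *authResponse) []byte {
	cnt := make([]byte, 4)
	binary.BigEndian.PutUint32(cnt, a.counter)
	return sha(a.cdh, cnt)
}

// Authenticator side. A phone verifies the user before it will sign; a "silent" authenticator embedded in
// another device (slide 49) has no such step. In both cases only the signature leaves it, never kpriv.
type authenticator struct {
	credID     string
	key        *ecdsa.PrivateKey
	counter    uint32
	verifyUser func() bool // nil for a silent authenticator
}

func (a *authenticator) authenticate(rpID string, challenge []byte) (*authResponse, error) {
	if a.verifyUser != nil && !a.verifyUser() {
		return nil, errors.New("user verification failed: private key stays locked")
	}
	a.counter++ // slide 56: cntr++ before signing
	r := &authResponse{credID: a.credID, cdh: clientDataHash(challenge, rpID), counter: a.counter}
	r.sig = sign(a.key, authTBS(r))
	return r, nil
}

// Relying-party side, here the IoT device itself: per credential it holds what registration stored (kpub)
// plus the last accepted counter. One signature verification is all the device has to do.
type credential struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

type iotDevice struct {
	rpID  string
	creds map[string]*credential
}

func (d *iotDevice) authenticate(a *authResponse, challenge []byte) error {
	cred, ok := d.creds[a.credID]
	switch {
	case !ok:
		return errors.New("unknown credential")
	case !bytes.Equal(a.cdh, clientDataHash(challenge, d.rpID)):
		return errors.New("stale or foreign challenge")
	case !verify(cred.pub, authTBS(a), a.sig):
		return errors.New("signature invalid")
	case a.counter <= cred.counter:
		return errors.New("counter did not increase: replayed response or cloned authenticator")
	}
	cred.counter = a.counter
	return nil
}

func newChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // kpriv/kpub generated at registration
	thermostat := &iotDevice{rpID: "thermostat-7.local", creds: map[string]*credential{"c1": {pub: &key.PublicKey}}}
	phone := &authenticator{credID: "c1", key: key, verifyUser: func() bool { return true }} // e.g. fingerprint matched
	ch := newChallenge()
	resp, _ := phone.authenticate(thermostat.rpID, ch)
	fmt.Println("phone: ", thermostat.authenticate(resp, ch))
	fmt.Println("replay:", thermostat.authenticate(resp, ch))
	clone := &authenticator{credID: "c1", key: key} // silent copy of the key material, counter starts at 0
	ch = newChallenge()
	resp, _ = clone.authenticate(thermostat.rpID, ch)
	fmt.Println("clone: ", thermostat.authenticate(resp, ch))
}
```

The device stores the last accepted counter next to kpub. A response recorded from an earlier session fails on the challenge check, and a second authenticator that somehow obtained a copy of the key material fails on the counter check, which is the clone detection the counter exists for. Nothing the device receives is a secret: an attacker who compromises the device learns public keys and old signatures, which is exactly the property slide 34 asks for.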
