Blockchain and IAM for IOT Edge Authentication

5. Traditional IOT IAM managed by cloud Reference: AWS IOT

6. Comparing Traditional IAM and IOT IAM Traditional IAM IOT IAM End points to manage Typically < 100,000 Can be millions System administration IT and Security departments Operational personnel, plant and business managers Auditing User-centric Device-centric Authenticating process Passwords, biometrics PKI certiﬁcates, device behaviors, biometrics Provisioning and registration process Static Dynamic, application driven Self-services Typically web based Also support Bluetooth, DSRC etc. wireless communication

7. The challenge Establishing identity through X.509 certificates provides a strong authentication system. However, in the IoT domain, many devices may not have enough memory to store a certificate or may not even have the required CPU power to execute the cryptographic operations of validating the X.509 certificates (or any type of public key operation). ©2018DSAPPSINC

9. The need for IOT edge authentication Faster response times: Without a round-trip to the cloud, data latency is reduced, lowering the time it takes to glean actionable insights from that data. Lowering IoT solution costs: Can process, clean and analyze mission critical data closer to the device itself saving on processing and analysis costs and reduce the amount of data that flows back and forth between the cloud and the edge of the network. Added security and compliance: Edge authentication can scan for malware, filter out sensitive personally identifiable information and process it locally, Dependable operation even with intermittent connectivity: Enables manufacturing equipment and other smart devices to operate without disruption even when they’re offline or Internet connectivity is intermittent. Interoperability between new and legacy devices: Easier to integrate new and legacy end points with edge computing. ©2018DSAPPSINC

11. IOT Gateways Reference: https://internetofthingsagenda.techtarget.com/feature/ Using-an-IoT-gateway-to-connect-the-Things-to-the-cloud Reference: National Institute of Standards and George Mason University

13. IOT Gateway Architecture Operating System Example: Linux or Android OS HAL (Hardware Abstraction Layer) Supports reusability and portability of the IoT software. IoT Sensors Stack Software stacks that serve as interfaces with IoT sensors modules. Examples: ZigBee, 6LoWPAN, EnOcean, BLE, Modbus, PROFIBUS Device Management and Configuration Configuration and settings to interface with different types of Sensor devices. Security Ensure robust data security, device security and network security. FOTA Firmware Over The Air (FOTA) updates with latest versions of security patches, OS, Firewalls and more. Data Communication Protocols Connect with the Cloud over Ethernet, Wi-Fi or a 4G/3G modem via UDP or TCP IP protocol. MQTT, CoAP, XMPP, AMQP utilized. Data Management Includes data streaming, data filtering and data storing. Cloud Connectivity Manager Connectivity, device state, heartbeat message, and gateway device authentication with the cloud. Custom Application Manage data between sensor node and gateway and from gateway to cloud. Gateway Data Transfer To connect to the internet for data transfer using Ethernet, 4G/3G/GPRS modem or Wifi. Reference:https://www.embitel.com/blog/embedded-blog/understanding-how-an-iot-gateway-architecture-works

15. Key Requirements for IOT Edge Authentication • Has to replace central authority with distributed apps, should not depend on a single point of failure, means to distribute trust • Need distributed storage of device security data that is immutable • Automated process to add and update devices without need for manual authorization and authentication process, via code driven smart contract • Have the means to ﬂag abnormal behavior and quarantine devices through group consensus on what is normal Answer - Blockchain technology

16. Blockchain Concepts • Decentralized, peer-to-peer networks, where each par5cipant maintains a copy of a shared, append-only (i.e., otherwise immutable) ledger of digitally signed transac5on records • Maintain synchronized replicas through a consensus protocol • Safeguard the immutability of the ledger, even when some par5cipants are faulty or malicious ©2018DSAPPSINC Append only Shared Ledger Managed by Permissions with visible, authenticated and veriﬁable transactions Support for Smart Contracts programmed to execute with transactions Consensus for adding new members and ﬂagging abnormal behavior

17. The benefits of Blockchain Allows trust to be dispersed highly securely making IAM at the edge fast and light without central server reliance thus removing single point of failure Creates an IAM-centric ecosystem that keeps track of identities, entitlements, entitlement assignment, and access events, all autonomously. Provides for the five security pillars: Availability, Auditability, Accountability, Integrity and Confidentiality. ©2018DSAPPSINC

18. IAM Requirements provided by Blockchain • Track device identity proﬁles and attributes • Validate identity and transaction data leveraging smart contracts • Create and maintain IAM permission policies • Maintain data trust • Auditable records for validation • Control data visibility ©2018DSAPPSINC

20. Support in Blockchain for IAM security policies func (s *SmartContract) Init(APIstub shim.ChaincodeStubInterface) sc.Response { return shim.Success(nil) } func (s *SmartContract) Invoke(APIstub shim.ChaincodeStubInterface) sc.Response { function, args := APIstub.GetFunctionAndParameters() if function == "queryCar" { return s.queryCar(APIstub, args) } else if function == "initLedger" { return s.initLedger(APIstub) } else if function == "createCar" { return s.createCar(APIstub, args) } else if function == "queryAllCars" { return s.queryAllCars(APIstub) } else if function == "changeCarOwner" { return s.changeCarOwner(APIstub, args) Smart Contracts - Enforce who can perform what actions Access Control Language - ACL rules determine which users/roles are permitted to create, read, update or delete member elements. Certifying authority - Certifies X509 certificates rule networkControlPermission { description: "networkControl can access network commands" participant: "org.acme.vehicle.auction.networkControl" operation: ALL resource: "org.hyperledger.composer.system.Network" action: ALLOW } Certificate: Data: Version: 3 (0x2) Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6 Signature Algorithm: sha256WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 Validity Not Before: Nov 21 08:00:00 2016 GMT Subject Public Key Info: Public-Key: (256 bit) pub: 04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5: af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e: Shared Configuration - Policies dictating modification of elements in configuration

22. Hyperledger Architecture

23. Hyperledger Fabric - peer nodes with smart contracts and ledgers

24. Peer Identities via X509 certiﬁcate

25. Hyperledger Fabric CA (Certificate Authority) Register identity, connect to LDAP Issue enrollment certificates Renew and revoke certificates

28. Managing IOT Edge Security Blockchain Spec Device authentication Design Blockchain ledger and cloud services Launch IOT edge authentication Provide IAM policies and smart contracts Update IAM policies Update analytics Add Devices Create/update security policies Coordinate with security team Track exceptions Resolve exceptions Real time analytics ©2018DSAPPSINC

Blockchain and IAM for IOT Edge Authentication

dsapps

Blockchain and IAM for IOT Edge Authentication