
Blockchain and IAM for IOT Edge Authentication


We present how blockchain technology can power IoT (internet of things) edge authentication, which is critical for the security and reliability of millions of IoT applications in business, manufacturing, transportation, healthcare, banking and other sectors.

Published in: Engineering


  1. Blockchain & IAM for IoT: Edge Authentication. Presented by Sesh Raj, President, DSAPPS INC. ©2018 DSAPPS INC
  4. Question: What is IAM (identity and access management) for IoT?
  5. Traditional IoT IAM is managed by the cloud. Reference: AWS IoT
  6. Comparing traditional IAM and IoT IAM

     | Aspect                                | Traditional IAM                  | IoT IAM                                                   |
     |---------------------------------------|----------------------------------|-----------------------------------------------------------|
     | End points to manage                  | Typically < 100,000              | Can be millions                                           |
     | System administration                 | IT and security departments      | Operational personnel, plant and business managers        |
     | Auditing                              | User-centric                     | Device-centric                                            |
     | Authenticating process                | Passwords, biometrics            | PKI certificates, device behaviors, biometrics            |
     | Provisioning and registration process | Static                           | Dynamic, application-driven                               |
     | Self-service                          | Typically web-based              | Also supports Bluetooth, DSRC and other wireless communication |

  7. The challenge: establishing identity through X.509 certificates provides a strong authentication system. However, in the IoT domain, many devices may not have enough memory to store a certificate, or may not even have the CPU power required to execute the cryptographic operations of validating X.509 certificates (or any type of public-key operation).
  8. Question: What is IoT edge authentication?
  9. The need for IoT edge authentication
     • Faster response times: without a round trip to the cloud, data latency is reduced, lowering the time it takes to glean actionable insights from that data.
     • Lower IoT solution costs: mission-critical data can be processed, cleaned and analyzed closer to the device itself, saving processing and analysis costs and reducing the amount of data that flows back and forth between the cloud and the edge of the network.
     • Added security and compliance: edge authentication can scan for malware, filter out sensitive personally identifiable information and process it locally.
     • Dependable operation even with intermittent connectivity: enables manufacturing equipment and other smart devices to operate without disruption even when they are offline or Internet connectivity is intermittent.
     • Interoperability between new and legacy devices: new and legacy end points are easier to integrate with edge computing.
  10. Question: How do we track identity on the edge without a central server?
  11. IoT gateways. References: https://internetofthingsagenda.techtarget.com/feature/Using-an-IoT-gateway-to-connect-the-Things-to-the-cloud; National Institute of Standards and George Mason University
  12. Reference: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-endpoints
  13. IoT gateway architecture
     • Operating system: for example Linux or Android.
     • HAL (hardware abstraction layer): supports reusability and portability of the IoT software.
     • IoT sensor stack: software stacks that serve as interfaces to IoT sensor modules. Examples: ZigBee, 6LoWPAN, EnOcean, BLE, Modbus, PROFIBUS.
     • Device management and configuration: configuration and settings to interface with different types of sensor devices.
     • Security: ensures robust data security, device security and network security.
     • FOTA: firmware over-the-air updates with the latest security patches, OS, firewalls and more.
     • Data communication protocols: connect with the cloud over Ethernet, Wi-Fi or a 4G/3G modem via UDP or TCP/IP; MQTT, CoAP, XMPP and AMQP are used.
     • Data management: includes data streaming, data filtering and data storing.
     • Cloud connectivity manager: connectivity, device state, heartbeat messages and gateway device authentication with the cloud.
     • Custom application: manages data between sensor node and gateway, and from gateway to cloud.
     • Gateway data transfer: connects to the internet for data transfer using Ethernet, a 4G/3G/GPRS modem or Wi-Fi.
     Reference: https://www.embitel.com/blog/embedded-blog/understanding-how-an-iot-gateway-architecture-works
  15. Key requirements for IoT edge authentication
     • Must replace the central authority with distributed apps; must not depend on a single point of failure; needs a means to distribute trust
     • Needs distributed, immutable storage of device security data
     • Automated process to add and update devices, driven by smart-contract code, without a manual authorization and authentication step
     • Must have the means to flag abnormal behavior and quarantine devices through group consensus on what is normal
     Answer: blockchain technology
  16. Blockchain concepts
     • Decentralized, peer-to-peer networks, where each participant maintains a copy of a shared, append-only (i.e., otherwise immutable) ledger of digitally signed transaction records
     • Synchronized replicas are maintained through a consensus protocol
     • The immutability of the ledger is safeguarded even when some participants are faulty or malicious
     In short: an append-only shared ledger managed by permissions, with visible, authenticated and verifiable transactions; support for smart contracts programmed to execute with transactions; and consensus for adding new members and flagging abnormal behavior.
  17. The benefits of blockchain
     • Allows trust to be dispersed highly securely, making IAM at the edge fast and light without reliance on a central server, thus removing the single point of failure
     • Creates an IAM-centric ecosystem that keeps track of identities, entitlements, entitlement assignment and access events, all autonomously
     • Provides for the five security pillars: availability, auditability, accountability, integrity and confidentiality
  18. IAM requirements provided by blockchain
     • Track device identity profiles and attributes
     • Validate identity and transaction data leveraging smart contracts
     • Create and maintain IAM permission policies
     • Maintain data trust
     • Auditable records for validation
     • Control data visibility
  19. Question: How can we implement IAM policies on the edge?
  20. Support in blockchain for IAM security policies
     Smart contracts: enforce who can perform what actions. Example Go chaincode dispatcher (the slide's fragment, completed with the type, the Fabric 1.x imports and the closing default branch; the handler methods it dispatches to are not shown on the slide):

         package main

         import (
             "github.com/hyperledger/fabric/core/chaincode/shim"
             sc "github.com/hyperledger/fabric/protos/peer"
         )

         // SmartContract carries the chaincode's methods.
         type SmartContract struct{}

         // Init runs on instantiation; nothing to set up here.
         func (s *SmartContract) Init(APIstub shim.ChaincodeStubInterface) sc.Response {
             return shim.Success(nil)
         }

         // Invoke routes each transaction to the named function.
         func (s *SmartContract) Invoke(APIstub shim.ChaincodeStubInterface) sc.Response {
             function, args := APIstub.GetFunctionAndParameters()
             if function == "queryCar" {
                 return s.queryCar(APIstub, args)
             } else if function == "initLedger" {
                 return s.initLedger(APIstub)
             } else if function == "createCar" {
                 return s.createCar(APIstub, args)
             } else if function == "queryAllCars" {
                 return s.queryAllCars(APIstub)
             } else if function == "changeCarOwner" {
                 return s.changeCarOwner(APIstub, args)
             }
             // Unknown function names are rejected rather than silently succeeding.
             return shim.Error("Invalid Smart Contract function name.")
         }

     Access control language: ACL rules determine which users/roles are permitted to create, read, update or delete member elements. Example rule:

         rule networkControlPermission {
             description: "networkControl can access network commands"
             participant: "org.acme.vehicle.auction.networkControl"
             operation: ALL
             resource: "org.hyperledger.composer.system.Network"
             action: ALLOW
         }

     Certifying authority: certifies X.509 certificates. Certificate excerpt as shown on the slide (truncated):

         Certificate:
             Data:
                 Version: 3 (0x2)
                 Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
                 Signature Algorithm: sha256WithRSAEncryption
                 Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
                 Validity
                     Not Before: Nov 21 08:00:00 2016 GMT
                 Subject Public Key Info:
                     Public-Key: (256 bit)
                     pub:
                         04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:
                         af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:

     Shared configuration: policies dictating modification of elements in configuration.
  21. Sample implementations
  22. Hyperledger architecture
  23. Hyperledger Fabric: peer nodes with smart contracts and ledgers
  24. Peer identities via X.509 certificates
  25. Hyperledger Fabric CA (certificate authority): registers identities and connects to LDAP; issues enrollment certificates; renews and revokes certificates
  26. Azure Blockchain Workbench
  27. IBM Watson IoT Platform with Blockchain
  28. Managing IoT edge security (process diagram, flattened)
     • Blockchain spec → device authentication design → blockchain ledger and cloud services → launch IoT edge authentication → provide IAM policies and smart contracts → update IAM policies → update analytics
     • Add devices; create/update security policies; coordinate with the security team; track exceptions; resolve exceptions; real-time analytics
  29. Contact: Sesh Raj, DSAPPS INC. Email: sales1@dsapps.com; text: 408-940-5003; www.dsapps.com
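The deck asks the ledger to do four things (slides 15, 16, 18 and 20): keep an append-only, signed record of device identity data; admit only enrolled participants; enforce ACL rules of the kind shown on slide 20 inside the smart contract; and quarantine a device by group consensus. The following Go program is an added illustration of those four requirements together; it is not code from the deck and not Hyperledger Fabric's chaincode API. It stands in for Fabric CA enrollment with Ed25519 keys from the standard library, and the participant names (networkControl, gateway-7), the rules and the votes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Rule mirrors a Composer-style ACL entry: participant, operation
// (CREATE/READ/UPDATE/DELETE or ALL), resource, and allow/deny.
type Rule struct {
	Participant, Operation, Resource string
	Allow                            bool
}

// Record is one signed, hash-linked entry of the append-only ledger.
type Record struct {
	Seq                               int
	Actor, Op, Resource, Payload      string
	PrevHash, Hash                    string
	Sig                               []byte
}

// Ledger holds the ACL, enrolled public keys (standing in for CA-issued
// enrollment certificates) and the chain of records.
type Ledger struct {
	Rules   []Rule
	Keys    map[string]ed25519.PublicKey
	Records []Record
}

// hashRecord binds a record's contents to the hash of its predecessor.
func hashRecord(r Record) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%q|%s",
		r.Seq, r.Actor, r.Op, r.Resource, r.Payload, r.PrevHash)))
	return hex.EncodeToString(h[:])
}

// Permitted evaluates the ACL: first matching rule wins, default deny.
func (l *Ledger) Permitted(actor, op, resource string) bool {
	for _, r := range l.Rules {
		if r.Participant == actor && r.Resource == resource &&
			(r.Operation == "ALL" || r.Operation == op) {
			return r.Allow
		}
	}
	return false
}

// Append is the smart-contract entry point: actor must be enrolled, the ACL
// must allow the operation, and the signature must verify against the
// enrolled key before the hash-linked record is accepted.
func (l *Ledger) Append(actor, op, resource, payload string, priv ed25519.PrivateKey) error {
	pub, ok := l.Keys[actor]
	if !ok {
		return errors.New("participant not enrolled")
	}
	if !l.Permitted(actor, op, resource) {
		return fmt.Errorf("ACL denies %s %s on %s", actor, op, resource)
	}
	rec := Record{Seq: len(l.Records), Actor: actor, Op: op, Resource: resource, Payload: payload}
	if n := len(l.Records); n > 0 {
		rec.PrevHash = l.Records[n-1].Hash
	}
	rec.Hash = hashRecord(rec)
	rec.Sig = ed25519.Sign(priv, []byte(rec.Hash))
	if !ed25519.Verify(pub, []byte(rec.Hash), rec.Sig) {
		return errors.New("signature does not verify against the enrolled key")
	}
	l.Records = append(l.Records, rec)
	return nil
}

// Verify replays the chain: sequence, back-links, content hashes and
// signatures must all hold, so a modified or reordered record is detected.
func (l *Ledger) Verify() error {
	prev := ""
	for i, r := range l.Records {
		if r.Seq != i || r.PrevHash != prev || hashRecord(r) != r.Hash {
			return fmt.Errorf("record %d modified or out of order", i)
		}
		pub, ok := l.Keys[r.Actor]
		if !ok || !ed25519.Verify(pub, []byte(r.Hash), r.Sig) {
			return fmt.Errorf("record %d has an invalid signature", i)
		}
		prev = r.Hash
	}
	return nil
}

// Quarantine is the "group consensus on what is normal" step: each gateway
// peer votes whether a device is behaving abnormally; a strict majority of
// abnormal votes quarantines it, a tie does not.
func Quarantine(votes map[string]bool) bool {
	abnormal := 0
	for _, v := range votes {
		if v {
			abnormal++
		}
	}
	return abnormal*2 > len(votes)
}

func main() {
	ncPub, ncPriv, _ := ed25519.GenerateKey(rand.Reader)
	gwPub, gwPriv, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{ // constructed participants and rules, not from the deck
		Rules: []Rule{{"networkControl", "ALL", "Device", true}, {"gateway-7", "READ", "Device", true}},
		Keys:  map[string]ed25519.PublicKey{"networkControl": ncPub, "gateway-7": gwPub},
	}
	fmt.Println(l.Append("networkControl", "CREATE", "Device", "sensor-42 enrolled", ncPriv)) // <nil>
	fmt.Println(l.Append("gateway-7", "UPDATE", "Device", "sensor-42 policy v2", gwPriv))    // ACL denies ...
	fmt.Println(l.Verify(), Quarantine(map[string]bool{"gw-1": true, "gw-2": true, "gw-3": false}))
}
```

The point of checking the signature against the key enrolled for the actor, rather than against whatever key accompanies the request, is that enrollment is the only place identity is established; a request signed with the wrong key fails even when the ACL would allow the operation. Verify is what an auditor (slide 18, "auditable records for validation") runs over a replica: any change to an earlier payload changes its hash, which breaks the back-link of every later record.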
