IoT End-to-End Security Overview
•
4 likes•3,822 views
This document discusses security best practices for connecting IoT devices to AWS IoT. It recommends using TLS mutual authentication with X.509 certificates to securely connect devices. AWS IoT supports MQTT and HTTP protocols. Strong identity is ensured by generating unique certificates per device. Fine-grained access control is provided by attaching authorization policies to certificates. Mobile applications can also securely access devices via AWS Cognito identity pools.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to IoT End-to-End Security Overview
Similar to IoT End-to-End Security Overview (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (19)
IoT End-to-End Security Overview
- 1. Copyright © 2016 AWS and affiliates, all rights reserved IoT End-to-End Security Overview Assaf Naner, Enterprise Solution Architect
- 2. Copyright © 2016 AWS and affiliates, all rights reserved Agenda • Connected Devices • AWS IoT Overview • The risks • Protecting the device • Requirements – Securing Devices – Securing users and applications – Thing identity
- 3. Copyright © 2016 AWS and affiliates, all rights reserved All things around us are getting connected
- 4. Copyright © 2016 AWS and affiliates, all rights reserved Things will proliferate 2013 2015 2020 Vertical Industry Generic Industry Consumer Automotive Many Some Lots
- 5. Copyright © 2016 AWS and affiliates, all rights reserved AWS IoT
- 6. Copyright © 2016 AWS and affiliates, all rights reserved Publish / Subscribe Standard Protocol Support MQTT, HTTP, WebSockets Long Lived Connections Receive signals from the cloud Secure by Default • Connect securely via X509 Certs • and TLS 1.2 Client Mutual Auth
- 7. Copyright © 2016 AWS and affiliates, all rights reserved
- 8. Copyright © 2016 AWS and affiliates, all rights reserved The Risk I’m a thing
- 9. Copyright © 2016 AWS and affiliates, all rights reserved Protecting the device
- 10. Copyright © 2016 AWS and affiliates, all rights reserved Protecting the device • Secure booting – SW on device is verified with digital signatures • Access control - role based access controls in OS (least privilege) • Update and patching – OS and application patching
- 11. Copyright © 2016 AWS and affiliates, all rights reserved Requirements • Secure Communications with Things • Strong Thing Identity • Fine-grained Authorization for: – Things – People • Constrains: – Device are small, constrained in computing power and memory capacity – Device updates
- 12. Copyright © 2016 AWS and affiliates, all rights reserved Mutual Auth TLS
- 13. Copyright © 2016 AWS and affiliates, all rights reserved Mutual Auth TLS
- 14. Copyright © 2016 AWS and affiliates, all rights reserved Mutual Auth TLS
- 15. Copyright © 2016 AWS and affiliates, all rights reserved The Risk - What about users and applications? I’m a thing
- 16. Copyright © 2016 AWS and affiliates, all rights reserved Signing AWS API Requests API: AWS Signature Version 4
- 17. Copyright © 2016 AWS and affiliates, all rights reserved Security is too expensive
- 18. Copyright © 2016 AWS and affiliates, all rights reserved Elliptical Curve Cryptography (ECC) ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 Elliptical curve logarithm vs RSA integer factorization Smaller key sizes for same security ECDHE – key exchange algorithm (forward secrecy with ephemeral keys) ECDSA – signature algorithm with EC private keys (authentication)
- 19. Copyright © 2016 AWS and affiliates, all rights reserved Summary Device AWS IoT Users & App AWS IoT Server Auth TLS + Cert TLS + Cert Client Auth TLS + Cert AWS API Keys (SigV4) Confidentiality TLS TLS Protocol MQTT HTTP
- 20. Copyright © 2016 AWS and affiliates, all rights reserved Requirements • Secure Communications with Things • Strong Thing Identity • Fine-grained Authorization for: – Things – People • Constrains: – Device are small, constrained in computing power and memory capacity – Device updates
- 21. Copyright © 2016 AWS and affiliates, all rights reserved Strong Thing Identity • Private Key are not saved on AWS • You can generate your own keys (CSR)
- 22. Copyright © 2016 AWS and affiliates, all rights reserved Strong Thing Identity – client generated key pair CSR
- 23. Copyright © 2016 AWS and affiliates, all rights reserved Strong Thing Identity – client generated key pair CSR
- 24. Copyright © 2016 AWS and affiliates, all rights reserved TLS Mutual Authentication • Create CSR • Create X.509 Certificate from CSR • Activate the Certificate • Create Policy • Attach Policy to Certificate • * Certificate must be issued by AWS IoT
- 25. Copyright © 2016 AWS and affiliates, all rights reserved Takeaways • Use a unique certificate for each device / thing – this is will help with authorization • You can use your own keys – use CSR for public certificate • Revoke unused certificates - in particular when moving to production $ aws iot list-certificates { "certificateDescriptions": [ { "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/d7677b0…SNIP…026d9", "status": "REVOKED", "certificateId": "d7677b0…SNIP…026d9" ] "creationDate": 1443070900.491 } ] }
- 26. Copyright © 2016 AWS and affiliates, all rights reserved Requirements • Secure Communications with Things • Strong Thing Identity • Fine-grained Authorization for: – Things – People • Constrains: – Device are small, constrained in computing power and memory capacity – Device updates
- 27. Copyright © 2016 AWS and affiliates, all rights reserved Policy and certificates • Policy - consists of one or more statements, each of which describes one set of permissions. • Certificate – uniquely identify a device • Policy is attached to one or more device certificate (best practice is to have one certificate per device)
- 28. Copyright © 2016 AWS and affiliates, all rights reserved Policy and certificates Device Policy Truck 1 Allow to connect and publish Truck 2 Allow to connect / publish / subscribe Truck 3 Allow to connect / publish /subscribe / unsubscribe
- 29. Copyright © 2016 AWS and affiliates, all rights reserved Policy actions • Connect • Publish • Subscribe • Unsubscribe • Receive
- 30. Copyright © 2016 AWS and affiliates, all rights reserved Connect policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iot:Connect" ], "Resource":"arn:aws:iot:us-east-1:123456972007: client/MY-THING-NAME" } ] }
- 31. Copyright © 2016 AWS and affiliates, all rights reserved Publish policy { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iot:Publish" ], "Resource":"arn:aws:iot:us-east-1:123456972007: topic/$aws/things/MyThing/shadow/update" } ] }
- 32. Copyright © 2016 AWS and affiliates, all rights reserved Requirements • Secure Communications with Things • Strong Thing Identity • Fine-grained Authorization for: – Things – People • Constrains: – Device are small, constrained in computing power and memory capacity – Device updates
- 33. Copyright © 2016 AWS and affiliates, all rights reserved Manage Certificates { "Version":"2012-10-17", "Statement":[ { “SID”: “ManageCerts”, "Effect":"Allow", "Action":[ "iot:CreateCertificateAndKeys” , “iot:DescribeCertificate”, “iot:UpdateCertificate” ], "Resource":”*" } ] }
- 34. Copyright © 2016 AWS and affiliates, all rights reserved Applications
- 35. Copyright © 2016 AWS and affiliates, all rights reserved Mobile AMAZON COGNITO
- 36. Copyright © 2016 AWS and affiliates, all rights reserved Mobile Users and Things AMAZON COGNITO 1 2 3 4 5
- 37. Copyright © 2016 AWS and affiliates, all rights reserved Policy for Cognito with IoT Cognito authenticated user identity pool role policy: { "Effect": "Allow", "Action": [ "iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive", "iot:GetThingShadow", "iot:UpdateThingShadow" ], "Resource": "*" } Specific policy for Joe IoT Cognito user: { "Effect": "Allow", "Action": "iot:UpdateThingShadow", "Resource": "arn:aws:iot:…:thing/joe-sprinkler123" }
- 38. Copyright © 2016 AWS and affiliates, all rights reserved Wrap up – Two Secure Protocol API: AWS Signature Version 4 HTTP MQTT
- 39. Copyright © 2016 AWS and affiliates, all rights reserved Wrap-up Device AWS IoT Users & App AWS IoT Server Auth TLS + Cert TLS + Cert Client Auth TLS + Cert AWS API Keys (SigV4) Confidentiality TLS TLS Protocol MQTT HTTP Identification AWS ARNs AWS ARNs Authorization AWS Policy AWS Policy
- 40. Copyright © 2016 AWS and affiliates, all rights reserved Check and balances • Look for suspicious activity in your code • Identify activity signatures • Examples: – Same certificate used from multiple IPs or used simultaneously from two devices – Check if certificates were compromised • Enable 2nd level of authorization for suspicious devices – revoke the certificate first. Ask user to reinitiate the device • Look for rogue activity in the logic of your application
- 41. Copyright © 2016 AWS and affiliates, all rights reserved aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS
Editor's Notes
- Everyone has their own predictions for how the population of Things will grow. They’re all over the place, but one thing they agree on is that the population is going to grow. It’s our belief that over time everything that can be internet connected will be. That’s “lots” of things, even by Amazon standards.
- We built AWS IoT with that experience in mind. AWS IoT is a FULLY MANAGED service for connected devices. Keep that in mind as we discuss the features and you explore your options for IoT partners. IoT is plural and you often don’t know the what extent… we grow w/ your business. Device Gateway (Messages... These messages typically come from devices...) Secured by... (new patterns specifically for devices) Rules Engine (looking at all the messages… pull in context or send for integrations) Device Shadow Registry (metadata, device mgmt features)
- Pub / Sub broker… talking points on screen
- We illustrate this as the device making the connection… but in practice it’s much more complex.
- The extent to which you protect your IoT deployment should be driven by the most expensive decision that you could make based on your IoT data, in addition to the native sensitivity of the data itself. Even if they only gain access to eavesdrop on the data, without altering or removing any of it, they’ll still have significant insight into your business.
- Mention FIPS-140, level 1-4
- Anyone in this room can download the amazon.com certificate. It really is public data. Not just "not sensitive", but public. We send a copy of it to your browser every time you log in to Amazon. But that private key, that we’re going to protect very carefully. Possession of that key allows you to cryptographically prove your identity as Amazon.com. In the AWS IoT world, everything MQTT is TLS 1.2, and with a restricted set of strong cipher suites. Now that we’ve got TLS established and the server is authenticated, we have message integrity and confidentiality, but we have absolutely no idea who the client is. That’s why you have to sign in to your account when you go to amazon.com. Mutual auth….
- Anyone in this room can download the amazon.com certificate. It really is public data. Not just "not sensitive", but public. We send a copy of it to your browser every time you log in to Amazon. But that private key, that we’re going to protect very carefully. Possession of that key allows you to cryptographically prove your identity as Amazon.com. In the AWS IoT world, everything MQTT is TLS 1.2, and with a restricted set of strong cipher suites. Now that we’ve got TLS established and the server is authenticated, we have message integrity and confidentiality, but we have absolutely no idea who the client is. That’s why you have to sign in to your account when you go to amazon.com. Mutual auth….
- Anyone in this room can download the amazon.com certificate. It really is public data. Not just "not sensitive", but public. We send a copy of it to your browser every time you log in to Amazon. But that private key, that we’re going to protect very carefully. Possession of that key allows you to cryptographically prove your identity as Amazon.com. In the AWS IoT world, everything MQTT is TLS 1.2, and with a restricted set of strong cipher suites. Now that we’ve got TLS established and the server is authenticated, we have message integrity and confidentiality, but we have absolutely no idea who the client is. That’s why you have to sign in to your account when you go to amazon.com. Mutual auth….
- The extent to which you protect your IoT deployment should be driven by the most expensive decision that you could make based on your IoT data, in addition to the native sensitivity of the data itself. Even if they only gain access to eavesdrop on the data, without altering or removing any of it, they’ll still have significant insight into your business.
- Authenticated requests require a signature that you create by using your access keys, these are ’access key’ and ‘secret access keys’. API requests are signed with secret access key using HMAC.
- TLS Cipher Suites Key exchange authentication (keypairs) Block cipher Message digest
- The private key has never moved from where it was generated. That makes it more likely that we’ll get the protocol right, that we won’t expose the private key. The ultimate version of this protocol is one where the private key is stored in some cryptographic hardware key store on the Thing, and the private key cannot be extracted. In at least some cases, this keypair will be burned into the device in the factory. Because we own the CA that is used for AWS IoT, and all certificate operations occur over authenticated AWS APIs, this is very amenable to automation, even at very high scale.
- Certificates can be shared by multiple devices… or assigned uniquely Revoked, reinstated, deleted, etc. This is all done using aws as the certificate authority. Our enterprise customers (smart agriculture, automotive, energy) have said this is great for testing, but they need more flexibility in production
- Use ’aws iot list-certificate’ to check certificates’ status Side note: It’s important that every one of your Things have a unique certificate. If they don’t, they will appear to our service to all be the same Thing. You won’t be able to differentiate between them in policy or in the data that they publish. It’s also important that every one of your things have a unique keypair. While it is possible to put the same keypair on each thing and generate different certs for them, if you have a key exposure and need to rotate keys, your entire product line will be at risk.
- These are the similar to REST API verbs
- 1 – Hello 2- Register/Login with Cognito 3 – Authenticate 4- Insert policy with Cognito ID to device 5 – User – device can ’talk’ to eachother This is a simplified process obviously