
Securing Millions of Devices


Provides an overview of how LWM2M and DNS-SD/DNSSEC can be used together to provide secure communications, remote management and provisioning of constrained devices in the Internet of Things, using the open source software components Leshan and Tiaki created in the Eclipse IoT community.

Published in: Software


  1. Securing Millions of Devices
     Régis Piccand, Verisign, Inc.
     Kai Hudalla, Bosch Software Innovations GmbH
  2. What is the Problem?
     [Figure: Photon by particle.io, annotated: very little RAM, limited power supply, few MHz only, low bandwidth, must be cheap, out in the field (≠ LAN)]
     Industrial scale IoT solutions require cheap, small & power efficient sensors & connectivity but still require strong security (authentication, confidentiality, integrity).
     [Diagram: Cloud/Data Center, 1..[mb]illions, 0..n]
     Securely connecting a dozen of these in your lab is easy. Connecting & managing [mb]illions of these via the internet is a challenge.
  3. Lightweight M2M
     ... is a protocol (stack) from the Open Mobile Alliance specifically designed for managing constrained devices.
     Protocol stack, bottom to top:
     - UDP / SMS: connectionless communication suitable for low power/bandwidth environments
     - DTLS: Datagram TLS for confidentiality and integrity (RFC 6347)
     - CoAP: REST-like web transfer protocol targeted at constrained environments with small bandwidth (10s of kbit/s) (RFC 7252)
     - LWM2M: device management operations/interactions: bootstrap & register device, read/write/execute/observe resource(s)
     - Resources: management objects (pre-defined & custom): Device, LWM2M Server, Firmware Update, Location, Connectivity Monitoring etc.
  4. Example Object & Request
     The Device object (ID: 3) provides metadata about the device and is mandatory for all LWM2M Clients to implement. It is single instance only.
     URI format: /{ObjectID}/{InstanceID}/{ResourceID}
     LWM2M Server (Cloud/Data Center) → LWM2M Client (Photon by particle.io):
       GET /3/0/0 (Manufacturer)  → "Particle"
       GET /3/0/1 (Model Number)  → "Photon"
  5. Your Solution
     Eclipse Leshan ... provides libraries that help people develop their own Lightweight M2M server and client.
     - Scandium: pure Java implementation of Datagram TLS supporting PSK, X.509 & RawPublicKey based authentication, ECDHE based key exchange
     - Californium: pure Java implementation of CoAP over UDP, easy to use API for accessing & implementing resources
     - Leshan: pure Java implementation of LWM2M:
       - set of JARs (easily embeddable)
       - fat JAR for running a standalone (test) server
       - OSGi Managed Service implementation
       - standard LWM2M Objects + (some) IPSO Smart Objects supported out-of-the-box
       - custom Objects supported by means of API & XML files
     Projects are being developed within the context of the Eclipse IoT Working Group. For more information go to:
  6. The Provisioning Problem
     - Devices must know where they should be connecting to (bootstrap server, message broker, cloud service, etc.)
     - Hard-coding the configuration is limiting: not every device should connect to the same services, and service endpoints can change over time...
     - LWM2M provides 4 bootstrapping modes
       - 2 hard-coded options, either in flash or smartcard
       - 2 dynamic options:
         - either client or server initiates the bootstrap process
         - bootstrap server writes config data to the device
     - How does a device reliably and securely determine the correct endpoint?
     (Image: https://mantivities.wordpress.com)
  7. Tiaki To The Rescue
     - Tiaki is a Secure Service Discovery SDK
     - Tiaki allows clients to look up service details (endpoint, port, priority, weight, type) and configuration securely from DNS
     - Tiaki is based on the DNS Service Discovery (DNS-SD) and DNS Security Extensions (DNSSEC) IETF standards
     - Tiaki validates signatures to authenticate the origin and integrity of data
     - Tiaki is available for C, Java and as a command-line interface
  8. Service Discovery Logical Flow
       _services._dns-sd._udp.example.com.        PTR  _mqtt._tcp.example.com
       _mqtt._tcp.example.com.                    PTR  eclipse-broker._mqtt._tcp.example.com
       eclipse-broker._mqtt._tcp.example.com.     SRV  iot.eclipse.org 1883
       eclipse-broker._mqtt._tcp.example.com.     TXT  "server=Mosquitto" "qos=2"
  9. DNS Security Extensions Logical Flow
     [Diagram only]
  10. How To Use Tiaki
      Command line:
        $ java -jar iot-discovery-jcli-1.0.jar -i -s mqtt -d example.com
        iot.eclipse.org:1883 "server=Mosquitto" "version=1.3.1"
      Java SDK (Tiaki classes DnsServicesDiscovery, Fqdn, CompoundLabel and ServiceInstance assumed imported):
        DnsServicesDiscovery discoverer = new DnsServicesDiscovery();
        Fqdn fullyQualifiedDomainName = new Fqdn("example.com");
        CompoundLabel serviceType = new CompoundLabel("mqtt");
        // resolve and DNSSEC-validate all _mqtt service instances under example.com
        Set<ServiceInstance> discoveryResult =
            discoverer.listServiceInstances(fullyQualifiedDomainName, serviceType);
        for (ServiceInstance instance : discoveryResult) {
            System.out.println(instance);
        }
      https://projects.eclipse.org/projects/iot.tiaki
      https://github.com/verisign/iot-discovery-jcli | https://github.com/verisign/iot-discovery-services
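The discovery walk of slide 8 (enumeration PTR, instance PTR, then SRV and TXT) with the DNSSEC gating that slides 7 and 10 rely on, as an added example in Python; it is not Tiaki or Leshan code. The zone is constructed in memory to mirror the slide, the SRV priority/weight of 0 0 are assumed (the slide shows only host and port), and the `secure` flag stands in for the AD bit a validating resolver sets.

```python
from dataclasses import dataclass, field

class InsecureRecord(Exception): """An RRset on the discovery path failed DNSSEC validation."""

@dataclass(frozen=True)
class RRset:
    rdata: tuple   # record strings as a resolver returns them
    secure: bool   # stands in for the AD bit a validating resolver sets

@dataclass
class ServiceInstance:
    name: str
    host: str
    port: int
    priority: int
    weight: int
    txt: dict = field(default_factory=dict)

# Constructed zone mirroring slide 8; SRV priority/weight (0 0) are assumed,
# the slide shows only host and port.
ZONE = {
    ("_services._dns-sd._udp.example.com.", "PTR"): RRset(("_mqtt._tcp.example.com.",), True),
    ("_mqtt._tcp.example.com.", "PTR"): RRset(("eclipse-broker._mqtt._tcp.example.com.",), True),
    ("eclipse-broker._mqtt._tcp.example.com.", "SRV"): RRset(("0 0 1883 iot.eclipse.org.",), True),
    ("eclipse-broker._mqtt._tcp.example.com.", "TXT"): RRset(("server=Mosquitto", "qos=2"), True),
}

def query(zone, name, rtype):
    """Return one RRset's data, refusing any answer that did not validate."""
    rrset = zone.get((name, rtype))
    if rrset is None:
        return ()
    if not rrset.secure:
        raise InsecureRecord(f"{rtype} {name} is not DNSSEC-validated")
    return rrset.rdata

def discover(zone, domain, service, proto="tcp"):
    """Walk PTR -> PTR -> SRV/TXT and return validated instances, best first."""
    browse = f"_{service}._{proto}.{domain}."
    # Step 1: the service-type enumeration must advertise this type at all
    if browse not in query(zone, f"_services._dns-sd._udp.{domain}.", "PTR"):
        return []
    instances = []
    for inst in query(zone, browse, "PTR"):        # Step 2: instance names
        for srv in query(zone, inst, "SRV"):       # Step 3: host and port
            prio, weight, port, target = srv.split()
            txt = dict(kv.split("=", 1) for kv in query(zone, inst, "TXT"))  # Step 4
            instances.append(ServiceInstance(inst, target.rstrip("."), int(port),
                                             int(prio), int(weight), txt))
    return sorted(instances, key=lambda i: (i.priority, -i.weight))
```

A device that uses this result for its broker endpoint only ever sees records that validated end to end; a single unvalidated RRset anywhere on the path aborts the lookup rather than degrading to a plain DNS answer.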
  11. What you should take away
      ★ LWM2M is great for managing constrained devices!
      ★ Californium 1.0 release expected for Nov 2015
      ★ Leshan 1.0 release to follow up shortly after
      ★ Tiaki helps with initial provisioning of devices (e.g. LWM2M clients) thanks to SECURE Service Discovery
      ★ Initial Contribution being processed; Tiaki not (yet) targeted at constrained devices, your help is needed to make that happen!
  12. Try it, get in touch :-)
      rpiccand@verisign.com
      kai.hudalla@bosch-si.com
