Network Working Group H. Tschofenig Internet-Draft ARM Ltd. Intended status: Best Current Practice February 14, 2014 Expires: August 18, 2014 Authentication and Authorization for Constrained Environments (ACE): Overview of Existing Security Protocols draft-tschofenig-ace-overview-00.txt Abstract This document surveys existing three party authentication and authorization protocols for use with Internet of Things use cases. The discussed protocol frameworks are Kerberos, OAuth, ABFAB, and the certificate model. The aim is to understand whether any of the available standardized security protocols are re-usable for constrained environments. A future version of this document will provide a more detailed analysis against the requirements. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 18, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Tschofenig Expires August 18, 2014 [Page 1] Internet-Draft ACE Overview February 2014 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction [I-D.seitz-ace-usecases] introduces a number of use cases that require device-to-device authentication whereby both devices may be constrained. [I-D.ietf-lwig-terminology] discusses the different types of constraints of these devices. This document aims to raise the high-level question about the possible re-use of existing three party authentication and key exchange protocols for use in IoT environments. This version of the document does not aim to map requirements derived from the use cases against these protocols. Such a detailed analysis is premature at this point when use case descriptions are still in flux. The starting assumption for the architectures in this document is that a device (a client) wants to access some resource (referred as service in this document). It unfortunately does not have any relationship with the server offering that service. Figure 1 shows the scenario graphically. +-----------+ no prior +-----------+ | Client | relationship | Service | | | | | +-----------+ +-----------+ Figure 1: Two Party Scenario. Imagine that the client is a light-switch and the service is a light- bulb. Today, companies solve this case by using a pairing protocol (at the link layer typically) where the two devices execute a special imprinting/pairing protocol to establish an initial key by using out- of-band (OOB) channel. This OOB channel can come in many forms: o Using an alternative communication channel, such as a USB stick, Ethernet cable o Human involvement by comparing hashed keys, entering passkeys, scanning QR codes o Second wireless connectivity (e.g., infrared) Tschofenig Expires August 18, 2014 [Page 2] Internet-Draft ACE Overview February 2014 o Proximity-based information The pairing is a suitable approach where wireless communication replaces a wired communication technology previously used. For example, a headset connected to a music player using a wired connection is replaced with the wireless version. Not all use cases do, however, allow users to pair their device with other devices upfront. Consider an enterprise with electronic door locks. It is hard to imagine an employee who has to pair their digital key with every door in the building first before they use the system. Requiring every device to pair with every other device upfront is often inconvenient or not feasible. Hence, this document does not explore pairing solutions further. To offer an improved user experience with better scalability properties a device might either share credentials with some trusted third party. There are various ways how credentials can be shared with these trusted third parties. For example, credentials may be provisioned during the manufacturing process or devices may have been paired with the trusted third party (in case the trusted third party is local to the user). In fact, today is it very common for IoT devices to have at least credentials pre-provisioned for use with the vendor / manufacturer of the device to allow software updates to be provided securely. Thus, we move to a model where the device (client) shares some credentials with a trusted third party. This trusted third party does not need to be a server on the Internet; ideally it could also be operated locally within someones' home, within an enterprise, or within a factory. This three party architecture is shown in Figure 2. Tschofenig Expires August 18, 2014 [Page 3] Internet-Draft ACE Overview February 2014 +-----------+ | Trusted | +--------------------------->|Third Party| | Key +-----------+ | ^ | | | | | | Key | | | | | | v v +-----------+ no prior +-----+-----+ | | relationship | | | Client | <..................>| Service | +-----------+ +-----------+ Figure 2: Three Party Scenario. This three party architecture and messaging pattern has been explored with prior IETF work and this document lists the most relevant efforts (on a high level). The goal of the communication exchange is that the client has been authorized to access the service, and is able to secure the exchange of information. The client and the service may, optionally, possess keying material for future use of the service with the benefit of better performance for future interactions. Note: This document does not aim to cover the use cases in their entirety. First, we assume that the security protocol interaction for link layer authentication is outside the scope. The focus of this document is on the application layer interactions when accessing services. Second, this document does not survey access control policy languages and mechanisms for managing these access control policies. These policies are important since many of the systems described below only provide an answer to the question 'Who is the holder of this key?' and standards for answering the question 'Can this key be used for this purpose?' (authorization) are often realized in a proprietary way. While Figure 1 shows three parties the protocols described in Section 2 have been generalized to four or even multi-party scenario. The result is shown in Figure 2. Tschofenig Expires August 18, 2014 [Page 4] Internet-Draft ACE Overview February 2014 +-----------+ +-----------+ | Trusted | Agreement w/key | Trusted | | Third |<-------------------->| Third | | Party A | | Party B | +-----------+ +-----------+ ^ ^ | | | Key | Key | | | | | | | | v v +-----------+ no prior +-----+-----+ | | relationship | | | Client | <..................>| Service | +-----------+ +-----------+ Figure 3: Generalization of Three Party Scenario. 2. Three Party Security Frameworks This section introduces four authentication and authorization frameworks standardized in the IETF. The description is intentionally kept at a high level and a reader is encouraged to consult the referenced documents for details and various options these protocols offer. The terminology with each of these protocols is lightly different and appropriate mappings have been applied. To demonstrate the level of maturity of these frameworks availability of products, source code, and deployment experience is mentioned for each of these frameworks. Note, however, that this experience does not imply suitability for use with the IoT environment. 2.1. Application Bridging for Federated Access Beyond Web Architecture This section describes the Application Bridging for Federated Access Beyond Web architecture [I-D.ietf-abfab-arch], which builds on the Authentication, Authorization and Accounting (AAA) framework. The AAA framework re-uses the Extensible Authentication Protocol (EAP) [RFC5247] and EAP methods for the authentication protocol capabilities. A detailed description of the AAA keying framework can be found in [RFC5247]. Tschofenig Expires August 18, 2014 [Page 5] Internet-Draft ACE Overview February 2014 +--------------+ | Identity | | Provider | | (IdP) | +-^----------^-+ * EAP o RADIUS * o * o +-------------+ +-v----------v--+ | | | | | Client | EAP/EAP Method | Relying | | |<****************>| Party | | | GSS-API | | | |<---------------->| | | | Application | | | | Data | | | |<================>| | +-------------+ +---------------+ Terminology Mapping: - The term 'Relying Party' corresponds to the 'service'. - The term 'Identity Provider' corresponds to the 'trusted third party'. Figure 4: ABFAB Architecture. With the message exchange shown in Figure 4 the client wants to obtain access to a service and starts interacting with that service. Since no prior relationship between the client and the service is assumed the EAP message exchanges is relayed by the service and the EAP server component of the IdP. Between the client and the service these EAP payloads are encapsulated within the GSS-API. After a successful authentication and authorization session keys are delivered from the IdP to the service and can then be used to secure the application layer data exchange between the client and the service. While the use of EAP and the AAA architecture has mostly found use for network access authentication the work on ABFAB applies this architecture to application layer services. Pros: o Re-uses existing protocols: RADIUS, GSS-API, EAP, EAP methods. Tschofenig Expires August 18, 2014 [Page 6] Internet-Draft ACE Overview February 2014 o Security properties of the AAA / EAP framework well studied and large deployments of the AAA framework exist. o Products and open source code exists for EAP, EAP methods, RADIUS, and the GSS-API. The extensions needed for ABFAB also have been implemented but they are less mature compared to the EAP/AAA deployment. o Large range of EAP methods available offering all possible authentication and key exchange protocols for authentication between the client and the AAA server. These mechanisms have been deployed and are in widespread use today. While many EAP methods have been standardized only a few are in widespread use in non-IoT environments. However, there are many (open source) implementations available such that further experience concerning IoT suitability can be gathered. o IoT devices might use the AAA/EAP architecture for network access authentication (e.g., WLAN-based, IEEE 802.15.4-based ZigBee-IP deployments). o The AAA framework also supports authentication in a federated environment. o Authorization information is conveyed within RADIUS (and potentially in SAML assertions, as envisioned by ABFAB). Cons: o The initial authentication and authorization exchange requires real-time interaction between the AAA server and the service. o Deployments have so far used this architecture mainly for network access and for specific applications (VoIP) only. Experience with other applications, as ABFAB envisions, is rather limited. o ABFAB architecture uses layering of EAP within the GSS-API, which adds additional overhead. A binding for the transport of EAP payloads in CoAP, for example, does not exist. o No unified authorization policy language has been defined for the AAA/EAP architecture. Instead, RADIUS attributes carry information about access control decisions. Tschofenig Expires August 18, 2014 [Page 7] Internet-Draft ACE Overview February 2014 2.2. Kerberos Kerberos [RFC4120] is authentication system for distributed environments that has enjoyed deployment for more than three decades. The security properties have been extensively studied and various implementations exist. +----------------+ | Authentication | | Server (AS) | +----------------+ ^ / Request / / Ticket / / / /Ticket / /{SK}C-KDC / / / / / / / v +-----------+ +-----------+ | | Ticket + Authenticator | | | Client |---------------------------->| Server | | |<===========================>| | +-----------+ Application Data +-----------+ Terminology Mapping: - The term AS corresponds to the 'trusted third party.' - The term Server corresponds to the 'service'. Figure 5: Kerberos. The Kerberos exchange shown in Figure 5 illustrates a client who wants to get access to a server. It first has to interact with the Authentication Server (AS) to request a ticket. In response, the AS provides a ticket, which is a data structure encrypted with a key known only between the server and the AS. This ticket includes information about the client, a session key (SK) for later use, and various other security relevant information elements. The client also obtains the session key encrypted with a key it shares with the AS. When a service access is required then the client interacts with the server and presents the ticket along with an Authenticator. The Authenticator demonstrates that the client was able to decrypt the session key with the key it shares with the AS and that it was able Tschofenig Expires August 18, 2014 [Page 8] Internet-Draft ACE Overview February 2014 to apply this key to compute a keyed message digest over several fields, including a time-stamp, when accessing the service. The time-stamp avoids replay attacks. Pros: o Re-uses existing protocol: Kerberos o Security properties well studied and large deployments exist. o Products and open source service exist. o Most parts of Kerberos, particularly the ticket concept, are designed with symmetric key cryptography, which improves performance. The Kerberos ticket is consequently fairly small and uses a binary encoding. o Kerberos also supports cross-realm authentication for scalable deployments. o Kerberos also specifies a UDP-based transport. o The message exchanges between the client and the service can be tailored to the need of the application. Cons: o Each ticket is only usable for a single service (intentionally). As such, new tickets have to be requested whenever the client wants to access a new service or when the ticket expired. o For the authentication between the client and the KDC a limited number of authentication protocols have been specified. o Kerberos uses ASN.1 for encoding of the ticket and various messages. This may increase implementation complexity but the binary encoding is more efficient than other encodings, like XML or JSON. o No standardized access control policy has been standardized for inclusion inside a ticket. Proprietary policies are, however, used in real-world deployments. o A CoAP binding for the KRB_PRIV and the KRB_SAFE message exchanges used to secure application data between the client and the service have not been defined. Tschofenig Expires August 18, 2014 [Page 9] Internet-Draft ACE Overview February 2014 2.3. OAuth The OAuth protocol is a recent development for the Web, which re-uses the Kerberos interaction pattern with influences from the Web / mobile app space. It initially aimed to solve the problem of delegated access to protected resources where websites asked users to share their long-term password. Over time OAuth has been used in other use cases that require delegated access. +-------------+ |Authorization| |Server (AS) | +-------------+ ^ / Request / / Access / / Token / /Access Token / / / / / / / / O / v /|\ +-----------+ +-----------+ | -----> | | Access Token | Resource | / \ <----- | Client |----------------->| Server | Resource | |<================>| (RS) | Owner +-----------+ Application Data +-----------+ Terminology Mapping: - The term AS corresponds to the 'trusted third party'. - The term RS corresponds to the 'service'. Figure 6: Simplified OAuth Architecture. Figure 6 shows the high-level OAuth message exchange. The canonical OAuth example allows a web user (resource owner) to grant a printing service (client) access to her private photos stored at a photo sharing service (resource server), without sharing her username and password. Instead, she authenticates directly with the authorization server which issues the printing service delegation-specific credentials. Pros: Tschofenig Expires August 18, 2014 [Page 10] Internet-Draft ACE Overview February 2014 o Re-uses existing protocols: OAuth Core [RFC6749], OAuth Bearer Token [RFC6750] OAuth MAC Token [I-D.ietf-oauth-v2-http-mac]/ HOTK [I-D.tschofenig-oauth-hotk], JWT [I-D.ietf-oauth-json-web-token]. o Large deployments in the Web environment exist, which use the OAuth Bearer Token. o Products and open source service exist. o OAuth is flexible with regard to the used cryptography. A standardized format for the access token has been described with the JSON Web Token (JWT). For security protection of the JWT various specifications from the JOSE working group are available. o The message exchanges between the client and the service can be tailored to the need of the application. Bindings are available for HTTPS and SASL [I-D.ietf-kitten-sasl-oauth]. o With regard to the offered security mechanism the interaction between the client and the resource server gives several choices: The OAuth Bearer Token requires a TLS exchange between the client and the resource server. The MAC Token specification is conceptually similar to Kerberos; a version based on asymmetric cryptography exists as well (see HOTK). Cons: o For an environment with more than one authorization server or where the authorization server is located in a different domain than the resource server the standardization work is still in progress. Efforts have mostly be done in Kantara with the User- Managed-Access (UMA) working group. o A binding for CoAP does not exist for the client to authorization server nor for the client to resource server. o The OAuth architecture does not standardize the authentication procedure of the resource owner to the authorization server itself. This is a common approach for the Web environment where a number of different authentication protocols are in use in the browser. As such, the protocol works with any authentication mechanism. 2.4. Certificate Model Prior work on the Public Key Infrastructure, certificate formats, certificate extensions, and various certificate management protocols can be re-used in the IoT context. With respect to the use cases Tschofenig Expires August 18, 2014 [Page 11] Internet-Draft ACE Overview February 2014 described in [I-D.seitz-ace-usecases] certificates may be short-lived and might need to contain attributes (which may be used for making access control decisions) rather than purely relying on the identity of users and their devices. For the purpose of dynamic provisioning short-lived certificates, this document envisions to re-use a subset of the functionality offered by protocols like the Certificate Management over CMS (CMC) [RFC5272], the Certificate Management Protocol (CMP) [RFC4210], the Simple Certificate Enrollment Protocol [I-D.nourse-scep], Certification Request Syntax Standard - PKCS#10 [RFC2315] (with TLS or with PKCS#7 [RFC2986] ). While these protocols offer slightly different features, on a high-level the all fulfill the same function. Note that the management of trust anchors may be provided by a different protocol, such as Trust Anchor Management Protocol (TAMP) [RFC5934]. Of course, certificates do not necessarily need to be short-lived and could even be provisioned during the manufacturing process and never changed during the lifetime of the device. The drawback of such an approach is, however, that mechanisms for certificate revocation have to be provided. Furthermore, privacy concerns might be arise since the same client certificate content will be shown to every service rather than information that is only relevant for a specific purpose. +-------------+ |Certification| | Authority | +-------------+ ^ / Request / / (Short) / / Lived / /(Short) Lived Cert / / Certificate / / / / / / / v +-----------+ +-----------+ | | DTLS with certificate | | | | or app layer msg w/cert | | | Client |---------------------------->| Service | | |<===========================>| | +-----------+ Application Data +-----------+ Figure 7: Certificate Model. Tschofenig Expires August 18, 2014 [Page 12] Internet-Draft ACE Overview February 2014 Pros: o Re-uses existing protocols: DTLS (or application protocol), CMP/ CMC/PKCS#10/SCEP, specifications (certificate format - RFC 6818 [RFC6818]), and concepts (PKI). o Large deployments on the Web and with enterprise system exist. o Products and open source code exists. o The certificate format offers flexibility in terms of content. New extensions have been defined over time. o Certificates can be used with DTLS without any additional modifications. Certificates can also used with application security mechanisms. o Authorization information may be placed in an extension of a public key certificate or in a separate attribute certificate [RFC3281]. Earlier work on KeyNote [RFC2704]could be re-used as it provides a more flexible authorization policy language. o A single certificate can be used with a number of different services. o Various PKI management protocols have been defined and they offer some flexibility. The properties vary on the specific use cases. Cons: o The certificate format and the PKI management protocols use ASN.1. o No UDP or CoAP transport is defined for CMC/CMP/SCEP. For PKCS#10 no transport is defined at all. o The public key infrastructure only focuses on asymmetric cryptography. A separate body of work is available for provisioning symmetric keys (like one-time-keys), such as the Portable Symmetric Key Container (PSKC) [RFC6030] and Dynamic Symmetric Key Provisioning Protocol (DSKPP) ([RFC6063]). o Protocols for certificate enrollment are in use but many deployments use their own strategy for distributing certificates (typically long-lived) to their users. o Asymmetric cryptography is computationally more expensive than symmetric cryptography but offers additional security benefits. Tschofenig Expires August 18, 2014 [Page 13] Internet-Draft ACE Overview February 2014 3. Conclusion Several existing protocols can be used to meet the use cases outlined in [I-D.seitz-ace-usecases]. Each technology presented here offers a number of possibilities for profiling to make them work on for constrained devices. Despite the range of available security protocols, the use cases suggest that there is a need to profile and to extend those in order to make them fit for the constrained environment. The right choice of authentication and authorization protocol will heavily depend on the envisioned usage environment. It is, however, also worth noting that several aspects that are not discussed in this document although they appear as requirements in the use case document, namely o a language for describing access control policies, o the encoding of these policies, and o the container for associating these policies with keying material. 4. Security Considerations This entire document is about security. 5. IANA Considerations This document does not require any actions by IANA. 6. Acknowledgements The author would like to thank Stefanie Gerdes for her review comments. 7. Informative References [I-D.ietf-abfab-arch] Howlett, J., Hartman, S., Tschofenig, H., Lear, E., and J. Schaad, "Application Bridging for Federated Access Beyond Web (ABFAB) Architecture", draft-ietf-abfab-arch-10 (work in progress), December 2013. [I-D.ietf-kitten-sasl-oauth] Mills, W., Showalter, T., and H. Tschofenig, "A set of SASL Mechanisms for OAuth", draft-ietf-kitten-sasl- oauth-12 (work in progress), December 2013. Tschofenig Expires August 18, 2014 [Page 14] Internet-Draft ACE Overview February 2014 [I-D.ietf-lwig-terminology] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained Node Networks", draft-ietf-lwig-terminology-06 (work in progress), December 2013. [I-D.ietf-oauth-json-web-token] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", draft-ietf-oauth-json-web-token-15 (work in progress), January 2014. [I-D.ietf-oauth-v2-http-mac] Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth 2.0 Message Authentication Code (MAC) Tokens", draft-ietf- oauth-v2-http-mac-05 (work in progress), January 2014. [I-D.nourse-scep] Pritikin, M., Nourse, A., and J. Vilhuber, "Simple Certificate Enrollment Protocol", draft-nourse-scep-23 (work in progress), September 2011. [I-D.seitz-ace-usecases] Seitz, L., Gerdes, S., and G. Selander, "ACE use cases", draft-seitz-ace-usecases-00 (work in progress), February 2014. [I-D.tschofenig-oauth-hotk] Bradley, J., Hunt, P., Nadalin, A., and H. Tschofenig, "The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage", draft-tschofenig-oauth-hotk-03 (work in progress), January 2014. [RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315, March 1998. [RFC2704] Blaze, M., Feigenbaum, J., Ioannidis, J., and A. Keromytis, "The KeyNote Trust-Management System Version 2", RFC 2704, September 1999. [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request Syntax Specification Version 1.7", RFC 2986, November 2000. [RFC3281] Farrell, S. and R. Housley, "An Internet Attribute Certificate Profile for Authorization", RFC 3281, April 2002. Tschofenig Expires August 18, 2014 [Page 15] Internet-Draft ACE Overview February 2014 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005. [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, September 2005. [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008. [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS (CMC)", RFC 5272, June 2008. [RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Management Protocol (TAMP)", RFC 5934, August 2010. [RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key Container (PSKC)", RFC 6030, October 2010. [RFC6063] Doherty, A., Pei, M., Machani, S., and M. Nystrom, "Dynamic Symmetric Key Provisioning Protocol (DSKPP)", RFC 6063, December 2010. [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012. [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, October 2012. [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 6818, January 2013. Author's Address Hannes Tschofenig ARM Ltd. 110 Fulbourn Rd Cambridge CB1 9NJ Great Britain Email: Hannes.tschofenig@gmx.net URI: http://www.tschofenig.priv.at Tschofenig Expires August 18, 2014 [Page 16]