All Rights Reserved | FIDO Alliance | Copyright 2017
THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS
FIDO ALLIANCE WEBINAR, MARCH 28, 2017
INTRODUCTION TO THE FIDO ALLIANCE
ANDREW SHIKIAR, SENIOR DIRECTOR OF MARKETING
MARCH 28, 2017
THE FACTS ON FIDO
The FIDO Alliance is an open, global industry association of 250+ organizations with a focused mission: AUTHENTICATION STANDARDS based on public key cryptography to solve the password problem
300+ FIDO Certified solutions
3 BILLION+ available to protect user accounts worldwide
Today, its members provide the world’s largest ecosystem for standards-based, interoperable authentication
DRIVEN BY 250 MEMBERS
Board of Directors comprised of leading global brands and technology providers
+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS
WHY FIDO? The World Has a Password Problem
Security
Usability
63% of data breaches in 2015 involved weak, default, or stolen passwords - Verizon 2016 Data Breach Report
For users, they’re clumsy, hard to remember and they need to be changed all the time
65% increase in phishing attacks over the number of attacks recorded in 2015 - Anti-Phishing Working Group
There were 1093 data breaches in 2016, a 40% increase from 2015 - Identity Theft Resource Center, 2016
[Chart: Security (Weak to Strong) vs. Usability (Poor to Easy), plotting PASSWORDS]
WHY FIDO? OTPs improve security but aren’t easy enough to use - and are still phishable
SMS RELIABILITY
TOKEN NECKLACE
USER CONFUSION
STILL PHISHABLE
[Chart: Security (Weak to Strong) vs. Usability (Poor to Easy), plotting OTPs]
THE WORLD HAS A “SHARED SECRETS” PROBLEM
WE NEED A NEW MODEL
HOW ARE WE DOING IT?
ECOSYSTEM
STANDARDS
DEPLOYMENTS
USER EXPERIENCE
HOW OLD AUTHENTICATION WORKS
ONLINE CONNECTION
The user authenticates themselves online by presenting a human-readable “shared secret”
HOW FIDO AUTHENTICATION WORKS
LOCAL CONNECTION: The user authenticates “locally” to their device (by various means)
ONLINE CONNECTION: The device authenticates the user online using public key cryptography
SIMPLER AUTHENTICATION
Reduces reliance on complex passwords
Single gesture to log on
Same authentication on multiple devices
Works with commonly used devices
Fast and convenient
STRONGER AUTHENTICATION
Based on public key cryptography
No server-side shared secrets
Keys stay on device
No 3rd party in the protocol
Biometrics, if used, never leave device
No link-ability between services or accounts
[Chart: Security (Weak to Strong) vs. Usability (Poor to Easy), plotting FIDO]
FIDO — A NEW PARADIGM: STRONGER & SIMPLER = authentication
FIDO-ENABLED APPS + SERVICES
3 BILLION AVAILABLE TO PROTECT ACCOUNTS WORLDWIDE
BUT WAIT…
THE WORLD HAS AN IOT SECURITY PROBLEM
WE NEED A NEW AUTHENTICATION MODEL FOR CONNECTED USERS & DEVICES
THANK YOU
ANDREW SHIKIAR, SR. DIRECTOR OF [email protected]
THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS
ROLF LINDEMANN, NOK NOK LABS
[Cartoon caption:] Thanks to this app you can maneuver the new Forpel using your smartphone! Too bad it’s not my car.
What’s the challenge?
Source: HP Enterprise IoT Home Security Systems
Context
Secure firmware protects one “healthy” part from infected parts
Strong authentication makes sure only legitimate entities get access (focus of today’s presentation)
Need a strong foundation, e.g. a CPU supporting ARM TrustZone, Intel SGX, etc.
Scope
Cloud Services: addressed by FIDO & W3C Web Authentication, not the core focus of this talk
Scope
Cloud Services
“Primary interaction” devices, i.e. devices a) which we typically have in our possession and b) that have a user interface
Devices that are not primary interaction devices, e.g. smart light bulbs, WIFI routers, smart fridges, smart thermostats, connected cars, smart door locks, …
Primary Interaction Devices
• Primary interaction devices have the capability to verify the user through their user interface.
• They can connect to another device or to a cloud service.
• They can implement a FIDO Authenticator, allowing the user to strongly and conveniently authenticate to devices or cloud services. Trusted Execution Environments and/or Secure Elements add security.
Scope
Focus of this talk: User to standalone devices
Scope
Cloud Services
Focus of this talk: User to cloud-connected devices
Scope
Cloud Services
Device-to-Device Authentication
Device-to-Cloud Authentication
Background
[Diagram: IoT devices inside a perimeter; an infected device on the Internet; attacks]
Attack Scenarios
1. Exploit firmware vulnerabilities. TrustZone for ARMv8-M provides protection layers that help keep attacks local to one software module (“enclave”). Not in focus of this talk.
2. Enter at the front door: impersonate the user. Need strong authentication to protect against such attacks. Our focus.
[Diagram: two IoT devices; legitimate authentication next to the two attack paths]
User to Device Authentication
User to Device interaction
Device without keyboard and display: ?
User to Device interaction
IoT Device without keyboard and display
User needs some computing device with user input interface and display
Security: the Device could be infected, so users don’t want to reveal bearer tokens (like passwords, etc.) to it
The Device only “sees” some other Device – no user. How can the Device know whether there is a user and whether the other device is trusted?
Convenience: Devices want to support arbitrary user verification methods, e.g. PINs, Fingerprint, Face, … - with limited computing power
… did we see that before?
[Diagram: Device, connected over TLS / DTLS or another secure channel]
See https://fidoalliance.org/events/fido-alliance-seminar-hongkong/
User to Device Authentication
[Diagram: Authenticator (user verification) — FIDO Authentication — IoT Device]
Authenticator: require user gesture before the private key can be used; private key dedicated to one app
IoT Device: holds the public key; sends Challenge, receives (Signed) Response
First Authenticator Registration (Example)
1. IoT Device in factory default settings state
2. Press “register button”
3. Start registration process (for first authenticator)
Standalone Devices
[Diagram: User to standalone devices, e.g. Smart Light Bulbs, WIFI Router, …; Cloud Services]
Devices with Cloud Dependency
[Diagram: Cloud Services; user to cloud-connected devices, e.g. Rental Cars, Door locks, Parcel Lockers, Thermostats, …]
Cloud Dependency: we want the cloud service to be able to grant a specific user access to the device
But: do not rely on a stable internet connection at the time of access
How does it work with central authorization infrastructure?
[Diagram: Mobile App (FIDO Stack, SDK), Cloud Service, Device]
0. (OOB) Inject trust anchor
1. Traditional FIDO Registration (one-time)
2. Traditional FIDO Authentication
3. Signed JWT w/ PoP (FIDO Uauth) Public Key (see RFC 7800)
JOSE Header:
{"kid": "1e8gfc4", "alg": "ES256"}
JOSE Payload:
{"iss": "https://server.example.com",
 "aud": "https://client.example.org",
 "exp": 1361398824,
 "cnf": {
  "jwk": {"kty": "EC", "use": "sig", "crv": "P-256",
          "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
          "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"}
 }
}
JWS signature, computed by Cloud Service
How does it work with central authorization infrastructure?
[Diagram: Mobile App (FIDO Stack, SDK), Cloud Service, Device]
0. (OOB) Inject trust anchor
1. Traditional FIDO Registration (one-time)
2. Traditional FIDO Authentication
3. Signed JWT w/ PoP (FIDO Uauth) Public Key (see RFC 7800)
4. FIDO Authentication to device with signed JWT w/ PoP (FIDO) Public Key as additional data
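The token handling in steps 0 to 4 above, as an added Go example (not code from the deck, Nok Nok Labs or the FIDO Alliance): the cloud service issues the signed JWT whose cnf.jwk carries the authenticator's PoP public key, and the device validates it against the trust anchor injected at step 0 before it will accept a FIDO response under that key. Assumed: P-256/ES256 keys on both sides, an audience string that names the device, a Unix-time expiry, and a header without the slide's kid; the function names and error strings are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func be32(n *big.Int) []byte    { return n.FillBytes(make([]byte, 32)) }
func sha(s string) []byte       { h := sha256.Sum256([]byte(s)); return h[:] }
func dec(s string) []byte       { b, _ := b64.DecodeString(s); return b }

// issuePoPToken is step 3 on the cloud service: an ES256 JWS (raw R||S signature, as JWA requires)
// whose cnf.jwk (RFC 7800) binds the authenticator's public key to one device (aud) and an expiry.
func issuePoPToken(cloudKey *ecdsa.PrivateKey, aud string, pop *ecdsa.PublicKey, exp int64) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(be32(pop.X)), "y": b64.EncodeToString(be32(pop.Y))}
	payload, _ := json.Marshal(map[string]interface{}{"aud": aud, "exp": exp, "cnf": map[string]interface{}{"jwk": jwk}})
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(payload)
	r, s, err := ecdsa.Sign(rand.Reader, cloudKey, sha(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(be32(r), be32(s)...)), nil
}

// verifyPoPToken is the device side: verify the cloud signature with the step-0 trust anchor, check aud and exp,
// and return the PoP key the step-4 FIDO response must be signed with. The header's alg is never consulted.
func verifyPoPToken(anchor *ecdsa.PublicKey, token, deviceID string, now int64) (*ecdsa.PublicKey, error) {
	hdr, rest, _ := strings.Cut(token, ".")
	payload, sigB64, _ := strings.Cut(rest, ".")
	sig := dec(sigB64)
	if len(sig) != 64 || !ecdsa.Verify(anchor, sha(hdr+"."+payload), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("cloud signature invalid")
	}
	var c struct{ Aud string; Exp int64; Cnf map[string]map[string]string } // encoding/json matches aud/exp/cnf case-insensitively
	err := json.Unmarshal(dec(payload), &c)
	pop := &ecdsa.PublicKey{Curve: anchor.Curve, X: new(big.Int).SetBytes(dec(c.Cnf["jwk"]["x"])), Y: new(big.Int).SetBytes(dec(c.Cnf["jwk"]["y"]))}
	if err != nil || c.Aud != deviceID || now >= c.Exp || c.Cnf["jwk"]["crv"] != "P-256" || !pop.Curve.IsOnCurve(pop.X, pop.Y) {
		return nil, errors.New("claims or cnf key rejected")
	}
	return pop, nil
}
```

The key returned by verifyPoPToken is what the device uses in step 4 to check the authenticator's signed response; anchor distribution and the FIDO registration of steps 1 and 2 happen outside this block.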
Gallagher Unlocks the Internet of Things with Nok Nok
Source: Philafrenzy, Wikipedia
Source: Klaus Mueller, Wikipedia
Device to Device & Device to Cloud Authentication
Scope
[Diagram: Device to device authentication; User to device authentication]
User to Device Authentication
[Diagram: Authenticator (user verification) — FIDO Authentication — IoT Device]
Authenticator: require user gesture before the private key can be used; private key dedicated to one RP
IoT Device: holds the public key; sends Challenge, receives (Signed) Response
How an Authenticator verifies the user, and whether it verifies the user at all, depends on the Authenticator model and is represented in the Metadata Statement.
Device to Device Authentication
[Diagram: Authenticator — FIDO Authentication (Challenge / (Signed) Response) — IoT Device holding the public key]
There are “Silent” Authenticators, never requiring any user interaction … and such an Authenticator might be embedded in a device.
Device to Cloud Authentication
[Diagram: Authenticator — FIDO Authentication (Challenge / (Signed) Response) — Cloud Service holding the public key]
It makes no difference to the IoT device nor to the FIDO Authenticator whether it authenticates to another device or to a cloud service … and the Authenticator can be embedded in smart fridges, smart thermostats and other IoT devices.
Conclusion
1. Authentication is the first experience of users with services and several device types.
2. Authentication needs to be convenient for the user and strong enough for the purpose.
3. We can do better than passwords + OTP. Look at the FIDO specifications for strong & convenient authentication, see www.fidoalliance.org.
4. FIDO supports “silent” Authenticators. These Authenticators can be implemented in IoT devices.
5. FIDO authentication responses can be verified in small devices, allowing FIDO authentication to those IoT devices.
6. FIDO can be combined with PoP Keys (RFC 7800) in order to support authentication to “cloud connected” IoT devices.
FIDO Authenticator Concept
[Diagram: FIDO Authenticator components]
User Verification / Presence
Attestation Key: injected at manufacturing, doesn’t change
Authentication Key(s): generated at runtime (on Registration)
Optional Components: Transaction Confirmation Display
Silent Authenticators
1. Definition, see FIDO Glossary
2. User Verification Method, see FIDO Registry
3. Metadata Statement, see FIDO Metadata Statements
FIDO Registration
[Sequence diagram: Relying Party (example.com) — Platform — Authenticator]
Relying Party → Platform: accountInfo, challenge, [cOpts]
Platform: select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}
Platform → Authenticator: rpId, ai, hash(clientData), cryptoP, [exts]
Authenticator: verify user; generate key kpub / key kpriv; credential c
Authenticator → Platform: c, kpub, clientData, ac, cdh, rpId, cntr, AAGUID[, exts], signature(tbs)
Platform → Relying Party: c, kpub, clientData, ac, tbs, s
Relying Party: store key kpub, c, s
cOpts: crypto params, credential black list, extensions
ac: attestation certificate chain
FIDO Authentication
[Sequence diagram: Authenticator — Platform — Relying Party]
Relying Party → Platform: challenge, [aOpts]
Platform: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData}
Platform → Authenticator: rpId, [c,] hash(clientData)
Authenticator: verify user; find key kpriv; cntr++; process exts
Authenticator → Platform: clientData, cntr, [exts], signature(cdh, cntr, exts)
Platform → Relying Party: clientData, cntr, exts, s
Relying Party: lookup kpub from DB; check exts + signature using key kpub
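The authentication sequence in the diagram above, as an added Go example (not FIDO Alliance or Nok Nok Labs code): the authenticator increments cntr and signs cdh together with cntr using kpriv, and the relying party (here the IoT device) checks rpId and challenge inside clientData, the signature under the stored kpub, and that cntr moved forward. Assumed and constructed for the example: clientData as a small JSON object, the signed message as sha256(cdh || cntr) with a raw R||S signature, and no tlsData or extension handling; none of this is the FIDO wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"math/big"
)

// newKey stands in for kpriv/kpub generated by the authenticator at registration; the RP keeps kpub.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// toBeSigned is the digest both sides compute: cdh = hash(clientData), then hash(cdh || cntr).
// This layout is constructed for the example; it is not the FIDO wire format.
func toBeSigned(clientData []byte, cntr uint32) []byte {
	cdh := sha256.Sum256(clientData)
	d := sha256.Sum256(binary.BigEndian.AppendUint32(cdh[:], cntr))
	return d[:]
}

// authenticate is the authenticator's step: verify user (out of scope here), cntr++, then sign
// cdh and cntr with kpriv. clientData itself is built by the platform, not by the authenticator.
func authenticate(priv *ecdsa.PrivateKey, cntr *uint32, clientData []byte) ([]byte, error) {
	*cntr++
	r, s, err := ecdsa.Sign(rand.Reader, priv, toBeSigned(clientData, *cntr))
	if err != nil {
		return nil, err
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...), nil
}

// verify is the RP side (here the IoT device): check rpId and challenge inside clientData, the
// signature under the stored kpub, and that cntr increased; it returns the counter value to store.
func verify(kpub *ecdsa.PublicKey, rpId, challenge string, lastCtr uint32, clientData []byte, cntr uint32, sig []byte) (uint32, error) {
	var cd struct{ Challenge, RpId string } // encoding/json matches "challenge" and "rpId" case-insensitively
	if json.Unmarshal(clientData, &cd) != nil || cd.Challenge != challenge || cd.RpId != rpId {
		return lastCtr, errors.New("clientData is not for this RP and challenge")
	}
	if len(sig) != 64 || !ecdsa.Verify(kpub, toBeSigned(clientData, cntr), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return lastCtr, errors.New("signature does not verify under kpub")
	}
	if cntr <= lastCtr { // a cloned authenticator shares kpriv but not the live counter
		return lastCtr, errors.New("counter did not increase")
	}
	return cntr, nil
}
```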