oauth 2.0 and the internet of things (iot) (jacob ideskog)

OAuth 2.0 and The Internet of ThingsA brief overview of security architecture in the world of IoTJacob Ideskog – Identity Specialist at Twobo Technologies

Copyright © 2016 Twobo Technologies AB. All rights reserved

OAuth 2.0


OAuth


Actors


Resource Owner (RO) Authorization Server (AS)

ClientResource Server (RS)

Actors




This user

Actors




Wants this app

Actors




To access data HERE

Actors


Resource Owner (RO)

Authorization Server (AS)


Authentication Server

The client requests access to a Resource


Resource Owner (RO)

Client


Resource Server (RS)


The AS requires the RO to authenticate


Resource Owner (RO)

Client




The AS issues the tokens


Resource Owner (RO)

Client




The Client presents the token to the RS


Resource Owner (RO)

Client





The RS validates the Token


Resource Owner (RO)



Access!


Resource Owner (RO)

Client




A note about the access token


$

Why did that work?


Zoom in


Resource Owner (RO)

Client





Resource Owner (RO)

Client




- Everybody must use TLS- We know who we talk to- We use Bearer tokens- We encrypt the communication- Massive trust infrastructure


Constrained environments


Problems


- Battery powered- Mostly or always offline- Limited calculation

capabilities- Attractive target for attack

Protocols


XMPP

HTTPHTTP/2CoAP

Custom

Security


Example 1


We’re lacking the central point of trust (PKI)


Back to OAuth



Prove who you are


Prove who you are


User Authentication Device Authentication

Start as usual




Start as usual




authorization_code = XYZ

Start as usual




authorization_code = XYZ

The user is authenticated

OAuth with Proof of Possession



client_id = device123client_secret = supersecretscope = read_ekgaudience = ekg_device_ABCauthorization_code = XYZ...key = a_shortlived_key

Request access token

Provide ephemeral key




access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id




access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id

The client is authenticated




access_token”start_session”



Authorization Server (AS)access_token



Authorization Server (AS)key




OK

Disconnected devices


Example 2


Disconnected flow



Client Resource Server (RS)

client_id = ekg_device_ABCclient_secret = supersecretscope = read_resultaudience = connected_tube_123token = original_token...key = a_shortlived_key

Disconnected flow




access_token (JWT)

The JWT with a JWE


Header:{ "alg": "RS256", ... }

Body:{ "iss": "issuer.company.com", "sub": "24400320”, "aud": "connected_tube_123", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf": { "jwe": "eyJhbGciOiJSU0...”}

Header:{ "alg": "RSA-OAEP", "enc": "A128CBC-HS256”}

Body:{ ... "kty": "oct", "alg": "HS256", "k": "ZoRSOrFzN_FzUA5XKMYoVHyzf...” ... }

signed encrypted

But with IoT we can use:


CWTCBOR Web Token (CWT)

Pre-provisoned with AS Trust




Disconnected flow




access_token (JWT)

Disconnected flow




1. Validate JWT2. Extract JWE3. Decrypt JWE

Disconnected flow




OK

Disconnected flow




Summary


• OAuth is all about Trust• OAuth depends on TLS

• With Proof of Posession it can solve IoT

• Constrained environments can be

• Online or offline• Pre-provisioned with Trust• Does not depend on TLS

oauth 2.0 and the internet of things (iot) (jacob ideskog)

Technology