We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything we’ve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.
IDENTITY
SECURITY BEGINS WITH IDENTITY

Identity mechanisms in use today:
- User name and password
- Smartcard
- Biometrics
- Certificate
- API key (for example AE5021 B3209A FEA409)

Identity is the basis for trust: a party can only be trusted once it has been identified.

APPLYING THESE MECHANISMS TO IOT AND M2M
The same mechanisms fall into two classes: programmatic (for example an API key such as AE5021 B3209A FEA409, or a certificate) and physical (smartcard, biometrics). Machines talking to machines need the programmatic kind.
CERTIFICATES
PUBLIC KEY INFRASTRUCTURE (PKI)
- Trusted and well established technology
- Allows for mutual authentication
- Can be used for message signing

CERTIFICATES - COST
$$$$$ $$$$$ $$$$$
Every CA-issued certificate costs money, and that per-device cost multiplies at IoT scale.

CERTIFICATES - SECURITY - REVOCATION
Revocation depends on the issuing Certificate Authority publishing it and on every relying party checking it:
- Certificate Revocation List (CRL): the relying party downloads the CA's list of revoked certificates
- Online Certificate Status Protocol (OCSP): the relying party asks the CA's responder about one certificate

CERTIFICATES - SECURITY - TRUST
Trust is anchored in the relying party's store of Certificate Authorities. Any CA in that store can issue a certificate for device123.example.com: a certificate from Certificate Authority A and one from Certificate Authority B are both accepted, so a device's identity is only as trustworthy as the weakest CA in the store.

CERTIFICATES - MANAGEMENT
Issuing, renewing and revoking certificates has to be done for every device in the fleet.

CERTIFICATES - INTEROPERABILITY
A device certified by the FOO.COM certificate authority and a platform that trusts the BAR.COM certificate authority cannot validate each other until each side trusts the other's CA.

CHALLENGES
How do we deploy PKI at Internet of Things scale?
- Keep cost low
- Be interoperable
- Deploy at scale
- Improve security
DANE
DNS-BASED AUTHENTICATION OF NAMED ENTITIES

DNSSEC provides a secure global registry:
- Highly scalable
- Globally distributed
- Resilient
- Standards based
- Ubiquitous
- Secure: cryptographically signed, supports delegation

Chain of trust, each zone's key vouched for by the zone above it:
. root key
.com key
.example.com key
zone.example.com records

DANE (RFC 6698) establishes a new DNS record type, TLSA, that allows publishing of certificate data in DNS. Data integrity is validated by the DNSSEC cryptographic signature chain.
- Effectively replaces the local CA store as the means of validating certificates
- Allows records to be queried in real time
- Allows records to be cached for a specific amount of time (the record's TTL)
- Removes the need for CRLs and OCSP: a key is revoked by removing or replacing its record, which takes effect once cached copies expire
- Can work with CA issued certificates or self signed certificates
DEVICE PROVISIONING AND AUTHENTICATION WITH DANE
Parties: Sensor (holding its keys), DNS Registry (device1.example.com, device2.example.com, device3.example.com, device4.example.com, device5.example.com, ... deviceX.example.com), Recursive DNS Server, IoT Platform.

Device provisioning
1. Device creates a public/private keypair.
2. Public key is published in DNS: a DNS "TLSA" record maps the device name to the public key. The device only needs a name; it does not need a published IP address.

Authentication
3. Sensor initiates a TLS connection to the IoT Platform.
4. The TLS handshake includes the device name and public key (the device's client certificate).
5. IoT Platform queries secure DNS, through its recursive DNS server, for the public key published for that device name.
6. IoT Platform retrieves the public key from the secure DNS server.
7. IoT Platform compares the device's published key with the key used during negotiation (= ?).
8. The keys match, so the client certificate is validated.
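The TLSA record described under RFC 6698 above, and the publish-then-compare flow of steps 1 to 8, as an added example that is not part of the original slides. It builds the device's TLSA record at provisioning time (certificate usage 3, selector 1, matching type 1: SHA-256 of the SubjectPublicKeyInfo) and performs the platform-side comparison at connection time. The SPKI byte strings, the in-memory "registry" standing in for the DNS zone, and the use of port 443/tcp in the owner name are constructed assumptions; a real deployment takes the SPKI from the presented certificate and the record from a DNSSEC-validated lookup.

```python
"""Added example (not from the slides): DANE TLSA record handling for IoT device keys."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 6698 field values used in this example.
USAGE_DANE_EE = 3      # certificate usage 3: match the end-entity certificate itself
SELECTOR_SPKI = 1      # selector 1: match on the SubjectPublicKeyInfo, not the full cert
MATCHING_FULL = 0      # matching type 0: association data is the selected data itself
MATCHING_SHA256 = 1    # matching type 1: SHA-256 of the selected data
MATCHING_SHA512 = 2    # matching type 2: SHA-512 of the selected data

# Constructed sample keys (a P-256 SPKI header followed by made-up point bytes); not real keys.
_P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
SAMPLE_DEVICE_SPKI = _P256_SPKI_PREFIX + b"\x04" + bytes(range(64))
SAMPLE_ROGUE_SPKI = _P256_SPKI_PREFIX + b"\x04" + bytes(range(64, 128))


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_presentation(self) -> str:
        """RFC 6698 section 2.2 presentation format, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        usage, selector, matching, data = text.split(None, 3)
        return cls(int(usage), int(selector), int(matching), bytes.fromhex(data.replace(" ", "")))

    def to_wire(self) -> bytes:
        """RFC 6698 section 2.1 RDATA: three one-octet fields then the association data."""
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.data

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSARecord":
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA too short")
        usage, selector, matching = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, matching, rdata[3:])


def tlsa_name(device_name: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA record: _port._proto.host (RFC 6698 section 3). Port is assumed."""
    return f"_{port}._{proto}.{device_name}"


def association_data(spki_der: bytes, matching_type: int) -> bytes:
    """Apply the matching type to the selected data (here always the SPKI)."""
    if matching_type == MATCHING_FULL:
        return spki_der
    if matching_type == MATCHING_SHA256:
        return hashlib.sha256(spki_der).digest()
    if matching_type == MATCHING_SHA512:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def provision_record(spki_der: bytes) -> TLSARecord:
    """Provisioning (steps 1-2): the record to publish for a freshly generated device key."""
    return TLSARecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256,
                      association_data(spki_der, MATCHING_SHA256))


def presented_key_matches(record: TLSARecord, presented_spki_der: bytes) -> bool:
    """Platform check (step 7): does the key from the handshake match the published record?"""
    if record.usage != USAGE_DANE_EE or record.selector != SELECTOR_SPKI:
        raise ValueError("this example only implements usage 3 / selector 1")
    expected = association_data(presented_spki_der, record.matching_type)
    return hmac.compare_digest(expected, record.data)


def build_registry(devices: Dict[str, bytes]) -> Dict[str, TLSARecord]:
    """Constructed stand-in for the signed DNS zone: owner name -> TLSA record."""
    return {tlsa_name(name): provision_record(spki) for name, spki in devices.items()}


def authenticate(registry: Dict[str, TLSARecord], device_name: str, presented_spki: bytes) -> bool:
    """Steps 5-8: look the device up by name and compare; no record means no validation."""
    record: Optional[TLSARecord] = registry.get(tlsa_name(device_name))
    if record is None:
        return False
    return presented_key_matches(record, presented_spki)


if __name__ == "__main__":
    registry = build_registry({"device123.example.com": SAMPLE_DEVICE_SPKI})
    for owner, rec in registry.items():
        print(f"{owner}. IN TLSA {rec.to_presentation()}")
    print("genuine key accepted:", authenticate(registry, "device123.example.com", SAMPLE_DEVICE_SPKI))
    print("rogue key accepted:  ", authenticate(registry, "device123.example.com", SAMPLE_ROGUE_SPKI))
```

Two caveats a practitioner will want. The comparison is only as strong as the lookup: the platform must insist on a DNSSEC-validated answer (a validating resolver it trusts, or local validation), otherwise the "registry" is just unsigned DNS and anyone who can spoof it can publish a key for device123.example.com. And RFC 6698 specifies TLSA for authenticating TLS servers; applying the same record and matching rules to device (client) certificates is the extension the slides describe, so the client-side semantics, including which port goes in the owner name, are a deployment decision rather than something the RFC fixes.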
DANE - ADVANTAGES OF DANE
- Highly scalable
- Economically viable
- Highly secure
- Limited scope of trust: only the owner of the zone can publish keys for names in it
- Instant revocation: remove or replace the record
- Transparency
WHAT NOW?
COMMUNITY ENGAGEMENT Working with the community on DANE enablement across the stack including crypto libraries and common runtime frameworks.
FEEDBACK We'd love to talk! email us at [email protected]