
Identity for IoT: An Authentication Framework for the IoT

John Bradley, Ping Identity, gave this presentation at the AllSeen Alliance's Partner Programme at Mobile World Congress 2015.

About Ping Identity: Ping Identity provides next-generation identity security solutions. With more than 1,200 enterprise customers worldwide, including half of the Fortune 100, Ping Identity delivers professional-grade identity security solutions that meet the needs of organizations managing workforce, customer, and partner identities. Identity at Internet scale is a concept that will be required as the industry builds services that encompass billions of connected devices and identities.

1. An Authentication Framework for the IoT
   John Bradley
   Copyright © 2014 Ping Identity Corp. All rights reserved.

2. Premise
   • The full promise of the Internet of Things (IoT) can only be realized if the many and varied interactions between users, things, cloud services and applications can be authenticated.
   • User-delegated consent will be necessary for any scenario where potentially privacy-sensitive data is collected and transferred (wearables, home automation, health, etc.).
   • OAuth 2.0 and OpenID Connect 1.0 are two authentication and authorization standards that promise to serve as important tools for the IoT's authentication and authorization requirements.

3. Who are the actors?
   • Things/devices
   • Users
   • Applications
   • Clouds
   • Gateways

4. Who are the actors?
   • Things/devices
   • Users
   • Applications
   • Clouds
   • Gateways
   All of which need to be authenticated.

5. Authentication & Authorization Model
   • IoT actors authenticate by presenting security tokens on their calls/messages to each other.
   • Tokens represent the relationship between the relevant user and the calling actor (and any consents/permissions associated with that relationship).
   • Upon receiving a message, an actor validates the token to verify that the request is consistent with the relationship/permissions.
   • If consent is removed, the token is revoked and access is disabled.
   • OAuth 2.0 & OpenID Connect 1.0 are two authentication & authorization frameworks that enable this model.

6. OAuth 2.0
   • OAuth 2.0 is an IETF standard authentication & authorization framework for securing application access to RESTful APIs.
   • OAuth allows a Client (an application that desires information) to send an API query to a Resource Server (RS), the application hosting the desired information, such that the RS can authenticate that the message was indeed sent by the Client.
   • The Client authenticates to the RS through the inclusion of an access token on its API call, a token previously provided to the Client by an Authorization Server (AS).
   • In those scenarios where the API in question protects access to a User's identity attributes, it may be the case that the access token will only be issued by the AS after the User has explicitly given consent to the Client accessing those attributes.

7. OpenID Connect 1.0
   • OpenID Connect 1.0 is an OIDF standard that profiles and extends OAuth 2.0 to add an identity layer, creating a single framework that promises to secure APIs, mobile native applications and browser applications in a single, cohesive architecture.
   • OpenID Connect adds two notable identity constructs to OAuth's token issuance model.
     – An identity token, the delivery of which from one party to another can enable a federated SSO user experience for a user.
     – A standardized identity attribute API, at which a client can retrieve the desired identity attributes for a given user.
   • If your use case requires something more than authentication and authorization of API calls, Connect's features that go beyond OAuth become relevant.
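The identity token on slide 7 is what lets a relying party trust that a particular user just authenticated at the OpenID Provider, but only if the relying party validates it properly. The following is an added example, not code from the presentation or from Ping Identity, showing an ID token issued as an HS256-signed JWT and the checks OpenID Connect Core requires before it is trusted (signature, issuer, audience, expiry, nonce). The issuer URL, client id, shared key and nonce are placeholders constructed for the example; a production provider would normally sign with an asymmetric algorithm such as RS256 and publish its keys, but the claim checks are the same.

```python
"""Added example (not from the presentation): issuing and validating an
OpenID Connect identity token with the Python standard library only.
Issuer, client id, key and nonce are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_id_token(key, issuer, subject, client_id, nonce, lifetime=300, now=None):
    """OpenID Provider side: sign the minimum claim set of an ID token as a compact JWS."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "exp": now + lifetime, "iat": now, "nonce": nonce}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class InvalidIdToken(Exception):
    pass


def validate_id_token(token, key, expected_issuer, client_id, expected_nonce, now=None):
    """Relying-party side: signature first, then the claim checks OpenID Connect
    Core requires; any failure rejects the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("malformed")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only the algorithm this relying party was configured for is acceptable;
    # the token's own header never gets to choose (this rules out "alg": "none").
    if header.get("alg") != "HS256":
        raise InvalidIdToken("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise InvalidIdToken("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise InvalidIdToken("issuer mismatch")
    audience = claims.get("aud")
    audience = audience if isinstance(audience, list) else [audience]
    if client_id not in audience:
        raise InvalidIdToken("audience mismatch")
    if len(audience) > 1 and claims.get("azp") != client_id:
        raise InvalidIdToken("azp mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidIdToken("expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIdToken("nonce mismatch")
    return claims


def demo():
    """Run one good token and four bad ones through the validator; returns what
    the relying party concluded for each case."""
    key = b"constructed-shared-secret"   # placeholder, not a real key
    issuer, client, nonce, now = "https://op.example", "fitbit-web", "n-0S6_WzA2Mj", 1_700_000_000
    good = issue_id_token(key, issuer, "user-123", client, nonce, now=now)
    results = {"valid": validate_id_token(good, key, issuer, client, nonce, now=now)["sub"]}
    # Tampered variant: claims rewritten but the original signature kept.
    header_b64, _, sig_b64 = good.split(".")
    forged_claims = _b64url(_compact_json({"iss": issuer, "sub": "admin", "aud": client,
                                           "exp": now + 300, "iat": now, "nonce": nonce}))
    cases = {
        "wrong_audience": (issue_id_token(key, issuer, "user-123", "other-client", nonce, now=now), nonce, now),
        "replayed_nonce": (good, "a-different-nonce", now),   # token from another login attempt
        "expired": (good, nonce, now + 301),
        "tampered": (f"{header_b64}.{forged_claims}.{sig_b64}", nonce, now),
    }
    for name, (tok, expected_nonce, at) in cases.items():
        try:
            validate_id_token(tok, key, issuer, client, expected_nonce, now=at)
            results[name] = "accepted"
        except InvalidIdToken as err:
            results[name] = str(err)
    return results
```

The order of checks matters: the signature is verified before any claim is read, so a forged claim set is rejected without ever being trusted, and the accepted algorithm comes from the relying party's configuration rather than from the token header.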
8. Representative IoT architecture
   • Fitbit makes the Aria smart scale.
   • The scale syncs through home Wi-Fi to the Fitbit cloud for display & analysis through web & native applications.
   • 3rd-party services can access weight data to provide additional insight.

9. Architecture requirements
   • User weight data is personal and must be protected against compromise.
   • Additionally, weight data must only be shared by Fitbit when consistent with user policy.

10. Architecture
    [Diagram labels: FitBit, Proprietary, 3rd party services, REST API, REST API]

11. Architecture
    [Diagram labels: FitBit, Proprietary, 3rd party services, REST API, REST API]
    Let's examine how OAuth & Connect can apply here.

12. Cloud to cloud
    • TrendWeight offers additional insight & analysis of weight data.
    • It pulls scale data from Fitbit cloud REST endpoints.
    • TrendWeight should use OAuth to authenticate its API calls as being on behalf of a particular user.
    • Because the user is involved in token issuance, this is a privacy-enabling model.

13. Cloud to cloud
    [Diagram labels: Login & consent, Weight data]

14. Revocation of authorization
    User can remove permissions assigned to 3rd parties.
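Slides 5, 6 and 12 to 14 describe one loop: the user logs in and consents, the Authorization Server issues a token that represents the user-to-client relationship, the Resource Server validates that token on every call, and revoking consent disables access. The following is an added example, not code from the presentation, Ping Identity, Fitbit or TrendWeight, that models that loop with opaque access tokens. The client names, scope strings and weight readings are constructed for the example; the direct lookup the Resource Server makes stands in for the token introspection an RS would perform over the network (RFC 7662).

```python
"""Added example (not from the presentation): a minimal model of the OAuth
2.0 pattern in the cloud-to-cloud slides. The Authorization Server (AS)
issues an opaque access token only after the user has consented to a
client's requested scopes; the Resource Server (RS) checks every call's
token with the AS; once the user revokes consent the same token is refused.
Client names, scopes and weight readings are constructed sample data."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """The relationship a token stands for: which user, which client, which permissions."""
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, registered_clients, token_lifetime=3600):
        self.clients = set(registered_clients)
        self.tokens = {}            # access token -> Grant
        self.lifetime = token_lifetime

    def authorize(self, user, client_id, requested_scopes, user_consents):
        """Login & consent step: a token is issued only for scopes the user
        actually granted to this client, and it is bound to that user."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        requested = frozenset(requested_scopes)
        if not requested <= frozenset(user_consents):
            raise PermissionError("user did not consent to all requested scopes")
        token = secrets.token_urlsafe(32)   # opaque: carries no meaning outside the AS
        self.tokens[token] = Grant(user, client_id, requested, time.time() + self.lifetime)
        return token

    def introspect(self, token):
        """Return the Grant behind an active token, or None if unknown, expired or revoked."""
        grant = self.tokens.get(token)
        if grant is None or grant.revoked or grant.expires_at <= time.time():
            return None
        return grant

    def revoke(self, user, client_id):
        """User removes a 3rd party's permissions: every token for that (user, client) pair dies."""
        count = 0
        for grant in self.tokens.values():
            if grant.user == user and grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


class ResourceServer:
    def __init__(self, auth_server, weight_data):
        self.auth = auth_server
        self.data = weight_data     # user -> readings (constructed sample data)

    def get_weight(self, token, user):
        """Validate the presented token against the relationship it represents
        before releasing anything; returns an HTTP-style (status, body) pair."""
        grant = self.auth.introspect(token)
        if grant is None:
            return 401, "invalid_token"
        if grant.user != user:
            return 403, "token was not issued on behalf of this user"
        if "weight:read" not in grant.scopes:
            return 403, "insufficient_scope"
        return 200, self.data.get(user, [])


def demo():
    """Walk through the slides' scenario; returns the outcome of each step."""
    auth = AuthorizationServer({"trendweight"})
    rs = ResourceServer(auth, {"alice": [70.2, 70.0, 69.8]})
    # Login & consent: Alice lets TrendWeight read (but not write) her weight data.
    token = auth.authorize("alice", "trendweight", ["weight:read"], user_consents=["weight:read"])
    results = {
        "consented": rs.get_weight(token, "alice")[0],
        "other_user": rs.get_weight(token, "bob")[0],
        "forged": rs.get_weight("not-a-token-the-AS-issued", "alice")[0],
    }
    try:   # a client asking for more than the user granted gets no token at all
        auth.authorize("alice", "trendweight", ["weight:write"], user_consents=["weight:read"])
        results["overreach"] = "issued"
    except PermissionError:
        results["overreach"] = "refused"
    # Revocation of authorization: Alice removes TrendWeight's permissions.
    auth.revoke("alice", "trendweight")
    results["after_revoke"] = rs.get_weight(token, "alice")[0]
    return results
```

Because the token is opaque and the RS asks the AS about it on every call, revocation takes effect immediately; a self-contained signed token would instead stay valid until it expires unless the RS also consults a revocation list, which is the trade-off to weigh when choosing a token format for this model.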
15. Native Application
    • Users can view their weight data & trends from iOS & Android native applications.
    • Native applications pull data from Fitbit cloud REST endpoints.
    • Native applications should use OAuth to authenticate their API calls as being on behalf of a particular user.

16. Device to gateway
    • Devices communicate with each other and the gateway via the local network, sharing data, sending control messages, etc.
    • These local interactions may not use HTTP, but instead an application protocol more optimized to the constraints (CPU size, battery, etc.) of devices.
    • Such application protocols include XMPP, MQTT and CoAP.
    • Work has begun in exploring how to bind OAuth & Connect to such IoT-optimized protocols, e.g. the ACE effort in the IETF.

17. Conclusion
    • Authentication & authorization of actors is fundamental to IoT security.
    • Mechanisms must be secure, scalable and privacy-respecting.
    • OAuth & Connect promise to provide important pieces of an authn & authz framework for the IoT.
