oneM2M - Facing the Challenges of M2M Security and Privacy
TRANSCRIPT
© 2014 oneM2M, 14-Nov-14
Facing the Challenges of M2M Security and Privacy
Phil Hawkes, Principal Engineer at Qualcomm Inc.
[email protected] www.oneM2M.org
Overview
• oneM2M Architecture: a quick review
• Challenges
  1. Large variety of scenarios
  2. Any device in any deployment
  3. A device cannot make autonomous “judgment calls” on privacy
• Solutions
  A. Secure communication
  B. Remote provisioning
  C. Access control policies
• Future Challenges
oneM2M Architecture: A Quick Review
• Entities
  – Nodes (= Devices)
  – Common Service Entity (CSE)
  – Application Entity (AE)
• Interactions:
  – Mca: AE-to-CSE
  – Mcc, Mcc’: CSE-to-CSE
  – RESTful
• For more info see the webinar Taking a look inside oneM2M
[Figure: AEs attached to CSEs, and CSEs interconnected, across the Field Domain and the Infrastructure Domain]
Challenges
1. Large variety of deployment scenarios
   – “Assets” that need protecting can be unique to a deployment
     • Content confidentiality, content integrity, anonymity, traffic efficiency
   – Environment can be unique to a deployment
     • Does the wired or wireless transport layer provide adequate security?
     • Tamper-resistance considerations
   – Variety of authentication scenarios
     • Pre-shared key provisioned to both end-points
     • PKI/certificates (asymmetric cryptography)
     • Centralized authentication
2. Any device in any deployment
   – Interoperability: agree on a minimal set of cipher suites
   – Credential management
     a. Provisioning at manufacture
     b. Human-assisted provisioning during deployment (e.g. manual entry, via USB)
     c. Remote provisioning of fielded devices
     d. Derivation from pre-existing credentials (e.g. transport network)
     Note: a and b are enabled but not specified by oneM2M
3. A device cannot make autonomous “judgment calls” on privacy
   – M2M/IoT may expose information about our lives without our awareness
   – Privacy = who can access information about me
   – CSE needs to determine: “Should I allow access?”
   – Can’t ask a human to make a case-by-case judgment call
   – CSE needs clear rules
Challenges & Solutions
1. Large variety of scenarios
2. Any device in any deployment
3. A device cannot make “judgment calls” on privacy
A. Secure communication: various authentication options
B. Remote provisioning: various authentication options
C. Access Control Policies: expresses a wide variety of rules
Secure Communication: Example
[Figure: e-health example. Field Domain: AE1 on the Sensor, CSE1 on the Gateway. Infrastructure Domain: CSE2 on the M2M SP’s Server, AE2 on the Web App Server (the E-Health Web-application).]
1. AE1 passes sensor reading to CSE1 (CoAP over UDP)
2. CSE1 forwards sensor reading to CSE2 (HTTP over TCP)
3. AE2 retrieves sensor reading from CSE2 (HTTP over TCP)
Secure Communication
• Hop-by-Hop
  – Transited CSEs see clear text
  – Trusted to behave
• TLS/DTLS v1.2
  – DTLS if UDP transport
  – TLS if TCP transport
  – Sometimes written (D)TLS, or just TLS, for both
• AE-CSE
  – AE: TLS Client (C)
  – CSE: TLS Server (S)
• CSE-CSE
  – CSE1: TLS Client (C)
  – CSE2: TLS Server (S)
[Figure: the same e-health topology. AE1–CSE1: CoAP over DTLS over UDP. CSE1–CSE2 and AE2–CSE2: HTTP over TLS over TCP. On each hop the AE (or CSE1) is the TLS client (C) and the CSE it connects to is the TLS server (S).]
Authentication Options
• Pre-Shared Key (PSK)– TLS Client & Server provisioned with a shared key#
• Certificate– TLS Client & Server both have certificates
• M2M Authentication Function (MAF) – MAF operated by 3rd Party or M2M Service Provider– TLS Client and MAF provisioned with a shared key#
– MAF assists authentication of TLS Client & Server
#This shared key can be remotely provisioned
Certificates
• Somewhat aligned with CoAP Security RFC7252
• X.509/PKIX (RFC 5280)
• RawPublicKey Certificates
– Contains only X.509 SubjectPublicKeyInfo element
– Suits less complex deployments & debugging
• Certificates chaining to a trust anchor. E.g.
– Device Certificate (e.g. manufacturer issued)
– M2M SP issued certificate identifying CSE or AE
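A RawPublicKey peer presents nothing but a DER-encoded SubjectPublicKeyInfo, so there is no issuer chain to validate: the trust anchor for such a peer is a pinned fingerprint of its SPKI, typically installed at manufacture or during deployment. The following is an added worked example (not code from the slides, oneM2M or Qualcomm) of what accepting such a peer involves: parse the SPKI so that malformed input is rejected, restrict the key type to an agreed minimal set, and compare the fingerprint against the pins configured for that peer. The sample SPKI bytes, the SHA-256 fingerprint choice and the allowed-key-type set are this example's own assumptions.

```python
# Added example, not oneM2M's or Qualcomm's code: RawPublicKey trust check.
import hashlib
from typing import Dict, Set, Tuple


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER value runs past end of data")
    return tag, data[pos:end], end


def _decode_oid(value: bytes) -> str:
    """Decode DER OID contents to dotted form, e.g. 1.2.840.10045.2.1."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this sub-identifier
            arcs.append(acc)
            acc = 0
    if value[-1] & 0x80:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def parse_spki(der: bytes) -> Dict[str, object]:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, apos = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    params = None
    if apos < len(alg):                     # optional parameters, e.g. the named curve
        ptag, pval, _ = _read_tlv(alg, apos)
        params = _decode_oid(pval) if ptag == 0x06 else None
    tag, bits, pos = _read_tlv(body, pos)
    if tag != 0x03 or not bits or bits[0] != 0 or pos != len(body):
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return {"algorithm": _decode_oid(oid), "parameters": params, "public_key": bits[1:]}


def spki_fingerprint(der: bytes) -> str:
    """Pin value for a RawPublicKey peer: SHA-256 over the DER SPKI (an assumption)."""
    return hashlib.sha256(der).hexdigest()


# ecPublicKey on prime256v1 (P-256): the one key type this example accepts.
# Keeping this set small is the RawPublicKey analogue of agreeing a minimal
# set of cipher suites.
ALLOWED_KEY_TYPES = {("1.2.840.10045.2.1", "1.2.840.10045.3.1.7")}


def verify_raw_public_key(presented_der: bytes, pinned_fingerprints: Set[str]) -> bool:
    """Trust decision: well-formed, allowed key type, and pinned for this peer.
    Any failure is a rejection; there is no chain to fall back on."""
    try:
        info = parse_spki(presented_der)
    except ValueError:
        return False
    if (info["algorithm"], info["parameters"]) not in ALLOWED_KEY_TYPES:
        return False
    return spki_fingerprint(presented_der) in pinned_fingerprints


# Constructed sample SPKI (not a real key: the point bytes are just 0x01..0x40,
# which is not a valid P-256 point; the parser does not check curve membership).
SAMPLE_SPKI = bytes.fromhex(
    "3059"                      # SEQUENCE, 89 bytes
    "3013"                      #   SEQUENCE, 19 bytes (AlgorithmIdentifier)
    "06072a8648ce3d0201"        #     OID 1.2.840.10045.2.1 (ecPublicKey)
    "06082a8648ce3d030107"      #     OID 1.2.840.10045.3.1.7 (prime256v1)
    "034200"                    #   BIT STRING, 66 bytes, 0 unused bits
    "04"                        #     uncompressed point marker
) + bytes(range(1, 65))         #     X || Y (constructed, 32 bytes each)
```

In a deployment the pin set comes from provisioning (at manufacture, human-assisted, or remote), and a single flipped byte in the presented SPKI, a truncated encoding, or a key of a type outside the agreed set all fail the check.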
Remote Provisioning
• Process for provisioning a shared key to two entities
• M2M Enrolment Function (MEF)
  – Assists remote provisioning
  – Operated by 3rd Party or M2M Service Provider
• Mechanisms for establishing the shared key
  – TLS Client & MEF perform (D)TLS, export the shared key
    • PSK
    • Certificates
  – Derived from Network Access credentials
    • Network Access Provider assists in mutual authentication
    • Generic Bootstrapping Architecture (GBA), 3GPP TS 33.220
Access Control Requirements
• oneM2M uses a RESTful architecture
– API: request to perform an operation on a resource
– Operations: Create, Retrieve, Update, Delete
– Webinar Taking a look inside oneM2M has more info
• CSEs can’t make resource-access judgement calls
• CSEs need clear rules dictating, for each resource:
  – WHO (which CSEs and AEs) is authorized to access it,
  – WHAT operations (see above) they may perform, and under
  – WHICH circumstances (e.g. time, location of entity)
Access Control Policies (ACP) Resources
[Figure: Resource1 to Resource4 link to ACP1 to ACP3; each ACP contains ACP rules (ACP Rule1 to ACP Rule3).]
Each ACP rule has conditions on:
• WHO: entities (CSE-ID, AE-ID)
• WHAT: operations (Create, Retrieve, Update, Delete)
• WHICH: circumstances (time, location, IP address)
An ACP rule is satisfied if WHO and WHAT and WHICH are all satisfied by the requesting entity, the requested operation and the circumstances.
Resource access is authorized upon satisfying at least one ACP rule in one of the linked ACPs.
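The evaluation the slides describe is mechanical, which is the point: the CSE never exercises judgement, it checks rules. The following is an added example (not code from the slides or from the oneM2M specifications) of an evaluator for that model, with a constructed policy for the e-health scenario above. The WHO / WHAT / WHICH split is the slides'; the Python names, the operation bit values, the "*" wildcard originator, the midnight-wrapping time windows and the sample policy are this example's own assumptions and not oneM2M's encoding. The evaluator fails closed: a resource with no linked ACP, a link to a missing ACP, or no matching rule all deny access.

```python
# Added example, not oneM2M's own code: minimal ACP evaluator.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

CREATE, RETRIEVE, UPDATE, DELETE = 1, 2, 4, 8          # WHAT: one bit per operation


@dataclass
class Context:
    """WHICH: the circumstances of one request as seen by the hosting CSE."""
    at: datetime
    ip: str
    location: Optional[str] = None


@dataclass
class Rule:
    """One ACP rule: satisfied only if WHO and WHAT and WHICH all hold."""
    originators: Set[str]                                # WHO: CSE-IDs / AE-IDs; "*" = any (assumption)
    operations: int                                      # WHAT: OR of operation bits
    time_windows: List[Tuple[time, time]] = field(default_factory=list)  # WHICH; empty = unconstrained
    ip_networks: List[str] = field(default_factory=list)
    locations: Set[str] = field(default_factory=set)

    def who_ok(self, originator: str) -> bool:
        return "*" in self.originators or originator in self.originators

    def what_ok(self, op: int) -> bool:
        return op != 0 and (self.operations & op) == op

    def which_ok(self, ctx: Context) -> bool:
        if self.time_windows:
            now = ctx.at.time()
            # a window such as 22:00-06:00 wraps past midnight
            if not any(s <= now <= e if s <= e else (now >= s or now <= e)
                       for s, e in self.time_windows):
                return False
        if self.ip_networks:
            try:
                addr = ip_address(ctx.ip)
            except ValueError:                           # unparseable address: no match
                return False
            if not any(addr in ip_network(n) for n in self.ip_networks):
                return False
        if self.locations and ctx.location not in self.locations:
            return False
        return True

    def satisfied(self, originator: str, op: int, ctx: Context) -> bool:
        return self.who_ok(originator) and self.what_ok(op) and self.which_ok(ctx)


@dataclass
class ACP:
    acp_id: str
    rules: List[Rule]


class CSE:
    """Holds ACP resources and the links from each resource to its ACPs."""

    def __init__(self) -> None:
        self.acps: Dict[str, ACP] = {}
        self.links: Dict[str, List[str]] = {}            # resource -> linked ACP IDs

    def is_authorized(self, originator: str, op: int, resource: str, ctx: Context) -> bool:
        # Authorized upon satisfying at least one rule in one of the linked
        # ACPs; anything else (no link, dangling link, no match) is denied.
        for acp_id in self.links.get(resource, []):
            acp = self.acps.get(acp_id)
            if acp is not None and any(r.satisfied(originator, op, ctx) for r in acp.rules):
                return True
        return False


def build_example_cse() -> CSE:
    """Constructed sample policy for the e-health scenario (assumed IDs and paths)."""
    cse = CSE()
    cse.acps["ACP1"] = ACP("ACP1", [    # gateway CSE1 may write readings, from the SP's network only
        Rule({"/CSE1"}, CREATE | UPDATE, ip_networks=["10.0.0.0/8"])])
    cse.acps["ACP2"] = ACP("ACP2", [    # web app AE2 may read, during office hours
        Rule({"/AE2"}, RETRIEVE, time_windows=[(time(8, 0), time(18, 0))])])
    cse.links["/CSE2/sensor1"] = ["ACP1", "ACP2"]
    cse.links["/CSE2/orphan"] = ["ACP9"]   # dangling link: must still deny
    return cse
```

With this policy, `build_example_cse().is_authorized("/AE2", RETRIEVE, "/CSE2/sensor1", Context(datetime(2014, 11, 14, 9, 30), "203.0.113.5"))` is allowed by ACP2, the same request at 23:00 is denied, and AE2 can never DELETE because no linked rule grants it.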
oneM2M Security Documents
• TR-0008 “Analysis of Security Solutions for the oneM2M System”
http://onem2m.org/images/files/deliverables/oneM2M_TR-0008-Security-V1_0_0.doc
• TS-0003 “Security Solutions”
http://onem2m.org/images/files/deliverables/TS-0003-Security_Solutions-V-2014-08.pdf
• Latest versions available from ftp://ftp.onem2m.org/Work%20Programme/WI0007/
Limitations of initial release
• A “minimum deployable solution” addressing short-term needs
• Focus: vertically deployed industrial applications
  – Centralized client-server architectures
  – Most devices have a limited number of static connections
  – Deployments are managed by a skilled workforce
  – Nodes are trusted to behave
• Our solutions meet these needs while having a place in future M2M/IoT (consumer) scenarios
Future Challenges
• Decentralization
– Increasingly complex interactions
• Sharing Information between deployments
• Complex authentication and authorization scenarios
• Confidentiality & integrity concerns
– Unskilled Consumers managing their “Things”
• Technological Challenges:
– End-to-End (multi-hop) message security
– Many connections per device
– Authentication & Authorization mechanisms
Conclusion: Challenges & Solutions
1. Large variety of scenarios
2. Any device in any deployment
3. A device cannot make “judgment calls” on privacy
A. Secure communication: various authentication options
B. Remote provisioning: various authentication options
C. Access Control Policies: expresses a wide variety of rules
Join us for the next webinar
27 November 2014 at 0700 UTC
“On Management, Abstraction & Semantics”
by Dr. Yongjing Zhang, Standard Research Project Lead at Huawei Technologies Co., Ltd
http://www.onem2m.org/btchannel.cfm
Check out the recorded webinars
“How standardization enables the next internet evolution”
by Marc Jadoul, Strategic Marketing Director, Alcatel-Lucent
http://www.onem2m.org/btchannel.cfm
“Taking a look inside” by Nicolas Damour
Senior Manager for Business and Innovation Development, Sierra Wireless
Join us at the oneM2M showcase event
9 December 2014, Sophia-Antipolis, France (free of charge, but online registration is required)
• OneM2M project partners, rationale and goals
• OneM2M Service Layer Specification release
• Showcase demos that demonstrate oneM2M “live"
http://www.onem2m.org/Showcase
Followed by the ETSI M2M workshop
Q & A
Backup Slides
PSK-Based Authentication
[Figure: Client (A) and Server (B), each holding the same PSK and PSK-ID]
1. Provision identical PSK, PSK-ID to A and B
2. (D)TLS: A provides PSK-ID; B identifies the PSK from the PSK-ID
• Advantages:
  – Simple concept
• Challenges:
  – May need multiple keys provisioned
  – Doesn’t scale well
PKI/Certificate-Based Authentication
[Figure: Client holds Client’s Cert and Client’s Trust Anchors; Server holds Server’s Cert and Server’s Trust Anchors]
1. Provision certificate to Client; 1’. Provision certificate to Server
2. Configure trust anchors on Client; 2’. Configure trust anchors on Server
3. (D)TLS: Server validates the client’s cert against the server’s trust anchors; Client validates the server’s cert against the client’s trust anchors
MAF Assisted
[Figure: (D)TLS Client, MAF, (D)TLS Server]
1. Provision symmetric key Km, KmId to the (D)TLS Client and the MAF
2. (D)TLS Client and MAF each generate Kc, KcId from Km
3a. (D)TLS Client starts (D)TLS with the (D)TLS Server, providing KcId
3b. (D)TLS Server sends KcId to the MAF
3c. MAF returns Kc to the (D)TLS Server
(D)TLS between Client and Server continues with Kc
Remote Provisioning Participants
• Process provisions a shared key to two entities
• M2M Enrolment Function (MEF)
  – Assists remote provisioning
  – Operated by 3rd Party or M2M Service Provider
• Enrolee
  – Entity requesting to be provisioned
• Enrolment Target
  – The other entity that ends up with the shared key
Remote Provisioning
[Figure: Enrolee, M2M Enrolment Function (MEF), Enrolment Target]
1. Enrolee and MEF mutually authenticate
2. Enrolee and MEF each generate Ke, KeId
3. Enrolee sends KeId to the Enrolment Target
4. Enrolment Target presents KeId to the MEF
5. Enrolee and MEF each derive the Shared Key from Ke and the Enrolment Target ID
6. MEF delivers the Shared Key to the Enrolment Target; Enrolee and Enrolment Target now hold the Shared Key
GBA
[Figure: UE (hosts TLS Client), Network Access Authentication Server (HSS, HLR, AAA), GBA Bootstrap Server Function (plays role of MEF), TLS Server]
1. UE and Network Access Authentication Server hold the Network Access Credentials
2. UE and GBA Bootstrap Server Function (BSF) bootstrap, with the Network Access Authentication Server assisting: both obtain B-TID, Ks
3. (D)TLS: UE provides B-TID to the TLS Server
4. TLS Server sends B-TID and its FQDN to the BSF
5. BSF derives the Shared Key from Ks and the TLS Server FQDN; UE derives the same Shared Key
6. BSF delivers the Shared Key to the TLS Server
7. (D)TLS continues between UE and TLS Server with the Shared Key
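The MAF-assisted, MEF remote-provisioning and GBA flows above share one shape: a client shares a master key with a key centre (Km, Ke or Ks), sends only a key identifier (KcId, KeId or B-TID) in its (D)TLS handshake, and the server turns that identifier into the per-server key by asking the key centre. The following is an added simulation of that shape (not code from the slides, oneM2M or 3GPP) covering all three flows. Its assumptions: HMAC-SHA256 stands in for the key derivation (TS-0003 and TS 33.220 define their own, not reproduced here); the master key is handed out directly by `enrol()` instead of being exported from the mutually authenticated (D)TLS run or the GBA bootstrap; and, as in the MEF and GBA flows, the derived key is bound to the server's identity (the MAF slides do not show that binding). The class and method names are the example's own.

```python
# Added example, not oneM2M's own code: key-centre-assisted PSK establishment.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

LABEL = b"oneM2M-example-shared-key"      # assumed label, not a oneM2M constant


def derive_key(master: bytes, target_id: str) -> bytes:
    """Per-target key = HMAC(master, label || 0x00 || target_id). Binding the
    key to target_id means a key fetched for one server is useless at another."""
    return hmac.new(master, LABEL + b"\x00" + target_id.encode(), hashlib.sha256).digest()


class KeyCentre:
    """MAF, MEF or GBA BSF: knows each enrolled client's master key by key id."""

    def __init__(self) -> None:
        self._masters: Dict[str, bytes] = {}

    def enrol(self) -> Tuple[str, bytes]:
        # Stands in for the enrolee<->MEF (D)TLS run (Ke exported from it) or the
        # UE<->BSF GBA bootstrap (Ks, B-TID). The id is public; the key is not.
        key_id = secrets.token_hex(16)          # KeId / KcId / B-TID
        master = secrets.token_bytes(32)        # Ke / Km / Ks
        self._masters[key_id] = master
        return key_id, master

    def key_for_server(self, key_id: str, authenticated_server_id: str) -> Optional[bytes]:
        # authenticated_server_id must be the identity the requesting server
        # proved to the key centre (certificate name / FQDN), never a value the
        # server merely claims; otherwise any server could fetch any key.
        master = self._masters.get(key_id)
        if master is None:
            return None                         # unknown id: nothing to derive from
        return derive_key(master, authenticated_server_id)


class Client:
    """(D)TLS client / enrolee / UE."""

    def __init__(self, centre: KeyCentre) -> None:
        self.key_id, self._master = centre.enrol()

    def psk_identity(self) -> str:
        return self.key_id                      # what goes into the (D)TLS PSK identity

    def psk_for(self, server_id: str) -> bytes:
        return derive_key(self._master, server_id)


class Server:
    """(D)TLS server / enrolment target, already authenticated to the key centre."""

    def __init__(self, centre: KeyCentre, server_id: str) -> None:
        self.centre, self.server_id = centre, server_id

    def psk_from_identity(self, psk_identity: str) -> Optional[bytes]:
        # Steps 3b/3c of the MAF flow, 4-6 of the MEF flow, 4-6 of GBA.
        return self.centre.key_for_server(psk_identity, self.server_id)


def handshake_psks(client: Client, server: Server) -> Tuple[bytes, Optional[bytes]]:
    """The PSK each side would feed into the (D)TLS-PSK handshake; the
    handshake can only succeed if the two values are equal."""
    return client.psk_for(server.server_id), server.psk_from_identity(client.psk_identity())
```

Two properties worth checking in any real deployment of this pattern are visible here: the same client gets different keys at different servers, so a compromised CSE2 cannot impersonate the client towards CSE1, and an identifier the key centre has never issued yields no key at all, so a forged KcId, KeId or B-TID cannot get past the server.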