1
<Confidential>
Security Framework for IoT
A Plug-and-Play identification & authentication scheme for the Internet of Things
Thierry Van de Velde, IP & Optical Networks (ION) BG, Packet Core BU
2
Introduction
The demand for a new Security Framework for the IoT
- Mobile and Fixed Internet Service Providers need a uniform Security Framework to extend their services from SIM-based or Home-based user equipment to Objects (End Entities) authenticated via X.509 Security Certificates (Cert).
- The Security Framework should allow today's mobile and fixed subscribers to enrol (claim) Objects in a simple, intuitive and ubiquitous way: scanning a QR code printed on the object or inside the package (hidden by a peelable label).
- By claiming these Objects they get attached to the MSISDN/ISDN number, placed in a virtual Home environment (L2/L3/L7), and they become portable to any other ISP together with the mobile or fixed subscription.
- The Security Framework should allow validating the authenticity of each object before admitting it to the virtual Home environment: counterfeit objects shall be rejected on the basis that the scanned QR code is not the result of a hash of the Factory Certificate, encrypted via the Object's Private Key.
3
Authentication, Authorization & Security Framework for the IoT
[Sequence diagram; only its labels survive extraction, not the layout or the order of the arrows.]
Entities: Connected Object, Router or NAT (IPv6), PLC, Bluetooth Device, ePDG, PGW, AAA, MDM, SMP, Post-Load Client, Operator RootCA (RootCA Cert), CMS SubCA (SubCA Cert), CMS RVA (Registration & Validation Authority), Factory SubCA (FSCA, Cert'), Object Manufacturer.
Labels, in extraction order:
- Factory generates public-private key pair for an Object
- Detection Alert (Connected Object name); M2M template
- QR code scan leads to Private URL being validated (PGW enriches HTTP header with MSISDN)
- RVA demands Proof of Possession of Factory Private Key, then generates a Factory Cert for the Object
- Manual or CMPv2 cr (Subject, SubjectPublicKeyInfo)
- Execute Bluetooth Command (Activate BT 4.2 IPSP)
- ePDG discovery by resolving Factory certificate's IssuerName.epdg.3gppnetworks.org
- CMPv2 using IAK (Initial Auth Key X): cr (cert request) or p10cr (PKCS#10)
- Signed using CMS SubCA Private Key; validated via CMS SubCA Cert
- Stores QR code at Private URL
- cp cert response (EncCert)
- ePDG connection establishment
- EAP-TLS auth (Factory CertABC)
- PKCS#12 (RFC 7292?) SafeContents {(Signed Factory Cert, QR code)}; Factory CertABC (SCA)
- CMPv2 cr (cert request) to any URL
- ePDG/PGW redirects any CMPv2 cr to the Operator's CMS RVA
- CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey); Operator CertXYZ (SCA)
- Object Cert & Factory algorithm are used to generate each QR Code from each Factory Cert
- A second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA
- ePDG discovery via Operator Certificate's OperatorID.epdg.3gppnetworks.org
- Validated via CMS SubCA Cert
- Manufacturer preinstalls Factory Cert and private key in each Object
- EAP-TLS auth (Operator CertXYZ)
4
This new Security Framework for IoT is original, scalable and superior to SIMs
- SIM cards can be inserted in counterfeit objects, which may then attack or spy on other objects in the virtual Home (vHome) to which they get connected.
- The new Security Framework for IoT is access-agnostic: each new Object must be claimed via a pre-authenticated other Object (smartphone or tablet with QR scanner), but it may access the ePDG via any technology (Bluetooth, Wi-Fi, etc.).
- By convention the Objects should:
  - discover their ePDG or VPN gateway by submitting the Subject name on their Certificate to public DNS, in the format ManufacturerOrOperator.epdg.3gppnetworks.org;
  - thereafter issue a CMPv2 Certificate Request, as long as the Factory Certificate is being used to access the ePDG/PGW. The PGW should block all other traffic except CMPv2 or DNS.
- The Operator Certificate is then installed by the Registration & Validation Authority (Plug & Play).
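The two slides above describe the two checks an RVA has to make before admitting an object: the QR code must be a signature, under the Object's private key, over a hash of its Factory Certificate, and the Factory Certificate itself must have been issued by a trusted Factory SubCA. The following Go program is an added example illustrating those checks; it is not code from the deck, from Nokia, or from any product named on the slides. It assumes ECDSA P-256 keys, a self-signed certificate standing in for the Factory SubCA, a "<cert>.<sig>" base64url layout for the QR payload, and a lowercased issuer CN as the ePDG discovery label; the deck fixes none of these details. It goes slightly beyond the slides by also rejecting a certificate from an untrusted issuer and a malformed payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue generates a P-256 key pair and a certificate for cn. With parent == nil the
// certificate is self-signed (this example's stand-in for the Factory SubCA); otherwise
// the parent signs it, as the Factory SubCA signs each object's Factory Certificate.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA: sign with our own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// QRPayload is the value printed in the QR code: the object's Factory Certificate and a
// signature, made with the object's private key, over the SHA-256 hash of that certificate.
// The "<cert>.<sig>" base64url layout is an assumption of this example, not the deck's format.
func QRPayload(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	digest := sha256.Sum256(cert.Raw)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(cert.Raw) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// ValidateQR is the RVA-side check: the embedded certificate must chain to the trusted
// Factory SubCA and the signature must verify under that certificate's public key.
// Either failure means the scanned object is rejected as counterfeit.
func ValidateQR(payload string, factoryCA *x509.Certificate) (*x509.Certificate, error) {
	parts := strings.SplitN(payload, ".", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("malformed QR payload")
	}
	certDER, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("QR payload is not base64url")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(factoryCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("factory certificate not trusted: %w", err)
	}
	digest := sha256.Sum256(certDER)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, fmt.Errorf("QR signature does not verify under the certificate's key: counterfeit")
	}
	return cert, nil
}

// DiscoveryFQDN builds the ePDG discovery name from the issuer CN (label mapping assumed here).
func DiscoveryFQDN(cert *x509.Certificate) string {
	return strings.ToLower(cert.Issuer.CommonName) + ".epdg.3gppnetworks.org"
}

func main() {
	ca, caKey, _ := issue("acme-factory-subca", nil, nil) // constructed Factory SubCA
	cert, key, _ := issue("object-abc", ca, caKey)       // constructed genuine object
	qr, _ := QRPayload(cert, key)
	got, err := ValidateQR(qr, ca)
	fmt.Println("genuine:", err, DiscoveryFQDN(got))
	_, otherKey, _ := issue("object-xyz", ca, caKey) // copied cert, but not its private key
	copied, _ := QRPayload(cert, otherKey)
	_, err = ValidateQR(copied, ca)
	fmt.Println("counterfeit:", err)
}
```

The second case in main is the counterfeit the slides have in mind: a device that carries a copy of a genuine Factory Certificate but not the matching private key can print a QR code, yet the signature will not verify under the certificate's public key, so the RVA never admits it to the vHome. The chain check on top of that stops a manufacturer-lookalike that mints its own certificates.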
5
The ultra-connected home
Challenges with existing residential service model
Consumer viewpoint
- Exposed to increasing home network complexity
- Full visibility on home networking issues, but lacking tools and skills to troubleshoot them
- No means to control or review device usage policies
- Paying for service but lacking the experience
Service provider viewpoint
- Home network is "hidden" behind a single IP
- No visibility on home networking issues
- Poor in-home wiring or Wi-Fi reachability issues
- In-home routing or device connectivity issues
- Delivering the service but lacking in support
[Figure: connected home behind a single address (IP: x). Devices: smart phone, IPTV, phone, gaming console, tablet, laptop, home security, health monitoring, home utility management. Rooms: bathroom, home office, den, bedroom, hall, living room.]

One of the key challenges both service providers and consumers are struggling with is the proliferation of devices in the home. Today's connected single-family home can easily contain a dozen consumer devices, appliances and gadgets scattered throughout the home. Consumers are exposed to increasing complexity but have limited tools and expertise to troubleshoot home networking issues themselves. Moreover, they have limited control over the performance of individual user devices. Service providers, however, are currently not in a good position to help address these consumer issues, since the home network is typically hidden behind a single IP address. There is no visibility on home networking issues that can arise, for example, from poor in-home wiring, Wi-Fi reachability or device misconfiguration. They are responsible for the service but lack the tools and capability to support their consumers.
6
Virtualized Residential Gateway architecture
SROS 14R1 – Beta Quality; 14R3 – GA
Virtualized Residential Gateway architecture: reducing complexity by moving selected RGW functionality into the network, and extending the home network with network-centric and cloud-based service capabilities.
[Figure: Helpdesk Agent Dashboard, Home Analytics Dashboard, User Cloud Dashboard; Home Device Management (TR-069, Data collection, Radius); vRGW; Bridged RGW; Access Aggregation; Service Edge.]

At present we already have all the components in place to deploy the vRGW architecture with Home Device Management, and we demonstrated this recently at the Broadband World Forum in London. In subsequent releases of SR OS we are investing in network-enhanced functionalities such as home-aware address management, service chaining and home LAN extension, which open new avenues for Value Added Services.
7
Authentication, Authorization & Security Framework for Bridged Residential GW
[Sequence diagram; only its labels survive extraction, not the layout or the order of the arrows.]
Entities: Connected Object, BRG, vRGW, AAA, MNO, PGW, Operator RootCA (RootCA Cert), CMS SubCA (SubCA Cert), CMS RVA (Registration & Validation Authority), Factory SubCA (FSCA, Cert'), Object Manufacturer.
Labels, in extraction order:
- Factory generates public-private key pair for an Object
- QR code scan leads to Private URL being validated (MNO can enrich the HTTP header with the MSISDN)
- Validated via CMS SubCA Cert
- RVA demands Proof of Possession of Factory Private Key, then generates a Factory Cert for the Object
- Manual or CMPv2 cr (Subject, SubjectPublicKeyInfo)
- EAPOL EAP-TLS over RADIUS (Factory CertABC)
- CMPv2 using IAK (Initial Auth Key X): cr (cert request) or p10cr (PKCS#10)
- Signed using CMS SubCA Private Key
- DHCP Discover, Offer, Request, Ack; Object is placed in quarantine
- Stores QR code at Private URL
- cp cert response (EncCert)
- PKCS#12 (RFC 7292?) SafeContents {(Signed Factory Cert, QR code)}; Factory CertABC (SCA)
- CMPv2 cr (cert request) to any URL
- ePDG/PGW redirects any CMPv2 cr to the Operator's CMS RVA
- CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey); Operator CertXYZ (SCA)
- Object Cert & Factory algorithm are used to generate each QR Code from each Factory Cert
- A second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA
- Validated via CMS SubCA Cert
- EAPOL EAP-TLS over RADIUS (Operator CertXYZ)
- Manufacturer preinstalls Factory Cert and private key in each Object
- DHCP Discover, Offer, Request, Ack; Object is connected to virtual Home
8
Expanding the human possibilities of technology
5G for people and things: expanding the human possibilities of technology
[Figure: Sensors, Wearables, P. D. Machines; benefits grouped by Individual, Society, Economy.]
- Everyone is an innovator – easier and faster to innovate
- Give back 2 hrs/day – never be in a rush
- Towards zero road fatalities, > half a million lives saved
- Zero-loss water distribution
- Healthier people with connected wearables, remote medics
- Less transport costs and fuel consumption
- Never lost – always find an address – always on time
- 50% higher industry productivity by connected cyber-physical systems
- Safer in connected homes

When you quantify some of those expected benefits, that is when the proposition for individuals, society and economy becomes exciting. Take autonomous driving: there are around 1.3 million deaths on the road each year, which is more than double the number killed by malaria worldwide. There are also 50 million people injured in traffic accidents globally. Now of course you need the latency and response times to be instantaneous for these cars, which is a far cry from the 15 to 20 milliseconds that today's best LTE networks are currently able to achieve. Put it another way: if driver error is the cause of about 90 percent of all car crashes, and autonomous driving and connected cars would result in "only" 50 percent fewer annual fatalities, that would be more than half a million lives saved every year, and millions more with fewer injuries. Consider the potential reduction in CO2 emissions. The pollution from transportation is expected to increase nearly six-fold, in China for example, from 190 megatons every year to more than 1100 megatons in 35 years' time. Connected cars, smart navigation and autonomous driving could reduce millions of tons of CO2 and help cities become cleaner. Health care is another example. I think many in the audience are aware that it is increasingly difficult for health service providers to guarantee standards of care, particularly among aging populations, and where post-operative care is critical after an operation or treatment.
9
2017 : Cloudification / Hyperscale / DevOps
Separation of virtualised control plane and virtualised or physical user planes (NPU)
[Architecture diagram. Control plane: Analytics, NetAct, VNFM, SDM, AAA, SDL, Service Capability Exposure Framework (REST API), vRAN, cWLC, vSR, cMM, cMG, VSP, Virtualised Service Functions (VNF). Access: 2G, 3G, Macro RAN, Small Cells, Enterprise, Airscale, Wi-Fi, Fixed Broadband, EC-GSM, LTE-M, NB LTE-M, 5G eMBB, 5G mMTC, 5G cMTC. User plane: DataCenter Edge / SSG, MG-UP (AGW), SR-UP, PE, IAR, eMBB physical EPC, IP/MPLS, Internet, IMS, Video optimisation, Caching, …]
Glossary:
- PE/IAR: 7950 XRS Provider Edge / Internet Access Router
- SeGW: 7750 SR Security Gateway (IPSec)
- WLAN GW: 7750 SR Trusted WLAN Access GW & Proxy
- BNG: 7750 SR Broadband Network Gateway
- cFNS: cloud Flexi Network Server (MME/SGSN)
- cWLC: cloud WireLess Controller (for Wi-Fi)
- SDL: Nokia Shared Data Layer
- SDM: Subscriber Data Manager (HLR/HSS/AuC)
- vMG: virtualised Mobile Gateway (SPGW, ePDG, TDF/SFC)
- vSR: virtualised Service Router (PE, vBNG, vWLGW)
- VSP: Nuage Virtualised Services Platform (SDN)
- VNFM: Virtualised Network Function Manager
- vRAN: virtualised RAN (BBU)
- eMBB: enhanced Mobile BroadBand
- mMTC: massive Machine Type Communications
- cMTC: critical Machine Type Communications
10
Overview of the IoT market
The devices' perspective. Internet of Things: communication without human intervention. 30 Bn Objects by 2025 (Machina Research 2015); potentially 20 Bn Objects could move in here!
- Directly Attached 3GPP IoT: 3GPP UE (DCE) controlled by Object (DTE) through AT commands
- Indirectly Attached 3GPP IoT: 3GPP UE used as Routed, Bridged GW or NAT by non-3GPP Object
- Non-3GPP IoT: no 3GPP RAN at all between Object and PDN
Object classes and access technologies:
- Short Range Object / Connected Object: Zigbee, Bluetooth Low Energy, ZWave, Wi-Fi, 802.3 Ethernet – 3 Bn Objects by 2025
- Long Range Object / 3GPP User Equipment: 5G cMTC, 5G mMTC, 5G eMBB, LTE-A, LTE-M, NB LTE-M, NB CIOT, EC-GSM, LTE – 3 Bn by 2020
- Low Power Wide Area (LPWA): 802.11ah HaLow, LoRa, 6LPWAN, Sigfox – 4 Bn Objects by 2025
11
Another classification of these access technologies
Licensed and Unlicensed spectrum; delay tolerance; authentication
[Quadrant diagram: Licensed vs Unlicensed Spectrum, Delay Sensitive vs Delay Tolerant Traffic; "NOKIA MN preference" marked. UE states: Connected, Idle, PSM. Labels grouped as far as recoverable:]
Licensed spectrum
- LTE-A, 3GPP R12/R13 eMTC Cat-0 "Cat-1.4MHz": 1.4 MHz or shared, 6 PRB, <1 Mbps, PSM --> eDRX
- LTE-M, 3GPP R14 eMTC "Cat-200KHz": 200 KHz or shared, 1 PRB, <150 Kbps
- NB LTE-M / NB-IoT, 3GPP R13: 200 KHz dedicated
- EC-GSM, 3GPP R13 EDGE: 2.4 MHz or shared, 10 Kbps in GERAN
- 5G cMTC, 5G eMBB, 5G mMTC: EAP/NAS? tbd
Unlicensed spectrum
- Bluetooth Low Energy, 6LPWAN: supports Open Interconnect Consortium CRUDN API to oic://org/object?query
- Wi-Fi 802.11 b/g/n, a/n/ac/ax, HaLow: 802.1x EAP, 802.11i WPA2, DHCP
- LoRa, Sigfox
12
Specific types of UE to be expected…
In the four quadrants: Licensed Spectrum / Unlicensed Spectrum × Delay Sensitive Traffic / Delay Tolerant Traffic
13
A dilemma for the IoT Operator
Connect Things to IP networks (VPNs)? Or make them actionable through APIs?
[Diagram, two models. Service Provider model: UE – RAN – Mobility Manager – PDN – IP VPN – Host Gateway – UE IP. API model: UE – RAN – NS – SCEF/AS – CS – Applications Ecosystem; AAA, PDN, RBAC, EUI64, CRUDN API, RESTful XML resource, L2 Encryption, L2 Integrity, DB, Storage of reported data.]
- AS: LoRa Application Server
- NS: LoRa Network Server
- CS: Customer Server
14
Authentication, Authorization & Security Framework in 5G
[Sequence diagram; only its labels survive extraction, not the layout or the order of the arrows.]
Entities: Connected Object, 5G UE, PLC, RAN, AGC, AGW, AAA, HSS, Operator RootCA (RootCA Cert), CMS SubCA (SubCA Cert), CMS RVA (Registration & Validation Authority), Factory SubCA (FSCA, Cert'), Object Manufacturer.
Labels, in extraction order:
- Factory generates public-private key pair for an Object
- F1-C: EAP over NAS; F6: EAP; SWx auth
- QR code scan leads to Private URL being validated
- RVA demands Proof of Possession (PoP) of Factory Private Key, then generates public-private key pair
- Manual or CMPv2 cr (Subject, SubjectPublicKeyInfo)
- Connect to bridged context (vHome); SWx auth; Bridge L2
- 5G-Uu: Connection or Contention; F1-U: L2oGRE
- Signed using CMS SubCA Private Key
- CMPv2 using IAK (Initial Auth Key X): cr (cert request) or p10cr (PKCS#10)
- Validated via CMS SubCA Cert
- Stores QR code at Private URL
- cp cert response (certifiedKeyPair(EncCert, privateKey))
- AGW conn. establishment (PDCP-HL)
- EAP-TLS (Factory CertABC)
- PKCS#12 (RFC 7292?) SafeContents {(Signed Factory Cert, QR code)}; Factory CertABC (SCA)
- CMPv2 cr (cert request) to any URL
- AGW redirects any CMPv2 cr to the Operator's CMS RVA
- CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey); Operator CertXYZ (SCA)
- Object private key & Factory algorithm are used to generate each QR Code from each Cert
- A second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA
- ePDG discovery via Operator Certificate's OperatorID.epdg.3gppnetworks.org
- Validated via CMS SubCA Cert
- Manufacturer preinstalls Factory Cert and private key in each Object
- EAP-TLS auth (Operator CertXYZ)
15
Qualcomm UE <> Whispernet integration for MuLTEfire MWC’16 demo
Covers the Authentication protocol extensions (EAP)
[Diagram: Qualcomm UE – MLF eNB – EAP-AKA' – LTE Emulator and App Server]
- Use case: offload MNO traffic to a Neutral Host MuLTEfire network
- Flow: UE with MNO SIM attaches to the Neutral Host MuLTEfire network and is authenticated with the MNO AAA
- Protocol: LTE NAS modified to add EAP (EAP-AKA' is the version actually used)
- Evolution: Neutral Host retail scenario (e.g. Private LTE). The only difference is certificate authentication (EAP-TLS; only a configuration change for Nokia)
- Press release & video: Link
16
Similar example
IBM teams with TI on 'silicon tokens' to authenticate the Internet of Things
IBM has announced a new cloud-based 'silicon token' authentication service to manage the identity of embedded devices from cradle to grave. IBM says it is working with Texas Instruments to create a Secure Registry Service for IoT devices: an authentication service for silicon embedded in devices and other systems. The service will be hosted in IBM's cloud and will rely on a silicon token that will help securely manage the identity of devices. It will also facilitate the transmission of data from IoT sensors in the field back to its cloud.
Source: internet-of-things/
18
Copyright and confidentiality
The contents of this document are proprietary and confidential property of Nokia. This document is provided subject to confidentiality obligations of the applicable agreement(s). This document is intended for use of Nokia’s customers and collaborators only for the purpose for which this document is submitted by Nokia. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Feedback on the contents of this document, Nokia may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia product, technology, service, specification or other documentation. The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. NOKIA SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document. Nokia operates a policy of ongoing development. 
Nokia reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice. This document and the product(s) it describes are protected by copyright according to the applicable laws. Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.