CIS14: Identifying Things (and Things Identifying Us)
IDENTITY IN THE IOT – THEIRS AND OURS
Paul Madsen, Office of the CTO
Agenda
1. Things – their identities
2. Things – our identities
What does it mean for a thing to have an identity?
• Things will have attributes that distinguish them from other things
• Things will have means to prove to other things that they a) belong to a class of things or b) are a particular thing
• Things will have means to verify that other things a) belong to a class of things or b) are a particular thing
• Things will be provisioned with certain attributes at origin but over time may add additional attributes
• Things have a finite lifetime, at the end of which some portions of their identity may need to be cancelled
• In their 50s, things will have an identity crisis – divorce their spouse, join a gym and buy a sports car.
You (mostly) can’t have security without identity
Diagram of security properties: Security; Authentication; Identity; Confidentiality; Audit.
Things will operate on behalf of ….
• Gym track
• Beer keg
• Cars
• Bridge
How do we give users meaningful control over their things and their ability to operate on their behalf?
1. Initial authorization
2. Ongoing visibility
3. Eventual revocation
Copyright © 2013 Ping Identity Corp. All rights reserved.
How are passwords working out for us?
Password anti-pattern
A site asks YOU for your GOOGLE password so it can access your Google stuff.
Tsk tsk!
• Client must store passwords
• Teaches users to be indiscriminate with their passwords
• More difficult to move to multi-factor and federated authentication
• Doesn’t support granular permissions, e.g. X can read but not write
• Doesn’t support knowledge/differentiation of the access granted
• Doesn’t support (easy) revocation – to be sure of turning off access users must change password
Tokens instead of passwords
• Rather than clients using passwords on their API messages, token authentication models have the client first exchange the password for a token and then use tokens on subsequent messages
• Token can represent the authorized combination of client & user
• Advantages
– Allows for granular consent
– Revocable
– No need to store passwords on device/thing
• OAuth 2.0 and OpenID Connect 1.0 are the key standards
Diagram (built up over three slides): a numbered flow, steps 1 to 5, between the user, their things and the services they use. Some legs are labelled "OAuth/Connect"; the remaining legs are labelled "OAuth/Connect?", i.e. it is an open question whether the same standards fit there.
State of the art?
IoT protocols: MQTT, CoAP
Security: TLS/DTLS, passwords
Binding OAuth to MQTT
• Paul Fremantle has been exploring using OAuth access tokens on MQTT messages as an alternative to passwords (which the MQTT spec now supports)
• An Arduino obtains an OAuth token from an authorization server and then uses it on the CONNECT message
• http://www.slideshare.net/pizak/securing-the-internet-of-things
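The token model from the "Tokens instead of passwords" slide, applied to the MQTT binding above, as an added example that is not code from the deck or from Paul Fremantle's work. It assumes a thing that places its OAuth access token in the Password field of an MQTT 3.1.1 CONNECT packet, and a broker that looks the token up in a constructed in-memory store (standing in for the authorization server) before answering with a CONNACK return code. The hypothetical store shows the three advantages the slide lists: the token names the client/user pair it was issued to, carries a granular scope, and can be revoked without anyone changing a password.

```python
import struct

# Constructed, in-memory stand-in for the authorization server's token store;
# a real broker would call token introspection or verify a signed JWT instead.
TOKENS = {
    "tok-arduino-1": {"client": "arduino-1", "user": "alice", "revoked": False, "scope": {"publish:home/temp"}, "exp": 4102444800},
    "tok-arduino-2": {"client": "arduino-2", "user": "bob", "revoked": True, "scope": {"publish:home/temp"}, "exp": 4102444800},
}
CONNACK_ACCEPTED, CONNACK_BAD_CREDENTIALS, CONNACK_NOT_AUTHORIZED = 0, 4, 5   # MQTT 3.1.1 return codes

def _mqtt_str(s: bytes) -> bytes:       # MQTT string: 2-byte big-endian length + bytes
    return struct.pack(">H", len(s)) + s

def _remaining_len(n: int) -> bytes:    # MQTT variable-length "remaining length" field
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, token: str) -> bytes:
    """Thing side: MQTT 3.1.1 CONNECT with the OAuth access token in the Password field."""
    # connect flags 0xC2 = username present, password present, clean session; keepalive 60 s
    body = (_mqtt_str(b"MQTT") + b"\x04\xc2" + struct.pack(">H", 60)
            + _mqtt_str(client_id.encode()) + _mqtt_str(b"oauth2") + _mqtt_str(token.encode()))
    return b"\x10" + _remaining_len(len(body)) + body

def parse_connect(pkt: bytes) -> dict:
    """Broker side: extract client id, username and password (the token) from a CONNECT."""
    i = 1
    while pkt[i] & 0x80:                # skip continuation bytes of the remaining length
        i += 1
    flags, i, fields = pkt[i + 8], i + 11, []   # past "MQTT"(6), level(1), flags(1), keepalive(2)
    while i < len(pkt):
        n = struct.unpack(">H", pkt[i:i + 2])[0]
        fields.append(pkt[i + 2:i + 2 + n].decode())
        i += 2 + n
    if flags & 0xC0 != 0xC0 or len(fields) != 3:
        raise ValueError("CONNECT does not carry a username and password")
    return {"client_id": fields[0], "username": fields[1], "token": fields[2]}

def authorize_connect(pkt: bytes, required_scope: str, now: int) -> int:
    """Broker side: the CONNACK return code to answer this CONNECT with."""
    c = parse_connect(pkt)
    tok = TOKENS.get(c["token"])
    if tok is None or tok["revoked"] or tok["exp"] <= now:
        return CONNACK_BAD_CREDENTIALS      # unknown, revoked or expired token
    if tok["client"] != c["client_id"] or required_scope not in tok["scope"]:
        return CONNACK_NOT_AUTHORIZED       # token issued to another thing, or lacks this scope
    return CONNACK_ACCEPTED
```

Revoking a thing's access is a single flag flip in the token store, and a token stolen from one Arduino is refused when presented under another client id.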
Agenda
1. Things – their identities
2. Things – our identities
Authentication Taxonomy
Copyright © 2014 Ping Identity Corp. All rights reserved.
Grid: Initiation (Active/explicit vs Passive/implicit) against Sampling (Once vs Continuous)
• Active/explicit, sampled once: Password, OTP, mobile, fingerprint, voice
Somethings are changing
Diagram: the three factors, Know, Have and Are, with a trend arrow between them.
Have and have nots
• RSA SecurID
• Wallet cards etc.
• USB tokens
Authentication Taxonomy
Grid: Initiation (Active/explicit vs Passive/implicit) against Sampling (Once vs Continuous)
• Active/explicit, sampled once: Password, OTP, mobile, fingerprint, voice
• Passive/implicit, sampled once: IP address, geo-location
Explicit giving way to implicit
Diagram: Explicit factors and Implicit factors, with a trend arrow from explicit towards implicit.
The things that we more and more surround ourselves with can enable ‘continuous authentication’
Authentication Taxonomy
Grid: Initiation (Active/explicit vs Passive/implicit) against Sampling (Once vs Continuous)
• Active/explicit, sampled once: Password, OTP, mobile, fingerprint, voice
• Passive/implicit, sampled once: IP address, geo-location
• Passive/implicit, continuous: IP address, geo-location; Keystroke, EKG, voice, proximity, transactional
Continuous authentication modes
• Identify the gait
• Recognize the face
• Listen to the voice
• Sense how user holds phone
• Measure pushup pace ….
Demands local sensors
My things thank your things for their attention