Patterns of Authentication and Self-Announcement in IoT

https://discoverdev.io is a site that curates the best developer resources around. Visit our website for more and signup to our mailing list! ---------- Recorded at AppSecUSA 2016 in Washington, DC https://2016.appsecusa.org/ Patterns of Authentication and Self-Announcement in the Internet of Things (IoT) The need to connect ‘things’ to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT 1. Physical access and infinite time available to adversaries to take apart devices 2. Lower computation power of standalone devices 3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised 4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference. In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs could be modelled using the above elements. For major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios: • Home automation as enabled by NEST devices • Device collaboration in Zigbee-based networks • Smart inventory management using NFC/RFID • Remote device control based on XMPP (SASL authentication) The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case. Farbod H Foomany A senior application security researcher (technical lead) at security compass. He has a bachelor degree in electrical engineering (control systems), Masters degree in artificial intelligence and robotics, and has completed a PhD with main research on security aspects of using voice-print and other biometrics in criminological and security applications. Farbod is currently involved in a project that aims to investigate and formulate the security requirements of system design/development in the internet of things (IoT) ecosystem. Farbod has published and presented his work on signal processing and security in several conferences and journals such IEEE conferences/journals, ISACA journal, crime science conferences and crime reduction networks. Amir Pourafshar Application Security Researcher, Security Compass Amir Pourafshar is an application security researcher at Security Compass. Amir is currently part of a research team working on an IoT project that aims to investigate and formulate the security requirements of system design/development in internet of things (IoT) ecosystem. Amir has done his masters in computer science at Information Security Centre of eXcellence (University of New Brunswick). - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project