Re: [saag] IoT Authentication

Dirk.von-Hugo@telekom.de Thu, 16 September 2021 13:15 UTC

From: Dirk.von-Hugo@telekom.de
To: mcr+ietf@sandelman.ca, sarikaya@ieee.org
CC: saag@ietf.org
Thread-Topic: [saag] IoT Authentication
Thread-Index: AQHXqkOvpFOVNkmnFkeXY8Xbjeg+AKulkbSAgAES67A=
Date: Thu, 16 Sep 2021 13:14:48 +0000
Message-ID: <FR0P281MB05272BC50C9C69AD40CCA5B6D1DC9@FR0P281MB0527.DEUP281.PROD.OUTLOOK.COM>
References: <CAC8QAccvc=HTNdnoN2gYRhLHR3g_PNSsJo16a0tT8DG3MRM6sA@mail.gmail.com> <5301.1631738943@localhost>
In-Reply-To: <5301.1631738943@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rvPXfoC1fLQbf6E65VAbzLJRHJQ>

Hi Michael,
thanks for the pointers! Very helpful, indeed .... although some is already well-known 😉 
Best Regards
Dirk 
-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Wednesday, 15 September 2021 22:49
To: sarikaya@ieee.org
Cc: IETF SAAG <saag@ietf.org>; von Hugo, Dirk <Dirk.von-Hugo@telekom.de>
Subject: Re: [saag] IoT Authentication
Behcet Sarikaya <sarikaya2012@gmail.com> wrote:
    > Can anyone point to a recent survey draft/RFC on IoT authentication
    > techniques developed/being developed in various WGs so far?

What exactly are you talking about?
You write *authentication*, but do you mean authorization?
I know that you know the difference, so I wonder exactly what you mean.

ACE has done lots of interesting work, but it is about authorization, not authentication.

RFC8995 (BRSKI) deals with authentication of devices, including sending authorizations to the device as to what network they should join, and how to authenticate that network.

I have a few documents that started in ANIMA:
  1) draft-richardson-anima-masa-considerations (*)
     Mostly about IDevID and other related trust anchors such that
     devices can later be authenticated.

  2) draft-richardson-t2trg-idevid-considerations
     Forked off above, dealing with how the PKI used for above can
     be evaluated.

  3) draft-richardson-anima-registrar-considerations (*)
     about how an operator builds and manages the infrastructure
     to authenticate devices.

(*) sorry, expired, but documents will get refreshed this month.

In addition, t2trg has:
  https://datatracker.ietf.org/doc/draft-irtf-t2trg-secure-bootstrapping/

it refers to many things, including https://datatracker.ietf.org/doc/draft-ietf-emu-eap-noob/
which is on the verge of RFC.

Today, most vertically integrated systems deploy static keys to the devices to authenticate the "cloud" service to the IoT device.  Whether or not they authenticate the device at all is often unknown without an NDA.