The rapid expansion of the Internet of Things has fostered convenience and connectedness for consumers. It has also opened the door for creative hackers. Recently, hackers used hundreds of thousands of common internet-connected devices in consumers’ homes, without the owners’ knowledge, to launch a DDoS attack that temporarily brought down crucial parts of the internet’s infrastructure.
Past attacks have shown that passwords provide insufficient security for IoT devices, and IoT devices are also too constrained to implement biometric functions themselves.
The question then becomes how to authenticate to such devices, and whether the industry can adopt a standardized approach despite a highly fragmented IoT landscape. This presentation by Rolf Lindemann of Nok Nok Labs explores how FIDO Authentication can provide convenient and strong authentication in an array of IoT use cases.
The Future of Authentication for IoT
1. All Rights Reserved | FIDO Alliance | Copyright 2017
THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS
FIDO ALLIANCE WEBINAR
MARCH 28, 2017
2. INTRODUCTION TO THE FIDO ALLIANCE
ANDREW SHIKIAR, SENIOR DIRECTOR OF MARKETING
MARCH 28, 2017
3. THE FACTS ON FIDO
The FIDO Alliance is an open, global industry association of 250+ organizations with a focused mission: authentication standards based on public key cryptography to solve the password problem.
300+ FIDO Certified solutions
3 BILLION+ user accounts worldwide can be protected with them
Today, its members provide the world’s largest ecosystem for standards-based, interoperable authentication.
4. DRIVEN BY 250 MEMBERS
Board of Directors comprised of leading global brands and technology providers
+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS
5. WHY FIDO?
The World Has a Password Problem
Security:
• 63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon 2016 Data Breach Report)
• 65% increase in phishing attacks over the number of attacks recorded in 2015 (Anti-Phishing Working Group)
• There were 1093 data breaches in 2016, a 40% increase from 2015 (Identity Theft Resource Center, 2016)
Usability:
• For users, they’re clumsy, hard to remember and they need to be changed all the time
[Chart, security (weak to strong) against usability (poor to easy): passwords sit at weak and poor]
6. WHY FIDO?
OTPs improve security but aren’t easy enough to use, and are still phishable
• SMS reliability
• Token necklace
• User confusion
• Still phishable
[Chart, security (weak to strong) against usability (poor to easy): OTPs sit higher on security than passwords but still at poor usability]
7. THE WORLD HAS A “SHARED SECRETS” PROBLEM
8. WE NEED A NEW MODEL
9. HOW ARE WE DOING IT?
ECOSYSTEM
STANDARDS
DEPLOYMENTS
USER EXPERIENCE
10. HOW OLD AUTHENTICATION WORKS
ONLINE CONNECTION: The user authenticates themselves online by presenting a human-readable “shared secret”
11. HOW FIDO AUTHENTICATION WORKS
LOCAL CONNECTION: The user authenticates “locally” to their device (by various means)
ONLINE CONNECTION: The device authenticates the user online using public key cryptography
12. SIMPLER AUTHENTICATION
• Reduces reliance on complex passwords
• Single gesture to log on
• Same authentication on multiple devices
• Works with commonly used devices
• Fast and convenient
13. STRONGER AUTHENTICATION
• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts
17. THE WORLD HAS AN IOT SECURITY PROBLEM
18. WE NEED A NEW AUTHENTICATION MODEL FOR CONNECTED USERS & DEVICES
19. THANK YOU
ANDREW SHIKIAR, SR. DIRECTOR OF MARKETING
ANDREW@FIDOALLIANCE.ORG
20. THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS
ROLF LINDEMANN, NOK NOK LABS
[Cartoon: “Thanks to this app you can maneuver the new Forpel using your smartphone!” “Too bad it’s not my car.”]
21. What’s the challenge?
Source: HP Enterprise IoT Home Security Systems
22. Context
Need a strong foundation, e.g. a CPU supporting ARM TrustZone, Intel SGX, etc.
Secure firmware protects one “healthy” part from infected parts.
Strong authentication makes sure only legitimate entities get access. Focus of today’s presentation.
24. Scope
Cloud Services and “primary interaction” devices, i.e. devices a) which we typically have in our possession and b) that have a user interface: addressed by FIDO & W3C Web Authentication, not the core focus of this talk.
Devices that are not primary interaction devices, e.g. smart light bulbs, WIFI routers, smart fridges, smart thermostats, connected cars, smart door locks, …
25. Primary Interaction Devices
• Primary interaction devices have the capability to verify the user through their user interface.
• They can connect to another device or to a cloud service.
• They can implement a FIDO Authenticator allowing the user to strongly and conveniently authenticate to devices or cloud services. Trusted Execution Environments and/or Secure Elements add security.
26. Scope
Focus of this talk: user to standalone devices
31. Attack Scenarios
1. Exploit firmware vulnerabilities. TrustZone for ARMv8-M provides protection layers that help keep attacks local to one software module (“enclave”). Not in focus of this talk.
2. Enter at the front door: impersonate the user instead of performing legitimate authentication. Need strong authentication to protect against such attacks. Our focus.
32. User to Device Authentication
33. User to Device interaction
Device without keyboard and display?
34. User to Device interaction
IoT Device without keyboard and display
1. The user needs some computing device with a user input interface and display. Security: that device could be infected, so users don’t want to reveal bearer tokens (like passwords, etc.) to it.
2. The IoT Device only “sees” some other Device, no user. How can the Device know whether there is a user and whether the other device is trusted?
Convenience: devices want to support arbitrary user verification methods, e.g. PINs, fingerprint, face, … with limited computing power.
35. … did we see that before?
Device ↔ TLS / DTLS or other secure channel ↔ Device
See https://fidoalliance.org/events/fido-alliance-seminar-hongkong/
36. User to Device Authentication
User verification → Authenticator → FIDO Authentication (Challenge / (Signed) Response) → IoT Device
Authenticator: requires a user gesture before the private key can be used; the private key is dedicated to one app.
IoT Device: holds the public key, sends the Challenge and verifies the (Signed) Response.
37. First Authenticator Registration (Example)
1. IoT Device in factory default settings state
2. Press “register button”
3. Start registration process (for first authenticator)
39. Devices with Cloud Dependency
User to cloud-connected devices, e.g. rental cars, door locks, parcel lockers, thermostats, …
Cloud dependency: we want the cloud service to be able to grant access to the device to a specific user.
But: do not rely on a stable internet connection at time of access.
40. How does it work with central authorization infrastructure?
Parties: Mobile App (with FIDO Stack SDK), Cloud Service, Device
0. (OOB) Inject trust anchor into the Device
1. Traditional FIDO Registration (one-time) with the Cloud Service
2. Traditional FIDO Authentication to the Cloud Service
3. Signed JWT w/ PoP (FIDO UAuth) Public Key (see RFC 7800)
41. How does it work with central authorization infrastructure? (cont.)
The step 3 token in detail:
JOSE Header:
{"kid":"1e8gfc4","alg":"ES256"}
JOSE Payload:
{
  "iss": "https://server.example.com",
  "aud": "https://client.example.org",
  "exp": 1361398824,
  "cnf": {
    "jwk": {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
      "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"
    }
  }
}
JWS signature, computed by Cloud Service
42. How does it work with central authorization infrastructure? (cont.)
4. FIDO Authentication to the Device with the signed JWT w/ PoP (FIDO) Public Key as additional data
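Steps 0 to 3 of slides 40 to 42 as an added example in Go; this is not code from the webinar, from Nok Nok Labs or from any FIDO specification. The cloud service issues a JWT whose cnf.jwk (RFC 7800) is the user’s FIDO public key, and the device validates that token using nothing but the trust anchor injected out of band, so no internet connection is needed at the time of access. The key pairs, the device identifier used as aud, the fixed Unix timestamps and the kid value are constructed fixtures for the demo; the header and claim names follow the slide. Step 4, the FIDO challenge/response the device then runs against the key this code returns, is the ordinary user-to-device authentication of the other slides and is not repeated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of a JSON Web Key needed for the P-256 "cnf" key of RFC 7800.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Cnf struct{ Jwk jwk `json:"jwk"` } `json:"cnf"`
}

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// newKeys returns constructed fixtures: the cloud service's JWS signing key and the user's FIDO key.
func newKeys() (cloud, user *ecdsa.PrivateKey) {
	cloud, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	user, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return cloud, user
}

// issueToken is step 3: the cloud service signs a JWT whose cnf.jwk is the user's FIDO public key,
// authorising that key on the device named in aud until exp (Unix seconds).
func issueToken(cloud *ecdsa.PrivateKey, kid, iss, aud string, exp int64, user *ecdsa.PublicKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "alg": "ES256"})
	var c claims
	c.Iss, c.Aud, c.Exp = iss, aud, exp
	c.Cnf.Jwk = jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(pad32(user.X)), Y: b64.EncodeToString(pad32(user.Y))}
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, cloud, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw 64-byte R||S concatenation, not ASN.1 DER.
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil
}

// verifyToken runs on the device with only the trust anchor injected out of band (step 0), so it needs
// no internet connection at time of access; on success it returns the key the device must then challenge.
func verifyToken(token string, anchor *ecdsa.PublicKey, deviceID string, now int64) (*ecdsa.PublicKey, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr map[string]string
	// Pin the algorithm to what the anchor can verify; never honour "none" or an HMAC alg named by the token.
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr["alg"] != "ES256" || len(sig) != 64 {
		return nil, errors.New("malformed JWS, or alg is not ES256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(anchor, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("JWS signature is not from the trusted cloud service")
	}
	var c claims
	if json.Unmarshal(body, &c) != nil || c.Aud != deviceID || now >= c.Exp {
		return nil, errors.New("bad payload, token for another device, or token expired")
	}
	x, errX := b64.DecodeString(c.Cnf.Jwk.X)
	y, errY := b64.DecodeString(c.Cnf.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if c.Cnf.Jwk.Kty != "EC" || c.Cnf.Jwk.Crv != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("cnf key is not a valid P-256 point")
	}
	return pub, nil
}

func main() {
	cloud, user := newKeys()
	tok, _ := issueToken(cloud, "1e8gfc4", "https://server.example.com", "door-lock-42", 1900000000, &user.PublicKey)
	bound, err := verifyToken(tok, &cloud.PublicKey, "door-lock-42", 1800000000)
	fmt.Println(err, bound != nil && bound.Equal(&user.PublicKey)) // <nil> true
}
```

Two checks are easy to forget on a small device: the verifier pins alg to what its trust anchor can check instead of trusting the header, and it confirms that the cnf key is actually a point on P-256 before it challenges that key. Because the token names the device in aud and carries exp, a token issued for one door lock cannot be replayed at another, and the cloud can bound how long an offline device keeps honouring it.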
48. User to Device Authentication
User verification → Authenticator → FIDO Authentication (Challenge / (Signed) Response) → IoT Device
Authenticator: requires a user gesture before the private key can be used; the private key is dedicated to one RP.
IoT Device: holds the public key, sends the Challenge and verifies the (Signed) Response.
How an Authenticator verifies the user, and whether it verifies the user at all, depends on the Authenticator model and is represented in the Metadata Statement.
49. Device to Device Authentication
Authenticator → FIDO Authentication (Challenge / (Signed) Response) → IoT Device (holds the public key)
There are “Silent” Authenticators, never requiring any user interaction, and such an Authenticator might be embedded in a device.
50. Device to Cloud Authentication
Authenticator → FIDO Authentication (Challenge / (Signed) Response) → Cloud Service (holds the public key)
It makes no difference to the IoT device nor to the FIDO Authenticator whether it authenticates to another device or to a cloud service.
51. Device to Cloud Authentication (cont.)
… and the Authenticator can be embedded in smart fridges, smart thermostats and other IoT devices.
52. Conclusion
1. Authentication is the first experience of users with services and several device types.
2. Authentication needs to be convenient for the user and strong enough for the purpose.
3. We can do better than passwords + OTP. Look at the FIDO specifications for strong & convenient authentication, see www.fidoalliance.org.
4. FIDO supports “silent” Authenticators. These Authenticators can be implemented in IoT devices.
5. FIDO authentication responses can be verified in small devices, allowing FIDO authentication to those IoT devices.
6. FIDO can be combined with PoP keys (RFC 7800) in order to support authentication to “cloud connected” IoT devices.
53. FIDO Authenticator Concept
FIDO Authenticator components:
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)
• Optional components: Transaction Confirmation Display
54. Silent Authenticators
1. Definition, see FIDO Glossary
2. User Verification Method, see FIDO Registry
3. Metadata Statement, see FIDO Metadata Statements
55. FIDO Registration
Parties: Relying Party (example.com), Platform, Authenticator
1. Relying Party → Platform: accountInfo, challenge, [cOpts] (cOpts: crypto params, credential black list, extensions)
2. Platform: select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}
3. Platform → Authenticator: rpId, ai, hash(clientData), cryptoP, [exts]
4. Authenticator: verify user; generate key kpub, key kpriv, credential c
5. Authenticator → Platform: c, kpub, clientData, ac, cdh, rpId, cntr, AAGUID[, exts], signature(tbs) (ac: attestation certificate chain; cdh: hash(clientData); tbs: the to-be-signed data)
6. Platform → Relying Party: c, kpub, clientData, ac, tbs, s
7. Relying Party: store key kpub, c, s
56. FIDO Authentication
Parties: Relying Party, Platform, Authenticator
1. Relying Party → Platform: challenge, [aOpts]
2. Platform: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData}
3. Platform → Authenticator: rpId, [c,] hash(clientData)
4. Authenticator: verify user; find key kpriv; cntr++; process exts
5. Authenticator → Platform: clientData, cntr, [exts], signature(cdh, cntr, exts)
6. Platform → Relying Party: clientData, cntr, exts, s
7. Relying Party: lookup kpub from DB; check exts + signature using key kpub
All Rights Reserved | FIDO Alliance | Copyright 2017
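The registration and authentication flows of slides 36, 37, 48, 55 and 56, reduced to a standalone IoT device that is its own relying party, as an added example in Go; it is not code from the webinar, from Nok Nok Labs or from the FIDO specifications. The authenticator keeps one private key per relying party, releases it only after a user gesture (or never asks for one, for a “silent” authenticator as on slide 49) and signs hash(clientData) || cntr; the device stores only public keys and the last counter, hands out single-use challenges, and accepts a first registration only in factory-default state after a physical button press. The device name, the gesture callback, folding hash(clientData) and the counter into one SHA-256 digest before signing, and the DER signature encoding are assumptions made for this demo, not the wire format of any FIDO specification, and attestation is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

type clientData struct {
	Challenge string `json:"challenge"`
	RpID      string `json:"rpId"`
}

// authenticator: one private key per relying party (slide 48) plus a signature counter; userPresent is the
// assumed gesture source (button, fingerprint), and nil models a "silent" authenticator (slide 49).
type authenticator struct {
	keys        map[string]*ecdsa.PrivateKey
	cntr        uint32
	userPresent func() bool
}

func newAuthenticator(gesture func() bool) *authenticator { return &authenticator{keys: map[string]*ecdsa.PrivateKey{}, userPresent: gesture} }

// register creates a fresh key pair bound to rpID; only the public half ever leaves the authenticator.
func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand does
	a.keys[rpID] = k
	return &k.PublicKey
}

// authenticate signs hash(clientData) || cntr with the key dedicated to rpID (slide 56).
func (a *authenticator) authenticate(rpID string, challenge []byte) (clientData, uint32, []byte, error) {
	cd := clientData{Challenge: base64.RawURLEncoding.EncodeToString(challenge), RpID: rpID}
	k := a.keys[rpID]
	if k == nil || (a.userPresent != nil && !a.userPresent()) {
		return cd, 0, nil, errors.New("no key for this relying party, or user verification failed")
	}
	a.cntr++
	sig, err := ecdsa.SignASN1(rand.Reader, k, toBeSigned(cd, a.cntr))
	return cd, a.cntr, sig, err
}

// toBeSigned is SHA-256(hash(clientData) || cntr); the device recomputes it from what it received.
func toBeSigned(cd clientData, cntr uint32) []byte {
	raw, _ := json.Marshal(cd)
	cdh := sha256.Sum256(raw)
	d := sha256.Sum256(append(cdh[:], byte(cntr>>24), byte(cntr>>16), byte(cntr>>8), byte(cntr)))
	return d[:]
}

// device is the IoT side: a public key and the last counter (slide 55), never a secret.
type device struct {
	rpID    string
	pub     *ecdsa.PublicKey
	cntr    uint32
	pending string // outstanding challenge (base64url); empty when none
}

// firstRegistration (slide 37): only in factory-default state and only after a physical button press.
func (d *device) firstRegistration(a *authenticator, buttonPressed bool) error {
	if d.pub != nil || !buttonPressed {
		return errors.New("refused: not in factory default state, or register button not pressed")
	}
	d.pub = a.register(d.rpID)
	return nil
}

func (d *device) newChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand fills the whole slice; it never returns an error in current Go releases
	d.pending = base64.RawURLEncoding.EncodeToString(b)
	return b
}

// verify checks rpId binding, challenge freshness, the signature, and a strictly increasing counter.
func (d *device) verify(cd clientData, cntr uint32, sig []byte) error {
	switch {
	case d.pub == nil || d.pending == "" || cd.Challenge != d.pending:
		return errors.New("no registered key, or response does not match the outstanding challenge")
	case cd.RpID != d.rpID:
		return errors.New("response was produced for a different relying party")
	case cntr <= d.cntr:
		return errors.New("counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(d.pub, toBeSigned(cd, cntr), sig):
		return errors.New("bad signature")
	}
	d.cntr, d.pending = cntr, "" // the challenge is single-use
	return nil
}

func main() {
	a, d := newAuthenticator(func() bool { return true }), &device{rpID: "thermostat-1"}
	fmt.Println("register:", d.firstRegistration(a, true))
	cd, cntr, sig, _ := a.authenticate(d.rpID, d.newChallenge())
	fmt.Println("auth:", d.verify(cd, cntr, sig), "| replay:", d.verify(cd, cntr, sig))
}
```

The device side is what has to fit on a constrained part: one ECDSA verification, two hashes and a counter compare, with no secret to protect in its storage. A replayed response fails twice over, on the consumed challenge and on the counter, and a response signed for another relying party fails on rpId before any signature work is done.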