
SECURITY FOR IOT DEVICES

IP.com Disclosure Number: IPCOM000246103D
Publication Date: 2016-May-06
Document File: 6 page(s) / 64K

Publishing Venue

The IP.com Prior Art Database

Related People

Tirumaleswar Reddy: AUTHOR

Abstract

Presented herein is a mechanism for controlling how security devices can validate a (Datagram) Transport Layer Security ((D)TLS) handshake and act as a (D)TLS proxy for the secure connection between an IoT device and client. This is achieved by having both the IoT device and the client register themselves with the authorization server (AS). The firewall communicates with the AS to learn the certificate used by the IoT device and the certificate used by the client to validate the (D)TLS handshake. If the firewall is additionally acting as a (D)TLS proxy, then both the IoT device and the client are informed by the AS that their (D)TLS peer is the certificate of the (D)TLS proxy (rather than the certificate of the other peer). This forces the (D)TLS proxy to always be required on the communication path, and prevents the devices from connecting without the (D)TLS proxy being on path.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 33% of the total text.

AUTHORS:

Tirumaleswar Reddy, Dan Wing

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

     The normal mechanism for proxying (intercepting) Transport Layer Security (TLS) connections such as HTTPS is to install a Certificate Authority (CA) root on the client, so that the client trusts the (spoofed) certificate the TLS proxy generates for the connection. This works because only the client validates the server's certificate; the server does not validate the client's certificate. It does not work when the server validates the client's certificate, because the (D)TLS proxy does not possess the client's private key, which it would need in order to complete the (D)TLS handshake with the TLS server.

Copyright 2016 Cisco Systems, Inc.


    A (D)TLS proxy is an important function for security devices such as firewalls and Intrusion Prevention Systems (IPS), which must decrypt traffic in order to inspect it. Before inspecting the traffic carried inside (D)TLS, one of the security functions of the (D)TLS proxy is to validate the server's certificate, specifically its domain name and issuer. This validation is useful because some devices do not validate certificates properly.

    OAuth 2.0 can be used as an authorization framework in Internet of Things (IoT) deployments. https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-00 describes an OAuth 2.0 mechanism by which clients gain access to an IoT device. The IoT device and the client register themselves with the authorization server (AS); the client obtains an access token and the IoT device's certificate from the AS. The client then conveys the access token in a Constrained Application Protocol (CoAP) request to the IoT device. The IoT device validates the token, extracts the client certificate encrypted in the access token, and responds to the client. The client and the IoT device then run the (D)TLS handshake, exchanging certificates to mutually authenticate each other. The above draft discusses two modes of (D)TLS security:...
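The following is an added worked example, not part of the disclosure and not Cisco's code, written in Go against the standard crypto/tls package. It models two points from the text in one runnable program: the check described in the abstract, in which the authorization server holds the certificate each party registered and a handshake is accepted only if the peer presents exactly that certificate (the example assumes the AS identifies a certificate by its SHA-256 fingerprint; the disclosure does not fix a format), and the limitation stated in the Detailed Description that an intercepting proxy cannot complete a mutually authenticated handshake because it lacks the client's private key. The parties (iot-device, client, dtls-proxy), their self-signed certificates, the Registry and Expect helpers, and the in-process handshake harness are all constructed for the example. The last cases show the arrangement the disclosure proposes: once the AS tells both the IoT device and the client that their peer is the proxy's certificate, each leg through the proxy succeeds and a direct connection that bypasses the proxy is refused by the pinned peer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issueCert mints a self-signed P-256 certificate (hypothetical helper; the AS pins the exact certificate, so no CA is needed).
func issueCert(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system RNG is unavailable
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// fingerprint (SHA-256 of the DER) is the form this example assumes the AS uses to identify a registered certificate.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Registry models the authorization server's records: party name -> fingerprint of its registered certificate.
type Registry map[string]string

// Expect builds the VerifyPeerCertificate check the firewall applies: the peer must present the certificate registered under name.
func (r Registry) Expect(name string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 || fingerprint(raw[0]) != r[name] {
			return fmt.Errorf("peer did not present the certificate registered for %q", name)
		}
		return nil
	}
}

// handshake runs one TLS 1.3 handshake in-process and returns the first error either side reports (nil when
// both complete). Relay goroutines buffer each flight, since a bare net.Pipe deadlocks when a side rejects a
// certificate mid-flight; the client reads once afterwards because a TLS 1.3 client finishes before the
// server has checked the client certificate, so a server-side rejection arrives as an alert on that read.
func handshake(client, server *tls.Config) error {
	cc, cRelay := net.Pipe()
	sc, sRelay := net.Pipe()
	go func() { io.Copy(sRelay, cRelay); sRelay.Close() }()
	go func() { io.Copy(cRelay, sRelay); cRelay.Close() }()
	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(sc, server)
		err := srv.Handshake()
		srv.Close() // on success this sends close_notify, which ends the client's read with io.EOF
		srvErr <- err
	}()
	cli := tls.Client(cc, client)
	err := cli.Handshake()
	if err == nil {
		if _, rerr := cli.Read(make([]byte, 1)); rerr != nil && rerr != io.EOF {
			err = rerr
		}
	}
	cli.Close()
	if serr := <-srvErr; err == nil {
		err = serr
	}
	return err
}

// Scenario plays out the cases the text describes; nil means the handshake completed. peer is the party the AS
// told that side to expect; InsecureSkipVerify only disables Go's default chain check so the AS pin is the sole check.
func Scenario() map[string]error {
	device, client, proxy := issueCert("iot-device"), issueCert("client"), issueCert("dtls-proxy")
	as := Registry{"device": fingerprint(device.Certificate[0]), "client": fingerprint(client.Certificate[0]),
		"proxy": fingerprint(proxy.Certificate[0])}
	cfg := func(own tls.Certificate, peer string, server bool) *tls.Config {
		return &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{own}, InsecureSkipVerify: !server,
			ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: as.Expect(peer)} // ClientAuth is ignored on the client side
	}
	// An intercepting proxy can copy the client's certificate but does not hold the client's private key.
	spoofed := tls.Certificate{Certificate: client.Certificate, PrivateKey: proxy.PrivateKey}
	return map[string]error{
		"direct mutual auth, no proxy":      handshake(cfg(client, "device", false), cfg(device, "client", true)),
		"proxy lacking client private key":  handshake(cfg(spoofed, "device", false), cfg(device, "client", true)),
		"client-to-proxy leg, proxy pinned": handshake(cfg(client, "proxy", false), cfg(proxy, "client", true)),
		"proxy-to-device leg, proxy pinned": handshake(cfg(proxy, "device", false), cfg(device, "proxy", true)),
		"direct bypass, proxy pinned":       handshake(cfg(client, "proxy", false), cfg(device, "proxy", true)),
	}
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; each case maps to nil when both sides completed the handshake and to the rejection otherwise. Expect is written as a tls.Config VerifyPeerCertificate callback, so the same comparison a firewall makes against the certificates it sees in a handshake can also sit in the proxy's or a device's own configuration; RequireAnyClientCert makes the server demand a certificate while leaving the decision of which certificate is acceptable to the AS record rather than to a CA chain.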