Federating Access to IoT using OAuth


License: CC Attribution 2.0 Belgium
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
The Internet of Things (IoT) is being used for lots of personal data, but what little authentication and authorization is done is mainly being done using traditional centralized role-based approaches. This talk shows how we can use federated identity and access management approaches such as OAuth2 with MQTT and CoAP to support IoT.

The Internet of Things and Machine to Machine are growing areas, and security and privacy are prime issues. In this session we will examine the security challenges around using M2M devices, with special reference to authorization and authentication. Much of the IoT is used for personal systems, and so there is a strong need for person-centred identity and access management. The OAuth2 protocol is gaining wide acceptance in the Web, and has been designed to support federated identity, personal delegation of access control and dynamic permissions. We look at how we can use OAuth with MQTT and CoAP. We will use a combination of open source hardware (based on Arduino) and open source software (including Mosquitto and WSO2 Identity Server) to demonstrate an Arduino-based IoT device interacting with MQTT-based systems using OAuth2 bearer tokens.

The session will cover:
- Challenges with IoT security
- Using OAuth2 to support federation and user-directed authorization
- Issues and areas for further work
- Future directions

The session will include a live demonstration of Arduino and Eclipse Paho interoperating, secured by OAuth 2.0.
A few technical items. My old friend Paul Fremantle is going to talk about security on the Internet of Things. He is currently doing a PhD and is CTO of WSO2. So, Paul.

So let me get started. I'm Paul, and I'm a keen supporter of the concept of federated identity. Who here has used OAuth or OAuth2? Excellent, right, so that will make my life a lot easier today. What I'm going to do is firstly talk a little bit about federated identity and access management, very quickly because you know about that, and a little bit about OAuth2. I'm going to talk very briefly about MQTT, which is the protocol I've been using; it's a lightweight messaging protocol that was designed around IoT-type devices. And then I'll put the two together, hopefully with a demo. The demo has broken three times this morning already, so if it actually works I will be very happy indeed and you can buy me a beer afterwards. Then I'll talk about lessons learned and next steps.

So federation is important, and it's important for security, because the big problem we've had with security on the Internet has been centralized security, where firstly people have failures, and secondly it's not in your control. Especially as the number of users on the Internet has grown massively, people have basically had to move to federated models, and that's why OAuth2 is so popular.
I see the same challenge with IoT devices: there are billions of them already and they're growing very rapidly, and we can't expect them to use the centralized, traditional user-ID-and-password security models; that's just not going to work at this scale. Federated identity and access management is really important because it allows you to retain control of your password and user ID. The way most people use this is not giving them to Facebook, but instead to Apple, Google and so on, and trusting them; of course that itself is a challenge, but the point is that if you give it to someone you do trust, then they don't hand it out to anyone else. OAuth came about specifically from problems like LinkedIn saying "give me your Gmail user ID and password, I'll grab your contact list and I promise not to send any e-mails or do anything else"; and actually they are currently facing a lawsuit in the US saying that they did more than they said they would. So OAuth basically says it's up to me to authorize a token for LinkedIn that says how much they can access, what they can do and how long that lasts, and that can also be varied.

OAuth2 seems to be the most used federated protocol. It's used by GitHub, it's used by LinkedIn, Gmail, Facebook and many, many others, so it seems to be a good approach to start using. And really, why federated identity management for IoT? The most important thing from my perspective is that it's your device, it ought to be your data, and it ought to be under your control where you publish that data, who can access it, and how they can access it. If my house is connected to the Internet, maybe I want to let my mum or my neighbours check on the health of it while I'm away, but only them; I don't want anybody else coming along and saying "hey, the lights have been on, nobody's been living there for a week". So it's very important that you can have control of your data, and I think that's been a big failure in IoT devices so far. A lot of people have thought about it as a failure on the Internet as a whole, and it's something that we're slowly fixing.

Another reason, a very technical reason: tokens are a much better model for managing identity in a device. Most server-to-server communications these days that are designed properly rely on tokens, because a token is for a device; a user ID and password is for a person, not for a device. And another thing, which depends on your OAuth implementation, is that you can potentially manage the tokens and the scopes quite well, so you can bind that token to a device and then manage it over time.
So tokens: the basic idea is that you get a token issued, and you then pass just the token to the resource. So there are two key parties: the IdP, the identity provider, and the resource server. The resource server is what you're trying to access resources on; you're always trying to get access to your resources, and the IdP is the authentication server, in this case OAuth2. So as I said, OAuth2 is very widely implemented.

I think it's pretty good, but there are people who have criticisms, particularly over the concept of bearer tokens, which is basically: if you have this token, you have full control. So obviously the stealing of bearer tokens is an issue, and that's a very big issue in IoT devices; I'll talk about that at the end. Of course there's never any certainty with security protocols; the certainty is that it hasn't been broken yet. There are some researchers who have done a formal model of OAuth2 using a framework from MIT, so that gives you some more confidence. It isn't just used for the web either: there is a draft spec for using it with SASL, basically for logging on, so it's getting some traction outside of HTTP. This is a three-legged OAuth flow; I'm going to talk through this in the demo more, and I'll put the slides up on the web afterwards if you want to study the graph.

Now I'm going to talk briefly about MQTT. Has anyone used MQTT before? No? That's interesting. OK, so who has Facebook Messenger on their phone? OK, so more of you use it than you think. MQTT is a protocol that came out of IBM, but not out of IBM as a whole, out of one guy in IBM, so it's not your normal IBM standard; it's very, very lightweight and simple, doesn't do too much, and just does what it needs to. It was really designed for a pipeline in Alaska: these pipeline monitoring guys came to IBM and said "we've got MQSeries in all our systems, we want to connect all the monitoring stations on the pipeline to our MQSeries system so we can follow the flow of the oil". So some people went there and said "well, it would be MQSeries on the monitoring stations", and there's 1400 bytes of header with MQSeries, and each extra byte was 78,000 dollars a day because it was going over a satellite; this is about 15 years ago and it was very, very expensive. So they said "no, we don't think we can do that", and they basically designed a protocol with a two-byte header. The best thing that's happened to MQTT is that recently a lot of it has moved to Eclipse, so there are a number of projects in Eclipse, in the M2M group there, around creating open-source brokers. There's a C-based broker, Mosquitto, and a new one in Java is just about to be donated; lots and lots of clients in different languages, and other clients and other things as well. It's also being standardized by OASIS, which some people have had bad experiences with, but basically it's just gone through with some very minor clarifications, and I think it's been a good process. There's also a lighter-weight version called MQTT-SN; I'm not going to go into that, but it's actually a very nice protocol.
Well, this is a sort of flow; this is the full reliable flow, which basically guarantees each message gets to each subscriber exactly once, which is why it's quite heavy. There are basically three choices of QoS: you can say no reliability, this message may or may not get there; it will definitely get there but may get there more than once, that's QoS 1; and this one, where it will get there exactly once, which requires that sort of handshake. Now the Arduino MQTT client can only do QoS 0, so there's no reliability, but you can bridge that into a broker and then have the broker do higher levels of reliability in distributing the data.

So in my demo, what I'm going to do is embed a token on here. Now actually with OAuth there are two different things: there's the access token, which is the bearer token, and there's a refresh token. An access token typically times out, and so when it has timed out you go with your refresh token back to the server, the main IdP, and get a new version of the token. Now the problem is that's an HTTP call, and I don't have room on my Arduino for the HTTP and MQTT libraries and the actual job I want to do, which is to grab data from a little accelerometer on here and publish information from it, so I have an I2C library too. So what I did was, I basically said: OK, one option would be to make an access token with a very, very long lifetime and embed that onto the box; but firstly that's up to the OAuth provider, so it isn't going to work if you want to make this generic and work with any provider. So what I did was create a new component called a refresher, which basically transfers the HTTP thing into MQTT. So at the start I'm going to go with a deliberately invalid bearer token, and I'm going to try it; it's going to fail, so the Arduino publishes the refresh token onto a different topic, gets back the new token, and then the Arduino disconnects and reconnects with the new token. So it's faked to demonstrate this process that normally would happen once a day or something, but in my lecture it happens every time.

Then it's going to publish to the broker, and the broker has a plug-in I wrote in Python which basically makes a call to the OAuth introspection API, which is a RESTful call into the IdP, to say "does this token have the scope?", basically the access control. I encoded the scope as a bit of JSON saying you can read or write to this set of topics; that's how I included the scope. Then when the Arduino tries to publish to a particular topic, the server is saying "does this device have the credential?" And I also have a subscriber that's going to use the same mechanism to get its subscription, and basically all the data from that little clip. Any questions? It will become a little bit clearer with the demo. It's not a beautiful graphic demo like the first one was, so I'm a bit depressed by that, but I should show a bunch of things. All of this is open source, but this bit is just a hack, basically. The bit over here is from my company, but it's open, pure Apache open source. There's a sort of pseudo-standard introspection API for getting the scope, but we don't implement it yet; we're going to add it. So I have something that's just translating that: I could make the SOAP call here that this offers, but I really like open standards, so I have a Python bridge that translates it into the standard call, and that's going to be in the next release. So that's a sort of hack, but apart from that, this API here where number one is coming in is completely standard, specified by the OAuth spec. I think the OAuth spec should specify this one as well; for some reason the standardization of this in the IETF has stalled, and this is a useful API to say "give me a token, now let me know what the lifetime left on the token is, and what the scope of this is", which is what this means. For some reason that sort of stalled behind the scenes with the OAuth guys.
Because of the way this has failed so many times today, I'm going to show you just the completed parts as far as possible. So the first step, when you create your device, is that you need to push that refresh token into here. So the first thing I do is go to a window here, where I have a little create-tokens script, and this basically just does a redirect to my IdP. So this is a redirect to the IdP, saying here's the resource server that wants access, and it hands you over to the OAuth server. So this is like when you go to Facebook and it says "do you want to give this app permission to do this?" I have a self-signed certificate on here, so it says it's untrusted. So now you have to log in and say who you are, and give permission. So I put in my credentials, and bingo. And then that scope should really be a meaningful statement: "do you want to allow this device to publish to your topic?" That should be what it says, but I've got it as a sort of base64-encoded JSON string; there was a problem with the way JSON is stored because scopes are space-delimited, so I base64-encoded it. It's not very useful, but it gives you the idea. So that obscure string gives permission to publish to this particular topic.

Then I get some tokens: a refresh token, a bearer token with a lifetime. They now have to be zapped into my Arduino, but I'm going to avoid that for the moment in case it fails. So that's why you see a different ID, because I'm hoping that I haven't overwritten the tokens; I have some tokens already written here.

Then basically what's going to happen now is: in one of my many windows I've got my broker, so this is my Mosquitto broker with the extra bit of code plugged in. So what's happened here is that the Arduino node has connected, and has tried to connect with a dummy token, which is 0 1 2 3 4, so that's my expired token, and it's failed; it's gone back and said you've got the wrong credentials, and then it's reconnected. Really this should be connected to a different broker; at this point it should be talking to my IdP, connecting and getting my refresh. I've fudged that by having it on the same broker as the results. That's actually a big security hole, but it's easily fixed. So now there's a simple script called refresher, which basically converts from MQTT: it takes that token and sends it to the IdP and says "here we go, swap this refresh token for a real new access token", and republishes it back on MQTT, where the Arduino picks it up, disconnects, and now reconnects with the token. As you can see, I'm now getting some data from my accelerometer here.

And the whole thing dies after a while, because there's no caching in here: for every single publish it's doing, it's making an HTTP call to the server, and it's a cruddy Python script running in the broker, and I have a feeling it's not garbage-collected properly, which is really annoying, because it's basically doing thousands and thousands of HTTP requests against the server. That's easily fixed, firstly by getting someone who can actually write code to do it, and secondly by putting some caching in there, because of what comes back from the introspection server.
When it gets this scope here, it also gets a lifetime for that token, so I know that this Arduino is authorized to publish for the next 60 minutes, and now I can cache that. So OK, not the most exciting of demos, but I think what I've demonstrated here is: firstly, there are some tricky bits in using OAuth on such a small device. It's not the actual token; that's as easy as a short character string. But the refresh flow there is a pain, because you've got whatever your CoAP or MQTT protocol is, and then suddenly an HTTP request over somewhere else. So by swapping it out and using the same protocol for both of those, I get round that. Some interesting things here.

So lessons learnt. Well, my MQTT and I2C code took up 97% of the memory on my Arduino, so I really didn't have room for the HTTP library as well, and in fact I had to cut out some of the other I2C code to actually get it all in. Another big issue is that it's a huge security flaw sending the refresh token and access token without some kind of encryption; there's no TLS on this Arduino. So I think that's something we need to solve: how to do encryption. It's a problem for anything: sending a user ID and password is just as bad, so I don't feel it's any worse with OAuth, but it's a problem that needs resolving. In this scenario I would assume that I'm going to have to have some local security to solve that, working with some kind of Wi-Fi security, since I'm using a Wi-Fi network. One of the challenges here is that OAuth implementations, although they follow the spec, have lots of little options, and in such a small device those options matter. For example, the refresh token can get changed every time you use it. Now I think that's a problem in a device like this, because it has no reliability: I might send out a message saying "please change my refresh token", and then the network dies or something and I never get the new refresh token; now the old one's dead, and it's hard-coded in here, and I haven't had a chance to update it. So there are some challenges with the different OAuth specs, and you need the right settings on those implementations to suit. So I want to make sure that I have a very long lifetime on my refresh token on this device, which might not be appropriate in a mobile phone, where it's easy to get the person to log in and reset it, but on embedded devices it's hard.

The other thing is that some OAuth implementations let you update the scope for a token, but others don't; they just assume "OK, you want a different scope, we're going to kill that token and do that login thing I showed you again". Of course, on embedded devices you don't want that, so for those devices you need to be able to update the scope without changing the token. So I've got my devices in my house, and then suddenly I have a software update and they're doing something different, publishing to a different topic; I need to be able to update the scope without changing the token. I told you this was a bit of a security flaw, the way that I have had it all going through the resource server, which is the MQTT broker; really it should be two brokers, but it's not that big a deal. One of the other challenges is that MQTT is really a pub/sub model, so there's no well-defined way to send just this refreshed token back to just this device. So what I did was create a topic hierarchy with the client ID in it, and I implemented a custom security rule in my security plug-in to say only this device can subscribe to that topic, so only this device is going to get that data. But I feel that there should be some kind of standard model for that, maybe not in the spec itself, but in the general way that people use MQTT.

So the next step: I want to do the same thing for CoAP, the Constrained Application Protocol. The other Arduino, the one that won't work, I was trying to fix my implementation so it did work, but I just ran out of time. I think that little flow with MQTT or with CoAP needs to be defined in the same way: here's how you do a refresh on a different protocol. If anyone's interested in this or has any other ideas on federated security for things, please contact me; I'm interested in collaborating. That's my contact here. Any questions?
We actually have time for questions, maybe just one.

One question. By my watch we have two minutes. If you replace the Arduino with some device that actually has more memory and CPU, would you do proper authentication instead of this?

So I agree, I think that's important, but as far as I know there's no TLS library for Arduino, so I think that needs to be written; if anyone wants to do that, please do, it would be really useful. The other option would be something like the elliptic curve cryptography chips, which are like 40 or 50 cents, which would probably allow you to do it on a really cheap device like this with a microcontroller. So I think it's a balance: either do it in hardware with a shield, and then it's sort of overtaken by improving CPUs; on the other hand, those microcontrollers get cheaper and cheaper, so the ability to do TLS on really, really cheap devices is also useful.

Thank you very much. We have a five-minute break and then we will have the next talk.
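The broker-side check that the talk describes (an MQTT authorization plug-in that asks the IdP's token-introspection endpoint about a bearer token, reads a base64-encoded JSON scope listing the topics the device may publish or subscribe to, and caches the verdict until the token's lifetime runs out) is shown below as an added example. It is not code from the talk, from WSO2 or from Mosquitto: the introspection endpoint is replaced by an in-process stand-in that returns an RFC 7662-style answer, and the tokens, topics, client ID and clock values are constructed sample data.

```python
"""Broker-side bearer-token authorization for MQTT publish/subscribe.

Models the plug-in described in the talk: ask the IdP whether the token is
active, read the JSON scope (base64-encoded, because OAuth scopes are
space-delimited) that lists allowed topics, and cache the result until the
token's expiry so that each publish does not cost an HTTP round trip.
"""
import base64
import json
import time

# Constructed sample data (not from the talk): one live device token and one
# that the IdP reports as inactive.
TOKEN_ISSUED = 1_000_000          # constructed clock value, in seconds
TOKEN_LIFETIME = 3600             # the talk's 60-minute example lifetime
DEVICE_TOKEN = "tok-demo-accelerometer"
DEAD_TOKEN = "tok-demo-revoked"
DEVICE_SCOPE = {
    "publish": ["house/accelerometer"],
    "subscribe": ["house/refresh/device-42"],   # per-client refresh topic
}


def encode_scope(scope: dict) -> str:
    """Pack a JSON scope document into a single space-free scope string."""
    return base64.urlsafe_b64encode(json.dumps(scope).encode()).decode()


def decode_scope(scope_str: str) -> dict:
    """Reverse of encode_scope."""
    return json.loads(base64.urlsafe_b64decode(scope_str.encode()))


def fake_introspect(token: str) -> dict:
    """Stand-in for a POST to the IdP's introspection endpoint (RFC 7662).

    Only the answer's shape matters here: an active flag, the scope string
    and an absolute expiry time. A real plug-in would make an HTTP call.
    """
    if token == DEVICE_TOKEN:
        return {"active": True,
                "scope": encode_scope(DEVICE_SCOPE),
                "exp": TOKEN_ISSUED + TOKEN_LIFETIME}
    return {"active": False}


class BearerTokenAuthorizer:
    def __init__(self, introspect=fake_introspect, clock=time.time):
        self._introspect = introspect
        self._clock = clock
        self._cache = {}              # token -> (scope dict, exp timestamp)
        self.introspection_calls = 0  # lets a caller see the cache working

    def _scope_for(self, token: str):
        now = self._clock()
        hit = self._cache.get(token)
        if hit is not None and hit[1] > now:
            return hit[0]             # still within the cached lifetime
        self._cache.pop(token, None)  # stale entry: never trust beyond exp
        self.introspection_calls += 1
        info = self._introspect(token)
        if not info.get("active") or info.get("exp", 0) <= now:
            return None               # inactive, revoked or already expired
        scope = decode_scope(info["scope"])
        self._cache[token] = (scope, info["exp"])
        return scope

    def allowed(self, token: str, action: str, topic: str) -> bool:
        """action is 'publish' or 'subscribe'; anything else is denied."""
        scope = self._scope_for(token)
        if scope is None:
            return False
        return topic in scope.get(action, [])


class FixedClock:
    """Adjustable clock so the expiry behaviour can be exercised offline."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FixedClock(TOKEN_ISSUED + 5)
    auth = BearerTokenAuthorizer(clock=clock)
    print(auth.allowed(DEVICE_TOKEN, "publish", "house/accelerometer"))
    print(auth.allowed(DEVICE_TOKEN, "publish", "house/refresh/device-42"))
    print("introspection calls:", auth.introspection_calls)
```

The cache is keyed on the token and bounded by the `exp` the IdP returned, so a cached verdict never outlives the token; once the clock passes `exp` the entry is dropped and the next request goes back to the IdP, which is where a revoked token would be caught. Restricting the refresh-response topic to a per-client name (`house/refresh/device-42` here) is the same idea the talk uses so that only that device can subscribe to its own refreshed access token.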