W3C

- DRAFT -

Security task force

26 Nov 2015

Agenda

See also: IRC log

Attendees

Present
Oliver, Dave, David_Rogers, Edoardo, Tibor, Yingying
Regrets
Chair
Oliver
Scribe
dsr


IoTSF - David Rogers

David introduces the background on the need for IoT security and the launch of the IoTSF.

Introduction to the IoTSF steering committee

The obvious questions, e.g. why yet another standards body?

We don’t intend to be a standards body, and as we are covering so many sectors that would be impractical anyway

Mission: to secure the IoT, aid its adoption and maximise its benefits

We will promote best practices

We are funded by our members.

We’re having a meeting next week to get our work underway

There are lots of news stories around IoT insecurity

What about security certification? There is such a diverse set of mechanisms and standards that this can only be approached on a domain by domain basis

We’re also looking at self declaration - where companies state which standards they conform to

<drogersuk> https://iotsecurityfoundation.org/events/

any questions?

Oliver thanks David for his presentation.

Oliver: so you primarily focus on testing and deal with self certification, right?

David: Companies will be able to do self-testing. We will identify existing standards and practices that we consider necessary, and we will also provide further guidance where we have identified gaps.

Oliver asks about the practical details involved

David shows us the PCI security standards self certification form

see https://www.pcisecuritystandards.org/

This has a list of questions for companies to fill out.

We would expect third party companies to provide services to companies to assist with self certification.

David: OWASP is widely quoted, but doesn’t necessarily provide the level of assurance required

We want to go a lot further than that

David: we would like to reference W3C specifications, and would be very happy to liaise with you. I am happy to act as the contact person for that.

It would be great if W3C could send someone to one of our future meetings.

Oliver: next year would be appropriate, given our schedule for finishing our initial report

David drops off the call

Web of Things Framework Security - Tibor Pardi

Tibor: I am based in the UK and am an open source developer

Tibor introduces the open source project for the web of things at https://github.com/w3c/web-of-things-framework

This is an experimental project at this stage. I am currently the only active developer right now, but hope we will get others later.

I asked to be included to exchange ideas and seek guidelines from security experts.

It would be great to have advice to ensure that the open source work is going in a good direction.

The project explores the use of JSON-LD as a basis for describing the scripting interface for things in terms of properties, actions and events.

This is an event driven design which reduces the dependency across the software modules.

The main part of the framework is the thing module which connects scripts to the transport modules.

We have transport modules for HTTP, WebSockets, CoAP and P2P

We’ve started a security document at https://github.com/w3c/web-of-things-framework/blob/master/security.md

Security is an integral part of the system. This covers authentication, access control, data integrity, device provisioning and secure upgrade, and the use of the ARM TrustZone for managing crypto keys

For authentication, I have used UML to illustrate the 2 types of authentication we need to support.

This includes support for third party authentication servers e.g. OpenID Connect, as well as direct authentication approaches. The resource constraints of low power devices are a challenge and may preclude some approaches.

We may therefore need some WoT specific solutions for low power devices

Our current approach uses ECC and public/private key pairs.

Once the public/private key pair is provisioned (e.g. prior to configuring the device), messages can be secured using AES 128 and 256 symmetric keys

The key exchange solution uses the Diffie-Hellman algorithm.

We are complying with existing standards throughout.

We’re using the open standard security token format - JSON Web Tokens (JWT), as well as JSON Web Signatures, etc.

Tibor shows a UML diagram covering message handling.

At this point I am really keen to get some expert review to ensure that I am on the right track

Some questions include the role of RSA on low power devices, what about Telehash and quantum crypto?

RSA is a big burden and may be too demanding for lower power devices.

See http://telehash.org which describes an encrypted mesh protocol for P2P applications

IBM and Samsung are looking at Telehash so perhaps we should too.

In the long term, there are concerns about quantum computing which could be very disruptive.

Oliver thanks Tibor for an excellent presentation. This is going in the right direction. We should find time for more detailed discussions.

There are some differences in terminology but apart from that we are thinking along the same lines.

Tibor: I only recently became aware of the WoT Security TF and have now joined the IG.

I can update the Github document to align more closely as we proceed.

Oliver: we’ve been working on a technology survey with a view to producing a report. You’ve taken an implementation perspective. We should continue to discuss the details and see opportunities for strong alignment.

I think personally that you are going in the right direction. I too am doing implementation work at Siemens and following a very similar path

We can work towards interoperability testing as we clarify the details.

Oliver: At Siemens, we don’t exclude RSA upfront. On more powerful devices (IETF class 2 and up) RSA is fine. It is too heavy for devices with less power.

Tibor: IoT gateways will be sufficiently powerful to support RSA

Dave: Oliver, perhaps we can discuss opportunities around security for the January plugfest?

Tibor: I will try my best to come to Nice and am working on Beaglebone and Raspberry Pi, and would expect to present these

Oliver: let’s try to make that work out
... let me talk about the recipe we’re working on

Dave: let’s get all of these slides on the WoT IG wiki

Oliver presents some slides on a proposal for security enabling WoT for the January plugfest

Oliver: we want to initially showcase DTLS and TLS.

We want to adopt the IETF ACE WG architectural model

This includes clients, resource servers, authorization managers and authorisation servers.

We want to reuse things like OAuth and JWT, along with self-contained security tokens (to avoid additional round trips)

We thus want to employ a 4 corner model

The client only needs to know about the application manager, not the application server.

We (Siemens) are preparing a how-to document

There isn’t a lot of time though until the face to face.

Oliver asks Tibor for his comments

Tibor: I would be happy to collaborate as few people are as yet aware of the W3C framework

Are the AM and AS components accessed via Siemens proprietary protocols?

Oliver: no, we’re using OAuth and open source components.

We’ve had to tune the protocols a bit

The client is completely standard compliant and lightweight

We’re looking for low effort solutions involving one or two person weeks

Tibor: what are you thinking in terms of the client component?

Oliver: the client could be a laptop and the server an ARM based IoT board

Some of the clients were JavaScript based and running in web browsers.

Tibor: this should be okay as we have a lot of modules in the project

Oliver: the complexity is mostly on the server (servient) component

There are some tables on the Sapporo face to face plugfest materials.

I will try to find some time to get back to you with more detailed comments on the Github project in the next few days.

Oliver: I got back to the T2TRG with some comments. I am focusing on the plugfest.

We also want direction from the IG on the overall report structure and length.

[today is Thanksgiving so not everyone could join]

Dave: Looking forward to progress towards switching to Github for the security report.

Oliver: AOB?
... end of meeting …

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2015/11/26 14:30:45 $
