
The Principles of IoT Security A Hands-on Course

The Principles of IoT Security A Hands-on Course. Class 4 : Network Security. February 2, 2017 Charles J. Lord, PE President, Consultant, Trainer Blue Ridge Advanced Design and Automation. This Week’s Agenda. 1/30 Intro to IoT Security 1/31 Hardware Security Challenges 2/1 Data Security


Presentation Transcript


  1. The Principles of IoT Security: A Hands-on Course. Class 4: Network Security. February 2, 2017. Charles J. Lord, PE, President, Consultant, Trainer, Blue Ridge Advanced Design and Automation

  2. This Week’s Agenda • 1/30 Intro to IoT Security • 1/31 Hardware Security Challenges • 2/1 Data Security • 2/2 Network Security • 2/3 Other Security Issues in the IoT

  3. This Week’s Agenda • 1/30 Intro to IoT Security • 1/31 Hardware Security Challenges • 2/1 Data Security • 2/2 Network Security • 2/3 Other Security Issues in the IoT

  4. IoT Network Security • Commissioning and decommissioning • Device Authentication • Network Authentication • Channel Security • IPsec • SSL, SSH • WEP / WPA • Others

  5. Commissioning • Depending on the protocol used, commissioning can be one of the ‘big challenges’ of IoT nodes • Many approaches • Manual configuration • Hardwired • NFC or BT commissioning • Wired (typically USB)

  6. Manual configuration • Network ID set by DIP switches or pin jumpers • X-10 • Garage Door Openers • Expensive to make • Failure prone • Mechanical failure / contamination • User failure • Question 1 – Other devices that used DIP switches for configuration?

  7. Hardwired • Cheapest to make – device has a hardwired ID • Typically based on the MAC address • Gateway or local network controller must be programmed to accept this new ID in network • Easy to clone, particularly in 802.11x • Wi-Fi access point example

  8. NFC or BT commissioning • “ease of use” • There’s an app for that • Great way to sell NFC hardware • BT has to be distance sensitive • Can be easy to clone, depending on security of commissioning app

  9. Wired • Plugs into PC (or tablet with correct cable) • Can use sophisticated authentication (or not) • Requires USB port • Drivers can be an issue • A lot of PC / Mac / Linux / iOS / Android to maintain • USB ports are notorious dirt magnets

  10. Decommissioning • Network alarms on device disappearance • In mesh networks – what if device was a router? • How does the absence affect the network? • Alarm sensor • Temp sensor for thermostat • Medical sensor • How to remove network memory from device

  11. Device Authentication • ACL (access control list) – ‘login’ • Network ID • Known to network? • Multi-level authentication • ACL plus a challenge key • Fixed vs dynamic network configuration • Must guard against cloning or spoofing • Question 2 – Other ways a device may authenticate?

  12. Network Authentication • “Am I in the right place?” • Anti-spoofing or anti-phishing • PKI certificate authority • RSA • Reverse ACL
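The "ACL plus a challenge key" idea from slide 11 and the "Am I in the right place?" check from slide 12, as an added example that is not part of the original course material. The `Gateway` class, the `respond` helper, the role tags and the choice of HMAC-SHA256 with a per-device key are assumptions made for illustration; the device ID and keys are constructed sample values.

```python
import hmac
import secrets

def respond(key, role, nonce):
    """Prove possession of the per-device key without transmitting it."""
    return hmac.new(key, role + nonce, "sha256").digest()

class Gateway:
    def __init__(self, acl):
        self.acl = acl        # network ID -> per-device key (hypothetical store)
        self.pending = {}     # network ID -> outstanding one-time nonce

    def challenge(self, dev_id):
        """Level 1, the ACL: an unknown ID gets no challenge."""
        if dev_id not in self.acl:
            return None
        self.pending[dev_id] = secrets.token_bytes(16)
        return self.pending[dev_id]

    def verify(self, dev_id, response):
        """Level 2, the challenge key. The nonce is consumed, so replays fail."""
        nonce = self.pending.pop(dev_id, None)
        if nonce is None:
            return False
        expected = respond(self.acl[dev_id], b"device", nonce)
        return hmac.compare_digest(expected, response)

    def prove(self, dev_id, device_nonce):
        """Network authentication: answer the device's own challenge."""
        return respond(self.acl[dev_id], b"gateway", device_nonce)

def demo():
    dev_id, key = "00:11:22:33:44:55", secrets.token_bytes(32)  # constructed
    gw, out = Gateway({dev_id: key}), {}
    captured = respond(key, b"device", gw.challenge(dev_id))
    out["genuine"] = gw.verify(dev_id, captured)
    gw.challenge(dev_id)                           # fresh nonce issued
    out["replayed"] = gw.verify(dev_id, captured)  # old answer, new nonce
    guess = respond(secrets.token_bytes(32), b"device", gw.challenge(dev_id))
    out["cloned_id_only"] = gw.verify(dev_id, guess)
    out["unknown_id"] = gw.challenge("66:77:88:99:aa:bb") is not None
    n = secrets.token_bytes(16)                    # device challenges the gateway
    out["real_gateway"] = hmac.compare_digest(
        gw.prove(dev_id, n), respond(key, b"gateway", n))
    rogue = Gateway({dev_id: secrets.token_bytes(32)})  # spoofed, wrong key
    out["rogue_gateway"] = hmac.compare_digest(
        rogue.prove(dev_id, n), respond(key, b"gateway", n))
    return out

print(demo())
```

The separate `b"device"` and `b"gateway"` role tags keep a response computed in one direction from being reflected back as a valid answer in the other.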

  13. Channel Security How do we protect our data packets? • IPsec • SSL • SSH • TLS • DTLS • Tunneling / Encapsulation

  14. IPsec • Internet Protocol Security • Operates at the Network layer (#3) • Authenticates and encrypts each IP packet • Establishes mutual authentication between agents at the beginning of the session • Negotiates cryptographic keys to be used during the session.

  15. Authentication Header

  16. Encapsulating Security Payload

  17. More on IPsec • Crypto includes: • Hashing, including SHA-1 and SHA-2 • AES-CBC • AES-GCM • 3DES • Typically works in “Transport Mode” • Payload is encrypted • Routing is not encrypted, but the Authentication Header keeps the packet from being mis-routed (e.g. port change)

  18. SSL • Secure Sockets Layer • Works at the Session Layer (#5) • Establishes a secure link between two points in a network • Public Key Certificates • Incorporated in and replaced by TLS

  19. SSH • Secure Shell • Works at the Application Layer • Origin in BSD Unix • Encrypts application-level data throughout all layers from point to point • Often used for login to remote systems • Typically uses TCP port 22

  20. TLS • Replacement of SSL • Covers both transport and session layers • Current version 1.2 (RFC 5246) • Supports many public key standards from basic AES through 3DES and many ellipticals • Supports both block cipher and stream cipher • Works with TCP

  21. DTLS • Datagram Transport Level Security • Can cover from transport to application levels • Derived from TLS streaming mode • Supports UDP packets • Less overhead than TLS while providing protection for the payload (datagram) • Popular in IoT with CoAP • Question 3 – CoAP stands for? And does what?

  22. Tunneling / Encapsulation • Can be part of IPsec • Both payload and routing headers are encrypted and are the new payload • Can support one protocol over another (IPv6 over IPv4, IPv6 over PAN, etc) • Basic mechanism for VPNs

  23. What to Use? • Again, the security level will dictate, as well as the topology and exposure to attack or eavesdropping • Does the discovery of who is talking to whom matter? • How secure does the data have to be? • What algorithms are • Available as either software or hardwired • Within the processor’s abilities? • Tomorrow – we sum it all up!

  24. This Week’s Agenda • 1/30 Intro to IoT Security • 1/31 Hardware Security Challenges • 2/1 Data Security • 2/2 Network Security • 2/3 Other Security Issues in the IoT

  25. Please stick around as I answer your questions! • Please give me a moment to scroll back through the chat window to find your questions • I will stay on chat as long as it takes to answer! • I am available to answer simple questions or to consult (or offer in-house training for your company) • c.j.lord@ieee.org • http://www.blueridgetechnc.com • http://www.linkedin.com/in/charleslord • Twitter: @charleslord • https://www.github.com/bradatraining
