Device Authorization using OAuth2 and OpenAM

This blog post was first published @ identityrelationshipmanagement.blogspot.co.uk, included here with permission.

IoT and smart-device style use cases often require authorizing a device to act on behalf of a user. Common examples are smart TVs, home appliances and wearables that are powerful enough to communicate over HTTPS and will often access services and APIs on the end user's behalf.

How can that be done securely, without sharing credentials? OAuth2 can come to the rescue. Whilst not part of the ratified standard, several of the OAuth2 IETF drafts describe how this can be achieved using what's known as the "Device Flow". This flow leverages the same components as the other OAuth2 flows, with a few subtle differences.

Firstly, the device generally does not have a UI capable of decent human interaction, such as logging in or authorizing a consent request. So the consent step needs to be handled on a different device that does have standard UI capabilities. The concept is to have the device trigger a request, then pass the authorization process off to the end user on a different device, which basically means accessing a URL to "authorize and pair" the device.


From an OpenAM perspective, we create a standard OAuth2 (or OIDC) agent profile with the necessary client identifier and secret (or JWT config) and the necessary scope. The device starts the process by sending a POST request to the /oauth2/device/code endpoint, with arguments such as the scope, client ID and nonce in the URL. If the request is successful, the response is a JSON payload containing a verification URL, a device_code and a user_code.
The end user views the URL and code (or is perhaps notified via email or app) and, on a separate device, goes to that URL to enter the code.
This triggers the standard OAuth2 consent screen, showing which scopes the device is trying to access.
Once approved, the end user dashboard in the OpenAM UI shows the authorization, which importantly can be revoked at any time by the end user to "detach" the device.


Once authorized, the device can call the ../oauth2/device/token? endpoint with the necessary client credentials and device_code to receive the access and refresh token payload, or an OpenID Connect JWT token as well.


The device can then start accessing resources on the user's behalf, until the user revokes the bearer token.
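To make the exchange above concrete, here is an added, self-contained Python model of both halves of the device flow: the authorization server (the role OpenAM plays) and the calls a device makes against it. It is example code written for this post, not OpenAM's implementation and not the DeviceEmulator code. The two endpoint paths mirror the post; the parameter names (`device_code`, `user_code`, `interval`), the error codes (`authorization_pending`, `slow_down`, `expired_token`, `access_denied`), the verification URL, the code lifetime and the poll interval are assumptions taken from the IETF device-flow draft rather than from OpenAM's exact wire format. It also goes one step past the text by modelling the failure modes a server has to handle: a device polling too fast, a code that expires before the user gets to it, a user who declines consent, and revocation from the dashboard "detaching" the device.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory model of the OAuth2 Device Flow. Endpoint paths mirror the
# post; parameter/error names follow the IETF device-flow draft and are ASSUMPTIONS
# about OpenAM's exact wire format. Nothing here talks to a real OpenAM instance.
VERIFICATION_URL = "https://openam.example.com/openam/oauth2/device/user"  # assumed
DEVICE_CODE_TTL = 600      # seconds the pairing window stays open (assumed)
POLL_INTERVAL = 5          # minimum seconds between token polls (assumed)
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # short, typeable, no look-alike glyphs


class ManualClock:
    """Injectable clock so expiry and poll-rate checks can be exercised offline."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str
    user_code: str
    created_at: float
    status: str = "pending"        # pending | approved | denied
    user: str = ""
    last_poll: float = float("-inf")


class DeviceAuthorizationServer:
    """The authorization-server half of the flow (what OpenAM does)."""

    def __init__(self, clients, clock=time.time):
        self.clients = clients         # client_id -> client_secret (the agent profile)
        self.clock = clock
        self.grants = {}               # device_code -> DeviceGrant
        self.by_user_code = {}         # user_code   -> device_code
        self.tokens = {}               # access_token -> {user, client_id, scope}

    def _expired(self, grant):
        return self.clock() - grant.created_at > DEVICE_CODE_TTL

    def _forget(self, grant):
        self.grants.pop(grant.device_code, None)
        self.by_user_code.pop(grant.user_code, None)

    # POST /oauth2/device/code?client_id=...&scope=...   (the device starts here)
    def device_code(self, client_id, scope):
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        grant = DeviceGrant(
            client_id=client_id, scope=scope,
            device_code=secrets.token_urlsafe(32),   # high entropy, never shown to a human
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            created_at=self.clock())
        self.grants[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant.device_code
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_url": VERIFICATION_URL,
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    # Consent screen in the user's own browser: the logged-in user types the user_code
    # and approves or declines the listed scope. Unknown, used or expired codes are
    # refused so a stale code cannot be bound to a session after the fact.
    def consent(self, user_code, user, approved):
        grant = self.grants.get(self.by_user_code.get(user_code))
        if grant is None or self._expired(grant) or grant.status != "pending":
            return {"error": "invalid_user_code"}
        grant.status = "approved" if approved else "denied"
        grant.user = user
        return {"client_id": grant.client_id, "scope": grant.scope, "status": grant.status}

    # POST /oauth2/device/token with client credentials + device_code (the device polls here)
    def device_token(self, client_id, client_secret, device_code):
        if self.clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}     # unknown, already used, or another client's
        if self._expired(grant):
            self._forget(grant)
            return {"error": "expired_token"}
        now = self.clock()
        too_fast = now - grant.last_poll < POLL_INTERVAL
        grant.last_poll = now
        if too_fast:
            return {"error": "slow_down"}
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        self._forget(grant)                         # device_code is single-use either way
        if grant.status == "denied":
            return {"error": "access_denied"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant.user, "client_id": client_id, "scope": grant.scope}
        return {"access_token": access_token, "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600, "scope": grant.scope}

    # What a resource server asks before honouring a bearer token; None once revoked.
    def introspect(self, access_token):
        return self.tokens.get(access_token)

    # End-user dashboard action: "detach" the device by revoking every token it holds.
    def revoke(self, user, client_id):
        doomed = [t for t, i in self.tokens.items() if i["user"] == user and i["client_id"] == client_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


if __name__ == "__main__":
    clock = ManualClock()
    server = DeviceAuthorizationServer({"smart-tv": "tv-secret"}, clock)   # constructed client
    start = server.device_code("smart-tv", "profile email")
    print("show the user:", start["verification_url"], start["user_code"])
    print(server.device_token("smart-tv", "tv-secret", start["device_code"]))   # pending
    clock.t += POLL_INTERVAL
    server.consent(start["user_code"], "alice", approved=True)
    token = server.device_token("smart-tv", "tv-secret", start["device_code"])
    print("paired as", server.introspect(token["access_token"])["user"])
    server.revoke("alice", "smart-tv")
    print("after revoke:", server.introspect(token["access_token"]))
```

Two design points worth noting: the `device_code` is the secret the device holds and is never displayed, while the short `user_code` only needs to be unguessable within its few-minute lifetime, which is why it is bound to a pending grant and rejected once used or expired; and the device code is consumed on the first terminal response, so a token cannot be minted twice from one pairing.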

NB – this OAuth2 flow is only available in the nightly OpenAM 13.0 build.

DeviceEmulator code that tests the flows is available here.

techUK: Securing the IoT – Workshop Review

This week saw the techUK host a workshop on securing the Internet of Things and overcoming the risks associated with an increasingly connected world. The event (#IoTSecurity) attracted a variety of speakers from the public and private sector and brought about some interesting topics and further questions on this ever changing landscape.

Embedded Device and Host Device Life Cycle Disparity

Stephen Pattison from ARM introduced the event and brought up an interesting view of the challenge of keeping IoT devices up to date, whether with firmware, software or hardware improvements.  He observed there is often a disparity in life span between the small, inexpensive sensor, actuator or controller type components and the host device.  For example, a car may last 15 years, whilst a tracking component may last 36 months.  The rip-and-replace nature of general consumerism has subtle issues with respect to the IoT landscape, where the re-provisioning of new embedded devices, or the improvement of existing ones, is often overlooked.

IoT Security Issues versus Opportunities

Duncan Brown, European Security Research Director at IDC, outlined some of the key problems facing the IoT landscape from a security perspective.  The main factors contributing to the security issue can basically be broken down into the number of physical devices and the amount of data those devices generate.  The sheer volume of connected devices opens up a new attack vector, with the network these devices operate on often only being as secure as its weakest link.  That weakest link is often a low-powered and poorly protected device, which allows a land-and-expand pivot style attack that, if successful, can quickly lead to attacks on more powerful computing resources.  The second main factor is the yottabytes (a trillion terabytes!) of data that IoT-related devices are capable of collecting.  That data needs to be protected in transit and at rest, with transparent access control and sharing protocols applied.  These issues are, of course, now opening up new sub-industries in which security assessments, device certifications, software audits and consultancy practices can provide services.

As with many consumer-related interactions, IoT also creates an 'elastic security compromise': you seemingly can only have two out of enjoyable user experience, low risk and low cost.

Indirect Attacks

David Rogers, CEO of Copper Horse Solutions, with his specialism in mobile security, focused on describing how some of the challenges facing telco operators over the last 10 years can now be applied to the IoT space. With many newly manufactured cars going to contain SIM technology by 2017, the attack vector, data collection and data sharing aspects of driving will increase substantially.  David made a subtle observation with respect to how IoT attacks could develop.

Whilst many laugh at the prospect of their digital fridge or washing machine being hacked as a gimmick, the net result of a large-scale attack on home automation isn't necessarily placing the immediate home owner as the victim.  The attacker in this case could well be targeting the insurance market, which would face a deluge of claims if, for example, washing machines suddenly flooded.

Privacy Challenges

Sian John, Security Strategist at Symantec, then focused on the IoT standards and privacy landscape. She argued that IoT is in fact rapidly becoming the 'Internet of Everything', where increased connectivity is being applied to every aspect of everyday life.  Whilst this may deliver better service or more convenient experiences, it also opens up new security vulnerabilities and issues with regard to consumer data privacy.  Whilst the IoT ecosystem is clearly focused on physical devices, Sian argued that there is in fact a triad of forces at work: namely people, things and data (albeit I prefer 'people, data and devices...').  Often the weakest link is the people aspect: people are often concerned about personal data privacy, but don't have the knowledge or understanding of terms and conditions, consent questions or device configuration.

Sian also pointed out that many consumers have a deep distrust of both technology vendors and social network operators when it comes to personal data privacy.

Overall, it seemed the discussions were focused on the need for a strong and varied security ecosystem that can cover the entire 'chip to cloud' life cycle of IoT data, where the identity of both the devices and the people associated with those devices is strongly managed.

By Simon Moffatt


Zero Trust and the Age of Global Connectivity

Global connectivity is omnipresent when it comes to smart phones and tablets.  It's not so much a case of looking for a power adapter when on the road; it's constantly about 3G and 4G signal strength or the availability of contract hotspot wifi services.  However, global connectivity has also had a profound impact on enterprises.  There is no longer a rudimentary partitioning of network infrastructure into public and private areas.  The firewalls of old have been replaced by application firewalls, data loss prevention operations and advanced tracing, tracking and event monitoring.  The internal 'trusted' network no longer exists.  Employees often pose the biggest threat to information assets, even though they are trusted with legitimate accounts on protected internal machines.

Zero Trust as a New Model

Zero Trust is a recent security approach that looks to move away from network segmentation and focus more on data and resources and who can access them, when and from where.  This helps to remove the antiquated approach of being on trusted ground, which often creates a single point that malware and hackers can focus upon.  Defining more context around individual information assets or services allows those resources to be opened up to globally connected devices, whilst securing access based on the who, where and why and not just network location.  Access is permitted on the traditional 'need to know' basis, whilst being under continual review.  This requires all access to start from a minimal (if not non-existent) level, with every connection being tracked and monitored.

Internet of Things & Modern Connectivity

I wrote recently of Protection & The Internet of Things and how, with the proliferation of previously 'dumb' devices enriching the Internet, comes a need for increased security context and reliance on the identity of things.  By extending a 'zero trust' model to this brave new world of increased interconnectedness, we can start to see the benefits of things like personalised search results, personalised home and environment settings, dynamic ordering and choice removal.  All devices, services and assets should start from a place of zero access, with trust relations being built between identities and data, which the devices can help bridge and connect.

Zero Trust or Zero Protection?

But should the assumption be of zero trust or zero protection?  Many penetration testing organisations and web security auditors promote the message that an organisation will be hacked at some point, so it's advisable to put recovery plans in place.  By focusing simply on prevention, an organisation can be opened up to irreversible damage if a breach were to occur.  So, do we take that approach to all services, devices and identities?  Perhaps.  With the increased number of services, APIs, identity providers and data being created and consumed, existing models for security relationships are open to many potential failures that could impact the Confidentiality, Integrity and Availability paradigm of traditional security.  Do we follow a zero trust model, or simply say, well, my phone will be hacked at some point, so I will not rely on it so explicitly?  Time will tell.

By Simon Moffatt


Protection & The Internet of Things

The 'Internet of Things' is one of the technical heatwaves that has genuinely got me excited over the last 24 months or so.  I've been playing with computers since I was 8 and like to think of myself as being pretty tech-savvy.  I can code in a number of languages, understand different architectural approaches easily and pick up new technical trends naturally.  However, the concept of the truly connected world with 'things' interconnected and graphed together, is truly mind blowing.  The exciting thing for me, is that I don't see the outcome.  I don't see the natural technical conclusion of devices and objects being linked to a single unique identity, where information can flow in multiple directions, originating from different sources and being made available in contextual bundles.  There is no limit.



There'll be No 'Connected', Just 'On'

Today we talk about connectivity, wifi hotspots and 4G network coverage, and the powerful difference between being on and off line.  As soon as you're off line, you're invisible: lost, unable to get the information you need or to interact with your personal and professional networks. This concept is slowly dying.  The 'Internet' is no longer a separate object that we connect with explicitly.  Very soon, the internet will be so intrinsically tied to us that without it, basic human interactions and decision making will become stunted.  That is why I refer to objects just being 'on' - or maybe just 'being', but that is a little too sci-fi for me.  Switching an object on, or purchasing it, enabling it, checking in to it, will make that device become 'smart' and tied to us.  It will have an IP address and be able to communicate, send messages, register, interact and contain specific contextual information.  A simple example is the many running shoe companies that now provide GPS, tracking and training support information for a new running shoe.  That information is specific to an individual, centrally correlated and controlled, and then shared socially to allow better route planning and training techniques to be created and exchanged.


Protection, Identity & Context

But what about protection?  What sort of protection?  Why does this stuff need protecting in the first place? And from what?  The more we tie individual devices to our own unique identity, the more information, services and objects we can consume, purchase and share.  Retailers see the benefit in being able to provide additional services and contextual information to a customer, as it makes them stickier to their brand.  The consumer and potential customer receives a more unique service, requiring less explicit searching and decision making.  Everything becomes personalised, which results in faster and more personalised acquisition of services and products.

However, that information exchange requires protection.  Unique identities need to be created - either for the physical person, or for the devices that are being interacted with.  These identities will also need owners, custodians and access policies that govern the who, what and when of interactions.  The running shoe example may seem unimportant, but apply that logic to your fridge - it seems great to be able to manage and monitor the contents of your refrigerator.  Automatic ordering and so on seems like a dream.  But how might that affect your health insurance policy?  What about when you go on holiday and don't order any food for 3 weeks?  Ideal fodder for a burglar.  The more we connect to our own digital persona, the more those interactions need authentication, authorization and identity management.

Context plays an important part here too.  Objects - like people in our own social graphs - have many touch points and information flows.  A car is a simple example.  It will have a manufacturer (who is interested in safety, performance and so on), a retailer (who is interested in usage and ownership years), the owner (perhaps interested in servicing and crash history) and then other parties such as governments and police.  Not to mention potential future owners and insurance companies.  The context an interacting party comes from will obviously determine what information they can consume and contribute to.  That will also need managing from an authorization perspective.


Whilst the 'Internet of Things' may seem like buzz, it has a profound impact on how we interact with physical, previously inanimate objects.  As soon as we digitize and contextualize them, we can reap significant benefits when it comes to implicit information searching and tailor-made services.  But, for that to work effectively, a correct balance with identity and access control needs to be found.

By Simon Moffatt

Image courtesy of http://www.sxc.hu/photo/472281

