Re: [6tisch] joining security start and end states

[Tom Phinney]

This discussion keeps circling back to a need for some type of private initial binding process between a device that is to be newly introduced to a network and some agent of the network. In ISA100.11a and other industrial protocols, we tend to call that process "provisioning" to keep the terminology distinct from the later "commissioning" process when the device is actually installed in a physical plant and brought actively into the network. In the industrial space the provisioning process often can be performed months in advance, when a device is placed in inventory at a plant site as a usable spare, although when the physical device is itself large -- e.g., a 3 m diameter valve -- initial provisioning is likely to occur as the first phase of installation and commissioning. Consideration of the above scenario makes it clear that the provisioning process needs to communicate one or more site-specific credentials (of some type), in a local temporal and spatially secure manner, that later forms the basis for establishing mutual authentication, even though the identity of the eventual target network for the device may not be determinable at the time that the provisioning process occurs (e.g., when the device is placed in inventory). Rather than go on and on about alternative A) below, perhaps our time would be better spent in focusing on the above-summarized process to find acceptable secure alternatives to alternative A) that can provide the needed basis for subsequent mutual authentication. In other words, I am suggesting a change in focus for this discussion based on the presumption that alternative A) will be seen in the future as always unacceptable. If that is the case, what can we propose as a relatively painless, virtually product-cost-free alternative that all 6TiSCH devices can be required to support. It was in that spirit that I proposed using an LED as a low-sensitivity photodiode (which admittedly is a 2-terminal device, not what I had sleepily misstated as a 3-terminal device), together with a smartphone. The smartphone need not be connected to the target network if it merely serves as an optical relay proxy to convey credentials between a device currently in the network and the new device. Conveying a device credential to a network agent or proxy might be performed simply by having the smartphone scan a QR code on the device or its packaging, then conveying that optically or by RF to the proxy or agent, or by normal WiFi or cell connection to a site JCE. Clearly the above is an inadequate solution as stated, which would require further extension; it is placed on the table only to stimulate thought about how a human agent and a contemporary ubiquitous device such as a smartphone might be used as a short-duration relatively-secure channel between the device and a network proxy. The key element is that, for many IoT devices, it is the human installer or human agent for the site where the device will be installed that is acting as an authenticating intermediary in tying the device-to-be-installed to the site's network(s). -Tom ===== On 2015.05.07 07:20, Thomas Watteyne wrote: Kris, We need a way for people who say "I don't want the hassle of security, and I can't afford a chip with ECC" (e.g. start state A) to still transition to something that is secure after the join process is over. That would be great, but if a node starts from A, I don't see how it can authenticate the network, and the network authenticate the node. I must be missing something. The simplest is B: a node is configured during commisioning with a key, a shared secret withe the JCE. If the node/JCE can challenge each other with that key, they have authenticated each other. Through this mechanism, the JCE can setup all the keying material used during the operational stage of the network. I feel like the above paragraph is generally agreed upon. Thomas On Tue, May 5, 2015 at 6:39 PM, Kris Pister <k...@berkeley.edu> wrote: Let's see if we can get agreement at a high level on what we're trying to do during the joining process. Things that a mote might start with (one or more of): A) nothing B) PSK(s) C) raw public/private key D) certificate(s) from    i) manufacturer/distributor/installer    ii) consortium (e.g. Corner Grocers Alliance)    iii) end user/owner (e.g. Charlie's Market)    iv) desired network(s) Things that a mote might end with: 1) L2 key(s) for MIC (and optionally encryption) 2) DTLS session with JCE if present 3) DTLS session with PCE if present 4) L2 keys for 6top communication to neighbors 5) locally-significant certificate for future joins The mote might start with things in {B, C, D} at manufacture, or by some out of band commissioning step as suggested by Tero and Timothy. The keys that a mote gets in 1 and 4 may all be generated by a single entity (e.g. JCE) or they may be generated locally from one or more Master Keys. Some of the things in the desired end state (like 1 or 5) might have been installed already (like B or D.iv). We need a way for people who say "I don't want the hassle of security, and I can't afford a chip with ECC" (e.g. start state A) to still transition to something that is secure after the join process is over. ksjp _______________________________________________ 6tisch mailing list 6tisch@ietf.org https://www.ietf.org/mailman/listinfo/6tisch _______________________________________________ 6tisch mailing list 6tisch@ietf.org https://www.ietf.org/mailman/listinfo/6tisch

_______________________________________________
6tisch mailing list
6tisch@ietf.org
https://www.ietf.org/mailman/listinfo/6tisch