Hi All,
As per the Security specification, Device Provisioning is a step whereby "device ownership" is enforced by provisioning "credentials" and "access control lists" in the new device. One of the Device Provisioning methods which the OIC Security TG intends to support within the IoTivity framework is "Just Works". This method is mainly suitable for devices which do not have any kind of display or keyboard interface. It is similar to Bluetooth Secure Simple Pairing's Just Works <http://en.wikipedia.org/wiki/Bluetooth#Pairing> mechanism. The "Just Works" mechanism is implemented by initiating a Diffie-Hellman key exchange between two devices to arrive at a shared secret and then using the derived shared secret to encrypt data transfer between the two devices. After consultation within the OIC Security TG, Woochul and his team added support for the TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite within the "tinydtls" library. Since this is an anonymous TLS key exchange without authentication, there is always a risk of a Man In the Middle (MITM) attack. We have requested the tinydtls author to accept our patch <http://sourceforge.net/p/tinydtls/tickets/17/>, but we have not received any feedback yet. This patch was reviewed in IoTivity Gerrit Review 407 <https://gerrit.iotivity.org/gerrit/#/c/407/> by the IoTivity security team. Since this cipher suite is the basic building block for the "Just Works" mechanism, we need it to be checked in to the "secure-M3" branch so that developers can continue working on other aspects of the "Just Works" feature. Delay in merging this feature will cause subsequent delays in releasing other security features (Access Control, Device Authentication etc.) within the IoTivity framework. But we also want to avoid forking tinydtls by diverging a lot from the upstream repo. So we are requesting guidance from the IoTivity Maintainers/Sub-Maintainers on how the security team can move forward in this situation.
Thanks,
Sachin
503-264-8071
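The handshake the message describes, as an added illustration that is not part of the thread or of tinydtls: two parties complete an anonymous Diffie-Hellman exchange and derive an AES-128 sized key, and the same exchange is repeated with a relaying third party to show why an unauthenticated suite carries the MITM risk the message points out. The group parameters, the `just-works` info label and the HKDF step are constructed for this example (a toy finite-field group stands in for the ECDH used by the real cipher suite).

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group, constructed for illustration only.
# 2**127 - 1 is prime but far too small for real use; tinydtls uses ECDH.
P = 2**127 - 1
G = 5

def dh_keypair():
    """Return (private exponent, public value) for one side."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Shared secret as 16 big-endian bytes (values are below 2**127)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def hkdf_sha256(ikm, info, length=16):
    """HKDF (RFC 5869) with an all-zero salt, yielding an AES-128 sized key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def anon_handshake():
    """Honest case: both sides exchange public values and derive one key.
    Nothing in the transcript proves who either party is."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = hkdf_sha256(dh_shared(a_priv, b_pub), b"just-works")
    key_b = hkdf_sha256(dh_shared(b_priv, a_pub), b"just-works")
    return key_a, key_b

def relayed_handshake():
    """Failure mode named in the message: a relaying party substitutes its own
    public value toward each side. Both endpoints finish 'successfully' and
    see nothing unusual, because the suite authenticates nobody. Returns
    (key_a, key_b, key_relay_with_a, key_relay_with_b)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    key_a = hkdf_sha256(dh_shared(a_priv, m_pub), b"just-works")
    key_b = hkdf_sha256(dh_shared(b_priv, m_pub), b"just-works")
    key_m_a = hkdf_sha256(dh_shared(m_priv, a_pub), b"just-works")
    key_m_b = hkdf_sha256(dh_shared(m_priv, b_pub), b"just-works")
    return key_a, key_b, key_m_a, key_m_b
```

The second function is why the message stresses that the anonymous suite is only a building block: confidentiality is established with whoever answers, so ownership has to be bound by the surrounding provisioning steps rather than by the cipher suite itself.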
