[dev] Security in IoTivity

2016-12-26 Thread Prakash Karthikeyan
Thanks,
Karthikeyan Prakash.

On Mon, Dec 26, 2016 at 10:59 AM, Gregg Reynolds  wrote:

>
>
> On Fri, Dec 23, 2016 at 6:58 PM, Heldt-Sheller, Nathan <
> nathan.heldt-sheller at intel.com> wrote:
>
>> I think this question was already answered by Prakash on Tuesday 12/20,
>>
>
> I'm not entirely sure, because the Spec is not exactly a paragon of
> clarity, but my view is that Prakash's answer was incorrect.  Or at least
> unclear.  He said:
>
> "IoTivity Secured Servers can be discovered by any Secured Clients. There
> is nothing like authorization to check whether it is authenticated device."
>
>

> To be honest, I am not at all sure what that means, but I'm pretty sure
> it's wrong.  To me, "secured" means exactly that encryption,
> authentication, and authorization are enabled.  (But "secured" is used very
> loosely in IoTivity, so who knows?)  "Secured Servers" and "Secured
> Clients" is pretty close to meaningless, since the obvious next question is
> "Secured how, and for what?".  A credentialed client that is not granted
> permission to read/discover resource "foo" by the server's ACL is still a
> "Secured Client".
>

This process, as I mentioned, is only on the initial setup of the Client and
Server communication. In IoTivity it is mentioned as the Ownership Transfer,
which happens after the discovery part. Initially the Client discovers all
the servers which hold the Owned=False credential, and they can be discovered by
any of the clients. After the server is done with OT, the ACL comes into the
picture. Once the OT is done, the server holds the credentials about the
clients which are granted permission to discover. My reply was intended for
the particular question and not generalised.

The

>
> The Security spec v. 1.1.1 says, on page 26:
>
> "To achieve extensibility and scalability, this specification does not
> provide a mandate on discoverability of each individual resource.
> Instead, the OIC server, holding the resource will rely on ACLs for each
> resource to determine if the requester (the client) is authorized to see/
> handle any of the resources."
>
> The problem (IMO) is that the specs are rather poorly written.  Or maybe
> "very poorly written" would be more honest. g.
>
> The critical point is that "discovery" is not an OCF operation.  It's
> something you do with GET and multicasting, and creds, and ACLs, just like
> any other resource action.  See p. 100 of the security spec, which includes
> "discover" in the "R" access policy - to allow discovery, your ACL must
> include that, AFAIK.  There is not, to my knowledge, anything in the Spec
> that addresses discovery as distinct from GET etc.  So the discoverability
> of resources is subject to the same security constraints as any others,
> which means in particular - to address the OP's question - that it is not
> the case that "any client capable of discovering whatever device running
> the stack".  Since a "device" is just a resource, like any other.
>
> HTH
>
> gregg
>
> ___
> iotivity-dev mailing list
> iotivity-dev at lists.iotivity.org
> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
>
>
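The two readings above (Prakash: an unowned server answers /oic/sec/doxm?Owned=FALSE to any client until ownership transfer is done; Gregg: once owned, discovery is just a GET subject to the ACL's "R" permission) can be put side by side in a small model. This is an added illustration written for this thread, not IoTivity code: the CRUDN bits follow the OCF ACL permission bitmask, while the hrefs, client IDs, the `ANY_SUBJECT` wildcard spelling and the `Server`/`AclEntry` classes are constructed for the example.

```python
"""Toy model of OCF/IoTivity-style discovery gated by per-resource ACLs."""
from dataclasses import dataclass, field

CREATE, READ, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16   # OCF CRUDN permission bits
ANY_SUBJECT = "*"   # constructed: an ACE that applies to every credentialed client


@dataclass
class AclEntry:
    subject: str        # client device ID, or ANY_SUBJECT
    resources: tuple    # hrefs this entry covers
    permission: int     # CRUDN bitmask


@dataclass
class Server:
    owned: bool                                  # the doxm "owned" state
    resources: tuple                             # application resources hosted here
    creds: set = field(default_factory=set)      # clients holding a credential (DTLS key) with us
    acl: list = field(default_factory=list)      # access control entries provisioned at OT

    def discoverable_by(self, client_id):
        """Hrefs a client would see in this server's discovery response.

        Unowned servers answer /oic/sec/doxm?Owned=FALSE to anyone, so an
        onboarding tool can find them and start ownership transfer. Once owned,
        a client first needs a credential to open the secure session at all,
        and then sees an href only if an ACE grants it READ ("R", which covers
        discovery) on that href. Being credentialed is not the same as being
        authorized: a client with a credential but no READ grant sees nothing.
        """
        if not self.owned:
            return ["/oic/sec/doxm"]
        if client_id not in self.creds:
            return []   # no credential: the DTLS handshake fails, nothing is revealed
        visible = []
        for href in self.resources:
            if any(ace.subject in (client_id, ANY_SUBJECT)
                   and href in ace.resources
                   and ace.permission & READ
                   for ace in self.acl):
                visible.append(href)
        return visible


def make_sample_server(owned=True):
    """Constructed sample: two resources, two credentialed clients, two ACEs."""
    server = Server(owned=owned, resources=("/a/light", "/a/thermostat"))
    server.creds.update({"client-A", "client-B"})
    server.acl.append(AclEntry("client-A", ("/a/light",), READ | UPDATE))
    # UPDATE alone does not include discovery: client-B is credentialed and has
    # an ACE, yet the thermostat never shows up in its discovery result.
    server.acl.append(AclEntry("client-B", ("/a/thermostat",), UPDATE))
    return server


if __name__ == "__main__":
    for client in ("client-A", "client-B", "stranger"):
        print(client, "vs owned server ->", make_sample_server().discoverable_by(client))
    print("anyone vs unowned server ->",
          make_sample_server(owned=False).discoverable_by("anyone"))
```

The model keeps the three checks separate on purpose (owned state, credential, ACE with READ) because that is the order in which a real server can fail a request, and it is the distinction between "secured" and "authorized" that the thread is arguing about.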



[dev] Security in IoTivity

2016-12-20 Thread Prakash Karthikeyan
Welcome ! :)

Thanks,
Karthikeyan Prakash,
Software Engineer,



On Tue, Dec 20, 2016 at 1:52 PM, Khaled Elsayed 
wrote:

> Thanks a lot for the informative reply. This is a useful set of documents.
>
>
> On Tue, Dec 20, 2016 at 10:18 AM, Prakash Karthikeyan <
> prakash.karthikeyan at smartron.com> wrote:
>
>> Hi Kaled,
>>
>> Please find replies In-line.
>>
>> Thanks,
>> Karthikeyan Prakash,
>> Software Engineer,
>>
>>
>>
>> On Tue, Dec 20, 2016 at 12:55 PM, Khaled Elsayed 
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to gather some information on the security features in
>>> iotivity. I know DTLS is used, but is there anything like authorization
>>> from devices when they are discovered? Is any client capable of discovering
>>> whatever device running the stack? Is there a document that explains
>>> iotivity security with some good details?
>>>
>>
>> IoTivity Secured Servers can be discovered by any Secured Clients. There
>> is nothing like authorization to check whether it is an authenticated device.
>> The next step after discovery is OT (Ownership Transfer). This Document (
>> https://openconnectivity.org/wp-content/uploads/2016/01/Habib-Virji.pdf)
>> can provide you details about overall architecture and building/running
>> samples.
>>
>> http://events.linuxfoundation.org/sites/events/files/slides/
>> LinuxConEU2015_IoTivitySecurity_0.pdf
>> Provisioning - https://wiki.iotivity.org/provisioning
>>
>>>
>>> Also, this Internet Draft https://tools.ietf.org/html/dr
>>> aft-ietf-core-object-security-01 just came out and it proposes using
>>> CBOR for application layer security. I know CBOR is used in the iotivity
>>> stack, so is this ID along the same line of thought in iotivity or is the
>>> model different?
>>>
>> CBOR is essentially used in IoTivity to encode the payload; it is also used
>> to store/retrieve the credentials, device details, etc. People here can
>> give you more precise details on CBOR in IoTivity.
>>
>>
>>
>>> Best regards,
>>>
>>> Khaled
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>


[dev] Security in IoTivity

2016-12-20 Thread Prakash Karthikeyan
Hi Kaled,

Please find replies In-line.

Thanks,
Karthikeyan Prakash,
Software Engineer,



On Tue, Dec 20, 2016 at 12:55 PM, Khaled Elsayed 
wrote:

> Hi,
>
> I am trying to gather some information on the security features in
> iotivity. I know DTLS is used, but is there anything like authorization
> from devices when they are discovered? Is any client capable of discovering
> whatever device running the stack? Is there a document that explains
> iotivity security with some good details?
>

IoTivity Secured Servers can be discovered by any Secured Clients. There is
nothing like authorization to check whether it is an authenticated device. The
next step after discovery is OT (Ownership Transfer). This Document (
https://openconnectivity.org/wp-content/uploads/2016/01/Habib-Virji.pdf)
can provide you details about overall architecture and building/running
samples.

http://events.linuxfoundation.org/sites/events/files/slides/LinuxConEU2015_IoTivitySecurity_0.pdf
Provisioning - https://wiki.iotivity.org/provisioning

>
> Also, this Internet Draft https://tools.ietf.org/html/
> draft-ietf-core-object-security-01 just came out and it proposes using
> CBOR for application layer security. I know CBOR is used in the iotivity
> stack, so is this ID along the same line of thought in iotivity or is the
> model different?
>
CBOR is essentially used in IoTivity to encode the payload; it is also used to
store/retrieve the credentials, device details, etc. People here can give
you more precise details on CBOR in IoTivity.



> Best regards,
>
> Khaled
>
>
>
>
>
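Since the reply above only says that CBOR is what IoTivity uses for payloads and for the stored credentials and device details, here is what that encoding looks like on the wire for a doxm-style map. This is an added example written for this thread, not IoTivity's code (IoTivity uses the tinycbor C library); the `SAMPLE_DOXM` property names mirror /oic/sec/doxm but the values and the device UUID are constructed placeholders, and `encode`/`decode`/`rejects` are names chosen here.

```python
"""Minimal CBOR (RFC 7049) encoder/decoder: unsigned and negative integers,
byte and text strings, arrays, maps and false/true/null. Floats, tags and
indefinite-length items are rejected rather than guessed at."""
import struct

# Constructed doxm-like map; property names follow /oic/sec/doxm, values are made up.
SAMPLE_DOXM = {
    "oxms": [0],
    "oxmsel": 0,
    "sct": 1,
    "owned": False,
    "deviceuuid": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
}


def _head(major, n):
    """Initial byte plus the shortest argument encoding for major type `major`."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        try:
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
        except struct.error:
            continue
    raise ValueError("integer argument too large for CBOR")


def encode(obj):
    if obj is False:
        return b"\xf4"
    if obj is True:
        return b"\xf5"
    if obj is None:
        return b"\xf6"
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"cannot encode {type(obj).__name__}")


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated CBOR item")
    return buf[pos:pos + n], pos + n


def _decode(buf, pos):
    initial, pos = _take(buf, pos, 1)
    major, ai = initial[0] >> 5, initial[0] & 0x1F
    if major == 7:                          # simple values; floats not supported here
        simple = {20: False, 21: True, 22: None}
        if ai in simple:
            return simple[ai], pos
        raise ValueError("unsupported simple/float value")
    if ai < 24:
        n = ai
    elif ai <= 27:
        raw, pos = _take(buf, pos, 1 << (ai - 24))
        n = int.from_bytes(raw, "big")
    else:
        raise ValueError("indefinite-length or reserved item")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        raw, pos = _take(buf, pos, n)
        return bytes(raw), pos
    if major == 3:
        raw, pos = _take(buf, pos, n)
        return raw.decode("utf-8"), pos
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(n):
            key, pos = _decode(buf, pos)
            value, pos = _decode(buf, pos)
            result[key] = value
        return result, pos
    raise ValueError("tags (major type 6) are not supported")


def decode(buf):
    """Decode exactly one item; trailing bytes are an error, not ignored."""
    value, pos = _decode(buf, 0)
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing byte(s) after CBOR item")
    return value


def rejects(buf):
    """True when `buf` is refused as malformed (truncated, trailing data, ...)."""
    try:
        decode(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(encode(SAMPLE_DOXM).hex())
```

The strict length checks in `_take` and `decode` are the part worth copying: a credential store or a doxm payload that is truncated or has bytes appended should fail closed in the parser rather than be silently accepted with whatever prefix happened to decode.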


[dev] Provisioning Client Error

2016-12-14 Thread Prakash Karthikeyan
Debug build output:

Discovering All Un/Owned Devices on Network..
14:28.827 DEBUG: OIC_PM_UTILITY: IN PMDeviceDiscovery
14:28.855 INFO: OIC_RI_STACK: Entering OCDoResource
14:28.871 DEBUG: OIC_CA_CONN_MGR: CAGenerateToken
14:28.871 DEBUG: OIC_CA_PRTCL_MSG: token len:8, token:
14:28.871 DEBUG: OIC_CA_PRTCL_MSG: 29 CD BA AB F2 FB E3 46
14:28.871 INFO: OIC_RI_CLIENTCB: Adding client callback with token
14:28.871 INFO: OIC_RI_CLIENTCB: 29 CD BA AB F2 FB E3 46
14:28.871 INFO: OIC_RI_CLIENTCB: Added Callback for uri :
/oic/sec/doxm?Owned=FALSE
14:28.871 DEBUG: OIC_RM_UTIL: IN
14:28.871 DEBUG: OIC_RM_UTIL: IN
14:28.871 ERROR: OIC_RM_UTIL: Invalid input:options
14:28.871 INFO: OIC_RM_UTIL: Route option is not present
14:28.871 DEBUG: OIC_RM_RAP: IN
14:28.871 DEBUG: OIC_RM_RAP: createoption dlen 0 slen [0]
14:28.871 DEBUG: OIC_RM_RAP: Source and destination is not present
14:28.871 DEBUG: OIC_RM_RAP: OptValue NOR Message Type
14:28.871 INFO: OIC_RM_RAP: Option Length is 1
14:28.871 DEBUG: OIC_RM_RAP: OUT
14:28.871 DEBUG: OIC_RM_UTIL: OUT
14:28.871 DEBUG: OIC_CA_CONN_MGR: CASendRequest
14:28.871 ERROR: OIC_RI_STACK: CASendRequest failed with CA error 13
14:28.871 ERROR: OIC_RI_STACK: OCDoResource error
14:28.871 INFO: OIC_RI_CLIENTCB: Deleting token
14:28.871 INFO: OIC_RI_CLIENTCB: 29 CD BA AB F2 FB E3 46
14:28.871 DEBUG: OIC_CA_CONN_MGR: CADestroyToken
14:28.871 DEBUG: OIC_CA_CONN_MGR: OUT
14:28.871 INFO: OIC_RI_CLIENTCB: Deleting callback with uri
/oic/sec/doxm?Owned=FALSE
14:28.871 DEBUG: OIC_PM_UTILITY: IN DeviceDiscoveryDeleteHandler
14:28.871 DEBUG: OIC_PM_UTILITY: OUT DeviceDiscoveryDeleteHandler
14:28.871 DEBUG: OIC_CA_CONN_MGR: CADestroyToken
14:28.871 DEBUG: OIC_CA_CONN_MGR: OUT
14:28.871 ERROR: OIC_PM_UTILITY: OCStack resource error
14:28.871 ERROR: OIC_OCPMAPI: Error in unowned discovery
14:28.871 ERROR: provisioningclient: OCGetDevInfoFromNetwork API error
14:28.871 ERROR: provisioningclient: _10_DISCOV_ALL_DEVS_: error


Thanks,
Karthikeyan Prakash,
Software Engineer,



On Tue, Dec 13, 2016 at 9:23 PM, Thiago Macieira 
wrote:

> On Tuesday, 13 December 2016 16:51:39 PST Prakash Karthikeyan
> wrote:
> > Segmentation fault (core dumped)
>
> The application crashed.
>
> Please provide the backtrace from a debug build.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
>
>


[dev] Provisioning Client Error

2016-12-13 Thread Prakash Karthikeyan
Dear Developers,

I am working on the provisioning client program to implement some extra
functions. I made a few changes inside the program. I am getting the below
error when I initialize discovery. Can someone help with this?

I am sure that no changes have been made inside the discoverAllDevices()
function.

Discovering Only Unowned Devices on Network..
04:54.122 DEBUG: OIC_PM_UTILITY: IN PMDeviceDiscovery
04:54.122 INFO: OIC_RI_STACK: Entering OCDoResource
04:54.122 DEBUG: OIC_CA_CONN_MGR: CAGenerateToken
04:54.122 DEBUG: OIC_CA_PRTCL_MSG: token len:8, token:
04:54.122 DEBUG: OIC_CA_PRTCL_MSG: 76 5A 2E 63 33 9F C9 9A
04:54.122 INFO: OIC_RI_CLIENTCB: Adding client callback with token
04:54.122 INFO: OIC_RI_CLIENTCB: 76 5A 2E 63 33 9F C9 9A
04:54.122 INFO: OIC_RI_CLIENTCB: Added Callback for uri :
/oic/sec/doxm?Owned=FALSE
04:54.122 DEBUG: OIC_RM_UTIL: IN
04:54.122 DEBUG: OIC_RM_UTIL: IN
04:54.122 ERROR: OIC_RM_UTIL: Invalid input:options
04:54.122 INFO: OIC_RM_UTIL: Route option is not present
Segmentation fault (core dumped)

Thanks,
Karthikeyan Prakash,
Software Engineer,
Attachment: Screenshot from 2016-12-13 16-46-40.png (image/png, 72562 bytes)



[dev] Basic questions on IoTivity security

2016-11-29 Thread Prakash Karthikeyan

Hi Max,
With my experience in working with IoTivity, the secured flag is not going to
change anything in most of the general server/client examples provided.
You can find these general examples in /out/../../resource/examples
1. The secured flag is meant to create a resource with options to communicate
via a secured channel using tinyDTLS or mbedTLS.
These are mentioned in SVRs while creating a resource.
There are different steps involved before the regular communications with the
server created with the secured flag (On-Boarding, Provisioning, etc.). Hope this
link helps you to find out the different steps in that.
Link: https://openconnectivity.org/wp-content/uploads/2016/01/Habib-Virji.pdf
The examples when you build using the secured flag are mentioned in the PDF
from the above link.
2. The server which is created with the secured flag needs Storage, Ownership
transfer method, etc., which are not implemented in the regular server/client
examples.
Non-Secured and Secured UDP communication ports are different and mentioned in
the specs.
You can go through the scons files under different folders to find out which files
are included when building with the SECURED=1 flag.
Hope the above details answer your question.
--
Regards,
Karthikeyan Prakash
Blog: http://goo.gl/mN65Dl

Tuesday, 29 November 2016, 09:31PM +05:30 from Max Kholmyansky max001 at gmail.com:

>Hi,
>
>2 basic questions:
>
>1. What's the exact difference between SECURED=1 and SECURED=0 compiled 
>library versions?
>Is "1" a superset of "0"? Implementing a different behavior? What exactly "0"
>cannot do?
>
>2. If a server resource is created as "secure" (with OC_SECURE flag):
>I understand it means that "it can be accessed in both non-secure and secure 
>(DTLS) way" - right?
>If this is the case, how does the IoTivity client determine whether or not to 
>use encryption?
>
>Thanks in advance,
>
>Max
>
>Software Architect - Tekoia Ltd.
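Max's second question (how a client decides whether to use DTLS for a resource) and the reply's remark that the secured and non-secured UDP ports differ come together in the discovery response itself. The following is an added example for this thread, not IoTivity code: it assumes the /oic/res link representation from the OIC core spec, where each link carries a policy map `p` with a `bm` bitmask and, for secured resources, `sec` and the server's DTLS `port`. The device ID, host, ports and the `select_endpoints` function are constructed for the example.

```python
"""Pick coap:// or coaps:// for each discovered resource from its link policy."""
import json

DISCOVERABLE = 1            # bit 0 of the "bm" policy bitmask
OBSERVABLE = 2              # bit 1
UNSECURED_COAP_PORT = 5683  # port the plaintext discovery multicast uses

# Constructed /oic/res response for a single device with three resources.
SAMPLE_OIC_RES = json.dumps([{
    "di": "constructed-device-id",
    "links": [
        {"href": "/a/light", "rt": ["core.light"], "if": ["oic.if.baseline"],
         "p": {"bm": 3, "sec": True, "port": 5684}},     # secured: DTLS port advertised
        {"href": "/a/public", "rt": ["core.sensor"], "if": ["oic.if.baseline"],
         "p": {"bm": 1}},                                # plaintext only
        {"href": "/a/hidden", "rt": ["core.sensor"], "if": ["oic.if.baseline"],
         "p": {"bm": 0}},                                # not discoverable
    ],
}])


def select_endpoints(payload, host, require_secure=False):
    """Map each discoverable href to the URI the client should use.

    sec=true  -> coaps://host:<advertised DTLS port>/href
    otherwise -> coap://host:5683/href, unless require_secure is set, in which
                 case plaintext-only resources are left out rather than
                 silently talked to in the clear.
    """
    endpoints = {}
    for device in json.loads(payload):
        for link in device["links"]:
            href = link["href"]
            policy = link.get("p", {})
            if not policy.get("bm", 0) & DISCOVERABLE:
                continue
            if policy.get("sec"):
                port = policy.get("port")
                if port is None:
                    raise ValueError(f"{href}: sec=true but no DTLS port advertised")
                endpoints[href] = f"coaps://{host}:{port}{href}"
            elif not require_secure:
                endpoints[href] = f"coap://{host}:{UNSECURED_COAP_PORT}{href}"
    return endpoints


if __name__ == "__main__":
    for href, uri in select_endpoints(SAMPLE_OIC_RES, "192.0.2.10").items():
        print(href, "->", uri)
    print("secure-only:", select_endpoints(SAMPLE_OIC_RES, "192.0.2.10", require_secure=True))
```

`require_secure` is the client-side policy knob a deployment usually wants: the server advertising a plaintext port does not oblige the client to use it, and refusing to fall back keeps a misconfigured server from quietly downgrading the session.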