< draft-hsothers-iotsens-ps-00.txt   draft-hsothers-iotsens-ps-01.txt >
Network Working Group D. von Hugo Network Working Group D. von Hugo
Internet-Draft Deutsche Telekom Internet-Draft Deutsche Telekom
Intended status: Standards Track B. Sarikaya Intended status: Standards Track B. Sarikaya
Expires: 21 April 2022 18 October 2021 Expires: 29 July 2022 25 January 2022
Problem Statement for Internet of Things Sensing The Need for New Authentication Methods for Internet of Things
draft-hsothers-iotsens-ps-00 draft-hsothers-iotsens-ps-01.txt
Abstract Abstract
The document attempts to establish hardware based Internet of Things The document attempts to establish the need for new authentication
authentication as a future networking area beyond 5G going into 6G methods in the Internet of Things (IoT) as a future networking area
for standardization. The problem of hardware authentication is beyond 5G going into 6G for standardization. Several scenarios are
discussed and its relationship with Wireless Local Area network described where the current authentication protocols do not work or
collaborative and/or multi-band sensing is established and then are insufficient. Next we discuss a few new approaches such as
recent research efforts in the area are indicated. Wireless LAN/6G sensing and LED light based which can be further
explored.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 April 2022. This Internet-Draft will expire on 29 July 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 4
2. Hardware Based Authentication . . . . . . . . . . . . . . . . 4 3. Need for New Authentication Models . . . . . . . . . . . . . 4
3. State of the Academic Approaches to IoT Authentication . . . 5 4. Academic Approaches to Sensing Based IoT Authentication . . . 5
4. IoT Authentication Protocols . . . . . . . . . . . . . . . . 6 5. IoT Authentication Protocols . . . . . . . . . . . . . . . . 6
5. Hardware IoT Authentication Problem . . . . . . . . . . . . . 6 6. IoT Authentication Problem . . . . . . . . . . . . . . . . . 7
5.1. Architectural and Procedural Issues for Future IP-based 6.1. Architectural and Procedural Issues for Future IP-based
IoT-Authentication . . . . . . . . . . . . . . . . . . . 7 IoT-Authentication . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Future networking to make full use of 5G capabilities or even Future networking to make full use of 5G capabilities or even
resembling an evolution to beyond 5G will have to exploit a much more resembling an evolution to beyond 5G will have to exploit a much more
heterogeneous environment in terms of network and device connectivity heterogeneous environment in terms of network and device connectivity
technologies and applications. In addition ease of use for customers technologies and applications. In addition, ease of use for
and human-independent operation of a multitude of devices and customers and human-independent operation of a multitude of devices
machines (things) has to be provided. and machines (things) has to be provided.
Therefore current authentication models like 802.1X [IEEE802.1X] Therefore current authentication models like 802.1X [IEEE802.1X]
which are based on human intervention do not fit well. Also this which are based on human intervention do not fit well. Also this
model does not scale well for the Internet of Things (IoT). What we model does not scale well for the Internet of Things (IoT).
need is hardware based admission model. Such a model will enable
many new applications as we explain more in this document.
IEEE 802.11 [IEEE802.11] has a project on Wireless LAN (WLAN sensing) We can summarize the use cases we are currently considering here:
and 802.11bf task group (TG) in charge of this project [BFSFD]. Use Authenticating the device that is playing a melody, or a person has
cases for 802.11bf TG includes room sensing, i.e., presence just touched; authenticating devices, i.e. smart teapot with certain
detection, counting the number of people in the room, localization of manifests, like blinking red and blue; authenticate the device when a
active people, audio with user detection, gesture recognition at camera is pointed at it; and the like [Henning].
different ranges, device proximity detection, home appliance control.
There are also health care related use cases like breathing/heart
rate detection, surveillance of persons of interest, building a 3D
picture of an environment, as, e.g., in-car sensing for driver
sleepiness detection [BFUseCases].
Hardware based authentication that we address in this document builds In looking for possible approaches for new authentication methods, we
on similar use cases. We can summarize the use cases we are have identified a few which will be shortly introduced in this
currently considering here: Authenticating the device that is playing document.
a melody, or a person has just touched; authenticating devices, i.e.
smart teapot with certain manifests, like blinking red and blue; Detection and interpretation of audio signals by microphones and
authenticate the device when a camera is pointed at it; and the like corresponding
[Henning]. 802.11bf sensing project provides proper framework for software has been under investigation since some time and
hardware based authentication because 802.11 or Wi-Fi devices are can be achieved with high precision nowadays. Coding of haptic
more and more diverse spanning from personal computers, smartphones, information is currently under standardisation at IEEE P.1918
televisions, tablets, and all sorts of IoT devices or sensors. [P1918].
Using an objects' position to grant authentication could be achieved
via geometrical information
(as e.g., position and orientation of a trusted device like the
camera) or via radio sensing.
IEEE 802.11 has a project on Wireless LAN (WLAN sensing) and 802.11bf
task group (TG) in charge of this project [BFSFD]. Use cases for
802.11bf TG includes room sensing, i.e., presence detection, counting
the number of people in the room, localization of active people,
audio with user detection, gesture recognition at different ranges,
device proximity detection, home appliance control. There are also
health care related use cases like breathing/heart rate detection,
surveillance of persons of interest, building a 3D picture of an
environment, in car sensing for driver sleepiness detection
[BFUseCases].
TGbf is also working on Specification Framework Document with an TGbf is also working on Specification Framework Document with an
outline of each of the functional blocks that will be a part of the outline of each the functional blocks that will be a part of the
final amendment like wireless LAN sensing procedure [BFSFD]. TGbf final amendment like wireless LAN sensing procedure [BFSFD]. TGbf
sensing is based on obtaining physical Channel State Information sensing is based on obtaining physical Channel State Information
(CSI) measurements between a transmitter and receiver WLAN nodes, (CSI) measurements between a transmitter and receiver WLAN nodes,
called stations (STA). Using these measurements, presence of called stations (STA). Using these measurements, presence of
obstacles between a transmitter and receiver can be detected and obstacles between a transmitter and receiver can be detected and
tracked. This way, using feature extraction and classification tracked. This way, using feature extraction and classification of
provided by means of artificial intelligence (AI), more higher level artificial intelligence (AI), more higher level tasks like human
tasks like human activity recognition and object detection are activity recognition and object detection are available for
available for authentication purposes, while hardware based authentication purposes, while corresponding authentication context
authentication use cases can be achieved through computation of phase information can be obtained through computation of phase differences,
differences, etc. etc.
TGbf Wi-Fi Sensing (SENS) is achieved by signaling between just an TGbf Wi-Fi Sensing (SENS) is achieved by signaling between just an
initiator and a responder. TGbf may also define more effective initiator and a responder. TGbf may also define more effective
collaborative SENS (in short, CSENS) where multiple SENS-enabled collaborative SENS (in short, CSENS) where multiple SENS-enabled
devices can collaborate as a group in an orderly fashion to capture devices can collaborate as a group in an orderly fashion to capture
additional information about the surrounding environment [Rest21]. additional information about the surrounding environment [Rest21].
1.1. Conventions and Terminology 2. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Sensing (SENS) is defined as the usage of received Wi-Fi signals from Sensing (SENS) is defined as the usage of received Wi-Fi signals from
a Station (STA) to detect features (i.e., range, velocity, angular, a Station (STA) to detect features (i.e., range, velocity, angular,
motion, presence or proximity, gesture, etc.) of intended targets motion, presence or proximity, gesture, etc.) of intended targets
(i.e., object, human, animal, etc.) in a given environment (i.e., (i.e., object, human, animal, etc.) in a given environment (i.e.,
house, office, room, vehicle, enterprise, etc.). house, office, room, vehicle, enterprise, etc.).
Collaborative sensing (CSENS) defines the operation in which multiple Collaborative sensing (CSENS) defines the operation in which multiple
SENS enabled devices can collaborate as a group in an orderly fashion SENS enabled devices can collaborate as a group in an orderly fashion
to capture additional information about the surrounding environment to capture additional information about the surrounding environment
and allow for more precise detection, thus enabling a more reliable and allow for more precise detection thus enabling a more reliable
authentication. authentication.
Multi-band sensing is defined as sensing using both sub-7-GHz Channel Multi-band sensing is defined as sensing using both sub-7-GHz Channel
State Information (CSI) measurements that provide indication of State Information (CSI) measurements that provide indication of
relatively large motions and that can propagate through obstacles relatively large motions and that can propagate through obstacles
(e.g., walls) and 60-GHz Received Signal Strength Indicator (RSSI) (e.g., walls) and 60-GHz Received Signal Strength Indicator (RSSI)
measurements at mmWave that provide highly-directional information measurements at mmWave that provide highly-directional information
through the usage of beamforming toward a given receiver, but have through the usage of beam forming toward a given receiver, but have
small range due to the presence of blockers (e.g., walls). small range due to the presence of blockers (e.g., walls).
2. Hardware Based Authentication 3. Need for New Authentication Models
Aim of this document is to lay ground for the need for new Aim of this document is to lay ground for the need for new
authentication models in the framework of devices (e.g., machines in authentication models in the framework of devices (e.g., machines in
IoT communication) within a (wireless or wireline-based) network. IoT communication) within a (wireless or wireline-based) network.
Currently employed authentication models (such as e.g., 802.1X Currently employed authentication models (such as e.g., 802.1X
certificate model) is based on a human being using the machine and certificate model) is based on a human being using the machine and
providing credentials (e.g., user name/password or a permitted providing credentials (e.g., user name/password or a permitted
digital certificate) to the authenticator. Similarly, for user digital certificate) to the authenticator. Similarly, for user
equipment (UE) to access a cellular network the device has to be equipment (UE) to access a cellular network the device has to be
equipped with a USIM and the user has to provide a secret key, i.e., equipped with a USIM and the user has to provide a secret key, i.e.,
PIN (Personal Identification Number). With the use case of massive PIN (Personal Identification Number). With the use case of massive
IoT (mIoT) as foreseen, e.g., in 5G and with an increasing amount of IoT (mIoT) as foreseen, e.g., in 5G and with an increasing amount of
devices within a household (smart home) and/or in the ownership of a devices within a household (smart home) and/or in the ownership of a
customer (smart watch etc.) the need for an ease-of-use hardware- customer (smart watch etc.) the need for an ease-of-use admission
based admission model arises. model arises.
Focusing on corresponding procedures starting with detection Focusing on corresponding procedures starting with detection
(sensing) of a new device and subsequent mutual authenticating of the (sensing) of a new device and subsequent mutual authenticating of the
device by and to the network a set of potential technologies are device by and to the network a set of potential technologies are
identified and described to allow for analysis in terms of criteria identified and described to allow for analysis in terms of criteria
as reliable operation (working), scalability, ease of use and as reliable operation (working), scalability, ease of use and
convenience, security, and many more. Sensing is critical to convenience, security, and many more. Sensing could be a basis for
Hardware Based Authentication because sensing (together with new authentication models yet to be found because sensing (together
intelligent interpretation using possibly neural network models) will with intelligent interpretation using possibly neural network models)
allow the detection of the device playing a melody, blinking red and will allow the detection of the device playing a melody, blinking red
blue, being pointed at, or somebody just touched and the like. and blue, being pointed at, or somebody just touched and the like.
Furthermore, the method should be applicable to future generations of Furthermore, the method should be applicable to future generations of
network and of users, upcoming new applications and devices, assuming network and of users, upcoming new applications and devices, assuming
that todays established standard procedures do not fulfill the that todays established standard procedures do not fulfill the
requirements sufficiently. requirements sufficiently.
Hardware based authentication should leverage collaborative and New authentication methods could leverage collaborative and multi-
multi-band sensing technologies to enable sensing with much higher band sensing technologies to enable sensing with much higher
precision and capacity using the state-of-art equipment. Also precision and capacity using the state-of-art equipment. Also
equally important is the use of all artificial intelligence and equally important is the use of all artificial intelligence and
neural networks research results developed by the academia. neural networks research results developed by the academia.
3. State of the Academic Approaches to IoT Authentication 4. Academic Approaches to Sensing Based IoT Authentication
A detailed review on current topics in IoT Security, Device The following list of literature on sensor data and WiFi sensing for
Authentication and Access Control was provided in [Inayat]. The
following list of literature on sensor data and WiFi sensing for
securing and authenticating a user and a device shows the wide range securing and authenticating a user and a device shows the wide range
of approaches and interest in this topic [Rest21]. of approaches and interest in this topic [Rest21].
[Ma], [Wang], [Zhu], [Wang2], and [Qian] provide a holistic overview [Ma], [Wang], [Zhu], [Wang2], [Qian] provide a holistic overview on
on the evolution of Wi-Fi technology and on investigations in the evolution of Wi-Fi technology and on investigations in
opportunistic applications of Wi-Fi signals for gesture and motion opportunistic applications of Wi-Fi signals for gesture and motion
detection. detection.
[Henning2] is investigating geospatial access control for IoT. There [Henning2] is investigating geospatial access control for IoT. There
are attribute, role and identity based, time based and geospatial are attribute, role and identity based, time based and geospatial
access control techniques. Real-world IoT access control policies access control techniques. Real-world IoT access control policies
will be a combination of all three, leading to powerful access will be a combination of all three, leading to powerful access
control techniques to use in practice such as in university campus. control techniques to use in practice such as in university campus.
Such access control or authorization techniques will likely be used Such access control or authorization techniques will likely be used
in conjunction with Hardware Based Authentication. in conjunction with these new IoT Authentication models.
Other notable literature includes [Al-Qaness] on the so-called Other notable literature includes [Al-Qaness] on the so-called
device-free CSI-based Wi-Fi sensing mechanism, [Pahlavan] using Wi-Fi device-free CSI-based Wi-Fi sensing mechanism, [Pahlavan] using Wi-Fi
signals for gesture and motion detection as well as for signals for gesture and motion detection as well as for
authentication and security, [Lui] distinguishing between Line-of- authentication and security, [Lui] distinguishing between Line-of-
Sight (LOS) and Non-Line-of-Sight (NLOS) conditions in case of Sight (LOS) and Non-Line-of-Sight (NLOS) conditions in case of
obstacles appearing between the transmitter and the receiver [Guo] obstacles appearing between the transmitter and the receiver [Guo]
studying HuAc (Human Activity Recognition) as a combination of WiFi- studying HuAc (Human Activity Recognition) as a combination of WiFi-
based and Kinect-based activity recognition system, [FURQAN] based and Kinect-based activity recognition system, [FURQAN]
analyzing the wireless sensing and radio environment awareness analyzing the wireless sensing and radio environment awareness
skipping to change at page 6, line 4 skipping to change at page 6, line 20
adverse channel conditions, i.e., presence of noise and interference adverse channel conditions, i.e., presence of noise and interference
from other technologies. from other technologies.
[Restuccia] investigates data driven algorithms, neural networks, [Restuccia] investigates data driven algorithms, neural networks,
especially convolutional neural network (CNN) or digital signal especially convolutional neural network (CNN) or digital signal
processing (DSP) block to classify complex sensing phenomena. Also processing (DSP) block to classify complex sensing phenomena. Also
[Liao] and [Liao2] proposed to enhance security of industrial [Liao] and [Liao2] proposed to enhance security of industrial
wireless sensor networks (IWSNs) by neural network based algorithms wireless sensor networks (IWSNs) by neural network based algorithms
for sensor nodes' authentication and implementations in IWSNs have for sensor nodes' authentication and implementations in IWSNs have
shown that an improved convolution preprocessing neural network shown that an improved convolution preprocessing neural network
(CNN)-based algorithm requires few computing resources and has (CPNN)-based algorithm requires few computing resources and has
extremely low latency, thus enabling a lightweight multi-node PHY- extremely low latency, thus enabling a lightweight multi-node PHY-
layer authentication. layer authentication.
Further research on these and similar issues can be found in [Tian], Further research on these and similar issues can be found in [Tian],
[Bai], and [Axente]. [Bai] [Axente].
4. IoT Authentication Protocols 5. IoT Authentication Protocols
Since IoT applications cover a broad range of domains from smart Since IoT applications cover a broad range of domains from smart
cities, industry, and homes to personal (e.g., wearable) devices, cities, industry, and homes to personal (e.g., wearable) devices,
including security and privacy sensitive areas as e-health, and can including security and privacy sensitive areas as e-health, and can
reach a huge number of entities the security requirements in terms of reach a huge number of entities the security requirements in terms of
preventing unauthorized access to data are very high. Therefore very preventing unauthorized access to data are very high. Therefore very
robust authentication mechanisms have to be applied. At the same robust authentication mechanisms have to be applied. At the same
time depending on the specific scenario a trade-off between resources time depending on the specific scenario a trade-off between resources
as processing power and memory and security protocol complexity has as processing power and memory and security protocol complexity has
to be considered. Also a plethora of attack scenarios has to be in to be considered. Also a plethora of attack scenarios has to be in
focus as well as scalability of the considered implicit and explicit focus as well as scalability of the considered implicit and explicit
hardware- and software-based authentication procedures. [RFC8576] hardware- and software-based authentication procedures. [RFC8576]
serves as a reference for details about IoT specific security serves as a reference for details about IoT specific security
considerations including the area of authentication and documents considerations including the area of authentication and documents
their specific security challenges, threat models, and possible their specific security challenges, threat models, and possible
mitigations. mitigations. Also the OAuth [RFC6749] protocol is referred to which
extends traditional client-server authentication by providing a third
A more recent work surveys secure bootstrapping and onboarding party client with a token instead of allowing it to use the resource
protocols [I-D.irtf-t2trg-secure-bootstrapping-00] developed by IETF
as well as other standards developing organizations such as IEEE,
FIDO alliance, Open Connectivity Foundation (OCF), Open Mobile
Alliance (OMA).
Lastly, the Open Authorization (OAuth) [RFC6749] protocol in the area
of authorization is a standard for access delegation. It extends
traditional client-server authentication by providing a third party
client with a token instead of allowing it to use the resource
owner's credentials to access protected resources while such token owner's credentials to access protected resources while such token
resembles a different set of credentials than those of the resource resembles a different set of credentials than those of the resource
owner. owner.
5. Hardware IoT Authentication Problem 6. IoT Authentication Problem
Most of the state-of-art hardware identification techniques to Most of the state-of-art identification techniques to authenticate
authenticate the user use finger prints a.k.a. touch id and facial the user use finger prints a.k.a. touch id and facial identification
identification and they use detection by hardware i.e. touch, and they use detection by touch, accelerometer, and gyro sensors or
accelerometer, and gyro sensors or cameras. They are based on cameras. They are based on creating a signature, or the user's
creating a signature, or the user's already stored password [Wang3]. already stored password [Wang3].
On the other hand to authenticate a device based on a set of On the other hand to authenticate a device based on a set of
characteristic parameters which should be flexibly chosen by the characteristic parameters which should be flexibly chosen by the
owner and subsequently made known to the authentication system will owner and subsequently made known to the authentication system will
require a certain level of processing and storage capacity either require a certain level of processing and storage capacity either
within the local system components (e.g., the device itself and the within the local system components (e.g., the device itself and the
wireless point of attachment or access point) and/or within the wireless point of attachment or access point) and/or within the
network (e.g., an edge cloud instance or a central data base). The network (e.g., an edge cloud instance or a central data base). The
result of the detection process (e.g., radio wave analysis outcome in result of the detection process (e.g., radio wave analysis outcome in
terms of parameters as modulation scheme, number of carriers, and terms of parameters as modulation scheme, number of carriers, and
fingerprinting) has to be compared with the required (correct) fingerprinting) has to be compared with the required (correct)
parameter values which are safely stored within the network parameter values which are safely stored within the network
components. On all levels of handling these data, i.e., storage, components. On all levels of handling these data, i.e., storage,
processing, and transport via a communication network, the integrity processing, and transport via a communication network, the integrity
of the content has to be preserved. One should keep in mind, that of the content has to be preserved. One should keep in mind, that
any unintended authentication request should be prevented to minimize any unintended authentication request should be prevented to minimize
the risk of occasional attachment to networks and subsequent exposure the risk of occasional attachment to networks and subsequent exposure
to attack to sensitive user data. to attack to sensitive user data.
5.1. Architectural and Procedural Issues for Future IP-based IoT- 6.1. Architectural and Procedural Issues for Future IP-based IoT-
Authentication Authentication
Here we will discuss possible solutions on IP level and identify Authentication for IoT may rely on a protocol such as 6LowPAN (Low-
benefits and potential gaps towards the requirements of next power Wireless Personal Area Network) which is defined for optimizing
generation IoT systems. On IP or network layer for IPv6 IPsec the efficient routing of IPv6 packets for resource constrained
protocol suite is mandatory and provides end-to-end security for machine- type communication applications.
authentication procedures, ensuring confidentiality and integrity of
the transmitted data. Authentication for IoT may rely on a protocol
as 6LowPAN (Low-power Wireless Personal Area Network) which is
defined for optimizing the efficient routing of IPv6 packets for
resource constrained machine- type communication applications.
When compared to a fully certificate-based authentication, however, a
hardware-based AAA mechanism relying e.g., on WiFi sensing gesture
detection does not require the user to know any key, identifier, or
password for the device to be authenticated. A pre-defined type of
access to the device (e.g., physical, photographic or video
representation, unique description in terms of parameters, etc.)
shall be sufficient for authentication.
[RFC8995] on 'Bootstrapping Remote Secure Key Infrastructure' (BRSKI) [RFC8995] on 'Bootstrapping Remote Secure Key Infrastructure' (BRSKI)
deals with authentication of devices, including sending deals with authentication of devices, including sending
authorizations to the device as to what network they should join, and authorizations to the device as to what network they should join, and
how to authenticate that network by specifying automated how to authenticate that network by specifying automated
bootstrapping of an Autonomic Control Plane (ACP). Secure Key bootstrapping of an Autonomic Control Plane (ACP). Secure Key
Infrastructure (SKI) bootstrapping using manufacturer-installed X.509 Infrastructure (SKI) bootstrapping using manufacturer- installed
certificates combined with a manufacturer's authorizing service, both X.509 certificates combined with a manufacturer's authorizing
online and offline, is called the Bootstrapping Remote Secure Key service, both online and offline, is called the Bootstrapping Remote
Infrastructure (BRSKI) protocol. Bootstrapping a new device can Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new
occur when using a routable address and a cloud service, only link- device can occur when using a routable address and a cloud service,
local connectivity, or limited/disconnected networks and includes only link- local connectivity, or limited/disconnected networks and
support for deployment models with less stringent security includes support for deployment models with less stringent security
requirements. When the cryptographic identity of the new SKI is requirements. When the cryptographic identity of the new SKI is
successfully deployed to the device, completion of bootstrapping is successfully deployed to the device, completion of bootstrapping is
achieved. A locally issued certificate can be deployed to the device achieved. A locally issued certificate can be deployed to the device
via the established secure connection as well. via the established secure connection as well.
6. IANA Considerations LED light based authentication attempts to authenticate hard to reach
IoT devices using LED light indicator available on the device. Here
LED light is used as an out-of-band channel in addition to a wireless
LAN peer-to-peer connection to the device using a smartphone over TLS
connection which is not secured. Smartphone initially obtains
device's public key certificate. Smartphone as the client requests
certificate fingerprint over visible LED light channel. Device
transmits fingerprint by modulating LED. Client receives data with
camera and decodes. Client compares TLS certificate fingerprint with
received fingerprint to complete authentication. LED light based
authentication does not support multiple ways of getting the hash
value from the device. Although most devices have LED type of output
leading to visible light communication, some devices have speaker
type of output and not readily visible [Lins18], [Oden18].
Note that LED light based authentication is similar to EAP-NOOB,
Nimble out-of-band authentication for EAP [RFC9140] where Zigbee or
802.15.4 channel is the main channel and blinking LED light is used
as out-of-band channel. In the main channel, the device is connected
to the Internet over 802.15.4 channel to a controller (a laptop,
acting as a Wi-Fi access point) which connects over the Internet to
AAA server as EAP server where the user has an account. In the OOB
channel, the device is connected to a smartphone using blinking LED
light and the smartphone is connected to AAA server using its 4G/5G
air interface. OOB channel enables the device to send critical data
needed i.e. a secret nonce to EAP server. EAP-NOOB protocol
architecture includes RADIUS which is used to encode EAP messages and
constrained Application Protocol, CoAP which is a simplified HTTP.
CoAP is used in transporting the nonce. EAP-NOOB requires AAA server
and user account on the server, i.e. human interaction.
When compared to a fully certificate-based or secure key
infrastructure based authentication, however, a mechanism relying on
WiFi sensing gesture detection does not require the user to know any
key, identifier, or password for the device to be authenticated. A
pre-defined type of access to the device (e.g., physical,
photographic or video representation, unique description in terms of
parameters, etc.) shall be sufficient for authentication.
7. IANA Considerations
TBD. TBD.
7. Security Considerations 8. Security Considerations
This document raises no new security concerns but tries to identify This document raises no new security concerns but tries to identify
how to increase security in future IoT by discussing the issues of how to increase security in future IoT by discussing the issues of
robust but easy to apply authentication mechanisms. robust but easy to apply authentication mechanisms.
8. Acknowledgements 9. Acknowledgements
TBD. Discussions with Jan Janak, Henning Schulzrinne helped us improve the
draft.
9. References 10. References
9.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 10.2. Informative References
[Al-Qaness] [Al-Qaness]
Al-Qaness, M.A.A., Abd Elaziz, M., Kim, S., Ewees, A.A., Al-Qaness, M.A.A., Abd Elaziz, M., Kim, S., Ewees, A.A.,
Abbasi, A.A., Alhaj, Y.A., and A. Hawbani, "Channel State Abbasi, A.A., Alhaj, Y.A., and A. Hawbani, "Channel State
Information (CSI) from Pure Communication to Sense and Information (CSI) from Pure Communication to Sense and
Track Human Motion: A Survey", Sensors 2019, 19(15), Track Human Motion: A Survey", Sensors 2019, 19(15),
3329 , July 2019. 3329 , July 2019.
[Axente] Axente, M.-S., Dobre, C., Ciobanu, R.-I., and R. [Axente] Axente, M.-S., Dobre, C., Ciobanu, R.-I., and R.
Purnichescu-Purtan, "Gait Recognition as an Authentication Purnichescu-Purtan, "Gait Recognition as an Authentication
skipping to change at page 10, line 5 skipping to change at page 11, line 10
[IEEE802.11] [IEEE802.11]
IEEE, "IEEE Std. 802.11-2016", December 2016, IEEE, "IEEE Std. 802.11-2016", December 2016,
<https://standards.ieee.org/findstds/ <https://standards.ieee.org/findstds/
standard/802.11-2016.html>. standard/802.11-2016.html>.
[IEEE802.1X] [IEEE802.1X]
IEEE, "Institute of Electrical and Electronics Engineers, IEEE, "Institute of Electrical and Electronics Engineers,
"802.1X - Port Based Network Access Control"", January "802.1X - Port Based Network Access Control"", January
2020. 2020.
[Inayat] Ali, I., Sabir, S., and Z. Ullah, "Internet of Things
Security, Device Authentication and Access Control: A
Review", International Journal of Computer Science and
Information Security (IJCSIS), Vol. 14, No. 8 , August
2016.
[Liao] Liao, R.-F., Wen, H., Wu, J., Pan, F., Xu, A., Jiang, Y., [Liao] Liao, R.-F., Wen, H., Wu, J., Pan, F., Xu, A., Jiang, Y.,
Xie, F., and M. Cao, "Deep-learning-based physical layer Xie, F., and M. Cao, "Deep-learning-based physical layer
authentication for industrial wireless sensor networks", authentication for industrial wireless sensor networks",
Sensors 2019, 19(11), 2440 , May 2019. Sensors 2019, 19(11), 2440 , May 2019.
[Liao2] Liao, R.-F., Wen, H., Wen, H., Xie, F., Pan, F., Pan, F., [Liao2] Liao, R.-F., Wen, H., Wen, H., Xie, F., Pan, F., Pan, F.,
and F. Xie, "Multiuser Physical Layer Authentication in and F. Xie, "Multiuser Physical Layer Authentication in
Internet of Things With Data Augmentation", IEEE Internet Internet of Things With Data Augmentation", IEEE Internet
of Things Journal, vol. 7, no. 3, pp. 2077-2088 , March of Things Journal, vol. 7, no. 3, pp. 2077-2088 , March
2020. 2020.
[Lins18] Linssen, A., "Secure Authentication of Remote IoT Devices
Using Visible Light Communication: Transmitter Design and
Implementation", Columbia University , 2018,
<https://www.cs.columbia.edu/~hgs/papers/
Lins18_Secure.pdf>.
[Lui] Liu, J., Wang, L., Fang, J., Guo, L., Lu, B., and L. Shu, [Lui] Liu, J., Wang, L., Fang, J., Guo, L., Lu, B., and L. Shu,
"Multi-Target Intense Human Motion Analysis and Detection "Multi-Target Intense Human Motion Analysis and Detection
Using Channel State Information", Sensors 2018, 18(10), Using Channel State Information", Sensors 2018, 18(10),
3379 , October 2018. 3379 , October 2018.
[Ma] Ma, Y., Arshad, et al, S., and , "Location-and Person- [Ma] Ma, Y., Arshad, et al, S., and , "Location-and Person-
Independent Activity Recognition with WiFi, Deep Neural Independent Activity Recognition with WiFi, Deep Neural
Networks, and Reinforcement Learning,", 2021. Networks, and Reinforcement Learning,", 2021.
[Ma2] Ma, Y. and G. Zhou, et al, "WiFi Sensing with Channel [Ma2] Ma, Y. and G. Zhou, et al, "WiFi Sensing with Channel
State Information: A Survey,", ACM Computing Surveys State Information: A Survey,", ACM Computing Surveys
(CSUR), , vol. 52, no. 3, pp. 1-36, 2019. (CSUR), , vol. 52, no. 3, pp. 1-36, 2019.
[Oden18] Odental, H., "Secure Authentication of Remote IoT Devices
Using Visible Light Communication: Receiver Design and
Implementation", Columbia University , 2018,
<https://www.cs.columbia.edu/~hgs/papers/
Oden18_Secure.pdf>.
[P1918] IEEE Standards Working Group 1918.1, "Tactile Internet",
July 2016.
[Pahlavan] Pahlavan, K. and P. Krishnamurthy, "Evolution and Impact [Pahlavan] Pahlavan, K. and P. Krishnamurthy, "Evolution and Impact
of Wi Fi Technology and Applications: A Historical of Wi Fi Technology and Applications: A Historical
Perspective", Springer Science+Business Media, LLC, part Perspective", Springer Science+Business Media, LLC, part
of Springer Nature 2020 , November 2020. of Springer Nature 2020 , November 2020.
[Qian] Xian, K. and C. Wu, et al, "Widar: Decimeter-level Passive [Qian] Xian, K. and C. Wu, et al, "Widar: Decimeter-level Passive
Tracking via Velocity Monitoring with Commodity WiFi,", Tracking via Velocity Monitoring with Commodity WiFi,",
Proc. of ACM MobiCom, , 2017. Proc. of ACM MobiCom, , 2017.
[Rest21] Restuccia, F., "IEEE 802.11bf: Toward Ubiquitous Wi-Fi [Rest21] Restuccia, F., "IEEE 802.11bf: Toward Ubiquitous Wi-Fi
skipping to change at page 11, line 19 skipping to change at page 12, line 33
[RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of [RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of
Things (IoT) Security: State of the Art and Challenges", Things (IoT) Security: State of the Art and Challenges",
RFC 8576, DOI 10.17487/RFC8576, April 2019, RFC 8576, DOI 10.17487/RFC8576, April 2019,
<https://www.rfc-editor.org/info/rfc8576>. <https://www.rfc-editor.org/info/rfc8576>.
[RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M., [RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
May 2021, <https://www.rfc-editor.org/info/rfc8995>. May 2021, <https://www.rfc-editor.org/info/rfc8995>.
[RFC9140] Aura, T., Sethi, M., and A. Peltonen, "Nimble Out-of-Band
Authentication for EAP (EAP-NOOB)", RFC 9140,
DOI 10.17487/RFC9140, December 2021,
<https://www.rfc-editor.org/info/rfc9140>.
[Tian] Tian, Q., Lin, Y., Guo, X., Wang, J., AlFarraj, O., and A. [Tian] Tian, Q., Lin, Y., Guo, X., Wang, J., AlFarraj, O., and A.
Tolba, "An Identity Authentication Method of a MIoT Device Tolba, "An Identity Authentication Method of a MIoT Device
Based on Radio Frequency (RF) Fingerprint Technology", Based on Radio Frequency (RF) Fingerprint Technology",
Sensors 2020, 20(4), 1213 , February 2020. Sensors 2020, 20(4), 1213 , February 2020.
[Wang] Wang, X. and C. Yang, et al, "TensorBeat: Tensor [Wang] Wang, X. and C. Yang, et al, "TensorBeat: Tensor
Decomposition for Monitoring Multiperson Breathing Beats Decomposition for Monitoring Multiperson Breathing Beats
with Commodity WiFi,", ACM Transactions on Intelligent with Commodity WiFi,", ACM Transactions on Intelligent
Systems and Technology (TIST), , vol. 9, no. 1, pp. 1-27, Systems and Technology (TIST), , vol. 9, no. 1, pp. 1-27,
2017. 2017.
[Wang2] Wang, X. and C. Yang, et al, "PhaseBeat: Exploiting CSI [Wang2] Wang, X. and C. Yang, et al, "PhaseBeat: Exploiting CSI
Phase Data for Vital Sign Monitoring with Commodity WiFi Phase Data for Vital Sign Monitoring with Commodity WiFi
Devices,", Proc. of IEEE ICDCS, , 2017. Devices,", Proc. of IEEE ICDCS, , 2017.
[Wang3] Wang, H., Lymberopoulos, D., and J. Liu, "Sensor-Based [Wang3] Wang, H., Lymberopoulos, D., and J. Liu, "Sensor-Based
User Authentication", EWSN 2015, LNCS 8965, 168 , 2015. User Authentication", EWSN 2015, LNCS 8965, 168 , 2015.
[Zhu] Zhu, H. and F. Xiao, et al, "R-TTWD: Robust device-free [Zhu] Xiao, et al, F., "R-TTWD: Robust device-free through-the-
through-the-wall detection of moving human with WiFi,", wall detection of moving human with WiFi,", IEEE Journal
IEEE Journal on Selected Areas in Communications, , on Selected Areas in Communications, , vol. 35, no. 5,
vol. 35, no. 5, pp. 1090-1103, 2017. pp. 1090-1103, 2017.
Acknowledgements
Authors' Addresses Authors' Addresses
Dirk von Hugo Dirk von Hugo
Deutsche Telekom Deutsche Telekom
Deutsche-Telekom-Allee 9 Deutsche-Telekom-Allee 9
64295 Darmstadt 64295 Darmstadt
Germany Germany
Email: Dirk.von-Hugo@telekom.de Email: Dirk.von-Hugo@telekom.de
 End of changes. 47 change blocks. 
142 lines changed or deleted 183 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/