...

Things or objects in the IoT often have a relationship to real persons. These could be owner(s), manufacturer(s), user(s), administrator(s) or many other roles. A product might first be owned by a manufacturer and subsequently by the user who bought it. The owner, user or administrator of an object might change over time. Ownership and identity relationships in the IoT have an impact on other identity-related processes such as authentication and authorization: the owner of a thing might be challenged to authenticate, or be asked to define the authorization policies for that thing.

User Consent Receipts

Identity Assurance Framework


Is the huge address pool of IPv6 a solution for Identities in IoT (tbd)?

Public classic IP addresses (IPv4 addresses) are a scarce resource, so the IT industry developed various approaches to deal with this situation. Mechanisms like Network Address Translation (NAT) or sub-netting were developed to use address ranges in an optimal way. Access providers use IP address pools and re-use IP addresses by dynamic assignment. The IP address problem is not new; it has been an issue for many years. Recently the problem seems to get worse because billions of new devices appear with the Internet of Things. Not all, but many of them, also need an IP address.

The huge address space of IPv6 seems to solve this problem. Moreover, IPv6 is sometimes seen as a universal address for the IoT. So why not give every IoT device an IPv6 address?

Apart from the fact that many IoT devices do not even have an IP stack, the idea is not feasible. An IP address is a locator, not an identity: a thing like a sensor or actuator can break, and the replacement device may have a new IP address. A software system that talks to the thing by its IP address directly would then fail. It therefore needs a mapping and discovery mechanism that translates the network address (IPv6 or even something else) into an identifier that is handled by the software system.
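
The mapping and discovery mechanism described above, as an added example that is not code from the original page: a small registry that binds a stable thing identifier to the hardware unit and network address that currently fulfil it. The class and method names, the URN-style identifier and the sample IPv6 addresses (from the RFC 3849 documentation prefix) are assumptions made for this illustration.

```python
"""Added example: identifier vs. locator for things.

A software system should address a thing by a stable identifier and resolve
that identifier to the current network address at run time; when the hardware
is swapped, only the registry entry changes. Names are assumptions for this
illustration.
"""
import ipaddress
from typing import Optional


class ThingRegistry:
    """Stable identifier -> (hardware serial, current address). Constructed for this example."""

    def __init__(self) -> None:
        self._things: dict[str, tuple[str, str]] = {}

    def register(self, thing_id: str, serial: str, address: str) -> None:
        """Bind a logical thing to the physical unit that currently fulfils it."""
        self._things[thing_id] = (serial, self._normalise(address))

    def replace_hardware(self, thing_id: str, new_serial: str, new_address: str) -> None:
        """A unit broke and was swapped: the identifier stays, serial and address change."""
        if thing_id not in self._things:
            raise KeyError(f"unknown thing {thing_id}")
        self.register(thing_id, new_serial, new_address)

    def resolve(self, thing_id: str) -> Optional[str]:
        """What the software system should call: identifier -> current locator."""
        entry = self._things.get(thing_id)
        return entry[1] if entry else None

    def whois(self, address: str) -> Optional[str]:
        """Reverse lookup; None for an address that is no longer bound to any thing."""
        addr = self._normalise(address)
        for thing_id, (_serial, bound) in self._things.items():
            if bound == addr:
                return thing_id
        return None

    @staticmethod
    def _normalise(address: str) -> str:
        # ipaddress accepts IPv4 or IPv6 and canonicalises the textual form,
        # so "2001:DB8::0027" and "2001:db8::27" compare equal. Raises ValueError on garbage.
        return str(ipaddress.ip_address(address))


def demo() -> dict:
    """Walk through a sensor failure and replacement; returns what each side observes."""
    reg = ThingRegistry()
    # Constructed sample data: documentation-prefix IPv6 addresses (RFC 3849).
    reg.register("urn:example:sensor:hall-temp", serial="SN-0001", address="2001:db8::10")
    before = reg.resolve("urn:example:sensor:hall-temp")

    # The sensor breaks; a new unit with its own address takes over the role.
    reg.replace_hardware("urn:example:sensor:hall-temp", "SN-0002", "2001:db8::27")

    return {
        "address_before": before,
        "address_after": reg.resolve("urn:example:sensor:hall-temp"),
        # Software that cached the old address now points at nothing.
        "old_address_owner": reg.whois(before),
        # Non-canonical spelling of the new address still resolves.
        "new_address_owner": reg.whois("2001:DB8::0027"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `whois(before)` returning nothing is the failure mode from the paragraph: any component that stored the IPv6 address instead of the identifier is now talking to a dead locator, while `resolve()` keeps working across the hardware swap.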

...

But if that webcam is part of a smartphone, does it remain a single device? As a component of a smartphone, it is accompanied by a variety of other sensors (e.g., camera, microphone, touch screen) as well as a processor (the phone's CPU) and several actuators (e.g., speaker, video monitor, radio transmitter). These various components may be accessed separately or in various groupings to provide disparate services. Similarly, I may be willing to give the babysitter access to turn the speaker off when my baby goes to sleep, but not to the camera, which I want to keep always on. This raises the question, "Does the phone constitute a single device?"

...

Protection mechanisms are not new to the internet. Why is there a challenge in IoT?

In 'classic' identity management, certain protection methods have been established over the years to protect an identity from fraud and misuse. We have authentication methods to prove identities, secure channels to transmit identity attributes, and passwords and other sensitive data are stored protected (passwords as salted hashes, other secrets encrypted).


Security concepts like integrity, availability, authenticity and non-repudiation are built into classic identity protocols like SAML and OpenID. In the Internet of Things the situation is different. Here, many communication protocols are not based on the Internet Protocol. Many sensors or actuators have only limited resources in terms of energy, bandwidth and connectivity. Protocols like EnOcean [www.enocean.com] or KNX [www.knx.org] use only a few bytes to send commands or receive values. In such a frame there is no room for encryption, a challenge-response procedure or other security mechanisms.
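
To make the byte budget from the paragraph above concrete, here is an added example (not code from the page, and not EnOcean's or KNX's own telegram format) of about the cheapest authenticated command frame one could build: a 3-byte command plus a 3-byte rolling counter against replay and a 4-byte truncated MAC for integrity. Even this minimal scheme more than triples the frame, which is exactly the overhead a few-byte protocol cannot absorb. The frame layout, field sizes and demo key are assumptions for this illustration.

```python
"""Added example: the byte cost of authenticating a few-byte command frame.

Frame layout, field sizes and the demo key are assumptions made for this
illustration; this is not EnOcean's or KNX's own telegram format.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

PLAIN_LEN = 3  # bare frame: 1-byte command + 2-byte value
CTR_LEN = 3    # 24-bit rolling counter, rejects replayed frames
TAG_LEN = 4    # HMAC-SHA256 truncated to 32 bits
FRAME_LEN = PLAIN_LEN + CTR_LEN + TAG_LEN

# Constructed demo key; a real device would carry a per-device key provisioned at manufacture.
DEMO_KEY = bytes(range(16))


def overhead_bytes() -> int:
    """Extra bytes per frame that the integrity and anti-replay fields cost."""
    return FRAME_LEN - PLAIN_LEN


def _tag(key: bytes, body: bytes) -> bytes:
    """Truncated HMAC over command, value and counter."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, counter: int, command: int, value: int) -> bytes:
    """Sender side: command | value | counter | truncated MAC over the first three."""
    if not 0 <= counter < 1 << (8 * CTR_LEN):
        raise ValueError("counter exhausted: the device must be re-keyed before it wraps")
    body = struct.pack(">BH", command, value) + counter.to_bytes(CTR_LEN, "big")
    return body + _tag(key, body)


class Receiver:
    """Receiver side: verifies the MAC first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> Optional[Tuple[int, int]]:
        """Return (command, value) for a genuine, fresh frame; None otherwise."""
        if len(frame) != FRAME_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return None                      # forged or corrupted frame
        command, value = struct.unpack(">BH", body[:PLAIN_LEN])
        counter = int.from_bytes(body[PLAIN_LEN:PLAIN_LEN + CTR_LEN], "big")
        if counter <= self.last_counter:
            return None                      # replay of an older frame
        self.last_counter = counter
        return command, value


if __name__ == "__main__":
    rx = Receiver(DEMO_KEY)
    frame = build_frame(DEMO_KEY, counter=1, command=0x10, value=215)
    print(len(frame), "bytes on the air,", overhead_bytes(), "of them security overhead")
    print("first delivery:", rx.accept(frame))
    print("replayed frame:", rx.accept(frame))
```

Note the order of checks on the receiver: the MAC is verified before the counter is read, so a forged frame cannot advance the counter and lock out the genuine sender. The 24-bit counter also shows why key management is unavoidable once a MAC is added: the device must be re-keyed before the counter wraps.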
...

old content follows - to be revised

Authentication

The classic authentication mechanisms (e.g. login/password) may not directly work in the IoT. Objects have to provide some sort of lightweight token or certificate for an authentication in which no user (providing a password) is involved. For stronger authentication of individuals, two or more factors are usually combined. These factors are based on the following proofs:

...
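
The Authentication paragraph above mentions a lightweight token or certificate for objects that have no user to type a password. As an added example that is not code from the page, here is the symmetric variant of that idea: a challenge-response exchange in which the thing proves possession of a pre-shared device key without ever sending the key. A certificate-based variant would replace the MAC with a signature over the same challenge. The message fields, names and the constructed keys are assumptions for this illustration.

```python
"""Added example: challenge-response authentication of a thing with a
pre-shared device key, with no user and no password in the loop.

Message fields, class names and the sample keys are assumptions for this
illustration, not a protocol defined by the page.
"""
import hashlib
import hmac
import os
from typing import Dict


class Thing:
    """The object being authenticated: all it can do is MAC a challenge with its key."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        # Bind the response to both the claimed identity and the fresh nonce,
        # so a response for one device cannot be replayed as another.
        return hmac.new(self._key, self.device_id.encode() + nonce, hashlib.sha256).digest()


class Verifier:
    """The service side: holds the per-device keys and the outstanding challenges."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._pending: Dict[str, bytes] = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)                 # fresh per attempt, never reused
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)   # single use: a replay finds no nonce
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False                       # no outstanding challenge, or unknown device
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(verifier: Verifier, thing: Thing) -> bool:
    """Run one full exchange: challenge -> response -> verdict."""
    nonce = verifier.challenge(thing.device_id)
    return verifier.verify(thing.device_id, thing.respond(nonce))


# Constructed sample keys for the demo; real keys are provisioned per device, never hard-coded.
KEYS = {
    "valve-17": bytes.fromhex("00" * 15 + "01"),
    "pump-02": bytes.fromhex("ff" * 16),
}


if __name__ == "__main__":
    verifier = Verifier(KEYS)
    print("genuine valve:", authenticate(verifier, Thing("valve-17", KEYS["valve-17"])))
    print("wrong key:    ", authenticate(verifier, Thing("valve-17", KEYS["pump-02"])))
```

The single-use nonce is what makes this a proof of possession rather than a token: a captured response is useless against the next challenge, and `verify()` consumes the pending nonce whether or not the response was correct.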