Internet-Draft | IoT networking security guidelines | April 2023 |
Moran | Expires 26 October 2023 | [Page] |
The IETF has developed security technologies that help to secure the Internet of Things even over constrained networks and when targetting constrained nodes. These technologies can be used independenly or can be composed into larger systems to mitigate a variety of threats. This documents illustrates an overview over these technologies and highlights their relationships. Ultimately, a threat model is presented as a basis to derive requirements that interconnect existing and emerging solution technologies.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This memo serves as an entry-point to detail which technologies are available for use in IoT networks and to enable IoT designers to discover technologies that may solve their problems. This draft addresses.¶
Many baseline security requirements documents have been drafted by standards setting organisations, however these documents typically do not specify the technologies available to satisfy those requirements. They also do not express the next steps if an implementor wants to go above and beyond the baseline in order to differentiate their products and enable even better security. This memo defines the mapping from some IoT baseline security requirements definitions to ietf and related security technologies. It also highlights some gaps in those IoT baseline security requirements.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
At time of writing, there are IoT baseline security requirements provided by several organisations:¶
Requirements that pertain to hardware, procedure, and policy compliance are noted, but do not map to ietf and related technologies. NIST's requirements ([NIST-Baseline]) are very broad and already have mappings to ENISA baseline security recommendations.¶
ENISA GP-PS-10: Establish and maintain asset management procedures and configuration controls for key network and information systems. NIST Device Identification: The IoT device can be uniquely identified logically and physically.¶
These requirements are architectural requirements, however [RFC4122] can be used for identifiers.¶
ENISA GP-TM-01: Employ a hardware-based immutable root of trust.¶
This is an architectural requirement.¶
ENISA GP-TM-02: Use hardware that incorporates security features to strengthen the protection and integrity of the device - for example, specialized security chips / coprocessors that integrate security at the transistor level, embedded in the processor, providing, among other things, a trusted storage of device identity and authentication means, protection of keys at rest and in use, and preventing unprivileged from accessing to security sensitive code. Protection against local and physical attacks can be covered via functional security.¶
NIST Data Protection: The ability to use demonstrably secure cryptographic modules for standardized cryptographic algorithms (e.g., encryption with authentication, cryptographic hashes, digital signature validation) to prevent the confidentiality and integrity of the device’s stored and transmitted data from being compromised¶
This is an architectural requirement.¶
ENISA GP-TM-03: Trust must be established in the boot environment before any trust in any other software or executable program can be claimed.¶
Satisfying this requirement can be done in several ways, increasing in security guarantees:¶
ENISA GP-TM-04: Sign code cryptographically to ensure it has not been tampered with after signing it as safe for the device, and implement run-time protection and secure execution monitoring to make sure malicious attacks do not overwrite code after it is loaded.¶
Satisfying this requirement requires a secure invocation mechanism. In monolithic IoT software images, this is accomplished by Secure Boot. In IoT devices with more fully-featured operating systems, this is accomplished with an operating system-specific code signing practice.¶
Secure Invocation can be achieved using the SUIT Manifest format, which provides for secure invocation procedures. See [I-D.ietf-suit-manifest].¶
To satisfy the associated requirement of run-time protection and secure execution monitoring, the use of a TEE is recommended to protect sensitive processes. The TEEP protocol (see [I-D.ietf-teep-architecture]) is recommended for managing TEEs.¶
ENISA GP-TM-05: Control the installation of software in operating systems, to prevent unauthenticated software and files from being loaded onto it.¶
NIST Software Update:¶
Many fully-featured operating systems have dedicated means of implementing this requirement. The SUIT manifest (See [I-D.ietf-suit-manifest]) is recommended as a means of providing secure, authenticated software update. Where the software is deployed to a TEE, TEEP (See [I-D.ietf-teep-protocol]) is recommended for software update and management.¶
NIST Device Configuration:¶
Configuration can be delivered to a device either via a firmware update, such as in [I-D.ietf-suit-manifest], or via a runtime configuration interface, such as [LwM2M].¶
ENISA GP-TM-06: Enable a system to return to a state that was known to be secure, after a security breach has occured or if an upgrade has not been successful.¶
While there is no specificaiton for this, it is also required in [RFC9019]¶
ENISA GP-TM-07: Use protocols and mechanisms able to represent and manage trust and trust relationships.¶
EST (https://datatracker.ietf.org/doc/html/rfc7030) and LwM2M Bootstrap ([LwM2M]) provide a mechanism to replace trust anchors (manage trust/trust relationships).¶
ENISA GP-TM-08: Any applicable security features should be enabled by default, and any unused or insecure functionalities should be disabled by default.¶
NIST Logical Access to Interfaces:¶
These are procedural requirements, rather than a protocol or document requirement.¶
ENISA GP-TM-09: Establish hard to crack, device-individual default passwords.¶
This is a procedural requirement, rather than a protocol or document requirement.¶
The data protection requirements are largely procedural/architectural. While this memo can recommend using TEEs to protect data, and TEEP ([I-D.ietf-teep-architecture]) to manage TEEs, implementors must choose to architect their software in such a way that TEEs are helpful in meeting these requirements.¶
ENISA Data Protection requirements:¶
NIST Data Protection:¶
Safety and reliability requirements are procedural/architectural. Implementors should ensure they have processes and architectures in place to meet these requirements.¶
ENISA Safety and Reliability requirements:¶
Technical requirements for Software Updates are provided for in SUIT ([I-D.ietf-suit-manifest]) and TEEP ([I-D.ietf-teep-protocol]). Procedural and architectural requirements should be independently assessed by the implementor.¶
ENISA Software Update Requirements:¶
ENISA GP-TM-21: Design the authentication and authorisation schemes (unique per device) based on the system-level threat models.¶
This is a procedural / architectural requirement.¶
ENISA applies the following requirements to Password-based authentication:¶
As an alternative, implementors are encouraged to consider passwordless schemes, such as FIDO.¶
ENISA defines the following physical security requirements. These are hardware-architectural requirements and not covered by protocol and format specifications.¶
ENISA makes the following architectural cryptography requirements for IoT devices:¶
GP-TM-38: Guarantee the different security aspects -confidentiality (privacy), integrity, availability and authenticity- of the information in transit on the networks or stored in the IoT application or in the Cloud.¶
This Data Security requirement can be fulfilled using COSE [RFC8152] for ensuring the authenticity, integrity, and confidentiality of data either in transit or at rest. Secure Transport (see Section 4.11.2) technologies can be used to protect data in transit.¶
ENISA GP-TM-39: Ensure that communication security is provided using state-of-the-art, standardised security protocols, such as TLS for encryption. ENISA GP-TM-40: Ensure credentials are not exposed in internal or external network traffic.¶
This requirement is satisfied by several standards:¶
ENISA GP-TM-41: Guarantee data authenticity to enable reliable exchanges from data emission to data reception. Data should always be signed whenever and wherever it is captured and stored.¶
The authenticity of data can be protected using COSE [RFC8152].¶
ENISA GP-TM-42: Do not trust data received and always verify any interconnections. Discover, identify and verify/authenticate the devices connected to the network before trust can be established, and preserve their integrity for reliable solutions and services.¶
Verifying communication partners can be done in many ways. Key technologies supporting authentication of communication partners are:¶
ENISA GP-TM-43: IoT devices should be restrictive rather than permissive in communicating.¶
This Requirement can be enabled and enforced using Manufacturer Usage Descriptions, which codify expected communication (See [RFC8520])¶
ENISA GP-TM-44: Make intentional connections. Prevent unauthorised connections to it or other devices the product is connected to, at all levels of the protocols.¶
This requirement can be satisfied through authenticating connections (TLS / DTLS mutual authentication. See [RFC8446] / [RFC9147]) and declaring communication patterns (Manufacturer Usage Descriptions. See [RFC8520])¶
Architectural / Procedural requirements:¶
ENISA Architectural / Procedural requirements:¶
ENISA GP-TM-52: Ensure web interfaces fully encrypt the user session, from the device to the backend services, and that they are not susceptible to XSS, CSRF, SQL injection, etc.¶
This requirement can be partially satisfied through use of TLS or QUIC (See [RFC8446] and [RFC9000])¶
Architectural / Procedural requirements:¶
ENISA GP-TM-54: Data input validation (ensuring that data is safe prior to use) and output filtering.¶
Architectural / Procedural requirements:¶
ENISA GP-TM-55: Implement a logging system that records events relating to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the system. Logs must be preserved on durable storage and retrievable via authenticated connections.¶
NIST Cybersecurity State Awareness¶
Certain logs and indicators of cybersecurity state can be transported via RATS: See [I-D.ietf-rats-eat]. Where associated with SUIT firmware updates, logs can be transported using SUIT Reports. See [I-D.ietf-suit-report].¶
Architectural / Procedural requirements:¶
No additional security considerations are required; they are laid out in the preceeding sections.¶