Category Archives: Internet of Things

Secrecy and IP – There is public, there is private and there is secret.

Leave a reply

If you ask a networking person what a private (IP-)address is, you get one answer: An IP address which is not routable on the internet. There are some IP ranges which have been set aside for use in private networks and won’t work on the internet. For this reason they are sometimes referred to as “non-routable addresses”. Which is why they tend to be used in movies. Type them into your browser and nothing happens. Unless you are in a local network which have routes for them. Emphasis on local. Addresses that start with “10.” and “192.168.” are the most commonly used, and there are a few others as well. Architects tend to think a private address is one that you own.

But what is a public IP address ? That very much depends on who you ask. Network people will say it is it is an address which in not private. An IT architect will say it is an address which is accessible from outside your network. Security would say one which the public can access.

In some sense they are all correct, and that is why the issue is so confused. Because over all of this reigns security. And more particularly secrecy. There are far too many in the IT business who equate security and secrecy. To be sure the two are not opposing concepts for the most part but they intersect only intermittently – and not often. Some think IP security is mainly about secrecy. If the enemy does not know an address, he can’t attack it.

Ah, would that that were so. This is why the difference between public and private is so important. If an architect thinks that a public address is one that other people know about and a private address is one that is secret, the architect might want to keep the address information secret. Only distributed in secure communication; kept in password protected files and in secure document stores etc.

But how secret can an externally accessible IP address really be.

It is illustrative to think in term of physical addresses: A person lives on a secure address. But the house is still there; Numbered sequentially as you like; and the street is public. Anyone can drive to the house at any time. How secure is that? Let’s further suppose that those looking for the occupant of the secure address know that the house has been provided by a company that owns a particular street (public IP range discoverable in DNS). It is a fair guess that the right house is on that street. What does that do to security? If the house is a fortress, it doesn’t matter. But if you base your house security on it being undiscoverable, nothing good.

NAT-ing does nothing useful here. It is like having all your mail sent to the post office and have the post office forward it to your house. Someone can still mail you a remotely detonated bomb (malware). The post office will forward it just the same. (wait a day; trigger it; look for smoke; and you have the right house)

But there is another way: A private road (non-routable/private addresses) cut off from the public road system; you have to be authorized and be lifted in. That is a secure address. Not a full replacement for security at the address of course – you still lock the doors – but the address information is secure as in scanning will not discover it. No looking inside mailboxes on a street you can’t get to.

How to achieve this happy state of affairs. Enter the muddle.

Virtual Private Networks. With “private” here referring both to private addresses as defined above (non-routable) and as in you own it. VPNs are sometimes referred to as encrypted tunnels. Typically based on IPSec but there are other possibilities. Any IP address can be used in a VPN but using a VPN you can have your non-routable “10-dot” address be accessible from anywhere, even over the internet.

And this is done. What strikes me as peculiar is when VPN is used with public/routable addresses. The address is still discoverable, because it is public and no amount of secrecy will change that. The house is on a public street – no matter that the occupant is not listed in the phone book and has his mail sent to the post office. It will be a part of a range that has some other member of it in a public DNS. Therefore it is discoverable through scanning. This is also why services should not run on default ports. And all services running on default port should be disabled as far as possible. Knowing an IP is only half the battle, you still need the right port if you are going to attack something.

Add VPN to the public address and unknown traffic will be prevented from reaching it. Which negates any need to keep it secret – not that you could even if you wanted too. Which leaves no role for secrecy when it comes to IP addresses.

Why even use a public address if you are going to use VPN? They are neither free nor plentiful. Well, you shouldn’t. But if you do, it must be for reasons of convenience. They are unique after all. There is no need to agree a private/non-routable address with the counterparty so as not to cause a conflict with something else in their network. Adding NAT-ing here is just silly as it simply adds confusion and does nothing for security. With one exception: if there is a failure to agree on a single mutually acceptable private address among multiple parties. If there is a hold out, there might have to be NAT-ing between that party and the others.

No, a VPN tunnel should be from one private, non-routable address to another. Not that this needs to be point-to-point. You can route all kinds of traffic though a single VPN tunnel. Your routing tables control that.

Server A has address 10.1.0.10 and sends traffic to Server B at 10.2.0.10 over a VPN. And vice versa. They belong to two separate organization and separate private networks.

The VPN tunnel has openings 10.1.0.1 and 10.2.0.1 respectively. Server A routes traffic bound for 10.2.0.10, to 10.1.0.1. Server B routes traffic bound for 10.1.0.10, to 10.2.0.1.

All of these addresses could be freely published and it would do any external attacker no good at all. Security without secrecy.

sailing the data ocean

Leave a reply

What if there was a way for access to data could be authorized everywhere. If you were authorized to access a piece of data you could get access to it wherever it happened to be located.

This is not the way things work at the moment for sure, but if it could be made to work in a convenient way, what should it be like ?

When the first web browser arose some 20+ years ago. Static html pages and other media and document files where available by calling a URL over the HTTP protocol. Security was added – at first pretty coarse grained: If you were logged in you could access pretty much anything. It got better.
Comprehensive tools became available to centrally manage all web access to any document, with the finest granularity. The writing of the rules of who should access to do what, when and where, could be delegated out to those who actually were in a position to know.
But crucially, these tools could only manage access to stuff directly under their control. Often operating in a reverse-proxy mode intercepting HTTP traffic. APIs were available through which other applications could tap into them to take advantage of access control rules contained in them, to do their own authorization. In this way the data under the control of a unified set of access control rules could be made corporate wide. Access to all of a data in a corporation being governed by rules maintained in one place. Everyone would play together in the same data security pool.
In practice this never happened. (re-)Writing applications to take advantage of the API of the chosen security software platform , was too expensive. Other tools emerged to export the security rules from one software platform to another, leaving them to do their own enforcement through their own rule infrastructures. This didn’t work very well because it was too complicated. Rules are fundamentally about meaning, and meaning doesn’t translate easily. Never the less this was an attempt to federate authorization.

Data protected by the same access control rule infrastructure is part of the same pool. A database is a single pool. It has its own internal security governing access to individual pieces of data contained in it, but has no reach outside. The database maintains it’s own list of who gets to access which column in what tables.
A server has it’s own internal arrangement for governing access to the data in its own file systems. It may also have access remote file systems. Some remote file systems would be on other servers, which would govern access (NFS, FTP, Samba etc.) and would therefore not be part of the server’s own pool.

If authorizations could be federated between pools all data would exist in one big virtual pool.
A virtual pool made of multiple physical pools; individual databases, file servers etc. At present this is difficult as there may be user federation between some data pools, but each pool has it’s one authorization, it’s own way to enforce access rules. The rules in one are not known, or directly enforceable in another. There is no federated authorization.

Lets further suppose that any piece of data in this virtual data pool, data ocean really, is accessible over TCP with a URI. The URI may have various formats depending on what type of physical pool is being addressed.
For example, this would be the syntax of an URI accessing a directory (LDAP) store

ldap[s]://hostname:port/base_dn?attributes?scope?filter

And this to access a individual file, using HTTP(S)

https://host:port/path

Access to one of the secure web reverse-proxies mention above, would look like this too.

The would be many others. Note that the username and password does not appear. There would not be any prompting for this information either.
Access control would be through PAML tokens, passed in the headers. A SSL handshake would take place to establish the requesting entity’s authorization for the tokens presented.
All physical pools are defined by the entity that control access to it, and all of these entities, be they LDAP server and file/web server in the URI examples above must be equipped to handle PAML tokens to verify the authorization for the request. Through the acceptance of these PAML token the pools together form a virtual data ocean. Any application can call on data anywhere else and present PAML tokens for authorization.

This leave quite a bit of scope for application architecture. The use of a PAML token require access to the private key of the user to which the PAML token was issued. Which means that if a user is engaged in a transaction with an application and this application needs access to data kept somewhere else on behalf of the user, the application can only present its own PAML token, not forward those it has received from the users. The user must at a minimum contact this other data store directly and engage in a SSL handshake. This way the user’s ownership of the public key is established for the benefit of the data store. The application can then pass the PAML token received from the user on to the data store and the store would now know that the PAML tokens are OK to use; or the user could make the data retrieval directly and pass the data to the application that needs it. Sort of like a data federation.

Note that PAML token are tied to data, not any particular host environment. Among other things this means that the requesting client may send the server a considerable number of tokens in order to establish authorization for all required data. The server will grant the union of all these tokens.

The smoke alarm joins the Internet of Things

Leave a reply

An inconspicuous example IoT enabled household devices. The smoke alarm.

These things run on batteries and those batteries run out. A little ahead of time they give of an annoying beep to inform you of this. To test them you press a button, to get a beep. So manual acts are required in the field of smoke alarms. It is no secret that this is widely neglected. A great proportion of smoke alarms are sitting without a battery when late night beeping commenced and a fresh battery was not at hand. Some people replace the batteries at the same time every year and so waste both their time and their money.

There are third parties who have an interest in whether or not the smoke alarm in a household are operational. In a multi-family structure the other householders clearly do. The local fire department certainly. Smoke alarms give them an early warning that something might be amiss without necessarily amounting to a full scale alarm. Data analysis over time and many devices will give them data to help identity both false positives and false negatives. Insurance companies most definitely would like to know about smoke alarms. Their policies might be made contingent on alarms being in place and operational. With the money saved split between the parties.

The field of smoke alarms is primed and ready for improvement. Enter the internet of things.

Clearly this tiny device will never have anything other than a limited software stack. Running an LDAP client to authenticate users against a directory server is too far fetched. Yet if the fire department is to be able to probe a whole ecology of WI-FI connected smoke alarms those devices must have a way to verify that the incoming request is authorized. Ideally something stand alone. RESTful; A one-shot request; Stateless. All are desirable qualities.

PAML tokens have the authorization qualities we’re looking for. The user (fire department) establishes an SSL session with the device and the PAML token is thereby established as belonging to the user as well as having been issued by the owner of the device. Using a PAML token implies a both client and server authentication through the cryptographic handshakes that take place, but without having to maintain a list of permitted Certificate Authorities on the device. A very significant practical advantage.

How to secure it on the Internet of Things

Leave a reply

The internet of things is not a new idea but in the hype curve it is now definitely on the upswing. Disillusionment should be setting in soon, before the real delivery of value gets started.

I  had an amusing conversation with the CEO of a startup in the business of providing software for monitoring “things” on the Internet of Things. Amusing in that whenever I asked him about how access to these devises was secured, he said that you didn’t access them directly, only a virtual representation.  I then followed up with “so they are not connected to the internet then ?” to which he answered yes, they were. I returned to my original question. Repeat. We went though this cycle about 4 or five times. We had a pretty good bit going there; should have taken it on the road. As a CEO of a startup he could have used the money I’m sure. I am also sure that having your security model be a joke on the standup-circuit would perhaps be ill advised.

That still leaves the larger question. What should be security model be for the Internet of Things.

In some sense we have had IoT for a long time already. But the “T” in IoT are not the PCs and servers we are used to.  These new devices will not be running a full stack of software. They won’t  be able to and even if they were (computing resources gets ever cheaper) it would be hugely wasteful. And a management nightmare too.

Though I’m sure many software vendors will emerge to help us with it. And Microsoft would be perfectly happy to sell a copy of Windows to every fridge and toaster built.

No, these devices will have a simplified software stack. As simple as possible. Requires less hardware, and less is cheaper. Perhaps cheaper by only a few cents, or less, but when you number your devices in the billions, every little bit adds of pretty fast. Simple is also easier to maintain and leaves less room for error (read: bugs).

Considering only the security side of things. What are the minimum security features required ?

Privacy: The devices have to be able communicate privately – which means encryption.

Integrity: The devices have to be able communicate reliably. The data streams must not be tampered with. This ties in with encryption in the TSL/SSL protocols.

Authorization: If the device is able to receive and act on requests , there has to be a way to check the authorization for those requests.

The need to authentication is typically driven by the need for authorization – first you establish who somebody is, then what they are allowed to do – but with PAML tokens this is not so. Authentication is therefore optional, depending on security protocol.

 

 

portable anonymous authorization tokens

Leave a reply

Is this a contradiction in terms? A token with which you can gain authorized access to data resource without giving your identity ? It sounds a bit fanciful to say the least. And even if it didn’t why would we even want it ?
I suggest that it is not, and that we do; and I’d like to propose, design and develop a technology that makes it possible.

First things first, what precisely do I mean by these terms.

Portable: The user can use the exact same token multiple places. Further, the access control enforcement entity need make no call to an external access control policy store in order to make a decision based on the token.

Anonymous: The token contains no personal information about the user, and the entity receiving the token, using it to establish that the user is indeed authorized to access the resource in question, can not establish the user’s identity with the token. Nor is the users identity needed in order to perform the authorization. Proper ownership of the token is established through PKI and cryptographic handshakes.

Authorization: the token is for authorization only, no authentication. If for granting access to resources the user’s identity is required, it must be established some other way.

Token: it is a piece of data. text or binary, XML or plain text. Opaque or not. Mostly passed in the HTTP headers between client and server in the client-server web model. But other ways should be just as workable, Smart cards for example. Headers have limited size, so HTTP POST must be available. In my proposal I’ll stick with XML as the format of the token. SAML tokens are passed in headers now; this token can be passed in the same way.

A fundamental question is whether or not anonymous authorization is even desirable. How can you maintain authorizations without having a database of your users in order to keep track of who you gave the access to.

And if you have a database of all your users and all the access they have, why not authenticate them and check the database for what access they should have and grant or deny their requests accordingly. No need to have special access tokens. This is how things are done now.

I suggest that this is not very efficient for ultra-large scale or distributed solutions. Every single request to be looked up against a database of access control lists. Granted, those ACL databases can themselves be cloned and distributed out to all access control enforcement points. And this is done. Excellent performance is achievable. At the expense of a complex and elaborate setup.

But it requires all these access enforcement points to be in contact with a central system to get fresh copies of the ACL database. And what about portability ? Will the enforcement point accept ACL databases from multiple sources. This may not make much sense if there data is in one place; Just have the one policy creation point and one user store. But if the data is in multiple locations ? As in a distributed system. Will all of these enforcement points authenticate the user against the same user store and authorize the requests against the same policy store? If you have enough copies of both it can be made to scale, but it is hardly efficient. User federation does not help.

With a truly portable token the enforcement point need make no reference to any other access control policy source to be able authorize or reject the request. There is then no need for high performance user stores and distributed access control policies. This significant. There are far more authorization operations than there are authentication operations. An arrangement where the two are not linked is more robust and scaleable. True, a user should only be authenticated once per session, but that still requires a user store to be available. Even with federation. So a token that can be used without a user database is to be preferred from a performance point of view.

 

NB. This is purely technical examination of these issues. From a business point of view things are quite different: The users identity is a valuable commodity that should be gathered up as much as possible along with whatever action the user takes. The legal aspect is neutral: the user’s request is properly authorized either way.

Here is a high-level view of REST-ful use of a data access token.

Portable access token

portable access token outline of usage.

 

1 User request a token from the data owner. The token can bundle multiple different requests to access data belonging to the owner.

2 Owner grants the token request after approving all the token grants access to. Sending the finished token back to the user.

Note: It makes no difference which party initiates the process of creating the token. At the end both parties have agreed what request are granted by the token, and that is enough. The owner will always have the last word, and can add limitations such as timing without input from the user, but then the user can always decline to use the token.

later

3. send token along with request.

4. check token and check user’s request against the token.

The enforcement point make no reference against a user database or rules database and therefore the token need contain no information directly identifying the user. The token can not be truly anonymous since the user must be able to establish that the user is proper user of the token, but this will not be in the form of a username.