ETSI TR 118 512 V2.0.0 (2016-09)

oneM2M; End-to-End Security and Group Authentication
(oneM2M TR-0012 version 2.0.0)

TECHNICAL REPORT

Reference
DTR/oneM2M-000012

Keywords
IoT, M2M, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from: http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016. All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Conventions
5 Use Cases
5.1 Use Case of End-to-End Authentication in Key Distribution
5.1.1 Description
5.1.2 Actors
5.1.3 Pre-conditions
5.1.4 Normal Flow
5.1.5 Potential requirements
5.2 Use Case of Static Group Authentication (Smart Meter Reading)
5.2.1 Description
5.2.2 Actors
5.2.3 Pre-conditions
5.2.4 Normal flow
5.2.5 Potential requirements
5.3 Use Case of Dynamic Group Authentication (Remote Vehicle Management)
5.3.1 Description
5.3.2 Actors
5.3.3 Pre-conditions
5.3.4 Normal Flow
5.3.5 Potential requirements
5.3.5.1 Static group potential requirements
5.3.5.2 Dynamic group potential requirements
5.4 Use Case for Secure Group Communication
5.4.1 Description
5.4.2 Actors
5.4.3 Pre-conditions
5.4.4 Normal Flow
5.4.5 Potential requirements
5.5 Use case of End-to-End Authentication
5.5.1 Description
5.5.2 Actors
5.5.3 Pre-Conditions
5.5.4 Normal Flow
5.5.5 Potential Requirements
5.6 Use case of End-to-End Message Authentication using Delegated Means
5.6.1 Description
5.6.2 Actors
5.6.3 Pre-Conditions
5.6.4 Normal Flow
5.6.5 Potential Requirements
5.7 Use case of End-to-End Data Integrity
5.7.1 Description
5.7.2 Actors
5.7.3 Pre-Conditions
5.7.4 Normal Flow
5.7.5 Potential Requirements
5.8 Use case for providing security adaptation at each hop
5.8.1 Description
5.8.2 Actors
5.8.3 Pre-conditions
5.8.4 Normal Flow
5.8.5 Potential Requirements
6 Candidate Architecture
6.1 Group Authentication Architecture Proposal
6.1.1 Architecture of Static Group Authentication
6.1.1.0 Introduction
6.1.1.1 Nodes
6.1.1.2 Reference Points
6.1.2 Group Authentication Requirements
6.2 End-to-End Security Framework (ESF) Proposal 1
6.2.0 Overview
6.2.1 End-to-End Security Framework Introduction
6.2.2 ESF Security Layer High Level Architecture
6.2.2.1 ESF Security Layer Overview
6.2.2.2 ESF Security Layer Requirements
6.2.2.2.0 Overview
6.2.2.2.1 Generic Requirements for the ESF Security Layer
6.2.2.2.1.1 Generic ESF Security Layer Macro-Considerations
6.2.2.2.1.2 Generic ESF Payload Security Requirements
6.2.2.2.1.3 Generic ESF Key Establishment Requirements
6.2.2.2.1.4 Generic ESF Facilitation Requirements
6.2.2.2.1.5 Generic ESF Envelope Serialization Requirements
6.2.2.2.2 ESF-S1 Requirements
6.2.2.2.2.1 ESF-S1 Macro-Considerations
6.2.2.2.2.2 ESF-S1 Payload Security Requirements
6.2.2.2.2.3 ESF-S1 Key Establishment Requirements
6.2.2.2.2.4 ESF-S1-Specific ESF Facilitation Requirements
6.2.2.2.2.5 ESF-S1 Envelope Serialization Requirements
6.2.2.2.3 ESF-Sm Requirements
6.2.2.2.3.1 ESF-Sm Macro-Considerations
6.2.2.2.3.2 ESF-Sm Payload Security Requirements
6.2.2.2.3.3 ESF-Sm Key Establishment Requirements
6.2.2.2.3.4 ESF-Sm-Specific ESF Facilitation Requirements
6.2.2.2.3.5 ESF-Sm Envelope Requirements
6.2.2.3 ESF-S1 Processing flow
6.2.2.4 ESF-Sm Processing Flow
6.2.3 ESF Preparation Layer and ESF Integration Layer Processing
6.2.3.1 ESF Specifications for ESF Target Data Class 1
6.2.3.1.1 Profile for ESF Target Data Class 1
6.2.3.1.2 ESF Target Data Class 1 Processing at the Sending EEP
6.2.3.1.3 ESF Target Data Class 1 Processing at the Receiving EEP
6.2.3.2 ESF Specifications for ESF Target Data Class 2
6.2.3.2.1 Profile for ESF Target Data Class 2
6.2.3.2.2 ESF Target Data Class 2 Processing at the Sending EEP
6.2.3.2.3 ESF Target Data Class 2 Processing at the Receiving EEP
6.2.3.3 ESF Specifications for ESF Target Data Class 3
6.2.3.3.1 Profile for ESF Target Data Class 3
6.2.3.3.2 ESF Target Data Class 3 Processing at the Sending EEP
6.2.3.3.3 ESF Target Data Class 3 Processing at the Receiving EEP
7 Available Options
7.1 Review of Existing Technology
7.1.1 Review of Object-Based Security Technology
7.1.1.1 Introduction to Object-Based Security Technology
7.1.1.2 Secure/Multipurpose Internet Mail Extensions (S/MIME)
7.1.1.2.1 High Level Description of S/MIME
7.1.1.2.2 Considerations regarding of S/MIME
7.1.1.2.2.1 CoAP identification of S/MIME media types
7.1.1.2.2.2 Formatting, Parsing and Canonicalization Complexity for S/MIME
7.1.1.3 OpenPGP
7.1.1.3.1 High Level Description of OpenPGP
7.1.1.3.2 Considerations for OpenPGP
7.1.1.3.2.1 CoAP identification of the OpenPGP media type
7.1.1.3.2.2 Formatting, Parsing and Canonicalization Complexity for OpenPGP
7.1.1.4 XML Security
7.1.1.4.1 High Level Description of XML Security
7.1.1.4.2 Considerations for XML Security
7.1.1.4.2.1 CoAP identification of the XML Security media type
7.1.1.4.2.2 Formatting, Parsing and Canonicalization Complexity for XML Security
7.1.1.4.2.3 Canonicalization and XML Security
7.1.1.5 JSON Security
7.1.1.5.1 High Level Description of JSON Security
7.1.1.5.2 Considerations for JSON Security
7.1.1.5.2.1 CoAP identification of the JSON Security media type
7.1.1.5.2.2 Formatting, Parsing and Canonicalization Complexity for JSON Security
7.2 Group Authentication
7.2.1 Group Authentication Solution 1
7.3 A Solution for providing security of data “at-rest”
7.3.1 General procedure for hosting and accessing secure data
7.3.2 Bootstrapped procedure for providing data security
7.3.2.1 Overall Description
7.3.2.2 Detailed Description
7.4 A Solution for providing End-to-End Message Authentication using Symmetric Key
7.4.1 End-to-End Security Credential(s) Generation Process
7.4.1.1 Overall Description
7.4.1.2 Detailed Description
7.5 Proposal for determining detailed Security Requirements, Features and associated Algorithms
7.5.1 Security Determination Process
7.5.1.1 Overall Description
7.5.1.2 Detailed Description
8 Release 2 End-to-End Security and Rationale
8.1 Overview of Release 2 End-to-End Security Features
8.2 Release 2 End-to-End Security of Data (ESData)
8.2.1 End-to-End Security of Data (ESData) Overview
8.2.2 End-to-End Security of Data (ESData) Functional Architecture
8.3 Release 2 End-to-End Security of Primitives (ESPrim)
8.3.1 End-to-End Security of Primitives (ESPrim) Overview
8.3.2 End-to-End Security of Primitives (ESPrim) Functional Architecture
8.4 Release 2 End-to-End Security Certificate-based Key Establishment (ESCertKE)
8.4.1 End-to-End Security Certificate-based Key Establishment (ESCertKE) Overview
8.4.2 End-to-End Security Certificate-based Key Establishment (ESCertKE) Functional Architecture
8.5 Release 2 MAF Security Framework
8.5.1 MAF Security Framework Overview
8.5.2 MAF Security Framework Functional Architecture
8.6 Changes to Release 1 Features in Release 2
8.6.1 Changes to Remote Security Provisioning Frameworks (RSPFs)
8.6.2 Changes to Security Association Establishment Frameworks (SAEFs)
9 Conclusions and recommendations
Annex A: Problem Statement for needing End-to-End Data Security
A.1 Introduction
Annex B: Use case for remote attestation
B.1 Description
B.2 Actors
B.3 Pre-conditions
B.4 Normal flow
B.5 Potential requirements
Annex C: Bibliography
History

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No
guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword
This Technical Report (TR) has been produced by ETSI Partnership Project oneM2M (oneM2M).

1 Scope
The present document provides options and analyses for the security features and mechanisms providing end-to-end security and group authentication for oneM2M. The scope of this technical report includes use cases, threat analyses, high level architecture, generic requirements, available options, evaluation of options, and detailed procedures for executing end-to-end security and group authentication.

2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.

2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to
a particular subject area.
[i.1] ETSI TS 118 111: “oneM2M; Common Terminology (oneM2M TS-0011)”.
[i.2] W3C Recommendation: “Canonical XML Version 1.0”, 2001.
NOTE: Available at http://www.w3.org/TR/xml-c14n.
[i.3] IETF RFC 7165: “Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)”.
[i.4] IETF RFC 5166: “An Interface and Algorithms for Authenticated Encryption”, 2008.
[i.5] oneM2M drafting rules.
NOTE: Available at http://www.onem2m.org/images/files/oneM2M-Drafting-Rules.pdf.
[i.6] ETSI TS 118 101: “oneM2M; Functional Architecture (oneM2M TS-0001)”.
[i.7] ETSI TS 118 102: “oneM2M; Requirements (oneM2M TS-0002)”.
[i.8] ETSI TS 118 103: “oneM2M; Security solutions (oneM2M TS-0003)”.
[i.9] ETSI TS 118 104: “oneM2M; Service Layer Core Protocol Specification (oneM2M TS-0004)”.
[i.10] W3C Recommendation: “XML Signature Syntax and Processing v1.1”, 2013.
NOTE: Available at http://www.w3.org/TR/xmldsig-core1/.
[i.11] W3C Recommendation: “XML Encryption Syntax and Processing v1.1”, 2013.
NOTE: Available at http://www.w3.org/TR/xmlenc-core1/.
[i.12] IETF RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2”.
[i.13] IETF RFC 6347: “Datagram Transport Layer Security Version 1.2”.
[i.14] IETF RFC 4648: “The Base16, Base32, and Base64 Data Encodings”.
[i.15] IETF RFC 4301: “Security Architecture for the Internet Protocol”, 2005.
[i.16] IETF RFC 4880: “OpenPGP Message Format”, 2007.
[i.17] IETF RFC 5751: “Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification”, 2010.
[i.18] Ferguson, Niels Unicode Normalization Forms”, Unicode 5.1.0, March 2008.
NOTE: Available at http://www.unicode.org.
[i.45] IETF RFC 2014: “HMAC: Keyed-Hashing f