ETSI TR 118 508 V1.0.0 (2014-07)

Analysis of Security Solutions for the oneM2M System

Technical Report

Reference
DTR/oneM2M-000008

Keywords
Countermeasures, M2M, Security, Threat Analysis, Vulnerabilities

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2014. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Conventions
5 Overview
5.1 oneM2M Security Context and Domains
5.2 Applications
5.3 Common Services
5.4 Underlying Network
6 Generic Security Mechanisms
6.1 Secure Storage
6.2 Sensitive Functions
6.3 Secure Connection
7 Security Vulnerabilities and Threats
7.1 Introduction
7.2 Discovery of Long-Term Service-Layer Keys Stored in M2M Devices or M2M Gateways
7.3 Deletion of Long-Term Service-Layer Keys stored in M2M Devices or M2M Gateways
7.4 Replacement of Long-Term Service-Layer Keys stored in M2M Devices or M2M Gateways
7.5 Discovery of Long-Term Service-Layer Keys stored in M2M Infrastructure
7.6 Deletion of Long-Term Service-Layer Keys stored in M2M Infrastructure equipment
7.7 Discovery of sensitive Data in M2M Devices or M2M Gateways
7.8 General Eavesdropping on M2M Service-Layer Messaging between Entities
7.9 Alteration of M2M Service-Layer Messaging between Entities
7.10 Replay of M2M Service-Layer Messaging between Entities
7.11 Unauthorized or corrupted Applications or Software in M2M Devices/Gateways
7.12 M2M System Interdependencies Threats and cascading Impacts
7.13 M2M Security Context Awareness
7.14 Eaves Dropping/Man in the Middle Attack
7.15 Transfer of keys via independent security element
7.16 Buffer Overflow
7.17 Injection
7.18 Session Management and Broken Authentication
7.19 Security Misconfiguration
7.20 Insecure Cryptographic Storage
7.21 Invalid Input Data
7.22 Cross Scripting
8 Countermeasures
8.1 Introduction
8.2 Countermeasures
8.2.1 Tamper resistant Storage of long-term Service-Layer Keys within M2M Devices/Gateways
8.2.2 Secure Storage of long-term Service-Layer Keys within M2M Infrastructure Equipment
8.2.3 Non-access to Service-Layer Keys stored within HSM/server-HSM
8.2.4 Secure Execution of sensitive Functions in M2M Devices/M2M Gateways
8.2.5 Physical/logical Binding of HSM to M2M Device/Gateway
8.2.6 Strong Authentication for Access to long-term Service-Layer Keys
8.2.7 Use of Security Associations, mutual Authentication and Confidentiality
8.2.8 Proven Resistance to Man-in-the-Middle Attacks
8.2.9 Limited Life Session Keys bound to Service Layer
8.2.10 Replay Protection
8.2.11 Keys can be derived from M2M Service-layer keys
8.2.12 Integrity Verification
8.2.13 Policy based Actions
8.2.14 Shared Asset Inventory
8.2.15 Sensitivity Assessment
8.2.16 Risk Assessment
8.2.17 Context Inventory and Assessment on Sensitivity
8.2.18 Risk Assessment
8.2.19 Secure Communication Link
8.2.20 Secure Coding Practices
8.2.21 Prevent Injection of un-trusted Data
8.2.22 Security Controls
8.2.23 Clean Application Architecture
8.2.24 Standard Algorithms
8.2.25 Protection of Storage by Privileges
8.2.26 Whitelist
9 Security Requirements
9.1 Authentication requirements
9.1.1 Levels of Assurance for Authentication
9.2 Authorization requirements
9.3 Privacy related requirements
9.4 RBAC Token Based Feature Requirements
10 Authorization and Access Control
10.1 Authorization
10.1.1 Solutions for token based authorization
10.1.1.1 Solution 1: OAuth
10.1.1.1.1 Status of Specification
10.1.1.1.2 Usage Scenario
10.2 Access Control Management
10.2.1 Role Based Access Control (RBAC)
10.2.1.1 RBAC Overview
10.2.1.2 Benefits of RBAC
10.2.1.3 Limitations of RBAC
10.2.2 Attribute Based Access Control (ABAC)
10.2.2.1 ABAC Overview
10.2.2.2 Benefits of ABAC
10.2.2.3 Limitations of ABAC
11 GBA (Generic Bootstrapping Architecture) framework
11.1 GBA overview
12 Suitable Security and Privacy Procedures and Processes
12.1 Trust Enabling Architecture
12.2 Enroling M2M Nodes and M2M applications for oneM2M services
12.3 M2M initial provisioning Procedures
12.3.1 M2M Node Enrolment and Service Provisioning
12.3.2 M2M Application enrolment
12.4 M2M operational security procedures
12.4.1 Identification of CSE and AE
12.4.2 Authentication of CSE and AE
12.4.3 M2M Security Association Establishment
12.4.4 M2M Authorization procedure
Annex A: Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Partnership Project oneM2M (oneM2M).

1 Scope

The scope of the present document is to create a common understanding on security within oneM2M systems. To achieve that, security services are explained, threats analysed and security requirements within oneM2M identified and derived from use cases. In addition the present document discusses how security mechanisms relate to the oneM2M architecture. Suitable security procedures and mechanisms are defined within [i.12].

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] oneM2M drafting rules.
[i.2] ETSI TR 118 504 (TR-0004): "Definitions and Acronyms".
[i.3] ETSI TS 118 001 (TS-0001): "oneM2M Functional Architecture".
[i.4] ISO/IEC 29115: "Information technology - Security Techniques - Entity authentication assurance framework".
[i.5] ETSI TS 102 221 (V11.0.0): "Smart Cards; UICC-Terminal interface; Physical and logical characteristics (Release 11)".
[i.6] ETSI TS 102 671 (V9.1.0): "Smart Cards; Machine to Machine UICC; Physical and logical characteristics (Release 9)".
[i.7] ISO/IEC 15408: "Information technology - Security techniques - Evaluation criteria for IT security".
[i.8] ETSI TS 133 220: "Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) (3GPP TS 33.220)".
[i.9] ANSI INCITS 359-2004: "American National Standard for Information Technology - Role Based Access Control".
[i.10] NIST Interagency Report 7316: "Assessment of Access Control Systems".
[i.11] Draft NIST Special Publication 800-162: "Guide to Attribute Based Access Control (ABAC) Definition and Considerations".
[i.12] ETSI TS 118 003 (TS-0003): "oneM2M Security Solutions".
[i.13] IETF RFC 6749 (October 2012): "The OAuth 2.0 Authorization Framework".
[i.14] IETF RFC 5849: "The OAuth 1.0 Protocol".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in [i.2] and the following apply:

end-to-end security: service provided by the M2M System to M2M Applications that establishes trusted security credentials to secure connections between applicative entities, independently of other parties involved

Hardware Security Module (HSM): separate and tamper resistant physical computing device, e.g. as defined in [i.5] and [i.6], able to perform security procedures related to oneM2M Service functions

NOTE: The HSM is used within the M2M Device or M2M Gateway and is different from a Server-HSM used within a network infrastructure node/component.

long-term service-layer key: key used for service-layer relevant security operations

NOTE: The key is valid permanently or for a significant period of time, i.e. no temporarily derived key material.

pseudonym: alias identity within the context of the Pseudonymity service defined in ISO/IEC 15408 [i.7]

security association: logical relationship between 2 nodes that are associated with a communication link and identify the nature of the security service (confidentiality, integrity, authentication or authorisation), the required algorithm and key

NOTE: Security Associations are not communications links. Security Associations can take a number of forms. Security Associations can be established for single transactions (and thus their establishment can form part of the transaction itself) or for session based associations (in such instances the association is generally established independently of the individual transactions that are to be secured).

security mechanism: process (or a device incorporating such a process) that can be used in a system to implement a security service that is provided by or within the system

security policy: set of rules and practices that specify or regulate how a system or organization provides security services to protect resources

security service: processing or communication capability that is provided by a system to give a specific kind of protection to resources where these resources may reside within the system or any other system

sensitive function: function which requires protection from unauthorized monitoring, tampering or execution that is operating on sensitive data/credentials or key material, e.g. derivation of keys from M2M long-term service-layer keys and cryptographic algorithms

server-HSM: dedicated computing device, able to perform security procedures related to oneM2M service functions and integrated within M2M network infrastructure servers

UICC: secure element as specified in TS 102 221 [i.5]

3.2 Abbreviations

For the purposes of the present document, the abbreviations given in [i.2] and the following apply:

ABAC  Attribute-Based Access Control
AE  Application Entity
AE/CSE  Application Entity/Common Service Entity
AKA  Authentication and Key Agreement
API  Application Programming Interface
ASN/MN  Application Service Node/Middle Node
BSF  Bootstrapping Server Function
CSE  Common Service Entity
CSF  Common Service Function
DoS  Denial of Service
DSD  Dynamic Separation of Duty
DTLS  Datagram Transport Layer Security
ETSI SCP  ETSI Technical Committee Smart Card Platform
GBA  Generic Bootstrapping Architecture
GBA_ME  GBA in Mobile Equipment
GBA_U  GBA in UICC
GUSS  GBA User Security Settings
HSM  Hardware Security Module
HSS  Home Subscriber System
HTML  Hyper Text Markup Language
HTTP  Hyper Text Transfer Protocol
IETF  Internet Engineering Task Force
IP  Internet Protocol
IP/TCP  Internet Protocol / Transport Control Protocol
IP/UDP  Internet Protocol / User Datagram Protocol
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
ME  Mobile Equipment
NAF  Network Authentication Function
OAUTH  Open Authentication
OBS  Objects
OPS  Operations
OS  Operating System
RBAC  Role Based Access Control
SE  Secure Environment
SIP  Session Initiation Protocol
SLF  Subscriber Locator Function
SP  Service Provider
SQL  Structured Query Language
SSD  Static Separation of Duty
TLS  Transaction Layer Security
URI  Universal Resource Indicator
WAN  Wide Area Network

4 Conventions

The key words "Shall", "Shall not", "May", "Need not", "Should", "Should not" in the present document are to be interpreted as des