aSSURE Data Security
draft-lucas-assure-data-security-00

Document Type Active Internet-Draft (individual)
Last updated 2017-09-13
Stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
opsawg                                                          Lucas 
Internet Draft                            Cisco International Limited 
Intended status: Standards track                   September 13, 2017 
Expires: March 17, 2018 
                                     
                          aSSURE Data Security 
                draft-lucas-assure-data-security-00.txt 

Abstract 
    
   aSSURE uses industry standards and best practice to provide a 
   secure communications platform for device configuration and life 
   cycle management across the entire range of smart devices, from 
   the largest servers through to more constrained devices, with 
   minimal human involvement. Based on extensions to current standard 
   methods, aSSURE also provides secure end-to-end communication 
   across any network type. 
    
   A new approach allows key distribution and encrypted channels to 
   be established between devices that support RSA, EC and/or simple 
   shared secrets. For devices that only support shared secrets, key 
   derivation algorithms ensure that forward and backward compatible 
   secrecy is supported so that secure change of ownership can be 
   obtained. Owners prove ownership via a "case ID" known by the 
   manufacturer and the "Trusted Authority" ID Server but not known 
   by the device. 
    
   aSSURE defines end-to-end encryption links, called "channels", so 
   that pairs of devices communicate with a unique set of encryption 
   keys. These unique keys, coupled with the end-to-end encryption, 
   mean communication is both secure and private. 
    
   DTLS supports both certificates and pre-shared keys, but does not 
   cover key distribution or management. DTLS does not support 
   client-specific pre-shared keys because the client cannot identify 
   itself during the handshake. Herein are all the APIs required to 
   support key distribution and management as well as an extension to 
   the DTLS handshake that allows the client identity to be provided. 
 
   aSSURE cleanly integrates with the Open Interconnect Consortium 
   (OIC) architecture. Both use CBOR encoded data with CoAP over UDP 
   and DTLS. aSSURE URIs do not collide with OIC URIs and aSSURE 
   channels can be used as a secure transport for OIC requests. 
    
Status of this Memo 
    
   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79. 
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF). Note that other groups may also distribute 
   working documents as Internet-Drafts. The list of current 
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. 
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other 
   documents at any time. It is inappropriate to use Internet-Drafts 
   as reference material or to cite them other than as "work in 
   progress." 
    
   This Internet-Draft will expire on March 17, 2018. 
    
Copyright Notice 
    
   Copyright (c) 2017 IETF Trust and the persons identified as the 
   document authors. All rights reserved. 
    
   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   (http://trustee.ietf.org/license-info) in effect on the date of 
   publication of this document. Please review these documents 
   carefully, as they describe your rights and restrictions with 
   respect to this document. Code Components extracted from this 
   document must include Simplified BSD License text as described in 
   Section 4.e of the Trust Legal Provisions and are provided without 
   warranty as described in the Simplified BSD License. 
                        


Table of Contents 
 
1. INTRODUCTION
2. THE ROLE OF ASSURE IN AN IOT ENVIRONMENT
   2.1. Background
   2.2. Who am I allowed to talk to?
   2.3. How can I authenticate them?
   2.4. What am I allowed to tell them?
   2.5. What are they allowed to tell me?
   2.6. How can I ensure that our communication is private?
3. TERMINOLOGY
4. THE ROLE OF THE MANAGEMENT SYSTEM IN ASSURE
   4.1. Overview
   4.2. Creation of Communication Topologies