Independent Submission                                         J. Gilger
Request for Comments: 7397                                 H. Tschofenig
Category: Informational                                    December 2014
ISSN: 2070-1721
        
Independent Submission                                         J. Gilger
Request for Comments: 7397                                 H. Tschofenig
Category: Informational                                    December 2014
ISSN: 2070-1721
        

Report from the Smart Object Security Workshop

来自智能对象安全研讨会的报告

Abstract

摘要

This document provides a summary of a workshop on 'Smart Object Security' that took place in Paris on March 23, 2012. The main goal of the workshop was to allow participants to share their thoughts about the ability to utilize existing and widely deployed security mechanisms for smart objects.

本文档概述了2012年3月23日在巴黎举行的“智能对象安全”研讨会。研讨会的主要目标是让参与者分享他们对利用现有和广泛部署的智能对象安全机制的能力的想法。

This report summarizes the discussions and lists the conclusions and recommendations to the Internet Engineering Task Force (IETF) community.

本报告总结了讨论情况,并向互联网工程任务组(IETF)社区列出了结论和建议。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7397.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7397.

Copyright Notice

版权公告

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2014 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1. Introduction ....................................................2
   2. Terminology .....................................................3
   3. Workshop Structure ..............................................3
      3.1. Requirements and Use Cases .................................4
      3.2. Implementation Experience ..................................7
      3.3. Authorization .............................................10
      3.4. Provisioning of Credentials ...............................12
   4. Summary ........................................................14
   5. Security Considerations ........................................15
   6. References .....................................................16
      6.1. Normative References ......................................16
      6.2. Informative References ....................................16
   Appendix A. Program Committee .....................................18
   Appendix B. Published Workshop Material ...........................18
   Appendix C. Accepted Position Papers ..............................18
   Appendix D. Workshop Participants .................................21
   Acknowledgements ..................................................22
   Authors' Addresses ................................................23
        
   1. Introduction ....................................................2
   2. Terminology .....................................................3
   3. Workshop Structure ..............................................3
      3.1. Requirements and Use Cases .................................4
      3.2. Implementation Experience ..................................7
      3.3. Authorization .............................................10
      3.4. Provisioning of Credentials ...............................12
   4. Summary ........................................................14
   5. Security Considerations ........................................15
   6. References .....................................................16
      6.1. Normative References ......................................16
      6.2. Informative References ....................................16
   Appendix A. Program Committee .....................................18
   Appendix B. Published Workshop Material ...........................18
   Appendix C. Accepted Position Papers ..............................18
   Appendix D. Workshop Participants .................................21
   Acknowledgements ..................................................22
   Authors' Addresses ................................................23
        
1. Introduction
1. 介绍

In early 2011, the Internet Architecture Board (IAB) solicited position statements for a workshop on 'Interconnecting Smart Objects with the Internet', aiming to get feedback from the wider Internet community on their experience with deploying IETF protocols in constrained environments. The workshop took place in Prague on March 25, 2011. During the workshop, a range of topics were discussed, including architecture, routing, energy efficiency, and security. RFC 6574 [RFC6574] summarizes the discussion and suggests several next steps.

2011年初,互联网体系结构委员会(IAB)征求了“智能对象与互联网互联”研讨会的立场声明,旨在从更广泛的互联网社区获得关于其在受限环境中部署IETF协议的经验的反馈。研讨会于2011年3月25日在布拉格举行。研讨会期间,讨论了一系列主题,包括架构、路由、能效和安全性。RFC 6574[RFC6574]总结了讨论,并提出了下一步的几点建议。

During the months following the workshop, new IETF initiatives were started, such as the Light-Weight Implementation Guidance (LWIG) working group, and hackathons were organized at IETF 80 and IETF 81 to better facilitate the exchange of ideas.

在研讨会结束后的几个月内,新的IETF举措开始了,如轻量级实施指南(LWIG)工作组,并在IETF 80和IETF 81上组织了黑客竞赛,以更好地促进思想交流。

Contributions regarding security from the IETF Constrained RESTful Environments (CoRE) working group and the IETF Transport Layer Security (TLS) working group made it clear that further discussions on security were necessary and that those would have to incorporate implementation and deployment experience as well as a shared understanding of how various building blocks fit into a larger architecture.

IETF受限RESTful环境(CoRE)工作组和IETF传输层安全(TLS)关于安全性的贡献工作组明确表示,有必要进一步讨论安全问题,这些讨论必须结合实施和部署经验,以及对各种构建块如何融入更大体系结构的共同理解。

The workshop on 'Smart Object Security' was organized to bring together various disconnected discussions about smart object security happening in different IETF working groups and industry fora. It was a one-day workshop held prior to the IETF 83 in Paris on March 23, 2012.

“智能对象安全”研讨会旨在汇集不同IETF工作组和行业论坛中关于智能对象安全的各种不连贯的讨论。这是在IETF 83于2012年3月23日在巴黎举行之前举行的为期一天的研讨会。

The workshop organizers were particularly interested in getting input on the following topics, as outlined in the call for position papers:

讲习班组织者特别有兴趣获得关于以下主题的投入,如《职位呼吁》文件所述:

o What techniques for issuing credentials have been deployed?

o 已部署了哪些颁发凭据的技术?

o What extensions are useful to make existing security protocols more suitable for smart objects?

o 哪些扩展有助于使现有安全协议更适合智能对象?

o What type of credentials are frequently used?

o 经常使用哪种类型的凭据?

o What experience has been gained when implementing and deploying application-layer, transport-layer, network-layer, and link-layer security mechanisms (or a mixture of all of them)?

o 在实施和部署应用层、传输层、网络层和链路层安全机制(或所有这些机制的混合)时获得了哪些经验?

o How can "clever" implementations make security protocols a better fit for constrained devices?

o “聪明”的实现如何使安全协议更适合受约束的设备?

o Are there lessons we can learn from existing deployments?

o 我们是否可以从现有部署中吸取教训?

This document lists some of the recurring discussion topics at the workshop. It also offers recommendations from the workshop participants.

本文档列出了研讨会上反复出现的一些讨论主题。它还提供了研讨会参与者的建议。

Note that this document is a report on the proceedings of the workshop. The views and positions documented in this report are those of the workshop participants and do not necessarily reflect the views of the authors or the Internet Architecture Board (IAB).

请注意,本文件是研讨会会议记录的报告。本报告中记录的观点和立场是研讨会参与者的观点和立场,不一定反映作者或互联网架构委员会(IAB)的观点。

2. Terminology
2. 术语

This document uses security terminology from [RFC4949] and terms related to smart objects from [RFC6574].

本文档使用[RFC4949]中的安全术语和[RFC6574]中与智能对象相关的术语。

3. Workshop Structure
3. 车间结构

With 35 accepted position papers, there was a wealth of topics to talk about during the one-day workshop. The program committee decided to divide the discussion into four topic areas ("Requirements and Use Cases", "Implementation Experience", "Authorization", and "Providing Credentials"), with two or three invited talks per slot to

在为期一天的研讨会上,有35份被接受的立场文件,有大量的话题可以讨论。项目委员会决定将讨论分为四个主题领域(“需求和用例”、“实施经验”、“授权”和“提供凭证”),每个时段邀请两到三次演讲

get a discussion started. This section will summarize the points raised by the invited speakers as well as the essence of the ensuing discussions.

开始讨论。本节将总结受邀发言者提出的要点以及随后讨论的要点。

3.1. Requirements and Use Cases
3.1. 需求和用例

To design a security solution, an initial starting point is to understand the communication relationships, the constraints, and the security threats. The typical IETF Security Considerations section describes security threats, security requirements, and security solutions at the level of a single protocol or a single document. To offer a meaningful solution for a smart object deployment, it is, however, necessary to go beyond this limited view to the analysis of the larger ecosystem. The security analysis documented in [RFC3552] and in [RFC4101] still provides valuable guidance.

要设计安全解决方案,首先要了解通信关系、约束和安全威胁。典型的IETF安全注意事项部分描述了单个协议或单个文档级别的安全威胁、安全要求和安全解决方案。然而,为了为智能对象部署提供有意义的解决方案,有必要超越这一有限的视角,分析更大的生态系统。[RFC3552]和[RFC4101]中记录的安全分析仍然提供了有价值的指导。

Typical questions that arise are:

出现的典型问题有:

1. Who are the involved actors?

1. 参与的演员是谁?

Some usage scenarios look very simple at first but then, after a longer investigation, turn out to be quite complex. The smart meter deployment, for example, certainly belongs to one of the more complex deployments due to the history of the energy sector (see [RFC6272]).

一些使用场景一开始看起来非常简单,但经过更长时间的调查后,结果证明非常复杂。例如,由于能源行业的历史,智能电表的部署肯定属于更复杂的部署之一(参见[RFC6272])。

2. Who provisions credentials?

2. 谁提供证书?

Credentials may, for example, be provisioned by the end user, the hardware manufacturer, an application service provider, or other parties. With security provided at multiple layers, credentials from multiple parties may need to be provisioned.

例如,凭证可以由最终用户、硬件制造商、应用服务提供商或其他方提供。在多层提供安全性的情况下,可能需要提供来自多方的凭据。

3. What constraints are imposed on the design?

3. 对设计施加了哪些约束?

For example, a constraint can be the need to interwork with existing infrastructure. From an architectural point of view, an important question is whether security is terminated at the border router (or proxy server) at the customer's premise or if end-to-end security to servers in the Internet is required. A more detailed discussion can be found at [SMART-OBJECT].

例如,一个约束可能是需要与现有基础设施交互。从体系结构的角度来看,一个重要的问题是安全性是否在客户所在地的边界路由器(或代理服务器)处终止,或者是否需要对Internet中的服务器进行端到端安全性。有关更详细的讨论,请访问[SMART-OBJECT]。

4. What type of authorization is required by the identified actors?

4. 确定的参与者需要什么类型的授权?

This may, for example, be authorization to get access to the network or authorization at the application layer. Authorization decisions may be binary or may consist of complex, role-based access control policies.

例如,这可以是访问网络的授权或应用层的授权。授权决策可以是二进制的,也可以由复杂的、基于角色的访问控制策略组成。

5. What tasks are expected by the customer who deploys the solution?

5. 部署解决方案的客户期望完成哪些任务?

An end customer may, for example, be expected to enter short PIN codes to pair devices, need to update the firmware, or need to connect to an appliance via a web browser to make more sophisticated configuration settings. The familiarity of end users with Internet-based devices certainly increases constantly, but user-interface challenges contribute to a large number of security weaknesses of the Internet and therefore have to be taken into account.

例如,终端客户可能需要输入短PIN码以配对设备,需要更新固件,或者需要通过web浏览器连接到设备以进行更复杂的配置设置。最终用户对基于互联网的设备的熟悉程度肯定会不断增加,但用户界面的挑战会造成互联网的大量安全弱点,因此必须加以考虑。

To illustrate the differences, consider a mass-market deployment for end customers in comparison to a deployment that is targeting enterprise customers. In the latter case, enterprise system administrators are likely to utilize different management systems to provision security and other system-relevant parameters.

为了说明差异,考虑与针对企业客户的部署相比,最终客户的大规模市场部署。在后一种情况下,企业系统管理员可能会利用不同的管理系统来提供安全性和其他系统相关参数。

Paul Chilton illustrated the security and usability requirements in a typical end-user scenario for small-scale smart lighting systems [PaulChilton]. These systems present a substantial challenge for providing usable and secure communication because they are supposed to be cheap and very easy to set up, ideally as easy as their "dumb" predecessors. The example of IP-enabled light bulbs shows that the more constrained devices are, the more difficult it is to get security right. For this reason, and the required usability, light bulbs might just be the perfect example for examining the viability of security solutions.

Paul Chilton举例说明了小型智能照明系统典型终端用户场景中的安全性和可用性要求[PaulChilton]。这些系统在提供可用且安全的通信方面面临着巨大的挑战,因为它们被认为是廉价且非常容易设置的,理想情况下与它们的“愚蠢”前辈一样容易。启用IP的灯泡的例子表明,设备越受限制,就越难保证安全。出于这个原因,以及所需的可用性,灯泡可能只是检验安全解决方案可行性的完美例子。

Rudolf van der Berg focused on large-scale deployments of smart objects, such as eBook readers, smart meters, and automobiles. The use of mobile cellular networks is attractive because they are networks with adequate coverage and capacity on a global scale. In order to make use of mobile networks, you need to make use of authentication based on Subscriber Identity Modules (SIMs). However, at this moment, the SIM is controlled by the network operator. These companies could also use EAP-SIM (Extensible Authentication Protocol SIM) [RFC4186] authentication in, for example, wireless LANs.

鲁道夫·范德伯格(Rudolf van der Berg)专注于大规模部署智能对象,如电子书阅读器、智能电表和汽车。移动蜂窝网络的使用很有吸引力,因为它们在全球范围内具有足够的覆盖范围和容量。为了使用移动网络,您需要使用基于用户身份模块(SIM)的身份验证。但是,此时,SIM卡由网络运营商控制。这些公司还可以在例如无线局域网中使用EAP-SIM(可扩展认证协议SIM)[RFC4186]认证。

The end-user interaction may differ depending on the credentials being used: for a light bulb deployed in the user's home, it is expected that the user somehow configures devices so that only, for example, family members can turn them on and off. Smart objects that are equipped with SIM-based credential infrastructure do not require credential management by the end user since credential management by the operator can be assumed. Switching cellular operators may, however, pose challenges for these devices.

最终用户交互可能因所使用的凭据而异:对于部署在用户家中的灯泡,预期用户会以某种方式配置设备,以便仅(例如)家庭成员可以打开和关闭设备。配备基于SIM卡的凭证基础设施的智能对象不需要最终用户进行凭证管理,因为可以假设操作员进行凭证管理。然而,切换蜂窝运营商可能对这些设备构成挑战。

Furthermore, we have a technology that will be both deployed by end users and large enterprise customers. While the protocol building blocks may be the same, there is certainly a big difference between deployments for large-scale industrial applications and deployments for regular end users in terms of the architecture. Between these two, the security requirements differ significantly, as do the threats. It is difficult, if not impossible, to develop a single security architecture that fulfills the needs of all users while at the same time meeting the constraints of all kinds of smart objects.

此外,我们有一项技术,将由最终用户和大型企业客户部署。虽然协议构建块可能是相同的,但在体系结构方面,大型工业应用程序的部署和常规最终用户的部署之间肯定存在很大差异。在这两者之间,安全要求和威胁也有很大不同。即使不是不可能,也很难开发满足所有用户需求的单一安全体系结构,同时满足各种智能对象的约束。

In the consumer market, security should not incur any overhead during installation. If an end user has to invest more time or effort to secure a smart object network, he or she will likely not do it. Consumer products will often be retrofitted into the existing infrastructure, bought, and installed by consumers themselves. This means that devices will have to come pre-installed to some extent and will most likely interoperate only with the infrastructure provided by the vendor, i.e., the devices will be able to connect to the Internet but will only interoperate with the servers provided by the vendor selling the device.

在消费市场中,安全性不应在安装过程中产生任何开销。如果最终用户必须投入更多的时间或精力来保护智能对象网络,他或她可能不会这样做。消费者产品通常会被改装到现有的基础设施中,由消费者自己购买和安装。这意味着设备必须在一定程度上预先安装,并且很可能仅与供应商提供的基础设施进行互操作,即设备将能够连接到互联网,但仅与销售设备的供应商提供的服务器进行互操作。

Closed systems (one bulb, one switch) typically work out of the box, as they have been extensively tested and often come with factory-configured security credentials. Problems do arise when additional devices are added or when these closed systems get connected to the Internet. It is still very common to ship devices with default passwords. It is, however, not acceptable that a device is in a vulnerable, but Internet-connected, state before it has been correctly configured by a consumer. It is easy to conceive that many consumers do not configure their devices properly and may therefore make it easy for an adversary to take control of the device by, for example, using the default password or outdated firmware.

封闭系统(一个灯泡,一个开关)通常是开箱即用的,因为它们已经过广泛的测试,并且通常带有工厂配置的安全凭证。当添加其他设备或这些封闭系统连接到Internet时,问题确实会出现。装运带有默认密码的设备仍然很常见。但是,在消费者正确配置设备之前,设备处于易受攻击但已连接互联网的状态是不可接受的。很容易想象,许多消费者没有正确配置他们的设备,因此可能很容易让对手控制设备,例如,使用默认密码或过时的固件。

Once security threats for a specific deployment scenario have been identified, an assessment takes place to decide what security requirements can be identified and what security properties are desirable for the solution. As part of this process, a conscious decision needs to take place about which countermeasures will be used to mitigate certain threats. For some security threats, the assessment may also lead to the conclusion that the threat is considered out-of-scope and, therefore, no technical protection is applied. Different businesses are likely to come to different conclusions about the priorities for protection and what security requirements will be derived.

一旦确定了特定部署场景的安全威胁,就会进行评估,以确定可以确定哪些安全需求以及解决方案需要哪些安全属性。作为这一过程的一部分,需要有意识地决定将使用哪些对策来缓解某些威胁。对于某些安全威胁,评估还可能得出结论,认为该威胁超出范围,因此不适用任何技术保护。不同的企业可能会对保护的优先级以及将产生的安全需求得出不同的结论。

Which security threats are worthwhile to protect against is certainly in the eye of the beholder and remains an entertaining discussion even among security specialists. For some of the workshop

哪些安全威胁值得防范显然是旁观者的看法,即使是在安全专家之间,也是一个有趣的讨论。对于一些研讨会

participants, the security threats against a smart lighting system were considered relatively minor compared to other smart home appliances. Clearly, the threats depend on the specific application domain, but there is a certain danger that deployments of vulnerable smart objects will increase. As the systems evolve and become more pervasive, additional security features may be required and may be difficult to incorporate into the already installed base, particularly if smart objects have no software update mechanism incorporated in their initial design. Smart objects that require human interaction to perform software updates will likely be problematic in the future. This is particularly true for devices that are expected to have service schedules of five to twenty-five years. Experience shows that security breaches that are considered pranks usually evolve very rapidly to become destructive attacks.

与其他智能家用电器相比,智能照明系统的安全威胁相对较小。显然,这些威胁取决于特定的应用程序域,但存在一定的危险,即易受攻击的智能对象的部署将增加。随着系统的发展和普及,可能需要额外的安全功能,并且可能很难将其纳入已安装的基础中,特别是如果智能对象的初始设计中没有软件更新机制。需要人工交互才能执行软件更新的智能对象将来可能会出现问题。这对于预计服务时间为五到二十五年的设备尤其如此。经验表明,被视为恶作剧的安全漏洞通常会迅速演变为破坏性攻击。

Apart from the security requirements of individual households and users, it is also important to look at the implications of vulnerabilities in large-scale smart object deployments, for example, in smart meters and the power grid.

除了单个家庭和用户的安全要求外,还必须研究大规模智能对象部署(例如智能电表和电网)中漏洞的影响。

Finally, there is the usual wealth of other requirements that need to be taken into account, such as ability for remote configuration and software updates, the ability to deal with transfer of ownership of a device, avoidance of operator or vendor lock-in, crypto agility, minimal production, license and IPR costs, etc.

最后,通常还需要考虑大量其他要求,如远程配置和软件更新能力、处理设备所有权转移的能力、避免操作员或供应商锁定、加密灵活性、最低生产、许可和知识产权成本等。

3.2. Implementation Experience
3.2. 实施经验

The second slot of the workshop was dedicated to reports from first-hand implementation experience. Various participants had provided position papers exploring different security protocols and cryptographic primitives. There were three invited talks that covered tiny implementations of the Constrained Application Protocol (CoAP) protected by Datagram Transport Layer Security (DTLS), a TLS implementation using raw public keys, and general experience with implementing public key cryptography on smart object devices.

讲习班的第二个时段专门讨论来自第一手实施经验的报告。不同的参与者提供了探索不同安全协议和密码原语的立场文件。有三次受邀演讲,内容涉及受数据报传输层安全(DTLS)保护的受限应用程序协议(CoAP)的微型实现、使用原始公钥的TLS实现,以及在智能对象设备上实现公钥加密的一般经验。

All three presenters demonstrated that implementations of IETF security protocols on various constraint devices are feasible. This was confirmed by other workshop participants as well. The overall code size and performance of finished implementations will depend on the chosen feature set. It is fairly obvious that more features translate to a more complex outcome. Luckily, IETF security protocols in general (and TLS/DTLS is no exception) can be customized in a variety of ways to fit a specific deployment environment. As such, an engineer will have to decide which features are important for a given deployment scenario and what trade-offs can be made. There was also the belief that IETF security protocols offer useful

所有三位演示者都证明了在各种约束设备上实现IETF安全协议是可行的。其他研讨会参与者也证实了这一点。完成的实现的总体代码大小和性能将取决于所选的功能集。很明显,更多的特性转化为更复杂的结果。幸运的是,IETF安全协议(TLS/DTLS也不例外)可以通过多种方式进行定制,以适应特定的部署环境。因此,工程师必须决定哪些功能对于给定的部署场景是重要的,以及可以进行哪些权衡。还有人认为IETF安全协议提供了有用的信息

customization features (such as different ciphersuites in TLS/DTLS) to select the desired combination of algorithms and cryptographic primitives. The need to optimize available security protocols further or to even develop new cryptographic primitives for smart objects was questioned and not seen as worthwhile by many participants.

自定义功能(例如TLS/DTL中的不同密码套件),以选择所需的算法和加密原语组合。进一步优化现有安全协议,甚至为智能对象开发新的加密原语的必要性受到质疑,许多参与者认为这不值得。

The three common constraints for security implementations on smart objects are code size, energy consumption, and bandwidth. The importance of tailoring a solution to one of these constraints depends on the specific deployment environment. It might be difficult to develop a solution that addresses all constraints at the same time. For example, minimizing memory use may lead to increased communication overhead.

智能对象上安全实现的三个常见约束是代码大小、能耗和带宽。根据这些约束之一定制解决方案的重要性取决于特定的部署环境。可能很难开发一个同时解决所有约束的解决方案。例如,最小化内存使用可能会增加通信开销。

Waiting for the next generation of hardware typically does not magically lift the constraints faced today. The workshop participants again reinforced the message that was made at the earlier smart object workshop [RFC6574] regarding future developments in the smart object space:

等待下一代硬件通常不会神奇地解除今天面临的限制。研讨会参与者再次强调了早期智能对象研讨会[RFC6574]上关于智能对象空间未来发展的信息:

While there are constantly improvements being made, Moore's law tends to be less effective in the embedded system space than in personal computing devices: gains made available by increases in transistor count and density are more likely to be invested in reductions of cost and power requirements than into continual increases in computing power.

尽管不断有改进,但摩尔定律在嵌入式系统领域的效果往往不如在个人计算设备领域:晶体管数量和密度增加带来的收益更有可能投资于降低成本和功率需求,而不是持续提高计算能力。

The above statement is applicable to smart object designs in general, not only for security. Thus, it is expected that designers will continue having to deal with various constraints of smart objects in the future. A short description of the different classes of smart objects can be found in [RFC7228], which also provides security-related guidance. The workshop participants noted that making security protocols suitable for smart objects must not water down their effectiveness. Security functionality will demand some portion of the overall code size. It will have an impact on the performance of communication interactions, lead to higher energy consumption, and certainly make the entire product more complex. Still, omitting security functionality because of various constraints is not an option. The experience with implementing available security protocols was encouraging even though the need to make various architectural design decisions for selecting the right set of protocols and protocol extensions that everyone must agree on was pointed out. Sometimes, the leading constraint is energy consumption, and in other cases, it is main memory, CPU performance,

上述声明一般适用于智能对象设计,而不仅仅是为了安全。因此,预计未来设计者将继续处理智能对象的各种约束。在[RFC7228]中可以找到不同类别智能对象的简短描述,其中还提供了与安全相关的指导。研讨会参与者指出,制定适用于智能对象的安全协议不得降低其有效性。安全功能将需要总代码大小的一部分。它将对通信交互的性能产生影响,导致更高的能耗,并且肯定会使整个产品更加复杂。尽管如此,由于各种限制而忽略安全功能仍然不是一个选项。实施现有安全协议的经验令人鼓舞,尽管有人指出,需要做出各种架构设计决策,以选择每个人都必须同意的一组正确的协议和协议扩展。有时,主要的限制是能耗,而在其他情况下,则是主内存、CPU性能、,

or bandwidth. In any case, for an optimization, it is important to look at the entire system rather than a single protocol or even a specific algorithm.

或者带宽。在任何情况下,对于优化来说,重要的是查看整个系统,而不是单个协议或特定算法。

Equally important to the code size of the protocols being used in a deployed product are various other design decisions, such as the communication model, the number of communication partners, the interoperability requirements, and the threats that are being dealt with. Mohit Sethi noted that even the execution time for relatively expensive operations like asymmetric signature generation and verification are within acceptable limits for very constrained devices, like an Arduino UNO. In either case, public key cryptography will likely only be used for the initial communication setup to establish symmetric session keys. Perhaps surprisingly, the energy cost of transmitting data wirelessly dwarfs even expensive computations like public key cryptography. Since wireless reception is actually the most power-consuming task on a smart object, protocols have to be designed accordingly.

对已部署产品中使用的协议的代码大小同样重要的是各种其他设计决策,例如通信模型、通信伙伴的数量、互操作性要求以及正在处理的威胁。Mohit Sethi指出,对于非常受限的设备(如Arduino UNO),即使是相对昂贵的操作(如不对称签名生成和验证)的执行时间也在可接受的范围内。在这两种情况下,公钥加密可能仅用于初始通信设置,以建立对称会话密钥。也许令人惊讶的是,无线传输数据的能源成本甚至使昂贵的计算(如公钥加密)相形见绌。由于无线接收实际上是智能对象上最耗电的任务,因此必须相应地设计协议。

The workshop participants shared the view that the complexity of security protocols is a result of desired features. Redesigning a protocol with the same set of features will, quite likely, lead to a similar outcome in terms of code size, memory consumption, and performance. It was, however, also acknowledged that the security properties offered by DTLS/TLS/IKEv2-IPsec may not be needed for all deployment environments. DTLS, for example, offers an authentication and key exchange framework combined with channel security offering data-origin authentication, integrity protection, and (optionally) confidentiality protection.

研讨会与会者一致认为,安全协议的复杂性是预期功能的结果。重新设计具有相同功能集的协议很可能会在代码大小、内存消耗和性能方面产生类似的结果。但是,也承认DTLS/TLS/IKEv2 IPsec提供的安全属性可能并不适用于所有部署环境。例如,DTLS提供身份验证和密钥交换框架,并结合通道安全性,提供数据源身份验证、完整性保护和(可选)机密性保护。

The biggest optimization in terms of code size can be gained when looking at the complete protocol stack, rather than only cryptographic algorithms. This also includes software update mechanisms and configuration mechanisms, all of which have to work together. What may not have been investigated enough is the potential of performing cross-layer and cross-protocol optimization. We also need to think about how many protocols for security setup we want to have. Due to the desire to standardize generic building blocks, the ability to optimize for specific deployment environments has been reduced.

在代码大小方面的最大优化可以在查看完整的协议堆栈时获得,而不仅仅是密码算法。这还包括软件更新机制和配置机制,所有这些都必须协同工作。可能尚未充分研究的是执行跨层和跨协议优化的潜力。我们还需要考虑需要多少安全设置协议。由于希望标准化通用构建块,因此针对特定部署环境进行优化的能力有所降低。

Finally, it was noted that scalability of security protocols does not imply usability. This means that while smart object technology might currently be developed in large-scale industrial environments, it should be equally usable for consumers who want to equip their home with just a few light bulbs.

最后,有人指出,安全协议的可伸缩性并不意味着可用性。这意味着,虽然智能对象技术目前可能在大规模工业环境中得到发展,但对于那些只想在家里安装几个灯泡的消费者来说,它应该同样可用。

For details about the investigated protocol implementations, please consult the position papers, such as the ones by Bergmann et al., Perelman et al., Tschofenig, and Raza et al. (see Appendix C).

有关所调查协议实施的详细信息,请参考立场文件,如Bergmann等人、Perelman等人、Tschofenig和Raza等人的立场文件(见附录C)。

3.3. Authorization
3.3. 批准

The discussion slot on authorization was meant to provide an idea of what kind of authorization decisions are common in smart object networks. Authorization is defined as an "approval that is granted to a system entity to access a system resource" [RFC4949].

关于授权的讨论旨在提供智能对象网络中常见的授权决策类型。授权定义为“授予系统实体访问系统资源的批准”[RFC4949]。

Authorization requires a view on the entire smart object lifecycle to determine when and how a device was added to a specific environment, what permissions have been granted for this device, and how users are allowed to interact with it. On a high level, there are two types of authorization schemes. First, there are those systems that utilize an authenticated identifier and match it against an access control list. Second, there are trait-based authorization mechanisms that separate the authenticated identifier from the authorization rights and utilize roles and other attributes to determine whether to grant or deny access to a protected resource.

授权需要查看整个智能对象生命周期,以确定何时以及如何将设备添加到特定环境中,为该设备授予了哪些权限,以及如何允许用户与其交互。在高层,有两种类型的授权方案。首先,有些系统使用经过身份验证的标识符,并将其与访问控制列表相匹配。其次,存在基于特征的授权机制,这些机制将经过身份验证的标识符与授权权限分开,并利用角色和其他属性来确定是否授予或拒绝对受保护资源的访问。

Richard Barnes looked at earlier communication security work and argued that the model that dominates the web today will not be enough for the smart object environment. Simply identifying users by their credentials and servers via certificates is not something that translates well to smart object networks because it binds all the capabilities to the credentials. The evolution in access control is moving in the direction of granting third parties certain capabilities, with OAuth [RFC6749] being an example of a currently deployed technology. Access to a resource using OAuth can be done purely based on the capabilities rather than on the authenticated identifier.

理查德·巴恩斯(Richard Barnes)研究了早期的通信安全工作,认为当今主导网络的模型对于智能对象环境来说是不够的。简单地通过凭证和服务器识别用户并不能很好地转换为智能对象网络,因为它将所有功能绑定到凭证。访问控制的发展正朝着授予第三方某些能力的方向发展,OAuth[RFC6749]就是当前部署的技术的一个例子。使用OAuth访问资源可以完全基于功能,而不是基于经过身份验证的标识符。

At the time of the workshop, OAuth was very much focused on HTTP-based protocols with early efforts to integrate OAuth into the Simple Authentication and Security Layer (SASL) and the Generic Security Service Application Program Interface (GSS-API) [SASL-OAUTH]. Further investigations need to be done to determine the suitability of OAuth as a protocol for the smart object environment.

在研讨会期间,OAuth非常关注基于HTTP的协议,早期致力于将OAuth集成到简单身份验证和安全层(SASL)和通用安全服务应用程序接口(GSS-API)[SASL-OAuth]。需要进行进一步的调查,以确定OAuth作为智能对象环境协议的适用性。

Richard believed that it is important to separate authentication from authorization right from the beginning and to consider how users are supposed to interact with these devices to introduce them into their specific usage environment (and to provision them with credentials) and to manage access from different parties.

李察认为,重要的是将认证与授权权从一开始就分开,并考虑用户应该如何与这些设备交互以将它们引入到其特定的使用环境中(并提供凭据),并管理来自不同方的访问。

The relationship between the policy enforcement point and the policy decision point plays an important role regarding the standardization needs and the type of information that needs to be conveyed between these two entities.

政策执行点和政策决策点之间的关系对于标准化需求以及这两个实体之间需要传递的信息类型起着重要作用。

For example, in an Authentication, Authorization, and Accounting (AAA) context, the authorization decision happens at the AAA server (after the user requesting access to a network or some application-level services had been authenticated). Then, the decision about granting access (or rejecting it) is communicated from the AAA server to the AAA client at the end of the network access authentication procedure. The AAA client then typically enforces the authorization decision over the lifetime of the granted user session. The dynamic authorization extension [RFC5176] to the RADIUS protocol, for example, also allows the RADIUS server to make dynamic changes to a previously granted user session. This includes support for disconnecting users and changing authorizations applicable to a user session.

例如,在身份验证、授权和记帐(AAA)上下文中,授权决策发生在AAA服务器上(请求访问网络或某些应用程序级服务的用户经过身份验证之后)。然后,在网络访问认证过程结束时,将关于授予访问(或拒绝访问)的决定从AAA服务器传送到AAA客户端。AAA客户端通常在授权用户会话的生命周期内强制执行授权决策。例如,RADIUS协议的动态授权扩展[RFC5176]还允许RADIUS服务器对先前授予的用户会话进行动态更改。这包括支持断开用户连接和更改适用于用户会话的授权。

The authorization decisions can range from 'only devices with passwords can use the network' to very detailed application-specific authorization policies. The decisions are likely to be more sophisticated in those use cases where ownership of devices may be transferred from one person to another one, group membership concepts may be needed, access rights may be revocable, and fine-grained access rights have to be used. The authorization decisions may also take environmental factors into account, such as proximity of devices to each other, physical location of the device asking access, or the level of authentication. With the configuration of authorization policies, questions arise regarding who will create them and where these policies are stored. This immediately raises questions about how devices are identified and who is allowed to create these policies.

授权决策的范围从“只有具有密码的设备才能使用网络”到非常详细的特定于应用程序的授权策略。在设备所有权可能从一个人转移到另一个人、可能需要组成员概念、访问权可能可撤销以及必须使用细粒度访问权的情况下,决策可能更加复杂。授权决策还可以考虑环境因素,例如设备彼此的接近程度、请求访问的设备的物理位置或认证级别。在配置授权策略时,会出现有关谁将创建它们以及这些策略存储在何处的问题。这立即引发了关于如何识别设备以及允许谁创建这些策略的问题。

Since smart objects may be limited in terms of code size, persistent storage, and Internet connectivity, established authorization schemes may not be well suited for such devices. Obviously, delegating every authorization decision to another node in the network incurs a certain network overhead, while storing sophisticated access control policies directly on the smart object might be prohibitive because of the size of such a ruleset. Jan Janak presented one approach to distribute access control policies to smart objects within a single administrative domain.

由于智能对象可能在代码大小、持久存储和互联网连接方面受到限制,因此已建立的授权方案可能不适合此类设备。显然,将每个授权决策委托给网络中的另一个节点会产生一定的网络开销,而将复杂的访问控制策略直接存储在智能对象上可能会因为此类规则集的大小而被禁止。Jan Janak提出了一种将访问控制策略分发到单个管理域中的智能对象的方法。

In those cases where access control decisions are bound to the identifiers of devices and humans need to either create or verify these access control policies, the choice of identifier matters for readability and accessibility purposes.

在访问控制决策绑定到设备标识符的情况下,人类需要创建或验证这些访问控制策略,标识符的选择对于可读性和可访问性非常重要。

A single mechanism will likely not help with solving the wide range of authorization tasks. From the discussions, it was not clear whether there is a need for new authorization mechanisms or whether existing mechanisms can be reused. Examples of available protocols with built-in authorization mechanisms are Kerberos, OAuth, EAP/AAA, attribute certificates, etc. In many cases, it is even conceivable that the authorization decisions are internal to the system and that there is no need to standardize any additional authorization mechanisms or protocols at all. In fact, many of the authentication and key exchange protocols have authorization mechanisms built in.

单一机制可能无助于解决范围广泛的授权任务。从讨论中,不清楚是否需要新的授权机制,或者是否可以重用现有机制。具有内置授权机制的可用协议示例有Kerberos、OAuth、EAP/AAA、属性证书等。在许多情况下,甚至可以想象授权决策是系统内部的,根本不需要标准化任何其他授权机制或协议。事实上,许多身份验证和密钥交换协议都内置了授权机制。

3.4. Provisioning of Credentials
3.4. 提供凭据

When a smart object is to be introduced into an environment, like a home or an enterprise network, it usually has to be provisioned with some credentials first. The credentials that are configured at the smart object and at some entity in the network are often an implicit authorization to access the network or some other resource. The provisioned information at the smart object will include some identifier of the smart object, keying material, and other configuration information (e.g., specific servers it has to interact with).

当智能对象要引入到环境中(如家庭或企业网络)时,通常必须首先为其提供一些凭据。在智能对象和网络中的某些实体上配置的凭据通常是访问网络或某些其他资源的隐式授权。在智能对象处提供的信息将包括智能对象的一些标识符、键控材料和其他配置信息(例如,它必须与之交互的特定服务器)。

Some devices will be pre-configured with default security codes or passwords, or will have per-device or per-user credentials pre-configured, when they are bought or when they arrive at the customer.

在购买或到达客户处时,某些设备将预先配置默认安全代码或密码,或者将预先配置每个设备或每个用户的凭据。

There is a limited set of solutions available (based on the available interface support). The solutions for imprinting vary between the enterprise and the consumer household scenarios. For large-scale deployments, the time needed to pair two objects further excludes other schemes that rely on manual steps.

可用的解决方案有限(基于可用的接口支持)。印记的解决方案因企业和消费者家庭场景而异。对于大规模部署,配对两个对象所需的时间进一步排除了依赖手动步骤的其他方案。

Johannes Gilger dealt with the very basic ideas behind pairing schemes, including the kinds of out-of-band channels that could be employed and their limitations. Imprinting and pairing protocols usually establish a security association between two equal devices, such as Bluetooth-equipped cell phones. To deal with man-in-the-middle attacks during this phase, various forms of additional verification checks exist. For example, devices with a display allow numeric values to be shown on each device and let the user verify whether they match. For other devices that have a keypad, a PIN may need to be entered by the user. Where and how a smart object is to be paired with other devices in the network can differ substantially from the specific use cases and the hardware capabilities of devices. Note that pairing is not necessarily something that is only done once

Johannes Gilger阐述了配对方案背后的基本思想,包括可以使用的带外信道类型及其局限性。印记和配对协议通常在两个相同的设备之间建立安全关联,例如配备蓝牙的手机。为了在此阶段处理中间人攻击,存在各种形式的附加验证检查。例如,具有显示器的设备允许在每个设备上显示数值,并允许用户验证它们是否匹配。对于具有键盘的其他设备,用户可能需要输入PIN。智能对象在何处以及如何与网络中的其他设备配对可能与设备的特定用例和硬件功能有很大不同。请注意,配对不一定是只做一次的事情

during the lifetime of a device. Is group pairing something to be looked at? Or can any group key establishment be reduced to pairwise pairing with a central master device?

在设备的生命周期内。团队配对是否值得关注?或者可以将任何组密钥建立简化为与中央主设备成对配对吗?

Cullen Jennings presented a model for smart objects based on a deployment used for IP phones. The idea was that the smart object "phones home", i.e., contacts a server offered by the manufacturer, when it is first switched on. This initial interaction can then be used for managing the device and provisioning keying material for further use. Proof of ownership could be done by identifying the user who purchased the device. This is an approach that is increasingly being done today. Another option is some kind of secret information enclosed in the packaging.

Cullen Jennings提出了一个基于IP电话部署的智能对象模型。其想法是,智能对象“电话回家”,即在首次打开时与制造商提供的服务器联系。然后,可以使用此初始交互来管理设备并提供密钥材料以供进一步使用。所有权证明可以通过识别购买设备的用户来完成。这是一种如今越来越多地采用的方法。另一种选择是包装中包含某种秘密信息。

For interface-constrained devices, the solution of using (semi)- public information in combination with an online manufacturer during imprinting seems like a possible solution. This solution approach created a lot of discussion among the participants, as it assumes an Internet connection and means that the manufacturer effectively knows about the trust relationships of all the devices it sells.

对于界面受限的设备,在压印期间与在线制造商结合使用(半)公开信息的解决方案似乎是一种可能的解决方案。这种解决方案方法在参与者中引发了大量讨论,因为它假设存在互联网连接,这意味着制造商有效地了解其销售的所有设备的信任关系。

A few questions did arise with such a model: Will there be third parties that have a business interest in providing something like key distribution and key escrow over the lifetime of a smart object? For constrained devices, will it always be possible to fall back to the existing security associations between device and manufacturer to create new associations? Obviously, we do not want the lifetime of a smart object limited by the manufacturer product support lifespan. What happens if a manufacturer goes bankrupt, changes its business scope, or gets bought by another company? Will end customers not be able to use their smart objects anymore in such a case, or will they lose the ability to resell their devices because the ownership can no longer be transferred?

这种模型确实产生了一些问题:在智能对象的生命周期内,是否会有第三方对提供密钥分发和密钥托管之类的服务感兴趣?对于受约束的设备,是否始终可以回到设备和制造商之间现有的安全关联来创建新关联?显然,我们不希望智能对象的寿命受到制造商产品支持寿命的限制。如果制造商破产、改变其业务范围或被另一家公司收购,会发生什么情况?在这种情况下,最终客户是否将无法再使用其智能对象,或者他们是否会因为所有权无法再转让而失去转售其设备的能力?

One important design decision is that the compromise of the manufacturer must not have any impact on the smart objects, which have already been imprinted to their new owners. Furthermore, the question arises of how to transfer ownership, e.g., when reselling a device. While this may not be a requirement for all devices, there will likely be classes of large or expensive devices where support for transferring the ownership is an absolute necessity.

一个重要的设计决策是,制造商的妥协不得对智能对象产生任何影响,因为智能对象已经印上了新所有者的印记。此外,还出现了如何转让所有权的问题,例如在转售设备时。虽然这可能不是所有设备的要求,但可能会有大型或昂贵设备的类别,其中支持所有权转移是绝对必要的。

Industrial users are comfortable when they have to rely on the manufacturer during the imprinting phase, but they want to be in exclusive control over their devices afterwards.

工业用户在压印阶段必须依赖制造商时会感到舒适,但他们希望在压印之后能够独家控制自己的设备。

There are many classes of devices where we could assume online connectivity to be present; otherwise, these devices would not make sense in the first place. But, there are also other devices that need to be imprinted completely offline.

有很多种类的设备,我们可以假设存在在线连接;否则,这些设备一开始就没有意义。但是,也有其他设备需要完全离线打印。

Is it important to worry about security vulnerabilities, such as man-in-the-middle attacks, during the very short imprinting phase? Is it realistic that an adversary is in close proximity to mount an attack? Especially for devices with limited capabilities, such as light bulbs, the concerns seemed rather small.

在很短的印记阶段,担心安全漏洞(如中间人攻击)是否重要?一个对手离发动攻击很近是现实的吗?特别是对于功能有限的设备,如灯泡,问题似乎不大。

What happens if such a device is not enrolled by the customer but still connected in a "naked" state? How does this impact security, and is it possible for an attacker to perform a "drive-by" enrollment procedure of many devices? How should a device behave in this situation? The safest option (for the user at least) would be to not allow the device to work with full functionality if it has not been enrolled. This concern is particularly applicable for cases where smart objects are sold with default passwords or passwords using semi-public information; an example is Raspberry Pi computers with Linux images that use a default password [RaspberryPi].

如果客户未注册此类设备,但仍以“裸”状态连接,会发生什么情况?这对安全性有何影响?攻击者是否有可能对许多设备执行“按需驾驶”注册过程?在这种情况下,设备应该如何工作?最安全的选择(至少对用户而言)是,如果设备尚未注册,则不允许其使用全部功能。这种担忧尤其适用于智能对象使用默认密码或使用半公开信息的密码销售的情况;例如,带有Linux映像的Raspberry Pi计算机使用默认密码[RaspberryPi]。

4. Summary
4. 总结

Designing for a smart object environment is about making an optimization decision that needs to take technical aspects, usage scenarios, security threats, and business models into account. Some design constraints may be considered fixed while others are flexible. Compromises will need to be made, but they should not be made at the expense of security functionality.

为智能对象环境设计是指做出优化决策,需要考虑技术方面、使用场景、安全威胁和业务模型。一些设计约束可能被认为是固定的,而另一些则是灵活的。需要做出妥协,但不应以牺牲安全功能为代价。

Designing a software update mechanism into the system is crucial to ensure that functionality can be enhanced and vulnerabilities can be fixed. Also, security threats are perceived differently over time. For example, many people considered pervasive monitoring less important prior to the Snowden revelations.

在系统中设计软件更新机制对于确保功能增强和漏洞修复至关重要。此外,随着时间的推移,人们对安全威胁的看法也有所不同。例如,在斯诺登事件曝光之前,许多人认为普遍监控不那么重要。

New research and standardization on cryptographic algorithms (like encryption algorithms, hash functions, keyed message digests, and public key crypto systems) that are tailored to smart object environments was not seen as worthwhile by the participants. A huge range of algorithms already exist, and standardized authentication and key exchange protocols can be customized to use almost any selection of algorithms available today.

参与者认为,针对智能对象环境定制的加密算法(如加密算法、哈希函数、密钥消息摘要和公钥加密系统)的新研究和标准化并不值得。已经存在大量的算法,并且可以定制标准化的身份验证和密钥交换协议,以使用当今几乎任何可用的算法选择。

The integration of various building blocks into a complete system was considered important, and this document highlights a number of those areas in Section 3. Searching for a single, universally applicable

将各种构件集成到一个完整的系统中被认为是重要的,本文件在第3节中重点介绍了其中的一些领域。寻找单一的、普遍适用的

smart object security architecture was seen as a hopeless journey given the large number of use cases, business models, and constraints.

考虑到大量的用例、业务模型和约束,智能对象安全体系结构被视为一次无望的旅程。

In response to the workshop, follow-up work happened in a number of areas (and standardization activities are still ongoing). Here are a few examples:

针对研讨会,在一些领域开展了后续工作(标准化活动仍在进行)。以下是几个例子:

o The Light-Weight Implementation Guidance (LWIG) working group was created to offer a venue to collect experiences from implementers of IP stacks, including security protocols, in constrained devices. The ability to tune IETF protocols via extensions and parameter choices gives implementers a lot of flexibility to meet the constraints of a smart object environment.

o 创建轻量级实施指南(LWIG)工作组是为了提供一个场所,从受限设备中的IP堆栈(包括安全协议)实施者那里收集经验。通过扩展和参数选择优化IETF协议的能力为实现者提供了很大的灵活性,以满足智能对象环境的约束。

o The DTLS In Constrained Environments (DICE) working group was formed to define a DTLS profile that is suitable for Internet of Things applications and is reasonably implementable on many constrained devices, and to define how the DTLS record layer can be used to transmit multicast messages securely. DTLS is seen as an important enabling technology for securing communication interactions by smart objects.

o DTLS In Constraint Environments(DICE)工作组成立的目的是定义适合物联网应用且可在许多受约束设备上合理实现的DTLS配置文件,并定义如何使用DTLS记录层安全地传输多播消息。DTLS被视为通过智能对象保护通信交互的一项重要使能技术。

o A new working group has been formed to standardize an authentication and authorization protocol for constrained environments offering a dynamic and fine-grained access control mechanism where clients and resource servers are constrained and therefore have to make use of a trusted third party. At the time of writing this document, the Authentication and Authorization for Constrained Environments (ACE) working group has just been started.

o 已成立一个新的工作组,以标准化受约束环境的身份验证和授权协议,提供动态和细粒度的访问控制机制,其中客户端和资源服务器受到约束,因此必须使用受信任的第三方。在编写本文档时,受限环境的身份验证和授权(ACE)工作组刚刚启动。

5. Security Considerations
5. 安全考虑

This whole document is a report on the 'Smart Object Security Workshop'. The focus of this workshop was on security only; privacy was not part of the workshop agenda.

整个文档是关于“智能对象安全研讨会”的报告。本次研讨会的重点仅在于安全;隐私不是研讨会议程的一部分。

6. References
6. 工具书类
6.1. Normative References
6.1. 规范性引用文件

[RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object Workshop", RFC 6574, April 2012, <http://www.rfc-editor.org/info/rfc6574>.

[RFC6574]Tschofenig,H.和J.Arkko,“智能对象研讨会的报告”,RFC 6574,2012年4月<http://www.rfc-editor.org/info/rfc6574>.

6.2. Informative References
6.2. 资料性引用

[PaulChilton] Chilton, P., "Experiences and Challenges in using constrained Smart Objects", March 2012, <http://www.lix.polytechnique.fr/hipercom/ SmartObjectSecurity/papers/PaulChilton.pdf>.

[PaulChilton]Chilton,P.,“使用受限智能对象的经验和挑战”,2012年3月<http://www.lix.polytechnique.fr/hipercom/ SmartObjectSecurity/papers/PaulChilton.pdf>。

[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003, <http://www.rfc-editor.org/info/rfc3552>.

[RFC3552]Rescorla,E.和B.Korver,“关于安全考虑的RFC文本编写指南”,BCP 72,RFC 3552,2003年7月<http://www.rfc-editor.org/info/rfc3552>.

[RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, June 2005, <http://www.rfc-editor.org/info/rfc4101>.

[RFC4101]Rescorla,E.和IAB,“编写协议模型”,RFC 41012005年6月<http://www.rfc-editor.org/info/rfc4101>.

[RFC4186] Haverinen, H. and J. Salowey, "Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)", RFC 4186, January 2006, <http://www.rfc-editor.org/info/rfc4186>.

[RFC4186]Haverinen,H.和J.Salowey,“全球移动通信系统(GSM)用户身份模块(EAP-SIM)的可扩展认证协议方法”,RFC 4186,2006年1月<http://www.rfc-editor.org/info/rfc4186>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC4949]Shirey,R.,“互联网安全词汇表,第2版”,RFC 49492007年8月<http://www.rfc-editor.org/info/rfc4949>.

[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176, January 2008, <http://www.rfc-editor.org/info/rfc5176>.

[RFC5176]Chiba,M.,Dommety,G.,Eklund,M.,Mitton,D.,和B.Aboba,“远程认证拨号用户服务(RADIUS)的动态授权扩展”,RFC 51762008年1月<http://www.rfc-editor.org/info/rfc5176>.

[RFC6272] Baker, F. and D. Meyer, "Internet Protocols for the Smart Grid", RFC 6272, June 2011, <http://www.rfc-editor.org/info/rfc6272>.

[RFC6272]Baker,F.和D.Meyer,“智能电网的互联网协议”,RFC 62722011年6月<http://www.rfc-editor.org/info/rfc6272>.

[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>.

[RFC6749]Hardt,D.,“OAuth 2.0授权框架”,RFC 6749,2012年10月<http://www.rfc-editor.org/info/rfc6749>.

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, May 2014, <http://www.rfc-editor.org/info/rfc7228>.

[RFC7228]Bormann,C.,Ersue,M.和A.Keranen,“受限节点网络的术语”,RFC 7228,2014年5月<http://www.rfc-editor.org/info/rfc7228>.

[RaspberryPi] Raspberry Pi Foundation, "Raspberry Pi", February 2013, <http://www.raspberrypi.org>.

树莓Pi基金会,“树莓Pi”,2013年2月,<http://www.raspberrypi.org>.

[SASL-OAUTH] Mills, W., Showalter, T., and H. Tschofenig, "A set of SASL Mechanisms for OAuth", Work in Progress, draft-ietf-kitten-sasl-oauth-18, November 2014.

[SASL-OAUTH]Mills,W.,Showalter,T.,和H.Tschofenig,“OAUTH的一套SASL机制”,正在进行的工作,草稿-ietf-kitten-SASL-OAUTH-18,2014年11月。

[SMART-OBJECT] Tschofenig, H., Arkko, J., Thaler, D., and D. McPherson, "Architectural Considerations in Smart Object Networking", Work in Progress, draft-iab-smart-object-architecture-06, October 2014.

【智能对象】Tschofenig,H.,Arkko,J.,Thaler,D.,和D.McPherson,“智能对象网络中的架构考虑”,正在进行的工作,草稿-iab-SMART-OBJECT-architecture-062014年10月。

Appendix A. Program Committee
附录A.项目委员会

The workshop was organized by the following individuals:

讲习班由下列个人组织:

o Hannes Tschofenig o Jari Arkko o Carsten Bormann o Peter Friess o Cullen Jennings o Antonio Skarmeta o Zach Shelby o Thomas Heide Clausen

o Hannes Tschofenig o Jari Arkko o Carsten Bormann o Peter Friess o Cullen Jennings o Antonio Skarmeta o Zach Shelby o Thomas Heide Clausen

Appendix B. Published Workshop Material
附录B.已出版的研讨会材料

o Main Workshop Page <http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity>

o 车间主页<http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity>

o Position Papers <http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/ papers>

o 立场文件<http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/ 论文>

o Slides <http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/ slides>

o 幻灯片<http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/ 幻灯片>

Appendix C. Accepted Position Papers
附录C.接受的立场文件

1. Michael Richardson, "Challenges in Smart Object Security: too many layers, not enough ram"

1. Michael Richardson,“智能对象安全的挑战:层太多,ram不够”

2. Mitsuru Kanda, Yoshihiro Ohba, Subir Das, Stephen Chasko, "PANA applicability in constrained environments"

2. 神田三郎、大叶吉弘、萨比尔·达斯、斯蒂芬·查斯科,“约束环境中的泛适用性”

3. Randy Bush, "An Operational View of Trust Needs of Moving Objects"

3. Randy Bush,“移动对象信任需求的操作视图”

4. Andrei Gurtov, Ilya Nikolaevsky, Andrey Lukyanenko, "Using HIP DEX for Key Management and Access Control in Smart Objects"

4. Andrei Gurtov,Ilya Nikolaevsky,Andrey Lukyanenko,“在智能对象中使用HIP-DEX进行密钥管理和访问控制”

5. Jens-Matthias Bohli, "Access Tokens for the IoT"

5. Jens Matthias Bohli,“物联网访问代币”

6. Martina Brachmann, Oscar Garcia-Morchon, Sye-Loong Keoh, Sandeep S. Kumar, "Security Considerations around End-to-End Security in the IP-based Internet of Things"

6. Martina Brachmann、Oscar Garcia Morchon、Sye Long Keoh、Sandeep S.Kumar,“基于IP的物联网中端到端安全的安全考虑”

7. Kazunori Miyazawa, "Convergence of Smart Objects in industrial wireless sensor network"

7. 宫泽一郎,“工业无线传感器网络中智能对象的融合”

8. Thomas Bartzsch, Dirk Burggraf, Laura Cristina Gheorghe, Alexis Olivereau, Nouha Oualha, Emil Slusanschi, Dan Tudose, Markus Wehner, Sven Zeisberg, "AAA-based Infrastructure for Industrial Wireless Sensor Networks"

8. Thomas Bartzsch、Dirk Burggraf、Laura Cristina Gheorghe、Alexis Olivereau、Nouha Oualha、Emil Slussanschi、Dan Tudose、Markus Wehner、Sven Zeisberg,“基于AAA的工业无线传感器网络基础设施”

9. Fida Khattak, Philip Ginzboorg, Valtteri Niemi, Jan-Erik Ekberg, "Role of Border Router in 6LoWPAN Security"

9. Fida Khattak、Philip Ginzboorg、Valtteri Niemi、Jan Erik Ekberg,“边境路由器在全球安全中的作用”

10. Thomas Fossati, Angelo Castellani, Salvatore Loreto, "(Un)trusted Intermediaries in CoAP"

10. Thomas Fossati,Angelo Castellani,Salvatore Loreto,“CoAP中的(联合国)可信中介机构”

11. Rene Hummen, Christian Roeller, Klaus Wehrle, "Modeling User-defined Trust Overlays for the IP-based Internet of Things"

11. Rene Hummen,Christian Roeller,Klaus Wehrle,“为基于IP的物联网建模用户定义的信任覆盖”

12. Sam Hartman, Margaret Wasserman, "Federation, ABFAB and Smart Devices"

12. Sam Hartman,Margaret Wasserman,“联邦、ABFAB和智能设备”

13. Cary Bran, Joseph Stachula, "Device Pairing: Lessons Learned"

13. Cary Bran,Joseph Stachula,“设备配对:经验教训”

14. Jan Janak, Hyunwoo Nam, Henning Schulzrinne, "On Access Control in the Internet of Things"

14. Jan Janak,Hyunboo Nam,Henning Schulzrinne,“关于物联网中的访问控制”

15. Rene Struik, "Cryptography and Security for Highly Constrained Networks"

15. Rene Struik,“高度受限网络的加密和安全”

16. Zhen Cao, Hui Deng, Judy Zhu, "The Architecture of Open Security Capability"

16. 曹震,邓辉,朱朱迪,“开放式安全能力的体系结构”

17. Sujing Zhou, Zhenhua Xie, "On Cryptographic Approaches to Internet-Of-Things Security"

17. 周苏静,谢振华,“物联网安全的密码方法研究”

18. Nancy Cam-Winget, Monique Morrow, "Security Implications to Smart Addressable Objects"

18. Nancy Cam Winget,Monique Morrow,“智能可寻址对象的安全含义”

19. Jouni Korhonen, "Applying Generic Bootstrapping Architecture for use with Constrained Devices"

19. Jouni Korhonen,“将通用引导架构应用于受约束设备”

20. Olaf Bergmann, Stefanie Gerdes, Carsten Bormann, "Simple Keys for Simple Smart Objects"

20. Olaf Bergmann、Stefanie Gerdes、Carsten Bormann,“用于简单智能对象的简单钥匙”

21. Mohit Sethi, Jari Arkko, Ari Keranen, Heidi-Maria Rissanen, "Practical Considerations and Implementation Experiences in Securing Smart Object Networks"

21. Mohit Sethi,Jari Arkko,Ari Keranen,Heidi Maria Rissanen,“保护智能对象网络的实际考虑和实施经验”

22. Paul Chilton, "Experiences and Challenges in using constrained Smart Objects"

22. Paul Chilton,“使用受约束智能对象的经验和挑战”

23. Vladislav Perelman, Mehmet Ersue, "TLS with PSK for Constrained Devices"

23. Vladislav Perelman,Mehmet Ersue,“用于受限设备的带PSK的TLS”

24. Richard Barnes, "Security for Smart Objects beyond COMSEC: Principals and Principles"

24. Richard Barnes,“通信安全之外的智能对象安全:原则和原则”

25. Rudolf van der Berg, "OECD Publication on Machine-to-Machine Communications: Connecting Billions of Devices", OECD Digital Economy Papers, No. 192, OECD Publishing

25. 鲁道夫·范德伯格,“经合组织关于机器对机器通信的出版物:连接数十亿台设备”,《经合组织数字经济论文》,第192期,经合组织出版

26. Cullen Jennings, "Transitive Trust Enrollment for Constrained Devices"

26. Cullen Jennings,“受约束设备的可传递信任注册”

27. Barbara Fraser, Paul Duffy, Maik Seewald, "Smart Objects: Security Challenges from the Power Sector"

27. Barbara Fraser,Paul Duffy,Maik Seewald,“智能对象:电力行业的安全挑战”

28. Hannes Tschofenig, "Smart Object Security: Considerations for Transport Layer Security Implementations"

28. Hannes Tschofenig,“智能对象安全:传输层安全实现的注意事项”

29. Johannes Gilger, Ulrike Meyer, "Secure Pairing & Context Management"

29. Johannes Gilger,Ulrike Meyer,“安全配对和上下文管理”

30. Klaas Wierenga, "Scalable Authentication for Smart Objects"

30. Klaas Wierenga,“智能对象的可扩展身份验证”

31. Dirk Stegemann, Jamshid Shokrollahi, "Security in the Internet of Things - Experiences from Use Cases"

31. Dirk Stegemann,Jamshid Shokrollahi,“物联网中的安全——来自用例的经验”

32. Alper Yegin, "Credentials for Smart Objects: A Challenge for the Industry"

32. Alper Yegin,“智能对象的凭证:行业的挑战”

33. Shahid Raza, Thiemo Voigt, Vilhelm Jutvik, "Lightweight IKEv2: A Key Management Solution for both the Compressed IPsec and the IEEE 802.15.4 Security"

33. Shahid Raza,Thiemo Voigt,Vilhelm Jutvik,“轻量级IKEv2:用于压缩IPsec和IEEE 802.15.4安全性的密钥管理解决方案”

34. Eric Rescorla, "A Brief Survey of Imprinting Options for Constrained Devices"

34. Eric Rescorla,“受限制设备的压印选项简介”

35. Fred Baker, "Security in distributed telemetry and control networks"

35. Fred Baker,“分布式遥测和控制网络的安全性”

Appendix D. Workshop Participants
附录D.讲习班参加者

We would like to thank the following participants for attending the workshop:

我们要感谢以下与会者参加研讨会:

o Jari Arkko o Carsten Bormann o Cullen Jennings o Antonio Skarmeta o Sean Turner o Thomas Heide Clausen o Hannes Tschofenig o Michael Richardson o Yoshihiro Ohba o Subir Das o Randy Bush o Andrei Gurtov o Ilya Nikolaevsky o Andrey Lukyanenko o Jens-Matthias Bohli o Kazunori Miyazawa o Philip Ginzboorg o Fida Khattak o Angelo Castellani o Salvatore Loreto o Rene Hummen o Klaus Wehrle o Sam Hartman o Margaret Wasserman o Cary Bran o Jan Janak o Rene Struik o Zhen Cao o Hui Deng o Zhou Sujing o Xie Zhenhua o Monique Morrow o Nancy Cam-Winget o Jouni Korhonen o Ari Keranen o Paul Chilton o Vladislav Perelman o Mehmet Ersue o Richard Barnes o Rudolf van der Berg o Barbara Fraser o Johannes Gilger o Sye Loong Keoh

o 雅丽·阿尔科、卡斯滕·鲍曼、卡伦·詹宁斯、安东尼奥·斯卡梅塔、肖恩·特纳、托马斯·海德·克劳森、汉内斯·茨霍芬尼、迈克尔·理查森、大叶吉弘、苏比尔·达斯、兰迪·布什、安德烈·古尔托夫、伊利亚·尼古拉耶夫斯基、安德烈·卢基亚南科、延斯·马蒂亚斯·博利、卡祖诺里·宫泽娃、菲利普·金兹堡、菲达·哈塔克、安吉洛·卡斯蒂利亚、萨尔瓦多洛雷托·勒内·胡门、克劳斯·韦勒、山姆·哈特曼、玛格丽特·瓦瑟曼、卡里·布兰、扬·雅纳克、勒内·斯特鲁克、曹操、惠登、周素静、解振华、莫尼克·莫罗、南希·坎文格、朱尼·科霍宁、阿里·科拉宁、保罗·奇尔顿、弗拉迪斯拉夫·佩雷尔曼、梅米特·埃斯鲁、理查德·巴恩斯、鲁道夫·范德伯格、芭芭拉·弗雷泽、约翰Gilger o Sye Long Keoh

o Olaf Bergmann o Stefanie Gerdes o Klaus Hartke o Oualha Nouha o Alexis Olivereau o Alper Yegin o Klaas Wierenga o Jiazi Yi o Juan Antonio Cordero Fuertes o Antonin Bas o David Schinazi o Valerie Lecomte o Ulrich Herberg o Shahid Raza o Stephen Farrell o Eric Rescorla o Thomas Fossati o Mohit Sethi o Alan Duric o Guido Moritz o Sebstian Unger o Hans Loehr

o 奥拉夫·伯格曼、史蒂芬妮·杰拉德、克劳斯·哈特克、奥瓦利亚·努哈、亚历克西斯·奥利弗劳、阿尔珀·耶金、克拉斯·韦伦加、加齐伊、胡安·安东尼奥·科德罗·弗尔特斯、安东宁·巴斯特、大卫·希纳粹主义、瓦莱丽·勒孔特、乌尔里希·赫伯格、沙希德·拉扎、斯蒂芬·法雷尔、埃里克·雷斯科拉、托马斯·福萨蒂、莫希特·塞蒂、艾伦·杜里克、吉多·莫里茨、塞巴斯蒂安·安格汉斯·勒尔

Acknowledgements

致谢

We would like to thank the participants and the authors of the position papers for their input.

我们要感谢与会者和立场文件的作者的投入。

Special thanks go to Thomas Heide Clausen and Ecole Polytechnique (Paris) for providing the venue and organization.

特别感谢托马斯·海德·克劳森(Thomas Heide Clausen)和巴黎理工学院(Ecole Polytechnique,巴黎)为我们提供场地和组织。

Finally, we would like to thank Rudolf van der Berg for his review comments.

最后,我们要感谢鲁道夫·范德伯格的评论。

Authors' Addresses

作者地址

Johannes Gilger Mies-van-der-Rohe-Str. 15 Aachen 52074 Germany

德国亚琛市15号约翰内斯·吉尔格·米斯-范-德-罗街52074号

   Phone: +49 (0)241 80 20 781
   EMail: Gilger@ITSec.RWTH-Aachen.de
        
   Phone: +49 (0)241 80 20 781
   EMail: Gilger@ITSec.RWTH-Aachen.de
        

Hannes Tschofenig Hall in Tirol 6060 Austria

奥地利蒂罗尔的汉内斯·茨霍芬尼大厅6060

   EMail: Hannes.tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at
        
   EMail: Hannes.tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at