Internet Engineering Task Force (IETF)                     L. Seitz, Ed.
Request for Comments: 7744                           SICS Swedish ICT AB
Category: Informational                                   S. Gerdes, Ed.
ISSN: 2070-1721                                  Universitaet Bremen TZI
                                                             G. Selander
                                                                Ericsson
                                                                 M. Mani
                                                                   Itron
                                                                S. Kumar
                                                        Philips Research
                                                            January 2016

Use Cases for Authentication and Authorization in Constrained Environments

Abstract

Constrained devices are nodes with limited processing power, storage space, and transmission capacities. In many cases, these devices do not provide user interfaces, and they are often intended to interact without human intervention.

This document includes a collection of representative use cases for authentication and authorization in constrained environments. These use cases aim at identifying authorization problems that arise during the life cycle of a constrained device and are intended to provide a guideline for developing a comprehensive authentication and authorization solution for this class of scenarios.

Where specific details are relevant, it is assumed that the devices use the Constrained Application Protocol (CoAP) as a communication protocol. However, most conclusions apply generally.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7744.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Use Cases
      2.1. Container Monitoring
           2.1.1. Bananas for Munich
           2.1.2. Authorization Problems Summary
      2.2. Home Automation
           2.2.1. Controlling the Smart Home Infrastructure
           2.2.2. Seamless Authorization
           2.2.3. Remotely Letting in a Visitor
           2.2.4. Selling the House
           2.2.5. Authorization Problems Summary
      2.3. Personal Health Monitoring
           2.3.1. John and the Heart Rate Monitor
           2.3.2. Authorization Problems Summary
      2.4. Building Automation
           2.4.1. Device Life Cycle
                  2.4.1.1. Installation and Commissioning
                  2.4.1.2. Operational
                  2.4.1.3. Maintenance
                  2.4.1.4. Recommissioning
                  2.4.1.5. Decommissioning
           2.4.2. Public Safety
                  2.4.2.1. A Fire Breaks Out
           2.4.3. Authorization Problems Summary
      2.5. Smart Metering
           2.5.1. Drive-By Metering
           2.5.2. Meshed Topology
           2.5.3. Advanced Metering Infrastructure
           2.5.4. Authorization Problems Summary
      2.6. Sports and Entertainment
           2.6.1. Dynamically Connecting Smart Sports Equipment
           2.6.2. Authorization Problems Summary
      2.7. Industrial Control Systems
           2.7.1. Oil Platform Control
           2.7.2. Authorization Problems Summary
   3. Security Considerations
      3.1. Attacks
      3.2. Configuration of Access Permissions
      3.3. Authorization Considerations
      3.4. Proxies
   4. Privacy Considerations
   5. Informative References
   Acknowledgments
   Authors' Addresses
1. Introduction

Constrained devices [RFC7228] are nodes with limited processing power, storage space, and transmission capacities. These devices are often battery-powered and in many cases do not provide user interfaces.

Constrained devices benefit from being interconnected using Internet protocols. However, deploying common security protocols can sometimes be difficult because of device or network limitations. Regardless, adequate security mechanisms are required to protect these constrained devices, which are expected to be integrated in all aspects of everyday life, from attackers wishing to gain control over the device's data or functions.

This document comprises a collection of representative use cases for the application of authentication and authorization in constrained environments. These use cases aim at identifying authorization problems that arise during the life cycle of a constrained device. Note that this document does not aim at collecting all possible use cases.

We assume that the communication between the devices is based on the Representational State Transfer (REST) architectural style, i.e., a device acts as a server that offers resources such as sensor data and actuators. The resources can be accessed by clients, sometimes without human intervention (M2M). In some situations, the communication will happen through intermediaries (e.g., gateways, proxies).

Where specific detail is necessary, it is assumed that the devices communicate using CoAP [RFC7252], although most conclusions are generic.

1.1. Terminology

Readers are required to be familiar with the terms defined in [RFC7228].

2. Use Cases

This section includes the use cases; each use case first presents a general description of the application environment, then one or more specific use cases, and finally a summary of the authorization-related problems to be solved. The document aims at listing the relevant authorization problems and not to provide an exhaustive list. It might not be possible to address all of the listed problems with a single solution; there might be conflicting goals within or among some requirements.

There are various reasons for assigning a function (client or server) to a device. The function may even change over time; e.g., the device that initiates a conversation is temporarily assigned the role of client, but could act as a server in another context. The definition of the function of a device in a certain use case is not in scope of this document. Readers should be aware that there might be reasons for each setting and that endpoints might even have different functions at different times.

2.1. Container Monitoring

The ability of sensors to communicate environmental data wirelessly opens up new application areas. Sensor systems make it possible to continuously track and transmit characteristics such as temperature, humidity, and gas content while goods are transported and stored.

Sensors in this scenario have to be associated with the appropriate pallet of the respective container. Sensors, as well as the goods, belong to specific customers.

While in transit, goods often pass stops where they are transloaded to other means of transportation, e.g., from ship transport to road transport.

Perishable goods need to be stored at a constant temperature and with proper ventilation. Real-time information on the state of the goods is needed by both the transporter and the vendor. Transporters want to prioritize goods that will expire soon. Vendors want to react when goods are spoiled to continue to fulfill delivery obligations.

The Intelligent Container <http://www.intelligentcontainer.com> is an example project that explores solutions to continuously monitor perishable goods.

2.1.1. Bananas for Munich

A fruit vendor grows bananas in Costa Rica for the German market. It instructs a transport company to deliver the goods via ship to Rotterdam where they are picked up by trucks and transported to a ripening facility. A Munich supermarket chain buys ripened bananas from the fruit vendor and transports them from the ripening facility to the individual markets with their own company's trucks.

The fruit vendor's quality management wants to assure the quality of their products; thus, it equips the banana boxes with sensors. The state of the goods is monitored consistently during shipment and ripening, and abnormal sensor values are recorded (U1.2). Additionally, the sensor values are used to control the climate within the cargo containers (U1.1, U1.5, U1.7). Therefore, the sensors need to communicate with the climate-control system. Since an incorrect sensor value leads to a wrong temperature, and thus to spoiled goods, the integrity of the sensor data must be assured (U1.2, U1.3). The banana boxes within a container will, in most cases, belong to the same owner. Adjacent containers might contain goods and sensors of different owners (U1.1).

The personnel that transloads the goods must be able to locate the goods meant for a specific customer (U1.1, U1.6, U1.7). However, the fruit vendor does not want to disclose sensor information pertaining to the condition of the goods to other companies and therefore wants to assure the confidentiality of this data (U1.4). Thus, the transloading personnel are only allowed to access logistics information (U1.1). Moreover, the transloading personnel are only allowed to access the data for the duration of the transloading (U1.8).

Due to the high water content of the fruits, the propagation of radio waves is hindered, thus often inhibiting direct communication between nodes [Jedermann14]. Instead, messages are forwarded over multiple hops (U1.9). The sensors in the banana boxes cannot always reach the Internet during the journey (U1.10). Sensors may need to use relay stations owned by the transport company to connect to endpoints on the Internet.

In the ripening facility bananas are stored until they are ready to be sold. The banana box sensors are used to control the ventilation system and to monitor the degree of ripeness of the bananas. Ripe bananas need to be identified and sold before they spoil (U1.2, U1.8).

The supermarket chain gains ownership of the banana boxes when the bananas have ripened and are ready to leave the ripening facility.

2.1.2. Authorization Problems Summary

U1.1: Fruit vendors and container owners want to grant different authorizations for their resources and/or endpoints to different parties.

U1.2: The fruit vendor requires the integrity and authenticity of the sensor data that pertains to the state of the goods for climate control and to ensure the quality of the monitored recordings.

U1.3: The container owner requires the integrity and authenticity of the sensor data that is used for climate control.

U1.4: The fruit vendor requires the confidentiality of the sensor data that pertains to the state of the goods and the confidentiality of location data, e.g., to protect them from targeted attacks from competitors.

U1.5: The fruit vendor may need different protection for several different types of data on the same endpoint, e.g., sensor data and the data used for logistics.

U1.6: The fruit vendor and the transloading personnel require the authenticity and integrity of the data that is used to locate the goods, in order to ensure that the goods are correctly treated and delivered.

U1.7: The container owner and the fruit vendor may not be present at the time of access and cannot manually intervene in the authorization process.

U1.8: The fruit vendor, container owner, and transloading company want to grant temporary access permissions to a party, in order to avoid giving permanent access to parties that are no longer involved in processing the bananas.

U1.9: The fruit vendor, container owner, and transloading company want their security objectives to be achieved, even if the messages between the endpoints need to be forwarded over multiple hops.

U1.10: The constrained devices might not always be able to reach the Internet but still need to enact the authorization policies of their principals.

U1.11: Fruit vendors and container owners want to be able to revoke authorization on a malfunctioning sensor.

2.2. Home Automation

One application of the Internet of Things is home automation systems. Such a system can connect household devices that control, for example, heating, ventilation, lighting, home entertainment, and home security to the Internet making them remotely accessible and manageable.

Such a system needs to accommodate a number of regular users (inhabitants, close friends, cleaning personnel) as well as a heterogeneous group of dynamically varying users (visitors, repairmen, delivery men).

As the users are not typically trained in security (or even computer use), the configuration must use secure default settings, and the interface must be well adapted to novice users.

2.2.1. Controlling the Smart Home Infrastructure

Alice and Bob own a flat that is equipped with home automation devices such as HVAC and shutter control, and they have a motion sensor in the corridor that controls the light bulbs there (U2.5).

Alice and Bob can control the shutters and the temperature in each room using either wall-mounted touch panels or an Internet connected device (e.g., a smartphone). Since Alice and Bob both have full-time jobs, they want to be able to change settings remotely, e.g., turn up the heating on a cold day if they will be home earlier than expected (U2.5).

The couple does not want people in radio range of their devices, e.g., their neighbors, to be able to control them without authorization. Moreover, they don't want burglars to be able to deduce behavioral patterns from eavesdropping on the network (U2.8).

2.2.2. Seamless Authorization

Alice buys a new light bulb for the corridor and integrates it into the home network, i.e., makes resources known to other devices in the network. Alice makes sure that the new light bulb and her other devices in the network get to know the authorization policies for the new device. Bob is not at home, but Alice wants him to be able to control the new device with his devices (e.g., his smartphone) without the need for additional administration effort (U2.7). She provides the necessary configurations for that (U2.9, U2.10).

2.2.3. Remotely Letting in a Visitor

Alice and Bob have equipped their home with automated connected door-locks and an alarm system at the door and the windows. The couple can control this system remotely.

Alice and Bob have invited Alice's parents over for dinner, but are stuck in traffic and cannot arrive in time; whereas Alice's parents are using the subway and will arrive punctually. Alice calls her parents and offers to let them in remotely, so they can make themselves comfortable while waiting (U2.1, U2.6). Then, Alice sets temporary permissions that allow them to open the door and shut down the alarm (U2.2). She wants these permissions to be only valid for the evening since she does not like it if her parents are able to enter the house as they see fit (U2.3, U2.4).

When Alice's parents arrive at Alice and Bob's home, they use their smartphone to communicate with the door-lock and alarm system (U2.5, U2.9). The permissions Alice issued to her parents only allow limited access to the house (e.g., opening the door, turning on the lights). Certain other functions, such as checking the footage from the surveillance cameras, are not accessible to them (U2.3).

Alice and Bob also issue similarly restricted permissions to, e.g., cleaners, repairmen, or their nanny (U2.3).

2.2.4. Selling the House

Alice and Bob have to move because Alice is starting a new job. They therefore decide to sell the house and transfer control of all automated services to the new owners (U2.11). Before doing so, they want to erase privacy-relevant data from the logs of the automated systems, while the new owner is interested in keeping some historic data, e.g., pertaining to the behavior of the heating system (U2.12). At the time of transfer of ownership of the house, the new owners also want to make sure that permissions issued by the previous owners to access the house or connected devices (in the case where device management may have separate permissions from house access) are no longer valid (U2.13).

2.2.5. Authorization Problems Summary

U2.1: A home owner (Alice and Bob in the example above) wants to spontaneously provision authorization means to visitors.

U2.2: A home owner wants to spontaneously change the home's access control policies.

U2.3: A home owner wants to apply different access rights for different users (including other inhabitants).

U2.4: The home owners want to grant access permissions to someone during a specified time frame.

U2.5: The smart home devices need to be able to securely communicate with different control devices (e.g., wall-mounted touch panels, smartphones, electronic key fobs, and device gateways).

U2.6: The home owner wants to be able to configure authorization policies remotely.

U2.7: Authorized users want to be able to obtain access with little effort.

U2.8: The owners of the automated home want to prevent unauthorized entities from being able to deduce behavioral profiles from devices in the home network.

U2.9: Usability is particularly important in this scenario since the necessary authorization related tasks in the life cycle of the device (commissioning, operation, maintenance, and decommissioning) likely need to be performed by the home owners who, in most cases, have little knowledge of security.

U2.10: Home owners want their devices to seamlessly (and in some cases even unnoticeably) fulfill their purpose. Therefore, the authorization administration effort needs to be kept at a minimum.

U2.11: Home owners want to be able to transfer ownership of their automated systems when they sell the house.

U2.12: Home owners want to be able to sanitize the logs of the automated systems when transferring ownership without deleting important operational data.

U2.13: When a transfer of ownership occurs, the new owner wants to make sure that access rights created by the previous owner are no longer valid.

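
As an added illustration (not part of RFC 7744), the following Python models the authorization problems listed above for the home automation scenario, together with the temporary access (U1.8) and revocation (U1.11) of the container scenario: scoped, time-bounded grants, explicit revocation, and an ownership transfer that invalidates everything the previous owners issued. The class layout, principal names and timestamps are constructed assumptions, not a specification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Grant:
    """One scoped, time-bounded permission (U2.3, U2.4; U1.8 for the
    container scenario).  Hypothetical structure, not from the RFC."""
    grant_id: str
    issuer: str                # owner who issued it; decides its fate on a sale (U2.13)
    subject: str               # party receiving access, e.g. "alice-parents"
    resources: FrozenSet[str]  # e.g. {"door-lock", "alarm"}
    actions: FrozenSet[str]    # e.g. {"unlock", "disarm"}
    not_before: datetime
    not_after: datetime


class HomeAuthorizationServer:
    """Hypothetical policy store for the smart home of Section 2.2; decisions
    use local state only, so they also work while offline (cf. U1.10)."""

    def __init__(self, owners: Iterable[str]) -> None:
        self.owners: Set[str] = set(owners)
        self.grants: Dict[str, Grant] = {}
        self.revoked: Set[str] = set()
        self._next_id = 0

    def issue(self, issuer: str, subject: str, resources: Iterable[str],
              actions: Iterable[str], not_before: datetime,
              duration: timedelta) -> Grant:
        """Owners may spontaneously provision access (U2.1, U2.2), but only
        for a bounded time window (U2.4, U1.8)."""
        if issuer not in self.owners:
            raise PermissionError(f"{issuer} is not a current owner")
        self._next_id += 1
        grant = Grant(f"g{self._next_id}", issuer, subject,
                      frozenset(resources), frozenset(actions),
                      not_before, not_before + duration)
        self.grants[grant.grant_id] = grant
        return grant

    def revoke(self, grant_id: str) -> None:
        """Explicit revocation before expiry, e.g. for a party or sensor that
        is no longer trusted (U1.11)."""
        self.revoked.add(grant_id)

    def transfer_ownership(self, new_owners: Iterable[str]) -> int:
        """Selling the house (U2.11): every live grant issued by a previous
        owner is invalidated whatever its window (U2.13); returns how many."""
        stale = [g.grant_id for g in self.grants.values()
                 if g.issuer in self.owners and g.grant_id not in self.revoked]
        self.revoked.update(stale)
        self.owners = set(new_owners)
        return len(stale)

    def is_authorized(self, subject: str, resource: str, action: str,
                      at: datetime) -> bool:
        """Default deny: allow only a current owner, or a subject holding a
        live grant that covers exactly this resource, action and instant."""
        if subject in self.owners:
            return True
        for g in self.grants.values():
            if g.grant_id in self.revoked or g.subject != subject:
                continue
            if (resource in g.resources and action in g.actions
                    and g.not_before <= at < g.not_after):
                return True
        return False


def visitor_scenario() -> Dict[str, bool]:
    """Sections 2.2.3 and 2.2.4 walked through with constructed timestamps."""
    srv = HomeAuthorizationServer({"alice", "bob"})
    dinner = datetime(2016, 1, 15, 18, 0, tzinfo=timezone.utc)  # constructed
    srv.issue("alice", "alice-parents", {"door-lock", "alarm"},
              {"unlock", "disarm"}, dinner, timedelta(hours=5))
    during = dinner + timedelta(hours=1)
    out = {
        "parents_unlock_during_visit":
            srv.is_authorized("alice-parents", "door-lock", "unlock", during),
        # Cameras were never in the grant (U2.3).
        "parents_view_camera":
            srv.is_authorized("alice-parents", "camera", "view", during),
        # Same grant one day later: expired (U2.4).
        "parents_unlock_next_day":
            srv.is_authorized("alice-parents", "door-lock", "unlock",
                              during + timedelta(days=1)),
    }
    # A long-lived cleaner grant that Bob revokes early (U1.11 analogue).
    cleaner = srv.issue("bob", "cleaner", {"door-lock"}, {"unlock"},
                        dinner, timedelta(days=30))
    srv.revoke(cleaner.grant_id)
    out["cleaner_after_revocation"] = srv.is_authorized(
        "cleaner", "door-lock", "unlock", during)
    # The house is sold: only the parents' grant is still live, so one is invalidated.
    out["one_grant_invalidated_on_sale"] = srv.transfer_ownership({"carol"}) == 1
    out["parents_unlock_after_sale"] = srv.is_authorized(
        "alice-parents", "door-lock", "unlock", during)
    out["alice_after_sale"] = srv.is_authorized("alice", "door-lock", "unlock", during)
    out["carol_after_sale"] = srv.is_authorized("carol", "door-lock", "unlock", during)
    return out
```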

2.3. Personal Health Monitoring

Personal health monitoring devices, i.e., eHealth devices, are typically battery-driven and located physically on or in the user to monitor some bodily function, such as temperature, blood pressure, or pulse rate. These devices typically connect to the Internet through an intermediary base station, using wireless technologies, and through this connection they report the monitored data to some entity, which may either be the user or a medical caregiver.

Medical data has always been considered very sensitive, and therefore requires good protection against unauthorized disclosure. A frequent, conflicting requirement is the capability for medical personnel to gain emergency access, even if no specific access rights exist. As a result, the importance of secure audit logs increases in such scenarios.

Since the users are not typically trained in security (or even computer use), the configuration must use secure default settings, and the interface must be well adapted to novice users. Parts of the system must operate with minimal maintenance. In particular, frequent battery changes are unacceptable.

There is a plethora of wearable health monitoring technology, and the need for open industry standards to ensure interoperability between products has led to initiatives such as the Continua Alliance <http://continuaalliance.org> and the Personal Connected Health Alliance <http://www.pchalliance.org>.

2.3.1. John and the Heart Rate Monitor

John has a heart condition that can result in sudden cardiac arrests. He therefore uses a device called "HeartGuard" that monitors his heart rate and his location (U3.7). In the event of a cardiac arrest, it automatically sends an alarm to an emergency service, transmitting John's current location (U3.1). Either the device has long-range connectivity itself (e.g., via GSM) or it uses some intermediary, nearby device (e.g., John's smartphone) to transmit such an alarm. To ensure John's safety, the device is expected to be in constant operation (U3.3, U3.6).

The device includes an authentication mechanism to prevent other persons who get physical access to it from acting as the owner and altering the access control and security settings (U3.8).

John can configure a list of people that get notified in an emergency, for example his daughter Jill. Furthermore, the device stores data on John's heart rate, which can later be accessed by a physician to assess the condition of John's heart (U3.2).

However, John is a privacy-conscious person and is worried that Jill might use HeartGuard to monitor his location even when there is no emergency. Furthermore, he doesn't want his health insurance to get access to the HeartGuard data, or even to the fact that he is wearing a HeartGuard, since they might refuse to renew his insurance if they decided he was too great a risk for them (U3.8).

Finally, John, while being comfortable with modern technology and able to operate it reasonably well, is not trained in computer security. Therefore, he needs an interface for the configuration of the HeartGuard security that is easy to understand and use (U3.5). If John does not understand the meaning of a setting, he tends to leave it alone, assuming that the manufacturer has initialized the device to secure settings (U3.4).

Note: Monitoring of some state parameter (e.g., an alarm button) and the position of a person also fits well into a nursing service context. This is particularly useful for people suffering from dementia, where the relatives or caregivers need to be notified of the whereabouts of the person under certain conditions. In that case, it is not the patient that decides about access.
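The HeartGuard scenario above combines preconfigured emergency rights (U3.1) with the need for a secure audit log. The following is an added example, not code from RFC 7744: a default-deny access check in which emergency rights exist only while the device is in an alarm state, and every decision is appended to a hash-chained audit log whose integrity can be verified afterwards. Principal names, resource names and the log format are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed model of the HeartGuard scenario in Section 2.3.1; example code,
# not from RFC 7744. Principal names, resource names and the log format are
# assumptions for the illustration.

GENESIS = "0" * 64  # digest the first log entry chains to

# Rights John preconfigured for normal operation (U3.2). Jill and the
# insurer hold no standing rights (U3.8).
STANDING: Dict[str, Set[str]] = {
    "physician": {"heart_rate"},
}
# Rights that exist only while the device is in an alarm state (U3.1).
EMERGENCY: Dict[str, Set[str]] = {
    "emergency_service": {"location", "heart_rate"},
    "jill": {"location"},
}


@dataclass
class HeartGuard:
    in_alarm: bool = False
    log: List[dict] = field(default_factory=list)  # hash-chained audit log

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        data = prev + json.dumps(body, sort_keys=True)
        return hashlib.sha256(data.encode()).hexdigest()

    def _record(self, body: dict) -> None:
        """Append an entry whose digest binds it to the previous entry."""
        prev = self.log[-1]["digest"] if self.log else GENESIS
        self.log.append(dict(body, prev=prev, digest=self._digest(prev, body)))

    def set_alarm(self, on: bool) -> None:
        """Alarm transitions are logged too, so emergency grants can be
        matched against a real alarm afterwards."""
        self.in_alarm = on
        self._record({"event": "alarm", "on": on})

    def authorize(self, principal: str, resource: str) -> bool:
        """Default deny. Emergency rights apply only during an alarm, and
        every decision is logged so emergency use can be audited."""
        if resource in STANDING.get(principal, set()):
            allowed, reason = True, "standing"
        elif self.in_alarm and resource in EMERGENCY.get(principal, set()):
            allowed, reason = True, "emergency"
        else:
            allowed, reason = False, "none"
        self._record({"event": "access", "who": principal, "what": resource,
                      "allowed": allowed, "reason": reason})
        return allowed

    def verify_log(self) -> bool:
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k not in ("prev", "digest")}
            if entry["prev"] != prev or entry["digest"] != self._digest(prev, body):
                return False
            prev = entry["digest"]
        return True


if __name__ == "__main__":
    hg = HeartGuard()
    print(hg.authorize("jill", "location"))      # False: no emergency
    hg.set_alarm(True)
    print(hg.authorize("jill", "location"))      # True: emergency right
    print(hg.authorize("insurer", "heart_rate")) # False: never granted
    print(hg.verify_log())                       # True
```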

2.3.2. Authorization Problems Summary

U3.1: The wearer of an eHealth device (John in the example above) wants to preconfigure special access rights in the context of an emergency.

U3.2: The wearer of an eHealth device wants to selectively allow different persons or groups access to medical data.

U3.3: Battery changes are very inconvenient and sometimes impractical, so battery life impacts on the authorization mechanisms need to be minimized.

U3.4: Devices are often used with default access control settings that might threaten the security objectives of the device's users.

U3.5: Wearers of eHealth devices are often not trained in computer use, especially computer security.

U3.6: Security mechanisms themselves could provide opportunities for denial-of-service (DoS) attacks, especially on the constrained devices.

U3.7: The device provides a service that can be fatal for the wearer if it fails. Accordingly, the wearer wants the device to have a high degree of resistance against attacks that may cause the device to fail to operate partially or completely.

U3.8: The wearer of an eHealth device requires the integrity and confidentiality of the data measured by the device.

2.4. Building Automation

Buildings for commercial use such as shopping malls or office buildings are nowadays increasingly equipped with semi-automatic components to enhance the overall living quality and to save energy where possible. This includes, for example, heating, ventilation, and air conditioning (HVAC) as well as illumination and security systems such as fire alarms. These components are increasingly managed centrally in a Building and Lighting Management System (BLMS) by a facility manager.

Different areas of these buildings are often exclusively leased to different companies. However, they also share some of the common areas of the building. Accordingly, a company must be able to control the lighting and HVAC system of its own part of the building and must not have access to control rooms that belong to other companies.

Some parts of the building automation system such as entrance illumination and fire-alarm systems are controlled either by all parties together or by a facility-management company.

2.4.1. Device Life Cycle
2.4.1.1. Installation and Commissioning

Installation of the building automation components often starts even before the construction work is completed. Lighting is one of the first components to be installed in new buildings. A lighting plan created by a lighting designer provides the necessary information related to the kind of lighting devices (luminaires, sensors, and switches) to be installed along with their expected behavior. The physical installation of the correct lighting devices at the right locations is done by electricians based on the lighting plan. They ensure that the electrical wiring is performed according to local regulations and that lighting devices, which may be from multiple manufacturers, are connected to the electrical power supply properly. After the installation, lighting can be used in a default out-of-box mode, e.g., at full brightness when powered on. After this step (or in parallel in a different section of the building), a lighting commissioner adds the devices to the building domain (U4.1) and performs the proper configuration of the lights as prescribed in the lighting plan. This involves, for example, grouping to ensure that light points react together, more or less synchronously (U4.8), and defining lighting scenes for particular areas of the building. The commissioning is often done in phases, either by one or more commissioners, on different floors. The building lighting network at this stage may consist of different network islands with no connectivity between them due to the lack of IT infrastructure.

After this, other building components, like HVAC and security systems, are similarly installed by electricians and later commissioned by their respective domain professionals. Similar configurations related to grouping (U4.8) are required to ensure, e.g., HVAC equipment is controlled by the closest temperature sensor.

For the building IT systems, the Ethernet wiring is initially laid out in the building according to the IT plan. The IT network is often commissioned after the construction is completed to avoid any damage to sensitive networking and computing equipment. The commissioning is performed by an IT engineer with additional switches (wired and/or wireless), IP routers, and computing devices. Direct Internet connectivity for all installed/commissioned devices in the building is only available at this point. The BLMS that monitors and controls the various building automation components is only connected to the field devices at this stage. The different network islands (for lighting and HVAC) are also joined together without any further involvement of domain specialists, such as lighting or HVAC commissioners.

2.4.1.2. Operational

The building automation system is now finally ready, and the operational access is transferred to the facility management company of the building (U4.2). The facility manager is responsible for monitoring and ensuring that the building automation system meets the needs of the building occupants. If changes are needed, the facility-management company hires an external installation and commissioning company to perform the changes.

Different parts of the building are rented out to different companies for office space. The tenants are provided access to use the automated HVAC, lighting, and physical access control systems deployed. The safety of the occupants is also managed using automated systems, such as a fire-alarm system, which is triggered by several smoke detectors that are spread out across the building.

Company A's staff moves into the newly furnished office space. Most lighting is controlled by presence sensors that control the lighting of a specific group of lights based on the authorization rules in the BLMS. Additionally, employees are allowed to manually override the lighting brightness and color in their offices by using the switches or handheld controllers. Such changes are allowed only if the authorization rules exist in the BLMS. For example, lighting in the corridors may not be manually adjustable.

At the end of the day, lighting is dimmed or switched off if no occupancy is detected, even if manually overridden during the day.

On a later date, Company B also moves into the same building, and shares some of the common spaces and associated building automation components with Company A (U4.2, U4.9).

2.4.1.3. Maintenance

Company A's staff is annoyed that the lighting switches off too often in their rooms if they work silently in front of their computers. Company A notifies the facility manager of the building to increase the delay before lights switch off. The facility manager can either configure the new values directly in the BLMS or, if additional changes are needed on the field devices, hire commissioning Company C to perform the needed changes (U4.4).

Company C gets the necessary authorization from the facility-management company to interact with the BLMS. The commissioner's tool gets the necessary authorization from the BLMS to send a configuration change to all lighting devices in Company A's offices to increase the delay before they switch off.

At some point, the facility-management company wants to update the firmware of lighting devices in order to eliminate software bugs. Before accepting the new firmware, each device checks the authorization of the facility-management company to perform this update (U4.13).

A network-diagnostic tool of the BLMS detects that a luminaire in one of Company A's offices is no longer connected to the network. The BLMS alerts the facility manager to replace the luminaire. The facility manager replaces the old broken luminaire and informs the BLMS of the identity (e.g., the Media Access Control (MAC) address) of the newly added device. Then, the BLMS authorizes the new device in the system and seamlessly transfers all the permissions of the previous broken device to the replacement device (U4.12).

2.4.1.4. Recommissioning

A vacant area of the building has recently been leased to Company A. Before moving into its new office, Company A wishes to replace the lighting with more energy-efficient luminaires that provide better light quality. They hire an installation and commissioning Company C to redo the illumination. Company C is instructed to integrate the new lighting devices, which may be from multiple manufacturers, into the existing lighting infrastructure of the building, which includes presence sensors, switches, controllers, etc. (U4.1).

Company C gets the necessary authorization from the facility-management company to interact with the existing BLMS (U4.4). To prevent disturbance to other occupants of the building, Company C is provided authorization to perform the commissioning only during non-office hours and only to modify configuration on devices belonging to the domain of Company A's space (U4.5). Before removing existing devices, all security and configuration material that belongs to the domain is deleted and the devices are set back to factory state (U4.3). This ensures that these devices may be reused at other installations or in other parts of the same building without affecting future operations. After installation (wiring) of the new lighting devices, the commissioner adds the devices into Company A's lighting domain.

Once the devices are in the correct domain, the commissioner authorizes the interaction rules between the new lighting devices and existing devices, like presence sensors (U4.7). For this, the commissioner creates the authorization rules on the BLMS that define which lights form a group and which sensors/switches/controllers are allowed to control which groups (U4.8). These authorization rules may be context based, like time of the day (office or non-office hours) or location of the handheld lighting controller, etc. (U4.5).

2.4.1.5. Decommissioning

Company A has noticed that the handheld controllers are often misplaced and hard to find when needed. So most of the time, staff use the existing wall switches for manual control. Company A decides it would be better to completely remove handheld controllers and asks Company C to decommission them from the lighting system (U4.4).

Company C again gets the necessary authorization from the facility-management company to interact with the BLMS. The commissioner now deletes any rules that allowed handheld controllers authorization to control the lighting (U4.3, U4.6). Additionally, the commissioner instructs the BLMS to push these new rules to prevent cached rules at the end devices from being used. Any cryptographic key material belonging to the site in the handheld controllers is also removed, and they are set to the factory state (U4.3).

2.4.2. Public Safety

As part of the building safety code, the fire department requires that the building have sensors that sense the level of smoke, heat, etc., when a fire breaks out. These sensors report metrics that are then used by a back-end server to map safe areas and unsafe areas within a building and possibly the structural integrity of the building before firefighters may enter it. Sensors may also be used to track where human/animal activity is within the building. This will allow people stuck in the building to be guided to safer areas and allow the suggestion of possible actions that they may take (e.g., using a client application on their phones or giving loudspeaker directions) in order to bring them to safety. In certain cases, other organizations such as the police, ambulance, and federal organizations are also involved, and therefore the coordination of tasks between the various entities has to be carried out using efficient messaging and authorization mechanisms.

2.4.2.1. A Fire Breaks Out

James, who works for Company A, turns on the air conditioning in his office on a really hot day. Lucy, who works for Company B, wants to make tea using an electric kettle. After she turns it on, she goes outside to talk to a colleague until the water is boiling. Unfortunately, her kettle has a malfunction that causes overheating and results in a smoldering fire of the kettle's plastic case.

Due to the smoke coming from the kettle, the fire alarm is triggered. Alarm sirens throughout the building are switched on simultaneously (using a group communication scheme) to alert the staff of both companies (U4.8). Additionally, the ventilation system of the whole building is closed off to prevent the smoke from spreading and to withdraw oxygen from the fire. The smoke cannot get into James' office, even though he turned on his air conditioning, because the fire alarm overrides the manual setting by sending commands (using group communication) to switch off all the air conditioning (U4.10).

The fire department is notified of the fire automatically and arrives within a short time. They automatically get access to all parts of the building according to an emergency authorization policy (U4.4, U4.5). After inspecting the damage and extinguishing the smoldering fire, a firefighter resets the fire alarm because only the fire department is authorized to do that (U4.4, U4.11).
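Sections 2.4.1.2 through 2.4.2.1 describe the BLMS authorization rules as a whole: default deny (U4.7), device groups (U4.8), context-based rules such as non-office hours and domain scoping (U4.5), an emergency policy that overrides manual settings (U4.10), an action reserved to the fire department (U4.11), and revocation that must be pushed to the field devices (U4.6). The following is an added example, not code from RFC 7744 or any BLMS product, modelling those rules as a small policy evaluator; the group names, domain map, rule fields and the office-hours window are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the BLMS authorization rules in Sections 2.4.1.2 to
# 2.4.2.1; example code, not from RFC 7744 or any BLMS product. Group names,
# the domain map, field names and the office-hours window are assumptions.

OFFICE_HOURS = range(8, 18)  # assumed: 08:00 to 17:59

# Device groups that are controlled together (U4.8) and the administrative
# domain each group belongs to.
GROUP_DOMAIN: Dict[str, str] = {
    "office_a_lights": "company_a",
    "corridor_lights": "common",
    "all_hvac": "common",
    "fire_alarm": "common",
}


@dataclass(frozen=True)
class Rule:
    subject: str                         # staff role, sensor, tool or authority
    action: str                          # e.g. "override", "configure", "switch_off"
    scope: str                           # a group, a domain, or "*" for everything
    office_hours: Optional[bool] = None  # True: office hours only; False: outside
                                         # office hours only; None: any time (U4.5)
    emergency_only: bool = False         # valid only under the emergency policy

    def covers(self, group: str) -> bool:
        return self.scope in ("*", group, GROUP_DOMAIN[group])


@dataclass
class BLMS:
    rules: Set[Rule] = field(default_factory=set)
    version: int = 0            # incremented on every grant or revocation
    emergency: bool = False     # set when the fire alarm is triggered
    cached: Dict[str, int] = field(default_factory=dict)  # device -> version held

    def grant(self, rule: Rule) -> None:
        self.rules.add(rule)
        self.version += 1

    def revoke(self, rule: Rule) -> None:
        self.rules.discard(rule)
        self.version += 1

    def push(self, devices: List[str]) -> None:
        """Distribute the current rule set so stale cached rules are not used."""
        for device in devices:
            self.cached[device] = self.version

    def stale(self, device: str) -> bool:
        """True while a device still holds a rule set older than the current one."""
        return self.cached.get(device, -1) != self.version

    def decide(self, subject: str, action: str, group: str, hour: int) -> bool:
        """Default deny (U4.7): allow only if a matching rule exists and its
        time-of-day and emergency conditions hold."""
        for r in self.rules:
            if r.subject != subject or r.action != action or not r.covers(group):
                continue
            if r.emergency_only and not self.emergency:
                continue
            if r.office_hours is not None and (hour in OFFICE_HOURS) != r.office_hours:
                continue
            return True
        return False


def build_scenario() -> BLMS:
    """Rules taken from the narrative: tenant overrides in their own offices,
    Company C's commissioning window, the fire alarm's group command and the
    fire-department-only reset."""
    b = BLMS()
    b.grant(Rule("company_a_staff", "override", "office_a_lights"))
    b.grant(Rule("handheld_controller", "override", "office_a_lights"))
    # Company C: non-office hours only, devices in Company A's domain only (U4.5)
    b.grant(Rule("company_c_tool", "configure", "company_a", office_hours=False))
    b.grant(Rule("fire_alarm", "switch_off", "all_hvac", emergency_only=True))  # U4.10
    b.grant(Rule("fire_department", "enter", "*", emergency_only=True))
    b.grant(Rule("fire_department", "reset", "fire_alarm"))                      # U4.11
    b.push(["luminaire_a1", "hvac_unit_3"])
    return b


if __name__ == "__main__":
    b = build_scenario()
    print(b.decide("company_a_staff", "override", "corridor_lights", 10))  # False
    print(b.decide("company_c_tool", "configure", "office_a_lights", 21))  # True
    b.emergency = True
    print(b.decide("fire_alarm", "switch_off", "all_hvac", 14))            # True
```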

2.4.3. Authorization Problems Summary

U4.1: During commissioning, the building owner or the companies add new devices to their administrative domain. Access control should then apply to these devices seamlessly.

U4.2: During a handover, the building owner or the companies integrate devices that formerly belonged to a different administrative domain to their own administrative domain. Access control of the old domain should then cease to apply, with access control of the new domain taking over.

U4.3: During decommissioning, the building owner or the companies remove devices from their administrative domain. Access control should cease to apply to these devices and relevant credentials need to be erased from the devices.

U4.4: The building owner and the companies want to be able to delegate specific access rights for their devices to others.

U4.5: The building owner and the companies want to be able to define context-based authorization rules.

U4.6: The building owner and the companies want to be able to revoke granted permissions and delegations.

U4.7: The building owner and the companies want to allow authorized entities to send data to their endpoints (default deny).

U4.8: The building owner and the companies want to be able to authorize a device to control several devices at the same time using a group communication scheme.

U4.9: The companies want to be able to interconnect their own subsystems with those from a different operational domain while keeping the control over the authorizations (e.g., granting and revoking permissions) for their endpoints and devices.

U4.10: The authorization mechanisms must be able to cope with extremely time-sensitive operations that have to be carried out quickly.

U4.11: The building owner and the public safety authorities want to be able to perform data origin authentication on messages sent and received by some of the systems in the building.

U4.12: The building owner should be allowed to replace an existing device with a new device providing the same functionality within their administrative domain. Access control from the replaced device should then apply to these new devices seamlessly.

U4.13: When software on a device is updated, this update needs to be authenticated and authorized.

2.5. Smart Metering

Automated measuring of customer consumption is an established technology for electricity, water, and gas providers. Increasingly, these systems also feature networking capability to allow for remote management. Such systems are in use for commercial, industrial, and residential customers and require a certain level of security, in order to avoid economic loss to the providers, vulnerability of the distribution system, as well as disruption of services for the customers.

The smart metering equipment for gas and water solutions is battery-driven and communication should be used sparingly due to battery consumption. Therefore, these types of meters sleep most of the time, and only wake up every minute/hour to check for incoming instructions. Furthermore, they wake up a few times a day (based on their configuration) to upload their measured metering data.

Different networking topologies exist for smart metering solutions. Based on environment, regulatory rules, and expected cost, one or a mixture of these topologies may be deployed to collect the metering information. Drive-by metering is one of the most current solutions deployed for collection of gas and water meters.

Various stakeholders have a claim on the metering data. Utility companies need the data for accounting, the metering equipment may be operated by a third-party service operator who needs to maintain it, and the equipment is installed in the premises of the consumers, measuring their consumption, which entails privacy questions.

2.5.1. Drive-By Metering

A service operator offers smart metering infrastructures and related services to various utility companies. Among these is a water provider, who in turn supplies several residential complexes in a city. The smart meters are installed in the end customer's homes to measure water consumption and thus generate billing data for the utility company. They can also be used to shut off the water if the bills are not paid (U5.1, U5.3). The meters do this by sending and receiving data to and from a base station (U5.2). Several base stations are installed around the city to collect the metering data. However, in the denser urban areas, the base stations would have to be installed very close to the meters. This would require a high number of base stations and expose this more expensive equipment to manipulation or sabotage. The service operator has therefore chosen another approach, which is to drive around with a mobile base station and let the meters connect to that in regular intervals in order to gather metering data (U5.4, U5.6, U5.8).

2.5.2. Meshed Topology

In another deployment, the water meters are installed in a building that already has power meters installed; the latter are mains-powered and are therefore not subject to the same power-saving restrictions. The water meters can therefore use the power meters as proxies in order to achieve better connectivity. This requires the security measures on the water meters to work through intermediaries (U5.9).

2.5.3. Advanced Metering Infrastructure

A utility company is updating its old utility distribution network with advanced meters and new communication systems, known as an Advanced Metering Infrastructure (AMI). AMI refers to a system that measures, collects, and analyzes usage, and interacts with metering devices such as electricity meters, gas meters, heat meters, and water meters, through various communication media either on request (on-demand) or on predefined schedules. Based on this technology, new services make it possible for consumers to control their utility consumption (U5.2, U5.7) and reduce costs by supporting new tariff models from utility companies, and more accurate and timely billing. However, the end consumers do not want unauthorized persons to gain access to this data. Furthermore, the fine-grained measurement of consumption data may induce privacy concerns, since it may allow others to create behavioral profiles (U5.5, U5.10).

The technical solution is based on levels of data aggregation between smart meters located at the consumer premises and the Meter Data Management (MDM) system located at the utility company (U5.9). For reasons of efficiency and cost, end-to-end connectivity is not always feasible, so metering data is stored and aggregated in various intermediate devices before being forwarded to the utility company, and in turn accessed by the MDM. The intermediate devices may be operated by a third-party service operator on behalf of the utility company (U5.7). One responsibility of the service operator is to make sure that meter readings are performed and delivered in a regular, timely manner. An example of a Service Level Agreement between the service operator and the utility company is, for example, that at least 95% of the meters have readings recorded during the last 72 hours.

2.5.4. Authorization Problems Summary

U5.1: Devices are installed in hostile environments where they are physically accessible by attackers (including dishonest customers). The service operator and the utility company want to make sure that an attacker cannot use data from a captured device to attack other parts of their infrastructure.

U5.2: The utility company wants to control which entities are allowed to send data to, and read data from, their endpoints.

U5.3: The utility company wants to ensure the integrity of the data stored on their endpoints.

U5.4: The utility company wants to protect such data transfers to and from their endpoints.

U5.5: Consumers want to access their own usage information and also prevent unauthorized access by others.

U5.6: The devices may have intermittent Internet connectivity but still need to enact the authorization policies of their principals.

U5.7: Neither the service operator nor the utility company is always present at the time of access, and they cannot manually intervene in the authorization process.

U5.8: When authorization policies are updated, it is impossible, or at least very inefficient, to contact all affected endpoints directly.

U5.9: Authorization and authentication must work even if messages between endpoints are stored and forwarded over multiple nodes.

U5.10: Consumers may not want the service operator, the utility company or others to have access to a fine-grained level of consumption data that allows the creation of behavioral profiles.

2.6. Sports and Entertainment

In the area of leisure-time activities, applications can benefit from the small size and weight of constrained devices. Sensors and actuators with various functions can be integrated into fitness equipment, games, and even clothes. Users can carry their devices around with them at all times.

Usability is especially important in this area since users will often want to spontaneously interconnect their devices with others. Therefore, the configuration of access permissions must be simple and fast and not require much effort at the time of access.

Continuous monitoring allows authorized users to create behavioral or movement profiles that correspond to the devices' intended use, and unauthorized access to the collected data would allow an attacker to create the same profiles. Moreover, the aggregation of data can seriously increase the impact on the privacy of the users.

2.6.1. Dynamically Connecting Smart Sports Equipment

Jody is an enthusiastic runner. To keep track of her training progress, she has smart running shoes that measure the pressure at various points beneath her feet to count her steps, detect irregularities in her stride, and help her to improve her posture and running style. On a sunny afternoon, she goes to the Finnbahn track near her home to work out. She meets her friend Lynn, who shows her the smart fitness watch she bought a few days ago. The watch can measure the wearer's pulse, show speed and distance, and keep track of the configured training program. The girls realize that the watch can be connected with Jody's shoes and can display the information the shoes provide.

Jody asks Lynn to let her try the watch and lend it to her for the afternoon. Lynn agrees, but she doesn't want Jody to access her training plan (U6.4). She configures the access policies for the watch so that Jody's shoes are allowed to access the display and measuring features but cannot read or add training data (U6.1, U6.2). Jody's shoes connect to Lynn's watch at the press of a button, because Jody already configured access rights for devices that belong to Lynn a while ago (U6.3). Jody wants the device to report the data back to her fitness account while she borrows it, so she allows it to access her account temporarily.

After an hour, Jody gives the watch back and both girls terminate the connection between their devices.

2.6.2. Authorization Problems Summary

U6.1: Sports equipment owners want to be able to grant access rights dynamically when needed.

U6.2: Sports equipment owners want the configuration of access rights to work with very little effort.

U6.3: Sports equipment owners want to be able to preconfigure access policies that grant certain access permissions to endpoints with certain attributes (e.g., endpoints of a certain user) without additional configuration effort at the time of access.

U6.4: Sports equipment owners want to protect the confidentiality of their data for privacy reasons.

2.7. Industrial Control Systems

Industrial control systems (ICS) and especially supervisory control and data acquisition systems (SCADA) use a multitude of sensors and actuators in order to monitor and control industrial processes in the physical world. Example processes include manufacturing, power generation, and refining of raw materials.

Since the advent of the Stuxnet worm, it has become obvious to the general public how vulnerable these kinds of systems are, especially when connected to the Internet [Karnouskos11]. The severity of these vulnerabilities is exacerbated by the fact that many ICS are used to control critical public infrastructure, such as nuclear power, water treatment, or traffic control. Nevertheless, the economic advantages of connecting such systems to the Internet can be significant if appropriate security measures are put in place (U7.5).

2.7.1. Oil Platform Control

An oil platform uses an industrial control system to monitor data and control equipment. The purpose of this system is to gather and process data from a large number of sensors and control actuators such as valves and switches to steer the oil extraction process on the platform. Raw data, alarms, reports, and other information are also available to the operators, who can intervene with manual commands. Many of the sensors are connected to the controlling units by direct wire, but the operator is slowly replacing these units by wireless ones, since this makes maintenance easier (U7.4).

Some of the controlling units are connected to the Internet, to allow for remote administration, since it is expensive and inconvenient to fly in a technician to the platform (U7.3).

The main interest of the operator is to ensure the integrity of control messages and sensor readings (U7.1). Access in some cases needs to be restricted, e.g., the operator wants wireless actuators to accept commands only from authorized control units (U7.2).

The owner of the platform also wants to collect auditing information for liability reasons (U7.1).

Different levels of access apply, e.g., for regular operators vs. maintenance technicians vs. auditors of the platform (U7.6).

2.7.2. Authorization Problems Summary

U7.1: The operator of the platform wants to ensure the integrity and confidentiality of sensor and actuator data.

U7.2: The operator wants to ensure that data coming from sensors and commands sent to actuators are authentic.

U7.3: Some devices do not have direct Internet connection, but they still need to implement current authorization policies.

U7.4: Devices need to authenticate the controlling units, especially those using a wireless connection.

U7.5: The execution of unauthorized commands or the failure to execute an authorized command in an ICS can lead to significant financial damage and threaten the availability of critical infrastructure services. Accordingly, the operator wants authentication and authorization mechanisms that provide a very high level of security.

U7.6: Different users should have different levels of access to the control system (e.g., operator vs. auditor).

3. Security Considerations

As the use cases listed in this document demonstrate, constrained devices are used in various environments. These devices are small and inexpensive, and this makes it easy to integrate them into many aspects of everyday life. With access to vast amounts of valuable data and possible control of important functions, these devices need to be protected from unauthorized access. Protecting seemingly innocuous data and functions will lessen the possible effects of aggregation: attackers collecting data or functions from several sources can gain insights or a level of control that is not immediately obvious from each of these sources on its own.

Not only is the data on the constrained devices themselves threatened; the devices might also be abused as an intrusion point to infiltrate a network. Once an attacker gains control over a device, it can be used to attack other devices as well. Due to their limited capabilities, constrained devices appear as the weakest link in the network; hence, they pose an attractive target for attackers.

This section summarizes the security problems highlighted by the use cases above and provides guidelines for the design of protocols for authentication and authorization in constrained RESTful environments.

3.1. Attacks

This document lists security problems that users of constrained devices want to solve. Further analysis of attack scenarios is not in scope of the document. However, there are attacks that must be considered by solution developers.

Because of the expected large number of devices and their ubiquity, constrained devices increase the danger from Pervasive Monitoring [RFC7258] attacks. Solution designers should consider this in the design of their security solution and provide for protection against this type of attack. In particular, messages containing sensitive data that are sent over unprotected channels should be encrypted if possible.

Attacks aimed at altering data in transit (e.g., to perpetrate fraud) are a problem that is addressed in many web security protocols such as TLS or IPsec. Developers need to consider these types of attacks, and make sure that the protection measures they implement are adapted to the constrained environment.

As some of the use cases indicate, constrained devices may be installed in hostile environments where they are physically accessible (see Section 2.5). Protection from physical attacks is not in the scope of this document, but it should be kept in mind by developers of authorization solutions.

Denial-of-service (DoS) attacks threaten the availability of the services a device provides, and constrained devices are especially vulnerable to these types of attacks because of their limitations. Attackers can elicit a temporary or, if the battery is drained, permanent failure of a service simply by repeatedly flooding the device with connection attempts; for some services (see Section 2.3), availability is especially important. Solution designers must be particularly careful to consider the following limitations in every part of the authorization solution:

o Battery usage

o Number of required message exchanges

o Size of data that is transmitted (e.g., authentication and access control data)

o Size of code required to run the protocols

o Size of RAM memory and stack required to run the protocols

o Resources blocked by partially completed exchanges (e.g., while one party is waiting for a transaction time to run out)

Solution developers also need to consider whether the session should be protected from information disclosure and tampering.

3.2. Configuration of Access Permissions

o The access control policies need to be enforced (all use cases): The information that is needed to implement the access control policies needs to be provided to the device that enforces the authorization and applied to every incoming request.

o A single resource might have different access rights for different requesting entities (all use cases).

Rationale: In some cases, different types of users need different access rights, as opposed to a binary approach where the same access permissions are granted to all authenticated users.

o A device might host several resources where each resource has its own access control policy (all use cases).

o The device that makes the policy decisions should be able to evaluate context-based permissions such as location or time of access (see Sections 2.2, 2.3, and 2.4). Access may depend on local conditions, e.g., access to health data in an emergency. The device that makes the policy decisions should be able to take such conditions into account.

3.3. Authorization Considerations

o Devices need to be enabled to enforce authorization policies without human intervention at the time of the access request (see Sections 2.1, 2.2, 2.4, and 2.5).

o Authorization solutions need to consider that constrained devices might not have Internet access at the time of the access request (see Sections 2.1, 2.3, 2.5, and 2.6).

o It should be possible to update access control policies without manually re-provisioning individual devices (see Sections 2.2, 2.3, 2.5, and 2.6).

Rationale: Peers can change rapidly which makes manual re-provisioning unreasonably expensive.

o Authorization policies may be defined to apply to a large number of devices that might only have intermittent connectivity. Distributing policy updates to every device for every update might not be a feasible solution (see Section 2.5).

o It must be possible to dynamically revoke authorizations (see Section 2.4 for example).

o The authentication and access control protocol can put undue burden on the constrained system resources of a device participating in the protocol. An authorization solution must take the limitations of the constrained devices into account (all use cases, see also Section 3.1).

o Secure default settings are needed for the initial state of the authentication and authorization protocols (all use cases).

Rationale: Many attacks exploit insecure default settings, and experience shows that default settings are frequently left unchanged by the end users.

o Access to resources on other devices should only be permitted if a rule exists that explicitly allows this access (default deny) (see Section 2.4 for example).

o Usability is important for all use cases. The configuration of authorization policies as well as gaining access to devices must be simple for the users of the devices. Special care needs to be taken for scenarios where access control policies have to be configured by users who are typically not trained in security (see Sections 2.2, 2.3, and 2.6).

o Software updates are an important operation for which correct authorization is crucial. Additionally, authenticating the receiver of a software update is also important, for example, to make sure that the update has been received by the intended device.
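The policy requirements of Sections 3.2 and 3.3 (per-resource policies, different rights for different requesting entities, preconfigured attribute-based rules as in U6.3, context conditions such as time of access or an emergency, default deny, and dynamic revocation), worked through as an added example that is not part of RFC 7744. The rule fields, resource paths, device identifiers and owner names are constructed assumptions, using Lynn's watch from Section 2.6.1 as the sample device.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Requester:
    """Attributes the device learns about a peer after authenticating it."""
    device_id: str
    owner: str


@dataclass(frozen=True)
class Context:
    """Local conditions known to the device when the request arrives."""
    now: time
    emergency: bool = False


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule for one resource hosted on the device."""
    resource: str
    methods: FrozenSet[str]
    owner: Optional[str] = None        # None: any authenticated owner
    device_id: Optional[str] = None    # None: any device of that owner
    not_before: Optional[time] = None  # time-of-day window (Section 3.2)
    not_after: Optional[time] = None
    emergency_only: bool = False       # e.g., health data only in an emergency

    def applies(self, resource, method, req, ctx) -> bool:
        """True if this rule explicitly allows the request in this context."""
        if resource != self.resource or method not in self.methods:
            return False
        if self.owner is not None and req.owner != self.owner:
            return False
        if self.device_id is not None and req.device_id != self.device_id:
            return False
        if self.not_before is not None and ctx.now < self.not_before:
            return False
        if self.not_after is not None and ctx.now > self.not_after:
            return False
        return ctx.emergency or not self.emergency_only


def decide(rules, resource, method, req, ctx) -> bool:
    """Default deny (Section 3.3): permit only if some rule explicitly allows it."""
    return any(r.applies(resource, method, req, ctx) for r in rules)


def revoke(rules, owner):
    """Dynamic revocation (Section 3.3): drop every rule granted to an owner."""
    return [r for r in rules if r.owner != owner]


# Constructed policy for Lynn's watch (Section 2.6.1): Jody's devices may use
# the display and read measurements; no rule mentions /training, so it is denied.
LYNN_WATCH_RULES = [
    Rule("/display", frozenset({"GET", "PUT"}), owner="jody"),
    Rule("/measurements", frozenset({"GET"}), owner="jody"),
    # Any authenticated peer may read the pulse, but only during an emergency.
    Rule("/measurements/pulse", frozenset({"GET"}), emergency_only=True),
    # The vendor's service tool may update firmware only in a daytime window.
    Rule("/firmware", frozenset({"PUT"}), device_id="svc-01",
         not_before=time(8, 0), not_after=time(18, 0)),
]
# Constructed sample peers and contexts.
SHOES = Requester(device_id="shoe-42", owner="jody")
SERVICE = Requester(device_id="svc-01", owner="vendor")
STRANGER = Requester(device_id="dev-77", owner="mallory")
AFTERNOON = Context(now=time(15, 30))
NIGHT = Context(now=time(23, 0))
EMERGENCY = Context(now=time(23, 0), emergency=True)
```

Every decision is made locally from the rule list already on the device, so it needs no Internet access at request time (Section 3.3), and returning the rule list to the empty state is a valid, deny-everything configuration.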

3.4. Proxies

In some cases, the traffic between endpoints might go through intermediary nodes (e.g., proxies, gateways). This might affect the function or the security model of authentication and access control protocols, e.g., end-to-end security between endpoints with Datagram Transport Layer Security (DTLS) might not be possible (see Section 2.5).

4. Privacy Considerations

The constrained devices that are the focus of this document either collect data from the physical world via sensors or affect their surroundings via actuators. The collected and processed data can often be associated with individuals. Since sensor data may be collected and distributed at regular intervals, a significant amount of information about an individual can be collected and used as input for learning algorithms as part of big data analysis and in automated decision-making processes.

Offering privacy protection for individuals is important to guarantee that only authorized entities are allowed to access collected data, to trigger actions, to obtain consent prior to the sharing of data, and to deal with other privacy-related threats outlined in RFC 6973.

RFC 6973 was written as guidance for engineers designing technical solutions. For a short description about the deployment-related aspects of privacy and further references relevant for the Internet of Things sector, please see Section 7 of RFC 7452.

5. Informative References

[Jedermann14] Jedermann, R., Poetsch, T., and C. Lloyd, "Communication techniques and challenges for wireless food quality monitoring", Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, May 2014, <http://rsta.royalsocietypublishing.org/content/372/2017/20130304.short>.

[Karnouskos11] Karnouskos, S., "Stuxnet Worm Impact on Industrial Cyber-Physical System Security", IECON 2011 - 37th Annual Conference on IEEE Industrial Electronics Society, pp. 4490-4494, DOI 10.1109/IECON.2011.6120048, November 2011, <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6120048>.

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014, <http://www.rfc-editor.org/info/rfc7228>.

[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, <http://www.rfc-editor.org/info/rfc7252>.

[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, <http://www.rfc-editor.org/info/rfc7258>.

Acknowledgments

The authors would like to thank Olaf Bergmann, Sumit Singhal, John Mattson, Mohit Sethi, Carsten Bormann, Martin Murillo, Corinna Schmitt, Hannes Tschofenig, Erik Wahlstroem, Andreas Baeckman, Samuel Erdtman, Steve Moore, Thomas Hardjono, Kepeng Li, Jim Schaad, Prashant Jhingran, Kathleen Moriarty, and Sean Turner for reviewing and/or contributing to the document. Also, thanks to Markus Becker, Thomas Poetsch, and Koojana Kuladinithi for their input on the container monitoring use case. Furthermore, the authors thank Akbar Rahman, Chonggang Wang, Vinod Choyi, and Abhinav Somaraju who contributed to the building automation use case.

Ludwig Seitz and Goeran Selander worked on this document as part of EIT-ICT Labs activity PST-14056; and as part of the CelticPlus project CyberWI, with funding from Vinnova.

Authors' Addresses

Ludwig Seitz (editor) SICS Swedish ICT AB Scheelevaegen 17 Lund 223 70 Sweden

   Email: ludwig@sics.se

Stefanie Gerdes (editor) Universitaet Bremen TZI Postfach 330440 Bremen 28359 Germany

   Phone: +49-421-218-63906
   Email: gerdes@tzi.org

Goeran Selander Ericsson Faroegatan 6 Kista 164 80 Sweden

   Email: goran.selander@ericsson.com

Mehdi Mani Itron 52, rue Camille Desmoulins Issy-les-Moulineaux 92130 France

   Email: Mehdi.Mani@itron.com

Sandeep S. Kumar Philips Research High Tech Campus Eindhoven 5656 AA The Netherlands

   Email: sandeep.kumar@philips.com