Internet-Draft | RFF ACCESS | April 2022
Fang, et al. | Expires 14 October 2022
This document describes an access authentication framework for Internet of Things (IoT) devices based on physical layer fingerprints. It specifies the interface functions of the authentication framework and applies to the construction and management of secure access at the edge of the IoT. The document assumes that the reader is familiar with the concepts of the physical layer fingerprint technique.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 October 2022.
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Device authentication is important to ensure the security of the Internet of Things (IoT). Classical device authentication techniques are based on MAC addresses, pre-shared keys or digital certificates [I-D.linning-authentication-physical-layer]. However, a MAC address can be imitated, and as the IoT becomes more diverse and pervasive, deploying and managing pre-shared keys and digital certificates becomes increasingly complex.
Physical layer fingerprinting is a promising technique for IoT device authentication [Ref_1]. It extracts the inherent physical layer features of a device from the received signal. These physical layer features have been shown to be unique and persistent, and hence can be used for device authentication.
Because physical layer fingerprint access authentication requires only the signal received from the IoT device, a suitable access authentication framework needs to be defined. An authentication framework has been proposed in [I-D.dawei-access-authentication-physical-layer], covering the basic functions of the framework and the specification of the fingerprint expression and control messages. This document, based on the same access authentication model, proposes the objectives of the access authentication framework and its interface specifications, to ensure the effectiveness of the framework and to facilitate its integration with existing IoT networks.
IoT Device Access Gateway
Physical layer fingerprint authentication device
The physical layer fingerprint access authentication framework should achieve the following functional objectives:
a) The physical layer fingerprint access authentication framework shall be independent of the application system, so as to help establish a trust relationship between the application system and the IoT devices and to provide the prerequisites for further determining whether an IoT device may access the main network of the application system.
b) The physical layer fingerprint access authentication framework should be independent of the specific physical layer communication protocols of the IoT devices and should support all possible physical layer communication protocols.
c) The physical layer fingerprint access authentication framework should maintain the accuracy of the physical layer fingerprint extraction and identification mechanism in use.
d) The interface defined by the physical layer fingerprint access authentication framework should not require the IoT device access gateway of the original application system to supply additional physical layer configuration parameters.
The physical layer fingerprint access authentication framework should achieve the following non-functional objectives:
a) The physical layer fingerprint access authentication framework does not specify a particular physical layer fingerprint extraction and identification mechanism.
b) The interface defined by the physical layer fingerprint access authentication framework does not specify a particular interface access authentication mechanism; however, to avoid abuse of the defined interface, the necessary security authentication shall exist between the physical layer fingerprint access authentication device and the IoT device access gateway of the application system.
c) The physical layer fingerprint access authentication framework is independent of any specific operating system or platform, although the implementation of the physical layer fingerprint access authentication device may be tied to a specific operating system or platform.
d) The interfaces defined by the physical layer fingerprint access authentication framework should enable integration with legacy systems.
The structure of the physical layer fingerprint access authentication framework is shown in Fig. 1. The physical layer fingerprint access authentication is composed of two parts: the physical layer fingerprint authentication device and the IoT device access gateway. The physical layer fingerprint authentication device adopts a distributed architecture and can simultaneously serve multiple IoT devices accessing the gateway.
The main function of the physical layer fingerprint authentication device is to complete the extraction and authentication of the fingerprint of the IoT device through some identity authentication mechanism, and to submit the authentication result in the form of an assertion to the IoT device access gateway. The physical layer fingerprint authentication device does not restrict the specific identity authentication mechanism; it only provides a unified interface, and the specific authentication interaction with the IoT device is completed by the implementation of each authentication mechanism itself. The physical layer fingerprint authentication device corresponds to the verifier in the authentication model of [I-D.dawei-access-authentication-physical-layer].
The IoT device access gateway interacts with the physical layer fingerprint authentication device to assist in the authentication of IoT devices accessing the main network of the application system. The IoT device access gateway and the application system together correspond to the relying party in the authentication model of [I-D.dawei-access-authentication-physical-layer].
The communication between the IoT device access gateway and the physical layer fingerprint authentication device is by default protected by a trusted channel. If the application system and the physical layer fingerprint authentication device are integrated together, i.e., the verifier and the relying party are a single entity, this trusted channel is the internal data transmission within the system. If the application system and the physical layer fingerprint authentication device are located in different systems and communicate with each other remotely, this trusted channel is an encrypted channel between them.
The physical layer fingerprint authentication device requests the full whitelist of IoT devices from the IoT device access gateway through this interface. Based on the full whitelist, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for all whitelisted devices.
The physical layer fingerprint authentication device requests the incremental whitelist of IoT devices from the IoT device access gateway through this interface. Based on the incremental whitelist, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for the newly added whitelisted devices.
When the physical layer fingerprint authentication device determines that the status of a device in the whitelist has changed from legal to illegal, this authentication result should be submitted to the IoT device access gateway through this interface; the IoT device access gateway then adds the device to the blacklist and intercepts it.
When the physical layer fingerprint authentication device determines that the status of a device in the whitelist has changed from illegal to legal, this authentication result should be submitted to the IoT device access gateway through this interface; the IoT device access gateway then removes the device from the interception blacklist.
This interface needs to provide the following requests and responses:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
Responses:
a) Full whitelist
The full set of data of the whitelisted IoT devices configured in the IoT device access gateway, generally including the device MAC address, IP address, etc.
b) Policy expiration time
The policy expiration time specifies the validity period of the whitelist; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.
This interface needs to provide the following requests and responses:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
Responses:
a) Incremental whitelist
The incremental whitelist data of the IoT devices configured in the IoT device access gateway, generally including the device MAC address, IP address, etc.
b) Policy expiration time
The policy expiration time specifies the validity period of the whitelist; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.
This interface needs to provide the following requests and responses:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
c) Device information
Information on the device to be blacklisted, generally including the device MAC address, IP address, etc.
d) Authentication result
The current authentication result.
Responses:
a) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
b) Policy expiration time
The policy expiration time specifies the validity period of the whitelist; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.
c) Device information
Information on the device just blacklisted, generally including the device MAC address, IP address, etc.
This interface needs to provide the following requests and responses:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
c) Device information
Information on the device to be removed from the blacklist, generally including the device MAC address, IP address, etc.
d) Authentication result
The current authentication result.
Responses:
a) Gateway identifier
The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.
b) Policy expiration time
The policy expiration time specifies the validity period of the whitelist; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.
c) Device information
Information on the device just removed from the blacklist, generally including the device MAC address, IP address, etc.
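The following is an added example, not code from the draft or its authors, that models the four interfaces above (full whitelist, incremental whitelist, blacklist submission and blacklist withdrawal) between the physical layer fingerprint authentication device (the verifier) and the IoT device access gateway (the relying party). It also shows the two checks a practitioner would add around the messages: the interface authentication that the non-functional objective b) requires but does not specify (here an HMAC over each message with a key shared over the trusted channel, an assumption of this example), and the verifier refusing to authenticate against a whitelist whose policy expiration time has passed. The JSON field names, the protocol version value, the sample MAC and IP addresses and the "legal"/"illegal" result strings are constructed for the example; the draft names the fields but fixes no encoding.

```python
# Added example (not part of the draft): the verifier/gateway interfaces of the
# physical layer fingerprint access authentication framework, with HMAC-based
# interface authentication and policy expiration handling. Field names, the
# version string and the sample devices are assumptions of this example.
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

PROTOCOL_VERSION = "1.0"  # assumed value; the draft names the field but not a version


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str


def sign(key: bytes, payload: dict) -> dict:
    """Attach an HMAC-SHA256 tag so the peer can authenticate the interface message."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key: bytes, msg: dict) -> dict:
    """Return the payload if the tag is valid; reject the message otherwise."""
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise PermissionError("interface message failed authentication")
    return msg["payload"]


class Gateway:
    """IoT device access gateway: owns the whitelist and the interception blacklist."""

    def __init__(self, gateway_id: str, key: bytes, policy_ttl: int):
        self.gateway_id, self.key, self.policy_ttl = gateway_id, key, policy_ttl
        self.whitelist: List[Device] = []
        self.blacklist = set()
        self._sent = 0  # whitelist entries already delivered to the verifier

    def add_whitelisted(self, dev: Device) -> None:
        self.whitelist.append(dev)

    def _accept(self, msg: dict) -> dict:
        req = verify(self.key, msg)
        if req["protocol_version"] != PROTOCOL_VERSION or req["gateway_identifier"] != self.gateway_id:
            raise ValueError("protocol version or gateway identifier mismatch")
        return req

    def _reply(self, now: int, **fields) -> dict:
        return sign(self.key, {"gateway_identifier": self.gateway_id,
                               "policy_expiration_time": now + self.policy_ttl, **fields})

    def full_whitelist(self, msg: dict, now: int) -> dict:
        self._accept(msg)
        self._sent = len(self.whitelist)
        return self._reply(now, full_whitelist=[asdict(d) for d in self.whitelist])

    def incremental_whitelist(self, msg: dict, now: int) -> dict:
        self._accept(msg)
        added, self._sent = self.whitelist[self._sent:], len(self.whitelist)
        return self._reply(now, incremental_whitelist=[asdict(d) for d in added])

    def blacklist_device(self, msg: dict, now: int) -> dict:
        req = self._accept(msg)
        self.blacklist.add(req["device_information"]["mac"])  # intercept the device
        return self._reply(now, device_information=req["device_information"])

    def unblacklist_device(self, msg: dict, now: int) -> dict:
        req = self._accept(msg)
        self.blacklist.discard(req["device_information"]["mac"])
        return self._reply(now, device_information=req["device_information"])


class Verifier:
    """Physical layer fingerprint authentication device (the verifier)."""

    def __init__(self, gateway_id: str, key: bytes):
        self.gateway_id, self.key = gateway_id, key
        self.whitelist: Dict[str, Device] = {}
        self.status: Dict[str, str] = {}  # last authentication result per MAC
        self.policy_expiration_time = 0

    def _request(self, **fields) -> dict:
        return sign(self.key, {"protocol_version": PROTOCOL_VERSION,
                               "gateway_identifier": self.gateway_id, **fields})

    def _take(self, msg: dict, key: str) -> List[Device]:
        rsp = verify(self.key, msg)
        self.policy_expiration_time = rsp["policy_expiration_time"]
        devs = [Device(**d) for d in rsp.get(key, [])]
        for d in devs:
            self.whitelist[d.mac] = d
            self.status.setdefault(d.mac, "legal")  # whitelisted devices start as legal
        return devs

    def sync_full(self, gw: Gateway, now: int) -> List[Device]:
        self.whitelist.clear()
        return self._take(gw.full_whitelist(self._request(), now), "full_whitelist")

    def sync_incremental(self, gw: Gateway, now: int) -> List[Device]:
        return self._take(gw.incremental_whitelist(self._request(), now), "incremental_whitelist")

    def report(self, gw: Gateway, mac: str, result: str, now: int) -> Optional[str]:
        """Submit an assertion only on a status change and only while the policy is valid."""
        if now > self.policy_expiration_time or mac not in self.whitelist:
            return None  # stale whitelist or unknown device: re-sync before authenticating
        previous, self.status[mac] = self.status.get(mac), result
        if previous == result:
            return None
        req = self._request(device_information=asdict(self.whitelist[mac]), authentication_result=result)
        if result == "illegal":
            rsp = verify(self.key, gw.blacklist_device(req, now))
        else:
            rsp = verify(self.key, gw.unblacklist_device(req, now))
        self.policy_expiration_time = rsp["policy_expiration_time"]
        return "blacklisted" if result == "illegal" else "unblacklisted"
```

The verifier first calls `sync_full`, then `sync_incremental` as the gateway's whitelist grows, and `report` whenever the fingerprint mechanism changes its verdict for a device; `report` maps a legal-to-illegal transition to the blacklist interface and the reverse transition to the withdrawal interface, and stays silent when nothing changed or the policy has expired. Over a real deployment the shared key would be provisioned over the trusted channel described earlier, and the `now` parameter would be the device clock.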
This document includes no request to IANA.
This section addresses only the security considerations associated with the use of the physical layer fingerprint access authentication framework. It is necessary to ensure that the IoT device access gateway and the physical layer fingerprint authentication device operate in a secure and trusted environment.