Hannes Tschofenig

Personal blog about various IETF and Internet related activities

 
 
Dec 23, 2015

Last week Simon Lemay and I gave a tutorial about the Lightweight Machine-to-Machine (LWM2M) standard developed by the Open Mobile Alliance (OMA) to participants from the IETF ACE working group.

LWM2M offers several features that are relevant for Internet of Things security and also for the work in the IETF ACE working group, such as

  • Software Updates
  • Distribution of keys and access control policies (during a process called bootstrapping in the specification)
  • Remote Device and Application Configuration
  • Diagnostics

In summary, LWM2M is a device lifecycle management solution that builds on IETF protocols designed to be lightweight, such as CoAP, various CoAP extensions (such as Resource Directory), and DTLS.

Our slide deck should give you an idea what we have been talking about.

You can also download the PPTX version of the slides from here.

We also recorded the webinar and you can find it here. (The recording was done using Cisco’s Webex and the video was then converted to MP4 using the Cisco provided Network Recording Player.)

The OMA LWM2M specification has been around for a while and therefore various testfests (i.e., interoperability events) have been held already. Another one is coming next month — more information can be found at http://openmobilealliance.org/event/oma-testfest-sandiego/.

Dec 22, 2015

During the second week of November 2015 ARM TechCon took place in Santa Clara, California. The event is packed with presentations (from ARM and from partners) and new technology gets announced, such as the TrustZone for v8-M architecture. TrustZone for v8-M brings TrustZone functionality, which was previously available only to Cortex A class devices, to Cortex M class devices. Needless to say, this will lead to a huge security improvement.

In addition to all the exciting keynotes, tech talks, and tutorials, Samuel Erdtman and I presented a demo that utilized OAuth 2.0 for Internet of Things devices. Our architecture is simple to describe and is shown in the figure below. We used an OAuth 2.0 authorization server enhanced with the latest proof-of-possession key functionality (as developed in the IETF OAuth working group). This authorization server issued access tokens after a successful login of the user (and assuming it had been authorized for this particular door lock). The access token was then stored on an Android-based smart phone app, which used Bluetooth Smart to communicate with the door lock. The door lock is a product sold by Nexus Technology and has been enhanced with the Bluetooth Smart radio offered by a Nordic board. For the communication over Bluetooth Smart a custom service and profile was defined, as is common with many Bluetooth Smart-enabled devices.

To protect against attacks, the Android app utilized the symmetric key obtained from the authorization server and constructed a request using that key. In order for the door lock to verify the request it had to process and verify the received access token (which was in the JSON Web Token (JWT) format), extract the encrypted symmetric key, and utilize that symmetric key to verify the request. Note that we had indeed used the JSON-encoding instead of the more efficient CBOR/COSE encoding developed in the IETF COSE working group due to availability of code for the JWT functionality. Despite the size of the access token (in comparison to the MTU size of the Bluetooth Smart radio) the transmission was so fast that it was not noticeable to a human. While the Nordic board was only using a Cortex M0+ it had no problems with the symmetric key operations.

DoorLock ARM TechCon 2015
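
The token handling described above, as an added example that is not the demo's source code: a Node.js sketch in which the authorization server issues a JWT carrying an encrypted symmetric key, the app MACs its request with that key, and the lock verifies both. Assumptions not taken from the post: the token is HMAC-signed (HS256), AES-256-GCM stands in for the key encryption, the `cnf` claim layout is simplified, the lock sends a fresh challenge, and all key and function names are hypothetical.

```javascript
// Added example: OAuth 2.0 proof-of-possession (PoP) flow for a door lock.
// Keys, claim layout and function names are constructed for illustration.
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const unb64u = (text) => Buffer.from(String(text), 'base64url');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();
const sameBytes = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

// Long-term secrets shared by the authorization server (AS) and the lock.
const AS_SIGN_KEY = crypto.randomBytes(32);   // authenticates the token (HS256)
const LOCK_WRAP_KEY = crypto.randomBytes(32); // encrypts the per-token PoP key

// AS: issue a JWT whose "cnf" claim holds the PoP key encrypted for the lock.
function issueToken(user, lockId, nowSec, ttlSec = 300) {
  const popKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', LOCK_WRAP_KEY, iv);
  const ct = Buffer.concat([cipher.update(popKey), cipher.final()]);
  const claims = {
    sub: user, aud: lockId, exp: nowSec + ttlSec,
    cnf: { iv: b64u(iv), ct: b64u(ct), tag: b64u(cipher.getAuthTag()) },
  };
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = b64u(JSON.stringify(header)) + '.' + b64u(JSON.stringify(claims));
  const token = signingInput + '.' + b64u(hmac(AS_SIGN_KEY, signingInput));
  return { token, popKey }; // the app receives both over its channel to the AS
}

// App: MAC the command together with the lock's fresh challenge.
function buildRequest(token, popKey, challenge, command) {
  return { token, command, mac: b64u(hmac(popKey, challenge + '|' + command)) };
}

// Lock: returns 'ok' or the reason for rejecting the request.
function verifyRequest(req, lockId, challenge, nowSec) {
  const parts = String(req.token).split('.');
  if (parts.length !== 3) return 'malformed token';
  const [h, p, sig] = parts;
  // The algorithm is fixed by the lock, never chosen from the token header.
  if (!sameBytes(unb64u(sig), hmac(AS_SIGN_KEY, h + '.' + p))) return 'bad token signature';
  let header, claims;
  try {
    header = JSON.parse(unb64u(h).toString());
    claims = JSON.parse(unb64u(p).toString());
  } catch { return 'malformed token'; }
  if (header.alg !== 'HS256') return 'unexpected alg';
  if (claims.aud !== lockId) return 'token not for this lock';
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return 'token expired';
  let popKey;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', LOCK_WRAP_KEY, unb64u(claims.cnf.iv));
    d.setAuthTag(unb64u(claims.cnf.tag));
    popKey = Buffer.concat([d.update(unb64u(claims.cnf.ct)), d.final()]);
  } catch { return 'cannot recover PoP key'; }
  const expected = hmac(popKey, challenge + '|' + String(req.command));
  return sameBytes(unb64u(req.mac), expected) ? 'ok' : 'bad request MAC';
}

// Constructed walk-through: one good request and four that must be refused.
function demo() {
  const now = 1700000000;
  const { token, popKey } = issueToken('alice', 'lock-1', now);
  const challenge = crypto.randomBytes(8).toString('hex');
  const good = buildRequest(token, popKey, challenge, 'unlock');
  const noKey = buildRequest(token, crypto.randomBytes(32), challenge, 'unlock');
  return {
    holderOfKey: verifyRequest(good, 'lock-1', challenge, now + 10),
    tokenWithoutKey: verifyRequest(noKey, 'lock-1', challenge, now + 10),
    replayedMac: verifyRequest(good, 'lock-1', 'a-later-challenge', now + 10),
    otherLock: verifyRequest(good, 'lock-2', challenge, now + 10),
    expired: verifyRequest(good, 'lock-1', challenge, now + 301),
  };
}

console.log(demo());
```

A captured access token alone is not enough to open the lock: without the symmetric key the request MAC fails, and a MAC recorded for one challenge fails under the next.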

To offer more details we also produced a slide deck that explained the relevant technologies in more detail.

We are planning to release our source code so that others can use the implementation as a basis for their prototypes. We are currently working on a CBOR/COSE-based version (thereby replacing the JSON-based encoding of the access token) and we would also like to see how a version using public key cryptography would perform.

OAuth 2.0 helped us to solve a common problem in the Internet of Things environment, namely authorization and access control, using an already standardized protocol framework.

Here are some pictures from the mbed booth where we showed our demo to interested parties.

ARM TechCon 2015 mbed Booth with Door Lock

Door Lock

Aug 25, 2015

Earlier this year I presented some performance results to the IETF LWIG working group. Here is the slide deck I presented to the community.

The slides are also available for download.

The idea of my presentation at the Dallas IETF meeting was to get others to enhance the performance investigations to gain a better idea of what can be expected when using state-of-the-art crypto in IETF protocols as part of their IoT platform. The results could be summarized in an IETF draft, such as in the IETF TLS minimal draft of the LWIG group.

Subsequently, I also worked with my co-worker Manuel on a submission to the NIST lightweight cryptography workshop where we summarized our work. The submission summarizes the main findings.


The paper is also available for download.

It turns out to be difficult to find someone who is interested in doing some performance analysis.

Here is what I believe we need:

  • Verification of the existing results.
  • More data from other crypto libraries (or even DTLS/TLS stacks).
  • Tests run on other hardware platforms (such as the Cortex M7).
  • Tests beyond performance, such as RAM usage, flash size, etc.
  • Tests that focus on other algorithms.

If you are interested in this topic and would like to contribute to the work please drop me an email (Hannes.Tschofenig AT arm.com) or contact me via Skype (HannesTschofenig). I am also happy to take a look at prior work you did.

I am convinced it is useful for many engineers and researchers to know how fast the currently available algorithms are on modern IoT hardware.

Apr 3, 2015

Dave Thaler, Mary Barnes, and I had the honor to talk to the participants of the IETF#92 meeting in Dallas/Texas about the recently published Smart Object Architecture document, see RFC 7452. The presentation was given during the technical plenary of the Internet Architecture Board (IAB).

A recording of the talk was produced for remote participants.

The slide deck below contains many links to articles offering additional background material. If you encounter problems with the links embedded in the PDF file distributed as part of the IETF meeting proceedings please use the PowerPoint slides instead (those are available for download). We hope that those will be useful for you to educate the community about the messages conveyed in RFC 7452 and the need to take security and privacy in Internet of Things / Smart Object deployments into account.

 

 

Jan 16, 2015

IIW Meeting Room at the Computer History Museum
Picture of the meeting venue at the Computer History Museum
taken before the show started.

 

When I attended the last Internet Identity workshop in Mountain View, California, Justin Richer gave an OpenID Connect tutorial. I decided to record it since it could be useful for others as well. While my camera ran out of power half-way through the tutorial I believe Justin got the core idea across (and most of the discussion that followed afterwards got skipped).

Anyway, here are the two videos:

OpenID Connect Tutorial (1/2)

OpenID Connect Tutorial (2/2)

More info about OpenID Connect can be found at http://openid.net/connect/.

Internet Identity Workshop
Unconferences, like the IIW, require re-creating
a new agenda every day. A wall with cards is used by
the participants to arrange a satisfactory schedule. 

Jan 10, 2015

[Warning: This is not one of my IETF/Internet standardization blog posts.]

It is known to many that I like running; I also talk about it, show pictures from various running events, and offer recommendations. Hence, it is not unreasonable to ask me what recommendations I can offer for someone who wants to start running. Since I got that question a couple of times already I thought I should write a few notes down, as a reference.

It is actually quite simple. So, here are my suggestions:

1) Go to a sports doctor first.

Regardless of how old you are and how fit you believe you are, schedule a visit to a sports doctor. Your motivation to start running will likely vary but you at least want to find out whether there is any problem with your gait. This will also help you to better know what types of shoes to buy since you might need shoes with special insoles or shoes with support for overpronation. Of course, it helps to know if there are some other (potentially not yet known) health issues. The latter part is particularly important if you are older and/or overweight. This initial step will help you to prevent all sorts of injuries later, which will inevitably show up as you increase your mileage and intensity (even though you cannot imagine that right now). The money (if you have to pay something at all) will be well spent.

Don’t just take the short-cut and use one of these ‘we will find your right shoe’ services at fairs or sport shops. They are “nice” but are often done by people with no idea what they are doing.

Finding a suitable sports doctor might be a challenge but you want to search for someone with an education in sport medicine/orthopaedic medicine. Maybe you even find someone who is focused on training athletes. That might sound like an overkill since you are just starting and you are an amateur (and not a professional) but the underlying issues are the same and you can benefit from the expertise gained with professionals.

2) Sign up at a gym (and go there).

This again might surprise you but you need to work on your muscles since running is a full-body sport. You need to improve your muscles at the core of your body (which will most likely be under-developed anyway). You need to strengthen your muscles of the stomach and the back. You will also have to work on your lower part of the body since you want to increase stability.

It is a common misconception that running will already ensure that these other muscles are trained. They are not. If you do not train these muscles you will get injured more easily and you will most likely have pain at different parts of your body (including back, hip, knee, bottom, etc.). Funny enough you will get the pain with a bit of time delay, which makes it very difficult to figure out what the exact reason was. Also, the pain may appear at a place you do not assume (due to the complex structure of the body). In any case, I think this advice is particularly important if you run on trails and in mountains.

3) Get good shoes (and many of them).

Obviously, you will have to buy running shoes. Which shoes to buy will depend on the terrain you are most likely to run in. I would strongly suggest that you run in all terrains and during the entire year (all weather conditions). Why? First, it is less boring and second your body (and particularly your feet) do not get used to a particular style of ground (like road running on asphalt or concrete).

Different types of shoes offer very different properties. Shoes for road running offer little traction support but lots of cushion. Shoes for running mountains will need much more traction (and maybe less cushion, particularly if you are using them only for uphill running). Running during the winter in a cold climate with snow and ice will require shoes with spikes and with insulation (so that your feet do not feel numb after 30 minutes of running). As said earlier you will also have to take your posture assessment into account when buying shoes.

Why do I suggest that you buy many pairs? This is part of the ‘provide variation for your body’ story. First, you will hopefully run on different terrain (as suggested earlier) and second even running on the same terrain with different types of shoes will give you a very different experience (and the same is true for your feet as well). Running with minimalistic shoes one day and with regular road running shoes the other day on the same route will feel very different.

If you have the chance to add trail running to your routine then you want shoes that do not cause you to slip. You might also want some protection against sharp rocks, tree roots, or other stuff.

Note that it is perfectly fine to walk some parts of your running route, particularly if the elevation makes it difficult for you to run the entire course. It is not a shame to walk (even for a runner). With ultra-marathon running you will see everyone (except for the world leading professionals) walking uphill to save energy for the later part of the race.

Here is what I am currently using:

Winter Running Shoe

  • Icebug DTS Dri BUGrip

I use this shoe in the winter since it has both studs in the sole and is water resistant. While you can buy products where you can put spikes over your shoes when you need that extra grip those do not give running shoes any water resistance (of course). However, the mesh used by most running shoes offers maximum ventilation to let moisture escape. Unfortunately, this is not very useful for the winter since your feet will be frozen (or at least feel very uncomfortable) even during a short run. Waterproof socks, like those offered by SealSkinz, will give you an extra layer of protection but require your shoes to be bought one size larger (at least) to accommodate for the extra layer of socks. I use SealSkinz socks in addition to Injinji sock liners.

Trail/Mountain Running Shoes

  • Icebug ANIMA BUGrip
  • Icebug Acceleritas 2
  • Innov 8 X Talon 212
  • Salomon Speedcross 3

Since I run a lot on trails I have a number of trail running shoes. For running mountains (uphill only) my favorite is the Innov 8 shoe since it has excellent grip. The Icebug Anima BUGrip is the best since it has lots of studs in the sole and also delivers excellent grip on nearly every terrain. Of course, you don’t want to use it on the road since you would ruin the studs fairly quickly. I use this shoe both in the summer and in the winter. I like it so much that I bought several pairs of it.

Road Running Shoes

  • ASICS Gel Nimbus 14
  • Brooks Trance 10

There is not much to say about road running shoes. They may offer overpronation support (if you need it) and typically have a fair amount of cushion to deal with impact of running on a hard surface.

Long Distance Running Shoes

  • Brooks Cascadia 8
  • Hoka One One Stinson B

My favorite here is the Brooks Cascadia and I bought it twice since it worked so well for me in ultra-marathons. While it is said to be a trail running shoe I don’t really see it as such since it completely fails you once the ground is wet. I am looking forward to trying the Brooks PureGrit 3 in the near future since it is said to have much better grip.

Minimalistic Running Shoes

  • New Balance Minimus
  • Vibram FiveFinger
  • Saucony Kinvara

I use these shoes only to improve my running style. I have never used them in a race but I did use them in pretty much every terrain (except for mud). They are fun to try but be careful to start slowly since your feet will need time to get used to them.

3) Nutrition.

Of course, everyone will tell you to eat healthy. Nothing to add to that. If you are not overweight then you will find it easier to run. But don’t get fooled: if you are losing too much weight then you might just run into problems as well. So, try to maintain a healthy diet.

Various sports equipment, like sports watches and fitness bands, measure your calorie consumption and it might be easy to believe that you can now eat more since you do all this sport. If you use any of these devices you will notice one important thing: running is a very efficient sport (in terms of the calories you consume per hour compared to other sports like biking or swimming) but you will still be surprised how few calories you consume with a tough run. You should also know that these measurements are not really useful as absolute values since it is hard to measure energy consumption overall. Hence, if you use more than one device you will observe a huge variation. My conclusion after using them for years is that the measured calorie consumption is not really useful for anything. So, don’t get too obsessed about it or even use it as a way to plan your workouts.

Also, don’t be too focused on using energy gels or other products during runs (because advertising tells you to). If your run is too short (everything below 90 mins) then they will not really help you to improve your performance in my opinion. If you run longer than 90 mins then you should take some food with you and everything will basically work. Energy gels are not rocket fuel (even though they sometimes taste like that). Take a banana or a sandwich with you and you will be fine. Anything you like works (as long as it has carbohydrates).

Having something to drink with you is important since dehydration settles in fairly quickly (particularly if it is warm or windy). Water is good enough – you don’t need anything in the water (as long as you take in some additional minerals and salt). Again, this will really only matter if you do long runs (more than 90 mins).

4) Take it easy and have fun.

This is probably the most important advice. I hope you are running because you like it and not because you feel obligated to do it to impress your friends, lose weight, participate in certain running events, etc. Run when you feel like you should go running and enjoy the environment. Run where you see something nice, where you enjoy the scenery, or to meet like-minded persons. Don’t run if you feel fatigued or ill. Training plans are also mostly stupid. Running is more than just collecting miles (kilometers).

If you stay motivated (because you like it) then you will gain much more in the long term.

I also do not believe that you need to train for running events in particular. If you maintain a good fitness level over the entire year then you can just participate in any run that meets your current level. (Of course, it makes no sense to sign up to events that are just far beyond your current fitness level. For example, it is not a good idea to sign up to an ultra-marathon if you haven’t even run a marathon yet. I have seen people doing that and they even managed to finish the race but it was not a pleasant experience for them.)

Note, however, that I am not saying that you shouldn’t try to train along the course of a future running event. Many organizers publish the GPS tracks for their events and so it makes sense to run there prior to the race, if you have the chance to do so. Knowing the terrain you are going to run in a race will help you to know where the difficult segments are, and what the terrain looks like.

I personally like to participate in running events from time to time but I also like to create my own “adventures”. By adventures I mean I put my own running route together on the PC and then load it to my Garmin eTrex 20 and follow the route.

5) Gear.

Needless to say, you need additional equipment beyond running shoes. What exactly you need depends on things like the environment, the weather, the season, the duration of the run, etc. I think the sports watch is something to discuss since many manufacturers have now switched to a service model that requires you to upload all your training data to their website. Sometimes you cannot even configure all settings of your watch anymore without using their cloud services. That’s a bit crazy IMHO.

These watches provide an increasing number of features but some, as mentioned earlier, are not really exact measurements. So, it depends a lot on what functionality you are planning to use. I argue that most functionality is pretty useless except for the heart rate. Knowing the heart rate allows you to know in what intensity zone you are training and how long you will be able to sustain the pace. The heart rate data will only be meaningful if you know your minimum and maximum heart rate and your threshold between the anaerobic and the aerobic zone. You will learn this information when you do your test at the sports doctor (see item #1). This data will vary also between different types of sport and quite naturally between persons. So, don’t compare the absolute heart rate values with your friends. It will be a meaningless comparison!

I have been using sports watches for many years already and I have come to the conclusion that I am actually using very few of their features. The raw data is often uninteresting (such as number of kilometers per run, per week, or per month) and more sophisticated numbers (such as Training Effect, EPOC, or fitness level indicators) often have an unknown meaning (i.e., the sports equipment manufacturers or software providers don’t explain enough to you so that you could compute the values on your own). There is always some “secret sauce” in those algorithms. So, you might initially be excited about the specific numbers the watch/program calculates for a specific run but then over time you will notice that these numbers are often counter-intuitive. Some sports watches and training programs recommend workouts or indicate the required recovery period. I have been puzzled so many times about the suggestions or indicated values that I have a hard time believing in those anymore (particularly since the vendors do not disclose their algorithms and often do not even provide a meaningful description of their semantics). Either these vendors assume that you have a PhD in sports medicine (and you are already familiar with the state of the art of the literature) or they assume that you will never understand it anyway.

I stop the rant about sports watches here and let you decide.

Let me switch to the more useful gear and show you what I use. Note that I use this equipment for longer runs in the Austrian mountains. If you run elsewhere you will need to adjust appropriately. (You will quickly see why I don’t agree that running is a cheap sport….)

  • Jacket: I use several jackets depending on the weather condition and the time of the year. During the summer I always take a windbreaker jacket with me. Those are fairly lightweight and give you good protection. With bad weather or in the winter I also take a waterproof jacket with me. I use a jacket from Marmot with a hood. The brand name does not really matter since these waterproof jackets appear to be very similar (maybe I am wrong).
  • Trousers: I prefer to use compression long tights from SKINS even during the summer. First, in the mountains it is always a bit colder and the long tights protect my legs against injuries (when running cross country). Second, the compression gives me a more robust feeling. I also run in shorts, for example the X-BIONIC compression shorts.
  • T-Shirts: Buy a selection of t-shirts with short and long sleeves. You will obviously want to pick a shirt that is suitable for running. There is a wide range of different styles available and you will have to figure out what you like. In many cases, you will also get t-shirts at races (often included in the registration fee) and those are nice since they remind you about past events.
  • Headlamp and Flash Light: When you run in the dark you obviously need a headlamp and/or a flash light. I use both whereby the flash light is a backup. After long research I have decided to buy the Fenix PD35, which has 960 Lumen and is fairly lightweight. I use them with 18650 Li-ion batteries. Picking a headlamp is actually fairly easy IMHO: just pick Lupine Neo X2 or Piko X4. I tried the Piko X4 and it is just perfect. The 1200 Lumen give you great visibility, and it is so lightweight (with the small battery) that you barely notice it. (There is the negative side-effect when it comes to the price though…)
  • Gloves. I often take my waterproof SealSkinz gloves with me. When it is really cold then I also use the Pearl iZUMi P.R.O. Softshell Lobster winter gloves. They even keep you warm when you go cycling in the winter in Finland.
  • Hat, cap or bandana. I always use a hat, cap or bandana (Buff) to avoid having sweat in my face and to deal with the sun, wind, cold temperatures. I use a Buff to protect against inhaling cold air but also to protect my neck.
  • First aid kit + rescue whistle and survival blanket: You never know when you need it.
  • Running backpack: I use two running backpacks, namely the Salomon S-Lab Advanced Skin Hydro 12 and the Raidlight Ultra Olmo 12L. The Salomon backpack has a great fit (i.e., it does not move around) and has enough pockets and zippers. The Salomon backpack also comes with a whistle and a survival blanket (if I remember correctly). The downside is that it is fairly small. While it is supposed to have a volume of 12l I really doubt that. The Raidlight Ultra Olmo 12L also has a volume of 12l and I can fit twice as much stuff in there. There is, however, a downside to the Raidlight backpack: the fabric they have chosen creates friction and will ruin most of your clothes. Don’t buy it until they have fixed that problem. I still use it after I found out what jackets and what t-shirts work with it (after I managed to destroy several). Both of the backpacks allow you to put water flasks in the front. The Raidlight backpack also came with two water bottles.
  • Camera: I often take a camera with me to take pictures and movies of places that look interesting. Of course, there are many of those when you go for a run (particularly in the morning or the evening). The camera I use is an Olympus Tough TG-2. It is fairly lightweight, has a decent spec, and is waterproof, shockproof, crushproof, freezeproof, and dustproof. It does not have any movable parts that can break.
  • Phone. I take the phone with me in case of an emergency (for nothing else). I don’t listen to music while I run since I want to pay attention to the environment and prefer not to get distracted.
  • GPS: I use the eTrex 20 for navigation. I create my route at home using the Garmin Basecamp tool (sometimes using the routes published by race event organizers) and follow those routes. It is an extra device to carry around but it is fairly lightweight and it does what it is supposed to do. I carry it in my hand (and if I don’t need it put it back into one of the pockets of my backpack). It is waterproof, runs on ordinary AA batteries, and works very energy efficiently (unlike mobile phones). The user interface is old fashioned but works well with navigation. The eTrex 20 uses a joystick for navigation on the screen, which is pretty useful if you use gloves. Touch screens don’t work too well when the screen is wet (in case you are sweating or if it is raining) and touch screens also do not react nicely to gloves.
  • Trekking Poles: On steep hills and in mountains it is useful to have trekking poles with you. They help you increase your average speed and reduce the impact on your legs, knees, ankles, and feet. In many long trail runs you will notice that the majority uses trekking poles. I am quite happy with my Black Diamond Ultra Distance Z-Poles even though I rarely use them. These poles are fairly lightweight (=290 g/10.2 oz for the 120 cm size) since they are made of carbon fiber. The only downside with this model is that the poles are not adjustable in length.
  • Gaiters: I will write about those in another blog post since I have a love/hate relationship with gaiters.

I should also add that I always take a backup set of jacket, pants, t-shirt, and hat with me when I go on longer runs in the mountains. If you have to stop somewhere it only takes a few minutes to feel cold or even freeze. This is a long list (and a lot of stuff to carry), you will say. That’s correct but it is better to be prepared and carrying a little bit more isn’t such a big deal once you get used to it.

Note: For many (longer) trail runs most of the above listed equipment is mandatory. Hence, you will need to buy it if you want to participate in some of those runs.

There is a lot more to say but I stop here for now.

Dec 8, 2014

[UPDATED: 14. January 2015]

In early 2014 we organized a couple of webinars to hear about technologies that can authenticate Internet of Things devices and control access to resources. We learned more about OAuth, Kerberos, and the PKI/certificate model; all talks have been recorded and can be found at http://www.tschofenig.priv.at/wp/?p=1012

In a recent chat with Eve Maler, who co-chairs the Kantara User-Managed Access (UMA) working group, she volunteered to explain their ongoing work to us. Eve is employed by Forgerock, a company developing identity management solutions, and has been working in the identity management space for a very long time.

UMA is a profile and application of OAuth that defines how resource owners can control resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy. Recent investigations have shown promise for applying UMA to Internet of Things authorization use cases.

The webinar took place on January 13th 2015 at 8am PST.

The slides and the recording in arf and in mp4 format are available for download.



