OAuth 2.0 for Internet of Things
During the second week of November 2015, ARM TechCon took place in Santa Clara, California. The event is packed with presentations (from ARM and from partners), and new technology gets announced, such as the TrustZone for v8-M architecture. TrustZone for v8-M brings TrustZone functionality, which was previously available only to Cortex A class devices, to Cortex M class devices. Needless to say, this will lead to a huge security improvement.
In addition to all the exciting keynotes, tech talks, and tutorials, Samuel Erdtman and I presented a demo that utilized OAuth 2.0 for Internet of Things devices. Our architecture is simple to describe and is shown in the figure below.
We used an OAuth 2.0 authorization server enhanced with the latest proof-of-possession key functionality (as developed in the IETF OAuth working group). This authorization server issued access tokens after a successful login of the user (and assuming it had been authorized for this particular door lock). The access token was then stored on an Android-based smart phone app, which used Bluetooth Smart to communicate with the door lock. The door lock is a product sold by Nexus Technology and has been enhanced with the Bluetooth Smart radio offered by a Nordic board. For the communication over Bluetooth Smart a custom service and profile was defined, as is common with many Bluetooth Smart-enabled devices.
To protect against attacks, the Android app utilized the symmetric key obtained from the authorization server and constructed a request using that key. In order for the door lock to verify the request, it had to process and verify the received access token (which was in the JSON Web Token (JWT) format), extract the encrypted symmetric key, and utilize that symmetric key to verify the request.
Note that we had indeed used the JSON encoding instead of the more efficient CBOR/COSE encoding developed in the IETF COSE working group, due to the availability of code for the JWT functionality. Despite the size of the access token (in comparison to the MTU size of the Bluetooth Smart radio), the transmission was so fast that it was not noticeable by a human. Although the Nordic board was only using a Cortex M0+, it had no problems with the symmetric key operations.
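The lock-side check described above (verify the token, unwrap the symmetric key, verify the request) can be sketched as follows; this is an added example, not the demo's source code. It assumes an HS256-signed token whose signing key and key-encryption key are shared between authorization server and lock, a hypothetical layout inside the `cnf` claim, a stdlib stand-in for the key encryption, and a lock-issued challenge for replay protection, none of which are stated in the post.

```python
import base64, hashlib, hmac, json, os, time

def b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def mac(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()

def wrap(kek, nonce, key):
    # Stand-in for JWE key encryption (stdlib has no AES): XOR with an
    # HMAC-derived keystream. Applying it twice unwraps. Not for production.
    return bytes(a ^ b for a, b in zip(key, mac(kek, b"wrap" + nonce)))

def issue_token(as_key, kek, aud, ttl=60):
    """Authorization server: HS256 JWT carrying the wrapped PoP key."""
    pop_key, nonce = os.urandom(32), os.urandom(16)
    claims = {"aud": aud, "exp": int(time.time()) + ttl,
              # "cnf" is the RFC 7800 claim; its two members are hypothetical
              "cnf": {"nonce": b64(nonce), "wrapped": b64(wrap(kek, nonce, pop_key))}}
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    sig = b64(mac(as_key, f"{head}.{body}".encode()))
    return f"{head}.{body}.{sig}", pop_key  # pop_key reaches the app over TLS

def client_request(pop_key, command, challenge):
    """Phone app: MAC the command with the lock's fixed-length fresh challenge."""
    return mac(pop_key, challenge + command)

def lock_verify(as_key, kek, aud, token, command, challenge, tag):
    """Door lock: verify token, unwrap the key, verify the request MAC."""
    try:
        head, body, sig = token.split(".")
        # Algorithm is fixed by the lock, never chosen from the token header.
        if not hmac.compare_digest(mac(as_key, f"{head}.{body}".encode()), unb64(sig)):
            return False
        claims = json.loads(unb64(body))
        if claims["aud"] != aud or claims["exp"] < time.time():
            return False
        cnf = claims["cnf"]
        pop_key = wrap(kek, unb64(cnf["nonce"]), unb64(cnf["wrapped"]))
        return hmac.compare_digest(client_request(pop_key, command, challenge), tag)
    except (ValueError, KeyError, TypeError):
        return False  # malformed token: reject rather than crash
```

A captured token alone does not open the lock here: without the symmetric key the holder cannot produce a valid MAC over a new challenge.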
We also produced a slide deck that explains the relevant technologies in more detail.
We are planning to release our source code so that others can use the implementation as a basis for their prototypes. We are currently working on a CBOR/COSE-based version (thereby replacing the JSON-based encoding of the access token) and we would also like to see how a version using public key cryptography would perform.
OAuth 2.0 helped us to solve a common problem in the Internet of Things environment, namely authorization and access control, using an already standardized protocol framework.
Here are some pictures from the mbed booth where we showed our demo to interested parties.