BS ISO/IEC 30118-2:2018

$215.11

Information technology. Open Connectivity Foundation (OCF) Specification – Security specification

Published by: BSI
Publication date: 2018
Number of pages: 212

This specification defines the security objectives, philosophy, resources and mechanisms that affect the OCF base layers described in the OCF Core Specification. The OCF Core Specification contains only informative security content; the OCF Security Specification contains the normative security content and may also contain informative content related to the OCF base or other OCF specifications.

PDF Catalog

PDF page / Title (an entry without a page number starts on the same page as the preceding entry)
18 1 Scope
2 Normative References
19 3 Terms, Definitions, Symbols and Abbreviations
3.1 Terms and definitions
21 3.2 Symbols and Abbreviations
22 3.3 Conventions
23 4 Document Conventions and Organization
4.1 Notation
4.2 Data types
24 4.3 Document structure
25 5 Security Overview
27 5.1 Access Control
28 5.1.1 ACL Architecture
29 5.1.1.1 Use of local ACLs
5.1.1.2 Use of Access Manager Service
31 5.1.2 Access Control Scoping Levels
32 5.2 Onboarding Overview
34 5.2.1 OnBoarding Steps
35 5.2.2 Establishing a Device Owner
36 5.2.2.1 Preparing the Device for provisioning
5.2.3 Provisioning for Normal Operation
37 5.3 Provisioning
5.3.1 Provisioning a bootstrap service
5.3.2 Provisioning other services
38 5.3.3 Credential provisioning
5.3.4 Role assignment and provisioning
5.3.5 ACL provisioning
39 5.4 Secure Resource Manager (SRM)
5.5 Credential Overview
41 6 Security for the Discovery Process
6.1 Security Considerations for Discovery
44 7 Security Provisioning
7.1 Device Identity
7.1.1 Device Identity for Devices with UAID
45 7.1.1.1 Validation of UAID
46 7.2 Device Ownership
7.3 Device Ownership Transfer Methods
7.3.1 OTM implementation requirements
47 7.3.2 SharedKey Credential Calculation
48 7.3.3 Certificate Credential Generation
7.3.4 Just-Works Owner Transfer Method
49 7.3.4.1 Security Considerations
50 7.3.5 Random PIN Based Owner Transfer Method
7.3.5.1 Random PIN Owner Transfer Sequence
51 7.3.5.2 Security Considerations
52 7.3.6 Manufacturer Certificate Based Owner Transfer Method
7.3.6.1 Certificate Profiles
54 7.3.6.2 Certificate Owner Transfer Sequence Security Considerations
55 7.3.6.3 Manufacturer Certificate Based Owner Transfer Method Sequence
56 7.3.6.4 Security Considerations
7.3.7 Vendor Specific Owner Transfer Methods
7.3.7.1 Vendor-specific Owner Transfer Sequence Example
57 7.3.7.2 Security Considerations
7.3.8 Establishing Owner Credentials
68 7.3.9 Security considerations regarding selecting an Ownership Transfer Method
7.4 Provisioning
7.4.1 Provisioning Flows
69 7.4.1.1 Client-directed Provisioning
70 7.4.1.2 Server-directed Provisioning
72 7.4.1.3 Server-directed Provisioning Involving Multiple Support Services
74 7.5 Bootstrap Example
75 8 Device Onboarding State Definitions
76 8.1 Device Onboarding-Reset State Definition
77 8.2 Device Ready-for-OTM State Definition
8.3 Device Ready-for-Provisioning State Definition
78 8.4 Device Ready-for-Normal-Operation State Definition
8.5 Device Soft Reset State Definition
81 9 Security Credential Management
9.1 Credential Lifecycle
9.1.1 Creation
9.1.2 Deletion
9.1.3 Refresh
82 9.1.4 Revocation
9.2 Credential Types
9.2.1 Pair-wise Symmetric Key Credentials
9.2.2 Group Symmetric Key Credentials
83 9.2.3 Asymmetric Authentication Key Credentials
9.2.3.1 External Creation of Asymmetric Authentication Key Credentials
9.2.4 Asymmetric Key Encryption Key Credentials
84 9.2.5 Certificate Credentials
9.2.6 Password Credentials
9.3 Certificate Based Key Management
9.3.1 Overview
85 9.3.2 Certificate Format
9.3.2.1 Certificate Profile and Fields
87 9.3.2.2 Supported Certificate Extensions
89 9.3.2.3 Cipher Suite for Authentication, Confidentiality and Integrity
90 9.3.2.4 Encoding of Certificate
9.3.3 CRL Format
9.3.3.1 CRL Profile and Fields
91 9.3.3.2 Encoding of CRL
9.3.4 Resource Model
9.3.5 Certificate Provisioning
92 9.3.6 CRL Provisioning
95 10 Device Authentication
10.1 Device Authentication with Symmetric Key Credentials
10.2 Device Authentication with Raw Asymmetric Key Credentials
10.3 Device Authentication with Certificates
96 10.3.1 Role Assertion with Certificates
98 11 Message Integrity and Confidentiality
11.1 Session Protection with DTLS
11.1.1 Unicast Session Semantics
11.2 Cipher Suites
11.2.1 Cipher Suites for Device Ownership Transfer
11.2.1.1 Just Works Method Cipher Suites
11.2.1.2 Random PIN Method Cipher Suites
99 11.2.1.3 Certificate Method Cipher Suites
11.2.2 Cipher Suites for Symmetric Keys
11.2.3 Cipher Suites for Asymmetric Credentials
100 12 Access Control
12.1 ACL Generation and Management
12.2 ACL Evaluation and Enforcement
12.2.1 Host Reference Matching
12.2.2 Resource Type Matching
12.2.3 Interface Matching
12.2.4 Multiple Criteria Matching
101 12.2.5 Resource Wildcard Matching
102 12.2.6 Subject Matching using Wildcards
12.2.7 Subject Matching using Roles
12.2.8 ACL Evaluation
103 13 Security Resources
104 13.1 Device Owner Transfer Resource
109 13.1.1 OCF defined owner transfer methods
13.2 Credential Resource
115 13.2.1 Properties of the Credential Resource
13.2.1.1 Credential ID
13.2.1.2 Subject UUID
116 13.2.1.3 Role ID
13.2.1.4 Credential Type
13.2.1.5 Public Data
13.2.1.6 Private Data
13.2.1.7 Optional Data
13.2.1.8 Period
13.2.1.9 Credential Refresh Method Type Definition
117 13.2.1.1 Credential Usage
Credential Usage indicates to the Device the circumstances in which a credential should be used. Five values are defined:
- oic.sec.cred.trustca: This certificate is a trust anchor for the purposes of certificate chain validation, as defined in section 10.3.
- oic.sec.cred.cert: This credusage is used for certificates for which the Device possesses the private key and uses it for identity authentication in a secure session, as defined in section 10.3.
- oic.sec.cred.rolecert: This credusage is used for certificates for which the Device possesses the private key and uses it to assert one or more roles, as defined in section 10.3.1.
- oic.sec.cred.mfgtrustca: This certificate is a trust anchor for the purposes of the Manufacturer Certificate Based Owner Transfer Method, as defined in section 7.3.6.
- oic.sec.cred.mfgcert: This credusage is used for certificates for which the Device possesses the private key and uses it for authentication in the Manufacturer Certificate Based Owner Transfer Method, as defined in section 7.3.6.
13.2.2 Key Formatting
13.2.2.1 Symmetric Key Formatting
13.2.2.2 Asymmetric Keys
13.2.2.3 Asymmetric Keys with Certificate
13.2.2.4 Passwords
13.2.3 Credential Refresh Method Details
13.2.3.1.1 Provisioning Service
13.2.3.1.2 Pre-Shared Key
119 13.2.3.1.3 Random PIN
13.2.3.1.4 SKDC
13.2.3.1.5 PKCS10
120 13.2.3.2 Resource Owner
13.3 Certificate Revocation List
13.3.1 CRL Resource Definition
13.4 ACL Resources
13.4.1 OCF Access Control List (ACL) BNF defines ACL structures.
121 13.4.2 ACL Resource
131 13.5 Access Manager ACL Resource
13.6 Signed ACL Resource
13.7 Provisioning Status Resource
140 13.8 Certificate Signing Request Resource
141 13.9 Roles resource
142 13.10 Security Virtual Resources (SVRs) and Access Policy
13.11 SVRs, Discoverability and Endpoints
143 13.12 Privacy Consideration for Core and SVRs
145 14 Core Interaction Patterns Security
14.1 Observer
14.2 Subscription/Notification
14.3 Groups
14.4 Publish-subscribe Patterns and Notification
146 15 Security Hardening Guidelines / Execution Environment Security
15.1 Execution environment elements
15.1.1 Secure Storage
147 15.1.1.1 Hardware secure storage
148 15.1.1.2 Software Storage
15.1.1.3 Additional Security Guidelines and Best Practices
15.1.2 Secure execution engine
15.1.3 Trusted input/output paths
149 15.1.4 Secure clock
15.1.5 Approved algorithms
15.1.6 Hardware tamper protection
150 15.2 Secure Boot
15.2.1 Concept of software module authentication
151 15.2.2 Secure Boot process
15.2.3 Robustness requirements
152 15.2.3.1 Next steps
15.3 Attestation
15.4 Software Update
15.4.1 Overview
15.4.2 Recognition of Current Differences
15.4.3 Software Version Validation
15.4.4 Software Update
153 15.4.5 Recommended Usage
15.5 Non-OCF Endpoint interoperability
15.7 Security Levels
154 16 Appendix A: Access Control Examples
16.1 Example OCF ACL Resource
16.2 Example Access Manager Service
155 17 Appendix B: Execution Environment Security Profiles
156 18 Appendix C: RAML Definition
A.1 OICSecurityAclResource
A.1.1 Introduction
A.1.2 Example URI
A.1.3 Resource Type
A.1.4 RAML Definition
160 A.1.5 Property Definition
A.1.6 CRUDN behavior
A.2 OICSecurityAcl2Resource
A.2.1 Introduction
A.2.2 Example URI
161 A.2.3 Resource Type
A.2.4 RAML Definition
165 A.2.5 Property Definition
A.2.6 CRUDN behavior
A.2.7 Referenced JSON schemas
A.2.8 oic.sec.didtype.json
A.2.9 Property Definition
A.2.10 Schema Definition
A.2.11 oic.sec.ace2.json
A.2.12 Property Definition
166 A.2.13 Schema Definition
168 A.2.14 oic.sec.roletype.json
A.2.15 Property Definition
A.2.16 Schema Definition
A.2.17 oic.sec.time-pattern.json
A.2.18 Property Definition
A.2.19 Schema Definition
169 A.2.20 oic.sec.crudntype.json
A.2.21 Property Definition
A.2.22 Schema Definition
170 A.3 OICSecurityAmaclResource
A.3.1 Introduction
A.3.2 Example URI
A.3.3 Resource Type
A.3.4 RAML Definition
173 A.3.5 Property Definition
A.3.6 CRUDN behavior
A.4 OICSecuritySignedAclResource
A.4.1 Introduction
A.4.2 Example URI
A.4.3 Resource Type
A.4.4 RAML Definition
179 A.4.5 Property Definition
A.4.6 CRUDN behavior
A.4.7 Referenced JSON schemas
A.4.8 oic.sec.sigtype.json
A.4.9 Property Definition
A.4.10 Schema Definition
180 A.5 OICSecurityDoxmResource
A.5.1 Introduction
A.5.2 Example URI
A.5.3 Resource Type
A.5.4 RAML Definition
184 A.5.5 Property Definition
185 A.5.6 CRUDN behavior
A.5.7 Referenced JSON schemas
A.5.8 oic.sec.doxmtype.json
A.5.9 Property Definition
A.5.10 Schema Definition
A.5.11 oic.sec.credtype.json
A.5.12 Property Definition
A.5.13 Schema Definition
186 A.6 OICSecurityPstatResource
A.6.1 Introduction
A.6.2 Example URI
A.6.3 Resource Type
A.6.4 RAML Definition
190 A.6.5 Property Definition
191 A.6.6 CRUDN behavior
A.6.7 Referenced JSON schemas
A.6.8 oic.sec.dostype.json
A.6.9 Property Definition
A.6.10 Schema Definition
192 A.6.11 oic.sec.dpmtype.json
A.6.12 Property Definition
A.6.13 Schema Definition
A.6.14 oic.sec.pomtype.json
A.6.15 Property Definition
193 A.6.16 Schema Definition
A.7 OICSecurityCredentialResource
A.7.1 Introduction
A.7.2 Example URI
A.7.3 Resource Type
A.7.4 RAML Definition
197 A.7.5 Property Definition
A.7.6 CRUDN behavior
A.7.7 Referenced JSON schemas
A.7.8 oic.sec.roletype.json
A.7.9 Property Definition
198 A.7.10 Schema Definition
A.7.11 oic.sec.credtype.json
A.7.12 Property Definition
A.7.13 Schema Definition
199 A.7.14 oic.sec.pubdatatype.json
A.7.15 Property Definition
A.7.16 Schema Definition
A.7.17 oic.sec.privdatatype.json
A.7.18 Property Definition
200 A.7.19 Schema Definition
A.7.20 oic.sec.optdatatype.json
A.7.21 Property Definition
201 A.7.22 Schema Definition
A.7.23 oic.sec.crmtype.json
A.7.24 Property Definition
A.7.25 Schema Definition
202 A.8 OICSecurityCsrResource
A.8.1 Introduction
A.8.2 Example URI
A.8.3 Resource Type
A.8.4 RAML Definition
203 A.8.5 Property Definition
A.8.6 CRUDN behavior
A.9 OICSecurityRolesResource
A.9.1 Introduction
204 A.9.2 Example URI
A.9.3 Resource Type
A.9.4 RAML Definition
207 A.9.5 Property Definition
A.9.6 CRUDN behavior
A.10 OICSecurityCrlResource
A.10.1 Introduction
A.10.2 Example URI
A.10.3 Resource Type
A.10.4 RAML Definition
210 A.10.5 Property Definition
211 A.10.6 CRUDN behavior