
BS ISO/IEC 30118-2:2021:2022 Edition

$215.11

Information technology. Open Connectivity Foundation (OCF) Specification – Security specification

Published by: BSI
Publication date: 2022
Number of pages: 204


PDF Catalog

PDF Pages PDF Title
11 Foreword
12 Introduction
15 1 Scope
2 Normative References
17 3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
19 3.2 Symbols and abbreviated terms
21 4 Document conventions and organization
4.1 Conventions
4.2 Notation
22 4.3 Data types
4.4 Document structure
5 Security overview
5.1 Preamble
24 5.2 Access control
5.2.1 Access control general
25 5.2.2 ACL architecture
26 5.3 Onboarding overview
5.3.1 Onboarding general
28 5.3.2 Onboarding steps
29 5.3.3 Establishing a Device Owner
30 5.3.4 Provisioning for Normal Operation
5.3.5 OCF Compliance Management System
5.4 Provisioning
5.4.1 Provisioning general
31 5.4.2 Access control provisioning
5.4.3 Credential provisioning
5.4.4 Role provisioning
5.5 Secure Resource Manager (SRM)
32 5.6 Credential overview
5.7 Event logging
5.7.1 Event logging general
33 6 Security for the discovery process
6.1 Preamble
6.2 Security considerations for discovery
35 7 Security provisioning
7.1 Device identity
7.1.1 General Device identity
7.1.2 Device identity for devices with UAID [Deprecated]
7.2 Device ownership
36 7.3 Device Ownership Transfer Methods
7.3.1 OTM implementation requirements
37 7.3.2 SharedKey credential calculation
38 7.3.3 Certificate credential generation
7.3.4 Just-Works OTM
7.3.4.1 Just-Works OTM general
39 7.3.4.2 Security considerations
7.3.5 Random PIN based OTM
7.3.5.1 Random PIN based OTM general
7.3.5.2 Random PIN based Owner Transfer sequence
41 7.3.5.3 Security considerations
42 7.3.6 Manufacturer Certificate Based OTM
7.3.6.1 Manufacturer Certificate Based OTM general
7.3.6.2 Certificate Profiles
7.3.6.3 Certificate Owner Transfer sequence security considerations
43 7.3.6.4 Manufacturer Certificate Based OTM sequence
44 7.3.6.5 Security considerations
7.3.7 Vendor specific OTMs
7.3.7.1 Vendor specific OTM general
7.3.7.2 Vendor-specific Owner Transfer Sequence Example
45 7.3.7.3 Security considerations
7.3.8 Establishing Owner Credentials
48 7.3.9 Security profile assignment
49 7.4 Provisioning
7.4.1 Provisioning flows
7.4.1.1 Provisioning flows general
7.4.1.2 Client-directed provisioning
50 7.4.1.3 Server-directed provisioning [DEPRECATED]
7.4.1.4 Server-directed provisioning involving multiple support services [DEPRECATED]
8 Device Onboarding state definitions
8.1 Device Onboarding general
51 8.2 Device Onboarding-Reset state definition
52 8.3 Device Ready-for-OTM State definition
53 8.4 Device Ready-for-Provisioning State Definition
8.5 Device Ready-for-Normal-Operation state definition
54 8.6 Device Soft Reset State definition
55 9 Security Credential management
9.1 Preamble
9.2 Credential lifecycle
9.2.1 Credential lifecycle general
9.2.2 Creation
9.2.3 Deletion
9.2.4 Refresh
56 9.2.5 Revocation
9.3 Credential types
9.3.1 Preamble
9.3.2 Pair-wise symmetric key credentials
9.3.3 Group symmetric key credentials
57 9.3.4 Asymmetric authentication key credentials
9.3.4.1 Asymmetric authentication key credentials general
9.3.4.2 External creation of asymmetric authentication key credentials
9.3.5 Asymmetric Key Encryption Key credentials
58 9.3.6 Certificate credentials
9.3.7 Password credentials
9.4 Certificate based key management
9.4.1 Overview
59 9.4.2 X.509 digital certificate profiles
9.4.2.1 Digital certificate profile general
9.4.2.2 Certificate profile and fields
9.4.2.2.1 Root CA certificate profile
60 9.4.2.2.2 Intermediate CA certificate profile
61 9.4.2.2.3 End-Entity Black certificate profile
64 9.4.2.2.4 OCF Compliance X.509v3 Extension
65 9.4.2.2.5 Manufacturer Usage Description (MUD) X.509v3 Extension
9.4.2.2.6 OCF Security Claims X.509v3 Extension
9.4.2.2.7 OCF Certified Product List Attributes X.509v3 Extension
66 9.4.2.3 Supported certificate extensions
68 9.4.2.4 Cipher suite for authentication, confidentiality and integrity
9.4.2.5 Encoding of certificate
9.4.3 Certificate Revocation List (CRL) Profile [deprecated]
9.4.4 Resource model
9.4.5 Certificate provisioning
69 9.4.6 CRL provisioning [deprecated]
10 Device authentication
10.1 Device authentication general
70 10.2 Device authentication with symmetric key credentials
10.3 Device authentication with raw asymmetric key credentials
10.4 Device authentication with certificates
10.4.1 Device authentication with certificates general
71 10.4.2 Role assertion with certificates
72 10.4.3 OCF PKI Roots
10.4.4 PKI Trust Store
73 10.4.5 Path Validation and extension processing
11 Message integrity and confidentiality
11.1 Preamble
11.2 Session protection with DTLS
11.2.1 DTLS protection general
11.2.2 Unicast session semantics
11.3 Cipher suites
11.3.1 Cipher suites general
74 11.3.2 Cipher suites for Device Ownership Transfer
11.3.2.1 Just Works Method cipher suites
11.3.2.2 Random PIN Method cipher suites
11.3.2.3 Certificate Method cipher suites
11.3.3 Cipher Suites for symmetric keys
75 11.3.4 Cipher suites for asymmetric credentials
76 12 Access control
12.1 ACL generation and management
12.2 ACL evaluation and enforcement
12.2.1 ACL evaluation and enforcement general
12.2.2 Host reference matching
12.2.3 Resource wildcard matching
77 12.2.4 Multiple criteria matching
12.2.5 Subject matching using wildcards
78 12.2.6 Subject matching using roles
12.2.7 ACL evaluation
12.2.7.1 ACE2 matching algorithm
79 12.2.7.2 ACL considerations for batch request to the Atomic Measurement Resource Type
12.2.7.3 ACL considerations for a batch OCF Interface request to a Collection
12.2.7.4 ACL Considerations on creation of a new Resource
80 13 Security Resources
13.1 Security Resources general
82 13.2 Device Owner Transfer Resource
13.2.1 Device Owner Transfer Resource General
85 13.2.2 OCF defined OTMs
13.3 Credential Resource
13.3.1 Credential Resource general
90 13.3.2 Properties of the Credential Resource
13.3.2.1 Credential ID
13.3.2.2 Subject UUID
91 13.3.2.3 Role ID
13.3.2.4 Credential type
13.3.2.5 Public data
13.3.2.6 Private data
13.3.2.7 Optional data
13.3.2.8 Period
13.3.2.9 Credential Refresh Method type definition [deprecated]
13.3.2.10 Credential usage
92 13.3.2.11 Resource Owner
13.3.3 Key formatting
13.3.3.1 Symmetric key formatting
13.3.3.2 Asymmetric keys
13.3.3.3 Asymmetric keys with certificate
13.3.3.4 Passwords
93 13.3.4 Credential Refresh Method details [deprecated]
13.4 Certificate Revocation List
13.4.1 CRL Resource definition [deprecated]
13.5 ACL Resources
13.5.1 ACL Resources general
13.5.2 OCF Access Control List (ACL) BNF defines ACL structures.
94 13.5.3 ACL Resource
99 13.6 Access Manager ACL Resource [deprecated]
13.7 Signed ACL Resource [deprecated]
13.8 Provisioning Status Resource
105 13.9 Certificate Signing Request Resource
13.10 Roles Resource
107 13.11 Auditable Events List Resource
13.11.1 Auditable Events List Resource general
110 13.12 Security Virtual Resources (SVRs) and Access Policy
111 13.13 SVRs, discoverability and OCF Endpoints
13.14 Additional privacy consideration for Core Resources
112 13.15 Easy Setup Resource Device state
114 13.16 List of Auditable Events
116 13.17 Security Domain Information Resource
117 14 Security hardening guidelines / execution environment security
14.1 Preamble
14.2 Execution environment elements
14.2.1 Execution environment elements general
14.2.2 Secure storage
14.2.2.1 Secure storage general
118 14.2.2.2 Hardware secure storage
119 14.2.2.3 Software storage
14.2.2.4 Additional security guidelines and best practices
120 14.2.3 Secure execution engine
14.2.4 Trusted input/output paths
14.2.5 Secure clock
121 14.2.6 Approved algorithms
14.2.7 Hardware tamper protection
14.3 Secure Boot
14.3.1 Concept of software module authentication
123 14.3.2 Secure Boot process
14.3.3 Robustness requirements
14.3.3.1 Robustness general
14.3.3.2 Next steps
124 14.4 Attestation
14.5 Software Update
14.5.1 Overview
14.5.2 Recognition of current differences
125 14.5.2.1 Checking availability of new software
14.5.3 Software Version Validation
14.5.4 Software Update
14.5.4.1 State of Device after software update
126 14.5.5 Recommended usage
14.6 Non-OCF Endpoint interoperability
14.7 Security levels
127 14.8 Security Profiles
14.8.1 Security Profiles general
128 14.8.2 Identification of Security Profiles (Normative)
14.8.2.1 Security Profiles in prior documents
14.8.2.2 Security Profile Resource definition
Table 59 defines the Properties of “/oic/sec/sp” Resource.
129 The following OIDs are defined to uniquely identify Security Profiles. Future Security Profiles or changes to existing Security Profiles may result in a new ocfSecurityProfileOID.
14.8.3 Security Profiles
14.8.3.1 Security Profiles general
14.8.3.2 Security Profile Unspecified (sp-unspecified-v0)
14.8.3.3 Security Profile Baseline v0 (sp-baseline-v0)
130 14.8.3.4 Security Profile Black (sp-black-v0)
14.8.3.4.1 Black Profile general
14.8.3.4.2 Devices Targeted for Security Profile Black v0
14.8.3.4.3 Requirements for Certification at Security Profile Black (normative)
131 14.8.3.5 Security Profile Blue v0 (sp-blue-v0)
14.8.3.5.1 Blue Profile General
14.8.3.5.2 Platforms and Devices for Security Profile Blue v0
14.8.3.5.3 Requirements for Certification at Security Profile Blue v0
133 14.8.3.6 Security Profile Purple v0 (sp-purple-v0)
134 15 Device Type specific requirements
15.1 Bridging security
15.1.1 Universal requirements for Bridging to another Ecosystem
135 15.1.2 Additional security requirements specific to bridged protocols
15.1.2.1 Additional security requirements specific to the AllJoyn protocol
136 15.1.2.2 Additional security requirements specific to the Bluetooth LE protocol
15.1.2.3 Additional security requirements specific to the oneM2M protocols
15.1.2.4 Additional security requirements specific to the U+ protocol
15.1.2.5 Additional security requirements specific to the Z-Wave protocol
15.1.2.6 Additional security requirements specific to the Zigbee protocol
15.1.2.7 Additional security requirements specific to the EnOcean Radio protocol
137 Annex A (informative) Access control examples
A.1 Example OCF ACL Resource
138 Annex B (informative) Execution environment security profiles
139 Annex C (normative) Resource Type definitions
C.1 List of Resource Type definitions
C.2 Access Control List-2
C.2.1 Introduction
C.2.2 Well-known URI
C.2.3 Resource type
C.2.4 OpenAPI 2.0 definition
147 C.2.5 Property definition
C.2.6 CRUDN behaviour
148 C.3 Credential
C.3.1 Introduction
C.3.2 Well-known URI
C.3.3 Resource type
C.3.4 OpenAPI 2.0 definition
157 C.3.5 Property definition
C.3.6 CRUDN behaviour
C.4 Certificate Signing Request
C.4.1 Introduction
C.4.2 Well-known URI
C.4.3 Resource type
158 C.4.4 OpenAPI 2.0 definition
159 C.4.5 Property definition
C.4.6 CRUDN behaviour
160 C.5 Device Owner Transfer Method
C.5.1 Introduction
C.5.2 Well-known URI
C.5.3 Resource type
C.5.4 OpenAPI 2.0 definition
163 C.5.5 Property definition
164 C.5.6 CRUDN behaviour
165 C.6 Device provisioning status
C.6.1 Introduction
C.6.2 Well-known URI
C.6.3 Resource type
C.6.4 OpenAPI 2.0 definition
168 C.6.5 Property definition
172 C.6.6 CRUDN behaviour
C.7 Asserted roles
C.7.1 Introduction
C.7.2 Well-known URI
C.7.3 Resource type
C.7.4 OpenAPI 2.0 definition
180 C.7.5 Property definition
181 C.7.6 CRUDN behaviour
C.8 Security Profile
C.8.1 Introduction
C.8.2 Well-known URI
C.8.3 Resource type
C.8.4 OpenAPI 2.0 definition
183 C.8.5 Property definition
184 C.8.6 CRUDN behaviour
C.9 Auditable Event List
C.9.1 Introduction
C.9.2 Well-known URI
C.9.3 Resource type
C.9.4 OpenAPI 2.0 definition
188 C.9.5 Property definition
191 C.9.6 CRUDN behaviour
C.10 OCF Security Domain information
C.10.1 Introduction
C.10.2 Well-known URI
C.10.3 Resource type
C.10.4 OpenAPI 2.0 definition
193 C.10.5 Property definition
194 C.10.6 CRUDN behaviour
195 Annex D (informative) OID definitions
197 Annex E (informative) Security considerations specific to Bridged Protocols
E.1 Security considerations specific to the AllJoyn Protocol
E.2 Security considerations specific to the Bluetooth LE Protocol
198 E.3 Security considerations specific to the oneM2M Protocol
E.4 Security considerations specific to the U+ Protocol
E.5 Security considerations specific to the Z-Wave Protocol
200 E.6 Security considerations specific to the Zigbee Protocol
E.7 Security considerations specific to the EnOcean Radio Protocol