Southeast University, Upsec Inc.                                 H. Fang
Internet-Draft                                                Upsec Inc.
Intended status: Standards Track                                   H. Fu
Expires: 14 October 2022                            Southeast University
                                                                  L. Jin
                                                              Upsec Inc.
                                                                Y. Jiang
                                                                   A. Hu
                                                    Southeast University
                                                           12 April 2022


      Interface specification for physical layer fingerprint access
                 authentication framework of IoT devices
           draft-hao-physical-layer-fingerprint-interface-00

Abstract

   This document describes an access authentication framework for
   Internet of Things (IoT) devices based on the physical layer
   fingerprint, and specifies the interface functions of that
   framework.  It applies to the construction and management of secure
   access at the edge of the IoT.  The reader is assumed to be familiar
   with the concepts of the physical layer fingerprint technique.

Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 October 2022.

Fang, et al.             Expires 14 October 2022                [Page 1]

Internet-Draft                  RFF ACCESS                    April 2022

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Glossary
   3.  Objectives of physical layer fingerprint access authentication
       framework
     3.1.  Functional objectives
     3.2.  Non-functional objectives
   4.  Physical layer fingerprint access authentication framework
     4.1.  Structure of the physical layer fingerprint access
           authentication framework
     4.2.  Interface functions for physical layer fingerprint access
           authentication
       4.2.1.  Full whitelist request
       4.2.2.  Incremental whitelist request
       4.2.3.  Blacklisting
       4.2.4.  Unblacklisting
   5.  Interface Specification
     5.1.  Full whitelist request interface
     5.2.  Incremental whitelist request interface
     5.3.  Blacklisting interface
     5.4.  Unblacklisting interface
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   Device authentication is important to ensure the security of the
   Internet of Things (IoT).  The classical device authentication
   techniques are based on the MAC address, a pre-shared key or a
   digital certificate [I-D.linning-authentication-physical-layer].
   However, a MAC address can be imitated, and as the IoT becomes more
   diverse and pervasive, the deployment of pre-shared keys and digital
   certificates becomes increasingly complex.

   The physical layer fingerprint is a promising technique for IoT
   device authentication [Ref_1].  It extracts the inherent physical
   layer features of a device from the received signal.  These physical
   layer features have shown uniqueness and persistence, and hence can
   be used for device authentication.

   Because physical layer fingerprint access authentication requires
   only the signal received from the IoT device, a suitable access
   authentication framework needs to be defined.  An authentication
   framework has been proposed in
   [I-D.dawei-access-authentication-physical-layer], together with the
   basic functions of the framework and the specification of the
   fingerprint expression and control messages.  This document, based
   on the same access authentication model, proposes the objectives of
   the access authentication framework and its interface specifications,
   in order to ensure the effectiveness of the framework and to
   facilitate its integration with existing IoT networks.

2.  Glossary

   IoT Device Access Gateway
      A device that provides network connection, control and
      management, deployed at the boundary between the perception layer
      and the network layer of the IoT.  It realizes the communication
      between the IoT devices and the network layer.
   Physical layer fingerprint authentication device
      A device that trains, identifies and authenticates IoT devices.

3.  Objectives of physical layer fingerprint access authentication
    framework

3.1.  Functional objectives

   The physical layer fingerprint access authentication framework
   should achieve the following functional objectives:

   a)  The physical layer fingerprint access authentication framework
       shall be independent of the application system, so as to help
       establish a trust relationship between the application system
       and the IoT devices and to provide the prerequisites for further
       determining whether the IoT devices may access the main network
       of the application system.

   b)  The physical layer fingerprint access authentication framework
       should be independent of the specific physical layer
       communication protocols of the IoT devices, and should be able
       to support all possible physical layer communication protocols.

   c)  The physical layer fingerprint access authentication framework
       should maintain the accuracy of the physical layer fingerprint
       extraction and identification mechanism in use.

   d)  The interface defined by the physical layer fingerprint access
       authentication framework should not require the IoT device
       access gateway of the original application system to provide
       additional physical layer configuration parameters.

3.2.  Non-functional objectives

   The physical layer fingerprint access authentication framework
   should achieve the following non-functional objectives:

   a)  The physical layer fingerprint access authentication framework
       does not specify a particular physical layer fingerprint
       extraction and identification mechanism.
   b)  The interface defined by the physical layer fingerprint access
       authentication framework does not specify a particular interface
       access authentication mechanism.  However, to avoid abuse of the
       defined interface, the necessary security authentication shall
       exist between the physical layer fingerprint access
       authentication device and the IoT device access gateway of the
       application system.

   c)  The physical layer fingerprint access authentication framework
       is independent of any specific operating system or platform, but
       the implementation of the physical layer fingerprint access
       authentication device may be tied to a specific operating system
       or platform.

   d)  The interfaces defined by the physical layer fingerprint access
       authentication framework should enable integration with legacy
       systems.

4.  Physical layer fingerprint access authentication framework

4.1.  Structure of the physical layer fingerprint access authentication
      framework

   The structure of the physical layer fingerprint access
   authentication framework is shown in Figure 1.  The physical layer
   fingerprint access authentication is composed of two parts: the
   physical layer fingerprint authentication device and the IoT device
   access gateway.  The physical layer fingerprint authentication device
   adopts a distributed architecture and can simultaneously serve
   multiple IoT devices that access the gateway.
   +----------------+        +----------------+        +------------+
   |                |        |   IoT device   |        |            |
   |   IoT device   | <----> | access gateway | <----> |  Intranet  |
   |(Claiming party)|        | (Relying party)|        |            |
   |                |        |                |        |            |
   +----------------+        +----------------+        +------------+
           ^                         ^
           |                         |  -Full whitelist request
           |                         |  -Incremental whitelist request
           |                         |  -Blacklisting
           |                         |  -Unblacklisting
           |                         v
           |             +------------------------------+
           +-----------> |                              |
                         |  Physical layer fingerprint  |
                         |    authentication device     |
                         |          (Verifier)          |
                         |                              |
                         +------------------------------+

        Figure 1: Structure of the physical layer fingerprint access
                         authentication framework

   The main function of the physical layer fingerprint authentication
   device is to complete the extraction and authentication of the
   fingerprint of the IoT device through a certain identity
   authentication mechanism, and to submit the authentication result in
   the form of an assertion to the IoT device access gateway.  The
   physical layer fingerprint authentication device does not restrict
   the specific identity authentication mechanism, but only provides a
   unified interface; the specific authentication interaction with the
   IoT device is completed by the implementation of each authentication
   mechanism itself.  The physical layer fingerprint authentication
   device corresponds to the verifier in the authentication model of
   [I-D.dawei-access-authentication-physical-layer].

   The IoT device access gateway interacts with the physical layer
   fingerprint authentication device to assist in the authentication of
   the IoT device accessing the main network of the application system.
   The IoT device access gateway and the application system together
   correspond to the relying party in the authentication model of
   [I-D.dawei-access-authentication-physical-layer].
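   As an added illustration that is not part of this draft, the
   following Python models the relying-party side of the four interface
   functions named in Figure 1, using the request and response fields
   of Section 5 below.  The HMAC tag that authenticates the verifier
   (Section 3.2 b) requires authentication but fixes no mechanism), the
   cursor bookkeeping for incremental requests, the 600-second policy
   lifetime and all device addresses are constructed assumptions of the
   example, not requirements of the draft.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

PROTOCOL_VERSION = "1"    # assumed value; the draft only says the field exists
POLICY_LIFETIME_S = 600   # assumed validity window for the policy expiration time

class InterfaceError(Exception):
    """Raised when the gateway rejects an interface request."""

def sign(key: bytes, msg: dict) -> dict:
    """Verifier side: HMAC-tag a request (Sec. 3.2 b) demands caller authentication; HMAC is assumed)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

@dataclass
class AccessGateway:
    """Relying-party side of the four interfaces in Figure 1 (field names follow Section 5)."""
    gateway_id: str
    key: bytes                                     # pre-shared with the verifier (assumption)
    whitelist: dict = field(default_factory=dict)  # MAC -> device information
    blacklist: set = field(default_factory=set)    # MACs currently intercepted
    _added: list = field(default_factory=list)     # MACs in whitelisting order
    _cursor: int = 0                               # how much of _added the verifier has seen

    def add_device(self, mac: str, ip: str) -> None:
        self.whitelist[mac] = {"mac": mac, "ip": ip}
        self._added.append(mac)

    def _accept(self, req: dict) -> None:  # checks shared by all four interfaces
        body = {k: v for k, v in req.items() if k != "tag"}
        good = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, req.get("tag", "")):
            raise InterfaceError("verifier authentication failed")
        if req.get("protocol_version") != PROTOCOL_VERSION or req.get("gateway_id") != self.gateway_id:
            raise InterfaceError("unsupported protocol version or wrong gateway identifier")

    def whitelist_request(self, req: dict, now: float, incremental: bool = False) -> dict:
        """Full whitelist request (Sec. 5.1) or incremental whitelist request (Sec. 5.2)."""
        self._accept(req)
        macs = self._added[self._cursor:] if incremental else self._added
        self._cursor = len(self._added)            # everything up to here has now been handed out
        return {"incremental_whitelist" if incremental else "whitelist": [self.whitelist[m] for m in macs],
                "policy_expiration_time": now + POLICY_LIFETIME_S}

    def _status_change(self, req: dict, now: float, result: str) -> dict:
        """Shared body of blacklisting (Sec. 5.3) and unblacklisting (Sec. 5.4)."""
        self._accept(req)
        mac = req["device_info"]["mac"]
        if mac not in self.whitelist:   # Secs. 4.2.3/4.2.4: only whitelisted devices change status
            raise InterfaceError("device is not on the whitelist")
        if req["authentication_result"] != result:
            raise InterfaceError(f"expected authentication result {result!r}")
        (self.blacklist.add if result == "illegal" else self.blacklist.discard)(mac)
        return {"gateway_id": self.gateway_id, "device_info": self.whitelist[mac],
                "policy_expiration_time": now + POLICY_LIFETIME_S}

    def blacklisting(self, req: dict, now: float) -> dict:    # Sec. 5.3
        return self._status_change(req, now, "illegal")
    def unblacklisting(self, req: dict, now: float) -> dict:  # Sec. 5.4
        return self._status_change(req, now, "legal")
```

   A forged tag, a request addressed to another gateway identifier, or a
   status change for a device that is not on the whitelist is rejected
   before any state is modified.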
   The communication between the IoT device access gateway and the
   physical layer fingerprint authentication device is by default
   protected by a trusted channel.  If the application system and the
   physical layer fingerprint authentication device are integrated
   together, i.e., the verifier and the relying party are a single
   entity, this trusted channel is the internal data transmission of
   the system.  If the application system and the physical layer
   fingerprint authentication device are located in different systems
   and need to communicate with each other remotely, this trusted
   channel is an encrypted channel between them.

4.2.  Interface functions for physical layer fingerprint access
      authentication

4.2.1.  Full whitelist request

   Through this interface the physical layer fingerprint authentication
   device requests the full whitelist of IoT devices from the IoT
   device access gateway.  Based on the full whitelist, the physical
   layer fingerprint authentication device performs fingerprint
   extraction and authentication for all whitelisted devices.

4.2.2.  Incremental whitelist request

   Through this interface the physical layer fingerprint authentication
   device requests the incremental whitelist of IoT devices from the
   IoT device access gateway.  Based on the incremental whitelist, the
   physical layer fingerprint authentication device performs
   fingerprint extraction and authentication for the newly added
   whitelisted devices.

4.2.3.  Blacklisting

   When the physical layer fingerprint authentication device identifies
   that the status of a device in the whitelist has changed from legal
   to illegal, this authentication result should be submitted to the
   IoT device access gateway; the IoT device access gateway then adds
   this device to the blacklist and intercepts it.

4.2.4.  Unblacklisting

   When the physical layer fingerprint authentication device identifies
   that the status of a device in the whitelist has changed from
   illegal to legal, this authentication result should be submitted to
   the IoT device access gateway; the IoT device access gateway then
   removes this device from the interception blacklist.

5.  Interface Specification

5.1.  Full whitelist request interface

   This interface needs to provide the following requests and
   responses:

   Requests:

   a)  Protocol version
       The version of the protocol between the physical layer
       fingerprint authentication device and the IoT device access
       gateway.

   b)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.

   Responses:

   a)  Full whitelist
       The full set of whitelisted IoT devices configured in the IoT
       device access gateway, generally including the device MAC
       address, IP address, etc.

   b)  Policy expiration time
       The policy expiration time specifies the period for which the
       whitelist is valid; the physical layer fingerprint
       authentication device identifies and authenticates the currently
       whitelisted devices within this period.

5.2.  Incremental whitelist request interface

   This interface needs to provide the following requests and
   responses:

   Requests:

   a)  Protocol version
       The version of the protocol between the physical layer
       fingerprint authentication device and the IoT device access
       gateway.

   b)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.
   Responses:

   a)  Incremental whitelist
       The incremental whitelist data of IoT devices configured in the
       IoT device access gateway, generally including the device MAC
       address, IP address, etc.

   b)  Policy expiration time
       The policy expiration time specifies the period for which the
       whitelist is valid; the physical layer fingerprint
       authentication device identifies and authenticates the currently
       whitelisted devices within this period.

5.3.  Blacklisting interface

   This interface needs to provide the following requests and
   responses:

   Requests:

   a)  Protocol version
       The version of the protocol between the physical layer
       fingerprint authentication device and the IoT device access
       gateway.

   b)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.

   c)  Device information
       Information on the device to be blacklisted, generally including
       the device MAC address, IP address, etc.

   d)  Authentication result
       The current authentication result.

   Responses:

   a)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.

   b)  Policy expiration time
       The policy expiration time specifies the period for which the
       whitelist is valid; the physical layer fingerprint
       authentication device identifies and authenticates the currently
       whitelisted devices within this period.

   c)  Device information
       Information on the device just blacklisted, generally including
       the device MAC address, IP address, etc.

5.4.  Unblacklisting interface

   This interface needs to provide the following requests and
   responses:

   Requests:

   a)  Protocol version
       The version of the protocol between the physical layer
       fingerprint authentication device and the IoT device access
       gateway.

   b)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.

   c)  Device information
       Information on the device to be unblacklisted, generally
       including the device MAC address, IP address, etc.

   d)  Authentication result
       The current authentication result.

   Responses:

   a)  Gateway identifier
       The unique identifier of the IoT device access gateway, used
       when the physical layer fingerprint authentication device
       exchanges information with the IoT device access gateway.

   b)  Policy expiration time
       The policy expiration time specifies the period for which the
       whitelist is valid; the physical layer fingerprint
       authentication device identifies and authenticates the currently
       whitelisted devices within this period.

   c)  Device information
       Information on the device just unblacklisted, generally
       including the device MAC address, IP address, etc.

6.  IANA Considerations

   This document includes no request to IANA.

7.  Security Considerations

   This section addresses only the security considerations associated
   with the use of the physical layer fingerprint access authentication
   framework.  It is necessary to ensure that the IoT device access
   gateway and the physical layer fingerprint authentication device are
   in a secure and trusted environment.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

8.2.  Informative References

   [I-D.dawei-access-authentication-physical-layer]
              Fang, D., Hu, A., Fu, H., and Y. Jiang, "IoT Access
              Authentication Framework based on Radio Frequency
              Fingerprint and Fingerprint Expression Specification",
              Work in Progress, Internet-Draft, draft-dawei-access-
              authentication-physical-layer-00, 16 February 2022.

   [I-D.linning-authentication-physical-layer]
              Peng, L. and A. Hu, "Authentication by Physical Layer
              Features", Work in Progress, Internet-Draft, draft-
              linning-authentication-physical-layer-00, 8 October 2018.

   [Ref_1]    Danev, B., "https://dl.acm.org/doi/10.1145/2379776.2379782",
              2012.

Authors' Addresses

   Hao Fang
   Upsec Inc.
   No.9 Mozhou Donglu, Jiangning
   Nanjing
   JiangSu, 211111
   China
   Email: fanghao@upsec.cn

   Hua Fu
   Southeast University
   No.2 SiPaiLou
   Nanjing
   JiangSu, 210096
   China
   Email: hfu@seu.edu.cn

   Ling Jin
   Upsec Inc.
   No.9 Mozhou Donglu, Jiangning
   Nanjing
   JiangSu, 211111
   China
   Email: jinling@upsec.cn

   Yu Jiang
   Southeast University
   No.2 SiPaiLou
   Nanjing
   JiangSu, 210096
   China
   Email: jiangyu@seu.edu.cn

   Aiqun Hu
   Southeast University
   No.2 SiPaiLou
   Nanjing
   JiangSu, 210096
   China
   Email: aqhu@seu.edu.cn