Embedded devices are today important elements of critical infrastructures such as networking (routers, managed switches, firewalls), telecommunications, electric/gas/water utility automation (intelligent electronic devices communicating, e.g., via standardized communication networks and systems in substations in accordance with IEC 61850), and industrial automation (PLCs, process controllers, drives, robot controllers). During their operational lifetime, these embedded servers have to be accessed directly and/or remotely by human users and software processes to issue commands, to obtain measurements or status information, to diagnose failures, and to change settings and applications. As these devices are critical for their respective systems, access to them should be restricted and strictly controlled. Current authentication schemes for embedded devices, mainly password based, do not provide the necessary security and scalable manageability. When discussing authentication and access control mechanisms, one has to differentiate between two fundamentally different usage scenarios: the commercial scenario and the embedded device scenario.
In a commercial environment, as schematically shown in FIG. 1, which includes office work and e-commerce applications, hundreds or thousands of users and clients C access a relatively small set of services and servers S in a limited number of locations. Both the users and the servers are members of a single or a very small number of authentication domains (e.g. Windows or Kerberos domains). In the case of multiple authentication domains, single sign-on schemes may be used to emulate a single authentication domain to the user. User accounts can be managed efficiently because they are stored on a limited number of centralized authentication servers AA, to which application servers refer the authentication decision via networks that are always available.
In contrast to the commercial environment, an embedded device environment, as schematically shown in FIG. 2, has only a comparatively small number of human users (operators, maintenance staff) and client workplaces C. These users typically belong to multiple organizations (CA, CB or CC), and each user, e.g. a vendor service engineer, must have the ability to access a large number of embedded devices acting as servers S. These embedded servers are distributed physically and organizationally, and thus belong to different authentication domains. In fact, in the typical embedded environment today each embedded device is its own authentication domain, which contains its own user base, because of a historical need for each device to be able to operate in full independence of other hosts and outside communication links to maximize resiliency and dependability of the system controlled by this embedded device. Such decentralized user management faces the additional challenge that the local storage and computational capabilities of embedded devices are typically much lower than those of commercial authentication and access control servers.
Due to the high demands on availability that are imposed on embedded devices, trade-off decisions on selecting authentication and access control options for embedded devices have so far deemphasized security. There is thus a strong need for a secure and efficiently manageable authentication and access control scheme for embedded devices.
A number of different authentication and access control schemes exist in the literature as well as in widely deployed IT systems.
Password-based access control and authentication directly on the embedded device is the most common mechanism today. It suffers from several major weaknesses: Access is in practice not revocable, because it is based on knowledge, and reconfiguring all affected servers would be impracticable. Also, storage limitations on the devices typically limit the number of user accounts and thus require group credentials, which prevent individual accountability. If users use the same password for multiple devices then the compromise of a single device leads to a compromise of the whole system.
The best known centralized scheme is the Kerberos authentication service, which is also used for Microsoft Windows domain authentication. The Kerberos authentication service is described in detail in the two publications ‘The Kerberos Network Authentication Service’, J. Kohl and C. Neuman, RFC 1510, September 1993 and ‘Kerberos: An Authentication Service for Computer Networks’, B. Neuman and T. Ts'o, IEEE Communications Magazine, 32(9):33-38, September 1994, which are incorporated hereinto by reference. Kerberos works with capabilities called ‘tickets’. After successful authentication the user obtains a ‘ticket granting ticket’, which can later be used to obtain an actual ticket for a target server from one or more ticket granting servers. The target server itself only checks the ticket, but not the actual user identity, for its access control decision. Kerberos uses shared secrets and symmetric cryptography to protect authenticity and confidentiality of communication between participants. Every target server has to be configured with an individual secret key which it shares with the central authentication server. This does not scale for embedded device scenarios with hundreds of devices. Kerberos itself is only concerned with authentication and access control, but not with protecting the resulting session.
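A simplified model of the ticket check described above, added here as an illustration and not taken from the disclosure or from any Kerberos implementation. An HMAC tag stands in for Kerberos's ticket encryption, and the class names, device identifiers and ticket fields are hypothetical; it shows that the device validates the ticket with only its shared key, and that one key must be provisioned per device.

```python
import hashlib
import hmac
import json
import os
import time


class AuthServer:
    """Central authentication server (hypothetical model): one secret per device."""

    def __init__(self):
        self.server_keys = {}

    def enroll(self, server_id):
        # Every target server needs its own key, provisioned on both sides.
        key = os.urandom(32)
        self.server_keys[server_id] = key
        return key

    def issue_ticket(self, user, server_id, rights, lifetime_s=300, now=None):
        now = time.time() if now is None else now
        body = json.dumps({"user": user, "server": server_id, "rights": rights,
                           "exp": now + lifetime_s}, sort_keys=True).encode()
        # HMAC is an assumption standing in for Kerberos's encrypted ticket.
        tag = hmac.new(self.server_keys[server_id], body, hashlib.sha256).digest()
        return body, tag


class TargetServer:
    """Embedded device: checks the ticket offline, never the user's identity."""

    def __init__(self, server_id, key):
        self.server_id, self.key = server_id, key

    def check(self, ticket, now=None):
        body, tag = ticket
        now = time.time() if now is None else now
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, or issued under another device's key
        claims = json.loads(body)
        if claims["server"] != self.server_id or claims["exp"] < now:
            return None  # wrong audience or expired
        return claims["rights"]


def demo():
    # Constructed sample: three devices, one ticket issued for "ied-1" only.
    aa = AuthServer()
    dev = {s: TargetServer(s, aa.enroll(s)) for s in ("ied-1", "ied-2", "plc-7")}
    t = aa.issue_ticket("alice", "ied-1", ["read"], now=1000.0)
    return {"ied-1": dev["ied-1"].check(t, now=1100.0),
            "ied-2": dev["ied-2"].check(t, now=1100.0),
            "expired": dev["ied-1"].check(t, now=2000.0),
            "keys_to_manage": len(aa.server_keys)}
```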
Variations of Kerberos with public key cryptography have been proposed in ‘Distributed Authentication in Kerberos Using Public Key Cryptography’, M. Sirbu and J. Chuang, Proceedings of the Internet Society Symposium on Network and Distributed System Security NDSS'97, 1997. There, the public key based authentication process was separated from the access control process, but the access control process was not separated from the access to the target service. Therefore it is still necessary for each server to maintain access control lists for each user.
‘SPKI Requirements’, C. M. Ellison, RFC 2692, September 1999 and ‘Simple Public Key Certificate’, C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. M. Thomas, and T. Ylonen, draft-ietf-spki-cert-structure-06.txt, July 1999, which are incorporated hereinto by reference, describe SPKI (Simple Public Key Certificate), which is a public key based authentication and access control protocol and authentication message format. Its main focus is on sophisticated rights delegation and derivation algorithms. SPKI provides no means for session protection against tampering or replay. The SPKI message format may be used within the context of the present disclosure to transport capabilities.
‘Security Assertion Markup Language, V2.0 Technical Overview’, J. Hughes and E. Maler, sstc-saml-techoverview-2.0-draft-08, September 2005, which is incorporated hereinto by reference, describes SAML, which is an XML based syntax for encoding capabilities. SAML may potentially be used within the context of the present disclosure to transport capabilities, but is limited by the fact that standard SAML can only express yes/no access decisions, not complex permission statements. SAML also defines a number of authentication and authorization transfer protocols for single sign-on and server federation, but these require online access of the server device to the authentication and access control server.
ITU, ‘Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks’, ITU Recommendation X.509, March 2000, which is incorporated hereinto by reference, describes X.509, which is a standard to encode digital certificates and additional attributes, which may be used within the context of the present disclosure to transport capabilities.
‘The Secure Shell Protocol Architecture’, T. Ylonen and C. Lonvick, RFC 4251, January 2006, describes SSH (Secure Shell Protocol), which is an alternative session protection protocol with an optional public key based authentication scheme. Access control is based on ACLs stored on the server devices, and for authentication the public key of each legitimate user has to be preconfigured on each server device.