Internet-Draft RFF ACCESS April 2022
Fang, et al. Expires 14 October 2022 [Page]
Workgroup:
Southeast University, Upsec Inc.
Internet-Draft:
draft-hao-physical-layer-fingerprint-interface-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
H. Fang
Upsec Inc.
H. Fu
Southeast University
L. Jin
Upsec Inc.
Y. Jiang
Southeast University
A. Hu
Southeast University

Interface specification for physical layer fingerprint access authentication framework of IoT devices

Abstract

This document is for access authentication framework of Internet of Things (IoT) devices using physical layer fingerprint. This document specifies the interface functions of the authentication framework. This document applies to the construction and management of secure access at the edge of the IoT. This document assumes that the reader is familiar with the concepts of physical layer fingerprint technique.

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 14 October 2022.

Table of Contents

1. Introduction

Device authentication is important to ensure the security of Internet of Things (IoT). The classical device authentication techniques are based on MAC address, preshared key or digital certificate [I-D.linning-authentication-physical-layer]. However, MAC address can be imitated. As the IoT becomes more diverse and pervasive, the implementation of the pre-shared key and digital certificate becomes increasingly complex.

Physical layer fingerprint is a promising technique for IoT device authentication[Ref_1]. It corresponds to extract the inherent physical layer features of the device from the received signal. These physical layer features have shown uniqueness and persistence, hence can be used for device authentication.

Because that the physical layer fingerprint access authentication requires only the signal received from the IoT device, a suitable access authentication framework needs to be defined. An authentication framework has been proposed in [I-D.dawei-access-authentication-physical-layer], with the basic functions of the framework, specification of fingerprint expression and control message. In this document, based on the same access authentication model, the objectives of the access authentication framework and interface specifications have been proposed, to ensure the effectiveness and facilitate the integration of the access authentication framework with the existing IoT network.

2. Glossary

IoT Device Access Gateway

Physical layer fingerprint authentication device

3. Objectives of physical layer fingerprint access authentication framework

3.1. Functional objectives

The physical layer fingerprint access authentication framework should achieve the following functional objectives:

a) The physical layer fingerprint access authentication framework shall be independent of the application system, to help establish a trust relationship between the application system and IoT devices and provide prerequisites for further determining whether the IoT devices can access the main network of the application system.

b) The physical layer fingerprint access authentication framework should be independent of the specific physical layer communication protocols of IoT devices, and can support all possible physical layer communication protocols.

c) The physical layer fingerprint access authentication framework should maintain the accuracy of the used physical layer fingerprint extraction and identification mechanism.

d) The interface defined by the physical layer fingerprint access authentication framework should not require the IoT device access gateway of the original application system to give additional physical layer configuration parameters.

3.2. Non-functional objectives

The physical layer fingerprint access authentication framework should achieve the following non-functional objectives:

a) The physical layer fingerprint access authentication framework does not specify a specific physical layer fingerprint extraction and identification mechanism.

b) The interface defined by the physical layer fingerprint access authentication framework does not specify a specific interface access authentication mechanism, but to avoid abuse of the defined interface, the necessary security authentication shall exist between the physical layer fingerprint access authentication device and the IoT device access gateway of the application system.

c) The physical layer fingerprint access authentication framework is independent of the specific operating system or platform, but the implementation of the physical layer fingerprint access authentication device may be relevant to a specific operating system or platform.

d) The interfaces defined by the physical layer fingerprint access authentication framework should enable integration with legacy systems.

4. Physical layer fingerprint access authentication framework

4.1. Structure of the Physical layer fingerprint access authentication framework

The structure of the physical layer fingerprint access authentication framework is shown in Fig. 1. The physical layer fingerprint access authentication is composed of two parts: the physical layer fingerprint authentication device and the IoT device access gateway. The physical layer fingerprint authentication device adopts a distributed architecture and can simultaneously serve multiple IoT devices to access the gateway.

+----------------+        +----------------+        +------------+
|                |        |   IoT device   |        |            |
|   IoT device   | <----> | access gateway | <----> |  Intranet  |
|(Claiming party)|        | (Relying party)|        |            |
|                |        |                |        |            |
+----------------+        +----------------+        +------------+
           ^                       ^
           |                       | -Full whitelist request
           |                       | -Incremental whitelist request
           |                       | -Blacklisting
           |                       | -Unblacklisting
           |                       v
           |       +------------------------------+
           +-----> |                              |
                   |  Physical layer fingerprint  |
                   |     authentication device    |
                   |          (Verifier)          |
                   |                              |
                   +------------------------------+




Figure 1: Structure of the physical layer fingerprint access authentication framework

The main function of the physical layer fingerprint authentication device is to complete the extraction and authentication of the fingerprint of the IoT device through a certain identity authentication mechanism, and to submit the authentication result in the form of assertion to the IoT device access gateway. The physical layer fingerprint authentication device does not limit the specific identity authentication mechanism, but only provides a unified interface, and the specific authentication interaction process with the IoT device is completed by the implementation of each authentication mechanism itself. The physical layer fingerprint authentication device corresponds to the verifier in the authentication model of [I-D.dawei-access-authentication-physical-layer].

The IoT device access gateway interacts with the physical layer fingerprint authentication device to assist in the authentication process of the IoT device accessing the main network of the application system. The IoT device access gateway and the application system together correspond to the relying party in the authentication model of [I-D.dawei-access-authentication-physical-layer].

The communication between the IoT device access gateway and the physical layer fingerprint authentication device is by default protected by a trusted channel. If the application system and the physical layer fingerprint authentication device are integrated together, i.e., the verifier and the relying party are unified entities, this trusted channel becomes the internal data transmission in the system. If the application system and the physical layer fingerprint authentication device are located in different systems and need to communicate with each other remotely, this trusted channel is an encrypted channel between them.

4.2. Interface functions for physical layer fingerprint access authentication

4.2.1. Full whitelist request

The physical layer fingerprint authentication device requests the full whitelist of IoT devices from the IoT device access gateway through this interface. Based on the full whitelist, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for all whitelisted devices.

4.2.2. Incremental whitelist request

The physical layer fingerprint authentication device requests the IoT device whitelist incremental list from the IoT device access gateway through this interface, and based on the whitelist incremental list, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for the added whitelist devices.

4.2.3. Blacklisting

When the physical layer fingerprint authentication device identifies that the status of one device in the whitelist has been changed from legal to illegal, this authentication result should be submitted to the IoT device access gateway, and at the same time, the IoT device access gateway adds this device to the blacklist and intercepts it.

4.2.4. Unblacklisting

When the physical layer fingerprint authentication device identifies that the status of one device in the whitelist has changed from illegal to legal, this authentication result should be submitted to the IoT device access gateway, and at the same time, the IoT device access gateway withdraws this device from the interception blacklist.

5. Interface Specification

5.1. Full whitelist request interface

This interface needs to provide the following requests and responses:

Requests:

a) Protocol version

The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.

b) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

Responses:

a) Full whitelist

The full amount of data of the whitelisted IoT devices set in the IoT device access gateway, generally including the following parts: device MAC address, IP address, etc.

b) Policy expiration time

The policy expiration time specifies the valid time of the whitelist, and the physical layer fingerprint authentication device identifies and authenticates the current whitelisted device within this valid time.

5.2. Incremental whitelist request interface

This interface needs to provide the following requests and responses:

Requests:

a) Protocol version

The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.

b) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

Responses:

a) Incremental whitelist

The incremental whitelist data of IoT devices set in the IoT device access gateway, generally including the following parts: device MAC address, IP address, etc.

b) Policy expiration time

The policy expiration time specifies the valid time of the whitelist, and the physical layer fingerprint authentication device identifies and authenticates the current whitelisted device within this valid time.

5.3. Blacklisting interface

This interface needs to provide the following requests and responses:

Requests:

a) Protocol version

The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.

b) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

c) Device information

Information of device to be blacklisted, generally including the following parts: device MAC address, IP address, etc.

d) Authentication result

The current authenticatin result.

Responses:

a) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

b) Policy expiration time

The policy expiration time specifies the valid time of the whitelist, and the physical layer fingerprint authentication device identifies and authenticates the current whitelisted device within this valid time.

c) Device information

Information of device just blacklisted, generally including the following parts: device MAC address, IP address, etc.

5.4. Unblacklisting interface

This interface needs to provide the following requests and responses:

Requests:

a) Protocol version

The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.

b) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

c) Device information

Information of device to be unblacklisted, generally including the following parts: device MAC address, IP address, etc.

d) Authentication result

The current authentication result.

Responses:

a) Gateway identifier

The unique identifier of the IoT device access gateway for use when the physical layer fingerprint authentication device interacts with the IoT device access gateway for information.

b) Policy expiration time

The policy expiration time specifies the valid time of the whitelist, and the physical layer fingerprint authentication device identifies and authenticates the current whitelisted device within this valid time.

c) Device information

Information of device just un-blacklisted, generally including the following parts: device MAC address, IP address, etc.

6. IANA Considerations

This document includes no request to IANA.

7. Security Considerations

This section will address only security considerations associated with the use of physical layer fingerprint access authentication framework. It is necessary to ensure that the IoT device access gateway and the physical layer fingerprint authentication device are in a secure and trusted environment.

8. References

8.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.

8.2. Informative References

[I-D.dawei-access-authentication-physical-layer]
Fang, D., Hu, A., FU, H., and Y. Jiang, "IoT Access Authentication Framework based on Radio Frequency Fingerprint and Fingerprint Expression Specification", Work in Progress, Internet-Draft, draft-dawei-access-authentication-physical-layer-00, , <https://www.ietf.org/archive/id/draft-dawei-access-authentication-physical-layer-00.txt>.
[I-D.linning-authentication-physical-layer]
Peng, L. and A. Hu, "Authentication by Physical Layer Features", Work in Progress, Internet-Draft, draft-linning-authentication-physical-layer-00, , <http://www.ietf.org/internet-drafts/draft-linning-authentication-physical-layer-00.txt>.
[Ref_1]
Danev, Boris., "https://dl.acm.org/doi/10.1145/2379776.2379782", .

Authors' Addresses

Hao Fang
Upsec Inc.
No.9 Mozhou Donglu, Jiangning
Nanjing
JiangSu, 211111
China
Hua Fu
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China
Ling Jin
Upsec Inc.
No.9 Mozhou Donglu, Jiangning
Nanjing
JiangSu, 211111
China
Yu Jiang
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China
Aiqun Hu
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China

mirror server hosted at Truenetwork, Russian Federation.