oneM2M; End-to-End Security and Group Authentication (oneM2M TR-0012 version 2.0.0)

DTR/oneM2M-000012

General Information

Status: Published
Publication Date: 15-Sep-2016
Technical Committee:
Current Stage: 12 - Completion
Completion Date: 16-Sep-2016
Ref Project:

Standard
ETSI TR 118 512 V2.0.0 (2016-09) - oneM2M; End-to-End Security and Group Authentication (oneM2M TR-0012 version 2.0.0)
English language
78 pages

Standards Content (Sample)

ETSI TR 118 512 V2.0.0 (2016-09)






TECHNICAL REPORT
oneM2M;
End-to-End Security and Group Authentication
(oneM2M TR-0012 version 2.0.0)

(oneM2M TR-0012 version 2.0.0) 2 ETSI TR 118 512 V2.0.0 (2016-09)





Reference
DTR/oneM2M-000012
Keywords
IoT, M2M, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI



Contents
Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Conventions
5 Use Cases
5.1 Use Case of End-to-End Authentication in Key Distribution
5.1.1 Description
5.1.2 Actors
5.1.3 Pre-conditions
5.1.4 Normal Flow
5.1.5 Potential requirements
5.2 Use Case of Static Group Authentication (Smart Meter Reading)
5.2.1 Description
5.2.2 Actors
5.2.3 Pre-conditions
5.2.4 Normal flow
5.2.5 Potential requirements
5.3 Use Case of Dynamic Group Authentication (Remote Vehicle Management)
5.3.1 Description
5.3.2 Actors
5.3.3 Pre-conditions
5.3.4 Normal Flow
5.3.5 Potential requirements
5.3.5.1 Static group potential requirements
5.3.5.2 Dynamic group potential requirements
5.4 Use Case for Secure Group Communication
5.4.1 Description
5.4.2 Actors
5.4.3 Pre-conditions
5.4.4 Normal Flow
5.4.5 Potential requirements
5.5 Use case of End-to-End Authentication
5.5.1 Description
5.5.2 Actors
5.5.3 Pre-Conditions
5.5.4 Normal Flow
5.5.5 Potential Requirements
5.6 Use case of End-to-End Message Authentication using Delegated Means
5.6.1 Description
5.6.2 Actors
5.6.3 Pre-Conditions
5.6.4 Normal Flow
5.6.5 Potential Requirements
5.7 Use case of End-to-End Data Integrity
5.7.1 Description
5.7.2 Actors
5.7.3 Pre-Conditions
5.7.4 Normal Flow
5.7.5 Potential Requirements
5.8 Use case for providing security adaptation at each hop
5.8.1 Description
5.8.2 Actors
5.8.3 Pre-conditions
5.8.4 Normal Flow
5.8.5 Potential Requirements
6 Candidate Architecture
6.1 Group Authentication Architecture Proposal
6.1.1 Architecture of Static Group Authentication
6.1.1.0 Introduction
6.1.1.1 Nodes
6.1.1.2 Reference Points
6.1.2 Group Authentication Requirements
6.2 End-to-End Security Framework (ESF) Proposal 1
6.2.0 Overview
6.2.1 End-to-End Security Framework Introduction
6.2.2 ESF Security Layer High Level Architecture
6.2.2.1 ESF Security Layer Overview
6.2.2.2 ESF Security Layer Requirements
6.2.2.2.0 Overview
6.2.2.2.1 Generic Requirements for the ESF Security Layer
6.2.2.2.1.1 Generic ESF Security Layer Macro-Considerations
6.2.2.2.1.2 Generic ESF Payload Security Requirements
6.2.2.2.1.3 Generic ESF Key Establishment Requirements
6.2.2.2.1.4 Generic ESF Facilitation Requirements
6.2.2.2.1.5 Generic ESF Envelope Serialization Requirements
6.2.2.2.2 ESF-S1 Requirements
6.2.2.2.2.1 ESF-S1 Macro-Considerations
6.2.2.2.2.2 ESF-S1 Payload Security Requirements
6.2.2.2.2.3 ESF-S1 Key Establishment Requirements
6.2.2.2.2.4 ESF-S1-Specific ESF Facilitation Requirements
6.2.2.2.2.5 ESF-S1 Envelope Serialization Requirements
6.2.2.2.3 ESF-Sm Requirements
6.2.2.2.3.1 ESF-Sm Macro-Considerations
6.2.2.2.3.2 ESF-Sm Payload Security Requirements
6.2.2.2.3.3 ESF-Sm Key Establishment Requirements
6.2.2.2.3.4 ESF-Sm-Specific ESF Facilitation Requirements
6.2.2.2.3.5 ESF-Sm Envelope Requirements
6.2.2.3 ESF-S1 Processing flow
6.2.2.4 ESF-Sm Processing Flow
6.2.3 ESF Preparation Layer and ESF Integration Layer Processing
6.2.3.1 ESF Specifications for ESF Target Data Class 1
6.2.3.1.1 Profile for ESF Target Data Class 1
6.2.3.1.2 ESF Target Data Class 1 Processing at the Sending EEP
6.2.3.1.3 ESF Target Data Class 1 Processing at the Receiving EEP
6.2.3.2 ESF Specifications for ESF Target Data Class 2
6.2.3.2.1 Profile for ESF Target Data Class 2
6.2.3.2.2 ESF Target Data Class 2 Processing at the Sending EEP
6.2.3.2.3 ESF Target Data Class 2 Processing at the Receiving EEP
6.2.3.3 ESF Specifications for ESF Target Data Class 3
6.2.3.3.1 Profile for ESF Target Data Class 3
6.2.3.3.2 ESF Target Data Class 3 Processing at the Sending EEP
6.2.3.3.3 ESF Target Data Class 3 Processing at the Receiving EEP
7 Available Options
7.1 Review of Existing Technology
7.1.1 Review of Object-Based Security Technology
7.1.1.1 Introduction to Object-Based Security Technology
7.1.1.2 Secure/Multipurpose Internet Mail Extensions (S/MIME)
7.1.1.2.1 High Level Description of S/MIME
7.1.1.2.2 Considerations regarding of S/MIME
7.1.1.2.2.1 CoAP identification of S/MIME media types
7.1.1.2.2.2 Formatting, Parsing and Canonicalization Complexity for S/MIME
7.1.1.3 OpenPGP
7.1.1.3.1 High Level Description of OpenPGP
7.1.1.3.2 Considerations for OpenPGP
7.1.1.3.2.1 CoAP identification of the OpenPGP media type
7.1.1.3.2.2 Formatting, Parsing and Canonicalization Complexity for OpenPGP
7.1.1.4 XML Security
7.1.1.4.1 High Level Description of XML Security
7.1.1.4.2 Considerations for XML Security
7.1.1.4.2.1 CoAP identification of the XML Security media type
7.1.1.4.2.2 Formatting, Parsing and Canonicalization Complexity for XML Security
7.1.1.4.2.3 Canonicalization and XML Security
7.1.1.5 JSON Security
7.1.1.5.1 High Level Description of JSON Security
7.1.1.5.2 Considerations for JSON Security
7.1.1.5.2.1 CoAP identification of the JSON Security media type
7.1.1.5.2.2 Formatting, Parsing and Canonicalization Complexity for JSON Security
7.2 Group Authentication
7.2.1 Group Authentication Solution 1
7.3 A Solution for providing security of data "at-rest"
7.3.1 General procedure for hosting and accessing secure data
7.3.2 Bootstrapped procedure for providing data security
7.3.2.1 Overall Description
7.3.2.2 Detailed Description
7.4 A Solution for providing End-to-End Message Authentication using Symmetric Key
7.4.1 End-to-End Security Credential(s) Generation Process
7.4.1.1 Overall Description
7.4.1.2 Detailed Description
7.5 Proposal for determining detailed Security Requirements, Features and associated Algorithms
7.5.1 Security Determination Process
7.5.1.1 Overall Description
7.5.1.2 Detailed Description
8 Release 2 End-to-End Security and Rationale
8.1 Overview of Release 2 End-to-End Security Features
8.2 Release 2 End-to-End Security of Data (ESData)
8.2.1 End-to-End Security of Data (ESData) Overview
8.2.2 End-to-End Security of Data (ESData) Functional Architecture
8.3 Release 2 End-to-End Security of Primitives (ESPrim)
8.3.1 End-to-End Security of Primitives (ESPrim) Overview
8.3.2 End-to-End Security of Primitives (ESPrim) Functional Architecture
8.4 Release 2 End-to-End Security Certificate-based Key Establishment (ESCertKE)
8.4.1 End-to-End Security Certificate-based Key Establishment (ESCertKE) Overview
8.4.2 End-to-End Security Certificate-based Key Establishment (ESCertKE) Functional Architecture
8.5 Release 2 MAF Security Framework
8.5.1 MAF Security Framework Overview
8.5.2 MAF Security Framework Functional Architecture
8.6 Changes to Release 1 Features in Release 2
8.6.1 Changes to Remote Security Provisioning Frameworks (RSPFs)
8.6.2 Changes to Security Association Establishment Frameworks (SAEFs)
9 Conclusions and recommendations
Annex A: Problem Statement for needing End-to-End Data Security
A.1 Introduction
Annex B: Use case for remote attestation
B.1 Description
B.2 Actors
B.3 Pre-conditions
B.4 Normal flow
B.5 Potential requirements
Annex C: Bibliography
History



Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can
...
