ETSI TS 118 103 V2.12.1 (2019-04)

ETSI TS 118 103 V2.12.1 (2019-04)






TECHNICAL SPECIFICATION
oneM2M;
Security solutions
(oneM2M TS-0003 version 2.12.1 Release 2A)

---------------------- Page: 1 ----------------------
oneM2M TS-0003 version 2.12.1 Release 2A 2 ETSI TS 118 103 V2.12.1 (2019-04)



Reference
RTS/oneM2M-000003v2A
Keywords
IoT, M2M, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2019.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
oneM2M TS-0003 version 2.12.1 Release 2A 3 ETSI TS 118 103 V2.12.1 (2019-04)
Contents
Intellectual Property Rights . 11
Foreword . 11
1 Scope . 12
2 References . 12
2.1 Normative references . 12
2.2 Informative references . 14
3 Definition of terms, symbols and abbreviations . 16
3.1 Terms . 16
3.2 Symbols . 21
3.3 Abbreviations . 21
4 Conventions . 22
5 Security Architecture . 23
5.1 Overview . 23
5.1.0 Introduction. 23
5.1.1 Identification and Authentication . 25
5.1.2 Authorization . 25
5.1.3 Identity Management . 25
5.2 Security Layers . 25
5.2.1 Security Service Layer . 25
5.2.2 Secure Environment Abstraction Layer . 26
5.3 Integration within overall oneM2M architecture . 26
6 Security Services and Interactions . 27
6.1 Security Integration in oneM2M flow of events. 27
6.1.1 Interactions between layers . 27
6.1.2 High level sequence of events. 27
6.1.2.1 Enrolment phase . 27
6.1.2.2 Operational phase . 28
6.1.2.2.1 M2M Service Access . 28
6.1.2.2.2 Authorization to access M2M resources . 29
6.2 Security Service Layer . 29
6.2.1 Access Management . 29
6.2.1.1 Authentication . 29
6.2.2 Authorization Architecture . 30
6.2.3 Security Administration . 32
6.2.3.0 Introduction . 32
6.2.3.1 Security Pre-Provisioning of SE . 32
6.2.3.2 Remote security administration of SE . 32
6.2.4 Identity Protection . 32
6.2.5 Sensitive Data Handling . 32
6.2.5.0 Introduction . 32
6.2.5.1 Sensitive Functions . 33
6.2.5.2 Secure Storage . 33
6.2.6 Trust Enabling security functions . 33
6.3 Secure Environment Abstraction Layer Components . 34
6.3.1 Secure Environment . 34
6.3.2 SE Plug-in . 34
6.3.3 Secure Environment Abstraction . 34
7 Authorization . 35
7.1 Access Control Mechanism . 35
7.1.1 General Description . 35
7.1.2 Parameters of the Request message . 36
7.1.3 Format of privileges and selfPrivileges Attributes . 37
7.1.4 Access Control Decision . 40
ETSI

---------------------- Page: 3 ----------------------
oneM2M TS-0003 version 2.12.1 Release 2A 4 ETSI TS 118 103 V2.12.1 (2019-04)
7.1.5 Description of the Access Decision Algorithm . 40
7.2 AE Impersonation Prevention . 43
7.2.1 Registrar verification of AE-ID . 43
7.2.2 Verification Using End-to-End Security of Primitives (ESPrim) . 44
7.3 Dynamic Authorization . 45
7.3.1 Purpose of the Dynamic Authorization . 45
7.3.2 Dynamic Authorization Stage 2 Details. 45
7.3.2.1 Dynamic Authorization Reference Model . 45
7.3.2.2 Direct Dynamic Authorization . 47
7.3.2.3 Indirect Dynamic Authorization . 50
7.3.2.4 Token Structure . 52
7.3.2.5 Token Evaluation . 53
7.3.2.6 oneM2M JSON Web Tokens (JWTs) . 54
7.3.2.6.1 Introduction to oneM2M JWTs . 54
7.3.2.6.2 oneM2M JWT Profile . 54
7.3.2.6.3 oneM2M JWT Procedures . 55
7.4 Role Based Access Control . 56
7.4.1 Role Based Access Control Architecture . 56
7.4.2 Role Issuing Procedure . 57
7.4.2.1 Introduction . 57
7.4.2.2 Role Assignment Procedure . 57
7.4.2.3 Issuing Token Associated with Role . 58
7.4.3 Role Based Access Control Procedure. 60
8 Security Frameworks . 61
8.1 General Introductions to the Security Frameworks . 61
8.1.0 General . 61
8.1.1 General Introduction to the Symmetric Key Security Frameworks . 61
8.1.2 General Introduction to the Certificate-Based Security Frameworks . 61
8.1.2.0 Introduction . 61
8.1.2.1 Public Key Certificate Flavours . 61
8.1.2.2 Certification Path Validation and Certificate Status Verification . 62
8.1.2.3 Credential Configuration for Certificate-Based Security Framework . 63
8.1.2.4 Information Needed for Certificate Authentication of another Entity . 63
8.1.2.5 Certificate Verification . 64
8.1.3 General Introduction to the GBA (Generic Bootstrapping Architecture) Framework . 65
8.2 Security Association Establishment Frameworks . 66
8.2.1 Overview on Security Association Establishment Frameworks . 66
8.2.2 Detailed Security Association Establishment Frameworks . 70
8.2.2.1 Provisioned Symmetric Key Security Association Establishment Frameworks . 70
8.2.2.2 Certificate-Based Security Association Establishment Frameworks . 72
8.2.2.3 MAF-Based Symmetric Key Security Association Establishment Frameworks . 74
8.3 Remote Security Provisioning Frameworks . 77
8.3.1 Overview on Remote Security Provisioning Frameworks . 77
8.3.1.1 Purpose of Remote Security Provisioning Frameworks . 77
8.3.1.2 High Level Flow . 78
8.3.2 Detailed Remote Security Provisioning Framework . 81
8.3.2.1 Pre-Provisioned Symmetric Key Remote Security Provisioning Framework . 81
8.3.2.2 Certificate-Based Remote Security Provisioning Framework . 86
8.3.2.3 GBA-Based Remote Security Provisioning Framework . 87
8.3.3 Void . 90
8.3.4 Enrolment Exchange . 90
8.3.4.1 Enrolment Exchange Procedures . 90
8.3.4.2 MEF Client Registration . 90
8.3.4.3 Symmetric Key Provisioning . 90
8.3.4.4 Certificate Provisioning . 91
8.3.4.5 Device Configuration . 91
8.3.4.6 MEF Client Command . 91
8.3.5 Symmetric Key Provisioning Details . 93
8.3.5.1 Introduction . 93
8.3.5.2 MEF Security Framework Processing and Information Flows . 94
8.3.5.2.1 Introduction . 94
ETSI

---------------------- Page: 4 ----------------------
oneM2M TS-0003 version 2.12.1 Release 2A 5 ETSI TS 118 103 V2.12.1 (2019-04)
8.3.5.2.2 MEF Handshake Procedure . 94
8.3.5.2.3 MEF Client Registration Procedure. 95
8.3.5.2.4 MEF Client Configuration Retrieval Procedure . 96
8.3.5.2.5 MEF Client Registration Update Procedure . 97
8.3.5.2.6 MEF Client De-Registration Procedure . 97
8.3.5.2.7 MEF Key Registration Procedure . 98
8.3.5.2.8 MEF Key Retrieval Procedure . 100
8.3.5.2.9 MEF Key Registration Update Procedure . 101
8.3.5.2.10 MEF Key De-Registration Procedure . 102
8.3.5.3 Mapping to Protocol in ETSI TS 118 132 . 102
8.3.6 Certificate Provisioning Procedure Details . 102
8.3.6.1 Introduction . 102
8.3.6.2 Certificate Provisioning procedures using EST . 103
8.3.6.2.1 Introduction . 103
8.3.6.2.2 Initial Certificate Provisioning procedure using EST . 104
8.3.6.2.3 Certificate Re-Provisioning procedure using EST . 105
8.3.6.3 Certificate Provisioning procedures using SCEP . 106
8.3.6.3.1 Introduction . 106
8.3.6.3.2 Details of Certificate Provisioning procedures using SCEP . 106
8.3.7 MEF Client Configuration Details . 107
8.3.7.1 MEF Client Credential Configuration Details . 107
8.3.7.2 MEF Client Registration Configuration Details . 108
8.3.7.3 MEF Key Registration Configuration Details . 109
8.3.8 Profile for Device Configuration within an Enrolment Exchange . 109
8.3.9 MEF Client Command Processing . 110
8.3.9.1 Introduction . 110
8.3.9.2 MEF Client Command Retrieve Procedure . 110
8.3.9.3 MEF Client Command Update procedure . 112
8.3.9.4 The cmdDescription element . 112
8.3.9.5 The cmdStatusCode element . 113
8.3.9.5.1 Introduction . 113
8.3.9.5.2 cmdStatusCode MEF_CLIENT_CMD_ISSUED . 113
8.3.9.5.3 cmdStatusCode MEF_CLIENT_CMD_REISSUED . 113
8.3.9.5.4 cmdStatusCode MEF_CLIENT_CMD_OK . 114
8.3.9.5.5 cmdStatusCode MEF_CLIENT_CMD_REPEATED_CMD_ID . 114
8.3.9.5.6 cmdStatusCode MEF_CLIENT_CMD_CLASS_NOT_SUPPORTED . 114
8.3.9.5.7 cmdStatusCode MEF_CLIENT_CMD_BAD_ARGUMENTS . 114
8.3.9.5.8 cmdStatusCode MEF_CLIENT_CMD_UNACCEPTABLE_ARGUMENTS . 114
8.3.9.5.9 cmdStatusCode MEF_CLIENT_CMD_CERT_PROV_SERVER_ERROR . 114
8.3.9.5.10 cmdStatusCode MEF_CLIENT_CMD_CERT_PROV_CLIENT_ERROR . 114
8.3.9.5.11 cmdStatusCode MEF_CLIENT_CMD_DEV_CFG_SERVER_ERROR . 114
8.3.9.5.12 cmdStatusCode MEF_CLIENT_CMD_DEV_CFG_CLIENT_ERROR . 114
8.3.9.5.13 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_NOT_FOUND . 114
8.3.9.5.14 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_TYPE_CONFLICT . 114
8.3.9.5.15 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_BAD_ARGS . 115
8.3.9.5.16 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_UNACCEPTABLE_ARGS . 115
8.3.9.5.17 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_INCONSISTENT_CONFIG . 115
8.3.9.5.18 cmdStatusCode MEF_CLIENT_CMD_MO_NODE_PROCESSING_FAILED . 115
8.3.9.6 NO_MORE_COMMANDS MEF Client Command Class-specific Processes . 115
8.3.9.7 CERT_PROV MEF Client Command Class-specific Processes . 116
8.3.9.8 DEV_CFG MEF Client Command Class-specific Processes . 117
8.3.9.9 MO_NODE MEF Client Command Class-specific Processes . 118
8.3.9.9.1 Generic MO_NODE Processes. 118
8.3.9.9.2 [authenticationProfile]-specific Processes . 119
8.3.9.9.3 Process [authenticationProfile] MO Node with pre-provisioned symmetric key . 121
8.3.9.9.4 Process [authenticationProfile] MO Node with MEF-established symmetric key . 122
8.3.9.9.5 Process [authenticationProfile] MO Node with MAF-established symmetric key . 123
8.3.9.9.6 Process [authenticationProfile] MO Node with Certificate . 124
8.3.9.9.7 [trustAnchorCred]-specific Processes . 124
8.3.9.9.8 [MAFClientRegCfg]-specific Processes . 125
8.4 End-to-End Security of Primitives (ESPrim) . 126
8.4.1 Purpose of E2E Security of Primitives (ESPrim) . 126
ETSI

---------------------- Page: 5 ----------------------
oneM2M TS-0003 version 2.12.1 Release 2A 6 ETSI TS 118 103 V2.12.1 (2019-04)
8.4.2 End-to-End Security of Primitives (ESPrim) Architecture . 126
8.4.3 End-to-End Security of Primitives (ESPrim) Protocol Details . 134
8.4.3.1 End-to-End Security of Primitives (ESPrim) Parameter Definitions . 134
8.4.3.1.1 originatorESPrimRandObject parameter definition . 134
8.4.3.1.2 receiverESPrimRandObject parameter definition. 135
8.4.3.1.3 e2eSecInfo resource attribute definition . 135
8.4.3.2 ESPrim Object formatting and processing using the JWE Compact Serialization . 135
8.5 End-to-End Security of Data (ESData) . 138
8.5.1 Purpose of ESData . 138
8.5.2 ESData Architecture .
...