OCF Security Specification
VERSION 2.0.2 | April 2019
CONTACT [email protected]
Copyright Open Connectivity Foundation, Inc. © 2019. All Rights Reserved.

LEGAL DISCLAIMER

NOTHING CONTAINED IN THIS DOCUMENT SHALL BE DEEMED AS GRANTING YOU ANY KIND OF LICENSE IN ITS CONTENT, EITHER EXPRESSLY OR IMPLIEDLY, OR TO ANY INTELLECTUAL PROPERTY OWNED OR CONTROLLED BY ANY OF THE AUTHORS OR DEVELOPERS OF THIS DOCUMENT. THE INFORMATION CONTAINED HEREIN IS PROVIDED ON AN "AS IS" BASIS, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE AUTHORS AND DEVELOPERS OF THIS SPECIFICATION HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, STATUTORY OR AT COMMON LAW, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OPEN INTERCONNECT CONSORTIUM, INC. FURTHER DISCLAIMS ANY AND ALL WARRANTIES OF NON-INFRINGEMENT, ACCURACY OR LACK OF VIRUSES.

The OCF logo is a trademark of Open Connectivity Foundation, Inc. in the United States or other countries. *Other names and brands may be claimed as the property of others.

Copyright © 2016-2019 Open Connectivity Foundation, Inc. All rights reserved.

Copying or other form of reproduction and/or distribution of these works are strictly prohibited

Copyright Open Connectivity Foundation, Inc. © 2016-2019. All rights Reserved

CONTENTS

1 Scope
2 Normative References
3 Terms, definitions, and abbreviated terms
  3.1 Terms and definitions
  3.2 Abbreviated terms
4 Document Conventions and Organization
  4.1 Conventions
  4.2 Notation
  4.3 Data types
  4.4 Document structure
5 Security Overview
  5.1 Preamble
  5.2 Access Control
    5.2.1 ACL Architecture
    5.2.2 Access Control Scoping Levels
  5.3 Onboarding Overview
    5.3.1 Onboarding General
    5.3.2 Onboarding Steps
    5.3.3 Establishing a Device Owner
    5.3.4 Provisioning for Normal Operation
    5.3.5 Device Provisioning for OCF Cloud and Device Registration Overview
    5.3.6 OCF Compliance Management System
  5.4 Provisioning
    5.4.1 Provisioning General
    5.4.2 Provisioning other services
    5.4.3 Provisioning Credentials for Normal Operation
    5.4.4 Role Assignment and Provisioning for Normal Operation
    5.4.5 ACL provisioning
  5.5 Secure Resource Manager (SRM)
  5.6 Credential Overview
6 Security for the Discovery Process
  6.1 Preamble
  6.2 Security Considerations for Discovery
7 Security Provisioning
  7.1 Device Identity
    7.1.1 General Device Identity
    7.1.2 Device Identity for Devices with UAID [Deprecated]
  7.2 Device Ownership
  7.3 Device Ownership Transfer Methods
    7.3.1 OTM implementation requirements
    7.3.2 SharedKey Credential Calculation
    7.3.3 Certificate Credential Generation
    7.3.4 Just-Works OTM
    7.3.5 Random PIN Based OTM
    7.3.6 Manufacturer Certificate Based OTM
    7.3.7 Vendor Specific OTMs
    7.3.8 Establishing Owner Credentials
    7.3.9 Security considerations regarding selecting an Ownership Transfer Method
    7.3.10 Security Profile Assignment
  7.4 Provisioning
    7.4.1 Provisioning Flows
  7.5 Device Provisioning for OCF Cloud
    7.5.1 Cloud Provisioning General
    7.5.2 Device Provisioning by Mediator
8 Device Onboarding State Definitions
  8.1 Device Onboarding General
  8.2 Device Onboarding-Reset State Definition
  8.3 Device Ready-for-OTM State Definition
  8.4 Device Ready-for-Provisioning State Definition
  8.5 Device Ready-for-Normal-Operation State Definition
  8.6 Device Soft Reset State Definition
9 Security Credential Management
  9.1 Preamble
  9.2 Credential Lifecycle
    9.2.1 Credential Lifecycle General
    9.2.2 Creation
    9.2.3 Deletion
    9.2.4 Refresh
    9.2.5 Revocation
  9.3 Credential Types
    9.3.1 Preamble
    9.3.2 Pair-wise Symmetric Key Credentials
    9.3.3 Group Symmetric Key Credentials
    9.3.4 Asymmetric Authentication Key Credentials
    9.3.5 Asymmetric Key Encryption Key Credentials
    9.3.6 Certificate Credentials
    9.3.7 Password Credentials
  9.4 Certificate Based Key Management
    9.4.1 Overview
    9.4.2 X.509 Digital Certificate Profiles
    9.4.3 Certificate Revocation List (CRL) Profile