<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc ipr="trust200902" docName="draft-hao-physical-layer-fingerprint-interface-00" category="std">
 <front>
  <title abbrev="RFF ACCESS">Interface specification for physical layer fingerprint access authentication framework of IoT devices</title>
  <author fullname="Hao Fang" initials="H" surname="Fang">
   <organization>Upsec Inc.</organization>
   <address>
    <postal>
     <street>No.9 Mozhou Donglu, Jiangning</street>
     <city>Nanjing</city>
     <region>JiangSu</region>
     <code>211111</code>
     <country>China</country>
    </postal>
    <email>fanghao@upsec.cn</email>
   </address>
  </author>
  <author fullname="Hua Fu" initials="H" surname="Fu">
   <organization>Southeast University</organization>
   <address>
    <postal>
     <street>No.2 SiPaiLou</street>
     <city>Nanjing</city>
     <region>JiangSu</region>
     <code>210096</code>
     <country>China</country>
    </postal>
    <email>hfu@seu.edu.cn</email>
   </address>
  </author>
  <author fullname="Ling Jin" initials="L" surname="Jin">
   <organization>Upsec Inc.</organization>
   <address>
    <postal>
     <street>No.9 Mozhou Donglu, Jiangning</street>
     <city>Nanjing</city>
     <region>JiangSu</region>
     <code>211111</code>
     <country>China</country>
    </postal>
    <email>jinling@upsec.cn</email>
   </address>
  </author>
  <author fullname="Yu Jiang" initials="Y" surname="Jiang">
   <organization>Southeast University</organization>
   <address>
    <postal>
     <street>No.2 SiPaiLou</street>
     <city>Nanjing</city>
     <region>JiangSu</region>
     <code>210096</code>
     <country>China</country>
    </postal>
    <email>jiangyu@seu.edu.cn</email>
   </address>
  </author>
  <author fullname="Aiqun Hu" initials="A" surname="Hu">
   <organization>Southeast University</organization>
   <address>
    <postal>
     <street>No.2 SiPaiLou</street>
     <city>Nanjing</city>
     <region>JiangSu</region>
     <code>210096</code>
     <country>China</country>
    </postal>
    <email>aqhu@seu.edu.cn</email>
   </address>
  </author>
  <date day="12" month="April" year="2022"/>
  <workgroup>Southeast University, Upsec Inc.</workgroup>
  <abstract>
   <t>This document describes an access authentication framework for Internet of Things (IoT) devices based on physical layer fingerprints and specifies the interface functions of that framework. It applies to the construction and management of secure access at the edge of the IoT. The reader is assumed to be familiar with the concepts of physical layer fingerprint techniques.</t>
  </abstract>
  <note title="Terminology">
   <t>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;,
      &quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in this
      document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.</t>
  </note>
 </front>
 <middle>
  <section title="Introduction" anchor="intro">
   <t>Device authentication is important for the security of the Internet of Things (IoT). Classical device authentication techniques are based on the MAC address, a pre-shared key or a digital certificate <xref target="I-D.linning-authentication-physical-layer"/>. However, a MAC address can be spoofed, and as the IoT becomes more diverse and pervasive, deploying pre-shared keys and digital certificates becomes increasingly complex.</t>
   <t>Physical layer fingerprinting is a promising technique for IoT device authentication <xref target="Ref_1"/>. It extracts the inherent physical layer features of a device from the received signal. These physical layer features have been shown to be unique and persistent, and can therefore be used for device authentication.</t>
   <t>Because physical layer fingerprint access authentication requires only the signal received from the IoT device, a suitable access authentication framework needs to be defined. An authentication framework has been proposed in <xref target="I-D.dawei-access-authentication-physical-layer"/>, covering the basic functions of the framework and the specification of fingerprint expression and control messages. This document, based on the same access authentication model, proposes the objectives of the access authentication framework and its interface specifications, in order to ensure the effectiveness of the framework and to facilitate its integration with existing IoT networks.</t>
  </section>
  <section title="Glossary">
   <t>IoT Device Access Gateway<list style="empty">
     <t>A device that provides network connection, control and management, deployed at the boundary between the perception layer and the network layer of the IoT. It realizes the communication between the IoT devices and the network layer.</t>
    </list>
   </t>
   <t>Physical layer fingerprint authentication device<list style="empty">
     <t>A device that trains, identifies and authenticates IoT devices by their physical layer fingerprints.</t>
    </list>
   </t>
  </section>
  <section title="Objectives of physical layer fingerprint access authentication framework" anchor="Objectives">
   <section title="Functional objectives">
    <t>The physical layer fingerprint access authentication framework should achieve the following functional objectives:<list style="empty">
     <t>a) The physical layer fingerprint access authentication framework shall be independent of the application system, to help establish a trust relationship between the application system and IoT devices and provide prerequisites for further determining whether the IoT devices can access the main network of the application system.</t>
     <t>b) The physical layer fingerprint access authentication framework should be independent of the specific physical layer communication protocols of IoT devices, and should be able to support all possible physical layer communication protocols.</t>
     <t>c) The physical layer fingerprint access authentication framework should maintain the accuracy of the physical layer fingerprint extraction and identification mechanism in use.</t>
     <t>d) The interface defined by the physical layer fingerprint access authentication framework should not require the IoT device access gateway of the original application system to provide additional physical layer configuration parameters.</t>
    </list>
    </t>
   </section>
   <section title="Non-functional objectives">
    <t>The physical layer fingerprint access authentication framework should achieve the following non-functional objectives:<list style="empty">
     <t>a) The physical layer fingerprint access authentication framework does not specify a particular physical layer fingerprint extraction and identification mechanism.</t>
     <t>b) The interface defined by the physical layer fingerprint access authentication framework does not specify a particular interface access authentication mechanism; however, to avoid abuse of the defined interface, the necessary security authentication shall exist between the physical layer fingerprint access authentication device and the IoT device access gateway of the application system.</t>
     <t>c) The physical layer fingerprint access authentication framework is independent of any specific operating system or platform, but the implementation of the physical layer fingerprint access authentication device may be tied to a specific operating system or platform.</t>
     <t>d) The interfaces defined by the physical layer fingerprint access authentication framework should enable integration with legacy systems.</t>
    </list>
    </t>
   </section>
  </section>
  <section anchor="Framework" title="Physical layer fingerprint access authentication framework">
   <section title="Structure of the Physical layer fingerprint access authentication framework">
    <t>The structure of the physical layer fingerprint access authentication framework is shown in <xref target="fig2"/>. The framework is composed of two parts: the physical layer fingerprint authentication device and the IoT device access gateway. The physical layer fingerprint authentication device adopts a distributed architecture and can serve multiple IoT device access gateways simultaneously.</t>
    <t>
     <figure anchor="fig2" title="Structure of the physical layer fingerprint access authentication framework">
      <artwork>+----------------+        +----------------+        +------------+
|                |        |   IoT device   |        |            |
|   IoT device   | &lt;----&gt; | access gateway | &lt;----&gt; |  Intranet  |
|(Claiming party)|        | (Relying party)|        |            |
|                |        |                |        |            |
+----------------+        +----------------+        +------------+
           ^                       ^
           |                       | -Full whitelist request
           |                       | -Incremental whitelist request
           |                       | -Blacklisting
           |                       | -Unblacklisting
           |                       v
           |       +------------------------------+
           +-----&gt; |                              |
                   |  Physical layer fingerprint  |
                   |     authentication device    |
                   |          (Verifier)          |
                   |                              |
                   +------------------------------+</artwork>
     </figure>
    </t>
    <t>The main function of the physical layer fingerprint authentication device is to complete the extraction and authentication of the fingerprint of the IoT device through a certain identity authentication mechanism, and to submit the authentication result in the form of assertion to the IoT device access gateway. The physical layer fingerprint authentication device does not limit the specific identity authentication mechanism, but only provides a unified interface, and the specific authentication interaction process with the IoT device is completed by the implementation of each authentication mechanism itself. The physical layer fingerprint authentication device corresponds to the verifier in the authentication model of <xref target="I-D.dawei-access-authentication-physical-layer"/>.</t>
    <t>The IoT device access gateway interacts with the physical layer fingerprint authentication device to assist in the authentication process of the IoT device accessing the main network of the application system. The IoT device access gateway and the application system together correspond to the relying party in the authentication model of <xref target="I-D.dawei-access-authentication-physical-layer"/>.</t>
    <t>The communication between the IoT device access gateway and the physical layer fingerprint authentication device is by default protected by a trusted channel. If the application system and the physical layer fingerprint authentication device are integrated together, i.e., the verifier and the relying party are unified entities, this trusted channel becomes the internal data transmission in the system. If the application system and the physical layer fingerprint authentication device are located in different systems and need to communicate with each other remotely, this trusted channel is an encrypted channel between them.</t>
   </section>
   <section title="Interface functions for physical layer fingerprint access authentication">
    <section title="Full whitelist request">
     <t>The physical layer fingerprint authentication device requests the full whitelist of IoT devices from the IoT device access gateway through this interface. Based on the full whitelist, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for all whitelisted devices.</t>
    </section>
    <section title="Incremental whitelist request">
     <t>The physical layer fingerprint authentication device requests the incremental whitelist of IoT devices from the IoT device access gateway through this interface. Based on the incremental whitelist, the physical layer fingerprint authentication device performs fingerprint extraction and authentication for the newly added whitelisted devices.</t>
    </section>
    <section title="Blacklisting">
     <t>When the physical layer fingerprint authentication device determines that the status of a whitelisted device has changed from legitimate to illegitimate, it submits this authentication result to the IoT device access gateway, which adds the device to the blacklist and intercepts its traffic.</t>
    </section>
    <section title="Unblacklisting">
     <t>When the physical layer fingerprint authentication device determines that the status of a whitelisted device has changed from illegitimate back to legitimate, it submits this authentication result to the IoT device access gateway, which removes the device from the interception blacklist.</t>
    </section>
   </section>
  </section>
  <section anchor="Interface" title="Interface Specification">
   <section title="Full whitelist request interface">
    <t>This interface needs to provide the following requests and responses:<list style="empty">
     <t>Requests:<list style="empty">
      <t>a) Protocol version<list style="empty">
       <t>The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
     </list>
     </t>
     <t>Responses:<list style="empty">
      <t>a) Full whitelist<list style="empty">
       <t>The complete set of whitelisted IoT devices configured in the IoT device access gateway, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
      <t>b) Policy expiration time<list style="empty">
       <t>The policy expiration time specifies how long the whitelist remains valid; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.</t>
      </list>
      </t>
     </list>
     </t>
    </list>
    </t>
   </section>
   <section title="Incremental whitelist request interface">
    <t>This interface needs to provide the following requests and responses:<list style="empty">
     <t>Requests:<list style="empty">
      <t>a) Protocol version<list style="empty">
       <t>The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
     </list>
     </t>
     <t>Responses:<list style="empty">
      <t>a) Incremental whitelist<list style="empty">
       <t>The IoT devices added to the whitelist configured in the IoT device access gateway since the last request, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
      <t>b) Policy expiration time<list style="empty">
       <t>The policy expiration time specifies how long the whitelist remains valid; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.</t>
      </list>
      </t>
     </list>
     </t>
    </list>
    </t>
   </section>
   <section title="Blacklisting interface">
    <t>This interface needs to provide the following requests and responses:<list style="empty">
     <t>Requests:<list style="empty">
      <t>a) Protocol version<list style="empty">
       <t>The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
      <t>c) Device information<list style="empty">
       <t>Information about the device to be blacklisted, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
      <t>d) Authentication result<list style="empty">
       <t>The current authentication result.</t>
      </list>
      </t>
     </list>
     </t>
     <t>Responses:<list style="empty">
      <t>a) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Policy expiration time<list style="empty">
       <t>The policy expiration time specifies how long the whitelist remains valid; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.</t>
      </list>
      </t>
      <t>c) Device information<list style="empty">
       <t>Information about the device just blacklisted, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
     </list>
     </t>
    </list>
    </t>
   </section>
   <section title="Unblacklisting interface">
    <t>This interface needs to provide the following requests and responses:<list style="empty">
     <t>Requests:<list style="empty">
      <t>a) Protocol version<list style="empty">
       <t>The version of the protocol between the physical layer fingerprint authentication device and the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
      <t>c) Device information<list style="empty">
       <t>Information about the device to be removed from the blacklist, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
      <t>d) Authentication result<list style="empty">
       <t>The current authentication result.</t>
      </list>
      </t>
     </list>
     </t>
     <t>Responses:<list style="empty">
      <t>a) Gateway identifier<list style="empty">
       <t>The unique identifier of the IoT device access gateway, used when the physical layer fingerprint authentication device exchanges information with the IoT device access gateway.</t>
      </list>
      </t>
      <t>b) Policy expiration time<list style="empty">
       <t>The policy expiration time specifies how long the whitelist remains valid; the physical layer fingerprint authentication device identifies and authenticates the currently whitelisted devices within this validity period.</t>
      </list>
      </t>
      <t>c) Device information<list style="empty">
       <t>Information about the device just removed from the blacklist, generally including the device MAC address, IP address, etc.</t>
      </list>
      </t>
     </list>
     </t>
    </list>
    </t>
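    <t>The following added example (not part of this document, and not the code of any implementation it describes) models the four interfaces of Section 4.2 and this section as an exchange between a verifier object and a gateway object in Python. The JSON encoding, the field names, the "pass"/"fail" values of the authentication result, the gateway-side queue of not yet delivered additions that backs the incremental whitelist request, the sample device data and the in-process call standing in for the trusted channel are all assumptions; the draft specifies only which fields each request and response carries.</t>
    <figure>
     <artwork><![CDATA[
```python
# Added example, not the draft's code. Assumed: JSON encoding, field names, "pass"/"fail"
# result values, a gateway-side queue of undelivered additions, sample devices, in-process transport.
import json
import time
from dataclasses import dataclass, asdict

PROTOCOL_VERSION = "1.0"  # assumed version string


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str


class AccessGateway:
    """Relying party: owns the whitelist, the blacklist and the policy lifetime."""
    def __init__(self, gateway_id, devices, policy_ttl=300.0, clock=time.time):
        self.gateway_id, self.policy_ttl, self.clock = gateway_id, policy_ttl, clock
        self.whitelist = {d.mac: d for d in devices}
        self.blacklist, self.pending = set(), []  # pending: additions not yet delivered

    def add_device(self, dev):
        self.whitelist[dev.mac] = dev
        self.pending.append(dev)

    def handle(self, message):
        req = json.loads(message)
        # Every interface carries the protocol version and the gateway identifier; check both first.
        if req.get("protocol_version") != PROTOCOL_VERSION or req.get("gateway_id") != self.gateway_id:
            return json.dumps({"error": "unsupported protocol version or unknown gateway identifier"})
        expiry = self.clock() + self.policy_ttl  # policy expiration time carried by every response
        kind = req.get("type")
        if kind in ("full_whitelist", "incremental_whitelist"):
            entries = list(self.whitelist.values()) if kind == "full_whitelist" else self.pending
            self.pending = []  # either answer brings the verifier up to date
            return json.dumps({"whitelist": [asdict(d) for d in entries], "policy_expiration_time": expiry})
        if kind in ("blacklist", "unblacklist"):
            mac = req.get("device", {}).get("mac")
            if mac not in self.whitelist:
                return json.dumps({"error": "device not in whitelist"})
            # The submitted authentication result must agree with the requested action.
            if req.get("authentication_result") != ("fail" if kind == "blacklist" else "pass"):
                return json.dumps({"error": "authentication result inconsistent with request"})
            (self.blacklist.add if kind == "blacklist" else self.blacklist.discard)(mac)
            return json.dumps({"gateway_id": self.gateway_id, "policy_expiration_time": expiry,
                               "device": asdict(self.whitelist[mac])})
        return json.dumps({"error": "unknown request type"})


class FingerprintVerifier:
    """Verifier; the fingerprint mechanism is out of scope, so the caller reports the match result."""
    def __init__(self, gateway, gateway_id, clock=time.time):
        self.gateway, self.gateway_id, self.clock = gateway, gateway_id, clock
        self.known, self.blocked, self.policy_expires_at = {}, set(), 0.0

    def _call(self, body):
        body.update(protocol_version=PROTOCOL_VERSION, gateway_id=self.gateway_id)
        resp = json.loads(self.gateway.handle(json.dumps(body)))
        if "error" in resp:
            raise RuntimeError(resp["error"])
        if resp.get("gateway_id", self.gateway_id) != self.gateway_id:
            raise RuntimeError("response from unexpected gateway")
        self.policy_expires_at = resp["policy_expiration_time"]
        return resp

    def sync(self, full):
        """Full or incremental whitelist request; returns the number of entries received."""
        resp = self._call({"type": "full_whitelist" if full else "incremental_whitelist"})
        entries = {d["mac"]: Device(**d) for d in resp["whitelist"]}
        self.known = entries if full else {**self.known, **entries}
        return len(entries)

    def authenticate(self, mac, matches):
        """Act on one fingerprint decision for a whitelisted device while the policy is valid."""
        if self.clock() >= self.policy_expires_at:
            return "policy expired"
        if mac not in self.known:
            return "not whitelisted"
        if matches == (mac in self.blocked):  # legitimate/illegitimate status changed: report it
            kind, result = ("unblacklist", "pass") if matches else ("blacklist", "fail")
            self._call({"type": kind, "device": asdict(self.known[mac]), "authentication_result": result})
            (self.blocked.discard if matches else self.blocked.add)(mac)
            return kind + "ed"
        return "legitimate" if matches else "already blacklisted"


def run_scenario():
    """Constructed walk-through of all four interfaces under a fake clock."""
    now = [1000.0]
    clock = lambda: now[0]
    gw = AccessGateway("gw-01", [Device("02:00:00:00:00:01", "10.0.0.11"),
                                 Device("02:00:00:00:00:02", "10.0.0.12")], policy_ttl=60, clock=clock)
    v = FingerprintVerifier(gw, "gw-01", clock=clock)
    out = {"full": v.sync(full=True)}
    gw.add_device(Device("02:00:00:00:00:03", "10.0.0.13"))
    out["incremental"] = v.sync(full=False)
    out["bad"] = v.authenticate("02:00:00:00:00:02", False)
    out["restored"] = v.authenticate("02:00:00:00:00:02", True)
    out["unknown"] = v.authenticate("02:00:00:00:00:99", True)
    now[0] += 61  # the policy expiration time passes without a refresh
    out["expired"] = v.authenticate("02:00:00:00:00:01", True)
    try:
        FingerprintVerifier(gw, "gw-99", clock=clock).sync(full=True)
    except RuntimeError as exc:
        out["wrong_gateway"] = str(exc)
    return out
```
]]></artwork>
    </figure>
    <t>Three checks in this model are worth noting. The gateway refuses any request whose protocol version or gateway identifier does not match before touching its state, and it rejects a blacklisting request whose authentication result says "pass" (or an unblacklisting request that says "fail"), so the two interfaces cannot be confused. The verifier records the policy expiration time from every response and stops issuing authentication decisions once it has passed, which forces a fresh full or incremental whitelist request, and it checks the gateway identifier in the responses that carry one.</t>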
   </section>
  </section>
  <section anchor="IANA" title="IANA Considerations">
   <t>This document includes no request to IANA.</t>
  </section>
  <section anchor="Security" title="Security Considerations">
   <t>This section addresses only the security considerations associated with the use of the physical layer fingerprint access authentication framework. The IoT device access gateway and the physical layer fingerprint authentication device must be deployed in a secure and trusted environment, and the channel between them must be protected as described in <xref target="Framework"/>.</t>
  </section>
 </middle>
 <back>
  <references title="Normative References">
   <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?></references>
  <references title="Informative References">
   <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-linning-authentication-physical-layer-00.xml"?>
   <reference anchor="Ref_1">
    <!-- the following is the minimum to make xml2rfc happy -->
    <front>
     <title>https://dl.acm.org/doi/10.1145/2379776.2379782</title>
     <author initials="Boris" surname="Danev">
      <organization/>
     </author>
     <date year="2012"/>
    </front>
   </reference>
   <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-dawei-access-authentication-physical-layer-00.xml"?>
  </references>
 </back>
</rfc>
