AppSec USA 2016

The need to connect ‘things’ to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT
1. Physical access and infinite time available to adversaries to take apart devices 
2. Lower computation power of standalone devices 
3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised 
4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference. 
In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs could be modelled using the above elements. For major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios: 
• Home automation as enabled by NEST devices
• Device collaboration in Zigbee-based networks
• Smart inventory management using NFC/RFID
• Remote device control based on XMPP (SASL authentication)
The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case.