A Cloud-Centric Ecosystem Approach to Ease IoT Development
•Transferir como PPTX, PDF•
0 gostou•755 visualizações
To create a successful Internet of Things, connected devices and applications must be able to easily, securely and intelligently interact across silos. The cloud platform supporting interoperability among different vendors creates an ecosystem. Multiple players each focus on their core strength (devices, applications, analytics, etc.) and build an end-to-end IoT solution collectively on the ecosystem, without integration pain. We will go over the methodology that ARTIK Cloud uses to support interoperability. In addition, we will discuss the security, specifically secure device registration.
Recomendados
Recomendados
Mais conteúdo relacionado
Semelhante a A Cloud-Centric Ecosystem Approach to Ease IoT Development
Semelhante a A Cloud-Centric Ecosystem Approach to Ease IoT Development (20)
Último
Último (20)
A Cloud-Centric Ecosystem Approach to Ease IoT Development
- 1. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon A cloud-centric ecosystem approach to ease IoT development www.iot-devcon.com Yujing Wu Developer Evangelist Oleg Gryb Sr. Manager in Security
- 2. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud As a device developer, you created an innovative thing…
- 3. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Step 1: Connect the new awesome device to the Internet artik.cloud A lot of options to implement a system where this device interacts with apps/things created by YOU
- 4. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud Step 2: How to make it smart? o Make it interact with many other things from different vendors o Customized integration with each of other things is not scalable and not future proof
- 5. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Today: IoT = collections of silo systems artik.cloud
- 6. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon New Smart City Service New Smart Building App New Home Security Service Not Yet Invented artik.cloud Vision: Connect EVERYTHING and enable …
- 7. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud Realize vision: IoT Open data exchange platform Data Sources Applications New class of applications services Make connections, not silos. Any device Any cloud Any data Rich Open APIs Devices, apps, and services easily work together cross vendors and vertical markets. Cloud is the best place to achieve this level of interoperability
- 8. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon • Three capabilities make interoperability possible o Device Manifest o Diverse ways to interact with devices and 3rd party clouds o Powerful cross-silo rule engine artik.cloud
- 9. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud o Accept diverse type of data o Expose data format/capability of a device type to other developers Brings in data from devices: device Manifest
- 10. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Multiple ways for a device to communicate: o REST o WebSocket o MQTT o CoAP artik.cloud
- 11. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud o Cloud Connector o Subscription and Notification o Build your custom integration Cloud Connector Brings in data from 3rd party clouds
- 12. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon o Manage rules through use portal o Manage rules programmatically through API calls Make devices interact: rules engine
- 13. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud vendor A vendor B vendor C Open data exchange platform Open Ecosystem o Build comprehensive solutions without integration pain o Applications from A use devices built by B and C o Devices built by B and C are exposed to developers from other companies o Each of the players focuses on what they do best
- 14. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon artik.cloud REST websocket mqtt coap websocket Have flexibility when implementing the system to talk to ARTIK Cloud Cloud Connector Subscribe & Notify
- 15. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Secure Device Registration Protocol www.iot-devcon.com Yujing Wu Developer Evangelist Oleg Gryb Sr. Manager in Security
- 16. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Artik Cloud Security Team and Security Process artik.cloud
- 17. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Secure Device Registration – Problems we Solve • Secure device identification • Secure device authentication • Secure user and device paring • Preventing device spoofing by other devices or HTTP clients artik.cloud
- 18. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon What we use to solve it: • A private key and a certificate signed by a trusted CA • Certificate associated with the private key guarantees device authenticity • TLS with mutual authentication prevents spoofing and provided a reliable device authentication • Each device should have a unique certificate within a given vendor to achieve our goal • CA certificate should be trusted in Artik Cloud artik.cloud
- 19. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Secure User Auth and Pairing w/ Device • User should be authenticated against Artik Cloud to be able to register a device • Artik Cloud generates a challenge code • User needs to enter this code at Artik Cloud portal to complete the registration artik.cloud
- 21. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Security Considerations • We use TLS 1.2 with mutual client/server auth • We use GCM block ciphers to avoid CBC weakness and attacks like beast • Symmetric cipher is AES-128. This is to reduce the load on device, hash – SHA256 • ECDHE with EC brainpoolP256r1 artik.cloud
- 23. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Getting a PIN sdrclient -cert artik_dev1.cer -key artik_dev1.key -dtid dtc5ecf0abccaa428c853e144c964ad727 -vdid vd01 –reg s-api.artik.cloud … sdrapi(sdrpost): Sending reg request: sdrclient: Got pin, enter it to a browser: pin=NBSYL5SG artik.cloud
- 25. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon To send data you can use a command like this: sdrclient -key artik_dev1.key -cert artik_dev1.cer -data '{"sdid":"9be9867e8ca94125a233e271d7150ff0" ,"data":{"data":"testdata"}}’ -token ac63daad3c874a08bdf7c7819c74aea9 -v artik.cloud
- 26. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Conclusion • Not all IoT devices are equal security wise • But you do need to think about secure protocols when data is sensitive (e.g. medical applications) artik.cloud
- 27. ________________________________________________________________________ #IoTDevCon @artikcloud #IoTDevCon Thanks for coming! Got questions? Talk to us after the presentation Find us at https://artik.cloud Follow us on Twitter and LinkedIn Official twitter account: @artikcloud Yujing: @yujingwu https://www.linkedin.com/in/yujingwu Oleg: @oleggryb https://www.linkedin.com/in/ogryb artik.cloud
Notas do Editor
- Greet and introduce speakers Good morning everyone. Thank you for being here. The session is about … My name is Yujing Wu and I am developer evangelist Samsung Strategy & Innovation Center. Joining me here is my colleague Oleg Gryb. He is senior manger working in security domain. In the late part of this talk, you will hear from him. At the end of this talk, you will have the basic understanding of our point view of interoperability, our methodology to address that and security aspects of the cloud platform. We will take questions at the end if time permits.
- You are a developer. You have created an innovative thing (for example touch free bio sensor, coffee machine, smart switches). You want to connect this thing to Internet and be able to control it or visualize its data. You have a couple of options here. You can create your own apps and own cloud. Even better, you bring your device data to a few available IoT cloud platform, which will collect, transport, store and analysis the data and a way for your app to control your devices. Easiest option,
- Connect everything for IoT… connect cars, traffic…, However, to make your device even more useful, you want your devices to interact with other type of devices and other apps which are not created by you. For example, the coffee machine can control the amount of coffin based on the energy level measured by a wearable device. Talk to smart cook…. Now, this becomes more difficult to achieve compared to the earlier scenario. You really need to platform….. You may end to do integration with different types of devices/cloud. Such integration is not scalable and not future proof.
- It should be easy to connect every type of things including one have not yet invented An app developer can easily build app that use the device types not from his organization In addition, we believe that the rich insight about users can only come from diverse data. There should be a easy way for analytics applications to get diverse data. Live in siloed world. limit data analysis to siloed data, This cannot generate rich insight about users. Rich insight about users does not come from Rich data analysis about users can It should be easy to do rich data analysis from diverse type of data instead of siloed data
- ARTIK Cloud is introduced to realize the vision – to make connection among different types of things easily instead of creating another silos ARTIK Cloud is data exchange platform. It allows devices, apps, services easily work together across vendors and vertical markets. The achieve this level of interoperability, the right place for us to do it is in cloud, not locally (at gateway or device level) ARTIK Cloud is completely open. Can work with Samsung and non samsung devices, It can work with 3rd party clouds. We have supported device from 30 brands. ARTIK Cloud provides open and rich APIs, powerful development tools and rich SDK, we also build sophisticated security and permission management in the cloud. Agnostic to underlying wireless protocols
- Two options to cloud: If you have created a new type of device, it is very easy for you to bring your devices into ARTIK Cloud. Developers use Device Manifest to describe the attributes and capability of your device types. (what action is possible for that type device) Once you define the device Manifest, it is easy to send data or receive command from or to your devices. In terms of communication protocols, we support HTTP for REST API calls, websocket, MQtt and CoAP. ================= We provide a way for developer to describe the attributes and capability of your device types. (what action is possible for that type device) We call it device Manifest. Every device type has a Manifest. We provide two ways for you to create device Manifest: UI and Groovy code for Advanced Manifest This is key component of ARTIK Cloud solution.
- Devices: Multiple protocols HTTP WebSockets MQTT CoAP You do not need to build the customized solution to get data from different cloud services. Do customized integration Simply use our Cloud Connector framework Devices never worked together before Data store No need to build data access API
- There are many capabilities of ARTIK Cloud I do not have time to go over. Talk to us after the session.
- Make it extremely ….. Diversity : mqtt and web
- Beyond data exchange capability, ARTIK Cloud has many other capability like sophisticated permission management and powerful development tools, which I do not have time to address. However, I want to emphasize that security is very important part of our cloud offering. Let me handle over the talk to my colleague security expert Oleg to talk about security.
- AC Security team handles all aspects of security in our org. We’re trying to be just as agile as our DevOps team is. Our approach of achieving this is descried in details in this video. Since I don’t have much time, I’ll focus on one thing – building security architecture for Artik Cloud. More specifically, I’m going to talk about Secure Device Registration or SDR as we call it.
- What is SDR and what kind of problems we’re trying to solve. If you deal with sensitive information such like medical data or personal identifiable data, it’s important to meet certain criteria.
- To solve the described problem we use PKI based mutual server/client authentication, which relies on certificates and private keys stored on both client (device) and a server. Each device vendor should be associated with a CA in our approach. The vendor is responsible for creating CA, clients certificates and keys and storing them securely in his infrastructure. AC should make a vendor’s CA trusted before vendor’s clients can securely connect to AC. Since each certificate is unique, there is no way to spoof a device after it has been resgitered.
- Another security feature is a secure device to a device owner pairing, which doesn’t allow to register the same device to a different user or use API to spoof device traffic.
- Registration starts on a device when a user hits “register” button 2-way SSL will be used to start a conversation between a device and AC Client’s certificate will be verified to make sure that it’s signed by a trusted CA AC will generate a long nonce and a relatively short PIN. The latter will be displayed on a device. The owner of the device will take that PIN and completes a registration on AC’s user portal by entering device type, device name and PIN.
- In the demo, I will simulate a real device with an SDR client that have an access to a device key and certificate. This is how my command line will look like: -cert and –key used to specify device’s certificate and the key -dtid is an internal device type ID available at AC’s dev portal -vdid – a unique (with a vendor) device ID s-api.artik.cloud is an ARTIK Cloud endpoint