ISO_IEC_30118_2021
INTERNATIONAL STANDARD
ISO/IEC 30118-2
Second edition 2021-10

Information technology
Open Connectivity Foundation (OCF) Specification
Part 2: Security specification

Technologies de l'information
Spécification de la Fondation pour la connectivité ouverte (Fondation OCF)
Partie 2: Spécification de sécurité

Reference number ISO/IEC 30118-2:2021(E)
© ISO/IEC 2021

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401, Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative References
3 Terms, definitions and abbreviated terms
  3.1 Terms and definitions
  3.2 Symbols and abbreviated terms
4 Document conventions and organization
  4.1 Conventions
  4.2 Notation
  4.3 Data types
  4.4 Document structure
5 Security overview
  5.1 Preamble
  5.2 Access control
    5.2.1 Access control general
    5.2.2 ACL architecture
  5.3 Onboarding overview
    5.3.1 Onboarding general
    5.3.2 Onboarding steps
    5.3.3 Establishing a Device Owner
    5.3.4 Provisioning for Normal Operation
    5.3.5 OCF Compliance Management System
  5.4 Provisioning
    5.4.1 Provisioning general
    5.4.2 Access control provisioning
    5.4.3 Credential provisioning
    5.4.4 Role provisioning
  5.5 Secure Resource Manager (SRM)
  5.6 Credential overview
  5.7 Event logging
    5.7.1 Event logging general
6 Security for the discovery process
  6.1 Preamble
  6.2 Security considerations for discovery
7 Security provisioning
  7.1 Device identity
    7.1.1 General Device identity
    7.1.2 Device identity for devices with UAID Deprecated
  7.2 Device ownership
  7.3 Device Ownership Transfer Methods
    7.3.1 OTM implementation requirements
    7.3.2 SharedKey credential calculation
    7.3.3 Certificate credential generation
    7.3.4 Just-Works OTM
    7.3.5 Random PIN based OTM
    7.3.6 Manufacturer Certificate Based OTM
    7.3.7 Vendor specific OTMs
    7.3.8 Establishing Owner Credentials
    7.3.9 Security profile assignment
  7.4 Provisioning
    7.4.1 Provisioning flows
8 Device Onboarding state definitions
  8.1 Device Onboarding general
  8.2 Device Onboarding-Reset state definition
  8.3 Device Ready-for-OTM State definition
  8.4 Device Ready-for-Provisioning State Definition
  8.5 Device Ready-for-Normal-Operation state definition
  8.6 Device Soft Reset State definition
9 Security Credential management
  9.1 Preamble
  9.2 Credential lifecycle
    9.2.1 Credential lifecycle general
    9.2.2 Creation
    9.2.3 Deletion
    9.2.4 Refresh
    9.2.5 Revocation
  9.3 Credential types
    9.3.1 Preamble
    9.3.2 Pair-wise symmetric key credentials
    9.3.3 Group symmetric key credentials
    9.3.4 Asymmetric authentication key credentials
    9.3.5 Asymmetric Key Encryption Key credentials
    9.3.6 Certificate credentials
    9.3.7 Password credentials
  9.4 Certificate based key management
    9.4.1 Overview
    9.4.2 X.509 digital certificate profiles
    9.4.3 Certificate Revocation List (CRL) Profile deprecated
    9.4.4 Resource model
    9.4.5 Certificate provisioning
    9.4.6 CRL provisioning deprecated
10 Device authentication
  10.1 Device authentication general
  10.2 Device authentication with symmetric key credentials
  10.3 Device authentication with raw asymmetric key credentials
  10.4 Device authentication with certificates
    10.4.1 Device authentication with certificates general
    10.4.2 Role assertion with certificates
    10.4.3 OCF PKI Roots
    10.4.4 PKI Trust Store
    10.4.5 Path Validation and extension processing
11 Message integrity and confidentiality
  11.1 Preamble
  11.2 Session protection with DTLS
    11.2.1 DTLS protection general
    11.2.2 Unicast session semantics
  11.3 Cipher suites
    11.3.1 Cipher suites general
    11.3.2 Cipher suites for Device Ownership Transfer
    11.3.3 Cipher Suites for symmetric keys
    11.3.4 Cipher suites for asymmetric credentials
12 Access control
  12.1 ACL generation and management
  12.2 ACL evaluation and enforcement
    12.2.1 ACL evaluation and enforcement general
    12.2.2 Host reference matching
    12.2.3 Resource wildcard matching
    12.2.4 Multiple criteria matching
    12.2.5 Subject matching using wildcards
    12.2.6 Subject matching using roles
    12.2.7 ACL evalu