AppSec California 2015

Traditional PKI focuses on binding a public key to the keyholder’s identity, which is implicitly assumed to be a well-defined, relatively static thing (such as individual’s full name or email address, or the hostname of a public webserver). However, in the envisioned smart grid, for example, the relevant properties of the keyholder are not just the device’s identity (i.e. this is a meter made by ACME or this is a refrigerator made by GE) but its context: This is a refrigerator in the apartment rented by Alice, who buys power from X.

This context information will not necessarily be known until device installation and also may change dynamically. What if Alice sells her fridge on Craigslist or sublets her apartment to Bob? What if repair personnel replace Alice’s meter? This information may also not be particularly simple. What if Alice’s landlord owns many apartment buildings, and changes power vendors to get a better rate?

If our cryptographic infrastructure is going to enable relying parties to make the right judgments about IoT devices (such as the example provided using Smart Grid), this additional contextual information needs to be available. We can try to modify a traditional identity-based PKI to attest to these more dynamic kinds of identities, and we can also try to adapt the largely experimental world of attribute certificates to supplement the identity certificates in the smart-grid PKI. Either of these approaches will break new ground.

Alternatively, we can leave the identity PKI in place and use some other method of maintaining and distributing this additional data; which would require supplementing our scalable PKI with a non-scalable database.

In any of these approaches, we also need to think about who is authorized to make these dynamic updates or who is authoritative for making these types of attestations. Who witnesses that Alice has sold her refrigerator? Thinking about this organizational structure IoT devices also complicates the revocation problem. If we can’t quite figure out who it is that speaks for where a device currently lives, how will we figure out who it is who is authorized to say it has been compromised?

In this presentation, all of these issues and more will be explored and actionable guidelines will be proposed to build a secure and scalable system of IDs and attributes for the complex networked world that awaits us all.