Lines Matching +full:data +full:- +full:valid +full:- +full:time

1 .. _sensor-threat:
11 pressure in a pipe), which sends this data to an SoC running a
13 relays this sensor data to this service. The cloud service is also able
14 to send configuration data to the device, as well as software update
17 .. figure:: media/sensor-model.svg
28 This model also focuses on communicating via the MQTT-over-TLS protocol,
38 1. **The bootloader**. This is a small code/data image contained in
39 on-device flash that is the first code to run. In order to establish
43 programmed into the device, early in production [th-imboot]_.
52 [th-authrepl]_.
55 shall be done in a timely manner [th-timely-update]_.
60 [th-atomic-update]_.
64 are allowed to sign the certificate on the server. For cloud-provider
68 [th-root-certs]_, [th-root-check]_.
85 of code necessary shall have access to them. [th-secret-storage]_
87 5. **Current date/time**. TLS certificate verification requires
88 knowledge of the current date and time in order to determine if the
89 current time falls within the certificate's current validity time.
91 client to sign a message containing a time window that the token is
92 valid. Certificate validation requires the device's notion of date and
93 time to be accurate within a day or so. Token generation generally
94 requires the time to be accurate within 5-10 minutes.
96 It may be possible to approximate secure time by querying an
97 external time server. Secure NTP is possibly beyond the
99 time are denial of service (the device rejects valid certificates),
101 possible to trick the device into generating tokens that are valid in
103 certificate to be able to intercept this. [th-time]_
105 6. **Sensor data**. The data received from the sensor itself, and
109 7. **Device configuration**. Various configuration data, such as the
110 hostname of the service to connect to, the address of a time server,
111 frequency and parameters of when sensor data is sent to the service,
112 and others need to be kept by the device. This configuration data will
114 should be allowed only from authorized parties. [th-conf]_
117 device shall log information about security-pertinent events. IoT
121 resource-available environment. Types of events that should be logged
132 [th-logs]_
138 where data or assets are communicated between entities of the system.
190 configuration information. On resource-constrained devices, it is
203 data, and can range from having the sensor mounted on the same PCB as
210 DNS results or attempt man-in-the-middle attacks
214 service [th-all-tls]_. The TLS stack shall be configured to use only cipher suites
220 [th-tls-ciphers]_.
223 server shall be verified [th-root-check]_.
234 certificate chain has a valid signature path from a root
244 notion of the current time.
250 [th-tls-client-auth]_.
256 certificates can be self-signed, or signed by a CA. Since the
257 service provider maintains a list of valid certificates
262 ii. **Token-based authentication**. It is also possible for the
265 be transmitted in this packet. Instead, a token-based
275 modern, accepted cryptographic random-bit generator to generate
276 these random numbers. It shall use either a Non-Deterministic
279 by an entropy source within the SoC. Please see NIST SP 800-90A
280 for information on approved RBGs and NIST SP 800-90B for
281 information on testing a device's entropy source [th-entropy]_.
283 4. **Communication with the time service**. Ideally, the device shall
284 contain hardware that maintains a secure time. However, most SoCs in
286 an external time service.
288 describe the Simple Network Time Protocol that can be used to query
289 the current time from a network time server.
294 operation, re-provisioning, and destruction.
298 image, a device secret, and initial configuration data
299 [th-initial-provision]_. In
304 [th-initial-secret]_.
309 c. **Re-provisioning**. Sometimes it is necessary to re-provision a
312 data, as well as the cloud service data associated with the
316 [th-reprovision]_.
321 [th-destruction]_. Possibilities include:
343 .. [th-imboot] Must boot with an immutable bootloader.
345 .. [th-authrepl] Application image shall only be replaced with an
348 .. [th-timely-update]
351 .. [th-atomic-update]
354 .. [th-root-certs]
357 .. [th-root-check]
358 TLS must verify root certificate from server is valid.
360 .. [th-secret-storage]
364 .. [th-time]
366 date/time.
368 .. [th-conf]
369 The system must receive and keep configuration data.
371 .. [th-logs]
372 The system must log security-related events, and either store them
375 .. [th-all-tls]
378 .. [th-tls-ciphers]
382 .. [th-tls-client-auth]
386 .. [th-entropy]
387 The TLS layer shall use a modern, accepted cryptographic random-bit
390 .. [th-initial-provision]
391 The device shall have a per-device secret loaded before deployment.
393 .. [th-initial-secret]
397 .. [th-reprovision]
400 .. [th-destruction]
408 See https://www.slideshare.net/kartben/iot-developer-survey-2018. As