Jun. 6, 2016
Whitepaper
DRAFT [Concept Paper] Identity and Access Management for Smart Home Devices
The National Cybersecurity Center of Excellence (NCCoE) is seeking
comments from industry on the challenges of identification,
authentication, and authorization for devices in the Internet of Things
(IoT) space, specifically the requirements for authentication and
authorization of autonomous non-person entities (NPE) found in smart
home devices. Areas of interest include the following:
• models for the lifecycle of IoT and/or smart home devices
• threat vectors and attack surfaces of smart home devices throughout
  their lifecycle
• using commercially available technology, methods for the
  identification, authentication, and authorization of smart home
  devices, including:
    o core requirements in addressing these three capabilities
    o implementation challenges
    o potential security weaknesses or gaps
    o mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud
      authentication
    o mechanisms for binding device, APIs, and user identity with
      applicable authentication contexts
    o privacy risks to individuals raised by improving smart home
      device identification and authentication
    o mechanisms that enable improved identification and authentication
      of smart home devices while maintaining individuals’ privacy
• models for handling encryption on constrained devices
• business cases for the identification, authentication, and
  authorization of smart home devices for which the NCCoE could build a
  demonstrable solution
Based upon community feedback on these topics, the NCCoE will consider
instantiating a project to engage in building an example solution using
commercially available technology.
Comments due: No due date--accepted on an ongoing basis.
Submit comments using the link below.