Part 2. Device Security
Device Credential Management
- Stored Root Certificate
Each camera shall have the Example Licensing Authority Root Certificate stored in the camera.
The Credential Management Structure is signed using the Private Key of the Example Licensing Authority (the counterpart of the Public Key in the X.509 certificate stored in the device) and shall be encrypted with the unique Public Key corresponding to the Private Key of the device. The Device Private Key is also programmed into the device at manufacture.
When the end user wishes to assign the camera to the Example Account Service Provider, they launch the Example Service Provider application, which in turn initiates an OAuth2 session with the Example License Authority. The user supplies the factory-configured credentials so that the Example License Authority can generate a token for the Example Account Service.
The Example License Authority provides the following Object to the Device.
- This object is known as the "Example LA Credential Object".
This object contains a reference to the Example Account Service Provider to which the camera is being linked, and an expiry time for the message.
- For example, if the message is received outside of the time defined by the start and expiry times it should be ignored.
- This object is delivered by the Example Account Service after it has received the Token from the Example Licensing Authority and is able to log in to the device.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "title": "Example LA Credential Object",
  "additionalProperties": false,
  "properties": {
    "Unique ID": {
      "type": "string",
      "description": "Permanent ID of the device. Readable by end user."
    },
    "Example Account Service": {
      "type": "object",
      "properties": {
        "Example Account Service ID": {
          "type": "string",
          "description": "Unique ID for the Example Account Service Provider"
        },
        "Example Account Service Name": { "type": "string" },
        "Example Account Service X.509 Version Number": {
          "type": "string",
          "description": "Version number of certificate for Example Account Service"
        },
        "Example Account Service X.509 Serial Number": {
          "type": "string",
          "description": "Unique Serial number of the certificate of the Example Account Service Provider"
        },
        "Example Account Service X.509 URI": { "type": "string" },
        "Expiry": {
          "type": "string",
          "description": "Time in seconds since 1970-01-01T00:00:00Z. After this time the Object should no longer be accepted."
        },
        "Revoked JSON Token IDs": {
          "type": "array",
          "description": "JSON Token IDs (jti) that are revoked",
          "items": { "type": "string" }
        }
      }
    },
    "Device Seller ID": {
      "type": "string",
      "description": "ID of brand or seller of camera. When checking the X.509 certificate for the code image signature this ID must match that of the X.509 certificate."
    },
    "Code Signing Certificate": {
      "type": "string",
      "description": "X.509 Certificate containing verification key for firmware upgrades. The Example LA will use this field to update the certificate from the device manufacturer to the device seller."
    }
  }
}
The preceding JSON object shall be signed using the Example License Authority Private Key and encrypted using an AES Key delivered encrypted by the Public Key associated with the device.
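The device-side acceptance rules described above (the object must name this device, must not be past its Expiry, may carry no keys outside the schema, and its revocation list must be honoured), shown as an added example that is not part of this specification. Signature verification and decryption of the envelope are assumed to have already happened; the sample object and all its values are constructed for the example.

```python
import json
import time

# Constructed sample "Example LA Credential Object" (field names follow the
# schema above; every value here is made up for this example).
SAMPLE_LA_OBJECT = json.dumps({
    "Unique ID": "CAM-0001",
    "Example Account Service": {
        "Example Account Service ID": "EAS-42",
        "Example Account Service X.509 Serial Number": "1A2B3C",
        "Expiry": "1700000000",
        "Revoked JSON Token IDs": ["tok-7", "tok-9"],
    },
    "Device Seller ID": "SellerCo",
    "Code Signing Certificate": "PLACEHOLDER-PEM-CERTIFICATE",
})

ALLOWED_TOP_LEVEL = {"Unique ID", "Example Account Service",
                     "Device Seller ID", "Code Signing Certificate"}


def check_la_credential(raw, device_unique_id, now=None):
    """Return the list of rejection reasons; an empty list means accept.
    Assumes the envelope was already decrypted and its signature verified."""
    now = time.time() if now is None else now
    obj = json.loads(raw)
    reasons = []
    extra = set(obj) - ALLOWED_TOP_LEVEL      # "additionalProperties": false
    if extra:
        reasons.append("unexpected keys: %s" % sorted(extra))
    if obj.get("Unique ID") != device_unique_id:
        reasons.append("Unique ID does not match this device")
    eas = obj.get("Example Account Service", {})
    try:
        expiry = int(eas["Expiry"])           # epoch seconds stored as a string
    except (KeyError, ValueError, TypeError):
        reasons.append("Expiry missing or malformed")  # fail closed
    else:
        if now > expiry:
            reasons.append("object expired at %d" % expiry)
    return reasons


def is_token_revoked(raw, jti):
    """True when the object's revocation list names this JWT id (jti)."""
    eas = json.loads(raw).get("Example Account Service", {})
    return jti in eas.get("Revoked JSON Token IDs", [])
```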
- The Example Account Service uses the same token to log into the device and to supply the device with a Credential Object.
- This object is known as the Example Account Service Credential Object.
- The Credential JSON object is signed using the Example License Authority Private Key and encrypted using a key wrapped with the Device Public Key.
- The Example Account Service can configure the device with the following JSON object.
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "title": "Example Account Service Security Object",
  "additionalProperties": false,
  "properties": {
    "Device ID": { "type": "number" },
    "Revoked JSON Token IDs (jti)": {
      "type": "array",
      "description": "List of revoked JTI values",
      "items": { "type": "string", "description": "jti values that are revoked" }
    },
    "File Inspection": {
      "type": "object",
      "properties": {
        "File Inspection Mode": {
          "type": "boolean",
          "description": "If TRUE the YARA files listed in the YARA file list array must be processed on each packet"
        },
        "YARA Files": {
          "type": "array",
          "items": {
            "type": "object",
            "title": "YARA File",
            "properties": {
              "YARA File URI": { "type": "string" },
              "Hash": {
                "type": "string",
                "description": "Hash value of the YARA file used to validate the YARA file"
              },
              "YARA File Encryption Key": {
                "type": "string",
                "description": "Key Used to Encrypt the YARA file. Encryption performed after Hash has been generated."
              }
            }
          }
        }
      }
    },
    "Domain Blacklist": {
      "type": "array",
      "items": { "type": "string", "description": "Blocked Domain Name" }
    },
    "Domain Whitelist": {
      "type": "object",
      "properties": {
        "Domain Name Whitelist Mode": {
          "type": "boolean",
          "description": "If TRUE then only these domain names are allowed."
        },
        "Domain Name List": {
          "type": "array",
          "items": { "type": "string", "description": "White Listed Domain Name" }
        }
      }
    },
    "Ports Blocked": {
      "type": "array",
      "description": "Any ports in this list must be blocked.",
      "items": { "type": "number" }
    },
    "Ports Enabled": {
      "type": "object",
      "properties": {
        "Enforcement": {
          "type": "boolean",
          "description": "If TRUE only ports specified in this list may be open."
        },
        "Port Number": {
          "type": "array",
          "items": { "type": "number" }
        }
      }
    },
    "Certificate Blacklist": {
      "type": "object",
      "description": "List of X.509 certificates that are not valid",
      "properties": {
        "Certificate": {
          "type": "object",
          "properties": {
            "Issuer": { "type": "string" },
            "Serial Number": { "type": "string" }
          }
        }
      }
    },
    "Certificate Whitelist": {
      "type": "object",
      "properties": {
        "Whitelist Mode": {
          "type": "boolean",
          "description": "If true then only Certificates in the list may be used."
        },
        "Certificate": {
          "type": "object",
          "properties": {
            "Issuer": { "type": "string" },
            "Serial Number": { "type": "string" }
          }
        }
      }
    },
    "TLS Root Certificates": {
      "type": "array",
      "items": {
        "type": "string",
        "title": "TLS Root Certificate",
        "description": "Root Certificate used to validate X.509 certificate provided by server or client interacting with device."
      }
    },
    "TLS Configuration": {
      "type": "object",
      "properties": {
        "Certificate": {
          "type": "string",
          "description": "X.509 Certificate to be used for securing TLS communication. This field may be used to update the Certificate that was installed during manufacture."
        },
        "Private Key": { "type": "string" },
        "OCSP URL": {
          "type": "string",
          "title": "OCSP URL",
          "description": "Location of OCSP service"
        }
      }
    }
  }
}
The preceding JSON object is signed using the Private Key of the Example Account Service and encrypted using an AES key encrypted with the Public Key of the device.
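How a device would enforce the domain, port and certificate rules carried in the Security Object above, as an added example that is not part of this specification. The policy values are constructed for the example; block lists are applied first, and the allow lists only take effect when their mode flag is TRUE, which is the reading of the schema descriptions assumed here.

```python
# Constructed sample "Example Account Service Security Object" (field names
# follow the schema above; values are made up for this example).
SAMPLE_POLICY = {
    "Device ID": 1,
    "Domain Blacklist": ["bad.example"],
    "Domain Whitelist": {
        "Domain Name Whitelist Mode": True,
        "Domain Name List": ["cloud.example", "update.example"],
    },
    "Ports Blocked": [23],
    "Ports Enabled": {"Enforcement": True, "Port Number": [443, 8883]},
    "Certificate Blacklist": {
        "Certificate": {"Issuer": "CN=Example CA", "Serial Number": "0BAD"}
    },
    "Certificate Whitelist": {
        "Whitelist Mode": False,
        "Certificate": {"Issuer": "CN=Example CA", "Serial Number": "0001"},
    },
}


def connection_allowed(policy, domain, port):
    """Decide whether the device may talk to (domain, port) under the policy.
    Block lists always win; allow lists apply only when their mode flag is TRUE."""
    if domain in policy.get("Domain Blacklist", []):
        return False
    wl = policy.get("Domain Whitelist", {})
    if wl.get("Domain Name Whitelist Mode") and domain not in wl.get("Domain Name List", []):
        return False
    if port in policy.get("Ports Blocked", []):
        return False
    pe = policy.get("Ports Enabled", {})
    if pe.get("Enforcement") and port not in pe.get("Port Number", []):
        return False
    return True


def certificate_allowed(policy, issuer, serial):
    """Match a peer certificate on (Issuer, Serial Number). The schema carries a
    single Certificate entry per list, so that one entry is what is compared."""
    def same(entry):
        return bool(entry) and (entry["Issuer"], entry["Serial Number"]) == (issuer, serial)
    if same(policy.get("Certificate Blacklist", {}).get("Certificate")):
        return False                       # blacklist is checked before any whitelist
    wl = policy.get("Certificate Whitelist", {})
    if wl.get("Whitelist Mode"):
        return same(wl.get("Certificate"))
    return True
```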