Theoretical use of ACME (or derived protocol) In Mutual Authentication in "Internet of Things" systems


#1

I have recently been looking at IoT and systems like https://www.smartthings.com; these systems seem, in the majority, to be lacking in authentication or encryption and/or rely on “cloud” systems that cease working when servers or internet connections have problems.

I have been thinking of the concept of using “micro” CAs in “hub” devices that client devices can register with and be automatically issued client certificates, for the purposes of mutual authentication, using the ACME, or similar, protocol.

This could work automatically locally in combination with discovery protocols, or more generally over WAN or the internet.

While I know something about information security, I’m not that familiar with the intricacies of PKI; I’m interested in opinions on the feasibility, and potential issues, of this concept.


#2

@fireblade, that Internet of Things security problem is a very tough one!

The design of ACME is focused around the PKI problem of proving associations between cryptographic keys and names; every cert that Let’s Encrypt issues using ACME contains a list of subject names and also a subject public key, and the point of the certificate is to say that the certificate authority has confirmed that it’s OK to use a particular subject public key when talking to someone who uses one of those subject names. For example, Let’s Encrypt issued one certificate, using ACME, that says that it’s OK to use the RSA public key (10001, …) when talking to someone using the name www.unhappybirthday.com.

ACME itself consists mostly of mechanisms that certificate authorities can issue to requesters in order to try to satisfy themselves that ① the requesters actually want to associate particular cryptographic keys with particular names, and ② the requesters actually control those names. This is what we call domain validation.

So, that’s what our technology can do. To apply it in another context, you need to figure out whether there are names that could be associated with cryptographic keys, how entities can figure out what those names mean, and how they can figure out who is entitled to use them.
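
A worked sketch of both ideas above, added here as an example; it is not code from either poster, from SmartThings or from Let’s Encrypt. The hub acts as the “micro CA” of post #1, and its issuance step checks the two things post #2 says ACME validation establishes: that the requester holds the key it wants bound to the name (①, the CSR’s own signature) and that it is entitled to the name (②, here a pairing token the hub already associates with the name, because a LAN offers no DNS or HTTP challenge). Hub and device then authenticate each other with a mutual TLS handshake. Go standard library only. Everything concrete is an assumption of the example: the names hub-ca, hub.local and thermostat-01.local, the pairing token 734-291 and the token store behind it, the 24-hour lifetime, and an in-memory pipe standing in for a real socket.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCSR is the requester's side of enrolment: generate a key and ask for name to be bound to it.
// (crypto/rand.Reader never returns an error as of Go 1.24, so the key-generation error is not checked.)
func newCSR(name string) ([]byte, ed25519.PrivateKey, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}, key)
	return der, key, err
}

// issue is the hub's side. The CSR's own signature proves the requester holds the key it wants bound to the
// name (①); a pairing token the hub already associates with that name stands in for domain validation (②).
func issue(caCert *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte, token, expected string,
	serial int64, eku x509.ExtKeyUsage) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("requester does not hold the key in the CSR: %w", err)
	}
	if subtle.ConstantTimeCompare([]byte(token), []byte(expected)) != 1 {
		return nil, fmt.Errorf("pairing token mismatch: %q not shown to be entitled to its name", csr.Subject.CommonName)
	}
	return x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		DNSNames: csr.DNSNames, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}, caCert, csr.PublicKey, caKey)
}

// mutualTLS handshakes over an in-memory pipe: the hub requires a client certificate chaining to its CA, the
// device requires a hub certificate chaining to the same CA and valid for the hub's (assumed) name hub.local.
func mutualTLS(ca *x509.Certificate, hubDER []byte, hubKey ed25519.PrivateKey, devDER []byte,
	devKey ed25519.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	hubConn, devConn := net.Pipe()
	defer hubConn.Close()
	defer devConn.Close()
	hubSide := tls.Server(hubConn, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{hubDER}, PrivateKey: hubKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
		SessionTicketsDisabled: true, // nothing after the handshake that the synchronous pipe would have to absorb
	})
	devSide := tls.Client(devConn, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{devDER}, PrivateKey: devKey}},
		RootCAs:      pool, ServerName: "hub.local",
	})
	hubErr := make(chan error, 1)
	go func() { hubErr <- hubSide.Handshake() }()
	if err := devSide.Handshake(); err != nil {
		return "", fmt.Errorf("device rejected hub: %w", err)
	}
	if err := <-hubErr; err != nil {
		return "", fmt.Errorf("hub rejected device: %w", err)
	}
	return hubSide.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// enrolAndConnect runs the whole flow: the hub bootstraps its "micro CA" and issues its own server certificate
// (trivially entitled, hence empty tokens), the device enrols with the token it presents, then both authenticate.
func enrolAndConnect(deviceName, presented, expected string) (string, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "hub-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return "", err
	}
	caCert, _ := x509.ParseCertificate(caDER) // DER this process just produced; cannot fail to parse
	hubCSR, hubKey, _ := newCSR("hub.local")  // a CSR error would surface in issue as an unparsable CSR
	hubDER, err := issue(caCert, caKey, hubCSR, "", "", 2, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return "", err
	}
	devCSR, devKey, _ := newCSR(deviceName)
	devDER, err := issue(caCert, caKey, devCSR, presented, expected, 3, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return "", err
	}
	return mutualTLS(caCert, hubDER, hubKey, devDER, devKey)
}

func main() {
	fmt.Println(enrolAndConnect("thermostat-01.local", "734-291", "734-291")) // name the hub verified, nil error
	fmt.Println(enrolAndConnect("thermostat-01.local", "000-000", "734-291")) // empty name, token-mismatch error
}
```

The pairing token is the part to think hardest about when applying this idea: it is the hub’s only evidence that the requester may use the name, so it has to be bound to exactly one name and consumed on first use, which is the role the DNS or HTTP challenge plays in ACME. Once a device holds a certificate, the handshake is entirely local, which is the property the first post is after.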