ETSI TS 118 103 V2.4.1 (2016-09)
oneM2M; Security solutions (oneM2M TS-0003 version 2.4.1 Release 2)
RTS/oneM2M-000003v200
TECHNICAL SPECIFICATION
oneM2M;
Security solutions
(oneM2M TS-0003 version 2.4.1 Release 2)
Reference
RTS/oneM2M-000003v200
Keywords
IoT, M2M, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 9
Foreword . 9
1 Scope . 10
2 References . 10
2.1 Normative references . 10
2.2 Informative references . 12
3 Definitions, symbols and abbreviations . 13
3.1 Definitions . 13
3.2 Symbols . 18
3.3 Abbreviations . 18
4 Conventions . 19
5 Security Architecture . 20
5.1 Overview . 20
5.1.0 Introduction . 20
5.1.1 Identification and Authentication . 21
5.1.2 Authorization . 21
5.1.3 Identity Management . 22
5.2 Security Layers . 22
5.2.1 Security Service Layer . 22
5.2.2 Secure Environment Abstraction Layer . 22
5.3 Integration within overall oneM2M architecture . 23
6 Security Services and Interactions . 23
6.1 Security Integration in oneM2M flow of events . 23
6.1.1 Interactions between layers . 23
6.1.2 High level sequence of events . 24
6.1.2.1 Enrolment phase . 24
6.1.2.2 Operational phase . 25
6.1.2.2.1 M2M Service Access . 25
6.1.2.2.2 Authorization to access M2M resources . 26
6.2 Security Service Layer . 26
6.2.1 Access Management . 26
6.2.1.1 Authentication . 26
6.2.2 Authorization Architecture . 27
6.2.3 Security Administration . 29
6.2.3.0 Introduction . 29
6.2.3.1 Security Pre-Provisioning of SE . 29
6.2.3.2 Remote security administration of SE . 29
6.2.4 Identity Protection . 29
6.2.5 Sensitive Data Handling . 29
6.2.5.0 Introduction . 29
6.2.5.1 Sensitive Functions . 30
6.2.5.2 Secure Storage . 30
6.2.6 Trust Enabler security functions . 30
6.3 Secure Environment Abstraction Layer Components . 31
6.3.1 Secure Environment . 31
6.3.2 SE Plug-in . 31
6.3.3 Secure Environment Abstraction . 31
7 Authorization . 32
7.1 Access Control Mechanism . 32
7.1.1 General Description . 32
7.1.2 Parameters of the Request message . 33
7.1.3 Format of privileges and selfPrivileges Attributes . 34
7.1.4 Access Control Decision . 36
7.1.5 Description of the Access Decision Algorithm . 37
7.2 AE Impersonation Prevention . 38
7.2.1 Registrar verification of AE-ID . 38
7.2.2 Verification Using End-to-End Security of Primitives (ESPrim) . 39
7.3 Dynamic Authorization . 40
7.3.1 Purpose of the Dynamic Authorization . 40
7.3.2 Dynamic Authorization Stage 2 Details . 41
7.3.2.1 Dynamic Authorization Reference Model . 41
7.3.2.2 Direct Dynamic Authorization . 43
7.3.2.3 Indirect Dynamic Authorization . 45
7.3.2.4 Token Structure . 48
7.3.2.5 Token Evaluation . 49
7.3.2.6 oneM2M JSON Web Tokens (JWTs) . 49
7.3.2.6.1 Introduction to oneM2M JWTs . 49
7.3.2.6.2 oneM2M JWT Profile . 49
7.3.2.6.3 oneM2M JWT Procedures . 51
7.4 Role Based Access Control . 51
7.4.1 Role Based Access Control Architecture . 51
7.4.2 Role Issuing Procedure . 53
7.4.2.1 Introduction . 53
7.4.2.2 Role Assignment Procedure . 53
7.4.2.3 Issuing Token Associated with Role . 54
7.4.3 Role Based Access Control Procedure . 55
8 Security Frameworks . 56
8.1 General Introductions to the Security Frameworks . 56
8.1.0 General . 56
8.1.1 General Introduction to the Symmetric Key Security Framework . 56
8.1.2 General Introduction to the Certificate-Based Security Framework . 56
8.1.2.0 Introduction . 56
8.1.2.1 Public Key Certificate Flavours . 56
8.1.2.2 Certification Path Validation and Certificate Status Verification . 57
8.1.2.3 Credential Configuration for Certificate-Based Security Framework . 58
8.1.2.4 Information Needed for Certificate Authentication of another Entity . 58
8.1.2.5 Certificate Verification . 59
8.1.3 General Introduction to the GBA (Generic Bootstrapping Architecture) Framework . 60
8.2 Security Association Establishment Frameworks . 61
8.2.1 Overview on Security Association Establishment Frameworks . 61
8.2.2 Detailed Security Association Establishment Frameworks . 65
8.2.2.1 Provisioned Symmetric Key Security Association Establishment Frameworks . 65
8.2.2.2 Certificate-Based Security Association Establishment Frameworks . 66
8.2.2.3 MAF-Based Symmetric Key Security Association Establishment Frameworks . 68
8.3 Remote Security Provisioning Frameworks . 71
8.3.1 Overview on Remote Security Provisioning Frameworks . 71
8.3.1.1 Purpose of Remote Security Provisioning Frameworks . 71
8.3.1.2 Overview on Remote Security Provisioning Frameworks . 72
8.3.2 Detailed Remote Security Provisioning Framework . 74
8.3.2.1 Pre-Provisioned Symmetric Key Remote Security Provisioning Framework . 74
8.3.2.2 Certificate-Based Remote Security Provisioning Framework . 79
8.3.2.3 GBA-Based Remote Security Provisioning Framework . 80
8.3.3 Common Remote Security Provisioning Framework Procedures . 83
8.3.3.1 Certificate Enrolment Procedure call flow . 83
8.4 End-to-End Security of Primitives (ESPrim) . 83
8.4.1 Purpose of E2E Security of Primitives (ESPrim) . 83
8.4.2 End-to-End Security of Primitives (ESPrim) Architecture . 84
8.4.3 End-to-End Security of Primitives (ESPrim) Protocol Details . 91
8.4.3.1 End-to-End Security of Primitives (ESPrim) Parameter Definitions . 91
8.4.3.1.1 originatorESPrimRandObject parameter definition . 91
8.4.3.1.2 receiverESPrimRandObject parameter definition. 91
8.4.3.1.3 e2eSecInfo resource attribute definition . 92
8.4.3.2 ESPrim Object formatting and processing using the JWE Compact Serialization . 92
8.5 End-to-End Security of Data (ESData) . 94
8.5.1 Purpose of ESData . 94
8.5.2 ESData Architecture . 95
8.5.2.1 List of ESData Security Classes and ESData Protection Options . 95
8.5.2.2 Encryption-Only ESData Security Class . 96
8.5.2.2.1 Encryption-Only ESData Security Class Overview . 96
8.5.2.2.2 Encryption using Provisioned Symmetric ESData Key. 97
8.5.2.2.3 Encryption using Trust Enabling Function . 97
8.5.2.2.4 Encryption using Target End-Point Certificates . 98
8.5.2.3 Signature-Only ESData Security Class . 98
8.5.2.3.1 Signature-Only ESData Security Class Overview . 98
8.5.2.3.2 Digital Signature using Source End-Point Certificate . 100
8.5.2.4 Nested Sign-then-Encrypt . 100
8.5.3 End-to-End Security of Data (ESData) Protocol Details . 101
8.5.3.1 Introduction . 101
8.5.3.2 Encryption-Only ESData Security Class Protocol Details . 101
8.5.3.3 Signature-Only ESData Security Class Protocol Details . 103
8.5.3.4 Nested-Sign-then-Encrypt ESData Security Class Protocol Details . 104
8.6 Remote Security Frameworks for End-to-End Security . 104
8.6.1 Overview on Remote Provisioning and Registration of Credentials for End-to-End Security . 104
8.6.1.1 Introduction . 104
8.6.1.2 Overall Description of Registration and Remote Provisioning for End-to-End Security . 104
8.6.2 Remote Security Provisioning Process for End-to-End Security Credentials . 106
8.6.3 Detailed Description on Source-Generated End-to-End Credentials . 109
8.7 End-to-End Certificate-based Key Establishment (ESCertKE) . 111
8.7.1 Purpose of ESCertKE . 111
8.7.2 ESCertKE Architecture . 111
8.7.2.1 ESCertKE Reference Model . 111
8.7.2.2 ESCertKE Procedure Message Flow . 111
8.8 MAF Security Framework Details . 114
8.8.1 Introduction to the MAF Security Framework Details . 114
8.8.2 MAF Security Framework Processing and Information Flows . 116
8.8.2.1 Introduction . 116
8.8.2.2 MAF Handshake Procedure . 116
8.8.2.3 MAF Client Registration Procedure . 116
8.8.2.4 MAF Client Configuration Retrieval Procedure . 117
8.8.2.5 MAF Client Registration Update Procedure . 118
8.8.2.6 MAF Client De-Registration Procedure . 119
8.8.2.7 MAF Key Registration Procedure . 120
8.8.2.8 MAF Key Retrieval Procedure . 122
8.8.2.9 MAF Key Registration Update Procedure . 123
8.8.2.10 MAF Key De-Registration Procedure . 124
8.8.3 MAF Client Configuration Details . 124
8.8.3.1 MAF Client Credential Configuration Details . 124
8.8.3.2 MAF Client Registration Configuration Details . 125
8.8.3.3 MAF Key Registration Configuration Details . 126
9 Security Framework Procedures and Parameters . 126
9.0 Introduction . 126
9.1 Security Association Establishment Framework Procedures and Parameters . 127
9.1.1 Credential Configuration Parameters . 127
9.1.1.0 Introduction . 127
9.1.1.1 Credential Configuration of Entity A and Entity B . 127
9.1.1.2 Credential Configuration of M2M Authentication Functions . 128
9.1.2 Association Configuration Procedures and Parameters . 128
9.1.2.0 Introduction . 128
9.1.2.1 Association Configuration of Entity A and Entity B . 128
9.1.2.1.1 Association Configuration of Entity A . 128
9.1.2.1.2 Association Configuration of Entity B . 129
9.1.2.2 Association Configuration of M2M Authentication Functions . 129
9.2 Remote Security Provisioning Framework Procedures and Parameters . 130
9.2.1 Bootstrap Credential Configuration Procedures and Parameters . 130
9.2.1.0 Introduction . 130
9.2.1.1 Bootstrap Credential Configuration of Enrolee . 130
9.2.1.2 Bootstrap Credential Configuration of M2M Enrolment Functions . 131
9.2.2 Bootstrap Instruction Configuration Procedures and Parameters . 131
9.2.2.0 Introduction . 131
9.2.2.1 Bootstrap Instruction Configuration of Enrolees . 131
9.2.2.2 Void . 132
9.2.2.3 Bootstrap Instruction Configuration of M2M Enrolment Functions . 132
9.2.2.4 Bootstrap Instruction Configuration of UNSP Authentication Server . 133
9.2.3 End-to-End Credential Configuration Procedures and Parameters . 133
9.2.3.0 Introduction . 133
9.2.3.1 End-to-End Credential Configuration of Source ESF End-Points and Target ESF End-Points . 133
9.2.3.2 End-to-End Credential Configuration at the M2M Trust Enabler Functions . 134
9.2.3.3 Configuration parameters for enabling End-to-End Security at Source ESF End-Points and
Target ESF End-Points . 135
10 Protocol and Algorithm Details . 136
10.1 Certificate-Based Security Framework Details . 136
10.1.1 Certificate Profiles . 136
10.1.1.0 General . 136
10.1.1.1 Common Certificate Details . 136
10.1.1.2 Raw Public Key Certificate Profile . 136
10.1.1.3 Details Common to Certificates with Certificate Chains . 136
10.1.1.4 Profile for Device Certificates and their Certificate Chains . 136
10.1.1.4.1 Profile for Device Certificates . 136
10.1.1.4.2 Profile for Certificate Authority Certificates for Device Certificates . 137
10.1.1.5 Profile for AE-ID Certificates and their Certificate Chains . 137
10.1.1.6 Profile for FQDN Certificates and their Certificate Chains . 137
10.1.1.7 Profile for CSE-ID Certificates and their Certificate Chains . 137
10.1.2 Public Key Identifiers . 138
10.1.3 Support Requirements for each Public Key Certificate Flavour . 138
10.2 TLS and DTLS Details . 138
10.2.1 TLS and DTLS Versions . 138
10.2.2 TLS and DTLS Ciphersuites for TLS-PSK-Based Security Frameworks . 139
10.2.3 TLS and DTLS Ciphersuites for Certificate-Based Security Frameworks . 139
10.3 Key Export and Key Derivation Details . 140
10.3.1 TLS Key Export Details . 140
10.3.2 Derivation of Master Credential from Enrolment Key . 140
10.3.3 Derivation of Provisioned Secure Connection Key from Enrolment Key . 141
10.3.4 Generating KeID . 141
10.3.5 Generating Key Identifier for the MAF Security Framework . 141
10.3.6 Derivation of End-to-End Master Key from Provisioned Secure Connection Key . 141
10.3.6.1 Introduction . 141
10.3.6.2 Key Extraction and Expansion of End-to-End Master Key . 142
10.3.7 Derivation of Usage-Constrained Symmetric Keys from Enrolment Key . 142
10.3.8 sessionESPrimKey Derivation Algorithms . 143
10.3.8.1 Introduction . 143
10.3.8.2 HMAC-SHA256 sessionESPrimKey Derivation Algorithm . 143
10.4 Credential-ID Details . 143
10.5 KpsaID . 144
10.6 KmID Format . 144
10.7 Enrolment Expiry . 144
11 Privacy Protection Architecture using Privacy Policy Manager(PPM) . 144
11.1 Introduction . 144
11.2 Relationship between components of PPM and oneM2M . 145
11.3 Privacy Policy Management in oneM2M Architecture . 145
11.3.1 Introduction . 145
11.3.2 Involved Entities . 145
11.3.3 Management Flow in PPM Architecture . 146
11.3.3.0 Introduction . 146
11.3.3.1 Joining an IN-CSE . 146
11.3.3.2 Subscription to a service by IN-AE . 147
11.3.3.3 Request for personal data to the IN-CSE . 149
11.4 Privacy Policy Manager Implementation Models . 151
11.4.1 Using Terms and Conditions Mark-up Language . 151
11.4.1.0 Introduction . 151
11.4.1.1 Registration of Application Service Provider Privacy Policy . 152
11.4.1.2 Registration of End User Privacy Preferences . 153
11.4.1.3 Creating a customized Privacy Policy for each end user . 153
12 Security-Specific oneM2M Data Type Definitions . 154
12.1 Introduction . 154
12.2 Simple Security-Specific oneM2M Data Types . 154
12.3 Enumerated Security-Specific oneM2M Data Types . 154
12.3.1 Introduction . 154
12.3.2 Enumeration type definitions . 154
12.3.2.1 sec:credIDTypeID . 154
12.4 Complex Security-Specific oneM2M Data Types . 155
12.4.1 sec:tefClientCfg . 155
12.4.2 sec:tefClientRegCfg . 156
12.4.3 sec:tefKeyRegCfg . 156
Annex A (informative): Mapping of 3GPP GBA terminology . 157
Annex B (informative): General Mutual Authentication Mechanism . 158
B.0 Introduction . 158
B.1 Group Authentication . 159
Annex C (normative): Security protocols associated to specific SE technologies . 160
C.0 Introduction . 160
C.1 UICC . 160
C.2 Other secure element and embedded secure element with ISO 7816 interface . 160
C.3 Trusted Execution Environment . 160
C.4 SE to CSE binding . 160
Annex D (normative): UICC security framework to support oneM2M Services . 161
D.0 Introduction . 161
D.1 Access Network UICC-based oneM2M Service Framework . 162
D.1.1 Access Network UICC-based oneM2M Service Framework characteristics . 162
D.1.2 M2M Service Framework discovery for Access Network UICC . 162
D.1.3 Content of files at the DF1M2M level . 163
D.1.3.0 Introduction . 163
D.1.3.1 EF1M2MST (oneM2M Service Table) . 163
D.1.3.2 EF1M2MSID (oneM2M Subscription Identifier) . 165
D.1.3.3 EF1M2MSPID (oneM2M Service Provider Identifier) . 165
D.1.3.4 EFM2MNID (M2M Node Identifier) . 166
D.1.3.5 EFCSEID (local CSE Identifier) . 166
D.1.3.6 EFM2MAE-ID (M2M Application Identifiers list) . 166
D.1.3.7 EFINCSEIDS (M2M IN-CSE IDs list) . 167
D.1.3.8 EFMAFFQDN (MAF-FQDN) . 167
D.1.3.9 EFMEFID (M2M Enrolment Function Identifier) . 168
D.2 oneM2M Service Module application for symmetric credentials on UICC (1M2MSM) . 169
D.2.0 Introduction . 169
D.2.1 oneM2M Service Module application file structure . 169
D.2.1.0 Introduction.
...