ETSI TS 118 103 V1.1.0 (2016-03)
oneM2M; Security solutions (oneM2M TS-0003 version 1.4.2 Release 1)
RTS/oneM2M-000003v110
TECHNICAL SPECIFICATION
Reference
RTS/oneM2M-000003v110
Keywords
IoT, M2M, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 7
Foreword . 7
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 10
3 Definitions, symbols and abbreviations . 11
3.1 Definitions . 11
3.2 Symbols . 14
3.3 Abbreviations . 14
4 Conventions . 15
5 Security Architecture . 15
5.1 Overview . 15
5.1.1 Introduction. 15
5.1.1 Identification and Authentication . 17
5.1.2 Authorization . 17
5.1.3 Identity Management . 17
5.2 Security Layers . 17
5.2.1 Security Service Layer . 17
5.2.2 Secure Environment Abstraction Layer . 18
5.3 Integration within overall oneM2M architecture . 18
6 Security Services and Interactions . 18
6.1 Security Integration in oneM2M flow of events. 18
6.1.1 Interactions between layers . 18
6.1.2 High level sequence of events. 19
6.1.2.1 Enrolment phase . 19
6.1.2.2 Operational phase . 20
6.1.2.2.1 M2M Service Access . 20
6.1.2.2.2 Authorization to access M2M resources . 21
6.2 Security Service Layer . 21
6.2.1 Access Management . 21
6.2.1.1 Authentication . 21
6.2.2 Authorization Architecture . 21
6.2.3 Security Administration . 24
6.2.3.0 Introduction . 24
6.2.3.1 Security Pre-Provisioning of SE . 24
6.2.3.2 Remote security administration of SE . 24
6.2.4 Identity Protection . 24
6.2.5 Sensitive Data Handling . 24
6.2.5.0 Introduction . 24
6.2.5.1 Sensitive Functions . 25
6.2.5.2 Secure Storage . 25
6.2.6 Trust Enabler security functions . 25
6.3 Secure Environment Abstraction Layer Components . 25
6.3.1 Secure Environment . 25
6.3.2 SE Plug-in . 26
6.3.3 Secure Environment Abstraction . 26
7 Authorization . 26
7.1 Access Control Mechanism . 26
7.1.1 General Description . 26
7.1.2 Parameters of the Request message . 27
7.1.3 Format of privileges and selfprivileges Attributes . 28
7.1.4 Access Control Decision . 30
7.1.5 Description of the Access Decision Algorithm . 30
7.2 AE Impersonation Prevention . 32
8 Security Frameworks . 33
8.1 General Introductions to the Security Frameworks . 33
8.1.0 General . 33
8.1.1 General Introduction to the Symmetric Key Security Framework. 33
8.1.2 General Introduction to the Certificate-Based Security Framework . 33
8.1.2.0 Introduction . 33
8.1.2.1 Public Key Certificate Flavours . 33
8.1.2.2 Path Validation and Certificate Status Verification . 34
8.1.2.3 Credential Configuration for Certificate-Based Security Framework . 35
8.1.2.4 Information Needed for Certificate Authentication of another Entity . 35
8.1.2.5 Certificate Verification . 36
8.1.3 General Introduction to the GBA (Generic Bootstrapping Architecture) Framework . 37
8.2 Security Association Establishment Frameworks . 38
8.2.1 Overview on Security Association Establishment Frameworks . 38
8.2.2 Detailed Security Association Establishment Frameworks . 41
8.2.2.1 Provisioned Symmetric Key Security Association Establishment Frameworks . 41
8.2.2.2 Certificate-Based Security Association Establishment Frameworks . 43
8.2.2.3 MAF-Based Symmetric Key Security Association Establishment Frameworks . 45
8.3 Remote Security Provisioning Frameworks . 48
8.3.1 Overview on Remote Security Provisioning Frameworks . 48
8.3.1.1 Purpose of Remote Security Provisioning Frameworks . 48
8.3.1.2 Overview on Remote Security Provisioning Frameworks . 48
8.3.2 Detailed Remote Security Provisioning Framework . 52
8.3.2.1 Pre-Provisioned Symmetric Key Remote Security Provisioning Framework . 52
8.3.2.2 Certificate-Based Remote Security Provisioning Framework . 55
8.3.2.3 GBA-Based Remote Security Provisioning Framework . 56
9 Security Framework Procedures and Parameters . 59
9.0 Introduction . 59
9.1 Security Association Establishment Framework Procedures and Parameters . 59
9.1.1 Credential Configuration Parameters . 59
9.1.1.0 Introduction . 59
9.1.1.1 Credential Configuration of Entity A and Entity B . 59
9.1.1.2 Credential Configuration of M2M Authentication Functions . 60
9.1.2 Association Configuration Procedures and Parameters . 60
9.1.2.0 Introduction . 60
9.1.2.1 Association Configuration of Entity A and Entity B . 60
9.1.2.1.1 Association Configuration of Entity A . 60
9.1.2.1.2 Association Configuration of Entity B . 61
9.1.2.2 Association Configuration of M2M Authentication Functions . 61
9.2 Remote Security Provisioning Framework Procedures and Parameters . 62
9.2.1 Bootstrap Credential Configuration Procedures and Parameters . 62
9.2.1.0 Introduction . 62
9.2.1.1 Bootstrap Credential Configuration of Enrolee . 62
9.2.1.2 Bootstrap Credential Configuration of M2M Enrolment Functions. 62
9.2.2 Bootstrap Instruction Configuration Procedures and Parameters . 63
9.2.2.0 Introduction . 63
9.2.2.1 Bootstrap Instruction Configuration of Enrolees . 63
9.2.2.2 Void. 64
9.2.2.3 Bootstrap Instruction Configuration of M2M Enrolment Functions . 64
9.2.2.4 Bootstrap Instruction Configuration of UNSP Authentication Server . 64
10 Protocol and Algorithm Details . 65
10.1 Certificate-Based Security Framework Details . 65
10.1.1 Certificate Profiles . 65
10.1.1.0 General . 65
10.1.1.1 Common Certificate Details . 65
10.1.1.2 Raw Public Key Certificate Profile . 65
10.1.1.3 Details Common to Certificates with Certificate Chains . 65
10.1.1.4 Profile for Device Certificates and their Certificate Chains . 65
10.1.1.4.1 Profile for Device Certificates . 65
10.1.1.4.2 Profile for Certificate Authority Certificates for Device Certificates . 66
10.1.1.5 Profile for AE-ID Certificates and their Certificate Chains . 66
10.1.1.6 Profile for FQDN Certificates and their Certificate Chains . 66
10.1.1.7 Profile for CSE-ID Certificates and their Certificate Chains . 66
10.1.2 Public Key Identifiers . 67
10.1.3 Support Requirements for each Public Key Certificate Flavour . 67
10.2 TLS and DTLS Details . 67
10.2.1 TLS and DTLS Versions . 67
10.2.2 TLS and DTLS Ciphersuites for TLS-PSK-Based Security Frameworks . 68
10.2.3 TLS and DTLS Ciphersuites for Certificate-Based Security Frameworks . 68
10.3 Key Export and Key Derivation Details . 69
10.3.1 TLS Key Export Details . 69
10.3.2 Derivation of Master Credential from Enrolment Key . 69
10.3.3 Derivation of Provisioned Secure Connection Key from Enrolment Key . 69
10.3.4 Generating KeId . 70
10.3.5 Generating KcId . 70
10.4 Credential-ID Details . 70
10.5 KpsaId . 70
10.6 KmId Format . 71
10.7 Enrolment Expiry . 71
Annex A (informative): Mapping of 3GPP GBA terminology . 72
Annex B (informative): General Mutual Authentication Mechanism . 73
B.0 Introduction . 73
B.1 Group Authentication . 73
Annex C (normative): Security protocols associated to specific SE technologies. 75
C.0 Introduction . 75
C.1 UICC . 75
C.2 Other secure element and embedded secure element with ISO/IEC 7816-4 interface . 75
C.3 Trusted Execution Environment . 75
C.4 SE to CSE binding . 75
Annex D (normative): UICC security framework to support oneM2M Services . 76
D.0 Introduction . 76
D.1 Access Network UICC-based oneM2M Service Framework. 77
D.1.1 Access Network UICC-based oneM2M Service Framework characteristics . 77
D.1.2 M2M Service Framework discovery for Access Network UICC . 77
D.1.3 Content of files at the DF_1M2M level . 78
D.1.3.0 Introduction . 78
D.1.3.1 EF_1M2MST (oneM2M Service Table) . 78
D.1.3.2 EF_1M2MSID (oneM2M Subscription Identifier) . 80
D.1.3.3 EF_1M2MSPID (oneM2M Service Provider Identifier) . 80
D.1.3.4 EF_M2MNID (M2M Node Identifier) . 81
D.1.3.5 EF_CSEID (local CSE Identifier) . 81
D.1.3.6 EF_M2MAE-ID (M2M Application Identifiers list) . 81
D.1.3.7 EF_INCSEIDS (M2M IN-CSE IDs list) . 82
D.1.3.8 EF_MAFFQDN (MAF-FQDN) . 82
D.1.3.9 EF_MEFID (M2M Enrolment Function Identifier) . 83
D.2 oneM2M Service Module application for symmetric credentials on UICC (1M2MSM) . 84
D.2.0 Introduction . 84
D.2.1 oneM2M Service Module application file structure . 84
D.2.1.0 Introduction. 84
D.2.1.1 Content of UICC files at the Master File (MF) level . 84
D.2.1.2 Content of files at the 1M2MSM ADF (Application DF) level . 84
D.2.2 oneM2M Subscription related procedures for M2M Service . 85
D.2.2.0 Introduction. 85
D.2.2.1 Initialization - 1M2MSM Application selection . 85
D.2.2.2 1M2MSM session termination . 85
D.2.2.3 oneM2M Service discovery procedure . 85
D.2.2.4 oneM2M Service provisioning procedures . 85
D.2.2.5 oneM2M Application Identifiers provisioning procedure . 85
D.2.2.6 oneM2M Secure provisioning related procedures . 86
D.2.2.7 oneM2M Security Association related procedures . 86
Annex E (informative): Precisions for the UICC framework to support M2M Services . 87
E.0 Introduction . 87
E.1 Suggested content of the EFs at pre-personalization . 87
E.2 EF changes via Data Download or CAT applications . 87
E.3 List of SFI values at the ADF_M2MSM or DF_M2M level . 88
E.4 UICC related tags defined in annex J .
...