SEI-ACE Implementation Supports Secure IoT in Edge Environments
January 14, 2019 • Article
January 14, 2018—The SEI has released an implementation for authentication and authorization of Internet of Things (IoT) devices for use in edge environments. As part of the SEI’s mission to transition the technologies it develops to the larger software engineering community, the SEI has made this implementation, SEI-ACE, freely available in its open-source code repository on GitHub.
SEI researchers Sebastián Echeverría, Dan Klinedinst, and Grace Lewis based this implementation on an Internet Engineering Task Force (IETF) proposal for authentication and authorization in resource-constrained environments (ACE).
First responders, the military, medics, and other field personnel increasingly rely on IoT devices to support operations in edge environments in which network connectivity is often disconnected, intermittent, and limited (DIL). Threats in these environments often include sabotage, capture, and the impersonation of both IoT devices and their clients. To address these challenges, strong yet decentralized authentication and authorization mechanisms are necessary. This is what motivated the SEI team to develop SEI-ACE.
“The SEI-ACE code, and especially the resource-constrained version, are a crucial contribution to the IETF standardization process, because they allow interoperability testing with other implementations of the ACE framework, which is a condition for the IETF standardization process to move forward,” said Dr. Ludwig Seitz, senior researcher at the Security Lab of the RISE Research Institutes of Sweden. Seitz is the main author of the ACE draft. “The constrained implementation is especially important because all other publicly available implementations are aimed at less-constrained device classes,” said Seitz.
The constrained resource server implementation is targeted at Class 2 IoT devices, which are limited to approximately 50KB of memory and 250KB of storage. “This enables secure deployment of very low power sensors and actuators and supports common IoT networks such as Bluetooth Low Energy and Zigbee,” said Klinedinst.
“SEI-ACE can be used by anyone interested in the secure integration of IoT devices in their systems,” said Lewis, principal investigator for the Authentication and Authorization for IoT Devices in Edge Environments research project that created SEI-ACE.
Echeverría notes the team developed a number of new extensions to ACE to add functionality. “Besides being an implementation of ACE, SEI-ACE adds optional functionalities that are out-of-scope for ACE but needed in hostile DIL environments. These include support for bootstrapping and securely distributing credentials as well as the ability to revoke tokens due to devices being compromised. SEI-ACE implements this while still being fully ACE compliant,” said Echeverría.
“As ACE continues to make progress through the IETF standardization process we will continue to create awareness that not all IoT devices operate in stable and connected environments, such as home and industry, and that standards need to account for less stable edge environments,” said Lewis.
The SEI-ACE implementation contains code for the ACE client, authorization server, unconstrained resource server, constrained resource server, and supporting libraries.
Interested developers can download the code from the SEI GitHub repository: https://github.com/SEI-TTG/ace-client/wiki.