Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [leshan-dev] LwM2M bootstrapping purpose 
There are two sets of credentials :
- the "LwM2M server credentials" (also called "device management", or DM credentials) - the "LwM2M bootstrap server credentials" (let's call them "bootstrap credentials", or BS credentials - no profanity intended).
It is possible to rewrite BS credentials on a device, at bootstrap time, so you can rotate both set of credentials.
From my understanding, if BS credentials are stolen for a device, both the BS server and DM server should invalidate credentials for this device.
Neither the "real" device nor the masquerading device will be able to communicate, until you "physically" set new BS credentials on the "real" device.
I would say the situation is akin to getting your primary email password stolen ; an attacker can use it to get all your other account's passwords (social media, other emails, etc...), or reset them. Not much you can do unless contacting other services and get new credentials.
The bottom line is clearly : don't get BS or DM credentials stolen, and rotate them ;) 

Or am I missing something ?

On 19/04/2016 19:05, Kiran Pradeep wrote:

I tried reading post(in medium) by Julien Vermillard on bootstrapping.
But I couldn't understand the exact problem it was trying to solve.
Julien in comments mentioned about rotating keys which I couldn't
understand and so posting here. Kindly guide to appropriate forum in
case this list, takes only development related queries only.

I understood the point of invalidating LwM2M server credentials so
that new keys could be issued if LwM2M server keys are stolen. But
what if bootstrap credentials itself are stolen ? Then the rogue
entity, could easily ask the bootstrap server for LwM2M credentials
and do what ever it feels like. The bootstrap keys is going to have to
be fixed for the device lifetime, since they are written in factory
itself. What is the point I am missing ?

Thanks,
Kiran.
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/leshan-dev


--
Pierre-Henri Trivier
AirVantage Software Engineer
phtrivier@xxxxxxxxxxxxxxxxxx
Tel : +33(0)5 61 00 06 68
Fax : +33(0)5 61 00 51 46

Sierra Wirelesss
Lake Park
ZAC de l'Hers - Allée du Lac
BP 87216-31672 Labège Cedex
France
www.sierrawireless.com

This message and any attachments (the "Message") are confidential and intended solely for the addressees.
Any unauthorized modification, edition, use or dissemination is prohibited.
Sierra Wireless shall be liable for the Message if altered, changed, falsified or edited, diffused without authorization.

Back to the top