7.7 Authentication and Identification
7.7.1 <identity> resource
Secure Environments shall provide a service to AEs or CSEs to establish an Identity and provide authentication of this Identity. The <identity> resource shall represent the services offered by the Secure Environment to enable the establishment of a secure Identity. The services include the following:
- generation of an Identity and associated key material within the secure environment;
- using the associated key material for authenticating the generated Identity.
The <identity> resource shall contain the child resources specified in table 7.7.1-1.
Table 7.7.1-1: Child resources of <identity> resource
Child Resources of <identity> | Child Resource Type | Multiplicity | Description |
---|---|---|---|
authenticate | <authenticate> | 0..1 | See clause 7.7.3 |
generateKey | <generateKey> | 0..1 | See clause 7.7.4 |
Attributes of <identity> are shown in table 7.7.1-2.
Table 7.7.1-2: Attributes of <identity> resource
Attributes of <identity> | Multiplicity | RW/RO/WO | Description |
---|---|---|---|
resourceType | 1 | RO | Defines the resource type. |
resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute. |
creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and is updated when the resource is updated. |
idName | 1 | WO | Contains the name of the identity. |
keyData | 0..1 | WO | Contains the value of a key. |
idData | 0..1 | RW | Contains information associated to the identity and which is necessary for the authentication protocol. The detailed structure depends on the authentication protocol and could comprise among others public key material, protocol identifier, certificates. |
originatorAuthenticationData | 0..1 | RW | Contains information provided by the Originator and which is necessary for the authentication protocol. The detailed structure depends on the authentication protocol and could comprise among others nonces, certificates, signatures. |
receiverAuthenticationData | 0..1 | RO | Contains information provided by the Receiver and which is necessary for the authentication protocol. The detailed structure depends on the authentication protocol and could comprise among others nonces, certificates, signatures. |
Table 7.7.1-3: Data types of <identity> resource specific attributes
Name | Request Optionality (Create) | Request Optionality (Update) | Data type |
---|---|---|---|
idName | M | NP | xs:string |
keyData | O | NP | xs:byte |
idData | O | O | xs:anyType |
originatorAuthenticationData | O | O | xs:anyType |
receiverAuthenticationData | NP | NP | xs:anyType |
7.7.2 <identity> Resource Procedures
7.7.2.1 CREATE <identity>
This procedure shall be used for creating a <identity> resource.
Table 7.7.2.1-1: <identity> CREATE
<identity> CREATE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID; Content: the resource content shall provide the information as defined in clause 7.7.1 |
Processing at Originator before sending Request | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
Processing at Receiver | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
Information in Response message | All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with the specific details for: Content: address of the created <identity> resource, according to clause 10.1.1.1 of oneM2M TS-0001 [2] |
Processing at Originator after receiving Response | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
Exceptions | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
If <generateKey> is created, the key to be used shall be generated and stored in keyData; in such a case keyInformation shall be filled with the public part of the generated key.
7.7.2.2 RETRIEVE <identity>
This procedure shall be used for retrieving the identity and for retrieving authentication data according to the authentication protocol in use.
Table 7.7.2.2-1: <identity> RETRIEVE
<identity> RETRIEVE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | According to clause 10.1.2 of oneM2M TS-0001 [2] with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
Processing at Originator before sending Request | According to clause 10.1.2 of oneM2M TS-0001 [2] |
Processing at Receiver | According to clause 10.1.2 of oneM2M TS-0001 [2] |
Information in Response message | All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with the specific details for: Content: attributes of the <identity> resource as defined in clause 7.7.1 |
Processing at Originator after receiving Response | According to clause 10.1.2 of oneM2M TS-0001 [2] |
Exceptions | According to clause 10.1.2 of oneM2M TS-0001 [2] |
7.7.2.3 UPDATE <identity>
This procedure shall be used for updating the <identity> resource and for sending authentication data according to the authentication protocol in use.
Table 7.7.2.3-1: <identity> UPDATE
<identity> UPDATE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID; Content: attributes of the <cipher> resource which is to be updated as defined in clause 7.5.1 |
Processing at Originator before sending Request | According to clause 10.1.3 of oneM2M TS-0001 [2] |
Processing at Receiver | According to clause 10.1.3 of oneM2M TS-0001 [2] |
Information in Response message | According to clause 10.1.3 of oneM2M TS-0001 [2] |
Processing at Originator after receiving Response | According to clause 10.1.3 of oneM2M TS-0001 [2] |
Exceptions | According to clause 10.1.3 of oneM2M TS-0001 [2] |
7.7.2.4 DELETE <identity>
This procedure shall be used for deleting an <identity> resource.
Table 7.7.2.4-1: <identity> DELETE
<identity> DELETE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
Processing at Originator before sending Request | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
Processing at Receiver | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
Information in Response message | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
Processing at Originator after receiving Response | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
Exceptions | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
7.7.3 <authenticate> Resource
The <authenticate> resource is a virtual resource because it does not have a representation. It is the child resource of an <identity> resource. When a RETRIEVE request addresses the <authenticate> resource, the originatorAuthenticationData, keyData and idData shall be used to calculate a value which shall be stored in receiverAuthenticationData.
Depending on the authentication protocol it may be necessary to repeat the sequence UPDATE originatorAuthenticationData, RETRIEVE <authenticate>, RETRIEVE receiverAuthenticationData several times.
The <authenticate> resource inherits access control policies that apply to the parent <identity> resource.
7.7.4 <generateKey> Resource
The <generateKey> resource is a virtual resource because it does not have a representation. When a RETRIEVE request addresses the <generateKey> resource, the keyData attribute shall be filled with a key generated according to the algorithm attribute.
The <generateKey> resource inherits access control policies that apply to the parent resource.
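The following is an added, self-contained Python model of the <identity> resource together with its two virtual children, illustrating the optionality rules of table 7.7.1-3 and the challenge-response sequence of clauses 7.7.3 and 7.7.4. It is example code written for this page, not oneM2M's own or any implementation's code. It assumes an HMAC-SHA256 protocol whose algorithm name is carried in idData (the specification leaves the protocol open and does not define this layout), uses a constructed key and nonce, and omits the Mcs request plumbing; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Request optionality from table 7.7.1-3 as (Create, Update):
# M = mandatory, O = optional, NP = not permitted.
OPTIONALITY = {
    "idName": ("M", "NP"),
    "keyData": ("O", "NP"),
    "idData": ("O", "O"),
    "originatorAuthenticationData": ("O", "O"),
    "receiverAuthenticationData": ("NP", "NP"),
}

# Assumption of this example: the authentication protocol is HMAC-SHA256 over
# the identity name and the Originator's nonce, named in idData["algorithm"].
ASSUMED_PROTOCOL = "HMAC-SHA256"


class SEError(Exception):
    """A request that violates the resource rules."""


@dataclass
class Identity:
    idName: str
    keyData: Optional[bytes] = None
    idData: dict = field(default_factory=dict)
    originatorAuthenticationData: Optional[bytes] = None
    receiverAuthenticationData: Optional[bytes] = None


def expected_response(key: bytes, id_name: str, nonce: bytes) -> bytes:
    """Response value computed by the SE and by a verifier that shares the key."""
    return hmac.new(key, id_name.encode() + nonce, hashlib.sha256).digest()


class SecureEnvironment:
    """Toy model of the <identity> resource and its two virtual children."""

    def __init__(self) -> None:
        self._identities: dict = {}

    def _check(self, content: dict, phase: int) -> None:
        # phase 0 = Create column, phase 1 = Update column of table 7.7.1-3
        for name, rules in OPTIONALITY.items():
            if rules[phase] == "M" and name not in content:
                raise SEError(f"{name} is mandatory")
            if rules[phase] == "NP" and name in content:
                raise SEError(f"{name} is not permitted in this request")
        unknown = set(content) - set(OPTIONALITY)
        if unknown:
            raise SEError(f"unknown attributes: {sorted(unknown)}")

    def create(self, content: dict) -> str:
        """CREATE <identity> (clause 7.7.2.1); returns the identity name."""
        self._check(content, 0)
        ident = Identity(**content)
        self._identities[ident.idName] = ident
        return ident.idName

    def update(self, id_name: str, content: dict) -> None:
        """UPDATE <identity> (clause 7.7.2.3), e.g. to supply the Originator's nonce."""
        self._check(content, 1)
        ident = self._identities[id_name]
        for name, value in content.items():
            setattr(ident, name, value)

    def retrieve(self, id_name: str) -> dict:
        """RETRIEVE <identity> (clause 7.7.2.2); keyData is WO and never leaves the SE."""
        ident = self._identities[id_name]
        return {
            "idName": ident.idName,
            "idData": dict(ident.idData),
            "originatorAuthenticationData": ident.originatorAuthenticationData,
            "receiverAuthenticationData": ident.receiverAuthenticationData,
        }

    def retrieve_generate_key(self, id_name: str) -> None:
        """RETRIEVE <generateKey> (clause 7.7.4): fill keyData with a fresh key."""
        ident = self._identities[id_name]
        if ident.idData.get("algorithm") != ASSUMED_PROTOCOL:
            raise SEError("unsupported algorithm")
        ident.keyData = secrets.token_bytes(32)

    def retrieve_authenticate(self, id_name: str) -> None:
        """RETRIEVE <authenticate> (clause 7.7.3): derive receiverAuthenticationData."""
        ident = self._identities[id_name]
        if ident.keyData is None or ident.originatorAuthenticationData is None:
            raise SEError("keyData and originatorAuthenticationData are required")
        ident.receiverAuthenticationData = expected_response(
            ident.keyData, ident.idName, ident.originatorAuthenticationData)


def demo_round_trip() -> bool:
    """One full exchange with a constructed key; True if the verifier accepts it."""
    se = SecureEnvironment()
    key = bytes(range(32))  # constructed sample key shared with the verifier
    name = se.create({"idName": "ae-0001", "keyData": key,
                      "idData": {"algorithm": ASSUMED_PROTOCOL}})
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed challenge
    se.update(name, {"originatorAuthenticationData": nonce})
    se.retrieve_authenticate(name)
    response = se.retrieve(name)["receiverAuthenticationData"]
    return hmac.compare_digest(response, expected_response(key, name, nonce))
```

Two properties of the table are what make the model worth reading: keyData is WO, so the RETRIEVE response never carries it and a key created via <generateKey> is usable only through <authenticate>; and receiverAuthenticationData is NP on both CREATE and UPDATE, so only the Secure Environment itself ever writes the response value. A verifier compares that value with a constant-time comparison, as demo_round_trip does.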