PAT_Resource_Server Contiki

Introduction

ATOS Research & Innovation has implemented the PAT protocol Privacy-Enhanced-Tokens in RE-Mote platform. The main objective of this document taken from ATOS Wiki is to provide a deploy and configuration with RE-Mote devices Privacy-Enhanced Tokens for Authorization in Constrained Environments (ACE) that proposes a procedure to build tokens in constrained environments and a protocol to use them that allow:

• Authorizing clients that try to get access to the resources of a constrained server
• Establishing secure channels to enforce privacy, confidentiality and integrity of exchanged information

Architecture and components

The typical architecture for constrained IoT domains is the following:

In this demo, the following components are needed:

1. One server connected to the Internet. It will be used to execute the Authorization Server.
2. One Raspberry-Pi connected to the Internet. It will be one of the elements of the IoT Gateway. It will execute also the Client.
3. 2x RE-Mote
   • One executing the Resource Server itself.
   • The other performs the function of a border router. The border router will be connected to the IoT Gateway and will ensure connectivity between the 2.4Ghz IEEE 802.15.4 and the Internet
4. 2 x 2.4Ghz external antennas for each Re-Mote.

IoT Gateway, border router and Resource server (Raspberry PI)

Requireriments

1. Download and install the correct version of arm-gcc for your development OS
2. Make sure your gateway supports the on-board USB/UART converter (SiLabs CP2104). You can download a driver for your OS from here
3. Copper (Cu) addon for Firefox

IoT Gateway and Border router

• Clone PAT-ResourceServer-Contiki:

$ git clone https://gitlab.atosresearch.eu/ari/PAT-ResourceServer-Contiki.git

• Build the tunslip6 tool:

$ cd contiki
$ cd tools
$ make tunslip6
$ sudo cp tunslip6 /usr/local/bin

• Connect one of the RE-Motes to the Raspberry. Assuming no other ttyUSB devices are connected to your PC then it will be enumerated as /dev/ttyUSB0. You have to use the micro-USB connector that is on the same side than the 5-pin connector.
• You can see which ports have been used in /dev/ or using lsusb. dmesg could be useful to get further information.
• Border Router and Network creation. From the root folder of the project:

$ cd contiki
$ cd  examples/ipv6/rpl-border-router

• Open project-conf.h and delete the lines below:

#ifndef UIP_CONF_BUFFER_SIZE
#define UIP_CONF_BUFFER_SIZE    140
#endif

• Compile border-router firmware with the following command:

sudo make TARGET=zoul BOARD=remote PORT=/dev/ttyUSB0 border-router.upload

The output will be:

  CC        ../../../cpu/cc2538/./ieee-addr.c
  CC        ../../../cpu/cc2538/cc2538.lds
  CC        ../../../cpu/cc2538/./startup-gcc.c
  CC        border-router.c
  LD        border-router.elf
arm-none-eabi-objcopy -O binary --gap-fill 0xff border-router.elf border-router.bin
python ../../../tools/cc2538-bsl/cc2538-bsl.py -e -w -v -p /dev/ttyUSB0  -b 460800 -a 0x00202000 border-router.bin
Opening port /dev/ttyUSB0, baud 500000
Reading data from border-router.bin
Connecting to target...
    Target id 0xb964, CC2538
Erasing 524288 bytes starting at address 0x200000
    Erase done
Writing 516096 bytes starting at address 0x202000
    Write done                                
Verifying by comparing CRC32 calculations.
    Verified (match: 0x02cbfba1)
rm obj_zoul/startup-gcc.o border-router.co

If you get something like:

ERROR: Can't connect to target. Ensure boot loader is started. (no answer on synch sequence)

The remote is not in bootloader's mode. Press the reset button (placed in the same side as the two 3-pin connectors) while holding the user button (placed in the same side as the 5-pin connector).

• Execute:

sudo tunslip6 -v2 -s /dev/ttyUSB0 aaaa::1/64

The BR will print something like this:

********SLIP started on ``/dev/tty.usbserial-000013FFB''
opened tun device ``/dev/tun0''
ifconfig tun0 inet6 up
ifconfig tun0 inet6 aaaa::1/64 add
sysctl -w net.inet6.ip6.forwarding=1
net.inet6.ip6.forwarding: 1 -> 1
ifconfig tun0

tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::82e6:50ff:fe24:89e6%tun0 prefixlen 64 optimistic scopeid 0xd
    inet6 aaaa::1 prefixlen 64 tentative
    nd6 options=1<PERFORMNUD>
    open (pid 97689)
*** Address:aaaa::1 => aaaa:0000:0000:0000
Got configuration message of type P
Setting prefix aaaa::
Server IPv6 addresses:
 aaaa::212:4b00:430:4f12
 fe80::212:4b00:430:4f12

• Bear in mind that these last lines get printed by the BR, NOT by tunslip6. This means that you will only see them the first time the BR is reset, not every time you run tunslip6.
• Copy the second-last line the IPv6 address and execute:

$ curl  http://[ipv6_address]

Resource Server (Raspberry PI)

From the root folder of the project:

$ cd pat-resource-server-contiki

Modify the following file BEFORE building and deploying: project-conf.k

• AUTHORIZATION_MANAGER_URI: Url where the authorization server will listen
• SHARED_KEY_WITH_AS: Shared key between the resource server and the authorization server
• Compile the resource server firmware:

$ sudo make TARGET=zoul BOARD=remote

• Upload the firmware to the second RE-Mote:

$ sudo python ../contiki/tools/cc2538-bsl/cc2538-bsl.py -e -w -v -p /dev/ttyUSB1  -b 460800 -a 0x00202000 pat-resource-server-example.bin

Client (Raspberry PI)

Requirements

• Java JRE 1.8

$ sudo apt-get install openjdk-8-jdk

• Maven

$ sudo apt-get install mvn

Deployment process

• Clone the following projects:
• PAT-Common
• PAT-Authorization Server
• PAT-ResourceServer-Java
• PAT-Client Java
• For each one of them:

$ mvn install

• From the root folder of PAT-ResourceServer-Contiki

$ cd freeboard_client
$ mvn package

• Modify config.properties file according to your configuration.
• Execute:

java -jar target/pat.client-freeboard-0.0.1-SNAPSHOT-jar-with-dependencies.jar

Authorization server

Requirements

• Docker

Deployment process

• Clone project PAT-AuthServer

$ git clone https://gitlab.atosresearch.eu/ari/ACE-PAT-AuthServer.git

• Modify [authorization policies file] (https://gitlab.atosresearch.eu/ari/ACE-PAT-AuthServer/blob/master/src/test/resources/auth_policies.json) to cover your resource server and client. For instance:

"[fd00::212:4b00:60d:5fb1]":{
        "hmac_function":"POLY1305",
        "cipher":"CHACHA20_POLY1305",
        "resources":{
            "coap://[fd00::212:4b00:60d:5fb1]/pat/status":
            {
                "62.42.121.155":1,
                "127.0.0.1":5
            }
        }
    } 

• The meaning of this information is the following: ** Resource server IPv6 address: fd00::212:4b00:60d:5fb1 ** hmac_function / cipher: They define cryptographic algorithms used by the protocol ** Resources exposed by the Resource Server: ** [coap://[fd00::212:4b00:60d:5fb1]/pat/status] (coap://%5Bfd00::212:4b00:60d:5fb1%5D/pat/status). Two clients have access: ** 62.42.121.155 to perform GET operations ** 127.0.0.1 to perform GET+PUT operations
• Build the docker image:

$ sudo docker build -t {developer_name}/pat-auth-server .

• Run the authorization server:

docker run --net host -t {developer_name}/pat-auth-server

Web dashboard

• In dashboard.json, replace [fd00::212:4b00:60d:5fb1] with the IP address of your resource server.
• Create an account in http://freeboard.io/
• Create a new dashboard
• Import dashboard.json