TR-0038 SAE requirements
M2M services are offered by CSEs to AEs and/or other CSEs. To be able to use M2M services offered by one CSE, the AEs and/or CSEs need to be mutually identified and authenticated by that CSE, in order to provide protection from unauthorized access and Denial of Service attacks.
This mutual authentication additionally enables encryption and integrity protection to be provided for the exchange of messages across a single Mca, Mcc or Mcc' reference point. In addition, communicating AEs that require similar protection for their own information exchanges can be provisioned to apply the same security method to their communications. This is the purpose of the Security Association Establishment (SAE) procedure.
When CoAP binding of oneM2M primitives is used, i.e. the Underlying Network communication uses UDP/IP transport, Authentication is performed by means of a DTLS Handshake.
When HTTP, MQTT or WebSocket binding of oneM2M primitives is used, i.e. the Underlying Network communication uses TCP/IP transport, Authentication is performed by means of a TLS Handshake.
For the use cases in this guideline document it is assumed that HTTP binding is employed between all applicable pairs of entities (see also TR-0025).
In order to exemplify the use of all three Security Association Establishment Frameworks (SAEF) defined in TS-0003, the following use cases are described:
Provisioned Symmetric Key SAE between Door Locks and Home Gateway,
Pre-provisioned Certificate Based SAE between Home Gateway and IN-CSE,
MAF Based Symmetric Key SAEF between the smartphone and IN-CSE.
Communication between the MN-AE and MN-CSE internally to the Home Gateway is assumed to not require Security Association Establishment.
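The following is an added, self-contained illustration of the mutual authentication the SAE procedure provides, using the TLS handshake that the TCP-based bindings rely on. It is not code from this report or from oneM2M; it models the Pre-provisioned Certificate Based case between a Home Gateway and an IN-CSE over loopback. Each side trusts exactly one pre-provisioned peer certificate, the server demands a client certificate, and a node presenting a certificate that was never provisioned is rejected. The entity names, the self-signed certificates generated in-process (standing in for pre-provisioned ones) and the loopback transport are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Entity is one node's pre-provisioned identity: its certificate and private key.
type Entity struct {
	Name string
	Cert tls.Certificate
	Leaf *x509.Certificate
}

// newEntity generates a self-signed certificate for a node. In a deployment the
// certificate would be pre-provisioned out of band; generating it here is an
// assumption so that the example runs offline.
func newEntity(name string) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	return &Entity{Name: name, Cert: cert, Leaf: leaf}, nil
}

// pool builds a trust store holding exactly one pre-provisioned peer certificate.
func pool(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

// Handshake runs a mutually authenticated TLS handshake over loopback. The server
// trusts only trustedClient; the client trusts only the server's certificate.
// It returns the CommonName each side authenticated for its peer, or an error
// if either side rejects the other.
func Handshake(server, client *Entity, trustedClient *x509.Certificate) (serverSaw, clientSaw string, err error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server.Cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // refuse unauthenticated peers
		ClientCAs:    pool(trustedClient),
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		name string
		err  error
	}
	srvDone := make(chan result, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvDone <- result{err: err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			srvDone <- result{err: err}
			return
		}
		srvDone <- result{name: tc.ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()

	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{client.Cert},
		RootCAs:      pool(server.Leaf),
		MinVersion:   tls.VersionTLS12,
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", "", fmt.Errorf("client: %w", err)
	}
	defer conn.Close()
	clientSaw = conn.ConnectionState().PeerCertificates[0].Subject.CommonName

	// In TLS 1.3 the client may finish before the server has checked the client
	// certificate, so the server's verdict is collected separately.
	r := <-srvDone
	if r.err != nil {
		return "", "", fmt.Errorf("server: %w", r.err)
	}
	return r.name, clientSaw, nil
}

func main() {
	gw, _ := newEntity("Home Gateway")
	incse, _ := newEntity("IN-CSE")
	s, c, err := Handshake(incse, gw, gw.Leaf)
	fmt.Printf("server authenticated %q, client authenticated %q, err=%v\n", s, c, err)
	rogue, _ := newEntity("unprovisioned-node")
	_, _, err = Handshake(incse, rogue, gw.Leaf)
	fmt.Println("unprovisioned node rejected:", err != nil)
}
```

The server-side result is read after the client's handshake returns because, under TLS 1.3, the client's handshake can complete before the server has evaluated the client certificate; a practitioner checking mutual authentication should therefore confirm the peer identity on both sides, not just that the client's dial succeeded.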