The past couple of years have marked continued growth in the applications and services of the Internet of Things (IoT). This has attracted the attention of new operators as well as institutional, corporate, and private investors in every sector of the economy, and as a result, new businesses are springing up rapidly. These include many start-up companies that are producing various kinds of useful IoT devices and Smart Applications (smart apps). While this can be seen as a boost for innovation in the IoT, some of these companies produce IoT devices and smart apps with security vulnerabilities. In this paper, we propose the IoT Hardware Platform Security Advisor (IoT-HarPSecA), a security framework intended to provide support to such IoT producers. IoT-HarPSecA offers three functionality features, namely security requirement elicitation, security best practice guidelines for secure development, and above all, a feature that recommends specific LightWeight Cryptographic Algorithms (LWCAs) for both software and hardware implementations. Accordingly, IoT-HarPSecA is composed of three main components, namely Security Requirements Elicitation (SRE) component, Security Best Practice Guidelines (SBPG) component, and LightWeight Cryptographic Algorithms Recommendation (LWCAR) component, each of them servicing one of the aforementioned features. We implement a command-line tool in C++ to serve as an interface between users and the proposed framework. IoT-HarPSecA can be employed during the early stages of IoT systems design, and it can also be used to facilitate the implementation of security in existing IoT systems. This paper presents a detailed description, design, and implementation of the SRE, SBPG, and LWCAR components of the proposed framework. Using real-world practical scenarios, we show how IoT-HarPSecA can be used to elicit security requirements and recommend appropriate LWCAs based on user inputs. While a full performance evaluation of the SRE and SBPG components is beyond the scope of this paper, we present a detailed performance evaluation of the LWCAR component, which shows that IoT-HarPSecA can serve as a roadmap for secure IoT development.
I. INTRODUCTION
Internet of Things (IoT) devices are becoming increasingly popular and their applications can be found in almost every
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Maaz Rehan . field of human activity, which contributed greatly to the mass adoption of the IoT technology. They include new smart consumer products and legacy infrastructure systems that have been around for years but only recently embedded with the technology that enabled them to connect to the Internet. These smart devices offer many benefits, including efficient management of urban infrastructure in many smart cities [1] and the ability to remotely monitor patients more closely [2] . They also provide the ability to monitor and manage objects in the physical world, as well as optimize the performance of systems and processes in industries using the Industrial Internet of Things (IIoT) technology [3] .
Today, a dynamic industry is evolving around the IoT and IIoT that is changing the face of the digital economy in every sector. As a consequence, many well-known technology companies are investing heavily in the IoT [4] and racing to dominate the market by producing different kinds of connected devices and Smart Applications (smart apps), also known as IoT apps. Along the same line, a number of start-up companies, as well as electronics hobbyists are also producing IoT devices and smart apps [5] . It is worth noting though that most of the devices and smart apps produced, irrespective of make or brand, will eventually be connected to the Internet. Studies of recent IoT hacking incidents [6] , [7] , however, reveal that IoT devices and smart apps that are not designed with security in mind often exhibit vulnerabilities. Thus, malicious hackers could leverage any pre-existing vulnerabilities in these devices or smart apps to create serious security breaches like Distributed Denial-of-Service (DDoS) attack, which is capable of crippling an entire infrastructure system [8] .
While some established companies are often reluctant to give security their highest priority in a quest to offer competitive prices and reduce time to market [9] , many engineers and developers in IoT start-up companies, as well as electronics hobbyists, lack security expertise [5] . This presents a major challenge in the development of secure IoT devices and smart apps. For instance, the security challenges for people with little or no security expertise arguably include how to identify the security requirements of an IoT system; how to obtain the security best practice guidelines for a specific IoT system; and how to select the right LightWeight Cryptographic Algorithms (LWCAs) for a particular application. These issues raise questions about data security and user privacy, which constitute significant barriers to the universal adoption of the IoT.
In this paper, we propose the IoT Hardware Platform Security Advisor (IoT-HarPSecA), a security framework aimed at facilitating the design and implementation of secure IoT devices and smart apps. The proposed framework is designed to provide the necessary technical guidance to non-security experts actively involved in a variety of IoT and IIoT product development processes. IoT-HarPSecA framework essentially features three distinct components that provide different functionalities: (1) the Security Requirements Elicitation (SRE) component, which elicits security requirements for a given IoT system; (2) the Security Best Practice Guidelines (SBPG) component that generates a set of security best practice guidelines for secure development of IoT systems; and, most of all, (3) the LightWeight Cryptographic Algorithms Recommendation (LWCAR) component that facilitates the choice of specific LWCAs. Our study shows that the existing IoT security frameworks [10] - [16] do not seem to address these issues, therefore, this framework is an attempt to fill this research gap. To the best of our knowledge, this work is the first approach to provide these types of security supports to this class of IoT producers.
We develop a command-line tool in C++ to allow users to interact with the proposed framework. The inputs and output of the tool depend on what option or feature is selected by a user (i.e., what service a user is requesting). For example, the SRE and the SBPG options implement questionnaires about the development of IoT projects, and the user response to a questionnaire constitutes the inputs. Their outputs are security requirements and security best practice guidelines, respectively. For the LWCAR option, users can select whether their request is for software or hardware implementation. The inputs to the LWCAR aspect of the tool are the user security requirements, hardware specifications, application domain, message payload size, and energy requirement (in the case of hardware implementation requests), and the output includes the needed security mechanisms and the corresponding recommended LWCAs.
The basic concept of the IoT-HarPSecA was first introduced in [17] as a possible countermeasure to IoT security threats. In addition, a brief description of the LWCAR component of the proposed framework and some preliminary results have been presented in [18] . This paper presents a detailed description, design, and implementation of the LWCAR component. It also presents a detailed design and implementation of two additional components of the IoT-HarPSecA framework, namely the SRE and SBPG components. However, space constraints preclude the inclusion of the evaluation of the results of the SRE and SBPG components. Therefore, this paper presents a detailed evaluation of only the results of the main component of the proposed framework, namely the LWCAR component. The major contributions of this paper include:
• detailed exploration of some important aspects of LightWeight Cryptography (LWC) and LWCAs;
• detailed discussions of software and hardware design and implementation considerations for LWCAs;
• design and implementation of the SRE, SBPG, and LWCAR components of the IoT-HarPSecA framework tool;
• development of a human expert knowledge representation in the form of experts decision-making procedure in the fields of LWC and IoT;
• detailed evaluation of the performance of the proposed LWCAR component of the IoT-HarPSecA framework tool. The workflow of the remaining part of this paper is summarized as follows: Section II provides a background for this work and highlights some security issues in the IoT. Section III provides a detailed overview of some aspects of LWC and LWCAs. Section IV presents a detailed description and design of the proposed IoT-HarPSecA framework; it also presents a detailed implementation of the proposed IoT-HarPSecA framework tool. Section V evaluates the performance of the LWCAR component of the IoT-HarPSecA framework tool. Finally, Section VI presents the conclusion and future work.
II. BACKGROUND
Virtually every player with a stake in the IoT is well aware of the security issues associated with connected devices [19] . While other emerging technologies like cloud computing also have security challenges, and solutions have been proposed [20] , [21] , IoT security presents unique challenges such as the relative simplicity and scale of attacks as well as lack of advanced security features. This underscores the importance of finding more effective and practical solutions that can facilitate the design and development of secure IoT systems.
As highlighted, partly, in the introduction, the major questions and concerns of non-security experts involved in the design and development of IoT devices and smart apps may include: (1) how to identify the security requirements of an IoT system, (2) what specific security best practice guidelines to follow for the design of a particular IoT system, (3) which security mechanism to choose for a given security requirement, and (4) what cryptographic algorithms provide the right mechanisms for a given set of security requirements.
Although a number of IoT security solutions and a few lightweight security frameworks attempt to address many problems in the area of IoT security and privacy, such as Endto-End (E2E) security [22] , [23] , privacy preservation [24] , [25] , and blockchain-based security solutions 1 [26] , [27] , these questions remain unresolved. Consequently, the framework proposed in this paper seeks to provide answers to these important questions. The steps in the proposed framework have been simplified and coded into the IoT-HarPSecA framework tool to provide the user with an easy-to-use interface for making and processing a request.
A. A BRIEF OVERVIEW OF SECURITY CHALLENGES IN THE IoT
Although every cipher that is practical is breakable or imperfect [28] , there exist a variety of standard symmetric and asymmetric cryptographic algorithms that are considered semantically secure. Despite the significant overhead associated with their implementation, these algorithms work well on systems with reasonable memory capabilities and processing power. An example of each of the above encryption schemes is Advanced Encryption Standard (AES), and Elliptic Curve Cryptography (ECC), respectively.
However, many edge devices in the IoT, such as Wireless Sensor Networks (WSNs) and Radio Frequency Identification (RFID) tags, as well as embedded systems are resource-constrained in terms of processing power, memory, and battery life [29] . Hence, it is impractical to implement these traditional security algorithms on them. This is because 1 Security solutions based on a decentralized and fully transparent database, peer-to-peer interaction, and tamper-proof distributed ledger that can prevent unauthorized operations on IoT data; such security solutions can also create a more resilient ecosystem with no single points of failure. such devices are incapable of performing the complex computations associated with conventional cryptographic algorithms [30] , which may require many rounds or iterations to encrypt or decrypt. On the other hand, however, less complex algorithms may compromise the desired level of security [31] , which creates a trade-off between cost of security and performance.
Nevertheless, the need for specialized security solutions to prevent unauthorized access, modification or misuse of data in the IoT is of paramount importance. This has become even more apparent in recent years as IoT has become a major target for malicious hackers and other cybercriminals because of the potential financial gain [32] and its economic impact which is already tangible [8] . This can be attributed to the large volume of data IoT systems are generating, resulting from the growing number of IoT devices being deployed in various domains, which can be best described as an era of pervasive computing [30] .
While the value of the IoT lies in the data it generates [33] , most of the IoT end nodes responsible for generating the data (which often have access to limited resources) are typically deployed in an unattended manner where attackers may have direct physical access to them. As a result, these devices are exposed to different types of attacks, including tampering, eavesdropping and Denial-of-Service (DoS) attacks, and hence the need for appropriate security measures to protect them.
Ensuring the security of IoT devices is particularly important when one considers the type of data that could potentially be exposed to cyber threats, which may include sensitive personal information, geo-location information, time-sensitive, or even life-critical data of patients. Therefore, the abovementioned trade-off needs to be managed carefully in order to create cryptographic algorithms that will have good performance in constrained environments, where security, simplicity of design and, of course, implementation are crucial.
Essentially, this is the main focus of LWC research, an interesting research area which investigates the design and implementation of lightweight and compact cryptographic algorithms for resource-constrained devices [34] . Since this paper focuses more on the LWCAR component of the proposed framework, in the following section, we discuss some aspects of LWC and LWCAs.
III. AN OVERVIEW OF LIGHTWEIGHT CRYPTOGRAPHY
Pervasive computing technologies are enabling all sorts of things to connect to the Internet, some of which are characterized by limited energy as well as computational and storage resources. What usually comes to fore when implementing security in such constrained environments are memory requirements, circuit area, and energy drain of the primitive to be implemented. Therefore, as highlighted in the previous section, standard algorithms are often prohibitively expensive for implementation in such environments.
While there are no strict criteria for classifying a cryptographic algorithm as lightweight, LWCAs must fulfill certain criteria. They should: (1) provide acceptable level of security, (2) consume less Central Processing Unit (CPU) time, (3) have extremely low memory requirements, (4) consume very low power, and (5) occupy a very small circuit area on hardware. Lightweight cryptography can, therefore, be defined as a specialized cryptography with good performance, tailored for devices that feature low computational capabilities, less memory and/or small area footprint. In the following subsections, we discuss different types of LWCAs, LWC design and implementation considerations, and LWC for IoT.
A. TYPES OF LIGHTWEIGHT CRYPTOGRAPHIC ALGORITHMS
The demand for secure, efficient, low-energy, and yet implementable cryptographic primitives that can fit the most constrained environments is dramatically increasing. Thus, in recent years, significant progress has been made in addressing this fundamental issue through different LWC research initiatives [31] , [35] , [36] . Today, there are many types of lightweight symmetric ciphers as well as a few of their asymmetric counterparts. Lightweight symmetric ciphers comprise of block and stream ciphers. Other LWCAs include hash functions, Message Authentication Code (MAC), and Authenticated Encryption (AE) algorithms.
1) LIGHTWEIGHT BLOCK CIPHERS
Block ciphers are the most versatile of the symmetric ciphers, and based on algorithm structure, they can be classified into two basic categories, namely, Substitution-Permutation Network (SPN) and Feistel Network (FN).
The inputs to the SPN are each block of the plaintext and the key, however, many round keys are derived from the main key which are used in the operations [37] . To produce the ciphertext block, SPN applies several rounds of substitution boxes (S-boxes) as well as permutation boxes (P-boxes) in an alternating manner, also called substitution and permutation functions, to the plaintext and the round keys [38] . The substitution (i.e., replacement of certain number of bits with other according to some rules) and permutation (i.e., manipulation of the order of bits using some algorithm) functions provide confusion and diffusion, respectively. While diffusion prevents attackers from deducing any key by creating complex statistical relationship between ciphertext and plaintext, confusion creates intricate relationship between the encryption key bits and ciphertexts, making deduction of key bits extremely difficult [39] .
These operations are typically achieved through Exclusive-OR (XOR) and bitwise rotation, which are efficient and easy to implement in hardware. To decrypt an encrypted message using SPN, the encryption rounds must be reversed by reversing the S-boxes/P-boxes, and also the order of the application of the round keys must be reversed [37] . The structure of SPN provides good resistance against most cryptographic attacks. It also has more inherent parallelism, and hence algorithms based on SPN can be faster in software on high-end devices with multiple processing units than their FN counterparts.
However, low-end devices with few processing units cannot benefit from the inherent parallelism.
Like in SPN, the plaintext in FN is processed in a number of rounds to get the ciphertext, and the number of rounds required determines the number of round keys (i.e., subkeys) which must be generated from the master key. However, in Feistel structure, the plaintext input block is divided into left (L) and right (R) halves, and an encryption function, f , is applied only to the R half [38] . For example, in the first round, the function takes the round key K i and R i−1 as inputs and produce the output f (K i , R i−1 ). This output is then XORed with L i−1 , where i = 1, 2, 3, . . . , n. The last step of each round is the permutation step which simply swaps L and R, such that the R for the next round would be the L for the current round. Similarly, the L for the next round would be the R for the current round. The process of decryption in FN is almost identical to that of the encryption, the only difference being the reversal of the round keys used in the encryption [40] .
Some advantages that make the FN a better choice for lightweight cipher design are that the encryption and decryption functions are almost the same, and that the round function is only applied to half the input block. This implies that FN performs less computation than the SPN, and hence ciphers based on the FN can be implemented with nearly half the size of code or circuitry needed in SPN [40] . Nevertheless, the disadvantage of the scheme for lightweight applications is that it requires many number of rounds to make the algorithm complex and hence secure, which translates to more time to encrypt and decrypt.
The strength of FN depends on the following parameters: number of rounds -the more the number of rounds, the more security; subkey generation algorithm -the complex the algorithm, the more difficult for cryptanalysis to generate the secret key; and round function -the complex the function, the greater the resistance to cryptanalysis. Other parameters are: block size -the larger the block size, the more the security; and key size -the larger the key size, the more the security. The design of FN depends on the number of rounds, subkey generation algorithm, and the round function used.
One example of both conventional and lightweight ciphers based on the SPN are AES and PRESENT, respectively. Similarly, an example of both conventional and lightweight ciphers based on the FN are Data Encryption Standard (DES) and CLEFIA, respectively.
2) LIGHTWEIGHT STREAM CIPHERS
Lightweight stream ciphers are symmetric-key ciphers that encrypt one bit or one byte of plaintext at a time. The design of stream ciphers is similar to the ideal cipher, also known as One-Time Pad (OTP), the only cipher that is perfectly secure and fully immune to brute force attacks [41] . This is because the key used in OTP is truly random, and it is at least as long as the message. Stream ciphers use an infinite keystream of unpredictable (in feasible time) pseudorandom bits generated from a secret key (K ), the only part that should be truly random in this algorithm, and an initialization vector (IV ). The keystream generator is typically based on Linear Feedback Shift Registers (LFSRs) and Non-linear Feedback Shift Registers (NFSRs) [42] . To encrypt a message P, 1 bit of the keystream is XORed with 1 bit of the plaintext to generate 1 bit of the ciphertext. For instance, given 1 bit of plaintext P i , 1 bit of ciphertext C i , and 1 bit of keystream Ks i , encryption and decryption can be represented by Equations (1) and (2), respectively:
In Equations (1) and (2), E represents an encryption/decryption function, which in the case of stream ciphers is modulo 2, i.e.,
Modulo 2 addition is used since it is equivalent to the XOR operation. From Equation (2) it can be seen that the decryption process is very simple, because it is the same XOR operation. It is very important that the key be reproducible by the communicating parties. The security of this scheme depends on the keystream, hence the keystream should be very random. A good statistical property for ciphertext is that for a perfectly random keystream bit Ks i , i.e.,
a ciphertext output bit C i should have a 50% chance of being 0 or 1. Stream ciphers can be divided into synchronous and asynchronous stream ciphers [43] . In synchronous stream ciphers, the keystream depends only on the key. However, in asynchronous stream ciphers the keystream depends both on the key and the ciphertext. Lightweight stream ciphers are more compact, and are designed to minimize space and computation time, and thus faster in hardware and software compared to block ciphers. One example of both conventional and lightweight stream ciphers are RC4 and chacha20, respectively.
3) LIGHTWEIGHT CRYPTOGRAPHIC HASH FUNCTIONS
A hash function is any function that takes an input string of arbitrary-length and outputs a fixed-size of alphanumeric string, usually called digest, hash fingerprints, or hash values. Formally, it can be defined as an efficient and deterministic algorithm H : P → D that maps a given input from a finite arbitrary-length message space P = {0, 1} * to an output within a finite fixed-length space D = {0, 1} n (i.e., a finite set of bit strings). Hence, H : {0, 1} * → {0, 1} n , where * represents an arbitrary input size, and n the size of hash value [44] . On the other hand, a cryptographic hash function is a special type that in addition must have certain properties in order to be considered secure and suitable for cryptography. The ideal cryptographic hash function properties are: (1) Pre-Image Resistance: given a digest d, it should be computationally infeasible to find a message p such that d = H (p);
(2) Second Pre-Image Resistance: given a digest d and a message p such that d = H (p), it should be computationally infeasible to find another message p (where p = p), such that the two messages hash to the same digest, i.e., d = H (p ) = H (p); and (3) Collision Resistant: it should be computationally infeasible to find two different messages with the same hash, i.e., computationally infeasible to find p, p such that H (p) = H (p ) [44] .
Most modern hash functions are designed by constructing a collision resistant compression function that takes a fixedlength input and outputs a shorter fixed-length output, and then extending its input domain by applying some composition scheme iteratively [45] . Hence, the two fundamental building blocks are: a compression function and domain extender. A compression function can be derived from a block cipher or a permutation, or designed from scratch. Popular methods of constructing compression functions from traditional block ciphers include Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel.
However, since hash functions are expected to take arbitrary-length inputs, there is a need to securely extend the domain of the compression function, which can be achieved by using composition principles or iterative techniques. Thus, a domain extender (also called a composition scheme) is a generic construction that transforms a given compression function with fixed-length input into a function with arbitrary-length input [46] . The iterative structures in the composition schemes allow for a sequential message processing. Today, most of the iterative techniques used in cryptographic hash function designs are based on the Merkle-Damgård (MD) or Sponge constructions. Many standard cryptographic hash functions are based on the MD construction (or its variants since there have been successful attacks on the MD construction) iterating a Davies-Meyer as their underlying compression function.
Typically, hash function footprint is largely determined by the number of internal state bits (as well as the key schedule for block cipher based designs), which dominates the total area requirements of hash functions. For example, the internal states for SHA-3 is 1600 bits [47] . Thus, a major challenge in designing lightweight hash functions is how to strike a perfect balance between security and memory requirements. One option is to build a domain extender on top of a lightweight block cipher using Davies-Meyer or other constructions. But it has been shown in [48] that this is not an optimal solution for reducing the footprint. However, it has been demonstrated convincingly in [49] , [50] that by using permutation-based Sponge construction, the state size can be reduced to almost halve.
Consequently, the design of lightweight cryptographic hash functions is mostly based on Sponge construction [51] . The sponge construction depends on a specific-length permutation (or transformation) as well as a strict padding rule to ensure mapping variable-length input to variable-length output. A sponge function takes a binary string of any length as input, and returns a binary string of any desired length, i.e., it takes input element of Z * 2 and returns an element of Z n 2 , where n is a user-specified value. Cryptographic hash functions are major targets for cryptanalysts as they constitute essential building blocks for many security applications [52] . For example, they are used to achieve some security goals, such as authenticity; they are also used for password protection, digital time stamping, certificate revocation management, etc. One example of both conventional and lightweight cryptographic hash functions are SHA-3 and Keccak, respectively. The cryptographic hash functions discussed so far belong to the Keyless category, which produces an output that depends only on the input message. The other category is known as Keyed cryptographic hash function, which produces an output that depends both on the input message and a key, also referred to as MAC.
4) LIGHTWEIGHT MESSAGE AUTHENTICATION CODE (MAC)
Like the Keyless hash functions, MACs are non-invertible functions that are used to produce a fixed-length output from an arbitrary-length input message. As highlighted above, the main difference between the Keyless hash functions and MACs (i.e., Keyed hash functions) is that a MAC also takes a secret key K as an input in addition to the message P to be authenticated. Using the same notations as in the case of the Keyless version, a MAC can be defined formally as a deterministic algorithm H : P × K → D that maps a given input from a finite arbitrary-length domain space P and a given key from a finite fixed-length key space K to an output in a finite fixed-length space D, where K = {0, 1} k . Hence, H : {0, 1} * × {0, 1} k → {0, 1} n . MAC functions are used as cryptographic checksums for authentication and message integrity checks [53] . The scheme consists of a tag-generation and tag-verification algorithms. For example, assuming the sender and receiver have securely shared a secrete key K , the sender uses the taggeneration algorithm to compute a tag t (also called checksum) for a message P (using the secret key K ) and sends both P and t to the receiver. Upon reception of the message (which may have been tampered with en route), the receiver runs the tag-verification algorithm to check the message-tag pair using the same secret key. If the check is successful, the algorithm returns 1, and the receiver accepts the message; otherwise it returns 0, and the message is rejected.
Formalizing the above descriptions: (1) let a keygeneration algorithm GEN take a security parameter 1 n and produce a uniformly distributed secret key K , where |K | ≥ n, i.e., K ← GEN (1 n ); (2) a given tag-generation algorithm MAC takes as an input a secret key K and a message P, and returns a tag t such that t ← MAC k (P); and (3) a given tagverification algorithm VER takes a secret key K , a message P and a tag t, and returns 1 if t = MAC k (P), otherwise it returns 0 [53] . Note, however, that the tag-verification algorithm simply runs the tag-generation algorithm on the received message and the secret key of the receiver, and compares the newly generated tag with the one received.
In the asymmetric key cryptography setting, the MAC counterpart is known as digital signature, which provides a better authenticity since in addition to message integrity verification, it also verifies the identity of the sender. Digital signature also has two algorithms: a signature generation algorithm and a verification algorithm [54] . Thus, the sender signs the message with his/her private key, and the receiver verifies the message using the public key of the sender.
In the case of MAC, since all communicating parties have the secret key, any party can produce and verify a tag, meaning that a given tagged message could have been produce by any of the parties. On the contrary, in the case of digital signatures, since every party has a unique public and secret key pair, once a party signs a message with his/her private key, it remains bound to the party, since (presumably) no one else knows his/her secret key [54] . Hence, apart from authentication and message integrity, digital signatures also provide another important security service known as nonrepudiation -a property that ensures that a participant cannot later deny taking part in a particular action.
There are different lightweight approaches to deal with authentication and corrupted message issues in the IoT. For example, embedding digital certificates, signed by the manufacturer, into devices can solve authentication and key exchange problems in some IoT applications [55] . However, there are many devices that cannot cope with this approach. This is because digital certificates rely on public key cryptography, which requires more memory due to longer keys, and may be computationally expensive for some devices [56] .
A lighter alternative is lightweight Cipher-based Message Authentication Code (CMAC) [57] . Lightweight CMAC algorithms can be built using block ciphers, provided these underlying block ciphers are lightweight themselves. This is demonstrated in [58] , where the lightweight block ciphers SIMON, SPECK, and LEA were used as the underlying primitives for a lightweight CMAC. One example of both conventional and lightweight MAC algorithms are CBC-MAC-DES and SipHash, respectively.
5) LIGHTWEIGHT AUTHENTICATED ENCRYPTION (AE)
Arguably, encryption (used to provide confidentiality for a message) is the most widely known security concept, but it lacks the mechanism to check the authenticity of the message. However, in practice, the two security goals (i.e., confidentiality and authenticity in the sense of data origin authentication) are often desirable [59] , [60] , since encryption that is not accompanied by message authentication has limited value in some applications. To achieve these two security goals, two separate algorithms are usually implemented. However, implementing two security algorithms on some resourceconstrained IoT devices can drain the limited resources available such as energy source, code space or silicon area, and hence the need for lightweight AE algorithms. An AE is a symmetric key cryptographic primitive that simultaneously provides message confidentiality and authenticity under a single key [60] .
Authenticated Encryption with Associated Data (AEAD) additionally provides the ability to check the integrity and authenticity of additional information called Associated Data (AD), such as packet header which is a public data that travels alongside the ciphertext and must be authenticated with the ciphertext [61] . An AEAD scheme takes plaintext P, initialization vector IV or nonce, and AD (which we refer to here as a header H ) as arguments. P is encrypted by the underlying cipher using a secret key K , producing a ciphertext C. C is authenticated along with H yielding a tag T , truncated to a suitable length. The output, which consists of C appended to T , C||T , can be decrypted and verified with the same secret key K used in the encryption process [60] . Note that in order to decrypt correctly, AD must be sent along with tagged-ciphertext. To minimize waste of resources, ciphertext authentication is preferred over plaintex authentication, so that invalid messages can be discarded earlier by simply checking the authentication tag without having to decrypt the whole message.
Generic composition of encryption and MAC algorithms is the classical method for achieving data confidentiality and authenticity. In the past few years, for example, the variants of generic composition schemes Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC [62] were used in the old versions of these important security protocols, namely Secure Shell (SSH), Transport Layer Security (TLS), and Internet Protocol security (IPsec), respectively. Besides being nonoptimal and inefficient (since the scheme needs to process the message twice), this approach is difficult and may be prone to implementation errors [61] .
Therefore, several efficient and secure AE designs have been proposed in recent years, including Galois/Counter Mode (GCM), Counter-with-CBC-MAC (CCM), and Offset Codebook Mode (OCB). In addition, the sponge functions proposed lately promise to be useful building blocks for resource-efficient types of AE algorithms. One example of conventional and lightweight AE algorithms are OCB and ACORN, respectively.
B. LIGHTWEIGHT CRYPTOGRAPHY DESIGN AND IMPLEMENTATION CONSIDERATIONS
Lightweight cryptography targets a diverse range of IoT devices in different application domains, including implantable medical devices, wearables, vehicle security systems, and smart meters. The diversity of IoT devices ranges from a simple standalone sensor device enabling telemetry (i.e., gathering data from remote places) to a complex machine participating in an industrial process. Typically, different IoT devices utilize different communication protocols, and are powered by a variety of energy sources, such as disposable or rechargeable batteries, or renewable energy sources. Accordingly, the security requirements and the manner in which security is designed and implemented in these devices differ drastically [63] . For instance, while there are IoT devices that can handle any lightweight security algorithm, the extremely resource-constrained devices can only afford to devote a small portion of their circuit area and/or computing power to security. Thus, an algorithm that can take up much of the scarce space on such devices is not a viable candidate.
It is important to note that providing security is not the main purpose of IoT devices [31] . As a matter of fact, security is an overhead on top of the actual functionality of a device, and if not properly designed and/or implemented, it may even hinder the intended operations of the device or application. Therefore, the design and implementation of LWCAs deserve special attention, especially considering that optimizing the three design goals (i.e., security, cost, and performance) in the IoT setting is very difficult [35] .
Notwithstanding the implementation difficulties, LWCAs can be implemented both in software and hardware. There are, however, important considerations to take into account when implementing LWCAs: (1) block cipher choice: depending on the application, a very short key and/or a very short block algorithms may not provide the desired level of security. This is because the cryptanalytic strength of most symmetric key ciphers lies in their key length, therefore, a very short key length may increase the probability of keyrelated attacks. Similarly, while block size does not play an important role in the security of a cipher, the security of a mode of operation (since block ciphers are often used in modes of operation) depends on the block size of the cipher in addition to the security of the underlying cipher. In Cipher Block Chaining (CBC) mode, for example, a very short block size can cause collision problems. For instance, if block size is n bits, then according to the birthday paradox, there may be a collision after about 2 n/2 block encryptions. Hence, if n = 32, there may be collision after about 2 16 block encryptions [64] ;
(2) good security and good performance are at odds with each other. Although this trade-off is not peculiar to LWC, it is especially more critical in this context because of the aforementioned constraints related to many IoT devices; (3) the choice of an implementation option should be based on hardware capabilities, as well as on the application; and (4) any implementation option should target an optimum use of resources.
Below we provide detailed discussions on both software and hardware design and implementation considerations, as they often have different and sometimes conflicting properties and demands. For example, while bit permutation is a trivial task in hardware which can be easily achieved by simple re-wiring, in software it is usually a very difficult task to perform. In contrast, implementing a substitution table is not a trivial task in hardware, but it can be easily implemented in software [65] . Thus, lightweightness in software does not necessarily mean lightweightness in hardware and vice versa.
1) SOFTWARE CONSIDERATIONS
The primary design goals for software implementation of LWC are to minimize memory requirements, maximize throughput, and to optimize power consumption of a cipher. The memory mainly consists of Random Access Memory (RAM) and Read-Only Memory (ROM). Analyzing memory usage is critical and fundamental, as it provides useful information on the implementability of a security algorithm in a constrained environment.
Methods of cipher implementation vary according to the device and the application. Where speed is not so important, an algorithm can be implemented in a high-level programming language, such as C, C++, and Java. But many cryptographic engineers prefer the portability of C code to other high-level programming languages [66] , and the fact that it allows the programmer to have a lot of control over memory usage. As a result, the C implementations of many cryptographic algorithms are readily available. For higher speed applications, however, an assembly language, or machine language (which is very tedious, error-prone, and rarely used today) can be used.
The core performance metrics often used for evaluating software design and implementation of LWCAs are code size (ROM), RAM usage, execution time, and energy consumption [66] , [67] . The design and implementation of IoT devices typically require a careful control of the limited resources available, including the scarce memory. By leveraging some special features in device memory and C programming, data can be allocated in memory in such a way that would allow one to manage and control certain allocated data properties, such as size, scope, location, access, and lifetime. This will greatly help in optimizing the design and implementation of cryptographic algorithms since knowing how data is allocated in physical Microcontroller Unit (MCU) memory is of utmost importance in optimizing performance and speed. Therefore, as a background to memory usage, we provide a high-level description of some aspects of memory layout of embedded C programs.
Most MCUs today are based on the Harvard architecture, and unlike in the Von-Neumann architecture [68] , the program memory and data memory on the Harvard architecture are separate memories, as shown in Fig. 1 . These memories are also known as the program and data segments, which can be simply referred to as the flash and RAM, respectively. These blocks of memories map compiled segments of a program to a physical address space through the linker file. The program memory, which is non-volatile, stores the compiled program and a small part of the data. It is further divided into sub-segments, which includes the .text, .const (or .rodata in some architectures), and .cint/.pint subsegments. The text section (which is usually the largest) stores the written program, including the main function, user defined functions, and standard library code. The const/readonly section stores constant variable data, which is difficult to overwrite at runtime. Its size depends on software implementation. The compilers on Harvard architecture-based MCUs use special instructions to access constant variables. The .cint/.pint (the names depend on architecture, compiler, or C standard) are the initialization sections where initialized data values are stored (e.g., global initialized variables), and are loaded into the data memory at startup. Their sizes also depend on software implementation.
The data memory, which is usually volatile, stores the program operands like the variables on which the program executable operates on. Its content changes regularly throughout the program execution as data is loaded into the CPU registers, and the results are stored back into the memory. The data memory is also divided into sub-segments, which include .data, Block Started by Symbol (.bss), the heap, and the stack. The size of each sub-segment depends on how the program is written. The data section stores non-zero initialized global and static data (including static local variables). The data in this section is allocated at compile time, and will persist in memory until the end of the program. The .bss region stores zero initialized and uninitialized global and static data. The heap is used to store dynamically allocated data. While a heap space is reserved at compile time, data is allocated at runtime, and lifetime of data is directly managed by the programmer (usually longer than a function, but less than the program), hence memory can be used over and over again. The malloc, calloc, relloc, and free functions are used to allocate data, reallocate data, and free a heap memory space, respectively [69] . Note that it is very important to free the heap memory that is no longer needed by the program. The stack stores most local variables and temporary data. Like the heap, memory space is reserved at compile time but data allocation is done at runtime, and data will only exist for the length of a function or block of code, meaning that the memory can be reused by other functions. Hence, the stack shrinks and grows as the program runs. However, writing a program that exhibits a large data size/type (such as many local variables, input parameters, return data, nested interrupts, and nested subroutines) can potentially overflow the allocated stack region [70] . This is because reserved space on the stack is of specific size determined at compile time.
Having highlighted the memory layout of embedded C programs, below we outline the four aforementioned performance metrics:
• Code Size: The code size is the binary program size representing the program footprint stored in the flash memory (program memory), which is usually measured in bytes. The total code size is obtained by adding the .text section of the program memory and the .data section of the data memory (since the .cint/.pint sections of the program memory are loaded into data memory at runtime). Sometimes the size of the .bss is not considered, for example, in the Fair Evaluation of Lightweight Cryptographic Systems (FELICS) framework [66] , the .bss section is not considered since the framework forbids the use of global uninitialized variables;
• RAM Usage: The RAM usage is divide into .data usage and stack usage. The .data may contain the data to encrypt, round keys, master key, or initialization vectors [66] . However, the RAM is not for storing large fixed data such as Look-Up Tables (LUTs) . Large data like LUTs should be allocated on the flash to save the valuable space on the RAM. The stack may contain local variables, return address after interrupts, and subroutine calls;
• Execution Time: Although the speed of an algorithm on an MCU is related to its performance [67] , achieving high speed at the cost of high overhead due to complex key schedule would be counterproductive. Therefore, latency must be taken into consideration as well [71] .
In addition, there is need to find acceptable ways to enhance performance, as well as ways for evaluating the swiftness of execution time of an algorithm. While there is no standard speed measurement procedure that cuts across all hardware platforms, a general approach to determining execution time of an algorithm would be to calculate the absolute difference between the system timer number of cycles at the end and the beginning of a given operation;
• Energy Consumption: Despite the technological advancements in battery technology, there is no commensurate improvement in energy storage capacity, especial for very small footprint devices [72] . As a result, energy consumption still remains a major constraint in the IoT. While transmission overhead is a major source of energy drain, intensive computations, such as execution of cryptographic algorithms can also cause excessive energy drain in resource-constrained devices. Thus, energy efficiency should be a key consideration in the design of usable security solutions for this space. To determine the magnitude of consumed energy in a device, there is a need to obtain the power (i.e., the rate at which energy is consumed). Thus, power consumption can be calculated by multiplying the device current consumption by the operating voltage, i.e.,
where P is power, I is current, and V is voltage. Hence, energy consumption (E) is equal to the product of the average power consumption and the operation time (T ), i.e.,
Therefore, to optimize energy consumption, designers must strive to minimize power consumption and/or reduce execution time.
2) HARDWARE CONSIDERATIONS
While software implementations of lightweight cryptosystems are inexpensive (since they utilize existing system resources), more flexible, easy to deploy, as well as easy to upgrade and update, they are relatively slower in comparison to their hardware counterparts. They also provide a very low level of protection for crypto variables such as crypto-keys. The hardware implementations, on the other hand, are much faster [42] , typically by several orders of magnitude. Additionally, many hardware security solutions are tamper-resistant, and hence compromising cryptographic security parameters such as retrieving secret keys would be much harder. In fact, in some hardware solutions, such attempts will trigger the module to delete its internal memory. Another important aspect is that hardware implementation allows designers to implement the exact desired functionality without redundant components [73] , and hence they are typically considered more suitable for ultra-constrained IoT devices. Hardware security can be achieved using hardwareassisted MCUs, dedicated hardware, or onboard implementation, as in the case of some IoT devices, and most especially the highly constrained devices such as RFID tags [48] . Such devices have very limited silicon area and very little energy available. In particular, the passive RFID tags are so constrained that they do not have any software-programmable processor. This implies that hardware implementation is the only feasible option available for implementing security in such devices. In addition, they do not even have a battery and must harvest power from the radio waves transmitted from a reader [73] , and therefore designers must cope with this tight power budget.
Although optimizing all of the three aforementioned design goals at once is a very difficult task, even in the case of lightweight hardware implementation, designers should provide better trade-offs in this space. Particularly, by reducing the implementation cost of LWCAs as much as possible, while at the same time not losing track of the appropriate level of security. The key performance metrics that describe the efficiency of hardware implementations of cryptographic primitives are circuit area, energy consumption (which has already been outlined in the previous subsection), throughput, and latency [31] .
• Circuit Area: refers to a measure of physical circuit area needed to implement a primitive. In digital electronics, this is basically a function of the number of fundamental building blocks called logic gates that have two inputs and one output, such as NAND and NOR gates. The smaller the area, the better;
• Throughput: is a measure of the average units of data processed in each clock cycle, and in this context it is usually expressed in bytes per cycle. The higher it is, the better;
• Latency: refers to the time taken by a circuit to process an input data (a byte or block of data) and produce the corresponding output (a byte or block of data). The lower it is, the better.
Unlike software implementations that are coded using traditional programming languages like C and C++, a hardware implementation of LWC is best designed and programmed using a Hardware Description Language (HDL). An HDL is a language used to describe the structure and the behavior of digital electronic hardware designs. Two examples of HDLs are Very High Speed Integrated Circuit HDL (VHDL) and Verilog [74] , which are used to map a circuit logic description to logic blocks. HDL designs can be implemented on a variety of hardware development environments, however, Application Specific Integrated Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs) are currently the most popular platforms used for hardware implementations of cryptographic algorithms.
An ASIC is a custom manufactured microchip or Integrated Circuit (IC) specially designed for a particular purpose, for example, customized for a specific functionality required by the end product of one client. Modern ASICs can contain over 100 million logic gates. Since ASICs are designed only for a needed application, they are often more efficient in performance, very small in size (which can help to shrink the size of a product), and hence consume very little energy. They also provide very strong access control to cryptographic keys; and if carefully designed, the unit cost of ASICs can be considerably less [68] . However, the downside of this platform is that its initial development cost (which includes physical layout and subsequent fabrication in a semiconductor foundry) can be very high. Moreover, the process must be carefully monitored to ensure that the final design meets the given design requirements, and that the device operates well in real-world applications.
The FPGA, on the other hand, is an IC that allows users to create their own digital circuits using the onboard array of Configurable Logic Blocks (CLBs) connected via programmable interconnects. The logic blocks of most FPGAs contain memory elements, which can be complete blocks of memory or simple flip-flops. Using an HDL, users can configure and reconfigure the device, if need be, to a desired functionality or application requirements. Similarly, the FPGAs on circuit boards are usually programmed by the manufacturer, however, if there is need for update or upgrade, such FPGAs can be reprogrammed to effect desired changes. This is a key feature that distinguishes FPGAs from ASICs [75] , which are custom manufactured only for specific applications. Reduced cost (FPGA tools are cheap or free) and shorter time of development, as well as simpler design cycle are other features that distinguish FPGAs from ASICs. In FPGAs, layout (physical design), fabrication, and verification of physical defects are not required.
Furthermore, considering that FPGAs are highly flexible, reconfigurable, and can be dynamically reprogrammed in the field, an insignificant error in the design of an algorithm would not invalidate the device, since a software patch could be released to fix the bug. Though they provide a weaker access control to crypto-keys than in ASICs, it is usually stronger than in software implementations.
However, FPGAs are typically slower than ASICs, larger in size, and hence consume more power [74] , and are more costly (i.e., in terms of unit cost). These drawbacks are mainly due to the programmable routing interconnect, accounting for almost 90% of the total circuit area [75] . Although recent developments in the FPGAs are narrowing down the gap between them and the ASICs (now attaining up to a maximum frequency of 500MHz), most of the enhanced features of FPGAs concern functionality and not performance. Therefore, FPGAs are still less efficient than ASICs.
While circuit area has been highlighted as a major performance metric in hardware implementation of lightweight cryptographic primitives, there is no accurate and acceptable way to measure or estimate circuit area across different platforms. For example, an ASIC design mapped to two different technology libraries would give two different areas. This is also the case when two different families of FPGAs are compared. Consequently, both the academia and the industry have adopted a technology-independent method for determining circuit area in their quest to solve the problem in the ASIC space. The measurement standard is known as Gate Equivalent (GE), which can be obtained by diving the total area A of a design (technology-dependent) in µm 2 by the area of the smallest two-input NAND gate N A (technology-dependent) available in the particular technology [74] , i.e.,
GE =
Despite the existence of a few works on area estimation model for the FPGAs [76] , there is still no accurate uniform area estimation model for these devices. For example, the top two FPGA companies, Xilinx and Altera, have different measurement standards. The measurement standards for the Xilinx FPGAs are CLBs or Slices. One CLB element contains a pair of slices, and at a minimum, each slice is composed of four LUTs and eight storage elements (flip-flops). In the case of the Altera FPGAs, the measurement standards are Logic Array Blocks (LAB), Adaptive LogicModules (ALMs) or Logic Elements (LEs) [77] .
Above all, converting from ASIC GEs to FPGA number of slices is a major challenge as ASIC designs do not map to the same FPGA area due to differences in technology and development processes. Despite attempts by some researchers to measure the gap between FPGAs and ASICs [78] , there is still no easy and acceptable way to find the equivalent gate count of FPGAs.
As a vital component of microchip design reuse, the Intellectual Property core (IP core) is key to the continued advancement of the Electronic Design Automation (EDA), a trend that has revolutionized the electronics industry. Today, IP cores are essential building blocks of hardware designs using ASICs and FPGAs. Thus, the use of existing LWC algorithm IP cores that have been properly designed can facilitate the implementation of lightweight hardware primitives [79] . However, such IP cores must be those whose security is mature, having undergone a sufficient number of tests and reviews.
C. LIGHTWEIGHT CRYPTOGRAPHY FOR IoT
In response to the constant need for secure and highperformance LWCAs suitable for IoT applications, research and development of LWC have been on the rise in recent years. As a consequent, quite a number of LWCAs have been standardized by different international and national organizations. For example, in 2012, the International Organization for Standardization (ISO) has specified two block ciphers suitable for LWC as the ISO/IEC (29192-2P:2012), namely PRESENT and CLEFIA [80] . Similarly, in 2013, the Research Directorate of the US National Security Agency (NSA) proposed two block ciphers, SIMON and SPECK, specifically designed for very constrained platforms [81] . In addition, the international cryptographic community has, over the years, made significant efforts in the development of other LWCAs, which include ciphers such as TWINE, Piccolo, PRINCE, and LED [82] .
In an analogous manner, a lightweight cryptographic technology guideline has been provided by the Cryptography Research and Evaluation Committee (CRYPTREC) in Japan [31] . The guideline contains the results of a comprehensive study that reviewed different LWCAs that have potential applications in resource-constrained environments. In the proposed framework that will be presented in the next section, we utilize many of the cryptographic algorithms evaluated by CRYPTREC. Table 1 presents a summary of the cryptographic algorithms presented by CRYPTREC. Comparing the performance of these algorithms is not the focus of this article. Hence the table only presents the algorithms and shows a few parameters of the block and streams ciphers, as well as a few parameters of the MAC algorithm. For more details on the remaining parameters of these and other algorithms see [31] . Note that Table 1 shows SipHash as the only MAC algorithm because according to [31] , it is the only mature lightweight MAC algorithm that has undergone sufficient number of reviews at the time of their study.
IV. THE PROPOSED FRAMEWORK
In [12] , an IoT framework has been defined as a conceptual structure made up of guiding rules, protocols, or standards intended to simplify the design and implementation of IoT devices and smart apps. In this section, we propose the IoT-HarPSecA framework, and in line with the above definition, the main goal of the proposed framework is to facilitate the design and implementation of secure IoT devices and smart apps as mentioned in Section I.
As highlighted in Section I, IoT-HarPSecA is composed of three main components, namely the SRE, SBPG, and the LWCAR components, each having a different functionality feature. A user can select only one functionality at a time, as shown in Fig. 2 . IoT-HarPSecA is modular in design, and the modularity in the design of each of the components allows for easy integration of new functionalities; it also allows for easy upgrading of existing functionalities. In the following subsections, we present a summary of the design and description of the modules in each of the components of the IoT-HarPSecA framework. We also provide a summary of the implementation of the tool that can be used to interact with the proposed framework.
A. DESIGN AND DESCRIPTION OF THE SECURITY REQUIREMENTS ELICITATION COMPONENT
Although a security requirement is usually considered as a non-functional requirement, it is a very important feature that prescribes what a system or an application needs in order to achieve a particular security objective. Thus, identifying the security requirements of an IoT system is a major step towards providing proper security protections. For definitions and detailed discussions of security requirements in the context of IoT, see [17] , [83] , [84] .
A high-level depiction of the SRE component architecture is shown in Fig. 3 . The proposed architecture consists of five functional modules, namely the user interface, security requirements generator, storage and updates, admin interface, and the output interface.
1) USER INTERFACE
This serves as a conduit between the proposed framework and the users. Depending on how the IoT-HarPSecA framework tool is implemented, the user interface can be a Command Line Interface (CLI) or a Graphical User Interface (GUI). But in this paper, it is a CLI. Upon registration and login, the user is taken to the main menu consisting of 14 options: options 1 to 4 are for the SRE component, 5 to 8 for the SBPG component, 9 to 12 for the LWCAR component, etc., as shown in Fig. 4(a) .
By selecting option 1, a user is taken to the SRE component console window to make a request. However, prior to making a request, the user must choose a unique request ID starting with an R and followed by four numeric digits. While the R represents security requirements, the rationale for choosing four numeric digits is explained in [18] .
After entering a unique request ID, the user is prompted to select an application domain, he/she is also asked to select whether the IoT system is in its early phase of development or it is an existing system. This enables the tool to appropriately manage the way the questions are rendered.
Finally, the tool unfolds the questions in the questionnaire one after the other. The questionnaire consists of 16 questions, which include: Will the system have a user? Will it have a user login? Will it store any user information? Will it store any other information? What type of information will it store? ( 
normal, sensitive, or critical) Will it send data to a cloud? Can someone with bad intention have access to it?
Although the questionnaire consists of 16 questions, the total number of questions that can be presented to a user depends on his/her response to some of the previous questions. For example, if a user's answer to the first question presented above is no, he/she will not be presented with the second question. The input generator extracts the required data from the user response to the questionnaire and feeds it to the security requirements generator. It also stores the extracted data in the database to allow the user to process the request at a later time.
2) SECURITY REQUIREMENTS GENERATOR
This functional module consists of three components: user response analyzer, security requirements selector, and requirements aggregator. The user response analyzer evaluates the input data from the input generator and extracts specific information from every answer provided by the user, such as yes, no, sensitive information or critical information, etc. This information is used by the security requirement selector to select an appropriate security requirement from a pool of security requirements in the database. The requirement aggregator collects the individual security requirements for a given user, compiles them into a set of security requirements, and then pushes them to the output interface.
3) STORAGE AND UPDATES
The storage and updates module is a repository which basically consists of a MySQL database. Since the module is similar in the three components, we describe it only in this subsection and mention the items stored in each instance of the module for each of the three components.
This module is where the user and admin accounts, as well as the SRE, SBPG, and LWCAR components requests of users, are stored. The database also stores the pool of security requirements of the SRE component and a set of security best practice guidelines for the SBPG component. Other items stored in the database are the security requirements, security mechanisms, and the LWCAs used in the LWCAR component. These resources are entered manually by the administrator, and whenever the need arises they can be updated by the administrator.
4) ADMIN INTERFACE
This can also be referred to as the administrator control panel. The admin menu of the IoT-HarPSecA framework tool consisting of 8 options is shown in Fig. 4(b) . Since this module is the same for the SRE, SBPG, and LWCAR components, it will only be described herein. While the tool has provision for the creation of admin accounts, it is not designed with a default admin account and a hard-coded password. The administrator has to register as admin, and he/she will automatically be given the username Admin1. Usually, there is only one administrator, however, if need be, Admin1 can authorize the creation of a second admin account as deemed necessary, which can have any username. To protect the passwords of both users and admin, we employed salted password hashing using the SHA256 hashing algorithm.
Only authorized administrators can log into the admin interface, and once logged in, an administrator is trusted and assumed to be non-hostile, and hence will have access to all administrative tasks. With these privileges, an administrator can add, edit, or delete some records in the database. For example, an administrator can manage user accounts; perform updates on lightweight security algorithms; and delete SRE, SBPG, and LWCAR requests. However, besides the ability to completely delete a user request and a user registration, an administrator cannot manipulate any user request, nor can he/she influence the decision of the IoT-HarPSecA framework tool.
5) OUTPUT INTERFACE
Each component of the IoT-HarPSecA features an output interface module with some similarities in their description. Therefore, the module is only described in this subsection, but we provide a description of the output in each instance of the module for each of the components.
For each component, the output interface simply communicates the output to the user. For example, the output interface module of the SRE component of the IoT-HarPSecA framework tool outputs the generated security requirements to the user. Similarly, the output interface module of the SBPG component produces a report consisting of a set of security best practice guidelines. In the same vein, the output interface module of the LWCAR component displays a table consisting of the user security requirements, their corresponding recommended security mechanisms and the lightweight security algorithms that provide them.
Apart from the output interface module of the SBPG component that only prints its output to a text file due to the large output; the outputs of the other two modules are printed both on the screen and to a text file. In all cases, the text file outputs are formatted in markdown.
When the result of the LWCAR component is displayed, users are asked if they would like to see a detailed result. If a user selects yes, a detailed result will be displayed which will include brief descriptions of the LWCAs and a few websites where the user could read more about the algorithms, or even find full implementation details. In instances where a user had used the SRE tool, the definitions and brief explanations on how to achieve the remaining security requirements generated by the SRE component, for which no LWCAs can be recommended, are also provided in the detailed result.
B. DESIGN AND DESCRIPTION OF THE SECURITY BEST PRACTICE GUIDELINES COMPONENT
Like other aspects of information security, IoT security can never be guaranteed because new vulnerabilities are being discovered every day. This necessitates the need for regular review of security policies and practices relating to different operating environments and specific use cases, and hence the need for security best practice guidelines for specific IoT systems. IoT security best practice guidelines essentially provide advice to designers and developers on how to secure IoT systems and products. However, the designer or developer is left to decide how best to implement it. Fig. 5 shows a high-level depiction of the SBPG component architecture. Like the SRE component, the proposed architecture of the SBPG component also consists of five functional modules, namely the user interface, report generator, storage and updates, admin interface, and the output interface. While the architectures of the SRE and SBPG components look similar, most of their modules are different in design.
1) USER INTERFACE
Selecting option 5 in the main menu shown in Fig. 4(a) takes a user to the SBPG component console window, where he/she can make a request after choosing a unique request ID starting with a B, which represents security best practices and followed by four numeric digits. Upon entering a request ID, a user is prompted to select the phase of system development and architecture(s) that best describes his/her IoT system, after which the questions in the questionnaire are presented.
Coincidentally, this questionnaire is also composed of 16 questions, including: Will the system have a provision for user registration? Who will register users? Will the system allow users to enter any input? Will the system store user information? What type of authentication will be implemented? Will it store data in a database? Will it allow file 
upload? Will it generate a log file?
As in the previous case, the number of questions depends entirely on the user response to the questionnaire. For instance, if the user response to the first question presented above is no, the second question will be skipped. The input generator extracts important information from the user response, which constitutes the user input that is fed to both the report generator and the storage and updates modules.
2) REPORT GENERATOR
This module consists of three components: user response analyzer, security guidelines sorter, and report compiler. The user response analyzer is responsible for assessing and processing the input data from the input generator, which in conjunction with the security guidelines sorter selects the most appropriate guidelines from a set of predefined security guidelines stored in the database. The report compiler arranges the individual security best practice guidelines for a given user, compiles them into a report, and then sends the report to the output interface.
C. DESIGN AND DESCRIPTION OF THE LIGHTWEIGHT CRYPTOGRAPHIC ALGORITHMS RECOMMENDATION COMPONENT
While selecting LWCAs can be a daunting task for nonsecurity experts, it is even much harder to implement a security algorithm properly and accurately in either software or hardware. To make matters worse, implementation vulnerabilities may not be discovered early enough until a device or organization is attacked. Thus, accurate implementation of security algorithms is extremely critical in cryptography, and hence it is imperative that users take measures against side-channel attacks in addition to reviewing cryptanalytic attacks. As a consequence, the following important assumption, which is the core rationale behind the concept of the design of the LWCAR component of the IoT-HarPSecA framework is made: All users are capable of implementing the recommended algorithms properly and accurately. Fig. 6 depicts a high-level architecture of the LWCAR component of the proposed IoT-HarPSecA framework. It consists of six functional modules, namely user interface, filtering and query processing, security manager, storage and updates, admin interface, and output interface.
1) USER INTERFACE
A user will be taken to the LWCAR component console window by selecting option 9 in the main menu (see Fig. 4(a) ). He/she can make a request after choosing a unique request ID starting with S or H (depending on whether the request is for software or hardware implementation) followed by four numeric digits. The user will then be prompted to select the development phase of the IoT system (i.e., whether the system is in its early phase of development, or it is an existing system). The inputs expected from a user are (1) hardware specifications, (2) payload size, (3) power requirements (for hardware implementations only), (4) security requirements, and (5) application domain: a: HARDWARE SPECIFICATIONS For software implementation requests, and for IoT systems under development, users are prompted to select their hardware platform type (AVR, MSP, ARM, PIC, Single Board Computer (SBC), or other). They are also prompted to enter their flash memory size, RAM size, and processor frequency. But for existing systems, the user is expected to provide flash memory and RAM sizes for each security requirement. However, for hardware implementation requests, the hardware platform options are only two, namely ASIC and FPGA. Additionally, users are expected to provide the GE and throughput for each security requirement, however, this task is simplified for the user since the tool displays a range of values that serve as a guide for the user. 
b: MESSAGE PAYLOAD SIZE
Users are prompted to select a payload size: small (1-128 bytes), average (129-256 bytes), large (> 256 bytes), continuous (e.g., audio and video), or unknown.
c: POWER REQUIREMENTS
This is only applicable to the hardware implementation requests, where users are prompted to select between lowpower or ultra-low-power options.
d: SECURITY REQUIREMENTS
The security requirements options that users must select from are: data confidentiality, integrity, authentication, user privacy, non-repudiation, and confidentiality plus authenticity. Users are asked if they have used the SRE component of the tool, and if the answer is yes, they are asked if they want to import their generated security requirements, or they want to select the security requirements manually. If they want to import their security requirements, they are asked to enter the request ID they used for the SRE request. Upon entering the SRE request ID and pressing enter, the aforementioned security requirements found in the generated list, will automatically be imported. Users that have not used the SRE tool must select their security requirements manually.
e: APPLICATION DOMAIN
There is a long list of application domains users can choose from, including smart home, smart healthcare, industrial automation, smart retail, etc. Users can use the other option to specify their application domain if it is not found in the list.
All user inputs are fed into the filtering and query processing module for input screening and processing. Fig. 7 presents the workflow of both the software and hardware implementation requests.
2) FILTERING AND QUERY PROCESSING
This Module manages user entries and performs the important task of screening for errors, and invalidating unwanted entries from a user request. It basically acts as a preprocessor that ensures that input data is carefully screened to avoid misleading results. It assesses user request and ensures that entries conform to the data format specified in the LWCAR component. Entries that do not conform to the prevailing standard are rejected, and users are asked to re-enter their requests again. When valid inputs are entered, the preprocessed user requests are fed into the security manager for further processing; the same requests are also stored in the database for later processing.
3) SECURITY MANAGER
This module is central to the design and subsequent operation of the LWCAR component of the IoT-HarPSecA framework as it acts as the decision maker. It starts by determining user request type (i.e., whether it is a software or hardware implementation request). For software implementation requests, the decision maker checks the capability of the hardware (e.g., MCU flash and RAM sizes). However, if the hardware is a SBC, it only checks these parameters to ensure that they are typical of a SBC, and if not, it generates an error message to alert the user. This is because most, if not all, SBCs can run standard security algorithms. Moreover, for both software and hardware implementation requests, the sensitivity of the application domain is key to selecting the appropriate cryptographic algorithms. For example, only the most efficient algorithms are selected for critical application areas, including healthcare, smart elderly monitoring, banking, retail, smart grid, and other sensitive application domains.
The security manager analyzes a user request and makes intelligent decisions based on user inputs and matching security metrics from a predefined metric pool in the database and a set of rules, which serve as a knowledge base and an inference engine. Using this inference engine, it processes the available information and draws conclusions by mapping user security requirements to pre-defined security mechanisms in order to select the appropriate security algorithms. Similarly, based on the request type, the sensitivity of the application domain, power requirement (in the case of a hardware implementation), as well as the message payload type, the security manager chooses the most appropriate security algorithms. Using the encryption mechanism and the payload parameter as an example, the security manager decides based on the payload parameter whether a block cipher or a stream cipher is the optimum choice (e.g., for a continuous message payload, a stream cipher would be the most appropriate). More details on the knowledge base, inference engine, definition of the rules, and how LWCAs are selected are provided in [18] .
Essentially, the SRE tool generates many security requirements, and when users import their generated security requirements from the tool, the whole list is imported into the security manager. However, only data confidentiality, integrity, authentication, user privacy, and non-repudiation are considered for algorithm recommendation. Nonetheless, where applicable, the security manager provides some insight on how users can meet the remaining security requirements for which no cryptographic algorithms can be recommended. Additionally, since the generated list of security requirements does not include confidentiality plus authenticity, the decision-maker checks the generated lists for confidentiality (and/or privacy) and integrity. If found, users are advised to consider returning to the main menu and select option 10 to modify their requests (see Fig. 4(a) ) and include confidentiality plus authenticity, whose security mechanism is authenticated encryption, which can provide both confidentiality and/or privacy as well as authenticity.
D. IoT-HarPSecA TOOL IMPLEMENTATION
In this subsection, we present the implementation of the tool that allows users to interact with the proposed IoT-HarPSecA framework. The tool is built to realize the functionality of the proposed framework, and hence it is also composed of the aforementioned components of the proposed framework. Thus, the IoT-HarPSecA framework tool is also made up of the SRE, SBPG, and LWCAR components. The console application is implemented in C++, and it can run on different operating systems such as Windows and Linux. The flexibility in the implementation allows for fine-tuning of some parameters in order to improve the performance of the tool; it also enables the addition of new features, such as the integration of new metrics. A MySQL database is used for maintaining all information in the IoT-HarPSecA framework tool, such as user requests, user registration data, and the aforementioned security metrics. The complete source code, which is released under the Apache License, Version 2.0 (SPDX-License-Identifier: Apache-2.0), is available on Github at https://github.com/mgsamaila/IoT-HarPSecA_Tool as well as on the project Github page: https://github.com/ SECURIoTESIGN/SECURIoTESIGN.
The tool consists of four dialogue-oriented console menus, namely the login menu, registration/login menu, main menu, and admin menu, each having different options from which a user or an administrator can choose from. Both users and administrator(s) must register and be authenticated before logging in. Their accounts details are securely stored in two different MySQL database tables. In particular, the stored passwords are protected with a salted SHA256 hash. The screenshots of the last two menus of the tool have already been shown in Fig. 4(a) and Fig. 4(b) , respectively. Below, we summarize the implementation of the three components of the IoT-HarPSecA framework tool.
1) IMPLEMENTATION OF THE SRE and SBPG COMPONENTS
Algorithm 1 summarizes the implementation flow for the SRE component. It describes the procedure for making a request, as well as outlines the procedure and main stages of the questionnaire design. In Algorithm 1, it is assumed that the IoT system is in its early phase of development, and hence the use of Will in the questions.
The description of the SBPG component implementation can be summarized as in Algorithm 2. The algorithm describes the procedure for making a request and represents the stages of the SBPG component questionnaire design. In Algorithm 2, it is assumed that the IoT system is an existing system, and hence the use of Does in the questions.
Algorithm 1 Summary of the Main Stages of the SRE Tool Implementation
Input: application domain, phase of system development, response to questionnaire. Output: a set of security requirements. Initialization: 1: Enter a request ID; 2: Select application domain; 3: Select system development phase.
Questionnaire administration: 4: Will the system have a user? (yes 1 or no 1 ); 5: if yes 1 then 6:
Will the system have a user login? (yes 2 or no 2 ); 7: end if 8: if yes 1 then 9:
Will it store any user information? (yes 3 or no 3 ); 10: end if 11: if yes 3 then 12: Will it store any other information? (yes 4 or no 4 ); 13: else 14: Will it store any information? (yes 5 or no 5 ); 15: end if 16: if yes 3 or yes 5 then 17: What type of information? (normal, sensitive, or critical); 18: end if 19: if yes 3 or yes 4 or yes 5 then 20: Will the information be sent to an entity? (yes 6 or no 6 ); 21: end if 22: Will it be connected to the Internet? (yes 7 or no 7 ); 23: Will it send data to a cloud? (yes 8 or no 8 ); 24: Will it store data in a database? (yes 9 or no 9 ); 25: Will it receive regular updates? (yes 10 or no 10 ); 26: Will it use third-party software? (yes 11 or no 11 ); 27: Is there possibility of eavesdropping? (yes 12 or no 12 ); 28: Could messages sent between system components be captured and replayed? (yes 13 or no 13 ); 29: Can someone try to impersonate a user? (yes 14 or no 14 ); 30: Can someone with bad intentions gain physical access to the system? (yes 15 or no 15 ); 31: return Security requirements.
2) IMPLEMENTATION OF THE LWCAR COMPONENT
The procedure for making a request for both software and hardware implementations have already been depicted in Fig. 7 above. Therefore, Algorithm 3 only summarizes the procedure for processing a request in the LWCAR component of the IoT-HarPSecA.
Most of the metric parameters used in the implementation of the LWCAR component are obtained from the CRYPTREC Cryptographic Technology Guideline [31] as well as from the FELICS framework [66] . In the implementation, we use kilobyte (kB) as the unit of memory measurement for the software implementation requests due to the limited amount of memory on the resource-constrained Algorithm 2 Summary of the Main Stages of the SBPG Tool Implementation Input: phase of system development, IoT system architecture, response to questionnaire. Output: security best practice guidelines. Initialization: 1: Enter a request ID; 2: Select system development phase; 3: Choose IoT system architecture.
Questionnaire administration: 4: Does the system have a user? (yes 1 or no 1 ); 5: if yes 1 then 6: Does it have a provision for user registration? (yes 2 or no 2 ); 7: end if 8: if yes 2 then 9:
Who register users? (admin, users themselves); 10: end if 11: if yes 2 then 12: Is there user login? (yes 3 or no 3 ); 13: end if 14: if yes 1 then 15: Does it allow users to enter any input? (yes 4 or no 4 ); 16 : end if 17: if yes 1 or yes 4 then 18: Does it store user information? (yes 5 or no 5 ); 19 : end if 20: if yes 5 then 21: Does it store any other information? (yes 6 or no 6 ); 22: else 23: Does it store any information? (yes 7 or no 7 ); 24: end if 25: if yes 5 or yes 7 then 26: What type of information? (normal, sensitive, or critical); 27: end if 28: What is the current authentication type? (no authentication, username and password, etc.); 29: Does it store data in a database? (yes 8 or no 8 ); 30: What is the type of data storage? (SQL, NoSQL, Local storage, etc.); 31: What type of database is used? (SQL server, MySQL, SQLite, etc.); 32: What programming language is use? (C/C + +, Java, Ruby, Python, PHP, Javascript, etc.); 33: Does it allow file uploads? (yes 9 or no 9 ); 34: Does it generate a log file? (yes 10 or no 10 ); 35: return Security best practice guidelines.
MCU devices. Although SBCs have a reasonable amount of memory, the kB is still used for them as well for uniformity purposes. Megahertz (MHz) is used as the unit of processor clock frequency measurement for both MCUs and SBCs for the same reasons. Two metrics are used for the implementation of each of the hardware request options available: Algorithm 3 Summary of the Main Stages of the Implementation of the Request Processing Aspect of the LWCAR Tool Input: hardware specifications, payload size, power requirement, security requirements, application domain. Output: security mechanisms, recommended LWCAs.
1: Begin 2: Enter a request ID; 3: Check request type (for software or hardware implementation); 4: while RAM and flash memory sizes are okay do 5: Check sensitivity of application domain (sensitive, not sensitive); 6: Check message payload type (small, average, large, continuous, unknown); 7: if request is for hardware implementation then 8: Check power requirement (low power, ultra low power); 9: end if 10: end while 11: Select the right security mechanism; 12: Recommend the most appropriate LWCA; 13: return Security mechanisms and corresponding LWCAs. 14: End circuit area and throughput for the ASICs, and circuit area as well as the maximum operating frequency for the FPGAs. As discussed in the previous section, GEs and number of slices are used as the unit of circuit area measurements for the ASIC and FPGA platforms, respectively. For the second metric, in each case, Kilobits Per Second (kbps) and MHz are adopted as the units for throughput and maximum operating frequency, respectively.
The implementation also includes some error detection mechanisms that warn users of obviously erroneous or inconsistent data entry. For instance, the tool warns users that their hardware specifications are not typical of SBCs if they mistakenly select a SBC instead of an MCU. It also generates a warning when an MCU capability is too constrained for the algorithms in the database, as well as alerts a user when an invalid request ID is entered. Furthermore, if a user enters a non-unique request ID, the tool notifies the user that the entered request ID already exists in the database. In such a situation, the user is asked to press enter to go back to the main menu and repeat the process with a unique request ID.
V. PERFORMANCE EVALUATION
In this section, we present a series of usability tests aimed at evaluating the performance of the proposed IoT-HarPSecA framework. However, as it was stated in the introduction, this paper presents the evaluation of the results of only the LWCAR component due to space constraints. For example, a full-length result generated by the SBPG component can run to several pages. Furthermore, the LWCAR feature is considered to be the major functionality of the proposed framework.
This performance evaluation is an important step towards validating the effectiveness of the proposed framework.
The tests will also help to verify whether the proposed IoT-HarPSecA framework tool functions correctly in conformity with the design objectives. The process of setting up the usability tests involves creating some testing tasks for different use cases similar to typical real-world usage for the user to complete using the tool. Subsequently, three performance metrics that will be presented in the next subsection are used to analyze and evaluate the results of the tests.
A. USABILITY TESTING SET-UP
To test the functionality of the LWCAR component of the tool, as well as to ensure that it is intuitive to use, we created four test scenarios: two for software implementation requests, and two for hardware implementation requests. Essentially, for resource-constrained platforms, the number of security requirements should be kept as few as possible. However, for the less constrained platforms, such as SBCs, a user may have as many security requirements as possible. Hence for the software implementation use case, there are two application scenarios based on the type of platform: (1) a scenario where the user security requirements are not more than three, and (2) a scenario where a user has more security requirements. The two types of hardware used in the hardware implementation request test scenarios are the ASICs and FPGAs, which currently are the only platforms supported for hardware implementation request in the IoT-HarPSecA framework. These tests are designed to be carried out by a group of subjects.
As highlighted in the description of the user interface of the LWCAR component in the previous section, users that have used the SRE tool can import their security requirements into the LWCAR tool. Thus, in addition to the four test scenarios mentioned above, we created a standalone test scenario to demonstrate and validate this functionality, which will be the fifth test scenario. In the following we describe the aforementioned tests.
1) SOFTWARE IMPLEMENTATION TEST SCENARIO WITH MCUs
In this scenario, a user designing an IoT system using an MCU (or a smart app that will run on an MCU) wants to know the specific LWCAs for software implementation that will satisfy the security requirements of the IoT system he/she wants to design.
2) SOFTWARE IMPLEMENTATION TEST SCENARIO WITH SBCs
This scenario also consists of a software implementation request, in which a user building a smart device using a SBC (or a smart app that will run on a SBC) hardware is requesting to know the right LWCAs that will meet the security requirements of his/her IoT system. 
3) HARDWARE IMPLEMENTATION TEST SCENARIO WITH ASICs
In this scenario, a user is requesting to know the appropriate LWCAs that will provide the security mechanisms needed to fulfill the security requirements of the new IoT system he/she is building using an ASIC.
4) HARDWARE IMPLEMENTATION TEST SCENARIO WITH FPGAs
In this hardware implementation request scenario, a user is using an FPGA hardware to design an IoT system and needs to know the LWCAs for hardware implementation that may be used to achieve the security requirements of the IoT system he/she is designing.
5) A TEST SCENARIO THAT DEMONSTRATES IMPORTING SECURITY REQUIREMENTS FROM THE SRE TOOL INTO THE LWCAR TOOL
In this test scenario, a user first used the SRE tool to generate his/her security requirements, and then imports the generated security requirements into the LWCAR tool as part of his/her inputs.
The usability tests involved inviting unbiased participants (i.e., subjects) to perform the tests on the IoT-HarPSecA framework tool. Besides a brief introduction of the tool at the beginning, subjects were allowed to independently carry out the tests, and they were allowed to select the scenarios they wanted to test for.
To assess the performance of the LWCAR component of the proposed framework, the following performance metrics are used: 1) comparison of the decision-making process of the LWCAR component of the IoT-HarPSecA versus the decision-making process of human experts;
2) decision accuracy of the LWCAR component of the IoT-HarPSecA framework tool; 3) simplicity and ease of use.
B. RESULTS OVERVIEW
The tests were conducted on a Windows 10 desktop computer running the IoT-HarPSecA framework tool, and the subjects that carried out the first four tests (i.e., tests 1-4) consist of 17 volunteers both males and females with age ranging between 18 and 49 years. For privacy purposes and in order to encourage more people to volunteer for the tests, no name was required on the evaluation form and age range was used instead of a specific age. Most of the subjects were developers with different levels of programming experience, and the remaining few were computer and electronics engineers. The information obtained from the subjects includes request ID numbers, age range, level of security expertise, programming or electronics/computer engineering proficiency, and simplicity of use of the tool. The time taken for each request and the recommended algorithms were obtained from the tool. Table 2 presents the data in the performance evaluation form as completed by the 17 subjects, and Fig. 8 shows the screenshots of the data of the actual requests of the subjects as stored in the database. The 14 columns in Fig. 8(a) are: request ID, hardware type, CPU, flash memory size, RAM size, CPU clock speed, application domain, payload size, and security requirements 1-to-6, mentioned in Section IV. Similarly, the unique columns in Fig. 8(b) and (c) are: energy requirement, circuit area (cct_area) 1-to-6 and throughput (tp) 1-to-6 (for the security requirements 1-to-6). This is because, for a hardware implementation request, a user is expected to estimate the circuit area and throughput for each of the selected security requirements, as highlighted in Section IV. Note that in the case of hardware implementation request using FPGAs, the cct_area and tp in Fig. 8(b) and (c) also represent the number of slices and maximum operating frequency, respectively, since all hardware requests are stored in the same MySQL database table.
To make filling the form much easier for participants, we adopted the following assessment format. Age range: 18-29, 30-39, 40-49, 50-59 (A, B, C, D); Security experience: none, a little, adequate, very experienced, an expert (A, B, C, D, E); field of expertise: developer (programmer), computer engineer, electronics engineer (P, C, E); proficiency level: none, a little, proficient, very proficient, an expert (A, B, C, D, E); and simplicity of making a request: very difficult, difficult, average, easy, very easy (A, B, C, D, E). The security expertise, proficiency level, and the simplicity of use metrics can be easily converted to a 0-to-10 numeric rating scale (i.e., 0, 2.5, 5, 7.5, 10), as shown in Table 2 . The data obtained from scaling the three metrics are used to present the results graphically in Fig. 11, Fig. 12, and Fig. 13 , which are more intuitive and interpretable than the data in the evaluation form presented in Table 2 and the summary of the final results shown in Table 3 .
While Fig. 9 and Fig. 10 present the final results of the processed software and hardware requests, respectively, for only four subjects, a summary of the results for all subjects are presented in Table 3 . Note that because of space constraints we only presented the basic results in Fig. 9 and Fig. 10 . The results of the fifth test scenario represent an example of a detailed result produced by the LWCAR component of the IoT-HarPSecA framework tool.
In the case of the fifth test scenario, we will consider the results of only one subject due to space constraints. The subject with request ID R2143 first used the SRE component of the IoT-HarPSecA framework tool to determine the security requirements of the IoT system he was planning to design. The rationale for selecting this subject is based on his response to the questionnaire. In particular, his response to all of the questions with the Yes or No options were Yes as shown in the summary of the request presented in Table 4 . As a result, the SRE component of the tool generated a long list of security requirements, showcasing the maximum number of security requirements the tool can generate, as shown in Fig. 14. Similarly, using request ID S2143, the subject used the LWCAR component of the tool to ascertain the LWCAs for software implementation that will provide the mechanisms for achieving the generated security requirements given hardware specifications and the other parameters. When prompted, the subject decided to import his security requirements from the SRE component, as depicted in the summarized request presented in Table 5 .
The LWCAR tool can produce both a short version of results (see Fig. 9 and Fig. 10 ) as well as a detailed report on results. Note that a detailed report can be quite long, making it difficult to fit into a single page, especially if a user imports his/her security requirements from the SRE tool. For example, to be able to capture the screenshot of the entire report for the subject with request ID S2143, the detailed report is divided into Fig. 15, Fig. 16 , and Fig. 17 .
C. EVALUATION AND DISCUSSION
In this subsection, we evaluate the performance of the LWCAR component of the IoT-HarPSecA. In the following, we analyze and discuss the results presented above in light of the three performance metrics mentioned in subsection A. Although we have presented a result produced by the SRE tool in Fig. 14, the performance evaluation of the SRE and SBPG components is outside the scope of this paper.
1) COMPARISON OF THE ALGORITHM SELECTION PROCESS OF THE LWCAR COMPONENT OF IoT-HarPSecA VERSUS THE DECISION MAKING PROCESS OF HUMAN EXPERTS
Different experts usually approach a given problem in quite different ways and they often have different opinions for making a decision about the same issue. Therefore, modeling expert decision-making process can be a difficult task that can be represented by complex mathematical equations. For the purpose of this evaluation, however, we attempt to develop an expert knowledge representation, in the form of a selection procedure, that reflects how experts use their IoT and LWC knowledge to select an appropriate LWCA for a given security requirement [71] , [85] . This is achieved by exploring the reasoning underlying the decision-making process of human experts in the fields of LWC and IoT. We also compare the proposed selection procedure with the decision-making process of the IoT-HarPSecA to see how IoT-HarPSecA measures up to the decision-making process of human experts [31] , [66] .
Below we present a concise procedure for selecting a lightweight security algorithm for IoT applications, which a typical human expert would follow: 1) Given an IoT device or application development project and a particular hardware platform, a human expert would start by considering the environment in which the IoT device or application will operate; 2) Consider the sensitivity of the application domain; 3) Determine the necessary security requirements needed to secure the device or application; 
4)
Consider the message payload size that the device will be sending/receiving; 5) consider the hardware specifications on which the candidate algorithm will run: for software implementation, the hardware specifications include hardware type (e.g., MCU or SBC), CPU, RAM size, flash memory size, and CPU clock speed. For hardware implementation, the specifications include type of implementation platform (e.g., FPGA or ASIC), circuit area, throughput (or number of slices and maximum operating frequency), and energy requirement; 6) Consider the desired security level (32-bit, 64-bit, or 128-bit); 
7)
Consider the security level, key sizes (and block sizes in case of a block cipher) of potential algorithms; 8) Consider the energy requirements of potential algorithms, keeping in mind the power specifications of target hardware; 9) Integrate these information to make judgments that underlie the algorithm selection decisions. Arguably, the above procedure mimics the intuitive judgment of a typical human expert in the fields of LWC and IoT. Although the sequence of the steps may vary more or less, most of the steps in the above procedure are similar to those in the IoT-HarPSecA decision-making process already described in the previous section. This shows significant correlations between the IoT-HarPSecA decision-making process and the judgment of human experts in these fields.
Unlike human experts, computer programs may not provide very detailed explanations and rational reasons for a particular decision because they are logical machines that deal with 0s and 1s rather than literal information. Nonetheless, based on user inputs, the tool is capable of providing a detailed report that can contain some useful information that may help users during LWCAs implementations, such as brief descriptions of the algorithms, where to obtain a detailed implementation guide, and additional references for further study (see Fig. 15, Fig. 16,  and Fig. 17 ).
The tool also offers some suggestions about the choice of security requirements that may help users to optimize the implementation of the algorithms. For example, if the security requirements of a user include confidentiality/privacy and integrity, the tool will advise the user to consider returning to the main menu in order to modify his/her security requirements by including confidentiality & authenticity since the mechanism that provides confidentiality & authenticity is the authenticated encryption. This is because as discussed in Section III, an authenticated encryption algorithm is capable of providing message integrity and message origin authentication in addition to protecting data confidentiality and/or user privacy (see Fig. 16 ).
The tool also provides some warning messages that can guide the user when making a request and during implementation. For example, in Fig. 9(a) and Fig. 17 , a warning message was printed due to the hardware limitations and the number of user security requirements. The *No matching Algo found! warning message will also be printed if a user hardware capabilities (e.g., RAM, and/or flash memory) do not match the specifications of the lightest algorithm (in the database) corresponding to the user security requirement in question. 
2) DECISION ACCURACY OF THE LWCAR COMPONENT OF THE IoT-HarPSecA FRAMEWORK TOOL
While we do not claim that the IoT-HarPSecA framework tool accurately mimics the reasoning process of human experts, the tool arguably produces accurate decisions about its inputs. This can be justified by comparing the user requests presented in Fig. 8 and Table 5 with the corresponding final results in Fig. 9, Fig. 10 , and Table 3 , as well as the detailed report presented in Fig. 15, Fig. 16, and Fig. 17 .
For example, the software implementation requests for the subject with request ID S4219 in Fig. 8(a) consists of the following information: hardware -MCU (RL78), CPU -16-bit, flash memory size -64kB, RAM size -4kB, CPU clock speed -16MHz, application domain -smart retail (sensitive), payload size -small, security requirements -data confidentiality, message integrity, authentication, user privacy, and confidentiality & authenticity. Based on the given security requirements, it can be seen from Fig. 9 (a) that the tool accurately provided the security mechanisms needed (i.e., encryption, hash function, MAC, and authenticated encryption). Also, based on the hardware specifications, the sensitivity of the application domain, and the message payload size, the tool recommended the appropriate LWCAs. For instance, for data confidentiality and user privacy, it recommended the lightweight block cipher SPECK (SPECK64/96) with a block size of 64 and the key length of 96, which takes less CPU time and occupies small space on the ROM. Similarly, for message integrity, it recommended VOLUME 8, 2020 PHOTON-80/20/16 from the PHOTON lightweight hash function family specially designed for very constrained devices. PHOTON-80/20/16 has a hash output size of 80 bits, and input and output bitrate of 20 and 16, respectively. The algorithm uses an internal permutation of P 100 . In the case of authentication, however, the tool printed *No matching algo found! because there is no algorithm matching the security requirement. This will be discussed in more detail in the following paragraphs. Furthermore, for confidentiality & authenticity, the tool recommended the AEAD algorithm CLOC-TWINE, which is optimized for short inputs or small message payloads.
For the hardware implementation requests, the hardware platform for the subject with request ID H1598 in Fig. 10(a) is FPGA, and his security requirements are data confidentiality, authentication, and data confidentiality & authenticity, as shown in Fig. 8(b) and (c). While the tool recommended a lightweight authenticated encryption algorithm (ACORN) for the third security requirement, it printed *No matching algo found! for the first two security requirements. The reasons will be explained in the following paragraphs. On the other hand, the hardware platform for the subject with request ID H3456 is ASIC, and his security requirements are data confidentiality, user privacy, and confidentiality & authenticity (see Fig. 8 and (c) ). But in this case, the LWCAR tool recommended LWCAs for all of the security requirements, as shown in Fig. 10(b) , for the reasons that will be explained in the next paragraph. Most research on hardware implementation performance of LWCAs mainly targets ASIC implementations, for which exhaustive reviews and evaluations have been conducted [31] . Therefore, in the lightweight block cipher, stream cipher, and hash function performance evaluations presented by CRYPTREC, only GEs, cycles/blocks (for block ciphers) as well as throughput are provided, and no number of slices and maximum operating frequency for FPGAs were provided. However, a sufficient number of evaluations have been conducted in the case of lightweight authenticated encryption algorithms for the FPGAs. Therefore, CRYPTREC has provided the number of slices and maximum operating frequency along with the GEs and throughput for the lightweight authenticated encryption algorithms they presented. This is reflected in the design and implementation of the hardware request aspect of the LWCAR component of the IoT-HarPSecA framework tool described in the previous section. As a consequent, if the security requirements of a user with hardware implementation request using an FPGA platform includes data confidentiality (and/or user privacy), or integrity, the tool will print No algorithm matching the security requirement is found!. This can be seen in the case of the requests of the subjects with the request IDs H1598 and H2648 in Fig. 10 (a) and in Table 3 , respectively.
Regarding the algorithm for authentication, apart from the fact that SipHash is the only lightweight MAC algorithm that has undergone a sufficient number of evaluations as mentioned in Section III, the algorithm has quite a limited use in the implementation of the LWCAR component of the tool. This is because it is optimized only for software implementation, explaining why the tool printed *No matching Algo found! in the final results for the subject with request ID H1598 as shown in Fig. 10(a) . Additionally, the SipHash algorithm works well only on 64-bit processors, which explains why the tool did not recommend the algorithm in the final results for the subject with request ID S4219 as shown in Fig. 9(a) since the CPU of the MCU is 16-bit (see Fig. 8(a) ). However, looking at the final results for the subjects with request IDs S6868 (see Table 3 ) and S8888 (see Fig. 9(b) ), it can be seen that the same algorithm has been recommended since in both cases the hardware use 64-bit processors, as shown in Fig. 8(a) .
Despite the above-mentioned limitations, however, the subject with request ID S4219 has the option to implement the recommended AE algorithm, namely CLOC-TWINE, which can provide data confidentiality and authenticity. Similarly, the first two security requirements (i.e., data confidentiality and authentication) in the request of the subject with request ID H1598 can be achieved by implementing the recommended AE algorithm (i.e., ACORN), which is capable of providing both confidentiality and authenticity.
In an analogous way to the case of the SipHash algorithm, we have not yet included any lightweight digital signature algorithm in the database, which currently contains 97 different secure LWCAs. This is because to the best of our knowledge, there is no standardized or widely used lightweight digital signature algorithm that has undergone a sufficient number of reviews to warrant inclusion in the database. Therefore, if a user security requirements include non-repudiation, the tool will print: No algorithm matching the security requirement is found!, as shown in Fig. 9 (b) and in Table 3 .
3) SIMPLICITY AND EASE OF USE
Efficient performance plays a more important and fundamental role in determining the usability of a tool compared to its simplicity of use. However, while simplicity is not the best parameter for measuring usability, an easy-to-use user interface is a desirable feature for many users. Although there are many ways to evaluate the simplicity of a tool, a good approach is to allow potential users to try the tool and provide their feedback. To this end, we have designed a performance evaluation form which the 17 subjects have completed as mentioned previously, and as it can be seen in Table 2 , simplicity of use is among the evaluation criteria.
Irrespective of the type of tool, users will usually have different perceptions of simplicity. The user interface of the IoT-HarPSecA framework tool is currently not a GUI, but it is easy to use. We have provided some useful notifications that can guide users as they interact with the tool to ease task execution. For example, when making a hardware request, users are provided with the range of values of GEs, throughput, number of slices, and maximum operating frequencies for the available algorithms to prevent them from entering values outside the allowable range defined by the designers of the algorithms. Table 2 shows the two criteria used for evaluating the simplicity and ease of use of the LWCAR component of the tool, namely simplicity of use and request completion time in seconds. Fig. 11 shows the professional competence and security experience of the subjects. The figure shows that 8 subjects have a little security experience, while 3 subjects have no security experience at all (i.e., 2.5 and 0, respectively, on the numeric rating scale). Yet in Fig. 12(b) , 76% of the 17 subjects agree with the authors that the tool is easy to use, 6% indicates that it is very easy, and 18% say it is average. Fig. 12(a) shows the simplicity scores of individual subjects. Finally, Fig. 13 shows the request completion time for each subject. From Fig. 13 , it can be seen that the time taken to make a hardware request is longer. This is due to the fact that for each security requirement, a user needs to enter the number of GEs and throughput for ASICs, or the number of slices and maximum operating frequency for FPGAs, but such information is not needed when making a software implementation request.
VI. CONCLUSION AND FUTURE WORK
In this era of technology where everything is turning smart, security and privacy are becoming more widely recognized as being among the top issues holding back wider adoption of the IoT technology, and hence the need for heightened security and privacy in the IoT ecosystem. However, ensuring appropriate security and privacy in the IoT presents unique challenges. Therefore, the wider adoption of IoT requires robust solutions and frameworks to handle these challenges. Integrating security right from the conception, planning and design stages up to production is key to overcoming most of these challenges.
Thus, in this paper, we have proposed an easy-to-use security framework to provide support to designers, engineers, and developers that are actively involved in the design and development of IoT devices and smart apps, particularly those without adequate security experience. For example, the proposed IoT-HarPSecA framework can be employed by designers, engineers, or developers in IoT start-up companies in the early stages of IoT system developments. The proposed framework can also be used to facilitate the implementation of security in existing IoT systems.
We have presented a detailed description, design, and implementation of each of the three components of the proposed framework, namely the SRE component, SBPG component, and LWCAR component. The SRE component can be used to elicit security requirements for an IoT system that is under development, or exiting IoT systems. Similarly, the SBPG component can be employed to generate security best practice guidelines that can be used for implementing security in a given IoT system. In the same vein, the LWCAR component can help in selecting lightweight security algorithms for software or hardware implementation. This component of the IoT-HarPSecA framework particularly recommends suitable LWCAs to users based on their inputs.
In addition, we have conducted different functionality and usability tests on the LWCAR component of the IoT-HarPSecA framework tool, where 17 subjects evaluated the performance and simplicity of use of the tool in different usage scenarios for both software and hardware implementation requests. The tests results proved that the LWCAR component of the proposed framework can efficiently recommend LWCAs based on user inputs. Finally, we have performed a detailed evaluation of the results obtained, which further showed that the LWCAR component of the proposed framework can help engineers/designers, developers and electronics hobbyists with little or no security expertise to select the appropriate LWCAs for their projects with much ease.
The limitations of this work are mainly related to the lack of enough LWCAs for use in the LWCAR component of the proposed framework. These limitations are imposed by the fact that we do not want to include algorithms that have not undergone enough evaluation by the lightweight cryptography community.
Future work is underway to evaluate the performance of the SRE and SBPG components of the proposed framework. The development of this framework is an ongoing project, and hence additional functionalities will be added as the need arises. For example, we will keep on searching for lightweight security algorithms that have undergone several tests and evaluations to add to the database, especially digital signature and MAC lightweight algorithms, as well as more lightweight algorithms for FPGA hardware implementation. Furthermore, we will extend the features of the tool to include virtually every possible security requirements that users may have. There is also a plan to develop a GUI for the IoT-HarPSecA framework tool. JOÃO B. F. SEQUEIROS received the bachelor's and master's degrees in computer science and engineering from the Universidade da Beira Interior, in 2014 and 2016, respectively, where he is currently pursuing the Ph.D. degree under the title Towards a Framework for System and Attack Modeling and Mapping of Security Requirements for the Internet of Things. His dissertation focused on the development of a box for automated network-based security assessments. His main research and interest areas are network and application security, cryptography, cybersecurity, and the IoT security. He enjoys developing in C, Java, Python, and C#, and likes to challenge his knowledge in network management, modeling software, game development, and database management systems.
TIAGO SIMÕES received the bachelor's degree in computer science and engineering from the University of Beira Interior, in 2010, where he was awarded with a scholarship of integration in research by Fundação para a Ciência e a Tecnologia (FCT), and the master's degree in computer engineering in 2012 and the Ph.D. degree in computer science and engineering from the University of Beira Interior, in 2019, through a Ph.D. grant funded by FCT. He lectured several graduate and undergraduate courses. He is currently a Researcher with the Instituto de Telecomunicações (IT). He has authored or coauthored several journal and conference papers in different fields. His current main research and interest areas are network and application security, and the IoT security. 
