An Implementing A Continuous Authentication Protocol To Improve Robustness Security Threats On IoT Using ESP8266

The Internet of Things (IoT) is a network of physical things that are outfitted with sensors, software, and other technologies that are able to communicate and exchange data with other devices and systems over the Internet. Because of the diversity of their surroundings, IoT systems are sensitive to network attacks. The IoT could be the source of these dangers and attacks. There are a lot of devices that communicate with each other via the IoT, and one of the most critical components of this is to maintain IoT security. IoT devices are a prime target for attackers and pose a serious risk of impersonation during a call. Proposals to prevent session hijacking in device-to-device communication are made in this research study. User-to-device authentication relies on usernames and passwords, but continuous authentication doesn't. This protocol relies on device features and contextual information. Moreover, this protocol reduces the synchronization losses using shadow IDs and emergency key. In addition, the protocol’s robustness will be tested by providing security and performance analysis

Breaking Anonymity of Some Recent Lightweight RFID Authentication Protocols

Due to their impressive advantages, Radio Frequency IDentification (RFID) systems are ubiquitously found in various novel applications. These applications are usually in need of quick and accurate authentication or identification. In many cases, it has been shown that if such systems are not properly designed, an adversary can cause security and privacy concerns for end-users. In order to deal with these concerns, impressive endeavors have been made which have resulted in various RFID authentications being proposed. In this study, we analyze three lightweight RFID authentication protocols proposed in Wireless Personal Communications (2014), Computers & Security (2015) and Wireless Networks (2016). We show that none of the studied protocols provides the desired security and privacy required by the end-users. We present various security and privacy attacks such as secret parameter reveal, impersonation, DoS, traceability, and forward traceability against the studied protocols. Our attacks are mounted in the Ouafi–Phan RFID formal privacy model which is a modified version of the well-known Juels–Weis privacy model

A Study on Comparing the Performance of Low Cost RFID Authentication Protocols

Abstract ----Radio frequency identification (RFID) is a new technology that is used everywhere as RFID tags will be applied to every-day items in order to yield great productivity gains or "smart" applications for users. The use of RFID tags opens up the possibility for various attacks violating user privacy. This paper describes a complete analysis of various authentication protocols in three perspectives, namely data protection, tracking protection, and forward security

Criptografía ligera en dispositivos de identificación por radiofrecuencia- RFID

Esta tesis se centra en el estudio de la tecnología de identificación por radiofrecuencia (RFID), la cual puede ser considerada como una de las tecnologías más prometedoras dentro del área de la computación ubicua. La tecnología RFID podría ser el sustituto de los códigos de barras. Aunque la tecnología RFID ofrece numerosas ventajas frente a otros sistemas de identificación, su uso lleva asociados riesgos de seguridad, los cuales no son fáciles de resolver. Los sistemas RFID pueden ser clasificados, atendiendo al coste de las etiquetas, distinguiendo principalmente entre etiquetas de alto coste y de bajo coste. Nuestra investigación se centra fundamentalmente en estas últimas. El estudio y análisis del estado del arte nos ha permitido identificar la necesidad de desarrollar soluciones criptográficas ligeras adecuadas para estos dispositivos limitados. El uso de soluciones criptográficas estándar supone una aproximación correcta desde un punto de vista puramente teórico. Sin embargo, primitivas criptográficas estándar (funciones resumen, código de autenticación de mensajes, cifradores de bloque/flujo, etc.) exceden las capacidades de las etiquetas de bajo coste. Por tanto, es necesario el uso de criptografía ligera._______________________________________This thesis examines the security issues of Radio Frequency Identification (RFID) technology, one of the most promising technologies in the field of ubiquitous computing. Indeed, RFID technology may well replace barcode technology. Although it offers many advantages over other identification systems, there are also associated security risks that are not easy to address. RFID systems can be classified according to tag price, with distinction between high-cost and low-cost tags. Our research work focuses mainly on low-cost RFID tags. An initial study and analysis of the state of the art identifies the need for lightweight cryptographic solutions suitable for these very constrained devices. From a purely theoretical point of view, standard cryptographic solutions may be a correct approach. However, standard cryptographic primitives (hash functions, message authentication codes, block/stream ciphers, etc.) are quite demanding in terms of circuit size, power consumption and memory size, so they make costly solutions for low-cost RFID tags. Lightweight cryptography is therefore a pressing need. First, we analyze the security of the EPC Class-1 Generation-2 standard, which is considered the universal standard for low-cost RFID tags. Secondly, we cryptanalyze two new proposals, showing their unsuccessful attempt to increase the security level of the specification without much further hardware demands. Thirdly, we propose a new protocol resistant to passive attacks and conforming to low-cost RFID tag requirements. In this protocol, costly computations are only performed by the reader, and security related computations in the tag are restricted to very simple operations. The protocol is inspired in the family of Ultralightweight Mutual Authentication Protocols (UMAP: M2AP, EMAP, LMAP) and the recently proposed SASI protocol. The thesis also includes the first published cryptanalysis of xi SASI under the weakest attacker model, that is, a passive attacker. Fourthly, we propose a new protocol resistant to both passive and active attacks and suitable for moderate-cost RFID tags. We adapt Shieh et.’s protocol for smart cards, taking into account the unique features of RFID systems. Finally, because this protocol is based on the use of cryptographic primitives and standard cryptographic primitives are not supported, we address the design of lightweight cryptographic primitives. Specifically, we propose a lightweight hash function (Tav-128) and a lightweight Pseudo-Random Number Generator (LAMED and LAMED-EPC).We analyze their security level and performance, as well as their hardware requirements and show that both could be realistically implemented, even in low-cost RFID tags

Are RNGs Achilles’ heel of RFID Security and Privacy Protocols ?

Security and privacy concerns have been growing with the increased usage of the RFID technology in our daily lives. To mitigate these issues, numerous privacy-friendly authentication protocols have been published in the last decade. Random number generators (RNGs) are commonly used in RFID tags to provide security and privacy of RFID protocols. RNGs might be weak spot of a protocol scheme and misusing of RNGs causes security and privacy problems. However, having a secure RNG with large entropy might be a trade-off between security and cost for low-cost RFID tags. Furthermore, a RNG used in RFID tag may not work properly in time. Therefore, we claim that vulnerability of using a RNG may deeply influence the security and privacy level of the system. To the best of our knowledge, this concern has not been considered in RFID literature. Motivated by this need, in this study, we first revisit Vaudenay\u27s privacy model which combines the early models and presents a new mature and elegant privacy model with different adversary classes. Then, we enhance the model by introducing a new oracle, which allows analyzing the usage of RNGs in RFID protocols. We also analyze a couple of proposed protocols under our improved model

Towards end-to-end security in internet of things based healthcare

Healthcare IoT systems are distinguished in that they are designed to serve human beings, which primarily raises the requirements of security, privacy, and reliability. Such systems have to provide real-time notifications and responses concerning the status of patients. Physicians, patients, and other caregivers demand a reliable system in which the results are accurate and timely, and the service is reliable and secure. To guarantee these requirements, the smart components in the system require a secure and efficient end-to-end communication method between the end-points (e.g., patients, caregivers, and medical sensors) of a healthcare IoT system. The main challenge faced by the existing security solutions is a lack of secure end-to-end communication. This thesis addresses this challenge by presenting a novel end-to-end security solution enabling end-points to securely and efficiently communicate with each other. The proposed solution meets the security requirements of a wide range of healthcare IoT systems while minimizing the overall hardware overhead of end-to-end communication. End-to-end communication is enabled by the holistic integration of the following contributions. The first contribution is the implementation of two architectures for remote monitoring of bio-signals. The first architecture is based on a low power IEEE 802.15.4 protocol known as ZigBee. It consists of a set of sensor nodes to read data from various medical sensors, process the data, and send them wirelessly over ZigBee to a server node. The second architecture implements on an IP-based wireless sensor network, using IEEE 802.11 Wireless Local Area Network (WLAN). The system consists of a IEEE 802.11 based sensor module to access bio-signals from patients and send them over to a remote server. In both architectures, the server node collects the health data from several client nodes and updates a remote database. The remote webserver accesses the database and updates the webpage in real-time, which can be accessed remotely. The second contribution is a novel secure mutual authentication scheme for Radio Frequency Identification (RFID) implant systems. The proposed scheme relies on the elliptic curve cryptography and the D-Quark lightweight hash design. The scheme consists of three main phases: (1) reader authentication and verification, (2) tag identification, and (3) tag verification. We show that among the existing public-key crypto-systems, elliptic curve is the optimal choice due to its small key size as well as its efficiency in computations. The D-Quark lightweight hash design has been tailored for resource-constrained devices. The third contribution is proposing a low-latency and secure cryptographic keys generation approach based on Electrocardiogram (ECG) features. This is performed by taking advantage of the uniqueness and randomness properties of ECG's main features comprising of PR, RR, PP, QT, and ST intervals. This approach achieves low latency due to its reliance on reference-free ECG's main features that can be acquired in a short time. The approach is called Several ECG Features (SEF)-based cryptographic key generation. The fourth contribution is devising a novel secure and efficient end-to-end security scheme for mobility enabled healthcare IoT. The proposed scheme consists of: (1) a secure and efficient end-user authentication and authorization architecture based on the certificate based Datagram Transport Layer Security (DTLS) handshake protocol, (2) a secure end-to-end communication method based on DTLS session resumption, and (3) support for robust mobility based on interconnected smart gateways in the fog layer. Finally, the fifth and the last contribution is the analysis of the performance of the state-of-the-art end-to-end security solutions in healthcare IoT systems including our end-to-end security solution. In this regard, we first identify and present the essential requirements of robust security solutions for healthcare IoT systems. We then analyze the performance of the state-of-the-art end-to-end security solutions (including our scheme) by developing a prototype healthcare IoT system

Tag Ownership Transfer in Radio Frequency Identification Systems: A Survey of Existing Protocols and Open Challenges

Radio frequency identification (RFID) is a modern approach to identify and track several assets at once in a supply chain environment. In many RFID applications, tagged items are frequently transferred from one owner to another. Thus, there is a need for secure ownership transfer (OT) protocols that can perform the transfer while, at the same time, protect the privacy of owners. Several protocols have been proposed in an attempt to fulfill this requirement. In this paper, we provide a comprehensive and systematic review of the RFID OT protocols that appeared over the years of 2005-2018. In addition, we compare these protocols based on the security goals which involve their support of OT properties and their resistance to attacks. From the presented comparison, we draw attention to the open issues in this field and provide suggestions for the direction that future research should follow. Furthermore, we suggest a set of guidelines to be considered in the design of new protocols. To the best of our knowledge, this is the first comprehensive survey that reviews the available OT protocols from the early start up to the current state of the art

Les protocoles de sécurité serverless légers pour l’internet des objets

This thesis addresses the security and privacy challenges relevant to the resource constrained devices in the era of pervasive computing. Pervasive computing, a term coined by Schechter to describe the idea of computing services available anytime, anywhere and on demand, is characterized by seamless interactions between heterogeneous players in the Internet. This phenomenon allows intelligent chips, sensors or microcontrollers to be embedded into everyday objects to enable them generate, communicate and share information. Pervasive computing accelerates technological evolution by integrating small and resource constrained devices to the Internet arena, eventually opening doors to new services requiring seamless interactions and integrations with the existing technologies, infrastructures and services. The nature of the information generated, stored and shared by resource constrained devices may require proper security and privacy guarantees. Towards that end, the classical security solutions are not ideal candidates to solve the security and privacy challenges in pervasive systems for two reasons. First, classical security protocols require a lot of resources from the host devices while most of the pervasive devices have very strict resource constraints. Second, most classical security solutions work in a connected mode, which requires constant communication between devices and centralized servers for authentication and authorization purposes. However, pervasive devices may be working in isolated areas with intermittent network coverage and connectivity. Thus, it is ideal to come up with alternative solutions suitable for heterogeneous pervasive devices to smoothly interact, authenticate and securely share information. One of the suitable alternative solutions is the serverless protocols. The term “serverless protocol” refers to the mechanism of enabling centrally controlled devices to autonomously authenticate one another, or other heterogeneous devices, without an active participation of the centralized authentication or authorization servers. Serverless protocols prioritize on securing proximity communication between heterogeneous devices while optimizing on the little resources available. In this thesis, we tackle the challenges of pervasive systems by proposing lightweight and efficient serverless protocols for authenticating heterogeneous pervasive devices during proximity communication. Our proposed protocols derive their originality from the fact that they do not require the communicating parties to have prior relationships with each other, nor to have any previously shared authentication information with each other. Moreover, our proposed solutions incorporate context information to enforce automatic parameter expiry. This property is not supported by most of the earlier versions of the serverless protocol schemes, hence making them vulnerable to different attacks. Three novel contributions are proposed in this thesis. First, we propose a serverless lightweight mutual authentication protocol for heterogeneous devices. The first contribution includes a formal validation using the AVISPA tool. Second, we propose two complementing protocols using RFID (Radio-Frequency Identification) as a core technology. The first protocol performs mass authentication between an RFID reader and a group of tags and the second protocol performs a secure search for a target tag among a group of tags. The second contribution includes two formal validations; one is done using the AVISPA tool and the other is done using the CryptoVerif tool. After a thorough study of serverless protocols, we propose our third contribution, a concise guide on how to develop secure and efficient serverless protocols relevant to the pervasive systemsLes avancées technologiques permettent d'intégrer des capteurs et des modules de communication dans les objets du quotidien pour les rendre intelligents et faciliter leur intégration sur l'Internet. L'Internet du futur sera sans nul doute celui des objets connectés. Les objets connectés génèrent, collectent, stockent et partagent des informations entre eux et aussi avec les serveurs d'authentification centralisés. La plupart des informations collectées doivent être protégées pendant le stockage et le transfert. Par le passé, divers protocoles assurant une sécurité robuste basés sur la cryptographie asymétrique et d’autres sur la cryptographie symétrique ont été proposés dans la littérature. Du fait que les objets connectés possèdent de faibles capacités de calcul, de mémoire et d'énergie, et que l'accès au medium radio est très consommateur en ressources, les protocoles cryptographiques traditionnels ne sont pas adaptés aux objets connectés. Il y a lieu donc d'adapter ou de concevoir des protocoles propres et conformes à leurs exigences. Dans cette thèse, nous abordons les défis de sécurité et de vie privée pertinents aux systèmes pervasifs avec des contraintes de ressources strictes. Nous regardons les protocoles d'authentification serverless, qui sont des mécanismes d'authentification qui ne nécessitent pas la présence du serveur central au cours de la phase d'authentification entre deux objets connectés. Tout d'abord, nous fournissons les caractéristiques et les besoins pour les protocoles serverless. Grâce à ces besoins et caractéristiques, nous avons fait des recherches, des analyses complètes et des comparaisons des protocoles serverless existants en termes de sécurité, de vie privée et de performances. Nous examinons leurs capacités à résister à diverses attaques et leurs aptitudes à minimiser l’usage des ressources. Après quoi, notre objectif est de proposer des protocoles de sécurité serverless permettant aux objets de s’authentifier tout en garantissant efficacité, passage à l’échelle et efficacité énergétique, l'énergie étant une ressource très critique qui a une influence directe sur la durée de vie d’un objet connecté. Trois nouvelles contributions sont proposées dans cette thèse. Notre première contribution est un protocole léger serverless d'authentification mutuelle pour les objets connectés hétérogènes. La première contribution fournit trois avantages par rapport aux protocoles existants. Cette contribution répond aux exigences des systèmes pervasifs. La validation de notre proposition a été faite en utilisant l'outil AVISPA et la validation informelle en utilisant sécurité et de vie privée des jeux. Notre deuxième contribution comprend deux protocoles complémentaires dans le domaine des technologies RFID. Le premier protocole vise à l'authentification de masse entre un lecteur RFID et un groupe d'étiquettes tandis que le deuxième protocole effectue une recherche sécurisée pour une étiquette cible parmi un groupe d'étiquettes dans le voisinage du lecteur. Les deux protocoles proposés tiennent compte des contraintes de ressources des étiquettes RFID. Après une étude approfondie des protocoles serverless, nous avons proposé une troisième contribution, un guide pour la conception des protocoles serverless sécurisé et efficaces pour les systèmes pervasifs. Le guide contient six principes et six meilleures pratiques en vue d'élaborer des protocoles serverless. Le guide est destiné à aider à la conception de protocoles serverless efficaces, sécurisés et simples en évitant des erreurs couramment faites dans les protocoles existant