A real time demonstrative analysis of lightweight payload encryption in resource constrained devices based on mqtt

06.03.2018 tarihli ve 30352 sayılı Resmi Gazetede yayımlanan “Yükseköğretim Kanunu İle Bazı Kanun Ve Kanun Hükmünde Kararnamelerde Değişiklik Yapılması Hakkında Kanun” ile 18.06.2018 tarihli “Lisansüstü Tezlerin Elektronik Ortamda Toplanması, Düzenlenmesi ve Erişime Açılmasına İlişkin Yönerge” gereğince tam metin erişime açılmıştır.Kısıtlı cihazların kaynakları, yani bellek (ROM ve RAM), CPU ve pil ömrü (varsa) sınırlıdır. Genellikle, veri toplayan sensörler, makinadan makineye (M2M) veya servisleri ve elektrikli ev aletlerini kontrol eden akıllı cihazlar için puanlar. Bu tür aygıtlar bir ağa bağlandığında "nesnelerin Internet'i" nin (IoT) bir parçasını oluştururlar. Message Queue Telemetry Transport (yani MQTT), hafif, açık, basit, istemci-sunucu yayın/abone mesajlaşma taşıma protokolüdür. Güvenilir iletişim için üç Hizmet Kalitesi (QoS) seviyesini destekleyen çoğu kaynak kısıtlamalı IoT cihazı için kullanışlıdır ve verimlidir. Cihazdan Cihaza (D2D) ve nesnelerin Internet'i (IoT) bağlamları gibi kısıtlı ortamlarda iletişim için gerekli olan bir protokoldür. MQTT protokolü, güvenli soket katmanı (SSL) sertifikalarına dayalı taşıma katmanı güvenliği (TLS) dışında somut güvenlik mekanizmalarından yoksundur. Bununla birlikte, bu güvenlik protokollerinin en hafif değildir ve özellikle kısıtlı cihazlar için ağ yüklerini artırır. IoT cihazlarının yaklaşık %70'inde özellikle de istemci tarafında veri şifrelemesi yoktur ve TLS için mükemmel bir alternatif olabilir. Bu tezde, farklı Hizmet Kalitesi (QoS) ve veri yüklerin değişken boyutu için kısıtlı bir cihaz üzerinde MQTT protokolünün ağ performansı üzerindeki etkisini göstermek için bir deney düzeneği tasarlanmıştır. Bu çalışmanın yeni kısmı, yüklerin istemci tarafında şifrelenmesini ve ağ performansı üzerindeki etkisini kapsıyor. Denemelerde, verilere 128-bits ileileri şifreleme standardı (AES) hafif bir şifreleme uygulanmıştır. Mesajlar, farklı yük boyutlarına dayanan bir komisyoncu sunucusu aracılığıyla gerçek kablolu alt uçtakı yayıncılık istemcisi ve düşük uçtakı abone istemcisi üzerinden MQTT'deki üç farklı QoS seviyesini kullanarak aktarılır. Paketler, şifreleme ve şifre çözme işlem süresinin ölçülmesiyle birlikte uçtan uca gecikme, verimlilik ve mesaj kaybı analiz etmek için yakalanır. Deney sonuçlarına göre, şifrelenmemiş (şifresiz metin) yükün daha düşük bir ağ yük etkisine sahip olduğu ve bu nedenle, yüzde kaybı ve mesaj tesliminde, şifreli yüke göre MQTT'yi kullanarak nispeten daha iyi bir ağ performansı ürettiği sonucuna varılmıştır.Constrained devices are limited in resources namely, memory (ROM and RAM), CPU and battery life (if available). They are often used as sensors that collects data, machine to machine (M2M) or smart devices that control services and electrical appliances. When such devices are connected to a network they form what is called "things" and in a whole, they form part of the "Internet of Things" (IoT). Message Queue Telemetry Transport (MQTT) is a common light weight, open, simple, client-server publish/subscribe messaging transport protocol useful and efficient for most resource constrained IoT devices that supports three Quality of Service (QoS) levels for reliable communication. It is an essential protocol for communication in constrained environments such as Device to Device (D2D) and Internet of Things (IoT) contexts. MQTT protocol is devoid of concrete security mechanisms apart from Transport Layer Security (TLS) based on Secure Socket Layer (SSL) certificates. However, this is not the lightest of security protocols and increases network overheads especially for constrained devices. About 70 % of most ordinary IoT devices also lack data encryption especially at the client-end which could have been a perfect alternative for TLS. In this thesis, an experimental setup is designed to demonstrate the effect on network performance of MQTT protocol on a constrained device for different Quality of Service (QoS) and variable size of payloads. The novel part of this study covers client-side encryption of payloads and its effect over network performance. In the experiments, a lightweight encryption of 128-bits Advanced Encryption Standard (AES) is applied on the data. The messages are transferred using the three different QoS levels in MQTT over real wired low-end publish client and low-end subscriber client via a broker server based on different payload sizes. The packets are captured to analyze end-to-end latency, throughput and message loss along with the measurement of encryption and decryption processing time. According to the results of the experiment, it was concluded that, non-encrypted (plaintext) payload have a lower network load effect and hence produces a relatively better network performance using MQTT in terms of percentage loss and message delivery than the encrypted payload

Implementation and Analysis of Communication Protocols in Internet of Things

Internet of Things (IoT) is the future of all the present-day devices around the globe. Giving them internet connectivity makes IoT the next frontier of technology. Possibilities are limitless as the devices communicate and interact with each other which make it even more interesting for the global markets. For example, Rolls-Royce announced that it would use the Microsoft Azure IoT suite and also the Intelligence suite of Cortana to keep track of the fuel usage, for performance analysis, to optimize the fly routes etc. which improves the airline efficiency. The devices must communicate with each other, the data from these devices must be collected by the servers, and the data is then analyzed or provided to the people. For all this to happen, there is a need for efficient protocols to ensure that the communication is secure and to avoid loss of data. This research is about the implementation and analysis of various protocols that can be used for the communication in IoT. Various protocols with various capabilities are required for different environments. The internet today supports hundreds of protocols from which choosing the best would be a great challenge. But each protocol is different in its own way when we have the specifics like security, reliability, range of communication etc. This research emphasizes on the best available protocols and the environments that suit them the most. It provides an implementation of some of the protocols and analyzes the protocols according to the results obtained. The data collected from the sensors/devices through a protocol is also subject to predictive analysis which improves the scope of the project to performing data analysis on the data collected through IoT

Access Control and Service-Oriented Architectures.

Access Control and Service-Oriented Architectures" investigates in which way logical access control can be achieved effectively, in particular in highly dynamic environments such as service-oriented architectures (SOA's). The author combines state-of-the-art best-practice and projects these onto the SOA. In doing so, he identifies strengths of current approaches, but also pinpoints weaknesses. These weaknesses are subsequently mitigated by introducing an innovative new framework called EFSOC. The framework is validated empirically and preliminary implementations are discussed.

MQTT-Auth: a Token-based Solution to Endow MQTT with Authentication and Authorization Capabilities

Security in the Internet of Things is a current hot topic and it may comprise different aspects such as confidentiality and integrity of personal data, as well as the authentication and the authorization to access smart objects that are spreading more and more in our every-day lives. In this work we focus on MQTT (Message Queue Telemetry Transport), a message-based communication protocol explicitly designed for low-power machine-to-machine communications and based on the publish-subscribe paradigm. First of all, we provide an accurate analysis of some of the most recent security solutions and improvements of MQTT found in the literature. Secondly, we describe in detail a novel secure solution, called MQTT-Auth, to protect specific topics in MQTT. This solution is based on the AugPAKE security algorithm for guaranteeing confidentiality, and onto two tokens which permit to authenticate the usage of a topic and to guarantee authorization in accessing a topic respectively. MQTT-Auth can also be easily extended to a hierarchical structure of topics and entities. Finally, we compare MQTT-Auth with some solutions for securing MQTT being present in the relevant literature, and we provide some details on how MQTT-Auth has been implemented and successfully tested

IoT-MQTT based denial of service attack modelling and detection

Internet of Things (IoT) is poised to transform the quality of life and provide new business opportunities with its wide range of applications. However, the bene_ts of this emerging paradigm are coupled with serious cyber security issues. The lack of strong cyber security measures in protecting IoT systems can result in cyber attacks targeting all the layers of IoT architecture which includes the IoT devices, the IoT communication protocols and the services accessing the IoT data. Various IoT malware such as Mirai, BASHLITE and BrickBot show an already rising IoT device based attacks as well as the usage of infected IoT devices to launch other cyber attacks. However, as sustained IoT deployment and functionality are heavily reliant on the use of e_ective data communication protocols, the attacks on other layers of IoT architecture are anticipated to increase. In the IoT landscape, the publish/- subscribe based Message Queuing Telemetry Transport (MQTT) protocol is widely popular. Hence, cyber security threats against the MQTT protocol are projected to rise at par with its increasing use by IoT manufacturers. In particular, the Internet exposed MQTT brokers are vulnerable to protocolbased Application Layer Denial of Service (DoS) attacks, which have been known to cause wide spread service disruptions in legacy systems. In this thesis, we propose Application Layer based DoS attacks that target the authentication and authorisation mechanism of the the MQTT protocol. In addition, we also propose an MQTT protocol attack detection framework based on machine learning. Through extensive experiments, we demonstrate the impact of authentication and authorisation DoS attacks on three opensource MQTT brokers. Based on the proposed DoS attack scenarios, an IoT-MQTT attack dataset was generated to evaluate the e_ectiveness of the proposed framework to detect these malicious attacks. The DoS attack evaluation results obtained indicate that such attacks can overwhelm the MQTT brokers resources even when legitimate access to it was denied and resources were restricted. The evaluations also indicate that the proposed DoS attack scenarios can signi_cantly increase the MQTT message delay, especially in QoS2 messages causing heavy tail latencies. In addition, the proposed MQTT features showed high attack detection accuracy compared to simply using TCP based features to detect MQTT based attacks. It was also observed that the protocol _eld size and length based features drastically reduced the false positive rates and hence, are suitable for detecting IoT based attacks

Real Time Control for Intelligent 6G Networks

The benefits of telemetry for optical networking have been shown in the literature, and several telemetry architectures have been defined. In general, telemetry data is collected from observation points in the devices and sent to a central system running besides the Software Defined Networking (SDN) controller. In this project, we try to develop a telemetry architecture that supports intelligent data aggregation and nearby data collection. Several frameworks and technologies have been explored to ensure that they fit well into the architecture's composition. A description of these different technologies is presented in this work, along with a comparison between their main features and downsides. Some intelligent techniques, aka. Algorithms have been stated and tested within architecture, showing their benefits by reducing the amount of data processed. In the design of this architecture, the main issues related to distributed systems have been faced, and some initial solutions have been proposed. In particular, several security solutions have been explored to deal with threats but also with scalability and performance issues, trying to find a balance between performance and security. Finally, two use cases are presented, showing a real implementation of the architecture that has been presented at conferences and validated within the project's development

Security in Internet of Things: networked smart objects.

Internet of Things (IoT) is an innovative paradigm approaching both industries and humans every-day life. It refers to the networked interconnection of every-day objects, which are equipped with ubiquitous intelligence. It not only aims at increasing the ubiquity of the Internet, but also at leading towards a highly distributed network of devices communicating with human beings as well as with other devices. Thanks to rapid advances in underlying technologies, IoT is opening valuable opportunities for a large number of novel applications, that promise to improve the quality of humans lives, facilitating the exchange of services. In this scenario, security represents a crucial aspect to be addressed, due to the high level of heterogeneity of the involved devices and to the sensibility of the managed information. Moreover, a system architecture should be established, before the IoT is fully operable in an efficient, scalable and interoperable manner. The main goal of this PhD thesis concerns the design and the implementation of a secure and distributed middleware platform tailored to IoT application domains. The effectiveness of the proposed solution is evaluated by means of a prototype and real case studies

Integration of Event Processing with Service-oriented Architectures and Business Processes

Data sources like the Internet of Things or Cyber-physical Systems provide enormous amounts of real-time information in form of streams of events. The use of such event streams enables reactive software components as building blocks in a new generation of systems. Businesses, for example, can benefit from the integration of event streams; new services can be provided to customers, or existing business processes can be improved. The development of reactive systems and the integration with existing application landscapes, however, is challenging. While traditional system components follow a pull-based request/reply interaction style, event-based systems follow a push-based interaction scheme; events arrive continuously and application logic is triggered implicitly. To benefit from push-based and pull-based interactions together, an intuitive software abstraction is necessary to integrate push-based application logic with existing systems. In this work we introduce such an abstraction: we present Event Stream Processing Units (SPUs) - a container model for the encapsulation of event-processing application logic at the technical layer as well as at the business process layer. At the technical layer SPUs provide a service-like abstraction and simplify the development of scalable reactive applications. At the business process layer SPUs make event processing explicitly representable. SPUs have a managed lifecycle and are instantiated implicitly - upon arrival of appropriate events - or explicitly upon request. At the business process layer SPUs encapsulate application logic for event stream processing and enable a seamless transition between process models, executable process representations, and components at the IT layer. Throughout this work, we focus on different aspects of the SPU container model: we first introduce the SPU container model and its execution semantics. Since SPUs rely on a publish/subscribe system for event dissemination, we discuss quality of service requirements in the context of event processing. SPUs rely on input in form of events; in event-based systems, however, event production is logically decoupled, i.e., event producers are not aware of the event consumers. This influences the system development process and requires an appropriate methodology. Fur this purpose we present a requirements engineering approach that takes the specifics of event-based applications into account. The integration of events with business processes leads to new business opportunities. SPUs can encapsulate event processing at the abstraction level of business functions and enable a seamless integration with business processes. For this integration, we introduce extensions to the business process modeling notations BPMN and EPCs to model SPUs. We also present a model-to-execute workflow for SPU-containing process models and implementation with business process modeling software. The SPU container model itself is language-agnostic; thus, we present Eventlets as SPU implementation based on Java Enterprise technology. Eventlets are executed inside a distributed middleware and follow a lifecycle. They reduce the development effort of scalable event processing applications as we show in our evaluation. Since the SPU container model introduces an additional layer of abstraction we analyze the overhead in terms of performance and show that Eventlets can compete with traditional event processing approaches in terms of performance. SPUs can be used to process sensitive data, e.g., in health care environments. Thus, privacy protection is an important requirement for certain use cases and we sketch the application of a privacy-preserving event dissemination scheme to protect event consumers and producers from curious brokers. We also quantify the resulting overhead introduced by a privacy-preserving brokering scheme in an evaluation

Access control and service-oriented architectures

Access Control and Service-Oriented Architectures" investigates in which way logical access control can be achieved effectively, in particular in highly dynamic environments such as service-oriented architectures (SOA's). The author combines state-of-the-art best-practice and projects these onto the SOA. In doing so, he identifies strengths of current approaches, but also pinpoints weaknesses. These weaknesses are subsequently mitigated by introducing an innovative new framework called EFSOC. The framework is validated empirically and preliminary implementations are discussed.