28 research outputs found

    Efficient Security Protocols for Constrained Devices

    During the last decades, more and more devices have been connected to the Internet. Today, there are more devices connected to the Internet than humans. An increasingly more common type of devices are cyber-physical devices. A device that interacts with its environment is called a cyber-physical device. Sensors that measure their environment and actuators that alter the physical environment are both cyber-physical devices. Devices connected to the Internet risk being compromised by threat actors such as hackers. Cyber-physical devices have become a preferred target for threat actors since the consequence of an intrusion disrupting or destroying a cyber-physical system can be severe. Cyber attacks against power and energy infrastructure have caused significant disruptions in recent years. Many cyber-physical devices are categorized as constrained devices. A constrained device is characterized by one or more of the following limitations: limited memory, a less powerful CPU, or a limited communication interface. Many constrained devices are also powered by a battery or energy harvesting, which limits the available energy budget. Devices must be efficient to make the most of the limited resources. Mitigating cyber attacks is a complex task, requiring technical and organizational measures. Constrained cyber-physical devices require efficient security mechanisms to avoid overloading the system's limited resources. In this thesis, we present research on efficient security protocols for constrained cyber-physical devices. We have implemented and evaluated two state-of-the-art protocols, OSCORE and Group OSCORE. These protocols allow end-to-end protection of CoAP messages in the presence of untrusted proxies. Next, we have performed a formal protocol verification of WirelessHART, a protocol for communications in an industrial control systems setting. In our work, we present a novel attack against the protocol. We have developed a novel architecture for industrial control systems utilizing the Digital Twin concept. Using a state synchronization protocol, we propagate state changes between the digital and physical twins. The Digital Twin can then monitor and manage devices. We have also designed a protocol for secure ownership transfer of constrained wireless devices. Our protocol allows the owner of a wireless sensor network to transfer control of the devices to a new owner. With a formal protocol verification, we can guarantee the security of both the old and new owners. Lastly, we have developed an efficient Private Stream Aggregation (PSA) protocol. PSA allows devices to send encrypted measurements to an aggregator. The aggregator can combine the encrypted measurements and calculate the decrypted sum of the measurements. No party will learn the measurement except the device that generated it.

    Security and blockchain convergence with internet of multimedia things : current trends, research challenges and future directions

    The Internet of Multimedia Things (IoMT) orchestration enables the integration of systems, software, cloud, and smart sensors into a single platform. The IoMT deals with scalar as well as multimedia data. In these networks, sensor-embedded devices and their data face numerous challenges when it comes to security. In this paper, a comprehensive review of the existing literature for IoMT is presented in the context of security and blockchain. The latest literature on all three aspects of security, i.e., authentication, privacy, and trust is provided to explore the challenges experienced by multimedia data. The convergence of blockchain and IoMT along with multimedia-enabled blockchain platforms are discussed for emerging applications. To highlight the significance of this survey, large-scale commercial projects focused on security and blockchain for multimedia applications are reviewed. The shortcomings of these projects are explored and suggestions for further improvement are provided. Based on the aforementioned discussion, we present our own case study for healthcare industry: a theoretical framework having security and blockchain as key enablers. The case study reflects the importance of security and blockchain in multimedia applications of healthcare sector. Finally, we discuss the convergence of emerging technologies with security, blockchain and IoMT to visualize the future of tomorrow's applications. © 2020 Elsevier Lt

    Security issues in Internet of Things

    The main idea behind the concept of the Internet of Things (IoT) is to connect all kinds of everyday objects, thus enabling them to communicate to each other and enabling people to communicate to them. IoT is an extensive concept that encompasses a wide range of technologies and applications. This document gives an introduction to what the IoT is, its fundamental characteristics and the enabling technologies that are currently being used. However, the technologies for the IoT are still evolving and maturing, leading to major challenges that need to be solved for a successful deployment of the IoT. Security is one of the most significant ones. Security issues may represent the greatest obstacle to general acceptance of the IoT. This document presents an assessment of the IoT security goals, its threats and the security requirements to achieve the goals. A survey on a representative set of already deployed IoT technologies is done to assess the current state of the art with regards to security. For each solution, a description of its functionality, its security options and the issues found in the literature is given. Finally, the common issues are identified and a set of future solutions are given.

    Post-Quantum Authentication in TLS 1.3: A Performance Study

    The potential development of large-scale quantum computers is raising concerns among IT and security research professionals due to their ability to solve (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. All currently used public key algorithms would be deemed insecure in a post-quantum (PQ) setting. In response, the National Institute of Standards and Technology (NIST) has initiated a process to standardize quantum-resistant crypto algorithms, focusing primarily on their security guarantees. Since PQ algorithms present significant differences over classical ones, their overall evaluation should not be performed out-of-context. This work presents a detailed performance evaluation of the NIST signature algorithm candidates and investigates the imposed latency on TLS 1.3 connection establishment under realistic network conditions. In addition, we investigate their impact on TLS session throughput and analyze the trade-off between lengthy PQ signatures and computationally heavy PQ cryptographic operations. Our results demonstrate that the adoption of at least two PQ signature algorithms would be viable with little additional overhead over current signature algorithms. Also, we argue that many NIST PQ candidates can effectively be used for less time-sensitive applications, and provide an in-depth discussion on the integration of PQ authentication in encrypted tunneling protocols, along with the related challenges, improvements, and alternatives. Finally, we propose and evaluate the combination of different PQ signature algorithms across the same certificate chain in TLS. Results show a reduction of the TLS handshake time and a significant increase of a server's TLS tunnel connection rate over using a single PQ signature scheme.

    Hybrid post-quantum cryptography in network protocols

    Thesis (doctorate) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2023. Abstract: Network security is essential for today's communications. Protocols such as Transport Layer Security (TLS) and Automatic Certificate Management Environment (ACME) enable secure communications for various applications. TLS provides secure channels with peer authentication, given that the peer already has a digital certificate to prove its identity. ACME contributes to TLS adoption with facilities for issuing and managing digital certificates. Both protocols depend on Public-Key Cryptography for authentication and Key Exchange (KEX) of symmetric key material. However, the advent of a Cryptographically Relevant Quantum Computer (CRQC) weakens KEX and digital certificates built with today's classical cryptography (like RSA and Diffie-Hellman). Given the widespread adoption of TLS and ACME, such a threat reaches a global scale. In this context, this thesis aims at the challenges of adopting Post-Quantum Cryptography (PQC) in TLS and ACME, focusing on the recommended approach called Hybrid PQC (or hybrid mode). PQC is created using different mathematical assumptions in which there is no known efficient solution by classical and quantum computers. Hybrids ease the PQC transition by combining it with classical cryptography. This thesis defends the hybrid mode adoption by the following contributions: a secondary study classifying and showing hybrid mode efficiency and security; a tool for users checking their TLS connections for quantum-safe guarantees; a study and an optimized approach for issuance of PQC digital certificates in ACME; a design and implementation of a hybrid approach for the TLS alternative called KEMTLS; and a novel hybrid concept (and implementation) for authentication using wrapped digital certificates. In all proposed hybrid mode evaluations, the penalty in performance was non-significant when compared to PQC-only deployment, except in certain situations. The novel concept for hybrid authentication also allows a contingency plan for hybrids, contributing to the PQC adoption. By proposing and evaluating different scenarios, approaches and protocols, this thesis sums efforts towards using hybrid PQC to mitigate the worrisome effects of the quantum threat to cryptography.

    Fault-Tolerant, Scalable and Interoperable IoT Platform

    Master's thesis, Informatics Engineering (Software Engineering), Universidade de Lisboa, Faculdade de Ciências, 2020. Nowadays the growth of Internet usage is quite visible. Every day the number of devices connected to the Internet increases, everything may be a smart device capable of interacting with the Internet, from smartphones, smartwatches, refrigerators and much more. All of these devices are called things in the Internet of Things. Many of them are usually constrained devices due to their size, usually very small with low capacities such as memory and/or processing power. These kinds of devices need to be very efficient in all of their activities. For example, the battery lifetime should be maximized as much as possible so that the necessity to change each device's battery could be minimized. There are many technologies that allow communication between devices. Besides the technologies, protocols may be involved in the communication between each device in an IoT system. Communication Protocols define the behaviour that is followed by things when communicating with each other. For example, in some protocols acknowledgments must be used to ensure data arrival, while in others this feature is not enforced. There are many communication Protocols available in the literature. The use of communication protocols and communication models brings many benefits to IoT systems, but they may also benefit from using the cloud. One of the biggest struggles in IoT is the fact that things are very constrained devices in terms of resources (CPU and RAM). With the cloud this would no longer be an issue. Plus, the cloud is capable of providing device management, scalability, storage and real time transmission. The characteristics of the communication protocols were studied and an innovative system architecture based on micro-services, Kubernetes and Kafka is proposed in this thesis. 
This proposal tries to address issues such as scalability, interoperability, fault tolerance, resiliency, availability and simple management of large IoT systems. Supported by Kubernetes, which is an open-source technology that allows micro-services to be extensible, configurable and automatically managed with fault tolerance and Kafka, which is a distributed event log that uses the publish-subscribe pattern, the proposed architecture is able to deal with high number of devices producing and consuming data at the same time. The proposed Fault-Tolerant and Interoperable IoT Architecture is a cluster composed of many components (micro-services) that were implemented using docker containers. The current implementation of the system supports the MQTT, CoAP and REST protocols for data incoming and the same plus websockets for data output. Since the system is based on micro-services, more protocols may be added in a simple way (just a new micro-service must be added). The system is able to convert any protocol into another protocol, e.g., if a message arrives at the system through MQTT protocol, it can be consumed using the CoAP or REST protocol. When messages are sent to the system the payload is stored in Kafka independently of the protocol, and when clients request it, it is consumed from Kafka and encapsulated by the client protocol to be sent to the client. In order to evaluate and demonstrate the capabilities of our proposal a set of experiments were made, which allows to collect information about the performance of the Communication Protocols, the system as a whole, Kubernetes and Kafka. From the experiments we were able to conclude that the message size is not so much important, since the system is able to deal with messages from 39 bytes to 2000 bytes. Since we are designing the system for IoT applications, we considered that messages with 2000 Bytes are big messages. 
Also, it was recognized that the system is able to recover from crashed nodes and to respond well in terms of average delay and packet loss when low and high throughput are compared. In this situation, there is a significant impact of the RAM usage, but the system still works without problems. In terms of scalability, the evaluation of the system through its cluster under-layer platform (Kubernetes) allowed us to understand that there is no direct relation between the time spent toconstant. However, the same conclusion is not true for the number of instances that are needed at high layer (application layer). Here, time spent to increase the number of instances of a specific application is directly proportional to the number of instances that are already running. In respect to data redundancy and persistence, the experiments showed that the average delay and packet loss of a message sent from a Producer to a Receiver is approximately the same regardless of the number of Kafka instances being used. Additionally, using a high number of partitions has a negative impact on the system’s behaviour

    IntegraDos: facilitating the adoption of the Internet of Things through the integration of technologies

    Also, the components for an integration of the IoT and cloud computing have been analysed, concluding in the Lambda-CoAP architecture. And lastly, the challenges for an integration of the IoT and Blockchain have been analysed together with an evaluation of the possibilities of IoT devices to incorporate Blockchain nodes. The contributions of this doctoral thesis help bring the adoption of the IoT closer to society and, therefore, the expansion of this prominent technology. Thesis defence date: 17 December 2018. The Internet of Things (IoT) was a new concept introduced by K. Ashton in 1999 to refer to an identifiable set of objects connected through RFID. Currently, the IoT is characterised by being a ubiquitous technology that is present in a large number of areas, such as the monitoring of critical infrastructures, traceability systems or assisted healthcare systems. The IoT is increasingly present in our daily lives, covering a wide range of possibilities in order to optimise the processes and problems that society faces. That is why the IoT is a promising technology that is continuously evolving thanks to ongoing research and the large number of devices, systems and components emerging every day. However, the devices involved in the IoT normally correspond to embedded devices with storage and processing limitations, as well as memory and power restrictions. Moreover, the number of objects or devices connected to the Internet is forecast to grow greatly over the coming years, with expectations of 500 billion connected objects by 2030. Therefore, to accommodate global IoT deployments, in addition to overcoming the existing limitations, it is necessary to involve new systems and paradigms that facilitate the adoption of this field. The main objective of this doctoral thesis, known as IntegraDos, is to facilitate the adoption of the IoT through integration with a series of technologies. On the one hand, it has been addressed how the management of sensors and actuators in physical devices can be facilitated without having to access and program the development boards. On the other hand, a system for programming IoT applications that are portable, adaptable, customised and decoupled from the devices has been defined.

    Kommunikation und Bildverarbeitung in der Automation

    This open-access conference volume contains the best contributions of the 9th annual colloquium "Kommunikation in der Automation" (KommA 2018) and the 6th annual colloquium "Bildverarbeitung in der Automation" (BVAu 2018). The colloquia took place on 20 and 21 November 2018 at the SmartFactoryOWL, a joint facility of Fraunhofer IOSB-INA and the Technische Hochschule Ostwestfalen-Lippe. The latest research results presented in the fields of industrial communication technology and image processing extend the current state of research and technology. The illustrative examples from the field of automation contained in the contributions place the results in a direct application context.

    Security model for the Open Messaging Interface (O-MI) Protocol

    The continuous improvements of computing, networking, storage and sensing technologies together with diffusion of “always-on” internet connectivity is boosting the development of the so-called Internet of Things (IoT). The number of IoT vendors is also rapidly growing, providing solutions for all levels of the IoT stack. Despite the universal agreement on the need of a standardized technology stack (following the model of the world-wide-web), there is a proliferation of industry-driven domain specific standards that are hindering the development of a single IoT ecosystem. An attempt to solve this situation is the introduction of O-MI (Open Messaging Interface) and O-DF (Open Data Format), two domain independent standards published by the Open Group. The standards do not define any specific security model, and this thesis work tries to define suitable access control and authentication mechanisms that can regulate the rights of different principals and operations defined in these standards. First, an introduction of the O-MI and O-DF standards, including a comparison with existing standards is provided. Then, envisioned security model is presented, together with the implementation details of the plug-in module developed for the O-MI and O-DF reference implementation

    SInCom 2015

    2nd Baden-Württemberg Center of Applied Research Symposium on Information and Communication Systems, SInCom 2015, 13. November 2015 in Konstan