22 research outputs found
IoT Content Object Security with OSCORE and NDN: A First Experimental Comparison
The emerging Internet of Things (IoT) challenges the end-to-end transport of
the Internet by low power lossy links and gateways that perform protocol
translations. Protocols such as CoAP or MQTT-SN are degraded by the overhead of
DTLS sessions, which in common deployment protect content transfer only up to
the gateway. To preserve content security end-to-end via gateways and proxies,
the IETF recently developed Object Security for Constrained RESTful
Environments (OSCORE), which extends CoAP with content object security features
commonly known from Information Centric Networks (ICN).
This paper presents a comparative analysis of protocol stacks that protect
request-response transactions. We measure protocol performances of CoAP over
DTLS, OSCORE, and the information-centric Named Data Networking (NDN) protocol
on a large-scale IoT testbed in single- and multi-hop scenarios. Our findings
indicate that (a) OSCORE improves on CoAP over DTLS in error-prone wireless
regimes due to omitting the overhead of maintaining security sessions at
endpoints, and (b) NDN attains superior robustness and reliability due to its
intrinsic network caches and hop-wise retransmissions
Access Management in Lightweight IoT: A Comprehensive review of ACE-OAuth framework
With the expansion of Internet of Things (IoT), the need for secure and scalable authentication and
authorization mechanism for resource-constrained devices is becoming increasingly important. This
thesis reviews the authentication and authorization mechanisms in resource-constrained Internet of
Things (IoT) environments. The thesis focuses on the ACE-OAuth framework, which is a lightweight
and scalable solution for access management in IoT. Traditional access management protocols are not
well-suited for the resource-constrained environment of IoT devices. This makes the lightweight
devices vulnerable to cyber-attacks and unauthorized access. This thesis explores the security
mechanisms and standards, the protocol flow and comparison of ACE-OAuth profiles. It underlines
their potential risks involved with the implementation. The thesis delves into the existing and
emerging trends technologies of resource-constrained IoT and identifies limitations and potential
threats in existing authentication and authorization methods.
Furthermore, comparative analysis of ACE profiles demonstrated that the DTLS profile enables
constrained servers to effectively handle client authentication and authorization. The OSCORE
provides enhanced security and non-repudiation due to the Proof-of-Possession (PoP) mechanism,
requiring client to prove the possession of cryptographic key to generate the access token.
The key findings in this thesis, including security implications, strengths, and weaknesses for ACE
OAuth profiles are covered in-depth. It shows that the ACE-OAuth framework’s strengths lie in its
customization capabilities and scalability. This thesis demonstrates the practical applications and
benefits of ACE-OAuth framework in diverse IoT deployments through implementation in smart
home and factory use cases. Through these discussions, the research advances the application of
authentication and authorization mechanisms and provides practical insights into overcoming the
challenges in constrained IoT settings
SECURE AND OPTIMIZED METHOD OF PROVIDING TRUSTWORTHINESS FOR IOT SENSORS IN LOW-POWER WAN DEPLOYMENTS
Currently there are multiple ways of verifying the identity and integrity of Internet of Things (IoT) sensors based on, for example, the Trusted Computing Group’s (TCG’s) Guidance for Securing Network Equipment, software-centered approaches such as using a checksum, and using an in-band and out-of-band approaches for integrity validation. In each of these approaches, trustworthiness may be based on limited artifacts. As well, none of these approaches employ quantum resistant secure key exchange methods between a Long Range (LoRa) Wide Area Network (LoRa) (LoRaWAN) Gateway and sensors. To address these challenges techniques are presented herein that apply an attestation method to the Constrained Application Protocol (CoAP), which is used between a LoRa Gateway and sensors, to provide proof of integrity and freshness of proof of integrity (in other words, trustworthiness) to IoT sensor devices. An Attestation ID that is derived through an attestation method is shared in data traffic (i.e., in-band) securely using a Post-Quantum Cryptography (PQC) method
Networking Group Content: RESTful Multiparty Access to a Data-centric Web of Things
Content replication to many destinations is a common use case in the Internet
of Things (IoT). The deployment of IP multicast has proven inefficient, though,
due to its lack of layer-2 support by common IoT radio technologies and its
synchronous end-to-end transmission, which is highly susceptible to
interference. Information-centric networking (ICN) introduced hop-wise
multi-party dissemination of cacheable content, which has proven valuable in
particular for low-power lossy networking regimes. Even NDN, however, the most
prominent ICN protocol, suffers from a lack of deployment.
In this paper, we explore how multiparty content distribution in an
information-centric Web of Things (WoT) can be built on CoAP. We augment the
CoAP proxy by request aggregation and response replication functions, which
together with proxy caches enable asynchronous group communication. In a
further step, we integrate content object security with OSCORE into the CoAP
multicast proxy system, which enables ubiquitous caching of certified authentic
content. In our evaluation, we compare NDN with different deployment models of
CoAP, including our data-centric approach in realistic testbed experiments. Our
findings indicate that multiparty content distribution based on CoAP proxies
performs equally well as NDN, while remaining fully compatible with the
established IoT protocol world of CoAP on the Internet
Protecting EST Payloads with OSCORE: IETF Internet Draft
draft-selander-ace-coap-est-oscore-04This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format
SECURE BOOTSTRAPPING AND ACCESS CONTROL IN NDN-BASED SMART HOME SYSTEMS
Smart home systems utilize network-enabled sensors to collect environmental data and provide various services to home residents. Such a system must be designed with security mechanisms to protect the safety and privacy of the residents. More specifically, we need to secure the production, dissemination, and consumption of smart home data, as well as prevent any unauthorized access to the services provided by the system. In this work, we study how to build a secure smart home system in the context of Named Data Networking, a future Internet architecture that has unique advantages in securing Internet of Things. We focus on solving two security problems: (a) mutual authentication between a new device and an existing smart home system to bootstrap the device, and (b) controlling access to smart home data. We designed a naming hierarchy for a smart home system and the corresponding trust model. Based on the naming and trust model, we designed bootstrapping protocols which enforce mutual cryptographic challenges, and a programming template which facilitates Name-based Access Control. We have designed and implemented an application that incorporates these solutions. Evaluation result shows: (a) the bootstrapping protocols can defend against replay attacks with a small computation overhead, and (b) Name-Based Access Control can provide accurate time schedules to restrict access to fine-grained data types with a small computation overhead
Towards Flexible Integration of 5G and IIoT Technologies in Industry 4.0: A Practical Use Case
The Industry 4.0 revolution envisions fully interconnected scenarios in the manufacturing industry to improve the efficiency, quality, and performance of the manufacturing processes. In parallel, the consolidation of 5G technology is providing substantial advances in the world of communication and information technologies. Furthermore, 5G also presents itself as a key enabler to fulfill Industry 4.0 requirements. In this article, the authors first propose a 5G-enabled architecture for Industry 4.0. Smart Networks for Industry (SN4I) is introduced, an experimental facility based on two 5G key-enabling technologies—Network Functions Virtualization (NFV) and Software-Defined Networking (SDN)—which connects the University of the Basque Country’s Aeronautics Advanced Manufacturing Center and Faculty of Engineering in Bilbao. Then, the authors present the deployment of a Wireless Sensor Network (WSN) with strong access control mechanisms into such architecture, enabling secure and flexible Industrial Internet of Things (IIoT) applications. Additionally, the authors demonstrate the implementation of a use case consisting in the monitoring of a broaching process that makes use of machine tools located in the manufacturing center, and of services from the proposed architecture. The authors finally highlight the benefits achieved regarding flexibility, efficiency, and security within the presented scenario and to the manufacturing industry overall.This work was supported in part by the Spanish Ministry of Economy, Industry and Competitiveness through the State Secretariat for Research, Development and Innovation under the “Adaptive Management of 5G Services to Support Critical Events in Cities (5G-City)” TEC2016-76795-C6-5-R and “Towards zero touch network and services for beyond 5G (TRUE5G)” PID2019-108713RB-C54 projects and in part by the Department of Economic Development and Competitiveness of the Basque Government through the 5G4BRIS KK-2020/00031 research project
Trust assessment in 32 KiB of RAM : multi-application trust-based task offloading for resource-constrained IoT nodes
There is an increasing demand for Internet of Things (IoT) systems comprised of resource-constrained sensor and actuator nodes executing increasingly complex applications, possibly simultaneously. IoT devices will not be able to execute computationally expensive tasks and will require more powerful computing nodes, called edge nodes, for such execution, in a process called computation offloading. When multiple powerful nodes are available, a selection problem arises: which edge node should a task be submitted to? This problem is even more acute when the system is subjected to attacks, such as DoS, or network perturbations such as system overload. In this paper, we present a trust model-based system architecture for computation offloading, based on behavioural evidence. The system architecture provides confidentiality, authentication and non-repudiation of messages in required scenarios and will operate within the resource constraints of embedded IoT nodes. We demonstrate the viability of the architecture with an example deployment of Beta Reputation System trust model on real hardware
Requirements for a Lightweight AKE for OSCORE: IETF Internet Draft
draft-ietf-lake-reqs-04This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC