IoT Content Object Security with OSCORE and NDN: A First Experimental Comparison

The emerging Internet of Things (IoT) challenges the end-to-end transport of the Internet by low power lossy links and gateways that perform protocol translations. Protocols such as CoAP or MQTT-SN are degraded by the overhead of DTLS sessions, which in common deployment protect content transfer only up to the gateway. To preserve content security end-to-end via gateways and proxies, the IETF recently developed Object Security for Constrained RESTful Environments (OSCORE), which extends CoAP with content object security features commonly known from Information Centric Networks (ICN). This paper presents a comparative analysis of protocol stacks that protect request-response transactions. We measure protocol performances of CoAP over DTLS, OSCORE, and the information-centric Named Data Networking (NDN) protocol on a large-scale IoT testbed in single- and multi-hop scenarios. Our findings indicate that (a) OSCORE improves on CoAP over DTLS in error-prone wireless regimes due to omitting the overhead of maintaining security sessions at endpoints, and (b) NDN attains superior robustness and reliability due to its intrinsic network caches and hop-wise retransmissions

Access Management in Lightweight IoT: A Comprehensive review of ACE-OAuth framework

With the expansion of Internet of Things (IoT), the need for secure and scalable authentication and authorization mechanism for resource-constrained devices is becoming increasingly important. This thesis reviews the authentication and authorization mechanisms in resource-constrained Internet of Things (IoT) environments. The thesis focuses on the ACE-OAuth framework, which is a lightweight and scalable solution for access management in IoT. Traditional access management protocols are not well-suited for the resource-constrained environment of IoT devices. This makes the lightweight devices vulnerable to cyber-attacks and unauthorized access. This thesis explores the security mechanisms and standards, the protocol flow and comparison of ACE-OAuth profiles. It underlines their potential risks involved with the implementation. The thesis delves into the existing and emerging trends technologies of resource-constrained IoT and identifies limitations and potential threats in existing authentication and authorization methods. Furthermore, comparative analysis of ACE profiles demonstrated that the DTLS profile enables constrained servers to effectively handle client authentication and authorization. The OSCORE provides enhanced security and non-repudiation due to the Proof-of-Possession (PoP) mechanism, requiring client to prove the possession of cryptographic key to generate the access token. The key findings in this thesis, including security implications, strengths, and weaknesses for ACE OAuth profiles are covered in-depth. It shows that the ACE-OAuth framework’s strengths lie in its customization capabilities and scalability. This thesis demonstrates the practical applications and benefits of ACE-OAuth framework in diverse IoT deployments through implementation in smart home and factory use cases. Through these discussions, the research advances the application of authentication and authorization mechanisms and provides practical insights into overcoming the challenges in constrained IoT settings

SECURE AND OPTIMIZED METHOD OF PROVIDING TRUSTWORTHINESS FOR IOT SENSORS IN LOW-POWER WAN DEPLOYMENTS

Currently there are multiple ways of verifying the identity and integrity of Internet of Things (IoT) sensors based on, for example, the Trusted Computing Group’s (TCG’s) Guidance for Securing Network Equipment, software-centered approaches such as using a checksum, and using an in-band and out-of-band approaches for integrity validation. In each of these approaches, trustworthiness may be based on limited artifacts. As well, none of these approaches employ quantum resistant secure key exchange methods between a Long Range (LoRa) Wide Area Network (LoRa) (LoRaWAN) Gateway and sensors. To address these challenges techniques are presented herein that apply an attestation method to the Constrained Application Protocol (CoAP), which is used between a LoRa Gateway and sensors, to provide proof of integrity and freshness of proof of integrity (in other words, trustworthiness) to IoT sensor devices. An Attestation ID that is derived through an attestation method is shared in data traffic (i.e., in-band) securely using a Post-Quantum Cryptography (PQC) method

Networking Group Content: RESTful Multiparty Access to a Data-centric Web of Things

Content replication to many destinations is a common use case in the Internet of Things (IoT). The deployment of IP multicast has proven inefficient, though, due to its lack of layer-2 support by common IoT radio technologies and its synchronous end-to-end transmission, which is highly susceptible to interference. Information-centric networking (ICN) introduced hop-wise multi-party dissemination of cacheable content, which has proven valuable in particular for low-power lossy networking regimes. Even NDN, however, the most prominent ICN protocol, suffers from a lack of deployment. In this paper, we explore how multiparty content distribution in an information-centric Web of Things (WoT) can be built on CoAP. We augment the CoAP proxy by request aggregation and response replication functions, which together with proxy caches enable asynchronous group communication. In a further step, we integrate content object security with OSCORE into the CoAP multicast proxy system, which enables ubiquitous caching of certified authentic content. In our evaluation, we compare NDN with different deployment models of CoAP, including our data-centric approach in realistic testbed experiments. Our findings indicate that multiparty content distribution based on CoAP proxies performs equally well as NDN, while remaining fully compatible with the established IoT protocol world of CoAP on the Internet

Protecting EST Payloads with OSCORE: IETF Internet Draft

draft-selander-ace-coap-est-oscore-04This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format

SECURE BOOTSTRAPPING AND ACCESS CONTROL IN NDN-BASED SMART HOME SYSTEMS

Smart home systems utilize network-enabled sensors to collect environmental data and provide various services to home residents. Such a system must be designed with security mechanisms to protect the safety and privacy of the residents. More specifically, we need to secure the production, dissemination, and consumption of smart home data, as well as prevent any unauthorized access to the services provided by the system. In this work, we study how to build a secure smart home system in the context of Named Data Networking, a future Internet architecture that has unique advantages in securing Internet of Things. We focus on solving two security problems: (a) mutual authentication between a new device and an existing smart home system to bootstrap the device, and (b) controlling access to smart home data. We designed a naming hierarchy for a smart home system and the corresponding trust model. Based on the naming and trust model, we designed bootstrapping protocols which enforce mutual cryptographic challenges, and a programming template which facilitates Name-based Access Control. We have designed and implemented an application that incorporates these solutions. Evaluation result shows: (a) the bootstrapping protocols can defend against replay attacks with a small computation overhead, and (b) Name-Based Access Control can provide accurate time schedules to restrict access to fine-grained data types with a small computation overhead

Towards Flexible Integration of 5G and IIoT Technologies in Industry 4.0: A Practical Use Case

The Industry 4.0 revolution envisions fully interconnected scenarios in the manufacturing industry to improve the efficiency, quality, and performance of the manufacturing processes. In parallel, the consolidation of 5G technology is providing substantial advances in the world of communication and information technologies. Furthermore, 5G also presents itself as a key enabler to fulfill Industry 4.0 requirements. In this article, the authors first propose a 5G-enabled architecture for Industry 4.0. Smart Networks for Industry (SN4I) is introduced, an experimental facility based on two 5G key-enabling technologies—Network Functions Virtualization (NFV) and Software-Defined Networking (SDN)—which connects the University of the Basque Country’s Aeronautics Advanced Manufacturing Center and Faculty of Engineering in Bilbao. Then, the authors present the deployment of a Wireless Sensor Network (WSN) with strong access control mechanisms into such architecture, enabling secure and flexible Industrial Internet of Things (IIoT) applications. Additionally, the authors demonstrate the implementation of a use case consisting in the monitoring of a broaching process that makes use of machine tools located in the manufacturing center, and of services from the proposed architecture. The authors finally highlight the benefits achieved regarding flexibility, efficiency, and security within the presented scenario and to the manufacturing industry overall.This work was supported in part by the Spanish Ministry of Economy, Industry and Competitiveness through the State Secretariat for Research, Development and Innovation under the “Adaptive Management of 5G Services to Support Critical Events in Cities (5G-City)” TEC2016-76795-C6-5-R and “Towards zero touch network and services for beyond 5G (TRUE5G)” PID2019-108713RB-C54 projects and in part by the Department of Economic Development and Competitiveness of the Basque Government through the 5G4BRIS KK-2020/00031 research project

Trust assessment in 32 KiB of RAM : multi-application trust-based task offloading for resource-constrained IoT nodes

There is an increasing demand for Internet of Things (IoT) systems comprised of resource-constrained sensor and actuator nodes executing increasingly complex applications, possibly simultaneously. IoT devices will not be able to execute computationally expensive tasks and will require more powerful computing nodes, called edge nodes, for such execution, in a process called computation offloading. When multiple powerful nodes are available, a selection problem arises: which edge node should a task be submitted to? This problem is even more acute when the system is subjected to attacks, such as DoS, or network perturbations such as system overload. In this paper, we present a trust model-based system architecture for computation offloading, based on behavioural evidence. The system architecture provides confidentiality, authentication and non-repudiation of messages in required scenarios and will operate within the resource constraints of embedded IoT nodes. We demonstrate the viability of the architecture with an example deployment of Beta Reputation System trust model on real hardware

Requirements for a Lightweight AKE for OSCORE: IETF Internet Draft

draft-ietf-lake-reqs-04This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC