
Master's thesis in Computer Science: Authentication protocol for resource constrained devices in the internet of things


DOCUMENT INFORMATION

Basic information

Title: Authentication Protocol for Resource Constrained Devices in the Internet of Things
Author: Pham Duc Minh Chau
Supervisor: Assoc. Prof. Dang Tran Khanh
School: Ho Chi Minh City University of Technology
Major: Computer Science
Type: Master Thesis
Year of publication: 2019
City: Ho Chi Minh City
Number of pages: 125
File size: 1.75 MB

Structure

  • 1.1 Overview
  • 1.2 Major purposes of the thesis
  • 1.3 Contributions
    • 1.3.1 Scientific contributions
    • 1.3.2 Practical contributions
  • 1.4 Research scope
  • 1.5 Thesis outline
  • 2.1 Internet of Things overview
    • 2.1.1 IoT properties
    • 2.1.2 Cloud computing with the IoT
    • 2.1.3 Fog computing with the IoT
  • 2.2 Public key cryptography
    • 2.2.1 Public-key encryption
    • 2.2.2 Public-key digital signature
  • 2.3 Elliptic curve cryptography
  • 2.4 BAN-logic
    • 2.4.1 BAN-logic overview
    • 2.4.2 Notations
    • 2.4.3 Typical protocol goals
    • 2.4.4 Protocol analysis with BAN-logic
  • 3.1 Authentication protocol taxonomy
    • 3.1.1 Symmetric key schemes
    • 3.1.2 Asymmetric key schemes
  • 3.2 Authentication using ECC
  • 4.1 Network architecture
  • 4.2 Security and privacy requirements
  • 4.3 Authentication scheme
    • 4.3.1 Registration phase
    • 4.3.2 Subnetwork joining phase
    • 4.3.3 D2D Authentication Phase
  • 5.1 Formal analysis
    • 5.1.1 Subnetwork joining authentication
    • 5.1.2 D2D authentication
  • 5.2 Informal analysis
    • 5.2.1 Security properties
    • 5.2.2 Resilience to attacks
  • 6.1 Computational cost
    • 6.1.1 Computational energy cost
    • 6.1.2 Processing time
  • 6.2 Communication overhead
  • 1.1 The global market of IoT devices estimations by years
  • 1.2 The network architecture considered in the scope of this thesis
  • 2.1 Different application domains of the Internet of Things [10]
  • 2.2 A two layered architecture in which End/IoT devices strongly depend-
  • 2.3 Three-Layer Architecture of Fog Computing [15]
  • 2.4 Encryption/Decryption in Public-key cryptosystems
  • 2.5 Using a Digital Signature to Validate Data Integrity
  • 4.1 The network architecture for the proposed authentication protocol
  • 4.2 The registration phase between a device and the trusted server through
  • 4.3 The authentication process when a device joins a subnetwork with the
  • 4.4 The D2D authentication phase between two devices with the verifica-
  • 4.1 Descriptions of the notations used in this thesis
  • 5.1 Comparisons with previous schemes
  • 6.1 Computational cost comparison between the proposed scheme and
  • 6.2 Summary of energy consumption per operation
  • 6.3 Data length of values used in both the proposed scheme and the base- scheme
  • 6.4 Energy consumption comparisons
  • 6.5 Processing time of devices in seconds
  • 6.6 Transmission length of each entity in the proposed protocol and in the

Content

Overview

The Internet of Things (IoT), which was first introduced by Kevin Ashton [3] in 1999, has opened new opportunities for the research community to study its wide variety of aspects in the area of wireless communications and networking in the past few years.

By utilizing the potential of Internet connectivity, the IoT is now becoming a popular trend in the technology industry. Its greatest benefit comes from highly heterogeneous interconnected devices and systems, covering every shape, size, and functionality. As shown in Figure 1.1, it is forecasted that around 75.4 billion devices will be connected to the Internet by 2025 [1]. These objects in the IoT are capable of communicating and interacting with each other to exchange their data, monitoring the surrounding environment and responding to changes in the system's environment. Such capabilities promise to totally change human lifestyle, making it safer, more convenient and more comfortable. This motivation has attracted and encouraged many researchers to participate in designing and inventing novel solutions and applications for the IoT.

IoT development also comes with urgent requirements for the provision of security and privacy as the number of deployed IoT devices rapidly increases. Gartner reports that 20% of organizations suffered at least one IoT security attack in the last three years [2]. Prior technology trends, e.g., cloud computing and big data, seem to have security requirements quite similar to those of the IoT. Nonetheless, the unique nature of the IoT introduces new challenges to security requirements, which are much different from previous technology trends. For example, big data solutions are not required to deal with an uncontrolled environment and constrained resources, while cloud computing hardly deals with the mobility of devices and physical accessibility of sensors [3].

Figure 1.1: The global market of IoT devices estimations by years.

The security requirements for IoT systems depend on their application domains. They include the needs for confidentiality, integrity, and authenticity. Among those, authenticity is the major requirement for the IoT [4], as it provides the proof that a connection is established with an authenticated entity. Authentication is an important factor in which each connected object's identity must be verified before the objects can securely communicate and access various IoT resources. Besides, privacy is considered to be one of the most dominant challenges in the IoT [5]. Highly interconnected objects in the IoT produce a huge amount of transmitted data. These data may contain different kinds of information directly involving users' daily lives, collected through their devices so that IoT applications can provide corresponding services. The involvement of users' behaviors, preferences and private data has raised concern about the risk of privacy leakage, which becomes a huge obstacle when putting IoT applications into use. For these reasons, effective and efficient authentication protocols and privacy-preserving techniques (like anonymity) that protect users' private information are essential to the security of every IoT system.

Major purposes of the thesis

Given this overview of the opportunities and security challenges in the IoT, this thesis aims to study an authentication protocol for resource-constrained devices in such systems. In detail, the main purposes of this thesis include:

• Researching the nature and characteristics of the IoT environment as well as its devices: The research needs to show the features that differentiate the IoT from other traditional systems, especially the resource constraints of devices.

• Proposing a privacy-preserving authentication protocol for devices in the IoT: IoT systems have a massive number of devices connected and exchanging data with each other in an uncontrolled and untrusted environment. In addition, such devices may vary in category, size, shape and functionality. Hence, a common authentication protocol that provides secure communication needs to be usable across these devices. Authentication protocols are supposed to guarantee that an entity connects to, and transmits/receives data to/from, legitimate devices. Moreover, authentication steps often risk exposing sensitive information of the participants. Thus, the protocol studied in this research is also concerned with protecting participants' private information from being exposed during the authentication stages.

• Proposing an authentication protocol applicable to resource-constrained devices: As previously stated, the limitation in resources of IoT devices is an important characteristic not to be ignored when studying solutions for IoT systems, because it decides their feasibility in practice. Therefore, the proposed solution needs to be suitable for resource-constrained devices.

• Evaluating the proposed protocol in terms of security and efficiency of resource consumption to assess its feasibility for resource-constrained devices.

Contributions

Scientific contributions

• The thesis contributes a new privacy-preserving authentication solution for devices in a resource-constrained environment.

• This work simultaneously proposes a way to apply elliptic curve cryptography to the design of a protocol that helps entities mutually authenticate each other.

• Starting from an existing protocol that originally only supports authentication between devices and the cloud servers, this research extends and improves it so that it can provide secure communication for direct device-to-device connections, and enables a distributed architecture that enhances the efficiency of resource consumption of edge devices.

Practical contributions

• This research contributes a new authentication solution that can be used for low-powered devices with limited computational capabilities, especially in the IoT environment.

• The research also raises and addresses not only the security but also the privacy aspects of devices in the IoT.

Research scope

The IoT has a very large context that includes many different kinds of systems. Therefore, in the scope of this thesis, I only focus on the devices having resource constraints in the IoT. From now on, whenever a device is mentioned in this thesis, it refers to a low-powered one with very limited resources. The research also focuses only on one of the most popular distributed network architectures, widely deployed in many IoT systems and described in Figure 1.2. The objects in this model are generalized into only three entities:

• Devices: Edge nodes with limited resources that account for the largest proportion of the systems. Devices can directly communicate with gateways and with each other.

• Gateways: The intermediary between devices and servers, each of which controls a subnetwork including a number of devices.

• Centralized servers: The central controller and storage of the whole system which resides on clouds.

The advantage of this model is that all the complex computations and large-size data can be handled by gateways or servers, which lowers the burden on the end devices and helps them save their resources.

Figure 1.2: The network architecture considered in the scope of this thesis.

Thesis outline

The rest of the thesis is organized as follows:

• Chapter 2 provides the backgrounds including a thorough study about the IoT and the cryptographic materials that will be used in later chapters.

• Chapter 3 outlines some related works that have been presented in the same field of authentication solutions.

• Chapter 4 is where I propose the authentication protocol to be used for the resource-constrained IoT devices which also protects the private information.

• Chapter 5 presents the security analysis where I prove the correctness as well as the security of the newly proposed protocol.

• Chapter 6 is the performance analysis in which I will analyze the efficiency of resource consumption of the proposed protocol compared with the base scheme.

• Chapter 7 concludes the work in this thesis, discusses and re-emphasizes the contributions as well as proposes the future works.

Internet of Things overview

IoT properties

Unlike traditional systems such as enterprise applications, cloud computing or big data, IoT systems are uniquely identified by several properties. These properties also raise the challenges that we need to deal with when working in the field. Related IoT research [3] identified four distinguishing properties of IoT in terms of security and privacy challenges, which are: the uncontrolled environment, the heterogeneity, the need for scalability and the resource constraints of IoT devices.

• Uncontrolled environment: The uncontrolled environment of IoT is caused mainly by the fact that things can travel to unreliable surroundings, possibly without supervision. In other words, this property comprises three sub-properties, which are: mobility, physical accessibility and trust.

  • Mobility: Connectivity in the networks of IoT systems is not expected to be stable or always available.

  • Physical accessibility: More often than not, sensors in IoT remain unprotected and can be publicly accessed by outsiders, e.g., traffic control cameras and weather sensors.

  • Trust: It is unlikely that a priori trusted relationships can be achieved for the huge number of devices and users. Therefore, it is essential to have mechanisms that automatically validate and manage the trust of things, services and users in IoT systems.

• Heterogeneity: IoT has to integrate a wide range of devices from many different manufacturers, so their version compatibility and interoperability need to be guaranteed.

• Scalability: The vast number of interconnected IoT things requires highly scalable protocols.

• Resource constraints: A large proportion of the devices involved in the IoT have low energy and computational capability. Therefore, proposed solutions requiring complex computations and high energy consumption cannot be applied to the IoT in practice.

Cloud computing with the IoT

The rapid development of IoT generates a vast amount of data requiring massive computing power, resources, storage and bandwidth. However, the resource constraints of IoT devices, like small size, limited storage and low processing capacity, result in the lack of many important features such as scalability, reliability and efficiency that are required for IoT environments. Besides, the large amount of data has complicated the processing and computing load on devices and control systems, as well as put heavy pressure on the network traffic and the Internet infrastructure. This is where cloud computing comes into play. The advancement of cloud computing gave enterprises virtually unlimited computing power and storage, which can address these issues for IoT systems. The integration of cloud computing and IoT enables centralized data storage and management, powerful data processing capabilities, scalable resource allocation and rapid application deployment with minimal cost [11].

IoT architecture based on cloud computing often comprises two layers, as described in Figure 2.2. The top layer includes the centralized data storage, processing and control layer, which allows access to large-scale data from devices and objects in the bottom layer. The bottom layer has billions of IoT devices connected with each other and the cloud. The sensed data from the IoT devices are sent to a central server or a cloud by using communication infrastructure [4]. In other words, in this architecture devices completely depend on their cloud servers for any tasks such as computing, storing, accessing applications, guaranteeing security and so on. Any actions of nodes in the same network involve the administration of their server. This model is widely applied in practice, especially in IoT systems, because such systems have considerable diversity in their devices, with very different resource capabilities and other features. Thus, focusing on servers as the centralized management systems, without the need to pay too much attention to the details of the device end, makes this model easier to employ and justify.

Figure 2.2: A two layered architecture in which End/IoT devices strongly depending on the Cloud

Although the benefits of integrating cloud computing into the IoT are attractive, this architecture puts too much workload on the servers and can break down the whole system when these servers go out of service. It can suffer severely when attackers flood a huge number of physical objects into the network at an unexpected scale. Also, this centralization of resources largely separates IoT devices and the cloud, which increases the average network latency [12]. Furthermore, integration with cloud computing does not allow IoT devices and end-users to use delay-sensitive applications such as smart traffic lights, because of communication delay.

Fog computing with the IoT

Fog computing, introduced by Cisco in 2012, is defined as “an extension of the cloud computing Paradigm to the edge of the network that provides computation, storage, and networking services between end devices and traditional cloud servers” [13]. Fog computing provides an intermediary layer between the cloud infrastructure and its connected IoT devices, allowing it to analyze and process data closer to where it is coming from. The general architecture of fog computing is described in Figure 2.3, namely, the Cloud-Fog-Device framework and the Fog-Device framework. This framework consists of three distinct layers: the device layer, the fog layer and the cloud layer. Because the fog layer is physically closer to the device layer, it provides more efficient connections between devices and analytics endpoints with lower latency. Overall, it can reduce the bandwidth needed compared to the scenario in which data have to be sent all the way back to a centralized center for storing and processing, as in traditional cloud computing systems. Communications between layers can be achieved with various wired communication technologies such as Ethernet and optical fiber, wireless ones like Bluetooth, ZigBee, LTE, etc., or both [14].

Figure 2.3: Three-Layer Architecture of Fog Computing [15].

The fog layer consists of network equipment, such as routers, bridges, gateways, switches, base stations and local servers. These devices are distributed between the IoT devices and the cloud servers in the Cloud-Fog-Device framework. This layer has certain computing and storage power to reduce the processing load on resource-constrained IoT devices. The difference from traditional communications via the Internet, as in cloud computing, is that some low-range, real-time and latency-sensitive communication protocols can be applied for the connection between layers, especially between the fog and the IoT device layer. Compared with cloud computing, fog computing has five distinguishing features: location awareness, geographic distribution, low latency, large-scale IoT applications support and decentralization [16].

Above are the two most popular models of an IoT ecosystem, in which all machines are directly connected to and controlled by centralized servers/gateways in the networks. These servers or gateways are often deployed with powerful storage and computing resources so that they can handle complicated processes and computations for their client nodes. The sensed data from the IoT devices are sent to a central server or a cloud by using communication infrastructure [17]. In other words, in this model client nodes completely depend on their servers for any tasks such as computing, storing, accessing the Internet and applications, guaranteeing security and so on. Any actions of nodes in the same network involve the administration of their server. This model is widely applied in practice, especially in IoT systems, since such systems have considerable diversity in their devices, with very different resource capabilities and other features. Thus, focusing on servers as the centralized management systems, without the need to pay too much attention to the details of the device end, makes this model easier to employ and justify. On the other hand, it puts too much workload on the servers and can break down the whole system when these servers go out of service. This model can suffer severely when attackers flood a huge number of physical objects into the network at an unexpected scale.

To restrain the dependence on servers, scientists thought about Device-to-Device (D2D) communication [18, 19, 20]. Unlike Human-to-Human (H2H) communications, there is no human interaction in D2D. Hence, devices must be designed for self-establishing connections and authentications with others. There are two kinds of D2D: Standalone D2D and Network-Assisted D2D. These two structures differ by the existence of a helping infrastructure to organize communication and resource utilization. In Network-Assisted D2D, a gateway is required for the operation, and devices are connected by cellular networks. This requires high-capacity and energy-efficient mobile networks, which are not affordable in some countries and areas. In Standalone D2D, devices initiate requests for communicating with nearby devices by short-range connection mechanisms such as Bluetooth. One device will send signals to express its connection request to other devices. Consequently, devices will need to authenticate not only with the servers but also among themselves. This will be useful in case there is no connection from devices to servers, e.g. during a power blackout when servers do not have a backup power source. In this case, the IoT systems still work because most of the embedded devices have a battery within and will be unaffected by a local area power outage. So, they can continue their connection with others without interruption. As a result, a device needs to verify by itself, without servers, that it is connecting to legitimate devices. The list of things in the network system then has to be stored and well managed by each node, which will be a problem for small devices. Because most smart devices are designed for specific tasks, they have very limited resources in terms of memory, energy, and CPU, which means they cannot run complex algorithms for registration or authentication or store too much data.

It is clear that authentication in the two models above has many advantages and also weaknesses, which motivates finding a better way to retain their good characteristics while avoiding their drawbacks.

Public key cryptography

Public-key encryption

With public-key encryption, each public key is published and the corresponding private key of an entity is kept secret. Data that are encrypted with the public key can only be decrypted with its private key, as shown in Figure 2.4. As we can see, this scheme allows anyone with the public key to encrypt the data, and only the person who owns the corresponding private key can decrypt and read the content of the original data. Public-key encryption nevertheless requires more processing than symmetric-key encryption, and thus may not be suitable for encrypting a large amount of data. One approach to address this weakness is to use the public-key scheme to encrypt and send symmetric keys only. These symmetric keys can later be used to encrypt the actual exchanged data. This approach is used by the SSL/TLS protocols.

Figure 2.4: Encryption/Decryption in Public-key cryptosystems.

Compared with symmetric-key encryption, public-key encryption requires more processing and may not be feasible for encrypting and decrypting large amounts of data. However, it is possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL/TLS protocols.

Public-key digital signature

A public-key scheme also allows data to be encrypted with a private key and decrypted with the corresponding public key. This is a technique for digitally signing data. Instead of encrypting the data itself, this technique creates a one-way hash of the data, then uses the private key to encrypt the hash. The encrypted hash, along with other information such as the hashing algorithm, is known as a digital signature [22].

Figure 2.5: Using a Digital Signature to Validate Data Integrity

Figure 2.5 describes the use of a digital signature to validate data integrity. The original data along with its signature are transferred from a sender to a recipient. The digital signature is generated by first creating a one-way hash of the original data. After that, this hash is encrypted using the sender's private key. When the recipient receives these two items (the original data and its digital signature), he/she validates the data integrity by decrypting the digital signature using the public key of the claimed sender, then applying the same one-way hash algorithm to the received data. If the two hash values are identical, the validity of the data can be confirmed.

Elliptic curve cryptography

Elliptic curves (EC) were independently introduced for the design of public-key cryptographic systems by Miller (1986) [23] and Koblitz (1987) [24]. Compared to the other widely used public-key scheme, RSA, EC uses a smaller key size at a given security level. Table 2.1 describes the comparison between the two schemes at the 80-, 112-, 128-, and 256-bit security levels respectively. The security level represents the amount of work required to perform an exhaustive key search of the corresponding size on the SKIPJACK, Triple-DES, AES-Small, AES-Medium, and AES-Large symmetric encryption algorithms. In other words, with the same key size, EC cryptosystems are harder to break, i.e. give a higher security level than RSA systems. Besides, the advantages gained include faster computations and smaller keys and certificates, from which it follows that ECC is more suitable for resource-constrained (e.g. limited processing power, bandwidth, storage, power consumption, etc.) environments.

Table 2.1: RSA and EC key sizes for equivalent security levels and corresponding bitlengths for EC parameter n and RSA modulus n [21]

Security level (bits) EC parameter n RSA modulus n

An EC is defined to be a set of points satisfying equation (2.1) along with a point at infinity.

$$y^2 = x^3 + ax + b \tag{2.1}$$

The basic operation on the EC is point multiplication or scalar multiplication, which refers to the computation $Q = kP$ where $k$ is an integer and $P$, $Q$ are points on an EC $E$ defined over a finite prime field $\mathbb{F}_q$. The security of all ECC protocols is based on the hardness of the EC discrete logarithm and other related problems: the elliptic curve Diffie-Hellman problem and the elliptic curve decision Diffie-Hellman problem.

Definition 1. The elliptic curve discrete logarithm problem (ECDLP) is: given an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order $n$, and a point $Q \in E$, it is computationally hard to find the integer $l \in [0, n-1]$ such that $Q = lP$. The integer $l$ is called the discrete logarithm of $Q$ to the base $P$, denoted $l = \log_P Q$.

Definition 2. The elliptic curve Diffie-Hellman problem (ECDHP) is: given an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order $n$, and points $A = aP$, $B = bP \in E$, it is computationally hard to find the point $C = abP$.

Definition 3. The elliptic curve decision Diffie-Hellman problem (ECDDHP) is: given an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order $n$, and points $A = aP$, $B = bP$, and $C = cP \in E$, it is computationally hard to determine whether $C = abP$.
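The scalar multiplication $Q = kP$ and the problems in Definitions 1 and 2 can be traced on a toy curve. This is an added example, not code from the thesis: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $(5, 1)$ of order 19, the private scalars and all function names are constructed for illustration, and a group this small offers no security.

```python
"""Toy elliptic-curve arithmetic over a small prime field (illustration only)."""

# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17.
# The base point G generates a group of prime order 19.
# Real deployments use standardized curves with n around 2^256.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies equation (2.1) modulo P_MOD, or is the point at infinity."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law: chord rule for distinct points, tangent rule for doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 is the inverse of p1 (also covers doubling a point with y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Compute k*pt with double-and-add: O(log k) group operations."""
    if k < 0:
        raise ValueError("k must be non-negative")
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared(private_scalar, peer_public):
    """Derive the shared point abP; reject peer values that are not valid curve points."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public value is not a valid curve point")
    return scalar_mult(private_scalar, peer_public)


def brute_force_dlog(q, base=G, order=N):
    """Exhaustive search for l with q = l*base: O(n) work, feasible only for toy n."""
    acc = INF
    for l in range(order):
        if acc == q:
            return l
        acc = point_add(acc, base)
    return None


if __name__ == "__main__":
    a, b = 3, 7  # constructed private scalars
    pub_a, pub_b = scalar_mult(a, G), scalar_mult(b, G)
    print("A = aP:", pub_a, " B = bP:", pub_b)
    print("shared C = abP:", ecdh_shared(a, pub_b), ecdh_shared(b, pub_a))
    print("ECDLP on the toy group, log_P(A) =", brute_force_dlog(pub_a))
```

Double-and-add needs about $\log_2 k$ group operations while the exhaustive search needs up to $n$, and that gap is what makes the ECDLP hard once $n$ is large.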

BAN-logic

BAN-logic overview

Burrows–Abadi–Needham logic, or BAN-logic, was introduced by Burrows, Abadi and Needham in 1990. In this work, they provided a logic of authentication, which is in fact a set of rules for defining and analyzing authentication exchange protocols. The study of BAN-logic came from the need to make a protocol's assumptions explicit and then transform them with deduction rules to reach further conclusions. Logics of authentication like BAN-logic bring many benefits [25]:

• Correctness: The logic of authentication can provide the proof of whether a protocol meets its security goals or not.

• Efficiency: The logic of authentication can improve the efficiency of a protocol by eliminating redundant messages which do not contribute to the achievement of the security goals.

• Applicability: The logic of authentication provides formal clarifications of a protocol's assumptions in order to judge its applicability in practice.

BAN-logic aims to answer the following questions:

• What conclusions does this protocol achieve?

• Which assumptions are needed for this protocol?

• Does this protocol have unnecessary actions, which can be left out without weakening the security?

• Can anything be sent in plain text (without being encrypted) without weakening the security?

BAN-logic makes it possible to reason about cryptographic protocols in a simple and formal way. It can be used in the design of a cryptographic protocol because the use of a formal language in the design process can exclude faults.

Notations

• $P \Rightarrow X$: $P$ has jurisdiction over $X$, which means $P$ has complete control over the formula $X$.

• $P \mid\sim X$: $P$ once said $X$. The principal $P$ at some time sent a message including the statement $X$.

• $\#(X)$: The formula $X$ is fresh, that is, $X$ has not been sent in a message at any time before the current run of the protocol.

• $P \stackrel{K}{\leftrightarrow} Q$: $P$ and $Q$ share a secret key $K$. $P$ and $Q$ can use $K$ to communicate with each other and it is only known to them.

• $\stackrel{K}{\mapsto} P$: $P$ has $K$ as a public key. The corresponding secret key (the inverse of $K$, denoted $K^{-1}$) will never be discovered by any other principal.

• $P \stackrel{X}{\rightleftharpoons} Q$: The formula $X$ is a secret known only to $P$ and $Q$, and possibly to principals trusted by them. Only $P$ and $Q$ may use $X$ to prove their identities to one another.

• $\langle X \rangle_Y$: This represents $X$ combined with the formula $Y$; it is intended that $Y$ be a secret, and that its presence prove the identity of whoever utters $\langle X \rangle_Y$.

Typical protocol goals

A protocol that establishes a session key k for A and B typically has the goal that at the end of a successful run it can be proved that:

To show that A and B know that the other agent knows about the key, the fol- lowing statement should also hold:

• The message meaning rule for shared key:

• The message meaning rule for public key:

• The message meaning rule for shared secret:

$P \mid\equiv P \stackrel{k}{\leftrightarrow} Q$ in which with $X$ the necessary elements for a key is meant.

Protocol analysis with BAN-logic

There are three main stages to the analysis of a protocol using BAN logic.

• Step 1: The first step is to express the assumptions and goals as formulas (also known as statements) in symbolic notation, so that the logic can proceed from a known state and ascertain whether the goals are in fact reached.

• Step 2: The second stage is to transform the protocol steps into formulas in symbolic notation as well.

• Step 3: Lastly, a set of deduction rules called postulates are applied. The postulates should lead from the assumptions, via intermediate formulas, to the authentication goals.

Authentication plays an important role in every system, as one of the security aspects that protect it from possible attacks. This process allows only legitimate entities to access a system and its resources, or creates secure communications between objects to avoid data leakage. As this is an essential process, the last few years have witnessed many authentication schemes proposed for the constrained environment of the IoT. Proposing an authentication protocol means suggesting a way in which we can first verify whether an object has the right to connect and communicate with one or more other objects in the same system, and then establish secure channels between them so that they can talk to each other without worrying about their partners' identities. Solutions for the above goals can be categorized into two main groups: the ones using asymmetric cryptosystems and the rest using symmetric schemes [26].

Authentication protocol taxonomy

Symmetric key schemes

Solutions in the second group are based on symmetric cryptographic schemes in which the protocols aim to securely distribute the symmetric keys, i.e. secret keys, to the whole system. Those keys are used for encrypting and decrypting later communications. The main challenge for such solutions is how these keys can be generated and safely distributed to target objects without being stolen by attackers who interfere with these processes. The mechanism of random key pre-distribution was proposed by the authors in [27]. In this scheme, a large pool of keys is first generated. After that, keys are randomly selected and distributed to device nodes. So, any two nodes may have a shared key with a certain probability. Therefore, this scheme does not guarantee that there is always a pairwise key between all devices.

If there is not, they use their previously established secure channel to exchange the key. In detail, one device generates a random key and sends it via the channel to the other one. Many protocols inspired by this scheme have been proposed [28][29][30]. In other approaches, symmetric keys can be distributed to each pair of nodes using an offline key distribution mechanism [31] or with the support of an intermediate trusted server.

Asymmetric key schemes

This is a very common approach for proposing authentication schemes, based on Public Key Cryptography [32], to establish secure communication between two or more parties. Public Key Cryptography has been extensively used and deployed, especially in the context of the Internet. Most of the schemes in this group can be classified into two categories: key transportation based on public key encryption and key agreement based on asymmetric techniques.

The Transport Layer Security (TLS) [33] is a popular standard protocol in which digital certificates of websites are distributed to their clients as public keys in order to verify the identities of servers and secure the communications that follow. However, TLS is not suitable for IoT because of its strict underlying TCP transport protocol, which is not a good choice for resource-limited devices. To deal with this issue of TLS, another transport protocol, Datagram Transport Layer Security (DTLS) [34], which operates on the unreliable User Datagram Protocol (UDP) but still provides the same security level, has been proposed to replace TLS. In 2012, [35] proposed an implementation of DTLS on sensors with a Trusted Platform Module (TPM) installed. Despite its advantages of high security and data integrity with a reasonable amount of energy consumed, the need to deploy TPM hardware for each sensor is expensive and not scalable. The approach of using raw public keys to encrypt the messages exchanged, with the assumption that everyone knows each other's public keys in a system, is also an option.

Rabin et al. [36] proposed a protocol with a design quite similar to RSA, which is a public key cryptosystem widely used for secure data transmission. Although their proposed scheme consumed as much energy as RSA for encryption, encryption using this scheme is much faster because it needs only one squaring for each message. Nonetheless, the high cost in computation and energy makes it inconvenient when applied to IoT systems. Recent research [37, 38] tried to replace RSA with Elliptic Curve Cryptography (ECC), which has been proved to consume less energy at the same security level [39]. Overall, this approach requires public keys to be first distributed and stored in each device in the whole network. In other words, the key distribution mechanism is the main challenge of such solutions. And the fact that each device has to maintain others' public keys makes them inefficient in terms of storage and scalability.

Key agreement based on asymmetric techniques is an approach in which the parties derive or agree on a shared secret key between them. The Diffie-Hellman protocol is a widely known instance of such an approach. Nonetheless, Diffie-Hellman protocols are usually expensive and thus not advisable for low-powered IoT devices. Several more efficient and lightweight variants, like ECDH which uses ECC, have been proposed for constrained environments.

Authentication using ECC

ECC, an approach to public-key cryptography, was introduced by Miller [23] and Koblitz [24]. ECC is considered to be more suitable for building lightweight public key cryptosystems due to its smaller key size and lower arithmetic requirements compared with the popular RSA at the same security level [40]. Therefore, ECC has been widely considered as a replacement for RSA in public-key cryptosystems. Many remote authentication schemes have been implemented based on it to reduce the computation load for small devices [41,42,43,44,45,46,47,48]. However, in these schemes devices still need to verify the associated certificates by performing additional computations. Moreover, they do not support mutual authentication and session key establishment between devices and remote servers. Realizing these disadvantages, Yang et al. proposed an ID-based remote mutual authentication with key agreement scheme on ECC [44]. Their scheme does not require public keys for all devices. Later, Islam et al. identified that Yang et al.’s scheme suffered from several attacks, failed to protect users’ anonymity and did not offer session key forward secrecy as well [45]. They suggested an improvement to fix these issues. Nonetheless, Truong et al. [46] showed that this scheme still suffered from known session-specific temporary information and denial of service when the server’s database was leaked. In the same research direction, Debiao et al. [47] proposed an ID-based client authentication scheme for the client-server environment on ECC and proved their scheme to be provably secure. Unfortunately, Wang and Ma [48] later claimed that Debiao et al.’s scheme was, in fact, insecure against an active adversary mounting reflection or parallel session attacks and did not provide privacy protection.

The study [43] suggests an authentication protocol between devices and cloud servers using cookie data stored at the device end. The centralized cloud server takes responsibility for registering every device in its network. After that, the server and devices mutually authenticate each other using shared secrets encrypted with ECC. At the end of the authentication phase, the server and the device, by applying an extension of the Diffie-Hellman key exchange method, agree on a common session key to be used for securing their later communications. As communication between devices and the cloud server is the only one proposed to be authenticated, we can infer that the underlying architecture of this model is the client-server architecture popularly used in cloud computing applications. The protocol proves itself to be efficient in terms of security, computational cost, and energy consumption by using ECC for authenticating devices.

Nevertheless, [43] also exposes several disadvantages. The lack of support for D2D authentication is one of the main weaknesses. According to [49], the first and foremost requirement for IoT systems is to support communication between devices. This is because devices are the main users in IoT systems. And D2D automatic communication without any interruption from a centralized control is expected to be an intrinsic part of the IoT [50]. In fact, D2D communication refers to the paradigm where direct connectivity between devices takes place without routing the data through other network architecture. These communications introduce several benefits such as high data transmission rates, reliable communications even when the network fails, energy efficiency as devices use lower transmission power at close range, etc. [51]. D2D communication is also required to be secure to protect the data transmitted. Therefore, it is necessary to also provide mutual authentication between devices. Other disadvantages which have not been addressed in all previous works related to the scheme include the privacy problem and the proposed network architecture. In both described schemes, the identity of a device is exposed every time its authentication with the server occurs. This fact raises another concern over the privacy of devices using this scheme. Considering the network architecture, IoT systems are well known for their highly connected device networks, which are deployed with many different kinds of communication protocols. Thus, assuming that every device is directly connected to a single centralized server via the same communication and networking protocol is not feasible in the broadest scenario of the IoT. State-of-the-art designs for IoT systems require one or more intermediate layers, e.g. gateways, base stations, etc., to support such heterogeneity of device connections, as well as to help lower the burden on centralized servers. That way, devices can be deployed in a distributed manner with suitable networking setups and configurations. A gateway or base station is responsible for a particular number of devices that form a subnetwork.

In these subnetworks, a wide variety of low-power short-range wireless technologies can be applied to provide efficient, low-power and low-latency connectivity among devices and gateways. This architecture subsequently reduces the bandwidth and the power needed by constrained devices compared to when they have to connect and send data themselves all the way to the centralized servers for processing. In addition, different technologies and systems specific to every application domain, such as intrusion detection systems, can be integrated into each subnetwork without affecting the rest of the network.

In this chapter, the proposed protocol will be described in detail. The network architecture which is suitable for the context of IoT systems is first introduced.

Network architecture

The proposed network architecture includes an intermediate layer of gateways lying between the centralized server and devices, as shown in Figure 4.1. This modification results in a three-layer network model. The uppermost layer consists of a centralized server that stores authentication data of every entity in the system. This centralized server provides device authentication services to gateways through a secure channel which is assumed to have already been established between them. Right below this layer is the layer of gateways. Each gateway manages a subnetwork of several devices. And the bottom layer consists of devices in general. Overall, there are three major types of connections in this network model: server-to-gateway, gateway-to-device, and device-to-device connections.

• Centralized server (S): The centralized server has high computational capabilities and resources. This server holds a long-term private key X which is l_h bits long. It is responsible for storing and managing the authentication data of every other device or gateway in the network. It is also the only place where such data are securely stored, and only privileged authorities are allowed to access them. For this reason, the centralized server takes part in the authentication process, in which it supports gateways in verifying devices when they want to join their subnetworks. The communications between the server and gateways are assumed to be safe. Such communications may be made through secure channels or may involve some available authentication and key agreement schemes, which are not included in the scope of this thesis.

Figure 4.1: The network architecture for the proposed authentication protocol.

• Gateway (GW_i): Each gateway is the controller of its subnetwork. This entity is also supposed to have high computational power and resources, and to manage a list of devices. Communications with its devices are secured by their corresponding short-term session keys, which are generated at the end of the authentication phase for joining.

• Device (D_i): Registered embedded devices can join one or more subnetworks. Their registration information is stored at the centralized server. They can communicate with their gateways as well as with other devices in the same subnetworks.

Security and privacy requirements

Both security and privacy are key requirements for the current authentication solution. The privacy goals to be achieved by the proposed authentication process are as follows:

• Identity privacy preservation: Gateways and other devices are not able to extract a device’s real identity by analyzing its intercepted messages during the authentication process.

• Unlinkability: Gateways and other devices cannot link messages of different authentication attempts. They cannot tell whether it is the same device when a device logs into the same or different subnetworks at different times. In short, malicious gateways or devices cannot track a device’s actions through its messages.

• Traceability: Only the trusted centralized server can extract a device’s real identity when it is necessary, e.g. when tracing criminal activities.

The most important privacy requirement of the proposed model is that the real identity of an arbitrary device must only be known by the trusted server. This also means this identity should not be exposed in the authentication processes to other gateways or devices. Therefore I need some kind of virtual identity which others can use to identify the device for a short period. In other words, these short-term identities are valid only in the current session of the device with the others. The fact that devices use different virtual identities for different authentication rounds guarantees their privacy, since no one, except for the trusted server, is able to extract the real identities of the devices and track them. In order to achieve these goals, I present three types of identities for each device which will be used in the scheme:

• Device identity (ID_i): The real identity of the device D_i, which is only known by the trusted centralized server. This identity is uniquely chosen by D_i when it registers with the centralized server.

• Virtual identity (VID_i): The virtual identity is generated right after the registration phase and is stored at the device to be used for later authentication phases. This way the real identity will not be exposed while being used, even if the device is compromised. Like the real identity, the virtual identity of a device is not shared with the others. When the virtual identity is exposed to malicious devices or gateways, the device can simply ask the centralized server to generate another virtual identity.

• Session identity (SID_i): The session identity is generated for each session of a device in a subnetwork. This identity is known by the gateway and all other devices to identify a device in the current subnetwork. Different session identities are generated for different sessions to prevent attackers from tracking a device’s actions. In other words, devices are now able to stay anonymous to others.

Authentication scheme

Registration phase

Every device first joins the system by registering with the trusted centralized server through a secure channel (Figure 4.2). A device chooses a unique identity ID_i and sends it to the server. On receiving the registration, the server generates a random number R_i of l_H bits. Using the device’s identity received, it calculates CK_i and the corresponding CK_i', the cookie data to be used for later device authentication, as (4.1) and (4.2). EXP_TIME_i is an expiry time during which the current registration remains valid. Other values T_i, A_i and A_i' are also computed as (4.3), (4.4) and (4.5) respectively.

Table 4.1: Descriptions of the notations used in this thesis.

Notation      Description
D_i           An end device i in the system
GW_i          A gateway i in the system
S             The trusted registration server of the system
X             The private key of the registration server
G             An additive group implemented by an elliptic curve
G             A generator of the group G (public parameter)
EXP_TIME_i    Expiry time of a session between D_i and S
SK_i          A session key between device i and the server
SK_ij         A session key between device i and device j
H(Y)          The hash operation on Y which outputs an l_H-bit string
h(Y)          The hash operation on Y which outputs an l_h-bit string
×             Elliptic curve linear point multiplication
‖             Concatenation operation
{Y}_k         Symmetric encryption of Y with a key k

An additional step for this phase is computing the virtual identity using ID_i and

The values ID_i, VID_i, A_i', T_i and EXP_TIME_i are stored in the database of the server, while VID_i, CK_i' and A_i are sent back and stored at the device.

Figure 4.2: The registration phase between a device and the trusted server through a secure channel of the proposed scheme. [Steps recoverable from the figure: the device sends a request to register with ID_i; the server generates a random string R_i of length l_H bits, computes VID_i = H(ID_i ‖ R_i) and stores {A_i, ID_i, VID_i, EXP_TIME_i}; the device stores {VID_i, CK_i', A_i}.]

Subnetwork joining phase

This phase aims to achieve mutual authentication between a device and a gateway GW_j of the network it attempts to join. Firstly, the device D_i generates a random nonce N_1 of l_h bits. Using this nonce, the device applies an XOR between its virtual identity VID_i and the hash value of (N_1 × PK_X) to get the session identity (SID_i) for the current session as (4.7), where PK_X = X × G is the public key of the server.

After that, two values P_1 and P_2 are computed as (4.8) and (4.9), and sent with SID_i to the current gateway GW_j in a request to join its subnetwork.


Upon receiving the request, since the gateway has no data to verify the device, it has to ask the centralized server to authenticate the request. So the request is then forwarded to the server. It is assumed that all communications between the gateway and the server are secure; they are not discussed further within the scope of this thesis.

At the server end, it tries to extract the virtual identity VID_i of the device from the request. In order to do this, the server first needs to recompute the value of N_1 × PK_X using the received value of P_1 as (4.10).

Because only the server possesses the private key X, I can be sure that no other entity can calculate this VID_i to track the device. With the value VID_i, the server retrieves the corresponding values ID_i, T_i and EXP_TIME_i from its database and calculates CK_i as (4.2), where R_i is recomputed by R_i = T_i ⊕ H(X). Next, it calculates P_2' as (4.11) and verifies the message by checking whether P_2' equals the received P_2.

If it does not, the authentication process fails and immediately terminates. Otherwise, the server generates a random nonce N_2 (l_h bits) to calculate P_3 and P_4 as (4.12) and (4.13). Finally, it replies to the gateway with P_3, P_4 and N_2.

Upon receiving the server’s response, the gateway is now sure that the joining request is valid, i.e. it is generated by D_i. It keeps N_2 and replies with P_3 and P_4 to the device.

When receiving P_3 and P_4 from the gateway, the device retrieves A_i from its memory, calculates P_4' as (4.14) and verifies this value by comparing P_4' and P_4.

If the two values are not the same, the device terminates the process. Otherwise, it is guaranteed that the gateway is authenticated. Next, it computes T_1 as (4.15) and uses it for calculating V_i and the session key SK_i as (4.16) and (4.17).

The value of V_i will be used by the gateway to confirm the freshness of the authentication request. The device sends this value to the gateway and stores (SK_i, GW_j, SID_i) in its memory to be used in later communications with the gateway.

The gateway, upon receiving V_i, verifies the value by calculating the value V_i' itself as (4.18) and comparing the two values.

If this final test passes, the common session key is computed by the gateway GW_j as (4.19). It stores this key and SID_i before finally ending the authentication process successfully. The summary of this phase is shown in Figure 4.3.

D2D Authentication Phase

Assume that two devices D_1 and D_2 have joined the subnetwork under the control of the gateway GW_j with corresponding session keys SK_1' and SK_2'. The authentication process starts when D_1 wants to securely communicate with D_2. The authentication steps are much the same as those between them and the gateway, as follows.

Firstly, D_1 generates a random nonce of l_h bits, N_1, then uses it to calculate P_1 and P_2 as (4.20) and (4.21). Instead of CK_i' as in the joining phase, this time SK_1, the shared session key between it and the gateway, is used to prove its authenticity as shown in (4.22). Next it initializes an authentication request containing SID_i, P_1 and P_2 and sends it to D_2.

Upon receiving the request, D_2 generates a random nonce N_2 (l_h bits) and then calculates P_4 as (4.23).

Using the session key SK_2 created in the joining phase to encrypt the values of SID_1, P_1, P_2 and P_3, D_2 can securely send them to the gateway GW_j.

Figure 4.3: The authentication process when a device joins a subnetwork with the verification from the trusted server of the proposed scheme.

The gateway is responsible for verifying the request by calculating T_1 as (4.24) and using it to calculate the value P_2' as (4.25) (and comparing it to the value P_2 received).

The process is continued when P_2 = P_2'. GW_j calculates P_4 as (4.26), encrypts the value along with the received value P_3' (P_3' = P_3) by SK_2' and sends back to the

The value P_3' is sent back from GW_j to D_2 to prove the freshness of this message. Assume that an attacker impersonates GW_j by replaying an old message encrypted with SK_2: the value P_3' received lets D_2 know that it is truly a fresh response from GW_j for the current D2D authentication session, as P_3' = P_3, which is freshly generated by D_2 itself. This response is also a verification from the gateway GW_j of the validity of D_1’s authentication request. Thus, D_2 continues the process by sending the values of P_4 and P_3 to D_1.

On receiving P_4, D_1 is able to authenticate D_2 by calculating P_4' from P_3, N_1 and SK_i as (4.27) and then comparing the two values. If they match each other, D_1 calculates the session key SK_12 by (4.28). Finally, it encrypts an arbitrary message known by both devices with the newly computed session key SK_12 and sends it to D_2. In the proposed scheme, I choose P_1 as the message to be encrypted by SK_12. The value of the computed session key is stored and D_1 terminates the authentication process.

D_2, when receiving the encrypted message, starts to calculate the session key using P_1 and N_2 as (4.29). If it can successfully decrypt the message using this session key (SK_12'), the freshness of the original authentication request is guaranteed. It thus stores this session key in its memory and terminates the authentication process successfully. The whole process for this phase is displayed in Figure 4.4.

Figure 4.4: The D2D authentication phase between two devices with the verification of their gateway of the proposed scheme. [Step recoverable from the figure: if message M can be decrypted with SK_12' to get P_1, then store {SK_12', SID_1}.]

In this chapter, I prove that the proposed authentication protocol is secure and resilient to different attacks by conducting a thorough security analysis of the scheme. My work includes a formal security analysis with Burrows-Abadi-Needham logic (BAN-logic) as well as an informal analysis to prove the resilience of the proposed scheme to different popular attacks.

Formal analysis

Subnetwork joining authentication

A_10: t_S represents that S is a trustworthy principal to GW_j, i.e. GW_j |≡ #(t_S)

(1) From the fact that D_i generates N_1 we get:

(2) We apply R_14 to the fact that D_i chooses a random nonce N_1 to derive:

(3) From the fact that S generates N_2 we get:

(4) We apply R_14 to the fact that S chooses a random nonce N_2 to derive:

(5) We apply R_13 to S_2 to derive:

(6) We apply R_12 to S_5 to derive:

(8) We apply R_10 to A_7 and S_7 to derive:

S_8: S ◁ (α^{N_1}, ⟨α^{N_1}⟩_{CK_i})

(9) We apply R_9 to S_8 to derive:

(10) We apply R_3 to A_5 and S_9 to derive:

(12) We apply R_1 to A_8 and S_11 to derive:

S_12: GW_j |≡ S |∼ (α^{N_2}, N_2, ⟨α^{N_1}, α^{N_2}⟩_{A_i}, t_S)

(13) We apply R_12 to A_10 to derive:

S_13: GW_j |≡ #(α^{N_2}, N_2, ⟨α^{N_1}, α^{N_2}⟩_{A_i}, t_S)

(14) We apply R_4 to S_12 and S_13 to derive:

S_14: GW_j |≡ S |≡ (α^{N_2}, N_2, ⟨α^{N_1}, α^{N_2}⟩_{A_i}, t_S)

(15) We apply R_6 to S_14 to derive:

(16) We apply R_15 to A_12 and S_15 to derive:

(17) We apply R_15 to A_11 and S_16 to derive:

S_19: D_i ◁ (α^{N_2}, ⟨(α^{N_1}, α^{N_2})⟩_{A_i})

(19) We apply R_9 to S_19 to derive:

(21) We apply R_13 to S_2 to get:

(22) We apply R_12 to S_22 to get:

(24) We apply R_6 to S_24 to derive:

(25) We apply R_15 to A_13 and S_26 to derive:

(27) We apply R_8 to S_21 to derive:

(28) We apply R_4 to S_5 and S_29 to derive:

(29) We apply R_6 to S_26 to derive:

(31) In D_i’s view, S takes responsibility for safely distributing session keys between D_i and GW_j to GW_j. Therefore, if D_i believes that S believes in the trust of a shared key, it also believes that GW_j (to whom the key is distributed) has the same belief, which (with S_32) leads to

(32) As the protocol takes advantage of the ECDLP and ECDHP, we can derive the following statements to support the further process of deriving the belief of D_i and

(34) We apply R_3 to S_35 and S_36 to derive:

(36) We apply R_13 to S_38 to derive:

(37) We apply R_4 to S_37 and S_39 to derive:

(39) We apply R_6 to S_41 to derive:

S_44: GW_j |≡ D_i |≡ D_i ←SK_i→ G (Goal 4)

(41) We apply R_15 to A_14 and S_41 to derive:

(42) We apply R_15 to A_11 and S_16 to derive:

D2D authentication

A_13: If D_1 |≡ GW_j |≡ X then D_1 |≡ D_2 |≡ X. This assumption comes from the public knowledge of the network about the gateway GW_j’s control in the D2D authentication process.

(1) From the fact that D_1 generates N_1 we get:

(2) We apply R_14 to the fact that D_1 chooses a random nonce N_1 to derive:

(3) We apply R_13 to S_2 to get:

(4) From the fact that D_2 generates N_2 we get:

(5) We apply R_14 to the fact that D_2 chooses a random nonce N_2 to derive:

(6) We apply R_13 to S_5 to derive:

1 )

(8) We apply R_9 to S_7 to derive:

(9) Applying R_3 to A_2 and S_8 we get:

(10) Applying R_12 to A_2 and S_3 we get:

(11) We apply R_4 to S_9 and S_10 to derive:

(12) We apply R_5 to S_11 to derive:

(14) We apply R_16 to S_15 and A_10 to derive:

(15) From S_16 and S_2 we derive (as SK_12 = H(α^{N_1} ‖ α^{N_1 N_2})):

(16) We apply R_16 to S_17 and S_15 to derive:

(17) We apply R_6 to S_15 to derive:

(19) As the protocol takes advantage of the ECDLP and ECDHP, we can derive the following statements to support the further process of deriving the belief of D_1 and D_2:

(22) We apply R_3 to S_22 and S_23 to derive:

(23) We apply R_12 to S_6 to derive:

(24) We apply R_4 to S_24 and S_25 to derive:

(25) We apply R_6 to S_26 to derive:

(26) We apply R_15 to S_27 and A_12 to derive:

(27) From S_16 and S_2 we derive (as SK_12 = H(α^{N_1} ‖ α^{N_1 N_2})):

(28) We apply R_16 to S_27 and S_30 to derive:

(29) We apply R_6 to S_15 to derive:

Informal analysis

Security properties

The most important security property offered by the proposed scheme is mutual authentication between entities. The authentication is mutual, or two-way, as each entity, in turn, sends messages containing data to authenticate itself to the other. In the subnetwork joining phase, the request message sent from the device (D_i) to the gateway (GW_j) includes its cookie data, which can be used to authenticate its identity to GW_j indirectly with the help of the server (S). Next, the device also receives the response containing a shared secret between it and S, which is considered a confirmation from the trusted server S of the validity of GW_j. Therefore, D_i indirectly authenticates GW_j via the control of S. In a similar manner, the D2D authentication phase also achieves mutual authentication between devices. In its authentication request, D_1 includes its session key, which can help authenticate itself to D_2 with the support of their gateway GW_j. And D_1 receives the reply created with the same session key, which can only be generated by the gateway G and thus indirectly proves D_2’s authenticity.

Confidentiality refers to the use of cipher algorithms, the provision of a key agreement scheme as well as the confidentiality of users/devices’ private data.

In both the subnetwork joining phase and the D2D authentication phase of the proposed scheme, the final goal is to establish a shared session key between entities for later securing their communications. Also, the proposed protocol successfully protects devices’ private data such as their real identities, their cookie data, and their session keys as well. Those private data are not sent directly through the network in plain text. They are always combined with random nonces and wrapped with one-way hash functions, which makes it impossible to derive the original values of such data and thus guarantees their confidentiality.

An important advantage offered by the proposed protocol in comparison with the previous works is privacy provision. Device privacy is reflected in the concealment of the real identities of devices through the introduction of the virtual identity and the session identity. The virtual identity, VID_i = H(ID_i ‖ R_i), hides the real identity ID_i. With VID_i, devices do not need to store their ID_i in their local memory. Hence, even if the devices are compromised, attackers can only extract their virtual identities. Those devices then just have to request new virtual identities from the server and drop the compromised ones. It is also noted that, because VID_i is computed with a random number (R_i), attackers who are assumed to have both VID_i and ID_i of a device are still not able to confirm the equality VID_i =? H(ID_i ‖ R_i) without the knowledge of R_i. For that reason, attackers cannot derive any useful information about the device’s identity.

Another aspect of privacy provided by the proposed scheme is unlinkability. Linkability considers the scenario in which attackers who do not know the real identity of a device can still track its actions by recognizing some particular values corresponding to that device in different messages. In other words, if we only use the virtual identities, an attacker can notice that the same value of VID_i is sent over and over again for a device. As a result, he/she can infer which messages originated from the same device. The use of session identities in the proposed protocol thus helps to provide unlinkability. As the session identity of a device changes every time it requests to join a subnetwork, attackers cannot trace its actions among different authentication sessions.

In the proposed protocol, each communication session uses a unique session key generated at the end of the authentication phases (both the subnetwork joining phase and the D2D authentication phase). This key is only valid in its session and is not involved with any special key such as the server’s private key. Even if attackers compromise such special keys, all communications of devices stay encrypted and safe. In case one of the session keys is leaked to attackers, they can only use it for conversations in that respective session. Messages of the other sessions stay unaffected. Therefore, perfect forward/backward secrecy is guaranteed with the proposed scheme.

Resilience to attacks

• Resilience to replay attack: This is an attack where valid data packet transmissions are captured by attackers and later repeated.

– Replay attack in subnetwork joining phase: In this phase an attacker may replay an old joining request of a device i to a subnetwork, i.e. (SID_i, P_1, P_2). This replayed message subsequently passes even the validation step at the server, because the server can only check the generator of the message, not its freshness. Nevertheless, in order to successfully break the authentication, the attacker is required to calculate a fresh value V_i, which is computed as (4.18) from A_i and N_1, both of which are known only by D_i itself. Without these values, the attacker is not able to compute V_i, and thus is also not able to authenticate itself to the gateway. So no new session key is agreed or updated for the current session in the attempt of replaying the joining request messages. In another attempt, replaying responses from the gateway to the device, the attack immediately fails because it is impossible to compute the corresponding value of P_4 = H(P_2 ‖ N_2 × A_i') for a specific requested value of (P_1, P_2, SID_i), which requires the knowledge of the shared secret between the device and the server, A_i.

– Replay attack in D2D authentication phase: In this phase, replaying the authentication request from a device also fails at the final verification message that confirms the freshness of this request, because it needs the session key between the genuine device and the gateway to obtain the value of the agreed key between devices (as computed by (4.28)). Replaying messages other than the authentication requests, i.e. the responses from the gateway or the second device, is not possible either, due to the incompatibility between these requests and the replayed responses in different sessions. In other words, for each request, there is only one corresponding response. Attackers thus cannot reuse old responses from previous sessions for new requests.

• Resilience to impersonation attack: This is an attack where an adversary attempts to impersonate legitimate entities in a system by obtaining their identities.

– Impersonation attack in subnetwork joining phase: In this phase, an adversary can try to generate a joining request with the session identity of another device to impersonate it. This session identity can easily be acquired by capturing previous plain request messages made by the legitimate device. However, besides the session identity, the adversary also needs the device's secret cookie data to generate the valid value of the corresponding $P_2$ as in (4.9). Therefore, this attempt fails at the verification step of the trusted server.

– Impersonation attack in D2D authentication phase: Besides the session identity, the requesting device also has to use its session key to compute the values included in the request message. So attackers without the valid session key of a device will fail to impersonate it with only its session identity.

• Resilience to known session key attack: In this attack, an adversary, after compromising a session key, tries to obtain another session key. The proposed protocol is resilient to this kind of attack because in both the subnetwork joining phase and the D2D authentication phase, the session keys are computed from nonces ($N_1$, $N_2$) randomly generated by both parties. Therefore, even knowing a particular session key does not help attackers derive the values of other session keys.

• Resilience to offline dictionary attack: In the scheme, all the values used for authentication, such as cookie data ($CK_i$), $A_i$ and session keys, are generated with random numbers and hash functions. As it does not use any meaningful words or passphrases, the protocol is resilient to offline dictionary attack.

• Resilience to the leak of verifier attack: This is an attack when malicious users have permission to access the database of verifiers, i.e. the trusted server for the subnetwork joining phase and the gateways in the D2D authentication phase. For the subnetwork joining phase, in case the database of the trusted server is leaked to attackers, they are not able to retrieve the session keys established between devices and gateways in the system, as these data are not stored by the server. Also, the session keys are generated with only random nonces, so even when attackers can retrieve the related data of every device and gateway, they cannot use them to recompute the session keys either. Therefore, communications within a subnetwork remain safe even when the trusted server database is leaked. Similarly, the session keys established between devices in the D2D authentication phase are not stored in the gateways' database. In fact, gateways neither know the session keys nor are able to compute them during the authentication phase. This is explained by the fact that the value of $N_2$, which is essential for calculating the final session key, is generated at the devices and not sent to the gateways in the process. As a result, communications between devices in a subnetwork are safe from the threat of leakage of the gateway's database.

• Resilience to man-in-the-middle attack: This is an attack when an attacker attempts to relay or even manipulate the communications between two parties who believe they are directly communicating with each other. In the subnetwork joining phase, an adversary can stand between a device and a gateway and relay communications between them. The device and the gateway believe they are talking to each other while in fact they are talking to the adversary. The attack first starts when the device sends a joining request $(P_1, P_2, SID_i)$ to the adversary. The adversary then forwards the request to the real gateway in order to impersonate the device. This request successfully passes the verification at the gateway with the help of the authentication server. The adversary thus receives the response including the values $P_3$ and $P_4$ from the gateway, and forwards it back to the device. By verifying this response, the device can now authenticate the other entity as the gateway without any doubt. We can see that the adversary has successfully tricked the device and the gateway until now. Fortunately, the final goal, which is to obtain the agreed session key, cannot be achieved by the adversary. An important feature of the proposed protocol is that the gateway needs to compute the session key itself using the random nonce, which is not exposed to others. Without this value, the adversary will fail to compute the session key. Hence, this kind of attack does not affect the subnetwork joining phase. The same analysis can be conducted for the D2D authentication phase.

Table 5.1 summarizes the security offered by the proposed scheme in comparison with previous works.

Table 5.1: Comparisons with previous schemes

Flexible infrastructure                       X
Resistance to replay attack                   X   X
Resistance to impersonation attack            X   X
Resistance to known session key attack        X   X
Resistance to offline dictionary attack       X   X
Resistance to leak of verifier attack         X   X
Resistance to man-in-the-middle attack        X   X

As mentioned above, the resource-constrained nature of IoT devices is one of the major barriers to the deployment into practical systems of authentication solutions in particular, as well as security solutions in general. The evaluation of the feasibility of an authentication scheme is therefore essential. In this chapter, I present the analysis of the performance of the proposed solution, which is considered and compared to the previous base-scheme. The analysis covers different performance aspects such as authentication cost, communication delay and the required resource consumption. In fact, the above parameters are important indicators that affect the overall performance and are suitable for evaluating the performance of any authentication protocol. As described in the previous section, there are three major types of entities in the proposed scheme, which are registration servers, gateways and end devices. However, the analysis will mostly focus on end devices, which are supposed to be resource-constrained objects.

Computational cost

Computational energy cost

In order to further analyze the computation costs of both protocols, I now calculate the costs in terms of energy consumption for each one. As the proposed protocol uses different cryptographic algorithms including hashing, elliptic curve cryptography and symmetric cryptography, each of which has many options, I first choose specific configurations for these algorithms that will be used throughout the following analysis. The hash function SHA-1 is chosen for hashing operations. For the elliptic curve, a strong and secure variant for which ECDLP and ECDH are believed to hold, Curve M-221, is used. (6.1) presents the equation of this curve.

$$y^2 = x^3 + 117050x^2 + x \bmod p, \qquad p = 2^{221} - 3 \tag{6.1}$$

The order of $G$ is thus 221-bit, i.e. $l_h$ is 221-bit. Symmetric encryption/decryption is supposed to use AES with a 128-bit key size in ECB mode. Table 6.2 summarizes the configurations of these cryptographic algorithms. The device assumed to be used is the Tmote Sky (also known as TelosB). Table 6.2 also presents the energy consumption estimated for the operations performed in both schemes. According to the results in [52], SHA-1 consumes 57 µJ per operation. An Elliptic Curve Diffie-Hellman operation consumes only 9.48 µJ [43]. And encryption and decryption with AES need only 9 µJ for each operation with 128-bit data [51].

The estimations of the data length to be encrypted and transmitted are presented in Table 6.3. These estimations will be used to calculate the number of encryption/decryption operations performed. Table 6.4 shows the energy consumption comparison between the enhanced scheme and previous schemes.

Table 6.2: Summary of energy consumption per operation.

Notation    Description                                                   Energy consumption (µJ)
$T_s$       Symmetric encryption/decryption with AES per 128-bit block
$T_e$       Elliptic curve multiplication using Curve M-221

As shown in Table 6.4, a device in Phase 1 with the proposed scheme consumes the same amount of energy, 47,685 µJ, as the base-scheme. In Phase 2, i.e. D2D authentication, the proposed scheme shows a difference in performance between the two devices taking part in it. $D_1$, i.e. the initiating device, needs to perform 4 hash operations, encryption on 4 blocks of 128-bit and 3 elliptic curve multiplication operations. The higher number of multiplication operations results in higher energy consumption, which is approximately 28,704 µJ. In comparison, $D_2$, i.e. the requested device, needs one hash operation, encryption/decryption operations on 14 data blocks of 128-bit (referred from Table 6.3), and two multiplication operations on the elliptic curve. As a result, the requested device $D_2$ only consumes 19,143 µJ. The difference in energy required for each device in this phase shows an interesting property: the requested device needs to spend considerably fewer resources for processing an authentication request from the initiating device. In fact, this property is an advantage in the scenario of a DDoS attack, in which an attacker attempts to overwhelm the target with a huge number of invalid requests. In those cases, we do not want the target device to waste too much energy on processing those requests before the attack is detected, and the D2D authentication phase provides this. Unfortunately, I am not able to directly compare the computational cost between the proposed protocol and the base-scheme, as there is no authentication phase for communications between devices in their work. But it is obvious that the largest amount of energy one device consumes for D2D authentication, i.e. 28,704 µJ, is only half of the amount needed for such a device to authenticate itself with the gateway/server in Phase 1.

Table 6.3: Data length of values used in both the proposed scheme and the base-scheme.

Phase Device Operation Proposed protocol [43]

Processing time

I set up experiments to measure the processing time taken by each device using the proposed protocol. The implementation was written in Python and was run on an Intel i5-8250U, CPU 1.60GHz×8. The average processing times of devices in the protocols are summarized in Table 6.6. The results show that in both protocols it takes a device only approximately 0.521s to do all the operations needed for the authentication with the gateway or the server. The authentication between devices takes a little less time, which is 0.427s for the initiating device (Device 1) and 0.225s for the responding device (Device 2).

Table 6.5: Processing time of devices in seconds.

Phase Device Proposed protocol Base-scheme

Communication overhead

Communication overhead herein comprises the cost of sending messages and the cost incurred by the delay when waiting for other entities to complete processing and respond with the results. So this cost depends on the length of transmitted messages as well as the processing time of repliers. Assume that the average time for transmitting each bit on connections inside a subnetwork and outside it, i.e. the connections to the servers, is $T_{local}$ and $T_{global}$ respectively. Table 6.6 gives the total transmission length of each device in the schemes. Hence, the communication overhead for a device in the authentication phase between it and the server in [43] equals the sum of the transmission time and the processing time of the server, which is $1396\,T_{global} + 0.497$ (s). Similarly, the corresponding overhead for a device using the proposed scheme is the sum of the transmission time between it and the gateway, the transmission time between the gateway and the server, and the processing time at both the gateway and the server, which is $1268\,T_{local} + 1664\,T_{global} + 0.121 + 0.377 = 1268\,T_{local} + 1664\,T_{global} + 0.498$ (s).

We can see from the two results that in the proposed scheme the communication overhead of a device is more than that of the base-scheme by approximately $1268\,T_{local} + 268\,T_{global}$. It should be noted that since $T_{local}$ represents the transmission time in the local network area while $T_{global}$ stands for the transmission time to a cloud server over the Internet, the value of $T_{local}$, in reality, would be much smaller than $T_{global}$. In addition, the data transmitted are also small, so the rise in communication overhead and delay of the proposed scheme is considered acceptable, as it is incurred only once at the beginning of each communication session. Moreover, the benefits it brings are rewarding: in later communication, when much larger data need to be transmitted from a device to clouds, the device only needs to send to its nearby gateway instead of going a long way over the Internet to reach the clouds, hence saving much of its resources.

Table 6.6: Transmission length of each entity in the proposed protocol and in the base scheme in the joining phase.

Proposed protocol    (2) Gateway → Server    $128 + \{442 + 128 + 128\}_{128}$    $896\,T_{global}$

Recently, the Internet of Things (IoT) has emerged as one of the building blocks of future digital industrial technologies. The ability to interconnect heterogeneous devices that generate and exchange a huge amount of data has opened a new era in which many advanced services that greatly enhance our quality of life are now provided. Along with its huge opportunities, it also comes with different challenges, among which security issues are getting more and more attention. The connectivity of IoT devices introduces the urgent need for secure communication between entities in IoT systems, achieved by authenticating their identities to the other parties. That is where authentication protocol solutions come into play to address this issue. In fact, authentication is not something new but a necessary component of any system. The data transmitted between devices during such authentication may contain different kinds of information directly involving users' private daily behaviors and preferences. The risk of exposing such data makes users uncomfortable trying solutions without guaranteed privacy preservation. On the other hand, the unique characteristics of the IoT make it challenging to apply traditional security solutions, especially the resource constraints of a large proportion of devices in the IoT.

The purpose of this thesis hence is to propose a new authentication protocol which supports mutual authentication between entities in IoT systems while preserving their privacy. Also, the proposed scheme needs to be suitable for devices with limited resources. For such reasons, in this thesis I use elliptic curve cryptography, which is widely known for its efficient resource consumption, to design the authentication scheme. The new protocol is proposed for a distributed network architecture where light-weight IoT devices do not directly communicate with the centralized server, but via authorized gateways, forming different subnetworks. This architecture brings a flexible and efficient organizational structure for the systems, in which it does not constrain the number of network protocols to be used. More importantly, this new proposal offers flexibility for large distributed networks with lightweight IoT devices, which also reflects real-world scenarios. The authentication scheme includes three main phases: (1) registration phase of a device to the server, (2) authentication phase with a gateway when a device joins its subnetwork, and (3) authentication between two devices in a subnetwork. The correctness of the proposed authentication schemes is proven using a formal analysis with BAN-logic in order to show that mutual authentication and session key agreement between participants can be achieved securely. I also provide additional analysis on their resilience to different kinds of popular attacks while preserving devices' privacy. Starting from an existing protocol which originally only supports authentication between a device and the cloud servers, this research extends and improves it so that it can provide secure communication for direct device-to-device connections, and enables the distributed architecture, which enhances the efficiency of resource consumption of edge devices. Performance analysis, including computational and communication overhead analysis, conducted in the research also confirms the efficiency of the proposed protocol over the base scheme. The main weakness of the research is that it lacks an actual implementation and deployment on real devices (with limited resources and computational power) to assess its resource consumption in practice, which is mainly due to the limit of time and the difficulty of finding proper measuring devices to precisely measure energy consumption.

Further research on the issue of privacy protection in the protocol can be carried out to improve the security level of the proposed scheme. Since most (lightweight) IoT devices nowadays have sensors to detect changes in the real world, the information they contain may accordingly be sensitive and should not be exposed. Associating the authentication process with the variety of privacy protection demands in real-world applications (e.g., [53], [54], [20], [55]) is a possible way to extend the security capabilities of the protocol, especially with resource-constrained IoT devices. On this account, what data can be shared between two devices after completing authentication is an interesting problem that should be further studied.

[1] L. Columbus. Roundup of internet of things forecasts and market estimates. https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016. Accessed: 2018-Nov-10.

[2] Daniela Maresch and Johannes Gartner. Make disruptive technological change happen-the case of additive manufacturing. Technological Forecasting and Social Change, 2018.

[3] Emmanouil Vasilomanolakis, Jörg Daubert, Manisha Luthra, Vangelis Gazis, Alex Wiesmaier, and Panayotis Kikiras. On the security and privacy of internet of things architectures and systems. In 2015 International Workshop on Secure Internet of Things (SIoT), pages 49–57. IEEE, 2015.

[4] Luigi Atzori, Antonio Iera, and Giacomo Morabito. The internet of things: A survey. Computer networks, 54(15):2787–2805, 2010.

[5] Carlo Maria Medaglia and Alexandru Serbanati. An overview of privacy and security issues in the internet of things. In The internet of things, pages 389–395. Springer, 2010.

[6] Xiaolin Jia, Quanyuan Feng, Taihua Fan, and Quanshui Lei. Rfid technology and its applications in internet of things (iot). In 2012 2nd international conference on consumer electronics, communications and networks (CECNet), pages 1282–1285. IEEE, 2012.

[7] Ruth Ande, Bamidele Adebisi, Mohammad Hammoudeh, and Jibran Saleem. Internet of things: Evolution and technologies from a security perspective. Sustainable Cities and Society, 2019.

[8] Yuqiuge Hao and Petri Helo. The role of wearable devices in meeting the needs of cloud manufacturing: A case study. Robotics and Computer-Integrated Manufacturing, 45:168–179, 2017.

[9] Everything you need to know about iot applications. https://www.simplilearn.com/iot-applications-article. Accessed: 2019-Nov-30.

[10] Internet of things applications area – iot applications market. https://iotworm.com/internet-of-things-applications-area/. Accessed: 2019-Nov-30.

[11] Nguyen Cong Luong, Dinh Thai Hoang, Ping Wang, Dusit Niyato, Dong In Kim, and Zhu Han. Data collection and wireless communication in internet of things (iot) using economic analysis and pricing models: A survey. IEEE Communications Surveys & Tutorials, 18(4):2546–2590, 2016.

[12] Rodrigo Roman, Javier Lopez, and Masahiro Mambo. Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges. Future Generation Computer Systems, 78:680–698, 2018.

[13] Flavio Bonomi, Rodolfo Milito, Jiang Zhu, and Sateesh Addepalli. Fog computing and its role in the internet of things. In Proceedings of the first edition of the MCC workshop on Mobile cloud computing, pages 13–16. ACM, 2012.

[14] Vivek Kumar Sehgal, Anubhav Patrick, Ashutosh Soni, and Lucky Rajput. Smart human security framework using internet of things, cloud and fog computing. In Intelligent distributed computing, pages 251–263. Springer, 2015.

[15] Ikram Ud Din, Mohsen Guizani, Suhaidi Hassan, Byung-Seo Kim, Muhammad Khurram Khan, Mohammed Atiquzzaman, and Syed Hassan Ahmed. The internet of things: A review of enabled technologies and future challenges. IEEE Access, 7:7606–7640, 2018.

[16] Jianbing Ni, Kuan Zhang, Xiaodong Lin, and Xuemin Sherman Shen. Securing fog computing for internet of things applications: Challenges and solutions. IEEE Communications Surveys & Tutorials, 20(1):601–628, 2017.

[17] Zeeshan Ali Khan. Using energy-efficient trust management to protect iot networks for smart cities. Sustainable cities and society, 40:1–15, 2018.

[18] Rawan Alkurd, Raed M Shubair, and Ibrahim Abualhaol. Survey on device-to-device communications: Challenges and design issues. In 2014 IEEE 12th International New Circuits and Systems Conference (NEWCAS), pages 361–364. IEEE, 2014.

[19] Kim Khanh Tran, Minh Khue Pham, and Tran Khanh Dang. A light-weight tightening authentication scheme for the objects’ encounters in the meetings. In International Conference on Future Data and Security Engineering, pages 83–102. Springer, 2018.

[20] Tran Khanh Dang and Khanh TK Tran. The meeting of acquaintances: A cost-efficient authentication scheme for light-weight objects with transient trust level and plurality approach. Security and Communication Networks,

[21] Darrel Hankerson, Alfred J Menezes, and Scott Vanstone. Guide to elliptic curve cryptography. Computing Reviews, 46(1):13, 2005.

[22] Introduction to public-key cryptography. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System_Common_Criteria_Certification/8.1/html/Deploy-_and_Install_Guide/Introduction_to_Public_Key_Cryptography.html. Accessed: 2019-Nov-30.

[23] Victor S Miller. Use of elliptic curves in cryptography. In Conference on the theory and application of cryptographic techniques, pages 417–426. Springer,

[24] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of computation,

[25] Michael Burrows, Martin Abadi, and Roger Michael Needham. A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences, 426(1871):233–271, 1989.

[26] Kim Thuat Nguyen, Maryline Laurent, and Nouha Oualha. Survey on secure communication protocols for the internet of things. Ad Hoc Networks, 32:17–

[27] Laurent Eschenauer and Virgil D Gligor. A key-management scheme for distributed sensor networks. In Proceedings of the 9th ACM conference on Computer and communications security, pages 41–47. ACM, 2002.

[28] Haowen Chan, Adrian Perrig, and Dawn Song. Random key predistribution schemes for sensor networks. 2003.

[29] Takashi Ito, Hidenori Ohta, Nori Matsuda, and Takeshi Yoneda. A key pre-distribution scheme for secure sensor networks using probability density function of node deployment. In Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks, pages 69–75. ACM, 2005.

[30] David D Hwang, Bo-Cheng Charles Lai, and Ingrid Verbauwhede. Energy-memory-security tradeoffs in distributed sensor networks. In International Conference on Ad-Hoc Networks and Wireless, pages 70–81. Springer, 2004.

[31] Shahid Raza, Simon Duquennoy, Tony Chung, Dogan Yazar, Thiemo Voigt, and Utz Roedig. Securing communication in 6lowpan with compressed ipsec. In 2011 International Conference on Distributed Computing in Sensor Systems and Workshops (DCOSS), pages 1–8. IEEE, 2011.

[32] GS Simmons. An introduction to shared secret and/or shared control schemes and their application. Contemporary cryptology, 1992.

[33] Tim Dierks and Christopher Allen. The tls protocol version 1.0, 1999.

[34] Eric Rescorla and Nagendra Modadugu. Datagram transport layer security version 1.2, 2012.

[35] Thomas Kothmayr, Corinna Schmitt, Wen Hu, Michael Brünig, and Georg Carle. A dtls based end-to-end security architecture for the internet of things with two-way authentication. In 37th Annual IEEE Conference on Local Computer Networks-Workshops, pages 956–963. IEEE, 2012.

[36] Michael O Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical report, Massachusetts Inst of Tech Cambridge Lab for Computer Science, 1979.

[37] Debiao He and Sherali Zeadally. An analysis of rfid authentication schemes for internet of things in healthcare environment using elliptic curve cryptography. IEEE internet of things journal, 2(1):72–83, 2014.

[38] Shehzad Ashraf Chaudhry, Mohammad Sabzinejad Farash, Husnain Naqvi, and Muhammad Sher. A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Electronic Commerce Research, 16(1):113–139, 2016.

[39] Nils Gura, Arun Patel, Arvinderpal Wander, Hans Eberle, and Sheueling Chang Shantz. Comparing elliptic curve cryptography and rsa on 8-bit cpus. In International workshop on cryptographic hardware and embedded systems, pages

[40] Zhe Liu, Xinyi Huang, Zhi Hu, Muhammad Khurram Khan, Hwajeong Seo, and Lu Zhou. On emerging family of elliptic curves to secure internet of things: Ecc comes of age. IEEE Transactions on Dependable and Secure Computing,

[41] Sheetal Kalra and Sandeep K Sood. Secure authentication scheme for iot and cloud servers. Pervasive and Mobile Computing, 24:210–223, 2015.

[42] Chin-Chen Chang, Hsiao-Ling Wu, and Chin-Yu Sun. Notes on “secure authentication scheme for iot and cloud servers”. Pervasive and Mobile Computing,

[43] King-Hang Wang, Chien-Ming Chen, Weicheng Fang, and Tsu-Yang Wu. A secure authentication scheme for internet of things. Pervasive and Mobile Computing, 42:15–26, 2017.

[44] Jen-Ho Yang and Chin-Chen Chang. An id-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem.

[45] Sk Hafizul Islam and GP Biswas. A more efficient and secure id-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Journal of Systems and Software, 84(11):1892–1898, 2011.

[46] Toan-Thinh Truong, Minh-Triet Tran, and Anh-Duc Duong. Improvement of the more efficient and secure id-based remote mutual authentication with key agreement scheme for mobile devices on ecc. In 2012 26th International Conference on Advanced Information Networking and Applications Workshops, pages 698–

[47] He Debiao, Chen Jianhua, and Hu Jin. An id-based client authentication with key agreement protocol for mobile client–server environment on ecc with provable security. Information Fusion, 13(3):223–230, 2012.

[48] Ding Wang and Chun-Guang Ma. Cryptanalysis of a remote user authentication scheme for mobile client–server environment based on ecc. Information Fusion,

Date posted: 05/08/2024, 00:00

Nguồn tham khảo

Tài liệu tham khảo Loại Chi tiết
[2] Daniela Maresch and Johannes Gartner. Make disruptive technological change happen-the case of additive manufacturing. Technological Forecasting and So- cial Change, 2018 Sách, tạp chí
Tiêu đề: Technological Forecasting and So-cial Change
[3] Emmanouil Vasilomanolakis, J¨org Daubert, Manisha Luthra, Vangelis Gazis, Alex Wiesmaier, and Panayotis Kikiras. On the security and privacy of internet of things architectures and systems. In 2015 International Workshop on Secure Internet of Things (SIoT), pages 49–57. IEEE, 2015 Sách, tạp chí
Tiêu đề: 2015 International Workshop on SecureInternet of Things (SIoT)
[4] Luigi Atzori, Antonio Iera, and Giacomo Morabito. The internet of things: A survey. Computer networks, 54(15):2787–2805, 2010 Sách, tạp chí
Tiêu đề: Computer networks
[5] Carlo Maria Medaglia and Alexandru Serbanati. An overview of privacy and security issues in the internet of things. In The internet of things, pages 389–395. Springer, 2010 Sách, tạp chí
Tiêu đề: The internet of things
[6] Xiaolin Jia, Quanyuan Feng, Taihua Fan, and Quanshui Lei. Rfid technology and its applications in internet of things (iot). In 2012 2nd international conference on consumer electronics, communications and networks (CECNet), pages 1282–1285. IEEE, 2012 Sách, tạp chí
Tiêu đề: 2012 2nd international conferenceon consumer electronics, communications and networks (CECNet)
[7] Ruth Ande, Bamidele Adebisi, Mohammad Hammoudeh, and Jibran Saleem.Internet of things: Evolution and technologies from a security perspective. Sus- tainable Cities and Society, 2019 Sách, tạp chí
Tiêu đề: Sus-tainable Cities and Society
[8] Yuqiuge Hao and Petri Helo. The role of wearable devices in meeting the needs of cloud manufacturing: A case study. Robotics and Computer-Integrated Man- ufacturing, 45:168–179, 2017 Sách, tạp chí
Tiêu đề: Robotics and Computer-Integrated Man-ufacturing
[11] Nguyen Cong Luong, Dinh Thai Hoang, Ping Wang, Dusit Niyato, Dong In Kim, and Zhu Han. Data collection and wireless communication in internet of things (iot) using economic analysis and pricing models: A survey. IEEE Communica- tions Surveys & Tutorials, 18(4):2546–2590, 2016 Sách, tạp chí
Tiêu đề: IEEE Communica-tions Surveys & Tutorials
[12] Rodrigo Roman, Javier Lopez, and Masahiro Mambo. Mobile edge comput- ing, fog et al.: A survey and analysis of security threats and challenges. Future Generation Computer Systems, 78:680–698, 2018 Sách, tạp chí
Tiêu đề: FutureGeneration Computer Systems
[13] Flavio Bonomi, Rodolfo Milito, Jiang Zhu, and Sateesh Addepalli. Fog comput- ing and its role in the internet of things. In Proceedings of the first edition of the MCC workshop on Mobile cloud computing, pages 13–16. ACM, 2012 Sách, tạp chí
Tiêu đề: Proceedings of the first edition of theMCC workshop on Mobile cloud computing
[14] Vivek Kumar Sehgal, Anubhav Patrick, Ashutosh Soni, and Lucky Rajput.Smart human security framework using internet of things, cloud and fog com- puting. In Intelligent distributed computing, pages 251–263. Springer, 2015 Sách, tạp chí
Tiêu đề: Intelligent distributed computing
[15] Ikram Ud Din, Mohsen Guizani, Suhaidi Hassan, Byung-Seo Kim, Muham- mad Khurram Khan, Mohammed Atiquzzaman, and Syed Hassan Ahmed. The internet of things: A review of enabled technologies and future challenges. IEEE Access, 7:7606–7640, 2018 Sách, tạp chí
Tiêu đề: IEEEAccess
[16] Jianbing Ni, Kuan Zhang, Xiaodong Lin, and Xuemin Sherman Shen. Secur- ing fog computing for internet of things applications: Challenges and solutions.IEEE Communications Surveys & Tutorials, 20(1):601–628, 2017 Sách, tạp chí
Tiêu đề: IEEE Communications Surveys & Tutorials
[17] Zeeshan Ali Khan. Using energy-efficient trust management to protect iot net- works for smart cities. Sustainable cities and society, 40:1–15, 2018 Sách, tạp chí
Tiêu đề: Sustainable cities and society
[18] Rawan Alkurd, Raed M Shubair, and Ibrahim Abualhaol. Survey on device- to-device communications: Challenges and design issues. In 2014 IEEE 12th International New Circuits and Systems Conference (NEWCAS), pages 361–364.IEEE, 2014 Sách, tạp chí
Tiêu đề: 2014 IEEE 12thInternational New Circuits and Systems Conference (NEWCAS)
[19] Kim Khanh Tran, Minh Khue Pham, and Tran Khanh Dang. A light-weight tightening authentication scheme for the objects’ encounters in the meetings. In International Conference on Future Data and Security Engineering, pages 83–102. Springer, 2018 Sách, tạp chí
Tiêu đề: International Conference on Future Data and Security Engineering
[1] L. Columbus. Roundup of internet of things forecasts and market es- timates. https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016. Accessed: 2018-Nov- 10 Link
[9] Everything you need to know about iot applications.https://www.simplilearn.com/iot-applications-article. Accessed: 2019-Nov-30 Link
[10] Internet of things applications area – iot applications market.https://iotworm.com/internet-of-things-applications-area/. Accessed: 2019- Nov-30 Link
[22] Introduction to public-key cryptography. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System_Common_Criteria_Certification/8.1/html/Deploy-_and_Install_Guide/Introduction_to_Public_Key_Cryptography.html.Ac-cessed: 2019-Nov-30 Link