SecureSense: End-to-end secure communication architecture for the cloud-connected Internet of Things

Constrained Application Protocol (CoAP) has become the de-facto web standard for the IoT. Unlike traditional wireless sensor networks, Internet-connected smart thing deployments require security. CoAP mandates the use of the Datagram TLS (DTLS) protocol as the underlying secure communication protocol. In this paper we implement DTLS-protected secure CoAP for both resource-constrained IoT devices and a cloud backend and evaluate all three security modes (pre-shared key, raw-public key, and certificate-based) of CoAP in a real cloud-connected IoT setup. We extend Sics^thSense– a cloud platform for the IoT– with secure CoAP capabilities, and compliment a DTLS implementation for resource-constrained IoT devices with raw-public key and certificate-based asymmetric cryptography. To the best of our knowledge, this is the first effort toward providing end-to-end secure communication between resource-constrained smart things and cloud back-ends which supports all three security modes of CoAP both on the client side and the server side. SecureSense– our End-to-End (E2E) secure communication architecture for the IoT– consists of all standard-based protocols, and implementation of these protocols are open source and BSD-licensed. The SecureSense evaluation benchmarks and open source and open license implementation make it possible for future IoT product and service providers to account for security overhead while using all standardized protocols and while ensuring interoperability among different vendors. The core contributions of this paper are: (i) a complete implementation for CoAP security modes for E2E IoT security,  (ii) IoT security and communication protocols for a cloud platform for the IoT, and (iii) detailed experimental evaluation and benchmarking of E2E security between a network of smart things and a cloud platform.     

Fog computing for next-generation Internet of Things: Fundamental,state-of-the-art and research challenges

In recent times, the Internet of Things (IoT) applications, including smart transportation, smart healthcare, smart grid, smart city, etc. generate a large volume of real-time data for decision making. In the past decades, real-time sensory data have been offloaded to centralized cloud servers for data analysis through a reliable communication channel. However, due to the long communication distance between end-users and centralized cloud servers, the chances of increasing network congestion, data loss, latency, and energy consumption are getting significantly higher. To address the challenges mentioned above, fog computing emerges in a distributed environment that extends the computation and storage facilities at the edge of the network. Compared to centralized cloud infrastructure, a distributed fog framework can support delay-sensitive IoT applications with minimum latency and energy consumption while analyzing the data using a set of resource-constraint fog/edge devices. Thus our survey covers the layered IoT architecture, evaluation metrics, and applications aspects of fog computing and its progress in the last four years. Furthermore, the layered architecture of the standard fog framework and different state-of-the-art techniques for utilizing computing resources of fog networks have been covered in this study. Moreover, we included an IoT use case scenario to demonstrate the fog data offloading and resource provisioning example in heterogeneous vehicular fog networks. Finally, we examine various challenges and potential solutions to establish interoperable communication and computation for next-generation IoT applications in fog networks.     

A verifiable privacy-preserving data collection scheme supporting multi-party computation in fog-based smart grid

Incorporation of fog computing with low latency,preprocession(e.g.,data aggregation)and location awareness,can facilitate fine-grained collection of smart metering data in smart grid and promotes the sustainability and efficiency of the grid.Recently,much attention has been paid to the research on smart grid,especially in protecting privacy and data aggregation.However,most previous works do not focus on privacy-preserving data aggregation and function computation query on enormous data simultaneously in smart grid based on fog computation.In this paper,we construct a novel verifiable privacy-preserving data collection scheme supporting multi-party computation(MPC),named VPDC-MPC,to achieve both functions simultaneously in smart grid based on fog computing.VPDC-MPC realizes verifiable secret sharing of users’data and data aggregation without revealing individual reports via practical cryptosystem and verifiable secret sharing scheme.Besides,we propose an efficient algorithm for batch verification of share consistency and detection of error reports if the external adversaries modify the SMs’report.Furthermore,VPDC-MPC allows both the control center and users with limited resources to obtain arbitrary arithmetic analysis(not only data aggregation)via secure multi-party computation between cloud servers in smart grid.Besides,VPDC-MPC tolerates fault of cloud servers and resists collusion.We also present security analysis and performance evaluation of our scheme,which indicates that even with tradeoff on computation and communication overhead,VPDC-MPC is practical with above features.     

Design,implementation and experimental evaluation of an end-to-end vertical handover scheme on NCTUns simulator

This paper presents the simulation study of “Host based autonomous Mobile Address Translation” using NCTUns simulator. It is a network layer, end-to-end vertical handover solution, based upon modification of “Mobile IP with address Translation”. Vertical handover approaches generally require new network elements, a new layer in TCP/IP stack, or fixing a protocol at a particular layer. To enhance handover experience, recent approaches focus on reducing signalling, localizing the registration, creating hierarchies, using proxy, preparing handover in advance, predicting target network, or exploiting multicasting and path extension techniques. These approaches, however, demand change in the network infrastructure to support mobility and limit the scope of mobility. Despite end-to-end signalling, the Host based autonomous Mobile Address Translation scheme ensures minimum service disruption and distinctly allows global mobility of the mobile node without requiring any modification in the network. We have simulated the mobility of a multi-interface mobile node in a heterogeneous network environment composed of WiFi (IEEE802.11a, IEEE802.11b) and WiMAX (IEEE802.16e) access networks. Performance of the scheme is evaluated taking into account wide range of end-to-end delays between mobile node and the correspondent node, various speeds of the mobile node and different packet loss rates of the network. Based on our detailed simulation study, it has been observed that this scheme offers reduced service disruption time, packet loss and packet latency. The service disruption time is found to be significantly low (typically in the range of 10 ms) compared to that of Mobile IP (which is in the order of 100 ms); this makes this new scheme perfectly suitable for real time applications. Low service disruption time consequently reduces the packet loss by manyfold and the packet latency remains unaffected during and after handover due to translation of address at the source. The results suggest that this protocol is a viable vertical handover solution due to its simplicity, scalability, low overhead and ready deployability.     

基于雾计算的工业互联网安全数据访问方法

针对工业互联网应用场景中的低时延、低功耗和安全性要求,提出一种雾计算架构的工业互联网数据安全访问方法,基于属性集生成对应的非对称密钥对进行加密消息并存储在云端服务器,由雾节点层来完成密文的部分加解密任务,消除对云服务层的信任依赖和降低设备层的计算开销负担。雾节点层和云服务层对密文数据来说是半信任状态,它们无法根据密文获取任何原始消息,只有授权的设备使用私钥才能完成完全解密获取原始消息,实现工业互联网中端到端的高效安全数据访问方式。通过性能分析验证,提出的方法相比其他方案计算开销和响应延迟更低,安全隐私性更可靠。     

Cyber Secure Framework for Smart Containers Based on Novel Hybrid DTLS Protocol

The Internet of Things (IoTs) is apace growing, billions of IoT devices are connected to the Internet which communicate and exchange data among each other. Applications of IoT can be found in many fields of engineering and sciences such as healthcare, traffic, agriculture, oil and gas industries, and logistics. In logistics, the products which are to be transported may be sensitive and perishable, and require controlled environment. Most of the commercially available logistic containers are not integrated with IoT devices to provide controlled environment parameters inside the container and to transmit data to a remote server. This necessitates the need for designing and fabricating IoT based smart containers. Due to constrained nature of IoT devices, these are prone to different cyber security attacks such as Denial of Service (DoS), Man in Middle (MITM) and Replay. Therefore, designing efficient cyber security framework are required for smart container. The Datagram Transport Layer Security (DTLS) Protocol has emerged as the de facto standard for securing communication in IoT devices. However, it is unable to minimize cyber security attacks such as Denial of Service and Distributed Denial of Service (DDoS) during the handshake process. The main contribution of this paper is to design a cyber secure framework by implementing novel hybrid DTLS protocol in smart container which can efficiently minimize the effects of cyber attacks during handshake process. The performance of our proposed framework is evaluated in terms of energy efficiency, handshake time, throughput and packet delivery ratio. Moreover, the proposed framework is tested in IoT based smart containers. The proposed framework decreases handshake time more than 9% and saves 11% of energy efficiency for transmission in compare of the standard DTLS, while increases packet delivery ratio and throughput by 83% and 87% respectively.     

Design and analysis of secure host-based mobility protocol for wireless heterogeneous networks

Mobility protocols allow hosts to change their location or network interface while maintaining ongoing sessions. While such protocols can facilitate vertical mobility in a cost-efficient and access agnostic manner, they are not sufficient to address all security issues when used in scenarios requiring local mobility management. In this paper, we propose a new scheme that makes Host Identity Protocol (HIP) able to serve as an efficient and secure mobility protocol for wireless heterogeneous networks while preserving all the advantages of the base HIP functions as well. Our proposal, called Heterogeneous Mobility HIP (HMHIP), is based on hierarchical topology of rendezvous Servers (RVSs), signaling delegation, and inter-RVS communication to enable secure and efficient network mobility support in the HIP layer. Formal security analysis using the AVISPA tool and performance evaluation of this method are provided; they confirm the safety and efficiency of the proposed solution. HMHIP reduces handover latency and packet overhead during handovers by achieving registration locally.     

A secure fog-based platform for SCADA-based IoT critical infrastructure

The rapid proliferation of Internet of things (IoT) devices, such as smart meters and water valves, into industrial critical infrastructures and control systems has put stringent performance and scalability requirements on modern Supervisory Control and Data Acquisition (SCADA) systems. While cloud computing has enabled modern SCADA systems to cope with the increasing amount of data generated by sensors, actuators, and control devices, there has been a growing interest recently to deploy edge data centers in fog architectures to secure low-latency and enhanced security for mission-critical data. However, fog security and privacy for SCADA-based IoT critical infrastructures remains an under-researched area. To address this challenge, this contribution proposes a novel security “toolbox” to reinforce the integrity, security, and privacy of SCADA-based IoT critical infrastructure at the fog layer. The toolbox incorporates a key feature: a cryptographic-based access approach to the cloud services using identity-based cryptography and signature schemes at the fog layer. We present the implementation details of a prototype for our proposed secure fog-based platform and provide performance evaluation results to demonstrate the appropriateness of the proposed platform in a real-world scenario. These results can pave the way toward the development of a more secure and trusted SCADA-based IoT critical infrastructure, which is essential to counter cyber threats against next-generation critical infrastructure and industrial control systems. The results from the experiments demonstrate a superior performance of the secure fog-based platform, which is around 2.8 seconds when adding five virtual machines (VMs), 3.2 seconds when adding 10 VMs, and 112 seconds when adding 1000 VMs, compared to the multilevel user access control platform.     

IoT‐fog‐cloud based architecture for smart systems: Prototypes of autism and COVID‐19 monitoring systems

Making resources closer to the user might facilitate the integration of new technologies such as edge, fog, cloud computing, and big data. However, this brings many challenges shall be overridden when distributing a real‐time stream processing, executing multiapplication in a safe multitenant environment, and orchestrating and managing the services and resources into a hybrid fog/cloud federation. In this article, first, we propose a business process model and notation (BPMN) extension to enable the Internet of Things (IoT)‐aware business process (BP) modeling. The proposed extension takes into consideration the heterogeneous IoT and non‐IoT resources, resource capacities, quality of service constraints, and so forth. Second, we present a new IoT‐fog‐cloud based architecture, which (i) supports the distributed inter and intralayer communication as well as the real‐time stream processing in order to treat immediately IoT data and improve the entire system reliability, (ii) enables the multiapplication execution within a multitenancy architecture using the single sign‐on technique to guarantee the data integrity within a multitenancy environment, and (iii) relies on the orchestration and federation management services for deploying BP into the appropriate fog and/or cloud resources. Third, we model, by using the proposed BPMN 2.0 extension, smart autistic child and coronavirus disease 2019 monitoring systems. Then we propose the prototypes for these two smart systems in order to carry out a set of extensive experiments illustrating the efficiency and effectiveness of our work.     

Semantic service provisioning for smart objects: Integrating IoT applications into the web

Internet of Things (IoT) applications residing on the Web are the next logical development of the recent effort from academia and industry to design and standardize new communication protocols for smart objects. This paper proposes the service provisioning architecture for smart objects with semantic annotation to enables the integration of IoT applications into the Web. We aim to bring smart object services to the Web and make them accessible by plenty of existing Web APIs in consideration of its constraints such as limited resources (ROM, RAM, and CPU), low-power microcontrollers, and low-bitrate communication links.     

适用于物联网环境的无证书广义签密方案

无证书广义签密方案不仅可以解决证书管理和密钥托管问题,而且可以根据实际需求分别作为加密方案、签名方案或签密方案,在资源受限的物联网环境中具有广泛的应用场景。但是,通过具体的攻击方法证明Karati等的方案不能抵抗伪造攻击,文中总结了攻击者成功伪造的原因。针对上述问题,提出了一种无双线性配对的无证书广义签密方案,并在随机预言模型下基于计算性Diffie-Hellman问题和离散对数问题对该方案进行了安全性证明。性能评估结果表明,与现有方案相比,该方案在计算代价及通信开销方面具有优势,适用于资源受限的物联网设备之间数据的安全传输。     

Classification of Request-Based Mobility Load Balancing in Fog Computing

Every day, more and more data is being produced by the Internet of Things (IoT) applications. IoT data differ in amount, diversity, veracity, and velocity. Because of latency, various types of data handling in cloud computing are not suitable for many time-sensitive applications. When users move from one site to another, mobility also adds to the latency. By placing computing close to IoT devices with mobility support, fog computing addresses these problems. An efficient Load Balancing Algorithm (LBA) improves user experience and Quality of Service (QoS). Classification of Request (CoR) based Resource Adaptive LBA is suggested in this research. This technique clusters fog nodes using an efficient K-means clustering algorithm and then uses a Decision Tree approach to categorize the request. The decision-making process for time-sensitive and delay-tolerable requests is facilitated by the classification of requests. LBA does the operation based on these classifications. The MobFogSim simulation program is utilized to assess how well the algorithm with mobility features performs. The outcome demonstrates that the LBA algorithm’s performance enhances the total system performance, which was attained by (90.8%). Using LBA, several metrics may be examined, including Response Time (RT), delay (d), Energy Consumption (EC), and latency. Through the on-demand provisioning of necessary resources to IoT users, our suggested LBA assures effective resource usage.     

A lightweight attribute-based encryption scheme for the Internet of Things

Internet of Things (IoT) is an emerging network paradigm, which realizes the interconnections among the ubiquitous things and is the foundation of smart society. Since IoT are always related to user’s daily life or work, the privacy and security are of great importance. The pervasive, complex and heterogeneous properties of IoT make its security issues very challenging. In addition, the large number of resources-constraint nodes makes a rigid lightweight requirement for IoT security mechanisms. Presently, the attribute-based encryption (ABE) is a popular solution to achieve secure data transmission, storage and sharing in the distributed environment such as IoT. However, the existing ABE schemes are based on expensive bilinear pairing, which make them not suitable for the resources-constraint IoT applications. In this paper, a lightweight no-pairing ABE scheme based on elliptic curve cryptography (ECC) is proposed to address the security and privacy issues in IoT. The security of the proposed scheme is based on the ECDDH assumption instead of bilinear Diffie–Hellman assumption, and is proved in the attribute based selective-set model. By uniformly determining the criteria and defining the metrics for measuring the communication overhead and computational overhead, the comparison analyses with the existing ABE schemes are made in detail. The results show that the proposed scheme has improved execution efficiency and low communication costs. In addition, the limitations and the improving directions of it are also discussed in detail.     

雾计算中支持外包与撤销的属性基加密方案

雾计算将云计算的计算能力、数据分析应用等扩展到网络边缘,可满足物联网设备的低时延、移动性等要求,但同时也存在数据安全和隐私保护问题。传统云计算中的属性基加密技术不适用于雾环境中计算资源有限的物联网设备,并且难以管理属性变更。为此,提出一种支持加解密外包和撤销的属性基加密方案,构建“云-雾-终端”的三层系统模型,通过引入属性组密钥的技术,实现动态密钥更新,满足雾计算中属性即时撤销的要求。在此基础上,将终端设备中部分复杂的加解密运算外包给雾节点,以提高计算效率。实验结果表明,与KeyGen、Enc等方案相比,该方案具有更优的计算高效性和可靠性。     

A location-based fog computing optimization of energy management in smart buildings: DEVS modeling and design of connected objects

Nowadays, smart buildings rely on Internet of things (IoT) technology derived from the cloud and fog computing paradigms to coordinate and collaborate between connected objects. Fog is characterized by low latency with a wider spread and geographically distributed nodes to support mobility, real-time interaction, and location-based services. To provide optimum quality of user life in modern buildings, we rely on a holistic Framework, designed in a way that decreases latency and improves energy saving and services efficiency with different capabilities. Discrete EVent system Specification (DEVS) is a formalism used to describe simulation models in a modular way. In this work, the sub-models of connected objects in the building are accurately and independently designed, and after installing them together, we easily get an integrated model which is subject to the fog computing Framework. Simulation results show that this new approach significantly, improves energy efficiency of buildings and reduces latency. Additionally, with DEVS, we can easily add or remove sub-models to or from the overall model, allowing us to continually improve our designs.     

Enabling end-to-end secure communication between wireless sensor networks and the Internet

In the paradigms of the Internet of Things (IoT) as well as the evolving Web of Things (WoT) and the emerging Wisdom Web of Things (W2T), not only can the data collected by the sensor nodes (i.e., the things) in the wireless sensor networks (WSNs) be transmitted to and processed at Internet nodes and subsequently transformed into information, knowledge, wisdom and eventually into services to serve humans, but human users can also access, control and manage the sensor nodes in the WSNs through nodes in the Internet. Since data are the basis for enabling applications and services in W2T, it becomes imperative that enabling technologies for end-to-end security be developed to secure data communication between Internet user nodes and sensor server nodes to protect the exchange of data. However, traditional security protocols developed for the Internet rely mostly on symmetric authentication and key management based on public key algorithms, thus are deemed to be unsuitable for WSNs due to resource constraints in the sensor nodes. Specifically, acting as the server nodes in this scenario, sensor nodes cannot take on the heavy duty like regular servers in the Internet. Meanwhile, current security mechanisms developed for WSNs have mainly focused on the establishment of keys between neighboring nodes at the link layer and thus are not considered to be effective for end-to-end security in the W2T scenario. In this paper, we propose an end-to-end secure communication scheme for W2T in WSNs in which we follow an asymmetric approach for authentication and key management using signcryption and symmetric key encryption. In our proposed scheme, a great part of the work for authentication and access control is shifted to a gateway between a WSN and the Internet to reduce the burden and energy consumption in the sensor nodes. In addition, our scheme can ensure the privacy of user identities and key negotiation materials, and denial of service (DoS) attacks targeted at the sensor nodes can be effectively blocked at the gateway. We will also conduct quantitative analysis and an experiment to show that our proposed scheme can enhance the effectiveness of end-to-end security while reducing the cost of sensor nodes in terms of computation, communication and storage overhead as well as the latency of handshaking compared to similar schemes that are based on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.     

基于代理重加密的消息队列遥测传输协议端到端安全解决方案

针对消息队列遥测传输（MQTT）协议缺乏保护物联网（IoT）设备间通信信息的内置安全机制,以及MQTT代理在新的零信任安全理念下的可信性受到质疑的问题,提出了一种基于代理重加密实现MQTT通信中发布者与订阅者间端到端数据安全传输的解决方案。首先,使用高级加密标准（AES）对传输数据进行对称加密,以确保数据在整个传输过程中的机密性;然后,采用将MQTT代理定义为半诚实参与方的代理重加密算法来加密传输AES对称加密使用的会话密钥,从而消除对MQTT代理的隐式信任;其次,将重加密密钥生成的计算工作从客户端转移到可信第三方,使得所提方案适用于资源受限的IoT设备;最后,使用Schnorr签名算法对消息进行数字签名,以提供数据来源的真实性、完整性和不可否认性。与现有MQTT安全方案相比,所提方案用和不提供端到端安全性的轻量级方案相当的计算和通信开销获取了MQTT通信的端到端安全特性。     

基于标识密码的数据报传输层安全协议

TLS作为目前应用最为广泛的安全传输协议,只能保证可靠传输TCP上数据的安全性.DTLS（datagram TLS）在TLS协议架构上进行了修改,能够为UDP提供安全保护.但DTLS在会话建立过程中仍然需要依赖第三方认证中心和证书完成通信双方的认证,连接建立过程时间长,安全开销大,不能满足物联网等资源受限的网络通信环境.将标识密码引入DTLS中,避免了握手协议中处理证书所带来的各种开销,在计算会话密钥的同时完成通信双方的认证;并使用新的密钥协商协议重新设计DTLS的握手协议,减少交互次数和消息数量,缩短连接建立时间.实验结果表明,基于标识密码的DTLS在不降低安全性的同时,将通信建立时间缩短了近50%.     

雾计算中支持计算外包的微型属性加密方案

密文策略属性加密为基于云存储的物联网系统提供了一对多的访问控制,然而现有方案中存在开销大、粒度粗等问题.基于此,结合雾计算技术提出了一种支持计算外包的微型属性加密方案.该方案缩短了密钥与密文的长度,减少了客户端的存储开销;将部分计算转载到雾节点,提高了加解密效率;具有更加丰富的策略表达能力,并且可以快速验证外包解密的正...     

A novel fog-computing-assisted architecture of E-healthcare system for pregnant women

Recently, there is a tremendous rise and adoption of smart wearable devices in smart healthcare applications. Moreover, the advancement in sensors and communication technology empowers to detect and analyse physiological data of an individual from the wearable device. At present, the smart wearable device based on internet of things is assisting the pregnancy woman to continuously monitor their health status for avoiding the severity. The physiological data analysis of wearable device is processed with the assistance of fog computing due to limited computational and energy capability in the wearable device. Additionally, fog computing overcomes the excess latency that is created by cloud computing during physiological data analysis. In this article, a smart health monitoring IoT and fog-assisted framework are proposed for obtaining and processing the temperature, blood pressure, ECG, and pulse oximeter parameters of the pregnant woman. Based on real time series data, the rule-based algorithm logged in the wearable device with fog computing to analyse the critical health conditions of pregnant women. The proposed wearable device is validated and tested on 80 pregnant women in real time, and wearable device is delivering the 98.75% accuracy in providing health recommendations.