1.
We propose an end-to-end security scheme for mobility-enabled healthcare Internet of Things (IoT). The proposed scheme consists of (i) a secure and efficient end-user authentication and authorization architecture based on the certificate-based DTLS handshake, (ii) secure end-to-end communication based on session resumption, and (iii) robust mobility based on interconnected smart gateways. The smart gateways act as an intermediate processing layer (called the fog layer) between IoT devices and sensors (device layer) and cloud services (cloud layer). In our scheme, the fog layer facilitates ubiquitous mobility without requiring any reconfiguration at the device layer. The scheme is demonstrated by simulation and a full hardware/software prototype. Based on our analysis, our scheme has the most extensive set of security features in comparison to related approaches found in the literature. Energy-performance evaluation results show that, compared to existing approaches, our scheme reduces the communication overhead by 26% and the communication latency between smart gateways and end users by 16%. In addition, our scheme is approximately 97% faster than certificate-based and 10% faster than symmetric-key-based DTLS. Compared to our scheme, certificate-based DTLS consumes about 2.2 times more RAM and 2.9 times more ROM. On the other hand, the RAM and ROM requirements of our scheme are almost as low as those of symmetric-key-based DTLS. Analysis of our implementation revealed that the handover latency caused by mobility is low and that the handover process does not incur any processing or communication overhead on the sensors.

2.
The rapid proliferation of Internet of Things (IoT) devices, such as smart meters and water valves, into industrial critical infrastructures and control systems has put stringent performance and scalability requirements on modern Supervisory Control and Data Acquisition (SCADA) systems. While cloud computing has enabled modern SCADA systems to cope with the increasing amount of data generated by sensors, actuators, and control devices, there has recently been growing interest in deploying edge data centers in fog architectures to provide low latency and enhanced security for mission-critical data. However, fog security and privacy for SCADA-based IoT critical infrastructures remains an under-researched area. To address this challenge, this contribution proposes a novel security "toolbox" to reinforce the integrity, security, and privacy of SCADA-based IoT critical infrastructure at the fog layer. The toolbox incorporates a key feature: a cryptographic access approach to the cloud services using identity-based cryptography and signature schemes at the fog layer. We present the implementation details of a prototype of our proposed secure fog-based platform and provide performance evaluation results to demonstrate the appropriateness of the proposed platform in a real-world scenario. These results can pave the way toward the development of a more secure and trusted SCADA-based IoT critical infrastructure, which is essential to counter cyber threats against next-generation critical infrastructure and industrial control systems. The results from the experiments demonstrate a superior performance of the secure fog-based platform, which is around 2.8 seconds when adding five virtual machines (VMs), 3.2 seconds when adding 10 VMs, and 112 seconds when adding 1000 VMs, compared to the multilevel user access control platform.

3.
杨伟, 何杰, 万亚东, 王沁. 《计算机科学》 2018, 45(12): 32-41
The international standards bodies IEEE and IETF are jointly developing a highly reliable, low-power, Internet-capable wireless communication protocol stack for the Internet of Things. IEEE is mainly responsible for the physical-layer and link-layer standards of IoT communication protocols, such as IEEE 802.15.4-2006, of which IEEE 802.15.4e is the latest link-layer standard. IETF is mainly responsible for the network-layer and higher-layer standards, such as 6LoWPAN, RPL and CoAP, which allow resource-constrained sensor nodes to be connected to the Internet. Network security is the foundation for large-scale IoT deployment, and a secure and efficient mechanism must be designed to guarantee the normal operation of the communication protocols. This paper describes the IoT communication protocol stack in detail, with an emphasis on analysing and discussing the latest research progress on its security. Finally, research directions for secure IoT communication protocols are summarised and outlined.

4.
With the rapid development of Internet of Things (IoT) technology, the number of smart devices of all kinds has surged, and identity authentication has become the primary requirement for securing the IoT. Blockchain, as a distributed ledger technology, provides a trustless collaborative environment and a secure data management platform, and using blockchain to drive IoT authentication has become a hot topic in both academia and industry. This paper analyses the main requirements for designing IoT identity authentication mechanisms under two architectures, cloud computing and cloud-edge collaboration, and summarises the challenges of applying blockchain technology to IoT scenarios. It reviews existing work on IoT identity authentication mechanisms and classifies it into key-based, certificate-based and identity-based authentication; it analyses IoT authentication work that applies blockchain technology, and categorises and summarises the related literature according to the authenticated object and additional attributes. Security analysis methods for blockchain-based IoT authentication mechanisms are summarised from both formal and informal perspectives. Finally, future research directions are outlined.

5.
The Internet of Things (IoT) is growing apace: billions of IoT devices are connected to the Internet and communicate and exchange data with each other. Applications of IoT can be found in many fields of engineering and science, such as healthcare, traffic, agriculture, the oil and gas industries, and logistics. In logistics, the products to be transported may be sensitive and perishable and require a controlled environment. Most commercially available logistic containers are not integrated with IoT devices that could control environmental parameters inside the container and transmit data to a remote server. This creates the need to design and fabricate IoT-based smart containers. Due to the constrained nature of IoT devices, they are prone to cyber security attacks such as Denial of Service (DoS), Man in the Middle (MITM) and Replay. Therefore, an efficient cyber security framework is required for smart containers. The Datagram Transport Layer Security (DTLS) protocol has emerged as the de facto standard for securing communication between IoT devices. However, it is unable to minimize cyber security attacks such as Denial of Service and Distributed Denial of Service (DDoS) during the handshake process. The main contribution of this paper is to design a cyber-secure framework by implementing a novel hybrid DTLS protocol in a smart container, which can efficiently minimize the effects of cyber attacks during the handshake process. The performance of our proposed framework is evaluated in terms of energy efficiency, handshake time, throughput and packet delivery ratio. Moreover, the proposed framework is tested in IoT-based smart containers. The proposed framework decreases handshake time by more than 9% and saves 11% of the transmission energy compared with standard DTLS, while increasing packet delivery ratio and throughput by 83% and 87% respectively.

6.

For many systems, secure connectivity is an important requirement, even if the transmitting machines are resource-constrained. The advent of the Internet of Things (IoT) has also increased the demand for low-power devices capable of connecting with each other or sending data to a central processing site. The IoT enables many applications in a smart environment, such as outdoor activity control, smart energy, infrastructure management, environmental sensing, or cyber-security monitoring. Security in such situations remains an open challenge because of the resource-constrained design of sensors and objects, and because multi-purpose adversaries may target the process at any point in the life cycle of a smart sensor. This paper discusses widely used protocols that provide secure communications for various IoT applications and also defines the different attacks against them. To protect IoT objects and sensors, we propose a comprehensive and lightweight security protocol based on cryptographic ratchets. That is, an encrypted messaging protocol using the Double Ratchet Algorithm is defined, which we call Singleton; the implementation of the protocol is tested and compared to implementations of the IoT standard protocols and to a post-quantum version of the protocol. Various cryptographic primitives are also evaluated, and their suitability for use in the protocol is tested. The results show that the protocol, as a building block, not only enables resource-efficient protocols and architectures but also supports advanced and scalable IoT sensors. Our design and analysis demonstrate that the Singleton security architecture can be easily integrated into existing network protocols such as IEEE 802.15.4 or OMA LWM2M, offering both performance and important security services that existing approaches cannot provide.

For chat applications such as WhatsApp, Skype, Facebook Private Messenger, Google Allo, and Signal, a cryptographic ratchet-based protocol provides end-to-end encryption, forward secrecy, backward secrecy, authentication, and deniability.

7.
TLS, currently the most widely used secure transport protocol, can only secure data carried over reliable TCP transport. DTLS (Datagram TLS) modifies the TLS protocol architecture to provide security for UDP. However, DTLS still relies on a third-party certificate authority and certificates to authenticate both communicating parties during session establishment; connection setup takes a long time and the security overhead is large, which cannot meet the needs of resource-constrained network environments such as the IoT. This paper introduces identity-based cryptography into DTLS, which avoids the overhead of processing certificates in the handshake protocol and completes the authentication of both parties while computing the session key; it also redesigns the DTLS handshake using a new key agreement protocol, reducing the number of round trips and messages and shortening connection setup time. Experimental results show that identity-based DTLS shortens connection establishment time by nearly 50% without reducing security.

8.
Along with the development of IoT applications, wearable devices are becoming popular for monitoring user data to provide intelligent service support. Wearable devices face severe security issues compared with traditional short-range communications. Due to their limited computation capabilities and communication resources, designing security solutions for resource-constrained wearable devices in IoT applications is particularly challenging. In this work, a yoking-proof-based authentication protocol (YPAP) is proposed for cloud-assisted wearable devices. In the YPAP, a physical unclonable function and lightweight cryptographic operators are jointly applied to realize mutual authentication between a smartphone and two wearable devices, and yoking-proofs are established so that the cloud server can verify both devices simultaneously. Meanwhile, a Rubin logic-based formal security analysis is performed to prove that the YPAP has theoretical design correctness. This indicates that the proposed YPAP is suitable for lightweight wearable devices in IoT applications.

9.
The Internet of Things (IoT) is an anticipated technology for real-world applications that process daily tasks using intelligent techniques. The main data processing in IoT involves communication, integration, and coordination with other real-world applications. The security of data transferred, stored, and processed in IoT is not ensured under many constraints. Internet-enabled smart devices are widely used for all types of applications, which increases the popularity of IoT among widely used server technologies. In this article, the smart grid is used together with IoT to manage large volumes of data. A smart grid is a collection of numerous users in a network with the fastest response time. This article aims to provide strong authentication for the smart grid, which constitutes secure communication in cloud-based IoT. Many IoT devices are deployed openly in all kinds of places, and this open deployment is vulnerable to cloning attacks. Authentication is a key process that provides resilience under attack. The security of the cloud and IoT must be computationally strong. Considering these conditions, a lightweight authentication scheme using a hashing technique is proposed. The main factor of the authentication is the use of physically unclonable functions, which improve the performance of the authentication. The proposed approach is evaluated against existing techniques. Results show that the proposed algorithm provides highly robust security.

10.

The Internet of Things (IoT) has become a new era of communication technology for information exchange. With the immense increase in the use of smart devices, IoT services have become more accessible. To perform secure transmission of data between an IoT network and a remote user, mutual authentication and session key negotiation play a key role. In this research, we propose an ECC-based three-factor remote user authentication scheme that runs on the smart device and preserves the privacy and data confidentiality of the communicating user. To support our claim, multiple cryptographic attacks are analyzed, and the proposed scheme is found not to be vulnerable to them. Finally, the computation and communication overheads of the proposed scheme are compared with other existing protocols to confirm that the proposed scheme is lightweight. A formal security analysis using the AVISPA simulation tool has been carried out and confirms that the proposed scheme is robust against relevant security threats.

11.
Systems based on the Internet of Things (IoT) are continuously growing in many areas such as smart cities, home environments, buildings, agriculture, industry, etc. Device mobility is one of the key aspects of these IoT systems, but managing it can be a challenge. Mobility exposes the IoT environment or Industrial IoT (IIoT) to situations such as packet loss, increased delay or jitter, dynamism in the network topology, new security threats, etc. In addition, there is no standard for mobility management for the most commonly used IoT protocols, such as MQTT or CoAP. Consequently, managing IoT mobility is a hard, error-prone and tedious task. However, raising the abstraction level at which IoT systems are designed helps to tackle the underlying technological complexity. In this regard, model-driven development approaches can help both to reduce the time to market of IoT applications and to tackle the technological complexity of developing them. In this paper, a Domain-Specific Language based on SimulateIoT is proposed for the design, code generation and simulation of IoT systems with mobility management for the MQTT protocol. The generated IoT systems integrate the sensors, actuators, fog nodes, cloud nodes and the architecture that supports mobility, which are deployed as microservices on Docker containers and composed suitably. Finally, two case studies, one focused on animal tracking and one on a Personal Mobility Device (PMD) based on bicycles, are presented to show the IoT solutions deployed.

12.
DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients: it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS and reducing the number of keys stored on the server side to one. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attacks.

13.
The number of IoT (Internet of Things) connected devices is increasing rapidly. These devices run different operating systems and therefore cannot communicate with each other. As a result, the data they collect is confined to their own platform. Besides, IoT devices have very constrained resources, such as a weak MCU (micro control unit) and limited storage. Therefore, they need a direct communication method to cooperate with each other, or the help of nearby devices with richer resources. In this paper, we propose a secure method to exchange resources (SMER) between heterogeneous IoT devices. In order to exchange resources among devices, SMER adopts a compensable mechanism for resource exchange and a series of security mechanisms to ensure the security of resource exchanges. In addition, SMER uses a smart-contract-based scheme to supervise resource exchange, which guarantees the safety and benefits of IoT devices. We also introduce a prototype system and give a comprehensive discussion.

14.

Mobile environments are highly vulnerable to security threats and pose a great challenge for the wireless and mobile networks in use today. Because the wireless channel is open, these networks carry no inherent security and hence are more prone to attacks. Therefore, designing a secure and robust authentication protocol for a global mobility network is always challenging. In these networks, it is crucial to provide authentication in order to establish secure communication between the Mobile User (MU), Foreign Agent (FA) and Home Agent (HA). To secure communication among these entities, a number of authentication protocols have been proposed. The main security flaw of the existing authentication protocols is that attackers are able to impersonate a legitimate user at any time. Moreover, the existing authentication protocols in the literature are exposed to various kinds of cryptographic attacks. Besides, they require larger key lengths and more computation overhead. To remedy these weaknesses in mobility networks, a DNA (Deoxyribonucleic Acid) based authentication scheme using a Hyper Elliptic Curve Cryptosystem (HECC) is introduced. It offers greater security and allows an MU, FA and HA to establish a secure communication channel in order to exchange sensitive information over the radio link. The proposed system benefits from HECC, which has a smaller key size and greater computational efficiency. In addition, the security strength of this authentication system is validated with the widely accepted security verification tool ProVerif. Further, the performance analysis shows that the DNA-based authentication system using HECC is secure and practically implementable on resource-constrained mobility nodes.

15.
In recent years, with the rapid development of the Internet of Things, its application scenarios have come to cover smart homes, smart cities, smart healthcare, smart industry and smart agriculture. Compared with traditional Ethernet, the IoT can combine various sensing devices with the network to achieve interconnection between people, computers and objects. The diverse IoT protocols are the key to interconnecting IoT devices; IoT protocols have different protocol stacks, which often gives them different characteristics. Currently, the more widely used...

16.
With the emergence of the Internet of Things (IoT) and fog computing, the number of edge devices is escalating exponentially all over the world, providing better services to the end user with the help of existing and upcoming communication infrastructures. All of these devices produce and communicate a huge amount of data and control information across this open IoT environment. Much of this information is personal or important for the user as well as for the organization. The number of attack vectors available to malicious users is high due to the openness and distributed nature of the IoT environment and the lack of control over it as a whole. For the IoT to become an effective service platform, end users need to trust the system. For this reason, the security and privacy of information in the IoT is a great concern in critical infrastructures such as the smart home, smart city, smart healthcare, smart industry, etc. In this article, we propose three information hiding techniques for protecting communication in critical IoT infrastructure with the help of steganography, where RGB images are used as carriers for the information. We hide the information in the deeper layers of the image channels with minimum distortion, using the least significant bit (LSB) as an indicator of data. We analyze our technique both mathematically and experimentally. Mathematically, we show that the adversary cannot recover the actual information by analysis. As proven experimentally, the proposed approach achieves better imperceptibility and capacity than various existing techniques, along with better resistance to steganalysis attacks such as histogram analysis and RS analysis.

17.
The Internet of Things (IoT) is an emerging network paradigm which realizes the interconnection of ubiquitous things and is the foundation of a smart society. Since the IoT is always related to users' daily life or work, privacy and security are of great importance. The pervasive, complex and heterogeneous properties of the IoT make its security issues very challenging. In addition, the large number of resource-constrained nodes imposes a strict lightweight requirement on IoT security mechanisms. Presently, attribute-based encryption (ABE) is a popular solution for achieving secure data transmission, storage and sharing in distributed environments such as the IoT. However, the existing ABE schemes are based on expensive bilinear pairing, which makes them unsuitable for resource-constrained IoT applications. In this paper, a lightweight pairing-free ABE scheme based on elliptic curve cryptography (ECC) is proposed to address the security and privacy issues in the IoT. The security of the proposed scheme is based on the ECDDH assumption instead of the bilinear Diffie–Hellman assumption, and is proved in the attribute-based selective-set model. By uniformly determining the criteria and defining the metrics for measuring communication overhead and computational overhead, detailed comparisons with the existing ABE schemes are made. The results show that the proposed scheme has improved execution efficiency and low communication costs. In addition, its limitations and directions for improvement are also discussed in detail.

18.
Smart technology is a concept for efficiently managing smart things such as vehicles, buildings, home appliances, healthcare systems and others, through the use of networks and the Internet. Smart architecture makes use of technologies such as the Internet of Things (IoT), fog computing, and cloud computing. The Smart Medical System (SMS), which is focused on communication networking and sensor devices, is one of the applications used in this architecture. In a smart medical system, a doctor uses cloud-based applications, mobile devices, wireless body area networks, and other cloud-based apps to provide online therapy to patients. Consequently, with the advancement and growth of IoT and 6G wireless technology, privacy and security have emerged as two of the world's most important issues. Recently, Sureshkumar et al. proposed an authentication scheme for medical wireless sensor networks (MWSN) using an Elliptic Curve Cryptography (ECC) based lightweight authentication protocol and claimed that it provides better security for smart healthcare systems. This paper demonstrates that this protocol is susceptible to traceability, integrity contradiction, and de-synchronization attacks with the complexity of one run of the protocol and a success probability of one. Furthermore, we also propose an ECC-based authentication scheme called ECCbAS to address the vulnerabilities of the Sureshkumar et al. protocol and demonstrate its security using a variety of non-formal and formal methods.

19.
宋衍, 傅骞. 《计算机应用》 2013, 33(11): 3010-3015
To address the high technical barrier to application development caused by the independent development of the three layers of the Internet of Things (IoT) architecture, a solution based on the Constrained Application Protocol (CoAP) is proposed. On top of an implementation of CoAP, the solution develops a CoAP-HTTP proxy that allows users to access IoT nodes directly through a browser for resource discovery, data query and resource subscription. Testing shows that the proxy mode does not affect the system's response rate, the proxy runs stably, and it supports multiple users accessing IoT node data at the same time. The CoAP proxy mode effectively helps application developers avoid the complexity of low-level and data-exchange development and assists them in independently creating new applications, providing a new approach for IoT application development.

20.
The paper proposes the use of Node-RED, a flow-based programming tool targeted at the Internet of Things (IoT), along with a series of case studies related to different IoT contexts, which demonstrate Node-RED's potential and outcomes toward the realization of well-structured IoT environments. The analyzed applications potentially cover a wide range of domains, from smart cities, smart buildings, smart homes/offices, smart retailing, to smart transportation, smart logistics, smart agriculture, smart health, military scenarios, and so on. The motivation behind the presented work is that IoT application fields usually involve the same technologies and communication protocols, which are frequently adopted for totally different purposes. Issues such as interoperability, scalability, security and privacy naturally emerge, due to the huge number of heterogeneous devices acting in the IoT environment and to the wireless nature of information transmission. As a consequence, it is essential to have adequate tools for supporting developers in designing the network architecture and message exchange, in order to realize efficient and effective IoT network infrastructures.
