IoT–Cloud collaboration to establish a secure connection for lightweight devices

Internet of Things (IoT) technologies allow everyday objects including small devices in sensor networks to be capable of connecting to the Internet. Such an innovative technology can lead to positive changes in human life. However, if there is no proper security mechanism, private and sensitive data around humans can be revealed to the public Internet. In this aspect, this paper considers security issues of the IoT. In particular, we focus on various challenges in deploying Datagram Transport Layer Security (DTLS) protocol into a resource constrained environment. DTLS provides secure communication with UDP-based applications the same as TLS does for TCP-based applications. Several standard organizations such as IETF, oneM2M and OMA recommend using the DTLS as a default secure scheme for CoAP which is a new standard specified for resource-constrained environments. To find a practical way to deploy the DTLS in such a constrained IoT environments, we propose an IoT–Cloud collaboration system, where DTLS handshake delegation is the main component. We also implement and evaluate the proposed system in our real IoT testbed, where constrained devices are interconnected with each other in a multi-hop fashion. Evaluation results show that the proposed scheme dramatically reduces DTLS handshake latency, implementation code size and energy consumption.     

A survey on communication protocols and performance evaluations for Internet of Things

The Internet of Things (IoT) is a large-scale network of devices capable of sensing, data processing, and communicating with each other through different communication protocols. In today's technology ecosystem, IoT interacts with many application areas such as smart city, smart building, security, traffic, remote monitoring, health, energy, disaster, agriculture, industry. The IoT network in these scenarios comprises tiny devices, gateways, and cloud platforms. An IoT network is able to keep these fundamental components in transmission under many conditions with lightweight communication protocols taking into account the limited hardware features (memory, processor, energy, etc.) of tiny devices. These lightweight communication protocols affect the network traffic, reliability, bandwidth, and energy consumption of the IoT application. Therefore, determining the most proper communication protocol for application developers emerges as an important engineering problem. This paper presents a straightforward overview of the lightweight communication protocols, technological advancements in application layer for the IoT ecosystem. The survey then analyzes various recent lightweight communication protocols and reviews their strengths and limitations. In addition, the paper explains the experimental comparison of Constrained Applications Protocol (CoAP), Message Queuing Telemetry (MQTT), and WebSocket protocols, more convenient for tiny IoT devices. Finally, we discuss future research directions of communication protocols for IoT.     

TAKAP:A Lightweight Three-Party Authenticated Key Agreement Protocol with User Anonymity

The three-party authenticated key agree-ment protocol is a significant cryptographic mechanism for secure communication,which encourages two entities to authenticate each other and generate a shared session key with the assistance of a trusted party (remote server) via a public channel.Recently,Wang et al.put forward a three-party key agreement protocol with user anonymity and alleged that their protocol is able to resist all kinds of attacks and provide multifarious security features in Computer Engineering & Science,No.3,2018.Unfortunately,we show that Wang et al.'s protocol is vulnerable to the password guessing attack and fails to satisfy user anonymity and perfect secrecy.To solve the aforementioned problems,a lightweight chaotic map-based Three-party authenticated key agreement protocol(short for TAKAP) is proposed,which not only could provide privacy protection but also resist a wide variety of security attacks.Furthermore,it is formally proved under Burrows-Abadi-Needham (BAN) logic.Simultaneously,the performance analysis in this paper demonstrates that the proposed TAKAP protocol is more secure and efficient compared with other relevant protocols.     

Secure communication in CloudIoT through design of a lightweight authentication and session key agreement scheme

Internet of Things (IoT) is a newly emerged paradigm where multiple embedded devices, known as things, are connected via the Internet to collect, share, and analyze data from the environment. In order to overcome the limited storage and processing capacity constraint of IoT devices, it is now possible to integrate them with cloud servers as large resource pools. Such integration, though bringing applicability of IoT in many domains, raises concerns regarding the authentication of these devices while establishing secure communications to cloud servers. Recently, Kumari et al proposed an authentication scheme based on elliptic curve cryptography (ECC) for IoT and cloud servers and claimed that it satisfies all security requirements and is secure against various attacks. In this paper, we first prove that the scheme of Kumari et al is susceptible to various attacks, including the replay attack and stolen-verifier attack. We then propose a lightweight authentication protocol for secure communication of IoT embedded devices and cloud servers. The proposed scheme is proved to provide essential security requirements such as mutual authentication, device anonymity, and perfect forward secrecy and is robust against security attacks. We also formally verify the security of the proposed protocol using BAN logic and also the Scyther tool. We also evaluate the computation and communication costs of the proposed scheme and demonstrate that the proposed scheme incurs minimum computation and communication overhead, compared to related schemes, making it suitable for IoT environments with low processing and storage capacity.     

Secure multi‐factor remote user authentication scheme for Internet of Things environments

Because of the exponential growth of Internet of Things (IoT), several services are being developed. These services can be accessed through smart gadgets by the user at any place, every time and anywhere. This makes security and privacy central to IoT environments. In this paper, we propose a lightweight, robust, and multi‐factor remote user authentication and key agreement scheme for IoT environments. Using this protocol, any authorized user can access and gather real‐time sensor data from the IoT nodes. Before gaining access to any IoT node, the user must first get authenticated by the gateway node as well as the IoT node. The proposed protocol is based on XOR and hash operations, and includes: (i) a 3‐factor authentication (ie, password, biometrics, and smart device); (ii) mutual authentication ; (iii) shared session key ; and (iv) key freshness . It satisfies desirable security attributes and maintains acceptable efficiency in terms of the computational overheads for resource constrained IoT environment. Further, the informal and formal security analysis using AVISPA proves security strength of the protocol and its robustness against all possible security threats. Simulation results also prove that the scheme is secure against attacks.     

DTLS based security and two-way authentication for the Internet of Things

In this paper, we introduce the first fully implemented two-way authentication security scheme for the Internet of Things (IoT) based on existing Internet standards, specifically the Datagram Transport Layer Security (DTLS) protocol. By relying on an established standard, existing implementations, engineering techniques and security infrastructure can be reused, which enables easy security uptake. Our proposed security scheme is therefore based on RSA, the most widely used public key cryptography algorithm. It is designed to work over standard communication stacks that offer UDP/IPv6 networking for Low power Wireless Personal Area Networks (6LoWPANs). Our implementation of DTLS is presented in the context of a system architecture and the scheme’s feasibility (low overheads and high interoperability) is further demonstrated through extensive evaluation on a hardware platform suitable for the Internet of Things.     

Strongly secure ID‐based authenticated key agreement protocol for mobile multi‐server environments

To provide mutual authentication and communication confidentiality between mobile clients and servers, numerous identity‐based authenticated key agreement (ID‐AKA) protocols were proposed to authenticate each other while constructing a common session key. In most of the existing ID‐AKA protocols, ephemeral secrets (random values) are involved in the computations of the common session key between mobile client and server. Thus, these ID‐AKA protocols might become vulnerable because of the ephemeral‐secret‐leakage (ESL) attacks in the sense that if the involved ephemeral secrets are compromised, an adversary could compute session keys and reveal the private keys of participants in an AKA protocol. Very recently, 2 ID‐AKA protocols were proposed to withstand the ESL attacks. One of them is suitable for single server environment and requires no pairing operations on the mobile client side. The other one fits multi‐server environments, but requires 2 expensive pairing operations. In this article, we present a strongly secure ID‐AKA protocol resisting ESL attacks under mobile multi‐server environments. By performance analysis and comparisons, we demonstrate that our protocol requires the lowest communication overhead, does not require any pairing operations, and is well suitable for mobile devices with limited computing capability. For security analysis, our protocol is provably secure under the computational Diffie‐Hellman assumption in the random oracle model.     

一种轻量可信的物联网通信协议

随着万物互联时代的到来,面对海量异构终端的互联需求,传统基于应用层网关的协议栈转换方案存在性能差、无法保障端到端安全等问题。提出了一种轻量可信的物联网 IP 通信协议,是网络 5.0产业和技术创新联盟协议与接口组的主要研究方向,避免应用层网关的部署,降低物联网设备的计算与存储开销,保障端到端通信安全。     

Authenticated key agreement scheme for fog-driven IoT healthcare system

The convergence of cloud computing and Internet of Things (IoT) is partially due to the pragmatic need for delivering extended services to a broader user base in diverse situations. However, cloud computing has its limitation for applications requiring low-latency and high mobility, particularly in adversarial settings (e.g. battlefields). To some extent, such limitations can be mitigated in a fog computing paradigm since the latter bridges the gap between remote cloud data center and the end devices (via some fog nodes). However, fog nodes are often deployed in remote and unprotected places. This necessitates the design of security solutions for a fog-based environment. In this paper, we investigate the fog-driven IoT healthcare system, focusing only on authentication and key agreement. Specifically, we propose a three-party authenticated key agreement protocol from bilinear pairings. We introduce the security model and present the formal security proof, as well as security analysis against common attacks. We then evaluate its performance, in terms of communication and computation costs.

     

Privacy‐preserving registration protocol for mobile network

In this paper, we propose a novel privacy‐preserving registration protocol that combines the verifier local revocation group signature with mobile IP. The protocol could achieve strong security guarantee, such as user anonymity via a robust temporary identity, local user revocation with untraceability support, and secure key establishment against home server and eavesdroppers. Various kinds of adversary attacks can be prevented by the proposed protocol, especially that deposit‐case attack does not work here. Meanwhile, a concurrent mechanism and a dynamical revocation method are designed to minimize the handover authentication delay and the home registration signals. The theoretical analysis and simulation results show that the proposed scheme could provide high security level besides lightweight computational cost and efficient communication performance. For instance, compared with Yang's scheme, the proposed protocol could decrease the falling speed of handover authentication delay up to about 40% with privacy being preserved. Copyright © 2012 John Wiley & Sons, Ltd.     

一种基于DTLS协议的VPN方案设计

DTLS(Datagram Transport Layer Security)协议是TLS协议的变体,用于在不可靠传输网络上对应用层数据提供安全保护.文中介绍了DTLS协议,提出一种基于DTLS协议的应用层VPN解决方案,并进行了仿真.     

SRGH: A secure and robust group‐based handover AKA protocol for MTC in LTE‐A networks

Machine‐type communication (MTC) is defined as an automatic aggregation, processing, and exchange of information among intelligent devices without humans intervention. With the development of immense embedded devices, MTC is emerging as the leading communication technology for a wide range of applications and services in the Internet of Things (IoT). For achieving the reliability and to fulfill the security requirements of IoT‐based applications, researchers have proposed some group‐based handover authentication and key agreement (AKA) protocols for mass MTCDs in LTE‐A networks. However, the realization of secure handover authentication for the group of MTCDs in IoT enabled LTE‐A network is an imminent issue. Whenever mass MTCDs enter into the coverage area of target base‐station simultaneously, the protocols incur high signaling congestion. In addition, the existing group‐based handover protocols suffer from the huge network overhead and numerous identified problems such as lack of key forward/backward secrecy, privacy‐preservation. Moreover, the protocols fail to avoid the key escrow problem and vulnerable to malicious attacks. To overcome these issues, we propose a secure and robust group‐based handover (SRGH) AKA protocol for mass MTCDs in LTE‐A network. The protocol establishes the group key update mechanism with forward/backward secrecy. The formal security proof demonstrates that the protocol achieves all the security properties including session key secrecy and data integrity. Furthermore, the formal verification using the AVISPA tool shows the correctness and informal analysis discusses the resistance from various security problems. The performance evaluation illustrates that the proposed protocol obtains substantial efficiency compared with the existing group‐based handover AKA protocols.     

Group and hierarchical key management for secure communications in internet of things

Different devices with different characteristics form a network to communicate among themselves in Internet of Things (IoT). Thus, IoT is of heterogeneous in nature. Also, Internet plays a major role in IoT. So, issues related to security in Internet become issues of IoT also. Hence, the group and hierarchical management scheme for solving security issues in Internet of Things is proposed in this paper. The devices in the network are formed into groups. One of the devices is selected as a leader of each group. The communication of the devices from each group takes place with the help of the leader of the corresponding group using encrypted key to enhance the security in the network. Blom's key predistribution technique is used to establish secure communication among any nodes of group. The hierarchy is maintained such that the security can be increased further, but the delay is increased as it takes time to encrypt at every level of hierarchy. Hence, the numbers of levels of hierarchy need to be optimized such that delay is balanced. Hence, this algorithm is more suitable for delay‐tolerant applications. The performance of the proposed Algorithm is evaluated and is proved to perform better when compared with the legacy systems like Decentralized Batch‐based Group Key Management Protocol for Mobile Internet of Things (DBGK).     

Efficient and flexible password authenticated key agreement for Voice over Internet Protocol Session Initiation Protocol using smart card

Providing a suitable key agreement protocol for session initiation protocol is crucial to protecting the communication among the users over the open channel. This paper presents an efficient and flexible password authenticated key agreement protocol for session initiation protocol associated with Voice over Internet Protocol. The proposed protocol has many unique properties, such as session key agreement, mutual authentication, password updating function and the server not needing to maintain a password or verification table, and so on. In addition, our protocol is secure against the replay attack, the impersonation attack, the stolen‐verifier attack, the man‐in‐the‐middle attack, the Denning–Sacco attack, and the offline dictionary attack with or without the smart card. Copyright © 2013 John Wiley & Sons, Ltd.     

An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings

With the continue evaluation of mobile devices in terms of the capabilities and services, security concerns increase dramatically. To provide secured communication in mobile client–server environment, many user authentication protocols from pairings have been proposed. In 2009, Goriparthi et al. proposed a new user authentication scheme for mobile client–server environment. In 2010, Wu et al. demonstrated that Goriparthi et al.’s protocol fails to provide mutual authentication and key agreement between the client and the server. To improve security, Wu et al. proposed an improved protocol and demonstrated that their protocol is provably secure in random oracle model. Based on Wu et al.’s work, Yoon et al. proposed another scheme to improve performance. However, their scheme just reduces one hash function operation at the both of client side and the server side. In this paper, we present a new user authentication and key agreement protocol using bilinear pairings for mobile client–server environment. Performance analysis shows that our protocol has better performance than Wu et al.’s protocol and Yoon et al.’s protocol. Then our protocol is more suited for mobile client–server environment. Security analysis is also given to demonstrate that our proposed protocol is provably secure against previous attacks.     

Cryptanalysis and improvement of a three‐party password‐based authenticated key exchange protocol with user anonymity using extended chaotic maps

Three‐party password‐authenticated key exchange (3PAKE) protocols allow two clients to agree on a secret session key through a server via a public channel. 3PAKE protocols have been designed using different arithmetic aspects including chaotic maps. Recently, Lee et al. proposed a 3PAKE protocol using Chebyshev chaotic maps and claimed that their protocol has low computation and communication cost and can also resist against numerous attacks. However, this paper shows that in spite of the computation and communication efficiency of the Lee et al. protocol, it is not secure against the modification attack. To conquer this security weakness, we propose a simple countermeasure, which maintains the computation and communication efficiency of the Lee et al. protocol. Copyright © 2014 John Wiley & Sons, Ltd.     

A fault‐tolerant group key agreement protocol exploiting dynamic setting

A fault‐tolerant group key agreement is an essential infrastructure for Internet communication among all involved participants; it can establish a secure session key no matter how many malicious participants exit simultaneously in an effort to disrupt the key agreement process. Recently, Zhao et al. proposed an efficient fault‐tolerant group key agreement protocol named efficient group key agreement that can resist denial‐of‐service attacks, reply attacks, man‐in‐middle attacks, and common modulus attacks; it can also preserve forward secrecy with lower computational cost than previous protocols. We show that it is still vulnerable to active attacks by malicious participants and modify the corresponding security weakness adaptively. Furthermore, we propose an efficient fault‐tolerant group key agreement based on a binary tree structure and enhance it to a dynamic setting where participants can leave or join the group arbitrarily according to their preferences with instant session key refreshment. Additionally, our session key refreshment is based on secure key updating to protect forward/backward confidentiality and is resistant to active/passive attacks. The performance analysis shows that our proposed protocol has lower computational cost and little additional communication cost exploiting dynamic setting. Copyright © 2013 John Wiley & Sons, Ltd.     

A secure and efficient remote patient‐monitoring authentication protocol for cloud‐IoT

The ongoing Cloud‐IoT (Internet of Things)–based technological advancements have revolutionized the ways in which remote patients could be monitored and provided with health care facilities. The real‐time monitoring of patient's health leads to dispensing the right medical treatment at the right time. The health professionals need to access patients' sensitive data for such monitoring, and if treated with negligence, it could also be used for malevolent objectives by the adversary. Hence, the Cloud‐IoT–based technology gains could only be conferred to the patients and health professionals, if the latter authenticate one another properly. Many authentication protocols are proposed for remote patient health care monitoring, but with limitations. Lately, Sharma and Kalra (DOI: 10.1007/s40998‐018‐0146‐5) present a remote patient‐monitoring authentication scheme based on body sensors. However, we discover that the scheme still bears many drawbacks including stolen smart card attack, session key compromise, and user impersonation attacks. In view of those limitations, we have designed an efficient authentication protocol for remote patient health monitoring that counters all the above‐mentioned drawbacks. Moreover, we prove the security features of our protocol using BAN logic‐based formal security analysis and validate the results in ProVerif automated security tool.     

Chaotic Map Based Mobile Dynamic ID Authenticated Key Agreement Scheme

When it comes to key agreement protocol, mutual authentication is regarded as a crucial security requirement. Yet, conventional authenticated key agreement using static ID cannot provide user anonymity if the communication content is compromised. A dynamic ID authentication scheme is a better alternative for maintaining user’s privacy. Based on the Chebyshev chaotic map, the author proposes a mobile dynamic ID authenticated key agreement scheme which allows mobile users to gain resources of remote servers. By optimizing the server computation, our scheme aims at increasing the concurrent process capacity of remote servers. We also demonstrate that the proposed scheme is secure against existential active attacks and outperforms related works.     

A Full Connectable and High Scalable Key Pre-distribution Scheme Based on Combinatorial Designs for Resource-Constrained Devices in IoT Network

Considering the internet of things (IoT), end nodes such as wireless sensor network, RFID and embedded systems are used in many applications. These end nodes are known as resource-constrained devices in the IoT network. These devices have limitations such as computing and communication power, memory capacity and power. Key pre-distribution schemes (KPSs) have been introduced as a lightweight solution to key distribution in these devices. Key pre-distribution is a special type of key agreement that aims to select keys called session keys in order to establish secure communication between devices. One of these design types is the using of combinatorial designs in key pre-distribution, which is a deterministic scheme in key pre-distribution and has been considered in recent years. In this paper, by introducing a key pre-distribution scheme of this type, we stated that the model introduced in the two benchmarks of KPSs comparability had full connectivity and scalability among the designs introduced in recent years. Also, in recent years, among the combinatorial design-based key pre-distribution schemes, in order to increase resiliency as another criterion for comparing KPSs, attempts were made to include changes in combinatorial designs or they combine them with random key pre-distribution schemes and hybrid schemes were introduced that would significantly reduce the design connectivity. In this paper, using theoretical analysis and maintaining full connectivity, we showed that the strength of the proposed design was better than the similar designs while maintaining higher scalability.