Similar literature
 Found 20 similar articles; search took 31 ms
1.
Internet of Things (IoT) technologies allow everyday objects including small devices in sensor networks to be capable of connecting to the Internet. Such an innovative technology can lead to positive changes in human life. However, if there is no proper security mechanism, private and sensitive data around humans can be revealed to the public Internet. In this aspect, this paper considers security issues of the IoT. In particular, we focus on various challenges in deploying Datagram Transport Layer Security (DTLS) protocol into a resource constrained environment. DTLS provides secure communication with UDP-based applications the same as TLS does for TCP-based applications. Several standard organizations such as IETF, oneM2M and OMA recommend using the DTLS as a default secure scheme for CoAP which is a new standard specified for resource-constrained environments. To find a practical way to deploy the DTLS in such constrained IoT environments, we propose an IoT–Cloud collaboration system, where DTLS handshake delegation is the main component. We also implement and evaluate the proposed system in our real IoT testbed, where constrained devices are interconnected with each other in a multi-hop fashion. Evaluation results show that the proposed scheme dramatically reduces DTLS handshake latency, implementation code size and energy consumption.

2.

Constrained Application Protocol (CoAP), an application layer based protocol, is a compressed version of HTTP protocol that is used for communication between lightweight resource constrained devices in Internet of Things (IoT) network. The CoAP protocol is generally associated with connectionless User Datagram Protocol (UDP) and works based on Representational State Transfer architecture. The CoAP is associated with Datagram Transport Layer Security (DTLS) protocol for establishing a secure session using the existing algorithms like Lightweight Establishment of Secure Session for communication between various IoT devices and remote server. However, several limitations regarding the key management, session establishment and multi-cast message communication within the DTLS layer are present in CoAP. Hence, development of an efficient protocol for secure session establishment of CoAP is required for IoT communication. Thus, to overcome the existing limitations related to key management and multicast security in CoAP, we have proposed an efficient and secure communication scheme to establish secure session key between IoT devices and remote server using lightweight elliptic curve cryptography (ECC). The proposed ECC-based CoAP is referred to as ECC-CoAP that provides a CoAP implementation for authentication in IoT network. A number of well-known cryptographic attacks are analyzed for validating the security strength of the ECC-CoAP and found that all these attacks are well defended. The performance analysis of the ECC-CoAP shows that our scheme is lightweight and secure.


3.
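Sun Hong, Yang Li. Electronic Science and Technology (《电子科技》), 2015, 28(9): 175
This paper introduces the concepts of cloud computing and the Internet of Things (IoT), analyzes the necessity of integrating the two and the basic platform for combining them, and proposes a cloud-computing-based IoT architecture. It studies the security threats facing the three-layer architecture of the cloud-based IoT and, in response to those threats, gives a cloud-based IoT security architecture together with an authentication scheme for cloud users at the application layer of the cloud-based IoT. The scheme borrows the schema partitioning rules and permission assignment methods of database technology, so that users of the cloud-based IoT can be strictly authenticated and data security is ensured.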

4.
Gao Lijun, Zhang Lu, Feng Lin, Ma Maode. Wireless Personal Communications, 2020, 115(2): 1603-1621

Machine-to-machine (M2M) is an important part of Internet of Things (IoT), and is used to describe those technologies applied in wireless communication automatically between mechanics or electronics instruments. With the rapid development and wide application of the Internet of Things, IETF is assigned to design IPv6 over low power wireless personal area network (6LoWPAN). The address of IPv6 is indefinite, which means it can satisfy addressing requirements for M2M. The 6LoWPAN standard has clarified important issues in M2M, but communication security has not been effectively resolved. In this article, we analyzed the existing security protocol for M2M communication in 6LoWPAN. The analysis result shows that the protocol has the defect of data leakage after the node is captured. In addition, the EAKES6Lo protocol is also vulnerable to sinkhole attacks and plaintext-chosen attacks. Based on the above analysis, an M2M communication mutual authentication protocol based on 6LoWPAN in unattended operation is proposed. The protocol establishes a reasonable secret key distribution mechanism and designs an anti-capture attack detection method for unattended nodes to resist attacks, such as replay attacks, sinkhole attacks, plaintext-chosen attacks, and physical capture attacks. Finally, the security of the protocol is proved by BAN.


5.
Security Challenges in the IP-based Internet of Things (total citations: 1; self-citations: 0; citations by others: 1)
A direct interpretation of the term Internet of Things refers to the use of standard Internet protocols for the human-to-thing or thing-to-thing communication in embedded networks. Although the security needs are well-recognized in this domain, it is still not fully understood how existing IP security protocols and architectures can be deployed. In this paper, we discuss the applicability and limitations of existing Internet protocols and security architectures in the context of the Internet of Things. First, we give an overview of the deployment model and general security needs. We then present challenges and requirements for IP-based security solutions and highlight specific technical limitations of standard IP security protocols.

6.
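Given the limited storage, computing and communication resources of smart terminals in the power Internet of Things, most existing operation-management algorithms concentrate on reducing node power consumption, which limits the terminals' resistance to capture. To improve resistance to physical capture attacks while preserving the operating performance of power IoT terminal nodes, a lightweight key management scheme is proposed. Deploying concentrator nodes adds a central control region, which forms a new two-tier grid deployment model. Based on this new structure, a two-stage key information distribution algorithm is proposed. In each stage, the security threshold of the Blom matrix space is set according to the number of nodes in each sub-region, which substantially improves the connectivity and capture resistance of the power information network. Simulation results show that when the proportion of captured terminals is 5.5%, the communication link failure probability of this scheme is at most 63% and 68% lower than that of the t-UKP and SPECC schemes, respectively.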

7.
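The research history and current state of the Internet of Things are summarized and analyzed, the composition and working principles of the IoT and of RFID are described and analyzed, and on that basis a number of security and privacy problems in existing technology are studied in depth. For the attack methods that target RFID, solutions based on physical mechanisms and solutions based on cryptographic techniques are introduced in turn. To meet the security and privacy requirements of RFID systems and to remedy the defects of existing security protocols, a timestamp-based challenge-response mutual authentication protocol is proposed.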

8.
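As society develops, the Internet of Things has become an important emerging industry and is widely used in many fields. The IoT is built on Internet technology, and its operation inevitably produces large amounts of data. These data are the private information of customers, and protecting customer privacy effectively is the first condition for the further development of the IoT. When dealing with the security of private data in the IoT, technical staff must clearly understand the main channels through which that data is threatened, strengthen security protection, and protect people's privacy. This article discusses the security of private data along three channels, namely information acquisition, information transmission and information processing, and proposes several measures to strengthen privacy protection.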

9.
Different devices with different characteristics form a network to communicate among themselves in Internet of Things (IoT). Thus, IoT is heterogeneous in nature. Also, Internet plays a major role in IoT. So, issues related to security in Internet become issues of IoT also. Hence, the group and hierarchical management scheme for solving security issues in Internet of Things is proposed in this paper. The devices in the network are formed into groups. One of the devices is selected as a leader of each group. The communication of the devices from each group takes place with the help of the leader of the corresponding group using encrypted key to enhance the security in the network. Blom's key predistribution technique is used to establish secure communication among any nodes of group. The hierarchy is maintained such that the security can be increased further, but the delay is increased as it takes time to encrypt at every level of hierarchy. Hence, the number of levels of hierarchy needs to be optimized such that delay is balanced. Hence, this algorithm is more suitable for delay‐tolerant applications. The performance of the proposed algorithm is evaluated and is proved to perform better when compared with the legacy systems like Decentralized Batch‐based Group Key Management Protocol for Mobile Internet of Things (DBGK).

10.
To attain ubiquitous connectivity of everything, Internet of Things (IoT) systems must include “multimedia things.” Internet of Multimedia Things (IoMT) is a heterogeneous network of smart multimedia things connected together and with other physical devices to the Internet so as to achieve globally available multimedia services and applications. Due to the ever increasing amount of multimedia data in IoT environments, securing these systems becomes crucial. This is because these systems are easily susceptible to attacks when information or any service is accessed by the users. In this paper, we propose a secure three‐factor remote user authentication scheme for IoMT systems using ECC. The formal security proof performed using ROR model and BAN logic confirms that an attacker will not be able to extract sensitive user information. Through informal security analysis, we justify the resistance of the scheme against several security attacks. The performance comparison shows that the scheme is efficient in terms of computational cost, security features, and attack resistance. Furthermore, simulation of the scheme using AVISPA and ProVerif proves that the scheme is secure against all active and passive attacks.

11.
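A D-S-based competitive security algorithm for clock synchronization (total citations: 1; self-citations: 0; citations by others: 1)
To address the shortage of research on clock synchronization security in the Internet of Things, a secure clock synchronization algorithm is proposed. First, the procedure of the secure clock synchronization algorithm is given, based on the idea of voting competition. Then, to solve the problem of uncertain network communication delay that arises in this procedure, a solution based on D-S theory is proposed. Finally, simulation experiments are carried out; the results show that, under uncertain network communication delay, the proposed synchronization algorithm tolerates attacks from internal nodes and improves the security of clock synchronization.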

12.
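The security of wireless transmission is a major bottleneck constraining the development of the Internet of Things. The limited computing power and hardware configuration of IoT terminals, together with eavesdroppers equipped with large-scale antenna arrays, pose new challenges for physical-layer security techniques. To address this problem, this paper proposes a lightweight noise injection strategy that can counter an eavesdropper with a large-scale antenna array. First, the proposed noise injection strategy is introduced and its security is analyzed. Then, based on the strategy, a closed-form expression for the system throughput is derived, and the time-slot allocation coefficient and the power allocation coefficient are optimized. Theoretical and simulation results show that, through the design of the IoT system parameters, the proposed noise injection strategy achieves secure transmission of confidential information.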

13.
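As blockchain technology continues to develop, its applications are becoming increasingly widespread. This article analyzes the data structure and overall architecture of the blockchain and examines the challenges that the blockchain brings to the Internet of Things. Finally, it describes in detail the application of blockchain-based IoT technology in four areas, namely IoT data trading systems, power grid management, the Internet of Vehicles, and anti-counterfeiting security management, with the aim of providing reliable support for the development of blockchain-based IoT technology.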

14.
The design of standard communications and security mechanisms for resource‐constrained sensing applications and devices may provide an important contribution for its integration with the Internet and consequently towards the realization of what we nowadays identify as the Internet of Things. This vision will only be realizable if appropriate security mechanisms are available, and in this context we target the design and experimental evaluation of security mechanisms for communications at the network‐layer with sensing devices (smart objects) using the standard IPv6 protocol. Our work proposes and evaluates the usage of new compressed security headers for the network layer with smart objects. We implement and evaluate what is, as far as we know, the first proposal of security at the network layer experimentally evaluated using the TinyOS operating system and its networking stack. As we verify in the course of our evaluation study, various scenarios employing network‐layer secure communications involving smart objects are feasible, particularly when security mechanisms are designed to benefit from cross‐layer interactions that allow the optimization of expensive cryptographic operations. Copyright © 2012 John Wiley & Sons, Ltd.

15.
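To address the problem that existing Internet of Things teaching models are not closely tied to real engineering projects, this paper proposes a project-based IoT teaching method. The article first analyzes the shortcomings of the traditional teaching model, then introduces the project-based teaching model, and uses a smart-home security monitoring system as an example to explain the specific method of project-based teaching. This teaching model combines engineering project cases with IoT teaching, so that students gain a full understanding of the IoT architecture and exercise their project development skills during project development, training IoT research and development personnel who better meet the needs of society.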

16.
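With the integration of information technologies such as the industrial Internet of Things (IoT) and cloud computing into industrial control systems (ICS), the security of industrial data faces great risk. To protect the confidentiality and integrity of data in such a complex distributed environment, this paper uses an attribute-based encryption (ABE) algorithm to design a communication scheme that combines data encryption, access control, outsourced decryption and data verification, and that also has constant ciphertext length. Finally, the scheme is analyzed in detail in terms of correctness, security and performance overhead, and simulation verifies that the algorithm has the advantage of low decryption overhead.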

17.
Internet of Things (IoT) devices facilitate intelligent service delivery in a broad range of settings, such as smart offices, homes and cities. However, the existing IoT access control solutions are mainly based on conventional identity management schemes and use centralized architectures. There are known security and privacy limitations with such schemes and architectures, such as the single-point failure or surveillance (e.g., device tracking). Hence, in this paper, we present an architecture for capability-based IoT access control utilizing the blockchain and decentralized identifiers to manage the identity and access control for IoT devices. Then, we propose a protocol to provide a systematic view of system interactions, to improve security. We also implement a proof-of-concept prototype of the proposed approach and evaluate the prototype using a real-world use case. Our evaluation results show that the proposed solution is feasible, secure, and scalable.

18.
On demand network-wide VPN deployment in GPRS (total citations: 1; self-citations: 0; citations by others: 1)
Xenakis C., Merakos L. IEEE Network, 2002, 16(6): 28-37
Mobile Internet requires enhanced security services available to all mobile subscribers in a dynamic fashion. A network-wide virtual private network deployment scenario over the General Packet Radio Service is proposed and analyzed from a security viewpoint. The proposed security scheme improves the level of protection that is currently supported in GPRS and facilitates the realization of mobile Internet. It secures data transmission over the entire network route from a mobile user to a remote server by utilizing the default GPRS ciphering over the radio interface, and by deploying an IP VPN over the GPRS core, as well as on the public Internet. Thus, on-demand VPN services are made available for all GPRS network subscribers and roaming users. The VPN functionality, which is based on the IPsec framework, is outsourced to the network infrastructure to eliminate the potential computational overhead on the mobile device. The VPN initialization and key agreement procedures are based on an Internet Key Exchange protocol proxy scheme, which enables the mobile station to initiate VPN establishment, while shifting the complex key negotiation to the network infrastructure. The deployed VPN operates transparently to the mobile subscribers' movement. The required enhancements for security service provision can be integrated in the existing network infrastructure; therefore, the proposed security scheme can be employed as an add-on feature to the GPRS standard.

19.
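Luo Kui, Du Xianghua. Mobile Information (《移动信息》), 2023, 45(7): 177-180
As Internet of Things technology develops, IoT security problems are receiving growing attention. This paper first introduces the current state of IoT security technology, including security protocols, security mechanisms and security services. It then introduces IoT protection measures, including security policies, authentication mechanisms, security mechanisms and security management. Finally, it presents trends and recommendations for the future development of IoT security technology, in the hope of improving the security of the IoT.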

20.
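The IoT information system is a key component of the Internet of Things ecosystem. This article introduces a basic design for an IoT information system and, on that basis, introduces a web application model based on Ajax technology. Ajax is applied to real-time information display and historical data queries in the IoT information system, and offers advantages such as no page refresh and fast response. This asynchronous communication gives users a more natural and fluid experience and achieves interaction close to that of a desktop application. Such a system can be responsible for collecting information from settings ranging from natural ecosystems to buildings and factories, and can therefore be applied across the fields of the IoT.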
