Integrity Monitoring for IoT Device Based on MQTT Protocol Extension
Cite this article: QI Bing, QIN Yu, LI Min-Hong, XIE Hong, SHANG Ke-Tong, FENG Wei, LI Wei. Integrity Monitoring for IoT Device Based on MQTT Protocol Extension[J]. Computer Systems & Applications, 2022, 31(11): 68-78
Authors: QI Bing  QIN Yu  LI Min-Hong  XIE Hong  SHANG Ke-Tong  FENG Wei  LI Wei
Affiliation: University of Chinese Academy of Sciences, Beijing 100049; Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190; Shenzhen Power Supply Co. Ltd., Shenzhen 518028
Funding: National Key R&D Program of China (2020YFE0200600); National Natural Science Foundation of China (61872343); Youth Innovation Promotion Association, Chinese Academy of Sciences
Abstract: With the rapid development of the Internet of Things, the number of devices is growing exponentially, and the accompanying IoT security problems are receiving more and more attention. IoT device integrity authentication usually relies on software attestation to verify device integrity, so that tampering with system integrity caused by malicious software executing on the device can be detected in time. However, existing IoT software attestation suffers from poor performance when attesting massive numbers of devices synchronously and from the difficulty of extending general-purpose IoT communication protocols. To address these problems, this paper presents a lightweight asynchronous integrity monitoring scheme that extends the general MQTT protocol with software attestation security authentication messages and pushes device integrity information asynchronously, improving the efficiency of device integrity attestation and verification while preserving the high security of the IoT system. Our scheme implements three security functions: device integrity measurement implemented as a kernel module, a lightweight MQTT-based authentication extension for device identity and integrity, and asynchronous integrity monitoring based on the extended MQTT protocol. The scheme resists common software attestation and MQTT protocol attacks and is characterized by lightweight asynchronous software attestation and a general MQTT security extension. Finally, experiments on an MQTT-based IoT authentication prototype system show that the integrity measurement of IoT nodes, MQTT connection authentication and PUBLISH message authentication all perform well and can meet the application requirements of integrity monitoring for massive numbers of IoT devices.

Keywords: IoT security  integrity measurement  MQTT protocol security extension  software attestation  trusted computing
Received: 2022-02-24
Revised: 2022-03-15

Integrity Monitoring for IoT Device Based on MQTT Protocol Extension
QI Bing, QIN Yu, LI Min-Hong, XIE Hong, SHANG Ke-Tong, FENG Wei, LI Wei. Integrity Monitoring for IoT Device Based on MQTT Protocol Extension[J]. Computer Systems & Applications, 2022, 31(11): 68-78
Authors:QI Bing  QIN Yu  LI Min-Hong  XIE Hong  SHANG Ke-Tong  FENG Wei  LI Wei
Affiliation:University of Chinese Academy of Sciences, Beijing 100049, China;Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China;Shenzhen Power Supply Co. Ltd., Shenzhen 518028, China
Abstract: With the rapid development of the Internet of Things (IoT), the number of IoT devices has grown exponentially, which is accompanied by increasing attention to IoT security. Generally, IoT devices adopt software attestation to verify the integrity of the software environment, so that system integrity tampering caused by the execution of malicious software can be detected in time. However, existing software attestation suffers from poor performance in the synchronous attestation of massive numbers of IoT devices and from the difficulty of extending general IoT communication protocols. To address these problems, this study proposes a lightweight asynchronous integrity monitoring scheme. The scheme extends the general message queuing telemetry transport (MQTT) protocol with the security authentication message of software attestation and asynchronously pushes the integrity information of devices. It improves not only the security of IoT systems but also the efficiency of integrity attestation and verification. The following three security functions are realized: device integrity measurement in a kernel module; a lightweight authentication extension of device identity and integrity based on MQTT; and asynchronous integrity monitoring based on the MQTT extension protocol. This scheme can resist common software attestation attacks and MQTT protocol attacks and has the characteristics of lightweight asynchronous software attestation and general MQTT security extension. The experimental results of the prototype system of IoT authentication based on MQTT show the high performance of the integrity measurement of IoT nodes, MQTT protocol connection authentication and PUBLISH message authentication, which can meet the application requirements of integrity monitoring of massive numbers of IoT devices.
Keywords:IoT security  integrity measurement  message queuing telemetry transport (MQTT) protocol security extension  software attestation  trusted computing
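To make the asynchronous push concrete, here is an added illustration (not the paper's code or message format) of the two halves of such a scheme: a device-side measurement that folds file digests into one aggregate, carried in an authenticated payload that a device would publish on an attestation topic, and the monitor-side check of message authenticity, freshness and the measured state against a golden reference. The per-device key, the golden file list, the JSON layout and the sequence-counter freshness rule are assumptions made for this example; the MQTT transport itself is left out since the payload is broker-agnostic.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the paper): a per-device key
# provisioned out of band, and the golden file contents the monitor expects.
DEVICE_KEY = b"per-device-secret-provisioned-out-of-band"
GOLDEN_FILES = {"/sbin/init": b"init-binary-v1", "/lib/libc.so": b"libc-v1"}


def measure(files):
    """Hash each file and fold the digests into one aggregate, IMA-style."""
    aggregate = hashlib.sha256()
    entries = []
    for path in sorted(files):
        digest = hashlib.sha256(files[path]).hexdigest()
        entries.append({"path": path, "sha256": digest})
        aggregate.update(bytes.fromhex(digest))
    return entries, aggregate.hexdigest()


def build_attestation_payload(device_id, seq, files, key=DEVICE_KEY):
    """Device side: the payload pushed in an MQTT PUBLISH on an attestation topic.
    seq is a monotonically increasing counter so a replayed message is rejected."""
    entries, aggregate = measure(files)
    body = {"device_id": device_id, "seq": seq, "aggregate": aggregate, "entries": entries}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": tag})


def verify_attestation(payload, last_seq, golden=GOLDEN_FILES, key=DEVICE_KEY):
    """Monitor side: check the MAC first, then freshness, then the measured state.
    Returns (ok, reason, seq_to_record)."""
    msg = json.loads(payload)
    body = msg["body"]
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return False, "bad-mac", last_seq          # forged or altered in transit
    if body["seq"] <= last_seq:
        return False, "replay", last_seq           # stale message replayed
    _, golden_aggregate = measure(golden)
    if body["aggregate"] != golden_aggregate:
        changed = [e["path"] for e in body["entries"]
                   if hashlib.sha256(golden.get(e["path"], b"")).hexdigest() != e["sha256"]]
        return False, "tampered:" + ",".join(changed), body["seq"]
    return True, "ok", body["seq"]
```

Because each message carries its own MAC and counter, the monitor can process pushes from many devices as they arrive instead of polling each one in turn.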