DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT †

IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core networks. To alleviate the core of the network, other technologies like fog computing can be used. On the security side, designers of IoT low-cost devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering DNSSEC and DANE were designed to cope with static services, coping with IoT dynamic microservice instantiation can throttle the scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme. Chameleon signatures are signatures computed over a chameleon hash, which have a property: a secret trapdoor function can be used to compute collisions to the hash. Since the hash is maintained, the signature does not have to be computed again. In the soft delegation schema, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.

[1]  Kevin Ashton,et al.  That ‘Internet of Things’ Thing , 1999 .

[2]  Paul E. Hoffman,et al.  The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA , 2012, RFC.

[3]  Robert Simon Sherratt,et al.  Secure store and forward proxy for dynamic IoT applications over M2M networks , 2016, IEEE Transactions on Consumer Electronics.

[4]  G. Paquet,et al.  E-Governance and Smart Communities , 2001 .

[5]  Stefan Santesson Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name , 2007, RFC.

[6]  Darko Huljenic,et al.  Basic principles of Machine-to-Machine communication and its impact on telecommunications industry , 2011, 2011 Proceedings of the 34th International Convention MIPRO.

[7]  Pooyan Jamshidi,et al.  Microservices Architecture Enables DevOps: Migration to a Cloud-Native Architecture , 2016, IEEE Software.

[8]  Scott Rose,et al.  Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[9]  Xiaohui Liang,et al.  GRS: The green, reliability, and security of emerging machine to machine communications , 2011, IEEE Communications Magazine.

[10]  Warwick Ford,et al.  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework , 2003, RFC.

[11]  Andrei Broder,et al.  Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[12]  Hannes Tschofenig,et al.  Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things , 2016, RFC.

[13]  Lianping Chen,et al.  Continuous Delivery: Huge Benefits, but Challenges Too , 2015, IEEE Software.

[14]  J. Alex Halderman,et al.  Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.

[15]  Ben Laurie,et al.  Computing: Secure the Internet , 2012, Nature.

[16]  Robert Simon Sherratt,et al.  Proxy re-encryption schemes for IoT and crowd sensing , 2016, 2016 IEEE International Conference on Consumer Electronics (ICCE).

[17]  Marta E. Mangelsdorf How Secure Is the Internet , 2007 .

[18]  Luis Rodero-Merino,et al.  Finding your Way in the Fog: Towards a Comprehensive Definition of Fog Computing , 2014, CCRV.

[19]  Dave Evans,et al.  How the Next Evolution of the Internet Is Changing Everything , 2011 .

[20]  Warwick Ford,et al.  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework , 1999, RFC.

[21]  David Chaum,et al.  Convertible Undeniable Signatures , 1990, CRYPTO.

[22]  Nei Kato,et al.  Toward intelligent machine-to-machine communications in smart grid , 2011, IEEE Communications Magazine.

[23]  Yael Tauman Kalai,et al.  Improved Online/Offline Signature Schemes , 2001, CRYPTO.

[24]  Arun Prakash,et al.  Machine-to-Machine (M2M) communications: A survey , 2016, J. Netw. Comput. Appl..

[25]  H M D Utidjian,et al.  The Proposed Standard , 1976 .

[26]  Sajjad Haider Shami,et al.  Evolution of Communication Technologies for Smart Grid applications , 2013 .

[27]  Patrick Goldsack,et al.  The Asymptotic Configuration of Application Components in a Distributed System , 1998 .

[28]  Robert Simon Sherratt,et al.  A Survey on Wireless Body Area Networks for eHealthcare Systems in Residential Environments , 2016, Sensors.

[29]  Nick Feamster,et al.  Improving network management with software defined networking , 2013, IEEE Commun. Mag..

[30]  Xu Chen,et al.  MOCA: a lightweight mobile cloud offloading architecture , 2013, MobiArch '13.

[31]  Ivan Stojmenovic,et al.  Fog computing: A cloud to the ground support for smart things and machine-to-machine networks , 2014, 2014 Australasian Telecommunication Networks and Applications Conference (ATNAC).

[32]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[33]  Juan Felipe Botero Vega,et al.  Network Functions Virtualization: A Survey , 2016, IEEE Latin America Transactions.

[34]  Jeffrey G. Andrews,et al.  What Will 5G Be? , 2014, IEEE Journal on Selected Areas in Communications.

[35]  C. Rogers,et al.  Smart Cities: Contradicting Definitions and Unclear Measures , 2014 .

[36]  Daren C. Brabham Crowdsourcing as a model for problem solving: Leveraging the collective intelligence of online communities for public good , 2010 .

[37]  Doug Johnson,et al.  Computing in the Clouds. , 2010 .

[38]  Andrés Marín López,et al.  TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications , 2019, IEEE Communications Surveys & Tutorials.

[39]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[40]  Peter E. Yee Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2013, RFC.

[41]  Stamatis Karnouskos,et al.  M2M to IoT – The Vision , 2014 .

[42]  Felix Wortmann,et al.  Internet of Things , 2015, Business & Information Systems Engineering.

[43]  A. Molisch,et al.  IEEE 802.15.4a channel model-final report , 2004 .

[44]  Douglas Stebila,et al.  X.509v3 Certificates for Secure Shell Authentication , 2011, RFC.

[45]  Sara J. Graves,et al.  CASA and LEAD: adaptive cyberinfrastructure for real-time multiscale weather forecasting , 2006, Computer.

[46]  Jennifer Healey,et al.  2006's Wearable Computing Advances and Fashions , 2007, IEEE Pervasive Computing.

[47]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[48]  Peng Liang,et al.  A systematic mapping study on the combination of software architecture and agile development , 2016, J. Syst. Softw..

[49]  Scott Rose,et al.  Resource Records for the DNS Security Extensions , 2005, RFC.

[50]  R. H. Glitho,et al.  Application architectures for machine to machine communications: Research agenda vs. state-of-the art , 2011, 7th International Conference on Broadband Communications and Biomedical Applications.

[51]  David W. Chadwick Understanding X.500 - the directory , 1994 .

[52]  Serguei Leontiev,et al.  Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 2006, RFC.

[53]  Stefania Sesia,et al.  LTE - The UMTS Long Term Evolution, Second Edition , 2011 .

[54]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[55]  Giuseppe Ateniese,et al.  On the Key Exposure Problem in Chameleon Hashes , 2004, SCN.

[56]  Bin Guo,et al.  From participatory sensing to Mobile Crowd Sensing , 2014, 2014 IEEE International Conference on Pervasive Computing and Communication Workshops (PERCOM WORKSHOPS).

[57]  R. Hollands Will the real smart city please stand up? , 2008, The Routledge Companion to Smart Cities.

[58]  Raja Lavanya,et al.  Fog Computing and Its Role in the Internet of Things , 2019, Advances in Computer and Electrical Engineering.

[59]  Filip De Turck,et al.  Network Function Virtualization: State-of-the-Art and Research Challenges , 2015, IEEE Communications Surveys & Tutorials.

[60]  Jesus Alonso-Zarate,et al.  Challenges of massive access in highly dense LTE-advanced networks with machine-to-machine communications , 2014, IEEE Wireless Communications.

[61]  Hugo Krawczyk,et al.  Chameleon Hashing and Signatures , 1998, IACR Cryptol. ePrint Arch..

[62]  M. Deakin,et al.  From intelligent to smart cities , 2011 .

[63]  Shuang-Hua Yang,et al.  A zigbee-based home automation system , 2009, IEEE Transactions on Consumer Electronics.

[64]  Sneha A. Dalvi,et al.  Internet of Things for Smart Cities , 2017 .