Indraj: digital certificate enrollment for battery-powered wireless devices

Public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer infeasible on small devices. One major obstacle remains before IoT can migrate from poorly scalable, pair-wise symmetric encryption to PKI: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in the form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN). We evaluate our implementation on a low-power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well-behaved, first-class citizens on the Internet.
