Hardware-secured and transparent multi-stakeholder data exchange for industrial IoT

Authentic and confidential, but at the same time traceable and transparent, data exchange among multiple stakeholders is a key challenge in Industrial Internet of Things (IIoT) applications. Specifically, smart service connectivity requires the secure and transparent acquisition of equipment status information, which we call snapshots, from globally distributed equipment instances at customer sites by the equipment vendor. Related work has proposed to use a Message Queue Telemetry Transport (MQTT) Broker and hardware-secured Transport Layer Security (TLS) with client authentication. However, this approach lacks strong cryptographic end-to-end protection of snapshots. Here we show a hardware-rooted snapshot protection system that utilizes a Broker-based messaging infrastructure, hybrid encryption and a single-pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) scheme. We evaluate our concept by means of a prototype implementation and discuss security and performance implications. Our approach provides strong end-to-end data protection, while at the same time enabling customers to trace what data has been transferred off their equipment. We believe that our concept can serve as a template for a multitude of Industrial Internet of Things applications, which by their very nature call for strong security.

[1]  Russ Housley,et al.  Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type , 2007, RFC.

[2]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[3]  Markku-Juhani O. Saarinen Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes , 2012, FSE.

[4]  Russ Housley,et al.  Advanced Encryption Standard (AES) Key Wrap Algorithm , 2002, RFC.

[5]  Kazumaro Aoki,et al.  SEC X.2: Recommended Elliptic Curve Domain Parameters , 2008 .

[6]  Russ Housley,et al.  Cryptographic Message Syntax (CMS) , 2002, RFC.

[7]  Kagermann Henning Recommendations for implementing the strategic initiative INDUSTRIE 4.0 , 2013 .

[8]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[9]  Peter Priller,et al.  Case study: From legacy to connectivity migrating industrial devices into the world of smart services , 2014, Proceedings of the 2014 IEEE Emerging Technology and Factory Automation (ETFA).

[10]  Johannes Winter,et al.  Hardware-security technologies for industrial IoT: TrustZone and security controller , 2015, IECON 2015 - 41st Annual Conference of the IEEE Industrial Electronics Society.

[11]  Elaine B. Barker,et al.  Recommendation for key management: , 2019 .

[12]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[13]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[14]  Peter Priller,et al.  Securing smart maintenance services: Hardware-security and TLS for MQTT , 2015, 2015 IEEE 13th International Conference on Industrial Informatics (INDIN).

[15]  Simon Blake-Wilson,et al.  Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS) , 2002, RFC.

[16]  N. Koblitz The Uneasy Relationship Between Mathematics and Cryptography , 2007 .

[17]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography | NIST , 2006 .