论文信息 - DNS-Based Dynamic Authentication for Microservices in IoT

DNS-Based Dynamic Authentication for Microservices in IoT

IoT devices provide with real-time data to a rich ecosystems of services and applications that will be of uttermost importance for ubiquitous computing. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core netkworks. Designers may opt for microservice architectures and fog computing to address this challenge while offering the required flexibility for the main players of ubiquitous computing: nomadic users. Microservices require strong security support for Fog computing, to rely on nodes in the boundary of the network for secure data collection and processing. IoT low cost devices face outdated certificates and security support, due to the elapsed time from manufacture to deployment. In this paper we propose a solution based on microservice architectures and DNSSEC, DANE and chameleon signatures to overcome these difficulties. We will show how trap doors included in the certificates allow a secure and flexible delegation for off-loading data collection and processing to the fog. The main result is showing this requires minimal manufacture device configuration, thanks to DNSSEC support.

Andrés Marín López | Daniel Díaz Sánchez | Florina Almenáres Mendoza | Patricia Arias Cabarcos

[1] Marta E. Mangelsdorf. How Secure Is the Internet , 2007 .

[2] Scott Rose,et al. Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[3] Giuseppe Ateniese,et al. On the Key Exposure Problem in Chameleon Hashes , 2004, SCN.

[4] Warwick Ford,et al. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework , 1999, RFC.

[5] Jeff Hodges,et al. HTTP Strict Transport Security (HSTS) , 2012, RFC.

[6] Paul E. Hoffman,et al. The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA , 2012, RFC.

[7] Moxie Marlinspike,et al. Trust Assertions for Certificate Keys , 2013 .

[8] Stefan Santesson. Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name , 2007, RFC.

[9] Scott Rose,et al. Resource Records for the DNS Security Extensions , 2005, RFC.

[10] Andrei Broder,et al. Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[11] David Chaum,et al. Convertible Undeniable Signatures , 1990, CRYPTO.

[12] Hugo Krawczyk,et al. Chameleon Hashing and Signatures , 1998, IACR Cryptol. ePrint Arch..

[13] J. Alex Halderman,et al. Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.