Application Layer Key Establishment for End-to-End Security in IoT

In most Internet of Things (IoT) deployments, intermediate entities are usually employed for efficiency and scalability reasons. These intermediate proxies break end-to-end security when using even the state-of-the-art transport layer security (TLS) solutions. In this direction, the recent object security for constrained RESTful environments (OSCORE) has been standardized to enable end-to-end security even in the presence of malicious proxies. In this article, we focus on the key establishment process based on application-layer techniques. In particular, we evaluate the ephemeral Diffie–Hellman over COSE (EDHOC), the de facto key establishment protocol for OSCORE. Based on EDHOC, we propose CompactEDHOC, as a lightweight alternative, in which negotiation of security parameters is extracted from the core protocol. In addition to providing end-to-end security properties, we perform extensive evaluation using real IoT hardware and simulation tools. Our evaluation results prove EDHOC-based proposals as an effective and efficient approach for the establishment of a security association in IoT-constrained scenarios.

[1]  Paul E. Hoffman,et al.  Internet Key Exchange Protocol Version 2 (IKEv2) , 2010, RFC.

[2]  Ludwig Seitz,et al.  Object Security for Constrained RESTful Environments (OSCORE) , 2019, RFC.

[3]  Antonio F. Gómez-Skarmeta,et al.  Enhancing LoRaWAN Security through a Lightweight and Authenticated Key Management Approach , 2018, Sensors.

[4]  Carsten Bormann,et al.  ECDHE-PSK AES-CCM Cipher Suites with Forward Secrecy for Transport Layer Security (TLS) , 2014 .

[5]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[6]  Panagiotis Papadimitratos,et al.  SecureSense: End-to-end secure communication architecture for the cloud-connected Internet of Things , 2017, Future Gener. Comput. Syst..

[7]  Georg Carle,et al.  DTLS based security and two-way authentication for the Internet of Things , 2013, Ad Hoc Networks.

[8]  Hannes Tschofenig,et al.  Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things , 2016, RFC.

[9]  Ralph E. Droms,et al.  Manufacturer Usage Description Specification , 2019, RFC.

[10]  Antonio F. Gómez-Skarmeta,et al.  Architecture of security association establishment based on bootstrapping technologies for enabling secure IoT infrastructures , 2019, Future Gener. Comput. Syst..

[11]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[12]  Shahid Raza,et al.  TinyIKE: Lightweight IKEv2 for Internet of Things , 2019, IEEE Internet of Things Journal.

[13]  Hannes Tschofenig,et al.  Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) , 2020, RFC.

[14]  Hugo Krawczyk,et al.  Perfect Forward Secrecy , 2011, Encyclopedia of Cryptography and Security.

[15]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[16]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[17]  Sugata Sanyal,et al.  Survey of Security and Privacy Issues of Internet of Things , 2015, ArXiv.

[18]  Andrzej Duda,et al.  OSCAR: Object security architecture for the Internet of Things , 2014, Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014.

[19]  Fernand Meyer,et al.  A comparative study of LPWAN technologies for large-scale IoT deployment , 2019, ICT Express.

[20]  Hannes Tschofenig,et al.  Securing the Internet of Things: A Standardization Perspective , 2014, IEEE Internet of Things Journal.

[21]  Dan Garcia-Carrillo,et al.  Multihop Bootstrapping With EAP Through CoAP Intermediaries for IoT , 2018, IEEE Internet of Things Journal.

[22]  Klaus Wehrle,et al.  Towards viable certificate-based authentication for the internet of things , 2013, HotWiSec '13.

[23]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[24]  William E. Burr,et al.  Recommendation for Key Management, Part 1: General (Revision 3) , 2006 .

[25]  Jorge Sá Silva,et al.  Application-Layer Security for the WoT: Extending CoAP to Support End-to-End Message Security for Internet-Integrated Sensing Applications , 2013, WWIC.

[26]  Behcet Sarikaya,et al.  Secure IoT Bootstrapping: A Survey , 2020 .

[27]  Carsten Bormann,et al.  The Constrained Application Protocol (CoAP) , 2014, RFC.

[28]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[29]  Chiara Petrioli,et al.  Security as a CoAP resource: An optimized DTLS implementation for the IoT , 2015, 2015 IEEE International Conference on Communications (ICC).

[30]  Alexandros Krontiris,et al.  Evaluation of Certificate Enrollment over Application Layer Security , 2018 .

[31]  John Mattsson,et al.  Requirements for a Lightweight AKE for OSCORE , 2019 .

[32]  Bernard Tourancheau,et al.  Securing Complex IoT Platforms with Token Based Access Control and Authenticated Key Establishment , 2017, 2017 International Workshop on Secure Internet of Things (SIoT).

[33]  Francesca Palombini,et al.  Comparison of CoAP Security Protocols , 2020 .

[34]  Óscar García-Morchón,et al.  Securing the IP-based internet of things with HIP and DTLS , 2013, WiSec '13.

[35]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[36]  Adam Dunkels,et al.  Cross-Level Sensor Network Simulation with COOJA , 2006, Proceedings. 2006 31st IEEE Conference on Local Computer Networks.

[37]  Jim Schaad,et al.  CBOR Object Signing and Encryption (COSE) , 2017, RFC.

[38]  Thiemo Voigt,et al.  Lithe: Lightweight Secure CoAP for the Internet of Things , 2013, IEEE Sensors Journal.

[39]  David A. McGrew,et al.  An Interface and Algorithms for Authenticated Encryption , 2008, RFC.

[40]  Antonio F. Gómez-Skarmeta,et al.  Protecting personal data in IoT platform scenarios through encryption-based selective disclosure , 2018, Comput. Commun..

[41]  Namhi Kang,et al.  Lightweight secure communication for CoAP-enabled Internet of Things using delegated DTLS handshake , 2014, 2014 International Conference on Information and Communication Technology Convergence (ICTC).

[42]  Eric Rescorla,et al.  The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 , 2020, RFC.

[43]  Margaret Salter,et al.  Fundamental Elliptic Curve Cryptography Algorithms , 2011, RFC.

[44]  Francesca Palombini,et al.  Requirements for CoAP End-To-End Security , 2017 .

[45]  Carsten Bormann,et al.  CoRE Resource Directory , 2019 .

[46]  Francesca Palombini,et al.  Ephemeral Diffie-Hellman Over COSE (EDHOC) , 2019 .

[47]  Simon Josefsson,et al.  Edwards-Curve Digital Signature Algorithm (EdDSA) , 2017, RFC.

[48]  Adam Dunkels,et al.  The ContikiMAC Radio Duty Cycling Protocol , 2011 .

[49]  Paul E. Hoffman,et al.  Concise Binary Object Representation (CBOR) , 2020, RFC.