Skip to main content
SpringerLink
Log in

End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies

  • Conference paper
  • First Online:
Data and Applications Security and Privacy XXXVI (DBSec 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13383))

Included in the following conference series:

  • 587 Accesses

Abstract

It is crucial to ensure the security and privacy of communications in Internet of Things (IoT) scenarios that process an increasingly large amount of sensitive data. In this context, we propose a cryptographic enforcement mechanism of access control policies to guarantee the confidentiality and integrity of messages exchanged with the MQTT protocol in presence of external attackers, malicious insiders and “honest-but-curious” service providers. A preliminary performance evaluation with a prototype implementation in an open-source tool shows the overhead is acceptable in relevant use case scenarios and provides a higher level of security with respect to other approaches.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://outreach.eclipse.foundation/iot-edge-developer-2021.

  2. 2.

    https://github.com/stfbk/CryptoAC.

  3. 3.

    An extended version of this work with more details on the CAC scheme is at https://st.fbk.eu/complementary/assets/DBSEC2022/DBSEC2022_Extended.pdf.

  4. 4.

    https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake/.

  5. 5.

    https://www.iso.org/standard/69466.html.

  6. 6.

    https://mosquitto.org/.

  7. 7.

    https://www.amqp.org/.

  8. 8.

    The code is freely available at https://github.com/stfbk/CryptoAC.

  9. 9.

    https://kotlinlang.org/docs/multiplatform.html.

  10. 10.

    https://www.jetbrains.com/lp/devecosystem-2019/.

  11. 11.

    https://outreach.eclipse.foundation/iot-edge-developer-2021.

  12. 12.

    https://libsodium.gitbook.io/doc/.

  13. 13.

    https://www.privateinternetaccess.com/blog/libsodium-audit-results/.

  14. 14.

    https://github.com/ionspin/kotlin-multiplatform-libsodium.

  15. 15.

    https://www.nist.gov/news-events/news/2018/04/nist-issues-first-call-lightweight-cryptography-protect-small-electronics.

  16. 16.

    https://www.eclipse.org/paho/.

  17. 17.

    https://owasp.org/www-community/OWASP_Validation_Regex_Repository.

  18. 18.

    https://mosquitto.org/.

  19. 19.

    https://redis.io/.

  20. 20.

    Increasing the number of clients would only assess the scalability of the MQTT broker since the encryption/decryption are performed client-side.

  21. 21.

    https://mosquitto.org/man/mosquitto_sub-1.html.

  22. 22.

    https://mosquitto.org/man/mosquitto_pub-1.html.

  23. 23.

    https://st.fbk.eu/complementary/assets/DBSEC2022/experimental_results.xlsx.

  24. 24.

    https://ark.intel.com/content/www/us/en/ark/products/65730/intel-xeon-processor-e31240-v2-8m-cache-3-40-ghz.html.

References

  1. Ahmad, T., Morelli, U., Ranise, S.: Deploying access control enforcement for IoT in the cloud-edge continuum with the help of the CAP theorem. In: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, pp. 213–220. ACM (2020)

    Google Scholar 

  2. Ahmad, T., Morelli, U., Ranise, S., Zannone, N.: A lazy approach to access control as a service (ACaaS) for IoT: an AWS case study. In: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, SACMAT 2018, pp. 235–246. Association for Computing Machinery, New York (2018)

    Google Scholar 

  3. Ahmad, T., Morelli, U., Ranise, S., Zannone, N.: Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system. Int. J. Inf. Secur. 21(2), 379–408 (2021)

    Article  Google Scholar 

  4. Armando, A., Grasso, M., Oudkerk, S., Ranise, S., Wrona, K.: Content-based information protection and release in NATO operations. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies - SACMAT 2013, p. 261. ACM Press (2013)

    Google Scholar 

  5. Armando, A., Oudkerk, S., Ranise, S., Wrona, K.: Formal modelling of content-based protection and release for access control in NATO operations. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS-2013. LNCS, vol. 8352, pp. 227–244. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05302-8_14

    Chapter  Google Scholar 

  6. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)

    Article  MathSciNet  Google Scholar 

  7. Berlato, S., Carbone, R., Lee, A.J., Ranise, S.: Formal modelling and automated trade-off analysis of enforcement architectures for cryptographic access control in the cloud. ACM Trans. Priv. Secur. 25(1), 1–37 (2021)

    Article  Google Scholar 

  8. Calabretta, M., Pecori, R., Veltri, L.: A token-based protocol for securing MQTT communications. In: 2018 26th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1–6. IEEE (2018)

    Google Scholar 

  9. Colombo, P., Ferrari, E.: Access control enforcement within MQTT-based internet of things ecosystems. In: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223–234. ACM (2018)

    Google Scholar 

  10. Djoko, J.B., Lange, J., Lee, A.J.: NeXUS: practical and secure access control on untrusted storage platforms using client-side SGX. In: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 401–413. IEEE (2019)

    Google Scholar 

  11. Elemam, E., Bahaa-Eldin, A.M., Shaker, N.H., Sobh, M.A.: A secure MQTT protocol, telemedicine IoT case study. In: 2019 14th International Conference on Computer Engineering and Systems (ICCES), pp. 99–105. IEEE (2019)

    Google Scholar 

  12. Garrison, W.C., Shull, A., Myers, S., Lee, A.J.: On the practicality of cryptographically enforcing dynamic access control policies in the cloud. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 819–838 (2016)

    Google Scholar 

  13. Heer, T., Garcia-Morchon, O., Hummen, R., Keoh, S.L., Kumar, S.S., Wehrle, K.: Security challenges in the IP-based internet of things. Wirel. Pers. Commun. 61(3), 527–542 (2011)

    Article  Google Scholar 

  14. Kurnikov, A., Paverd, A., Mannan, M., Asokan, N.: Keys in the clouds: auditable multi-device access to cryptographic credentials. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–10. ACM (2018)

    Google Scholar 

  15. Malina, L., Srivastava, G., Dzurenda, P., Hajny, J., Fujdiak, R.: A secure publish/subscribe protocol for internet of things. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10. ACM (2019)

    Google Scholar 

  16. Palmieri, A., Prem, P., Ranise, S., Morelli, U., Ahmad, T.: MQTTSA: a tool for automatically assisting the secure deployments of MQTT brokers. In: 2019 IEEE World Congress on Services (SERVICES), vol. 2642–939X, pp. 47–53 (2019)

    Google Scholar 

  17. Samarati, P., de Vimercati, S.C.: Access control: policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45608-2_3

    Chapter  MATH  Google Scholar 

  18. Sanjuan, E.B., Cardiel, I.A., Cerrada, J.A., Cerrada, C.: Message queuing telemetry transport (MQTT) security: a cryptographic smart card approach. IEEE Access 8, 115051–115062 (2020)

    Article  Google Scholar 

  19. Segarra, C., Delgado-Gonzalo, R., Schiavoni, V.: MQT-TZ: hardening IoT brokers using ARM TrustZone: (practical experience report). In: 2020 International Symposium on Reliable Distributed Systems (SRDS), pp. 256–265. IEEE (2020)

    Google Scholar 

  20. Zeadally, S., Das, A.K., Sklavos, N.: Cryptographic technologies and protocol standards for internet of things. Internet Things 14, 100075 (2019)

    Article  Google Scholar 

Download references

Acknowledgements

This work has been partially supported by “Futuro & Conoscenza Srl”, jointly created by the FBK and the Italian National Mint and Printing House (IPZS), Italy.

Author information

Authors and Affiliations

  1. Department of Informatics, Bioengineering, Robotics and Systems Engineering, University of Genoa, Genoa, Italy

    Stefano Berlato

  2. Department of Mathematics, University of Trento, Trento, Italy

    Silvio Ranise

  3. Security and Trust Research Unit, Fondazione Bruno Kessler, Trento, Italy

    Stefano Berlato, Umberto Morelli, Roberto Carbone & Silvio Ranise

Authors
  1. Stefano Berlato
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Umberto Morelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Roberto Carbone
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Silvio Ranise
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Stefano Berlato .

Editor information

Editors and Affiliations

  1. Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, West Bengal, India

    Shamik Sural

  2. Department of Information Systems and Analytics, Santa Clara University, Santa Clara, CA, USA

    Haibing Lu

A Pseudocode of the Cryptographic Access Control Scheme

A Pseudocode of the Cryptographic Access Control Scheme

Fig. 2.
figure 2figure 2

Role-based Cryptographic Access Control for IoT Using MQTT

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Berlato, S., Morelli, U., Carbone, R., Ranise, S. (2022). End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-10684-2_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-10683-5

  • Online ISBN: 978-3-031-10684-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation