Abstract
It is crucial to ensure the security and privacy of communications in Internet of Things (IoT) scenarios that process an increasingly large amount of sensitive data. In this context, we propose a cryptographic enforcement mechanism of access control policies to guarantee the confidentiality and integrity of messages exchanged with the MQTT protocol in presence of external attackers, malicious insiders and “honest-but-curious” service providers. A preliminary performance evaluation with a prototype implementation in an open-source tool shows the overhead is acceptable in relevant use case scenarios and provides a higher level of security with respect to other approaches.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
An extended version of this work with more details on the CAC scheme is at https://st.fbk.eu/complementary/assets/DBSEC2022/DBSEC2022_Extended.pdf.
- 4.
- 5.
- 6.
- 7.
- 8.
The code is freely available at https://github.com/stfbk/CryptoAC.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
Increasing the number of clients would only assess the scalability of the MQTT broker since the encryption/decryption are performed client-side.
- 21.
- 22.
- 23.
- 24.
References
Ahmad, T., Morelli, U., Ranise, S.: Deploying access control enforcement for IoT in the cloud-edge continuum with the help of the CAP theorem. In: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, pp. 213–220. ACM (2020)
Ahmad, T., Morelli, U., Ranise, S., Zannone, N.: A lazy approach to access control as a service (ACaaS) for IoT: an AWS case study. In: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, SACMAT 2018, pp. 235–246. Association for Computing Machinery, New York (2018)
Ahmad, T., Morelli, U., Ranise, S., Zannone, N.: Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system. Int. J. Inf. Secur. 21(2), 379–408 (2021)
Armando, A., Grasso, M., Oudkerk, S., Ranise, S., Wrona, K.: Content-based information protection and release in NATO operations. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies - SACMAT 2013, p. 261. ACM Press (2013)
Armando, A., Oudkerk, S., Ranise, S., Wrona, K.: Formal modelling of content-based protection and release for access control in NATO operations. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS-2013. LNCS, vol. 8352, pp. 227–244. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05302-8_14
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)
Berlato, S., Carbone, R., Lee, A.J., Ranise, S.: Formal modelling and automated trade-off analysis of enforcement architectures for cryptographic access control in the cloud. ACM Trans. Priv. Secur. 25(1), 1–37 (2021)
Calabretta, M., Pecori, R., Veltri, L.: A token-based protocol for securing MQTT communications. In: 2018 26th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1–6. IEEE (2018)
Colombo, P., Ferrari, E.: Access control enforcement within MQTT-based internet of things ecosystems. In: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223–234. ACM (2018)
Djoko, J.B., Lange, J., Lee, A.J.: NeXUS: practical and secure access control on untrusted storage platforms using client-side SGX. In: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 401–413. IEEE (2019)
Elemam, E., Bahaa-Eldin, A.M., Shaker, N.H., Sobh, M.A.: A secure MQTT protocol, telemedicine IoT case study. In: 2019 14th International Conference on Computer Engineering and Systems (ICCES), pp. 99–105. IEEE (2019)
Garrison, W.C., Shull, A., Myers, S., Lee, A.J.: On the practicality of cryptographically enforcing dynamic access control policies in the cloud. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 819–838 (2016)
Heer, T., Garcia-Morchon, O., Hummen, R., Keoh, S.L., Kumar, S.S., Wehrle, K.: Security challenges in the IP-based internet of things. Wirel. Pers. Commun. 61(3), 527–542 (2011)
Kurnikov, A., Paverd, A., Mannan, M., Asokan, N.: Keys in the clouds: auditable multi-device access to cryptographic credentials. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1–10. ACM (2018)
Malina, L., Srivastava, G., Dzurenda, P., Hajny, J., Fujdiak, R.: A secure publish/subscribe protocol for internet of things. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10. ACM (2019)
Palmieri, A., Prem, P., Ranise, S., Morelli, U., Ahmad, T.: MQTTSA: a tool for automatically assisting the secure deployments of MQTT brokers. In: 2019 IEEE World Congress on Services (SERVICES), vol. 2642–939X, pp. 47–53 (2019)
Samarati, P., de Vimercati, S.C.: Access control: policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45608-2_3
Sanjuan, E.B., Cardiel, I.A., Cerrada, J.A., Cerrada, C.: Message queuing telemetry transport (MQTT) security: a cryptographic smart card approach. IEEE Access 8, 115051–115062 (2020)
Segarra, C., Delgado-Gonzalo, R., Schiavoni, V.: MQT-TZ: hardening IoT brokers using ARM TrustZone: (practical experience report). In: 2020 International Symposium on Reliable Distributed Systems (SRDS), pp. 256–265. IEEE (2020)
Zeadally, S., Das, A.K., Sklavos, N.: Cryptographic technologies and protocol standards for internet of things. Internet Things 14, 100075 (2019)
Acknowledgements
This work has been partially supported by “Futuro & Conoscenza Srl”, jointly created by the FBK and the Italian National Mint and Printing House (IPZS), Italy.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Pseudocode of the Cryptographic Access Control Scheme
A Pseudocode of the Cryptographic Access Control Scheme
Rights and permissions
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Berlato, S., Morelli, U., Carbone, R., Ranise, S. (2022). End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-031-10684-2_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10683-5
Online ISBN: 978-3-031-10684-2
eBook Packages: Computer ScienceComputer Science (R0)