
A Comprehensive and Lightweight Security Architecture to Secure the IoT Throughout the Lifecycle of a Device Based on HIMMO

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 9536))

Abstract

Smart objects are devices with computational and communication capabilities connected to the Internet, forming the so-called Internet of Things (IoT). The IoT enables many applications, for instance outdoor lighting control, smart energy and water management, or environmental sensing in a smart city environment. Security in such scenarios remains an open challenge, due to the resource-constrained nature of devices and networks and to the multiple ways in which opponents can attack the system during the lifecycle of a smart object. This paper first reviews security and operational goals in an IoT scenario inspired by a smart city environment. Then, we present a comprehensive and lightweight security architecture to secure the IoT throughout the lifecycle of a device. Our solution relies on the lightweight HIMMO scheme – a novel key pre-distribution scheme that is both collusion resistant and efficient – as the building block that enables not only resource-efficient but also advanced and scalable IoT protocols and architectures. Our design and analysis show that our HIMMO-based security architecture can be easily integrated in existing communication protocols such as IEEE 802.15.4 or OMA LWM2M, and that it provides a number of advantages, both in performance and in operation, that existing solutions cannot.


References

  1. Pepper, R.: The Internet of Things is Now: M2M Devices Forecast 2013–2018. IIC Annual Conference (2014). http://www.iicom.org

  2. García-Morchón, O., Gómez-Pérez, D., Gutiérrez, J., Rietman, R., Schoenmakers, B., Tolhuizen, L.: HIMMO - A Lightweight, Fully Collusion Resistant Key-Predistribution Scheme. Cryptology ePrint Archive, Report 2014/698 (2014). http://eprint.iacr.org/

  3. Sanchez, L., Galache, J.A., Gutierrez, V., Hernández, J.M., Bernat, J., Gluhak, A., García, T.: SmartSantander: the meeting point between future internet research and experimentation and the smart cities. In: Future Network & Mobile Summit (FutureNetw), pp. 1–8. IEEE (2011)

  4. Garcia-Morchon, O., Kumar, S., Keoh, S., Hummen, R., Struik, R.: Security considerations in the IP-based Internet of Things. Internet-Draft draft-garcia-core-security-06, IETF Secretariat, September 2013. http://www.ietf.org/internet-drafts/draft-garcia-core-security-06.txt

  5. Kushalnagar, N., Montenegro, G., Schumacher, C.: IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals. RFC 4919 (Informational), August 2007

  6. IEEE Computer Society: IEEE Standard for Local and metropolitan area networks - Part 15.4 2011 revision: Low-Rate Wireless Personal Area Networks (LR-WPANs), September 2011

  7. Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP). RFC 7252 (Proposed Standard), June 2014

  8. Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347 (Proposed Standard), January 2012

  9. Prins, J.R., Business Unit Cybercrime: DigiNotar Certificate Authority breach: Operation Black Tulip (2011)

  10. Matsumoto, T., Imai, H.: On the key predistribution system: a practical solution to the key distribution problem. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 185–193. Springer, Heidelberg (1988)

  11. Garcia-Morchon, O., Rietman, R., Sharma, S., Tolhuizen, L., Torre-Arce, J.L.: DTLS-HIMMO: Efficiently Securing a Post-Quantum World with a Fully-Collusion Resistant KPS. Accepted for publication at ESORICS (2015). https://eprint.iacr.org/2014/1008

  12. Kumar, S., Keoh, S., Garcia-Morchon, O.: DTLS Relay for Constrained Environments. Internet-Draft draft-kumar-dice-dtls-relay-02, IETF Secretariat, October 2014. http://www.ietf.org/internet-drafts/draft-kumar-dice-dtls-relay-02.txt

  13. Garcia-Morchon, O., Kuptsov, D., Gurtov, A., Wehrle, K.: Cooperative security in distributed networks. Comput. Commun. J. 36, 1284–1297 (2013)

  14. Blundo, C., de Santis, A., Herzberg, A., Kutten, S., Vaccaro, U., Yung, M.: Perfectly secure key distribution for dynamic conferences. Inf. Comput. 146, 1–23 (1998)

  15. Garcia-Morchon, O., Tolhuizen, L., Gomez, D., Gutierrez, J.: Towards full collusion resistant ID-based establishment of pairwise keys. In: Extended Abstracts of the Third Workshop on Mathematical Cryptology (WMC 2012) and The Third International Conference on Symbolic Computation and Cryptography (SCC 2012), pp. 30–36 (2012)

  16. García-Morchón, O., Gómez-Pérez, D., Gutiérrez, J., Rietman, R., Tolhuizen, L.: The MMO problem. In: Proceedings of ISSAC 2014, pp. 186–193. ACM (2014)

  17. García-Morchon, O., Rietman, R., Shparlinski, I.E., Tolhuizen, L.: Interpolation and approximation of polynomials in finite fields over a short interval from noisy values. Exp. Math. 23, 241–260 (2014)


Author information

Corresponding author: Oscar Garcia-Morchon


A HIMMO

HIMMO is a Key Pre-Distribution Scheme (KPS), a concept introduced by Matsumoto and Imai in 1987 [10]. Blundo et al. [14] present an elegant and efficient KPS based on symmetric polynomials. However, their KPS is prone to collusion attacks: if an attacker has compromised \(\alpha +1\) nodes, where \(\alpha \) is the degree of the polynomial in any variable, then he can crack the complete system by using simple (Lagrange) interpolation. Until the HIMMO scheme recently solved this problem, no KPS was known that is both efficient and not prone to efficient attacks by multiple colluding (or compromised) nodes (see [2] for further references). This section reviews the operation of the HIMMO scheme, which enables any pair of devices in a system to directly agree on a common symmetric key based on their identifiers and a secret key generating polynomial, as introduced in [15]. Like Blundo’s scheme, HIMMO is based on symmetric polynomials, but it introduces new features that make simple interpolation attacks by colluding nodes infeasible. The underlying security principles on which HIMMO relies have been analyzed in [16, 17]. Furthermore, this section describes two protocol extensions of the HIMMO scheme, as described in [2].

We use the following notation: for each integer x and positive integer M, we denote by \(\langle x \rangle _M\) the unique integer \(y\in \{0,1,\ldots ,M-1\}\) such that \(x\equiv y \pmod M\).

A.1 HIMMO Operation

Like any KPS, HIMMO requires a TTP, and three phases can be distinguished in its operation [10].

In the setup phase, the TTP selects positive integers B, b, m and \(\alpha \), where \(m\ge 2\). The number B is the bit length of the identifiers that will be used in the system, while b denotes the bit length of the keys that will be generated. The TTP generates the public modulus N, an odd number of length exactly \((\alpha +1)B+b\) bits (so \(2^{(\alpha +1)B+b-1} < N < 2^{(\alpha +1)B+b}\)). It also randomly generates m distinct secret moduli \(q_1,\ldots ,q_m\) of the form \(q_i=N-2^b\beta _i\), where \(0\le \beta _i <2^B\) and at least one of \(\beta _1,\ldots , \beta _m\) is odd. Finally, the TTP generates the secret root keying material, which consists of the coefficients of m bi-variate symmetric polynomials of degree at most \(\alpha \) in each variable. For \(1\le i\le m\), the i-th root keying polynomial \(R^{(i)}(x,y)\) is written as

$$\begin{aligned} R^{(i)}(x,y) = \sum _{j=0}^{\alpha } \sum _{k=0}^{\alpha } R_{j,k}^{(i)} x^jy^k \end{aligned}$$
$$\begin{aligned} \text{ with } 0\le R_{j,k}^{(i)}=R_{k,j}^{(i)} \le q_i -1 . \end{aligned}$$

In the keying material extraction phase, the TTP provides each node \(\xi \) in the system, with \(0\le \xi < 2^B\), the coefficients of the key generating polynomial \(G_\xi \):

$$\begin{aligned} G_{\xi }(y) = \sum _{k=0}^{\alpha } G_{\xi ,k} y^k \end{aligned} \tag{1}$$

where

$$\begin{aligned} G_{\xi ,k} = \Bigl \langle \sum _{i=1}^m \Bigl \langle \sum _{j=0}^{\alpha } R_{j,k}^{(i)} \xi ^j \Bigr \rangle _{q_i} \Bigr \rangle _{N}. \end{aligned} \tag{2}$$

In the key generation phase, a node \(\xi \) wishing to communicate with node \(\eta \) with \(0\le \eta < 2^B\), computes:

$$\begin{aligned} K_{\xi ,\eta } = \bigl \langle \langle G_\xi (\eta ) \rangle _N \bigr \rangle _{2^b} \end{aligned} \tag{3}$$

It can be shown that \(K_{\xi ,\eta }\) and \(K_{\eta ,\xi }\) need not be equal. However, as shown in Theorem 1 in [2], for all identifiers \(\xi \) and \(\eta \) with \(0\le \xi ,\eta \le 2^B\),

$$ K_{\xi ,\eta } \in \{ \langle K_{\eta ,\xi } + j N\rangle _{2^b} \mid 0\le |j| \le 2m \}. $$

In order to perform key reconciliation, i.e. to make sure that \(\xi \) and \(\eta \) use the same key to protect their future communications, the initiator of the key generation (say node \(\xi \)) sends to the other node, simultaneously with an encrypted message, information on \(K_{\xi ,\eta }\) that enables node \(\eta \) to select \(K_{\xi ,\eta }\) from the candidate set \(C=\{\langle K_{\eta ,\xi }+jN\rangle _{2^b} \mid 0 \le |j|\le 2m \}\). Thus no additional communication is required for key reconciliation. The key \(K_{\xi ,\eta }\) will be used for securing future communication between \(\xi \) and \(\eta \). As an example of helper data used for key reconciliation, node \(\xi \) sends to node \(\eta \) the number \(\sigma _{\xi ,\eta }=\langle K_{\xi ,\eta }\rangle _{2^s}\), where \(s=\lceil \log _2 (4m+1)\rceil \). Node \(\eta \) can efficiently obtain the integer j such that \(|j|\le 2m \) and \(K_{\xi ,\eta }\equiv K_{\eta ,\xi } + jN \pmod {2^b}\) by using that \(jN\equiv K_{\xi ,\eta }-K_{\eta ,\xi }\equiv \sigma _{\xi , \eta } -K_{\eta ,\xi } \pmod {2^s}\). As N is odd, the latter equation determines j. As \(\sigma _{\xi , \eta }\) reveals the s least significant bits of \(K_{\xi ,\eta }\), only the \(b-s\) most significant bits of \(K_{\xi ,\eta }\), that is, the number \(\lfloor 2^{-s} K_{\xi ,\eta }\rfloor \), should be used as key.

A.2 Implicit Certification and Verification of Credentials

Implicit certification and verification of credentials is further enabled on top of the basic HIMMO scheme. A node that wants to register with the system provides the TTP with its credentials, e.g., device type, manufacturing date, etc. The TTP, which can also add further information to the node’s credentials such as a unique node identifier or the issue date of the keying material and its expiration date, obtains the node’s identity as \(\xi = H(credentials)\), where H is a public hash function. When a first node with identity \(\xi \) wants to securely send a message M to a second node with identity \(\eta \), the following steps are taken.

  • Step 1: Node \(\xi \) computes a common key \(K_{\xi ,\eta }\) with node \(\eta \). It uses the computed common key to encrypt and authenticate its credentials and message M, say \(e = E_{K_{\xi ,\eta }}(\textit{credentials}|M)\).

  • Step 2: Node \(\xi \) sends \((\xi , e,\sigma _{\xi ,\eta })\) to node \(\eta \), where \(\sigma _{\xi ,\eta }\) is helper data helping node \(\eta \) to find \(K_{\xi ,\eta }\).

  • Step 3: Node \(\eta \) receives \((\xi ',e',\sigma _{\xi ,\eta }')\). Using \(\sigma _{\xi ,\eta }'\), it computes its common key \(K_{\eta ,\xi '}\) with \(\xi '\) and decrypts \(e'\), obtaining the message M and verifying the authenticity of the received message. Furthermore, it checks whether the \(credentials'\) in \(e'\) correspond with \(\xi '\), that is, it validates whether \(\xi '=H(credentials')\).

This method not only allows for direct secure communication of message M, but also for implicit certification and verification of \(\xi \)’s credentials, because the key generating polynomial assigned to a node is linked to its credentials by means of H. If the output of H is long enough (e.g., 256 bits), the input (i.e., the credentials) contains a unique node identifier, and H is a secure one-way hash function, then it is infeasible for an attacker to find any other set of credentials leading to the same identity \(\xi \). The fact that credential verification might be prone to birthday attacks motivates the choice of the relation between identifier and key sizes, namely \(B=2b\). In this way, the scheme provides an equivalent security level for credential verification and key generation. The capability for credential verification enables, e.g., the verification of the expiration date of the credentials (and the keying material) of a node, or verification of the access roles of the sender node \(\xi \).

A.3 Enhancing Privacy by Using Multiple TTPs

Using multiple TTPs was introduced by Matsumoto and Imai [10] for KPS and can also be elegantly supported by HIMMO [2]. In this scheme, a number of TTPs provide a node with keying materials linked to the node’s identifier during the keying material extraction phase. Upon reception, the device combines the different keying materials by adding the coefficients of the key generating polynomials modulo N. Key generation is performed as usual. This scheme enjoys two interesting properties without increasing the resource requirements of the nodes. First, privacy is enhanced, since a single TTP cannot eavesdrop on the communication links; in fact, all TTPs would have to collude to monitor them. Secondly, compromising a subset of the TTPs does not break the overall system.
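The following walkthrough is an added example, not code from the paper or from the HIMMO project. It models the three phases of A.1 (setup, keying material extraction per eq. (2), key generation per eq. (3)) together with the helper-data reconciliation of A.1, derives node identities as \(\xi = H(credentials)\) as in A.2, and lets a node add the key generating polynomials of two TTPs modulo N as in A.3. Everything concrete in it is an assumption made for illustration: the toy parameters (B = 32, b = 16, m = 2, \(\alpha = 2\)), the seeded pseudo-random generator standing in for the TTP's randomness, SHA-256 truncated to B bits as H, the assumption that all TTPs share the public modulus N, and an HMAC tag standing in for the encrypt-and-authenticate operation \(E_K\) of A.2 (a deployment would use an AEAD).

```python
# Added example (not the paper's code): toy walkthrough of Appendix A.1-A.3.
# Constructed parameters and a seeded PRNG give NO security; illustration only.
import hashlib
import hmac
import math
import random

# Toy parameters in the paper's notation: identifier bits B, key bits b
# (B = 2b as in A.2), secret moduli per TTP M, degree alpha. Constructed.
B, b, M, ALPHA = 32, 16, 2, 2


def public_modulus(rng):
    """Odd N of exactly (alpha+1)B + b bits; assumed shared by all TTPs."""
    bits = (ALPHA + 1) * B + b
    return (1 << (bits - 1)) | rng.getrandbits(bits - 1) | 1


def ttp_setup(rng, N):
    """Setup phase of one TTP: M distinct secret moduli q_i = N - 2^b*beta_i
    (at least one beta_i odd) and M symmetric root polynomials R^(i)(x, y)
    with coefficients R_{j,k} = R_{k,j} in [0, q_i - 1]."""
    while True:
        betas = rng.sample(range(1 << B), M)
        if any(beta & 1 for beta in betas):
            break
    moduli, roots = [], []
    for beta in betas:
        q = N - (beta << b)
        R = [[0] * (ALPHA + 1) for _ in range(ALPHA + 1)]
        for j in range(ALPHA + 1):
            for k in range(j, ALPHA + 1):
                R[j][k] = R[k][j] = rng.randrange(q)
        moduli.append(q)
        roots.append(R)
    return moduli, roots


def extract(N, moduli, roots, xi):
    """Keying material extraction, eq. (2): coefficients G_{xi,k}, k=0..alpha."""
    return [sum(sum(R[j][k] * xi ** j for j in range(ALPHA + 1)) % q
                for q, R in zip(moduli, roots)) % N
            for k in range(ALPHA + 1)]


def combine(N, materials):
    """A.3: the node adds the polynomials it received from several TTPs
    coefficient-wise modulo N; the result behaves like one TTP with all moduli."""
    return [sum(coeffs) % N for coeffs in zip(*materials)]


def raw_key(N, G, eta):
    """Key generation, eq. (3): K_{xi,eta} = <<G_xi(eta)>_N>_{2^b}."""
    return (sum(c * eta ** k for k, c in enumerate(G)) % N) % (1 << b)


def helper_bits(total_m):
    """s = ceil(log2(4m+1)), m being the total number of secret moduli."""
    return math.ceil(math.log2(4 * total_m + 1))


def reconcile(N, K_own, sigma, total_m):
    """Receiver side of A.1: from its own K_{eta,xi} and sigma = <K_{xi,eta}>_{2^s}
    recover j (|j| <= 2m by Theorem 1; unique mod 2^s because N is odd)."""
    s = helper_bits(total_m)
    j = ((sigma - K_own) * pow(N, -1, 1 << s)) % (1 << s)
    if j > 2 * total_m:
        j -= 1 << s                       # map into the signed range
    if abs(j) > 2 * total_m:
        raise ValueError("no candidate with |j| <= 2m")
    return (K_own + j * N) % (1 << b)


def session_key(K, total_m):
    """Drop the s bits that sigma revealed; keep the b-s most significant."""
    return K >> helper_bits(total_m)


def identity(credentials):
    """A.2: xi = H(credentials); SHA-256 truncated to B bits in this toy."""
    return int.from_bytes(hashlib.sha256(credentials).digest(), "big") % (1 << B)


def demo(seed=1):
    """Two TTPs, two credential-derived nodes, one authenticated message."""
    rng = random.Random(seed)                 # reproducible, NOT cryptographic
    N = public_modulus(rng)
    ttps = [ttp_setup(rng, N), ttp_setup(rng, N)]
    total_m = M * len(ttps)
    cred_xi = b"type=streetlight;issued=2015-06;id=0001"    # constructed
    cred_eta = b"type=gateway;issued=2015-06;id=0002"       # constructed
    xi, eta = identity(cred_xi), identity(cred_eta)
    G_xi = combine(N, [extract(N, *t, xi) for t in ttps])
    G_eta = combine(N, [extract(N, *t, eta) for t in ttps])
    # Step 1/2 (xi): key, helper data sigma, and a tag over credentials|M.
    K_xe = raw_key(N, G_xi, eta)
    sigma = K_xe % (1 << helper_bits(total_m))
    msg, data = b"lamp:on", cred_xi + b"|" + b"lamp:on"
    tag = hmac.new(session_key(K_xe, total_m).to_bytes(2, "big"), data, "sha256").digest()
    # Step 3 (eta): reconcile, verify the tag, check xi == H(credentials).
    K_rec = reconcile(N, raw_key(N, G_eta, xi), sigma, total_m)
    expect = hmac.new(session_key(K_rec, total_m).to_bytes(2, "big"), data, "sha256").digest()
    return {"keys_agree": K_rec == K_xe,
            "tag_ok": hmac.compare_digest(tag, expect),
            "credentials_bound": identity(cred_xi) == xi, "msg": msg}


def agreement_rate(seed, pairs):
    """Fraction of random identifier pairs (single TTP) that reconcile."""
    rng = random.Random(seed)
    N = public_modulus(rng)
    moduli, roots = ttp_setup(rng, N)
    ok = 0
    for _ in range(pairs):
        xi, eta = rng.randrange(1 << B), rng.randrange(1 << B)
        K_xe = raw_key(N, extract(N, moduli, roots, xi), eta)
        sigma = K_xe % (1 << helper_bits(M))
        ok += reconcile(N, raw_key(N, extract(N, moduli, roots, eta), xi), sigma, M) == K_xe
    return ok / pairs
```

Note that with two TTPs of m = 2 moduli each the combined material behaves like one TTP with m = 4, so the receiver must size s (and the candidate range |j| ≤ 2m) from the total number of moduli, not from a single TTP's m; `reconcile` therefore takes that total as a parameter. Theorem 1 of [2] is what makes the single-inversion reconciliation valid, and `agreement_rate` exercises it over many random identifier pairs.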


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Garcia-Morchon, O., Rietman, R., Sharma, S., Tolhuizen, L., Torre-Arce, J.L. (2015). A Comprehensive and Lightweight Security Architecture to Secure the IoT Throughout the Lifecycle of a Device Based on HIMMO. In: Bose, P., Gąsieniec, L., Römer, K., Wattenhofer, R. (eds) Algorithms for Sensor Systems. ALGOSENSORS 2015. Lecture Notes in Computer Science(), vol 9536. Springer, Cham. https://doi.org/10.1007/978-3-319-28472-9_9


  • DOI: https://doi.org/10.1007/978-3-319-28472-9_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28471-2

  • Online ISBN: 978-3-319-28472-9
