Architecture of security association establishment based on bootstrapping technologies for enabling secure IoT infrastructures

https://doi.org/10.1016/j.future.2019.01.038Get rights and content

Highlights

  • We design an extension of LO-CoAP-EAP to derive cryptographic material, which is employed at different layers to establish a security association between two endpoints.

  • We design and implement a process to establish the EDHOC credentials based on the use of PSK, RPK and certificates authentication modes.

  • We deploy our integration proposal based on LO-CoAP-EAP and EDHOC on real hardware devices, and compare with state-of-the-art protocols, such as PANA.

  • The evaluation results demonstrate the resulting approach is a feasible solution to be applied in IoT scenarios, in order to establish and refresh security associations between two endpoints.

Abstract

The next generation of IoT scenarios must consider security aspects as a first class component. As a core aspect, key management is crucial for the establishment of security associations between endpoints. According to it, in this work we propose a novel architecture of security association establishment based on bootstrapping technologies in order to manage the life-cycle of cryptographic keys in IoT. Based on our previous work, we propose a key derivation process by using a lightweight bootstrapping mechanism specifically designed for IoT. Then, the derived cryptographic material is used as an authentication credential of the EDHOC protocol, which represents a standardization effort for key agreement in IoT. EDHOC is an application layer alternative to the DTLS handshake, in order to provide end-to-end security properties even in the presence of intermediate entities, such as proxies. Evaluation results prove the feasibility of our approach, which represents one of the first efforts to consider application layer security approaches for the IoT.

Introduction

Security aspects represent an extremely limiting factor for the deployment of IoT solutions [1]. As a core aspect, key management embraces the activities to handle the entire lifecycle of cryptographic keys including their generation, storage and establishment [2]. Like in the current Internet, these cryptographic keys need to be employed by IoT endpoints to establish security associations for data protection. Indeed, in some cases such endpoints could manage particularly sensitive data (e.g., in eHealth scenarios [3]). Consequently, the lack of a suitable key management mechanism could harm users’ privacy, specially if these data are intended to be further analyzed or correlated [4] [5]. However, the realization of key management approaches for IoT must overcome scalability, flexibility and performance issues, specially in the case of resource-constrained devices. Furthermore, typical transport layer approaches (i.e., based on TLS [6]) are no able to provide end-to-end security in the presence of intermediate entities, such as proxies and brokers.

To mitigate this issue, recent standardization efforts are focused on the application layer security into IoT constrained scenarios. In particular, the Ephemeral Diffie–Hellman Over COSE (EDHOC) [7] represents an authenticated and lightweight application-layer key management approach that provides perfect forward secrecy (PFS) [8]. EDHOC represents an ongoing initiative that is being evolved within the scope of the Authentication and Authorization for Constrained Environments (ACE) WG1 of the IETF. The approach is based on the use of CBOR Object Signing and Encryption (COSE) [9], which is a compacted evolution of JSON Object Signing and Encryption (JOSE) [10], so that message overhead is reduced. EDHOC provides a high level of flexibility by enabling different authentication modes: pre-shared key (PSK), raw public key (RPK) and certificates. However, according to EDHOC specification, authentication credentials are previously established by out-of-band mechanisms, so it does not define any concrete approach to address this aspect.

This work aims to fill this gap through the integration with bootstrapping technologies, so that EDHOC authentication credentials are derived from the cryptographic material generated by the bootstrapping process. In the context of IoT, the bootstrapping is usually referred as the initial process by which a device securely joins a network [11]. In particular, we consider the integration with LO-CoAP-EAP [12], which provides a lightweight bootstrapping service that is specifically designed for IoT. LO-CoAP-EAP makes use of the Constrained Application Protocol (CoAP) [13] to transport Extensible Authentication Protocol (EAP) messages [14]. Consequently, it leverages the use of Authentication, Authorization and Accounting (AAA) infrastructures [15] for scalability reasons, while CoAP provides a more lightweight approach as a EAP lower layer protocol compared to well-known protocols, such as the Protocol for carrying Authentication for Network Access (PANA) [16]. Indeed, it should be noted that LO-CoAP-EAP is derived from CoAP-EAP [17], which represents an ongoing standardization effort. Based on the integration between LO-CoAP-EAP and EDHOC, the main contributions of this paper are:

  • Design and implementation of an extension for the LO-CoAP-EAP protocol that enables to establish EDHOC credentials based on the use of PSK, RPK or certificates authentication modes.

  • Deployment of the integration of LO-CoAP-EAP and EDHOC on real IoT devices.

  • Performance evaluation of the proposed approach by considering different practical aspects, such as message size, runtime, number of hops between the endpoints and link loss ratio.

  • Comparison of our proposal by considering another state-of-the-art bootstrapping protocol, specifically, PANA.

  • Integration of the proposed approach’s components into a Smart Building scenario.

The remainder of the paper is organized as follows. Section 2 describes existing proposals related to the establishment of security associations in IoT scenarios. Then, Section 3 presents EDHOC and LO-CoAP-EAP as the main building blocks of our work. Section 4 describes the proposed architecture, as well as the associated design considerations. Section 5 provides a detailed description of the proposed approach, which is instantiated in a smart building scenario in Section 6. Then, an evaluation of our proposal is given in Section 7. Finally, Section 8 concludes the paper with an outlook of our future work in this area.

Section snippets

Related work

During last years, security issues have been widely considered as the main obstacle for the adoption of IoT-enabled services. Indeed, the development of such services still has to cope with security challenges related to authentication, authorization, access control, confidentiality or privacy aspects [18], [19]. Furthermore, the IoT ecosystem is being currently enhanced through the integration of emerging technologies, such as 5G, which is intended to address the demanding communication

Preliminaries

As already mentioned, our proposal is based on the integration of LO-CoAP-EAP and EDHOC. Consequently, this section aims to provide an overview of both technologies.

Security associations establishment

As already described, we consider EDHOC for establishment of end-to-end security associations (SAs) between two IoT endpoints. However, such protocol does not specify how these entities establish the required credentials for their authentication, that is, the pre-shared key, public keys or certificates. According to it, we propose the usage of LO-CoAP EAP as a bootstrapping protocol to establish such credentials.

Interactions description

By considering the proposed architecture, in this section we describe the interactions defined in our proposal between the Smart Object and the Controller in order to establish a security association.

IoT use case: Building Automation

Building Automation (BA) is a useful environment to show the importance of the proposed security architecture. In this environment, Smart Objects are deployed to collect critical building information that must be transmitted to allow data-driven applications to perform automatic operations for energy efficiency, security alarms or access control aspects. With the integration of IoT technologies, BA is achieving a broader dimension through the so-called Industrial IoT (IIoT) [61], in which

Evaluation results

In this section, we provide a performance analysis of our proposal by comparing different configurations for each phase, that is, the Bootstrapping, the Credential Establishment and the SA Establishment. Furthermore, we also analyze certain security properties related to the protocols integrating our solution, that is, LO-CoAP-EAP and EDHOC.

Conclusions and future work

Key management represents a crucial aspect to build more secure IoT-enabled scenarios. According to it, this work proposed an integrative approach to manage the life-cycle of cryptographic material, which is employed to establish security associations between a Smart Object and the Controller that manages the access to a certain IoT security domain. In particular, we proposed the integration of the LO-CoAP-EAP bootstrapping protocol as an enabler of the EDHOC protocol, by considering different

Acknowledgments

This work has been partially funded by the H2020 EU ANASTACIA project (731558), the H2020 SerIoT project (780139), and the H2020 EU Plug-n-Harvest project (768735), also in part by the ODIN Solutions S.L. (DI-16-08432), CHIST-ERA PCIN-2016-010, and PEANA UNMU13-2E-2536 (FEDER ).

Salvador Pérez ( [email protected]) received the B.Sc degree in Computer Science in 2013 and the Ms.C degree in New Technologies in Computer Science in 2015 from the University of Murcia, Spain. He is currently working towards the Ph.D. degree and as a researcher at the same university in the Department of Information and Communications Engineering. His main research interests are focused on defining data-centric security approaches to be deployed in IoT scenarios.

References (70)

  • KrawczykH.

    Perfect forward secrecy

  • SchaadJ.

    Cbor object signing and encryption (cose)

    Tech. rep.

    (2017)
  • BarnesR.

    Use cases and requirements for JSON object signing and en- cryption (JOSE)

    Tech. rep.

    (2014)
  • O. Garcia-Morchon, S. Kumar, M. Sethi, State-of-the-Art and Challenges for the Internet of Things Security,...
  • D. Garcia-Carrillo, R. Marin-Lopez, A. Kandasamy, A. Pelov, A coap-based network access authentication service for...
  • ShelbyZ. et al.

    The constrained application protocol (coap)

  • D. Simon, D.B.D.A. Ph.D., P. Eronen, Extensible Authentication Protocol (EAP) Key Management Framework, RFC 5247 (Aug....
  • G. Gross, C. de Laat, D. Spence, L.H. Gommans, J. Vollbrecht, Generic AAA Architecture, RFC 2903 (Aug. 2000) URL...
  • ForsbergD. et al.

    Protocol for carrying authentication for network access (pana)

  • D. Garcia, R. Lopez, Eap-based authentication service for coap, Tech. rep., IETF, Internet-Draft, Apr. 2016, work in...
  • LiS. et al.

    Securing the Internet of Things

    (2017)
  • Y. Lu, L. Da Xu, Internet of things (iot) cybersecurity research: a review of current research topics, IEEE Internet of...
  • S. Li, L. Da Xu, S. Zhao, 5g internet of things: A survey, Journal of Industrial Information...
  • RescorlaE. et al.

    Datagram transport layer security version 1.2

    Tech. rep.

    (2012)
  • KushalnagarN. et al.

    IPv6 over low-power wireless personal area networks (6lowpans): overview, assumptions, problem statement, and goals

    Tech. rep.

    (2007)
  • RazaS. et al.

    Lithe: Lightweight secure coap for the internet of things

    IEEE Sens. J.

    (2013)
  • HummenR. et al.

    Towards viable certificate-based authentication for the internet of things

    Proceedings of the 2nd ACM Workshop on Hot Topics on Wireless Network Security and Privacy

    (2013)
  • SelanderG. et al.

    Requirements for coap end-to-end security

    Tech. rep.

    (2017)
  • O.G.-M.S. Kumar, S. Keoh, Dtls relay for constrained environments, Internet-Draft draft-kumar-dice-dtls-relay-02, IETF...
  • BormannC. et al.

    Concise binary object representation (CBOR)

    Tech. Rep.

    (2013)
  • SelanderG. et al.

    Object security for constrained restful environments (oscore)

    Tech. rep.

    (2018)
  • S. Aragon, M. Tiloca, S. Raza, Ipsec profile of ace, Internet- Draft draft-aragon-ace-ipsec-profile-01, IETF...
  • L. Alliance, Lorawan specification version 10, LoRa...
  • ClaeysT. et al.

    Securing complex iot platforms with token based access control and authenticated key establishment

    International Workshop on Secure Internet of Things (SIoT)

    (2017)
  • HardtD.

    The oauth 2.0 authorization framework

    Tech. Rep.

    (2012)
  • Cited by (13)

    View all citing articles on Scopus

    Salvador Pérez ( [email protected]) received the B.Sc degree in Computer Science in 2013 and the Ms.C degree in New Technologies in Computer Science in 2015 from the University of Murcia, Spain. He is currently working towards the Ph.D. degree and as a researcher at the same university in the Department of Information and Communications Engineering. His main research interests are focused on defining data-centric security approaches to be deployed in IoT scenarios.

    Dan Garcia-Carrillo ( [email protected]) received the B.Eng. degree in technologies in computer science (with a specialization in networks and telecommunications) from the University of Murcia, Murcia, Spain, in and 2014, respectively. He is currently pursuing the Ph.D. degree with a specialization in security related to authentication for Internet of Things under an industrial Ph.D. grant to ODIN Solutions, S.L. at the University of Murcia.

    Rafael Marín-López ( [email protected]) received the B.E., M.E., and Ph.D. degrees in computer sciences from the University of Murcia, Murcia, Spain, in 1998, 2000, and 2008, respectively. He is a full-time Associate Lecturer with the Department Information and Communications Engineering, University of Murcia. He did a pre-doctoral internship with Toshiba America Research, Piscataway, NJ, USA, from 2005 to 2006. Since 2003, he has been collaborating actively in standardization. In particular, he has participated in the IETF in diverse working groups (WGs) and is currently active in LP-WAN WG and I2NSF WG. He has co-authored RFC 5193, RFC 5609, RFC 5637, the standard IEEE 802.21a, and several Internet-Drafts. His current research interests include authentication, authorization, access control, and key distribution in different types of networks and services. He is currently exploring security aspects in Internet of Things and software-defined networks.

    José L. Hernandez-Ramos   ( [email protected]) received the M.Sc. and Ph.D. degrees in computer science from the University of Murcia, Spain. He was a research fellow in the Department of Information and Communications Engineering at the University of Murcia, before joining the Joint Research Centre of the European Commission in Ispra, Italy, in 2018 as a project officer. He has participated in different European research projects, such as SocIoTal and SMARTIE. His research interests are mainly related to the application of security and privacy mechanisms for the Internet of Things.

    Rafael Marín-Pérez ( [email protected]) is a Technology Manager of OdinS. He received his Ph.D. in Computer Science, at University of Murcia in 2012 in the research field of Wireless Sensor Networks. Since 2006, he worked as full-time researcher on EU projects like ANASTACIA, Smartie, IoT6 and GEN6, as well in national projects such as SAVIA, HospiSegur, MCiudad and MARTA. He gained his expertise on the innovation areas of low-power wireless technologies (Zigbee, Sigfox, LORA and LTE-M) and IoT communication protocols (6lowpan, MQTT, COAP, etc). His main interests are the research and development of monitoring and tele-control solutions, especially focused on Smart Cities and Industry 4.0.

    Antonio F. Skarmeta ( [email protected]) received the M.S. degree in computer science from the University of Granada, and B.S. (Hons.) and the Ph.D. degrees in computer science from the University of Murcia, Spain. Since 2009 he has been a full professor at the same department and University. His main interests are the integration of security services, identity, IoT, and smart cities. He has published more than 200 international papers, and he has been a member of several program committees.

    View full text