Architecture of security association establishment based on bootstrapping technologies for enabling secure IoT infrastructures
Introduction
Security aspects represent an extremely limiting factor for the deployment of IoT solutions [1]. As a core aspect, key management embraces the activities to handle the entire lifecycle of cryptographic keys including their generation, storage and establishment [2]. Like in the current Internet, these cryptographic keys need to be employed by IoT endpoints to establish security associations for data protection. Indeed, in some cases such endpoints could manage particularly sensitive data (e.g., in eHealth scenarios [3]). Consequently, the lack of a suitable key management mechanism could harm users’ privacy, specially if these data are intended to be further analyzed or correlated [4] [5]. However, the realization of key management approaches for IoT must overcome scalability, flexibility and performance issues, specially in the case of resource-constrained devices. Furthermore, typical transport layer approaches (i.e., based on TLS [6]) are no able to provide end-to-end security in the presence of intermediate entities, such as proxies and brokers.
To mitigate this issue, recent standardization efforts are focused on the application layer security into IoT constrained scenarios. In particular, the Ephemeral Diffie–Hellman Over COSE (EDHOC) [7] represents an authenticated and lightweight application-layer key management approach that provides perfect forward secrecy (PFS) [8]. EDHOC represents an ongoing initiative that is being evolved within the scope of the Authentication and Authorization for Constrained Environments (ACE) WG1 of the IETF. The approach is based on the use of CBOR Object Signing and Encryption (COSE) [9], which is a compacted evolution of JSON Object Signing and Encryption (JOSE) [10], so that message overhead is reduced. EDHOC provides a high level of flexibility by enabling different authentication modes: pre-shared key (PSK), raw public key (RPK) and certificates. However, according to EDHOC specification, authentication credentials are previously established by out-of-band mechanisms, so it does not define any concrete approach to address this aspect.
This work aims to fill this gap through the integration with bootstrapping technologies, so that EDHOC authentication credentials are derived from the cryptographic material generated by the bootstrapping process. In the context of IoT, the bootstrapping is usually referred as the initial process by which a device securely joins a network [11]. In particular, we consider the integration with LO-CoAP-EAP [12], which provides a lightweight bootstrapping service that is specifically designed for IoT. LO-CoAP-EAP makes use of the Constrained Application Protocol (CoAP) [13] to transport Extensible Authentication Protocol (EAP) messages [14]. Consequently, it leverages the use of Authentication, Authorization and Accounting (AAA) infrastructures [15] for scalability reasons, while CoAP provides a more lightweight approach as a EAP lower layer protocol compared to well-known protocols, such as the Protocol for carrying Authentication for Network Access (PANA) [16]. Indeed, it should be noted that LO-CoAP-EAP is derived from CoAP-EAP [17], which represents an ongoing standardization effort. Based on the integration between LO-CoAP-EAP and EDHOC, the main contributions of this paper are:
- •
Design and implementation of an extension for the LO-CoAP-EAP protocol that enables to establish EDHOC credentials based on the use of PSK, RPK or certificates authentication modes.
- •
Deployment of the integration of LO-CoAP-EAP and EDHOC on real IoT devices.
- •
Performance evaluation of the proposed approach by considering different practical aspects, such as message size, runtime, number of hops between the endpoints and link loss ratio.
- •
Comparison of our proposal by considering another state-of-the-art bootstrapping protocol, specifically, PANA.
- •
Integration of the proposed approach’s components into a Smart Building scenario.
The remainder of the paper is organized as follows. Section 2 describes existing proposals related to the establishment of security associations in IoT scenarios. Then, Section 3 presents EDHOC and LO-CoAP-EAP as the main building blocks of our work. Section 4 describes the proposed architecture, as well as the associated design considerations. Section 5 provides a detailed description of the proposed approach, which is instantiated in a smart building scenario in Section 6. Then, an evaluation of our proposal is given in Section 7. Finally, Section 8 concludes the paper with an outlook of our future work in this area.
Section snippets
Related work
During last years, security issues have been widely considered as the main obstacle for the adoption of IoT-enabled services. Indeed, the development of such services still has to cope with security challenges related to authentication, authorization, access control, confidentiality or privacy aspects [18], [19]. Furthermore, the IoT ecosystem is being currently enhanced through the integration of emerging technologies, such as 5G, which is intended to address the demanding communication
Preliminaries
As already mentioned, our proposal is based on the integration of LO-CoAP-EAP and EDHOC. Consequently, this section aims to provide an overview of both technologies.
Security associations establishment
As already described, we consider EDHOC for establishment of end-to-end security associations (SAs) between two IoT endpoints. However, such protocol does not specify how these entities establish the required credentials for their authentication, that is, the pre-shared key, public keys or certificates. According to it, we propose the usage of LO-CoAP EAP as a bootstrapping protocol to establish such credentials.
Interactions description
By considering the proposed architecture, in this section we describe the interactions defined in our proposal between the Smart Object and the Controller in order to establish a security association.
IoT use case: Building Automation
Building Automation (BA) is a useful environment to show the importance of the proposed security architecture. In this environment, Smart Objects are deployed to collect critical building information that must be transmitted to allow data-driven applications to perform automatic operations for energy efficiency, security alarms or access control aspects. With the integration of IoT technologies, BA is achieving a broader dimension through the so-called Industrial IoT (IIoT) [61], in which
Evaluation results
In this section, we provide a performance analysis of our proposal by comparing different configurations for each phase, that is, the Bootstrapping, the Credential Establishment and the SA Establishment. Furthermore, we also analyze certain security properties related to the protocols integrating our solution, that is, LO-CoAP-EAP and EDHOC.
Conclusions and future work
Key management represents a crucial aspect to build more secure IoT-enabled scenarios. According to it, this work proposed an integrative approach to manage the life-cycle of cryptographic material, which is employed to establish security associations between a Smart Object and the Controller that manages the access to a certain IoT security domain. In particular, we proposed the integration of the LO-CoAP-EAP bootstrapping protocol as an enabler of the EDHOC protocol, by considering different
Acknowledgments
This work has been partially funded by the H2020 EU ANASTACIA project (731558), the H2020 SerIoT project (780139), and the H2020 EU Plug-n-Harvest project (768735), also in part by the ODIN Solutions S.L. (DI-16-08432), CHIST-ERA PCIN-2016-010, and PEANA UNMU13-2E-2536 (FEDER ).
Salvador Pérez ( [email protected]) received the B.Sc degree in Computer Science in 2013 and the Ms.C degree in New Technologies in Computer Science in 2015 from the University of Murcia, Spain. He is currently working towards the Ph.D. degree and as a researcher at the same university in the Department of Information and Communications Engineering. His main research interests are focused on defining data-centric security approaches to be deployed in IoT scenarios.
References (70)
- et al.
Privacy-preserving fusion of iot and big data for e-health
Future Gener. Comput. Syst.
(2018) - et al.
Efficient location privacy algorithm for internet of things (iot) services and applications
J. Netw. Comput. Appl.
(2017) - et al.
L2p2: A location-label based approach for privacy preserving in lbs
Future Gener. Comput. Syst.
(2017) - et al.
Dtls based security and two-way authentication for the internet of things
Ad Hoc Netw.
(2013) - et al.
Securesense: end-to-end secure communication architecture for the cloud-connected Internet of Things
Future Gener. Comput. Syst.
(2017) - et al.
Industrial iot in 5g environment towards smart manufacturing
J. Ind. Inf. Integr.
(2018) - et al.
Guest Editorial: security and privacy for multimedia in the internet of things (iot)
Multimedia Tools Appl.
(2018) - et al.
Recommendation for key management part 1: General (revision 3)
NIST Spec. Publ.
(2012) - et al.
The transport layer security (TLS) protocol version 1.2
Tech. rep.
(2008) - et al.
Ephemeral diffie-hellman over cose (edhoc)
Tech. rep.
(2018)
Perfect forward secrecy
Cbor object signing and encryption (cose)
Tech. rep.
Use cases and requirements for JSON object signing and en- cryption (JOSE)
Tech. rep.
The constrained application protocol (coap)
Protocol for carrying authentication for network access (pana)
Securing the Internet of Things
Datagram transport layer security version 1.2
Tech. rep.
IPv6 over low-power wireless personal area networks (6lowpans): overview, assumptions, problem statement, and goals
Tech. rep.
Lithe: Lightweight secure coap for the internet of things
IEEE Sens. J.
Towards viable certificate-based authentication for the internet of things
Proceedings of the 2nd ACM Workshop on Hot Topics on Wireless Network Security and Privacy
Requirements for coap end-to-end security
Tech. rep.
Concise binary object representation (CBOR)
Tech. Rep.
Object security for constrained restful environments (oscore)
Tech. rep.
Securing complex iot platforms with token based access control and authenticated key establishment
International Workshop on Secure Internet of Things (SIoT)
The oauth 2.0 authorization framework
Tech. Rep.
Cited by (13)
Survey on recent advances in IoT application layer protocols and machine learning scope for research directions
2022, Digital Communications and NetworksCitation Excerpt :In Ref. [69], Demir et al. proposed an ML-based CoAP protocol with an RTO computation strategy that adopted ML-based technique. Several articles [58–62,73–75] have focused on CoAP protocol security. A Constrained Extensible Protocol (CoEP) was introduced in Ref. [58] for a secure and lightweight IoT application layer protocol, embedding authentication, confidentiality, and integrity for efficient security-based data transmissions.
A survey on IoT application layer protocols, security challenges, and the role of explainable AI in IoT (XAIoT)
2024, International Journal of Information SecuritySecurity Enhancement of Joint Procedure Based on Improved Elliptic Curve Cryptography in LoRaWAN
2023, Wireless Personal Communications
Salvador Pérez ( [email protected]) received the B.Sc degree in Computer Science in 2013 and the Ms.C degree in New Technologies in Computer Science in 2015 from the University of Murcia, Spain. He is currently working towards the Ph.D. degree and as a researcher at the same university in the Department of Information and Communications Engineering. His main research interests are focused on defining data-centric security approaches to be deployed in IoT scenarios.
Dan Garcia-Carrillo ( [email protected]) received the B.Eng. degree in technologies in computer science (with a specialization in networks and telecommunications) from the University of Murcia, Murcia, Spain, in and 2014, respectively. He is currently pursuing the Ph.D. degree with a specialization in security related to authentication for Internet of Things under an industrial Ph.D. grant to ODIN Solutions, S.L. at the University of Murcia.
Rafael Marín-López ( [email protected]) received the B.E., M.E., and Ph.D. degrees in computer sciences from the University of Murcia, Murcia, Spain, in 1998, 2000, and 2008, respectively. He is a full-time Associate Lecturer with the Department Information and Communications Engineering, University of Murcia. He did a pre-doctoral internship with Toshiba America Research, Piscataway, NJ, USA, from 2005 to 2006. Since 2003, he has been collaborating actively in standardization. In particular, he has participated in the IETF in diverse working groups (WGs) and is currently active in LP-WAN WG and I2NSF WG. He has co-authored RFC 5193, RFC 5609, RFC 5637, the standard IEEE 802.21a, and several Internet-Drafts. His current research interests include authentication, authorization, access control, and key distribution in different types of networks and services. He is currently exploring security aspects in Internet of Things and software-defined networks.
José L. Hernandez-Ramos ( [email protected]) received the M.Sc. and Ph.D. degrees in computer science from the University of Murcia, Spain. He was a research fellow in the Department of Information and Communications Engineering at the University of Murcia, before joining the Joint Research Centre of the European Commission in Ispra, Italy, in 2018 as a project officer. He has participated in different European research projects, such as SocIoTal and SMARTIE. His research interests are mainly related to the application of security and privacy mechanisms for the Internet of Things.
Rafael Marín-Pérez ( [email protected]) is a Technology Manager of OdinS. He received his Ph.D. in Computer Science, at University of Murcia in 2012 in the research field of Wireless Sensor Networks. Since 2006, he worked as full-time researcher on EU projects like ANASTACIA, Smartie, IoT6 and GEN6, as well in national projects such as SAVIA, HospiSegur, MCiudad and MARTA. He gained his expertise on the innovation areas of low-power wireless technologies (Zigbee, Sigfox, LORA and LTE-M) and IoT communication protocols (6lowpan, MQTT, COAP, etc). His main interests are the research and development of monitoring and tele-control solutions, especially focused on Smart Cities and Industry 4.0.
Antonio F. Skarmeta ( [email protected]) received the M.S. degree in computer science from the University of Granada, and B.S. (Hons.) and the Ph.D. degrees in computer science from the University of Murcia, Spain. Since 2009 he has been a full professor at the same department and University. His main interests are the integration of security services, identity, IoT, and smart cities. He has published more than 200 international papers, and he has been a member of several program committees.