ECC based inter-device authentication and authorization scheme using MQTT for IoT networks

https://doi.org/10.1016/j.jisa.2019.02.005Get rights and content

Abstract

Internet of Things (IoT) has emerged from the proliferation of smart and inter-connected devices ranging from tiny sensors to complex Fog and Cloud nodes, various networking technologies, and communication protocols. These IoT devices permeate in our lives through various applications including smart homes, healthcare, defence, transportation, and so forth. Although IoT provides a way of interaction among the physical world objects and the Internet, these connected devices have created a new dimension of security challenges associated with the vulnerabilities present in them. These challenges can be tackled to some extent by deploying a rigid authentication and access control model. In this paper, we propose a novel light-weight authentication and authorization framework suitable for distributed IoT environment using Elliptical Curve Cryptography (ECC) and Message Queuing Telemetry Transport (MQTT). Moreover, we implement the scheme, and analyse and compare its various security and performance aspects with other schemes.

Introduction

Digital world has witnessed the wired Internet emerging, with each personal computer getting linked virtually with the advent of the wireless technologies [1]. However, this development is being pre-dominated by the foreseen possibilities of Internet of Things (IoT) devices. IoT is a novel technological paradigm in the telecommunication field which is a collaboration of physical objects, such as smart devices, that are embedded with highly efficient sensors and actuators, finding their applications in smart homes, smart cities, healthcare, and so on. With its great capabilities, IoT is transforming the world of conventional Internet into a smart inter-connected world where each device is proficient to share its information in an intelligent manner [2]. Impact of IoT can be seen from various aspects of potential end users, whether they are private or commercial users.

Undoubtedly, exponential growth of these devices has made a significant change in the economic and social growth of the society. However, major development in the field is facing potential security threats associated with each layer of its framework. These threats are swiftly invading the Internet-enabled devices by transforming into large size attacks. Attack methodologies like botnets have come into pictures that are able to generate powerful Distributed Denial of Service (DDoS) attacks. One of the most prominent example of these attacks is Mirai, which is capable of creating several Gbps of traffic with the help of IoT devices [3]. Surprisingly, this is not the only malware which can target IoT devices. There are several others as well that can compromise these devices easily due to lack of security software installed in these devices, unlike personal computers. Among many reasons, one of the most common reasons is weak passwords. Sometimes the devices have hard-coded credentials or users never change the default credentials stored on the devices.

In order to provide efficient security solutions in terms of privacy, confidentiality, authentication, and integrity, researchers have done significant work in the field of cryptographic techniques. Because of heterogeneity and different constraints, traditional cryptographic techniques cannot be implemented over IoT devices. However, light-weight cryptographic primitives have the potential to provide equivalent or better security than any other traditional technique by utilizing limited resources to perform only a few computations [4].

While dealing with secure IoT infrastructure, authentication and authorization play an imperative role. One-way authentication is unable to provide security for both the communicating parties. Alternative solution to this problem is mutual authentication in which both the parties get authenticated before the actual transmission. Elliptic Curve Cryptography (ECC), which is an asymmetric key cryptographic technique, is appropriate for situations where resources are limited [5]. Different authentication techniques based on ECC have been developed, but some failed to provide mutual authentication [6], [7], some do not support Device-to-Device (D2D) level authentication [8], [9], and some do not support authentication at protocol level [10]. In this regard, we propose a novel inter-device authentication and authorization scheme, based on ECC and Message Queuing Telemetry Transport (MQTT) suitable for resource-constrained IoT networks.

The major contributions of the proposed work are summarized as follows:

  • We illustrate the efficiency of using MQTT with ECC over MQTT with no encryption methodology.

  • We implement our proposed scheme on Automated Validation of Internet Security Protocols and Applications (AVISPA) and Access Control Policy Testing (ACPT) tools to ensure its correctness.

  • We present detailed formal and informal security and performance analysis to show how our scheme is better than some of the other related schemes proposed in the past.

Rest of the paper is structured as follows. Section 2 highlights some of the related work done in the field. Section 3 includes a discussion on the preliminary concepts involved in the development of our scheme including ECC, MQTT, hash functions and underlying policy models. In Section 4, we discuss the working of our proposed scheme in detail along with the underlying entities involved. Section 5 presents the implementation results of the proposed scheme on AVISPA and ACPT tools. Sections 6 and 7 discuss the security and performance aspects, respectively, of the proposed scheme and present a comparison with other related schemes from the past. Finally, Section 8 concludes the paper with future work.

Section snippets

Related work

A number of inter-device authentication mechanisms have been proposed so far based on Kerberos [11], [1], pre-shared keys [12], [13], and public-key certificates [14]. All these schemes have their own advantages and drawbacks with respect to different operational scenarios. For instance, Kerberos based schemes require presence of a central server in the absence of which users cannot log in, thus, is susceptible to DoS attacks. Pre-shared keys based authentication mechanisms are susceptible to

Preliminaries

In this section, we discuss the basic concepts involved in the formulation of our scheme including ECC, MQTT and secure one-way collision-resistant hash function. We also discuss in detail the underlying technologies including Cloud Computing, Fog Computing and Network Function Virtualization (NFV) along with the access control policy determination models UCON and CapBAC.

The proposed scheme

In this section, we discuss our proposed scheme in detail including the system entities involved, system model and mathematical formulation of the scheme.

Implementation and results

In this section, we discuss the preliminary concepts about the tools used for the implementation of our proposed scheme along with the results obtained on them.

Security analysis

In this section, we present the informal and formal security analysis of our proposed scheme including how this scheme deals with different security attacks. In addition, we compare the results of our scheme with other related schemes.

Performance analysis

In this section, we present the performance analysis of the proposed scheme by computing the total cost incurred by the mathematical operations involved in the scheme, the number of terms involved during the communication or messages in transit, along with its comparison with the performance of other related schemes [17], [19], [20], [21]. Table 7 shows the comparison of the computational cost of our scheme with other related schemes.

From Table 7, it can be seen that the number of hash

Conclusion and future scope

IoT provides a platform where physical world objects meet the Internet in order to serve users through various applications. However, these connected devices bring a new dimension of security challenges due to the vulnerabilities associated with them or at different levels of IoT architecture. Authentication and authorization model is one of the solution among the available ones to protect the networking environment. However, the model should be designed by considering the heterogeneity and

References (40)

  • R. Amin et al.

    A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis

    J Med Syst

    (2015)
  • L. Xu et al.

    Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care

    J Med Syst

    (2015)
  • B.S. Adiga et al.

    An identity based encryption using elliptic curve cryptography for secure m2m communication

  • M.A. Kâafar et al.

    A Kerberos-based authentication architecture for wireless lans

  • Bersani F, & Tschofenig H. (2007). The EAP-PSK protocol: aA pre-shared key extensible authentication protocol (EAP)...
  • Clancy T, & Tschofenig H. (2009). Extensible authentication protocol-generalized pre-shared key (EAP-GPSK) Method (No....
  • M. Benantar
    (2012)
  • K.V. Nguyen

    Simplifying peer-to-peer device authentication using identity-based cryptography

  • W. Bae

    Inter-device mutual authentication and formal verification in M2M environment

    J Digit Converg

    (2014)
  • N. Park et al.

    Mutual authentication scheme in secure internet of things technology for comfortable lifestyle

    Sensors

    (2015)
  • Cited by (70)

    • A secure three-factor authentication scheme for IoT environments

      2022, Journal of Parallel and Distributed Computing
      Citation Excerpt :

      Traditional cryptography methods cannot be used, due to their different limitations, on IoT devices. However, it is possible to utilize lightweight cryptography regarding the limited number of resources existing in IoT [24]. So far, numerous authentication schemes and key agreements have been presented to meet these needs.

    View all citing articles on Scopus
    View full text