skip to main content
10.1145/3445969.3450423acmconferencesArticle/Chapter ViewAbstractPublication PagescodaspyConference Proceedingsconference-collections
research-article

Transparent End-to-End Security for Publish/Subscribe Communication in Cyber-Physical Systems

Published: 26 April 2021 Publication History

Abstract

The ongoing digitization of industrial manufacturing leads to a decisive change in industrial communication paradigms. Moving from traditional one-to-one to many-to-many communication, publish/subscribe systems promise a more dynamic and efficient exchange of data. However, the resulting significantly more complex communication relationships render traditional end-to-end security futile for sufficiently protecting the sensitive and safety-critical data transmitted in industrial systems. Most notably, the central message brokers inherent in publish/subscribe systems introduce a designated weak spot for security as they can access all communication messages. To address this issue, we propose ENTRUST, a novel solution for key server-based end-to-end security in publish/subscribe systems. ENTRUST transparently realizes confidentiality, integrity, and authentication for publish/subscribe systems without any modification of the underlying protocol. We exemplarily implement ENTRUST on top of MQTT, the de-facto standard for machine-to-machine communication, showing that ENTRUST can integrate seamlessly into existing publish/subscribe systems.

Supplementary Material

MP4 File (SAT-CPS21_ibrahim.mp4)
Presentation video.

References

[1]
Frederik Armknecht, Paul Walther, Gene Tsudik, Martin Beck, and Thorsten Strufe. 2020. ProMACs: Progressive and Resynchronizing MACs for Continuous Efficient Authentication of Message Streams. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20). ACM, 211--223. https://doi.org/10.1145/3372297.3423349
[2]
Luigi Atzori, Antonio Iera, and Giacomo Morabito. 2010. The Internet of Things: A survey. Computer Networks, Vol. 54, 15, 2787--2805. https://doi.org/10.1016/j.comnet.2010.05.010
[3]
Andrew Banks and Rahul Gupta. 2014. MQTT Version 3.1.1. OASIS Standard.
[4]
Smriti Bhatt, A Tawalbeh Lo'ai, Pankaj Chhetri, and Paras Bhatt. 2019. Authorizations in Cloud-Based Internet of Things: Current Trends and Use Cases. In Proceedings of the 2019 4th International Conference on Fog and Mobile Edge Computing (FMEC '19). IEEE, 241--246. https://doi.org/10.1109/FMEC.2019.8795309
[5]
Cristian Borcea, Yuriy Polyakov, Kurt Rohloff, and Gerard Ryan. 2017. PICADOR: End-to-end encrypted Publish--Subscribe information distribution with proxy re-encryption. Future Generation Computer Systems, Vol. 71, 177--191. https://doi.org/10.1016/j.future.2016.10.013
[6]
Markus Dahlmanns, Johannes Lohmöller, Ina Berenice Fink, Jan Pennekamp, Klaus Wehrle, and Martin Henze. 2020. Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments. In Proceedings of the ACM Internet Measurement Conference (IMC '20). ACM, 101--110. https://doi.org/10.1145/3419394.3423666
[7]
Prajit Kumar Das, Sandeep Narayanan, Nitin Kumar Sharma, Anupam Joshi, Karuna Joshi, and Tim Finin. 2016. Context-Sensitive Policy Based Security in Internet of Things. In Proceedings of the 2016 IEEE International Conference on Smart Computing (SMARTCOMP '16). IEEE. https://doi.org/10.1109/SMARTCOMP.2016.7501684
[8]
Fabrizio De Santis, Andreas Schauer, and Georg Sigl. 2017. ChaCha20-Poly1305 Authenticated Encryption for High-Speed Embedded IoT Applications. In Proceedings of the Design, Automation & Test in Europe Conference & Exhibition (DATE '17). IEEE, 692--697. https://doi.org/10.23919/DATE.2017.7927078
[9]
Tim Dierks and Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.2. IETF RFC 5246. https://doi.org/10.17487/RFC5246
[10]
Michael Dodson, Alastair R. Beresford, and Daniel R. Thomas. 2020. When will my PLC support Mirai? The security economics of large-scale attacks against Internet-connected ICS devices. In Proceedings of the 2020 APWG Symposium on Electronic Crime Research (eCrime '20). IEEE.
[11]
Dacfey Dzung, Martin Naedele, Thomas P. Von Hoff, and Mario Crevatin. 2005. Security for Industrial Communication Systems. Proc. IEEE, Vol. 93, 6, 1152--1177. https://doi.org/10.1109/JPROC.2005.849714
[12]
Eclipse Foundation. 2010. Eclipse Mosquitto. https://mosquitto.org/.
[13]
Pasi Eronen and Hannes Tschofenig. 2005. Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). IETF RFC 4279. https://doi.org/10.17487/RFC4279
[14]
Patrick Th. Eugster, Pascal A. Felber, Rachid Guerraoui, and Anne-Marie Kermarrec. 2003. The Many Faces of Publish/Subscribe. Comput. Surveys, Vol. 35, 2, 114--131. https://doi.org/10.1145/857076.857078
[15]
Jingcheng Gao, Jing Liu, Bharat Rajan, Rahul Nori et al. 2014. SCADA communication and security issues. Security and Communication Networks, Vol. 7, 1, 175--194. https://doi.org/10.1002/sec.698
[16]
Dennis J. Gaushell and Wayne R. Block. 1993. SCADA Communication Techniques and Standards. IEEE Computer Applications in Power, Vol. 6, 3, 45--50. https://doi.org/10.1109/67.222741
[17]
René Glebke, Martin Henze, Klaus Wehrle, Philipp Niemietz et al. 2019. A Case for Integrated Data Processing in Large-Scale Cyber-Physical Systems. In Proceedings of the 52nd Hawaii International Conference on System Sciences (HICSS '19). AIS, 7252--7261. https://doi.org/10.24251/HICSS.2019.871
[18]
Lars Gleim, Jan Pennekamp, Martin Liebenberg, Melanie Buchsbaum et al. 2020. FactDAG: Formalizing Data Interoperability in an Internet of Production. IEEE Internet of Things Journal, Vol. 7, 4, 3243--3253. https://doi.org/10.1109/JIOT.2020.2966402
[19]
Robert Godfrey, David Ingham, and Rafael Schloming. 2014. OASIS Advanced Message Queuing Protocol (AMQP) Version 1.0. OASIS Standard.
[20]
Maanak Gupta, Mahmoud Abdelsalam, Sajad Khorsandroo, and Sudip Mittal. 2020. Security and Privacy in Smart Farming: Challenges and Opportunities. IEEE Access, Vol. 8, 34564--34584. https://doi.org/10.1109/ACCESS.2020.2975142
[21]
Martin Henze. 2020. The Quest for Secure and Privacy-preserving Cloud-based Industrial Cooperation. In Proceedings of the 2020 IEEE Conference on Communications and Network Security (CNS '20). IEEE. https://doi.org/10.1109/CNS48642.2020.9162199 Proceedings of the 6th International Workshop on Security and Privacy in the Cloud (SPC '20).
[22]
Martin Henze, Roman Matzutt, Jens Hiller, Erik Mühmer et al. 2020. Complying with Data Handling Requirements in Cloud Storage Systems. IEEE Transactions on Cloud Computing. https://doi.org/10.1109/TCC.2020.3000336
[23]
Martin Henze, Benedikt Wolters, Roman Matzutt, Torsten Zimmermann, and Klaus Wehrle. 2017. Distributed Configuration, Authorization and Management in the Cloud-based Internet of Things. In Proceedings of the 2017 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom '17). IEEE, 185--192. https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.236
[24]
René Hummen, Hanno Wirtz, Jan Henrik Ziegeldorf, Jens Hiller, and Klaus Wehrle. 2013. Tailoring End-to-End IP Security Protocols to the Internet of Things. In Proceedings of the 2013 21st IEEE International Conference on Network Protocols (ICNP '13). IEEE. https://doi.org/10.1109/ICNP.2013.6733571
[25]
International Electrotechnical Commission. 2014. Industrial communication networks - Fieldbus specifications. IEC 61158.
[26]
Yan Jia, Luyi Xing, Yuhang Mao, Dongfang Zhao et al. 2020. Burglars' IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP '20). IEEE, 465--481. https://doi.org/10.1109/SP40000.2020.00051
[27]
Bernd Klauer, Jan Haase, Dominik Meyer, and Marcel Eckert. 2017. Wireless sensor/actuator device configuration by NFC with secure key exchange. In 2017 IEEE AFRICON. IEEE, 473--478. https://doi.org/10.1109/AFRCON.2017.8095528
[28]
Hugo Krawczyk and Pasi Eronen. 2010. HMAC-based Extract-and-Expand Key Derivation Function (HKDF). IETF RFC 5869. https://doi.org/10.17487/RFC5869
[29]
Sam Kumar, Yuncong Hu, Michael P. Andersen, Raluca Ada Popa, and David E. Culler. 2019. JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT. In Proceedings of the 28th USENIX Security Symposium (SEC '19). USENIX Association, 1519--1536.
[30]
Heiner Lasi, Peter Fettke, Hans-Georg Kemper, Thomas Feld, and Michael Hoffmann. 2014. Industry 4.0. Business & Information Systems Engineering, Vol. 6, 4, 239--242. https://doi.org/10.1007/s12599-014-0334--4
[31]
Pieter Maene, Johannes Götzfried, Ruan De Clercq, Tilo Müller, Felix Freiling, and Ingrid Verbauwhede. 2017. Hardware-Based Trusted Computing Architectures for Isolation and Attestation. IEEE Trans. Comput., Vol. 67, 3, 361--374. https://doi.org/10.1109/TC.2017.2647955
[32]
Federico Maggi, Rainer Vosseler, and Davide Quarta. 2018. The Fragility of Industrial IoT's Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols. Technical Report. Trend Micro Research.
[33]
Lukas Malina, Gautam Srivastava, Petr Dzurenda, Jan Hajny, and Radek Fujdiak. 2019. A Secure Publish/Subscribe Protocol for Internet of Things. In Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES '19). ACM. https://doi.org/10.1145/3339252.3340503
[34]
Tobias Marktscheffel, Wolfram Gottschlich, Wolfgang Popp, Philemon Werli et al. 2016. QR code based mutual authentication protocol for Internet of Things. In Proceedings of the 2016 IEEE 17th International Symposium on A World of Wireless, Mobile and Multimedia Networks (WoWMoM '16). IEEE. https://doi.org/10.1109/WoWMoM.2016.7523562
[35]
Modbus-IDA. 2006. MODBUS Application Protocol Specification V1.1b .
[36]
Hirotaka Niisato. 2014. MQTT for Photon, Spark Core. https://github.com/hirotakaster/MQTT .
[37]
OPC Foundation. 2017. OPC Unified Architecture -- Part 14: PubSub. OPC 10000--14: OPC Unified Architecture.
[38]
Shrideep Pallickara and Geoffrey Fox. 2003. NaradaBrokering: A Distributed Middleware Framework and Architecture for Enabling Durable Peer-to-Peer Grids. In Proceedings of the 4th ACM/IFIP/USENIX International Middleware Conference (Middleware '03), Vol. 2672. Springer, 41--61. https://doi.org/10.1007/3--540--44892--6_3
[39]
Shrideep Pallickara, Marlon Pierce, Harshawardhan Gadgil, Geoffrey Fox, Yan Yan, and Yi Huang. 2006. A Framework for Secure End-to-End Delivery of Messages in Publish/Subscribe Systems. In Proceedings of the 2006 7th IEEE/ACM International Conference on Grid Computing (GRID '06). IEEE, 215--222. https://doi.org/10.1109/ICGRID.2006.311018
[40]
Cristina Panait and Dan Dragomir. 2015. Measuring the performance and energy consumptionof AES in wireless sensor networks. In Proceedings of the 2015 Federated Conference on Computer Science and Information Systems (FedCSIS '15). IEEE, 1261--1266. https://doi.org/10.15439/2015F322
[41]
Jan Pennekamp, Erik Buchholz, Yannik Lockner, Markus Dahlmanns et al. 2020 a. Privacy-Preserving Production Process Parameter Exchange. In Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC '20). ACM, 510--525. https://doi.org/10.1145/3427228.3427248
[42]
Jan Pennekamp, René Glebke, Martin Henze, Tobias Meisen et al. 2019 a. Towards an Infrastructure Enabling the Internet of Production. In Proceedings of the 2019 IEEE International Conference on Industrial Cyber Physical Systems (ICPS '19). IEEE, 31--37. https://doi.org/10.1109/ICPHYS.2019.8780276
[43]
Jan Pennekamp, Martin Henze, Simo Schmidt, Philipp Niemietz et al. 2019 b. Dataflow Challenges in an Internet of Production: A Security & Privacy Perspective. In Proceedings of the ACM Workshop on Cyber-Physical Systems Security & Privacy (CPS-SPC '19). ACM, 27--38. https://doi.org/10.1145/3338499.3357357
[44]
Jan Pennekamp, Patrick Sapel, Ina Berenice Fink, Simon Wagner et al. 2020 b. Revisiting the Privacy Needs of Real-World Applicable Company Benchmarking. In Proceedings of the 8th Workshop on Encrypted Computing & Applied Homomorphic Cryptography (WAHC '20) .
[45]
Eric Rescorla and Nagendra Modadugu. 2012. Datagram Transport Layer Security Version 1.2. IETF RFC 6347. https://doi.org/10.17487/RFC6347
[46]
Rodrigo Roman, Jianying Zhou, and Javier Lopez. 2013. On the features and challenges of security and privacy in distributed internet of things. Computer Networks, Vol. 57, 10, 2266--2279. https://doi.org/10.1016/j.comnet.2012.12.018
[47]
Mohamed Sabt, Mohammed Achemlal, and Abdelmadjid Bouabdallah. 2015. Trusted Execution Environment: What It is, and What It is Not. In Proceedings of the 2015 IEEE IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom '15), Vol. 1. IEEE, 57--64. https://doi.org/10.1109/Trustcom.2015.357
[48]
Ahmad-Reza Sadeghi, Christian Wachsmann, and Michael Waidner. 2015. Security and Privacy Challenges in Industrial Internet of Things. In Proceedings of the 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC '15). ACM. https://doi.org/10.1145/2744769.2747942
[49]
Carlos Segarra, Ricard Delgado-Gonzalo, and Valerio Schiavoni. 2020. MQT-TZ: Secure MQTT Broker for Biomedical Signal Processing on the Edge. Studies in Health Technology and Informatics, Vol. 270, 332--336. https://doi.org/10.3233/SHTI200177 Proceedings of 2020 Medical Informatics Europe on Digital Personalized Health and Medicine (MIE '20).
[50]
Meena Singh, M. A. Rajan, V. L. Shivraj, and Purushothaman Balamuralidhar. 2015. Secure MQTT for Internet of Things (IoT). In Proceedings of the 2015 5th International Conference on Communication Systems and Network Technologies (CSNT '15). IEEE, 746--751. https://doi.org/10.1109/CSNT.2015.16
[51]
Anton V. Uzunov. 2016. A survey of security solutions for distributed publish/subscribe systems. Computers & Security, Vol. 61, 94--129. https://doi.org/10.1016/j.cose.2016.04.008
[52]
Rhys Weatherley. 2012. Arduino Cryptography Library. https://github.com/rweather/arduinolibs .
[53]
Michael E. Whitman and Herbert J. Mattord. 2011. Principles of Information Security 4th ed.). Course Technology Press.

Cited By

View all
  • (2024)Achieving Accountability and Data Integrity in Message Queuing Telemetry Transport Using Blockchain and Interplanetary File SystemFuture Internet10.3390/fi1607024616:7(246)Online publication date: 13-Jul-2024
  • (2024)Pub/Sub Meets MLS: End-to-End Encrypted Group Data Sharing Over Publish-Subscribe2024 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking62109.2024.10619724(1-6)Online publication date: 3-Jun-2024
  • (2024)Quantum-Resistant and Secure MQTT CommunicationProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670463(1-8)Online publication date: 30-Jul-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SAT-CPS '21: Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
April 2021
116 pages
ISBN:9781450383196
DOI:10.1145/3445969
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 April 2021

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. cyber-physical system security
  2. end-to-end security
  3. publish-subscribe security

Qualifiers

  • Research-article

Funding Sources

Conference

CODASPY '21
Sponsor:

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)66
  • Downloads (Last 6 weeks)3
Reflects downloads up to 27 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Achieving Accountability and Data Integrity in Message Queuing Telemetry Transport Using Blockchain and Interplanetary File SystemFuture Internet10.3390/fi1607024616:7(246)Online publication date: 13-Jul-2024
  • (2024)Pub/Sub Meets MLS: End-to-End Encrypted Group Data Sharing Over Publish-Subscribe2024 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking62109.2024.10619724(1-6)Online publication date: 3-Jun-2024
  • (2024)Quantum-Resistant and Secure MQTT CommunicationProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670463(1-8)Online publication date: 30-Jul-2024
  • (2024)Protocol-Level Kafka Controls in a Customizable Proxy2024 IEEE 20th International Conference on e-Science (e-Science)10.1109/e-Science62913.2024.10678687(1-2)Online publication date: 16-Sep-2024
  • (2024)MQTT-I: Achieving End-to-End Data Flow Integrity in MQTTIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2024.3358630(1-18)Online publication date: 2024
  • (2024)REEDS: An Efficient Revocable End-to-End Encrypted Message Distribution System for IoTIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2024.335381121:5(4526-4542)Online publication date: 1-Sep-2024
  • (2024)End to End Encrypted Messaging Application Using ORDEX2024 6th International Conference on Electrical, Control and Instrumentation Engineering (ICECIE)10.1109/ICECIE63774.2024.10815684(1-8)Online publication date: 23-Nov-2024
  • (2024)A Framework for Secure Internet of Things Applications2024 10th International Conference on Control, Decision and Information Technologies (CoDIT)10.1109/CoDIT62066.2024.10708208(2845-2850)Online publication date: 1-Jul-2024
  • (2024)Securing Sensing in Supply Chains: Opportunities, Building Blocks, and DesignsIEEE Access10.1109/ACCESS.2024.335077812(9350-9368)Online publication date: 2024
  • (2024)End to End secure data exchange in value chains with dynamic policy updatesFuture Generation Computer Systems10.1016/j.future.2024.04.053158:C(333-345)Online publication date: 1-Sep-2024
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media