ABSTRACT
The security of protocols and the absence of design-related weaknesses and vulnerabilities is crucial for the prevention of cyber attacks. This paper provides the first formal model for EnOcean, an IoT protocol widely used in home automation systems. Based on EnOcean’s security specification a formal model of its teach-in and high security authentication is created in the applied pi calculus. In an automated security analysis with the security protocol model checker ProVerif several security requirements are checked. While the analysis shows that all the secrecy statements can be verified, it identifies some weaknesses for the authentication. Based on an analysis of the potential attacks, we suggest a provable fix for the detected attacks.
- Martín Abadi, Bruno Blanchet, and Cédric Fournet. 2007. Just fast keying in the pi calculus. ACM Transactions on Information and System Security (TISSEC) 10, 3(2007), 9–es.Google ScholarDigital Library
- Martín Abadi and Cédric Fournet. 2001. Mobile values, new names, and secure communication. Acm Sigplan Notices 36, 3 (2001), 104–115.Google ScholarDigital Library
- Roberto O Andrade, Iván Ortiz-Garcés, and María Cazares. 2020. Cybersecurity attacks on Smart Home during Covid-19 pandemic. In 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4). IEEE, 398–404.Google ScholarCross Ref
- David Basin, Cas Cremers, and Catherine Meadows. 2018. Model Checking Security Protocols. In Handbook of Model Checking. Springer, 727–762.Google Scholar
- David Basin, Jannik Dreier, Lucca Hirschi, Saša Radomirovic, Ralf Sasse, and Vincent Stettler. 2018. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS ’18). ACM, New York, NY, USA, 1383–1396. https://doi.org/10.1145/3243734.3243846Google ScholarDigital Library
- Jordi Batalla, Athanasios Vasilakos, and Mariusz Gajewski. 2017. Secure Smart Homes: Opportunities and Challenges. Comput. Surveys 50 (09 2017), 1–32. https://doi.org/10.1145/3122816Google ScholarDigital Library
- Karthikeyan Bhargavan, Cédric Fournet, Ricardo Corin, and Eugen Zalinescu. 2008. Cryptographically verified implementations for TLS. In Proceedings of the 15th ACM conference on Computer and communications security. 459–468.Google ScholarDigital Library
- Bruno Blanchet, Ben Smyth, Vincent Cheval, and Marc Sylvestre. 2020. ProVerif 2.02pl1: Automatic Cryptographic Protocol Verifier,User Manual and Tutorial.Google Scholar
- Richard Chang and Vitaly Shmatikov. 2007. Formal Analysis of Authentication in Bluetooth Device Pairing. (2007). FCS-ARSPA07.Google Scholar
- F. Conceicao, N. Oualha, and D. Zeghlache. 2017. Security Establishment for IoT Environments in 5G: Direct MTC-UE Communications. In 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC). 1–5. https://doi.org/10.1109/PIMRC.2017.8292693Google ScholarDigital Library
- Cas Cremers and Martin Dehnel-Wild. 2019. Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. In Network and Distributed Systems Security (NDSS) Symposium 2019. Internet Society.Google ScholarCross Ref
- Danny Dolev and Andrew Yao. 1983. On the security of public key protocols. IEEE Transactions on information theory 29, 2 (1983), 198–208.Google ScholarDigital Library
- EnOceanAlliance. [n.d.]. Security of EnOcean Radio networks v2.5. https://www.enocean-alliance.org/wp-content/uploads/2019/04/Security-of-EnOcean-Radio-Networks-v2_5.pdfGoogle Scholar
- Katharina Hofer-Schmitz and Branka Stojanović. 2020. Towards Formal Verification of IoT Protocols: A Review. Computer Networks (2020), 107233.Google ScholarCross Ref
- ISO/IEC. [n.d.]. ISO/IEC 14543-3-10:2012. http://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/05/98/59865.htmlGoogle Scholar
- Georgios Kambourakis, Constantinos Kolias, Dimitrios Geneiatakis, Georgios Karopoulos, Georgios Michail Makrakis, and Ioannis Kounelis. 2020. A State-of-the-Art Review on the Security of Mainstream IoT Wireless PAN Protocol Stacks. Symmetry 12, 4 (2020), 579.Google ScholarCross Ref
- K Keerthi, Indrani Roy, Aritra Hazra, and Chester Rebeiro. 2019. Formal Verification for Security in IoT Devices. In Security and Fault Tolerance in Internet of Things. Springer, 179–200.Google Scholar
- Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. 2017. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 435–450.Google ScholarCross Ref
- Gavin Lowe. 1996. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In International Workshop on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 147–166.Google ScholarCross Ref
- S. Marksteiner, V. J. E. Jimenez, H. Valiant, and H. Zeiner. 2017. An Overview of Wireless IoT Protocol Security in the Smart Home Domain. In 2017 Internet of Things Business Models, Users, and Networks. 1–8. https://doi.org/10.1109/CTTE.2017.8260940Google Scholar
- Roger M Needham and Michael D Schroeder. 1978. Using encryption for authentication in large networks of computers. Commun. ACM 21, 12 (1978), 993–999.Google ScholarDigital Library
- Mark Dermot Ryan and Ben Smyth. 2011. Applied pi calculus.Formal Models and Techniques for Analyzing Security Protocols 5 (2011), 112–142.Google Scholar
- J. Zhang, L. Yang, W. Cao, and Q. Wang. 2020. Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif. IEEE Access 8(2020), 23674–23688. https://doi.org/10.1109/ACCESS.2020.2969474Google ScholarCross Ref
Recommendations
Formal verification of the W3C web authentication protocol
HoTSoS '18: Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of SecurityThe science of security can be set on firm foundations via the formal verification of protocols. New protocols can have their design validated in a mechanized manner for security flaws, allowing protocol designs to be scientifically compared in a ...
An enhanced lightweight anonymous biometric based authentication scheme for TMIS
In recent past, Mir and Nikooghadam presented an enhanced biometrics based authentication scheme using lightweight symmetric key primitives for telemedicine networks. This scheme was introduced in an anticipation to the former biometrics based ...
An enhanced privacy preserving remote user authentication scheme with provable security
Very recently, Kumari et al. proposed a symmetric key and smart card-based remote user password authentication scheme to enhance Chung et al.'s scheme. They claimed their enhanced scheme to provide anonymity while resisting all known attacks. In this ...
Comments