The following is an excerpt from Securing the Internet of Things by authors Shancang Li and Li Da Xu and published by Elsevier/Syngress. This section from chapter four outlines commonly used security protection technologies in constrained IoT environments.
4.3.1 Identify-Based Authentication
Technically, IoT consists of uncountable devices, sensors, or actuators or simply objectives connected to services in the Internet. These objectives are from different vendors, communities, or standard groups. Most of these devices speak different protocols, which make the IoT hard to be implemented. In this case, the devices identify management as one of the most important common technologies, which should be able to coordinate different protocols, standards, scenarios. From a security point of view, security protection should be provided for "Identities of things" in heterogeneous communication and machine-to-machine security. The security challenges are related to identification, authentication, privacy, trustworthiness, and confidentiality. The identification is one of the most important challenges in security of IoT. IoT consists of variety of smart devices like intelligent sensors, smart objectives, computer, back-bone servers, cloud clusters, etc. All of them should be uniquely identified for addressing capabilities and for providing a means to communicate with each other. From the viewpoint of security, the security protection mechanism should be able to identify the message generators, transmitters, and receivers. Existing identification schemes, for example, RFID objective identifier, EPC global, NFC, IPv4, IPv6, etc., have been developed for existing networks, however, how to securely manage devices in IoT environment is still a challenge.
The commonly used protocols for identity authentication include:
- One-way authentication, which authenticates two nodes. For example, node 1 and node 2 have a common secret key Xuh. Node selects r ∈ GF (P) which will be used to create session key. Tu is time stamp of nodes. The secret key created by node 1 is L=h(Xuh⊕Tu), then node 1 encrypts r with L as R=EL and encrypts Tu with Xuh as Tus= EXuh(Tuh). MAC1=MAC(Xuh'R||ICAP1), where ICAP1 is a data structure represented by an identity based on node 1. Now, node 1 sends the following parameters to node 2 (R'Tus' MAC1). Node 2 generates its time stamp as Tcurrent and decrypt Tus to get Tu and compare it with Tcurrent. If Tcurrent>Tu', it is valid. Now in node 2 calculate L and decrypt R to get r. It also calculates MAC'1 and it will verify this with MAC1 received from node 1. Fig. 4.3 shows the protocol.
- Mutual-authentication, which is part of authentication authenticates node 2 to node 1. Node 2 builds a MAC as MAC2=MAC(r||ICAP2) and also encrypts r with Xuh as R'=EXuh(r). Then it sends (R', MAC2) to node 1. Node 1 verifies MAC2 and decrypts R' and compares received r with this r'. Fig. 4.4 shows the protocol.
Two of the best-known uses of PKC are:
- Public-key encryption, a message is encrypted with a recipient's public key. The message can only be decrypted by the matching private key, who is assumed to be the owner of the key and the person associated with the public key. This is used in an attempt to ensure confidentiality.
- Digital signatures. A message is signed with the sender's private key and can be verified by anyone who has access to the sender's public key. This verification provides that the sender had access to the private key, and therefore is likely to be the person associated with the public key. This ensures that the message has not been tampered with.
4.3.2 Digital Signature
A problem with the use of public-key cryptography is confidence/proof that a particular public key is authentic. It is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party.
The usual approach to the problem is to sue PKI, in which one or more third parties -- known as CAs -- certify ownership of key pairs. To date, no fully satisfactory solution to the "public-key authentication problem" has been found.
The symmetric key algorithms are quite efficient, but the key distribution is difficult at IoT end devices. The key distribution requires a secure connection between the key distribution sever and the IoT nodes. PKC and asymmetric cryptography are two effective ways of providing confidentiality and authentication. In contrast to the symmetric cryptography, the PKC is based on mathematically hard problem to solve, whereas hard in this context refers to the complexity of calculation. The public-key encryption is based on "trapdoor" functions, which are easy to compute, but hard to reverse without additional information. The RSA is a widely used public-key algorithm, in which the hard problem is finding the prime factors of a composite number. In PKC cryptosystem, generally is a key pair, the public key and the private key, the public key is made accessible to the public and the private key is kept at a safe place. The public keys are generally used in two ways.
- Public-key encryption, in which one is capable of encrypting a message with the public key of an entity, where only the entity with the corresponding private key is capable of decrypting the cipher text.
- Digital signatures in which a cipher text generated with the private key can be decrypted by anyone who has the public key. This verification proves that the sender had access to the private key and therefore is likely to be the person associated with the public key.
In PKC system, public/private key pairs can be easily generated for encryption and decryption. The security strength in a PKC system lies in how difficult to determine a properly generated private key from its public key. In this case, the length of private key is important for avoiding brute-force attacks.
The RSA is one of the first practical public-key cryptosystems, which is based on the practical difficulty of factoring the product of two large prime numbers. If the public key is large enough, only the one knowing the prime numbers can feasibly decode the message. The RSA is a relative slow algorithm for encryption; however, it is commonly used to pass encrypted shared keys for symmetric key cryptography. Since RSA encryption is an expensive operation, in IoT it is rather used in combination with symmetric cryptography. The shared symmetric key is encrypted with RSA, the security of encryption in general is dependent on the length of the key. For RSA, a key length of 1024 bits (128 bytes) is required, to have an equivalent security level of symmetric key cryptography with a key length of 128 bit (16 bytes). The large key size of RSA will cause expensive computation costs.
Securing the Internet of Things
Written by Shancang Li and Li Da Xu
Pulished by Elsevier/Syngress
Get your copy of Securing the Internet of Things here.
The ECC is an alternative to common PKC because of the resistance against powerful index-calculus attacks. The ECC allows efficient implementation due to a significant smaller bit size of the operands over resource-constrained environment. ECC is another public-key cryptography approach that works based on elliptic curves over finite fields. ECC's smaller key size is 256 as shown in Table 4.2. It is more efficient than RSA and it is more suitable for resource-limited devices in IoT. The basic idea of ECC is the general assumption that the elliptic curve discrete logarithm problem is infeasible or at least not solvable in a reasonable time.
The IETF recommends the AES-CCM in combination with ECC for constrained devices. In this section, we will explain how ECC is used to perform a secure key exchange and create digital signatures.
- ECC concept
- Secure key exchange
- Digital signature
The equation of an elliptic curve has the following form:
The set of EC points are on this curve. A feature of EC is that the result of addition of two points on the curve lies again on the curve. The same holds as well for multiplication. Assume P is a known point on a given EC, and d is a secret random number which serves as the private key, the public key Q, and the private key d have the following relation:
Then, the public key Q is again a point on the same curve. Although Q and P are publicly known and Q is the result of adding P and d times to itself, it is mathematically a hard problem to compute d.
Public keys are created by multiplying the generator. Using the routines for arithmetic, other routines can be built that will compute scalar multiples of the generating point, kP, or of other points Q=dG. Public keys are created by multiplying the generator, that is Q is the public key for d if Q=dP on the elliptic curve. Key generation is the production of (d' D) is therefore very basic and efficient in ECC. In RSA key generation involves coming up with large prime numbers and takes much longer.
Assume user Q wants to sign a message m, he/she first computes K=kP for k random, since this can be complete before the message is in hand, so it is often completed over powerful service and passed to the constrained nodes in IoT. If the message m can be signed by computing with much less intensive modular computations over nodes:
in which n is the pointer order and the signature on message m is (r' s). If one knows the public key D, then he can verify this signature on m as:
if the r and r' are the same, it means it is acceptable. In practical, the applications that require cryptography system can quickly generate signatures and a number of speeding up verification based on ECC have been developed.
The ECC has small key sizes and is able to generate efficient signature. The strength and efficiency of ECC makes it an ideal for many IoT applications over resource-limited devices. The ECC is suitable for securing IoT environment where more resource-constrained devices are interconnected, such as intelligent sensors, wireless sensor nodes, and e-healthcare devices.
4.3.3 Raw Public Key
In resource-constrained IoT devices, such as intelligent sensors or RFID tag, the certificate chains or even single certificate may be too big to process. Recently, the RPKs are recommended by IEFT instead of the certificates for TLS and DTLS. The RPK requires the out-of-band validation of the public key:
- Obtaining the public key via DNS-based authentication of named entities or authentication via DNS security extensions
- Predeployment of RPKs is beneficial in IoT-constrained devices which are configured before deployment with the public key of the back-end service.
The RPK contains the subject Public-Key Information of a certificate which carries the public key values and the algorithm identifier of the cryptographic algorithm used to generate it. RPKs allow for omitting large certificates from the handshake; however, it requires an out-of-band technique for the verification of the public key.
Read the entire chapter
Download the PDF of chapter four courtesy of Elsevier.
It should be noted that if an IoT gateway node supports the RPK certificates, it must support specific cipher suites such as TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (CoAP) and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. The end IoT nodes must support at least one of the above cipher suites. The client node uses the value of the "Public Key or Identify" resource for its RPK certificate to determine the expected value of the server's RPK and the value "Secret Key" resource for its private key. The client must check whether the RPK presented by the server exactly matches with the stored public key. The RPK mode is appropriate for IoT nodes deployments where there is an existing trust relationship between the client and server. The server must store its own private and public keys, and must have a stored copy of the expected client public key. The server must check that the RPK present by the IoT client exactly matches with the stored public key. In some application scenarios, such as smartcard, the RPK certificates provisioning needs no preexisting trust relationship between server and client. The preestablished trust relationship is simply between the server and the smartcards.
4.3.4 X.509 Certificates
X.509 is an important standard in cryptography, which is designed for a PKI to manage digital certificates and public-key encryption. The X.509 is a key part of the TLS and it is widely used in web, mobile, and email security. In X.509, an organization that needs a signed certificate requests one via a certificate signing request (CSR). To do this (1) they first generate a key pair, keeping the private key secret and using it to sign the CSR, which contains the public key that is used to verify the signature of the CSR and the distinguished name (DN) and (2) the certification authority issues a certificate binding a public key to particular DN.
The Firefox, Chrome, Safari, etc. come with a predetermined set of root certificates preinstalled, so SSL certificates from large vendors will work instantly. In effect the browsers' developer determine which CAs are trusted third parties for the browser's users (Fig. 4.5).
X.509 certificates are the dominating type of certificates and are consequently used in the certificate-based model of DTLS. In this section, we briefly address the concepts of X.509.
The X.509 certificates are encoded into Base64 which is a binary-to-text encoding scheme. The basic structure is:
Reprinted with permission from Elsevier/Syngress, Copyright © 2017
Dr. Shancang Li is a senior lecturer in the cyber security research unit, Department of Computer Science and Creative Technologies at University of the West of England, Bristol, UK. He previously worked as a lecturer at Edinburgh Napier University and a security researcher in cryptographic group at University of Bristol. In the past few years, Dr. Li conducted mobile/digital forensics research across a range of industries and technologies. His security background includes network penetration testing, wireless security, mobile security and digital forensics.
Dr. Li Da Xu is a professor and eminent scholar at Old Dominion University, Norfolk, Virginia, USA . He is an IEEE Fellow and an academician of Russian Academy of Engineering. Dr. Xu received his B.S. and M.S. degrees in Information Science from University of Science and Technology of China, and his Ph.D. in Systems Science from Portland State University. His areas of expertise include enterprise information systems, enterprise integration, business intelligence, database, data warehousing, data mining and intelligent systems.