HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF COMPUTER SCIENCE AND ENGINEERING
REPORT
CAPSTONE PROJECT
A FOG COMPUTING ARCHITECTURE INTEGRATING BLOCKCHAIN AND INTERNET OF THINGS FOR
Motivation
As we all know, Internet of Things (IoT) technology has emerged and grown rapidly in the last few years, and it is expected that the healthcare IoT market share will be around 39% of total IoT devices by 2025 [1]. This advancement will bring significant benefits to many sectors, including healthcare, by transforming the healthcare industry itself with the introduction of the Internet of Medical Things (IoMT) concept, where medical devices are interconnected in a way that anyone, anywhere, and anytime may have access to. The evolution and rise of IoMT can play a noteworthy role in improving the quality of life of ordinary people by enabling IoMT-based healthcare monitoring systems that provide personalized and user-centric healthcare services to patients and doctors in real time, overcoming constraints such as time and location. Some time-sensitive healthcare applications, such as Electrocardiogram (ECG) and Electroencephalogram (EEG) monitoring, require the constant evaluation of medical reports and Patient Health Data (PHD). All of this is possible with the use of healthcare IoT devices in medical agencies and industries. However, the number of IoT devices and their increasing use has generated a large volume and veracity of data traffic. Handling high IoT data traffic with the centralized features of cloud servers has become a major issue and concern. Currently, the IoT-Cloud system is facing many challenges, such as a single point of failure due to centralized operation, malicious attacks, privacy leakage, and the management of distributed IoT devices. Data transmission between healthcare IoT and the cloud requires trust, identification of devices, and authentication of users for network security and secure transmission of Patient Health Data.
For such reasons, fog computing, a decentralized computing infrastructure, has been implemented to process, compute, and store data, with applications located somewhere between the data source and the cloud, bringing the advantages and power of the cloud closer to where data is created and acted upon. Unfortunately, to the best of our knowledge, the wide range of different communication technologies (e.g., WLANs, Bluetooth, Zigbee) and types of IoMT devices (e.g., biosensors, actuators, wireless access points) in IoMT-based healthcare monitoring systems, as well as the fact that personal and confidential healthcare information (e.g., patient's details and vital signs) is transmitted between patients and healthcare providers through the internet, are factors that pose many security and privacy challenges.
Such numerous challenges cannot be solved by the implementation of fog computing alone. This in turn has increased the risks related to patient security and confidentiality. There will be a risk of patients' privacy exposure, data eavesdropping, ownership of medical health data, and location privacy. Intruders and hackers can now easily attack the IoT network by replicating the data and changing the identity of healthcare IoT devices.
In this context, blockchain technology, whose revenue for industrial applications will be 19.9 billion dollars by 2025 according to a report by Tractica, an intelligence firm, has been foreseen by the industry and research community as a disruptive technology that can be integrated into novel security solutions for IoT-fog networks. The implementation of a blockchain-based security solution will bring many benefits that will solve the problems of IoT-fog networks:
• Securing IoT devices: preventing IoT devices from being accessed by an unknown source that may alter data on the system or the data the devices sent.
• Resisting unauthorized access: tamper-proof transmission of medical as well as patient personal data.
• Attempting to solve the size and cost problem: presenting some possible solutions.
Objectives
The aim of the thesis is to propose a fog computing integrated blockchain model. The model focuses on building a feasible solution for the healthcare domain, possibly contributing to future research and implementations. In phase 1, this is achieved by:
- Identifying ways in which blockchain technology can support the fog computing paradigm to bring benefits superior to classical solutions such as Public Key Infrastructure.
- Identifying a simple and secure protocol between fog nodes to establish encryption and authentication keys.
- Proposing a common fog-chain architecture used in the Internet of Healthcare Things (IoHT) (or Internet of Medical Things (IoMT)) between different models.
Phase 2 will be implemented following the plan below:
- Identify a healthcare standard, guideline, or best practice to follow and use as a baseline for model implementation. System selection and add-ons will be decided with the aim of fitting said standard and guideline.
- Design a system architecture that would fit with the proposed plans and fulfill the requirements planned out, then implement said proposal.
- Continue to improve the models while comparing them to existing models and systems and make changes when needed, when newer and better additions could be made, or when it couldn’t meet the planned standards.
- Based on our model implementation, result, and comparisons, we will formulate a clear picture of what has been achieved, report on it and formulate plans for possible future works.
Scope
For the main objective, this thesis aims to integrate blockchain into the fog computing paradigm to provide security and privacy for users' data.
On the desired results, this thesis will provide a proof-of-concept showing that the fog-chain (fog computing integrating blockchain) protects user data privacy and, therefore, enhances the security of IoT architecture.
On the time to work, this thesis will consist of two main phases:
• First phase: Computer Engineering project with the span of 15 weeks.
• Second phase: Capstone Project with the span of 15 weeks.
Thesis Structure
Following the introduction, this paper consists of 7 chapters. The content of each chapter is stated below:
• Chapter 1: Introduction. Provides an overview of this thesis, addressing the security and privacy of fog computing paradigms in IoT models, and the need for a new security method.
• Chapter 2: Background Knowledge. This chapter provides basic concepts and principles that need to be ensured when it comes to proposing a model.
• Chapter 3: Related research. Based on the scope and the objectives in Chapter 1 and the theory in Chapter 2, related research will be analyzed and used as a reference for the proposed model.
• Chapter 4: Model proposing. This chapter shows a proposed model as a solution to tackle the security and privacy issues of fog computing integrating blockchain, focusing on healthcare matters.
• Chapter 5: Model implementation. Based on all research thus far, we will attempt to implement the models proposed in Chapter 4, in line with the standards that have been laid out. Changes could be made based on the feasibility of the system and challenges as they arise.
• Chapter 6: Evaluation and Results. We will attempt to draw comparisons between our current system and others, either existing standards or solutions, to determine the effectiveness of our design.
• Chapter 7: Conclusions. With all of the data we have collected thus far and our model implementation, we will draw some conclusions and make plans for future improvement of our models.
The structure of the whole thesis will be presented in the Capstone project.
Summary
The widespread adoption of the Internet of Things (IoT) has given rise to a complex and diverse landscape, presenting substantial security challenges. The IoT-cloud architecture is exposed to vulnerabilities that may lead to improper service behaviour as a consequence of data exposure, tampering, or loss. The connectivity between edge devices and cloud servers is especially susceptible to these attacks. To address these concerns, fog computing has been proposed as a strategy to ease the burden on the cloud layer. However, as a cloud extension situated closer to the edge, fog computing inherits security and privacy issues similar to traditional cloud environments.
In response to this contemporary technological landscape, the integration of fog computing and blockchain has emerged as a promising solution to enhance security and connectivity within the IoT infrastructure. This thesis addresses these innovations, exploring their potential to reduce existing security concerns and fortify the integrity of data transmission in the complex architecture of the Internet of Things. The paper examines the underlying principles of fog computing and blockchain, their relevance to IoT security, and the benefits of their integration. The discussion concludes by outlining future research trends in this area.
The main objectives of this thesis include ensuring security for data published by users to the internet in IoT architecture (as shown in Figure 1.1) and investigating the use case of the proposed model in specific applications. The scope of this project is a proof-of-concept (PoC) for the specific use case of protecting patients' data in the Internet of Healthcare Things (IoHT).
Figure 1.1: IoT with fog computing architecture
Chapter 2 covers the concepts and theory of fog computing, blockchain, and fog computing integrating blockchain, together with their security and privacy issues. From these, it identifies an architecture to address those problems and provide a solution to the industry.
Fog Computing
Over the years, computing paradigms have evolved from distributed, parallel and grid to cloud computing, which has led to the widespread use of cloud paradigms nowadays. The fundamental limitation is the connectivity between the cloud and edge devices for end users, which means cloud computing is not a suitable solution for latency-sensitive applications [2]. Examples such as connected vehicles, fire detection and firefighting, smart grid and content delivery can be viewed as such [3, 4, 5]. Furthermore, cloud-based applications are distributed in general and consist of multiple components [6]. This could worsen the latency due to the overhead induced by inter-cloud communications. Sometimes, cloud providers may have no data center [7].
In 2012, Cisco introduced the concept of fog computing to improve network infrastructure and counter those challenges. To put it simply, fog computing is "cloud closer to the ground". With fog, the processing of some application components (e.g., latency-sensitive ones) can take place at the edge of the network, while others (e.g., delay-tolerant tasks and computationally intensive components) can happen in the cloud. Fog computing acts as an extender to cloud computing in terms of computing, storage and networking services. Low latency in fog computing can be achieved due to its "close to ground" attribute: thanks to it, processes can take place at the network edge, close to end users or end devices, on fog nodes. Moreover, fog computing has the ability to enable processing at specific locations and to gather data generated by end users, using proxies, access points and routers as edge devices.
According to OpenFog, fog computing is "a horizontal, system-level architecture that distributes computing, storage, control and networking functions closer to the users along a cloud-to-thing continuum" [8].
• Very large number of nodes
• Support for on-line analytics and interplay with the Cloud
However, even though its role is to act as an intermediary between IoT devices and the cloud, it does not replace the cloud [9]. Because fog computing is a cloud computing extension, it inherits the same issues that cloud computing is facing [10]. The most notable issues are security and privacy [11]. Many attempts were made to mitigate those problems, but these solutions could not be applied to fog computing due to its limited resources and unique characteristics such as decentralized structure, mobility (changes of users and of the location of the fog node), and different providers of fog devices [12, 13, 14]. Hence, fog computing needs a better solution to overcome its security and privacy issues [11]. However, the decentralized nature of fog computing raises other issues related to scalability, because more and more IoT devices will be connected.
During the last few years, with the rise of blockchain, which offers secure solutions providing trust, accountability, traceability and integrity of data sharing to secure data in a distributed manner [15, 16, 17], a new solution to secure fogging was made: Fogchain. As the name implies, it is a model that unites fog computing and blockchain in one container at the fogging level. The figure below depicts FogChain's main innovation compared to the traditional approach [18].
Figure 2.1: Comparison of fogchain and fogging model
Blockchain
Proof of Work (PoW)
The dominant feature of the blockchain consensus algorithm was traditionally embodied in the concept of Proof of Work. The fundamental principle of this protocol involves requiring nodes to engage in solving a computationally demanding problem before they are eligible to propose a new block. The node that successfully solves this problem proceeds to mine the new block and disseminates the information to other nodes within the network. Verification of the block's accuracy by other nodes is straightforward, as it relies on the information contained within the block itself. This simplicity arises from the interdependence of hash values in the blockchain, where the hash of each new block is contingent upon all preceding hash values in the blockchain [20].
In the context of Bitcoin, a reward is granted to the initial node that successfully discovers a specific hash through the hashing process of certain information. The accurate hash, constituting a SHA-256 string, is formed by incorporating the block's transactions, the hash of the previous block, and the nonce. The nonce must be chosen so that the resulting hash has a specific number of leading zero bits. While two of the three parameters in the SHA-256 hash remain constant, the nonce, being the third parameter, is determined through a brute-force approach, as it represents the only known method for identifying the correct hash [21].
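The mining and verification steps described above, as an added example that is not part of the original thesis. It is a simplified model: the JSON serialization, the field names and the sample transactions are assumptions made for illustration, and a single SHA-256 over the three inputs stands in for Bitcoin's actual block header format.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: the first block has no predecessor


def block_hash(transactions, prev_hash, nonce):
    """SHA-256 over the three inputs named in the text: transactions, previous hash, nonce."""
    payload = json.dumps([transactions, prev_hash, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def leading_zero_bits(hex_digest):
    """Number of zero bits before the first 1 bit of a 256-bit digest."""
    return 256 - int(hex_digest, 16).bit_length()


def mine(transactions, prev_hash, difficulty_bits):
    """Brute-force the nonce, the only free input, until the hash meets the difficulty."""
    nonce = 0
    while True:
        digest = block_hash(transactions, prev_hash, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return {"tx": transactions, "prev": prev_hash, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(tx_batches, difficulty_bits):
    """Mine one block per batch, each block committing to the hash of the one before it."""
    chain, prev = [], GENESIS_PREV
    for batch in tx_batches:
        block = mine(batch, prev, difficulty_bits)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain, difficulty_bits):
    """Verification costs one hash per block. Returns the index of the first bad block, or None."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        digest = block_hash(block["tx"], block["prev"], block["nonce"])
        if (block["prev"] != prev or digest != block["hash"]
                or leading_zero_bits(digest) < difficulty_bits):
            return index
        prev = block["hash"]
    return None


# Constructed sample transactions (not real device data).
SAMPLE_BATCHES = [
    ["device-17 -> fog-A: hr=72", "device-03 -> fog-A: spo2=98"],
    ["device-17 -> fog-A: hr=75"],
    ["device-09 -> fog-B: temp=36.8"],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES, difficulty_bits=12)
    for block in chain:
        print(block["nonce"] + 1, "hashes tried ->", block["hash"][:16], "...")
    print("first invalid block:", first_invalid_block(chain, 12))
```

Editing a transaction in an early block changes that block's hash, so the edit is caught either at that block or, if the attacker re-mines it, at the next block whose `prev` field no longer matches.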
Proof of Stake (PoS)
The fundamental concept of this algorithm lies in the fact that participants or nodes possessing a greater stake in the blockchain can contribute blocks more frequently. Typically, for each anticipated new block, a block signer is randomly chosen from the list of participants based on their weight, which corresponds to the amount of stake they hold. Consequently, the computational effort required to mine a block is significantly reduced compared to PoW, thanks to the absence of the need for hash power [21].
In the proof-of-stake consensus mechanism, collaborative efforts among computers determine the node responsible for validating the subsequent block in a network. Members of the network possessing a specific stake in the cryptocurrency are chosen randomly to generate new blocks and authenticate novel transactions, subsequently receiving rewards for their contributions.
The likelihood of being selected to validate a block and receive transaction fees is proportionate to the magnitude of one's stake, reflecting the volume of the currency held in the respective wallet. Notably, individuals with a more substantial stake in the cryptocurrency enjoy elevated probabilities of being chosen for these validation tasks.
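Stake-weighted signer selection as described above, as an added example that is not part of the original thesis. The node names, stake values and the way the selection seed is derived from the previous block hash are assumptions chosen so that every node can recompute the same result; no specific blockchain's algorithm is being reproduced.

```python
import hashlib
from collections import Counter


def select_signer(stakes, prev_hash, height):
    """Pick the signer for one block with probability stake / total stake.

    The seed comes from public chain data, so every node derives the same
    signer without extra communication. A proposer able to influence
    prev_hash could bias such a seed; this sketch does not defend against that.
    """
    eligible = {name: stake for name, stake in stakes.items() if stake > 0}
    total = sum(eligible.values())
    if total == 0:
        raise ValueError("no stake in the validator set")
    seed = hashlib.sha256(f"{prev_hash}|{height}".encode()).digest()
    ticket = int.from_bytes(seed, "big") % total  # uniform in [0, total)
    running = 0
    for name in sorted(eligible):  # fixed order so all nodes agree
        running += eligible[name]
        if ticket < running:
            return name


def simulate(stakes, rounds):
    """Run the selection for consecutive blocks and count how often each node signs."""
    counts, prev_hash = Counter(), "genesis"
    for height in range(rounds):
        signer = select_signer(stakes, prev_hash, height)
        counts[signer] += 1
        prev_hash = hashlib.sha256(f"{prev_hash}|{signer}".encode()).hexdigest()
    return counts


def pool(stakes, members, pool_name):
    """Merge several small holders into one validator entry (a stake pool)."""
    merged = {name: stake for name, stake in stakes.items() if name not in members}
    merged[pool_name] = sum(stakes[m] for m in members)
    return merged


# Constructed validator set: stake units are arbitrary.
SAMPLE_STAKES = {"fog-A": 60, "fog-B": 30, "fog-C": 10, "fog-D": 0}

if __name__ == "__main__":
    rounds = 20000
    counts = simulate(SAMPLE_STAKES, rounds)
    total = sum(SAMPLE_STAKES.values())
    for name in sorted(SAMPLE_STAKES):
        print(f"{name}: stake share {SAMPLE_STAKES[name] / total:.2f}, "
              f"blocks signed {counts[name] / rounds:.3f}")
    pooled = pool(SAMPLE_STAKES, {"fog-B", "fog-C"}, "pool-BC")
    print("with pool:", dict(simulate(pooled, rounds)))
```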
The concept of proof of stake has evolved to encompass models enabling individuals with limited cryptocurrency holdings to consolidate their resources within stake pools, facilitating the collective earning of rewards. Additionally, alternate methodologies have emerged, enabling the equitable distribution of transaction fees among validators.
Despite its departure from the widely adopted proof-of-work method, proof of stake offers several pivotal advantages, prominently including expedited transaction processing, reduced financial overhead, and diminished energy consumption.
Security features of blockchain
The transaction within the blockchain incorporates digital signatures, and the current blockchain employs the ECDSA public key algorithm to generate these signatures. Generating a digital signature involves encrypting the message with the sender's private key. The utilization of digital signatures serves to authenticate and establish non-repudiation of the transaction originator. Upon receiving the generated digital signature, the recipient uses the public key of the sender to decrypt it and verify the sender's identity.
Additionally, security features are inherent in the block generation process. The blockchain, being a distributed database with no central server, prevents a single point of failure. The block generation process involves applying the SHA-256 hash function to both the recorded information and the nonce. This ensures that the validity of the block hash can be confirmed, thereby guaranteeing data integrity [22].
Public blockchain networks typically allow anyone to join and for participants to remain anonymous. A public blockchain uses internet-connected computers to validate transactions and achieve consensus. Bitcoin is probably the most well-known example of a public blockchain, and it achieves consensus through "bitcoin mining." Computers on the bitcoin network, or "miners," try to solve a complex cryptographic problem to create proof of work and thereby validate the transaction. Outside of public keys, there are few identity and access controls in this type of network.
Private blockchains use identity to confirm membership and access privileges and typically only permit known organizations to join. Together, the organizations form a private, members-only "business network." A private blockchain in a permissioned network achieves consensus through a process called "selective endorsement," where known users verify the transactions. Only members with special access and permissions can maintain the transaction ledger. This network type requires more identity and access controls.
Fogchain
In this section, we describe the desired proposed model called FogChain.
As the name suggests, FogChain comprehends the union of Fog computing and Blockchain technologies, which means we aim to have both co-existing, collaborating, and running in the same container at a Fog computing level.
Fog computing is by nature a decentralized network that sits very close to IoT devices while still communicating with cloud computing. All of these factors raise some concerns over security and make the integration of blockchain technology into cloud-fog-IoT networks a very alluring remedy for the problems. This integration plays a crucial role in enhancing the decentralized nature of fog-computing environments by ensuring security and transparency while improving overall operational efficiency. Despite the substantial advantages, a thorough approach that takes advantage of the advancement of technology in the coming years and tackles the specific requirements of diverse applications is crucial for realizing the full benefits of this integration.
The integration of blockchain with fog computing serves many purposes, from enhancing performance, security, and privacy to tackling the data management and scalability problems, while bringing some benefits of blockchain to fog computing, such as improved access control and trust in the network. The impact of blockchain on fog computing security and privacy is shown in Figure 2.3.
Figure 2.3: Benefit of Blockchain in Fog computing
What role can blockchain play in fog computing security and privacy?
Security
Data can be harmed by a variety of security risks. For instance, a collection of malicious Fog nodes and other devices may initiate botnet attacks that can fully collapse the provisioning of the IoT service [23]. A threat to permission and confidentiality is not only accessibility but also a central point of failure, as the service provider could be tampered with or misuse the data of the IoT user [24]. Furthermore, identity spoofing and traffic data analysis will lead to attacks that violate anonymity and integrity, including Byzantine attacks, modification attacks, and injection attacks [25]. Data manipulation and change of data can result in losses of varying severity [26]. Therefore, ensuring protection is of the utmost importance [27, 14, 28]. These purposes are discussed in the following sub-sections.
The use of Blockchain to implement encryption without relying on a third party has proven to be of great value to IoT and Fog Computing systems [29]. Blockchain can provide transactive networks such as Bitcoin with protection against multiple threats due to its in-built security, auditability, fault-tolerant architecture, and decentralized public key infrastructure [16]. Because a specific Blockchain address is possessed by each participant, the Blockchain-based approach is immune to false authentication [30, 31, 32]. Moreover, by enforcing transaction fees in public Blockchain (e.g., for sending, depositing, or withdrawing crypto, or as a reward for users that assist in the verification and validation of transactions), the Blockchain can prohibit malevolent users from launching Denial of Service (DoS) attacks [33, 34, 35, 36]. In other words, it makes large-scale attacks more costly to execute [36]. Therefore, Blockchain can provide a high level of security and privacy for transactions in the Fog Computing environment [37, 38,
Many studies have reported that Blockchain can enhance and support the security of Fog Computing in general, without specifically mentioning any particular field of security. Still, several new and innovative solutions have been proposed with various applications.
Tanweer Alam et al. [41] explore whether a middleware framework could improve the security of fog computing-IoT data transmission, leveraging the capabilities of the emerging blockchain technology. By designing and implementing an actual blockchain-based middleware layer in the Internet of Things architecture, [41] shows that it benefits security greatly while in some cases also improving the performance of the fog computing-IoT system [42]. It proves that Blockchain can play a significant role in the future of Internet of smart device networks.
Ashik et al. [39] study an Ethereum-based blockchain solution and how it could potentially be applied in a smart home application. The integration of Blockchain into the system has proven that it could help resist conventional attacks, forcing attackers to either spend more time and resources or pick a new target.
Most focus on the protection of data and the transfer link between each party, with the inherent security advantage of Blockchain greatly aiding the work. In the medical field specifically, where much sensitive and private patient data could be exposed to such attacks, Blockchain integration plays an important role.
When it comes to healthcare-related data, Shynu et al. [43] work on disease prediction models: health data collected by IoT is preprocessed by fog computing before storage in Blockchain or comparison with data in the Cloud. The Blockchain implementation protects the patient's private data while still leaving a backdoor channel through which vital data that can drastically affect the patient's health can be accessed by authorized medical workers.
Thomas et al. [44] discuss the vulnerability the current healthcare industry is facing, caught between needing to adapt to the growing technological infrastructure focused on IoT and smart devices that aid the treatment and monitoring processes, and the need to protect patient data from malicious actors. Blockchain is clearly the solution to these challenges; however, he also warns that Blockchain is not a silver bullet to be used in every situation, but must only be implemented through careful consideration.
Besides providing security, blockchain can also aid in fraud detection. With blockchain integrated into a fog computing network, fraudulent acts can be easily detected, as the nature of blockchain makes it hard for any single party to trick the system for long.
On the topic of healthcare, Sivasangari et al. [45] presented a Blockchain with Fog Computing integration design to identify security threats at the cloud layer, resulting in a reduction in IoT security attacks. The system embeds Blockchain on fog nodes and divides the IoT layer into two parts: the first is the normal IoT devices, the second is a layer called "Fog Gateway" which acts as a barrier to stop data from leaking in or out. Letting Blockchain handle the security functions of fog nodes for IoT applications has been shown to be effective and efficient in this deployment.
Confidentiality serves as the assurance that data is exclusively accessible to authorized users or nodes, safeguarding private and confidential information from comprehension by unauthorized entities [46]. This principle is integral to an organization's efforts to uphold the secrecy and privacy of data, entailing the control of information access to prevent unauthorized sharing, whether intentional or accidental. Effective management of confidentiality ensures that individuals lacking proper authorization are barred from accessing crucial business assets, while those requiring access are granted the necessary privileges.
For example, personnel engaged in an organization's financial activities may have access to spreadsheets, bank accounts, and pertinent financial information, while other employees and specific executives may not be granted such access. The enforcement of stringent restrictions is imperative to uphold these policies and regulate information visibility.
Confidentiality breaches can manifest in various forms, encompassing direct attacks targeting unauthorized systems, infiltrations of applications and databases for data theft or manipulation, and the use of techniques like man-in-the-middle attacks or network spying to intercept and manipulate data. Some attackers seek to escalate system privileges for enhanced access.
Not all confidentiality violations are intentional, as human error or inadequate security controls can contribute. Instances include the failure to protect passwords, sharing of credentials, or neglecting to encrypt communications, thereby enabling attackers to intercept information. Theft of hardware, such as computers or login devices, provides another avenue for unauthorized access.
Privacy
Messages including identity, location, and other personal data are used by many apps and services. As a result, maintaining one's privacy is critical. The rising demand for Fog Computing systems is creating a huge amount of sensitive data. This section discusses privacy-related purposes including privacy support, identification privacy, data privacy, and location privacy.
Similar to security, Blockchain contributes greatly to enhancing privacy within fog computing. It is critical that this data remains private, as the proximity of Fog Computing to IoT means it usually carries sensitive and personal data of the users. To do that, Fog Computing must accurately identify, authenticate, and verify the users, IoT devices, and sensors to prevent third parties from compromising the system's security and privacy. Several studies have reported that Blockchain can enhance the privacy of Fog Computing in general. For example, the use of Consortium Blockchain in conjunction with the Transport Layer Security Protocol (TLSP) maintains security and privacy while reducing the requirement for a third party [70].
Since Blockchain has a built-in mechanism for ensuring the integrity of the data stored within each block and on the whole chain, its integration into Fog Computing will ensure that the sensitive data cannot be altered or deleted. Data will also be protected against attacks from the outside through access control and authentication features: only trusted parties and participants can access data inside Blockchain, preventing leakage of private data.
Each device or node within the fog computing network has a unique identity recorded on the blockchain. This ensures that sensitive information associated with individual identities is securely stored and accessed only by authorized parties, reducing the risk of identity-related privacy breaches. By incorporating cryptography techniques within smart contracts, data exchanged between devices in the fog computing network can be securely encrypted.
This section discusses the privacy-related purposes including identification privacy, data privacy, and location privacy.
Identity privacy guarantees that the identity of a peer or node is hidden from the rest of the network. A BC-based identity management method integrating access control was developed by [209]. Self-certified cryptography is used to perform network entity authentication and registration.
To protect data privacy, we must ensure that only authorized nodes have access to the data. Another major challenge of FC is data privacy [71]. Accordingly, several studies have been conducted utilizing BC technology to improve FC data privacy as well. For instance, self-certified cryptography was deployed to realize the registration and authentication of network entities, together with Bloom filter-based access control mechanisms. To secure communication, a self-authenticated public key lightweight secret key agreement protocol was deployed. This combined mechanism ensures data authentication and confidentiality [72].
The third component of FC privacy that should be considered is location privacy. The location of nodes transmitting or receiving data must be known only by authorized nodes [73].
Data management
Another issue of Fog Computing is data management, due to the heterogeneity and distributed nature of the Internet of Things devices in the Fog Computing environment [12]. This section explains how Blockchain with Fog Computing integration may help to solve several data management problems, focusing on data management-related purposes including storage, sharing, and validation.
One of the main problems facing fog computing-blockchain integration is that while blockchain can take on the role of data storage, storing large quantities of data directly on the Blockchain results in a huge increase in size. And since previous transactions cannot easily be removed from a Blockchain's history, rising storage needs would soon transform a fog node acting as a peer of the Blockchain into a substantial cost issue, preventing nodes with low resources from participating [74].
To mitigate that problem, Cech et al. [75] aim to keep only the hash value of the data in the blockchain. With this, the system can give the same assurances while using far less storage, since a calculated hash value has a fixed length regardless of the amount of data. The real data can then be saved differently or elsewhere. Upon retrieval, the data's integrity may be checked by recalculating its hash value and comparing it.
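The hash-on-chain, data-off-chain pattern described above, as an added example that is not code from Cech et al. or from the thesis. The ledger is modelled as a hash-linked Python list and the off-chain store as a dictionary; the record identifiers, field names and sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import json

EMPTY_PREV = "0" * 64  # constructed placeholder for the first ledger entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(record_id, data_hash, prev):
    """Hash that links one ledger entry to the entry before it."""
    return sha256_hex(json.dumps([record_id, data_hash, prev]).encode())


def anchor(ledger, store, record_id, data):
    """Keep the payload off-chain and append only its fixed-length hash to the ledger."""
    store[record_id] = data
    prev = ledger[-1]["entry_hash"] if ledger else EMPTY_PREV
    data_hash = sha256_hex(data)
    entry = {"record_id": record_id, "data_hash": data_hash, "prev": prev,
             "entry_hash": entry_digest(record_id, data_hash, prev)}
    ledger.append(entry)
    return entry


def ledger_is_intact(ledger):
    """Recompute every link; an edited entry breaks its own hash or the next entry's prev."""
    prev = EMPTY_PREV
    for entry in ledger:
        expected = entry_digest(entry["record_id"], entry["data_hash"], entry["prev"])
        if entry["prev"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return True


def retrieve(ledger, store, record_id):
    """Return off-chain data only if its recomputed hash matches the latest anchored hash."""
    anchored = [e for e in ledger if e["record_id"] == record_id]
    if not anchored or record_id not in store:
        raise KeyError(record_id)
    data = store[record_id]
    if not hmac.compare_digest(sha256_hex(data), anchored[-1]["data_hash"]):
        raise ValueError(f"off-chain data for {record_id} does not match the anchored hash")
    return data


def on_chain_size(entry):
    """Bytes this entry occupies on the ledger, independent of payload size."""
    return len(json.dumps(entry).encode())


# Constructed sample payloads: a short reading and a 1 MiB waveform-sized blob.
SMALL_RECORD = b'{"patient":"P-001","hr":72}'
LARGE_RECORD = bytes(range(256)) * 4096

if __name__ == "__main__":
    ledger, store = [], {}
    small = anchor(ledger, store, "rec-small", SMALL_RECORD)
    large = anchor(ledger, store, "rec-large", LARGE_RECORD)
    print("payload bytes:", len(SMALL_RECORD), len(LARGE_RECORD))
    print("on-chain bytes:", on_chain_size(small), on_chain_size(large))
    store["rec-small"] = b'{"patient":"P-001","hr":40}'  # simulated off-chain tampering
    try:
        retrieve(ledger, store, "rec-small")
    except ValueError as err:
        print("detected:", err)
```

The hash proves integrity only: a bare hash of a short, guessable value can be matched by enumeration, so this pattern alone does not keep low-entropy records confidential.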
Scalability
If Fog Computing is used in conjunction with Blockchain, it poses scalability issues. The transaction efficiency in the Blockchain, which includes throughput and confirmation delay as important parameters, is far too low for Fog Computing [76]. In particular, it discusses several Blockchain-based solutions to reduce the scalability issues linked with implementing Proof-of-work-based Blockchain in Fog Computing. As a result, the suggested solutions rely on Proof-of-work with scalability augmentation techniques, such as Plasma and Software-Defined Networking approaches.
However, these are limited in terms of scalability and have significant power requirements. Other solutions used different consensus mechanisms while sacrificing security, privacy, or decentralization.
AES-256
Introduction to the AES-256 encryption algorithm
The AES-256 algorithm was created as a successor to the Data Encryption Standard (DES), which exhibited vulnerabilities to brute-force attacks. A cornerstone of modern cryptographic protocols, it is specified under the Rijndael algorithm. It operates as a symmetric block cipher, capable of processing data blocks of 128 bits, utilizing cipher keys with lengths of 256 bits.
AES-256 encryption is trusted by cryptography experts for its resilience and adaptability in safeguarding classified data and securing data transmission. To do this, the AES-256 encryption algorithm employs a 256-bit key length, facilitating robust encryption and decryption of message blocks. The encryption comprises 14 rounds of 256-bit keys; each encryption round involves a series of processing steps encompassing substitution, transposition, and mixing of plaintext to yield ciphertext. Such size makes it almost impervious to all attackers.
While it was first conceived to protect governmental data, it has since transcended to become an industry benchmark for information encryption. Its status as an open standard underscores its versatility, enabling widespread adoption across diverse sectors, including public, private, commercial, and non-commercial realms.
Notation and convention
In adherence to the AES standard, both the input and output sequences for the AES algorithm consist of 128-bit sequences of binary digits. These sequences, often denoted as blocks, are characterized by their length, which consistently remains at 128 bits.
Similarly, the Cipher Key utilized in the AES algorithm comprises a sequence of 256 bits. Any deviation from these specified lengths is deemed impermissible within the purview of this standard.
The bits within these sequences are systematically numbered, commencing from zero and concluding at one less than the sequence length, be it the block length or the key length. Each bit is assigned a unique index denoted by the symbol "i" falling within the range 0 ≤ i < 256, contingent upon the block length and key length as stipulated above.
The fundamental unit for processing within the AES algorithm is a byte, which constitutes a sequence of eight bits treated as a cohesive entity. The input, output, and Cipher Key bit sequences undergo processing as arrays of bytes. This transformation is achieved by partitioning the sequences into contiguous groups of eight bits, forming arrays of bytes.
For any input, output, or Cipher Key denoted by "a", the resultant array of bytes is referenced using one of two forms: $a_n$ or a[n]. Here, "n" denotes the index of the byte within the array, falling within specified ranges as follows:
All byte values in the AES algorithm will be presented as the concatenation of its individual bit values (0 or 1) between braces in the order b7, b6, b5, b4, b3, b2, b1, b0. These bytes are interpreted as finite field elements using a polynomial representation:
$$b_7x^7 + b_6x^6 + b_5x^5 + b_4x^4 + b_3x^3 + b_2x^2 + b_1x + b_0 = \sum_{i=0}^{7} b_i x^i$$
Finite field elements, such as 01100011, are commonly represented by binary notation, where each digit corresponds to a power of x in the polynomial expression. For brevity, hexadecimal notation is often used, with each group of four bits denoted by a single character. For instance, 01100011 is represented as 63, with the higher-order bits on the left.
In certain cases, finite field operations involve an additional bit (b8) to the left of an 8-bit byte. This extra bit, when present, appears as '01' preceding the 8-bit byte. For example, a 9-bit sequence is denoted as '011b'.
Arrays of bytes within the AES algorithm are structured in the following manner: $a_0, a_1, a_2, \ldots, a_{31}$
Each array "a" comprises bytes derived from the 256-bit input sequence, with each byte encompassing eight bits. The byte ordering within the array is established based on the arrangement of bits within the 256-bit input sequence, denoted as: $input_0, input_1, input_2, \ldots, input_{253}, input_{254}, input_{255}$
The first byte $a_0$ is formed by extracting bits $input_0$ through $input_7$ from the input sequence. Subsequent bytes $a_1$ through $a_{31}$ are constructed similarly, each encompassing a contiguous group of eight bits from the input sequence. This systematic allocation ensures a coherent representation of the input sequence within the array structure. And the general equation will be as follows:
$$a_n = \{input_{8n}, input_{8n+1}, input_{8n+2}, \ldots, input_{8n+7}\}$$
The AES algorithm conducts its operations on a two-dimensional array of bytes known as the State. Comprising four rows, each containing Nb bytes, where Nb represents the block length divided by 32, the State array, denoted by the symbol s, serves as the primary data structure for AES-256 transformations. Each byte within the State possesses two indices: a row number r in the range 0 ≤ r < 8 and a column number c in the range
During the initiation of the Cipher and Inverse Cipher operations, the input, represented by the array of bytes $in_0, in_1, \ldots, in_{31}$, is transposed into the State array, a process depicted in Fig. 3. Subsequent to the execution of Cipher or Inverse Cipher operations on this State array, its resulting configuration is then transferred to the output array as $out_0, out_1, \ldots, out_{31}$.
At the start of the Cipher or Inverse Cipher, the input array is copied directly into the State array according to the scheme:
$$s_{r,c} = in_{r+4c} \quad \text{for } 0 \le r < 4 \text{ and } 0 \le c < 8$$
The State array in the AES-256 algorithm is structured such that each column comprises 8 bytes, collectively forming 64-bit words. The row index r serves as an identifier for the 8 bytes within each word. The State can be conceptualized as a linear sequence of 64-bit words, denoted as $w_0, w_1, w_2, w_3$, with each word corresponding to a column in the State array. The column index c serves as a positional marker within this one-dimensional array, facilitating efficient access to individual words.
And upon the conclusion of the Cipher and Inverse Cipher operations, the State array is mapped onto the output array, according to the scheme:
$$out_{r+4c} = s_{r,c} \quad \text{for } 0 \le r < 4 \text{ and } 0 \le c < 8$$
Algorithm Specification
In the AES-256 algorithm, the input block, output block, and State each have a length of 256 bits, denoted by Nb = 4. This value reflects the number of 32-bit words (columns) present in the State array.
Additionally, the length of the Cipher Key, denoted as K, is 256 bits. This key length is represented by Nk = 8, indicating the number of 32-bit words (columns) in the Cipher Key.
The number of rounds to be executed during the AES-256 algorithm is fixed at Nr = 14, corresponding to Nk = 8.
The permissible combinations of Key-Block-Round are illustrated in Fig. 4, adhering to the standards outlined in this context. Implementation considerations regarding key length, block size, and the number of rounds are addressed accordingly.
Both the Cipher and Inverse Cipher in the AES-256 algorithm employ a round function consisting of four byte-oriented transformations: byte substitution using an S-box, row shifting within the State array, column data mixing, and Round Key addition. Detailed descriptions of these transformations and their inverses can be found in Sections 5.1.1 to 5.1.4 and 5.3.1 to 5.3.4.
The Cipher and Inverse Cipher procedures are elaborated upon in Sections 5.1 and 5.3, respectively, while the Key Schedule is delineated in Section 5.2.
At the commencement of the AES-256 Cipher, the input data undergoes a crucial step of copying into the State array, following the conventions outlined in Sec. 3.4. Subsequently, an initial Round Key addition primes the State for transformation, with the round function applied iteratively for 14 rounds, aligning with the extended key length.
Integral to this process is the key schedule, a vital component derived from a one-dimensional array of four-byte words, meticulously generated through the Key Expansion routine detailed in Sec. 5.2.
The Cipher operation itself is succinctly captured in the pseudocode provided in Fig. 5. This code outlines the series of transformations (SubBytes(), ShiftRows(), MixColumns(), and AddRoundKey()) that shape the State array during each round. Furthermore, the key schedule, denoted by the array w[ ], plays a pivotal role throughout this process and is further expounded upon in Sec. 5.2.
Fig. 5 illustrates the uniformity of the Cipher's iterative rounds, totaling 14 in all, save for the final round which excludes the MixColumns() transformation. This distinction underscores the nuanced nature of AES-256 encryption.
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
• AddRoundKey(): Transformation in the Cipher and Inverse Cipher in which a Round Key is added to the State using an XOR operation. The length of a Round Key equals the size of the State (i.e., for Nb = 4, the Round Key length equals 128 bits/16 bytes).
• MixColumns(): Transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns.
• ShiftRows(): Transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
• SubBytes(): Transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently.
The AES-256 algorithm undergoes a Key Expansion process to generate a comprehensive key schedule from the Cipher Key, K. This expansion generates a total of Nb(Nr + 1) words, where Nb denotes the block length and Nr represents the number of rounds. Initially, Nb words are required, with each of the subsequent Nr rounds necessitating Nb words of key data. The resulting key schedule forms a linear array of 4-byte words, denoted as [$w_i$], with i ranging from 0 to Nb(Nr + 1).
The expansion of the input key into the key schedule follows a structured approach outlined in the provided pseudocode (Fig. 11). The SubWord() function, as described in Section 5.1.1 and illustrated in Fig. 7, applies the S-box transformation to each byte within a four-byte input word to generate an output word. Similarly, the RotWord() function cyclically shifts the bytes within a word and returns the resulting word. Additionally, the round constant word array, Rcon[i], comprises values derived from powers of x (where x is denoted as 02) in the Galois Field $GF(2^8)$, as elaborated upon in Section 4.2.
The Key Expansion routine for AES-256 entails filling the initial Nk words of the expanded key with the Cipher Key. Subsequently, each following word, $w_i$, is computed as the XOR of the previous word, $w_{i-1}$, and the word located Nk positions earlier, $w_{i-Nk}$. For words positioned at multiples of Nk, a specific transformation is applied to $w_{i-1}$ before the XOR operation. This transformation comprises a cyclic byte shift (RotWord()) followed by a table lookup transformation (SubWord()) applied to all four bytes of the word.
It's noteworthy that for AES-256 with Nk = 8, if i-4 is a multiple of Nk, the SubWord() transformation is executed on $w_{i-1}$ before the XOR operation. This adaptation is integral to the nuanced Key Expansion process specific to AES-256.
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)
else if (Nk > 6 and i mod Nk = 4)
• RotWord(): Function used in the Key Expansion routine that takes a four-byte word and performs a cyclic permutation.
• SubWord(): Function used in the Key Expansion routine that takes a four-byte input word and applies an S-box to each of the four bytes to produce an output word.
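The Cipher and Key Expansion routines described above, written out as an added Python example (not the report's code, and not a production implementation). It assumes the FIPS 197 parameters for AES-256, Nb = 4 (a 16-byte block), Nk = 8 and Nr = 14, derives the S-box from its GF(2^8) definition instead of a literal table, and includes the extra SubWord() step taken when i mod Nk = 4.

```python
# Added example (not the report's code): AES-256 per FIPS 197; lookups are not constant-time.
NB, NK, NR = 4, 8, 14

def xtime(a):  # multiply by x ({02}) in GF(2^8), modulo x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):  # general GF(2^8) multiplication by shift-and-add
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return p

def build_sbox():  # S-box: multiplicative inverse, then the affine transformation
    sbox = []
    for v in range(256):
        inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)
        s = inv ^ 0x63
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF  # inv rotated left by n
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def key_expansion(key):
    """Expand the 32-byte Cipher Key into Nb*(Nr+1) = 60 four-byte words."""
    if len(key) != 4 * NK:
        raise ValueError("AES-256 needs a 32-byte key")
    w = [list(key[4 * i:4 * i + 4]) for i in range(NK)]
    rcon = 0x01
    for i in range(NK, NB * (NR + 1)):
        temp = list(w[i - 1])
        if i % NK == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubWord(RotWord(temp))
            temp[0] ^= rcon                                # xor with Rcon[i/Nk]
            rcon = xtime(rcon)
        elif i % NK == 4:                                  # extra SubWord() for Nk > 6
            temp = [SBOX[b] for b in temp]
        w.append([x ^ y for x, y in zip(w[i - NK], temp)])
    return w

# The State is kept column-major in a flat list: s[r,c] is state[r + 4*c].
def add_round_key(state, w, rnd):  # XOR in words w[rnd*Nb .. (rnd+1)*Nb - 1]
    return [state[4 * c + r] ^ w[rnd * NB + c][r] for c in range(4) for r in range(4)]

def shift_rows(state):  # row r is rotated left by r positions
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):  # each column times {03}x^3 + {01}x^2 + {01}x + {02}
    cols = [state[4 * c:4 * c + 4] for c in range(4)]
    return [xtime(a[r]) ^ xtime(a[(r + 1) % 4]) ^ a[(r + 1) % 4]
            ^ a[(r + 2) % 4] ^ a[(r + 3) % 4] for a in cols for r in range(4)]

def cipher(block, w):
    """Encrypt one 16-byte block with the key schedule w."""
    if len(block) != 4 * NB:
        raise ValueError("an AES block is 16 bytes")
    state = add_round_key(list(block), w, 0)
    for rnd in range(1, NR):
        state = mix_columns(shift_rows([SBOX[b] for b in state]))  # SubBytes() first
        state = add_round_key(state, w, rnd)
    state = shift_rows([SBOX[b] for b in state])  # final round: no MixColumns()
    return bytes(add_round_key(state, w, NR))
```

The FIPS 197 example vectors (key 00 01 ... 1f with plaintext 00 11 ... ff) are a convenient check that a key schedule handles the i mod Nk = 4 branch correctly.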
The AES algorithm allows for the straightforward creation of an Inverse Cipher by simply inverting and executing the Cipher transformations in reverse order. The individual transformations utilized in the Inverse Cipher (InvShiftRows(), InvSubBytes(), InvMixColumns(), and AddRoundKey()) are elaborated upon in subsequent subsections.
The Inverse Cipher operation is succinctly depicted in the provided pseudocode (Fig. 12). Similar to the Cipher operation, the key schedule denoted by the array w[ ] is utilized in the Inverse Cipher.
This approach ensures a seamless reversal of the encryption process, enabling the decryption of data encrypted using the AES algorithm.
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) // See Sec. 5.1.4
• AddRoundKey(): Transformation in the Cipher and Inverse Cipher in which a Round Key is added to the State using an XOR operation. The length of a Round Key equals the size of the State (i.e., for Nb = 4, the Round Key length equals 128 bits/16 bytes).
• InvMixColumns(): Transformation in the Inverse Cipher that is the inverse of MixColumns().
• InvShiftRows(): Transformation in the Inverse Cipher that is the inverse of ShiftRows().
• InvSubBytes(): Transformation in the Inverse Cipher that is the inverse of SubBytes().
Key issues with AES-256
• Key Length Requirements: An AES implementation must support the key length of 256 bits (meaning Nk = 8); this key length may cause problems with the computational time and resources needed.
• Key management: The AES system allows implementations to support two or all three key lengths, including 128 or 192 bits, to enhance interoperability. However, it is also important to note that the use of shorter key lengths, such as 128 or 192 bits, may potentially introduce security risks, since shorter key lengths are more susceptible to attack, compromising the system and bypassing AES-256.
• Key generation: AES 256-bit keys are essential for cryptographic security. If the end-user decides to take a shortcut, or if the process has been compromised, then this can turn into a major weakness.
• Data Leakage: Side-channel attacks, while rare, can happen, and if attackers exploit information leakage to understand encryption algorithms, they can take advantage of said information to enter the system.
• Improper Installation: There is a potential risk of related-key attacks compromising the system when AES-256 is improperly installed or improperly configured.
Building on the basic concepts stated above, this chapter addresses some fogchain architectures and their solutions for mitigating security and privacy issues with the use of blockchain.
3.1 Tiago M. Fernández-Caramés and Paula Fraga-Lamas model
Tiago et al. [77] propose a comprehensive architecture that leverages Ethereum blockchain for the storage of data acquired from Continuous Glucose Monitoring (CGM) sensors. This design is strategically implemented to ensure that the stored data is exclusively accessible to legitimate users, capitalizing on the inherent security features of the Ethereum blockchain.
Figure 3.1: Blockchain IoT Architecture in Healthcare
As illustrated in Figure 3.1, the operational dynamics of the system are straightforward. Following the placement of the sensor on the patient's arm, periodic readings are obtained by interfacing with a smartphone. These readings can be uploaded to either Nightscout or Ethereum, providing remote users with access to the crucial health data. Notably, if the readings surpass a pre-determined threshold, specified through a managing web application on the front-end, the system promptly triggers warnings to the patient or their designated caretakers.
Concerning the information stored in Ethereum, the accessibility varies based on the scenario. It may be available to remote users on the public Ethereum blockchain, or restricted to a chosen group of users operating an internal blockchain. In both instances, beyond merely storing relevant data, the Ethereum blockchain supports the execution of smart contracts coded in Solidity, adding programmable functionality to the system.
An important aspect highlighted in this model is the emphasis on data privacy ensured by the Ethereum blockchain, a distinction from the conventional server proposed using Django. This underscores the security advantages of employing blockchain technology in healthcare systems, particularly when dealing with sensitive medical data [77].
3.2 Laila Fetjah, Kebira Azbeg, Ouail Ouchetto and Said Jai Andaloussi model
Laila Fetjah et al. [78] propose a smart healthcare architecture using blockchain and fog computing in order to protect the privacy of patients' data. By combining a set of technologies, including IoT devices, Blockchain, FC and CC, the proposed architecture:
As the authors said, this architecture is HIPAA-compliant and could be compartmentalized into three layers:
This layer captures the patient's data, encrypts them, and sends them to be stored in the IPFS. A decentralized application (Dapp) is used to interact with the Blockchain in the next layer. With Dapp, one can interact with one's physician, grant and/or revoke access, add and/or delete devices while having total control over one's data and devices.
More specifically, a set of medical devices first acts to collect different health measurements such as blood pressure, glucose level, sleep patterns, heart rate and patient's weight, which are necessary to track one's health and wellness. Smart medical devices such as electronic wearable(s) and smart sensors are then employed to automatically capture one's health data and track one's physical activity prior to forwarding these data to one's smart-phone. The smart-phone will then encrypt the data before sending them to the IPFS for storage.
An intermediate layer sandwiched between medical devices and the cloud nodes, the fog layer comprises a set of interconnected nodes called fog nodes. These nodes are used to process data and provide real-time analysis to the patient. A Blockchain network assures the connection among these nodes and the analysis is assured by the smart contracts deployed in the Blockchain network.
Supporting a high computing capacity and distributed storage, this layer comprises a set of nodes connected to the previous layer by the same Blockchain network. All participating nodes belonging to hospitals, pharmacies, clinics and public health organizations in this layer will constitute a distributed cloud. Notably, these nodes are used as mining nodes for our Blockchain.
The cloud layer also provides the ability to physicians to follow their patients' health and supports other organizations with the ability to extract information for statistical and research purposes. Here, the linked entities can use AI to analyze and interpret patient data to suggest treatments, identify diseases or generate proactive predictions.
Moving on, according to this study, the role of the blockchain in the architecture can be listed as follows:
• Secure the data and preserve the data privacy;
• Handle access control for devices - each device owner in the Blockchain registers its presence; thus, all devices are already accounted for by the Blockchain - unknown devices will not be able to send data unless they also have an a priori registration;
• Handle access control for linked healthcare institutions;
• Store a link to data stored in the IPFS to protect data integrity and non-repudiation;
• Provide real-time analysis by hosting ML models in the Blockchain.