VIETNAM NATIONAL UNIVERSITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
-
PHAM DUC MINH CHAU
AUTHENTICATION PROTOCOL FOR RESOURCE CONSTRAINED DEVICES
IN THE INTERNET OF THINGS
Major: Computer Science
ID: 60480101
MASTER THESIS
Ho Chi Minh City, December 2019
THE WORK IS DONE AT HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY – VNU – HCM
Scientific supervisor: Assoc Prof Dang Tran Khanh
Reviewer 1: Dr Phan Trong Nhan
Reviewer 2: Assoc Prof Nguyen Tuan Dang
This master thesis was defended at Ho Chi Minh City University of Technology – VNU – HCM on 30th December 2019.
The master thesis assessment committee includes:
1. Assoc Prof Nguyen Thanh Binh
2. Dr Le Hong Trang
3. Dr Phan Trong Nhan
4. Assoc Prof Nguyen Tuan Dang
5. Assoc Prof Huynh Trung Hieu
Confirmation of the Chairman of the assessment committee and the Head of the specialized management department after the thesis has been corrected (if any):
CHAIRMAN OF ASSESSMENT COMMITTEE
HEAD OF FACULTY OF COMPUTER SCIENCE AND ENGINEERING
VNU – HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY
Student name: PHAM DUC MINH CHAU
Student ID: 1770316
Date of birth: 12-07-1994
Place of birth: Ho Chi Minh City
Major: Computer Science
Major ID: 60480101
I. THESIS TITLE: Authentication Protocol for Resource Constrained Devices in the Internet of Things
II. TASKS AND CONTENTS: Proposing an authentication protocol for resource-constrained devices in the Internet of Things which also offers privacy preservation
III. DATE OF THE THESIS ASSIGNMENT: 11/02/2019
IV. DATE OF THE THESIS COMPLETION: 08/12/2019
V. SUPERVISOR: Assoc Prof Dang Tran Khanh
Ho Chi Minh City, … December 2019
(Sign and full name)
I would like to express my gratitude to my supervisor Assoc Prof Dang Tran Khanh for the continuous support of my Master study and related research. I am thankful for his patience, advice and all the opportunities he has given me during the last two years.

I would like to thank my fellow master students and my co-workers at work for their help, cooperation and our friendships as well, which have encouraged and got me through certain difficult stages.

Last but not least, I would like to thank my friends and my families, my parents and my sister, for unconditionally supporting me throughout the course and life in general.

Pham Duc Minh Chau
Abstract

By utilizing the potential of Internet connectivity, the Internet of Things (IoT) is now becoming a popular trend in the technology industry. Its greatest benefit comes from highly heterogeneous interconnected devices and systems, covering every shape, size, and functionality. Being considered the future of the Internet, IoT development comes with urgent requirements for the provision of security and privacy as the number of deployed IoT devices rapidly increases. Among those, authenticity is the major requirement for the IoT. On the other hand, one of the most important features required for the IoT is support for resource-constrained devices. In fact, a large proportion of the devices involved in the IoT have low energy and computational capability. Therefore, proposed solutions requiring complex computations and high energy consumption cannot be applied to the IoT in practice.

In this thesis, I propose a mutual privacy-preserving authentication protocol based on elliptic curve cryptography (ECC) to achieve efficiency in resource consumption and protect the privacy of the devices involved. The proposed model is a holistic extension of previous related works, in which a distributed network architecture, as well as secure communication between devices, is enabled. The correctness of the proposed scheme is formally proved with BAN-logic. In addition, I provide an informal security analysis in which I present its resilience to different attacks. A performance analysis is also conducted in the scope of this thesis, which proves the efficiency in resource consumption of the proposed protocols compared to the base related scheme.
Tóm tắt luận văn (Thesis abstract)

By exploiting the potential of connecting devices through the Internet, the Internet of Things (IoT) is becoming a widespread development trend in the technology field. Its great benefit comes from the tight interconnection of devices and systems that are extremely diverse in type, shape, size and function. Regarded as the future of the Internet, the development of the IoT goes hand in hand with challenges as well as urgent requirements regarding the ability to provide security and privacy, as the number of IoT devices deployed in practice keeps increasing rapidly. Among these, authenticity is one of the foundational requirements for security in the IoT. Authentication is not a new problem, and many solutions have been proposed for it. However, we need to be aware that an important requirement for IoT solutions is support for devices with limited resources. In practice, a large proportion of devices in the IoT have low energy supply and computing capability. Therefore, proposed solutions that require overly complex computation and consume too much energy and resources cannot be applied in practice.

In this thesis, I propose a mutual authentication scheme with privacy protection based on elliptic curve cryptography (ECC) in order to achieve efficiency in resource consumption while at the same time protecting the privacy of the devices involved. The proposed model inherits and extends other related works, in which a distributed network architecture as well as secure communication between end devices are enabled. The correctness as well as the security of the proposed protocol are proved with BAN-logic. In addition, the thesis also includes an analysis of the solution's resilience against common types of security attacks in practice. An analysis of resource-consumption performance is carried out within the scope of the thesis to demonstrate the efficiency of the proposed protocol compared with the previous base model.
Declaration of authorship

I declare that the work presented herein is my own original work and has not been published or submitted elsewhere for any degree programme, diploma or other qualifications. Any literature, data or work done by others and cited within this thesis has been completely listed in the reference section.

Pham Duc Minh Chau
1.1 Overview 1
1.2 Major purposes of the thesis 2
1.3 Contributions 3
1.3.1 Scientific contributions 3
1.3.2 Practical contributions 4
1.4 Research scope 4
1.5 Thesis outline 5
2 Backgrounds 6
2.1 Internet of Things overview 6
2.1.1 IoT properties 7
2.1.2 Cloud computing with the IoT 8
2.1.3 Fog computing with the IoT 10
2.2 Public key cryptography 12
2.2.1 Public-key encryption 13
2.2.2 Public-key digital signature 14
2.3 Elliptic curve cryptography 15
2.4 BAN-logic 16
2.4.1 BAN-logic overview 16
2.4.2 Notations 17
2.4.3 Typical protocol goals 18
2.4.4 Protocol analysis with BAN-logic 20
3 Related works 21
3.1 Authentication protocol taxonomy 21
3.1.1 Symmetric key schemes 21
3.1.2 Asymmetric key schemes 22
3.2 Authentication using ECC 23
4 Proposed scheme 26
4.1 Network architecture 26
4.2 Security and privacy requirements 27
4.3 Authentication scheme 29
4.3.1 Registration phase 29
4.3.2 Subnetwork joining phase 30
4.3.3 D2D Authentication Phase 33
5 Security analysis 37
5.1 Formal analysis 37
5.1.1 Subnetwork joining authentication 37
5.1.2 D2D authentication 43
5.2 Informal analysis 47
5.2.1 Security properties 47
5.2.2 Resilience to attacks 49
6 Performance analysis 53
6.1 Computational cost 53
6.1.1 Computational energy cost 55
6.1.2 Processing time 58
6.2 Communication overhead 58
List of Figures
1.1 The global market of IoT devices estimations by years 2
1.2 The network architecture considered in the scope of this thesis 5
2.1 Different application domains of the Internet of Things [10] 7
2.2 A two-layered architecture in which End/IoT devices strongly depend on the Cloud 9
2.3 Three-Layer Architecture of Fog Computing [15] 10
2.4 Encryption/Decryption in Public-key cryptosystems 13
2.5 Using a Digital Signature to Validate Data Integrity 14
4.1 The network architecture for the proposed authentication protocol 27
4.2 The registration phase between a device and the trusted server through a secure channel of the proposed scheme 31
4.3 The authentication process when a device joins a subnetwork with the verification from the trusted server of the proposed scheme 34
4.4 The D2D authentication phase between two devices with the verification of their gateway of the proposed scheme 36
List of Tables
2.1 RSA and EC key sizes for equivalent security levels and corresponding bitlengths for EC parameter n and RSA modulus n [21] 15
4.1 Descriptions of the notations used in this thesis 30
5.1 Comparisons with previous schemes 52
6.1 Computational cost comparison between the proposed scheme and the base scheme 54
6.2 Summary of energy consumption per operation 56
6.3 Data length of values used in both the proposed scheme and the base scheme 57
6.4 Energy consumption comparisons 57
6.5 Processing time of devices in seconds 58
6.6 Transmission length of each entity in the proposed protocol and in the base scheme in the joining phase 59
List of acronyms
ECC Elliptic Curve Cryptography
TLS Transport Layer Security
DTLS Data Transport Layer Security
TCP Transmission Control Protocol
ECDH Elliptic-curve Diffie–Hellman
ECDHP Elliptic-curve Diffie–Hellman Problem
ECDLP Elliptic Curve Discrete Logarithm Problem
ECDDHP Elliptic-curve Decision Diffie–Hellman Problem
1.1 Overview

By utilizing the potential of Internet connectivity, the IoT is now becoming a popular trend in the technology industry. Its greatest benefit comes from highly heterogeneous interconnected devices and systems, covering every shape, size, and functionality. As shown in Figure 1.1, it is forecasted that around 75.4 billion devices will be connected to the Internet by 2025 [1]. These objects in the IoT are capable of communicating and interacting with each other to exchange their data, monitoring the surrounding environment and responding to changes in the system's environment. Such capabilities promise to totally change the human lifestyle, making it safer, more convenient and comfortable. This motivation has attracted and encouraged many researchers to participate in designing and inventing novel solutions and applications for the IoT.

Figure 1.1: The global market of IoT devices estimations by years.

IoT development also comes with urgent requirements for the provision of security and privacy as the number of deployed IoT devices rapidly increases. Gartner reports that 20% of organizations suffered at least one IoT security attack in the last three years [2]. Prior technology trends, e.g., cloud computing and big data, seem to have quite similar security requirements to the IoT. Nonetheless, the unique nature of the IoT introduces new security challenges which are much different from those of previous technology trends. For example, big data solutions are not required to deal with an uncontrolled environment and constrained resources, while cloud computing hardly deals with the mobility of devices and the physical accessibility of sensors [3].

The security requirements for IoT systems depend on their application domains. They include the needs for confidentiality, integrity, and authenticity. Among those, authenticity is the major requirement for the IoT [4]: it provides the proof that a connection is established with an authenticated entity. Authentication is an important factor in which each connected object's identity is required to be verified before it can securely communicate as well as access various IoT resources. Besides, privacy is considered to be one of the most dominant challenges in the IoT [5]. Highly interconnected objects in the IoT produce a huge amount of transmitted data. These data may contain different kinds of information directly involving users' daily lives through their devices, so that IoT applications can provide corresponding services. The involvement of users' behaviors, preferences as well as private data has raised concern about the risk of privacy leakage, which becomes a huge obstacle when putting IoT applications into use. For such reasons, effective and efficient authentication protocols and privacy-preserving techniques (like anonymity) to protect users' private information are essential to provide the security of every IoT system.
1.2 Major purposes of the thesis

With the provided overview of opportunities as well as security challenges in the IoT, this thesis aims to study an authentication protocol for resource-constrained devices in such systems. In detail, the main purposes of this thesis include:

• […] as its devices: The research needs to show the features that differentiate the IoT from other traditional systems, especially the resource constraints of devices.

• […] privacy-preserving: IoT systems have a massive number of devices connected and exchanging data with each other in an uncontrolled and untrusted environment. In addition, such devices may vary in their categories, size, shape and functionality. Hence, a common authentication protocol which provides secure communication needs to be something that can be used across the devices. Authentication protocols are supposed to guarantee that one entity connects to and transmits/receives data to/from legitimate devices. Moreover, authentication steps often carry the risk of exposing sensitive information of participants. Thus, the protocol studied in this research is also concerned with protecting participants' private information from being exposed during the authentication stages.

• […] devices: As previously stated, the limitation in resources of IoT devices is an important characteristic not to be ignored when studying solutions for IoT systems, because this decides their feasibility in practice. Therefore, the proposed solution needs to be suitable for resource-constrained devices.

• Evaluating the proposed protocol in terms of security and efficiency in resource consumption to assess its feasibility for resource-constrained devices.
1.3 Contributions

1.3.1 Scientific contributions

• […] cryptography.

• From an existing protocol that originally only supports authentication between devices and the cloud servers, this research extends and improves it so that it can provide secure communication for direct device-to-device connections, as well as enabling the distributed architecture which enhances the efficiency of resource consumption of edge devices.

1.3.2 Practical contributions

• This research contributes a new authentication solution that can be used for low-powered devices with limited computational capabilities, especially in the IoT environment.

• The research also raises and addresses not only the security but also the privacy aspects of devices in the IoT.
1.4 Research scope

In fact, the IoT has a very large context that includes many different kinds of systems. Therefore, in the scope of this thesis, I only focus on devices having resource constraints in the IoT. So from now on, any time a device is mentioned in this thesis, it refers to a low-powered one with very limited resources. The research also only focuses on one of the most popular distributed network architectures widely deployed in many IoT systems, described in Figure 1.2. The objects in this model are generalized into only three entities:

• Devices: Edge nodes with limited resources that account for the largest proportion of the systems. Devices can directly communicate with gateways and with each other.

• Gateways: The intermediary between devices and servers, each of which controls a subnetwork including a number of devices.

• Centralized servers: The central controller and storage of the whole system, which resides on clouds.

The advantage of this model is that all the complex computations and large-size data can be handled by gateways or servers, which lowers the burden on the end devices and helps them save their resources.

Figure 1.2: The network architecture considered in the scope of this thesis.
1.5 Thesis outline

The rest of the thesis is organized as follows:

• Chapter 2 […] and the cryptographic materials that will be used in later chapters.

• Chapter 3 […] field of authentication solutions.

• Chapter 4 […] resource-constrained IoT devices which also protects the private information.

• Chapter 5 presents the security analysis where I prove the correctness as well as the security of the newly proposed protocol.

• Chapter 6 is the performance analysis in which I will analyze the efficiency of resource consumption of the proposed protocol compared with the base scheme.

• […] contributions as well as proposes the future works.
Chapter 2
Backgrounds

2.1 Internet of Things overview

IoT refers to a set of technologies and scenarios which has no single formal definition yet. An understandable view of the IoT is as a network of everyday things connected via the Internet. “Things”, obviously the major part composing every IoT system, refers not only to one or two particular kinds of devices, but to all of those which can connect and communicate with each other. IoT devices can range from tiny ones such as sensors, actuators and RFID tags [6] to medium ones such as smartphones and kitchen appliances, and even large ones like backend or cloud servers: literally “anything” that includes the technological components to enable the Thing to connect to the Internet through a wired or wireless network. IoT users can be a human, or a machine, or a combination [7].

These “things” in the IoT are becoming more and more familiar in our daily activities. Single-function embedded devices have been developed into smart things, such as smartphones, laptops, coffee machines, refrigerators, Google Home, Apple watches, etc. In other words, any device can be integrated into the IoT by equipping it with an Internet connection and sensors. IoT devices collect environmental information of their surroundings and send it to some central data servers where it is processed, manipulated, transformed and used to perform multiple tasks [8]. In the end, governments, organizations, and individuals enjoy these benefits of the IoT. Applications of the IoT are available in many aspects of life thanks to its adoption by a wide range of industries [9], as shown in Figure 2.1.
Figure 2.1: Different application domains of the Internet of Things [10].

The most common examples of IoT applications in our daily lives are wearables (smartphones, smartwatches, health monitors, etc.) and smart homes, which improve entertainment, network connectivity and the quality of life by automatically adjusting customers' home environment or allowing them to control appliances and lights remotely. In agriculture, monitoring and management of micro-climate conditions with IoT technologies help to increase production; IoT devices can sense soil moisture and nutrients for better control of irrigation and fertilizer systems. IoT applications in healthcare via wearables let hospitals monitor their patients' health remotely and in real time, which can provide a timely response to emergencies like strokes or heart attacks. In manufacturing, a manufacturer can track a product from its start in the factory to its placement in the destination store by RFID and GPS technology; the gathered information can be used to calculate the traveling time, condition, and environmental conditions of a product. Especially in transportation, GPS is being utilized to plot faster and more efficient routes for vehicles, thus reducing moving and delivery times. Above are only a few of the many applications of the IoT in the real world, but enough to show its currently huge potential as well as its rapid development in the near future.
2.1.1 IoT properties

Unlike traditional systems such as enterprise applications, cloud computing or Big Data, IoT systems are uniquely identified by several properties. These properties also raise the challenges that we need to deal with when working in the field. Related IoT research [3] identified four distinguishing properties of the IoT in terms of security and privacy challenges, which are: the uncontrolled environment, the heterogeneity, the need for scalability and the resource constraints of IoT devices.

• Uncontrolled environment: […] the main fact that things can travel to unreliable surroundings, possibly without supervision. In other words, this property comprises three sub-properties, which are mobility, physical accessibility and trust.

  • Mobility: Connectivity in networks of IoT systems is not expected to be stable or always available.

  • Physical accessibility: More often than not, sensors in the IoT remain unprotected and can be publicly accessed by outsiders, e.g., traffic control cameras and weather sensors.

  • Trust: It is unlikely to achieve a priori trusted relationships for the huge number of devices and users. Therefore, it is essential to have mechanisms that automatically validate and manage the trust of things, services and users in IoT systems.

• Heterogeneity: The IoT has to integrate a wide range of devices from many different manufacturers, so their version compatibility and interoperability need to be guaranteed.

• Scalability: The vast amount of interconnected IoT things requires highly scalable protocols.

• Resource constraints: A large proportion of the devices involved in the IoT have low energy and computational capability. Therefore, proposed solutions requiring complex computations and high energy consumption cannot be applied to the IoT in practice.
2.1.2 Cloud computing with the IoT

The rapid development of the IoT generates a vast amount of data requiring massive computing power, resources, storage and bandwidth. However, the resource constraints of IoT devices, like small size, limited storage and low processing capacity, result in the lack of many important features such as scalability, reliability and efficiency that are required for IoT environments. Besides, the large amount of data has complicated the processing and computing load on devices and control systems, as well as putting heavy pressure on the network traffic and the Internet infrastructure. This is where cloud computing comes into play. The advancement of cloud computing gave enterprises virtually unlimited computing power and storage, which can address these issues for IoT systems. The integration of cloud computing and the IoT enables centralized data storage and management, powerful data processing capabilities, scalable resource allocation and rapid application deployment with minimal cost [11].

IoT architecture based on cloud computing often comprises two layers, as described in Figure 2.2. The top layer includes the centralized data storage, processing and control layer, which allows access to large-scale data from devices and objects in the bottom layer. The bottom layer has billions of IoT devices connected with each other and the cloud. The sensed data from the IoT devices are sent to a central server or a cloud by using communication infrastructure [4]. In other words, in this architecture devices completely depend on their cloud servers for any tasks such as computing, storing, accessing applications, guaranteeing security and so on. Any actions of nodes in the same networks are involved with the administration of their server. This model is widely applied in practice, especially in IoT systems, due to the fact that such systems have considerable diversity in their devices, with very different resource capabilities and other features. Thus, focusing on servers as the centralized management systems, without the need to pay too much attention to the device end's details, makes this model easier to employ and justify.

Figure 2.2: A two-layered architecture in which End/IoT devices strongly depend on the Cloud.

Although the benefits achieved when cloud computing is integrated into the IoT are attractive, this architecture nevertheless puts too much workload on the servers, as well as possibly breaking down the whole system when these servers become unavailable. It can severely suffer when attackers flood a huge number of physical objects into the network at an unexpected scale. Also, this centralization of resources largely separates IoT devices and the cloud, which results in an increase in the average network latency [12]. Furthermore, integration with cloud computing does not offer the ability for IoT devices and end-users to use delay-sensitive applications, such as smart traffic lights, because of communication delay.
2.1.3 Fog computing with the IoT

Fog computing, introduced by Cisco in 2012, is defined as “an extension of the cloud computing paradigm to the edge of the network that provides computation, storage, and networking services between end devices and traditional cloud servers” [13]. Fog computing provides an intermediary layer between the cloud infrastructure and its connected IoT devices, allowing it to analyze and process data closer to where it is coming from. The general architecture of fog computing is described in Figure 2.3, namely the Cloud-Fog-Device framework and the Fog-Device framework. This framework consists of three distinct layers: the device layer, the fog layer and the cloud layer. Because the fog layer is physically closer to the device layer, it provides more efficient connections between devices and analytics endpoints with lower latency. Overall, it can reduce the bandwidth needed compared to the scenario in which data have to be sent all the way back to a centralized center for storing and processing, as in traditional cloud computing systems. Communications between layers can be achieved with various wired communication technologies such as Ethernet and optical fiber, wireless ones like Bluetooth, ZigBee, LTE, etc., or both [14].

Figure 2.3: Three-Layer Architecture of Fog Computing [15].

The fog layer consists of network equipment such as routers, bridges, gateways, switches, base stations and local servers. These devices are distributed between the IoT devices and the cloud servers in the Cloud-Fog-Device framework. This layer has certain computing and storage power to reduce the processing load on resource-constrained IoT devices. The difference from traditional communications via the Internet, as in cloud computing, is that some low-range, real-time and latency-sensitive communication protocols can be applied for the connection between layers, especially between the fog and the IoT device layer. Compared with cloud computing, fog computing has five distinguishing features: location awareness, geographic distribution, low latency, support for large-scale IoT applications and decentralization [16].
∗ ∗ ∗
Above are the two most popular models of an IoT eco-system, in which all machines are directly connected to and controlled by centralized servers/gateways in the networks. These servers or gateways are often deployed with powerful storage and computing resources so that they can handle complicated processes and computations for their client nodes. The sensed data from the IoT devices are sent to a central server or a cloud by using communication infrastructure [17]. In other words, in this model client nodes completely depend on their servers for any tasks such as computing, storing, accessing the Internet and applications, guaranteeing security and so on. Any actions of nodes in the same networks are involved with the administration of their server. This model is widely applied in practice, especially in IoT systems, since such systems have considerable diversity in their devices, with very different resource capabilities and other features. Thus, focusing on servers as the centralized management systems, without the need to pay too much attention to the device end's details, makes this model easier to employ and justify. On the other hand, it nevertheless puts too much workload on the servers, as well as possibly breaking down the whole system when these servers become unavailable. This model can severely suffer when attackers flood a huge number of physical objects into the network at an unexpected scale.

To restrain the dependence on servers, scientists thought about Device-to-Device (D2D) communication [18, 19, 20]. Unlike Human-to-Human (H2H) communications, there is no human interaction in D2D. Hence, devices must be designed for self-establishing connections and authentications with others. There are two kinds of D2D: Standalone D2D and Network-Assisted D2D. These two structures differ by the existence of a helping infrastructure to organize communication and resource utilization. In Network-Assisted D2D, a gateway is required for the operation, and devices are connected by cellular networks. This requires high-capacity and energy-efficient mobile networks, which are not affordable in some countries and areas. In Standalone D2D, devices initiate requests for communicating with nearby devices by short-range connection mechanisms such as Bluetooth. One device sends signals to express its connection request to other devices. Consequently, devices need to authenticate not only with the servers but also among themselves. This will be useful in case there is no connection from devices to servers, e.g., a power blackout when the servers do not have a backup power resource. In this case, the IoT systems still work because most embedded devices have a battery within and will be unaffected by a local area power outage. So, they can continue their connections with others without interruption. As a result, one device needs to verify by itself that it is connecting to legitimate devices, without servers. The list of things in the network system then has to be stored and well managed by each node, which will be a problem for small devices. Because most smart devices are designed for specific tasks, they have very limited resources in terms of memory, energy and CPU, which means they cannot run complex algorithms for registration or authentication, or store too much data.

It is clear that authentications in the two models above each have many advantages and also weaknesses, raising the motivation to find a better way to retain their good characteristics while avoiding their outages.
2.2 Public key cryptography

Cryptography aims to provide authentication and privacy of communication between two entities, which can be achieved by the popular adoption of symmetric cryptography. However, the requirement of having a shared key, securely exchanged beforehand for each pair of communicating entities, makes this type of cryptography inconvenient for some applications. Such inconvenience also comes from the difficulty of obtaining signatures with non-repudiation. For those reasons, Merkle, Diffie and Hellman in the mid-1970s proposed the idea of public-key cryptography, also called asymmetric cryptography. This scheme involves a pair of private and public keys such that the problem of deriving the private key from its corresponding public key is equivalent to solving a computational problem that is considered to be intractable [21]. Intractable number-theoretic problems used to guarantee the security of popular public-key schemes are:

• The integer factorization problem, which is used by the RSA public-key encryption and signature schemes.

• The discrete logarithm problem, which is used by the ElGamal public-key encryption and signature schemes and their variants, e.g., DSA.

• The elliptic curve discrete logarithm problem, which is used by all elliptic curve cryptographic schemes.
2.2.1 Public-key encryption

With public-key encryption, each entity's public key is published and its corresponding private key is kept secret. Data that are encrypted with the public key can only be decrypted with its private key, as shown in Figure 2.4. As we can see, this scheme allows anyone with the public key to encrypt data, and only the person who owns the corresponding private key can decrypt and read the content of the original data. Public-key encryption nevertheless requires more processing than symmetric-key encryption, thus it may not be suitable for encrypting a large amount of data. One approach to address this weakness is to use the public-key scheme to encrypt and send symmetric keys only. These symmetric keys can later be used to encrypt the actual exchanged data. This approach is used by the SSL/TLS protocols.

Figure 2.4: Encryption/Decryption in Public-key cryptosystems.

Compared with symmetric-key encryption, public-key encryption requires more processing and may not be feasible for encrypting and decrypting large amounts of data. However, it is possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL/TLS protocols.
2.2.2 Public-key digital signature
A public-key scheme also allows encrypting data with a private key and using the corresponding public key to decrypt those data. This is a technique for digitally signing data. Instead of encrypting the data itself, this technique creates a one-way hash of the data and then uses the private key to encrypt the hash. The encrypted hash, along with other information such as the hashing algorithm, is known as a digital signature [22].
Figure 2.5: Using a Digital Signature to Validate Data Integrity
Figure 2.5 describes the use of a digital signature to validate data integrity. The original data along with its signature are transferred from a sender to a recipient. The digital signature is generated by first creating a one-way hash of the original data; after that, this hash is encrypted using the sender's private key. When the recipient receives these two items (the original data and its digital signature), he/she validates the data integrity by decrypting the digital signature with the public key of the claimed sender and then applying the same one-way hash algorithm to the received data. If the two hashes are identical, the validity of the data is confirmed.
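The two uses of a key pair described in Sections 2.2.1 and 2.2.2 (wrapping a symmetric key with the public key, and hash-then-sign with the private key) are worked through below in an added Python example. This is not code from the thesis: the RSA parameters (two primes just above 10^6, e = 65537), the counter-mode keystream, the session key and the sample message are all constructed for illustration, and the modulus is far too small to be secure.

```python
import hashlib
import math

# Toy textbook RSA parameters (constructed; ~40-bit modulus, no padding, not secure).
P, Q = 1000003, 1000033
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def keystream(key_int: int, length: int) -> bytes:
    """Derive a byte stream from the symmetric key (toy SHA-256 counter construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key_int.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def hybrid_encrypt(plaintext: bytes, public_key, session_key: int):
    """Encrypt only the session key with RSA; the bulk data goes under the symmetric key."""
    n, e = public_key
    if not 1 < session_key < n:
        raise ValueError("session key must be an integer in (1, n)")
    wrapped_key = pow(session_key, e, n)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(session_key, len(plaintext))))
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, private_key) -> bytes:
    """Recover the session key with the private key, then undo the symmetric encryption."""
    n, d = private_key
    session_key = pow(wrapped_key, d, n)
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(session_key, len(ciphertext))))


def digest_mod_n(data: bytes, n: int) -> int:
    """One-way hash of the data, reduced so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Hash-then-sign: the private-key operation is applied to the hash, not to the data."""
    n, d = private_key
    return pow(digest_mod_n(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash of the data."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


def demo():
    """Round trip of both mechanisms on a constructed sensor message."""
    message = b"sensor-42: temperature=21.5C"          # constructed sample data
    wrapped, ct = hybrid_encrypt(message, PUBLIC_KEY, session_key=0x2A7F19C3)
    recovered = hybrid_decrypt(wrapped, ct, PRIVATE_KEY)
    sig = sign(message, PRIVATE_KEY)
    return recovered, verify(message, sig, PUBLIC_KEY), verify(message + b"!", sig, PUBLIC_KEY)
```

The third value returned by demo() shows the integrity check of Figure 2.5 in action: a single appended byte changes the hash, so the recovered hash no longer matches and verification fails.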
2.3 Elliptic curve cryptography
Elliptic curves (EC) were independently introduced to design public-key cryptographic systems by Miller (1986) [23] and Koblitz (1987) [24]. Compared to the other widely used public-key scheme, RSA, EC uses a smaller key size at a given security level. Table 2.1 compares the running time of the two schemes at 80-, 112-, 128-, and 256-bit security levels respectively. This parameter represents the amount of work required to perform an exhaustive key search of the corresponding size on the SKIPJACK, Triple-DES, AES-Small, AES-Medium, and AES-Large symmetric encryption algorithms. In other words, with the same key size, EC cryptosystems are harder to break, i.e. they give a higher security level than RSA systems. Besides, the advantages gained from this measurement include faster computations and smaller keys and certificates, from which it can be derived that ECC is more suitable for resource-constrained environments (e.g. limited processing power, bandwidth, storage, power consumption, etc.).
Table 2.1: RSA and EC key sizes for equivalent security levels and corresponding bit lengths for EC parameter n and RSA modulus n [21]
Security level (bits)    EC parameter n    RSA modulus n
on an EC E defined over a finite prime field Fq. The security of all ECC protocols is based on the hardness of the EC discrete logarithm and other related problems: the elliptic curve Diffie-Hellman problem and the elliptic curve decision Diffie-Hellman problem.
Definition 1. The elliptic curve discrete logarithm problem (ECDLP) is: Given an elliptic curve E defined over a finite field Fq, a point P ∈ E(Fq) of order n, and a point Q ∈ E, it is computationally hard to find the integer l ∈ [0, n − 1] such that Q = lP. The integer l is called the discrete logarithm of Q to the base P, denoted l = log_P Q.
Definition 2. The elliptic curve Diffie-Hellman problem (ECDHP) is: Given an elliptic curve E defined over a finite field Fq, a point P ∈ E(Fq) of order n, and points A = aP, B = bP ∈ E, it is computationally hard to find the point C = abP.
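To make Definitions 1 and 2 concrete, the following added Python example (not from the thesis) implements the group law on a tiny textbook curve, y^2 = x^3 + 2x + 2 over F_17, whose group has prime order 19 and is generated by P = (5, 1). The curve, the generator and the secret scalars are constructed for illustration only; on a curve this small the ECDLP can be solved by exhaustive search, which is exactly why the example can show both the Diffie-Hellman agreement and the brute-force attack that real parameter sizes rule out.

```python
# Toy curve E: y^2 = x^3 + a*x + b over F_q with q = 17 (constructed example).
# None stands for the point at infinity O; points are (x, y) tuples.
q, a, b = 17, 2, 2
P = (5, 1)          # generator of E(F_17), which has prime order 19
ORDER = 19


def on_curve(pt):
    """True if pt is O or satisfies the curve equation modulo q."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % q == 0


def add(p1, p2):
    """Group law on E(F_q), including the identity and inverse cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % q == 0:
        return None                                        # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q          # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % q
    y3 = (lam * (x1 - x3) - y1) % q
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: computes kP with O(log k) group operations."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(my_secret, their_public):
    """ECDHP instance: from aP and bP, only a holder of a or b can form abP."""
    return scalar_mult(my_secret, their_public)


def brute_force_dlog(Q, base=P, order=ORDER):
    """Solve the ECDLP by exhaustive search (feasible only because the group has 19 elements).
    Returns l with Q = l*base, or None if Q is not a multiple of base."""
    current = None
    for l in range(order):
        if current == Q:
            return l
        current = add(current, base)
    return None
```

With secrets 3 and 5, both sides arrive at the same point 15P = (3, 16); the brute-force search then recovers each secret from its public point in at most 19 steps, a loop that becomes infeasible once n is a 256-bit prime.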
Definition 3. The elliptic curve decision Diffie-Hellman problem (ECDDHP) is: Given an elliptic curve E defined over a finite field Fq, a point P ∈ E(Fq) of order n, and
• Correctness: The logic of authentication can provide the proof of whether a protocol meets its security goals or not.
• Efficiency: The logic of authentication can improve the efficiency of a protocol by eliminating redundant messages which do not contribute to the achievement of the security goals.
• Applicability: The logic of authentication provides formal clarifications of a protocol's assumptions in order to judge its applicability in practice.
BAN logic aims to answer the following questions:
• What conclusions does this protocol achieve?
• Which assumptions are needed for this protocol?
• Does this protocol have unnecessary actions, which can be left out without weakening the security?
• Can anything be sent in plain (without being encrypted) while still not weakening the security?
BAN logic makes it possible to reason over cryptographic protocols in a simple and formal way. It can be used in the design of a cryptographic protocol because the use of a formal language in the design process can exclude faults.
2.4.2 Notations
• P |≡ X: P believes that X holds.
• P ◁ X: P sees the formula X.
• P ⇒ X: P has jurisdiction over X, which means P has complete control over the formula X.
• P |∼ X: P once said X. The principal P at some time sent a message including the statement X.
• #(X): The formula X is fresh, that is, X has not been sent in a message at any time before the current run of the protocol.
• P ←K→ Q: P and Q share a secret key K. P and Q can use K to communicate with each other and it is only known to them.
• ↦K P: P has K as a public key. The corresponding secret key (the inverse of K, denoted K^−1) will never be discovered by any other principal.
• P ⇌X Q: The formula X is a secret known only to P and Q, and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another.
• {X}_K: Encryption of X with key K.
• ⟨X⟩_Y: This represents X combined with the formula Y; it is intended that Y be a secret, and that its presence prove the identity of whoever utters ⟨X⟩_Y.
2.4.3 Typical protocol goals
A protocol that establishes a session key k for A and B typically has the goal that at the end of a successful run it can be proved that:
• The belief rules:
2.4.4 Protocol analysis with BAN-logic
There are three main stages to the analysis of a protocol using BAN logic:
• Step 1: The first step is to express the assumptions and goals as formulas (also known as statements) in symbolic notation, so that the logic can proceed from a known state and ascertain whether the goals are in fact reached.
• Step 2: The second stage is to transform the protocol steps also into formulas in symbolic notation.
• Step 3: Lastly, a set of deduction rules called postulates is applied. The postulates should lead from the assumptions, via intermediate formulas, to the authentication goals.
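The three stages above can be mechanized. The following added Python example (not part of the thesis) encodes the notation of Section 2.4.2 as nested tuples and applies the standard BAN postulates (message meaning for shared keys, nonce verification, jurisdiction, and the rules for seeing and believing the parts of a concatenation) until no new formula appears. The protocol analysed, a single message S → A : {Na, A ←Kab→ B}_Kas, together with its assumptions and goals, is constructed for this illustration.

```python
"""Tiny forward-chaining BAN-logic checker (added illustration). Formulas are tuples:
  ('believes', P, X)      P |≡ X
  ('sees', P, X)          P ◁ X
  ('said', P, X)          P |∼ X
  ('fresh', X)            #(X)
  ('sharedkey', P, Q, K)  P ←K→ Q   (symmetric in P and Q)
  ('jurisdiction', P, X)  P ⇒ X
  ('enc', X, K)           {X}_K
  ('and', X, Y)           the concatenation (X, Y)
"""


def shared_key_partners(kb, P, K):
    """Principals Q such that P |≡ P ←K→ Q (either orientation) is in the knowledge base."""
    partners = set()
    for f in kb:
        if f[0] == 'believes' and f[1] == P and f[2][0] == 'sharedkey':
            _, X, Y, key = f[2]
            if key == K and P in (X, Y):
                partners.add(Y if X == P else X)
    return partners


def subformulas(f):
    """Every tuple nested inside a formula (used to locate concatenations)."""
    if isinstance(f, tuple):
        yield f
        for part in f[1:]:
            yield from subformulas(part)


def apply_postulates(kb):
    """One round of the postulates; returns only the formulas not already in kb."""
    new = set()
    for f in kb:
        if f[0] == 'sees' and f[2][0] == 'and':          # P ◁ (X, Y)  gives  P ◁ X and P ◁ Y
            new.add(('sees', f[1], f[2][1]))
            new.add(('sees', f[1], f[2][2]))
        if f[0] == 'sees' and f[2][0] == 'enc':          # message meaning (shared key) and decryption
            _, P, (_, X, K) = f
            for Q in shared_key_partners(kb, P, K):
                new.add(('believes', P, ('said', Q, X)))
                new.add(('sees', P, X))
        if f[0] == 'believes':
            P, X = f[1], f[2]
            if X[0] == 'said':                           # nonce verification
                _, Q, M = X
                if ('believes', P, ('fresh', M)) in kb:
                    new.add(('believes', P, ('believes', Q, M)))
            if X[0] == 'believes':                       # jurisdiction; belief in parts of (X, Y)
                _, Q, M = X
                if ('believes', P, ('jurisdiction', Q, M)) in kb:
                    new.add(('believes', P, M))
                if M[0] == 'and':
                    new.add(('believes', P, ('believes', Q, M[1])))
                    new.add(('believes', P, ('believes', Q, M[2])))
            if X[0] == 'fresh':                          # #(X) gives #((X, Y)) for concatenations in kb
                for g in kb:
                    for s in subformulas(g):
                        if s[0] == 'and' and X[1] in (s[1], s[2]):
                            new.add(('believes', P, ('fresh', s)))
    return new - kb


def analyse(assumptions, idealized_messages, goals):
    """Steps 1-3: start from assumptions and idealized messages, iterate the postulates
    to a fixpoint, and report which goals are reached."""
    kb = set(assumptions) | set(idealized_messages)
    while True:
        derived = apply_postulates(kb)
        if not derived:
            break
        kb |= derived
    return {g: g in kb for g in goals}


# Constructed example: server S distributes a session key to A in one message
#   S -> A : {Na, A ←Kab→ B}_Kas
KEY_AB = ('sharedkey', 'A', 'B', 'Kab')
ASSUMPTIONS = {
    ('believes', 'A', ('sharedkey', 'A', 'S', 'Kas')),   # A |≡ A ←Kas→ S
    ('believes', 'A', ('fresh', 'Na')),                   # A |≡ #(Na)
    ('believes', 'A', ('jurisdiction', 'S', KEY_AB)),     # A |≡ S ⇒ A ←Kab→ B
}
MESSAGES = {('sees', 'A', ('enc', ('and', 'Na', KEY_AB), 'Kas'))}
GOAL_KEY = ('believes', 'A', KEY_AB)                            # A |≡ A ←Kab→ B
GOAL_B_KNOWS = ('believes', 'A', ('believes', 'B', KEY_AB))     # not derivable from one message


def run_example():
    return analyse(ASSUMPTIONS, MESSAGES, [GOAL_KEY, GOAL_B_KNOWS])
```

Removing the freshness assumption A |≡ #(Na) makes the key goal unreachable, which is how the logic surfaces a replay weakness: without a fresh nonce, A can conclude that S once said the key but not that S currently believes in it.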
Chapter 3
Related works
Authentication, one of the security aspects that protect a system from possible attacks, plays an important role in every system. This process allows only legitimate entities to access a system and its resources, or creates secure communications between objects to avoid data leakage. As this is an essential process, the last few years have witnessed many authentication schemes proposed for the constrained environment of the IoT. Proposing an authentication protocol means suggesting a way in which we can first verify whether an object has the right to connect and communicate with one or more other objects in the same system, and then establish secure channels between them so that they can talk to each other without worrying about their partners' identities. Solutions for the above goals can be categorized into two main groups: those using asymmetric cryptosystems and those using symmetric schemes [26].
3.1.1 Symmetric key schemes
Solutions in the second group are based on symmetric cryptographic schemes in which the protocols aim to securely distribute the symmetric keys, i.e. secret keys, to the whole system. Those keys will be used for encrypting and decrypting later communications. The main challenges for such solutions are how these keys can be generated and safely distributed to target objects without being stolen by any hackers attacking these processes. The mechanism of random key pre-distribution was proposed by the authors in [27]. In this scheme, a large pool of keys is first generated. After that, keys are randomly selected and distributed to device nodes, so any two nodes share some key pair with a certain probability. Therefore, this scheme does not guarantee that there is always a pairwise key between all devices. If there is unfortunately none, they will use the secure channel established before to exchange the key. In detail, one device will generate a random key and send it via the channel to the other one. Many protocols inspired by this scheme have been proposed [28][29][30]. In other approaches, symmetric keys can be distributed for each pair of nodes using an offline key distribution mechanism [31] or via the support of an intermediate trusted server.
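The random key pre-distribution scheme just described is worked through in the following added Python example (not code from the thesis or from [27]). Pool size, ring size, the 128-bit key values and the seed are constructed; the function shared_key_probability() evaluates the standard expression for the chance that two random key rings intersect, 1 − C(|P|−k, k)/C(|P|, k), and simulate() checks it against randomly loaded node pairs.

```python
import random
from math import comb

POOL_SIZE = 1000      # |P|: size of the key pool generated offline (constructed parameter)
RING_SIZE = 50        # k: keys loaded into each node before deployment (constructed parameter)


def generate_pool(size, rng):
    """Key pool: key identifier -> 128-bit key. Identifiers let two nodes discover a
    common key by exchanging id lists instead of the keys themselves."""
    return {kid: rng.getrandbits(128) for kid in range(size)}


def load_ring(pool, ring_size, rng):
    """Each node receives a random subset of the pool (its key ring)."""
    kids = rng.sample(sorted(pool), ring_size)
    return {kid: pool[kid] for kid in kids}


def find_shared_key(ring_a, ring_b):
    """Shared-key discovery: the smallest common identifier and its key,
    or None when the pair has no common key and must fall back to another path."""
    common = sorted(set(ring_a) & set(ring_b))
    return (common[0], ring_a[common[0]]) if common else None


def shared_key_probability(pool_size, ring_size):
    """Probability that two random rings of size k from a pool of size P intersect:
    1 - C(P-k, k) / C(P, k)."""
    return 1 - comb(pool_size - ring_size, ring_size) / comb(pool_size, ring_size)


def simulate(pool_size=POOL_SIZE, ring_size=RING_SIZE, pairs=2000, seed=1):
    """Fraction of simulated node pairs that end up with at least one common key."""
    rng = random.Random(seed)   # fixed seed: deterministic illustration, not a secure RNG
    pool = generate_pool(pool_size, rng)
    hits = 0
    for _ in range(pairs):
        ring_a = load_ring(pool, ring_size, rng)
        ring_b = load_ring(pool, ring_size, rng)
        if find_shared_key(ring_a, ring_b) is not None:
            hits += 1
    return hits / pairs
```

With a pool of 1000 keys and rings of 50, roughly 93% of pairs find a common key directly; the remaining pairs are the ones that, as the text notes, have to obtain a pairwise key through an already secured path instead. Larger rings raise the probability but also raise the storage cost per device and the number of pool keys exposed if one device is compromised.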
3.1.2 Asymmetric key schemes
This is a very common approach for proposing authentication schemes based on Public Key Cryptography [32] to establish secure communication between two or more parties. Public Key Cryptography has been extensively used and deployed, especially in the context of the Internet. Most of the schemes in this group can be classified into two categories: key transportation based on public key encryption and key agreement based on asymmetric techniques.
Transport Layer Security (TLS) [33] is a popular standard protocol in which digital certificates of websites are distributed to their clients as public keys in order to verify the identities of servers and secure the subsequent communications. However, TLS is not suitable for IoT because of its strict underlying TCP transport protocol, which is not a good choice for limited-resource devices. To deal with the above issue of TLS, another transport protocol, Datagram Transport Layer Security (DTLS) [34], which operates on the unreliable transport protocol UDP but still provides the same security level, has been proposed to replace TLS. In 2012, [35] proposed an implementation of DTLS on sensors with a Trusted Platform Module (TPM) installed. Despite its advantages of high security and data integrity with a reasonable amount of energy consumed, the need to deploy TPM hardware for each sensor is expensive and not scalable. The approach of using raw public keys to encrypt exchanged messages, with the assumption that everyone knows each other's public keys in a system, is also an option. Rabin et al. [36] proposed a protocol with a design quite similar to RSA, which is a public key cryptosystem widely used for secure data transmission. Although their proposed scheme consumed as much energy as RSA for encryption, encryption using this scheme is much faster because it needs only one squaring for each message. Nonetheless, the requirement of a high cost of computation and energy makes it inconvenient when applied to IoT systems. Recent studies [37, 38] tried to replace RSA with Elliptic Curve Cryptography (ECC), which has been proved to consume less energy at the same security levels [39]. Overall, this approach requires public keys to be first distributed and stored in each device in the whole network. In other words, the key distribution mechanism is the main challenge of such solutions. And the fact that each device has to maintain others' public keys makes them inefficient in terms of storage and scalability.
Key agreement protocols based on asymmetric techniques are an approach in which the parties derive or agree on a shared secret key between them. The Diffie-Hellman protocol is a widely known instance of such an approach. Nonetheless, Diffie-Hellman protocols are usually expensive and thus not advisable for low-powered IoT devices. Several more efficient and lightweight variants, like ECDH, which uses ECC, have been proposed for constrained environments.
ECC, an approach to public-key cryptography, was introduced by Miller [23] and Koblitz [24]. ECC is considered to be more suitable for building lightweight public key cryptosystems due to its smaller key size and lower arithmetic requirements compared with the popular RSA at the same security level [40]. Therefore, ECC has been widely considered to replace RSA in public-key cryptosystems. Many remote authentication schemes have been implemented based on it to reduce the computation load for small devices [41,42,43,44,45,46,47,48]. However, in these schemes devices still need to verify the associated certificates by performing additional computations. Moreover, they do not support mutual authentication and session key establishment between devices and remote servers. Realizing these disadvantages, Yang et al. proposed an ID-based remote mutual authentication with key agreement scheme on ECC [44]. Their scheme does not require public keys for all devices. Later, Islam et al. identified that Yang et al.'s scheme suffered from several attacks, failed to protect users' anonymity and did not offer session key forward secrecy [45]. They suggested an improvement to fix these issues. Nonetheless, Truong et al. [46] showed that this scheme still suffered from known session-specific temporary information attacks and denial of service when the server's database was leaked. In the same research direction, Debiao et al. [47] proposed an ID-based client authentication scheme for the client-server environment on ECC and proved their scheme to be provably secure. Unfortunately, Wang and Ma [48] later claimed that Debiao et al.'s scheme was, in fact, insecure against an active adversary, e.g. reflection or parallel session attacks, and did not provide privacy protection.
The study [43] suggests an authentication protocol between devices and cloud servers using cookie data stored at the device end. The centralized cloud server takes responsibility for registering every device in its network. After that, the server and devices mutually authenticate each other using shared secrets encrypted with ECC. At the end of the authentication phase, the server and the device, by applying an extension of the Diffie-Hellman key exchange method, successfully agree on a common session key to be used for securing their later communications. As communication between devices and the cloud server is the only one proposed to be authenticated, we can infer that the underlying architecture of this model is based on the client-server architecture popularly used in cloud computing applications. The protocol proves itself to be efficient in terms of security, computational cost, and energy consumption by using ECC for authenticating devices.
Nevertheless, [43] also exposes several disadvantages. The lack of support for D2D authentication is one of the main weaknesses. According to [49], the first and foremost requirement for IoT systems is to supply communication between devices. This is because devices are the main users in IoT systems, and automatic D2D communication without any interruption from a centralized control is expected to be an intrinsic part of the IoT [50]. In fact, D2D communication refers to the paradigm where direct connectivity between devices takes place without routing the data through other network infrastructure. These communications introduce several benefits such as a high data transmission rate, reliable communication even when the network fails, and energy efficiency, as devices use lower transmission power in close range, etc. [51]. D2D communication is also required to be secure to protect the data transmitted. Therefore, it is necessary to also provide mutual authentication between devices. Other disadvantages which have not been addressed in all previous works related to the scheme include the privacy problem and the proposed network architecture. In both described schemes, the identity of a device is exposed every time its authentication with the server occurs. This fact raises another concern over the privacy of devices using this scheme. Considering the network architecture, IoT systems are well known for their highly connected device networks, which are deployed with many different kinds of communication protocols. Thus, to assume that every device is directly connected to a single centralized server via the same communication and networking protocol is not feasible in the broadest scenario of the IoT. State-of-the-art designs for IoT systems require one or more intermediate layers, e.g. gateways, base stations, etc., to support such heterogeneity of device connections, as well as to help lower the burden on centralized servers. That way, devices can be deployed in a distributed manner with suitable networking setups and configurations. A gateway or base station is responsible for a particular number of devices to form a subnetwork. In these subnetworks, a wide variety of low-power short-range wireless technologies can be applied to provide efficient, low-power and low-latency connectivity among devices and gateways. This architecture subsequently reduces the bandwidth and the power needed by constrained devices compared to when they have to connect and send data themselves all the way to the centralized servers for processing. In addition, different technologies and systems specific to every application domain, such as intrusion detection systems, can be integrated into each subnetwork without affecting the rest of the network.
types of connections existing in this network model: server-to-gateway, gateway-to-device, and device-to-device connections.
• Centralized server (S): The centralized server has high computational capabilities and resources. This server holds a long-term private key X which is lh bits long. It is responsible for storing and managing the authentication data of every other device or gateway in the network. It is also the only place where such data are securely stored, and it allows only privileged authorities to access them. For this reason, the centralized server takes part in the authentication process, in which it supports gateways in verifying devices when they want to join their subnetworks.
Figure 4.1: The network architecture for the proposed authentication protocol.
The communications between the servers and gateways are assumed to be safe. Such communications may be made through secure channels or involve some available authentication and key agreement schemes, which will not be included in the scope of this thesis.
• Gateway (GWi): Each gateway is the controller of its subnetwork. This entity is also supposed to have high computational power and resources, and to manage a list of devices. Communications with its devices are secured by their corresponding short-term session keys, which are generated at the end of the authentication phase for joining.
• Device (Di): Registered embedded devices can join one or more subnetworks. Their registration information is stored at the centralized server. They can communicate with their gateways as well as with other devices in the same subnetworks.
Both security and privacy are key requirements for the current authentication solution. The privacy goals to be achieved by the proposed authentication process are as follows:
• Identity privacy preservation: Gateways and other devices are not able to extract