
University of Colombo School of Computing

Literature Survey

Authentication and Authorization Mechanism for Internet of Things Infrastructure

Supervisor: Dr. TNK De Zoysa

Author: UDGDR Dolapihilla

This Literature Survey is submitted in fulfillment of the requirements
for the course SCS3017 in the degree of
Bachelor of Computer Science
in the
University of Colombo School of Computing

December 2014

Declaration of Authorship
I, UDGDR Dolapihilla, declare that this Literature Survey titled, Authentication and
Authorization Mechanism for Internet of Things Infrastructure and the work presented
in it are my own. I confirm that:

Where I have consulted the published work of others, this is always clearly attributed.

Where I have quoted from the work of others, the source is always given. With
the exception of such quotations, this thesis is entirely my own work.

I have acknowledged all main sources of help.

Where the literature survey is based on work done by myself jointly with others,
I have made clear exactly what was done by others and what I have contributed
myself.

Signed:

Date:

Abstract
by UDGDR Dolapihilla

The Internet of Things infrastructure, an emerging topic in the world of Information
Technology, is defined as the interconnection of distinctively identifiable embedded
computing devices within the existing internet infrastructure. Things in the Internet
of Things may be a wide variety of devices, ranging from nanochips to large-scale
devices. Some research assumes that more than thirty billion Things will be connected
to the Internet of Things infrastructure by the year 2020. This rapid growth is widely
criticized because security features are not being developed at the same pace. Things
may be used to carry out physical work rather than being purely virtual as in the
current internet infrastructure; therefore threats associated with the Internet of
Things can cause physical damage. Authentication and Authorization, the starting point
of any cryptographic security mechanism, play a major role in cryptographic security.
Do current internet cryptosystems guarantee secure authentication and authorization in
the Internet of Things infrastructure? This review critically analyzes that question.

Contents

Declaration of Authorship
Abstract
Contents
Abbreviations

1 Introduction

2 Authentication and Authorization in Common Internet Infrastructure
2.1 Cryptographic Authentication
2.1.1 Password Based Authentication
2.1.2 Symmetric Key Based Authentication
2.1.3 Asymmetric Key Based Authentication
2.2 Cryptographic Authorization

3 Growth of the Internet of Things Infrastructure
3.1 Transition from Internet to Internet of Things
3.2 Future of The Internet of Things

4 Authentication and Authorization Challenges Directed Towards The Internet of Things Infrastructure
4.1 Overview
4.2 Challenges to Authentication and Authorization
4.2.1 Population of Devices
4.2.2 Resource Constraints
4.2.3 Unpredictable Growth
4.2.4 High Mobility
4.2.5 High Heterogeneity
4.2.6 Lack of Common Standards

5 Proposed Cryptographic Mechanisms Related to Authentication and Authorization of Internet of Things
5.1 Device Capability Based Authentication using Advanced Encryption Standard - Galois Counter Mode
5.2 Elliptic Curve Cryptography
5.3 Thing Name Service (TNS) for the Internet of Things
5.4 Key Management Scheme Based on Micro-Certificate for Internet of Things
5.5 Other Approaches to Strengthen IoT Authentication and Authorization

6 Conclusion

Abbreviations

IoT      Internet of Things
CA       Certificate Authority
PAP      Password Authentication Protocol
ASCII    American Standard Code for Information Interchange
IETF     Internet Engineering Task Force
AES      Advanced Encryption Standard
GCM      Galois Counter Mode
ECC      Elliptic Curve Cryptography

Chapter 1

Introduction
The conceptual nodes of the IoT infrastructure are a large number of interconnected
information sources, or Smart Objects, which can be much less complex than computers.
These electronic nodes can be very simple; typically they are expected to be equipped
with sensors, actuators, microprocessors, nanoprocessors, communication interfaces and
power sources. They may be tailored to specific applications, ranging from simply
feeding sensor data to large-scale industrial mechanisms which can initiate massive
physical automation.

This interconnection of uniquely identifiable embedded computing devices through the
current internet infrastructure is informally defined as the Internet of Things
infrastructure. With automation as the prime goal, IoT is on the verge of exponential
growth. It is believed that there will be more than thirty billion of these connected
nodes by the year 2020.

IoT infrastructure can be extended to a wide variety of applications, ranging from
sensor utilization in monitoring environmental factors to large-scale industrial
applications. Smart city technology is an emerging topic in the technological world;
the ability of many devices to connect with each other over the IoT infrastructure is
supposed to enable the dream of Smart Cities. Automation is a prime expectation of IoT:
the Things connected to the IoT infrastructure are expected not only to carry out
sensing functions but also to carry out physical tasks.

Security of the IoT infrastructure is a major topic of discussion. Although the number
of interconnected devices is increasing, the development of appropriate security
mechanisms is not keeping pace with it. Some cryptographic mechanisms are being
developed as proprietary solutions, but these solutions do not address the need for a
regulated and standardized set of cryptographic solutions for IoT infrastructure at a
global level. [14]

With the increasing spread of IoT infrastructure, threats can be physical rather than
virtual as in the common internet infrastructure. This calls for proper cryptographic
mechanisms that address the Authentication, Authorization, Integrity, Availability and
Non-repudiation aspects of crypto security.

The organizations responsible for regulating the Internet have a massive responsibility
to standardize the security protocols associated with the IoT infrastructure. Their
responsibility also covers the applicability of the protocol stack used in the current
Internet infrastructure to the next generation of the Internet, the Internet of Things.

In this literature review the Authentication and Authorization aspects of IoT
infrastructure are critically analyzed and the applicability of common internet
security protocols to the IoT infrastructure is discussed.

Chapter 2

Authentication and Authorization in Common Internet Infrastructure

2.1 Cryptographic Authentication

Cryptographic Authentication, as its literal definition suggests, is concerned with
confirming identity, in other words with making sure that a certain entity is genuine.
Authentication is not only the indication of a claimed identity; the validation of an
identity borne by a certain entity also falls under Authentication.

By accepted standards an Authentication mechanism should verify the validity of at
least a single identification. Ultimately the question Authentication addresses is
"Who are you?"

In its simplest form authentication is performed with usernames and passwords. For a
more stringent mechanism, asymmetric key encryption (public key encryption) is used.
Digital certification by a Certification Authority using a public key cryptosystem has
become a standard for the common internet infrastructure.

2.1.1 Password Based Authentication

The most common and simplest way of Authentication is Username and Password or PIN
(Personal Identification Number) based authentication.

Among these protocols the simplest is PAP (Password Authentication Protocol), which
uses a pre-shared password and a username. It is supported by almost every network
operating system and is available when no more advanced authentication cryptosystem is
implemented. However, PAP is considered an insecure protocol, especially because the
passwords are transmitted over the network as unencrypted ASCII characters.

2.1.2 Symmetric Key Based Authentication

Symmetric Key Authentication is based on a unique secret key which is shared in advance
among the entities that authenticate each other. Both encryption of the plaintext and
decryption of the ciphertext are done using this single shared key.

In the simplest form of Shared Key Authentication, the first entity sends its
credentials along with a random message known as the Challenge, encrypted using the
relevant key. The second entity uses the pre-shared key to check the received message
for a match. If there is a match, the entities are authenticated.

The simplest Shared Key Authentication is considered a weak authentication mechanism
since the secret itself has to be revealed in order to get authenticated. This opens it
up to many security threats. Many protocols are derived from the idea but have been
developed to increase the security of the authentication provided.
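
As an added illustration (not code from this survey or its sources), the Go example below shows one strengthened variant of the kind the paragraph above alludes to: a challenge-response in which the prover returns an HMAC over the verifier's random challenge, so the shared key itself never crosses the network the way a PAP password does. The use of HMAC-SHA256 in place of encrypting the challenge, and the names Respond and ChallengeVerifier, are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNoChallenge = errors.New("no outstanding challenge for this device")
	ErrBadResponse = errors.New("response does not match the shared key")
)

// Respond is the prover's side: it proves knowledge of the shared key by
// returning HMAC-SHA256(key, deviceID || 0x00 || challenge).
func Respond(key []byte, deviceID string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(deviceID))
	mac.Write([]byte{0}) // separator between identity and challenge
	mac.Write(challenge)
	return mac.Sum(nil)
}

// ChallengeVerifier is the verifying side. It holds the pre-shared keys and
// one outstanding challenge per device.
type ChallengeVerifier struct {
	keys    map[string][]byte
	pending map[string][]byte
}

func NewChallengeVerifier(keys map[string][]byte) *ChallengeVerifier {
	return &ChallengeVerifier{keys: keys, pending: make(map[string][]byte)}
}

// Challenge issues a fresh 16-byte random challenge for one attempt.
func (v *ChallengeVerifier) Challenge(deviceID string) ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[deviceID] = c
	return c, nil
}

// Verify checks a response against the outstanding challenge. The challenge
// is consumed whether or not the check succeeds, so it can never be reused.
func (v *ChallengeVerifier) Verify(deviceID string, response []byte) error {
	key, known := v.keys[deviceID]
	c, issued := v.pending[deviceID]
	delete(v.pending, deviceID)
	if !known || !issued {
		return ErrNoChallenge
	}
	if !hmac.Equal(Respond(key, deviceID, c), response) {
		return ErrBadResponse
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key-0123456789a") // constructed sample key
	v := NewChallengeVerifier(map[string][]byte{"sensor-1": key})

	c1, _ := v.Challenge("sensor-1")
	r1 := Respond(key, "sensor-1", c1)
	fmt.Println("genuine device:       ", v.Verify("sensor-1", r1))

	// A recorded response is presented again after a new challenge was issued.
	v.Challenge("sensor-1")
	fmt.Println("replayed old response:", v.Verify("sensor-1", r1))

	c3, _ := v.Challenge("sensor-1")
	r3 := Respond([]byte("wrong key"), "sensor-1", c3)
	fmt.Println("wrong shared key:     ", v.Verify("sensor-1", r3))
}
```
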

Advanced cryptographic authentication mechanisms are implemented on the basis of
Symmetric Keys. A widely used protocol is Kerberos, which is based on the symmetric key
based Needham-Schroeder Protocol. Kerberos uses tickets to allow nodes to authenticate
themselves to each other over a non-secure network. A trusted third party is also
involved in the Kerberos protocol.

Figure 2.1: Kerberos Negotiation illustrated by Daniel Sonck

For key exchange over a non-secured public network the Diffie-Hellman key exchange
method is used. This is to overcome symmetric key authentication's major weakness,
which is its vulnerability to man-in-the-middle attacks and spoofing.

2.1.3 Asymmetric Key Based Authentication

Asymmetric cryptosystems address two major issues in symmetric cryptosystems: namely,
they deal with unsafe key distribution and they enable Digital Signing, which is now a
standard in internet infrastructure. These cryptosystems are used for both data
confidentiality and authentication.

The simplest mechanism is as follows. Each party associated with the transaction has
its own Private Key and Public Key. They are mathematically linked in such a way that
each key can decrypt ciphertext encrypted by the other.

For authentication, the plaintext is hashed using a hash function and the hash is
encrypted using the sender's private key. This ciphertext is known as the Signature.
The signature is attached to the data and sent to the receiving party. The receiver
decrypts the signature using the sender's public key and compares the result to the
hash of the data. A match authenticates the sender. The mechanism is illustrated in the
following figure.

Figure 2.2: Digital Signature and Verification illustrated by Acdx - wikipedia

2.2 Cryptographic Authorization

Authorization, although it presupposes authentication, plays a different role. It deals
with the permissions of an authenticated entity. Simply put, it answers
"What are you allowed to do?"
Restrictions and constraints are normally defined as the permissions given to a
specific entity. When that entity is authenticated, Authorization defines what that
entity can perform.

In multi-user systems, of which the Internet is one, it is important to control access
to operations and to information. Categorizing authenticated entities by their
privileges to perform certain actions on the system is Authorization.

Chapter 3

Growth of the Internet of Things Infrastructure

3.1 Transition from Internet to Internet of Things

The Internet of Things cannot be considered a whole new infrastructure, as it is hyped
in the current community. It is rather an eventuality, or a significant milestone, in
the growth of the internet. From the beginning the Internet has been an interconnection
of networks; in the Internet of Things infrastructure its definition has evolved as
follows:
"A world-wide network of uniquely addressable, interconnected heterogeneous objects."
The keyword here which makes IoT rather different from the internet is "objects". The
accepted definition of the Internet is the interconnection of computer networks which
follow a certain set of protocols. The significant difference between Computer Networks
and Objects is what makes the IoT a whole new infrastructure.

The internet has taken over many tasks in day-to-day work; the IoT is believed to take
the internet to many levels into which it has not yet been integrated. As a result of
the development of embedded smart objects, the internet will be all over the
environment in a matter of some years, making the so-called Internet of Things true.

3.2 Future of The Internet of Things

IoT will connect beyond computers; it will enable communication between almost all
everyday devices, making Smart Living, Smart Homes and Smart Cities a reality. The
estimated IoT market value is massive, and the idea of a live connection between
consumers, businesses and government has hyped up the IoT's concepts. The estimated
number of interconnections in the near future is illustrated in the following graph,
which is based on CISCO research.

Figure 3.1: Estimated Growth of Connected Devices by CISCO

The interconnection of these devices is expected to automate a vast variety of
day-to-day functions. Gartner Incorporation, a research organization in the USA,
estimates that there will be a 36 percent growth in the connected devices in the
internet. The foundation of the smart nodes, the processing and semiconductor market
share, is also expected to grow 5 percent according to them. This rapid growth enables
the IoT expectations to become a reality.

Intelligent interconnected nodes are expected to take over many functions, from weather
sensing to the automobile industry and from wearables to industrial mechanics, enabling
the concept of Predictive Maintenance. Things as referred to in IoT are not necessarily
computing nodes; they can range from tiny sensors to massive industrial machines.
Therefore the scalability is limitless.

Possible applications of IoT are limitless. Some of the possible applications under
discussion, according to the Business Insider magazine, are as follows:

Interconnected advertising using smart billboards.

Intelligent city management systems are being planned mainly focusing on the
traffic management.

Smart electrical grids.

Industrial smart assembly lines and smart factories.

Home automation.

Healthcare monitoring using implanted embedded systems.

Remote security.

Environmental monitoring.

Among other factors which enable the limitlessness of the IoT is IPv6. The number of
uniquely identifiable connected nodes was running out under the range limitations of
IPv4, but with IPv6 there are no boundaries until these nodes reach trillions.

Another reason for the accelerated growth of the IoT is the development of the
semiconductor and processor market. Cheaper and better solutions with newer features
are continuously being developed. Janusz Bryzek, who is considered the father of
sensors, has said that the internet as an industry, with the emerging IoT technologies,
has the potential to add 10 to 15 trillion American dollars to the global Gross
Domestic Product. The following figure by Gartner shows the estimated growth of IoT
semiconductor revenue categorized by industry.

Figure 3.2: Estimated Growth of Semiconductor Revenue. Source: Gartner Inc.

A 30 percent growth of the semiconductor business is estimated by the year 2020.
Low-cost devices will enable cheaper implementation and rapid growth of IoT. In
parallel, development in the sensor industry is another accelerator of IoT. Other
aspects of IoT development are the growth of Cloud Computing and the discussion of
enhancing it to a level called Fog Computing. The following factors are identified as
major fuels of IoT growth by Raymond James Research.

Figure 3.3: Drivers of IoT growth. Author: Raymond James

The Internet of Things is expected to deliver a set of technical capabilities to
achieve its targeted function. In Friedemann Mattern and Christian Floerkemeier's
publication, From Internet of Computers to Internet of Things, the following
capabilities are emphasized as essentials of the IoT infrastructure.

Cross communication between the Things

Addressable objects to achieve the ability to remotely interrogate and configure

Unique identification ability of the objects

Sensing

Actuation to enable mechanical movements

Embedded information processing

Localization

User interfacing

These capabilities altogether can fill the gap between the virtual and physical worlds as
discussed in the above publication.

Chapter 4

Authentication and Authorization Challenges Directed Towards The Internet of Things
Infrastructure

4.1 Overview

The pervasive development of IoT is enabling the interconnection of almost every piece
of electronic equipment, from home consumer devices to industrial machines. This rapid
growth has exposed new attack vectors. Connected mobile phones and computers also have
vulnerabilities, but the growth of the IoT infrastructure has increased the impact of
attacks. Having essential devices that are required for day-to-day operations connected
may expose sensitive data to new attack vectors.

The current common internet infrastructure is based on a set of standard security
protocols which are widely used and enhanced. However, the monopolistic nature of many
of the organizations involved in IoT development results in the development of only
proprietary solutions for IoT security. Not having a proper standard yet is the major
risk associated with IoT.

IoT as a potential trillion-dollar economy does not yet guarantee the security the
world expects from such an infrastructure. Research carried out by Hewlett-Packard
reveals an alarmingly high average number of vulnerabilities per device. The following
figure by HP illustrates their research findings.

Figure 4.1: IoT Vulnerabilities by Hewlett-Packard

For all the hype around it, the growth of IoT is not well synchronized with the
development of IoT security. The rocketing adoption of connected things without concern
for security will ultimately make the Internet of Things an Internet of Insecure
Things.

Professor Christof Paar of the Horst Görtz Institute for IT Security at Ruhr-University
Bochum in Germany mentions that there is essentially no tolerance for error in security
engineering: the application level can contain vulnerabilities, but security
vulnerabilities should be eliminated 100 percent. If the world reaches the expected
sheer number of IoT devices and their capabilities, a single security loophole would be
able to make a massive impact on the world's economy and the well-being of humankind;
that is how humongous this infrastructure is.

This section discusses, at a high level, the various types of challenges posed to
Authentication and Authorization processes.

4.2 Challenges to Authentication and Authorization

4.2.1 Population of Devices

The limitless connections and the scalable structure of the IoT enable a huge span of
attacks on it. The unmanageable nature caused by the sheer number of devices can cause
vulnerabilities in Authentication. Managing credentials and identifying each device may
become a huge burden.

Even with a large number of devices connected, the ability to identify each one
uniquely is a necessity. The billions of devices should be identified and authenticated
for communication. Holding their authorization details is also a major issue,
especially considering the number of devices in the IoT infrastructure. Any candidate
mechanism is expected to scale with the device population and should also be supported
cross-platform.

Improper verification or spoofing will not simply be a virtual threat; the sheer number
of devices will make the effect an exponentially growing threat. Fraudulent
authentication may have a catastrophic effect if the IoT reaches the level it is
expected to reach in a decade.

4.2.2 Resource Constraints

Unlike computers with high processing power and storage, the things associated with the
IoT infrastructure may not be well equipped with resources. Many of the protocol suites
used in the common internet are designed with the expectation of certain resources in
terms of processing power and memory. According to a publication by two security area
directors of the IETF, this presumption is not at all applicable to IoT devices.

An essential part of authentication is key management, and storing keys requires a
certain amount of memory. Since things are expected to get cheaper and simpler, the
resources for such mechanisms may not be available in some IoT devices.

4.2.3 Unpredictable Growth

Many security protocols, including Authentication and Authorization protocols, rely on
assumptions in many aspects. The growth of the Internet of Things infrastructure is
highly unpredictable. The heterogeneity of the smart nodes can increase the complexity.

According to the publication by Michael J. Covington and Rush Carskadden, Threat
Implications of the Internet of Things, the broad distribution and the unpredictable
advancements can be a critical issue when tailoring security mechanisms. The
presumptions which are important when designing such cryptographic suites can be
inaccurate given the unpredictable future of the IoT infrastructure.

4.2.4 High Mobility

According to Covington, the highly mobile nature of the connected devices of the IoT
infrastructure will enable rapid changing of data between different environments. In
the context of this review it will affect the access control of the infrastructure.
Limited visibility and constrained monitoring will open up domains in the security
areas.

4.2.5 High Heterogeneity

Highly heterogeneous entities are expected to be connected with each other within the
IoT infrastructure. This heterogeneous nature may result in a lack of interoperability
among the interconnected devices within the IoT infrastructure.

4.2.6 Lack of Common Standards

The Internet of Things is on the verge of a rapid, pervasive invasion of the
technological world. But this development is still done within organizations, and the
results are developed as proprietary solutions. A globally adopted set of standards has
not yet been implemented; therefore the vulnerabilities in the security of the IoT
infrastructure are increased.

Chapter 5

Proposed Cryptographic Mechanisms Related to Authentication and Authorization of
Internet of Things

5.1 Device Capability Based Authentication using Advanced Encryption Standard - Galois
Counter Mode

With daunting challenges in identifying the devices which are interconnected throughout
the IoT infrastructure, this model was published by a set of researchers at Mobisec
2011. AES-GCM is a new encryption algorithm which is capable of providing hardware
implementations with both authentication and confidentiality aspects. This is to enable
inter-device authentication with limited resources.

The proposed authentication and authorization protocol is based on a capability model.
The cryptographic capability is used as a ticket or token to get authenticated and
authorized by the respective devices. AES-GCM is then used to encrypt this token,
providing both authenticity and encryption, especially within resource constraints.

The capability token is a customized data structure which contains a unique identifier,
access rights and a random number. The walkthrough of the proposed protocol is
illustrated in the figure below.

The capability token of device 1, which is derived from the unique identifier and
access rights, is encrypted along with a random number using AES-GCM encryption. The
generated ciphertext is then sent to device 2. Device 2 decrypts the received
ciphertext using the symmetric key. A one-way hash function can identify whether any
tampering has been done. A mismatch between the hash received and the hash generated
causes an authentication violation, so the authentication is not completed. A match
results in authenticated communication between the devices.

Figure 5.1: AES-GCM Capability based authentication. Source: Mobisec

The main feature which makes this protocol a candidate for IoT authentication and
authorization is its resource utilization. The random number can also provide
protection against replay attacks. The one-way hash and the symmetric key cryptosystem
provide mutual authentication, which can be ideal for anti-forgery. [13]
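
The flow described above, as an added Go example that is not taken from the paper [13]: device 1 seals a token of identifier, access rights and random number with AES-GCM, and device 2 rejects a modified token, a reused random number, or a request for a right the token does not carry. The field layout, the names Capability, Seal and Device2, and the use of the GCM authentication tag for the tamper check that the text attributes to a one-way hash are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability is a constructed stand-in for the token described in the text:
// a unique identifier, access rights and a random number.
type Capability struct {
	DeviceID uint32
	Rights   uint8
	Random   uint64
}

const (
	RightRead  uint8 = 1 << 0
	RightWrite uint8 = 1 << 1
	tokenLen         = 4 + 1 + 8 // serialised size in bytes
)

var (
	ErrTampered = errors.New("authentication failed: GCM tag mismatch")
	ErrReplay   = errors.New("authentication failed: random number already used")
	ErrDenied   = errors.New("authorization failed: right not in capability")
)

// NewAEAD turns the pre-shared symmetric key into an AES-GCM instance.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is device 1: serialise the token and encrypt it with AES-GCM.
// Wire format: 12-byte IV || ciphertext || 16-byte authentication tag.
func Seal(aead cipher.AEAD, c Capability) ([]byte, error) {
	plain := make([]byte, tokenLen)
	binary.BigEndian.PutUint32(plain[0:4], c.DeviceID)
	plain[4] = c.Rights
	binary.BigEndian.PutUint64(plain[5:], c.Random)
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return aead.Seal(iv, iv, plain, nil), nil
}

// Device2 holds the shared key (as an AEAD) and the random numbers it has seen.
type Device2 struct {
	aead cipher.AEAD
	seen map[uint64]bool
}

func NewDevice2(aead cipher.AEAD) *Device2 {
	return &Device2{aead: aead, seen: make(map[uint64]bool)}
}

// Open authenticates the token (tag check), rejects a replayed random
// number, and only then checks that the requested right was granted.
func (d *Device2) Open(msg []byte, need uint8) (Capability, error) {
	var c Capability
	n := d.aead.NonceSize()
	if len(msg) < n+d.aead.Overhead() {
		return c, ErrTampered
	}
	plain, err := d.aead.Open(nil, msg[:n], msg[n:], nil)
	if err != nil || len(plain) != tokenLen {
		return c, ErrTampered
	}
	c.DeviceID = binary.BigEndian.Uint32(plain[0:4])
	c.Rights = plain[4]
	c.Random = binary.BigEndian.Uint64(plain[5:])
	if d.seen[c.Random] {
		return c, ErrReplay
	}
	d.seen[c.Random] = true
	if c.Rights&need != need {
		return c, ErrDenied
	}
	return c, nil
}

func main() {
	aead, _ := NewAEAD([]byte("constructed-key!")) // constructed 16-byte demo key
	d2 := NewDevice2(aead)
	msg, _ := Seal(aead, Capability{DeviceID: 7, Rights: RightRead, Random: 1001})
	_, first := d2.Open(msg, RightRead)
	_, again := d2.Open(msg, RightRead) // same token presented twice
	msg[len(msg)-1] ^= 0x01             // one bit flipped in transit
	_, flipped := d2.Open(msg, RightRead)
	fmt.Println(first, again, flipped)
}
```

The replay check here keeps every accepted random number in memory; on a constrained device that set would need a bound, which this example does not model.
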

5.2 Elliptic Curve Cryptography

Asymmetric Key Cryptography will play a significant role in the IoT infrastructure as
it does in the current internet. Elliptic Curve Cryptography (ECC) can be used to
provide security equivalent to Rivest Shamir Adleman (RSA) but with a significantly
shorter key size. A well optimized 160 bit ECC cryptosystem is supposed to deliver the
equivalent of 1024 bit RSA encryption. [15]

ECC is more beneficial than RSA in many aspects: computation time, a significantly
lower RAM footprint and lower bandwidth requirements have made ECC a better contender
for IoT infrastructure security than RSA. The advantages which make ECC stand out from
RSA are even more useful in IoT, where its features are supposed to overcome the
resource constraint issues.

The downside of this cryptosystem is the intricacy of its implementation; the conflicts
and diversity in the IoT can make implementing the solution a harder task. Expensive
hardware operations are suggested for increased performance.
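
An added Go example (not from this survey or from [15]) that covers both the hash-then-sign flow of Section 2.1.3 and the size argument of this section: the same data is signed and verified with ECC and with RSA, and the key and signature sizes are recorded. Go's standard library has no 160-bit curve, so the example assumes P-224 against RSA-2048, a pair that NIST SP 800-57 rates at comparable strength, rather than the 160-bit and 1024-bit sizes quoted above; the names Result, SignVerifyECDSA and SignVerifyRSA are likewise assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Result records what one signature scheme costs and how verification behaved.
type Result struct {
	Scheme      string
	PubKeyBytes int  // raw public key material (ECC: X||Y, RSA: modulus)
	SigBytes    int  // signature length as sent with the data
	GenuineOK   bool // unmodified data verifies
	TamperedOK  bool // modified data verifies (must be false)
}

// SignVerifyECDSA hashes data, signs the hash with a fresh P-224 private key,
// then verifies the genuine and the tampered copy with the public key.
func SignVerifyECDSA(data, tampered []byte) (Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	good, bad := sha256.Sum256(data), sha256.Sum256(tampered)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, good[:])
	if err != nil {
		return Result{}, err
	}
	return Result{
		Scheme:      "ECDSA P-224",
		PubKeyBytes: 2 * ((elliptic.P224().Params().BitSize + 7) / 8),
		SigBytes:    len(sig),
		GenuineOK:   ecdsa.VerifyASN1(&priv.PublicKey, good[:], sig),
		TamperedOK:  ecdsa.VerifyASN1(&priv.PublicKey, bad[:], sig),
	}, nil
}

// SignVerifyRSA does the same with a fresh 2048-bit RSA key (PKCS #1 v1.5).
func SignVerifyRSA(data, tampered []byte) (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	good, bad := sha256.Sum256(data), sha256.Sum256(tampered)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, good[:])
	if err != nil {
		return Result{}, err
	}
	pub := &priv.PublicKey
	return Result{
		Scheme:      "RSA-2048",
		PubKeyBytes: pub.Size(),
		SigBytes:    len(sig),
		GenuineOK:   rsa.VerifyPKCS1v15(pub, crypto.SHA256, good[:], sig) == nil,
		TamperedOK:  rsa.VerifyPKCS1v15(pub, crypto.SHA256, bad[:], sig) == nil,
	}, nil
}

func main() {
	// Constructed sample readings; the second differs only in the value.
	data := []byte(`{"sensor":"constructed-01","temp":21.5}`)
	tampered := []byte(`{"sensor":"constructed-01","temp":99.9}`)
	ec, _ := SignVerifyECDSA(data, tampered)
	rs, _ := SignVerifyRSA(data, tampered)
	for _, r := range []Result{ec, rs} {
		fmt.Printf("%-12s key=%3dB sig=%3dB genuine=%v tampered=%v\n",
			r.Scheme, r.PubKeyBytes, r.SigBytes, r.GenuineOK, r.TamperedOK)
	}
}
```
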

5.3 Thing Name Service (TNS) for the Internet of Things

Also proposed as Objects Naming Service, this is supposed to be used as a substitute
for the Domain Name Service used in the internet. [17] The publication by GS1, a Sweden
based non-profit organization, cited here is being developed as a candidate solution
for the identification aspect of the Internet of Things.

To provide authenticity it is important to identify objects uniquely. Billions of
objects with a direct connection to the internet can become a burden for
identification. In the GS1 ONS method, keys are used for unique identification. These
GS1 identifications can be used for location and status identification of certain
objects globally. Translation between thing-friendly names and machine-friendly names
is important. The DNS-like infrastructure of TNS/ONS is supposed to make identification
through TCP/IP more convenient. [16]

5.4 Key Management Scheme Based on Micro-Certificate for Internet of Things

Due to resource constraints on IoT devices, key management can be a big issue. The
billions of devices expected to be connected to the IoT can also make key management a
burden. The proposed solution is to implement a key management cryptosystem which is
lightweight and faster than the existing ones. [18]

The micro-certificate based key management mechanism comprises several keys: Key Seed,
Transport Keys, Storage Keys, Authentication Keys and Signature/Encryption Keys. All of
these are symmetric, hence they are smaller in size and are processed fast.

This key management scheme is highly applicable to the IoT domain with regard to its
high scalability and high resource constraints. The following figure illustrates the
characteristics of the keys mentioned above.

Figure 5.2: Key type and lifecycle. Source: ICETIS 2013 [18]

5.5 Other Approaches to Strengthen IoT Authentication and Authorization

The British Computer Society's State of Play report on the Internet of Things states,
at a high level, a few approaches to ensure the cryptographic security of the IoT
infrastructure. [19]

Full implementation of IPv6.

Enforcing rights management on data.

Worldwide Public Key Infrastructure managed preferably by The United Nations;
countrywide distribution for easier management is advised.

Standardizing body for IoT nodes' integral security features.

Providing anonymity outside the local connectivity of an IoT network.

These approaches are being advised by the BCS for the British Government in regulating
IoT.

Chapter 6

Conclusion
Throughout this literature review the Internet of Things infrastructure is analyzed in
terms of the security constraints that apply to its authentication and authorization
cryptographic mechanisms. Contrary to the hype generated around the development of IoT,
the security protocols do not keep up with the development of the infrastructure. The
challenges directed towards the authentication and authorization of IoT are ones which
should be addressed at any cost.

The main challenge discussed across many publications is the resource constraints of
IoT devices. This issue can be addressed by some very potent candidate solutions, ECC
based cryptosystems and AES-GCM, which can provide much lower resource consumption. The
heterogeneity of the connected devices can become a serious threat to the
authentication of devices with each other. Capability based mutual authentication is a
reasonable candidate solution for this issue.

Another matter at hand is the vast population of IoT devices; for authentication to
happen, identification is a necessity. Therefore a DNS equivalent for IoT has become
essential. The candidate solution of ONS/TNS is an emerging topic of discussion which
can address the issues of identification.

The micro-certificate based solutions can also be considered a proper candidate
solution for better authenticity and authorization in IoT. Their lightweight and faster
nature is considered ideal for the IoT domain.

As discussed in the review, the most problematic issue in IoT security is the lack of
common standards. Due to the unpredictable growth of the IoT, enforcing a common
standard is of the utmost importance. In the BCS State of Play report a set of
recommendations is made to the British Government, mostly on the regulation process of
the IoT.

Given the nature of the IoT, Authentication and Authorization can save the day for IoT
security. As analyzed and presented in this literature survey, the most suitable ways
to meet the challenges to IoT Authentication and Authorization are lightweight
cryptographic mechanisms and regulated infrastructure standards.

Bibliography
[1] Wind River Systems, Security in the Internet of Things: Lessons from the Past for
the Connected Future, 2014
[2] Junlin Li, Hua Zhou, Li Wang, Zhihong Liang, Xiangcheng Wan, Yuhong Chen, The
Modeling Research on wireless Sensor Network Security Protocol in Internet of Things,
Yunnan software engineering key laboratory, Yunnan University, Kunming, China, 2011
[3] Rolf H. Weber, Internet of Things - New security and privacy challenges, University
of Zurich, Zurich, Switzerland, and University of Hong Kong, Hong Kong, 2010
[4] Ollie Whitehouse, Security of Things: An Implementers Guide to Cyber-Security for
Internet of Things Devices and Beyond, NCC Group, 2014
[5] Forouzan, Data Communication and Networking, McGraw-Hill Education (India) Pvt
Limited, 2007
[6] How Kerberos Authentication Works, learn-networking.com, 28 January 2008
[7] Dieter Gollmann, Computer Security, Second Edition, West Sussex, England: John
Wiley and Sons, Ltd., 2006
[8] Tavis C. McCourt, Simon Leopold, Frank G. Louthan IV, Hans Mosesmann, J. Steven
Smigie, Terry Tillman, Daniel Toomey, Georgios Kyriakopoulos, Eric Lemus, Brian
Peterson, Alexander Sklar, The Internet of Things: A Study in Hype, Reality,
Disruption, and Growth, Raymond James Associates, 14th January 2014
[9] Friedemann Mattern and Christian Floerkemeier, From the Internet of Computers to
the Internet of Things, Distributed Systems Group, Institute for Pervasive Computing,
ETH Zurich
[10] Craig Smith and Daniel Miessler, Internet of Things Research Study, HP Fortify,
June 2014
[11] Simone Cirani, Gianluigi Ferrari and Luca Veltri, Enforcing Security Mechanisms in
the IP-Based Internet of Things: An Algorithmic Overview, Department of Information
Engineering, University of Parma, Parco Area delle Scienze 181/A, 3124, Parma, Italy,
2013
[12] Michael J. Covington and Rush Carskadden, Threat Implications of the Internet of
Things, 5th International Conference on Cyber Conflict, 2013
[13] Sachin D. Babar, Parikshit N. Mahalle, Neeli R. Prasad and Ramjee Prasad, Proposed
on Device Capability based Authentication using AES-GCM for Internet of Things (IoT),
Proceedings of the 3rd Springer International ICST Conference on Security and Privacy
in Mobile Information and Communication Systems, 2011
[14] Tim Polk and Sean Turner, Security Challenges For the Internet Of Things,
February 14, 2011
[15] Erich Wenger and Johann Großschädl, An 8-bit AVR-Based Elliptic Curve
Cryptographic RISC Processor for the Internet of Things
[16] Ning Kong and Shuo Shen, Position Paper on Thing Name Service (TNS) for the
Internet of Things (IoT), China Internet Network Information Center, 2011
[17] F-ONS - The Internet of Things, GS1, Sweden
[18] LiPing Du, FuWei Feng and JianWei Guo, Key Management Scheme Based on
Micro-certificate for Internet of Things, International Conference on Education
Technology and Information System, 2013
[19] BCS State of Play Report, British Computer Society, October 2014
