Sie sind auf Seite 1von 4

IEEE-International Conference on IoT and its Applications (ICIOT-2017)

USING SYMMETRIC AND ASYMMETRIC CRYPTOGRAPHY


TO SECURE COMMUNICATION
BETWEEN DEVICES IN IoT
Michelle S Henriques Prof. Nagaraj K. Vernekar
Departmentof Computer Engineering Department of Computer Engineering
Goa College of Engineering Goa College of Engineering
Farmagudi- Goa, India Farmagudi- Goa,India
michhenr88@gmail.com nv@gec.ac.in

Abstract—Internet of Things (IoT) allows the interconnection


of computing and sensing devices over the Internet, allowing them II. RELATED WORK
to send and receive data. The applications of IoT range from Smart
Home to Wearable devices. An IoT system has high security [1] The Open Web Application Security Project (OWASP) is
requirements, owing to the critical and sensitive nature of the
information exchanged between devices. In this paper, a schematic
a worldwide not-for-profit charitable organization focused on
consisting of Asymmetric and Symmetric cryptography is defined to improving the security of software. The mission is to make
secure the communication between the devices in an IoT system. software security visible to facilitate both individuals and
The combination of both Symmetric and Asymmetric cryptography organizations to make informed decisions.
reduces encryption time in preference to simply using an As per the OWASP Internet of Things (IoT) Project, IoT
Asymmetric cryptographic algorithm. The use of random keys for attack areas are as follows:
Symmetric encryption each time solves the issue of session-key  Insecure Web Interface
distribution and strengthens the symmetric encryption approach.
 Insufficient Authentication/Authorization
Keywords—Cryptography; Encryption; Internet of Things  Insecure Network Services
(IoT); Security;Vigenere;  Lack of Transport Encryption
 Privacy Concerns
I. INTRODUCTION  Insecure Cloud Interface
The term “Internet of Things” (IoT) is the concept of  Insecure Mobile Interface
communication (i.e. data exchange) between objects, having  Insufficient Security Configurability
sensing or computing capabilities or both, over the internet. It  Insecure Software/Firmware
allows devices with the above-mentioned capabilities,  Poor Physical Security
generally embedded in everyday objects (such as an air
conditioner, lamps, etc.), to be controlled as well as
communicate over the internet. [2] described the study titled “How safe are home security
The applications of IoT are far reaching. As the scope of systems? – An HPE study on IoT Security” by Hewlett
human-to-human interaction or human-to-computer Packard Enterprise Security (HPE). This research reviewed and
performed security testing on ten off-the-shelf IoT-based home
interaction is minimum or zero or would require no more than
security systems by HPE using HPE Fortify on Demand. HPE
a one-time setup, IoT has applications ranging from wearable Fortify on Demand is a tool used for Application Security
devices to self-parking automobiles to Smart homes. Testing. Standard techniques to test the IoT systems, which
IoT involves accessing, monitoring and controlling various combines manual security testing and use of automated tools.
sensors and devices over the internet. As these types of sensor The systems were assessed based on OWASP Internet of
based networks become enormously popular and widespread Things Top 10 Project and the specific vulnerabilities
in various domains, it is fundamental to provide the adequate associated with each top 10 category. A host of vulnerabilities
level of protection against cyber-attacks for the users. were uncovered. Some of the vulnerabilities are listed as
As the communication between devices in an IoT system has follows: -
very sensitive and critical data, the security requirements for
any IoT-based system are high. Some of these security  100 percent allowed the use of weak passwords
requirements include authentication, both at user and device  100 percent lacked an account lockout mechanism that
level, and secure (encrypted) communication between the would prevent automation attacks
devices.  100 percent were vulnerable to account harvesting,
allowing attackers to guess login credentials and gain
access

ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
IEEE-International Conference on IoT and its Applications (ICIOT-2017)

 Four of seven systems that had cameras, gave the owner hardware and software design of the security system of an IoT-
the ability to grant video access to additional users, based Smart Home system with the application of basic
further exacerbating account harvesting issues security measures, privacy protection technologies, and the
 Two of the systems allowed video to be streamed implementation of intrusion prevention and malicious code
locally without authentication precaution technologies to enhance the security of the system.
 A single system o ered two-factor authentication [8] described various IoT technologies such as Wireless
The results for the ten devices were very similar and Sensor Networks (WSN), and Radio Frequency Identification
provided a good indicator of the current market status Technology (RFID) and defined in detail the various type of
security attacks on the two technologies.
with respect to security and the IoT.
[9] described the privacy and security challenges for IoT.
[3]proposed various Encryption and Hash algorithms, Current cryptographic models, schemes, and implementations
aiming to enhance the security in Smart Home Systems. The such as Advanced Encryption Standard (AES), Elliptic Curve
algorithms proposed in the paper were aimed at secure Cryptography (ECC) are described with their functionality and
communication between the devices in the IoT System. the both the advantages and disadvantages. The need for more
Existing algorithms such as RC-5, Skipjack, and AES to ensure flexible cryptographic suites is highlighted.
security within the network. A modified hash algorithm based
of RC4 is discussed and its performance is measured against
existing hashing algorithms. III. SYSTEM OVERVIEW
[4] define security requirementsand functions for the Smart
Home service. A Smart Home system was defined to be The configuration of an IoT based system is as shown in
consisting of a home server, a home gateway, and smart home Figure 1. The system typically consists of IoT devices, a
devices. A security feature was defined for each components of gateway, the server and the User device(s). The IoT devices
a smart home in an IoT environment. The security are generally sensors, actuators, or devices with computational
requirements and functionsproposed were based on the capabilities. These devices sense information within the
principles of Integrity, Confidentiality, and System system or are monitor or access various parts of the system.
Availability. The IoT devices are connected to the gateway over the
internal/home network. The gateway acts as a relay of the IoT
[5]presents an analysis of the main challenges and security devices to the User and the Server. The Server acts as a
threats present in Smart Home networks. The results of the repository for the information collected by the IoT devices as
analysis were then used to draw the fundamental requirements well as for transmission over the internet. The User device
needed for providing secure and confidential operations in provides the interface for the user to monitor, access and
Smart Homes. The paper discussed in detail the technologies
control the system remotely over the internet. [4]
composing a smart home i.e. applications, devices, operating
systems, and communication protocols. It discussed the main
challenges present in securing smart homes. The security
threats present in the communication protocols were illustrated
with case studies and defense strategies. Countermeasures were
discussed along with the security requirements of Smart
Homes.
[6]presented an approach to incorporate security in a IoT
based Smart Home System, with the aim of keeping the user
convenience and experience unhampered.The paper described
the design and prototype implementation of a Wi-fi based IoT
Smart Home system consisting of IoT devices (sensors,
actuators, equipment) connected to the Home Gateway over the
Home network. The user device (android based smartphone), Figure 1 - Configuration of an IoT System
used to access and control the system, was connected to the
Home gateway over the internet. The Home gateway enabled IV. PROPOSED WORK
secure communication between the IoT devices, and allowed
the user to access, configure, and control the system via the The Proposed Technique in this paper caters to the
user interface. The base of the implementation was the AllJoyn communication within the IoT system(Intra-network) i.e. the
framework. It is an open source IoT framework, capable of communication between the Gateway and the IoT devices.
supporting multiple devices and operating systems and has The aim is to secure the communication within the network
various libraries from cryptography (ECC, AES, etc.). and make it resilient to attacks. The proposed method is a
combination of Symmetric and Asymmetric cryptographic
[7]aimed at IoT Security Technology, with a detailed view techniques for transmission of data within the IoT networki.e.
of Privacy protection technology. A privacy protection scheme for Intra-Network security.Symmetric-key algorithms are
for IoT was designed for remote health care system. The

ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
IEEE-International Conference on IoT and its Applications (ICIOT-2017)

cryptographic algorithms that use the same cryptographic keys


for both encryption and decryption. Asymmetriccryptography
uses pairs of keys: public keys, which are publicly available to
everyone, and private keys, known only to the owner. For
encryption, the public key of the receiver is used, whereby the
receiver, who is only the holder of the paired private key can
decrypt the message encrypted with the public key. For the
proposed technique, the symmetric cryptographic algorithm
used is a modified version of the Vigenere Cipher. The
Asymmetric cryptographic algorithm is the RSA Algorithm.
The steps in the proposed technique at the sender end are as
follows: -
1) Obtain the current timestamp.
2) Generate a random key K using the current timestamp. Figure 3 : Receiver's end
3) Obtain the data P to be transmitted.
B. Modified Vigenere Cipher
4) Use the modified Vigenere Cipher to encrypt the data
Pusing the random key K, obtaining ciphertext C. The Vigenere Cipher is a polyalphabetic substitution cipher. It
5) Obtain the public key Pk of the receiver. is a method of encrypting text using a series of interwoven
6) Use RSA Algorithm to encrypt the random key K, Caesar ciphers based on the letters of the keyword [10]. The
obtaining the encrypted Key E. Algebraic description for Encryption and Decryption using
Vigenere Cipher is as follows: -
7) Concatenate the encrypted key E and the ciphertext C,
obtaining messageM =E + C to be transmitted.
Let N be the number of characters in the alphabet.
8) Transmit message M to the receiver
Let the characters of the alphabet in order be represented
numerically as 0 – (N-1)
For a key K of size m, encryption E using the Vigenere cipher
is as follows: -
Ci = Ek (Mi) = (Mi + Ki) mod N
Decryption D using key K is as follows:
Mi = Dk (Mi) = (Ci + Ki) mod N
Where M = M1 M2 … Mn is the message of length n
C = C1 C2 … Cn is the ciphertext
K = K1 K2 … Kn is the key obtained by repeating
[n/m] times, where m is the length of the key.

The modified Vigenerealgorithm for Encryption is as follows:


1) Let P be the plaintext message.
2) Let N be the count of characters in the alphabet
3) Generate a random key K by using the timestamp and
Figure 2 : Sender's end alphabets.
4) Pick a value randomly amongst 0 and 1. This value is
The steps at the Receiver’s end are as follows: -
the Randomizing Factor R.
1) Receive messageE + Cfrom the sender. 5) If the value of the Randomizing Factor is 0, then the
2) Split the message into two parts :- the encrypted key E message is encrypted by the normal Vigenere cipher
and the Ciphertext C. method.
3) Use RSA to decrypt E using own private key, obtaining C[i] = (P[i] + K[i]) mod N
random key K. 6) If the value of the Randomizing factor is 1, the do the
4) Use the modified Vigenere Cipher to decrypt the following: -
ciphertext C using the random key K, obtaining plaintext a. Generate a number I amongst 2, 3 and 5.
message P. This value will be the Randomizing IndexI.
b. Perform encryption as follows: -
i. Iteratei over the length of the
plaintext message.

ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
IEEE-International Conference on IoT and its Applications (ICIOT-2017)

ii. If i is divisible by I, then V. CONCLUSION AND FUTURE WORK


encryption is done as follows:
C(i) = [P(i) - K(i)] mod N This paper proposes a technique comprising of Symmetric
iii. Else, encryption is done as follows: and Asymmetric cryptography to secure the communication
C[i] = (P[i] + K[i]) mod N within an IoT system. The combination of Symmetric and
Asymmetric cryptography reduces encryption time compared
The Randomizing FactorR and the Randomizing indexI are to using Asymmetric cryptography alone. As a random key is
concatenated at a fixed position, either at the start or end of the generated for each communication, and is generated using the
encrypted message. These values are essential for decryption. current system timestamp as the seed, there is no relation
between the keys. This makes the communication more secure
The modifiedVigenere algorithm for Decryption is as follows: and tolerant to attacks. It also solves the problem of
distribution of Session-keys. The amount of plaintext
1. Let V be the message received (without the encrypted is small, and as stated above, there is no relationship
Random Key K) consisting of the Randomizing between the keys. This ensures the security of the scheme.
Factor R, the Randomizing IndexI, and the The proposed system can be further enhanced to include a
Encrypted Message C. multiplicative element in the modified Vigenere cipher. This
2. Let N be the count of characters in the alphabet. will increase the security of the cipher. Additional
3. Obtain the Random KeyK. enhancements can be done to ensure authentication of the
4. Check the Randomizing FactorR. sender to the receiving device. Asymmetric algorithms such as
a. If the value isF, then normal Vigenere Elliptical Curve Cryptography (ECC), etc. can be used for
decryption is used. encrypting the random key for each communication. Hashing
b. If Value is T, then the next character techniques can be used to ensure message integrity.
gives the RandomizingIndexI.
5. If the value of the Randomizing Factor is F, REFERENCES
perform decryption as follows.
[1] https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Te
C[i] = (P[i] - K[i]) mod N n_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
6. If the value of the Randomizing Factor is T, the [2] HP Study on IoT Home Security Systems,
do the following: - http://go.saas.hpe.com/l/28912/2015-07-
a. Let I be the randomizing index. 21/32bhy5/28912/69170/IoT_Home_Security_Systems.pdf
b. Perform decryption as follows: - [3] B.Vinayaga Sundaram; Ramnath.M ;Prasanth.M ;Varsha Sundaram.J,
i. Iteratei over the length of the “Encryption and Hash based Security in Internet of Things” 2015 3rd
Interational Conference on Signal Processing, Communication and
plaintext message. Networking (ICSCN)
ii. If iis divisible by I, then [4] Jin-Hee Han; YongSung Jeon; Jeongynyeo Kim,“Security
decryption is done as follows: Considerations for Secure and Trustworthy Smart Home System in the
C(i) = [P(i) + K(i)] mod N IoT Environment” 2015 International Conference on Information and
Communication Technology Convergence (ICTC)
iii. Else, decryption is done as
[5] C. Lee, L. Zappaterra, Kwanghee Choi and Hyeong-Ah Choi, "Securing
follows: smart home: Technologies, security challenges, and security
C[i] = (P[i] - K[i]) mod N requirements," 2014 IEEE Conference on Communications and Network
Security, San Francisco, CA, 2014, pp. 67-72.
[6] Freddy K Santoso ; Nicholas C H Vun “Securing IoT for smart home
C. RSA Algorithm system” 2015 International Symposium on Consumer Electronics
RSA stands for Ron Rivest, Adi Shamir and Leonard (ISCE), 24-26 June 2015
Adleman. RSA is an asymmetric cryptographic algorithm. It [7] Cuihua Tian, Xuhui Chen, Di Guo,Jinhua Sun,Ling Liu*, Jiangshui
Hong” Analysis and Design of Security in Internet of Things”, in 2015
involves two types of keys – A public key and a private key. 8th International Conference on BioMedical Engineering and
The public key is known to all and is used to encrypt Informatics (BMEI 2015)
messages. The private key is known only to the owner. [8] MdHusamuddin,Mohammed Qayyum,”Internet of Things :A Study on
Messages encrypted using the public key can be decrypted Security and Privacy Threats”, in 2017 2nd International Conference on
Anti-Cyber Crimes (ICACC)
using the private key. [11]
[9] Nicolas Sklavos I, III, I. D. Zaharakis,”Cryptography and
Security in Internet of Things (IoTs) : Models, Schemes and
D. Random Key generation Implementations”, in2016 8th IFIP International Conference on
New Technologies, Mobility and Security (NTMS)
The Random Key is generated using the timestamp as a seed. [10] Vigenere Cipher,
The Key generation is done sequentially using a combination https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
of mathematical functions chosen randomly. These functions [11] RSA ,”https://en.wikipedia.org/wiki/RSA_(cryptosystem)”
include additive and multiplicative operations.

ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)