Ad-Hoc Networking and Networks

ADHOC 1181 No.
of Pages 15, Model 3G

14 February 2015
Ad Hoc Networks xxx (2015) xxx–xxx
1
Contents lists available at ScienceDirect
Ad Hoc Networks
journal homepage: www.elsevier.com/locate/adhoc
5
6
3 Survey on secure communication protocols for the Internet of

4 Things
7 Kim Thuat Nguyen a,⇑, Maryline Laurent b,1, Nouha Oualha a,2
8 a
CEA, LIST, Communicating Systems Laboratory, 91191 Gif-sur-Yvette CEDEX, France
9 b
Institut Mines-Telecom, Telecom SudParis, UMR CNRS 5157 SAMOVAR, 9 rue Charles Fourier, 91011 Evry, France
10
a r t i c l e i n f o a b s t r a c t
1
2 2
5
13 Article history: The Internet of Things or ‘‘IoT’’ defines a highly interconnected network of heterogeneous 26
14 Received 5 June 2014 devices where all kinds of communications seem to be possible, even unauthorized ones. 27
15 Received in revised form 20 November 2014 As a result, the security requirement for such network becomes critical whilst common 28
16 Accepted 11 January 2015
standard Internet security protocols are recognized as unusable in this type of networks, 29
17 Available online xxxx
particularly due to some classes of IoT devices with constrained resources. The document 30
discusses the applicability and limitations of existing IP-based Internet security protocols 31
18 Keywords:
and other security protocols used in wireless sensor networks, which are potentially suit- 32
19 Security
20 Key management
able in the context of IoT. The analysis of these protocols is discussed based on a taxonomy 33
21 Internet of Things focusing on the key distribution mechanism. 34
22 Wireless sensor network Ó 2015 Elsevier B.V. All rights reserved. 35
23 Cryptographic primitives 36
24
37
38
39 1. Introduction over these devices. Such great feature enables the connec- 53
tion of literally billions of devices to the Internet, in which 54
40 The Internet of Things (IoT) is designed as a network of very different things such as a humidity sensor or an RFID 55
41 highly connected devices (things). In today perspective, the tag can communicate with each other, with a human carry- 56
42 IoT includes various kinds of devices, e.g., sensors, actua- ing a smartphone, or with a remote backend server. 57
43 tors, RFID tags, smartphones or backend servers, which While the concept of IoT is easy to grasp, major research 58
44 are very different in terms of size, capability and function- efforts still need to be made. Various aspects of IoT are cur- 59
45 ality. The main challenge is how to adapt such network so rently being discussed, such as IoT applications and archi- 60
46 to operate in the conventional Internet. Inspired by that tectures. In addition, more and more research efforts are 61
47 motivation, recent research efforts focus on the design, initiated in resolving challenges associated with security, 62
48 application and adaptation of standard Internet protocols privacy, and trust as IoT devices are increasingly deployed. 63
49 in the IoT. According to Gartner’s forecast [68], the IoT, which 64
50 The initiative of 6LoWPAN [9] working group allowed excludes PCs, smartphones and tablets, will grow to more 65
51 the smallest devices with limited processing capabilities than 26 billion units installed in 2020. Allowing each single 66
52 to become part of the Internet by enabling the use of IP physical object to connect to the Internet and to share 67
information, may create more threats than ever for our 68
personal data and business secret information. Concerned 69
⇑ Corresponding author. Tel.: +33 1 69 08 00 98. objects cover our everyday friendly devices, such as, ther- 70
E-mail addresses: kimthuat.nguyen@cea.fr (K.T. Nguyen), maryline. mostats, fridges, ovens, washing machines, and TV sets. It 71
laurent@telecom-sudparis.eu (M. Laurent), nouha.oualha@cea.fr is easy to imagine how bad it would be, if these devices 72
(N. Oualha).
1
were spying on us and revealing our personal information. 73
Tel.: +33 1 60 76 44 42.
2
Tel.: +33 1 69 08 46 25.
As an example, a major cyber-attack campaign observed by 74
http://dx.doi.org/10.1016/j.adhoc.2015.01.006
1570-8705/Ó 2015 Elsevier B.V. All rights reserved.
Please cite this article in press as: K.T. Nguyen et al., Survey on secure communication protocols for the Internet of Things, Ad Hoc Netw.
(2015), http://dx.doi.org/10.1016/j.adhoc.2015.01.006
ADHOC 1181 No. of Pages 15, Model 3G
14 February 2015
2 K.T. Nguyen et al. / Ad Hoc Networks xxx (2015) xxx–xxx
75 Proofpoint’s researchers [66] in January 2014, proved that while processing, storing, and transmitting data. The main 134
76 even a harmless fridge can be employed to launch security line of the existing surveys in relation with the IoT security 135
77 attacks. Their analysis shows that 25 percent of malicious is that they generally focus on identifying the challenges 136
78 emails from the cyber-attack between December 23, and the security threats present in the IoT. However, 137
79 2013 and January 2014 (over 750,000 messages), came several security solutions and techniques have been 138
80 from ‘‘smart’’ things, including home appliances (TVs, proposed since the advent of the IoT. For this reason, the 139
81 refrigerators. . .). It would be even worse if critical IoT present survey takes a different direction by looking in 140
82 applications, for instance, the control system in nuclear depth into these security protocols and techniques. Indeed, 141
83 reactors, the vehicle safety system or the remote monitor- we will not focus on specific security properties needed for 142
84 ing in healthcare, were compromised. the IoT. We will look closer at the security protocol itself, 143
85 By means of IP protocols crafted for the IoT, an IoT how it is constructed, which security properties are 144
86 device is able to directly interact with other Internet enti- provided, and which cryptographic primitives are used. 145
87 ties located far beyond its local network. In a typical WSN, Moreover, the survey proposes a new taxonomy of key 146
88 devices should be properly authenticated in the network establishment mechanisms in the context of IoT that 147
89 based on a set of credentials stored in a secure area. The allows to better understand the proposed security 148
90 security solutions generally deployed within the network approaches. In this way, strong and weak features of exist- 149
91 are poorly defined to protect communications within the ing approaches can be identified with the objective to build 150
92 network premises and not between external entities. To secure protocols for the IoT. 151
93 provide end-to-end security, the potential adaptations of The contributions of the document are threefold: 152
94 several standard security protocols have been studied in
95 [1] such as IKE/IPsec, TLS, DTLS, and HIP-DEX, but certain present an overview of the challenges and the require- 153
96 issues continue to persist using these solutions. In particu- ments to build a secure IoT; 154
97 lar, resource limitations and the large volume of IoT provide a taxonomy of different security protocols pro- 155
98 devices deployed in a network hamper the application of posed for WSN and IoT with respect to the employed 156
99 Internet standard solutions. key bootstrapping mechanism and also propose a com- 157
100 According to the authors in [67], several new issues parative analysis of these protocols and techniques; and 158
101 brought by IoT need also to be addressed, such as secure finally, provide a review of ongoing research initiatives 159
102 booting, firewalling and secure updating and patching. in the field of security in the IoT. 160
103 For example, we need to ensure that only authorized and 161
104 authenticated software are loaded into the embedded
1.2. Paper outline 162
105 device, for example, by verifying a digital signature
106 attached to the software image. As stated in a recently
The rest of this paper is organized as follows. Section 2 163
107 HP security report [9], almost 60 percent of smart devices
discusses the security requirements and challenges associ- 164
108 are not using encryption when downloading software
ated with the IoT. Section 3 gives a classification of recently 165
109 updates. In order to deploy security solutions to this prob-
proposed security protocols for IoT. Sections 4 and 5 give 166
110 lem, devices are required not only to use cryptographic
in-depth description of the protocols based on asymmetric 167
111 algorithms to perform encryption, but also to share the
key schemes and the protocols based on symmetric key 168
112 necessary keys required by these algorithms, which is an
pre-distribution schemes. Section 6 evaluates the solutions 169
113 even worse issue considering the foreseen large deploy-
according to the considered categories in terms of the chal- 170
114 ment and the general resource limitations of these devices.
lenges identified in Section 3. In Section 7, we look into 171
115 The main motivation of this survey is to identify secu-
promising security research directions for the IoT. Finally, 172
116 rity issues associated with IoT, and to demonstrate the lim-
concluding remarks are provided in Section 8. 173
117 itations of existing security solutions to fulfill these issues.
118 The reviewed solutions are analyzed and compared.
2. IoT security overview 174
119 1.1. Related surveys and positioning
The IoT offers connectivity for both human-to-machine 175
120 There have been several conducted studies and surveys and machine-to-machine communications. In the near 176
121 [e.g., 60–64] that are relevant to the security in the IoT. For future, everything is likely to be equipped with small 177
122 instance, Wang et al. [64] gave a very detailed survey of embedded devices which are able to connect to the Inter- 178
123 security issues in wireless sensor networks, which can be net. Such ability is useful for various domains in our daily 179
124 considered as a reference for the IoT. The authors identified life: i.e. from building automation, smart city, and surveil- 180
125 the constraints and the requirements based on the existing lance system to all wearable smart devices. However, the 181
126 attacks against the IoT at different layers. They also pre- more the IoT devices are deployed, the greater our infor- 182
127 sented the key management systems in WSN according mation system is at risk. Indeed, a non-negligible number 183
128 to the employed cryptographic primitives. Atzori et al. of devices in IoT are vulnerable to security attacks, for 184
129 [61] focused on authentication, data integrity and privacy example, denial of service and replay attacks, due to their 185
130 issues in the IoT, particularly in RFID systems and sensor constrained resources and the lack of protection methods. 186
131 networks. Kumar et al. [52] gave a general overview of This kind of attacks leads to sensor battery depletion and 187
132 security and privacy issues in IoT. They provided a descrip- results in poor performances of sensing applications. In 188
133 tion of different security threats and privacy concerns more serious cases, information leak from such tiny 189
14 February 2015
K.T. Nguyen et al. / Ad Hoc Networks xxx (2015) xxx–xxx 3
190 devices can expose sensitive data to the outside. In this between the sensor node and the outside world. The 6LBR 242
191 section, we firstly present the essential security properties may take part in the communication between two entities 243
192 for the IoT. Then, we summarize the challenges to be in a passive (transparent to the communicating parties) or 244
193 addressed in the IoT. active (as a mediator in the communication process) man- 245
ners. Our study concentrates mainly on securing unicast 246
194 2.1. Security properties communications between two entities. Note that group 247
communications are out of scope of this document. 248
195 Several security properties may need to be satisfied in
196 order to secure the IoT. These general security properties 3.2. Classification 249
197 have been also identified in [1,44]. Generally, the security
198 services that should be provided include confidentiality, In this document, existing security solutions for IoT is 250
199 integrity, authentication, authorization, and freshness. categorized into two main types: solutions that rely on 251
200 The security requirements are centered on data if sensitive asymmetric key schemes and solutions that pre-distribute 252
201 data measured or shared by IoT devices may need to be symmetric keys to bootstrap a secure communication. This 253
202 protected. Security requirements may also involve con- section describes the two first levels of the proposed 254
203 trolled access to other resources, for instance the IoT net- taxonomy. 255
204 work layer. Table 1 defines the security properties that
205 will be discussed in this document in relation with the – Asymmetric key schemes (AKSs): The key schemes 256
206 security protocols and solutions proposed for the IoT. based on asymmetric cryptography, also known as 257
Public-key cryptography (PKC) are considered as a very 258
common approach to establish a secure communication 259
207 2.2. Challenges
between two (or more) parties. They employ asymmet- 260
ric algorithms and are widely deployed in the conven- 261
208 The heterogonous nature of IoT raises various chal-
tional Internet. The applicability of AKSs in the IoT has 262
209 lenges in terms of data security and network functionality.
one major inconvenience, which is the computation 263
210 A secure and operational IoT must overcome the chal-
cost and energy consumption. Despite of expensive 264
211 lenges given in Table 2 in order to fulfill the above security
operations, a lot of researches still seek to apply AKSs 265
212 requirements.
in the context of IoT. The proposed approaches can be 266
classified into two categories: key transport based on 267
213 3. Taxonomy of security protocols for the IoT public key encryption and key agreement based on 268
asymmetric techniques. 269
214 The life cycle of a ‘‘thing’’ is composed of three phases Key transport based on public key encryption: Simi- 270
215 (as denoted in [1]): bootstrapping, operational and mainte- larly to the traditional key transport mechanism, 271
216 nance phases. The bootstrapping phase refers to any pro- the first category requires from the public key to 272
217 cessing tasks required before the network can operate. securely transport information. Various key estab- 273
218 Sarikaya et al. [44] also define that this process involves lishment techniques have been proposed for IoT, 274
219 a number of settings to be transferred between nodes that ranging from raw public key usage to complex 275
220 shared no prior knowledge of each other. The bootstrap- implementations in X.509 standard. 276
221 ping step of a device is complete when all security param- Key agreement based on asymmetric techniques: The 277
222 eters (e.g., secret keys) are securely transferred to the second category is based on asymmetric primitives 278
223 device. This study focuses on recent security solutions pro- in which a shared secret is derived among two or 279
224 posed for a secure bootstrapping process. The terms and more parties. In this category, we notice obviously 280
225 definitions used throughout the rest of the document are the DH protocol [11] and its variants as we will men- 281
226 presented in Table 3. tion later. 282
283
227 In this section, we first describe the reference model – Symmetric key pre-distribution schemes: In addition 284
228 that illustrates the scenario in which the considered secu- to asymmetric approaches, researchers propose also 285
229 rity protocols can be deployed. We then present, in Sec- multiple techniques using symmetric key establish- 286
230 tion 3.2, our classification of the security protocols based ment mechanisms to bootstrap secure communication 287
231 on the key bootstrapping mechanism, and compare, in Sec- in the IoT. Symmetric approaches often assume that 288
232 tion 3.3, our classification with related works. nodes involved in the key establishment share common 289
credentials. The pre-shared credentials might be a sym- 290
233 3.1. Scenario under consideration metric key or some random bytes flashed into the sen- 291
sor before its deployment. This category can be divided 292
234 The security protocols analyzed in this document, as into two main sub-categories: 293
235 illustrated in Fig. 1, involve two entities. At least one of them Probabilistic key distribution: This sub-category con- 294
236 is a device with resource constraints, whereas the second cerns the mechanisms that distribute security cre- 295
237 entity can be seen as another constrained device or an exter- dentials (keys, random bytes) chosen randomly 296
238 nal Internet server (i.e., with rich resources). The considered from a key pool to constrained nodes. During their 297
239 network of ‘‘things’’ consists of a number of tiny nodes com- initial communication, each two nodes may discover 298
240 municating with each other and with an unconstrained a common key, with certain probability, to establish 299
241 resource border router (6LBR). The 6LBR is the bridge a secure communication. 300
14 February 2015
Table 1
Security properties for security protocols in IoT.
Confidentiality Exchanged messages in the IoT may need to be protected. An attacker should not gain knowledge about the messages exchanged
between a sensor node and any other Internet entity
Integrity The alteration of messages should be detected by the receiver
Authentication The receiver should be able also to verify the origin of the exchanged messages
Authorization IoT devices should be able to verify whether certain entities are authorized to access their measured data. At the network layer, only
authorized devices should be able to access the IoT network. Unauthorized devices should not be able to route their messages over
the IoT devices, because it may deplete their energy
Freshness This property ensures that no older messages are replayed. This is important to secure the communication channel against replay
attacks
301 Deterministic key distribution: In this sub-category, a framework, mathematical framework, negotiation frame- 330
302 deterministic design is applied to create the key pool work and public key framework. They conclude that public 331
303 and to distribute uniformly the keys such that each key cryptography can be a viable solution for sensor nodes 332
304
305 two nodes share a common key. that run as client nodes (in the model client–server). For 333
306 server nodes, mathematical-based KMS, such as polyno- 334
307 Fig. 2 summarizes our taxonomy. Each class of the secu- mial scheme, provide better performances. The aforemen- 335
308 rity solutions provides its own advantages and disadvan- tioned approaches do not sufficiently cover possible key 336
309 tages, as it will be discussed in Sections 5 and 6. distribution mechanisms (asymmetric and symmetric 337
methods), for example, only symmetric approaches are 338
310 3.3. Related work in IoT security protocol classification studied in [52,64]. Besides, they provide heterogeneous 339
classifications due to unrelated different criteria, as in 340
311 Classification approaches have been proposed in several [63,64]. 341
312 works [10,52,63,64]. In [10], the authors propose several By taking into account the classifications described 342
313 ways to classify key establishment approaches, for above, especially in [10], our taxonomy covers asymmetric 343
314 instance based on the employed authentication method key distribution mechanisms for IoT, in addition to sym- 344
315 or the underlying cryptographic primitive. Camtepe and metric approaches. The taxonomy is marking out different 345
316 Yener [52] give a detailed classification of symmetric key protocols by the key establishment scheme used to estab- 346
317 distribution protocols for two different scenarios: distrib- lish a secret session key: asymmetric or symmetric tech- 347
318 uted and hierarchical WSNs. In each scenario, the authors niques. As mentioned in Section 3.1, we do not consider 348
319 analyze diverse mechanisms to establish pair-wise and protocols that establish group-wise keys between sensor 349
320 group-wise keys between sensor nodes. Similarly, Wang nodes for which interested readers could refer to [52]. Only 350
321 et al. [64] propose a classification of symmetric key man- pair-wise key establishments are considered in this paper. 351
322 agement protocols in WSN, but based on the network Our taxonomy has a high classification degree leading to a 352
323 structure and the probability of key sharing between a pair more in depth protocol evaluation. For instance, in the 353
324 of sensor nodes. Their works at a very first level differenti- asymmetric approach, we do not only discuss on the appli- 354
325 ate centralized and distributed key schemes. At a second cability of public key cryptography in the context of IoT, as 355
326 level, they provide other differentiation based on the prob- described in [63], but we also differentiate different 356
327 abilistic and deterministic key establishment mechanisms. asymmetric key schemes based on the key delivery scheme 357
328 Roman et al. [63] give a high level classification based on (key transport or key agreement). In symmetric key pre- 358
329 the key management systems (KMS), namely: key pool distribution schemes, we organize the existing security 359
Table 2
Research challenges in IoT.
Interoperability Deploying security solutions in the IoT should not hinder the functional operation of interconnected heterogeneous devices
Resource Most of IoT devices are limited in terms of CPU, memory capacity and battery supply. They often operate on lossy and low-
constraints bandwidth communication channels. It seems to be impossible to apply directly standard conventional security protocols of the
Internet in the context of IoT. As an example, the use of small packets (i.e. IEEE 802.15.4 supports only 127-bytes packets [25]) may
result in fragmentation of larger packets when using the standard protocols. This will exhaust the life time of sensor nodes and
open new possibility of DoS attacks. Hence, the standard security protocols must be redesigned to adapt such difficult scenario, in
order to offer equivalent security levels but more efficient performance for the IoT
Availability The sensor nodes must be available when needed. High availability network of things should remain functional, especially against
denial-of-service attacks, such as flooding of incoming messages to targeted nodes forcing them to shut down
Resilience to The system has to avoid single points of failure so a compromised node will not affect the whole system. Besides, the secured
attacks network must also avoid the resource-depletion attacks launched against resource-constrained devices
Privacy The popularity of RFID tags has raised privacy concerns because anyone can track tags and find the identity of the objects carrying
protection them. In addition, as wearable technology increases its pace, we will be soon able to connect our bodies to the Internet by ‘‘putting
on’’ tiny hardware devices (ex. Implant chips inside our bodies). Consequently, our personal information (i.e. healthcare records)
must remain secured and should not be traceable, linkable and identifiable
Scalability The IoT network, for instance WSNs, is generally composed of a large number of devices. The proposed security protocol should be
able to scale. This property is tightly related to the amount of information that each device has to keep in memory for a secure
channel to be negotiated with as many entities as possible (other sensor nodes or Internet entities)
14 February 2015
Table 3 sub-category, we classify these mechanisms based on the 384

Abbreviations and notations. public/private keys generation methods. 385
Abbreviation Definition Fig. 3 gives an example of a communication scenario 386
IoT Internet of Things between two entities A and B. In this scenario, A and B 387
WSN Wireless Sensor Network can use directly the public keys to create an encrypted 388
PKC Public Key Cryptography channel. The Certificate Authority (CA) may participate to 389
KDC Key Distribution Center verify the identity of the message transmitter when certif- 390
6LBR 6LoWPAN Border Router
PKG Private Key Generator
icates are supported. This method can be expensive for 391
DH Diffie–Hellman exchange resource-constrained-sensor nodes, in particular when 392

IBE Identity-based Encryption using a traditional algorithm like RSA. Without a verifiable 393
ECC Elliptic Curve Cryptography relationship between the public key and the identity (i.e. 394
ECDH Elliptic Curve Diffie–Hellman exchange
ID-based cryptography, cryptographic-based ID or with 395
CA mediation), this approach becomes vulnerable to the 396
360 protocols into two categories: probabilistic and determin- man-in-the-middle attack. Indeed, both A and B cannot 397
361 istic key distribution. These categories have also been authenticate each other’s identity. An attacker may gener- 398
362 mentioned in [52,64]. However, in the deterministic ate any public/private keys and pretend to be A when com- 399
363 approach, we go further by distinguishing protocols that municating with B. 400
364 have server(s) participating in the key negotiation process
365 from protocols that do not depend on any third party dur-
4.1.1. Raw public key encryption 401
366 ing key establishment phase.
Some mechanisms assume that the public key has been 402
distributed beforehand or using out-of-band communica- 403
367 4. Asymmetric key schemes tions. These mechanisms offer small number of message 404
exchanges but they are not scalable, because the public 405
368 The position of asymmetric cryptography or PKC is clear keys of all devices should be known by each device. 406
369 in the conventional Internet. However, it is not the case in Some ‘‘raw public key encryption’’ mechanisms, i.e. 407
370 the context of IoT because of its expensive encryption and Rabin’s scheme [19] or NtruEncrypt [27] have been recom- 408
371 verification operations. However, the development and mended for WSNs. 409
372 implementation of PKC in IoT has never been stopped. In Rabin’s scheme is very similar to the RSA algorithm 410
373 fact, new improvements of several primitives (i.e. ECC, (widely used cryptosystem), which is also based upon the 411
374 NTRU) continue to reduce the cost of cryptographic opera- hardness of the factorization problem. In fact, the scheme 412
375 tions, so the PKC approach is of a growing interest for con- requires the same energy consumption for decryption 413
376 strained environments. A brief study in the following operations than RSA with the same security level. 414
377 sections demonstrates various possible forms of asymmet- However, it offers much faster mechanism for encryption 415
378 ric key schemes in IoT. operations because only one squaring is required to 416
encrypt a message. 417
379 4.1. Key transport based on public key encryption NtruEncrypt is a cryptosystem which is known to be a 418
lattice-based alternative to RSA and ECC (Elliptic Curve 419
380 This sub-category looks into the key establishment Cryptography) primitives. The mechanism is highly effi- 420
381 schemes where the public key is used to transport secret cient and suitable for the most limited-resource devices 421
382 data or to negotiate a session key. Several methods are such as smartcards and RFID tags. In [27], the authors give 422
383 used to generate the pair of public and private keys. In this a comparison of the three PKC mechanisms proposed for 423
Fig. 1. Network architecture of our scenario.
14 February 2015
Fig. 2. Classification of key bootstrapping mechanisms in IoT.
424 constrained devices: the Rabin’s scheme, NtruEncrypt and implement DTLS using hardware assistance on sensor 463
425 ECC. The results show that NtruEncrypt leads to the small- nodes. The solution assumes that each sensor is equipped 464
426 est average power consumption. Nevertheless, this crypto- with a TPM (Trusted Platform Module). A TPM is an 465
427 system often requires large-size messages, and might embedded chip that offers secure generation of crypto- 466
428 result in packet fragmentation at lower layers and many graphic keys and sealed storage as well as hardware sup- 467
429 re-transmissions in the presence of communication errors. port for cryptographic algorithms. The fully authenticated 468
430 The protocols that are based on ‘‘raw public key encryp- handshake can be performed between a sensor (equipped 469
431 tion’’ require small number of exchanged messages; this is with TPM) and a subscriber (another sensor or external 470
432 actually advantageous if the transmission power is the entity). Both sensor and subscriber transmit their X.509 471
433 most important and limiting factor. certificate to initiate the authentication phase. These cer- 472
tificates are signed by a trusted CA and are included in a 473
fully authenticated DTLS handshake. This solution not only 474
434 4.1.2. Certificate-based encryption
has a high security level by establishing the trusted rela- 475
435 Certificate-based protocols are a popular choice to
tionship with the assistance of an approved third party, 476
436 establish a secure communication between two entities
but it also provides message integrity, confidentiality and 477
437 over Internet. The trust relationship between the two enti-
authenticity with affordable energy, end-to-end latency 478
438 ties is guaranteed by a well-known third party (CA) using
and memory overhead as claimed by the authors. 479
439 the standard X.509 certificate that validates the identity
Nevertheless, the approach is expensive and complex 480
440 of the entity as illustrated in Fig. 3. Indeed, each sensor
with respect to deploying a hardware accelerator next to 481
441 node possesses a certificate signed by the trusted CA. This
every sensor, especially for large number of sensors. 482
442 latter can be loaded into the node before the deployment
Optimization of existing protocols (software imple- 483
443 or can be directly acquired on request from a trusted party.
mentation): A security protocol employing the certificates 484
444 TLS [12] has been recommended by many standards
is tailored to provide higher performance without affecting 485
445 specified by IETF (Internet Engineering Task Force) for
the robustness of the protocol. Raza et al. [4] propose a 486
446 security services. However, it is mentioned in [3,4] that
modification of DTLS using the 6LoWPAN compression 487
447 TLS is not a wise choice with respect to the security best
mechanism [14]. The modified protocol reduces the size 488
448 practices in IoT. In fact, TLS runs normally in a reliable
of some headers (i.e. the DTLS record header, the hand- 489
449 transport protocol like TCP which is unsuitable for con-
shake header, the handshake message). These changes 490
450 strained resource devices, due to its congestion control
improve the performance of DTLS in terms of packet size, 491
451 algorithm. As a replacement for TLS in the tightly con-
energy consumption, processing time and network 492
452 strained environments, the DTLS (Datagram Transport
response time. However, the proposed solution does not 493
453 Layer Security) protocol has been proposed recently. It
propose backward compatibility with the actual DTLS stan- 494
454 operates over the unreliable transport protocol i.e., UDP
dard, in particular with respect to header compression. 495
455 and provides the same high security levels as TLS.
Hummen et al. [36] propose a design idea to effectively 496
456 The utilization of a certificate is basically expensive. To
reduce the overhead of the DTLS handshake. Full handshake 497
457 reduce the power consumption, both hardware and soft-
procedure requires 15 message exchanges, high dynamic 498
458 ware related improvements have been considered by
storage capability (RAM) during the communication and 499
459 researchers:
long processing time for cryptographic tasks. In order to 500
460 Usage of cryptographic hardware accelerators: The
mitigate the full handshake inconvenience, the authors 501
461 hardware accelerators are in charge of all cryptographic
propose to delegate the handshake procedure to a rich- 502
462 computations. Kothmayr et al. [3] propose a method to
14 February 2015
Fig. 3. Public key transport mechanism.
503 resource entity, e.g. the gateway or the device’s owner. All limited to the point multiplication operations and it 542
504 certificate related tasks are performed in the rich-resource requires smaller key size than RSA for the same level [30]. 543
505 entity and only the session-state message is sent to the con-
506 strained device. The session can then be established using 4.1.3. Identity-based schemes (IBS) 544
507 this message with no additional calculation. This modified The first implementation of Identity-Based Cryptogra- 545
508 DTLS can highly reduce communication overhead at the phy was developed by Shamir [6]. This type of cryptogra- 546
509 condition that the rich-resource server is trusted. phy defines a well-known string (identity) representing 547
510 Granjal et al. [31] present similar modifications to DTLS, an individual or an organization, which is used as a public 548
511 but the DTLS handshake is mediated by the 6LoWPAN Bor- key. The private key of each entity is generated from its 549
512 der Router (6LBR). The 6LBR participates in the secure public key by a trusted party (Fig. 4), named a Public Key 550
513 communication but is transparent to sensing devices and Generator (PKG). This solution eliminates the need for cer- 551
514 the Internet host. The border router intercepts and for- tificates, which makes the solution advantageous espe- 552
515 wards packets at the transport-layer. From the point of cially for WSNs. Indeed, any sensor nodes can simply 553
516 view of the Internet host, it communicates with the 6LBR generate the public key of other nodes when needed to 554
517 using traditional DTLS protocol where authentication is establish a secure communication using their identities. 555
518 supported by ECC based certificate. On the other side, the In addition, the revocation mechanism is supported by 556
519 6LBR operates in the pre-shared key security mode for consulting the list of valid sensor identities. However, ID- 557
520 communicating to the constrained sensing devices. More- based schemes are vulnerable to key-escrow attacks as 558
521 over, the 6LBR authenticates the nodes with a mechanism the PKG knows the private keys of all nodes in the network. 559
522 inspired by Kerberos [18]. If the authentication is success- It can impersonate any node and consequently intercept all 560
523 ful, a secret session key is generated to secure the commu- the traffic in the system. Therefore, the PKG is always con- 561
524 nication between the sensing devices and the 6LBR. sidered as well protected and trusted by all network nodes. 562
525 Actually, it is used to encrypt the pre-master key in the Cli- In a constrained environment, IBE paradigm is mostly 563
526 entKeyExchange message that the Internet host sends to the implemented using the ECC primitive [46,31]. Implemen- 564
527 6LBR. When the pre-master secret key is computed suc- tations on other primitive exist, for example, RSA or ElG- 565
528 cessfully in the Internet host and the sensing device, end- amal-type IBE [47]. Nevertheless, they are too much 566
529 to-end DTLS security is enabled. The proposed architecture expensive for constrained nodes because they are based 567
530 delegates all the expensive operations (ECC computation, on exponentiation operations with a large exponent. Yang 568
531 key agreement. . .) to the border router so that it offers bet- et al. [46] propose IBAKA – an IBE scheme inspired by 569
532 ter lifetime for sensing devices. Nevertheless, the 6LBR is Boneh et al. scheme [45]. However, they tailor the IBE 570
533 considered to be a single point of failure. method into an ECDH [32] key exchange in order to estab- 571
534 The IKE protocol [59] works usually jointly with IPsec to lish a session key. Their proposal still requires 2 bilinear 572
535 provide security associations (SAs) between two entities. pairings and 3 scalar point multiplications each time a 573
536 This protocol has a variant where the mutual authentica- secret key is bootstrapped. 574
537 tion is enabled using RSA-based certificates. Ray and Bis- Szczechowiak and Collier [7] propose TinyIBE – a very 575
538 was [59] propose another variant for IKE that is based on simple authenticated key distribution based on IBE for het- 576
539 ECC-based public key certificate for authentication and erogeneous sensor networks. The scheme requires no pair- 577
540 ECDH for key agreement instead of RSA and DH protocol. ing calculation. It is able to retrieve a session key for two 578
541 The proposal reduces the computation cost as it is mainly nodes after only 2 message exchanges. 579
14 February 2015
Fig. 4. Identity-based cryptography infrastructure.
580 4.2. Key agreement based on asymmetric techniques Some variants of the DH protocol are considered in con- 597
strained environments using ECC, i.e. ECDH. The ECDH 598
581 This sub-category is about key agreement protocols cryptographic primitive offers smaller key size than RSA. 599
582 based on asymmetric primitives in the IoT. As mentioned Indeed, the US National Institute for Standard and Technol- 600
583 in various research works, a key agreement protocol is ogy (NIST) in [30] has showed that to achieve the security 601
584 the mechanism where two (or more) parties derive a level of 128-bit AES key size, one can prefer 256 bit key 602
585 shared secret and no other party can predetermine the size using elliptic curve instead of 3072 bit parameters in 603
586 secret value. Fig. 5 illustrates the process of a typical asym- RSA and DH protocol. As an example, de Meulenaer et al. 604
587 metric key agreement. Km is the secret generated after the [32] implemented a key agreement protocol based on 605
588 agreement procedure. This symmetric key is then used to ECDH providing authentication using the Elliptic Curve 606
589 secure the communication. Digital Signature Algorithm (ECDH-ECDSA). 607
590 The Diffie–Hellman (DH) protocol [11] and its Practical measurements on the MICAz and the TelosB 608
591 variants are classical examples for symmetric key sensors showed that ECDH-ECDSA is affordable in terms 609
592 agreement. However, DH protocols are considered of computation complexity. 610
593 expensive and unsuitable for the constrained nodes in IBAKA [46] proposes a combination of ECDH and IBE for 611
594 particular, for class 0 and 1 according to the node sensor networks. The scheme relies on the ECDH protocol, 612
595 classification in terms of resource capacity in lwig and additionally provides the privacy of message 613
596 -terminology [29]. exchanges using Boneh et al. identity-based scheme [45]. 614
Fig. 5. Key agreement based on asymmetric mechanisms.
14 February 2015
615 HIP-DEX (Host Identity Protocol Diet Exchange) [15] nodes, unless the adversary manages to eavesdrop on all 672
616 applies also the DH protocol to generate a session key paths between them. 673
617 between two entities after only a 4-messages exchange. The probabilistic key distribution generally does not guar- 674
618 This protocol is a variant of HIP Base Exchange [53] specially antee session key establishment between all nodes even 675
619 designed to reduce the complexity of cryptographic compu- with the path-key establishment phase. Two nodes may 676
620 tations. It uses the smallest possible set of cryptographic not share any common keys with a certain probability. 677
621 primitives (e.g., AES-CBC instead of cryptographic hash
622 functions), removes digital signatures and implements sta- 5.2. Deterministic key distribution 678
623 tic ECDH to encrypt the session key, etc. This protocol has
624 been largely taken into consideration in the context of IoT In this sub-category, the described key schemes rely on 679
625 by many recent works [2,53]. For instance, Meca et al. [2] a deterministic process to generate the key pool and to dis- 680
626 propose an efficient network access mechanism based on tribute keys to nodes in order to guarantee secure full con- 681
627 HIP-DEX for mobile nodes joining the local sensor network. nectivity in the network. In deterministic solutions, the key 682
628 Besides, Hummen et al. [53] tailor HIP-DEX to the IoT, in schemes are distinguished by the presence or not of a 683
629 particular, by adapting the session resumption mechanism trusted third party during the key bootstrapping. 684
630 as in TLS [13]. As such, the constrained node performs
631 expensive operations once and maintains session-state for 5.2.1. Offline key distribution 685
632 re-authentication and re-establishment of a secure channel. The offline key distribution method is widely used in 686
633 The key agreement protocols based on DH require fewer WSNs because of its simplicity. Depending on the used 687
634 messages to establish a session key but the computational protocol, every node in the same network may share a net- 688
635 tasks on sensor nodes are usually complex. work key or each two nodes may have a common pairwise 689
key. The session key is then generated after very few data 690
636 5. Symmetric key pre-distribution schemes exchanges without the presence of any third party. The off- 691
line key distribution provides efficiency in terms of energy 692
637 In this sub-category, the communicating parties often consumption because it does not require expensive 693
638 initially share some credentials before bootstrapping the cryptographic computations like asymmetric approaches. 694
639 communication. The key pre-distribution mechanisms However, when a sensor node is physically attacked, the 695
640 may differ as described in the following sections. secret data stored inside the node can be exposed. Conse- 696
quently, the attacker can gain access to several nodes 697
641 5.1. Probabilistic key distribution which share the secret key with the attacked node, or in 698
the worst case, it may access the whole network. 699
642 The mechanism of random key pre-distribution (RKP) In several existing works, mathematical properties have 700
643 was first proposed by Eschenauer et al [48]. A typical RKP been applied to create the model for securing key 701
644 consists of three phases: key pre-distribution, shared-key exchanges between sensor nodes. These mechanisms are 702
645 discovery and path-key establishment. In the scheme, a still applicable in the context of IoT. The most well-known 703
646 large key pool is generated. Keys are then randomly schemes are based on bivariate polynomials [8,26]. In these 704
647 selected from the key pool and distributed to sensor nodes. schemes, a node A shares with other nodes a bivariate n- 705
648 Any two nodes may share a common key with a certain degree polynomial f(x, y). A can obtain the pairwise key 706
649 probability. The third phase is triggered when two nodes with another node B by calculating the value of f(IdA, IdB), 707
650 do not share any common key. In this process, one node where IdA and IdB are the respective identities of A and B. 708
651 first generates a random key K. It then sends the key to In the same way, B can obtain the same pairwise key, since 709
652 its neighbors using the pre-established secure channel. f(IdA, IdB) is equal to f(IdB, IdA). In another scheme, called the 710
653 The process continues until the key K arrives at the other Bloom’s scheme [38], a secret symmetric matrix D is gener- 711
654 node. K is considered afterward as the pairwise key ated from the shared secret key between two nodes A and B. 712
655 between both nodes. Each of them generates a public matrix IA and IB respec- 713
656 Several solutions are inspired by this scheme [37,49–51]. tively for A and B. The private keys are respectively privA = - 714
657 These proposals improve specially the pre-distribution D x IA and privB = D x IB for A and B. Finally, the pairwise key 715
658 phase to enhance the key connectivity between nodes and is calculated by solving (privA x IB) or (privB x IA). The prob- 716
659 reduce the memory space needed for key storage. In fact, lem with these latter two schemes is that the session key 717
660 Du et al. [37] propose a key pre-distribution scheme will remain unchanged for every two nodes. 718
661 that relies on the deployment knowledge and avoids SNAKE [41] and BROSK [39] are two key establishment 719
662 unnecessary key assignments. Ito et al. [50] develop a schemes where the session key is generated without the 720
663 scheme based on Du et al. [37] works but the keys are need for a key server to perform key management. These 721
664 mapped on two-dimensional positions. They propose a two protocols assume that all nodes in the same network 722
665 probability density function which provides better key con- share a master secret key. In SNAKE, the session key is 723
666 nectivity. Chan et al. [49] develop also a mechanism to rein- obtained by hashing two random nonces generated from 724
667 force the path-key establishment phase. The basic idea is each communicating party using the pre-shared key. 725
668 that node A finds all possible links to a node B. It generates BROSK broadcasts the key negotiation message containing 726
669 for each link a random value and routes these values to B. a nonce. Once a node receives the message from its neigh- 727
670 The common keys between A and B are protected by these bors, it can construct the session key by computing the 728
671 random values. The generated key will be shared by both message authentication code (MAC) of two nonces. 729
14 February 2015
Fig. 6. Server-assisted mechanism.
730 Raza et al. [25] implement the standard Internet security at rich–resource servers. Server-assisted approaches for 747
731 protocol IPsec in an IP-based WSN (using 6LoWPAN). The key establishment protocols have been proposed in this 748
732 authors propose mechanisms to compress the AH and ESP respect in IoT. In such protocols, message exchanges 749
733 header in order to integrate IPsec with the 6LoWPAN layer engage two entities and one (or more) trusted server. The 750
734 but they keep a reasonable packet size. AH and ESP mecha- server shares long-term key a priori with each communi- 751
735 nisms provide origin authenticity, message integrity and cating entity. It often plays the role of a Key Distribution 752
736 confidentiality protection of IP packets but they do not han- Center (KDC) and then supplies the session key to each 753
737 dle the key exchange. The security associations are estab- party by re-encrypting it using the shared keys as shown 754
738 lished manually using pre-shared key. in Fig. 6. 755
739 The offline key distribution does not provide rekeying
740 operations. When the system changes to other secret keys, (1) External assisted server 756
741 all the entities in the network need to be updated to estab- 757
742 lish secure communications using the new keys. In this sub-category, the assisted entities are external 758
rich-resource servers which are located outside the WSN. 759
743 5.2.2. Server-assisted key distribution As a result, they can handle the key distribution of one or 760
744 Due to the resource limitations of constrained devices, several WSNs. 761
745 the cryptographic computation and other expensive tasks The second approach proposes in [3] is inspired by the 762
746 (e.g., identity management, key generation) can be handled TLS Pre-Shared Key cipher suite [13]. Each sensor has to 763
Fig. 7. Proxy-based assisted server infrastructure.
14 February 2015
764 pre-install some random bytes called protokeys before the establishment between a sensor node and an external 824
765 deployment. These random bytes are used to derive the Internet host. Upon the reception of a sensor node request, 825
766 PSK (Pre-Shared Key) key for each session. Instead of using the PBS authenticates the sensor node with the help of 826
767 TPM, a central rich-resource server is employed to create 6LBR. It then applies a DH key agreement mechanism with 827
768 the security association between the sensor node and the the remote server and calculates the session key (SK) on 828
769 subscriber. The protokeys are also known by the trusted behalf of the sensor node as the sensor node is resource 829
770 server. The server then generates the same session key constrained. Finally, the sensor node can communicate 830
771 for the subscriber from the protokeys. with the remote server in a secure manner using the SK 831
772 MIKEY-Ticket [17] is an additional mode to the basic received from the PBS. 832
773 MIKEY [22] protocol, in which a KDC is involved in the pro- In this same sub-category, Saied and Olivereau [43] 833
774 cess of establishing a security association between the two present the Distributed HIP Exchange (D-HIP) protocol 834
775 parties. MIKEY-Ticket originated from the ticket concept of inspired by HIP-BEX [53]. They use the same network 835
776 Kerberos [18]. The KDC securely communicates with the model as described in Fig. 7. During the key negotiation 836
777 node initiating the protocol (Initiator) and the responding step, a constrained node establishes a session key with 837
778 node (Responder) by encrypting important data using the the server using the DH protocol by delegating the 2 mod- 838
779 pre-shared master key shared with each node. Neverthe- ular exponentiation operations to the proxy nodes. It first 839
780 less, the protocol is vulnerable to Denial of Service (DoS) splits its secret exponent a into n parts a1, a2, . . . , an where 840
781 attacks, particularly replaying messages to the Responder. n is the number of the less constrained nodes. It then sends 841
782 To prevent these attacks, Boudguiga et al. [20] propose a each part ai to a neighbor node (proxies) PBSi. The node PBSi 842
783 new key establishment, called SAKE (Sever Assisted Key calculates its part of the final DH session key: SKi = (gb mod 843
784 Establishment) based on the MIKEY-Ticket mode but p)ai where the value (gb mod p) is achieved from the remote 844
785 removing the threat of DoS attacks. SAKE allows establish- server (or Internet host). PBSi sends SKi back to the con- 845
786 ing security associations between the two parties after strained node. From these values, the constrained node 846
787 only five exchanged messages, compared to six messages obtains the same final DH session key as the server (by 847
788 in the original MIKEY-Ticket. Indeed, upon reception of multiplying the n values received). This approach has a 848
789 the first message from the Initiator, the KDC generates major advantage that all expensive computation tasks are 849
790 the session key and contacts directly the Responder. This done by the PBS nodes. However, the number of message 850
791 change reduces one message exchange comparing to exchanges can be large depending on the number of PBS 851
792 MIKEY-ticket. Besides, as each message of SAKE contains nodes. As we know, the transmission cost is non-negligible 852
793 a MAC computed with a key shared with the receiver, the and packet lost during communication can happen at any 853
794 DoS attack is mitigated. time. 854
795 Other IoT solutions of key distribution based on an
796 external server, include solutions that implement the
797 PANA protocol (Protocol for Carrying for Network access) 6. Discussion 855
798 [23]. PANA runs over UDP and uses EAP (Extensible
799 Authentication Protocol) for authentication that supports Table 4 illustrates examples of security protocol solu- 856
800 multiple authentication methods including pre-shared tions which are implemented in WSN and IoT. It compares 857
801 key distribution. Kanda et al. [24] propose an improvement these solutions using the identified criteria given in 858
802 of PANA to adapt the resource-constraints. The main mod- Section 2. 859
803 ifications consist of reducing the number of message At first glance, we can easily identify that most of the 860
804 exchanges (e.g., choosing EAP-PSK as the only authentica- general security services are well provided by the proposed 861
805 tion method), removing unused PANA header fields, mini- protocols. Nevertheless, few protocols support the Access 862
806 mizing the collection of cryptographic primitives at the control (AC) and Privacy Protection (PP) properties. The AC 863
807 constrained device. These proposals may effectively reduce service is very important and needed in such perspective 864
808 the PANA implementation code size at the device, but the where an Internet host can only access the sensor node 865
809 authors do not give an estimation of the gains that might to execute actions or to retrieve data according to its access 866
810 be obtained, for example, in terms of energy consumption privileges. The server-based protocols usually offer this 867
811 or network-response time. requirement, for example, with the help of an authoriza- 868
tion server. On the other hand, the PP strengthens the ano- 869
812 (2) Proxy-based assisted server nymity of communications. This property becomes very 870
813 important in today perspective as personal data on sensor 871
814 This sub-category does not require an external server nodes must remain untraceable by any attackers. 872
815 but a proxy-based server (PBS) located within the WSN, In the high level synthetic picture, the table shows that 873
816 as shown in Fig. 7. This server is equipped with sufficient the asymmetric solutions usually require high computation 874
817 resources and storage capacity to execute all expensive complexity on sensor nodes. However, these approaches 875
818 tasks for constrained nodes. It often plays the role of a have high resilience against node capture attacks, low 876
819 mediator to associate the sensor nodes and other entities. memory requirements for keying materials, few message 877
820 Additionally, the PBSs usually share a symmetric secret exchanges and high scalability for large networks. On the 878
821 key with the constrained nodes and the 6LBR router. other hand, the key pre-distribution schemes offer low 879
822 Using the same considerations, Hussen et al. [42] complexity computation which is really beneficial for con- 880
823 propose SAKES providing secure authentication and key strained nodes, but, they have their own inconveniences, 881
12
14 February 2015
ADHOC 1181
Table 4
Summary of proposed security solutions for IoT. Solutions are grouped based on the mentioned classification in Fig. 1.
Confiden- Integrity Authen- Autho- Fresh- Resil- Computation Commu- Memory Scala- Privacy
tiality tication rization ness ience Complexity nication bility Protection
Complexity
Key bootstrapping Asymmetric Key transport RPKE Protocols based d n/a n/a n/a n/a d s s d d n/a
in IoT key schemes based on on: NTRU [44],
public key Rabin’s scheme
encryption Moustaine and n/a d d s s d d d d d d
Laurent [56]
ZKP based on n/a d d s d d s d d d d
ECDLP [34]
CBE DTLS modified d d d s d d s s d d d
[4,36]
IKEv2-ECC based d d d s d d s s d d d
K.T. Nguyen et al. / Ad Hoc Networks xxx (2015) xxx–xxx

[59]
IBS TinyIBE [7] d s d s s d d s d s s
IBAKA [46] d d d s d d s s d d d
Key ECDH-ECDSA [32] d d d s d d s d d d s
agreement HIP-DEX [15] d d d s d d d d d d s
based on
asymmetric
techniques
Symmetric Probabilistic E-G [48] d s s s s s d s s s s
key pre- key Du et al. [37] d s s s d s d s s s s
distribution distribution Chan et al. [49] d s s s s s d s s s s
schemes Ito et al. [50] d s s s s s d s s s s
Deterministic OKD Blom’s scheme d s s s s s d d d s s
key based [37,38]
distribution SNAKE [41] d d d s d s d d d s s
BROSK [39] d d d s d s d d d s s
Lightweight IPsec d d d s d s s s d d d
[25]
DTLS-PSK [31] d d d s d d s s d d d
Diet-ESP [55] d d d s d d d s n/a s d
EAS Mikey-ticket [17] d d d d d s d d d s s
SAKE [20] d d d s d d d d d s s
PANA/EAP-PSK d d d s d d d d d s s
[23,24]
No. of Pages 15, Model 3G

PBAS SAKES [42] d d d s d d s d s s s
D-HIP [43] d d d s d s s s s s s
Some abbreviations are used: (RPKE) – Raw public key encryption, (CBE) – Certificate based encryption, (IBS) – Identity based schemes, (OKD) – Offline key distribution, (EAS) – External server assisted, (PBAS) –
Proxy-based assisted server. Eleven metrics are provided to evaluate the solutions: Confidentiality, Integrity, Authentication, Authorization, Freshness, Resilience, Computation complexity, Communication
Complexity, Memory or storage space required for keying materials, Scalability and Privacy Protection. The Resilience, Computation complexity, Communication Complexity and Memory columns can take two
different values: d (good or medium performance level) and s (low performance level), which indicate the level of a specific protocol to support a property. Communication complexity refers to the number of
message exchanges in general until a secret key is negotiated. The (n/a) notation means ‘‘not applicable’’. We define simple notations to evaluate the security services: d – supported, s – not supported. The
evaluation of RPKE assumes the protocols that used the mentioned primitives (no real protocol reference).
14 February 2015
882 such as high communication complexity, high memory require only additions and circular shifts to encrypt the 940
883 space for keying materials, low level of scalability for large challenges during the authentication phase. Besides, the 941
884 networks and vulnerability against node capture attacks. protocol is resistant against classical attacks including 942
replays, tracking and man in the middle attacks with very 943
885 7. Overview on recent trends on IoT security protocols low requirements for computation. 944
As another asymmetric technique, Zero-knowledge 945
886 There are some new approaches being pushed by proofs (ZKP) [16,34] is also a candidate for future proposals 946
887 researchers. They always keep their interest in both asym- in IoT. ZKP are interactive proof systems involving two 947
888 metric and symmetric approaches; even if the symmetric entities: a prover and a verifier. The prover demonstrates 948
889 paradigm is considered to be more energy efficient. The the knowledge of a secret to the verifier without revealing 949
890 asymmetric solutions are still preferable because of their a single bit about the secret. ZKP relies on some hard math- 950
891 deployment facility, flexibility and scalability in terms of ematical problems, such as the factorization of integers, i.e. 951
892 key management. Besides, the public key paradigm allows [16] or the discrete logarithm problem (DLP) [34]. This 952
893 two entities without any prior-trust relationship with each mechanism is commonly used in WSN for node authenti- 953
894 other, establishing a secure channel, which is generally an cation. For example, the authors in [34] provide an efficient 954
895 important feature in real time scenarios. authentication scheme based on DLP over elliptic curve 955
896 The following points need to be highlighted before groups. The scheme requires only three messages between 956
897 designing any efficient security protocols for constrained the prover and verifier. ZKP has advantages in terms of the 957
898 devices in IoT: amount of messages being sent and the memory usage on 958
899 Optimizing asymmetric solutions: The asymmetric nodes as also mentioned in [16,34]. One can benefit ZKP to 959
900 approaches are generally energy-consuming. The first propose an efficient key bootstrapping protocol in IoT with 960
901 ambition is to reduce the required computation time in the node authentication provided by ZKP. 961
902 order to save energy for sensor nodes. One can think about Tailoring the existing standard protocols to IoT: Stan- 962
903 adapting directly NTRU to the standard protocols because dard security protocols can be adapted to work in con- 963
904 it is currently the most energy-efficient primitive. How- strained and heterogeneous environments of IoT. As 964
905 ever, this primitive requires more memory space for key- described in this document, many attempts have been 965
906 ing materials than other asymmetric primitives. Some done to adapt and apply standard protocols in the context 966
907 researchers are working on optimizing mathematical of IoT, for example, DTLS [4,36], IPsec [25], IKEv2 [59], HIP- 967
908 mechanisms used in cryptographic algorithms, i.e. Marin DEX [2,15,53]. As another example, Kivinen [57] propose a 968
909 et al. [35] discuss a solution to optimize the ECC primitives. minimum implementation of standard IKE [58] by remov- 969
910 They propose an optimization for the modular multiplica- ing the requirement for certificates. This minimum variant 970
911 tion operation. The solution is evaluated in the widely- defines only two message exchanges for key negotiation 971
912 used microprocessor MSP430. The authors claimed that and provides entity authentications using pre-shared key 972
913 the optimization is presenting the lowest time and number approach. On the other hand, Migault et al. [55] suppose 973
914 of required operations for ECC multiplication. Another that the security associations between entities are estab- 974
915 method to reduce the energy consumption on sensor nodes lished using existing mechanism like IKEv2. They are inter- 975
916 relies on pre-computation techniques. It helps diminishing ested in the security of packet transmissions by proposing 976
917 the cost of modular exponentiations in several signature Diet-ESP – an adaptation of ESP (Encapsulation Security 977
918 and key management schemes, such as ECDSA or Protocol) to IoT in order to compress and reduce the ESP 978
919 Diffie–Hellman key exchange. The idea is to store a set of overhead. The authors define mechanisms to remove or 979
920 n Discrete Log pairs in the form (ai ; g ai mod q). Then, a reduce some ‘‘unnecessary’’ or ‘‘larger than required’’ ESP 980
921 ‘‘random’’ pair ðr; g r mod qÞ is generated from a subset of fields for the specific needs or applications of IoT devices. 981
922 k pairs chosen randomly in the memory. The technique However, the deployment of Diet-ESP has to keep the 982
923 seems simple, but it requires the value of n to be suffi- trade-off between the security requirements and the bat- 983
924 ciently large in order to ensure the randomness of the gen- tery life time of constrained devices. Indeed, as depicted 984
925 erated pairs ðr; g r mod qÞ. Ateniese et al. [65] improve the by the authors, small SPI (Security Parameters Index) size, 985
926 pre-computation techniques above and apply it to ECDSA. small size of ICV (Integrity Check Value) and removing SN 986
927 They show that the almost 50% of energy is saved with (Sequence Number) expose the devices to respectively 987
928 ECDSA with pre-computation compared to the original sig- Denial of Service, spoofing and replay attacks. 988
929 nature scheme and also to the NTRUsign signature scheme Using hybrid approaches: Another trend consists of 989
930 (which is considered to be a natural candidate in low- combining the advantages of both symmetric and asym- 990
931 power devices). metric solutions. Meca et al. [2] choose HIP-DEX (an asym- 991
932 On the other hand, several researches adapt the proper- metric technique) [15] to provide access to a local sensor 992
933 ties of asymmetric primitives in an optimized manner to fit network. A mobile node is authenticated with help of a 993
934 in the most constrained environment of IoT. Effectively, central server. If the authentication is successful, the server 994
935 Moustaine and Laurent [56] propose an efficient authenti- sends securely the necessary parameters for the mobile 995
936 cation protocol for low-cost RFID systems based on an node by encrypting the data with the session key gener- 996
937 adaption of NTRU. This adaption first delegates the com- ated after the DH exchanges. These parameters are actually 997
938 plex operations of NTRU (i.e. modular arithmetic, polyno- a bivariate polynomial used to bootstrap secure communi- 998
939 mial multiplication) to the server. Secondly, the tags cations with a local node (a symmetric technique). The 999
14 February 2015
1000 pairwise key generated by the shared polynomial is [4] S. Raza, H. Shafagh, et al., Lithe: lightweight secure CoAPs for the 1056
Internet of things, IEEE Sens. J. 13 (10) (2013). 1057
1001 employed as a master key to generate multiple session 1058
[5] B. Aoba, L. Blunk, et al., Extensible Authentication Protocol (EAP),
1002 keys for specific purposes. IETF, RFC 3748, June 2004. 1059
1003 The presence of a third party in such hybrid approach [6] A. Shamir, Identity-based cryptosystems and signature schemes, in: 1060
Proc. Crypto’84, Santa Barbara, California, USA, 1984, pp. 47–54. 1061
1004 becomes essential in the IoT. Firstly, the rich-resource ser- 1062
[7] P. Szczechowiak, M. Collier, TinyIBE: identity-based encryption for
1005 ver is expected to support almost all heavyweight compu- heterogeneous sensor networks, in: 5th International Conference on 1063
1006 tations. As such, the sensor nodes with limited energy and Intelligent Sensors, Sensor Networks and Information Processing 1064
(ISSNIP), 2009. 1065
1007 capabilities are no longer involved in this expensive pro-
[8] A. Fanian, M. Berenjkoub, H. Saidi, A scalable and efficient key 1066
1008 cess as described in [42,43]. The constrained node can establishment protocol for wireless sensor networks, in: IEEE 1067
1009 establish a communication with external hosts without Globecom Workshop on Web and Pervasive Security, 2010. 1068
1010 implementing the full asymmetric process. Additionally, [9] HP report on Internet of Things Research Study, 2014. <http:// 1069
fortifyprotect.com/HP_IoT_Research_Study.pdf>. 1070
1011 the assisted servers are capable to provide fine-grained [10] Thesis: Collaborative Security for the Internet of Thing, Yosra Ben 1071
1012 access control such that only authorized actions are exe- Saied. <http://www.theses.fr/2013TELE0013> (accessed November 1072
1013 cuted on sensor nodes. 2013). 1073
[11] E. Rescorla, Diffie–Hellman Key Agreement Method, IETF, RFC 2631, 1074
1999. 1075
[12] S. Turner, T. Polk, Transport Layer Security, IETF, RFC 6176, 2011. 1076
1014 8. Conclusion
[13] P. Eronen, H. Tschofenig, Pre-Shared Key Ciphersuites for Transport 1077
Layer Security (TLS), IETF, RFC 4279, 2005. 1078
1015 This paper studied multiple secure, lightweight and [14] J. Hui, P. Thubert, Compression Format for IPv6 Datagrams over IEEE 1079
1016 attack-resistant solutions for WSNs and IoT based on iden- 802.15.4-Based Networks, IETF, RFC 6282, 2011. 1080
[15] R. Moskowitz, HIP Diet EXchange (DEX), IETF, draft-moskowitz-hip- 1081
1017 tified security requirements and challenges. We also pro- rg-dex-06, 2012. 1082
1018 vided a novel classification of existing protocols relying [16] I. Chatzigiannakis, A. Pyrgelis, et al., Elliptic curve based zero 1083
1019 on their key bootstrapping approach to establish a secure knowledge proofs and their applicability on resource constrained 1084
devices, in: 8th IEEE Conference on Mobile Ad-Hoc and Sensor 1085
1020 communication channel. These protocols and techniques 1086
Systems, 2011.
1021 are analyzed according to different criteria in order to [17] J. Mattsson, T. Tian, MIKEY-TICKET: Ticket-Based Modes of Key 1087
1022 identify the advantages and drawbacks of each protocol. Distribution in Multimedia Internet KEYing (MIKEY), IETF, RFC 6043, 1088
March 2011. 1089
1023 Using this methodology, we noted that symmetric 1090
[18] J. Kohl, C. Neuman, The Kerberos Network Authentication Service
1024 approaches are not anymore the default choice for IoT. Pub- (V5), IETF, RFC 4120, 6649, July 2005. 1091
1025 lic key cryptography is likely to be increasingly recom- [19] M.O. Rabin, Digitalized Signature and Public Key Functions as 1092
Intractable as Factorization, MIT/LCS/TR-212, Massachusetts 1093
1026 mended in the IoT context, provided that the associated
Institute of Technology, 1979. 1094
1027 asymmetric techniques are properly optimized. A trusted [20] A. Boudguiga, A. Olivereau, N. Oualha, Server assisted key 1095
1028 third party will also certainly take a more active role to establishment protocol for WSN: a MIKEY-ticket approach, in: 1096
12th IEEE Trustcom, 2013. 1097
1029 secure the IoT and to adapt to its heterogeneous nature.
[21] Z. Shelby, K. Hartke, C. Bormann, Constrained Application Protocol 1098
1030 Additionally, security protocols should take into account (CoAP), IETF, Internet-draft, 2013. 1099
1031 the resource-constrained feature of things. Heavyweight [22] J. Arkko, E. Carrara, F. Lindholm, et al., MIKEY: Multimedia Internet 1100
1032 cryptographic operations i.e. based on RSA and Diffie–Hell- KEYing, RFC 3830, August 2004. 1101
[23] D. Forsberg, Y. Ohba, et al. (Eds.), Protocol for Carrying 1102
1033 man agreement protocols should be replaced by lightweight Authentication for Network Access (PANA), RFC 5191, 2008. 1103
1034 operations, i.e. using symmetric cryptography or applying [24] M. Kanda, Y. Ohba, S. Das, et al., PANA Applicability in Constrained 1104
1035 more lightweight asymmetric primitives such as ECC and Environments, Sources. <http://www.lix.polytechnique.fr/> 1105
(accessed February 2012). 1106
1036 NTRU. Besides, lightweight security protocols are also 1107
[25] S. Raza, S. Duquennoy, T. Chung, et al., Securing communication in
1037 needed to reduce the communication complexity. Aside 6LoWPAN with compressed IPsec, in: International Conference on 1108
1038 from performance concerns, the future proposed security Distributed Computing in Sensor Systems and Workshop, 2011. 1109
[26] D. Liu, P. Ning, R. Li, Establishing pairwise keys in distributed sensor 1110
1039 solutions will offer perspectives on new applications that 1111
networks, J. ACM Trans. Inform. Syst. Secur. 8 (1) (2005) 41–77.
1040 increasingly expand the coverage of capabilities and fea- [27] G. Gaubatz, J.-P. Kaps, B. Sunar, State of the art in ultra-low power 1112
1041 tures offered by IoT devices making them more and more public key cryptography for wireless sensor networks in: 3rd IEEE 1113
International Conference on Pervasive Computing and 1114
1042 intelligent.
Communications Workshop (PERCOMW), 2005. 1115
[28] R. Needham, M. Schroeder, Using encryption for authentication in 1116
large networks of computer, Commun. ACM (1978) 993–999. 1117
1043 9. Uncited references 1118
[29] C. Bormann, M. Ersue, A. Keranen, Terminology for Constrained Node
Networks, Draft-Internet, 2013. 1119
1044 [5,21,28,33,40,54]. [30] NSA, The Case for Elliptic Curve Cryptography. <http://www.nsa.gov/ 1120
business/programs/elliptic_curve.shtml> (accessed February 2014). 1121
[31] J. Granjal, E. Monteiro, J. Silva, End-to-end transport layer security 1122
1045 References for Internet-integrated sensing applications with ECC public-key 1123
authentication, in: IFIP Networking Conference, 2013. 1124
1046 [1] O. Garcia-Morchon, S. Kumar, Security Consideration in the IP-based [32] G. de Meulenaer, F. Gosset, et al., On the energy cost of 1125
1047 Internet of Things, CoRE, Internet-draft, 2013. communication and cryptography in wireless sensor network, in: 1126
1048 [2] F. Meca, J. Ziegeldorf, et al., HIP security architecture for the IP-based IEEE International Conference on Wireless and Mobile Computing, 1127
1049 Internet of thing, in: 27th International Conference on Advanced Network & Communication, 2008. 1128
1050 Information Networking and Applications Workshops (WAINA), [33] A. Rubertis, L. Mainetti, et al., Performance evaluation of end-to-end 1129
1051 2013. security protocols in an Internet of things, in: 21th Conference on 1130
1052 [3] T. Kothmayr, C. Schimit, et al., A DTLS based end-to-end security Software, Telecommunications and Computer Networks (SoftCOM), 1131
1053 architecture for the Internet of thing with two-way authentication, 2013. 1132
1054 in: 7th IEEE International Workshop on Practical Issues in Building [34] U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity, J. 1133
1055 Sensor Network Applications, 2012. Cryptogr. 1 (2) (1988). 1134
14 February 2015
1135 [35] L. Marin, A. Jara, et al., Shifting primes: optimizing elliptic curve [62] J.S. Kumar, D.R. Patel, A survey on Internet of things: security and 1211
1136 cryptography for smart things, in: 6th International Conference on privacy issues, Int. J. Comput. Appl. 90 (11) (2014) 20–26. 1212
1137 Innovative Mobile and Internet Services in Ubiquitous Computing [63] R. Roman, C. Alcaraz, et al., Key management systems for sensor 1213
1138 (IMIS), 2012. networks in the context of the Internet of things, Int. J. Comput. 1214
1139 [36] R. Hummen, Jan H. Ziegeldorf, et al., Towards viable certificate-based Electr. Eng. (2011) 147–159. 1215
1140 authentication for the Internet of things, in: Proceedings of the 2nd [64] Y. Wang, G. Attebury, B. Ramamurthy, A survey of security issues in 1216
1141 ACM Workshop on Hot Topics on Wireless Network Security and wireless sensor networks, IEEE Commun. Surv. Tutorials 8 (2) 1217
1142 Privacy (HotWiSec’13), 2013. (2006). 1218
1143 [37] W. Du, J. Deng, et al., A key predistribution scheme for sensor [65] G. Ateniese, G. Bianchi, et al., Low-cost Standard Signature in 1219
1144 networks using deployment knowledge, IEEE Trans. Dependable Wireless Sensor Networks: A Case for Reviving Pre-computation 1220
1145 Secure Comput. 3 (1) (2006) 41–77. Techniques, Usenix Network and Distributed System Security 1221
1146 [38] R. Blom, An optimal class of symmetric key generation systems, Symposium (NDSS), 2013. 1222
1147 in: Advances in Cryptology: Proc. EUROCRYPT ’84, 1985, pp. 335– [66] Proofpoint, Article Proofpoint Uncovers Internet of Things (IoT) 1223
1148 338. Cyberattack. <http://www.proofpoint.com/about-us/press-releases/ 1224
1149 [39] A. Perrig, R. Szewczyk, J.D Tygar, et al., SPINS: security protocols for 01162014.php> (accessed September 2014). 1225
1150 sensor networks, in: ACM International Conference on Mobile [67] W. River, White Paper, Security in the Internet of Things, 2014. 1226
1151 Computing and Networking (MobiCom), 2001. <http://www.windriver.com/whitepapers/security-in-the-internet- 1227
1152 [40] B. Lai, S. Kim and I. Verbauwhede, Scalable session key construction of-things/wr_security-in-the-internet-of-things.pdf>. 1228
1153 protocol for wireless sensor networks, in: IEEE Workshop on Large [68] Gartner Inc., Forecast: The Internet of Things, Worldwide, 2013, 1229
1154 Scale RealTime and Embedded Systems (LARTES), 2002. 2013. 1230
1155 [41] S. Seys, Key Establishment and Authentication Suite to Counter DoS 1231
1156 Attacks in Distributed Sensor Networks, COSIC, 2012.
1157 [42] H.R. Hussen, G.A. Tizazu, et al., SAKES: secure authentication and key
1158 Kim Thuat Nguyen is currently pursuing his 1234
establishment scheme for M2M communication in the IP-based
1159 PHD thesis at the Communicating Systems 1235
wireless sensor network (6LoWPAN), in: 5th International
1160 Conference on Ubiquitous and Future Networks (ICUFN), 2013. Laboratory at CEA, France. He has obtained his 1236
1161 [43] Y.B. Saied, A. Olivereau, D-HIP: a distributed key exchange scheme engineering diploma from the engineering 1237
1162 for HIP-based Internet of things, in: First IEEE WoWMoM Workshop school of Informatics, Applied Mathematics 1238
1163 on the Internet of Things: Smart Objects and Services (IoT-SoS), and Telecommunications (Ensimag), Grenoble 1239
1164 2012. INP, France. His research focus on lightweight 1240
1165 [44] B. Sarikaya, Y. Ohba, et al., Security Bootstrapping Solutions for security protocols for IP-based Wireless Sen- 1241
1166 Resource-Constrained Devices, Internet-draft, 2012. sor Networks and the Internet of Things. 1242
1167 [45] D. Boneh, M. Franklin, Identity-based encryption from the Weil 1243
1168 paring, SIAM J. Comput. 32 (2003) 586–615.
1169 [46] L. Yang, C. Ding, M. Wu, Establishing Authenticated Pairwise Key
1170 using Pairing-based Cryptography for Sensor Network, 8th
1171 Chinacom, 2013.
1172 [47] C. Gentry, Practical identity-based encryption without random 1233
1173 oracles, in: Proc. of the EUROCRYPTO’06, Springer-Verlag, 2006, pp.
1174 445–464. Maryline Laurent, PhD works as a professor 1246
1175 [48] L. Eschenauer, V.D. Gligor, A Key-Management Scheme for at Telecom SudParis, Mines-Telecom Institute, 1247
1176 Distributed Sensor Networks, 2002. and is the head of the research team R3S 1248
1177 [49] H. Chan, A. Perrig, D. Song, Random key predistribution schemes for (Network, Systems, Services, Security) of the 1249
1178 sensor networks, in: Proc. IEEE Symp. Security and Privacy, May French CNRS UMR 5157 SAMOVAR. Her main 1250
1179 2003. topics of interest are related to network 1251
1180 [50] T. Ito, H. Ohta, et al., A key pre-distribution scheme for secure sensor security and personal data privacy, including 1252
1181 networks using probability density function of node deployment, in: 1253
clouds, tiny devices (RFID, sensors), social
1182 Proc. 3rd ACM Workshop on Security and Ad Hoc Sensor Networks,
networks and digital identity management. 1254
1183 2005, pp. 69–75.
She cofounded the chair of Institut Mines- 1255
1184 [51] D.D. Hwang, B. Lai, I. Verbauwhede, Energy-memory-security
Télécom on Values and personal information 1256
1185 tradeoff distributed sensor networks, in: Proc. 3rd Conference on
1186 policies. She chaired several workshops and 1257
Ad-Hoc Networks and Wireless, 2004, pp. 70–81.
1187 [52] S. A. Camtepe, B. Yener, Key Distribution Mechanisms for Wireless conferences like Data Privacy Management DPM 2013, Secure Smart 1258
1188 Sensor Networks: A Survey, Technical Report TR-05-07, Rensselaer Objects SSO 2013, and IFIP New Technologies, Mobility and Security 1259
1189 NTMS 2011. She is co-editor of the special issue on « Privacy-aware 1245
1260
Polytechnic Institute, 2005.
1190 [53] R. Moskowitz, P. Jokela, et al., Host Identity Protocol version 2 electronic society », Annals of Telecommunication, 2014. She published a 1261
1191 (HIPv2), Draft-Internet, 2013. number of papers in journals, international conferences and book chap- 1262
1192 [54] R. Hummen, H. Wirtz, et al., Tailoring end-to-end IP security ters. 1263
1193 protocols to the Internet of things, in: 21th International 1264
1194 Conference on Network Protocols (ICNP), 2013.
1195 [55] D. Migault, T. Guggemos, D. Palomares, Diet-ESP: A Flexible and Nouha Oualha is a research engineer at the 1267
1196 Compressed Format for IPsec/ESP, Draft-Internet, January 2014. 1268
Communication Systems Laboratory of CEA-
1197 [56] E. Moustaine, M. Laurent, A lattice based authentication for low-cost 1269
LIST, since October 2010. She graduated from
1198 RFID, in: IEEE International Conference on RFID-Technologies and
the engineering school of telecommunica- 1270
1199 Applications (RFID-TA), 2012.
tions, Telecom Bretagne (formerly known as 1271
1200 [57] T. Kivinen, Minimal IKEv2, Draft-Internet, 2011.
1201 ENST Bretagne), in 2005. She received her PhD 1272
[58] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, IETF, RFC 4306,
1202 degree from Telecom ParisTech (formerly 1273
2005.
1203 [59] S. Ray, G.P. Biswas, Establishment of ECC-based initial secrecy usable known as ENST) in 2009, on the topic of 1274
1204 for IKE implementation, in: Proc. of World Congress on Expert ‘‘Security and cooperation for peer-to-peer 1275
1205 Systems (WCE), 2012. data storage’’. Her research interests focus on 1276
1206 [60] D. Miorandi, S. Sicari, F.D. Pellegrini, Internet of things: vision, several topics such as secure systems, security 1277
1207 applications and research challenges, Ad Hoc Netw. 10 (7) (2012) protocols and cryptographic algorithms, as 1278
1208 1497–1516. well as, peer-to-peer and IP-based wireless sensor networks. 1279
1209 [61] L. Atzori, A. Iera, G. Morabito, The Internet of things: a survey, 1280
1210 Comput. Netw. 54 (15) (2010) 2787–2805. 1266

Ad-Hoc Networking and Networks

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Ad-Hoc Networking and Networks

Hochgeladen von

Copyright:

Verfügbare Formate

ADHOC 1181 No.

of Pages 15, Model 3G

Contents lists available at ScienceDirect

3 Survey on secure communication protocols for the Internet of

311 Classiﬁcation approaches have been proposed in several [63,64]. 341

Table 3 sub-category, we classify these mechanisms based on the 384

DH Difﬁe–Hellman exchange resource-constrained-sensor nodes, in particular when 392

Fig. 1. Network architecture of our scenario.

Fig. 2. Classiﬁcation of key bootstrapping mechanisms in IoT.

Fig. 3. Public key transport mechanism.

Fig. 4. Identity-based cryptography infrastructure.

Fig. 5. Key agreement based on asymmetric mechanisms.

Fig. 6. Server-assisted mechanism.

Fig. 7. Proxy-based assisted server infrastructure.

K.T. Nguyen et al. / Ad Hoc Networks xxx (2015) xxx–xxx

No. of Pages 15, Model 3G

Das könnte Ihnen auch gefallen