Cryptography Applied to the Internet of Things

0 downloads 0 Views 162KB Size Report
ment by collecting, processing and analyzing data generated by sensors or smart ... can be implemented in devices that can connect to the internet of things, in order to .... included in embedded microcontroller and requires fewer E/S pins. ... IoT device connects a physical device to the cloud for processing additional data.
Cryptography Applied to the Internet of Things Javier Sanchez Guerrero1 , Robert Vaca Alban1 , Marco Guachimboza1 , Cristina P´ aez Quinde1 Margarita Narv´aez R´ıos1 , and Luis Alfredo Jimenez R.1 Facultad de Ciencias Humanas y de la Educaci´ on, Direcci´ on de Tecnolog´ıa de la Informaci´ on y Comunicaci´ on, Facultad de Contabilidad y Auditor´ıa, Universidad T´ecnica de Ambato, Ambato- Ecuador, jsanchez, rvaca, marcovguachimboza, mc.paez, mm.narvaez, [email protected]

Abstract. Concepts and technologies that have made it possible for devices to interconnect to real-world objects, have existed for some time. The Internet of things can be defined as a pervasive and ubiquitous network that allows the monitoring and control of the physical environment by collecting, processing and analyzing data generated by sensors or smart objects. As the number of devices connect to the Internet increases, it is necessary to provide a safe and reliable operation of such devices. This paper emphasizes the use of cryptographic algorithms that can be implemented in devices that can connect to the internet of things, in order to provide security for the transmission of information on the vast network of sensors, a network that is increasing in size and number. This paper describes the problem of security on networked devices and describes the main algorithms and processes that provide security to this technology. It is concluded that since the devices that form the Internet of things have little memory and processing, it is necessary to apply algorithms that use the least amount of bits, with encryption algorithms that are based on elliptic curves. The advancement of technologies and algorithms that provide security should be considered, because every day we are more dependent on the internet of things. . . Keywords: Internet, security, encryption

1

INTRODUCTION

The Internet has so far been a communication network among humans. Computers learn, and with the right software they can become better than humans, or at least help humans in their day-to-day activities. Remote monitoring is now an ordinary activity, it can be performed from anywhere in the world. The internet of things links the chips of things with advancements in information technology. Computers that can reason and learn, this means that you can make something intelligent. A red light on the dashboard of a vehicle indicates that something is happening. A good owner will take it to the shop and have it repaired. It means that connected things will be able to anticipate problems[15]. You can find the problem before it occurs, or at least you can identify these problems and act on

II

them. What will happen is that eventually any industrial product will have the desired connectivity. If you have appliances to monitor the temperature at home, such as a thermostat, why not use them to protect the house?.The internet of things is a global phenomenon that includes human machine communication, radio frequency identification, location - based services, Lab-on-a-Chip sensors, augmented reality, robotics and vehicle telematics. Its common feature is its ability to combine embedded objects with sensory capabilities and communication intelligence, exchanging data through a combination of wired and wireless networks. Companies can analyze patterns of behavior, so this can create new business value by simply monitoring things[17]. The amount of computer attacks is increasing day by day. This can lead to severe breaches of sensitive information. The security of communication is an aspect that is causing concern, since the number of devices connected to the internet grows by the hour. Although Internet of Things (IoT) devices do not appear to be critical devices, they can become critical devices if they are not used properly [29]. An open security issue is the distribution of passcodes between devices. Risks vary depending on the criticality of the device either by their function or dependence that people may have on them. Threats to which devices are exposed will have a negative effect on accessibility, integrity, identity, availability and confidentiality. This last aspect is very important since it must exist in the device, and even more if this information is transmitted over the Internet. GPS positioning can become a threat, because the user’s location can be recorded on a website[20].In many cases you can access these devices via internet, but if a third party has obtained a passcode, then privacy issues appear. Remote control of the devices by third parties, whose non legitimate use can affect the computer and physical security of the users, is something that must be avoided. Since devices send information via the Internet, in most cases an extensive use of communication networks is needed[1]. All these communications that propagate via public networks are sensitive to being compromised. In this paper, we describe the means by which the attacks are performed, and cryptographic solutions that prevent their development. Elliptical curves are considered, and we argue that the use of such elliptical curves is one of the best methods of information encryption. The aim is to publicize the importance of IoT and the security that can be provided to the links created between the devices from the beginning to the end of the transmission of information. This is very important, since by the year 2020 many devices will be connected to the internet and it is necessary to disclose how you can provide adequate security on these devices. The following section of related work problems and recent developments in relation to cryptography for IoT is described, thus explaining the computer algorithms and procedures needed to provide the highest security of communications that take place on the Internet of things. This description allows for conclusions and future work that will contribute to improving safety on the IoT.

III

1.1

THEORETICAL FRAMEWORK

Security must remain throughout the devices lifecycle, from initial design to its deployment. This implies that there must be credentials that allow secure access to networks in the IoT. It is necessary that the devices have unique protocols, which must be verified, this being the only form of safe and proper operation. Many security systems need to deploy patches that reduce bandwidth consumption or reduce the possibility of attacks when someone could steal the credentials to access the devices operation. This implies that a connected device that maintains limited bandwidth and intermittent network must authenticate itself before receiving data from another device. Then, security must exist from end to end, both at the device and network levels; the intelligence that allows the devices to carry out their tasks, should also allow them to recognize and repel threats[28]. The Man in the Middle attack means that the receivers data is intercepted by the attacker, who pretends to be the originator of the message that is being sent to the receiver, acting as an intermediate point between communications, remaining invisible during the process[26]. Reduced versions of operating systems are used in certain devices, which means lowering software costs. This implies a security risk, since this weakens the security of the entrance doors, compromising the information transmitted by the devices. Web interfaces that are used in IoT, allow their administration from another enabled device, which implies that these interfaces allow the administration of a device from the network, so that when they are attacked, the attack is not only made at the interface level but in the hijacked devices as well. Some devices like Smart tvs allow the installation of third-party applications just like Smartphones, in those cases, the applications can be used as an entry platform to the device[4]. In some cases, developers or users do not follow an appropriate security policy, this means that most devices enable many of their functionalities in their configurations, which means having a security gap. The attacks against hardware are carried out through the Internet, as well as through an analysis of its structure and functioning. An example of these situations are attacks on electrical components or components of network traffic. Depending on the equipment, attacks such as monitoring interfaces, reverse engineering or manipulation of internal sources can take place. Social engineering consists of exploiting user behavior as a gateway for fraud, thats what is known as phishing. An attack much more elaborate, is to study the internet victim when the victim publishes personal information on the Internet, making him more vulnerable. The most elaborate attacks are aimed at more profitable targets [22]. The principles of reliable computing are accessible for embedded systems, but IoT devices with limited resources and low energy make their implementation a major challenge. A comparison of the LPC interface, I2C is most commonly included in embedded microcontroller and requires fewer E/S pins. For handheld devices or other applications where space is limited, the Atmel ATSHA204A provides client and host security capabilities in a small 3-pin SOT23 package with a single cable interface to the host. Other possible uses include images of encryption code to prevent tampering, session key exchange, secure data storage

IV

and verification of user passwords. Faced with the reality of millions of devices connected to each other and the Internet, our real challenge is to provide security solutions that meet the needs of heterogeneity and scalability that imposes the Internet of Things[13]. Cryptographic techniques such as preservation and homomorphic encryption use procedures that increase the processing time by 25 % and also work with proxies which are expensive to implement in electronic circuits that work with IoT. By contrast, Talos is a system that allows the storage of secure information and allows encrypted queries. It focuses on the partially homomorphic encryption that provides a high level of security when working with a reasonable data overload [25]. When working in a client - server model, the device is connected via LAN, WLAN or WPAN. The device communicates certain localized information or service requests to a network concentrator of a cloud-based service. An IoT device connects a physical device to the cloud for processing additional data or services. Architectural considerations for CPU performance for IoT devices depend on the scope of what the CPU has to do as well as hardware security provisions contained in the CPU hardware. A key requirement for IoT applications is security. Devices connected in networks open a variety of threats as they are more connected to the network and finally to the cloud. Among the elements to be considered for safety we should consider: a) secure boot, b) updating secure code, c) password protection, d) controlling access to secure resources, and d) DMA (Direct Memory Access) with data encryption for critical functions such as session authentication[11]. An interesting trend that contributes to the growth of IoT is the transition from IPv4 to IPv6 which allows for interactions at a machine-machine level. IPv6 is one of the most important enablers of IoT since it is not possible to add thousands of millions of devices over IPv4. Security Considerations and Implications of IPv6 are critical to secure IoT[30]. Existing technologies and security solutions can take advantage of a network architecture, especially through the central layers and data centers in the cloud, there are unique challenges in the field of IoT. Methods must be implemented to ensure that the authenticity of the data, the path from the sensor to the collector, the authentication parameters between the initial installation / configuration of the device and its possible presence in the IoT infrastructure are not compromised. Man-in-the-middle is the means by which the attacker can successfully create a connection between two points and spy on their conversation while capturing the data. Hence, IPv6, a function of the IoT, is subject to the same threats of attack as IPv4, such as smurfing, recognition, spoofing, fragmentation attacks, sniffing, neighbor discovery, rogue devices, man-in-the -middle, and others [2]. When IoT / M2M devices are connected, they need access to the infrastructure, a secure connection is started based on the identity of the device. In this domain, many devices may not have enough memory to store certificates or may not even have the CPU power needed to run cryptographic operations to validate X.509 certificates. Data generated by IoT devices is only valuable if appropriate analysis algorithms or other processes are defined to identify the threat. While the security implications for construction of IO / M2M are vast,

V

the deconstruction of a security framework / M2M viable IO can be the basis for implementing security in production environments [6]. Identity Based Encryption (IBC) is one of the most important applications of cryptography based matching, which is used in low memory devices. The use of another class of elliptical curves must be further extended in order to increase efficiency. The safety multiplier refers to the size of the base field on which signals in the elliptical curve are manipulated [19]. Hence, if a large security multiplier is needed, it means that it must apply elliptical or hyper-elliptic curves over a smaller base field, with the advantages of efficiency that come with it [3]. Elliptic curves over a finite F p field, are a set of (x, y) that satisfy the equation y2 mod p = x 3 + ax + b mod p, with 43 + 27b 2 ¡¿ 0, such that a,b,x,y belong to a special point Fp plus a special point known as not infinite point O. Another important feature of the elliptic curve cryptography is that a point G can be selected, which will have an order n and a cofactor h [18]. An elliptic curve can be found in major modern technologies such as the Web and technologies that rely upon TLS, PGP and SSH. RSA, DSA, and DH algorithms are combined with ECC in order to increase security. The RSA algorithm implements asymmetric cryptography, however this algorithm uses very large keys. In IoT it is necessary to use simpler computational processes especially in computational calculations, as is the case with the use of elliptic curves, especially in devices with lower computing power, shorter memory and limited energy resources. Symmetric cryptography algorithms may be simple to decode or decrypt [7]. Finite fields are a set consisting of a finite number of elements. Given a finite field Fp, is a set of integers with modulo p, where p is a prime number. A set of module p integers consists of all the integers from 0 through p -1 and mathematical operations are performed with modular arithmetic [8]: a = b mod n, being a the residual of the division by n times b. For example 2 = 38 mod 12, as 38/12 = 3 with a residue of 2. An elliptical E curve on the body K, is a cubic curve, irreducible and non-degenerated, defined on the projective plane P 2 (k) with a point O which belongs to the curve. The curve will have points in the same plane, but it also has points in infinity [23]. An example of elliptic curve is y 2 = (x)3 + 2x + a, overK = Xs

(1)

To calculate the points at infinity curve we have y = y / z x = x / z, replacing in the equation we have: x3 x y2 = +2 +1 (2) 2 3 z z z Given that we are looking for points in the infinite we convert z = 0, therefore x 3 = 0 and x = 0 Therefore the infinite points of the curve are: (0:Y: 0) = (0.1:0) This means that the normal Weierstrass formula can be located: y 2 = (x)3 + ax + b The number of points are calculated by defining the elliptic curve:

(3)

VI

E = EllipticCurve (GF (5), [2,1]), * Previous curve, over the body z(5) If E.points () is located, we will notice a set of points calculated for 7 elements [(0:1:0),(0:1:1),(0:4.1),] In this case, the number of points is 7. However, in other cases the curves have many points which are calculated with E.Cardinality () function.Curve points are operable. If there are two points P, Q belonging to the curve, one can define the P + Q operation, resulting in another point of the curve (this sum differs from the coordinate plus coordinate sum). This sum has the commutative and associative properties and has an element O which together with P, yields as a result the same point P. For every point of the curve there is a point P, such that P + (- P) = O [16].

Fig. 1. Elliptic curves in cryptography: The number of bits used to encrypt is much smaller than the RSA algorithm

Elliptic curves have a direct application in cryptography, and in the use of public and private key. The Trapdoor function makes it possible to send information from A to B, which reaches its destination but is very difficult to decipher from B to A [10].The ECC outweigh the RSA, because fewer bits are

VII

used in the encryption process (top secret level information). The characteristics of the elliptic curve are symmetrical with the axis x. In Figure 1, the three elliptic points (A, B, C) in cryptography, the idea is to apply the function A ”dot”, for example A ”dot” B ”dot” C, and as there is symmetry there is a point on the other side of the curve called D, and therefore an E point, and so on until all elliptical points are completed. Through this process we can obtain the peak that can be connected from A. These points (values) are taken into account for the public key, KeySize = Max for the private key Priv = ”n” dot, in order to find the symmetrical points that allow it to return to the original message (E, D)[27]. Systematic analysis of information is a challenging problem. A hacker can compromise the privacy and integrity of the transaction process. Being able to encrypt messages is vitally important especially if encryption processes can reside in IoT devices which in 2020 will be connected and producing large amounts of data. This section described the processes hitherto known to encrypt information, and has provided details regarding elliptic curves as one of the best elements to achieve an increase in information security. The following section describes the conclusions achieved in this research work. 1.2

CONCLUSIONS, LIMITATIONS AND FUTURE WORK.

This study is a journey through the state of the art in the field of encryption and cryptography and algorithms. Overall, it is noted that emphasis on using public and private keys, with the main issue being its encryption (Abboud, 2015). Soon, smart automobiles (which are controlled by touchscreens, recognize driver’s gestures and detect parking spaces) will move by smart cities where everything will be controlled by sensors interconnected in order to optimize traffic, reduce pollution and manage video surveillance systems. The Internet of things is already a reality in trends as wearables, accessories and clothing that offer all kinds of information about the wearer. The good news is that there are several procedures and solutions that can be taken to prevent malicious attacks; Cryptography Data; Anti-Malware; Identity and Access control and device management. Investing in security solutions for the growing array of increasingly sophisticated threats is critical to maintaining data security. In addition to investing in the ”digital education” of people, it is also necessary to create a strategy for Information Security with constant investments, seeking to eliminate the vector of attacks on your network and applications. Thats because multiple devices are simultaneously connected; computers, notebooks, tablets, smartphones, TVs, among many others. Considering the speed with which the Internet of Things advances, there is still much to do to ensure data security. All integrated services must follow best security practices, from solution design, through all stages of implementation of IT solutions. The devices that we see today are electronic devices with different names and purposes. These devices process data and therefore can be classified as computers. The growth of connectivity facilitates daily activities, but also generates a great concern: Information Security. This work describes the main algorithms to provide security for IOT transactions, especially elliptic

VIII

curves, which, when using less bits than RSA, allow better performance with IoT devices. It is very difficult to decrypt a message based on IBC and elliptic curves [9].However, in order to apply the asymmetric algorithmic processes and their relationship in the elliptic finite space, an appropriate knowledge of mathematics is required, hence it is important to describe with more examples the computational processes of elliptical encryption, which Is a task that will be covered in future research topics. An example is used for this paper, in which we describe the handling of elliptic curves, where; the management of core operations differs from traditional handling, highlighting the fact that it is necessary to opt for other mechanisms of decomposition. This implies that there may be difficulty in applying encryption methods in IoT, so it is important to conduct tests on the functioning of algorithms in real world scenarios. Furthermore, progress is made on encryption and security processes on a daily basis. Changes in algorithms and their different ways of applying them are on the agenda, and therefore requires updating and patching process in IoT devices. Quantum computing has been proposed by IBM, such technology would allow decrypting of security algorithms but at the same time would strengthen encryption methods (Noor-ul-Ain, Atta-ur- Rahman, Nadeem Ghafoor Abbasi, 2015).Hence, it is very important to make a comparison of the cost-benefit ratio of the application of the algorithms that provide security for the IoT devices especially since they have little memory and processing capacity.

References 1. Allen, N.: Weaknesses Cybersecurity to make smart cities threaten more costly and dangerous than analog Their prdecessors. USApp 2. Botta, A., Donato, W., Persico, V.,Pescap, A.: Integration of Cloud computing and Internet of Things: A survey. Future Generation Computer Systems, 684-700. 3. Breezely, G.,Prabu.: Secured key Sharing in Cloud Storage Using Elliptic Curve Crytpgraphy. Proceedings of the International Conference on Soft Computing Systems. 4. Chaitanya, B., Sekhar, C.,Ramesh, N.: IR IOT based Smart Device using CC3200. Science, Technology. 5. Chen, S., Maode, M., & Zhenxing, L.: With an authentication scheme for identitybased cryptography M2M security in cyber-physical systems. Security and communication networks, 9 (10), 1146-1157. 6. CISCO.: Securing the Internet of Things: A Proposed Framework.Retrieved from http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposedframework.html 7. Delfs, C.,& Galbraith, S.: Computing isogenies supersingular Between Elliptic curves over Fp. Designs, Codes and Cryptography, 425-440. 8. Galbraith, S., & Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Designs, Codes and Cryptography, 51-72. 9. Geetha, D.,& Sakthivel, D.: Orient Stream Cipher Based Service Key Management Scheme for Secure Data Access Control Using Elliptic Curve Cryptography in Wireless Broadcast Networks. American-Eurasian Journal of Scientific Research, 63-71. 10. Hoffman, L.: Q & A: Finding New Directions in Cryptography. Communications of the ACM, 59 (6), 112-ff.

IX 11. Imagination Technologies.: Internet of Things-device Opportunities for differentiation. Desing & Reuse 12. Kamboj, D., Gupta, D., Kumar, A.: Efficient Scalar Multiplication Elliptic Curve over.International Journal of Computer Network and Information Security, 8 (4). 13. Kanase, P., & Gaikwad, S.: Smart Hospitals Using Internet of Things. International Research Journal of Engineering and Technology. 14. Khan, M., Deen, S., Jabbar, S., Gohar, M., Ghayvat, H., & Mukhopadhyay, S.: Context-aware intelligent low power SmarHome based on the Internet of things. Computers & Electrical Engineering. 15. Kopetz, H.: Internet of Things. Real-Time Systems (pp.4. Springer.) 16. Kumar Das, S., Sharma, G., & Kumar kevt, P.: Integrity and Authentication using elliptic curve cryptography. Journal of Interdisciplinary Research Imperial. 17. Lechelt, Z., Rogers, Y., Marquardt, N., & Shum, V.: Connectus: A New Toolkit for Teaching about the Internet of Things. Proceedigns of the CHI 2016 Conference on Human Factors Extended Abstracts in Computing Systems (pp.4. New York: ACM) 18. Maitin-Shepard, J., Tibouchi, M., & Aranha, D.: Elliptic Curve Multiset Hash. Cryptography and Security. 19. Malina, L., Hajny, J., & Hosek, J.: On perspective of security and privacypreserving solutions in the internet of things. Computer Networks, 83-95. 20. Nazim, M. Ali Shah, M., & Kamran Abbasi, M.: Analysis of Embedded Web reources in Web of Things. Proceedings of the International Conference on Communication IOARP and Networks. London: IOARP. 21. Noor-ul-Ain, W., Atta-ur-Rahman, M., Nadeem, M., & Abbasi Ghafoor, A.: Quantum Cryptography Trends: A Milestone in Information Security. In Advances in Intelligent Systems and Computing (pp.4. Switzerland: Springer). 22. Powell, A.: Hacking in the public interest: Authority, legtimacy, means, and ends. New Media & Society. 23. Rao, M., & Rao, B.: Paper Reduction And Total Inter-Carrier Interference Detection In Canceled Multiuser CDMA-OFDM CFO Corrected Elliptic Curve Cryptography With. International Journal of Applied Engineering Research, 11 (8), 58805888. 24. Scott, M.: Pairings Faster Using an Efficient Elliptic Curve With an endomorphism. Lecture Notes in Computer Science, 258-269. 25. Shafagh, H., Duquennoy, S., & Hu, W.: Talos: Encryupted Query Processing for the Internet of Things. Proceedings of the 13th ACM Conference on Embedded Networked Sensor Systems. New York. 26. Sicari, S., Rizzardi, A., Miorandi, D., Cappiello, C., & Coen-Porisini, A.: A secure and quality-aware prototypical architecture for the Internet of Things. Information Systems, 43-55. 27. Smart, N.: Elliptic Curves. In Cryptography Made Simple (p.4. London: University of Bristol. 28. WIND.: Security in the Internet of things: Lessons from the past for the future connected. USA: WIND. 29. Zambonelli, F.: Towards a General Software Engineering Methodology for the Internet of Things. Software Enginerring. 30. Palattella, M. Dohler, M., Grieco, A., & Rizzo, G.: Internet of Things in the 5G Era: Enablers, Architecture, and Business Models.IEEE Journal on Selected Areas in Communications (p.4. IEEE)