Secure End-to-End Communication for Constrained Devices in IoT-enabled Ambient Assisted Living Systems

Pawani Porambage∗, An Braeken†, Andrei Gurtov‡, Mika Ylianttila∗ and Susanna Spinsante§

∗ Centre for Wireless Communications, University of Oulu, P.O. Box 4500, FI-90014 Oulu, Finland. {pporamba, mika.ylianttila}@ee.oulu.fi
† Vrije Universiteit Brussel, INDI, 1000 Brussels, Belgium. [email protected]
‡ Helsinki Institute for Information Technology (HIIT) and Department of Computer Science and Engineering, Aalto University, FI-00076 Aalto, Finland. [email protected]
§ Dipartimento di Ingegneria dell'Informazione, Università Politecnica delle Marche, IT-60131 Ancona, Italy. [email protected]

Abstract—The Internet of Things (IoT) technologies interconnect broad ranges of network devices irrespective of their resource capabilities and local networks. In order to upgrade the standard of living of elderly people, Ambient Assisted Living (AAL) systems are also widely deployed in the context of IoT applications. To preserve user security and privacy in AAL systems, it is essential to ensure secure communication link establishment between the medical devices and the remote hosts or servers that are interested in accessing the critical health data. However, because of the limited resources available in such constrained devices, it is challenging to run the expensive cryptographic operations used in conventional security protocols. Therefore, in this paper we propose a novel proxy-based authentication and key establishment protocol, which is lightweight and suitable to safeguard sensitive data generated by resource-constrained devices in IoT-enabled AAL systems.

Keywords—Internet of Things; authentication; key establishment; proxy; resource-constrained devices

I. INTRODUCTION

The Internet of Things (IoT) is the binding force of next-generation networking technologies, providing seamless connectivity among an enormously wide range of devices [1], [2]. Ambient Assisted Living (AAL) systems are emerging as multidisciplinary schemes for upgrading the standard of living of the elderly population in the world [3]. AAL applications and services integrate different technologies and devices to enable continuous monitoring of elderly people [4]. To ensure an adequate response to the needs of the users, AAL systems typically rely on the collection of large amounts of personal data and information, from which relevant knowledge about the user's habits is gathered. Such a process is critical and necessary to enable the automatic detection of anomalous events and a prompt reaction to them, according to the estimated level of risk and danger.

Collecting and processing personal data, such as health-related data or data about a person's habits and preferences, raises serious privacy protection issues. National legal frameworks, which define comprehensive requirements for data privacy, apply to AAL systems too. At the same time, the volumes of data collected in health and social care are drawing increasing business and economic interest [5]. Adherence to data protection requirements in AAL needs new organizational and technical solutions compared to conventional IT security tools, because of specific constraints: most of the devices (sensors, actuators) integrated in AAL platforms are strongly limited in processing resources, power availability (e.g. wireless nodes) and transmission capacity. They must devote the available energy and computation to their core functionality, so supporting security and authentication-related tasks becomes quite challenging [6]. Both security and privacy aspects play an important role in the successful adoption of assistive technologies in the home environment. The user's perception of security strongly depends on his or her condition (e.g. health, level of autonomy and independence): as reported in [7], healthy adults require, and insist on, the highest security and privacy standards, compared with the ailing elderly.

In this paper we propose a proxy-based authentication and key establishment protocol specifically designed for highly resource-constrained devices in the context of IoT-enabled AAL systems. Moreover, we discuss the application scenario, system requirements and security requirements in detail, along with the related work. The remainder of the paper is organized as follows: Sections II and III respectively provide the related work and the preliminaries used in explaining the protocol. Section IV describes the proposed solution. Section V provides a brief analysis of the protocol, followed by its applicability in the context of IoT. Finally, Section VI concludes the paper.

II. BACKGROUND AND RELATED WORK

To enable increased safety and well-being, the home has to become intelligent.
AAL addresses the needs of elderly users by means of IoT platforms powered by Ambient Intelligence (AI). IoT is capable of providing all the features necessary in an assistive and intelligent environment: being connected, context-sensitive, personal, adaptive and anticipative. The combination of smart objects and closed-loop healthcare services can employ the IoT paradigm to enable communication between different stakeholders, such as elderly individuals, caregivers, physicians and family members [8]. Along the different communication links, proper privacy and identity protection requirements have to be ensured. Several standards have been proposed to support end-to-end (E2E) security and key establishment in IoT, such as Datagram Transport Layer Security (DTLS) [9], the Internet Key Exchange (IKEv2) protocol [10] and HIP-DEX [11]. An interesting approach to further improve on these standards has been suggested in [12] and [13]: a proxy-based solution in which heavy cryptographic operations are delegated from a constrained device to less constrained nodes in its neighborhood. In both [12] and [13], only one set of intermediary proxies is used in the key establishment protocol. This approach is generalized in [14], where two different sets of proxies are used, corresponding to two constrained end nodes. In this paper we use techniques similar to [14], but again restrict ourselves to the setting of one set of proxies, because of the particular application scenario.

III. NETWORK ARCHITECTURE AND PRELIMINARIES

As illustrated in Figure 1, a remote host needs to acquire sensitive, health-critical data from a medical sensor that is highly resource-constrained. The medical sensor can be a wearable sensor attached to an elderly person, whereas the remote host can be any party interested in retrieving the person's medical data, such as a doctor, nurse or caregiver. The remote host needs to initiate a secure E2E communication link with the medical sensor. In this scenario the two parties need to authenticate each other and securely establish a secret key for encrypting further data transmissions.

The medical sensor node is considered a highly resource-constrained device, and it relies on trustworthy, resource-rich neighboring devices in its closest proximity to establish the secure E2E connection. Those neighboring devices act as proxies: they are responsible for executing the expensive cryptographic operations on behalf of the constrained node. The number of contributing proxies is $n$ and they are denoted $P_1, P_2, \ldots, P_n$. The protocol is based on an $(n, k)$ threshold scheme [15]: each of the $n$ proxies processes one polynomial share, and any $k$ shares are enough to reconstruct the Diffie-Hellman (DH) values through Lagrange polynomial interpolation. It is assumed that the medical sensor has pre-installed shared keys $K_{1r}, K_{2r}, \ldots, K_{nr}$ with the proxies. Moreover, we consider shared secret keys $K_{1i}, K_{2i}, \ldots, K_{ni}$ between the initiator and the proxies. These keys can be established with regular security protocols such as TLS or IPsec, since neither party suffers from the severe processing limitations of the medical sensors. As explained in the DH key exchange algorithm

Figure 1: Network system model (IoT cloud: remote host acting as initiator; home network: proxies $P_1, P_2, \ldots, P_n$ and the wearable medical sensor acting as responder).

[16], we also take $p$ to be a prime and $g$ a generator modulo $p$.

IV. PROPOSED AUTHENTICATION AND KEY ESTABLISHMENT PROTOCOL

According to the message flow of the proxy-based authentication and key establishment protocol (Figure 2), the resource-constrained medical sensor delegates costly cryptographic operations to the resource-rich neighboring devices in its closest proximity.

Figure 2: Message flow of the proposed security protocol (initiator sends SRC ID, $N_I$; responder checks SRC ID and $N_I$, selects $a$ and its pre-computed shares; proxies decrypt their share, establish a secure connection with the remote host and compute their part of the public key; initiator reconstructs the public key and sends its DH parameter; proxies compute the key shares; responder reconstructs the key, computes the MAC and sends the Finish message (MAC); initiator checks the MAC).

First, the initiator starts the communication by sending a request message to the responder containing its source identity (SRC ID) and a cryptographic nonce ($N_I$). Upon receiving the request, the responder checks the freshness of the nonce and the source identity. Then the responder selects

a private key value $a = f(0)$ and its corresponding pre-computed shares $f(1), \ldots, f(n)$. These shares are obtained as follows. Consider a polynomial $f$ of degree $k-1$,

$$f(x) = q_0 + q_1 x + \ldots + q_{k-1} x^{k-1},$$

where $q_1, q_2, \ldots, q_{k-1}$ are random, uniform and independent coefficients, and the responder's DH private key is $a = q_0$ (the coefficient arithmetic is carried out modulo the order of $g$, since the shares are later used as exponents). By the Lagrange formula [15], $f$ can be written as

$$f(x) = \sum_{j=1}^{k} f(j) \prod_{l=1,\, l \neq j}^{k} \frac{x - l}{j - l}. \qquad (1)$$

The shares of the private exponent $a$ are denoted $a_i$, with $a_i = f(i)$. The responder selects the $n$ values $f(1), f(2), \ldots, f(n)$ of the polynomial $f$, where $n > k$ and $a = f(0)$, and sends each $f(j)$ to the corresponding proxy $P_j$ in an encrypted unicast message, for $j = 1, \ldots, n$. The message carries $f(j)$ and the received SRC ID, encrypted under the pre-shared key $K_{jr}$. Each proxy decrypts the message and obtains SRC ID. Each proxy then establishes a secure connection and session key $K_{ji}$ with the remote host using a link-establishment protocol such as TLS or IPsec. During this step the proxies verify the legitimacy of the remote host and its willingness to continue the handshake with the constrained medical sensor; this therefore also provides explicit authentication from the remote host's point of view. If the verification succeeds, each proxy computes its part of the responder's DH public key, $g^{a_j} \bmod p = g^{f(j)} \bmod p$, encrypts it under $K_{ji}$, and forwards it to the initiator. Upon receiving a subset $P$ of $k$ such values, the initiator computes the Lagrange coefficients

$$c_j = \prod_{l \in P,\, l \neq j} \frac{-l}{j - l} \qquad (2)$$

and reconstructs the responder's DH public key from them:

$$\prod_{j \in P} \left(g^{f(j)}\right)^{c_j} \bmod p = g^{\sum_{j \in P} f(j)\, c_j} \bmod p = g^{f(0)} \bmod p = g^{a} \bmod p. \qquad (3)$$

Hence the recipient (the initiator) needs only $k$ successful deliveries out of the $n$ messages to recover the responder's DH public key consistently, so the protocol continues despite the failure, misbehavior or unreliability of up to $n - k$ proxies and the loss of the corresponding messages. The initiator then chooses its private exponent $b$ and derives the DH key $K_{DH} = (g^{a} \bmod p)^{b} = g^{ab} \bmod p$. Next, the initiator computes the messages $E(K_{ji}, g^{c_j b} \bmod p)$ and sends them to the proxies $P_j$, $j \in P$. The intermediate proxies

decrypt their respective messages, compute the shares of the DH key, $K_{DH_j} = g^{f(j)\, b\, c_j} \bmod p$, and forward them to the responder. After receiving $k$ successful deliveries, the responder decrypts the messages and reconstructs the DH key:

$$K_{DH} = \prod_{j \in P} K_{DH_j} = \prod_{j \in P} \left(g^{b c_j} \bmod p\right)^{f(j)} = g^{\,b \sum_{j \in P} f(j)\, c_j} \bmod p = g^{ab} \bmod p. \qquad (4)$$

Finally, to conclude the handshake, the responder computes a MAC over SRC ID using $K_{DH}$ and sends it to the initiator as the Finish message. By verifying the received MAC, the initiator confirms that both sides derived the same key $K_{DH}$.

V. PROTOCOL ANALYSIS

A. Energy consumption

For the evaluation of the energy consumption we focus on the most constrained node in the protocol, the medical sensor. The key establishment protocol is implemented on the Libelium Waspmote platform [17] using the Waspmote cryptographic libraries. In the implementation the number of proxies is $n = 5$ and $k = 3$, and AES-128 is used for encryption/decryption. The computations performed at the medical sensor cost a total of 251.1 µJ. The energy cost of communication is restricted to the transmission and reception of bytes: the protocol requires the sensor to transmit 80 bytes and receive 48 bytes, corresponding to 237.6 µJ and 648 µJ respectively, i.e. 885.6 µJ in total. Including both computation and communication, the protocol therefore consumes 1.137 mJ at the sensor. This is far below the energy consumption of the HIP-DEX and HIP-BEX protocols, which require 13.694 mJ and 237.948 mJ respectively. The main difference between HIP-DEX and HIP-BEX is the presence of digital signatures in the latter. The difference between our protocol and both HIP variants is that the computationally heavy exponentiations are transferred to the proxies; the protocol thus takes advantage of the device heterogeneity in IoT.

B. Security properties

The security of the key establishment scheme relies heavily on the trustworthiness of the proxies. Because of the pre-installed key material, the proxies are assumed to be reliable and trustworthy. Since deriving the DH key requires the collaboration of at least $k$ proxies, up to $n - k$ proxies may malfunction, whether because of a lack of energy or because they are compromised. As soon as

not all proxies contribute any more, the initiator should identify the problematic proxy and report it to the responder. In this way the responder can react appropriately and avoid a situation in which $k$ or more proxies are able to collude or to mount Denial of Service (DoS) attacks. In a DoS attack, malicious proxies try to disrupt the key establishment protocol by sending no traffic, or bogus traffic, to the initiator.

The authentication of the initiator and the responder is established through the proxies. On the one hand, the proxies are linked to the responder through pre-installed key material; on the other hand, the common key between a proxy and the initiator is derived through TLS or IPsec, since both have sufficient resources. Consequently, each proxy linked to a particular responder can be identified by the initiator. Moreover, thanks to this proxy-based approach, there is no need for the computationally expensive digital signatures used in HIP-BEX. Since all messages, from medical sensor to proxy, from proxy to initiator and back, are encrypted, confidentiality is ensured: man-in-the-middle and eavesdropping attacks learn nothing about the content of the messages and become very hard. Since ephemeral DH exponents $a$ and $b$ are used, the scheme provides forward secrecy with respect to the long-term asymmetric keys: the short-term session key cannot be derived from them (the pre-shared keys $K_{jr}$ protect the shares $f(j)$ in transit and therefore have to be kept secret as well). Moreover, replay attacks are prevented by the fresh random choice of $a$ and $b$ in every run, together with the nonce $N_I$ checked by the responder.

VI. CONCLUSIONS

This paper proposed a lightweight authentication and key establishment protocol for E2E secure connection initiation with highly resource-constrained medical sensors in IoT-enabled AAL systems. A proxy-based approach is used to delegate the computationally heavy operations to more powerful devices in the neighborhood of the medical sensor. The energy consumption of the protocol shows promising results for real-world applications.
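The handshake of Section IV carried through end to end, as an added worked example. This is not the authors' Waspmote implementation (which is not on the page) but independent Python that models the responder, the proxies and the initiator as functions and keeps only the arithmetic; the encrypted unicast channels under $K_{jr}$ and the TLS/IPsec links under $K_{ji}$ are represented by direct calls. Two points the paper leaves implicit are made explicit: the shares $f(j)$ and coefficients $c_j$ are computed modulo the order $q$ of $g$ (they appear as exponents, and $\sum_j c_j f(j) \equiv f(0) \pmod q$ is what makes equations (3) and (4) hold), and the Finish MAC is HMAC-SHA256, an assumption since the paper does not name the MAC algorithm. The group parameters are toy values chosen for the example (a safe prime $p = 2q + 1$ with $q = 1019$, $g = 4$); a deployment would use a standard 2048-bit group. SRC ID and the `alive` list of reachable proxies are constructed inputs.

```python
"""Proxy-assisted Diffie-Hellman key establishment with Shamir shares of the
responder's private exponent.  Added worked example; not the paper's code."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Toy group parameters (assumption for this example): safe prime p = 2q + 1,
# g = 4 generates the subgroup of prime order q.  Real deployments use a
# standard >= 2048-bit group; the protocol logic is unchanged.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def make_shares(a: int, n: int, k: int, q: int = Q) -> Dict[int, int]:
    """Responder: random polynomial f of degree k-1 over Z_q with f(0) = a,
    evaluated at x = 1..n.  Share j is f(j).  Arithmetic is mod q because the
    shares are later used as exponents of g, whose order is q."""
    coeffs = [a % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    shares = {}
    for j in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):          # Horner evaluation of f(j) mod q
            v = (v * j + c) % q
        shares[j] = v
    return shares


def lagrange_coeffs(subset: List[int], q: int = Q) -> Dict[int, int]:
    """Eq. (2): c_j = prod_{l in P, l != j} (-l)/(j - l) mod q, so that
    sum_{j in P} c_j f(j) = f(0) for any k distinct share indices P."""
    cs = {}
    for j in subset:
        num, den = 1, 1
        for l in subset:
            if l != j:
                num = num * (-l) % q
                den = den * (j - l) % q
        cs[j] = num * pow(den, -1, q) % q    # modular inverse of the denominator
    return cs


def initiator_reconstruct(public_shares: Dict[int, int]) -> Tuple[int, Dict[int, int]]:
    """Eq. (3): g^a = prod_{j in P} (g^{f(j)})^{c_j} mod p from any k public shares."""
    cs = lagrange_coeffs(list(public_shares))
    ga = 1
    for j, g_fj in public_shares.items():
        ga = ga * pow(g_fj, cs[j], P) % P
    return ga, cs


def responder_combine(key_shares: List[int]) -> int:
    """Eq. (4): K_DH = prod_{j in P} K_DH_j = g^{b sum_j c_j f(j)} = g^{ab} mod p."""
    k_dh = 1
    for s in key_shares:
        k_dh = k_dh * s % P
    return k_dh


def finish_mac(k_dh: int, src_id: bytes) -> bytes:
    """Finish message: MAC over SRC_ID keyed with K_DH.  HMAC-SHA256 is an
    assumption; the paper does not name the MAC algorithm."""
    key = k_dh.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(key, src_id, hashlib.sha256).digest()


def run_handshake(n: int = 5, k: int = 3, alive=None) -> Tuple[int, int, bool]:
    """One full run.  `alive` lists the proxies whose messages get through; any k
    of them suffice (the n - k fault tolerance of Section IV).  Returns
    (initiator's K_DH, responder's K_DH, Finish MAC verified)."""
    alive = list(range(1, n + 1)) if alive is None else list(alive)
    if len(alive) < k:
        raise ValueError("fewer than k proxies reachable; key cannot be recovered")
    src_id = b"remote-host-42"                       # constructed SRC_ID
    # Responder: ephemeral exponent a and one share per proxy (sent under K_jr).
    a = secrets.randbelow(Q - 1) + 1
    shares = make_shares(a, n, k)
    # Proxies -> initiator: g^{f(j)} after the TLS/IPsec link check (under K_ji).
    public_shares = {j: pow(G, shares[j], P) for j in alive}
    used = dict(list(public_shares.items())[:k])     # initiator needs only k of them
    ga, cs = initiator_reconstruct(used)
    # Initiator: ephemeral exponent b, K_DH = (g^a)^b, and g^{c_j b} per used proxy.
    b = secrets.randbelow(Q - 1) + 1
    k_dh_initiator = pow(ga, b, P)
    g_cj_b = {j: pow(G, cs[j] * b % Q, P) for j in used}
    # Proxies -> responder: K_DH_j = (g^{c_j b})^{f(j)}; the responder multiplies them.
    k_dh_responder = responder_combine([pow(g_cj_b[j], shares[j], P) for j in used])
    # Finish: responder MACs SRC_ID under its K_DH; initiator checks with its own.
    tag = finish_mac(k_dh_responder, src_id)
    ok = hmac.compare_digest(tag, finish_mac(k_dh_initiator, src_id))
    return k_dh_initiator, k_dh_responder, ok


if __name__ == "__main__":
    ki, kr, ok = run_handshake()
    print("keys agree:", ki == kr, "Finish MAC verified:", ok)
    print("proxies 2 and 4 lost (n - k = 2 tolerated):", run_handshake(alive=[1, 3, 5])[2])
```

Running the block with the default $n = 5$, $k = 3$ shows both sides arriving at the same $K_{DH}$ and the Finish MAC verifying, and the second call shows the run still succeeding when two of the five proxies never deliver. Note that the initiator only ever sends $g^{c_j b}$, never $g^b$ itself, exactly as in the message flow of Section IV.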
ACKNOWLEDGEMENT

This work is supported by the TETRA grant of the Flanders agency for Innovation by Science and Technology, and by the Short Term Scientific Mission performed under COST Action IC1303. This work is also supported by the European Celtic-Plus project CONVINcE and was partially funded by Finland, France, Romania, Sweden and Turkey.

REFERENCES

[1] L. Atzori, A. Iera, and G. Morabito, "The Internet of Things: A Survey," Computer Networks, vol. 54, no. 15, pp. 2787–2805, 2010.
[2] D. Miorandi, S. Sicari, F. D. Pellegrini, and I. Chlamtac, "Internet of Things: Vision, Applications and Research Challenges," Ad Hoc Networks, vol. 10, no. 7, pp. 1497–1516, 2012.
[3] M. Memon, S. R. Wagner, C. F. Pedersen, F. H. A. Beevi, and F. O. Hansen, "Ambient Assisted Living Healthcare Frameworks, Platforms, Standards, and Quality Attributes," Sensors (MDPI), vol. 14, no. 3, pp. 4312–4341, 2014.
[4] S. Spinsante and E. Gambi, "Remote Health Monitoring by OSGi Technology and Digital TV Integration," IEEE Transactions on Consumer Electronics, vol. 58, no. 4, pp. 1434–1441, November 2012.
[5] V. Vimarlund and S. Wass, "Big Data, Smart Homes and Ambient Assisted Living," Yearbook of Medical Informatics, vol. 9, no. 1, pp. 143–149, 2014.
[6] W. Trappe, R. Howard, and R. Moore, "Low-Energy Security: Limits and Opportunities in the Internet of Things," IEEE Security & Privacy, vol. 13, no. 1, pp. 14–21, January 2015.
[7] W. Wilkowska and M. Ziefle, "Privacy and Data Security in E-health: Requirements from the User's Perspective," Health Informatics Journal (SAGE), vol. 18, no. 3, pp. 191–201, 2012.
[8] S. Islam, D. Kwak, M. Kabir, M. Hossain, and K. Kwak, "The Internet of Things for Health Care: A Comprehensive Survey," IEEE Access, vol. 3, pp. 678–708, 2015.
[9] H. Tschofenig and T. Fossati, "A TLS/DTLS 1.2 Profile for the Internet of Things," IETF Internet-Draft draft-ietf-dice-profile-09, 2013, <http://tools.ietf.org/html/draft-ietf-dice-profile-09>.
[10] C. Kaufman, "Internet Key Exchange (IKEv2) Protocol," IETF RFC 7296, 2014, <http://tools.ietf.org/html/rfc7296>.
[11] R. Moskowitz, "HIP Diet EXchange (DEX)," IETF Internet-Draft draft-moskowitz-hip-dex-02, 2014, <http://tools.ietf.org/html/draft-moskowitz-hip-dex-02>.
[12] Y. Saied and A. Olivereau, "D-HIP: A Distributed Key Exchange Scheme for HIP-based Internet of Things," in Proceedings of the IEEE World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012, pp. 1–7.
[13] Y. B. Saied, A. Olivereau, D. Zeghlache, and M. Laurent, "Lightweight Collaborative Key Establishment Scheme for the Internet of Things," Computer Networks, vol. 64, pp. 273–295, 2014.
[14] P. Porambage, A. Braeken, P. Kumar, A. Gurtov, and M. Ylianttila, "Proxy-based End-to-End Key Establishment Protocol for the Internet of Things," in Proceedings of the IEEE ICC Workshop on Security and Privacy for Internet of Things and Cyber-Physical Systems, 2015, to appear.
[15] A. Shamir, "How to Share a Secret," Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[16] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
[17] Libelium Comunicaciones Distribuidas S.L., "Waspmote Technical Guide, v5.8," 2015, <http://www.libelium.com/development/waspmote/documentation/waspmote-technical-guide/?action=download>.