Securing Internet of Things
Physical Layer Security in Internet of Things:
Traditionally, wireless security in IoT devices is achieved at the higher layers of the protocol stack through various cryptographic approaches. However, these create a conflict, because the computational cost rises with the level of cryptography. To address this challenge, a new technology called physical-layer security is emerging. It promises to resolve the trade-off between cost and security level. One of the concepts helping to develop this technology is compressed sensing (CS), which has a direct and positive impact on the way data is acquired in information systems and can increase the efficiency of data transfer. In general, symmetric key encryption and decryption is considered the most direct and effective method of achieving security. Compressed sensing, when used with physical-layer security, can provide interesting results; however, an "out of the box" implementation may lead to potential challenges. In general, compressed sensing does not provide perfect secrecy. As computational power increases, the chance of information leaking in the CS model increases. To address these challenges, author Ning Wang, in the article "Physical-layer security in Internet of Things based on compressed sensing and frequency selection", proposes a security framework which promises to overcome them. Below is a high-level overview of this model:
In the first stage, the dynamic selection of the communication channel, the authors exploit the frequency-selective channel to increase the entropy of the measured channel. The model uses a dynamic channel selection method which utilizes the frequency-selective feature. Once the channel is detected and selected using the available algorithm, a random set of secure bits is obtained. This process is further enhanced using a hash function. To implement the proposed model, the author suggests using an m-sequence circulant matrix to generate a random sequence. Using the mathematical function and the recommended algorithm, the authors were able to achieve randomness in channel selection on both single-channel samples and dynamic-channel samples. Once brought into production, this model will help increase security at the physical layer.
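How an m-sequence circulant (circular) matrix can be derived from hashed channel bits and used as a compressed-sensing measurement matrix, as an added illustration that is not code from the cited article. The degree-7 register, the polynomial x^7 + x + 1, the SHA-256 seeding and all sample values are assumptions chosen to keep the example small.

```python
import hashlib

DEGREE = 7  # toy register size (assumption); period is 2**7 - 1 = 127

def seed_from_channel_bits(channel_bits):
    """Hash the agreed channel bits and keep DEGREE bits as the LFSR state."""
    digest = hashlib.sha256(channel_bits).digest()
    state = [(digest[0] >> i) & 1 for i in range(DEGREE)]
    if not any(state):  # the all-zero state would never leave zero
        state[0] = 1
    return state

def m_sequence(state):
    """One period of the LFSR s[n+7] = s[n+1] XOR s[n] (x^7 + x + 1)."""
    state = list(state)
    out = []
    for _ in range(2 ** DEGREE - 1):
        out.append(state[0])
        state = state[1:] + [state[0] ^ state[1]]
    return out

def circulant_rows(seq, rows):
    """First `rows` cyclic shifts of the sequence mapped to +1/-1."""
    pm = [1 - 2 * b for b in seq]
    return [pm[i:] + pm[:i] for i in range(rows)]

def measure(matrix, signal):
    """Compressed measurement y = Phi * x."""
    return [sum(a * x for a, x in zip(row, signal)) for row in matrix]

def row_correlation(matrix, i, j):
    """Inner product of two rows; -1 for distinct rows of an m-sequence."""
    return sum(a * b for a, b in zip(matrix[i], matrix[j]))

# Constructed sample: bits both ends are assumed to have derived already
SHARED_BITS = b"\x5a\xc3\x19\x7e"
SEQ = m_sequence(seed_from_channel_bits(SHARED_BITS))
PHI = circulant_rows(SEQ, 32)    # 32 measurements of a length-127 signal
SIGNAL = [0] * 127
SIGNAL[5], SIGNAL[90] = 3, -2    # sparse constructed signal
Y = measure(PHI, SIGNAL)
```

With a fixed polynomial the seed only selects the phase of the sequence, so a degree-7 register offers just 127 distinct matrices; a deployment would need a much longer register.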
Securing Federated Cloud and IoT Networks:
Internet of Things devices rely heavily on internet connectivity to transform them from dumb devices into intelligent applications that demonstrate intelligent behavior. The pattern for such behavior is called a control loop. Step 1: gather data from a series of sensors. Step 2: aggregate the collected data and perform analytics. Step 3: exhibit smart behavior in the form of decisions made. Since the use of such IoT devices is increasing, it is prudent to protect the communication between IoT devices and applications from any security threats which exist today or may exist in the future. One mechanism for protecting the network communication between the devices and the applications in the cloud is to use network slices to connect the IoT network gateway to the cloud and the data analytics application. The benefit of using network slices is that global network security policies can be implemented on each network slice independently of the differing network security policies at the physical layer of the network. Since IoT devices are limited in terms of energy and resources, lightweight encryption is used to secure the network communication. This model is based on a federated cloud network architecture. It is said that future 5G networks will support the concept of network slices by default. Each network slice would have to be protected separately based on the DevOps security requirements. In this model, security is considered to be end-to-end, as the security policies are enforced within the network slices. The physical infrastructure is composed of compute, network and storage resources. The virtual network consists of virtual compute and storage. The federated IoT network communicates with the cloud network through routers. The benefit of this approach is that it makes it possible to use global security policies end-to-end on the network slices.
Because IoT devices are limited in power, it is not possible to implement the same security policies on them as on cloud or fog network components. For all practical purposes, parts of the global security policies will be implemented on the IoT network, depending on the type of device and the type of network used by the array of those devices. However, the approach to security remains the same as that of the global security policy. The global network security policy is implemented using Network Function Virtualization (NFV) and Service Function Chaining (SFC) at the edge of a federated network. The architecture of this model comprises three core components: the service manager, the cloud manager and the network manager. This architecture is transparent with respect to the underlying network technologies. The security policy is defined using the Advanced Service Manifest, which is partially compliant with TOSCA. From the security vantage point, each member who participates in the federated IoT cloud is assumed to be SDN enabled.
IoT devices are more efficient when they interact with each other. Opening a sensor gateway to share its data with other devices can be achieved in two ways: centralized data sharing and distributed data sharing. In the former approach the data is communicated over a machine-to-machine platform, whereas in the latter approach the devices in the neighbourhood share the data directly among themselves. For the distributed communication mode, the security approach should also be distributed in nature. The model discussed in this section is able to provide security cover to the federated network up to the edge of the IoT network. However, this is not sufficient, as the edge may consist of routers but the inner core of the IoT network may not have the resources to run NFV/SFC. So a separate solution is needed to secure the internal working of the IoT network, and the approach discussed in the previous section can be used to secure IoT device communication at the physical layer.
Authenticated Encryption Schemes:
Authenticated encryption schemes are a type of symmetric cryptographic algorithm that simultaneously provides confidentiality and authenticity of data. In the language of CISSP, confidentiality means protecting data from unauthorized access and authenticity refers to the integrity of data. A majority of IoT devices run lightweight applications and must handle additional data headers which may need authentication without any encryption. So one of the best-suited schemes for lightweight IoT applications is Authenticated Encryption with Associated Data (AEAD). When looking at authenticated encryption schemes, the three key factors to consider are:
Nonce Misuse Resistance: In cryptography, a "nonce" is an arbitrary number which is used only once. It is often a random number used in an authentication protocol to ensure old communications cannot be reused in replay attacks. It is favorable for an authentication algorithm to resist nonce misuse. In IoT devices, storing and managing a fresh nonce for each new message is a challenging task. Incorrect implementation of this concept leads to security breaches. There are few algorithms which provide complete nonce misuse resistance both in terms of confidentiality and authentication.
Security: The security of an algorithm needs evaluation both in terms of mathematical proofs and through testing by external groups. A 128-bit key size is a very common choice wherever possible. From the security point of view, a 128-bit key size provides an acceptable level of security.
Parallelizability: In cryptology, a parallel algorithm is one which can be executed a piece at a time on multiple different processing devices, with the pieces combined again at the end to get the correct result. Parallelizability refers to the capability of an algorithm to run in parallel mode. Some algorithms are completely parallelizable, whereas others are not parallelizable at all. Parallel algorithms help developers by making various optimization techniques available to them. This is an important feature for an algorithm used in IoT devices, as it helps optimize how the devices function.
Based on the above parameters, below are two authenticated encryption schemes which can be used in IoT devices:
Joltik encryption: This encryption mechanism was presented by Jeremy Jean, Ivica Nikolic and Thomas Peyrin of Nanyang Technological University, Singapore in March 2014. It is based on a 64-bit lightweight and tweakable block cipher that uses an AES-like round function as a building block. It is specially designed for hardware applications. In some versions of Joltik, the key can be hard-wired for even smaller implementations if permitted by the application. This mechanism has minimal overhead for decryption.
POET (Pipelineable On-Line Encryption with Authenticated Tag): This is an online authenticated encryption scheme which is based on AES and provides complete nonce misuse resistance and parallelizability. This algorithm is used in applications which need low latency and high throughput with large data.
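The two properties discussed above, a header that is authenticated but not encrypted and the cost of reusing a nonce, shown as an added example that is not code from the cited papers. It uses a generic encrypt-then-MAC construction built on HMAC-SHA256 as a stand-in, not Joltik or POET; the keys, header and payloads are constructed sample values.

```python
import hashlib
import hmac

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a lightweight cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key, nonce, header, ciphertext):
    # The length prefix keeps the header/ciphertext boundary unambiguous.
    msg = nonce + len(header).to_bytes(4, "big") + header + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, nonce, header, plaintext):
    """Encrypt the payload; authenticate header and ciphertext together."""
    ciphertext = xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return ciphertext, _tag(mac_key, nonce, header, ciphertext)

def open_sealed(enc_key, mac_key, nonce, header, ciphertext, tag):
    """Verify the tag first; release plaintext only if it matches."""
    expected = _tag(mac_key, nonce, header, ciphertext)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

class NonceCounter:
    """Per-key message counter; a device must persist it across reboots."""
    def __init__(self, start=0):
        self.value = start
    def next(self):
        self.value += 1
        return self.value.to_bytes(12, "big")

# Constructed sample values (128-bit keys, header sent in the clear)
ENC_KEY, MAC_KEY = bytes(range(16)), bytes(range(16, 32))
HEADER = b"sensor-17|temp"

def nonce_reuse_leak(p1, p2, nonce_a, nonce_b):
    """True when XOR of the ciphertexts equals XOR of the plaintexts."""
    c1, _ = seal(ENC_KEY, MAC_KEY, nonce_a, HEADER, p1)
    c2, _ = seal(ENC_KEY, MAC_KEY, nonce_b, HEADER, p2)
    return xor(c1, c2) == xor(p1, p2)
```

A device that loses its counter on reboot repeats nonces under the same key, which is the failure that nonce-misuse-resistant schemes are designed to tolerate.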
References:
- P. Massonet, L. Deru, A. Achour, S. Dupont, A. Levin and M. Villari, "End-To-End Security Architecture for Federated Cloud and IoT Networks," 2017 IEEE International Conference on Smart Computing (SMARTCOMP), Hong Kong, China, 2017, pp. 1-6.
- S. Koteshwara and A. Das, "Comparative study of Authenticated Encryption targeting lightweight IoT applications," in IEEE Design & Test, vol. PP, no. 99, pp. 1-1, doi: 10.1109/MDAT.2017.2682234.
- Blelloch, G., Maggs, B. School of Computer Science. Carnegie Mellon University. Parallel Algorithms. Retrieved from https://www.cs.cmu.edu/~guyb/papers/BM04.pdf
- Jean, J., Nikolic, I., and Peyrin, T. (16 March 2014). Nanyang Technological University, Singapore. Retrieved from https://competitions.cr.yp.to/round1/joltikv1.pdf