
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/322201126

A lightweight IoT security protocol

Conference Paper · October 2017
DOI: 10.1109/CSNET.2017.8242001
Citations: 30 · Reads: 1,306

5 authors, including: Mohamed Tahar Hammi, Erwan Livolant, Patrick Bellot, Ahmed Serhrouchni.

All content following this page was uploaded by Mohamed Tahar Hammi on 23 May 2019.


A Lightweight IoT Security Protocol
Mohamed Tahar Hammi∗ , Erwan Livolant† , Patrick Bellot∗ , Ahmed Serhrouchni∗ , Pascale Minet‡
∗ LTCI, Télécom ParisTech, Université Paris-Saclay, 75013, Paris, France
∗ {hammi,bellot,serhrouchni}@telecom-paristech.fr
† AFNeT, Boost-Conseil, 75008 Paris, France
[email protected]
‡ Inria-Paris, EVA team, 2 rue Simone Iff, 75589 Paris Cedex 12, France
[email protected]

Abstract—The IoT is a technology that enables the interconnection of smart physical and virtual objects and provides advanced services. Objects or things are generally constrained devices which are limited by their energy, computing and storage capacity. A Wireless Sensor Network (WSN) is a network composed of devices managed by a CPAN (Personal Area Network Coordinator). The network is used in order to gather and process data of a given environment. It is characterized by its low bit rate and low power consumption, and it uses small size packets in its transmissions. In order to protect the WSN, a mutual authentication between devices is required during the association of a new device. The exchanged data should be authenticated and encrypted. In this work we propose a robust, lightweight and energy-efficient security protocol for WSN systems. The real tests we made and a performance evaluation of our security protocol are provided.

Index Terms—Security, Authenticated encryption, Mutual authentication, WSN, IoT, Industrial Environment, Scyther, OCARI.

I. INTRODUCTION

With the IoT, today, virtual and smart physical things are able to communicate with each other without human intervention. This technology attracts different fields because of its economic and societal benefits. Industry is at the top of the list. In fact, industrial wireless sensor networks represent a sub-domain of the IoT which concerns limited-capacity devices used to gather data and manage various environments. Due to the nature of these devices, security represents a big issue for researchers and developers. In this paper, we present a robust and lightweight security protocol that ensures a mutual authentication and secures transmissions between devices. This protocol has been implemented on the OCARI platform, which is a promising and energy-efficient industrial wireless sensor network.

In 2014, according to The New York Times, Russian hackers got access to the State Department's unclassified system and stole the archived e-mails, including the president's ones. Even worse, a few years ago in Australia, a certain Vitek Boden, for revenge reasons, attacked the SCADA (Supervisory Control and Data Acquisition) system of the Maroochy Shire Council, which was in charge of waste management. As a result, millions of liters of raw sewage were redirected to a park and a hotel located around the company. Thus, an ecosystem was destroyed in a short time [1]. In the UK, a provider of telecommunications services was the victim of an attack in October 2015. Hackers managed to get many customer records, which contain important information like logins and passwords, secret codes, confidential and personal data, etc. Therefore the company has lost a lot of money and customers.

The unauthorized access, the identity usurpation, and the theft and/or modification of stored and/or exchanged data represent a serious danger for our information systems. Researchers and developers try to find and create new solutions to enhance the security and the robustness of such systems. The issue is more complex if the system is an architecture for the Internet of Things (IoT). The IoT is a technology that enables the interconnection of smart physical and virtual objects and provides advanced services. Objects or things are generally constrained devices, which are limited by their energy, computing and storage capacity.

The IoT covers a lot of areas such as Smart Cities, M2M (Machine to Machine) systems, Body Area Networks (BAN), and Wireless Sensor Networks (WSN). The WSN is a network composed of devices managed by a CPAN (Personal Area Network Coordinator). The network is used in order to gather and process data of a given environment. Usually, the devices (except the CPAN) are limited in terms of computation and memory capacity. They are characterized by their low bit rate and low power consumption, and they use small size packets in their transmissions. The data produced by each device is transmitted via multiple hops to the CPAN, which can use them, or forward them to another network. The most known WSN technologies are based on the IEEE 802.15.4 physical layer (PHY) [9]. It is resilient to radio interferences and provides a good foundation for building ad-hoc mesh networks.

In order to protect the WSN, a mutual authentication between devices is required during the association of a new device. The exchanged data should be authenticated and encrypted. In this work we propose a robust, lightweight and energy-efficient security protocol for WSN systems. This paper is organized as follows. Section II presents different research works realized for securing the IoT. Section III explains our proposed approach and its implementation. The real tests we made and a performance evaluation of our security protocol are provided in Section IV. Finally, a conclusion and our future works are given in Section V.
II. RELATED WORK

In [7], we proposed an authentication protocol for securing the IoT system OCARI, an industrial WSN for constrained environments. It was based on pre-shared keys. It provided a mutual authentication and a good mechanism for the derived key exchange during the association step. Although this solution is a lightweight, robust and fast protocol, the confidentiality of the transmitted data is missing. In addition, using HMAC [11] for signing packets can be expensive in terms of computing and execution time.

Authors in [13] propose a security protocol called HIP (Host Identity Protocol). Their study focuses mainly on the security of the constrained devices over LoWPAN (Low power Wireless Personal Area Networks). HIP is based on asymmetric key cryptography. They propose to add a central authority for managing and controlling each IoT domain. During a new association, both devices and the central authority should be mutually authenticated using asymmetric cryptography. Once the two communicating entities are authenticated, session symmetric keys are shared and an encrypted communication can start. For managing and updating keys, they use another protocol called MIKEY (Multimedia Internet KEYing). Their solution ensures a good authentication and data protection mechanism. However, generating and providing new keys for each association step consumes a lot of time and energy. In Section III, we will describe our system that does not require a generation of new symmetric keys while keeping the system safe against cryptanalysis and replay attacks.

Researchers in [10] propose a secure architecture based on the DTLS (Datagram Transport Layer Security) protocol for the IoT. It was designed to work over LoWPANs. It provides a mutual authentication and a symmetric key exchange for creating a symmetric secure channel. It uses X.509 certificates [8] and the RSA (Rivest Shamir Adleman) algorithm [15]. The authentication requires a trusted third party. Although this solution is very robust and ensures a strong authentication mechanism, it is not optimized. First, the use of the RSA algorithm and the exchange of a large number of messages (6 messages are mandatory for the DTLS handshake) is computationally resource-intensive and consumes a lot of energy. Secondly, the size of X.509 certificates is not adapted to constrained devices that have a small memory capacity. And thirdly, this solution is time consuming: as shown in [10], the execution time of the DTLS handshake with 1024-bit keys takes 3783 ms for the single hop, and 4791 ms for the multi hop. Using 2048-bit keys, it takes 4000 ms for the single hop and 6627 ms for the multi hop. This represents a large execution time that could not be acceptable for applications with strong latency constraints.

Another interesting work described in [16] proposes a lightweight proposition designed for the Wi-Fi based IoT. In their architecture, all the communications should pass through a gateway. This solution provides a mutual authentication based on public keys combined with pre-shared keys. It uses the Elliptic Curve Diffie-Hellman (ECDH) operation to generate a shared key. It will be used to secure transmissions during the data exchange using a symmetric secure channel. This solution requires the exchange of only 3 messages. It is lightweight, energy-efficient, and needs a reasonable computing capacity. The only weakness is in the first sent message (A) in Figure 1.

Figure 1: Authentication Procedure for a Wi-Fi based IoT

X_A, X_B and x_A, x_B represent respectively the public and the private keys. K is a pre-shared key between two entities. H(u, v) is the hash of the message u, v. And finally Sig_A(u, v, w), Sig_B(u, v, w) is the signature of the message u, v, w of the entity with its own public key. The messages labelled (B) and (C) are without any risk. However, the authentication with the pre-shared key K in the message labelled (A), without any random factor or counter, exposes K to a potential cryptanalysis attack.

In the next section, we will explain our proposed approach, whose aim is to solve the performance and security problems seen above.

III. PROPOSED APPROACH

As explained above, the WSN architecture is made of constrained devices (sensors, or actuators) managed by a CPAN which is an unconstrained device. When a new device wants to join the WSN network, first a mutual authentication should be ensured. Then, a symmetric secure channel should be created between the communicating entities in order to protect the exchanged data. The mutual authentication mechanism was realized in the MAC sub-layer, and the authenticated encryption of data is done in the application layer.

A. Chosen algorithms

For the authentication mechanism, we opted for the asynchronous OTP (One Time Password) algorithm. It is adapted to our needs [6]. The OTP is a password that can be used only one time. It is based on a pre-shared key and, in the case of the asynchronous OTP, a random challenge. The random challenge protects the authentication against replay attacks and cryptanalysis attacks. In order to ensure a robust and fast authenticated encryption of data, we implemented AES, also called Rijndael, possibly using GCM (Galois Counter Mode) or CCM (Counter with CBC-MAC). The mode to use is selected in the configuration file. The authenticated encryption ensures the confidentiality and the integrity of the transmitted data at the same time.

We deployed our protocol in the OCARI network (Optimization of Communication for Ad hoc Reliable Industrial networks). OCARI is an energy-efficient WSN technology. It represents an application of the IoT in the industrial environment. OCARI is based on the IEEE 802.15.4 physical layer [9] that allows reliable signal transmission and resistance against radio interferences in harsh environments (e.g. power plants, factories, etc.). We previously designed and implemented a new security mechanism for the authentication of the associated devices and the integrity of their exchanged data [6]. However, the confidentiality service was still missing. Although this solution is proposed and implemented for OCARI, it can also be deployed for any other WSN.

B. Design of our protocol

For the key management, we created a method called the "personalization". The principle of this method is detailed in Figure 2. For each OCARI network, the devices provider generates a "kit" of secret keys that contains an initial key key_i and derived ones key_d(s). The kit will be installed, in out-of-band mode, in the CPAN and the concerned devices. The derived keys are computed using the "PersoFunc()" function (see equation 1). It is an irreversible function that generates a strong key and protects key_i against deductive attacks.

$$persoFunc(key_i, UI) = HMAC(key_i, UI) \quad (1)$$

Once key_d is created and set into the device, the device is able to be associated with the OCARI network.

Figure 2: The personalization of devices

The goal of this personalization is to ensure that the communication between a device A and the CPAN cannot be intercepted by a device B belonging to the same OCARI network. In addition, the other advantage is that even if an attacker could get the personalized key of one device, it will not influence the security of the rest of the devices belonging to the same OCARI network.

Figure 3 on the following page depicts the association of a device to a cluster. We can summarize this process:
• The device sends an association request to the CPAN. It receives an authentication request that contains a challenge (random number). By means of the algorithm named HOTP [14], it computes the OTP using its key_d and the challenge. It sends the generated otp_1 to the CPAN as the authentication response.
• The CPAN checks if the joining device is blacklisted or not. Then, it generates the key_d for this device, computes otp'_1, and compares the latter with otp_1. If the authentication failed and the same device has been rejected consecutively max_assoc_req times, then it is blacklisted. Otherwise the authentication is successful. It generates a symmetric secret key called key_u. This key will be used for the authenticated encryption of the exchanged messages in the unicast mode. It computes otp_2 for the authentication of the CPAN, and hides key_b. key_b is the authenticated encryption key in the broadcast mode:

$$key_u = PRF(key_d, challenge)$$
$$signature = HMAC(key_u, otp_1)$$
$$hiddenKeyBroadcast = signature \oplus key_b$$
$$otp_2 = HOTP(key_u, hiddenKeyBroadcast)$$

where PRF is the Pseudo Random Function defined in the SSL/TLS specification [3]. We use this function in order to create key_u and securely share key_b. If an external attacker intercepts all the exchanged information, challenge, otp_1, hiddenKeyBroadcast, and otp_2, it cannot compute any secret information because it has neither the couple (key_d, key_b) nor (key_u, key_b). An internal attacker which has key_b in addition to all the exchanged information cannot compute the keys of other devices. That is to say, when an internal attacker attempts to get the key_u of another device, it computes the xor between key_b and the hiddenKeyBroadcast in order to obtain the signature; and because the latter is generated by an irreversible function, even using otp_1, the attacker cannot get key_u. otp_2 is computed by the CPAN for hitting two targets with one shot: firstly to ensure the integrity of the hiddenKeyBroadcast and, secondly, to authenticate itself. To be generated, otp_2 needs a secret key and a unique challenge. For this reason the CPAN uses key_u as a secret and exploits the hiddenKeyBroadcast as the challenge. The latter is unique, because it is based on a unique signature, which is based on a unique OTP (otp_1). Then otp_2 is sent, accompanied by the hiddenKeyBroadcast, through an association response.
• Finally, when the device receives the message, it also computes key_u and signature using the same inputs as the CPAN. It retrieves key_b by xoring signature and hiddenKeyBroadcast. The device gets a key_b which needs to be verified by checking its integrity. That is why it computes otp'_2 based on the received hiddenKeyBroadcast and key_u. Then the device compares the two OTPs. If they match, this means that the hiddenKeyBroadcast is correct, thus key_b is correct and the CPAN is authenticated. Otherwise, if the received otp_2 or the hiddenKeyBroadcast or both of them are wrong (they may have been modified during their transmission), then otp_2 and otp'_2 will not match. Hence key_b is not accepted, the CPAN is not authenticated, and the association operation stops.

Figure 3: OCARI secured association

The secure channel created after the association step uses

AES with GCM or CCM modes of operation. In the following, we will consider only AES-GCM, where GCM is a mode of operation for block ciphers that uses universal hashing over a binary Galois field [4].

1) Authenticated encryption: First, the entity that wants to send data should authenticate and encrypt its data using the generated key_u in the unicast mode, and key_b in the broadcast mode. This operation requires a plaintext P_1..P_n, additional authenticated data A (A can be any random data, added to strengthen the encryption algorithm) and an initialization vector IV as inputs. The generation of the IV is based on key_u and a counter value. The latter is used in order to avoid cryptanalysis attacks. And as a result, we get the ciphertext C_1..C_n and an authentication tag T. The authenticated encryption operation is defined by the following equations (2):

$$\begin{aligned}
H &= E(K, 0^{128}) \\
Y_0 &= IV \,\|\, 0^{31}1 \quad \text{(we use } len(IV) = 96 \text{ bits)} \\
Y_i &= Y_{i-1} + 1, \quad \text{for } i = 1..n \\
C_i &= P_i \oplus E(K, Y_i), \quad \text{for } i = 1..n \\
T &= MSB_t\big(GHASH(H, A, C, len(A), len(C)) \oplus E(K, Y_0)\big)
\end{aligned} \quad (2)$$

where E is the encryption operation, K is the secret key (K_u or K_b), 0^128 is a block of 128 zero bits, H is obtained by encrypting a zero block using K, Y is a counter starting from Y_0, which is the concatenation (||) of IV with 31 zeros and a one (bits), MSB_t denotes the t most significant bits, len(A) is the length of A and GHASH() is the hash function of the GCM mode of operation.

At the end of the authenticated encryption operation we usually concatenate the ciphertext with the tag T. The latter will be used for checking the integrity of the message once the packet is received.

2) Authenticated decryption: We have four input parameters for the authenticated decryption operation: the ciphertext C, the received tag T, the IV and the additional authenticated data A. And as output, we get the plaintext P and a tag T' for checking the integrity of the data. Compared to the encryption operation, the order of the hash step and the decrypt step is reversed. The authenticated decryption operation is defined by the following equations (3):

$$\begin{aligned}
H &= E(K, 0^{128}) \\
Y_0 &= IV \,\|\, 0^{31}1 \quad \text{(we use } len(IV) = 96 \text{ bits)} \\
T' &= MSB_t\big(GHASH(H, A, C, len(A), len(C)) \oplus E(K, Y_0)\big) \\
Y_i &= Y_{i-1} + 1, \quad \text{for } i = 1..n \\
P_i &= C_i \oplus E(K, Y_i), \quad \text{for } i = 1..n
\end{aligned} \quad (3)$$

At the end of the authenticated decryption operation, we compare the received T with T'. If they match, the decryption operation is successful. Otherwise the operation fails. For more details about the GCM mode of operation see [5].

IV. TEST AND EVALUATION

A. Formal validation

In order to check the robustness and the safety of our protocol, we realized a formal validation using Scyther [2].
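The association exchange of Section III.B and the AES-GCM channel of Sections III.B.1 and III.B.2, as an added worked example in Go; it is not the paper's code nor OCARI's C implementation. It runs device A through personalization (equation 1), the challenge/otp_1/otp_2 exchange of Figure 3 with the hiddenKeyBroadcast unmasking, and one authenticated unicast message, and it also exercises the failure path the text describes: a hiddenKeyBroadcast altered in transit makes otp'_2 differ from otp_2 and the CPAN is not authenticated. Assumptions beyond the paper: HMAC-SHA-256 for persoFunc, HOTP and the signature (RFC 4226 specifies HMAC-SHA-1 and a counter, here replaced by the challenge); PRF as the first 32 bytes of the TLS 1.2 P_SHA256 expansion with an assumed label; AES-256 because the derived keys are 32 bytes; the IV as the first 96 bits of HMAC(key_u, counter); max_assoc_req = 3; and every key, identifier and challenge is a constructed sample value. The function names (persoFunc, hotp, prf, cpanAssociate, deviceFinish, runScenario) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const maxAssocReq = 3           // assumed value; the paper names max_assoc_req but gives no number
var failures = map[string]int{} // consecutive rejections per device identifier, kept by the CPAN

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Equation (1): key_d = HMAC(key_i, UI); the provider installs key_d in the device out of band.
func persoFunc(keyi, ui []byte) []byte { return hmacSHA256(keyi, ui) }

// RFC 4226 dynamic truncation of HMAC(key, challenge); SHA-256 instead of the RFC's SHA-1 and the challenge in place of the counter are assumptions.
func hotp(key, challenge []byte) uint32 {
	h := hmacSHA256(key, challenge)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 100000000
}

// First 32 bytes of the TLS 1.2 P_SHA256 expansion [3]: A(1) = HMAC(secret, seed), out = HMAC(secret, A(1) || seed); the label is assumed.
func prf(secret, challenge []byte) []byte {
	seed := append([]byte("ocari key expansion"), challenge...)
	return hmacSHA256(secret, append(hmacSHA256(secret, seed), seed...))
}

// CPAN side of Figure 3: check otp1 (blacklisting after maxAssocReq consecutive rejections), derive key_u, hide key_b, build otp2.
func cpanAssociate(keyi, keyb, ui, challenge []byte, otp1 uint32) (otp2 uint32, hidden, keyu []byte, err error) {
	if failures[string(ui)] >= maxAssocReq {
		return 0, nil, nil, fmt.Errorf("device %q is blacklisted", ui)
	}
	keyd := persoFunc(keyi, ui)
	if hotp(keyd, challenge) != otp1 { // otp'1 != otp1
		failures[string(ui)]++
		return 0, nil, nil, fmt.Errorf("device %q authentication failed", ui)
	}
	failures[string(ui)] = 0
	keyu = prf(keyd, challenge)                  // key_u = PRF(key_d, challenge)
	signature := hmacSHA256(keyu, u32(otp1))     // signature = HMAC(key_u, otp1)
	hidden = xor(signature, keyb)                // hiddenKeyBroadcast = signature XOR key_b
	return hotp(keyu, hidden), hidden, keyu, nil // otp2 = HOTP(key_u, hiddenKeyBroadcast)
}

// Device side of the association response: recompute key_u and otp'2; a match authenticates the CPAN and vouches for hiddenKeyBroadcast, which is then unmasked into key_b.
func deviceFinish(keyd, challenge []byte, otp1, otp2 uint32, hidden []byte) (keyu, keyb []byte, err error) {
	keyu = prf(keyd, challenge)
	if hotp(keyu, hidden) != otp2 {
		return nil, nil, fmt.Errorf("CPAN authentication failed")
	}
	return keyu, xor(hmacSHA256(keyu, u32(otp1)), hidden), nil
}

// runScenario takes device A through personalization, association and one AES-GCM unicast message on constructed keys;
// it reports the recovered plaintext, whether both sides hold the same key_u and key_b, and whether an altered hiddenKeyBroadcast is rejected.
func runScenario() (recovered string, keysMatch, tamperDetected bool, err error) {
	keyi := []byte("constructed initial key key_i")
	keyb := sha256.Sum256([]byte("constructed broadcast key key_b")) // 32 bytes, like the signature
	ui, challenge := []byte("device-A"), []byte("constructed random challenge")
	keyd := persoFunc(keyi, ui)   // personalization of device A
	otp1 := hotp(keyd, challenge) // authentication response to the CPAN's challenge
	otp2, hidden, keyuC, errC := cpanAssociate(keyi, keyb[:], ui, challenge, otp1)
	keyuD, keybD, errD := deviceFinish(keyd, challenge, otp1, otp2, hidden)
	if errC != nil || errD != nil {
		return "", false, false, fmt.Errorf("association failed: %v / %v", errC, errD)
	}
	keysMatch = string(keyuC) == string(keyuD) && string(keybD) == string(keyb[:])
	block, _ := aes.NewCipher(keyuD)
	aead, _ := cipher.NewGCM(block)      // 96-bit IV; Seal appends the tag T, Open recomputes T'
	iv := hmacSHA256(keyuD, u32(1))[:12] // IV from key_u and a counter (exact construction assumed)
	sealed := aead.Seal(nil, iv, []byte("sensor reading 21.5C"), []byte("constructed header A"))
	pt, err := aead.Open(nil, iv, sealed, []byte("constructed header A"))
	hidden[0] ^= 0x01 // one bit flipped in transit: otp'2 no longer matches otp2
	_, _, tamperErr := deviceFinish(keyd, challenge, otp1, otp2, hidden)
	return string(pt), keysMatch, tamperErr != nil, err
}

func main() {
	fmt.Println(runScenario())
}
```

Running it with `go run` prints the recovered plaintext, `true` for key agreement, `true` for the rejected tampered hiddenKeyBroadcast, and a nil error. The rejection counter is kept in the package-level `failures` map so the CPAN's blacklisting can be driven on its own: a device that never received a key_d (the device F of Section IV.B) fails otp_1 verification on every attempt and, after max_assoc_req consecutive failures, is refused even before its OTP is checked.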
Scyther is a tool for the automatic verification of security protocols, created by Cas Cremers at the University of Oxford. In the Scyther formal language, each protocol is defined by "roles". Each role should be played by an "agent", and is described by a sequence of events (send, receive, etc.). In the following, we show the structure of our code:

    the definition of new types
    ... etc

    protocol OCARIAuthAndEncProtocol(D,C)
    {
      function OneTimePassword ;
      function keyGeneration ;
      macro otp1 = OneTimePassword(k(D,C),challenge);
      // k(D,C) is the personalized
      // symmetric key between D and C
      macro keyAuthAndEnc = keyGeneration(k(D,C),challenge) ;
      macro otp2 = OneTimePassword(keyAuthAndEnc,hiddenKeyBroadcast);
      hashfunction signFunc ;
      macro signature = signFunc(keyAuthAndEnc,otp1);
      function HiddeBroadCastKey ;
      function RevealBroadCastKey ;
      const deviceAuthError : String;
      const cpanAuthError : String;
      const securedPacket ;

      role D {
        the declaration of the local variables
        ... etc
        recv_1(C,D,challenge) ;
        send_2(D,C,otp1) ;
        recv_3(C,D,(receivedOtp2,hiddenKeyBroadcast));
        match(receivedOtp2,otp2) ;
        // Ok, CPAN auth successful
        macro broadCastKey = RevealBroadCastKey(signature,hiddenKeyBroadcast);
        send_4(D,C,{securedPacket}keyAuthAndEnc);
        claim (D, SKR, keyAuthAndEnc) ;
        claim (D, SKR, broadCastKey) ;
        claim (D, Alive) ;
        claim (D, Weakagree) ;
        claim (D, Niagree) ;
        claim (D, Secret, securedPacket) ;
      }

      role C {
        the declaration of the local variables
        ... etc
        send_1(C,D,challenge) ;
        recv_2(D,C,receivedOtp1) ;
        match (receivedOtp1,otp1) ;
        // Ok, device auth successful
        macro hiddenKeyBroadcast = HiddeBroadCastKey(signature,broadCastKey) ;
        // to hide the broadcast key
        send_3(C,D,(otp2,hiddenKeyBroadcast)) ;
        recv_4(D,C,{securedPacket}keyAuthAndEnc) ;
        claim (C, SKR, keyAuthAndEnc) ;
        claim (C, SKR, broadCastKey) ;
        claim (C, Alive) ;
        claim (C, Weakagree) ;
        claim (C, Niagree) ;
        claim (C, Secret, securedPacket) ;
      }
    } ;

The protocol label is "OCARIAuthAndEncProtocol"; "function" and "macro" are respectively used for the function definition and the abbreviation of formulas. We have two roles played by the device (D) and the CPAN (C). The different transmissions are defined by the two events "send" and "receive". The "_id" represents the event label, which is the identifier that links a "send" event with the appropriate "receive" event of the other role. The "match" event is used to model the equality tests.

The claim event types are the goals of the formal validation. For the secrecy of transmissions we use the claim "Secret". In order to be more precise, the secrecy of the transmission of session keys is formalized by the SKR (Session Key Reveal) claim. In addition, we used three authentication claim types, which are "Alive", "Weakagree", and "Niagree". [12] explains the three authentication claims. We assume that A is the initiator and B the responder.
• We consider that a protocol guarantees to A aliveness of B if, whenever A completes a run of the protocol, apparently with B, then the latter has previously been running the protocol.
• We consider that a protocol guarantees to A weak agreement with B if, whenever A completes a run of the protocol, apparently with B, then the latter has previously been running the protocol, apparently with A.
• And finally, we consider that a protocol guarantees to A non-injective agreement with B on a set of data items (variables) if, whenever A completes a run of the protocol, apparently with B, then the latter has previously been running the protocol, apparently with A, and B was acting as responder in its run, and the two agents agreed
on the data values corresponding to all the data items.

Figure 4 shows the results of the execution of the previous code. We used the maximum number of runs (100 runs). In the result, the first, second, and third columns of the screenshot in Figure 4 represent respectively: the protocol name, the concerned role (D and C), and a unique identifier of the claim. The fourth column represents the claim type with the parameters. The two last columns (status and comments) show the result of the verification process (Fail or Ok), and a short description. The "No attack within bounds" should be interpreted as: "Scyther did not find any attacks by reaching the bound" [2]. As we can see, the validation proves that our protocol is safe and secure.

Figure 4: Formal validation results

B. Real tests

Figure 5 shows the topology used in order to test the performances of our security protocol. The implementation of our code was realized on the real OCARI source code, written in C language.

Figure 5: A real OCARI nodes topology

Each node represents a Dresden Elektronik deRFsam3 23M10-R3 device, having 48 ko of RAM, 256 ko of ROM and a Cortex M-3 processor. Each node X, except F, contains beforehand a personalized key_dX generated from the key_i set up in the CPAN.

First, in order to know how much time our security mechanism takes during the association step, we tested the OCARI association time without security (we disable the security option), then with security. Table I presents the results of (1) a single-hop association, which means a direct association between the device and the CPAN, and (2) a multi-hop association, which means an association between a device and the CPAN using intermediate devices, called relays.

Table I: The association time of OCARI with and without security
Mode                        single-hop      multi-hop
Without security (average)  0,5243 (ms)     34,5076 (ms)
With security (average)     37,504 (ms)     45 (ms)

For capturing the exchanged messages we used a Zolertia Z1 sniffer (hardware) and Wireshark. The association time is equal to the timestamp of the authentication response minus (−) the timestamp of the association request. The association of the device F is not accepted because F does not have key_dF. One can note that the difference of the association time between the secured mode and the non-secured one is small, and that the increase of the association time using security becomes less significant in the case of a multi-hop association. Thus, these results prove that our solution does not affect the network performances.

Then, in Table II, we compared our results with the DTLS-based protocol association time (described in Section II), realized by [10], which uses devices with similar capacity (Atmel SAM3U micro-controller and the Atmel AT97SC3203S TPM, with 48 kB of RAM). We did not take into account the number of exchanged messages, which is equal to 4 messages in our security protocol and 6 messages at least in the DTLS-based protocol [10].

In order to compute the processing time of our solution (challenge, OTPs, and key_u generation + key exchange mechanism), we computed the association time of a 2-hop association without security, which needs the exchange of 4 messages: (association request × 2) + (association response × 2). Then we took the association time of 1-hop in the secured mode, which also requires the exchange of 4 messages: (association request + authentication request) + authentication response + association response. By eliminating the time consumed by the message exchange, a subtraction between the two association times represents the processing time of our security protocol.

Table II: Comparison between the security processing time of our protocol and the DTLS-based protocol
Protocol                                            Processing time
Our security protocol (average)                     ∼ 3 (ms)
DTLS-based protocol, 2048-bit keys (average) [10]   859 (ms) (<computation = 35 (ms)> + <Encrypt = 39 (ms)> + <signature = 726 (ms)> + <verification = 59 (ms)>)

It is true that the DTLS-based protocol is very robust; however, the difference between its processing time and our protocol's processing time is very big. In addition, the fact that the DTLS-based protocol uses asymmetric cryptography consumes a lot of energy and requires an important memory and processing capacity, which is not always adapted to limited devices.

Finally, Table III summarizes the differences between our solution (including the secure data exchange channel) and those discussed in Section II. We propose a score from 1

to 5 for each feature. The sum of the scores represents an evaluation score for the security approach. PA1 means Protection from the Denial of Service attack, and PA2 means Protection from the cryptanalysis attack.

Table III: Comparison between the different security protocols
Options                                    Rapidity  Authentication  PA1  Lightness  Energy efficiency  PA2  Confidentiality  Integrity  Final score
Our security protocol (using AES-GCM/CCM)     4            4          2       5             4            5          5             4           33
Our old solution [7] (using HMAC)             3            4          2       4             3            2          0             4           22
DTLS-based protocol (2048-bit keys) [10]      1            5          5       0             1            5          5             5           27
HIP protocol [13]                             4            3          3       3             3            1          5             4           26
Wi-Fi based IoT security protocol [16]        5            4          0       5             5            0          4             5           28

With these results, we can see that our security approach is the most adapted to the security of WSNs and of IoT systems in general.

V. CONCLUSION AND FUTURE WORKS

In this work we designed a security protocol that enables to secure most WSNs thanks to its lightness and energy efficiency. It ensures a mutual authentication of the communicating entities and a protection of both the integrity and the confidentiality of the exchanged data. The "personalization" mechanism solves the problem of the internal identity usurpation. The proposed key management allows a safe and secure key exchange between the concerned entities. Furthermore, this protocol provides a very fast establishment of a secure channel based on a robust, fast, and lightweight symmetric encryption algorithm (AES GCM/CCM). Finally, this solution is resilient against cryptanalysis and replay attacks. In our future works, we aim to create a secure communicating system between different CPANs and to facilitate a secure migration of devices from a network managed by a CPAN to a network managed by another CPAN.

REFERENCES

[1] Marshall Abrams and Joe Weiss. Malicious control system cyber security attack case study – Maroochy Water Services, Australia. McLean, VA: The MITRE Corporation, 2008.
[2] Cas Cremers. Scyther. Draft, February 2014.
[3] Tim Dierks. The transport layer security (TLS) protocol version 1.2. 2008.
[4] Morris J. Dworkin. SP 800-38C. Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality. 2004.
[5] Morris J. Dworkin. SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. Technical report, Gaithersburg, MD, United States, 2007.
[6] Mohamed T. Hammi, E. Livolant, P. Bellot, A. Serhrouchni, and P. Minet. MAC sub-layer node authentication in OCARI. In 2016 International Conference on Performance Evaluation and Modeling in Wired and Wireless Networks (PEMWN), pages 1–6, Nov 2016.
[7] Mohamed T. Hammi, E. Livolant, P. Bellot, A. Serhrouchni, and P. Minet. A lightweight mutual authentication protocol for the IoT. Technical report, 2017.
[8] Russell Housley, William Polk, Warwick Ford, and David Solo. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. Technical report, 2002.
[9] IEEE. IEEE Standard for Local and metropolitan area networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs). IEEE Std 802.15.4-2011 (Revision of IEEE Std 802.15.4-2006), September 2011.
[10] Thomas Kothmayr, Corinna Schmitt, Wen Hu, Michael Brünig, and Georg Carle. DTLS based security and two-way authentication for the Internet of Things. Ad Hoc Networks, 11(8):2710–2723, 2013.
[11] Hugo Krawczyk, Ran Canetti, and Mihir Bellare. HMAC: Keyed-hashing for message authentication. 1997.
[12] Gavin Lowe. A hierarchy of authentication specifications. In Computer Security Foundations Workshop, 1997. Proceedings., 10th, pages 31–43. IEEE, 1997.
[13] Francisco Vidal Meca, Jan Henrik Ziegeldorf, Pedro Moreno Sanchez, Oscar Garcia Morchon, Sandeep S. Kumar, and Sye Loong Keoh. HIP security architecture for the IP-based Internet of Things. In Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on, pages 1331–1336. IEEE, 2013.
[14] D. M'Raihi, M. Bellare, F. Hoornaert, D. Naccache, and O. Ranen. HOTP: An HMAC-based one-time password algorithm. IETF, RFC 4226, December 2005.
[15] R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-key Cryptosystems. Commun. ACM, 21(2):120–126, February 1978.
[16] Freddy K. Santoso and Nicholas C. H. Vun. Securing IoT for smart home system. In Consumer Electronics (ISCE), 2015 IEEE International Symposium on, pages 1–2. IEEE, 2015.
