CST-433 PSI: Controls Built into IoT and IoT Node Authentication - 01
Uploaded by Archi Bhartiya

University Institute of Engineering

AIT-CSE
Privacy and Security in IoT - CSD-433
Unit 2: Cryptographic Fundamentals for IoT
Topic: KDC (continued)
Cryptographic controls for IoT protocols, IoT Node Authentication
Lecture - 19
Delivered by
Er. Gaurav Soni (E9610)
Assistant Professor, AIT-CSE

DISCOVER . LEARN . EMPOWER


Privacy and Security in IoT
Course Objectives
CO1: To identify various privacy and security requirements in Internet of Things
CO2: To learn cryptographic techniques for a secure IoT system
CO3: To understand various Trust Models used in IoT
Privacy and Security in IoT
Course Outcomes (the outcomes below are covered in this lecture)
CO1 (Level: Understand): After successful completion of this course students will be able to understand the security requirements in IoT.
CO2 (Level: Understand): After successful completion of this course students will be able to understand the authentication credentials and access control.
CO3 (Level: Implement): After successful completion of this course students will be able to implement security algorithms to make a secure IoT system.
Key Hierarchy
• typically have a hierarchy of keys
• session key
• temporary key
• used for encryption of data between users
• for one logical session then discarded
• master key
• used to encrypt session keys
• shared by user & key distribution center
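The master/session split above, as an added Go example that is not from the slides: each party shares a long-lived master key with the KDC, the KDC mints a key for one logical session and wraps it under each master key with AES-128-GCM, and only the wrapped tickets travel. The identity and freshness fields of a complete KDC exchange are left out, and the key sizes and names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// masterKey is the long-lived key one party shares with the KDC; the KDC holds
// every party's master key, each party holds only its own.
type masterKey struct{ gcm cipher.AEAD }
func newMasterKey(key []byte) (*masterKey, error) {
	block, err := aes.NewCipher(key) // 16-byte key here, so AES-128
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &masterKey{gcm: gcm}, nil
}

// wrap is used by the KDC: seal a session key under this master key. The random
// nonce is prefixed to the ticket and GCM's tag makes any tampering detectable.
func (m *masterKey) wrap(sessionKey []byte) []byte {
	nonce := make([]byte, m.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24; it aborts instead
	return m.gcm.Seal(nonce, nonce, sessionKey, nil)
}

// unwrap is run by the party itself; a modified ticket, or one wrapped under a
// different master key, fails authentication instead of yielding a key.
func (m *masterKey) unwrap(ticket []byte) ([]byte, error) {
	n := m.gcm.NonceSize()
	if len(ticket) < n {
		return nil, errors.New("ticket too short")
	}
	return m.gcm.Open(nil, ticket[:n], ticket[n:], nil)
}

// issueSession plays the KDC: mint a fresh 128-bit session key for one logical
// session and hand it out wrapped once per party; the plaintext never crosses the wire.
func issueSession(a, b *masterKey) (ticketA, ticketB []byte) {
	session := make([]byte, 16)
	rand.Read(session)
	return a.wrap(session), b.wrap(session)
}
```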
Cryptographic controls for IoT Protocols
• Cryptographic controls are integrated into various IoT protocols.
• Lacking these controls, IoT point-to-point and end-to-end communications
would be impossible to secure.
• There are many options for establishing communication capabilities for IoT
devices, and often these communication protocols provide a layer of
authentication and encryption that should be applied at the link layer.
• IoT communication protocols such as ZigBee, Z-Wave, and Bluetooth-LE all
have configuration options for applying authentication, data integrity, and
confidentiality protections.
Cryptographic controls for IoT Protocol: ZigBee
• ZigBee relies upon three types of keys for security features:
• Master keys, which are pre-installed by the vendor and used to protect a key
exchange transaction between two ZigBee nodes
• Link keys, which are unique keys per node, allowing secure node-to-node
communications
• Network keys, which are shared across all ZigBee nodes in a network and
provisioned by the ZigBee trust center; these support secure broadcast
communications
Cryptographic controls for IoT protocol: Bluetooth-LE
• Bluetooth-LE is based on the Bluetooth Core Specification Version 4.2 and
specifies a number of modes that provide options for authenticated or
unauthenticated pairing, data integrity protections, and link encryption.
Specifically, Bluetooth-LE supports the following security features:
• Pairing: Devices create one or more shared secret keys
• Bonding: The act of storing the keys created during pairing for use in
subsequent connections; this forms a trusted device pair
• Device authentication: Verification that the paired devices have trusted keys
• Encryption: Scrambling of plaintext message data into ciphertext data
• Message integrity: Protects against tampering with data
Cryptographic controls for IoT protocol: Bluetooth-LE

Key type: Description
• Temporary key (TK): Determined by the type of Bluetooth pairing used, the TK
can be different lengths. It is used as an input to the cipher-based derivation of
the short-term key (STK).
• Short-term key (STK): The STK is used for secure distribution of key material and is
based on the TK and a set of random values provided by each device
participating in the pairing process.
• Long-term key (LTK): The LTK is used to generate a 128-bit key employed for link-
layer encryption.
Cryptographic controls for IoT protocol: NFC
NEAR FIELD COMMUNICATION (NFC)
• NFC does not implement native cryptographic protection.
• However, it is possible to apply endpoint authentication across an NFC
negotiation.
• NFC supports short-range communication and is often used as a first-step
protocol to establish out-of-band pairings for use in other protocols, such as
Bluetooth.
IoT Node Authentication
• The authentication of IoT end-nodes is an important issue in providing basic
security protection for the network and its devices. Node authentication in IoT
involves the following:
• Smart objects: small devices with a specific purpose, low cost, and limited abilities;
• IoT: interconnects things and their users to enable new applications;
• IoT nodes are expected to be integrated into all aspects of existing work,
entrusted with vast amounts of data, and need to communicate unseen and
autonomously.
IoT End node limitations
• In an IoT environment, the limitations of IoT end-nodes include the following aspects:
• The existing IP-based IoT structure and primitives are not fully designed around
the limitations of resource-constrained IoT devices (such as energy consumption,
computation resources, communication range, RAM, FLASH, etc.)
• Processing power, CPU(MCU) processor, RAM
• Storage space
• Network capacity
• Lack of user interface and display
• Energy consumption
Existing Security Schemes for IoT

Secure boot: a process involving cryptography that allows an electronic device to start by executing
only authenticated and trusted software.

Access control: access control should be well designed to cover the different forms of resources
and roles in IoT.

Existing PKC (public-key cryptography) schemes verify the integrity and authenticity of digital content.

A digital signature provides the two fundamental properties needed for digital content to be
trusted by another entity:

1. Integrity of the digital content is guaranteed by a message digest, that is, a secure hash algorithm (SHA-1,
SHA-256, SHA-3, etc.).
2. Authenticity of the digital content is guaranteed by the public-key-based signature scheme itself.
3. Hash: hashing the digital content produces a hash value with the required properties.
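To make the hash-then-sign scheme concrete, here is an added Go example (not part of the slides): a vendor signs the SHA-256 digest of a firmware image with Ed25519, and a secure-boot loader recomputes the digest and verifies the signature against the pinned vendor key before anything executes. The image bytes and the key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// imageDigest is the integrity half of the scheme: a SHA-256 message digest
// of the firmware image. Any change to the image changes the digest.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// signImage is the vendor side: sign the digest with the vendor's private key
// (authenticity). Ed25519 also hashes internally; the explicit digest step
// mirrors the hash-then-sign description above.
func signImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, imageDigest(image))
}

// verifyImage is what a secure-boot loader runs before executing anything:
// recompute the digest and check the signature against the pinned vendor
// public key. A single flipped bit in the image, or a signature made with
// another key, fails verification.
func verifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, imageDigest(image), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0") // stand-in for a real binary
	sig := signImage(priv, image)
	fmt.Println("genuine image accepted:", verifyImage(pub, image, sig))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // a one-bit change in the image
	fmt.Println("tampered image accepted:", verifyImage(pub, tampered, sig))
}
```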
IoT Node Authentication
• The basic goals of an authenticated authorization protocol in IoT include:
• Secure exchange of authorization information
• Use only symmetric key cryptography on constrained nodes
• Support of class-1 devices
• RESTful architectural style
• Relieve constrained nodes from managing authentication and authorization
• Authentication: Verify that an entity has certain attributes (cf. RFC 4949).
• Authorization: Grant permission to an entity to access an item of interest.
• Authenticated Authorization: Use the verified attributes to determine if an
entity is authorized.
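Added example, not from the slides: a symmetric-key authenticated-authorization check in Go modelled on the goals listed above. An authorization server issues a token whose attributes are tagged with HMAC-SHA256 under a key it shares with the resource server, so the constrained node only verifies a MAC and then makes its access decision from the verified attributes. The claim format, shared key and identifiers are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"strings"
)

// Token is what the authorization server (AS) issues: attributes it vouches
// for, plus an HMAC tag under the key the AS shares with the resource server (RS).
type Token struct {
	Claims string // constructed format: "aud=rs1;sub=sensor-7;scope=read,observe"
	Tag    []byte
}

// issueToken runs on the AS, which holds the policy so the constrained RS
// does not have to; the RS can recompute the tag because it shares the key.
func issueToken(asRsKey []byte, claims string) Token {
	mac := hmac.New(sha256.New, asRsKey)
	mac.Write([]byte(claims))
	return Token{Claims: claims, Tag: mac.Sum(nil)}
}

func parseClaims(s string) map[string]string {
	m := make(map[string]string)
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

// authorize runs on the RS: step 1 authenticates the token (constant-time MAC
// check), step 2 decides from the verified attributes only. Nothing in the claims is trusted before step 1.
func authorize(asRsKey []byte, tok Token, rsID, action string) (bool, string) {
	if !hmac.Equal(issueToken(asRsKey, tok.Claims).Tag, tok.Tag) {
		return false, "token not authentic"
	}
	c := parseClaims(tok.Claims)
	if c["aud"] != rsID {
		return false, "token issued for a different resource server"
	}
	for _, s := range strings.Split(c["scope"], ",") {
		if s == action {
			return true, "permitted for " + c["sub"]
		}
	}
	return false, "action not in scope"
}
```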
IoT Node Authentication
• Protocols in IoT
• Communication in IoT-constrained environments
• CoAP (RFC 7252), which is designed for the special requirements of constrained
environments like IoT and is similar to HTTP, with a RESTful architectural style
• DTLS binding
• The user controls the device and its data through authorization
Protocols in IoT
• Protocols have been developed at different layers of IoT, including messaging
protocols at the application layer, such as CoAP, and routing protocols (such as the routing
protocol for low-power and lossy networks, RPL).
• Among these protocols, IPv6 is one of the most important enablers in the IoT environment,
as it supports the possibility of connecting billions of smart objects together.
Datagram Transport Layer Security
• In the Internet, TLS is a prominent IP-based security protocol
which is widely used.
• It provides protection over a transparent connection-oriented channel
against security attacks, such as eavesdropping, tampering, or
message forgery.
• In web applications, TLS is widely used for web protocols,
such as HTTP and TCP.

Figure: structure of DTLS
Further Reading

1. Network Security Essentials: Applications and Standards, William Stallings
2. Cryptography and Network Security: Principles and Practice, Seventh Edition, William Stallings, Pearson
THANK YOU

For queries
Email: [email protected]
