Secure and QoS-aware Communicationsfor Smart Home Services

Markus Hager, Sebastian Schellenberg, Jochen Seitz, Sebastian Mann, and Gunar Schorcht

Abstract—In this paper, we present the combination of twoconcepts addressing important aspects for smart home services:a new quality of service concept and a new integrated conceptfor a smart home security system. We assume that every flat in ahouse has its own smart device to perform local services and actas an interface for the different sensors and actors inside the flat.These smart computers are interconnected using a plain switchedEthernet infrastructure. All different types of sensors and actorscommunicate via different types of standards. Based on theclassification of each service, we present a solution to preventcongestion situations inside the network. This scheme is not onlyapplicable to the presented scenario, it could also be appliedto handle similar problems within classical computer networksand many other fields. These advantages are realized within theaffirmation of security of the whole system. All communicationchannels, all information and user-data and all kinds of access tothe system are secured by a comprehensive security architecture.

Keywords—Congestion control, Ethernet, security, smart home.

I. INTRODUCTION

SMART home services (SHS) are software modules thatexpand the concept of the home automation scenario. The

idea is to do more than just switching the heating operationstatus, based on the available temperature sensor information.To create a smart home, the necessary basis are different sensorunits collecting as many information as possible and actors toperform the desired actions. Due to the fact, that there is nobase technology comprising sensors and actors for all of thecomprehensive use cases, there is the need for a solution, thatoffers the possibility to integrate the different sensor and actornetworks into one system. This was one of the main goals ofthe SHS research project [1]. There are also some productswhich are established in the market like the “ViciOne” homeand building automation system [2]. For the rest of the paperwe will use the HAM (home automation module) notation,used by [3] as name for their developed automation computerunit as a placeholder for similar technologies like this, allow-ing to realize the interconnection of different sensor and actornetworks.

Manuscript received February 10, 2012. The work described in this paperhas been carried out in the “SHS: Home” research project funded by theAiF (Arbeitsgemeinschaft industrieller Forschungsvereinigungen ”Otto vonGuericke” e.V.) Projekt GmbH, the project executing organization for theGerman Federal Ministry of Econ. and Technology.

M. Hager, S. Schellenberg, and J. Seitz are with the CommunicationNetworks Research Laboratory, Ilmenau University of Technology (e-mail:markus.hager@tu-ilmenau.de, web: http://www.tu-ilmenau.de/kn).

S. Mann and G. Schorcht are with the Applied Informatics ResearchLaboratory, University of Applied Science, Erfurt (web: http://www.ai.fh-erfurt.de).

The advantage of such a solution is that all informationabout the state of the house or flat is now available at onecentral point. This offers the chance to combine the data ofthe installed technologies to realize better services, knownas smart services. This means for example that the heatingcontrol is no longer just based on the temperature sensor,also the information if a window is opened, someone is insidethe room and maybe also the weather forecast is taken intoaccount to make a better decision for how the heating shouldbe controlled. Also, the recorded history could be used to makea prediction which could be useful if the costs of a resourcevaries over time.

Such systems make it more comfortable to live in thosehouses and therefore the current focus in the already men-tioned SHS research project is to adapt these concepts forhousing associations. This cannot be done by a simple ex-pansion of the system, because a larger network must beestablished, it must use standard low cost hardware andespecially the control and the data of the system must besecured. As we know, the existing systems are either designedfor private houses and/or have no special security and qualityof service concept. Due to that, in this paper we present oursolution offering a security and quality of service system forthis scenario.

Fig. 1 shows an example of a typical SHS network. Thementioned HAM units are installed in each flat and are inter-connected with Ethernet, because it is one of the main networkstandards and highly available, cost efficient and guaranteesa simple installation. The HAM units have a touch screen togive the user the chance to interact with the system. Moreover,a NAT gateway with Internet connection gives the user theoption to get Internet access based on the installed network.Further applications like VoIP phones or other multimediadevices could also use the network. Finally, the HAM units arecontrolled and administrated by a central server which couldbe part of the network or a computer from the Internet.

II. RELATED WORK

A. Security

There exists a variety of different home automation systems.All these systems have in common, that they are interchanginginformation and personal data via unsecured communicationchannels. If a malicious intruder has access to these data, he isable to obtain a complete picture of the regarding individual. Itis possible to gather information of the private behavior, of thepresence in the flat or of Internet usage. To prevent this leakageit is necessary to secure these data concerning information

11978-1-4673-1118-2/12/$31.00 ©2012 IEEE TSP 2012

Fig. 1. Structure of the SHS network.

interchange, access, storage and processing. Furthermore, itis necessary to check the authentication of the participatingentities and the integrity of each delivered message to ensurethat the received message is sent by the claimed originator andis not altered.

There are many different ways to secure each of theseaspects. To secure the storage or the data interchange it ispossible to encrypt the data, so that an eavesdropper is notable to retrieve the data. But this leads to a new problem, thekey exchange management. How to provide the encryptionkeys to the eligible entity?

Some exemplary home automation systems are ”SmartHome”, ”Smarter Wohnen R©NRW”, ”SerCHo” and ”ViciOne”(see [4], [5], [6], [2]). All of these existing security conceptsfor home automation systems are having one problem incommon. All of them are providing some singular securityfeatures, but there is no comprehensive concept, which fits toall of the named aspects. Only ”ViciOne” provides a compre-hensive home automation system, with a security concept. Thisconcept provides many security features, but some importantfeatures, like authentication of users and devices, are missing.All of them are isolated applications for each regarded system.

B. Quality of Service

Every quality of service solution is mainly designed basedon the used hardware and due to the fact, that switchedEthernet is used for the SHS network, we will only focuson solutions based on this technology. Furthermore, qualityof service is a collective term for many aspects classifying aconnection. In the SHS scenario, the most important aspectsare the available data rate for an end to end connection insidethe SHS network and the delay and/or the jitter for thisconnection.

Moreover, a separation based on the different servicesrunning on the HAM units must be done, because on theone side we have applications with high priority, for examplethe message of a smoke detector or some administrationcommands and on the other side less important data streams

like the heating control communication or the Internet sessionof a user. Ethernet offers a well known scheme to mark eachpacket either in the type of service field of the IP header or inthe QoS field of the Ethernet frame (see IEEE 802.1Q or IEEE802.1p) to allow the network components to handle packetswith a certain priority in a preferred way.

However, there is one main problem concerning theseconcepts: if there are more packets arriving at a switch thanit can handle, some packets still get discarded due to bufferoverflows. This could affect UDP streams because there is noflow control mechanism like TCP streams have. Therefore, aquality of service concept has to be developed based on trafficshaping, that avoids congestions at any point inside the smarthome network.

AVB (audio/video bridging [7]) is one concept, to expandthe behavior of standard Ethernet. The main idea is to usea similar mechanism as in the case of the RSVP (resourcereservation protocol). Before establishing a new connection,every switch for this connection gets a request and checkswhether or not the necessary resources are available. Thisis a suitable solution for some cases, but has also somedisadvantages: special AVB switches are required and there isno scheme implemented, that adapts the different data streams,if the requested resources are not obtainable. Finally, theapplications must support these requests.

Therefore we think, the access to the network must bemanaged based on the applications, the destination of eachcommunication session and the current status on each linkof the network for these data streams. [8] demonstrates howtraffic shaping could be applied, but the presented solutionis designed for virtual machines and the network topologyis not taken into account. Besides, there are a lot of otherpublications, e.g. [9], [10], [11], but after all we have not yetidentified one concept that fulfills all our requirements:• guaranteed and/or best effort data rate for individual

applications• consideration of the network topology• avoidance of network congestion for end-to-end commu-

nication• integration of standard off-the-shelf switches• no changes to the network stack• no special requirements for the behavior of the applica-

tionsIn the following sections we will present our solution, first thesecurity architecture and finally the quality of service schemefor the SHS network scenario.

III. SECURITY ARCHITECTURE

Regarding the problem, that there is no all in all securityconcept, we developed such a concept in the SHS researchproject. We provide a complete and comprehensive securitysystem with features for each single application of the SHSsystem. This includes features for encrypting transferred andstored data, to authenticate each participant and for a role-based access-system to restrict access to all the data andfunctions of the system. We also performed threat modeling toidentify the most common security threats to the system anddeveloped solutions for these threats.

12

A. Threat Modeling

Threat modeling is a system to identify and evaluate allpotential threats of a system. The procedure is to identify thethreats and visualize them in a threat matrix. The most danger-ous of them are chosen to build threat trees to give an overviewabout the reason of the threat. Furthermore, all security assetsand security leaks are identified and possible attack scenariosand corresponding counter-measures are shown.

Threats: Some of the identified threats of the providedsystem are:

• physical threats like vandalism, burglary, theft of devices• theft of passwords• intentional disclosure of administrator passwords, account

information• hacking of accounts, passwords or ciphers• phishing of information, spoofing within authentication

procedures• intentional backdoors in external code• denial-of-service attacks

These threats are just the most common, of course there aremore threats or attacks possible, but they are more unlikely orthey do not harm that much. All of these threats were analyzedand rateted, in order to compare threats. In our research, weidentified phishing as the most likely and hacking of a cipheras the most harmful threat.

Security Assets – A main part of our research was to identifyall security assets of the given building automation system.Assets define all system features, processed data and systemfunctions which have to be protected against attacks. Thosesecurity assets are:

• confidentiality – all personal data in the system hasto be confidential, i.e. data has to protected againstunauthorized access and it has to be assured, that onlythe designated receiver can read the data.

• authenticity – it has to be assured that received dataare originated by the claimed sender, i.e. the sender’sauthenticity has to be ensured.

• accountability – it must be possible to identify the re-sponsible entity for each incident.

• integrity – unintended and intentional data altering haveto be recognizable or preventable.

• availability – the system’s inherent services and functionshave to be available and have to work correctly.

• controlled access – only authorized entities are allowedto access services, functions and data.

• anonymity (pseudonymity) – personal data has to bepseudonymized. This means, that it is not possible toassociate personal data to a single user, even if there isan unauthorized access.

• impossibility of finding linkage of intercepted data – alldata, processed in the system, have to be encrypted ina way, that it is not possible to determine connectionsbetween the data and the system status. E.g. it shouldnot be possible to create a presence profile based onintercepted radiator usage data.

• robustness – the system has to be robust against faults.

• physical safety of devices – it is also important to ensurethe physical safety of all devices.

B. Encryption Features

The proposed security architecture provides features forencrypting transferred and stored data, management of keyexchange and to ensure message authentication. There aremany ciphers, but we are liable to severe restrictions ofcomputing power, because most of the used devices are em-bedded systems with low resources. So we cannot use neitherasymmetric ciphers nor a complete public key infrastructure.We provide two different ciphers, which can be used withinthe system. Those ciphers are AES128 (Advanced EncryptionStandard with 128 bit key length, see [12]) and RC4 (Ron’sCode Nr. 4, see [13]). We recommend the use of RC4, becauseit is more secure and faster than AES128, but AES128 is amore widely spread standard. Of course there are many otherencryption standards, but they all have crucial disadvantageslike lack of security, high performance needs or they are notsupported by most manufacturers.

Symmetric ciphers work with one key for both participants(sender and receiver). The main problem is how to provide thiskey to both parties. It is insecure to send the key in plain textover an insecure channel and it is impracticable to committhe keys personally. So there is a need for a key exchangemanagement. We provide a common procedure for securekey exchange, the Diffie-Hellman Key Exchange (DHKE, see[14]). The DHKE establishes a shared secret, which can beused for secret communication.

The security of the DHKE is based on the discrete logarithmproblem, which makes it hard to compute:

gab from given ga, gb.

This key exchange is used to provide keys between par-ties, which communicate bidirectionally. This comprises user,operators, provider and all devices, that are able to com-municate bidirectionally. To provide keys to unidirectionallycommunicating devices, the key is stored at the device duringthe manufacturing process and, after putting into operationmanually, provided to other parties. In order to provide asmuch security as possible, a periodic key renewal is necessary.This is only applicable with bidirectionally communicatingdevices by using the key exchange method again.

As mentioned above we use AES-128 as encryption method,so we need symmetric keys of 128 bit length. Referring to [15]and [16] we need the public DH-parameters p (prime number)and g (primitive root) as well as the private DH-parametersa and b (private random numbers). The requirements to thisparameters are shown in table I.

In [16] it is shown how to extract a 128 bit shared key. Asymmetric key of 128 bit length is equivalent in strength to a3072 bit asymmetric key, as claimed by RSA Security in 2003(see [17]). An asymmetric key length of 3072 bit should beused if security is required beyond the year 2030.

Due to known problems of DHKE, e.g. the possibility of aman-in-the-middle attack (a man in the middle masqueradeshimself as Alice and Bob and performs two distinct DHKE,

13

so he is able to decrypt and re-encrypt messages), it isnecessary to provide advanced versions of the DHKE. Apossible countermeasure for man-in-the-middle attacks is theuse of an authenticated DHKE, or station-to-station protocol(STS, see [18]). The STS-protocol is based on the classicDHKE and its security is also based on the discrete logarithmproblem. As distinct from DHKE, the STS-protocol uses anasymmetric key pair for each party to sign the key exchangeprocess. This advancement results in a mutual authenticationof each other, that means the originator of a message withinthe key exchange is the claimed one and there is no man in themiddle. The disadvantage of the STS-protocol is the additionalcomputational cost. Therefore, we provide both methods, theclassic DHKE for devices with high resource restrictions andthe STS- protocol for devices with more available resources .

Besides encryption and key exchange, we provide afeature to ensure message integrity. Therefore, we use specialmessage authentication codes, so called cryptographic hashalgorithms. We provide two different hash algorithms, thewidely known SHA-1 (Secure Hash Algorithm Nr. 1, see [12])and the RIPEMD128 algorithm (RACE Integrity PrimitivesEvaluation Message Digest, see [19]). Both algorithmsgenerate a unique 128 bit hash based on the message. Eachmessage can be identified by this hash. Comparing the hash ofa message m, denoted by h(m), which is sent and encryptedwithin the message, with a self computed hash of the receivedmessage m’, h(m′), you can detect altering of a message, byh(m) 6= h(m′), which ensures the message integrity.

C. Authentication

Authentication is the process of verifying a claim madeby a subject that it should be allowed to act on behalfof a given entity (person, computer, process, etc.). Thereare many different ways for authentication, e.g. two-factorauthentication, login / password, ownership authentication orknowledge authentication. Within this scope, different authen-tication methods, like ID cards, security token, password,personal identification number, fingerprints, retinal pattern orother biometric identifiers are conceivable.

Due to the resource restrictions of some devices, we cannot use modern methods like biometric authentication. In theproposed security architecture, we use a common knowledgebased authentication. The knowledge we use is a uniqueidentifier, which is provided to every participant within the reg-istration or manufacturing process. The authentication methoditself is an adapted challenge-response protocol. Challenge-response authentication is a family of protocols in which oneparty presents a question (”challenge”) and another party must

TABLE IREQUIREMENTS TO THE DHKE-PARAMETERS

Value Sizep min. 512 bit (recommended 1024 bit)g 0 < g < pa 0 ≤ a ≤ p− 1b 0 ≤ b ≤ p− 1

User

Step 1: Send authenticationrequestauth_req: send uID

Step 2: Calculate user challengeuc: 512 bit random number

Step 3: Calculate user responseur = hash(uc + sc + uID)

Step1: Calculate server challengesc: 512 bit random number

Step 2: Calculate expected user response

ur_exp = hash(uc + sc + uID)

Step 3: Check user responseur = ur_exp ?

1: auth_req

3: uc, ur

5: ACK/NACK

HAM

Service provider

2: sc

4: c

heck

uID

Fig. 2. User Authentication Process.

provide a valid answer (”response”) to be authenticated. Thesimplest example of a challenge-response protocol is passwordauthentication, where the challenge is asking for the passwordand the valid response is the correct password. Since wesupport many different entities, we need different types ofknowledge for every entity type. Electronic devices possess aunique identity number, which can be used for authentication.A user receives such a number during the registration process.

To clarify this family of authentication methods, we will de-scribe the device authentication process of an user exemplarily.Every user of the system needs to be registered by a serviceprovider. Within this registration process the user is providedwith a unique identifier. This identifier is used to authenticatethe user at his first participation in the system. After this firstauthentication, the user chooses a nickname and a passwordfor every further authentication due to usability reasons. Thereare many ways for an user to take part in the system, e.g. via aflat-terminal, a smartphone or a webinterface. In the following,we will describe this first authentication process at the flat-terminal.

The authentication starts after receiving the uniqueidentifier. The user wants to take part in the system and sendsan authentication request to the system. As shown in figure2, the user and the system perform a challenge-responseprocess. Within this process, the user sends his identifier,encoded together with random numbers and timestamps ina hash-value, to the system. Due to this process, the systemand only the system is able to check whether the user isallowed to participate in the system or not. If the process isexited successfully, the user chooses a unique nickname anda password for any further authentication and the system onlyneeds to check the combination of nickname and password.

D. Role-Based-Access-System

A home automation system, like SHS, has a number offunctions and a variety of different and partly personal data.Required by law, the provider of such a system has to securethe personal data itself as well as proper handling of the data.That means for example, that only eligible persons for anassigned purpose are allowed to access this data. Because

14

of the nature of a home automation system, there are somefunctions whose wrong usage can affect dependability. Forthis reason, the restriction of those functions is essential toensure functionality at any time.

To provide this feature, we developed a role-based accesssystem for the SHS scenario. First of all, we identified allparticipating entities, i.e. all kinds of persons or electronicdevices which take part in the system. After that, we definedsome standard roles and possible profiles and assigned theaccess authority to the specific data and functions:• administrator - non-personalized user profile, personal-

ized user profile (e.g. flat administrator, parents, ...)• limited user - limited user profile (limitations individ-

ually determinable by flat administrator, e.g. profile:children,...)

• maintenance user - non-personalized profile with limita-tions for the purpose of maintenance (remote profile, onsite profile,...)

• guest user - non-personalized limited profile with optionalnon-critical authorizations

• system provider - provider of the SHS system• property provider - provider of the property, lessor• service provider - external service provider, who offers

services to normal usersWe further identified the complete system functions/data and

for all of them we assigned useful authorizations for every role.There are roles, like the administrator, who has authorizationto all functions and data. Other roles, like a maintenance user,own only task-specific authorizations with respect to usersprivacy. Every system function and every data has an accesscontrol and only authorized users are able to get access. Forevery access, the system checks the user profile attributeswhether the access is allowed or not. Within the registrationprocess of a new user, there is a form where the registrar hasto check which parts of system have to be accessible by thenew user.

E. Simulation Results

All provided algorithms work on embedded systems, whichare supplied with battery and have only low resources. So itis necessary that each algorithm uses only a small amount ofenergy and time. So we measured duration and energy con-sumption of all cryptographic algorithms. The computationswere processed on two different micro-controllers, the HCS08and the MSP430.HCS08 - all computations were processed by 8 MHz of clockfrequency, a voltage of 3 V and a maximum current of 5 mA.Due to compiler license restrictions, RIPEMD128 was nottested on this device. The measurement results are shown intable II.

MSP430 - the computations were processed by a clockfrequency of 25 MHz, a maximum of 3.6 V and a maximumcurrent of 8.9 mA. The results are shown in table III.

The energetic consideration of the implemented algorithmsshows, that the Diffie-Hellman key exchange consumes themost energy. For this reason, we recommend to perform thekey exchange only once during the first authentication. Every

further key should be transferred via the established securechannel. As an energetically convenient cipher, we recommendAES128. Furthermore, it is supported by almost every device.We recommend RIPEMD128 as an energetic-optimal hashalgorithm, because it is obviously better than SHA-1.

The following scenario within a home automation systemdemonstrates how important a security system is. Let usassume a radiator remotely controlled via Internet, i.e. theuser wants to turn on the radiator thirty minutes before hearrives at the flat. He uses his smartphone to connect to thesystem remotely and uses a system function to turn on theradiator. In this scenario, there are many security needs. Theremote connection has to be secured, the remote device has toauthenticate itself, the accessing user has to be authorized andit has to be checked if the user has the right to access. If one ofthose needs is not satisfied it is possible for a malicious personto turn on the radiator whenever he wants to. Furthermore, foran intruder it would be possible to detect if the user is notat home, which means a high burglary risk. The proposedsecurity architecture satisfies all of the named needs. Weprovide a secure Internet connection via SSL and the namedencryption algorithms, our system is able to authenticate theaccessing device and user and we can refuse the connectionif an unauthorized access occurs.

IV. QUALITY OF SERVICE SYSTEM

A. Theoretical Functionality

The fundamental idea of our quality of service solutionis to control the access to the SHS network on each HAMunit and differ thereby between the applications based on apredefined priority scheme for each service. This means, thatwe allow each application to use only a defined data rate forcommunication. Furthermore, an adaptation of these settings iscontinuously made based on the state of the network. To per-form this evaluation, first the network topology must be knownand second, the current behavior of the applications must beobtained. For the first task, there exist diverse techniques toget this information automatically, but currently this is not apart of our application, we simply work with the predefinedinformation of the network topology.

The second task is to measure and to shape the traffic causedby the services on the HAM unit. Both parts are highly relatedto the used operation system. To monitor the traffic, a packetanalyzer, developed with the help of the “pcap” library [20],is used. This software offers the possibility to implement oursystem on Linux and on Windows machines, because thislibrary is based on a portable framework. The shaping of theoutgoing traffic is more challenging, but from a general point

TABLE IIANALYSIS OF THE HCS08 MICRO-CONTROLLER

Algorithm Duration [ms] Enery useDHKE 5220 87.5 mWsRC4 14 210 µWsAES128 5.7 85.5 µWsSHA1 191 2.87 mWsRIPEMD128 - -

15

TABLE IIIANALYSIS OF THE MSP430 MICRO-CONTROLLER

Algorithm Duration [ms] Enery useDHKE 464 14.9 mWsRC4 4.98 159 µWsAES128 2.00 64.1 µWsSHA1 6.57 211 mWsRIPEMD128 0.827 26.5 µWs

of view, Linux as well as Windows have a mechanism, thatallows to take control of the data rate on the network interfacecard. The mechanism can be divided into two parts: a filterand a queue. The filter is used to assign specific packagesto a queue, whereby several attributes could be used, e.g. adestination port range, a process ID of the sending process orthe 802.1p flag settings of the package. Each filter is assignedto a queue, but it is also possible to connect several filters tothe same queue. If necessary, a serving strategy of the queue,like HTB (hierarchical token buffer) could be used, but in ourcase, a simple FIFO strategy is sufficient. The queue schedulesthe transmission of the packages, so that the defined data rateis guaranteed.

Our complete quality of service system works as follows:on each HAM unit a middleware is installed, that monitorsand controls the outgoing network traffic with the help ofthe instruments recently described. A powerful HAM unit oran additional control server is used as control manager ofthe network. The middleware on each HAM unit reports thecommunication status frequently in a certain time interval, e.g.200 ms, to the control server. With this information, the serverchecks the network status on each link and sends adaptationmessages to the middlewares, if one or more applicationscause more traffic than suitable for the network. The adaptationprocess guarantees, that the high priority services of the SHSsystem can use their desired data rate for communication andprevents congestion situations inside the network.

B. Simulation and Evaluation

To test the quality of service system, we used a virtualnetwork to check the functionality of the system and as wella real network to get reliable messurement data to prove thecorrect system behavior.

As mention in the introduction, the HAM unit is not onlyused as gateway for the sensor network, it is also used bysome multimedia devices like a VoIP phone or a smartphoneto allow them to communicate with each other and to givethem access to the Internet via the installed SHS network.Therefore, by the virtual setup, we first checked the behaviorof such devices and how the traffic shaping could be applied tocontrol the traffic caused by such devices. Because the HAMunit acts as gateway in this case, the only way to assign thistraffic to a filter is to use the second network interface asspecific attribute for this packet and the MAC-address of thedevices, to handle them individually.

Fig. 3 presents the measured results. The axis of abscissasshows the time in seconds, but the time axises of the two plotsare not synchronized and the axis of ordinates is scaled in bits

Fig. 3. Shaped traffic caused by multimedia device.

Fig. 4. Shaped traffic of some SHS services.

per second. The multimedia device sends three data packets ina row separated by a short time interval. The adaptation of thetraffic class due to the reached data rate limit is not visualizedin the diagrams.

The left plot shows the data received on the gateway sentby the multimedia device and the right plot shows the datareceived at the addressed destination. It illustrates that thetraffic is limited to 100 kbit/s which was the default settingby our setup for this traffic class. Noticeable is the fact, thatthe gateway gets a short package burst from the multimediadevice at the startup, but the received traffic at the destinationshows that the shaping works well when the gateway forwardsthe traffic to the SHS network.

Next, we used a real network for the evaluation of thesystem. To reduce the complexity, only two PCs, acting asHAM unit, are sending data to one destination and accordingto that, there is one unique bottleneck link inside the network.Fig. 4 illustrates the traffic on that link. To eliminate theinfluence of the network devices and the system performanceof each unit, we modeled each link inside the network tosupport only a maximum data rate of 5 Mbit/s. Finally weused only two priority classes and reduced the system reactiontime to one second, which means that the middleware sendsthe current status each second to the control server. As above,the abscissa represents the time in seconds, but the data isreduced to the situations, where some changes happened. Theordinate dimension is in kbit/s.

Initially, PC1 sends a data stream with low priority and adata rate of 3.5 Mbit/s. Next, after a few seconds, this PCinitializes a data stream with 2.5 Mbit/s but high priority.Due to the adaptation strategy, both streams are reduced to2.5 Mbit/s (point A), because the link supports only 5 Mbit/s,but any other user defined partitioning would also be possible.

16

This behavior is described in the system configuration, whichcould be changed by administrator.

After a few seconds, PC2 starts a data stream with lowpriority and a desired data rate of 3.5 Mbit/s (point B). In thiscase the adaptation of the data streams is different becausewe have two data streams coming from different PCs withdifferent priority at the same time on the link. The reactionis, that both data streams with low priority in summary andthe high priority data stream will get an equal data rate. Thismeans, that the high priority data stream of PC1 is unchangedbut the two low priority data streams are reduced to 2.5 Mbit/sin total.

Next, after the situation is stable, the low priority datastream from PC1 is stopped (point C) and so the low prioritydata stream of PC2 reaches the maximum of 2.5 Mbit/s,because there is still the high priority data stream of PC1.Finally this high priority stream is canceled (point D) and dueto that, the data rate of the last stream inside the network canincrease the date rate to the desired value of 3.5 Mbit/s.

V. CONCLUSION AND FUTURE WORK

In this paper we provided a complete communication ar-chitecture for the smart home scenario which offers both, anadequate security system and a quality of service scheme.The comprehensive security architecture addresses all needsof modern building automation systems. We performed threatmodeling and identified all possible threats and all secu-rity assets of the system. We provide security features andfunctions for all needs, comprising encryption features, hashalgorithms, authentication methods and a role-based-access-system. The proposed security architecture satisfies all actuallegal requirements regarding the German federal data secu-rity law. In the near future, updates of this law in relationto smart metering systems are expectable. Nevertheless, theproposed architecture will also fulfill these requirements, butthe actual certification has to be considered. Within the actualcompetition for the next secure hash algorithm, aligned by theNational Institute for Standardization and Technology (NIST),we recommend to slip in these innovations into future work.The same is true for innovation in ciphers, key managementsystems and authentication methods.

Moreover, the evaluation of the quality of service strategydemonstrated, that the main parts of that solution can cooper-ate to avoid network congestion inside the home network.

Additionally, we want to simulate our system to checkthe behavior, especially with very large networks, becausewe think, in such cases, a distributed traffic shaping controlalgorithm could be better and would avoid the single point offailure problem.

REFERENCES

[1] Smart Home Services Research Project. (2011). [Online]. Available:http://www.smart-home-services.de/

[2] ACX GmbH. (2011) ViciOne Home and BuildingAutomation. [Online]. Available: http://www.acx-gmbh.de/de/home-building-automation/index.html

[3] M. A. Zamora-Izquierdo, J. Santa, and A. F. Gomez-Skarmeta, “AnIntegral and Networked Home Automation Solution for Indoor AmbientIntelligence,” IEEE Pervasive Computing, vol. 9, pp. 66–77, October2010. [Online]. Available: http://dx.doi.org/10.1109/MPRV.2010.20

[4] Smart Home der Bundeswehr Universitaet Muenchen. (2011). [Online].Available: http://www.unibw.de/eit8 2/forschung/projekte/shfilm/

[5] Smarter Wohnen R©NRW, Fraunhofer IMS, Fraunhofer ISST, HGW.(2011). [Online]. Available: http://www.smarterwohnennrw.de

[6] SerCHo: Service Centric Home. (2011). [Online]. Available: http://www.sercho.de

[7] IEEE 802.1 Audio/Video Bridging Task Group Home Page. (2011).[Online]. Available: http://www.ieee802.org/1/pages/avbridges.html

[8] Bannazadeh H. and Leon-Garcia A., “A Distributed Ethernet TrafficShaping System,” Local and Metropolitan Area Networks (LANMAN),2010 17th IEEE Workshop on, May 2010.

[9] Y. Zhang, R. Yu, S. Xie, W. Yao, Y. Xiao, and M. Guizani, “HomeM2M Networks: Architectures, Standards, and QoS Improvement,”Communications Magazine, IEEE, vol. 49, no. 4, pp. 44 –52, April2011.

[10] T. Dreibholz, E. Rathgeb, I. Ruengeler, R. Seggelmann, M. Tuexen, andR. Stewart, “Stream Control Transmission Protocol: Past, Current, andFuture Standardization Activities,” Communications Magazine, IEEE,vol. 49, no. 4, pp. 82 –88, April 2011.

[11] G. McAlpine, “Congestion Control for Switched Ethernet,” High Per-formance Interconnects for Distributed Computing, 2005.

[12] N. Ferguson and B. Schneier, “Practical Cryptography,” Wiley Publish-ing, Indianapolis, ISBN 0-471-22357-3, 2003.

[13] N. W. Group, “A Stream Cipher Encryption Algorithm ’Arcfour’,”Internet Engineering Task Force, 1997.

[14] W. Diffie and M. E. Hellman, “New Directions in Cryptography,” InIEEE Transactions on Information Theory. 22, Nr. 6, 1976.

[15] RSA Security. (1991) Public Key Cryptography Standards Number3: Diffie Hellman Key Agreement Standard. [Online]. Available:http://www.rsa.com/rsalabs/node.asp?id=2126

[16] N. W. Group, “RFC 2631: Diffie-Hellman Key Agreement Method,”Internet Engineering Task Force, 1999.

[17] B. Kaliski, RSA Security. (2003) TWIRL and RSA Key Size. [Online].Available: http://www.rsa.com/rsalabs/node.asp?id=2004

[18] W. Diffie, P. C. V. Oorschot, and M. J. Wiener, “Authentication andAuthenticated Key Exchanges,” Designs, Codes and Cryptography,vol. 2, no. 2, pp. 107 – 125, 1992.

[19] H. D. B. Preneel, A. Bosselaers, “The Cryptographic Hash FunctionRIPEMD-160,” CryptoBytes, Vol. 3, Nr. 2, 1997.

[20] TCPDump and LibPCap, the official web site. (2011). [Online].Available: http://www.tcpdump.org

17