V1: HMFR, 2006. V2: MFNB, 2007 LabView Seminar University of Puerto Rico Mayagüez Campus.
Seminar V2
-
Upload
moustafa-najm -
Category
Documents
-
view
275 -
download
0
Transcript of Seminar V2
Securing The IoT Presented By: Guided By:Moustafa Najm Dr. RASHMI RANJAN ROUT NITW – CSE M.Tech Roll No: 147509
Abstract• The Internet of Things (IoT) is a computing concept that
describes a future internet where everyday physical objects will be connected to the Internet making daily life easier.
• on the other hand there will be many security challenges
• This seminar gives overview about IoT, analyzes security challenges and requirements in IoT, introduces IoT communication stack for IoT and discusses different mechanisms to secure communications in each protocol, as well as limitations and some improvements and open issues for future research.
AgendaOverview of the Internet of Things
IoT security challenges
Securing the Internet of Things
Conclusion and summary
Firstly, does it matter?
Motivation
By 2018, mobile data traffic will exceed fifteen Exabyte each month.
Yet we are still at
the beginning
Motivation
The web search popularity, as measured by the Google search
What is the IoT
Place where machine to machine talk
Internet Evolving
IoT Applications
‘Botnets are already a major security concern and the emergence of “thingbots” [things being gadgets] may make the situation much worse.’ David Knight, Proofpoint.
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
SECURITY COMES FIRST
So what is different about IoT?
• The longevity of the device– Updates are harder (or impossible)
• The size of the device– Capabilities are limited – especially around crypto
• The fact there is a device– Usually no UI for entering userids and passwords
• The data– Often highly personal
IoT security requirements
– There can be many ways the system could be attacked:– Capture data and messages– Disabling the network availability– Pushing erroneous data into the network– Accessing personal information …
– Security is critical to any network and the first line of defense against data corruption is cryptography.
• insider attacks ?!
IoT Security requirements
Security Requirements
confidentialityprivacy
integrity
authentication
availability
nonrepudiation
protocol stack for the IoT
Communication protocols in the IoT
IEEE 802.15.4
Security in IEEE 802.15.4
Security in IEEE 802.15.4
• Efficient symmetric cryptography at hardware
Security in IEEE 802.15.4– security is available only at the MAC layer– Security as currently defined by IEEE 802.15.4 is optional
• Confidentiality:– encryption using AES in the Counter (CTR) mode
• Data authenticity and integrity:– employing AES in the Cipher Block Chaining (CBC) mode
• Confidentiality, data authenticity and integrity– The CTR and CBC modes may be jointly employed using the combined
Counter with CBC-MAC AES/CCM encryption mode
Security in IEEE 802.15.4
• protection against message replay attacks– The sender breaks the original packet into 16-byte blocks,
each block identified by its own block counter.
– each block is encrypted using a different nonce or Initialization Vector (IV)
Security in IEEE 802.15.4
• Access control mechanisms– the device stores an access control lists (ACL) with
max of 255 entries, each for particular destination device.
– A default ACL entry may also be employed
Limitations of security with IEEE 802.15.4
• No keying model.
• The management of IV values – if the same key is used in two or more ACL entries. it may enable
an adversary to recover plaintexts from cipher texts.
• No adequate support for all keying models– in particular group keying and network-shared keying.
• No protection for acknowledgment messages in respect to integrity or confidentiality DOS Attack
6LoWPANIPv6 over IEEE 802.15.4
6LowPAN Challenge
• Header Size Calculation. . .127-25-40-8 = 54 octets left for application data!– The challenges in 6LoWPAN environments are
related to the resource constraints of typical wireless sensing platforms
• IPv6 MTU Requirements– IPv6 requires that links support an MTU of 1280
octets– Link-layer fragmentation / reassembly is needed
Security in 6LoWPAN
• No security mechanisms are currently defined in 6LoWPAN
• a malicious or misconfigured node sending forged, duplicate or overlapping fragments– This is due to the lack of authentication at the
6LoWPAN adaptation layer.
Proposals for Security in 6LoWPAN
• Lightweight IPSec– confidentiality, authentication and non-repudation– Analysis:• With compressed IPSec, packet size is similar to
802.15.4 while IPSec provides end-to-end security• Space analysis show that AH and ESP consumes just
3.9KB and 9kB, respectively, for mandatory IPSec Algorithms.
Proposals for Security in 6LoWPAN
• security against packet fragmentation attacks:– Addition of a timestamp plus a nonce to the
6LoWPAN fragmentation header to support security against unidirectional and bidirectional fragment replays
– per-fragment sender authentication using hash chains
Example of a content chain for a packet consisting of three fragments
RPLIPv6 Routing Protocol for LLNs
Routing in RPL• RPL builds Destination Oriented Directed Acyclic Graph
(DODAG) for each root. by accounting for link costs, node attributes, and its respective objective function. The topology is set up based on a rank metric.
RPL Control Messages
• DAG Information Object (DIO)• DAG Information Solicitation (DIS)• Destination Advertisement Object (DAO)• Destination Advertisement Object ACK (DAO-ACK) • Consistency Check (CC) – Synchronization of counter values among
communicating nodes– provide a basis for the protection against packet replay
attacks.
Security in RPL• secure versions of the various routing control messages• The high order bit of the RPL Code field identifies whether or not security is
applied
• Support of integrity and data authenticity:– Confidentiality and Integrity: AES/CCM with 128-bit keys for MAC– integrity and data authenticity : RSA with SHA-256
• LVL :allows varying levels of data authentication and, optionally, of data confidentiality.
Security in RPL
• protection against packet replay attacks :CC (Consistency Check ) messages are used for synchronization of counter values among communicating nodes.
Proposal for Security in RPL
• Protection of RPL routing operations against falsified routing updates :– a child may have malicious parent !– Use a version and rank authentication security
scheme based on one-way hash chains providing security against internal attackers
CoAPConstrained Application Protocol
CoAP Security
• Define bindings to DTLS , with four security modes:– NoSec:
• no protocol-level security and DTLS is disabled– PreSharedKey:
• PreShared Key(PSK)-based authentication is used. • The device store list of keys, each key includes a list of nodes
– RawPublicKey:• the device has an asymmetric key pair.
– Certificate: • the device has an asymmetric key pair • The X.509 certificate binds the public key
Evaluation 1
• Large memory footprint in ROM and RAM. – Complexity of the DTLS handshake, i.e., many messages and states. – Crypto suites require SHA-2 that is not available on hardware crypto co-processor.
• Overhead due to lower layer per-packet protocol headers.
Evaluation 2
DTLS Improvement
• Avoiding Fragmentation Through Compression
• on average 15% less energy is used to transmit (and receive) compressed packets
Conclusion
• With the nature of today’s computing, security is becoming very critical for wide range of applications.
• we have seen the requirements, issues, designs and solutions of secure standard protocol design to counter the different attacks.
• Several issues, however, still remain open to find a solution to the problem of IoT security.
• By Complying with the security measures, the IoT can fully improve daily aspects of our life.
References (1)• Jorge Granjal, Edmundo Monteiro, Jorge Sá Silva, “Security for the Internet of Things: A
Survey of Existing Protocols and Open Research issues”, Communications Surveys & Tutorials, IEEE (Volume:PP , Issue: 99 ), Page(s):1, 2015.
• Charith Perera, Member, IEEE, Chi Harold Liu, Member, IEEE, Srimal Jayawardena, Member, IEEE and Min Chen, Senior Member, IEEE ,”A Survey on Internet of Things from Industrial Market Perspective” , Access, IEEE jornal, (Volume:2), Page(s):1660 – 1679, 2015
• Sye Loong Keoh ,Kumar, S.S. ; Tschofenig, H.,”Securing the Internet of Things:A Standardization Perspective”, Internet of Things Journal, IEEE (Volume:1,Issue: 3 ), Page(s):265 - 275,2014.
• Christine Hennebert and Jessye Dos Santos,”Security Protocols and Privacy Issues into 6LoWPAN Stack: A Synthesis”, IEEE INTERNET OF THINGS JOURNAL, VOL. 1, NO. 5, Page(s):274–279, OCTOBER 2014.
• Yasin Nizami, Emiliano Garcia-Palacios.,”Internet of Things A Proposed Secured Network Topology”, Irish Signals & Systems Conference 2014 and 2014 China-Ireland International Conference on Information and Communications Technologies (ISSC 2014/CIICT 2014). 25th IET,Page(s):274 - 279,2014.
References (2)• Gurpreet Singh Matharu, Priyanka Upadhyay , Lalita Chaudhary ,”The Internet of Things:
Challenges & Security Issues” Emerging Technologies (ICET), 2014 International Conference on,Page(s):54 - 59, 2014.
• Jayavardhana Gubbi, Rajkumar Buyyab, Slaven Marusic, Marimuthu Palaniswami,” Internet of Things (IoT): A vision, architectural elements, and future directions”,Future Generation Computer Systems jornal,Volume 29, Issue 7, Pages 1645–1660, September 2013.
• Raza, S. ,Shafagh, H. ; Hewage, K. ; Hummen, R. ”Lithe: Lightweight Secure CoAP for the Internet of Things”, Sensors Journal, IEEE (Volume:13 , Issue: 10 ),Page(s):3711 - 3720, 2013
• Anass RGHIOUI , Mohammed BOUHORMA , Abderrahim BENSLIMANE ,”Analytical study of security aspects in 6LoWPAN networks”, 2013 5th International Conference on Information and Communication Technology for the Muslim World, Page(s):1 – 5,2013.
• Shahid Raza, Tony Chung, Simon Duquennoy, Dogan Yazar, Thiemo Voigt1, Utz Roedig “Securing Internet of Things with Lightweight Ipsec”, SICS Technical Report,ISSN:1100-3154, 2013
• Ren´e Hummen, Klaus Wehrle, “Standards-based End-to-End IP Security for the Internet of Things”, Network Protocols (ICNP), 2013 21st IEEE International Conference, Page(s):1 – 3, 2013.