Securing The IoT Presented By: Guided By:Moustafa Najm Dr. RASHMI RANJAN ROUT NITW – CSE M.Tech Roll No: 147509

Abstract• The Internet of Things (IoT) is a computing concept that

describes a future internet where everyday physical objects will be connected to the Internet making daily life easier.

• on the other hand there will be many security challenges

• This seminar gives overview about IoT, analyzes security challenges and requirements in IoT, introduces IoT communication stack for IoT and discusses different mechanisms to secure communications in each protocol, as well as limitations and some improvements and open issues for future research.

AgendaOverview of the Internet of Things

IoT security challenges

Securing the Internet of Things

Conclusion and summary

Firstly, does it matter?

Motivation

By 2018, mobile data traffic will exceed fifteen Exabyte each month.

Yet we are still at

the beginning

Motivation

The web search popularity, as measured by the Google search

What is the IoT

Place where machine to machine talk

Internet Evolving

IoT Applications

‘Botnets are already a major security concern and the emergence of “thingbots” [things being gadgets] may make the situation much worse.’ David Knight, Proofpoint.

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

SECURITY COMES FIRST

So what is different about IoT?

• The longevity of the device– Updates are harder (or impossible)

• The size of the device– Capabilities are limited – especially around crypto

• The fact there is a device– Usually no UI for entering userids and passwords

• The data– Often highly personal

IoT security requirements

– There can be many ways the system could be attacked:– Capture data and messages– Disabling the network availability– Pushing erroneous data into the network– Accessing personal information …

– Security is critical to any network and the first line of defense against data corruption is cryptography.

• insider attacks ?!

IoT Security requirements

Security Requirements

confidentialityprivacy

integrity

authentication

availability

nonrepudiation

protocol stack for the IoT

Communication protocols in the IoT

IEEE 802.15.4

Security in IEEE 802.15.4

Security in IEEE 802.15.4

• Efficient symmetric cryptography at hardware

Security in IEEE 802.15.4– security is available only at the MAC layer– Security as currently defined by IEEE 802.15.4 is optional

• Confidentiality:– encryption using AES in the Counter (CTR) mode

• Data authenticity and integrity:– employing AES in the Cipher Block Chaining (CBC) mode

• Confidentiality, data authenticity and integrity– The CTR and CBC modes may be jointly employed using the combined

Counter with CBC-MAC AES/CCM encryption mode

Security in IEEE 802.15.4

• protection against message replay attacks– The sender breaks the original packet into 16-byte blocks,

each block identified by its own block counter.

– each block is encrypted using a different nonce or Initialization Vector (IV)

Security in IEEE 802.15.4

• Access control mechanisms– the device stores an access control lists (ACL) with

max of 255 entries, each for particular destination device.

– A default ACL entry may also be employed

Limitations of security with IEEE 802.15.4

• No keying model.

• The management of IV values – if the same key is used in two or more ACL entries. it may enable

an adversary to recover plaintexts from cipher texts.

• No adequate support for all keying models– in particular group keying and network-shared keying.

• No protection for acknowledgment messages in respect to integrity or confidentiality DOS Attack

6LoWPANIPv6 over IEEE 802.15.4

6LowPAN Challenge

• Header Size Calculation. . .127-25-40-8 = 54 octets left for application data!– The challenges in 6LoWPAN environments are

related to the resource constraints of typical wireless sensing platforms

• IPv6 MTU Requirements– IPv6 requires that links support an MTU of 1280

octets– Link-layer fragmentation / reassembly is needed

Security in 6LoWPAN

• No security mechanisms are currently defined in 6LoWPAN

• a malicious or misconfigured node sending forged, duplicate or overlapping fragments– This is due to the lack of authentication at the

6LoWPAN adaptation layer.

Proposals for Security in 6LoWPAN

• Lightweight IPSec– confidentiality, authentication and non-repudation– Analysis:• With compressed IPSec, packet size is similar to

802.15.4 while IPSec provides end-to-end security• Space analysis show that AH and ESP consumes just

3.9KB and 9kB, respectively, for mandatory IPSec Algorithms.

Proposals for Security in 6LoWPAN

• security against packet fragmentation attacks:– Addition of a timestamp plus a nonce to the

6LoWPAN fragmentation header to support security against unidirectional and bidirectional fragment replays

– per-fragment sender authentication using hash chains

Example of a content chain for a packet consisting of three fragments

RPLIPv6 Routing Protocol for LLNs

Routing in RPL• RPL builds Destination Oriented Directed Acyclic Graph

(DODAG) for each root. by accounting for link costs, node attributes, and its respective objective function. The topology is set up based on a rank metric.

RPL Control Messages

• DAG Information Object (DIO)• DAG Information Solicitation (DIS)• Destination Advertisement Object (DAO)• Destination Advertisement Object ACK (DAO-ACK) • Consistency Check (CC) – Synchronization of counter values among

communicating nodes– provide a basis for the protection against packet replay

attacks.

Security in RPL• secure versions of the various routing control messages• The high order bit of the RPL Code field identifies whether or not security is

applied

• Support of integrity and data authenticity:– Confidentiality and Integrity: AES/CCM with 128-bit keys for MAC– integrity and data authenticity : RSA with SHA-256

• LVL :allows varying levels of data authentication and, optionally, of data confidentiality.

Security in RPL

• protection against packet replay attacks :CC (Consistency Check ) messages are used for synchronization of counter values among communicating nodes.

Proposal for Security in RPL

• Protection of RPL routing operations against falsified routing updates :– a child may have malicious parent !– Use a version and rank authentication security

scheme based on one-way hash chains providing security against internal attackers

CoAPConstrained Application Protocol

CoAP Security

• Define bindings to DTLS , with four security modes:– NoSec:

• no protocol-level security and DTLS is disabled– PreSharedKey:

• PreShared Key(PSK)-based authentication is used. • The device store list of keys, each key includes a list of nodes

– RawPublicKey:• the device has an asymmetric key pair.

– Certificate: • the device has an asymmetric key pair • The X.509 certificate binds the public key

Evaluation 1

• Large memory footprint in ROM and RAM. – Complexity of the DTLS handshake, i.e., many messages and states. – Crypto suites require SHA-2 that is not available on hardware crypto co-processor.

• Overhead due to lower layer per-packet protocol headers.

Evaluation 2

DTLS Improvement

• Avoiding Fragmentation Through Compression

• on average 15% less energy is used to transmit (and receive) compressed packets

Conclusion

• With the nature of today’s computing, security is becoming very critical for wide range of applications.

• we have seen the requirements, issues, designs and solutions of secure standard protocol design to counter the different attacks.

• Several issues, however, still remain open to find a solution to the problem of IoT security.

• By Complying with the security measures, the IoT can fully improve daily aspects of our life.

References (1)• Jorge Granjal, Edmundo Monteiro, Jorge Sá Silva, “Security for the Internet of Things: A

Survey of Existing Protocols and Open Research issues”, Communications Surveys & Tutorials, IEEE (Volume:PP , Issue: 99 ), Page(s):1, 2015.

• Charith Perera, Member, IEEE, Chi Harold Liu, Member, IEEE, Srimal Jayawardena, Member, IEEE and Min Chen, Senior Member, IEEE ,”A Survey on Internet of Things from Industrial Market Perspective” , Access, IEEE jornal, (Volume:2), Page(s):1660 – 1679, 2015

• Sye Loong Keoh ,Kumar, S.S. ; Tschofenig, H.,”Securing the Internet of Things:A Standardization Perspective”, Internet of Things Journal, IEEE (Volume:1,Issue: 3 ), Page(s):265 - 275,2014.

• Christine Hennebert and Jessye Dos Santos,”Security Protocols and Privacy Issues into 6LoWPAN Stack: A Synthesis”, IEEE INTERNET OF THINGS JOURNAL, VOL. 1, NO. 5, Page(s):274–279, OCTOBER 2014.

• Yasin Nizami, Emiliano Garcia-Palacios.,”Internet of Things A Proposed Secured Network Topology”, Irish Signals & Systems Conference 2014 and 2014 China-Ireland International Conference on Information and Communications Technologies (ISSC 2014/CIICT 2014). 25th IET,Page(s):274 - 279,2014.

References (2)• Gurpreet Singh Matharu, Priyanka Upadhyay , Lalita Chaudhary ,”The Internet of Things:

Challenges & Security Issues” Emerging Technologies (ICET), 2014 International Conference on,Page(s):54 - 59, 2014.

• Jayavardhana Gubbi, Rajkumar Buyyab, Slaven Marusic, Marimuthu Palaniswami,” Internet of Things (IoT): A vision, architectural elements, and future directions”,Future Generation Computer Systems jornal,Volume 29, Issue 7, Pages 1645–1660, September 2013.

• Raza, S. ,Shafagh, H. ; Hewage, K. ; Hummen, R. ”Lithe: Lightweight Secure CoAP for the Internet of Things”, Sensors Journal, IEEE (Volume:13 , Issue: 10 ),Page(s):3711 - 3720, 2013

• Anass RGHIOUI , Mohammed BOUHORMA , Abderrahim BENSLIMANE ,”Analytical study of security aspects in 6LoWPAN networks”, 2013 5th International Conference on Information and Communication Technology for the Muslim World, Page(s):1 – 5,2013.

• Shahid Raza, Tony Chung, Simon Duquennoy, Dogan Yazar, Thiemo Voigt1, Utz Roedig “Securing Internet of Things with Lightweight Ipsec”, SICS Technical Report,ISSN:1100-3154, 2013

• Ren´e Hummen, Klaus Wehrle, “Standards-based End-to-End IP Security for the Internet of Things”, Network Protocols (ICNP), 2013 21st IEEE International Conference, Page(s):1 – 3, 2013.