BooT-IoT: A Privacy-Aware Authentication Scheme for Secure Bootstrapping of IoT Nodes
1. SECuRE and Trustworthy
Computing Lab
Authors
Mahmud Hossain and Ragib Hasan
SECuRE and Trustworthy computing Lab (SECRETLab)
University of Alabama at Birmingham
Presenter: Mahmud Hossain, PhD Student, Dept. of Computer and Information Sciences, UAB
http://secret.cis.uab.edu
The Internet of Things (IoT)
A programmable world
Everyday objects are interconnected
Objects are smart enough to make decisions
Objects are programmable
Smart Thermostat
IoT Ecosystem
IoT Forecasts and Market Estimates
Estimation of connected things by 2020
20.8 billion (Gartner)
26.3 billion (Cisco)
28 billion (Ericsson)
34 billion (Business Insider)
Source: IoT Analytics (2015)
Source: Zinnov Zones (2016)
Internet of Insecure Things
Smart Objects
TV, webcams, home thermostat, remote power outlets, sprinkler controllers, door locks, home alarm, garage door openers.
IoT Security study by HP [1]
80% of devices raised privacy concerns
80% failed to require passwords of sufficient complexity and length
70% did not encrypt communications to the internet and local network
60% raised security concerns with their user interfaces
[1] Hewlett Packard (HP), “Securing the Internet of Things: Mapping Attack Surface Areas Using the OWASP IoT Top 10”, in RSA Conference, 2015
Attacks on IoT Systems
Remotely hacked an IoT enabled car [1]
Consumer gadgets sending phishing and spam emails [2]
DVRs and cameras were infected to form a botnet [3]
Internet connected Baby Monitors were compromised [4]
“Hospira” hospital drug pumps were compromised [5]
[1] IOActive Lab, 2015, http://blog.ioactive.com/2014/04/car-hacking-2-content.html
[2] Proofpoint Lab, 2014, https://www.proofpoint.com/us/news
[3] Krebs on Security, 2016, https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
[4] Rapid7, 2016, https://information.rapid7.com/iot-baby-monitor-research.html
[5] Hacking the Drug Pump. 2015. http://money.cnn.com/2015/06/10/technology/drug-pump-hack/
The Scope of This Proposed Work
Secure Network Admission
Secure Service Access
Life cycle of an IoT node
Content Outline
Motivation and Threat Model
Contribution
Operational Model
Performance Analysis
Motivation and Threat Model
Static identity usage
Does not provide location privacy
Vulnerable to location tracing and Denial of Service (DoS) attacks
Internet of Vehicle (Connected Cars)
Cyber espionage
False information about collocated vehicles
Smart Home
Infer home owner's presence
User targeted attack (e.g., Burglary or physical attack)
Smart Medical Assistance
DoS attacks for blocking devices from sending real-time updates
Contributions
Secure network admission
Privacy-aware authentication based on Combined Public Key (CPK) cryptography
Secure end to end communication
Lightweight ECQV implicit certificate scheme for mutual authentication
Experimental evaluation
BooT-IoT is resource efficient compared to contemporary network admission schemes
Combined Public Key (CPK) Cryptography
Take advantage of Elliptic Curve Cryptography (ECC)
ECC pair (d,Q); d = secret key and Q = public key
Q = d*G
Two ECC pairs (d1, Q1) and (d2, Q2)
New key pair (d,Q) can be calculated as
Q = Q1 + Q2 = d1*G + d2*G = (d1 + d2)*G = d*G
BooT-IoT: CPK-based Authentication (1/2)
Public Key Matrix (PKM), v rows by w columns:
Q11 Q12 … Q1w
Q21 Q22 … Q2w
 ⋮   ⋮       ⋮
Qv1 Qv2 … Qvw
Verifier maintains a Public Key Matrix (PKM)
Qij = PKM[i][j] represents a public key of an ECC pair (dij, Qij)
Verifier issues a set of cells from PKM to a prover
Prover computes (d11,Q11), (d22,Q22)… (dnn, Qnn)
Prover sends (Q11, Q22, …, Qnn) and stores (d11, d22,…, dnn)
[Figure: Verifier, Prover, List of Assigned Cells]
BooT-IoT: CPK-based Authentication (2/2)
Prover generates an ECC pair using [d11], [d22],… [dnn]
Prover selects a combination dij, …,dkl from [d11], [d22],… [dnn] keys
Prover computes
d = dij+ … + dkl
Q =d*G
Prover sends a nonce N, MACk(N), and the indices (ij)…(kl) of cells used to compute Q
K is the shared key between verifier and prover.
Verifier computes Q = PKM[ij] + … + PKM[kl] and verifies Signd(N) using Q
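The CPK key combination and the two authentication slides above, worked end to end as an added example (not code from the paper or the BooT-IoT implementation): the prover sums the private keys of its chosen cells, and the verifier rebuilds the matching public key from PKM using only the cell indices. Assumptions: the secp256k1 curve, a Schnorr signature standing in for Signd(N), cells labelled as (i, j) tuples, and all function names are hypothetical; the slides specify none of these.

```python
import functools, hashlib, secrets

# secp256k1 (assumed curve; the slides name none). None = point at infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
         else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, A):  # double-and-add, not constant time (illustration only)
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def enroll(cells):
    """Prover: one ECC pair per assigned PKM cell -> (private d_ij, public Q_ij)."""
    priv = {c: secrets.randbelow(N - 1) + 1 for c in cells}
    return priv, {c: mul(d, G) for c, d in priv.items()}

def prover_key(priv, chosen):  # prover: d = sum of the chosen d_ij mod n
    return sum(priv[c] for c in chosen) % N

def verifier_key(pkm, chosen):  # verifier: Q = PKM[ij] + ... + PKM[kl]
    return functools.reduce(add, (pkm[c] for c in chosen), None)

def challenge(R, nonce):
    h = hashlib.sha256(R[0].to_bytes(32, "big") + nonce).digest()
    return int.from_bytes(h, "big") % N

def sign(d, nonce):
    """Schnorr signature standing in for Sign_d(N); the scheme is an assumption."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + challenge(R, nonce) * d) % N

def verify(Q, nonce, R, s):
    return mul(s, G) == add(R, mul(challenge(R, nonce), Q))
```

The verifier stores the public keys returned by enroll() in PKM; verify() then succeeds only when the Q it rebuilt from the received indices equals d*G for the prover's combined d.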
Experiment and Evaluation
RE-Mote IoT devices
Webtech IoT Gateway
Contiki IoT Operating System
Analysis and comparison of BooT-IoT with authentication methods of Extensible Authentication Protocol (EAP)
EAP authentication method
TLS-ECC
Pre Shared Key
MD5
Analysis of Communication Cost
1.5x Faster
Pre-shared key and MD5 are faster but do not provide a good degree of security.
Comparison of Cryptographic Operations
Eliminates cryptographic operations for ECDSA signature