HSC-IoT: A Hardware and Software Co-Verification based Authentication Scheme for Internet of Things
1. SECuRE and Trustworthy
Computing Lab
Authors
Mahmud Hossain, Shahid Noor, Ragib Hasan
SECuRE and Trustworthy computing Lab (SECRETLab)
University of Alabama at Birmingham
Presenter: Mahmud Hossain, PhD Candidate, Dept. of Computer and
Information Sciences, UAB
http://secret.cis.uab.edu
2. The Internet of Things (IoT)
A programmable world
Everyday objects are interconnected
Objects are smart enough to make decisions
3. The Scope of This Proposed Work
Secure Network Admission
Secure Service Access
Life cycle of an IoT node
4. Content Outline
Motivation and Threat Model
Contribution
Background
Operational model
Security Analysis
Performance Analysis
5. Motivation and Threat Model
Hardware compromise
Counterfeit IoT devices to impersonate a real device
E.g., fabricated medical IoT devices can be sold at a cheaper price
Node cloning
Extract keying materials for impersonation types of attacks
Simulate IoT devices using virtualization layer
Software compromise
A legitimate device with malicious software
Node reprogramming with malicious code
Running an older version of a software
A vulnerable version of the software
Usage of static device identity for authentication
Does not provide location privacy
Vulnerable to location tracing attacks
6. Motivation and Threat Model
Device      | CPU    | RAM  | ROM   | Communication
T-Mote Sky  | 8 MHz  | 8 KB | 48 KB | 250 Kbps
RE-Mote     | 16 MHz | 8 KB | 48 KB | 250 Kbps
7. Contributions
Hardware and Software co-verification
Protect against node cloning and reprogramming attacks
Physical Uncloneable Function (PUF) for hardware integrity verification
Hardware Performance Counter (HPC) for software integrity verification
Privacy-aware identity usage
Prevent location tracking attacks
Resource efficient mutual authentication
Protected access to IoT resources and services.
9. Physical Uncloneable Function (PUF)
The same circuitry is embedded in different devices
Same challenge bits
Different devices produce different and unique response bits
Complex and statistical variation in logic and interconnect in an IC
10. Hardware Performance Counter (HPC)
HPCs are registers present in all commodity processors
ARM, Intel, AMD
HPCs can keep count of the number of CPU cycles required to complete a task (to execute code segments)
Conventional usage
To determine software performance
Software profiling
Usage in security in resource-rich devices
Code behavior analysis
Malware detection
12. Hardware and Software Co-verification
Our Approach
Conventional Approach
E.g., Temperature Sensing
Software Hash
13. System Architecture
IoT Identity Provider (IIP)
Stores challenge-response pairs, software hash, value of HPC
Authenticates an IoT device
Domain Security Manager
Provides an IoT device access to the network
14. Enrollment Phase
1. Challenge C
2. Response Ri
3. Response R′i
Diagram labels: PUF, HPCs, Devices, IoT Identity Provider (IIP), Challenge as Device Identifier
IoT Device       | Challenge/Device ID, Response | Task                | HPC Cycles | Software Hash
Smart Thermostat | C1 = R1 R′1                   | Temperature Sensing | CC1        | SH1
Smart Light      | C2 = R2 R′2                   | Turn Light On       | CC2        | SH2
15. An Overview of the Operational Model
[Figure: three sites, each showing a DSM and the IIP]
Site 1: C1, R1; C2, R2; NIT1
Site 2: C2, R2; C3, R3; NIT2
Site 3: C3, R3; C4, R4; NIT3
C = Challenge, R = Response
NIT = Network Identity Token
16. IIP Authenticates Device
Diagram labels: DSM, IIP, Certificate-based Mutual Authentication
Device:
R = PUF(C)
C′ = F(R)
R′ = PUF(C′)
Sent by the device:
C, X = R ⊕ R′
Y = CC ⊕ SH
MAC_R(X ⊕ Y)
IIP:
Retrieve R for C from DB
R′ = X ⊕ R
Retrieve SH for C from DB
CC = Y ⊕ SH
Verify MAC_R(X ⊕ Y)
C′ = F(R)
Store [C′, R′]
F: Public Random Generator, shared by IIP and Device
17. Device Authenticates IIP and DSM
Diagram labels: DSM, IIP
R = PUF(C)
C′ = F(R)
R′ = PUF(C′)
MAC_R(H(R))
h = H(R)
MAC_R(C′)
h = H(R)
N, MAC_h(N)
MAC_R(C′)
Store h
Verify MAC_R(C′): authenticates IIP
Verify MAC_h(N): authenticates DSM
F: Public Random Generator, shared by IIP and Device
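The exchanges on slides 16 and 17, as an added Python example that is not part of the original slides: it runs the device and IIP sides and shows a cloned chip, a reflashed device and a replayed challenge being rejected while the genuine device passes and rolls over to [C′, R′]. Assumptions: the PUF is modelled by a keyed hash over a per-chip secret, F, H and MAC are SHA-256 based, CC is padded to the hash width, the IIP compares the recovered CC with the enrolled value, only the MAC_R(C′) and MAC_h(N) checks of slide 17 are modelled, and all class and function names are hypothetical.

```python
import hashlib, hmac

def H(b): return hashlib.sha256(b).digest()
def mac(k, m): return hmac.new(k, m, hashlib.sha256).digest()
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def F(r): return H(b"F" + r)                    # public generator F; SHA-256 is an assumption
def cc_bytes(n): return n.to_bytes(32, "big")   # HPC cycle count padded to hash width

class Device:
    def __init__(self, silicon, firmware, cycles):
        self.silicon, self.firmware, self.cycles = silicon, firmware, cycles
    def puf(self, c):                # stand-in only: a real PUF holds no key
        return mac(self.silicon, c)
    def request(self, c):
        r = self.puf(c)
        x = xor(r, self.puf(F(r)))                        # X = R xor R'
        y = xor(cc_bytes(self.cycles), H(self.firmware))  # Y = CC xor SH
        return c, x, y, mac(r, xor(x, y))                 # MAC_R(X xor Y)
    def accepts(self, c, iip_tag, n, dsm_tag):            # slide 17 checks
        r = self.puf(c)
        return (hmac.compare_digest(iip_tag, mac(r, F(r)))       # MAC_R(C')
                and hmac.compare_digest(dsm_tag, mac(H(r), n)))  # MAC_h(N)

class IIP:
    def __init__(self):
        self.db = {}                 # C -> (R, SH, CC)
    def authenticate(self, c, x, y, tag):
        if c not in self.db:
            return None              # unknown or already used challenge
        r, sh, cc = self.db[c]
        if not hmac.compare_digest(tag, mac(r, xor(x, y))):
            return None              # sender does not know R: clone or counterfeit
        if xor(y, sh) != cc_bytes(cc):
            return None              # assumed check: CC = Y xor SH must equal enrolled CC
        del self.db[c]
        self.db[F(r)] = (xor(x, r), sh, cc)   # store [C', R'], R' = X xor R
        return mac(r, F(r)), H(r)    # MAC_R(C') for the device, h for the DSM

def run():
    c, fw, n = b"C1" * 16, b"thermostat firmware v1", b"nonce-from-DSM"  # constructed
    good, iip = Device(b"chip-A", fw, 1200), IIP()
    iip.db[c] = (good.puf(c), H(fw), 1200)          # enrollment
    out = {"clone": iip.authenticate(*Device(b"chip-B", fw, 1200).request(c)),
           "reflashed": iip.authenticate(*Device(b"chip-A", b"modified", 1250).request(c))}
    iip_tag, h = iip.authenticate(*good.request(c))
    out["mutual"] = good.accepts(c, iip_tag, n, mac(h, n))  # DSM sends N, MAC_h(N)
    out["replay"] = iip.authenticate(*good.request(c))      # C1 was retired
    out["next"] = iip.authenticate(*good.request(F(good.puf(c)))) is not None
    return out
```

Calling run() returns the outcome of each scenario; the rejected attempts come back as None.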
24. Comparison of Operations
XOR, shift, random number, hash, MAC, memory access and concatenation operations are reduced
25. Comparison of Resource Efficiency
Do not provide good scalability
Provide lower degree of security
26. Comparison of Computation Cost
Do not implement major security properties: privacy and mutual authentication
Suitable for passive devices (RFID tags)
Cannot be applied to active devices (IoT)
33. Comparison of Energy Consumption
[Chart labels: NIT, DTLS-ECQV, DTLS-X.509, HIP]
Lightweight cryptography
Reduced number of interactions
Fewer packet fragments
34. Conclusion and Future Work
Secure network admission
Authentication based on hardware and software integrity verification
Secure access to service
Certificateless and lightweight mutual authentication scheme
Secure against strong adversarial scenarios
Future work
FPGA implementation of the PUF-based scheme
In-device intrusion detection based on Hardware Performance Counter
35. Thank You
SECRETLab@UAB
Phone: 205.934.8643
Fax: 205.934.5473
Web: http://secret.cis.uab.edu/
Mahmud Hossain
Email: mahmud@uab.edu