KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

A SECURITY ARCHITECTURE FOR THE INTERNET OF THINGS

  • Received : 2016.09.27
  • Accepted : 2017.07.13
  • Published : 2017.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

This paper demonstrates a case for an end-to-end pure Application Security Layer for reliable and confidential communications within an Internet of Things (IoT) constrained environment. To provide a secure key exchange and to setup a secure data connection, Transport Layer Security (TLS) is used, which provides native protection against replay attacks. TLS along with digital signature can be used to achieve non-repudiation within app-to-app communications. This paper studies the use of TLS over the JavaScript Object Notation (JSON) via a The Constrained Application Protocol (CoAP) RESTful service to verify the hypothesis that in this way one can provide end-to-end communication flexibility and potentially retain identity information for repudiation. As a proof of concept, a prototype has been developed to simulate an IoT software client with the capability of hosting a CoAP RESTful service. The prototype studies data requests via a network client establishing a TLS over JSON session using a hosted CoAP RESTful service. To prove reputability and integrity of TLS JSON messages, JSON messages was intercepted and verified against simulated MITM attacks. The experimental results confirm that TLS over JSON works as hypothesised.

Keywords

References

  1. Almudawi, N.A., "Cloud Computing Privacy Concerns in Social Networks," International Journal of Computer (IJC), 22(1), pp.29-36, 2016.
  2. Abolfazli, S.A.E.I.D., Sanaei, Z., Sanaei, M., Shojafar, M. and Gani, A., "Mobile cloud computing: The-state-of-the-art, challenges, and future research," Encyclopedia of Cloud Computing, Wiley, USA, 2015.
  3. Best, E., Data Integrity Issues: Causes and Solutions, available from https://www.pda.org/publications/pda-publications/pda-letter/latest-news/2015/03/30/data-integrity-issues-causes-and-solutions, (last access 02.08.2016)
  4. Daniel, J., El-Moussa, F., Ducatel, G., Pawar, P., Sajjad, A., Rowlingson, R. and Dimitrakos, T., "Integrating Security Services in Cloud Service Stores," in Proc. of IFIP International Conference on Trust Management, Springer International Publishing, pp. 226-239, May 2015.
  5. Dsadasd Arnbak, A., Asghari, H., Van Eeten, M. and Van Eijk, N., "Security collapse in the HTTPS market," Communications of the ACM, 57(10), pp.47-55, 2014. https://doi.org/10.1145/2660574
  6. Granjal, J., Monteiro, E. and Silva, J.S., "End-to-end transport-layer security for Internet-integrated sensing applications with mutual and delegated ECC public-key authentication," in Proc. of IFIP Networking Conference, pp. 1-9, IEEE, May 2013.
  7. Hallman, S., Stahl, A. and Ahmadov, V., "The Causes, Security Issues, and Preventive Actions Associated with Data Integrity," Communications of the IIMA, 11(1), p.2, 2014.
  8. Kothmayr, T., Schmitt, C., Hu, W., Brunig, M. and Carle, G., "DTLS based security and two-way authentication for the Internet of Things," Ad Hoc Networks, 11(8), pp.2710-2723, 2013. https://doi.org/10.1016/j.adhoc.2013.05.003
  9. Lee, I. and Lee, K., "The Internet of Things (IoT): Applications, investments, and challenges for enterprises," Business Horizons, 58(4), pp.431-440, 2015. https://doi.org/10.1016/j.bushor.2015.03.008
  10. Orebaugh, A., "What do we need to make IoT security a reality?" Information Security Magazine, 16, 31-33, 2014.
  11. Graham, M. and Dutton, W.H. eds., Society and the internet: How networks of information and communication are changing our lives. OUP Oxford, 2014.
  12. Nilsson, JD 2010, Digital Evidence in the Courtroom. [Electronic Book], n.p.: New York: Nova Science Publishers, c2010, University of Liverpool Catalogue, EBSCOhost, viewed 7 August 2016.
  13. Krutz, R.L. and Vines, R.D., 2010. Cloud security: A comprehensive guide to secure cloud computing. Wiley Publishing.
  14. Basile, C. and Lioy, A., "Analysis of application-layer filtering policies with application to HTTP," IEEE/ACM Transactions on Networking, 23(1), pp.28-41, 2015. https://doi.org/10.1109/TNET.2013.2293625
  15. Schultz, K., "Padding layer 7 security," InfoWorld, (23), pp.30-32, 2004.
  16. Rahmani, R. and Kanter, T., "Layering the Internet-of-Things with Multicasting in Flow-sensors for Internet-of-services," International Journal of Multimedia and Ubiquitous Engineering, 10, 2015.
  17. Vucinic, M, Tourancheau, B, Rousseau, F, Duda, A, Damon, L, & Guizzetti, R 2014, 'OSCAR: Object Security Architecture for the Internet of Things', arXiv, EBSCOhost, viewed 3 August 2016.
  18. Modadugu, N., 2015. Datagram Transport Layer Security Version 1.2, https://tools.ietf.org/html/rfc6347, Internet Engineering Task Force (IETF), viewed 4 August 2016
  19. Granjal, J., Monteiro, E. and Silva, J.S., "Security for the internet of things: a survey of existing protocols and open research issues," IEEE Communications Surveys & Tutorials, 17(3), pp.1294-1312, 2015. https://doi.org/10.1109/COMST.2015.2388550
  20. Ko, M, & Dorantes, C 2006, THE IMPACT OF INFORMATION SECURITY BREACHES ON FINANCIAL PERFORMANCE OF THE BREACHED FIRMS: AN EMPIRICAL INVESTIGATION', http://jitm.ubalt.edu/XVII-2/article2.pdf, Journal of Information Technology Management Volume XVII, Number 2, viewed 7 August 2016
  21. Li, Q Jinmei, T & Shima, K, 2006, Ipv6 Core Protocols Implementation, pp. 1-27, ScienceDirect, EBSCOhost, viewed 7 August 2016.
  22. Durao, F, Carvalho, J, Fonseka, A, & Garcia, V 2014, 'A systematic review on cloud computing', Journal Of Supercomputing, 68, 3, pp. 1321-1346, Computers & Applied Sciences Complete, EBSCOhost, viewed 7 August 2016. https://doi.org/10.1007/s11227-014-1089-x
  23. Perera, C., Talagala, D.S., Liu, C.H. and Estrella, J.C., "Energy-Efficient Location and Activity-Aware On-Demand Mobile Distributed Sensing Platform for Sensing as a Service in IoT Clouds," IEEE Transactions on Computational Social Systems, 2(4), pp.171-181, 2015. https://doi.org/10.1109/TCSS.2016.2515844
  24. Wang, C.F. and Yang, D.L., "A Study on Decoupling Flow Engines Toward Cross-Platform Interoperability," In Information Science and Applications (ICISA) 2016, pp. 1081-1091, Springer Singapore, 2016.
  25. Wang, J., Yang, Y., Chen, L., Yang, G., Chen, Z. and Wen, L., "A Combination of Timing Attack and Statistical Method to Reduce Computational Complexities of SSL/TLS Side-Channel Attacks," in Proc. of 2015 11th International Conference on Computational Intelligence and Security (CIS), pp. 402-406, IEEE, December 2015.
  26. Yulianto, S., Lim, C. and Soewito, B., "Information security maturity model: A best practice driven approach to PCI DSS compliance," in Proc. of 2016 IEEE Region 10 Symposium (TENSYMP), pp. 65-70, IEEE, May 2016.
  27. Loo, J., Mauri, J.L. and Ortiz, J.H. eds., 2016. Mobile ad hoc networks: current status and future trends. CRC Press.
  28. Sheffer, Y., Holz, R. and Saint-Andre, P., 2015. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) (No. RFC 7525).
  29. Han, J., 2016, March. Chaining the secret: Lightweight authentication for security in pervasive computing. In 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops) (pp. 1-3). IEEE.
  30. Karagiannis, V., Chatzimisios, P., Vazquez-Gallego, F. and Alonso-Zarate, J., "A survey on application layer protocols for the internet of things," Transaction on IoT and Cloud Computing, 3(1), pp.11-17, 2015.
  31. Torres, R., Javali, N., Border, J. and Ganesan, V., Torres and Robert, Dynamic disabling of multi-step transport layer handshake spoofing in performance enhancing proxies (peps) in broadband networks. U.S. patent 20,150,381,752, 2015.
  32. Kieseberg, P., Fruhwirt, P., Schrittwieser, S. and Weippl, E., "Security tests for mobile applications-Why using TLS/SSL is not enough," in Proc. of Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1-2, IEEE, April 2015.
  33. Kim, H.S., Im, H., Lee, M.S., Paek, J. and Bahk, S., "A Measurement Study of TCP over RPL in Low-power and Lossy Networks," Journal of Communications and Networks, 17(6), pp.647-655, 2015. https://doi.org/10.1109/JCN.2015.000111
  34. Capossele, A., Cervo, V., De Cicco, G. and Petrioli, C., "Security as a CoAP resource: an optimized DTLS implementation for the IoT," in Proc. of 2015 IEEE International Conference on Communications (ICC), pp. 549-554, IEEE, June 2015.
  35. Kwon, H., Park, J. and Kang, N., "Challenges in deploying CoAP over DTLS in resource constrained environments," International Workshop on Information Security Applications, pp. 269-280, Springer International Publishing, August 2015.
  36. Curran, J., Fenton, N. and Freedman, D., Misunderstanding the internet. Routledge publication. pp. 2, 2012.
  37. Jackson, W., "HTML5 History: The Past and Future of HTML Markup," HTML5 Quick Markup Reference, pp. 1-4, Apress, 2016a.
  38. Jackson, W., "An Introduction to JSON: Concepts and Terminology," JSON Quick Syntax Reference, pp. 15-20, Apress, 2016b.
  39. Castro, M., Jara, A.J. and Skarmeta, A.F., "Enabling end-to-end CoAP-based communications for the Web of Things," Journal of Network and Computer Applications, 59, pp.230-236, 2016. https://doi.org/10.1016/j.jnca.2014.09.019
  40. Xu, Q., Ren, P., Song, H. and Du, Q., "Security enhancement for IoT communications exposed to eavesdroppers with uncertain locations," IEEE Access, 4, pp.2840-2853, 2016. https://doi.org/10.1109/ACCESS.2016.2575863