Authentication and Authorization Mechanism for Internet of Things Infrastructure

University of Colombo School of Computing

Literature Survey

Authentication and AuthorizationMechanism for Internet of Things

Infrastructure

Author:

UDGDR Dolapihilla

Supervisor:

Dr. TNK De Zoysa

This Literature Survey is submitted in fulfillment of the requirements

for the course SCS3017 in the degree of

Bachelor of Computer Science

in the

University of Colombo School of Computing

December 2014

https://www.linkedin.com/profile/view?id=262458057

Declaration of Authorship

I, UDGDR Dolapihilla, declare that this Literature Survey titled, ’ Authentication and

Authorization Mechanism for Internet of Things Infrastructure’ and the work presented

in it are my own. I confirm that:

� Where I have consulted the published work of others, this is always clearly at-

tributed.

� Where I have quoted from the work of others, the source is always given. With

the exception of such quotations, this thesis is entirely my own work.

� I have acknowledged all main sources of help.

� Where the literature survey is based on work done by myself jointly with others,

I have made clear exactly what was done by others and what I have contributed

myself.

Signed:

Date:

i

Abstract

by UDGDR Dolapihilla

Internet of things infrastructure which is an emerging topic in the world of Informa-

tion Technology is defined as the interconnection of distinctively identifiable embedded

computing devices within the existing internet infrastructure. Things, in the Internet

of Things may consist of a wide variety of devices scaling from Nanochips to large scale

devices. There are researches which assume that there will be more than thirty billion

‘Things’ connected to the Internet of Things Infrastructure by the year 2020. This rapid

growth associated with the Internet of Things Infrastructure is widely criticized since the

security features are not being developed accordingly. Things, in nature may be used to

carry out physical work rather than being virtual as in current internet infrastructure,

therefore threats associated with Internet of Things can be cause physical damages. Au-

thentication and Authorization, the initiation of any cryptographic security mechanism

plays a major role in cryptographic security. Do current internet cryptosystems guaran-

tee secure authentication and authorization in Internet of Things Infrastructure? The

review is to critically analyze this question.

Contents

Declaration of Authorship i

Abstract ii

Contents iii

Abbreviations v

1 Introduction 1

2 Authentication and Authorization in Common Internet Infrastructure 3

2.1 Cryptographic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.1 Password Based Authentication . . . . . . . . . . . . . . . . . . . . 4

2.1.2 Symmetric Key Based Authentication . . . . . . . . . . . . . . . . 4

2.1.3 Asymmetric Key Based Authentication . . . . . . . . . . . . . . . 5

2.2 Cryptographic Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 Growth of the Internet of Things Infrastructure 8

3.1 Transition from Internet to Internet of Things . . . . . . . . . . . . . . . . 8

3.2 Future of The Internet of Things . . . . . . . . . . . . . . . . . . . . . . . 9

4 Authentication and Authorization Challenges Directed Towards TheInternet of Things Infrastructure 13

4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.2 Challenges to Authentication and Authorization . . . . . . . . . . . . . . 15

4.2.1 Population of Devices . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.2.2 Resource Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.2.3 Unpredictable Growth . . . . . . . . . . . . . . . . . . . . . . . . . 16

4.2.4 High Mobility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4.2.5 High Heterogeneity . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4.2.6 Lack of Common Standards . . . . . . . . . . . . . . . . . . . . . . 16

5 Proposed Cryptographic Mechanisms Related to Authentication andAuthorization of Internet of Things 17

5.1 Device Capability Based Authentication using Advanced Encryption Stan-dard - Galois Counter Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5.2 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.3 Thing Name Service (TNS) for the Internet of Things . . . . . . . . . . . 19

iii

Contents iv

5.4 Key Management Scheme Based on Micro-Certificate for Internet of Things 20

5.5 Other Approaches to Strengthen IoT Authentication and Authorization . 21

6 Conclusion 22

Abbreviations

IoT Internet of Things

CA Certificate Authority

PAP Password Authentication Protocol

ASCII American Standard Code for Information Interchange

IETF Internet Engineering Task Force

AES Advanced Encryption Standard

GCM Golais Counter Mode

ECC Elliptic Curve Cryptography

v

Chapter 1

Introduction

A large number of interconnected information sources or Smart Objects which can be

much less complex than computers are the conceptual nodes of IoT infrastructure. These

electronic nodes can be the simplest of it’s nature, typically they are expected to be

equipped with sensors, actuator, microprocessors, nanoprocessors, communication inter-

faces and power sources. These nodes may be tailored to carry out specific applications

ranging from just feeding sensor data to large scale industrial mechanisms which can

initiate massive physical automation.

This interconnection of uniquely identifiable embedded computing devices through cur-

rent internet infrastructure is informally defined as the Internet of Things infrastructure.

With automation being the prime goal, IoT is in verge of an exponential growth. It is

believed that there will be more than thirty billion of these connected nodes by the year

2020.

IoT infrastructure can be expanded in to a wide variety of applications, ranging from

sensor utilization in monitoring environmental factors to large scale industrial applica-

tions. Smart city technology is an emerging topic in the technological world , many

devices being able to connect with each other on the IoT infrastructure is supposed

to enable the dream of Smart Cities. Automation is a prime expectation of IoT , the

Things which are connected to the IoT infrastructure is not only expected to carry out

sensing functionalities. They are also to be used to carry out physical tasks.

1

Chapter 1. Introduction 2

Security of IoT infrastructure is a major topic in discussion. Although the growth

of the number of interconnected devices are increasing, the growth or the development

of appropriate security mechanisms is not catching up with it. Some cryptographic

mechanisms are being developed as proprietary solutions, but these solutions does not

address the need of a regulated and standardized set of cryptographic solutions needed

for IoT infrastructure in a global level.[14]

With the increasing spread of IoT infrastructure the threats can be rather physical

than being virtual as in common internet infrastructure. Therefore forcing a proper

cryptographic mechanism to address the issues in Authentication , Authorization , In-

tegrity, Availability and Non-repudiation aspects of crypto security.

The organizations which are held responsible for regulating the Internet has a massive

responsibility of standardizing the security protocols associated with the IoT infrastruc-

ture. Also the applicability of the protocol stack being used in the current Internet

Infrastructure for the next generation of Internet, The Internet of Things.

In this literature review Authentication and Authorization aspects of IoT infrastruc-

ture is critically analyzed and the applicability of common internet security protocols to

the IoT infrastructure is discussed.

Chapter 2

Authentication and Authorization

in Common Internet

Infrastructure

2.1 Cryptographic Authentication

Cryptographic Authentication is as it’s literal definition concerns with confirming the

identity. In other words making sure that a certain entity is genuine or real. Authen-

tication not only does the indicating a claimed identity. The validation of an identity

which is borne by a certain entity also falls under Authentication.

In accepted standards an Authentication mechanism should atleast verify the valid-

ity of atleast a single identification. Ultimately the answer Authentication addresses is

”Who are you?”

Authentication is performed in the simplest way by usernames and passwords, To enable

more stringent mechanism to do the authentication, asymmetric key encryption or the

public key encryption is used. Use of digital certification by a Certification Authority

using Public Key Encryption Cryptosystem has become an standard for the common

internet infrastructure.

3

Chapter 1. Authentication and Authorization in Common Internet Infrastructure 4

2.1.1 Password Based Authentication

The most common and the simplest way of Authentication is the Username and Pass-

word or PIN (Personal Identification Number) based authentication.

Among these protocols the simplest is the PAP (Password Authentication Protocol)

which uses a pre-shared password and a username. This is supported among almost

every network operating system and is available when there are no other advanced

authentication cryptosystem is not implemented. Although PAP is considered as an

insecure protocol specially due to the fact that the passwords are transmitted over the

network as unencrypted ASCII characters.

2.1.2 Symmetric Key Based Authentication

Symmetric Key Authentication is based on a unique and a secret key which is shared

in advance among the entities which are authenticating each other. Both encryption of

the Plaintext and decryption of the Ciphertext is done using a single shared key.

To describe the simplest of the Shared Key Authentication, The first entity is to send it’s

credentials along with a random message known as The Challenge which is encrypted

using the relevant key. The second entity with the use of the pre shared key can match

the particular message and check for a match. If there is a match the relevant entities

are authenticated.

The simplest Shared Key Authentication is considered a weak authentication mecha-

nism since the secret itself has to be revealed in order to get authenticated. This is

opening up to many security threats. There are many protocols which are derived from

the idea but has been developed to increase the security of the authentication which is

provided.

Advanced authentication cryptograhic mechanisms are implemented on the basis of

Symmetric Keys. A widely used protocol is Kerberos protocol which is based on the

symmetric key based Needham-Schroeder Protocol. Kerberos uses tickets to allow nodes

to authenticate themselves with each other through a non-secure network. A trusted


3rd party is also involved in the Kerberos protocol.

Figure 2.1: Kerberos Negotiation illustrated by Daniel Sonck

For the key exchange over a non-secured public network The Diffie–Hellman key ex-

change method is used. This is to walk over the symmetric key authentication’s major

weakness which is it’s vulnerability for man in the middle attacks and spoofing.

2.1.3 Asymmetric Key Based Authentication

Asymmetric cryptosystems address two major issues in symmetric cryptosystems. Namely,

the issues in unsafe key distribution and enables the Digital Signing which is now a stan-

dard in internet infrastructure. This cryptosystems are used for both data confidentiality

as well as authentication.

The simplest mechanism is as follows. Each party associated with the transactions

has own Private Key and a Public Key. They are mathematically linked in a way such

that each key can decrypt ciphers which are encrypted by the other.


For authentication plaintext is hashed using a hash function and is encrypted using

the sender’s private key. This cipher is known as the Signature. The signature is at-

tached to the data and sent over to the receiving party. Receiver gets the signature

and decrypts it using the sender’s public key and the result is compared to the hash of

the data. A match will authenticate the sender. The mechanism is illustrated in the

following figure.

Figure 2.2: Digital Signature and Verification illustrated by Acdx - wikipedia

2.2 Cryptographic Authorization

Authorization , although comes with authentication as a presuppose plays a different

role. This deals with the permission of an Authenticated entity. Simply this answers

”What are you allowed to do?”

Restrictions and constraints are normally defined as the permissions given to a specific

entity. When that entity is Authenticated , the Authorization defines what that entity

can perform.


In multi-user systems which Internet also falls under, it is important to have the ac-

cess controlled to perform operations and to get information. Categorizing the entities

which are authenticated by their privileges to perform certain actions on the systems is

Authorization.

Chapter 3

Growth of the Internet of Things

Infrastructure

3.1 Transition from Internet to Internet of Things

The Internet of Things cant be considered a whole new infrastructure as it is hyped in

current community. It is rather an eventuality, or a significant milestone in the growth

of internet. Internet from the beginning has been an interconnection of a networks , in

the internet of things infrastructure it’s definition has evolved as follows,

A world-wide network of uniquely addressable, interconnected heterogeneous objects.

The keyword here which makes IoT rather different from the internet is objects. The

accepted definition of Internet is the interconnection of computer networks which follow

certain protocols set. The significant difference between the Computer Networks and

Objects is what makes the IoT a whole new infrastructure.

The internet has taken over many tasks in current day to day work, idea of the IoT

is believed to take internet to many levels which it has not yet integrated in. As a

result of the development in embedded smart objects the internet will be all over the

environment in a matter of some years. Hence making the so called Internet of Things

true.

8

Chapter 3. Growth of the Internet of Things Infrastructure 9

3.2 Future of The Internet of Things

IoT will connect beyond computers, it will enable the communication between almost all

everyday devices making the Smart Living , Smart Homes and Smart Cities a reality.

The estimated IoT market value is massive, the idea of the live connection of consumers

, businesses and government has hyped up the IoT’s concepts. The estimated intercon-

nections in not far future is illustrated in the following graph which is based on CISCO

researches.

Figure 3.1: Estimated Growth of Connected Devices by CISCO

Using the interconnection of these devices it is expected to automate a vast variety of

day to day functions. Gartner Incorporation, a research organization in USA estimates

that there will be a 36 percent growth in the connected devices in the internet. The foun-

dation of the smart nodes , processing and semiconductor market share is also expected

to grow 5 percent according to them. This rapid growth enables the IoT expectations

to become a reality.

Intelligent interconnected nodes are expected to take over many functions from weather

sensing to automobile industry or from wearable to industrial mechanics, enabling the


concept of Predictive Maintenance. Things as referred in IoT are not necessarily com-

puting nodes they can range from tiny sensors to massive industrial machines. Therefore

the scalability is limitless.

Possible applications of IoT are limitless, some of the possible applications which in

discussion according to the Business Insider magazine are as follow,

� Interconnected advertising using smart billboards.

� Intelligent city management systems are being planned mainly focusing on the

traffic management.

� Smart electrical grids.

� Industrial smart assembly lines and smart factories.

� Home automation.

� Healthcare monitoring using implanted embedded systems.

� Remote security

� Environmental monitoring.

Among other factors which enables the limitlessness of the IoT is the IPv6. Uniquely

identifiable number of connected nodes were running out with the range limitations of

IPv4, but with IPv6 there are no boundaries until these nodes reach trillions.

Another reason for the accelerated growth of the IoT is the development in the semi-

conductor and processor market. Cheaper and better solutions with newer features are

continously being developed. Janus Bryzek who is considered as the father of sensors

has said that the internet as an industry with the emerging IoT technologies has the po-

tential to add 10 to 15 trillion American dollars to the global Gross Domestic Product.

Following figure by Gartner shows the estimated growth of IoT semiconductor revenue

categorized by the industries.


Figure 3.2: Estimated Growth of Semiconductor Revenue. Source: Gartner Inc.

A 30 percent growth of semiconductor business is estimated by the year 2020. Low cost

devices will enable the cheaper implementation and a rapid growth of IoT. Parallel to

this the development in the sensor industry is also another accelerator of IoT. Among

some other aspects of IoT development are the growth of Cloud Computing and the dis-

cussion of enhancing it to a level called Fog Computing. Following factors are identified

as major fuels of IoT growth by the Raymond James Research

Figure 3.3: Drivers of IoT growth. Author: Raymond James


Internet of things is expected to deliver a set of technical capabilities to achieve it’s

targeted function. In the Friedemann Mattern and Christian Floerkemeier ’s publication

, From Internet of Computers to Internet of Things following capabilities are emphasized

as essentials of the IoT infrastructure.

� Cross communication between the Things

� Addressable objects to achieve the ability to remotely interrogate and configure

� Unique identification ability of the objects

� Sensing

� Actuation to enable mechanical movements

� Embedded information processing

� Localization

� User interfacing

These capabilities altogether can fill the gap between the virtual and physical worlds as

discussed in the above publication.

Chapter 4


Challenges Directed Towards The

Internet of Things Infrastructure

4.1 Overview

The pervasive development in IoT is enabling the interconnection of almost every elec-

tronic equipment from home consumers to industrial machines. This rapid growth has

exposed new attack vectors. Connected mobile phones and computers also have vulner-

abilities but IoT infrastructure’s growth has increased the impact of the attacks. Having

essential devices which are required to perform day to day operations connected may

expose sensitive data to new attack vectors.

The current common internet infrastructure is based on a set of standard security pro-

tocols which are widely used and enhanced. Although the monopolistic nature of the

many organizations which are involved in the IoT development results in the develop-

ment of only proprietary solutions for IoT security. Not having a proper standard yet

is the major risk associated with IoT.

IoT as a potential Trillion dollar economy does not yet guarantee the security the world

13

Chapter 4. Security Challenges Directed Towards The Internet of Things Infrastructure14

expects from such an infrastructure. A research carried out by the Hewlett-Packard re-

veals an ” alarmingly high average number of vulnerabilities per device.” The following

figure by HP illustrates their research findings.

Figure 4.1: IoT Vulnerabilities by Hewlett-Packard

With all the hype around the growth of IoT is not very well synchronized with the

development of the security of IoT. The rocketing adoption of connected things without

the concerns of security will ultimately make The Internet of Things , an Internet of

Insecure Things.

Professor Christof Paar of the Horst Gortz Institute for IT Security at Ruhr-University

Bochum in Germany mentions that ”There’s essentially no tolerance for error in security

engineering” , application level can contain vulnerabilities but security vulnerabilities

should be eliminated 100 percent. If the world reaches the expected sheer amount of IoT

devices and their capabilities a single security loophole would be able to make massive

impact on the worlds economy and the well being of humankind, that is how humongous

this infrastructure is.

This section discusses the various types of challenges posed towards Authentication

and Authorization processes in a high level.


4.2 Challenges to Authentication and Authorization

4.2.1 Population of Devices

The limitless connections and the scalable structure of the IoT enables a huge span of

attacks on it. Unmanageable nature caused by the sheer number of devices can cause

vulnerabilities in Authentication. Managing credentials and identifying each device may

become a huge burden.

Even with the large number of devices are connected the ability of unique identification

is a necessity. The billions of devices should be identified and authenticated for commu-

nication. Having their authorization details is also a major issue specially considering

the number of devices in IoT infrastructure. Any candidate mechanism is expected to

be scalable with the device population and also should be cross-platform supported.

Improper verification or spoofing simply will not be a virtual threat, the sheer number of

devices will make the effect an exponentially growing threat. Fraudulent authentication

may result in a catastrophic effect if the IoT reaches the level which is expected to be

in a decade.

4.2.2 Resource Constraints

Unlike computers with high processing power and storage the things associated with

the IoT infrastructure may not well equipped with resources. Many of the protocol

suites which are being used in the common internet protocols are designed with the

expectations of certain resources in terms of processing power and memory. According

to a publication by two security area directors of IETF. This presumption is not at all

applicable in the IoT devices.

An essential part of authentication is key management, storing these keys require a

certain amount of memory. Although since the things are expected to get cheaper and

simpler hence the resources for such mechanisms may not be available in some IoT

devices.


4.2.3 Unpredictable Growth

Many security protocols including Authentication and Authorization protocols rely on

some assumptions in many aspects. The growth of the internet of things infrastructure is

highly unpredictable. The heterogeneity of the smart nodes can increase the complexity.

The broad distribution and the unpredictable advancements can be a critical issue when

tailoring security mechanisms according to the publication by Michael J. Covington and

Rush Carskadden , ”Threat Implications of the Internet of Things”. The presumptions

which can be important when designing such cryptographic suites can be inaccurate

with this unpredictable nature of the future of IoT infrastructure.

4.2.4 High Mobility

Highly mobile nature of the connected devices of IoT infrastructure will enable rapid

changing of data between different environments according to Covington. In the context

of this review it will affect the access control of the infrastructure. Limited visibility

and constrained monitoring will open up domains in the security areas.

4.2.5 High Heterogeneity

Highly heterogeneous entities are expected to be connected with each other within the

IoT infrastructure. This heterogeneous nature may result in lack of inter-operablity

among the interconnected devices within IoT infrastructure.

4.2.6 Lack of Common Standards

Internet of Things in verge for a rapid pervasive invasion of technological world. But

still this development is done within organizations and they are being developed as pro-

prietary solutions. Globally adopted set of standards are not yet implemented therefore

the vulnerabilities in the security of IoT infrastructure is increased.

Chapter 5

Proposed Cryptographic

Mechanisms Related to


of Internet of Things

5.1 Device Capability Based Authentication using Advanced

Encryption Standard - Galois Counter Mode

With daunting challenges to identify the devices which are interconnected throughout

IoT infrastructure, this model is published by a set of researchers at the Mobisec 2011.

AES-GCM is a new encryption algorithm which is capable of providing hardware imple-

mentations with both authentication and confidentiality aspects. This is to enable inter

device authentication with limited resources.

Proposed authentication and authorization protocol is based on a capability model.

This cryptographic capability is used as a ticket or a token to get authenticated and

authorized by the respective devices. AES-GCM is then used to encrypt this token,

providing both authenticity and encryption especially within resource constraints.

17

Chapter 5. Authentication and Authorization Mechanisms for IoT 18

The capability token is a customized data structure which contains a unique identi-

fier , access rights and a random number. The walkthrough of the proposed protocol is

illustrated in the figure below.

The capability token of device 1 which is derived from unique identifier and access

rights is encrypted along with a random number using AES-GCM encryption. Then

the generated cipher is sent to the device 2. Device 2 then decrypts the received cipher

using the symmetric key. One way hash function can identify if there is any sort of

tampering done. Mismatch of the hashes received and hashes generated will cause a

violation in authentication hence the authentication is not completed. A match will

result in authenticated communication between devices.

Figure 5.1: AES-GCM Capability based authentication source Mobisec


Main features which makes this protocol a candidate for the IoT authentication and au-

thorization is the resource utilization. Also the random number can provide protection

for replay attacks. The one way hash and the symmetric key cryptosystem provides

mutual authentication this can be ideal for anti forgery. [13]

5.2 Elliptic Curve Cryptography

Asymmetric Key Cryptography will play a significant role in IoT infrastructure as it

does in the current internet. Elliptic Curve Cryptography (ECC) can be used to provide

security equivalent to Rivest Shamir Adleman (RSA) but with a significantly shorter key

size. Well optimized 160 bit ECC cryptosystem is supposed to deliver the equivalent of

a 1024 bit RSA encryption. [15]

ECC is rather beneficial than the RSA in many aspects, time of computations , sig-

nificantly low RAM footprint, lower bandwidth requirements have made ECC a better

contender for IoT infrastructure security than RSA. The advantages which makes ECC

stand out from RSA are even more useful in IoT, given the limited resource constraints

the features in ECC are supposed to overcome the resource constraint issues of IoT.

Although the downside for this protocol is the intricacy of implementation of this ,

the conflicts and diversity on the IoT can make the solution implementation a harder

task. Expensive hardware operations are suggested for increased performances.

5.3 Thing Name Service (TNS) for the Internet of Things

Also being proposed as Objects Naming Service is supposed to used as a substitute for

Domain Name Service being used in internet.[17] The publication by GS1 a Sweden

based non-profit organization, cited here is being developed as a candidate solution for

identification aspect of Internet of Things.

To provide authenticity it is important to identify the objects uniquely. Billions of


objects with direct connection to the internet can become a burden for identification.

In the GS1 ONS method there are keys used for the unique identification. These GS1

identifications can be used for location and status identification of certain objects glob-

ally.

The importance of thing-friendly names and machine friendly names translation is im-

portant. The DNS like infrastructure of TNS/ONS is supposed to make identification

through TCP/IP more convenient. [16]

5.4 Key Management Scheme Based on Micro-Certificate

for Internet of Things

Due to resource constraints on IoT devices key management can be a big issue. Also the

billions of devices which are expected to be connected to IoT can make key management

a burden. Proposed solution is to implement a key management cryptosystem which is

light weight and faster than the existing.[18]

The micro-certificate based key management mechanism comprises of several keys, Key

Seed, Transport Keys, Storage Keys , Authentication Keys and Signature/Encryption

Keys. All these are symmetric hence are smaller in size and are processed fast.

These key management scheme is highly applicable to the IoT domain. Regarding

it’s high scalability and the high resource constraints. Following figure illustrates the

characteristics of the keys mentioned above.


Figure 5.2: Key type and lifecycle. source ICETIS 2013 [18]

5.5 Other Approaches to Strengthen IoT Authentication

and Authorization

The British Computer Society’s State of Play report on Internet of Things states a few

approaches in a high level to ensure the cryptographic security of IoT infrastructure. [19]

� Full implementation of IPV6.

� Enforcing rights management on data.

� Worldwide Public Key Infrastructure managed preferably by The United Nations,

countrywide distribution for easier management is adviced.

� Standardizing body for IoT nodes’ integral security features.

� Providing anonymity outside the local connectivity of an IoT network.

These approaches are being advised by the BCS for the British Government in regulating

IoT.

Chapter 6

Conclusion

Throughout this literature review the Internet of Things infrastructure is analyzed in

the terms of it’s security constraints applied to the authentication and authorization

cryptographic mechanisms. Contrary to the hype generated around the development

of IoT, the security protocols do not keep up with the development of infrastructure.

Challenges directed towards the authenticating and authorization of IoT are ones which

should be addressed at any cost.

The main challenge which is discussed over many publications was the resource con-

straints of IoT devices. This issue can be addressed by some very potent candidate

solutions, ECC based cyrptosystems and AES-GCM. They can provide much less re-

source consumption. The heterogeneity of the connected devices can become a serious

threat to authentication of devices with each other. Capability based mutual authenti-

cation is a reasonable candidate solution for this issue.

Another matter in hand is the vast population of the IoT devices, for authentication

to happen the identification is a necessity. Therefore the need of a DNS equivalent for

IoT has become essential. The candidate solution of ONS/TNS is an emerging topic in

discussion which can address the issues of identification.

The micro certificate based solutions can also be considered as a proper candidate solu-

tion for better authenticity and authorization in IoT. The lightweight and faster nature

is considered ideal for the IoT domain.

As discussed in the review the most problematic issue on the IoT security is the lack of

common standards. Due to the unpredictable growth of the IoT enforcing a common

22

Chapter 6. Conclusion 23

standard is an utmost importance. In the BCS state of play report a set of recommen-

dations are made to the British Government. Mostly on the regulation process of the

IoT.

Given the nature of the IoT, Authentication and Authorization can save the day of IoT

security. As analyzed and presented in the literature survey the most suitable ways

to avoid the challenges to IoT Authentication and Authorization are the lightweight

cryptographic mechanisms and regulated infrastructure standards.

Bibliography

[1] Wind River Systems, ”SECURITY IN THE INTERNET OF THINGS Lessons from

the Past for the Connected Future” , 2014

[2] Junlin Li, Hua Zhou, Li Wang, Zhihong Liang, Xiangcheng Wan, Yuhong Chen,

”The Modeling Research on wireless Sensor Network Security Protocol in Internet of

Things ”, Yunnan software engineering key laboratory,Yunnan University, Kunming,

China , 2011

[3] Rolf H. Weber , ”Internet of Things – New security and privacy challenges” , Uni-

versity of Zurich, Zurich, Switzerland, and University of Hong Kong, Hong Kong,

2010

[4] Ollie Whitehouse, ”Security of Things: An Implementers’ Guide to Cyber-Security

for Internet of Things Devices and Beyond” , NCC Group 2014

[5] Forouzan , ”Data Communication and Networking”. McGraw-Hill Education (India)

Pvt Limited, 2007

[6] ”How Kerberos Authentication Works”. learn-networking.com. 28 January 2008

[7] Dieter Gollmann, ”Computer Security Second Edition”, West Sussex, England: John

Wiley and Sons, Ltd. 2006

[8] Tavis C. McCourt, Simon Leopold, Frank G. Louthan IV, Hans Mosesmann, J.

Steven Smigie, Terry Tillman, Daniel Toomey, Georgios Kyriakopoulos, Eric Lemus,

Brian Peterson, Alexander Sklar, ”The Internet of Things A Study in Hype, Reality,

Disruption, and Growth”, Raymond James Associates , 14th January 2014

[9] Friedemann Mattern and Christian Floerkemeier, ”From the Internet of Comput-

ers to the Internet of Things”, Distributed Systems Group, Institute for Pervasive

Computing, ETH Zurich

24

Chapter 6. Conclusion 25

[10] Craig Smith and Daniel Miessler, ”Internet of Things Research Study”, HP Fortify,

June 2014

[11] Simone Cirani, Gianluigi Ferrari and Luca Veltri, ”Enforcing Security Mechanisms

in the IP-Based Internet of Things: An Algorithmic Overview” , Department of

Information Engineering, University of Parma, Parco Area delle Scienze 181/A,

3124,Parma, Italy , 2013

[12] Michael J. Covington and Rush Carskadden , ”Threat Implications of the Internet

of Things” , 5th International Conference on Cyber Conflict, 2013

[13] Sachin D. Babar, Parikshit N. Mahalle, Neeli R. Prasad and Ramjee Prasad ,

”Proposed on Device Capability based Authentication using AES-GCM for Internet

of Things (IoT)” , Procedings of the 3rd Springer International ICST Conference on

Security and Privacy in Mobile Information and Communication Systems , 2011

[14] Tim Polk and Sean Turner, ”Security Challenges For the Internet Of Things” ,

February 14, 2011

[15] Erich Wenger and Johann Großschadl , ”An 8-bit AVR-Based Elliptic Curve Cryp-

tographic RISC Processor for the Internet of Things”

[16] Ning Kong and Shuo Shen, ”Position Paper on Thing Name Service (TNS) for the

Internet of Things (IoT)” , China Internet Network Information Center , 2011

[17] ”F-ONS - The Internet of Things”, GS1 , Sweden

[18] LiPing Du 12, FuWei Feng and JianWei Guo, ”Key Management Scheme Based

on Micro-certificate for Internet of Things” , International Conference on Education

Technology and Information System 2013

[19] ”BCS State of Play Report” , British Computer Society , October 2014

Documents

Authentication and Authorization Mechanism for Internet of Things Infrastructure