ACTA UNIVERSITATIS OULUENSIS
C TECHNICA
OULU 2018
C 671
Pawani Porambage
LIGHTWEIGHT AUTHENTICATION AND KEY MANAGEMENT OF WIRELESS SENSOR NETWORKS FOR INTERNET OF THINGS
UNIVERSITY OF OULU GRADUATE SCHOOL; UNIVERSITY OF OULU, FACULTY OF INFORMATION TECHNOLOGY AND ELECTRICAL ENGINEERING; CENTRE FOR WIRELESS COMMUNICATIONS; INFOTECH OULU


UNIVERSITY OF OULU, P.O. Box 8000, FI-90014 UNIVERSITY OF OULU, FINLAND

ACTA UNIVERSITATIS OULUENSIS

University Lecturer Tuomo Glumoff

University Lecturer Santeri Palviainen

Postdoctoral research fellow Sanna Taskila

Professor Olli Vuolteenaho

University Lecturer Veli-Matti Ulvinen

Planning Director Pertti Tikkanen

Professor Jari Juga

University Lecturer Anu Soikkeli

Professor Olli Vuolteenaho

Publications Editor Kirsti Nurkkala

ISBN 978-952-62-1994-3 (Paperback)
ISBN 978-952-62-1995-0 (PDF)
ISSN 0355-3213 (Print)
ISSN 1796-2226 (Online)


Copyright © 2018
Acta Univ. Oul. C 671, 2018

Supervised by
Professor Mika Ylianttila
Professor Andrei Gurtov

Reviewed by
Professor Anura Jayasumana
Professor Salil Kanhere

ISBN 978-952-62-1994-3 (Paperback)
ISBN 978-952-62-1995-0 (PDF)

ISSN 0355-3213 (Printed)
ISSN 1796-2226 (Online)

Cover Design
Raimo Ahonen

JUVENES PRINT
TAMPERE 2018

Opponent
Professor N. Asokan

ACTA UNIVERSITATIS OULUENSIS
C Technica 671

PAWANI PORAMBAGE

LIGHTWEIGHT AUTHENTICATION AND KEY MANAGEMENT OF WIRELESS SENSOR NETWORKS FOR INTERNET OF THINGS

Academic dissertation to be presented with the assent of the Doctoral Training Committee of Information Technology and Electrical Engineering of the University of Oulu for public defence in Kaljusensali (KTK112), Linnanmaa, on 26 September 2018, at 12 noon

UNIVERSITY OF OULU, OULU 2018

Porambage, Pawani, Lightweight authentication and key management of Wireless Sensor Networks for Internet of Things. University of Oulu Graduate School; University of Oulu, Faculty of Information Technology and Electrical Engineering; Centre for Wireless Communications; University of Oulu, Infotech Oulu. Acta Univ. Oul. C 671, 2018. University of Oulu, P.O. Box 8000, FI-90014 University of Oulu, Finland

Abstract

The concept of the Internet of Things (IoT) is driven by advancements of the Internet with the interconnection of heterogeneous smart objects using different networking and communication technologies. Among many underlying networking technologies for the IoT, Wireless Sensor Network (WSN) technology has become an integral building block. IoT enabled sensor networks provide a wide range of application areas such as smart homes, connected healthcare, smart cities and various solutions for the manufacturing industry. The integration of WSNs in IoT will also create new security challenges for establishing secure channels between low power sensor nodes and Internet hosts. This will lead to many challenges in designing new key establishment and authentication protocols and redefining the existing ones. This dissertation addresses how to integrate lightweight key management and authentication solutions in the resource constrained sensor networks deployed in IoT domains.

Firstly, this thesis elaborates how to exploit implicit certificates to initiate secure End-to-End (E2E) communication channels between the resource constrained sensor nodes in IoT networks. Implicit certificates are used for authentication and key establishment purposes. The compliance of the security schemes is proven through performance evaluations and by discussing the security properties. Secondly, this dissertation presents the design of two lightweight group key establishment protocols for securing group communications between resource-constrained IoT devices. Finally, the thesis explores promising approaches on how to tailor the existing security protocols in accordance with IoT device and network characteristics. In particular, variants of the Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections between heterogeneous network devices with imbalanced resource profiles and little or no previous knowledge about each other. A solution called Collaborative HIP (CHIP) is proposed with an efficient key establishment component for highly resource-constrained devices on the IoT. The applicability of the keying mechanism is demonstrated with the implementation and the performance measurement results.

Keywords: authentication, group communication, Host Identity Protocol, implicit certificates, Internet of Things, key establishment, lightweight security, resource constrained devices, wireless sensor networks

Porambage, Pawani, Lightweight authentication and key management of wireless sensor networks for the Internet of Things. University of Oulu Graduate School; University of Oulu, Faculty of Information Technology and Electrical Engineering; Centre for Wireless Communications; University of Oulu, Infotech Oulu. Acta Univ. Oul. C 671, 2018. University of Oulu, P.O. Box 8000, FI-90014 University of Oulu, Finland

Abstract (in Finnish)

The Internet of Things (IoT) is a recently popularised concept for connecting smart objects to the Internet using various networking and communication technologies. Among the most essential technologies underlying the IoT are wireless sensor networks (WSN), which are basic building blocks of the IoT. Wireless sensor networks connected to the IoT enable a wide range of applications, such as smart homes, remote healthcare, smart cities and smart industrial applications. Combining wireless sensor networks with the IoT also brings security challenges, since sensors and actuators, which usually have little computing power, are not capable of very demanding security operations, which include, among others, security key establishment and authentication. This dissertation aims to answer this challenge by using lightweight key establishment and authentication solutions in resource-constrained sensor networks connected to the IoT.

The dissertation research first focuses on the use of implicit certificates to initialise secure end-to-end communication channels between resource-constrained sensor and other IoT devices. Implicit certificates are used for authentication and key establishment. The suitability of the developed solutions for their purpose is demonstrated with performance measurements and by comparing their security properties. Next, the dissertation presents two lightweight group key establishment protocols for secure group communication between resource-constrained IoT devices. Finally, the dissertation examines promising approaches to tailoring existing security protocols to suit the characteristics of IoT devices and networks. Particular attention is paid to the use of different versions of the Host Identity Protocol (HIP) for creating dynamic and secure end-to-end connections between IoT devices of different types that are previously unknown to each other and whose hardware resource profiles may be very different. The central result of the dissertation is the Collaborative HIP (CHIP) protocol developed in this work, which is a resource-efficient key establishment technology for resource-constrained IoT devices. The suitability of the developed technology for its purpose is demonstrated by means of performance measurements made with a prototype implementation.

Keywords: key establishment, Internet of Things, host identity protocol, implicit certificates, lightweight security, authentication, wireless sensor networks, resource-constrained devices, group communication

To my parents and family


Acknowledgements

This research has been carried out in the Networks and Systems group at the Centre for Wireless Communication (CWC), at the University of Oulu, in Finland. The thesis has been financially supported by the Academy of Finland 6Genesis Flagship (grant 318927) programme. This work was performed as part of the MAMMotH, CONVINcE, and Naked Approach research projects. For the project funding, I am thankful to the Finnish Funding Agency for Innovation (Tekes) and the industrial partners in the projects. In addition, the thesis is also financially supported by Infotech Oulu Graduate School and the foundations of Riitta and Jorma J. Takanen, Ulla Tuominen, HPY, Nokia, Oulu scholarships, and TES.

I would like to thank my supervisor Prof. Mika Ylianttila for his guidance and support throughout my studies. I would also like to thank my co-supervisor Prof. Andrei Gurtov for recruiting me as a researcher at CWC and continuing his supervision from my master’s thesis to my doctoral studies. I am very grateful to Dr. Pradeep Kumar for his immense support provided for the work in this thesis. My sincere gratitude goes to Dr. Madhusanka Liyanage for his continuous assistance and precise guidance throughout my post-graduate studies. I would like to thank Dr. Erkki Harjula for the support and his excellent role as the project manager.

My special thanks go to the follow-up group committee Prof. Jari Iinatti and Dr. Jussi Haapola for providing their valuable comments on this thesis. I owe my thanks to Prof. Nandana Rajatheva for sharing his valuable thoughts with me to carry out my doctoral studies. The work in this thesis was partly conducted during two research visits I made to the CSG, at the University of Zurich and the VUB, in Brussels. I would like to thank Prof. Burkhard Stiller, Dr. Corinna Schmitt, and Prof. An Braeken for hosting my short research visits and for providing valuable comments on the work during the stays. Moreover, I would like to thank all the co-authors of my publications for their noteworthy contributions and cooperation.

I convey my gratitude to my official reviewers, Prof. Anura Jayasumana and Prof. Salil Kanhere, for providing valuable and constructive comments. I would also like to thank Prof. N. Asokan for serving as the opponent in the doctoral defence.

I received great support from all my team members including Dr. Namal Karunarathne, Arto Heikkinen, Dr. Ijaz Ahmad, Jude Okwuibe, Tanesh Kumar, Thenager Mekonnen, and Ahsan Manzoor. I would like to thank the administrative staff of CWC: Anu Niskanen, Eija Pajunen, Hanna Saarela, Jari Sillanpää, Juha-Pekka Mäkelä, Mari Lehmikangas, Renata Kordasne Sebö and Kirsi Ojutkangas. My special thanks go to my colleagues from the CWC (work now and then) including Ayshwarya, Bidushi, Ganesh, Hamidz, Satya, Marja, Mariella, Nuwan, Praneeth, Upul, and Uditha for making such a pleasant working environment.

During the last couple of years, I made a family-like group of friends from Oulu to whom I would certainly also like to express my gratitude. The list includes Eeva-Janne, Heshani-Udaranga, Madhusanka-Ruwanthi, Manosha-Dilani, Nuwan-Hansi, Saliya-Bhagya, Sandun-Chamari, Sumudu-Inosha, Ram-Aarthi, Tharanga-Dimuthu, Yushan-Archana, the Rajatheva family, the bunch of loving kids and many others whom I met in Oulu since 2012.

My special thanks go to my friends, relatives, and parents-in-law for supporting me throughout this journey. I would deeply like to thank my ever loving parents for giving me all the courage and making me who I am today. Finally, I convey my heartiest gratitude to my incredible husband Buddhika for being my absolute strength, and our precious son Savith for bringing me all the happiness in the world.

Pawani Porambage
29.08.2018


Abbreviations

5G  Fifth Generation
6LoWPAN  IPv6 over Low Power Wireless Personal Area Network
AAL  Ambient Assisted Living
CA  Certificate Authority
CH  Cluster Head
CHIP  Collaborative Host Identity Protocol
CoAP  Constrained Application Protocol
CPS  Cyber Physical System
CSP  Cloud Service Provider
DDoS  Distributed Denial of Service
DH  Diffie-Hellman
DLP  Discrete Logarithmic Problem
DoS  Denial of Service
DS  Digital Signature
DSA  Digital Signature Algorithm
DTLS  Datagram Transport Layer Security
E2E  End-to-End
EC  Elliptic Curve
ECC  Elliptic Curve Cryptography
ECDH  Elliptic Curve Diffie-Hellman
ECDLP  Elliptic Curve Discrete Logarithmic Problem
ECDSA  Elliptic Curve Digital Signature Algorithm
ECQV  Elliptic Curve Qu-Vanstone
ETSI  European Telecommunications Standards Institute
GDPR  General Data Protection Regulations
HI3  Host Identity Infrastructure
HIP  Host Identity Protocol
HIP-BEX  Host Identity Protocol Base Exchange
HIP-DEX  Host Identity Protocol Diet Exchange
I3  Internet Indirect Infrastructure
IEEE  Institute of Electrical and Electronics Engineers


IETF  Internet Engineering Task Force
IKE  Internet Key Exchange
IoT  Internet of Things
IP  Internet Protocol
ISP  Internet Service Provider
LHIP  Lightweight authentication extension to HIP
M2M  Machine-to-Machine
OSI  Open Systems Interconnection
PAuthKey  Pervasive Authentication and Key establishment protocol
PKC  Public Key Cryptography
RFID  Radio Frequency Identification
RSA  Rivest Shamir Adleman
SDN  Software Defined Networking
TKH  Topological Key Hierarchy
TLS  Transport Layer Security
WMSN  Wireless Multimedia Sensor Network
WSN  Wireless Sensor Network


List of original publications

This thesis is based on the following original publications, which are referred to in the text by Roman numerals (I–VI):

I Porambage P, Kumar P, Schmitt C, Gurtov A & Ylianttila M (2013) Certificate-based Pairwise Key Establishment Protocol for Wireless Sensor Networks. In Proceedings of IEEE 16th International Conference on Computational Science and Engineering (CSE), Sydney, Australia, pp. 667-674, DOI:10.1109/CSE.2013.103.

II Porambage P, Schmitt C, Kumar P, Gurtov A & Ylianttila M (2014) Two-phase Authentication Protocol for Wireless Sensor Networks in Distributed IoT Applications. In Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), Istanbul, Turkey, pp. 2728-2733, DOI:10.1109/WCNC.2014.6952860.

III Porambage P, Schmitt C, Kumar P, Gurtov A & Ylianttila M (2014) PAuthKey: A Pervasive Authentication Protocol and Key Establishment Scheme for Wireless Sensor Networks in Distributed IoT Applications. International Journal of Distributed Sensor Networks, Volume 2014, Article ID 35740, Hindawi, 14 pages, DOI:10.1155/2014/357430, ISSN:1550-1477.

IV Porambage P, Braeken A, Schmitt C, Gurtov A, Ylianttila M & Stiller B (2015) Group Key Establishment for Enabling Secure Multicast Communication in Wireless Sensor Networks Deployed for IoT Applications. IEEE Access, Volume 3, pp. 1503-1511, DOI:10.1109/ACCESS.2015.2474705, ISSN:2169-3536.

V Porambage P, Braeken A, Kumar P, Gurtov A & Ylianttila M (2015) Efficient Key Establishment for Constrained IoT Devices with Collaborative HIP-Based Approach. In Proceedings of IEEE Global Communications Conference (GLOBECOM), San Diego, USA, pp. 1-6, DOI:10.1109/GLOCOM.2015.7417094.

VI Porambage P, Braeken A, Kumar P, Gurtov A & Ylianttila M (2017) CHIP: Collaborative Host Identity Protocol with Efficient Key Establishment for Constrained Devices in Internet of Things. Wireless Personal Communications Journal, volume 96, pp. 421-440, DOI:10.1007/s11277-017-4176-5, ISSN:1572-834X.

Paper I focuses on a lightweight key establishment protocol in generic WSN. Papers II-III discuss authentication and key establishment protocols for IoT enabled WSNs. Paper IV provides group key management solutions for secure group communications. Finally, Papers V-VI describe how to integrate a collaborative key establishment component into the HIP protocol.


Contents

Abstract
Abstract (in Finnish)
Acknowledgements 9
Abbreviations 11
List of original publications 13
Contents 15
1 Introduction 17
1.1 Background 17
1.2 Motivation and research problems 20
1.3 Research methodology 22
1.4 Contribution of the thesis 23
1.5 Organization of the thesis 25
2 Literature review 27
2.1 Network security 27
2.1.1 The basics of network security 27
2.1.2 Key establishment 28
2.1.3 Implicit certificates 29
2.1.4 Host Identity Protocol (HIP) 29
2.2 Wireless Sensor Networks 31
2.2.1 Energy consumption in WSN 33
2.2.2 Security in WSN 33
2.2.3 Key management in WSN 34
2.3 The Internet of Things 35
2.3.1 The evolution of IoT 35
2.3.2 IoT Network Security 37
2.3.3 Key establishment in the IoT 37
2.3.4 Authentication in the IoT 40
2.3.5 Related work on IoT key establishment and authentication 40
2.3.6 Design requirements for IoT key establishment 41
2.3.7 Secure group communication for multicasting in the IoT 43
3 Research contribution 45
3.1 Key management and authentication in WSN and IoT 45
3.2 Secure group key management in IoT-enabled WSN 48
3.3 Collaborative HIP 49
4 Discussion 51
4.1 Summary of contributions 51
4.2 Limitations and generalizability 52
4.3 Future research directions 53
4.3.1 Work with an immediate impact 53
4.3.2 Potential research areas with long-term goals 53
5 Conclusions 55
References 57
Appendices 63
Original publications 69


1 Introduction

1.1 Background

According to the projections made by many networking specialists [1], by 2025 there will be many billions of web-enabled devices all around the globe, ranging from unmanned vehicles or robots to smart phones, wearables, or even kitchen appliances. Internet Service Providers (ISPs), Cloud Service Providers (CSPs), and consumers have already encountered many global security and privacy threats due to the use of pervasive products and services. The Internet of Things (IoT) introduces an evolutionary change to the future Internet that enables connectivity between thousands to millions of devices and the Internet. IoT is a key enabling technology of the Fifth Generation (5G) wireless systems [2]. The concept of IoT is driven by the expansion of the Internet with connected smart objects. It is an interconnection of heterogeneous network entities with different communication patterns and backend users who can control the IoT devices via the legacy Internet. These include a wide range of electronic devices such as smart phones, tablets, home appliances, or sensor nodes.

With the development of communication and sensing technologies, the physical objects that manage, monitor, and facilitate the operational aspects of human activities will no longer act as unresponsive devices. Instead, they are fast becoming interactive devices connected to the Internet with intelligence and numerous capabilities such as sensing, communication, processing, and storage capacity. IoT exploits traditional information transportation techniques such as the Internet, mobile communication networks and Wireless Sensor Networks (WSN) in order to connect ordinary physical objects with identifiable addresses and by providing intelligent services towards an “always-connected” paradigm [3, 4]. This rapidly expanding connected world also implies that attacks can be carried out from anywhere, making IoT systems a double-edged sword and hence creating the need for security measures that span entire global networks. The more objects are connected, the more the network is exposed to security vulnerabilities. Security and privacy attacks and their harmful consequences can occur when sensitive information is disclosed or controlled without users’ consent. Because of application interdependency and data sensitivity, a small leakage of information could severely damage user security and privacy. Furthermore, users will accept IoT deployments only if the infrastructure is secure, trustworthy, and privacy-preserving.


Currently, IoT security has received a great deal of attention from security professionals, IoT hardware and software product developers, retailers, network providers, government entities and even the general public. Although security is a prime and mandatory requirement that should be integrated at the design phase of the IoT device life-cycle, it is still too often neglected in the development of systems. Recent press reports highlight many security breaches that take advantage of insecure IoT devices [5]. Mirai is one such well-known malware that launches Distributed Denial of Service (DDoS) attacks on IoT devices with weak security credentials [6]. It primarily targets online consumer devices such as IP cameras and home routers. Therefore, it is recommended that IoT devices should possess strong security credentials with self-updating capabilities to mitigate these kinds of vulnerabilities.

Over the last two decades, wireless communications and digital electronics technologies have been rapidly evolving, introducing incredible advances to WSNs. Typically, a WSN [7] is a network that comprises a large number of sensor nodes where each node is equipped with single or multiple sensors to detect physical phenomena such as light intensity, temperature, humidity, or pressure. From the early days, WSNs were deployed in myriads of applications including military, environmental monitoring, healthcare, home automation, and commercial sites. WSNs are the first building blocks of smart environments which rely on sensory data or information gathered from the real world. Machine-to-Machine (M2M) communication and IP connectivity have also extended the usability of WSNs to autonomous data communication between physical devices [8]. WSNs are integrated with the Internet Protocol (IP) based infrastructure using IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN) [9].

Given their self-organizing characteristics, device constraints, and wireless transmission medium, WSNs face inherent challenges in protecting security and privacy [10]. This is mainly because existing techniques such as public key ciphers cannot be directly transplanted to resource-constrained devices. This tendency may intensify when sensor networks gain IP connectivity and become a part of the IoT ecosystem. In traditional WSNs, End-to-End (E2E) communication is considered only between the sensor nodes, which are deployed in a particular local network. However, the communication paths in M2M systems no longer follow the logical hierarchies and topologies of the conventional WSN architectures. Instead they advocate E2E communication among the sensor nodes and remote hosts in distinct networks [11]. On the other hand, unlike the centralized approach, in the distributed IoT architecture the end devices are not dependent on a single central entity. Instead they acquire data and services from other nodes in distinct networks that possess different levels of processing capabilities.

Moreover, since IoT systems may comprise heterogeneous networking technologies and devices (e.g., sensors, Radio Frequency Identification (RFID) tags, or smartphones) in dynamic networking environments, it is challenging to deploy conventional security protocols. This is because high-performing devices may sometimes require advanced security protocols to face powerful attackers. However, these protocols can be too expensive to run on constrained devices. For this reason, it is highly challenging to maintain the trade-off between robustness and complexity of the security protocols in such a heterogeneous environment.

Resource limitations of the sensor nodes are considered in terms of battery capacity, computational power, memory footprint and bandwidth utilization. Due to these limitations, it is highly impractical to deploy conventional security algorithms in their ordinary form. Standardization and research organizations such as the Internet Engineering Task Force (IETF), European Telecommunications Standards Institute (ETSI), and Institute of Electrical and Electronics Engineers (IEEE) provide a noteworthy contribution to normalizing IoT security standards. The specialized protocols for constrained devices such as CoAP, 6LoWPAN, DTLS, and IKEv2 are some well-known examples of their standardization efforts.

While initiating communication from WSNs to the legacy Internet, it is mandatory to establish secure channels which can adequately protect the information flows [12, 13]. For that, it is necessary to provide key management mechanisms between the sensor nodes and the Internet hosts to negotiate certain security credentials (e.g., a session key). In general, the Transport Layer Security (TLS) protocol and other web services security protocols provide mechanisms for negotiating a shared secret between two peers. They are based either on Public Key Cryptography (PKC) or on the existence of pre-shared master secret keys.

However, the conventional PKC techniques are quite expensive for resource constrained nodes and are also time consuming. The use of a single pre-shared key might not be suitable for dynamic IoT applications where the connections are not predefined. Therefore, the design of hybrid keying mechanisms and their integration into the existing security protocols is timely and important. Elliptic Curve Cryptography (ECC) is a viable PKC approach which can be implemented even for severely constrained devices [14]. While addressing these research questions, this thesis discusses the formulation of authentication and key establishment solutions in resource constrained sensor networks in the context of IoT.

1.2 Motivation and research problems

Many studies have been undertaken to examine secure key management in WSNs [15]. However, developing secure key management protocols in IoT-enabled WSNs is an ongoing research area [12]. In order to gain a good insight into the security requirements in resource constrained IoT networks, it is necessary to identify the specific network characteristics of IoT sensor networks and the shortcomings of the available security protocols. The most significant IoT-enabled WSN characteristics are identified as resource constraints in terms of memory, processor power, battery capacity and bandwidth, heterogeneity of the networking technologies, mobility, and scalability. Moreover, the available key management and authentication solutions in the security protocols are still too expensive for the device constraints of low-power IoT sensors. The major goal of this research is to design, implement and evaluate pervasive and lightweight network security solutions for constrained IoT sensor networks in terms of key management and authentication. The scope of the research is to investigate these security solutions for the Application, Transport and Network layers of the basic Open Systems Interconnection (OSI) reference model.

Based on the given observations, the thesis focuses on addressing three main research questions in the context of securing resource constrained IoT sensor networks, as follows:

RQ1: How can lightweight and secure key establishment and authentication protocols be formulated for resource constrained sensors in WSNs which can be deployed in IoT applications?

Many key establishment protocols designed for WSNs are symmetric key-based schemes [16]. Although PKC based keying algorithms have been proposed for IoT sensor networks, they use large X.509 type certificates for authentication purposes, which are too expensive for resource constrained sensor nodes [14]. Therefore, it is necessary to formulate lightweight solutions which provide adequate robustness for the key establishment process in sensor networks.
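As an added example, not code from the thesis or from Papers I–VI, the Python below walks through ECQV implicit-certificate enrolment (the "implicit certificates" named in the abstract and abbreviation list) and then derives an ECDH pairwise key between two nodes from the reconstructed public keys. It assumes secp256k1 as a stand-in for the smaller curves a TelosB-class node would run, a hypothetical CA, and two constructed node identities.

```python
import hashlib
import secrets
# secp256k1 domain parameters. Assumption: a stand-in for the smaller curves
# constrained sensor nodes would run; chosen only because its constants are
# standard and widely published.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def _inv(x):
    return pow(x % P, P - 2, P)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def point_bytes(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def cert_hash(cert):
    """e = H(P_U || ID) mod N: the node identity is bound into its key pair."""
    p_u, identity = cert
    digest = hashlib.sha256(point_bytes(p_u) + identity).digest()
    return int.from_bytes(digest, "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def ecqv_request():
    """Node: keeps ephemeral k_U secret, sends R_U = k_U*G to the CA."""
    k_u = rand_scalar()
    return k_u, ec_mul(k_u, G)

def ecqv_issue(d_ca, identity, r_u):
    """CA: returns the implicit certificate (P_U, ID) and contribution r."""
    k = rand_scalar()
    cert = (ec_add(r_u, ec_mul(k, G)), identity)
    return cert, (cert_hash(cert) * k + d_ca) % N

def reconstruct_public_key(cert, q_ca):
    """Any holder of Q_CA computes Q_U = e*P_U + Q_CA; no signature is carried."""
    return ec_add(ec_mul(cert_hash(cert), cert[0]), q_ca)

def ecqv_finish(k_u, cert, r, q_ca):
    """Node: d_U = e*k_U + r, checked against the reconstructed public key."""
    d_u = (cert_hash(cert) * k_u + r) % N
    q_u = reconstruct_public_key(cert, q_ca)
    if ec_mul(d_u, G) != q_u:
        raise ValueError("implicit certificate did not verify")
    return d_u, q_u

def shared_secret(d_self, cert_peer, q_ca):
    """ECDH with the peer's reconstructed key; authentication is implicit."""
    s = ec_mul(d_self, reconstruct_public_key(cert_peer, q_ca))
    return hashlib.sha256(point_bytes(s)).digest()

def demo():
    """Two constructed nodes enrol with a hypothetical CA and agree a key."""
    d_ca = rand_scalar()
    q_ca = ec_mul(d_ca, G)
    nodes = {}
    for ident in (b"sensor-A", b"sensor-B"):
        k_u, r_u = ecqv_request()
        cert, r = ecqv_issue(d_ca, ident, r_u)
        d_u, _ = ecqv_finish(k_u, cert, r, q_ca)
        nodes[ident] = (d_u, cert)
    d_a, cert_a = nodes[b"sensor-A"]
    d_b, cert_b = nodes[b"sensor-B"]
    key_ab = shared_secret(d_a, cert_b, q_ca)
    key_ba = shared_secret(d_b, cert_a, q_ca)
    # Re-labelling B's certificate changes e, hence the reconstructed key,
    # so A does not end up sharing a secret with the impostor.
    key_forged = shared_secret(d_a, (cert_b[0], b"sensor-X"), q_ca)
    cert_size = len(point_bytes(cert_a[0])) + len(cert_a[1])  # 65 + 8 bytes
    return key_ab == key_ba, key_ab != key_forged, cert_size
```

The certificate is only the point P_U plus the identity (73 bytes here), which is why it is lighter than an X.509 certificate carrying an explicit signature. Note the failure mode: a certificate with a substituted identity does not fail verification, it silently yields a key the real peer cannot compute, so the subsequent key-confirmation step is what detects it.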

RQ2: How can secure group communication in IoT sensor networks be improved?

Group communication in the form of broadcasting and multicasting will allow efficient message deliveries between the resource constrained devices. Negotiating a common shared key among the participants will enable secure group communication. However, while designing group key management solutions, it is required to consider the device constraints and the dynamic behavior of the IoT sensor networks [17].

RQ3: How can the requirement of lightweight and secure E2E key establishment in highly resource-constrained IoT devices be fulfilled by integrating existing security solutions?

The IoT must extensively use Internet standards for communication and service provision. However, sensor type devices may still lack the resources to implement the Internet security mechanisms that normally protect these kinds of interactions [4]. This research question addresses how to integrate lightweight keying schemes and make the right adjustments to the well-known security protocols used for securing resource constrained IoT sensor networks. The solutions should adhere to device and network characteristics such as heterogeneity and mobility with forward adaptation to the existing security protocols. In particular, the solution proposes a lightweight key establishment component for the Host Identity Protocol (HIP).

Fig. 1. The contribution of the original publications to the research questions.

In Figure 1, the original publications and their contributions are mapped to the research questions. The knowledge obtained on ECC primitives while developing the solutions for RQ1 is reused in designing group key management protocols under RQ2. Likewise, the concepts of secret sharing used in RQ2 are further extended for RQ3.


1.3 Research methodology

While addressing the given three research questions, the research was mainly planned in three stages. The first step was a preliminary study and literature survey to examine the state of the art of existing work on the fundamentals of network security, WSN and IoT technologies, and the security protocols for lightweight key management and authentication. The second phase was the theoretical design of the lightweight security solutions for resource-constrained sensor nodes in WSN and IoT. The key aspects of these solutions were device authentication, E2E key management, and secure group communication. The third phase was the evaluation of the proposed solutions using estimations, simulations, and real-time implementations. Apart from those numerical performance evaluations, the solutions were discussed in terms of security and scalability properties in the context of IoT sensor applications. In particular, the IoT applications addressed concerned healthcare, Ambient Assisted Living (AAL) systems, and industry automation.

All the key management and authentication solutions proposed in this thesis were validated in terms of their performance, either by real-time implementation (Papers I, II, III, and VI) or through estimations (Papers IV and V). Moreover, for the security schemes in all the publications, mathematical analysis is used to show the correctness of the protocols.

The implementations in Papers I, II, and III were performed with TinyOS on TelosB sensor nodes, which have a very low memory footprint and processing power. Therefore, implementing the proposed security schemes on the TelosB platform provides an implicit assurance that the schemes are suitable for most sensor platforms that have very limited resources. Since the key establishment solution proposed in Paper VI is based on PKC, its implementation was performed on the Libelium Waspmote platform, because heavyweight PKC operations are not feasible on TelosB-class sensors. Hence, in order to compare the proposed solution with the available schemes, Waspmote was selected as the implementation platform.

An empirical study was carried out in Papers IV and V in order to estimate the protocol overhead and energy consumption and verify the feasibility of the proposed key establishment protocols. All the estimations were performed with respect to the TelosB and Waspmote sensor nodes.

In addition to the verification of energy and memory consumption, an analytical research approach was followed in order to demonstrate the security strengths of the proposed security schemes in all the publications. The security robustness of each scheme is discussed with respect to well-known attacks and threats that can occur in the given network architectures.

1.4 Contribution of the thesis

This thesis contributes from three different perspectives to address the aforementioned research problems. A brief overview of the contributions is given below, whereas the detailed contributions of each original publication are discussed in Chapter 3.

The first contribution of this thesis is presented in Paper I, Paper II and Paper III with the design and the evaluation of key management protocols for generic WSN and IoT-enabled WSN applications. In Paper I, an implicit certificate based key establishment protocol is proposed for generic WSN. The author was responsible for designing the key establishment protocol, implementing it on TelosB sensors and analyzing the protocol with respect to its security and scalability features. The idea of exploiting implicit certificates for key establishment between resource-constrained sensors was first proposed by Prof. Gurtov. Dr. Kumar participated in discussing the protocol, forming the security analysis, and reviewing the paper. Dr. Schmitt also reviewed the paper. Prof. Ylianttila was the supervisor.

Papers II and III are associated with securing resource-constrained devices in IoT-enabled WSN in terms of E2E key establishment and authentication. Paper II describes a two-phase authentication protocol for WSN in distributed IoT applications. Paper III presents a lightweight authentication and key establishment protocol for the resource-constrained sensor nodes in IoT networks, which is named PAuthKey. Paper III extends the preliminary work on exploiting implicit certificates presented in Papers I and II. PAuthKey provides application-level E2E security between IoT devices. The paper presents the comprehensive scenario-based behaviour of the protocol. For Papers II and III, the author came up with the idea and contributed to the implementation and analysis of the protocols. Dr. Kumar and Prof. Gurtov provided comments on analyzing the protocols and improving the quality of the paper. Dr. Corinna participated in finalizing the paper. Prof. Ylianttila was the supervisor.

The second research contribution of this thesis, as presented in Paper IV, concerns secure group key establishment in IoT-enabled WSN. This work was mostly performed during the author's research visit to the CSG group at the University of Zurich, whereas the preliminary design was published in [18]. The author designed two group key management protocols suitable for centralized and distributed IoT applications. The computations in the protocols were performed using ECC operations. The computation and communication costs of the protocols were estimated to verify the applicability of deploying them in resource-constrained IoT devices. Moreover, the scalability properties of the protocols are discussed along with a security analysis. Dr. Braeken contributed to the security, scalability, and performance analysis of the protocols. Dr. Corinna and Prof. Stiller provided technical input and participated in finalizing the paper. Prof. Gurtov and Prof. Ylianttila were the supervisors.

Finally, Paper V and Paper VI introduce novel modifications to the generic HIP protocol in such a way as to support device heterogeneity in IoT networks. Paper V presents the initial design principles of the collaborative HIP approach with theoretical evaluations of the protocol. Paper VI describes collaborative key establishment in HIP with the actual implementation and results. Dr. Kumar and Dr. Braeken provided technical input and participated in finalizing the papers. Prof. Gurtov and Prof. Ylianttila were the supervisors. The work presented in [19] and [20] also advocates the collaborative HIP approach discussed in Papers V and VI.

In addition to the included original publications, the author has published several other research articles in renowned venues that provide the background to the thesis topic. In [21], the authors present a mobile-object-based (i.e., a moving robot or a vehicle) secret key distribution scheme for resource-hungry sensor nodes. Moreover, in [22] the authors address secure session-key establishment for a healthcare scenario where a patient needs to be authenticated using a new networking entity. The work described in [23] shows how to exploit implicit certificates to make medical sensors secure. By working on these three publications, the author could acquire a good insight into WSN security and lay a solid foundation for the original contribution of this thesis.

The work in [24] and [25] respectively presents a symmetric-key-based security framework for a patient monitoring application and a short survey on IoT privacy. The author has also co-authored a few publications, including [26–28], which discuss the energy consumption and multi-tier network architecture of Wireless Multimedia Sensor Networks (WMSNs). The three-tier security architecture proposed in [29] will provide secure service accessibility in a future gadget-free world. Based on the service levels and their required security levels, user authentication and authorization processes are performed at the local, edge and global levels of the network architecture. This will be a good starting point to extend the authentication solutions proposed in the thesis towards a future hyper-connected world.


1.5 Organization of the thesis

This thesis is organized as follows: Chapter 2 presents a literature review on the concepts, taxonomies, and security considerations related to WSN and IoT-enabled networks. Chapter 3 discusses and summarizes the main contributions of the original papers. This chapter mainly consists of three parts: key management and authentication in WSN and IoT-enabled WSN, group key management in IoT-enabled WSN, and collaborative HIP. Chapter 4 discusses a summary of the research contribution, its limitations and future research directions. Finally, Chapter 5 draws the conclusions of this thesis.


2 Literature review

This chapter presents an overview of the literature on security and related issues for WSN and IoT. The chapter consists of three parts. Firstly, Section 2.1 provides the fundamentals and theoretical background to network security concepts. Section 2.2 describes the fundamentals of WSN in terms of architecture, security, and key management. Section 2.3 provides a brief overview of the IoT paradigm and discusses the security requirements, highlighting the importance of key management and authentication.

2.1 Network security

2.1.1 The basics of network security

Information security in any system is framed by the basic CIA triad, which comprises three fundamental principles: confidentiality, integrity and availability [30]. These respectively ensure that information is disclosed only to authorized parties, that information is authentic and complete (not altered by unauthorized parties), and that information is available when needed. Network security is addressed with respect to all the entities involved in the network, the communication channels, and the information shared over them. Network security protocols should be designed to protect data against invalid operations, unauthorized invocations, and unauthorized users. The design of these protocols also follows the layering of the basic OSI reference model.

Data encryption, user authentication, and secure channel establishment are the key functionalities of network security, and these are inter-related [30]. For encryption and decryption, cryptographic operations are performed in two ways. The first is symmetric key cryptography, where the sender and receiver share the same secret key (e.g. AES; the older DES is listed here only historically, since its 56-bit key is no longer considered secure). The second is asymmetric cryptography or PKC, where each user has a public and a private key (e.g. ECC, RSA). User authentication is performed based on either symmetric key or PKC approaches. Secure channels are obtained through proper user authentication and by establishing secret keys between the communicating parties. In addition to these basic concepts, Appendix 1 provides the most important and fundamental security concepts and protocols used in the thesis.


ECC is an efficient approach to PKC and the one best suited to low-performance networking devices [31]. ECC has faster computation times, smaller keys, and uses less memory and bandwidth than the well-known Rivest-Shamir-Adleman (RSA) public-key algorithm. As shown in Fig. 2, ECC can achieve a security level similar to RSA using much smaller keys. The fundamentals of ECC are described in Appendix 1.

[Fig. 2 plot: x-axis "Security level or symmetric key size (bits)", 80 to 260; y-axis "Key size (bits)", 0 to 16000; two curves, ECC and RSA. See Table 1 for the numeric values.]

Fig. 2. Comparison of key sizes of ECC and RSA for different security levels.

2.1.2 Key establishment

Key establishment (or key exchange) is the essential process that transforms an insecure communication channel into a secure channel between two parties [30]. A cryptographic algorithm is used to compute the keys, and the keys are later used to encrypt and decrypt the messages transmitted between the two endpoints. It has been over four decades since Diffie-Hellman (DH) key exchange (Appendix 1) was first proposed in [32], yet it is still the foundation for many existing network security protocols (e.g. HIP, IKE). In addition, new approaches are emerging, such as quantum key distribution, which exploits the properties of quantum physics.


Table 1. Size comparison between ECC and RSA public key and certificates.

Security level (bits)   Public key size (bits)      Certificate size (bits)
                        ECC       RSA               ECQV      ECDSA     RSA
80                      160       1024              193       577       2048
112                     224       2048              225       673       4096
128                     256       3072              257       769       6144
192                     384       7680              385       1153      15360
256                     512       15360             522       1564      30720

2.1.3 Implicit certificates

Digital certificates underpin the establishment of identity in secure communications. Like conventional or explicit certificates such as X.509, implicit certificates are made up of three parts [33]: identification data, a public key, and a digital signature which binds the public key to the user's identification data and certifies that the binding is accepted by a trusted third party. In an explicit certificate, the public key and the digital signature are two distinct elements that are both transmitted, and the recipient verifies the signature over the public key. In an implicit certificate, the two are fused: the certificate carries a single elliptic-curve point (the public-key reconstruction data) together with the identification data, and the recipient computes the other party's public key from this point and the certificate authority's public key. No separate signature is verified; a forged or altered certificate still reconstructs to some point, but nobody knows the corresponding private key, so the forgery is detected only when the holder fails to prove possession of it (for example, in a key agreement with key confirmation). This significantly reduces the required bandwidth, since neither an explicit public key nor a separate signature has to be transmitted.

The most important advantages of implicit certificates over conventional certificates are their smaller size and faster processing. Table 1 gives the comparable key sizes for asymmetric cryptosystems at equivalent security strengths (i.e., symmetric key size). The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) that operates in elliptic curve groups and is the signature scheme used in conventional ECC certificates. Elliptic Curve Qu-Vanstone (ECQV) [34] (Appendix 1) is an implicit certificate scheme with smaller certificate sizes, lower computational requirements and very fast processing for generating certified public keys. Accordingly, the sizes of both ECQV and ECDSA-signed certificates are substantially smaller than RSA certificates, due to the reduced public key size of ECC, and ECQV certificates are smaller still because they carry no separate signature.
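To make the implicit-certificate mechanics of this section concrete, and to tie them to the key agreement of Section 2.1.2, the following is an added worked example in Python; it is not code from the thesis or its papers. A certificate authority enrols two sensor nodes with the two-message ECQV exchange (request R_U, reply (cert, r)), each node derives its private key d_U, and then each node reconstructs the other's public key from the received certificate plus the CA public key and runs static ECDH to obtain a shared link key. The curve (secp256k1), the identifiers node-A and node-B, SHA-256 as the certificate hash and the SHA-256 key derivation are assumptions made for the example.

```python
"""ECQV implicit certificates for two sensor nodes, then ECDH between them.

Added worked example, not code from the thesis or its papers. Follows the SEC 4
ECQV construction; the curve (secp256k1), the node identifiers and SHA-256 as the
certificate hash are assumptions, and the affine arithmetic is textbook, not constant-time.
"""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: any prime-order curve works the same way).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def encode_point(pt):
    """SEC 1 compressed encoding: parity byte (0x02/0x03) + 32-byte x."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decode_point(data):
    """Inverse of encode_point; P = 3 mod 4, so sqrt(v) = v^((P+1)/4)."""
    x = int.from_bytes(data[1:], "big")
    y = pow((x ** 3 + A * x + B) % P, (P + 1) // 4, P)
    return (x, y if (y & 1) == (data[0] & 1) else P - y)

def cert_hash(cert):
    """e = H(cert) reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N

def ecqv_request():
    """Node, message 1: ephemeral k_U and R_U = k_U*G; R_U goes to the CA."""
    k_u = secrets.randbelow(N - 1) + 1
    return k_u, ec_mul(k_u, G)

def ecqv_issue(d_ca, identity, r_u):
    """CA, message 2: cert = (P_U, ID) with P_U = R_U + k*G, and r = e*k + d_CA."""
    k = secrets.randbelow(N - 1) + 1
    cert = encode_point(ec_add(r_u, ec_mul(k, G))) + identity
    return cert, (cert_hash(cert) * k + d_ca) % N

def ecqv_private_key(k_u, cert, r):
    """Node: d_U = e*k_U + r mod N; only the holder of k_U can form it."""
    return (cert_hash(cert) * k_u + r) % N

def ecqv_public_key(cert, q_ca):
    """Anyone: Q_U = e*P_U + Q_CA, reconstructed from the cert and CA public key."""
    return ec_add(ec_mul(cert_hash(cert), decode_point(cert[:33])), q_ca)

def enrol(d_ca, identity):
    """Two-message ECQV enrolment for one node; returns (cert, d_U)."""
    k_u, r_u = ecqv_request()
    cert, r = ecqv_issue(d_ca, identity, r_u)
    return cert, ecqv_private_key(k_u, cert, r)

def link_key(d_own, cert_peer, q_ca):
    """Static ECDH on the certified keys, then a SHA-256 KDF (KDF is an assumption)."""
    z = ec_mul(d_own, ecqv_public_key(cert_peer, q_ca))
    return hashlib.sha256(b"link-key" + z[0].to_bytes(32, "big")).digest()

def demo():
    """CA enrols node-A and node-B (constructed IDs); each side derives the link key."""
    d_ca = secrets.randbelow(N - 1) + 1
    q_ca = ec_mul(d_ca, G)
    cert_a, d_a = enrol(d_ca, b"node-A")
    cert_b, d_b = enrol(d_ca, b"node-B")
    key_a = link_key(d_a, cert_b, q_ca)  # A only needs B's 39-byte cert and Q_CA
    key_b = link_key(d_b, cert_a, q_ca)
    return key_a, key_b, len(cert_a)

if __name__ == "__main__":
    key_a, key_b, size = demo()
    print("cert bytes:", size, "link keys match:", key_a == key_b)
```

Running the module prints the certificate size (39 bytes: a 33-byte compressed point plus a 6-byte identifier, with no separate signature to carry) and confirms that both nodes obtain the same key. Note that the peer never verifies a signature: if the certificate were forged or altered, ecqv_public_key would still return a point, but the forger could not produce the matching d_U, so the link keys would differ; authentication is therefore only complete once the peer proves knowledge of the derived key, for instance with a MAC over the exchange. The scalar multiplication here is not constant-time and is for illustration only.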

2.1.4 Host Identity Protocol (HIP)

HIP is an IETF standard that introduces a new host identity layer between the network and transport layers of the OSI protocol stack [35]. HIP establishes secure signaling channels which inherently support node mobility and multihoming. The Host Identity Indirection Infrastructure (HI3) network architecture provides higher resilience and scalability than the generic Internet Indirection Infrastructure (i3) architecture. HIP operates above the IP layer and introduces a host identification scheme that decouples identification from location information. Instead of using IP addresses, which convey the topological location of the hosts, applications reference hosts by their cryptographically generated identifiers. Consequently, HIP facilitates mobility and location anonymity of the users, which is highly useful in IoT applications.

HIP has two principal variants, namely HIP Base Exchange (HIP-BEX) [35] and HIP Diet Exchange (HIP-DEX) [36]. In HIP-BEX (Appendix 1), each HIP peer has a public key serving as its Host Identifier (HI), whose private counterpart is known and used only by its legitimate owner. These public and private keys are used for identity proofing and authentication. However, since the HIP-BEX mechanism involves heavy asymmetric cryptographic operations, it cannot be supported as is by constrained sensor nodes. HIP-DEX is proposed as a lighter version of HIP with a reduced computational cost. The significant differences between HIP-BEX and HIP-DEX are the complete removal of the signature scheme of HIP-BEX and the replacement of the expensive DH key exchange with an ECC variant (i.e. ECDH) computed from the hosts' static ECDH keys; because those keys are static, HIP-DEX gives up the forward secrecy that the ephemeral DH exchange of HIP-BEX provides. With these adaptations, HIP-DEX fits resource-constrained sensors better than HIP-BEX.

Several other solutions have been proposed as lighter variants of HIP [37, 38]. In the IETF draft [39], a lightweight authentication extension to HIP (LHIP) was proposed for CPU-restricted devices to obtain HIP benefits such as end-host mobility and multihoming. Although, for the sake of compatibility, LHIP maintains a message syntax similar to HIP-BEX, it does not provide the same security level for host authentication and payload encryption. This is because LHIP has no DH key computation, no RSA operations, and no secure IPsec tunnel after the exchange. Instead, LHIP uses hash chains to cryptographically bind successive messages to each other. Nevertheless, this mechanism only guarantees integrity protection over the current session. As stated in [40], the expensive cryptographic operations of the Tiny HIP message exchange are delegated from the highly resource-constrained device (i.e. a low-performing initiator) to less constrained nodes in the neighbourhood. Thereby, new HIP-BEX connections are established with another unconstrained node (i.e. a powerful responder). This solution uses a common set of less constrained nodes as proxies for supporting both the initiator and the responder. However, this approach does not match realistic scenarios, because both parties would need to establish secure links with a single shared set of proxies.


2.2 Wireless Sensor Networks

WSNs are deployed in a wide range of applications, such as environmental monitoring, health care, industrial automation and battlefields, where information security and confidentiality are prime requirements [41].

Fig. 3. Generic WSN architecture.

WSNs are wireless ad-hoc networks consisting of large numbers of spatially distributed leaf sensor nodes for gathering data from the physical environment [7]. The generic architecture of a WSN is represented in Fig. 3. Depending on the application of the WSN, the sensor nodes may be mobile or statically deployed in random locations in harsh and inhospitable physical environments. In the conventional scenario, aggregated data is delivered to a central collecting node, often known as a sink node. The sink node may be an IP node which is connected to the legacy Internet and can be remotely accessible and manageable. In general, a sensor node consists of a micro-controller (processor), a memory unit, a communication device, a power supply unit, and one or more sensors or actuators. Depending on the hardware design and the application, other advanced components are added to this basic sensor platform. Conventionally, wireless sensors are low-cost, low-power, multi-functional devices which inherently exhibit resource restrictions in terms of memory, battery capacity and computational power. Well-known low-power sensor platforms for WSN testbed implementation are TelosB, MicaZ, and Tmote Sky motes, running the TinyOS or Contiki operating systems.


There are many WSN standards which define the functions and protocols that are necessary for sensor nodes to interface with a network. Some of these WSN standards include IEEE 802.15.4 [42], ZigBee [43], WirelessHART [44], ISA100.11a [44], IETF 6LoWPAN [9], and Bluetooth Low Energy [45].

The proliferation of WSN technology, along with advances in Internet technologies, has paved the way to the huge paradigm shift of the IoT. The key transitions of WSN technology are shown in Fig. 4.

Fig. 4. Transition from WSN to IoT.

As illustrated in Fig. 4, the transition from WSN to IoT is leveraged by an intermediary step, namely M2M communications. M2M enables all nodes to communicate with each other on a peer-to-peer basis without the need for human interaction. Nevertheless, the usability of M2M communications is restricted to unified scenarios such as smart homes, energy management, healthcare, or asset management. According to Fig. 4, another noteworthy characteristic of the transition from WSN to M2M is the evolution from human-centric management to autonomous behaviours. Consequently, M2M architectures advocate the emergence of IoT by enhancing the self-organizing capability of sensor nodes along with the self-monitoring and self-healing characteristics of the legacy Internet. The core technology behind IoT is WSN together with cloud-based information processing, building an advanced and powerful information acquisition and processing platform [46]. With these technological advancements, new frontiers have been opened for WSN-based IoT in smart cities, the industrial Internet, autonomous vehicles, smart farming, and smart energy.

2.2.1 Energy consumption in WSN

Typically, the sensor nodes deployed in WSNs are low-performance battery-powered devices with limited memory footprints and processing power. In particular, sensor nodes deployed in hazardous environments or battlefields that are difficult or impossible to access frequently face the challenge of replacing batteries. Under such circumstances, it is critical to use highly energy-efficient security schemes to conserve battery life. The energy consumption in a WSN is influenced by two key factors [47]: the transmission power of each communication and the working rate of each sensor. A sensor node consumes power not only for transmitting its own data to the sink, but also for relaying data received from neighbouring nodes. Therefore, when data is transmitted from a source to the sink, it is important to consider the energy consumption of all the relay nodes on the selected routing path. As a result, the hop count should be properly planned for efficient energy usage. Unlike scalar sensors, multimedia sensors produce, process, and transmit large amounts of visual and audio data and are engaged in continuous monitoring. Therefore, the power consumption of WSN variants such as wireless multimedia sensor networks should be critically considered and efficiently managed in order to maximize the lifetime of the network [26, 27].

2.2.2 Security in WSN

Security is a paramount property in WSNs and has been widely discussed in the research community over the last two decades [10, 48]. Due to unreliable communication links (e.g., unreliable transfer, conflicts in broadcasting, network latency) and unattended operation, WSNs are highly prone to security attacks. When WSNs are left unattended for long periods of time in hostile environments, they can even be exposed to physical attacks. There can be more security threats when managing WSNs remotely or when they lack a central management point. However, traditional security mechanisms with significant overheads are infeasible to incorporate into tiny sensor nodes. The limited resources available in typical sensor nodes are a key obstacle [48]. For instance, the well-known TelosB sensor has a 16-bit 8 MHz RISC CPU with only 10 KByte of RAM, 48 KByte of program memory, and 1024 KByte of flash storage [49]. Therefore, the code size and the computational complexity of all the security-related programs must also be small. TelosB sensors use TinyOS as the software platform, where TinySec is integrated as the link-layer cryptography protocol [50]. Obviously, the added security functions (e.g., encryption, decryption, and signature verification) and their related data transmission and storage overhead (e.g., for key management) consume extra power. Since energy is a critical constraint on the capabilities of the sensor nodes, the cryptographic functions or protocols should be designed in such a way as to minimize power consumption.

WSNs share the common security requirements of typical networks and add others arising from their unique features, as discussed above. The most important security requirements of conventional WSNs can be identified as data confidentiality, data integrity, data freshness, forward and backward secrecy, availability, self-organization, time synchronization, secure localization, non-repudiation, and authentication [48, 51]. To achieve these requirements, multiple security mechanisms are used, such as incorporating security primitives (e.g., public and symmetric key cryptography), key management, establishing secure channels, developing secure routing algorithms, and introducing self-healing and self-management protocols. Furthermore, there are numerous attacks identified in WSNs, including Denial of Service (DoS), Sybil, traffic analysis, node replication, privacy violation, and physical attacks.

2.2.3 Key management in WSN

Efficient and lightweight key management has been identified as a core mechanism to ensure security in network services and applications of WSNs [15, 52]. Key management in WSN includes several processes and mechanisms to solve the problem of establishing (or creating), distributing and maintaining secret keys [53]. The key establishment techniques should guarantee the authenticity of all the sensor nodes involved in a particular communication and protect the data against disclosure to unauthorized parties (i.e., confidentiality) and against falsification (i.e., integrity). Furthermore, the key establishment techniques should be scalable to varying network sizes and flexible enough for different kinds of environments.

In order to defend against malicious attacks and ensure hop-by-hop security, symmetric key encryption is mostly used for secure communication between WSN nodes. Due to the computational complexity and resource consumption of PKC algorithms, they cannot be used in their original forms for the key management protocols of very constrained sensor nodes. The adaptation of PKC solutions for the key management of highly constrained sensor nodes became popular with the use of certificates and ECC techniques [54]. TinyECC provides a ready-to-use, publicly available software package for ECC-based PKC operations that can be flexibly configured and integrated into WSN applications [55]. The use of implicit certificates for generating pair-wise ephemeral keys for WSNs and IoT is presented in some of the literature [14, 56, 57]. Hybrid key management schemes may also combine the advantages of both symmetric and asymmetric keying schemes [11]. On the whole, key management schemes should be designed in accordance with the resource scarcity of low-power sensor nodes and the dynamic and scalability characteristics of the WSN architecture.

Among the myriad WSN key management schemes proposed in the recent past, one classification can be made depending on the ability to update the cryptographic keys of the sensor nodes during their run time [15]: static and dynamic. As the name implies, static key management adopts the principle of key pre-distribution, where the keys are fixed for the whole lifetime of the network. Nevertheless, long-term static keys increase the exposure to attack: a single compromised node leaks keys that remain valid indefinitely. Therefore, WSNs require dynamic key management techniques which perform rekeying either periodically or on demand, as needed by the network. With their ability to revoke the keys of compromised nodes in the rekeying process, dynamic key management schemes may enhance network survivability and resilience significantly. Based on the involvement of a central key controller entity, dynamic schemes can be further categorized as distributed and centralized.

2.3 The Internet of Things

2.3.1 The evolution of IoT

IoT is a driving force for interconnecting millions to billions of objects through the Internet [3]. The maturation of the Internet and advances in electronics, networking and communication technologies have paved the way for the evolution of the Internet (Figure 5). The early phase started with connecting two computers by peer-to-peer links. In the second phase, the World Wide Web was created by connecting a large number of computers together. Then the mobile Internet was introduced by connecting mobile devices to the Internet. In phase 4, human identities were also added to the Internet by means of social networks. Since then, IoT has emerged as a huge paradigm shift, connecting a versatile collection of smart objects to the Internet. With IoT, people and things are able to connect anytime, anyplace, with anything and anyone, ideally using any path or network and any service [58]. The next noteworthy advance of the Internet will be the Tactile Internet. It will enhance IoT networks with ultra-reliable, ultra-responsive and ultra-secure communication links with extremely low latency.

Fig. 5. Evolution of the Internet.

Due to the seamless connectivity among various objects, IoT places a high demand on a flexible layered architecture. Although many different architectures have been proposed for IoT in close collaboration between research and industry, none is yet solidly established as a reference model [59, 60]. These models are generally based on modifying the standard OSI model with proper adjustments to the physical, data link, network, transport and application layers.

Over the past couple of years, many organizations have boosted their contribution to developing a suite of protocols and open standards for IoT deployments that support interoperable communication [61–63]. Among them, the IETF has taken the lead in standardizing the communication protocols for resource-constrained devices, including the Routing Protocol for Low-Power and Lossy Networks (RPL) [64], the Constrained Application Protocol (CoAP) [65], and 6LoWPAN [9]. ETSI introduced M2M standards relevant to IoT communications, whereas the ITU coordinated activities on aspects of identification systems for M2M.

2.3.2 IoT Network Security

With the development of IoT technologies, physical objects are enriched with sensing, data processing, and communication capabilities. They tend to follow the always-connected paradigm of IoT: anywhere, to anything, by any means of networking technology. Therefore, IoT systems inherit most of the security vulnerabilities commonly found in all types of Cyber Physical Systems (CPS) and the Internet as a whole. Many research efforts are being undertaken to identify security threats in IoT and mitigate them [66]. Alongside security in IoT, privacy [25] and trust management [67] are equally important properties, and they have many synergies. In [68], the authors defined a security architecture based on a layered IoT system design. Their principal approach was to secure all the devices, subnetworks, core networks, cloud servers and processes in the IoT ecosystem. The security-related mechanisms for each layer are defined based on three criteria: authorization and authentication; encryption and key management; trust and identity management. Moreover, in [69], Jing et al. present a detailed security architecture for the three main layers of IoT: perception, transportation and application (Fig. 6). Accordingly, each layer has its own security issues and countermeasures. Standardization organizations and professional associations such as the IETF, ETSI, and IEEE have further made a noteworthy contribution to normalizing IoT security standards [70].

2.3.3 Key establishment in the IoT

A key establishment protocol provides shared secrets between two or more parties, typically for subsequent use as symmetric keys for a variety of cryptographic purposes. Key establishment is a major prerequisite to construct secure communication channels between network devices for both unicast and multicast scenarios in IoT [13]. On the other hand, the heterogeneous nature of the IoT architecture, which accommodates a wide variety of networking elements with different resource capabilities, makes it more challenging to provide E2E security. Resource-consuming cryptographic operations such as key establishment, key revocation, and key distribution are not affordable, or are remarkably expensive, for most of the resource-constrained devices in many IoT applications. For instance, the direct use of an existing key exchange scheme between two IoT entities would be unfeasible unless both can run expensive cryptographic primitives. Therefore, it is challenging to incorporate existing security protocols in their original forms. All in all, introducing security brings an extra overhead to low-power, low-performance devices and their normal operations, since they exhibit constraints in both computational power and battery capacity.

Fig. 6. Security architecture for IoT as explained in [69].

The major requirements related to network security are authentication, confidentiality, non-repudiation and data integrity. These security requirements depend on the use of cryptographic primitives such as encryption, decryption, signature generation, and signature verification schemes. To use these primitives, an initial key establishment protocol running between the communicating parties in the IoT application is needed. Accordingly, key establishment occurs only at the initialization phase of a secure communication channel. Later on, the key can be reused until there is a need for re-keying. Therefore, a lengthy key establishment process, on the order of a few seconds, is still acceptable as long as it occurs only occasionally during the entire operational lifetime. In certain IoT applications, sensor nodes deployed in hazardous environments or battlefields that are difficult or impossible to access frequently face the challenge of replacing batteries. Under such circumstances, it is highly critical to use energy-efficient security schemes to conserve battery life.

IoT key establishment protocols can be classified based on the key delivery scheme or the underlying cryptographic primitive family [12]. The former is further divided into key transport and key agreement, whereas the latter consists of symmetric and asymmetric crypto systems. In key transport protocols, keys are generated by one or multiple peers and securely transferred to the other peers. A key agreement runs between two peers, where the resulting key is derived at both peers from public information exchanged between the peers. Although the symmetric cryptography primitives based on pre-shared keys are low resource consuming, they are poorly applicable to the dynamic communication links created between remote devices in IoT environments. Under such circumstances, two-party key agreement protocols based on asymmetric key (or public-key) cryptographic primitives are used instead.

The key establishment is a non-trivial component of both Internet Protocol security (IPsec) and Transport Layer Security (TLS) protocols, which are widely adopted in IoT applications [71]. IPsec [72] resides at the Network Layer of the OSI model and creates a secure tunnel between two endpoints. The Internet Key Exchange (IKE) [73] protocol and HIP BEX [35] are both designed to perform the key establishment for the IPsec protocol. The TLS protocol provides the same E2E security services for reliable transport protocols which have in-sequence delivery (i.e., Transmission Control Protocol (TCP)). The TLS variant, Datagram Transport Layer Security (DTLS) [74] protocol, has been proposed to operate on top of datagram-oriented transport protocols like the User Datagram Protocol (UDP). DTLS is widely adopted for securing CoAP, which runs over UDP and enables efficient application-level communication for IoT devices [17]. Raza et al. [75] propose a DTLS header compression technique with less energy consumption and a reduced number of transmitted bytes.

All these keying protocols require key agreements with asymmetric cryptographic primitives that are variants of the DH protocol. Although HIP is identified as a key candidate for securing E2E connections in IoT, not many works are available for tailoring the HIP protocol to the context of IoT environments. HIP introduces a cryptographic namespace of stable Host Identities (HIs) between the network and transport layers [76]. Unlike DTLS and minimal IKEv2, HIP supports node mobility and multi-homing, which are very important attributes of IoT [77]. Garcia-Morchon et al. [77] show how to exploit polynomial schemes for key management and the generation of pair-wise keys in HIP and DTLS handshakes.


2.3.4 Authentication in the IoT

With the rapid expansion of connected smart objects, authentication has become crucial to secure the IoT and prevent malicious attacks [78]. In key establishment protocols, this property defines whether the peers are authenticated during the negotiation process or not. Authentication is the process of identifying an object or a person as a legitimate entity to use a particular product or service. It is a prerequisite for authorization or access control, which determines whether an entity can access resources or participate in a given communication. With heterogeneous devices and their distributed nature, the authentication protocols in IoT should not only be resistant to malicious attacks, but they should also be lightweight enough to be deployed in less performing IoT devices [79]. Authentication is an essential feature in key establishment protocols, and the techniques can be classified as symmetric vs. asymmetric.

Shared secret-based authentication is a classical symmetric scheme where two parties are statically configured with a common shared secret mapped to their respective identities. Under asymmetric techniques, there are four variants: static public key authentication, certificate-based authentication, cryptographically generated identifiers, and identity-based authentication. In each case, a node proves its identity by providing a proof of knowledge of the corresponding private key. In the first two categories, the authentication is implicitly ensured by the ownership of the corresponding public-private keys or certificates. In the third category, the authentication identifiers are generated using the public key of the node. In the last asymmetric technique, opposite to the previous category, a node's public key is derived from its identity.

2.3.5 Related work on IoT key establishment and authentication

During the recent past, a few research works have proposed asymmetric cryptographic schemes for authentication and key agreement for heterogeneous WSNs which can be tailored to the IoT environment. The scheme proposed by Turkanovic et al. [80] ensures mutual authentication between the user, sensor node, and GW node along with a lightweight key agreement protocol. Furthermore, the scheme provides password protection, free password changing and dynamic node addition. Their scheme uses simple hash functions and XOR computation to make it compatible with the resource constrained architecture of WSNs. However, in [81], Farash et al. identify security vulnerabilities in Turkanovic et al.'s scheme such as stolen smart card attacks, man-in-the-middle attacks, and lack of forward/backward secrecy. They propose an improved version of Turkanovic et al.'s scheme and eliminate the given security shortcomings. Although the work in [81] presents the communication and storage cost analysis of the proposed scheme, it lacks a performance analysis of the energy costs, which make a noteworthy impact on the battery life of the sensor nodes.

Similarly, the aggregated-proof based hierarchical authentication scheme proposed in [82] is proven with no obvious security defects. The authors have not discussed its performance and compatibility with resource constrained sensor nodes. In [83, 84], the authors analyzed the impacts of PKC on the certificate-based DTLS handshake and identified significant memory requirements. As a solution, in [84], they propose a symmetric-key-based DTLS handshake for the authentication of IP-based IoT devices, which requires an additional key provisioning mechanism.

In [85], the authors present a lightweight three-factor authentication and key agreement protocol for internet-integrated WSNs based on the Rabin cryptosystem. This solution is robust against offline guessing of the user identity and password by an adversary who holds the secrets stored in a stolen smart card and the intercepted authentication messages. In [11], Said et al. discuss a proxy-based collaborative key establishment protocol for resource-constrained IoT devices. A resource-constrained device can delegate its heavy cryptographic operations to less constrained nodes in the neighbourhood, exploiting the spatial heterogeneity of the IoT environment. The work in [11] explains how to integrate the collaborative approach with the TLS handshake and IKE key establishment protocols. When initiating a secure E2E connection between two unknown nodes in distinctive networks, they exploit one set of intermediary nodes as proxies in order to support the key establishment process. Nevertheless, this would not be realistic in actual scenarios, since both end nodes, which are completely unknown to each other, may not have securely pre-established communication links with those common proxies. As a solution to this, in [20] the authors have proposed a new key exchange scheme, which advocates a particular set of proxies for each end node.

2.3.6 Design requirements for IoT key establishment

In addition to proper authentication, a number of other properties should also be considered while designing a key establishment protocol for resource-constrained IoT devices [11, 12].


– E2E security: Typically in conventional WSNs, E2E communication is considered only between the sensor nodes, which are deployed in a particular local network. However, the communication paths in IoT networks will no longer follow the logical hierarchies and the topologies of the conventional WSN architectures. Instead, they advocate E2E communication between the sensor nodes, remote hosts and users in distinctive networks. Moreover, unlike the centralized approach, in the distributed IoT architecture end devices are not dependent on a single central entity and the devices may play both client and server roles. Therefore, the IoT keying protocols should provide E2E security for decentralized and bidirectional IoT communication paradigms.

– Pervasiveness: IoT has widespread pervasive computing power throughout a wide range of objects which are heterogeneous and mobile. This pervasiveness has introduced additional requirements for IoT key establishment. The devices may have pre-shared keying materials or they may be totally unaware of each other. Therefore, dynamic asymmetric key delivery schemes and authentication methods should be given priority while designing an IoT key establishment protocol.

– Adaptability: IoT is not entirely defined with novel protocols. Instead, the security schemes are customized in such a way that they meet the application requirements of IoT. The key exchange techniques in existing security protocols such as TLS and IPsec need to be adapted for the mobility and interoperability characteristics.

– Scalability: With the rapid growth of connected smart devices in IoT networks, the amount of security data related to those objects will also be huge. Therefore, a key establishment protocol needs to be scalable, so that the information required to contact any potential peer does not impose an overhead on the device. Similarly, a key establishment scheme should be extensible, so that the number of peers that can be securely contacted through a negotiation process can be on such a large scale. A scalable keying scheme should be able to manage a large group over a wide area with highly dynamic sensors. If the computation and communication traffic at the sources increase dramatically with the size of the group, the keying scheme is treated as non-scalable.

– Efficiency: For designing efficient cryptographic protocols, a few criteria should be considered, such as the number of exchanged messages, the required bandwidth, the complexity of computations, and the possibility of pre-computations. These should be critically addressed as the security protocols will be running on highly resource-constrained nodes with limited computational power, low memory, and minimal battery capacity.


2.3.7 Secure group communication for multicasting in the IoT

The most efficient means of resource management in communication for WSN applications is based on clustering and multicasting [86]. Particularly for large-scale environments and time-critical applications, efficiency is higher in one-to-many, many-to-one, one-to-any, and one-to-all types of communication than in the basic multi-hop model in WSNs. Similarly, the field of applying multicast communication is as manifold as the application area of IoT itself, including smart homes, smart cities, industrial automation, and healthcare. It is more effective and efficient to convey multicast messages to a group of devices rather than sending unicast messages to individual devices in multiple copies. Multicast communication is recommended for resource-constrained IoT networks to reduce the bandwidth usage, and to minimize the energy consumption and processing overhead at the terminals. Securing the group key establishment between the legitimate members is the key functionality needed to provide integrity, authentication, and confidentiality for message transmissions in multicast groups [18].

A primary challenge in this context is the management of cryptographic keys required for message authentication and integrity protection. Asymmetric cryptography is an appropriate tool for authentication and integrity protection in broadcast and multicast scenarios. If hardware-accelerated implementations of asymmetric cryptography are available, they can be used to strengthen and simplify the implementation of WSN communication mechanisms. Although such hardware is usually included in state-of-the-art designs, legacy devices might not be powerful enough for asymmetric cryptography [87]. In these situations, symmetric encryption offers far better performance. Keyed hash functions such as HMAC are likewise symmetric primitives that rely on shared keys. The fundamental problem in multicast or broadcast scenarios is that the shared key has to be distributed to all members of the group to enable them to authenticate received messages. Being in possession of the shared key enables all members of the group to generate valid messages, which contradicts the idea of the individual authentication of messages.

The WSN group key management protocols such as MIKEY [88] and TESLA [10] are still lacking compatibility with IoT characteristics. For instance, the MIKEY architecture is entirely designed to facilitate multimedia distribution, whereas TESLA is proposed for the broadcast authentication of the source and not for protecting the confidentiality of multicast messages. Likewise, the Topological Key Hierarchy (TKH) scheme lowers the communication cost of rekeying messages by generating a key-tree based on the underlying topology of WSNs [89]. However, in TKH, the computation and communication costs grow linearly with the number of group members.


3 Research contribution

This chapter elaborates the contribution of the original publications in detail. Firstly, the proposed solutions for key establishment and authentication in WSN and WSN-IoT are discussed. Secondly, the group key establishment protocols are presented. Finally, the collaborative HIP approach is discussed with its performance comparisons.

3.1 Key management and authentication in WSN and IoT

The first research question of this thesis addresses the design of lightweight and secure key establishment and authentication protocols for resource constrained sensor networks. Paper I provides a solution to this research area in terms of generic WSN, whereas Paper II and Paper III make contributions by formulating keying mechanisms for IoT enabled WSNs.

Paper I presents an implicit certificate-based key establishment protocol for resource constrained sensors deployed in generic WSNs. For defining the protocol, the authors considered the standard WSN architecture with a cluster tree topology as shown in Fig. 7. The protocol is based on ECC and consists of two phases. In Phase I, sensor nodes receive implicit certificates from the cluster head, which acts as the Certificate Authority (CA). For renewing expired certificates, the sensor nodes need to send new certificate requests to the CA. Upon receiving the certificates, the nodes can calculate their own public and private keys. The certificate generation process is inspired by the design principles of the ECQV implicit certificate scheme. Phase II contains the key establishment component, where the sensors use the obtained certificates to establish pair-wise ephemeral keys with their neighbouring sensor nodes. The paper discusses how the protocol supports the arrival of a new node and the generation of pairwise link keys with the neighbouring nodes.

Fig. 7. Generic WSN architecture.

The protocol was implemented on TelosB sensor nodes with TinyOS using the TinyECC configurable library for ECC operations. The experimental setup comprised three TelosB motes, one of which was considered as the CA. The CA functionalities are implemented on the sensor nodes in order to compare the performance results for memory and time consumption. The experimental results show the feasibility of deploying the proposed scheme in resource constrained WSNs. Furthermore, according to the obtained empirical results, the proposed certificate scheme exhibited better performance than the conventional ECDSA and ECDH schemes. The paper also discusses the security properties of the proposed scheme and how it is resilient to node compromise, masquerading and impersonation attacks. Thereby, this work proves how to use a PKC based solution with implicit certificates for deriving a common secret key for symmetric encryption in resource constrained WSNs.

Paper II extends the idea of exploiting implicit certificates for authentication purposes from generic WSNs to the sensor networks in distributed IoT applications. In order to maintain a trusted network in IoT applications, multiple entities such as sensors, service providers, and information processing systems have to authenticate each other. The proposed protocol comprises two phases: Phase 1 for providing cryptographic credentials to the sensors and end-users; Phase 2 for authenticating each user or device at the beginning of the communication link establishment. The implementation results have proven that the authentication protocol fits well even with low performing sensors. The extension in Paper II paves the way to the sound realization of the solution proposed in Paper III.

Paper III proposes a lightweight authentication and key establishment scheme for WSNs in distributed IoT applications, known as PAuthKey. The proposed solution provides application level E2E security. As shown in the distributed IoT architecture illustrated in Fig. 8, the sensor networks may include heterogeneous resource constrained sensors and the end users may be either humans or virtual entities. We consider that the local networks follow the same cluster tree topology, where the low power sensors use one resource rich device as the cluster head (CH). The CHs in each cluster and the end-users have to acquire security credentials from a trusted party such as a CA. Four types of communication links are identified in this particular network architecture: two sensors in the same cluster (Link A); two sensors in distinctive clusters in the same domain (Link B); two sensors in distinctive domains (Link C); an end-user who communicates with a sensor (Link D).

Fig. 8. IoT enabled WSN architecture in Paper III. Reprinted with permission of Hindawi.

PAuthKey has two phases, for registration and authentication. During the registration phase, the sensors in a particular cluster obtain ECQV-based implicit certificates from the CH and derive their own public-private key pairs. Possessing the certificates always provides an implicit assurance for the sensors that they are legitimate nodes. Thanks to the certificates, even though the sensors frequently change their locations (i.e., also their neighbouring set), they can authenticate themselves and derive the pairwise keys securely without previous knowledge of the neighbouring nodes or end-users. The authentication phase varies depending on the type of communication link between the end-parties, which is described in three scenarios. In each scenario, the sensors use the implicit certificates to authenticate themselves and establish ephemeral session keys.
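The ECQV implicit-certificate flow that Paper I's Phase I and the PAuthKey registration phase build on, as an added Python example that is not the code of Paper I, Paper III or PAuthKey: the cluster head acting as CA issues a certificate, the sensor derives its private key from it, and any peer holding the CA's public key reconstructs the sensor's public key and runs a static ECDH link-key derivation. The secp256k1 curve, the certificate encoding P_U || ID and SHA-256 as the hash are assumptions of this example.

```python
"""ECQV-style implicit certificates on secp256k1 (constructed example)."""
import hashlib
import secrets

# secp256k1 domain parameters (y^2 = x^3 + 7 over GF(P), base point G of prime order N)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # curve coefficient a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def cert_hash(cert):
    """e = H(Cert_U) mod n; SHA-256 is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N


def ca_keygen():
    """The cluster head acting as CA: (d_CA, Q_CA = d_CA * G)."""
    d_ca = secrets.randbelow(N - 1) + 1
    return d_ca, ec_mul(d_ca, G)


def ca_issue(d_ca, node_id, R_u):
    """CA side: P_U = R_U + k*G, Cert_U = P_U || ID, r = e*k + d_CA mod n."""
    k = secrets.randbelow(N - 1) + 1
    P_u = ec_add(R_u, ec_mul(k, G))
    cert = point_bytes(P_u) + node_id          # constructed encoding, not a standard one
    r = (cert_hash(cert) * k + d_ca) % N
    return cert, r


def enroll(d_ca, node_id):
    """Sensor side: send R_U = k_U*G, receive (Cert_U, r), derive d_U = e*k_U + r."""
    k_u = secrets.randbelow(N - 1) + 1
    R_u = ec_mul(k_u, G)
    cert, r = ca_issue(d_ca, node_id, R_u)     # certificate request / response
    d_u = (cert_hash(cert) * k_u + r) % N
    return d_u, cert


def public_from_cert(cert, Q_ca):
    """Any peer holding Q_CA reconstructs Q_U = e*P_U + Q_CA; no signature to verify."""
    P_u = (int.from_bytes(cert[:32], "big"), int.from_bytes(cert[32:64], "big"))
    return ec_add(ec_mul(cert_hash(cert), P_u), Q_ca)


def pairwise_key(my_d, peer_cert, Q_ca):
    """Static ECDH between two certified sensors, hashed into a link key."""
    shared = ec_mul(my_d, public_from_cert(peer_cert, Q_ca))
    return hashlib.sha256(point_bytes(shared)).digest()


def ecqv_roundtrip(node_id=b"sensor-07"):
    """True iff the sensor's derived private key matches the reconstructed public key."""
    d_ca, Q_ca = ca_keygen()
    d_u, cert = enroll(d_ca, node_id)
    return ec_mul(d_u, G) == public_from_cert(cert, Q_ca)
```

The implicit assurance is the last check: a certificate whose ID or point has been altered reconstructs a public key the sensor holds no private key for, so the pairwise key derivation simply fails instead of requiring an explicit signature verification.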


It is proven with the implementation results that PAuthKey can easily run on TelosB sensors, which have very limited memory and computational capability. The security properties and the scalability of PAuthKey, and its comparison with the existing DTLS, ECDH, and ECDSA protocols, are also discussed in Paper III.

3.2 Secure group key management in IoT-enabled WSN

The second research question is associated with improvements to securing group communications in IoT networks. Paper IV provides a contribution to this research area with two ECC based group key establishment techniques which enable secure multicast communication in WSNs deployed in IoT applications. An example of forming a multicast group to control light bulbs in a smart building is illustrated in Fig. 9. The environmental monitoring network collects data about light intensity, temperature, and population of all rooms in the building and delivers aggregated data to a central entity. Based on the data received, the central entity can enable synchronous operations (e.g., sending on, off, or dim-level commands) among a group of light bulbs on a floor or in a room to achieve visual synchronization of light effects for the user.

Fig. 9. Example of a multicast group creation.

Protocols 1 and 2 proposed in Paper IV are the ECC variants of the group key establishment solutions given in [90–92]. They also have improvements such as the assurance of message integrity and the prevention of man-in-the-middle attacks. In Protocol 1, the initiator determines the composition of the multicast group and broadcasts the group formation message first. Only legitimate members are eligible to continue the key derivation process, in which the final group key is computed based on their inputs. In addition to the first broadcast message in Protocol 1, three message transactions occur between the initiator and each group member. Protocol 2 uses the same mathematics as Protocol 1. In Protocol 2, the initiator defines the formation of the multicast group, determines the group key, and sends the key reconstruction materials along with lightweight digital signatures to the WSN. The legitimate members can recompute the group key using the received keying materials and their own security credentials.

According to the performance evaluation results, the computation and communication energy consumption of both protocols is tolerable for resource-constrained sensor nodes. It is proved that the proposed solutions mitigate the existing security vulnerabilities of these state-of-the-art solutions with better performance characteristics. The first scheme is more appropriate for distributed IoT applications, which require higher contributions of the group members to compute the key with greater randomness. The second scheme is more suitable for centralized IoT applications due to its low energy costs.

3.3 Collaborative HIP

The third research question of this thesis focuses on developing lightweight and secure E2E key establishment solutions for resource-constrained IoT devices and integrating them in existing security protocols. Paper V introduces a collaborative key establishment solution for the HIP protocol, whereas Paper VI provides the implementation details and the performance analysis.

Paper V proposes a collaborative HIP solution with an efficient key establishment phase to provide E2E secure connectivity between resource constrained devices in IoT. As shown in the network architecture in Fig. 10, highly constrained devices delegate the computationally demanding cryptographic operations of the HIP protocol to resource rich devices in the neighbourhood, which act as proxies.

The protocol is based on an (n, k) threshold scheme [93], wherein each of the n proxies processes a polynomial share, and any k polynomial shares are enough to reconstruct the DH keys through Lagrange polynomial interpolation. Paper V presents an estimation of the computation and communication energy costs of the collaborative HIP approach with respect to TelosB sensors.
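The threshold idea behind the collaborative approach, as an added Python example that is not the CHIP protocol of Paper V or VI: the constrained node splits its DH exponent into n Shamir-style polynomial shares, each collaborating proxy performs one heavy exponentiation on the peer's public value, and the node recovers the DH secret by multiplying any k partial results; fewer than k partials give a wrong value, and fewer than k colluding proxies learn nothing about the exponent. The toy safe-prime group found at runtime, the generator 4, and the choice to let each proxy fold its Lagrange coefficient into its own exponent are assumptions of this example, not Paper V's design or its energy model.

```python
"""(n, k) threshold delegation of a DH exponentiation to proxies (constructed example)."""
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for building a constructed toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Return (p, q, g) with p = 2q + 1 prime; g = 4 then has prime order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def split_exponent(x, n, k, q):
    """Shamir sharing over Z_q: random degree-(k-1) polynomial f with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(q) for _ in range(k - 1)]
    return {i: sum(c * pow(i, e, q) for e, c in enumerate(coeffs)) % q
            for i in range(1, n + 1)}


def lagrange_at_zero(i, subset, q):
    """lambda_i = prod_{j != i} (0 - j) / (i - j) mod q for the collaborating subset."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num = num * (-j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q


def proxy_partial(share_i, i, subset, peer_public, p, q):
    """Proxy i does the expensive modular exponentiation: Y^(s_i * lambda_i) mod p."""
    return pow(peer_public, share_i * lagrange_at_zero(i, subset, q) % q, p)


def combine_partials(partials, p):
    """The constrained node only multiplies the k received values mod p."""
    result = 1
    for value in partials:
        result = result * value % p
    return result


def collaborative_dh(p, q, g, n, k, subset):
    """True iff the proxies' partials combine to the same g^(xy) both peers would compute."""
    x = secrets.randbelow(q - 1) + 1          # constrained node A's exponent
    y = secrets.randbelow(q - 1) + 1          # peer B's exponent
    peer_public = pow(g, y, p)                # Y = g^y, sent by B
    shares = split_exponent(x, n, k, q)       # one share per proxy, sent over secured links
    partials = [proxy_partial(shares[i], i, subset, peer_public, p, q) for i in subset]
    reconstructed = combine_partials(partials, p)
    direct = pow(peer_public, x, p)           # what A would compute alone
    peer_view = pow(pow(g, x, p), y, p)       # what B computes from A's public g^x
    return reconstructed == direct == peer_view
```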

Paper VI is an extension of [20] and Paper V. It presents a derivation of the CHIP protocol, implements the protocol on a Libelium Waspmote sensor platform, measures the energy costs, and discusses its performance and security features in detail. The experimental results show that the proxy-based key establishment scheme in the collaborative HIP protocol significantly increases the energy savings for a constrained responder compared with the standard HIP BEX and HIP DEX protocols. The number of collaborating proxies should be kept between 3 and 40 for the collaborative HIP approach to perform better than the HIP DEX and HIP BEX protocols. Consequently, in the performance and security analysis (i.e., in Paper VI), the proposed key establishment scheme generates a significantly lower amount of computational overhead and has less energy consumption, with stronger security features, at the resource-constrained nodes than the HIP BEX and HIP DEX protocols.

Fig. 10. The network architecture of an AAL system for an IoT application in Paper VI. Reprinted with permission of Springer.


4 Discussion

This chapter recaps the thesis. Section 4.1 provides a summary of the research results. Section 4.2 discusses their limitations and generalizations. Finally, Section 4.3 presents some insights on future research directions.

4.1 Summary of contributions

Key establishment is an essential feature to initiate a shared secret across an insecure channel and open a secure channel between two communication parties. Cryptographic keys become more vulnerable to malicious attacks the longer they are used. The best practice is to use short-term pairwise session keys and discard them when the channel is not in use. Public-key certificates advocate the authentication of the two communication ends in the process of key management. Lightweight key establishment and authentication are equally important in the revolutionary IoT paradigm, which enables interaction between heterogeneous smart objects. Device constraints in terms of memory and computational power, and energy efficiency, are the major factors to consider while designing security protocols for low-power IoT sensor nodes.

This thesis presents a high-level overview of the evolution of WSN and IoT technologies and the respective network security features. Regarding the design requirements for IoT key establishment, the thesis describes five main properties, including E2E security, pervasiveness, adaptability, scalability, and efficiency. Moreover, the thesis discusses the fundamental cryptographic norms and protocols such as DH key exchange, ECC, HIP, and implicit certificates, which can be exploited for developing lightweight security solutions for WSN and IoT.

The principal investigations of this thesis are divided into three research questions. Firstly, the thesis identifies the possibility of natively exploiting the ECQV technique for generating lightweight implicit certificates for authentication and key management. Papers I, II, and III use these implicit certificates to offer robust key negotiation and lightweight authentication for securing generic WSNs and resource constrained sensors in IoT enabled WSNs. The implementation results on the TelosB sensor platform show the viability of integrating the proposed security schemes into low performing resource constrained sensor networks. Secondly, the thesis presents group key establishment solutions for securing the group communication in IoT enabled WSNs. In Paper IV, the applicability of the solution is verified by the energy estimations and by discussing the security properties. Finally, based on Papers V and VI, the thesis proposes a novel collaborative approach to the HIP protocol with an efficient key establishment scheme for creating secure E2E connections between resource constrained networking devices in the context of IoT. All in all, this thesis provides a good insight into identifying the importance of lightweight key management and authentication in IoT enabled WSN applications.

4.2 Limitations and generalizability

The research spanned multiple years, during which the specification of sensor platforms, their availability of resources, and the software libraries changed significantly. Therefore, the performance results obtained in Papers I - III might be further improved with the exploitation of optimized EC operations on different sensor hardware.

Although the security properties of the key establishment protocols are discussed in the publications (i.e., Paper I to VI), their security strengths and weaknesses are not proven formally. This might limit the ability to deploy the protocols in real-life applications that require high security. Nevertheless, it would be an interesting research area in the future to use dedicated formal verification tools like AVISPA [94] and CDVT/AD [95] to validate the security requirements of the proposed schemes. The tools can be further used to identify the robustness of the keying schemes for different types of attack scenarios.

The two group key establishment protocols proposed in Paper IV are applicable to one-to-many (1 : n) communication scenarios. However, in IoT sensor networks, there can be instances where multiple initiators need to send secure messages to more than one receiver (e.g., visual sensor networks used for multimedia conferencing, multi-player games). Under such circumstances, it would be noteworthy to improve the group key establishment solutions for many-to-many (m : n) communication scenarios as well. Moreover, the performance analysis of the keying mechanisms in Paper IV should be discussed in terms of the energy estimations. These could be implemented on a real-time testbed to obtain quantitative results similar to those of the other protocols described.


4.3 Future research directions

The future research directions are discussed under two categories: work with an immediate impact; potential research areas with long-term goals.

4.3.1 Work with an immediate impact

Although the work presented in this thesis is solely focused on low-power IoT sensor networks, it can be applied to the broader domains of IoT, which include WSN, Internet, Applications and Cloud Computing. The contributions provide a scientific foundation for future work in the area of securing localized service provider networks, also known as micro operators, in 5G. Micro operators intend to build an indoor small cell communication infrastructure and offer context related services and content. The solutions proposed in this thesis will be exploited to define a complete security architecture for micro operator networks with service-oriented authentication. It is expected to use the 5G Test Network platform available at the University of Oulu to implement the derived solutions. Moreover, it is important to put more effort into standardizing those security schemes to push technological frontiers beyond the research level.

4.3.2 Potential research areas with long-term goals

Beyond the research work presented in this thesis, several future research areas are identified which can be improved with the utilization of key management and authentication techniques.

Quantum security for authentication and key management

Quantum security will be the next evolutionary tide of the network security era [96]. With powerful adversaries, the existing public-key encryption and signature schemes will no longer provide secure connectivity. The security of quantum cryptography can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper. Longer symmetric keys derived and distributed by quantum cryptographic approaches will ensure the lifetime security of many IoT devices. This will also extend the battery life of the devices and minimize the network overheads by reducing frequent handshaking for the key establishment process. Furthermore, this may be exploited for managing secure identity, mutual authentication of the devices, appropriate certification and qualification, and power efficient algorithms and policies.

Blockchain

Blockchain based approaches have recently emerged to provide decentralized security and privacy in the networking field. Nevertheless, these approaches involve significant delays, energy, and computational overheads, which will not be suitable for resource constrained devices in IoT. As stated in [97], a lightweight instantiation of a Blockchain would be suitable for IoT. It will be useful to investigate the novel frontiers of lightweight key management techniques for Blockchain in the context of IoT applications.

Keying schemes for IoT privacy

In 2016, the European Union passed the General Data Protection Regulation (GDPR) to protect the data privacy of individuals across Europe. According to the GDPR, the principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. Cryptographic keys are mandated to encrypt data, which makes data anonymous. Therefore, strong key management techniques are required not only to protect encrypted data, but also to ensure the deletion of files and comply with a user's right to be forgotten. New research directions are opening for the design of means to achieve GDPR compatible key management along with verification methods for user identities and transactions in different IoT application areas.


5 Conclusions

Network security is a paramount property for both generic WSNs and IoT enabled sensor networks. These sensor networks can be formed from highly resource constrained, low-power, low-performance objects. Their resource limitations are considered in terms of battery capacity, computational power, memory footprint and bandwidth utilization. Existing key management solutions will drive researchers to define promising security standards for constrained IoT networks. Nevertheless, designing new solutions and adjusting the available security protocols will still be challenging, because of the need to balance the robustness of the security protocols against the limitations of low-power IoT sensors and their connectivity to the legacy Internet.

The thesis commenced with an introduction to WSN and IoT security, along with the significance of designing lightweight key management and authentication solutions for resource constrained devices. Later, the thesis described the theoretical background and the related work in the literature review section. The first research contribution of the thesis was on exploiting implicit certificates for establishing session keys for initiating secure channels in generic WSNs. Then the same work was extended by developing the PAuthKey protocol for key management and authentication in the sensor networks deployed in IoT applications. The security properties and the performance results of the proposed protocols were discussed along with the implementation details. After that, the thesis discussed two group key establishment protocols for secure group communication in IoT sensor networks. Finally, the thesis presented a collaborative approach to the HIP protocol, known as CHIP, with an efficient key establishment component. It was verified that the overall performance of CHIP was better than that of the conventional HIP BEX and HIP DEX protocols, which demonstrated the high relevance of CHIP for resource constrained heterogeneous IoT sensor platforms.

Despite the limitations, the results obtained in this thesis show that lightweight key management and authentication solutions are feasible and can be generalized for low-power sensor nodes deployed in IoT applications. Finally, the thesis puts forward insights into some emerging future research directions on key management techniques for IoT and beyond.


References

1. IEEE Spectrum (2016). Popular Internet of Things Forecast of 50 Billion Devices by 2020 Is Outdated. URI: https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated. Accessed on 04.02.2018.

2. Ejaz W, Anpalagan A, Imran MA, Jo M, Naeem M, Qaisar SB & Wang W (2016) Internet of Things (IoT) in 5G Wireless Communications. IEEE Access 4: 10310–10314.

3. Atzori L, Iera A & Morabito G (2010) The Internet of Things: A Survey. Computer Networks 54(15): 2787–2805.

4. Roman R, Zhou J & Lopez J (2013) On the Features and Challenges of Security and Privacy in Distributed Internet of Things. Computer Networks 57(10): 2266–2279.

5. Dunlap T (2017). The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History. Blog post. URI: https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/. Accessed on 25.02.2018.

6. Arghire I (2016). Mirai Botnet Infects Devices in 164 Countries. Security Week. URI: https://www.securityweek.com/mirai-botnet-infects-devices-164-countries. Accessed on 20.05.2018.

7. Akyildiz IF, Su W, Sankarasubramaniam Y & Cayirci E (2002) Wireless Sensor Networks: A Survey. Computer Networks 38(4): 393–422.

8. Mainetti L, Patrono L & Vilei A (2011) Evolution of Wireless Sensor Networks Towards the Internet of Things: A Survey. In: IEEE International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1–6.

9. Thubert P (2011). Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks. IETF RFC 6282. URI: https://tools.ietf.org/html/rfc6282. Accessed on 17.02.2018.

10. Perrig A, Stankovic J & Wagner D (2004) Security in Wireless Sensor Networks. Communications of the ACM 47(6): 53–57.

11. Saied YB, Olivereau A, Zeghlache D & Laurent M (2014) Lightweight Collaborative Key Establishment Scheme for the Internet of Things. Computer Networks 64: 273–295.

12. Roman R, Alcaraz C, Lopez J & Sklavos N (2011) Key Management Systems for Sensor Networks in the Context of the Internet of Things. Computers & Electrical Engineering 37(2): 147–159.

13. Zhou L & Chao HC (2011) Multimedia Traffic Security Architecture for the Internet of Things. IEEE Network 25(3).

14. Sciancalepore S, Capossele A, Piro G, Boggia G & Bianchi G (2015) Key Management Protocol with Implicit Certificates for IoT Systems. In: ACM Workshop on IoT Challenges in Mobile and Industrial Systems, pp. 37–42.

15. Zhang J & Varadharajan V (2010) Wireless Sensor Network Key Management Survey and Taxonomy. Journal of Network and Computer Applications 33(2): 63–75.

16. Lu H, Li J & Guizani M (2014) Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks. IEEE Transactions on Parallel and Distributed Systems 25(3): 750–761.

17. Keoh SL, Kumar SS & Tschofenig H (2014) Securing the Internet of Things: A Standardization Perspective. IEEE Internet of Things Journal 1(3): 265–275.

18. Porambage P, Braeken A, Schmitt C, Gurtov A, Ylianttila M & Stiller B (2015) Group Key Establishment for Secure Multicasting in IoT-enabled Wireless Sensor Networks. In: 40th IEEE Conference on Local Computer Networks (LCN), pp. 482–485.

19. Porambage P, Braeken A, Gurtov A, Ylianttila M & Spinsante S (2015) Secure End-to-End Communication for Constrained Devices in IoT-enabled Ambient Assisted Living Systems. In: 2nd IEEE World Forum on Internet of Things (WF-IoT), pp. 711–714.

20. Porambage P, Braeken A, Kumar P, Gurtov A & Ylianttila M (2015) Proxy-based End-to-End Key Establishment Protocol for the Internet of Things. In: IEEE International Conference on Communication Workshop (ICCW), pp. 2677–2682.

21. Kumar P, Porambage P, Ylianttila M & Gurtov A (2013) A Mobile Object-based Secret Key Distribution Scheme for Wireless Sensor Networks. In: 10th IEEE International Conference on Ubiquitous Intelligence and Computing, and Autonomic and Trusted Computing (UIC/ATC), pp. 656–661.

22. Kumar P, Porambage P, Ylianttila M, Gurtov A, Lee HJ & Sain M (2014) Addressing a Secure Session-key Scheme for Mobility Supported e-Healthcare Systems. In: 16th IEEE International Conference on Advanced Communication Technology (ICACT), pp. 538–540.

23. Gurtov A, Porambage P & Nikolaevskiy I (2014) Secure Lightweight Protocols for Medical Device Monitoring. In: 15th IEEE Conference of Open Innovations Association FRUCT, pp. 46–51.

24. Braeken A, Porambage P, Gurtov A & Ylianttila M (2016) Secure and Efficient Reactive Video Surveillance for Patient Monitoring. Sensors 16(1): 32.

25. Porambage P, Ylianttila M, Schmitt C, Kumar P, Gurtov A & Vasilakos AV (2016) The Quest for Privacy in the Internet of Things. IEEE Cloud Computing 3(2): 36–45.

26. Porambage P, Heikkinen A, Harjula E, Gurtov A & Ylianttila M (2016) Quantitative Power Consumption Analysis of a Multi-tier Wireless Multimedia Sensor Network. In: 22nd European Wireless Conference, pp. 1–6. VDE.

27. Mekonnen T, Porambage P, Harjula E & Ylianttila M (2017) Energy Consumption Analysis of High Quality Multi-tier Wireless Multimedia Sensor Network. IEEE Access 5: 15848–15858.

28. Harjula E, Mekonnen T, Komu M, Porambage P, Kauppinen T, Kjällman J & Ylianttila M (2018) Energy Efficiency in Wireless Multimedia Sensor Networking: Architecture, Management and Security. In: Greening Video Distribution Networks, pp. 133–157.

29. Kumar T, Porambage P, Ahmad I, Liyanage M, Harjula E & Ylianttila M (2018) Securing the Gadget-Free Digital Services. Computer.

30. Stallings W (2006) Cryptography and Network Security: Principles and Practices. Pearson Education India.

31. Hankerson D, Menezes AJ & Vanstone S (2006) Guide to Elliptic Curve Cryptography. Springer Science & Business Media.

32. Diffie W & Hellman M (1976) New Directions in Cryptography. IEEE Transactions on Information Theory 22(6): 644–654.

33. Certicom Corporation. Explaining Implicit Certificates. URI: https://www.certicom.com/content/certicom/en/code-and-cipher/explaining-implicit-certificate.html. Accessed on 02.03.2018.

34. SEC4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV), version 0.97 (2013). URI: www.secg.org. Accessed on 21.12.2017.

35. Jokela P, Moskowitz R & Melen J (2015). Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP). IETF RFC 7402. URI: http://tools.ietf.org/html/rfc7402. Accessed on 19.01.2018.

36. Moskowitz R & Hummen R (2014). HIP Diet EXchange (DEX). IETF draft, RFC editor. URI: http://tools.ietf.org/html/draft-moskowitz-hip-dex-02. Accessed on 20.12.2017.

37. Hummen R, Wirtz H, Ziegeldorf JH, Hiller J & Wehrle K (2013) Tailoring End-to-End IP Security Protocols to the Internet of Things. In: 21st IEEE International Conference on Network Protocols (ICNP), pp. 1–10.

38. Sahraoui S & Bilami A (2015) Efficient HIP-based Approach to Ensure Lightweight End-to-End Security in the Internet of Things. Computer Networks 91: 26–45.

39. Heer T (2007). LHIP Lightweight Authentication Extension for HIP. IETF draft, RFC editor. URI: http://tools.ietf.org/html/draft-heer-hip-lhip-00. Accessed on 04.02.2018.

40. Saied YB & Olivereau A (2012) HIP Tiny Exchange (TEX): A Distributed Key Exchange Scheme for HIP-based Internet of Things. In: 3rd International Conference on Communications and Networking (ComNet), pp. 1–8.

41. Yick J, Mukherjee B & Ghosal D (2008) Wireless Sensor Network Survey. Computer Networks 52(12): 2292–2330.

42. IEEE Standard for Local and Metropolitan Area Networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) Amendment 1: MAC Sublayer. IEEE Std 802.15.4e-2012 (Amendment to IEEE Std 802.15.4-2011), pp. 1–225.

43. Baronti P, Pillai P, Chook VW, Chessa S, Gotta A & Hu YF (2007) Wireless Sensor Networks: A Survey on the State of the Art and the 802.15.4 and ZigBee Standards. Computer Communications 30(7): 1655–1695.

44. Petersen S & Carlsen S (2011) WirelessHART Versus ISA100.11a: The Format War Hits the Factory Floor. IEEE Industrial Electronics Magazine 5(4): 23–34.

45. Gomez C, Oller J & Paradells J (2012) Overview and Evaluation of Bluetooth Low Energy: An Emerging Low-power Wireless Technology. Sensors 12(9): 11734–11753.

46. Chi Q, Yan H, Zhang C, Pang Z & Da Xu L (2014) A Reconfigurable Smart Sensor Interface for Industrial WSN in IoT Environment. IEEE Transactions on Industrial Informatics 10(2): 1417–1425.

47. Luo J, Wu D, Pan C & Zha J (2015) Optimal Energy Strategy for Node Selection and Data Relay in WSN-based IoT. Mobile Networks and Applications 20(2): 169–180.

48. Walters JP, Liang Z, Shi W & Chaudhary V (2007) Wireless Sensor Network Security: A Survey. Security in Distributed, Grid, Mobile, and Pervasive Computing 1: 367.

49. TelosB Mote Platform (2018). MEMSIC Data Sheet. URI: http://www.memsic.com/userfiles/files/Datasheets/WSN/telosbdatasheet.pdf. Accessed on 04.03.2018.

50. Karlof C, Sastry N & Wagner D (2004) TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In: 2nd ACM International Conference on Embedded Networked Sensor Systems, pp. 162–175.

51. Yu Y, Li K, Zhou W & Li P (2012) Trust Mechanisms in Wireless Sensor Networks: Attack Analysis and Countermeasures. Journal of Network and Computer Applications 35(3): 867–880.

52. Xiao Y, Rayi VK, Sun B, Du X, Hu F & Galloway M (2007) A Survey of Key Management Schemes in Wireless Sensor Networks. Computer Communications 30(11-12): 2314–2341.

53. He X, Niedermeier M & De Meer H (2013) Dynamic Key Management in Wireless Sensor Networks: A Survey. Journal of Network and Computer Applications 36(2): 611–622.

54. Simplício Jr MA, Barreto PS, Margi CB & Carvalho TC (2010) A Survey on Key Management Mechanisms for Distributed Wireless Sensor Networks. Computer Networks 54(15): 2591–2612.

55. Liu A & Ning P (2008) TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks. In: 7th International Conference on Information Processing in Sensor Networks, pp. 245–256. IEEE Computer Society.

56. Park CS (2017) A Secure and Efficient ECQV Implicit Certificate Issuance Protocol for the Internet of Things Applications. IEEE Sensors Journal 17(7): 2215–2223.

57. Lu R, Li X, Liang X, Shen X & Lin X (2011) GRS: The Green, Reliability, and Security of Emerging Machine to Machine Communications. IEEE Communications Magazine 49(4).

58. Guillemin P & Friess P (2009). The Industrial Internet of Things Volume G1: Reference Architecture. The Cluster of European Research Projects, Tech. Rep.

59. Al-Fuqaha A, Guizani M, Mohammadi M, Aledhari M & Ayyash M (2015) Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications. IEEE Communications Surveys & Tutorials 17(4): 2347–2376.

60. Weyrich M & Ebert C (2016) Reference Architectures for the Internet of Things. IEEE Software 33(1): 112–116.

61. Sheng Z, Yang S, Yu Y, Vasilakos A, Mccann J & Leung K (2013) A Survey on the IETF Protocol Suite for the Internet of Things: Standards, Challenges, and Opportunities. IEEE Wireless Communications 20(6): 91–98.

62. Kafle VP, Fukushima Y & Harai H (2016) Internet of Things Standardization in ITU and Prospective Networking Technologies. IEEE Communications Magazine 54(9): 43–49.

63. Gazis V (2017) A Survey of Standards for Machine-to-Machine and the Internet of Things. IEEE Communications Surveys & Tutorials 19(1): 482–511.

64. Winter T, Thubert P, Brandt A, Hui J, Kelsey R, Levis P, Pister K, Struik R, Vasseur JP & Alexander R (2012). RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks. IETF RFC 6550. URI: https://tools.ietf.org/html/rfc6550. Accessed on 16.02.2018.

65. Shelby Z, Hartke K & Bormann C (2014). The Constrained Application Protocol (CoAP). IETF RFC 7252. URI: https://tools.ietf.org/html/rfc7252. Accessed on 04.02.2018.

66. Granjal J, Monteiro E & Silva JS (2015) Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues. IEEE Communications Surveys & Tutorials 17(3): 1294–1312.

67. Yan Z, Zhang P & Vasilakos AV (2014) A Survey on Trust Management for Internet of Things. Journal of Network and Computer Applications 42: 120–134.

68. Minoli D, Sohraby K & Kouns J (2017) IoT Security (IoTSec) Considerations, Requirements, and Architectures. In: 14th IEEE Annual Consumer Communications & Networking Conference (CCNC), pp. 1006–1007.

69. Jing Q, Vasilakos AV, Wan J, Lu J & Qiu D (2014) Security of the Internet of Things: Perspectives and Challenges. Wireless Networks 20(8): 2481–2501.

70. Bandyopadhyay D & Sen J (2011) Internet of Things: Applications and Challenges in Technology and Standardization. Wireless Personal Communications 58(1): 49–69.

71. Heer T, Garcia-Morchon O, Hummen R, Keoh SL, Kumar SS & Wehrle K (2011) Security Challenges in the IP-based Internet of Things. Wireless Personal Communications 61(3): 527–542.

72. Raza S, Duquennoy S, Höglund J, Roedig U & Voigt T (2014) Secure Communication for the Internet of Things - A Comparison of Link-layer Security and IPsec for 6LoWPAN. Security and Communication Networks 7(12): 2654–2668.

73. Kaufman C, Hoffman P, Nir Y, Eronen P & Kivinen T (2014) Internet Key Exchange Protocol Version 2 (IKEv2). Technical report.

74. Rescorla E & Modadugu N (2012). Datagram Transport Layer Security Version 1.2. IETF RFC 6347. URI: https://tools.ietf.org/html/rfc6347. Accessed on 10.03.2018.

75. Raza S, Shafagh H, Hewage K, Hummen R & Voigt T (2013) Lithe: Lightweight Secure CoAP for the Internet of Things. IEEE Sensors Journal 13(10): 3711–3720.

76. Nikander P, Gurtov A & Henderson TR (2010) Host Identity Protocol (HIP): Connectivity, Mobility, Multi-homing, Security, and Privacy over IPv4 and IPv6 Networks. IEEE Communications Surveys & Tutorials 12(2): 186–204.

77. Garcia-Morchon O, Keoh SL, Kumar S, Moreno-Sanchez P, Vidal-Meca F & Ziegeldorf JH (2013) Securing the IP-based Internet of Things with HIP and DTLS. In: 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 119–124.

78. Kothmayr T, Schmitt C, Hu W, Brünig M & Carle G (2013) DTLS based Security and Two-way Authentication for the Internet of Things. Ad Hoc Networks 11(8): 2710–2723.

79. Liu J, Xiao Y & Chen CP (2012) Authentication and Access Control in the Internet of Things. In: 32nd IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 588–592.

80. Turkanovic M, Brumen B & Hölbl M (2014) A Novel User Authentication and Key Agreement Scheme for Heterogeneous Ad Hoc Wireless Sensor Networks, Based on the Internet of Things Notion. Ad Hoc Networks 20: 96–112.

81. Farash MS, Turkanovic M, Kumari S & Hölbl M (2016) An Efficient User Authentication and Key Agreement Scheme for Heterogeneous Wireless Sensor Network Tailored for the Internet of Things Environment. Ad Hoc Networks 36: 152–176.

82. Ning H, Liu H & Yang LT (2015) Aggregated-Proof Based Hierarchical Authentication Scheme for the Internet of Things. IEEE Transactions on Parallel and Distributed Systems 26(3): 657–667.

83. Hummen R, Ziegeldorf JH, Shafagh H, Raza S & Wehrle K (2013) Towards Viable Certificate-Based Authentication for the Internet of Things. In: 2nd ACM Workshop on Hot Topics on Wireless Network Security and Privacy, pp. 37–42.

84. Hummen R, Shafagh H, Raza S, Voigt T & Wehrle K (2014) Delegation-based Authentication and Authorization for the IP-based Internet of Things. In: 11th IEEE International Conference on Sensing, Communication, and Networking (SECON), pp. 284–292.

85. Jiang Q, Zeadally S, Ma J & He D (2017) Lightweight Three-factor Authentication and Key Agreement Protocol for Internet-integrated Wireless Sensor Networks. IEEE Access 5: 3376–3392.

86. Klaoudatou E, Konstantinou E, Kambourakis G & Gritzalis S (2011) A Survey on Cluster-based Group Key Agreement Protocols for WSNs. IEEE Communications Surveys & Tutorials 13(3): 429–442.

87. Yao X, Han X, Du X & Zhou X (2013) A Lightweight Multicast Authentication Mechanism for Small Scale IoT Applications. IEEE Sensors Journal 13(10): 3693–3701.

88. Arkko J, Carrara E, Lindholm F, Norrman K & Naslund M (2004). MIKEY: Multimedia Internet KEYing. IETF RFC 3830. URI: https://tools.ietf.org/html/rfc3830. Accessed on 04.02.2018.

89. Son JH, Lee JS & Seo SW (2010) Topological Key Hierarchy for Energy-efficient Group Key Management in Wireless Sensor Networks. Wireless Personal Communications 52(2): 359.

90. Lee CY, Wang ZH, Harn L & Chang CC (2011) Secure Key Transfer Protocol Based on Secret Sharing for Group Communications. IEICE Transactions on Information and Systems 94(11): 2069–2076.

91. Harn L & Lin C (2010) Authenticated Group Key Transfer Protocol Based on Secret Sharing. IEEE Transactions on Computers 59(6): 842–846.

92. Yuan W, Hu L, Li H & Chu J (2013) Security and Improvement of an Authenticated Group Key Transfer Protocol Based on Secret Sharing. Applied Mathematics & Information Sciences 7(5): 1943.

93. Shamir A (1979) How to Share a Secret. Communications of the ACM 22(11): 612–613.

94. Armando A, Basin D, Boichut Y, Chevalier Y, Compagna L, Cuéllar J, Drielsma PH, Héam PC, Kouchnarenko O, Mantovani J et al. (2005) The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: International Conference on Computer Aided Verification, pp. 281–285. Springer.

95. Jurcut A, Coffey T & Dojen R (2013) Establishing and Fixing Security Protocols Weaknesses Using a Logic-based Verification Tool. Journal of Communications 8(11): 795–806.

96. Alkim E, Ducas L, Pöppelmann T & Schwabe P (2016) Post-quantum Key Exchange - A New Hope. In: USENIX Security Symposium, volume 2016.

97. Dorri A, Kanhere SS, Jurdak R & Gauravaram P (2017) Blockchain for IoT Security and Privacy: The Case Study of a Smart Home. In: IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pp. 618–623.

Appendix 1 Definitions of security protocols

1.1 Elliptic Curve Cryptography (ECC)

For ECC, Elliptic Curves (ECs) are defined over a finite field by an equation in two variables whose coefficients are elements of that finite field. As a result, all the variables, coefficients and curve points belong to the same finite abelian group G. The resulting points of curve operations are also restricted to the same abelian group. A special point O, known as the zero element or point at infinity, is the identity element of the group. ECC is formulated with EC point addition, point scalar multiplication, and additive and multiplicative inverses of ECs over prime integer fields or binary polynomial fields. Modular arithmetic is the foundation of all EC point operations. The implementation of ECC on WSNs is performed over prime integer fields, since binary polynomial field operations are too expensive for low-power sensors.

We consider ECs defined over prime fields $\mathbb{Z}_p$, where p is a large prime number. The variables and coefficients take values between 0 and p−1, and calculations are performed modulo p. Let $a, b \in \mathbb{Z}_p$ with $4a^3 + 27b^2 \neq 0$. Then the EC is defined as

$y^2 \bmod p = (x^3 + ax + b) \bmod p$ (1)

Once p, a, and b are selected, the group of EC points $E_p(a,b)$ is defined as the set of points satisfying Equation 1. Then a base point (generator) $G = (x_1, y_1)$ is chosen such that the order of G is a very large value n, i.e., $n * G = O$. The key building block of ECC is scalar point multiplication, $Q = k * P$, where k is a positive integer and P and Q are points on the EC. The value $k * P$ is computed by adding the point P to itself k−1 times, which yields the resulting point Q. However, recovering k from the points P and Q is a hard, computationally infeasible problem, known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). In real-world applications k is chosen to be large in order to resist guessing and brute-force attacks.

1.2 Diffie-Hellman Key Exchange

DH key exchange is an asymmetric cryptographic protocol which is the foundation of many public-key protocols. Its security is based on the computational hardness of solving the Discrete Logarithm Problem (DLP). As given in the message flow below, in the generic DH protocol the two peers Alice and Bob first agree on a prime p and a generator g, and define their secret values A and B. They compute and exchange the corresponding public values $a = g^A \bmod p$ and $b = g^B \bmod p$. Finally, the same DH shared secret key K is computed by Alice and Bob. However, since plain DH key exchange is vulnerable to man-in-the-middle attacks, digital signatures (DSs) are added to the messages. A DS is produced with the signer's private key and verified with the corresponding public key at the other party.

Alice                                        Bob
Generate A = random()                        Generate B = random()
a = g^A mod p                                b = g^B mod p
             ---------- a ---------->        K = a^B mod p = g^(AB) mod p
K = b^A mod p = g^(BA) mod p    <---------- b ----------

1.2.1 Elliptic Curve Diffie-Hellman Key Exchange (ECDH)

Elliptic Curve Diffie-Hellman Key Exchange (ECDH) is the EC variant of the standard DH protocol. The security of ECDH is based on the complexity of solving the ECDLP. As given in the message flow below, using the received information and their private keys, both Alice and Bob compute a secret key K. The difficulty of the ECDLP ensures that the private keys $k_A$ and $k_B$ and the shared secret $(k_A * k_B) * G$ are infeasible to compute given $P_A$ and $P_B$.

Alice                                        Bob
Private key k_A                              Private key k_B
P_A = k_A * G                                P_B = k_B * G
             ---------- P_A ---------->      K = k_B * P_A = k_B * (k_A * G)
K = k_A * P_B = k_A * (k_B * G)   <---------- P_B ----------


1.3 Elliptic Curve Qu-Vanstone (ECQV) implicit certificate

Due to the smaller size of the ECQV certificate, it is a practical alternative to X.509 certificate-based security association. The certificate scheme is defined using three entities, namely a certificate authority (CA), a certificate requester and a certificate processor, and six stages as follows: ECQV setup, certificate request, certificate generation, certificate extraction, certificate public key extraction, certificate reception and certificate verification. The private and public keys of the CA are $q_{CA}$ and $Q_{CA} = q_{CA} * G$. Alice's identity, private key and public key are named $I_A$, $q_A$ and $Q_A$, respectively. The cryptographic hash function is denoted H(.).

Alice                                          CA
Generate r_A in [1, n−1]
R_A = r_A * G
             ---------- R_A, I_A ---------->   Generate r_CA in [1, n−1]
                                               Implicit certificate:
                                               Cert_A = R_A + r_CA * G = R_A + R_CA
                                               Implicit signature:
                                               s = q_CA + r_CA * H(Cert_A, I_A)
q_A = s + r_A * H(Cert_A, I_A)   <---------- Cert_A, s ----------
Q_A = q_A * G

Alice's public key can be computed by any third party from the implicit certificate and $Q_{CA}$ alone, as follows.

$$
\begin{aligned}
Q_A &= q_A * G = (s + r_A * H(Cert_A, I_A)) * G \\
    &= (q_{CA} + r_{CA} * H(Cert_A, I_A) + r_A * H(Cert_A, I_A)) * G \\
    &= q_{CA} * G + (r_{CA} * G + r_A * G) * H(Cert_A, I_A) \\
    &= Q_{CA} + Cert_A * H(Cert_A, I_A)
\end{aligned} \qquad (2)
$$
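The following added example (not code from the thesis) implements the point arithmetic of Section 1.1, the ECDH exchange of Section 1.2.1 and the ECQV issuance flow of Section 1.3 with the formulas above, and checks Equation (2) by recovering Alice's public key from Cert_A and Q_CA alone. It assumes the secp256k1 curve parameters, SHA-256 as H(.) and a fixed 64-byte point encoding as the hash input; the thesis fixes none of these.

```python
"""Added example (not the thesis's own code): EC point arithmetic of Section 1.1,
the ECDH exchange of Section 1.2.1 and the ECQV flow of Section 1.3, following
the thesis's formulas. Assumptions: secp256k1 parameters (the thesis fixes no
curve), SHA-256 for H(.), and a 64-byte point encoding as the hash input.
"""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + A*x + B (mod P); G has prime order N, so N*G = O.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # point at infinity: the identity element of the group


def on_curve(pt):
    """Equation (1): y^2 = x^3 + a*x + b (mod p); O counts as on the curve."""
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def point_add(p1, p2):
    """EC point addition over Z_p, covering identity, inverse and doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # p2 = -p1, so the sum is the identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Q = k*P by double-and-add: O(log k) additions instead of k-1."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(k_own, pub_peer):
    """K = k_own * P_peer; both peers arrive at (k_A * k_B) * G."""
    return scalar_mult(k_own, pub_peer)


def hash_to_scalar(cert, identity):
    """H(Cert_A, I_A): SHA-256 over the encoded certificate point and the
    identity, reduced mod N (a zero result has negligible probability)."""
    data = cert[0].to_bytes(32, "big") + cert[1].to_bytes(32, "big") + identity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def ecqv_request(r_a):
    """Alice: R_A = r_A * G, sent to the CA together with I_A."""
    return scalar_mult(r_a, G)


def ecqv_issue(q_ca, r_ca, R_a, identity):
    """CA: Cert_A = R_A + r_CA*G and s = q_CA + r_CA * H(Cert_A, I_A) mod n."""
    cert = point_add(R_a, scalar_mult(r_ca, G))
    s = (q_ca + r_ca * hash_to_scalar(cert, identity)) % N
    return cert, s


def ecqv_extract_private(r_a, cert, s, identity):
    """Alice: q_A = s + r_A * H(Cert_A, I_A) mod n."""
    return (s + r_a * hash_to_scalar(cert, identity)) % N


def ecqv_public_from_cert(Q_ca, cert, identity):
    """Any third party, Equation (2): Q_A = Q_CA + Cert_A * H(Cert_A, I_A)."""
    return point_add(Q_ca, scalar_mult(hash_to_scalar(cert, identity), cert))


def demo(identity=b"alice@sensor-net"):
    """Full run with fresh random scalars. True when Equation (2) recovers
    q_A*G and an ECDH run between Alice and the CA agrees on K."""
    q_ca, r_a, r_ca = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    Q_ca = scalar_mult(q_ca, G)
    cert, s = ecqv_issue(q_ca, r_ca, ecqv_request(r_a), identity)
    q_a = ecqv_extract_private(r_a, cert, s, identity)
    Q_a = scalar_mult(q_a, G)
    recovered_ok = ecqv_public_from_cert(Q_ca, cert, identity) == Q_a
    ecdh_ok = ecdh_shared_secret(q_a, Q_ca) == ecdh_shared_secret(q_ca, Q_a)
    return recovered_ok and ecdh_ok
```

Note that a verifier who is handed a certificate bound to a different identity recovers a different point, which is what makes the implicit certificate useful without a separate signature.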

1.4 Host Identity Protocol

1.4.1 HIP BEX Protocol

The first well-known variant of HIP is called Base Exchange (HIP-BEX), which dynamically establishes security associations between HIP peers on the Internet. The message flow of HIP-BEX consists of four messages (I1, R1, I2, R2) between the initiator and the responder, which compute the DH key $K_{DH}$ at both sides, as depicted below.

Initiator                                            Responder
             ------ I1: SRC HIT [DST HIT] ------>
Check signature.           <------ R1: puzzle, DH_R, sign ------
Solve puzzle.
Compute K_DH.
             ------ I2: solution, DH_I, sign ------> Check signature and solution.
                                                     Compute K_DH.
Check signature and MAC.   <------ R2: sign, MAC ------

The main objective of HIP BEX is to perform an authenticated key agreement between two HIP peers (i.e., I for the initiator and R for the responder). The first message, I1, sent by the initiator I, simply triggers the responder R to send an R1 message. The I1 message includes the source host identity tag (HIT) (SRC HIT) and an optional destination HIT (DST HIT). The responder replies with the R1 message, which is pre-computed and composed of a cryptographic puzzle, a public DH key ($DH_R$), and a signature for node authentication. In order to continue with HIP BEX, the initiator has to solve the puzzle and provide the solution along with its public DH key ($DH_I$) and signature in the I2 message. By solving the puzzle the initiator demonstrates its commitment to the responder to start secure communications, and by verifying the solution before doing any expensive work the responder can mitigate denial-of-service attacks. In the meantime, the initiator computes the DH session key $K_{DH}$. Once the responder has verified the solution, it can confidently continue with the computation of the DH session key $K_{DH}$ and start the secure HIP association with the initiator. The last message, R2, finalizes the exchange and sends a (signed) message authentication code (MAC), computed with the generated DH key, to the initiator for key confirmation. In HIP BEX, both the initiator and the responder undertake heavy cryptographic operations, including the computation of two modular exponentiations for the generation of the DH key.
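As an added example (not from the thesis), the following Python models the responder-side puzzle check described above: the responder spends one hash to reject a bogus I2 and only then pays for the $K_{DH}$ computation, which is the denial-of-service mitigation the text refers to. The puzzle shape (the low K bits of a hash over the responder's nonce I, both HITs and the initiator's value J must be zero) follows the HIP specification in RFC 7401; SHA-256, 16-byte HITs, 8-byte I and J, and the nonce-rotation policy are assumptions of this example.

```python
"""Added example (not from the thesis): the HIP puzzle as a responder-side
DoS mitigation. The responder spends one hash to reject a bogus I2 and only
then performs the expensive K_DH computation.

Puzzle shape follows RFC 7401 (low K bits of RHASH(I | HIT_I | HIT_R | J) are
zero); SHA-256, 16-byte HITs and 8-byte I and J are assumptions of this example.
"""
import hashlib
import os


def puzzle_ok(I, hit_i, hit_r, J, K):
    """Responder-side check: a single hash, no per-initiator state."""
    digest = hashlib.sha256(I + hit_i + hit_r + J).digest()
    return int.from_bytes(digest, "big") & ((1 << K) - 1) == 0


def solve_puzzle(I, hit_i, hit_r, K):
    """Initiator-side search for J; expected cost is about 2**K hashes.
    Returns (J, hashes_tried) so the work asymmetry can be measured."""
    j = 0
    while True:
        J = j.to_bytes(8, "big")
        if puzzle_ok(I, hit_i, hit_r, J, K):
            return J, j + 1
        j += 1


class Responder:
    """Holds only the puzzle nonces I it currently accepts (rotated over time)
    and the difficulty K; R1 messages can be pre-computed from these."""

    def __init__(self, hit_r, difficulty):
        self.hit_r = hit_r
        self.difficulty = difficulty
        self.valid_nonces = set()
        self.dh_computations = 0  # expensive operations actually performed

    def make_r1(self):
        """Pre-computable R1 content: fresh nonce I and difficulty K."""
        I = os.urandom(8)
        self.valid_nonces.add(I)
        return I, self.difficulty

    def rotate(self):
        """Retire all outstanding nonces; stale solutions are no longer accepted."""
        self.valid_nonces.clear()

    def handle_i2(self, hit_i, I, J):
        """Accept I2 (and pay for the DH computation) only for a valid solution
        to a puzzle this responder issued."""
        if I not in self.valid_nonces:
            return False  # unknown or expired R1 reference
        if not puzzle_ok(I, hit_i, self.hit_r, J, self.difficulty):
            return False  # bogus solution: dropped before any DH work
        self.dh_computations += 1  # the real protocol computes K_DH here
        return True


def run_exchange(difficulty=12, flood_size=1000):
    """Constructed run: one honest initiator solves the puzzle, then a flood of
    I2 messages with random J arrives. Returns
    (honest_accepted, honest_hashes, flood_accepted, dh_computations)."""
    hit_i = bytes(range(16))       # constructed 128-bit HITs, not real ones
    hit_r = bytes(range(16, 32))
    resp = Responder(hit_r, difficulty)
    I, K = resp.make_r1()
    J, hashes = solve_puzzle(I, hit_i, hit_r, K)
    honest = resp.handle_i2(hit_i, I, J)
    # Each flooded I2 costs the responder one hash; almost all are rejected.
    flood_accepted = sum(resp.handle_i2(hit_i, I, os.urandom(8)) for _ in range(flood_size))
    return honest, hashes, flood_accepted, resp.dh_computations
```

Raising `difficulty` raises the initiator's expected work by a factor of two per bit while the responder's cost per I2 stays at one hash, which is the asymmetry a responder under load relies on.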


1.4.2 HIP DEX Protocol

HIP DEX is a modified version of the HIP BEX protocol with a reduced computational overhead.

Initiator                                                       Responder
             ------ I1: SRC HIT [DST HIT] ------>               Select precomputed R1.
Solve puzzle.               <------ R1: puzzle, PK_R ------
Perform ECDH.
Encrypt x.
             ------ I2: solution, PK_I, E(K_DH, x), MAC ------> Check puzzle and MAC.
                                                                Perform ECDH.
                                                                Decrypt x. Encrypt y.
Check MAC.                  <------ R2: E(K_DH, y), MAC ------
Decrypt y.

The first message, I1, includes the source host identity tag (SRC HIT) and an optional destination HIT (DST HIT). The second message, R1, contains a cryptographic challenge as a puzzle similar to HIP BEX, and a public key $PK_R$. In HIP DEX, the initiator and responder perform an Elliptic Curve DH (ECDH) key calculation using the public key (PK) values to produce $K_{DH}$. The third message, I2, contains the solution to the puzzle, $PK_I$ and a key wrap parameter $E(K_{DH}, x)$. The random values x and y are respectively the initiator's and responder's contributions to the final session secret key. The message I2 also carries a MAC value to ensure message integrity against tampering or corruption. The fourth message, R2, also contains a MAC value and the responder's key wrap parameter $E(K_{DH}, y)$, and it finalizes the handshake. In HIP DEX, the ECDH key is used to encrypt the secrets (x, y), which are eventually used to generate the final session key for encrypting subsequent data packets.


Original publications

I Porambage P, Kumar P, Schmitt C, Gurtov A & Ylianttila M (2013) Certificate-based Pairwise Key Establishment Protocol for Wireless Sensor Networks. In Proceedings of IEEE 16th International Conference on Computational Science and Engineering (CSE), Sydney, Australia, pp. 667-674, DOI:10.1109/CSE.2013.103.

II Porambage P, Schmitt C, Kumar P, Gurtov A & Ylianttila M (2014) Two-phase Authentication Protocol for Wireless Sensor Networks in Distributed IoT Applications. In Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), Istanbul, Turkey, pp. 2728-2733, DOI:10.1109/WCNC.2014.6952860.

III Porambage P, Schmitt C, Kumar P, Gurtov A & Ylianttila M (2014) PAuthKey: A Pervasive Authentication Protocol and Key Establishment Scheme for Wireless Sensor Networks in Distributed IoT Applications. International Journal of Distributed Sensor Networks, Volume 2014, Article ID 35740, Hindawi, 14 pages, DOI:10.1155/2014/357430, ISSN:1550-1477.

IV Porambage P, Braeken A, Schmitt C, Gurtov A, Ylianttila M, & Stiller B (2015) Group Key Establishment for Enabling Secure Multicast Communication in Wireless Sensor Networks Deployed for IoT Applications. IEEE Access, Volume 3, pp. 1503-1511, DOI:10.1109/ACCESS.2015.2474705, ISSN:2169-3536.

V Porambage P, Braeken A, Kumar P, Gurtov A, & Ylianttila M (2015) Efficient Key Establishment for Constrained IoT Devices with Collaborative HIP-Based Approach. In Proceedings of IEEE Global Communications Conference (GLOBECOM), San Diego, USA, pp. 1-6, DOI:10.1109/GLOCOM.2015.7417094.

VI Porambage P, Braeken A, Kumar P, Gurtov A, & Ylianttila M (2017) CHIP: Collaborative Host Identity Protocol with Efficient Key Establishment for Constrained Devices in Internet of Things. Wireless Personal Communications Journal, volume 96, pp. 421-440, DOI:10.1007/s11277-017-4176-5, ISSN:1572-834X.

Reprinted with permission from IEEE (I, II, IV, V), Hindawi (III) and Springer (VI).

The original publications are not included in the electronic version of the dissertation.
