A Distributed Security Scheme to Secure Data Communication between Class-0 IoT Devices and the Internet

King, James

January 2015

This thesis focuses on securing data exchanged between highly constrained IoT devices and the internet. This thesis builds on existing research by combining elements of different research solutions to create a more secure solution. This solution helps to solve gaps in security left behind by existing solutions through the use of symmetric cryptography in data objects and IoT security gateways which act as intermediaries between devices and the internet. The goal of this research is to provide a security solution for devices which do not have the resources necessary to effectively implement the recommended TLS based protocols for secure communication over the internet. The solution provides confidentiality to data traveling between device and gateway while also providing confidentiality, integrity and authenticity to data traveling across the internet. The solution works by delegating demanding security processes to an IoT security gateway which securely processes communications to and from the internet using HTTPS (SSL/TLS). Security of data being passed between device and gateway is provided with AES symmetric encryption at the Data Link and Data Object layers. The performance of the solution is measured by timing the security process of the IoT device while also measuring the resource requirements of applying the solution to the device. / <p>Validerat; 20150622 (global_studentproject_submitter)</p>

Technology

Information Security

Internet of Things

Constrained Devices

IoT

Teknik

Real-Time Localization of Planar Targets on Power-Constrained Devices

Akhoury, Sharat Saurabh

20 September 2013

In this thesis we present a method for detecting planar targets in real-time on power-constrained, or low-powered, hand-held devices such as mobile phones. We adopt the feature recognition (also referred to as feature matching) approach and employ fast-to-compute local feature descriptors to establish point correspondences. To obtain a satisfactory localization accuracy, most local feature descriptors seek a transformation of the input intensity patch that is invariant to various geometric and photometric deformations. Generally, such transformations are computationally intensive, hence are not ideal for real-time applications on limited hardware platforms. On the other hand, descriptors which are fast to compute are typically limited in their ability to provide invariance to a vast range of deformations. To address these shortcomings, we have developed a learning-based approach which can be applied to any local feature descriptor to increase the system’s robustness to both affine and perspective deformations. The motivation behind applying a learning-based approach is to transfer as much of the computational burden (as possible) onto an offline training phase, allowing a reduction in cost during online matching. The approach comprises of identifying keypoints which remain stable under artificially induced perspective transformations, extracting the corresponding feature vectors, and finally aggregating the feature vectors of coincident keypoints to obtain the final descriptors. We strictly focus on objects which are planar, thus allowing us to synthesize images of the object in order to capture the appearance of keypoint patches under several perspectives.

planar target detection

power-constrained devices

feature recognition

Real-Time Localization of Planar Targets on Power-Constrained Devices

Akhoury, Sharat Saurabh

January 2013

In this thesis we present a method for detecting planar targets in real-time on power-constrained, or low-powered, hand-held devices such as mobile phones. We adopt the feature recognition (also referred to as feature matching) approach and employ fast-to-compute local feature descriptors to establish point correspondences. To obtain a satisfactory localization accuracy, most local feature descriptors seek a transformation of the input intensity patch that is invariant to various geometric and photometric deformations. Generally, such transformations are computationally intensive, hence are not ideal for real-time applications on limited hardware platforms. On the other hand, descriptors which are fast to compute are typically limited in their ability to provide invariance to a vast range of deformations. To address these shortcomings, we have developed a learning-based approach which can be applied to any local feature descriptor to increase the system’s robustness to both affine and perspective deformations. The motivation behind applying a learning-based approach is to transfer as much of the computational burden (as possible) onto an offline training phase, allowing a reduction in cost during online matching. The approach comprises of identifying keypoints which remain stable under artificially induced perspective transformations, extracting the corresponding feature vectors, and finally aggregating the feature vectors of coincident keypoints to obtain the final descriptors. We strictly focus on objects which are planar, thus allowing us to synthesize images of the object in order to capture the appearance of keypoint patches under several perspectives.

planar target detection

power-constrained devices

feature recognition

Efficient Cryptographic Constructions For Resource-Constrained Blockchain Clients

Duc Viet Le (11191410)

28 July 2021

<div><div>The blockchain offers a decentralized way to provide security guarantees for financial transactions. However, this ability comes with the cost of storing a large (distributed) blockchain state and introducing additional computation and communication overhead to all participants. All these drawbacks raise a challenging scalability problem, especially for resource-constrained blockchain clients. On the other hand, some scaling solutions typically require resource-constrained clients to rely on other nodes with higher computational and storage capabilities. However, such scaling solutions often expose the data of the clients to risks of compromise of the more powerful nodes they rely on (e.g., accidental, malicious through a break-in, insider misbehavior, or malware infestation). This potential for leakage raises a privacy concern for these constrained clients, in addition to other scaling-related concerns. This dissertation proposes several cryptographic constructions and system designs enabling resource-constrained devices to participate in the blockchain network securely and efficiently. </div><div><br></div><div>Our first proposal concerns the storage facet for which we propose two add-on privacy designs to address the scaling issue of storing a large blockchain state. </div><div>The first solution is an oblivious database framework, called T³, that allows resource-constrained clients to obliviously fetch blockchain data from potential malicious full clients. The second solution focuses on the problem of using and storing additional private-by-design blockchains (e.g., Monero or ZCash) to achieve privacy. We propose an add-on tumbler design, called AMR, that offers privacy directly to clients of non-private blockchains such as Ethereum without the cost of storing and using different blockchain states.</div><div><br></div><div>Our second proposal addresses the communication facet with focus on payment channels as a solution to address the communication overhead between the constrained clients and the blockchain network. A payment channel enables transactions between arbitrary pairs of constrained clients with a minimal communication overhead with the blockchain network. However, in popular blockchains like Ethereum and Bitcoin, the payment data of such channels are exposed to the public, which is undesirable for financial applications. Thus, to hide transaction data, one can use blockchains that are private by design like Monero. However, existing cryptographic primitives in Monero prevent the system from supporting any form of payment channels. Therefore, we present <i>Dual Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (DLSAG),</i> a linkable ring signature scheme that enables, for the first time, off-chain scalability solutions in Monero. </div><div><br></div><div>To address the computation facet, we address the computation overhead of the gossip protocol used in all popular blockchain protocols. For this purpose, we propose a signature primitive called <i>Flexible Signature</i>. In a flexible signature scheme, the verification algorithm quantifies the validity of a signature based on the computational effort performed by the verifier. Thus, the resource-constrained devices can partially verify the signatures in the blockchain transactions before relaying transactions to other peers. This primitive allows the resource-constrained devices to prevent spam transactions from flooding the blockchain network with overhead that is consistent with their resource constraints. </div></div>

Computer System Security

blockchain

cryptography

Oblivious Database

resource-constrained devices

Efficient Cryptographic Algorithms and Protocols for Mobile Ad Hoc Networks

Fan, Xinxin

12 April 2010

As the next evolutionary step in digital communication systems, mobile ad hoc networks (MANETs) and their specialization like wireless sensor networks (WSNs) have been attracting much interest in both research and industry communities. In MANETs, network nodes can come together and form a network without depending on any pre-existing infrastructure and human intervention. Unfortunately, the salient characteristics of MANETs, in particular the absence of infrastructure and the constrained resources of mobile devices, present enormous challenges when designing security mechanisms in this environment. Without necessary measures, wireless communications are easy to be intercepted and activities of users can be easily traced. This thesis presents our solutions for two important aspects of securing MANETs, namely efficient key management protocols and fast implementations of cryptographic primitives on constrained devices. Due to the tight cost and constrained resources of high-volume mobile devices used in MANETs, it is desirable to employ lightweight and specialized cryptographic primitives for many security applications. Motivated by the design of the well-known Enigma machine, we present a novel ultra-lightweight cryptographic algorithm, referred to as Hummingbird, for resource-constrained devices. Hummingbird can provide the designed security with small block size and is resistant to the most common attacks such as linear and differential cryptanalysis. Furthermore, we also present efficient software implementations of Hummingbird on 4-, 8- and 16-bit microcontrollers from Atmel and Texas Instruments as well as efficient hardware implementations on the low-cost field programmable gate arrays (FPGAs) from Xilinx, respectively. Our experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized software implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT on the similar platforms. In addition, the speed optimized Hummingbird encryption core can achieve a throughput of 160.4 Mbps and the area optimized encryption core only occupies 253 slices on a Spartan-3 XC3S200 FPGA device. Bilinear pairings on the Jacobians of (hyper-)elliptic curves have received considerable attention as a building block for constructing cryptographic schemes in MANETs with new and novel properties. Motivated by the work of Scott, we investigate how to use efficiently computable automorphisms to speed up pairing computations on two families of non-supersingular genus 2 hyperelliptic curves over prime fields. Our findings lead to new variants of Miller's algorithm in which the length of the main loop can be up to 4 times shorter than that of the original Miller's algorithm in the best case. We also generalize Chatterjee et al.'s idea of encapsulating the computation of the line function with the group operations to genus 2 hyperelliptic curves, and derive new explicit formulae for the group operations in projective and new coordinates in the context of pairing computations. Efficient software implementation of computing the Tate pairing on both a supersingular and a non-supersingular genus 2 curve with the same embedding degree of k = 4 is investigated. Combining the new algorithm with known optimization techniques, we show that pairing computations on non-supersingular genus 2 curves over prime fields use up to 55.8% fewer field operations and run about 10% faster than supersingular genus 2 curves for the same security level. As an important part of a key management mechanism, efficient key revocation protocol, which revokes the cryptographic keys of malicious nodes and isolates them from the network, is crucial for the security and robustness of MANETs. We propose a novel self-organized key revocation scheme for MANETs based on the Dirichlet multinomial model and identity-based cryptography. Firmly rooted in statistics, our key revocation scheme provides a theoretically sound basis for nodes analyzing and predicting peers' behavior based on their own observations and other nodes' reports. Considering the difference of malicious behaviors, we proposed to classify the nodes' behavior into three categories, namely good behavior, suspicious behavior and malicious behavior. Each node in the network keeps track of three categories of behavior and updates its knowledge about other nodes' behavior with 3-dimension Dirichlet distribution. Based on its own analysis, each node is able to protect itself from malicious attacks by either revoking the keys of the nodes with malicious behavior or ceasing the communication with the nodes showing suspicious behavior for some time. The attack-resistant properties of the resulting scheme against false accusation attacks launched by independent and collusive adversaries are also analyzed through extensive simulations. In WSNs, broadcast authentication is a crucial security mechanism that allows a multitude of legitimate users to join in and disseminate messages into the networks in a dynamic and authenticated way. During the past few years, several public-key based multi-user broadcast authentication schemes have been proposed in the literature to achieve immediate authentication and to address the security vulnerability intrinsic to μTESLA-like schemes. Unfortunately, the relatively slow signature verification in signature-based broadcast authentication has also incurred a series of problems such as high energy consumption and long verification delay. We propose an efficient technique to accelerate the signature verification in WSNs through the cooperation among sensor nodes. By allowing some sensor nodes to release the intermediate computation results to their neighbors during the signature verification, a large number of sensor nodes can accelerate their signature verification process significantly. When applying our faster signature verification technique to the broadcast authentication in a 4×4 grid-based WSN, a quantitative performance analysis shows that our scheme needs 17.7%~34.5% less energy and runs about 50% faster than the traditional signature verification method.

Mobile Ad Hoc Netwoks

Resource-Constrained Devices

Cryptographic Algorithms

Security Protocols

Electrical and Computer Engineering

Efficient Cryptographic Algorithms and Protocols for Mobile Ad Hoc Networks

Fan, Xinxin

12 April 2010

As the next evolutionary step in digital communication systems, mobile ad hoc networks (MANETs) and their specialization like wireless sensor networks (WSNs) have been attracting much interest in both research and industry communities. In MANETs, network nodes can come together and form a network without depending on any pre-existing infrastructure and human intervention. Unfortunately, the salient characteristics of MANETs, in particular the absence of infrastructure and the constrained resources of mobile devices, present enormous challenges when designing security mechanisms in this environment. Without necessary measures, wireless communications are easy to be intercepted and activities of users can be easily traced. This thesis presents our solutions for two important aspects of securing MANETs, namely efficient key management protocols and fast implementations of cryptographic primitives on constrained devices. Due to the tight cost and constrained resources of high-volume mobile devices used in MANETs, it is desirable to employ lightweight and specialized cryptographic primitives for many security applications. Motivated by the design of the well-known Enigma machine, we present a novel ultra-lightweight cryptographic algorithm, referred to as Hummingbird, for resource-constrained devices. Hummingbird can provide the designed security with small block size and is resistant to the most common attacks such as linear and differential cryptanalysis. Furthermore, we also present efficient software implementations of Hummingbird on 4-, 8- and 16-bit microcontrollers from Atmel and Texas Instruments as well as efficient hardware implementations on the low-cost field programmable gate arrays (FPGAs) from Xilinx, respectively. Our experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized software implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT on the similar platforms. In addition, the speed optimized Hummingbird encryption core can achieve a throughput of 160.4 Mbps and the area optimized encryption core only occupies 253 slices on a Spartan-3 XC3S200 FPGA device. Bilinear pairings on the Jacobians of (hyper-)elliptic curves have received considerable attention as a building block for constructing cryptographic schemes in MANETs with new and novel properties. Motivated by the work of Scott, we investigate how to use efficiently computable automorphisms to speed up pairing computations on two families of non-supersingular genus 2 hyperelliptic curves over prime fields. Our findings lead to new variants of Miller's algorithm in which the length of the main loop can be up to 4 times shorter than that of the original Miller's algorithm in the best case. We also generalize Chatterjee et al.'s idea of encapsulating the computation of the line function with the group operations to genus 2 hyperelliptic curves, and derive new explicit formulae for the group operations in projective and new coordinates in the context of pairing computations. Efficient software implementation of computing the Tate pairing on both a supersingular and a non-supersingular genus 2 curve with the same embedding degree of k = 4 is investigated. Combining the new algorithm with known optimization techniques, we show that pairing computations on non-supersingular genus 2 curves over prime fields use up to 55.8% fewer field operations and run about 10% faster than supersingular genus 2 curves for the same security level. As an important part of a key management mechanism, efficient key revocation protocol, which revokes the cryptographic keys of malicious nodes and isolates them from the network, is crucial for the security and robustness of MANETs. We propose a novel self-organized key revocation scheme for MANETs based on the Dirichlet multinomial model and identity-based cryptography. Firmly rooted in statistics, our key revocation scheme provides a theoretically sound basis for nodes analyzing and predicting peers' behavior based on their own observations and other nodes' reports. Considering the difference of malicious behaviors, we proposed to classify the nodes' behavior into three categories, namely good behavior, suspicious behavior and malicious behavior. Each node in the network keeps track of three categories of behavior and updates its knowledge about other nodes' behavior with 3-dimension Dirichlet distribution. Based on its own analysis, each node is able to protect itself from malicious attacks by either revoking the keys of the nodes with malicious behavior or ceasing the communication with the nodes showing suspicious behavior for some time. The attack-resistant properties of the resulting scheme against false accusation attacks launched by independent and collusive adversaries are also analyzed through extensive simulations. In WSNs, broadcast authentication is a crucial security mechanism that allows a multitude of legitimate users to join in and disseminate messages into the networks in a dynamic and authenticated way. During the past few years, several public-key based multi-user broadcast authentication schemes have been proposed in the literature to achieve immediate authentication and to address the security vulnerability intrinsic to μTESLA-like schemes. Unfortunately, the relatively slow signature verification in signature-based broadcast authentication has also incurred a series of problems such as high energy consumption and long verification delay. We propose an efficient technique to accelerate the signature verification in WSNs through the cooperation among sensor nodes. By allowing some sensor nodes to release the intermediate computation results to their neighbors during the signature verification, a large number of sensor nodes can accelerate their signature verification process significantly. When applying our faster signature verification technique to the broadcast authentication in a 4×4 grid-based WSN, a quantitative performance analysis shows that our scheme needs 17.7%~34.5% less energy and runs about 50% faster than the traditional signature verification method.

Mobile Ad Hoc Netwoks

Resource-Constrained Devices

Cryptographic Algorithms

Security Protocols

Electrical and Computer Engineering

MDE-URDS-A Mobile Device Enabled Service Discovery System

Pradhan, Ketaki A.

16 August 2011

Indiana University-Purdue University Indianapolis (IUPUI) / Component-Based Software Development (CSBD) has gained widespread importance in recent times, due to its wide-scale applicability in software development. System developers can now pick and choose from the pre-existing components to suit their requirements in order to build their system. For the purpose of developing a quality-aware system, finding the suitable components offering services is an essential and critical step. Hence, Service Discovery is an important step in the development of systems composed from already existing quality-aware software services. Currently, there is a plethora of new-age devices, such as PDAs, and cell phones that automate daily activities and provide a pervasive connectivity to users. The special characteristics of these devices (e.g., mobility, heterogeneity) make them as attractive choices to host services. Hence, they need to be considered and integrated in the service discovery process. However, due to their limitations of battery life, intermittent connectivity and processing capabilities this task is not a simple one. This research addresses this challenge of including resource constrained devices by enhancing the UniFrame Resource Discovery System (URDS) architecture. This enhanced architecture is called Mobile Device Enabled Service Discovery System (MDE-URDS). The experimental validation of the MDE-URDS suggests that it is a scalable and quality-aware system, handling the limitations of mobile devices using existing and well established algorithms and protocols such as Mobile IP.

Computer software -- Development

Mobile computing

Storage-Centric System Architectures for Networked, Resource-Constrained Devices

Tsiftes, Nicolas

January 2016

The emergence of the Internet of Things (IoT) has increased the demand for networked, resource-constrained devices tremendously. Many of the devices used for IoT applications are designed to be resource-constrained, as they typically must be small, inexpensive, and powered by batteries. In this dissertation, we consider a number of challenges pertaining to these constraints: system support for energy efficiency; flash-based storage systems; programming, testing, and debugging; and safe and secure application execution. The contributions of this dissertation are made through five research papers addressing these challenges. Firstly, to enhance the system support for energy-efficient storage in resource-constrained devices, we present the design, implementation, and evaluation of the Coffee file system and the Antelope DBMS. Coffee provides a sequential write throughput that is over 92% of the attainable flash driver throughput, and has a constant memory footprint for open files. Antelope is the first full-fledged relational DBMS for sensor networks, and it provides two novel indexing algorithms to enable fast and energy-efficient database queries. Secondly, we contribute a framework that extends the functionality and increases the performance of sensornet checkpointing, a debugging and testing technique. Furthermore, we evaluate how different data compression algorithms can be used to decrease the energy consumption and data dissemination time when reprogramming sensor networks. Lastly, we present Velox, a virtual machine for IoT applications. Velox can enforce application-specific resource policies. Through its policy framework and its support for high-level programming languages, Velox helps to secure IoT applications. Our experiments show that Velox monitors applications' resource usage and enforces policies with an energy overhead below 3%. The experimental systems research conducted in this dissertation has had a substantial impact both in the academic community and the open-source software community. Several of the produced software systems and components are included in Contiki, one of the premier open-source operating systems for the IoT and sensor networks, and they are being used both in research projects and commercial products.

Internet of Things

wireless sensor networks

resource-constrained devices

file system

database management system

virtual machine

data compression

reprogramming

checkpointing

Enhanced Community-Based Routing for Low-Capacity Pocket Switched Networks

2013 August 1900

Sensor devices and the emergent networks that they enable are capable of transmitting information between data sources and a permanent data sink. Since these devices have low-power and intermittent connectivity, latency of the data may be tolerated in an effort to save energy for certain classes of data. The BUBBLE routing algorithm developed by Hui et al. in 2008 provides consistent routing by employing a model which computes individual nodes popularity from sets of nodes and then uses these popularity values for forwarding decisions. This thesis considers enhancements to BUBBLE based on the hypothesis that nodes do form groups and certain centrality values of nodes within these groups can be used to improve routing decisions further. Built on this insight, there are two algorithms proposed in this thesis. First is the Community-Based- Forwarding (CBF), which uses pairwise group interactions and pairwise node-to-group interactions as a measure of popularity for routing messages. By having a different measure of popularity than BUBBLE, as an additional factor in determining message forwarding, CBF is a more conservative routing scheme than BUBBLE. Thus, it provides consistently superior message transmission and delivery performance at an acceptable delay cost in resource constrained environments. To overcome this drawback, the concept of unique interaction pattern within groups of nodes is introduced in CBF and it is further renewed into an enhanced algorithm known as Hybrid-Community-Based- Forwarding (HCBF). Utilizing this factor will channel messages along the entire path with consideration for higher probability of contact with the destination group and the destination node. Overall, the major contribution of this thesis is to design and evaluate an enhanced social based routing algorithm for resource-constrained Pocket Switched Networks (PSNs), which will optimize energy consumption related to data transfer. It will do so by explicitly considering features of communities in order to reduce packet loss while maintaining high delivery ratio and reduced delay.

delay-tolerant networks

pocket-switched networks

social-based routing

resource-constrained devices

clustering

mobility

popularity

centrality

community

routing

algorithm

IoT Latency and Power consumption : Measuring the performance impact of MQTT and CoAP

Lagerqvist, Alexander, Lakshminarayana, Tejas

January 2018

The purpose of this thesis is to investigate the impact on latency and power consumption of certain usage environments for selected communication protocols that have been designed for resource constrained usage. The research questions in this thesis is based on the findings in Lindén report “A latency comparison of IoT protocols in MES” and seeks to answer the following: ”How does MQTT impact the latency and power consumption on a constrained device?” ”How does CoAP impact the latency and power consumption on a constrained device?” ”How does usage environment influence the latency for MQTT and CoAP?” This thesis only seeks to explore concepts and usage environments related to wireless sensor networks, internet of things and constrained devices. The experiments have been carried out on a ESP WROOM 32 Core board V2 applying MQTT and CoAP as the communication protocols. The overall research method used in this thesis is the experimental research design proposed by Wohlin et al. Experiments have been created to support or disprove hypotheses which are formulated to answer the research questions. The experiments were conducted in test environments, which mimic a real-life wireless sensor network environment. The process is thoroughly recorded to further increase the traceability of this thesis. This decision was made due to a comment Boyle et al. made about the problems with real-life experiments about the wireless communication-based research domain. Where Boyle et al. states that there is “insufficient knowledge” available for the research community. The MQTT related latency experiments showed that QoS level 0 had the lowest latency of all the QoS levels. However, the results also showed that QoS 1 and 2 almost had an identical latency. The CoAP related latency experiments did not indicate any obvious trends. The results from the power consumption related experiments were inconclusive since the data was incomplete. The usage environment related experiments yielded conclusive results. The data showed that there was a small variation in the latency impact across the various usage environments. Furthermore, the data suggest that CoAP and MQTT had lower latencies in a high signal strength environment compared to a lower signal strength environment. However, it is not clear if there were any unknown factors influencing the results.

Internet of things

IoT

Wireless sensor networks

WSN

Constrained devices

MQTT

CoAP

Latency

Power consumption

Experiment

Computer Systems

Datorsystem