Change search
Link to record
Permanent link

Direct link
BETA
Publications (10 of 46) Show all publications
Tiloca, M., Dini, G., Rizki, K. & Raza, S. (2019). Group rekeying based on member join history. International Journal of Information Security
Open this publication in new window or tab >>Group rekeying based on member join history
2019 (English)In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270Article in journal (Refereed) Epub ahead of print
Abstract [en]

This paper presents GREP, a novel group rekeying scheme that leverages the history of join events in order to achieve efficiency and high scalability. GREP rekeys the group with only two broadcast messages, hence displaying an overhead which is small, constant and independent of the group size. Also, GREP efficiently recovers the group from collusion attack with no recourse to total member reinitialization. Even in the very unlikely worst case, collusion recovery displays a smooth impact on performance that gradually increases with the attack severity. We implemented GREP for the Contiki OS and tested it on different resource-constrained platforms. Our analytical and experimental evaluation confirms that GREP is efficient, highly scalable and deployable also on constrained nodes. The paper extends a previous version of this work, especially through additional security analysis, treatise of probabilities for worst case collusion, and experimental evaluation of performance.

Place, publisher, year, edition, pages
Springer Verlag, 2019
Keywords
Group key management, Join history, Rekeying, Secure group communication, Security, Computer networks, Software engineering, Broadcast messages, Experimental evaluation, High scalabilities, Re-keying, Secure group communications, Security analysis, Network security
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-39677 (URN)10.1007/s10207-019-00451-0 (DOI)2-s2.0-85068966622 (Scopus ID)
Note

Funding details: 607109; Funding details: Università di Pisa, UniPi; Funding details: VINNOVA; Funding details: European Commission, EC; Funding details: Ministero dell’Istruzione, dell’Università e della Ricerca, MIUR; Funding text 1: The authors sincerely thank the anonymous referees and the associate editor for their insightful comments and suggestions. This work has been partially supported by: the European Commission under the 7-th Framework Programme (Grant Agreement No. 607109), for research, technological development and demonstration; VINNOVA and the Celtic-Next project CRITISEC; the EIT-Digital High Impact Initiative ACTIVE; the Italian Ministry of Education and Research (MIUR) in the framework of the CrossLab project (Departments of Excellence); the University of Pisa in the framework of PRA 2019. The authors also thank Rikard Höglund for his help during the implementation phase of this work.; Funding text 2: This research received funding from: the European Commission under the 7-th Framework Programme (Grant Agreement No. 607109), for research, technological development and demonstration; VINNOVA and the Celtic-Next project CRITISEC; the EIT-Digital High Impact Initiative ACTIVE; the Italian Ministry of Education and Research (MIUR) in the framework of the CrossLab project (Departments of Excellence); the University of Pisa in the framework of PRA 2019.

Available from: 2019-08-07 Created: 2019-08-07 Last updated: 2019-08-07Bibliographically approved
Tiloca, M., Dini, G., Rizki, K. & Raza, S. (2019). Group rekeying based on member join history. International Journal of Information Security
Open this publication in new window or tab >>Group rekeying based on member join history
2019 (English)In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270Article in journal (Refereed) Epub ahead of print
Abstract [en]

This paper presents GREP, a novel group rekeying scheme that leverages the history of join events in order to achieve efficiency and high scalability. GREP rekeys thegroup with only two broadcast messages, hence displaying an overhead which is small, constant and independent of the group size. Also, GREP efficiently recovers the group from collusion attack with no recourse to total member reinitialization. Even in the very unlikely worst case, collusion recovery displays a smooth impact on performance that gradually increases with the attack severity. We implemented GREP for the Contiki OS and tested it on different resource-constrained platforms. Our analytical and experimental evaluation confirm that GREP is efficient, highly scalable and deployable also on constrained nodes. The paper extends a previous version of this work, especially through additional security analysis, treatise of probabilities for worst case collusion, and experimental evaluation of performance.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2019
Keywords
Security, Group key management, Rekeying, Join history, Secure group communication
National Category
Engineering and Technology Electrical Engineering, Electronic Engineering, Information Engineering Communication Systems Computer Systems
Identifiers
urn:nbn:se:ri:diva-39284 (URN)0.1007/s10207-019-00451-0 (DOI)
Available from: 2019-06-29 Created: 2019-06-29 Last updated: 2019-08-12Bibliographically approved
Rizki, K., Lamproudi, A., Tiloca, M. & Raza, S. (2019). Group-IKEv2 for multicast IPsec in the internet of things. International Journal of Security and Networks (IJSN), 14(1), 10-22
Open this publication in new window or tab >>Group-IKEv2 for multicast IPsec in the internet of things
2019 (English)In: International Journal of Security and Networks (IJSN), ISSN 1747-8405, E-ISSN 1747-8413, Vol. 14, no 1, p. 10-22Article in journal (Refereed) Published
Abstract [en]

This paper presents Group-IKEv2, a group key management protocol supporting secure group communication based on multicast IPsec. Group-IKEv2 is an adaptation of the IKEv2 protocol for the IPsec suite, and is especially designed to address internet of things (IoT) scenarios composed of resource-constrained devices. Compared to static approaches, Group-IKEv2 enables dynamic and flexible establishment of IPsec group security associations as well as group key material. Also, it integrates the management and renewal of group key material, both on a periodical fashion and upon group membership changes. We have implemented Group-IKEv2 for the Contiki OS and tested it on the OpenMote resource-constrained platform. Our experimental performance evaluation confirms that Group-IKEv2 is affordable and deployable also on constrained IoT devices.

Place, publisher, year, edition, pages
Inderscience Enterprises Ltd., 2019
Keywords
Group communication, Group-IKEv2, Internet of things, Key management, Multicast IPsec, Secure communication, Security, Multicasting, Security of data, Experimental performance evaluations, Group communications, Group key management protocols, Resourceconstrained devices, Secure group communications
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-38462 (URN)10.1504/IJSN.2019.098908 (DOI)2-s2.0-85064263362 (Scopus ID)
Available from: 2019-05-06 Created: 2019-05-06 Last updated: 2019-05-06Bibliographically approved
He, Z., Furuhed, M. & Raza, S. (2019). Indraj: Digital certificate enrollment for battery-powered wireless devices. In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks: . Paper presented at 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, 15 May 2019 through 17 May 2019 (pp. 117-127). Association for Computing Machinery, Inc
Open this publication in new window or tab >>Indraj: Digital certificate enrollment for battery-powered wireless devices
2019 (English)In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks, Association for Computing Machinery, Inc , 2019, p. 117-127Conference paper, Published paper (Refereed)
Abstract [en]

A public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer unfeasible on small devices. To migrate IoT from poorly scalable, pair-wise symmetric encryption to PKI, a major obstacle remains: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN).We evaluate our implementation on a low power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well behaved, first-class citizens on the Internet.

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2019
Keywords
Contiki OS, Digital Certificate, Enrollment, EST, Internet of Things, PKI, Security, Constrained optimization, Digital devices, Electric batteries, Low power electronics, Mobile security, Mobile telecommunication systems, Network protocols, Personal communication systems, Public key cryptography, Semantics, Wireless networks, Constrained Application Protocol (CoAP), Contiki ossa, Digital certificates, IPv6 over low-power wireless personal area networks (6LoWPAN), Public-key infrastructure, Transport layer security, Network security
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-39056 (URN)10.1145/3317549.3323408 (DOI)2-s2.0-85066759864 (Scopus ID)9781450367264 (ISBN)
Conference
12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, 15 May 2019 through 17 May 2019
Note

Funding details: VINNOVA; Funding text 1: This research has partly been funded by VINNOVA, Formas och Energimyndigheten under the Strategic Innovation Program on IoT (SIP-IoT), and partly by VINNOVA through the Eurostars SecureIoT project.

Available from: 2019-06-26 Created: 2019-06-26 Last updated: 2019-06-26Bibliographically approved
Raza, S. & Magnusson, R. M. (2019). TinyIKE: Lightweight IKEv2 for Internet of Things. IEEE Internet of Things Journal, 6(1), 856-866, Article ID 8424816.
Open this publication in new window or tab >>TinyIKE: Lightweight IKEv2 for Internet of Things
2019 (English)In: IEEE Internet of Things Journal, ISSN 2327-4662, Vol. 6, no 1, p. 856-866, article id 8424816Article in journal (Refereed) Published
Abstract [en]

There is unanimous consensus that cyber security in the IoT is necessary. In cyber security, key establishment is one of the toughest problems. It is even more challenging in resource-constrained but Internet-connected IoT devices that use low-power wireless communication. A number of IoT communication protocols define cryptographic mechanisms for confidentiality and integrity services but do not specify key management. For example, IEEE 802.15.4, RPL, and object security all rely on external key management protocols. Due to the lack of automatic key management support, IoT devices either end up using pre-shared keys or no security at all. In this paper we overcome these challenges and present TinyIKE, a lightweight adaptation of IKEv2 for the IoT. Using TinyIKE, we solve the key establishment problem for multiple IoT protocols using a single IKEv2-based solution. We implement TinyIKE for resource-constrained IoT devices that run the Contiki OS. The TinyIKE implementation supports full certificate-based IKEv2 that uses Elliptic Curve Cryptography (ECC). In order to ensure the feasibility of TinyIKE in the IoT, we perform an extensive evaluation of TinyIKE using a setup consisting of real IoT hardware.

Keywords
Contiki OS., Cryptography, IEEE 802.15 Standard, IEEE 802.15.4, IKEv2, Internet Key Exchange, Internet of Things, IoT, IP networks, Key Management, Protocols, Security, IEEE Standards, Internet protocols, Network protocols, Network security, Public key cryptography, Wireless telecommunication systems, Contiki ossa, IEEE 802.15 Standards
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-34583 (URN)10.1109/JIOT.2018.2862942 (DOI)2-s2.0-85051003602 (Scopus ID)
Available from: 2018-08-14 Created: 2018-08-14 Last updated: 2019-08-21Bibliographically approved
Boo, E., Raza, S., Höglund, J. & Ko, J. (2019). Towards supporting IoT device storage and network security using DTLs. In: MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services: . Paper presented at 17th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2019, 17 June 2019 through 21 June 2019 (pp. 570-571). Association for Computing Machinery, Inc
Open this publication in new window or tab >>Towards supporting IoT device storage and network security using DTLs
2019 (English)In: MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Association for Computing Machinery, Inc , 2019, p. 570-571Conference paper, Published paper (Refereed)
Abstract [en]

This work presents FDTLS, a security framework that combines storage and network/communication-level security for resource limited Internet of Things (IoT) devices using Datagram Transport Layer Security (DTLS). While coalescing storage and networking security scheme can reduce redundent and unnecessary operations, we identify security- and system-level challenges that can occur when applying DTLS. FDTLS addresses these challenges by employing asymmetric key generation, a virtual peer, and header reduction-based storage optimization. Our results obtained using a Contiki-based implementation on OpenMote platforms show that compared to using storage and networking security separately, FDTLS can reduce the latency of packet transmission responses and also contribute to saving energy. © 2019 Copyright held by the owner/author(s).

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2019
Keywords
DTLS, Secure Internet of Things, Self-key Generation, Flocculation, Internet of things, Virtual addresses, Internet of Things (IOT), Key generation, Networking security, Packet transmissions, Security frameworks, Storage optimization, Transport layer security, Network security
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-39656 (URN)10.1145/3307334.3328630 (DOI)2-s2.0-85069204631 (Scopus ID)9781450366618 (ISBN)
Conference
17th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2019, 17 June 2019 through 21 June 2019
Available from: 2019-08-08 Created: 2019-08-08 Last updated: 2019-08-08Bibliographically approved
Aragon, S., Tiloca, M., Maass, M., Hollick, M. & Raza, S. (2018). ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control. In: : . Paper presented at 6th IEEE Conference on Communications and Network Security, CNS 2018; Beijing; China; 30 May 2018 through 1 June 2018. , Article ID 8433209.
Open this publication in new window or tab >>ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control
Show others...
2018 (English)Conference paper, Published paper (Refereed)
Abstract [en]

The Authentication and Authorization for ConstrainedEnvironments (ACE) framework provides fine-grainedaccess control in the Internet of Things, where devices areresource-constrained and with limited connectivity. The ACEframework defines separate profiles to specify how exactlyentities interact and what security and communication protocolsto use. This paper presents the novel ACE IPsec profile, whichspecifies how a client establishes a secure IPsec channel witha resource server, contextually using the ACE framework toenforce authorized access to remote resources. The profilemakes it possible to establish IPsec Security Associations, eitherthrough their direct provisioning or through the standardIKEv2 protocol. We provide the first Open Source implementationof the ACE IPsec profile for the Contiki OS and testit on the resource-constrained Zolertia Firefly platform. Ourexperimental performance evaluation confirms that the IPsecprofile and its operating modes are affordable and deployablealso on constrained IoT platforms.

National Category
Computer Systems
Identifiers
urn:nbn:se:ri:diva-35112 (URN)10.1109/CNS.2018.8433209 (DOI)2-s2.0-85052561250 (Scopus ID)9781538645864 (ISBN)
Conference
6th IEEE Conference on Communications and Network Security, CNS 2018; Beijing; China; 30 May 2018 through 1 June 2018
Available from: 2018-09-03 Created: 2018-09-03 Last updated: 2019-01-07Bibliographically approved
Sedrati, A., Abdelraheem, M. A. & Raza, S. (2018). Blockchain and IoT: Mind the Gap. In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng.: . Paper presented at International Conference on Safety and Security in IoT InterIoT 2017, SaSeIoT 2017: Interoperability, Safety and Security in IoT pp 113-122. 6 November 2017 through 7 November 2017 (pp. 113-122).
Open this publication in new window or tab >>Blockchain and IoT: Mind the Gap
2018 (English)In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., 2018, p. 113-122Conference paper, Published paper (Refereed)
Abstract [en]

Blockchain, the core technology behind the first decentralized cryptocurrency, Bitcoin, has been recently proposed as a promising solution to create a viable decentralized network of Internet of Things (IoT) with good security and privacy properties. This survey investigates the currently proposed Blockchain-IoT solutions and examines their suitability for IoT devices.

Keywords
Blockchain, Electronic money, Interoperability, Bitcoin, Core technology, Decentralized networks, Internet of Things (IOT), Iot devices, Security and privacy, Internet of things
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-34631 (URN)10.1007/978-3-319-93797-7_13 (DOI)2-s2.0-85051063343 (Scopus ID)9783319937960 (ISBN)
Conference
International Conference on Safety and Security in IoT InterIoT 2017, SaSeIoT 2017: Interoperability, Safety and Security in IoT pp 113-122. 6 November 2017 through 7 November 2017
Available from: 2018-08-14 Created: 2018-08-14 Last updated: 2019-03-07Bibliographically approved
Forsby, F., Furuhed, M., Papadimitratos, P. & Raza, S. (2018). Lightweight X.509 Digital Certificates for the Internet of Things. In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng.: . Paper presented at ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018,6 November 2017 through 7 November 2017 (pp. 123-133).
Open this publication in new window or tab >>Lightweight X.509 Digital Certificates for the Internet of Things
2018 (English)In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., 2018, p. 123-133Conference paper, Published paper (Refereed)
Abstract [en]

X.509 is the de facto digital certificate standard used in building the Public Key Infrastructure (PKI) on the Internet. However, traditional X.509 certificates are too heavy for battery powered or energy harvesting Internet of Things (IoT) devices where it is crucial that energy consumption and memory footprints are as minimal as possible. In this paper we propose, implement, and evaluate a lightweight digital certificate for resource-constrained IoT devices. We develop an X.509 profile for IoT including only the fields necessary for IoT devices, without compromising the certificate security. Furthermore, we also propose compression of the X.509 profiled fields using the contemporary CBOR encoding scheme. Most importantly, our solutions are compatible with the existing X.509 standard, meaning that our profiled and compressed X.509 certificates for IoT can be enrolled, verified and revoked without requiring modification in the existing X.509 standard and PKI implementations. We implement our solution in the Contiki OS and perform evaluation of our profiled and compressed certificates on a state-of-the-art IoT hardware.

Keywords
6LoWPAN, CBOR, Contiki, IoT, X.509 certificate, Digital devices, Energy harvesting, Energy utilization, Interoperability, Public key cryptography, Digital certificates, Internet of Things (IOT), Public-key infrastructure, X.509 certificates, X.509 digital certificates, Internet of things
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-35921 (URN)10.1007/978-3-319-93797-7_14 (DOI)2-s2.0-85051070819 (Scopus ID)9783319937960 (ISBN)
Conference
ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018,6 November 2017 through 7 November 2017
Available from: 2018-11-06 Created: 2018-11-06 Last updated: 2018-11-06Bibliographically approved
Kwon, H., Raza, S. & Ko, J. (2018). POSTER: On compressing pki certificates for resource limited internet of things devices. In: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security: . Paper presented at 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018, 4 June 2018 through 8 June 2018 (pp. 837-839).
Open this publication in new window or tab >>POSTER: On compressing pki certificates for resource limited internet of things devices
2018 (English)In: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security, 2018, p. 837-839Conference paper, Poster (with or without abstract) (Refereed)
Abstract [en]

Certificate-based Public Key Infrastructure (PKI) schemes are used to authenticate the identity of distinct nodes on the Internet. Using certificates for the Internet of Things (IoT) can allow many privacy sensitive applications to be trusted over the larger Internet architecture. However, since IoT devices are typically resource limited, full sized PKI certificates are not suitable for use in the IoT domain. This work outlines our approach in compressing standards-compliant X.509 certificates so that their sizes are reduced and can be effectively used on IoT nodes. Our scheme combines the use of Concise Binary Object Representation (CBOR) and also a scheme that compresses all data that can be implicitly inferenced within the IoT sub-network. Our scheme shows a certificate compression rate of up to ∼30%, which allows effective energy reduction when using X.509-based certificates on IoT platforms. .

Keywords
6LoW-PAN, CBOR, Certificate Compression, Secure Internet of Things, Public key cryptography, Certificate-based, Internet architecture, Internet of thing (IOT), Public-key infrastructure, Sensitive application, X.509 certificates, Internet of things
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:ri:diva-37298 (URN)10.1145/3196494.3201591 (DOI)2-s2.0-85049198219 (Scopus ID)9781450355766 (ISBN)
Conference
13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018, 4 June 2018 through 8 June 2018
Available from: 2019-01-18 Created: 2019-01-18 Last updated: 2019-03-28Bibliographically approved
Identifiers
ORCID iD: ORCID iD iconorcid.org/0000-0001-8192-0893

Search in DiVA

Show all publications
v. 2.35.7