Change search
Link to record
Permanent link

Direct link
BETA
Publications (10 of 49) Show all publications
Aslam, M., Mohsin, B., Nasir, A. & Raza, S. (2020). FoNAC - An automated Fog Node Audit and Certification scheme. Computers & security (Print), 93, Article ID 101759.
Open this publication in new window or tab >>FoNAC - An automated Fog Node Audit and Certification scheme
2020 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 93, article id 101759Article in journal (Refereed) Published
Abstract [en]

Meeting the security and privacy needs for IoT data becomes equally important in the newly introduced intermediary Fog Computing layer, as it was in its former technological layer - Cloud; but the accomplishment of such security is critical and challenging. While security assurance of the fog layer devices is imperative due to their exposure to the public Internet, it becomes even more complex, than the cloud layer, as it involves a large number of heterogeneous devices deployed hierarchically. Manual audit and certification schemes are unsuitable for large number of fog nodes thereby inhibiting the involved stakeholders to use manual security assurance schemes altogether. However, scalable and feasible security assurance can be provided by introducing automated and continuous monitoring and auditing of fog nodes to ensure a trusted, updated and vulnerability free fog layer. This paper presents such an solution in the form of an automated Fog Node Audit and Certification scheme (FoNAC) which guarantees a secure fog layer through the proposed fog layer assurance mechanism. FoNAC leverages Trusted Platform Module (TPM 2.0) capabilities to evaluate/audit the platform integrity of the operating fog nodes and grants certificate to the individual node after a successful security audit. FoNAC security is also validated through its formal security analysis performed using AVISPA under Dolev-Yao intruder model. The security analysis of FoNAC shows its resistance against cyber-attacks like impersonation, replay attack, forgery, Denial of Service(DoS) and MITM attack.

Place, publisher, year, edition, pages
Elsevier Ltd, 2020
Keywords
Certification, Cloud computing, Continuous auditing, Edge, Fog, Remote attestation, Security, SLA, TPM 2.0, Automation, Fog computing, Network security, Security systems, Trusted computing, Denial-of-service attack
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-44444 (URN)10.1016/j.cose.2020.101759 (DOI)2-s2.0-85081116437 (Scopus ID)
Note

Funding details: VINNOVA, 2019-01305; Funding details: 830927; Funding text 1: This research has been supported by the funding for H2020 CONCORDIA (grant agreement No 830927) and from VINNOVA Sweden (grant agreement no 2019-01305).

Available from: 2020-03-17 Created: 2020-03-17 Last updated: 2020-03-17Bibliographically approved
Höglund, J., Lindemer, S., Furuhed, M. & Raza, S. (2020). PKI4IoT: Towards public key infrastructure for the Internet of Things. Computers & security (Print), 89, Article ID 101658.
Open this publication in new window or tab >>PKI4IoT: Towards public key infrastructure for the Internet of Things
2020 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 89, article id 101658Article in journal (Refereed) Published
Abstract [en]

Public Key Infrastructure is the state-of-the-art credential management solution on the Internet. However, the millions of constrained devices that make of the Internet of Things currently lack a centralized, scalable system for managing keys and identities. Modern PKI is built on a set of protocols which were not designed for constrained environments, and as a result many small, battery-powered IoT devices lack the required computing resources. In this paper, we develop an automated certificate enrollment protocol light enough for highly constrained devices, which provides end-to-end security between certificate authorities (CA) and the recipient IoT devices. We also design a lightweight profile for X.509 digital certificates with CBOR encoding, called XIOT. Existing CAs can now issue traditional X.509 to IoT devices. These are converted to and from the XIOT format by edge devices on constrained networks. This procedure preserves the integrity of the original CA signature, so the edge device performing certificate conversion need not be trusted. We implement these protocols within the Contiki embedded operating system and evaluate their performance on an ARM Cortex-M3 platform. Our evaluation demonstrates reductions in energy expenditure and communication latency. The RAM and ROM required to implement these protocols are on par with the other lightweight protocols in Contiki’s network stack.

Keywords
Security, CBOR, IoT, PKI, Digital certificates, Enrollment, Embedded systems, Contiki
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-42433 (URN)10.1016/j.cose.2019.101658 (DOI)
Available from: 2019-12-20 Created: 2019-12-20 Last updated: 2020-01-28Bibliographically approved
Aslam, M., Bouget, S. & Raza, S. (2020). Security and trust preserving inter- and intra-cloud VM migrations. International Journal of Network Management, Article ID e2103.
Open this publication in new window or tab >>Security and trust preserving inter- and intra-cloud VM migrations
2020 (English)In: International Journal of Network Management, ISSN 1055-7148, E-ISSN 1099-1190, article id e2103Article in journal (Refereed) Published
Abstract [en]

This paper focus on providing a secure and trustworthy solution for virtual machine (VM) migration within an existing cloud provider domain, and/or to the other federating cloud providers. The infrastructure-as-a-service (IaaS) cloud service model is mainly addressed to extend and complement the previous Trusted Computing techniques for secure VM launch and VM migration case. The VM migration solution proposed in this paper uses a Trust_Token based to guarantee that the user VMs can only be migrated and hosted on a trustworthy and/or compliant cloud platforms. The possibility to also check the compliance of the cloud platforms with the pre-defined baseline configurations makes our solution compatible with an existing widely accepted standards-based, security-focused cloud frameworks like FedRAMP. Our proposed solution can be used for both inter- and intra-cloud VM migrations. Different from previous schemes, our solution is not dependent on an active (on-line) trusted third party; that is, the trusted third party only performs the platform certification and is not involved in the actual VM migration process. We use the Tamarin solver to realize a formal security analysis of the proposed migration protocol and show that our protocol is safe under the Dolev-Yao intruder model. Finally, we show how our proposed mechanisms fulfill major security and trust requirements for secure VM migration in cloud environments. 

Place, publisher, year, edition, pages
John Wiley and Sons Ltd, 2020
Keywords
Compliance control, Infrastructure as a service (IaaS), Network security, Regulatory compliance, Virtual machine, Baseline configurations, Cloud service models, Computing techniques, Dolev-Yao intruders, Formal security analysis, Migration protocols, Security and trusts, Trusted third parties, Trusted computing
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-44389 (URN)10.1002/nem.2103 (DOI)2-s2.0-85079698182 (Scopus ID)
Note

Funding details: Horizon 2020 Framework Programme, H2020, 833742, 783119; Funding text 1: This research has been supported by the funding for H2020 projects SECREDAS (grant agreement no. 783119), nIoVe (grant agreement no. 833742), and RISE Cybersecurity KP.

Available from: 2020-03-09 Created: 2020-03-09 Last updated: 2020-03-09Bibliographically approved
Pérez, S., Hernández-Ramos, J., Raza, S. & Skarmeta, A. (2019). Application Layer Key Establishment for End-to-End Security in IoT. IEEE Internet of Things Journal
Open this publication in new window or tab >>Application Layer Key Establishment for End-to-End Security in IoT
2019 (English)In: IEEE Internet of Things Journal, ISSN 2372-2541Article in journal (Refereed) Epub ahead of print
Abstract [en]

In most IoT deployments, intermediate entities are usually employed for efficiency and scalability reasons. These intermediate proxies break end-to-end security when using even the state-of-the-art transport layer security (TLS) solutions. In this direction, the recent Object Security for Constrained RESTful Environments (OSCORE) has been standardized to enable end-to-end security even in the presence of malicious proxies. In this work, we focus on the key establishment process based on application layer techniques. In particular, we evaluate the Ephemeral Diffie-Hellman over COSE (EDHOC), the de facto key establishment protocol for OSCORE. Based on EDHOC, we propose CompactEDHOC, as a lightweight alternative, in which negotiation of security parameters is extracted from the core protocol. In addition to providing end-to-end security properties, we perform extensive evaluation using real IoT hardware and simulation tools. Our evaluation results prove EDHOC-based proposals as an effective and efficient approach for the establishment of a security association in IoT constrained scenarios.

Keywords
Internet of Things, Key Establishment, DTLS, EDHOC.
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-42593 (URN)10.1109/JIOT.2019.2959428 (DOI)
Available from: 2020-01-10 Created: 2020-01-10 Last updated: 2020-01-10Bibliographically approved
Tiloca, M., Dini, G., Rizki, K. & Raza, S. (2019). Group rekeying based on member join history. International Journal of Information Security
Open this publication in new window or tab >>Group rekeying based on member join history
2019 (English)In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270Article in journal (Refereed) Epub ahead of print
Abstract [en]

This paper presents GREP, a novel group rekeying scheme that leverages the history of join events in order to achieve efficiency and high scalability. GREP rekeys thegroup with only two broadcast messages, hence displaying an overhead which is small, constant and independent of the group size. Also, GREP efficiently recovers the group from collusion attack with no recourse to total member reinitialization. Even in the very unlikely worst case, collusion recovery displays a smooth impact on performance that gradually increases with the attack severity. We implemented GREP for the Contiki OS and tested it on different resource-constrained platforms. Our analytical and experimental evaluation confirm that GREP is efficient, highly scalable and deployable also on constrained nodes. The paper extends a previous version of this work, especially through additional security analysis, treatise of probabilities for worst case collusion, and experimental evaluation of performance.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2019
Keywords
Security, Group key management, Rekeying, Join history, Secure group communication
National Category
Engineering and Technology Electrical Engineering, Electronic Engineering, Information Engineering Communication Systems Computer Systems
Identifiers
urn:nbn:se:ri:diva-39284 (URN)10.1007/s10207-019-00451-0 (DOI)2-s2.0-85068966622 (Scopus ID)
Note

Funding details: 607109; Funding details: Università di Pisa, UniPi; Funding details: VINNOVA; Funding details: European Commission, EC; Funding details: Ministero dell’Istruzione, dell’Università e della Ricerca, MIUR; Funding text 1: The authors sincerely thank the anonymous referees and the associate editor for their insightful comments and suggestions. This work has been partially supported by: the European Commission under the 7-th Framework Programme (Grant Agreement No. 607109), for research, technological development and demonstration; VINNOVA and the Celtic-Next project CRITISEC; the EIT-Digital High Impact Initiative ACTIVE; the Italian Ministry of Education and Research (MIUR) in the framework of the CrossLab project (Departments of Excellence); the University of Pisa in the framework of PRA 2019. The authors also thank Rikard Höglund for his help during the implementation phase of this work.; Funding text 2: This research received funding from: the European Commission under the 7-th Framework Programme (Grant Agreement No. 607109), for research, technological development and demonstration; VINNOVA and the Celtic-Next project CRITISEC; the EIT-Digital High Impact Initiative ACTIVE; the Italian Ministry of Education and Research (MIUR) in the framework of the CrossLab project (Departments of Excellence); the University of Pisa in the framework of PRA 2019.

Available from: 2019-06-29 Created: 2019-06-29 Last updated: 2020-01-10Bibliographically approved
Rizki, K., Lamproudi, A., Tiloca, M. & Raza, S. (2019). Group-IKEv2 for multicast IPsec in the internet of things. International Journal of Security and Networks (IJSN), 14(1), 10-22
Open this publication in new window or tab >>Group-IKEv2 for multicast IPsec in the internet of things
2019 (English)In: International Journal of Security and Networks (IJSN), ISSN 1747-8405, E-ISSN 1747-8413, Vol. 14, no 1, p. 10-22Article in journal (Refereed) Published
Abstract [en]

This paper presents Group-IKEv2, a group key management protocol supporting secure group communication based on multicast IPsec. Group-IKEv2 is an adaptation of the IKEv2 protocol for the IPsec suite, and is especially designed to address internet of things (IoT) scenarios composed of resource-constrained devices. Compared to static approaches, Group-IKEv2 enables dynamic and flexible establishment of IPsec group security associations as well as group key material. Also, it integrates the management and renewal of group key material, both on a periodical fashion and upon group membership changes. We have implemented Group-IKEv2 for the Contiki OS and tested it on the OpenMote resource-constrained platform. Our experimental performance evaluation confirms that Group-IKEv2 is affordable and deployable also on constrained IoT devices.

Place, publisher, year, edition, pages
Inderscience Enterprises Ltd., 2019
Keywords
Group communication, Group-IKEv2, Internet of things, Key management, Multicast IPsec, Secure communication, Security, Multicasting, Security of data, Experimental performance evaluations, Group communications, Group key management protocols, Resourceconstrained devices, Secure group communications
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-38462 (URN)10.1504/IJSN.2019.098908 (DOI)2-s2.0-85064263362 (Scopus ID)
Available from: 2019-05-06 Created: 2019-05-06 Last updated: 2019-05-06Bibliographically approved
He, Z., Furuhed, M. & Raza, S. (2019). Indraj: Digital certificate enrollment for battery-powered wireless devices. In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks: . Paper presented at 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, 15 May 2019 through 17 May 2019 (pp. 117-127). Association for Computing Machinery, Inc
Open this publication in new window or tab >>Indraj: Digital certificate enrollment for battery-powered wireless devices
2019 (English)In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks, Association for Computing Machinery, Inc , 2019, p. 117-127Conference paper, Published paper (Refereed)
Abstract [en]

A public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer unfeasible on small devices. To migrate IoT from poorly scalable, pair-wise symmetric encryption to PKI, a major obstacle remains: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN).We evaluate our implementation on a low power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well behaved, first-class citizens on the Internet.

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2019
Keywords
Contiki OS, Digital Certificate, Enrollment, EST, Internet of Things, PKI, Security, Constrained optimization, Digital devices, Electric batteries, Low power electronics, Mobile security, Mobile telecommunication systems, Network protocols, Personal communication systems, Public key cryptography, Semantics, Wireless networks, Constrained Application Protocol (CoAP), Contiki ossa, Digital certificates, IPv6 over low-power wireless personal area networks (6LoWPAN), Public-key infrastructure, Transport layer security, Network security
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-39056 (URN)10.1145/3317549.3323408 (DOI)2-s2.0-85066759864 (Scopus ID)9781450367264 (ISBN)
Conference
12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, 15 May 2019 through 17 May 2019
Note

Funding details: VINNOVA; Funding text 1: This research has partly been funded by VINNOVA, Formas och Energimyndigheten under the Strategic Innovation Program on IoT (SIP-IoT), and partly by VINNOVA through the Eurostars SecureIoT project.

Available from: 2019-06-26 Created: 2019-06-26 Last updated: 2019-06-26Bibliographically approved
Raza, S. & Magnusson, R. M. (2019). TinyIKE: Lightweight IKEv2 for Internet of Things. IEEE Internet of Things Journal, 6(1), 856-866, Article ID 8424816.
Open this publication in new window or tab >>TinyIKE: Lightweight IKEv2 for Internet of Things
2019 (English)In: IEEE Internet of Things Journal, ISSN 2327-4662, Vol. 6, no 1, p. 856-866, article id 8424816Article in journal (Refereed) Published
Abstract [en]

There is unanimous consensus that cyber security in the IoT is necessary. In cyber security, key establishment is one of the toughest problems. It is even more challenging in resource-constrained but Internet-connected IoT devices that use low-power wireless communication. A number of IoT communication protocols define cryptographic mechanisms for confidentiality and integrity services but do not specify key management. For example, IEEE 802.15.4, RPL, and object security all rely on external key management protocols. Due to the lack of automatic key management support, IoT devices either end up using pre-shared keys or no security at all. In this paper we overcome these challenges and present TinyIKE, a lightweight adaptation of IKEv2 for the IoT. Using TinyIKE, we solve the key establishment problem for multiple IoT protocols using a single IKEv2-based solution. We implement TinyIKE for resource-constrained IoT devices that run the Contiki OS. The TinyIKE implementation supports full certificate-based IKEv2 that uses Elliptic Curve Cryptography (ECC). In order to ensure the feasibility of TinyIKE in the IoT, we perform an extensive evaluation of TinyIKE using a setup consisting of real IoT hardware.

Keywords
Contiki OS., Cryptography, IEEE 802.15 Standard, IEEE 802.15.4, IKEv2, Internet Key Exchange, Internet of Things, IoT, IP networks, Key Management, Protocols, Security, IEEE Standards, Internet protocols, Network protocols, Network security, Public key cryptography, Wireless telecommunication systems, Contiki ossa, IEEE 802.15 Standards
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-34583 (URN)10.1109/JIOT.2018.2862942 (DOI)2-s2.0-85051003602 (Scopus ID)
Available from: 2018-08-14 Created: 2018-08-14 Last updated: 2019-08-21Bibliographically approved
Boo, E., Raza, S., Höglund, J. & Ko, J. (2019). Towards supporting IoT device storage and network security using DTLs. In: MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services: . Paper presented at 17th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2019, 17 June 2019 through 21 June 2019 (pp. 570-571). Association for Computing Machinery, Inc
Open this publication in new window or tab >>Towards supporting IoT device storage and network security using DTLs
2019 (English)In: MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Association for Computing Machinery, Inc , 2019, p. 570-571Conference paper, Published paper (Refereed)
Abstract [en]

This work presents FDTLS, a security framework that combines storage and network/communication-level security for resource limited Internet of Things (IoT) devices using Datagram Transport Layer Security (DTLS). While coalescing storage and networking security scheme can reduce redundent and unnecessary operations, we identify security- and system-level challenges that can occur when applying DTLS. FDTLS addresses these challenges by employing asymmetric key generation, a virtual peer, and header reduction-based storage optimization. Our results obtained using a Contiki-based implementation on OpenMote platforms show that compared to using storage and networking security separately, FDTLS can reduce the latency of packet transmission responses and also contribute to saving energy. © 2019 Copyright held by the owner/author(s).

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2019
Keywords
DTLS, Secure Internet of Things, Self-key Generation, Flocculation, Internet of things, Virtual addresses, Internet of Things (IOT), Key generation, Networking security, Packet transmissions, Security frameworks, Storage optimization, Transport layer security, Network security
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-39656 (URN)10.1145/3307334.3328630 (DOI)2-s2.0-85069204631 (Scopus ID)9781450366618 (ISBN)
Conference
17th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2019, 17 June 2019 through 21 June 2019
Available from: 2019-08-08 Created: 2019-08-08 Last updated: 2019-08-08Bibliographically approved
Aragon, S., Tiloca, M., Maass, M., Hollick, M. & Raza, S. (2018). ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control. In: : . Paper presented at 6th IEEE Conference on Communications and Network Security, CNS 2018; Beijing; China; 30 May 2018 through 1 June 2018. , Article ID 8433209.
Open this publication in new window or tab >>ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control
Show others...
2018 (English)Conference paper, Published paper (Refereed)
Abstract [en]

The Authentication and Authorization for ConstrainedEnvironments (ACE) framework provides fine-grainedaccess control in the Internet of Things, where devices areresource-constrained and with limited connectivity. The ACEframework defines separate profiles to specify how exactlyentities interact and what security and communication protocolsto use. This paper presents the novel ACE IPsec profile, whichspecifies how a client establishes a secure IPsec channel witha resource server, contextually using the ACE framework toenforce authorized access to remote resources. The profilemakes it possible to establish IPsec Security Associations, eitherthrough their direct provisioning or through the standardIKEv2 protocol. We provide the first Open Source implementationof the ACE IPsec profile for the Contiki OS and testit on the resource-constrained Zolertia Firefly platform. Ourexperimental performance evaluation confirms that the IPsecprofile and its operating modes are affordable and deployablealso on constrained IoT platforms.

National Category
Computer Systems
Identifiers
urn:nbn:se:ri:diva-35112 (URN)10.1109/CNS.2018.8433209 (DOI)2-s2.0-85052561250 (Scopus ID)9781538645864 (ISBN)
Conference
6th IEEE Conference on Communications and Network Security, CNS 2018; Beijing; China; 30 May 2018 through 1 June 2018
Available from: 2018-09-03 Created: 2018-09-03 Last updated: 2019-01-07Bibliographically approved
Organisations
Identifiers
ORCID iD: ORCID iD iconorcid.org/0000-0001-8192-0893

Search in DiVA

Show all publications
v. 2.35.9