AutoCert: Automated TOCTOU-secure digital certification for IoT with combined authentication and assurance
2023 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 124, article id 102952Article in journal (Refereed) Published
Abstract [en]
The Internet of Things (IoT) network is comprised of heterogeneous devices which are part of critical infrastructures throughout the world. To enable end-to-end security, the Public Key Infrastructure (PKI) is undergoing advancements to incorporate IoT devices globally which primarily provides device authentication. In addition to this, integrity of the software-state is vital, where Remote Attestation (RA) and Integrity Certificates play an important role. Though, Integrity Certificate verifies the software-state integrity of the device at the time of execution of the remote attestation process, it does not provide mechanisms to validate that the current software-state corresponds to the attested state. This issue is referred to as the Time-Of-Check to Time-Of-Use (TOCTOU) problem and remains unsolved in the context of Integrity Certificates. In this paper, we propose AutoCert, the first TOCTOU-secure mechanism to combine software-state integrity with PKI for IoT which resolves the TOCTOU problem in RA and Integrity Certificates. To this end, we utilize the IETF Remote Attestation Procedures architecture and standard X509 IoT profile certificates to ensure both device authentication and software assurance for IoT. We implement and evaluate the performance of the AutoCert proof-of-concept on a real IoT device, the OPTIGA TPM Evaluation Kit, to show its practicality and usability. AutoCert can validate the attested state of an IoT device in approximately 4746 milliseconds, with a minimal network overhead of 350 bytes.
Place, publisher, year, edition, pages
Elsevier Ltd , 2023. Vol. 124, article id 102952
Keywords [en]
Assurance, Certification, IoT Device Security, Public Key Infrastructure, Remote Attestation, TPM 2.0, X509, Authentication, Digital devices, Mobile security, Mobile telecommunication systems, Network security, Public key cryptography, Device authentications, Internet of thing device security, Secure digital, Time of use, Internet of things
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:ri:diva-61192DOI: 10.1016/j.cose.2022.102952Scopus ID: 2-s2.0-85141299890OAI: oai:DiVA.org:ri-61192DiVA, id: diva2:1716687
Note
Funding details: 101020259; Funding details: 957197; Funding details: Stiftelsen för Strategisk Forskning, SSF; Funding text 1: This research is partially funded by the EU H2020 projects ARCADIAN-IoT (Grant ID. 101020259) and VEDLIoT (Grant ID: 957197) and partially by Swedish Foundation for Strategic Research (SSF) aSSIsT project.
2022-12-062022-12-062023-06-08Bibliographically approved