Lightweight certificate revocation for low-power IoT with end-to-end security
2023 (English) In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 73, article id 103424. Article in journal (Refereed) Published
Abstract [en]
Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors
Place, publisher, year, edition, pages
Elsevier Ltd, 2023. Vol. 73, article id 103424
Keywords [en]
IoT security, OCSP, PKI, Revocation, X.509, Authentication, Network security, Networked control systems, Public key cryptography, Certificate revocation, End-to-end security, Internet of thing security, Low Power, Networked systems, Online certificate status protocol, Public key infrastructure, Strong authentication, Internet of things
National Category
Communication Systems
Identifiers
URN: urn:nbn:se:ri:diva-63979; DOI: 10.1016/j.jisa.2023.103424; Scopus ID: 2-s2.0-85146599883; OAI: oai:DiVA.org:ri-63979; DiVA, id: diva2:1737468
Note
Correspondence Address: Höglund, J.; RISE Research Institutes of Sweden; email: joel.hoglund@ri.se;
Funding details: 101020259; Funding details: 830927; Funding details: Stiftelsen för Strategisk Forskning, SSF; Funding text 1: This work was partly supported by the Swedish Foundation for Strategic Research (SSF) institute PhD program, and by the H2020 CONCORDIA (GA No. 830927) and ARCADIAN-IoT (GA No. 101020259) projects.
2023-02-16, 2023-02-16, 2023-06-08. Bibliographically approved