Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Lightweight certificate revocation for low-power IoT with end-to-end security
RISE Research Institutes of Sweden, Digital Systems, Data Science.ORCID iD: 0000-0002-9491-8183
Nexus Group, Sweden.
RISE Research Institutes of Sweden, Digital Systems, Data Science.ORCID iD: 0000-0001-8192-0893
2023 (English)In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 73, article id 103424Article in journal (Refereed) Published
Abstract [en]

Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors

Place, publisher, year, edition, pages
Elsevier Ltd , 2023. Vol. 73, article id 103424
Keywords [en]
IoT security, OCSP, PKI, Revocation, X.509, Authentication, Network security, Networked control systems, Public key cryptography, Certificate revocation, End-to-end security, Internet of thing security, Low Power, Networked systems, Online certificate status protocol, Public key infrastructure, Strong authentication, Internet of things
National Category
Communication Systems
Identifiers
URN: urn:nbn:se:ri:diva-63979DOI: 10.1016/j.jisa.2023.103424Scopus ID: 2-s2.0-85146599883OAI: oai:DiVA.org:ri-63979DiVA, id: diva2:1737468
Note

Correspondence Address: Höglund, J.; RISE Research Institutes of Sweden; email: joel.hoglund@ri.se;

Funding details: 101020259; Funding details: 830927; Funding details: Stiftelsen för Strategisk Forskning, SSF; Funding text 1: This work was partly supported by the Swedish Foundation for Strategic Research (SSF) institute PhD program, and by the H2020 CONCORDIA (GA No. 830927 ) and ARCADIAN-IoT (GA No. 101020259 ) projects.

Available from: 2023-02-16 Created: 2023-02-16 Last updated: 2023-06-08Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Höglund, JoelRaza, Shahid

Search in DiVA

By author/editor
Höglund, JoelRaza, Shahid
By organisation
Data Science
In the same journal
Journal of Information Security and Applications
Communication Systems

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 74 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf