  • 1.
    Aragon, Santiago
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS. Technische Universität Darmstadt, Germany.
    Tiloca, Marco
    RISE - Research Institutes of Sweden, ICT, SICS.
    Maass, Max
    Technische Universität Darmstadt, Germany.
    Hollick, Matthias
    Technische Universität Darmstadt, Germany.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control. 2018. Conference paper (Refereed)
    Abstract [en]

    The Authentication and Authorization for Constrained Environments (ACE) framework provides fine-grained access control in the Internet of Things, where devices are resource-constrained and with limited connectivity. The ACE framework defines separate profiles to specify how exactly entities interact and what security and communication protocols to use. This paper presents the novel ACE IPsec profile, which specifies how a client establishes a secure IPsec channel with a resource server, contextually using the ACE framework to enforce authorized access to remote resources. The profile makes it possible to establish IPsec Security Associations, either through their direct provisioning or through the standard IKEv2 protocol. We provide the first Open Source implementation of the ACE IPsec profile for the Contiki OS and test it on the resource-constrained Zolertia Firefly platform. Our experimental performance evaluation confirms that the IPsec profile and its operating modes are affordable and deployable also on constrained IoT platforms.

  • 2.
    Aslam, Mudassar
    et al.
    RISE Research Institutes of Sweden, Digital Systems. COMSATS University Islamabad, Pakistan.
    Bouget, Simon
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Security and trust preserving inter- and intra-cloud VM migrations. 2020. In: International Journal of Network Management, ISSN 1055-7148, E-ISSN 1099-1190, article id e2103. Article in journal (Refereed)
    Abstract [en]

    This paper focuses on providing a secure and trustworthy solution for virtual machine (VM) migration within an existing cloud provider domain, and/or to the other federating cloud providers. The infrastructure-as-a-service (IaaS) cloud service model is mainly addressed to extend and complement the previous Trusted Computing techniques for secure VM launch and VM migration case. The VM migration solution proposed in this paper uses a Trust_Token based to guarantee that the user VMs can only be migrated and hosted on trustworthy and/or compliant cloud platforms. The possibility to also check the compliance of the cloud platforms with the pre-defined baseline configurations makes our solution compatible with existing widely accepted standards-based, security-focused cloud frameworks like FedRAMP. Our proposed solution can be used for both inter- and intra-cloud VM migrations. Different from previous schemes, our solution is not dependent on an active (on-line) trusted third party; that is, the trusted third party only performs the platform certification and is not involved in the actual VM migration process. We use the Tamarin solver to realize a formal security analysis of the proposed migration protocol and show that our protocol is safe under the Dolev-Yao intruder model. Finally, we show how our proposed mechanisms fulfill major security and trust requirements for secure VM migration in cloud environments.

  • 3.
    Aslam, Mudassar
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science. COMSATS University Islamabad, Pakistan.
    Mohsin, Bushra
    COMSATS University Islamabad, Pakistan.
    Nasir, Abdul
    COMSATS University Islamabad, Pakistan.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    FoNAC - An automated Fog Node Audit and Certification scheme. 2020. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 93, article id 101759. Article in journal (Refereed)
    Abstract [en]

    Meeting the security and privacy needs for IoT data becomes equally important in the newly introduced intermediary Fog Computing layer, as it was in its former technological layer - Cloud; but the accomplishment of such security is critical and challenging. While security assurance of the fog layer devices is imperative due to their exposure to the public Internet, it becomes even more complex, than the cloud layer, as it involves a large number of heterogeneous devices deployed hierarchically. Manual audit and certification schemes are unsuitable for large number of fog nodes thereby inhibiting the involved stakeholders to use manual security assurance schemes altogether. However, scalable and feasible security assurance can be provided by introducing automated and continuous monitoring and auditing of fog nodes to ensure a trusted, updated and vulnerability free fog layer. This paper presents such a solution in the form of an automated Fog Node Audit and Certification scheme (FoNAC) which guarantees a secure fog layer through the proposed fog layer assurance mechanism. FoNAC leverages Trusted Platform Module (TPM 2.0) capabilities to evaluate/audit the platform integrity of the operating fog nodes and grants certificate to the individual node after a successful security audit. FoNAC security is also validated through its formal security analysis performed using AVISPA under Dolev-Yao intruder model. The security analysis of FoNAC shows its resistance against cyber-attacks like impersonation, replay attack, forgery, Denial of Service (DoS) and MITM attack.

  • 4.
    Bagci, Ibrahim Ethem
    et al.
    Pourmirza, Mohammad Reza
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Roedig, Utz
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Codo: Confidential Data Storage for Wireless Sensor Networks. 2012. Conference paper (Refereed)
    Abstract [en]

    Many Wireless Sensor Networks (WSNs) are used to collect and process confidential information. Confidentiality must be ensured at all times and, for example, solutions for confidential communication, processing or storage are required. To date, the research community has addressed mainly the issue of confidential communication. Efficient solutions for cryptographically secured communication and associated key exchange in WSNs exist. Many WSN applications, however, rely heavily on available on-node storage space and therefore it is essential to ensure the confidentiality of stored data as well. In this paper we present Codo, a confidential data storage solution which balances platform, performance and security requirements. We implement Codo for the Contiki WSN operating system and evaluate its performance.

  • 5.
    Bagci, Ibrahim Ethem
    et al.
    Lancaster University, United Kingdom.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Chung, Tony
    Lancaster University, United Kingdom.
    Roedig, Utz
    Lancaster University, United Kingdom.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    Combined Secure Storage and Communication for the Internet of Things. 2013. Conference paper (Refereed)
    Abstract [en]

    The future Internet of Things (IoT) may be based on the existing and established Internet Protocol (IP). Many IoT application scenarios will handle sensitive data. However, as security requirements for storage and communication are addressed separately, work such as key management or cryptographic processing is duplicated. In this paper we present a framework that allows us to combine secure storage and secure communication in the IP-based IoT. We show how data can be stored securely such that it can be delivered securely upon request without further cryptographic processing. Our prototype implementation shows that combined secure storage and communication can reduce the security-related processing on nodes by up to 71% and energy consumption by up to 32.1%.

  • 6.
    Bagci, Ibrahim Ethem
    et al.
    Lancaster University, UK.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Roedig, Utz
    Lancaster University, UK.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    Fusion: Coalesced Confidential Storage and Communication Framework for the IoT. 2015. In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122, Vol. 9, no 15, p. 2656-2673. Article in journal (Refereed)
    Abstract [en]

    Comprehensive security mechanisms are required for a successful implementation of the Internet of Things (IoT). Existing solutions focus mainly on securing the communication links between Internet hosts and IoT devices. However, as most IoT devices nowadays provide vast amounts of flash storage space it is as well required to consider storage security within a comprehensive security framework. Instead of developing independent security solutions for storage and communication we propose Fusion, a framework which provides coalesced confidential storage and communication. Fusion uses existing secure communication protocols for the IoT such as IPsec and DTLS and re-uses the defined communication security mechanisms within the storage component. Thus, trusted mechanisms developed for communication security are extended into the storage space. Notably, this mechanism allows us to transmit requested data directly from the file system without decrypting read data blocks and then re-encrypting these for transmission. Thus, Fusion provides benefits in terms of processing speed and energy efficiency which are important aspects for resource constrained IoT devices. The paper describes the Fusion architecture and its instantiation for IPsec and DTLS based systems. We describe Fusion’s implementation and evaluate its storage overheads, communication performance and energy consumption.

  • 7.
    Boo, EunSeong
    et al.
    Ajou University, South Korea.
    Raza, Shahid
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Höglund, Joel
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Ko, JeongGil
    Ajou University, South Korea.
    Towards supporting IoT device storage and network security using DTLS. 2019. In: MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Association for Computing Machinery, Inc, 2019, p. 570-571. Conference paper (Refereed)
    Abstract [en]

    This work presents FDTLS, a security framework that combines storage and network/communication-level security for resource limited Internet of Things (IoT) devices using Datagram Transport Layer Security (DTLS). While coalescing storage and networking security scheme can reduce redundant and unnecessary operations, we identify security- and system-level challenges that can occur when applying DTLS. FDTLS addresses these challenges by employing asymmetric key generation, a virtual peer, and header reduction-based storage optimization. Our results obtained using a Contiki-based implementation on OpenMote platforms show that compared to using storage and networking security separately, FDTLS can reduce the latency of packet transmission responses and also contribute to saving energy. © 2019 Copyright held by the owner/author(s).

  • 8.
    Eklund, David
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Industrial Systems.
    Iacovazzi, Alfonso
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Wang, Han
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Pyrgelis, Apostolos
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science. Mälardalen University, Sweden.
    BMI: Bounded Mutual Information for Efficient Privacy-Preserving Feature Selection. 2024. In: Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349, Vol. 14983 LNCS, p. 353-373. Article in journal (Refereed)
    Abstract [en]

    We introduce low complexity bounds on mutual information for efficient privacy-preserving feature selection with secure multi-party computation (MPC). Considering a discrete feature with N possible values and a discrete label with M possible values, our approach requires O(N) multiplications as opposed to O(NM) in a direct MPC implementation of mutual information. Our experimental results show that for regression tasks, we achieve a computation speed up of over 1,000× compared to a straightforward MPC implementation of mutual information, while achieving similar accuracy for the downstream machine learning model.

  • 9.
    Eriksson, Joakim
    et al.
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Österlind, Fredrik
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Finne, Niclas
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Tsiftes, Nicolas
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Dunkels, Adam
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Demo abstract: accurate power profiling of sensornets with the COOJA/MSPSim simulator. 2009. Conference paper (Refereed)
    Abstract [en]

    Power consumption is of utmost concern in sensor networks. Researchers have several ways of measuring the power consumption of a complete sensor network, but they are typically either impractical or inaccurate. To meet the need for practical and scalable measurement of power consumption of sensor networks, we have developed a cycle-accurate simulator, called COOJA/MSPsim, that enables live power estimation of systems running on MSP430 processors. This demonstration shows the ease of use and the power measurement accuracy of COOJA/MSPsim. The demo setup consists of a small sensor network and a laptop. Beside gathering software-based power measurements from the motes, the laptop runs COOJA/MSPsim to simulate the same network. We visualize the power consumption of both the simulated and the real sensor network, and show that the simulator produces matching results.

  • 10.
    Figueiredo, S.
    et al.
    Instituto Pedro Nunes, Portugal.
    Silva, P.
    Instituto Pedro Nunes, Portugal; University of Coimbra, Portugal.
    Iacovazzi, Alfonso
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Holubenko, V.
    Instituto Pedro Nunes, Portugal.
    Casal, J.
    SCNL Truphone SA, Portugal.
    Calero, J. M. A.
    University of the West of Scotland, UK.
    Wang, Q.
    University of the West of Scotland, UK.
    Colarejo, P.
    LOAD Interactive, Portugal.
    Armitt, R. L.
    ATOS, Spain.
    Inches, G.
    Martel Innovate, Switzerland.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    ARCADIAN-IoT - Enabling Autonomous Trust, Security and Privacy Management for IoT. 2022. In: Lect. Notes Comput. Sci. 5th The Global IoT Summit, GIoTS 2022. Dublin 20 June 2022 through 23 June 2022, Springer Science and Business Media Deutschland GmbH, 2022, Vol. 13533, p. 348-359. Conference paper (Refereed)
    Abstract [en]

    Cybersecurity incidents have been growing both in number and associated impact, as a result of society’s increased dependency in information and communication technologies - accelerated by the recent pandemic. In particular, IoT technologies, which enable significant flexibility and cost-efficiency, but are also associated to more relaxed security mechanisms, have been quickly adopted across all sectors of the society, including critical infrastructures (e.g. smart grids) and services (e.g. eHealth). Gaps such as high dependence on 3rd party IT suppliers and device manufacturers increase the importance of trustworthy and secure solutions for future digital services. This paper presents ARCADIAN-IoT, a framework aimed at holistically enabling trust, security, privacy and recovery in IoT systems, and enabling a Chain of Trust between the different IoT entities (persons, objects and services). It builds on features such as federated AI for effective and privacy-preserving cybersecurity, distributed ledger technologies for decentralized management of trust, or transparent, user-controllable and decentralized privacy. © 2022, The Author(s)

  • 11.
    Forsby, Filip
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS. KTH Royal Institute of Technology, Sweden.
    Furuhed, Martin
    Technology Nexus Secured Business Solutions, Sweden.
    Papadimitratos, Panos
    KTH Royal Institute of Technology, Sweden.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Lightweight X.509 Digital Certificates for the Internet of Things. 2018. In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., 2018, p. 123-133. Conference paper (Refereed)
    Abstract [en]

    X.509 is the de facto digital certificate standard used in building the Public Key Infrastructure (PKI) on the Internet. However, traditional X.509 certificates are too heavy for battery powered or energy harvesting Internet of Things (IoT) devices where it is crucial that energy consumption and memory footprints are as minimal as possible. In this paper we propose, implement, and evaluate a lightweight digital certificate for resource-constrained IoT devices. We develop an X.509 profile for IoT including only the fields necessary for IoT devices, without compromising the certificate security. Furthermore, we also propose compression of the X.509 profiled fields using the contemporary CBOR encoding scheme. Most importantly, our solutions are compatible with the existing X.509 standard, meaning that our profiled and compressed X.509 certificates for IoT can be enrolled, verified and revoked without requiring modification in the existing X.509 standard and PKI implementations. We implement our solution in the Contiki OS and perform evaluation of our profiled and compressed certificates on a state-of-the-art IoT hardware.

  • 12.
    He, Zhitao
    et al.
    RISE - Research Institutes of Sweden, ICT, SICS. Assa Abloy AB, Sweden.
    Furuhed, Martin
    Technology Nexus Secured, Sweden.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Indraj: Digital certificate enrollment for battery-powered wireless devices. 2019. In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks, Association for Computing Machinery, Inc, 2019, p. 117-127. Conference paper (Refereed)
    Abstract [en]

    A public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer unfeasible on small devices. To migrate IoT from poorly scalable, pair-wise symmetric encryption to PKI, a major obstacle remains: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN). We evaluate our implementation on a low power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well behaved, first-class citizens on the Internet.

  • 13.
    Hewage, Kasun
    et al.
    Uppsala University, Sweden.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Voigt, Thiemo
    Uppsala University, Sweden.
    Protecting Glossy-based Wireless Networks from Packet Injection Attacks. 2017. Conference paper (Refereed)
    Abstract [en]

    Glossy is a flooding-based communication primitive for low-power wireless networks that leverages constructive interference to achieve high reliability. The Low-power Wireless Bus (LWB) uses Glossy to abstract an entire wireless network into a shared bus like topology. As Glossy is not designed as a secure communication protocol, Glossy and hence LWB are vulnerable to unauthorised eavesdropping and packet injection attacks. In this paper, we propose several security mechanisms to protect Glossy and LWB communication and evaluate their effectiveness in real-world settings. The evaluation of the proposed security mechanisms shows that we can confine the effect of the packet injection attacks on Glossy networks into single hop nodes from the attacker.

  • 14.
    Hewage, Kasun
    et al.
    Uppsala University, Sweden.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Gomez, F.
    An Experimental Study of Attacks on the Availability of Glossy. 2014. In: Computers & electrical engineering, ISSN 0045-7906, E-ISSN 1879-0755, p. 115-125. Article in journal (Refereed)
    Abstract [en]

    Glossy is a reliable and low latency flooding mechanism designed primarily for distributed communication in wireless sensor networks (WSN). Glossy achieves its superior performance over tree-based wireless sensor networks by exploiting identical concurrent transmissions. WSNs are subject to wireless attacks aimed to disrupt the legitimate network operations. Real-world deployments require security and the current Glossy implementation has no built-in security mechanisms. In this paper, we explore the effectiveness of several attacks that attempt to break constructive interference in Glossy. Our results show that Glossy is quite robust to approaches where attackers do not respect the timing constraints necessary to create constructive interference. Changing the packet content, however, has a severe effect on the packet reception rate that is even more detrimental than other physical layer denial-of-service attacks such as jamming. We also discuss potential countermeasures to address these security threats and vulnerabilities.

  • 15.
    Hummen, Rene
    et al.
    RWTH Aachen University, Germany.
    Ziegeldorf, Jan Henrik
    RWTH Aachen University, Germany.
    Shafagh, Hossein
    RISE, Swedish ICT, SICS. RWTH Aachen University, Germany.
    Raza, Shahid
    RISE, Swedish ICT, SICS.
    Wehrle, Klaus
    RWTH Aachen University, Germany.
    Towards viable certificate-based authentication for the Internet of Things. 2013. In: HotWiSec 2013 - Proceedings of the 2013 ACM Workshop on Hot Topics on Wireless Network Security and Privacy, 2013, p. 37-41. Conference paper (Refereed)
    Abstract [en]

    The vision of the Internet of Things considers smart objects in the physical world as first-class citizens of the digital world. Especially IP technology and RESTful web services on smart objects promise simple interactions with Internet services in the Web of Things, e.g., for building automation or in e-health scenarios. Peer authentication and secure data transmission are vital aspects in many of these scenarios to prevent leakage of personal information and harmful actuating tasks. While standard security solutions exist for traditional IP networks, the constraints of smart objects demand for more lightweight security mechanisms. Thus, the use of certificates for peer authentication is predominantly considered impracticable. In this paper, we investigate if this assumption is valid. To this end, we present preliminary overhead estimates for the certificate-based DTLS handshake and argue that certificates - with improvements to the handshake - are a viable method of authentication in many network scenarios. We propose three design ideas to reduce the overheads of the DTLS handshake. These ideas are based on (i) pre-validation, (ii) session resumption, and (iii) handshake delegation. We qualitatively analyze the expected overhead reductions and discuss their applicability. 

  • 16.
    Hummen, René
    et al.
    RWTH Aachen University, Germany.
    Shafagh, Hossein
    ETH Zürich, Switzerland.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    Wehrle, Klaus
    RWTH Aachen University, Germany.
    Delegation-based Authentication and Authorization for the IP-based Internet of Things. 2014. Conference paper (Refereed)
    Abstract [en]

    IP technology for resource-constrained devices enables transparent end-to-end connections between a vast variety of devices and services in the Internet of Things (IoT). To protect these connections, several variants of traditional IP security protocols have recently been proposed for standardization, most notably the DTLS protocol. In this paper, we identify significant resource requirements for the DTLS handshake when employing public-key cryptography for peer authentication and key agreement purposes. These overheads particularly hamper secure communication for memory-constrained devices. To alleviate these limitations, we propose a delegation architecture that offloads the expensive DTLS connection establishment to a delegation server. By handing over the established security context to the constrained device, our delegation architecture significantly reduces the resource requirements of DTLS-protected communication for constrained devices. Additionally, our delegation architecture naturally provides authorization functionality when leveraging the central role of the delegation server in the initial connection establishment. Hence, in this paper, we present a comprehensive, yet compact solution for authentication, authorization, and secure data transmission in the IP-based IoT. The evaluation results show that compared to a public-key-based DTLS handshake our delegation architecture reduces the memory overhead by 64 %, computations by 97 %, network transmissions by 68 %.

  • 17.
    Hummen, René
    et al.
    Ziegeldorf, Jan H.
    Shafagh, Hossein
    RISE, Swedish ICT, SICS.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Wehrle, Klaus
    Towards Viable Certificate-based Authentication for the Web of Things. 2013. Conference paper (Refereed)
  • 18.
    Höglund, Joel
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Bouget, Simon
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Furuhed, Martin
    Nexus Group, Sweden.
    Preuß Mattsson, John
    Ericsson, Sweden.
    Selander, Göran
    Ericsson, Sweden.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    AutoPKI: public key infrastructure for IoT with automated trust transfer. 2024. In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270. Article in journal (Refereed)
    Abstract [en]

    IoT deployments grow in numbers and size, which makes questions of long-term support and maintainability increasingly important. Without scalable and standard-compliant capabilities to transfer the control of IoT devices between service providers, IoT system owners cannot ensure long-term maintainability, and risk vendor lock-in. The manual overhead must be kept low for large-scale IoT installations to be economically feasible. We propose AutoPKI, a lightweight protocol to update the IoT PKI credentials and shift the trusted domains, enabling the transfer of control between IoT service providers, building upon the latest IoT standards for secure communication and efficient encodings. We show that the overhead for the involved IoT devices is small and that the overall required manual overhead can be minimized. We analyse the fulfilment of the security requirements, and for a subset of them, we demonstrate that the desired security properties hold through formal verification using the Tamarin prover. 

  • 19.
    Höglund, Joel
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Furuhed, Martin
    Nexus Group, Sweden.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Lightweight certificate revocation for low-power IoT with end-to-end security. 2023. In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 73, article id 103424. Article in journal (Refereed)
    Abstract [en]

    Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors

  • 20.
    Höglund, Joel
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Lindemer, Samuel
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Furuhed, Martin
    Technology Nexus Secured Business Solutions, Sweden.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    PKI4IoT: Towards public key infrastructure for the Internet of Things. 2020. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 89, article id 101658. Article in journal (Refereed)
    Abstract [en]

    Public Key Infrastructure is the state-of-the-art credential management solution on the Internet. However, the millions of constrained devices that make up the Internet of Things currently lack a centralized, scalable system for managing keys and identities. Modern PKI is built on a set of protocols which were not designed for constrained environments, and as a result many small, battery-powered IoT devices lack the required computing resources. In this paper, we develop an automated certificate enrollment protocol light enough for highly constrained devices, which provides end-to-end security between certificate authorities (CA) and the recipient IoT devices. We also design a lightweight profile for X.509 digital certificates with CBOR encoding, called XIOT. Existing CAs can now issue traditional X.509 to IoT devices. These are converted to and from the XIOT format by edge devices on constrained networks. This procedure preserves the integrity of the original CA signature, so the edge device performing certificate conversion need not be trusted. We implement these protocols within the Contiki embedded operating system and evaluate their performance on an ARM Cortex-M3 platform. Our evaluation demonstrates reductions in energy expenditure and communication latency. The RAM and ROM required to implement these protocols are on par with the other lightweight protocols in Contiki’s network stack.

  • 21.
    Höglund, Joel
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    BLEND: Efficient and blended IoT data storage and communication with application layer security. 2022. In: Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience, CSR 2022, Institute of Electrical and Electronics Engineers Inc., 2022, p. 253-260. Conference paper (Refereed)
    Abstract [en]

    Many IoT use cases demand both secure storage and secure communication. Resource-constrained devices cannot afford having one set of crypto protocols for storage and another for communication. Lightweight application layer security standards are being developed for IoT communication. Extending these protocols for secure storage can significantly reduce communication latency and local processing. We present BLEND, combining secure storage and communication by storing IoT data as pre-computed encrypted network packets. Unlike local methods, BLEND not only eliminates separate crypto for secure storage needs, but also eliminates a need for real-time crypto operations, reducing the communication latency significantly. Our evaluation shows that compared with a local solution, BLEND reduces send latency from 630 μs to 110 μs per packet. BLEND enables PKI based key management while being sufficiently lightweight for IoT. BLEND doesn't need modifications to communication standards used when extended for secure storage, and can therefore preserve underlying protocols' security guarantees.

  • 22.
    Höglund, Joel
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Furuhed, Martin
    Technology Nexus Secured Business Solutions, Sweden.
    Towards Automated PKI Trust Transfer for IoT. 2022. In: 2022 IEEE International Conference on Public Key Infrastructure and its Applications, PKIA 2022, Institute of Electrical and Electronics Engineers Inc., 2022. Conference paper (Refereed)
    Abstract [en]

    IoT deployments grow in numbers and size and questions of long time support and maintainability become increasingly important. To prevent vendor lock-in, standard compliant capabilities to transfer control of IoT devices between service providers must be offered. We propose a lightweight protocol for transfer of control, and we show that the overhead for the involved IoT devices is small and the overall required manual overhead is minimal. We analyse the fulfilment of the security requirements to verify that the stipulated requirements are satisfied. 

  • 23.
    Höglund, Rikard
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Tiloca, Marco
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Bouget, Simon
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Key Update for the IoT Security Standard OSCORE. 2023. In: 2023 IEEE International Conference on Cyber Security and Resilience (CSR), IEEE, 2023. Conference paper (Refereed)
    Abstract [en]

    The standard Constrained Application Protocol (CoAP) is a lightweight, web-transfer protocol based on the REST paradigm and specifically suitable for constrained devices and the Internet-of-Things. Object Security for Constrained RESTful Environment (OSCORE) is a standard, lightweight security protocol that provides end-to-end protection of CoAP messages. A number of methods exist for managing keying material for OSCORE, as to its establishment and update. This paper provides a detailed comparison of such methods, in terms of their features, limitations and security properties. Also, it especially considers the new key update protocol KUDOS, for which it provides a more extended discussion about its features and mechanics, as well as a formal verification of its security properties.

  • 24.
    Iacovazzi, Alfonso
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Ensemble of Random and Isolation Forests for Graph-Based Intrusion Detection in Containers. 2022. In: Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience, CSR 2022, Institute of Electrical and Electronics Engineers Inc., 2022, p. 30-37. Conference paper (Refereed)
    Abstract [en]

    We propose a novel solution combining supervised and unsupervised machine learning models for intrusion detection at kernel level in cloud containers. In particular, the proposed solution is built over an ensemble of random and isolation forests trained on sequences of system calls that are collected at the hosting machine's kernel level. The sequences of system calls are translated into a weighted and directed graph to obtain a compact description of the container behavior, which is given as input to the ensemble model. We executed a set of experiments in a controlled environment in order to test our solution against the two most common threats that have been identified in cloud containers, and our results show that we can achieve high detection rates and low false positives in the tested attacks.

  • 25.
    Iacovazzi, Alfonso
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Wang, Han
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Butun, Ismail
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Towards Cyber Threat Intelligence for the IoT. 2023. In: Proceedings - 19th International Conference on Distributed Computing in Smart Systems and the Internet of Things, DCOSS-IoT 2023, Institute of Electrical and Electronics Engineers Inc., 2023, p. 483-490. Conference paper (Refereed)
    Abstract [en]

    With the proliferation of digitization and its usage in critical sectors, it is necessary to include information about the occurrence and assessment of cyber threats in an organization’s threat mitigation strategy. This Cyber Threat Intelligence (CTI) is becoming increasingly important, or rather necessary, for critical national and industrial infrastructures. Current CTI solutions are rather federated and unsuitable for sharing threat information from low-power IoT devices. This paper presents a taxonomy and analysis of the CTI frameworks and CTI exchange platforms available today. It proposes a new CTI architecture relying on the MISP Threat Intelligence Sharing Platform customized and focusing on IoT environment. The paper also introduces a tailored version of STIX (which we call tinySTIX), one of the most prominent standards adopted for CTI data modeling, optimized for low-power IoT devices using the new lightweight encoding and cryptography solutions. The proposed CTI architecture will be very beneficial for securing IoT networks, especially the ones working in harsh and adversarial environments. 

  • 26.
    Karlsson, August
    et al.
    RISE Research Institutes of Sweden.
    Hoglund, Rikard
    RISE Research Institutes of Sweden, Digital Systems, Data Science. Uppsala University, Sweden.
    Wang, Han
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Iacovazzi, Alfonso
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science. Mälardalen University, Sweden.
    Enabling Cyber Threat Intelligence Sharing for Resource Constrained IoT. 2024. Conference paper (Refereed)
    Abstract [en]

    Cyber Threat Intelligence (CTI) development has largely overlooked the IoT (network-connected devices like sensors). These devices’ heterogeneity, poor security, and memory and energy constraints make them prime cyber attack targets. Enhancing CTI for IoT is crucial. Currently, CTI for IoT is derived from honeypots mimicking IoT devices or extrapolated from standard computing systems. These methods are not ideal for resource-constrained devices. This study addresses this gap by introducing tinySTIX and tinyTAXII. TinySTIX is a data format designed for efficient sharing of CTI directly from resource-constrained devices. TinyTAXII is a lightweight implementation of the TAXII protocol, utilizing CoAP with OSCORE. Two implementations were assessed: one for integration into the MISP platform and the other for execution on network-connected devices running the Contiki operating system. Results demonstrated that tinySTIX reduces message size by an average of 35%, while tinyTAXII reduces packet count and session size by 85% compared to reference OpenTAXII implementations.

  • 27.
    Khurshid, Anum
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Alsaaidi, Reem
    RISE Research Institutes of Sweden. Ericsson, Sweden.
    Aslam, Mudassar
    RISE Research Institutes of Sweden. National University of Computer and Emerging Sciences, Pakistan.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science. Uppsala University, Sweden.
    EU Cybersecurity Act and IoT Certification: Landscape, Perspective and a Proposed Template Scheme. 2022. In: IEEE Access, E-ISSN 2169-3536, Vol. 10, p. 129932-. Article in journal (Refereed)
    Abstract [en]

    The vulnerabilities in deployed IoT devices are a threat to critical infrastructure and user privacy. There is ample ongoing research and efforts to produce devices that are secure-by-design. However, these efforts are still far from translation into actual deployments. To address this, worldwide efforts towards IoT device and software certification have accelerated as a potential solution, including UK’s IoT assurance program, EU Cybersecurity Act and the US executive order 14028. In EU, the Cybersecurity Act was launched in 2019 which initiated the European cybersecurity certification framework for Internet and Communications Technology (ICT). The heterogeneity of the IoT landscape with devices ranging from industrial to consumer, makes it challenging to incorporate IoT devices in the certification framework or introduce a European cybersecurity certification scheme solely for IoT. This paper analyses the cybersecurity certification prospects for IoT devices and also places article 54 of the EU Cybersecurity Act in an international perspective. We conducted a comparative study of existing IoT certification schemes to identify potential gaps and extract requirements of a candidate IoT device security certification scheme. We also propose an approach that can be used as a template to instantiate an EU cybersecurity certification scheme for IoT devices. In the proposed template, we identify IoT-critical elements from the article 54 of the Cybersecurity Act. We also evaluate the proposed template using the ENISA qualification system for cybersecurity certification schemes and show its qualification on all criteria. 

  • 28.
    Khurshid, Anum
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    AutoCert: Automated TOCTOU-secure digital certification for IoT with combined authentication and assurance. 2023. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 124, article id 102952. Article in journal (Refereed)
    Abstract [en]

    The Internet of Things (IoT) network is comprised of heterogeneous devices which are part of critical infrastructures throughout the world. To enable end-to-end security, the Public Key Infrastructure (PKI) is undergoing advancements to incorporate IoT devices globally which primarily provides device authentication. In addition to this, integrity of the software-state is vital, where Remote Attestation (RA) and Integrity Certificates play an important role. Though an Integrity Certificate verifies the software-state integrity of the device at the time of execution of the remote attestation process, it does not provide mechanisms to validate that the current software-state corresponds to the attested state. This issue is referred to as the Time-Of-Check to Time-Of-Use (TOCTOU) problem and remains unsolved in the context of Integrity Certificates. In this paper, we propose AutoCert, the first TOCTOU-secure mechanism to combine software-state integrity with PKI for IoT which resolves the TOCTOU problem in RA and Integrity Certificates. To this end, we utilize the IETF Remote Attestation Procedures architecture and standard X509 IoT profile certificates to ensure both device authentication and software assurance for IoT. We implement and evaluate the performance of the AutoCert proof-of-concept on a real IoT device, the OPTIGA TPM Evaluation Kit, to show its practicality and usability. AutoCert can validate the attested state of an IoT device in approximately 4746 milliseconds, with a minimal network overhead of 350 bytes.

  • 29.
    Khurshid, Anum
    et al.
    RISE Research Institutes of Sweden, Digital Systems.
    Yalew, Sileshi
    RISE Research Institutes of Sweden, Digital Systems.
    Aslam, Mudassar
    RISE Research Institutes of Sweden, Digital Systems.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    ShieLD: Shielding Cross-zone Communication within Limited-resourced IoT Devices running Vulnerable Software Stack. 2023. In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 20, no 2, p. 1031-. Article in journal (Refereed)
    Abstract [en]

    Securing IoT devices is gaining attention as the security risks associated with these devices increase rapidly. TrustZone-M, a Trusted Execution Environment (TEE) for Cortex-M processors, ensures stronger security within an IoT device by allowing isolated execution of security-critical operations, without trusting the entire software stack. However, TrustZone-M does not guarantee secure cross-world communication between applications in the Normal and Secure worlds. The cryptographic protection of the communication channel is an obvious solution; however, within a low-power IoT device, it incurs high overhead if applied to each cross-world message exchange. We present ShieLD, a framework that enables a secure communication channel between the two TrustZone-M worlds by leveraging the Memory Protection Unit (MPU). ShieLD guarantees confidentiality, integrity and authentication services without requiring any cryptographic operations. We implement and evaluate ShieLD using a Musca-A test chip board with Cortex-M33 that supports TrustZone-M. Our empirical evaluation shows, among other gains, the cross-zone communication protected with ShieLD is 5 times faster than the conventional crypto-based communication. 

  • 30.
    Khurshid, Anum
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Yalew, Sileshi
    RISE Research Institutes of Sweden.
    Aslam, Mudassar
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    TEE-Watchdog: Mitigating Unauthorized Activities within Trusted Execution Environments in ARM-Based Low-Power IoT Devices. 2022. In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122, article id 8033799. Article in journal (Refereed)
    Abstract [en]

    Trusted execution environments (TEEs) are on the rise in devices all around us ranging from large-scale cloud-based solutions to resource-constrained embedded devices. With the introduction of ARM TrustZone-M, hardware-assisted trusted execution is now supported in IoT nodes. TrustZone-M provides isolated execution of security-critical operations and sensitive data-generating peripherals. However, TrustZone-M, like all other TEEs, does not provide a mechanism to monitor operations in the trusted areas of the device, and software in the secure areas of an IoT device has access to the entire secure and nonsecure software stack. This is crucial due to the diversity of device manufacturers and component suppliers in the market, which manifests trust issues, especially when third-party peripherals are incorporated into a TEE. Compromised TEEs can be misused for industrial espionage, data exfiltration through system backdoors, and illegal data sharing. It is of utmost importance here that system peripheral behaviour in terms of resource access is in accordance with their intended usage that is specified during integration. We propose TEE-Watchdog, a lightweight framework that establishes MPU protections for secure system peripherals in TrustZone-enabled low-end IoT devices. TEE-Watchdog ensures blocking unauthorized peripheral accesses and logging of application misbehaviour running in the TEE based on a manifest file. We define lightweight specifications and structure for the application manifest file enlisting permissions for critical system peripherals using concise binary object representation (CBOR). We implement and evaluate TEE-Watchdog using a Musca-A2 test chipboard. Our microbenchmark evaluations on CPU time and RAM usage demonstrated the practicality of TEE-Watchdog. Securing the system peripherals using TEE-Watchdog protections induced a 1.4% overhead on the latency of peripheral accesses, which was 61 microseconds on our test board. Our optimized CBOR-encoded manifest file template also showed a decrease in manifest file size by 40% as compared to the standard file formats, e.g., JSON. © 2022 Anum Khurshid et al.

  • 31.
    Kwon, Hyuksang
    et al.
    Ajou University, South Korea.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Ko, JeongGil
    Ajou University, South Korea.
    POSTER: On compressing pki certificates for resource limited internet of things devices. 2018. In: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security, 2018, p. 837-839. Conference paper (Refereed)
    Abstract [en]

    Certificate-based Public Key Infrastructure (PKI) schemes are used to authenticate the identity of distinct nodes on the Internet. Using certificates for the Internet of Things (IoT) can allow many privacy sensitive applications to be trusted over the larger Internet architecture. However, since IoT devices are typically resource limited, full sized PKI certificates are not suitable for use in the IoT domain. This work outlines our approach in compressing standards-compliant X.509 certificates so that their sizes are reduced and can be effectively used on IoT nodes. Our scheme combines the use of Concise Binary Object Representation (CBOR) and also a scheme that compresses all data that can be implicitly inferenced within the IoT sub-network. Our scheme shows a certificate compression rate of up to ∼30%, which allows effective energy reduction when using X.509-based certificates on IoT platforms.

  • 32.
    Lundberg, Hampus
    et al.
    Mid Sweden University, Sweden.
    Mowla, Nishat
    RISE Research Institutes of Sweden, Digital Systems, Mobility and Systems.
    Abedin, Sarder
    Mid Sweden University, Sweden.
    Thar, Kyi
    Mid Sweden University, Sweden.
    Mahmood, Aamir
    Mid Sweden University, Sweden.
    Gidlund, Mikael
    Mid Sweden University, Sweden.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Experimental Analysis of Trustworthy In-Vehicle Intrusion Detection System Using eXplainable Artificial Intelligence (XAI). 2022. In: IEEE Access, E-ISSN 2169-3536, Vol. 10, p. 102831-102841. Article in journal (Refereed)
    Abstract [en]

    Anomaly-based In-Vehicle Intrusion Detection System (IV-IDS) is one of the protection mechanisms to detect cyber attacks on automotive vehicles. Using artificial intelligence (AI) for anomaly detection to thwart cyber attacks is promising but suffers from generating false alarms and making decisions that are hard to interpret. Consequently, this issue leads to uncertainty and distrust towards such IDS design unless it can explain its behavior, e.g., by using eXplainable AI (XAI). In this paper, we consider the XAI-powered design of such an IV-IDS using CAN bus data from a public dataset, named 'Survival'. Novel features are engineered, and a Deep Neural Network (DNN) is trained over the dataset. A visualization-based explanation, 'VisExp', is created to explain the behavior of the AI-based IV-IDS, which is evaluated by experts in a survey, in relation to a rule-based explanation. Our results show that experts' trust in the AI-based IV-IDS is significantly increased when they are provided with VisExp (more so than the rule-based explanation). These findings confirm the effect, and by extension the need, of explainability in automated systems, and VisExp, being a source of increased explainability, shows promise in helping involved parties gain trust in such systems. 

  • 33.
    Misra, Prasant
    et al.
    RISE, Swedish ICT, SICS.
    Mottola, Luca
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Politecnico di Milano, Italy.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Duquennoy, Simon
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Tsiftes, Nicolas
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Höglund, Joel
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    Supporting Cyber-Physical Systems with Wireless Sensor Networks: An Outlook of Software and Services. 2013. In: Journal of the Indian Institute of Science, ISSN 0970-4140, Vol. 93, no 3, p. 463-486. Article in journal (Refereed)
    Abstract [en]

    Sensing, communication, computation and control technologies are the essential building blocks of a cyber-physical system (CPS). Wireless sensor networks (WSNs) are a way to support CPS as they provide fine-grained spatial-temporal sensing, communication and computation at a low premium of cost and power. In this article, we explore the fundamental concepts guiding the design and implementation of WSNs. We report the latest developments in WSN software and services for meeting existing requirements and newer demands; particularly in the areas of: operating system, simulator and emulator, programming abstraction, virtualization, IP-based communication and security, time and location, and network monitoring and management. We also reflect on the ongoing efforts in providing dependable assurances for WSN-driven CPS. Finally, we report on its applicability with a case-study on smart buildings.

  • 34.
    Misra, Prasant
    et al.
    RISE, Swedish ICT, SICS. Indian Institute of Science, India.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Rajaraman, Vasanth
    Indian Institute of Science, India.
    Warrior, Jay
    Indian Institute of Science, India.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    Security Challenges in Indoor Location Sensing using Bluetooth LE Broadcast. 2015. In: EWSN 2015: Poster/Demo Session, 2015, 7, p. 11-12. Conference paper (Refereed)
    Abstract [en]

    As we consider a new generation of Internet of Things and Humans (IoTH) applications that place humans at the epicenter of the control system, the need to gather information from the immediate vicinity, in addition to global clues, is gaining importance. The loosely coupled Bluetooth Low Energy (BLE) data collection framework enables a new way of architecting IoTH systems where resource constrained BLE advertisers broadcast events, and devices inevitably carried by humans (such as smartphones) implicitly gather such notifications. While such a mechanism significantly alleviates data scavenging, it introduces serious limitations in terms of operational security. In this work, we show the applicability of BLE broadcast advertisements for indoor location sensing (as part of an IoTH application) and demonstrate an attack on the same system. Based on this preliminary case study, we discuss other security implications on BLE broadcasting.

  • 35.
    Ménétrey, J.
    et al.
    University of Neuchâtel, Switzerland.
    Göttel, C.
    University of Neuchâtel, Switzerland.
    Khurshid, Anum
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Pasin, M.
    University of Neuchâtel, Switzerland.
    Felber, P.
    University of Neuchâtel, Switzerland.
    Schiavoni, V.
    University of Neuchâtel, Switzerland.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Attestation Mechanisms for Trusted Execution Environments Demystified. 2022. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer Science and Business Media Deutschland GmbH, 2022, Vol. 13272, p. 95-113. Conference paper (Refereed)
    Abstract [en]

    Attestation is a fundamental building block to establish trust over software systems. When used in conjunction with trusted execution environments, it guarantees the genuineness of the code executed against powerful attackers and threats, paving the way for adoption in several sensitive application domains. This paper reviews remote attestation principles and explains how the modern and industrially well-established trusted execution environments Intel SGX, Arm TrustZone and AMD SEV, as well as emerging RISC-V solutions, leverage these mechanisms. 

  • 36.
    Peyrard, Alexandre
    et al.
    IMT Lille Douai, France.
    Kosmatov, Nikolai
    CEA, France.
    Duquennoy, Simon
    RISE - Research Institutes of Sweden, ICT, SICS.
    Lille, Inria
    Nord Europe, France.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Towards Formal Verification of Contiki: Analysis of the AES-CCM* Modules with Frama-C. 2018. In: Proceedings of the 2018 International Conference on Embedded Wireless Systems and Networks, 2018, p. 264-269. Conference paper (Other academic)
    Abstract [en]

    The number of IoT (Internet of Things) applications is rapidly increasing and allows embedded devices today to be massively connected to the Internet. This raises software security questions. This paper demonstrates the usage of formal verification to increase the security of Contiki OS, a popular open-source operating system for IoT. We present a case study on deductive verification of encryption-decryption modules of Contiki (namely, AES-CCM*) using Frama-C, a software analysis platform for C code.

  • 37.
    Peyrard, Alexandre
    et al.
    IMT Lille Douai, France.
    Kosmatov, Nikolai
    CEA, France.
    Duquennoy, Simon
    RISE - Research Institutes of Sweden, ICT, SICS. Inria Lille, France.
    Raza, Shahid
    RISE - Research Institutes of Sweden, ICT, SICS.
    Towards Formal Verification of Contiki OS: Analysis of the AES-CCM* Modules with Frama-C. 2018. In: Proceedings of the Workshop on Recent advances in secure management of data and resources in the IoT (RED-IOT), February 14-16, 2018, Madrid, Spain, 2018. Conference paper (Refereed)
    Abstract [en]

    The number of Internet of Things (IoT) applications is rapidly increasing and allows embedded devices today to be massively connected to the Internet. This raises software security questions. This paper demonstrates the usage of formal verification to increase the security of Contiki, a popular open-source operating system for the IoT. We present a case study on deductive verification of encryption-decryption modules of Contiki (namely, AES-CCM*) using Frama-C, a software analysis platform for C code.

  • 38.
    Pinol Pinol, Oriol
    et al.
    Yanzi Networks AB, Sweden.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Eriksson, Joakim
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Yanzi Networks AB, Sweden.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Uppsala University, Sweden.
    BSD-based Elliptic Curve Cryptography for the Open Internet of Things. 2015. In: 2015 7th International Conference on New Technologies, Mobility and Security (NTMS), 2015, 6, article id 7266475. Conference paper (Refereed)
    Abstract [en]

    The Internet of Things (IoT) is the interconnection of everyday physical objects with the Internet and their representation in the digital world. Due to the connectivity of physical objects with the untrusted Internet, security has become an important pillar for the success of IoT-based services. Things in the IoT are resource-constrained devices with limited processing and storage capabilities. Often, these things are battery powered and connected through lossy wireless links. Therefore, lightweight and efficient ways of providing secure communication in the IoT are needed. In this context, Elliptic Curve Cryptography (ECC) is considered as a strong candidate to provide security in the IoT while being able to function in constrained environments. In this paper we present a lightweight implementation and evaluation of ECC for the Contiki OS. For fast, secure and cost-effective mass development of IoT-based services by different vendors, it is important that the IoT protocols are implemented and released as open source and open licensed. To the best of our knowledge our ECC is the first lightweight BSD-licensed ECC for the IoT devices. We show the feasibility of our implementation by a thorough performance analysis using several implementations and optimization algorithms. Moreover, we evaluate it on a real IoT hardware platform.

  • 39.
    Piñol Piñol, Oriol
    et al.
    Yanzi Networks AB, Sweden.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Eriksson, Joakim
    RISE, Swedish ICT, SICS, Computer Systems Laboratory. Yanzi Networks AB, Sweden.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    BSD-based ECC for the Contiki OS. 2015. In: EWSN 2015: Posters and Demos, 2015, 6, p. 15-16. Conference paper (Refereed)
    Abstract [en]

    Security has arisen as an important issue for the Internet of Things (IoT). Efficient ways to provide secure communication between devices and sensors are crucial for the IoT devices, which are becoming more and more used and spread in a variety of fields. In this context, Elliptic Curve Cryptography (ECC) is considered as a strong candidate to provide security while being able to be functional in an environment with strong requirements and limitations such as wireless sensor networks (WSN). Furthermore, it is a valid candidate to be used in industry solutions.

    In this demo we show a real use case of Elliptic Curve Cryptography for key establishment in combination with symmetric AES encryption. The demo will show the use of a BSD-licensed ECC library for the Contiki OS running on Yanzi Networks Contiki-based nodes that will securely communicate with a Yanzi Gateway.

  • 40.
    Pérez, Salvador
    et al.
    University of Murcia, Spain.
    Hernández-Ramos, Jose
    European Commission, Italy.
    Raza, Shahid
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Skarmeta, Antonio
    University of Murcia, Spain.
    Application Layer Key Establishment for End-to-End Security in IoT. 2019. In: IEEE Internet of Things Journal, ISSN 2372-2541, Vol. 7, no 3, p. 2117-2128. Article in journal (Refereed)
    Abstract [en]

    In most IoT deployments, intermediate entities are usually employed for efficiency and scalability reasons. These intermediate proxies break end-to-end security when using even the state-of-the-art transport layer security (TLS) solutions. In this direction, the recent Object Security for Constrained RESTful Environments (OSCORE) has been standardized to enable end-to-end security even in the presence of malicious proxies. In this work, we focus on the key establishment process based on application layer techniques. In particular, we evaluate the Ephemeral Diffie-Hellman over COSE (EDHOC), the de facto key establishment protocol for OSCORE. Based on EDHOC, we propose CompactEDHOC, as a lightweight alternative, in which negotiation of security parameters is extracted from the core protocol. In addition to providing end-to-end security properties, we perform extensive evaluation using real IoT hardware and simulation tools. Our evaluation results prove EDHOC-based proposals as an effective and efficient approach for the establishment of a security association in IoT constrained scenarios.

  • 41.
    Ramadan, Mohammed
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Broadband Jamming Suppression at Subarray Level for Frequency Diverse Array Antenna. 2022. In: Proceedings - 16th International Conference on Signal-Image Technology and Internet-Based Systems, Institute of Electrical and Electronics Engineers Inc., 2022, p. 231-237. Conference paper (Refereed)
    Abstract [en]

    Frequency diverse array (FDA) is a modern and flexible antenna array conception different from the phased array (PA). The FDA utilized a small frequency increment across the antenna elements to achieve a range-dependent beam pattern. Adopting subarray signal processing is one of the critical technologies in new PAs that plays a significant role in clutter and noise jammer suppression. However, it experiences serious performance regression in the case of broadband jamming. This paper proposes a concrete scheme based on FDA subarray signal processing coupled with real-time delay processing to counteract broadband jamming. Therefore, the FDA combines real-time delay processing; the desired target can be distinguished from the clutter and jamming signals at the subarray level. Accordingly, adaptive weights based on space-time finite impulse response (FIR) filter (linearly constrained minimum variance (LCMV) method are applied at all delay outputs of each subarray to achieve optimum performance. The look angle uniquely determines the space steering vector with a different spatial steering vector for each transmitted frequency. The simulation results show that our proposed method is efficient, effective, and practically applicable. 

  • 42.
    Ramadan, Mohammed
    et al.
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Raza, Shahid
    RISE Research Institutes of Sweden, Digital Systems, Data Science.
    Secure Equality Test Technique using Identity Based Signcryption for Telemedicine Systems. 2023. In: IEEE Internet of Things Journal, ISSN 2327-4662, Vol. 10, no 18, p. 16594-. Article in journal (Refereed)
    Abstract [en]

    For telemedicine, Wireless Body Area Network (WBAN) offers enormous benefits where a patient can be remotely monitored without compromising the mobility of remote treatments. With the advent of high capacity and reliable wireless networks, WBANs are used in several remote monitoring systems, limiting the COVID-19 spread. The sensitivity of telemedicine applications mandates confidentiality and privacy requirements. In this paper, we propose a secure WBAN-19 telemedicine system to overcome the pervasiveness of contagious diseases utilizing a novel aggregate identity-based signcryption scheme with an equality test feature. We demonstrate a security analysis regarding indistinguishable adaptive chosen-ciphertext attack (IND-CCA2), one-way security against adaptive chosen-ciphertext attack (OW-CCA2), and unforgeability against adaptive chosen-message attack (EUF-CMA) under the random oracle model. The security analysis of the scheme is followed by complexity evaluations where the computation cost and communication overhead are measured. The evaluation demonstrates that the proposed model is efficient and applicable in telemedicine systems with high-performance capacities.

  • 43.
    Raza, Shahid
    RISE, Swedish ICT, SICS. Department of Computer Science and Engineering.
    Lightweight Security Solutions for the Internet of Things. 2013. Doctoral thesis, monograph (Other academic)
    Abstract [en]

    The future Internet will be an IPv6 network interconnecting traditional computers and a large number of smart objects or networks such as Wireless Sensor Networks (WSNs). This Internet of Things (IoT) will be the foundation of many services and our daily life will depend on its availability and reliable operations. Therefore, among many other issues, the challenge of implementing secure communication in the IoT must be addressed. The traditional Internet has established and tested ways of securing networks. The IoT is a hybrid network of the Internet and resource-constrained networks, and it is therefore reasonable to explore the options of using security mechanisms standardized for the Internet in the IoT. The IoT requires multi-faceted security solutions where the communication is secured with confidentiality, integrity, and authentication services; the network is protected against intrusions and disruptions; and the data inside a sensor node is stored in an encrypted form. Using standardized mechanisms, communication in the IoT can be secured at different layers: at the link layer with IEEE 802.15.4 security, at the network layer with IP security (IPsec), and at the transport layer with Datagram Transport Layer Security (DTLS). Even when the IoT is secured with encryption and authentication, sensor nodes are exposed to wireless attacks both from inside the WSN and from the Internet. Hence an Intrusion Detection System (IDS) and firewalls are needed. Since the nodes inside WSNs can be captured and cloned, protection of stored data is also important. This thesis has three main contributions. (i) It enables secure communication in the IoT using lightweight compressed yet standard compliant IPsec, DTLS, and IEEE 802.15.4 link layer security; and it discusses the pros and cons of each of these solutions. The proposed security solutions are implemented and evaluated in an IoT setup on real hardware. (ii) This thesis also presents the design, implementation, and evaluation of a novel IDS for the IoT. (iii) Last but not least, it also provides mechanisms to protect data inside constrained nodes. The experimental evaluation of the different solutions shows that the resource-constrained devices in the IoT can be secured with IPsec, DTLS, and 802.15.4 security; can be efficiently protected against intrusions; and the proposed combined secure storage and communication mechanisms can significantly reduce the security-related operations and energy consumption.

  • 44.
    Raza, Shahid
    RISE, Swedish ICT, SICS, Security Lab.
    Secure Communication in WirelessHART and its Integration with Legacy HART. 2010. Report (Other academic)
    Abstract [en]

    The WirelessHART is a new standard for Industrial Process Automation and Control, formally released in September 2007. WirelessHART specifications are very well organized in all aspects except security as there are no separate specifications that document security requirements, the security is limited and spread throughout the WirelessHART specifications, and it is hard to understand the employed security without reading all the core specifications. This report will provide a comprehensive overview of WirelessHART security, the provided security mechanisms will be analyzed against the possible threats and the solutions will be proposed for the identified shortcomings. The report work also comprises the ways to integrate the WirelessHART network with the legacy HART network. Different integration options are provided and each differs with the kind of legacy HART network already in use. A secure way of integrating HART and WirelessHART is also proposed by enhancing the capabilities of Adapters and connecting them with the HART Masters rather than slave devices. Finally the architecture of such a Security Manager will be proposed which will be capable of securing the entire WirelessHART network. A comprehensive and secure key management system is proposed which is capable of random key generation, secure key storage and retrieval, secure and automatic key renewal, timely key revocation, and efficient key distribution.

  • 45.
    Raza, Shahid
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Chung, Tony
    Duquennoy, Simon
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Yazar, Dogan
    RISE, Swedish ICT, SICS.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Roedig, Utz
    Securing Internet of Things with Lightweight IPsec. 2010. Report (Other academic)
    Abstract [en]

    Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. In some cases it may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks are more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this paper we provide End-to-End (E2E) secure communication between IP enabled sensor nodes and a device on the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of a 6LoWPAN extension for IPsec on Contiki. Our extension supports both IPsec's Authentication Header (AH) and Encapsulation Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms.

  • 46.
    Raza, Shahid
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Dini, Gianluca
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Gidlund, Mikael
    Secure Key Renewal in WirelessHART. 2011. Conference paper (Refereed)
    Abstract [en]

    WirelessHART is a wireless extension to the HART protocol. Even though WirelessHART is designed to be a secure protocol, the loopholes in the key management system make it vulnerable to security threats. The broadcast approach for key renewal mechanisms in WirelessHART is not secure enough to be used in sensitive industrial automation environments where breach of security may result in catastrophic results. Also, key distribution with unicast communication with each device requires O(n) rekeying messages, where n is the size of the network. In this paper we provide a secure and scalable key renewal protocol for WirelessHART that reduces the communication overhead to O(log n). Our protocol requires far fewer messages than the conventional unicast approach.

  • 47.
    Raza, Shahid
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Duquennoy, Simon
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Chung, Tony
    Yazar, Dogan
    RISE, Swedish ICT, SICS.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Roedig, Utz
    Securing Communication in 6LoWPAN with Compressed IPsec. 2011. Conference paper (Refereed)
    Abstract [en]

    Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. It may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks are more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this paper we provide End-to-End (E2E) secure communication between IP enabled sensor networks and the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of 6LoWPAN extension for IPsec. Our extension supports both IPsec’s Authentication Header (AH) and Encapsulation Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms.

  • 48.
    Raza, Shahid
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Duquennoy, Simon
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Höglund, Joel
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Roedig, Utz
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Secure Communication for the Internet of Things: A Comparison of Link-Layer Security and IPsec for 6LoWPAN. 2012. In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122. Article in journal (Refereed)
    Abstract [en]

    The future Internet is an IPv6 network interconnecting traditional computers and a large number of smart objects. This Internet of Things (IoT) will be the foundation of many services and our daily life will depend on its availability and reliable operation. Therefore, among many other issues, the challenge of implementing secure communication in the IoT must be addressed. In the traditional Internet, IPsec is the established and tested way of securing networks. It is therefore reasonable to explore the option of using IPsec as a security mechanism for the IoT. Smart objects are generally added to the Internet using IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN), which defines IP communication for resource-constrained networks. Thus, to provide security for the IoT based on the trusted and tested IPsec mechanism, it is necessary to define an IPsec extension of 6LoWPAN. In this paper, we present such a 6LoWPAN/IPsec extension and show the viability of this approach. We describe our 6LoWPAN/IPsec implementation, which we evaluate and compare with our implementation of IEEE 802.15.4 link-layer security. We also show that it is possible to reuse crypto hardware within existing IEEE 802.15.4 transceivers for 6LoWPAN/IPsec. The evaluation results show that IPsec is a feasible option for securing the IoT in terms of packet size, energy consumption, memory usage, and processing time. Furthermore, we demonstrate that in contrast to common belief, IPsec scales better than link-layer security as the data size and the number of hops grow, resulting in time and energy savings. Copyright © 2012 John Wiley & Sons, Ltd.

  • 49.
    Raza, Shahid
    et al.
    RISE, Swedish ICT, SICS, Security Lab.
    Duquennoy, Simon
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Voigt, Thiemo
    RISE, Swedish ICT, SICS, Computer Systems Laboratory.
    Roedig, Utz
    Demo Abstract: Securing Communication in 6LoWPAN with Compressed IPsec. 2011. Conference paper (Refereed)
    Abstract [en]

    With the inception of IPv6 it is possible to assign a unique ID to each device on the planet. Recently, wireless sensor networks and traditional IP networks are more tightly integrated using IPv6 and 6LoWPAN. Real-world deployments of WSN demand secure communication. The receiver should be able to verify that sensor data is generated by trusted nodes and/or it may also be necessary to encrypt sensor data in transit. Available IPv6 protocol stacks can use IPsec to secure data exchanges. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this demo we will show the usage of our implemented lightweight IPsec. We will show how IPsec ensures end-to-end security between IP enabled sensor networks and the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of a 6LoWPAN extension for IPsec. This demo complements the full paper that will appear in the parent conference, DCOSS’11.

  • 50.
    Raza, Shahid
    et al.
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Helgason, Tomas
    RISE - Research Institutes of Sweden (2017-2019), ICT, SICS.
    Papadimitratos, Panos
    KTH Royal Institute of Technology, Sweden.
    Voigt, Thiemo
    Uppsala University, Sweden.
    SecureSense: End-to-end secure communication architecture for the cloud-connected Internet of Things. 2017. In: Future Generation Computer Systems, ISSN 0167-739X, E-ISSN 1872-7115, Vol. 77, no Dec, p. 40-51. Article in journal (Refereed)
    Abstract [en]

    Constrained Application Protocol (CoAP) has become the de-facto web standard for the IoT. Unlike traditional wireless sensor networks, Internet-connected smart thing deployments require security. CoAP mandates the use of the Datagram TLS (DTLS) protocol as the underlying secure communication protocol. In this paper we implement DTLS-protected secure CoAP for both resource-constrained IoT devices and a cloud backend and evaluate all three security modes (pre-shared key, raw-public key, and certificate-based) of CoAP in a real cloud-connected IoT setup. We extend SicsthSense, a cloud platform for the IoT, with secure CoAP capabilities, and complement a DTLS implementation for resource-constrained IoT devices with raw-public key and certificate-based asymmetric cryptography. To the best of our knowledge, this is the first effort toward providing end-to-end secure communication between resource-constrained smart things and cloud back-ends which supports all three security modes of CoAP both on the client side and the server side. SecureSense, our End-to-End (E2E) secure communication architecture for the IoT, consists of all standard-based protocols, and implementations of these protocols are open source and BSD-licensed. The SecureSense evaluation benchmarks and open source and open license implementation make it possible for future IoT product and service providers to account for security overhead while using all standardized protocols and while ensuring interoperability among different vendors. The core contributions of this paper are: (i) a complete implementation for CoAP security modes for E2E IoT security, (ii) IoT security and communication protocols for a cloud platform for the IoT, and (iii) detailed experimental evaluation and benchmarking of E2E security between a network of smart things and a cloud platform.
