Lightweight Security Solutions for the Internet of Things
Mälardalen University, School of Innovation, Design and Engineering. SICS Swedish ICT, Kista, Stockholm (NES Group). ORCID iD: 0000-0001-8192-0893
2013 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The future Internet will be an IPv6 network interconnecting traditional computers and a large number of smart objects or networks such as Wireless Sensor Networks (WSNs). This Internet of Things (IoT) will be the foundation of many services, and our daily life will depend on its availability and reliable operation.

Therefore, among many other issues, the challenge of implementing secure communication in the IoT must be addressed. The traditional Internet has established and tested ways of securing networks. The IoT is a hybrid network of the Internet and resource-constrained networks, and it is therefore reasonable to explore the options of using security mechanisms standardized for the Internet in the IoT.

The IoT requires multi-faceted security solutions where the communication is secured with confidentiality, integrity, and authentication services; the network is protected against intrusions and disruptions; and the data inside a sensor node is stored in encrypted form. Using standardized mechanisms, communication in the IoT can be secured at different layers: at the link layer with IEEE 802.15.4 security, at the network layer with IP security (IPsec), and at the transport layer with Datagram Transport Layer Security (DTLS). Even when the IoT is secured with encryption and authentication, sensor nodes are exposed to wireless attacks both from inside the WSN and from the Internet. Hence an Intrusion Detection System (IDS) and firewalls are needed. Since the nodes inside WSNs can be captured and cloned, protection of stored data is also important.

This thesis has three main contributions. (i) It enables secure communication in the IoT using lightweight compressed yet standard compliant IPsec, DTLS, and IEEE 802.15.4 link layer security; and it discusses the pros and cons of each of these solutions. The proposed security solutions are implemented and evaluated in an IoT setup on real hardware. (ii) This thesis also presents the design, implementation, and evaluation of a novel IDS for the IoT. (iii) Last but not least, it also provides mechanisms to protect data inside constrained nodes.

The experimental evaluation of the different solutions shows that the resource-constrained devices in the IoT can be secured with IPsec, DTLS, and 802.15.4 security; can be efficiently protected against intrusions; and the proposed combined secure storage and communication mechanisms can significantly reduce the security-related operations and energy consumption.

Place, publisher, year, edition, pages
Västerås: Mälardalen University, 2013.
Series
Mälardalen University Press Dissertations, ISSN 1651-4238; 139
Keyword [en]
Security, Internet of Things, 6LoWPAN, CoAP, RPL, Secure Storage, IDS, DTLS, IPsec
National Category
Engineering and Technology
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:mdh:diva-18863; ISBN: 978-91-7485-110-6 (print); OAI: oai:DiVA.org:mdh-18863; DiVA: diva2:619066
Public defence
2013-06-05, Kappa, Mälardalens högskola, Västerås, 10:15 (English)
Available from: 2013-05-02. Created: 2013-04-30. Last updated: 2014-10-07. Bibliographically approved.
List of papers
1. Security Considerations for the WirelessHART Protocol
2009 (English). In: Emerging Technologies & Factory Automation, 2009. ETFA 2009. IEEE Conference on, 2009, pp. 1-8. Conference paper, Published paper (Refereed)
Abstract [en]

WirelessHART is a secure and reliable communication standard for industrial process automation. The WirelessHART specifications are well organized in all aspects except security: there are no separate specifications of security requirements or features. Rather, security mechanisms are described throughout the documentation. This hinders implementation of the standard and development of applications since it requires profound knowledge of all the core specifications on the part of the developer. In this paper we provide a comprehensive overview of WirelessHART security: we analyze the provided security mechanisms against well-known threats in the wireless medium, and propose recommendations to mitigate shortcomings. Furthermore, we elucidate the specifications of the security manager, its placement in the network, and interaction with the network manager.

Identifiers
urn:nbn:se:mdh:diva-12283 (URN); 10.1109/ETFA.2009.5347043 (DOI); 2-s2.0-77949891992 (Scopus ID); 978-1-4244-2727-7 (ISBN)
Conference
Emerging Technologies & Factory Automation, 2009. ETFA 2009. IEEE Conference on
Note
(c) 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Available from: 2011-05-24. Created: 2011-05-21. Last updated: 2014-10-07. Bibliographically approved.
2. Securing Communication in 6LoWPAN with Compressed IPsec
2011 (English). In: 7th IEEE International Conference on Distributed Computing in Sensor Systems (IEEE DCOSS '11), 2011. Conference paper, Published paper (Refereed)
Abstract [en]

Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. It may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks have become more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed.

In this paper we provide End-to-End (E2E) secure communication between IP-enabled sensor networks and the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of a 6LoWPAN extension for IPsec. Our extension supports both IPsec's Authentication Header (AH) and Encapsulating Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms.

Identifiers
urn:nbn:se:mdh:diva-12285 (URN)
Conference
7th IEEE International Conference on Distributed Computing in Sensor Systems (IEEE DCOSS '11)
Note
Available from: 2011-05-24. Created: 2011-05-21. Last updated: 2014-10-07. Bibliographically approved.
3. Secure Communication for the Internet of Things - A Comparison of Link-Layer Security and IPsec for 6LoWPAN
2014 (English). In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122, Vol. 7, no. 12, pp. 2654-2668. Article in journal (Refereed), Published
Abstract [en]

The future Internet is an IPv6 network interconnecting traditional computers and a large number of smart objects. This Internet of Things (IoT) will be the foundation of many services, and our daily life will depend on its availability and reliable operation. Therefore, among many other issues, the challenge of implementing secure communication in the IoT must be addressed. In the traditional Internet, IPsec is the established and tested way of securing networks. It is therefore reasonable to explore the option of using IPsec as a security mechanism for the IoT. Smart objects are generally added to the Internet using 6LoWPAN, which defines IP communication for resource-constrained networks. Thus, to provide security for the IoT based on the trusted and tested IPsec mechanism, it is necessary to define an IPsec extension of 6LoWPAN. In this paper we present such a 6LoWPAN/IPsec extension and show the viability of this approach. We describe our 6LoWPAN/IPsec implementation, which we evaluate and compare with our implementation of IEEE 802.15.4 link-layer security. We also show that it is possible to reuse crypto hardware within existing IEEE 802.15.4 transceivers for 6LoWPAN/IPsec. The evaluation results show that IPsec is a feasible option for securing the IoT in terms of packet size, energy consumption, memory usage, and processing time. Furthermore, we demonstrate that, in contrast to common belief, IPsec scales better than link-layer security as the data size and the number of hops grow, resulting in time and energy savings.

Place, publisher, year, edition, pages
John Wiley & Sons, 2014
Keyword
Security; Internet of Things; 6LoWPAN; IPsec; IEEE 802.15.4 Security
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-18865 (URN); 10.1002/sec.406 (DOI); 2-s2.0-84911865485 (Scopus ID)
Available from: 2013-04-30. Created: 2013-04-30. Last updated: 2017-12-06. Bibliographically approved.
4. Lithe: Lightweight Secure CoAP for the Internet of Things
2013 (English). In: IEEE Sensors Journal, ISSN 1530-437X, E-ISSN 1558-1748, Vol. 13, no. 10, pp. 3711-3720. Article in journal (Refereed), Published
Abstract [en]

The Internet of Things (IoT) enables a wide range of application scenarios with potentially critical actuating and sensing tasks, e.g., in the e-health domain. For communication at the application layer, resource-constrained devices are expected to employ the Constrained Application Protocol (CoAP) that is currently being standardized at the IETF. To protect the transmission of sensitive information, secure CoAP (CoAPs) mandates the use of Datagram TLS (DTLS) as the underlying security protocol for authenticated and confidential communication. DTLS, however, was originally designed for comparably powerful devices that are interconnected via reliable, high-bandwidth links.

In this paper, we present Lithe – an integration of DTLS and CoAP for the IoT. With Lithe, we additionally propose a novel DTLS header compression scheme that aims to significantly reduce the header overhead of DTLS leveraging the 6LoWPAN standard. Most importantly, our proposed DTLS header compression scheme does not compromise the end-to-end security properties provided by DTLS. At the same time, it considerably reduces the number of transmitted bytes while maintaining DTLS standard compliance. We evaluate our approach based on a DTLS implementation for the Contiki operating system. Our evaluation results show significant gains in terms of packet size, energy consumption, processing time, and network-wide response times, when compressed DTLS is enabled.

Keyword
CoAP, DTLS, CoAPs, 6LoWPAN, Security, Internet of Things
National Category
Engineering and Technology
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-18867 (URN); 10.1109/JSEN.2013.2277656 (DOI); 000324337900006; 2-s2.0-84883314073 (Scopus ID)
Available from: 2013-05-01. Created: 2013-05-01. Last updated: 2017-12-06. Bibliographically approved.
5. SVELTE: Real-time Intrusion Detection in the Internet of Things
2013 (English). In: Ad hoc networks, ISSN 1570-8705, E-ISSN 1570-8713, Vol. 11, no. 8, pp. 2661-2674. Article in journal (Refereed), Published
Abstract [en]

In the Internet of Things (IoT), resource-constrained things are connected to the unreliable and untrusted Internet via IPv6 and 6LoWPAN networks. Even when they are secured with encryption and authentication, these things are exposed both to wireless attacks from inside the 6LoWPAN network and from the Internet. Since these attacks may succeed, Intrusion Detection Systems (IDS) are necessary. Currently, there are no IDSs that meet the requirements of the IPv6-connected IoT since the available approaches are either customized for Wireless Sensor Networks (WSN) or for the conventional Internet.

In this paper we design, implement, and evaluate a novel intrusion detection system for the IoT that we call SVELTE. In our implementation and evaluation we primarily target routing attacks such as spoofed or altered information, sinkhole, and selective-forwarding. However, our approach can be extended to detect other attacks. We implement SVELTE in the Contiki OS and thoroughly evaluate it. Our evaluation shows that in the simulated scenarios, SVELTE detects all malicious nodes that launch our implemented sinkhole and/or selective forwarding attacks. However, the true positive rate is not 100%, i.e., we have some false alarms during the detection of malicious nodes. Also, SVELTE's overhead is small enough to deploy it on constrained nodes with limited energy and memory capacity.

Place, publisher, year, edition, pages
Elsevier, 2013
Keyword
Intrusion Detection, Internet of Things, 6LoWPAN, RPL, IPv6, Security, Sensor Networks
National Category
Engineering and Technology
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-18866 (URN); 10.1016/j.adhoc.2013.04.014 (DOI); 000326661900037; 2-s2.0-84885328301 (Scopus ID)
Available from: 2013-05-01. Created: 2013-05-01. Last updated: 2017-12-06. Bibliographically approved.
6. Combined Secure Storage and Communication for the Internet of Things
2013 (English). Conference paper, Published paper (Refereed)
Abstract [en]

The future Internet of Things (IoT) may be based on the existing and established Internet Protocol (IP). Many IoT application scenarios will handle sensitive data. However, as security requirements for storage and communication are addressed separately, work such as key management or cryptographic processing is duplicated. In this paper we present a framework that allows us to combine secure storage and secure communication in the IP-based IoT. We show how data can be stored securely such that it can be delivered securely upon request without further cryptographic processing. Our prototype implementation shows that combined secure storage and communication can reduce the security-related processing on nodes by up to 71% and energy consumption by up to 32.1%.

Keyword
Secure Storage, IPsec, 6LoWPAN, Internet of Things, Communication, Internet
National Category
Engineering and Technology
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-18869 (URN); 10.1109/SAHCN.2013.6645024 (DOI); 2-s2.0-84890871446 (Scopus ID); 978-147990230-9 (ISBN)
Conference
10th Annual IEEE Communications Society Conference on Sensing and Communication in Wireless Networks, SECON 2013; New Orleans, LA; United States; 24 June 2013 through 27 June 2013
Available from: 2013-05-01. Created: 2013-05-01. Last updated: 2014-02-07. Bibliographically approved.

Open Access in DiVA

File name: FULLTEXT02.pdf. File size: 1860 kB. Type: fulltext. Mimetype: application/pdf.
Checksum (SHA-512): e8b6e25bfd41555300773a21f8f2d0dea5dd0b121c618ba6dd9a0722ec6e17a9b47c21ca585eb91571a3610ff67e169d4c84d14c5807dab554e1f4384edb92b8

Author/editor: Raza, Shahid
Organisation: School of Innovation, Design and Engineering