Context-Based Authentication and Lightweight Group Key Establishment Protocol for IoT Devices


Academic year: 2022



Master’s thesis in Computer Engineering

Master’s thesis

Department of Information Systems and Technology
Master of Science in Computer Engineering

Context-Based Authentication and Lightweight Group-Key Establishment Protocol for IoT Devices

Nico Ferrari


MID SWEDEN UNIVERSITY

Department of Information Systems and Technology

Examiner: Prof. Mikael Gidlund, mikael.gidlund@miun.se
Supervisor: Dr. Ulf Jennehag, ulf.jennehag@miun.se
Author: Nico Ferrari, nife1600@student.miun.se

Degree program: Master of Science in Computer Engineering, Master by Research, 120 ECTS

Main field of study: Computer Engineering
Semester, year: Summer, 2019

Release date of this thesis report: July 7, 2019


Abstract

The concept of the Internet of Things is driven by advancements of the Internet with the interconnection of heterogeneous smart objects using different networking and communication technologies. With the rapidly increasing number of interconnected devices present in a person’s life, providing authentication and secure communication between them is considered a key challenge. The integration of Wireless Sensor Networks in the Internet of Things creates new obstacles due to the necessity of finding a balance between resource utilization and the applied security solutions. In multicast group communications, the energy consumption, bandwidth and processing overhead at the nodes are minimized in comparison to a point-to-point communication system. Securely transmitting a message in order to maintain confidentiality of the data and the user’s privacy usually involves human interaction or a pre-agreement upon some key, the latter unknown to an external attacker. In this thesis, the author proposes an authentication protocol based on the similar context shared by the correct devices and a lightweight, computationally secure group-key establishment, avoiding any kind of human involvement. The goal is achieved by having the devices calculate a fingerprint from their ambient context and, through a fuzzy commitment scheme, generate a commitment and an opening value, respectively, which are used to generate a common secret key between them. The tests are carried out on real-world data collected from different environments.

The proposed scheme is based on elliptic curve cryptography and cryptographic one-way accumulators. Its feasibility is analyzed by implementing the group key establishment phase in the Contiki operating system and by simulating it with the Cooja simulator. Furthermore, the applicability of the protocol is analyzed and justified by an analysis of the storage overhead, communication overhead, and energy consumption. The simulator shows an energy consumption of only 112 mJ per node for group key establishment.

The results obtained in this thesis demonstrate the feasibility of the scheme and its computational and communication costs are further comparable to other similar approaches.

Keywords: Internet of Things, Context-based authentication, Fuzzy commitment scheme, Cryptographic key establishment, Lightweight cryptography, Contiki, One-way accumulators


Acknowledgement

Foremost, I would like to express my sincere gratitude to my supervisor Ulf Jennehag for the continuous support during my Master studies. Thanks to his patience, motivation and enthusiasm which guided me during my studies and supported the participation in the two conferences in Valencia and in Sundsvall.

I would also like to express gratitude to Teklay Gebremichael for reviewing the thesis. Thank you for always being ready to advise me, to help me clear doubts and for all your great feedback during these years.

Heartfelt thanks go to Thomas Wiss, who gave me invaluable help with proofreading the thesis report. Thank you for listening, offering me advice, and supporting me through this entire process. From the depth of my heart I thank you for your friendship.

Next, I would like to thank the friends and nice people from all over the world that I met during these amazing years and for all the memories we shared.

Finally, my deep and sincere gratitude to my family for their continuous support, help and love. I am forever indebted to my parents for giving me the opportunities, encouraging me to engage in new challenges and inspiring me to follow my dreams. This would not have been possible without them. Thank you.


Contents

Abstract
Acknowledgement
Contents
Terminology
    Abbreviations and Acronyms
    Acronyms
1 Introduction
    1.1 Background and problem motivation
    1.2 Problem statement
    1.3 Scope
    1.4 Concrete and verifiable goals
    1.5 Outline
2 Theory
    2.1 Fuzzy Commitment Scheme
    2.2 Elliptic Curves Cryptography
    2.3 One Way Accumulators
    2.4 Related work
3 Methodology
    3.1 Literature review
    3.2 Obtaining data from real-world use-case analysis
    3.3 Data analysis and authentication key generation
    3.4 Group-key establishment design and implementation
    3.5 Conduct a performance evaluation
4 Proximity Based Authentication
    4.1 Context Data Collection
        4.1.1 Scenario 1: Office Environment
        4.1.2 Scenario 2: Factory Environment
    4.2 Adversary Model
5 Implementation proximity-based authentication scheme
    5.1 Authentication protocol
        5.1.1 Fingerprint
            Fingerprint from sensor data
            Fingerprint from audio data
        5.1.2 Fuzzy commitment scheme
6 Lightweight Group-Key Management Scheme
    6.1 Initialization Procedure
    6.2 Join Procedure
    6.3 Leave Procedure
    6.4 Generate Session Key
7 Implementation of the Lightweight Protocol
    7.1 Implementation Environment
        7.1.1 Operating System
        7.1.2 Tmote Sky
    7.2 Network Configuration
    7.3 Code Implementation
8 Results
    8.1 Performances of the authentication scheme
    8.2 Lightweight protocol
        8.2.1 Storage Overhead
        8.2.2 Energy Consumption Analysis
        8.2.3 Security Analysis
9 Conclusions
    9.1 Ethical and social considerations
    9.2 Future work
Bibliography
List of Figures
List of Tables


Terminology

Abbreviations and Acronyms

5G Fifth Generation
AES Advanced Encryption Standard
CRNG Common Random Number Generators
DH Diffie-Hellman
ECC Elliptic Curve Cryptography
ECDH Elliptic-Curve Diffie-Hellman
ECDLP Elliptic Curve Discrete Logarithm Problem
EC Elliptic Curve
HMAC Hash Message Authentication Code
IIoT Industrial IoT
IoT Internet of Things
PKC Public Key Cryptography
RPi Raspberry Pi
RS Reed-Solomon
WSN Wireless Sensor Network


1 Introduction

During the last decades the Internet has evolved significantly towards the Internet of Things (IoT) environment, where different resource-constrained objects communicate and exchange information with each other for improved functionality and performance. The Internet of Things denotes the interconnection of highly heterogeneous networked embedded systems (nodes) with different communication patterns, enabling their connection to IP networks and allowing them to be remotely monitored and controlled [1]. According to projections made by networking specialists, the adoption of IoT is forecast to boost the number of connected devices in the coming years, with estimates of many billions of different web-enabled devices all around the globe [2][3]. IoT introduces different changes to the future of the Internet, also becoming a key enabling technology of Fifth Generation (5G) wireless systems. This development affects not only the digitalization and connection of society, but also industry and the economy as a whole. Concepts brought by the Internet of Things, such as IoT cloud computing and Big Data analysis of data gathered from sensors, have also reached industry, which has started to embrace the IoT, forming the Industrial Internet of Things (IIoT) [4].

With the development and expansion of communication and sensing technologies, the research sector has also been affected, bringing new challenges. The main research challenges have in fact moved from packet switching to connect several computers in a network [5] towards making devices accessible and allowing communication between them.

Over the last two decades, wireless communications and digital electronics technologies have been rapidly evolving, introducing remarkable advances in Wireless Sensor Networks (WSNs). Typically, a WSN is a network that comprises a large number of sensor nodes, where each node is equipped with one or multiple sensors to detect physical phenomena such as light intensity, temperature, humidity or pressure, measuring and quantifying their physical environment [6]. WSNs represent an important technology for distributed monitoring of different physical quantities, capable of providing measurements characterized by high temporal and spatial resolution.

1.1 Background and problem motivation

The more objects are connected, the more the network is exposed to security vulnerabilities, leading to a drastic exposure of users to potentially sensitive privacy threats. Considering, therefore, the number of everyday devices which could possibly be involved, the IoT faces greater threats and risks than the Internet has until now [7]. Security and privacy attacks and their harmful consequences can occur when sensitive information is concealed or controlled without users’ consent.

Despite the fact that security is a prime and mandatory requirement that should be integrated at the design phase of the IoT device life-cycle, it is still too often neglected in the development of systems. Recent press reports highlight many security breaches that take advantage of insecure IoT devices, leading to attacks such as those against networked garage or car door systems [8] or medical devices [9].

Due to the heterogeneity of the networking technologies and devices in dynamic networking environments, the deployment of conventional security protocols has become challenging. In fact, to face powerful attackers, high-performance devices require advanced security solutions. However, these protocols can be too expensive to deploy on resource-constrained devices, which are limited in terms of battery capacity, computational power, memory footprint and bandwidth utilization.

Moreover, even traditional cryptographic techniques, such as the Diffie-Hellman (DH) protocol, are not sufficient for a secure pairing between devices that spontaneously come into the network. Techniques like the devices’ names and network addresses do not guarantee protection against device impersonation by an attacker.

Therefore, finding a balance between security solutions and the associated resource utilization overhead raises new challenges, while keeping in mind how these systems can be made easily usable and not compromised by users.

Since there is an enormous number of connected devices with different functionalities, it may happen that some have to communicate with an unknown number of other devices. Clustering and multicasting are the most efficient means of resource management for communication in IoT applications [10]. In group communication, a group of two or more devices communicate with each other in such a way that a sender broadcasts a message to the group rather than sending a unicast message to each group member. Conveying messages to a multicast group is more efficient and effective than sending unicast messages to different devices in multiple copies. Multicast communication helps to improve bandwidth usage by reducing the number of transmitted messages, thus enabling fast delivery of a message to multiple recipients, a very important feature in time-critical applications. It also minimizes the energy consumption and processing overhead at the terminals, improving their lifetime and responsiveness.

1.2 Problem statement

According to the statistics in [11] there are more than 7 billion connected "things" in the world today, challenging researchers with novel research problems due to this ever-growing number of devices.

The thesis aims to address the following research questions:

RQ1: How can lightweight and secure key establishment and authentication protocols be designed in order to permit deployment on constrained devices in IoT applications?

Public key cryptography (PKC) has usually been chosen to ensure a satisfactory level of security for data transmissions within the network. This is because one does not need to transmit the private key over the channel, in addition to providing digital signatures that cannot be repudiated. However, the constrained energy, computation and memory budgets of sensors make the implementation of PKC challenging.

RQ2: Can the physical environment be exploited in order to enable secure authentication between devices and gateways?

During the last years, the constantly increasing number of sensors, in combination with the variation inherent in many of the measurable quantities, brought novel security approaches into the spotlight (such as Common Random Number Generators, CRNG). Using the acquired data to generate mutual authentication could bring a natural way to verify that the keys obtained through the cryptographic exchange belong to devices that are within physical proximity. The pairing would happen without user interaction, based solely on information that the involved devices can communicate and sense from their ambient context without human involvement.

The research questions of this study which are outlined above are motivated by the research problems described in the previous sections.

1.3 Scope

The scope of this thesis work is to analyze the use of context information in order to realise autonomous establishment of security services able to be used by the IoT applications mentioned previously. The targets of the authentication protocol are IoT devices in factory and office environments; the complexity of the services is not within the scope of this research. For the group-key establishment protocol the targets are wireless sensors, so as to be able to extend the solution to more powerful devices. The evaluations are performed on simulated devices and the implementation of the proposed solutions on physical devices is not included as part of this work.

The implementations of the concepts proposed in the thesis are considered a Proof of Concept; therefore no effort is made to provide production-ready solutions. The power-efficiency related properties (e.g. duty-cycle) are also out of the scope of this thesis. Power consumption is only measured for the key establishment process. In order to reduce the measurement load, each device is configured to disable the power saving option. Each device is active 100% of the time and is thus always in a ready state to receive, send and process a message.

1.4 Concrete and verifiable goals

As part of the preparation and initialization of the master thesis project work a set of concrete and verifiable goals has been elaborated and is presented in the following list:


G1 Research and evaluate context-based authentication and lightweight group key management protocols used in the IoT context.

G2 Implementation of devices able to get ambient data using different sensors and data acquisition from real-world use cases.

G3 Analysis of the obtained data in order to generate an authentication key between devices located in the same ambient.

G4 Design and implementation of a lightweight group-key management scheme which uses lightweight cryptographic primitives.

G5 Measure the computation overhead and the communication overhead of the implemented protocol and include related lightweight group-key management protocols in the performance evaluation.

How these goals were achieved as part of the work in this master thesis project is outlined in the subsequent chapters. First, however, an outline of the chapters in the report at hand is provided.

1.5 Outline

Chapter 1 introduces the topic of this master thesis project, gives reasons for the project’s motivation, scopes the work, and sets goals to be achieved in this master thesis project. The following Chapter 2 outlines and describes the principal topics encountered during the master thesis project. Chapter 3, Methodology, describes in which manner the concrete goals shall be approached in order to fulfill them.

Chapter 4 describes the scenarios analyzed for the context-based authentication scheme and the threat model considered in the study. The subsequent Chapter 5 gives detailed insight into the implementation efforts conducted in this master thesis project work related to the authentication protocol. Chapter 6 describes the proposed lightweight group-key establishment protocol, and the implementation details are shown in Chapter 7. The results of the performance evaluation of the authentication protocol and the proposed group-key management scheme are covered in Chapter 8. The final chapter, Chapter 9, outlines the thesis’ conclusion, which contains a discussion covering the implementation efforts and tests, the conclusion itself, and further describes both the ethical considerations and the potential future work.


2 Theory

In this chapter technologies and topics of relevance for this thesis project work are outlined and explained. It offers a gradual introduction into the technologies and topics applied.

2.1 Fuzzy Commitment Scheme

Traditional cryptographic systems rely on keys, secret sets of bits used for secure management of data. For example, a symmetric-key cipher involves a secret key x and two operations defined as encryption and decryption. The encryption function takes as input a message m and the key x and returns as output a ciphertext c.

The decryption function reverses the encryption, taking as input the ciphertext c as well as the key and yielding the original message m.

Ordinary ciphers rely on exact correctness of the key x, making the decryption of a ciphertext c possible only with the precise key. Fuzzy commitment, however, is a cryptographic primitive which was designed by Juels and Wattenberg [12] in order to handle noise over the key x. A commitment scheme is defined as a function G : C × X −→ Y able to commit a random secret value κ ∈ C by choosing a witness x ∈ X and computing a blob value y = G(κ, x). A decommitment function G⁻¹ : Y × X −→ C takes a blob and a witness as input and yields the original value κ. A well-defined commitment scheme shall have two basic properties:

• binding: it is not possible to decommit y under a pair (κ′, x′) such that κ′ ≠ κ;

• hiding: given y alone, it is infeasible to compute κ.

The fuzzy commitment scheme allows the recovery of κ from a given commitment y = G(κ, x) using any witness x′ close to x in some appropriate metric, such as Hamming distance, but not necessarily identical to x. Since h is a secure one-way function, y leaks only a small amount of information about the committed value; therefore it may be revealed publicly and used to recover κ using any close witness x′.

The n-bit witness can be expressed in terms of the committed value with an n-bit offset δ such that x = κ ⊕ δ. The idea behind the commitment function G is to hide κ using a hash function h (such as SHA-256) while leaving δ in the clear.

The commitment function can be then defined as:

G(κ, x) = (h(κ), x ⊕ κ) = (h(κ), δ)


It is then possible to leverage the error-correcting properties of error-correcting codes such as Reed-Solomon (RS) to correctly recover the secret κ. An error-correcting code comprises a message space M ⊆ {0,1}^a, a corresponding codeword space C ⊆ {0,1}^b, for b ≥ a, and a bijection ϕ : M ←→ C. Here {0,1}^k denotes a k-bit message/codeword generating a space with a total of 2^k distinct elements.

Another important element of error-correcting codes is a decoding function f : C′ −→ C ∪ ⊥, where C ⊆ C′ ⊆ {0,1}^b. The role of the decoding function is to map an element in C′ to its nearest (i.e., nearest in terms of Hamming distance) element in C, resulting in the elimination of the noise added to a codeword, or in the failure to find a valid one, denoted with the symbol ⊥.

To decommit the blob (h(κ), δ) using a witness x′, the receiver computes κ′ = f(x′ ⊕ δ), where f is an efficient decoding function from the error-correcting code. If the received h(κ) corresponds to h(κ′) then the blob has been successfully decommitted, with κ′ representing the extracted commitment; otherwise, x′ represents an incorrect witness.

One application of fuzzy commitment, as suggested by the authors in [12], is to secure biometric systems. An enrolled fingerprint image (known as a template), for example, might be viewed as a key x. The user tries to authenticate using another, slightly different image of the same finger, which we may denote by x′. Authentication is successful if and only if x′ is "close" to x.
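The commitment and decommitment steps above, as an added example that is not code from the thesis: a 3x repetition code stands in for the Reed-Solomon code (it corrects one flipped bit per triple), SAMPLE_X is a constructed 24-bit context fingerprint, and flip() models the sensing noise between two nearby devices.

```python
import hashlib
import secrets

# Added example, not the thesis' code: fuzzy commitment (Juels-Wattenberg)
# over a toy 3x repetition code standing in for Reed-Solomon.
# Message space {0,1}^a, codeword space C subset of {0,1}^b with b = 3a.


def encode(msg):
    """Bijection phi: a-bit message -> 3a-bit codeword (each bit repeated)."""
    return [bit for bit in msg for _ in range(3)]


def f(word):
    """Decoding function f: C' -> C u {bottom}. Maps a noisy b-bit word to the
    nearest codeword by majority vote per triple (corrects one flipped bit
    per triple); returns None (bottom) when the length is not a multiple of 3."""
    if len(word) % 3:
        return None
    msg = [1 if sum(word[i:i + 3]) >= 2 else 0 for i in range(0, len(word), 3)]
    return encode(msg)


def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]


def h(bits):
    """One-way function over the committed codeword (SHA-256, as in the text)."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def commit(kappa, x):
    """G(kappa, x) = (h(kappa), x XOR kappa) = (h(kappa), delta)."""
    return h(kappa), xor(x, kappa)


def decommit(blob, x_prime):
    """kappa' = f(x' XOR delta); accept iff h(kappa') == h(kappa), else None."""
    h_kappa, delta = blob
    kappa_prime = f(xor(x_prime, delta))
    if kappa_prime is None or h(kappa_prime) != h_kappa:
        return None
    return kappa_prime


def derive_key(kappa):
    """Both devices derive the same secret key from the recovered kappa."""
    return hashlib.sha256(b"group-key|" + bytes(kappa)).digest()


def flip(bits, positions):
    """Copy of bits with the given positions inverted (models sensing noise)."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out


def random_codeword(a):
    """A random committed value kappa in C (codeword of a random a-bit message)."""
    return encode([secrets.randbelow(2) for _ in range(a)])


# Constructed sample: the 24-bit context fingerprint x measured by device A.
SAMPLE_X = [1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0,
            1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1]

if __name__ == "__main__":
    kappa = random_codeword(8)
    blob = commit(kappa, SAMPLE_X)  # (h(kappa), delta) may be sent in the clear
    # Device B sensed almost the same context: one bit differs in three triples.
    close = decommit(blob, flip(SAMPLE_X, [0, 4, 9]))
    # A device elsewhere: three flips inside one triple exceed the code's capacity.
    far = decommit(blob, flip(SAMPLE_X, [0, 1, 2, 5, 7]))
    print("close witness recovers kappa:", close == kappa)
    print("far witness rejected:", far is None)
```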

2.2 Elliptic Curves Cryptography

Elliptic curve cryptography is a public key cryptosystem developed by Neal Koblitz and Victor Miller in the 19th century [13]. An elliptic curve (EC) over the field F is the set of all solutions (x, y) in F that satisfy the equation:

y² + a₁xy + a₃y = x³ + a₂x² + a₄x + a₆ (2.1)

where a₁, a₂, a₃, a₄, a₆ ∈ F, together with a point at infinity denoted by ∞.

Cryptographic systems usually use elliptic curves over prime fields F_p (for some large prime number p) or binary fields (F_{2^m} for some integer m), since field arithmetic in these particular fields can be implemented very efficiently. For the purpose of this thesis, we have focused on prime field curves recommended by the National Institute of Standards and Technology (NIST), using an implementation that follows these standard practices. For curves over a prime field, the Weierstrass equation above can be expressed, using a change of variables, as the much simpler equation

y² = x³ + ax + b (2.2)

The set of points (x, y) ∈ F × F that satisfy equation 2.2, plus the point ∞ and an "addition" operation, form a group [14]. To perform the addition of two points P(x₁, y₁) ≠ Q(x₂, y₂), with P, Q ≠ ∞, on the curve E(a, b) to obtain a third point R(x₃, y₃) on the curve, we need to draw a straight line that passes through the two points. The line will intersect the curve in another point −R. Reflecting that point across the x-axis, we find the third point, R, as shown in Figure 2.1.


Figure 2.1 Group law on an elliptic curve.

In the case where P = Q, we draw a line tangent to that point and then look for the point where it intersects the curve. Its reflection across the x-axis is the sum P + P. If P = Q with y = 0, or if x₁ = x₂ with y₁ ≠ y₂, the sum will be P + Q = ∞. A related group operation is scalar point multiplication, whereby a given point is added to itself a given number of times.

The security of elliptic curve cryptography rests on the assumption that the Elliptic Curve Discrete Logarithm Problem (ECDLP) is hard, which represents the fundamental building block of ECC. The ECDLP is the following computational problem: given points P, Q ∈ E, find an integer a, if it exists, such that Q = aP.

Elliptic Curve Cryptography (ECC) is a preferred choice among various PKC options due to its fast computation, small key size and compact signatures [15].

Experiments have proved that Elliptic Curve Cryptography (ECC) is more suitable for resource-constrained devices than RSA [16][17]. For example, to provide security equivalent to 1024-bit RSA, an ECC scheme only needs 160 bits for its various parameters, such as 160-bit finite field operations and a 160-bit key size [15].

EC parameters are denoted by a, b, q, p and P, and they are embedded in all the entities that participate in the communication scenario. The parameter q is the prime which defines the finite field F_q. The variables a and b are the coefficients of the elliptic curve. P is the base point (generator) with order p, which is a prime number.

2.3 One Way Accumulators

The concept of a one-way accumulator, proposed by Benaloh and de Mare [18], was designed mainly for timestamping purposes and membership testing. A cryptographic one-way accumulator is a way to combine a set of values into one accumulator value, in such a way that all the entities which participated with their values in the generation of this accumulator value are able to produce a witness. Over time, other applications such as distributed signatures and accountable certificate management [19] have been proposed. Formally, a one-way accumulator is essentially a one-way hash function f : X × Y −→ X with the quasi-commutative property:

∀x ∈ X, ∀y₁, y₂ ∈ Y : f(f(x, y₁), y₂) = f(f(x, y₂), y₁) (2.3)

This hash function can be used to compute an accumulator value z starting from an initial value x ∈ X and all the values y₁, ..., yₙ ∈ Y by applying f repeatedly to each value yᵢ. The hash function ensures that the accumulator value does not depend on the order in which the items participating in its generation appear.

The one-way accumulator can also be used to generate a witness zⱼ for a value yⱼ in Y by hashing all elements yᵢ ∈ Y such that i ≠ j. Using the quasi-commutative property of f it is possible to recover z = f(zⱼ, yⱼ), ∀yⱼ ∈ Y.

In this thesis, point multiplication on an elliptic curve has been used as a one-way asymmetric accumulator to generate a witness and to establish a group key. Given a curve E, the function f is defined as:

f(P, s) = P × s = Q (2.4)

where, given a base point P ∈ E and a scalar integer s, f computes the scalar multiplication to find a new point Q ∈ E. Due to the ECDLP, this operation is one-way because, given the two points P and Q, it is hard to compute the scalar value s. The function f is quasi-commutative since we have:

f(f(P, s₁), s₂) = f(f(P, s₂), s₁) = P × (s₁s₂) (2.5)
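As an added example (not the thesis' Contiki implementation), the following Python code implements the group law of equation 2.2 over the NIST P-256 prime field from Section 2.2 and uses scalar multiplication as the quasi-commutative accumulator of equations 2.3 to 2.5, including the witness zⱼ and the recovery z = f(zⱼ, yⱼ); the four member secrets in the demo are constructed values, and the double-and-add loop is not constant time.

```python
# Added example, not the thesis' code: EC group law over NIST P-256 and its use
# as a one-way, quasi-commutative accumulator. Points are (x, y) tuples and None
# is the point at infinity. Double-and-add here is not constant time, which is
# fine for illustrating the maths but not for a production implementation.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def is_on_curve(pt, p=P256_P, a=P256_A, b=P256_B):
    """Equation (2.2): y^2 = x^3 + ax + b over F_p; infinity counts as on-curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def point_add(pt1, pt2, p=P256_P, a=P256_A):
    """Chord-and-tangent group law P + Q, handling P = Q, P = -Q and infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P = -Q, or doubling a point with y = 0: the sum is infinity
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # slope of the tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # slope of the chord through P, Q
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p  # reflect the third intersection -R across the x-axis
    return (x3, y3)


def scalar_mult(s, pt):
    """f(P, s) = P x s = Q (equation 2.4), computed by double-and-add."""
    result = None
    addend = pt
    while s > 0:
        if s & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        s >>= 1
    return result


def accumulate(base, values):
    """z = f(...f(f(base, y1), y2)..., yn): fold every member secret into one point."""
    z = base
    for y in values:
        z = scalar_mult(y, z)
    return z


def witness(base, values, j):
    """z_j: the accumulator over every member secret except y_j (index j)."""
    return accumulate(base, values[:j] + values[j + 1:])


def quasi_commutative(base, s1, s2):
    """Equation (2.5): f(f(P, s1), s2) == f(f(P, s2), s1) == P x (s1*s2)."""
    left = scalar_mult(s2, scalar_mult(s1, base))
    right = scalar_mult(s1, scalar_mult(s2, base))
    return left == right == scalar_mult(s1 * s2, base)


if __name__ == "__main__":
    # Constructed secrets of four group members (random values in a real run).
    member_secrets = [0x1234567, 0x89abcdef, 0x2468ace, 0x13579bdf]
    z = accumulate(G, member_secrets)
    print("accumulator on curve:", is_on_curve(z))
    print("quasi-commutative:", quasi_commutative(G, member_secrets[0], member_secrets[1]))
    # Member 2 holds only its witness z_2 and its own secret, yet recovers z.
    z_2 = witness(G, member_secrets, 2)
    print("witness recovers z:", scalar_mult(member_secrets[2], z_2) == z)
```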

2.4 Related work

The proposed protocol is based on a previous work presented in [20] and [21].

There are well studied group key establishment protocols in use today. An extension of the Diffie-Hellman protocol to a group of nodes with the generation of a one-time session key is described in [22] and [23]. However, the intensive computational power required for the execution of these protocols makes them not ideal for power- and resource-constrained devices. Moreover, [24] demonstrated that [23] does not meet some security requirements.

A conference-key distribution system is proposed in [25], but the system turned out to be insecure because the information exchanged by the users makes it possible for a passive eavesdropper to compute the key. Moreover, the approach used in [25] requires a high number of exchanged messages and a high number of expensive computational operations.

Some of the earliest proposed protocols, such as µTESLA [26], belong to the category of symmetric-key based protocols and are based on hash functions in order to reduce the energy consumption. Other symmetric-key schemes based on key rings, like [24], are not scalable and are therefore unsuitable for dynamic environments such as the analyzed scenario.

In [27] the authors propose two lightweight group-key establishment protocols using an approach similar to ours. The first protocol allows only the legitimate members of the multicast group to continue the rest of the key derivation process. This one is more appropriate for distributed IoT applications, which require nodes to contribute highly to the key computation and need greater randomness. The second one allows a shared secret key to be established among the multicast group. This one is more suitable for centralized IoT applications, where a central entity performs the majority of the cryptographic functions.

For the purpose of authentication, most of the proposed solutions involve human interaction, such as the Wi-Fi protected setup [28], or the necessity to use pre-shared keys, such as [29]. In recent years, biometric information has been utilised to an increasing degree to replace or enhance classical cryptographic schemes [30].

Researchers started to explore context-based pairing protocols in order to capture commonly observed context features for pairing, leveraging on-board sensors and removing the "human-in-the-loop" factor. A solution which uses ambient light or sound is proposed in [31]. A solution which leverages audio for secure pairing is proposed in [32], but it is sensitive to synchronization. A solution based on heterogeneous context features is proposed in [33], and it relies on events observed by each sensor.


3 Methodology

The methodology applied in this master thesis project work is outlined in this chapter by showing the stepwise progress desired for this project. The six steps are described in detail in this chapter.

3.1 Literature review

As a very first step, a preliminary study and literature survey was conducted to examine the state-of-the-art of existing work on the fundamental WSN and IoT technologies and the security protocols for lightweight key management and authentication. The research dealt with understanding the literature on proximity-based authentication techniques and group-key management, then identifying the research problems, which is congruent with goal G1 presented in Section 1.4.

3.2 Obtaining data from real-world use-case analysis

After deciding the hardware to use for the data acquisition, the nodes have been implemented and programmed in order to get ambient data, which is in line with goal G2. The decision of the selected hardware was based on the availability of micro-controllers provided by the university and on the kind of data examined in the literature.

3.3 Data analysis and authentication key generation

Analysis of the ambient data in order to find patterns and attributes which could be exploited to generate a unique key between devices located in the same environment, corresponding to goal G3. A fuzzy commitment scheme has then been implemented based on the previous analysis.

3.4 Group-key establishment design and implementation

Theoretical design of the lightweight group-key management scheme for resource-constrained sensor nodes in WSN and IoT, and implementation in a simulated environment to fulfill goal G4. Primitives proven to be secure or whose security relies on computationally hard problems are used as building blocks for the construction of the scheme.

3.5 Conduct a performance evaluation

This phase was the evaluation of the proposed solutions using estimations and simulations in order to reach goal G5. The conducted performance evaluation is expressed in terms of the following metrics:

• Authentication performance

• Energy consumption

• Computation overhead

• Communication overhead


4 Proximity Based Authentication

The emergence of the IoT is rapidly and drastically increasing the number of connected devices, posing new challenges towards solutions for authenticating this huge number of very heterogeneous devices to their respective trust domains. The enormous amount of data they create often contains privacy-sensitive information, which the users might prefer to not leak to a malicious party. Moreover, the user would also prefer that no malicious device from an attacker joins his networks, and communicates with his devices. In highly dynamic networks, devices frequently join or leave the network and occurs to secure interactions between entities that do not know each others a priori. Nevertheless, there are plenty of solutions which involve manual authentication but they are often not applicable in this kind of context. In the users’ everyday life can be involved many different devices, like smart light bulbs, air conditioning (HVAC) systems [34] and different sensors, and in this case the user would have to repeat the authentication process for each device. Moreover, not all the devices are available for manual authentication due to the highly simplified hardware resources, lacking of user interface which makes then direct password entry or management challenging or even impossible [35].

As IoT devices largely interact with their surroundings, providing context-dependent functionalities, it becomes important to include context in their access control mechanisms. Due to the relation between context, proximity and trust [36], exploiting common contextual features among communicating devices to build a security scheme might provide a sense of security similar to the one perceived as natural by individuals. Avoiding user involvement in the protocol (e.g., typing in a password) and other human-in-the-loop solutions would then reduce the number of security-related human errors and the users' burden.

Authentication usually takes the form of a challenge-response mechanism whereby a verifier party V verifies that a prover party P possesses a pre-shared key K through the encryption or authentication (using K) of a random challenge sent by P.

4.1 Context Data Collection

The goal of our experiment was to collect a comprehensive real-world dataset of ambient information that can serve as a baseline for analyzing a zero-interaction authentication scheme. We propose two scenarios in which we collected data using a Raspberry Pi 3. Audio data was collected using a USB sound card with a mini microphone, which recorded a mono audio stream at a 44.1 kHz sampling rate and encoded it in the MP3 format. The Raspberry Pi also collected the following context information at a rate of one sample every 10 seconds:

• temperature, humidity, barometric pressure: using an Adafruit BME280 sensor, which measures humidity with ±3% accuracy, barometric pressure with ±1 hPa absolute accuracy, and temperature with ±1.0 °C accuracy;

• digital light: using an Adafruit TSL2591 high dynamic range digital light sensor, which allows exact lux calculations and can be configured for different gain/timing ranges to detect light from 188 µLux up to 88,000 Lux on the fly;

• vibration: using the MPU6050 accelerometer and gyroscope, offering a user-programmable gyroscope full-scale range of ±250, ±500, ±1000 and ±2000 °/sec and a user-programmable accelerometer full-scale range of ±2g, ±4g, ±8g and ±16g.

4.1.1 Scenario 1: Office Environment

In our first case study, we position the devices in an office environment. Ambient audio originated from individuals outside the office room and from a computer located close to the devices. The context information was collected for 12 hours and the devices were placed close to each other.

4.1.2 Scenario 2: Factory Environment

Another typical application for IoT devices is deployment in an industrial environment. In our second case study, we position the devices in a factory environment. Ambient audio originated from loud machines and from people working. The context information was collected for 24 hours during the working week, resulting in hours with people working and hours in which the ambient audio comes only from the machines.

Four devices played the role of co-located devices and were positioned 1 meter apart from each other. Three other devices were located 6 meters, 12 meters and 35 meters away from that group. A summary of the device locations in the factory scenario is given in Figure 4.1.

4.2 Adversary Model

We assume a standard Dolev-Yao adversary model [37] in which the adversary has complete control over all communication channels but is not able to compromise the nodes. The adversary model considered for the design of a context-based authentication scheme is shown in Figure 4.2. The model shows a network of devices located in the same environment, such as an office or a delimited area in a factory, in which the devices are able to observe the same ambient data such as light, audio and humidity. The goal of the adversary is to carry out a relay attack by convincing the other nodes that it is nearby when in fact it is far away.

The proposed countermeasure against relay attacks is based on the natural assumption that two entities sense similar ambient environments when they are co-present.


Figure 4.1 Distance between each device in the factory environment.

Figure 4.2 For an attacker it is not possible to acquire the data from the user environment such as ambient sound, temperature and light.


5 Implementation of the proximity-based authentication scheme

This chapter describes the implementation and delineates the conducted work for the design of an authentication scheme based on context.

Figure 5.1 shows how the sensors used to collect the ambient data are connected to the RPi.

Figure 5.1 Raspberry Pi with the used context sensors.

The sensors provide a direct digital output that can be read through the GPIO pins of the Raspberry Pi, while the microphone is connected to the board through a USB sound card. The system uses Raspbian as operating system, the most popular OS for the Raspberry Pi. The following libraries have been used to get the data from the sensors:

• adafruit-circuitpython-bme280: I2C and SPI driver for the Bosch BME280;

• Adafruit_CircuitPython_TSL2591: driver for the Adafruit TSL2591 sensor;

• mpu6050-raspberrypi: module for the MPU6050 sensor.

The modules are all implemented in Python 3, which makes it easy to interact with them and get the data. Audio has been recorded by a script using the software ffmpeg, which records audio through the sound card and converts it to the .mp3 format in order to reduce the file size. The amount of RAM and computational power of the Raspberry Pi make it a good choice to get the real-time data processed and accessed faster than on other microcontroller-based systems.

The data sensing and the audio recording are started at the same time by a script, and the data are saved to a file. The tests were run for 24 hours, during which the ambient audio was recorded continuously and the other ambient data were saved every 10 seconds. To synchronize the start of the recording between the devices, a router was used to connect them over a wireless connection. An external device sent a broadcast message to the connected devices, which triggered the start of the recording.

5.1 Authentication protocol

The authentication protocol has been implemented in Python and is divided in two parts: fingerprint generation and fuzzy commitment scheme.

5.1.1 Fingerprint

The fingerprint extraction function takes the raw sensor data, l_sensor values for each sensor, and encodes the signal into a fingerprint F of length l_F bits. Two different fingerprint functions are implemented: one for the sensors and one for the audio.

Fingerprint from sensor data

The algorithm captures abrupt changes in the data and encodes them into high bits, mapping the remaining signal to low bits. The encoding algorithm is inspired by the one proposed in [38] and consists of the following steps:

• pre-processing: apply a moving average filter to the raw data from each sensor. The raw data of a specific sensor are split into k non-overlapping segments of size l_segment. A new vector avg_sensor is then generated by calculating the average value of each segment.

• generate the fingerprint of each sensor: the fingerprint of each sensor's data is calculated as a sequence of bits F_s, in which each bit denotes the change of each avg_sensor value in comparison with the previous avg_sensor value. The fingerprint bit corresponding to a value of avg_sensor is set to "1" if the relative change between two consecutive values of the vector avg_sensor is larger than a specified relative threshold ∆r and the difference between the values exceeds an absolute threshold ∆a. In all other cases the bit is set to "0".

• combine fingerprints: the generated fingerprints F_s are concatenated in order to generate a unique context fingerprint F.


Fingerprint from audio data

The fingerprinting scheme is inspired by the one proposed in [32], whose security relies on the fact that the attacker does not share the context with the trusted devices.

In the proposed scheme, the devices start to record sound for t_s seconds, generating an audio sequence S of length |S| = l_s = t_s × r, where r is the sample rate. The audio sequence is then split into n frames S_1, ..., S_n of length |S_i| = d, as shown in Figure 5.2.

Figure 5.2 Audio data split in frames.

A discrete Fourier transform (DFT) is applied to each frame and its absolute value is calculated (Figure 5.3):

∀i ∈ {1, ..., n}, FS_i = |DFT(S_i)|

The sets are then summed together to get a unique set of frequencies FS_tot, where the value at frequency index i is obtained as the sum of the values at index i of each set FS_j. A set SF_tot is then obtained by applying an average filter of length b over FS_tot in order to remove noise, as shown in Figure 5.4.

Based on the obtained sequence, it is possible to calculate the ambient audio fingerprint as a sequence of bits, in which each bit denotes the change of the SF_tot average value in comparison with the previous SF_tot average. The fingerprint bit corresponding to a value of SF_tot is set to "1" if the relative change between two consecutive values of the vector SF_tot is larger than a specified relative threshold ∆r_i and the difference between the values exceeds an absolute threshold ∆a_i. In all other cases the bit is set to "0". ∆r and ∆a are two vectors with the same dimension |df| as the fingerprint and are generated by calculating the average of the relative changes and absolute differences between consecutive values in each frame i ∈ {0, ..., |df| − 1} of SF_tot.

Figure 5.3 Calculate the absolute value of the DFT on each frame.

Figure 5.4 Generate FS_tot and apply the average filter on it.
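The two fingerprint functions of Section 5.1.1 (the sensor-data fingerprint and the audio fingerprint above), as an added pure-Python example that is not the thesis author's code: the segment size, thresholds and sample signals are constructed, the DFT is computed directly rather than with a library, and the per-frame ∆r_i/∆a_i of the audio scheme follow one reading of the definition above, stated in the comments as an assumption.

```python
import cmath
import math
from typing import Dict, List, Sequence

EPS = 1e-12  # avoids division by zero in the relative change


def change_bits(values: Sequence[float], rel_thr: Sequence[float],
                abs_thr: Sequence[float]) -> str:
    """Shared encoder: bit j-1 is '1' when values[j] differs from values[j-1]
    by more than rel_thr[j-1] relatively AND more than abs_thr[j-1] absolutely."""
    bits = []
    for j in range(1, len(values)):
        prev, cur = values[j - 1], values[j]
        diff = abs(cur - prev)
        rel = diff / max(abs(prev), EPS)
        bits.append("1" if rel > rel_thr[j - 1] and diff > abs_thr[j - 1] else "0")
    return "".join(bits)


def sensor_fingerprint(raw: Sequence[float], l_segment: int,
                       delta_r: float, delta_a: float) -> str:
    """Pre-processing: k non-overlapping segments of l_segment samples, each
    replaced by its mean (avg_sensor); then the changes between consecutive
    means are encoded with the fixed thresholds ∆r and ∆a."""
    k = len(raw) // l_segment
    avg = [sum(raw[i * l_segment:(i + 1) * l_segment]) / l_segment for i in range(k)]
    return change_bits(avg, [delta_r] * (k - 1), [delta_a] * (k - 1))


def context_fingerprint(sensors: Dict[str, Sequence[float]], l_segment: int,
                        delta_r: float, delta_a: float) -> str:
    """Concatenate the per-sensor fingerprints F_s in a fixed name order (both
    devices must build F the same way) into the context fingerprint F."""
    return "".join(sensor_fingerprint(sensors[name], l_segment, delta_r, delta_a)
                   for name in sorted(sensors))


def dft_magnitude(frame: Sequence[float]) -> List[float]:
    """|DFT(S_i)| computed directly (O(d^2)), enough for short frames."""
    d = len(frame)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / d)
                    for t, x in enumerate(frame))) for k in range(d)]


def audio_fingerprint(samples: Sequence[float], d: int, b: int, df: int) -> str:
    """Frames of d samples -> |DFT| of each -> frame-wise sum FS_tot -> average
    filter of length b gives SF_tot -> df bits.  Reading of the thesis used
    here (an assumption): SF_tot is cut into df+1 chunks; bit i compares the
    mean of chunk i+1 with the mean of chunk i, with ∆r_i / ∆a_i equal to the
    mean relative / absolute change between consecutive values of chunk i+1."""
    n = len(samples) // d
    fs_tot = [0.0] * d
    for i in range(n):
        for k, mag in enumerate(dft_magnitude(samples[i * d:(i + 1) * d])):
            fs_tot[k] += mag
    sf_tot = [sum(fs_tot[j:j + b]) / b for j in range(len(fs_tot) - b + 1)]
    size = len(sf_tot) // (df + 1)
    if size < 2:
        raise ValueError("too few frequency bins for the requested df")
    chunks = [sf_tot[c * size:(c + 1) * size] for c in range(df + 1)]
    means = [sum(c) / size for c in chunks]
    rel_thr, abs_thr = [], []
    for c in chunks[1:]:
        diffs = [abs(c[j] - c[j - 1]) for j in range(1, size)]
        rels = [diffs[j - 1] / max(abs(c[j - 1]), EPS) for j in range(1, size)]
        rel_thr.append(sum(rels) / len(rels))
        abs_thr.append(sum(diffs) / len(diffs))
    return change_bits(means, rel_thr, abs_thr)


def hamming(a: str, b: str) -> int:
    """Differing bits between two fingerprints (the t compared in Chapter 8)."""
    return sum(x != y for x, y in zip(a, b))


# Constructed sample data: a temperature trace with one abrupt jump and two
# short synthetic "recordings" with different spectral content.
TEMP = [20.0] * 8 + [24.0] * 8        # l_segment=4 -> avg_sensor = [20, 20, 24, 24]
AUDIO_A = [math.sin(2 * math.pi * 3 * t / 32) + 0.3 * math.sin(2 * math.pi * 7 * t / 32)
           for t in range(256)]
AUDIO_B = [math.sin(2 * math.pi * 3 * t / 32) + 0.7 * math.sin(2 * math.pi * 11 * t / 32)
           for t in range(256)]

if __name__ == "__main__":
    print(sensor_fingerprint(TEMP, 4, 0.1, 1.0))          # 010
    fa, fb = audio_fingerprint(AUDIO_A, 32, 2, 8), audio_fingerprint(AUDIO_B, 32, 2, 8)
    print(fa, fb, "hamming:", hamming(fa, fb))
```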

5.1.2 Fuzzy commitment scheme

For this part, the implementation proposed in [39] has been used. This is a Python implementation based on [12] and is divided in two main functions, as shown in Figure 5.5: the commitment and the decommitment of a fuzzy commitment.

The commitment function is used to hide a randomly chosen bit string κ using the generated fingerprint w. The decommitment method receives a fingerprint w' and, if the Hamming distance satisfies Hamming(w, w') ≤ t, it can regenerate κ.

To implement these functions, a Reed-Solomon Python extension module based on the fast, GPL Reed-Solomon library by Phil Karn has been used. The Reed-Solomon code RS(q, m, n), with q = 2^k, k ∈ N and n < 2^k, is used to encode the random κ into a codeword c and to generate a "helper" value δ = c ⊕ w. During the decommitment phase, the Reed-Solomon scheme is used to decode the value c' = w' ⊕ δ and recover κ. This procedure is capable of correcting up to t = (n − m)/2 differing bits between the fingerprints.

Figure 5.5 Fuzzy commitment scheme methods.
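The commit/decommit structure of Section 5.1.2, as an added Python example that is not the thesis code: a 5-fold repetition code with majority decoding stands in for the Reed-Solomon code of [39] (so it corrects up to 2 flipped bits per key bit rather than t = (n − m)/2), and the fingerprint W is a constructed bit string.

```python
import secrets

REP = 5                       # each key bit is repeated REP times
T_PER_BIT = (REP - 1) // 2    # majority decoding corrects this many flips per block


def rep_encode(kappa: str) -> str:
    """Codeword c = encode(kappa): repetition code in place of RS(q, m, n)."""
    return "".join(bit * REP for bit in kappa)


def rep_decode(code: str) -> str:
    """Majority vote in each block of REP bits."""
    return "".join("1" if code[i:i + REP].count("1") > REP // 2 else "0"
                   for i in range(0, len(code), REP))


def xor_bits(a: str, b: str) -> str:
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def commit(kappa: str, w: str) -> str:
    """F(kappa, w) -> delta.  The helper value delta = c XOR w reveals nothing
    about kappa to a party that lacks a fingerprint close to w."""
    return xor_bits(rep_encode(kappa), w)


def decommit(w_prime: str, delta: str) -> str:
    """f(w', delta): c' = w' XOR delta, then decode.  Equals kappa whenever the
    errors w XOR w' stay within the code's correction capacity."""
    return rep_decode(xor_bits(w_prime, delta))


def random_kappa(nbits: int) -> str:
    return format(secrets.randbits(nbits), f"0{nbits}b")


def flip(w: str, positions) -> str:
    """Simulate a second device whose fingerprint differs in the given bits."""
    bits = list(w)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


# Constructed 20-bit fingerprint (for a 4-bit kappa, |w| must equal 4 * REP).
W = "10110010111000110101"


def demo() -> bool:
    kappa = "1011"
    delta = commit(kappa, W)
    same = decommit(W, delta)                      # identical context
    near = decommit(flip(W, [0, 7, 13]), delta)    # one flip in each of 3 blocks
    far = decommit(flip(W, [0, 1, 2]), delta)      # 3 flips inside one block
    return same == kappa and near == kappa and far != kappa
```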


6 Lightweight Group-Key Management Scheme

It is fundamental to ensure security in network services and applications of WSNs, and efficient and lightweight key management has been identified as one of the core mechanisms to solve this problem. In multicast group communications, the energy consumption, bandwidth and processing overhead at the nodes are minimized compared to a point-to-point communication system [40]. The multicast communication protocol has to generate and distribute a secret group key that can be used to encrypt data sent from one source to all destinations that are members of the same group. Multicast groups are often very dynamic due to members joining and leaving, and for this reason the protocol has to handle such group membership changes by re-generating and re-distributing new group keys in a secure and efficient manner.

Group key management in WSN includes several processes and mechanisms to solve the problem of establishing secure links between the members of a group. This includes establishing (or creating), distributing and maintaining secret keys [41]. The key establishment techniques should guarantee the authenticity of all the sensor nodes involved in a particular communication and protect data from disclosure to unauthorized parties (i.e., confidentiality) and from falsification (i.e., integrity).

Depending on the ability to update the cryptographic keys of sensor nodes during their run time (re-keying), these schemes can be classified into two different categories: static and dynamic. In static key management, the principle of the pre-shared key is adopted, and keys are fixed for the whole lifetime of the network. However, the probability of a cryptographic key being attacked increases significantly with time. In dynamic key management, instead, the cryptographic keys are refreshed throughout the lifetime of the network.

The proposed protocol addresses several problems related to group-key establishment and management. First, the problem of establishing a group shared secret among a group of end nodes is considered. Then the author shows how a new node can be added to the group in such a way that the newly added node does not learn the previous group key or group communication. It is also shown how to remove a node from the group in such a way that it does not learn anything about the communications after it left the group. Finally, the problem of generating new session keys from the established group secret is analyzed.

In this thesis, a slightly loose definition of forward and backward secrecy has been adopted. By forward secrecy, the author means that an attacker will not be able to learn future session keys or group communications even if the attacker managed to learn the current session key. This also applies to a node which was a member of the group but was later removed: even though that node had access to the session key while it was a member, it shall not be able to learn or derive session keys generated after it left the group. By backward secrecy, it is meant that a newly added node will not be able to learn previous session keys and/or group communication from before it joined the group.

Table 6.1 List of notations for the proposed scheme

Notation     Description
G            Gateway
n_i          ith node
k            number of nodes
m            number of legitimate nodes
PrivKey_i    ith node's private key
PubKey_i     ith node's public key
F_q          finite field
E|F_q        elliptic curve on the finite field F_q
s_i          secret shared between the ith node and the gateway
E            generic symmetric encryption/decryption function (e.g., AES)
MSK          final group shared secret (Master Shared Key)
PRF          pseudorandom function

6.1 Initialization Procedure

In this phase, a device that wants to start a secure group, usually the gateway, generates a unique group_ID and includes it in a "new_group" broadcast message. It also generates a public key PubKey, represented as a point on an elliptic curve, and a pair of values (κ, δ) through a commitment function F using a context fingerprint as described in Chapter 4, including them in the broadcast message.

Now a specified timeout starts, and the nodes that want to join the group reply to the broadcast message with their public key PubKey_i in a JOIN message.

Each node calculates a secret s_i shared with the gateway, generated with the Elliptic-curve Diffie-Hellman (ECDH) protocol, and, using a decommitment function f, extracts from its context fingerprint x_i the value κ_i = f(x_i, δ). In the message, together with its public key, each node i includes the value HMAC(κ_i, s_i), in order to guarantee confidentiality and authenticity.

The gateway G collects the JOIN replies until the timeout expires; it then calculates the secret shared with each node i willing to join the group and checks that HMAC(κ, s_i) = HMAC(κ_i, s_i), in order to verify both the integrity of the received message and that the node is located in the same environment. G computes group_secret = ∏_{i=1}^{m} s_i, where m is the number of nodes which replied to the JOIN message and have been authenticated. G finally sends to each node n_i the value partial_secret = group_secret/s_i, encrypted with the shared secret using a cipher such as AES. This procedure is shown in Algorithm 1.

Figure 6.1 (sequence diagram, text recovered from the figure): G broadcasts "NewGroup", group_ID, δ, PubKey and starts the timeout. Each node i ∈ {1, 2, 3} calculates s_i and κ_i = f(x_i, δ) and replies with HMAC(κ_i, s_i) and PubKey_i. G computes the secrets s_1, s_2, s_3 and group_secret = s_1 × s_2 × s_3, then sends the encrypted partial secrets s_2 × s_3, s_1 × s_3 and s_1 × s_2 to nodes 1, 2 and 3 respectively. Node i obtains group_secret = s_i × partial_secret and computes MSK = group_secret × P.

Figure 6.1 Group key initialization: the figure shows the messages exchanged between G and three end nodes which replied to the join request before the specified timeout.

Algorithm 1 Group-key initialization
Input: parameter P
Output: group_secret
Initialization: choose group_id, group_secret = 1, broadcast group join request with group_id, δ, PubKey; set timeout
1: while timeout not expired do
2:   for each JOIN_i message received do
3:     generate shared secret s_i
4:     if HMAC(κ, s_i) == HMAC(κ_i, s_i) then
5:       group_secret = group_secret ∗ s_i
6: for each s_i received and validated do
7:   G → n_i : E_s_i(group_secret/s_i)
8: return group_secret

After receiving the message, each node n_i decrypts it, obtaining its own partial_secret, and computes

MSK = partial_secret ∗ s_i ∗ P

where MSK represents the group shared key.

6.2 Join Procedure

After establishing a secure group_secret, a new node may be added to the group. When a new node new_node wants to join the group, it sends a message to G containing the group_ID and its public key PubKey_n. The gateway generates a pair of values (κ, δ) through a commitment function F using a fingerprint of its context and sends a challenge to new_node with a message containing δ and its own public key PubKey. The new node replies to the challenge with HMAC(κ_n, s_n), where κ_n is the key recovered with the decommitment function f from its own context fingerprint and s_n is its ECDH secret shared with G. At this point G can verify that new_node is located in the same environment; it recomputes the group_secret as before, including the secret of the new node, and broadcasts new_MSK = group_secret × P, encrypting the message with the previous MSK.

In this phase we have to ensure that the new node is not able to easily recover the old MSK. To solve this problem, G picks a random secret s_i from the nodes already present in the group and sends to new_node a message, encrypted with its shared secret s_n, containing s_i P and partial_secret = new_group_secret/s_i.


Algorithm 2 New node addition
Input: parameter P
Output: group_secret
Initialization: choose the group_id of the group to join
1: new_node → G : group_ID, PubKey_n
2: G → new_node : δ, PubKey
3: new_node → G : HMAC(κ_n, s_n)
4: if HMAC(κ_n, s_n) == HMAC(κ, s_n) then
5:   old_MSK = MSK
6:   group_secret = s_n ∗ old_group_secret
7:   for each node n_i already in the group do
8:     G → n_i : E_old_MSK((MSK/s_i) × P)
9:   G picks a random s_i of a node already in the group
10:  partial_secret = group_secret/s_i
11:  G → new_node : E_s_n(s_i P, partial_secret)
12:  new_node calculates MSK = s_i P × partial_secret
13: return group_secret

To obtain the MSK, the new node only has to multiply s_i P by partial_secret, and it will not be able to recover the old MSK due to the difficulty of obtaining s_i from s_i P. This procedure is shown in Algorithm 2.

6.3 Leave Procedure

Algorithm 3 Node removal
Input: parameter P
Output: group_secret
Initialization: remove the node n from the group group_id
1: G picks a random s of a node in the group
2: partial_secret_i = group_secret/(s_i s)
3: for each node n_i still in the group do
4:   G → n_i : partial_secret_i, sP
5:   n_i calculates MSK = sP ∗ partial_secret_i
6: return group_secret

It can happen that one or more nodes have to be removed from the group for various reasons. In such an event, the protocol has to ensure forward secrecy of the MSK, so that the removed node is not able to get the new group secret. The gateway proceeds as described before, picking a random node's shared secret s, and sends to each node n_i which belongs to the group a message containing a new partial secret partial_secret_i = group_secret/(s_i s) and sP. Each node can then compute MSK by multiplying partial_secret_i by sP and by its shared secret s_i. The nodes that have left the group will not be able to compute the new MSK for the same reason described in the node addition phase.
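The key arithmetic of Sections 6.1 to 6.3 (initialization, join and leave), as an added Python example that is not the thesis' Contiki/C implementation: it uses secp256k1 in pure Python, ECDH for the secrets s_i, and treats group_secret as a scalar modulo the curve order n so that group_secret/s_i is multiplication by the modular inverse. The AES/HMAC wrapping of each message and the context check are left out to show the math.

```python
import secrets

# secp256k1 parameters (y^2 = x^3 + 7 over F_p); the thesis' parameter P is the
# generator GEN here, and None stands for the point at infinity.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on the curve."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p (a demo, not constant-time)."""
    r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def inv(s):
    return pow(s, -1, N_ORD)   # "division" by s is multiplication by s^-1 mod n

def keygen():
    priv = secrets.randbelow(N_ORD - 1) + 1
    return priv, ec_mul(priv, GEN)

def ecdh(priv, pub):
    """s_i: x-coordinate of priv*pub, reduced mod n so it is usable as a scalar."""
    return ec_mul(priv, pub)[0] % N_ORD

class Gateway:
    def __init__(self):
        self.priv, self.pub = keygen()
        self.s = {}                 # node id -> s_i (only G knows all of them)
        self.group_secret = 1

    def msk(self):
        return ec_mul(self.group_secret, GEN)     # MSK = group_secret * P

    def initialize(self, pubkeys):
        """6.1: group_secret = prod s_i; node i is sent partial_secret = group_secret/s_i."""
        self.s = {nid: ecdh(self.priv, pub) for nid, pub in pubkeys.items()}
        self.group_secret = 1
        for s_i in self.s.values():
            self.group_secret = self.group_secret * s_i % N_ORD
        return {nid: self.group_secret * inv(s_i) % N_ORD for nid, s_i in self.s.items()}

    def join(self, nid, pub):
        """6.2: the new node is sent s_i*P and new_group_secret/s_i for a random
        member i, so it learns the new MSK but not s_i, hence not the old MSK."""
        self.s[nid] = ecdh(self.priv, pub)
        self.group_secret = self.group_secret * self.s[nid] % N_ORD
        s_i = self.s[secrets.choice([i for i in self.s if i != nid])]
        return ec_mul(s_i, GEN), self.group_secret * inv(s_i) % N_ORD

    def leave(self, nid):
        """6.3: drop s_nid from the product; each remaining n_i is sent
        partial_secret_i = group_secret/(s_i*s) and s*P for a random member secret s."""
        self.group_secret = self.group_secret * inv(self.s.pop(nid)) % N_ORD
        s = secrets.choice(list(self.s.values()))
        sP = ec_mul(s, GEN)
        return {i: (self.group_secret * inv(s_i * s) % N_ORD, sP) for i, s_i in self.s.items()}

# Node-side derivations: a node knows only its own s_i and what G sent it.
def msk_after_init(partial_secret, s_i):
    return ec_mul(partial_secret * s_i % N_ORD, GEN)

def msk_after_join(siP, partial_secret):
    return ec_mul(partial_secret, siP)

def msk_after_leave(partial_secret_i, s_i, sP):
    return ec_mul(partial_secret_i * s_i % N_ORD, sP)

def run_demo():
    """Nodes a, b, c form a group, d joins, then a is removed; True if every member
    always derives G's MSK and each membership change rotates it."""
    gw = Gateway()
    keys = {nid: keygen() for nid in "abcd"}
    s = {nid: ecdh(priv, gw.pub) for nid, (priv, _) in keys.items()}
    parts = gw.initialize({nid: keys[nid][1] for nid in "abc"})
    msk1 = gw.msk()
    ok = all(msk_after_init(parts[i], s[i]) == msk1 for i in "abc")
    siP, part_d = gw.join("d", keys["d"][1])
    msk2 = gw.msk()
    ok &= msk_after_join(siP, part_d) == msk2 and msk2 != msk1
    upd = gw.leave("a")
    msk3 = gw.msk()
    ok &= "a" not in upd and all(msk_after_leave(p, s[i], sP) == msk3 for i, (p, sP) in upd.items())
    return ok and msk3 != msk2
```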

6.4 Generate Session Key

After the MSK generation, it is possible to use symmetric-key encryption to encrypt the group messages. The choice of symmetric-key encryption instead of public-key encryption is motivated by the fact that public-key encryption is slower and requires more computation power, a critical point in this class of constrained IoT devices.

Using the same key for more than one session makes the protocol vulnerable to many attacks [42], so we generate new and pseudorandom keys from the M SK.

The session key can be produced and managed in different ways depending on whether the encryption scheme is a block or a stream cipher. In this section we consider the two methods separately.

MSK with block ciphers: suppose the block cipher of our choice takes an n-bit key. Therefore, every session key must be n bits long. We assume we have a hash function h with k-bit output, and a PRF that maps an l-bit input key to an output of size n. Note that the output of the PRF is computationally indistinguishable from the output of a random function from l to n bits. An l-bit input seed to our PRF is first formed by concatenating the results of repeated applications of the hash function to a nonce and the MSK, as shown below.

seed = h(nonce_1 ‖ MSK) ‖ h(nonce_2 ‖ MSK) ‖ ···

A session key is then generated by feeding the seed into the PRF.

session_key = PRF(seed)

Finally, the MSK is updated to the new session key. Note that the node sending a group message randomly selects as many nonce values as needed to create an l-bit seed. The nonce values are sent in the clear to all nodes, so that every node updates its session key in the same way.

MSK with stream ciphers: in this case, it is required that we produce a session key as long as the text to be encrypted. This can be achieved by concatenating the results of the PRF on many seed values, as follows.

seed_1 = h(nonce_1 ‖ MSK)
seed_2 = h(nonce_2 ‖ MSK)
...
seed_n = h(nonce_n ‖ MSK)

We then apply the PRF to each seed and simply concatenate the results to generate a session key as long as required.

session_key = PRF(seed_1) ‖ PRF(seed_2) ‖ ···


In both cases, encryption is done as follows:

Encrypt(M) = f(M, session_key)

where f can be any block cipher, such as AES, or stream cipher, such as RC4.
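The session-key derivation of Section 6.4 for both cases, as an added Python example that is not the thesis code: h is SHA-256 (k = 256), the PRF is HMAC-SHA256 expanded in coun­ter mode (an assumption, since the thesis leaves h and PRF abstract), the block-cipher case uses n = 128 and l = 512, and the stream-cipher case XORs the keystream with the message in place of a concrete stream cipher.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

K_BITS = 256   # output size of h = SHA-256


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def prf(seed: bytes, out_bits: int) -> bytes:
    """PRF(seed) with an out_bits-long output: HMAC-SHA256 keyed with the seed,
    applied to a counter and truncated (assumed construction)."""
    out, ctr = b"", 0
    while len(out) * 8 < out_bits:
        out += hmac.new(seed, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[: out_bits // 8]


def block_seed(msk: bytes, nonces: List[bytes], l_bits: int) -> bytes:
    """seed = h(nonce_1 || MSK) || h(nonce_2 || MSK) || ... truncated to l bits."""
    if len(nonces) * K_BITS < l_bits:
        raise ValueError("not enough nonces to form an l-bit seed")
    return b"".join(h(nc + msk) for nc in nonces)[: l_bits // 8]


def block_session_key(msk: bytes, nonces: List[bytes], n_bits: int = 128,
                      l_bits: int = 512) -> Tuple[bytes, bytes]:
    """Returns (session_key, new_msk): the MSK ratchets to the session key, so
    every node that received the nonces moves to the same new state."""
    key = prf(block_seed(msk, nonces, l_bits), n_bits)
    return key, key


def fresh_nonces(l_bits: int = 512) -> List[bytes]:
    """The sender picks ceil(l/k) random nonces and sends them in the clear."""
    return [os.urandom(16) for _ in range(-(-l_bits // K_BITS))]


def stream_session_key(msk: bytes, nonces: List[bytes], msg_len: int) -> bytes:
    """session_key = PRF(seed_1) || PRF(seed_2) || ... with seed_j = h(nonce_j || MSK),
    long enough to cover msg_len bytes (each PRF call contributes k bits)."""
    key = b"".join(prf(h(nc + msk), K_BITS) for nc in nonces)
    if len(key) < msg_len:
        raise ValueError("need more nonces to cover the message")
    return key[:msg_len]


def stream_nonces(msg_len: int) -> List[bytes]:
    return [os.urandom(16) for _ in range(-(-msg_len * 8 // K_BITS))]


def xor_encrypt(msg: bytes, key: bytes) -> bytes:
    """Stand-in for f(M, session_key) with a stream cipher: keystream XOR."""
    return bytes(m ^ k for m, k in zip(msg, key))


# Constructed values: a 32-byte MSK and a short group message.
MSK = bytes(range(32))
MESSAGE = b"group telemetry sample #42"
```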


7 Implementation of the Lightweight Protocol

7.1 Implementation Environment

7.1.1 Operating System

To check the feasibility and analyze the performance, the proposed framework has been implemented on Contiki OS and its performance measured using the COOJA simulator [43]. Contiki provides the whole development environment (including compilers and development tools) in an Ubuntu virtual machine called Instant Contiki. In this thesis Instant Contiki 3.0, released on August 25, 2015, has been used. COOJA is a network simulator that allows the simulation of resource-constrained IoT networks. COOJA allows code and systems to be tested before running them on the target hardware, also referred to as a mote, verifying their behavior. It also offers an interface that can be used to analyze the messages exchanged in the network during protocol execution and to calculate the energy consumption and execution time with Contiki Energest.

7.1.2 Tmote Sky

In this study we simulate a Tmote Sky node, a board based on an MSP430 microcontroller [1]. Tmote Sky is a low-power wireless sensor with integrated humidity, temperature and light sensors; its details are shown in Table 7.1.

Table 7.1 The main characteristics of the Tmote Sky

Resource                          Value
Operating Voltage                 3 V
Microcontroller                   16 bit, 8 MHz
RAM                               10 KB
ROM                               48 KB
Low Power Mode (LPM)              0.0545 mA
Current consumption, TX mode      19.5 mA
Current consumption, RX mode      21.8 mA
Ticks/second                      327680

[1] https://insense.cs.st-andrews.ac.uk/files/2013/04/tmote-sky-datasheet.pdf


Tmote Sky corresponds to a Class 1 device according to the terminology for constrained-node networks [44] and is our choice since it is well known, widely used, and supported by Cooja. Tmote Sky has no support for the cryptographic operations needed by the proposed protocol, as the only cryptographic operation supported by its CC2420 radio chip is AES-128 encryption.

7.2 Network Configuration

A multicast group is defined as a particular group of nodes which are entitled to receive a common set of information. In this thesis, we consider a network composed of a set G of nodes connected to a gateway GW, as shown in Figure 7.1.

Figure 7.1 Network Model. The network consists of a gateway and a set of nodes, supported by a communication infrastructure. All or a part of the nodes may be members of a group as shown in the figure (m nodes are in the group).

Formally, the network can be modeled as a graph Gr = ⟨GW, N, E⟩, where GW is the gateway that acts as group initiator and manager, N is the set of nodes n_1, n_2, ..., n_k, and E is the set of edges from GW to n_i representing bi-directional communication links.

GW is considered a trustworthy entity which acts as the group manager; this includes creating new groups, adding new nodes to the groups and maintaining the keys and the members of each group. The gateway can be implemented according to a distributed architecture, providing benefits in terms of availability and robustness and avoiding a single point of failure in the single instance GW.

It is also assumed that the communication technology and the sensor nodes support the transmission of multicast messages, and that all the entities in the network possess the same security associations and perform identical cryptographic functions. In our specific tests the entities support the following security functionality:

• Symmetric encryption scheme, specifically AES;

• HMAC function;

• Hash functions, specifically SHA2.

7.3 Code Implementation

The proposed protocol consists of 2 important components: the nodes and the gateway.

The gateway and the nodes use cryptographic operations: AES encryption/decryption, elliptic curve point multiplication and HMAC. As mentioned before, Tmote Sky has no hardware support for the cryptographic operations used by the proposed protocol. Thus, those cryptographic operations are implemented at application level using some existing C code examples with some modifications. As a consequence, the memory occupancy and computing time of nodes and gateway may be higher than they would be if the sensor supported those cryptographic functions in hardware.

The module performing the basic elliptic curve point operations, such as multiplication and addition, is a C implementation based on kmackay's micro-ecc. This module includes the ECDH and ECDSA functions and is an implementation targeted at 8-bit microcontrollers.

For the AES encryption algorithm with 192-bit keys, a C implementation has been used. The original module occupies relatively little memory and is suitable for little-endian devices.

The HMAC module is a software implementation in C of the FIPS 198 Keyed-Hash Message Authentication Code for SHA2.

For the communication between the devices, the Rime communication stack has been used. Rime is a lightweight layered communication stack for sensor networks created to simplify the implementation of sensor network protocols and facilitate code reuse. Rime is already implemented in Instant Contiki 3.0 and has a code footprint of less than two kilobytes, with data memory requirements on the order of tens of bytes.

At startup, each node generates a pair of private and public keys and starts listening on a broadcast connection on port 129. After receiving the broadcast message from the gateway, each node instead starts to listen on port 146 for unicast messages.

Table 7.2 Node and gateway memory usage [bytes]

Device     text     data    bss     dec      hex
Node       26821    302     5524    32647    7f87
Gateway    28077    302     5634    34013    84dd

Table 7.2 shows the memory usage of the node and the gateway in bytes. text is the size of the code section in bytes (this will typically be in ROM). data and bss are the sections that contain variables, stored in RAM.


8 Results

This chapter presents and describes the results of the performance evaluation of the context-based authentication protocol and of the group-key management protocol.

8.1 Performance of the authentication scheme

In this project two different fingerprints are proposed: one based on the ambient data from the sensors and one based on the recorded audio. The similarity of these fingerprints is then used to decide if devices can establish a connection by using a key generated from fuzzy commitment scheme.

The fingerprint generated from the ambient data is 320 bits long and requires 1000 samples from each sensor, which means that the device has to acquire data for 10000 seconds. The features used to generate this fingerprint are: temperature, humidity, gas, light and pressure. Only the parameters which were correlated among the devices over time have been used for the analysis; those obtained from the gyroscope and accelerometer were completely uncorrelated. A 64-bit fingerprint is generated from each feature and the five are then combined to generate a unique 320-bit fingerprint.

The fingerprint generated from the recorded audio has a length of 512 bits and requires 10 seconds of audio recording. Table 8.1 and Table 8.2 show the performance of the two fingerprints while changing the number of differing bits t tolerated between two fingerprints.

The analysis is performed by comparing fingerprints from the same environment at different times, in order to verify whether the scheme is able to identify that two fingerprints were generated in different periods. The tables show the following parameters:

• the amount of authenticated true claims (T.A.)

• the amount of not authenticated false claims (T.R.)

• the amount of authenticated false claims (F.A.)

• the amount of not authenticated true claims (F.R.)

(39)

Sensors

Environment    t      T.A.    T.R.    F.A.    F.R.
Factory        50     1       1071    0       104
Factory        80     18      1065    6       87
Factory        92     46      1059    12      70
Factory        100    55      1055    16      50
Lab            50     0       525     0       70
Lab            80     5       525     0       65
Lab            92     20      525     0       50
Lab            100    36      519     6       34

Table 8.1 Accuracy results of the fingerprints generated from the sensor data, changing the parameter t.

Audio

Environment    t      T.A.    T.R.    F.A.    F.R.
Factory        190    54      151     369     21
Factory        180    39      254     266     36
Factory        170    16      362     158     59
Factory        160    6       434     86      69
Lab            180    9       12      238     1
Lab            170    44      44      206     6
Lab            160    32      82      168     18
Lab            150    18      123     127     32

Table 8.2 Accuracy results of the fingerprints generated from the recorded audio, changing the parameter t.

In the factory’s use case, the device located far from the others is considered to be in a different environment. The results show how difficult it is to recognize fingerprints generated in different time periods. In Table 8.1 and Table 8.2 the fuzzy commitment scheme has been applied between devices located in different environments.

The tests are performed by changing the parameter t used by the error correcting code scheme.

The results show that when two devices are located in different environments, they produce dissimilar fingerprints, and even with high values of t it remains difficult to authenticate them. In fact, using an error correcting code able to correct 35% of the message in the case of audio fingerprints and 37% in the case of the fingerprint generated from the other ambient features, the scheme authenticates devices in different environments in 13.3% and 12.3% of the cases respectively.
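To make the tallies behind Tables 8.1 and 8.2 concrete, the following added example (not the thesis's own code) models the fuzzy commitment as opening whenever at most t bits differ between the commit and opening fingerprints, and counts T.A., T.R., F.A. and F.R. for several t over constructed 320-bit fingerprints. The base fingerprint, the number of flipped bits per claim and the helper names are assumptions.

```python
# Constructed 320-bit (40-byte) base fingerprint standing in for a device's
# ambient-data fingerprint; the value is an assumption, not thesis data.
BASE_FP = bytes(range(40))

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length fingerprints."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bits(fp: bytes, positions) -> bytes:
    """Return a copy of fp with the given bit positions inverted."""
    buf = bytearray(fp)
    for p in positions:
        buf[p // 8] ^= 1 << (p % 8)
    return bytes(buf)

def opens(commit_fp: bytes, open_fp: bytes, t: int) -> bool:
    """The commitment opens iff the error-correcting code can absorb the
    mismatch, i.e. at most t bits differ between the two fingerprints.
    The decoder itself is abstracted away; only its correction bound t matters."""
    return hamming(commit_fp, open_fp) <= t

def evaluate(true_pairs, false_pairs, t: int):
    """Tally the four table columns for one value of t.
    true_pairs: claims that should authenticate; false_pairs: claims that should not.
    Returns (T.A., T.R., F.A., F.R.)."""
    ta = sum(opens(a, b, t) for a, b in true_pairs)
    fa = sum(opens(a, b, t) for a, b in false_pairs)
    return ta, len(false_pairs) - fa, fa, len(true_pairs) - ta

def false_acceptance_rate(tr: int, fa: int) -> float:
    """Share of false claims that were wrongly authenticated."""
    return fa / (fa + tr) if fa + tr else 0.0

def sample_pairs():
    """Constructed claims with known bit distances (assumed, not measured)."""
    true_pairs = [(BASE_FP, flip_bits(BASE_FP, range(30))),    # 30 bits differ
                  (BASE_FP, flip_bits(BASE_FP, range(90)))]    # 90 bits differ
    false_pairs = [(BASE_FP, flip_bits(BASE_FP, range(150))),  # 150 bits differ
                   (BASE_FP, flip_bits(BASE_FP, range(45)))]   # 45 bits differ
    return true_pairs, false_pairs

if __name__ == "__main__":
    true_pairs, false_pairs = sample_pairs()
    for t in (50, 80, 92, 100):
        ta, tr, fa, fr = evaluate(true_pairs, false_pairs, t)
        print(f"t={t:3d}  T.A.={ta} T.R.={tr} F.A.={fa} F.R.={fr}  "
              f"FAR={false_acceptance_rate(tr, fa):.2f}")
```

Raising t moves claims from F.R. into T.A., but the close false claim shows why it also raises F.A. at the same time.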
