SwePub

Result list for search "WFRF:(Furuhed Martin)"

  • Results 1-7 of 7
1.
  • Forsby, Filip, et al. (author)
  • Lightweight X.509 Digital Certificates for the Internet of Things
  • 2018
  • In: Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng.. - Cham : Springer International Publishing. - 9783319937960 ; pp. 123-133
  • Conference paper (peer-reviewed). Abstract:
    • X.509 is the de facto digital certificate standard used in building the Public Key Infrastructure (PKI) on the Internet. However, traditional X.509 certificates are too heavy for battery powered or energy harvesting Internet of Things (IoT) devices where it is crucial that energy consumption and memory footprints are as minimal as possible. In this paper we propose, implement, and evaluate a lightweight digital certificate for resource-constrained IoT devices. We develop an X.509 profile for IoT including only the fields necessary for IoT devices, without compromising the certificate security. Furthermore, we also propose compression of the X.509 profiled fields using the contemporary CBOR encoding scheme. Most importantly, our solutions are compatible with the existing X.509 standard, meaning that our profiled and compressed X.509 certificates for IoT can be enrolled, verified and revoked without requiring modification in the existing X.509 standard and PKI implementations. We implement our solution in the Contiki OS and perform evaluation of our profiled and compressed certificates on a state-of-the-art IoT hardware.
2.
  • He, Zhitao, et al. (author)
  • Indraj : Digital certificate enrollment for battery-powered wireless devices
  • 2019
  • In: WiSec 2019 - Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks. - New York, NY, USA : Association for Computing Machinery, Inc. - 9781450367264 ; pp. 117-127
  • Conference paper (peer-reviewed). Abstract:
    • A public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer unfeasible on small devices. To migrate IoT from poorly scalable, pair-wise symmetric encryption to PKI, a major obstacle remains: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN). We evaluate our implementation on a low power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well behaved, first-class citizens on the Internet.
3.
  • Höglund, Joel, 1979-, et al. (author)
  • AutoPKI : public key infrastructure for IoT with automated trust transfer
  • 2024
  • In: International Journal of Information Security. - : Springer Science and Business Media Deutschland GmbH. - 1615-5262 .- 1615-5270.
  • Journal article (peer-reviewed). Abstract:
    • IoT deployments grow in numbers and size, which makes questions of long-term support and maintainability increasingly important. Without scalable and standard-compliant capabilities to transfer the control of IoT devices between service providers, IoT system owners cannot ensure long-term maintainability, and risk vendor lock-in. The manual overhead must be kept low for large-scale IoT installations to be economically feasible. We propose AutoPKI, a lightweight protocol to update the IoT PKI credentials and shift the trusted domains, enabling the transfer of control between IoT service providers, building upon the latest IoT standards for secure communication and efficient encodings. We show that the overhead for the involved IoT devices is small and that the overall required manual overhead can be minimized. We analyse the fulfilment of the security requirements, and for a subset of them, we demonstrate that the desired security properties hold through formal verification using the Tamarin prover. 
4.
  • Höglund, Joel, 1979-, et al. (author)
  • AutoPKI: Public Key Infrastructure for IoT with Automated Trust Transfer
  • Other publication (other academic/artistic). Abstract:
    • IoT deployments grow in numbers and size which makes questions of long-time support and maintainability increasingly important. By offering standard-compliant capabilities to transfer the control of IoT devices between service providers, maintainability is improved and vendor lock-in can be prevented. We propose AutoPKI, a protocol for transferring control between IoT service providers. We show that the overhead for the involved IoT devices is small and that the overall required manual overhead can be minimized. We analyse the fulfilment of the security requirements, and for a subset of them, we demonstrate that the desired security properties hold through formal verification in the Tamarin prover.
5.
  • Höglund, Joel, 1979-, et al. (author)
  • Lightweight certificate revocation for low-power IoT with end-to-end security
  • 2023
  • In: Journal of Information Security and Applications. - Amsterdam : Elsevier Ltd. - 2214-2134 .- 2214-2126. ; 73
  • Journal article (peer-reviewed). Abstract:
    • Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors
6.
  • Höglund, Joel, et al. (author)
  • PKI4IoT : Towards public key infrastructure for the Internet of Things
  • 2020
  • In: Computers & security (Print). - : Elsevier BV. - 0167-4048 .- 1872-6208. ; 89
  • Journal article (peer-reviewed). Abstract:
    • Public Key Infrastructure is the state-of-the-art credential management solution on the Internet. However, the millions of constrained devices that make up the Internet of Things currently lack a centralized, scalable system for managing keys and identities. Modern PKI is built on a set of protocols which were not designed for constrained environments, and as a result many small, battery-powered IoT devices lack the required computing resources. In this paper, we develop an automated certificate enrollment protocol light enough for highly constrained devices, which provides end-to-end security between certificate authorities (CA) and the recipient IoT devices. We also design a lightweight profile for X.509 digital certificates with CBOR encoding, called XIOT. Existing CAs can now issue traditional X.509 to IoT devices. These are converted to and from the XIOT format by edge devices on constrained networks. This procedure preserves the integrity of the original CA signature, so the edge device performing certificate conversion need not be trusted. We implement these protocols within the Contiki embedded operating system and evaluate their performance on an ARM Cortex-M3 platform. Our evaluation demonstrates reductions in energy expenditure and communication latency. The RAM and ROM required to implement these protocols are on par with the other lightweight protocols in Contiki’s network stack.
7.
  • Höglund, Joel, et al. (author)
  • Towards Automated PKI Trust Transfer for IoT
  • 2022
  • In: 2022 IEEE International Conference on Public Key Infrastructure and its Applications, PKIA 2022. - : Institute of Electrical and Electronics Engineers Inc.. - 9781665488839
  • Conference paper (peer-reviewed). Abstract:
    • IoT deployments grow in numbers and size and questions of long time support and maintainability become increasingly important. To prevent vendor lock-in, standard compliant capabilities to transfer control of IoT devices between service providers must be offered. We propose a lightweight protocol for transfer of control, and we show that the overhead for the involved IoT devices is small and the overall required manual overhead is minimal. We analyse the fulfilment of the security requirements to verify that the stipulated requirements are satisfied. 