AutoCert : Automated TOCTOU-secure digital certification for IoT with combined authentication and assurance

• The Internet of Things (IoT) network is comprised of heterogeneous devices which are part of critical infrastructures throughout the world. To enable end-to-end security, the Public Key Infrastructure (PKI) is undergoing advancements to incorporate IoT devices globally which primarily provides device authentication. In addition to this, integrity of the software-state is vital, where Remote Attestation (RA) and Integrity Certificates play an important role. Though, Integrity Certificate verifies the software-state integrity of the device at the time of execution of the remote attestation process, it does not provide mechanisms to validate that the current software-state corresponds to the attested state. This issue is referred to as the Time-Of-Check to Time-Of-Use (TOCTOU) problem and remains unsolved in the context of Integrity Certificates. In this paper, we propose AutoCert, the first TOCTOU-secure mechanism to combine software-state integrity with PKI for IoT which resolves the TOCTOU problem in RA and Integrity Certificates. To this end, we utilize the IETF Remote Attestation Procedures architecture and standard X509 IoT profile certificates to ensure both device authentication and software assurance for IoT. We implement and evaluate the performance of the AutoCert proof-of-concept on a real IoT device, the OPTIGA TPM Evaluation Kit, to show its practicality and usability. AutoCert can validate the attested state of an IoT device in approximately 4746 milliseconds, with a minimal network overhead of 350 bytes. 

Ämnesord

NATURVETENSKAP  -- Data- och informationsvetenskap (hsv//swe)

NATURAL SCIENCES  -- Computer and Information Sciences (hsv//eng)

NATURVETENSKAP  -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)

NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Nyckelord

Assurance

Certification

IoT Device Security

Public Key Infrastructure

Remote Attestation

TPM 2.0

X509

Authentication

Digital devices

Mobile security

Mobile telecommunication systems

Network security

Public key cryptography

Device authentications

Internet of thing device security

Secure digital

Time of use

Internet of things

Computer Science

Publikations- och innehållstyp

ref (ämneskategori)

art (ämneskategori)