Siwei Li,Hui Zhang,Hui Shi,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/s11227-024-06262-y

IF: 3.3

2024-06-04

The Journal of Supercomputing

Abstract:The distributed authentication of a large number of resource-constrained power terminal devices (PTDs) is crucial for ensuring the security of the power IoT communication. However, existing solutions are inadequate in terms of security (such as vulnerability to single point failures or insider attacks) and communication costs, which do not meet the requirements of the power IoT environment. Therefore, we propose a zero-trust-based mutual authentication scheme in cloud-edge-end collaboration power IoT environment based on blockchain technology. The proposed solution involves deploying a distributed multi-point zero-trust engine around dense PTDs to collect real-time identity information. Through the maintenance of an alliance blockchain, the edge server securely shares and traces identity information, preventing tampering and effectively blocking threats related to lost terminals during authentication. Additionally, a lightweight ECC key management scheme ensures the security of authentication information. The proposed scheme effectively defends against common attacks such as replay attacks and identity forgery attacks through informal security analysis, while its security is evaluated using the Canetti and Krawczyk (CK) adversary models. Performance evaluation results demonstrate that the proposed scheme achieves effectiveness without the compromising required security attributes, which obtains up to 58% improvement 58% improvement in computation delay and a 56.9% improvement in communication costs over previous state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Biao Zhang,Shuo Yang,Xinran Zheng,Xingjun Wang

DOI: https://doi.org/10.1109/wcnc57260.2024.10571244

2024-01-01

Abstract:Network technology developments are blurring the security boundary of the Internet of Things (IoT), making it difficult for traditional border-based security architectures to cope with endless internal attacks. The Zero Trust Architecture (ZTA), with its core concept of “Never Trust, Always Verify”, effectively addresses this problem. Continuous Authentication (CA) is an indispensable component of the zero trust IoT. However, existing CA protocols are impractical to deploy on zero trust IoT due to their dependence on specific properties and thirst for resources. Therefore, this paper proposes a continuous authentication protocol, namely STCA, that uses stacked tokens to ensure the legitimacy of entities during a whole session. Through the theoretical analysis and simulation results, STCA resists several common attacks. The comparison analysis indicates that STCA has a better performance compared with related CA protocols, thereby demonstrating it is more suitable for zero trust IoT.

Wenyi Liu,Zheng Zhang,Xu Qiao,Yuanzhang Li,Yu-an Tan,Weizhi Meng

DOI: https://doi.org/10.1145/3672200.3673874

2024-01-01

Abstract:With the rapid expansion of network scale and the increasing complexity of network infrastructure, network boundaries have gradually blurred, traditional bound-based security models have gradually become ineffective to new application environment. In the literature, zero trust security model implements continuous verification and dynamic authorization for all access requests based on multi-dimensional factors such as the identity of the access subject. To safeguard against untrusted software and vulnerabilities, it is crucial to employ diverse technologies to protect software integrity and ensure system safety. This paper focuses on the research of software integrity authentication for the zero trust network. We create a master-slave collaboration environment of host and SSD in the zero trust network, where the host CPU is the dominant CPU and the SSD CPU is the slave CPU. We then design a software integrity authentication protocol for this zero trust architecture. The protocol does not require any hardware assistance and our experimental results show that it can defend against attacks through checksum correctness and verification-time validity.

Seunghwan Son,Deokkyu Kwon,Sangwoo Lee,Hyeokchan Kwon,Youngho Park

DOI: https://doi.org/10.1109/access.2024.3484522

IF: 3.9

2024-10-29

IEEE Access

Abstract:The sixth generation (6G) is the next generation of wireless communication technology, is not limited to cellular networks but can be used to provide better services in all areas of wireless communication, including vehicles, drones, and smart homes. However, these advancements in 6G technology require further security considerations. In earlier networks, authentication schemes were designed to rely on a secure channel between the core network and access points. The 6G network is an open, distributed network that integrates multiple domains and entities and cannot guarantee secure channels in the network. The 6G network requires a new security authentication scheme that applies the zero-trust model. Therefore, this study proposes a zero-trust authentication scheme with access control for 6G-enabled Internet of Things environments. The scheme uses blockchain technology for mutual authentication in a distributed environment and lightweight attribute-based encryption to ensure dynamic access control and network efficiency. This study compares the proposed authentication method with existing methods and demonstrates that this scheme has better performance and security. To the best of our knowledge, this paper is the first to propose a specific authentication protocol with access control considering the zero-trust model in a 6G environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wentao Jing,Linning Peng,Hua Fu,Aiqun Hu

DOI: https://doi.org/10.1109/jiot.2024.3385989

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the development of Internet of Things (IoT) and cloud networks, the security of edge networks, borderless networks, and obscure networks are essential, so there are many security problems that need to be tackled, including over-trust in trust areas and security only based on security boundaries in traditional security architecture. According to characters of zero trust security architectures and integrative trust model (ITM), the zero trust architectures (ZTAs) better adapt to handle these security problems compared to the ITM for the IoT networks. Meanwhile, the radio frequency fingerprint (RFF) identification keeps high accuracy and high stability with researchers' investigation, which makes RFF authentication feasible. Therefore, we propose a mechanism that combines the RFF authentication technique and ZTA to improve security in IOT networks, including edge networks, borderless networks, and obscure networks. The method resolves the difficulty of over-reliance on a trustable center or trust chain, and the method is suitable for borderless networks and obscure networks. Besides, this method resists data leakage, counterfeit attack and rouge access point (AP) attack with RFF authentication, and it can reduce the risk caused by compromised devices with zero trust concepts. With the analysis in this article, the proposed method keeps high-level security and performance that method effectively against spoofing identity, tampering, and information disclosure. The authentication accuracy of the method has reached 99%, and the authentication owns robustness in time cost and collision-resistant.

Wei Ren,Ruoting Xiong,Yizhi Liu,G. Min,Tianqing Zhu,Xiaohan Hao,K. Choo

DOI: https://doi.org/10.1109/TC.2022.3157996

IF: 3.183

2023-02-01

IEEE Transactions on Computers

Abstract:Internet-of-Things (IoT) are increasingly operating in the zero-trust environments where any devices and systems may be compromised and hence untrusted. In addition, data collected by and sent from IoT devices may be shared with and processed by edge computing systems, in order to reduce the reliance on centralized (cloud) servers, leading to further security and privacy issues. To cope with these challenges, this paper proposes an innovative blockchain-enabled information sharing solution in zero-trust context to guarantee anonymity yet entity authentication, data privacy yet data trustworthiness, and participant stimulation yet fairness. This new solution is able to support filtering of fabricated information through smart contracts, effective voting, and consensus mechanisms, which can prevent unauthenticated participants from sharing garbage information. We also prove that the proposed solution is secure in the universal composability framework, and further evaluate its performance over an Ethereum-based blockchain platform to demonstrate its utility.

Computer Science,Engineering

Haoran Xie,Yujue Wang,Yong Ding,Changsong Yang,Hai Liang,Bo Qin

DOI: https://doi.org/10.1109/mwc.001.2300368

IF: 12.777

2024-01-01

IEEE Wireless Communications

Abstract:As a critical infrastructure for contemporary information technology industry, industrial internet of things (IIoT) contains a vast amount of sensitive data, making it a key requirement to ensure data security. As the use of wireless networks as a means of communication between nodes is becoming more and more common, in order to prevent malicious attacks from compromising the system, a zero-trust authentication system is necessary. In this article, we propose a comprehensive implementation framework for zero-trust verification of IIoT wireless transmission nodes, which utilizes federated learning to achieve zero-trust rule training and terminal model training, while employing blockchain technology for on-chain aggregation and cloud backup of the models. This approach enhances the accuracy and availability of the zero-trust rules while safeguarding the security of IIoT nodes. The constructed zero-trust framework incorporates a self-incremental learning function, and experiments show that it achieves a high level of accuracy at recognising attacks. Finally, we discuss the challenges of utilizing federated learning in zero-trust for IIoT and several potential solutions to address these challenges.

Han Zhang,Qian Wang,Xiaoli Zhang,Yi He,Bo Tang,Qi Li

DOI: https://doi.org/10.1109/mcom.001.2300390

IF: 9.03

2024-01-01

IEEE Communications Magazine

Abstract:Internet of things (IoT) networks allow cross-device interactions to achieve various intelligent applications, for example, smart homes and smart commercial spaces. However, cross-device interactions are often protected by inadequate authorization mechanisms, making them susceptible to various attacks, including connection-based attacks, application impersonation attacks, and so on. In this article, we propose a zero-trust IoT network architecture, OUTSIDE, designed to provide fine-grained authorization for IoT applications. It achieves the application-level authorization at the network layer by encoding the capability information of applications into verifiable tokens. Meanwhile, it enables a zero-trust service for per-packet verification, ensuring that every packet is sent by an authorized application with proper access privileges. Particularly, our architecture is versatile and compatible with various IoT protocols. We prototype and deploy OUTSIDE in Raspberry Pis and ESP32 microcontrollers running over the constrained application protocol (CoAP). The experimental results show that our architecture incurs negligible performance degradation.

Yujian Zhang,Yuhao Luo,Xing Chen,Fei Tong,Yuwei Xu,Jun Tao,Guang Cheng

DOI: https://doi.org/10.1155/2022/9686049

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Internet of Things (IoT) has been ubiquitous in both industrial and living areas, but also known for its weak security. Being as the first defense line against various cyberattacks, authentication is even more critical to IoT applications. Moreover, there has been a growing demand for cross-domain collaboration, leading to an increasing need for cross-domain authentication. Recently, certificate-based authentication schemes have been extensively studied. However, many of these schemes are not efficient in computation, storage, and communication, which are highly required in IoT. In this paper, we propose a lightweight authentication scheme based on consortium blockchain and design a cryptocurrency-like digital token to build trust. Furthermore, trust lifecycle management is performed by manipulating the amount of tokens. The comprehensive analysis and evaluation demonstrate that the proposed scheme is resistant to various common attacks and more efficient than competitor schemes in terms of storage, communication, and authentication cost.

Yuanhang He,Daochao Huang,Lei Chen,Yi Ni,Xiangjie Ma

DOI: https://doi.org/10.1155/2022/6476274

2022-06-16

Wireless Communications and Mobile Computing

Abstract:The traditional perimeter-based network protection model cannot adapt to the development of current technology. Zero trust is a new type of network security model, which is based on the concept of never trust and always verify. Whether the access subject is in the internal network or the external network, it needs to be authenticated to access resources. The zero trust model has received extensive attention in research and practice because it can meet the new network security requirements. However, the application of zero trust is still in its infancy, and enterprises, organizations, and individuals are not fully aware of the advantages and disadvantages of zero trust, which greatly hinders the application of zero trust. This paper introduces the existing zero trust architecture and analyzes the core technologies including identity authentication, access control, and trust assessment, which are mainly relied on in the zero trust architecture. The main solutions under each technology are compared and analyzed to summarize the advantages and disadvantages, as well as the current challenges and future research trends. Our goal is to provide support for the research and application of future zero trust architectures.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenlong Zhu,Changli Zhou,Linmei Jiang

DOI: https://doi.org/10.3390/electronics13061026

IF: 2.9

2024-03-09

Electronics

Abstract:With the rapid popularization of current Internet of Things (IoT) technology and 5G networks, as well as the continuous updating of new service lifestyles and businesses, the era of big data processing for the IoT has arrived. However, centralizing all data for processing in the cloud can lead to issues such as communication latency and privacy breaches. To solve these problems, edge computing, as a new network architecture close to terminal data sources and supporting low latency services, has gradually emerged. In this context, cloud edge collaborative computing has become an important network architecture. With the changing security requirements and communication methods of cloud edge collaborative network architecture, traditional authentication key agreement protocols are no longer applicable. Therefore, a new IoT authentication and key agreement protocol needs to be designed to solve this problem. This study proposes an IoT accessible solution for cloud edge collaboration. This scheme adopts a chaotic mapping algorithm to achieve efficient authentication. It ensures the anonymity and untraceability of users. Following this, we conducted strict security verification using BAN logic and Scyther tools. Through experimental comparative analysis, the research results show that the protocol performs better than other schemes while ensuring security. This indicates that the protocol can achieve efficient authentication and key negotiation in cloud edge collaborative network architecture, providing a secure and reliable solution for the accessibility of the IoT.

engineering, electrical & electronic,computer science, information systems,physics, applied

Syed W. Shah,Naeem F. Syed,Arash Shaghaghi,Adnan Anwar,Zubair Baig,Robin Doss

DOI: https://doi.org/10.48550/arXiv.2010.05144

2020-10-11

Abstract:Continuous Authentication (CA) has been proposed as a potential solution to counter complex cybersecurity attacks that exploit conventional static authentication mechanisms that authenticate users only at an ingress point. However, widely researched human user characteristics-based CA mechanisms cannot be extended to continuously authenticate Internet of Things (IoT) devices. The challenges are exacerbated with increased adoption of device-to-device (d2d) communication in critical infrastructures. Existing d2d authentication protocols proposed in the literature are either prone to subversion or are computationally infeasible to be deployed on constrained IoT devices. In view of these challenges, we propose a novel, lightweight, and secure CA protocol that leverages communication channel properties and a tunable mathematical function to generate dynamically changing session keys. Our preliminary informal protocol analysis suggests that the proposed protocol is resistant to known attack vectors and thus has strong potential for deployment in securing critical and resource-constrained d2d communication.

Cryptography and Security

Keke Gai,Yufeng She,Liehuang Zhu,Kim-Kwang Raymond Choo,Zhiguo Wan

DOI: https://doi.org/10.1145/3511899

IF: 5.3

2023-01-01

ACM Transactions on Internet Technology

Abstract:Multi-organization data sharing is becoming increasingly prevalent due to the interconnectivity of systems and the need for collaboration across organizations (e.g., exchange of data in a supply chain involving multiple upstream and downstream vendors). There are, however, data security concerns due to lack of trust between organizations that may be located in jurisdictions with varying security and privacy legislation and culture (also referred to as a zero trust environment). Hence, in such a zero trust setting, one should introduce strengthened, yet efficient, access control mechanisms to facilitate cross-organizational data access and exchange requests. Contemporary access control schemes generally focus on protecting a single objective rather than multiple parties, due to higher security costs. In this article, we propose a blockchain-based access control scheme, designed to facilitate lightweight data sharing among different organizations. Specifically, our approach utilizes the consortium blockchain to establish a trustworthy environment, in which a Role-Based Access Control (RBAC) model is then deployed using our proposed multi-signature protocol and smart contract methods. Evaluation of our proposed approach is performed on the HyperLedger Fabric consortium blockchain platform using both Caliper and BFT-SMaRT benchmarks, and the findings demonstrate the utility of our approach.

Shiva Raj Pokhrel,Luxing Yang,Sutharshan Rajasegarar,Gang Li

2024-06-25

Abstract:This paper introduces a robust zero-trust architecture (ZTA) tailored for the decentralized system that empowers efficient remote work and collaboration within IoT networks. Using blockchain-based federated learning principles, our proposed framework includes a robust aggregation mechanism designed to counteract malicious updates from compromised clients, enhancing the security of the global learning process. Moreover, secure and reliable trust computation is essential for remote work and collaboration. The robust ZTA framework integrates anomaly detection and trust computation, ensuring secure and reliable device collaboration in a decentralized fashion. We introduce an adaptive algorithm that dynamically adjusts to varying user contexts, using unsupervised clustering to detect novel anomalies, like zero-day attacks. To ensure a reliable and scalable trust computation, we develop an algorithm that dynamically adapts to varying user contexts by employing incremental anomaly detection and clustering techniques to identify and share local and global anomalies between nodes. Future directions include scalability improvements, Dirichlet process for advanced anomaly detection, privacy-preserving techniques, and the integration of post-quantum cryptographic methods to safeguard against emerging quantum threats.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning

Jingnan Dong,Guangxia Xu,Chuang Ma,Jun Liu,Uchani Gutierrez Omar Cliff

DOI: https://doi.org/10.1109/jiot.2023.3296506

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In Industrial Internet, mutual authentication between enterprises is a prerequisite for establishing reliable upstream and downstream relationships. Existing authentication methods suffer from complicated certificate management and key escrow problems. Moreover, many authentication mechanisms cannot resist common security attacks and have high computational overhead and communication costs. Therefore, this paper proposes a blockchain-based certificate-free cross-domain authentication mechanism for Industrial Internet. By establishing an Ethereum consortium blockchain as the trusted cornerstone among different regions, industrial enterprises in each region generate the user’s private key with the key generation center in the region, thus avoiding the key escrow problem. This consortium blockchain adopts the proof of authority consensus mechanism for scalability and throughput. Industrial enterprises in different regions invoke smart contracts and query other industrial enterprises for mutual authentication and key negotiation. SVO logic proves the proposed scheme achieves the intended authentication goal, and the automated formal verification tool Scyther proves the scheme’s security. In addition, compared with seven related schemes in the last three years, the experimental results show that the proposed scheme has low communication overhead and computational cost in the authentication key negotiation phase. The experiments on the Ethereum consortium blockchain built by Raspberry Pi prove the effectiveness of the proposed scheme. Finally, the comparative analysis of common security properties proves the reliability of the scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jie Cai,Han Jiang,Qiuliang Xu,Guangshi Lv,Minghao Zhao,Hao Wang

DOI: https://doi.org/10.1007/978-3-030-02744-5_10

2018-01-01

Abstract:In recent years, IoT devices have been widely used in the newly-emerging technologized such as crowd-censoring and smart city. Authentication among each IoT node plays a central role in secure communications. Generally, zero-knowledge identification scheme enables one party to authenticate himself without disclosing any additional information. However, a zero-knowledge based protocol normally involves heavily computational or interactive overhead, which is unaffordable for lightweight IoT devices. In this paper, we propose a modified zero-knowledge identification scheme based on that of Silva, Cayrel and Lindner (SCL, for short). The security of our scheme relies on the existence of a commitment scheme and on the hardness of ISIS problem (i.e., a hardness assumption that can be reduced to worst-case lattice problems). We present the detail construction and security proof in this paper.

Ziyi Su,Shiwei Wang,Hongliu Cai,Jiaxuan Huang,Yourong Chen,Xudong Zhang,Muhammad Alam

DOI: https://doi.org/10.3390/electronics13183735

IF: 2.9

2024-09-21

Electronics

Abstract:Current authentication schemes based on zero-knowledge proof (ZKP) still face issues such as high computation costs, low efficiency, and security assurance difficulty. Therefore, we propose a secure and efficient authentication scheme (SEAS) for large-scale IoT devices based on ZKP. In the initialization phase, the trusted authority creates prerequisites for device traceability and system security. Then, we propose a new registration method to ensure device anonymity. In the identity tracing and revocation phase, we revoke the real identity of abnormal devices by decrypting and updating group public keys, avoiding their access and reducing revocation costs. In the authentication phase, we check the arithmetic relationship between blind certificates, proofs, and other random data. We propose a new anonymous batch authentication method to effectively reduce computation costs, enhance authentication efficiency, and guarantee device authentication security. Security analysis and experimental results show that an SEAS can ensure security and effectively reduce verification time and energy costs. Its security and performance exceed existing schemes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Min Guo,Dongjuan Ma,Feng Jing,Huiping Zheng,Xiaojie Liu,Penghui Liu,Yun Ju

DOI: https://doi.org/10.3233/jcm-226750

2023-05-13

Journal of Computational Methods in Sciences and Engineering

Abstract:In order to study the standard security access authentication mechanism of intelligent sensing terminals of massive power Internet of Things, In order to study the standard secure access authentication mechanism of intelligent sensing terminal of massive power Internet of Things, a new privacy protection method widely used in block chain is proposed to prove identity. The traditional power IoT cloud-side interaction security access MQTT protocol still has a lot of room for adaptation and optimization. First, the proposed non-interactive zero-knowledge proof identity authentication method reduces the time of traditional standard secure access authentication process; Second, it reduced the computing resources consumed in a large number of intelligent sensors access authentication. The comparison results show that, the access authentication time of this method is 30%∼50% less than that of the traditional secure access authentication process. The computing resources consumed during authentication are reduced by 20% to 30% compared with traditional security and secrecy mechanisms.

Xingxing Chen,Qingfeng Cheng,Weidong Yang,Xiangyang Luo

DOI: https://doi.org/10.1007/s11704-023-2595-x

IF: 2.6688

2024-01-23

Frontiers of Computer Science

Abstract:With the widespread use of network infrastructures such as 5G and low-power wide-area networks, a large number of the Internet of Things (IoT) device nodes are connected to the network, generating massive amounts of data. Therefore, it is a great challenge to achieve anonymous authentication of IoT nodes and secure data transmission. At present, blockchain technology is widely used in authentication and s data storage due to its decentralization and immutability. Recently, Fan et al. proposed a secure and efficient blockchain-based IoT authentication and data sharing scheme. We studied it as one of the state-of-the-art protocols and found that this scheme does not consider the resistance to ephemeral secret compromise attacks and the anonymity of IoT nodes. To overcome these security flaws, this paper proposes an enhanced authentication and data transmission scheme, which is verified by formal security proofs and informal security analysis. Furthermore, Scyther is applied to prove the security of the proposed scheme. Moreover, it is demonstrated that the proposed scheme achieves better performance in terms of communication and computational cost compared to other related schemes.

computer science, information systems, theory & methods, software engineering

Shanyao Ren,Yizhong Liu,Beiyuan Yu,Jianwei Liu,Dongyu Li

DOI: https://doi.org/10.1109/jiot.2023.3332943

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The inherent massive heterogeneous devices and open channels in the Internet of Things (IoT) present significant challenges for identity authentication between devices and cloud servers. For this issue, reliable protocols ensure the legality of participants and act as a crucial method to provide security for authentication. In previous research, schemes devised by researchers exhibit certain security vulnerabilities, making it challenging to withstand comprehensive network attacks, e.g., stolen device attacks, replay attacks, impersonation, etc. Additionally, some protocols have complex interaction processes, which incur significant computational redundancy and resource loss. Motivated by this, this article proposes an anonymous and certificateless lightweight authentication protocol (ACLAP) for device-to-server and device-to-device based on elliptic curve cryptography. It improves the communication quality between devices and cloud servers and solves the security risks in authentication. In the scheme, we utilize device users' passwords and biometric features as verification credentials without storing any trusted proofs on the cloud server. We address the issue of resource consumption caused by numerous devices in the IoT environment. From formal security analysis and comparisons with other works, our protocol has preferable security performance and effectively saves communication resources for authentication. Simulation results demonstrate the feasibility and practical significance of the scheme.