Wentao Jing,Linning Peng,Hua Fu,Aiqun Hu

DOI: https://doi.org/10.1109/jiot.2024.3385989

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the development of Internet of Things (IoT) and cloud networks, the security of edge networks, borderless networks, and obscure networks are essential, so there are many security problems that need to be tackled, including over-trust in trust areas and security only based on security boundaries in traditional security architecture. According to characters of zero trust security architectures and integrative trust model (ITM), the zero trust architectures (ZTAs) better adapt to handle these security problems compared to the ITM for the IoT networks. Meanwhile, the radio frequency fingerprint (RFF) identification keeps high accuracy and high stability with researchers' investigation, which makes RFF authentication feasible. Therefore, we propose a mechanism that combines the RFF authentication technique and ZTA to improve security in IOT networks, including edge networks, borderless networks, and obscure networks. The method resolves the difficulty of over-reliance on a trustable center or trust chain, and the method is suitable for borderless networks and obscure networks. Besides, this method resists data leakage, counterfeit attack and rouge access point (AP) attack with RFF authentication, and it can reduce the risk caused by compromised devices with zero trust concepts. With the analysis in this article, the proposed method keeps high-level security and performance that method effectively against spoofing identity, tampering, and information disclosure. The authentication accuracy of the method has reached 99%, and the authentication owns robustness in time cost and collision-resistant.

Wei Ren,Ruoting Xiong,Yizhi Liu,G. Min,Tianqing Zhu,Xiaohan Hao,K. Choo

DOI: https://doi.org/10.1109/TC.2022.3157996

IF: 3.183

2023-02-01

IEEE Transactions on Computers

Abstract:Internet-of-Things (IoT) are increasingly operating in the zero-trust environments where any devices and systems may be compromised and hence untrusted. In addition, data collected by and sent from IoT devices may be shared with and processed by edge computing systems, in order to reduce the reliance on centralized (cloud) servers, leading to further security and privacy issues. To cope with these challenges, this paper proposes an innovative blockchain-enabled information sharing solution in zero-trust context to guarantee anonymity yet entity authentication, data privacy yet data trustworthiness, and participant stimulation yet fairness. This new solution is able to support filtering of fabricated information through smart contracts, effective voting, and consensus mechanisms, which can prevent unauthenticated participants from sharing garbage information. We also prove that the proposed solution is secure in the universal composability framework, and further evaluate its performance over an Ethereum-based blockchain platform to demonstrate its utility.

Computer Science,Engineering

Dongfeng Fang,Yi Qian,Rose Qingyang Hu

DOI: https://doi.org/10.1109/jiot.2020.2970974

IF: 10.6

2020-04-01

IEEE Internet of Things Journal

Abstract:Internet-of-Things (IoT) applications have been rapidly deployed into pervasive environment, where both challenges and opportunities abound. On the one hand, a large number of IoT devices and their rich functions contribute significant volumes of data, which has brought tremendous convenience to the daily lives of end users. On the other hand, the heterogeneous IoT devices and a large amount of private information transmitted through networks also bring serious security and privacy issues. It is a big challenge to model IoT systems and trust relationships between different entities with a large number of heterogeneous IoT devices. In this article, we study a general IoT system architecture with consideration of heterogeneous IoT devices. Different trust models are proposed and analyzed based on the trust relationships between different entities in the IoT system. We propose a flexible and efficient authentication scheme with a consideration of heterogeneous IoT devices based on the least trust-required model. The proposed scheme provides security and privacy to resource-limited IoT devices flexibly and efficiently by utilizing IoT devices with better storage and computational ability. Moreover, secure data transmission is presented with contextual privacy and data integrity services. The proposed scheme achieves not only the mutual authentication, initial session key agreement, and data integrity but also anonymity, contextual privacy, forward security, end-to-end security, and key escrow resilience. Security analysis is presented to provide verification of the proposed protocol and security objectives. Moreover, performance evaluation is presented with comparison to the other schemes in terms of security features, computational overhead, and communication overhead. The performance comparisons show that our proposed scheme provides flexible and efficient security by consideration of heterogeneous IoT devices. With the higher proportion of resource-limited IoT devic-s, our proposed scheme outperforms other similar schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kehe Wu,Jin Shi,Zhimin Guo,Zheng Zhang,Junfei Cai

DOI: https://doi.org/10.1109/iccea53728.2021.00023

2021-01-01

Abstract:In order to guarantee the normal operation of the power Internet of things devices, the zero-trust idea was used for studying the security protection strategies of devices from four aspects: user authentication, equipment trust, application integrity and flow baselines. Firstly, device trust is constructed based on device portrait; then, verification of device application integrity based on MD5 message digest algorithm to achieve device application trustworthiness. Next, the terminal network traffic baselines are mined from OpenFlow, a southbound protocol in SDN. Finally, according to the dynamic user trust degree attribute access control model, the comprehensive user trust degree was obtained by weighting the direct trust degree. It obtained from user authentication and the trust degree of user access to terminal communication traffic. And according to the comprehensive trust degree, users are assigned the minimum authority to access the terminal to realize the security protection of the terminal. According to the comprehensive trust degree, the minimum permissions for users to access the terminal were assigned to achieve the security protection of the terminal. The research shows that the zero-trust mechanism is applied to the terminal security protection of power Internet of Things, which can improve the reliability of the safe operation of terminal equipment.

Fabio Federici,Davide Martintoni,Valerio Senni

DOI: https://doi.org/10.3390/electronics12030566

IF: 2.9

2023-01-22

Electronics

Abstract:This paper considers the domain of Industrial Internet of Things (IIoT) infrastructures and the recurring need for collaboration across teams and stakeholders by means of remote access. The paper describes a secure solution beyond the traditional perimeter-based security approach, which consists of an architecture that supports multi-level authorization to achieve fine-grained access control, better scalability, and maintainability. An implementation of the proposed solution, using open-source technologies, is also discussed and covers the protection of both the network and edge domains of a complex IIoT infrastructure. Finally, the paper presents a risk-driven and model-based process that is designed to support the migration of existing infrastructures to the solution architecture. The approach is validated, taking as a reference two relevant scenarios for the aerospace industry.

engineering, electrical & electronic,computer science, information systems,physics, applied

Biao Zhang,Shuo Yang,Xinran Zheng,Xingjun Wang

DOI: https://doi.org/10.1109/wcnc57260.2024.10571244

2024-01-01

Abstract:Network technology developments are blurring the security boundary of the Internet of Things (IoT), making it difficult for traditional border-based security architectures to cope with endless internal attacks. The Zero Trust Architecture (ZTA), with its core concept of “Never Trust, Always Verify”, effectively addresses this problem. Continuous Authentication (CA) is an indispensable component of the zero trust IoT. However, existing CA protocols are impractical to deploy on zero trust IoT due to their dependence on specific properties and thirst for resources. Therefore, this paper proposes a continuous authentication protocol, namely STCA, that uses stacked tokens to ensure the legitimacy of entities during a whole session. Through the theoretical analysis and simulation results, STCA resists several common attacks. The comparison analysis indicates that STCA has a better performance compared with related CA protocols, thereby demonstrating it is more suitable for zero trust IoT.

Seunghwan Son,Deokkyu Kwon,Sangwoo Lee,Hyeokchan Kwon,Youngho Park

DOI: https://doi.org/10.1109/access.2024.3484522

IF: 3.9

2024-10-29

IEEE Access

Abstract:The sixth generation (6G) is the next generation of wireless communication technology, is not limited to cellular networks but can be used to provide better services in all areas of wireless communication, including vehicles, drones, and smart homes. However, these advancements in 6G technology require further security considerations. In earlier networks, authentication schemes were designed to rely on a secure channel between the core network and access points. The 6G network is an open, distributed network that integrates multiple domains and entities and cannot guarantee secure channels in the network. The 6G network requires a new security authentication scheme that applies the zero-trust model. Therefore, this study proposes a zero-trust authentication scheme with access control for 6G-enabled Internet of Things environments. The scheme uses blockchain technology for mutual authentication in a distributed environment and lightweight attribute-based encryption to ensure dynamic access control and network efficiency. This study compares the proposed authentication method with existing methods and demonstrates that this scheme has better performance and security. To the best of our knowledge, this paper is the first to propose a specific authentication protocol with access control considering the zero-trust model in a 6G environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Siwei Li,Hui Zhang,Hui Shi,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/s11227-024-06262-y

IF: 3.3

2024-06-04

The Journal of Supercomputing

Abstract:The distributed authentication of a large number of resource-constrained power terminal devices (PTDs) is crucial for ensuring the security of the power IoT communication. However, existing solutions are inadequate in terms of security (such as vulnerability to single point failures or insider attacks) and communication costs, which do not meet the requirements of the power IoT environment. Therefore, we propose a zero-trust-based mutual authentication scheme in cloud-edge-end collaboration power IoT environment based on blockchain technology. The proposed solution involves deploying a distributed multi-point zero-trust engine around dense PTDs to collect real-time identity information. Through the maintenance of an alliance blockchain, the edge server securely shares and traces identity information, preventing tampering and effectively blocking threats related to lost terminals during authentication. Additionally, a lightweight ECC key management scheme ensures the security of authentication information. The proposed scheme effectively defends against common attacks such as replay attacks and identity forgery attacks through informal security analysis, while its security is evaluated using the Canetti and Krawczyk (CK) adversary models. Performance evaluation results demonstrate that the proposed scheme achieves effectiveness without the compromising required security attributes, which obtains up to 58% improvement 58% improvement in computation delay and a 56.9% improvement in communication costs over previous state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xinyin Xiang,Jin Cao,Weiguo Fan

DOI: https://doi.org/10.1109/jsyst.2020.3040739

IF: 4.802

2021-09-01

IEEE Systems Journal

Abstract:Trusted data transmission is the foundation of the Internet of Things (IoT) security, so in the process of data transmission, the trust of IoT nodes needs to be confirmed in real time, and the real-time tracking of node trust is also expected. Yet, modern IoT devices provide limited security capabilities, forming a new attack focus. Remote attestation is a kind of technology to detect network threats by remotely checking the internal situation of terminal devices by a trusted entity. Multidevice attestation is rarely studied although the ongoing single device attestation techniques lack scalability in the application of IoT. In this article, we present a lightweight attestation protocol based on an IoT system under an ideal physical unclonable functions environment. Our protocol can resilient against any strong adversary who physically accesses IoT devices. Simulation results show that our protocol is scalable and can be applied to dynamic networks.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Maha Ali Allouzi,Javed Khan

2024-02-16

Abstract:Internet of Medical Things (IoMT) deals with a patient-data-rich segment, which makes security and privacy a severe concern for patients. Therefore, access control is a significant aspect of ensuring trust in the IoMT. However, deploying existing authentication and authorization solutions to the Internet of Medical Things (IoMT) is not straightforward because of highly dynamic and possibly unprotected environments and untrusted supply chain for the IoT devices. In this article, we propose Soter, a Zero-Trust based authentication system for the IoMT. Soter Incorporates trust negotiation mechanisms within the Zero Trust framework to enable dynamic trust establishment. When a user or device seeks access to a resource, initiate a trust negotiation process. During this process, credentials, attributes, and contextual information are exchanged between the requester and the resource owner. Soter defines access rules based on various factors, including user identity, device health, and location. Access is granted or denied based on these conditions.

Cryptography and Security,Computers and Society

Jinsong Han,Feng Lin,Wenbo Shen,Kui Ren

DOI: https://doi.org/10.1145/3313294.3313380

2019-01-01

Abstract:We have witnessed a tremendous growth of Internet of Things (IoT) and popularization of IoT devices in past decades, including wireless sensors, smart phones, wearable devices, smart tags, activity trackers, and the like. These devices are widely deployed to enable intelligent computing and services in our daily life, such as the logistics, retailing, healthcare to be used in the smart city. However, trustworthy authentication in IoT becomes a key challenge towards a smooth and rapid development of IoT. According to a survey by Altman Vilandrie & Company [1], due to the lack of authentication and other system protections, small and medium-sized enterprises suffer a losses of up to 13% of their annual revenues from attacks on IoT systems. In the IoT environment, trust also becomes ubiquitous. Merely authenticating individual users or devices is not enough, because collaborative interaction and cooperation among users, devices, and environments are critical in IoT. In such circumstance, information is shared, data is fused, and all elements, including the human, device, and environment, are highly integrated. Thus, the authentication requirement for IoT applications should be characterized as temporally-spatially consistent, human-and-environment-in-the-loop, and continuously trustworthy. Unfortunately, conventional authentication methods failed to meet above demands. The main reasons are as follows. • Existing approaches usually perform authentication on the user and device separately. Meanwhile, there is scarcely seen the authentication carried out in the environment. An attacker can eavesdrop in the communication, counterfeit the authentication tokens or proofs [2], or just simply carry out replaying attacks to impersonate the actual user or device [3]. • Existing authentication systems have little consideration on the spatio-temporal nature of IoT computing and services. Besides the authenticity of data, users, and devices, it is also necessary to ensure the spatiotemporal consistence of the computing and services. In other words, a transaction in IoT also requires the au-

Guntur Dharma Putra,Volkan Dedeoglu,Salil S Kanhere,Raja Jurdak,Aleksandar Ignjatovic

DOI: https://doi.org/10.48550/arXiv.2104.00832

2021-04-02

Abstract:Authorization or access control limits the actions a user may perform on a computer system, based on predetermined access control policies, thus preventing access by illegitimate actors. Access control for the Internet of Things (IoT) should be tailored to take inherent IoT network scale and device resource constraints into consideration. However, common authorization systems in IoT employ conventional schemes, which suffer from overheads and centralization. Recent research trends suggest that blockchain has the potential to tackle the issues of access control in IoT. However, proposed solutions overlook the importance of building dynamic and flexible access control mechanisms. In this paper, we design a decentralized attribute-based access control mechanism with an auxiliary Trust and Reputation System (TRS) for IoT authorization. Our system progressively quantifies the trust and reputation scores of each node in the network and incorporates the scores into the access control mechanism to achieve dynamic and flexible access control. We design our system to run on a public blockchain, but we separate the storage of sensitive information, such as user's attributes, to private sidechains for privacy preservation. We implement our solution in a public Rinkeby Ethereum test-network interconnected with a lab-scale testbed. Our evaluations consider various performance metrics to highlight the applicability of our solution for IoT contexts.

Cryptography and Security

Wenxin Lei,Zhibo Pang,Hong Wen,Wenjing Hou,Wen Li

DOI: https://doi.org/10.1109/tii.2023.3321106

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:As security issues facing the industrial Internet of Things (IIoT) continue to emerge, industrial organizations are working to further improve the security system. Zero trust (ZT) is seen as the future of industrial security, with a rising voice, but currently, no concrete implementation technique is available. In this article, we start with the requirements of ZT security and attempt to design a ZT technical framework applicable to wireless IIoT. Specifically, a three-step ZT security framework is proposed that builds on the benefits of physical-layer security to enhance ZT in IIoT. Security zone formation is done first, which then facilitates a trusted environment for subsequent device authentication and cryptographic negotiation. By integrating physical-layer security, several promising techniques, including artificial noise, physical fingerprint, and key distribution, are well designed to accomplish the proposed framework. Our analysis reveals that the proposed framework and the designed particular implementation techniques are feasible to enhance ZT security in wireless IIoT.

Junhui Zhao,Huanhuan Hu,Fanwei Huang,Yingxuan Guo,Longxia Liao

DOI: https://doi.org/10.3390/electronics12081812

IF: 2.9

2023-04-12

Electronics

Abstract:This paper mainly summarizes three aspects of information security: Internet of Things (IoT) authentication technology, Internet of Vehicles (IoV) trust management, and IoV privacy protection. Firstly, in an industrial IoT environment, when a user wants to securely access data from IoT sensors in real-time, they may face network attacks due to the data being transmitted through an open channel. In order to solve this problem, we innovatively propose a user and device authentication model integrated with cloud computing, introduce an algorithm related to protocol design, and summarize the research direction of developing a more lightweight algorithm when designing security protocols in the future. Secondly, for mobile IoT applications, such as IoV, information collection and distribution is realized by establishing a network between vehicles and infrastructure. IoV will face security threats such as information insecurity and privacy disclosure. We introduce a typical trust management model for the IoV, which solves the problem of information unreliability by storing vehicle trust values. In the future, we are committed to making the process of computing node credibility using a trust model more robust. Finally, aiming at the privacy protection of the IoV, we propose a cross-domain anonymous authentication system model based on blockchain. The user's auxiliary authentication information is stored in the blockchain, and the auxiliary authentication information of any registered user can be obtained from the blockchain. The privacy protection of cross-domain authentication can be realized through anonymous authentication, which greatly saves the communication cost of cross-domain authentication. In the future, we will try to use deep learning or federated learning to integrate with blockchain for actual deployment.

engineering, electrical & electronic,computer science, information systems,physics, applied

Christos-Minas Mathas,Costas Vassilakis,Nicholas Kolokotronis

DOI: https://doi.org/10.1109/SERVICES48979.2020.00047

2021-09-04

Abstract:In modern internet-scale computing, interaction between a large number of parties that are not known a-priori is predominant, with each party functioning both as a provider and consumer of services and information. In such an environment, traditional access control mechanisms face considerable limitations, since granting appropriate authorizations to each distinct party is infeasible both due to the high number of grantees and the dynamic nature of interactions. Trust management has emerged as a solution to this issue, offering aids towards the automated verification of actions against security policies. In this paper, we present a trust- and risk-based approach to security, which considers status, behavior and associated risk aspects in the trust computation process, while additionally it captures user-to-user trust relationships which are propagated to the device level, through user-to-device ownership links.

Cryptography and Security

Daojing He,Yanchang Cai,Shanshan Zhu,Ziming Zhao,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/twc.2023.3257028

IF: 10.4

2023-01-01

IEEE Transactions on Wireless Communications

Abstract:The number of IoT devices is growing rapidly, and the interaction between devices and servers is also more frequent. However, IoT devices are often at the edge of the network, which leads their communications with the server to be completely exposed, making it more vulnerable to attacks. Moreover, IoT devices have limited energy and computational resources. Therefore, we propose in this paper a lightweight authentication and key exchange protocol with anonymity for IoT devices. The proposed scheme supports mutual authentication between IoT devices and the server. We verify the security of the protocol through formal and informal analyses. Finally, we compare security and performance with other protocols, which shows that our protocol has the advantages of being lightweight and secure.

Sameh Zakhary,Thomas Lodge,Derek McAuley

DOI: https://doi.org/10.48550/arXiv.2207.08482

2022-07-18

Networking and Internet Architecture

Abstract:Most of the existing models for deploying IoT ecosystem involves the vendor being in the loop of the command and control of IoT devices hence users' privacy and security is one of the main challenges. Despite these concerns, users are often faced with a choice between limiting the device functionality or enabling internet access to the IoT devices by signing up to the vendor centralized model in order to access their device from outside their home. In this paper, we argue that although IoT is promising a revolutionary way of offering services to users, most of these devices shouldn't be allowed to have Internet access due to the increased risks to privacy and security. We present an alternative home networking design model which limits the exposure of IoT devices, and enable seamless access to their functionality from outside the home using WireGuard (WG), a state-of-the-art Virtual Private Network (VPN) protocol. We built a test-bed using off-the-shelf IoT devices for testing our proposed network design under various conditions; including access from Home, 4G, Office and Public Wifi networks. We show that our VPN-based remote access to the IoT device offers a better performance in terms of end-to-end delay in all scenarios when using Hypertext Transport Protocol (HTTP) and comparable performance when using double encryption Hypertext Transport Protocol Secure (HTTPS) over the VPN.

Wenyi Liu,Zheng Zhang,Xu Qiao,Yuanzhang Li,Yu-an Tan,Weizhi Meng

DOI: https://doi.org/10.1145/3672200.3673874

2024-01-01

Abstract:With the rapid expansion of network scale and the increasing complexity of network infrastructure, network boundaries have gradually blurred, traditional bound-based security models have gradually become ineffective to new application environment. In the literature, zero trust security model implements continuous verification and dynamic authorization for all access requests based on multi-dimensional factors such as the identity of the access subject. To safeguard against untrusted software and vulnerabilities, it is crucial to employ diverse technologies to protect software integrity and ensure system safety. This paper focuses on the research of software integrity authentication for the zero trust network. We create a master-slave collaboration environment of host and SSD in the zero trust network, where the host CPU is the dominant CPU and the SSD CPU is the slave CPU. We then design a software integrity authentication protocol for this zero trust architecture. The protocol does not require any hardware assistance and our experimental results show that it can defend against attacks through checksum correctness and verification-time validity.

Omair Faraj,David Megías,Joaquin Garcia-Alfaro

2023-04-29

Abstract:The Internet of Things (IoT) is integrating the Internet and smart devices in almost every domain such as home automation, e-healthcare systems, vehicular networks, industrial control and military applications. In these sectors, sensory data, which is collected from multiple sources and managed through intermediate processing by multiple nodes, is used for decision-making processes. Ensuring data integrity and keeping track of data provenance is a core requirement in such a highly dynamic context, since data provenance is an important tool for the assurance of data trustworthiness. Dealing with such requirements is challenging due to the limited computational and energy resources in IoT networks. This requires addressing several challenges such as processing overhead, secure provenance, bandwidth consumption and storage efficiency. In this paper, we propose ZIRCON, a novel zero-watermarking approach to establish end-to-end data trustworthiness in an IoT network. In ZIRCON, provenance information is stored in a tamper-proof centralized network database through watermarks, generated at source node before transmission. We provide an extensive security analysis showing the resilience of our scheme against passive and active attacks. We also compare our scheme with existing works based on performance metrics such as computational time, energy utilization and cost analysis. The results show that ZIRCON is robust against several attacks, lightweight, storage efficient, and better in energy utilization and bandwidth consumption, compared to prior art.

Cryptography and Security

Xu Chen,Wei Feng,Ning Ge,Yan Zhang

DOI: https://doi.org/10.1109/mnet.2023.3326356

IF: 10.294

2023-01-01

IEEE Network

Abstract:The upcoming sixth generation (6G) network is expected to be more open and heterogeneous, posing new challenges to conventional security architectures. Traditionally, these architectures rely on the construction of a security perimeter at network boundaries. In this article, we propose a software-defined zero trust architecture (ZTA) for 6G networks, offering a promising approach to establish an elastic and scalable security regime. Our proposed architecture ensures secure access control through adaptive collaborations among control domains, effectively mitigating malicious access behaviors like distributed denial of service (DDoS) attacks, malware spread, and zero-day exploits. We also highlight key design aspects of this architecture and present simulation results from a case study that demonstrate the effectiveness and robustness of ZTA for 6G. Finally, we discuss open issues that warrant further exploration to promote and enhance this novel architecture.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture