Han Zhang,Qian Wang,Xiaoli Zhang,Yi He,Bo Tang,Qi Li

DOI: https://doi.org/10.1109/mcom.001.2300390

IF: 9.03

2024-01-01

IEEE Communications Magazine

Abstract:Internet of things (IoT) networks allow cross-device interactions to achieve various intelligent applications, for example, smart homes and smart commercial spaces. However, cross-device interactions are often protected by inadequate authorization mechanisms, making them susceptible to various attacks, including connection-based attacks, application impersonation attacks, and so on. In this article, we propose a zero-trust IoT network architecture, OUTSIDE, designed to provide fine-grained authorization for IoT applications. It achieves the application-level authorization at the network layer by encoding the capability information of applications into verifiable tokens. Meanwhile, it enables a zero-trust service for per-packet verification, ensuring that every packet is sent by an authorized application with proper access privileges. Particularly, our architecture is versatile and compatible with various IoT protocols. We prototype and deploy OUTSIDE in Raspberry Pis and ESP32 microcontrollers running over the constrained application protocol (CoAP). The experimental results show that our architecture incurs negligible performance degradation.

Siwei Li,Hui Zhang,Hui Shi,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/s11227-024-06262-y

IF: 3.3

2024-06-04

The Journal of Supercomputing

Abstract:The distributed authentication of a large number of resource-constrained power terminal devices (PTDs) is crucial for ensuring the security of the power IoT communication. However, existing solutions are inadequate in terms of security (such as vulnerability to single point failures or insider attacks) and communication costs, which do not meet the requirements of the power IoT environment. Therefore, we propose a zero-trust-based mutual authentication scheme in cloud-edge-end collaboration power IoT environment based on blockchain technology. The proposed solution involves deploying a distributed multi-point zero-trust engine around dense PTDs to collect real-time identity information. Through the maintenance of an alliance blockchain, the edge server securely shares and traces identity information, preventing tampering and effectively blocking threats related to lost terminals during authentication. Additionally, a lightweight ECC key management scheme ensures the security of authentication information. The proposed scheme effectively defends against common attacks such as replay attacks and identity forgery attacks through informal security analysis, while its security is evaluated using the Canetti and Krawczyk (CK) adversary models. Performance evaluation results demonstrate that the proposed scheme achieves effectiveness without the compromising required security attributes, which obtains up to 58% improvement 58% improvement in computation delay and a 56.9% improvement in communication costs over previous state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Fenhua Bai,Zikang Wang,Kai Zeng,Chi Zhang,Tao Shen,Xiaohui Zhang,Bei Gong

DOI: https://doi.org/10.1016/j.cose.2024.104136

IF: 5.105

2024-09-29

Computers & Security

Abstract:With the widespread adoption of Internet of Things (IoT) devices, remote attestation is crucial for ensuring their security. However, current schemes that require a central verifier or interactive approaches are expensive and inefficient for collaborative autonomous systems. Furthermore, the security of the software state cannot be guaranteed before or between successive attestations, leaving devices vulnerable to Time-Of-Check-Time-Of-Use (TOCTOU) attacks, as well as confidentiality issues arising from pre-sharing software information with the verifier. Therefore, we propose the Secure mutual Attestation against TOCTOU Zero-Knowledge proof based for IoT devices (ZKSA), which allows devices to mutually attest without a central verifier, and the attestation result is transparent while preserving confidentiality. We implement a ZKSA prototype on a Raspberry Pi 3B, demonstrating its feasibility and security. Even if malware is removed before the next attestation, it will be detected and the detection time is typically constant. Simulations show that compared to other schemes for mutual attestation, such as DIAT and CFRV, ZKSA exhibits scalability. When the prover attests to numerous verifier devices, ZKSA reduces the verification time from linear to constant.

computer science, information systems

Syed W. Shah,Naeem F. Syed,Arash Shaghaghi,Adnan Anwar,Zubair Baig,Robin Doss

DOI: https://doi.org/10.48550/arXiv.2010.05144

2020-10-11

Abstract:Continuous Authentication (CA) has been proposed as a potential solution to counter complex cybersecurity attacks that exploit conventional static authentication mechanisms that authenticate users only at an ingress point. However, widely researched human user characteristics-based CA mechanisms cannot be extended to continuously authenticate Internet of Things (IoT) devices. The challenges are exacerbated with increased adoption of device-to-device (d2d) communication in critical infrastructures. Existing d2d authentication protocols proposed in the literature are either prone to subversion or are computationally infeasible to be deployed on constrained IoT devices. In view of these challenges, we propose a novel, lightweight, and secure CA protocol that leverages communication channel properties and a tunable mathematical function to generate dynamically changing session keys. Our preliminary informal protocol analysis suggests that the proposed protocol is resistant to known attack vectors and thus has strong potential for deployment in securing critical and resource-constrained d2d communication.

Cryptography and Security

Peiyong Cong,Zhenhu Ning,Fei Xue,Haifeng Liu,Kechao Xu,Haibo Li

DOI: https://doi.org/10.1504/ijwmc.2017.10005966

2017-01-01

International Journal of Wireless and Mobile Computing

Abstract:Traditional methods of attestation cannot prevent the access of malicious nodes. In this paper, based on trusted connection architecture TCA, trusted network connection of TCA-IOT oriented to perception layer is supported to achieve mutual identity authentication and mutual integrity of platform between access point of centre of IOT and sensing nodes (sensing nodes, cluster node and sink node) and achieve the attestation of behaviours of sensing network.

Wei Ren,Ruoting Xiong,Yizhi Liu,G. Min,Tianqing Zhu,Xiaohan Hao,K. Choo

DOI: https://doi.org/10.1109/TC.2022.3157996

IF: 3.183

2023-02-01

IEEE Transactions on Computers

Abstract:Internet-of-Things (IoT) are increasingly operating in the zero-trust environments where any devices and systems may be compromised and hence untrusted. In addition, data collected by and sent from IoT devices may be shared with and processed by edge computing systems, in order to reduce the reliance on centralized (cloud) servers, leading to further security and privacy issues. To cope with these challenges, this paper proposes an innovative blockchain-enabled information sharing solution in zero-trust context to guarantee anonymity yet entity authentication, data privacy yet data trustworthiness, and participant stimulation yet fairness. This new solution is able to support filtering of fabricated information through smart contracts, effective voting, and consensus mechanisms, which can prevent unauthenticated participants from sharing garbage information. We also prove that the proposed solution is secure in the universal composability framework, and further evaluate its performance over an Ethereum-based blockchain platform to demonstrate its utility.

Computer Science,Engineering

Jie Cai,Han Jiang,Qiuliang Xu,Guangshi Lv,Minghao Zhao,Hao Wang

DOI: https://doi.org/10.1007/978-3-030-02744-5_10

2018-01-01

Abstract:In recent years, IoT devices have been widely used in the newly-emerging technologized such as crowd-censoring and smart city. Authentication among each IoT node plays a central role in secure communications. Generally, zero-knowledge identification scheme enables one party to authenticate himself without disclosing any additional information. However, a zero-knowledge based protocol normally involves heavily computational or interactive overhead, which is unaffordable for lightweight IoT devices. In this paper, we propose a modified zero-knowledge identification scheme based on that of Silva, Cayrel and Lindner (SCL, for short). The security of our scheme relies on the existence of a commitment scheme and on the hardness of ISIS problem (i.e., a hardness assumption that can be reduced to worst-case lattice problems). We present the detail construction and security proof in this paper.

Xinyin Xiang,Jin Cao,Weiguo Fan

DOI: https://doi.org/10.1109/jsyst.2020.3040739

IF: 4.802

2021-09-01

IEEE Systems Journal

Abstract:Trusted data transmission is the foundation of the Internet of Things (IoT) security, so in the process of data transmission, the trust of IoT nodes needs to be confirmed in real time, and the real-time tracking of node trust is also expected. Yet, modern IoT devices provide limited security capabilities, forming a new attack focus. Remote attestation is a kind of technology to detect network threats by remotely checking the internal situation of terminal devices by a trusted entity. Multidevice attestation is rarely studied although the ongoing single device attestation techniques lack scalability in the application of IoT. In this article, we present a lightweight attestation protocol based on an IoT system under an ideal physical unclonable functions environment. Our protocol can resilient against any strong adversary who physically accesses IoT devices. Simulation results show that our protocol is scalable and can be applied to dynamic networks.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Hsiao-Ling Wu,Chin-Chen Chang,Yao-Zhu Zheng,Long-Sheng Chen,Chih-Cheng Chen

DOI: https://doi.org/10.3390/s20195604

IF: 3.9

2020-09-30

Sensors

Abstract:The Internet of Things (IoT) is currently the most popular field in communication and information techniques. However, designing a secure and reliable authentication scheme for IoT-based architectures is still a challenge. In 2019, Zhou et al. showed that schemes pro-posed by Amin et al. and Maitra et al. are vulnerable to off-line guessing attacks, user tracking attacks, etc. On this basis, a lightweight authentication scheme based on IoT is proposed, and an authentication scheme based on IoT is proposed, which can resist various types of attacks and realize key security features such as user audit, mutual authentication, and session security. However, we found weaknesses in the scheme upon evaluation. Hence, we proposed an enhanced scheme based on their mechanism, thus achieving the security requirements and resisting well-known attacks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Mengru Tsai,Shanhsin Lee,Shiuhpyng Winston Shieh

DOI: https://doi.org/10.1109/tr.2023.3345665

IF: 5.883

2024-03-09

IEEE Transactions on Reliability

Abstract:In recent years, due to the impact of the COVID-19 pandemic, enterprises have been forced to adapt their operation patterns to ensure resilience, transitioning from traditional office-based work to remote work from home. However, this sudden and unforeseen change has made enterprises unprepared, resulting in a dramatic increase in cybersecurity threats. The most significant challenge arises from the adjustment from working in previously trusted areas to that beyond the boundaries of protection. While employees used to work within the company's defense perimeter, malicious attacks were blocked and detected by boundary security gateways. Shifting to remote work moves employees out of the protective environment, thereby their devices connecting to the internal resources of a company become exploitable targets for threat actors, and weaknesses in the internal authentication, authorization, and access control mechanisms become evident. The zero trust architecture (ZTA) approach is primarily focused on resource protection. When users or services attempt to access resources, ZTA requires precise authentication, minimal authorization, and continuous verification (trust inference) to ensure legitimacy and authorization of the resource usage, eliminating any space for assumed or inherited trust. In this article, we will address the challenges in handling the threats and propose the strategies, implementation, and limitation of ZTA, aiming to shed light on its effectiveness and applicability in mitigating cybersecurity risks.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Yuanhang He,Daochao Huang,Lei Chen,Yi Ni,Xiangjie Ma

DOI: https://doi.org/10.1155/2022/6476274

2022-06-16

Wireless Communications and Mobile Computing

Abstract:The traditional perimeter-based network protection model cannot adapt to the development of current technology. Zero trust is a new type of network security model, which is based on the concept of never trust and always verify. Whether the access subject is in the internal network or the external network, it needs to be authenticated to access resources. The zero trust model has received extensive attention in research and practice because it can meet the new network security requirements. However, the application of zero trust is still in its infancy, and enterprises, organizations, and individuals are not fully aware of the advantages and disadvantages of zero trust, which greatly hinders the application of zero trust. This paper introduces the existing zero trust architecture and analyzes the core technologies including identity authentication, access control, and trust assessment, which are mainly relied on in the zero trust architecture. The main solutions under each technology are compared and analyzed to summarize the advantages and disadvantages, as well as the current challenges and future research trends. Our goal is to provide support for the research and application of future zero trust architectures.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianhua Li,Jiong Jin,Lingjuan Lyu,Dong Yuan,Yingying Yang,Longxiang Gao,Chao Shen

DOI: https://doi.org/10.48550/arXiv.2011.06325

2020-11-12

Abstract:Numerous resource-limited smart objects (SOs) such as sensors and actuators have been widely deployed in smart environments, opening new attack surfaces to intruders. The severe security flaw discourages the adoption of the Internet of things in smart living. In this paper, we leverage fog computing and microservice to push certificate authority (CA) functions to the proximity of data sources. Through which, we can minimize attack surfaces and authentication latency, and result in a fast and scalable scheme in authenticating a large volume of resource-limited devices. Then, we design lightweight protocols to implement the scheme, where both a high level of security and low computation workloads on SO (no bilinear pairing requirement on the client-side) is accomplished. Evaluations demonstrate the efficiency and effectiveness of our scheme in handling authentication and registration for a large number of nodes, meanwhile protecting them against various threats to smart living. Finally, we showcase the success of computing intelligence movement towards data sources in handling complicated services.

Cryptography and Security,Networking and Internet Architecture

Jinsong Han,Feng Lin,Wenbo Shen,Kui Ren

DOI: https://doi.org/10.1145/3313294.3313380

2019-01-01

Abstract:We have witnessed a tremendous growth of Internet of Things (IoT) and popularization of IoT devices in past decades, including wireless sensors, smart phones, wearable devices, smart tags, activity trackers, and the like. These devices are widely deployed to enable intelligent computing and services in our daily life, such as the logistics, retailing, healthcare to be used in the smart city. However, trustworthy authentication in IoT becomes a key challenge towards a smooth and rapid development of IoT. According to a survey by Altman Vilandrie & Company [1], due to the lack of authentication and other system protections, small and medium-sized enterprises suffer a losses of up to 13% of their annual revenues from attacks on IoT systems. In the IoT environment, trust also becomes ubiquitous. Merely authenticating individual users or devices is not enough, because collaborative interaction and cooperation among users, devices, and environments are critical in IoT. In such circumstance, information is shared, data is fused, and all elements, including the human, device, and environment, are highly integrated. Thus, the authentication requirement for IoT applications should be characterized as temporally-spatially consistent, human-and-environment-in-the-loop, and continuously trustworthy. Unfortunately, conventional authentication methods failed to meet above demands. The main reasons are as follows. • Existing approaches usually perform authentication on the user and device separately. Meanwhile, there is scarcely seen the authentication carried out in the environment. An attacker can eavesdrop in the communication, counterfeit the authentication tokens or proofs [2], or just simply carry out replaying attacks to impersonate the actual user or device [3]. • Existing authentication systems have little consideration on the spatio-temporal nature of IoT computing and services. Besides the authenticity of data, users, and devices, it is also necessary to ensure the spatiotemporal consistence of the computing and services. In other words, a transaction in IoT also requires the au-

Xinchao Wang,Wei Wang,Cheng Huang,Ping Cao,Youwen Zhu,Qihui Wu

DOI: https://doi.org/10.1109/jsyst.2023.3345370

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:Identity authentication is an essential element for industrial Internet of Things (IIoT), which guarantees secure access control for various devices. Existing authentication schemes face some security threats, including temporary secret leakage attack, key recovery attack, and forgery attack. In this article, we introduce a blockchain-based certificateless conditional anonymous authentication (BCCA) scheme specifically designed for IIoT. To optimize the authentication efficiency, BCCA employs elliptic curve design to avoid the relatively time-consuming bilinear pairing operation. Additionally, we introduce a precomputation strategy, allowing users to prepare essential materials in advance, and one-time verification support for batch signatures is applied, thus reducing authentication latency. To further enhance the security, random verification checksums are employed to counter key recovery attack, and a combination of long-term and short-term secrets is used to mitigate temporary secret leakage attack. Simulation results demonstrate that our scheme has advantages in both security and computational cost.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Wenlong Zhu,Changli Zhou,Linmei Jiang

DOI: https://doi.org/10.3390/electronics13061026

IF: 2.9

2024-03-09

Electronics

Abstract:With the rapid popularization of current Internet of Things (IoT) technology and 5G networks, as well as the continuous updating of new service lifestyles and businesses, the era of big data processing for the IoT has arrived. However, centralizing all data for processing in the cloud can lead to issues such as communication latency and privacy breaches. To solve these problems, edge computing, as a new network architecture close to terminal data sources and supporting low latency services, has gradually emerged. In this context, cloud edge collaborative computing has become an important network architecture. With the changing security requirements and communication methods of cloud edge collaborative network architecture, traditional authentication key agreement protocols are no longer applicable. Therefore, a new IoT authentication and key agreement protocol needs to be designed to solve this problem. This study proposes an IoT accessible solution for cloud edge collaboration. This scheme adopts a chaotic mapping algorithm to achieve efficient authentication. It ensures the anonymity and untraceability of users. Following this, we conducted strict security verification using BAN logic and Scyther tools. Through experimental comparative analysis, the research results show that the protocol performs better than other schemes while ensuring security. This indicates that the protocol can achieve efficient authentication and key negotiation in cloud edge collaborative network architecture, providing a secure and reliable solution for the accessibility of the IoT.

engineering, electrical & electronic,computer science, information systems,physics, applied

Libo Feng,Fei Qiu,Kai Hu,Bei Yu,Junyu Lin,Shaowen Yao

DOI: https://doi.org/10.1016/j.future.2024.04.042

IF: 7.307

2024-04-25

Future Generation Computer Systems

Abstract:Device management in the Industrial Internet of Things (IIoT) is complex, especially in a cross-domain context. Trust identity authentication between cross-domain devices is required when devices work together. Existing identity authentication methods can result in heavy key management overhead or be computationally demanding on the device. In this paper, we propose a cross-domain authentication scheme based on blockchain and certificateless signature that can be suitable for IIoT devices. First, smart contracts are used to complete trusted identity verification of devices, which reduces the computing overhead of IIoT devices. Second, a trust value-based access control method is proposed, which can quickly and timely identify malicious authentication and ensure the normal operation of the authentication system. Finally, the validity and safety of our proposed methods are proven by experiments. The experiment results showed that our methods can meet the needs in terms of IIoT device security and blockchain system output performance, and can achieve cross-domain authentication for IIoT devices.

computer science, theory & methods

Seunghwan Son,Deokkyu Kwon,Sangwoo Lee,Hyeokchan Kwon,Youngho Park

DOI: https://doi.org/10.1109/access.2024.3484522

IF: 3.9

2024-10-29

IEEE Access

Abstract:The sixth generation (6G) is the next generation of wireless communication technology, is not limited to cellular networks but can be used to provide better services in all areas of wireless communication, including vehicles, drones, and smart homes. However, these advancements in 6G technology require further security considerations. In earlier networks, authentication schemes were designed to rely on a secure channel between the core network and access points. The 6G network is an open, distributed network that integrates multiple domains and entities and cannot guarantee secure channels in the network. The 6G network requires a new security authentication scheme that applies the zero-trust model. Therefore, this study proposes a zero-trust authentication scheme with access control for 6G-enabled Internet of Things environments. The scheme uses blockchain technology for mutual authentication in a distributed environment and lightweight attribute-based encryption to ensure dynamic access control and network efficiency. This study compares the proposed authentication method with existing methods and demonstrates that this scheme has better performance and security. To the best of our knowledge, this paper is the first to propose a specific authentication protocol with access control considering the zero-trust model in a 6G environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fei Tong,Xing Chen,Cheng Huang,Yujian Zhang,Xuemin Shen

DOI: https://doi.org/10.1109/JIOT.2022.3229676

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Multidomain Internet of Things (IoT) is faced with serious domain interoperability (DI) and compatibility issues since different intradomain authorization and authentication (A&A) mechanisms are deployed without the consideration of interdomain A&A. This article proposes a blockchain-assisted scheme to achieve flexible intra- and inter-domain A&A simultaneously and seamlessly. Specifically, we first design a contract-based mutual access control agreement on top of a consortium blockchain, where domain managers can manage their access permission without any trusted parties. Based on the agreement, a secure and privacy-preserving authentication protocol is further proposed by tailoring one-out-of-many proof techniques, which enables IoT devices to anonymously access authorized IoT domains. We additionally design a voting-based protocol by using a threshold-based cryptosystem. The protocol allows domain managers to transparently audit resource access with the assistance of the blockchain. Detailed security analysis demonstrates that the proposed scheme achieves the security properties, such as DI, privacy protection, and accountability. Finally, we develop two proof-of-concept prototypes in a physical testbed and virtual machine, respectively, based on an open-source blockchain platform to show our scheme's efficiency in terms of computation and communication overhead.

Yuquan Xiao,Qinghe Du,Wenchi Cheng,Panagiotis D. Diamantoulakis,George K. Karagiannidis

2024-06-04

Abstract:Zero Trust is a new security vision for 6G networks that emphasises the philosophy of never trust and always verify. However, there is a fundamental trade-off between the wireless transmission efficiency and the trust level, which is reflected by the verification interval and its adaptation strategy. More importantly, the mathematical framework to characterise the trust level of the adaptive verification strategy is still missing. Inspired by this vision, we propose a concept called age of trust (AoT) to capture the characteristics of the trust level degrading over time, with the definition of the time elapsed since the last verification of the target user's trust plus the initial age, which depends on the trust level evaluated at that verification. The higher the trust level, the lower the initial age. To evaluate the trust level in the long term, the average AoT is used. We then investigate how to find a compromise between average AoT and wireless transmission efficiency with limited resources. In particular, we address the bi-objective optimization (BOO) problem between average AoT and throughput over a single link with arbitrary service process, where the identity of the receiver is constantly verified, and we devise a periodic verification scheme and a Q-learning-based scheme for constant process and random process, respectively. We also tackle the BOO problem in a multiple random access scenario, where a trust-enhanced frame-slotted ALOHA is designed. Finally, the numerical results show that our proposals can achieve a fair compromise between trust level and wireless transmission efficiency, and thus have a wide application prospect in various zero-trust architectures.

Systems and Control

Ziyi Su,Shiwei Wang,Hongliu Cai,Jiaxuan Huang,Yourong Chen,Xudong Zhang,Muhammad Alam

DOI: https://doi.org/10.3390/electronics13183735

IF: 2.9

2024-09-21

Electronics

Abstract:Current authentication schemes based on zero-knowledge proof (ZKP) still face issues such as high computation costs, low efficiency, and security assurance difficulty. Therefore, we propose a secure and efficient authentication scheme (SEAS) for large-scale IoT devices based on ZKP. In the initialization phase, the trusted authority creates prerequisites for device traceability and system security. Then, we propose a new registration method to ensure device anonymity. In the identity tracing and revocation phase, we revoke the real identity of abnormal devices by decrypting and updating group public keys, avoiding their access and reducing revocation costs. In the authentication phase, we check the arithmetic relationship between blind certificates, proofs, and other random data. We propose a new anonymous batch authentication method to effectively reduce computation costs, enhance authentication efficiency, and guarantee device authentication security. Security analysis and experimental results show that an SEAS can ensure security and effectively reduce verification time and energy costs. Its security and performance exceed existing schemes.

engineering, electrical & electronic,computer science, information systems,physics, applied