Mališa Vučinić
PhD, November 2015
Tuesday 17 November 2015
Our research explores the intersection of academic, industrial and standardization spheres to enable secure and energy-efficient Internet of Things. We study standards-based security solutions bottom-up and first observe that hardware accelerated cryptography is a necessity for Internet of Things devices, as it leads to reductions in computational time, as much as two orders of magnitude. Overhead of the cryptographic primitives is, however, only one of the factors that influences the overall performance in the networking context. To understand the energy-security tradeoffs, we evaluate the effect of link-layer security features on the performance of Wireless Sensors Networks. We show that for practical applications and implementations, link-layer security features introduce a negligible degradation on the order of a couple of percent, that is often acceptable even for the most energy-constrained systems, such as those based on harvesting.
Because link-layer security puts trust on each node on the communication path consisted of multiple, potentially compromised devices, we protect the information flows by end-to-end security mechanisms. We therefore consider Datagram Transport Layer Security (DTLS) protocol, the IETF standard for end-to-end security in the Internet of Things and contribute to the debate in both the standardization and research communities on the applicability of DTLS to constrained environments. We provide a thorough performance evaluation of DTLS in different duty-cycled networks through real-world experimentation, emulation and analysis. Our results demonstrate surprisingly poor performance of DTLS in networks where energy efficiency is paramount. Because a DTLS client and a server exchange many signaling packets, the DTLS handshake takes between a handful of seconds and several tens of seconds, with similar results for different duty cycling protocols.
But apart from its performance issues, DTLS was designed for point-to-point communication dominant in the traditional Internet. The novel Constrained Application Protocol (CoAP) was tailored for constrained devices by facilitating asynchronous application traffic, group communication and absolute need for caching. The security architecture based on DTLS is, however, not able to keep up and advanced features of CoAP simply become futile when used in conjunction with DTLS. We propose an architecture that leverages the security concepts both from content-centric and traditional connection-oriented approaches. We rely on secure channels established by means of DTLS for key exchange, but we get rid of the notion of “state” among communicating entities by leveraging the concept of object security. We provide a mechanism to protect from replay attacks by coupling the capability-based access control with network communication and CoAP header. OSCAR, our object-based security architecture, intrinsically supports caching and multicast, and does not affect the radio duty-cycling operation of constrained devices. Ideas from OSCAR have already found their way towards the Internet standards and are heavily discussed as potential solutions for standardization.
Keywords: Internet of Things, Wireless Sensor Network, security, performance, object security.