Design and Implementation of Secure OTP Generation for IoT Devices

Size: px

Start display at page:

Download "Design and Implementation of Secure OTP Generation for IoT Devices"

Regina Mildred Hancock
6 years ago
Views:

1 , pp Design and Implementation of Secure OTP Generation for IoT Devices Young-Sae Kim 1 and Jeong-Nyeo Kim 1 1 Electronics and Telecommunications Research Institute (ETRI), Daejeon, Rep. Of Korea {vincent, jnkim}@etri.re.kr Abstract. This paper presents a secure design and implementation of a One Time Password (OTP) generation scheme with an OTP generation engine based on Mobile Trusted Module (MTM). In order to make security enhancement of IoT services as well as that of IoT devices, we integrate a hardware-based OTP generation engine into the MTM and design a new OTP generation procedure interacting with the OTP generation engine. The new design is implemented and verified on our prototype IoT device with the MTM. As a result, it is shown that the proposed architecture provides an efficient security solution suitable for IoT devices and services Keywords: OTP, IoT, MTM, security 1 Introduction Security in the IoT environment can be variously approached from a technical point of view [1]. However, considering the basic configuration of IoT that a person, a device, and a service are connected, the security of the device and that of the service are key technologies for IoT security. Therefore, it is indispensable and essential to protect IoT devices from security threats, to keep the devices safe, and to guarantee the security of the device. And security-enhanced user authentication should be applied to make IoT services more secure. In the field of device security various technologies have been studied such as secure SE [2], MTM [3] and so on. In the field of service security, OTP authentication technology is used as a strong authentication method in secure user authentication [4, 5]. However, it is difficult to apply current security technologies to IoT environment. Therefore, it is necessary to study security technology that can provide security suitable for IoT environment. In this paper, we have developed and verified the OTP generation scheme based on MTM, which is a kind of security technology suitable for the IoT environment. This paper is organized as follows. Section 2 describes related works and security issues related to IoT, and Section 3 shows the proposed design of the OTP generation engine and application. In Section 4, the implementation and verification results are reported. Finally, conclusions are presented in Section 5. ISSN: ASTL Copyright 2017 SERSC

2 2 Related Works 2.1 IoT Security With the growth of IoT, security threats such as security vulnerabilities, privacy, forgery, hacking, and malfunction are growing in parallel. In general, IoT technology includes various element technologies such as sensing, data processing, networking, and low-power consumption. However, considering that the security threats can cause economic losses, social infrastructure paralysis, and even personal threats, security technology should also be developed as a component technology for IoT and various researches related to IoT security are being carried out [6-8]. Therefore, for IoT devices, especially client devices for IoT services like smart phones, it is essential to develop security technologies dedicated to IoT services such as data protection, user authentication for service use, access control, and so on. 2.2 MTM The MTM is a kind of chip which is installed in mobile devices such as smart phones to provide Root of Trust and to guarantee the device integrity based on the hardwarebased security such as secure storage and cryptographic primitives [3]. TCG standardizes the mobile-specific and hardware-based security module that can solve security problems such as user authentication, platform authentication, device authentication and data protection for mobile devices or embedded systems. 2.3 OTP Authentication With the increase of user authentication service and that of attacks to the traditional authentication method, the need for improved security of user authentication method grows. Traditional static password authentication methods are widely used due to their convenience. However, they often suffer from attacks as eavesdropping, replay, guessing and so on. As a way to free from any of them, OTP authentication service is usually adopted to support 2-factor authentication for various fields such as financial, portal, game and so on [4, 5]. One-time password authentication, by default, requires a user-side OTP generator, called token, for the generation of dynamic passwords. Recently, the OTP generation in mobile devices is being increasingly used as a way to facilitate OTP authentication without dedicated OTP hardware token. This is referred to as mobile OTP token. However, the mobile OTP usually is an application implemented by software in a mobile terminal. That is why there is a possibility in which important information or the OTP value is hacked by an external attack for generating a mobile OTP. In this paper, we propose an MTM-based OTP generator, which is a new OTP generation technology that solves the problems of existing mobile OTP technology and provides security for IoT devices. 76 Copyright 2017 SERSC

3 3 Design This section describes the design of the MTM-based OTP engine, which is the core module of the proposed OTP generator. In order to provide secure service the proposed OTP generator constructs a secure device environment through MTM which provides integrity functions and various security functions for the IoT client devices and adds an OTP generation engine to MTM for secure user authentication. It is a hardware-based security technology that does not depend on the software platform of the device, so it is easy to apply to various kinds of client devices in numerous IoT services. 3.1 OTP Generation Engine As described in section 2, MTM provides integrity assurance, secure storage, and various encryption functions based on hardware security. In general, MTM is implemented as a chip and mounted on a mobile device. The proposed architecture of the MTM is shown in Fig. 1. The MTM shown in Figure 1 is an expanded MTM with a security service engine in addition to the basic function engines of the MTM. The security service engine includes an OTP generation engine. Although the OTP generation engine is separate from the MTM function, the hash function required for OTP generation uses a cryptographic processor and the seed to be safely stored for OTP generation is designed to use a secure storage function in Flash memory. It has the advantage that the OTP generation engine can be implemented by utilizing the resources of the MTM chip without supplement of resources. Fig. 1. Proposed architecture for the MTM Copyright 2017 SERSC 77

3.2 OTP Generation Application To generate an OTP value based on the expanded MTM with the OTP generation engine, the OTP generation application on the device is designed as shown in Fig. 2.

4 3.2 OTP Generation Application To generate an OTP value based on the expanded MTM with the OTP generation engine, the OTP generation application on the device is designed as shown in Fig. 2. There are four main functional blocks: MTM-based OTP generation engine, OTP generation API (Application Programming Interface), OTP management API, and user interface. In the OTP generation process the application on the device only plays the role of showing the OTP generation request and the generated OTP value to the user. In practice, the creation of the OTP value and the storage of the important data are performed on the independent hardware MTM. As a result, it is possible to generate OTP securely. Fig. 2. Procedure design of the OTP Application 4 Implementation and Verification The MTM-based OTP generation engine is implemented in the proposed MTM chip. Then, the OTP generation application is implemented on an IoT client device with the MTM chip. This section describes the implementation and test results of the OTP generation. 4.1 Implementation Fist, the implementation of MTM chip uses smart card IC which is verified and used for various security products. Second, a mobile device based on Android OS was made as a prototype for an IoT client device embedded with the MTM chip. Finally, the OTP generation function is performed in conjunction with the MTM chip at application level. Table 1 summarizes the features of the implemented MTM chip and Fig. 3. shows the prototype IoT device with the MTM chip. 78 Copyright 2017 SERSC

Table 1. MTM chip features Parameter Size Chip Core I/O Interface Value 3.2mm x 2.9mm Smart Card IC UART Fig. 3. Prototype of the implemented IoT device 4.

Since the reference application is implemented by software only, it is modified according to the design of the hardware-based OTP generation so that the OTP generation

5 Table 1. MTM chip features Parameter Size Chip Core I/O Interface Value 3.2mm x 2.9mm Smart Card IC UART Fig. 3. Prototype of the implemented IoT device 4.2 Verification To verify the MTM-based OTP generation function, a reference OTP application and an OTP authentication server provided for OTP verification are utilized [9]. Since the reference application is implemented by software only, it is modified according to the design of the hardware-based OTP generation so that the OTP generation function and the important data storage function can be performed in conjunction with the OTP generation engine of the MTM. Fig. 4. Verification procedure of OTP generation Copyright 2017 SERSC 79

6 Fig.4 shows the verification procedure in which the generated OTP value from the modified OTP generation app on the prototype device with MTM is verified at the authentication server. 5 Conclusion This paper presents the design and implementation of an efficient OTP generation engine for IoT client devices that requires both the security of devices and that of services. For the purpose, each of the MTM and the OTP generation app is modified in order to add a novel hardware-based OTP engine to the MTM and to design the OTP generation app interworking with the expanded MTM. We also present a new procedure to implement the hardware/software co-design of OTP generation in IoT devices. The results of implementation and verification show that the proposed architecture contributes a good solution to practical implementation of the OTP authentication for IoT security. Acknowledgments. This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No , Development of Operating System Security Core Technology for the Smart Lightweight IoT Devices) References 1. ITU.: The Internet of Things. Internet Reports, (2005). 2. J. Guaus, L. Kanniainen, P. Koistinen, P. Laaksonen, K. Murphy, J. Remes, N. Taylor and O. Welin, Best Practice for Mobile Financial Services: Enrolment Business Model Analysis. Mobey Forum Mobile Financial Services Ltd., Helsinki, (2008). 3. M. Kim, H. Ju, Y. Kim, J. Park and Y. Park, Design and implementation of mobile trusted module for trusted mobile computing, IEEE Transactions on Consumer Electronics, vol. 56, no. 8, (2010), pp N. Haller, C. Metz, P. Nesser and M. Straw, A One-Time Password system, IETF RFC 2289, (1998). 5. ITU-T.: Management framework of a one time password-based authentication service. Recommendation X.1153, (2011). 6. R. H. Weber, Internet of things - new security and privacy challenges, Computer Law & Security Review, vol. 26, (2010), pp D. Gessner, A. Olivereau, A. S. Segura and A. Serbanati, A.: Trustworthy Infrastructure Services for a Secure and Privacy-respecting Internet of Things. In: Proceedings of IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp (2012) 8. Keoh, S., Kumar, S., Tschofenig, H.: Securing the internet of things: A standardization perspective. In: IEEE Internet of Things Journal, Vol. 1, No. 3, pp (2014) 9. Mobile OTP project, 80 Copyright 2017 SERSC

The Design and Implementation of a BLE-based WebD2D Service for Android Smartphone

, pp.1-5 http://dx.doi.org/10.14257/astl.2017.146.01 The Design and Implementation of a BLE-based WebD2D Service for Android Smartphone Do-Hyung Kim 1, Seok-Jin Yoon 1, Hyung-Seok Lee 1 and Jae-Ho Lee