Security Embedded CoAP using DTLS for IoT

Transcription

1 Security Embedded CoAP using DTLS for IoT Shravya AR 1, Reshma J 2 1 Department of Computer Science BNM Institute of Technology 2 Department of Computer Science BNM Institute of Technology Abstract - The Internet of Things (IoT) consists of a large number of interconnected devices. These devices perform sensing and actuating tasks. Each of the devices is identified through a unique IPv6 address. The devices are connected to the Internet through which the sensors can be read and controlled. At the application layer, these resource constrained devices communicate using the Constrained Application Protocol (CoAP). Data is transmitted through the public Internet and hence security is a major issue. Hence there is a need for developing a secure version of CoAP Datagram Transport Layer Security (DTLS) protocol can be used to secure CoAP. DTLS security protocol operates at the transport layer. Security is also provided at the application layer using authentication techniques. In this paper security is looked at in two layers, namely application layer and transport layer. Keywords Internet of Things, Constrained Application Protocol, Security, Datagram Transport Layer Security Protocol, IPv6 address. I. INTRODUCTION Internet of Things(IoT) is an environment where every small devices can be connected to each other and then subsequently to the cloud. The devices are given unique identifiers. They are capable of transmitting information without human intervention. A thing in Internet of Things can be as tiny as a sensor. The sensor can be implanted on the human body, or can be buried deep into the soil, or imbibed into an automobile. The things can be assigned a IPv6 address. Once the address is allocated the same can be used to identify the objects and establish communication. Internet of Things was earlier referred to as Machine to Machine(M2M) communication. The term Internet of Things was coined by Kevin Ashton in 1999[1]. The things exposes methods which can be used by other devices to discover, read or write. With IoT every device connected to the Internet is capable of communicating with every other device. The machines interact without any human help and hence there is a need for standard way of communication. The existing IP infrastructure has to be put to best use instead of developing everything from scratch. Billions of addresses are needed and hence Ipv4 address space would not be sufficient. To accommodate more addresses IPv6 was introduced. This gave rise to infinite number of addresses thus solving the problem of assigning unique addresses. The devices in IoT are constrained both with respect to power and network bandwidth and hence an efficient protocol has to be used for communication. HTTP is an existing paradigm at the application layer. There was a need for a light weight HTTP and that is when the Internet Engineering Task Force came up with Constrained application protocol (CoAP). CoAP is suitable for IoT devices as it does not require too much processing power. CoAP is easy to implement on small embedded hardware. CoAP is similar to HTTP and hence can be easily converted from one format to the other. CoAP allows message exchange between power limited resources over constrained networks. The power constrained devices have a very limited configuration with respect to speed and memory. In constrained networks, all the capabilities of a TCP/IP stacks are not available and they also have lower transfer rates. CoAP operates over UDP unlike HTTP. The complex operations provided All Rights Reserved 606

2 TCP such as congestion control, flow control are not provided by UDP. Additional functionalities have to be developed if necessary while using CoAP. CoAP uses request response model very similar to HTTP by using the GET, POST, PUT, DELETE commands. In the networking applications security is not always considered during the design of the product. The users often do not change their passwords once they login to a certain device. The default passwords remain unchanged many a times. IoT devices are directly accessible through the Internet. Confidential data like Company data, financial data, and employee personal data have to be safely transmitted across the Internet. In this paper authentication and authorization, both are taken care. Authentication is performed at the application layer and the authorization at the transport layer. II. RELATED WORK End to end security is very important in IoT as the data exchange between the devices take place through the Internet. The devices under consideration are resource constrained. Hence general E2E security mechanisms are not suitable for such environments. There has been work on analysing security challenges in the IP based IoT[2]. A header compression method is proposed in [3] which secures the data among nodes in a 6LowPAN network. Authentication headers and Encapsulating Security Payload headers are encoded using the Next Header Compression Techniques. Jorge in [4] has extended this solution and has included IPSec in tunnel mode. The proposed method was implemented and evaluated by the author using TinyOS. All the applications that run on a particular machine share the IPsec services. 6LowPAN compression techniques that are previously defined are not suitable for web based protocols such as HTTP or CoAP. The ideal security protocols for web based protocols are TLS and DTLS. TLS works over TCP. But our protocol of concern works on UDP. Hence TLS is not the preferred security protocol. Brachman in [5] proposes a mapping between TLS and DTLS. It required a IPv6 border router. But the point of failure was that there was a security breach at the 6BR and thus was ineffective in providing the E2E security. IPSec can also be used to secure the devices on IoT. As stated in [6] IPsec is a layer 3 protocol which can be used with IPv6. It can secure application and transport layer applications and is an application independent protocol. IPSec is transparent to applications as it is integrated to the kernel. But IPSec has issues with Network Address Translation. Also it requires extra messages to set up security parameters and associations. The paper authored by Kai Zhoa and Lina Ge[7] describes that the security issues in IoT are directly dependent on the applications. It describes the issues on the basis of three layer architecture. The applications have different standards based on the Industrial specifications. Any data that is collected by a sensor is transmitted through wireless networks. Most of the sensor devices are unmanned. Hence the attackers can easily get access to the device. Hence security is the most important issue to be considered. A Systematic approach for IoT Security[8] proposes newer approach for designing a security mechanism. IoT includes a lot of new features and mechanisms that are difficult to secure. The security approach in the above paper considers actors and their interactions with other actors. In IoT objects are spread worldwide. Each object will have a single core identity and multiple temporary identities. Reliability of the source and sink sensors is also an important aspect. Data repositories have to be efficiently managed to guarantee reliability of the data transmitted between the source and the sink. In Construction and Strategies in IoT Security System[9] security is viewed in a different perspective. The features and the systematic structures of IoT are analysed along with the All Rights Reserved 607

3 concerns. Intelligent processing depends on technology used in the devices. The security issues are addressed in different layers: network layer, transport layer, application layer. The newer systems can be designed by incorporating the necessary security features. Imbibing security in existing infrastructure is a challenge. III. BACKGROUND IoT consists of heterogeneous devices. The devices have to be interconnected in a secure and reliable manner. The paper proposes to use the DTLS protocol as the security protocol. The protocol operates between the transport and application layer. At the application layer CoAP protocol is used. Authentication can also be performed at the application layer. A. Constrained Application Protocol (CoAP) CoAP is an application level protocol that operates over UDP. It was designed for the resource constrained devices of IoT. The resource constrained devices have low processing power and memory. CoAP is very similar to HTTP but is slightly modified to suit the resource constrained nature of IoT. Figure 1 represents the CoAP and HTTP stacks. As seen, HTTP and CoAP operate over different protocols at the transport layer. At the network layer HTTP generally operates on a IP based network, whereas the constrained devices in IoT uses a 6LowPAN network. CoAP supports unicast and multicast requests. It has a lower overhead in comparison to HTTP. Message exchanges happen in an asynchronous manner. It operates over the datagram oriented UDP. Reliability can be optionally provided by using certain message formats. A fixed length binary header of 4 bytes is used by CoAP. Optionally there could be additional payload. A compact message ID is assigned to each message that helps in identifying duplicates. Figure 1. HTTP and CoAP stack In order to ensure reliability CON messages are used. A CON message is retransmitted after a certain timeout. The message is retransmitted until the receiver sends out an acknowledgement. If the receiver is not able to process the message then it sends out a Reset(RST) message. If reliable transmission is not needed a NON message can be used. These messages are not acknowledged by the receiver. Reset(RST) is sent from the receiving end if a NON message cannot be processes by it. CoAP messages include a message code and a response code. Responses are sent in a piggy backed fashion. In order to process requests efficiently caching of responses is supported. A cache can be located in any of the intermediate devices or at the end point. Proxying of requests is used to limit network traffic and improve performance. CoAP also offers resource discovery that is needed for M2M interactions. The device will be capable of showing its presence to the other members in the network. This discovery can also be restricted to only a few devices by introducing authentication All Rights Reserved 608

4 B. Datagram Transport Layer Security (DTLS) Transport Layer Security (TLS) was widely used to secure communication networks. It was mainly used to protect web based traffic. But TLS runs over TCP. It is difficult to use TLS in datagram environments as packets may be dropped or reordered. In such a case TLS is incapable of handling such losses. DTLS serves as a solution to this problem. Minimal changes have been done to TLS to serve its purpose in a datagram environment. Messages in TLS have to be transmitted and received in a certain defined order. DTLS solves this problem by adding an explicit sequence number. The DTLS records are in the form of a structure. struct { ContentType type; ProtocolVersion version_number; uint16 epoch_number; uint48 sequence_number; uint16 message_length; opaque fragment [DTLSText.length]; } DTLSText; The epoch_number and sequence_number are the newly added fields in the DTLS structure. Epoch number is a counter that is incremented each time there is a change in the value of the cipher. Sequence_number specifies the sequence number of that particular record. Each DTLS record should fit into a single datagram. Handshakes are performed initially between the sender and receiver systems before establishing communication among them. The handshakes include Hello messages, cipher negotiation messages, certificate messages, key exchange messages and finished messages. Figure 2. DTLS Handshake The Handshake messages are organized in flights. DTLS is a chatty protocol and consists of a number of message exchanges. The handshake messages help in establishing the initial communication setup. It also involves negotiation of cipher, keys, and encryption and compression methods. The handshake messages are also cryptographically processed. The IPv6 datagrams headers can be compressed and the payload can be fragmented. The encodings are capable of compressing the header length to as low as 2 bytes. The compression techniques can only be applied to 6LowPAN networks. By fragmented the payload data sizes can All Rights Reserved 609

5 greatly reduced thus saving space. But fragmenting leads to security issues that needs to be carefully handled. Also more energy is spent in fragmenting the packets thus bringing down the life time of the constrained devices in IoT. IV. PROPOSED METHODOLGY In this paper, both authentication and authorization is taken care. The CoAP and DTLS protocol are combined to form a secure CoAP. Authentication is performed at the application layer by prompting the user for a username and a password. A series of name and password pairs are stored in the database. The steps followed in the design process are as follows. Step 1: Create a CoAP server to host certain files. Step 2: Create a CoAP Client that accesses the server. Step 3: Establish a DTLS client and server socket. Step 4: Create a PEM file. Step 5: Define a JSON for DTLS. Step6: Handle hello messages on each side. Step 7: Frame the handshake messages and exchange them. Step 8: Negotiate a suitable cipher. Step 9: Use the cipher in an encryption/decryption engine. Since DTLS operates above the transport layer, a socket connection is necessary for communication. The active socket listens to the incoming request. The handshake message exchange follows the connection establishment. A PEM file is container that includes a public certificate. The certificates may be self signed or signed by a Certificate Authority. PEM Certificate is base 64 blocks consisting of encoded data. A JSON is defined for DTLS that includes all the parameters like version, type, epoch, sequence number etc. It consists of name value pairs. It is a common exchange format used across the web. After a socket connection is established handshake messages are exchanged and a suitable cipher is negotiated. AES encryption engine can be used to perform the necessary encryption and decryption. On an implementation front any lightweight scripting technique can be used. NodeJS is one such platform that can be used for IoT. It is an event driven programming technique and is also asynchronous in nature. It makes use of callback functions to enable asynchronous execution. V. RESULTS As the first step, CoAP server that is designed is kept up and running. The files on that server are accessible only to authenticated devices. The client can choose between the GET and POST methods. The user name and the password should match the list stored in the database. Figure 3. Initial login The socket connection for DTLS is established. The DTLS client and server communicate through a series of handshakes. The client establishes a new session and sends a client hello message. The server acknowledges the client handshake and verifies the sequence number. It also checks for the validity of the data. Separate handler functions need to be written for client and server so as All Rights Reserved 610

6 handle the client and server handshake messages. The handshakes are appropriately processed on either ends. A cipher suit is then negotiated between the communicating parties. A general key is very huge in size. In our implementation we only choose a subset of the key by applying a random function over the entire key. The coordinates returned by one end is communicated to its peer. The key at the similar coordinate values is selected at the other end. The selected subset of the key is passed to an AES engine. CTR mode of AES encryption is used in this paper. In case of a GET request, client sends a request to the server to fetch a certain file. The file contents are sent in an encrypted form and the same is decrypted at the client end. In the case POST, the client sends the contents in an encrypted form which is decrypted at the server end. Figure 5. Encrypted data V. CONCLUSION Security is a very important factor in the Internet of Things today. With personal data in the air necessary security issues have to be handled accurately to prevent any data modification. CoAP is an application level protocol that is used in the constrained devices. Combining CoAP with DTLS enables us to have a secure CoAP. Both Authentication and Authorization are taken care of in this paper. Authentication is done at the application layer and authorization at the security layer (between application and transport layer). The client is authenticated through a user name and password. Authorization is performed by exchanging handshake messages. Only after this the key exchange takes place. A request can be placed for any type of file : txt, json, etc. AES encryption is used in this paper. Any encrypion engine as per the choice of the developer can be used. REFERENCES T. Heer, O. Garcia-Morchon, R. Hummen, S. Keoh, S. S. Kumar, and K. Wehrle, Security challenges in the IP based internet of things, Wireless Pers. Commun. J., vol. 61, no. 3, pp , S. Raza, S. Duquennoy, A. Chung, D. Yazar, T. Voigt, and U. Roedig Securing communication in 6LoWPAN with compressed IPsec, in Proc. 7th Int. Conf. DCOSS, Barcelona, Spain, Jun pp J. Granjal, E. Monteiro, and J. S. Silva, Network-layer security for the internet of things using TinyOS and BLIP, Int. J. Commun. Syst., 2012, doi: /dac M. Brachmann, S. L. Keoh, O. G. Morchon, and S. S. Kumar, End-to end transport security in the IP-based internet of things, in Proc. 21st ICCCN, Aug. 2012, pp C. Bormann. "Using CoAP with IPSec". Internet-Draft (work in progress draft-bormann-core-ipsec-for-coap-00). Universitaet Bremen TZI, December 06, A Survey on the Internet of Things Security Kai Zhao ; Sch. of Inf. Sci. & Eng., Guangxi Univ. for Nat., Nanning, China ; Lina Ge. 8. A systemic approach for IoT security Arbia Riahi, Yacine Challal, Enrico Natalizio, Zied Chtourou, Abdelmadjid Bouabdallah 9. Construction and Strategies in IoT Security System Quandeng GOU School of Computer Science Neijiang Normal University Neijiang, All Rights Reserved 611