Lightweight Authentication Mechanism for Industrial IoT Environment Combining Elliptic Curve Cryptography and Trusted Token
Abstract
:1. Introduction
- Implementation of an authentication system based on elliptic curve cryptography and tokens to protect IIoT environments better with improved security.
- Faster authentication efficiency compared with related authentication systems.
2. Related Works
2.1. Security of Industrial Internet of Things
2.2. Authentication in IIoT Environment
3. Problem Definition
- (1)
- Register_Server(RS):
- To register the identity of terminal devices with the trusted registration server.
- To generate a JWT for devices that pass the first-stage authentication.
- (2)
- Backend_Data_Analysis_Server (BDAS):
- After the terminal IoT device has registered its identity, it performs a verification of its legitimacy and generates a session key.
- It verifies the legitimacy of the token transmitted by the terminal IoT device to determine whether the power information in the message originates from a legitimate device.
4. Process of the Proposed Authentication Mechanism
- The IoT terminal device registers its identity with the registration server and obtains relevant information.
- The first authentication is performed between the IoT terminal device and the backend data analysis server.
- The backend data analysis server obtains a token from the registration server for data transmission.
- The IoT terminal device and the backend data analysis server use the token obtained in the third step for data transmission.
4.1. Initialization Stage and Identity Registration Stage
- The terminal IoT device sends a request to register its identity with the registration server, and sends the required registration data according to the initialization stage, including EID_ip, EID_port, EID_hostname, and EID_mac_address, to be stored by the registration server.
- The registration server generates a unique temporary ID: for the terminal IoT device, as shown in (1).
- The backend data processing server registers its identity with the registration server by sending BDAS_hostname, BDAS_host_ip, and BDAS_mac_addr.
- The registration server sends to the terminal IoT device.
- The registration server passes and related EID data to the backend data analysis server for the subsequent identity authentication stage.
4.2. Identity Authentication Stage
5. Experiment
5.1. Environment Setup
5.2. Authentication Phase Based on Elliptic Curve Cryptography
5.3. Authentication Phase Based on Trusted Tokens
5.4. Packet Encryption
5.5. Security Analysis
- Replay attack:The authentication system proposed in this paper can prevent replay attacks because the identity authentication between the terminal IoT device and the backend data analysis server includes the verification of the timestamps (TSi, TSs) of both parties. When the timestamp exceeds the expiration period, the system determines that the verification request originates from an illegal device and disconnects the connection. Therefore, even if the attacker replays past messages, it will be unable to send data to the terminal IoT device and backend data analysis server owing to the expiration of the timestamp.
- Eavesdropping attack:In this study, the TLS protocol is used to encrypt the transmitted packets in the data transmission environment. Therefore, from the attacker’s perspective, the attacker cannot know the data inside the packet based on the stolen packet.
- Man-in-the-middle attack:In this study, the TLS protocol is used for packet encryption in data transmission; hence, when an attacker steals the packet, they cannot know the true data transmitted according to the content of the packet. Therefore, the attacker cannot tamper with the data based on the content of the packet. If the user wants to change the encrypted information, namely the token, both the terminal IoT device and the backend data analysis server will check its legitimacy upon receiving it. Therefore, even if the attacker arbitrarily changes the encrypted information, the system will judge it as an illegal message.
- Simulated attack:If the attacker wants to send data to the backend data analysis server through a simulated terminal IoT device, the attacker must obtain the AIDi of the terminal IoT device. However, all AIDi are generated locally on each server and, hence, the attacker cannot obtain the value of AIDi. Even if the attacker can skip the first stage of verification and directly enter the second stage of verification, the attacker cannot obtain the session key and, hence, cannot obtain the token used in the second stage of verification. Moreover, when the backend data analysis server receives the message transmitted by the terminal IoT device, it will first check the legitimacy of the token. Therefore, the attacker cannot directly send data to the backend data analysis server.
- Support for mutual authentication:The definition of mutual authentication is that both parties authenticate each other in the identity authentication protocol. In the first stage of verification, this article uses , , and for identity authentication between the terminal IoT device and the backend data analysis server. In the second stage of verification, the token is used for identity authentication between the terminal IoT device and the backend data analysis server.
- Support for forward secrecy:The definition of forward secrecy is that the leakage of the long-term main key will not lead to the leakage of past session keys. Forward secrecy can protect past communication from the threat of future key exposure. In each verification process herein, a new session key is generated to encrypt the data. Even if the attacker steals the session key of one communication session, it will not affect the confidentiality of other communications in the future.
5.6. Performance Evaluation
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Schwab, K. The Fourth Industrial Revolution; Crown Business: New York, NY, USA, 2017. [Google Scholar]
- Jeschke, S.; Brecher, C.; Meisen, T.; Özdemir, D.; Eschert, T. Industrial internet of things and cyber manufacturing systems. In Industrial Internet of Things; Springer: Cham, Switzerland, 2017; pp. 3–19. [Google Scholar]
- Fovino, I.N.; Carcano, A.; Masera, M.; Trombetta, A. Design and implementation of a secure modbus protocol. In Proceedings of the Critical Infrastructure Protection III: Third Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA, 23–25 March 2009; Revised Selected Papers 3. Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar]
- Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.3; No. rfc8446; 2018; Available online: https://www.rfc-editor.org/rfc/rfc8446 (accessed on 18 April 2023).
- Koblitz, N.; Alfred, M.; Scott, V. The state of elliptic curve cryptography. Des. Codes Cryptogr. 2000, 19, 173–193. [Google Scholar] [CrossRef]
- Jones, M.; John, B.; Nat, S. Json Web Token (JWT); No. rfc7519; 2015; Available online: https://www.rfc-editor.org/rfc/rfc7519.html (accessed on 18 April 2023).
- Milanov, E. The RSA algorithm. RSA Lab. 2009, 1–11. [Google Scholar]
- Mahto, D.; Dilip, K.Y. RSA and ECC: A comparative analysis. Int. J. Appl. Eng. Res. 2017, 9053–9061. [Google Scholar]
- Boobalan, P.; Ramu, S.P.; Pham, Q.; Dev, K.; Pandya, S.; Maddikunta, P.K.R.; Gadekallu, T.R.; Huynh-The, T. Fusion of federated learning and industrial Internet of Things: A survey. Comput. Netw. 2022, 212, 109048. [Google Scholar] [CrossRef]
- Sadhu, P.K.; Venkata, P.Y.; Ahmed, A. Internet of Things: Security and Solutions Survey. Sensors 2022, 22, 7433. [Google Scholar] [CrossRef]
- Ahanger, T.A.; Abdullah, A.; Mohammed, A. State-of-the-art survey of artificial intelligent techniques for IoT security. Comput. Netw. 2022, 206, 108771. [Google Scholar] [CrossRef]
- Sengupta, J.; Sushmita, R.; Sipra, D.B. A comprehensive survey on attacks, security issues and blockchain solutions for IoT and IIoT. J. Netw. Comput. Appl. 2020, 149, 102481. [Google Scholar] [CrossRef]
- Job, D.; Varghese, P. Challenges, security mechanisms, and research areas in iot and iiot. In Internet of Things and Its Applications; Springer: Cham, Switzerland, 2022; pp. 523–538. [Google Scholar]
- Boyer, S.A. Supervisory Control and Data Acquisition, 4th ed.; International Society of Automation: Research Triangle Park, NC, USA, 2009. [Google Scholar]
- Ferrag, M.A.; Maglaras, L. Edge-IIoTset: A new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning. IEEE Access 2022, 10, 40281–40306. [Google Scholar] [CrossRef]
- Atutxa, A.; Astorga, J.; Barcelo, M.; Urbieta, A.; Jacob, E. Improving efficiency and security of IIoT communications using in-network validation of server certificate. Comput. Ind. 2023, 144, 103802. [Google Scholar] [CrossRef]
- Zhou, L.; Huaqun, G.; Gelei, D. A fog computing based approach to DDoS mitigation in IIoT systems. Comput. Secur. 2019, 85, 51–62. [Google Scholar] [CrossRef]
- Rivera, J.J.D.; Khan, T.A.; Akbar, W.; Muhammad, A.; Song, W.-C. Secure enrollment token delivery for Zero Trust networks using blockchain. In Proceedings of the 2022 23rd Asia-Pacific Network Operations and Management Symposium (APNOMS), Takamatsu, Japan, 28–30 September 2022; pp. 1–6. [Google Scholar] [CrossRef]
- Tidrea, A.; Korodi, A.; Silea, I. Elliptic Curve Cryptography Considerations for Securing Automation and SCADA Systems. Sensors 2023, 23, 2686. [Google Scholar] [CrossRef] [PubMed]
- Sharma, D.K.; Baghel, N.; Agarwal, S. Multiple Degree Authentication in Sensible Homes basedon IoT Device Vulnerability. In Proceedings of the 2020 International Conference on Power Electronics & IoT Applications in Renewable Energy and its Control (PARC), Mathura, India, 28–29 February 2020; pp. 539–543. [Google Scholar] [CrossRef]
- Yang, J.; Fan, J.; Zhu, X. Perception Layer Lightweight Certificateless Authentication Scheme for IoT-Based Emergency Logistics. IEEE Access 2023, 11, 14350–14364. [Google Scholar] [CrossRef]
- Dammak, M.; Boudia, O.R.M.; Messous, M.A.; Senouci, S.M.; Gransart, C. Token-Based Lightweight Authentication to Secure IoT Networks. In Proceedings of the 2019 16th IEEE Annual Consumer Communications and Networking Conference (CCNC), Las Vegas, NV, USA, 11–14 January 2019; pp. 1–4. [Google Scholar] [CrossRef]
- Ahmed, S.; Mahmood, Q. An authentication based scheme for applications using JSON web token. In Proceedings of the 2019 22nd International Multitopic Conference (INMIC), Islamabad, Pakistan, 20–30 November 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Nyangaresi, V.O. Terminal independent security token derivation scheme for ultra-dense IoT networks. Array 2022, 15, 100210. [Google Scholar] [CrossRef]
- Das, A.K.; Wazid, M.; Yannam, A.R.; Rodrigues, J.J.P.C.; Park, Y. Provably Secure ECC-Based Device Access Control and Key Agreement Protocol for IoT Environment. IEEE Access 2019, 7, 55382–55397. [Google Scholar] [CrossRef]
- Lara, E.; Aguilar, L.; García, J.A. Lightweight Authentication Protocol Using Self-Certified Public Keys for Wireless Body Area Networks in Health-Care Applications. IEEE Access 2019, 9, 79196–79213. [Google Scholar] [CrossRef]
- Li, P.; Su, J.; Wang, X. iTLS: Lightweight Transport-Layer Security Protocol for IoT with Minimal Latency and Perfect Forward Secrecy. IEEE Internet Things J. 2020, 7, 6828–6841. [Google Scholar] [CrossRef]
- Gaba, G.S.; Kumar, G.; Monga, H.; Kim, T.-H.; Kumar, P. Robust and Lightweight Mutual Authentication Scheme in Distributed Smart Environments. IEEE Access 2020, 8, 69722–69733. [Google Scholar] [CrossRef]
- Li, X.; Niu, J.; Bhuiyan, M.Z.A.; Wu, F.; Karuppiah, M.; Kumari, S. A Robust ECC-Based Provable Secure Authentication Protocol with Privacy Preserving for Industrial Internet of Things. IEEE Trans. Ind. Inform. 2018, 14, 3599–3609. [Google Scholar] [CrossRef]
- Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; pp. 523–540. [Google Scholar]
- Hammi, B.; Fayad, A.; Khatoun, R.; Zeadally, S.; Begriche, Y. A Lightweight ECC-Based Authentication Scheme for Internet of Things (IoT). IEEE Syst. J. 2020, 14, 3440–3450. [Google Scholar] [CrossRef]
- Aravindhan, K.; Karthiga, R.R. One time password: A survey. Int. J. Emerg. Trends Eng. Dev. 2013, 1, 613–623. [Google Scholar]
- Lohachab, A. ECC based inter-device authentication and authorization scheme using MQTT for IoT networks. J. Inf. Secur. Appl. 2019, 46, 1–12. [Google Scholar] [CrossRef]
Notations | Description |
---|---|
EID | Abbreviation of Edge_IoT_Device |
RS | Abbreviation of Register_Server |
BDAS | Abbreviation of Backend_Data_Analysis_Server |
Temporary id for ith EID | |
P | Base point of the elliptic curve: ECC_SECP256R1 |
ai | Private key of EID |
Ai | Public key of EID |
· | Elliptic curve–point multiplication operation |
(Aix,Aiy) | XY-axis coordinates of the EID public key |
Timestamp generated by EID | |
Hash() | Hash function |
⨁ | Exclusive OR operation |
‖ | Concatenation operation |
AIDi | Alice_id for ith EID |
Sign() | Encrypt RIDi with EID public key |
(Ax,Ay) | Hide information of EID public key |
ith verification message | |
qs | Private key of BDAS |
Qs | Public key of BDAS |
(Qsx,Qsy) | XY-axis coordinates of the BDAS public key |
(Qx,Qy) | Hide information of BDAS public key |
Timestamp generated by BDAS | |
Session key generated by BDAS | |
Authentication message generated by BDAS | |
Session key generated by EID | |
Authentication message generated by EID | |
information_EID | Information of EID |
BDAS_hostname | Hostname of BDAS |
BDAS_host_ip | IP address of BDAS |
BDAS_mac_addr | Mac address of BDAS |
EID_ip | IP address of EID |
EID_port | Socket port of EID |
EID_hostname | Hostname of EID |
EID_mac_addr | Mac address of EID |
TK_encoded | Json Web Token for verification |
Server | OS | Storage | |
---|---|---|---|
EID | Raspberry Pi4 | Ubuntu20.04 | 64 GB |
RS | Raspberry Pi4 | Ubuntu20.04 | 64 GB |
BDAS | Raspberry Pi4 | Ubuntu20.04 | 64 GB |
Notation | Description |
---|---|
Computational cost of elliptic curve addition | |
Computational cost of elliptic curve multiplication | |
Computational cost of the hash function | |
Computational cost of exclusive OR | |
Computational cost of encode JSON Web Token | |
Computational cost of decode JSON Web Token | |
Cost of one encryption using symmetric cryptography | |
Cost of one decryption using symmetric cryptography |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Yang, Y.-S.; Lee, S.-H.; Wang, J.-M.; Yang, C.-S.; Huang, Y.-M.; Hou, T.-W. Lightweight Authentication Mechanism for Industrial IoT Environment Combining Elliptic Curve Cryptography and Trusted Token. Sensors 2023, 23, 4970. https://doi.org/10.3390/s23104970
Yang Y-S, Lee S-H, Wang J-M, Yang C-S, Huang Y-M, Hou T-W. Lightweight Authentication Mechanism for Industrial IoT Environment Combining Elliptic Curve Cryptography and Trusted Token. Sensors. 2023; 23(10):4970. https://doi.org/10.3390/s23104970
Chicago/Turabian StyleYang, Yu-Sheng, Shih-Hsiung Lee, Jie-Min Wang, Chu-Sing Yang, Yuen-Min Huang, and Ting-Wei Hou. 2023. "Lightweight Authentication Mechanism for Industrial IoT Environment Combining Elliptic Curve Cryptography and Trusted Token" Sensors 23, no. 10: 4970. https://doi.org/10.3390/s23104970
APA StyleYang, Y. -S., Lee, S. -H., Wang, J. -M., Yang, C. -S., Huang, Y. -M., & Hou, T. -W. (2023). Lightweight Authentication Mechanism for Industrial IoT Environment Combining Elliptic Curve Cryptography and Trusted Token. Sensors, 23(10), 4970. https://doi.org/10.3390/s23104970