Security in Internet of Things (IoT) | Digital Ritesh

Security in the Internet of Things (IoT)

Digital Ritesh

IoT is facing more severe challenges in the security aspect, there are the following reasons:

• The IoT extends the internet through the traditional internet, mobile network, and sensor network

• Every “thing” is connected to the internet;

• These “things” will communicate with each other.

Therefore, new security and privacy problems will arise, and there is a need to pay more attention to the research issues for confidentiality, authenticity, and integrity of data in the IoT.

With the development of advanced network techniques, distributed multiagent control, and cloud computing, there is a shift in integrating the concepts of IoT and autonomous control in the machine-to-machine (M2M) research to produce an evolution of M2M in the form of Cyber-Physical-System (CPS).

M2M is a broader terminology for any technology that enabled networked devices to exchange information and perform actions without the manual assistance of humans, CPS mainly focuses on allowing smart interaction, interactive applications, distributed real-time control, cross-layer optimization, and cross-domain optimization. 

Therefore, some new technologies and methodologies should be developed to meet the higher requirements in terms of reliability, security, and privacy.

The security of information and network should be equipped with properties such as identification, confidentiality, integrality, and indisputability.

IoT will be applied to the crucial areas of the national economy, i.e. medical service and health care, and intelligent transportation, thus security needs in the IoT will be higher in availability and dependability. In general, the security architecture of the IoT can be divided into four key levels:

• The most basic level is the Perceptual Layer, which collects all kinds of information through physical equipment and identifies the physical world, the information includes object properties or environmental conditions. The key component in this layer is sensors for capturing and representing the physical world in the digital world.

• The second level is the Network Layer. The network layer is responsible for the reliable transmission of information from the perceptual layer, initial processing of information, classification, and polymerization. In this layer the information transmission relies on several basic networks, which are the internet, mobile communication network, satellite nets, wireless network, network infrastructure, and communication protocols that are also essential to the information exchange between devices

• The third level is the Support Layer. The support layer will set up a reliable support platform for the application layer, on this support platform all kinds of intelligent computing powers will be organized through network grid and cloud computing. It plays the role of combining the application layer upward and the network layer downward.

• The Application Layer is the terminal level. The application layer provides personalized services according to the needs of the users. Users can access the internet of Things through the application layer interface using of television, personal computer or mobile equipment, and so on. Network security and management features play an important role above each level.

• Perceptual Layer: Usually perceptual nodes are short of computer power and storage capacity because they are simple and with less power. Therefore, it is unable to apply a public key encryption algorithm to security protection. And it is very difficult to set up a security protection system. Meanwhile, attacks from the external network such as denial of service also bring new security problems. On the other hand sensor data still need protection for integrity, authenticity, and confidentiality.

• Network Layer: Although the core network has relatively complete safety protection ability, the man-in-the-middle attack and counterfeit attacks still exist, meanwhile junk mail and computer virus cannot be ignored, and a large number of data sending cause congestion. Therefore, the security mechanism at this level is very important to the IoT system.

• Support Layer: Do the mass data processing and intelligent decision of network behavior in this layer, intelligent processing is limited to malicious information, so it is a challenge to improve the ability to recognize the malicious information.

• Application Layer: At this level security needs for different application environments are different, and data sharing is one of the characteristics of the application layer, which creates problems of data privacy, access control, and disclosure of information. According to the above analysis, we can summarize the security requirements for each level in the following.

• Perceptual Layer: At the first node, authentication is necessary to prevent illegal node access; secondly to protect the confidentiality of information transmission between the nodes, data encryption is an absolute necessity; and before the data encryption key agreement is an important process in advance; the stronger are the safety measures, the more is the consumption of resources, to solve this problem, lightweight encryption technology becomes important, which includes Lightweight cryptographic algorithm and lightweight cryptographic protocol. At the same time, the integrity and authenticity of sensor data are becoming a research focus.

• Network Layer: In this layer, existing communication security mechanisms are difficult to be applied. Identity authentication is a kind of mechanism to prevent the illegal nodes, and it is the premise of the security mechanism, confidentiality and integrality are of equal importance, thus we also need to establish data confidentiality and integrality mechanism.

• Support Layer: The support layer needs a lot of the application security architecture such as cloud computing and secure multiparty computation, almost all of the strong encryption algorithm and encryption protocol, stronger system security technology, and antivirus.

• Application Layer: To solve the security problem of the application layer, two aspects are needed. One is the authentication and key agreement across the heterogeneous network, and the other is the user’s privacy protection. In addition, education and management are very important to information security, especially password management. 

In summary security technology in the IoT is very important and full of challenges. On the other hand, laws and regulations issues are also significant. Looking into the state of research for the security requirements on encryption mechanism, communication security, protecting sensor data, and cryptographic algorithm.

In the traditional network layers are adopted by-hop encryption mechanisms, in this way the information is encrypted in the transmission process, but it needs to keep plain text in each node through the decryption and encryption operations.

Meanwhile, the traditional application layer encryption mechanism is end-to-end encryption, that is, the information only is explicit for the sender and the receiver, and in the transmission process and forwarding nodes, it will be always encrypted.

The IoT network layer and application layer connect so closely, so there is a need to choose between by-hop and end-to-end encryption. The features of by-hop encryption are low latency, high efficiency, low cost, and so on. However, because of the decryption operation in the transmission node can get the plaintext message, by-hop encryption needs high credibility of the transmission nodes.

Using the end-to-end encryption, are allowed for different security policies according to the type of business, thus it can provide high-level security protection to the high-security requirements of the business.

However, end-to-end encryption can not encrypt the destination address, because each node determines how to transmit messages according to the destination address, which causes it can not hide the source and the destination of the message being transmitted and bring about malicious attacks.

To summarize when the security requirement of some businesses is not very high can be adopted by-hop encryption protection; when the business needs high security, then end-to-end encryption is the first choice.

For what concerns communication security, there are some protocols that can provide integrity, authenticity, and confidentiality for communication, such as TLS/SSL or IPSec. TLS/SSL is designed to encrypt the link in the transport layer, and IPSec is designed to protect the security of the network layer, they can provide integrity, authenticity, and confidentiality in each layer.

Then communication security mechanisms are also rarely applied nowadays. Because in the IoT small devices are less processing power, this leads that communication security is often weak. Meanwhile, the core network is always the current or next-generation Internet, so DDoS still exists and is a very severe problem.

Botnets and DDoS attacks will destroy the availability of communication. When larger-scale or organized DDoS attacks happen, how to do the disaster recovery is highly significant, so is needed to pay more attention to research better preventive measures and disaster recovery mechanisms.

Protecting sensor data is becoming a research focus, and confidentiality of sensor data is a lower demand because when an attacker can just place their own sensor physically near, he can sense the same values.

So at the sensor itself, the confidentiality need is relatively low. The main research target in sensors is privacy, and privacy is also a major problem. Should be adopted the mechanisms to protect the privacy of humans and objects in the physical world. Most times people are often unaware of sensors in their life, so we need to set up regulations to preserve their privacy of people.

In literature, several guidelines are given to solve this problem in the design phase: at first, users must know that they are being sensed, the second users must be able to choose whether they are being sensed or not, and the third users must be able to remain anonymous. When the user has no realization of these guidelines, regulations must be made.

Finally, what concern cryptographic algorithms, the algorithm used to encrypt data for confidentiality is the Advanced Encryption Standard (AES) block cipher. The asymmetric algorithm is often used for digital signatures and key transport, frequently used algorithm is the Rivest Shamir Adleman (RSA); the Diffie-hellman (DH) asymmetric key agreement algorithm is used for the key agreement, and the SHA-1 and SHA-256 secure hash algorithms will be applied for integrality.

Another significant asymmetric algorithm is known as elliptic curve cryptography, ECC can provide equal safety by use of shorter length keys. To implement these cryptographic algorithms available resources are necessary such as processor speed and memory.

So how to apply these cryptographic techniques to the IoT is not clear, more effort to further research is necessary to ensure that these algorithms can be successfully implemented in constrained memory and low-speed processor of IoT devices.

IoT is a very active and new research field, so a variety of questions need even to be solved, at different layers of the architecture and from different aspects of information security.