
Publication


Featured research published by Hossein Shafagh.


IEEE Sensors Journal | 2013

Lithe: Lightweight Secure CoAP for the Internet of Things

Shahid Raza; Hossein Shafagh; Kasun Hewage; René Hummen; Thiemo Voigt

The Internet of Things (IoT) enables a wide range of application scenarios with potentially critical actuating and sensing tasks, e.g., in the e-health domain. For communication at the application layer, resource-constrained devices are expected to employ the constrained application protocol (CoAP) that is currently being standardized at the Internet Engineering Task Force. To protect the transmission of sensitive information, secure CoAP mandates the use of datagram transport layer security (DTLS) as the underlying security protocol for authenticated and confidential communication. DTLS, however, was originally designed for comparably powerful devices that are interconnected via reliable, high-bandwidth links. In this paper, we present Lithe, an integration of DTLS and CoAP for the IoT. With Lithe, we additionally propose a novel DTLS header compression scheme that aims to significantly reduce the energy consumption by leveraging the 6LoWPAN standard. Most importantly, our proposed DTLS header compression scheme does not compromise the end-to-end security properties provided by DTLS. Simultaneously, it considerably reduces the number of transmitted bytes while maintaining DTLS standard compliance. We evaluate our approach based on a DTLS implementation for the Contiki operating system. Our evaluation results show significant gains in terms of packet size, energy consumption, processing time, and network-wide response times when compressed DTLS is enabled.


wireless network security | 2013

Towards viable certificate-based authentication for the internet of things

René Hummen; Jan Henrik Ziegeldorf; Hossein Shafagh; Shahid Raza; Klaus Wehrle

The vision of the Internet of Things considers smart objects in the physical world as first-class citizens of the digital world. Especially IP technology and RESTful web services on smart objects promise simple interactions with Internet services in the Web of Things, e.g., for building automation or in e-health scenarios. Peer authentication and secure data transmission are vital aspects in many of these scenarios to prevent leakage of personal information and harmful actuating tasks. While standard security solutions exist for traditional IP networks, the constraints of smart objects demand for more lightweight security mechanisms. Thus, the use of certificates for peer authentication is predominantly considered impracticable. In this paper, we investigate if this assumption is valid. To this end, we present preliminary overhead estimates for the certificate-based DTLS handshake and argue that certificates - with improvements to the handshake - are a viable method of authentication in many network scenarios. We propose three design ideas to reduce the overheads of the DTLS handshake. These ideas are based on (i) pre-validation, (ii) session resumption, and (iii) handshake delegation. We qualitatively analyze the expected overhead reductions and discuss their applicability.


sensor, mesh and ad hoc communications and networks | 2014

Delegation-based Authentication and Authorization for the IP-based Internet of Things

René Hummen; Hossein Shafagh; Shahid Raza; Thiemo Voigt; Klaus Wehrle

IP technology for resource-constrained devices enables transparent end-to-end connections between a vast variety of devices and services in the Internet of Things (IoT). To protect these connections, several variants of traditional IP security protocols have recently been proposed for standardization, most notably the DTLS protocol. In this paper, we identify significant resource requirements for the DTLS handshake when employing public-key cryptography for peer authentication and key agreement purposes. These overheads particularly hamper secure communication for memory-constrained devices. To alleviate these limitations, we propose a delegation architecture that offloads the expensive DTLS connection establishment to a delegation server. By handing over the established security context to the constrained device, our delegation architecture significantly reduces the resource requirements of DTLS-protected communication for constrained devices. Additionally, our delegation architecture naturally provides authorization functionality when leveraging the central role of the delegation server in the initial connection establishment. Hence, in this paper, we present a comprehensive, yet compact solution for authentication, authorization, and secure data transmission in the IP-based IoT. The evaluation results show that compared to a public-key-based DTLS handshake our delegation architecture reduces the memory overhead by 64 %, computations by 97 %, network transmissions by 68 %.


wireless network security | 2013

6LoWPAN fragmentation attacks and mitigation mechanisms

René Hummen; Jens Hiller; Hanno Wirtz; Martin Henze; Hossein Shafagh; Klaus Wehrle

6LoWPAN is an IPv6 adaptation layer that defines mechanisms to make IP connectivity viable for tightly resource-constrained devices that communicate over low power, lossy links such as IEEE 802.15.4. It is expected to be used in a variety of scenarios ranging from home automation to industrial control systems. To support the transmission of IPv6 packets exceeding the maximum frame size of the link layer, 6LoWPAN defines a packet fragmentation mechanism. However, the best effort semantics for fragment transmissions, the lack of authentication at the 6LoWPAN layer, and the scarce memory resources of the networked devices render the design of the fragmentation mechanism vulnerable. In this paper, we provide a detailed security analysis of the 6LoWPAN fragmentation mechanism. We identify two attacks at the 6LoWPAN design-level that enable an attacker to (selectively) prevent correct packet reassembly on a target node at considerably low cost. Specifically, an attacker can mount our identified attacks by only sending a single protocol-compliant 6LoWPAN fragment. To counter these attacks, we propose two complementary, lightweight defense mechanisms, the content chaining scheme and the split buffer approach. Our evaluation shows the practicality of the identified attacks as well as the effectiveness of our proposed defense mechanisms at modest trade-offs.


international conference on embedded networked sensor systems | 2015

Talos: Encrypted Query Processing for the Internet of Things

Hossein Shafagh; Anwar Hithnawi; Andreas Droescher; Simon Duquennoy; Wen Hu

The Internet of Things, by digitizing the physical world, is envisioned to enable novel interaction paradigms with our surroundings. This creates new threats and leads to unprecedented security and privacy concerns. To tackle these concerns, we introduce Talos, a system that stores IoT data securely in a Cloud database while still allowing query processing over the encrypted data. We enable this by encrypting IoT data with a set of cryptographic schemes such as order-preserving and partially homomorphic encryption. In order to achieve this in constrained IoT devices, Talos relies on optimized algorithms that accelerate order-preserving and partially homomorphic encryption by 1 to 2 orders of magnitude. We assess the feasibility of Talos on low-power devices with and without cryptographic accelerators and quantify its overhead in terms of energy, computation, and latency. With a thorough evaluation of our prototype implementation, we show that Talos is a practical system that can provide a high level of security with a reasonable overhead. We envision Talos as an enabler of secure IoT applications.


information processing in sensor networks | 2015

TIIM: technology-independent interference mitigation for low-power wireless networks

Anwar Hithnawi; Hossein Shafagh; Simon Duquennoy

The rise of heterogeneity in wireless technologies operating in the unlicensed bands has been shown to adversely affect the performance of low-power wireless networks. Cross-Technology Interference (CTI) is highly uncertain and raises the need for agile methods that assess the channel conditions and apply actions maximizing communication success. In this paper, we present TIIM, a lightweight Technology-Independent Interference Mitigation solution that detects, quantifies, and reacts to CTI in realtime. TIIM employs a lightweight machine learning classifier to (i) decide whether communication is viable over the interfered link, (ii) characterize the ambient conditions and apply the best coexistence mitigation strategy. We present an in-depth experimental characterization of the effect of CTI on 802.15.4 links, which motivated and influenced the design of TIIM. Our evaluation shows that TIIM, while exposed to extensive and heterogeneous interference, can achieve a total PRR improvement of 30% with an additional transmission overhead of 5.6%.


workshop on wireless network testbeds experimental evaluation & characterization | 2014

Understanding the impact of cross technology interference on IEEE 802.15.4

Anwar Hithnawi; Hossein Shafagh; Simon Duquennoy

Over the last few decades, we witnessed notable progress in wireless communication. This has led to rapid emergence of heterogeneous wireless technologies that share the RF spectrum in an un-coordinated way. Such a coexistence introduces high uncertainty and complexity to the medium, affecting reliability and availability of wireless networks. This problem aggravates for technologies operating in the lightly regulated, yet crowded ISM bands. To address coexistence of different technologies in the scarce RF spectrum, provide proper interference-aware protocols, and mitigation schemes, we need to develop a good understanding of the interaction patterns of these technologies. In this paper, we provide a thorough study of the implications of Cross Technology Interference (CTI) on the particularly vulnerable low-power IEEE 802.15.4 wireless networks. We identify the underlying vulnerabilities that hamper 802.15.4 to withstand CTI. We show that the uncertainty that CTI induces on the wireless channel is not completely stochastic; CTI exhibits distinct patterns that can be exploited by interference-aware protocols.


acm/ieee international conference on mobile computing and networking | 2014

Poster: come closer: proximity-based authentication for the internet of things

Hossein Shafagh; Anwar Hithnawi

This paper presents a proximity-based authentication approach for the Internet of Things (IoT) that works in-band by solely utilizing the wireless communication interface. The novelty of this approach lies in its reliance on ambient radio signals to infer proximity within about one second, and in its ability to expose imposters located several meters away. We identify relevant features sensed from the RF channel to establish a notion of proximity across co-located low-power devices. We introduce our proximity-based authentication protocol and show the feasibility of our approach with an early prototype using off-the-shelf 802.15.4 sensors and an evaluation conducted in a real-world environment.


information processing in sensor networks | 2016

CrossZig: combating cross-technology interference in low-power wireless networks

Anwar Hithnawi; Su Li; Hossein Shafagh; James Gross; Simon Duquennoy

Low-power wireless devices suffer notoriously from Cross-Technology Interference (CTI). To enable co-existence, researchers have proposed a variety of interference mitigation strategies. Existing solutions, however, are designed to work with the limitations of currently available radio chips. In this paper, we investigate how to exploit physical layer properties of 802.15.4 signals to better address CTI. We present CrossZig, a cross-layer solution that takes advantage of physical layer information and processing to improve low-power communication under CTI. To this end, CrossZig utilizes physical layer information to detect presence of CTI in a corrupted packet and to apply an adaptive packet recovery which incorporates a novel cross-layer based packet merging and an adaptive FEC coding. We implement a prototype of CrossZig for the low-power IEEE 802.15.4 in a software-defined radio platform. We show the adaptability and the performance gain of CrossZig through experimental evaluation considering both micro-benchmarking and system performance under various interference patterns. Our results demonstrate that CrossZig can achieve a high accuracy in error localization (94.3% accuracy) and interference type identification (less than 5% error rate for SINR ranges below 3 dB). Moreover, our system shows consistent performance improvements under interference from various interfering technologies.


acm/ieee international conference on mobile computing and networking | 2015

Poster: Towards Encrypted Query Processing for the Internet of Things

Hossein Shafagh; Anwar Hithnawi; Andreas Droescher; Simon Duquennoy; Wen Hu

The Internet of Things (IoT) is envisioned to digitize the physical world, resulting in a digital representation of our proximate living space. The possibility of inferring privacy violating information from IoT data necessitates adequate security measures regarding data storage and communication. To address these privacy and security concerns, we introduce our system that stores IoT data securely in the Cloud database while still allowing query processing over the encrypted data. We enable this by encrypting IoT data with a set of cryptographic schemes such as order-preserving and partially homomorphic encryptions. To achieve this on resource-limited devices, our system relies on optimized algorithms that accelerate partial homomorphic and order-preserving encryptions by 1 to 2 orders of magnitude. Our early results show the feasibility of our system on low-power devices. We envision our system as an enabler of secure IoT applications.

Collaboration


Dive into Hossein Shafagh's collaboration.

Top Co-Authors


Shahid Raza

Swedish Institute of Computer Science


Wen Hu

University of New South Wales


James Gross

Royal Institute of Technology


Thiemo Voigt

Swedish Institute of Computer Science
