José L. Hernández-Ramos

Toward a Lightweight Authentication and Authorization Framework for Smart Objects

The Internet of Things (IoT) represents the current technology revolution that is intended to transform the current environment into a more pervasive and ubiquitous world. In this emerging ecosystem, the application of standard security technologies has to cope with the inherent nature of constrained physical devices, which are seamlessly integrated into the Internet infrastructure. This work proposes a set of lightweight authentication and authorization mechanisms in order to support smart objects during their life cycle. Furthermore, such mechanisms are framed within a proposed security framework, which is compliant with the Architectural Reference Model, recently presented by the EU FP7 IoT-A project. The resulting architecture is intended to provide a holistic security approach to be leveraged in the design of novel and lightweight security protocols for IoT constrained environments.

DCapBAC: embedding authorization logic into smart things through ECC optimizations

In recent years, the increasing development of wireless communication technologies and IPv6 is enabling a seamless integration of smart objects into the Internet infrastructure. This extension of technology to common environments demands greater security restrictions, since any unexpected information leakage or illegitimate access to data could present a high impact in our lives. Additionally, the application of standard security and access control mechanisms to these emerging ecosystems has to face new challenges due to the inherent nature and constraints of devices and networks which make up this novel landscape. While these challenges have been usually addressed by centralized approaches, in this work we present a set of Elliptic Curve Cryptography optimizations for point and field arithmetic which are used in the design and implementation of a security and capability-based access control mechanism (DCapBAC) on smart objects. Our integral solution is based on a lightweight and flexible design that allows this functionality is embedded on resource-constrained devices, providing the advantages of a distributed security approach for Internet of Things (IoT) in terms of scalability, interoperability and end-to-end security. Additionally, our scheme has been successfully validated by using AVISPA tool and implemented on a real scenario over the Jennic/NXP JN5148 chipset based on a 32-bit RISC CPU. The results demonstrate the feasibility of our work and show DCapBAC as a promising approach to be considered as security solution for IoT scenarios.

SAFIR: Secure access framework for IoT-enabled services on smart buildings

Abstract Recent advances on ubiquitous computing and communication technologies are enabling a seamless integration of smart devices in the Internet infrastructure, promoting a new generation of innovative and valuable services for people. Nevertheless, the potential of this resulting ecosystem may be threatened if security and privacy concerns are not properly addressed. In this work, we propose an ARM-compliant IoT security framework and its application on smart buildings scenarios, integrating contextual data as fundamental component in order to drive the building management and security behavior of indoor services accordingly. This framework is instantiated on a holistic platform called City explorer, which is extended with discovery and security mechanisms. Such platform has been validated in a reference smart building, where reasonable results of energy savings, services discovery and authorization are achieved.

Preserving Smart Objects Privacy through Anonymous and Accountable Access Control for a M2M-Enabled Internet of Things

As we get into the Internet of Things era, security and privacy concerns remain as the main obstacles in the development of innovative and valuable services to be exploited by society. Given the Machine-to-Machine (M2M) nature of these emerging scenarios, the application of current privacy-friendly technologies needs to be reconsidered and adapted to be deployed in such global ecosystem. This work proposes different privacy-preserving mechanisms through the application of anonymous credential systems and certificateless public key cryptography. The resulting alternatives are intended to enable an anonymous and accountable access control approach to be deployed on large-scale scenarios, such as Smart Cities. Furthermore, the proposed mechanisms have been deployed on constrained devices, in order to assess their suitability for a secure and privacy-preserving M2M-enabled Internet of Things.

ARMY: architecture for a secure and privacy-awar e lifecycle of smar t objects in the internet of my things

The emergence of the Internet of Things paradigm promises a multi-disciplinary revolution covering different spheres of our daily lives. However, the ubiquitous nature of IoT requires inclusive approaches in order to agree on a common understanding about its implications. Particularly, in order to unlock its huge potential and maximize its benefits, it is necessary to minimize the risks that are associated with security and privacy concerns. In this work, we propose a comprehensive architectural design to capture the main security and privacy requirements during the lifecycle of a smart object. The resulting architecture has been designed, instantiated, and implemented within the scope of different European IoT initiatives, in order to promote the design and development of secure and privacy-aware IoT-enabled services.

Holistic Privacy-Preserving Identity Management System for the Internet of Things

Security and privacy concerns are becoming an important barrier for large scale adoption and deployment of the Internet of Things. To address this issue, the identity management system defined herein provides a novel holistic and privacy-preserving solution aiming to cope with heterogeneous scenarios that requires both traditional online access control and authentication, along with claim-based approach for M2M (machine to machine) interactions required in IoT. It combines a cryptographic approach for claim-based authentication using the Idemix anonymous credential system, together with classic IdM mechanisms by relying on the FIWARE IdM (Keyrock). This symbiosis endows the IdM system with advanced features such as privacy-preserving, minimal disclosure, zero-knowledge proofs, unlikability, confidentiality, pseudonymity, strong authentication, user consent, and offline M2M transactions. The IdM system has been specially tailored for the Internet of Things bearing in mind the management of both users’ and smart objects’ identity. Moreover, the IdM system has been successfully implemented, deployed, and tested in the scope of SocIoTal European research project.

Dynamic security credentials PANA-based provisioning for IoT smart objects

The integration of physical devices into the Internet infrastructure raises significant security concerns, since many of the assumptions of the current Internet cannot be maintained in the so-called IoT. Due to the scale and requirements of these devices, the IoT should provide automated and self-managing mechanisms coping with security requirements during the life-cycle of smart objects, in order to foster the deployment of IoT scenarios. In this direction, this work addresses the bootstrapping of a smart object as a crucial stage in its lifecycle, through the use and extension of PANA as an IoT bootstrapping protocol, to enable a security credentials provisioning phase for secure M2M communications. Additionally, a set of initial evaluation results is also provided as part of our ongoing work in this area.

SocIoTal — The development and architecture of a social IoT framework

This paper presents the development and architecture of the SocIoTal platform. SocIoTal is a European FP7 project which aims to create a socially-aware citizen-centric Internet of Things infrastructure. The aim of the project is to put trust, user-control and transparency at the heart of the system in order to gain the confidence of everyday users and developers. By providing adequate tools and mechanisms that simplify complexity and lower the barriers of entry, it will encourage citizen participation in the Internet of Things. This adds a novel and rich dimension to the emerging IoT ecosystem, providing a wealth of opportunities for the creation of new services and applications. These services and applications will be able to address the needs of society therefore improving the quality of life in cities and communities. In addition to technological innovation, the SocIoTal project sought to innovate the way in which users and developers interact and shape the direction of the project. The project worked on new formats in obtaining data, information and knowledge. The first step consisted of gaining input, feedback and information on IoT as a reality in business. This led to a validated iterative methodology which formed part of the SocIoTal toolkit and a best practices guide for local policy makers and cities.

A digital envelope approach using attribute-based encryption for secure data exchange in IoT scenarios

The inclusion of the Big Data paradigm in our everyday life is giving rise to different IoT scenarios in which there is a continuous sensitive data sharing (e.g., remote healthcare or domestic automation). For such scenarios, the protection of such data is a key challenge to achieve the acceptance, by the end users, of new services and systems oriented to these scenarios. In order to address this issue, this work presents a novel approach combining the efficiency of symmetric cryptography and the flexibility and fine granularity of attribute-based cryptography, with the aim of carrying out secure information exchanges among different entities that make up this new IoT context.

Enhancing LoRaWAN Security through a Lightweight and Authenticated Key Management Approach

Luckily, new communication technologies and protocols are nowadays designed considering security issues. A clear example of this can be found in the Internet of Things (IoT) field, a quite recent area where communication technologies such as ZigBee or IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) already include security features to guarantee authentication, confidentiality and integrity. More recent technologies are Low-Power Wide-Area Networks (LP-WAN), which also consider security, but present initial approaches that can be further improved. An example of this can be found in Long Range (LoRa) and its layer-two supporter LoRa Wide Area Network (LoRaWAN), which include a security scheme based on pre-shared cryptographic material lacking flexibility when a key update is necessary. Because of this, in this work, we evaluate the security vulnerabilities of LoRaWAN in the area of key management and propose different alternative schemes. Concretely, the application of an approach based on the recently specified Ephemeral Diffie–Hellman Over COSE (EDHOC) is found as a convenient solution, given its flexibility in the update of session keys, its low computational cost and the limited message exchanges needed. A comparative conceptual analysis considering the overhead of different security schemes for LoRaWAN is carried out in order to evaluate their benefits in the challenging area of LP-WAN.