Konstantinos Rantos

Lightweight Cryptography for Embedded Systems A Comparative Analysis

As computing becomes pervasive, embedded systems are deployed in a wide range of domains, including industrial systems, critical infrastructures, private and public spaces as well as portable and wearable applications. An integral part of the functionality of these systems is the storage, access and transmission of private, sensitive or even critical information. Therefore, the confidentiality and integrity of the resources and services of said devices constitutes a prominent issue that must be considered during their design. There is a variety of cryptographic mechanisms which can be used to safeguard the confidentiality and integrity of stored and transmitted information. In the context of embedded systems, however, the problem at hand is exacerbated by the resource-constrained nature of the devices, in conjunction with the persistent need for smaller size and lower production costs. This paper provides a comparative analysis of lightweight cryptographic algorithms applicable to such devices, presenting recent advances in the field for symmetric and asymmetric algorithms as well as hash functions. A classification and evaluation of the schemes is also provided, utilizing relevant metrics in order to assess their suitability for various types of embedded systems.

IPsec over IEEE 802.15.4 for low power and lossy networks

The wide deployment of low-power and lossy networks (LLNs) connected to the Internet has raised many security concerns regarding the protection of data they handle and communicate. Such networks now face all sorts of security threats identified in traditional networks. However, solutions found in traditional networks cannot directly be adopted by LLNs, due to the inherent limited capabilities of the embedded systems that comprise them. This paper focuses on the security provided to LLN nodes using 6LoWPAN adaptation format, one of the predominant solutions adopted for communicating data over IEEE 802.15.4 networks. It proposes a compression format for IPsec, able to offer end-to-end security, that utilises AES-CCM* (CCM-Star), a variant of AES in Counter with CBC-MAC mode (AES-CCM), while considering the restrictions of the underlying IEEE 802.15.4 protocol. Compared to similar approaches, the proposed scheme features low packet overhead for providing both message authentication, integrity and confidentiality, while adhering to the latest standards.

Policy-Controlled Authenticated Access to LLN-Connected Healthcare Resources

Ubiquitous devices comprising several resource-constrained nodes with sensors, actuators, and networking capabilities are becoming part of many solutions that seek to enhance users environment smartness and quality of living, prominently including enhanced healthcare services. In such an environment, security issues are of primary concern as a potential resource misuse can severely impact users privacy or even become life threatening. Access to these resources should be appropriately controlled to ensure that eHealth nodes are adequately protected and the services are available to authorized entities. The intrinsic resource limitations of these nodes, however, make satisfying these requirements a great challenge. This paper proposes and analyzes a service-oriented architecture that provides a policy-based, unified, cross-platform, and flexible access control mechanism, allowing authorized entities to consume services provided by eHealth nodes while protecting their valuable resources. The scheme is XACML driven, although modifications to the related standardized architecture are proposed to satisfy the requirements imposed by nodes that comprise low-power and lossy networks (LLNs). A proof-of-concept implementation is presented, along with the associated performance evaluation, confirming the feasibility of the proposed approach.

IPv6 security for low power and lossy networks

Low-power and lossy networks (LLNs) are continually gaining popularity, due to their wide range of applications. Such networks mainly comprise of resource-constrained devices that feature Internet connectivity. This raises many security concerns that cannot be easily resolved, since the inherent limitations of LLN nodes do not allow the direct applicability of existing solutions. This paper proposes an IPsec header compression format for the 6LoWPAN adaptation layer that runs over IEEE802.15.4. The proposed scheme utilises AES-CCM* (CCM-Star), a cryptographic functionality supported by the underlying IEEE802.15.4 protocol, features low packet overhead, and provides both message authentication and confidentiality.

Policy-based access control for DPWS-enabled ubiquitous devices

As computing becomes ubiquitous, researchers and engineers aim to exploit the potential of the pervasive systems in order to introduce new types of services and address inveterate and emerging problems. This process will, eventually, lead us to the era of urban computing and the Internet of Things; the ultimate goal being to improve our quality of life. But these concepts typically require direct and constant interaction of computing systems with the physical world in order to be realized, which inevitably leads to the introduction of a range of safety and privacy issues that must be addressed. One such important aspect is the fine-grained control of access to the resources of these pervasive embedded systems, in a secure and scalable manner. This paper presents an implementation of such a secure policy-based access control scheme, focusing on the use of well-established, standardized technologies and considering the potential resource-constraints of the target heterogeneous embedded devices. The proposed framework adopts a DPWS-compliant approach for smart devices and introduces XACML-based access control mechanisms. The proof-of-concept implementation is presented in detail, along with a performance evaluation on typical embedded platforms.

Secure policy-based management solutions in heterogeneous embedded systems networks

Managing a large number of heterogeneous nodes in a network of embedded systems is a challenging task, mainly due to differences in requirements and resources. Nano nodes with very limited capabilities, such as the nodes of a Wireless Sensor Network (WSN), may not be suitable for adopting solutions designed for power nodes that have no such constraints. Using these devices in dynamic, ad-hoc infrastructures that feature a plethora of characteristics, has brought up the need for appropriate management of participating nodes to satisfy the corresponding policy restrictions. Many schemes have been proposed for various types of devices in terms of resources, ranging from the well-studied policy-based management in computer networks to the more challenging management in sensor networks. This paper identifies these schemes and proposes a framework for the secure and interoperable policy-based management of heterogeneous, resource-constrained, embedded systems networks.

Analysis of Potential Vulnerabilities in Payment Terminals

Payment systems fraud is considered in the center of several types of criminal activities. The introduction of robust payment standards, practices and procedures has undoubtedly reduced criminals’ profit, and significantly hardened their work. Still though, all payment systems’ components are constantly scrutinised to identify vulnerabilities. This chapter focuses on the security of payment terminals, as a critical component in a payment system’s infrastructure, providing an understanding on potential attacks identified in the literature. The attacks are not only limited to those aiming to insult terminals’ tamper-resistance characteristics but also include those that target weak procedures and practices aiming to facilitate the design of better systems, solutions and deployments.

Policy-Based Access Control for Body Sensor Networks

Sensor nodes and actuators are becoming ubiquitous and research efforts focus on addressing the various issues stemming from resources constraints and other intrinsic characteristics typically associated with such devices and their applications. In the case of wearable nodes, and especially in the context of e-Health applications, the security issues are exacerbated by the direct interaction with the human body and the associated safety and privacy concerns. This work presents a policy-based, unified, cross-platform and flexible access control framework. It adopts a web services-compliant approach to enable secure and authorized fine-grained access control to body sensor network resources and services. The proposed scheme specifically considers the very limited resources of so-called nano nodes that are anticipated to be used in such an environment. A proof-of-concept implementation is developed and a preliminary performance evaluation is presented.

Secure and Authenticated Access to LLN Resources Through Policy Constraints

Ubiquitous devices comprising several resource-constrained sensors and actuators while having the long desired Internet connectivity, are becoming part of many solutions that seek to enhance users environment smartness and quality of living. Their intrinsic resource limitations however constitute critical requirements, such as security, a great challenge. When these nodes are associated with applications that might have an impact in users privacy or even become life threatening, the security issues are of primary concern. Access to these resources should be appropriately controlled to ensure that such wearable nodes are adequately protected. On the other hand, it is very important to not restrict access to only a very closed group of entities. This work presents a service oriented architecture that utilizes policy-based, unified, cross-platform and flexible access control to allow authenticated entities consume the services provided by wearable nodes while protecting their valuable resources.

Proxied IBE-based key establishment for LLNs

Embedded systems devices have a wide application range, an instance of which is their use in Low-power and Lossy Networks (LLNs), which are anticipated to become one of the fundamental building blocks for the realisation of the Internet of Things (IoT). The security issues emerging from the requirement for Web accessibility can be fulfilled by appropriate cryptographic techniques, so as to secure the communicated information, supported by appropriate key exchange protocols, able to cope with the particular nature of such networks. The properties of Identity-Based Encryption (IBE) seem to match well the nature of such networks, thus an IBE-based key establishment protocol would be a good choice to be used in an LLN. However, severe limitations on those devices resources render deployment of expensive key establishment protocols inappropriate. Alternatives are therefore proposed such as offloading some of the computationally-intensive tasks to other, more powerful devices. Our IBE-based key establishment protocol enables a constrained node to exchange a shared secret with a remote party, that typically operates outside the nodes network through an also non-constrained proxy node that undertakes the task of performing some of the expensive computations. The proposed key establishment scheme facilitates secure communications among embedded systems devices providing information and services to remote parties, towards the realisation of the Internet of Things.