All content following this page was uploaded by Arpan Pal on 24 August 2015.
IJPCC 10,4
Lightweight security scheme for IoT applications using CoAP
Arijit Ukil, Soma Bandyopadhyay, Abhijan Bhattacharyya, Arpan Pal and Tulika Bose
Innovation Lab, Tata Consultancy Services, Kolkata, India
Abstract
Purpose – The purpose of this paper is to study a lightweight security scheme for Internet of Things
(IoT) applications using the Constrained Application Protocol (CoAP). The resource-constrained
characteristics of IoT systems have ushered in compelling requirements for lightweight application
protocols and security suites. CoAP has already been established as the candidate protocol for IoT
systems. However, a low overhead security scheme for CoAP is still an open problem. Existing security
solutions like Datagram Transport Layer Security (DTLS) are not suitable, particularly due to
expensive handshaking, public key infrastructure (PKI)-based authentication and a lengthy ciphersuite
agreement process.
Downloaded by Doctor Arpan Pal At 06:09 13 November 2014 (PT)
Design/methodology/approach – This paper proposes a lightweight security scheme in CoAP
using the Advanced Encryption Standard (AES) 128 symmetric key algorithm. The paper presents an
object security (payload embedded)-based robust authentication mechanism with integrated key
management. The paper introduces a few unique modifications to the CoAP header to optimize security
operation and minimize communication cost.
Findings – It is resilient to a number of security attacks like replay attack and meet-in-the-middle
attack, and is secure under chosen plaintext attack. This scheme is generic in nature and applicable
to a gamut of IoT applications. The paper proves the efficacy of our proposed scheme for a vehicle
tracking application in an emulated laboratory setup. Specifically, it compares the scheme with
DTLS-enabled CoAP to establish the lightweight feature of our proposed solution.
Research limitations/implications – This paper mainly focuses on implementing in-vehicle
tracking systems as an IoT application and uses CoAP as the application protocol.
Practical implications – Such a lightweight security scheme would provide immense benefit in IoT
systems so that resource-constrained sensing devices and nodes can be made secure. This would impact
IoT ecosystems to a large extent.
Originality/value – A security suite of this kind, providing both robustness and a lightweight feature,
is hitherto not known to the authors, particularly in CoAP for IoT applications.
Keywords Sensors, Security, Authentication, CoAP, IoT, Lightweight
Paper type Research paper
International Journal of Pervasive Computing and Communications
Vol. 10 No. 4, 2014
pp. 372-392
© Emerald Group Publishing Limited
1742-7371
DOI 10.1108/IJPCC-01-2014-0002
The authors thank Sitaram Venkata Chamarty and Praveen Gauravaram of Tata Consultancy
Services (TCS) Innovation Lab, Hyderabad, India, for their valuable comments and suggestions.
1. Introduction
With the advancement of software and hardware technology, Internet of Things (IoT)
applications and services like smart home management, intelligent transport system,
smart energy management and E-health become possible. In an IoT system, resource
(like energy, bandwidth and memory)-constrained sensing devices sense environmental
and physical parameters to constitute a cyber-physical system. Such sensed data is
communicated to a back-end infrastructure over the Internet directly or typically through
a sensor gateway. However, such communication should be secure enough to counter
different security threats, as the sensor data mostly carry personal and sensitive
information. Due to the constrained nature of such devices and gateways, it is, indeed, a
challenge to establish a secure yet lightweight communication channel when sensor
data is transferred over the Internet. It is established that Constrained Application
Protocol (CoAP) is the candidate protocol (Bandyopadhyay and Bhattacharyya, 2013a)
for IoT. In this paper, we propose a lightweight security scheme, mainly considering
secure channel establishment through mutual authentication in CoAP. When sensitive
data of IoT applications using CoAP is communicated to different stakeholders, the
following requirements are to be satisfied:
• mutual authentication between sensor, sensor gateway and back-end server;
• confidentiality and integrity of sensitive data; and
In fact, existing secure wireless protocols are not equipped to satisfy the above
requirements, particularly the need of substantial reduction of computational and
communication overhead (Li et al., 2012). In this work, we endeavor to embed a low
overhead security mechanism consisting of both authentication with integrated key
management and encryption on CoAP (Zenner, 2009). The proposed mechanism is
robust against different security-breaching attacks such as chosen plaintext attack,
replay attack and man-in-the-middle attack. We utilize the request-response layer of
CoAP to design a novel secure mode of CoAP by introducing a unique option in CoAP
header. We term our complete security scheme as “CoAPS-Lite” and the authentication
part is termed as “Auth-Lite”. Apart from ensuring secure channel establishment, it
further adapts handshaking level of its secure channel depending on the state of
application, like vehicle speed in intelligent transport system. Such adaptation further
reduces the communication cost in terms of bandwidth and power consumption. The
efficacy of our claims is shown in terms of latency, total bandwidth consumption and
computation cost by analyzing experimental results obtained in an emulated
environment.
The paper is organized as follows. In Section 2, we analyze the state-of-the-art. The
system architecture is described in Section 3. We present threat modeling and security
engineering in Section 4. In Section 5, our proposed low overhead security scheme and its
security analysis are described, and its implementation for CoAP for the vehicle tracking
application is illustrated. In Section 6, we discuss the experimental results and analysis.
Finally, we conclude our paper in Section 7.
2. Related work
Web-enablement of constrained sensors and gateways using a traditional Hypertext
Transfer Protocol (HTTP)-based protocol would be unsustainable and non-scalable.
CoAP is established as the candidate lightweight protocol (Bandyopadhyay and
Bhattacharyya, 2013a) for Internet connectivity of such energy-constrained sensors, and
it is evident from Table I (Colitti et al., 2011) and also shown in Figure 1, where another
competitive protocol MQ Telemetry Transport (MQTT) is chosen for performance
comparison. MQTT is a lightweight publish/subscribe protocol over Transmission
Control Protocol/Internet Protocol (TCP/IP). Bandyopadhyay and Bhattacharyya
(2013b) have shown improved performance of CoAP against HTTP. This argument is
supported by Hans (2012), who presents CoAP as the de facto protocol for IoT,
particularly for resource-constrained devices like smart meters and smart cards. However,
ensuring low overhead security on CoAP is a challenging task, particularly due to the
resource-constrained nature of sensing devices. A secure routing protocol in wireless
sensor networks is described by Sen and Ukil (2010). The CoAP Internet draft (Yegin and
Shelby, 2012) describes a few modifications to allow initialization, crypto-enablement and
other security options like authentication and integrity enablement. Establishing a secure
channel is of utmost importance even in the case of privacy preservation of sensitive data
(Ukil and Sen, 2010). Currently, the trend of using security schemes for sensor devices is
based on symmetric key (Eronen and Tschofenig). Another approach is based on
Datagram Transport Layer Security (DTLS), a datagram counterpart of Transport
Layer Security (TLS) (Modadugu and Rescorla, 2004). Such efforts do not suit
constrained sensor devices well, due to the computational overhead of public key
cryptosystems that use public key infrastructure (PKI)-based certification and the
communication overhead of a lengthy handshaking process. However, to adapt DTLS to
constrained devices, low overhead security schemes such as RawPublickey without
any X.509 certification are introduced using preconfigured public keys (Shelby
et al., 2013). However, DTLS has at least 25 bytes overhead per packet that carries a
fragment and fills around one-third of the usable frame-size (Hartke and Bergmann,
2012). Bandyopadhyay et al. (2013a) proposed a mechanism for protocol characteristics
adaptation based on sensed indication derived from the vehicle’s state, but it does not
define the use of secure channels with adaptive reliability. In fact, it is shown that DTLS
as a transport layer security fails to achieve the advantages of application layer security
(Brachmann et al., 2011; Granjal et al., 2013). One of the main drawbacks of considering
CoAP to leverage the Internet backbone is its requirement of integration with HTTP,
which is to be additionally facilitated by a CoAP-HTTP proxy. In a study by Hans (2012),
another approach of an IPv6 over Low power Wireless Personal Area Networks
(6LoWPAN)-based border router for secure CoAP–HTTP integration is shown. For
introducing a lightweight feature in CoAP security, the idea of 6LoWPAN header
compression is proposed (Raza et al., 2013; 2012). However, header compression does not
yield substantial performance gain, as DTLS is itself computationally heavy. We rather
focus on replacing DTLS completely or encapsulating the mutual authentication, key
management and encryption methods in the least computationally complex way.
Figure 1. Suitability of CoAP in IoT applications
In this paper, we focus on introducing a low overhead security mechanism using
symmetric key-based authentication and confidentiality for CoAP suitable for
constrained sensor devices and it has been applied with vehicle tracking application. We
also propose a scheme for adapting reliability of a secure channel, for further reduction
of communication overhead. With adaptive reliability, security suite implementation
becomes flexible, and the security suite can be applied based on the requirement or
condition. For example, when a sensor such as the in-car ambient temperature sensor posts
data, the security implication is low, hence clear text data transmission is permissible,
whereas the security suite needs to be applied for posting the car’s location data.
Figure 2. The system architecture shows the vehicle sensor gateway connecting to the
back-end over Internet using CoAP with the proposed authentication and security feature.
The total architecture uses a cross-proxy to convert the CoAP requests to HTTP and vice
versa. A remote user can securely connect to the back-end and access the vehicle tracker data
Figure 3. Security engineering and threat modeling
allows a stable and effectively engineered secure system. Our main concern is the
resource limitation due to resource constraint devices while our security requirements
are based on typical IoT applications like Intelligent Transportation Systems (ITS) and
E-health. We assume eavesdroppers, message interceptors in broadcast wireless
channel with substantial capability of replay attack, man-in-the-middle attack and
chosen plaintext attack (CPA). Also, it is assumed that nodes are hardware
tamper-resistant such that security primitives cannot be compromised. We consider a
bottom up approach for meeting limitation of resources. This allows stable and
effectively engineered secure system for considered use case. The security threats are
disclosure of sensitive information and resource consumption attacks.
5. Proposed method
For enabling secure CoAP, robust authentication and other security mechanisms need to
be supplied by communication security or by object security (within the payload). Our
proposed scheme has two components: CoAPS-Lite and Auth-Lite. CoAPS-Lite is the
component meant for enabling lightweight security in CoAP, and Auth-Lite is the
authentication part, meant for enabling lightweight authentication in typical IoT
systems. It is to be noted that in CoAPS-Lite we are concerned specifically with CoAP,
and along with Auth-Lite, CoAP header modification is part of our proposed solution.
We propose an adaptive lightweight security $S$ for sensor data $J$ in the overall
ecosystem of IoT as: Sensor device ($D$) $\xleftrightarrow{S(J)}$ Sensor gateway ($G$)
$\xleftrightarrow{S(J)}$ IoT backend ($\mathcal{B}$). Our
proposal, Auth-Lite (the authentication component of CoAPS-Lite), complements the
M2M requirements by securing CoAP through object security. It is a payload embedded
(object) security suite, as shown in Figure 4, layered within message and
request/response layers.
5.1 Authentication mechanism
Our proposed security solution is symmetric key-based authentication with integrated
key management. The exchanged symmetric key is used with Advanced Encryption
Standard (AES)128 Cipher Block Chaining (CBC) mode, the NIST recommended
ciphering scheme (Ukil et al., 2013). However, AES 128 CCM (Counter with CBC-MAC)
mode can also be chosen, which would provide the additional benefit of data integrity. This
method is payload embedded, thus minimizing the handshaking overhead. It consists of
the following phases:
• secret distribution;
• session initiation;
• server challenge; and
• sensor response.
Figure 4. CoAP-DTLS vs Auth-Lite
Figure 5. Proposed security protocol
Notation/symbol Meaning
tries to learn.
h: Attacker’s a priori knowledge on $K_i$.
$\{\mathbb{K}_p\}_{p \in P}$: Probability ensemble of key space of $K_i$, where $p$ is any key among universal
key set $P$.
As defined by Lindell (2010), in our semantic security model $(\Phi, \Psi, \Omega)$, [$\Phi$ : key
generation function for n, (key) $\Psi$, $\Omega$ : encryption, decryption on n and n(plain text)]
with symmetric-key authentication: for each probabilistic polynomial-time algorithm $Z$
there exists $Z'$ such that for $\{\mathbb{K}_p\}_{p \in P}$ the space of every polynomial-bound ensembles, every
polynomial-bound functions $g, h : \{0, 1\}^* \to \{0, 1\}^*$, every positive polynomial $p(\cdot)$ and all
sufficiently large $n$:
$< \Pr\left[ Z'\left(1^n, 1^{|\mathbb{K}_p|}, 1^{|\mathbb{K}_p|}, h(1^n, \mathbb{K}_p)\right) = g(1^n, \mathbb{K}_p) \right] + \frac{1}{p(n)}$
Proposed nonce-based authentication and key exchange method $\Psi$ is semantically
secure under CPA for all attacker $A$, Advantage of $A$ over $\Psi$ [ADV($A$, $\Psi$)] under CPA if
(Boneh, 2012):
where, $\to 0$.
Here, $\le 2^{-48}$. $\Psi$ is AES-based in CBC mode, which has cipher gain of $2^{32}$. It can be
proved that $\Psi$ requires key-refreshment of $2^{48}$ blocks (Boneh, 2012).
Proof sketch (Boneh, 2012): For every adversary $\mathcal{A}$ attacking $\Psi_{CBC}$, there exists a
PRP (Pseudo Random Permutation) adversary $\mathcal{B}$ such that:
$\mathrm{Adv}_{CBC}[\mathcal{A}, \Psi_{CBC}] \le 2 \cdot \mathrm{Adv}_{PRP}[\mathcal{B}, \Psi] + \frac{q^2 l^2}{|X|}$
Security is when $q^2 l^2 \ll |X|$
With AES-128: $|X| = 2^{128}$, $ql < 2^{48}$
Nonces are generally generated using larger length random number generation
(RNG) to minimize collision attack. However, in practice, true RNG is difficult to find
(Zenner, 2009). Our solution uses a pseudo random number generation (PRNG)
appended with a timer (counter). Nonce is non-reproducible due to randomness of j
(PRN) along with monotonic incremental nature of ᐀j (timer). j is generated in
pseudo-random way, and its inclusion with ᐀j assures that replay attack is improbable:
␣2 ⫺ ␣
c | max ⱖ
2. 2
␣2 ⫺ ␣ ␣2
2 ⱖ ⬵ 2 ⱖ ,
2. c | max 2. c | max
when ␣ ⬎⬎ 1
We have considered, ␣ ⫽ 256 and cⱍmax ⫽ 2⫺56
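The nonce construction described above (a pseudo-random value with a monotonically increasing timer/counter appended) and the receiver-side replay check it makes possible, as an added example that is not code from the paper. Field sizes, class names and the device id are assumptions; `min_prn_bits` applies the standard birthday approximation, with 256 and 2^-56 used as sample inputs read as nonce count and collision bound (also an assumption).

```python
"""Added example: nonce = PRN || monotonic counter, with a replay check.

Field sizes and every name below are assumptions made for illustration.
"""
import secrets
import struct
from fractions import Fraction

PRN_BYTES = 9   # assumed PRN length: 72 bits
CTR_BYTES = 8   # assumed timer/counter length: 64 bits, big-endian


def min_prn_bits(n_nonces: int, p_collision_max: float) -> int:
    """Smallest b such that n(n-1) / (2 * 2**b) <= p_collision_max."""
    need = Fraction(n_nonces * (n_nonces - 1), 2) / Fraction(p_collision_max)
    ceil_need = -(-need.numerator // need.denominator)
    return max(ceil_need - 1, 0).bit_length()


class NonceSource:
    """Sender side: a fresh PRN plus a counter that only ever increases."""

    def __init__(self, start: int = 0):
        self._counter = start

    def next_nonce(self) -> bytes:
        self._counter += 1
        return secrets.token_bytes(PRN_BYTES) + struct.pack(">Q", self._counter)


class ReplayGuard:
    """Receiver side: remembers the highest counter accepted per device id.

    Call check() only on a nonce recovered from a message that already
    decrypted correctly under the shared key; otherwise a forged high
    counter would lock the genuine device out.
    """

    def __init__(self):
        self._highest = {}

    def check(self, device_id: str, nonce: bytes) -> str:
        if len(nonce) != PRN_BYTES + CTR_BYTES:
            return "malformed"
        (counter,) = struct.unpack(">Q", nonce[PRN_BYTES:])
        if counter <= self._highest.get(device_id, 0):
            return "replay"          # same or older counter than already seen
        self._highest[device_id] = counter
        return "fresh"


def demo() -> list:
    """Constructed exchange: two genuine nonces, a replay, a reboot, a short nonce."""
    gateway = NonceSource()
    server = ReplayGuard()
    n1, n2 = gateway.next_nonce(), gateway.next_nonce()
    rebooted = NonceSource()         # counter restarts at zero after a reboot
    return [
        server.check("gw-01", n1),                     # first use
        server.check("gw-01", n2),                     # counter advanced
        server.check("gw-01", n1),                     # captured message re-sent
        server.check("gw-01", rebooted.next_nonce()),  # rejected until counter catches up
        server.check("gw-01", n2[:-1]),                # truncated nonce
    ]


if __name__ == "__main__":
    print(min_prn_bits(256, 2 ** -56), demo())
```

The reboot case shows why the counter has to be persisted or seeded from a real-time clock: a restarted counter is indistinguishable from a replay.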
Figure 6. Options introduced into the CoAP header to embed the proposed security scheme
Figure 7. Embedding the authentication mechanism on CoAP
our use case (Ukil et al., 2013). This justifies the piggybacking of authentication payload with
response of confirmable message (Figure 8).
5.3.2 Embedding confidentiality. After authentication, the data encrypted using “K” is
posted using POST in CON mode with a newly introduced option type “DEC_CONF” in the
header. After decryption, the server decides whether to send a response code depending on
whether the received value of “DEC_CONF” is true or false. If “DEC_CONF” is false, it does
not send any response; otherwise, it sends a response. This response message consists of a
response code indicating the success or failure of decryption. According to this status, the
client resends the previous encrypted data. We have piggybacked the response code on the ACK
message of the CON mode of POST, as the decryption time at the server end is on average
0.67 seconds, obtained from our experimental results, which is significantly less than the
retransmission timeout of CoAP. However, we propose a separate response path, as depicted
in Figure 7, to send the decryption status when the decryption time is significantly large. This is
an optional feature of our proposed method and depends on an application’s need.
There is another option we have proposed for the confidentiality phase, where the
sensor gateway sends an option type “OMIT_DEC_STAT” in the header of a POST
message, along with the encrypted sensor data payload, as depicted in Figure 9. This time, CoAP
running in the sensor gateway adopts the NON (non-confirmable) mode while sending the POST
message. The server at the other end, after obtaining the encrypted message with option type
“OMIT_DEC_STAT”, does not send any decryption status; additionally, this time no
response message is sent from the server (Bandyopadhyay et al., 2013a; 2013b). This further
reduces the amount of handshaking.
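Both sides of the confidentiality phase described above, written out as an added example that is not code from the paper. The option names DEC_CONF and OMIT_DEC_STAT are the page's; the status labels, the tuple layout, the empty ACK for a CON message and the piggyback cut-off are assumptions.

```python
# Added example: server and gateway decisions in the confidentiality phase.
# Status labels, message tuples and the piggyback cut-off are assumptions.
from dataclasses import dataclass, field

ACK_TIMEOUT_S = 2.0                       # CoAP default ACK_TIMEOUT (RFC 7252)
PIGGYBACK_LIMIT_S = 0.5 * ACK_TIMEOUT_S   # assumed: slower decryption uses the separate path


@dataclass
class Post:
    mode: str                                     # "CON" or "NON"
    options: dict = field(default_factory=dict)   # e.g. {"DEC_CONF": True}


def server_replies(msg: Post, decrypt_ok: bool, decrypt_seconds: float) -> list:
    """Messages the server sends back, in order, as (type, status) tuples."""
    status = "DECRYPT_OK" if decrypt_ok else "DECRYPT_FAIL"   # hypothetical labels
    if msg.mode == "NON" and msg.options.get("OMIT_DEC_STAT"):
        return []                                  # no status and no response at all
    if msg.mode == "CON" and "DEC_CONF" in msg.options:
        if not msg.options["DEC_CONF"]:
            # No response code. The empty ACK is the CoAP message layer
            # acknowledging a CON message (assumed; not spelled out on the page).
            return [("ACK", None)]
        if decrypt_seconds < PIGGYBACK_LIMIT_S:
            return [("ACK", status)]               # status piggybacked on the ACK
        return [("ACK", None), ("CON", status)]    # separate response path
    raise ValueError("mode/option combination not described by the scheme")


def client_action(sent: Post, replies: list) -> str:
    """What the sensor gateway does once the replies (or silence) arrive."""
    if any(code == "DECRYPT_FAIL" for _, code in replies):
        return "resend-encrypted-data"
    if sent.mode == "CON" and not replies:
        return "coap-retransmit"                   # lost POST or lost ACK
    return "done"


def messages_on_wire(replies: list) -> int:
    """The POST, the replies, and the gateway's ACK for a separate CON response."""
    return 1 + len(replies) + sum(1 for kind, _ in replies if kind == "CON")


def walkthrough() -> list:
    """Constructed cases: (label, replies, gateway action, messages on the wire)."""
    cases = [
        ("fast decrypt", Post("CON", {"DEC_CONF": True}), True, 0.67),
        ("decrypt fails", Post("CON", {"DEC_CONF": True}), False, 0.67),
        ("slow decrypt", Post("CON", {"DEC_CONF": True}), True, 1.8),
        ("status not wanted", Post("CON", {"DEC_CONF": False}), True, 0.67),
        ("non-reliable mode", Post("NON", {"OMIT_DEC_STAT": True}), True, 0.67),
    ]
    out = []
    for label, msg, ok, secs in cases:
        replies = server_replies(msg, ok, secs)
        out.append((label, replies, client_action(msg, replies),
                    messages_on_wire(replies)))
    return out


if __name__ == "__main__":
    for row in walkthrough():
        print(row)
```

The message counts make the trade-off concrete: four messages on the separate path, two when the status is piggybacked, one with OMIT_DEC_STAT, at the cost of the gateway never learning that a decryption failed.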
Table IV. Computation time (seconds) at different phases of authentication at sensor gateway
Encryption
  128 bit                     NA       NA
  256 bit                     1.372    NA
Decryption
  128 bit                     NA       0.731
  256 bit                     1.431    NA
Overall computation time      2.837    0.734
Figure 8. Exchange of data payload through a secure channel after the successful authentication
5.4 Authentication round trip in DTLS and CoAPS-Lite
The protocol is significantly lightweight as no separate authentication or key exchange
processes are required. The authentication and key exchange protocol consists of a few phases
like secret distribution phase, session initiation phase, server challenge phase and sensor
response phase, as depicted in Figure 10 (Ukil et al., 2014). Our proposed method is a two
round-trip process as compared to CoAP + DTLS, which is at least a four round-trip
process (Hartke and Bergmann, 2012). Below, we show comparative analysis of
authentication in CoAP, CoAP-DTLS and CoAPS-Lite.
device is enabled with Ethernet, WiFi, ZigBee and Cellular interfaces. The operating system of
this device is a small-footprint Linux, and it is packaged with a customized Python 2.6
library. For the laboratory experiment, we use an Ethernet connection for device login and
interconnection among server, sensor and network emulator. We emulate wireless conditions
inside the laboratory, where the network emulator WANEM is used (Kalitay and Nambiarz, 2011).
We consider a stringent wireless network condition with 9.6KBps data rate and three types
of packet loss: 0, 10 and 20 per cent. To eliminate synchronization issues, we examined closed
loop latency. We show the performance comparison in Figure 12, and it is found that the latency
overhead for incorporating our method does not exceed 5 per cent when packet loss is 20 per
cent. In the case of 0 per cent packet loss, latency is almost similar. Another performance
comparison is the bandwidth requirement of our proposed security scheme and normal CoAP
(Ukil et al., 2013). We experimented with two different payloads: one with a 30-second data
accumulation period (≈ 820 Bytes) and another with a 60-second data accumulation period
(≈ 950 Bytes). We find that the message size increment in secure CoAP is less than 2 per cent,
as shown in Figure 13 (Ukil et al., 2013).
Performance comparison in terms of bandwidth consumption statistics between
Auth-Lite and DTLS-CoAP (pre-shared key mode) is shown in Figure 14. The sensor gateway at
the beginning initiates the authentication process by sending <HELLO, #id> to the back-end
server at 0. Say $\mathcal{M}$ forward packets and $N$ backward
packets are transmitted between the sensor gateway and the back-end server to complete the
authentication process. Therefore, the total authentication bandwidth consumption
(handshake bandwidth consumption in case of DTLS pre-shared key mode) is:
Figure 9. Adaptation of reliability based on vehicle-state. Sensor-gateway adapts
non-reliable mode; sends an indication to server to suppress decryption status as well as
the response code
Figure 10. Round trip of CoAP (a), CoAP with proposed security mechanism (b), CoAP with
DTLS (c). It can be observed that in normal CoAP, number of round trips for data transfer
initiation is one. In DTLS-based CoAP, authentication process requires at least four round
trips. In our proposed security, two round trips are required
兺 兺
ᏹ N
total ⫽ i⫽1
i | forward ⫹ i⫽1
i | backward
Basically, we calculate bandwidth consumption starting at the instant 0, step # 1 to the
instant (end ) when authentication process ends, i.e. Step 4 for Auth-Lite in Figure 3 or Step 6
for DTLS in Figure 4. We calculate bandwidth consumption of authentication process in
Auth-Lite and handshake for DTLS pre-shared key mode individually, which are reported
as: Auth-Lite and DTLS, respectively. We have taken 200 sets of data for both Auth-Lite, DTLS.
We consider mean of these 200 sets of data to find out an estimate of Auth-Lite, DTLS. For
better lightweight performance, lower bandwidth consumption () is desirable. We conduct
experiments according to the test configuration (Figure 5) with 0, 10 and 20 per cent packet
error conditions, which are reported as: Auth-Lite|0%, Auth-Lite|10%, Auth-Lite|20%; DTLS|0%,
DTLS|10%, DTLS|20%. We depict the results in Figure 14 (Ukil et al., 2014).
Considering bandwidth consumption as a definite indicator of lightweight property, we
can definitely claim that our proposed scheme Auth-Lite significantly outperforms DTLS, as
shown in Figure 14 (Figure 15).
7. Future work
DTLS has received significant attention recently for constrained node or network
applications like in CoAP. Yet there are a few challenges when it comes to implementing it in
such an environment. DTLS records can be large in size for a single 6LoWPAN payload.
Also, DTLS fragmentation can add a significant overhead on the number of datagrams and
bytes transferred. Packet loss is also still a big problem for the constrained nodes; buffers
must be large enough to hold all messages after reassembly, and losing a single fragment will
cause all fragments of a message flight to be retransmitted, especially during key and
certificate exchange. DTLS recommends an initial timer value of 1 second. Given the
relatively large amount of time required by some algorithms when executed on constrained
devices, an initial value of 1 second can easily lead to spurious retransmissions. Compared to
TLS, DTLS exacerbates the connection initiation; a DTLS handshake has an additional
round-trip that results from the addition of a stateless cookie exchange. As such, nodes with
very constrained main memory suffer from the complexity of the connection initiation phase
of the DTLS handshake protocol. DTLS uses the cookie exchange technique to mitigate DoS
attacks in which the attacker sends ClientHello messages to launch an amplification
attack. Particularly, in pre-shared key mode, the client computes a Pre-Master Secret and
Master Secret from the pre-shared key and then sends a ClientKeyExchange message to the
server containing a psk_identity that is used by the server to look up the required pre-shared
key. However, such a scheme is vulnerable to replay attack and meet-in-the-middle attack.
Moreover, cookie exchange in plain text is not robust. Specifically, such customized DTLS in
CoAP lacks an authentication feature, mandatory for any secure system. Auth-Lite can be
leveraged to provide robust authentication on DTLS pre-shared key mode as depicted in
Figure 16. Such layering would introduce proper mutual authentication in DTLS-CoAP (not
present in pre-shared key mode). It also eliminates vulnerable cookie exchange for
handshaking and psk_identity. In fact, in Auth-Lite the pre-shared key of DTLS would be
replaced as “pre-shared secret” so that keying elements are not exposed in transmission.
Therefore, Auth-Lite on DTLS pre-shared key would provide a superior security feature along
with a mutual authentication layer, as shown in Figure 16 (Ukil et al., 2014). Specifically, this
paper is an extended version of our previous works (Ukil et al., 2013; 2014). We intend to
further demonstrate the efficacy of our scheme for other applications like smart meter and
E-health that demand resource-optimized data transportation and security.
Figure 11. Experimental set up using a private network and WANem for performance testing
of modified CoAP using DigiConnectPort X5 as sensor gateway with secure CoAP client and
CoAP server running in standard PC with required modifications
Figure 12. Closed-loop latency comparison at different packet loss (per cent) condition
between CoAP and secure CoAP with our proposed mechanism
Figure 13. Bandwidth consumption (in bytes) comparison using different data accumulation
period (in seconds)
Figure 14. Performance comparison Auth-Lite vs DTLS (pre-shared key mode)
Figure 15. Closed-loop configuration for performance comparison between Auth-Lite and DTLS
Figure 16. Auth-Lite integrated DTLS (layers shown in the figure: Application,
Request-response, Message, Auth-Lite, DTLS (pre-shared key mode), UDP)
8. Conclusion
In this paper, a lightweight security mechanism using CoAP is presented for IoT
scenarios. We specifically developed a method to enhance CoAP and implemented it
considering a vehicle tracking application. Our proposed security scheme is resilient
to typical security threats in an IoT system (Ukil, 2010b; Ukil et al., 2011). It has a
low overhead due to payload embedded symmetric key-based authentication with
integrated key management. This makes it ideal for securing resource-constrained
sensor devices. We introduced a unique header option in CoAP to establish a secure
channel between the sensor gateway and the back-end server. The key idea is to
design the secure mode of CoAP to be as light as possible. Another novel
contribution of our work is to reduce the number of handshakes for reliability based on
the vehicle state information, particularly when the vehicle is running at a high
speed. Experimental results establish that our proposed security scheme has a
low-overhead feature in comparison with the DTLS pre-shared key-based security
scheme, and also establish that our proposed secure scheme for CoAP improves
performance in terms of security, robustness and resource utilization in typical
IoT applications. Our proposed scheme Auth-Lite is low overhead due to its unique
nonce-respecting object security. This makes Auth-Lite ideal for securing M2M
systems. We have experimentally demonstrated the lightweight feature of
Auth-Lite by bandwidth comparison. Our future scope of work is to propose a
modification of Auth-Lite to support multi-casting and to investigate cryptanalysis
of Auth-Lite under a broad spectrum of attack scenarios.
References
Bandyopadhyay, S., Bhattacharyya, A. and Pal, A. (2013a), Adapting Sensed Indication for
Vehicular Analytics, SenSys, ACM, Roma.
Bandyopadhyay, S. and Bhattacharyya, A. (2013a), “Lightweight Internet protocols for web
enablement of sensors using constrained gateway devices”, International Conference on
Computing, Networking and Communication, IEEE, San Diego, CA, pp. 334-340.
Bandyopadhyay, S. and Bhattacharyya, A. (2013b), “Energy efficient sensor data distribution
using mobile phone in cyber-physical-system”, 14th International Conference on
Distributed Computing and Networking, Mumbai.
Bhattacharyya, A., Bandyopadhyay, S. and Pal, A. (2013b), “CoAP option for no server-response,
draft-tcs-coap-no-response-option-04”, available at:
http://tools.ietf.org/pdf/draft-tcs-coap-no-response-option-04.pdf
Boneh, D. (2012), “Stanford University”, available at:
http://crypto.stanford.edu/~dabo/cs255/lectures/PRP-PRF.pdf
Brachmann, M., Garcia-Morchon, O. and Kirsche, M. (2011), “Security for practical CoAP
applications: issues and solution approaches”, Proceedings of the 10th GI/ITG KuVS
Fachgespraech Sensornetze (FGSN11), Paderborn, pp. 15-16.
Colitti, W., Steenhaut, K. and Caro, N.D. (2011), “Integrating wireless sensor networks with web
applications”, in Extending the Internet to Low power and Lossy Networks, IPSN.
Eronen, P. and Tschofenig, H. (2005), “Pre-shared key ciphersuites for transport layer security
(TLS)”, RFC 4279, December.
Granjal, J., Monteiro, E. and Silva, J.S. (2013), “Application-layer security for the WoT: extending
Web sites
www.digi.com/products/wireless-routers-gateways/routinggateways/connectportx5#overview
www.trustedcomputinggroup.org/resources/tpm_main_specification
He has also filed for more than 45 patents and has 5 patents granted to him. He is an editor for
reputed journals like ACM Transactions on Embedded Computing and IEEE Transactions on
Emerging Topics in Computing (special issue on Emerging Computing Technologies for Resilient
& Robust Intelligent Infrastructure). He is in the program committee of various eminent
conferences and is a senior member of IEEE. He had been earlier with Defense Research and
Development Organization (DRDO) of Indian Govt. working on Missile Seeker Signal Processing.
He has also worked with Macmet Interactive Technologies, leading their real-time systems group
in the area of Interactive TV and Set-top boxes.
Tulika Bose is presently working as a Developer at TCS, Innovation Labs, Kolkata. She did her
masters in Distributed and Mobile Computing from Jadavpur University, Kolkata, and is a gold
medalist. She did her BTech in Computer Science and Engineering from Haldia Institute of
Technology, West Bengal. Her areas of research interests are primarily Network Security and
network protocols.