
2018 IEEE International Congress on Internet of Things

Authenticated Key Management Protocols for Internet of Things

Celia Li
Department of Electrical and Computer Engineering
Ryerson University
Toronto, Canada

Cungang Yang
Department of Electrical and Computer Engineering
Ryerson University
Toronto, Canada

e-mail: [email protected]

Abstract—The Internet of Things (IoT) provides transparent and seamless incorporation of heterogeneous and different end systems. It has been widely used in many applications such as smart homes. However, people may resist the IoT as long as there is no public confidence that it will not cause any serious threats to their privacy. Effective secure key management for things authentication is the prerequisite of security operations. In this paper, we present an interactive key management protocol and a non-interactive key management protocol to minimize the communication cost of the things. The security analysis shows that the proposed schemes are resilient to various types of attacks.

Keywords- Internet of things; Authentication; Key management; Self-certified keys

I. INTRODUCTION

The Internet of Things (IoT) comprises billions of devices that can sense, communicate, compute and potentially actuate [1][2][3]. IoT involves accessing, monitoring and controlling various sensors and devices over the internet. A great example of an IoT application is smart homes. Household systems like smart smoke alarms, air quality sensors, smart doorbells and home monitoring devices can now communicate with smart watches and activity trackers. After an activity tracker has assessed your sleep – determining when you are in light sleep – it can tell your alarm clock to go off. Your alarm clock, together with your phone, will check the weather just before you wake up (based on your preference and sleep cycle) and tell the air conditioners in your car and your home to change the temperature accordingly. Navigation apps on your smart phone – after gathering information from your weather app – can predict how the weather will affect traffic congestion and plan a route to your work. As the communication between IoT devices may include sensitive and critical data, the security requirements for any IoT-based system are high. To set up a secure channel between different devices such as an air quality sensor and a smart watch, a number of security operations (authentication, authorisation and data integrity) are needed. Since key management is the prerequisite of these security operations, the motivation of this research is thus to develop pairwise key generation and rekeying schemes for IoT devices.

So far, the research on the secure key issues of the IoT has focused on homogeneous and heterogeneous wireless sensor networks. Perrig [4] presented a suite of security protocols optimized for sensor networks that they called 'SPINS'. The suite is built upon two secure building blocks, each performing individual required work: SNEP and TESLA. SNEP offers data confidentiality, authentication, integrity and freshness, while TESLA offers broadcast data authentication. The TESLA protocol, used on regular networks, is modified in SPINS for use in resource-constrained WSNs. Disadvantages of this scheme include TESLA overhead from releasing keys after a certain delay and possible message delay. A non-interactive key management approach is introduced in the article "Self-certified keys - concepts and applications" [5]. This scheme allows the computation of a session key in a non-interactive manner. Non-interactive key management protocols involve minimal interaction among the nodes of the network but require a global clock. In a key pre-distribution scheme [6][7][8], some keys are preloaded into each sensor before sensor deployment. After deployment, sensor nodes undergo a discovery process to set up shared keys for secure communications. This scheme ensures with some probability that any two sensor nodes can communicate using a pairwise key. This scheme does not, however, ensure that two nodes are always able to compute a pairwise key to use for secure communication.

The contribution of this work is developing pairwise key generation and rekey schemes for IoT devices. In particular, we bring in a novel interactive key management protocol which is resilient to attacks and saves communication cost. Moreover, we propose a secure non-interactive key management protocol which further reduces the communication cost to close to zero.

II. AN INTERACTIVE KEY MANAGEMENT SCHEME

The interactive key management scheme between two devices, A and S, is comprised of two phases, as shown in Figure 1. In phase 1, A requests to communicate with S. They mutually authenticate each other with a ticket-based authentication protocol and generate a Pairwise Master Secret (PMK). In phase 2, following the establishment of the PMK, a session key rekey protocol is executed to confirm the existence of the PMK and the liveness of the peers; the session key rekey protocol supports Perfect Forward Secrecy (denoted PFS), which refers to the property that disclosure of the long-term PMK does not compromise the session keys from earlier runs.

978-1-5386-7244-0/18/$31.00 ©2018 IEEE


DOI 10.1109/ICIOT.2018.00024
Figure 1: Interactive Key Management Protocol

1) Phase 1: Authentication and PMK Generation

Tickets are used to establish the trust relationships among entities. For example, device A will trust device S if the ticket of S is valid and issued by a ticket agent A trusts. A ticket agent is defined as an authority who issues and manages various types of tickets and can be trusted by various entities in the IoT. Before deployment of IoT devices, the network operator, denoted by OP, requests tickets from a ticket agent, one per device, and preinstalls the ticket on each node. The OP is also responsible for requesting and distributing new tickets before the current tickets expire.

With tickets built into the design of the key management protocol, key generation and negotiation between IoT devices do not need the involvement of a third party such as a key distribution center or an authentication server. Exchanging messages only between the pair of devices dramatically reduces the communication cost of the network.

In phase 1, devices A and S exchange their tickets and verify the validity of each other's tickets. The trust relationship between A and S from the same network is based on their exchanged tickets, which should be issued by the same ticket agent. The results of the protocol are mutual authentication of the pair and the generation of a shared PMK key, which is the basis for the following process to create the session key for data confidentiality.

2) Session key rekey:

The session key rekey protocol is shown in phase 2 of Figure 1. Here, we assume g and p are public information known by both A and S.

(1) The first message is $g^{N_A} \bmod p$, $V_{PMK}\{g^{N_A} \bmod p\}$. Device A generates a random number $N_A$ and calculates the MAC value of $g^{N_A} \bmod p$ with the PMK key. Device S authenticates A.

(2) S generates a random number $N_S$ and $g^{N_S} \bmod p$ and calculates the MAC value of $g^{N_S} \bmod p$ with the PMK key. With this step, A authenticates S.

Both A and S then calculate the DH key $K_{DH} = g^{N_A N_S} \bmod p$ and their shared session key $K_M$ by applying a hash function H to the message $\{K_{DH} \oplus N_{S0} \oplus N_{A0}\}$, where $N_{S0}$ and $N_{A0}$ are the random numbers generated in steps (1) and (2). That is, $K_M = H(K_{DH} \oplus N_{S0} \oplus N_{A0})$.

(3) A sends an acknowledgement message, msg1, $V_{K_M}\{AA, msg1\}$, to S. S authenticates A.

(4) S sends an acknowledgement message, msg2, $V_{K_M}\{msg2\}$, to A. A authenticates S.

III. THE NON-INTERACTIVE KEY MANAGEMENT PROTOCOL (NON-INT)

A. Overview

The authenticity of public keys in a public key cryptosystem is gained in two different ways: either it is verified by a certificate, or it is verified implicitly during the use of the keys. The latter was introduced by Girault as self-certified keys [9]. Self-certified keys are not verified until they are used for a cryptographic function such as signature verification. The public key of each node is verified without the aid of a public key certificate or an online Certificate Authority (CA) [5]. The concept of self-certified keys is employed in this paper due to its simple non-interactive rekey mechanism. In this section, by coupling the ticket-based technique with self-certified keys, we obtain a fully non-interactive key management protocol for the IoT. In contrast with prior work [5], our techniques for session key update do not require any interaction and do not involve any reliable broadcast communications among devices. Here, we present a new scheme that allows both device A and S to compute or rekey a session key in a non-interactive manner. We achieve this result by using user-controlled key progression. Compared with interactive key management schemes, the new non-interactive approach further reduces the communication cost of session key generation and rekey to zero or close to zero.

B. Bootstrapping

The network is initialized by the network operator OP. OP chooses large primes p and q with $q \mid (p-1)$ (q is a prime factor of $p-1$). OP chooses a random number $K_A \in Z_q^*$ with order q and generates its (public, private) key pair $(y_Z, x_Z)$. We assume that the public key $y_Z$, p, q and g are preinstalled on every node of the network. To issue the private key for a device A with identifier $ID_A$, OP computes the signature parameter $r_A = g^{k_A} \pmod p$ and $s_A = x_Z \cdot h(ID_A, r_A) + k_A \pmod q$. $r_A$ is called the guarantee and $x_A = s_A$ is A's private key. The public key of A can be computed by any node that has $y_Z$, $ID_A$ and $r_A$ using the equation $y_A = y_Z^{h(ID_A, r_A)} \cdot r_A \pmod p$. We denote this initial key pair as $(x_{A,0}, y_{A,0})$. We assume that each node has installed the initial pair of public and private keys issued by the OP.
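The session key rekey protocol of Section II (phase 2 of Figure 1), worked through as an added example; this is not the paper's code. It assumes HMAC-SHA256 for $V_K\{\ldots\}$, SHA-256 for H, constructed toy-sized group parameters, and that the nonces $N_{A0}$ and $N_{S0}$ travel alongside the DH shares in messages (1) and (2); the run also shows that a peer without the PMK, or a share altered in transit, is rejected before any session key is derived.

```python
import hashlib
import hmac
import secrets

# Constructed toy-sized DH parameters for illustration only: p = 2q + 1 is prime
# and g = 4 has prime order q in Z_p*. The paper's setting uses 2048- or 3072-bit moduli.
P, Q, G = 2039, 1019, 4

def mac(key, *parts):
    """V_K{...} of the paper, realised here as HMAC-SHA256 over the joined fields (assumption)."""
    return hmac.new(key, "|".join(str(x) for x in parts).encode(), hashlib.sha256).digest()

def session_key(k_dh, ns0, na0):
    """K_M = H(K_DH xor N_S0 xor N_A0), with SHA-256 standing in for H (assumption)."""
    return hashlib.sha256(str(k_dh ^ ns0 ^ na0).encode()).digest()

class Device:
    def __init__(self, name, pmk):
        self.name, self.pmk, self.km = name, pmk, None
        self.n = secrets.randbelow(Q - 1) + 1    # DH exponent N_A or N_S
        self.n0 = secrets.randbelow(P)           # nonce N_A0 or N_S0
        self.share = pow(G, self.n, P)           # g^N mod p

    def first_message(self):
        """Messages (1) and (2): g^N mod p, the nonce, and V_PMK{g^N mod p, nonce}."""
        return self.share, self.n0, mac(self.pmk, self.share, self.n0)

    def accept_share(self, peer_share, peer_n0, tag):
        """Authenticate the peer via the PMK-keyed MAC, then derive K_DH and K_M."""
        if not hmac.compare_digest(tag, mac(self.pmk, peer_share, peer_n0)):
            return False                         # peer lacks the PMK or the share was altered
        self.km = session_key(pow(peer_share, self.n, P), peer_n0, self.n0)
        return True

    def ack(self, msg):
        """Messages (3) and (4): acknowledgement msg with V_KM{name, msg}."""
        return msg, mac(self.km, self.name, msg)

    def verify_ack(self, peer_name, msg, tag):
        return hmac.compare_digest(tag, mac(self.km, peer_name, msg))

def run_rekey(pmk_a, pmk_s, altered_share=False):
    """Phase 2 of Figure 1. Returns (S authenticated A, A authenticated S, acks verified, K_M equal)."""
    a, s = Device("A", pmk_a), Device("S", pmk_s)
    share_a, na0, tag_a = a.first_message()
    if altered_share:                            # share modified in transit: the PMK MAC no longer matches
        share_a = pow(share_a, 2, P)
    s_auth_a = s.accept_share(share_a, na0, tag_a)
    share_s, ns0, tag_s = s.first_message()
    a_auth_s = s_auth_a and a.accept_share(share_s, ns0, tag_s)
    if not a_auth_s:
        return s_auth_a, a_auth_s, False, False
    msg1, tag1 = a.ack("msg1")
    msg2, tag2 = s.ack("msg2")
    acks = s.verify_ack("A", msg1, tag1) and a.verify_ack("S", msg2, tag2)
    return s_auth_a, a_auth_s, acks, a.km == s.km
```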

C. Self-Certification

The non-interactive key management protocol is comprised of two phases. Phase 1 in Figure 2 is in charge of the PMK key generation and rekey, which is interactive. Phase 2 covers the session key generation and rekey, which is non-interactive.

For the original non-interactive scheme, for each PMK update, devices A and S need to exchange $r_{A,t} = g^{K_{A,t}} \bmod p$ and $r_{S,t} = g^{K_{S,t}} \bmod p$ where $1 \le t \le n$. This scheme wastes valuable bandwidth because each $r_{A,t}$ or $r_{S,t}$ could be as large as 2048 bits or 3072 bits, and the number n is uncertain since the number of session key updates within a PMK rekey interval is unknown.

1) Phase 1: Ticket-based Authentication and PMK Generation

Phase 1 of the non-interactive key management protocol proceeds as follows.

(1) The first message $T_A$ includes R and $V_{PMK}\{R\}$. Device A generates a random number R and calculates the MAC value of R with the PMK key. Device S authenticates A because only A has the shared PMK to generate the MAC value.

(2) Upon receiving the second message, A decrypts it using its private key and verifies the digital signature of the ticket agent who issued the ticket $T_S$ using the ticket agent's public key. A receives three random numbers $N_{S0}$, $N_{S1}$, $N_{S2}$ and $g^{N_S} \bmod p$, where $N_S$ is the secret value generated and held by S. A verifies other information of ticket $T_S$, such as the ID of the ticket agent who issued $T_S$ and the ticket expiry date.

(3) If the above verifications succeed, A retrieves S's public key from ticket $T_S$ and generates a message $M_A$ containing $g^{N_A} \bmod p$, $l$, $\Delta T$, $F$ and three random numbers $N_{A0}$, $N_{A1}$ and $N_{A2}$. $N_A$ is the secret value generated and held by A. A then encrypts message $M_A$ using S's public key and sends the encrypted message to S. S decrypts the message using its private key and retrieves $g^{N_A} \bmod p$, the length of the one-way hash chain $l$, the session key progression interval $\Delta T$, the lifetime of the PMK $F$ and the three random numbers $N_{A0}$, $N_{A1}$ and $N_{A2}$. Again, S authenticates A in this message.

(4) In message 4, S verifies A's authenticity. Finally, both A and S calculate the DH key as $K_{DH} = g^{N_A N_S} \bmod p$ and derive the initial $V_{A,1}$ and $V_{S,1}$ values as $H(K_{DH} \oplus N_{A0} \oplus N_{S0})$.

In phase 1, whenever the PMK is generated or rekeyed, A and S generate their new secret values $N_A$ and $N_S$, which are the basis to derive new session keys in the second phase. After phase 1, both A and S know their common secret value V as well.

Figure 2: Non-interactive Key Management Protocol

2) Phase 2: Session Key Generation and Rekey

$x_{A,0}$, $x_{S,0}$, $y_{S,0}$ and $y_{A,0}$ are assigned by the OP. $y_{S,0}$ and $y_{A,0}$ are exchanged by A and S with the second and third messages of phase 1.

We define $K_{A,t} = K_{A,t-1} \cdot V \bmod p = K_{A,t-1} \cdot H(K_{DH} \oplus N_{A0} \oplus N_{S0}) \bmod p = K_{A,1} \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1} \bmod p$ and $K_{A,1} = N_A$. Thus, $K_{A,t} = N_A \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1} \bmod p = N_A \cdot V^{t-1} \bmod p$.

$r_{A,1} = g^{K_{A,1}} \bmod p = g^{N_A} \bmod p$

$r_{A,t} = g^{K_{A,t}} \bmod p = g^{N_A \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1} \bmod p} \bmod p = g^{N_A \cdot V^{t-1}} \bmod p$.

For device S, $K_{S,1} = N_S$ and $K_{S,t} = N_S \cdot V^{t-1} \bmod p$; $r_{S,1} = g^{N_S} \bmod p$ and $r_{S,t} = g^{N_S \cdot V^{t-1}} \bmod p$.

In phase 2, A keeps its secret value $K_{A,1} = N_A$ and derives $K_{A,t} = N_A \cdot V^{t-1} \bmod p$ for the following sessions. S keeps $K_{S,1} = N_S$ and derives $K_{S,t} = N_S \cdot V^{t-1} \bmod p$ for the following sessions.

On the other hand, to derive the public key of S, A needs to know $r_{S,1}$ and $r_{S,t}$. $r_{S,1} = g^{N_S} \bmod p$ is transferred to A in message 2 of phase 1, while $r_{S,t} = g^{N_S \cdot V^{t-1}} \bmod p$ can be derived for each session because A knows $g^{N_S}$ and V.

Each r value we derive will be in $Z_q^*$ because q is a prime and all r values are reduced modulo p, and their values must be in $Z_q^*$.

The initial scheme [5] is not a pure non-interactive key management scheme because in their approach the set of $r_{A,t} = g^{V^t} \bmod p$ is shared through message exchange. Compared with that scheme, our protocol allows A and S to generate $r_{A,t}$ by themselves, and thus no message exchange is involved.

D. Security Analysis

For our proposed scheme, the security of the $V_{A,t}$ values depends on the public key algorithm we used in phase 1, which is safe.

The non-interactive protocol has no PFS problem because the PMK has no relationship with the values of $V_{A,t}$ and $V_{S,t}$. If the PMK is exposed, it will not compromise the session key.

1) Key Security

In the non-interactive key management protocol, the security of the session rekey procedure of phase 2 depends on the Schnorr signature scheme, whose security is based on the intractability of discrete logarithm problems. The Schnorr signature scheme has been proven secure in the random oracle model [10][11].

To derive the value of the session key, the attacker has to figure out $x_{A,t}$ and $y_{S,t}$:

$x_{A,t} = x_{A,0} \cdot h(ID_A, r_{A,t}) + K_{A,t}$
$= x_{A,0} \cdot h(ID_A, g^{N_A \cdot V^{t-1}} \bmod p) + K_{A,t} \bmod p$
$= x_{A,0} \cdot h(ID_A, g^{N_A \cdot V^{t-1}} \bmod p) + N_A \cdot V^{t-1} \bmod p$

$y_{S,t} = y_{S,0}^{h(ID_S, r_{S,t})} \cdot r_{S,t} \pmod p$
$= y_{S,0}^{h(ID_S, g^{N_S \cdot V^{t-1}} \bmod p)} \cdot r_{S,t} \pmod p$
$= y_{S,0}^{h(ID_S, g^{N_S \cdot V^{t-1}} \bmod p)} \cdot (g^{N_S \cdot V^{t-1}} \bmod p) \pmod p$

where only the IDs of A and S, p and g are publicly known. The other parameters are hidden from the attackers. Thus the session keys cannot be disclosed to attackers.

2) Key Refreshment

For the non-interactive key management protocol, the update of the PMK is carried out in phase 1, while the session key rekey is carried out automatically by devices A and S. Whenever the session key needs rekeying, phase 2 of the protocol is carried out.

3) Perfect Forward Secrecy

The only value in phase 1 relating to the generation of the session key is V, where $V = H(K_{DH} \oplus N_{A0} \oplus N_{S0})$. If the PMK is exposed, the DH key cannot be derived from it. Thus, we can say that the attacker cannot compromise the session key if the PMK is exposed.

4) Key Separation

a. PMK and Session key:

The PFS analysis shows that the PMK is independent from the session key. That is, if the PMK is exposed, the session key will not be compromised. For the same reason, if a session key is exposed, the PMK cannot be compromised either.

b. PMK and DH key:

In the non-interactive key management protocol, the DH key is $K_{DH} = g^{N_A N_S} \bmod p$, where $N_A$ and $N_S$ are secret random numbers known only by the authenticator and the supplicant. The PMK and the DH key are independent: if the PMK is exposed, it does not help to figure out the DH key. On the other hand, if the DH key is exposed, the PMK will not be compromised.

c. DH and Session key:

The session key is $K_t = h(M_{A,t}) = y_{S,t}^{x_{A,t}} \pmod p$. To derive the session key, we have to know $x_{A,t}$ and $y_{S,t}$:

$x_{A,t} = x_{A,0} \cdot h(ID_A, r_{A,t}) + K_{A,t}$
$= x_{A,0} \cdot h(ID_A, g^{N_A \cdot V^{t-1}} \bmod p) + K_{A,t} \bmod p$
$= x_{A,0} \cdot h(ID_A, g^{N_A \cdot V^{t-1}} \bmod p) + N_A \cdot V^{t-1} \bmod p$
$= x_{A,0} \cdot h(ID_A, g^{N_A \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1}} \bmod p) + N_A \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1} \bmod p$

$y_{S,t} = y_{S,0}^{h(ID_S, r_{S,t})} \cdot r_{S,t} \pmod p$
$= y_{S,0}^{h(ID_S, g^{N_S \cdot V^{t-1}} \bmod p)} \cdot r_{S,t} \bmod p$
$= y_{S,0}^{h(ID_S, g^{N_S \cdot V^{t-1}} \bmod p)} \cdot g^{N_S \cdot V^{t-1}} \bmod p$
$= y_{S,0}^{h(ID_S, g^{N_S \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1}} \bmod p)} \cdot g^{N_S \cdot (H(K_{DH} \oplus N_{A0} \oplus N_{S0}))^{t-1}} \bmod p$

If the DH key is exposed, the session key of the non-interactive protocol cannot be compromised, since only g, p, $K_{DH}$ and the IDs of the authenticator and the supplicant are known. The other parameters are hidden from the attackers. For the same reason, if the session key is exposed, the attacker still cannot derive the DH key.

IV. CONCLUSION

Security has become the central issue for the IoT, and key management plays a critical role in ensuring data confidentiality and integrity. A new design of a ticket-based authentication protocol, an interactive key management protocol and a non-interactive key management protocol enhance the security of the 4-way handshake of 802.11i. Security analysis shows that our proposed key management protocols satisfy the principles of PFS and key refreshment and are resilient to attacks.

References

[1] Michelle S. Henriques and Nagaraj K. Vernekar, "Using symmetric and asymmetric cryptography to secure communication between devices in IoT", International Conference on IoT and Application, May 2017.
[2] B. Vinayaga Sundaram, M. Ramnath, M. Prasanth and J. Varsha Sundaram, "Encryption and Hash based Security in Internet of Things", 3rd International Conference on Signal Processing, Communication and Networking (ICSCN), 2015.
[3] J. Hermans, R. Peeters and B. Preneel, "Proper RFID privacy: Model and protocols", IEEE Trans. Mobile Comput., vol. 13, no. 12, pp. 2888–2902, Dec. 2014.
[4] D. Liu and P. Ning, "Establishing Pairwise Keys in Distributed Sensor Networks", Proc. 10th ACM Conf. Computer and Comm. Security (CCS), pp. 52-61, 2003.
[5] Holger Petersen and Patrick Horster, "Self-certified keys - Concepts and Applications", Proc. of Conference on Communication and Multimedia Security, Athens, September 22-23, 1997.
[6] A. Perrig et al., "SPINS: security protocols for sensor networks", Proceedings of ACM MOBICOM, 2001.
[7] L. Eschenauer and V. D. Gligor, "A key management scheme for distributed sensor networks", Proceedings of the 9th ACM Conference on Computer and Communication Security.
[8] H. Chan, A. Perrig and D. Song, "Random key predistribution schemes for sensor networks", Proceedings of the 2003 IEEE Symposium on Security and Privacy, May 11–14, pp. 197–213.
[9] M. Girault, "Self-Certified Public Keys", LNCS 547, Advances in Cryptology: Proc. Eurocrypt '91, Springer, pp. 490-497.
[10] P. Horster, M. Michels and H. Petersen, "Meta-ElGamal signature schemes", Proc. 2nd ACM Conference on Computer and Communications Security, pp. 96-107.
[11] C. P. Schnorr, "Efficient signature generation by smart cards", Journal of Cryptology, Vol. 4, No. 3, pp. 161-174, 1994. http://en.wikipedia.org/wiki/Schnorr_signature
[12] M. Long, "Energy-efficient and Intrusion Resilient Authentication for Ubiquitous Access to Factory Floor Information", IEEE Transactions on Industrial Informatics, Vol. 2, No. 1, pp. 40-47, 2006.
[13] David Manz, Jim Alves-Foss and Shanyu Zheng, "Network Simulation of Group Key Management Protocols", Journal of Information Assurance and Security, pp. 67-79, January 2008.
[14] http://www.cacr.math.uwaterloo.ca/conferences/2005/ecc2005/vanstone.pdf
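Self-certified key issuance (Section III.B), the phase 2 key progression of Section III.C and the consistency of $K_t = h(y_{S,t}^{x_{A,t}} \bmod p)$ with the value S computes (Section III.D.4c), as one added example that is not the paper's code. It assumes SHA-256 for h and H, constructed toy-sized p, q and g, and reduces $K_{X,t}$ modulo q rather than p, because $K_{X,t}$ is used as an exponent of g and only that reduction keeps A's locally derived $r_{S,t}$ equal to the $r_{S,t}$ that S computes.

```python
import hashlib
import secrets

# Constructed toy-sized parameters for illustration only: p = 2q + 1 and g = 4 has
# prime order q in Z_p*. The paper's setting uses 2048- or 3072-bit values.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash into [1, q-1]; SHA-256 over the joined inputs stands in for h and H (assumption)."""
    digest = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def issue_key(x_z, dev_id):
    """OP step of Section III.B: guarantee r = g^k mod p, private key s = xZ*h(ID, r) + k mod q."""
    k = rand_exp()
    r = pow(G, k, P)
    return (x_z * h(dev_id, r) + k) % Q, r

def public_key(y_z, dev_id, r):
    """Self-certified public key y = yZ^h(ID, r) * r mod p; needs only yZ, ID and r."""
    return pow(y_z, h(dev_id, r), P) * r % P

def progress(n, v, t):
    """K_{X,t} = N_X * V^(t-1), reduced mod q (the group order) rather than mod p as the
    paper writes, because K_{X,t} is used as an exponent of g (assumption)."""
    return n * pow(v, t - 1, Q) % Q

def run_session(t):
    """Session t of phase 2 (Section III.C): what A and S each compute on their own."""
    x_z = rand_exp()
    y_z = pow(G, x_z, P)                                  # OP key pair (yZ, xZ)
    x_a0, r_a = issue_key(x_z, "A")                       # (x_{A,0}, guarantee r_A)
    x_s0, r_s = issue_key(x_z, "S")
    y_a0, y_s0 = public_key(y_z, "A", r_a), public_key(y_z, "S", r_s)
    # Phase 1 outputs: secrets N_A, N_S and their g^N values, nonces N_A0, N_S0, K_DH and V.
    n_a, n_s = rand_exp(), rand_exp()
    g_na, g_ns = pow(G, n_a, P), pow(G, n_s, P)
    na0, ns0 = secrets.randbelow(P), secrets.randbelow(P)
    k_dh = pow(g_ns, n_a, P)                              # equals pow(g_na, n_s, P)
    v = h(k_dh ^ na0 ^ ns0)                               # V = H(K_DH xor N_A0 xor N_S0)
    # Device A: progress its own secret and guarantee, and derive S's guarantee
    # r_{S,t} = (g^{N_S})^{V^(t-1)} locally from g^{N_S} and V, with no message exchange.
    k_at = progress(n_a, v, t)
    r_at = pow(G, k_at, P)
    r_st_by_a = pow(g_ns, pow(v, t - 1, Q), P)
    x_at = (x_a0 * h("A", r_at) + k_at) % Q               # x_{A,t}
    y_st = pow(y_s0, h("S", r_st_by_a), P) * r_st_by_a % P    # y_{S,t}
    key_a = h(pow(y_st, x_at, P))                         # K_t = h(y_{S,t}^{x_{A,t}} mod p)
    # Device S mirrors the computation with the roles swapped.
    k_st = progress(n_s, v, t)
    r_st = pow(G, k_st, P)
    r_at_by_s = pow(g_na, pow(v, t - 1, Q), P)
    x_st = (x_s0 * h("S", r_st) + k_st) % Q
    y_at = pow(y_a0, h("A", r_at_by_s), P) * r_at_by_s % P
    key_s = h(pow(y_at, x_st, P))
    return {"key_a": key_a, "key_s": key_s, "guarantees_match": r_st_by_a == r_st and r_at_by_s == r_at}
```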

