Secure Gateway for the Internet of Things

The Internet of Things consists of interconnected devices such as industrial embedded systems, vehicles, smart home appliances, sensors, and actuators. Even devices that cannot connect to the internet can become part of an Internet of Things system through gateways. Internet of Things systems have begun to be targeted by attackers because of the hardware limitations of embedded systems. Attackers can use these devices in DDOS attacks, or cause very serious damage to the systems the devices are connected to by attacking the device directly. Because more than one communication protocol, such as MQTT, AMQP, and COAP, is used in an environment, a broker can be used as an intermediary for communication between devices. As a result of unencrypted communication, attackers can obtain information such as usernames and passwords from the network or modify message contents. To make the system secure, we need to provide secure authorization and encrypted communication. TLS-based approaches can be applied. However, constrained embedded systems have difficulty implementing asymmetric encryption approaches. In this paper, an approach is proposed for Internet of Things gateways based on a chip that has secure key storage, a true random generator, and 128-bit AES encryption/decryption capabilities. The presented work provides authentication and encrypted communication between the broker and the device. In the presented work, we also made it possible to perform communication and encryption at the same time, using a method that relies on the physical I2C feature of the ARM Cortex-M3. For this work, a new embedded system device with an ARM Cortex-M0 processor was developed; in addition, the proposed approach was tested and its performance values were measured using a demo board with an ARM Cortex-M3 processor.
In addition, cryptographic hash (MD5, SHA-1, and SHA-2) and cyclic redundancy check (CRC32/64) algorithms were used for message integrity.

Secure Gateway for the Internet of Things

The Internet of Things (IoT) includes connected devices such as industrial embedded devices, vehicles, smart home appliances, sensors, and actuators. Even non-internet-enabled physical devices can be part of the IoT system through gateways. IoT platforms are attracting attackers because of the security weaknesses of constrained devices. Attackers can use IoT devices for DDOS attacks or attack a device directly to damage the overall system. Since several industry-standard communication protocols such as MQTT, AMQP, and COAP can be utilized in an environment, communication between devices can be provided through a broker. Unencrypted communications can be sniffed; therefore, usernames and passwords can be stolen or message content can be modified by an attacker. Secure authentication and encrypted communication are therefore required in order to make the systems secure. TLS-based approaches can be utilized to provide encrypted communication. However, constrained devices cannot handle asymmetric encryption algorithms. In this paper, we propose a new approach for IoT gateways that utilizes a secure element with key storage, a true random generator, and AES 128-bit encryption capability. The proposed approach includes authentication and encrypted communication between the gateway and the broker. We also propose a new method that provides simultaneous encryption and MQTT-based communication by utilizing the physical I2C property of the ARM Cortex-M3. The secure element/chip is utilized in two different embedded devices, namely a newly developed embedded device (ARM Cortex-M0) and a demo card (ARM Cortex-M3), to test the approach and measure performance. We also investigate message integrity methods through cryptographic hash (such as MD5, SHA-1, and SHA-2) or cyclic redundancy check (CRC32/64) algorithms.
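An added example (not code from the paper) that runs the integrity checks named in the abstract over a constructed MQTT-style payload. It shows that CRC32 and the hashes all catch an accidental bit error, but CRC32 is an affine function of the message while SHA-256 is not, so a CRC serves as an error-detection code rather than a cryptographic check. The payload and all function names are assumptions made for illustration.

```python
import hashlib
import zlib

# Constructed sample: a sensor reading as it might appear in an MQTT payload.
PAYLOAD = b'{"sensor":"t1","temp":21.5}'


def integrity_tags(msg: bytes) -> dict:
    """Tag each algorithm family named in the abstract would attach to msg."""
    return {
        "crc32": zlib.crc32(msg).to_bytes(4, "big"),
        "md5": hashlib.md5(msg).digest(),
        "sha1": hashlib.sha1(msg).digest(),
        "sha256": hashlib.sha256(msg).digest(),  # one member of the SHA-2 family
    }


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def detects_bit_error(msg: bytes, algo: str) -> bool:
    """True if flipping the lowest bit of the first byte changes the tag."""
    corrupted = bytes([msg[0] ^ 0x01]) + msg[1:]
    return integrity_tags(corrupted)[algo] != integrity_tags(msg)[algo]


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a^b^c) == crc(a) ^ crc(b) ^ crc(c)."""
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    combined = zlib.crc32(xor(xor(a, b), c))
    return combined == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """Same relation tested on SHA-256; a cryptographic hash should fail it."""
    def h(m: bytes) -> bytes:
        return hashlib.sha256(m).digest()
    return h(xor(xor(a, b), c)) == xor(xor(h(a), h(b)), h(c))


if __name__ == "__main__":
    other = b'{"sensor":"t1","temp":99.9}'   # constructed, same length
    third = b'{"sensor":"t2","temp":10.0}'   # constructed, same length
    for name, tag in integrity_tags(PAYLOAD).items():
        print(f"{name:7s} {len(tag):2d} bytes  detects bit error: "
              f"{detects_bit_error(PAYLOAD, name)}")
    print("crc32 affine :", crc32_is_affine(PAYLOAD, other, third))
    print("sha256 affine:", sha256_is_affine(PAYLOAD, other, third))
```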

___

Avrupa Bilim ve Teknoloji Dergisi
  • Publication frequency: 4 issues per year
  • Started: 2013
  • Publisher: Osman Sağdıç