1. Introduction

The Internet of Things (IoT) is becoming one of the most important market segments and a target for every key ICT player. IoT security mechanisms are still in their infancy and have failed to keep up with the technology's rapid growth. The increasing role of IoT devices in security breaches raises the issue of enforcing proper security on them. High-profile attacks such as the Mirai botnet, which recruited IoT devices by exploiting their weak default credentials, illustrate the importance of having security solutions.

As on the Internet, security mechanisms in the IoT should ensure the confidentiality, integrity, privacy and availability of the services offered. The IoT landscape uses different networking topologies, the prominent ones being mesh, point-to-point and star. This tutorial focuses on the security issues of the star topology, where all IoT devices are connected to a central gateway; all communication between the IoT devices and cloud servers on the Internet passes through this gateway.

Within the star topology, the most common threat vectors are: physical attacks on the IoT devices, such as tampering with a device to extract or replace its cryptographic keys; compromise of the cloud servers on the Internet to which the IoT devices connect via the gateway; man-in-the-middle attacks, where a malicious actor eavesdrops on, and possibly alters, the communication between source and destination; and exploitation of vulnerabilities in IoT devices to recruit them into Distributed Denial of Service (DDoS) attacks.

On the Internet, security is commonly anchored in the Public Key Infrastructure (PKI) through digital certificates. The PKI lets Internet hosts (such as home computers and servers) authenticate each other and communicate securely without tokens, password policies or other cumbersome user-initiated factors. But the PKI in its current state cannot be applied directly to the IoT, for several reasons.

The first challenge is that current IoT security mechanisms are based on proprietary closed solutions, which raises costs for end-users and hinders secure communication between devices from different security solution providers. The second is that most low-end IoT devices are highly constrained: they have little memory, limited storage and little computing power. The third is to provide open authentication support and trust anchors with scalable key distribution, as exists today on the Internet, so that IoT devices can bootstrap application-specific security mechanisms on top of a secured channel. The fourth is bootstrapping trust in the first place: a freshly deployed device needs a way to decide which keys and peers to trust.

The traditional use of PKI does not fit constrained IoT devices: it requires significant computing power for public-key operations, storage for the chain of trust, and enough bandwidth to send and receive certificates, verify signatures made with large keys and fetch revocation lists, all of which is technically and economically infeasible for this class of devices. This tutorial explains how the trust and security schemes based on the traditional PKI can be replaced by a novel approach that relies on the Domain Name System (DNS) [RFC1034] [RFC1035] infrastructure and builds all the required functionality on top of DNS. DNS brings the advantage of a single trust anchor, with lightweight authentication schemes suitable for constrained IoT devices that are easily automated for large-scale IoT deployments. Note that this holds only when the DNS answers themselves are authenticated (DNSSEC); an unsigned answer would simply move the man-in-the-middle problem from the application channel to the name lookup.
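To make concrete what "lightweight authentication" means for a constrained device, the following is an added example, not code from the original tutorial. It goes slightly beyond what the paragraph names by using one established way of publishing a trust assertion in DNS: a DANE TLSA record as specified in RFC 6698 (one-octet usage, selector and matching-type fields followed by the association data). With usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), the device stores a 35-byte record and performs one hash comparison at connection time: no chain parsing, no signature verification, no revocation-list download. The owner name `_8883._tcp.gateway.example.` (MQTT over TLS on the gateway) and the key bytes are constructed placeholders for illustration, and the record is assumed to have arrived through a DNSSEC-validated lookup.

```python
import hashlib
import hmac
import struct

# TLSA field values from RFC 6698 used in this example.
USAGE_DANE_EE = 3      # certificate usage 3: the record names the end-entity key itself
SELECTOR_SPKI = 1      # selector 1: match the SubjectPublicKeyInfo, not the whole certificate
MATCH_FULL = 0         # matching type 0: association data is the full SPKI
MATCH_SHA256 = 1       # matching type 1: association data is SHA-256(SPKI)

# Constructed placeholder keys (NOT real SubjectPublicKeyInfo encodings); the
# attacker key stands in for a man-in-the-middle substituting its own key.
GATEWAY_SPKI = b"constructed-placeholder-spki-for-the-gateway" * 8
ATTACKER_SPKI = b"constructed-placeholder-spki-for-the-attacker" * 8

# Hypothetical owner name: MQTT over TLS (port 8883) on the gateway.
TLSA_OWNER_NAME = "_8883._tcp.gateway.example."


def build_tlsa_rdata(spki: bytes, usage: int = USAGE_DANE_EE,
                     selector: int = SELECTOR_SPKI,
                     matching: int = MATCH_SHA256) -> bytes:
    """Encode TLSA RDATA: three one-octet fields, then the association data."""
    if matching == MATCH_SHA256:
        assoc = hashlib.sha256(spki).digest()
    elif matching == MATCH_FULL:
        assoc = spki
    else:
        raise ValueError(f"unsupported matching type {matching}")
    return struct.pack("!BBB", usage, selector, matching) + assoc


def parse_tlsa_rdata(rdata: bytes):
    """Decode RDATA into (usage, selector, matching, association data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than its fixed header")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return usage, selector, matching, rdata[3:]


def presentation_format(rdata: bytes) -> str:
    """Zone-file text form, e.g. '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    usage, selector, matching, assoc = parse_tlsa_rdata(rdata)
    return f"{usage} {selector} {matching} {assoc.hex()}"


def device_accepts_peer(rdata: bytes, presented_spki: bytes) -> bool:
    """The whole check a constrained device runs when the peer presents its key.

    Assumes the TLSA record was obtained through a DNSSEC-validated lookup;
    without that, a spoofed record just moves the MITM to the name lookup.
    """
    usage, selector, matching, assoc = parse_tlsa_rdata(rdata)
    # Only the DANE-EE / SPKI policy is implemented here; reject anything else
    # rather than silently accepting a record we do not know how to evaluate.
    if usage != USAGE_DANE_EE or selector != SELECTOR_SPKI:
        return False
    if matching == MATCH_SHA256:
        return hmac.compare_digest(hashlib.sha256(presented_spki).digest(), assoc)
    if matching == MATCH_FULL:
        return hmac.compare_digest(presented_spki, assoc)
    return False


if __name__ == "__main__":
    rdata = build_tlsa_rdata(GATEWAY_SPKI)
    print(f"{TLSA_OWNER_NAME} IN TLSA {presentation_format(rdata)}")
    print("bytes the device must store (hashed):", len(rdata))
    print("bytes with full-key matching       :",
          len(build_tlsa_rdata(GATEWAY_SPKI, matching=MATCH_FULL)))
    print("genuine gateway key accepted :", device_accepts_peer(rdata, GATEWAY_SPKI))
    print("substituted MITM key accepted:", device_accepts_peer(rdata, ATTACKER_SPKI))
```

The hashed form is what makes the scheme fit the device: the record size is fixed at 35 bytes regardless of key size, and revocation becomes a change to the zone rather than a list the device must fetch. The check also refuses usages and selectors it does not implement, which is the safe default for firmware that cannot be updated easily.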

Main Menu        2. Domain Name System