Securing the Internet of Things via Locally Centralized, Globally Distributed Authentication and Authorization

Hokeun Kim

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2017-139
August 9, 2017

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-139.pdf

The Internet of Things (IoT) brings about benefits through interaction with humans and the physical world using a variety of technologies including sensors, actuators, controls, mobile devices and cloud computing. However, these benefits can be hampered by malicious interventions of attackers when the IoT is not protected properly. Hence, authentication and authorization comprise critical parts of basic security processes and are sorely needed in the IoT. Characteristics of the IoT render existing security measures such as SSL/TLS (Secure Socket Layer/Transport Layer Security) and network architectures ineffective against emerging networks and devices. Heterogeneity, scalability, and operation in open environments are serious challenges that need to be addressed to make the IoT secure. Moreover, many existing cloud-based solutions for the security of the IoT rely too much on remote servers over possibly vulnerable Internet connections.

This dissertation presents locally centralized, globally distributed authentication and authorization to address the IoT security challenges. Centralized security solutions make system management simpler and enable agile responses to failures or threats, while having a single point of failure and making it challenging to scale. Solutions based on distributed trust are more resilient and scalable, but they increase each entity's overhead and are more difficult to manage. The proposed approach leverages an emerging network architecture based on edge computers by using them as locally centralized points for authentication and authorization of the IoT. This allows heterogeneity and an agile access control to be handled locally, without having to depend on remote servers. Meanwhile, the proposed approach has a globally distributed architecture throughout the Internet for robustness and scalability.

The proposed approach is realized as SST (Secure Swarm Toolkit), an open-source toolkit for construction and deployment of an authentication and authorization service infrastructure for the IoT, for validation of locally centralized, globally distributed trust management. SST includes a local authorization entity called Auth to be deployed on edge computers which are used as a gateway for authorization as well as for the Internet. Software building blocks provided by SST, called accessors, enable IoT developers to readily integrate their IoT applications with the SST infrastructure, by encapsulating cryptographic operations and key management. In addition to protection against network-based intruders, SST supports a secure migration mechanism for enhancing availability in the case of failures or threats of denial-of-service attacks, based on globally distributed and trusted Auths.

For evaluation, I provide a formal security analysis using an automated verification tool to rigorously show that SST provides necessary security guarantees. I also demonstrate the scalability of the proposed approach with a mathematical analysis, as well as experiments to evaluate security overhead of network entities under different security profiles supported by SST. The effectiveness of the secure migration technique is shown through a case study and simulation based on a concrete IoT application.

Advisor: Edward A. Lee


BibTeX citation:

@phdthesis{Kim:EECS-2017-139,
    Author = {Kim, Hokeun},
    Title = {Securing the Internet of Things via Locally Centralized, Globally Distributed Authentication and Authorization},
    School = {EECS Department, University of California, Berkeley},
    Year = {2017},
    Month = {Aug},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-139.html},
    Number = {UCB/EECS-2017-139},
    Abstract = {The Internet of Things (IoT) brings about benefits through interaction with humans and the physical world using a variety of technologies including sensors, actuators, controls, mobile devices and cloud computing. However, these benefits can be hampered by malicious interventions of attackers when the IoT is not protected properly. Hence, authentication and authorization comprise critical parts of basic security processes and are sorely needed in the IoT. Characteristics of the IoT render existing security measures such as SSL/TLS (Secure Socket Layer/Transport Layer Security) and network architectures ineffective against emerging networks and devices. Heterogeneity, scalability, and operation in open environments are serious challenges that need to be addressed to make the IoT secure. Moreover, many existing cloud-based solutions for the security of the IoT rely too much on remote servers over possibly vulnerable Internet connections.
This dissertation presents locally centralized, globally distributed authentication and authorization to address the IoT security challenges. Centralized security solutions make system management simpler and enable agile responses to failures or threats, while having a single point of failure and making it challenging to scale. Solutions based on distributed trust are more resilient and scalable, but they increase each entity's overhead and are more difficult to manage. The proposed approach leverages an emerging network architecture based on edge computers by using them as locally centralized points for authentication and authorization of the IoT. This allows heterogeneity and an agile access control to be handled locally, without having to depend on remote servers. Meanwhile, the proposed approach has a globally distributed architecture throughout the Internet for robustness and scalability.
The proposed approach is realized as SST (Secure Swarm Toolkit), an open-source toolkit for construction and deployment of an authentication and authorization service infrastructure for the IoT, for validation of locally centralized, globally distributed trust management. SST includes a local authorization entity called Auth to be deployed on edge computers which are used as a gateway for authorization as well as for the Internet. Software building blocks provided by SST, called accessors, enable IoT developers to readily integrate their IoT applications with the SST infrastructure, by encapsulating cryptographic operations and key management. In addition to protection against network-based intruders, SST supports a secure migration mechanism for enhancing availability in the case of failures or threats of denial-of-service attacks, based on globally distributed and trusted Auths.
For evaluation, I provide a formal security analysis using an automated verification tool to rigorously show that SST provides necessary security guarantees. I also demonstrate the scalability of the proposed approach with a mathematical analysis, as well as experiments to evaluate security overhead of network entities under different security profiles supported by SST. The effectiveness of the secure migration technique is shown through a case study and simulation based on a concrete IoT application.}
}

EndNote citation:

%0 Thesis
%A Kim, Hokeun
%T Securing the Internet of Things via Locally Centralized, Globally Distributed Authentication and Authorization
%I EECS Department, University of California, Berkeley
%D 2017
%8 August 9
%@ UCB/EECS-2017-139
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-139.html
%F Kim:EECS-2017-139