TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications

Díaz-Sánchez, Daniel; Marin-Lopez, Andres; Almenárez, Florina; Arias-Cabarcos, Patricia; Sherratt, R. Simon

doi:10.1109/comst.2019.2914453

Cited by 37 publications

(16 citation statements)

References 78 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Delegar en un punto único la autenticación, confiando luego en credenciales temporales, como lo permite OAuth2, mantiene la infraestructura de identidades ligera, mientras que la distribución en servicios brinda una gran facilidad a la hora de replicar y redundar servicios en clúster cuando la carga de trabajo del sistema así lo amerita. Es justamente este enfoque de servicios / microservicios lo que permite que trabajar con TLS no sea demasiado exigente a nivel de mantenimiento, como destacaron Díaz-Sánchez et al [20].…”

Section: Discussionunclassified

“…Entre los enfoques posibles, mencionan como una alternativa viable, aquel orientado a servicios, para equilibrar entre centralización y distribución del control; más aún, la tendencia en software y aplicaciones distribuidas parecería dirigirse en general hacia el empleo de microservicios [17][18][19]. Ahondando en esta línea, Díaz-Sánchez, Marín-López, Almenarez, Arias y Sherrat [20] destacan los beneficios que una arquitectura de microservicios, adicionalmente basada en TLS/PKI, puede tener en IoT, al aligerar las tareas de desarrollo y mantenimiento, beneficioso tanto para proveedores y distribuidores como para usuarios, al mismo tiempo, reforzando la seguridad de interconexión. Estudios de caso como el de Urien [21] confirman de manera práctica las posibilidades de estas técnicas.…”

Section: Trabajos Relacionadosunclassified

See 1 more Smart Citation

Reduciendo la brecha de seguridad del IoT con una arquitectura de microservicios basada en TLS y OAuth2

Camacho

2020

Ingenius

View full text Add to dashboard Cite

El Internet de las cosas es una de las tendencias más prometedoras en la actualidad. La rapidez de su adopción, sin embargo, ha provocado ciertas brechas críticas en la seguridad de los sistemas involucrados. Este proyecto analizó el problema de seguridad de una manera amplia, pero enfocándose en entornos de tipo hogar inteligente, donde el uso de dispositivos con tecnologías ampliamente heterogéneas genera problemas en la autenticación con múltiples servicios, y en la confidencialidad de los datos, si la red llegara a verse comprometida. Para atacar estos problemas, se juntaron tecnologías de última generación como OAuth2 y TLS, entre otras, junto a una metodología arquitectural de microservicios de acoplamiento ligero, para generar una arquitectura IoT segura y de amplio alcance, respaldada y validada por una implementación de referencia. La división en capas funcionales permite que tanto los dispositivos y sensores fijos como aquellos móviles, puedan acoplarse al sistema de manera transparente y fluida. El esquema de seguridad estructurado en tres niveles incrementales permite que cada equipo pueda integrarse al que mejor se adapte tanto a sus recursos computacionales como al tipo de información que debe entregar o consumir. Los resultados muestran la flexibilidad de la solución y la solidez del esquema de seguridad presentado.

show abstract

Section: Discussionunclassified

Section: Trabajos Relacionadosunclassified

Reduciendo la brecha de seguridad del IoT con una arquitectura de microservicios basada en TLS y OAuth2

Camacho

2020

Ingenius

View full text Add to dashboard Cite

show abstract

“…Certificate pinning solutions for IoT/M2M have been profoundly revised by the authors in previous works [67]. Nevertheless, we argue that actual certificate pinning techniques do not offer the dynamicity required by IoT microservices.…”

Section: Pki and Certificate Pinningmentioning

confidence: 91%

DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT †

Díaz-Sánchez

Marín

Almenárez

et al. 2019

Sensors

Self Cite

View full text Add to dashboard Cite

IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core networks. To alleviate the core of the network, other technologies like fog computing can be used. On the security side, designers of IoT low-cost devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering DNSSEC and DANE were designed to cope with static services, coping with IoT dynamic microservice instantiation can throttle the scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme. Chameleon signatures are signatures computed over a chameleon hash, which have a property: a secret trapdoor function can be used to compute collisions to the hash. Since the hash is maintained, the signature does not have to be computed again. In the soft delegation schema, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.

show abstract

“…The issues related to the use of PKIs by resource-limited IoT devices have been extensively studied in the literature [20]- [22], and many solutions have been proposed, mainly based on the delegation of the most consuming tasks to a resource-rich and trusted centralized entity [23]- [26]. However, the issues related to the lifecycle management of certificates in IoT environments have received little attention so far.…”

Section: Related Workmentioning

confidence: 99%

How to Survive Identity Management in the Industry 4.0 Era

et al. 2021

View full text Add to dashboard Cite

Industry 4.0 heavily builds on massive deployment of Industrial Internet of Things (IIoT) devices to monitor every aspect of the manufacturing processes. Since the data gathered by these devices impact the output of critical processes, identity management and communications security are critical aspects, which commonly rely on the deployment of X.509 certificates. Nevertheless, the provisioning and management of individual certificates for a high number of IIoT devices involves important challenges. In this paper, we present a solution to improve the management of digital certificates in IIoT environments, which relies on partially delegating the certificate enrolment process to an edge server. However, in order to preserve end-to-end security, private keys are never delegated. Additionally, for the protection of the communications between the edge server and the IIoT devices, an approach based on Identity Based Cryptography is deployed. The proposed solution considers also the issuance of very short-lived certificates, which reduces the risk of using expired or compromised certificates, and avoids the necessity of implementing performance expensive protocols such as OCSP. The proposed solution has been successfully tested as an efficient identity management solution for IIoT environments in a real industrial environment.

show abstract

TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications

Cited by 37 publications

References 78 publications

Reduciendo la brecha de seguridad del IoT con una arquitectura de microservicios basada en TLS y OAuth2

Reduciendo la brecha de seguridad del IoT con una arquitectura de microservicios basada en TLS y OAuth2

DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT †

How to Survive Identity Management in the Industry 4.0 Era

Contact Info

Product

Resources

About