on the security and privacy of internet of things architectures

ON THE SECURITY AND PRIVACY OF INTERNET OF THINGS ARCHITECTURES AND SYSTEMS

1

E. Vasilomanolakis, J. Daubert, M. Luthra, V. Gazis, A. Wiesmaier, P. Kikiras

manisha.luthra@stud.tu-darmstadt.de

2

Outline

Introduction Security Requirements

Discussion and comparison of IoT architectures IOT-A BeTaaS OpenIoT IoT@Work

Conclusion

manisha.luthra@stud.tu-darmstadt.de

3

Introduction

Motivation

IoT specific properties Mobility Constrained resources Heterogeneity Scalability

manisha.luthra@stud.tu-darmstadt.deImage source: Google Images

Security Requirements

4

Confidentiality

Integrity

Authenticity

Availability

Authentication

Authorization

Accountability

Revocation

Data Privacy

Anonymity

Pseudonimity

Unlinkability

Trust

Device Trust

Entity Trust

Data Trust

Resilience

Robustness against attacks

Resilience against failures

manisha.luthra@stud.tu-darmstadt.de

Network Security

Identity Management Privacy Trust Resilience

DISCUSSION AND COMPARISON OF IOT ARCHITECTURES

5manisha.luthra@stud.tu-darmstadt.de

IoT Architecture (1) – IoT-A

Overview Goal : provide Architectural

Reference model (ARM) forming guidelines for network protocols.

Successful integration of ARM to service into IoT.

EU FP7 project completed in 2013.

Five logical security components (SC) mapped to our security requirements.

Security components Dedicated security components

for network security, Identity Management, privacy and trust.

Fault tolerance as a dedicated functional group.

6

Security reqt. RatingNetwork security Identity ManagementPrivacyTrustResilience

manisha.luthra@stud.tu-darmstadt.deImage source: http://www.iot-a.eu/public

IoT Architecture (2) – BeTaaS

Overview Goal : architecture for IoT and

M2M communication for apps over cloud of gateways.

Things as a Service (TaaS) reference model comprising four layers.

Physical layer, Adaptation layer, TaaS layer, Service layer.

EU FP7 project completed in 2015.

Security components Augments the reference model

of IoT-A – similar security. Confidentiality, integrity and

authenticity via PKI. OAuth for identity management.

7

Security reqt. RatingNetwork securityIdentity ManagementPrivacyTrustResilience

manisha.luthra@stud.tu-darmstadt.deImage source: http://www.betaas.eu/

IoT Architecture (3) – OpenIoT

Overview Goal : Open source with cloud

characteristics – pay-as-you-go and on-demand services.

EU FP7 project completed in 2014.

Based on IoT-A ARM. Specifies two modules security and privacy.

However privacy seems not to be addressed apart from data privacy.

Trust is a module addressing data and device trust.

Security components TLS ensures encrypted

messaging. Centralized architecture

providing OAuth and RBAC. Robustness not addressed.

8

Security reqt. RatingNetwork securityIdentity ManagementPrivacyTrustResilience

manisha.luthra@stud.tu-darmstadt.deImage source: http://www.openiot.eu/

IoT Architecture (4) – IoT@Work

Overview Goal : IoT architecture for an

industrial automation domain.

EU FP7 project completed in 2013.

Use common technologies such as EAP and CBAC.

Privacy and Trust not driving requirements due to industry focus.

Security components Some data privacy is provided

and access delegation is used for pseudonyms.

Trust based reqts. seems not be addressed.

9

Security reqt. RatingNetwork security Identity Management

Privacy Trust Resilience

manisha.luthra@stud.tu-darmstadt.deImage source: https://www.iot-at-work.eu/

Comparison Summary

10

Each architecture has a specific focus area. IoT@Work works best for the manufacturing domain. OpenIoT as open sensor and service marketplace. IoT-A and BeTaaS provides an ARM and fulfills most of the requirements. Though the actual implementation may vary.

IoT architecturesSecurity reqt. IoT-A BeTaaS OpenIoT IoT@WorkNetwork security Identity ManagementPrivacy Trust Resilience

manisha.luthra@stud.tu-darmstadt.de

Conclusion

Architectural Gaps Data transmission in

constrained devices and gateway remains unprotected.

Focus on enclosed domain, lack inter-domain capabilities.

Privacy and Trust in most IoT architectures seems to be unaddressed.

11

Future Work Accountability mechanisms e.g.,

blind signatures with threshold cryptography can be adopted.

We plan to propose framework for protection at the device, communication and cloud level, rather only at one of these.

To realize the envisioned marketplace of IoT, transitive trust can be adopted.

manisha.luthra@stud.tu-darmstadt.de

Thank you

Manisha Luthra (M.Sc Informatik)manisha.luthra@stud.tu-darmstadt.de

12manisha.luthra@stud.tu-darmstadt.de