A Data-centric security architecture for the Integration of constrained devices into IoT scenarios

Abstract

The expansion of the IoT is being driven with the arrival of recent communication technologies, such as 5G, which enable the massive exchange of information among a large number of interconnected heterogeneous devices. This evolution of the Internet is encouraging the emergence of new scenarios, which represent ecosystems where different deployed physical devices detect and share data about their environment. This fact enables to transform and improve daily services, such as transportation or healthcare systems. However, the realisation of this data-driven society paradigm presents important security challenges related to the treatment of personal information, which may violate the privacy of the participants. Consequently, data protection is considered a key aspect to increase people's trust and to achieve the development of IoT scenarios on a large scale. In this direction, important standardization bodies, such as the IETF and ETSI, have offered different proposals to overcome security and privacy concerns in IoT scenarios. This fact proves that security and privacy in the IoT context are currently one of the main hot research topics getting rising attention from the academia and the industry. Nevertheless, the application of these proposals is not trivial due to the particularities inherent to these scenarios, such as technological heterogeneity, devices' resource constraints, presence of intermediate entities and group communications. Therefore, ensuring end-to-end data protection in IoT scenarios is still challenging. Consequently, the main objective of this thesis is to develop a data-centric security architecture for the integration of resource-constrained devices in IoT scenarios. In this sense, a typical evolutionary methodology of research projects has been followed. Thus, an analysis of security and privacy requirements in different IoT scenarios was performed, which allowed to identify the need for efficient and effective data protection solutions for these data sharing environments. Furthermore, it was found that many of existing standards and proposals did not adequately fit with the particularities inherent to these scenarios previously mentioned. This fact drove the need for designing an architecture intended to guarantee the security of information during its entire lifecycle in the IoT context. Towards this end, a lightweight, flexible and scalable cryptographic approach based on the CP-ABE scheme was designed and implemented, in order to enable secure group data sharing. Additionally, this approach was extended with a key exchange mechanism based on a recent IETF standardization effort known as EDHOC, which enables the establishment of security associations in these constrained scenarios. It should be noted that this mechanism considers the realisation of a previous bootstrapping phase, where entities obtain their corresponding credentials and keys to securely join the network. Particularly, the LO-CoAP-EAP boostrapping service was considered due to it was specifically designed for the IoT context. Eventually, a performance analysis of the different security mechanisms integrated in the architecture was performed, with the aim of demonstrating their feasibility and advantages compared to other solutions currently proposed for IoT scenarios. All in all, the proposed security architecture represents an excellent starting point to address the main security and privacy concerns in the IoT context, especially for the integration of resource-constrained devices. Eventually, it should be pointed out that this architecture could be still extended by integrating complementary approaches, such as OSCORE, thus achieving secure, flexible and efficient IoT scenarios.