An Iot Crypto Gateway for Resource-Constrained Iot Devices

An IoT Crypto Gateway for Resource-Constrained IoT Devices

Ahmed Alqattaa Daniel Loebenberger Technical University of Applied Sciences Amberg-Weiden January 12, 2021

When Internet of Things (IoT) devices are connected to the Internet without being protected properly, they may become vulnerable to attacks on the devices and the network itself. Thus, IoT security is a relevant aspect in the design of IoT protocols. For instance, the German Federal Oﬃce for Information Security (BSI) continuously warns against the potential attacks on the IoT and gives users possible countermeasures at hand in order to limit serious attacks against IoT devices [BSI(2017), BSI(2020)]. NGINX developers work on the technology preview of HTTP/3 [Bishop (2020)], which is at the moment still being developed by the Internet Engi- neering Task Force (IETF) and implements Quick UDP Internet Connections (QUIC) with HTTP at an open source repository1. The project is a pre-release software which is based on the IETF QUIC draft [Iyengar & Thomson(2020), Rescorla(2018)], that has adopted TLS inside it [Thomson & Turner(2020)]. Moreover, the libraries OpenSSL, wolfSSL and others have just started the im- plementations of QUIC. The Message Queuing Telemetry Transport (MQTT) protocol [ISO 20922:2016(2016)] traditionally lays on TCP (optionally on TLS as well) and is widely used in IoT applications due to its small code footprint, easy inte- gration, and good performance. Nevertheless, the TCP/TLS connection suﬀers from some disadvantages, such as expensive connection establishment (by start- ing with three ways TCP handshake) and slow handshake (in case of a full TLS handshake). Thus, instead of reducing the security level in resource constrained devices (e.g. by employing lightweight cryptographic primitives), the project compares the performance of this combination (QUIC-MQTT) with that ex- hibited by the more traditional TCP-TLS-MQTT approach. Furthermore, we present a work-in-progress project and specify the overall architecture of an

(2021) IoT cryptographic gateway which sits in-between attached IoT devices and the cloud. The gateway communicates with the cloud implementing MQTT over a TLS connection employing up-to-date asymmetric cryptography at a high security level. On the other hand, the gateway allows the IoT devices to connect to the network by implementing MQTT over QUIC, which should save consider- able resources. 1See also https://hg.nginx.org/nginx-quic/shortlog crypto day matters 32 Beiträge vom 32. Kryptotag, 15.01.2021,doi:10.18420/cdm-2021-32-14 online. The proposed gateway opens in direction of the cloud a fully-ﬂedged authen- ticated TLS tunnel and in direction of the IoT device a QUIC connection which exchanges less packets and employs after the ﬁrst handshake a pre-shared key. As a result, peers are able to establish a TLS connection with less resources for the IoT devices. Thus, the gateway may save time, power and computation on the IoT device’s side without compromising security. As stated, QUIC is still a work in progress by IETF, which forces adding changes in this project continuously. Especially for embedded operating sys- tems, such as RTOS, which are potentially not even fully POSIX-conformant, the implementation is challenging. At the moment on the hardware side, it seems most promising using the ESP32 microcontroller runned by an RTOS connected with a sensor together as a constrained IoT-client. This seems reasonable since for the ESP32 extensive measurements concerning the power-consumptions using various cryptographic primitives were already made [Fischer, Linka, Rademacher, Jonas & Loeben- berger(2019)]. For the IoT-gateway a Raspberry Pi 4 operated by a Linux system is a natural choice for the proof-of-concept implementation. On the software side, the project relies on several open source projects, which are writ- ten in C, in order to realize the MQTT, TLS and QUIC protocols (see Table1).

IoT-Client IoT-Gateway Cloud Server Client RTOS-FreeRTOS Linux-Ubuntu Linux-Ubuntu Linux-Ubuntu MQTT-coreMQTT MQTT-Mosquitto MQTT-Mosquitto MQTT-Mosquitto QUIC-LSQUIC QUIC-LSQUIC TLS-OpenSSL TLS-OpenSSL UDP/IP UDP/IP TCP/IP TCP/IP 5G/WPA3/... 5G/WPA3/... Ethernet Ethernet

Table 1: Illustration of the software environment in the project

References

Mike Bishop (2020). Hypertext Transfer Protocol Version 3 (HTTP/3). Internet-draft, IETF. URL https://datatracker.ietf.org/doc/html/ draft-ietf-quic-http-32.

BSI (2017). Sicherheit von Ger¨aten im Internet der Dinge. URL https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/ BSI-CS/BSI-CS_128.pdf?__blob=publicationFile&v=10.

BSI (2020). IT-Grundschutz-Kompendium, SYS.4.4 Allgemeines IoT-Ger¨at. Unternehmen und Wirtschaft. Reguvis Fachmedien GmbH. ISBN 978-3-8462- 0906-6.

Tilo Fischer, Hendrik Linka, Michael Rademacher, Karl Jonas & Daniel Loebenberger (2019). Analyzing Power Consumption of TLS Ci- phers on an ESP32. In crypto day matters 30, Franziskus Kiefer & Daniel Loebenberger, editors. Gesellschaft f¨urInformatik e.V. / FG KRYPTO, Bonn. ISO 20922:2016 (2016). Information technology – Message Queuing Telemetry Transport (MQTT) v3.1.1. Standard ISO/IEC 20922:2016, International Or- ganization for Standardization, Geneva, CH. URL https://www.iso.org/ standard/69466.html.

Jana Iyengar & Martin Thomson (2020). QUIC: A UDP-Based Mul- tiplexed and Secure Transport. Internet-draft, IETF. URL https:// datatracker.ietf.org/doc/html/draft-ietf-quic-transport-32.

E. Rescorla (2018). The Transport Layer Security (TLS) Protocol Version 1.3. IETF URL https://tools.ietf.org/html/rfc8446. RFC 8446.

Martin Thomson & Sean Turner (2020). Using TLS to Secure QUIC. Internet-draft, IETF. URL https://datatracker.ietf.org/doc/html/ draft-ietf-quic-tls-32.