Key Management Protocol with Implicit Certificates for IoT Systems

Savio Sciancalepore, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Angelo Capossele, Dep. of Computer Science, Sapienza University of Rome, Italy
Giuseppe Piro, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Gennaro Boggia, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Giuseppe Bianchi, Dep. of Electronic Engineering, University of Rome 2 Tor Vergata, Italy

ABSTRACT

This paper proposes a Key Management Protocol for mobile and industrial Internet of Things systems, targeting, at the same time, robust key negotiation, lightweight node authentication, fast re-keying, and efficient protection against replay attacks. The proposed approach pragmatically leverages widely accepted Elliptic Curve Cryptography constructions, specifically the (Elliptic Curve) "Fixed" Diffie Hellman key exchange and the (Elliptic Curve) Qu-Vanstone implicit certificates. Our value added is their suitable integration into a security protocol exchange, designed at layer 2, in the 802.15.4 protocol stack, which permits to i) avoid Elliptic Point multiplications upon rekeying of previously paired devices, and ii) support mutual authentication while securing the protocol exchange. To prove its viability, the proposed Key Management Protocol has been implemented and assessed on severely constrained devices. As expected, but made explicit and quantified by our experimental performance evaluation, the usage of implicit certificates in conjunction with an optimized message exchange yields impressive gains in terms of airtime consumption with respect to state of the art schemes.

1. INTRODUCTION

The revolutionary Internet of Things (IoT) paradigm is enabling the interaction among smart objects, pervasively diffused across the Internet [9]. In this evolving context, security risks and threats are ever more critical; as such the research community and the standardization bodies are currently working to define novel methodologies, protocols, and algorithms, in order to provide confidentiality, authentication, integrity, and availability services in mobile and industrial IoT systems [24][9].

Secure communication mainly grounds its roots in the implementation of robust Key Management Protocols (KMPs) [15]. About a decade ago, there was considerable skepticism on the feasibility of Public Key Cryptographic techniques over sensor devices, with the community largely in favor of symmetric techniques such as key pre-distribution [8]. Nowadays, many works, among which [7, 4, 19, 3] and many more, have duly assessed the viability of Elliptic Curve Cryptography (ECC) implementations even over severely constrained devices. What however remains surprising is the fact that, at the time of writing and to the best of our knowledge, most of the proposed approaches in both the standard bodies as well as from the scientific community (for more details see Sec. 2) still handle key negotiation and peer authentication via large X.509 certificates, indeed extremely expensive in terms of transmission requirements.

In this work, we describe a KMP, integrated at the layer-2 of the protocol stack, which aims at maximal airtime savings by natively exploiting the Elliptic Curve Qu-Vanstone (ECQV) technique for generating ultra-lightweight "implicit" certificates [6]. More specifically, our proposed protocol leverages a "fixed" Elliptic Curve Diffie Hellman (ECDH) exchange [10], with (statically assigned) public coefficients implicitly certified using ECQV. The protocol is complemented by the exchange of nonces along with the (lightweight) authentication of the exchanged message sequence, so as to guarantee mutual authentication and freshness in the key derivation (and very fast re-keying, when necessary). Our KMP has been implemented in the open source OpenWSN protocol stack [27], and its performance is preliminarily assessed in the remainder of the paper.

The rest of the paper is structured as follows: background material is reported in Sec. 2 along with a brief discussion of related work; Sec. 3 describes the conceived KMP mechanism and provides some implementation details; Sec. 4 illustrates the theoretical and experimental evaluation of the described solution; finally, Sec. 5 closes the paper and outlines directions for future work.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
IoT-Sys 2015, May 19-22, 2015, Florence, Italy.
Copyright © 2015 ACM 978-1-4503-3502-7/15/05 ...$15.00.
http://dx.doi.org/10.1145/2753476.2753477

2. A BACKGROUND ON SECURE DEVICE PAIRING

The literature background presented in this section remarks pros and cons of the most important solutions proposed so far. Moreover, it sheds some light on powerful approaches that can be considered for designing key negotiation schemes more suitable in mobile and industrial IoT systems.

2.1 Reference key negotiation algorithms

The pre-distribution of cryptographic keys represents the simplest approach that can be adopted for enabling security services in the IoT. It presents two main limitations: (i) in a scenario where the same key is shared among all the nodes, the impairment of a single device compromises the security of the whole network; (ii) the idea to configure a dedicated key for each couple of devices does not scale with the network size [8]. Key agreement mechanisms may solve these issues. Most proposals are based on Diffie-Hellman (DH) and ECDH approaches [15]. As is well known, built on the multiplicative group of integers modulo p, the DH algorithm founds its potentiality on the difficulty to solve the discrete logarithm problem. In ECDH, instead, the secret is negotiated through Elliptic Curve Cryptography (ECC) primitives and the same security levels offered by DH can be achieved with shorter keys.

2.2 Authentication of communicating peers

Node authentication techniques are introduced for preventing Man-In-The-Middle (MITM) attacks during the key negotiation procedure. To this aim, devices involved in a KMP session need to exchange specific data structures (i.e., a certificate) to bind and authenticate their identities with public keys.

All the contributions discussed in both research community and IETF standardization bodies (like [4][16][17][19][20][25][22]) make use of X.509 certificates [11], that contain, among other parameters, the device identity, its public key, and an explicit signature, provided by a trusted Certification Authority (CA). Unfortunately, the size of such certificates is too large. As an example, focusing on a 40 bytes long ECC public key, the OpenSSL tool generates an X.509 certificate with a size equal to 864 bytes; of course, this value tends to increase with the length of the key. As a consequence, their transmission requires significant bandwidth usage and brings high latencies and notable energy wastefulness; thus it cannot be considered well suitable for networks made up of constrained devices.

An effective alternative can be the adoption of implicit certificates, that bind the identity of a node and its public [...]

[...] the private keys of the CA, respectively. Before asking for a certificate, the device $I_A$ generates a random positive integer $r_A$; then, it computes a point $R_A$ on the chosen elliptic curve, $R_A = r_A \cdot G$, and sends it to the CA. The CA extracts a random positive integer $k$, computes $k \cdot G$ (another point on the elliptic curve), generates the implicit certificate, $P_A$, and the implicit signature, $\gamma_A$, by using:

$$\begin{cases} P_A = R_A + k \cdot G \\ \gamma_A = c + k \cdot H(P_A, I_A) \end{cases} \qquad (1)$$

Now, it sends them to the device. Then, it can generate its private key, $s_{v,A}$, and its public key, $P_{b,A}$, by:

$$\begin{cases} s_{v,A} = \gamma_A + r_A \cdot H(P_A, I_A) \\ P_{b,A} = s_{v,A} \cdot G \end{cases} \qquad (2)$$

As is well known, the most important strength of ECQV is that the public key of a given device can be computed by any other third-party starting from the knowledge of the implicit certificate and the public key of the authority:

$$P_{b,A} = s_{v,A} \cdot G = C + P_A \cdot H(P_A, I_A). \qquad (3)$$

At the time of this writing, implicit certificates are only used in the Certificate Based Key Establishment (CBKE) protocol, integrated in the ZigBee IP specifications, for managing the authentication of nodes during the join procedure [1].

2.3 Re-keying mechanisms

Re-keying mechanisms are generally adopted when it is necessary to reduce the lifetime of a specific key during a communication session. Although lightweight mechanisms for the IoT have been proposed in [7] and [13], their joint adoption with ECC and ECQV has not yet been discussed in literature.

3. THE PROPOSED KMP ALGORITHM

Without loss of generality, we suppose that implicit certificates are preloaded in each device by the network administrator before the deployment of the network.

In its main rationale, the developed KMP scheme is based on the exchange of four different logical messages. The first two messages carry the key materials (i.e., the ECQV implicit certificate and a nonce). ECQV implicit certificates jointly offer authentication and key agreement services in the sense that each node is able to compute, through a fixed ECDH mechanism, a shared secret starting from an authenticated public key. The latest two messages, instead, are exchanged for finalizing the mutual authentication.
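
The ECQV issuance and key reconstruction of Eqs. (1)-(3), followed by the fixed ECDH step that Sec. 3 relies on, written out as an added example; it is not the authors' OpenWSN implementation. The curve (NIST P-256), the SHA-256 input encoding used for H, and all function names are assumptions made for illustration, with c the CA private key and C = c·G its public key.

```python
import hashlib, secrets
# NIST P-256 (assumed curve; the page names none). Toy arithmetic, not constant-time.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(P, Q):  # affine point addition (curve coefficient a = -3); None is infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):  # double-and-add scalar multiplication k*P
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def H(P, ident):  # H(P_A, I_A): SHA-256 over x || y || identity (encoding assumed)
    data = P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big") + ident
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue(c, R_A, ident):  # Eq. (1): implicit certificate P_A and signature gamma_A
    k = secrets.randbelow(n - 1) + 1
    P_A = add(R_A, mul(k, G))
    return P_A, (c + k * H(P_A, ident)) % n

def device_keys(r_A, P_A, gamma_A, ident):  # Eq. (2): private key s, public key s*G
    s = (gamma_A + r_A * H(P_A, ident)) % n
    return s, mul(s, G)

def extract_public(C, P_A, ident):  # Eq. (3): rebuilt from certificate and CA key C
    return add(C, mul(H(P_A, ident), P_A))

def enroll(c, ident):  # one device's issuance; returns (private key, certificate)
    r_A = secrets.randbelow(n - 1) + 1
    P_A, gamma_A = ca_issue(c, mul(r_A, G), ident)
    return device_keys(r_A, P_A, gamma_A, ident)[0], P_A

def fixed_ecdh(s_own, C, P_peer, peer_id):  # static ECDH on the peer's implicit key
    return mul(s_own, extract_public(C, P_peer, peer_id))
```

There is no signature to check here: a certificate presented under the wrong identity simply reconstructs to a public key that does not match the holder's private key, so the two ECDH results differ.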
