Developing lightweight security protocols for the IoT with RISE
Connected homes, self-driving cars and automated industry – just a few of the things that come to mind when you think of the Internet of Things (IoT). Behind the scenes, however, there’s still plenty of work to be done before many IoT devices can truly become a cost-effective and efficient reality. In partnership with RISE Research Institutes of Sweden, Ericsson Security Research is developing a key enabler of the IoT: lightweight security protocols.
Identifying a fundamental challenge
Sweden is home to a thriving research community and Ericsson and RISE – a leading research institute for applied information and communication technology – are leading the way when it comes to addressing the security problems posed by the growth of the IoT and connected devices.
In 2013, the collaboration began with a research paper on the implementation of access control in IoT devices. Since then, the two organizations have been leveraging their combined expertise to tackle some of the fundamental challenges that the connected society will face.
Ericsson Security Research has been involved in analyzing the security of many IoT application domains over the years, including those related to smart grids, smart homes and e-health. This research has resulted in a thorough understanding of the security issues posed by increasingly complex networks of connected devices, and the need for new security solutions supporting constrained device deployments. This includes embedded devices with very restricted Random Access Memory, Read-Only Memory, or power budget, where the solutions support:
- End-to-end security, across multiple intermediary devices and protocols
- Group communication with individual responses securely bound to the request
- Authentication, authorization and access control with granular and rich permission set configured by the application
These past projects also highlighted that, in the case of constrained IoT devices (for example, those with limited memory, battery or processing capabilities), current security protocol standards are not always suitable.
With the benefit of their combined in-depth understanding of internet security protocols, cryptography, industry requirements and system implementation, Ericsson Research and RISE decided to tackle this problem and provide new future-ready solutions, helping to address the security issues highlighted above.
Standardizing the solution
The main aim of the project is to define, implement and standardize security protocols which are suitable for constrained devices in the IoT.
A key limiting factor for today's security protocols is the message overhead. For example, in the case of battery-powered constrained IoT devices, a lot of energy goes into transmitting, listening to and receiving messages. In order to reduce the number of round trips, the project has reduced the size and the number of messages – making it easier for them to be parsed and cached, and so reducing the amount of battery used.
The research has also found that IoT security protocols are very effective when applied in the application layer of the protocol stack. This is because it provides independence from the lower layers, allowing end-to-end security through intermediaries.
Security on the application layer also allows access permissions to be expressed in terms of application layer entities, such as which resources are referred to and which method is applied to that resource, etc.
To date, the project has resulted in two lightweight application layer security protocols, which have been adopted in different working groups of the Internet Engineering Task Force (IETF):
Object Security for Constrained RESTful Environments (OSCORE)
- A security protocol built into CoAP (a lightweight variant of http suitable for sensors and actuators)
- Provides authentication, encryption, integrity and replay protection (preventing the replaying of a recorded message, for example, to open a connected door lock)
- Assumes shared symmetric keys, which can be established using EDHOC (peer-to-peer) or ACE (trusted third-party assisted)
- Secures messages end-to-end through all proxies
- Secures unicast or multicast with unicast response, using additional asymmetric keys for source authentication
Authentication and Authorization for Constrained Environments (ACE)
- A lightweight version of OAuth 2.0 for constrained devices
- Provides access control to resources via a trusted third party (authorization server)
- Establishes keys for authorized clients and resource servers for use with profiled communication and security protocols, e.g. CoAP/DTLS or CoAP/OSCORE
The below diagram demonstrates the relationships between the lightweight security protocols developed by Ericsson and RISE, and those they are based on or have contributed to:
An alternative for suitable use cases
The standardization of lightweight security protocols in the IoT space is proving to be a huge success, and is the result of a lot of hard work by the research teams at RISE and Ericsson.
The project is ongoing and there is still work to be done – including making all of the protocols Proposed Standards, also termed 'Request for Comments' in the internet standardization community.
Over the next year, the plan is to move into deployment. While there is already considerable interest in utilizing the new protocols, as well as positive feedback, communication and demonstration of their benefits will help to highlight where the current solutions are lacking and why there is a significant need for lightweight variants.
That said, the ultimate aim is not to replace today's security protocols (although the developed protocols work equally well with non-constrained IoT devices). Instead, these lightweight variants should be viewed as alternative tools for use in suitable circumstances – of which there will be many in the future of the IoT.
The innovative work carried out by Ericsson and RISE will have extensive benefits, securing constrained IoT devices and, ultimately, helping to make the connected future a reality.