
Showing papers on "Message authentication code published in 2021"


Journal ArticleDOI
TL;DR: A hybrid D2D message authentication (HDMA) scheme is proposed for 5G-enabled VANETs, in which a novel group signature-based algorithm is used for mutual authentication between vehicle to vehicle (V2V) communication.
Abstract: The fifth-generation (5G) mobile communication technology with higher capacity and data rate, ultra-low device to device (D2D) latency, and massive device connectivity will greatly promote the development of vehicular ad hoc networks (VANETs). Meanwhile, new challenges such as security, privacy and efficiency are raised. In this article, a hybrid D2D message authentication (HDMA) scheme is proposed for 5G-enabled VANETs, in which a novel group signature-based algorithm is used for mutual authentication between vehicle to vehicle (V2V) communication. In addition, a pre-computed lookup table is adopted to reduce the computation overhead of the modular exponentiation operation. Security analysis shows that HDMA is robust to resist various security attacks, and performance analysis also points out that the authentication overhead of HDMA is more efficient than some traditional schemes with the help of the pre-computed lookup table in V2V and vehicle to infrastructure (V2I) communication.

78 citations


Journal ArticleDOI
TL;DR: A privacy-preserving and lightweight V2I authentication (PLVA) protocol that deduces RSUs' information on its planning route using BGN homomorphic encryption before the vehicle begins its trip and performance evaluation illustrates that the PLVA is efficient in practical VANETs environment.
Abstract: Vehicular ad hoc networks (VANETs) significantly improve the efficiency and safety of driving since they reduce traffic jams and avoid accidents, in which the necessary security goals are guaranteed using cryptographic methods. In reality, the computation efficiency is very important in implementing the protocol in VANETs. When a vehicle with high speed enters the coverage of a roadside unit (RSU), the computation overhead of authentication not only affects the communication experience, but also downgrades the driving safety. The feasible solution is to share a message in advance between vehicle and RSU with the help of a certification authority (CA); however, the CA can deduce the vehicle's route, which should be private. In this paper, a privacy-preserving and lightweight V2I authentication (PLVA) protocol is proposed. Specifically, in the beginning phase, all roadside units in a region are converted to a vector using the Moore curve technique; then, a vehicle deduces the RSUs' information on its planned route using BGN homomorphic encryption before the vehicle begins its trip, while the CA knows nothing about the route plan although it assists the above process. With the deduced RSUs' information, fast authentication is achieved between the vehicle and each RSU on its route. Moreover, performance evaluation illustrates that our PLVA is efficient in a practical VANETs environment.

34 citations


Journal ArticleDOI
TL;DR: Wang et al. as discussed by the authors proposed a novel privacy-preserving authentication protocol (P2BA) in bilinear groups, where a registered vehicle signs a traffic-related message and sends it to the nearby Road-side Unit (RSU) together with its blinded certificate.
Abstract: Vehicular Ad-hoc Networks (VANETs) supporting the seamless operation of autonomous vehicles introduce various network-connected devices. The widespread devices are engaged in VANETs so that users can enjoy advantageous computing and reliable services. The combination brings in massive real-time message propagation and dissemination, which would be leveraged by the adversaries to perform data association, integration analysis and privacy mining. To address such challenges, existing authentication schemes use $n$ pseudonym certificates for pre-defined $k$ times and try to keep the vehicles anonymous. These schemes require fresh certificates for each authentication process, which cost more communication and storage resources. In this paper, we propose a novel privacy-preserving authentication protocol (P2BA) in bilinear groups, where a registered vehicle signs a traffic-related message and sends it to the nearby Road-side Unit (RSU) together with its blinded certificate. The RSU is able to independently check the message for validity based on a non-interactive zero-knowledge proof protocol. In this way, the computation time has been reduced from $\mathcal {O}(n)$ to $\mathcal {O}(1)$ while the storage overhead from $\mathcal {O}(nk)$ to $\mathcal {O}(n)$ compared to anonymous authentication protocols. Moreover, our scheme provides privacy properties such as anonymity and unlinkability. The simulations show that the message authentication can be processed by individual RSUs within 1 ms under the batch-enabled scheme, which outperforms the existing schemes in terms of computation overhead and latency.

32 citations


Journal ArticleDOI
TL;DR: A secure and efficient message authentication protocol (SEMA) is proposed in this paper, which aims to achieve mutual authentication among vehicles and road-side units (RSUs) in VANETs by combining the advantages of pseudonyms-based and group-based methods.
Abstract: Message authentication and conditional privacy preservation are two critical security issues in vehicular ad hoc networks (VANETs), which have been extensively studied in recent years. To achieve these security goals, many information security technologies have been proposed so far. Among them, pseudonym-based and group-based message signing and verifying are two of the main methods adopted in recently published literature. However, analysis points out that both of the two technologies have their downsides. To address these issues, a secure and efficient message authentication protocol (SEMA) is proposed in this article, which aims to achieve mutual authentication among vehicles and road-side units (RSUs) in VANETs by combining the advantages of pseudonym-based and group-based methods. Security analysis shows that SEMA is robust to various security attacks. Performance evaluation demonstrates that SEMA is computationally lightweight on both vehicles and RSUs. Finally, simulations are performed to prove the feasibility in highway and urban environments.

32 citations


Journal ArticleDOI
TL;DR: A provable dynamic revocable three-factor MAKA protocol that achieves the user dynamic management using Schnorr signatures and provides a formal security proof in the random oracle and can meet various demands in the multi-server environments.
Abstract: With the maturity of cloud computing technology in terms of reliability and efficiency, a large number of services have migrated to the cloud platform. To conveniently access the services and protect the privacy of communication in the public network, three-factor Mutual Authentication and Key Agreement (MAKA) protocols for multi-server architectures gain wide attention. However, most of the existing three-factor MAKA protocols don't provide a formal security proof, resulting in various attacks on the related protocols, or they have high computation and communication costs. Also, most of the three-factor MAKA protocols don't have a dynamic revocation mechanism, so malicious users cannot be promptly revoked. To address these drawbacks, we propose a provable dynamic revocable three-factor MAKA protocol that achieves dynamic user management using Schnorr signatures and provides a formal security proof in the random oracle model. Security analysis shows that our protocol can meet various demands in multi-server environments. Performance analysis demonstrates that the proposed scheme is well suited for computing-resource-constrained smart devices. The full version of the simulation implementation proves the feasibility of the protocol.

30 citations


Journal ArticleDOI
TL;DR: This paper investigates the security vulnerabilities with in-vehicle network protocols such as CAN, automotive Ethernet, and FlexRay, and suggests a way to improve IVN security based on a hybrid blockchain.
Abstract: Modern vehicles are no longer simply mechanical devices. Connectivity between the vehicular network and the outside world has widened the security holes that hackers can use to exploit a vehicular network. Controller Area Network (CAN), FlexRay, and automotive Ethernet are popular protocols for in-vehicle networks (IVNs) and will stay in the industry for many more years. However, these protocols were not designed with security in mind. They have several vulnerabilities, such as lack of message authentication, lack of message encryption, and an ID-based arbitration mechanism for contention resolution. Adversaries can use these vulnerabilities to launch sophisticated attacks that may lead to loss of life and damage to property. Thus, the security of the vehicles should be handled carefully. In this paper, we investigate the security vulnerabilities with in-vehicle network protocols such as CAN, automotive Ethernet, and FlexRay. A comprehensive survey on security attacks launched against in-vehicle networks is presented along with countermeasures adopted by various researchers. Various algorithms have been proposed in the past for intrusion detection in IVNs. However, those approaches have several limitations that need special attention from the research community. Blockchain is a good approach to solving the existing security issues in IVNs, and we suggest a way to improve IVN security based on a hybrid blockchain.

28 citations


Journal ArticleDOI
TL;DR: A privacy-preserving node and message authentication scheme, along with a trust model was developed, which met the VANETs' security requirements and had a lower communication and computation overhead, compared to the other related works.

25 citations


Journal ArticleDOI
TL;DR: In this paper, the authors proposed a hash message authentication code/secure hash algorithmic (HMACSHA1) based robust, improved and lightweight authentication protocol for securing the Internet of Drones (IoD).
Abstract: The Internet-of-drones (IoD) environment is a layered network control architecture designed to maintain, coordinate, access, and control drones (or Unmanned Aerial Vehicles, UAVs) and facilitate drones' navigation services. The main entities in IoD are drones, ground station, and external user. Before operationalizing a drone in IoD, a control infrastructure is mandatory for securing its open network channel (Flying Ad Hoc Networks, FANETs). An attacker can easily capture data from the available network channel and use it for their own purpose. Its protection is challenging, as it must guarantee message integrity, non-repudiation, authenticity, and authorization amongst all the participants. Incredibly, without a robust authentication protocol, the task is a sensitive and challenging one to solve. This research focuses on the security of the communication path between drone and ground station and on solving the noted vulnerabilities like stolen-verifier, privileged-insider attacks, and outdated-data-transmission/design flaws often reported in the current authentication protocols for IoD. We propose a hash message authentication code/secure hash algorithm (HMAC-SHA1) based robust, improved and lightweight authentication protocol for securing IoD. Its security has been verified formally using the Random Oracle Model (ROM) and ProVerif 2.02, and informally using assumptions and pragmatic illustration. The performance evaluation proved that the proposed protocol is lightweight compared to prior protocols and is recommended for implementation in the real-world IoD environment.

21 citations


Journal ArticleDOI
Jie Cui, Fengqun Wang, Qingyang Zhang, Yan Xu, Hong Zhong
TL;DR: This work proposes a novel message authentication scheme that leverages group signature technology and proxy reencryption technology to ensure data integrity, confidentiality, and anonymity and proves the security of the scheme.
Abstract: As internet of things and other technologies are widely used in industrial manufacturing, automation and intelligence have witnessed rapid developments, resulting in the proposal of the industrial internet of things (IIoT). However, the IIoT still faces various network security threats; hence, data integrity, confidentiality, and anonymity need to be ensured. The use of cloud and edge servers as semitrusted third parties often results in the leaking of privacy sensitive user data. Meanwhile, existing security schemes treat the cloud and edge as fully trusted entities, which is not always valid. Considering edge servers as semitrusted entities, we propose a novel message authentication scheme that leverages group signature technology and proxy reencryption technology to ensure data integrity, confidentiality, and anonymity. Through theoretical analysis and performance comparison, we prove the security of our scheme. In addition, we implement our scheme on a real publish/subscribe system, and the experimental results show the feasibility of our scheme.

20 citations


Journal ArticleDOI
TL;DR: Securing Open Skies (SOS) is presented, a standard-compliant, backward-compatible, loss-tolerant, and bandwidth efficient security framework to secure ADS-B communications, and provides message authentication and integrity security services on a time-slot basis, without resorting to any public key cryptography mechanism.
Abstract: The Automatic Dependent Surveillance - Broadcast (ADS-B) technology, already deployed by the major avionics companies (e.g., QatarAirways and AmericanAirlines), will become mandatory on board of civil and military aircraft flying in Class A, B, and C airspaces by 2020, enabling direct airplane communications and enhanced flight monitoring. However, ADS-B has been designed without security considerations, thus being vulnerable to a variety of attacks, including message injection and message order manipulation attacks, that can be easily performed via widely available commercial Software Defined Radios. To address these threats, we present Securing Open Skies (SOS), a standard-compliant, backward-compatible, loss-tolerant, and bandwidth-efficient security framework to secure ADS-B communications. SOS leverages the real deployment of densely distributed, participatory ADS-B sensor networks such as OpenSky Network and Flight Radar, and provides message authentication and integrity security services on a time-slot basis, without resorting to any public key cryptography mechanism. Experimental performances obtained through a realistic proof-of-concept, deployed using commercial Ettus Research X310 Software Defined Radios, demonstrate the viability and effectiveness of our solution, even in the presence of uniformly at random or burst packet loss events characterizing the ADS-B frequency band. For instance, SOS allows the verification of the authenticity of ADS-B messages requiring less than 50 percent of bandwidth overhead, with a percentage of verifiable slots above 80 percent, even in a highly lossy environment, characterized by a single packet loss probability of 60 percent—the process requiring less than one second: almost one tenth of similar approaches published in the literature. Finally, a thorough comparison against state of the art solutions in the literature highlights the unique security and reliability features enjoyed by SOS, as well as its practical viability.

19 citations


Journal ArticleDOI
TL;DR: The use of four sets of coefficient values of the 2D chaotic map to generate pseudo-random number generators that can be used to encrypt and authenticate any digital data not only images is shown.
Abstract: This paper shows the use of four sets of coefficient values of the 2D chaotic map to generate pseudo-random number generators. We demonstrate that the generated sequences are random by applying the NIST 800-22a suite and TestU01 tests. The generated random sequences are used to implement a stream cipher and are applied to encrypt images. To detect if the images have been modified, we propose to use the random sequences as keys for a hash function based on the pseudo-dot product. This hash can be used as a message authentication code in the images to detect if the stored information has been compromised. The proposed schemes can be used to encrypt and authenticate any digital data, not only images. The random sequence generator is also tested on a high-performance STM32F746ZG microcontroller, obtaining a throughput of 173.35 Kbit/s.

Journal ArticleDOI
TL;DR: In this paper, a secure message authentication protocol for information exchange among entities of IoV (SMEP-IoV) is proposed based on secure symmetric lightweight hash functions and encryption operations.
Abstract: With the advancements in computation and communication technologies and the increasing number of vehicles, the concept of Internet of Vehicles (IoV) has emerged as an integral part of daily life, and it can be used to acquire vehicle-related information including road congestion, road description, vehicle location, and speed. Such information is very vital and can benefit in a variety of ways, including route selection. However, without proper security measures, the information transmission among entities of IoV can be exposed and used for wicked intentions. Recently, many authentication schemes were proposed, but most of those authentication schemes are prone to insecurities or suffer from heavy communication and computation costs. Therefore, a secure message authentication protocol is proposed in this study for information exchange among entities of IoV (SMEP-IoV). Based on secure symmetric lightweight hash functions and encryption operations, the proposed SMEP-IoV meets IoV security and performance requirements. For formal security analysis of the proposed SMEP-IoV, BAN logic is used. The performance comparisons show that the SMEP-IoV is lightweight and completes the authentication process in just .

Journal ArticleDOI
TL;DR: A three-factor authentication framework suitable for IoT-driven critical applications based upon identity, password and a digital signature scheme is proposed, which employs publish-subscribe pattern leveraging elliptical curve cryptography (ECC) and computationally low hash chains.

Journal ArticleDOI
TL;DR: The analysis shows that in some cases it is safe to use MAC and key sizes that are smaller than those proposed in best-practice guidelines, and particularize them for GNSS-TESLA protocols.
Abstract: Data and signal authentication schemes are being proposed to address Global Navigation Satellite Systems' (GNSS) vulnerability to spoofing. Due to the low power of their signals, the bandwidth available for authentication in GNSS is scarce. Since delayed-disclosure protocols, e.g., TESLA (timed-efficient stream loss-tolerant authentication), are efficient in terms of bandwidth and robust to signal impairments, they have been proposed and implemented by GNSS. The length of message authentication codes (MACs) and cryptographic keys are two crucial aspects of the protocol design as they have an impact on the utilized bandwidth, and therefore on the protocol performance. We analyze both aspects in detail for GNSS-TESLA and present recommendations for efficient yet safe MAC and key lengths. We further complement this analysis by proposing possible authentication success and failure policies and quantify the reduction of the attack surface resulting from employing them. The analysis shows that in some cases it is safe to use MAC and key sizes that are smaller than those proposed in best-practice guidelines. While some of our considerations are general to delayed-disclosure lightweight protocols for data and signal authentication, we particularize them for GNSS-TESLA protocols.

Journal ArticleDOI
TL;DR: This article proposes an efficient, secure, and privacy-preserving message authentication scheme for IoT that supports IoT devices with different cryptographic configurations and allows offline/online computation, making it more versatile and efficient than the previous solutions.
Abstract: As an essential element of the next generation Internet, Internet of Things (IoT) has been undergoing an extensive development in recent years. In addition to the enhancement of people's daily lives, IoT devices also generate/gather a massive amount of data that could be utilized by machine learning and big data analytics for different applications. Due to the machine-to-machine communication nature of IoT, data security and privacy are crucial issues that must be addressed to prevent different cyber attacks (e.g., impersonation and data pollution/poisoning attacks). Nevertheless, due to the constrained computation power and the diversity of IoT devices, it is a challenging problem to develop lightweight and versatile IoT security solutions. In this article, we propose an efficient, secure, and privacy-preserving message authentication scheme for IoT. Our scheme supports IoT devices with different cryptographic configurations and allows offline/online computation, making it more versatile and efficient than the previous solutions.

Journal ArticleDOI
TL;DR: This article proposes an identity-based message authentication scheme that uses online/offline signatures, provides and protects the integrity of messages during the transmission of data over an insecure network, and is existentially unforgeable against chosen message attack.
Abstract: Securing messages and protecting them from tampering during transmission in wireless sensor networks is a challenging task. Using message authentication schemes provides security and authentication, but with a high computational and communication cost. Sensors are highly constrained in terms of computational capabilities and power consumption. Therefore, computation is divided into two phases: online (at the sensor) and offline (at a more powerful central node). Moreover, public keys are generated based on the identities to reduce communication overhead. In this article, we propose an identity-based message authentication scheme that uses online/offline signatures. We prove that the scheme provides and protects the integrity of messages during the transmission of data over an insecure network. Our scheme is existentially unforgeable against chosen message attack.

Book ChapterDOI
01 Jan 2021
TL;DR: In this paper, the ED25519 algorithm was used to make the digital signature more secure by using an asymmetric algorithm, and the signature will be converted into a different byte number, which will make the security system stronger.
Abstract: Nowadays, each and every system needs proper security. Only proper security can save important documents. There are different types of security systems that people use for safety. Digital Signature is one kind of security system. Digital Signature is the public key primitive of different types of message authentication. Digital signature is one kind of technique that converts the handwritten signature into digital data. It is one kind of cryptographic value that is calculated from the data and a secret private key which is only known by the signer. In this paper, we want to make the digital signature more secure by using the ED25519 algorithm, which is an asymmetric algorithm. In this algorithm, the signature will be converted into a different byte number, which will make the security system stronger.

Journal ArticleDOI
TL;DR: A novel dual-pointer (including the forward pointer and the backward pointer) solution is proposed; the Message Authentication Code (MAC) size of each message is dynamically adjusted by presenting the dual-pointer movement rules until the total payload no longer increases.
Abstract: The rise of autonomous driving technology and the prosperity of mobile vehicular applications have brought tremendous pressure and put forward high bandwidth and low latency requirements for vehicular networks. Controller Area Network with Flexible Data-rate (CAN-FD) is a feasible choice to meet the high bandwidth and low latency requirements of in-vehicle communication of mobile vehicles. However, CAN-FD is vulnerable to masquerade attacks because it lacks necessary security authentication mechanisms and protection measures. This study presents a security enhancement technique called forward-backward exploration for independent in-vehicle CAN-FD messages while still guaranteeing each message is real-time. In the forward-backward exploration solution, a novel dual-pointer (including the forward pointer and the backward pointer) solution is proposed; the Message Authentication Code (MAC) size of each message is then dynamically adjusted by presenting the dual-pointer movement rules until the total payload no longer increases. Experimental results with real-life CAN-FD message set provided by an automaker demonstrate the effectiveness of our solution.

Journal ArticleDOI
TL;DR: The proposed protocol is extremely effective to secure the sensing information of the device node wherever they are moving and additionally, it is accustomed to offer secure data transmission between the node and web client.
Abstract: Today, Wireless Sensor Networks (WSNs) are widely used for general purposes. With the propagation of the Internet of Things (IoT), security issues arise wherever healthcare devices are used exclusively for data transfer protocols. These network protocols are easily susceptible to attack. Although it is problematic to save sensing information from the body sensors, the loss of signal messages will often occur in an IoT environment. Thus security is a supreme requirement in health care applications, especially in the case of patient privacy. In this paper, an IoT health care communication system is designed to implement the integration using the CoAP based Secure-aware Mobility Management Protocol (CoSMP) in a Wireless Body Area Network (WBAN) based IoT environment. The proposed protocol is extremely effective to secure the sensing information of the device nodes wherever they are moving and additionally, it is accustomed to offer secure data transmission between the node and web client. Our protocol establishes a pairwise key between the networks according to an exact algorithm, namely the Advanced Encryption Standard Cipher Feedback Message Authentication Code (AES-CFMAC) algorithm, and the handover operation can be authenticated by the Elliptic Curve Digital Signature Algorithm (ECDSA). Numerical analysis and performance results show that the proposed scheme is simulated in terms of network delay and handover delay. Experimental results depict that the proposed protocol has been compared with the previous protocol in terms of security and mobility management. Hence, the numerical result is evaluated based on the measures of Total Transmission Delay (TTD) on the variation of wireless link delay, sensor node delay, link failure probability delay, and hop count between the gateway and WMMS in the network delay, with the low delays of 303.55, 1.6, 700 and 80 ms respectively, and also the performance measures of Handover Delay (HD) achieve 1212.5, 1.212, 49.46 and 1453.8 ms respectively. The percentage in terms of the performance measures of TTD and HD compared between the proposed and existing schemes resulted in (COMP = 0.3632%, COMP-G = 0.2712% and COSMP = 0.2532%) and (COMP = 0.3188%, COMP-G = 0.2421% and COSMP = 0.2133%) respectively.

Journal ArticleDOI
20 Sep 2021
TL;DR: This research resulted in the use of hash algorithms in verifying the integrity and authenticity of certificate information by selecting the hash type SHA-256 because it can be calculated faster with a better level of security.
Abstract: The hash function is the most important cryptographic primitive function and is an integral part of the blockchain data structure. Hashes are often used in cryptographic protocols and information security applications such as Digital Signatures and message authentication codes (MACs). In the current development of certificate data security, there are 2 (two) types of hashes that are widely applied, namely MD and SHA. However, when it comes to efficiency, in this study the hash type SHA-256 is used because it can be calculated faster with a better level of security. In the hypothesis, the Merkle-Damgard construction method is also proposed to support data integrity verification. Moreover, a cryptographic hash function is a one-way function that converts input data of arbitrary length and produces output of a fixed length, so that it can be used to securely authenticate users without storing passwords locally. Since cryptographic hash functions basically have many different uses in various situations, this research resulted in the use of hash algorithms in verifying the integrity and authenticity of certificate information.

Journal ArticleDOI
TL;DR: This study proposes the security enhancement for a real-time parallel in-vehicle application adopting a two-stage method that obtains the lower bound of an in-vehicle application by quickly abandoning most of the sequences and enhances security by adding Message Authentication Codes (MACs) to messages, taking advantage of the laxity interval from the lower bound to the deadline.
Abstract: Controller Area Network with Flexible Data-rate (CAN FD) is beneficial for the in-vehicle communication of Internet of Connected Vehicles (IoCVs) because of its high bandwidth and data field length. However, CAN FD lacks a security authentication mechanism, making it extremely vulnerable to masquerade attacks. This study proposes the security enhancement for a real-time parallel in-vehicle application adopting a two-stage method. The first stage obtains the lower bound of an in-vehicle application by quickly abandoning most of the sequences, while the second stage enhances security by adding Message Authentication Codes (MACs) to messages, taking advantage of the laxity interval from the lower bound to the deadline. Experiments with an example and the adaptive cruise control in-vehicle application show the advantage of the proposed two-stage method in increasing the total byte size of MACs.

Journal ArticleDOI
TL;DR: The proposed EASSAIV scheme can gather, process, and verify the information delivered to roadside units, UAVs, or to the vehicles and authenticate the received messages and achieved better performance as compared to state of the art scheme in terms of safety, packet loss, delay and computational cost.

Journal ArticleDOI
TL;DR: A secure and efficient V2V message communication protocol (VCom) for vehicle users using a low-cost function (i.e., SHA-256) while preserving user anonymity is proposed; test-bed implementation results show that VCom is comparatively efficient in computational cost, communication overhead, storage cost, and energy consumption.
Abstract: Vehicles are especially capable of exchanging pertinent information with nearby vehicles. However, there are multiple challenges like secure data exchange, fast message transmission, dynamic topology, and user data protection while transmitting relevant information between moving vehicles on the road. Therefore, researchers suggested different vehicle-to-vehicle (V2V) message communication and verification mechanisms, but they are vulnerable to crucial security attacks. Furthermore, the existing V2V communication schemes require relatively high operational costs for the implementation, taking more time and computational resources for road safety and traffic data exchanges. In this article, we propose a secure and efficient V2V message communication protocol (named VCom) for vehicle users using a low-cost function (i.e., SHA-256) while preserving user anonymity. The security proof and analysis are discussed for VCom to confirm its security and user privacy strengths against different security attributes and attacks. The test-bed implementation results show that VCom is comparatively efficient in computational cost, communication overhead, storage cost, and energy consumption.

Journal ArticleDOI
TL;DR: This paper proposes a lightweight traceable D2D authentication and key agreement protocol (LT-AKA) based on the existing 3GPP 5G mobile networks that uses randomly generated hash-based message authentication codes (HMAC) to guarantee message authorship, and Elliptic Curve Diffie-Hellman to facilitate secure key exchange.

Journal ArticleDOI
TL;DR: Security analysis and performance evaluation show that the proposed protocol outperforms existing schemes in terms of security features, computation cost, and communication cost.
Abstract: Secure message transmission in vehicular communications in smart cities is still a challenging task. Most related work employs a Public Key Infrastructure and Certificate Revocation Lists (CRLs) to ensure security and privacy. However, these works suffer from issues such as 1) the time-consuming checking process and huge size of CRLs, 2) traceability attacks that link unencrypted Basic Safety Messages (BSMs), and 3) extraction of secret keys from the storage of parked vehicles or road-side units (RSUs) by an adversary. To address these issues, we propose a physically secure privacy-preserving message authentication protocol using a Physical Unclonable Function (PUF) and Secret Sharing. The proposed protocol guarantees security and privacy against passive and active attacks even under memory leakage. The entities (i.e., vehicles and the RSU) use their PUF to reconstruct a secret polynomial share so that pairwise temporal secret keys (PTKs) can be established with other entities. Unlike existing protocols, BSMs are also encrypted in our protocol (under the PTKs) to provide a higher level of security and thwart vehicle traceability attacks. To revoke a vehicle, the RSU need not broadcast CRLs; instead, it distributes only a secure offset key using threshold Secret Sharing. Consequently, our revocation checking process has computational complexity O(1). Our protocol also eliminates the need for a third party in Vehicle-to-Vehicle communication, ensuring expeditious transmission. Security analysis and performance evaluation show that our proposed protocol outperforms existing schemes in terms of security features, computation cost, and communication cost.
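The abstract names polynomial shares and threshold secret sharing but not the exact construction. The Python below is an added example, not the paper's protocol, and assumes a Blundo-style symmetric bivariate polynomial: a dealer (the RSU role here) gives entity i the univariate share f(i, y), and any two entities compute the same field element f(i, j) = f(j, i) with no third party involved, which a hash then turns into a pairwise temporal key. The in-memory share stands in for the PUF-reconstructed one, the SHA-256 derivation with an epoch label is an assumed KDF, and the revocation offset is not modelled. The collude function shows the scheme's threshold: t+1 pooled shares reconstruct any pairwise secret, so t bounds the number of compromised or revoked entities a deployment can tolerate before every PTK is exposed.

```python
"""Polynomial key predistribution for pairwise temporal keys (added example)."""
import hashlib
import secrets
from typing import List

P = (1 << 127) - 1   # prime field for the polynomial arithmetic (fits in 16 bytes)


def gen_symmetric_poly(t: int) -> List[List[int]]:
    """Random f(x, y) = sum a[i][j] x^i y^j with a[i][j] == a[j][i] and degree t
    in each variable. Only the dealer ever holds these coefficients."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(P)
    return a


def issue_share(a: List[List[int]], entity_id: int) -> List[int]:
    """Univariate share g(y) = f(entity_id, y): coefficient c[j] = sum_i a[i][j] id^i.
    entity_id must be non-zero and unique per entity."""
    t = len(a) - 1
    share = []
    for j in range(t + 1):
        s, xi = 0, 1
        for i in range(t + 1):
            s = (s + a[i][j] * xi) % P
            xi = xi * entity_id % P
        share.append(s)
    return share


def pairwise_secret(share: List[int], peer_id: int) -> int:
    """f(own_id, peer_id); because f is symmetric the peer computes the same value."""
    return sum(c * pow(peer_id, j, P) for j, c in enumerate(share)) % P


def ptk(share: List[int], peer_id: int, epoch: bytes) -> bytes:
    """Pairwise temporal key: assumed KDF = SHA-256(shared element || epoch label)."""
    secret = pairwise_secret(share, peer_id).to_bytes(16, "big")
    return hashlib.sha256(secret + epoch).digest()


def lagrange_at(ids: List[int], k: int, x: int) -> int:
    """Lagrange basis polynomial L_k evaluated at x over GF(P)."""
    num, den = 1, 1
    for m, idm in enumerate(ids):
        if m != k:
            num = num * (x - idm) % P
            den = den * (ids[k] - idm) % P
    return num * pow(den, P - 2, P) % P


def collude(shares: List[List[int]], ids: List[int], u: int, v: int) -> int:
    """With t+1 shares, interpolate f(u, y) = sum_k L_k(u) f(id_k, y) and evaluate at v:
    the colluders recover the secret between any two entities u and v."""
    return sum(lagrange_at(ids, k, u) * pairwise_secret(sh, v)
               for k, sh in enumerate(shares)) % P


if __name__ == "__main__":
    poly = gen_symmetric_poly(t=2)                    # constructed: tolerates 2 colluders
    car, rsu = issue_share(poly, 17), issue_share(poly, 42)
    print(ptk(car, 42, b"epoch-1") == ptk(rsu, 17, b"epoch-1"))    # True
    ids = [3, 5, 8]                                    # three compromised entities
    stolen = [issue_share(poly, i) for i in ids]
    print(collude(stolen, ids, 17, 42) == pairwise_secret(car, 42))  # True: t+1 > t
```

In the paper the share never sits in non-volatile memory; it is regenerated from the PUF response, which is what makes the memory-leakage claim possible. The threshold t is a deployment parameter: larger t means larger shares (t+1 field elements) and more evaluation work per PTK.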

Journal ArticleDOI
TL;DR: In this paper, the authors present a joint Chimera/OSNMA scheme for a multi-constellation receiver that already exploits both OSNMA and Chimera, to strengthen the robustness of navigation signals against spoofing attacks.
Abstract: Authentication of navigation signals can be considered the system's contribution to robustness against spoofing attacks, and it is becoming an important requirement for a growing number of user communities. The GPS and Galileo systems are proposing evolutions of their civil signals to embed authentication features. For Galileo, the Open Service Navigation Message Authentication (OSNMA) is integrated in the Galileo E1 OS signal. For GPS, the Chips-Message Robust Authentication (Chimera) solution, designed for the GPS L1C signal, is foreseen to be tested soon. On the other hand, suitable signal processing techniques can be implemented inside the receiver to monitor the quality of the received signals and protect against spoofing attacks. Such techniques work as a complement to the authentication strategies, further increasing the signals' robustness. Within this context, the paper presents the Joint Chimera/OSNMA scheme, designed to be adopted by a multi-constellation receiver that already exploits both OSNMA and Chimera. The idea is to further strengthen robustness beyond the individual use of the two solutions, to tackle sophisticated spoofing attacks that are able to avoid detection by navigation message authentication (NMA) techniques. The manuscript demonstrates the high performance of the joint scheme, presenting the results of a broad set of tests under different spoofing scenarios and user conditions.

Journal ArticleDOI
30 Aug 2021-Sensors
TL;DR: In this paper, the authors proposed a key management protocol for LoRaWAN, which is based on hash chain generation using a one-way hash function to resolve the session key generation and key update problems.
Abstract: Recently, many Low Power Wide Area Network (LPWAN) protocols have been proposed for securing resource-constrained Internet of Things (IoT) devices with negligible power consumption. The Long Range Wide Area Network (LoRaWAN) is a low-power communication protocol that supports message authentication, integrity, and encryption using two preshared session keys. However, although LoRaWAN supports some security functions, it suffers from session key generation and key update problems. This motivates us to introduce a new key management protocol that resolves the LoRaWAN problems and supports key updates. The proposed protocol is based on hash chain generation using a one-way hash function. Network entities share a common hash chain of n key elements, allowing a unique signing key per message. We also propose a salt hashing algorithm that transforms the original keys into a different form to resist physical attacks on the end device. We analyzed the proposed key generation performance in terms of computation time, required storage, and communication overhead. We implemented and tested the proposed key generation protocol using the NS-3 network simulator. The proposed lightweight key generation protocol significantly enhances the security of the original LoRaWAN at negligible overhead. The proposed protocol reduces power consumption and transmission time by a factor of two compared with some previous protocols. In addition, the proposed key generation protocol can resist attacks such as key compromise attacks and replay attacks, and it supports Perfect Forward Secrecy, which LoRaWAN does not.
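As an added example (not the paper's implementation), the Python below shows the per-message key idea with a shared one-way hash chain: both ends derive K_0 = H(seed) and K_{i+1} = H(K_i), keep only the current element in memory, and authenticate frame i with HMAC(K_i, ·) truncated to LoRaWAN's 4-byte MIC size. The chain direction, the 4-byte tag and the seed are assumptions, and the paper's salt-hashing step is not modelled. Because used elements are erased and H is one-way, a device captured at index i cannot verify or forge frames 0..i-1; it can, however, derive every later element, which is the limit of what a hash chain gives and why the chain must be replaced by a key update once exhausted or suspected compromised.

```python
"""Per-message MAC keys from a shared one-way hash chain (added example)."""
import hashlib
import hmac
import struct

MIC_LEN = 4   # LoRaWAN frames carry a 4-byte MIC; the same size is kept here


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class ChainEndpoint:
    """One side of the chain: K_0 = H(seed), K_{i+1} = H(K_i).
    Only the current element is stored; consumed elements are erased, so state
    captured at index i does not reveal K_0..K_{i-1}."""

    def __init__(self, seed: bytes, length: int):
        self.key = H(seed)        # K_0
        self.index = 0
        self.length = length      # n elements, then a key update is required

    def peek(self, idx: int) -> bytes:
        """Derive K_idx without consuming it (used before the MIC is checked)."""
        if idx < self.index:
            raise ValueError("element %d already consumed" % idx)
        if idx >= self.length:
            raise ValueError("chain exhausted; run key update")
        k = self.key
        for _ in range(idx - self.index):
            k = H(k)
        return k

    def consume(self, idx: int) -> bytes:
        k = self.peek(idx)
        self.key = H(k)           # ratchet: K_idx and earlier can no longer be derived
        self.index = idx + 1
        return k


def protect(sender: ChainEndpoint, payload: bytes) -> bytes:
    """frame = index || payload || MIC, MIC = HMAC-SHA256(K_index, index || payload)[:4]."""
    idx = sender.index
    k = sender.consume(idx)
    header = struct.pack(">I", idx)
    mic = hmac.new(k, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


def verify(receiver: ChainEndpoint, frame: bytes):
    """Return (ok, payload). The element is consumed only after a valid MIC, so a
    forged frame with a far-future index cannot burn the receiver's chain."""
    if len(frame) < 4 + MIC_LEN:
        return False, None
    idx = struct.unpack(">I", frame[:4])[0]
    body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    try:
        k = receiver.peek(idx)
    except ValueError:            # replayed index or exhausted chain
        return False, None
    expected = hmac.new(k, body, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return False, None
    receiver.consume(idx)
    return True, body[4:]


if __name__ == "__main__":
    seed = b"constructed-demo-seed"     # constructed; shared out of band at provisioning
    dev, gw = ChainEndpoint(seed, 8), ChainEndpoint(seed, 8)
    f0, f1, f2 = protect(dev, b"temp=21"), protect(dev, b"temp=22"), protect(dev, b"temp=23")
    print(verify(gw, f0))     # (True, b'temp=21')
    print(verify(gw, f2))     # (True, b'temp=23'): f1 was lost, gateway skips ahead
    print(verify(gw, f1))     # (False, None): late or replayed frame
```

Lost uplinks are handled by letting the receiver skip forward, at the cost of hashing once per skipped element; bounding that skip (a window) is what stops a bogus index from forcing a long derivation loop.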

Journal ArticleDOI
TL;DR: A lightweight MAA that provides data integrity and source authentication is proposed; it is based on a dynamic key structure with a single round and simple operations, is immune to existing attacks, and requires low overhead in terms of computational and storage resources.
Abstract: Security and privacy concerns have emerged as critical challenges in the Internet-of-Things (IoT) era. These issues need to be carefully addressed because of the sensitive data within IoT systems. However, some IoT devices have various limitations in terms of energy, memory capacity, and computational resources, which makes them extremely vulnerable to security attacks. Data integrity with source authentication is an essential security service for protecting the value and utility of IoT data. Existing message authentication algorithms (MAAs), which are based either on block ciphers or on keyed hash functions, require multiple rounds and complex operations, which leads to unacceptable overhead for resource-limited devices and delay-sensitive applications. Moreover, the high number of connected IoT devices generates a huge amount of data, which challenges even the capacity of powerful network devices to handle the security of such Big Data. The protection of such amounts of generated data therefore calls for lightweight security solutions. In this paper, we propose a lightweight MAA that provides data integrity and source authentication. The proposed solution is based on a dynamic key structure with a single round and simple operations. The cryptographic primitives used (substitution and permutation tables) are dynamic and are updated for each new input message using specific update primitives. The dynamic structure of the proposed MAA allows the required number of rounds to be reduced to just one while maintaining a high degree of security. The security test results show that the proposed keyed hash functions (1) achieve the desired cryptographic properties, (2) are immune to existing attacks, and (3) require low overhead in terms of computational and storage resources.

Journal ArticleDOI
TL;DR: A prototype implementation on a low-cost commodity embedded system shows that the MAC-enabled SV message can protect the integrity and authenticity of process bus communication in the digital substation with negligible time delay.
Abstract: IEC61850 is the mainstream standard for substation automation. This paper presents practical considerations and an analysis for implementing a secure sampled measured value (SeSV) message in a substation automation system. Because the standard lacks security features, IEC Working Group 15 of Technical Committee 57 published IEC62351 on security for IEC61850 profiles. However, authentication methods for SV based on the IEC62351 standards are still not integrated, and their computational requirements and performance have not been validated and tested with commercial-grade equipment. Hence, this paper shows the performance of security-enabled SeSV packets transmitted between protection and control devices by appending a message authentication code (MAC) to the extended IEC61850 packets. A prototype implementation on a low-cost commodity embedded system shows that the MAC-enabled SV message can protect the integrity and authenticity of process bus communication in the digital substation with negligible time delay.