Your search keyword '"Gurtov, A."' showing total 40 results

1. SAVAH: Source Address Validation with Host Identity Protocol

Author

Kuptsov, Dmitriy, Gurtov, Andrei, Akan, Ozgur, Series editor, Bellavista, Paolo, Series editor, Cao, Jiannong, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Coulson, Geoffrey, Series editor, Schmidt, Andreas U., editor, and Lian, Shiguo, editor

Published

2009

2. Traversing Middleboxes with the Host Identity Protocol

Author

Tschofenig, Hannes, Gurtov, Andrei, Ylitalo, Jukka, Nagarajan, Aarthi, Shanmugam, Murugaraj, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Dough, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Boyd, Colin, editor, and González Nieto, Juan Manuel, editor

Published

2005

3. IoT and HIP's Opportunistic Mode

Author

Ariel Stulman, Andrei Gurtov, and Adel Fuchs

Subjects

Authentication, Computer Networks and Communications, computer.internet_protocol, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Trusted third party, Man-in-the-middle attack, Computer security, computer.software_genre, Mode (computer interface), Multihoming, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Confidentiality, Host Identity Protocol, Electrical and Electronic Engineering, computer, Software

Abstract

Key sharing has always been a complex issue. It became even more challenging for the Internet of Things (IoT), where a trusted third party for global management rarely exists. With authentication and confidentiality lacking, things resort to a leap of faith (LoF) paradigm where it is assumed that no attacker is present during the initial configuration. In this paper we focus on the Host Identity Protocol (HIP), specifically designed to provide mobility and multihoming capabilities. Although HIP is normally based on many strict security mechanisms (e.g., DNSSEC), it also provides a better than nothing opportunistic mode, based on the LoF paradigm, which is to be used when other more trusted mechanisms are not available. In this paper, we analyze different MiTM attacks which might occur under this opportunistic mode. Taking advantage of HIP's multihoming capabilities, we propose two key spraying techniques which strengthen the opportunistic mode's security. The first technique spreads the four key-exchange messages among different networks, while the second spreads fractions of one of those messages. Evaluation of these techniques is provided, demonstrating the major benefit of our proposal.

Published

2021

4. Lightweight Authentication and Key Agreement for Smart Metering in Smart Energy Networks

Author

Andrei Gurtov, Andrew P. Martin, Pardeep Kumar, Mangal Sain, and Phuong Hoai Ha

Subjects

Scheme (programming language), General Computer Science, Computer science, Cryptography, 02 engineering and technology, Electrical Engineering, Electronic Engineering, Information Engineering, Computer security, computer.software_genre, Domain (software engineering), Server, 0202 electrical engineering, electronic engineering, information engineering, Session key, Elektroteknik och elektronik, computer.programming_language, smart metering infrastructure, Authentication, business.industry, smart energy networks, 020208 electrical & electronic engineering, key agreement, 020206 networking & telecommunications, business, computer, Anonymity, Efficient energy use

Abstract

Smart meters are considered as foundational part of the smart metering infrastructure (SMI) in smart energy networks. Smart meter is a digital device that makes use of twoway communication between consumer and utility to exchange, manage and control energy consumptions within a home. However, despite all the features, a smart meter raises several securityrelated concerns. For instance, how to exchange data between the legal entities (e.g., smart meter and utility server) while maintaining privacy of the consumer. To address these concerns, authentication and key agreement in SMI can provide important security properties that not only to maintain a trust between the legitimate entities but also to satisfy other security services. This work presents a lightweight authentication and key agreement (LAKA) that enables trust, anonymity, integrity and adequate security in the domain of smart energy network. The proposed scheme employs hybrid cryptography to facilitate mutual trust (authentication), dynamic session key, integrity, and anonymity. We justify the feasibility of the proposed scheme with a testbed using 802.15.4 based device (i.e., smart meter). Moreover, through the security and performance analysis, we show that the proposed scheme is more effective and energy efficient compared to the previous schemes. Funding agencies: U.K. EPSRC (Security and Privacy in Smart Grid Systems: Countermeasure and Formal Verification) [EP/N020170/1]; Center for Industrial Informatics; Research Council of Norway through PREAPP Project [231746/F20]; Research Council of Norway through eX3 Proje

Published

2019

5. Realization of Mobile Femtocells: Operational and Protocol Requirements

Author

Namal, Suneth, Liyanage, Madhusanka, and Gurtov, Andrei

Published

2013

6. A Security Model for Controller-Pilot Data Communication Link

Author

An Breaken, Andrei Gurtov, Suleman Khan, and Pardeep Kumar

Subjects

050210 logistics & transportation, Authentication, business.industry, Computer science, 05 social sciences, Byte, 020206 networking & telecommunications, Cryptography, Controller–pilot data link communications, 02 engineering and technology, Computer security model, Encryption, Communications system, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), business, Computer network

Abstract

Communication systems in aviation tend to focus on safety rather than security. Protocols such as ADS-B are known to use plain-text, unauthenticated messages and thus are open to various attacks. Controller-Pilot Data Communication Link is no exception and was shown vulnerable also in practice. In this paper, we propose a cryptographic mechanism to provide secure mobility for CPDLC that can enable data encryption and authentication. The protocol is formally verified with the Proverif tool. We also estimate the byte overhead in CPDLC use.

Published

2021

7. Secure and Efficient Reactive Video Surveillance for Patient Monitoring

Author

An Braeken, Pawani Porambage, Andrei Gurtov, and Mika Ylianttila

Subjects

patient monitoring, visual sensor networks, security, privacy, authentication, Chemical technology, TP1-1185

Abstract

Video surveillance is widely deployed for many kinds of monitoring applications in healthcare and assisted living systems. Security and privacy are two promising factors that align the quality and validity of video surveillance systems with the caliber of patient monitoring applications. In this paper, we propose a symmetric key-based security framework for the reactive video surveillance of patients based on the inputs coming from data measured by a wireless body area network attached to the human body. Only authenticated patients are able to activate the video cameras, whereas the patient and authorized people can consult the video data. User and location privacy are at each moment guaranteed for the patient. A tradeoff between security and quality of service is defined in order to ensure that the surveillance system gets activated even in emergency situations. In addition, the solution includes resistance against tampering with the device on the patient’s side.

Published

2016

8. Analyzing Internet-connected industrial equipment

Author

Adam Hansson, Mohammad Khodari, and Andrei Gurtov

Subjects

Industrial equipment, Authentication, Exploit, business.industry, Computer science, Industrial control system, Computer security, computer.software_genre, Server, The Internet, Internet of Things, business, computer, Vulnerability (computing)

Abstract

The search engine Shodan crawls the Internet to collect banners from Internet connected devices. When making this information publicly available, anyone can search and find these devices. Results from Shodan show that it is not only web or mail servers that are connected, but also industrial Control Systems (ICS) and Internet of Things (IoT) devices. Some of these devices use protocols that were invented more than 20 years ago. These protocols are not designed to be exposed on the Internet and since they lack security mechanisms, they are vulnerable to attacks. With help from Shodan we have searched for vulnerable devices using search queries corresponding to ICS and IoT protocols. To find the security flaws in protocols, we utilized the vulnerability and exploit database Rapid7. Our results indicate that there are several hundreds of online devices that are vulnerable in Sweden.

Published

2018

9. Lightweight and Secure Session-Key Establishment Scheme in Smart Home Environments

Author

Andrei Gurtov, Jari Iinatti, Mangal Sain, Pardeep Kumar, and Mika Ylianttila

Subjects

Engineering, Access control, security, 02 engineering and technology, Computer security, computer.software_genre, Security token, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Session key, ta518, Electrical and Electronic Engineering, Instrumentation, ta515, USER AUTHENTICATION, ta113, ta112, Authentication, ta213, business.industry, Wireless network, access control, 020206 networking & telecommunications, APPLIANCES, WIRELESS SENSOR NETWORKS, Key distribution in wireless sensor networks, smart homes, ta5141, 020201 artificial intelligence & image processing, business, computer, Wireless sensor network, Computer network

Abstract

The proliferation of current wireless communications and information technologies have been altering humans lifestyle and social interactions—the next frontier is the smart home environments or spaces. A smart home consists of low capacity devices (e.g., sensors) and wireless networks, and therefore, all working together as a secure system that needs an adequate level of security. This paper introduces lightweight and secure session key establishment scheme for smart home environments. To establish trust among the network, every sensor and control unit uses a short authentication token and establishes a secure session key. The proposed scheme provides important security attributes including prevention of various popular attacks, such as denial-of-service and eavesdropping attacks. The preliminary evaluation and feasibility tests are demonstrated by the proof-of-concept implementation. In addition, the proposed scheme attains both computation efficiency and communication efficiency as compared with other schemes from the literature.

Published

2016

10. IoT and HIP's Opportunistic Mode.

Author

Fuchs, Adel, Stulman, Ariel, and Gurtov, Andrei

Subjects

INTERNET of things, IP networks, COMPUTER access control

Abstract

Key sharing has always been a complex issue. It became even more challenging for the Internet of Things (IoT), where a trusted third party for global management rarely exists. With authentication and confidentiality lacking, things resort to a leap of faith (LoF) paradigm where it is assumed that no attacker is present during the initial configuration. In this paper we focus on the Host Identity Protocol (HIP), specifically designed to provide mobility and multihoming capabilities. Although HIP is normally based on many strict security mechanisms (e.g., DNSSEC), it also provides a better than nothing opportunistic mode, based on the LoF paradigm, which is to be used when other more trusted mechanisms are not available. In this paper, we analyze different MiTM attacks which might occur under this opportunistic mode. Taking advantage of HIP's multihoming capabilities, we propose two key spraying techniques which strengthen the opportunistic mode's security. The first technique spreads the four key-exchange messages among different networks, while the second spreads fractions of one of those messages. Evaluation of these techniques is provided, demonstrating the major benefit of our proposal. [ABSTRACT FROM AUTHOR]

Published

2021

11. Secure Hierarchical VPLS Architecture for Provider Provisioned Networks

Author

Andrei Gurtov, Madhusanka Liyanage, and Mika Ylianttila

Subjects

General Computer Science, computer.internet_protocol, Computer science, Distributed computing, Data security, Hierarchical, VPN, Forwarding plane, General Materials Science, Host Identity Protocol, Authentication, HIP, business.industry, Testbed, General Engineering, Local area network, Scalability, Provisioning, VPLS, Software deployment, Security, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, computer, lcsh:TK1-9971, Computer network, Private network

Abstract

Virtual private LAN service (VPLS) is a Layer 2 virtual private network technique that has gained enormous popularity in industrial networks. However, the deployment of legacy VPLS architectures in large-scale networks is challenging due to unresolved security and scalability issues. In this paper, we propose a novel hierarchical VPLS architecture based on host identity protocol. The proposed architecture tackles both security and scalability issues in legacy VPLS architectures. It secures the VPLS network by delivering vital security features such as authentication, confidentiality, integrity, availability, and secured control protocol. The security analysis and simulation results confirm that the proposed architecture is protected from various IP-based attacks as well. Theoretical analysis and simulation results have also verified that the proposed architecture provides scalability in control, forwarding, and security planes. Finally, the data plane performance of the proposed architecture is measured in a real-world testbed implementation.

Published

2015

12. Anonymous Secure Framework in Connected Smart Home Environments

Author

Phuong Hoai Ha, An Braeken, Jari Iinatti, Andrei Gurtov, Pardeep Kumar, Industrial Sciences and Technology, Digital Mathematics, and Engineering Technology

Subjects

Smart Home, Computer science, smart home, Computer Networks and Communications, Internet of Things, unlinkability, 02 engineering and technology, Computer security, computer.software_genre, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Session key, Safety, Risk, Reliability and Quality, AKA, Authentication, anonymity, business.industry, key agreement, 020206 networking & telecommunications, Intervention (law), Identity (object-oriented programming), 020201 artificial intelligence & image processing, The Internet, business, computer, Anonymity

Abstract

The smart home is an environment, where heterogeneous electronic devices and appliances are networked together to provide smart services in a ubiquitous manner to the individuals. As the homes become smarter, more complex, and technology dependent, the need for an adequate security mechanism with minimum individual’s intervention is growing. The recent serious security attacks have shown how the Internet-enabled smart homes can be turned into very dangerous spots for various ill intentions, and thus lead the privacy concerns for the individuals. For instance, an eavesdropper is able to derive the identity of a particular device/appliance via public channels that can be used to infer in the life pattern of an individual within the home area network. This paper proposes an anonymous secure framework (ASF) in connected smart home environments, using solely lightweight operations. The proposed framework in this paper provides efficient authentication and key agreement, and enables devices (identity and data) anonymity and unlinkability. One-time session key progression regularly renews the session key for the smart devices and dilutes the risk of using a compromised session key in the ASF. It is demonstrated that computation complexity of the proposed framework is low as compared with the existing schemes, while security has been significantly improved.

Published

2017

13. Performance evaluation of current and emerging authentication schemes for future 3GPP network architectures

Author

Zoltán Faigl, Andrei Gurtov, Jani Pellikka, and László Bokor

Subjects

Challenge-Handshake Authentication Protocol, Network architecture, Authentication, Computer Networks and Communications, Computer science, business.industry, Network packet, computer.internet_protocol, Distributed computing, Testbed, Authentication protocol, Default gateway, Lightweight Extensible Authentication Protocol, Scalability, Cellular network, Mobile telephony, Host Identity Protocol, business, computer, AKA, Computer network

Abstract

One of the key issues in recent mobile telecommunication is to increase the scalability of current packet data networks. A challenging topic of scalability is the efficient handling of rapidly growing Machine-type communication, which comes along with the requirement of low-cost network attachment and re-attachment procedures. In this paper we present the results of a comprehensive testbed-based performance evaluation on a set of authentication schemes over ''centralized'', ''distributed'' and ''flat'' mobile network architecture alternatives in terms of computational cost, memory utilization, authentication delay, and signalling overhead. The aim of our measurement and analysis is to facilitate decision making on authentication scheme selection in future mobile networks and in Wireless Personal Area Networks. We also show that the optimal distribution level of the network architecture is ''distributed'' with respect to the authentication delay. The studied authentication schemes seem to hinder seamless handover provision in case of frequent gateway changes, except the Host Identity Protocol-based Diet Exchange extended with 3GPP Authentication and Key Agreement authentication scheme over Wi-Fi access.

Published

2014

14. Suitability analysis of existing and new authentication methods for future 3GPP Evolved Packet Core

Author

Jani Pellikka, László Bokor, Andrei Gurtov, and Zoltán Faigl

Subjects

Authentication, Internet Key Exchange, Access network, Computer Networks and Communications, business.industry, Network packet, Computer science, computer.internet_protocol, Mobile broadband, Authentication protocol, Lightweight Extensible Authentication Protocol, Wireless, Host Identity Protocol, business, computer, AKA, Computer network

Abstract

The fourth generation of 3GPP networks is evolving toward the realization of true global mobile broadband services. This stimulates the appearance of new applications, such as remote sensing and controlling services running on resource-constrained wireless devices, but also comes along with new challenges regarding performance and cost of the whole system, involving the requirement for lightweight security services.This paper analyzes the suitability of a recently developed protocol, i.e., the Host Identity Protocol using Diet Exchange extended with Authentication and Key Agreement, as a new option providing lightweight unified network access service in 3GPP Evolved Packet Core and replacing Internet Key Exchange version 2 with EAP-AKA. The proposed technology is compared with five other Layer-3 authentication methods under security, performance, deployment and functionality related criteria and trade-offs of the alternatives are analyzed. The results show that it is worth using this recent authentication method in scenarios where low performance overhead and support of extra functionalities such as multi-access capabilities are important. Consequently, the concept of a new secure data tunneling option is proposed for these scenarios for distributed Evolved Packet Core.

Published

2013

15. A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks

Author

Hoon-Jae Lee, Andrei Gurtov, Pardeep Kumar, Sang-Gon Lee, and Mika Ylianttila

Subjects

ta113, Authentication, ta112, General Computer Science, ta213, business.industry, Computer science, Mutual authentication, Electronic, Optical and Magnetic Materials, Key distribution in wireless sensor networks, Security service, Sensor node, ta5141, Session key, Strong authentication, Electrical and Electronic Engineering, ta518, business, Wireless sensor network, ta515, Computer network

Abstract

Wireless sensor networks (WSNs) are used for many real-time applications. User authentication is an important security service for WSNs to ensure only legitimate users can access the sensor data within the network. In 2012, Yoo and others proposed a security-performance-balanced user authentication scheme for WSNs, which is an enhancement of existing schemes. In this paper, we show that Yoo and others' scheme has security flaws, and it is not efficient for real WSNs. In addition, this paper proposes a new strong authentication scheme with user privacy for WSNs. The proposed scheme not only achieves end-party mutual authentication (that is, between the user and the sensor node) but also establishes a dynamic session key. The proposed scheme preserves the security features of Yoo and others' scheme and other existing schemes and provides more practical security services. Additionally, the efficiency of the proposed scheme is more appropriate for real-world WSNs applications.

Published

2013

16. Poster Abstract: An Efficient Authentication Model in Smart Grid Networks

Author

Phuong Hoai Ha, Pardeep Kumar, and Andrei Gurtov

Subjects

Scheme (programming language), 021110 strategic, defence & security studies, Authentication, business.industry, Computer science, 020209 energy, Distributed computing, 0211 other engineering and technologies, 02 engineering and technology, Electronic mail, Smart grid, Logic gate, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Supply network, Wireless, Electricity, business, computer, computer.programming_language

Abstract

A smart grid is envisioned as a promising platform for the next-generation power supply network, where the electricity is generated based on the demand from the consumers energy-use information. However, the security and privacy issues over insecure wireless communications are still big obstacles in the success of smart grid networks. In this paper, we present an efficient authentication model in smart grid networks. The proposed model justifies its feasibility with an early test-bed using off-the-shelf 802.15.4 low- cost sensors. Moreover, this poster reports preliminary performance evaluation results, and shows that the proposed scheme is effective and efficient than the prior works.

Published

2016

17. Performance and security evaluation of intra-vehicular communication architecture

Author

Andrei Gurtov, Mika Ylianttila, Madhusanka Liyanage, Simone Soderi, and Pardeep Kumar

Subjects

Computer science, computer.internet_protocol, 050801 communication & media studies, 02 engineering and technology, Communications system, 0508 media and communications, Distributed System Security Architecture, 0202 electrical engineering, electronic engineering, information engineering, Wireless, Host Identity Protocol, ta113, Authentication, Information sharing, HIP, Intra-Vehicular Communication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 05 social sciences, 020206 networking & telecommunications, Wireless Transport Layer Security, Security service, Smart-spaces, Embedded system, IPsec, Security, business, computer, Computer network

Abstract

In this paper, we propose a secure intra-vehicular wireless communication architecture based on Host Identity Protocol (HIP). It ultimately improves the security of wireless intra-vehicular communication systems. The performance evaluation of the proposed architecture is performed in a ski tunnel which emulates the real underground transportation environment. Our results verify the feasibility of proposed architecture by providing required level of service quality. Also, it outperforms the existing secure architectures. More importantly, the proposed architecture protect the wireless intra-vehicular communication system from IP based attacks.

Published

2016

18. Lightweight Authentication and Key Agreement for Smart Metering in Smart Energy Networks.

Author

Kumar, Pardeep, Gurtov, Andrei, Sain, Mangal, Martin, Andrew, and Ha, Phuong H.

Abstract

Smart meters (SMs) are considered as foundational part of the smart metering infrastructure (SMI) in smart energy networks (SENs). SM is a digital device that makes use of two-way communication between consumer and utility to exchange, manage and control energy consumptions within a home. However, despite all the features, an SM raises several security-related concerns. For instance, how to exchange data between the legal entities (e.g., SM and utility server) while maintaining privacy of the consumer. To address these concerns, authentication and key agreement in SMI can provide important security properties that not only to maintain a trust between the legitimate entities but also to satisfy other security services. This work presents a lightweight authentication and key agreement that enables trust, anonymity, integrity and adequate security in the domain of SEN. The proposed scheme employs hybrid cryptography to facilitate mutual trust (authentication), dynamic session key, integrity, and anonymity. We justify the feasibility of the proposed scheme with a test-bed using 802.15.4 based device (i.e., SM). Moreover, through the security and performance analysis, we show that the proposed scheme is more effective and energy efficient compared to the previous schemes. [ABSTRACT FROM AUTHOR]

Published

2019

19. Two-phase authentication protocol for wireless sensor networks in distributed IoT applications

Author

Corinna Schmitt, Andrei Gurtov, Pawani Porambage, Mika Ylianttila, and Pardeep Kumar

Subjects

Authentication, SSLIOP, business.industry, Computer science, Public-key cryptography, Key distribution in wireless sensor networks, Distributed System Security Architecture, Authentication protocol, Server, Mobile wireless sensor network, business, Implicit certificate, Wireless sensor network, Computer network

Abstract

In the centralized Wireless Sensor Network (WSN) architecture there exists a central entity, which acquires, processes and provides information from sensor nodes. Conversely, in the WSN applications in distributed Internet of Things (IoT) architecture, sensor nodes sense data, process, exchange information and perform collaboratively with other sensor nodes and endusers. In order to maintain the trustworthy connectivity and the accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with proper authentication. The authors propose an implicit certificate-based authentication mechanism for WSNs in distributed IoT applications. The developed two-phase authentication protocol allows the sensor nodes and the end-users to authenticate each other and initiate secure connections. The proposed protocol supports the resource scarcity of the sensor nodes, heterogeneity and scalability of the network. The performance and security analysis justify that the proposed scheme is viable to deploy in resource constrained WSNs.

Published

2014

20. Secure lightweight protocols for medical device monitoring

Author

Pawani Porambage, Andrei Gurtov, and Ilya Nikolaevskiy

Subjects

Provable security, Engineering, Authentication, business.industry, computer.internet_protocol, Cryptography, Computer security, computer.software_genre, lcsh:Telecommunication, Key distribution in wireless sensor networks, Wireless Transport Layer Security, lcsh:TK5101-6720, Host Identity Protocol, business, computer, Protocol (object-oriented programming), Efficient energy use

Abstract

In the present days, the health care costs are sky-rocketing and most developed nations, including EU and US, are struggling to keep the costs under control. One of the areas is related to monitoring and control of medical appliances embedded to human bodies, such as insulin pumps as heart pacers. Fortunately, recent technology advances make it possible to monitor the medical appliances remotely, greatly decreasing the need for personal doctor visits. Naturally, remote wireless monitoring of such crucial appliances poses several formidable technological challenges including security of data communication, device authentication, attack resistance, and seamless connectivity. A remote monitoring protocol must be executed in a resource-constrained environment with energy efficiency. The recently proposed Diet Exchange for Host Identity Protocol (HIP) could solve most of security issues of remote appliance monitoring. However, it has to be developed to run in an embedded device environment; its security properties must be triple-checked against the stringent requirements; potential privacy issues must be addressed; protocol messages and cryptographic mechanisms must be adopted to wireless sensor standards. Although bearing high risks of provable security and patient faith, remote monitoring of health appliances could create breakthroughs in healthcare cost reduction and bring great benefits of individuals and the society.

Published

2014

21. PAuthKey: A Pervasive Authentication Protocol and Key Establishment Scheme for Wireless Sensor Networks in Distributed IoT Applications

Author

Pawani Porambage, Pardeep Kumar, Mika Ylianttila, Corinna Schmitt, Andrei Gurtov, University of Zurich, and Porambage, Pawani

Subjects

Key establishment, Article Subject, 10009 Department of Informatics, Computer Networks and Communications, Computer science, 000 Computer science, knowledge & systems, lcsh:QA75.5-76.95, 1705 Computer Networks and Communications, ta518, Key management, ta515, ta113, Authentication, ta112, ta213, business.industry, General Engineering, Key distribution in wireless sensor networks, Authentication protocol, ta5141, 2200 General Engineering, The Internet, lcsh:Electronic computers. Computer science, business, Implicit certificate, Wireless sensor network, Computer network

Abstract

Wireless sensor Networks (WSNs) deployed in distributed Internet of Things (IoT) applications should be integrated into the Internet. According to the distributed architecture, sensor nodes measure data, process, exchange information, and perform collaboratively with other sensor nodes and end-users, which can be internal or external to the network. In order to maintain the trustworthy connectivity and the accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with a strong pervasive authentication mechanism. However, due to the resource constraints and heterogeneous characteristics of the devices, traditional authentication and key management schemes are not effective for such applications. This paper proposes a pervasive lightweight authentication and keying mechanism for WSNs in distributed IoT applications, in which the sensor nodes can establish secured links with peer sensor nodes and end-users. The established authentication scheme PAuthKey is based on implicit certificates and it provides application level end-to-end security. A comprehensive description for the scenario based behavior of the protocol is presented. With the performance evaluation and the security analysis, it is justified that the proposed scheme is viable to deploy in the resource constrained WSNs.

Published

2014

22. Lightweight authentication and key management on 802.11 with Elliptic Curve Cryptography

Author

Konstantinos Georgantas, Suneth Namal, and Andrei Gurtov

Subjects

Authentication, Voice over IP, business.industry, computer.internet_protocol, Computer science, Service set, Local area network, Public-key cryptography, Authentication protocol, Lightweight Extensible Authentication Protocol, Wireless lan, Host Identity Protocol, Elliptic curve cryptography, business, Key management, Internetworking, computer, Computer network

Abstract

Wireless Local Area Networks (WLANs) have experienced a significant growth during the last decade due to ever emerging and heavy resource demanding applications. Widely used IEEE 802.11 may unexpectedly require long durations in association compared to what Voice over IP (VoIP), Video on Demand (VoD) and other real-time applications can tolerate. In this paper, we implement HIP-WPA; a novel approach of Fast Initial Authentication (FIA) which is a combination of Host Identity Protocol Diet EXchange (HIP-DEX) with some features of Wi-Fi Protected Access (WPA) technology. This approach provides the necessary IP layer elevated security mechanisms in order to face the challenges of fast authentication in WLANs. HIP-DEX introduces a radically new way of authenticating hosts by using Elliptic Curve Cryptography (ECC) only with two message exchanges and therefore improves the authentication delay by 300% compared to WPA2. Thus, this is an effective solution to be used with any type of real-time application for intra-network (Basic Service Set (BSS) transitions) and internetwork (Extended Service Set (ESS) transitions) handovers.

Published

2013

23. AKAASH: A realizable authentication, key agreement, and secure handover approach for controller-pilot data link communications.

Author

Khan, Suleman, Gaba, Gurjot Singh, Braeken, An, Kumar, Pardeep, and Gurtov, Andrei

Abstract

Controller-Pilot Data Link Communications (CPDLC) are rapidly replacing voice-based Air Traffic Control (ATC) communications worldwide. Being digital, CPDLC is highly resilient and bandwidth efficient, which makes it the best choice for traffic-congested airports. Although CPDLC initially seems to be a perfect solution for modern-day ATC operations, it suffers from serious security issues. For instance, eavesdropping, spoofing, man-in-the-middle, message replay, impersonation attacks, etc. Cyber attacks on the aviation communication network could be hazardous, leading to fatal aircraft incidents and causing damage to individuals, service providers, and the aviation industry. Therefore, we propose a new security model called AKAASH, enabling several paramount security services, such as efficient and robust mutual authentication, key establishment, and a secure handover approach for the CPDLC-enabled aviation communication network. We implement the approach on hardware to examine the practicality of the proposed approach and verify its computational and communication efficiency and efficacy. We investigate the robustness of AKAASH through formal (proverif) and informal security analysis. The analysis reveals that the AKAASH adheres to the CPDLC standards and can easily integrate into the CPDLC framework. • CPDLC globally replaces voice-based ATC for resilience and bandwidth efficiency. • Cyber-attacks on CPDLC pose fatal risks to individuals, stakeholders, and industry. • AKAASH offers a lightweight solution for authentication, key establishment, handover. • AKAASH can easily integrate into the existing CPDLC framework. [ABSTRACT FROM AUTHOR]

Published

2023

24. Securing Medical Sensor Network with HIP

Author

Dmitriy Kuptsov, Boris Nechaev, and Andrei Gurtov

Subjects

Network architecture, Authentication, business.industry, Computer science, Access control, Cryptographic protocol, Computer security, computer.software_genre, Data Protection Act 1998, Wireless, business, Wireless sensor network, computer, Block (data storage)

Abstract

Recent developments of embedded wireless technologies, such as low-cost low-power wireless sensor platforms, uncovered big potential for novel applications. Health care and well-being are examples of two applications that can have large impact on society. Medical sensor networks via continuous monitoring of vital health parameters over a long period of time, can enable physicians to make more accurate diagnosis and provide better treatment. Such network allow emergency services to react fast to dangerous patient’s conditions and perhaps save more lives. For such applications to become viable, their design has to consider fail-safe mode of operation, protection of sensitive user data, and especially provide solution for efficient access control. Given the specifics of these applications, in this work we identify communication pattern that will guarantee the most secure way to exchange medical data, propose a standard based security protocol enabling authentication and data protection, and introduce a mechanism for access control—a crucial building block in privacy sensitive applications. To validate our design we implement a prototype on a wireless sensor platform.

Published

2012

25. Secure Resolution of End-Host Identifiers for Mobile Clients

Author

Samu Varjonen, Tobias Heer, Ken Rimey, and Andrei Gurtov

Subjects

Authentication, Relation (database), Computer science, computer.internet_protocol, business.industry, Mobile computing, Identifier, Unique identifier, Locator/Identifier Separation Protocol, Host Identity Protocol, business, Host (network), computer, Computer network

Abstract

Many efforts of the network research community focus on the introduction of a new identifier to relieve the IP address from its dual role of end-host identifier and routable locator. This identifier-locator split introduces a new identifier between human readable domain names and routable IP addresses. Mapping between identifiers and locators requires additional name mapping mechanisms because their relation is not trivial. Despite its popularity and efficiency, the DNS system is not a perfect choice for performing this mapping because identifiers are not hierarchically structured and mappings are frequently updated by users. In this paper we discuss the features needed to resolve flat identifiers to locators in a secure manner. In particular, we focus on the features and the performance that identifier-locator split protocols require from a mapping system. To this end, we consider a mapping system for an identifier-locator split based mobility solution and evaluate its performance.

Published

2011

26. Comparison and Analysis of Secure Mobile Architecture (SMA) and Evolved Packet System

Author

Andrei Gurtov, Marek Skowron, and Jani Pellikka

Subjects

Engineering, Authentication, Information privacy, business.industry, Multihoming, Network packet, Mobile architecture, Mobile computing, Mobile telephony, business, Mobile device, Computer network

Abstract

In this paper, we analyse and compare two architectures providing an all-IP based connectivity and mobility for mobile devices over heterogeneous access technologies: Evolved Packet System (EPS) as specified by 3GPP and Secure Mobile Architecture (SMA), a standardization effort by The Open Group (TOG). We briefly present each architecture and qualitatively evaluate their advantages and disadvantages in terms of security, mobility, and support for location-based policy enforcement and security zoning. While SMA is capable of providing simultaneous multihoming, cryptographic identity-based packet tracking and ready support for location-based security zoning and policy control, EPS enables legal interception of user traffic and protection of user/host privacy by default.

Published

2011

27. On application of Host Identity Protocol in wireless sensor networks

Author

Andrei Gurtov, Andrey Khurri, and Dmitriy Kuptsov

Subjects

Authentication, business.industry, Computer science, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Denial-of-service attack, Energy consumption, Cryptographic protocol, Computer security, computer.software_genre, Encryption, Public-key cryptography, Key distribution in wireless sensor networks, Wireless Transport Layer Security, Wireless, ComputerSystemsOrganization_SPECIAL-PURPOSEANDAPPLICATION-BASEDSYSTEMS, Host Identity Protocol, business, computer, Wireless sensor network, Countermeasure (computer), Key exchange, Computer network

Abstract

Recent advances in development of low-cost wireless sensor platforms open up opportunities for novel wireless sensor network (WSN) applications. Likewise emerge security concerns of WSNs receiving closer attention of research community. Well known security threats in WSNs range from Denial-of-Service (DoS), Replay and Sybil attacks to those targeted at violating data integrity and confidentiality. Public-key cryptography (PKC) as a countermeasure to potential attacks, although originally treated infeasible for resource-constrained sensor nodes, has shown its eligibility for WSNs in the past few years. However, different security and performance requirements, energy consumption issues, as well as varying hardware capabilities of sensor motes pose a challenge of finding the most efficient security protocol for a particular WSN application and scenario. In this paper, we propose to use the Host Identity Protocol (HIP) as the main component for building network-layer security in WSNs. Combining PKC signatures to authenticate wireless nodes, a Diffie-Hellman key exchange to create a pairwise secret key, a puzzle mechanism to protect against DoS attacks and the IPsec protocol for optional encryption of sensitive application data, HIP provides a standardized solution to many security problems of WSNs. We discuss how HIP can strengthen security of WSNs, suggest possible alternatives to its heavy components in particular WSN applications and evaluate their computational and energy costs on a Linux-based Imote2 wireless sensor platform.

Published

2010

28. Distributed user authentication in wireless LANs

Author

Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov

Subjects

Password, Authentication, Access network, computer.internet_protocol, business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer security, computer.software_genre, IPsec, The Internet, Host Identity Protocol, Mobile telephony, business, computer, Mobile device, Computer network

Abstract

An increasing number of mobile devices, including smartphones, use WLAN for accessing the Internet. Existing WLAN authentication mechanisms are either disruptive, such as presenting a captive web page prompting for password, or unreliable, enabling a malicious user to attack a part of operator's infrastructure. In this paper, we present a distributed authentication architecture for WLAN users providing instant network access without manual interactions. It supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator's infrastructure from external attacks. User data sent over a wireless link is protected by the IPsec ESP protocol. We present our architecture design and implementation experience on two OpenWrt WLAN access points, followed by measurement results of the working prototype. The system is being deployed into pilot use in the city-wide panOULU WLAN.

Published

2009

29. Performance of Host Identity Protocol on Symbian OS

Author

Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov

Subjects

Authentication, business.industry, computer.internet_protocol, Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, computer.software_genre, Porting, Public-key cryptography, Multihoming, Mobile phone, IPsec, Server, Operating system, The Internet, Host Identity Protocol, business, Host (network), computer, Computer network

Abstract

The Host Identity Protocol (HIP) has been specified by the IETF as a new solution for secure host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, little experience is available with running HIP on lightweight hardware such as a mobile phone. Limited computational power and battery lifetime of lightweight devices raise concerns if HIP can be used there at all. This paper describes the porting process of HIP on Linux (HIPL) and OpenHIP implementations to Symbian OS, as well as performance measurements of HIP over WLAN using Nokia E51 and N80 smartphones. We found that with 1024-bit keys, the HIP base exchange with a server varies from 1.68 to 3.31 seconds depending on whether the mobile phone is in standby or active state respectively. After analyzing HIP performance in different scenarios we make conclusions and recommendations on using IP security on lightweight hardware clients.

Published

2009

30. Access Control Protocol With Node Privacy in Wireless Sensor Networks.

Author

Kumar, Pardeep, Gurtov, Andrei, Iinatti, Jari, Sain, Mangal, and Ha, Phuong Hoai

Abstract

For preventing malicious nodes joining wireless sensor networks (WSNs), an access control mechanism is necessary for the trustworthy cooperation between the nodes. In addition to access control, recently, privacy has been an important topic regarding how to achieve privacy without disclosing the real identity of communicating entities in the WSNs. Based on elliptic curve cryptography, in this paper, we present an access control protocol with node privacy (called ACP) for the WSN. The proposed scheme not only accomplishes the node authentication but also provides the identity privacy (i.e., source to destination and vice-versa) for the communicating entities. Compared with the current state of the art, the proposed solution can defend actively against attacks. The efficacy and the efficiency of the proposed ACP are confirmed through the test bed analysis and performance evaluations. [ABSTRACT FROM PUBLISHER]

Published

2016

31. Secure and Efficient Reactive Video Surveillance for Patient Monitoring.

Author

Braeken, An, Porambage, Pawani, Gurtov, Andrei, and Ylianttila, Mika

Subjects

VIDEO surveillance, PATIENT monitoring research, SENSOR networks, RIGHT of privacy, AUTHENTICATION (Law)

Abstract

Video surveillance is widely deployed for many kinds of monitoring applications in healthcare and assisted living systems. Security and privacy are two promising factors that align the quality and validity of video surveillance systems with the caliber of patient monitoring applications. In this paper, we propose a symmetric key-based security framework for the reactive video surveillance of patients based on the inputs coming from data measured by a wireless body area network attached to the human body. Only authenticated patients are able to activate the video cameras, whereas the patient and authorized people can consult the video data. User and location privacy are at each moment guaranteed for the patient. A tradeoff between security and quality of service is defined in order to ensure that the surveillance system gets activated even in emergency situations. In addition, the solution includes resistance against tampering with the device on the patient's side. [ABSTRACT FROM AUTHOR]

Published

2016

32. A Mobile Object-Based Secret Key Distribution Scheme for Wireless Sensor Networks.

Author

Kumar, Pardeep, Porambage, Pawani, Ylianttila, Mika, and Gurtov, Andrei

Abstract

Security is a paramount requirement in any modern technology. This also applies to wireless sensor networks (WSNs), where sensor nodes have severe resources scarcity. Recently the presence of mobile object (e.g., moving robot, vehicle, etc) has shown their great impact on WSNs. However, as the low-cost sensor networks become wide-spread, secret key distribution to the sensor nodes is a challenging task in such unattended WSNs. In this regards, this paper presents a mobile object-based secret key distribution scheme for resource hungry sensor nodes. The key idea is that a mobile object should visit all the sensor nodes along its pre-defined path and distribute secret keys within its broadcasting range. The proposed scheme exploits the symmetric cryptographic approach. The feasibility of proposed scheme is advocated using real test bed experiments. The analysis reveals that the proposed scheme attains high efficiency (in terms of computation and communication costs), and provides strong security. [ABSTRACT FROM PUBLISHER]

Published

2013

33. Delegation-based robust authentication model for wireless roaming using portable communication devices.

Author

Kumar, Pardeep, Gurtov, Andrei, Iinatti, Jari, and Lee, Sang-gon

Subjects

*WIRELESS communications, *ROAMING (Telecommunication), *DATA security, *HOUSEHOLD electronics, *BIOMETRIC identification

Abstract

Wireless networks provide a convenient means of seamless roaming services using portable consumer electronics communication devices (e.g., mobile devices, MDs), but ensuring robust security in wireless roaming is still challenging. However, to prevent wireless roaming services joining from malicious users/MDs, a secure and robust authentication model is highly desirable that can ensure adequate security. This paper exploits the concept of a delegation system and introduces a delegation-based robust authentication model for protecting wireless roaming services from unauthorized user ? by means of portable communication devices (MDs). To perform robust authentication, the proposed scheme utilizes the biometric and defends roaming services from popular attacks and frauds. Security analysis is provided to guarantee that the proposed model provides unlinkability, and resists to denial-of-service and man-in-the middle attacks. [ABSTRACT FROM PUBLISHER]

Published

2014

34. A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks.

Author

Kumar, Pardeep, Gurtov, Andrei, Ylianttila, Mika, Sang-Gon Lee, and HoonJae Lee

Subjects

WIRELESS sensor networks, REAL-time programming, COMPUTER access control, DATA privacy, CONFIDENTIAL communications, SECRECY, WIRELESS communications

Abstract

Wireless sensor networks (WSNs) are used for many real-time applications. User authentication is an important security service for WSNs to ensure only legitimate users can access the sensor data within the network. In 2012, Yoo and others proposed a security-performancebalanced user authentication scheme for WSNs, which is an enhancement of existing schemes. In this paper, we show that Yoo and others' scheme has security flaws, and it is not efficient for real WSNs. In addition, this paper proposes a new strong authentication scheme with user privacy for WSNs. The proposed scheme not only achieves end-party mutual authentication (that is, between the user and the sensor node) but also establishes a dynamic session key. The proposed scheme preserves the security features of Yoo and others' scheme and other existing schemes and provides more practical security services. Additionally, the efficiency of the proposed scheme is more appropriate for real-world WSNs applications. [ABSTRACT FROM AUTHOR]

Published

2013

35. A layered encryption mechanism for networked critical infrastructures.

Author

Cao, Huayang, Zhu, Peidong, Lu, Xicheng, and Gurtov, Andrei

Subjects

INFORMATION storage & retrieval systems, DATA security, CRYPTOGRAPHY, COMPUTER network security, COMPUTER security

Abstract

Networked critical infrastructures improve our lives, but they are attractive targets for adversaries. In such infrastructures, to secure sensitive data is vital, as the information system is a foundation of today?s critical infrastructures, and data security is a main concern in such systems. Cryptography is an approach for data security, but this method should be altered according to various features of infrastructure networks. Since complex and distributed critical infrastructures usually spread over large geographic areas, different parts of those infrastructures have different levels of perimeter defense. Devices in weakly protected zones are more likely to be captured than those in well protected zones. If an adversary captures devices, s/he can bypass cyber security measures and obtain secret information directly. Such a threat requires a layered security mechanism that can prevent adversaries from invading the whole infrastructure network from these weak zones. In this article, we propose a layered encryption mechanism based on hash chain technology for protecting sensitive data. Besides showing the layered defense, the mechanism is also lightweight and has convenient key management. It can be used independently or as a supplement to existing security measures. We evaluate performance of the proposed mechanism over different kinds of devices. [ABSTRACT FROM PUBLISHER]

Published

2013

36. Analysis of the HIP base exchange protocol

Author

Andrei Gurtov, Aarthi Nagarajan, and Tuomas Aura

Subjects

Authentication, computer.internet_protocol, business.industry, Computer science, Internet layer, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Internet security, law.invention, Identifier, IP tunnel, Internet protocol suite, law, Internet Protocol, The Internet, Host Identity Protocol, business, Host (network), computer, Key exchange, Computer network

Abstract

The Host Identity Protocol (HIP) is an Internet security and multi-addressing mechanism specified by the IETF. HIP introduces a new layer between the transport and network layers of the TCP/IP stack that maps host identifiers to network locations, thus separating the two conflicting roles that IP addresses have in the current Internet. This paper analyzes the security and functionality of the HIP base exchange, which is a classic key exchange protocol with some novel features for authentication and DoS protection. The base exchange is the most stable part of the HIP specification with multiple existing implementations. We point out several security issues in the current protocol and propose changes that are compatible with the goals of HIP.

37. Delegation-Based Robust Authentication Model for Wireless Roaming using Portable Communication Devices

Author

Sang-Gon Lee, Pardeep Kumar, Andrei Gurtov, and Jari Iinatti

Subjects

Authentication, Delegation, Exploit, Computer science, Wireless network, business.industry, media_common.quotation_subject, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, CCKM, Computer security, computer.software_genre, Media Technology, Wireless, Electrical and Electronic Engineering, Roaming, business, computer, Mobile device, Computer network, media_common

Abstract

Wireless networks provide a convenient means of seamless roaming services using portable consumer electronics communication devices (e.g., mobile devices, MDs), but ensuring robust security in wireless roaming is still challenging. However, to prevent wireless roaming services joining from malicious users/MDs, a secure and robust authentication model is highly desirable that can ensure adequate security. This paper exploits the concept of a delegation system and introduces a delegation-based robust authentication model for protecting wireless roaming services from unauthorized user – by means of portable communication devices (MDs). To perform robust authentication, the proposed scheme utilizes the biometric and defends roaming services from popular attacks and frauds. Security analysis is provided to guarantee that the proposed model provides unlinkability, and resists to denial-of-service and man-in-the middle attacks.

38. Secure End-to-End Communication for Constrained Devices in IoT-enabled Ambient Assisted Living Systems

Author

Mika Ylianttila, Pawani Porambage, Susanna Spinsante, An Braeken, Andrei Gurtov, Industrial Sciences and Technology, and Digital Mathematics

Subjects

Authentication, Computer science, business.industry, Context (language use), Cryptographic protocol, Computer security, computer.software_genre, Networking hardware, Secure communication, Authentication protocol, Server, business, Internet of Things, computer, Computer network

Abstract

The Internet of Things (IoT) technologies interconnect broad ranges of network devices irrespective of their resource capabilities and local networks. In order to upgrade the standard of life of elderly people, Ambient Assisted Living (AAL) systems are also widely deployed in the context of IoT applications. To preserve user security and privacy in AAL systems, it is significant to ensure secure communication link establishment among the medical devices and the remote hosts or servers that are interested in accessing the critical health data. However, due to the limited resources available in such constrained devices, it is challenging to exploit expensive cryptographic operations in the conventional security protocols. Therefore, in this paper we propose a novel proxy-based authentication and key establishment protocol, which is lightweight and suitable to safeguard sensitive data generated by resource-constrained devices in IoT-enabled AAL systems.

39. Lightweight authentication and key management of wireless sensor networks for Internet of things

Author

Porambage, P. (Pawani), Ylianttila, M. (Mika), and Gurtov, A. (Andrei)

Subjects

kevyt tietoturva, käyttäjäntunnistus, Internet of Things, avaimenmuodostus, key establishment, lightweight security, resource constrained devices, implisiittiset sertifikaatit, implicit certificates, group communication, authentication, resurssirajoitetut laitteet, esineiden internet, wireless sensor networks, Host Identity Protocol, langattomat sensoriverkot, ryhmäkommunikaatio

Abstract

The concept of the Internet of Things (IoT) is driven by advancements of the Internet with the interconnection of heterogeneous smart objects using different networking and communication technologies. Among many underlying networking technologies for the IoT, Wireless Sensor Network (WSN) technology has become an integral building block. IoT enabled sensor networks provide a wide range of application areas such as smart homes, connected healthcare, smart cities and various solutions for the manufacturing industry. The integration of WSNs in IoT will also create new security challenges for establishing secure channels between low power sensor nodes and Internet hosts. This will lead to many challenges in designing new key establishment and authentication protocols and redefining the existing ones. This dissertation addresses how to integrate lightweight key management and authentication solutions in the resource constrained sensor networks deployed in IoT domains. Firstly, this thesis elaborates how to exploit the implicit certificates to initiate secure End-to-End (E2E) communication channels between the resource constrained sensor nodes in IoT networks. Implicit certificates are used for authentication and key establishment purposes. The compliance of the security schemes is proven through performance evaluations and by discussing the security properties. Secondly, this dissertation presents the design of two lightweight group key establishment protocols for securing group communications between resource-constrained IoT devices. Finally, the thesis explores promising approaches on how to tailor the existing security protocols in accordance with IoT device and network characteristics. In particular, variants of Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections between the heterogeneous network devices with imbalanced resource profiles and less or no previous knowledge about each other. A solutions called Collaborative HIP (CHIP) is proposed with an efficient key establishment component for the high resource-constrained devices on the IoT. The applicability of the keying mechanism is demonstrated with the implementation and the performance measurements results. Tiivistelmä Esineiden internet (IoT) on viime aikoina yleistynyt konsepti älykkäiden objektien (smart objects) liittämiseksi internetiin käyttämällä erilaisia verkko- ja kommunikaatioteknologioita. Olennaisimpia esineiden internetin pohjalla toimivia teknologioita ovat langattomat sensoriverkot (WSN), jotka ovat esineiden internetin perusrakennuspalikoita. Esineiden internetiin kytketyt langattomat sensoriverkot mahdollistavat laajan joukon erilaisia sovelluksia, kuten älykodit, etäterveydenhuollon, älykkäät kaupungit sekä älykkäät teollisuuden sovellukset. Langattomien sensoriverkkojen ja esineiden internetin yhdistäminen tuo mukanaan myös tietoturvaan liittyviä haasteita, sillä laskentateholtaan yleensä heikot anturit ja toimilaitteet eivät kykene kovin vaativiin tietoturvaoperaatioihin, joihin lukeutuvat mm. tietoturva-avaimen muodostus ja käyttäjäntunnistus. Tässä väitöskirjassa pyritään vastaamaan haasteeseen käyttämällä kevyitä avaimenmuodostus- ja käyttäjäntunnistusratkaisuja esineiden internetiin kytketyissä resurssirajoitetuissa sensoriverkoissa. Väitöstutkimuksessa keskitytään aluksi implisiittisten sertifikaattien käyttöön tietoturvallisten end-to-end-kommunikaatiokanavien alustamisessa resurssirajoitettujen sensori- ja muiden IoT-laitteiden välillä. Implisiittisiä sertifikaatteja käytetään käyttäjäntunnistuksessa sekä avaimenmuodostuksessa. Kehitettyjen ratkaisujen soveltuvuus tarkoitukseen osoitetaan suorituskykymittauksilla sekä vertaamalla niiden tietoturvaomi- naisuuksia. Seuraavaksi väitöskirjassa esitellään kaksi kevyttä ryhmäavaimenmuodostus- protokollaa tietoturvalliseen ryhmäkommunikaatioon resurssirajoitettujen IoT-laitteiden välillä. Lopuksi väitöskirjassa tarkastellaan lupaavia lähestymistapoja olemassa olevien tietoturvaprotokollien räätäläintiin IoT-laitteiden ja -verkkojen ominaisuuksille sopiviksi. Erityistä huomiota kiinnitetään Host Identity -protokollan (HIP) eri versioiden käyttöön dynaamisten ja tietoturvallisten end-to-end-yhteyksien luomiseen toisilleen ennestään tuntemattomien erityyppisten IoT-laitteiden välillä, joiden laitteistoresurssiprofiilit voivat olla hyvin erilaiset. Väitöskirjan keskeinen tulos on väitöskirjatyössä kehitetty Colla- borative HIP (CHIP) -protokolla, joka on resurssitehokas avaimenmuodostusteknologia resurssirajoitetuille IoT-laitteille. Kehitetyn teknologian soveltuvuutta tarkoitukseensa demonstroidaan prototyyppitoteutuksella tehtyjen suorituskykymittausten avulla.

Published

2018

40. Enhanced communication security and mobility management in small-cell networks

Author

Namal, S. (Suneth), Ylianttila, M. (Mika), and Gurtov, A. (Andrei)

Subjects

OpenFlow, mobile femtocells, mobiilit femtosolut, fast initial authentication, nopea alustava varmennus, software defined networking, authentication, OMNet++, ohjelmisto-ohjattu verkko, Host Identity Protocol, varmentaminen

Abstract

Software-Defined Networks (SDN) focus on addressing the challenges of increased complexity and unified communication, for which the conventional networks are not optimally suited due to their static architecture. This dissertation discusses the methods about how to enhance communication security and mobility management in small-cell networks with IEEE 802.11 backhaul. Although 802.11 has become a mission-critical component of enterprise networks, in many cases it is not managed with the same rigor as the wired networks. 802.11 networks are thus in need of undergoing the same unified management as the wired networks. This dissertation also addresses several new issues from the perspective of mobility management in 802.11 backhaul. Due to lack of built-in quality of service support, IEEE 802.11 experiences serious challenges in meeting the demands of modern services and applications. 802.11 networks require significantly longer duration in association compared to what the real-time applications can tolerate. To optimise host mobility in IEEE 802.11, an extension to the initial authentication is provided by utilising Host Identity Protocol (HIP) based identity attributes and Elliptic Curve Cryptography (ECC) based session key generation. Finally, this dissertation puts forward the concept of SDN based cell mobility and network function virtualization, its counterpart. This is validated by introducing a unified SDN and cognitive radio architecture for harmonized end-to-end resource allocation and management presented at the end. Tiivistelmä Ohjelmisto-ohjatut verkot (SDN) keskittyvät ratkaisemaan haasteita liittyen kasvaneeseen verkkojen monimutkaisuuteen ja yhtenäiseen kommunikaatioon, mihin perinteiset verkot eivät staattisen rakenteensa vuoksi sovellu. Väitöskirja käsittelee menetelmiä, joilla kommunikaation turvallisuutta ja liikkuvuuden hallintaa voidaan parantaa IEEE 802.11 langattomissa piensoluverkoissa. Vaikkakin 802.11 on muodostunut avainkomponentiksi yritysverkoissa, monissa tapauksissa sitä ei hallinnoida yhtä täsmällisesti kuin langallista verkkoa. 802.11 verkoissa on näin ollen tarve samantyyppiselle yhtenäiselle hallinnalle, kuin langallisissa verkoissa on. Väitöskirja keskittyy myös moniin uusiin liikkuvuuden hallintaan liittyviin ongelmiin 802.11 verkoissa. Johtuen sisäänrakennetun yhteyden laatumäärittelyn (QoS) puuttumisesta, IEEE 802.11 verkoille on haasteellista vastata modernien palvelujen ja sovellusten vaatimuksiin. 802.11 verkot vaativat huomattavasti pidemmän ajan verkkoon liittymisessä, kuin reaaliaikasovellukset vaativat. Työssä on esitelty laajennus alustavalle varmennukselle IEEE 802.11-standardiin isäntälaitteen liikkuvuuden optimoimiseksi, joka hyödyntää Host Identity Protocol (HIP)-pohjaisia identiteettiominaisuuksia sekä elliptisten käyrien salausmenetelmiin (ECC) perustuvaa istunnon avaimen luontia. Lopuksi työssä esitellään ohjelmisto-ohjattuihin verkkoihin pohjautuva solujen liikkuvuuden konsepti, sekä siihen olennaisesti liittyvä verkon virtualisointi. Tämä validoidaan esittelemällä yhtenäinen SDN:ään ja kognitiiviseen radioon perustuva arkkitehtuuri harmonisoidulle päästä päähän resurssien varaamiselle ja hallinnoinnille, joka esitellään lopussa.

Published

2014