DOI: 10.1145/3407023.3407075
research-article

RESCURE: a security solution for IoT life cycle

Published: 25 August 2020

Abstract

We present RESCURE, a software-based security solution that retrofits Internet of Things (IoT) devices into secure ones. RESCURE exploits the entropy originating from the random variations of silicon (transistors) during manufacturing and generates a unique, unforgeable root key and an identity per device. In this way, the root key and identity are inseparable from the IoT hardware. To achieve lifetime reliability (reproducibility) and security (randomness) for the root key and identity, we apply error-correcting and randomness-amplification algorithms to the signals derived from silicon. RESCURE supports certificates that prove the device identity and authenticity. RESCURE also supports the derivation of multiple keys (private keys or private/public key pairs) and end-to-end security. In this way, an IoT device is able to communicate securely and independently with multiple actors (e.g., Service Providers). It supports secure storage, so it is able to encrypt sensitive data such as application keys, other sensitive data or software intellectual property (IP). Finally, the entire device software is protected by secure boot and secure software update mechanisms, allowing for malware-free software execution and renewable security and features. RESCURE has been prototyped on an STM32L4 device, and its performance is presented across real use case scenarios covering the entire life cycle of the device. It is a low-cost solution for all device manufacturers that want to achieve high-standard security without redesigning the hardware of their IoT product.

Cited By

  • (2023) Let Us Create Our Desktop IoT Soft-Switchboard Using AWS, ESP32 and C#. International Journal of Case Studies in Business, IT, and Education, 185-193. DOI: 10.47992/IJCSBE.2581.6942.0295. Online publication date: 11-Aug-2023
  • (2022) IoT Security With INFINITE: The 3-Dimensional Internet Of Things Maturity Model. 2022 9th International Conference on Internet of Things: Systems, Management and Security (IOTSMS), 1-8. DOI: 10.1109/IOTSMS58070.2022.10062148. Online publication date: 29-Nov-2022
  • (2022) Helping novice developers harness security issues in cloud-IoT systems. Journal of Reliable Intelligent Environments. DOI: 10.1007/s40860-022-00175-4. Online publication date: 13-May-2022

    Published In

    ACM Other conferences
    ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
    August 2020
    1073 pages
    ISBN:9781450388337
    DOI:10.1145/3407023
    Program Chairs: Melanie Volkamer, Christian Wressnegger
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. IP protection
    2. IoT
    3. IoT to cloud
    4. authentication
    5. end-to-end
    6. lifecycle security
    7. unforgeable keys

    Qualifiers

    • Research-article

    Funding Sources

    • Eurostars

    Conference

    ARES 2020

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%
