Securing IoT Devices and Securely Connecting the Dots Using REST API and Middleware
Authorized licensed use limited to: MAULANA AZAD NATIONAL INSTITUTE OF TECHNOLOGY. Downloaded on February 25,2021 at 07:47:32 UTC from IEEE Xplore. Restrictions apply.
Figure 1: IoT Middleware Architecture

B. Need for Trusted Devices
IoT middleware needs to manage a trust relationship with devices so that these devices can be authenticated and authorized to share data. It needs to enforce authentication prior to communication with any device, enabling proof of the origin of data. These devices are assigned unique identities that disallow the reuse of security credentials across devices.

C. Connecting IoT devices to Middleware
There is a requirement to connect a large number of heterogeneous smart devices like connected cars, connected wearables, smart cities etc. IoT devices are typically connected to the Internet through an IP stack. This stack has its own complexity and requires a lot of power and memory from connected devices.

D. Security of Communication channel
IoT data needs to be secured while at rest as well as while in transit to ensure data integrity. Security solutions are implemented in a way to detect unwanted intrusions and prevent malicious attacks on the communication layer. They must also guard against attacks such as replay attacks, offline ID guessing attacks and unauthorized login, and cover user anonymity and sensor node anonymity. Figure 2 gives an overview of security requirements for different pillars of an IoT system.

III. RELATED WORK
There are multiple solutions available to cater to the different security requirements of an IoT system. The first and foremost requirement is mutual authentication between the IoT device and the gateway within the resource-constrained environment of an IoT system.

Recently, many authentication schemes for IoT have been proposed. In [3], the author suggested a robust anonymity-preserving authentication protocol for IoT devices that provides mutual authentication between tag and reader through the server. This scheme uses Elliptic Curve Cryptography (ECC) to implement authentication.

It is already established that ECC-based cryptographic algorithms are secure. The security of ECC relies on the difficulty of solving these two problems:
• Elliptic Curve Discrete Logarithm (ECDL) problem: Let E be an elliptic curve over a finite field. Let P and Q be the points in Zq (modulo q). It is difficult to compute the special integer α in Zq satisfying Q = αP.
• Elliptic Curve Decisional Diffie-Hellman (ECDDH) problem: aP, bP, and cP are three points in G. It is hard to verify if abP = cP.

As a method of giving the user access to a sensor or to sensor data, the user is usually authenticated through the gateway. There are mainly three parties: the user, the gateway, and the sensor. In [4], the authors propose a verifiable, provable and privacy-preserving user authentication scheme for wireless sensor networks (WSN). The authors point out that Hsieh and Leu's scheme [13] is not secure because of several security shortcomings, including insider attack, off-line password guessing attack, user forgery attack, and sensor capture attack. For WSN, a new two-factor authentication scheme, also based on ECC, is presented. This scheme meets the authorization, confidentiality and integrity property for IoT security.

Different multi-factor authentication schemes are suggested for user authentication. Different factors like passwords, biometrics, and smartcards are used together for the identity authentication mechanism. In [5], for example, a three-factor authentication scheme for WSN was proposed (2018). The three factors are password, smartcard and fingerprint identification. Here the gateway is supposed to be a trusted participant and a bridge between user and sensor. This scheme successfully registers a user and a sensor on the gateway, authenticates the user to access the sensor, and provides a password changing facility to the user.

Researchers have also proposed some ultra-lightweight authentication schemes which only involve simple bit-wise operations (like XOR, AND, OR, etc.) on tags. Such schemes are therefore very efficient in terms of storage and communication cost [6].

Razouk et al. suggested a new security middleware architecture based on fog computing and cloud to support resource-constrained devices for authentication [7]. IoT constrained devices communicate through the proposed middleware, which provides access to more computing power and enhanced capability to perform secure communications. This model is based on usual technologies like the "Constrained Application Protocol (CoAP)" and REST API for easy implementation.
Figure 4: Data sharing
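The REST exchange this section tabulates (a gateway presents its Gateway-id and secret key, receives a bearer token with "expires_in":"3600", then reads device details with that token) can be enforced on the middleware side as sketched here. This is an added example, not code from the paper: the access_token field name, the HMAC-signed token format, the function names and the gateway credentials are assumptions, and the device record reuses the values of the sample response.

```javascript
// Added example (not the paper's code): middleware-side bearer-token checks.
const crypto = require('crypto');

const TOKEN_TTL_SECONDS = 3600;              // matches "expires_in":"3600" in the sample response
const SIGNING_KEY = crypto.randomBytes(32);  // assumption: per-process key; persist and rotate it in practice
// Constructed registrations: the gateway id and secret key are placeholders.
const gateways = new Map([['gw-001', 'constructed-secret-key']]);
const devices = new Map([['a', { deviceIdentifier: 'a',
  deviceManufacturingDate: '2018-12-16T18:30:00Z[UTC]', uid: 'abcd12344' }]]);

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) =>
  b64url(crypto.createHmac('sha256', SIGNING_KEY).update(payload).digest());

// Constant-time comparison; hashing first gives both inputs the same length.
function secretsMatch(a, b) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Step a: Gateway-id and secret key are mandatory. Returns the token response or null.
function issueToken(gatewayId, secretKey, now = Date.now()) {
  const expected = gateways.get(gatewayId);
  if (expected === undefined || !secretsMatch(secretKey, expected)) return null;
  const exp = Math.floor(now / 1000) + TOKEN_TTL_SECONDS;
  const payload = b64url(JSON.stringify({ gw: gatewayId, exp }));
  return { access_token: `${payload}.${sign(payload)}`,   // field name is an assumption
           'token-type': 'bearer', expires_in: String(TOKEN_TTL_SECONDS) };
}

// Step b: device details are returned only for a valid, unexpired bearer token.
function getDeviceDetails(authorizationHeader, deviceIdentifier, now = Date.now()) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)$/i.exec(authorizationHeader || '');
  if (!m) return { status: 401 };                          // missing or malformed header
  const [, payload, mac] = m;
  if (!secretsMatch(mac, sign(payload))) return { status: 401 };  // forged or altered token
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (claims.exp <= Math.floor(now / 1000)) return { status: 401 };  // expired
  const device = devices.get(deviceIdentifier);
  return device ? { status: 200, body: device } : { status: 404 };
}
```

The payload is parsed only after its HMAC has been verified, so a client cannot extend its own expiry or switch gateway identity by editing the token.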
mlkwkqnjqwdnjwdndkwefjuiefjrnfjfnjefhhyrfbrhfb",
"token-type":"bearer",
"expires_in":"3600"
}
Mandatory fields: Gateway-id, secret key

b. To access device details after authorization
Request: GET (application/json)
Response in JSON:
{
"deviceIdentifier":"a",
"deviceManufacturingDate":"2018-12-16T18:30:00Z[UTC]",
"uid":"abcd12344"
}
Mandatory fields: Device Identifier

    // POST the new device's details to the REST API as JSON.
    $.ajax({
        type: "POST",
        url: "http://localhost:8080/test/webresources/com.mycompany.test.devicedetails",
        data: JSON.stringify({
            deviceidentifier: self.newDeviceId(),
            devicemanufacturingdate: self.newMDate(),
            uid: self.newUid()
        }),
        headers: {
            'Content-Type': 'application/json'
        },
        success: function() {
            // The figure is cut off here; the callback body is not shown.
        }
    });

Figure 6: Sample AJAX call to hit the REST API through a URL

V. ANALYSIS OF PROPOSED MODEL
In this paper, we proposed a secure IoT framework that ensures end-to-end security from IoT application to IoT devices. We can evaluate the security of the system by analyzing the integrity of each component.
• IoT devices are isolated and have no interaction with the outside world. They are connected to a gateway, and this gateway acts as an interface to the internet for the IoT devices. Because of the smart gateway, devices can be hidden in the enterprise behind multiple firewalls and do not require any inbound ports. Therefore, an attacker has no chance of compromising these devices.
• The IoT gateway acts as an intermediary between IoT devices and middleware. Gateways are enabled to call the REST API and exchange all information securely.
• Communication between the IoT gateway and the middleware is secured with traditional cryptographic algorithms. There is no need to use lightweight algorithms because the two parties involved are not resource constrained.
• Authentication and authorization are taken care of by REST APIs, which makes the whole process less complex and compatible with industry standards.

VI. CONCLUSION
We proposed a middleware architecture which provides an end-to-end security solution for contributors who upload sensing data. This approach allows end-to-end encryption of data to secure data in transit. In the proposed middleware solution, all IoT system constraints are taken into consideration. REST API is used for communication and data exchange. The middleware successfully assists IoT development by exposing a REST API and providing an interface for users to register their IoT devices and then securely access data collected by the devices.

VII. FUTURE SCOPE
Our future plan is to provide a multi-factor user authentication scheme at the middleware to provide secure access to sensory data to an authorized user. We also plan to provide a privacy solution to prevent any data leakage and data breaches at the middleware.

REFERENCES
[1] Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and other botnets. Computer, 50(7), 80-84.
[2] Alrawais, A., Alhothaily, A., Hu, C., & Cheng, X. (2017). Fog computing for the internet of things: Security and privacy issues. IEEE Internet Computing, 21(2), 34-42.
[3] Tewari, A., & Gupta, B. B. (2018, January). A robust anonymity preserving authentication protocol for IoT devices. In Consumer Electronics (ICCE), 2018 IEEE International Conference on (pp. 1-5). IEEE.
[4] Wu, F., Xu, L., Kumari, S., & Li, X. (2017). A privacy-preserving and provable user authentication scheme for wireless sensor networks based on internet of things security. Journal of Ambient Intelligence and Humanized Computing, 8(1), 101-116.
[5] Li, X., Niu, J., Kumari, S., Wu, F., Sangaiah, A. K., & Choo, K. K. R. (2018). A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. Journal of Network and Computer Applications, 103, 194-204.
[6] Chien, H. Y. (2007). SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Transactions on Dependable and Secure Computing, 4(4), 337-340.
[7] Razouk, W., Sgandurra, D., & Sakurai, K. (2017, October). A new security middleware architecture based on fog computing and cloud to support IoT constrained devices. In Proceedings of the 1st International Conference on Internet of Things and Machine Learning (p. 35). ACM.
[8] REST API for Oracle Internet of Things Cloud Service. docs.oracle.com/en/cloud/paas/iot-cloud/iotrq/QuickStart.html.
[9] Sfar, A. R., Natalizio, E., Challal, Y., & Chtourou, Z. (2018). A roadmap for security challenges in the Internet of Things. Digital Communications and Networks, 4(2), 118-1375.
[10] Fremantle, Paul & Scott, Philip. (2015). A security survey of middleware for the Internet of Things. 10.7287/PEERJ.PREPRINTS.1241
[11] Ayoade, G., El-Ghamry, A., Karande, V., Khan, L., Alrahmawy, M., & Rashad, M. Z. (2018). Secure data processing for IoT middleware systems. The Journal of Supercomputing, 1-26.
[12] He, D., Chen, J., & Zhang, R. (2012). An efficient and provably-secure certificateless signature scheme without bilinear pairings. International Journal of Communication Systems, 25(11), 1432-1442.
[13] Hsieh, W. B., & Leu, J. S. (2014). A Robust User Authentication Scheme Using Dynamic Identity in Wireless Sensor Networks. Wireless Personal Communications, 77(2), 979-989.
[14] Choi, Y., Lee, D., Kim, J., Jung, J., Nam, J., & Won, D. (2014). Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors, 14(6), 10081-10106.