Securing the Internet of Things (IoT) while keeping its interoperability with today’s Internet is crucial to unleash the full potential of the IoT. Authentication and authorization are fundamental guarantees needed to address further security and operational challenges. To fulfill these guarantees in complex and diverse scenarios, we propose a solution based on the Authentication and Authorization for Constrained Environments (ACE) Framework, a token-based framework for authentication and authorization. Our solution, the IPsec profile for ACE, builds on the IPsec protocol suite and the Internet Engineering Task Force (IETF) IoT stack to provide network layer security and IPsec channel establishment based on token provisioning for constrained devices. The Direct Provisioning (DP) of Security Associations (SAs), symmetric key-based authenticated establishment (Internet Key Exchange Protocol version 2 (IKEv2) in Pre-Shared Key (PSK) mode), and asymmetric key-based authenticated establishment (IKEv2 in Certificate-based Public Key (CPK) mode) are specified as ways to establish SAs, i.e., IPsec channels. We provide an implementation for Contiki, an Operating System (OS) for constrained devices such as the Zolertia Firefly. Furthermore, we evaluate our protocol design, providing a lower bound for the performance of the profile. The evaluation includes network latency and processing time, energy consumption, memory footprint and packet sizes for the different SA establishment methods. The results provide a benchmark for the different protocol steps as well as aggregated measures for each of the evaluated setups. Our evaluation showed that the DP establishment has the smallest memory footprint and ACE packet size, and at the same time the highest performance. On the other hand, the authenticated establishment featuring IKEv2 in CPK mode shows the largest memory footprint and packet size, together with the lowest performance of the three SA establishment methods.
The trade-offs among Random Access Memory (RAM) and Read-Only Memory (ROM) footprint, power consumption, network latency and processing time, and security guarantees are also described.
Sep 2017
Completed