Public Key Infrastructure and its applications for resource-constrained IoT

Abstract: The Internet of Things (IoT) is rapidly expanding, and IoT devices are being deployed in security-critical scenarios, such as critical infrastructure monitoring and e-health, and in privacy-sensitive applications in hospitals and homes. With this, questions of security and safety become paramount. The overall theme of the research presented here is to bridge some of the identified gaps in IoT security, with a particular focus on enabling Public Key Infrastructure (PKI) functionality for constrained IoT devices. The contributions of this dissertation are made through six research papers that address identified shortcomings and challenges. The focus is on protocols, mechanisms, and efficient encodings rather than specific cryptographic solutions. The work to improve the state of the art regarding PKI for IoT includes enrollment, revocation and trust transfer. We design and implement integrated lightweight certificate enrollment solutions for IoT devices and new compact certificate formats. This brings the total communication costs of session establishment and enrollment operations down to feasible levels for constrained IoT devices. An improved design is made to benefit from application-layer security, enabling end-to-end communication capable of proxy traversal. To handle revocation of trust, we propose and design lightweight certificate revocation. We show how significant performance improvements compared with existing solutions can be made without sacrificing functionality or compromising security. To address the long-term maintainability of IoT systems, we design a lightweight schema for trust transfer, which allows control of IoT deployments to shift between service providers in a highly automated manner.

In addition to improving PKI functionality, we propose mechanisms for secure storage and updates, which complement and strengthen the overall IoT security landscape. We show that standards-based application-layer security mechanisms can be extended to enable secure storage and communication, reducing the memory required for cryptographic solutions and the latency when sending sensor data onto the network. In our last contribution, we propose a design for secure software updates. Based on the existing ACE framework, we use token-based access control to fulfil the need for both authentication and authorisation security services.

We have been working with industry partners to share our work in the form of new standards, for a better potential for industrial impact. In summary, several new building blocks required to create, maintain and support secure PKIs capable of including constrained IoT devices are proposed, forming important steps towards making IoT devices first-class Internet citizens.