Content uploaded by Md Masuduzzaman
Author content
All content in this area was uploaded by Md Masuduzzaman on Mar 14, 2022
Content may be subject to copyright.
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
Chapter 8 : Two Phase Authentication and VPN Based Secured Communication for IoT
Home Networks
Md Masuduzzaman
Ashik Mahmud
Anik Islam
Md Mofijul Islam
Abstract
With the advancement of technology (i.e., devices), which are considered non-traditional in terms
of internet capabilities, are now being embedded in microprocessors to communicate and these
devices are known as IoT devices. This technology has enabled household devices to have the
ability to communicate with the internet and a network comprising of such device can create a
home IoT network. Such IoT devices are resource constrained and lack high-level security
protocols. Thus, security becomes a major issue for such network systems. One way to secure the
networks is through reliable authentication protocols and data transfer mechanism. As the
household devices are controllable by the users remotely, they are accessed over the internet.
Therefore, there should also be a method to make the communication over the internet between
IoT devices and the users more secured. This paper proposes a two phase authentication protocol
for authentication purposes and a VPN based secure channel creation for the communication of
the devices in the network. Furthermore, the paper discusses the elliptic curve cryptography as a
viable alternative to RSA for a more efficient Key exchange mechanism for low-powered IoT
devices in the network.
Keywords: Authentication, Elliptic Curve Cryptography, Internet of Things, Security,
Vitual Private Network (VPN).
1. Introduction
1.1 Background
The Internet of Things (IoT) is a system of interconnected devices, sensors and actuators
etc. which work together in a network to reach a common goal [1]. Such technology can be
implemented in various ways to make our daily lives easier by placing internet capabilities in
devices which are not regularly used as network devices. In recent years, the application of
microprocessor-based controllers in devices ranging from toasters to airliners is being added to
connect them to the internet [2-4]. With such advancements in IoT technology, it is showing
potential to be deployed as consumer products for home usage [4]. Providing internet capabilities
to home devices, such as air conditioners, lights, fans, refrigerators etc., enables them to be
controlled remotely. Such type of application can be called home IoT networks. As the devices
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
connected to a home network and these devices can be controlled remotely which make these
devices vulnerable to malicious attacks [3-5] and secure data transferring is also needed [2]. So
there need to add methods of authentication and security between the user and the devices in the
network in order to prevent attacks [6-8]. Secure authentication of devices in a network includes a
key exchange mechanism and handshake between the devices [7-9]. This can be done through
centralized network system in which a central node is responsible for the security mechanisms or
through distributed networks where each node shares private keys and after successful handshake
communication is established [7-9].
1.2 Authentication Protocols
Authenticating devices in a home network is a key process in securing the user interaction
with IoT. If the network lacks security the end devices are vulnerable to attack and the purpose of
implementing IoT is diminished [10]. There are several authentication mechanisms for IoT
applications. Such as password based remote user authentication using one-way hash functions and
ticket based authentication [11]. Existing methods of authentication of devices include registering
devices in a cloud platform running with the home network and initiating a handshake and key
exchange [11, 12]. Such systems also include a current method of key exchange which is the RSA
key exchange mechanism [7]. As most of the IoT devices are resource constrained, DTLS protocol
is often used for handshaking [13].
2. Related Works
2.1 Wi-Fi Network Based Security
The system contains a home gateway, the user or mobile device and several IoT devices
connected through a Wi-Fi network, as shown in Figure 8.1.
Users can access the IoT devices from the home gateway and the gateway performs
authentication and monitoring functions between the devices in the system [4]. The
authentication protocol used in this system involves the use of public key cryptography [7]
with pre-shared keys between the gateway and a new device which utilizes Elliptic Curve
Cryptography (ECC) to reduce key size [4], as shown in Figure 8.2. This model lacks a
proper mechanism for the handshaking protocol for constrained devices. Although ECC
was used to reduce key size shared for authentication, the whole application lacks security
measures if a malicious attacker is able to infiltrate the system.
2.2 PAuthKey Protocol
Figure 8.1. System Step for Wi-Fi based security.
Figure 8.2. Simple handshake protocol using ECC.
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
The system authenticates its devices in a two-phase authentication protocol [7, 9, 11], as
shown in Figure 8.3. The network consists of several nodes in a cluster that communicates with the
user over the IoT cloud through a gateway. A Certificate Authority (CA) is connected to the network
and is responsible for authenticating the devices using handshake and key exchange. The first phase
of the authentication is done manually by registering the devices in the certificate authority [9-11].
The second phase is done through initiating handshake using DTLS handshaking protocol and
exchanging keys using ECC [7, 8, 13]. Since the user communicates with the IoT devices over the
IoT cloud or internet, in these areas, the data packets remain vulnerable to attackers. Even though
they are encrypted, there still lie possibilities of the packets being sniffed and decrypted.
2.3 Two-way Authentication Security Scheme on Existing DTLS Protocol
This system comprises of a network containing a certificate authority which is responsible
for authorizing the devices and an access control server for exchanging key, as shown in Figure
8.4. The devices communicate with each other over the internet and the IoT devices
communicate with the user and the server through a gateway [15]. The key aspect of this system
is the use of DTLS handshake for mutual authentication of the devices, i.e. a two-way
authentication [13-16], as shown in Figure 8.5. During the handshake, keys are exchanged using
RSA cryptography [15].
This model also briefly talks about using VPN as a mechanism to secure payload over the
internet for their proposed model [10, 15, 17]. As this model uses the RSA key exchange
mechanism, there exist the probability of large network overheads occurring due to large key size.
This can be modified by using a key exchanging mechanism which generates a lower key size for
the same security bit for RSA.
3. Network Model and Assumption
Our proposed network model follows the existing network model used in the PAuthKey
system for the authentication process [11]. Since the devices in their network are
communicating over the internet or IoT cloud [11, 18], we modified the network using VPN
for secure communication. Here, the model is made such that the wireless sensor networks
(WSN) clusters with gateways (GW) can be an individual house or a room so that the system
is scalable to larger implementations. The certificate authority used in PAuthKey system
[11] has been replaced by a VPN server which is responsible for registering the devices as
well as authenticating the devices using DTLS handshake [11, 15] and public key
cryptography for key exchange mechanism [7]. The VPN server also establishes VPN
endpoint to gateway tunnels [19, 20] for securing data packets sent by any devices in the
system. The VPN server is responsible for creating VPN tunnels for data communication
Figure 8.3. PAuthKey Network Model.
Figure 8.4. DTLS based Security and Two-way Authentication Network Model.
Figure 8.5. DTLS Handshake Mechanism for Two-way Authentication.
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
between the user and the device or the gateways and the server. The VPN server is
responsible for creating VPN tunnels for data communication between the user and the
device or the gateways and the server.
4. Proposed Solution
4.1 MAC Address Based User Registration
Similar to the aforementioned systems, our system also uses a registration phase for the
devices in the network [4, 8, 15], as shown in Figure 8.6.
In our system, the VPN server contains a database that keeps a record of valid users which
includes their usernames, password and MAC address, as shown in Table 1. This record is
kept as a fail-safe such that if an authorized user does manage to gain access to the system,
the server can deny them access as their MAC address does not match with any registered
addresses.
Table 1. MAC Address Based User Registration.
User Info
Password
MAC
User1
Pass1
30-65-EC-6F-C4-58
User2
Pass2
00-1B-63-84-45-E6
User3
Pass3
00-1B-44-11-3A-B7
4.2 Authentication Protocol
Use of ECC is now being adopted as an alternate public key exchange mechanism for IoT
based networks [4, 21]. In PAuthKey [11] and Wi-Fi based system [4], the usage of ECC
was also adopted along with DTLS handshake. On the other hand, the DTLS two-way
authentication protocol used RSA as their method for key exchange. In our proposed method,
we use ECC along with DTLS handshake for authentication purposes. The reason ECC is
used in lieu of RSA is that ECC is more suitable for resource-constrained devices. ECC
keys are generated through computation on an elliptical curve whose basic equation is
y2 = x2 + ax + b (1)
The trapdoor function of ECC is similar to RSA with complex mathematical computation
[14], this is due to elliptic curves having horizontal symmetry and any non-vertical line
will intersect the curve in 3 places at most. Moreover, the endpoint of the non-vertical
intersection can be reflected to form another nonvertical intersection resulting in the scope
of more key generation [21, 22]. The major advantages that ECC has over RSA are:
Figure 8.6. Proposed Network Model.
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
- ECC relies on difficult discrete logarithm functions which make it more difficult to
decrypt by malicious attackers [22].
- ECC generates keys with shorter size compared to RSA for the same security bits [21,
22].
-For the same bit size, ECC generates more number of keys than RSA [22], which is
provided in Table 2.
Table 2. Comparable key sizes between RSA and ECC
Security Bits
ECC
RSA
80
260
1024
112
224
2048
128
256
3072
192
384
7680
256
521
15350
4.3 Data Transfer Security Using VPN
In our network model and the network models discussed in our related works, users
communicate with IoT devices through the internet or IoT cloud [4, 11, 15]. This may leave
the data packets being sent vulnerable to eavesdropping or sniffing attacks. To solve this
problem, our model introduces VPN to the network. A VPN endpoint to gateway tunnel [20]
which is created from the server to the gateways, from user to server and from user to
gateway by the VPN server as shown in Figure 8.4. This enables the devices to communicate
using private IP’s over a secured channel. Furthermore, such type of secured communication
ensures that CIA (Confidentiality, Integrity, and Authenticity) is maintained in the system.
5. Conclusion and Future Work
5.1 Scope of Future Work
This solution focuses on secure data communication and authentication protocols for home
IoT networks. The proposed network model mainly focuses on home networks including
control over multiple homes for one user based on cluster topology. This network is scalable
to larger network areas such as industries and hospitals and even smart cities. Furthermore,
the scope of improving VPN based communication over the internet is vast as this solution
focus on conceptual based discussion rather than practical implementation.
5.2 Conclusion
In this solution, the problem that was focused on the authentication mechanism of devices
in a home IoT network and secured communication of devices over the internet. Efficient
authenticating mechanism based on ECC and DTLS handshake was introduced and VPN
based tunneling was proposed to secure data communication. Moreover, MAC address-
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
based fail-safe solution was also proposed such that in an unlikely event an unauthorized
user gains access to the system, they can be dealt with.
6. References
1. Parvaneh Asghari, Amir Masoud Rahmani, Hamid Haj Seyyed Javadi, "Internet
of Things applications: A systematic review" Computer Networks (2019),
Volume 148, 2019, Pages 241-261, ISSN 1389-1286.
2. Anik Islam, Soo Young Shin,"A blockchain-based secure healthcare scheme with
the assistance of unmanned aerial vehicle in Internet of Things", Computers &
Electrical Engineering, Volume 84, 2020, 106627, ISSN 0045-7906,
https://doi.org/10.1016/j.compeleceng.2020.10662
3. Huichen Lin, Neil W. Bergmann "IoT Privacy and Security Challenges for Smart
Home Environments", University of Queensland, Australia, 2016.
4. Freddy K Santoso, and Nicholas C H Vun, "Securing IoT for Smart Home
System" 2015 IEEE International Symposium on Consumer Electronics (ISCE).
5. Shivaji Kulkarni, Shrihari Durg, Nalini Iyer, "Internet of Things (IoT) Security"
International Conference on Computing for Sustainable Global Development
(INDIACom), 2016.
6. Kim Thuat Nguyen, Maryline Laurent, Nouha Oualha, "Survey on secure
communication protocols for the internet of Things" Ad Hoc Networks, 2015.
7. SRINIVASAN NAGARAJ, Dr.G.S.V.P.RAJU, V.SRINADTH. Data Encryption
and Authetication Using Public Key Approach. International Conference on
Intelligent Computing, Communication \& Convergence., 2015.
8. A. Islam and S. Y. Shin, "BUS A Blockchain-Enabled Data Acquisition Scheme
With the Assistance of UAV Swarm in Internet of Things", in IEEE Access, vol.
7, pp. 103231-103249, 2019.
9. Pawani Porambage, Corinna Schmitt, Pardeep Kumar, Andrei Gurtov, Mika
Ylianttila. Two-phase Authentication Protocol for Wireless Sensor Networks in
Distributed IoT Applications. IEEE WCNC'14 Track 3 (Mobile and Wireless
Networks), 2014.
10. Zhi-Kai Zhang, Michael Cheng Yi Cho, Shiuhpyng Shieh. Emerging Security
Threats and Countermeasures in IoT. National Chiao Tung University Hsinchu,
Taiwan.
11. M. Young, The Technical Writer's Handbook. Mill Valley, CA: University
Science, 1989.
12. A. Islam and S. Y. Shin, BUAV A blockchain based secure UAV-assisted data
acquisition scheme in Internet of Things, in Journal of Communications and
Networks, vol. 21, no. 5, pp. 491-502, Oct. 2019.
13. Gl ederson Lessa dos Santos, Vinıcius Tavares Guimaraes, Guilherme da Cunha
Rodrigues, Lisandro Zambenedetti Granville, Liane Margarida Rockenbach
Tarouco. A DTLS-based Security Architecture for the Internet. 20th IEEE
Symposium on Computers and Communication (ISCC), 2015.
14. Corinna Schmitt,. Thomas Kothmayr, Wen Hu, Burkhard Stiller. Two-way
Authentication for the Internet-of-Things. Ministry of Education and Research:
the SODA Project under Grant Agreement No. 01IS09040A.and the AutHoNe
Project under Grant Agreement No. 01BN070[25], 2012.
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
15. Thomas Kothmayr,Corinna Schmitt,Wen Hub, Michael Brünig, Georg Carle
"DTLS based security and two-way authentication for the Internet of Things" Ad
Hoc Networks, 2013.
16. Priyan Malarvizhi Kumar, Usha Devi Gandhi. Enhanced DTLS with CoAP-based
authentication scheme for the internet of things in healthcare application. Springer
Science+Business Media, LLC 2017.
17. Rolf H. Weber. Internet of Things – New security and privacy challenges.
University of Zurich, Zurich, Switzerland, 2010.
18. Vijay Sivaraman, Hassan Habibi Gharakheili, Arun Vishwanath, Roksana Boreli,
Olivier Mehani. Network-Level Security and Privacy Control for Smart-Home
IoT Devices. Eight International Workshop on Selected Topics in Mobile and
Wireless Computing, 2015.7
19. N.M. Mosharaf Kabir Chowdhury, Raouf Boutaba. A survey of network
virtualization. Computer Networks 54 (2010), 862–876.
20. V.C. Gungor, F.C. Lambert. A survey on communication networks for electric
system automation. Computer Networks 50 (2006), 877–897.
21. Z. Liu, H. Seo. IoT-NUMS: Evaluating NUMS Elliptic Curve Cryptography for
IoT Platforms. IEEE Transactions on Information Forensics and Security, Volume
14, Issue 3, 720-729, March 2019.
22. Rounak Sinha, Hemant Kumar Srivastava, Sumita Gupta. Performance Based
Comparison Study of RSA and Elliptic Curve Cryptography. International Journal
of Scientific \& Engineering Research, Volume 4, Issue 5, May-2013.
Authors Bio:
Mr. Md Masuduzzaman is currently pursuing his Ph.D in IT convergence engineering at Kumoh
National Institute of Technology, Gumi, South Korea. Previously he has worked as a Lecturer at
American International University-Bangladesh for 4 years [2015-2019]. He is in study leave now
to complete his PhD program. His major research interests include Blockchain, Internet of
Things (IoT), Unmanned Aerial Vehicle (UAV), Edge Computing, Machine Learning,
Cryptography and Network Security. He has several publications on International Journal and
Conferences across the world.
e-mail: masud.prince@kumoh.ac.kr
Affiliation/Address:
Department of IT Convergence Engineering, Kumoh National Institute of Technology (KIT),
Gumi 39177, South Korea
Mr. Ashik Mahmud is currently is pursuing his Masters degree at Hochschule Rhein-Waal University,
Germany. Earlier he has worked as a web developer at Composis Blades Inc. in Bangladesh as software
engineer from 2018 to 2019. His major research interest includes web development, web engineering,
web Security etc. He has several publication on internation conferences.
e-mail: mahmud.devops@gmail.com
Safely, Security and Reliability of robotic Systems: Algorithms, Applications and Technologies
Affiliation/Address:
Department of Computer Science and Engineering, American International University-
Bangladesh, Dhaka, Bangladesh.
Mr. Anik Islam was born in 1992. He received the B.Sc. in software engineering and M.Sc. degrees in
computer science from American International University-Bangladesh (AIUB), Dhaka, Bangladesh, in
2014 and 2017, respectively. He is currently working toward the PhD degree with the WENS Laboratory,
Kumoh National Institute of Technology, Gumi, South Korea. He has more than 5 years of experience of
working in the software development field. He has participated in various software competitions with
good achievements. His major research interests include blockchain, internet of things, unmanned aerial
vehicle, social internet of things, edge computing, and distributed system.
e-mail: anik.islam@kumoh.ac.kr
Affiliation/Address:
Department of IT Convergence Engineering, Kumoh National Institute of Technology (KIT),
Gumi 39177, South Korea
Mr. Md Mofijul Islam is currently pursuing Ph.D. Degree in System and Information Engineering at
University of Virginia. He received the B.S. and M.S. degrees in computer science and engineering from
the Department of Computer Science and Engineering, University of Dhaka, Bangladesh. He was a
Lecturer at the Department of Computer Science and Engineering, University of Dhaka (Sep 2017- Aug
2019). He also was a Lecturer at the Department of Computer Science and Engineering, United
International University (Jan 2015-Sep 2017). He was a Software Engineer with Tiger It Ltd (April 2014-
Jul 2014). He is also involved in programming training, mobile apps, and different software contest
team-building activities. His research interests include Artificial Intelligence, Multimodal Learning, Self-
Supervised Learning, Human-Robot Interaction, and Optimization.
e-mail: mi8uu@virginia.edu
Affiliation/Address:
Department of System and Information Engineering, University of Virginia, 2002 Jefferson park
avenue, Apt 17, Charlottesville, Virginia.