ABSTRACT
The Internet of Things (IoT) is one of the new trends that has been drawing attention due to its rapid dissemination and acceptance. However, uncertainty about whether personal data and information are secure can hamper more widespread acceptance of this technology by users. In this context, the security of one of the main components of an IoT system, the gateway, becomes even more relevant, as it is essential in connecting heterogeneous IoT devices. The IoT gateway ends up centralizing communication and system management, thus becoming a high-value target in terms of security. To improve confidentiality, IoT gateways should use cryptographic services implemented with appropriate configurations, based on recommendations from organizations or on technical standards accepted by the scientific community. The main objective of this paper is to evaluate the security level of IoT gateways with respect to encryption requirements. For this, a subset of the encryption requirements suggested by international technical organizations, such as IoTSF and OWASP, is selected. The evaluation was carried out as a security assessment of four IoT gateways against these cryptographic requirements. None of the gateways achieved more than 80% compliance with the selected requirements, which raises concerns regarding the security of their users’ data.
Index Terms
- Compliance Evaluation of Cryptographic Security Requirements on IoT Gateways