Hernández-Serrano, Juan, et al. “On the road to secure and privacy-preserving IoT Ecosystems.” International Workshop on Interoperability and Open-Source Solutions. Springer, Cham, 2016.
The paper targets two problems: the massive number of IoT device nodes introduces physical security weaknesses, and the diversity of data introduces data-transmission security vulnerabilities. In particular, it asks how cross-platform and cross-domain applications can be enabled to form an IoT ecosystem.
At present, there are billions of devices connected to the Internet. IoT has established interconnected systems, data, and devices that connect the physical world with the online world, bringing great convenience to human life. Because new security attacks may not have been discovered yet, the IoT platform needs to be updated. Since seamless interconnection is critical to the operation of IoT, insufficient security in a single device can impair the compatibility of the entire network. The expansion of the IoT network should be accompanied by a rigorous security review to ensure that the safety of new elements meets the requirements. Despite the rapid expansion of IoT, designing enhanced network security can help protect the IoT ecosystem.
In the case of signed manifests, it’s hard to start building a solution, considering the languages already in use on the current Web, such as JSON, relying on JSON Web Encryption (JWE) along with JSON Web Signature (JWS).
The paper also mentions a one-way hash function, which is used for anonymizing the address of a bus.
k-anonymity is used for blurring parking spot status, reducing specific information to ensure user safety. The reduction in information also reduces the accuracy of the feedback, so privacy has to be balanced against usability.
Section 2 of the paper presents 7 requirements for BIG IoT together with the corresponding current actions, as shown in Table II.
Requirements | Corresponding Action |
---|---|
End-to-end Security | HTTP¹ |
“Batteries included but swappable” | Generic API² |
Flexible Authentication/Authorization | Signed manifests or tokens |
Ownership Transfer | Quick response to dynamic topologies |
Accounting and Charging | Non-repudiation |
Continuous Security | Software updates/patches |
Secure Development | OWASP³ |
¹ HTTP: HyperText Transfer Protocol
² API: application programming interface
³ OWASP: Open Web Application Security Project
Section 3 covers best practices for privacy in IoT ecosystems. The first is data minimization, which is part of Privacy by Design (PbD). However, even after the data has been minimized, it may be re-identified and cause security problems, so the second measure is strong accountability for companies. The third is transparency and easy access to data. In my understanding, this corresponds to the Inform strategy in PbD, allowing users to know what the data is used for.
The paper also presents the three levels of the OWASP Application Security Verification Standard (ASVS): ASVS Level 1 “Opportunistic”, ASVS Level 2 “Standard”, and ASVS Level 3 “Advanced”. A smart transportation assistant is given as an example, from the platforms to the services, with the corresponding ASVS level and the reasons for each, as shown in Table III.
Platform | ASVS Level of Platform | Service | ASVS Level of Service |
---|---|---|---|
1 Bitcarrier’s WIFI/Bluetooth antennas | 2 or 3 | TMS | 2 or 1 |
2 SEAT’s cars | 2 or 3 | TMS | 2 or 1 |
3 Fastprk’s on-street parking spot status | 2 | PAS | 2 or 1 |
4 Wifi probe catching sensors on buses | 2 or 3 | – | – |
5 Location sensors on bus | 2 or 1 | – | – |
– | – | TMBS | 2 |
– | – | PDES | 2 |
– | – | LBLS | 1 |
As for the smartphone app for the end user, its data is provided by 5 services; as Table III shows, the best choice is ASVS 2.
The paper uses a case analysis to explain the levels of security and privacy, and emphasizes the important role of APIs and marketplaces in the IoT ecosystem.
An encrypted one-way hash is used to hide the MAC address. I have always thought of a hash algorithm as a one-way cryptosystem, that is, one with only an encryption process and no decryption process. So I guess the key may be a dictionary. How does the platform operator encrypt the dictionary? I think this requires a lot of work.
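
The one-way hash for hiding addresses, mentioned in the summary and in the closing question above, as an added example that is not code from the paper or the BIG IoT project. It assumes the "encrypted" hash is a keyed hash (HMAC-SHA256) whose secret is held by the platform operator; the MAC address, prefix and function names are constructed for illustration. It checks whether a pseudonym can be matched by hashing every candidate address: the unkeyed hash can, the keyed hash cannot without the key.

```python
import hashlib
import hmac
import secrets


def normalize_mac(mac: str) -> bytes:
    """Canonicalise 'AA-BB-..' or 'aa:bb:..' notation to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def plain_hash(mac: str) -> str:
    """Unkeyed one-way hash: anyone can recompute it for any candidate."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def keyed_hash(mac: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): recomputing it needs the secret key."""
    return hmac.new(key, normalize_mac(mac), hashlib.sha256).hexdigest()


def candidates(prefix4: str):
    """Every MAC sharing a 4-byte prefix (a constructed space of 65536 values)."""
    base = normalize_mac(prefix4 + ":00:00")[:4]
    for suffix in range(0x10000):
        yield ":".join(f"{b:02x}" for b in base + suffix.to_bytes(2, "big"))


def reidentify(pseudonym: str, prefix4: str, hash_fn):
    """Privacy check: return the MAC whose hash equals the pseudonym, if any."""
    for mac in candidates(prefix4):
        if hmac.compare_digest(hash_fn(mac), pseudonym):
            return mac
    return None


if __name__ == "__main__":
    mac = "02:00:5e:10:be:ef"               # constructed sample address
    operator_key = secrets.token_bytes(32)  # assumed: known only to the operator
    guess_key = secrets.token_bytes(32)     # an outsider's guess at the key

    # Unkeyed: the published pseudonym maps straight back to the device.
    print("plain:", reidentify(plain_hash(mac), "02:00:5e:10", plain_hash))
    # Keyed: the same search fails without the operator's key.
    print("keyed:", reidentify(keyed_hash(mac, operator_key), "02:00:5e:10",
                               lambda m: keyed_hash(m, guess_key)))
```

The keyed pseudonym stays stable for a given device while the key is unchanged, so sightings can still be counted, and rotating the key makes old and new pseudonyms unlinkable.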