SDP-CoAP:基于软件定义边界的安全增强CoAP通信框架设计

doi:10.3969/j.issn.1671-1122.2023.08.002

摘要/Abstract

摘要：

约束应用协议（CoAP）作为一种新兴的物联网协议，虽然考虑了安全设计，但依然不能满足新的安全需求。文章提出了一个基于软件定义边界（SDP）的安全增强CoAP通信框架（SDP-CoAP），利用单包认证（SPA）技术，客户端将认证信息、数据包传输层安全性协议（DTLS）的隧道加密方式和CoAP请求方式等信息添加到握手过程的第一个数据包中，并发送给SDP控制器，实现先认证后通信。对于通过认证的访问请求，从环境、行为等多个维度实时评估访问的可信度，结合客户端不同的请求方式，实现多维动态访问授权。文章还对SDP-CoAP架构的具体部署方式进行分析，设计了一种综合安全性能、能量消耗和处理延迟的部署方式。实验结果表明，SDP-CoAP的客户端-网关部署方式在没有引入明显能源消耗和网络延迟的情况下可以有效增强CoAP网络的安全性。

关键词: 物联网, 零信任, 软件定义边界, 单包认证

Abstract:

Constrained Application Protocol(CoAP), as a new Internet of Things(IoT) protocol, can not meet the new security requirements despite considering its security design. This paper proposed a security enhanced CoAP communication framework (SDP-CoAP) based on Software Defined Perimeter(SDP-CoAP). SDP-CoAP used Single Packet Authentication(SPA) technology. The client added authentication information, the tunnel encryption method of the Datagram Transport Layer Security(DTLS) and the CoAP request method to the first packet in the handshake process and send it to the SDP controller to achieve authentication before communication. For authenticated access requests, the credibility of the access was evaluated in real time from multiple dimensions such as environment and behavior, and multi-dimensional dynamic access authorization was realized by combining different request methods of the client. This paper also analyzed the specific deployment mode of SDP-CoAP architecture, and designed a deployment mode that integrated security performance, energy consumption and processing delay. Experiments verify that the client gateway deployment mode of SDP-CoAP can effectively enhance the security of CoAP network without introducing significant energy consumption and network delay.

Key words: Internet of Things, zero trust, software-defined perimeter, single packet authentication

中图分类号:

TP309

张伟, 李子轩, 徐晓瑀, 黄海平. SDP-CoAP:基于软件定义边界的安全增强CoAP通信框架设计[J]. 信息网络安全, 2023, 23(8): 17-31.

ZHANG Wei, LI Zixuan, XU Xiaoyu, HUANG Haiping. SDP-CoAP: Design of Security Enhanced CoAP Communication Framework Based on Software Defined Perimeter[J]. Netinfo Security, 2023, 23(8): 17-31.

图/表 23

图1

表1

图2

图3

图4

图5

图6

表2

图7

表3

图8

图9

图10

图11

表4

图12

图13

图14

图15

图16

表5

图17

图18

参考文献 28

[1]	SHAFIQUE K, KHAWAJA B A, SABIR F, et al. Internet of Things (IoT) for Next-Generation Smart Systems: A Review of Current Challenges, Future Trends and Prospects for Emerging 5G-IoT Scenarios[J]. IEEE Access, 2020, 8: 23022-23040. doi: 10.1109/Access.6287639 URL
[2]	Ministry of Industry and Information Technology. Economic Operation of the Communications Industry from January to May 2023[EB/OL]. (2023-06-21)[2023-06-25]. https://wap.miit.gov.cn/gxsj/tjfx/txy/art/2023/art_a62ac3d2646541fba9e6a5e3a20534c1.html.
	中华人民共和国工业与信息化部. 2023年1-5月份通信业经济运行情况[EB/OL]. (2023-06-21)[2023-06-25]. https://wap.miit.gov.cn/gxsj/tjfx/txy/art/2023/art_a62ac3d2646541fba9e6a5e3a20534c1.html.
[3]	BORMANN C, CASTELLANI A P, SHELBY Z. Coap: An Application Protocol for Billions of Tiny Internet Nodes[J]. IEEE Internet Computing, 2012, 16(2): 62-67. doi: 10.1109/MIC.2012.29 URL
[4]	KARAGIANNIS V, CHATZIMISIOS P, VAZQUEZ-GALLEGO F, et al. A Survey on Application Layer Protocols for the Internet of Things[J]. Transaction on IoT and Cloud Computing, 2015, 3(1): 11-17
[5]	HAN J, HA M, KIM D. Practical Security Analysis for the Constrained Node Networks:Focusing on the DTLS Protocol[C]//IEEE. 2015 5th International Conference on the Internet of Things (IoT). New York: IEEE, 2015: 22-29.
[6]	CAMPBELL M. Beyond Zero Trust: Trust is a Vulnerability[J]. Computer, 2020, 53(10): 110-113.
[7]	PALMO Y, TANIMOTO S, SATO H, et al. A Consideration of Scalability for Software Defined Perimeter Based on the Zero-Trust Model[C]//IEEE. 2021 10th International Congress on Advanced Applied Informatics (IIAI-AAI). New York: IEEE, 2021: 717-724.
[8]	Internet Engineering Task Force. Datagram Transport Layer Security[EB/OL]. [2023-05-20]. https://www.rfc-editor.org/rfc/rfc6347.
[9]	ARVIND S, NARAYANAN V A. An Overview of Security in CoAP:Attack and Analysis[C]//IEEE. 2019 5th International Conference on Advanced Computing & Communication Systems (ICACCS). New York: IEEE, 2019: 655-660.
[10]	LERCHE C, HARTKE K, KOVATSCH M. Industry Adoption of the Internet of Things:A Constrained Application Protocol Survey[C]//IEEE. Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012). New York: IEEE, 2012: 1-6.
[11]	CAPOSSELE A, CERVO V, DECICCO G, et al. Security as a CoAP Resource:An Optimized DTLS Implementation for the IoT[C]//IEEE. 2015 IEEE International Conference on Communications (ICC). New York: IEEE, 2015: 549-554.
[12]	NAVAS R E, BOUDER H L, CUPPENS N, et al. Do not Trust Your Neighbors! A Small IoT Platform Illustrating a Man-in-the-Middle Attack[C]//Springer. International Conference on Ad-Hoc Networks and Wireless. Berlin: Springer, 2018: 120-125.
[13]	MOUBAYED A, REFAEY A, SHAMI A. Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks[J]. IEEE Network, 2019, 33(5): 226-233. doi: 10.1109/MNET.65 URL
[14]	HAROON A, AKRAM S, SHAH M A, et al. E-Lithe:A Lightweight Secure DTLS for IoT[C]//IEEE. 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall). New York: IEEE, 2017: 1-5.
[15]	KAJWADKAR S, JAIN V K. A Novel Algorithm for DoS and DDoS Attack Detection in Internet of Things[C]//IEEE. 2018 Conference on Information and Communication Technology (CICT). New York: IEEE, 2018: 1-4.
[16]	DEY S, HOSSAIN A. Session-Key Establishment and Authentication in a Smart Home Network Using Public Key Cryptography[J]. IEEE Sensors Letters, 2019, 3(4): 1-4.
[17]	MAJUMDER S, RAY S, SADHUKHAN D, et al. ECC-CoAP: Elliptic Curve Cryptography Based Constraint Application Protocol for Internet of Things[J]. Wireless Personal Communications, 2021, 116(3): 1867-1896. doi: 10.1007/s11277-020-07769-2
[18]	SARAIVA D A F, LEITHARDT V R Q, DEPAULA D, et al. Prisec: Comparison of Symmetric Key Algorithms for IoT Devices[EB/OL]. [2023-06-21]. https://www.mdpi.com/1424-8220/19/19/4312.
[19]	HALABI D, HAMDAN S, ALMAJALI S. Enhance the Security in Smart Home Applications Based on IoT-CoAP Protocol[C]//IEEE. 2018 Sixth International Conference on Digital Information, Networking, and Wireless Communications (DINWC). New York: IEEE, 2018: 81-85.
[20]	PANDYA H B, CHAMPANERIA T A. Enhancement of Security in IoTSyS Framework[C]//Springer. Proceedings of International Conference on Communication and Networks. Berlin: Springer, 2017: 31-43.
[21]	DE HOZ DIEGO J D, SALDANA J, FERNÁNDEZ-NAVAJAS J, et al. Decoupling Security from Applications in CoAP-Based IoT Devices[J]. IEEE Internet of Things Journal, 2019, 7(1): 467-476. doi: 10.1109/JIoT.6488907 URL
[22]	KUMAR P M, GANDHI U D. Enhanced DTLS with CoAP-Based Authentication Scheme for the Internet of Things in Healthcare Application[J]. The Journal of Supercomputing, 2020, 76(6): 3963-3983. doi: 10.1007/s11227-017-2169-5
[23]	SINGH J, REFAEY A, KOILPILLAI J. Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service[J]. Canadian Journal of Electrical and Computer Engineering, 2020, 43(4): 357-363. doi: 10.1109/CJECE.2020.3005316 URL
[24]	SALLAM A, REFAEY A, SHAMI A. On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter[J]. IEEE Access, 2019, 7: 146577-146587. doi: 10.1109/Access.6287639 URL
[25]	SINGH J, REFAEY A, SHAMI A. Multilevel Security Framework for NFV Based on Software Defined Perimeter[J]. IEEE Network, 2020, 34(5): 114-119.
[26]	SINGH J, BELLO Y, HUSSEIN A R, et al. Hierarchical Security Paradigm for IoT Multiaccess Edge Computing[J]. IEEE Internet of Things Journal, 2020, 8(7): 5794-5805. doi: 10.1109/JIOT.2020.3033265 URL
[27]	REFAEY A, SALLAM A, SHAMI A. On IoT Applications: A Proposed SDP Framework for MQTT[J]. Electronics Letters, 2019, 55(22): 1201-1203. doi: 10.1049/el.2019.2334
[28]	SALLAM A, REFAEY A, SHAMI A. Securing Smart Home Networks with Software-Defined Perimeter[C]//IEEE. 2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC). New York: IEEE, 2019: 1989-1993.

模式	描述
NoSec	该模式下，CoAP消息采用明文传输，不采取安全措施
PresharedKey	该模式下，通过使用预先共享的对称加密密钥来启用DTLS，适用于支持无法使用公钥加密设备的应用程序
RawPublicKey	该模式下，对于需要基于公钥进行身份验证的设备，强制设备使用预先设置的密钥列表，以便在没有证书的情况下启动DTLS会话
Certificates	该模式下，支持基于公钥和参与认证链的应用程序的认证，此模式的假设安全基础设施是可用的，所有设备使用非对称密钥并具有X.509证书

维度	属性
主体	身份认证设备认证 IP认证
环境	DTLS加密方式网络拥塞当前网络中的可信请求占比
行为	非正常时间段访问访问密度过大尝试访问未授权服务
操作	GET、POST、PUT、DELETE
客体	资源机密性要求资源完整性要求

操作	机密性影响因子（Op_con）	完整性影响因子（Op_int）
GET	1	0
PUT	0	1
POST、DELETE	0.5	0.5

设备	安装的软件	配置
VM1 (SDP Controller)	- Linux CentOS7 - SDPcontroller module	- 1 Processor - 2 GB RAM - 2 NICs
VM2 (SDP Gateway)	- Linux Ubuntu 20.04 - Californium CoAP Server - SDPgateway module	- 2 Processor - 4 GB RAM - 2 NICs
VM3 (Normal Client)	- Linux Ubuntu 20.04 - Californium CoAP Client - IH module	- 2 Processor - 2 GB RAM - 2 NICs
VM4 (Malicious Client)	- Linux Ubuntu 20.04 - Californium CoAP Client	- 2 Processor - 4 GB RAM - 2 NICs
VM5 (CoAP Server)	- Linux Ubuntu 20.04 - Californium CoAP Server	- 2 Processor - 2 GB RAM - 2 NICs

参数	数值
客户端节点数量	50，100，150，200
网关和控制器节点数量	1
模拟时间	10 s
访问频率	0~0.5 s之间随机数
带宽	2 Mbps
延迟	2 ms
SPA数据包大小	64 Byte
CoAP数据包大小	64 ~576 Byte随机值
初始能量	100 J
传输功率	0.6 mW