SDP-CoAP: Design of Security Enhanced CoAP Communication Framework Based on Software Defined Perimeter

doi:10.3969/j.issn.1671-1122.2023.08.002

Abstract

Abstract:

Constrained Application Protocol(CoAP), as a new Internet of Things(IoT) protocol, can not meet the new security requirements despite considering its security design. This paper proposed a security enhanced CoAP communication framework (SDP-CoAP) based on Software Defined Perimeter(SDP-CoAP). SDP-CoAP used Single Packet Authentication(SPA) technology. The client added authentication information, the tunnel encryption method of the Datagram Transport Layer Security(DTLS) and the CoAP request method to the first packet in the handshake process and send it to the SDP controller to achieve authentication before communication. For authenticated access requests, the credibility of the access was evaluated in real time from multiple dimensions such as environment and behavior, and multi-dimensional dynamic access authorization was realized by combining different request methods of the client. This paper also analyzed the specific deployment mode of SDP-CoAP architecture, and designed a deployment mode that integrated security performance, energy consumption and processing delay. Experiments verify that the client gateway deployment mode of SDP-CoAP can effectively enhance the security of CoAP network without introducing significant energy consumption and network delay.

Key words: Internet of Things, zero trust, software-defined perimeter, single packet authentication

CLC Number:

TP309

ZHANG Wei, LI Zixuan, XU Xiaoyu, HUANG Haiping. SDP-CoAP: Design of Security Enhanced CoAP Communication Framework Based on Software Defined Perimeter[J]. Netinfo Security, 2023, 23(8): 17-31.

Figures/Tables 23

References 28

[1]	SHAFIQUE K, KHAWAJA B A, SABIR F, et al. Internet of Things (IoT) for Next-Generation Smart Systems: A Review of Current Challenges, Future Trends and Prospects for Emerging 5G-IoT Scenarios[J]. IEEE Access, 2020, 8: 23022-23040. doi: 10.1109/Access.6287639 URL
[2]	Ministry of Industry and Information Technology. Economic Operation of the Communications Industry from January to May 2023[EB/OL]. (2023-06-21)[2023-06-25]. https://wap.miit.gov.cn/gxsj/tjfx/txy/art/2023/art_a62ac3d2646541fba9e6a5e3a20534c1.html.
	中华人民共和国工业与信息化部. 2023年1-5月份通信业经济运行情况[EB/OL]. (2023-06-21)[2023-06-25]. https://wap.miit.gov.cn/gxsj/tjfx/txy/art/2023/art_a62ac3d2646541fba9e6a5e3a20534c1.html.
[3]	BORMANN C, CASTELLANI A P, SHELBY Z. Coap: An Application Protocol for Billions of Tiny Internet Nodes[J]. IEEE Internet Computing, 2012, 16(2): 62-67. doi: 10.1109/MIC.2012.29 URL
[4]	KARAGIANNIS V, CHATZIMISIOS P, VAZQUEZ-GALLEGO F, et al. A Survey on Application Layer Protocols for the Internet of Things[J]. Transaction on IoT and Cloud Computing, 2015, 3(1): 11-17
[5]	HAN J, HA M, KIM D. Practical Security Analysis for the Constrained Node Networks:Focusing on the DTLS Protocol[C]//IEEE. 2015 5th International Conference on the Internet of Things (IoT). New York: IEEE, 2015: 22-29.
[6]	CAMPBELL M. Beyond Zero Trust: Trust is a Vulnerability[J]. Computer, 2020, 53(10): 110-113.
[7]	PALMO Y, TANIMOTO S, SATO H, et al. A Consideration of Scalability for Software Defined Perimeter Based on the Zero-Trust Model[C]//IEEE. 2021 10th International Congress on Advanced Applied Informatics (IIAI-AAI). New York: IEEE, 2021: 717-724.
[8]	Internet Engineering Task Force. Datagram Transport Layer Security[EB/OL]. [2023-05-20]. https://www.rfc-editor.org/rfc/rfc6347.
[9]	ARVIND S, NARAYANAN V A. An Overview of Security in CoAP:Attack and Analysis[C]//IEEE. 2019 5th International Conference on Advanced Computing & Communication Systems (ICACCS). New York: IEEE, 2019: 655-660.
[10]	LERCHE C, HARTKE K, KOVATSCH M. Industry Adoption of the Internet of Things:A Constrained Application Protocol Survey[C]//IEEE. Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012). New York: IEEE, 2012: 1-6.
[11]	CAPOSSELE A, CERVO V, DECICCO G, et al. Security as a CoAP Resource:An Optimized DTLS Implementation for the IoT[C]//IEEE. 2015 IEEE International Conference on Communications (ICC). New York: IEEE, 2015: 549-554.
[12]	NAVAS R E, BOUDER H L, CUPPENS N, et al. Do not Trust Your Neighbors! A Small IoT Platform Illustrating a Man-in-the-Middle Attack[C]//Springer. International Conference on Ad-Hoc Networks and Wireless. Berlin: Springer, 2018: 120-125.
[13]	MOUBAYED A, REFAEY A, SHAMI A. Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks[J]. IEEE Network, 2019, 33(5): 226-233. doi: 10.1109/MNET.65 URL
[14]	HAROON A, AKRAM S, SHAH M A, et al. E-Lithe:A Lightweight Secure DTLS for IoT[C]//IEEE. 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall). New York: IEEE, 2017: 1-5.
[15]	KAJWADKAR S, JAIN V K. A Novel Algorithm for DoS and DDoS Attack Detection in Internet of Things[C]//IEEE. 2018 Conference on Information and Communication Technology (CICT). New York: IEEE, 2018: 1-4.
[16]	DEY S, HOSSAIN A. Session-Key Establishment and Authentication in a Smart Home Network Using Public Key Cryptography[J]. IEEE Sensors Letters, 2019, 3(4): 1-4.
[17]	MAJUMDER S, RAY S, SADHUKHAN D, et al. ECC-CoAP: Elliptic Curve Cryptography Based Constraint Application Protocol for Internet of Things[J]. Wireless Personal Communications, 2021, 116(3): 1867-1896. doi: 10.1007/s11277-020-07769-2
[18]	SARAIVA D A F, LEITHARDT V R Q, DEPAULA D, et al. Prisec: Comparison of Symmetric Key Algorithms for IoT Devices[EB/OL]. [2023-06-21]. https://www.mdpi.com/1424-8220/19/19/4312.
[19]	HALABI D, HAMDAN S, ALMAJALI S. Enhance the Security in Smart Home Applications Based on IoT-CoAP Protocol[C]//IEEE. 2018 Sixth International Conference on Digital Information, Networking, and Wireless Communications (DINWC). New York: IEEE, 2018: 81-85.
[20]	PANDYA H B, CHAMPANERIA T A. Enhancement of Security in IoTSyS Framework[C]//Springer. Proceedings of International Conference on Communication and Networks. Berlin: Springer, 2017: 31-43.
[21]	DE HOZ DIEGO J D, SALDANA J, FERNÁNDEZ-NAVAJAS J, et al. Decoupling Security from Applications in CoAP-Based IoT Devices[J]. IEEE Internet of Things Journal, 2019, 7(1): 467-476. doi: 10.1109/JIoT.6488907 URL
[22]	KUMAR P M, GANDHI U D. Enhanced DTLS with CoAP-Based Authentication Scheme for the Internet of Things in Healthcare Application[J]. The Journal of Supercomputing, 2020, 76(6): 3963-3983. doi: 10.1007/s11227-017-2169-5
[23]	SINGH J, REFAEY A, KOILPILLAI J. Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service[J]. Canadian Journal of Electrical and Computer Engineering, 2020, 43(4): 357-363. doi: 10.1109/CJECE.2020.3005316 URL
[24]	SALLAM A, REFAEY A, SHAMI A. On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter[J]. IEEE Access, 2019, 7: 146577-146587. doi: 10.1109/Access.6287639 URL
[25]	SINGH J, REFAEY A, SHAMI A. Multilevel Security Framework for NFV Based on Software Defined Perimeter[J]. IEEE Network, 2020, 34(5): 114-119.
[26]	SINGH J, BELLO Y, HUSSEIN A R, et al. Hierarchical Security Paradigm for IoT Multiaccess Edge Computing[J]. IEEE Internet of Things Journal, 2020, 8(7): 5794-5805. doi: 10.1109/JIOT.2020.3033265 URL
[27]	REFAEY A, SALLAM A, SHAMI A. On IoT Applications: A Proposed SDP Framework for MQTT[J]. Electronics Letters, 2019, 55(22): 1201-1203. doi: 10.1049/el.2019.2334
[28]	SALLAM A, REFAEY A, SHAMI A. Securing Smart Home Networks with Software-Defined Perimeter[C]//IEEE. 2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC). New York: IEEE, 2019: 1989-1993.

模式	描述
NoSec	该模式下，CoAP消息采用明文传输，不采取安全措施
PresharedKey	该模式下，通过使用预先共享的对称加密密钥来启用DTLS，适用于支持无法使用公钥加密设备的应用程序
RawPublicKey	该模式下，对于需要基于公钥进行身份验证的设备，强制设备使用预先设置的密钥列表，以便在没有证书的情况下启动DTLS会话
Certificates	该模式下，支持基于公钥和参与认证链的应用程序的认证，此模式的假设安全基础设施是可用的，所有设备使用非对称密钥并具有X.509证书

维度	属性
主体	身份认证设备认证 IP认证
环境	DTLS加密方式网络拥塞当前网络中的可信请求占比
行为	非正常时间段访问访问密度过大尝试访问未授权服务
操作	GET、POST、PUT、DELETE
客体	资源机密性要求资源完整性要求

操作	机密性影响因子（Op_con）	完整性影响因子（Op_int）
GET	1	0
PUT	0	1
POST、DELETE	0.5	0.5

设备	安装的软件	配置
VM1 (SDP Controller)	- Linux CentOS7 - SDPcontroller module	- 1 Processor - 2 GB RAM - 2 NICs
VM2 (SDP Gateway)	- Linux Ubuntu 20.04 - Californium CoAP Server - SDPgateway module	- 2 Processor - 4 GB RAM - 2 NICs
VM3 (Normal Client)	- Linux Ubuntu 20.04 - Californium CoAP Client - IH module	- 2 Processor - 2 GB RAM - 2 NICs
VM4 (Malicious Client)	- Linux Ubuntu 20.04 - Californium CoAP Client	- 2 Processor - 4 GB RAM - 2 NICs
VM5 (CoAP Server)	- Linux Ubuntu 20.04 - Californium CoAP Server	- 2 Processor - 2 GB RAM - 2 NICs

参数	数值
客户端节点数量	50，100，150，200
网关和控制器节点数量	1
模拟时间	10 s
访问频率	0~0.5 s之间随机数
带宽	2 Mbps
延迟	2 ms
SPA数据包大小	64 Byte
CoAP数据包大小	64 ~576 Byte随机值
初始能量	100 J
传输功率	0.6 mW