Modeling of a Security Enhanced Communication Protocol for IoT-based Applications

Authors

DOI:

https://doi.org/10.56567/pmisr.v2i1.16

Keywords:

Internet of Things, Security, MQTT, ProVerif, Mutual Authentication

Abstract

In the near future, humans will have easy access to gadgets connected to the Internet of Things (IoT). Research on the security issues of the IoT has always been welcome, and the different protocols used in the IoT each have their pros and cons. In the modern setting, developers make significant use of the Message Queue Telemetry Transport (MQTT) protocol. However, the MQTT standard does not impose any mandatory security requirements, and it appears to be relatively simple to exploit security vulnerabilities in MQTT platforms. This paper presents a security analysis of this protocol and proposes a security-enhanced MQTT protocol. The proposed protocol provides security services for IoT systems by utilizing additional cryptographic primitives. Mutual authentication between subscriber and broker, and between publisher and broker, are the key features of the proposed security-enhanced protocol. The security services use only symmetric keys, and key distribution is done along with authentication. A formal verification has also been done using ProVerif to validate the security features of the modified MQTT protocol.

Author Biography

  • B M Mainul Hossain, University of Dhaka

    Dr. B M Mainul Hossain is an Associate Professor at the Institute of Information Technology (IIT), University of Dhaka, Bangladesh. He received his Ph.D. degree in computer science from the University of Illinois at Chicago, USA. Before that, he earned his Bachelor's and Master's degrees from the Department of Computer Science & Engineering, University of Dhaka, Bangladesh. He has experience of working both in industry and academia. He worked as a Software Engineer at Microsoft Corporation (Redmond, USA) and Accenture Technology Labs (Chicago & California). His core areas of interest are Machine Learning, Computer & Internet Security, and Software Testing. He has been leading many research projects and serving as an advisor to various private and public organizations, including the Government of Bangladesh. Dr. Mainul has presented at and attended many international conferences and workshops in different countries, including the USA, Russia, Luxembourg, South Korea, and Japan.



Published

2023-12-31 — Updated on 2024-07-07


Section

Original Research

How to Cite

Modeling of a Security Enhanced Communication Protocol for IoT-based Applications. (2024). PMIS Review, 2(1). https://doi.org/10.56567/pmisr.v2i1.16 (Original work published 2023)