Usable Security for an IoT OS: Integrating the Zoo of Embedded Crypto Components Below a Common API
Authors: 
Lena Boeckmann, Peter Kietzmann, Leandro Lanzieri, 
Thomas C Schmidt, 
Matthias WählischAuthors Info & Claims
Abstract
IoT devices differ widely in crypto-supporting hardware, ranging from no hardware support to powerful accelerators supporting numerous of operations including protected key storage. An operating system should provide uniform access to these heterogeneous hardware features, which is a particular challenge in the resource constrained IoT. Effective security is tied to the usability of cryptographic interfaces. A thoughtful API design is challenging, and it is beneficial to re-use such an interface and to share the knowledge of programming embedded security widely.
In this paper, we integrate an emerging cryptographic interface into usable system-level calls for the IoT operating system RIOT, which runs on more than 240 platforms. This interface supports ID-based key handling to access key material in protected storage without exposing it to anyone. Our design foresees hardware acceleration on all available variants; our implementation integrates diverse cryptographic hardware and software backends via the uniform interface. Our performance measurements show that the overhead of the uniform API with integrated key management is negligible compared to the individual crypto operation. Our approach enhances the usability, portability, and flexibility of cryptographic support in the IoT.
References
[1]
Mindermann,K.,Keck,P., and Wagner,S. 2018. "How Usable Are Rust Cryptography APIs". In International Conference on Software Quality, Reliability and Security (QRS '18). vol. 154,pp. 143--143.
[2]
Arm Ltd,Mbed,Tls. 2020. "https://tls.mbed.org/". In Online-ArXiV Preprint or similar. pp. 7--17.
[3]
Arm Ltd,. 2020. "PSA Cryptography API 1". In Online-ArXiV Preprint or similar. pp. 9--28.
[4]
2020. "FreeRTOS Real-time operating system for microcontrollers". In 2020.
[5]
Whitten,A.,Tygar,J D. 1999. "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0". In 8th USENIX Security Symposium (USENIX Security 99).
[6]
Arm Ltd,. 2021. "ARM Trusted Firmware A". In Online-ArXiV Preprint or similar. pp. 10--17.
[7]
Acar,Y.,Backes,M.,Fahl,S.,Garfinkel,S.,Kim,D.,Mazurek,M L., and Stransky,C. 2017. "Comparing the Usability of Cryptographic APIs". In Proc. of the IEEE Symposium on Security and Privacy (SP '17). pp. 154--171.
[8]
Gerez,A H.,Kamaraj,K.,Nofal,R.,Liu,Y., and Dezfouli,B. 2018. "Energy and Processing Demand Analysis of TLS Protocol in Internet of Things Applications". In International Workshop on Signal Processing Systems (SiPS '18). pp. 312--317.
[9]
Arm Ltd,. 2021. "PSA Functional APIs Architecture Test Suite". In Online-ArXiV Preprint or similar. pp. 10--17.
[10]
Arm Ltd,Arm, and Certified,. 2021. "https://www.psacertified.org/". In Online-ArXiV Preprint or similar. pp. 9--28.
[11]
Hiesgen,R.,Nawrocki,M.,King,A.,Dainotti,A.,Schmidt,T C.,Wählisch,M., and Spoki,. 2022. "Unveiling a New Wave of Scanners through a Reactive Network Telescope". In Proc. of 31st USENIX Security Symposium.
[12]
Antonakakis,M. 2017. "Understanding the Mirai Botnet". In 26th USENIX Security Symposium (USENIX Security 17). pp. 1093--1110.
[13]
Wray,J. 2000. "Generic Security Service API Version 2 : C-bindings. RFC 2744, IETF". In Online-ArXiV Preprint or similar.
[14]
Gündogan,C.,Amsüss,C.,Schmidt,T C., and Wählisch,M. 2022. "Content Object Security in the Internet of Things: Challenges, Prospects, and Emerging Solutions". In IEEE Transactions on Network and Service Management (TNSM). vol. 19,pp. 538--553.
[15]
Oasis Open,. 2020. "PKCS #11 Cryptographic Token Interface Base Specification Version 3". In Online-ArXiV Preprint or similar. pp. 10--16.
[16]
Kietzmann,P.,Boeckmann,L.,Lanzieri,L.,Schmidt,T C., and Wählisch,M. 2021. "A Performance Study of Crypto-Hardware in the Lowend IoT". In International Conference on Embedded Wireless Systems and Networks (EWSN'21).
[17]
Noseda,M.,Zimmerli,L.,Schläpfer,T., and Rüst,A. 2022. "Performance Analysis of Secure Elements for IoT". In IoT. vol. 3,pp. 1--28.
[18]
Oasis Open,. 2014. "PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40". In Online-ArXiV Preprint or similar. pp. 10--16.
[19]
Kietzmann,P.,Schmidt,T C., and Wählisch,M. 2021. "A Guideline on Pseudorandom Number Generation (PRNG) in the IoT". In ACM Comput. Surv. vol. 54,
[20]
Schläpfer,T.,Rüst,A. 2019. "Security on IoT Devices with Secure Elements". In WEKA.
[21]
Beer,Daniel. 2014. "Curve25519 and Ed25519 for low-memory systems". In Online-ArXiV Preprint or similar. pp. 7--28.
[22]
Patnaik,N.,Hallett,J., and Rashid,A. 2019. "Usability Smells: An Analysis of Developers' Struggle With Crypto Libraries". In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). pp. 245--257.
[23]
Lachner,C.,Dustdar,S. 2019. "A Performance Evaluation of Data Protection Mechanisms for Resource Constrained IoT Devices". In International Conference on Fog Computing (ICFC '19). pp. 47--52.
[24]
Kumar,D. 2019. "All Things Considered: An Analysis of IoT Devices on Home Networks". In 28th USENIX Security Symposium (USENIX Security 19). pp. 1169--1185.
[25]
Arm Ltd,.,Mbed,O S. 2020. "https://www.mbed.com/". In Online-ArXiV Preprint or similar. pp. 7--17.
[26]
Linn,J. 2000. "Generic Security Service Application Program Interface Version 2, Update 1. RFC 2743, IETF". In Online-ArXiV Preprint or similar.
[27]
Arm Ltd,. 2021. "ARM Platform Security Architecture". In Online-ArXiV Preprint or similar. pp. 9--28.
[28]
Clulow,J. 2003. "On the Security of PKCS #11". In Cryptographic Hardware and Embedded Systems (CHES '03). pp. 411--425.
[29]
Pearson,B.,Luo,L.,Zhang,Y.,Dey,R.,Ling,Z.,Bassiouni,M., and Fu,X. 2019. "On Misconception of Hardware and Cost in IoT Security and Privacy". In 53rd International Conference on Communications (ICC '19). pp. 1--7.
[30]
ARM. 2020. "ARM Trusted Firmware", https://trustedfirmware-a.readthedocs.io/en/latest/".
[31]
Munoz,P S.,Tran,N.,Craig,B.,Dezfouli,B., and Liu,Y. 2018. "Analyzing the Resource Utilization of AES Encryption on IoT Devices". In AsiaPacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC'18). pp. 1200--1207.
[32]
Mades,J.,Ebelt,G.,Janjic,B.,Lauer,F.,Rheinländer,C C., and Wehn,N. 2020. "TLS-Level Security for Low Power Industrial IoT Network Infrastructures". In Design, Automation Test in Europe Conference Exhibition (DATE '20). pp. 1720--1721.
[33]
Openwsn.,Edhoc-C,. 2020. "https://github.com/openwsn-berkeley/EDHOC-C". In Online-ArXiV Preprint or similar. pp. 5--10.
[34]
Project,Zephyr.,Zephyr. 2020. "https://www.zephyrproject.org/". In Online-ArXiV Preprint or similar. pp. 7--17.
[35]
Bergzand,Koen. 2018. "https://github.com/bergzand/libcose". In Online-ArXiV Preprint or similar. pp. 5--10.
[36]
Green,M.,Smith,M. 2016. "Developers are Not the Enemy!: The Need for Usable Security APIs". In IEEE Security and Privacy. vol. 14,pp. 40--46.
[37]
Ukrop,M.,Matyas,V. 2018. "Why Johnny the Developer Can't Work with Public Key Certificates: An Experimental Study of OpenSSL Usability". In Topics in Cryptology -CT-RSA 2018: The Cryptographers' Track at the RSA Conference. pp. 45--64.
Index Terms
- Usable Security for an IoT OS: Integrating the Zoo of Embedded Crypto Components Below a Common API
Index terms have been assigned to the content through auto-classification.
Recommendations
Refining the Understanding of Usable Security
HCI for Cybersecurity, Privacy and TrustAbstractCybersecurity technologies and processes must be usable if users are to make effective use of protection. Many security practitioners accept the value of usable security, but few can precisely define it in practice and in terms of how it ...
Developing Usable Interface for Internet of Things (IoT) Security Analysis Software
Human Aspects of Information Security, Privacy and TrustAbstractIn this paper, we present a case study of designing and improving an interface for a web based security analysis software for the internet of things (IoT), called the IoTCube. The objective of the IoTCube is to provide an easy-to-use security ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
December 2022
273 pages
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 18 January 2023
Check for updates
Qualifiers
- Article
Conference
EWSN '22
Sponsor:
Acceptance Rates
EWSN '22 Paper Acceptance Rate 18 of 46 submissions, 39%;
Overall Acceptance Rate 81 of 195 submissions, 42%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 31 Dec 2024