Title: Authenticating wireless nodes in building automation : challenges and approaches
Authors : Rüst, Andreas
et. al : No
Conference details: 4th Annual IoT Security Foundation Conference 2018, London, 4th December 2018
Issue Date: 4-Dec-2018
License (according to publishing contract) : Licence according to publishing contract
Type of review: Peer review (Abstract)
Language : English
Subjects : IoT Security; Authentication; Bootstrapping
Subject (DDC) : 004: Computer science
Abstract: Recent technologies and standards allow connecting constrained wireless nodes to the Internet by natively using the prevailing Internet Protocol (IP). Such standards include the protocol stack as defined by the Thread Group, based on CoAP, UDP, IPv6, 6LoWPAN and IEEE 802.15.4. As a result, the sensor and actuator networks on the field level will coalesced with the existing IT networks. Specifically, replacing gateways with routers significantly simplifies a building automation system and enables new applications. Employing IP communication, a central automation station can directly and uniformly access sensor and actuator services on field nodes. Consequently, to become a full-fledged member of an IT domain, a constrained node on the field level has to fulfill specific security requirements. However, implementing such requirements is especially challenging on constrained low power and low-cost nodes. Such nodes typically have decidedly lower resources with regard to compute performance, memory and network connectivity. Nevertheless, such nodes require a mutual authentication during the provisioning into an individual IT domain. Specifically, several trust relationships need to be established. Before granting access to the node, the IT domain administrator requires proof that the node is not compromised, e.g. by loading malicious firmware. This proof includes not only the proof that the trusted supplier has manufactured the node but also a complete and unforgeable list of previous installations and owners. As building automation systems typically are an integral part of a building, they represent capital assets and change ownership during their lifetime. On the other hand, before legitimately joining a new domain, the individual node needs to know: Is the deployment into this specific building legit? The scale of building automation systems in large buildings with hundreds of nodes mandates a highly automated authentication process. A simple provisioning of the nodes is essential. The paper presents results from a two-year long, federally funded (Innosuisse) project. As a proof-of-concept, the project implements a demonstrator based on the emerging recommendations of the Fairhair Alliance. Low power nodes in a Thread network shall be provided with a secure bootstrapping process to be easily provisioned into an existing IT domain. The use of smartphones supports and simplifies this provisioning process. The public-key-based mutual authentication takes place between the low power nodes on one side and a certificate authority (CA) operated by the node manufacturer and a CA operated by the building operator on the other side. As a result, the node receives an operational certificate and can legitimately join the IT domain. The paper illustrates the challenges encountered and proposes appropriate approaches.
Further description : For the paper, please follow this link: https://doi.org/10.21256/zhaw-2750
Departement: School of Engineering
Organisational Unit: Institute of Embedded Systems (InES)
Publication type: Conference Other
URI: https://youtu.be/34OEDYTkdGI
https://digitalcollection.zhaw.ch/handle/11475/17784
Appears in Collections:Publikationen School of Engineering

Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.