Session Key Agreement Protocol for IoT Home Devices using Shadow Passwords

  • Jung, Seok Won (Department of Information Security Engineering, Mokpo National University)
  • Received : 2020.03.12
  • Accepted : 2020.05.12
  • Published : 2020.06.30

Abstract

Although the growing number of home devices with wired and wireless connectivity has led to a variety of home services, unauthorized remote access is causing privacy infringement and leakage of personal information. This is mostly due to the absence of device authentication and of protection for transmitted data. In this paper, a smartphone stores the devices' secret values in secure memory and performs device authentication. To prevent direct leakage of a device's password, the device stores a shadow password, which is the password multiplied by the device's private key. The paper also proposes mutual authentication between the smartphone and a device using Lamport's one-time password scheme, and session key agreement between devices in which the passwords are recovered and used with the SRP protocol. The proposed protocol is resistant to eavesdropping, replay, and impersonation attacks.
