Secure gateway for Internet of Things with internal AAA mechanism

In this paper, we describe a secure gateway for Internet of Things (IoT) devices with an internal AAA mechanism, implemented to connect IoT sensors with Internet users. The gateway described in this paper (1) authenticates each connected device, (2) authorises each connection or reconfiguration performed by the device and (3) accounts for each action. The same applies to Internet users who want to connect to an IoT device, or download data from or upload data to it. A secure gateway with an internal AAA mechanism could be used in Smart City environments and in other IoT deployments where security is a critical concern. The mechanism presented in this paper is a new concept and has been practically validated in the Polish national research network PL-LAB2020.


Introduction
The ability to connect, communicate with and remotely manage different devices has led to the rapid development of Internet of Things (IoT) technology. There were fears that this development is happening too fast, without proper handling of security issues and of the regulatory changes that may be necessary. According to a survey conducted by Business Insider in the last quarter of 2014 [1], 39% of respondents believed that the privacy and security aspects of IoT are the biggest barrier to investing in and implementing the technology in their companies. Further concerns were doubts about the Return on Investment (ROI) (27%) and the lack of a real function in the corporation (16%). In particular, if the current speed of development and spread of the technology is maintained, cyber attacks may increasingly become a physical (not just virtual) threat. Joseph Steinberg's article [2] listed a number of devices that can now spy on people in their homes, including televisions, kitchen appliances, cameras, thermostats and baby monitors. Houses thus acquire "intelligence", which can be understood in two ways:
• as the ability to acquire and apply knowledge and skills,
• as the collection of information of military or political value.
Similarly, mechanisms in automobiles such as the brakes, the engine, driver-aid systems (for example ABS) and comfort systems (for example air conditioning) can more and more often be controlled remotely. There are documented cases where these systems were hacked and exploited remotely:
• the hijacking of Chrysler cars [3], in which researchers took complete control of the car and were able to activate the brakes remotely,
• the remote unlocking of BMW cars [4], in which attackers spoofed the BMW server communicating with the car (in order to obtain the stored keys), which among other things allowed them to unlock the car,
• the extraction of data from the vehicle's internal systems through a hacked USB dongle inserted into the radio [5]; the dongle was originally intended to monitor driving performance for insurance companies, but its lack of authentication and authorisation mechanisms opened the possibility of attacking the car's internal systems.
As part of the Horizon 2020 programme, the European Commission released a Work Programme for the years 2016-2017 ([6], Commission communication dated 13.10.2015). Among the key priorities, the programme specifies "A Connected Digital Single Market", noting that the Internet and digital technologies are changing the modern world. The activities that are to contribute to the development of innovative digital solutions include:
• the Internet of Things area (139 million euros), which will complement the technological developments of large-scale pilot projects carried out in areas of major social challenges,
• the Digital Security area (118 million euros), which will respond to the opportunities and risks associated with digitisation and computerisation.
Among already completed projects, one worth noting is SmartSantander [7]. It proposes a unique, world-scale experimental research facility for typical smart-city applications and services. The facility is large enough, open and flexible enough to allow federation with other experimental facilities and to stimulate the development of new algorithms and platforms by users of various types, covering advanced technology research, the Internet of Things and realistic user-acceptance assessment. It consists of more than 20,000 sensors deployed realistically across the city. Its heart is located in Santander, the capital of the Cantabria region on the northern coast of Spain. SmartSantander allows the future Internet of Things to become a reality [8].
In this paper, we describe a secure gateway for Internet of Things devices with an internal Authentication, Authorisation and Accounting (AAA) mechanism, implemented to connect the devices with the national research network PL-LAB2020 [9] (a large testbed and experimental network currently being built in Poland). The gateway described in this paper (1) authenticates each connected device, (2) authorises each connection or reconfiguration performed by the device and (3) accounts for each action. The same applies to Internet users who want to connect to an IoT device, or download data from or upload data to it.
This paper is organised as follows. In Section 2, we discuss related work. Section 3 presents an overview of the proposed system architecture; it additionally defines and explains the AAA mechanism and describes its components. In Section 4, we present the technical details of the proposed solution, including the secure connection of the IoT device to the Internet and the communication process between Internet users and the IoT device. In Section 5, a brief validation of the proposed solution is carried out, considering performance, security and energy consumption. Section 6 concludes the paper and presents our planned future work on the subject, including the deployment on PL-LAB2020 and testing of the solution in a wide area network topology.

Related work
Research topics that contribute to the development of IoT are pursued by many communities and approached from different perspectives. They usually share common or similar problems, which induces cooperation between these communities in order to solve them effectively. In this section, we highlight and discuss seven key research topics and how they relate to the two-way secure IoT communication described in this paper.

Architecture
Billions of things connected to the Internet need principles that describe their control, communication and applications. Researchers are trying to define and develop a good IoT architecture, e.g. [10], and to determine how devices will connect with and between platforms, e.g. [11]. Communication schemes and routing protocols are well studied in the literature, and there are many articles comparing different protocols and their efficiency, e.g. [12, ?]. In IoT, as in other architectures (e.g. [13]), security is an essential element. Thus, secure communication between the Internet (users, applications) and things (devices) is crucial for further development.

Robustness
IoT applications will be based on sensing, actuation and communication. A crucial aspect of proper deployment and usage is synchronisation, in other words solving the problem of deteriorating clock synchronisation, see [14]. Other interesting aspects are the required entropy [15] and run-time assurances by authorities certifying that the system is secure and working as expected [16].

Big Data
In IoT the amount of collected data will be enormous. There are techniques to collect [17], convert and send this data stream to the proper server application. One of the areas where these techniques will be applicable is medicine. Security and privacy maintenance should therefore be mission-critical when validating solutions before production deployment.

Scaling
There are estimates that IoT will consist of at least 50 billion objects by 2020 [18]. With the current pace of evolution, several questions must be answered. How will massive amounts of data be collected, transferred and stored? Will addressing protocols suffice? How can reliability be provided? These topics are discussed for example in [19] and [20]. Of course, the aspects of authenticating access, protection, authorisation and accounting cannot be neglected when considering scaling.

Open source
Currently, most sensor-based platforms are closed systems, without direct access to the code. Their security is sometimes assessed by a third party, only by means of black-box testing [16]. Given the rapid development of new platforms, it is better to focus on open platforms that allow devices from different vendors to cooperate easily. From the security perspective, an open platform allows better assessment by the community.

Security
As mentioned in the Introduction, the fundamental problems in IoT systems are security, privacy and dealing with security breaches [21], [22]. As noted in [21], dedicated solutions (such as the one presented in this paper) will be necessary for providing authentication, authorisation and accounting.

Human interaction
As human-device interaction is one of the crucial aspects of IoT, developing new mechanisms to track data received from humans (e.g. [23]) is another important research topic. Secure communication and the application of security policies to such interaction should be mission-critical for developers and architects.
There are numerous papers dealing with IoT gateways built on embedded devices such as the Raspberry Pi [24] or on standalone servers (as in the proposed solution) [25]. However, to the best of the authors' knowledge, no work has presented a secure AAA solution for Internet of Things devices. In particular, we are not aware of any paper presenting an AAA gateway that connects several IoT devices (for example built with Raspberry Pis) and provides two-way security (AAA for both Internet users and the devices). It is important to note that the objective of this work was to create a secure gateway, not secure nodes (devices), so the security mechanisms are implemented on the gateway and not on the nodes (although the nodes are also secured as much as possible).

System components
In the following section, we present the proposed system components. First, we describe the AAA mechanism: how authentication, authorisation and accounting work, how it can be deployed in a production environment and which architecture we used in our work. The second part lists the devices and software we used to build and validate our solution, with a short description and explanation of each component.

AAA mechanism
Authentication, Authorisation and Accounting (AAA) is a mechanism for (1) identifying the other end, (2) defining policies that control access to resources and (3) auditing and reporting on actions performed in the system. The combined processes are considered important for effective and safe network management. Securing network services according to the AAA mechanism provides a basic framework through which access control can be configured on an ingress device, in our case the IoT Gateway. The AAA components are described in the following subsections.

Authentication.
In the first process, authentication provides a method for identifying a user (or device), usually by entering the correct username/login and password before access is granted. The authentication process is based on the possession of unique credentials. The AAA server compares them with the user's credentials stored in its database (for passwords, this should be a salted hash rather than the password itself, so that a leaked database does not directly yield usable credentials). If they match, the user gets access to the network. Otherwise, authentication fails and network access is denied.

Authorisation.
After authentication, the user must obtain permission to perform certain tasks. The authenticated user sends the server a request for a certain action (in the case of this article, for example, downloading IoT device data). The authorisation process determines whether the user has permission to perform this action. In other words, authorisation enforces the security policy: it determines what kind of actions (e.g. which resources or services) the user may use. The granularity of authorisation depends on the application, but systems usually distinguish several kinds of access rights, such as:
• direct rights, e.g. "User ABC is allowed to download data gathered on device XYZ",
• group/role-based rights, e.g. "Users having the ABC role are allowed to download data gathered on device XYZ".

Accounting.
The final element of the AAA framework is accounting, which logs all user/device actions performed during access. This can be the amount of time spent on the system, the amount of data the user sent or received during a session, or even the actual actions the user performed during it. Accounting is carried out by recording session statistics and information, and is used for auditing authorisation decisions, billing, trend analysis, resource utilisation and capacity planning. Accounting keeps track of how network resources are used, e.g. "User ABC accessed device XYZ for 15 minutes and requested access to the following data: REQUEST-LIST."

Possible architectures.
There are three main ways to implement the AAA mechanism:

1. Local AAA database. The AAA service is contained on the gateway itself. This architecture is also known as local authentication and is the one used in the solution described in this paper.

2. Access Control Server. The AAA service running on the gateway connects to an external Access Control Server (ACS) where all authentication and authorisation data is stored.

3. Identity Service Engine. The AAA service connects to an Identity Service Engine (ISE) to define and enforce security policies.
The ACS and ISE architectures need additional, dedicated software and/or hardware. They also involve a more elaborate communication scheme; namely, there is no direct communication between client and server during the authentication/authorisation process. In this paper, we present the simplest mechanism, running on the same hardware as the IoT Gateway itself, which minimises the required hardware and topology.

Another aspect related to AAA is the distinction between two types of authentication:
• Character mode: the user who wants to establish a connection and authenticate sends a login/password when prompted by the gateway. In our solution this is used when authenticating a user connecting to the IoT device.
• Packet mode: the user sends the gateway a packet with the proper data and certificates to get access to the network. In our solution this is used when an IoT device registers and requests a connection to the Internet.

Solution components
The architecture for implementing and validating the proposed solution contains: a server acting as a proxy between IoT devices and Internet users, with the AAA mechanism; an IoT device sensing the environment and presenting data through a web interface; and a communication scheme based on the user-proxy-device path with the two-sided AAA mechanism.

Gateway with AAA mechanism.
As the gateway between Internet users and the IoT device, we use a server with an Intel Core i7-3610QM processor, the Kali Linux operating system, 32 GB of DDR3 1600 MHz memory, HDD storage, a 1 Gbps network card with an RJ45 Ethernet connector and a b/g/n wireless card. From the software perspective, the main part is the AAA mechanism. In the Linux environment, we install a Remote Authentication Dial In User Service (RADIUS) server and populate its local database with authentication, authorisation and accounting rules. A Public Key Infrastructure for secure communication with the IoT device has also been deployed on the gateway.

RADIUS is a remote authentication service for users who want to connect to the system (in the proposed solution, these are Internet users accessing the IoT device web interface). It is currently a very popular protocol for user authentication and authorisation, and is also used in wireless networks. In response to an attempt to log into the network, the network access server (the gateway) requests user information, including the user ID/login and password. After receiving the user's answer, the identifier along with the obfuscated password is sent to the RADIUS daemon. Note that RADIUS hides the User-Password attribute by XORing it with an MD5 keystream derived from the shared secret and the request authenticator; this is obfuscation rather than strong encryption, which is acceptable in the local architecture used here because the RADIUS client and server run on the same host and this leg never crosses the network. After checking the user data against the contents of the local database, the RADIUS server answers with one of the following messages:
• ACCEPT: authentication succeeded,
• REJECT: the user is not properly authenticated, and access to the network/IoT device resources is denied,
• CHALLENGE: a prompt to enter additional credentials.
After the first phase succeeds, the RADIUS server checks in its database which services are available to the user (which requests to the web interface are permitted). In the authorisation phase, the RADIUS server also checks whether the user's actions on the network are subject to restrictions resulting from the deployed access lists. The last phase, accounting, logs the relevant data/requests/actions until the connection between user and device is terminated.

IoT Device.
As the IoT device, we used the Raspberry Pi 2 Model B, the second-generation Raspberry Pi (replacing the Raspberry Pi 1 Model B+). This model features a more powerful quad-core ARM Cortex-A7 processor at 900 MHz and more memory (1 GB of RAM). Its peripherals include four USB ports, a 40-pin GPIO header, a microSD card slot, an Ethernet port and four mounting holes. We retrofitted the device with a USB WiFi adapter (to connect to the IoT Gateway) and a Raspberry Pi Camera Board module (acting as the sensor) that collects the data accessed by Internet users through the web interface.

Communication scheme.
In our solution, we chose the proxied approach over direct access, as shown in Figure 1.
From the IoT device's perspective, when connecting to the Internet through the gateway, it uses the registration and authentication scheme described in the following subsections. After a successful connection, it sets up a classic Web or WebService interface (secured with HTTPS) where users can download data obtained by the installed sensors and/or reconfigure the device remotely.
When an Internet user needs to access the IoT device, they send a direct request, which is intercepted by the gateway. The gateway holds the request until the AAA mechanism has authenticated the user and granted the proper access level to the device. After a successful check against the RADIUS server, the request is forwarded through a secure channel to the IoT device. The specifics are described in the following subsections.

through a simple HTTP server. The idea presented in this paper is to introduce a Gateway device that provides the AAA. The Gateway works like an HTTP proxy server, forwarding HTTP requests to the IoT Devices and bringing the responses back to the client. The flow of information is depicted in Fig. 2.
The Gateway needs to secure both communication channels: the client side and the IoT side. These security mechanisms are described in the following subsections.

Users accessing IoT device
The user initiates the process by sending an HTTP (HTTPS) request directly to the IoT device. The request is intercepted by the proxy gateway and the authentication process starts: the gateway prompts for a username and password, and the user replies. On the gateway, the RADIUS client sends the username and the obfuscated password to the RADIUS server, which responds with Accept, Reject or Challenge. The RADIUS client acts upon the services and service parameters bundled with the Accept or Reject. The gateway passes the additional access-list entries down to the network interface configuration to let the user through after authentication. The request is then forwarded to the IoT device, and the rest of the communication proceeds until the TCP session between the user and the IoT device is terminated or times out. All actions are accounted for on the gateway, with requests and their corresponding timestamps. The complete process is shown in Figure 3.
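The RADIUS leg of this flow, and the ACCEPT/REJECT/CHALLENGE and accounting phases described in the "Gateway with AAA mechanism" subsection, can be seen end to end in the following example. It is an added illustration, not code from the paper or from the RADIUS server the authors deployed: the gateway's RADIUS client and a local RADIUS server are both implemented in one Python process on top of the RFC 2865/2866 wire format, with the shared secret, the user database, the access-list names returned as Filter-Id and the session identifier all constructed for the example.

```python
"""RADIUS exchange between the gateway's RADIUS client and a local RADIUS server
(RFC 2865 authentication/authorisation, RFC 2866 accounting), both in one process.
Added illustration: the shared secret, user database, access-list names and session
ids below are constructed for this example and are not the paper's configuration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11          # attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START, ACCT_STOP = 40, 44, 1, 2

SECRET = b"constructed-shared-secret"   # assumption: secret shared by NAS and server
ACCOUNTING_LOG = []                     # server side: (user, session id, status type)


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed local database: user -> (salt, PBKDF2 hash, access lists returned as
# Filter-Id). PAP delivers the plaintext to the server, so only a hash needs storing.
_SALT = b"constructed-salt"
USER_DB = {b"alice": (_SALT, _pw_hash(b"correct horse", _SALT), [b"allow-rpi-cam-01"])}


def _attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def pack(code, ident, auth, attrs):
    body = _attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body, attrs, i = pkt[20:length], [], 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): the Response Authenticator of
    RFC 2865; with 16 zero bytes as req_auth it is also the Accounting-Request authenticator."""
    body = _attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# ---- gateway side: the RADIUS client (network access server) ----
def client_access_request(user, password, ident=1):
    req_auth = os.urandom(16)            # fresh Request Authenticator for every request
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, SECRET, req_auth))]
    return pack(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def client_accounting_request(user, session_id, status, ident=2):
    attrs = [(USER_NAME, user), (ACCT_SESSION_ID, session_id),
             (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    req_auth = authenticator(ACCT_REQUEST, ident, bytes(16), attrs, SECRET)
    return pack(ACCT_REQUEST, ident, req_auth, attrs), req_auth

def client_check_reply(reply, req_auth):
    """Reject replies not produced with the shared secret (spoofed or tampered)."""
    code, ident, auth, attrs = unpack(reply)
    if not hmac.compare_digest(auth, authenticator(code, ident, req_auth, attrs, SECRET)):
        raise ValueError("bad Response Authenticator")
    return code, attrs


# ---- RADIUS server side (local database on the same host as the gateway) ----
def server_handle(pkt):
    code, ident, req_auth, attrs = unpack(pkt)
    a = dict(attrs)
    if code == ACCESS_REQUEST:
        rec, ok = USER_DB.get(a.get(USER_NAME)), False
        if rec is not None and USER_PASSWORD in a:
            pw = reveal_password(a[USER_PASSWORD], SECRET, req_auth)
            ok = hmac.compare_digest(rec[1], _pw_hash(pw, rec[0]))   # authentication
        out_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        out_attrs = [(FILTER_ID, f) for f in rec[2]] if ok else []   # authorisation
    elif code == ACCT_REQUEST:
        if not hmac.compare_digest(req_auth, authenticator(code, ident, bytes(16), attrs, SECRET)):
            return None                  # RFC 2866: silently discard unauthenticated records
        ACCOUNTING_LOG.append((a[USER_NAME], a[ACCT_SESSION_ID],
                               struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]))  # accounting
        out_code, out_attrs = ACCT_RESPONSE, []
    else:
        return None
    return pack(out_code, ident, authenticator(out_code, ident, req_auth, out_attrs, SECRET), out_attrs)
```

The three AAA phases map onto the code directly: the PBKDF2 comparison in `server_handle` is authentication, the Filter-Id attributes returned in the Access-Accept are the authorisation result the gateway turns into access-list entries, and the Accounting-Request/Response pair writes the session record. Two checks matter in practice and are easy to forget: the client must verify the Response Authenticator (otherwise anything on the path can forge an Accept), and the server must verify the Accounting-Request authenticator before trusting a record. The MD5-based password hiding is the reason the client-to-server leg should stay on a trusted host, as it does in the local architecture chosen in this paper.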

Secure IoT Device Communication
The internal IoT device network may in some applications be considered secure. Quite often, however, this is not the case, especially when IoT networks become very large and the devices are distributed across a large area (e.g. a Smart City). Sometimes the configuration may require using an untrusted network or even the public Internet instead of a dedicated internal one. In such cases, it is necessary to additionally secure the communication between the Gateway and the IoT Devices.
The proposed solution provides two-way authentication, authorisation and communication encryption using the existing SSL/TLS client authentication mechanism [26]. To do this properly, it is necessary to create a Public Key Infrastructure (PKI) [27] and generate certificates for all the IoT Devices as well as for the Gateway.
The Certificate Authority (CA) is the main component responsible for issuing all certificates used in the system. By design it is stored on the Gateway and initially contains only the self-signed root certificate and its private key. Using this key, the CA signs the certificates of the Gateway and of all IoT Devices. This architecture:
1. allows the Gateway to authenticate all IoT Devices,
2. allows the IoT Devices to authenticate the Gateway,
3. prevents eavesdropping on communication between the Gateway and the IoT Devices.
Note that the CA private key then shares a host with the Internet-facing proxy; an attacker who compromises the gateway could issue certificates for rogue devices, so the key is only needed during registration and should be kept in a separate, restricted account or off-line between registrations. Before the Gateway can provide device data to users, it needs to register all the IoT Devices. This is a preliminary phase and is done only once per device. After registration, the Gateway is ready to forward client requests to the devices.

Registration
Every device, before being published through the Gateway, needs to be approved by an administrator and registered by having its Certificate Signing Request (CSR) signed. The process is initiated from the IoT device. The whole registration process is presented in Fig. 4.

Further, the Gateway (the SSL/TLS client in this case) sends the request using HTTP over an encrypted SSL/TLS channel (step 3 in Fig. 5). The IoT Device then verifies that the SSL/TLS client certificate matches the Gateway certificate (step 4). If the requester is indeed the Gateway, the IoT Device responds with the data. Finally, the Gateway proxy re-sends the response to the user (step 5).
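The PKI described above and the CSR-based registration of Fig. 4 can be reproduced with plain openssl commands. The script below is an added example and not the authors' deployment scripts: the common names (IoT Gateway CA, iot-gateway, rpi-cam-01), RSA-2048 keys and one-year validity are assumptions, and the "rogue" CA is constructed only to show what the chain check rejects. Step 3 is what runs on the device (its private key never leaves it), step 4 is the administrator's approval on the Gateway, and `verify_cert` is the chain check each side performs on its peer's certificate during the TLS handshake; `cert_cn` is the identity check the device still needs on top of the chain check, because the Gateway and every device chain to the same CA.

```sh
#!/bin/sh
# Added example, not the paper's scripts: Gateway-hosted CA plus device registration
# (Fig. 4) with openssl. Names, key sizes and validity periods are assumptions.
set -eu

# Builds the whole PKI in a fresh temporary directory and prints its path.
pki_setup() {
    d=$(mktemp -d)
    # 1. Root CA on the Gateway: self-signed certificate and private key (stays on the Gateway)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=IoT Gateway CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 2. The Gateway's own certificate, signed by the CA; presented as TLS client cert to devices
    openssl req -newkey rsa:2048 -nodes -subj "/CN=iot-gateway" \
        -keyout "$d/gateway.key" -out "$d/gateway.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/gateway.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/gateway.crt" 2>/dev/null
    # 3. Device side: key pair and CSR generated on the device; only the CSR goes to the Gateway
    openssl req -newkey rsa:2048 -nodes -subj "/CN=rpi-cam-01" \
        -keyout "$d/rpi01.key" -out "$d/rpi01.csr" 2>/dev/null
    # 4. Administrator approves: the CA signs the CSR; rpi01.crt and ca.crt go back to the device
    openssl x509 -req -days 365 -in "$d/rpi01.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/rpi01.crt" 2>/dev/null
    # 5. Constructed attacker: a different CA issuing a certificate with the same CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Rogue CA" \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=rpi-cam-01" \
        -keyout "$d/evil.key" -out "$d/evil.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/evil.csr" -CA "$d/rogue.crt" -CAkey "$d/rogue.key" \
        -CAcreateserial -out "$d/evil.crt" 2>/dev/null
    echo "$d"
}

# verify_cert CAFILE CERT: the chain check each peer performs in the TLS handshake.
# Exit status 0 when CERT chains to CAFILE, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: prints the subject CN, the identity a peer must still compare after
# the chain check (the Gateway and all devices are issued by the same CA).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

On the device, the HTTPS server is then configured to require the Gateway's client certificate (for example nginx with `ssl_client_certificate ca.crt;` and `ssl_verify_client on;`, given here as an illustration rather than the authors' configuration) and to compare the presented certificate's identity against the Gateway's, which is step 4 of Fig. 5.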

Solution validation
After successful implementation, the authors performed several tests to validate the proposed solution in three categories:
• Security: the top ten vulnerabilities committed by developers and architects were listed, and it was checked whether the proposed solution mitigates them.
• Performance: latency was measured and compared in a few scenarios, using a standard mechanism (without security), HTTPS without authentication, authorisation and accounting, and both-sided HTTPS with the AAA proxy.
• Energy consumption: the energy consumption of the IoT device was measured with and without the security functions presented in this paper.

Security
The OWASP Internet of Things (IoT) Top 10 [28] is a project designed to help manufacturers, developers and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies. The project defines the ten most significant vulnerability areas in the IoT world and provides information on the attack vectors, vulnerabilities, impacts and recommendations associated with each. The list of vulnerabilities, with the mitigation provided by the IoT gateway with internal AAA mechanism, is presented in Table 1.

Performance
The authors compared the latency of requests to the IoT device in three variants: a standard mechanism (without security), HTTPS without authentication, authorisation and accounting, and both-sided HTTPS with the AAA proxy. In addition, several response sizes were examined; the results are presented in Figure 6 and Table 2. For standard IoT web-interface requests (500 kB) the results were 201.7 (+/-4.4) ms, 211.8 (+/-5) ms and 222.6 (+/-5.1) ms for HTTP, HTTPS and HTTPS with client-side authentication respectively. In the second test, latency grows with response size. However, when requesting bigger files (e.g. images), the percentage overhead of HTTPS and of HTTPS with client authentication over plain HTTP drops from 11% and 22% for a 233 kB response to 1% and 3% for a 2 MB response, since the fixed handshake cost is amortised over a larger transfer.

Energy consumption
In the last test, the authors compared the energy consumption of the IoT device when no cryptography is involved (sensing and hosting the web interface), with the cryptography module enabled (hosting the web interface over HTTPS) and with the implemented secure solution. The results are presented in Figure 7: 5.18 mW, 5.2 mW and 5.21 mW for HTTP, HTTPS and HTTPS with client-side authentication respectively. Expressed as percentage differences, HTTPS consumes only 0.3% more power and the proposed fully secured environment 0.5% more than the insecure architecture.

Figure 1. IoT device deployment options.

Figure 2. Flow of information.

Figure 3. Users accessing the IoT device through the gateway with internal AAA mechanism.

Figure 4. IoT Device registration process.

Figure 5. Standard communication process between Gateway and IoT Device.

Figure 6. Latency comparison between HTTP, HTTPS and HTTPS with client authentication.

Figure 7. Energy consumption at different security levels.

Table 2. Latency comparison for several response sizes.

generators and analysers. Also, we want to deploy the IoT Gateway in each of the geographically dispersed PL-LAB2020 nodes.