IoT and Blockchains - enhancing security and privacy
1 like636 views
The document discusses enhancing IoT security and privacy using distributed ledger technologies (DLT), highlighting the challenges of insecure IoT devices and proposing a new model called Pythia for reliable interaction between IoT devices and DLTs without requiring direct consensus participation. It emphasizes the need for better identity models, shared governance, and economic incentives for manufacturers to strengthen IoT security. The paper also outlines various consensus algorithms and the potential benefits of integrating DLTs in improving trust and privacy in the IoT ecosystem.
![Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham
Enhancing IoT Security and
Privacy with Distributed Ledgers
Paul Fremantle[1], Benjamin Aziz[1], Tom Kirkham[2]
[1]School of Computing, University of Portsmouth
{paul.fremantle, benjamin.aziz}@port.ac.uk,
[2] Science and Technology Facilities Council
tom.kirkham@stfc.ac.uk](https://image.slidesharecdn.com/iotbds-pzf-iot-blockchain-2017-170425091346/85/IoT-and-Blockchains-enhancing-security-and-privacy-1-320.jpg)
IoT and Blockchains - enhancing security and privacy
- 1. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Enhancing IoT Security and Privacy with Distributed Ledgers Paul Fremantle[1], Benjamin Aziz[1], Tom Kirkham[2] [1]School of Computing, University of Portsmouth {paul.fremantle, benjamin.aziz}@port.ac.uk, [2] Science and Technology Facilities Council [email protected]
- 2. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham One Minute Overview Problem: The Internet of Things is insecure Mirai 620+Gbps attack Devices are tied to vendors, No heterogeneous interop, No shared governance New Transaction Le d g er Le d g er Le d g er Le d g er Le d g er Entered into Block Consensus Ledgers are updated Next Block Distributed Ledgers provide shared governance Typical IoT devices are too small to run consensus algorithms Intel SGX enclave! ! ! ! ! ! ! ! Blockchain! processor! Pythia API! OpenSourcecode IoT! Devic e! Attestation Interaction withBlockchain We propose a new model called Pythia that enables IoT devices to trust Dist Ledgers
- 3. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Challenges for IoT Security and Privacy • October 2016 Mirai Botnet – 100,000 devices compromised – 620Gbps DDOS attack – In reality there are millions of compromisable devices (Checkpoint study 2014) – Mirai was based on a dictionary attack and weak passwords • Also attacks on cars, houses, medical devices, etc – A survey of secure middleware for the Internet of Things, Fremantle and Scott, PeerJ, accepted for publication
- 4. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham IoT security and privacy • Updates are difficult and there is no economic incentive for manufacturers • Lack of clear ownership and registration models • Poor identity models • Leakage of data and metadata • Use of IoT devices as attack vectors
- 5. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham The real challenge IoT is not heterogeneous, hence no choices for users Low economic and evolutionary pressures Chrome Firefox Safari Internet Explorer Dropbox Google Drive FTP, NAS, etc HTTP, TLS HTTP/2 UDP, DTLS, FTPS, XMPP, etc Fitbit Server Fitbit
- 6. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Distributed Ledger Technologies N1 N2 Nn New Transaction Ledger Ledger Ledger Ledger Ledger Entered into Block Consensus Ledgers are updated Next Block Ledger uses a Merkle Tree to ensure that each record guarantees all previous records to create an immutable chain
- 7. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Consensus algorithms • Bitcoin: Proof of Work – Miners perform hashing, competing to be the first to finalise the block, with a reward – The longest chain becomes the master – No requirement to know or trust the other participants – Expensive, low transaction rate, slow to come to consensus – Proven to be resilient at global scale
- 8. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Alternative consensus models • Arbitrary participants – Proof of storage • Calculations based on stored data – Proof of stake • Based on ownership of existing coins • Known participants – Byzantine Failure Tolerant algorithms – E.g. Paxos
- 9. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham What can DLT do for IoT • Three main concepts – Distributed Ledger • A single, agreed source of truth – Cryptocurrency • Economic models to create value for security and privacy – Smart Contracts • Flexible transaction models that allow new transactions to be scripted • An environment where there can be trust, privacy and effective contracts between parties without reliance on a single vendor.
- 10. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham User Sphere: Fully in control of user e.g. Laptop Joint Sphere: Appears to be in user control e.g. GMail Three Tier Privacy Model Spierkermann and Cranor Spiekermann, Sarah, and Lorrie Faith Cranor. "Engineering privacy." IEEE Transactions on software engineering 35.1 (2009): 67-82. Recipient Sphere: Fully in control of Data recipient
- 11. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Approaches / Use cases Identity Ownership Registration Updates Consent Contracts Consent Logs Data Revocation Contracts Policies Policy enforcement contracts
- 12. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham User Sphere: Device Identity Device Ownership and Registration Device Updates Joint Sphere: Consent Management Policies Recipient Sphere: Consent Tracking Policy Enforcement Data Revocation Three tier privacy model for IoT
- 13. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Typical IoT footprints ESP8266 – 32bit controller, 1Mb program, 80k RAM ~ $2 each
- 14. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Uh oh • How does an IoT system participate and trust in a DLT? – Full participation is expensive • Bitcoin database >80Gb • 512MB of RAM, 1Ghz CPU minimum – Simple Payment Verification (SPV) smaller but still beyond IoT devices – Fundamentally, consensus algorithms are beyond the CPU, network, power and memory of IoT
- 15. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Oracles • In blockchains, an Oracle is a system that truthfully informs the blockchain about events outside the ledger Zhang, F., Cecchetti, E., Croman, K., Juels, A., and Shi, E. (2016). Town crier: An authenticated data feed for smart contracts. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 270–282. ACM.
- 16. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Pythia Lycurgus Consulting the Pythia (1835/1845), Delacroix
- 17. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham New concept - Pythia • We define a Pythia as the “inverse” of an Oracle • Informs the outside world truthfully about the distributed ledger – In our case, the IoT device needs to be able to interact with the ledger: • Without participating in consensus directly • With trust
- 18. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Intel SGX extensions • Provide a secure enclave – Compare with Sandbox • The code within the enclave is protected from the rest of the system • Remote attestation can guarantee the codebase running is a known codebase
- 19. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Pythia • A proposed model to allow IoT devices to trust DLTs • An attested proxy for the ledger • The Pythia truthfully informs the world (IoT) about the ledger – Without the IoT needing to participate in consensus Intel SGX enclave! ! ! ! ! ! ! ! Blockchain! processor! Pythia API! OpenSourcecode IoT! Device! Attestation Interaction withBlockchain
- 20. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham OAuthing • Previous work on IoT privacy and security: – Secure device registration – Pseudonymous Data Sharing – Personal IoT middleware – But without DLT (so far) • OAuthing + DLT + Pythia: – Shared governance and an approach based on smart contracts Fremantle, P. and Aziz, B. (2016): OAuthing: privacy-enhancing federation for the Internet of Things, 2nd International Conference on the Cloudification of the Internet of Things
- 21. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Related Work • Tindall, K. (2015) – Bitcoin payments for IoT updates • Christidis and Devetsikiotis (2016) – Discuss IoT and Blockchains, but not specifically privacy and security • Proof of Luck – Milutinovic et al. (2016) provide an alternative consensus model based on SGX enclaves • Frey et al (2016) – Have demonstrated trust in Bitcoin on a mobile phone
- 22. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Conclusions and further work • Position paper: still plenty of work to do • This is a serious issue: – How does the IoT trust the Blockchain without significant overhead? • Pythia is one potential approach • Need to validate: – Blockchain running within SGX (128Mb limitation) – Remote attestation costs on IoT devices – SGX challenges
- 23. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Contributions • A model for reasoning about how blockchains can improve privacy and security in IoT • A set of approaches for improving security and privacy of IoT with blockchains • A proposed architecture (Pythia) for creating distributed trust in a blockchain on low- power devices.
- 24. Enhancing IoT Privacy and Security with Distributed Ledgers, Fremantle, Aziz, Kirkham Thank you & Questions