Sensors  2013 

PANATIKI: A Network Access Control Implementation Based on PANA for IoT Devices

DOI: 10.3390/s131114888

Keywords: IoT, network access control, PANA, EAP, AAA, light-weight


Abstract:

Internet of Things (IoT) networks are the pillar of recent novel scenarios, such as smart cities or e-healthcare applications. Among other challenges, these networks cover the deployment and interaction of small devices with constrained capabilities and Internet Protocol (IP)-based networking connectivity. These constrained devices usually require connection to the Internet to exchange information (e.g., management or sensing data) or access network services. However, only authenticated and authorized devices can, in general, establish this connection. The so-called authentication, authorization and accounting (AAA) services are in charge of performing these tasks on the Internet. Thus, it is necessary to deploy protocols that allow constrained devices to verify their credentials against AAA infrastructures. The Protocol for Carrying Authentication for Network Access (PANA) has been standardized by the Internet Engineering Task Force (IETF) to carry the Extensible Authentication Protocol (EAP), which provides flexible authentication in the presence of AAA. To the best of our knowledge, this paper is the first deep study of the feasibility of EAP/PANA for network access control in constrained devices. We provide light-weight versions and implementations of these protocols to fit them into constrained devices. These versions have been designed to reduce the impact on standard specifications. The goal of this work is two-fold: (1) to demonstrate the feasibility of EAP/PANA in IoT devices; (2) to provide the scientific community with the first light-weight interoperable implementation of EAP/PANA for constrained devices in the Contiki operating system (Contiki OS), called PANATIKI. The paper also shows a testbed, simulations and experimental results obtained from real and simulated constrained devices.

