1,720,995 research outputs found
Hack in an Elevator! Pentesting a Lift Control Web App
No full textImagine taking an elevator to go to the fourth floor, and suddenly you are stuck inside due to a cyber attack! This can happen since elevators have become Cyber-Physical Systems (CPS), which involve networked embedded computers, and therefore they are not anymore immune to hackers. In this research we assess the security of an elevator CPS designed and developed by an Italian company, which is deployed on several elevator installations in Italy. The objective is to evaluate if and to what extent the various cybersecurity risks are understood by CPS developers. In this paper we present the results of the first part of a complete penetration test, in which we focused on the elevator management web site only, which is the component most exposed to possible attacks due to its public and remote availability. From our experience we can conclude that the CPS developers have a good awareness of the most common cyber security threats, and they are aware of common defense techniques. Still, they miss to implement defenses against advanced client-side attacks, and they do not follow the best practices, which could lead to vulnerabilities in case some unfortunate conditions are met
Tiny keys hold big secrets: On efficiency of Pairing-Based Cryptography in IoT
No full textPairing-Based Cryptography (PBC) is a sub-field of elliptic curve cryptography that has been used to design ingenious security protocols including Short Signatures (SS), Identity-Based Encryption (IBE), and Attribute-Based Encryption (ABE). These protocols have extremely promising applications in diverse scenarios, including Internet of Things (IoT), which usually involves computing devices with limited processing, memory, and energy capabilities. Many studies in the literature evaluated the performance of PBC on typical IoT devices, giving promising results, and showing that a large class of constrained devices can run PBC schemes. However, in the last years, new advancements in Number Field Sieve algorithms threatened the security of PBC, so that all protocols must be re-parametrized with larger keys to maintain the same security level as before. Therefore, past literature reporting PBC performance on IoT devices must be redone because optimistic, and it is not clear whether present IoT devices will bear PBC. In this paper we evaluate the performance of some prominent PBC schemes on a very constrained device, namely the Zolertia RE-Mote platform, which is equipped with an ARM Cortex-M3 processor. From our experiments, the usage of IBE and SS schemes is still possible on IoT devices, but the security level is limited to 80 or 100 bits. Reaching greater security levels leads to higher execution times, which might not be compatible with many IoT applications. The usage of ABE is efficient only with IoT-oriented schemes, which offer good performance at the cost of a limited policy expressiveness
Post-Quantum Attribute-Based Encryption: Performance Evaluation and Improvement for Embedded Systems
No full textCiphertext-Policy Attribute-Based Encryption (CP-ABE) is an encryption paradigm that embeds access control func-tionalities within ciphertexts. It has shown to be useful for protecting privacy and intellectual property in embedded systems, especially when confidential data is temporarily stored on untrusted cloud or edge servers. However, current CP-ABE ciphers are generally based on pairing mathematics, which is broken if attacked by large-scale quantum computers. Thus, these ciphers will not be secure anymore in the future. In this paper, we focus on a RLWE-based CP-ABE cipher (namely the scheme proposed by Gür et al. in 2019 on IEEE Trans. on Computers), which is believed to be resistant to quantum attacks, so it is a candidate replacement of pairing-based ABE schemes in the future quantum world. Specifically, we measure its performance in terms of processing time and memory with reference to two embedded applications: smart home privacy and automotive FOTA intellectual property protection. We also propose a method to improve the encryption efficiency by dividing it into a slow offline phase and a fast online phase
A lightweight and scalable attribute-based encryption system for smart cities
Full text linkIn the near future, a technological revolution will involve our cities, where a variety of smart services based on the Internet of Things will be developed to facilitate the needs of the citizens. Sensing devices are already being deployed in urban environments, and they will generate huge amounts of data. Such data is typically outsourced to some cloud service in order to lower capital and operating expenses and guarantee high availability. However, cloud services may suffer from data breaches due to software and hardware vulnerabilities, or they may have incentives to release stored data to unauthorized entities. In this work we present ABE-Cities, an encryption system for urban sensing which solves the above problems while ensuring fine-grained access control on data by means of Attribute-Based Encryption (ABE). ABE-Cities senses data from the city and stores it on the cloud in an encrypted form. Then, it provides users with keys able to decrypt only data sensed from authorized paths or zones of the city. In ABE-Cities, sensors perform only lightweight symmetric-key encryption, thus we can employ constrained sensor devices such as battery powered motes. ABE-Cities allows us to plan an expiration date for each key, as well as to revoke a given key in an unplanned fashion. We prove that ABE-Cities scales well with the number of users and the number of streets by simulating it with 30 000 users on the Beijing street network, which consists of more than 30 000 streets. In addition to the “vanilla” ABE-Cities scheme, we propose an “advanced” one that leverages the presence of IoT gateways to reduce the computational load otherwise weighing on a single Trusted Third Party. We validate this by testing the advanced scheme on the simulated Houston and Beijing street networks
A Rational Mining Strategy for Proof-of-Work Consensus Algorithms
No full textTo maintain a secured, universal state of a blockchain, Proof-of-Work consensus algorithms economically incentivize miners to compete for block creation through hashing-based challenge solving. Nowadays, the default mining strategy consists in including as many transactions as possible in a block so as to maximize the block reward. Unfortunately, this strategy also maximizes the risk of block orphaning. In this work, we propose a rational mining strategy that carefully balances the trade-off between the block reward and the risk of block orphaning. The strategy is designed so that the chance to get a block reward is higher than the default strategy chance. Furthermore, the strategy is flexible as it provides a degree of freedom of how much larger this chance should be. We analytically study the long-term economic advantage of the proposed approach and derive the condition under which the long-term reward is higher than the one of the default strategy. Finally, we validate the proposed strategy based on a case study analysis method against Bitcoin and Ethereum and show that the higher the risk of block orphaning the more convenient the strategy happens to be
SegWit Extension and Improvement of the BlockSim Bitcoin Simulator
No full textFourteen years after its inception, the Bitcoin market capitalization exceeds 700 trillion. As Bitcoin blockchain continues gaining tremendous interest, it is vital evaluating Bitcoin protocol performance. In this context, the BlockSim simulation framework is among the current state-of-the-art tools. Despite that, the BlockSim model of the Bitcoin protocol shows two main limitations: i) at the consensus layer, the model does not account for Segregated Witness (SegWit) upgrade, which sensibly improves the Bitcoin throughput; and ii) at the network layer, the simulated block propagation process is oversimplified. Those limitations affect several blockchain performance metrics, like throughput, orphan block rate and mining reward per block. In this work we improve the existing BlockSim model of the Bitcoin protocol. Namely, we introduce SegWit support, and we update the simulated block propagation process. Block propagation delay is now estimated via linear regression on a per-simulated-block basis. We also extensively validate the proposed model within the light simulation technique of BlockSim. The results show that the model correctly simulates the current Bitcoin blockchain. As to the full simulation technique of BlockSim, it actually turns out to be so inefficient to be unpractical. We experimentally prove the performance limitations of the full technique, thereby confirming the original claims regarding its inefficiency. Yet, we provide suggestions to improve execution time and memory footprint, corroborated by profiling results
A Survey on Attribute-Based Encryption Schemes Suitable for the Internet of Things
Full text linkThe Internet of Things (IoT) is an information service paradigm based on the integration of smart objects, mobile devices, and computers via the Internet. IoT technologies are key enablers for a multitude of applications in diverse fields, such as digital health, smart city, industrial automation, and supply chain. This raises new security and privacy challenges that can be addressed by advanced cryptographic methods. One of the most prominent is Attribute-Based Encryption (ABE), which allows one to encrypt data while enforcing fine-grained access control on it. ABE is advantageous in many IoT applications since it allows data to be safely stored on untrusted storage, like third-party cloud servers, hackable publish-subscribe brokers, physically accessible sensors, etc. This paper surveys the ABE literature proposing schemes and solutions that are best suited for IoT applications. To do so, it first identifies three performance indicators that are key in IoT, namely the data producer CPU efficiency, the data producer bandwidth efficiency, and the key authority bandwidth efficiency. Then, it analyzes only those schemes that are promising from the point of view of one or more indicators and, therefore, more applicable in typical IoT applications. As a further contribution, this paper selects a subset of representative schemes and assesses their efficiency by thorough simulations. Such simulations show that no scheme excels in all three performance indicators at once, but some simultaneously perform well in two indicators
FABElous: An attribute-based scheme for industrial internet of things
Full text linkThe Internet of Things (IoT) is a technological vision in which constrained or embedded devices connect together through the Internet. This enables common objects to be empowered with communication and cooperation capabilities. Industry can take an enormous advantage of IoT, leading to the so-called Industrial IoT. In these systems, integrity, confidentiality, and access control over data are key requirements. An emerging approach to reach confidentiality and access control is Attribute-Based Encryption (ABE), which is a technique able to enforce cryptographically an access control over data. In this paper, we propose fABElous, an ABE scheme suitable for Industrial IoT applications which aims at minimizing the overhead of encryption on communication. fABElous ensures data integrity, confidentiality, and access control, while reducing the communication overhead of 35% with respect to using ABE techniques naively
Performance evaluation of Attribute-Based Encryption on constrained IoT devices
Full text linkThe Internet of Things (IoT) is enabling a new generation of innovative services based on the seamless integration of smart objects into information systems. This raises new security and privacy challenges that require novel cryptographic methods. Attribute-Based Encryption (ABE) is a type of public-key encryption that enforces a fine-grained access control on encrypted data based on flexible access policies. The feasibility of ABE adoption in fully-fledged computing systems, i.e., smartphones or embedded systems, has been demonstrated in recent works. In this paper, we consider IoT devices characterized by strong limitations in terms of computing, storage, and power. Specifically, we assess the performance of ABE in typical IoT constrained devices. We evaluate the performance of three representative ABE schemes configured considering the worst-case scenario on two popular IoT platforms, namely ESP32 and RE-Mote. Our results show that, if we assume to employ up to 10 attributes in ciphertexts and to leverage hardware cryptographic acceleration, then ABE can indeed be adopted on devices with very limited memory and computing power, while obtaining a satisfactory battery lifetime. In our experiments, as also performed in other works in the literature, we consider only the worst-case configuration, which, however, might not be completely representative of the real working conditions of sensors employing ABE. For this reason, we complete our evaluation by proposing a novel benchmark method that we used to complement the experiments by evaluating the average performance. We show that by always considering the worst case, the current literature significantly overestimates the processing time and the energy consumption
- …
