以ECQV內蘊公鑰憑證為依據供資源有限的物聯網器件使用的DTLS省便認證方案

Abstract

資源有限的物聯網器件的IoT應用程式常常有隱私敏感資料。這個特點使得IoT應用程式需要強且延展性高的安全機制。在資源受限的物聯網器件能力範圍之下，最好能擁有公鑰加密的運算能力。因此，這裡要介紹針對資源受限器件做低成本的公鑰加密方案。這個解決方案是基於橢圓曲線加密法以及數據包傳輸層安全協定。此橢圓加密法運用橢圓Qu-Vanstone蘊藏憑證幫助IoT應用程式以低成本的運算能力與低頻寬做公鑰加密，另外藉由標準的數據包傳輸層安全協定可以更廣泛的應用此方法。這個解決方法是由兩階段組合而成的安全協定。第一層是註冊階段，此層一個受限器件的節點需要執行註冊程序認證並從IoT系統的憑證管理中心取得橢圓Qu-Vanstone蘊藏的憑證。然後將所得的橢圓Qu-Vanstone蘊藏憑證拿去第二階段進行認證及密鑰交換。第二階段被稱為密鑰建立階段。為證明此解決方案的可行性，協定的實作必須基於遷入式傳輸層安全協定的函式庫–wolfSSL還有評估實作結果的執行時間來驗證此解決方案的效率。

IoT applications often work with sensitive data and are made up of a large number of constrained devices. These characters require that IoT applications must have a robust and scalable security solution. In this case, public-key cryptography can be the best choice if the cost of computation is acceptable for the constrained devices. For that reason, this work will introduce a low-cost public-key cryptography solution for the constrained devices. The solution is developed base on elliptic curve cryptography and Datagram Transport Layer Security (DTLS) protocol. The elliptic curve cryptography, combined with Elliptic Curve Qu-Vanstone (ECQV) implicit certificate, will offer a public-key cryptography solution with low-cost of computation and bandwidth for IoT applications, and by using the standard protocol DTLS, the solution can be accepted widely. The solution is a security protocol consisting of two phases. The first phase is registration phase in which a constrained node need to execute enrolment procedure to authenticate and get an ECQV implicit certificate from the certificate authority of the IoT system. The obtained ECQV implicit certificate is then used for performing authentication and key exchange scheme in the second phase, this phase is called secure key establishment phase. To prove the feasibility of the solution, an implementation of the protocol has been done based on an embedded SSL library – wolfSSL, and an evaluation of execution time of the implementation is also conducted to assess the efficiency of the solution.