The expanding attack surface of Internet of Things (IoT) systems calls for innovative security approaches to verify the reliability of IoT devices. To this end, Remote Attestation (RA) serves as a key mechanism that remotely detects the presence of malware in IoT devices. Typically, RA allows a centralized trusted Verifier to retrieve reliable evidence about the software integrity of an untrusted Prover. Existing RA schemes generally rely on the assumption that the Verifier and the Prover know each other and have pre-shared cryptographic keys during the bootstrap phase. However, these assumptions are not realistic to employ over commonly used event-driven IoT networks, in which the interacting parties do not know each other and do not communicate directly. This paper proposes PROVE, a novel protocol that allows many Verifiers to attest one or more Provers without pre-shared key material and without using public-key cryptography which is often not suitable for resource-constraint IoT devices. In particular, PROVE considers a realistic IoT system where devices adopt the publish/subscribe communication paradigm. In PROVE, the subscribers act as untrusted Verifiers and attest not only the firmware integrity of the publishers that act as untrusted Provers but also the authenticity of the received data originated from these publishers. We simulate PROVE on the Contiki emulator and demonstrate the scalability of the solution. We also validate PROVE through two hardware proof-of-concept implementations: PROVE and PROVE+, which rely on different cryptographic cores. The results show that a complete execution of the protocol takes 4605 ns and 324 ns for PROVE and PROVE+, respectively.
Dushku, E, Rabbani, MM, Vliegen, J, Braeken, A & Mentens, N 2023, 'PROVE: Provable remote attestation for public verifiability', Journal of Information Security and Applications, vol. 75, 103448. https://doi.org/10.1016/j.jisa.2023.103448, https://doi.org/10.1016/j.jisa.2023.103448
Dushku, E., Rabbani, M. M., Vliegen, J., Braeken, A., & Mentens, N. (2023). PROVE: Provable remote attestation for public verifiability. Journal of Information Security and Applications, 75, Article 103448. https://doi.org/10.1016/j.jisa.2023.103448, https://doi.org/10.1016/j.jisa.2023.103448
@article{54c6e8cd9a61431a9328c66b003f2290,
title = "PROVE: Provable remote attestation for public verifiability",
abstract = "The expanding attack surface of Internet of Things (IoT) systems calls for innovative security approaches to verify the reliability of IoT devices. To this end, Remote Attestation (RA) serves as a key mechanism that remotely detects the presence of malware in IoT devices. Typically, RA allows a centralized trusted Verifier to retrieve reliable evidence about the software integrity of an untrusted Prover. Existing RA schemes generally rely on the assumption that the Verifier and the Prover know each other and have pre-shared cryptographic keys during the bootstrap phase. However, these assumptions are not realistic to employ over commonly used event-driven IoT networks, in which the interacting parties do not know each other and do not communicate directly. This paper proposes PROVE, a novel protocol that allows many Verifiers to attest one or more Provers without pre-shared key material and without using public-key cryptography which is often not suitable for resource-constraint IoT devices. In particular, PROVE considers a realistic IoT system where devices adopt the publish/subscribe communication paradigm. In PROVE, the subscribers act as untrusted Verifiers and attest not only the firmware integrity of the publishers that act as untrusted Provers but also the authenticity of the received data originated from these publishers. We simulate PROVE on the Contiki emulator and demonstrate the scalability of the solution. We also validate PROVE through two hardware proof-of-concept implementations: PROVE and PROVE+, which rely on different cryptographic cores. The results show that a complete execution of the protocol takes 4605 ns and 324 ns for PROVE and PROVE+, respectively.",
keywords = "IoT security, PUB/SUB communication, Remote attestation, Swarm attestation",
author = "Edlira Dushku and Rabbani, {Md Masoom} and Jo Vliegen and An Braeken and Nele Mentens",
note = "Funding Information: This work is supported by CyberSecurity Research Flanders, Belgium with reference number VR20192203. All authors approved version of the manuscript to be published. Publisher Copyright: {\textcopyright} 2023 The Author(s)",
year = "2023",
month = jun,
doi = "10.1016/j.jisa.2023.103448",
language = "English",
volume = "75",
journal = "Journal of Information Security and Applications",
issn = "2214-2126",
publisher = "Elsevier",
}