Dethroning Transport Layer Security in the Embedded World

Abstract

Developing a security concept feasible for a large number of cooperating embedded devices is crucial for the practical relevance of visions such as the Internet of Things, Ambient Assisted Living or Pervasive Computing. However, designing these concepts in conjunction with new technologies usually is more expensive. Thus, new technologies often rely on existing security techniques on lower layers of the network stack. Especially the Transport Layer Security (TLS) protocol suite is a very popular solution because TLS is a widely spread and well accepted protocol. However, TLS is not ideal for the realm of embedded devices and it does not provide all the necessary features. We state that a comprehensive security framework for large distributed systems of embedded devices has to be implemented on application level. We investigate on the applicability and adaptability of the Web Service (WS) Security specification suite since it offers such a desired comprehensive security framework. Furthermore, its base technology - Web Services - has already been ported to the domain of embedded devices by means of the Devices Profile for Web Services (DPWS). However, WS Security imposes a dramatic overhead on message sizes and parsing efforts for providing confidentiality, integrity and authenticity. Thus, in this paper we discuss two variants of WS Security that decrease the imposed overhead but remain compatible to the classical WS Security. A performance analysis shows that our proposed solutions have no significant drawback compared to the state of the art - TLS - but even provide a richer feature set.