Abstract

As the number of controllers and devices increases in Industrial Internet of Things (IIoT) applications, it is essential to provide a secure and usable user authentication system for human operators who have to manage tens or hundreds of controllers and devices with their passwords. In this paper, we propose a formally verified certificate-based authentication system using a secondary network device for such IIoT applications. In the proposed system, a user’s sign key is encrypted with a secret key that can be computed with his/her password and a secret parameter in a secondary device to securely protect the sign key. To demonstrate the feasibility of the proposed system, we implemented a prototype with standard cryptographic algorithms (AES-256, RSA-3072, and ECDSA-256). The experimental results demonstrated that the execution time overhead of the sign key recovery process was 0.039 and 0.073 s, respectively, for RSA-3072 and ECDSA-256, which was marginal compared with the total execution time (0.383 s for RSA-3072 and 0.319 s for ECDSA-256) of the conventional system. We also verified the security of the proposed protocol using a formal verification tool called ProVerif.

Highlights

  • One of the key requirements for Industrial Internet of Things (IIoT) applications is to establish trust among things and human operators [1]. Interestingly, secure authentication protocols using cryptographic primitives are generally used for things, whereas passwords are still popularly used for human operators

  • We demonstrate the feasibility of the proposed certificate-based authentication method by implementing a prototype with popularly used cryptographic algorithms (AES-256, RSA-3072, and ECDSA-256)

  • We modeled a set of cryptographic primitives Fc that are used in our proposed key protection system

Summary

Introduction

One of the key requirements for Industrial Internet of Things (IIoT) applications is to establish trust among things (e.g., industrial controllers, sensors, and actuators) and human operators [1]. To perform an offline dictionary attack against the proposed scheme, an attacker would have to break into both the primary and secondary devices at the same time to steal the encrypted sign key, as well as the specific secret value. We propose a formally verified certificate-based user authentication method that does not require additional secure hardware (e.g., ARM TrustZone) to mitigate offline password guessing attacks. We demonstrate the feasibility of the proposed certificate-based authentication method by implementing a prototype with popularly used cryptographic algorithms (AES-256, RSA-3072, and ECDSA-256). With this prototype, we analyze its communication overhead and demonstrate that the execution time overhead of the signing key recovery process is acceptable (0.039 s for RSA-3072, 0.073 s for ECDSA-256 on average compared with the total execution time of the conventional system) for the industrial controller application.
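The following sketch is an added illustration, not the paper's protocol or prototype code. It shows why a sign key wrapped under a key derived from both the password and a secondary-device secret cannot be guessed offline from the primary device alone. The PBKDF2/HMAC combiner, all function names, and the stdlib stand-in cipher (used in place of the AES-256 the prototype uses) are assumptions.

```python
import hashlib, hmac, os

def derive_wrap_key(password: str, salt: bytes, device_secret: bytes) -> bytes:
    """256-bit wrapping key that needs the password AND the secondary device's secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    # Assumed combiner (not from the paper): HMAC keyed by the device secret.
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()

def _subkey(wrap_key: bytes, label: bytes) -> bytes:
    return hmac.new(wrap_key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib stand-in cipher (HMAC-SHA256 in counter mode), not AES-256.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(sign_key: bytes, wrap_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(wrap_key, b"enc"), nonce, sign_key)
    tag = hmac.new(_subkey(wrap_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(blob: bytes, wrap_key: bytes):
    """Return the sign key, or None when the wrapping key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(wrap_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(_subkey(wrap_key, b"enc"), nonce, ct)

def offline_guess(blob, salt, device_secret, wordlist):
    """What a holder of the blob plus a candidate device secret can learn offline."""
    for guess in wordlist:
        if unwrap(blob, derive_wrap_key(guess, salt, device_secret)) is not None:
            return guess
    return None

def demo():
    salt, device_secret = os.urandom(16), os.urandom(32)  # constructed sample values
    sign_key = b"constructed-sign-key-bytes"              # placeholder, not a real key
    blob = wrap(sign_key, derive_wrap_key("plant7", salt, device_secret))
    words = ["admin", "plant7", "123456"]                 # constructed wordlist
    both_devices = offline_guess(blob, salt, device_secret, words)
    primary_only = offline_guess(blob, salt, bytes(32), words)  # secret unknown
    return both_devices, primary_only

if __name__ == "__main__":
    print(demo())
```

With only the primary device's blob and salt, every password guess fails the integrity check, so a weak password is not exposed unless the secondary device's secret is also stolen.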

Related Work
Certificate-Based Authentication
Transport the nonce n
Threat Model
Encryption Key Generation
User Authentication
Security Evaluation with ProVerif
Key Enrollment Procedure
ProVerif Results
Implementation and Evaluation
Implementation
Times Taken for Key Enrollment and Authentication
Key Enrollment Overhead
Method
Authentication Overhead
Conclusions