Preface

The Internet of things (IoT) is the network of physical devices such as vehicles, home appliances, sensors, actuators and other electronic devices. The development of the Internet offers the possibility for these objects to connect and exchange data. Since the IoT will play a major role in human life, it is important to secure the IoT ecosystem in order for its value to be realized. Among the various security requirements, authentication in the IoT is important, as it is the first step in preventing any negative impact from possible attackers.

This book provides reference material on authentication in IoT. It offers an insight into the development of various authentication mechanisms to provide IoT authentication across various levels such as user level, device level and network level. This book offers reference material which will be important for all relative stakeholders of mobile networks, for example, network operators, cloud operators, IoT device manufacturers, IoT device users, wireless users, IoT standardization organizations and security solution developers.

IoT

Over the last four decades, the Internet has evolved from peer‐to‐peer networking, world‐wide‐web, and mobile‐Internet to the IoT. The IoT is a network consisting of animals, people, objects, physical devices, e.g., home appliance sensors, actuators, vehicles, digital machines, and other electronic devices that can collect and exchange data with each other without human intervention. Communication in IoT takes place between people, between people and devices, or between devices themselves, the last also called machine‐to‐machine (M2M). Many benefits are realized through these interactions using a variety of technologies including sensors, actuators, controls, mobile devices and cloud servers, as people and things can now be connected any time, any place, with anything and anyone, ideally using any path or network and any service.

According to a 2019 Statista analysis, it is estimated that there will be approximately 31 billion connected IoT devices worldwide in 2020, a number which may even double by 2024. From 2017 onwards, the overall market of IoT has become worth more than one billion US dollars annually. According to the same study, the largest IoT market is represented by the consumer electronics industry. The highest IoT‐related investments have been seen, for the moment, in the travel, transportation and hospitality industries. The automotive industry is considered a very promising market for large growth in IoT. Other markets are retail, logistics, construction and agriculture. Consequently, it can be concluded that IoT will have a vital impact on many industries. It will, in many cases, enable a smarter decision‐making process based on context‐aware information. The main motivations to integrate IoT are the increase in both efficiency and convenience.

The Need for Security

One of the most remarkable attacks that made people more aware of the importance of security in IoT is the Mirai Botnet attack in 2016. In this attack, the hackers simply scanned the Internet for open Telnet ports. Once found, they logged into the devices by trying a set of username/password combinations that were often used as defaults by the manufacturer and that had never been changed. This allowed them to collect an army of compromised devices, including baby monitors, home routers, air‐quality monitors, and personal surveillance cameras, ready to perform powerful distributed denial of service (DDoS) attacks. At its peak, approximately 600 000 IoT devices were infected. The most well‐known DDoS attack performed by the Mirai Botnet was on the Domain Name System provider Dyn in October 2016. This attack left large numbers of users in Europe and North America without access to many major Internet services like Amazon, BBC, Spotify, etc., for several hours.

As the IoT is continuously growing, it becomes an even more interesting point of attack for hackers. According to a threat report from the security firm Symantec, the number of attacks on IoT devices increased in only one year by 600% from 2016 to 2017, corresponding to 6000 and 50 000 reported attacks respectively. Besides DDoS attacks, mining of cryptocurrencies has also been reported as a popular activity for hackers. Another important threat is ransomware, with WannaCry and Petya/NotPetya as the most well‐known examples, resulting in a large and worldwide takedown of systems.

Consequently, we can conclude that much more attention needs to be given to security when including IoT in any business. As the IoT is a kind of galaxy of devices, technologies, and concepts of information, it is hard to understand what happens if malicious interventions of attackers jeopardize the security and privacy of IoT users, devices, and networks when these IoT galaxies are implemented with poor or no security. It is, therefore, important that all elements of the chain, being the device, user and network operator, integrate the required security mechanisms to guarantee end‐to‐end security in the communication between these devices over the Internet and on local networks. This will not only result in gaining trust and acceptance from end‐users, but will also avoid direct physical harm to humans, perhaps even loss of life.

The Need for Authentication

By secure communication, we mainly consider the security features of confidentiality, integrity of the transmitted messages, and authentication of the sending and receiving devices. Confidentiality and integrity are well studied security features and can rather easily be realized through lightweight symmetric primitives following the establishment of a secret shared key. However, to establish such a secret shared key, authentication of the devices, being the verification of the identities while sending and receiving messages, is required. Achieving authentication in a robust way is far harder.

Authentication mechanisms should be considered at a number of different levels, from user through device to network. Each level has its own particularities, resulting in different types of solutions to offer efficient authentication. For instance, at the user level, biometrics play a very important role in the integration of authentication schemes. For the device, variants such as physical unclonable functions (PUFs), but also tamper‐resistant memory, are important aspects to be considered. Finally, at the network level, different architectures should be considered.

One common feature for all the proposed solutions is efficiency, both from a communication as well as a computation point of view. Additional security features, such as anonymity, unforgeability and non‐repudiation, are also required in some cases. Therefore, mechanisms to be considered will be based on symmetric key (aiming for efficiency) and public key cryptography (aiming for additional security features).

Moreover, the choice of the authentication mechanism is also largely dependent on the specific use case since each use case has a different type of architecture, resulting in different requirements with respect to security features and efficiency.

In any case, one of the main goals is to keep the computational, communication and storage overhead as low as possible at the side of the IoT device, which is typically the most constrained device.

Intended Audience

One of the major challenges for IoT adoption is (robust) authentication, which is a basic security process and is sorely needed in the first place in the IoT. Although authentication is one of the paramount requirements of IoT networks, many of the authentication‐related techniques and standards are still under development. Therefore, there are only a limited number of books, and these only partly address authentication in IoT. However, the rapid adoption of IoT networks will soon raise the requirement for a complete handbook of authentication in IoT.

This book will be of key interest for:

  • Consumer Internet of things (CIoT). As the consumer adoption of the IoT is evolving, it is important to understand the typical authentication mechanisms to keep illegal entities away from the IoT networks. This book will offer the required guidelines for authentication and its techniques to protect the IoT from unauthorized entities.
  • Service providers. Service providers are currently actively looking to adopt IoT technology to offer new and state‐of‐the‐art secure services to IoT customers. This book will be a great source of security material that can provide insights for the authentication mechanisms in IoT networks.
  • Network operators (NOs). Network operators try equally to reach large customer bases who will switch to IoT networks. Security is the key requirement while connecting the IoT devices with the core networks of large operators.
  • IoT device manufacturers. Security is one of the key areas of interest for IoT device manufacturers as security challenges outpace the traditional tools available to the market. This book will offer a single source of all the authentication‐related topics for the device manufacturer.
  • Academics. IoT security has already been an area of research and study for major educational institutions across the world. Although IoT is evolving as the future of humans, there is no reference book available (particularly on authentication in IoT) that academics can use for teaching this as an area of interest.
  • Technology architects. IoT is going to cross the traditional mobility borders and is going to have an equal impact on all enterprises and organizations who plan to transform into digital businesses. It would be critical for architects to start aligning their technology and security architectures to the future needs of IoT standards. This book offers resources to design and build an authentication architecture and maintain it.
  • IoT organizations and digital organizations. IoT is going to change the way industrial networks are built, and 5G is going to provide the underlying platform for IoT networks. Security has remained the top priority for industries due to the criticality and sensitivity of the data and information flows in their networks. Prior knowledge of 5G security principles, components and domains is going to help industries lay a foundation for IoT security. This book will provide the guidelines and best practices for 5G‐based IoT security and authentication.

Book Organization

The book is divided into five parts covering various aspects of IoT authentication: IoT Overview, IoT network level, IoT user level, IoT device level and IoT use cases.

Part I consists of an introduction to IoT and an introduction to the corresponding security threats. Chapter 1 introduces IoT in a pedagogical manner by presenting its evolution, the taxonomy and the proposed architectures and standardization efforts. It also illustrates some of the popular applications of IoT. In Chapter 2, security challenges at every layer are addressed in detail by considering both the technologies and the architecture used. A thorough survey is provided, together with a classification of the existing vulnerabilities, exploitable attacks, possible countermeasures and the access control mechanisms including authentication and authorization. Additionally, solutions for remediation of the compromised security, as well as methods for risk mitigation, with prevention and improvement suggestions, are discussed.

Part II contains the chapters related to protection at the network level. In Chapter 3, different methods to provide key establishment and authentication using symmetric key based mechanisms, limited to hashing, XOR and encryption/decryption operations, are discussed. A new key management protocol for wireless sensor networks with hierarchical architecture, using solely symmetric key based operations, is proposed. Chapter 4 describes the utilization of Elliptic Curve Cryptography (ECC) for designing security protocols in terms of authentication, key establishment, signcryption, and secure group communication. Chapter 5 provides a general overview of a post‐quantum security primitive, being the lattice‐based primitive. The chapter summarizes how this primitive can be applied to IoT and gives a review of the state of the art of proposed applications in the literature.

Part III is about user‐level authentication and consists of four chapters. Chapter 6 deals with an anonymous mutual authentication scheme in multi‐access edge computing (MEC) environments. It utilizes the password‐based approach for user authentication. Chapter 7 proposes a biometric‐based access control model for industrial IoT (IIoT) applications. The model performs robust authentication and establishes a session key between the user and smart IIoT devices. In Chapter 8, authentication is discussed for the case where the user can experience IoT‐enabled services without carrying any gadget, also called the naked approach. A use case from the medical and healthcare sector has been worked out in order to give the patient an ambient Internet of Everything experience. Chapter 9 discusses a user‐friendly Web‐based framework for handling user requests automatically by addressing user concerns for mobility support, ownership support, and immediate privilege updates, with the goal of limiting the involvement of any third parties in the process chain and of informing all involved parties immediately about any status changes.

Part IV of the book contains two chapters related to device‐level authentication. In Chapter 10, an authentication mechanism is discussed for the case where the IoT nodes contain a PUF, which is a low‐cost primitive exploiting the unique random patterns in the device, allowing it to generate a unique response for a given challenge. The advantage of a PUF in the IoT is that even when the key material is extracted, an attacker cannot take over the identity of the tampered device. However, in practical applications, the verifier orchestrating the authentication between the two IoT nodes is a cluster node in the field, which might be vulnerable to corruption or attacks. In the proposed authentication mechanism, additional protection has been provided for this. Chapter 11 presents an encryption and authentication scheme suitable for ASIC or Field‐Programmable Gate Array (FPGA) hardware implementation, which is based on the generalized synchronization of systems showing chaotic dynamical behavior. The strength of the system relies on the unobservability of the internal states of a strongly nonlinear system having a high‐dimensional phase space.

Part V contains three chapters, each dedicated to a use case: healthcare, smart grid, and connected cyber physical systems. Chapter 12 introduces a remote patient monitoring platform that consists of three main parts: patient monitoring devices, a cloud backend and the hospital's clinician application. The system has been implemented for a pilot project and in joint research with the neuro and cardiology departments of Helsinki University Hospital (HUS).

Chapter 13 proposes a secure and efficient privacy‐preserving scheme in a connected smart grid network. The scheme is based on ECC, outperforming in both computation and communication costs. Chapter 14 first discusses the overlap between cyber physical systems and IoT, and then proposes a cyber physical trust system that utilizes the blockchain as a security tool. The security strength is shown in terms of data authenticity, integrity and identity.
