Swedish research project CEBOT has solved one of the toughest IoT security problems

It has been hard to give resource-constrained things trusted identities, and as the internet of things (IoT) grows this has become one of the biggest security problems. “We have now solved this enrollment challenge by creating a new, super light-weight, and fully automated protocol,” says Shahid Raza, senior researcher and project manager for CEBOT.

The backbone for all security solutions is that people, software and things have trusted identities – if you do not know who or what you are communicating with, it does not matter how well-encrypted your digital connection is, or how well-guarded your facilities are.

“When it comes to the internet, the state of the art for enabling trusted identities is using public key infrastructure, PKI. But a real challenge with PKI is the enrollment process,” says Shahid Raza, senior researcher at Swedish non-profit research organization RISE SICS and project manager for CEBOT.

In PKI, digital certificates are used to vouch for digital identities and their encryption keys.

“This means that things and people can talk to other things and people without any prior knowledge of each other, if both parties have certificates signed by a trusted third party, called a certificate authority,” says Raza.

A person can go to the bank office to get her certificate signed, and the owner of an IoT device with a user interface can sign in using a username and password to ask the certificate authority to sign the certificate.

“But many of the things that now are getting connected have no user interfaces, and when billions of connected things are to be enrolled, it has to be an automated process. There are already protocols for enrollment, but they are too heavy for really resource-constrained things. And the current enrollment protocols are also not fully automated.”

The CEBOT project (Certificate Enrollment for Billions of Things) was launched in September 2015 to solve this enrollment problem, and now, with half a year of the project left, a new super light-weight protocol has been designed and implemented.

“If you for example buy a lamp, the manufacturer has already placed a certificate in the lamp. And when you plug the lamp in for the first time, it automatically talks to the certificate authority via the new protocol and asks to get the certificate signed.”

When the certificate is signed, the lamp has a trusted digital identity and can communicate securely with other trusted identities.

“We at SICS have been a part of crafting the light-weight protocols that are already available for the internet of things, so we took our knowledge from those projects to craft this new, even lighter, protocol.”

The new protocol has the same name as the project: CEBOT. It has been quite a challenge to create a protocol that works for devices with really small amounts of memory and energy, according to Raza.

“I have presented the protocol at lots of places now and lots of people and organizations have shown great interest. It has been hard to give resource-constrained things trusted identities, and as the internet of things grows this has become one of the biggest security problems.”

The new super light-weight enrollment protocol is currently being evaluated and the next step will be to try to get CEBOT standardized by the Internet Engineering Task Force (IETF), the organization that has standardized most of the internet protocols.

“Since we have received so much interest for CEBOT, we think it will become a standard. And since there are no other available solutions for enrolling digital certificates in resource-constrained things automatically it might even get fast-tracked.”

If CEBOT does not become a standard, it might still be used, like many other draft protocols.

“But if it is not a standard, the things using the protocol can of course only speak to organizations and things using the protocol. If you are to be sure that for example a lamp from Philips can talk to Amazon’s cloud services, you need to use a standard protocol.”

And if CEBOT becomes a standard, Raza believes it will be very widely used. Some of the companies that have endorsed the CEBOT project are Husqvarna, Ericsson, Saab, SUST, Yanzi Networks, Intel and Scypho.

“I think many other organizations will also want to use this protocol to solve the enrollment issue. CEBOT is the missing piece in IoT security. But other protocols solving the same problem might be developed and standardized, and then it of course is up to each organization which protocols to use.”

The CEBOT project is a joint effort between SICS and identity and security company Nexus Group.

“We at SICS are responsible for the client side, and have done the implementation for resource-constrained IoT devices running the operating system Contiki. And Nexus takes care of the server side, that is, the certificate authority part. They have done the implementation of CEBOT on their software platform Nexus Certificate Manager, which is used for issuing and managing all kinds of electronic identities.”

During the first half of 2017, the new protocol will be put to work in real products and tested further.

“And when the CEBOT project ends on June 30, 2017, we will use the work from CEBOT in a new, three-year-long Eurostars-funded project called SecureIoT. Together with partners from Sweden and South Korea, we will continue the real life testing of the protocol, while we continue to work on solving other IoT problems.”

SICS is also applying for funds for another project, with the goal to craft an entirely new structure for PKI for IoT.

“We will use the results from CEBOT in this project too. We cannot say today what the proposed new PKI system will look like, but we all have to speak the same language, and that language is the protocol CEBOT,” says Raza.

Published 16/1 2017