=Paper= {{Paper |id=Vol-3200/paper17 |storemode=property |title=Technology of Secure Data Exchange in the IoT System |pdfUrl=https://ceur-ws.org/Vol-3200/paper17.pdf |volume=Vol-3200 |authors=Hassan Mohamed Muhi-Aldeen,Yurii Khlaponin,Ibtehal Shakir Mahmoud,Volodymyr Vyshniakov,Vadym Poltorak,Dmytro Khlaponin,Muwafaq Shyaa Alwan }} ==Technology of Secure Data Exchange in the IoT System == https://ceur-ws.org/Vol-3200/paper17.pdf
Technology of Secure Data Exchange in the IoT System
Hassan Mohamed Muhi-Aldeen1, Yurii Khlaponin2, Ibtehal Shakir Mahmoud3, Volodymyr
Vyshniakov4, Vadym Poltorak5, Dmytro Khlaponin6, Muwafaq Shyaa Alwan7
2, 4, 6Kyiv National University of Construction and Architecture, Kyiv, Ukraine
1, 3, 7 Al Iraqia University, Baghdad, Iraq
5NTUU “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine




                  Abstract. The use of public Internet channels for managing objects in the IoT system can lead
                  to the emergence of security threats not only for this IoT system, but also it can provide
                  cybercriminals with resources to carry out attacks on any other objects of the global network.
                  Therefore, you should use secure data exchange technologies that prevent unauthorized entry
                  into the system when building IoT systems. This technology is discussed in detail in this article.
                  The purpose of this work is to improve safety of IoT systems through the use of a perfectly
                  secure data exchange channel.

                  Keywords
                  IoT system, safety of IoT systems, secure data exchange technologies, secure data exchange
                  channel.


III International Scientific And Practical Conference “Information Security And Information Technologies”, September 13–19, 2021, Odesa, Ukraine
EMAIL: muhialdeen.hassan@aliraqia.edu.iq (A. 1); y.khlaponin@gmail.com (A. 2); ibtehal.shaker@aliraqia.edu.iq (A. 3); volodymyr.vyshniakov@gmail.com (A. 4); poltorak_vp@online.ua (A. 5); dmytro.khlaponin85@gmail.com (A. 6); dr.muwafaqalwan@aliraqia.edu.iq (A. 7)
ORCID: 0000-0002-9287-0817 (A. 1); 0000-0002-9287-0817 (A. 2); 0000-0001-8333-461X (A. 3); 0000-0003-4668-712X (A. 4); 0000-0001-9231-9411 (A. 5); 0000-0002-7797-4319 (A. 6); 0000-0001-7980-2716 (A. 7)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)

1. IoT security challenges

In 2020 the number of devices connected to the IoT exceeded 30 billion, and their annual growth increased from 3 billion in 2017 to 5 billion in 2020, as shown by the published data of researchers [1].

Forecasts up to 2025 assume that this growth will not decrease, but tends to increase. This testifies to the rapidly growing need for managing remote sites and to ample opportunities for implementing such management using existing tools and technologies. However, the rapid growth of needs and the broad possibilities of implementing IoT in a short time often lead to solutions that are insufficiently thought out from the point of view of security, as described in [2-4], where the network level is identified as the most vulnerable area. Because IoT devices are insufficiently protected, attackers are given the opportunity to use them to implement DDoS attacks, and the number and power of these devices increase with the number of IoT users. The overwhelming majority of users believe that general security rules for the IoT should be developed at the state or interstate level.

However, it is difficult to develop uniform recommendations or standards because security requirements differ depending on the area of use of the IoT. The variety of areas of use is shown in Table 1.

Table 1
Gartner's analysis of the number of IoT devices in use globally, billion

  Application area          2018    2019    2020
  Housing                   0.98    1.17    1.37
  Building automation       0.23    0.31    0.44
  Security systems          0.83    0.95    1.09
  Extraction of minerals    0.33    0.4     0.49
  Automotive                0.27    0.36    0.47
  Medicine                  0.21    0.28    0.36
  Trade                     0.29    0.36    0.44
  Transport                 0.06    0.07    0.08
  Government sector         0.4     0.53    0.7

Gemalto's survey of IoT users found that 90% were unsure about security. This makes it relevant to analyze IoT systems from the point of view of ensuring the secure exchange of data over Internet channels, and to consider the technical solutions in this area given in this work.

2. Analysis of data exchange options in IoT systems

To connect IoT devices to the Internet, one of two schemes can be used, shown in Fig. 1 and Fig. 2 respectively.

Figure 1: Direct management of objects through the public network

The scheme shown in Fig. 1 is the simplest one and can be successfully used in internal computer networks. But such a solution has a number of disadvantages in the conditions of the public Internet:
   - Connecting the server directly to the Internet facilitates the intervention of unpredictable external threats into management processes.
   - Cybercriminals are more likely to install their botnets (malware) on your server to implement DoS and DDoS attacks.
   - This server requires a dedicated IP address on the Internet, which is associated with additional material costs.
   - To ensure the information security of the server, qualified service is required.

[Figure 2 diagram labels: Terminal for control, Internet, Mediator server, Router, Mini-computer for object management, Managed objects]

Figure 2: Object management using a mediation server

The disadvantages listed above are absent in the circuit shown in Fig. 2, where data flows between the terminal and the managed objects are filtered by the proxy server. This server can simultaneously serve many users, protecting their data streams from malicious attacks. Internet service providers (ISPs) can install such servers, providing customers with cloud-based access to resources. However, a user with high security requirements for information about the managed objects can install a separate or corporate broker server of their own. If the broker's server is hit by a threat, the information about the managed objects will be kept intact. An increase in signal latency should be noted as a disadvantage of control through an intermediary server in comparison with the first scheme. But this disadvantage can be considered insignificant, since the performance of control systems cannot be high anyway because of the unpredictable network access latency of Internet channels.

3. Technical solutions to secure the IoT

Object management via the Internet does not require the transfer of large amounts of data or high-speed messaging. This allows you to use the most advanced methods of protecting data from threats of disclosure or spoofing during transmission over channels. The use of such methods makes it possible to exclude the possibility of these threats being realized, which is mathematically provable. It should be noted that no expensive technical solutions are needed for absolute protection. This protection is implemented using simple software methods. It is mathematically proven that absolute protection of information is provided by the Vernam cipher, which is called the one-time pad [5]. The use of this cipher requires the fulfillment of the conditions listed in Table 2.

Table 2
Conditions for ensuring absolute data protection during transmission

  Condition: Generation of random bit sequences (not pseudo-random)
  Condition fulfillment: A method for generating random bits is implemented, which allows you to generate random sequences on any computer, as described in [3]

  Condition: Each random bit sequence can be used for encryption only once
  Condition fulfillment: For each communication session, random bit sequences are generated independently of each other

  Condition: For the exchange of random bit sequences, an absolutely secure communication channel should be used
  Condition fulfillment: The exchange of random bit sequences occurs according to the Diffie-Hellman algorithm with such parameters for which there is no possibility of data disclosure in modern conditions

The work [7] substantiates the choice of the Diffie-Hellman algorithm parameters. The parameters of the algebraic group for the implementation of the algorithm are selected based on two conditions. First, it must be impossible to disclose the data. Second, the time of the cryptographic transformations must not exceed the allowable value. To prevent data disclosure, the algebraic group was chosen in the form of a Galois field with characteristic 2 and a degree that is a safe prime number from the series 503, 563, 587, 719. Since the solution to the discrete logarithm problem for such fields is unknown today, this protection cannot be hacked in modern conditions. All cryptographic transformations are implemented as several dozen lines of JavaScript and can be copied and placed in both the client and the server parts of the software of IoT systems. If the Node.js platform is used to write the server side, then the cryptographic transformations on the server and client sides will be identical. All fragments of the data protection program for a field of (2^503) elements are presented below.

The beginning of filling the array with N random bits looks like this:

  var N = [504]; // Array of 503 random bits (N[0] is not used)
  var T1 = new Date(); // Take the timestamp for transformations
  var TN = T1.getTime(); // TN - the number of milliseconds from 01/01/1970
  N[1] = TN % 2; // Fill the first bit depending on the parity of TN

The rest of the random bits will be formed in the cycle of filling the array MA with powers of the primitive root of the Galois field.

The block for filling an array MA with powers of A looks like this:

  // Elements of arrays with index 0 are not used
  var A = [504]; // Sequence of 503 bits for exponentiation
  var B = [504]; // A sequence of 503 bits of the exponent
  // Arrays for multiplying the elements of the Galois field GF(2^503)
  var M1 = [504], M2 = [504], R = [504];
  // M1[], M2[] - factors, R[] - the result of multiplication
  var MA = new Array(504); // Array MA[][] of powers of A[]
  for (var i = 0; i < 504; i++) MA[i] = new Array(504);
  for (var i = 1; i <= 503; i++) MA[1][i] = A[i];
  // The first line of the array was filled with the value A[]
  for (var I = 2; I <= 503; I++)
  { // Loop filling the array MA[][] with powers of A[]
    // In the next 3 lines, we continue filling the array N[]
    T1 = new Date(); // Take the timestamp for transformations
    TN = T1.getTime(); // TN - the number of milliseconds from 01/01/1970
    N[I] = TN % 2; // Fill in the next bit depending on the parity of TN
    for (var J = 1; J <= 503; J++) M1[J] = M2[J] = MA[I-1][J];
    MULT(); // Function for multiplying the elements of the Galois field GF(2^503)
    for (var j = 1; j <= 503; j++) MA[I][j] = R[j];
  } // Put power 2 in MA[2], put power 4 in MA[3],
  // put power 8 in MA[4], put power 16 in MA[5], etc.
Our task is to get the same random bit sequences C[] on both sides of the data exchange. This makes it possible to add, modulo 2 (the XOR operation), the bits of the C[] sequence to each bit of the data being sent on the transmitting side. With such information coding, absolute protection against disclosure threats in the communication channel is provided. The recipient of the information must add modulo 2 the bits of the C[] sequence to the received bits for decryption, which is exactly the same procedure as on the transmitting side.

The transformation process begins by generating a sequence of 503 random bits on each side. This is done simultaneously with filling the array MA[][] with powers of the primitive root of the Galois field. The number 2 is one of the primitive roots, and it should be entered into the array A[]. In our example, the least significant bits correspond to the lower array indices. Therefore, we get a primitive root like this:

  for (var i = 1; i <= 503; i++) A[i] = 0;
  A[2] = 1; // Put the number 2 in A[]

For raising to a power, a well-known method of simplifying calculations was used, which consists in replacing the operation of raising to a power by a product of powers according to the next expression:

                                              (1)

              where

Since any exponent B can be represented as a sum of values selected from a range of weights 2^0, 2^1, 2^2, 2^3, …, 2^502, to calculate A^B it is enough to multiply no more than 503 elements from the array MA.

The block for raising A to power B looks like this:

  for (var i = 1; i <= 503; i++) A[i] = 0;
  A[1] = 1; // Put a unit in A[]
  for (var J = 1; J <= 503; J++)
  if (B[J] == 1) // Select the bits equal to 1 from the binary form of the exponent
  {
    for (var I = 1; I <= 503; I++) { M1[I] = MA[J][I]; M2[I] = A[I]; }
    MULT(); // Function for multiplying the elements of the Galois field GF(2^503)
    for (var I = 1; I <= 503; I++) A[I] = R[I];
  } // The elements MA[][] were multiplied where B[J]=1.

The function of multiplying the elements of the Galois field according to the rule of polynomials looks like this:

  function MULT()
  { // Multiplication using the polynomial X^503=X^3+1
    var i, j, r, r1, r2, r3;
    for (i = 1; i <= 503; i++) R[i] = 0;
    for (i = 1; i <= 503; i++)
    if (M1[i] == 1) // Select units, because multiplication by 0 gives 0
    {
      for (j = 1; j <= 503; j++)
      if (M2[j] == 1)
      {
        r = i + j - 1;
        if (r > 503)
        {
          r = r - 503;
          if (r >= 501)
          {
            r = r - 501;
            r1 = 1 + r; r2 = 4 + r; r3 = 501 + r;
            if (R[r3] == 0) R[r3] = 1; else R[r3] = 0;
          }
          else { r1 = r; r2 = r + 3; }
          if (R[r1] == 0) R[r1] = 1; else R[r1] = 0;
          if (R[r2] == 0) R[r2] = 1; else R[r2] = 0;
        }
        else { if (R[r] == 0) R[r] = 1; else R[r] = 0; }
      }
    }
  } // End of function MULT()

Let's imagine an algorithm for obtaining bit sequences that will be the same on both sides of the data exchange.

Step 1. The client enters a random bit into the first element of the array N, and enters the value of the primitive root of the Galois field into array A.
Step 2. The client executes the block of filling the array MA with powers of A with the simultaneous completion of filling the array with N random bits.
Step 3. The client copies array N to array B and executes the exponentiation block of A.
Step 4. The client sends to the server the result of raising A to the power of B as a sequence of 503 bits.
Step 5. The server stores the sequence of bits received from the client in array C and performs actions similar to steps 1-3 of the client.
Step 6. The server sends to the client its result of raising A to power B.
Step 7. The client stores the sequence of 503 bits received from the server in array A.
Step 8. The client executes the block of filling the array MA with powers of A without filling the array with N random bits.
Step 9. The client executes the block for raising A to the power B and enters the result into array C.
Step 10. The server copies array C to array A and performs the steps similar to steps 8 and 9 of the client.

The result of performing the above actions is that the same random sequences of bits are obtained in the arrays C of the same name on the client and server sides, which was required for encryption using the one-time pad method.

4. Full-scale model of a secure IoT system

The main element of the IoT system that needs to be protected from false control commands and from intrusion by attackers who can create threats such as DDoS attacks is the computer for object management (see Fig. 2). When this computer is connected through the Router without a real IP address, it cannot be controlled other than through the console used to install the software or through an application program that provides the protection described in the previous section. A well-known minicomputer of the Raspberry Pi 3 type, which has a 40-pin GPIO interface with wide possibilities for connecting objects for monitoring and control, was chosen as hardware. Linux version Ubuntu 20.10 was selected as the operating system, and the Node.js platform version v12.18.2 with the onoff package, which allows objects to be controlled via the GPIO interface, was used as a programming tool.

The initial snippet of the CONPIN.js program installed on this computer in the /home/ubuntu/ directory looks like this:

  const HOST = '91.198.50.144';
  const PORT = 3000;
  const Gpio = require('onoff').Gpio;
  const fs = require('fs');
  const net = require('net');
  let SYM; // String.fromCharCode
  let STREB = '////////';
  let i = 0;
  let TR = '';
  const Gp4 = new Gpio(4, 'out'); // Pin 7 Gpio_4 # 0
  const Gp17 = new Gpio(17, 'out'); // Pin 11 Gpio_17 # 1

This client program regularly contacts the server (Mediator server) (see Fig. 2) with a period of 20 seconds to transmit information about the state of objects and receive control signals. The duration of the period of 20 seconds is chosen from the condition of proportionality with the time of entering the Internet. The operation of this program must be protected against possible power outages. To automatically start the program after power-up, add the following three lines to the /etc/rc.local file:

  #!/bin/sh
  echo "#################### CONPIN ######################"
  /usr/bin/node /home/ubuntu/CONPIN &

The SOCKET.js program must be running on the Mediator server (see Fig. 2) located at the ISP (Internet Service Provider) site that provides services in SaaS (Software as a Service) mode. The initial snippet of this program looks like this:

  // server / SOCKET.js //
  const HOST = '91.198.50.144';
  const PORT = 3000;
  const net = require('net');
  const fs = require('fs');
  net.createServer(function (sock)
  {

With a single intermediary computer with a single real IP address, the provider can serve multiple IoT client systems. The number of supported systems depends only on the technical data of the computer. The operation of the SOCKET.js program must be protected from failures that can lead to an emergency shutdown. To do this, use the pm2 process manager, an automatic program restart tool, which must be downloaded using the npm install pm2 -g command. After that, the SOCKET.js program should be launched with the pm2 start SOCKET.js command. Then, in case of any failures, the program will automatically restart [8,13].

The main task of the Mediator server is to protect the resources of IoT systems from the penetration of intruders whose goal is to implement DoS and DDoS attacks. Such penetration requires unauthorized entry into the Mediator server, which is unlikely, provided the provider follows standard instructions. Usually this situation arises due to the fault of the provider's staff. In any case of failures on this server, the provider always has the ability to switch to a backup server or restore the operation of the same server using copies, which is the norm in the work of providers [9,12].

The exchange of data between users of the IoT system and their objects is carried out via a web interface through intermediate data files. These files are created anew at each data exchange session. Each individual user on the Mediator server is allocated his own directory, where, in addition to the SOCKET.js program with a unique value for the PORT parameter, the vybir.js program is located, the initial fragment of which looks like this:

  // vybir.js - HTTP Server Ver. 18 February 2021
  var http = require('http');
  var url = require('url');
  var fs = require('fs');
  var static = require('node-static');
  var querystring = require('querystring');
  var file = new static.Server('.');
  http.createServer(function (req, res)
  {

In the vybir.js program, a separate TCP port number is allocated for each user. The CONPIN.html file with images of object state indicators and control buttons is also located in the user directory. The user can download this file through the link given to him, like http://91.198.50.144:8000/CONPIN.html. All communication processes, including the authorization procedure, are protected using the means described in the previous section. The above link is unprotected as it is only intended to demonstrate the control process using eight binary objects as an example. Authorization data is stored in the same directory in an encrypted file.

5. Conclusions

The reasons for the emergence of security problems in IoT systems are described. Potential security threats have been identified, both for the IoT itself and for the use of its resources by intruders in the implementation of attacks on other objects of the Internet.

Variants of data exchange schemes in IoT systems have been analyzed and the choice of the most secure scheme has been substantiated.

The technical solutions that make it possible to secure data exchange in IoT systems by building an ideally secure data exchange channel are considered in detail. These solutions are presented in the form of program texts in the JavaScript language and can be embedded in any user software.

Using the example of the current model of the IoT system, it is shown that it is possible to eliminate problems with emergencies in IoT systems that arise for various reasons, including malfunctions of programs, temporary power outages or attempts at unauthorized entry into the system. A link to a resource on the Internet is provided to demonstrate the process of managing objects.

The technical solutions proposed in this work make it possible to fully secure IoT systems from information threats.
6. References

[1] Orlov S. (2020) Pochemu problem bezopasnosti interneta veshhej okazalos' tak trudno reshit'? https://safe.cnews.ru/articles/2020-05-1_pochemu_problemu_bezopasnosti_interneta
[2] Frustaci, M., Pace, P., Aloi, G., & Fortino, G. (2018). Evaluating critical security issues of the IoT world: Present and future challenges. IEEE Internet of Things Journal, 5(4), 2483-2495.
[3] Conti, M., Dehghantanha, A., Franke, K., & Watson, S. (2018). Internet of Things security and forensics: Challenges and opportunities. Future Generation Computer Systems, 78(2), 544-546.
[4] Giray, G., Tekinerdogan, B., & Tüzün, E. (2018). IoT system development methods. In Internet of Things (pp. 141-159). CRC Press/Taylor & Francis.
[5] Shannon C. Communication Theory of Secrecy Systems. Bell System Technical Journal. 1949. 28 (4). Pp. 656–715.
[6] Chupryn V.M. Generuvannja vypadkovyh chisel shtatnymy zasobamy hostiv merezhi Internet. / V.M. Chupryn, V.M. Vyshnjakov, M.P. Prygara // Zahyst informacii'. – 2016. – Vol. 18, No. 4. – P. 323-335.
[7] Chupryn V.M., Vyshnjakov V.M., Prygara M.P. Metod protydii' nezakonnomu vplyvu na vyborciv u systemi Internet golosuvannja. Bezpeka informacii'. – 2017. – Vol. 23, No. 1. – P. 7–14.
[8] V.M. Chupryn, V.M. Vyshnjakov, O.O. Komarnyc'kyj, Metod protydii' atakam poserednyka u transparentnij systemi internet golosuvannja, Zahyst informacii', Ukrainian Information Security Research Journal. – K.: NAU, 2018. – Vol. 20, No. 3. – P. 180-187. http://jrnl.nau.edu.ua/index.php/ZI/article/view/13079
[9] Valentyn Sobchuk, Volodymyr Pichkur, Oleg Barabash, Oleksandr Laptiev, Kovalchuk Igor, Amina Zidan. Algorithm of control of functionally stable manufacturing processes of enterprises. 2020 IEEE 2nd International Conference on Advanced Trends in Information Theory (IEEE ATIT 2020) Conference Proceedings, Kyiv, Ukraine, November 25-27. pp. 206–211.
[10] Oleksandr Laptiev, Savchenko Vitalii, Serhii Yevseiev, Halyna Haidur, Sergii Gakhov, Spartak Hohoniants. The new method for detecting signals of means of covert obtaining information. 2020 IEEE 2nd International Conference on Advanced Trends in Information Theory (IEEE ATIT 2020) Conference Proceedings, Kyiv, Ukraine, November 25-27. pp. 176–181.
[11] O. Svynchuk, O. Barabash, J. Nikodem, R. Kochan, O. Laptiev. Image compression using fractal functions. Fractal and Fractional, 2021, 5(2), 31. pp. 1-14. DOI:10.3390/fractalfract5020031 - 14 Apr 2021.
[12] Androshchuk, A., Yevseiev, S., Melenchuk, V., Lemeshko, O., Lemeshko, V. Improvement of project risk assessment methods of implementation of automated information components of non-commercial organizational and technical systems. EUREKA, Physics and Engineering, 2020, 2020(1), pp. 48–55.
[13] V. Khoroshko, Y. Khokhlacheva, Y. Khlaponin, E. Gavrilko. Parametric monitoring of computing processes in information and computing systems. Workshop Proceedings (http://ceurws.org) Vol-2067 urn:nbn:de:0074-2067-8-0 P. 45–53. – ISSN 1613-0073