Encryption Method for Systems with Limited Computing Resources Roman Chernenko1, Andriy Anosov1, Roman Kyrychok1, Zoreslava Brzhevska1, and Svitlana Spasiteleva1 1 Borys Grinchenko Kyiv University, 18/2 Bulvarno-Kudriavska str., Kyiv, 04053, Ukraine Abstract Due to the active development of the Internet of Things (IoT) technology, more and more systems of interconnected devices and sensors are appearing that collect various data and transmit them through gateways to remote servers. It goes without saying that this data must be protected at all stages. This is especially important for data on the functioning of potentially dangerous objects and devices. Because of the features of devices with limited computing resources, it is impossible to use standard methods of information protection in the gateway- built-in sensor link. The article considers the algorithm of the Internet of Things system using limited devices, which consists of a gateway for receiving data from sensors and transmitting them to servers and limited devices used for data collection and encryption. The proposed algorithm describes the process of data packet generation, key generation, encryption, transmission, and decryption of data received from sensors. The reliability of data encryption transmitted in the gateway-built-in sensor link is ensured by the generation of a truly random sequence - the encryption key, based on the initial measured value on the unconnected and ungrounded analog input of the microcontroller, and a series of arithmetic operations. Keywords 1 Internet of Things, IoT, network security, encryption, Vernam cipher, random number generation. 1. Introduction can be provided based on standard protocols [3]. In the gateway-built-in sensor (limited device) link, there is an objective need to use algorithms The rapid development of the Internet of that employ a minimum of computing resources Things has led to the creation of a large number of to ensure the required level of information heterogeneous systems of interconnected protection. computing devices, built-in sensors that collect and measure environmental parameters and transmit them through IoT gateways to a remote 2. Formulation of the Problem server in the cloud [1]. It is clear that all data transmission links of such a system must be The application of encryption methods in reliably protected. This is especially important for computer systems on limited devices creates a systems that collect data on the operation of limitation in the existing computing resources, potentially dangerous objects and devices [2]. which makes it necessary to work out such a Therefore, security is crucial for IoT protocols. method that will employ a minimum of such Computer systems on restricted devices operate resources. on the basis of standard or proprietary protocols, After analyzing the algorithms, namely the in which data must be protected from interception, required number of calculations and device modification and substitution. In the gateway- memory for organizing these calculations, it was remote server link, the required level of protection investigated that for the operation of the RSA CPITS-2022: Cybersecurity Providing in Information and Telecommunication Systems, October 13, 2022, Kyiv, Ukraine EMAIL: r.chernenko.asp@kubg.edu.ua (R. Chernenko); a.anosov@kubg.edu.ua (A. Anosov); r.kyrychok@kubg.edu.ua (R. Kyrychok); z.brzhevska@kubg.edu.ua (Z. Brzhevska); s.spasitielieva@kubg.edu.ua (S. Spasiteleva) ORCID: 0000-0002-1439-961X (R. Chernenko); 0000-0002-2973-6033 (A. Anosov); 0000-0002-9919-9691 (R. Kyrychok); 0000-0002- 7029-9525 (Z. Brzhevska); 0000-0003-4993-6355 (S. Spasiteleva) ©️ 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org) 142 algorithms and the El-Gamal scheme it is  Limited devices used to collect and encrypt necessary to use an amount of memory that data for secure transmission over unsecured exceeds the amount available in class 0 and 1 channels to the gateway. devices [4]. Accordingly, they cannot be implemented on limited devices [5]. Thus, a problematic issue arises regarding the development and use of the encryption method in modern objects representing computer systems on limited devices. The purpose of the article is to increase the level of security of systems in the Internet of Things network by developing a method of data encryption on devices with limited computing resources. Figure 1: General model of an IoT system using 3. Analysis of Recent Research limited devices and Publications The general algorithm of the system functions In [5], a prototype of the IoT system was as follows: developed using limited devices, which provides 1. Reading data from sensors with a limited absolute cryptographic stability due to the use of device. the Vernam cipher with disposable notebooks [6]. 2. Generation of a random key, the length of During the development of the prototype, the which is equal to the length of the message. following security vulnerabilities were 3. Encrypting the message with the Vernam eliminated, such as transmission of unencrypted cipher, using the bitwise “exclusive OR” operator. data over an unsecured channel. 4. Random selection of one of the predefined During the study of encryption methods, the keys to encrypt the key itself. main operations that are used were highlighted: 5. Encryption of the key. addition, shuffling, bit shift and binary XOR 6. Sending the message and key to the operation. Considering the concept of using the gateway. XOR operation in existing encryption methods, it 7. Receiving the message by the gateway and can be noted that such a task remains a priority sending the encrypted message via secure [7]. channels to the company’s servers. In [8], a study and comparative analysis of the 8. Reception of the message by the server and bandwidth of low-power wireless IoT devices in selection of the necessary key to decrypt the key the role of wireless switches is presented. Such with which important data is encrypted. switches can be used as gateways when 9. Data decoding and adding them to special implementing a prototype of an IoT system using structures for data storage and processing. So, the limited devices. software implementation of the system consists of The complexity of the topological structures of three parts, the program running on the limited wireless sensor networks due to their variability device is responsible for generating data and [9] determines the need to create secure data encrypting packets for sending. According to the transmission channels and parameters in all links block scheme (Fig. 2), the first step is the of the functioning of computer systems with generation of the message “M” for further limited computing resources. encryption. The prototype uses a temperature and humidity sensor to generate useful values. After the message generation is completed, the 4. Research Results random key sequence generation function is called for data encryption. In general, the function The general model of the IoT system using should generate a truly random sequence of limited devices (Fig. 1) consists of: characters equal to the length of the message in  A gateway for receiving data from sensors and order to ensure absolute cryptoresistance [10]. transferring them to servers. 143 Figure 2: Block diagram of the general algorithm of a limited device operation Figure 3: Block diagram for generating a random key sequence Any random number generation function performs mathematical operations with some After running these functions, the program has initial value, therefore, to obtain a truly random two variables, the first one stores the value of the sequence, the initial value must be random [11]. It message, the second, the value of the key to was decided to initialize the value measured at the encrypt this message. unconnected and ungrounded analog input of the The message is as follows: microcontroller, in other words the noise caused 14.00,23.00,14.00,23.00, by the stray current, and to perform some 14.00,23.00,14.00,23.00, arithmetic between this value and the sensor 14.00,23.00,14.00,23.00, readings to make the value even more random. It 14.00,23.00,14.00,23.00, is worth noting that the use of various “noises” of 14.00,23.00,14.00,23.00. the environment is a widespread method of forming truly random sequences [12]. So, the The generated key looks like this: random sequence generation function (Fig. 3) %⸮9⸮g⸮⸮cV(1p'p9⸮C⸮⸮⸮lȖ⸮gtvgȋ' performs the following actions: (⸮⸮⸮n⸮;P=䌕=⸮⸮⸮B⸮r⸮W⸮⸮%⸮N⸮⸮z⸮⸮W; • Accepts the value of the length of the data to ⸮t⸮⸮3⸮⸮s&Lf⸮⸮|⸮CKIW*/ be sent. • Initializes the initial value for the generation of ⸮M⸮!Z1⸮%⸮l⸮⸮⸮ާ͋⸮⸮⸮⸮⸮⸮Us8⸮⸮⸮ key symbols. After generating the message and the key, the • In the loop, a key symbol is randomly encryption function is performed. For encryption, generated for each symbol of the message. a Vernam cipher is used, which uses a bitwise • The function returns a generated sequence of “exclusive OR” operation to create an encrypted characters, the length of which is equal to the message (Fig. 4). For each symbol of the message length of the message. in bitwise form, an XOR operation is applied with the corresponding key symbol in bitwise form, for example: 144 00110001 = 1 • With the received value, the operation of the ⊕00100101= % remainder from division by 2 is performed. 0 0 0 1 0 1 0 0 = 𝐷𝐶4 • If a 1 is received, then the first key is used, According to the example, after the bitwise otherwise the second key is used. operator XOR was applied to the message Keys for encryption of randomly generated character “1,” the character DC4 (Device sequences have a fixed length, which is equal to Control 4) was obtained with the corresponding the length of the message and therefore to the key character “%” at the output. This operation length of the key that was generated randomly. takes place in a loop, for each pair of key and Predefined keys must be loaded during flashing of message values. After the end of the loop, the the limited device. The number of such keys may function returns an encrypted message in the form be different depending on the memory of the of a text variable, which is ready for transmission limited device or the possibility of using to the gateway. additional energy-independent memory in which the keys will be stored. Each limited device must have its own unique keys, so that if one device is compromised, the security of the entire system will not be compromised. The corresponding keys will be stored on the enterprise server, which will receive and decrypt the received data from the gateway. After choosing a predefined key, the encryption function is called again, but only to encrypt a randomly generated key. At the output, two text variables are obtained, which are the encrypted message and the encrypted key for decrypting the message. After that, these variables can be transferred through any unsecured data transmission channel. As a prototype, transmission through the UART interface is used. In a real system, any standard protocols for Internet of Things networks can be used: ZigBee, Thread, Z-Wave, MQTT, LwM2M [13, 14]. After sending the data, the next data packet is formed. The function of encryption and random sequence generation works very quickly even on limited devices, because it has a linear algorithmic complexity of the algorithm O(n). The data packet Figure 4: Block diagram of the operation of the sent to the gateway has the following form as in encryption function Fig. 5. The gateway, in turn, can work according to Upon completion of the encryption function, two scenarios depending on the needs of the one of the predefined keys is selected to encrypt system. In the first option, the gateway acts as a the key with which the message was ciphered. The simple intermediary between the server and the key is chosen randomly. Since two predefined limited device, that is, it uses standard keys were used in the system prototype, the communication protocols to transmit encrypted selection algorithm works as follows. The current data to the company’s servers without changing value is read on the unconnected analog input: packets. Figure 5: A data packet that is sent to the gateway 145 In the second option, if there is a need to character of the key is decrypted, but the key was perform calculations with the received data and generated on the limited device randomly. adjust the operation of the system, the gateway Accordingly, it is not possible to verify the itself decrypts the data and saves them in a format validity of the first character of the key, so with convenient for calculations. It is possible to allow the received key character, it is necessary to a mixed version of work, in which part of the data perform an XOR operation on the first character will be decrypted at the gateway, and part will be of the received message. sent to the server without changes. In this case, it is necessary to use different predefined encryption keys to encrypt the randomly generated keys for the server and for the gateway, so that in the event of a breach of the gateway, the data to be transmitted to the server remains protected. In any case, the software implementation of decryption and data storage in a convenient format will have approximately the same form (Fig. 6). The algorithm will perform the following steps: • Receiving an encrypted message over an unsecured channel. • Receiving an encrypted key to decrypt a message over an unsecured channel. • Selection of one of the predefined keys for decryption. • Decryption of the key. • Decoding the message. • Data storage in a convenient form for calculations option. The CSV format files are used as a prototype to create a data frame from the received data [15]. Figure 6: The general algorithm of decryption and The algorithm begins its work by receiving data storage data, to which two symbols have been added due to the peculiarity of sending through the UART Since the data is transmitted from the interface. The data is sent to the server and stored transmitters, then we can expect a certain symbol in the form of two arrays of the byte type (Fig. 7). of the message, which will already be some kind After receiving the data, the function of of information. But if the key was chosen selecting a predefined key (Fig. 8) is called to incorrectly, then there will be no useful decrypt the key with which the message was information in the message. So, you can check the encrypted. The function takes three arguments— first character of the message: if after decryption the first character of the received encrypted it represents the expected data, then the function message, the first character of the encrypted key returns the index of the current operation, and a list of predefined keys. accordingly, this is the index of the key in the According to the block diagram, the algorithm array that needs to decrypt the randomly iterates all the keys from the array of predefined generated key. After returning the index, the keys one by one. Two text variables are created to function completes its work so as not to perform store the first decrypted character. First, the first unnecessary operations. Figure 7: Data that is received by the server 146 If, in the case of packet exchange, the value could not be decrypted, then the function returns a value that is not included in the array index range, and further, the message will not be decrypted, since the key was not matched, and therefore the message did not come from the expected limited device. Figure 9: Block diagram of the decryption function After the loop is finished, the function returns the value of the decrypted text, which in this case is the key for the next call to the decryption function. After finding the required key and decrypting the encrypted key, the decryption function is called again, but now as arguments, the encrypted message and the key that was decrypted in the previous step are passed. At the output, the Figure 8: Block diagram of the predefined key function returns a decrypted message that looks selection function like this: 91.00,24.00,91.00,24.00, After choosing a predefined key, the function 91.00,24.00,91.00,24.00, for decryption is called (Fig. 9), which accepts 91.00,24.00,91.00,24.00, two arguments, the text to be decrypted and the 91.00,24.00,91.00,24.00, key for decrypting the text. The received 91.00,24.00,91.00,24.00. encrypted key as text and one key from the array Thus, the initial values transmitted from the of predefined keys whose index was found in the limited device were obtained. previous step are passed as arguments to the function. The first step initializes the variable in which 5. Analysis Results the decrypted text will be stored. In this case of the call, the decrypted randomly generated key Using the initial measured value for the will be stored in the variable to decrypt the initialization on the unconnected and ungrounded message. Next, in a loop that works for each analog input of the microcontroller and element in the array of text bytes, except for the performing several arithmetic operations last two characters that do not carry information according to the proposed algorithm, it is possible and are the end characters of the string added to generate a truly random sequence of characters, when sending, a bitwise exclusive OR operation as long as the length of the message, to ensure is applied to the corresponding element of the absolute cryptoresistance. selected key. If there is a need to perform calculations with the received data and adjust the system operation 147 on the gateway of the Internet of Things system [4] C. Bormann, M. Ersue, A. Keranen. model, it is necessary to use different predefined Terminology for Constrained-Node encryption keys to encrypt the randomly Networks, Internet Engineering Task Force, generated keys, for the server and for the gateway, 2014. so that in the event of a breach of the gateway, the [5] R. Chernenko, et al., Increasing the Security data to be transmitted to server, remained Level of Internet of Things Network Systems protected. Due to Data Encryption on Devices with Limited Computing Resources, 6. Conclusions Cybersecurity: Education, Science, Technology, vol. 3, no. 11, pp. 124–135. [6] C. Shannon, Communication Theory of The developed method makes it possible to Secrecy Systems, Bell System Technical eliminate the threat of unauthorized access to data Journal, vol. 28, no. 4, 1949, pp. 656–715. in the gateway-built-in sensor link by encrypting doi: 10.1002/j.1538-7305.1949.tb00928.x. data packets. [7] K. Rosen, Discrete Mathematics and Its Since these algorithms can be used on devices Applications, 6th Ed., McGraw-Hill Edu., with limited computing resources due to the 2006. minimization of calculations, since elementary [8] V. Sokolov, B. Vovkotrub, E. Zotkin, operations are used for encryption. Encryption Comparative Analysis of Throughput of reliability in this case is ensured by a unique Low-Power Wireless IoT Switches, encryption key for each data packet. To generate Cybersecurity: Education, Science, random key values, analog noises are used, read Technology, vol. 5, 2019, pp. 16–30. from the unconnected input of the [9] O. Semko, et al., Methodology of Intelligent microcontroller, so the resulting value is truly Routing Management in Conflicting Sensor random. Preset keys are used to encrypt the keys Networks of Variable Topology, Modern with which the encrypted message is ciphered. Special Equipment, vol. 55, no. 4, 2019, pp. Since message encryption keys are random and 64–76. unique, encrypting them with preset keys makes it [10] C. Henk, (2005). Encyclopedia of impossible for an attacker to learn the preset key. Cryptography and Security, Springer Science In further research, it is necessary to evaluate and Business Media. the reliability of the algorithm for generating [11] C. S. Petrie, J. A. Connelly, A Noise-based random numbers for key generation, in particular, IC Random Number Generator for the ability to influence analog noise using Applications in Cryptography, IEEE electromagnetic radiation and to analyze the Transactions on Circuits and Systems I: developed method of information encryption Fundamental Theory and Applications, using the criteria of various performance vol. 47, 2000. indicators such as execution time, power [12] N.G. Bardis, et al., True Random Number consumption, memory requirement for Generation Based on Environmental Noise performing calculations. Measurements for Military Applications, in 8th WSEAS International Conference on 7. References Signal Processing, Robotics and Automation, 2009. [1] N. Srivastava, P. Pandey, Internet of Things [13] A. Karpenko, et al., Ensuring Information (IoT): Applications, Trends, Issues and Security in Wireless Sensor Networks, Challenges, Materials Today, 2022. Cybersecurity: Education, Science, [2] F. Yuan, et al., Internet of People Enabled Technology, vol. 2, no. 10, 2020, pp. 54–66. Framework for Evaluating Performance Loss doi: 10.28925/2663-4023.2020.10.5466. and Resilience of Urban Critical [14] I. Opirskyy, et al., Problems and Security Infrastructures, Safety Science, vol. 134, Threats of IoT Devices, Cybersecurity: 2021, 105079. Education, Science, Technology, vol. 3, [3] S. Zeadally, A. K. Das, N. Sklavos, Crypto- no. 11, 2021, pp. 31–42. doi: 10.28925/ graphic Technologies and Protocol 2663-4023.2021.11.3142. Standards for Internet of Things, Internet of [15] CSV-1203, CSV File Format Specification, Things, vol. 14, 2021, 100075. 2012. 148