TY - GEN
T1 - Questioning the security and efficiency of the ESIoT approach
AU - Diop, Aïda
AU - Gharout, Saïd
AU - Laurent, Maryline
AU - Leneutre, Jean
AU - Traoré, Jacques
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/6/18
Y1 - 2018/6/18
N2 - ESIoT is a secure access control and authentication protocol introduced for Internet of Things (IoT) applications. The core primitive of ESIoT is an identity-based broadcast encryption scheme called Secure Identity-Based Broadcast Encryption (SIBBE). SIBBE is designed to provide secure key distribution among a group of devices in IoT networks, and to enable devices in each group to perform mutual authentication. The scheme is also designed to hide the structure of the group from nodes outside of the group. We identify multiple efficiency and security issues in this primitive that prove SIBBE unsuitable for IoT applications. First, we show that, contrary to what was claimed, the size of the ciphertexts generated by the encryption function is not constant but in fact linear in the number of devices in the group. Additionally, we demonstrate that the encryption and decryption costs are also linear in the number of nodes in the group, implying scalability issues and thus inefficiency for IoT applications. In terms of security, we prove that SIBBE does not achieve the desired property of anonymity and allows an attacker to gain information on the structure of any given group. Finally, we demonstrate that SIBBE does not achieve the claimed chosen-ciphertext security. We do, however, prove its security for a weaker security notion (namely selective-ID indistinguishability against chosen-plaintext attacks) under a variant of the GDDHE assumption.
U2 - 10.1145/3212480.3212491
DO - 10.1145/3212480.3212491
M3 - Conference contribution
AN - SCOPUS:85050907938
T3 - WiSec 2018 - Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks
SP - 202
EP - 207
BT - WiSec 2018 - Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks
PB - Association for Computing Machinery, Inc
T2 - 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2018
Y2 - 18 June 2018 through 20 June 2018
ER -