Security and Privacy in IoT Challenges to be won

(1)

DINFO

Dipartimento di Ingegneria dell’Informazione Department of Information Engineering

Security and Privacy in IoT

Challenges to be won

June 16-18, 2015 CHIST-ERA Conference 2015 1

Enrico Del Re

University of Florence and CNIT

Italy

(2)

DINFO

FROM WHERE WE START…..

(3)

DINFO

3

ICT-related activities in Horizon2020 - an Overview

(4)

DINFO

4

ICT-related activities in Horizon2020

(5)

DINFO

5

IEEE ComSoc

Vision of the future top technologies



5G



Fiber everywhere



_{Virtualization, SDN & NFV}



_{Everywhere connectivity for IoT and IoE}



_{Cognitive networks, Big data}



Cybersecurity



Green communications



_{Smarter smartphones and connected devices}



_{Network neutrality, Internet governance}



_{Molecular communications}

(6)

DINFO

6

IEEE CompSoc

Vision of the future top technologies

(7)

DINFO

7

Cloud Computing and Internet of Things

 _{Assumption that the recent steady advances in microelectronics,}

communications and information technology will continue into the foreseeable future

 _{CC and IoT}_potentially_{can provide breakthroughs and enormous benefits to}

the society and persons (e.g. e-Health applications and services to disabled and elderly people, environment control and security,…)

 _{However, technical flaws and threats of intrusions might significantly lower}

the benefits of the new developments. Traditional protection techniques are insufficient to guarantee users’ security and privacy within the future

framework

 _{Users not trusting in the new technologies could}_{refuse partially or totally}

the new services

 _{Or, worse, they could become the}_{new future slaves}_{of a few big players}

(8)

DINFO

Some Security threats in IoT

cloning of smart things by untrusted manufacturers

malicious substitution of smart things during installation firmware replacement attack

extraction of security parameters since smart things may be physically unprotected eavesdropping attack if the communication channel is not adequately protected man-in-the-middle attack during key exchange

routing attacks

denial-of-service attacks privacy threats

(9)

DINFO

Some EU Statements on IoT Security and Privacy

Design from the start to meet:



The right of deletion



The right to be forgotten



Data portability



Privacy and data protection principles

with two general principles



The IoT shall not violate human identity, human integrity,

human rights, privacy or individual or public liberties.



_{Individuals shall remain in control of their personal data}

generated or processed within the IoT, except where this

would conflict with the previous principle.

(10)

DINFO

10

Trustworthy user-centric IoT

 _{Widely acknowledged need to guarantee both technically and regulatory the}

neutrality of the future internet

 _{All aspects of security and privacy of the user data must be under the control of}

their original owner by means of as simple and efficient technical solutions as possible (user-controlled security)

 _{This challenging technical approach}_{is not the only problem}

 _{Different security and privacy applicable laws in}_{different countries}  _{Different (i.e. opposite) business views from}_{big players}

 _{A fundamental and}_unbiased_{(i.e. public) research action on this topic is}

necessary built on a holistic view for all IoT elements at all stages

 _{Last but not least,}_{user and social involvement}_{since the beginning for two}

main reasons:

• Final users education and awareness of their IoT rights • Technical solutions to satisfy shared and agreed objectives

(11)

DINFO

Information-centric security

 _{Shift from protecting data from the outside (system and applications}

which use the data) to protecting data from within

 _{Put intelligence in the data itself}

 _{Data needs to be self-describing and defending, regardless of the}

environment

 _{Data needs to be encrypted and packaged with a usage policy}

 _{When accessed, data should consult its policy and attempt to re-create}

a secure environment using virtualization and reveal itself only if the environment is verified as trustworthy

 _{Information-centric security is a natural extension of the trend toward}

finer, stronger, and more usable data protection

R. Chow, et al., Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control, ACM CCSW’09, 2009

(12)

DINFO

…….LOOKING FORWARD…….

(13)

DINFO

• Secure Communication: Message Security

–

How to protect messages confidentiality and integrity?

• Lightweight IPsec, Lightweight DTLS, IEEE 802.15.4 Security

• Secure Network: Intrusion Detection

–

How to protect nets from attacks?

• new Intrusion Detection Systems (IDSs)

• Secure Device: Data Security

–

How to securely store data?

• combining secure storage and communication for

IP6LoWPAN networks

(14)

DINFO

Encryption



Lightweight crypthography

• efficiency of E2E communication

• applicability to low resource devices



Homomorphic encryption

• processing carried out on cyphertext, generating an

encrypted result that, when decrypted, gives the result

of operations performed on the plaintext.



Quantum cryptography

• Optical networks



Physical layer cryptography

(15)

DINFO

Information and media authentication



IoT will be more and more populated with contents directly generated

by the users, according to a typical peer-to-peer communication

paradigm.



_{The ease with which false information can be diffused on the web}

increases doubt on the validity of the information gathered “on-line”

as an accurate and trustworthy representation of reality



_{visual signals are the preferred means to get access to information}

• immediacy

• supposed objectivity



_{But can we trust visual data?}

• manipulation of visual data is becoming common

• Examples in several fields: propaganda, gossip, fashion …

(16)

DINFO

Multimedia Forensics



It aims at extracting important information on the history of

audio-visual contents



Idea: inherent traces (like digital fingerprints or footprints) are

left behind in a digital media during creation phase and any

further successive processing



These digital traces are extracted for understanding the history of

digital content



_{2D-3D data protection and anticounterfeiting (watermarking)}

(17)

DINFO

Necessary Breakthroughs



_{Information retrieval and data mining in a big data scenario}

• contextual and semantic

information to help media

authentication in the extreme heterogeneity of the data

available on the web



_{Social studies}

• what

impact on society

of counterfeited information in the web and

mechanisms to minimize such an impact



_{Social computing}

• social authentication model

: technological tools with social

computing mechanisms together for information verification



_{Legal aspects}

• Ideally same regulations along the whole web

(18)

DINFO