Research and Implementation of Gateway Security
Technology in Internet of Things
Yi-qin BAO and Wan-li SONG*
Nanjing Xiaozhuang University, Nanjing, China, 211171 *Corresponding author
Keywords: Internet of things gateway, Home network, Public key cryptography.
Abstract. This article introduces the existing home gateway architecture, discusses its security risk, and researches and implements a security algorithm to ensure reliable communication between home network and mobile Internet, in view of the increasing popularity of home networking gateway and Internet connection communication security issues. The algorithm takes the public key cryptography as the core, gives the concrete implementation algorithms and procedures, and for the lack of public key encryption, the standard communication protocol is extended and MD5 hash algorithm is used, to solve the problem of data encryption and decryption, and prevents the attack of the middleman. It provides a safe environment to communicate between home network and the Internet.
Introduction
The Internet of things was proposed by Kevin Ashton in 1998, it can be regarded as another wave of information industry after computer. The Internet of things is an information carrier based on the Internet and traditional telecommunication networks, to make all common physical objects that can be independently addressed to interconnect. Compared with the Internet, it has a more comprehensive connectivity, and through the Internet of things can make the physical world and the information world merge with each other.
With the development of science technology and the improvement of people’s living standard, traditional home appliances have gradually developed to the direction of intelligence, which need to achieve intelligent monitoring and control. And a large number of embedded devices urgently need network connectivity to enhance their service capabilities and application value, such as electric appliances, electric cookers, microwave ovens, air conditioners, washing machines etc. They all need to be connected with the Internet to realize the communication between the home network and the outside world. Therefore, it is necessary to design a home networking gateway with the combination of embedded system and network. It can make the embedded devices such as home appliances connect with the Internet through the home gateway, and realize the remote control of the smart home.
The home networking gateway connects multiple devices and appliances within the home, so establishing a communication network and accessing the Internet network at home, communication security problems associated with Internet will exist.
Internet of Things Gateway
Internet of things gateway architecture. As shown in figure 1, the Internet of things gateway connects smart home appliances and the Internet. In the system architecture, the mobile terminal or the network terminal passes the Internet realizing the connection with the home network through the Internet of things gateway, and the remote monitoring and control of the home appliance.
Figure 1. Internet of things gateway architecture.
Figure 2. Encryption and decryption process.
The effect of the Internet of things gateway. The Internet of things gateway plays an important role in the Internet of things architecture. The home network uses a lightweight network, to achieve the connection between it and the Internet, there must be a device to complete the connection of two networks. This device is used as a network bridge to complete the hardware interface and software protocol conversion, and the key device is the Internet of things gateway. Viewed from the network architecture, the home networking gateway is the connecting point between the external Internet and the home network; The home gateway is the management center of smart home equipment from the security point of view, which is responsible for the management and centralized control of home appliance equipment, including equipment networking, equipment safety, equipment control, etc., it prevents family networks from being threatened by external networks.
The traditional gateway is usually implemented by PC, although this method has many advantages, but it also has shortcomings, such as large size, power consumption, high cost. So we consider using embedded system ARM-Linux to implement the home gateway. The embedded system is used to implement the home gateway, called the embedded home networking gateway.
Embedded Home Networking gateway not only has the function of common access device, but also should consider the security of gateway. It should have the ability of data encryption and secure communication when the gateway communicate.
Internet of Things Gateway Security Status
The Internet of things gateway connects the home appliance network and the Internet, and has the same security problems like the common computer and the Internet. At present, there are many security threats and attacks in the gateway of home networking. There are the following several kinds of security threats and attacks:
(1) Illegal connections, system intrusions. Obtain important data or implement system destruction through network detection, illegal connections, etc..
(2) Network monitoring, acquire passwords. Through network monitoring, analysis of data transmission network, access to passwords and other important information.
[image:2.612.177.433.254.308.2]Therefore, the gateway of the Internet of things must take corresponding security measures to protect the security of the home network and maintain the reliability of the communication. It is more important that we use embedded Internet gateway to solve its security problems for the home network consisting of all kinds of embedded home appliances.
Gateway Security Technology of Internet of Things
In the communication between home equipment and external network, in order to prevent network intrusion, illegal connections, information tampering and other intrusions, it is necessary to adopt security technology in the home network:
(1) Implementing dynamic keys; (2) Encrypt the communication data; (3) Take an attack against middlemen.
Nowadays, cryptography has been widely used, and the common encryption algorithms are: Symmetric cipher, asymmetric cipher and message digest (one-way hash function) algorithm. We use Diffie-Hellman cryptography security algorithm [6] and MD5 algorithm [7] to solve the encryption and decryption of data, and prevent the attack of the middleman in this article. In communication, the communication keys are different from each other, and the data is encrypted and transmitted by key, which guarantees the realization of (1), (2) technology. Otherwise, by means of communication protocol extension and the use of MD5 hash algorithm, the implementation of (3) technology is guaranteed, thus ensuring the security of the Internet of things gateway.
Networking security algorithm. Networking security algorithms are mathematical functions used for encryption and decryption. Under normal circumstances, two related functions, E and D:E, are used as encryption, and D is used as decryption. The plain text is represented by M, the cipher text is represented by C, and the encryption function E is applied to M to get cipher text C, mathematically expressed as: C = E (M). Instead, the decryption function D acts on C to produce M and is mathematically represented as: M=, D (E (M)).As shown in Figure 2:
Diffie-Hellman algorithm is a public key algorithm, namely: the two sides open an integer g, a prime number N, exchange their public keys X and y, to calculate the same secret key K1 and K2 by calculating the secret key of K1 and K2 to encrypt and decrypt the message. Its theoretical basis is: the complexity of discrete logarithm calculation, known as X=gx mod N, X is infeasible to calculate.
MD5 (Message-Digest Algorithm 5) is a secure hash algorithm that inputs two different plain text and does not yield the same output value. The original plain text can’t be obtained according to the output value. That is, the process is irreversible. So to decrypt the MD5, there is no ready-made algorithm. You can only use the brute force method to make possible plain text.
In this article, two algorithms are combined in the design, 1) Firstly, using the Diffie-Hellman cryptography algorithm, both sides produce their private keys and calculate the public key to each other. Each secret key is calculated for encryption and decryption of data. 2) In communication, the MD5 security hash algorithm is used to check whether the secret key is consistent and prevent the middleman from attacking. If we want to decipher the secret key encrypted by MD5 algorithm, we can only use exhaustive method. Moreover, the secret key calculated by the Diffie-Hellman algorithm is different each time, so it is almost impossible to break a secret key, so as to achieve the purpose of data security.
Step 1: Gateway and intelligent terminal, open agreement g, N.
Step 2: Smart terminal generates a random number x as its own private key and calculates X = gx mod N, and X as the public key, which is transmitted to the gateway via the network.
Step 3: After the gateway receives the X, it generates a random number y as its own private key, and calculates Y = gy mod N, Y is used as an open secret key to be transmitted to an intelligent terminal via a network. At the same time, K2 = Xy mod N = gxy mod n are calculated as private keys for encryption and decryption.
Step 4: After the mobile terminal receives the Y, it calculates the K1 = Yx mod N = gxy mod N, as the private key used for encryption and decryption.
Step 5: Because of K1 = K2, when communicating with the intelligent terminal, the gateway has a common private key to realize the data encryption and decryption, so as to ensure the encryption security of the whole system.
Implementation of C Program
Sub-procedure 1: Producing an integer from 0 to RAND_MAX randomly.
Sub-procedure 2: Calculating gx mod N; In the implementation of computational GX programming, something needs to be noted: To prevent GX data overflow, such as 5^97 data is too large, the method of cyclic computing is adopted.
Sub-procedure 3: Smart terminal generates the private key X and calculates the public key X which are transmitted to the gateway.
Sub-procedure 4: The gateway generates the private key y and calculates the public key Y which are transmitted to the intelligent terminal.
Sub-procedure 5: Smart terminal calculates the private key K1, which is used to encrypt the data and decrypt the data.
Sub-procedure 6: The gateway calculates the private key K1, which is used to encrypt the data and decrypt the data.
[image:4.612.108.499.351.668.2]Simulation result analysis. Public: g = 5, N = 97, 3 sets of simulation data are as Table 1. Table 1. Test data.
1st set 2nd set 3rd set
A's private key x 36 12 27
A's public key X 50 64 42
Private key A calculated by K1 75 40 59
B's private key Y 58 25 32
B's public key Y 44 27 22
Private key B calculated by K2 75 40 59
Table 2. Frame format.
Data domain Identification
Start character 68H
Length L
Length L
Start character 68H
Control domain C
Address field A
Link user data DATA
Check sum CS
End character 16H
[image:4.612.176.439.433.678.2]Analysis conclusion: Each time the public key of the communication is different, the private key used for encryption and decryption is different, which solves the problem of dynamic key and data encryption.
However, the algorithm also has shortcomings. In communication, there is no way to prevent replay attacks, and a problem of being vulnerable to middleman attacks exists.
Secure communication of data. Communication of data can easily be attacked by middlemen, for example, the third party C acts as a B in communicating with the A; or acts as a A in communicating with the B; Both A and B negotiates a key with the C, and then the C can monitor and communicate the communication information. The middle man attack follows:
B sends his public key in the message to A. C intercepts and parses the message. C saves the B public key and sends the message public key Yc to A, is still sent as if it were from B, and when A receives the message from C, it stores the Yc and B messages in one block. Similarly, C uses Yc to send messages to B just like from A. B based on private keys Xb and Yc calculates the secret key K1; A based on private keys Xa and Yc calculates the secret key K2; C uses private keys Xc and Yb to compute K1, and uses Xc and Ya to compute K2.From now on, C can forward A messages to B or forward B messages to A. On the way, their cipher text is modified as needed, so that neither A nor B knows that they share communication with C, but K1 and K2 are unequal.
In view of the above intermediate attacking, the problem is solved in the design by extension of communication protocols. Firstly, exchange public keys first. Secondly, encrypt the computational private keys K1 and K2 by exchanging a shared key, and identify whether they are consistent, such as whether the K1 is equal to K2, prevents middlemen from attacking. When identifying computational private keys K1 and K2, they are encrypted and transmitted through the MD5 operation, using the irreversibility of the MD5 algorithm, to prevent eavesdropping and ensure the calculation of private key security. If you want to decipher the secret key of the MD5 algorithm, you can only use the exhaustive method, and each time the calculated secret key is different. Therefore, by checking MD5 encrypted packets to prevent the calculation of private key eavesdropping, thus preventing the middleman attacks.
This communication protocol is based on the Q/GDW 130-2005 data transfer protocol [8]( standard protocol), and extends two commands for data security. In the protocol, the master station transmits the data to the slave station in the form of data frame. The salve station received the data and then sent a data frame containing different control codes to the master station. The protocol data frame format is shown in Table 2, where 68H is the starting character, A is the address field, C is the control domain, and L is the length, double byte length. Set up two L for comparison to enhance reliability. DATA is the link user data, CS is the sum of all byte modulus 256 from the start of the frame to the check sum, so as to guarantee the correctness of the transmitted data.
In the frame format, the link user data contains all user type data, and different types of user data are distinguished by the function code and the data unit identification. As shown in Table 3.
Table 3. Link user data frame format. Data domain Identification
Application layer function code AFN
Frame sequence field SEQ
Data unit identifier (1-N) DA, DT
[image:5.612.200.413.579.698.2]Data unit (1-N) UNIT
Table 4. Data implications(AFN=11H). Data unit identifier Data unit
F1 Public key X and Y
F2 MD5 encrypted private key
F1 The data unit refers to the public key of both sides, and achieves the purpose of calculating the same secret key between the two parties.
F2 A data unit is a private key that is calculated by MD5 encryption.
First, the master station and the slave station exchange public keys X and Y via the F1. The two sides calculated the K1 and K2 through the Diffie-Hellman password algorithm. Second, The master station transfers MD5 (K1) to the slave station via F2,and the salve station check whether the MD5 (K1) is consistent with MD5 (K2). If correct, the master station is successfully connected to the slave station. In this way, both sides can encrypt and decrypt data through K1 and K2; If not, there is a middle attack and both connections are disconnected. Thus, through the expansion of AFN and the MD5 encryption algorithm, the goal of preventing intermediate attack is achieved.
Conclusion
The gateway of home networking is the key intermediate hub of the intelligent home system, and its security is related to the security and reliability of the system. In this paper, through the research of public cryptography and the extension of communication protocol and MD5 hash algorithm, dynamic key generation, data encryption and decryption are achieved. At the same time, the middleman attack is prevented. This effectively ensures the communication and data security of the smart home system. Simulation results show that the gateway designed in this paper has high security and practicability. It can effectively monitor and control the household appliances through intelligent terminals.
Acknowledgement
This work was partially supported by the following research grants: (1) No. BM2013123 from the Jiangsu Engineering Research Center for Networking of Elementary Education Resources and (2) No. 2016NXY46 from the Research Foundation of Nanjing Xiaozhuang University.
References
[1] Elson J., Girod L., Estrin D. Fine-grained network time synchronization using reference broadcasts. Fifth Symposium Operating Systems Design and Implementation, Boston, Massachusetts, USA, 2001: 1-2.
[2] Wu Zhengqiang, Zhou Yanwei, Ma Jianfeng. Secure transfer model of Internet of things. Journal of Computer Science. 2011; 8(34): 1351-1364.
[3] Bose I, Pal R. Auto-ID: managing anything, anywhere, anytime in the apply chain. Communications of the ACM, 2005; 48(8): 100-106.
[4] Wangqian, Zhen Shuquan, Ding Zhigang, Nanchao. Design and implementation of a "one master, multi slave" gateway system for Internet of things. [J]. Computer applications and software. 2015, 32(1): 118 - 120, 166.
[5] Zhen Bigeng, Wangheng. Design of low energy consumption gateway for smart home and improved UDP protocol. Science, technology and Engineering. 2014, 14(7).
[6] YiTong, Chen Hongchao, Wu Dailin. Improved password based three party key exchange protocol. [J] Computer applications and software. 2013, 30(4): 313-315.
[7] Fang Yanfei, WangJun, He Wangquan. Real time detection of file integrity based on multilayer MD5 message digest. [J] Computer applications and software. 2015, 32(1): 20 -23.
