TY  - GEN
A1  - Bock, Benedikt
A1  - Matysik, Jan-Tobias
A1  - Krentz, Konrad-Felix
A1  - Meinel, Christoph
T1  - Link Layer Key Revocation and Rekeying for the Adaptive Key Establishment Scheme
T2  - 2019 IEEE 5th World Forum on Internet of Things (WF-IoT)
N2  - While the IEEE 802.15.4 radio standard has many features that meet the requirements of Internet of things applications, IEEE 802.15.4 leaves the whole issue of key management unstandardized. To address this gap, Krentz et al. proposed the Adaptive Key Establishment Scheme (AKES), which establishes session keys for use in IEEE 802.15.4 security. Yet, AKES does not cover all aspects of key management. In particular, AKES comprises no means for key revocation and rekeying. Moreover, existing protocols for key revocation and rekeying seem limited in various ways. In this paper, we hence propose a key revocation and rekeying protocol, which is designed to overcome various limitations of current protocols for key revocation and rekeying. For example, our protocol seems unique in that it routes around IEEE 802.15.4 nodes whose keys are being revoked. We successfully implemented and evaluated our protocol using the Contiki-NG operating system and aiocoap.
KW  - IEEE 802.15.4
KW  - key management
KW  - key establishment
KW  - key revocation
KW  - rekeying
KW  - link layer security
KW  - MAC security
Y1  - 2019
SN  - 978-1-5386-4980-0
U6  - https://doi.org/10.1109/WF-IoT.2019.8767211
SP  - 374
EP  - 379
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Seidel, Felix
A1  - Krentz, Konrad-Felix
A1  - Meinel, Christoph
T1  - Deep En-Route Filtering of Constrained Application Protocol (CoAP) Messages on 6LoWPAN Border Routers
T2  - 2019 IEEE 5th World Forum on Internet of Things (WF-IoT)
N2  - Devices on the Internet of Things (IoT) are usually battery-powered and have limited resources. Hence, energy-efficient and lightweight protocols were designed for IoT devices, such as the popular Constrained Application Protocol (CoAP). Yet, CoAP itself does not include any defenses against denial-of-sleep attacks, which are attacks that aim at depriving victim devices of entering low-power sleep modes. For example, a denial-of-sleep attack against an IoT device that runs a CoAP server is to send plenty of CoAP messages to it, thereby forcing the IoT device to expend energy for receiving and processing these CoAP messages. All current security solutions for CoAP, namely Datagram Transport Layer Security (DTLS), IPsec, and OSCORE, fail to prevent such attacks. To fill this gap, Seitz et al. proposed a method for filtering out inauthentic and replayed CoAP messages "en-route" on 6LoWPAN border routers. In this paper, we expand on Seitz et al.'s proposal in two ways. First, we revise Seitz et al.'s software architecture so that 6LoWPAN border routers can not only check the authenticity and freshness of CoAP messages, but can also perform a wide range of further checks. Second, we propose a couple of such further checks, which, as compared to Seitz et al.'s original checks, more reliably protect IoT devices that run CoAP servers from remote denial-of-sleep attacks, as well as from remote exploits. We prototyped our solution and successfully tested its compatibility with Contiki-NG's CoAP implementation.
Y1  - 2019
SN  - 978-1-5386-4980-0
SN  - 978-1-5386-4981-7
U6  - https://doi.org/10.1109/WF-IoT.2019.8767262
SP  - 201
EP  - 206
PB  - Institute of Electrical and Electronics Engineers
CY  - New York
ER  - 