Haiku: Efficient Authenticated Key Agreement with Strong Security Guarantees for IoT

Abstract

IoT devices often gather critical information that needs to be communicated in a secure manner. Authentication and secure communication in an IoT environment can be difficult because of constraints, in computing power, memory, energy and network connectivity. For secure communication with the rest of the network, an IoT device needs to trust the gateway through which it communicates, often over a wireless link. An IoT device needs a way of authenticating the gateway and vice-versa, to set up that secure channel. The protocol for authentication and key exchange needs to also work in situations where one or both parties lose connectivity with the outside of their network (e.g., infrastructure failure, intermittent connectivity to the rest of the network, to save cost or power). We propose a lightweight authentication and key exchange protocol for IoT environments that is tailored to handle IoT-imposed constraints. In our protocol, the gateway and IoT device communicate over an encrypted channel that uses a shared symmetric session key which changes periodically (every session) in order to ensure perfect forward secrecy (PFS). We combine both symmetric-key and public-key cryptography based authentication and key exchange, thus reducing the overhead of manual configuration. We leverage on the digital certificate signed by the manufacturer that is typically provided to each device. We study our proposed protocol, called Haiku, where keys are never exchanged over the network. We show that Haiku is lightweight and provides authentication, key exchange, confidentiality, and message integrity. Haiku does not need to contact a trusted third party (TTP), works in disconnected IoT environments, provides PFS, and is efficient in compute, memory and energy usage.