Abstract
With the rapid development of the Internet of Things (IoT), the number of IoT devices has grown exponentially, and IoT security has drawn correspondingly more attention. IoT device integrity is usually verified by software attestation, so that tampering with system integrity caused by malicious software running on a device can be detected in time. Existing IoT software attestation, however, performs poorly when a large population of devices must be attested synchronously, and general-purpose IoT communication protocols are difficult to extend with attestation messages. To address these problems, this paper proposes a lightweight asynchronous integrity monitoring scheme: it extends the general-purpose MQTT (message queuing telemetry transport) protocol with software attestation authentication messages and pushes device integrity information asynchronously, improving the efficiency of integrity attestation and verification while preserving the security of the IoT system. The scheme provides three security functions: device integrity measurement implemented as a kernel module, a lightweight MQTT-based authentication extension for device identity and integrity, and asynchronous integrity monitoring over the extended MQTT protocol. It resists common software attestation attacks and MQTT protocol attacks, and is characterized by lightweight asynchronous software attestation and a general MQTT security extension. Experiments on an MQTT-based IoT authentication prototype show high performance for integrity measurement of IoT nodes, MQTT connection authentication, and PUBLISH message authentication, all of which meet the application requirements of integrity monitoring for massive numbers of IoT devices.
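As an added illustration, not code from the paper (whose exact message format, key scheme and kernel-module interface are not given in this abstract), the following Python sketch shows the shape of such an asynchronous attestation exchange: the device measures a constructed file set with SHA-256 (standing in for the kernel measurement module), authenticates the report with a pre-shared per-device HMAC key, and carries it in an MQTT 3.1.1 PUBLISH packet; the monitor verifies the MAC, rejects replayed reports with a monotonic counter, and compares the measurement list against a known-good list. The device identity, key, topic and file contents are all constructed for the example, and the pre-shared HMAC key is an assumption, not the paper's key management.

```python
"""Illustrative asynchronous integrity monitoring over MQTT PUBLISH.

Added example; assumes a per-device pre-shared HMAC key, a JSON report
body and a monotonic counter for freshness. Nothing here is the paper's
actual wire format.
"""
import hashlib
import hmac
import json
import struct

DEVICE_ID = "meter-0001"                         # hypothetical device identity
DEVICE_KEY = b"example-psk-for-meter-0001-only!"  # constructed pre-shared key
TOPIC = "attest/meter-0001"                      # hypothetical report topic

# Constructed stand-in for what a kernel measurement module would hash
# (path -> file contents); a real module measures code as it is loaded.
GOOD_FILES = {"/sbin/init": b"init-v1", "/lib/modules/meter.ko": b"meter-ko-v1"}


def measure(files):
    """Integrity measurement: SHA-256 of each measured object."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def aggregate(ml):
    """Order-independent digest over the whole measurement list."""
    return hashlib.sha256("".join(f"{p}:{ml[p]}" for p in sorted(ml)).encode()).hexdigest()


def canonical(body):
    """Deterministic serialization so the MAC is stable across encoders."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


EXPECTED = measure(GOOD_FILES)  # verifier's known-good reference list


def build_report(files, counter, key=DEVICE_KEY):
    """Device side: measurement list + counter, authenticated with HMAC-SHA256."""
    ml = measure(files)
    body = {"dev": DEVICE_ID, "ctr": counter, "agg": aggregate(ml), "ml": ml}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": tag}, sort_keys=True).encode()


def encode_publish(topic, payload):
    """Minimal MQTT 3.1.1 PUBLISH packet, QoS 0 (fixed header 0x30)."""
    var = struct.pack("!H", len(topic)) + topic.encode() + payload
    rem, n = b"", len(var)
    while True:  # MQTT variable-length 'remaining length' encoding
        byte, n = n % 128, n // 128
        rem += bytes([byte | (0x80 if n else 0)])
        if not n:
            break
    return b"\x30" + rem + var


def decode_publish(pkt):
    """Parse a QoS 0 PUBLISH back into (topic, payload)."""
    if pkt[0] & 0xF0 != 0x30:
        raise ValueError("not a PUBLISH packet")
    i, mult, n = 1, 1, 0
    while True:
        b = pkt[i]
        i += 1
        n += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
    tlen = struct.unpack("!H", pkt[i:i + 2])[0]
    topic = pkt[i + 2:i + 2 + tlen].decode()
    return topic, pkt[i + 2 + tlen:i + n]


class Verifier:
    """Monitor side: authenticate, check freshness, then compare measurements."""

    def __init__(self, keys, expected):
        self.keys, self.expected, self.last_ctr = keys, expected, {}

    def verify(self, payload):
        msg = json.loads(payload)
        body = msg["body"]
        key = self.keys.get(body["dev"])
        if key is None:
            return "unknown-device"
        want = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, msg["mac"]):
            return "bad-mac"
        if body["ctr"] <= self.last_ctr.get(body["dev"], 0):
            return "replay"          # counter must strictly increase per device
        self.last_ctr[body["dev"]] = body["ctr"]
        if aggregate(body["ml"]) != body["agg"]:
            return "bad-aggregate"
        bad = sorted(p for p in set(self.expected) | set(body["ml"])
                     if self.expected.get(p) != body["ml"].get(p))
        return "ok" if not bad else "tampered:" + ",".join(bad)


if __name__ == "__main__":
    v = Verifier({DEVICE_ID: DEVICE_KEY}, EXPECTED)
    topic, payload = decode_publish(encode_publish(TOPIC, build_report(GOOD_FILES, 1)))
    print(topic, v.verify(payload))
```

The MAC is computed before the counter is updated, so a forged report cannot advance the verifier's counter, and the counter check runs before the measurement comparison so a replayed good report from a device that was later compromised is not accepted as fresh evidence. The CONNECT-time identity authentication the abstract mentions is not shown here; only the PUBLISH report path is modelled.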
Authors
QI Bing (齐兵)
QIN Yu (秦宇)
LI Min-Hong (李敏虹)
XIE Hong (谢宏)
SHANG Ke-Tong (尚科彤)
FENG Wei (冯伟)
LI Wei (李为)
Affiliations: University of Chinese Academy of Sciences, Beijing 100049, China; Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; Shenzhen Power Supply Co. Ltd., Shenzhen 518028, China
Source
Computer Systems & Applications (计算机系统应用), 2022, No. 11, pp. 68-78 (11 pages)
Funding
National Key R&D Program of China (2020YFE0200600)
National Natural Science Foundation of China (61872343)
Youth Innovation Promotion Association of the Chinese Academy of Sciences
Keywords
IoT security
integrity measurement
message queuing telemetry transport (MQTT) protocol security extension
software attestation
trusted computing