武傳坤

臨沂大學信息科學與工程學院, 臨沂276000

物聯(lián)網(wǎng)安全技術專欄

物聯(lián)網(wǎng)的概念已經(jīng)被提出 20 多年的時間了, 國內對物聯(lián)網(wǎng)技術和產業(yè)的重視是在 2009 年之后.從2009 年開始, 國家在物聯(lián)網(wǎng)相關領域無論從政策方面還是在資金方面都給予了高度的重視和支持.物聯(lián)網(wǎng)的概念經(jīng)過最初的熱捧階段, 到之后的冷卻階段, 再到后來的逐步落地階段, 物聯(lián)網(wǎng)相關技術和產品慢慢從虛無縹緲發(fā)展到實實在在的產業(yè)應用.物聯(lián)網(wǎng)系統(tǒng)和技術不僅應用于許多行業(yè)領域, 也在不知不覺中走進人們的日常生活: 智能家居、智慧交通、智慧醫(yī)療、智慧城市, 都是人們生活中能感受到的物聯(lián)網(wǎng)技術的產物.

同其他與網(wǎng)絡相關的信息技術一樣, 安全和隱私是物聯(lián)網(wǎng)系統(tǒng)不可或缺的技術支撐.然而, 雖然物聯(lián)網(wǎng)技術和產業(yè)在飛速發(fā)展, 但物聯(lián)網(wǎng)安全問題卻像個氣球一樣, 飄得很高, 卻只有一條細線落地.一方面,物聯(lián)網(wǎng)安全問題是個看不見效果的問題, 在經(jīng)濟指標導向下不具有競爭力, 企業(yè)在物聯(lián)網(wǎng)安全方面的投入看不到明顯的效果, 這就導致企業(yè)對物聯(lián)網(wǎng)安全領域的投入失去動力.另一方面, 具有輕量級特性的物聯(lián)網(wǎng)安全技術尚不成熟, 因此在物聯(lián)網(wǎng)設備和物聯(lián)網(wǎng)應用系統(tǒng)中, 物聯(lián)網(wǎng)安全技術的應用非常有限.

隨著物聯(lián)網(wǎng)技術和產業(yè)規(guī)模的發(fā)展, 網(wǎng)絡安全事件不可避免地會影響到物聯(lián)網(wǎng)系統(tǒng), 而物聯(lián)網(wǎng)安全事件對社會造成的影響會更大.2016 年 10 月份在美國東海岸發(fā)生的大規(guī)模分布式網(wǎng)絡拒絕服務攻擊(DDoS) 事件, 開始了典型的物聯(lián)網(wǎng)設備安全事件, 警醒了心存僥幸的物聯(lián)網(wǎng)設備制造商: 站在自己的角度評估黑客的攻擊能力, 可能要付出慘重的代價.

2017 年6 月1 日起, 國家《網(wǎng)絡安全法》正式施行, 這標志著中國已進入依法治理網(wǎng)絡, 依法保護網(wǎng)絡安全的時代.2019 年10 月26 日, 十三屆全國人大常委會第十四次會議表決通過《密碼法》, 該《密碼法》在2020 年1 月1 日起正式施行.這兩項法律為密碼技術對網(wǎng)絡時代的安全保護支撐作用提供了強有力的政策保護, 也將促進相關領域的政策制定、產業(yè)投入、技術開發(fā)和應用推廣.

在這樣一個背景下, 我們有幸在《密碼學報》組織一個《物聯(lián)網(wǎng)安全技術專欄》, 旨在將有關專家近期在物聯(lián)網(wǎng)安全領域的研究成果進行小規(guī)模的集中, 使物聯(lián)網(wǎng)安全問題得到國內學者更多關注.該專欄共收錄4 篇論文, 分別簡介如下:

論文《物聯(lián)網(wǎng)認證協(xié)議綜述》, 介紹了物聯(lián)網(wǎng)認證協(xié)議研究的背景以及近幾年物聯(lián)網(wǎng)認證協(xié)議的研究進展, 分析了物聯(lián)網(wǎng)認證協(xié)議與傳統(tǒng)計算機網(wǎng)絡認證協(xié)議的不同, 指出了物聯(lián)網(wǎng)認證協(xié)議中常用的技術和數(shù)學方法, 然后從用戶與設備認證、設備與服務器認證、設備與設備認證三個方面來介紹物聯(lián)網(wǎng)認證協(xié)議研究的最新研究成果, 最后討論了物聯(lián)網(wǎng)認證協(xié)議的未來研究方向.

論文《基于Augur 的交易者身份管理方案研究》, 使用Augur 的身份管理技術對區(qū)塊鏈進行研究, 探索區(qū)塊鏈應用的身份管理方案以及潛在風險, 并針對 Augur 的身份管理方案潛在風險和基于設計缺陷的攻擊提出了一個基于信譽評估的安全解決方案.該方案選取了6 個信譽指標和3 種信譽計算方法, 為交易者選擇有效市場及其他Augur 交易活動提供信譽依據(jù).

論文《一種基于PUF 的超輕量級RFID 標簽所有權轉移協(xié)議》, 針對RFID 標簽所有權轉移協(xié)議中存在的數(shù)據(jù)完整性受到破壞、物理克隆攻擊、去同步攻擊等多種安全隱私問題, 設計了一種基于物理不可克隆函數(shù)(PUF) 的超輕量級RFID 標簽所有權轉移協(xié)議.所設計的協(xié)議無須引入可信第三方, 通過標簽所有權的原所有者和新所有者之間的通信就可以完成所有權轉移.協(xié)議實現(xiàn)了 RFID 標簽所有權轉移之前的標簽原所有者與標簽之間的雙向認證、所有權轉移之后的標簽新所有者與標簽之間的雙向認證.論文通過對協(xié)議的安全性的形式化分析, 表明所設計的協(xié)議能夠保證通信過程中交互信息的安全性及數(shù)據(jù)隱私性.

論文《物聯(lián)網(wǎng)的OT 安全技術探討》, 介紹了操作安全(OT 安全) 的概念, 論述了物聯(lián)網(wǎng)的操作安全區(qū)別于傳統(tǒng)信息網(wǎng)絡安全的原因, 指出傳統(tǒng)網(wǎng)絡安全保護的主要是信息, 而操作安全保護的是控制.物聯(lián)網(wǎng)系統(tǒng)除了要保護信息安全外, 還需要對操作安全提供保護技術.操作安全是信息轉化為物理活動行為的安全問題, 其安全防護的目標與傳統(tǒng)的信息安全保護不同, 但有許多類似的實現(xiàn)技術.論文從操作安全的概念和操作安全保護技術的特點等方面予以分析, 并指出物聯(lián)網(wǎng)的操作安全與傳統(tǒng)信息安全的本質區(qū)別.論文也列出了一些物聯(lián)網(wǎng)領域有關OT 安全的技術問題.

物聯(lián)網(wǎng)安全技術專欄的以上幾篇論文包括一篇綜述性論文、兩篇安全方案設計方面的論文和一篇對某些新概念進一步剖析方面的論文.對物聯(lián)網(wǎng)安全這個新穎和充滿活力的領域來說, 還遠遠不能代表國內的研究現(xiàn)狀.無論如何, 希望這個專欄能吸引更多研究者對物聯(lián)網(wǎng)安全領域的關注, 更好地推動物聯(lián)網(wǎng)安全領域的研究, 進一步推動物聯(lián)網(wǎng)安全技術的產業(yè)應用.

The concept of Internet of Things (IoT for short) has been proposed for over 20 years.The booming development of IoT techniques and industrial applications in China started from 2009.Since then, the China government has paid much attention and given much support both in policy making and financial support.The development of IoT has gone through the processes of concept proposal and initial interest, enthusiasm cooling down, and graduate applications.Now the IoT related applications cover a large variety of industries.The IoT techniques and applications have also been in our everyday life, such as smart home, smart transport systems, WIT120, and smart city.

As in other network related information technology, security and privacy in IoT systems are core components.However, irrespective of the repaid development of IoT techniques and industrial applications,the IoT security techniques are like balloons–flying in the sky with a thin string connected to the ground.The reasons for this situation include the following: on one hand, the IoT security has invisible effect, and is less attractive when financial figure is the most significant measure, hence industries do not have much interest in paying for the IoT security services, and the government has also been very careful in investigating to this field.On the other hand, many IoT security techniques need to have the feature of being lightweight, such techniques are far from being mature, and hence the application of IoT security techniques to IoT applications has been very limited.

With the development of IoT techniques and IoT industries,network security events will inevitably affect the IoT application systems.IoT security events may have more serious social effect than traditional network security events.For example, in October of 2006, the US east coast experienced a large scale DDoS attack, where a large number of IoT devices are involved in the attack, which waken many manufactures of IoT devices who used to have a fluke mind of mot having IoT security problems so soon.The security event warns the IoT device manufactures that, painful price may have to be paid if the hackers’ attack is underestimated.

In 2017, the “Network Security Law” has been put into effect, which indicates that China has come into the era when the networks are managed according to the law.In 2019, China has lunched the “Cryptography Law” which will take effect from 1st, January of 2020.These two laws provide strong policy support to the applications of cryptographic techniques in this networked word, and will further foster new policies, industry investigation, technology development, and applications.

In such a background, it is our owner to organize such a special column of“Security Techniques in Internet of Things”for the Journal of Cryptologic Research,aiming at collecting recent research results in the field of IoT security from relevant researchers, hence to attract more researcher pay attention to the IoT security.This special column includes 4 papers, they are introduced as follows:

The paper titled “A survey on authentication protocol for Internet of Things” introduces the background and some recent research progress of authentication protocols of Internet of things.The paper analyzes the differences between Internet of things authentication protocols and traditional computer network authentication protocols, summarizes the techniques and theoretical methods commonly used in IoT authentication protocols.It introduces some most recent research results of Internet of things authentication protocols from three aspects: authentication protocols between a user and an IoT device, between an IoT device and a server, and between IoT devices.Some future research directions are also discussed.

The paper titled “Research on trader identity management scheme based on Augur” studies the application of Augur’s identity management techniques in blockchain applications, explores some potential risks of the identity management techniques in blockchain applications, and proposes a security solution based on reputation assessment for Augur’s identity management scheme.The proposed scheme selects 6 credit indicators and 3 credit calculation methods to provide a credibility basis for traders to choose effective market and other Augur trading activities.

The paper titled “A PUF-based ultra-lightweight ownership transfer protocol for low-cost RFID tags” proposes an ultra-lightweight ownership transfer protocol for low-cost RFID tags based on the techniques of physically uncloneable functions(PUFs).The proposed protocol aims at various security and privacy issues such as data integrity destruction, physical cloning attacks, and desynchronization attacks in the RFID tag ownership transfer protocols.In the proposed protocol, the current owner and the new owner of an RFID tag can communicate directly to complete the ownership transfer, and does not need to rely on a trusted third party.The proposed protocol achieves mutual authentication between the current owner of the tag and the tag before the completion of the ownership transfer, and the mutual authentication between the new owner of the tag and the tag after the completion of the ownership transfer.Formal security analysis shows that the proposed protocol can ensure the security of interactive information and data privacy in the process of communication.

The paper titled “A primary study on the OT security of IOT” introduces the concept of operational security(OT security for short),discusses the necessity of OT security in IoT systems apart from information security (known as IT security).The OT security is a security technique in the process of converting information into physical actions, where the purpose of security protection is different from that of traditional information systems.The paper points out some essential differences between the OT security and the traditional IT security.Some possible research topics about the OT security for IOT are listed.

The above mentioned papers in this special column of IoT security techniques include one survey paper, two papers about security protocol design, and one paper about further discussion of new concepts.For the new and active field of IoT security, these papers are far from being sufficiently representing the current research status in China.Nevertheless, it is hopped that this special column of the JCR can attract more researchers to pay attention to the field of IoT security, hence to promote the advances of IoT security research, and the industrial applications of IoT security techniques.