Efficient kerberos authentication scheme for cross-domain systems in industrial internet of things using ECC

The advent of Industry 4.0 has propelled the Industrial Internet of Things (IIoT) as one of the essential enabling technologies for its successful adoption and implementation. IIoT links devices and enables connection and access to the Internet, providing various manufacturing and industrial practices services. These services are usually supplied with network and Internet security inside a cloud-based environment. Inter-connectivity capabilities make it possible for devices to work collaboratively to significantly improve efficiency and productivity with the assistance of automation. However, machines from different domains collaborate on the same data and task, raising security and privacy concerns about cross-domain communications. Many existing schemes have been proposed trying to meet the security and functionality of the cross-domain systems. These existing schemes, however, rely on different types of cryptographic methods that usually have high computation complexity. In addition, the communication between each participant via the public channel must be comprehensively secured against eavesdropping, altering, tampering, and impersonation attacks. Cybercriminals can take advantage of insecure communication to perform attacks that lead to compromises and intrusions. These cyberattacks against industrial entities, for common attacks examples, Trojan Horses, replay and man-in-the-middle, can lead to security compromises including espionage, sabotage, and ransomware. Solutions for these cyber security problems and threats are still not satisfactory. Furthermore, most of the current authentication schemes designed for IIoT connected devices rely on reliable and continuous network connectivity. The users of the IIoT connected devices should be able to authenticate and communicate even when the Internet connections are intermittent and not available. A new multi-factor authentication scheme is designed using the AES-ECC algorithm based on Kerberos workflow to establish secure, efficient, and lightweight communication between the user and the targeted IIoT devices to avoid the issues. ECC encrypts and transfers the private keys as AES private keys in the proposed scheme, while AES encrypts the plain text (communication data). The design combined symmetric key encryption (AES) for the message encryption with the asymmetric key encryption (ECC). This combination provides a secure key management mechanism and data hiding to provide strong encryption and decryption standards. The multi-factor credentials are proposed for secure identification and authentication based on the combination of username/password (something you know), smartcard (something you have), and fingerprint (biometric which you possess). To prove that the proposed design is suitable for IIoT, a new scheme is proposed namely a secure, efficient, and lightweight multi-factor authentication scheme for cross-domain IIoT systems (SELAMAT). In addition, a proof of concept is constructed to validate the proposed multi-factor Kerberos authentication using Java programming language. As an extension to the scheme for enabling users to authenticate to the IIoT connected devices while Internet access is unavailable, a new offline multi-factor authentication scheme for the automotive industry is proposed. The offline scheme utilizes a Time-based One-Time Password (TOTP) algorithm to allow users to authenticate to the vehicle without needing an Internet connection once they have registered online when Internet access is available. Furthermore, the proposed scheme's performance and complexity are evaluated using the JPBC cryptographic library. The proposed schemes have been validated using informal and formal security verification to compare the achieved security features against various attacks. The formal verification is performed using BAN logic to prove the security and mutual authentications. The evaluation of the security of the proposed scheme is based on SVO logic to verify the security of the informal method. Likewise, the widely used standard verification simulation tool AVISPA is used to verify that the scheme is secure against passive and active attacks. Finally, the performance and functionality of the proposed schemes are evaluated in terms of computation and communication cost. The results show that the proposed schemes outperform the previous cross-domain authentication schemes by 53% of computation cost and 65% of communication cost.

Text HAQI KHALID ISMAIL - IR.pdf Download (1MB)

Actions (login required)

View Item