ASOP: A Sovereign and Secure Device Onboarding Protocol for Cloud-based IoT Services
Abstract: The existing high-friction device onboarding process hinders the promise and potential of the Internet of Things (IoT). Even after several attempts by various device manufacturers and working groups, no widely adopted standard solution has come to fruition. The latest attempt by the Fast Identity Online (FIDO) Alliance promises a zero-touch solution for mass-market IoT customers, but the burden is transferred to the intermediary supply chain: each party must maintain infrastructure for managing keys and the digital signatures, called an 'Ownership Voucher', for all devices. The specification relies on a 'Rendezvous Server' that mimics the notion of a Domain Name System (DNS) server. This essentially resurrects all existing attack scenarios associated with DNS, including Denial of Service (DoS) and correlation attacks. The 'Ownership Voucher' poses the risk that some intermediary supply chain agents may act maliciously and reject the transfer of ownership or sign with a wrong key. Furthermore, the deliberate use of the weak elliptic curve SECP256r1/SECP384r1 (also known as NIST P-256/384) in the specification raises questions. We introduce ASOP: a sovereign and secure device onboarding protocol for IoT devices that does not blindly trust the device manufacturer, supply chain, or cloud service provider. The ASOP protocol allows onboarding an IoT device to a cloud server with the help of an authenticator owned by the user. This paper outlines the preliminary development of the protocol and gives a high-level description of it. Our 'zero-trust' and 'human-in-the-loop' approach guarantees that the device owner does not remain at the mercy of third-party infrastructures, and it utilises the recently standardized post-quantum cryptographic suite (CRYSTALS) to secure the connection and its messages.