IoT/M2M comprises physical entities; identities or states of which can be exchanged over the Internet infrastructure. M2M may be considered as a subset of the IoT. A pattern in which the data is transferred on an M2M driven IoT is different from the conventional Internet in terms of data traffic model and number of participating nodes. M2M deals with much more nodes than conventional human to human (H2H) kind of interaction over Internet.
IoT/M2M systems usually consist of constrained devices like sensors that allow communication over wireless and/or wired networks. Usually this wireless communication network is also constrained in terms of bandwidth. Deploying a robust as well as low overhead secure means of communication with authentication in such constrained domain is a challenge. Conventional robust certificate based schemes for constrained devices that use public key cryptosystem may prove too costly due to the processing, energy and bandwidth requirements involved. Additionally, if Security at the IP layer, for e.g., IPSec is considered, it is suboptimal in terms of resource usage and maintenance. Also, Transport layer security scheme like TLS, is not applicable for its resource requirements even though it is very robust, because, it may prove to be costly for constrained devices.
Constrained Application Protocol (CoAP) is an exemplary network application layer protocol that allows interactive communication between constrained devices over the Internet in a RESTful manner. CoAP from Internet Engineering Task Force (IETF) is primarily designed to run on User Datagram Protocol (UDP) to create a lightweight solution and proposes Datagram Transport Layer Security (DTLS) as a security layer solution for IoT/M2M. However, DTLS with a full blown certificate based public key infrastructure (PKI) is not optimal for constrained devices. So, a pre-shared key (PSK) mode of DTLS is defined as a light-weight alternative for constrained devices. Such a scheme, though lightweight, sacrifices robustness. It also lacks authentication of end-points.
In CoAP, DTLS uses the cookie exchange technique to mitigate Denial of Service (DoS) attack where a ClientHello message is sent by an attacker to launch an amplification attack. Particularly, in the PSK mode, the client computes a Pre-Master Secret and Master Secret, from the pre-shared key and then sends a ClientKeyExchange message to the server containing a psk_identity that is used by the server to lookup the required pre-shared key. However, a cookie exchange in plain text is not robust. Also, the cookie exchange mechanism adds to the connection establishment overhead which prove costly for constrained environments.
Accordingly, it is evident that there is a definite white space in terms of a robust authenticated yet lightweight secured system usable in the constrained space of IoT/M2M. Additionally, there is also need for a system and method that is generic in catering to the authentication requirement of general networking/communication systems.