CAMBRIDGE, MA—The internet of things is causing a headache for the military. Millions of devices unwittingly reveal their identities with every message they send or receive. The concern is that adversaries could be listening.
Commonly used safeguards to fend off identity data leakage include blind signatures, identity certificates and newer kinds of device authentication, such as verifiably common secret encoding. But adversaries have caught on and are finding ways to monitor, track and record use of many devices.
The fact is, camouflaging IoT device signals remains a problem, and not just for the military.
Lake Bu at Draper recently unveiled another approach. Bu found a way to hide the identity of a device inside a group identity. That way a device doesn’t reveal its individual identity, and the user can authenticate their access and still do their job. “Whether the device is a drone, robot, GPS app or soldier system, its identity is masked because it’s wrapped inside a secure Group Anonymous Authentication Protocol (GAAP),” Bu said.
Bu describes GAAP in a paper he co-authored with a team from Boston University’s Adaptive and Secure Computing Systems (ASCS) Laboratory. “GAAP enables a device to be authenticated without revealing its individual identity,” said Dr. Michel A. Kinsy, who directs the ASCS Laboratory.
GAAP works as a network-installed software application that goes out and gathers information about every device that’s been granted access to the network, including the groups, their members and their members’ privileges. GAAP uses the information to generate design parameters and construct and install a set of hardware modules on each device. The physical system is initialized when each device fetches its group identity certificates from the verifier on the network. If any malicious behavior is detected, the system diagnoses the issue and updates the network information.
The authors give examples of GAAP at work and point out how it could be used, for instance, in an army unit, a home with IoT devices or a department or team at a company with multiple employees. GAAP enables users to control access to services and resources granted to the individual devices or components based on their group information or privileges, and establish and enforce data-sharing policies that preserve the privacy of the critical information on end-users. GAAP makes devices resistant to ploys such as man-in-the-middle attacks, imposters, hijacking, counterfeiting and eavesdropping.
Authors include Bu and a team from Boston University’s Adaptive and Secure Computing Systems Laboratory, including Rashmi Agrawal, Eliakin Del Rosario and Kinsy.
Draper’s capabilities used in the development of the secure Group Anonymous Authentication Protocol and architecture include image and data analytics and secure and assured systems.