Two-Stage High-Efficiency Encryption Key Update Scheme for LoRaWAN Based IoT Environment

Kun-Lin Tsai,Li-Woei Chen,Fang-Yie Leu and Chuan-Tian Wu

1Department of Electrical Engineering,Tunghai University,Taichung,407,Taiwan

2Research Center for Smart Sustainable Circular Economy,Tunghai University,Taichung,407,Taiwan

3Department of Computer and Information Sciences,Chinese Military Academy,Kaohsiung,830,Taiwan

4Department of Computer Science,Tunghai University,Taichung,407,Taiwan

5Emergency Response Management Center,Industry-Academia Collaboration and University Extension Division,Ming-Chuan University,Taipei,111,Taiwan

Abstract:Secure data communication is an essential requirement for an Internet of Things (IoT) system.Especially in Industrial Internet of Things(IIoT)and Internet of Medical Things(IoMT)systems,when important data are hacked,it may induce property loss or life hazard.Even though many IoTrelated communication protocols are equipped with secure policies,they still have some security weaknesses in their IoT systems.LoRaWAN is one of the low power wide-area network protocols,and it adopts Advanced Encryption Standard (AES) to provide message integrity and confidentiality.However,LoRaWAN’s encryption key update scheme can be further improved.In this paper,a Two-stage High-efficiency LoRaWAN encryption key Update Scheme(THUS for short)is proposed to update LoRaWAN’s root keys and session keys in a secure and efficient way.The THUS consists of two stages,i.e.,the Root Key Update(RKU)stage and the Session Key Update(SKU)stage,and with different update frequencies,the RKU and SKU provide higher security level than the normal LoRaWAN specification does.A modified AES encryption/decryption process is also utilized in the THUS for enhancing the security of the THUS.The security analyses demonstrate that the THUS not only protects important parameter during key update stages,but also satisfies confidentiality,integrity,and mutual authentication.Moreover,The THUS can further resist replay and eavesdropping attacks.

Keywords:Key update;AES;LoRaWAN;IoT security;high efficiency

1 Introduction

Due to the rapid developments of Internet of Things (IoT),Artificial Intelligence (AI),and communication technologies,in recent years,IoT applications have been built for different fields.For example,an IoT system can be used in industry and medical treatment,and forms the so-called Industrial Internet of Things(IIoT)[1]and Internet of Medical Things(IoMT)[2]systems.For human daily lives,a smart home system[3]and a smart city[4]can also be created by combining IoT and AI technologies.In an IoT system,massive sensors are linked to network via wired and wireless connections,and then sensed data are delivered to control center,so that the corresponding operations can be performed.

In order to provide mass,wide-range and low-power connections,the concept of Low Power Wide Area Network(LPWAN)communication structure is established.In the past decade,many LPWAN communication systems have been proposed,e.g.,Narrow Band IoT(NB-IoT)[5],Long Range Wide-Area Network (LoRaWAN)[6],Sigfox[7],DASH7[8],etc.Due to business and research reason,many NB-IoT and LoRaWAN related studies have been proposed.To allow mass IoT devices to communicate with each other,NB-IoT utilizes licensed telecommunication bands,while LoRaWAN uses unlicensed band.Generally,both NB-IoT and LoRaWAN have the features of wide-area and low-energy communication.Moreover,LoRaWAN is an evolving protocol and can be used for many modern IoT environments.

The IoT security is as important as general computer and network security since its applications relate to businesses,industries,cities,and even human healthcare[9,10].Providing information confidentiality,data integrity,and device availability becomes an essential requirement for LPWAN communication systems.The Advanced Encryption Standard (AES)[11]is adopted by LoRaWAN to ensure the transmitted data can be safely delivered from sender to receiver.Besides,two types of session keys are utilized in AES data encryption and decryption processes between end-devices and servers[12].

Even though LoRaWAN uses AES to protect the security of transmitted data,it still exists some security problems that need to be solved[13-15].For example,LoRaWAN’s root keys are kept in join-server and end-devices,but lack their own update mechanisms.Once the root keys are stolen,LoRaWAN’s security might be crashed.Besides,the session keys are updated through the end-device re-join process which may also lead to device management and data consistency problems.

In order to deal with the key management and update problem,in this study,a Two-stage Highefficiency LoRaWAN key Update Scheme(THUS for short)is proposed to update LoRaWAN’s root keys and session keys in a secure and efficient way.The THUS utilizes modified AES process and system time stamp to achieve the goal of mutual authentication,confidentiality and message integrity during its update procedure.Besides,the security analysis also shows that the THUS has the ability to resist replay and eavesdropping attacks.In the THUS,the root key and session key can be renewed without changing the device information recorded in join-server,network-server,and applicationserver.Besides,with different key update frequencies,the THUS provides higher security level than the conventional LoRaWAN specification does.The main contributions of this paper are listed below.

(i) The proposed THUS improves LoRaWAN key management by updating both root keys and session keys.

(ii) The modified AES algorithm is utilized in the THUS so that the security of key update procedure can be enhanced and the processing performance can also be improved.

(iii) During the key update procedure,the proposed THUS provides the features of mutual authentication,confidentiality and message integrity and has the ability to resist eavesdropping attack and replay attack.

The remaining part of this paper is organized as follows.LoRaWAN security policy and some IoTrelated studies are introduced in Section 2.Then,Section 3 presents the detailed process of the THUS,including the Root Key Update (RKU) stage and Session Key Update (SKU) stage.The security analyses and discussion are presented in Section 4.Section 5 addresses the THUS performance.Section 6 concludes this study and points out our future study.

2 Preliminary

2.1 LoRaWAN Security

Since LoRaWAN is one of the communication protocols designed for IoT applications,it provides many attractive features including low power and long-distance communication.The security policy of LoRaWAN[16,17]is established under the requirements of data confidentiality,mutual authentication between devices and servers,message integrity.Accordingly,AES cryptographic algorithm and two operation modes,i.e.,Counter Mode (CTR) and Cipher-based Message Authentication Code(CMAC),are adopted in the LoRaWAN data transmission.The CTR is used for data encryption and decryption,while the CMAC is utilized to guarantee the message integrity.Besides,LoRaWAN uses two types of session keys to protect data security,one for end-devices and application-servers,namely application session key(AppSKey),and another for end-devices and network-servers,namely network session key(NwkSKey for R1.0,and FNwkSIntKey,SNwkSIntKey,NwKSEncKey for R1.1.To simplify,in this study,the NwkSKey is used to represent all network session keys).As shown in Fig.1,when an end-device new joins to an IoT system,a globally unique identifier DevEUI and two unique root keys,including AppKey and NwkKey,are registered in join-server.And then,the join process between end-device and join-server generates two types of session keys by using DevEUI,AppKey and NwkKey.Following that,the NwkSKey and AppSKey are delivered to network-server and application-server,respectively.

2.2 Related Studies

Since IoT security is an important topic for constructing an IoT system,many related studies[18-21]have been proposed in the past years.According to the announced LoRaWAN 1.0 protocol,Naoui et al.[18]pointed out two important parameters might be attacked.The first parameter is a 16-bit counter,DevNonce,which is used to record the join times of an end-device.Since theDevNonceis transmitted with unencrypted format,the replay attack might be launched by some attacker.The second parameter isAppNoncewhich is utilized for mutual authentication between application-server and end-device.An attacker may forge the join acceptance message sent by network server,retransmit the same message to the end-device,and then pretend to be a legitimate application-server.In[18],Naoui et al.utilized an independent computer to be the trusted third party and created a timeline for every message so that the session keys can be delivered to network-server and application-server in a secure way.

Eldefrawy et al.[19]checked the security policies of different LoRaWAN protocols.Similarly,they also claimed that the transmitted data will be disclosed when the parameterAppNoncein LoRaWAN v1.0 is known by attackers.However,LoRaWAN v1.1 utilized join-server to generate and dispatch session keys,hence enhanced the security level.Even though LoRaWAN improves its security in v1.1,many researchers still think the root key management is a drawback of LoRaWAN’s security policy.

Chen et al.[20]proposed a comprehensive LoRaWAN key management scheme,which addressed key updating,key generation,key backup,and key backward compatibility.The centralized key management server designed in[20]was a trusted agent dealing with the whole lifecycle of the key management,i.e.,key generation/derivation,updating,backup/recovery,and key revocation.Compared with other previous studies,they provided a good and secure solution for LoRaWAN key management.However,involving an extra server may also lead to other security problems.Xing et al.[21]used elliptic curve cryptography for root key update scheme.Both end-devices and server adopted the hierarchical deterministic wallet to manage the key pair,and the key agreement between the end-devices and the server was realized by the elliptic curve Diffie-Hellman key exchange algorithm.They also used bi-directional Hash algorithm during communication.Although their method indeed enhanced the security of LoRaWAN key management,the complex elliptic curve cryptography algorithm consumed much power during key update procedure.

D?nmez et al.[22]utilized a master device to store the original root keys of end-devices so as to enhance the LoRaWAN’s security.The connections between master device and end-devices are physical links,as a result,the master device can be considered as an extension part of end-devices.Moreover,the master device can also be utilized to charge the batteries of end-devices.However,when master device was hacked,it may result in serious problem of whole IoT system.

Because original root keys are stored in end-devices,and in LoRaWAN standard,only session key can be update by using rejoin process;however,the root keys cannot be update.In[23],Han and Wang created a root key update method by using key derivation function to solve the key management problem.Their experiment showed that the key generation process can generate new root keys with very high degree of randomness.

3 Two-Stage LoRaWAN Key Update Scheme

As abovementioned,LoRaWAN’s protocols[16,17]do not take root key management into account.Once the root keys are attacked and stolen,it can easily induce security problems.In this section,as shown in Fig.2,a two-stage LoRaWAN key update scheme is proposed.The first one is root key update (RKU) stage,and the second one is session key update (SKU) stage.In Section 3.1,the modified AES is introduced so as to enhance the security level and reduce the computational complexity at the same time.Then,the detailed steps of RKU stage and SKU stage are described in Sections 3.2 and 3.3,respectively.The notations used in the RKU and SKU stage are illustrated and defined in Tab.1.

Table 1:Notations used in RKU stage and SKU stage

Table 1:Continued

3.1 Modified AES

In order to improve AES’s security strength and operating speed,a dynamic-box (D-Box) is designed to replace the original substitution-box(S-Box).The enhanced dynamic accumulated shifting substitution(EDASS)algorithm proposed in[24]and used in[25]is a randomized function which can be used to generate irreversible text.The EDASS based D-Box Generation(DBG)process uses three inner keys and three insertion arrays to generate a D-Box.During the RKU and SKU stage,the inputs of modified AES are plaintext and a D-Box,and the corresponding output is a ciphertext.Besides,a flag array is also utilized to prevent duplicate elements appear in the D-Box.For security reason,the D-Box is required irregular renewal.In this study,the D-Box of modified AES has 256 elements,which means that a total number ofpossible combinations of a D-Box.When an attacker captures some encrypted messages and would like to decrypt them,he needs 128-bit session key and the D-Box,indicating that the combination is up to 2128× 256!.Since EDASS algorithm and DBG process are input-sensitivity and randomness,decrypting the encrypting messages in a short period of time without correct session key and D-Box are very difficult.Besides,as shown in[25],by replacing S-Box with the D-Box,the encryption cycles of the conventional 128-bit AES can be simplified to 5 rounds.As a result,the modified AES with D-Box has high efficiency than the conventional AES does.

3.2 Stage 1:Root Key Update Procedure

In the RKU stage,there are three important parameters,i.e.,α,β,andγ,which are generated by network-server,end-device,and join-server,respectively.Firstly,network-server deliversαto joinserver and end-device so as to state up the RKU procedure.Then,the end-device sendsβto join-server by integratingαinto the encrypted message so that the feature of message integrity can be achieved.At the same time,the join-server also transmitsγto end-device.Once when end-device and join-server haveβandγin hand,they utilize these two parameters to generate two new root keys.As shown in Fig.3,in the RKU stage,there are 8 steps,which are described as follows.

Figure 3:There are 8 steps in the RKU stage

3.3 Stage 2:Session Key Update Procedure

In the SKU stage,once the join-server receives the session key update request sent by networkserver,it generates an important parameter?,and utilizes?and new root keys generated in RKU stage to calculate new session keys,i.e.,AppSKeyandNwkSKey.Then the parameter?is delivered to the end-device so that the end-device can generate the same session keys.Next,the end-device sends a new-session-key encrypted acknowledgement message to join-server,and the join-server confirms the acknowledgement message to ensure that the session keys generated by the end-device are the correct.After that,the join-server delivers network session key and application session key to networkserver and application-server,respectively.Finally,both application-server and network-server send encrypted messages to the end-device to guarantee new session keys’function.As shown in Fig.4,in the SKU stage,there are 13 steps,which are described as follows.

Figure 4:The SKU stage consists of 13 steps

4 Security Analyses

In this section,we analyze the security of THUS with Scyther tool[26]and discuss the security features of the THUS.The Scyther tool traces all parameters of the THUS,and checks whether these parameters are safe during transmission.The analyzed result is shown in Fig.5,in which the important parameters are not threatened by attackers.

The other THUS security features are discussed as follows.

? Mutual authenticationindicates that the data transmission parties can authenticate with each other.In the RKU stage of the THUS,bothDevEUIandDevNonceare used to guarantee the authenticities of each communication pair.When an attacker lacks correctDevNonce,the correctandα⊕DevNoncecannot be calculated,and fails the checking in Steps(3.3),(4.3),(7.3),and (8.3).In the SKU stage,theJoinNonce,JoinEUI,andDevNonceare adopted to verify the identities of join-server,network-server,end-device,and application-server.Once an attacker is short of correctJoinNonce,JoinEUI,andDevNonce,the accurateAppSKeynewandNwkSKeynewcannot be calculated,and thus the Steps(4.6),(6.5),and(6.6)of SKU stage will generate wrong message,so that the checking in Steps(6.3),(9.3),and(11.3)will also be failed.Thus,the THUS equips mutual authentication feature.

? Confidentialityrepresents that the THUS has the ability to protect all important parameters.In the RKU stage and SKU stage of the THUS,all parameters become ciphertext by utilizing modified AES before transmission.In Steps(2a)and(2b)of RKU stage,the messagesD-Boxnewandαare encrypted by using encryption keysNwkSKeyoldandkns-js,respectively.In Steps(5)and(6)of RKU stage,the messages are both encrypted by usingAppSKeyold.In Steps(3)and(5)of SKU stage,the messages are encrypted by usingAppSKeyoldandAppSKeynew,respectively.In Steps(7)and(10)of SKU stage,the messages are encrypted by usingAppSKeynew,while in Steps(8)and(12)of SKU stage,the messages are encrypted by usingNwkSKeynew.According to abovementioned steps,different messages and important parameters can then be protected by using different encryption keys.

Figure 5:The analyzed result of the proposed THUS

? Message integrityfeature makes sure the transmitted messages not be forged.In the THUS,eight message integrity patterns,i.e.,are generated to guarantee the integrity of transmitted message.When one of these patterns fails,the RKU or SKU stage is stopped.Consequentially,the THUS equips message integrity feature.

? Resist replay attackmeans some attacker captures some messages delivered by sender,duplicates those messages,and then retransmit them to receiver so as to pretend to be the legal sender.In the THUS,both RKU and SKU stages utilize time parameters (tnonce) to resist replay attack.Before data transmission,the time parameter is encrypted and embedded in the transmitted message.As shown in steps (3.2),(4.2),(7.2),and (8.2) of the RKU and steps (4.3),(6.2),(9.2),and(11.2)of the SKU,when receiver receives the message,the time parameter is utilized to guarantee the transmission time shorter than a predefine time limit.Once the actual transmission time is longer than the predefined time limit,it indicates that the message may send by illegal part,which means it may suffer replay attack.Accordingly,the THUS has the ability to prevent the replay attack.

? Resist eavesdropping attackindicates that an attacker captures massive messages and tries to obtain important information from them.In the THUS,parametersα,β,γ,ε,and D-Box are the most important parameters.The former three parameters are generated randomly and the D-Box is also produced by utilizing random box R-Box via DBG algorithm.All of these parameters and D-Box are encrypted by using EDASS before transmission.Since these parameters vary in every RKU stage and SKU stage,attackers cannot extract any parameters from the captured messages.

The comparisons between the proposed THUS and five previous works are listed in Tab.2.As shown,the THUS equips not only root key update scheme,but also session key update scheme.By using modified AES algorithm,the THUS has the ability to provide high level security with efficient process.

Table 2:The comparisons between the THUS and five previous works

Table 2:Continued

5 THUS Performance

Tab.3 lists the operating time of the THUS,whereTrindicates random number generation time,TSHAis the secure hash algorithm computational time,TAESstands for AES computational time,TEDASSrepresents the EDASS algorithm operation time,andTbmeans the binary operation (addition and subtraction)time.According to the evaluation proposed in[24,25],TEDASSis less than half ofTAES,andTrandTbcan be ignored when compared withTAES,TEDASS,andTSHA,thus the THUS with modified AES has the feature of high-efficiency when compared with traditional AES encryption method.

Table 3:The operating time of THUS with traditional AES and modified AES

6 Conclusion and Future Studies

Secure data communication is a basic requirement for every IoT system.Although LoRaWAN utilizes AES cryptography to achieve the goal of data integrity and confidentiality,the encryption key management can be further improved.In this paper,the THUS is proposed to update LoRaWAN’s root keys and session keys so that the LoRaWAN’s security scheme can be enhanced.The modified AES algorithm with dynamic substitution-box is utilized in both RKU stage and SKU stage.According to the security discussion above,the proposed THUS has the features of mutual authentication,confidentiality and message integrity,and can resist replay and eavesdropping attacks.

In the future,the formal security verification for the RKU and SKU will be performed.Besides,the implementation of THUS on a FPAG (Field Programmable Gate Array) system will also be developed so that the real performance can be evaluated.These constitute our future studies.

Funding Statement:The authors received no specific funding for this study.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.