Jiot 2020 2988126

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2988126, IEEE Internet of
Things Journal
IEEE INTERNET OF THINGS JOURNAL 1
iTLS: Lightweight Transport Layer Security

Protocol for IoT with Minimal Latency and Perfect
Forward Secrecy
Pengkun Li, Jinhu Su*, Senior Member, IEEE, and Xiaofeng Wang
Abstract—Enabling end-to-end secure communication is essen- its datagram-oriented variant Datagram TLS (DTLS) protocol
tial for many Internet of Things (IoT) application scenarios. are the de-facto protocols for communication security in the
Transport Layer Security (TLS) and Datagram TLS (DTLS) IoT [5], [6], which can provide encryption, authentication,
are the de-facto protocols for communication security in the
IP-based IoT. However, the current authentication approaches and data integrity for information exchange. The Internet
of TLS are confronted with the heavy overhead and security Engineering Task Force (IETF) has defined a TLS/DTLS 1.2
issues in the resource-constrained IoT scenario. On the other profile that offers communication security for IoT applications
hand, Identity-based Cryptography (IBC) becomes an attractive [7]. The newest version 1.3 of TLS provides considerable
cryptographic solution for IoT. Unfortunately, current IBC-based performance improvement and smaller message sizes that can
proposals exist the problem of either high communication latency
or low level of security. In this paper, we propose the first further advance IoT communication security [8].
lightweight secure transport protocol called iTLS, which delivers Although the standardized Internet security protocols bring
protected data in the first flight with perfect forward secrecy, and many advantages in terms of interoperability and deployment,
provides implicit mutual authentication without certificates. iTLS typical deployment scenarios of IoT limit the feasibility of
dynamically generates identity-based early keys before receiving TLS because of highly constrained devices in low-power and
a server response, allowing clients to send encrypted data without
additional round-trips. Furthermore, it employs the ephemeral lossy networks of IoT [3], [6]. The TLS protocol supports
secret ticket to obtain an ephemeral server key in the previous authentication using the symmetric pre-shared key (PSK) or
connection. Therefore, the early key established afterward can public-key certificates. PSK-based authentication consumes
provide full forward secrecy. Design and implementation in the a small number of computational resources and bandwidth.
form of extension make iTLS fully compatible with TLS 1.3 However, considering the large-scale deployment of IoT de-
and easy to be converted to a DTLS version. Our evaluation
shows that iTLS reduces the network traffic overhead by at least vices, there exist key management and scalability issues
61.2%, and handshake latency on an ideal network by at least when using the PSK. In addition, the PSK established out
60% compared to certificate-based TLS. The results demonstrate of band is vulnerable to attacks due to the IoT devices’
iTLS achieves strong adaptability on the low-power and lossy IoT uncontrolled deployment environment and restricted security
networks. features. Generating the PSK also needs sufficient entropy to
Index Terms—end-to-end security, secure transport protocol, ensure security, which is usually not guaranteed in practice.
Internet of Things, identity-based cryptography, authentication. Finally, the data encrypted by the PSK, especially sent in the
zero round-trip time (0-RTT) mode in TLS 1.3, cannot provide
I. I NTRODUCTION forward secrecy [8], [9].
HE Internet of Things (IoT) plays an increasingly consid- Certificate-based authentication can solve many challenges
T erable role in all aspects of our daily life. It has been used
in various application domains, such as factory automation,
where particularly PSK-based solutions fall short, so a number
of IoT systems choose certificates as the authentication method
medicine of health-care, and smart city/home [1]. Naturally, [5], [10]. However, the long certificate chain processing as well
the data collected in many scenarios are sensitive and may be as the revocation list checking bring significant overhead in
delivered through the untrusted network infrastructure, e.g., terms of resource consumption, including computing, memory,
the Internet. Therefore, end-to-end communication security bandwidth, and energy. In addition, due to the low packet
is a critical requirement for these IoT application scenarios, delivery rate and computational performance, certificate trans-
which can protect sensitive data even if the underlying network mission and verification also induce a considerable increase in
infrastructure is not under the user’s control [2], [3], [4]. Cur- the connection latency of the protocol. Furthermore, the use of
rent IoT security solutions include standards-based proposals. small packets (e.g. the maximum frame size for IEEE 802.15.4
Among them, the Transport Layer Security (TLS) protocol and is 127 bytes) will result in the fragmentation of large certificate
messages, which may cause specific attacks [11]. Meanwhile,
Pengkun Li, Jinshu Su, and Xiaofeng Wang are with the College the above problems is exacerbate due to the fragment losses
of Computer, National University of Defense Technology, Changsha
410073, China. E-mail: lipengkun14@nudt.edu.cn, sjs@nudt.edu.cn, and and the need for retransmissions. Although both hardware and
xf_wang@nudt.edu.cn software related improvements have been considered by many
*Corresponding author: Jinshu Su works [7], [12], [13], [14], [15], [16], the above problems have
Copyright (c) 20xx IEEE. Personal use of this material is permitted.
However, permission to use this material for any other purposes must be not been effectively solved.
obtained from the IEEE by sending a request to pubs-permissions@ieee.org. Identity-based Cryptography (IBC) is a public key cryptog-
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Auckland University of Technology. Downloaded on June 02,2020 at 17:29:48 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2988126, IEEE Internet of
Things Journal
raphy mechanism which allows the user taking its identity for early data. After each connection is established, the server
as the public key. Thanks to its low bandwidth overhead sends a ticket that is associated with an ephemeral secret
and high scalability, the IBC-based end-to-end security so- determined by itself. This ticket is leveraged to generate the
lutions for IoT gained considerable attention. However, as IDEK for the subsequent connection. Establishing the IDEK
we discuss in the related work, exiting solutions either have with the ephemeral cryptographic key corresponding to the
the problem of complex communication procedures and high ticket can provide forward secrecy for early data. Rejecting
communication latency or cannot provide enough security as reduplicative tickets on the server-side can also mitigate the
the traditional end-to-end security scheme. Some proposals replay attack on early data [9], [27].
employ the identity-based non-interactive key agreement (IB- Finally, the extension-based design and implementation
NIKA) protocol [17], [18] to establish pairwise keys between make iTLS fully compatible with the TLS 1.3 protocol and
devices [19], [20], [21], [22], benefitting from extremely low can facilitate its deployment with the assurance of interoper-
bandwidth overhead. However, this approach provides a lower ability with the Internet. Moreover, design in the form of the
level of security, especially the shared key established is not extension also makes iTLS easy to be converted to DTLS-
forward secret. Compromising the long-term private key of oriented versions [28] that can provide security for datagram-
either party can result in the compromise of the shared key. based applications, e.g., the CoAP protocol [29].
Also, the assailant who compromises a device’s private key can We implement the iTLS protocol based on an IoT-oriented
impersonate any legitimate entity to establish communications open TLS library and evaluate the performance of iTLS
with the device. On the other hand, some proposals adopt on networks with different latencies, packet loss rates, and
Identity-based Encryption (IBE) or Identity-based Signature bandwidth. We compare iTLS with the TLS 1.3 protocol,
(IBS) instead of certificates for authentication and apply Diffie- and experimental results show that iTLS reduces the network
Hellman (DH) key exchange protocol to establish shared keys traffic overhead by at least 61.2% and the full handshake
[23], [24], [25], [20], thereby achieving the authenticated key latency by at least 60% compared to the certificate-based TLS
agreement. While this approach provides higher security, the protocol at 128-bit symmetric key security. The 0-RTT model
DH parameters exchange imposes an additional round trip of iTLS handshake makes establishing secure connections
before sending any sensitive data. Furthermore, few IBC- using iTLS at least 1.5 times faster than using certificate-
based solutions consider compatibility with the standardized based TLS. In addition, the connection performance of iTLS
protocols, which is not conducive to the protocol deployment is similar to that of PSK-based TLS, especially in low-power
and the interoperability between IoT and the Internet. and lossy networks.
In this paper, we extend our previous work [26] to propose The rest of the paper is organized as follows. Section II
iTLS, the first lightweight secure transport protocol for IP- presents some prerequisites about iTLS, including an overview
based IoT, which can deliver protected data in the first of TLS 1.3 and the identity-based authenticated key agreement
handshake flight with perfect forward secrecy, and provide protocol. In Section III, we detail the iTLS design. The
implicit mutual authentication without using certificates. iTLS security of iTLS is analyzed in Section IV. Then, Section V
authenticates communication parties while establishing the implements and evaluates iTLS. Finally, we discuss related
shared key by integrating the identity-based key agreement work and conclude in Section VI and VII, respectively.
protocol into TLS. Therefore, the entity only needs to be
configured with the identity-based private key and requires II. P REREQUISITES
few computing resources used to calculate the shared secret
to establish encrypted communications. iTLS also introduces A. TLS 1.3: An Overview
little bandwidth and energy consumption because no large TLS 1.3 comprises two primary components, a handshake
certificates messages need to be transmitted. What’s more, protocol and a record protocol [8]. The handshake protocol ne-
iTLS comes with minimal connection latency through a zero gotiates cryptographic algorithms and parameters, establishes
round-trips handshake, which also provides perfect forward shared keying material, and authenticates the communicating
secrecy for the 0-RTT data. Specifically, the main contributions parties. The record protocol carries the handshake messages
of iTLS are as follows: and application layer data to be transmitted, and divides traffic
Firstly, iTLS designs the identity-based 0-RTT crypto- up into a series of records, each of which is independently
graphic handshake that employs dynamic early keys (IDEK) to protected with the parameters established by the handshake
minimize the security handshake latency for all connections. protocol.
The iTLS handshake allows the client to dynamically generate The handshake protocol is the core of the TLS protocol.
the IDEK, i.e., an authenticated shared key with the server, TLS 1.3 uses a new handshake protocol compared to previous
based on the identities of the communication parties before re- versions. This handshake protocol reduces the handshake
ceiving a reply from the server. IDEK enables the client to send latency from the original two RTT to one RTT. A basic full
data immediately following the initial handshake message, i.e., TLS 1.3 handshake is shown in Fig. 1.
"early data", without sharing a static PSK with the server in The TLS client sends the ClientHello message to initialize
advance, thereby establishing the encrypted connection with the handshake, which contains its supported cryptographic
no additional round trips. algorithms and parameters. After receiving and processing
Secondly, iTLS introduces the ephemeral secret ticket mech- the ClientHello, the server determines the appropriate crypto-
anism to provide perfect forward secrecy and replay protection graphic parameters and responds with a ServerHello message
Things Journal
the Certificate. Finally, they exchange the Finished message to

complete the handshake, which contains a MAC over the entire
handshake. If PSK-based key exchange is used, endpoints do
Client Server not send the Certificate and CertificateVerify messages, since
ClientHello they authenticate each other via the PSK.
+key_share*
Key Exchange
+psk_key_exchange_modes* Note that, except for the ClientHello and ServerHello mes-
+pre_shared_key*
sages, all other handshake messages are encrypted by the
ServerHello
+key_share*
shared key established after exchanging the ClientHello and
+pres_shared_key* ServerHello. As a contrast, only the Finished message is
encrypted in previous versions.
Parameters
Server
EncryptedExtensions
Compared with the older versions, the other major change in
CertificateRequest*
TLS 1.3 is to support the 0-RTT model that allows the client to
Certificate* send application data to the server in the first flight when they
Authentication
CertificateVerify* share a pre-shared key [8]. With this model, the ClientHello
Finished message contains an "early_data" extension to indicate that
Certificate* the client will send the early data in the 0-RTT model. Then,
CertificateVerify* the client can immediately send application data encrypted
Finished
with the PSK following the ClientHello message. If the server
determines to accept the early data, the server chooses the first
PSK presented in the list of PSKs offered by the client, and
adds the "early_data" extension to the EncryptedExtensions
message. Then the server also uses the PSK to decrypt the
early data. In the 0-RTT model, endpoints authenticate each
other via the PSK, too. After the handshake is completed,
Fig. 1. The full TLS 1.3 handshake. ’+’ indicates extensions sent in the connection is protected under the new keying material
previously noted messages; ’*’ indeicates optional or situation-dependent mes- established via the PSK or (EC)DHE. ,
sages/extensions that are not always sent; Solid line box indicates messages
encrypted.
B. Identity-based Authenticated Key Agreement
In 1985, Shamir first proposed the concept of Identity-based
to indicate the negotiated connection parameters. The client Cryptography (IBC) [30]. The main idea of IBC is to use the
and server complete the key exchange and establish the shared user’s unique identifier as its public key. The corresponding
secret key in this phase. TLS 1.3 supports three key exchange private key is generated by a trusted authority, called Private
modes: (EC)DHE (Diffie-Hellman exchange over either finite Key Generator (PKG), using secret knowledge only possessed
fields or elliptic curves), PSK-only, and PSK with (EC)DHE. If by the PKG. Boneh and Franklin proposed the first fully func-
(EC)DHE key establishment is in use, a "key_share" extension tional solution for identity-based encryption schemes using
is included in the ClientHello and ServerHello messages, bilinear pairing in 2001 [31]. Following this work, numerous
which contains the client and server’s Diffie-Hellman key feasible identity-based authenticated key agreement (IBAKA)
shares respectively; If PSK key establishment is in use, a protocols based on bilinear pairing have been proposed [32],
"pre_shared_key" extension is used by the client and server. [33], [34], [35]. There are also some pairing-free IBAKA
This extension contains a set of pre-shared key labels in the schemes proposed to avoid the computational overhead of the
ClientHello, and the PSK identity chosen by the server in the pairing [36], [37], [38], [39]. Generally, a two-party IBAKA
ServerHello. The (EC)DHE and PSK can be used together, in can be described using three algorithms:
which case both extensions are contained in the ClientHello Setup(k): Given a security parameter k as input, this al-
and ServerHello messages. gorithm outputs the system public parameters SPP and the
After sending the ServerHello, the server then sends the master secret key msk.
EncryptedExtensions message which contains extensions that KeyE xtract(SPP, msk, I Di ): This algorithm extracts a pri-
are not required to determine the cryptographic parameters, vate key from an arbitrary bit string. It takes an identity I Di ,
and the CertificateRequest message if client authentication is the msk, and SPP as input, and then outputs a secret key sk i
desired. for I Di .
The client and server send authentication messages to each Key Agreement(SPP, sk i , esi , I D p , EK p ): Before establish-
other in the authentication phase. If they choose the (EC)DHE ing the shared key, the communication parties generally
mode to exchange key shares, certificate-based authentication choose an ephemeral secret es and compute the corresponding
is needed. The server and client send Certificate and Certifi- ephemeral public key EK respectively, and then exchange their
cateVerify messages to authenticate themselves. The former ephemeral public keys. This algorithm takes SPP, the private
message contains the endpoint’s certificate chain, and the latter key sk i of I Di and its ephemeral secret esi , the peer’s identity
one contains a signature over the handshake transcript using I D p and its ephemeral public key EK p as input, and outputs
the private key corresponding to the public key presented in a secret shk shared with I D p for I Di . The es and EK can be
Things Journal
∅, then this is an identity-based two-party non-interactive key the system public parameters and the master secret key at a
exchange scheme [17], [18]. specified security level. Specifically, in this paper, the PKG
In this paper, we chose the pairing-based IBAKA algorithm performs the following steps in the initialization phase:
proposed in [34] to better illustrate iTLS because of its high The PKG selects two groups G, GT , a bilinear pairing e :
computational performance and the security properties it holds. G × G → GT , and the generator P as described in Section II.
Here we briefly review the basic facts of bilinear pairing and It then randomly selects s ∈ Z∗q as the master secret key and
several related hardness assumptions. The details can be found computes the master public key Ppub = sP. It also chooses
in [32]. a hash function H : {0, 1}∗ → G to map an arbitrary string
Bilinear pairing Let G denote an additive group and GT to a point on G. Finally, the PKG stores the master secret
a multiplicative group, and both of them are cyclic groups key s secretly and publishes the system parameters SPP =<
of prime order q. Let P denote a generator of G. A bilinear G, GT , e, P, Ppub , H >.
pairing is a map e : G × G → GT , which has the following After the system parameters initialization is completed, the
properties: communication participants can register their own identities
1) Bilinear: for all Q, R ∈ G and all a, b ∈ Zq , we have with the PKG and obtain the corresponding private keys. The
e(aQ, bR) = e(Q, R)ab ; identity can be the unique identifier of a device or the identifier
2) Non-degenerate: e(P, P) = 1; of an IoT platform. The PKG adopts the KeyE xtract algo-
3) Computable: for all Q, R ∈ G, e(Q, R) is efficiently rithm of the specified IBAKA to generate the corresponding
computable. private key for an entity. In this paper, the PKG maps the
Assumption 1 (Bilinear Diffie–Hellman (BDH)) For entity’s identity I Di to a point on G via H and calculates the
a, b, c ∈ Z∗q , given (P, aP, bP, cP), computing e(P, P)abc is private key as sk i = sH(I Di ). PK i = H(I Di ) is used as the
hard. public key corresponding to the identity.
Assumption 2 (Computational Diffie–Hellman (CDH)) This paper does not discuss in detail the specific imple-
For a, b ∈ Z∗q , given (P, aP, bP), computing abP is hard. mentation of PKG and how it assigns the private key to the
Assumption 3 (Elliptic Curve Discrete Logarithm device in IoT. The administrator can run a PKG server in its
(ECDL)) Given (P, aP), extracting a ∈ Z∗q is hard. administration domain, and configure the device with the URI
of the PKG. Then the device can fetch and update the public
III. I TLS D ESIGN system parameters and the private key based on the configured
URI. There are usually two types of strategies to initialize a
This section describes the details of the iTLS protocol.
private key for a device. One is by the offline type. Before de-
iTLS utilizes IBC to establish an inherent binding between
ploying the device, the administrator can preload each device
the public key and the entity presenting the public key. By
with a unique identity, the public system parameters, and the
using the IBAKA to authenticate communication parties while
associated private key. The other approach is to initialize the
establishing the shared key, iTLS eliminates the transmission
device online dynamically. This approach requires the device
and verification of certificates during the connection establish-
to carry through an authentication procedure with the PKG,
ment. iTLS also generates the early key dynamically using
and a cryptographic channel to distribute the private key. After
the identities of the communication parties, which is used to
obtaining the private key for the first time, subsequent key
protect data sent in the first flight. Moreover, iTLS associates
updates can be done via the secure channel established by
the ticket with an ephemeral server key and uses it in the early
iTLS.
key generation procedure of the next connection to provide
Compared to the certificate-based authentication where the
forward secrecy and replay protection.
private key is generated locally, the private key used for
iTLS consists of two phases. In the initialization phase, a
iTLS communication is generated by the PKG. The iTLS
PKG is initialized and generates the private keys for entities.
protocol may face a security risk of private key disclosure
Then, the communication participants use the iTLS handshake
due to improper management of the PKG, which can easily
protocol to establish secure connections between each other.
lead to man-in-the-middle attacks and interception of the
This section first introduces the basic iTLS handshake pro-
traffic in the system (see Section IV). Therefore, a stronger
tocol, where a new "identity_share" extension is presented
key management system shall be adopted by the PKG when
for key establishment and authentication. Then, we extend
using iTLS. For example, The PKG can adopt a hardened
the basic protocol to support the 0-RTT model, which adopts
security device, e.g., the Trusted Platform Module (TPM) [40],
IDEK for early data transmission and ephemeral secret tickets
to protect the master secret, and should update the master
for early data security enhancement.
secret and public system parameters periodically. In addition,
iTLS requires all entities to register with the same PKG for
A. Initialization encrypted communication. In typical IoT networks with closed
Before using iTLS for secure communication, a trusted groups, such as wireless sensor networks, the trusted PKG
PKG is needed to initialize cryptographic system parameters should be played by the network administrator. However, in
and generate private keys for communication participants. The networks with multiple administrative domains, hierarchical
PKG is usually run by the administrator for a specific IoT and cross-domain IBAKA algorithms should be considered by
ecosystem. Firstly, the PKG is initialized through the Setup the administrator.
algorithm of the chosen IBAKA scheme, which generates After registering the identity with the PKG and equipped
Things Journal
with the associated private key, each entity can use iTLS to
establish secure connections with others. iTLS adopts a new
identity-based cryptographic handshake protocol and the same
Client Server
record layer protocol as TLS 1.3. Next, we introduce the iTLS
handshake protocol. ClientHello
+identity_share
B. Handshake Protocol ServerHello

+identity_share
The basic iTLS handshake, shown in Fig. 2, is similar to
that of TLS 1.3 with two major changes: EncryptedExtensions
1) A new extension is used by ClientHello and ServerHello Finished
to exchange identity information. Finished
2) Remove the component in the handshake related to the
certificate. Application data
The "identity_share" extension is added to iTLS. The client
and server send this extension in the ClientHello and Server-
Hello messages to exchange their identities and cryptographic Fig. 2. The basic full iTLS handshake. ’+’ indicates newly added ex-
tension; Blue box indicates messages protected using keys derived from
parameters used for establishing the shared secret. The format handshake_secret.
of the "identity_share" extension is provided below. The
identity field contains the endpoint’s identity that represents
its public key. private key. The other case is that the PKG parameters
The trusted_authority field comprises the identifier of the presented in ClientHello are different from those known to the
PKG where the endpoint registers with the identity and the server, which usually happens when PKG updates parameters.
related algorithm information. The information should include Under these circumstances, the server can either continue the
the IBAKA algorithm used, which can be represented by an handshake by responding with a HelloRetryRequest message
object identifier, and the system public parameters generated if the server supports other authentication methods, or abort
by the PKG, the structure of which is specified by the IBAKA the handshake with an alert directly.
algorithm. In order to reduce the number of bytes carried in If the server has registered with the same PKG, then it
this field, a hash of the algorithm information is generally put responses a ServerHello message with an "identity_share"
into the trusted_authority field. extension which contains the server’s identity I D S , the PKG
Finally, the endpoint usually chooses a random ephemeral information and the ephemeral public key EK S = yP, where
secret and calculates an ephemeral public key for the establish- y ∈ Z∗q is the random ephemeral secret selected by the server.
ment of the shared secret. The ephemeral public key is carried With the identity information in the identity_share extension
in the key_exchange field, whose content is determined by the of the ClientHello, the server can calculate the shared secret
specified IBAKA algorithm. with its private key sk S through the Key Agreement algorithm
of the corresponding IBAKA. In this paper, the server com-
struct { putes the shared secret via the following formula:
TrustedAuthorit y trusted_authorit y; shared_secret = yEK C ||e(EK C + H(I DC ), yPpub + sk S ).
Identit y identit y;
As same as the key derivation schedule mechanism of
opaque key_exchange; TLS 1.3 [8], the server extracts the handshake secret from
} Identit yShare; the shared secret through the HMAC-based Key Derivation
Function (HKDF) [41]:
Fig. 2 shows the basic full iTLS handshake.
The client sends the ClientHello message containing an handshake_secret = H M ACek (shared_secret),
"identity_share" extension. This extension indicates to the
where the Hash function used for HMAC is the cipher suite
server that the client supports iTLS, and further tells the
hash algorithm selected by the server, and the HMAC key ek is
server the client’s identity I DC , the corresponding PKG that
the key derived from the early key that is described in the next
distributes the private key for this identity, and the ephemeral
subsection. Then the server can send EncryptedExtensions
public key the client provides for key agreement. According to
and Finished messages which are encrypted by the handshake
the IBAKA algorithm selected in this paper, the client selects
traffic key derived from the handshake secret.
an ephemeral secret x ∈ Z∗q at random, and calculates the
After receiving the ServerHello message, the client must
ephemeral public key EK C = xP.
verify that the PKG presented in the "identity_share" extension
The server processes the ClientHello message and checks
is the same as that in the "identity_share" extension of the
the carried "identity_share" extension. It needs to validate the
original ClientHello message. With the server’s identity and
client’s identity and whether the PKG presented in the exten-
ephemeral public key offered in the ServerHello, the client
sion is trusted. There are two cases where the PKG received
can also compute the shared secret with its private key sk C :
is untrusted. One case is that the server has not registered
with the same PKG and does not have the corresponding shared_secret = xEK S ||e(xPpub + sk C , EK S + H(I D S )).
Things Journal
By the bilinearity of the pairing, the client and server can

obtain the same secret:
shared_secret Client Server
= xEK S ||e(xPpub + sk C , EK S + H(I D S )) ClientHello

+early_data
= xyP||e(xsP + sPK C , yP + PK S ) +identity_share
= xyP||e(xsP, yP)e(xsP, PK S )e(sPK C , yP)e(sPK C , PK S ) Application data*

= xyP||e(P, P)xys e(P, PK S )xs e(PK C , P)ys e(PK C , PK S )s ServerHello
+identity_share
= yxP||e(xP, ysP)e(xP, sPK S )e(PK C , ysP)e(PK C , sPK S )
EncryptedExtensions
= yxP||e(xP + PK C , ysP + sPK S ) +early_data
= yEK C ||e(EK C + H(I DC ), yPpub + sk S ). Finished
Application data*
The client also extracts the handshake secret from the shared
EndOfEarlyData*
secret using HKDF and responds with the Finished message
protected by the handshake traffic key. Finished
At this point, the client and server complete the handshake.
Both of them can derive the traffic keying material from the Application data
shared secret to protect the application layer data through
"Authenticated Encryption with Associated Data" (AEAD)
functions [42]. It should be noted that iTLS eliminates the ex- Fig. 3. iTLS 0-RTT handshake. ’+’ indicates extensions sent in the previously
noted message; ’*’ indicated optional or situation-dependent messages that are
change of Certificate and CertificateVerify messages between not always sent. Green box indicates messages protected using keys derived
the server and client. They have completed implicit mutual from IDEK. Blue box indicates messages protected using keys derived from
authentication after only verifying the Finished messages (see handshake_secret.
Section IV).
iTLS achieves the compatibility with the original protocol After receiving the ClientHello message, the server extracts
by having the ClientHello message carry the "identity_share" the client’s identity from the "identity_share" extension in
extension along with an empty "key_share" extension. If the ClientHello and can also compute the IDEK:
server supports iTLS, the ServerHello message replied to
the client only contains "identity_share" extension; if not, it I DEK = H M AC 0 (e(H(I DC ), sk S )).
ignores the "identity_share" extension contained in the Clien-
tHello, and responds with a HelloRetryRequest message. Then, From the bilinearity of the pairing, we can get the equation:
the client and server fall back to a full TLS 1.3 handshake.
e(sk C , H(I D S )) = e(H(I DC ), H(I D S ))s = e(H(I DC ), sk S ).
Thus the server can accept and decrypt the early data
C. 0-RTT Model with the IDEK. In order to accept early data, the server
iTLS allows the client to send application data in its first must have selected the first symmetric cipher suite offered
flight of messages ("early data") whenever establishing a in the ClientHello’s cipher suites field. It also returns its own
secure connection with the server. Unlike TLS 1.3 that requires "early_data" extension in the EncryptedExtensions message,
communication parties to share a static PSK in advance, iTLS indicating that it intends to process the early data.
instead generates the identity-based dynamic early key (IDEK) After receiving the Finished message from the server, if
though IBAKA in each connection to protect the early data. the server has accepted the early data, the client needs to
As shown in Fig. 3, the client includes an "early_data" send an EndOfEarlyData message to the server before sending
extension in the ClientHello message to indicate that it will the Finished message. This message indicates that all the 0-
send the early data following the ClientHello message. Then it RTT data have been transmitted. The rest of the handshake
calculates the IDEK through the identity-based non-interactive is the same as the iTLS 1-RTT handshake shown in Fig.
key agreement using its private key and the server’s identity 2. The client and server establish the new session keys to
as input parameters: encrypt the handshake messages and normal application data
by exchanging the "identity_share" extensions.
I DEK = H M AC 0 (e(sk C , H(I D S ))), The IDEK described above provides protection analogous to
TLS 1.3 with the PSK model. However, the security properties
where the Hash function for HMAC is the hash algorithm for the early data encrypted using this IDEK are weaker
defined in the first cipher suite in the client’s cipher suites than those for other kinds of data (the handshake messages
list, and the HMAC key is set to a string of zeros with the and application data). Firstly, the early data is not forward
output length of the hash algorithm in bytes. The early traffic secret. If the long-term private key of the client or server is
key derived from the IDEK is used to encrypt the early data compromised after completing the handshake, an attacker who
through the AEAD algorithm. has stored the early data in advance can compute the early
Things Journal
secret and decrypt the early data. Secondly, the early data can secrecy. In addition, the server can reject reduplicative tickets
be replayed arbitrarily. The attacker simply duplicates a flight to mitigate the replay attack. After accepting the early data,
of 0-RTT data, the server cannot determine whether it is a new the server erases the ephemeral secret from the local database,
connection or a replay. or stores the value of the received ticket until the ticket expires
iTLS employs the ephemeral secret ticket to enhance the 0- and rejects duplicates during storage.
RTT data’s security. After establishing the connection success- The new format of the "early_data" extension is shown
fully, the server sends the client a NewSessionTicket message below.
that carries an "identity_share" extension and an "early_data"
extension. The former extension contains an ephemeral pub- struct {
lic key offered by the server, which will be involved in select (Handshake.msg_t ype) {
establishing the IDEK in the subsequent connection. The case new_session_ticket :
server determines the ephemeral key according to the IBAKA uint32 max_earl y_data_size;
algorithm that the current handshake uses. In this paper, the
server chooses a random secret r and calculates [EK S ]ek = r P case client_hello : opaque ticket;
as the ephemeral public key for establishing the early key. The case encr ypted_extensions : Empt y;
latter extension is the same as the extension in TLS 1.3, which }
contains an integer to indicate the maximum amount of 0-RTT } Earl yDataIndication;
data that the client is allowed to send when using this ticket
and ephemeral server key.
The server then stores the ephemeral secret r and the IV. S ECURITY A NALYSIS
identity information of the client (the identity and PKG infor- In this section, we describe several important security prop-
mation) in a database with the ticket in the NewSessionTicket erties iTLS provides.
message as the lookup key. For the constrained server, it can We consider an attacker to be an active network attacker,
directly use the encrypted and integrity-protected r and the which means it has complete control over the communication
client’s identity information as the value of the ticket, thereby channel between the communicating parties. Thus, the attacker
avoiding keeping per-client state. can eavesdrop, replay, insert, delete, or modify all messages
After receiving the NewSessionTicket, the client caches the exchanged between the parties, and further, may attempt to
ticket and the associated ephemeral server key along with the impersonate either party to communicate with the other party.
server’s identity information. The identity information contains We also consider an attacker that has the capacity of tampering
the server’s identity and PKG information, which is carried in with the IoT devices to extract their long-term private keys. We
the “identity_shared” extension in the NewSessionTicket mes- do not consider the Denial of Service (DoS) attack since iTLS
sage. Since the client has determined that the server registers is a connection-orient protocol. Nevertheless, the "cookie"
with the same PKG based on the successful handshake, it only extension supported by TLS 1.3 can also be used to provide
needs to cache a hash of the PKG information. In the next a measure of DoS protection for the non-connection-oriented
connection, the client can use this hash value to determine version [8].
whether the PKG has updated the system parameters, so as to It is assumed that the PKG is trusted, secure, not com-
determine whether the ticket can still be used. Therefore, the promise, and will not launch any active attacks. Since all the
ephemeral secret ticket introduces very little memory overhead private keys are derived from the master key held by the PKG,
for constrained devices. an untrusted PKG or an attacker who compromises the master
When establishing a new connection with the same server key can arbitrarily mount a successful MitM attack. We also
subsequently, the client includes this ticket in the "early_data" assume that the AEAD cipher for symmetric encryption is
extension within the ClientHello message. With the server’s secure, and the hard problems described in Section II cannot
ephemeral public key [EK S ]ek and the ephemeral secret x be solved with an efficient algorithm. In addition, the security
randomly selected by the client, the client calculates the IDEK of iTLS is relevant to the IBAKA protocol chosen to establish
through the corresponding IBAKA: the shared key during the handshake. The formalized security
proof of the IBAKA protocol chosen in this paper can be found
I DEK = H M AC 0 (x[EK S ]ek ||e(xPpub +sk C , [EK S ]ek +PK S )).
in [32].
The client’s ephemeral public key EK C = xP is sent to the End-to-end security: Since iTLS has the same record layer
server by carrying it in the "identity_share" extension of the as the TLS 1.3 protocol, all the application data transmitted
ClientHello. through iTLS is divided up into a series records, and all the
The server retrieves its ephemeral secret r from the received records are encrypted and integrity protected by AEAD with
ticket. Combined with the client’s identity information within the shared key established during the handshake. Moreover,
the "identity_share" extension of the ClientHello, the server iTLS ensures that the shared key established can only be
can also compute the IDEK: known by the communication parties. Thus, only the com-
munication endpoints can encrypt and decrypt the data, and
I DEK = H M AC 0 (r EK C ||e(EK C + PK C , r Ppub + sk S )).
further, only the endpoints can authenticate the data trans-
The ephemeral secrets offered by both sides of the com- mitted from the peer. Any third party on the communication
munication guarantee that the IDEK provides perfect forward path (such as the gateway) or attacker that eavesdrops and
Things Journal
manipulations the network cannot acquire the plaintext data, raphy that the key generated by the user, the private key in
modify existing data or inject false data. Thus, end-to-end IBC is generated by the PKG. PKG escrow indicates that the
security can be realized through iTLS. PKG can recover the session key for a completed handshake.
Mutual authentication: iTLS provides implicit mutual au- For the iTLS protocol described in this paper, even though the
thentication without using certificates. During the handshake, PKG knows the communication parties’ private keys and the
after receiving and validating the Finished message from the master secret s, it cannot recover the session key yet, since it
server, the client can confirm that the server has computed cannot calculate the xyp from xP and yP, which is CDH
the same shared secret as that calculated using the server’s problem. However, PKG escrow is desirable under certain
public key. Given the assumption that the PKG is trusted and circumstances, especially in certain closed group applications.
well behaved (it will not impersonate the server), the client In these situations, other IBAKA protocols that support PKG
can confirm the server’s authenticity since only the entity that escrow can be implemented in iTLS [35].
possesses the server’s long-term private key can calculate the Resistance to Man-in-the-Middle attack: An attacker
same shared secret. Similarly, upon receiving and validating subverts the communication steam in order to masquerade
the Finished message sent by the client, the server can also as the server to client and the client to the server. In iTLS,
verify the client’s authenticity. when an attacker receives respective EK C and EK S from the
0
Perfect forward secrecy: This property ensures that com- client and server, he can construct arbitrary EK C and EK S0
promising the long-term private keys of one or both com- to replace EK C and EK S , and send them to the server and
munication parties cannot break the security of the session client, respectively. For example, the attacker can randomly
key established in the previous handshake, and therefore the select x 0 and y 0, and replace EK C = xP with EK C 0
= x 0P
security of the protected data transmitted beforehand. In iTLS, and EK S = yP with EK S = y 0 P. Then the shared secret the
0
the calculation of the shared session key depends not only on client computes is xEK S0 ||e(xPpub + sk C , EK S0 + PK S ) =
the long-term private key of the participating parties but also y 0 xP||e(Ppub , y 0 xP)e(P, PK S )xs e(PK C , y 0 sP)e(PK C , PK S )s .
on the randomly selected endpoints’ ephemeral secrets. Even However, though the attacker knows xP and y 0, he cannot
if an attacker compromises the private keys, he also needs compute the shared secret without the server’s private
to compute xyP from EK C = xP and EK S = yP, which key. The attack can also substitutes EK C and EK S with
is CDH problem and is independent of the long-term private EK C 0
= x 0 P − PK C and EK S0 = y 0 P − PK S , respectively.
keys. Thus, an attacker who knows the private keys cannot Thus, he can calculate e(xPpub + sk C , EK S0 + PK S ) =
get previous session keys. In the 0-RTT mode of iTLS, the e(xPpub + sk C , y 0 P) = e(Ppub , y 0 EK C )e(PK C , y 0 Ppub ).
server sends the ephemeral public key in a previous connection However, he still cannot compute the shared key, since he
through the ephemeral secret ticket. The client can generate the needs to compute xEK S0 = x(y 0 P − PK S ), which needs him
early key with forward secrecy by including the ticket value get x from xP. This is ECDL problem.
in the "early_data" extension in the ClientHello. Resistance to Replay attack: The keying material used
Uniqueness of the session keys: Since the endpoints’ for encrypting the ordinary 1-RTT data is determined by both
ephemeral private keys are randomly selected in each con- client and server, thus providing replay protection for the 1-
nection, any two distinct handshakes produce distinct and RTT data. However, the early traffic key does not depend on
independent session keys. Even the early key and the ordinary the ServerHello, and therefore the 0-RTT data is vulnerable
session key produced by the same handshake are distinct to replay attack [27]. An attacker could simply record the
because they are calculated from different ephemeral server ClientHello message and the 0-RTT data and duplicates the
keys. Therefore, even though one session key is compromised, flight to mount a replay attack. iTLS prevent this type of attack
the attacker cannot obtain any useful information on other by guaranteeing that the ticket associated with the ephemeral
session keys. public key used for the early secret establishment is accepted
Key compromise impersonation resistance: In a mutu- at most once. Nevertheless, a network attacker can also take
ally authenticated connection, compromising the long-term advantage of client retry behavior to arrange for the server to
private key of one participant should not break that partic- receive multiple copies of an application message [9]. This
ipant’s authentication of its peer. It means that an attacker type of attack cannot be prevented at the transport layer and
who compromises a device’s private key cannot impersonate must be dealt with by the application.
arbitrary legitimate entities to establish a connection with
that device successfully in subsequent handshakes. In iTLS, V. I MPLEMENTATION A ND P ERFORMANCE E VALUATION
if the attacker compromises the client’s long-term private
We implemented iTLS1 based on the WolfSSL library2 ,
key, he impersonates the server to establish a connection
which is a lightweight open-source TLS/SSL implementation
with the client. He knows the client’s private key sk C ,
targeting at IoT and currently supports the TLS 1.3 protocol.
the ephemeral public key EK C sent by the client, and the
As we choose the pairing-based IBAKA protocol in iTLS in
ephemeral secret y 0 he chooses. To calculate the shared secret
this paper, we also introduced the PBC library to implement
y 0 EK C ||e(EK C + PK C , y 0 Ppub + sk S ), he must calculate
the pairing operations [43]. The PBC library is a free portable
e(EK C , sk S ) = e(P, PK S )xs . However, the server’s private
C library that allows the rapid prototyping of pairing-based
key is not known, and calculating xsP from EK C = xP and
Ppub = sP is CDH problem. 1 https://github.com/PengkunLi-nudt/iTLS
PKG escrow: In contrast to classical public-key cryptog- 2 wolfSSL. https://www.wolfssl.com/products/wolfssl/
Things Journal
TABLE I CertificateVerify messages, iTLS reduces the traffic overhead

T RAFFIC OVERHEAD COMPARISON AT 112- BIT SECURITY (B YTES ) by 82.3% and 68.5% compared to TLS using RSA and ECC
certificates, respectively. At the security level of 128-bit (RSA
TLS 1.3 iTLS
certificate size is 1667 bytes, and ECC certificate size is 839
RSA Certificate ECC Certificate PSK
bytes), the traffic overhead decreases by 82.6% and 61.2%,
Client 2630 1482 237 501
respectively (shown in Table. II). It should be noted that
Server 2603 1454 147 423
large certificate messages have to be divided into multiple
Total 5233 2936 384 924
packets when transmitting over a link with limited packet sizes
such as IEEE 802.15.4. These small packets result in more
TABLE II network traffic overhead. Sending fewer bytes also means
T RAFFIC OVERHEAD COMPARISON AT 128- BIT SECURITY (B YTES )
less energy consumption, which has significant implications
TLS 1.3 iTLS for constrained devices. Therefore, iTLS is more suitable for
RSA Certificate ECC Certificate PSK IoT scenarios than certificate-based TLS in terms of commu-
Client 3397 1529 237 627 nication overhead and energy consumption. However, iTLS
Server 3370 1501 147 549 establishes a secure connection with more traffic overhead than
Total 6767 3030 384 1176 PSK-based TLS. These extra bytes are all introduced by the
"identity_share" extension in the ClientHello and ServerHello
messages.
cryptosystems. We also modified the demo server and client
applications that are part of the WolfSSL to support the iTLS
B. Connection Latency
protocol for the experiment. Our implementation was tested
and run on the Linux 4.10 kernel. We evaluated the connection performance of iTLS with
We experimentally evaluate the performance of iTLS, two kinds of experiments. The first experiment was designed
specifically on network traffic overhead and connection la- to evaluate the full handshake latency for iTLS. In this
tency. The experimental results are shown by comparing the experiment, the client establishes encrypted connections with
performance of iTLS and TLS 1.3. We configure TLS 1.3 to the server using the basic full handshake of iTLS and TLS,
use PSK, RSA certificate and ECC (Elliptic Curve Cryptogra- respectively. The handshake latency is measured on the server-
phy) certificate, respectively. RSA certificate-based TLS uses side as the time from receiving the ClientHello message until
RSA for authentication and DHE for key exchange, while ECC the handshake is considered complete. We conducted 500
certificate-based TLS uses ECDSA (Elliptic Curve Digital measurements for each type of handshake and computed the
Signature Algorithm) for authentication and ECDHE for key average handshake latency.
exchange. Both client and server are set to be authenticated To study the impact of iTLS’s 0-RTT model on connection
in certificate-based TLS. We compare the performance of latency, we designed the second experiment in which the client
iTLS and TLS at the 112-bit and 128-bit symmetric key sequentially connects to the server, sends a 28-byte request,
security, respectively. In different security levels, the length receives a 58-byte response, and terminates the connection.
of involved cryptographic keys is chosen according to the rec- The client establishes the secure connection with the server
ommendations of NIST [44]. Finally, the cipher suites for both using iTLS’s 0-RTT handshake, TLS’s 0-RTT handshake with
iTLS and TLS 1.3 select "TLS_AES_128_CCM_SHA256" for PSK, and TLS’s 1-RTT handshake with certificates, respec-
symmetric key and hashing operations. tively. We measure the number of such operations completed
Our experiment was run on two virtual machine instances in 1 minute for each type of connection.
within a computer with a 2.30 GHz Intel i5-6300HQ quad-core We performed the experiments under a variety of network
processor and 4 GB memory. We run the client application on latencies, packet loss rates, and bandwidth using Linux’s netem
one virtual machine and run the server application on the other interface. In addition, all the measurements were performed
one. Each virtual machine instance consumed a processor core on links with the Maximum Transmission Unit (MTU) of
and 1 GB memory. 1500 (the ethernet MTU) and 127 (the maximum frame
size for IEEE 802.15.4), respectively. The MTU of 127 is
adopted to simulate an IEEE 802.15.4 link for better evaluating
A. Network Traffic Overhead iTLS performance on IoT networks, such as wireless sensor
Our results from comparing network traffic generated by networks.
iTLS and TLS 1.3 are listed in Table. I and Table. II. These 1) The full handshake latency: Fig. 4 shows the compar-
results provided indicate the number of bytes of the records ison of the full handshake latency between iTLS and TLS
generated during the full handshake, so these bytes do not 1.3 on a network with zero latency, no packet loss, and
contain the IP protocol header and TCP header. Table. I unlimited bandwidth. As we can see, in the ideal network
shows the results measured with 112-bit security level, at environment, iTLS creates connections faster than TLS 1.3
which the RSA and ECC certificates used by TLS are 1322 that uses certificate-based authentication. At the security level
bytes and 814 bytes in size, respectively. Each certificate is of 112-bit, the iTLS handshake is about three times faster than
accompanied by a minimal certificate chain of length 2. Since certificate-based TLS. At 128-bit security, the performance
the client and server do not need to transmit Certificate and of iTLS handshake increases by 78% and 60% compared to
Things Journal
5 0
T L S -R S A
performance of iTLS and TLS 1.3. The time that iTLS
4 5 4 4 .8 6
T L S -E C C performs a full handshake is always close to the time PSK-
T L S -P S K based TLS takes to perform a handshake in a packet loss
4 0
iT L S network environment. What’s more, the handshake latency for
3 5
H a n d s h a k e L a te n c y (m s )
iTLS increases more slowly than that for certificate-based TLS

3 0 as the packet loss rate rises. For example, at 128-bit security,
2 5 2 4 .7 6 when the packet loss rate reaches 17.5%, an iTLS, PSK-
2 3 .3 7
2 1 .5 2 based TLS, RSA certificate-based TLS, and ECC certificate-
2 0 based TLS handshake performed on the 1500 MTU link takes
1 5 304.41ms, 290.27ms, 876.63ms, and 769.41ms, respectively.
1 0 9 .9 2 With MTU of 127, the gap between the handshake latencies
7 .4 5 of certificate-based TLS and iTLS is greater. The average
5
1 .3 1 .3
handshake times are 658.74ms, 980.40ms, 12740.72ms, and
0 6787.71ms, respectively. These results are attributed to the
1 1 2 -b it s e c u rity 1 2 8 -b it s e c u rity
avoidance of the delivery of large certificate messages, which
Fig. 4. Time spent completing a full handshake with different security in an could result in many retransmissions for the lost packets. This
ideal network environment. Data shown is measured on 1500 MTU link, data indicates that the connection latency of iTLS that does not use
with MTU 127 is similar. certificates is less affected by the packet loss.
Fig. 7 displays the full handshake latency for iTLS and
TLS on networks with different bandwidth. iTLS achieves
RSA certificate-based TLS and ECC certificate-based TLS, better connection performance than certificate-based TLS in
respectively. The handshake latency is mainly caused by the low-bandwidth networks because of the lower traffic overhead.
processing and transmitting of handshake messages. While the With 64Kbps bandwidth, the average handshake latencies
time to transmit messages is negligible in the ideal network for iTLS, PSK-based TLS, RSA certificate-based TLS, and
environment, iTLS eliminates the processing and verification ECC certificate-based TLS are respective 87.36ms, 68.75ms,
of certificates comparing with the certificate-based TLS. In 993.73ms, and 508.80ms on 1500 MTU link, and respective
addition, the average handshake latency for iTLS is higher than 204.26ms, 87.82ms, 1713.03ms, and 1004.22ms on 127 MTU
that for PSK-based TLS, which also does not need to exchange link at 112-bit security level. At the security level of 128-
and process the Certificate and CertificateVerify messages. bit, the times are respective 81.70ms, 68.75ms, 1235.95ms,
This is because iTLS needs to use the time-consuming pairing and 511.05ms with MTU of 1500, and respective 183.47ms,
operation to calculate the shared secret during the handshake. 87.82ms, 2231.25ms, and 1281.36ms with MTU of 127. In
In contrast, TLS uses the pre-shared key directly as the shared addition, when the bandwidth achieves 256Kbps, the hand-
key. shake latency for iTLS is close to the handshake latency on
Fig. 5 displays the handshake latency for iTLS and TLS the ideal network. This indicates that iTLS is well-suited for
1.3 according to the network latency. The average time each the low-bandwidth network.
handshake takes is plotted in log scale. With increasing 2) 0-RTT connection performance: Fig. 8 shows the
network latencies, the time to transmit messages gradually connection performance ratios between 0-RTT iTLS vs.
dominates during the handshake, so the average handshake certificate-based 1-RTT TLS and 0-RTT iTLS vs. PSK-based
latency for both iTLS and TLS is increasing. However, the 0-RTT TLS. Each connection contains a TCP handshake,
handshake performed by iTLS always takes less time than a handshake for secure channel establishment, and an ap-
certificate-based TLS, especially on the link with MTU of 127. plication data exchange. On the link with MTU of 1500,
The handshake latency for iTLS is slightly higher than that for the performance of iTLS is at least 1.5 times efficient than
TLS with PSK mode, and these two latencies become equal as that of certificate-based TLS. This protocol performance ra-
the network latency increases. In addition, the gap between the tio approaches the number predicted by counting the round
handshake latencies of certificate-based TLS on 127 MTU link trips inherent in each type of connection at high latencies.
and on 1500 MTU link enlarges as network latency increases, The 0-RTT model of iTLS facilitates the full connection
while the handshake latencies for iTLS and PSK-based TLS process to complete in two round trips with one for TCP
have slightly changed with different MTU. At the network handshake, while certificate-based TLS requires three round
latency of 256ms, the handshake of iTLS, PSK-based TLS, trips to perform a full connection. With a lower MTU, the
RSA certificate-based TLS, and ECC certificate-based TLS transmission of large certificates further lowers the connection
performed on the link with MTU of 1500 takes 527.18ms, performance of certificate-based TLS, while iTLS is almost
514.10ms, 623.42ms, and 598.39ms at 128-bit security, respec- unaffected. Thus, as shown in Fig. 8c and 8d, iTLS is 2.5 to
tively. With MTU of 127, the times are 530.58ms, 515.93ms, 4.0 times faster than RSA certificate-based TLS, and about
3094.78ms, and 2083.92ms, respectively. The reason is that 2.0 to 3.5 times faster than ECC certificate-based TLS on 127
the large certificate messages require to be divided into more MTU link. Although PSK-based 0-RTT TLS also completes
fragments, and thus taking more time to transmit on the lower the data exchange in two round-trips, the connection based
MTU link. on iTLS takes more time because of the IDEK calculation.
Fig. 6 shows the impact of packet loss on the handshake However, the time to compute the early key is negligible with
Things Journal
1 0 3
1 0 3
1 0 2
1 0 2
1 0 1
1 0 1
iT L S (M T U : 1 5 0 0 ) iT L S (M T U : 1 2 7 ) iT L S (M T U : 1 5 0 0 ) iT L S (M T U : 1 2 7 )
T L S -R S A (M T U : 1 5 0 0 ) T L S -R S A (M T U : 1 2 7 ) T L S -R S A (M T U : 1 5 0 0 ) T L S -R S A (M T U : 1 2 7 )
T L S -E C C (M T U : 1 5 0 0 ) T L S -E C C (M T U : 1 2 7 ) T L S -E C C (M T U : 1 5 0 0 ) T L S -E C C (M T U :1 2 7 )
T L S -P S K (M T U : 1 5 0 0 ) T L S -P S K (M T U : 1 2 7 ) T L S -P S K (M T U :1 5 0 0 ) T L S -P S K (M T U :1 2 7 )
1 0 0
1 0 0
1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6 1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6
N e tw o rk L a te n c y (m s ) N e tw o rk L a te n c y (m s )
(a) At 112-bit security (b) At 128-bit security
Fig. 5. Comparison of full handshake latency for iTLS and TLS 1.3 on networks with different latencies.
1 6 0 0 1 6 0 0 1 2 0 0 0 1 2 0 0 0
1 4 0 0 iT L S 1 4 0 0 iT L S iT L S iT L S
1 0 0 0 0 1 0 0 0 0
1 2 0 0 T L S -R S A 1 2 0 0 T L S -R S A T L S -R S A T L S -R S A
T L S -E C C T L S -E C C 8 0 0 0 T L S -E C C 8 0 0 0 T L S -E C C
1 0 0 0 1 0 0 0
T L S -P S K T L S -P S K T L S -P S K T L S -P S K
8 0 0 8 0 0 6 0 0 0 6 0 0 0
6 0 0 6 0 0 4 0 0 0 4 0 0 0
4 0 0 4 0 0
2 0 0 0 2 0 0 0
2 0 0 2 0 0
0 0 0 0
0 % 5 % 1 0 % 1 5 % 2 0 % 0 % 5 % 1 0 % 1 5 % 2 0 % 0 % 5 % 1 0 % 1 5 % 2 0 % 0 % 5 % 1 0 % 1 5 % 2 0 %
P a c k e t L o s s R a te P a c k e t L o s s R a te P a c k e t L o s s R a te P a c k e t L o s s R a te
(a) With 112-bit security and MTU of (b) With 128-bit security and MTU of (c) With 112-bit security and MTU of (d) With 128-bit security and MTU of
1500 1500 127 127
Fig. 6. Comparison of full handshake latency for iTLS and TLS 1.3 on networks with different packet loss rates.
1 3 0 0 1 3 0 0 2 2 0 0 2 2 0 0
1 2 0 0 iT L S 1 2 0 0 T L S -R S A 2 0 0 0 T L S -R S A 2 0 0 0 T L S -R S A
1 1 0 0 1 1 0 0
T L S -R S A T L S -E C C 1 8 0 0 T L S -E C C 1 8 0 0 T L S -E C C
1 0 0 0 1 0 0 0 1 6 0 0 1 6 0 0
9 0 0 T L S -E C C 9 0 0 T L S -P S K T L S -P S K T L S -P S K
8 0 0 8 0 0 1 4 0 0 1 4 0 0
T L S -P S K iT L S 1 2 0 0 iT L S 1 2 0 0 iT L S
7 0 0 7 0 0
6 0 0 6 0 0 1 0 0 0 1 0 0 0
5 0 0 5 0 0 8 0 0 8 0 0
4 0 0 4 0 0 6 0 0 6 0 0
3 0 0 3 0 0
2 0 0 2 0 0 4 0 0 4 0 0
1 0 0 1 0 0 2 0 0 2 0 0
0 0 0 0
6 4 1 2 8 2 5 6 5 1 2 1 0 2 4 6 4 1 2 8 2 5 6 5 1 2 1 0 2 4 6 4 1 2 8 2 5 6 5 1 2 1 0 2 4 6 4 1 2 8 2 5 6 5 1 2 1 0 2 4
B a n d w id th (K b p s ) B a n d w id th (K b p s ) B a n d w id th (K b p s ) B a n d w id th (K b p s )
1500 1500 127 127
Fig. 7. Comparison of full handshake latency for iTLS and TLS 1.3 on networks with different bandwidth.
2 .4 x iT L S /T L S -R S A 2 .4 x iT L S /T L S -R S A 4 .0 x 4 .0 x
2 .2 x 2 .2 x iT L S /T L S -E C C
iT L S /T L S -E C C 3 .5 x 3 .5 x
2 .0 x 2 .0 x
P e rfo rm a n c e R a tio
iT L S /T L S -P S K iT L S /T L S -P S K
1 .8 x 1 .8 x 3 .0 x 3 .0 x
1 .6 x 1 .6 x 2 .5 x iT L S /T L S -R S A 2 .5 x iT L S /T L S -R S A
1 .4 x 1 .4 x
1 .2 x 1 .2 x 2 .0 x iT L S /T L S -E C C 2 .0 x iT L S /T L S -E C C
1 .0 x 1 .0 x 1 .5 x iT L S /T L S -P S K 1 .5 x iT L S /T L S -P S K
0 .8 x 0 .8 x 1 .0 x 1 .0 x
0 .6 x 0 .6 x
0 .4 x 0 .4 x 0 .5 x 0 .5 x
1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6 1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6 1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6 1 2 4 8 1 6 3 2 6 4 1 2 8 2 5 6
N e tw o rk L a te n c y (m s ) N e tw o rk L a te n c y (m s ) N e tw o rk L a te n c y (m s ) N e tw o rk L a te n c y (m s )
1500 1500 127 127
Fig. 8. Connection performance ratios between iTLS with 0-RTT model and TLS 1.3.
Things Journal
high network latencies. Thus, the performance ratio of iTLS needed to establish a symmetric shared secret between two
vs. PSK-based TLS gradually approaches 1.0 as the network parties.
latency increases. Wang et al. proposed the self-trustworthy and secure Inter-
net protocol (T-IP) for authenticating and encrypting network
layer communications [19]. T-IP also uses the IP address as the
VI. R ELATED W ORK
public key and assigns the corresponding IBC-based private
Existing research results have demonstrated that ECC and key to the host, thus providing a self-trustworthy IP address.
pairing-based cryptography can be well suited for resource- Based on the T-IP address, two hosts calculate the symmetric
constrained devices [45], [21]. Many works apply IBC for session key through the IDNAKA protocol to encrypt the com-
key management in IoT and WSN. These schemes use IBC munication. The self-trustworthy also provides the secure fea-
to set up pairwise keys between nodes and provide security ture of source accountability and prevents the spoofing source
for end-to-end communication by using the symmetric keys to address. Therefore, T-IP can achieve an authenticated and
protect the data. Szczechowiak and Collier proposed TinyIBE secure data transmission without spending time on credential-
[46], a simple authenticated key distribution mechanism using based authentication or key negotiation. However, T-IP cannot
IBE for heterogeneous WSN. This solution provides only one- provide forward secrecy, since it adopts IDNAKA to establish
way authentication and no forward secrecy. Since pairing- the session key. In addition, the mechanisms operating at the IP
based IDNIKA allows two nodes to establish a shared secret layer generally must be implemented in the operating system
without exchange any messages, Oliveira et al. used IDNIKA kernel.
to bootstrap the security in WSN and proposed TinyPBC [21], Similar to our work, some proposals integrate IBC into the
an efficient implementation of pairing primitives for resource- TLS protocol to accommodate the constrained nature of IoT
constrained sensor nodes. Boujelben et al. also proposed a and WSN. Mzid et al. proposed two modified TLS handshake
key management scheme for heterogeneous WSN based on protocols based on IBC for IP-based WSN [20]. They in-
IDNIKA [22]. However, the IDNIKA protocol cannot defend corporate IBC for authentication to reduce the management
against the key compromise impersonation attack or provide overhead of certificate-based solutions in traditional TLS and
forward secrecy. Cakulev et.al combined the IBE and ECDH improve the TLS handshake performance in terms of latency
and proposed an identity-based authenticated key exchange and energy consumption. The first proposed TLS handshake
scheme that does not suffer from the key escrow problem [25]. still uses ECDH for key exchange but uses the IBS algorithm
This scheme encrypts the exchanged ECDH parameters using to sign the ECDH ephemeral public key for authentication.
IBE to establish the authenticated symmetric key, thus pro- This handshake protocol skips the transfer of certificates,
viding forward secrecy. Qin et al. introduced the Bloom filter thus reduces the number of messages exchanged during the
into the identity-based key management scheme to reduce the handshake. The second proposal goes further by using the
memory overhead of the sensor node for storing other nodes’ IBNIKA protocol instead of ECDH to establish the shared
identities and public keys [47]. Aiming at better efficiency, key. Bilinear pairing allows two nodes to establish the shared
some pairing-free authenticated key agreement protocols are session key without any interaction. This further reduces the
proposed for IoT [37], [38], [39], [48]. To tackle the key number of handshake messages sent. However, the session key
escrow issue, there are also a few identity-based escrow-less established based on the pairing does not satisfy the forward
authentication schemes for IoT by adopting the certificate-less secrecy property. Both handshake protocols are designed based
paradigm [49], [50], [51], [52], [53], [54]. However, many of on TLS 1.2, thus the secure connection is established with two
these schemes are accompanied by complex processing and round trips. In addition, the design of these two protocols does
high latency. not consider compatibility with the original protocol.
Some research works embed identity-based cryptography Wang et al. extended the raw public key mechanism to
into the network layer to provide end-to-end authentication support the identity-based signature algorithm (IBS) [24].
and secure communication for the IoT. Markmann et al. The raw public key is used for authentication in TLS/DTLS
proposed a federated end-to-end authentication mechanism to simplify certificate exchange. With the raw public key
for constrained devices based on IBC [23]. The entire IPv6 mechanism, only entities’ public keys are exchanged during
address of a device is used as its identity, and the powerful the TLS/DTLS handshake, instead of transmitting certificates
border gateway of each subnetwork acts as the TA to assigns or the full certificate chains. However, the binding between
IP addresses and the corresponding private keys to devices in the public key and the entity presenting the key is established
this domain. The messages transmitted are authenticated by through an out-of-band mechanism, which might be challeng-
signing them with a specific IBS algorithm. To enable end-to- ing in IoT networks. Wang et al. use an IBC-based public key
end authentication between nodes from different subnetworks, as the raw public key to simplify this binding. To support IBS
the subnet-ID equal to the cryptographic hash of the TA public algorithms, the entity’s identity as the raw public key is carried
system parameters is embedded into the IPv6 address. The by the certificate message along with the corresponding IBS
embedded hash binds the TA to the subnetwork, preventing algorithm identifier and the PKG public system parameters.
the replacement of the public parameters without changing The CertificateVerify message contains a signature over the
the identity as part of a Man-in-the-middle attack. However, handshake context using the IBS algorithm. Since the TLS 1.3
this authentication mechanism does not provide confidentiality handshake flow is not modified in this way, the shared session
nor perfect forward secrecy, thus an ECDH key exchange is key is still established by the (EC)DHE key exchange, which
Things Journal
also needs 1 round trip to complete the handshake. However, 2) iTLS provides perfect forward secrecy for all protected
this mechanism does not support the 0-RTT model. data, including early data, by exchanging the ephemeral server
Existing works proposed solutions based on the standard- keys in the previous connection; 3) iTLS is easy to deploy
ized protocols to secure the end-to-end communication in because of its full compatibility with the standardized protocol.
IP-based IoT. Raza et al. defined an IPsec extension and Security analysis performed on iTLS shows that the proto-
implemented compressed IPsec for 6LoWPAN to provide col can achieve enhanced end-to-end security. Performance
end-to-end secure communication between IP-based sensor analysis demonstrates the efficient connection performance of
networks and the Internet [55], [56]. Kivinen proposed a iTLS and its strong adaptability to the low-power and lossy
minimal implementation of the Internet Key Exchange version IoT networks. In Future work, we prepare to implement its
2 (IKEv2) protocol for constrained devices [57], which is datagram-oriented version, iDTLS, based on the version 1.3
a component of IPsec that performs mutual authentication of DTLS protocol [28]. We believe that iDTLS can achieve
and establishes security associations. However, this minimal more significant performance improvement for DTLS since
IKEv2 can only interoperate with a full IKEv2 implementation the retransmission mechanism of DTLS for lost handshake
using shared secret authentication. SSNAIL provides security packets operates on all packets in a flight.
for IP-based WSN based on ECC-enable SSL [58], which
uses certificates for authentication. Kothmayr et al. proposed
an IoT security architecture based on the DTLS protocol ACKNOWLEDGMENT
using RSA [12]. To support RSA in sensor networks, the This work is supported by the National Key Research
solution employs TPM assistance on sensor nodes. The IoT and Development Program of China under Grant No.
entities perform a fully authenticated handshake by exchanging 2017YFB0802300 and No. 2018YFB0204301.
their X.509 certificates. Though this solution provides higher
security, it is complex and expensive with respect to deploying
a hardware accelerator to every sensor, especially for a large R EFERENCES
number of sensors. Raza et al. proposed a 6LoWPN header
[1] L. Atzori, A. Iera, and G. Morabito, “Understanding the internet
compression mechanism for DTLS [13], which considerably of things: definition, potentials, and societal role of a fast evolving
reduces the number of transmitted bytes and thus reduces paradigm,” Ad Hoc Networks, vol. 56, pp. 122–140, 2017.
the energy consumption. However, the proposed solution does [2] T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar,
and K. Wehrle, “Security challenges in the ip-based internet of things,”
not propose backward compatibility with the actual DTLS Wireless Personal Communications, vol. 61, no. 3, pp. 527–542, 2011.
standard. [3] P. I. R. Grammatikis, P. G. Sarigiannidis, and I. D. Moscholios, “Secur-
Some solutions use the way of delegating to reduce over- ing the internet of things: Challenges, threats and solutions,” Internet of
Things, vol. 5, pp. 41–70, 2019.
head resulting from certificates in resource-constrained IoT.
[4] G. Liu, W. Quan, N. Cheng, H. Zhang, and S. Yu, “Efficient ddos
Granjal et al. proposed an architecture that supports end-to- attacks mitigation for stateful forwarding in internet of things,” Journal
end security at the transport layer with the DTLS handshake of Network and Computer Applications, vol. 130, pp. 1–13, 2019.
being mediated by a border router [14]. The border router uses [5] M. Ammar, G. Russello, and B. Crispo, “Internet of things: A survey
on the security of iot frameworks,” Journal of Information Security and
certificates for authentication to communicate with the Internet Applications, vol. 38, pp. 8–27, 2018.
host, and negotiates the session with the constrained device [6] K. T. Nguyen, M. Laurent, and N. Oualha, “Survey on secure commu-
through the PSK security mode. All the expensive operations nication protocols for the internet of things,” Ad Hoc Networks, vol. 32,
pp. 17–31, 2015.
(ECC computation, key agreement, etc.) are delegated to the [7] H. Tschofenig and T. Fossati, “Transport Layer Security (TLS) /
border router. Hummen et al. proposed a similar approach [15]. Datagram Transport Layer Security (DTLS) Profiles for the Internet
The full TLS/DTLS handshake is delegated to a rich-resource of Things,” RFC 7925, Jul. 2016. [Online]. Available: https://rfc-
editor.org/rfc/rfc7925.txt
entity, e.g., the gateway or the device’s owner. The session [8] E. Rescorla, “The Transport Layer Security (TLS) Protocol Version
state established by the full handshake is transferred to the 1.3,” RFC 8446, Aug. 2018. [Online]. Available: https://rfc-
constrained device to help it resume the session. Santos et al. editor.org/rfc/rfc8446.txt
[9] C. MacCarthaigh, “Security review of tls1.3 0-rtt,” May 2017. [Online].
proposed a DTLS-based security architecture for the IoT [16], Available: https://github.com/tlswg/tls13-spec/issues/1001
which allows to delegate authentication process to a trusted [10] R. Hummen, J. H. Ziegeldorf, H. Shafagh, S. Raza, and K. Wehrle,
third-party device. However, the delegating method generally “Towards viable certificate-based authentication for the internet of
things,” in Proceedings of the 2nd ACM workshop on Hot topics on
has intricate handshake produce and cannot provide high-level wireless network security and privacy, 2013, pp. 37–42.
security. [11] R. Hummen, J. Hiller, H. Wirtz, M. Henze, H. Shafagh, and K. Wehrle,
“6lowpan fragmentation attacks and mitigation mechanisms,” in Pro-
VII. C ONCLUSION ceedings of the sixth ACM conference on Security and privacy in wireless
and mobile networks. ACM, 2013, pp. 55–66.
In this paper, we have proposed iTLS, a lightweight trans- [12] T. Kothmayr, C. Schmitt, W. Hu, M. Brünig, and G. Carle, “Dtls based
port layer security protocol for end-to-end secure commu- security and two-way authentication for the internet of things,” Ad Hoc
nication in IP-based IoT. Compared with existing solutions, Networks, vol. 11, no. 8, pp. 2710–2723, 2013.
[13] S. Raza, H. Shafagh, K. Hewage, R. Hummen, and T. Voigt, “Lithe:
iTLS is more prominent in three aspects. 1) iTLS minimizes Lightweight secure coap for the internet of things,” IEEE Sensors
connection latency with the fact that it delivers data in the Journal, vol. 13, no. 10, pp. 3711–3720, 2013.
first flight of messages with the protection under the IDEK, [14] J. Granjal, E. Monteiro, and J. S. Silva, “End-to-end transport-layer
security for internet-integrated sensing applications with mutual and
and that it requires no transmission and verification of cer- delegated ecc public-key authentication,” in 2013 IFIP Networking
tificates by providing mutual authentication through IBAKA; Conference. IEEE, 2013, pp. 1–9.
Things Journal
[15] R. Hummen, H. Shafagh, S. Raza, T. Voig, and K. Wehrle, “Delegation- [36] X. Cao, W. Kou, and X. Du, “A pairing-free identity-based authenticated
based authentication and authorization for the ip-based internet of key agreement protocol with minimal message exchanges,” Information
things,” in 2014 Eleventh Annual IEEE International Conference on Sciences, vol. 180, no. 15, pp. 2895–2903, 2010.
Sensing, Communication, and Networking (SECON). Ieee, 2014, pp. [37] S. H. Islam and G. Biswas, “A pairing-free identity-based two-party
284–292. authenticated key agreement protocol for secure and efficient commu-
[16] G. L. dos Santos, V. T. Guimarães, G. da Cunha Rodrigues, L. Z. nication,” Journal of King Saud University-Computer and Information
Granville, and L. M. R. Tarouco, “A dtls-based security architecture Sciences, vol. 29, no. 1, pp. 63–73, 2017.
for the internet of things,” in 2015 IEEE Symposium on Computers and [38] S. Bala, G. Sharma, and A. K. Verma, “Pf-id-2paka: Pairing free identity-
Communication (ISCC). IEEE, 2015, pp. 809–815. based two-party authenticated key agreement protocol for wireless
[17] R. Sakai, K. Ohgishi, and M. Kasahara, “Cryptosystems based on sensor networks,” Wireless Personal Communications, vol. 87, no. 3,
pairing,” in The 2000 symposium on cryptography and information pp. 995–1012, 2016.
security, 2000, pp. 26–28. [39] R. Yasmin, E. Ritter, and G. Wang, “Provable security of a pairing-free
[18] Y. Chen, Q. Huang, and Z. Zhang, “Sakai–ohgishi–kasahara identity- one-pass authenticated key establishment protocol for wireless sensor
based non-interactive key exchange revisited and more,” International networks,” International journal of information security, vol. 13, no. 5,
Journal of Information Security, vol. 15, no. 1, pp. 15–33, 2016. pp. 453–465, 2014.
[19] X. Wang, H. Zhou, J. Su, B. Wang, Q. Xing, and P. Li, “T-ip: A [40] Trusted Computing Group, “Tpm 2.0 library specification.”
self-trustworthy and secure internet protocol,” China Communications, [Online]. Available: https://trustedcomputinggroup.org/resource/tpm-
vol. 15, no. 2, pp. 1–14, 2018. library-specification/
[20] R. Mzid, M. Boujelben, H. Youssef, and M. Abid, “Adapting tls [41] D. H. Krawczyk and P. Eronen, “HMAC-based Extract-and-Expand
handshake protocol for heterogenous ip-based wsn using identity based Key Derivation Function (HKDF),” RFC 5869, May 2010. [Online].
cryptography,” in 2010 International Conference on Wireless and Ubiq- Available: https://rfc-editor.org/rfc/rfc5869.txt
uitous Systems. IEEE, 2010, pp. 1–8. [42] D. McGrew, “An Interface and Algorithms for Authenticated
[21] L. B. Oliveira, D. F. Aranha, C. P. Gouvêa, M. Scott, D. F. Câmara, Encryption,” RFC 5116, Jan. 2008. [Online]. Available: https://rfc-
J. López, and R. Dahab, “Tinypbc: Pairings for authenticated identity- editor.org/rfc/rfc5116.txt
based non-interactive key distribution in sensor networks,” Computer [43] B. Lynn, “Pbc library: The pairing-based cryptography library,” 2019.
communications, vol. 34, no. 3, pp. 485–493, 2011. [Online]. Available: https://crypto.stanford.edu/pbc/
[22] M. Boujelben, H. Youssef, R. Mzid, and M. Abid, “Ikm-an identity based [44] E. Barker, “Recommendation for key management part 1: General
key management scheme for heterogeneous sensor networks.” Journal (revision 4),” NIST special publication, pp. 1–156, Sep. 2015.
of Communications, vol. 6, no. 2, pp. 185–197, 2011. [45] P. Szczechowiak, A. Kargl, M. Scott, and M. Collier, “On the application
[23] T. Markmann, T. C. Schmidt, and M. Wählisch, “Federated end-to-end of pairing based cryptography to wireless sensor networks,” in Proceed-
authentication for the constrained internet of things using ibc and ecc,” ings of the second ACM conference on Wireless network security. ACM,
ACM SIGCOMM Computer Communication Review, vol. 45, no. 4, pp. 2009, pp. 1–12.
603–604, 2015. [46] P. Szczechowiak and M. Collier, “Tinyibe: Identity-based encryption
[24] H. Wang, Y. Yang, X. Kang, and Z. Cheng, “Using Identity as Raw for heterogeneous sensor networks,” in 2009 International Conference
Public Key in Transport Layer Security (TLS) and Datagram Transport on Intelligent Sensors, Sensor Networks and Information Processing
Layer Security (DTLS),” Internet Engineering Task Force, Internet- (ISSNIP). IEEE, 2009, pp. 319–354.
Draft draft-wang-tls-raw-public-key-with-ibc-11, Oct. 2019, work in [47] Z. Qin, X. Zhang, K. Feng, Q. Zhang, and J. Huang, “An efficient
Progress. [Online]. Available: https://datatracker.ietf.org/doc/html/draft- identity-based key management scheme for wireless sensor networks
wang-tls-raw-public-key-with-ibc-11 using the bloom filter,” Sensors, vol. 14, no. 10, pp. 17 937–17 951,
[25] I. Broustis, V. Cakulev, and G. Sundaram, “IBAKE: Identity-Based 2014.
Authenticated Key Exchange,” RFC 6539, Mar. 2012. [Online]. [48] J. Liang, Z. Qin, S. Xiao, L. Ou, and X. Lin, “Efficient and secure
Available: https://rfc-editor.org/rfc/rfc6539.txt decision tree classification for cloud-assisted online diagnosis services,”
[26] P. Li, J. Su, and X. Wang, “itls/idtls: Lightweight end-to-end security IEEE Transactions on Dependable and Secure Computing, 2019.
protocol for iot through minimal latency,” in Proceedings of the ACM [49] M. A. Simplicio Jr, M. V. Silva, R. C. Alves, and T. K. Shibata,
SIGCOMM 2019 Conference Posters and Demos. ACM, 2019, pp. “Lightweight and escrow-less authenticated key agreement for the
166–168. internet of things,” Computer Communications, vol. 98, pp. 43–51, 2017.
[27] M. Fischlin and F. Günther, “Replay attacks on zero round-trip time: [50] C. Li, X. Zhang, H. Wang, and D. Li, “An enhanced secure identity-
The case of the tls 1.3 handshake candidates,” in 2017 IEEE European based certificateless public key authentication scheme for vehicular
Symposium on Security and Privacy (EuroS&P). IEEE, 2017, pp. 60– sensor networks,” Sensors, vol. 18, no. 1, p. 194, 2018.
75. [51] M. E. S. Saeed, Q.-Y. Liu, G. Tian, B. Gao, and F. Li, “Akaiots:
[28] E. Rescorla, H. Tschofenig, and N. Modadugu, “The Datagram Transport Authenticated key agreement for internet of things,” Wireless Networks,
Layer Security (DTLS) Protocol Version 1.3,” Internet Engineering vol. 25, no. 6, pp. 3081–3101, 2019.
Task Force, Internet-Draft draft-ietf-tls-dtls13-34, Nov. 2019, work in [52] S. Chen, M. Ma, and Z. Luo, “An authentication scheme with identity-
Progress. based cryptography for m2m security in cyber-physical systems,” Se-
[29] Z. Shelby, K. Hartke, and C. Bormann, “The Constrained Application curity and Communication Networks, vol. 9, no. 10, pp. 1146–1157,
Protocol (CoAP),” RFC 7252, Jun. 2014. [Online]. Available: 2016.
https://rfc-editor.org/rfc/rfc7252.txt [53] J. Su, D. Cao, B. Zhao, X. Wang, and I. You, “epass: An expressive
[30] A. Shamir, “Identity-based cryptosystems and signature schemes,” in attribute-based signature scheme with privacy and an unforgeability
Workshop on the theory and application of cryptographic techniques. guarantee for the internet of things,” Future Generation Computer
Springer, 1984, pp. 47–53. Systems, vol. 33, pp. 11–18, 2014.
[31] D. Boneh and M. Franklin, “Identity-based encryption from the weil [54] L. Ou, Z. Qin, S. Liao, Y. Hong, and X. Jia, “Releasing correlated
pairing,” in Annual international cryptology conference. Springer, 2001, trajectories: Towards high utility and optimal differential privacy,” IEEE
pp. 213–229. Transactions on Dependable and Secure Computing, 2018.
[32] L. Chen, Z. Cheng, and N. P. Smart, “Identity-based key agreement [55] S. Raza, S. Duquennoy, T. Chung, D. Yazar, T. Voigt, and U. Roedig,
protocols from pairings,” International Journal of Information Security, “Securing communication in 6lowpan with compressed ipsec,” in 2011
vol. 6, no. 4, pp. 213–241, 2007. International Conference on Distributed Computing in Sensor Systems
[33] M. Hölbl, T. Welzer, and B. Brumen, “An improved two-party identity- and Workshops (DCOSS). IEEE, 2011, pp. 1–8.
based authenticated key agreement protocol using pairings,” Journal of [56] S. Raza, S. Duquennoy, J. Höglund, U. Roedig, and T. Voigt, “Secure
Computer and System Sciences, vol. 78, no. 1, pp. 142–150, 2012. communication for the internet of things—a comparison of link-layer
[34] Q. Yuan and S. Li, “A new efficient id-based authenticated key agree- security and ipsec for 6lowpan,” Security and Communication Networks,
ment protocol,” IACR Cryptology ePrint Archive, vol. 2005, p. 309, vol. 7, no. 12, pp. 2654–2668, 2014.
2005. [57] T. Kivinen, “Minimal Internet Key Exchange Version 2 (IKEv2)
[35] S. Wang, Z. Cao, Z. Cheng, and K.-K. R. Choo, “Perfect forward Initiator Implementation,” RFC 7815, Mar. 2016. [Online]. Available:
secure identity-based authenticated key agreement protocol in the escrow https://rfc-editor.org/rfc/rfc7815.txt
mode,” Science in China series F: Information sciences, vol. 52, no. 8, [58] W. Jung, S. Hong, M. Ha, Y.-J. Kim, and D. Kim, “Ssl-based lightweight
pp. 1358–1370, 2009. security of ip-based wireless sensor networks,” in 2009 International
Things Journal
Conference on Advanced Information Networking and Applications

Workshops. IEEE, 2009, pp. 1112–1117.
Pengkun Li currently is a Ph.D. candidate in Col-

lege of Computer, National University of Defense
Technology, Changsha, China. His research interests
include Internet architecture and network security.
Jinshu Su received the B.S. degree in mathematics

from Nankai University, Tianjin, China, in 1985,
and the M.S. and Ph.D. degrees in computer science
from the National University of Defense Technology,
Changsha, China, in 1988 and 2000, respectively. He
is a Professor with the School of Computer Science,
National University of Defense Technology. He cur-
rently leads the Distributed Computing and High
Performance Router Laboratory and the Computer
Networks and Information Security Laboratory. He
also leads the High Performance Computer Net-
works Laboratory, which is a key laboratory of Hunan Province, China. His
research interests include Internet architecture and network security.
Xiaofeng Wang received the ph.D. degree from

the National University of Defense Technology. His
current research interests include trusted network,
network security and distributed intelligent data pro-
cessing.

Jiot 2020 2988126

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Jiot 2020 2988126

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

iTLS: Lightweight Transport Layer Security

the Certificate. Finally, they exchange the Finished message to

B. Handshake Protocol ServerHello

By the bilinearity of the pairing, the client and server can

shared_secret Client Server

= xEK S ||e(xPpub + sk C , EK S + H(I D S )) ClientHello

= xyP||e(xsP, yP)e(xsP, PK S )e(sPK C , yP)e(sPK C , PK S ) Application data*

PKG escrow: In contrast to classical public-key cryptog- 2 wolfSSL. https://www.wolfssl.com/products/wolfssl/

TABLE I CertificateVerify messages, iTLS reduces the traffic overhead

iTLS increases more slowly than that for certificate-based TLS

Conference on Advanced Information Networking and Applications

Pengkun Li currently is a Ph.D. candidate in Col-

Jinshu Su received the B.S. degree in mathematics

Xiaofeng Wang received the ph.D. degree from

You might also like