See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/329514624

IoTeWay: A Secure Framework Architecture for 6LoWPAN based IoT Applications

Conference Paper · December 2018

DOI: 10.1109/GCIoT.2018.8620137

CITATIONS READS
2 331

2 authors, including:

Mohamed Seliem
University College Cork
9 PUBLICATIONS   34 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Privacy preserving in IoT environments View project

Web of Objects View project

All content following this page was uploaded by Mohamed Seliem on 08 December 2018.

The user has requested enhancement of the downloaded file.

 IoTeWay: A Secure Framework Architecture for
6LoWPAN based IoT Applications
Mohamed Seliem, Khalid Elgazzar
Center for Advanced Computer Studies
University of Louisiana at Lafayette, USA
mohamed.seliem1, elgazzar@louisiana.edu
Abstract— Smart devices “things”, connected to the
Internet, form a huge network to bring the physical systems
“humans world” to the information systems “digital world”,
which we call it the Internet of Things (IoT). These smart
devices exist in many applications such as Smart spaces, cities,
grids, health monitoring, smart Industries, car, TV,
networking and big data. Although several customers have
adopted the IoT applications, still its infrastructure faces
major security and privacy challenges. Those challenges lie in
the different communication model layers starting from the
physical layer, ending up in the running application layer, and
passing through the network layer. This paper presents
IoTeWay, a secure framework that targets IoT applications
built on top of IPv6 Low Power Networks. IoTeWay divided
into three main tiers: smart devices tier, platform and
infrastructure tier, and the application tier. Besides, a cloud
supporting tier to serve the large-scale IoT networks. Our
experimental verification, based on Smart homes application,
and our theoretical analysis shows that IoTeWay provides an
excess of security and offers resiliency against famous security
attacks.
Keywords—IoT, Security, Privacy, 6LoWPAN, Network
Architecture.
I. INTRODUCTION
The Internet of Things has been grown and extended to
different domains and applications [1] such as healthcare,
energy, smart cities, Industry, Environment, and
Entertainment. According to the 2017 report of the
International Data Corporation [2], forecasts that in the near
future, billions of smart devices will be capable to speak to
each other, exchange data, and make a decision to actuate the
surrounding environment to provide custom services. A huge
market opportunity with over $19 trillion market share value.
However, as a new evolving technology, IoT faces many
challenges and drawbacks especially in terms of security and
privacy. The reason is that IoT devices collect and exchange
very sensitive and private data about its customers. Further,
many IoT devices are resource constrained for low cost,
which aggravates the security challenge, as they cannot
afford the high resource requirements of complex and
heavyweight traditional security algorithms.
IPv6 Lossy and Low Power Wireless Personal Area
Networks (6LoWPAN) [3] is used to connect such low
power, IPv6 driven nodes and large mesh network to the
internet, which makes this technology a great choice to build
IoT applications. The Internet engineering task force (IETF)
formed a 6LoWPAN working group to define certain
mechanisms (Header compression, fragmentation, and 16-bit
mesh addressing) that allow the transmission of IPv6 packets
over IEEE 802.15.4 (MTU=127 bytes). Over 50 companies
made an effort in trying to standardize a protocol, to run over
6LoWPAN layer, called Thread [4] that optimally connect
and control smart home devices. However, the nature of
6LoWPAN networks requires a special, lightweight, and
distributed security measures to secure and preserve the
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
exchanged in such a constrained network. In this Paper, we
propose IoTeWay, a novel framework that incorporates
security measures for all stack tiers in 6LoWPAN based IoT
applications.
Our framework follows a hierarchical structure and
consists of three tiers with distributed security and privacy-
preserving measures in each tier. (1) The first tier is the
smart devices tier that contains all the resources that collect
or control data. The devices in this tier are highly
heterogeneous and resource constrained, which make them
subject to several attacks such as node capture, timing attack,
replay attack, and mass node authentication problem.
Therefore, we adapt and modify the security mechanisms in
conventional Internet protocols to fit these devices. (2) The
second tier is the platform and infrastructure tier that is
similar to the traditional network tier, where data is
preprocessed to reduce the requirements in the application
tier. Moreover, it contains the 6LoWPAN adaptation layer
where IPv6 packets processed to be ready for transmission
over IEEE 802.15.4 unreliable links. This tier suffers from
general security problems such as unauthorized access,
eavesdropping information, confidentiality or integrity
damage, and Man-in-the-Middle attacks, which threaten data
integrity and confidentiality. Therefore, we set up a cohesive
authentication mechanism with a lightweight public key
infrastructure to secure the end-to-end communication. (3)
Final Tier is the Application Tier that provides necessary
support for the IoT infrastructure such as smart homes,
Internet of Medical devices (IoMT), and intelligent
transportation. IoT applications are versatile and
heterogeneous with varying needs, which oppose a challenge
in providing a standard support. Therefore, in our application
tier, we tackle such a problem by providing non-technical
and technical security measures to preserve users’ privacy.
The contributions of this paper can be summarized as
follows: (1) A lightweight, private, and secure framework
architecture to secure 6LoWPAN based IoT applications. (2)
We build a smart home use case based on our framework for
reliability testing. (3) We provide quantitative arguments to
prove that our framework meets meeting security and
privacy goals such as confidentiality, authenticity,
availability and integrity. The rest of the paper is organized
as follows. Section II provides an overview of the proposed
framework architecture. Section III we develop a smart home
use case based on IoTeWay, explain its components and their
functionality. In section IV, we discuss the security measures
incorporated in the smart home use case. In section V, we
analyze and evaluate the performance of the proposed
framework based on state-of-the-art security measures.
Section VI highlights some of the related work and Section
VII concludes the work presented in this paper.
II. IOTEWAY FRAMEWORK ARCHITECTURE
Figure 1 shows the abstract architecture of the proposed
IoTeWay framework for 6LoWPAN based IoT applications,
which encompasses multiple tiers that interact and exchange
data with each other. Information, management, and physical
security measures are considered for each tier. Therefore,
exchanged data confidentiality and integrity is preserved.
The hierarchical framework structure consists of three tiers
as follows.
A. Smart Devices Tier
This tier consists of all the smart devices in the domain,
which vary according to the application context. For
example, in smart houses (temperature, humidity, and smoke
sensors…etc.). However, in IoMT (heartbeat monitoring,
blood pressure, and pacemakers). In general, these devices
are limited in memory (~Kbytes), processing capabilities (8-
bit Microcontroller units), and energy (battery operated).
Therefore, such resources barely operate a lightweight
operating system and the running application on top of these
devices. Thus, IoTeWay tends to optimize all the operating
systems protocols to allow enough room for implementing
the following security measures: (a) Physical security, we
use IPsec/6LoWPAN extension [5] to secure the
communication channel and protect the data exchanged
between the devices. (b) Management Security: we use
Identity Based Credentials (IBC) for device authentication,
which is only based on the device identity. Besides, applying
lightweight access control to prevent open and unauthorized
access. (c) Information Security: the data collected by these
devices are very sensitive and part of it is personal.
Therefore, data encryption and cryptography techniques are
essential to preserve users’ privacy. The non-linear key based
on displaced calculations, digital signatures, and simplified
hash functions require low computational power compared to
the high level of security and the good data transmission rate,
they provide. In addition, we assume that each smart device
exposes a single credential, which a more capable device
issues, this device operates in the infrastructure layer (e.g.
gateway, or cloudlet). Thus, it can move part of the
encryption overhead to the network edge.
B. Platform and Infrastructure Tier
This tier consists of all the supporting and managing
platforms and infrastructure. The operating devices in this
tier, such as routers, switches, and gateways, have more
processing capability. Therefore, it provides intelligent data
preprocessing to reduce resource requirements at the
application layer. However, due to the heterogeneity and the
huge scale of IoT and its applications, poses some general
security problems related to data integrity and
confidentiality. Although the traditional network protocols
implement highly secured measures, such measures designed
for the traditional internet of people, do not necessarily apply
to the new internet of machines. As such, IoT-oriented
security mechanisms must be considered to fit IoT
applications with the following security measures: (a)
Physical security: we use a Public key infrastructure (PKI) to
encrypt the data exchanged between the operating platforms
in this tier. (b) Management Security: is the most important
measure in this tier, as the function of such an intermediate
tier is to support and manage the data exchanged between the
smart devices in the devices tier. Besides, it manages and
preprocesses the data transmission for the running
application in the application tier.
Information Management Physical
Security Security Security
Application Service Data Security
(smart homes, smart cities…etc.)
Application tier
Application Support tier
(Cloud, Edge, ….etc.)
Platform and
Infrastructure Network transmissions and information
(TCP/IP, UDP, mobile communication,
tier 6LoWPAN)
Smart Devices Device Layer Local Security
tier (Sensor, Actuators, BLE, ZigBee, IEEE 802.15.4)
Secure Secure data Secure data
information in transmissions in
network
streams in the
upper stack layers physical layer
management layers
Figure 1. IoTeWay 3-tiers framework architecture.
Therefore, we utilize network virtualization to reduce the
management complexity. Moreover, adopting IPv6 as the
main network layer protocol makes use and inherits its well-
designed security mechanism. This tier deals with the
transmitted information as chunks or packets. Therefore,
information security is part of the aforementioned
management security measures. However, IoTeWay uses a
cohesive end-to-end authentication to distribute the network-
wide key securely.
C. Application Tier
This tier encompasses two sub-tiers: the supporting tier
where the framework depends on the cloud resources to run
the analytical services, apply the complex security
algorithms, and store the huge amount of the collected data.
Cloud servers and data centers host this sub-tier; the security
of the cloud is out of the paper scoop but [6] contains a
decent guide for securing cloud entities. The other sub-tier is
the application services tier where the support from the
infrastructure tier is used to provide IoT customers with
certain services such as Smart homes, IoMT, Industrial IoT,
Smart cities…etc. the importance of securing this tier is that
it interacts with the customers directly, so any breach or
failure will lead to customers’ dissatisfaction. Although,
different IoT applications target different domains, which
makes it challenging to provide standard security measures
but we provide different security aspects that differ from the
previous tiers. (a) Technical security aspects: we use the
password-authenticated key agreement with asymmetric
elliptic curve technique to create a strong-shared secret
between the application, running in top of application tier
device (commissioner), and the new added smart devices tier
device (joiner). (b) Non-technical security aspects: we
provide security awareness embedded in the user interface
application, which highlights the information regarding
private data collection, potential risks, how to use IoT
services safely, and to avoid private information leakage.
III. IOTEWAY-BASED SMART HOME USE CASE
The smart home is one of many IoT applications that is
widely spread in today’s market. Users install a group of IoT
devices in the surrounding environment to monitor physical
quantities (e.g., temperature, humidity, air pollution), to
enhance their quality of life. In this section, we use our
IoTeWay framework to build a smart home scenario.
 Figure 2: IoTeWay based Smart home Architecture
Figure 2 depicts the architecture for the smart home
application. It primarily relies on three main components
to cover the previously mentioned tiers.
A. Smart mesh devices for constructing the smart home
network
Smart devices (sensing and actuating IoT nodes) that
construct mesh IPv6 Low-Rate Wireless Personal Area
Network (6LoWPAN). Each device implements the
6LoWPAN protocol stack with 6LoWPAN ND, RPL, and
CoAP incorporated. These smart devices marked as a
6LoWPAN node (6LN) and classified into two types:
either a router (6LR) when it supports full functional
capabilities (e.g. routing packets to and from other nodes),
or a host (6LH) when it has reduced functionalities.
Generally, a 6LN has the following capabilities: (1) CoAP
server to submit readings to the gateway. (2) Gateway
client process to construct the network tree. (3) Clients
directory to detect the abnormal events (e.g., the unpaired
client tries to obtain data from the node).
B. Smart home gatway and border router
While smart home border router (6LBR) connects to
peer devices over IEEE 802.15.4, the smart home gateway
connects to the Internet through IEEE 802.11 (WIFI), or
IEEE 802.3 (Ethernet). Both of them operates together to
manage the smart home network and provide the following
capabilities: (1) local managing entity to constructing the
network tree and route the communication packets
between the devices and each other. (2) A gateway to the
cloud interface to support remote users. Furthermore, the
presence of a 6LBR and the gateway at the border of LLN
is essential for several reasons: 1) network isolation to
protect constrained devices from unauthorized access. 2)
Web integration support with secure HTTP access. 3)
Resource caching to provide high availability of resources.
4) Load reduction through data preprocessing (e.g.,
filtering and summarization) for data collected from
constrained devices. 5) Various data formats support,
which are suitable for constrained applications (e.g., XML,
JSON). 6) Privacy policy execution in case of control or
data traffic exchange.
C. Supporting cloud servers and human interaction
interface
IoTeWay leverages a cloud infrastructure to deploy
strict security measures on the cloud for better data
protection, and support large-scale IoT deployment.
Additionally, enable remote users to have control over
their resources and services. The cloud infrastructure
encompasses the different type of servers to (a) connect
users with their devices by establishing a persistent and
secure connection with the server throughout the
communication session. (b) Register users to perform the
authentication and authorization processes. Additionally
create, maintain, validate and refresh access tokens for
registered users. (c) Provide a large storage space to handle
the big collected and exchanged data. The final
component of the architecture is to allow human
interaction with the system, through providing a simple
and yet exciting user interface and experience. IoTeWay
supports different types of interactions such as close by
interaction where users can reach the 6LoWPAN gateway
without need any internet access, or remote interaction
where users are out of reach and in need to have internet
access to benefit from their desired service. The variations
of interactions depend on the application type, therefore in
the smart home application, user choose the way to interact
with the systems provided that he has the privileges and
authority to do so. A web application and mobile
application are provided, which encapsulates the security
measures aforementioned for the application tier.
IV. IOTEWAY-BASED SMART HOME SECURITY
MEASURES
In this section, we provide a closer look at the security
measures, which are incorporated in the IoTeWay smart
home application.
Secure stack protocols: IoTeWay uses well-established
standardized protocols to secure the devices and the
communications in each tier. Those protocols are similar
to traditional protocols but optimized to meet the IoT
requirements. For example, Datagram transport layer
security (DTLS) [7], based on internet TLS, which
provides private and secure communication between
devices and prevents snooping, interfering, or message
falsification. In addition, 6LoWPAN IPsec [5], based on
IPsec, which provides end-to-end security rather than hop
by hop. Besides, it secures all IPv6 communication
(ICMP, UDP and TCP) using the same mechanisms.
Network-wide key: IoTeWay uses both asymmetric and
symmetric key cryptography. First, it uses the public key
algorithm (PKA), which underlies the DTLS protocol, to
transfer the symmetric encryption key (session key) as
PKA does not require a secure channel initially to
exchange the secret session keys between parties. Then,
the same cryptographic key is used for both collected data
encryption and the ciphertext decryption on the receiver
side as symmetric encryption/decryption is simpler and
much faster. Additionally, symmetric key cryptography
provides (a) Integrity protection through the integrity
check tag embedded in each message, which can be
verified at the recipient side. (b) Payload encryption
through scrambling its content to prevent the attacker from
interpreting this content.
Key agreement: when a new device joins the smart home
network, it requires the network-wide key to encrypt its
collected data. However, exchanging the key on the air
without any protection compromises the whole network.
Therefore, we use the password-authenticated Key (PAK)
Diffie-Hellman, a public key algorithm, to distribute the
network key securely. PAK requires both parties the joiner
(new device) and the commissioner (recipient, gateway, or
smartphone) to create their own secret, random numbers
and exchange the exponentiation of their respective
numbers. Then, it creates a high strength shared secret
between both parties that is used to encrypt the
communication of the network-wide key, which makes it
secured against what is called offline dictionary analysis.
Authorization: the newly added device is authorized to
join the smart home network when receiving the network-
wide key from the network gateway or border router.
Initially, the network gateway runs neighbor discovery
protocol [8] and in case of finding new nodes, it consults
the network administrator to decide whether to add or
ignore these nodes. Then, the PAK key is created for the
new node to be able to decrypt the received encrypted key
from the gateway and be authorized. IoTeWay also allows
authorization through allowing the network admin to scan
QR codes from the newly installed device, establish the
public key, and then share this information with the
network gateway. Therefore, the gateway can authorize
this device by sending the network-wide key.
Authentication: IoTeWay implements the authentication
process in each tier. (a) Authentication between the newly
added device and the network border router or gateway
through completing the authorization process.
(b) Authorizing customers to access and control the smart
home services. Users in the network gateway range, who
own a network-wide key, get access through the gateway.
However, users, far from home, have to log in with their
cloud account to verify their credentials and authority in
accessing and controlling the smart home network.
Maintenance: IoTeWay periodically changes the actual
key that secures the network messages. The change
happens through maintaining a system counter that is
combined with the network-wide key to derive this actual
key. Therefore, even if the attackers managed to obtain the
key through brute force, it will be for a limited period.
Privacy and security preserving: In compliance with
GDPR [9] requirements, IoTeWay based smart home
application provides users with the consent of subjects for
data processing. The application that runs on the user
platform (pc or smartphone) implements the privacy
regulations to handle the transfer of the personal data
safely. In addition, the user will be aware of the purpose of
collecting this data, what is used for, why, and who use it.
As well, in case of a data breach, user be notified to ensure
that this breach is revealed and addressed..
V. IOTEWAY FRAMEWORK ANALYSIS
We analyze the security performance of our IoTeWay
framework from two perspectives: prone to security
attacks and the application functionalities. Initially, we
provide a brief theoretical discussion to show the
resistivity of the framework and the explained smart home
use case to security attacks. Further, we study the
computational and communication cost to evaluate the
system performance.
A. Security Analysis
In the following, we describe how IoTeWay based
smart home use case meets the fundamental security
requirements including confidentiality, integrity,
availability, authentication, and customer control.
Confidentiality: only authorized user or device, with a
network-wide key, can decrypt the received encrypted
messages. Our network wide-key and the key agreement
assure such requirement. Additionally, the (PAK) Diffie-
Hellman and the system counter assure the secure
distribution and maintenance of the network key.
Integrity: All system messages are encrypted, and only
authorized data owners can hold the high strength shared
secret. This provides high-security measures even if
communication channels are compromised, which is
unlikely to happen with the secure incorporated protocols.
Availability: IoTeWay considers energy saving and
reducing the communications overhead. 6LoWPAN
protocol stack can set the network devices to communicate
their measurements only when the threshold is reached,
otherwise remain standby, keep monitoring, or sleep. This
increases the device lifetime and improves availability.
Other security requirements such as authentication and
authorization were discussed in the previous section.
Therefore, we will proceed with our theoretical analysis
for the effectiveness of our proposed framework against
famous attacks such as (a) Distributed denial of service
attack (DDOS), in which the invader manages to infect
several smart home devices and exploit them to
overwhelm a targeted network device until it fails. The
IoTeWay-based smart home consists of hierarchical tiers,
each tier equipped with several security measures, which
makes it hard to gain authority offer any network device
without being compromised. For example, the invader has
to crack the network gateway, crack the network key
agreement before being able to communicate with any
network device, and then try to install malware, which is
very hard considering the final security measures deployed
in the device itself. Therefore, we proclaim that the
IoTeWay framework is resilient to DDOS attack. (b)
Linking attack, in which the invader manages to create a
link between the data exchanged through the network to
infer personal information or interests related to
technology users. In IoTeWay, all the communication
between devices through the network is encrypted.
Messages only are decrypted at the application tier to
provide the users with a high-quality service. Therefore,
 invaders only can obtain information through the brute Base IoTeWay based Smart home
force, in this case, the system has the intelligence to 50
identify the security breach and lock the communication
45
flow until the network gets maintained. 42.25
36 39.75

Network overhead(ms)
40

B. Performance evaluation 35 33.5

30
We evaluate our IoTeWay smart home use case and 30 26 25.5
27
compare its performance to the traditional deployment of 25
6LoWPAN smart home network. We use both simulation 19 22

and actual implementation to evaluate the proposed 20

framework over Contiki 3.0. We use the Cooja simulator 15

[10] to define a variable number of randomly deployed 10
nodes to construct the 6LoWPAN, which ranges from 10
5
to 50 nodes per gateway. We run 10 experiments at a 5-
minutes interval and the average is calculated with a 95% 0
confidence interval. Therefore, we can assess the network 10 20 30 40 50

overhead due to the extra packets exchanged between the
devices such as key distribution, authentication, and other
security-related traffic. Such overhead adds time delay to
the packets transmitted through the network.
Figure 3 shows the end-to-end delay due to network
overhead for varying network size. Due to the additional
network management traffic, encryption, and other hashing
operations, our framework adds extra processing time
compared the base 6LoWPAN. However, the extra delay
is in terms of milliseconds (~ 10 to 40 ms). We argue that
with such a non-significant overhead, our framework
provides high security and privacy preserving in
6LoWPAN based IoT applications.
VI. RELATED WORK
Several efforts have been targeted the security
challenges in IoT applications. Authors in [11] bring
together a classification for computing threats and its
countermeasures with respect to reliability and security. In
[12], the ENISA study proposes an end-to-end resilient
security method by providing an ontology that
incorporates different network domains and assists in
hiding the heterogeneity of the underlying infrastructure.
In [13], a secure framework is offered that includes tools
to detect and react to intrusion and security breaches.
However, these efforts are mainly concerned about
separate application domains and rely on human
intervention in order to resolve problems, which cannot be
applicable in huge and dynamic IoT environments.
VII. CONCLUSION
Security of IoT application is a key challenge for the
adoption of the technology, especially in constrained
environments such as 6LoWPAN. In this paper, we
present IoTeWay a secure framework for 6LoWPAN-
based IoT Applications. We present the security measures
for each tier of the framework, and we use a smart home
application built on top of our framework to assess the
reliability and analyze these suggested security measures.
Our analysis and performance evaluation demonstrates that
our framework provides a secure environment with no
Significant overhead on end-to-end delay or energy
consumption. To the best of our knowledge, our
framework is well established to fit in any 6LoWPAN-
based application, even though in this paper we introduced
the smart home use cases, it might be extended to fit other
applications.
Network Size
Figure 3: Network overhead due to the added security requirements
for variable network size
REFERENCES
[1] Lee, In, and Kyoochun Lee. "The Internet of Things (IoT):
Applications, investments, and challenges for enterprises."
Business Horizons 58, no. 4 (2015): 431-440..
[2] Worldwide Internet of Things Forecast, 2017–2021, Sep 2017 |
Doc #US43087717 | Market Forecast. [Online]. Available:
https://www.idc.com/getdoc.jsp?containerId=IDC_P24793
[3] Kushalnagar, Nandakishore, Gabriel Montenegro, and Christian
Schumacher. IPv6 over low-power wireless personal area networks
(6LoWPANs): overview, assumptions, problem statement, and
goals. No. RFC 4919. 2007.
[4] Thread. https://www.threadgroup.org/
[5] Raza, Shahid, Simon Duquennoy, Joel Höglund, Utz Roedig, and
Thiemo Voigt. "Secure communication for the Internet of Things—
a comparison of link‐layer security and IPsec for 6LoWPAN."
Security and Communication Networks 7, no. 12 (2014): 2654-
2668.
[6] Krutz, Ronald L., and Russell Dean Vines. Cloud security: A
comprehensive guide to secure cloud computing. Wiley Publishing,
2010.
[7] Rescorla, Eric, and Nagendra Modadugu. "RFC 6347." Datagram
transport layer security version 1 (2012).
[8] Seliem, Mohamed AM, Khaled MF Elsayed, and Ahmed Khattab.
"Optimized neighbor discovery for 6LoWPANs: Implementation
and performance evaluation." Computer Communications 112
(2017): 73-92.
[9] Team, ITGP Privacy. EU general data protection regulation
(GDPR): an implementation and compliance guide. IT Governance
Ltd, 2017.
[10] Osterlind, Fredrik, Adam Dunkels, Joakim Eriksson, Niclas Finne,
and Thiemo Voigt. "Cross-level sensor network simulation with
cooja." In Local computer networks, proceedings 2006 31st IEEE
conference on, pp. 641-648. IEEE, 2006.
[11] A. Aviienis et al., “Basic Concepts and Taxonomy of Dependable
and Secure Computing,” IEEE Trans. Dependable and Secure
Computing, vol. 1, no. 1, Jan.–Mar. 2004, pp. 11–33.
[12] ENISA, 2011, Ontology and Taxonomies of Resilience,
http://www.enisa.europa.eu/activities/identity-andtrust/technology-
for-resilience/ontology/ontology_taxonomies/
at_download/fullReport.
[13] M. Chora et al., “Ontology-Based Decision Support for Security
Management in Heterogeneous Networks,” LNCS, vol. 5755/2009,
2009, pp. 920–27.

View publication stats