武傳坤 (Wu Chuankun)
School of Information Science and Engineering, Linyi University, Linyi 276000
Special Column on IoT Security Techniques
The concept of the Internet of Things (IoT) was proposed more than 20 years ago; in China, serious attention to IoT technology and industry began after 2009. Since 2009 the state has given IoT-related fields strong attention and support, both in policy and in funding. The IoT concept passed through an initial phase of hype, then a cooling-off phase, and then a phase of gradual adoption, as IoT technologies and products slowly moved from the abstract to real industrial applications. IoT systems and technologies are used not only in many industry sectors but have also quietly entered people's daily lives: smart homes, smart transportation, smart healthcare, and smart cities are all products of IoT technology that people can feel in their everyday lives.
As with other network-related information technologies, security and privacy are indispensable technical underpinnings of IoT systems. However, although IoT technology and industry are developing rapidly, IoT security is like a balloon: it floats high, tethered to the ground by only a thin string. On one hand, IoT security is a problem whose results are not visible; when economic indicators are the measure it is not competitive, and enterprises see no obvious return on what they spend on IoT security, so they lose the motivation to invest in it. On the other hand, lightweight IoT security techniques are not yet mature, so the application of security techniques in IoT devices and IoT application systems is very limited.
As IoT technology and the scale of the IoT industry grow, network security incidents will inevitably affect IoT systems, and IoT security incidents will have a greater impact on society. The large-scale distributed denial-of-service (DDoS) attack on the east coast of the United States in October 2016 marked the start of typical IoT device security incidents; it alerted IoT device manufacturers who had been trusting to luck that judging hackers' attack capabilities from one's own standpoint may exact a heavy price.
On 1 June 2017 the national Cybersecurity Law came into force, marking China's entry into an era in which networks are governed and network security is protected according to law. On 26 October 2019 the 14th session of the Standing Committee of the 13th National People's Congress passed the Cryptography Law, which came into force on 1 January 2020. These two laws provide strong policy protection for the supporting role of cryptographic technology in securing the network era, and will also promote policy making, industrial investment, technology development, and application in the related fields.
在這樣一個(gè)背景下, 我們有幸在《密碼學(xué)報(bào)》組織一個(gè)《物聯(lián)網(wǎng)安全技術(shù)專欄》, 旨在將有關(guān)專家近期在物聯(lián)網(wǎng)安全領(lǐng)域的研究成果進(jìn)行小規(guī)模的集中, 使物聯(lián)網(wǎng)安全問(wèn)題得到國(guó)內(nèi)學(xué)者更多關(guān)注.該專欄共收錄4 篇論文, 分別簡(jiǎn)介如下:
論文《物聯(lián)網(wǎng)認(rèn)證協(xié)議綜述》, 介紹了物聯(lián)網(wǎng)認(rèn)證協(xié)議研究的背景以及近幾年物聯(lián)網(wǎng)認(rèn)證協(xié)議的研究進(jìn)展, 分析了物聯(lián)網(wǎng)認(rèn)證協(xié)議與傳統(tǒng)計(jì)算機(jī)網(wǎng)絡(luò)認(rèn)證協(xié)議的不同, 指出了物聯(lián)網(wǎng)認(rèn)證協(xié)議中常用的技術(shù)和數(shù)學(xué)方法, 然后從用戶與設(shè)備認(rèn)證、設(shè)備與服務(wù)器認(rèn)證、設(shè)備與設(shè)備認(rèn)證三個(gè)方面來(lái)介紹物聯(lián)網(wǎng)認(rèn)證協(xié)議研究的最新研究成果, 最后討論了物聯(lián)網(wǎng)認(rèn)證協(xié)議的未來(lái)研究方向.
The paper "Research on trader identity management scheme based on Augur" studies blockchain from the perspective of Augur's identity management technology, explores identity management schemes for blockchain applications and their potential risks, and proposes a security solution based on reputation assessment to address the potential risks of Augur's identity management scheme and attacks that exploit its design flaws. The solution selects six reputation indicators and three reputation calculation methods, giving traders a reputation basis for choosing valid markets and for other Augur trading activities.
The paper "A PUF-based ultra-lightweight ownership transfer protocol for low-cost RFID tags" addresses the many security and privacy problems found in RFID tag ownership transfer protocols, such as loss of data integrity, physical cloning attacks, and desynchronization attacks, by designing an ultra-lightweight RFID tag ownership transfer protocol based on physically unclonable functions (PUFs). The protocol needs no trusted third party: ownership is transferred through communication between the tag's original owner and its new owner. It provides mutual authentication between the original owner and the tag before the transfer, and between the new owner and the tag after the transfer. A formal security analysis of the protocol shows that it guarantees the security of the exchanged messages and data privacy during communication.
The paper "A primary study on the OT security of IoT" introduces the concept of operational security (OT security), explains why operational security in the IoT differs from traditional information network security, and points out that traditional network security mainly protects information, whereas operational security protects control. Besides protecting information security, IoT systems also need protection techniques for operational security. Operational security concerns the security of the process in which information is turned into physical actions; its protection goals differ from those of traditional information security, though many implementation techniques are similar. The paper analyzes the concept of operational security and the characteristics of its protection techniques, points out the essential difference between IoT operational security and traditional information security, and lists some technical problems of OT security in the IoT field.
The papers in this column comprise one survey paper, two papers on security scheme design, and one paper that further examines some new concepts. For a field as new and dynamic as IoT security, they are far from representing the state of domestic research. Nevertheless, we hope this column will draw more researchers' attention to IoT security, better promote research in the field, and further advance the industrial application of IoT security techniques.
The concept of the Internet of Things (IoT for short) has been proposed for over 20 years. The booming development of IoT techniques and industrial applications in China started in 2009. Since then, the Chinese government has paid much attention and given much support, both in policy making and in financial support. The development of IoT has gone through the processes of concept proposal and initial interest, enthusiasm cooling down, and gradual application. Now IoT-related applications cover a large variety of industries. IoT techniques and applications have also entered our everyday life, such as smart home, smart transport systems, WIT120 (smart healthcare), and smart city.
As in other network-related information technology, security and privacy in IoT systems are core components. However, irrespective of the rapid development of IoT techniques and industrial applications, IoT security techniques are like balloons: flying in the sky with a thin string connected to the ground. The reasons for this situation include the following: on one hand, IoT security has an invisible effect and is less attractive when the financial figure is the most significant measure, hence industries do not have much interest in paying for IoT security services, and the government has also been very careful in investing in this field. On the other hand, many IoT security techniques need to be lightweight, such techniques are far from mature, and hence the application of IoT security techniques to IoT applications has been very limited.
With the development of IoT techniques and IoT industries, network security events will inevitably affect IoT application systems. IoT security events may have a more serious social effect than traditional network security events. For example, in October 2016, the US east coast experienced a large-scale DDoS attack in which a large number of IoT devices were involved, which awakened many manufacturers of IoT devices who used to trust to luck that IoT security problems would not arise so soon. The security event warns IoT device manufacturers that a painful price may have to be paid if the hackers' attack capability is underestimated.
In 2017, the "Network Security Law" was put into effect, which indicates that China has entered the era in which networks are managed according to the law. In 2019, China launched the "Cryptography Law", which took effect on 1 January 2020. These two laws provide strong policy support to the application of cryptographic techniques in this networked world, and will further foster new policies, industry investment, technology development, and applications.
Against such a background, it is our honor to organize this special column, "Security Techniques in Internet of Things", for the Journal of Cryptologic Research, aiming at collecting recent research results in the field of IoT security from relevant researchers, hence attracting more researchers to pay attention to IoT security. This special column includes 4 papers, introduced as follows:
The paper titled "A survey on authentication protocol for Internet of Things" introduces the background and some recent research progress of authentication protocols for the Internet of Things. The paper analyzes the differences between IoT authentication protocols and traditional computer network authentication protocols, and summarizes the techniques and theoretical methods commonly used in IoT authentication protocols. It introduces some of the most recent research results on IoT authentication protocols from three aspects: authentication protocols between a user and an IoT device, between an IoT device and a server, and between IoT devices. Some future research directions are also discussed.
The paper titled "Research on trader identity management scheme based on Augur" studies the application of Augur's identity management techniques in blockchain applications, explores some potential risks of identity management techniques in blockchain applications, and proposes a security solution based on reputation assessment for Augur's identity management scheme. The proposed scheme selects 6 credit indicators and 3 credit calculation methods to provide a credibility basis for traders to choose effective markets and other Augur trading activities.
The paper titled "A PUF-based ultra-lightweight ownership transfer protocol for low-cost RFID tags" proposes an ultra-lightweight ownership transfer protocol for low-cost RFID tags based on physically unclonable functions (PUFs). The proposed protocol addresses various security and privacy issues in RFID tag ownership transfer protocols, such as data integrity destruction, physical cloning attacks, and desynchronization attacks. In the proposed protocol, the current owner and the new owner of an RFID tag communicate directly to complete the ownership transfer, and do not need to rely on a trusted third party. The proposed protocol achieves mutual authentication between the current owner of the tag and the tag before the completion of the ownership transfer, and mutual authentication between the new owner of the tag and the tag after the completion of the ownership transfer. Formal security analysis shows that the proposed protocol ensures the security of the exchanged information and data privacy in the process of communication.
The paper titled "A primary study on the OT security of IoT" introduces the concept of operational security (OT security for short) and discusses the necessity of OT security in IoT systems apart from information security (known as IT security). OT security is a security technique for the process of converting information into physical actions, where the purpose of security protection is different from that of traditional information systems. The paper points out some essential differences between OT security and traditional IT security. Some possible research topics on OT security for IoT are listed.
The above-mentioned papers in this special column on IoT security techniques include one survey paper, two papers on security protocol design, and one paper that further discusses new concepts. For the new and active field of IoT security, these papers are far from sufficiently representing the current research status in China. Nevertheless, it is hoped that this special column of the JCR can attract more researchers to pay attention to the field of IoT security, hence promoting advances in IoT security research and the industrial applications of IoT security techniques.