WO2020082228A1 - Method and apparatus for attesting physical attacks - Google Patents

Method and apparatus for attesting physical attacks

Info

Publication number
WO2020082228A1
Authority
WO
WIPO (PCT)
Prior art keywords
heartbeat message
session key
interval
neighbor
neighbor device
Application number
PCT/CN2018/111407
Inventor
Anmin Fu
Jingyu FENG
Original Assignee
Nokia Technologies Oy
Nokia Technologies (Beijing) Co., Ltd.
Application filed by Nokia Technologies Oy, Nokia Technologies (Beijing) Co., Ltd.
Priority to US17/287,405 (US20220021690A1)
Priority to CN201880098928.4A (CN112889239A)
Priority to PCT/CN2018/111407 (WO2020082228A1)
Priority to EP18937799.7A (EP3871364A4)
Publication of WO2020082228A1

Classifications

    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/037Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices

Definitions

  • Embodiments of the disclosure generally relate to information technology, and more particularly, to attestation for physical attacks for devices in a network.
  • IoT: Internet of Things
  • remote attestation usually follows a challenge-response mechanism. It allows a trusted party (also referred to as the verifier) to send a challenge to other untrusted and possibly compromised parties (also referred to as provers). Each prover generates a response according to the challenge and its current operating status. Finally, the verifier can determine the prover’s status via the response and some previous knowledge.
  • a method implemented at a first device may comprise receiving a first heartbeat message from a neighbor device at a periodic interval.
  • the first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval.
  • the method further comprises decrypting the received first heartbeat message based at least in part on a session key of the first device for the current interval.
  • the method further comprises determining whether the neighbor device is physically compromised at least based on the first heartbeat message.
  • the periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
  • the method may further comprise obtaining the first key material from the decrypted first heartbeat message; and updating the session key of the first device for the next interval based at least in part on the first key material.
  • the method may further comprise obtaining the session key of the first device for the current interval from a network managing device.
  • when no first heartbeat message is received from the neighbor device within the current interval, or the received first heartbeat message is not successfully decrypted, or the decrypted first heartbeat message is not valid, the neighbor device may be determined to be physically compromised.
  • the method may further comprise: sending a report to a network managing device indicating that the neighbor device is suspected of being physically compromised.
  • the method may further comprise doing a self-measurement of software integrity at the first device; and sending a result of the self-measurement of software integrity to the network managing device.
  • the method may further comprise generating and sending a second heartbeat message to the neighbor device at the periodic interval.
  • the second heartbeat message may be encrypted with the session key of the first device for the current interval.
  • the second heartbeat message may comprise a second key material for updating the session key of the first device for the next interval.
  • the method may further comprise updating the session key of the first device for the next interval based at least in part on the second key material.
  • the receiving of the first heartbeat message may be timed within a period from a start of the current interval, and the sending of the second heartbeat message may be timed within the period from the start of the current interval.
  • the updating of the session key of the first device for the next interval based at least in part on the second key material may be executed after the decrypting of the received first heartbeat message, or an expiration of the period from the start of the current interval, whichever occurs earlier.
  • the method may further comprise keeping synchronization between the first device and the neighbor device for the transmission of the first heartbeat message and the second heartbeat message.
  • the first heartbeat message may further comprise an identifier of the neighbor device.
  • the key material for generating a session key may comprise a nonce.
  • both the first device and the neighbor device may be internet of things devices.
  • an apparatus may comprise at least one processor, at least one memory including computer program code, the memory and the computer program code configured to, working with the at least one processor, cause the apparatus to receive a first heartbeat message from a neighbor device at a periodic interval.
  • the first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval.
  • the apparatus is further caused to decrypt the received first heartbeat message based at least in part on a session key of the first device for the current interval, and determine whether the neighbor device is physically compromised at least based on the first heartbeat message.
  • the periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
  • a computer readable storage medium on which instructions are stored; when executed by at least one processor, the instructions cause the at least one processor to perform the method according to the first aspect.
  • Fig. 1 schematically shows a network in which embodiments of the present disclosure can be implemented
  • Fig. 2 is a flow chart depicting a method according to an embodiment of the present disclosure
  • Fig. 3 is a flow chart depicting a method according to an embodiment of the present disclosure
  • Fig. 4 is a diagram depicting a procedure for attesting physical attacks in a network according to some embodiments of the present disclosure.
  • Fig. 5 shows a simplified block diagram of an apparatus according to an embodiment of the present disclosure.
  • the terms “network” and “communication network” refer to a wired or wireless network.
  • the wireless network may follow any suitable communication standards, such as new radio (NR), long term evolution (LTE), LTE-Advanced, wideband code division multiple access (WCDMA), high-speed packet access (HSPA), and so on.
  • NR: new radio
  • LTE: long term evolution
  • WCDMA: wideband code division multiple access
  • HSPA: high-speed packet access
  • the communications among devices in the network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either now known or to be developed in the future.
  • the terms “first”, “second” and so forth refer to different elements.
  • the singular forms “a” and “an” are intended to include the plural forms as well, unless the context clearly indicates otherwise.
  • the term “based on” is to be read as “based at least in part on”.
  • the terms “one embodiment” and “an embodiment” are to be read as “at least one embodiment”.
  • the term “another embodiment” is to be read as “at least one other embodiment”.
  • Other definitions, explicit and implicit, may be included below.
  • a light-weight protocol is proposed to take advantage of absence detection to identify suspected devices.
  • Each device periodically emits a heartbeat message that needs to be received, verified and logged by every other device in the network.
  • the number of sent messages per heartbeat period is O(n²), where n is the total number of devices in the network. This will cause a larger amount of energy consumption and longer run time in a large network.
  • each device needs to record all heartbeat messages of others, which increases the consumption of memory space.
  • a same hash value generated by a leader device is used as the heartbeat message.
  • Each device having two correct heartbeat messages would be regarded as a physically healthy one. It reduces the communication complexity from O(n²) in DARPA to O(n).
  • the current heartbeat message relies on the leader device; whenever the leader device is compromised, it will cause a so-called single point of failure problem. Thus it must spend more time and energy to select a new leader.
  • Existing attestation schemes resilient to physical attacks further have a lot of problems in security and efficiency.
  • the problems lie in the following four aspects. Firstly, existing attestation schemes lack a quick response to the potentially compromised devices. Specific compromised devices can only be known after a periodic attestation. When one compromised device comes back during such periodic interval, it can execute other attacks easier and quicker. It poses a serious security hole.
  • the existing attestation schemes may occupy too much memory or suffer from single point failure. The existing attestation schemes either let each device record all heartbeat messages, which wastes too much memory, or let each device just record the heartbeat message from the lead device, which may cause single point failure.
  • IoT devices are limited in memory and single point failure will cause great security problem.
  • the existing attestation schemes may bring relatively high communication overhead of a heartbeat protocol.
  • the run-time will increase with the number of devices in the network, which may cause great time consumption in large network.
  • the existing attestation schemes mostly authenticate other devices by verifying signatures or through a challenge-response mode. It will cause much time wasting.
  • This disclosure presents an efficient attestation scheme for devices that is resilient to physical attacks.
  • physical attacks on any device in the network will require taking the device offline for a certain time.
  • an attestation scheme is designed, in which heartbeat messages are generated and transmitted between verifier and prover in a periodic interval smaller than the minimum time an adversary needs to physically attack one device. Every device can both serve as verifier and prover.
  • neighbor devices are utilized to serve as verifiers to attest the prover.
  • FIG 1 shows a network in which embodiments of the present disclosure can be implemented.
  • D_1, D_2, ..., D_7 are devices in the network, such as IoT devices. These devices can communicate with each other through the communication links as shown in figure 1.
  • each device in the network can serve as a verifier to verify the presence of its neighbor devices.
  • each device in the network can serve as a prover to be verified by its neighbor devices.
  • D_1 is connected with D_2, D_4 and D_5 with a one-hop communication link, and thus D_2, D_4 and D_5 are neighbor devices of D_1.
  • D_1 can be configured to receive heartbeat messages sent from D_2, D_4 and D_5 periodically, and verify whether D_2, D_4 and D_5 are compromised by a physical attack.
  • D_1 can be further configured to send heartbeat messages to D_2, D_4 and D_5 periodically, so that D_2, D_4 and D_5 can receive heartbeat messages from D_1 to verify whether D_1 is compromised by a physical attack.
  • the network may comprise more or fewer devices.
  • the network can further comprise a device for network managing and operating, as depicted by the node O in figure 1.
  • this device may be a device of the network’s owner. In some other embodiments, this device may be a leader device among the IoT devices.
  • the node O can be configured to manage the devices in the network. In some embodiments, the node O can be configured to receive reports of the attestation of physical attacks from devices in the network.
  • Figure 1 shows an exemplary scenario where D_2 is the device that is physically attacked. Its neighbor devices D_1 and D_4 may detect an absence of D_2, and then report absence messages to the node O.
  • Each device in the network can be provided with a write-protected real-time clock, so that each device can execute the attestation periodically in a synchronized manner.
  • These clocks may be loosely synchronized with one clock, such as the clock of the node O.
  • δt represents a maximum clock skew between any two devices in the network.
  • Figure 2 illustrates a flow chart depicting a procedure executed by a first device for attesting physical attacks according to an embodiment of the present disclosure.
  • the first device can receive a heartbeat message from a neighbor device at a periodic interval. This periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
  • the heartbeat message is encrypted with a session key of the neighbor device for a current interval.
  • the session key may be updated for each interval of heartbeat message transmission between the neighbor device and the first device.
  • the heartbeat message comprises key materials for updating the session key for a next interval.
  • the first device can decrypt the received heartbeat message based at least in part on the session key of the first device for the current interval.
  • the session key for the current interval may be allotted by a network managing device, such as node O shown in figure 1.
  • an initial session key may be allotted when the first device or the neighbor device enters the network.
  • heartbeat messages are transmitted periodically.
  • the heartbeat message transmitted in a last interval may comprise key materials for updating the session key for a current interval.
  • the session key for the current interval may be derived from a last heartbeat message received from the neighbor device in the last interval.
  • the first device can determine whether the neighbor device is physically compromised based on the heartbeat message. In this regard, if no heartbeat message is received or correctly received from the neighbor device within the current interval, it can be determined that the neighbor device is physically compromised. For example, if the heartbeat message is not successfully decrypted, or the decrypted heartbeat message is not valid, it can be determined that the neighbor device is physically compromised.
  • the first device can send a report to a network managing device, such as the node O in figure 1, indicating that the neighbor device is suspected of being physically compromised.
  • the first device can further do a self-measurement of software integrity, and send a result of the self-measurement to the network managing device.
  • the self-measurement can be utilized to avoid false report.
  • the self-measurement can be triggered in response to a request from the network managing device.
  • the first device can obtain the key materials from the decrypted heartbeat message, and partly update the session key of the neighbor device for a next interval based at least in part on the key material. Then, the first device can wait to receive a next heartbeat message in the next interval.
  • the first device can serve as a prover.
  • the first device can generate a heartbeat message and send it to its neighbor device at a periodic interval.
  • This periodic interval is set to be smaller than a minimum time of a physical attack on the first device.
  • This periodic interval is set to be the same as the periodic interval of the heartbeat message of the neighbor device.
  • the first device can be synchronized with its neighbor device, so that they transmit heartbeat messages essentially at a same time.
  • all devices in the network can take a same periodic interval for transmitting heartbeat message and executing the attestation for physical attack.
  • This heartbeat message is encrypted with a session key of the first device for a current interval, and comprises a key material for updating the session key of the first device for a next interval.
  • each device will change its session key each time it sends its heartbeat message, in each interval.
  • the first device may update its session key for the next interval based at least in part on the key material after the decryption of the heartbeat message received from its neighbor device for the current interval. For example, the first device may update its session key when generating the heartbeat message for the next interval.
  • its neighbor device can verify whether the first device is physically compromised, in a similar way as discussed with respect to blocks 210 to 250.
  • the schemes of this disclosure introduce an accusation mechanism.
  • the network owner can only know such compromised devices after a periodic attestation.
  • a physically compromised device coming back to the network during the attestation period may easily bypass such attestation, because such devices have better computing capabilities.
  • the attestation is executed at a periodic interval smaller than a minimum time of a physical attack. The network owner can know the physically compromised devices as early as possible.
  • the schemes of the disclosure introduce a distributed attestation mode.
  • the current attestation models either make each device record all heartbeat messages, which causes a large waste of memory, or let one device spread heartbeat messages to many others, which causes a single point of failure.
  • the schemes of the disclosure adopt the distributed attestation model, in an IoT network, for example.
  • the neighbor devices are utilized to attest the prover, so that it can reduce the waste of memory and also prevent a single point of failure.
  • the schemes of the disclosure can utilize a loosely synchronized clock, so that each device can execute the attestation at the same time.
  • the execution time for attestation of the whole network will only be affected by the number of neighbor devices.
  • some devices must wait for some event coming from other devices to trigger their corresponding events. It may cause great time consumption in a larger network.
  • the schemes of the disclosure introduce a zero-round authentication method.
  • in each attestation round in an interval, only one heartbeat message needs to be transferred from a prover to a verifier.
  • Current attestation schemes usually follow the challenge-response mechanism, which causes extra energy and time consumption in communication.
  • the schemes of the disclosure utilize a session key to authenticate one device, and the session key will change with each heartbeat message sent. This also helps to prevent impersonation attacks.
  • FIG 3 shows a flow chart depicting an exemplary attestation procedure in a device according to an embodiment of the present disclosure.
  • the attestation procedure for physical attacks can be executed at different time points.
  • the procedure can be divided into four phases, comprising an Offline phase 310, a Heartbeat phase 320, a Report phase 330 and a Check phase 340.
  • devices can be configured or initialized with initial parameters.
  • a device (denoted as D_i) may be deployed into a network (as shown in figure 1), for example, by the owner of the network. Before the deployment, it can be assumed that all devices are in a healthy state. Before a device D_i joins the network, the owner (e.g. the node O in figure 1) may allot a symmetric key dk_i, an asymmetric key pair (pk_i, sk_i) and a distinct identifier id_i to the device D_i.
  • the device D_i can join the network, i.e., the new device establishes connections to all neighbor nodes.
  • the owner’s node O may inform all its neighbors about the identifier id_i of the new device D_i, and inform the new device D_i of its neighbors’ identifiers. Meanwhile, the owner’s node O may allot a session key to each pair of neighboring devices for data transmission between the pair of neighboring devices.
  • the session key is a symmetric key. For example, k_ij can be used to represent the session key held in D_i for the data transmission between D_i and D_j, while k_ji can be used to represent the session key held in D_j for data transmission between D_i and D_j.
  • Both of the neighboring devices D_i and D_j can obtain the pair of session keys (k_ij, k_ji).
  • the session key between a pair of neighboring devices has the same value, because the session key is a symmetric key.
  • every device may record a value D_i_present for each of its neighbor devices D_i, which indicates the presence of neighbor device D_i. For example, when the new device D_i joins the network, its neighbor device D_j may set a value D_i_present to indicate that the device D_i is in a healthy state.
  • D_2 is a new device to be deployed in the network.
  • the node O may inform D_1 and D_4 of D_2’s identifier id_2, and inform D_2 of D_1’s identifier id_1 and D_4’s identifier id_4.
  • the node O may allot a pair of initial session keys (k_12, k_21) to the neighboring devices D_1 and D_2, and allot a pair of initial session keys (k_42, k_24) to the neighboring devices D_4 and D_2.
  • the device D_2 can enter a heartbeat phase 320.
  • devices in the network can serve as verifiers and provers by distributing heartbeat messages between neighbor devices.
  • each device periodically sends a message (called heartbeat) to its neighbor devices.
  • the periodic interval is T_hb, with T_hb < T_cap, where T_cap denotes the minimum time an adversary needs to physically attack one device.
  • Neighbor devices can claim that a device that is offline for more than T_hb + δt is physically compromised.
  • the heartbeat phase can be timed within a period from a start of every periodic heartbeat interval. The period can be extended from a start of an interval till a maximum time needed for heartbeat message transmission has expired.
  • when TimeStart(t) is satisfied, i.e., T_lasthb + T_hb + T_acc ≥ t ≥ T_lasthb + T_hb, every device executes these algorithms for neighbor devices.
  • T_lasthb represents a last execution time of attestation. For example, it can be a start time for the last heartbeat phase in the last periodic heartbeat interval.
  • T_acc represents a maximum time needed for transmission of a heartbeat message. Since the heartbeat message is transferred between neighbor devices, T_acc can be very small. Obviously, T_acc is smaller than T_hb.
  • once the current time t satisfies the function TimeStart(t), a device D_i can be triggered to execute GenHeartbeatMsg(neighbors) to generate a heartbeat message for each of its neighbor devices D_j, as shown in block 322.
  • D_i can randomly choose a nonce n_i.
  • D_i can encrypt its id_i and n_i with the session key k_ij.
  • D_i sends its heartbeat message hb_ij to each neighbor device D_j, as shown at block 323.
  • a device D_j can be triggered to execute GenHeartbeatMsg(neighbors) to generate a heartbeat message for each of its neighbor devices D_i.
  • device D_j can send the heartbeat message hb_ji to its neighbor device D_i.
  • VerHeartbeatMsg(hb_ji) = 1
  • the device D_i can execute UpdatePartOfKey(k_ij, hb_ji), to partly update its session key k_ij.
  • the device D_i can extract the nonce n_j from hb_ji, and update the session key k_ij based at least in part on the extracted nonce, for example by
  • As shown by the arrow from block 327 to block 321, the device D_i can wait for the next heartbeat period at block 321.
  • each healthy neighbor device will also update its session key based at least in part on the nonce sent to its neighbor.
  • the device D_i can execute UpdateKey(neighbors), to further update each of its session keys k_ij, for example by using its nonce n_i through
  • As k_ij has been partly updated with UpdatePartOfKey(k_ij, hb_ji), the relation between the session key of the current interval and the session key of the next interval can be defined as:
  • the neighbor device D_j can also execute UpdatePartOfKey(k_ji, hb_ij) by using the nonce n_i in the heartbeat message from D_i, and execute UpdateKey(neighbors) by using its own nonce n_j, to update its session key k_ji, so that its new session key of the next interval can be defined as:
  • D_i and D_j can hold a same symmetric key at each interval, if
  • the nonce n_j can be generated by D_j itself, for example when it generates the heartbeat message hb_ji for the current heartbeat period. Alternatively, the nonce n_j can be generated after a VerHeartbeatMsg(hb_ji) of the last heartbeat period has been executed.
  • the updated session key from UpdateKey(neighbors) will be used to encrypt and decrypt a next heartbeat message to be transferred between D_i and D_j in a next heartbeat interval.
  • a session update with UpdateKey can be executed after the device has receiving all healthy neighbors’heartbeat messages.
  • every device can use the session key to identify each other, since the session key changed with the heartbeat message sending.
  • the device that was absent during the last heartbeat period will have a different session key from its neighbors. For example, when D j was physically attacked, D j was offline during the last interval. Then, it cannot get the heartbeat message from D i .
  • D j can only update the session key k ji once for the current heartbeat interval. Then, the two devices can’t communicate with each other.
  • the session key k ji will never be the same as the session key k ij .
  • Without correctly decrypting, with D i ’s session key k ij , a heartbeat message hb ji which is encrypted with session key k ji , D i can determine that D j is suspected of being physically attacked. Without receiving a correct heartbeat message from D j , D i cannot derive the new session key for a next heartbeat period. Then, the two devices can’t communicate with each other. In another example, when D j was physically attacked, D j cannot send a heartbeat message to D i or cannot send a correct heartbeat message to D i . None of its neighbors can receive its heartbeat message, so D j has different session keys from all of its neighbors. So D j cannot decrypt any heartbeat message in the network.
  • VerHeartbeatMsg (hb ji ) 0, it means that the neighbor device D j is suspected of being physically compromised. Then, the device D i can proceed to a report phase 330 to report one absence message to the network owner (such as node O) . In an embodiment, the device D i can proceed to the report phase 330 after it has checked the presence of each of its neighbor devices in the network.
  • the verifier device may execute a function of AbsenceReport (neighbors) , to send one absence message which contains all the absent devices’ identifiers to the node O.
  • the function can encrypt a string “absence” and sus_id p , the current time t with the key dk i , if sus_id doesn’t equal to NULL.
  • Di can send the absence message ab i to the node O.
  • every device can record such sus_id p and add these messages to a periodic attestation result.
  • D i can execute UpdateKey (neighbors) in the report phase 330, to update each of its session key k ij .
  • the device can update its session key with its nonce. For example, when a function Timeout (t) is satisfied, i.e., t ⁇ T lasehb +T hb +T acc , D i can update its session key k ij by using the nonce n i generated by itself.
  • the new session key k ij can be generated as This new session key k ij will be used to encrypt a heartbeat message to be sent to D j in a next heartbeat period, and decrypt a heartbeat message to be received from D j in the next heartbeat period.
  • the node O may send attestation requests attest to all suspicious devices and corresponding verifier device, in order to prevent malicious report.
  • the suspicious devices and corresponding verifier device will do the self-measurements of the software integrity and respond the result.
  • Di may be requested to do the self-measurements of the software integrity and respond with the result. Because the heartbeat message is transmitted over just one hop, network delay can be omitted. Then, the attestation result will show three situations.
  • the node O doesn’t receive D j ’s response and D i shows a healthy result. Then, the node O can delete D j from the network topology and inform all other devices in the network that D j was physically attacked;
  • D j shows a healthy result and D i shows to be compromised. Then the node O can regard the absence message as a false report, then deletes D i ;
  • the node O may further do some repair on these compromised devices.
  • Fig. 4 shows a procedure for distributed attestation in a network according to some embodiments.
  • each device in the network proceeds into a heartbeat phase in a loosely synchronized manner.
  • D i and D j can generate heartbeat messages hb ij and hb ji , respectively, in each heartbeat period at a same time.
  • These heartbeat messages can be sent to corresponding neighbor devices, as shown at 420a and 420b. Accordingly, these heartbeat messages can be received by corresponding neighbor devices as shown at 430a and 430b.
  • each device can check the presence of its neighbor devices through the function VerHeartbeatMsg () and update the session key to be used in a next heartbeat period through the function UpdatePartOfKey () , as described above. Then, each device can report the absence of suspicious devices, as shown at 440a and 440b. Meanwhile, the devices can update their session keys for a next round of heartbeat message transferring with neighbor devices. For example, if D j is suspected of being physically compromised, D i can send a report message ab i to the node O, as shown at 450. The message ab i can be encrypted with a symmetric key dk i of D i . At 460, the node O can decrypt the message ab i with the symmetric key dk i , and send a request of self-measurement to the suspicious device D j and the report device D i .
  • This disclosure introduces an accusation mechanism to ensure a quick response to the suspicious physically attacked devices. Furthermore, by utilizing a distributed attestation mode, where each device is verified by its neighbors, the accusation mechanism can protect against the single point failure and reduce the memory consumption. By utilizing a loosely synchronized clock equipped in every device to trigger the attestation protocol, each device can execute the protocol at the same time. It reduces the run-time to a fixed value. Furthermore, by designing a zero-round identity-based authentication scheme, each device can authenticate others with the session keys, which are changed with heartbeat message sending. It ensures the freshness of every heartbeat message and can quickly disconnect suspicious devices.
  • Fig. 5 shows a simplified block diagram of an apparatus according to an embodiment of the present disclosure.
  • the apparatus 500 can be implemented as a device D i or a module thereof as shown in figures 1 and 4.
  • the apparatus 500 comprises a processor 504, a memory 505, and a transceiver 501 in operative communication with the processor 504.
  • the transceiver 501 comprises at least one transmitter 502 and at least one receiver 503. While only one processor is illustrated in Fig. 5, the processor 504 may comprise a plurality of processors or multi-core processor (s) . Additionally, the processor 504 may also comprise cache to facilitate processing operations. For some same or similar parts which have been described with respect to Figs. 1-4, the description of these parts is omitted here for brevity.
  • Computer-executable instructions can be loaded in the memory 505 and, when executed by the processor 504, cause the apparatus 500 to implement the above-described methods.
  • an aspect of the disclosure can make use of software running on a computing device.
  • Such an implementation might employ, for example, a processor, a memory, and an input/output interface formed, for example, by a display and a keyboard.
  • the term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other forms of processing circuitry. Further, the term “processor” may refer to more than one individual processor.
  • memory is intended to include memory associated with a processor or CPU, such as, for example, random access memory (RAM) , read only memory (ROM) , a fixed memory device (for example, hard drive) , a removable memory device (for example, diskette) , a flash memory and the like.
  • the processor, memory, and input/output interface such as display and keyboard can be interconnected, for example, via bus as part of a data processing unit. Suitable interconnections, for example via bus, can also be provided to a network interface, such as a network card, which can be provided to interface with a computer network, and to a media interface, such as a diskette or CD-ROM drive, which can be provided to interface with media.
  • computer software including instructions or code for performing the methodologies of the disclosure, as described herein, may be stored in associated memory devices (for example, ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (for example, into RAM) and implemented by a CPU.
  • Such software could include, but is not limited to, firmware, resident software, microcode, and the like.
  • aspects of the disclosure may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon.
  • computer readable media may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that may contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Computer program code for carrying out operations for aspects of the disclosure may be written in any combination of at least one programming language, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • each block in the flowchart or block diagrams may represent a module, component, segment, or portion of code, which comprises at least one executable instruction for implementing the specified logical function (s) .
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially simultaneously, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Methods and apparatus are disclosed for attesting physical attacks. A method may comprise: receiving a heartbeat message from a neighbor device at a periodic interval, wherein the heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a key material for updating the session key of the neighbor device for a next interval; and decrypting the received first heartbeat message based at least part on a session key of the first device for the current interval; and determining whether the neighbor device is physically compromised at least based on the heartbeat message. The periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.

Description

METHOD AND APPARATUS FOR ATTESTING PHYSICAL ATTACKS
Field of the Invention
Embodiments of the disclosure generally relate to information technology, and more particularly, to attestation for physical attacks for devices in a network.
Background
Nowadays, Internet of Things (IoT) devices are permeating our environments. They are widely used in industrial control, smart office, health care, military communication and so on. It is forecasted that 20.8 billion connected things will be in use worldwide by 2020. Since these devices always store large amount of private information or control physical equipment, they become an attractive target for adversaries. A compromised device may result in not only privacy disclosure but also the collapse of the entire network in a contagious manner. Therefore, protecting these devices against different kinds of attacks becomes an important security issue.
However, different from other computing devices, IoT devices are often limited in energy, computing capability and memory. Thus, IoT devices usually lack necessary resources to defend against attacks. Thus, researchers propose to use remote attestation to determine whether they have been compromised. Remote attestation usually follows a challenge-response mechanism. It allows a trusted party (also referred to as verifier) to send a challenge to other untrusted and possibly compromised parties (also referred to as prover) . The provers will generate a response according to the challenge and its current operating status. At last, the verifier can determine prover’s status via the response and some previous knowledge.
In order to have little impact on the normal mission of these devices, many light-weight and efficient schemes have been proposed so far. But most current remote attestation schemes consider only software attacks. Physical attacks on provers are generally ruled out. However, it is certain that these devices also suffer from physical attacks, as they are deployed in an open environment. All the physical attacks exploit the devices by real-life contact without network communication. There are many means of physical attacks. The most common physical attack is to extract information from a device by trying to directly access internal components using sophisticated and expensive specialized equipment, such as Focused Ion Beam and micro-probing stations. Recently, another kind of physical attack has also been introduced, where an adversary can tamper with the hardware of a normal device to get a strong ability of storing. Then the device can easily bypass the traditional attestation. It can be seen that those physical attacks will bring greater damage than the software attacks. However, as such attacks do not need to inject new malicious code, the traditional attestation schemes lack the ability to resist such attacks.
Therefore, how to attest physical attacks becomes a security issue that needs to be solved.
Summary
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
According to first aspect of the disclosure, it is provided a method implemented at a first device. Said method may comprise receiving a first heartbeat message from a neighbor device at a periodic interval. The first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval. The method further comprises decrypting the received first heartbeat message based at least part on a session key of the first device for the current interval. The method further comprises determining whether the neighbor device is physically compromised at least based on the first heartbeat message. The periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
In an embodiment, the method may further comprise obtaining the first key material from the decrypted first heartbeat message; and updating the session key of the first device for the next interval based at least part on the first key material.
In an embodiment, the method may further comprise obtaining the session key of the first device for the current interval from a network managing device.
In an embodiment, when no first heartbeat message is received from the neighbor device within the current interval, or the received first heartbeat message is not successfully decrypted, or the decrypted first heartbeat message is not valid, the neighbor device may be determined to be physically compromised.
In an embodiment, if it is determined that the neighbor device is physically compromised, the method may further comprise: sending a report to a network managing device indicating that the neighbor device is suspicious to be physically compromised. The method may further comprise doing a self-measurement of software integrity at the first device; and sending a result of the self-measurement of software integrity to the network managing device.
In an embodiment, the method may further comprise generating and sending a second heartbeat message to the neighbor device at the periodic interval. The second heartbeat message may be encrypted with the session key of the first device for the current interval. The second heartbeat message may comprise a second key material for updating the session key of the first device for the next interval.
In this embodiment, the method may further comprise updating the session key of the first device for the next interval based at least part on the second key material. The receiving of the first heartbeat message may be timed within a period from a start of the current interval, and the sending of the second heartbeat message may be timed within the period from the start of the current interval. The updating of the session key of the first device for the next interval based at least part on the second key material may be executed after the decrypting of the received first heartbeat message, or an expiration of the period from the start of the current interval, whichever occurs earlier. The method may further comprise keeping synchronization between the first device and the neighbor device for the transmission of the first heartbeat message and the second heartbeat message.
In an embodiment, the first heartbeat message may further comprise an identifier of the neighbor device.
In an embodiment, the key material for generating a session key may comprise a nonce.
In an embodiment, both the first device and the neighbor device may be internet of things devices.
According to second aspect of the disclosure, it is provided an apparatus. Said apparatus may comprise at least one processor, at least one memory including computer program code, the memory and the computer program code configured to, working with the at least one processor, cause the apparatus to receive a first heartbeat message from a neighbor device at a periodic interval. The first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval. The apparatus is further caused to decrypt the received first heartbeat message based at least part on a session key of the first device for the current interval, and determine whether the neighbor device is physically compromised at least based on the first heartbeat message. The periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
According to third aspect of the present disclosure, it is provided a computer readable storage medium, on which instructions are stored, when executed by at least one processor, the instructions cause the at least one processor to perform the method according to the first aspect.
According to fourth aspect of the present disclosure, it is provided computer program product comprising instructions which when executed by at least one processor, cause the at least one processor to perform the method according to the first aspect.
These and other objects, features and advantages of the disclosure will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.
Brief Description of the Drawings
Fig. 1 schematically shows a network in which embodiments of the present disclosure can be implemented;
Fig. 2 is a flow chart depicting a method according to an embodiment of the present disclosure;
Fig. 3 is a flow chart depicting a method according to an embodiment of the present disclosure;
Fig. 4 is a diagram depicting a procedure for attesting physical attacks in a network according to some embodiments of the present disclosure; and
Fig. 5 shows a simplified block diagram of an apparatus according to an embodiment of the present disclosure.
Detailed Description
The embodiments of the present disclosure are described in detail with reference to the accompanying drawings. It should be understood that these embodiments are discussed only for the purpose of enabling those skilled persons in the art to better understand and thus implement the present disclosure, rather than suggesting any limitations on the scope of the present disclosure. Reference throughout this specification to features, advantages, or similar language does not imply that all of the features and advantages that may be realized with the present disclosure should be or are in any single embodiment of the disclosure. Rather, language referring to the features and advantages is understood to mean that a specific feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the present disclosure. Furthermore, the described features, advantages, and characteristics of the disclosure may be combined in any suitable manner in one or more embodiments. One skilled in the relevant art will recognize that the disclosure may be practiced without one or more of the specific features or advantages of a particular embodiment. In other instances, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments of the disclosure.
As used herein, the term “network” and “communication network” refers to a wired or wireless network. For example, the wireless network may follow any suitable communication standards, such as new radio (NR) , long term evolution (LTE) , LTE-Advanced, wideband code division multiple access (WCDMA) , high-speed packet access (HSPA) , and so on. Furthermore, the communications among devices in the network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G) , the second generation (2G) , 2.5G, 2.75G, the third generation (3G) , the fourth generation (4G) , 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either now known or to be developed in the future.
As used herein, the terms “first” , “second” and so forth refer to different elements. The singular forms “a” and “an” are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms “comprises” , “comprising” , “has” , “having” , “includes” and/or “including” as used herein, specify the presence of stated features, elements, and/or components and the like, but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof. The term “based on” is to be read as “based at least in part on” . The term “one embodiment” and “an embodiment” are to be read as “at least one embodiment” . The term “another embodiment” is to be read as “at least one other embodiment” . Other definitions, explicit and implicit, may be included below.
As described above, most of the traditional attestations just focus on the software attacks. Physical attacks on provers are generally ruled out. However, physical attacks must be considered. The physical attacks possess a characteristic different from software attacks. It is that they must take these devices offline for a certain time to do some physical operation. Based on this characteristic, some schemes can be proposed to detect physical attacks by heartbeat message.
For example, in an attestation scheme, a light-weight protocol is proposed to take advantage of absence detection to identify suspected devices. Each device periodically emits a heartbeat message that needs to be received, verified and logged by every other device in the network. However, it has several shortcomings. Firstly, the number of sent messages per heartbeat period is O(n²), where n is the total number of devices in the network. This will cause a larger amount of energy consumption and longer run time in a large network. Secondly, each device needs to record all heartbeat messages of others, which increases the consumption of memory space.
In another attestation scheme, a same hash value generated by a leader device is used as the heartbeat message. Each device having two correct heartbeat messages would be regarded as a physically healthy one. It reduces the communication complexity from O(n²) in DARPA to O(n). However, because it uses the same heartbeat message generated by the leader device, it may suffer from a collusion attack, where a compromised device can ask for the newest heartbeat messages from another device to bypass the attestation. Moreover, the current heartbeat message relies on the leader device; whenever the leader device is compromised, it will cause the so-called single point of failure problem. Thus more time and energy must be spent to select a new leader.
Existing attestation schemes resilient to physical attacks further have a lot of problems in security and efficiency. In general, the problems lie in the following four aspects. Firstly, existing attestation schemes lack a quick response to the potentially compromised devices. Specific compromised devices can only be known after a periodic attestation. When one compromised device comes back during such a periodic interval, it can execute other attacks more easily and quickly. It poses a serious security hole. Secondly, the existing attestation schemes may occupy too much memory or suffer from single point failure. The existing attestation schemes either let each device record all heartbeat messages, which wastes too much memory, or let each device just record the heartbeat message from the leader device, which may cause single point failure. However, IoT devices are limited in memory and single point failure will cause a great security problem.
Thirdly, the existing attestation schemes may bring relatively high communication overhead of a heartbeat protocol. The run-time will increase with the number of devices in the network, which may cause great time consumption in a large network. Fourthly, the existing attestation schemes mostly authenticate other devices via verifying the signatures or a challenge-response mode. It will cause much time wasting.
This disclosure presents an efficient attestation scheme for devices that is resilient to physical attacks. As described above, physical attacks on any device in the network will require taking the device offline for a certain time. Based on this characteristic, an attestation scheme is designed, in which heartbeat messages are generated and transmitted between verifier and prover in a periodic interval smaller than the minimum time an adversary needs to physically attack one device. Every device can serve as both verifier and prover. In embodiments of this disclosure, neighbor devices are utilized to serve as verifiers to attest the prover.
Figure 1 shows a network in which embodiments of the present disclosure can be implemented. D 1, D 2, …, D 7 are devices in the network, such as IoT devices. These devices can communicate with each other through the communication links as shown in figure 1. Each device in the network can serve as a verifier to verify the presence of its neighbor devices. Meanwhile, each device in the network can serve as a prover to be verified by its neighbor devices. For example, as shown in figure 1, D 1 is connected with D 2, D 4 and D 5 with a one-hop communication link, and thus D 2, D 4 and D 5 are neighbor devices of D 1. D 1 can be configured to receive heartbeat messages sent from D 2, D 4 and D 5 periodically, and verify whether D 2, D 4 and D 5 are compromised by a physical attack. D 1 can be further configured to send heartbeat messages to D 2, D 4 and D 5 periodically, so that D 2, D 4 and D 5 can receive heartbeat messages from D 1 to verify whether D 1 is compromised by a physical attack.
Although there are seven devices illustrated in figure 1, it should be understood that the network may comprise more or less devices. In practice, in a network, there may be at least three neighbor devices for each device.
The network can further comprise a device for network managing and operating, as depicted by the node O in figure 1. In some embodiments, this device may be a device of the network’s owner. In some other embodiments, this device may be a leader device among the IoT devices. The node O can be configured to manage the devices in the network. In some embodiments, the node O can be configured to receive reports of the attestation of physical attacks from devices in the network. Figure 1 shows an exemplary scenario where D 2 is the device that is physically attacked. Its neighbor devices D 1 and D 4 may detect an absence of D 2, and then report absence messages to the node O.
Each device in the network can be provided with a write-protected real-time clock, so that each device can execute the attestation periodically in a synchronized manner. These clocks may be loosely synchronized with one clock, such as the clock of the node O, O’s clock. In this regard, there may be a small clock skew between clocks of two devices. For example, Δt represents a maximum clock skew between any two devices in the network.
Figure 2 illustrates a flow chart depicting a procedure executed by a first device for attesting physical attacks according to an embodiment of the present disclosure. At block 210, the first device can receive a heartbeat message from a neighbor device at a periodic interval. This periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device. The heartbeat message is encrypted with a session key of the neighbor device for a current interval. In this regard, the session key may be updated for each interval of heartbeat message transmission between the neighbor device and the first device. The heartbeat message comprises key materials for updating the session key for a next interval.
At block 220, the first device can decrypt the received heartbeat message based at least part on the session key of the first device for the current interval. The session key for the current interval may be allotted by a network managing device, such as node O shown in figure 1. For example, an initial session key may be allotted when the first device or the neighbor device enters the network. As the attestation is executed periodically, heartbeat messages are transmitted periodically. The heartbeat message transmitted in a last interval may comprise key materials for updating the session key for a current interval. Thus, the session key for the current interval may be derived from a last heartbeat message received from the neighbor device in the last interval.
At block 230, the first device can determine whether the neighbor device is physically compromised based on the heartbeat message. In this regard, if no heartbeat message is received or correctly received from the neighbor device within the current interval, it can be determined that the neighbor device is physically compromised. For example, if the heartbeat message is not successfully decrypted, or the decrypted heartbeat message is not valid, it can be determined that the neighbor device is physically compromised.
At block 240, if it is determined that a neighbor device is physically compromised, the first device can send a report to a network managing device, such as the node O in figure 1, indicating that the neighbor device is suspected of being physically compromised. At block 250, the first device can further perform a self-measurement of software integrity, and send a result of the self-measurement to the network managing device. The self-measurement can be utilized to avoid false reports. In some embodiments, the self-measurement can be triggered in response to a request from the network managing device.
If the heartbeat message is correctly received, it can be determined that the neighbor device is healthy up to the current interval. Then, the first device can obtain the key materials from the decrypted heartbeat message, and partly update the session key of the neighbor device for a next interval based at least in part on the key material. Then, the first device can wait to receive a next heartbeat message in the next interval.
Meanwhile, the first device can serve as a prover. As shown at block 260, the first device can generate a heartbeat message and send it to its neighbor device at a periodic interval. This periodic interval is set to be smaller than a minimum time of a physical attack on the first device. This periodic interval is set to be the same as the periodic interval of the heartbeat message of the neighbor device. Preferably, the first device can be synchronized with its neighbor device, so that they transmit heartbeat messages at essentially the same time. Further, all devices in the network can use the same periodic interval for transmitting heartbeat messages and executing the attestation for physical attack. This heartbeat message is encrypted with a session key of the first device for a current interval, and comprises a key material for updating the session key of the first device for a next interval.
As described above, each device will change its session key in each interval as it sends its heartbeat message. The first device may update its session key for the next interval based at least in part on the key material after the decryption of the heartbeat message received from its neighbor device for the current interval. For example, the first device may update its session key when generating the heartbeat message for the next interval.
By virtue of the heartbeat message sent from the first device, its neighbor device can verify whether the first device is physically compromised, in a similar way as discussed with respect to blocks 210 to 250.
There are several differences between the schemes of this disclosure and prior art. Firstly, the schemes of the disclosure introduce an accusation mechanism. In the existing schemes, the network owner can only learn of such compromised devices after a periodic attestation. However, a physically compromised device coming back to the network during the attestation period may easily bypass such attestation, because such devices have better computing capabilities. In the accusation mechanism of the schemes of the disclosure, the attestation is executed at a periodic interval smaller than a minimum time of a physical attack. The network owner can learn of the physically compromised devices as early as possible.
Secondly, the schemes of the disclosure introduce a distributed attestation mode. The current attestation models either make each device record all heartbeat messages, which causes a large waste of memory, or let one device spread heartbeat messages to many others, which creates a single point of failure. The schemes of the disclosure adopt the distributed attestation model, in an IoT network, for example. The neighbor devices are utilized to attest the prover, which reduces the waste of memory and also prevents a single point of failure.
Thirdly, the schemes of the disclosure can utilize a loosely synchronized clock, so that each device can execute the attestation at the same time. The execution time for attestation of the whole network will only be affected by the number of neighbor devices. In contrast, in current attestation schemes for physical attacks, some devices must wait for events coming from other devices to trigger their corresponding events. This may cause great time consumption in larger networks.
Fourthly, the schemes of the disclosure introduce a zero-round authentication method. In each attestation round in an interval, only one heartbeat message needs to be transferred from a prover to a verifier. Current attestation schemes usually follow the challenge-response mechanism, which causes extra energy and time consumption in communication. Meanwhile, the schemes of the disclosure utilize a session key to authenticate one device, and the session key changes each time a heartbeat message is sent. This is also an advantage in preventing impersonation attacks.
Now reference is made to figure 3, which shows a flow chart depicting an exemplary attestation procedure in a device according to an embodiment of the present disclosure. In this embodiment, the attestation procedure for physical attacks can be executed at different time points. As shown in figure 3, the procedure can be divided into four phases, comprising an Offline phase 310, a Heartbeat phase 320, a Report phase 330 and a Check phase 340.
In an offline phase 310, devices can be configured or initialized with initial parameters. In an embodiment, in an offline phase, a device (denoted as D i) may be deployed into a network (as shown in figure 1), for example, by the owner of the network. Before the deployment, it can be assumed that all devices are in a healthy state. Before a device D i joins the network, the owner (e.g. the node O in figure 1) may allot a symmetric key dk i, an asymmetric key pair (pk i, sk i) and a distinct identifier id i to the device D i. Then, the device D i can join the network, i.e., the new device establishes connections to all neighbor nodes. The owner’s node O may inform all its neighbors about the identifier id i of the new device D i, and inform the new device D i of its neighbors’ identifiers. Meanwhile, the owner’s node O may allot a session key to each pair of neighboring devices for data transmission between the pair of neighboring devices. The session key is a symmetric key. For example, k ij can be used to represent the session key held in D i for the data transmission between D i and D j, while k ji can be used to represent the session key held in D j for data transmission between D i and D j. Both of the neighboring devices D i and D j can obtain the pair of session keys (k ij, k ji). Although different symbols are used to represent the session key in different devices, the session key between a pair of neighboring devices has the same value, because the session key is a symmetric key used for symmetric encryption: only when k ij=k ji can D i and D j decrypt the messages sent by each other. In some embodiments, every device may record a value D i_present for each of its neighbor devices D i, which indicates the presence of neighbor device D i. For example, when the new device D i joins the network, its neighbor device D j may set a value D i_present to indicate that the device D i is in a healthy state.
Taking the network of figure 1 as an example, it is assumed that D 2 is a new device to be deployed in the network. When D 2 joins the network and is connected to devices D 1 and D 4, the node O may inform D 1 and D 4 of D 2’s identifier id 2, and inform D 2 of D 1’s identifier id 1 and D 4’s identifier id 4. Meanwhile, the node O may allot a pair of initial session keys (k 12, k 21) to the neighboring devices D 1 and D 2, and allot a pair of initial session keys (k 42, k 24) to the neighboring devices D 4 and D 2. Initially, k 12=k 21 and k 42=k 24. Furthermore, D 1 and D 4 may set a value D 2_present =1 to indicate that the device D 2 is in a healthy state. Meanwhile, D 2 may set a value D 1_present =1 and a value D 4_present =1 to indicate that the devices D 1 and D 4 are in a healthy state, respectively.
After the initialization, the device D 2 can enter a heartbeat phase 320. In this phase, devices in the network can serve as verifiers and provers by distributing heartbeat messages between neighbor devices. In this regard, each device periodically sends a message (called heartbeat) to its neighbor devices. The periodic interval is T hb, with T hb<T cap, where T cap denotes the minimum time an adversary needs to physically attack one device. Neighbor devices can claim that a device that is offline for more than T hb+Δt is physically compromised.
This phase can be described by virtue of a three-tuple of algorithms (GenHeartbeatMsg, VerHeartbeatMsg, UpdatePartOfKey). In some embodiments, the heartbeat phase can be timed within a period from a start of every periodic heartbeat interval. The period can extend from a start of an interval until a maximum time needed for heartbeat message transmission has expired. As shown at block 321, when the current time t satisfies a function TimeStart (t), i.e., T lasthb+T hb+T acc ≥ t ≥ T lasthb+T hb, every device executes these algorithms for neighbor devices. Before the execution, a device can set D i_present = 0 for each neighbor D i. T lasthb represents a last execution time of attestation. For example, it can be a start time for the last heartbeat phase in the last periodic heartbeat interval. T acc represents a maximum time needed for transmission of a heartbeat message. Since the heartbeat message is transferred between neighbor devices, T acc can be very small. Obviously, T acc is smaller than T hb.
When the current time t satisfies a function TimeStart (t), a device D i can be triggered to execute GenHeartbeatMsg (neighbors) to generate a heartbeat message for each of its neighbor devices D j, as shown in block 322. In an example, D i can randomly choose a nonce n i. For each neighbor device D j, D i can encrypt its id i and n i with the session key k ij. The generated heartbeat message can be denoted as hb ij = Enc (k ij, (id i || n i)). Then, D i sends its heartbeat message hb ij to each neighbor device D j, as shown at block 323.
Similarly, when the current time t satisfies a function TimeStart (t), a device D j can be triggered to execute GenHeartbeatMsg (neighbors) to generate a heartbeat message for each of its neighbor devices D i. The generated heartbeat message can be denoted as hb ji = Enc (k ji, (id j || n j)). Then device D j can send the heartbeat message hb ji to its neighbor device D i.
Meanwhile, when the current time t satisfies a function TimeStart (t), the device D i can be triggered to execute VerHeartbeatMsg (hb ji) to verify whether its neighbor device D j is physically compromised. As shown at block 324, the device D i can receive the heartbeat message hb ji from its neighbor device D j. Whenever D i receives a heartbeat message hb ji from device D j, it can set D j_present = VerHeartbeatMsg (hb ji).
In VerHeartbeatMsg (hb ji) , as shown at block 325, the device D i can try to decrypt hb ji using its session key k ij. If the message hb ji is decrypted successfully, then the device D i can check whether the decrypted message hb ji is valid. For example, it can check the id j. If the id j in the message hb ji is equal to the identifier of D j, it can be determined that the heartbeat message was valid. Accordingly, a result value of VerHeartbeatMsg (hb ji) can be output, as VerHeartbeatMsg (hb ji) =1. Otherwise, if the decrypted message hb ji is not valid, the device D i can discard the heartbeat message hb ji and output a result value VerHeartbeatMsg (hb ji) = 0.
If VerHeartbeatMsg (hb ji) =1, it means that the neighbor device D j is not physically compromised. Then, as shown at block 327, the device D i can execute UpdatePartOfKey (k ij, hb ji), to partly update its session key k ij. In this regard, the device D i can extract the nonce n j from hb ji, and update the session key k ij based at least in part on the extracted nonce, for example by
Figure PCTCN2018111407-appb-000001
As shown by the arrow from block 327 to block 321, the device D i can wait for the next heartbeat period at block 321.
It is assumed that each healthy neighbor device will also update its session key based at least in part on the nonce sent to its neighbor. In this embodiment, the device D i can execute UpdateKey (neighbors), to further update each of its session keys k ij, for example by using its nonce n i through
Figure PCTCN2018111407-appb-000002
As k ij has been partly updated with UpdatePartOfKey (k ij, hb ji) , the relation between the session key of the current interval and the session key of the next interval can be defined as: 
Figure PCTCN2018111407-appb-000003
Correspondingly, the neighbor device D j can also execute UpdatePartOfKey (k ji, hb ij) by using the nonce n i in the heartbeat message from D i, and execute UpdateKey (neighbors) by using its own nonce n j, to update its session key k ji, so that its new session key of the next interval can be defined as: 
Figure PCTCN2018111407-appb-000004
As such, D i and D j can hold the same symmetric key at each interval, provided they are healthy.
The nonce n j can be generated by D j itself, for example when it generates the heartbeat message hb ji for the current heartbeat period. Alternatively, the nonce n j can be generated after a VerHeartbeatMsg (hb ji) of the last heartbeat period has been executed. The updated session key from UpdateKey (neighbors) will be used to encrypt and decrypt a next heartbeat message to be transferred between D i and D j in a next heartbeat interval. In some embodiments, a session key update with UpdateKey (neighbors) can be executed after the device has received all healthy neighbors’ heartbeat messages.
As such, the devices can use the session key to identify each other, since the session key changes each time a heartbeat message is sent. A device that was absent during the last heartbeat period will have a different session key from its neighbors. For example, when D j was physically attacked, D j was offline during the last interval. Then, it cannot get the heartbeat message from D i. D j can update the session key k ji only once for the current heartbeat interval. Then, the two devices can’t communicate with each other. The session key k ji will never be the same as the session key k ij. Being unable to correctly decrypt with its session key k ij a heartbeat message hb ji which is encrypted with session key k ji, D i can determine that D j is suspected of being physically attacked. Without receiving a correct heartbeat message from D j, D i cannot derive the new session key for a next heartbeat period. Then, the two devices can’t communicate with each other. In another example, when D j was physically attacked, D j cannot send a heartbeat message to D i or cannot send a correct heartbeat message to D i. None of its neighbors can receive its heartbeat message, so D j has different session keys from all of its neighbors. So D j cannot decrypt any heartbeat message in the network.
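The heartbeat phase and the key desynchronization described above, as an added example that is not part of the patent text. The key-update formulas on this page survive only as figure references, so the update step used here (XOR with SHA-256 of the nonce, chosen because the two update steps then commute) is an assumption, `enc`/`dec` are a standard-library stand-in for Enc, and the identifiers `id_i`/`id_j`, the field sizes and the `receive`/`simulate` helpers are constructed for illustration.

```python
import hashlib
import hmac
import os

ID_LEN, NONCE_LEN, IV_LEN, TAG_LEN = 4, 16, 16, 32   # constructed sizes


def _subkey(key, label):
    return hashlib.sha256(label + key).digest()


def _stream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + c.to_bytes(4, "big")).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key, msg):
    """Stand-in for Enc(k, m): SHA-256 keystream plus HMAC tag (not a vetted AEAD)."""
    iv = os.urandom(IV_LEN)
    ct = _xor(msg, _stream(_subkey(key, b"enc"), iv, len(msg)))
    return iv + ct + hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()


def dec(key, blob):
    """Return the plaintext, or None when the tag fails, i.e. the keys differ."""
    if len(blob) < IV_LEN + TAG_LEN:
        return None
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return _xor(ct, _stream(_subkey(key, b"enc"), iv, len(ct)))


def mix(key, nonce):
    """Assumed key-update step: k XOR SHA-256(nonce). XOR lets both orders agree."""
    return _xor(key, hashlib.sha256(nonce).digest())


class Device:
    def __init__(self, dev_id, session_keys):
        self.id = dev_id
        self.keys = dict(session_keys)   # neighbor id -> session key (k_ij)
        self.present = {}                # neighbor id -> D_j_present
        self.nonce = b""

    def gen_heartbeat_msg(self):
        """GenHeartbeatMsg: reset presence, pick n_i, build hb_ij for each neighbor."""
        self.nonce = os.urandom(NONCE_LEN)
        self.present = {j: 0 for j in self.keys}
        return {j: enc(k, self.id + self.nonce) for j, k in self.keys.items()}

    def receive(self, j, hb):
        """VerHeartbeatMsg, then UpdatePartOfKey with the neighbor's nonce on success."""
        pt = dec(self.keys[j], hb)
        ok = pt is not None and len(pt) == ID_LEN + NONCE_LEN and pt[:ID_LEN] == j
        if ok:
            self.keys[j] = mix(self.keys[j], pt[ID_LEN:])
        self.present[j] = int(ok)
        return int(ok)

    def update_key(self):
        """UpdateKey at Timeout(t): mix in the own nonce; return the sus_id list."""
        self.keys = {j: mix(k, self.nonce) for j, k in self.keys.items()}
        return [j for j, seen in self.present.items() if seen == 0]


def simulate(offline_round, rounds=4):
    """Per round, return (sus_id reported by D_i, whether k_ij == k_ji afterwards)."""
    k0 = os.urandom(32)                       # initial session key from node O
    d_i = Device(b"id_i", {b"id_j": k0})
    d_j = Device(b"id_j", {b"id_i": k0})
    log = []
    for r in range(rounds):
        hb_i = d_i.gen_heartbeat_msg()
        if r != offline_round:                # an absent D_j runs nothing this round
            hb_j = d_j.gen_heartbeat_msg()
            d_j.receive(d_i.id, hb_i[d_j.id])
            d_i.receive(d_j.id, hb_j[d_i.id])
            d_j.update_key()
        sus_id = d_i.update_key()
        log.append((sus_id, d_i.keys[d_j.id] == d_j.keys[d_i.id]))
    return log


if __name__ == "__main__":
    for rnd, (sus, same) in enumerate(simulate(offline_round=1)):
        print(rnd, sus, "keys match" if same else "keys diverged")
```

A single missed interval is enough: D j's heartbeats keep failing verification in every later round even though it is back online, which is the behaviour the report phase relies on.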
If VerHeartbeatMsg (hb ji) =0, it means that the neighbor device D j is suspected of being physically compromised. Then, the device D i can proceed to a report phase 330 to report one absence message to the network owner (such as node O). In an embodiment, the device D i can proceed to the report phase 330 after it has checked the presence of each of its neighbor devices in the network.
In an embodiment, when a function Timeout (t) is satisfied, i.e., t ≥ T lasthb+T hb+T acc, every device may be triggered to check all its neighbors’ presence via the value of D i_present. If no valid heartbeat message is received from one neighbor D j, then from D i’s perspective, D j is absent, i.e., D j_present = 0. The verifier device may execute a function AbsenceReport (neighbors), to send to the node O one absence message which contains all the absent devices’ identifiers.
For example, the function AbsenceReport (neighbors) executed in D i can firstly initialize a bit string sus_id p = NULL, which contains the identifiers of the devices that are suspected of being physically compromised in the p th heartbeat period. For each neighbor D j, the function can check the value of D j_present. The function can set sus_id p = sus_id p || id j, if the value of D j_present equals 0. Otherwise, if the value of D j_present equals 1, the function will skip to check a next neighbor device. Finally, the function can encrypt a string “absence”, the current time t and sus_id p with the key dk i, if sus_id p doesn’t equal NULL. The final absence message can be defined as ab i = Enc (dk i, (“absence” || t || sus_id p)). Then, D i can send the absence message ab i to the node O. To prevent absence messages from being intercepted, every device can record such sus_id p and add these messages to a periodic attestation result.
In some embodiments, D i can execute UpdateKey (neighbors) in the report phase 330, to update each of its session keys k ij. When the period for the heartbeat phase has expired, or when the heartbeat messages from the neighbor devices are received and decrypted, whichever occurs earlier, the device can update its session key with its nonce. For example, when a function Timeout (t) is satisfied, i.e., t ≥ T lasthb+T hb+T acc, D i can update its session key k ij by using the nonce n i generated by itself. For example, the new session key k ij can be generated as
Figure PCTCN2018111407-appb-000005
This new session key k ij will be used to encrypt a heartbeat message to be sent to D j in a next heartbeat period, and decrypt a heartbeat message to be received from D j in the next heartbeat period.
In response to the report of absence messages, the node O may send attestation requests attest to all suspicious devices and the corresponding verifier devices, in order to prevent malicious reports. In response to the attestation requests, the suspicious devices and the corresponding verifier devices will perform self-measurements of the software integrity and respond with the result.
For example, if the node O received an absence message from D i, which accuses D j of being a suspicious device, then both D i and D j may be requested to perform self-measurements of the software integrity and respond with the result. Because the heartbeat message is transmitted over just one hop, network delay can be omitted. Then, the attestation result will show one of three situations.
1) The node O doesn’t receive D j’s response and D i shows a healthy result. Then, the node O can delete D j from the network topology and inform all other devices in the network that D j was physically attacked;
2) D j shows a healthy result and D i shows to be compromised. Then the node O can regard the absence message as a false report, and delete D i;
3) Both D i and D j show compromised results. Then the node O can delete D i and D j.
In some embodiments, the node O may further do some repair on these compromised devices.
Fig. 4 shows a procedure for distributed attestation in a network according to some embodiments. At 410a and 410b, each device in the network proceeds into a heartbeat phase in a loosely synchronized manner. D i and D j can generate heartbeat messages hb ij and hb ji, respectively, in each heartbeat period at the same time. These heartbeat messages can be sent to corresponding neighbor devices, as shown at 420a and 420b. Accordingly, these heartbeat messages can be received by corresponding neighbor devices as shown at 430a and 430b. In 430a and 430b, each device can check the presence of its neighbor devices through the function VerHeartbeatMsg () and update the session key to be used in a next heartbeat period through the function UpdatePartOfKey (), as described above. Then, each device can report the absence of suspicious devices, as shown at 440a and 440b. Meanwhile, each device can update its session key for a next round of heartbeat message transfer with neighbor devices. For example, if D j is suspected of being physically compromised, D i can send a report message ab i to the node O, as shown at 450. The message ab i can be encrypted with a symmetric key dk i of D i. At 460, the node O can decrypt the message ab i with the symmetric key dk i, and send a request for self-measurement to the suspicious device D j and the reporting device D i.
This disclosure introduces an accusation mechanism to ensure a quick response to devices suspected of being physically attacked. Furthermore, by utilizing a distributed attestation mode, where each device is verified by its neighbors, the accusation mechanism can protect against a single point of failure and reduce the memory consumption. By utilizing a loosely synchronized clock equipped in every device to trigger the attestation protocol, each device can execute the protocol at the same time. This reduces the run-time to a fixed value. Furthermore, by designing a zero-round identity-based authentication scheme, each device can authenticate others with the session keys, which change each time a heartbeat message is sent. This ensures the freshness of every heartbeat message and can quickly disconnect suspicious devices.
Fig. 5 shows a simplified block diagram of an apparatus according to an embodiment of the present disclosure. The apparatus 500 can be implemented as a device D i or a module thereof as shown in figures 1 and 4. As shown in Fig. 5, the apparatus 500 comprises a processor 504, a memory 505, and a transceiver 501 in operative communication with the processor 504. The transceiver 501 comprises at least one transmitter 502 and at least one receiver 503. While only one processor is illustrated in Fig. 5, the processor 504 may comprise a plurality of processors or multi-core processor(s). Additionally, the processor 504 may also comprise cache to facilitate processing operations. For some same or similar parts which have been described with respect to Figs. 1-4, the description of these parts is omitted here for brevity.
Computer-executable instructions can be loaded in the memory 505 and, when executed by the processor 504, cause the apparatus 500 to implement the above-described methods.
Additionally, an aspect of the disclosure can make use of software running on a computing device. Such an implementation might employ, for example, a processor, a memory, and an input/output interface formed, for example, by a display and a keyboard. The term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU (central processing unit) and/or other forms of processing circuitry. Further, the term “processor” may refer to more than one individual processor. The term “memory” is intended to include memory associated with a processor or CPU, such as, for example, random access memory (RAM) , read only memory (ROM) , a fixed memory device (for example, hard drive) , a removable memory device (for example, diskette) , a flash memory and the like. The processor, memory, and input/output interface such as display and keyboard can be interconnected, for example, via bus as part of a data processing unit. Suitable interconnections, for example via bus, can also be provided to a network interface, such as a network card, which can be provided to interface with a computer network, and to a media interface, such as a diskette or CD-ROM drive, which can be provided to interface with media.
Accordingly, computer software including instructions or code for performing the methodologies of the disclosure, as described herein, may be stored in associated memory devices (for example, ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (for example, into RAM) and implemented by a CPU. Such software could include, but is not limited to, firmware, resident software, microcode, and the like.
As noted, aspects of the disclosure may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon. Also, any combination of computer readable media may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a RAM, ROM, an erasable programmable read-only memory (EPROM or Flash memory) , an optical fiber, a portable compact disc read-only memory (CD-ROM) , an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that may contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Computer program code for carrying out operations for aspects of the disclosure may be written in any combination of at least one programming language, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, component, segment, or portion of code, which comprises at least one executable instruction for implementing the specified logical function (s) . It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially simultaneously, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In any case, it should be understood that the components illustrated in this disclosure may be implemented in various forms of hardware, software, or combinations thereof, for example, application specific integrated circuit (s) (ASICS) , functional circuitry, an appropriately programmed general purpose digital computer with associated memory, and the like. Given the teachings of the disclosure provided herein, one of ordinary skill in the related art will be able to contemplate other implementations of the components of the disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a, ” “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments. It will be further understood that the terms “comprises” , “containing” and/or “comprising, ” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of another feature, integer, step, operation, element, component, and/or group thereof.
The descriptions of the various embodiments have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments.

Claims (27)

  1. A method implemented at a first device, comprising:
    receiving a first heartbeat message from a neighbor device at a periodic interval, wherein the first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval; and
    decrypting the received first heartbeat message based at least part on a session key of the first device for the current interval; and
    determining whether the neighbor device is physically compromised at least based on the first heartbeat message,
    wherein the periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
  2. The method according to claim 1, further comprising:
    obtaining the first key materials from the decrypted first heartbeat message; and
    updating the session key of the first device for the next interval based at least part on the first key material.
  3. The method according to claim 1, further comprising:
    obtaining the session key of the first device for the current interval from a network managing device.
  4. The method according to claim 1, wherein determining whether the neighbor device is physically compromised comprises,
    determining that the neighbor device is physically compromised, under any one of the following conditions,
    no first heartbeat message is received from the neighbor device within the current interval,
    the received first heartbeat message is not successfully decrypted, and
    the decrypted first heartbeat message is not valid.
  5. The method according to claim 4, wherein if it is determined that the neighbor device is physically compromised, the method further comprises:
    sending a report to a network managing device indicating that the neighbor device is suspicious to be physically compromised.
  6. The method according to claim 5, further comprising:
    doing a self-measurement of software integrity at the first device; and
    sending a result of the self-measurement to the network managing device.
  7. The method according to claim 1, further comprising:
    generating and sending a second heartbeat message to the neighbor device at the periodic interval,
    wherein the second heartbeat message is encrypted with the session key of the first device for the current interval, and
    wherein the second heartbeat message comprises a second key material for updating the session key of the first device for the next interval.
  8. The method according to claim 7, further comprising:
    updating the session key of the first device for the next interval based at least part on the second key material.
  9. The method according to claim 8, wherein the receiving of the first heartbeat message is timed within a period from a start of the current interval, and the sending of the second heartbeat message is timed within the period from the start of the current interval.
  10. The method according to claim 9, wherein updating the session key of the first device for the next interval based at least part on the second key material is executed after decrypting the received first heartbeat message, or an expiration of the period from the start of the current interval, whichever occurs earlier.
  11. The method according to any one of claims 7-10, further comprising: keeping synchronization between the first device and the neighbor device for the transmission of the first heartbeat message and the second heartbeat message.
  12. The method according to any one of the preceding claims, wherein the first heartbeat message further comprises an identifier of the neighbor device.
  13. The method according to any one of the preceding claims, wherein the key material for generating a session key comprises a nonce.
  14. The method according to any one of the preceding claims, wherein both the first device and the neighbor device are internet of things devices.
  15. An apparatus at a first device, comprising:
    at least one processor;
    at least one memory including computer program code, the memory and the computer program code configured to, working with the at least one processor, cause the apparatus to:
    receive a first heartbeat message from a neighbor device at a periodic interval, wherein the first heartbeat message is encrypted with a session key of the neighbor device for a current interval, and comprises a first key material for updating the session key of the neighbor device for a next interval; and
    decrypt the received first heartbeat message based at least in part on a session key of the first device for the current interval; and
    determine whether the neighbor device is physically compromised at least based on the first heartbeat message,
    wherein the periodic interval is set to be smaller than a minimum time of a physical attack on the neighbor device.
  16. The apparatus according to claim 15, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    obtain the first key material from the decrypted first heartbeat message; and
    update the session key of the first device for the next interval based at least in part on the first key material.
  17. The apparatus according to claim 15, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    obtain the session key of the first device for the current interval from a network managing device.
  18. The apparatus according to claim 15, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    determine that the neighbor device is physically compromised, under any one of the following conditions,
    no first heartbeat message is received from the neighbor device within the current interval,
    the received first heartbeat message is not successfully decrypted, and
    the decrypted first heartbeat message is not valid.
  19. The apparatus according to claim 18, wherein if it is determined that the neighbor device is physically compromised, the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    send a report to a network managing device indicating that the neighbor device is suspected to be physically compromised.
  20. The apparatus according to claim 19, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    do a self-measurement of software integrity at the first device; and
    send a result of the self-measurement to the network managing device.
  21. The apparatus according to claim 15, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    generate and send a second heartbeat message to the neighbor device at the periodic interval,
    wherein the second heartbeat message is encrypted with the session key of the first device for a current interval, and
    wherein the second heartbeat message comprises a second key material for updating the session key of the first device for a next interval.
  22. The apparatus according to claim 21, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to:
    update the session key of the first device for the next interval based at least in part on the second key material.
  23. The apparatus according to claim 22, wherein the receiving of the first heartbeat message is timed within a period from a start of the current interval, and the sending of the second heartbeat message is timed within the period from the start of the current interval.
  24. The apparatus according to claim 23, wherein the updating of the session key of the first device for the next interval based at least in part on the second key material is executed after the decrypting of the received first heartbeat message, or an expiration of the period from the start of the current interval, whichever occurs earlier.
  25. The apparatus according to any one of claims 21-24, wherein the memory and the computer program code are configured to, working with the at least one processor, further cause the apparatus to keep synchronization between the first device and the neighbor device for the transmission of the first heartbeat message and the second heartbeat message.
  26. A computer readable storage medium, on which instructions are stored, when executed by at least one processor, the instructions cause the at least one processor to perform the method according to any one of claims 1 to 14.
  27. A computer program product comprising instructions which when executed by at least one processor, cause the at least one processor to perform the method according to any one of claims 1 to 14.
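The receiver-side check of claims 15 to 18, with the identifier of claim 12 and the nonce of claim 13, as an added Python sketch that is not part of the patent text. Assumptions not taken from the claims: the payload layout, the interval counter used as the validity test, the HMAC-based key update in `next_key`, and the HMAC keystream-plus-tag construction standing in for a real authenticated cipher; device names and keys are constructed.

```python
import hashlib
import hmac
import os

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, iv, data):
    ks = b"".join(_prf(key, b"enc", iv + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, pt):
    # Stand-in authenticated encryption (HMAC keystream + tag); use a vetted AEAD in practice.
    iv = os.urandom(16)
    ct = _xor_stream(key, iv, pt)
    return iv + ct + _prf(key, b"mac", iv + ct)

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(key, b"mac", iv + ct)):
        return None
    return _xor_stream(key, iv, ct)

def make_heartbeat(key, sender_id, interval, nonce):
    # Assumed payload layout: 4-byte sender id | 4-byte interval counter | 16-byte nonce.
    return seal(key, sender_id + interval.to_bytes(4, "big") + nonce)

def check_heartbeat(key, blob, neighbor_id, interval):
    """Receiver-side test; returns (verdict, neighbor_nonce)."""
    if blob is None:                    # no heartbeat arrived within the interval
        return "missing", None
    pt = unseal(key, blob)
    if pt is None:                      # stale or wrong session key, or tampering
        return "undecryptable", None
    if len(pt) != 24 or pt[:4] != neighbor_id or pt[4:8] != interval.to_bytes(4, "big"):
        return "invalid", None
    return "ok", pt[8:]

def next_key(key, nonce_a, nonce_b):
    # Assumed update rule: both nonces feed the next interval's key, order-independent.
    return _prf(key, b"next", b"".join(sorted((nonce_a, nonce_b))))

def demo():
    k0, na, nb = bytes(32), os.urandom(16), os.urandom(16)   # constructed key and nonces
    hb0 = make_heartbeat(k0, b"DEVB", 0, nb)
    verdict0, got_nb = check_heartbeat(k0, hb0, b"DEVB", 0)
    k1 = next_key(k0, na, got_nb)        # device A rolls its key after interval 0
    stale = make_heartbeat(k0, b"DEVB", 1, os.urandom(16))   # sender never learned k1
    wrong_id = make_heartbeat(k1, b"DEVC", 1, os.urandom(16))
    return [verdict0] + [check_heartbeat(k1, m, b"DEVB", 1)[0] for m in (stale, hb0, None, wrong_id)]
```

Any verdict other than "ok" corresponds to one of the three conditions of claim 18 and would trigger the report of claim 19; a heartbeat replayed from interval 0 fails decryption in interval 1 because the session key has already been rolled.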
PCT/CN2018/111407 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks WO2020082228A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US17/287,405 US20220021690A1 (en) 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks
CN201880098928.4A CN112889239A (en) 2018-10-23 2018-10-23 Method and apparatus for validating physical attacks
PCT/CN2018/111407 WO2020082228A1 (en) 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks
EP18937799.7A EP3871364A4 (en) 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/111407 WO2020082228A1 (en) 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks

Publications (1)

Publication Number Publication Date
WO2020082228A1 true WO2020082228A1 (en) 2020-04-30

Family

ID=70330873

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/111407 WO2020082228A1 (en) 2018-10-23 2018-10-23 Method and apparatus for attesting physical attacks

Country Status (4)

Country Link
US (1) US20220021690A1 (en)
EP (1) EP3871364A4 (en)
CN (1) CN112889239A (en)
WO (1) WO2020082228A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015013440A1 (en) * 2013-07-23 2015-01-29 Battelle Memorial Institute Systems and methods for securing real-time messages
CN105610575A (en) * 2015-09-22 2016-05-25 西安电子科技大学 Space-information-network cross-domain end-to-end secret key exchange method
WO2017023425A1 (en) * 2015-07-31 2017-02-09 Intel Corporation System, apparatus and method for optimizing symmetric key cache using tickets issued by a certificate status check service provider

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370656B1 (en) * 1998-11-19 2002-04-09 Compaq Information Technologies, Group L. P. Computer system with adaptive heartbeat
US8738907B2 (en) * 2007-08-02 2014-05-27 Motorola Solutiions, Inc. Wireless device authentication and security key management
CN103765427B (en) * 2011-09-07 2017-02-15 英特尔公司 Verifying firmware integrity of a device
US9917851B2 (en) * 2014-04-28 2018-03-13 Sophos Limited Intrusion detection using a heartbeat
WO2017135942A1 (en) * 2016-02-03 2017-08-10 Hewlett-Packard Development Company, L.P. Heartbeat signal verification
US10397085B1 (en) * 2016-06-30 2019-08-27 Juniper Networks, Inc. Offloading heartbeat responses message processing to a kernel of a network device
SG10201704555VA (en) * 2017-06-05 2019-01-30 Arete M Pte Ltd Secure and encrypted heartbeat protocol
CN109428874B (en) * 2017-08-31 2020-10-09 华为技术有限公司 Registration method and device based on service architecture
US10862864B2 (en) * 2018-04-04 2020-12-08 Sophos Limited Network device with transparent heartbeat processing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
FLORIAN KOHNHAUSER ET AL.: "Scalable attestation resilient to physical attacks for embedded devices in mesh networks", ARXIV.ORG 1701.08034V1, 27 January 2017 (2017-01-27)
FLORIAN KOHNHAUSER ET AL.: "SCAPI: a scalable attestation protocol to detect software and physical attacks", PROCEEDINGS OF WISEC ' 17, JULY 18-20, 2017
See also references of EP3871364A4

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112492550A (en) * 2020-11-05 2021-03-12 天翼物联科技有限公司 Terminal LWM2M session heartbeat method, system and storage medium
CN112492550B (en) * 2020-11-05 2023-08-29 天翼物联科技有限公司 Method, system and storage medium for heartbeat of LWM2M session of terminal

Also Published As

Publication number Publication date
US20220021690A1 (en) 2022-01-20
EP3871364A1 (en) 2021-09-01
EP3871364A4 (en) 2022-06-08
CN112889239A (en) 2021-06-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18937799

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018937799

Country of ref document: EP

Effective date: 20210525