Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

KESIC: Kerberos Extensions for Smart, IoT and CPS Devices

Renascence Tarafder Prapty, Sashidhar Jakkamsetti, Gene Tsudik

TL;DR

KESIC tackles secure multi-user access for IoT/CPS devices by extending Kerberos with an IoT Server (ISV) that manages device tickets and time attestation without changing Kerberos protocols. It partitions devices into general and power-constrained classes and provides two HMAC-based protocols to handle each class, enabling attestation and remote verification of device software state. The open-source prototype demonstrates strong efficiency gains over traditional Kerberos, including roughly $47$× lower memory and $135$× lower runtime overhead, along with modest storage and network demands. These results suggest that Kerberos-compatible, attestation-enabled access control can scale to large IoT deployments while preserving security guarantees. The work thus offers a practical path to secure, auditable, and scalable multi-user IoT access in real-world settings.

Abstract

Secure and efficient multi-user access mechanisms are increasingly important for the growing number of Internet of Things (IoT) devices being used today. Kerberos is a well-known and time-tried security authentication and access control system for distributed systems wherein many users securely access various distributed services. Traditionally, these services are software applications or devices, such as printers. However, Kerberos is not directly suitable for IoT devices due to its relatively heavy-weight protocols and the resource-constrained nature of the devices. This paper presents KESIC, a system that enables efficient and secure multi-user access for IoT devices. KESIC aims to facilitate mutual authentication of IoT devices and users via Kerberos without modifying the latter's protocols. To facilitate that, KESIC includes a special Kerberized service, called IoT Server, that manages access to IoT devices. KESIC presents two protocols for secure and comprehensive multi-user access system for two types of IoT devices: general and severely power constrained. In terms of performance, KESIC onsumes $\approx~47$ times less memory, and incurs $\approx~135$ times lower run-time overhead than Kerberos.

KESIC: Kerberos Extensions for Smart, IoT and CPS Devices

TL;DR

KESIC tackles secure multi-user access for IoT/CPS devices by extending Kerberos with an IoT Server (ISV) that manages device tickets and time attestation without changing Kerberos protocols. It partitions devices into general and power-constrained classes and provides two HMAC-based protocols to handle each class, enabling attestation and remote verification of device software state. The open-source prototype demonstrates strong efficiency gains over traditional Kerberos, including roughly × lower memory and × lower runtime overhead, along with modest storage and network demands. These results suggest that Kerberos-compatible, attestation-enabled access control can scale to large IoT deployments while preserving security guarantees. The work thus offers a practical path to secure, auditable, and scalable multi-user IoT access in real-world settings.

Abstract

Secure and efficient multi-user access mechanisms are increasingly important for the growing number of Internet of Things (IoT) devices being used today. Kerberos is a well-known and time-tried security authentication and access control system for distributed systems wherein many users securely access various distributed services. Traditionally, these services are software applications or devices, such as printers. However, Kerberos is not directly suitable for IoT devices due to its relatively heavy-weight protocols and the resource-constrained nature of the devices. This paper presents KESIC, a system that enables efficient and secure multi-user access for IoT devices. KESIC aims to facilitate mutual authentication of IoT devices and users via Kerberos without modifying the latter's protocols. To facilitate that, KESIC includes a special Kerberized service, called IoT Server, that manages access to IoT devices. KESIC presents two protocols for secure and comprehensive multi-user access system for two types of IoT devices: general and severely power constrained. In terms of performance, KESIC onsumes times less memory, and incurs times lower run-time overhead than Kerberos.
Paper Structure (28 sections, 12 equations, 13 figures, 8 tables)

This paper contains 28 sections, 12 equations, 13 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Kerberos
  4. Root-of-Trust (RoT)
  5. Design Overview
  6. System Model
  7. IoT Server (ISV)
  8. Device Types
  9. Protocol Overview
  10. Adversary model
  11. Security Requirements
  12. $\sf{KESIC}$ Protocols
  13. General Device Protocol
  14. Protocol for Power Constrained Devices
  15. Implementation Details
  16. ...and 13 more sections

Figures (13)

  • Figure 1: Kerberos Steps.
  • Figure 2: Kerberos Protocol.
  • Figure 3: System Model.
  • Figure 4: $Dev_{g}$ Protocol Overview.
  • Figure 5: $Dev_{g}$ Protocol.
  • ...and 8 more figures