Lightweight Session-Key Rekeying Framework for Secure IoT-Edge Communication

Haranath Rakshit, Rajkumar Bhandari, Subhasis Banerjee

TL;DR

The paper tackles the security shortcomings of static PSK in IoT edge environments by proposing DSEKP, a lightweight framework that derives per-session AES-GCM keys via HKDF-SHA256 and authenticates session setup with an HMAC InitProof in a single init-ack exchange. Implemented on an ESP32 client and a Raspberry Pi 5 edge server communicating through MQTT, DSEKP achieves throughput comparable to PSK with only modest increases in latency (~27%) and payload size (~10%), while delivering per-session key isolation and replay protection. The authors provide a thorough experimental evaluation over ~6,500 encrypted packets per configuration, demonstrating robustness across multi-session rekeying with >99.8% packet delivery. The work offers a practical, scalable migration path from static PSK to session-aware IoT security, enabling secure, edge-friendly synchronization without public-key infrastructures.

Abstract

The proliferation of Internet of Things (IoT) networks demands security mechanisms that protect constrained devices without the computational cost of public-key cryptography. Conventional Pre-Shared Key (PSK) encryption, while efficient, remains vulnerable due to static key reuse, replay attacks, and the lack of key freshness. This paper presents the Dynamic Session Enhanced Key Protocol (DSEKP), a lightweight session-key rekeying framework that derives per-session AES-GCM keys using the HMAC-based Key Derivation Function (HKDF-SHA256) and authenticates session establishment through an HMAC proof in a single init-ack exchange. DSEKP was implemented on an ESP32 IoT sensor node and a Raspberry Pi 5 edge server communicating through a Mosquitto MQTT broker, and benchmarked against a static PSK baseline over more than 6,500 encrypted packets per configuration. The results demonstrate nearly identical throughput and reliability, with minimal runtime impact (approximately 27 percent one-time session-establishment latency and 10 percent per-packet payload overhead), while delivering per-session key isolation (assuming the long-term secret remains uncompromised) and built-in replay protection. The PSK baseline and DSEKP datasets are publicly archived on IEEE DataPort to enable full reproducibility and comparative benchmarking. These findings confirm that dynamic symmetric rekeying can substantially strengthen IoT-Edge links with minimal computational and bandwidth cost, offering a practical migration path from static PSK to session-aware and scalable IoT security.
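The init-ack exchange described above, sketched as an added example that is not the authors' implementation: the abstract does not specify message layouts, so the field names, the `init`/`ack`/`session-key|` labels, the use of the nonce as HKDF salt, and the nonce cache used for replay rejection are all assumptions. AES-GCM packet encryption is left out; the derived 32-byte key is what would feed it.

```python
import hashlib, hmac, os

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def init_proof(psk, device_id, nonce):
    # Assumed InitProof layout: HMAC over a label, the 16-byte nonce, then the device id.
    return hmac.new(psk, b"init" + nonce + device_id, hashlib.sha256).digest()

def session_key(psk, device_id, nonce):
    # Assumed HKDF inputs: long-term secret as IKM, fresh nonce as salt, device id in info.
    return hkdf_sha256(psk, nonce, b"session-key|" + device_id, 32)

def ack_proof(key, nonce):
    # Assumed ack: the server proves it derived the same session key.
    return hmac.new(key, b"ack" + nonce, hashlib.sha256).digest()

def client_init(psk, device_id):
    nonce = os.urandom(16)
    return {"id": device_id, "nonce": nonce, "proof": init_proof(psk, device_id, nonce)}

class EdgeServer:
    def __init__(self, psk):
        self.psk, self.seen = psk, set()   # seen: accepted (id, nonce) pairs

    def handle_init(self, msg):
        """Return (session_key, ack), or None for a forged or replayed init."""
        want = init_proof(self.psk, msg["id"], msg["nonce"])
        if len(msg["nonce"]) != 16 or not hmac.compare_digest(want, msg["proof"]):
            return None
        if (msg["id"], msg["nonce"]) in self.seen:
            return None
        self.seen.add((msg["id"], msg["nonce"]))
        key = session_key(self.psk, msg["id"], msg["nonce"])
        return key, ack_proof(key, msg["nonce"])

def client_finish(psk, msg, ack):
    """Client derives the key and checks the ack before sending any data."""
    key = session_key(psk, msg["id"], msg["nonce"])
    return key if hmac.compare_digest(ack, ack_proof(key, msg["nonce"])) else None
```

Every session key here is a deterministic function of the long-term secret and public handshake values, which is why the abstract qualifies key isolation with "assuming the long-term secret remains uncompromised". A deployed server would also need to bound the nonce cache.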

Paper Structure

This paper contains 54 sections, 7 figures, 8 tables.

Figures (7)

  • Figure 1: DSEKP IoT–Edge communication architecture. The ESP32 client publishes encrypted DHT11 sensor data to a Dockerized Mosquitto broker, which relays packets to the Raspberry Pi 5 edge server for decryption and logging.
  • Figure 2: DSEKP protocol workflow consisting of four phases: Initialization, Acknowledgment, Data Transmission, and Session Termination. The init–ack handshake establishes an authenticated AES–GCM session using HKDF-derived keys.
  • Figure 3: Experimental IoT–Edge setup showing ESP32–DHT11 IoT node and Raspberry Pi 5 edge server communicating through a Dockerized Mosquitto broker.
  • Figure 4: Cumulative latency distribution (CDF) comparison between PSK and DSEKP over 6,500 packets. DSEKP adds a small rightward shift (≈ 80 ms) while retaining sub-second responsiveness for IoT telemetry.
  • Figure 5: Latency distribution (boxplot) comparison between PSK and DSEKP. PSK shows more high-latency outliers, while DSEKP yields a tighter, more stable latency profile due to session rekeying and reduced jitter.
  • ...and 2 more figures