Security and Privacy for the Internet of Things Communication in the SmartCity

  • Ralf C. StaudemeyerEmail author
  • Henrich C. Pöhls
  • Bruce W. Watson


Growing SmartCities means that the amount of information processed and stored to manage a city’s infrastructure (e.g., traffic, public transport, electricity) is growing as well. To manage this, SmartCities are deploying truly distributed and highly scalable information and communication (ICT) infrastructure, connecting a conglomerate of smart devices and ‘smart things’. In recent years, the term Internet-of-Things (IoT) was coined to describe constrained systems that react via sensors to physical changes in its environment and may be able to influence that environment via actuators. While ICT generally helps to ‘mine’ collected information, the IoT complements this with direct access to a sensor’s data or even taking immediate corrective action. Using the capabilities of the IoT to monitor and control the SmartCity implies numerous devices communicate data about the city its citizens. The communicated data is used to make decisions that will affect many citizens, and if not secured correctly, attackers (or other ‘errors’) could disrupt operation of the SmartCity. Moreover, collected data possibly impinges on basic privacy rights if not gathered, communicated and processed correctly. This chapter provides a primer on general information security, its main goals, and the basic IoT security challenges in the SmartCity. Built upon the basic IT security goals of confidentiality, integrity, and availability, this chapter addresses security and privacy problems faced in the communication aspects of the SmartCity. We highlight that security is a crucial enabler for the ICT-dependent SmartCity to base the decisions on reliable data and to execute commands securely. We specifically point out that security starts at the very beginning of the data collection and communication process. On top of this, we focus on major issues related to private communication, as privacy is a key acceptance factor for an ICT-enabled SmartCity by its citizens.


Internet of Things (IoT) End-to-end security Privacy Integrity Confidentiality Encryption Digital signatures Unobservable communication Mix networks Anonymous communication 



H.C. Pöhls and R.C. Staudemeyer were supported by the European Unions 7th Framework Programme (FP7) under grant agreement Open image in new window  609094 (RERUM). H. C. Pöhls was also partly supported by the European Unions Horizon 2020 Programme under grant agreement Open image in new window  644962 (PRISMACLOUD).


  1. 1.
    Gollmann D (2011) Computer security, 3rd edn. John Wiley & SonsGoogle Scholar
  2. 2.
    Stallings W, Brown L (2014) Computer security: principles and practice, 3rd edn. Pearson EducationGoogle Scholar
  3. 3.
    ISO/IEC (2014) ISO/IEC 27001: Information technology—Security techniques—Information security management systems—Overview and vocabulary. Technical reportGoogle Scholar
  4. 4.
    Mitnick KD, Simon WL (2003) The art of deception: controlling the human element of security. John Wiley & SonsGoogle Scholar
  5. 5.
    Slay J, Koronios A (2005) Information technology, security and risk management. John Wiley & Sons, Australia LtdGoogle Scholar
  6. 6.
    Paul M (2012) The 7 qualities of highly secure software. CRC PressGoogle Scholar
  7. 7.
    McGraw G (2006) Software security: building security, vol 1. Addison-WesleyGoogle Scholar
  8. 8.
    Viega J, McGraw G (2001) Building secure software: how to avoid security problems the right way. Addison WesleyGoogle Scholar
  9. 9.
    Tragos EZ, Pöhls HC, Staudemeyer RC, Slamanig D, Kapovits A, Suppan S, Fragkiadakis A, Baldini G, Neisse R, Langendörfer P, Dyka Z, Wittke C (2015) Securing the internet of things—security and privacy in a hyperconnected world. In: Vermesan O, Friess P (eds) Building the hyperconnected society- internet of things research and innovation value chains, ecosystems and markets. River Publishers Series of Communications. pp 189–219Google Scholar
  10. 10.
    Issarny V, Georgantas N, Hachem S, Zarras A, Vassiliadist P, Autili M, Gerosa MA, Hamida AB (2011) Service-oriented middleware for the future internet: state of the art and research directions. J Internet Serv Appl 2(1):23–45Google Scholar
  11. 11.
    Tragos EZ, Bernabe JB, Staudemeyer RC, Luis J, Ramos H, Fragkiadakis A, Skarmeta A, Nati M, Gluhak A (2016) Trusted IoT in the complex landscape of governance, security, privacy, availability and savety. In: Digitising the industry - internet of things connecting the physical, digital and virtual worlds. River Publishers Series of Communications. pp 210–239Google Scholar
  12. 12.
    Heer T, Garcia-Morchon O, Hummen R, Keoh SL, Kumar SS, Wehrle K (2011) Security challenges in the IP-based internet of things. Wireless Pers Commun 61(3):527–542CrossRefGoogle Scholar
  13. 13.
    Weber RH (2010) Internet of things new security and privacy challenges. Comput Law Secur Rev 26(1):23–30CrossRefGoogle Scholar
  14. 14.
    Lamport L, Shostak R, Pease M (1982) The Byzantine generals problem. ACM Trans Program Lang Syst 4(3):382–401CrossRefzbMATHGoogle Scholar
  15. 15.
    Cavoukian A (2009) Privacy by design ... take the challengeGoogle Scholar
  16. 16.
    Gürses S, Troncoso C, Diaz C (2011) Engineering privacy by design. Comput Priv Data Prot 14:25Google Scholar
  17. 17.
    Schneier B (1996) Applied cryptography: protocols, algorithms, and source code in C, 2nd edn. John Wiley & Sons, New YorkzbMATHGoogle Scholar
  18. 18.
    Katz J, Lindell Y (2014) Introduction to modern cryptography, 2nd edn. Chapman & Hall/CRCGoogle Scholar
  19. 19.
    Danezis G, Clayton R (2007) Introducing traffic analysis. In: Digital privacy: theory, technologies, and practices, pp 1–24Google Scholar
  20. 20.
    Diffie W, Hellman ME, Diffie W, Hellman ME (1976) New directions in cryptography. IEEE Trans Inf Theory 22(6):644–654MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Koblitz N (1987) Elliptic curve cryptosystems. Math Comput 48(177):203–203MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Miller V (1986) Use of elliptic curves in cryptography. In: Proceedings of advances in cryptology (CRYPTO85). Springer, pp 417–426Google Scholar
  24. 24.
    Hankerson D, Menezes AJ, Vanstone S (2006) Guide to elliptic curve cryptography. Springer Science & Business MediaGoogle Scholar
  25. 25.
    Bock H, Braun M, Dichtl M, Hess E, Heyszl J, Kargl W, Koroschetz H, Meyer B, Seuschek H (2008) A milestone towards RFID products offering asymmetric authentication based on elliptic curve cryptography. Invited talk at RFIDsecGoogle Scholar
  26. 26.
    Braun M, Hess E, Meyer B (2008) Using elliptic curves on RFID tags. Int J Comput Sci Netw Secur 2:1–9Google Scholar
  27. 27.
    Hein D, Wolkerstorfer J, Felber N (2009) ECC is ready for RFID a proof in silicon. In: Avanzi RM, Keliher L, Sica F (eds) Selected areas in cryptography. Lecture notes in computer science, vol 5381, pp 401–413Google Scholar
  28. 28.
    Municipality of Amsterdam. Amsterdam—SmartCityGoogle Scholar
  29. 29.
    Efthymiou C, Kalogridis G (2010) Smart grid privacy via anonymization of smart metering data. In: 1st IEEE international conference on smart grid communications, Oct 2010, pp 238–243Google Scholar
  30. 30.
    Jawurek M (2013) Privacy in smart grids. Ph.D. thesis, Friedrich-Alexander-University Erlangen-NuernbergGoogle Scholar
  31. 31.
    Lahoti G, Mashima D, Chen W-P (2013) Customer-centric energy usage data management and sharing in smart grid systems. In: Proceedings of the first ACM workshop on smart energy grid security, SEGS ’13. ACM, New York, NY, USA, pp 53–64Google Scholar
  32. 32.
    Danezis G, Jawurek M, Kerschbaum F (2011) Sok: privacy technologies for smart grids—a survey of optionsGoogle Scholar
  33. 33.
    Mashima D, Roy A (2014) Privacy preserving disclosure of authenticated energy usage data. In: 2014 IEEE international conference on smart grid communications (SmartGridComm), Nov 2014, pp 866–871Google Scholar
  34. 34.
    Pöhls, HC, Karwe M (2014) Redactable signatures to control the maximum noise for differential privacy in the smart grid. In: Cuellar J (ed) Proceedings of the 2nd workshop on smart grid security (SmartGridSec 2014). Lecture notes in computer science (LNCS), vol 8448. Springer International PublishingGoogle Scholar
  35. 35.
    Peterson W, Brown D (1961) Cyclic codes for error detection. Proc IRE 49(1):228–235MathSciNetCrossRefGoogle Scholar
  36. 36.
    Michiels EF (1996) ISO/IEC 10181–6: 1996 Information technology—Open systems interconnection—Security frameworks for open systems: integrity framework. ISO Geneve, SwitzerlandGoogle Scholar
  37. 37.
    Clark DD, Wilson DR (1987) A comparison of commercial and military computer security policies. In: 1987 IEEE symposium on security and privacy. Los Alamitos, CA, USA, Apr 1987, pp 184–184Google Scholar
  38. 38.
    Shirey R (2007) RFC 4949–Internet Security GlossaryGoogle Scholar
  39. 39.
    Gollmann D (2012) Veracity, plausibility, and reputation. In: Information security theory and practice. Security, privacy and trust in computing systems and ambient intelligent ecosystems, pp 20–28Google Scholar
  40. 40.
    Gollmann D (1996) What do we mean by entity authentication? In: Proceedings of 1996 IEEE symposium on security and privacy, pp 46–54Google Scholar
  41. 41.
    Goldwasser S, Micali S, Rivest RL (1988) A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput 17(2):281–308Google Scholar
  42. 42.
    Turner S, Chen L (2007) RFC 6151–updated security considerations for the MD5 message-digest and the HMAC-MD5 algorithmsGoogle Scholar
  43. 43.
    ISO/IEC (1997) ISO/IEC 13888-1: Information technology—security techniques—non-repudiation, Part 1: General. ISO Geneve, SwitzerlandGoogle Scholar
  44. 44.
    World Health Organisation Europe (WHO/E) (2013) Health impact assessment of air pollution in the eight major italian cities, p 65Google Scholar
  45. 45.
    Municipality of Milan. Milan—Area CGoogle Scholar
  46. 46.
    Camenisch J, Dubovitskaya M, Haralambiev K, Kohlweiss M (2015) Composable and modular anonymous credentials: definitions and practical constructions. In: Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics), vol 9453. Springer Verlag, pp 262–288Google Scholar
  47. 47.
    Raymond J-F (2001) Traffic analysis: protocols, attacks, design issues, and open problems. In: Designing privacy enhancing technologies, pp 10–29Google Scholar
  48. 48.
    Fawcett T, Provost F (1996) Combining data mining and machine learning for effective user profiling. Sci Technol 42:8–13Google Scholar
  49. 49.
    Danezis G, Domingo-Ferrer J, Hansen M, Hoepman J-H, Métayer DL, Tirtea R, Schiffner S, Agency (2014) Privacy and data protection by design—from policy to engineering. Technical report, European Union Agency for Network and Information Security, Dec 2014Google Scholar
  50. 50.
    Danezis G, Diaz C (2008) A survey of anonymous communication channels 1–61Google Scholar
  51. 51.
    Song DX, Wagner D, Tian X (2001) Timing analysis of keystrokes and timing attacks on SSH. In: 10th USENIX security symposium 28913:25Google Scholar
  52. 52.
    Dupasquier B, Burschka S, McLaughlin K, Sezer S (2010) Analysis of information leakage from encrypted Skype conversations. Int J Inf Secur 9(5):313–325 JulCrossRefGoogle Scholar
  53. 53.
    Pfitzmann A, Hansen M (2010) A terminology for talking about privacy by data minimization: anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management. Technical reportGoogle Scholar
  54. 54.
    Chaum DL (1981) Untraceable electronic mail, return addresses, and digital pseudonyms, Feb 1981Google Scholar
  55. 55.
    Ruiz-Martínez A (2012) A survey on solutions and main free tools for privacy enhancing web communications. J Netw Comput Appl 35(5):1473–1492Google Scholar
  56. 56.
    Goldschlag D, Reed M, Syverson P (1999) Onion routing. Commun ACM 42(2):39–41CrossRefGoogle Scholar
  57. 57.
    Dingledine R, Mathewson N, Syverson P (2004) Tor: the second-generation onion router. In: Proceedings of the 13th USENIX security symposium, vol 13. USENIX Association, pp 303–320Google Scholar
  58. 58.
    Chaum D (1988) The dining cryptographers problem: unconditional sender and recipient untraceability. J Cryptology 1(1):65–75MathSciNetCrossRefzbMATHGoogle Scholar
  59. 59.
    Golle P, Juels A (2004) Dining cryptographers revisited. In: Proceedings of advances in cryptology (EUROCRYPT 2004), pp 456–473Google Scholar
  60. 60.
    Waidner M, Pfitzmann B (1990) The dining cryptographers in the disco: unconditional sender and recipient untraceability with computationally secure serviceability. In: Proceedings of the workshop on the theory and application of cryptographic techniques on advances in cryptology (EUROCRYPT ’89) 89:690Google Scholar
  61. 61.
    Corrigan-Gibbs H, Ford B (2010) Dissent: accountable anonymous group messaging, p 12Google Scholar
  62. 62.
    Goel S, Robson M, Polte M, Sirer E (2003) Herbivore: a scalable and efficient protocol for anonymous communication. Technical report, Cornell UniversityGoogle Scholar
  63. 63.
    Guan Y, Fu X, Bettati R, Zhao W (2002) An optimal strategy for anonymous communication protocols. In: Proceedings of the 22nd international conference on distributed computing systems 2002, pp 257–266Google Scholar
  64. 64.
    Stajano F, Anderson R (2000) The cocaine auction protocol: on the power of anonymous broadcast. Inf Hiding 1768:434–447CrossRefGoogle Scholar
  65. 65.
    Shamir A (1979) How to share a secret. Commun ACM 22(11):612–613MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2017

Authors and Affiliations

  • Ralf C. Staudemeyer
    • 1
    • 2
    Email author
  • Henrich C. Pöhls
    • 1
  • Bruce W. Watson
    • 2
  1. 1.Institute of IT-Security and Security Law, University of PassauPassauGermany
  2. 2.Information Science, Stellenbosch UniversityStellenboschSouth Africa

Personalised recommendations