Low-cost client-side encryption and secure Internet of things (IoT) provisioning

Security and ease of provisioning of IoT devices onto cloud infrastructure is instrumental to the deployment of IoT devices. With not much information available on the ease of secure provisioning of IoT devices couple with inherent challenge of these devices in encrypting data before transmission to the cloud due to their constrained nature, this work implements a low-cost client-side encryption algorithm based on the AES to carry out data encryption at the IoT device’s communication end using a SAMG55 microprocessor, following which the device is securely provisioned to a cloud platform as shown in Fig. 3. Related work and direction for future work is further detailed in Online Resources 1 and Online Resources 2.


Introduction and main contributions
Internet of things (IoT) deployments hold the promise to revolutionize the technology landscape through the unprecedented connectivity of billions of devices, in many sectors including: transportation, businesses, healthcare, agriculture and homes to mention a few. In [1], cloud computing is defined as a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The use of classical encryption schemes for appropriate clientside encryption before cloud storage is an additional challenge given the scarcity of power and computing resources available in constrained IoT.
As shown in the experimental setup in Online Resource 1, provisioning an IoT device onto a cloud platform entails the process of creating a unique identity on the cloud via requisite and secure authentication credentials, while client-side encryption is used to achieve encryption of data at the end of the device before it is sent onto cloud storage.
According to [2], while the deployment of IoT devices is estimated in billions, very little to no information is present on ease of device provisioning. According to [3], some of the challenging problems in the implementation of the IoT include: key management, device authentication, user access control, privacy preservation and identity management to mention but a few. Encryption-before-outsourcing is a widely recommended method to guarantee the confidentiality of user data [4] and the need for architecting IoT devices with clientside encryption capabilities in order to preserve the privacy of data generated and outsourced to cloud storage systems brings on additional burden on the devices, given the scarcity of resources. In order to protect the security of the outsourced data, an intuitive way is to encrypt the data before outsourcing it to the cloud [5].
This work investigates resource constrain on a sample IoT device, implemented a low-cost client-side encryption algorithm for data encryption as advocated in [5], and leverages a secure element to addresses the challenges of key management and device authentication as highlighted in [3], by securely provisioning the device on an IoT cloud services platform.
The main contributions are as follows: • Implementation and comparison a low-cost algorithm (Based on the AES) to lighweight CLEFIA, experimentation of the avalanche effect test on the low-cost algorithm and using it as client-side encryption solution in provisioning the SAMG55 microprocessor. • Experimentation and analysis of resource constrain in IoT devices, exemplified by comparing a PC and SAMG55 implementations of a low-cost algorithm for client-side encryption to the standard AES128. • Secure provisioning of a sample IoT device (SAMg55 microprocessor) on the Amazon Web Services (AWS) IoT core using AWS Command Line Interface (CLI).

Low-cost client-side encryption and secure IoT provisioning
With additional details provided in Online Resource 2, Algorithm 1 and Algorithm 2 summarize the low-cost client encryption and secure provisioning algorithms of the sample IoT device respectively. Consequent upon the scarcity of computing resources on a typical IoT device, a Low-cost algorithm -based on the AES and detailed in [6] is utilized for experimenting a client-side encryption of 16bytes of data. Algorithm 1 presents an algorithmic sequence of execution of the reduced round algorithm. Favourable to the experimentation and analysis of resource constrain of IoT devices as detailed in the Online Resource 2, the reduced round algorithm is 35% cheaper than the standard AES algorithm in terms of the encryption completion time of a single block data and thus, a plausible candidate for client-side encryption of IoT device data before outsourcing to the cloud for storage or processing.
An Avalanche effect test was experimented on the low-cost algorithm, and the encryption completion time compared to that of lightweight CLEFIA, after which the Low-cost algorithm is implemented as a client-side encryption solution in provisioning the sample IoT device, as further detailed in the Online Resource 2. The AWS CLI tool was utilized for enabling programmatic access to the AWS IoT core cloud service and provisioning of the SAMG55 device and Zerynth studio for implementing and compiling the executable binaries of the reduced round algorithm for the sample client-side encryption of data. The cloud end of the experimental setup requires the creation of a cloud account with the AWS cloud platform, enabled with the AWS lambda and AWS IoT Core services.

Results, conclusion and future work
Our experimentation measured increase in the encryption completion time on the constrained IoT device in comparison to the PC, in determination of the level of constraint on a SAMG55 IoT device in determination of the level of constraint on the IoT device as shown in Fig. 2. The low-cost algorithm shows upto 50.3% reduction in the aforementioned encryption completion time and so, was utilized for experimenting low cost client-side encryption and the device provisioned to the cloud.
We implemented and compared the cost, in terms of encryption completion times, of lightweight CLEFIA and the efficient algorithm for power constrained IoT devices. A comparison of the least complex and the efficient algorithm for constrained IoT devices followed as shown in Fig. 1.
An analysis of resource constrain on an example IoT device (SAMG55) was presented by comparing a PC and SAMG55 microprocessor implementations of both the standard AES and the low-cost algorithm for client-side encryption of IoT device data. This comparison shows an increase of 657% in the encryption time using the IoT device in comparison to the PC, consequent upon the scarcity of computational resources available on typical IoT devices. The low-cost algorithm used for the client-side encryption is 35% less expensive in terms of the encryption completion time of a 16 bytes of data, compared to the standard AES and 0.97 times less expensive than lightweight CLEFIA, while passing the avalanche effect test with up to 93.75% which is well above a recommended 50% according to [7].

Conclusion
Security and ease of provisioning of IoT devices onto cloud infrastructure is instrumental to the deployment of IoT devices. With not much information available on the ease of secure provisioning of IoT devices couple with inherent challenge of these devices in encrypting data before transmission to the cloud due to their constrained nature, this work implements a low-cost client-side encryption algorithm based on the AES to carry out data encryption at the IoT device's communication end using a SAMG55 microprocessor, following which the device is securely provisioned to a cloud platform as shown in Fig. 3. Related work and direction for future work is further detailed in Online Resources 1 and Online Resources 2.