A Group-Oriented DTLS Handshake for Secure IoT Applications

The datagram transport layer security (DTLS) is a de facto standard for the end-to-end security of the constrained application protocol (CoAP) that defines the following three security modes: preshared key (PSK), raw public key, and certificate. The pros and cons of each security mode are obvious. Even though the PSK mode is the most preferable in terms of the performance of the DTLS handshake, the in-advance distribution of a unique symmetric key for each pair of endpoints is difficult as the number of pairs increases. Alternatively, the certificate mode provides a convenient key-management functionality but its performance is very poor. The focus of most of the previous works is the reduction of the computational load for a single DTLS handshake that is induced by the certificate mode. In this paper, a group-oriented end-to-end security is considered, together with the introduction of a new security mode. Namely, a security association is established between a CoAP client and a group of CoAP servers (sensor devices); however, a fine-grained access control can be enforced so that each CoAP client can access a limited number of CoAP servers in the group. Furthermore, when each CoAP client performs several DTLS handshakes with the CoAP servers in the group, the first DTLS handshake involves a single public-key operation. A public-key operation, however, is not required for the subsequent DTLS handshakes, so the overall computational burden can be reduced. Also, a testbed was established along with the implementation of the proposed security mechanism for the conduction of a performance comparison with the other security mechanisms.