Blockchain based privacy-preserving software updates with proof-of-delivery for Internet of Things

https://doi.org/10.1016/j.jpdc.2019.06.001Get rights and content

Highlights

  • Propose a blockchain based privacy-preserving software updates protocol.

  • Preserve users’ privacy when updating the IoT devices.

  • Prove the security of the proposed protocol.

  • Implement smart contract to show the validity of the protocol.

Abstract

A large number of IoT devices are connected via the Internet. However, most of these IoT devices are generally not perfect-by-design even have security weaknesses or vulnerabilities. Thus, it is essential to update these IoT devices securely, patching their vulnerabilities and protecting the safety of the involved users. Existing studies deliver secure and reliable updates based on blockchain network which serves as the transmission network. However, these approaches could compromise users privacy when updating the IoT devices.

In this paper, we propose a new blockchain based privacy-preserving software update protocol, which delivers secure and reliable updates with an incentive mechanism while protects the privacy of involved users. A vendor delivers the updates and makes a commitment by using smart contract to provide financial incentive to the transmission nodes who deliver the updates to its IoT devices. A transmission node can get financial incentive by providing a proof-of-delivery. In order to obtain the proof-of-delivery, the transmission node uses double authentication preventing signature (DAPS) to carry out fair exchange. Specifically, the transmission node uses the DAPS to exchange an attribute-based signature (ABS) of one IoT device. Then, it uses the ABS as proof-of-delivery to receive financial incentives. Generally, to generate an ABS, the IoT device has to execute complex computations which is intolerable for resource limited devices. We propose a concrete outsourced attribute-based signature (OABS) scheme to overcome the weakness. Then, we prove the security of the proposed OABS and the protocol. Finally, we implement smart contract in Solidity to demonstrate the validity of the proposed protocol.

Introduction

According to Gartner Inc. [20], the number of the IoT devices deployed and connected on the Internet is more than 11 billion in 2018. IoT and its applications have pervaded in our daily lives from smart home, smart city to smart everything. However, most of these IoT devices are generally not perfect-by-design with security weaknesses or vulnerabilities and are easy to be hacked under various cyber attacks. In 2018, ZeroDayLab [21] reports a high-severity vulnerability in the 4G-based wireless 4GEE mini modem. The vulnerability enables an attacker to run a malicious program on a targeted computer with the highest level of privileges in the system. Later, mobile operator EE acknowledged the issue and rolled out a firmware patch to address the vulnerability. By using a previously disclosed vulnerability revealed in the CIA Vault 7 leaks, the hackers have compromised over 210,000 routers from Latvian network hardware provider Mikrotik across the world [22], [23]. With the continues growth of IoT devices, it is essential to update these IoT devices securely, patching their vulnerabilities and protecting the safety of the involved users.

Traditional software updates mainly base on the client–server architecture, as shown in Fig. 1, leading to a single point of failure for denial of service (DoS) attacks. Delivering secure and reliable updates become a challenge issue for the IoT device vendors.

Building upon decentralization concept, the advent of blockchain technology may provide a solution for IoT applications [26], [44]. Blockchain is a data structure depending on hash functions that builds a linked list by using hash pointers. Each block stores the transactions in the peer-to-peer network. Some nodes are known as miners and run consensus algorithms such as proof of work (PoW) [33] to mine and generate a new block. Blockchain technology has been widely applied to healthcare [17], IoT [4], [45], and financial transactions [1], [29], [43] etc. There are a few blockchain based solutions [11], [12], [13], [14], [15], [16], [32], [40], [41] to IoT software and/or firmware updates.

Related Work. Lee and Lee [27] proposed a secure firmware update scheme for embedded devices in the IoT environments. They executed firmware checking and validation by using blockchain with a new block structure. They used the BitTorrent as a firmware sharing network for firmware download to enhance availability and integrity of updates. Boudguiga et al. [3] used the blockchain technology to ensure the availability and innocuousness of software updates. They added the trusted innocuousness nodes to check the integrity of updates and only approved updates can be downloaded. Yohan et al. [42] proposed a firmware update framework by utilizing PUSH-based firmware updates. They used smart contract and the blockchain consensus mechanism to preserve the integrity of updates. Recently, Leiba et al. [28] proposed decentralized incentivized delivery network for IoT software updates. The participating nodes of delivery network deliver updates to IoT devices and can get financial incentive from the vendors. Leiba et al. [28] used zero-knowledge contingent payment (ZKCP) [38] data exchange protocol where the ZKCP adopted zero-knowledge Succinct Non-Interactive ARguments of Knowledge (zk-SNARKs) [19] as instance. However, these mechanisms are inadequate in the process of software updates for the privacy of the involved users. In certain circumstances, when a consumer buys an IoT device, his personal information might be automatically linked to the device. In the vehicle system, an on-board unit (OBU) is embedded into automatic vehicle as a sensing layer node to communicate with the roadside infrastructure and other peer vehicles. The IoT devices collect users’ data including driver’s location information and identity information to provide diverse services such as navigation and traffic notification. Leaking user’s location or identity information could lead to privacy threats [6], [7], [8].

Contributions. In this paper, we propose a new blockchain based privacy-preserving IoT software update protocol. It not only protects the privacy of the updated IoT devices, but also delivers secure and reliable updates with an incentive mechanism. The proposed protocol utilizes blockchain, smart contract, double authentication preventing signature (DAPS) and outsourced attribute-based signature (OABS) to deliver secure and reliable updates. In this protocol, the vendor delivers the updates by using smart contract to provide a financial incentive to the transmission node that provides a proof-of-delivery that a single update was delivered to the IoT devices. A transmission node obtains proof-of-delivery by using DAPS to carry out fair exchange. In the fair exchange, the transmission node exchanges an OABS of the IoT device with DAPS. Then, it uses the OABS as proof-of-delivery for receiving the financial incentive. The main contributions of the proposed protocol are as follows.

  • 1.

    We propose the system model of blockchain-based privacy-preserving IoT software updates protocol, and present a new concrete OABS scheme and prove the existential unforgeability under chosen message attacks.

  • 2.

    We propose a concrete blockchain-based privacy-preserving IoT software updates protocol by integrating blockchain, smart contract, DAPS and our proposed OABS, which satisfies anonymity, proof-of-delivery unforgeability, fairness, authentication and integrity.

  • 3.

    We provide detailed security analysis of the proposed protocol, and implement the protocol using smart contract to demonstrate the practicability of the protocol.

Organization. This paper is organized as follows. The model of blockchain based privacy-preserving software update protocol is given in Section 2. The introduction of building blocks is given in Section 3. The details of blockchain based privacy-preserving software update protocol and the security analysis and evaluation are described in Section 4 and Section 5. Finally, we conclude the paper in Section 6.

Section snippets

The system model and security model

In the section, we introduce the blockchain based privacy-preserving software update model and the related security requirements.

Building blocks

In this section, we review the smart contract and the cryptography algorithms used in the protocol.

Overview

The privacy-preserving IoT software update protocol works as follows. The vendor, a provider of the IoT devices, initializes the system parameters. It maintains a list of its IoT devices and burns the secret key of device into the manufactured IoT devices. The transmission node registers with the vendor to deliver updates to IoT devices and obtains the financial incentive. Then, the vendor publishes an update by using smart contract and commits to provide financial incentive to the transmission

Security and implementation

In this section, we analyze the security of the blockchain based privacy-preserving IoT software update protocol, then report the performance of the protocol.

Conclusion

We describe a new blockchain based privacy-preserving IoT software update protocol which utilizes blockchain, smart contract, double authentication preventing signatures (DAPS) and outsourced attribute-based signatures (OABS) to deliver secure and reliable updates. It protects the privacy of IoT devices while delivers secure and reliable updates with an incentive mechanism. In this protocol, the vendor can deliver updates to its IoT devices by using smart contract. The transmission node can

Acknowledgments

This work was supported by National Key Research and Development Program of China (2017YFB0802000), National Natural Science Foundation of China (61872229, 61802239), Fundamental Research Funds for the Central Universities, China (GK201702004, GK201803061, 2018CBLY006) and China Postdoctoral Science Foundation (2018M631121).

Declaration of competing interest

There is no conflict of interest between all the authors.

Yanqi Zhao is currently a Ph.D. candidate of School of Computer Science, Shaanxi Normal University. His research interest is applied cryptography.

References (45)

  • CuiZ. et al.

    Detection of malicious code variants based on deep learning

    IEEE Trans. Ind. Inf.

    (2018)
  • CuiZ. et al.

    A pigeon-inspired optimization algorithm for many-objective optimization problems

    Sci. China Inf. Sci.

    (2019)
  • D. Derler, S. Ramacher, D. Slamanig, Short double-and N-times-authentication preventing signatures from ECDSA and more,...
  • D. Derler, S. Ramacher, D. Slamanig, Generic double-authentication preventing signatures and a post-quantum...
  • DuX. et al.

    Security in wireless sensor networks

    IEEE Wirel. Commun. Mag.

    (2008)
  • DuX. et al.

    A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks

    IEEE Trans. Wirel. Commun.

    (2009)
  • X. Du, F. Lin, Designing efficient routing protocol for heterogeneous sensor networks, in: Proceedings of the IEEE...
  • DuX. et al.

    Adaptive cell-relay routing protocol for mobile ad hoc networks

    IEEE Trans. Veh. Technol.

    (2006)
  • EkblawA. et al.

    Medrec: medical data management on the blockchain

    Viral Commun.

    (2016)
  • T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in: Annual International...
  • GennaroR. et al.

    Quadratic span programs and succinct nizks without pcps

  • ...
  • Cited by (39)

    • Blockchain-empowered cloud architecture based on secret sharing for smart city

      2021, Journal of Information Security and Applications
    View all citing articles on Scopus

    Yanqi Zhao is currently a Ph.D. candidate of School of Computer Science, Shaanxi Normal University. His research interest is applied cryptography.

    Yiming Liu is currently a senior engineer at Science and Technology on Communication Security Laboratory. Her research interest is information security.

    Aikui Tian is currently a professor at School of Computer Science and Technology, Shandong University of Technology. His research interest is information security.

    Yong Yu received the Ph.D. degree in cryptography from Xidian University, Xi’an, China, in 2008. He is currently a Professor with Shaanxi Normal University, Xi’an. He holds the prestigious One Hundred Talent Professorship of Shaanxi Province as well. He has authored more than 100 refereed journal and conference papers. His research interests include cryptography and its applications, especially public encryption, digital signature, and secure cloud computing. He is an Associate Editor for Soft Computing.

    Xiaojiang Du received the B.S. and M.S. degrees from Tsinghua University, China, in 1996 and 1998, respectively. He received the M.S. and Ph.D. degrees in electrical engineering from the University of Maryland College Park, MD, USA, in 2002 and 2003, respectively. He is currently a Professor with the Department of Computer and Information Sciences, Temple University, USA. He has authored and co-authored more than 200 journals and conference papers and has been awarded more than $5M research grants from the US National Science Foundation and Army Research Office. His research interests include security, systems, wireless networks, and computer networks.

    View full text