Blockchain based privacy-preserving software updates with proof-of-delivery for Internet of Things
Introduction
According to Gartner Inc. [20], the number of the IoT devices deployed and connected on the Internet is more than 11 billion in 2018. IoT and its applications have pervaded in our daily lives from smart home, smart city to smart everything. However, most of these IoT devices are generally not perfect-by-design with security weaknesses or vulnerabilities and are easy to be hacked under various cyber attacks. In 2018, ZeroDayLab [21] reports a high-severity vulnerability in the 4G-based wireless 4GEE mini modem. The vulnerability enables an attacker to run a malicious program on a targeted computer with the highest level of privileges in the system. Later, mobile operator EE acknowledged the issue and rolled out a firmware patch to address the vulnerability. By using a previously disclosed vulnerability revealed in the CIA Vault 7 leaks, the hackers have compromised over 210,000 routers from Latvian network hardware provider Mikrotik across the world [22], [23]. With the continues growth of IoT devices, it is essential to update these IoT devices securely, patching their vulnerabilities and protecting the safety of the involved users.
Traditional software updates mainly base on the client–server architecture, as shown in Fig. 1, leading to a single point of failure for denial of service (DoS) attacks. Delivering secure and reliable updates become a challenge issue for the IoT device vendors.
Building upon decentralization concept, the advent of blockchain technology may provide a solution for IoT applications [26], [44]. Blockchain is a data structure depending on hash functions that builds a linked list by using hash pointers. Each block stores the transactions in the peer-to-peer network. Some nodes are known as miners and run consensus algorithms such as proof of work (PoW) [33] to mine and generate a new block. Blockchain technology has been widely applied to healthcare [17], IoT [4], [45], and financial transactions [1], [29], [43] etc. There are a few blockchain based solutions [11], [12], [13], [14], [15], [16], [32], [40], [41] to IoT software and/or firmware updates.
Related Work. Lee and Lee [27] proposed a secure firmware update scheme for embedded devices in the IoT environments. They executed firmware checking and validation by using blockchain with a new block structure. They used the BitTorrent as a firmware sharing network for firmware download to enhance availability and integrity of updates. Boudguiga et al. [3] used the blockchain technology to ensure the availability and innocuousness of software updates. They added the trusted innocuousness nodes to check the integrity of updates and only approved updates can be downloaded. Yohan et al. [42] proposed a firmware update framework by utilizing PUSH-based firmware updates. They used smart contract and the blockchain consensus mechanism to preserve the integrity of updates. Recently, Leiba et al. [28] proposed decentralized incentivized delivery network for IoT software updates. The participating nodes of delivery network deliver updates to IoT devices and can get financial incentive from the vendors. Leiba et al. [28] used zero-knowledge contingent payment (ZKCP) [38] data exchange protocol where the ZKCP adopted zero-knowledge Succinct Non-Interactive ARguments of Knowledge (zk-SNARKs) [19] as instance. However, these mechanisms are inadequate in the process of software updates for the privacy of the involved users. In certain circumstances, when a consumer buys an IoT device, his personal information might be automatically linked to the device. In the vehicle system, an on-board unit (OBU) is embedded into automatic vehicle as a sensing layer node to communicate with the roadside infrastructure and other peer vehicles. The IoT devices collect users’ data including driver’s location information and identity information to provide diverse services such as navigation and traffic notification. Leaking user’s location or identity information could lead to privacy threats [6], [7], [8].
Contributions. In this paper, we propose a new blockchain based privacy-preserving IoT software update protocol. It not only protects the privacy of the updated IoT devices, but also delivers secure and reliable updates with an incentive mechanism. The proposed protocol utilizes blockchain, smart contract, double authentication preventing signature (DAPS) and outsourced attribute-based signature (OABS) to deliver secure and reliable updates. In this protocol, the vendor delivers the updates by using smart contract to provide a financial incentive to the transmission node that provides a proof-of-delivery that a single update was delivered to the IoT devices. A transmission node obtains proof-of-delivery by using DAPS to carry out fair exchange. In the fair exchange, the transmission node exchanges an OABS of the IoT device with DAPS. Then, it uses the OABS as proof-of-delivery for receiving the financial incentive. The main contributions of the proposed protocol are as follows.
- 1.
We propose the system model of blockchain-based privacy-preserving IoT software updates protocol, and present a new concrete OABS scheme and prove the existential unforgeability under chosen message attacks.
- 2.
We propose a concrete blockchain-based privacy-preserving IoT software updates protocol by integrating blockchain, smart contract, DAPS and our proposed OABS, which satisfies anonymity, proof-of-delivery unforgeability, fairness, authentication and integrity.
- 3.
We provide detailed security analysis of the proposed protocol, and implement the protocol using smart contract to demonstrate the practicability of the protocol.
Organization. This paper is organized as follows. The model of blockchain based privacy-preserving software update protocol is given in Section 2. The introduction of building blocks is given in Section 3. The details of blockchain based privacy-preserving software update protocol and the security analysis and evaluation are described in Section 4 and Section 5. Finally, we conclude the paper in Section 6.
Section snippets
The system model and security model
In the section, we introduce the blockchain based privacy-preserving software update model and the related security requirements.
Building blocks
In this section, we review the smart contract and the cryptography algorithms used in the protocol.
Overview
The privacy-preserving IoT software update protocol works as follows. The vendor, a provider of the IoT devices, initializes the system parameters. It maintains a list of its IoT devices and burns the secret key of device into the manufactured IoT devices. The transmission node registers with the vendor to deliver updates to IoT devices and obtains the financial incentive. Then, the vendor publishes an update by using smart contract and commits to provide financial incentive to the transmission
Security and implementation
In this section, we analyze the security of the blockchain based privacy-preserving IoT software update protocol, then report the performance of the protocol.
Conclusion
We describe a new blockchain based privacy-preserving IoT software update protocol which utilizes blockchain, smart contract, double authentication preventing signatures (DAPS) and outsourced attribute-based signatures (OABS) to deliver secure and reliable updates. It protects the privacy of IoT devices while delivers secure and reliable updates with an incentive mechanism. In this protocol, the vendor can deliver updates to its IoT devices by using smart contract. The transmission node can
Acknowledgments
This work was supported by National Key Research and Development Program of China (2017YFB0802000), National Natural Science Foundation of China (61872229, 61802239), Fundamental Research Funds for the Central Universities, China (GK201702004, GK201803061, 2018CBLY006) and China Postdoctoral Science Foundation (2018M631121).
Declaration of competing interest
There is no conflict of interest between all the authors.
Yanqi Zhao is currently a Ph.D. candidate of School of Computer Science, Shaanxi Normal University. His research interest is applied cryptography.
References (45)
- et al.
A novel oriented cuckoo search algorithm to improve DV-hop performance for cyber-physical systems
J. Parallel Distrib. Comput.
(2017) Qos routing based on multi-class nodes for mobile ad hoc networks
Ad Hoc Netw.
(2004)- et al.
An effective key management scheme for heterogeneous sensor networks
Ad Hoc Netw.
(2007) - et al.
Iot security: review, blockchain solutions, and open challenges
Future Gener. Comput. Syst.
(2018) A survey of key management schemes in wireless sensor networks
J. Comput. Commun.
(2007)- M. Andrychowicz, S. Dziembowski, D. Malinowski, et al. Secure multiparty computations on bitcoin. in: IEEE Symposium on...
- et al.
Double-authentication-preventing signatures
- A. Boudguiga, N. Bouzerna, L. Granboulan, et al. Towards better availability and accountability for iot updates by...
- et al.
A blockchain connected gateway for BLE-based devices in the internet of things
IEEE Access
(2018) - et al.
Secure outsourced attribute-based signatures
IEEE Trans. Parallel Distrib. Syst.
(2014)
Detection of malicious code variants based on deep learning
IEEE Trans. Ind. Inf.
A pigeon-inspired optimization algorithm for many-objective optimization problems
Sci. China Inf. Sci.
Security in wireless sensor networks
IEEE Wirel. Commun. Mag.
A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks
IEEE Trans. Wirel. Commun.
Adaptive cell-relay routing protocol for mobile ad hoc networks
IEEE Trans. Veh. Technol.
Medrec: medical data management on the blockchain
Viral Commun.
Quadratic span programs and succinct nizks without pcps
Cited by (39)
Secure decentralized firmware update delivery service for Internet of Things
2024, Internet of Things (Netherlands)Secure cloud file sharing scheme using blockchain and attribute-based encryption
2024, Computer Standards and InterfacesUsing NFTs for ownership management of digital twins and for proof of delivery of their physical assets
2023, Future Generation Computer SystemsThe role of block chain technology and Internet of Things (IoT) to protect financial transactions in crypto currency market
2022, Materials Today: ProceedingsBlockchain-empowered cloud architecture based on secret sharing for smart city
2021, Journal of Information Security and ApplicationsSecurity-enhanced firmware management scheme for smart home IoT devices using distributed ledger technologies
2024, International Journal of Information Security
Yanqi Zhao is currently a Ph.D. candidate of School of Computer Science, Shaanxi Normal University. His research interest is applied cryptography.
Yiming Liu is currently a senior engineer at Science and Technology on Communication Security Laboratory. Her research interest is information security.
Aikui Tian is currently a professor at School of Computer Science and Technology, Shandong University of Technology. His research interest is information security.
Yong Yu received the Ph.D. degree in cryptography from Xidian University, Xi’an, China, in 2008. He is currently a Professor with Shaanxi Normal University, Xi’an. He holds the prestigious One Hundred Talent Professorship of Shaanxi Province as well. He has authored more than 100 refereed journal and conference papers. His research interests include cryptography and its applications, especially public encryption, digital signature, and secure cloud computing. He is an Associate Editor for Soft Computing.
Xiaojiang Du received the B.S. and M.S. degrees from Tsinghua University, China, in 1996 and 1998, respectively. He received the M.S. and Ph.D. degrees in electrical engineering from the University of Maryland College Park, MD, USA, in 2002 and 2003, respectively. He is currently a Professor with the Department of Computer and Information Sciences, Temple University, USA. He has authored and co-authored more than 200 journals and conference papers and has been awarded more than $5M research grants from the US National Science Foundation and Army Research Office. His research interests include security, systems, wireless networks, and computer networks.