Konrad-Felix Krentz (Uppsala University), Thiemo Voigt (Uppsala University, RISE Computer Science)

Object Security for Constrained RESTful Environments (OSCORE) is an end-to-end security solution for the Constrained Application Protocol (CoAP), which, in turn, is a lightweight application layer protocol for the Internet of things (IoT). The recently standardized Echo option allows OSCORE servers to check if a request was created recently. Previously, OSCORE only offered a counter-based replay protection, which is why delayed OSCORE requests were accepted as fresh. However, the Echo-based replay protection entails an additional round trip, thereby prolonging delays, increasing communication overhead, and deteriorating reliability. Moreover, OSCORE remains vulnerable to a denial-of-sleep attack. In this paper, we propose a version of OSCORE with a revised replay protection, namely OSCORE next-generation (OSCORE-NG). OSCORENG fixes OSCORE’s denial-of-sleep vulnerability and provides freshness guarantees that surpass those of the Echo-based replay protection, while dispensing with an additional round trip. Furthermore, in long-running sessions, OSCORE-NG incurs even less communication overhead than OSCORE’s counter-based replay protection. OSCORE-NG’s approach is to entangle timestamps in nonces. Except during synchronization, CoAP nodes truncate these timestamps in outgoing OSCORE-NG messages. Receivers fail to restore a timestamp if and only if an OSCORE-NG message is delayed by more than 7.848s in our implementation by default. In effect, older OSCORE-NG messages get rejected.

View More Papers

Faults in Our Bus: Novel Bus Fault Attack to...

Nimish Mishra (Department of Computer Science and Engineering, IIT Kharagpur), Anirban Chakraborty (Department of Computer Science and Engineering, IIT Kharagpur), Debdeep Mukhopadhyay (Department of Computer Science and Engineering, IIT Kharagpur)

Read More

Acoustic Keystroke Leakage on Smart Televisions

Tejas Kannan (University of Chicago), Synthia Qia Wang (University of Chicago), Max Sunog (University of Chicago), Abraham Bueno de Mesquita (University of Chicago Laboratory Schools), Nick Feamster (University of Chicago), Henry Hoffmann (University of Chicago)

Read More

BliMe: Verifiably Secure Outsourced Computation with Hardware-Enforced Taint Tracking

Hossam ElAtali (University of Waterloo), Lachlan J. Gunn (Aalto University), Hans Liljestrand (University of Waterloo), N. Asokan (University of Waterloo, Aalto University)

Read More

DorPatch: Distributed and Occlusion-Robust Adversarial Patch to Evade Certifiable...

Chaoxiang He (Huazhong University of Science and Technology), Xiaojing Ma (Huazhong University of Science and Technology), Bin B. Zhu (Microsoft Research), Yimiao Zeng (Huazhong University of Science and Technology), Hanqing Hu (Huazhong University of Science and Technology), Xiaofan Bai (Huazhong University of Science and Technology), Hai Jin (Huazhong University of Science and Technology), Dongmei Zhang…

Read More