Short presentation about a gateway-based solution for medical data encryption and the Internet of Things. Paper presented at 12th IEEE International Conference on BioInformatics and BioEngineering
Open / Free Cloud platforms and Open Hardware Systems
Enabling Data Protection through PKI encryption in IoT m-Health Devices
1. Enabling Data Protection
through PKI encryption
in IoT m-Health Devices
Charalampos Doukas, Ilias Maglogiannis, Vassiliki Koufi,
Flora Malamateniou, George Vassilacopoulos
S
5. Introduction
S Emerging global information service architecture
S Providing Internet access to devices
S Sensors
S Actuators
S Collaboration of services and integration of information
between different resources
6. Introduction
S Great impact on healthcare:
S Patient context and status awareness
S Critical information retrieval (e.g., medical record)
S Smart actions:
S Recommendations for better living (nutrition, activity, etc.)
S Emergency care
7. Challenges
S Many:
S Interoperability
S Information retrieval from different resources
S Ethical
S Business models => different entities involved
S Security
8. Challenges
Securit
y
S Data encryption
S Limited resources for many sensor devices
S Proper authentication
S User authentication
S Device authentication
S Integrity, confidentiality, etc.
9. The presented work
S A prototype Cloud-based system, which complies with the
IoT concept
S Manages data collected by wearable – textile sensors
S Utilizes the IoT gateway notion
S Data encryption, user access control and secure
transmission
S PKI technology
10. Some Related Work
S Growing interest in the utilization of IoT-based systems in
a wide range of applications, including homecare
applications
S Most works address sensor, data collection and
networking issues
S Data encryption and confidentiality:
S Some solutions utilize hop-by-hop encrypted data
aggregation some end-to-end encrypted data aggregation
S Most works present proprietary and ‘closed’ sensor systems
11. PKI for IoT Devices
S Hop-by-hop encryption of data
S Secure hop-by-hop data aggregation protocol (SEDAN)
S What about intermediate nodes?
S hold decrypted sensor data
S Easy to tamper with
S This vulnerability can be addressed by end-to-end techniques
for data encryption
S A key is shared among all sensors and the system where
aggregated data are transmitted to
12. PKI for IoT Devices
S PKI (Public Key Encryption) constitutes an effective approach
to data encryption
S If one key is used to encrypt information, then only the related
key can decrypt that information
S In case the public key gets compromised, still it is not
computationally feasible to retrieve the private key
13. PKI for IoT Devices
S For IoT and Healthcare: S Main Challenge:
S Devices that generate patient- S Even the encryption process
related information can encrypt with the public key requires
data using a public key computational and memory
resources
S health monitoring applications
can use the private key to S Existing wireless sensor
decrypt the data technologies do not provide,
especially when frequent data
S Using also PKI digital transmission is required (e.g.,
certificates the proper heart signal transmission)
authentication of the devices S Typical sensor
can be achieved, in addition to microcontroller unit: 32MHz,
the secure data transmission. 512Kb memory
14. The Proposed Solution
S Introduction of IoT Gateways
S Have the computational resources (>1 GHz CPU,
>500MB RAM) to perform PKI
S Come with additional network interfaces
S Communication with wireless sensor networks
S No issues with power consumption
S Can be easily installed (similar to home routers)
15. The Proposed Solution
S Can also address an additional security issue for IoT devices:
registration of new sensor devices and key management
S When a new monitoring device is introduced, the device needs to
have access to the public key
S By using an IoT gateway key management is essential only for the
gateway device itself and not every sensor device connecting to
the latter
S The communication between the IoT gateway and the sensor
device can be secured using symmetric encryption (which is less
computational intensive than PKI)
S In addition, the gateway has the ability to receive a new key if
required since it is a central communication point always
connected to the Internet
16. The Proposed Solution
S Mainly of three components; the mobile and contextual
sensors, the IoT gateways and the Back-end
infrastructure
17. Mobile & Contextual Sensors
S Continuously or periodically sense data about the patient
status
S heart/pulse rate, temperature, etc.
S Patient context
S room temperature, air quality, lighting conditions, etc.
S Sensor Devices = MCUs + Analog/Digital Sensors +
Wireless Interfaces (ZigBee, Bluetooth, etc.)
18. IoT Gateways
S Computational devices
S RaspberryPi, Beagleboard, etc.
S Typical price range: 25$ - 150$
S Complete OS (Linux)
S Networking Interfaces
S WiFi or Ethernet (Communication to the Internet)
S ZigBee
S Bluetooth
S Zwave, RF, etc.
19. IoT Gateways
S Computational resources:
S Perform proper data encryption
S Authentication
S (PKI)
S Used for Data processing
S Sensor data filtering
S Data mining
S I/O ports
S Connecting wireless interfaces
21. Cloud (Back-end)
Infrastructure
S Convenient, on-demand network access to shared group
of configurable computing resources
S CPU
S Storage (Scalability)
S Services
S Pay as you go model
S Maintenance-free
22. Cloud (Back-end)
Infrastructure
S Suitable model for back-end infrastructures
S Support data management and visualization of IoT m-
health devices
S Resources for PKI and key management
23. System Overview
Cloud Infrastructure
Medical devices
Certificates
Public Key
Symmetrically
encrypted data
24. Initial System Evaluation
S Prototype implementation
S Wireless (Bluetooth) Pulse Oxymeter
S A contextual sensor (temp, humidity, air quality and light)
S An IoT Gateway
S A Cloud-back end system for data management
25. Initial System Evaluation
S Contextual sensor
S Arduino microcontroller
S A digital temperature sensor
S A digital humidity sensor
S An analog light sensor
S An analog air quality sensor.
The Arduino can be connected to the home network of the user
either through Ethernet of WiFi network interfaces.
26. Initial System Evaluation
S The IoT gateway
S An open source, WiFi enabled gateway board properly modified to host
additional wireless interfaces (like Bluetooth and ZigBee)
S A Beagle board Linux board computer.
S The gateway board collects all information and forwards the
data to the Beagleboard using a serial interface.
S The Beagleboard runs a Python script that accepts data from
the UART interface and then applies PKI encryption using a
pre-stored public key (1024 bit key length).
S Then encrypted data are forwarded to a sample Cloud
application using a REST Web Service. The Cloud application
decrypts the data using the private key and presents sensor
data to users.
27. Initial System Evaluation
S Data (average sensor values) are transmitted in 1-minute
intervals
S The Python script that encrypts the data has been modified to
provide information about the time needed to encrypt the
sensor readings (total message length less than 100Kb).
S Respectively, the J2EE application on the Cloud has been
modified to present the time needed to decrypt the data before
presenting them to users.
S According to initial metrics, the total encryption process adds a
24.5% overhead in the total transmission time (about 800msec)
and less than 1 second overhead in data decryption.
S The latter overhead is acceptable in both cases for mobile
health applications.
28. Conclusion
S The Internet of Things can lead to more accurate and
instant diagnosis of health incidents
S Data protection is also weak since
S sensor devices lack the resources for anonymity, proper
authentication and data encryption
S In this paper we presented the conceptual design and
prototype implementation of a system based on IoT
gateways that aggregate health sensor data and resolve
security issues through digital certificates and PKI data
encryption
29. Conclusion
S The IoT gateway can both resolve sensor communication
interoperability issues and provide a less vulnerable
mean for securely authenticating to services and sending
patient data
S Future work:
S extended evaluation of the system with more sensors
S in a real environment
S private key management and access control should be
further investigated.
Editor's Notes
Population ageing, along with the increasing survival rates from disabling accidents and illnesses, is expected to lead to an increase in the proportion of the population with impairments, disabilities or chronic illnesses.
Ambient Assisted Living services can provide support for these people in their daily routine to allow an independent and safe lifestyle for as long as possible
AAL services utilize mostly home-based assistive technologies (e.g. intelligent, highly personalized network embedded objects, such as wireless devices and sensors, wireless communication technologies and data mining for status awareness. These however are also the main components of a new notion knows as the Internet of Things
The “Internet of Things” is an emerging global information service architecture. Its notion is based on providing Internet connectivity to various devices (can be sensors, like medical sensors, or actuators, e.g., smart doors,power management systems, etc. The key feature of IoT is the collaboration of services and integration of information between different resources. How information from sensors, like current user status, information from external resources (like a medical record) can be combined to drive decsions: e.g, initiate a doctor visit.
So the impact of IoT in healthcare is very important since the key features can facilitate the proper identification of patient context and status awareness and through critical information retrieval can drive smart actions that improve patients living or even save their lives
However the realization of IoT and healthcare solutions has not been yet achieved. There are many challenges to overcome, like interoperability between devices, operators and services, ethical and privacy issues to resolve, even how to build effective pricing models with many entities involved, and of course security.
The term security subsumes a wide range of different concepts, chief among them authentication, confidentiality, integrity and authorization. The major challenge in this case are the limited computational resources of many sensor devices: no proper data encryption or authentication schemes can be applied on wearable heart rate or oxymeter devices.
This paper presents a prototype Cloud-based system, which complies with the IoT concept. The proposed system manages data collected by wearable – textile sensors (i.e. biosignals, motion data and contextual data (like location, ambient temperature, activity status, etc.), which, are forwarded to a gateway utilizing established techniques for IoT communication and then to the Cloud infrastructure. To resolve the aforementioned security challenges we have introduced the IoT gateway notion that provides proper data encryption, access control and transmission based on applying PKI technology.
The past few years a number of key distribution schemes have been proposed for hop-by-hop encryption of data. In addition, a secure hop-by-hop data aggregation protocol, namely SEDAN has been proposed, according to which each node can verify immediately the integrity of its two hops neighbors.However, all proposed approaches could be considered vulnerable since the intermediate aggregator nodes, which hold decrypted sensor data, are easy to tamper with.This vulnerability can be addressed by end-to-end techniques for data encryption. These techniques also use a key scheme.
Public Key Encryption constitutes an effective approach to data encryption as it can provide an increased level of confidence for exchanging information over an increasingly insecure environment, such as IoT. Public key cryptography uses a pair of mathematically related keys. If one key is used to encrypt information, then only the related key can decrypt that information. In case the public key gets compromised, still it is not computationally feasible to retrieve the private key.
In the case of IoT and healthcare, devices that generate patient-related information (like body sensor readings) can encrypt data using a public key and the health monitoring applications (e.g., cloud or web systems operated by caregivers or relatives) can use the private key to decrypt the data. Using also PKI digital certificates the proper authentication of the devices can be achieved, in addition to the secure data transmission.However the establishment of PKI in IoT systems introduces a major challenge: Even the encryption process with the public key requires computational and memory resources that existing wireless sensor technologies do not provide, especially when frequent data transmission is required (e.g., heart signal transmission
he proposed system addresses this issue by introducing IoT-enabled gateways. The IoT gateways are devices with computational abilities comparable to desktop computers, come with integrated full operating system (usually Linux) and have many communication interfaces
These gateways can also address an additional security issue for IoT devices: registration of new sensor devices and key management. When a new monitoring device that transmits data through the Internet is introduced, the device needs to have access to the public key for properly encrypting the data. The latter process raises key management and distribution issues. By using an IoT gateway key management is essential only for the gateway device itself and not every sensor device connecting to the latter. The communication between the IoT gateway and the sensor device can be secured using symmetric encryption (which is less computational intensive than PKI). In addition, the gateway has the ability to receive a new key if required since it is a central communication point always connected to the Internet.
The proposed system enables medical data collection from various mobile/wearable sensors, contextual data (like room conditions, user habits, etc.) collection and secure transmission to caregivers and family members using a Cloud-based infrastructure.The architecture consists mainly of three components; the mobile and contextual sensors, the IoT gateways and the Back-end infrastructure.
The gateways have better computational resources (usually come with at least 1GHz ARM processor and 512Mb or RAM memory) and host a complete operating system that provides PKI tools (like the OpenSSL).
So they can perform data encryption, authentication, ….
Data Flow Diagram illustrating the basic functionality of an IoT gateway.An additional feature is the ability to perform some initial data preprocessing (e.g., data filtering, compression or pattern analysis) before data is encrypted using PKI and forwarded to the Internet using a WiFi or an Ethernet network interface.
Cloud Computing is a model for enabling convenient, on-demand network access to a shared group of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The latter features make Cloud computing a very suitable model for building back-end infrastructures that support data management and visualization of IoT m-health devices. In addition, Cloud resources can provide the essential requirements for PKI information encryption/decryption (like computational resources) and encryption/decryption key management
The Internet of Things enables the collective aggregation of patient data and patient information that can lead to more accurate and instant diagnosis of health incidents Data protection is also quite weak since sensor devices lack the resources for protecting user anonymity, and providing proper authentication and data encryption at the same time