With the wide application of the Internet of Things, more and more small-scale devices are joining the IoT platform, and the existing application-layer protocols can no longer meet the lightweight requirements of resource-constrained IoT devices. Therefore, various organizations have developed a variety of lightweight protocols for the IoT, among which the recently proposed Constrained Application Protocol (CoAP) has become the preferred choice for small devices with the lowest energy consumption. However, as a new IoT protocol, CoAP, although it considers security in its design, still cannot meet these emerging security requirements, which hinders its wide application. How to address the various security threats without destroying the lightweight characteristics of the protocol has therefore become an urgent problem. In this thesis, based on the zero-trust framework paradigm, a security-enhanced CoAP communication framework is proposed, combining three techniques: single-packet authentication, dynamic access control, and data re-encryption. The main research contents are as follows:

(1) Against external attackers in the network, this thesis proposes a single-packet authentication (SPA) technique based on CoAP. The client adds identity information, device information and the CoAP request method to the first data packet sent to the controller during the handshake. Until the client has been authenticated by the controller, the server does not respond to any of its requests, realizing the zero-trust principle of "authenticate first, then communicate". Security experiments on networks adopting single-packet authentication show that the scheme is resilient to external attacks, especially denial-of-service attacks. Further performance analysis shows that the scheme does not introduce noticeable computational or communication overhead.

(2) After being authenticated, the client may still be an attacker who has stolen legitimate credentials and entered the network to cause damage. To address this issue, this thesis proposes a multi-dimensional access control scheme. The scheme disregards the identity of the visitor and instead examines the access request itself. Its core is the trust evaluation module, which takes environmental, behavioral and historical information as input and uses fuzzy logic inference to evaluate the comprehensive trustworthiness of the access in real time. The decision module calculates a trust threshold based on the visitor's request mode and access target, and compares the comprehensive trustworthiness with this threshold to implement dynamic access authorization. By simulating an access scenario with multiple nodes, the detection rate of malicious access by the access control engine is measured. The results show that the scheme can effectively screen out malicious access.

(3) For the data leakage problem during communication between the authorized client and the server, this thesis proposes a communication scheme based on re-encryption. According to the security level of the transmitted data, encryption schemes with different security capabilities are adopted: the low security level uses an ordinary re-encryption scheme, which prevents malicious gateways from directly stealing data; the high security level uses a conditional re-encryption scheme, which builds on the low level and further prevents collusion attacks between the gateway and a client. Experiments compared this scheme with other encryption schemes proposed in the literature and with the existing CoAP security protocol, DTLS; the results show that this scheme has the lowest computational overhead and the highest security.
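As an added illustration of the "authenticate first, then communicate" gate described in (1), not code from the thesis: the packet layout (method code, timestamp, nonce, identity, device id, HMAC-SHA256 tag), the shared-key assumption and the silent-drop policy are all constructed here for illustration, not the thesis's own format.

```python
import hmac
import hashlib
import struct

# Constructed example: a single-packet-authentication (SPA) gate in front of a
# CoAP server. Layout, key handling and policy are illustrative assumptions.
COAP_METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}
TAG_LEN = 32


def build_spa_packet(key, client_id, device_id, method_code, nonce, ts):
    """Client side: identity, device info, intended CoAP method, replay
    protection (nonce + timestamp) and an HMAC over all of it."""
    body = (struct.pack("!BQ", method_code, ts) + nonce
            + struct.pack("!B", len(client_id)) + client_id
            + struct.pack("!B", len(device_id)) + device_id)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGate:
    """Server side: requests are answered only after a valid SPA packet;
    invalid or unauthenticated traffic is dropped without any reply."""

    def __init__(self, keys, max_skew=30):
        self.keys = keys            # client_id -> shared key (assumed pre-provisioned)
        self.max_skew = max_skew    # accepted clock skew in seconds
        self.seen_nonces = set()    # replay protection
        self.authenticated = {}     # client_id -> method announced in SPA

    def verify(self, packet, now):
        if len(packet) < 9 + 16 + 2 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        method_code, ts = struct.unpack("!BQ", body[:9])
        nonce, cl = body[9:25], body[25]
        client_id = body[26:26 + cl]
        dl = body[26 + cl]
        if 27 + cl + dl != len(body):
            return False                      # malformed length fields
        key = self.keys.get(client_id)
        if key is None or method_code not in COAP_METHODS:
            return False
        if abs(now - ts) > self.max_skew or nonce in self.seen_nonces:
            return False                      # stale or replayed packet
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return False                      # forged or tampered packet
        self.seen_nonces.add(nonce)
        self.authenticated[client_id] = COAP_METHODS[method_code]
        return True

    def handle_request(self, client_id, method):
        """Respond only to an authenticated client using its announced method."""
        if self.authenticated.get(client_id) != method:
            return None                       # silent drop: no response at all
        return "2.05 Content for %s from %s" % (method, client_id.decode())
```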