In most of Internet of Things (IoT) deployments, intermediate entities are usually employed for efficiency and scalability reasons. These intermediate proxies break end-to-end security when using event the state-of-the-art transport layer security (TLS) solutions. In this direction, the recent object security for constrained RESTful environment (OSCORE) has been standardized to enable end-to-end security even in the presence of malicious proxies. In this article, we focus on the key establishment process based on application-layer techniques. In particular, we evaluate the Ephemeral Diffie-Hellman over COSE (EDHOC), the de facto key establishment protocol for OSCORE. Based on EDHOC, we propose CompactEDHOC, as a lightweight alternative, in which negotiation of security parameters is extracted from the core protocol. In addition to providing end-to-end security properties, we perform extensive evaluation using real IoT hardware and simulation tools. Our evaluation results prove EDHOC-based proposals as an effective and efficient approach for the establishment of a security association in IoT constrained scenarios.

JRC.E.3-Cyber and Digital Citizens' Security