Security and Privacy issues of IoT at Fog layer architecture

Internet of Things (IoT) based applications and systems have gained attention in recent years because of benefits such as efficient utilization of resources, enhanced data collection, improved security, reduced human effort and reduced time. Securing sensitive data in IoT based fog environments is essential to prevent attackers from misusing it. In this study, we present an improved hybrid algorithm termed HQCP-ABE (Hybrid Quantum key Cipher text Policy Attribute based Encryption with Cipher text update) that integrates highly effective algorithms such as CP-ABE, cryptography and cipher text update. The proposed algorithm eliminates the need for costly pairing during decryption and efficiently performs data encryption, decryption and user authorization. The proposed protocol is demonstrated to be highly efficient in terms of encryption and decryption compared to other existing methods. It also achieves lower packet loss, reduced control overheads, reduced computational overhead during encryption and decryption, lower delay, and improved security, packet delivery ratio, throughput, network lifetime with limited bandwidth, and user privacy. We further consider energy consumption in this study. The proposed HQCP-ABE method is demonstrated using ns3 simulation and compared with the existing CP-ABE and PA-CPABE methods.


Introduction:
In recent years, the substantial development of Internet of Things (IoT) technology and the growing number of internet users have enabled a large number of users to create, transmit and save massive amounts of data and sensitive information. IoT based systems have attracted considerable attention across the globe for furnishing solutions to several real-time applications in healthcare, smart grid, agriculture, industry, home, transport and many more. Any conventional device or appliance can be turned into a smart IoT based device by enabling inter-communication protocols and internet connectivity [1]. To provide a higher level of service quality, data received from the IoT devices is forwarded to a centralized location and treated as per the application requirements. Managing vast amounts of data for transfer and processing through cloud computing has resulted in various problems, namely increased response time and delayed services. Further, to meet the demand for real-time data transfer and processing created by the increased number of IoT applications, the need for IoT is significantly increasing [2]. Fog computing emerged as a computing model for data handling by directing near field communication with sensors. Since fog computing employs near field communication, the response time of the model is quicker and the number of sensors assigned to a device is lower compared to cloud computing [3][4][5]. Fog based IoT is an innovative and remarkable communication technology solution that offers services with unchanging network bandwidth, portability assistance, reduced latency and location recognition. Fog based communications also offer reliable and trustworthy solutions that bring fog resources and services close to the users and further support the use of the resources and services available at the network edge [6]. Fog computing considers data transfer and utilization as significant.
Similarly, data transfer and access for a legitimate user are most important. Therefore, data security [7] is a demanding requirement for protecting sensitive information, specifically in today's advanced communication technology and innovative trends such as fog based IoT networks. But various issues breach data privacy during data transmission and storage. These challenges pose a great threat to the security of sensitive information. Similarly, the transmission of sensitive information through insecure mediums in fog based IoT networks is an issue [8] that has to be addressed immediately.
Various encryption techniques were presented earlier for the data transmission and storage functional areas, and they are categorized into partial or complete encryption methods. Encryption methods either completely or partially encrypt data through conventional block cipher methods, namely AES and DES, or through stream cipher methods. Cipher-text Policy attribute based encryption (CP-ABE) is identified as an effective encryption technique for outsourced data [9]. Though CP-ABE offers higher flexibility and scalability in establishing secure data access control for outsourced data, it suffers from a major issue called revocation management. Various CP-ABE methods were proposed to resolve the revocation problem. The proxy re-encryption technique has been identified as an effective method [10] to resolve the revocation problem in CP-ABE. The proxy re-encryption (PRE) method delegates the re-encryption function to a semi-trusted proxy and decreases the costs of revocation and policy updates, but creates more overheads for data owners. To resolve the challenges in the PRE methods, more specifically in handling sensitive information in internet based environments, the Quantum information processing method [11] plays a significant role. Quantum Cryptography aims at transmitting quantum information through open channels. This method has attracted considerable attention among researchers. So, in this paper, we investigate the issues in the conventional approaches by presenting a hybrid approach to improve data security and user privacy and to improve the network lifetime while utilizing limited bandwidth.
Furthermore, we evaluate the feasibility and convergence of our proposed hybrid approach through simulations and experimental trials.
The main contributions of this research study can be summarized as follows:
(i) To provide higher accuracy in sensitive data protection and data confidentiality, we formulate a hybrid approach termed HQCP-ABE (Hybrid Quantum key Cipher text Policy Attribute based Encryption with Cipher text update), which is an integration of three conventional, well-known approaches: CP-ABE, Quantum key Cryptography and the extension method of CP-ABE, cipher-text update [12]. The proposed hybrid method overcomes all the drawbacks in CP-ABE, the cipher-text update process and Quantum cryptography schemes, provides effective encryption and decryption of valuable data, and guarantees data security and confidentiality.
(ii) The formulated hybrid approach HQCP-ABE solves the problem in the cipher-text update process by integrating the Quantum cryptography method. It avoids the costs incurred by bilinear pairing operations during decryption in the cipher-text update process.
(iii) The incorporation of cipher-text update and a computation outsourcing scheme in the hybrid algorithm satisfies other needs of data owners who would like to authorize some other users to update the encrypted data. Similarly, the addition of the Quantum key Cryptography method in the hybrid algorithm takes over the major computing processes for encryption, decryption and user authorization.
The rest of this study is arranged as follows. The related studies are reviewed in Section 2. Section 3 describes the system overview and model for our proposed system and the key approaches used. Section 4 presents the security driven HQCP-ABE approach. Section 5 discusses the algorithm constructions for our proposed system. Section 6 discusses the analysis of security. Simulation results and discussions are presented in Section 7. Finally, we conclude this study in Section 8.

Related Works
The

PRE based methods for Secure Fog communications:
To resolve the issues in ABE methods, Proxy re-encryption can be used as an constructed a systematic cryptographic interpretation to ensure increased security for establishing communication among fog to things using Proxy re-encryption.
To address the challenges related to privacy and security, different security methods have been used for transmitting, storing and retrieving data in fog computing. But these methods can result in larger computational overheads, control the validity of devices, and show consequential latency for time-sensitive applications which require a response. This method is not ideal for real time IoT scenarios. This method uses quantum entangled states, XOR operation, hash function and gray code for reliable and trustworthy communication.

Quantum Cryptography based methods for
The approaches discussed above aim to secure sensitive information using various techniques. These approaches would be more efficient if they were integrated into a hybrid approach which ensures higher security and data confidentiality. Hence, in this study, we propose a hybrid approach called HQCP-ABE by integrating the well-known CP-ABE, CP-ABE with cipher-text update and Quantum cryptography with a one time pad (OTP) mechanism.

System Overview
The system overview of our proposed scheme is shown in Fig. 1. It consists of controlling attributes, a control server (cloud), fog nodes, data owners and users.

1) Controlling of Attributes:
The controlling attributes entity is completely trustworthy and is responsible for producing the system parameters and the secret key for every user.

2) Control Server:
The control server provides an online storage service and is a semi-trusted device. Signature verification and cipher-text updating are performed by the control server.

3) Fog node:
The fog nodes placed at the network edge provide a number of services. They are responsible for generating cipher-text and transferring it to the control server. They also decrypt the cipher-text for users. Further, they help end users sign the cipher-text update request.

4) Data owner:
The data owner is responsible for uploading IoT things information to the cloud server. It sets the access and update policies used for generating the entire ciphertext with the fog nodes.

5) User:
Users connected to the fog nodes include IoT devices such as smart meters, smart cameras and medical sensors. Because IoT devices have limited storage and computation ability, fog nodes provide the necessary assistance for accessing cipher-text saved in the control server. If the attribute set provided by the user satisfies the access policy in the cipher-text, the user is allowed to decrypt the data. If a user wishes to alter the data and re-encrypt it after accessing it, the control server regenerates the stored cipher-text for the user only if the user's attribute set satisfies the update policy in the cipher-text.

Preludes and Descriptions:
i. Bi-linear mapping: Assume and as two product categories that are prime . A bi-linear map can be defined as a function, : → and contain the characteristics as follows:

3.
Generating ability: If is assumed as a generator of , then ( , ) will also be considered as a generator of 1 .

System initialization and setup of the certifying authority
The System initialization setup ( ) ., CC requests to select system parameters. The authorized security parameters as the security variable for input and produces public key PU key and the master key MS key as output. The authority for certificate starts the system using the ℎ algorithm as follows: The above statement considers parameter measures as inputs and delivers the system master key MS key , public variables PS along with a signature pair and a verifying key ( ℎ , ℎ ) as outputs.

(ii) Registering the users:
The users in the fog system forward their identification information to the certifying authority ℎ. Executes the algorithm: .

(iii) Registering authorized attributes:
Every authorized attribute forwards their identification information to the ℎ to get their unique identification, .
(iv) Setting up authorized attributes ℎ : The received outputs namely SEC key = ( , , ), PU key = (k( , ) , 1/ , / ) are the authority keys namely secret and public keys that belong to ℎ and { = , PU key = ( ) )} are the public and secret version keys for every attribute monitored by ℎ .

System Definition
The HQCP-ABE model contains various stages and algorithms as described below:

Stage 1: System initialization and setup
i) _ ( ).The authorized attribute considers as the security variable for input and produces public key PU key and the master secret key MS key as output.

Stage 2: Generation of Keys
ii) GenOfKey(PU key , MS key , ). The authorized attribute considers as the PUBK, MS key , attribute set as inputs and produces SEC key , secret key for the user as the output. Further, it will send the re-distribution key, SEC key ʹ to the fog nodes.

Stage 3: Session Key generation using Quantum Cryptography
The QKM uses a one-time pad (OTP) mechanism, in which the properties of the session key determine the data security. The kernel of a conventional Quantum Random Number Generator (QRNG) determines the quality of the random numbers produced. Moreover, it is prone to correlation over extended periods and could fail localized randomness testing. To avoid such defects, a quantum random number generator based on arrival time is employed for generating random numbers. The session key is generated using the QRNG. Algorithm 1 generates the keys for encryption and decryption for users and CC, respectively. Moreover, it encrypts the data consumption and generates an on each encrypted value using Quantum key management. the PU key , MS key , attribute set as inputs and produces SEC key , a secret key for the user as the output. Further, it will send the re-distribution key, SEC key ʹ to the users.

Stage 4: Design of Quantum Key encryption algorithm:
 The Quantum key-based cryptographic algorithm utilizes a one-time pad (OTP) mechanism that needs the same length of plaintext, Ciphertext, and the key. In this study, a stream cipher-based algorithm is presented. The plaintext size is broken up into various length sequences, which is the same as the keys' length. Considering the first bit of the sequence || || || .it generates a permutation matrix and session key 0 . To ensure enhanced security to authorize identities once establishing the data communication, the key generating model, GenOfKey(PU key , MS key , ), utilizes a session key to update secret = [ 1 , 2 , … , ].which is key generated by QRNG is Hence, every is utilized to protect against impersonation attacks. The addition of the check code can decrease the communication rejection created by the channel noise. The regular sequence can be broken up into four portions, namely , , , . Employ to retrieve 0 ′ from .where N is the authentication sequence generated using XOR of and L, which is If a difference is found among ′ and Evaluate the check code option, and if one error is noted in the stated sequence, the data communication is allowed. Hence, the data communication is authorized if it satisfies the following conditions: a.
If complements with key sequence, will not match but compared to , ′ will contain two varying bits alone where there will not be any fault identified, the key will be placed in . b. If complements with key sequence, will not match but compared to . ′ will contain one varying bit alone where there will be fault identified, the key will be placed no faults in .
where we consider that if 1 = 0, ℎ 0 = 1, 0 = 0. b) The plaintext contains bit that is broken up into data bit fragments. If the length of the final sector is lesser than , the same will be filled up with zero. c) Build a permutation matrix as per the ascending order of . If the starting bit of the variable is zero, the last permutation matrix is and  The user considers PU key , partial signature PART sig ′ and a global key key as inputs and delivers the signature PART sig as a result.

v)
Key Stability Check (PU key , PART sig , key ) The user considers the public key PU key , global key key and signature PART sig as input parameters if the key satisfies the key stability check conditions. If the condition gets satisfied, it generates output as 1 else it outputs a 0.

vi) Track (PU key , PART sig , key )
If the key stability check conditions get satisfied, it considers the public key PU key , global key key and signature PART sig as input parameters and produces user identity id , otherwise it produces a defeat symbol, ȡ.

Traceability Model:
To prove the traceability of the proposed mechanism, a game theory has been considered that gets executed between a challenger and an opponent.  The key conditions of the key stability checking model outputs 1 if it is satisfied, else it outputs zero.

Algorithm for Tracking:
Track(PU key , PART sig key * ) → id or ȡ. The trust center executes the algorithm. If the user key key fails to satisfy the conditions of key stability checking Key Stability Check(PU key , PART sig , key ) → 0, it produces an output ȡ, else it collects the identity data id from key of the user through the decrypt operation.

Security Model:
In this proposal, the fog nodes and cloud servers are assumed to be honest but curious. They together implement the tasks and could conspire to receive the

Security driven HQCP-ABE method for enhanced data security and user privacy:
In this study, to utilize the benefits of achieving higher levels of security and user privacy, we combine the Cipher-text key policy attribute-based encryption, Quantum key cryptography method also establishes the overall system decryption precisely. We also measured the energy consumed by the proposed method during the encryption and decryption processes to present an energy efficient model.  to them alone. The sender performs the encryption operation by taking as input the attribute sets for every authority, the information or message to be transmitted and the system public key, and outputs the cipher-text. The receiver side performs decryption by taking the cipher-text as input. It uses the decryption keys for the attribute sets and produces the information or message as output, available to all authorized users on the receiver side. Hence, better security for data and user privacy can be achieved using the proposed HQCP-ABE approach.

ALGORITHM CONSTRUCTIONS:
Due to the resource limitations of IoT devices, fog computing primarily focuses on reducing the computational complexity and overheads of the system. Initially, we present fine grained access control with an effective cipher-text update method using quantum cryptography with the OTP mechanism and CP-ABE. In this scheme, only legitimate users whose attributes satisfy the access policy are able to decrypt the cipher-text. Similarly, only users whose attributes satisfy the update policy are able to update the cipher-text. Further, we establish a security aware, energy efficient re-distributable construction that redistributes many encryption, decryption and signature calculations from the target IoT devices to the fog nodes. The algorithm construction is explained below:

(ii) Generation of Keys
Secondly, the authorized attribute ℎ executes GenOfKey algorithm to choose arbitrary value ∈ , a distinct secret key allocated to every user.
Further, every authorized attribute ℎ arbitrarily selects ƛ ∈ and another arbitrary value, for every attribute, ∈ , where indicates the user's attribute set. This assumption generates a re-distributable key along with a secret key.
(iii) Data encryption using Quantum cryptography: The data owner initially selects a random key, ∈ prior to data upload process to the cloud service provider for the data dat along with using quantum encryption which can be written as = (dat). Further, the data owner introduces the access policy along with the update policy and forwards to the fog nodes. Then, the fog nodes execute the quantum encryption algorithm to establish the re-distributable algorithm. For every node in the , the fog nodes select a polynomial . The polynomial is selected in a top-down fashion starting from the root node . For every node in the access policy tree , fix a degree for the polynomial as lesser than the fixed threshold ℎ of that particular node. Hence, = ℎ -1. The quantum key algorithm selects randomly and fixes (0) = ( ) (index(y)) and selects points arbitrarily to entirely define .
Assume as the leaf nodes set in the access policy tree , the fog nodes produce partial cipher-text ′ as the output. Thus, Eventually, the fog nodes remit ′ back to the data owner. The data owner further executes the quantum encryption algorithm for the data owner explained above to choose arbitrarily and calculates (iv) Data decryption using Quantum cryptography: If the attributes of the user satisfies the access policy tree , such user can start the decryption of the cipher-text by executing the algorithm discussed below and get the Quantum cryptographic session key . Then, the fog nodes start to execute the quantum decryption algorithm discussed above to get the cipher-text from the cloud service provider. The decryption algorithm has been written for both the nodes with and without leaf where the former is a recursive algorithm which has to be executed initially. The quantum decryption algorithm considers the cipher-text , SEC key ′ and a node from the access policy tree as an input.
Hence, (dat) has been decrypted using by applying the quantum decryption algorithm.
(v) Cipher-text update process: After altering the decrypted data, the fog user encrypts the altered data again as explained in the quantum data encryption stage and signs the cipher-text update request using the user's attributes. If the attributes of the fog user present in the signature fulfil the cipher-text update policy, , the cloud service provider authorizes the cipher-text to be updated.
The user forwards a request along with the cipher-text update policy, to the fog nodes. They execute the fog signature algorithm to establish redistributable signing feature. For every node present in the cipher-text update policy, , the fog nodes select a polynomial . The polynomial has been selected from the root node in a top-down fashion. Every node in the tree has been set to the degree ′ of the polynomial value as one lesser than the value of threshold ℎ ′ for that particular node, hence, ′ = ℎ ′ -1. The algorithm selects an arbitrary value r ∈ and fix up (0) = .
Further, it selects ′ other points of the polynomial value arbitrarily for defining them. It sets up (0) = ( ) ( ( )) and selects the ′ other points arbitrarily to entirely define . Assume as the leaf node set in the cipher-text update policy, , the fog nodes deliver the global key key as the output.
For every attribute, ℎ ∈ , the fog nodes arbitrarily select ℎ ∈ and calculate using ′.
(a) If ℎ ∈ ⌒ , it calculates as: (b) If ℎ ∈ / ⌒ , it calculates as: Further, the fog nodes arbitrarily choose ƛ ∈ and produces ′ the partial signature as the output.
The fog nodes produce back ′ to the user. Further, the user executes the user signature algorithm to arbitrarily choose µ ∈ and calculate 1 = 1 ′ . 2 (REQ) ƛ .F, 2 = 2 ′ . m µ . Eventually, the user produces the signature as the output.
= ( REQ, 1 = 2 (REQ) ƛ+µ . m ( + ) , 2 = m (ƛ+µ) , 3 (14) If the user attributes fulfils the cipher-text update policy which is saved in the first cipher-text, the cloud service provider verifies the signature of the user by executing the verification algorithm. The cloud service provider considers to execute the VerificationNode algorithm which is a recursive algorithm. This algorithm considers the signature , the global key key , node from the updating tree as inputs.
Upon the cipher-text update, the proposed system undergoes two theorems: one for traceability and another for key stability checking as discussed in [39].
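The top-down polynomial assignment described in steps (iii) and (v), where each node's polynomial has degree one less than its threshold and each child receives the parent's polynomial evaluated at the child's index, is threshold secret sharing over the policy tree. The following added example (not the paper's code) shows sharing and recovery in a plain prime field; the modulus, the `Node`/`gate` helpers and the sample policy are assumptions, and the pairing-group exponentiation and key material of the real scheme are left out.

```python
"""Threshold secret sharing over an access-policy tree (CP-ABE style sketch)."""
import secrets

# Assumed prime field modulus (2^127 - 1 is prime); stands in for the group order.
P = 2**127 - 1


class Node:
    """Interior node = k-of-n threshold gate; leaf = a single attribute."""
    def __init__(self, threshold=None, children=(), attribute=None):
        self.threshold = threshold
        self.children = list(children)
        self.attribute = attribute


def leaf(attribute):
    return Node(attribute=attribute)

def gate(k, *children):
    if not 1 <= k <= len(children):
        raise ValueError("threshold must be between 1 and the number of children")
    return Node(threshold=k, children=children)

def AND(*children):          # n-of-n gate
    return gate(len(children), *children)

def OR(*children):           # 1-of-n gate
    return gate(1, *children)


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(node, value, path=(), out=None):
    """Top-down: q_node(0) = value, deg(q_node) = threshold - 1, and the child
    with index i is assigned q_node(i). Returns {leaf_path: (attribute, share)}."""
    out = {} if out is None else out
    if node.attribute is not None:
        out[path] = (node.attribute, value)
        return out
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for index, child in enumerate(node.children, start=1):
        share(child, _eval_poly(coeffs, index), path + (index,), out)
    return out


def _lagrange_at_zero(points):
    """Interpolate f(0) mod P from (x, f(x)) pairs with distinct x."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover(node, leaf_shares, attrs, path=()):
    """Bottom-up: return q_node(0), or None when `attrs` does not satisfy the
    subtree. In the real scheme a leaf share is only usable through a key
    component for that attribute; here the `attrs` check models that."""
    if node.attribute is not None:
        return leaf_shares[path][1] if node.attribute in attrs else None
    points = []
    for index, child in enumerate(node.children, start=1):
        value = recover(child, leaf_shares, attrs, path + (index,))
        if value is not None:
            points.append((index, value))
        if len(points) == node.threshold:
            return _lagrange_at_zero(points)
    return None


# Constructed sample policy: (doctor AND cardiology) OR 2-of-3(nurse, ward7, on_shift)
POLICY = OR(AND(leaf("doctor"), leaf("cardiology")),
            gate(2, leaf("nurse"), leaf("ward7"), leaf("on_shift")))

if __name__ == "__main__":
    secret = secrets.randbelow(P)
    leaf_shares = share(POLICY, secret)
    for attrs in ({"doctor", "cardiology"}, {"nurse", "on_shift"}, {"doctor", "nurse"}):
        print(sorted(attrs), recover(POLICY, leaf_shares, attrs) == secret)
```

Leaf shares are keyed by tree position rather than attribute name, so the same attribute can appear under several gates without its shares colliding.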

ANALYSIS OF SECURITY:
To achieve a higher level of security, we consider the quantum cryptography method with a one time pad mechanism. Hence, the proposed HQCP-ABE method is highly secure for establishing data communication in fog computing. The security properties of the proposed method can be analysed as follows: (i) Data privacy: Initially, the data is encrypted using the access policy tree and the cipher-text update policy, in order to guarantee data privacy against users who do not hold a set of attributes that satisfies the stated access policy. The fog node takes part in encryption calculations for users during encryption, but it cannot access the data because it lacks the secret key.
The attribute sets fail to satisfy the stated access policy for the cipher-text during decryption and therefore fog nodes or cloud servers are unable to retrieve the value = (m, m) so as to acquire the anticipated value since it will not have the knowledge about of the user. Hence, only users whose attributes are valid and fulfil the access policy are able to decrypt the cipher-text.
(ii) User authentication: The proposed scheme employs an attribute-based signature to realize the cipher-text update along with user authentication. Hence, an attacker who attempts to forge the signature required by the cipher-text update policy using his own attributes will not succeed. Assume as an attacker who attempts queries namely 1 , 2 , 0 , 1 , and h to the arbitrary oracles 1 , 2 , re-distributable key generating oracle, signature oracle and secret keys generating oracle. They together make a victorious counterfeit in opposition the proposed method.
(iii) Fine grained access control: This enables flexibility to specify various access rights for each user. To make use of this feature, we employ the HQCP-ABE method, which uses the quantum cryptography method. During the encryption stage, the data owner is allowed to use a flexible access policy, encrypt the data using quantum cryptography and re-distribute the cipher-text to the cloud servers. In particular, the access tree that carries the access policy of the quantum encrypted data supports intricate structures containing both OR and AND gates, which are capable of representing any desired attribute set. Hence, the proposed scheme achieves fine grained access control.
(iv) Resistance to Collusion: Colluding users combine what they hold in order to access data that they cannot access individually. They combine re-distributable keys and secret keys. In this proposed method, the authorized attribute produces secret keys for the various users. If more than two users who have dissimilar attributes merge with one another to fulfil the access policy, they are unable to calculate = (m, m) in the re-distributable decryption stage. Hence, the proposed method is resistant to collusion.

RESULTS AND DISCUSSIONS:
We have considered the existing approaches CP-ABE and Proxy aided CP-ABE (PA-CPABE) for comparison with the proposed model HQCP-ABE. We implement the given instantiation of the proposed HQCP-ABE so as to assess the performance of the proposed model. Similar to the PA-CPABE method, the proposed HQCP-ABE method does not require any secure channel for delivering the private keys during the decryption process, but all other existing approaches require secure channels for distributing the private keys to their end users in order to achieve enhanced security. We demonstrated the proposed model using the simulation parameters in Table I   to the signature algorithms discussed in [38] is shown in the Fig 4. The proposed approach achieves constant performance compared with that of the scheme in [38], with linearly increasing efficiency, by re-distributing a large number of computations to the fog nodes. Hence, this method can be utilized by resource limited IoT devices to carry out the signing operations.

Conclusions:
IoT based fog environments handle massive amounts of data, which requires rapid data analysis and security. Specifically, sensitive information has to be highly secured in order to ensure user privacy. Since data leakage has been a major issue in communication environments, choosing appropriate solutions that guarantee data security is vital. To overcome the challenges in the existing approaches and to ensure data security and user privacy, we present a hybrid algorithm, HQCP-ABE, which is a combination of three effective techniques, namely CP-ABE, cipher-text update and quantum key cryptography with an OTP mechanism. The presented hybrid algorithm avoids the costly pairing that occurs during the decryption operation. The proposed technique effectively performs encryption, decryption and user authorization operations. The results clearly indicate that the proposed HQCP-ABE method remarkably outperforms the other two methods in terms of increased throughput, reduced packet loss, reduced average delay, improved packet delivery ratio, and reduced computational and control overheads. Further, the proposed system is energy efficient as well, since it consumed less energy during the encryption and decryption operations.