IEEE-International Conference on IoT and its Applications (ICIOT-2017)
USING SYMMETRIC AND ASYMMETRIC CRYPTOGRAPHY
TO SECURE COMMUNICATION
BETWEEN DEVICES IN IoT
Michelle S Henriques
Departmentof Computer Engineering
Goa College of Engineering
Farmagudi- Goa, India
michhenr88@gmail.com
Abstract—Internet of Things (IoT) allows the interconnection
of computing and sensing devices over the Internet, allowing them
to send and receive data. The applications of IoT range from Smart
Home to Wearable devices. An IoT system has high security
requirements, owing to the critical and sensitive nature of the
information exchanged between devices. In this paper, a schematic
consisting of Asymmetric and Symmetric cryptography is defined to
secure the communication between the devices in an IoT system.
The combination of both Symmetric and Asymmetric cryptography
reduces encryption time in preference to simply using an
Asymmetric cryptographic algorithm. The use of random keys for
Symmetric encryption each time solves the issue of session-key
distribution and strengthens the symmetric encryption approach.
Keywords—Cryptography; Encryption; Internet of Things
(IoT); Security;Vigenere;
I. INTRODUCTION
The term “Internet of Things” (IoT) is the concept of
communication (i.e. data exchange) between objects, having
sensing or computing capabilities or both, over the internet. It
allows devices with the above-mentioned capabilities,
generally embedded in everyday objects (such as an air
conditioner, lamps, etc.), to be controlled as well as
communicate over the internet.
The applications of IoT are far reaching. As the scope of
human-to-human interaction or human-to-computer
interaction is minimum or zero or would require no more than
a one-time setup, IoT has applications ranging from wearable
devices to self-parking automobiles to Smart homes.
IoT involves accessing, monitoring and controlling various
sensors and devices over the internet. As these types of sensor
based networks become enormously popular and widespread
in various domains, it is fundamental to provide the adequate
level of protection against cyber-attacks for the users.
As the communication between devices in an IoT system has
very sensitive and critical data, the security requirements for
any IoT-based system are high. Some of these security
requirements include authentication, both at user and device
level, and secure (encrypted) communication between the
devices.
ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
Prof. Nagaraj K. Vernekar
Department of Computer Engineering
Goa College of Engineering
Farmagudi- Goa,India
nv@gec.ac.in
II. RELATED WORK
[1] The Open Web Application Security Project (OWASP) is
a worldwide not-for-profit charitable organization focused on
improving the security of software. The mission is to make
software security visible to facilitate both individuals and
organizations to make informed decisions.
As per the OWASP Internet of Things (IoT) Project, IoT
attack areas are as follows:
 Insecure Web Interface
 Insufficient Authentication/Authorization
 Insecure Network Services
 Lack of Transport Encryption
 Privacy Concerns
 Insecure Cloud Interface
 Insecure Mobile Interface
 Insufficient Security Configurability
 Insecure Software/Firmware
 Poor Physical Security
[2] described the study titled “How safe are home security
systems? – An HPE study on IoT Security” by Hewlett
Packard Enterprise Security (HPE). This research reviewed and
performed security testing on ten off-the-shelf IoT-based home
security systems by HPE using HPE Fortify on Demand. HPE
Fortify on Demand is a tool used for Application Security
Testing. Standard techniques to test the IoT systems, which
combines manual security testing and use of automated tools.
The systems were assessed based on OWASP Internet of
Things Top 10 Project and the specific vulnerabilities
associated with each top 10 category. A host of vulnerabilities
were uncovered. Some of the vulnerabilities are listed as
follows: -
 100 percent allowed the use of weak passwords
 100 percent lacked an account lockout mechanism that
would prevent automation attacks
 100 percent were vulnerable to account harvesting,
allowing attackers to guess login credentials and gain
access
 IEEE-International Conference on IoT and its Applications (ICIOT-2017)
 Four of seven systems that had cameras, gave the owner
the ability to grant video access to additional users,
further exacerbating account harvesting issues
 Two of the systems allowed video to be streamed
locally without authentication
 A single system o ered two-factor authentication
The results for the ten devices were very similar and
provided a good indicator of the current market status
with respect to security and the IoT.
[3]proposed various Encryption and Hash algorithms,
aiming to enhance the security in Smart Home Systems. The
algorithms proposed in the paper were aimed at secure
communication between the devices in the IoT System.
Existing algorithms such as RC-5, Skipjack, and AES to ensure
security within the network. A modified hash algorithm based
of RC4 is discussed and its performance is measured against
existing hashing algorithms.
[4] define security requirementsand functions for the Smart
Home service. A Smart Home system was defined to be
consisting of a home server, a home gateway, and smart home
devices. A security feature was defined for each components of
a smart home in an IoT environment. The security
requirements and functionsproposed were based on the
principles of Integrity, Confidentiality, and System
Availability.
[5]presents an analysis of the main challenges and security
threats present in Smart Home networks. The results of the
analysis were then used to draw the fundamental requirements
needed for providing secure and confidential operations in
Smart Homes. The paper discussed in detail the technologies
composing a smart home i.e. applications, devices, operating
systems, and communication protocols. It discussed the main
challenges present in securing smart homes. The security
threats present in the communication protocols were illustrated
with case studies and defense strategies. Countermeasures were
discussed along with the security requirements of Smart
Homes.
[6]presented an approach to incorporate security in a IoT
based Smart Home System, with the aim of keeping the user
convenience and experience unhampered.The paper described
the design and prototype implementation of a Wi-fi based IoT
Smart Home system consisting of IoT devices (sensors,
actuators, equipment) connected to the Home Gateway over the
Home network. The user device (android based smartphone),
used to access and control the system, was connected to the
Home gateway over the internet. The Home gateway enabled
secure communication between the IoT devices, and allowed
the user to access, configure, and control the system via the
user interface. The base of the implementation was the AllJoyn
framework. It is an open source IoT framework, capable of
supporting multiple devices and operating systems and has
various libraries from cryptography (ECC, AES, etc.).
[7]aimed at IoT Security Technology, with a detailed view
of Privacy protection technology. A privacy protection scheme
for IoT was designed for remote health care system. The
ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
hardware and software design of the security system of an IoT-
based Smart Home system with the application of basic
security measures, privacy protection technologies, and the
implementation of intrusion prevention and malicious code
precaution technologies to enhance the security of the system.
[8] described various IoT technologies such as Wireless
Sensor Networks (WSN), and Radio Frequency Identification
Technology (RFID) and defined in detail the various type of
security attacks on the two technologies.
[9] described the privacy and security challenges for IoT.
Current cryptographic models, schemes, and implementations
such as Advanced Encryption Standard (AES), Elliptic Curve
Cryptography (ECC) are described with their functionality and
the both the advantages and disadvantages. The need for more
flexible cryptographic suites is highlighted.
III. SYSTEM OVERVIEW
The configuration of an IoT based system is as shown in
Figure 1. The system typically consists of IoT devices, a
gateway, the server and the User device(s). The IoT devices
are generally sensors, actuators, or devices with computational
capabilities. These devices sense information within the
system or are monitor or access various parts of the system.
The IoT devices are connected to the gateway over the
internal/home network. The gateway acts as a relay of the IoT
devices to the User and the Server. The Server acts as a
repository for the information collected by the IoT devices as
well as for transmission over the internet. The User device
provides the interface for the user to monitor, access and
control the system remotely over the internet. [4]
Figure 1 - Configuration of an IoT System
IV. PROPOSED WORK
The Proposed Technique in this paper caters to the
communication within the IoT system(Intra-network) i.e. the
communication between the Gateway and the IoT devices.
The aim is to secure the communication within the network
and make it resilient to attacks. The proposed method is a
combination of Symmetric and Asymmetric cryptographic
techniques for transmission of data within the IoT networki.e.
for Intra-Network security.Symmetric-key algorithms are
 IEEE-International Conference on IoT and its Applications (ICIOT-2017)

cryptographic algorithms that use the same cryptographic keys

for both encryption and decryption. Asymmetriccryptography
uses pairs of keys: public keys, which are publicly available to
everyone, and private keys, known only to the owner. For
encryption, the public key of the receiver is used, whereby the
receiver, who is only the holder of the paired private key can
decrypt the message encrypted with the public key. For the
proposed technique, the symmetric cryptographic algorithm
used is a modified version of the Vigenere Cipher. The
Asymmetric cryptographic algorithm is the RSA Algorithm.
The steps in the proposed technique at the sender end are as
follows: -
1) Obtain the current timestamp.
2) Generate a random key K using the current timestamp. Figure 3 : Receiver's end
3) Obtain the data P to be transmitted.
B. Modified Vigenere Cipher
4) Use the modified Vigenere Cipher to encrypt the data
Pusing the random key K, obtaining ciphertext C. The Vigenere Cipher is a polyalphabetic substitution cipher. It
5) Obtain the public key Pk of the receiver. is a method of encrypting text using a series of interwoven
6) Use RSA Algorithm to encrypt the random key K, Caesar ciphers based on the letters of the keyword [10]. The
obtaining the encrypted Key E. Algebraic description for Encryption and Decryption using
Vigenere Cipher is as follows: -
7) Concatenate the encrypted key E and the ciphertext C,
obtaining messageM =E + C to be transmitted.
Let N be the number of characters in the alphabet.
8) Transmit message M to the receiver
Let the characters of the alphabet in order be represented
numerically as 0 – (N-1)
For a key K of size m, encryption E using the Vigenere cipher
is as follows: -
Ci = Ek (Mi) = (Mi + Ki) mod N
Decryption D using key K is as follows:
Mi = Dk (Mi) = (Ci + Ki) mod N
Where M = M1 M2 … Mn is the message of length n
C = C1 C2 … Cn is the ciphertext
K = K1 K2 … Kn is the key obtained by repeating
[n/m] times, where m is the length of the key.

The modified Vigenerealgorithm for Encryption is as follows:

1) Let P be the plaintext message.
2) Let N be the count of characters in the alphabet
3) Generate a random key K by using the timestamp and
Figure 2 : Sender's end alphabets.
4) Pick a value randomly amongst 0 and 1. This value is
The steps at the Receiver’s end are as follows: -
the Randomizing Factor R.
1) Receive messageE + Cfrom the sender. 5) If the value of the Randomizing Factor is 0, then the
2) Split the message into two parts :- the encrypted key E message is encrypted by the normal Vigenere cipher
and the Ciphertext C. method.
3) Use RSA to decrypt E using own private key, obtaining C[i] = (P[i] + K[i]) mod N
random key K. 6) If the value of the Randomizing factor is 1, the do the
4) Use the modified Vigenere Cipher to decrypt the following: -
ciphertext C using the random key K, obtaining plaintext a. Generate a number I amongst 2, 3 and 5.
message P. This value will be the Randomizing IndexI.
b. Perform encryption as follows: -
i. Iteratei over the length of the
plaintext message.

ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
 IEEE-International Conference on IoT and its Applications (ICIOT-2017)
ii. If i is divisible by I, then
encryption is done as follows:
C(i) = [P(i) - K(i)] mod N
iii. Else, encryption is done as follows:
C[i] = (P[i] + K[i]) mod N
The Randomizing FactorR and the Randomizing indexI are
concatenated at a fixed position, either at the start or end of the
encrypted message. These values are essential for decryption.
The modifiedVigenere algorithm for Decryption is as follows:
1. Let V be the message received (without the
Random Key K) consisting of the Randomizing
Factor R, the Randomizing IndexI, and the
Encrypted Message C.
2. Let N be the count of characters in the alphabet.
3. Obtain the Random KeyK.
4. Check the Randomizing FactorR.
a. If the value isF, then normal Vigenere
decryption is used.
b. If Value is T, then the next character
gives the RandomizingIndexI.
5. If the value of the Randomizing Factor is F,
perform decryption as follows.
C[i] = (P[i] - K[i]) mod N
6. If the value of the Randomizing Factor is T, the
do the following: -
a. Let I be the randomizing index.
b. Perform decryption as follows: -
i. Iteratei over the length of the
plaintext message.
ii. If iis divisible by I, then
decryption is done as follows:
C(i) = [P(i) + K(i)] mod N
iii. Else, decryption is done as
follows:
C[i] = (P[i] - K[i]) mod N
C. RSA Algorithm
RSA stands for Ron Rivest, Adi Shamir and Leonard
Adleman. RSA is an asymmetric cryptographic algorithm. It
involves two types of keys – A public key and a private key.
The public key is known to all and is used to encrypt
messages. The private key is known only to the owner.
Messages encrypted using the public key can be decrypted
using the private key. [11]
D. Random Key generation
The Random Key is generated using the timestamp as a seed.
The Key generation is done sequentially using a combination
of mathematical functions chosen randomly. These functions
include additive and multiplicative operations.
ISBN: 978-93-84893-49-4
(Organized by School of Computing [IT, CSE & MCA], E.G.S Pillay Engineering College, Nagapattinam)
V. CONCLUSION AND FUTURE WORK
This paper proposes a technique comprising of Symmetric
and Asymmetric cryptography to secure the communication
within an IoT system. The combination of Symmetric and
Asymmetric cryptography reduces encryption time compared
to using Asymmetric cryptography alone. As a random key is
generated for each communication, and is generated using the
current system timestamp as the seed, there is no relation
between the keys. This makes the communication more secure
and tolerant to attacks. It also solves the problem of
distribution of Session-keys. The amount of plaintext
encrypted is small, and as stated above, there is no relationship
between the keys. This ensures the security of the scheme.
The proposed system can be further enhanced to include a
multiplicative element in the modified Vigenere cipher. This
will increase the security of the cipher. Additional
enhancements can be done to ensure authentication of the
sender to the receiving device. Asymmetric algorithms such as
Elliptical Curve Cryptography (ECC), etc. can be used for
encrypting the random key for each communication. Hashing
techniques can be used to ensure message integrity.
REFERENCES
[1] https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Te
n_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
[2] HP Study on IoT Home Security Systems,
http://go.saas.hpe.com/l/28912/2015-07-
21/32bhy5/28912/69170/IoT_Home_Security_Systems.pdf
[3] B.Vinayaga Sundaram; Ramnath.M ;Prasanth.M ;Varsha Sundaram.J,
“Encryption and Hash based Security in Internet of Things” 2015 3rd
Interational Conference on Signal Processing, Communication and
Networking (ICSCN)
[4] Jin-Hee Han; YongSung Jeon; Jeongynyeo Kim,“Security
Considerations for Secure and Trustworthy Smart Home System in the
IoT Environment” 2015 International Conference on Information and
Communication Technology Convergence (ICTC)
[5] C. Lee, L. Zappaterra, Kwanghee Choi and Hyeong-Ah Choi, "Securing
smart home: Technologies, security challenges, and security
requirements," 2014 IEEE Conference on Communications and Network
Security, San Francisco, CA, 2014, pp. 67-72.
[6] Freddy K Santoso ; Nicholas C H Vun “Securing IoT for smart home
system” 2015 International Symposium on Consumer Electronics
(ISCE), 24-26 June 2015
[7] Cuihua Tian, Xuhui Chen, Di Guo,Jinhua Sun,Ling Liu*, Jiangshui
Hong” Analysis and Design of Security in Internet of Things”, in 2015
8th International Conference on BioMedical Engineering and
Informatics (BMEI 2015)
[8] MdHusamuddin,Mohammed Qayyum,”Internet of Things :A Study on
Security and Privacy Threats”, in 2017 2nd International Conference on
Anti-Cyber Crimes (ICACC)
[9] Nicolas Sklavos I, III, I. D. Zaharakis,”Cryptography and
Security in Internet of Things (IoTs) : Models, Schemes and
Implementations”, in2016 8th IFIP International Conference on
New Technologies, Mobility and Security (NTMS)
[10] Vigenere Cipher,
https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
[11] RSA ,”https://en.wikipedia.org/wiki/RSA_(cryptosystem)”