Konrad-Felix Krentz (Uppsala University), Thiemo Voigt (Uppsala University, RISE Computer Science)

Object Security for Constrained RESTful Environments (OSCORE) is an end-to-end security solution for the Constrained Application Protocol (CoAP), which, in turn, is a lightweight application layer protocol for the Internet of things (IoT). The recently standardized Echo option allows OSCORE servers to check if a request was created recently. Previously, OSCORE only offered a counter-based replay protection, which is why delayed OSCORE requests were accepted as fresh. However, the Echo-based replay protection entails an additional round trip, thereby prolonging delays, increasing communication overhead, and deteriorating reliability. Moreover, OSCORE remains vulnerable to a denial-of-sleep attack. In this paper, we propose a version of OSCORE with a revised replay protection, namely OSCORE next-generation (OSCORE-NG). OSCORENG fixes OSCORE’s denial-of-sleep vulnerability and provides freshness guarantees that surpass those of the Echo-based replay protection, while dispensing with an additional round trip. Furthermore, in long-running sessions, OSCORE-NG incurs even less communication overhead than OSCORE’s counter-based replay protection. OSCORE-NG’s approach is to entangle timestamps in nonces. Except during synchronization, CoAP nodes truncate these timestamps in outgoing OSCORE-NG messages. Receivers fail to restore a timestamp if and only if an OSCORE-NG message is delayed by more than 7.848s in our implementation by default. In effect, older OSCORE-NG messages get rejected.

View More Papers

Connecting the Dots in the Sky: Website Fingerprinting in...

Prabhjot Singh (University of Waterloo), Diogo Barradas (University of Waterloo), Tariq Elahi (University of Edinburgh), Noura Limam (University of Waterloo)

Read More

Separation is Good: A Faster Order-Fairness Byzantine Consensus

Ke Mu (Southern University of Science and Technology, China), Bo Yin (Changsha University of Science and Technology, China), Alia Asheralieva (Loughborough University, UK), Xuetao Wei (Southern University of Science and Technology, China & Guangdong Provincial Key Laboratory of Brain-inspired Intelligent Computation, SUSTech, China)

Read More

MASTERKEY: Automated Jailbreaking of Large Language Model Chatbots

Gelei Deng (Nanyang Technological University), Yi Liu (Nanyang Technological University), Yuekang Li (University of New South Wales), Kailong Wang (Huazhong University of Science and Technology), Ying Zhang (Virginia Tech), Zefeng Li (Nanyang Technological University), Haoyu Wang (Huazhong University of Science and Technology), Tianwei Zhang (Nanyang Technological University), Yang Liu (Nanyang Technological University)

Read More

Sharing cyber threat intelligence: Does it really help?

Beomjin Jin (Sungkyunkwan University), Eunsoo Kim (Sungkyunkwan University), Hyunwoo Lee (KENTECH), Elisa Bertino (Purdue University), Doowon Kim (University of Tennessee, Knoxville), Hyoungshick Kim (Sungkyunkwan University)

Read More