부산대학교 도서관

As resource-constrained Internet-of-Things (IoT) devices become popular targets of various malicious attacks, frequent updates to keep their software up to date are essential to their security. However, state-of-the-art software delivery and payment systems incorporate multiple services in a client-server structure requiring multiple transits of information between client and server, while also creating a wide attack surface. We propose a blockchain-based end-to-end secure software update delivery framework for Internet of Things (IoT) devices, which aims to ensure confidentiality, integrity, availability, efficiency, and audit-ability for verified software delivery, while offloading the cryptographic computation from resource-constrained IoT devices to a decentralized blockchain system. In particular, we leverage Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and design a customized authorization policy to not only ensure that software updates can only be decrypted and installed on authorized IoT devices but also significantly reduce the computational overhead for key generation and key delivery on the manufacturer side. Furthermore, secure and atomic software delivery and payments between IoT devices and the manufacturer are assured through smart contracts. The authenticity of the delivered software is guaranteed by offloading the computation-based signature validation to smart contracts. Compliance audits are satisfied through immutable records on the blockchain’s public ledger, and the smart contracts efficiently guarantee the delivery of software updates in exchange for payment. Security analysis and experiments are performed to compare the proposed framework with state-of-the-art studies and validate its effectiveness.