Enhancing Security Mechanisms for IoT-Fog Networks

This study contributes to improving Morocco's fish canning industry by integrating artificial intelligence (AI). The primary objective involves developing an AI and image processing-based system to monitor and guarantee canning process quality in the facility. It commenced with an IoT-enabled device capable of capturing and processing images, leading to the creation of an AI-driven system adept at accurately categorizing improperly crimped cans. Further advancements focused on reinforcing communication between IoT devices and servers housing individual client's neural network weights. These weights are vital, ensuring the functionality of our IoT device. The efficiency of the IoT device in categorizing cans relies on updated neural network weights from the Fog server, crucial for continual refinement and adaptation to diverse can shapes. Securing communication integrity between devices and the server is imperative to avoid disruptions in can classification, emphasizing the need for secure channels. In this paper, our key scientific contribution revolves around devising a security protocol founded on HMAC. This protocol guarantees authentication and preserves the integrity of neural network weights exchanged between Fog computing nodes and IoT devices. The innovative addition of a comprehensive dictionary within the Fog server significantly bolsters security measures, enhancing the overall safety between these interconnected entities.


INTRODUCTION
This project is part of an industrial initiative aimed at upgrading the fish canning industry in Morocco through the integration of artificial intelligence (AI). Our primary purpose entails creating an AI and image processing-based system to oversee and ensure the quality requirements of the canning process within the facility. Our quest began with creating an IoT-enabled electronic device capable of recording and processing images. Subsequently, we developed an AI-powered system to accurately categorize improperly crimped cans. Progressing further, we reinforced the communication link between these IoT devices and the servers storing each client's neural network weights. These weights are essential; they ensure the proper functionality of our IoT device [1], [2].
The efficiency of the IoT device in precisely categorizing cans relies heavily on the neural network weights it acquires from the Fog server. These weight updates are fundamental components of our ongoing efforts to consistently fine-tune the neural network's performance. Our objective is to elevate the accuracy of classification processes while actively identifying and adapting to emerging can shapes, encompassing diverse forms such as cubic or cylindrical variations.
The significance of these weight updates lies in their role as catalysts for refinement, enabling our neural network to evolve continuously. By refining the network's parameters, we strive not only to enhance accuracy but also to ensure adaptability to newer can shapes that might enter the market.
Securing the communication link between our device and the server stands as a critical measure to uphold the integrity of these weight values. The unaltered transmission of these weights is imperative. Any tampering or modifications during transmission could severely disrupt the device's inherent capability to accurately classify cans, particularly those with deformities. Such disruptions pose a tangible risk of incurring production losses, emphasizing the indispensable need for secure and reliable communication channels to preserve the integrity of our neural network weights.
Our contribution involves crafting a security protocol reliant on HMAC, enabling both the Fog computing node and IoT devices to authenticate themselves and ensure message integrity during their communications [3]-[5]. This protocol includes the incorporation of a comprehensive dictionary within the Fog computing node. This dictionary securely stores the unique IDs and corresponding secret keys of individual IoT devices. By implementing this dictionary, we aim to fortify the security measures, ensuring the protection and isolation of data belonging to each IoT device within the Fog computing infrastructure.
In this study, Section 2 will go into the existing literature, investigating relevant studies in the topic. Section 3 will emphasize our specific contribution, concentrating on strengthening security for Fog-IoT communication through the implementation of the HMAC Protocol. Subsequently, Section 4 will engage in a full examination of the data gained and the performance increases arising from the HMAC adjustments. This will be followed by the conclusion, summarizing the important findings and insights acquired from this study.

cryptographic foundation, typically leveraging a block cipher like AES (Advanced Encryption Standard) operating in Cipher Block Chaining (CBC) mode [6], [7]. By utilizing a private secret key shared between the sender and recipient, CMAC processes fixed-size data blocks, potentially applying padding if the message size isn't a multiple of the block size. It employs the block cipher in CBC mode with a tweak, altering the final block cipher operation to generate an authentication tag or MAC. CMAC boasts robust security measures, resilience against specific attacks, and efficiency in constructing fixed-size authentication tags. It's often employed in protocols and applications where ensuring message integrity and authenticity holds utmost importance [8]-[10].
Similarly, Galois/Counter Mode (GCM) describes a symmetric-key cryptographic mode used with the Advanced Encryption Standard (AES) to achieve authenticated encryption [11]. This approach combines encryption and authentication, ensuring data secrecy and integrity verification. GCM leverages AES encryption's counter mode (CTR), generating a keystream by encrypting successive counter values. Notably, it leverages Galois field multiplication to construct an authentication tag, enabling verification of both data authenticity and integrity. Renowned for its efficiency, particularly in hardware implementations, GCM finds extensive application in safeguarding network communications, including Wi-Fi protocols (such as WPA2 and WPA3), Transport Layer Security (TLS), IPsec, and several other security protocols. With a strong cipher like AES, GCM offers solid security, balancing high-grade protection and computational performance [12], [13].
In addition, KMAC stands as a versatile cryptographic structure anchored in the KECCAK function, a core component of the SHA-3 family. Leveraging the configurable nature of its design, KMAC enables the inclusion of a customization string, providing users the flexibility to modify its functioning to specific security settings or requirements. Its versatility stretches across cryptographic demands, enabling message authentication, hashing, and key derivation. From the solid security qualities inherent in the SHA-3 family, KMAC retains a strong cryptographic foundation, playing a crucial role in post-quantum cryptography and cryptographic standardization efforts by groups like the National Institute of Standards and Technology (NIST) [14]-[16].
Finally, there is Poly1305, a cryptographic message authentication code (MAC) function paired with a secret key that offers message integrity and authenticity [17], [18]. It is frequently used with symmetric encryption algorithms like AES-GCM (Advanced Encryption Standard-Galois/Counter Mode) to create authenticated encryption. By evaluating a polynomial function over a finite field, Poly1305 delivers a fixed-size authentication tag for a message and key pair. It delivers solid security when built correctly, resists timing attacks, and boasts efficient performance. It is intended for applications demanding comprehensive data integrity checks and authentication while maintaining computational performance [19].

A. IoT Device
The IoT device comprises three key electronic components, as illustrated in Fig. 1. Firstly, it integrates a GoPro HERO9 camera capable of capturing 60 frames per second (60 fps), ensuring high-quality image capture regardless of the production series' speed [20], [21]. Notably, the camera's open-gopro library, accessible in Python, allows for effective control (see Fig. 1, component A).
The second essential component is the Raspberry Pi 4 processing unit, equipped with 8 GB of RAM, a robust microprocessor, and an open-source Debian-based operating system. This unit houses our classification program and an Application Programming Interface (API) for seamless communication with the Fog computing node [22]-[24]. Our significant scientific contribution lies in the meticulous security measures implemented to safeguard the received neural network weights from the Fog computing node (see Fig. 1, component B).
Finally, the IoT device integrates an HC-SR04 ultrasonic sensor, adept at detecting the presence of cans within a suitable position with an effective measurement angle of 15°. Each component plays a pivotal role in the device's comprehensive functionality, from high-speed image capture to neural network updates and precise can detection (see Fig. 1, component C) [25].

B. Fog Computing Architecture
The fog computing architecture, illustrated in Fig. 2, employs a tiered structure designed to optimize data processing, storage, and computation near the network edge. Its aim is to improve efficiency and reduce latency. At the foundation are multiple Edge Devices that consist of sensors, actuators, and IoT devices. They play a crucial role in generating and gathering data at the network's periphery, serving as the primary points for information entry into the fog computing ecosystem [26]-[28].
The intermediate tier consists of Fog Nodes strategically located nearer to the edge devices, unlike traditional centralized cloud data centers. These nodes function as pivotal processing hubs, executing applications, offering storage, and delivering vital network services. They encompass various devices like routers, switches, and specialized hardware, all finely tuned to efficiently manage tasks within the fog computing paradigm [29], [30].
The computational potential of fog nodes is harnessed by Fog Services and Applications. These services manage data processing, analytics, and instantaneous decision-making tailored to specific use cases and operational needs. The Fog Orchestration and Management Layer effectively coordinates and supervises resource distribution within the fog computing infrastructure. This layer oversees crucial tasks such as resource allocation, security enforcement, and continuous monitoring of fog nodes and services [31]-[33].
Enabling uninterrupted links between edge devices and fog nodes, the Connectivity and Networking Layer ensures efficient data transmission and communication. It utilizes various technologies such as edge routers, wireless networks, and protocols to facilitate seamless interactions.
Integral to the comprehensive design, the Security and Privacy Layer integrates robust methods like encryption, authentication, access control, and secure communication protocols. These techniques serve to protect data and communications, guaranteeing the integrity and security of information within the fog computing environment. The decentralized nature of fog computing optimizes data processing by placing computational resources nearer to the source. This enables quicker processing, minimized latency, and enhanced efficiency for real-time applications across various industries and domains [34].

C. Hash-based Message Authentication Code
Hash-based Message Authentication Code (HMAC) represents a commonly used cryptographic construct meant to validate the integrity and origin of messages, ensuring secure communication over potentially insecure channels [35], [36]. At its core, HMAC combines a cryptographic hash function with a secret key, providing a unique fixed-size authentication tag for a given message. The algorithm operates by hashing the message using a selected hash function, generally MD5, SHA-1, or SHA-256, utilizing the secret key to construct the authentication code [37]-[39]. This code is attached to the message or transmitted alongside it. HMAC's strength comes in its resistance to various cryptographic attacks, thanks to the use of the secret key, which is known only to the sender and recipient, making it tough for attackers to falsify or modify messages without notice.
One of HMAC's primary advantages is its versatility and application across multiple security protocols and systems. It's extensively applied in internet security protocols like TLS (Transport Layer Security) and IPsec (Internet Protocol Security), where maintaining message authenticity and integrity is crucial. HMAC's ability to give high cryptographic assurance while being relatively simple to implement has made it a crucial tool in protecting communications and validating data integrity across a wide array of applications and sectors [40], [41].
However, while HMAC is a powerful authentication system, its security is dependent upon various aspects. The strength of the chosen hash function directly affects the security of HMAC. As processing power develops, earlier hash functions can become vulnerable to attacks, thus undermining the security of HMAC [42]. Hence, it's necessary to frequently analyze and upgrade the hash functions used within HMAC implementations to maintain robust security against evolving threats. Additionally, key management is critical in preserving the secrecy and integrity of HMAC-protected communications, underlining the necessity for secure key storage and exchange protocols. Despite these issues, HMAC remains a cornerstone in maintaining data integrity and authenticity, playing a critical role in protecting modern digital communication networks [43]-[45].
Within our canning industry operations, a pressing concern revolves around enabling our IoT device to securely and equitably receive crucial neural network weights from the server [46]. This challenge stems from the necessity to ensure that the transmission of these capabilities from the Fog computing node to our device occurs in a manner that's both secure and unbiased. Addressing this challenge is imperative for the uninterrupted and effective functioning of our device in classifying cans accurately and efficiently.
To resolve this, a meticulously designed protocol has been introduced as a solution. HMAC operates as a comprehensive framework aimed at facilitating the secure and fair transmission of neural network capabilities. Central to its functionality is the implementation of MAC (Message Authentication Code) verification within the IoT device [47]-[49]. Through this verification process, the integrity of the weights and configurations received from the Fog computing node is rigorously checked. This meticulous scrutiny ensures that any alterations or unauthorized modifications during transmission are promptly identified, preserving the sanctity and authenticity of the neural network capabilities obtained by our device. By employing this protocol, we establish a robust system that not only upholds security but also guarantees fairness in the acquisition of vital neural network capabilities, fostering reliable and accurate can classification within our industry processes [50]-[52].

D. IoT-Fog Security
Within the IoT-Fog framework, ensuring mutual authentication among interconnected devices emerges as a critical security priority. As IoT devices commonly operate under limited battery capacities and frequent data transmission needs, integrating a lightweight authentication mechanism becomes pivotal in minimizing energy consumption. Our proposed solution addresses this authentication requirement between a Fog computing node and multiple IoT devices [53]. The strategy involves leveraging the HMAC protocol alongside a compact database functioning as a repository for the unique IDs and corresponding secret keys of each IoT device. This approach effectively segregates the transmitted data at both the hashing and security layers between the node and the devices. Fig. 3 provides a schematic depiction of our network infrastructure, showcasing the integration between IoT devices and the Fog server. In the subsequent section, we'll delve into the specific security protocol implemented for communication between the node and the IoT devices [54], [55].
Before the IoT device gains access to the essential neural network weight values, it engages in an intricate initiation sequence, as we see in Fig. 4. This sequence begins with the device transmitting its unique Identifier (ID) to the Fog server, a crucial step initiating the authentication process. The server, acting as the gatekeeper, meticulously verifies the presence and validity of this ID within its database. This serves as the initial checkpoint ensuring the device's legitimacy within the network.
Upon successful verification of the ID, the Fog server responds by dispatching a random value (N) to the awaiting IoT device. This random value, a cryptographic challenge, prompts the IoT device to showcase its authenticity by computing an HMAC. The device utilizes this random value along with a secret key (K), shared exclusively between the IoT device and the server. This process, executed through HMAC hashing, serves as a robust means of validation, affirming the device's rightful place and authorization within the network.
Successfully navigating this authentication challenge enables the IoT device to establish its trustworthiness and validated association within the network infrastructure. Upon this verification, the server securely shares the requested neural network weight values with the IoT device. To ensure the integrity of this data transmission, the server accompanies the weight values with a corresponding MAC value, generated using HMAC. This meticulous security protocol not only validates the device's legitimacy but also guarantees the unaltered and secure transfer of critical neural network weight values between the IoT device and the server.
Now that we've familiarized ourselves with our network infrastructure and its inter-element communication protocol, let's delve into an in-depth exploration of HMAC, along with the latest advancements incorporated into this cryptographic method. As we see in Fig. 5, prior to sending any message, the process initiates by creating a Message Authentication Code (MAC) using a chosen hashing function like SHA256, MD5, or another specified algorithm. This MAC acts as a unique signature derived from the message and ensures its integrity and authenticity. It's generated by combining the message with the selected hashing function and includes an identifier, Id_i, representing the physical address or a specific identification code associated with the IoT device generating the message. Upon transmission, the message, along with the MAC and the identifier Id_i, is sent to its intended destination. Upon receipt at the Fog server, the transmitted components, including the identifier Id_i, are received and processed.
The process continues by relaying the identifier Id_i to the database to retrieve the corresponding secret key K_i associated with the specific IoT device. With the secret key K_i in hand, the same hash function used earlier (e.g., SHA256, MD5) is executed using the retrieved key and the received message. This step generates a recalculated MAC', serving as a new verification code [56].
Subsequently, a comparison is made between the initially received MAC and the recalculated MAC'. If an exact match is found, it confirms the authenticity of the message and validates its integrity [57]. This verification process ensures that the message has not been altered during transmission. However, any disparity between the two MACs indicates potential tampering or alterations during transit, triggering further investigation or necessary corrective actions to address the issue and maintain the integrity of the communication within the IoT infrastructure.
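The ID check, challenge-response and weight MAC verification described in this section, sketched in Python as an added example (not the authors' implementation). Device IDs, keys, the weights blob and all class and function names are constructed for illustration; the use of SHA-256, a constant-time comparison and single-use challenges are choices of this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two registered devices and a stand-in weights blob.
DEVICE_KEYS = {"line1-cam": secrets.token_bytes(32),
               "line2-cam": secrets.token_bytes(32)}
WEIGHTS = b"constructed-serialized-neural-network-weights"


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag of `message` under `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


class FogServer:
    def __init__(self, device_keys, weights):
        self._keys = dict(device_keys)   # dictionary: device ID -> secret key
        self._weights = weights
        self._pending = {}               # device ID -> outstanding challenge N

    def begin(self, device_id):
        """Check the ID against the dictionary, then issue a random challenge N."""
        if device_id not in self._keys:
            return None
        nonce = secrets.token_bytes(32)
        self._pending[device_id] = nonce
        return nonce

    def finish(self, device_id, response):
        """Verify HMAC(K, N); on success return the weights with their MAC."""
        nonce = self._pending.pop(device_id, None)   # each challenge is single-use
        if nonce is None:
            return None
        key = self._keys[device_id]
        if not hmac.compare_digest(mac(key, nonce), response):
            return None
        return self._weights, mac(key, self._weights)


class IoTDevice:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def answer(self, nonce):
        """Respond to the server's challenge with HMAC(K, N)."""
        return mac(self._key, nonce)

    def accept(self, weights, tag):
        """Recompute MAC' over the received weights and compare it with the MAC."""
        return hmac.compare_digest(mac(self._key, weights), tag)


def fetch_weights(device, server, tamper=None):
    """Run the whole exchange; `tamper` simulates modification in transit."""
    nonce = server.begin(device.device_id)
    if nonce is None:
        return ("unknown-id", None)
    reply = server.finish(device.device_id, device.answer(nonce))
    if reply is None:
        return ("auth-failed", None)
    weights, tag = reply
    if tamper is not None:
        weights = tamper(weights)
    if not device.accept(weights, tag):
        return ("mac-mismatch", None)
    return ("ok", weights)


if __name__ == "__main__":
    server = FogServer(DEVICE_KEYS, WEIGHTS)
    cam1 = IoTDevice("line1-cam", DEVICE_KEYS["line1-cam"])
    print(fetch_weights(cam1, server)[0])
    print(fetch_weights(cam1, server, tamper=lambda w: w + b"\x00")[0])
```

The "auth-failed" path also covers a device that presents another device's ID with its own key, which is the per-device isolation the dictionary is meant to provide.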

IV. RESULTS AND DISCUSSION
The proposed protocol stands out for its exceptional efficiency, consuming minimal battery and memory resources. This makes it exceptionally suitable for constrained IoT devices [58], [59]. By employing the Hashed Message Authentication Code (HMAC) function, the protocol generates a hash using a shared secret. This effectively prevents unauthorized data alterations or the creation of a new HMAC hash during transmissions. The utilization of HMAC ensures a dual layer of security, guaranteeing both the integrity and authenticity of the transmitted data [61].
In the present scenario, a dictionary has been introduced within the Fog server, housing all the IDs paired with their respective secret keys. This measure significantly bolsters security among all IoT devices and the Fog computing node. This setup ensures that even if one IoT device encounters a security breach, the remaining devices remain shielded. This heightened security is facilitated by the server's individual handling of each device through its specific secret key, thereby containing and mitigating potential risks in case of a breach on any single IoT device [62]-[64].
Nevertheless, the implementation of a dictionary for elevated security measures introduces a consequential impact on response times. This deliberate decision to heighten security comes at the price of slightly diminished operational speed. However, this compromise underscores a strategic trade-off aimed at fortifying the integrity and reliability of the system's security protocols, safeguarding critical data exchanges within the IoT ecosystem.
Despite the trade-off in speed, this approach maintains its resilience and strength. It grants an elevated level of control over the accessibility of the server. This control mechanism restricts device access to services unless their unique identifiers (IDs) are specifically registered and stored within the dictionary housed in the Fog Node [65], [66]. This stringent access control paradigm ensures that only authorized devices with registered IDs can leverage and benefit from the services provided by the system.
Looking from a different perspective, a range of hashing methods, including HMAC, is available for facilitating communication between the IoT Device and the Fog computing node. However, our selection of HMAC wasn't random; it was the outcome of a thorough energy-focused comparison among the hashing methods (CMAC, KMAC, GCM, and Poly1305) outlined earlier in this article. This decision was the result of a careful evaluation centered on the energy efficiency of these various methods [67]-[69]. HMAC implementations generally maintain computational efficiency with moderate energy demands, utilizing hash function operations like SHA-256 alongside key manipulation. CMAC, involving block cipher operations such as AES, tends to consume more energy due to multiple encryption rounds, offering robust security but potentially impacting performance. KMAC, based on the KECCAK sponge construction, demonstrates moderate energy requirements aligned with the SHA-3 standard but might marginally exceed energy usage compared to simpler hash-based schemes [70], [71]. GCM, combining symmetric encryption like AES with Galois field multiplication, potentially consumes moderate energy, providing both confidentiality and authentication efficiency but susceptible to certain side-channel attacks. In contrast, Poly1305, primarily using polynomial multiplication operations, excels in energy efficiency, providing authentication but requiring an additional encryption mechanism for confidentiality. While Poly1305 and HMAC tend to exhibit better energy efficiency compared to algorithms like CMAC, KMAC, or GCM, the specifics of hardware, implementation, and workloads significantly influence energy consumption, urging a balanced assessment considering security, efficiency, and application requisites [72]-[74].
In this assessment of energy-level protocols, we examine and contrast the fundamental hashing and encryption algorithms (SHA-256, SHA-3, and AES) integral to these protocols [75]-[77]. To aid our decision-making regarding the implementation of HMAC, we offer estimated processing times for encryption operations using these algorithms as standard benchmarks. This comparative analysis is crucial for understanding their unique efficiencies and acts as a guiding tool to evaluate whether HMAC is well-suited for our specific use case [78].
The timings presented below were obtained using the Raspberry Pi Zero W, a device with limited resources. This device performed speed tests on different cryptographic hash functions used in HMAC, Poly1305, and CMAC [79]-[81]. The table demonstrates variations in timing among these hash functions when generating digests on a 32-bit CPU (Table I). It's notable that AES is slower than the SHA family. Additionally, in this test, we observed that SHA3-256 operates marginally slower in processing speed compared to SHA-256. The distinctive design of SHA3, rooted in the Keccak algorithm, involves different operations and structure compared to SHA-256, which can influence its overall speed.

V. CONCLUSION
In this paper, we've underscored the pivotal importance of updated neural network weights exchanged via Fog servers to ensure precise can categorization, advocating the use of a secure HMAC-based protocol to safeguard this communication. Furthermore, the integration of a comprehensive dictionary within the Fog server has significantly fortified security, effectively segregating communication channels between the server and individual IoT devices. In essence, our research centered on ensuring fair and secure transmission of neural network weights from servers to devices. However, our future research aims to introduce additional solutions aimed at encrypting these weights. This endeavor intends to prevent any unauthorized exploitation without proper permission by ensuring that eavesdropping on these critical resources is impossible.

Fig. 1. The foundational elements comprising an IoT device integrated within the production line.

TABLE I. AVERAGE TIMINGS RELATED TO DIFFERENT HASH FUNCTIONS