A Project Based Seminar Report on “New approach for securing communication over MQTT protocol and a comparison between RSA and Elliptic Curve” Submitted to the Savitribai Phule Pune University In partial fulfillment for the award of the Degree of Bachelor of Engineering in Information Technology by Mr

A Project Based Seminar Report
“New approach for securing communication over
MQTT protocol and a comparison between RSA and Elliptic Curve”
Submitted to the
Savitribai Phule Pune University
In partial fulfillment for the award of the Degree of
Bachelor of Engineering
Information Technology by
Mr. Ashish Patil
(Roll no. : 72 and Division :TE)
Under the guidance of

Department Of Information Technology
Kennedy Road, Near RTO,Pune,Maharashtra,India

This is to certify that the project based seminar report entitled “FUSION OF IRIS AND SCLERA BIOMETRICS” being submitted by Mr. Ashish Patil (Roll no.:78 Division :TE) is a record of bonafide work carried out by her under the supervision and guidance of Prof. V.S.Morein a partial fulfillment of the requirement for TE (Information Technology Engineering)-2015 course of Savitribai Phule Pune University ,Pune in the academic year 2017-2018.

Prof. V.S.More Prof.P.A.Patil
Guide Head of the Department
This project based seminar report has been examined by us as per the Savitribai Phule Pune University, Pune, requirements at All India Shri Shivaji Memorial Society’s Institute of Information Technology, on FUSION OF IRIS AND SCLERA BIOMETRICS.

name name
Internal Examiner External Examiner
ACKNOWLEDGEMENTI wish to express my sincere gratitude to Prof. P. A. Patil sir for providing me an opportunity to present seminar on ” New approach for securing communication over MQTT protocol and a comparison between RSA and Elliptic Curve”.

I sincerely thank Prof. V.S.More Ma’am for their guidance and encouragement in carrying out this seminar.

Mr. Ashish Patil

ABSTRACTThis report presents the mechanisms for secure and lightweight communication between IoT devices. It discusses about different mechanisms of data security and authentication. The communication between IoT devices is less secure as these devices are less capable in terms of computing power. The encryption mechanisms used by computers cannot be used for the IoT devices for the same reason. The communications between the server and IoT can be intercepted by an attacker which can lead to question the data integrity and authenticity. Due to limited CPU and memory capabilities of the IoT devices, an effective way must be used to improve the quality of communication between IoT devices. The Message Queue Telemetry Transport, shortened as MQTT is a lightweight protocol created by IBM that uses the Publish/Subscribe pattern and needs a smaller bandwidth that can be used for this purpose. For the communication over unsecured network, different cryptography schemes have been implemented. The standard cryptography mechanisms like digital signatures, hash functions and encryption and decryption are used for data integrity and authenticity. The algorithm we have used is ECC (Elliptic Curve Cryptography). ECC is capable of providing the same cryptographic strength as an RSA-based system with smaller key size. A 256 bit ECC key is equivalent to RSA 3072 bit key which is still 50
INDEX TOC o “1-1” h z u AcknowledgementPAGEREF _Toc12054 hiAbstractPAGEREF _Toc12055 hiiIndexPAGEREF _Toc12056 hiiiList of FiguresPAGEREF _Toc12057 hv
New approach for securing communication over MQTT protocol and
a comparison between RSA and Elliptic Curve1
Introduction to project. . . . . . . . . . . . . . . . . . . . . . . . .1
Motivation behind project . . . . . . . . . . . . . . . . . . . . . . . .1
Aim of project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Objective of project . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Introduction To MQTT. . . . . . . . . . . . . . . . . . . . . . . . .2
Introduction To RSA . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Introduction To ECC . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Aim of IoT Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Objectives of IoT Security . . . . . . . . . . . . . . . . . . . . . . . .3
RSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Neural Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

List of Figures3.1Neural Network based on SLFN Algorithm . . . . . . . . . . . . . . .9
3.2Flowchart of Neural Network. . . . . . . . . . . . . . . . . . . . . .11
Chapter 1
New approach for securing communication over MQTT protocol and a comparison between RSA and Elliptic Curve
1.1Introduction to project
Increasingly affordable micro controllers like Arduino and Raspberry Pi are enabling cheap devices that measure sensor data and send it over the internet. The goal of this project is to introduce the lightweight protocol MQTT and its capabilities to send data between devices and other systems.

RSA derives its security from the difficulty of factoring large integers that are the product of two large prime numbers. Multiplying these two numbers is easy, but determining the original prime numbers from the total – factoring – is considered infeasible due to the time it would take even using todays super computers.

ECC is the latest encryption method. It stands for Elliptic Curve Cryptography and promises stronger security, increased performance, yet shorter key lengths. This makes it ideal for the increasingly mobile world.

1.2Motivation behind project
The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices that have sensing or actuation capabilities, and are connected to each other via the Internet.

Security has not been a high priority for these devices until now. It is now time to establish The Internet of Secure Things. According to OWASP Internet of Things Top 10, three attack surfaces are caused by insecure network and insufficient authentication/authorization.


In order to reduce these attack surfaces, proper cryptographic scheme should be used for communication as well as authentication and authorization.

1.3Aim of project
To build an effective system for securing communication between IoT devices.

To build an effective system for IoT device authentication.

To build an effective system for IoT device authorization.

1.4Objective of project
• To secure IoT devices from various attacks such as evesdropping, spoofing and spamming, MITM.

1.5Introduction To MQTT
MQTT is a standardised publish/subscribe messaging protocol. It was designed in 1999 for use on satellites and as such is very light-weight with low bandwidth requirements making it ideal for M2M or IoT applications. As such, it has become one of the most common protocols for those situations.The publish / subscribe (often called pub-sub) pattern lies at the heart of MQTT. Clients can publish or subscribe to particular topics which are somewhat like message subjects. They are used by the broker to decide who will receive a message.

1.6Introduction To RSA
RSA (RivestShamirAdleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of the factorization of the product of two large prime numbers, the “factoring problem”. The acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1978.


1.7Introduction To ECC
an elliptic curve is a plane curve over a finite field (rather than the real numbers) which consists of the points satisfying the equation y2 = x + ax + b, alongwithadistinguishedpointatinfinity.

1.8Aim of IoT Security
To give Quality of Service(QoS).

Ensure Data Integrity and Authenticity.

1.9Objectives of IoT Security
Maximize data integrity: Data integrity emerges as a fundamental issue in IoT. This is because there is a constant transmission of data from one device to the other. And there is an increased change of unauthorized changes and the accuracy of the data that is received.

Ensure IoT trust mechanisms: This objective pertains to organizations responsible for creating, maintaining IoT. Trust is the huge factor. These organizations have a fundamental and moral obligation to ensure the IoT products are well protected and trust building technologies are used properly.

Ensure user authentication: This objective deals with the importance of building authentication mechanisms such that IoT security could be enhanced.

Ensure safe connectivity: This objective deals with safe connectivity between different IoT devices to mitigate the threats. When the individuals privately access the data and applications anywhere and anytime, they expect to be fully secure.

Chapter 2

Table 2.1: Literature survey
Author Name of the
paper Content
Ibrahim Modelling and Evaluation of Malicious Attacks against the IoT MQTT
Protocol. Use of Firewall and IPS to block DoS and DDoS attacks. Using certificates to identify clients and servers. Encrypting the data stored in the broker and IoT device, use of trusted client software on PC and smartphones, end-to-end encryption, VPN between clients and brokers. Message integrity checks using hashing algorithms, use of encrypted communication technologies such as TLS/SSL in MQTT broker, X509 certicates from trusted authority.

Muneer Bani Yassein, Mohammed Q. Shat-
nawi Internet of Things: Survey and open issues of MQTT
Protocol. Many applications in various fields use the MQTT. For example, it is being used in health care, Facebook notification, surveillance, and in the energy meter. Therefore, the MQTT protocol is considered the perfect messaging protocol for the M2M communications and in the IoT.

Department of INFORMATION TECHNOLOGY, AISSMS Institute of Information Technology, Pune. 2017-2018
Table 2.2: Literature survey
Author Name of the
paper Content
Tarun Kumar Goyal Lightweight Security Algorithm for Low Power
IoT Devices. Elliptic Curve Dife Hellman(EC-DH) Algorithm has received achieved signicance in view of its features like low power, lightweight and robustness, which is reasonable for IoT gadgets. ECDH is superior to other considered algorithms in terms of power and area.

Anshuman Chhabra and
Arora AnElliptic
CurveCryptography Based Encryption
Scheme For Securing the Cloud Against
Eavesdropping Attack. ECC is used to generate the encryption key to secure the data against external threats as well. The scheme is shown to outperform RSA in terms of expediency in encryption and decryption times. It is faster than RSA algorithm. At the same time it is excellent for alluding eavesdropping.

T.Shijo Mathew

Suresh Comparative
Analysis of AES and ECC in Automated
Metering Infrastructur. In addition to AES, ECC is another powerful security protocol and got lot of advantages compared to AES. So towards implementing proper security protocol in AMI, both AES and ECC been analyzed for different data size from energy meter in terms of Key generation, Encryption and Decryption..

Chapter 3
The proposed contribution is to secure the flow of distributed message between the users of the MQTT protocol. In fact, we opted for the solution of a certification authority “CA” to generate two kinds of certificates, the first one for the clients and second one for the Topics (subjects). In the case of a many clients wish certified by the same certificate authority CA and they hope exchanging the messages through a Topic. In the first step the CA generates a private key and a certificate to this Topic. This key and the certificate will be published manually for certified clients, enabling a secure exchange of messages. When a new client wants to participate in the flow of a Topic, he must send a request certificate in order to be able to decrypt published messages.

3.1RSA Algorithm
Association analysis is used to find the relationship among the data elements and determining association rules. Some of the important association rule mining algorithms are apriori and hash based approach. They are used to find the associations using the minimum support and minimum confidence. The association analysis is divided into two sub problems. One is to find the accounts whose happening occurs behind the threshold and the second one is generating association rules over large databases with the constraints of minimum confidence. Apriori algorithm works well only if the data base is small and contains less number of frequent transactions.Then hash based technique is used to reduce the candidate k-items, ck, for k¿1. From that candidate key,We generate a path to detect suspecious accounts.

3.2Neural Network
Neural Network make use of Single-Hidden Layer Feed Forward Neural Network algorithm. It has most hidden nodes and with almost any nonlinear activation function can exactly learn distinct observations. SLFN with at most hidden neurons can learn distinct samples with zero error, and the weights connecting the input neurons and the hidden neurons can be chosen arbitrarily.

Figure 3.1: Neural Network based on SLFN Algorithm
Flowchart of neural network:
Algorithm of neural network:
Given a training set X=(xi,ti)—xi Rn,ti Rm,i=1,2,.,N activation function g(x),and hidden node number N.

Step 1 : Randomly assign input weight wi and bias bi, i=1,2,N
Step 2 : Calculate the hidden layer output matrix H
Step 3 : Calculate the output weight B = HT where H is the Moore-Penrose generalized inverse of matrix H and T = t1,tNT. Standard SLFNs with N hidden nodes and activation function g(x) are mathematically modeled as B Bigi(xj)=ig(wi . xj + bi) = oj,j= 1..n i=1 i=1
Figure 3.2: Flowchart of Neural Network
Chapter 4
The legacy systems have various shortcomings, causing numerous challenges in creating a robust AML system.

Large number of transactions: As per Capgeminis world Payments Report 2016,the global non-cash transaction volume in 2014 stood at 387.3 billion and estimated to be 426.3 billion in 2015. It continues to grow with increasing digital penetration in the emerging economies, and as the growth of wearables and biometric-enabled payments systems convert more and more cash transactions to digital. Put briefly, the transaction data is too huge to be screened comprehensively.

Assessment based on past trends: One significant drawback of the legacy AML systems is that these are designed to monitor known behaviours based on past trends. Much of this is judgemental based on amount thresholds or spikes in transaction value and volume. The criminal minds, however, have enough incentive to work out elaborate schemes over long periods and continuously find new loopholes. for example, is a common tool used by money launderers, where they deposit a small amount of money in multiple accounts over a long period of time. Since theres an established regularity of transactions, most of them being of small value, a rule-based system may not find any anomaly for long periods.

New payment methods: Innovation in payments has opened new avenues for money launderers. The increased penetration of mobile banking, prepaid cards and credit cards has improved the hit rate of finding gullible people for

skimming, phishing attacks and identity theft. The advent of cryptocurrencies such as bit coin poses another big challenge, and beyond the control of banks, as these are peer-to-peer, completely anonymous with no engagement of a formal banking system. The 2010 FATF report on money laundering using NPMs articulates the dangers.

Manpower dependence: Since time immemorial, there are numerous stories of money launderers conniving with bank employees to falsify or omit key details or data points that the bank systems are designed to check. As per a RBI report, during April-December 2016 a total of 450 employees from various public and private sector banks were found to be involved in cases of fraud totalling 3,870 cases, and with a value of Rs 17,750. Similarly, in 2014-15, BNP Paribas was found guilty by the US authorities of deliberately omitting key details in transactions pertaining to sanction countries such as Iran, Sudan and Myanmar.

Department of INFORMATION TECHNOLOGY, AISSMS Institute of Information Technology, Pune. 2017-2018
Chapter 5
With the chaining of accounts, we can further develop a system which identifies the sure relation between these identified suspicious accounts using concepts like ontology. The relation between these accounts can give us additional information like whether the involved criminal people are belonging to same occupation or to the same location etc.

The frequent accounts should not be the only criteria for finding out the suspicious transaction as there may be a case when the transaction does not occur frequently but even then they are illegal. To trace out such cases additional parameters have to be considered.

Combination of clustering,hash based technique,neural network,genetic algorithm ,heuristic can improve the performance of system.

The propose system improves the efficiency of existing anti money laundering techniques by identifying suspecious accounts. It generates frequent data sets which are further use in graph theoretical approach to identify the traversal path of suspecious transactions.We have considered the frequent accounts as the parameter and have obtained a chaining of accounts.

Our method exploits contextual information about the technical system, specifically the software architecture, to provide an appropriate abstraction and a hash based technique and a graph theoretical approach a users sequence through this model together to determine how likely they are to have occurred. The lower the count, the more suspicious they are.

The proposed system improve the efficiency of the existing anti money laundering techniques by generating frequent transactional data sets using Hash base association technique.

Chandni R., G. Deepa Sakthi, Geerthana B., Rajalakshmi A. A Graph Based Approach to Identify the Suspicious Accounts by Implementing the Hash Based Association Mining , International Journal of Innovations Advancement in Computer Science, Volume 6, Issue 10 October 2017.

Salehi Ahmad, Ghazanfari2 Mehdi and Fathian Mohammed, Data Mining Techniques for Anti Money Laundering , International Journal of Applied Engineering Research, Volume 12, Number 20 (2017).

Nhien-An Le-Khac, Sammer Markos and M-Tahar Kechadi, A Heuristics Approach for Fast Detecting Suspicious Money Laundering Cases in an Investment Bank, International Journal of Computer and Information EngineeringVol:3, No:12, 2009.

Du Linxiang, Analytics Systems for Anti-Money Laundering, Department of Computer Science School of Computing National University of Singapore,volume 1, 2010/2011.

Carnaz Gonalo , Nogueira Vitor and Antunes Mrio, Ontology-Based Framework Applied to Money Laundering Investigations, Center for Research in Advanced Computing Systems,2017.