A comparison between cryptography libraries used in BRSKI protocol for constrained devices
Abstract
The lack of a standard protocol for bootstrapping constrained devices is still a challenge in the management of Internet of Things (IoT) and Healthcare Internet of Things (HIoT). The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol is a standard proposed by the Internet Engineering Task Force (IETF) for non-constrained devices, with cBRSKI as a constrained variant. In this work we review the current state of authentication protocols for constrained environments, emphasizing use-cases in the healthcare scenario. Then, we compare the memory usage and execution time of the cryptography library used in the reference implementation of both BRSKI and cBRSKI with lightweight alternatives. A test implementation was written using WolfSSL to perform the Cryptographic Message Syntax (CMS) signing function of the protocol, which is performed by OpenSSL in the reference implementation. Our experiments show that the lightweight library results in reduced bootstrap time and memory usage, without harming functionality. These findings highlight alternative BRSKI implementations suitable for constrained devices, and demonstrate that using lightweight cryptography libraries is recommended for IoT and HIoT.References
Abdul-Qawy, A. S., Pramod, P., Magesh, E., and Srinivasulu, T. (2015). The internet of things (iot): An overview. International Journal of Engineering Research and Applications, 5(12):71–82.
Aghili, S. F., Mala, H., Kaliyar, P., and Conti, M. (2019). SecLAP: Secure and lightweight RFID authentication protocol for Medical IoT. Future Generation Computer Systems, 101:621–634.
Aura, T., Sethi, M., and Peltonen, A. (2021). Nimble Out-of-Band Authentication for EAP (EAP-NOOB). RFC 9140, Internet Engineering Task Force.
Baucas, M. J., Spachos, P., and Gregori, S. (2023). Private Blockchain-Based Wireless Body Area Network Platform for Wearable Internet of Thing Devices in Healthcare. In IEEE International Conference on Communications, pages 6181–6186.
Bormann, C., Ersue, M., and Keranen, A. (2014). Terminology for Constrained-Node Networks. RFC 7228, Internet Engineering Task Force.
Brockhaus, H., von Oheimb, D., and Gray, J. (2023). Certificate Management Protocol (CMP) Updates. RFC 9480, Internet Engineering Task Force.
Carrillo, D. G. and Lopez, R. M. (2016). Lightweight CoAP-Based Bootstrapping Service for the Internet of Things. Sensors, 16(3).
Chatzisofroniou, G. and Kotzanikolaou, P. (2025). Security analysis of the wi-fi easy connect. International Journal of Information Security, 24(2):1–11.
Cheng, X., Zhang, Z., Chen, F., Zhao, C., Wang, T., Sun, H., and Huang, C. (2019). Secure Identity Authentication of Community Medical Internet of Things. IEEE Access, 7:115966–115977.
de Ruiter, J. (2016). A tale of the OpenSSL state machine: A large-scale black-box analysis. In Secure IT Systems: 21st Nordic Conference, NordSec 2016, Oulu, Finland, November 2-4, 2016. Proceedings 21, pages 169–184. Springer.
Eckert, T., Behringer, M. H., and Bjarnason, S. (2021). An Autonomic Control Plane (ACP). RFC 8994, Internet Engineering Task Force.
Fagan, M., Marron, J., Watrobski, P., Souppaya, M., Barker, W., Deane, C., Klosterman, J., Rearick, C., Mulugeta, B., Symington, S., et al. (2024). Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. NIST Special Publication 1800-36.
Fan, K., Jiang, W., Li, H., and Yang, Y. (2018). Lightweight RFID Protocol for Medical Privacy Protection in IoT. IEEE Transactions on Industrial Informatics, 14(4):1656–1665.
Friel, O., Shekh-Yusef, R., and Richardson, M. (2025). BRSKI Cloud Registrar. Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Fries, S., Werner, T., Lear, E., and Richardson, M. (2025). BRSKI with Pledge in Responder Mode (BRSKI-PRM). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Garcia-Morchon, O., Kumar, S., and Sethi, M. (2019). Internet of Things (IoT) Security: State of the Art and Challenges. RFC 8576, Internet Engineering Task Force.
Housley, R. (2009). Cryptographic Message Syntax (CMS). RFC 5652, Internet Engineering Task Force.
Hu, X., Cheng, D., Chen, J., Jin, X., and Wu, B. (2022). Multiontology Construction and Application of Threat Model Based on Adversarial Attack and Defense Under ISO/IEC 27032. IEEE Access, 10:117955–117972.
IEEE (2018). IEEE Standard for Local and Metropolitan Area Networks - Secure Device Identity. IEEE Std 802.1AR-2018 (Revision of IEEE Std 802.1AR-2009), pages 1–73.
Jiang, S. and Eckert, T. (2020). Autonomic Networking Integrated Model and Approach (anima). [link]. Access on May 09th, 2025.
Khlebnikov, A. and Adolfsen, J. (2022). Demystifying Cryptography with OpenSSL 3.0: Discover the best techniques to enhance your network security with OpenSSL 3.0. Packt Publishing.
Malik, M., Dutta, M., and Granjal, J. (2019). A Survey of Key Boot-strapping Protocols Based on Public Key Cryptography in the Internet of Things. IEEE Access, 7:27443–27464.
Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and Furuhed, M. (2024). CBOR Encoded X.509 Certificates (C509 Certificates). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Nyman, B. and Elliott, P. (2024). GitHub Issue 8768: Better support for PKCS7. Archived at [link] on May 09th, 2025.
Peltonen, A., Inglés, E., Latvala, S., Garcia-Carrillo, D., Sethi, M., and Aura, T. (2020). Enterprise Security for the Internet of Things (IoT): Lightweight Bootstrapping with EAP-NOOB. Sensors, 20(21).
Pritikin, M., Richardson, M., Eckert, T., Behringer, M. H., and Watsen, K. (2021). Bootstrapping Remote Secure Key Infrastructure (BRSKI). RFC 8995, Internet Engineering Task Force.
Qutqut, M. H., Al-Sakran, A., Almasalha, F., and Hassanein, H. S. (2018). Comprehensive survey of the IoT open-source OSs. IET Wireless Sensor Systems, 8(6):323–339.
Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., and Riegg, A. (2017). Internet of Things patterns for device bootstrapping and registration. In Proceedings of the 22nd European Conference on Pattern Languages of Programs, pages 1–27.
Rescorla, E. and Modadugu, N. (2012). Datagram Transport Layer Security Version 1.2. RFC 6347, Internet Engineering Task Force.
Richardson, M., der Stok, P. V., Kampanakis, P., and Dijk, E. (2025). Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Shelby, Z., Hartke, K., and Bormann, C. (2014). The Constrained Application Protocol (CoAP). RFC 7252, Internet Engineering Task Force.
Soares, L. R., Bastos, L., Martins, B., Medeiros, I., Rosário, D., Nobre, J. C., and Cerqueira, E. C. (2023). A Continuous Heart-Based Biometric Authentication for Healthcare Internet of Things. In Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg), pages 43–54. SBC.
Vollbrecht, J., Carlson, J. D., Blunk, L., Aboba, D. B. D., and Levkowetz, H. (2004). Extensible Authentication Protocol (EAP). RFC 3748, Internet Engineering Task Force.
von Oheimb, D., Fries, S., and Brockhaus, H. (2025). BRSKI with Alternative Enrollment (BRSKI-AE). RFC 9733, Internet Engineering Task Force.
Wi-Fi Alliance (2022). Wi-Fi Easy Connect Specification v3.0. Archived at [link].
Xu, Z., Xu, C., Liang, W., Xu, J., and Chen, H. (2019). A Lightweight Mutual Authentication and Key Agreement Scheme for Medical Internet of Things. IEEE Access, 7:53922–53931.
Aghili, S. F., Mala, H., Kaliyar, P., and Conti, M. (2019). SecLAP: Secure and lightweight RFID authentication protocol for Medical IoT. Future Generation Computer Systems, 101:621–634.
Aura, T., Sethi, M., and Peltonen, A. (2021). Nimble Out-of-Band Authentication for EAP (EAP-NOOB). RFC 9140, Internet Engineering Task Force.
Baucas, M. J., Spachos, P., and Gregori, S. (2023). Private Blockchain-Based Wireless Body Area Network Platform for Wearable Internet of Thing Devices in Healthcare. In IEEE International Conference on Communications, pages 6181–6186.
Bormann, C., Ersue, M., and Keranen, A. (2014). Terminology for Constrained-Node Networks. RFC 7228, Internet Engineering Task Force.
Brockhaus, H., von Oheimb, D., and Gray, J. (2023). Certificate Management Protocol (CMP) Updates. RFC 9480, Internet Engineering Task Force.
Carrillo, D. G. and Lopez, R. M. (2016). Lightweight CoAP-Based Bootstrapping Service for the Internet of Things. Sensors, 16(3).
Chatzisofroniou, G. and Kotzanikolaou, P. (2025). Security analysis of the wi-fi easy connect. International Journal of Information Security, 24(2):1–11.
Cheng, X., Zhang, Z., Chen, F., Zhao, C., Wang, T., Sun, H., and Huang, C. (2019). Secure Identity Authentication of Community Medical Internet of Things. IEEE Access, 7:115966–115977.
de Ruiter, J. (2016). A tale of the OpenSSL state machine: A large-scale black-box analysis. In Secure IT Systems: 21st Nordic Conference, NordSec 2016, Oulu, Finland, November 2-4, 2016. Proceedings 21, pages 169–184. Springer.
Eckert, T., Behringer, M. H., and Bjarnason, S. (2021). An Autonomic Control Plane (ACP). RFC 8994, Internet Engineering Task Force.
Fagan, M., Marron, J., Watrobski, P., Souppaya, M., Barker, W., Deane, C., Klosterman, J., Rearick, C., Mulugeta, B., Symington, S., et al. (2024). Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. NIST Special Publication 1800-36.
Fan, K., Jiang, W., Li, H., and Yang, Y. (2018). Lightweight RFID Protocol for Medical Privacy Protection in IoT. IEEE Transactions on Industrial Informatics, 14(4):1656–1665.
Friel, O., Shekh-Yusef, R., and Richardson, M. (2025). BRSKI Cloud Registrar. Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Fries, S., Werner, T., Lear, E., and Richardson, M. (2025). BRSKI with Pledge in Responder Mode (BRSKI-PRM). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Garcia-Morchon, O., Kumar, S., and Sethi, M. (2019). Internet of Things (IoT) Security: State of the Art and Challenges. RFC 8576, Internet Engineering Task Force.
Housley, R. (2009). Cryptographic Message Syntax (CMS). RFC 5652, Internet Engineering Task Force.
Hu, X., Cheng, D., Chen, J., Jin, X., and Wu, B. (2022). Multiontology Construction and Application of Threat Model Based on Adversarial Attack and Defense Under ISO/IEC 27032. IEEE Access, 10:117955–117972.
IEEE (2018). IEEE Standard for Local and Metropolitan Area Networks - Secure Device Identity. IEEE Std 802.1AR-2018 (Revision of IEEE Std 802.1AR-2009), pages 1–73.
Jiang, S. and Eckert, T. (2020). Autonomic Networking Integrated Model and Approach (anima). [link]. Access on May 09th, 2025.
Khlebnikov, A. and Adolfsen, J. (2022). Demystifying Cryptography with OpenSSL 3.0: Discover the best techniques to enhance your network security with OpenSSL 3.0. Packt Publishing.
Malik, M., Dutta, M., and Granjal, J. (2019). A Survey of Key Boot-strapping Protocols Based on Public Key Cryptography in the Internet of Things. IEEE Access, 7:27443–27464.
Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and Furuhed, M. (2024). CBOR Encoded X.509 Certificates (C509 Certificates). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Nyman, B. and Elliott, P. (2024). GitHub Issue 8768: Better support for PKCS7. Archived at [link] on May 09th, 2025.
Peltonen, A., Inglés, E., Latvala, S., Garcia-Carrillo, D., Sethi, M., and Aura, T. (2020). Enterprise Security for the Internet of Things (IoT): Lightweight Bootstrapping with EAP-NOOB. Sensors, 20(21).
Pritikin, M., Richardson, M., Eckert, T., Behringer, M. H., and Watsen, K. (2021). Bootstrapping Remote Secure Key Infrastructure (BRSKI). RFC 8995, Internet Engineering Task Force.
Qutqut, M. H., Al-Sakran, A., Almasalha, F., and Hassanein, H. S. (2018). Comprehensive survey of the IoT open-source OSs. IET Wireless Sensor Systems, 8(6):323–339.
Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., and Riegg, A. (2017). Internet of Things patterns for device bootstrapping and registration. In Proceedings of the 22nd European Conference on Pattern Languages of Programs, pages 1–27.
Rescorla, E. and Modadugu, N. (2012). Datagram Transport Layer Security Version 1.2. RFC 6347, Internet Engineering Task Force.
Richardson, M., der Stok, P. V., Kampanakis, P., and Dijk, E. (2025). Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI). Internet-draft, Internet Engineering Task Force. Work in Progress: [link]. Access on May 9th, 2025.
Shelby, Z., Hartke, K., and Bormann, C. (2014). The Constrained Application Protocol (CoAP). RFC 7252, Internet Engineering Task Force.
Soares, L. R., Bastos, L., Martins, B., Medeiros, I., Rosário, D., Nobre, J. C., and Cerqueira, E. C. (2023). A Continuous Heart-Based Biometric Authentication for Healthcare Internet of Things. In Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg), pages 43–54. SBC.
Vollbrecht, J., Carlson, J. D., Blunk, L., Aboba, D. B. D., and Levkowetz, H. (2004). Extensible Authentication Protocol (EAP). RFC 3748, Internet Engineering Task Force.
von Oheimb, D., Fries, S., and Brockhaus, H. (2025). BRSKI with Alternative Enrollment (BRSKI-AE). RFC 9733, Internet Engineering Task Force.
Wi-Fi Alliance (2022). Wi-Fi Easy Connect Specification v3.0. Archived at [link].
Xu, Z., Xu, C., Liang, W., Xu, J., and Chen, H. (2019). A Lightweight Mutual Authentication and Key Agreement Scheme for Medical Internet of Things. IEEE Access, 7:53922–53931.
Published
2025-09-01
How to Cite
EHLERT, Ricardo R.; SOARES, Laura R.; NOBRE, Jéferson C..
A comparison between cryptography libraries used in BRSKI protocol for constrained devices. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25. , 2025, Foz do Iguaçu/PR.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 1-17.
DOI: https://doi.org/10.5753/sbseg.2025.11472.
