The Internet of Things (IoT) emerged when everyday objects began connecting to the Internet and interacting with each other autonomously without human intervention. IoT devices follow the IEEE 802.15.4 standard [
1] to enable network connectivity for resource-constrained devices using short-range, lightweight communication protocols [
1]. Due to the limited availability of device resources in addition to the bandwidth problem, the IoT ecosystem prefers multicast communication instead of unicast messages to send updates and patch-ups [
2,
3]. To send multicast messages securely, a common secret key need to be shared between the devices in the multicast group. To efficiently distribute the keys to all group devices, a vast amount of group key management techniques have been proposed in the literature. Group key management enables the group to operate with integrity and confidentiality [
4]. There are three methods for managing group keys. The Key Management Server (KMS), a trustworthy third party, is utilized for key distribution in the centralized key management technique [
5,
6]. In decentralized key management, both the server and group member devices contribute to key management [
7,
8,
9]. In distributed key management, there is no centralized trust, but every member participates in key management [
10,
11,
12,
13]. Among all three methods, centralized key management offers less communication and computation overhead on the member devices with simpler functions. Hence, the proposed work focuses on centralized key management techniques, considering them to be most suitable for resource-constrained IoT devices. Centralized key management relies on a dependable third-party server for key management and key distribution. The proposed group management server uses an SDN controller to obtain centralized control over the heterogeneous network. The controller provides opinions on whether to forward network traffic, while the routers just obey the controller [
14]. The advantages of SDN in comparison with traditional networks [
15,
16,
17] are,
The distribution of a common group key or key materials needed for group key generation occurs during the rekeying procedure. Rekeying ensures the group’s confidentiality by putting forward and backward secrecy into action. When a group member leaves, the departing member should not have any access to any key materials that could be used to access any unapproved group data after the member exit event. This is termed forward secrecy. Similarly, when a new member enters an existing group, the joining member ought not to receive any key materials to obtain any unauthorized group data preceding the member join event. This is termed backward secrecy. A collusion attack is when two or more members join to obtain key material to access the group’s data that are unauthorized for the colluding members. An efficient key management technique should ensure both forward secrecy and backward secrecy, as well as resistance to collusion attacks. Chinese Remainder Theorem (CRT)-based methods [
18] offer the lowest communication costs out of all the centralized group key management techniques that have been proposed in the literature. However, because of its limited scalability, the method cannot be applied to dynamic groups.
2. SDN-Centered Security for IoT
An architecture for furnishing network security services like an internet content filtering system, firewall, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and packet inspection using SDN is proposed. The network traffic can be routed through the services based on the needs of the user. The use of SDN for IoT networks to mitigate attacks by limiting the rate of suspicious traffic flow is proposed in [
20]. An SDN-based framework for designing cyber resilience for the Industrial IoT (IIoT) is proposed in [
21]. The ontology is designed to create pre-programmed failover paths that become activated in the event of failure. This maintains the equilibrium resilience of the IIoT network for effective failure recovery. A similar SDN-based ontology design for cyber resilience in smart manufacturing applications is proposed in [
22]. To implement incident response in the IIoT, the use of SDN is proposed in [
23] due to its dynamic routing policies. The preconfigured incident–response policy is enforced using SDN in the event of an attack. Invariant-based anomaly detection using SDN for IIoT is proposed in [
24]. Invariant is a property of the IIoT network that remains the same in any situation. A change in this property is identified as an anomaly by adding the invariant algorithm to the SDN-controlled switches. An Intrusion Detection and Prevention System (IDPS) is proposed in [
25] that exploits SDN and a Genetic Algorithm (GA) to extract features for effective intrusion detection in IoT applications. Advanced reservation-based access control using SDN is proposed in [
26]. The advanced reservation of bandwidth for a certain period is employed using SDN. SDN extends the reservation from border routers to the end devices with tokens for authorization. Another SDN-based architecture for smart home networks is proposed in [
27]. With SDN, all smart home devices are connected via a gateway. KNOT and Orchestrator are used with the aid of SDN to detect Advanced Persistent Threats and saturation attacks and mitigate them effectively. HanGaurd SDN-based fine-grained protection for a smart home from malicious apps running on authorized devices like a smartphone is proposed in [
28]. An SDN-based firewall called FORTRESS is proposed in [
29]. The stateful flow data are obtained from the data plane, and the Mealy machine is exploited to perform state table updations based on the routing decision made. An SDN-centered defense mechanism for IoT networks is proposed in [
30]. The IoT devices are classified as easily patchable or non-patchable, vulnerable or hard-to-exploit, and a proactive defense mechanism is provided by changing the attack surface in case the device is vulnerable and non-patchable. The features of SDN are exploited to provide a honeypot as a service by steering the traffic through Virtualized Functions (VF) as proposed in [
31]. The honeypot acts as a proactive as well as a reactive defense mechanism against attacks. The honeypots are virtualized and provided as a service using SDN. SDN for effective intrusion detection as well as for mitigation of attacks like Distributed Denial of Service (DDoS) in the habitat of the IoT is proposed in [
32,
33]. DDoS detection system that exploits the convenience of SDN using machine learning techniques is proposed in [
34]. The proposed work uses an adaptive multilayered feed-forwarding scheme that uses different algorithms in five layers. The third layer computes the live, real-time network traffic for DDoS attack detection, and SDN mitigates the attacks using Open Flow switches.
3. Group Key Management Techniques
SKDC follows a very simple approach, where all the existing participants of the group share an individual secret key with the KMS. When there is a change in the number of group members, the new group key is handed out by KMS to existing participants of the group individually, encrypted using the shared secret key, in sequential order. Hence, the communication cost is linear, which is highly inefficient for large dynamic groups. The group Diffie–Hellman (DH) proposed in [
35] uses asymmetric encryption for key distribution, with higher computation overhead. Logical Key Hierarchy (LKH) [
36] is a familiar centralized, hierarchy-based key management approach for dynamic groups. LKH uses a balanced binary tree-based data structure with member devices’ keys as leaf nodes. The root node contains the group key. The intermediate nodes along the path of the member devices to the root hold the key encryption keys with which the devices can obtain the group key. The overall overhead of the approach is 2 log n.
Yet another centralized, hierarchy-based key management approach for groups is the OFT, which reduces the communication cost to log n. Hence, the approach reduces bandwidth consumption considerably. The approach is similar to LKH, with the member device’s individual keys as leaf nodes. The root key is the group key. The intermediate nodes hold the key-encryption key, which is calculated using a one-way and mixing function on the child node’s keys. However, the approach fails to provide collusion resistance where two expelled members collide and can gain access to unauthorized group data. Several advancements to the OFT-based approach are proposed [
37,
38] to enhance the collusion resistance property, but in turn, the advancements increase the overall overhead. To impart collusion resistance in OFT, two more approaches are proposed in [
39]; both approaches successfully impart collusion resistance with the same communication cost as OFT but with higher computation costs.
A centralized key management approach for the group that uses Diffie-Hellman for generating the key-encryption key is proposed in [
40]. The group key can be decrypted using the key-encryption key. However, the use of public key cryptography increases the computation cost greatly. Moreover, without authentication, the use of Diffie-Hellman is liable to man-in-the-middle attack. A lightweight key management approach for groups formed in IoT applications is proposed in. The approach uses a hybrid technique with a combination of CRT and LKH. The intermediate node keys are calculated by hashing the device’s ID. Although the ID of a device is unique, tracking the ID of the device is simple for malicious users to perform forgery-based attacks. Group key management using the Chinese Reminder Theorem (CRT) is proposed in. The approach is efficient, with the least communication cost of a single broadcast. When the group size exceeds the preset n value, the individual keys for the entire group must be renewed. A blockchain-based solution for key management in groups for autonomous aerial vehicles has earlier been proposed. The approach uses LKH along with blockchain for group key updations and reduces delay. The approach also assures forward and backward secrecy. However, the use of blockchain in a resource-constrained environment would be a problem. Another lightweight asymmetric group key management approach for VANETS is proposed in [
41]. The approach uses a combination of CRT and asymmetric cryptography in contrast to the traditional symmetric group key management techniques. The scheme is comparatively scalable and has minimal computation overhead compared to its predecessor, CRT-based group key management techniques for VANETS. Still, the approach cannot use variable key sizes since the key sizes are chosen based on constraints. Further, a collusion-resistant approach to group key management is proposed in [
42], which makes use of tokens to avoid collusions. The approach distributes group keys with a single broadcast with minimal communication load. Still, the storage overhead is high as the devices store the tokens belonging to a device’s cognate nodes. A novel protocol, GKMP, for key management in groups, is proposed in [
43] to avoid collusion attacks during file sharing in the cloud. The scheme uses a group key generated by participants and not by a centralized cloud server, adding security in terms of file sharing. But the scheme uses RSA for key generation, which is expensive for IoT devices. Yet another communication-aware key management protocol for IoT networks is proposed in [
44]. The scheme uses hyperelliptic curve cryptography for authentication along with bilateral generalization in a homogeneous short integer-based solution for effective key management in IoT groups. The scheme has lower computational time compared to its previous similar schemes; still, public key cryptography-based schemes increase the complexity and device overload in IoT networks.
When evaluated in terms of computation, communication, storage load, scalability, and secrecy, the existing techniques in the literature attain efficiency in one parameter with a trade-off in other parameters. OFT reduces the communication cost but does not ensure secrecy. CRT reduces the overall computation, communication, and storage costs but lacks scalability.