(SEM V) THEORY EXAMINATION 2023-24 PRIVACY AND SECURITY IN IOT
Course: B.Tech (All Branches – Open Elective)
Semester: V
Subject Code: KOT054
Subject Title: Privacy and Security in IoT
Maximum Marks: 100
Duration: 3 Hours
Exam Pattern:
Section A: Short conceptual questions — 20 marks
Section B: Descriptive questions — 30 marks
Section C: Analytical / Application-based questions — 50 marks
SECTION A – Short Answer Questions (10 × 2 = 20 Marks)
All ten questions are compulsory and focus on basic definitions and core security concepts.
Define Authentication and Authorization.
Authentication: Confirms user/device identity (e.g., password, token, biometric).
Authorization: Determines access level or permissions granted after authentication.
Functions of Secret Key Cryptography:
Uses a single key for encryption and decryption.
Ensures data confidentiality, integrity, and authenticity in communication.
Size of Hash Value:
Typically 128–512 bits (MD5 → 128 bits, SHA-256 → 256 bits).
Random Number Generators:
Most are pseudo-random, generated using algorithms and seeds, not truly random.
Publish–Subscribe Model in IoT:
Enables asynchronous communication between devices via brokers (e.g., MQTT).
Preferred for scalability and low network load.
Technology Used in Access Control:
Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and biometric systems.
Concerns of Data Dissemination:
Unauthorized sharing, data leakage, lack of user consent, and privacy breaches.
Common Privacy Risk During Personal Data Collection:
Unauthorized data profiling and identity theft.
Cloud vs Traditional Data Centers:
Cloud offers on-demand scalability, virtualization, and pay-as-you-go flexibility.
Traditional centers are static and hardware-bound.
Security Benefits of Cloud Computing:
Centralized control, redundancy, automated backups, encryption, and continuous monitoring.
SECTION B – Descriptive Questions (3 × 10 = 30 Marks)
Attempt any three out of five.
(a) IoT Security Architecture and Attacks:
IoT security architecture includes perception, network, and application layers.
Common attacks:
Eavesdropping
Man-in-the-middle (MITM)
Denial of Service (DoS)
Firmware tampering
Device spoofing
(b) MQTT Protocol in IoT:
Lightweight publish–subscribe protocol for low-bandwidth, high-latency environments.
Ensures reliable message delivery using QoS (Quality of Service) levels 0, 1, and 2.
(c) Strong Authentication Methods for IoT Devices:
Multi-factor authentication (MFA)
Digital certificates (PKI-based)
Token-based authentication (OAuth, JWT)
Hardware security modules (HSMs)
(d) Unauthorized Access Prevention:
Role-based access, encryption, firewalls, and intrusion detection systems (IDS).
Secure boot and firmware integrity checks.
(e) IoT Platform Monitoring and Control:
Real-time dashboards track device health, firmware updates, and network traffic.
Uses protocols like MQTT, CoAP, and HTTP REST APIs.
SECTION C – Analytical / Application-Based Questions (5 × 10 = 50 Marks)
Attempt one part from each question (Q3–Q7).
Q3. Authentication Token Security
(a) Secure transmission of authentication tokens between client and server uses:
SSL/TLS encryption
Token expiration policies
Session-based validation
Refresh tokens for reauthorization
(b) Design considerations for avoiding improper authorization:
Enforce least-privilege principle
Validate user roles
Secure APIs with role-based access
Q4. Cryptography and Data Integrity
(a) Cryptographic controls in IoT messaging:
End-to-end encryption
Secure hashing (SHA, HMAC)
TLS over MQTT/CoAP
Digital signatures for non-repudiation
(b) IoT Node Authentication:
Devices verify authenticity via certificates, TPM (Trusted Platform Module), or blockchain.
Ensures data integrity through hash verification.
Q5. Access Management & Security Testing
(a) Access Management Solutions for IoT: Centralized IAM systems, OAuth 2.0, X.509 certificates.
Employ Zero Trust Architecture.
(b) IoT Device Attacks and Testing Activities:
Attacks: DDoS, firmware tampering, buffer overflow, replay, data sniffing.
Testing: Penetration testing, fuzzing, and vulnerability scanning.
Q6. Trust and Privacy
(a) Trust in IoT: Based on identity, reliability, and behavior of devices.
Components:
Trust establishment
Trust evaluation
Trust management
(b) Lightweight and Robust IoT Privacy Schemes:
Homomorphic encryption, differential privacy, and lightweight key management protocols like ECC (Elliptic Curve Cryptography).
Q7. Data Analytics & Cloud Integration
(a) Types of IoT Data Analytics:
Descriptive (what happened), Predictive (what will happen), Prescriptive (what should be done).
Cloud Communication:
IoT devices use MQTT/HTTP over TLS to send data to cloud platforms such as AWS IoT and Azure IoT Hub.
(b) Architectural Considerations in Cloud:
Multi-layered security, redundancy, encryption, isolation, and compliance (GDPR, ISO 27001).
Key Topics Covered
IoT security architecture & layers
Authentication, encryption, and access control
MQTT and data confidentiality
Privacy risks and data protection techniques
Cloud integration and analytics in IoT
Trust management and lightweight cryptography