Print[PRINT] English[FLAG]
.  Home  .  Projekte  .  Embedded MSec Lab

The Embedded Multicast Security Lab

Securing group communication in constrained networks requires new solutions to be found, implemented and evaluated. This is especially true when group communication is desired, which turns out to be much more difficult to secure than point-to-point communications, as the sharing of keys along the group potentially lowers the security of the solutions. There is a variety of work on security in constrained networks, but most of them only pick one particular security property (e.g. μTesla) or are simply designed for a very specific use case (e.g. Group-DTLS for the lightening industry). This is especially true for group communication, which is a niche, but turns out to be very attractive for constrained networks.

Smart Homes, Cars, Factories, etc. are networks of such devices acting as one system from an outside point of view. Applying well known models of informatics, this networks can be seen as administrative domains (ADs). Following this idea, the owner of a certain system (e.g. the owner of a Smart Home) acts as the administrator to the system, who in turn should decide on who to give access the system and its data. In current deployments, this access is usually managed on top of the cloud instance by registering an external actor (e.g. a smartphone) with access to the cloud service. The external actor sends control messages or data requests to the cloud, acting as some sort of "proxy" forwarding or translating the messages to the constrained device or the network.


With multicasting being an interesting option for many use cases, we are currently developing a testbed, allowing flexible deployment of group communication scenarios and implementations of different solution for secure group communication. The testbed contains devices with different constraints, such as different microprocessor architectures - namely ARM Cortex M0 and ATmega328P, but also single board computers with the ARMv7 and ARMv8 architectures. They all communicate wired (Ethernet) or wireless (Bluetooth or WiFi). The testbed is able to simulate different kinds of communication groups:

a group of devices connected to one and the same access point. Each AP is managed by an Area Server (AS) separated with VLAN.
a group of devices sharing information using IP multicasting and being managed by the Group Management Server (GMS).
a group of devices sharing secure information using IPsec, being managed by the GMS, implemented on constrained devices.


Computing Hardware:

Device Architecture Clock Speed
Flash Memory
Arduino Uno
ATmega328 16MHz 32KB 2KB
Arduino M0+
ARM Cortex-M0+ 48MHz 256KB 32KB
Arduino Due
ARM Cortex-M3 84MHz 512KB 96KB
ARM Cortex-M0 48MHz 256KB 32KB
ARM Cortex M3 72MHz 128KB 20KB
ST Nucleo F401
ARM Cortex-M4 84MHz 512Kb 96Kb
ST Nucleo144-F429
ARM Cortex-M4 180MHz 2Mb 256Kb

Network Modules

  • Semtech SX1272 868/915MHZ Lora MBED SHIELD
  • Texas Instruments SimpleLinkWi-Fi CC3200
  • Microchip AT86RF233 Zigbee / 802.15.4
  • WIZnet Ethernet-Module W5100
  • SparkFun nRF51822 Bluetooth / 802.15.1

Controller Hardware:

Device Architecture Clock Speed
Flash Memory
Raspbery Pi v1
ARM1176JZF-S 700MHz

Raspbery Pi v3
ARM cortex-a53 1.2GHz Quad Core

Beaglebone Black
Cortex-A8 + Dual PRU 1000MHz 4GB

Networking Hardware

  • Netgear Prosafe GS748T Switch
  • Colubris MAP-625 Access Point
  • Laird Sentrius RG1 LoRa-Enabled Gateway
  • Digi CONNECTPORT X4 Gateway - ZigBee to Ethernet

Current activities

  • Design, Implementation and Evaluation of a Identity Based Signature (IBS) Scheme for group communication in constrained environments
  • Implementation and Evaluation of G-IKEv2 for Strongswan
  • Implementation and Evaluation of Walnut DSA for RIOT, FreeRTOS and Linux
  • Implementation and Evaluation of Diet-ESP for RIOT and Linux


    • Guggemos, T., Dynamic Key Distribution for Secure Group Communications in Constrained Environments, In Doctoral Consortium: Doctoral Consortium on e–Business and Telecommunications, 2018, SECRYPT, ICETE, Porto, Portugal, 07, 2018.
    • gentschen Felde, N., Guggemos, T., Heider, T., Kranzlmüller, D., Secure Group Key Distribution in Constrained Environments with IKEv2, Proceedings of 2017th IEEE Conference on Dependable and Secure Computing, IEEE, Taipei , Taiwan , 08, 2017.

Student Work

Master Thesis

    • Grundner–Culemann, S., Identity–based source authentication in constrained networks, Ludwig–Maximilians–Universität München, 10, 2017.

Bachelor Thesis

    • Melnikov, A., A Testbed for Evaluating ID–based Authentication in Constrained Networks, Ludwig–Maximilians–Universität München, 07, 2018.
    • Treutner, T., Evaluation effizienter Schlüsselbäume für hierarchische identitätsbasierte Signaturen im IoT, Ludwig–Maximilians–Universität München, 06, 2018.
    • Goetzendorff, E., CAKE — Hybrides Gruppenschlüsselmanagementprotokoll für RIOT OS, Ludwig–Maximilians–Universität München, 05, 2018.
    • Yosofie, M., CAKE — Hybrides Gruppenschlüsselmanagementprotokoll für RIOT OS, Ludwig–Maximilians–Universität München, 05, 2018.
    • Engelbrecht, W., Group Key Management with Strongswan, Ludwig–Maximilians–Universität München, 01, 2018.
    • Rehms, S., Dezentrale Datenverteilung mit TPM–basierter Authentifizierung , Ludwig–Maximilians–Universität München, 01, 2018.
    • Haslberger, K., Kim, D. H., Seil, S., Implementierung und Evaluation von WalnutDSA als Modul für FreeRTOS, Riot und Linux Kernel, Ludwig–Maximilians–Universität München, 12, 2017.
    • Edmonds, K. O., IoT meets HPC: Securely transferring wireless sensor data to a supercomputer utilizing the LRZ Cloud, Ludwig–Maximilians–Universität München, 10, 2017.
    • Pauls, P., Parallelization of AES on Raspberry Pi GPU in Assembly, Ludwig–Maximilians–Universität München, 07, 2017.
    • Heider, T., Minimal G–IKEv2 implementation for RIOT OS, Ludwig–Maximilians–Universität München, 04, 2017.


For further information or access to the testbed, please contact


Dr. N. gentschen Felde

T. Guggemos, MSc

J. Schmidt, MSc

M. Höb, MSc