Lightweight Session-Key Rekeying Framework for Secure IoT-Edge Communication

TL;DR

This paper introduces a lightweight, secure session-key rekeying protocol for IoT devices that enhances security with minimal performance impact, enabling scalable and robust IoT communication.

Contribution

It proposes the DSEKP protocol, a novel lightweight session-key rekeying framework using HKDF and HMAC, suitable for resource-constrained IoT devices, with practical implementation and benchmarking.

Findings

DSEKP achieves nearly identical throughput to static PSK with minimal latency overhead.

Provides per-session key isolation and replay protection for IoT communications.

Demonstrates practical feasibility on ESP32 and Raspberry Pi with extensive benchmarking.

Abstract

The proliferation of Internet of Things (IoT) networks demands security mechanisms that protect constrained devices without the computational cost of public-key cryptography. Conventional Pre-Shared Key (PSK) encryption, while efficient, remains vulnerable due to static key reuse, replay attacks, and the lack of key freshness. This paper presents the Dynamic Session Enhanced Key Protocol (DSEKP), a lightweight session-key rekeying framework that derives per-session AES-GCM keys using the HMAC-based Key Derivation Function (HKDF-SHA256) and authenticates session establishment through an HMAC proof in a single init-ack exchange. DSEKP was implemented on an ESP32 IoT sensor node and a Raspberry Pi 5 edge server communicating through a Mosquitto MQTT broker, and benchmarked against a static PSK baseline over more than 6,500 encrypted packets per configuration. The results demonstrate nearly identical throughput and reliability, with minimal runtime impact (approximately 27 percent one-time session-establishment latency and 10 percent per-packet payload overhead), while delivering per-session key isolation (assuming the long-term secret remains uncompromised) and built-in replay protection. The PSK baseline and DSEKP datasets are publicly archived on IEEE DataPort to enable full reproducibility and comparative benchmarking. These findings confirm that dynamic symmetric rekeying can substantially strengthen IoT-Edge links with minimal computational and bandwidth cost, offering a practical migration path from static PSK to session-aware and scalable IoT security.