Master's thesis; One-to-Many Secure Notification Responses for the IoT Using CoAP and Group OSCORE

In the Internet of Things (IoT), a large number of connectable devices will be connected to the Internet, with many of them being heterogeneous or resource-constrained in terms of processing power, memory, accessibility, and energy budget. For these reasons, it is important that IoT networks can rely on efficient communication models together with strong security solutions. Many IoT devices may communicate through assisting intermediaries, such as proxies or gateways, which can perform tasks including message forwarding and caching, or protocol translation.

State-of-the art protocols for IoT-based networks and applications are the standard Constrained Application Protocol (CoAP) and the standard security protocol Object Security for Constrained RESTful Environments (OSCORE). CoAP enables lightweight communication between client and server peers according to the same RESTful paradigm of HTTP, and it natively supports intermediary proxies. OSCORE efficiently protects CoAP messages at the application layer, providing end-to-end security between the client and server peers also in the presence of intermediaries.

One standard extension, of CoAP allows clients to "observe" resources at a server and to automatically receive notifications as unicast responses from the server, upon changes of the resource state.

In some use cases, such as applications based on publish-subscribe, multiple clients observe the same resource at the same server. Therefore, it would be convenient for the server to send a single, one-to-many notification addressed to all the clients observing the same target resource, e.g., over IP multicast. Securing these notifications using the security protocol Group OSCORE is desirable, thus protecting multicast notifications end-to-end between the server and the observer clients.

Description
The goal of this project is to design, implement, and evaluate a solution for enabling the sending of CoAP notifications as one-to-many responses over IP multicast, using the security protocol Group OSCORE to protect them end-to-end.

Ongoing activities within the international standardization body Internet Engineering Task Force (IETF) will be considered as a starting point for the work on the solution. RISE will provide background information and the necessary guidance during the Master Thesis work.

Key Responsibilities

• Study IoT communication and security protocols, with a focus on the Constrained Application Protocol (CoAP) and the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE).

• Design and implement a solution for (secure) sending of CoAP notifications as multicast response messages, by relying on relevant building blocks such as related IETF specifications and the Java Eclipse Californium framework.

• Experimentally evaluate the solution for multicast notifications. Performance assessment can include evaluation of memory usage, communication overhead, and efficiency.

• Evaluate the correctness and effectiveness of the implemented solution, also in the presence of an adversary.

• Document the activities and results as a thesis report.

Qualifications
We are looking for an ambitious, committed, and strongly motivated MSc student who has fulfilled the course requirements. Good Java programming skills are required, as is good spoken and written English. Experience with network and communication security is a plus.

Applications should include a brief personal statement, a CV, and a list of grades. The application has to mention previous activities or other projects that are relevant for the position.

Terms

• Scope: 30 hp, one semester full-time

• Location: Kista, Stockholm

• Start: January 2026

• Compensation: 39,990 SEK after the project is completed and approved

Please note: You need to have a valid student visa that allows you to study in Sweden during the thesis period.

Welcome with your application!
Last day of application: December 19, 2025

Candidates are encouraged to send in their application as soon as possible. Suitable applicants will be interviewed as applications are received. A successful candidate will have the opportunity to contribute to European Research & Development security projects.

Contact: Rikard Höglund (rikard.hoglund@ri.se) and Marco Tiloca (marco.tiloca@ri.se)