Authentication of Things: Authentication and Access Control for the Entire IoT Device Life-Cycle
Abstract. As the number of Internet of Things (IoT) devices already grows faster than the population, the need for strong authentication and access control mechanisms is greater than ever. Legacy authentication schemes are usually computationally expensive, which makes them unsuitable for resource-constrained IoT devices. On the other hand, solutions that target such devices typically base their access control mechanism solely on authentication. In a complex smart environment, however, IoT devices often offer and consume a range of resources, which demands a fine-grained access control mechanism. In addition, the IoT paradigm also calls for safe interoperability among devices that belong to different smart environments. Finally, there is a lack of authentication and access control solutions that cover the entire IoT device life-cycle, i.e., from device manufacturing to decommissioning. In this work, we propose Authentication of Things (AoT), a holistic authentication and fine-grained access control solution for the entire IoT device life-cycle. AoT comprises a suite of protocols that relies on Identity-Based Cryptography (IBC) to distribute keys and authenticate devices, as well as on Attribute-Based Cryptography (ABC) to cryptographically enforce fine-grained Attribute-Based Access Control (ABAC). We evaluate an AoT prototype at different security levels, implemented on a variety of platforms representing a wide range of IoT devices, from smartphones to microcontrollers. Our results indicate that AoT performance ranges from affordable on resource-constrained devices to highly efficient on powerful devices.