FairAccess: a new Blockchain-based access control framework for the Internet of Things
Authors
Aafaf Ouaddah (corresponding author), Oscars Laboratory, ENSA of Marrakesh, Cadi Ayyad University, BP 575, 40000 Marrakech, Morocco. E-mail: [email protected]
Anas Abou Elkalam, Oscars Laboratory, ENSA of Marrakesh, Cadi Ayyad University, BP 575, 40000 Marrakech, Morocco
Abdellah Ait Ouahman, Oscars Laboratory, ENSA of Marrakesh, Cadi Ayyad University, BP 575, 40000 Marrakech, Morocco
Abstract
Security and privacy are major challenges in Internet of Things (IoT) environments, and the harmonization of IoT-related standards and protocols is spreading only slowly and with difficulty. In this paper, we propose a new framework for access control in the IoT based on blockchain technology. Our first contribution is a reference model for the proposed framework within the Objectives, Models, Architecture and Mechanism specification for the IoT. In addition, we introduce FairAccess as a fully decentralized, pseudonymous and privacy-preserving authorization management framework that enables users to own and control their data. To implement our model, we use and adapt the blockchain as a decentralized access control manager. Unlike financial Bitcoin transactions, FairAccess introduces new types of transactions that are used to grant, get, delegate, and revoke access. As a proof of concept, we present an initial implementation on a Raspberry Pi device with a local blockchain. Finally, we discuss some limitations and propose further opportunities. Copyright © 2017 John Wiley & Sons, Ltd.