Exploiting Smart Contracts for Capability-Based Access Control in the Internet of Things

Due to the rapid penetration of the Internet of Things (IoT) into human life, illegal access to IoT resources (e.g., data and actuators) has greatly threatened our safety. Access control, which specifies who (i.e., subjects) can access what resources (i.e., objects) under what conditions, has been recognized as an effective solution to address this issue. To cope with the distributed and trust-less nature of IoT systems, we propose a decentralized and trustworthy Capability-Based Access Control (CapBAC) scheme by using the Ethereum smart contract technology. In this scheme, a smart contract is created for each object to store and manage the capability tokens (i.e., data structures recording granted access rights) assigned to the related subjects, and also to verify the ownership and validity of the tokens for access control. Different from previous schemes which manage the tokens in units of subjects, i.e., one token per subject, our scheme manages the tokens in units of access rights or actions, i.e., one token per action. Such novel management achieves more fine-grained and flexible capability delegation and also ensures the consistency between the delegation information and the information stored in the tokens. We implemented the proposed CapBAC scheme in a locally constructed Ethereum blockchain network to demonstrate its feasibility. In addition, we measured the monetary cost of our scheme in terms of gas consumption to compare our scheme with the existing Blockchain-Enabled Decentralized Capability-Based Access Control (BlendCAC) scheme proposed by other researchers. The experimental results show that the proposed scheme outperforms the BlendCAC scheme in terms of the flexibility, granularity, and consistency of capability delegation at almost the same monetary cost.
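
The one-token-per-action management described in the abstract can be modelled off-chain as follows. This is an added example, not the paper's contract code: it is a Python model rather than Solidity, and the token fields, the expiry clipping and the cascading revocation rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Token:                      # one token per (subject, action); fields are assumed
    subject: str
    action: str
    parent: object                # delegating subject, None if issued by the owner
    can_delegate: bool
    expires_at: int               # stands in for a block timestamp
    children: set = field(default_factory=set)
    revoked: bool = False

class ObjectContract:
    """Off-chain model of the per-object contract state described in the abstract."""
    def __init__(self, owner):
        self.owner, self.tokens = owner, {}

    def _live(self, tok, now):
        return tok is not None and not tok.revoked and now < tok.expires_at

    def _store(self, tok):
        key = (tok.subject, tok.action)
        if key in self.tokens:    # refuse overwrite: keeps the delegation tree acyclic
            raise ValueError("token already exists for %s/%s" % key)
        self.tokens[key] = tok

    def issue(self, caller, subject, action, can_delegate, expires_at):
        if caller != self.owner:
            raise PermissionError("only the object owner issues root tokens")
        self._store(Token(subject, action, None, can_delegate, expires_at))

    def delegate(self, caller, subject, action, can_delegate, expires_at, now):
        parent = self.tokens.get((caller, action))
        if not self._live(parent, now) or not parent.can_delegate:
            raise PermissionError("caller holds no delegable token for " + action)
        # A delegated token never outlives the token it was derived from.
        self._store(Token(subject, action, caller, can_delegate,
                          min(expires_at, parent.expires_at)))
        parent.children.add(subject)

    def revoke(self, caller, subject, action):
        tok = self.tokens[(subject, action)]
        if caller not in (self.owner, tok.parent):
            raise PermissionError("only the owner or the delegator may revoke")
        stack = [tok]             # revoke the whole subtree for this one action
        while stack:
            t = stack.pop()
            t.revoked = True
            stack.extend(self.tokens[(c, action)] for c in t.children)

    def access(self, subject, action, now):
        return self._live(self.tokens.get((subject, action)), now)
```

Because the delegation links live inside the per-action tokens themselves, revoking one subject's `read` token removes `read` from everyone it was delegated to without touching any `write` token.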
