Authorization Transparency for Accountable Access to IoT Services

Highly distributed smart environments, such as Smart Cities, require scalable architectures to support a large number of stakeholders that share Internet of Things (IoT) resources and services. We focus on authorization solutions that regulate access of users to smart objects and consider scenarios where a large number of smart objects owners want to share the resources of their devices in a secure way. A popular solution is to delegate third parties, such as public Cloud services, to mediate authorization procedures among users and smart objects. This approach has the disadvantage of assuming third parties as trusted proxies that guarantee correctness of all authorization procedures. In this paper, we propose a system that allows to audit authorizations managed by third parties, to detect and expose their misbehaviors to users, smart objects owners and, possibly, to the public. The proposed system is inspired by the transparency projects used to monitor Web Certification Authorities, but improves over existing proposals through a twofold contribution. First, it is specifically designed for IoT devices, provided with little resources and distributed in constrained environments. Second, it complies to current standard authorization protocols and available open-source software, making it ready to be deployed.

[1]  Joseph Bonneau,et al.  EthIKS: Using Ethereum to Audit a CONIKS Key Transparency Log , 2016, Financial Cryptography Workshops.

[2]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[3]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, IEEE Symposium on Security and Privacy.

[4]  Tahir Ahmad,et al.  A Lazy Approach to Access Control as a Service (ACaaS) for IoT: An AWS Case Study , 2018, SACMAT.

[5]  Michele Colajanni,et al.  A symmetric cryptographic scheme for data integrity verification in cloud databases , 2018, Inf. Sci..

[6]  Srinivas Devadas,et al.  Catena: Efficient Non-equivocation via Bitcoin , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[7]  Laura Ricci,et al.  A blockchain based approach for the definition of auditable Access Control systems , 2019, Comput. Secur..

[8]  Hannes Tschofenig,et al.  Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) , 2020, RFC.

[9]  Michael J. Freedman,et al.  CONIKS: Bringing Key Transparency to End Users , 2015, USENIX Security Symposium.

[10]  Phil Hunt,et al.  OAuth 2.0 Threat Model and Security Considerations , 2013, RFC.

[11]  Benny Pinkas,et al.  FairplayMP: a system for secure multi-party computation , 2008, CCS.

[12]  Latifur Khan,et al.  SGX-Log: Securing System Logs With SGX , 2017, AsiaCCS.

[13]  Giacomo Verticale,et al.  BlAsT: Blockchain-Assisted Key Transparency for Device Authentication , 2018, 2018 IEEE 4th International Forum on Research and Technology for Society and Industry (RTSI).

[14]  Michele Colajanni,et al.  Enforcing Correct Behavior without Trust in Cloud Key-Value Databases , 2015, 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing.

[15]  Michele Colajanni,et al.  Verifiable Delegated Authorization for User-Centric Architectures and an OAuth2 Implementation , 2017, 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC).

[16]  Elaine Shi,et al.  Authenticated data structures, generically , 2014, POPL.

[17]  Ragib Hasan,et al.  Probe-IoT: A public digital ledger based forensic investigation framework for IoT , 2018, IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).

[18]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[19]  Adam Langley,et al.  Certificate Transparency , 2014, RFC.

[20]  Antonio Puliafito,et al.  Stack4Things: Integrating IoT with OpenStack in a Smart City context , 2014, 2014 International Conference on Smart Computing Workshops.

[21]  Helen J. Wang,et al.  Enabling Security in Cloud Storage SLAs with CloudProof , 2011, USENIX ATC.

[22]  Aniket Kate,et al.  Liar, Liar, Coins on Fire!: Penalizing Equivocation By Loss of Bitcoins , 2015, CCS.

[23]  Oscar Novo,et al.  Blockchain Meets IoT: An Architecture for Scalable Access Management in IoT , 2018, IEEE Internet of Things Journal.

[24]  Nikos Fotiou,et al.  Access control as a service for the Cloud , 2015, Journal of Internet Services and Applications.

[25]  Francesco Longo,et al.  Blockchain-Based IoT-Cloud Authorization and Delegation , 2018, 2018 IEEE International Conference on Smart Computing (SMARTCOMP).