Access control in the Internet of Things: a survey of existing approaches and open research questions

The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue for ensuring trust in the IoT. Several access control models are available today, each with different features that make it more or less suitable for the IoT. This article provides a comprehensive survey of these models, covering both access control models (e.g., DAC, MAC, RBAC, ABAC) and access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LWM2M, AllJoyn). The suitability of each model or framework for the IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies, and usable security.
