A capability-based security approach to manage access control in the Internet of Things

Abstract: Resource and information protection plays an important role in distributed systems such as those found in the Internet of Things (IoT). Authorization frameworks like RBAC and ABAC do not provide scalable, manageable, effective, and efficient mechanisms to support distributed systems with many interacting services. Nor can they effectively support the dynamicity and scaling needs of IoT contexts, which envisage a potentially unbounded number of sensors, actuators and related resources, services and subjects, as well as a greater relevance of short-lived, unplanned and dynamic interaction patterns. Furthermore, as more end-users start using smart devices (e.g. smartphones, smart home appliances, etc.), the need for more scalable, manageable, understandable and easy-to-use access control mechanisms increases. This paper describes a capability-based access control system that enterprises, or even individuals, can use to manage their own access control processes to services and information. The proposed mechanism supports rights delegation and a more sophisticated access control customization. The proposed approach is being developed within the European FP7 IoT@Work project to manage access control to some of the project’s services deployed on the shop floor.
