An authentication and access control framework for CoAP-based Internet of Things

Internet of Things (IoT) and Cyber-Physical Systems (CPS) are two very active research topics today, and more and more products are appearing on the market. Research has shown that a Service Oriented Architecture (SOA) can enable distributed applications and device-to-device communication even on very resource-constrained devices, and can thus play an important role for IoT and CPS. In order to realize the vision of the Internet of Things, communication between devices must be secured. Security mechanisms for resource-constrained devices have attracted much interest from the academic community, and research groups have shown that solutions such as IPsec, VPN tunnels and (D)TLS are feasible on this type of network. However, even though the use of such well-known security mechanisms is vital for protecting SOA-based IoT/CPS networks and systems, they protect the communication channel but do not provide any fine-grained access control. In this paper, a CoAP-based framework for service-level access control on low-power devices is presented. The framework allows fine-grained access control on a per-service and per-method basis. For example, a device can allow one group of users read/write access to its services while allowing another group read access only. Users without the right credentials are not even allowed to discover the available services. To demonstrate the validity of the proposed approach, several implementations are presented together with test results. The aim is to provide a holistic framework for secure SOA-based low-power networks composed of resource-constrained devices.
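The per-service, per-method access control the abstract describes, shown as an added example in Python; this is not the paper's implementation. The group names, resource paths, ACL layout, PBKDF2-based credential check and the choice to answer an unauthorized path with 4.04 rather than 4.03 are all assumptions made here for illustration. The example goes slightly beyond the abstract by also filtering the `/.well-known/core` discovery listing, so that a client only sees resources on which it holds at least one permission.

```python
"""Per-service, per-method access control for a CoAP-style server.

Added example, not code from the paper. Group names, resource paths, the
ACL shape and the credential check are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# CoAP method codes from RFC 7252, section 5.8.1
GET, POST, PUT, DELETE = 1, 2, 3, 4

# Constructed ACL: resource path -> {group: set of permitted method codes}.
# "operators" may read and write the actuator; "viewers" may only read the
# sensor; nobody is listed for /admin/reboot, so no client can discover it.
ACL = {
    "/sensors/temp": {"operators": {GET}, "viewers": {GET}},
    "/actuators/valve": {"operators": {GET, PUT}},
    "/admin/reboot": {},
}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Account:
    salt: bytes
    digest: bytes
    group: str


def make_account(password: str, group: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _pbkdf2(password, salt), group)


# Constructed user database: username -> Account (assumed, for illustration)
USERS = {
    "alice": make_account("operator-secret", "operators"),
    "bob": make_account("viewer-secret", "viewers"),
}


def authenticate(username: str, password: str):
    """Return the caller's group, or None if the credentials are wrong.
    A constant-time comparison avoids leaking how much of the digest matched."""
    acct = USERS.get(username)
    if acct is None:
        # Hash anyway so an unknown user costs the same time as a bad password.
        _pbkdf2(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_pbkdf2(password, acct.salt), acct.digest):
        return None
    return acct.group


def permitted_methods(group, path) -> set:
    """Methods the group may invoke on the path; empty if none or path unknown."""
    if group is None:
        return set()
    return set(ACL.get(path, {}).get(group, set()))


def discover(group) -> str:
    """Filtered /.well-known/core listing in RFC 6690 link format: a client
    only sees resources on which it holds at least one permission."""
    visible = [p for p in ACL if permitted_methods(group, p)]
    return ",".join(f"<{p}>" for p in sorted(visible))


def handle_request(username, password, method, path):
    """Return a (CoAP response code, payload) tuple for one request."""
    group = authenticate(username, password)
    if group is None:
        return ("4.01", "")                      # Unauthorized
    if path == "/.well-known/core":
        return ("2.05", discover(group))         # Content
    allowed = permitted_methods(group, path)
    if not allowed:
        # Deny and hide: a forbidden path is indistinguishable from a missing one.
        return ("4.04", "")                      # Not Found
    if method not in allowed:
        return ("4.05", "")                      # Method Not Allowed
    if method == GET:
        return ("2.05", f"value of {path}")      # Content
    return ("2.04", "")                          # Changed


if __name__ == "__main__":
    print(handle_request("bob", "viewer-secret", GET, "/.well-known/core"))
    print(handle_request("bob", "viewer-secret", PUT, "/actuators/valve"))
```

In a real deployment the credential check would sit behind DTLS (or another channel-protection mechanism named in the abstract) so that passwords are never exposed on the air; the point the example isolates is the authorization decision that the channel security alone does not make.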
