Expressive Policy-Based Access Control for Resource-Constrained Devices

Upcoming smart scenarios enabled by the Internet of Things envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multi-stakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Therefore, strong security is a must. Nevertheless, existing feasible approaches do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In this paper, we propose an access control model that comprises a policy language that provides dynamic fine-grained policy enforcement in the sensors based on local context conditions. This dynamic policy cycle requires a secure, efficient, and traceable message exchange protocol. For that purpose, a security protocol called Hidra is also proposed. A security and performance evaluation demonstrates the feasibility and adequacy of the proposed protocol and access control model.This work was supported in part by the Training and Research Unit through UPV/EHU under Grant UFI11/16 and in part by the Department of Economic Development and Competitiveness of the Basque Government through the Security Technologies SEKUTEK Collaborative Research Projec

Hierarchal attribute based cryptographic model to handle security services in cloud environment: a new model

The sharing of information in the cloud is a unique element of the environment, but there is a risk that the information may land with the wrong people. To counterattack this problem, security-associated methodologies were used to secure the information that was readily available to clients. Despite the lack of benefits, this provides productive/adaptability and dependability in access control strategies between clients in the sharing of information. The novel hierarchal attribute-based cryptographic security model (NHACSM) is being proposed to provide adaptability, versatility, and access control in sharing information in the appropriate climate. This model allows clients to share information in a hierarchal way, allowing for a productive assessment of access control strategy and improved security. The NHACSM method is used to reduce the total time values for different user instances compared to conventional approaches, for example, attribute-set-based encryption (ASBE), key-policy attribute-based encryption (KP-ABE), and ciphertext-policy attribute-based encryption (CP-ABE). With respect to 10 instances existing methods achieve 2.7, 2.5, and 2.3 respectively, and also compared to 20, 30, 40, and 50 instances, our proposed method is low. The encryption and decryption time evaluation values and performance evaluation of different approaches, ASBE, CP-ABE, were taken into account when increasing the user instance

Footsteps in the fog: Certificateless fog-based access control

The proliferating adoption of the Internet of Things (IoT) paradigm has fuelled the need for more efficient and resilient access control solutions that aim to prevent unauthorized resource access. The majority of existing works in this field follow either a centralized approach (i.e. cloud-based) or an architecture where the IoT devices are responsible for all decision-making functions. Furthermore, the resource-constrained nature of most IoT devices make securing the communication between these devices and the cloud using standard cryptographic solutions difficult. In this paper, we propose a distributed access control architecture where the core components are distributed between fog nodes and the cloud. To facilitate secure communication, our architecture utilizes a Certificateless Hybrid Signcryption scheme without pairing. We prove the effectiveness of our approach by providing a comparative analysis of its performance in comparison to the commonly used cloud-based centralized architectures. Our implementation uses Azure – an existing commercial platform, and Keycloak – an open-source platform, to demonstrate the real-world applicability. Additionally, we measure the performance of the adopted encryption scheme on two types of resource-constrained devices to further emphasize the applicability of the proposed architecture. Finally, the experimental results are coupled with a theoretical analysis that proves the security of our approach

Impact assessment of policy expressivenessof an optimised access control model forsmart sensors

In the incoming internet of things (IoT) applications, smart sensors expose services to interact with them, to be parameterised, managed and maintained. Therefore, fine-grained end-to-end access control enforcement is mandatory to tackle the derived security requirements. However, it is still not feasible in very constrained devices. There is an innovative access control model that conveys an expressive policy language and an optimised codification for tight and flexible access control enforcement in very constrained devices. Such tightness enabled by the expressiveness of the policy language leads to detailed policy instances that might impact on the performance and therefore, in the feasibility and further applicability. In this context, this study assesses how the policy length impacts the performance of the establishment of a security association through the protocol named Hidra proposed by such an adapted access control model. Consequently, the notable results of the performance evaluation prove the feasibility and adequacy of this access control model for the new smart IoT scenarios.Part of this work is funded by the Department of Economic Development and Competitiveness of the Basque Government through the SEKUrtasun TEKnologiak SEKUTEK KK-2017/00044 collaborative research project and by the Spanish Ministry of Economy, Industry and Competitiveness through the State Secretariat for Research, Development and Innovation under the 'Adaptive Management of 5G Services to Support Critical Events in Cities (5G-City)' project TEC2016-76795-C6-5-R

Practical and Scalable Access Control Mechanism for the Internet of Things

Internet of Things (IoT) promises a strong world connecting digital and physical enviromments. Nevertheless, such a framework comes with huge security and privacy vulnerabilities, due to the heterogeneous nature of devices and of the diversity of their provenance. Other noticeable, technical challenges in IoT are brought with the constrained resources of devices, forcing to design protocol as lightweight as possible. In this paper, we present a new system with access control key updates and direct user revocation, that are beneficial features in IoT. Access control is done using Ciphertext-Policy Attribute-Based Encryption where attributes represent roles of devices within their networks. Moreover, we devise a novel approach, based on a binary tree, to append time credentials. This allows us to find an interesting trade-off between key update frequency and user revocation list length, as well as stressing time-sensitive data exchanged in IoT environments. The security of our scheme is proved under the Decisional Bilinear Diffie-Hellman Exponent assumption. Future work will focus on the implementation and analysis of our solution, in order to confirm that the latter is fully deployable in IoT networks

Privacy-Aware Architectures for NFC and RFID Sensors in Healthcare Applications

World population and life expectancy have increased steadily in recent years, raising issues regarding access to medical treatments and related expenses. Through last-generation medical sensors, NFC (Near Field Communication) and radio frequency identification (RFID) technologies can enable healthcare internet of things (H-IoT) systems to improve the quality of care while reducing costs. Moreover, the adoption of point-of-care (PoC) testing, performed whenever care is needed to return prompt feedback to the patient, can generate great synergy with NFC/RFID H-IoT systems. However, medical data are extremely sensitive and require careful management and storage to protect patients from malicious actors, so secure system architectures must be conceived for real scenarios. Existing studies do not analyze the security of raw data from the radiofrequency link to cloud-based sharing. Therefore, two novel cloud-based system architectures for data collected from NFC/RFID medical sensors are proposed in this paper. Privacy during data collection is ensured using a set of classical countermeasures selected based on the scientific literature. Then, data can be shared with the medical team using one of two architectures: in the first one, the medical system manages all data accesses, whereas in the second one, the patient defines the access policies. Comprehensive analysis of the H-IoT system can be useful for fostering research on the security of wearable wireless sensors. Moreover, the proposed architectures can be implemented for deploying and testing NFC/RFID-based healthcare applications, such as, for instance, domestic PoCs

Fine-grained access control framework for Igor, a unified access solution to the Internet of Things

With the growing popularity of the Internet of Things (IoT), devices in households and offices are becoming information sharing "smart" devices controlled via network connections. The growth of collection, handling and distribution of data generated by IoT devices presents ethical and privacy issues. Users have no control over what information is kept or revealed, the interpretation of data collected, data ownership and who can access specific information generated by their IoT devices. This paper describes an approach to data ethical/privacy issues related to IoT using a fine-grained access-control framework on Igor, a centralized home and office automation solution. We designed a capability-based access control framework on top of Igor that allows agents, either human or machine, to access and change only the data to which they are authorised. The applicability of this to the European General Data Protection Regulation (GDPR) should be obvious. The implementation, expert evaluation and performance measurement results demonstrate that this is a promising solution for securing access to data generated by IoT devices

A PHR system with policy-based fine-grained access control and revocation mechanism

Collaborative sharing of information is becoming much more needed technique to achieve complex goals in today's fast-paced tech-dominant world. Personal Health Record (PHR) system has become a popular research area for sharing patients informa- tion very quickly among health professionals. PHR systems store and process sensitive information, which should have proper security mechanisms to protect patients' private data. Thus, access control mechanisms of the PHR should be well-defined. Secondly, PHRs should be stored in encrypted form. Cryptographic schemes offering a more suitable solution for enforcing access policies based on user attributes are needed for this purpose. Attribute-based encryption can resolve these problems, we propose a patient-centric framework that protects PHRs against untrusted service providers and malicious users. In this framework, we have used Ciphertext Policy Attribute Based Encryption scheme as an efficient cryptographic technique, enhancing security and privacy of the system, as well as enabling access revocation. Patients can encrypt their PHRs and store them on untrusted storage servers. They also maintain full control over access to their PHR data by assigning attribute-based access control to selected data users, and revoking unauthorized users instantly. In order to evaluate our system, we implemented CP-ABE library and web services as part of our framework. We also developed an android application based on the framework that allows users to register into the system, encrypt their PHR data and upload to the server, and at the same time authorized users can download PHR data and decrypt it. Finally, we present experimental results and performance analysis. It shows that the deployment of the proposed system would be practical and can be applied into practice

Blockchain Securities Issues: Decentralized Identity System With Key Management Perspective

Blockchain was created many years ago to solve the problems of data transfer Integrity, several years later the issues persist. Blockchain securities are one of the most important considerations to be investigated, and data integrity is about ensuring the accuracy and validity of messages such that when they are read, they are the same as when they were first written. It is of the opinion that passing information across from one person to another cannot be the same as it was first said at the onset. Our work investigated Blockchain security issues, studying Integrity emanating from transactions across the blocks and how to deal with the securities issues. It also investigated decentralization and issues in blockchain to investigate how to mitigate the security issues associated with blockchain. It further discusses the use of key management in solving security issues in blockchain, viewing different key management systems of private and public keys, and solutions in addressing the blockchain problems. Lastly, we contributed the use of Decentralized Identity systems (DIDs) into the blockchain where we use a unique identifier, “ID.me” to verifier the individual credentials before any transaction, this was done by sending a digital ID through the issuer to the verifier to authenticate the integrity and identity of the holder and this proof worthy of protecting the information and maintaining the privacy of the user of the blockchain technology

Footsteps in the fog: Certificateless fog-based access control

The proliferating adoption of the Internet of Things (IoT) paradigm has fuelled the need for more efficient and resilient access control solutions that aim to prevent unauthorized resource access. The majority of existing works in this field follow either a centralized approach (i.e. cloud-based) or an architecture where the IoT devices are responsible for all decision-making functions. Furthermore, the resource-constrained nature of most IoT devices make securing the communication between these devices and the cloud using standard cryptographic solutions difficult. In this paper, we propose a distributed access control architecture where the core components are distributed between fog nodes and the cloud. To facilitate secure communication, our architecture utilizes a Certificateless Hybrid Signcryption scheme without pairing. We prove the effectiveness of our approach by providing a comparative analysis of its performance in comparison to the commonly used cloud-based centralized architectures. Our implementation uses Azure – an existing commercial platform, and Keycloak – an open-source platform, to demonstrate the real-world applicability. Additionally, we measure the performance of the adopted encryption scheme on two types of resource-constrained devices to further emphasize the applicability of the proposed architecture. Finally, the experimental results are coupled with a theoretical analysis that proves the security of our approach