Design and development of an access control architecture for the Internet of Things
Thesis posted on 28.03.2022, 22:52, authored by Shantanu Pal
The emergence of the Internet of Things (IoT) has already produced significant changes in our everyday lives, where everything and anything can be connected and can communicate in the cyber-physical world. With the proliferation of smart mobile devices, intelligent sensors, wearable devices, and ubiquitous Internet and cloud computing, the use of the IoT is growing at an increasing rate. However, this growth poses numerous challenges for the designers and users of these systems. One significant challenge is the provision of security within the IoT. The high mobility of things and the potential scale of the systems in the number of things and users, combined with dynamic network topology and wireless communication mediums, create a challenging environment. This is only exacerbated by the limitations in device memory, battery life and processing capacity, which argue against the use of ‘heavy-weight’ security architectures. In this thesis, we examine security mechanisms for large-scale IoT systems, in particular, the need for access control, identity management, delegation of access rights and the provision of trust within such systems. We propose an access control architecture for the IoT. Our policy-based approach provides fine-grained access for authorized users to services while protecting valuable resources from unauthorized access. We use a hybrid approach by employing attributes, roles and capabilities for our authorization design. We apply attributes for role membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterized based on further attributes of the user and are then used to access specific services provided by IoT devices. This significantly reduces the number of policies required for specifying access control settings. The proposed scheme is XACML-driven.
We also propose an identity-less, asynchronous and decentralized delegation model for the IoT that leverages blockchain technology. We describe system components, architecture and key aspects related to the security of the system for both the access control and access control delegation models. One significant theme of this thesis is the use of attributes for identifying an entity rather than depending upon the unique concrete identity of that entity. That is, we use attributes to validate an entity rather than depending upon unique identities. We have implemented a proof-of-concept prototype of the proposed access control architecture and provide a detailed performance analysis of the implementation. Evaluation results show that our access control approach requires minimal additional overhead when compared to other proposals employing capabilities for access control in the IoT. For the delegation of access rights, we demonstrate the feasibility of the model through use-case examples and analyze the performance with a proof-of-concept testbed implementation using a private Ethereum blockchain. To better understand IoT identity, we outline the foundations for building a formal model of IoT identity based on attributes. We take the approach of attribute-based identity and examine the notion of trust in an IoT context. We propose a trust model for the IoT by considering the uncertainty that exists in such systems. The contributions of the thesis show that it is feasible to incorporate the use of attributes in all these cases, including access control, delegation of access rights, management and modeling of identity and finally building the notion of trust, to achieve both fine-grained and flexible system design in large-scale IoT systems.
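As an added illustration of the attribute, role and capability flow the abstract describes (not code from the thesis or its prototype): attributes decide role membership, a role grants a capability parameterized by a further attribute, and the device checks the capability. The rule tables, the `ward` attribute, the HMAC token format and the shared key are assumptions made for this example; the thesis's XACML policies are not reproduced.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: key shared by issuer and device

# Assumed role-membership rules: a role is granted when every listed attribute matches.
ROLE_RULES = {
    "nurse": {"department": "cardiology", "certified": True},
    "technician": {"employer": "vendor-a"},
}
# Assumed role -> capability templates; "{ward}" is filled from the user's attributes.
ROLE_CAPS = {
    "nurse": [("read", "ward/{ward}/heart-monitor")],
    "technician": [("update", "ward/{ward}/firmware")],
}

def roles_for(attrs):
    """Attribute-based role assignment: no user identity is consulted."""
    return sorted(role for role, need in ROLE_RULES.items()
                  if all(attrs.get(k) == v for k, v in need.items()))

def _mac(body):
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue_capabilities(attrs, now, ttl=300):
    """Issue one signed, expiring capability per template of each role held.
    Attributes are assumed to come from a trusted attribute authority."""
    caps = []
    for role in roles_for(attrs):
        for action, template in ROLE_CAPS[role]:
            try:
                resource = template.format(**attrs)
            except KeyError:
                continue  # parameter attribute missing: issue nothing
            body = json.dumps({"act": action, "res": resource, "exp": now + ttl},
                              sort_keys=True).encode()
            caps.append({"body": body.decode(), "mac": _mac(body)})
    return caps

def device_allows(cap, action, resource, now):
    """Device-side check: one HMAC, one expiry test, one exact match."""
    body = cap["body"].encode()
    if not hmac.compare_digest(_mac(body), cap["mac"]):
        return False
    claim = json.loads(body)
    return claim["exp"] > now and (claim["act"], claim["res"]) == (action, resource)
```

Two templates cover every ward here because the ward is a capability parameter rather than a separate policy per ward, which is the policy-count reduction the abstract refers to.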