A privacy-preserving attribute-based framework for IoT identity lifecycle management

Abstract

The Internet of Things (IoT) has brought a new era of interconnected devices and seamless data exchange. As the IoT ecosystem continues to expand, there is an increasing need for effective identity management mechanisms, specifically for authorization processes and access control. The pervasiveness of such devices demands that desirable solutions tackle not only security properties but also privacy aspects like granular control over which identity data is shared in authentication/authorization processes, covering aspects like bootstrapping, enrolment, and service provision. In this context, it is natural to turn to privacy-enhancing technologies, like (privacy-preserving) Attribute-Based Credentials (p-ABC), for achieving both high security and privacy guarantees. Nonetheless, these technical tools need to be accompanied by a comprehensive approach that deals with the particularities of IoT scenarios and covers the full lifetime of the device. In this work, we propose the use of a p-ABC scheme with support for distributed issuance (dp-ABC) as a keystone for privacy-preserving attribute-based authentication and authorization in IoT scenarios. We integrate said cryptographic scheme with W3C’s Verifiable Credentials standard, evaluating its impact to gauge its feasibility. The integration facilitates adoption and, particularly, allows the solution to transparently coexist with simpler techniques in heterogeneous scenarios that demand them. Moreover, we define and analyse a generic and comprehensive framework for identity management that identifies challenges throughout the device’s lifetime to achieve IoT privacy-preserving identity management following self-sovereign principles. We show how the various aspects identified in the framework are tackled in a concrete instantiation as part of the H2020 project ERATOSTHENES.