The Internet of Things (IoT) is a dynamic network of devices and infrastructure supporting instances composed to platforms being based on cloud/fog and blockchain technologies. Its intervention in more and more sensitive areas requires IoT entities (devices and platform instances) to communicate with each other via secure channels generally established by using cryptographical methods. This needs an authentic key exchange, which in turn requires an authentication process. Moreover, it has to be ensured that client entities can access only authorized services provided by authorized server entities. Additionally, requirements specifically introduced by IoT complicate realizing these security goals even more. This article introduces a novel approach providing authentication, authorization, access control, and key exchange in instance-to-instance, device-to-instance, and device-to-device communications to handle cloud/fog-based and blockchain-based platforms. In contrast to related work, realizations of these security goals are not disjunct processes and are integrated with each other in our approach combining zero-knowledge and identity-based schemes while meeting the IoT security requirements. Thus, it does not require any public data pre-distribution or secret pre-sharing between communicating entities, and no entity has to hold any device-specific or instance-specific data to be used for authentication or authorization. While supporting the autonomous character of IoT, our approach is independent of application and platform types without requiring additional components or procedures. Moreover, it is resistant to active man-in-the-middle attacks and does not include costly cryptographic operations. This article also demonstrates the high performance of our approach with regard to multiple affecting factors.
Read full abstract