Volume 3 - Issue 3 - 4
Distributed Capability-based Access Control for the Internet of Things
- Jose L. Hernandez-Ramos
Department of Information and Communications Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain.
jluis.hernandez@um.es
- Antonio J. Jara
Institute of Information Systems, University of Applied Sciences Western Switzerland (HES-SO), Sierre, Switzerland
jara@ieee.org
- Leandro Marin
Department of Information and Communications Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain.
leandro@um.es
- Antonio F. Skarmeta
Department of Information and Communications Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain.
skarmeta@um.es
Keywords: Security, Distributed access control, Cryptographic primitives, Internet of Things
Abstract
The evolution of the Internet towards the Internet of Things is being deployed in emerging cyber-physical systems such as access control solutions, alert networks, building automation, and the extension of all these systems into Smarter Cities. This extension and proliferation of the technology in our lives also presents security challenges, since unexpected leaks of information and illegitimate access to data and physical systems could have a high impact on our lives. This work proposes a cryptographic solution against insider threats through distributed capability-based access control. This access control solution supports the management of certificates, authentication, and authorization processes. The capability-based approach offers benefits in terms of distributed management, support for delegation, traceability of access, authentication chains to extend scalability, and support for standard certificates based on Elliptic Curve Cryptography (ECC). Specifically, a capability token for CoAP resources has been designed, which is signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) in order to ensure end-to-end authentication, integrity and non-repudiation. This distributed solution allows the deployment of scenarios without the intervention of any intermediate entity; a distributed scenario with end-to-end access control validation has been implemented, deployed, and evaluated based on the Jennic/NXP JN5139 module. The results obtained through our experiments demonstrate the feasibility of the proposed approach: in numbers, the complete validation process (including signature validation on the smart objects) required an average of 480 ms.
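The abstract describes an ECDSA-signed capability token for CoAP resources that a smart object validates end to end, without an intermediate entity. The following Go program is an added illustration of that idea and is not the paper's own code or token format: the token fields (issuer, subject, resource, permitted methods, expiry), their JSON encoding, and the use of P-256 with ASN.1 DER signatures are assumptions made for this example. The issuer signs the token; the constrained server verifies the signature before trusting any claim, then checks expiry, resource and method, so a holder who edits the token to widen its permissions is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CapabilityToken is a hypothetical token layout; the paper's exact fields are
// not given on this page, so these are assumptions for illustration.
type CapabilityToken struct {
	Issuer   string   `json:"ii"` // entity that issued (and signed) the token
	Subject  string   `json:"su"` // entity presenting the token
	Resource string   `json:"re"` // CoAP resource the token grants access to
	Methods  []string `json:"me"` // CoAP methods permitted on that resource
	NotAfter int64    `json:"na"` // expiry as Unix seconds
}

// SignedToken carries the token with an ASN.1 DER ECDSA signature over the
// SHA-256 digest of the token's canonical JSON encoding.
type SignedToken struct {
	Token     CapabilityToken `json:"token"`
	Signature []byte          `json:"sig"`
}

// canonicalBytes produces the bytes that are signed. encoding/json emits struct
// fields in declaration order, so the encoding is deterministic.
func canonicalBytes(tok CapabilityToken) ([]byte, error) {
	return json.Marshal(tok)
}

// IssueToken signs a capability with the issuer's ECDSA (P-256) private key.
func IssueToken(priv *ecdsa.PrivateKey, tok CapabilityToken) (SignedToken, error) {
	payload, err := canonicalBytes(tok)
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Token: tok, Signature: sig}, nil
}

// Authorize is the check a CoAP server performs when a request carries a token:
// verify the signature first, so an altered token is rejected before any claim
// is trusted, then check expiry, the requested resource and the method.
func Authorize(issuerPub *ecdsa.PublicKey, st SignedToken, resource, method string, now time.Time) error {
	payload, err := canonicalBytes(st.Token)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(issuerPub, digest[:], st.Signature) {
		return errors.New("invalid token signature")
	}
	if now.Unix() > st.Token.NotAfter {
		return errors.New("token expired")
	}
	if st.Token.Resource != resource {
		return errors.New("token not valid for this resource")
	}
	for _, m := range st.Token.Methods {
		if m == method {
			return nil
		}
	}
	return fmt.Errorf("method %s not permitted by token", method)
}

func main() {
	// Constructed example: in a deployment the issuer's key pair is provisioned
	// out of band and the public key is pinned on the smart object.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tok := CapabilityToken{
		Issuer:   "issuer-1",
		Subject:  "client-7",
		Resource: "coap://node-1/temperature",
		Methods:  []string{"GET"},
		NotAfter: time.Now().Add(time.Hour).Unix(),
	}
	st, err := IssueToken(priv, tok)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("GET:", Authorize(&priv.PublicKey, st, tok.Resource, "GET", now))
	fmt.Println("PUT:", Authorize(&priv.PublicKey, st, tok.Resource, "PUT", now))

	// A holder who edits the token to add PUT invalidates the signature.
	tampered := st
	tampered.Token.Methods = []string{"GET", "PUT"}
	fmt.Println("tampered PUT:", Authorize(&priv.PublicKey, tampered, tok.Resource, "PUT", now))
}
```

The order of checks in Authorize matters on a constrained device: the signature is verified over the whole token before any field is read, so expiry, resource and method checks only ever run on data the issuer actually signed.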