物联网中的数据通常包含大量的隐私信息,为了防止设备协同过程中因越权访问造成隐私数据泄露的问题,针对多域物联网设备协同场景提出了一套访问控制机制。将分布式的基于权能的访问控制(capability-based access control,CapAC)与区块链技术相结合,设计了存储于区块链的权能令牌以及基于智能合约实现的令牌管理合约。根据CapAC的决策方式,设计了基于区块链的令牌验证方法。针对物联网的特性进行优化,设计了区块链轻量化节点。最后,搭建了区块链系统并实现了所提出的机制。实验测试结果显示,相比于中心化的访问控制机制,该方案不但在大规模的物联网场景下安全准确地执行访问决策而且具有更稳定的处理性能。此外,轻量化设计能够大幅度地降低节点存储负担。
Data in Internet of things (IoT) usually contains a large amount of personal privacy information, In order to prevent privacy data leakage due to unauthorized access during device collaboration, this article proposes a set of access control mechanisms for multi-domain IoT device collaboration scenarios. By combining distributed capabilitybased access control (CapAC) with blockchain technology, this article designs a capability token stored in the blockchain and a token management contract based on smart contracts. According to CapACs access decision-making method, a blockchain-based token verification method is designed. The blockchain lightweight node is optimized for the characteristics of IoT. Finally, a blockchain system is built to implement the mechanism proposed in the article. Experimental test results show that compared to centralized access control mechanisms, this solution can safely and accurately execute access decisions in large-scale IoT scenarios and has more stable processing performance. Lightweight design can greatly reduce node storage burden.
[1] Sandhu R S, Coyne E J, Feinstein H L, et al. Role-based access control models[J]. Computer, 1996, 29(2):38-47.
[2] De Souza L M S, Spiess P, Guinard D, et al. Socrades:a Web service based shop floor integration infrastructure[M]//The Internet of Things. Heidelberg, Berlin:Springer, 2008:5067.
[3] Spiess P, Karnouskos S, Guinard D, et al. SOA-based integration of the Internet of things in enterprise services[C]//IEEE International Conference on Web Services, 2009:968-975.
[4] Zhang G, Tian J. An extended role based access control model for the Internet of things[C]//International Conference on Information, Networking and Automation, 2010, 1:319323.
[5] Smari W W, Clemente P, Lalande J F. An extended attribute based access control model with trust and privacy:application to a collaborative crisis management system[J]. Future Generation Computer Systems, 2014, 31:147-168.
[6] Yuan E, Tong J. Attributed based access control (ABAC) for Web services[C]//IEEE International Conference on Web Services, 2006:74-79.
[7] Ning Y E, Zhu Y, Wang R C, et al. An efficient authentication and access control scheme for perception layer of Internet of things[J]. Applied Mathematics & Information Sciences, 2014, 8(4):1-8.
[8] Mahalle P N, Anggorojati B, Prasad N R, et al. Identity authentication and capability based access control for the Internet of things[J]. Journal of Cyber Security and Mobility, 2013, 1(4):309-348.
[9] 沈海波, 刘少波. 面向物联网的基于上下文和权能的访问控制架构[J]. 武汉大学学报(理学版), 2014, 60(5):424-428. Shen H B, Liu S B. A context-aware capability-based access control framework for the Internet of things[J]. Journal of Wuhan University (Natural Science Edition), 2014, 60(5):424-428. (in Chinese)
[10] Hernández-Ramos J L, Jara A J, Marin L, et al. Distributed capability-based access control for the Internet of things[J]. Journal of Internet Services and Information Security, 2013, 3(3/4):1-16.
[11] Gusmeroli S, Piccione S, Rotondi D. A capability-based security approach to manage access control in the Internet of things[J]. Mathematical and Computer Modelling, 2013, 58(5/6):1189-1205.
[12] Anggorojati B, Mahalle P N, Prasad N R, et al. Capability-based access control delegation model on the federated IoT network[C]//The 15th International Symposium on Wireless Personal Multimedia Communications, IEEE, 2012:604-608.
[13] Zhang Y, Kasahara S, Shen Y, et al. Smart contract-based access control for the Internet of things[J]. IEEE Internet of Things Journal, 2018, 6(2):1594-1605.
[14] Nakamoto S. Bitcoin:a peer-to-peer electronic cash system[R/OL]. 2009[2020-10-15]. https://bitcoin.org/bitcoin.pdf.
[15] Back A. Hashcash-a denial of service counter-measure[OL]. 2002[2020-10-15]. https://www.researchgate.net/publication/2482110_Hashcash_-_A_Denial_of_Service_CounterMeasure.
[16] Wood G. Ethereum:a secure decentralised generalised transaction ledger[J]. Ethereum Project Yellow Paper, 2014, 151:1-32.
[17] Androulaki E, Barger A, Bortnikov V, et al. Hyperledger Fabric:a distributed operating system for permissioned blockchains[C]//Proceedings of the Thirteenth EuroSys Conference, 2018:1-15.
[18] 袁勇, 倪晓春, 曾帅, 等. 区块链共识算法的发展现状与展望[J]. 自动化学报, 2018, 44(11):20112022. Yuan Y, Ni X C, Zeng S, et al. Blockchain consensus algorithms:the state of the art and future trends[J]. Acta Automatica Sinica, 2008, 44(11):2011-2022. (in Chinese)
[19] Aitzhan N Z, Svetinovic D. Security and privacy in decentralized energy trading through multi-signatures, blockchain and anonymous messaging streams[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(5):840-852.
[20] Feng Q, He D, Zeadally S, et al. A survey on privacy protection in blockchain system[J]. Journal of Network and Computer Applications, 2019, 126:45-58.
[21] Herlihy M. Atomic cross-chain swaps[C]//Proceedings of 2018 ACM Symposium on Principles of Distributed Computing, 2018:245-254.
[22] Spanos N, Martin A R, Dixon E T, et al. System and method for creating a multi-branched blockchain with configurable protocol rules:U.S. Patent 9608829[P]. 2017-03-28.
[23] Zamani M, Movahedi M, Raykova M. Rapidchain:scaling blockchain via full sharding[C]//Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018:931-948.
[24] Dang H, Dinh T T A, Loghin D, et al. Towards scaling blockchain systems via sharding[C]//Proceedings of 2019 ACM International Conference on Management of Data, 2019:123140.
[25] Benet J. IPFS-content addressed, versioned, P2P file system[OL].[2020-10-15]. https://arxiv.org/abs/1407.3561.
[26] Gilad Y, Hemo R, Micali S, et al. Algorand:scaling Byzantine agreements for cryptocurrencies[C]//Proceedings of the 26th ACM Symposium on Operating Systems Principles, 2017:51-68.
[27] Kalra S, Goel S, Dhawan M, et al. ZEUS:analyzing safety of smart contracts[C]//Network and Distributed System Security Symposium, 2018.
[28] Cebe M, Erdin E, Akkaya K, et al. Block4forensic:an integrated lightweight blockchain framework for forensics applications of connected vehicles[J]. IEEE Communications Magazine, 2018, 56(10):50-57.
[29] Dorri A, Kanhere S S, Jurdak R, et al. LSB:a lightweight scalable blockchain for IoT security and anonymity[J]. Journal of Parallel and Distributed Computing, 2019, 134:180-197.
[30] Liu Y, Wang K, Lin Y, et al. LightChain:a lightweight blockchain system for industrial Internet of things[J]. IEEE Transactions on Industrial Informatics, 2019, 15(6):3571-3581.
