Ad Hoc Networks 107 (2020) 102253 Contents lists available at ScienceDirect Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc FLAT: Federated lightweight authentication for the Internet of Things Maria L.B.A. Santos a, Jéssica C. Carneiro a, Antônio M.R. Franco a, Fernando A. Teixeira b, ∗ Marco A .A . Henriques c, Leonardo B. Oliveira a, a UFMG, Belo Horizonte, Brazil b UFSJ, Ouro Branco, Brazil c Unicamp, Campinas, Brazil a r t i c l e i n f o a b s t r a c t Article history: Federated Identity Management schemes (FIdMs) are of great help for traditional systems as they improve Received 3 March 2020 user authentication and privacy. In this paper, we claim that traditional FIdMs are mostly cumbersome Revised 2 June 2020 and then ill-suited for IoT. As a solution to this problem, we came up with Federated Lightweight Au- Accepted 16 June 2020 thentication of Things (FLAT), namely a federated identity authentication protocol exclusively tailored to Available online 26 June 2020 IoT. FLAT replaces weighty protocols and public-key cryptographic primitives used in traditional FIdMs by Keywords: lighter ones, like symmetric cryptographic primitives and Implicit Certificates. Our results show that FLAT Internet of Things can reduce the data exchange overhead by around 31% when compared to a baseline solution. Also, the security FLAT Client, the role played by an IoT device in the protocol, is more efficient than the baseline Client authentication in terms of data exchange, storage, memory, and computation time. Our results indicate that FLAT runs federated identity management efficiently, even on top of resource-constrained devices like Arduino. ©2020 Elsevier B.V. All rights reserved. 1. Introduction Federated Identity Management (FIdM) [7] , in turn, improves the IdM idea by enabling a domain to control accesses to its re- The development of the Internet of Things (IoT) [1–3] is a na- sources from external users. For instance, it allows an external tional priority in several countries around the world and is signif- user to authenticate to a local server and utilize its services with- icantly impacting our society. Studies suggest that we are already out having to create an identity or register credentials locally. In- surrounded by 20 billion IoT devices. 1 The IoT development has en- stead, the authentication process between the user and the Ser- abled a diverse number of applications in academy and industry. vice Provider (SP) is mediated by the Identity Provider (IdP) of the When it comes to IoT, one of the most significant challenges user’s home domain. FIdM, hence: to its full realization lies in the field of Identity Management • enables applications like Single-Sign-On (SSO); (IdM) [4]. IdM refers to the identification of users in a given system • increases privacy by limiting the amount of information shared; (e.g., a network, application, or service) and controlling their ac- • and improves the end-user experience and security by elimi- cess to resources within that system. (Here, the term identification nating the need for new accounts registration and restricting means the process for authenticating the identity of a user [5]). the number of entities that hold their password. Ideally, IdM provides administrators with the tools to manage the full user’s identity life-cycle (e.g., setup, maintenance, and tear Fig. 1 illustrates how traditional FIdM works. The Client initi- down) and, thus, are vital to the security and productivity of or- ates communication with the SP ( Fig. 1 , step 1). The SP, in turn, ganizations. redirects the Client to the IdP (step 2). Next, the Client requests an assertion (or token) to the IdP (step 3) and authenticates itself to the IdP by presenting its credentials (steps 4 and 5). The IdP, in ∗ Corresponding author. exchange, sends the assertion to the Client (step 6). This assertion E-mail addresses: [email protected] (M.L.B.A. Santos), is then used by the Client to get access to the SP service (steps [email protected] (J.C. Carneiro), [email protected] (A.M.R. Franco), 7 and 8). All these steps are normally protected and authenticated [email protected] (F.A. Teixeira), [email protected] (M.A.A. Henriques), by public key infrastructure certificates, which have to be validated [email protected] (L.B. Oliveira). by all participants. 1 https://www.gartner.com/en/newsroom/press-releases/ 2017- 02- 07- gartner- says- 8- billion- connected- things- will- be- in- use- in- 2017 So far, unfortunately, IoT technology cannot fully enjoy the ben- - up- 31- percent- from- 2016 efits of either IdM or FIdM. This is so because both IdM or FIdM https://doi.org/10.1016/j.adhoc.2020.102253 1570-8705/© 2020 Elsevier B.V. All rights reserved. 2 M.L.B.A. Santos, J.C. Carneiro and A.M.R. Franco et al. / Ad Hoc Networks 107 (2020) 102253 Fig. 1. Traditional FIdM (adapted from Birrell and Schneider [6] , Figure 2). widely adopted approaches are inadequate to IoT [8] . First and We describe FLAT development Section 7 , discuss its per- foremost, there is no such thing as IdM for IoT devices. Instead, formance figures ( Section 8 ), and then sum up our findings in existing (F)IdM schemes, IoT devices make use of credentials ( Section 9 ). of individual (human) users to log on and enjoy domain services. However, this is both insecure and inappropriate as devices should 2. Background not have the same clearance level as users, and some IoT devices just cannot be naturally linked to any individual user. For exam- This section introduces some necessary concepts related to ple, what user should a light traffic system be running as?). Sec- FLAT, including the characterization of IoT devices, fundamental ond, the IoT mobile nature and dynamics urge a higher level of concepts in FIdM, and some cryptosystems used in the solution. scalability and interoperability across multiple domains when com- pared to conventional network elements [8] . And last but not least, 2.1. IoT the authentication process on existing (F)IdM schemes typically build upon the login/password paradigm, which is usually okay Society is experiencing an increasing number of connected de- for humans but ill-suited for devices [9] , and leverage expensive vices: smartphones, sensors, and computers can communicate and RSA/DSA cryptosystems, hence, incurring significant computational cooperate to perform specific tasks [1] . In this sense, IoT is a net- resources overhead [10] . So, there is patently a dire need for a work of everyday objects with certain capabilities communicating FIdM able to meet IoT special needs. to reach a specific goal [13] . As a solution to this problem, we propose a FIdM protocol ex- There are numerous possibilities in IoT, including applications clusively tailored to IoT called Federated Lightweight Authentica- in several different domains such as healthcare, transportation, tion of Things (FLAT) 2. In short, we design, developed, and eval- smart cities, smart homes, agriculture, and traffic management [2] . uate a lightweight authentication protocol well-suited for IoT-like Undoubtedly, IoT can bring a series of advantages and enhance- devices based on Federated Identity. By lightweight, we mean FLAT ments to businesses and also increase the comfort and quality of replaces cumbersome protocols and costly public-key cryptosystem services. The possibilities brought by IoT have caught the attention operations used in traditional FIdM by more efficient ones. This of the scientific community, hence making IoT a research topic of lightnness , in turn, enables even highly resource-constrained IoT general interest. devices to participate in a federation and then to enjoy its ben- Among several open research topics in IoT, there are privacy, efits. Our key insight while conceiving FLAT was to combine sym- standardization, and authentication [1] . FLAT approaches exactly metric cryptosystems and Implicit Certificates [12] synergistically. the authentication issue in IoT, considering the lack of computa- Additionally, we built a prototype of FLAT and evaluated its perfor- tional resources and the potential mobility of devices, as well as mance and security. Our results indicate that FLAT runs efficiently other inherent aspects of IoT that are not present in the traditional on top of constrained devices like Arduino Due. Internet. This paper is organized as follows. We first present the concepts necessary to understand the authentication solution ( Section 2 ) and discuss the related work ( Section 3 ). 2.2. IoT Devices Next, we argue the need for lightweight cross-domain authen- tication schemes ( Section 4 ). As the IoT devices contemplate environments with very differ- Then, we present how FLAT meet this need ( Section 5 ) and ent needs, these devices also have diverse characteristics, varying evaluate the security of the protocol ( Section 6 ). in size, type, and computational capabilities. Some devices have very low computational and storage capa- bilities, so protocols and processes executed by these devices must 2 Santos et al. [11] introduced FLAT first concepts and preliminary results. be lightweight. Here, this kind of IoT devices is referred to as re- M.L.B.A. Santos, J.C. Carneiro and A.M.R. Franco et al. / Ad Hoc Networks 107 (2020) 102253 3 Fig. 2. IdM main operations. Table 1 users and devices to these resources and manages the entire life- Examples of IoT devices. cycle of users’ (and devices’) digital identities [14] . Digital iden- Class Device CPU(GHz) SRAM(MB) Flash(GB) tity, in turn, is a set of attributes or any other data that together − − − can uniquely identify one entity (user, device, institution), usually restricted Memsic IRIS 8.0 x 10 3 7.8 x 10 3 1.2 x 10 4 − − − Arduino Mega 1.6 x 10 2 7.8 x 10 3 2.4 x 10 4 proven through the use of credentials [14].
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages24 Page
-
File Size-