In this information age, with the emergence of organizations, the number of various resources on the Internet of Things is also increasing. Generally, different users have different access permissions to different resources and most of the existing schemes have realized access control. But most of them are rough and not feasible in many organizations. Moreover, traditional access control schemes adopted a central entity or a trusted third party to centrally manage users’ permissions and access information, which can easily lead to single point of failure. Therefore, a kind of secure, trusted, and fine-grained access control is urgently needed in some large-scale organizations or institutions that maintain thousands of IoT devices. In order to solve the above problems, in this paper, we propose a blockchain-based high-efficiency access control framework called BHE-AC to achieve secure and efficient access to resources for users. In BHE-AC, a registration model is designed to register users and resources, and it can evaluate the ability value for users according to their attributes which is an essential factor when requesting resources. Besides, we represent a blockchain-based token requesting mechanism to compare the capability values of users with requested resources; meanwhile, the mechanism also allows users to request multiple resources at the same time, which can avoid repeated requests. Then, an unforgeable token indicates the users’ access to a specific resource is granted to a requester only if a requester meets the access requirements; from then on, the user can use a token to invoke the resource. Finally, security analysis and experiments of our framework are given in our paper. The experimental results show that BHE-AC can achieve low cost and efficient access.

在这个信息时代，随着组织的出现，物联网上各种资源的数量也在增加。通常，不同的用户对不同的资源具有不同的访问权限，并且大多数现有方案已经实现了访问控制。但是它们大多数都是粗糙的，在许多组织中都不可行。此外，传统的访问控制方案采用中央实体或受信任的第三方来集中管理用户的权限和访问信息，这很容易导致单点故障。因此，在一些维护数千个IoT设备的大型组织或机构中，迫切需要一种安全，可信任且细粒度的访问控制。为了解决上述问题，本文中，BHE - AC，可以为用户实现安全有效的资源访问。在BHE - AC，注册模型设计用于注册用户和资源，它可以根据用户的属性评估用户的能力值，这是请求资源时必不可少的因素。此外，我们代表了一种基于区块链的令牌请求机制，用于将用户的能力值与请求的资源进行比较；同时，该机制还允许用户同时请求多个资源，从而避免了重复请求。然后，不可伪造的令牌指示仅当请求者满足访问要求时，才将用户对特定资源的访问权限授予请求者。从那时起，用户可以使用令牌来调用资源。最后，本文对我们的框架进行了安全性分析和实验。实验结果表明，BHE - AC 可以实现低成本和高效率的访问。