Elsevier

Information Sciences

Volume 527, July 2020, Pages 533-547
Information Sciences

PRTA: A Proxy Re-encryption based Trusted Authorization scheme for nodes on CloudIoT

https://doi.org/10.1016/j.ins.2019.01.051Get rights and content

Highlights

  • This paper propose a PRE based trusted authorization scheme for nodes on CloudIoT.

  • It can update the authorization assuredly when some nodes are hijacked.

  • In this scheme, cloud servers are fully used than the other work.

  • The analysis shows it has better efficiency than other works with the same properties.

Abstract

In CloudIoT platform, the data is collected and shared by different nodes of Internet of Things (IoT), and data is processed and stored based on cloud servers. It has increased the abilities of IoT on information computation. Meanwhile, it also has enriched the resource in cloud and improved integration of the Internet and human world. All of this offer advantages as well as the new challenges of information security and privacy protection. As the energy limitation of the nodes in IoT, they are particularly vulnerable. It is much easier to hijack the nodes than to attack the data center for hackers. Thus, it is a crucial and urgent issue to realize the trusted update of authorization of nodes. When some nodes are hijacked, both of the behaviors to upload data to servers and to download information from servers should be forbidden. Otherwise, it might cause the serious damage to the sensitive data and privacy of servers. In order to solve this problem, we proposed a Proxy Re-encryption based Trusted Authorization scheme for nodes on CloudIoT (PRTA). PRTA is based on the proxy re-encryption (PRE), and the cloud server will play the roles of data storing and re-encrypting, which would reach the full potential of cloud computing and reduce the cost of nodes. The node’s status is taken as one of the parameters for data re-encryption and it is under the authorization servers’ control, which could ensure the security and reliability of the data and be beneficial for the privacy protection in CloudIoT. Also, the authorization servers are divided into the downloading and uploading kinds, which will make the application range much wider.

Introduction

Internet of Things (IoT) has been proposed by the International Telecommunication Union (ITU) in 2005. Recent advances in sensing technologies and smart chips have promoted the progress of IoT. Based on various sensors and devices, IoT could collect the information of different things communicating with Internet. The communications by Internet are changing from computers to computers Man-to-Machine or Machine-to-Machine (M2M). In a word, IoT integrates various sensors, objects and smart nodes that are capable of communicating with each other without human intervention [5]. The development of IoT has been blurring the boundaries among the physical, social, and cyber worlds and fueling the astonishing number of Internet-connected devices, which has been increasing from 15 billion in 2014 to 17.6 billion in 2016 and will be 30 billion by 2020 [1], [9]. In recent years, a variety of applications based on IoT with different areas have been developed, such as logistics, manufacturing, healthcare, industrial surveillance, and etc. [24], [32].

Meanwhile, a number of corresponding techniques, such as intelligent sensors, wireless networks, big data analysis and mining [39], have been developed to realize the potential of the IoT with different intelligent systems [6], [29]. Cloud computing is one of them. The cloud provides flexible, scalable and customized computing service and storage service with lower entry barriers and less cost. More and more users choose cloud to obtain the resource, such as information, software, hardware and platform. In general, the framework of the IoT is consisted of three layers, including the perceptual layer, the transport layer and the intelligent application layer [34]. The perceptual layer is based on various sensors and is responsible for data collection. The transferring layer is based on the current common protocols, such as IP, and is responsible for data transmission. The intelligent application layer is designed for different users’ requirements and is responsible for data processing of the layers above. Cloud is suitable for the third layer of IoT for its massive computing and storing capacity. Thus, a novel paradigm where cloud and IoT merged together is proposed, which is called CloudIoT [3]. IoT could benefit from the virtually unlimited capabilities and resources of cloud to compensate its technological constraints (e.g., storage, processing, communication). CloudIoT has given birth to a new set of smart services and applications, which can strongly impact human’s daily life. Many applications are beneficial from the M2M communications when things need to exchange information among themselves and not only send them to cloud. From 2008, the number of papers dealing with cloud and IoT shows an increasing tendency. The characteristics of cloud and IoT are often complementary, which is the main reason why many researchers have proposed and are proposing their integration, generally to obtain benefits in specific application scenarios [2], [4], [8]. Meanwhile, many Internet application vendors,such as Microsoft, IBM, Google, Alibaba and Tencent have developed the cloud platforms which could support the IoT applications. They provide the application programming interfaces (API) for the nodes definitions, simulations and configurations.

The emerging CloudIoT is foreseen as one of the great developments of IoT and cloud, as the users could obtain the convenience of both cloud and IoT. However, the new problems are also brought to the security of CloudIoT. Firstly, the nodes of IoT are numerous, so the data uploaded to cloud and shared by cloud will be increased sharply. The amount of private and confidential data will become more and more as well. For instance, the cameras for smart homes could collect and upload the real records of their owner’s daily life, which will concern the privacy of users. Thus, it is important to protect the confidentiality and privacy of the data from such nodes. The security scheme is designed not only to prevent the access by illegal users, but also to avoid the analysis of cloud service providers. Only the authenticated users have privileges to obtain the information,and unauthorized accesses are prevented from tampering the data. Secondly, cyber attacks are becoming more pervasive [38], [40]. As the limitation of computation ability, the nodes are weaker in resistant to attack than the common computers. The hackers could attack the CloudIoT by hijacking a node or faking a device [25], and they could obtain information in cloud servers or upload the malicious data to a server by attacking the nodes. Thus, how to revoke the authentication of nodes when they are hacked is a serious problem to be solved.

For the problems above, researchers have done a plenty of work, such as privacy protection [7], [37], integrity verification [42], access control, secure storage of data in IoT environment. In order to ensure the data is accessed by the authenticated users, many efforts have been taking place to apply traditional methods of access control to IoT scenarios [19], [28]. And there are some new approaches to access control mechanisms in IoT at the same time by describing the parameters of devices, e.g. device ID [31] or combing with some famous security protocols, e.g. Kerberos and RADIUS [23]. Due to the limitation of IoT sensors, some lightweight schemes also have been proposed [35]. As same as the common cloud service, the CloudIoT also requires the data encryption, thus, the cryptography based access control will be needed, e.g. Diffie–Hellman [21] or ECC [10], [19]. All the works above contributed a great deal to the data protection of IoT, but they did not discuss the corresponding access control scheme for CloudIoT or how to deal with the data authentication when the nodes are hacked. Although, some of them have talked about the lightweight, but they did not try to take advantage of cloud service. PRE has played an important role in cloud access control and data protection. The proxy server could finish some work of data sharing. For the characteristics of PRE, it also could be applied to CloudIoT. If the cloud server is responsible for the work of re-encryption proxy, the computing cost of individual users and nodes will be much less.

Summing up, the current references have discussed a lot about how to keep the sensitive data security, but it is still a serious problem that how to update the authorization of the hacked nodes to prevent their downloading and uploading information. It means revoking the compromised nodes from the system assuredly is still one of the hottest topics for IoT security. And the main technical challenges are as followed:

  • (1)

    The applications of the IoT is various. Some nodes will collect and upload the information to server, some nodes will download the data for configuration and some will both upload and download the data. For example, some nodes for the smart healthcare solution will collect data of patient physical conditions. They focus on the data uploading quickly and correctly. Some nodes for the smart cars will download the information for navigation or speed control. They require to download the information conveniently. And for the smart homes, some nodes will both download and upload the information,such as intelligent entrance guard. Thus the scheme for the nodes revoking should consider the different applications.

  • (2)

    The cloud servers usually play the role for data storing, and they are used less in data encryption or decryption. For data security, the IoT servers and nodes will finish the work of encryption and decryption. It will be a great cost for nodes and IoT servers. Also the cloud servers are not fully used.

  • (3)

    When the nodes are compromised, some current schemes could update the key for such node. However if the node has already stored the old key, it will be a threat to the system.

Thus, we have done some research on this issue and its corresponding technologies and proposed a PRE based Trusted Authorization scheme for nodes on CloudIoT platform (PRTA). Firstly, we analyze the related work and proposed the system model. Secondly, we explain the system processes and algorithms based PRE. Finally, we discuss the properties including the security and efficiency issues. The main contributions of the paper are threefold:

  • (1)

    We defined the processes of data downloading and data uploading for nodes, and the permissions are designed for each process, respectively. The downloading permission is managed by the downloading authentication server and uploading permission is managed by the uploading authentication server, which will be more suitable for the various IoT applications. Some applications only need the node to collect data, some only need the nodes to share information of data server and some need both downloading and uploading. The users could be free to deploy the CloudIoT with downloading authentication server or uploading authentication server or both of them for different requirements. This is for the challenge (1).

  • (2)

    We designed the algorithms based on PRE, and the permissions assignment according to the re-encryption keys. The cloud server will be responsible for data re-encryption. The IoT data server and nodes will cost less for data accessing and collection. This is for the challenge (2).

  • (3)

    It is worth mentioning that there are two kinds of re-encryption algorithms, one is for downloading (ReEnc1) and the other is for uploading(ReEnc2). ReEnc1 will generate the ciphertext for nodes from the IoT data server, and ReEnc2 will generate the ciphertext for the IoT data server from the nodes. ReEnc1/ReEnc2 have divided the parameters of re-encryption keys generation, one part is submitted to cloud servers, the other is under the control of downloading or uploading authentication server. When updating the authorization, downloading or uploading authentication server delete that part, the re-encryption keys will not be able to generated for parameters missing. The authorization is updated assuredly.This is for the challenge (3).

Organizations: The rest of this paper is organized as follows: The related works and preliminaries is in Section 2, and the system models, main processes and algorithm of it explained in Section 3. Security proof is presented in Section 4, and Properties and efficiency analysis are in Section 5, The concluding remarks are in Section 6.

Section snippets

Access control and authentication scheme for CloudIoT

There are a plenty of schemes designed for IoT, some of them are based on the tractional access control models, such as role based access control (RBAC) and attribute based access control (ABAC). Paper [28] is one of them, which focused on the dynamic characteristics of IoT and proposed an access control model based on attribute and role to solve the scenarios of large scale dynamics users. The model has put forward a policy language of attribute rules and a method to solve the policy conflict

Goals and preconditions

Our scheme will face to the application scenario in Fig. 1. The first part of Fig. 1 shows the common framework for the IoT. The nodes will collect and upload the data to IoT data server. Also the nodes might download the data from the data server, including data or configure commands. In order to increase the computing and storing abilities of IoT, the cloud server is applied in the IoT, and CloudIoT appeared. For the first step of our research, we will deploy a proxy server for re-encryption

Security model

We will build the security model of PRTA based ont the DBDH problem. In the security model, adversary A can query the oracles such as key generation, data creation, ciphertext sharing by nodes, re-decryption and so on. The security model will be described as follows.

Setup: Challenger sets up system parameters param.

Phase 1: Adversary A can query one of the any oracles as follows: KeyGen, IoTEnc, ReKeyGen,ReEnc1, ReDec1, ReEnc2 and ReDec2. During the querying of IoTEnc, ReKeyGen,ReEnc1, ReDec1,

Security analysis

The security of our scheme will be based on two issues. Firstly, we will prove the security of algorithm. We have constructed a security framework based on random oracle model in the section above. In the framework, we can prove our algorithm is CCA-security by the challenge-response method (see Section 5.2). Secondly, we will analyze the possible attacks to prove the security of our system.

  • 1)

    Cryptographic analysis. We will encrypt the message M by symmetric method based on the traditional

Conclusion

The IoT brings the convenience to connect everything to Internet. And CloudIoT has increased the abilities of IoT to data storing and processing. However, this integration has brought the new challenges to security of IoT and cloud. Firstly, there are thousands and hundreds nodes of IoT, more and more information is appeared in cloud including the sensitive data and privacy. Secondly, the nodes are limited in storing and computing, which make them weak in defending against attacks. Connected to

Acknowledgment

This work has been supported by the National Natural Science Foundation of China (61702266, 61572255).

References (42)

  • FuA. et al.

    Npp: a new privacy-aware public auditing scheme for cloud data sharing with group users

    IEEE Trans. Big Data

    (2018)
  • M.M. Gomes et al.

    Future directions for providing better iot infrastructure

    Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication

    (2014)
  • IHS, Internet of Things (IoT) Connected Devices Installed Base Worldwide from 2015 to 2025 (in Billions), 2017,...
  • JiangQ. et al.

    A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks

    Int. J. Netw. Manag.

    (2017)
  • KimS.H. et al.

    Iot device security based on proxy re-encryption

    J. Ambient Intell. Humaniz. Comput.

    (2018)
  • LiF. et al.

    Practical Access Control for Sensor Networks in the Context of the Internet of Things

    (2016)
  • LiJ. et al.

    Ksf-oabe: outsourced attribute-based encryption with keyword search function for cloud storage

    IEEE Trans. Serv. Comput.

    (2017)
  • LiJ. et al.

    User collusion avoidance cp-abe with efficient attribute revocation for cloud storage

    IEEE Syst. J.

    (2018)
  • LiJ. et al.

    Flexible and fine-grained attribute-based data storage in cloud computing

    IEEE Trans. Serv. Comput.

    (2017)
  • LiJ. et al.

    Provably secure certificate-based conditional proxy re-encryption

    J. Inf. Sci. Eng.

    (2016)
  • LiuJ. et al.

    Authentication and access control in the internet of things

    Proceedings of International Conference on Distributed Computing Systems Workshops

    (2012)
  • Cited by (20)

    • Backdoor-resistant identity-based proxy re-encryption for cloud-assisted wireless body area networks

      2022, Information Sciences
      Citation Excerpt :

      It can perform a ciphertext search function in a heterogeneous system. Su et al. [13] proposed a PRE scheme based on trusted authorization to achieve the trusted update of authentication of nodes on the Internet of Things. Ge et al. [14] proposed a revocable IBPRE scheme to solve the key revocation problem by revoking delegates from the re-encryption key.

    • A survey of remote attestation in Internet of Things: Attacks, countermeasures, and prospects

      2022, Computers and Security
      Citation Excerpt :

      Nowadays, they have been deployed for intelligent transportation, environmental monitoring, government work, public safety, smart home, industrial monitoring, lighting control, elderly care, personal health, food traceability, etc. Millions of IoT devices have spread throughout our lives (Heartfield et al., 2021; Li et al., 2021; Su et al., 2020). As people are getting used to these devices and relying on them, their security becomes an utmost important concern.

    • Secure Traffic Data Sharing in UAV-Assisted VANETs

      2024, Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    View all citing articles on Scopus

    This paper belongs to the special issue IG006054 edited by Prof. W. Pedrycz.

    View full text