PRTA: A Proxy Re-encryption based Trusted Authorization scheme for nodes on CloudIoT☆
Introduction
Internet of Things (IoT) has been proposed by the International Telecommunication Union (ITU) in 2005. Recent advances in sensing technologies and smart chips have promoted the progress of IoT. Based on various sensors and devices, IoT could collect the information of different things communicating with Internet. The communications by Internet are changing from computers to computers Man-to-Machine or Machine-to-Machine (M2M). In a word, IoT integrates various sensors, objects and smart nodes that are capable of communicating with each other without human intervention [5]. The development of IoT has been blurring the boundaries among the physical, social, and cyber worlds and fueling the astonishing number of Internet-connected devices, which has been increasing from 15 billion in 2014 to 17.6 billion in 2016 and will be 30 billion by 2020 [1], [9]. In recent years, a variety of applications based on IoT with different areas have been developed, such as logistics, manufacturing, healthcare, industrial surveillance, and etc. [24], [32].
Meanwhile, a number of corresponding techniques, such as intelligent sensors, wireless networks, big data analysis and mining [39], have been developed to realize the potential of the IoT with different intelligent systems [6], [29]. Cloud computing is one of them. The cloud provides flexible, scalable and customized computing service and storage service with lower entry barriers and less cost. More and more users choose cloud to obtain the resource, such as information, software, hardware and platform. In general, the framework of the IoT is consisted of three layers, including the perceptual layer, the transport layer and the intelligent application layer [34]. The perceptual layer is based on various sensors and is responsible for data collection. The transferring layer is based on the current common protocols, such as IP, and is responsible for data transmission. The intelligent application layer is designed for different users’ requirements and is responsible for data processing of the layers above. Cloud is suitable for the third layer of IoT for its massive computing and storing capacity. Thus, a novel paradigm where cloud and IoT merged together is proposed, which is called CloudIoT [3]. IoT could benefit from the virtually unlimited capabilities and resources of cloud to compensate its technological constraints (e.g., storage, processing, communication). CloudIoT has given birth to a new set of smart services and applications, which can strongly impact human’s daily life. Many applications are beneficial from the M2M communications when things need to exchange information among themselves and not only send them to cloud. From 2008, the number of papers dealing with cloud and IoT shows an increasing tendency. The characteristics of cloud and IoT are often complementary, which is the main reason why many researchers have proposed and are proposing their integration, generally to obtain benefits in specific application scenarios [2], [4], [8]. Meanwhile, many Internet application vendors,such as Microsoft, IBM, Google, Alibaba and Tencent have developed the cloud platforms which could support the IoT applications. They provide the application programming interfaces (API) for the nodes definitions, simulations and configurations.
The emerging CloudIoT is foreseen as one of the great developments of IoT and cloud, as the users could obtain the convenience of both cloud and IoT. However, the new problems are also brought to the security of CloudIoT. Firstly, the nodes of IoT are numerous, so the data uploaded to cloud and shared by cloud will be increased sharply. The amount of private and confidential data will become more and more as well. For instance, the cameras for smart homes could collect and upload the real records of their owner’s daily life, which will concern the privacy of users. Thus, it is important to protect the confidentiality and privacy of the data from such nodes. The security scheme is designed not only to prevent the access by illegal users, but also to avoid the analysis of cloud service providers. Only the authenticated users have privileges to obtain the information,and unauthorized accesses are prevented from tampering the data. Secondly, cyber attacks are becoming more pervasive [38], [40]. As the limitation of computation ability, the nodes are weaker in resistant to attack than the common computers. The hackers could attack the CloudIoT by hijacking a node or faking a device [25], and they could obtain information in cloud servers or upload the malicious data to a server by attacking the nodes. Thus, how to revoke the authentication of nodes when they are hacked is a serious problem to be solved.
For the problems above, researchers have done a plenty of work, such as privacy protection [7], [37], integrity verification [42], access control, secure storage of data in IoT environment. In order to ensure the data is accessed by the authenticated users, many efforts have been taking place to apply traditional methods of access control to IoT scenarios [19], [28]. And there are some new approaches to access control mechanisms in IoT at the same time by describing the parameters of devices, e.g. device ID [31] or combing with some famous security protocols, e.g. Kerberos and RADIUS [23]. Due to the limitation of IoT sensors, some lightweight schemes also have been proposed [35]. As same as the common cloud service, the CloudIoT also requires the data encryption, thus, the cryptography based access control will be needed, e.g. Diffie–Hellman [21] or ECC [10], [19]. All the works above contributed a great deal to the data protection of IoT, but they did not discuss the corresponding access control scheme for CloudIoT or how to deal with the data authentication when the nodes are hacked. Although, some of them have talked about the lightweight, but they did not try to take advantage of cloud service. PRE has played an important role in cloud access control and data protection. The proxy server could finish some work of data sharing. For the characteristics of PRE, it also could be applied to CloudIoT. If the cloud server is responsible for the work of re-encryption proxy, the computing cost of individual users and nodes will be much less.
Summing up, the current references have discussed a lot about how to keep the sensitive data security, but it is still a serious problem that how to update the authorization of the hacked nodes to prevent their downloading and uploading information. It means revoking the compromised nodes from the system assuredly is still one of the hottest topics for IoT security. And the main technical challenges are as followed:
- (1)
The applications of the IoT is various. Some nodes will collect and upload the information to server, some nodes will download the data for configuration and some will both upload and download the data. For example, some nodes for the smart healthcare solution will collect data of patient physical conditions. They focus on the data uploading quickly and correctly. Some nodes for the smart cars will download the information for navigation or speed control. They require to download the information conveniently. And for the smart homes, some nodes will both download and upload the information,such as intelligent entrance guard. Thus the scheme for the nodes revoking should consider the different applications.
- (2)
The cloud servers usually play the role for data storing, and they are used less in data encryption or decryption. For data security, the IoT servers and nodes will finish the work of encryption and decryption. It will be a great cost for nodes and IoT servers. Also the cloud servers are not fully used.
- (3)
When the nodes are compromised, some current schemes could update the key for such node. However if the node has already stored the old key, it will be a threat to the system.
Thus, we have done some research on this issue and its corresponding technologies and proposed a PRE based Trusted Authorization scheme for nodes on CloudIoT platform (PRTA). Firstly, we analyze the related work and proposed the system model. Secondly, we explain the system processes and algorithms based PRE. Finally, we discuss the properties including the security and efficiency issues. The main contributions of the paper are threefold:
- (1)
We defined the processes of data downloading and data uploading for nodes, and the permissions are designed for each process, respectively. The downloading permission is managed by the downloading authentication server and uploading permission is managed by the uploading authentication server, which will be more suitable for the various IoT applications. Some applications only need the node to collect data, some only need the nodes to share information of data server and some need both downloading and uploading. The users could be free to deploy the CloudIoT with downloading authentication server or uploading authentication server or both of them for different requirements. This is for the challenge (1).
- (2)
We designed the algorithms based on PRE, and the permissions assignment according to the re-encryption keys. The cloud server will be responsible for data re-encryption. The IoT data server and nodes will cost less for data accessing and collection. This is for the challenge (2).
- (3)
It is worth mentioning that there are two kinds of re-encryption algorithms, one is for downloading (ReEnc1) and the other is for uploading(ReEnc2). ReEnc1 will generate the ciphertext for nodes from the IoT data server, and ReEnc2 will generate the ciphertext for the IoT data server from the nodes. ReEnc1/ReEnc2 have divided the parameters of re-encryption keys generation, one part is submitted to cloud servers, the other is under the control of downloading or uploading authentication server. When updating the authorization, downloading or uploading authentication server delete that part, the re-encryption keys will not be able to generated for parameters missing. The authorization is updated assuredly.This is for the challenge (3).
Organizations: The rest of this paper is organized as follows: The related works and preliminaries is in Section 2, and the system models, main processes and algorithm of it explained in Section 3. Security proof is presented in Section 4, and Properties and efficiency analysis are in Section 5, The concluding remarks are in Section 6.
Section snippets
Access control and authentication scheme for CloudIoT
There are a plenty of schemes designed for IoT, some of them are based on the tractional access control models, such as role based access control (RBAC) and attribute based access control (ABAC). Paper [28] is one of them, which focused on the dynamic characteristics of IoT and proposed an access control model based on attribute and role to solve the scenarios of large scale dynamics users. The model has put forward a policy language of attribute rules and a method to solve the policy conflict
Goals and preconditions
Our scheme will face to the application scenario in Fig. 1. The first part of Fig. 1 shows the common framework for the IoT. The nodes will collect and upload the data to IoT data server. Also the nodes might download the data from the data server, including data or configure commands. In order to increase the computing and storing abilities of IoT, the cloud server is applied in the IoT, and CloudIoT appeared. For the first step of our research, we will deploy a proxy server for re-encryption
Security model
We will build the security model of PRTA based ont the DBDH problem. In the security model, adversary can query the oracles such as key generation, data creation, ciphertext sharing by nodes, re-decryption and so on. The security model will be described as follows.
Setup: Challenger sets up system parameters param.
Phase 1: Adversary can query one of the any oracles as follows: KeyGen, IoTEnc, ReKeyGen,ReEnc1, ReDec1, ReEnc2 and ReDec2. During the querying of IoTEnc, ReKeyGen,ReEnc1, ReDec1,
Security analysis
The security of our scheme will be based on two issues. Firstly, we will prove the security of algorithm. We have constructed a security framework based on random oracle model in the section above. In the framework, we can prove our algorithm is CCA-security by the challenge-response method (see Section 5.2). Secondly, we will analyze the possible attacks to prove the security of our system.
- 1)
Cryptographic analysis. We will encrypt the message M by symmetric method based on the traditional
Conclusion
The IoT brings the convenience to connect everything to Internet. And CloudIoT has increased the abilities of IoT to data storing and processing. However, this integration has brought the new challenges to security of IoT and cloud. Firstly, there are thousands and hundreds nodes of IoT, more and more information is appeared in cloud including the sensitive data and privacy. Secondly, the nodes are limited in storing and computing, which make them weak in defending against attacks. Connected to
Acknowledgment
This work has been supported by the National Natural Science Foundation of China (61702266, 61572255).
References (42)
- et al.
Full verifiability for outsourced decryption in attribute based encryption
IEEE Trans. Serv. Comput.
(2018) - et al.
Key-policy attribute-based encryption against continual auxiliary input leakage
Inf. Sci.
(2019) - et al.
A survey on trust management for internet of things
J. Netw. Comput. Appl.
(2014) - et al.
Data integrity verification of the outsourced big data in the cloud environment: a survey
J. Netw. Comput. Appl.
(2018) - Ironpaper Growth Agency, Internet of Things Market Statistics,...
- et al.
Device and technology implications of the internet of things
Proceedings of the 2014 Symposium on VLSI Technology (VLSI-Technology): Digest of Technical Papers
(2014) - et al.
Integration of cloud computing and internet of things: a survey
Futur. Gener. Comput. Syst.
(2016) - et al.
A framework of adaptive interaction support in cloud-based internet of things (IoT) environment
Proceedings of International Conference on Internet and Distributed Computing Systems
(2014) - et al.
On the feasibility of attribute-based encryption on internet of things devices
IEEE Micro
(2016) - et al.
Internet of things for enterprise systems of modern manufacturing
IEEE Trans. Ind. Inf.
(2014)
Npp: a new privacy-aware public auditing scheme for cloud data sharing with group users
IEEE Trans. Big Data
Future directions for providing better iot infrastructure
Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication
A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks
Int. J. Netw. Manag.
Iot device security based on proxy re-encryption
J. Ambient Intell. Humaniz. Comput.
Practical Access Control for Sensor Networks in the Context of the Internet of Things
Ksf-oabe: outsourced attribute-based encryption with keyword search function for cloud storage
IEEE Trans. Serv. Comput.
User collusion avoidance cp-abe with efficient attribute revocation for cloud storage
IEEE Syst. J.
Flexible and fine-grained attribute-based data storage in cloud computing
IEEE Trans. Serv. Comput.
Provably secure certificate-based conditional proxy re-encryption
J. Inf. Sci. Eng.
Authentication and access control in the internet of things
Proceedings of International Conference on Distributed Computing Systems Workshops
Cited by (20)
Backdoor-resistant identity-based proxy re-encryption for cloud-assisted wireless body area networks
2022, Information SciencesCitation Excerpt :It can perform a ciphertext search function in a heterogeneous system. Su et al. [13] proposed a PRE scheme based on trusted authorization to achieve the trusted update of authentication of nodes on the Internet of Things. Ge et al. [14] proposed a revocable IBPRE scheme to solve the key revocation problem by revoking delegates from the re-encryption key.
A survey of remote attestation in Internet of Things: Attacks, countermeasures, and prospects
2022, Computers and SecurityCitation Excerpt :Nowadays, they have been deployed for intelligent transportation, environmental monitoring, government work, public safety, smart home, industrial monitoring, lighting control, elderly care, personal health, food traceability, etc. Millions of IoT devices have spread throughout our lives (Heartfield et al., 2021; Li et al., 2021; Su et al., 2020). As people are getting used to these devices and relying on them, their security becomes an utmost important concern.
Secure Traffic Data Sharing in UAV-Assisted VANETs
2024, Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICSTCollusion-resistant and privacy-preserving data sharing scheme on outsourced data in e-healthcare system
2023, Multimedia Tools and ApplicationsPrivacy-preserving cloud data sharing for healthcare systems with hybrid blockchain
2023, Peer-to-Peer Networking and Applications
- ☆
This paper belongs to the special issue IG006054 edited by Prof. W. Pedrycz.