Zero-Knowledge and Identity-Based Authentication and Authorisation with integrated Key Exchange for IoT
Zero-Knowledge and Identity-Based Authentication and Authorisation with integrated Key Exchange for Internet of Things
According to the existing discussions about the Internet of Things (IoT), IoT can be described as a network of dynamic networks of a huge number of addressable, uniquely identifiable, potentially resource-constrained, and heterogeneous things that sense and influence their environment to provide services with or without direct human intervention. This statement implies the challenges that IoT approaches have to meet. The first challenge is that IoT is a highly dynamic and very large-scale network of resource-constrained devices. Moreover, IoT is an infrastructure of heterogeneous things. This means that there are no fixed communication workflows, unlike, e.g., in the Web. Thus, IoT approaches that are to be applied universally have to be application-independent. Additionally, IoT is an autonomous infrastructure. However, this does not mean that IoT can operate completely without human intervention. For example, each thing has an owner/operator and needs a certain startup setup by its owner. After this setup, things have to be able to operate autonomously. Furthermore, things have to be uniquely identifiable. Thus, it is an advantage if IoT approaches follow an identity-based scheme. In addition, IoT is a service-providing infrastructure. Consequently, IoT needs infrastructure supporting instances for diverse functionalities such as service mapping and authorisation, just like any service-providing infrastructure such as the conventional Internet.
Besides these considerations for IoT, communication confidentiality and integrity are quite important security requirements. The de facto method applied so far is cryptography. However, this needs an authentic key exchange between two communicating entities, which in turn requires mutual authentication of the entities. Since IoT is a highly dynamic and very large-scale infrastructure, an approach providing authentication and key exchange for IoT cannot be based on public data predistribution or secret pre-sharing between authenticating things. Moreover, it cannot rely on human intervention due to the autonomous character of IoT. With regard to the heterogeneity in IoT, the approach has to be application-independent without requiring additional components or procedures, except the de facto existing ones such as thing owner, infrastructure supporting instance, thing startup setup, service mapping, and authorisation. Additionally, the approach cannot include costly cryptographic operations due to the resource-constrained devices in IoT. Furthermore, the approach has to be resistant to active man-in-the-middle attacks, which can be classified as the strongest adversary model.
Our vision is to introduce a novel approach providing mutual authentication and authorisation with integrated key exchange while meeting the IoT challenges and security requirements introduced above. Here, we combine zero-knowledge and identity-based schemes and thereby leverage the existing components as well as the procedures described above. In particular, we extend the Goldreich-Micali-Wigderson (GMW) zero-knowledge protocol to provide mutual authentication and an authentic key exchange. We choose the GMW protocol since it does not include any costly cryptographic operations and is perfect zero-knowledge, i.e. resistant to a malicious prover and a malicious verifier. This implies that this protocol is suitable for resource-constrained devices and is resistant to active man-in-the-middle attacks, properties that also apply to our approach. To generate the public authentication data and the secrets, we follow an identity-based scheme. This means that we do not need any public data predistribution or secret pre-sharing with regard to authenticating things. Moreover, this scheme allows a thing to operate autonomously in a secure manner after a startup setup by its owner. Additionally, our identity-based scheme supplies application independence without requiring additional components and procedures.
Simsek, Irfan, and Erwin P. Rathgeb: Zero-Knowledge and Identity-Based Authentication and Key Exchange for Internet of Things. 2019 IEEE 5th World Forum on Internet of Things (WF-IoT). IEEE, 2019.
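
The following is an added example, not code from the project or the paper: a minimal sketch of the base one-way GMW identification protocol, assuming its graph-isomorphism instance (the perfect zero-knowledge one), to show that each round needs only vertex relabelling and set comparison. The extensions the abstract describes (mutual authentication, identity-based generation of the public data, and key exchange) are not specified on this page and are not shown; all function and class names are hypothetical.

```python
import random  # demo only: pass random.SystemRandom() as rng outside of tests

def permute(edges, perm):
    """Relabel every vertex v of an edge set as perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p

def keygen(n, m, rng):
    """Secret: permutation pi. Public: graphs (G0, G1) with G1 = pi(G0)."""
    pairs = [(u, v) for u in range(n) for v in range(u + 1, n)]
    g0 = frozenset(rng.sample(pairs, m))
    pi = random_perm(n, rng)
    return pi, (g0, permute(g0, pi))

class Prover:
    def __init__(self, pi, pub, rng):
        self.pi, self.pub, self.rng = pi, pub, rng
    def commit(self):
        # Fresh random relabelling of G1 every round: H = sigma(G1)
        self.sigma = random_perm(len(self.pi), self.rng)
        return permute(self.pub[1], self.sigma)
    def respond(self, b):
        # b=1: sigma maps G1 onto H; b=0: "sigma after pi" maps G0 onto H
        return self.sigma if b else [self.sigma[v] for v in self.pi]

class Impostor(Prover):
    """Holds a wrong pi, so it must guess the challenge before committing."""
    def commit(self):
        self.guess = self.rng.randrange(2)
        self.sigma = random_perm(len(self.pi), self.rng)
        return permute(self.pub[self.guess], self.sigma)
    def respond(self, b):
        return self.sigma  # only valid when b == self.guess

def verify(pub, n, h, b, rho):
    """Accept iff rho is a permutation of 0..n-1 mapping challenged graph G_b onto H."""
    return len(rho) == n and sorted(rho) == list(range(n)) and permute(pub[b], rho) == h

def authenticate(prover, pub, n, rounds, rng):
    """Verifier side: an impostor survives each round with probability 1/2."""
    for _ in range(rounds):
        h = prover.commit()
        b = rng.randrange(2)
        if not verify(pub, n, h, b, prover.respond(b)):
            return False
    return True
```

Neither response reveals pi on its own: for b=1 the verifier sees a uniformly random permutation, and for b=0 it sees pi masked by one.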