Please use this identifier to cite or link to this item: http://dspace.dtu.ac.in:8080/jspui/handle/repository/16306
Title: BLOCKCHAIN AND ACCESS CONTROL
Authors: UMAYYA, ZEYA
Keywords: BLOCKCHAIN; ACCESS CONTROL; CP-ABE
Issue Date: Jul-2018
Series/Report no.: TD-4197
Abstract: Blockchain and IoT technologies have gained much popularity nowadays in almost every sector. The blockchain is a decentralized public ledger mainly for cryptocurrency transactions. But because of its important inherent security features, it is being explored in other sectors also, e.g., IoT. Although IoT has evolved greatly through the years, providing fine-grained access control for its users is still a major issue. To tackle such an issue, Ouaddah et al. have given an idea of using a token-based access control system with the help of second-generation blockchain technology, i.e., Ethereum, and smart contracts. But they have not provided any method for selective access control. CP-ABE (Ciphertext-Policy Attribute-Based Encryption) schemes are known for providing fine-grained role-based access control. So, the inherent features of blockchain technology and CP-ABE schemes can be combined to provide a fine access control mechanism in IoT. In this work, a more secure and privacy-preserving access control system is deployed on the Ethereum blockchain with the help of smart contracts (SC) and CP-ABE for IoT. CP-ABE is used to provide fine-grained access control to protect IoT data. Implementation and testing of the system is done on a Raspberry Pi2 device and on a Linux 16.04 based system. Two smart contracts have been created, named PolicyContract and AuthList. The PolicyContract SC is deployed by the IoT end, and the AuthList SC is deployed by the requester end. The IoT device acts as a service-end (SE) and other user devices such as PCs act as a requester-end (RE). The IoT end is just a geth client; it's not a full Ethereum node. Mining work is done on a PC, so it is a full node. Every transaction submitted by IoT is mined by PC miners. The IoT device defines access policies using CP-ABE for its resources and converts these access policies to the PolicyContract SC. RE submits its attribute list to SE, and SE checks if the attribute list satisfies the access policy. If it satisfies, then SE sends the create-token transaction, and a token and RE's secret key are added to AuthList SC via PolicyContract SC. RE receives the token and its secret from SE. Whenever RE wants to access a particular resource A, it provides the appropriate token to SE. SE checks for token validity and gives access to that resource A. Resources are encrypted with CP-ABE. RE decrypts the resource using its secret key. After this, SE removes the token from AuthList SC. In case SE detects malicious activities by an RE, it will revoke its access by removing the token from AuthList SC. The said access control system is implemented on a Raspberry Pi2 device and on a Dell PC with acceptable timings for access check, token creation and validation.
URI: http://dspace.dtu.ac.in:8080/jspui/handle/repository/16306
Appears in Collections: M.E./M.Tech. Computer Engineering

Files in This Item:
File: PART2-ZEYA(2K16-CSE-20).pdf
Size: 12.39 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.