Jianhong Zhang,Wenle Bai,Yuehai Wang

DOI: https://doi.org/10.1109/access.2019.2899828

IF: 3.9

2019-01-01

IEEE Access

Abstract:The Internet of Things (IoT) is the internetworking of terminal physical devices depends on application programming interfaces and sensors to be connected to the Internet for collecting and exchanging data. According to the characteristics of IoT, it can provide rich services for the terminal user. However, the centralized cloud computing-based storage architecture in IoT faces many challenges, such as data security, identity privacy, and high latency. To overcome these challenges, this paper introduces an IoT network storage architecture based on mobile edge computing, which not only achieves low-latency message response and computation offloading of the terminal user but also preserves identity-privacy of the terminal user. Afterward, we presented a novel non-interactive pairing-free ID-based proxy re-signature scheme (ID-PRS), which is a kernel technique to construct the aforementioned storage architecture. Compared with most of proxy re-signature schemes constructed based on traditional public-key-infrastructure, the proposed scheme avoids expensive pairing operation and intricate certificate-maintenance. And it is demonstrated to be provably secure under the classic security assumptions: integer factoring problem and the RSA assumption. Finally, in contrast to the other two ID-PRS schemes, the proposed ID-PRS scheme has more advantages in terms of security, functionability, and computation costs. Thus, it is very suitable to be applied to the resource-constrained mobile users.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Jie Yin,Yang Xiao,Qingqi Pei,Ying Ju,Lei Liu,Ming Xiao,Celimuge Wu

DOI: https://doi.org/10.1109/jiot.2022.3145089

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) applications have penetrated into all aspects of human life. Millions of IoT users and devices, online services, and applications combine to create a complex and heterogeneous network, which complicates the digital identity management. Distributed identity is a promising paradigm to solve IoT identity problems and allows users to have soverignty over their private data. However, the existing state-of-the-art methods are unsuitable for IoT due to continuing issues regarding resource limitations for IoT devices, security and privacy issues, and lack of a systematic proof system. Accordingly, in this article, we propose SmartDID, a novel blockchain-based distributed identity aimed at establishing a self-sovereign identity and providing strong privacy preservation. First, we configure IoT devices as light nodes and design a Sybil-resistant, unlinkable, and supervisable distributed identity that does not rely on central identity providers. We further develop a dual-credential model based on commitment and zero-knowledge proofs to protect the privacy of sensitive attributes, on-chain identity data, and linkage of credentials. Moreover, we combine the basic credential proofs to prove the knowledge of solutions to more complex problems and create a systematic proof system. We go on to provide the security analysis of SmartDID. Experimental analysis shows that our scheme achieves better performance in terms of both credential generation and proof generation when compared with CanDID.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Yang Su,Jing Wu,Chengnian Long,Lijun Wei

DOI: https://doi.org/10.1145/3390566.3391670

2020-01-01

Abstract:The digital identities of Internet of Things (IoT) devices are vital to the security of IoT system. However, current centralized identity management systems have many drawbacks such as the single point of failure, suffering DDoS attacks and privacy issues. In this paper, to solve the above problems, we combine with the scenario of electrical vehicles charging to present our decentralized machine identifier (DMID) and identity management scheme. The scheme is based on blockchain and InterPlanetary File System (IPFS) technologies. Moreover, to improve the security of DMID, we design a secure hardware module by employing Physical Unclonable Function (PUF), True Random Number Generation (TRNG) and Trustzone. At last, we design a simulation system, and the result demonstrates the feasibility and effectiveness of our proposed scheme.

Zetian Zhang,Jingyu Wang,Lixin Liu,Yongfeng Li,Yun Hao,Hanqing Yang

DOI: https://doi.org/10.1016/j.adhoc.2024.103588

IF: 4.816

2024-01-01

Ad Hoc Networks

Abstract:With the rapid development of Internet of Things (IoT) technology in industrial, agricultural, medical and other fields, IoT terminal devices face security and privacy challenges when sharing data. Among them, ensuring data confidentiality, achieving dual-side privacy protection, and performing reliable data integrity verification are basic requirements. Especially in resource-constrained environments, limitations in the storage, computing, and communication capabilities of devices increase the difficulty of implementing these security safeguards. To address this problem, this paper proposes a resource-constrained anonymous data-sharing scheme (ADS-RC) for the IoT. In ADS-RC, we use elliptic curve operations to replace computation-intensive bilinear pairing operations, thereby reducing the computational and communication burden on end devices. We combine an anonymous verifiable algorithm and an attribute encryption algorithm to ensure double anonymity and data confidentiality during the data-sharing process. To deal with potential dishonest behavior, this solution supports the revocation of malicious user permissions. In addition, we designed a batch data integrity verification algorithm and stored verification evidence on the blockchain to ensure the security and traceability of data during transmission and storage. Through experimental verification, the ADS-RC scheme achieves reasonable efficiency in correctness, security and efficiency, providing a new solution for data sharing in resource-constrained IoT environments.

Tong Wu,Weijie Wang,Chuan Zhang,Weiting Zhang,Liehuang Zhu,Keke Gai,Haotian Wang

DOI: https://doi.org/10.1109/jiot.2022.3222453

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Blockchain has been a promising infrastructure for enabling secure data sharing for the Internet of Things (IoT). With the widespread of IoT applications, security issues, such as data privacy, anonymity, and accountability become critical concerns for the users, which are essential principles for secure communication in those applications. However, the existing blockchain-based data-sharing schemes mainly consider data privacy. Only a few works can support anonymity with strong, trusted assumptions. Thus, there is a research gap on the anonymity of blockchain-based data sharing for IoT, which does not rely on any trusted party. In this article, we propose a blockchain-based anonymous data-sharing scheme (BA-DS) by adopting a novel public key encryption derived from a ring signature. In BA-DS, we remove the trusted party and ensure anonymity by using an unconditional linkable ring signature and Signature of Knowledge (SoK). During the revocation, we apply blockchain infrastructure to record the valid revocation list and generate a tag for data stored on the cloud, providing solid accountability. The formal security analysis shows that BA-DS is selective indistinguishable secure in the random oracle model. Additionally, we also prove that BA-DS holds anonymity, data privacy, accountability, and authenticity. The extensive experiments indicate that our proposed BA-DS achieves reasonable efficiency in terms of computational complexity, communication overhead, and consumption on the blockchain.

Cristian Nicolae Butincu,Adrian Alexandrescu

DOI: https://doi.org/10.1109/access.2024.3394537

IF: 3.9

2024-05-03

IEEE Access

Abstract:The increased digitalization of society raises concerns regarding data protection and user privacy, and criticism on how the companies handle user data without being transparent and without providing adequate mechanisms for users to control how their own data is being processed or shared. To address this problem and open the way for a secure and efficient society, where the privacy of citizens is paramount, the identity concept and proof of identity mechanisms need to be redesigned from the ground up. In this paper we discuss how the emerging Web3 technologies like distributed ledger technology (DLT), blockchain, smart contracts, decentralized storage systems, and crypto wallets can be leveraged to design and implement a decentralized digital identity system based on decentralized identifiers (DID) and self-sovereign identities (SSI). Such a system puts the users in full control over their own data while also providing a solid backbone for building interoperable systems that are secure, scalable, and efficient. We propose different architectures for the decentralized identity infrastructure and storage layer, and also discuss the mapping of these architectures on cloud platforms. The main goal is to provide an architectural blueprint for a scalable, secure, privacy-preserving and trusted system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Carlo Mazzocca,Abbas Acar,Selcuk Uluagac,Rebecca Montanari,Paolo Bellavista,Mauro Conti

2024-02-04

Abstract:Digital identity has always been considered the keystone for implementing secure and trustworthy communications among parties. The ever-evolving digital landscape has gone through many technological transformations that have also affected the way entities are digitally identified. During this digital evolution, identity management has shifted from centralized to decentralized approaches. The last era of this journey is represented by the emerging Self-Sovereign Identity (SSI), which gives users full control over their data. SSI leverages decentralized identifiers (DIDs) and verifiable credentials (VCs), which have been recently standardized by the World Wide Web Community (W3C). These technologies have the potential to build more secure and decentralized digital identity systems, remarkably contributing to strengthening the security of communications that typically involve many distributed participants. It is worth noting that the scope of DIDs and VCs extends beyond individuals, encompassing a broad range of entities including cloud, edge, and Internet of Things (IoT) resources. However, due to their novelty, existing literature lacks a comprehensive survey on how DIDs and VCs have been employed in different application domains, which go beyond SSI systems. This paper provides readers with a comprehensive overview of such technologies from different perspectives. Specifically, we first provide the background on DIDs and VCs. Then, we analyze available implementations and offer an in-depth review of how these technologies have been employed across different use-case scenarios. Furthermore, we examine recent regulations and initiatives that have been emerging worldwide. Finally, we present some challenges that hinder their adoption in real-world scenarios and future research directions.

Cryptography and Security,Computers and Society

Efat Samir,Hongyi Wu,Mohamed Azab,Chunsheng Xin,Qiao Zhang,Chun Sheng Xin

DOI: https://doi.org/10.1109/jiot.2021.3112537

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:In a ubiquitous environment enclosing cooperative Internet-of-Things (IoT) devices, individuals, and entities, digital identity management (DIM) becomes critical and challenging. DIM pertains to device identities authentication and verification to enable trustworthy service exchange, data collection, and decision making. DIM is the supporting pillar for all online services and the foundation for security and authentication mechanisms. Due to the extreme heterogeneity, scale, and configuration complexity of such environments, enabling trustworthy DIM is crucial and seriously challenging. In an IoT context, devices use local digital identities stored within a tamper-proof unit and verified by a centralized authority for authentication. The recent attacks on IoT systems showed how vulnerable such a design is. It is also an inherent problem that influences humans. From that, self-sovereign identity (SSI) has emerged as a decentralized DIM approach embracing the concept of portable self-possession identity. SSI was presented to couple the digital identity from the owner to enable large-scale cooperation. However, digital identity storage and verification still occur on the device and in a centralized manner. Utilizing a local single-point-of-failure storage memory for verifiable credentials is one of the considerable drawbacks in contemporary SSI. In this regard, this article introduces decentralized trustworthy-self-sovereign identity management (DT-SSIM), a novel decentralized trustworthy SSI management framework. DT-SSIM integrates the secret share scheme with the blockchain-based smart contracts technologies to provide transparent and trustworthy SSI-based DIM services for IoT. Storing IoT identity credentials outside the devices' local storage preserves the identity credentials from being tampered with or misused. Evaluations and discussions show the resiliency assessment of the system and the cost and estimated running times for verification pro-esses in DT-SSIM.

computer science, information systems,telecommunications,engineering, electrical & electronic

Nikos Fotiou,Iakovos Pittaras,Vasilios A. Siris,George C. Polyzos

DOI: https://doi.org/10.48550/arXiv.1911.05539

2019-11-13

Abstract:In this work, we leverage advances in decentralized identifiers and permissioned blockchains to build a flexible user authentication and authorization mechanism that offers enhanced privacy, achieves fast revocation, and supports distributed "policy decision points" executed in mutually untrusted entities. The proposed solution can be applied in multi-tenant "IoT hubs" that interconnect diverse IoT silos and enable authorization of "guest" users, i.e., opportunistic users that have no trust relationship with the system, which has not encountered or known them before.

Cryptography and Security

Wei Ren,Ruoting Xiong,Yizhi Liu,G. Min,Tianqing Zhu,Xiaohan Hao,K. Choo

DOI: https://doi.org/10.1109/TC.2022.3157996

IF: 3.183

2023-02-01

IEEE Transactions on Computers

Abstract:Internet-of-Things (IoT) are increasingly operating in the zero-trust environments where any devices and systems may be compromised and hence untrusted. In addition, data collected by and sent from IoT devices may be shared with and processed by edge computing systems, in order to reduce the reliance on centralized (cloud) servers, leading to further security and privacy issues. To cope with these challenges, this paper proposes an innovative blockchain-enabled information sharing solution in zero-trust context to guarantee anonymity yet entity authentication, data privacy yet data trustworthiness, and participant stimulation yet fairness. This new solution is able to support filtering of fabricated information through smart contracts, effective voting, and consensus mechanisms, which can prevent unauthenticated participants from sharing garbage information. We also prove that the proposed solution is secure in the universal composability framework, and further evaluate its performance over an Ethereum-based blockchain platform to demonstrate its utility.

Computer Science,Engineering

Rui Song

2024-01-02

Abstract:Decentralized identity mechanisms endeavor to endow users with complete sovereignty over their digital assets within the Web3 ecosystem. Unfortunately, this benefit frequently comes at the expense of users' credential and identity privacy. Additionally, existing schemes fail to resist Sybil attacks that have long plagued Web3, and lack reasonable key recovery mechanisms to regain control of digital assets after loss. In this work, we propose LinkDID, a privacy-preserving, Sybil-resistant, and key-recoverable decentralized identity scheme that supports selective disclosure of credentials for arbitrary predicates while maintaining privacy for credentials and identities. Through an identifier association mechanism, LinkDID can privately and forcibly aggregate users' identifiers, providing Sybil resistance without relying on any external data or collateral from benign users. To enable key recovery, LinkDID permits users to establish proofs of ownership for identifiers with lost keys and request an update of corresponding keys from the decentralized ledger. We provide a detailed theoretical analysis and security proofs of LinkDID, along with an exhaustive performance evaluation that shows its ability to complete interactions in less than 10 seconds on consumer-grade devices.

Cryptography and Security

Ziyi Su,Shiwei Wang,Hongliu Cai,Jiaxuan Huang,Yourong Chen,Xudong Zhang,Muhammad Alam

DOI: https://doi.org/10.3390/electronics13183735

IF: 2.9

2024-09-21

Electronics

Abstract:Current authentication schemes based on zero-knowledge proof (ZKP) still face issues such as high computation costs, low efficiency, and security assurance difficulty. Therefore, we propose a secure and efficient authentication scheme (SEAS) for large-scale IoT devices based on ZKP. In the initialization phase, the trusted authority creates prerequisites for device traceability and system security. Then, we propose a new registration method to ensure device anonymity. In the identity tracing and revocation phase, we revoke the real identity of abnormal devices by decrypting and updating group public keys, avoiding their access and reducing revocation costs. In the authentication phase, we check the arithmetic relationship between blind certificates, proofs, and other random data. We propose a new anonymous batch authentication method to effectively reduce computation costs, enhance authentication efficiency, and guarantee device authentication security. Security analysis and experimental results show that an SEAS can ensure security and effectively reduce verification time and energy costs. Its security and performance exceed existing schemes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Cong Wang,Xu Deng,Maode Ma,Qiang Li,Hongpeng Bai,Yanan Zhang

DOI: https://doi.org/10.1002/ett.4979

IF: 3.6

2024-04-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract The Named Data Networking (NDN) architecture, known for its caching strategies and name‐based routing, is an exemplary paradigm for content distribution across Internet of Things (IoT) devices. In the environment of NDN‐IoT, there is an urgent demand for a lightweight signature authentication scheme suitable for terminal devices to ensure the integrity of Data packets and the legitimacy of their sources. Many researchers opt for employing certificateless public key cryptography measures to enhance the security of communication among terminal devices in NDN‐IoT. However, among the array of proposed solutions, issues such as lack of resistance against signer identity exposure, susceptibility to man‐in‐the‐middle attacks, and replay attacks persist. Some researchers advocate for partitioning the devices in NDN‐IoT into different zones, yet there remains a deficiency in the design of packet exchange mechanisms across distinct zones. To address these issues, this paper proposes a novel blockchain‐based certificate‐less signature scheme in the NDN‐IoT environment that integrates key features such as distributed legitimate producer management, inter‐domain interaction mechanisms, anonymous identity protection, and blockchain storage optimization. The overarching goal is to provide robust security services for resource‐constrained devices within the NDN infrastructure while ensuring authenticity and integrity of data packets while alleviating the burden of certificate management on end devices. Compared to similar existing solutions, our proposed method incurs only 34% of the computational overhead required for Data packet signature verification, while maintaining equivalent cache occupancy and achieving higher security performance.

telecommunications

Dimitrios Kasimatis,Sam Grierson,William J. Buchanan,Chris Eckl,Pavlos Papadopoulos,Nikolaos Pitropakis,Craig Thomson,Baraq Ghaleb

DOI: https://doi.org/10.48550/arXiv.2403.05271

2024-03-08

Cryptography and Security

Abstract:Decentralised identifiers have become a standardised element of digital identity architecture, with supra-national organisations such as the European Union adopting them as a key component for a unified European digital identity ledger. This paper delves into enhancing security and privacy features within decentralised identifiers by integrating ring signatures as an alternative verification method. This allows users to identify themselves through digital signatures without revealing which public key they used. To this end, the study proposed a novel decentralised identity method showcased in a decentralised identifier-based architectural framework. Additionally, the investigation assesses the repercussions of employing this new method in the verification process, focusing specifically on privacy and security aspects. Although ring signatures are an established asset of cryptographic protocols, this paper seeks to leverage their capabilities in the evolving domain of digital identities.

Yuan Ji,Tian Ye,Xiang -Yang Li

DOI: https://doi.org/10.1109/bigcom57025.2022.00027

2022-01-01

Abstract:With the gradual development of the Internet of Things, people rely more and more on the Internet of Things devices to assist their daily lives. The permissions of IoT devices make it easy for them to rescue or destroy our lives. This paper proposes a new scalable IoT security framework (ISDF), which uses the unforgeable physical layer characteristics of IoT devices as the verification basis to identify illegal devices. This framework combined with the identifier generation algorithm to generate a unique trusted identifier. Under the verification of more than a dozen devices such as bluetooth, wifi, and voice, the identifiers we generate have high robustness and stability, the accuracy of verification is more than 93%. Compared with existing solutions, our framework has the advantages of supporting multimodality and high verification success rate.

Jiakun Hao,Jianbo Gao,Peng Xiang,Jiashuo Zhang,Ziming Chen,Hao Hu,Zhong Chen

DOI: https://doi.org/10.1109/smc53992.2023.10394499

2023-01-01

Abstract:Decentralized identity (DID) is an identity management framework aiming to return the ownership of an identity to its corresponding user. Recent studies propose to store the identifiers of DID issuers and implement identity management systems based on blockchain. However, existing systems cannot avoid identity tampering and verifiable credential abuse of decentralized identities, which makes the identity management opaque. In this paper, we propose TDID, a Transparent and efficient Decentralized IDentity management system with blockchain. The key insight behind TDID is to manage the registration and authentication of DIDs via smart contracts, and design Structured Merkle Patricia Tree (SMPT) as an underlying data structure to store identity data on blockchain. The smart contract based processes can improve transparency of decentralized identity management, while the SMPT data structure can realize efficient storage of DID data. We implement and evaluate TDID on different identity management operations, and the experimental results show that TDID can achieve about 3.1 times for write operation and 6.3 times for read operation while improving the transparency of DID management.

Weichu Deng,Jin Li,Hongyang Yan,Arthur Sandor Voundi Koe,Teng huang,Jianfeng Wang,Cong Peng

DOI: https://doi.org/10.1016/j.jisa.2024.103885

IF: 4.96

2024-09-14

Journal of Information Security and Applications

Abstract:In the Internet of Things, access control and identity management rely on centralized platforms. However, centralized platforms will compromise user privacy with identity leakage. Self-sovereign identity (SSI) is a novel model for identity management that does not require third-party centralized authority. Thus, SSI is a potential solution to the identity management problem in IoT access control. This paper's motivation is to address the problems of lack of identity sovereignty, centralized authorization, and high computational overhead for IoT access control. We propose a novel access control scheme for IoT that decentralizes identity management and tackles single-point-of-failure issues. This scheme leverages ciphertext policy attribute-based encryption (CP-ABE) and SSI to achieve the overall goal. Specifically, Our scheme eliminates the central authority and empowers users to manage their identity, allowing users to decide what attributes they disclose. Regarding the distribution of roles in the architecture, this paper follows the generic SSI model (ISSUER–HOLDER—VERIFIER) that allows a user to access a service from a service provider. To enable real-world deployment of our scheme, we establish an attribute authorization authority(such as the government) as a trusted identity point of entry. Users generate decentralized identifiers to enjoy services of interest in a privacy-preserving manner. The analysis demonstrates the practicality and superiority of our scheme. Our scheme requires less computation and is suitable for resource-constrained IoT scenarios.

computer science, information systems