We present how blockchain technology can power IoT (Internet of Things) edge authentication, which is critical for the security and reliability of millions of IoT applications across sectors such as business, manufacturing, transportation, healthcare and banking.
6. Comparing Traditional IAM and IoT IAM

Aspect                                 | Traditional IAM               | IoT IAM
End points to manage                   | Typically < 100,000           | Can be millions
System administration                  | IT and security departments   | Operational personnel, plant and business managers
Auditing                               | User-centric                  | Device-centric
Authentication process                 | Passwords, biometrics         | PKI certificates, device behaviors, biometrics
Provisioning and registration process  | Static                        | Dynamic, application driven
Self-service                           | Typically web based           | Also supports Bluetooth, DSRC and other wireless communication
13. IoT Gateway Architecture

Operating System
Example: Linux or Android OS

HAL (Hardware Abstraction Layer)
Supports reusability and portability of the IoT software.

IoT Sensors Stack
Software stacks that serve as interfaces with IoT sensor modules.
Examples: ZigBee, 6LoWPAN, EnOcean, BLE, Modbus, PROFIBUS

Device Management and Configuration
Configuration and settings to interface with different types of sensor devices.

Security
Ensures robust data security, device security and network security.

FOTA
Firmware Over The Air (FOTA) updates with the latest versions of security patches, OS, firewalls and more.

Data Communication Protocols
Connects with the cloud over Ethernet, Wi-Fi or a 4G/3G modem via UDP or TCP/IP. MQTT, CoAP, XMPP and AMQP are utilized.

Data Management
Includes data streaming, data filtering and data storing.

Cloud Connectivity Manager
Connectivity, device state, heartbeat messages, and gateway device authentication with the cloud.

Custom Application
Manages data between sensor node and gateway and from gateway to cloud.

Gateway Data Transfer
Connects to the internet for data transfer using Ethernet, a 4G/3G/GPRS modem or Wi-Fi.

Reference: https://www.embitel.com/blog/embedded-blog/understanding-how-an-iot-gateway-architecture-works
15. Key Requirements for IoT Edge Authentication
• Has to replace a central authority with distributed apps; must not depend on a single point of failure; needs a means to distribute trust
• Needs distributed storage of device security data that is immutable
• Automated process to add and update devices without a manual authorization and authentication step, driven by smart contract code
• Needs a means to flag abnormal behavior and quarantine devices, based on group consensus on what is normal
Answer - Blockchain technology
20. Support in Blockchain for IAM security policies

    package main

    import (
        "github.com/hyperledger/fabric/core/chaincode/shim"
        sc "github.com/hyperledger/fabric/protos/peer"
    )

    // SmartContract carries the chaincode handlers; the per-function methods
    // (queryCar, initLedger, ...) are defined elsewhere in the chaincode.
    type SmartContract struct{}

    func (s *SmartContract) Init(APIstub shim.ChaincodeStubInterface) sc.Response {
        return shim.Success(nil)
    }

    // Invoke dispatches each transaction to the named handler and rejects
    // any function name that is not part of the contract.
    func (s *SmartContract) Invoke(APIstub shim.ChaincodeStubInterface) sc.Response {
        function, args := APIstub.GetFunctionAndParameters()
        if function == "queryCar" {
            return s.queryCar(APIstub, args)
        } else if function == "initLedger" {
            return s.initLedger(APIstub)
        } else if function == "createCar" {
            return s.createCar(APIstub, args)
        } else if function == "queryAllCars" {
            return s.queryAllCars(APIstub)
        } else if function == "changeCarOwner" {
            return s.changeCarOwner(APIstub, args)
        }
        return shim.Error("Invalid Smart Contract function name.")
    }
Smart Contracts - Enforce who can perform what actions
Access Control Language - ACL rules determine which users/roles are permitted to create, read, update or delete member elements.
Certificate authority - issues and certifies X.509 certificates
    rule networkControlPermission {
        description: "networkControl can access network commands"
        participant: "org.acme.vehicle.auction.networkControl"
        operation: ALL
        resource: "org.hyperledger.composer.system.Network"
        action: ALLOW
    }
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
            Validity
                Not Before: Nov 21 08:00:00 2016 GMT
            Subject Public Key Info:
                Public-Key: (256 bit)
                pub:
                    04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:
                    af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:
Shared Configuration - Policies dictating modification of elements in configuration
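To make the ACL point on this slide concrete, here is an added example (not code from the deck, from Hyperledger Composer or from Fabric) of the first-match, default-deny evaluation such rules imply: a small Go policy engine run over a constructed device-registry policy that includes the networkControl rule shown above. Everything else in the policy (the Gateway and Auditor participant types, the org.acme.iot resources, the OwnerOnly condition and the rule order) is an assumption made for the example.

```go
package main
import "strings"

// Rule is a simplified, assumed model of a Composer-style ACL rule.
type Rule struct {
	Description string
	Participant string // participant type, or "ANY"
	Operation   string // CREATE, READ, UPDATE, DELETE or ALL
	Resource    string // resource type; a trailing ".*" matches a namespace
	OwnerOnly   bool   // participant must also be the resource's owner
	Action      string // "ALLOW" or "DENY"
}

// Request is one access attempt checked against the policy.
type Request struct {
	Participant, ParticipantID, Operation, Resource, ResourceOwner string
}

func matchType(pattern, value string) bool {
	if pattern == "ANY" || pattern == value {
		return true
	}
	return strings.HasSuffix(pattern, ".*") &&
		strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
}

// Evaluate walks the rules in order; the first rule whose participant,
// operation, resource and ownership condition all match decides.
// A request that matches no rule is denied.
func Evaluate(rules []Rule, req Request) (bool, string) {
	for _, r := range rules {
		if !matchType(r.Participant, req.Participant) ||
			(r.Operation != "ALL" && r.Operation != req.Operation) ||
			!matchType(r.Resource, req.Resource) ||
			(r.OwnerOnly && req.ParticipantID != req.ResourceOwner) {
			continue
		}
		return r.Action == "ALLOW", r.Description
	}
	return false, "no matching rule: default deny"
}

// DevicePolicy is a constructed sample policy (assumed names); the DENY
// rule is listed first so that no later ALLOW can override it.
var DevicePolicy = []Rule{
	{"device records are never deleted", "ANY", "DELETE", "org.acme.iot.Device", false, "DENY"},
	{"networkControl can access network commands", "org.acme.vehicle.auction.networkControl", "ALL", "org.hyperledger.composer.system.Network", false, "ALLOW"},
	{"gateways manage only the devices they own", "org.acme.iot.Gateway", "ALL", "org.acme.iot.Device", true, "ALLOW"},
	{"auditors read anything in the iot namespace", "org.acme.iot.Auditor", "READ", "org.acme.iot.*", false, "ALLOW"},
}
```

Because the first matching rule wins, rule order is part of the policy: moving the DENY rule below the gateway rule would let a gateway delete its own device records.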