Abstract
As IoT becomes omnipresent vast amounts of data are generated, which can be used for building innovative applications. However, interoperability issues and security concerns, prevent harvesting the full potentials of these data. In this paper we consider the use case of data generated by smart buildings. Buildings are becoming ever “smarter” by integrating IoT devices that improve comfort through sensing and automation. However, these devices and their data are usually siloed in specific applications or manufacturers, even though they can be valuable for various interested stakeholders who provide different types of “over the top” services, e.g., energy management. Most data sharing techniques follow an “all or nothing” approach, creating significant security and privacy threats, when even partially revealed, privacy-preserving, data subsets can fuel innovative applications. With these in mind we develop a platform that enables controlled, privacy-preserving sharing of data items. Our system innovates in two directions: Firstly, it provides a framework for allowing discovery and selective disclosure of IoT data without violating their integrity. Secondly, it provides a user-friendly, intuitive mechanisms allowing efficient, fine-grained access control over the shared data. Our solution leverages recent advances in the areas of Self-Sovereign Identities, Verifiable Credentials, and Zero-Knowledge Proofs, and it integrates them in a platform that combines the industry-standard authorization framework OAuth 2.0 and the Web of Things specifications.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Au, M.H., Susilo, W., Mu, Y.: Constant-size dynamic k-TAA. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 111–125. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_8
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3
Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation using the strong Diffie Hellman assumption revisited. In: Franz, M., Papadimitratos, P. (eds.) Trust 2016. LNCS, vol. 9824, pp. 1–20. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45572-3_1
Fett, D., et al.: OAuth 2.0 Demonstrating of Proof-of-Possession at the Application Layer (DPoP). RFC draft (2020). https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
Dimitrakos, T., et al.: Trust aware continuous authorization for zero trust in consumer internet of things. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1801–1812 (2020)
Fotiou, N., Siris, V.A., Polyzos, G.C., Kortesniemi, Y., Lagutin, D.: Capabilities-based access control for IoT devices using verifiable credentials. In: SafeThings 2022. IEEE (2022)
Ghosh, N., Chandra, S., Sachidananda, V., Elovici, Y.: Softauthz: a context-aware, behavior-based authorization framework for home IoT. IEEE Internet Things J. 6(6), 10773–10785 (2019)
Goyal, G., Liu, P., Sural, S.: Securing smart home IoT systems with attribute-based access control. In: Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, Sat-CPS 2022, pp. 37–46. Association for Computing Machinery, New York, NY, USA (2022)
Hardt, D.: The OAuth 2.0 authorization framework. RFC 6749, IETF (2012)
Jones, M.: JSON Web Key (JWK). RFC 7517, IETF (2015). https://tools.ietf.org/html/rfc7517
Kaastra, M., Tinkler, S., Tuzlic, S., Abts, M., Griggiths, F., Allen, J.: New Energy Consumer. Report, Accenture (2022). https://www.accenture.com/sk-en/insights/utilities/new-energy-transition-demand
Kalos, V., Polyzos, G.C.: Requirements and Secure Serialization for Selective Disclosure Verifiable Credentials. In: Meng, W., Fischer-Hübner, S., Jensen, C.D. (Eds.) ICT Systems Security and Privacy Protection. SEC 2022. IFIP Advances in Information and Communication Technology, vol. 648, pp. 231–247. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-06975-8_14
Kovatsch, M., Matsukura, R., Lagally, M., Kawaguchi, T., Toumura, K., Kajimoto, K.: Web of Things Architecture. In: W3C Recommendation, W3C (2020). https://www.w3.org/TR/wot-architecture/
Longley, D., Sporny, M.: Revocation list 2020. Draft Community Group Report, W3C (2021). https://w3c-ccg.github.io/vc-status-rl-2020/
M. Sporny et al.: Verifiable credentials data model 1.1. W3C Recommendation, W3C (2022). https://www.w3.org/TR/verifiable-claims-data-model/
Reijsbergen, D., Maw, A., Dinh, T.T.A., Li, W.T., Yuen, C.: Securing smart grids through an incentive mechanism for blockchain-based data sharing. In: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, CODASPY 2022, pp. 191–202. Association for Computing Machinery, New York, NY, USA (2022)
Kaebish, S., Kamiya, T., McCool, M., Charpenay, V., Kovatsch, M.: Web of Things Thing Description. W3C Recommendation, W3C (2020). https://www.w3.org/TR/wot-thing-description/
Schuster, R., Shmatikov, V., Tromer, E.: Situational access control in the Internet of Things. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 1056–1073. ACM, New York, NY, USA (2018)
Shafagh, H., Burkhalter, L., Hithnawi, A., Duquennoy, S.: Towards blockchain-based auditable storage and sharing of IoT data. In: Proceedings of the 2017 on Cloud Computing Security Workshop, CCSW 2017, pp. 45–50. Association for Computing Machinery, New York, NY, USA (2017)
Shakarami, M., Benson, J., Sandhu, R.: Blockchain-based administration of access in smart home IoT. In: Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, Sat-CPS 2022, pp. 57–66. Association for Computing Machinery, New York, NY, USA (2022)
Sikder, A.K., et al.: Kratos: multi-user multi-device-aware access control system for the smart home. In: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2020, pp. 1–12. Association for Computing Machinery, New York, NY, USA (2020)
Sikder, A.K., et al.: Who’s controlling my device? Multi-user multi-device-aware access control system for shared smart home environment. ACM Trans. Internet Things 3(4) (2022). https://dl.acm.org/doi/10.1145/3543513
Sun, Y., Yin, L., Sun, Z., Tian, Z., Du, X.: An IoT data sharing privacy preserving scheme. In: IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 984–990. IEEE (2020)
Lodderstedt, T., et al.: OAuth 2.0 Rich Authorization Requests. RFC draft (2022). https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar
Whitehead, A., Lodder, M., Looker, T., Kalos, V.: The BBS signature scheme (2022). https://identity.foundation/bbs-signature/draft-bbs-signatures.html
Acknowledgments
The work reported in this paper has been funded in part by European Union’s Horizon 2020 research and innovation programme through subgrant Selective IoT data sharing (SelectShare) of project NGI DAPSI (Data Portability and Services Incubator, Grant Agreement ID: 871498).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 Springer Nature Switzerland AG
About this paper
Cite this paper
Fotiou, N. et al. (2023). Authentication, Authorization, and Selective Disclosure for IoT Data Sharing Using Verifiable Credentials and Zero-Knowledge Proofs. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2022. Lecture Notes in Computer Science, vol 13782. Springer, Cham. https://doi.org/10.1007/978-3-031-25467-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-031-25467-3_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25466-6
Online ISBN: 978-3-031-25467-3
eBook Packages: Computer ScienceComputer Science (R0)