This is an early access version; the complete PDF, HTML, and XML versions will be available soon.
Article

Distributed Ledger-Based Authentication and Authorization of IoT Devices in Federated Environments

1 Faculty of Cybernetics, Military University of Technology, 00-908 Warsaw, Poland
2 NATO Cyber Security Centre, 2597AK The Hague, The Netherlands
* Author to whom correspondence should be addressed.
Electronics 2024, 13(19), 3932; https://doi.org/10.3390/electronics13193932
Submission received: 8 September 2024 / Revised: 29 September 2024 / Accepted: 30 September 2024 / Published: 4 October 2024
(This article belongs to the Special Issue Security and Trust in Internet of Things and Edge Computing)

Abstract

One of the main security challenges when federating separate Internet of Things (IoT) administrative domains is effective Identity and Access Management, which is required to establish trust and secure communication between federated IoT devices. The primary goal of the work is to develop a “lightweight” protocol to enable authentication and authorization of IoT devices in federated environments and ensure the secure communication of IoT devices. We propose a novel Lightweight Authentication and Authorization Framework for Federated IoT (LAAFFI) which takes advantage of the unique fingerprint of IoT devices based on their configuration and additional hardware modules, such as Physical Unclonable Function, to provide flexible authentication and authorization based on Distributed Ledger technology. Moreover, LAAFFI supports IoT devices with limited computing resources and devices not equipped with secure storage space. We implemented a prototype of LAAFFI and evaluated its performance in the Hyperledger Fabric-based IoT framework. Three main metrics were evaluated: latency, throughput (number of operations or transactions per second), and network resource utilization rate (transmission overhead introduced by the LAAFFI protocol). The performance tests conducted confirmed the high efficiency and suitability of the protocol for federated IoT environments. Also, all LAAFFI components are scalable as confirmed by tests. We formally evaluated LAAFFI security using Verifpal as a formal verification tool. Based on the models developed for Verifpal, we validated their security properties, such as message secrecy, authenticity, and freshness. Our results show that the proposed solution can improve the security of federated IoT environments while providing zero-day interoperability and high scalability. Compared to existing solutions, LAAFFI is more efficient due to the use of symmetric cryptography and algorithms adapted for operations involving IoT devices. 
LAAFFI supports multiple authorization mechanisms, and since it also offers authentication and accountability, it meets the requirements of Authentication, Authorization and Accounting (AAA). It uses Distributed Ledger (DL) and smart contracts to ensure that the request complies with the policies agreed between the organizations. LAAFFI offers authentication of devices belonging to a single organization and different organizations, with the assurance that the encryption key will be shared with another device only if the appropriate security policy is met. The proposed protocol is particularly useful for ensuring the security of federated IoT environments created ad hoc for special missions, e.g., operations conducted by NATO countries and Humanitarian Assistance and Disaster Relief (HADR) operations involving military forces and civilian services, where immediate interoperability is required.
Keywords: internet of things; blockchains; authentication; distributed systems

Share and Cite

MDPI and ACS Style

Jarosz, M.; Wrona, K.; Zieliński, Z. Distributed Ledger-Based Authentication and Authorization of IoT Devices in Federated Environments. Electronics 2024, 13, 3932. https://doi.org/10.3390/electronics13193932

AMA Style

Jarosz M, Wrona K, Zieliński Z. Distributed Ledger-Based Authentication and Authorization of IoT Devices in Federated Environments. Electronics. 2024; 13(19):3932. https://doi.org/10.3390/electronics13193932

Chicago/Turabian Style

Jarosz, Michał, Konrad Wrona, and Zbigniew Zieliński. 2024. "Distributed Ledger-Based Authentication and Authorization of IoT Devices in Federated Environments" Electronics 13, no. 19: 3932. https://doi.org/10.3390/electronics13193932
