IoTSEAR: A System for Enforcing Access Control Rules with the IoT

Internet of Things (IoT) environments are composed of heterogeneous sensors and devices that collect and share contextual information. This data can improve the accuracy and usability of access control systems, as authentication and authorization requirements can be specified more precisely. However, certain security requirements need to be enforced in order to use such data in access control decision processes. In short, the data must be authentic, recent, and unforgeable. In this paper, we present a generic model for context, which takes datasecurity into account along with properties about the device, or context-source. Security-objects, such as message signatures, are modeled as proofs, which are verifiable, while information about the context-source, communication channel, and the data itself is captured as meta-data. This model allows an access control system to verify the authenticity and trustworthiness of contextdata by (1) checking the presence of a specific proof and verifying it, and (2) analyzing the associated meta-data. It covers not only data from IoT sources, but also authorization and identity tokens. In addition, we present IoTSEAR, a middleware for trustworthy context-aware access control, which uses this model internally. Finally, we show performance results of our IoTSEAR prototype, which show that the overhead is low and that the system is usable even on commodity hardware. Keywords–Access Control, Security, Internet of Things