Research Area:  Internet of Things
User access control is a crucial requirement in any Internet of Things (IoT) deployment, as it allows one to provide authorization, authentication, and revocation of a registered legitimate user to access real-time information and/or service directly from the IoT devices. To complement the existing literature, we design a new three-factor certificateless-signcryption-based user access control for the IoT environment (CSUAC-IoT). Specifically, in our scheme, a user U's password, personal biometrics, and mobile device are used as the three authentication factors. By executing the login and access control phase of CSUAC-IoT, a registered user (U) and a designated smart device (Si) can authorize and authenticate mutually via the trusted gateway node (GN) in a particular cell of the IoT environment. In our setting, the environment is partitioned into disjoint cells, and each cell will contain a certain number of IoT devices along with a GN. With the established session key between U and Si, both entities can then communicate securely. In addition, CSUAC-IoT supports new IoT devices deployment, user revocation, and password/biometric update functionality features. We prove the security of CSUAC-IoT under the real-or-random (ROR) model, and demonstrate that it can resist several common attacks found in a typical IoT environment using the AVISPA tool. A comparative analysis also reveals that CSUAC-IoT achieves a better tradeoff for security and functionality, and computational and communication costs, in comparison to five other competing approaches.
Keywords:  
Author(s) Name:  Shobhan Mandal; Basudeb Bera; Anil Kumar Sutrala; Ashok Kumar Das; Kim-Kwang Raymond Choo; YoungHo Park
Journal name:  IEEE Internet of Things Journal
Conference name:  
Publisher name:  IEEE
DOI:  10.1109/JIOT.2020.2966242
Volume Information:  Volume: 7, Issue: 4, April 2020, Page(s): 3184 - 3197
Paper Link:   https://ieeexplore.ieee.org/abstract/document/8957688