BCoT Sentry: A Blockchain-Based Identity Authentication Framework for IoT Devices
Abstract
1. Introduction
- We design an IoT blockchain architecture to store device identity information in a distributed ledger.
- We propose a BCoT Gateway to facilitate the recording of authentication transactions in a blockchain network without modifying existing device hardware or applications.
- We propose a new device recognition model that is suitable for blockchain-based identity authentication, where a novel device traffic flow feature selection method is proposed.
- We develop a BCoT Sentry framework as a reference implementation of our proposed method.
2. Motivation and Related Work
2.1. IoT Network Security
2.2. Related Work
2.2.1. Blockchain and Smart Contract
2.2.2. Security Challenges in IoT
- Mnif et al. [30] propose a new method adapted to resource-constrained wireless sensor networks, where only legitimate users can access node resources, and unauthorized users are denied access.
- Markus et al. [31] propose a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices to minimize damage resulting from their compromise.
2.2.3. Convergence of Blockchain and IoT
- (1) Decentralization. Distributed nodes maintain data consistency on the blockchain network through a consensus algorithm, without relying on third parties.
- (2) Persistency. In blockchain, invalid transactions will not be identified by miners, so transactions that have been confirmed cannot be deleted.
- (3) Auditability. Every transaction packaged on the blockchain can be easily verified and tracked, and each block points to the transactions packaged in the previous block.
3. The BCoT Sentry Methodology
3.1. BCoT Sentry Architecture
- (1) IoT Physical Network: An IoT physical network is a communication network composed of numerous tiny devices with limited capabilities. It can operate in an isolated environment, or it can be connected to the Internet through a gateway.
- (2) Blockchain Network: In our framework, the blockchain network is a consortium chain. Nodes communicate with the blockchain through a reserved interface. Transaction logs and device records are maintained on the blockchain by every node; they are decentralized and cannot be tampered with.
- (3) Cloud Applications: In a smart city scenario, IoT devices are typically used by cloud-based applications such as smart transportation, smart home, and telemedicine. Our framework should therefore also support blockchain-based device authentication across the lower device layer and the upper layer of cloud applications.
- (4) BCoT Gateway: In our framework, the BCoT Gateway is essentially an IoT gateway [54] with blockchain node capability. The BCoT Gateway provides the functionalities of protocol conversion and device management:
- (5) Traffic Flow Analyzing: This module monitors the behavior of an individual IoT device and sends the device's traffic flow feature to the Smart Contract via a blockchain transaction.
- (6) Smart Contract and Interface: The device identity authentication mechanism described in this paper is realized by a single smart contract. The IoT device's identity information and the related operations are defined in the smart contract and triggered by blockchain transactions. The smart contract enforces the access permission policies through the defined operations and ensures that only authorized entities can modify or access the device identity information.
3.2. Decentralized Identity Authentication Mechanism
3.3. Device Authentication Model
3.3.1. Device Fingerprint
3.3.2. Weight Assignment
- (1) Discrimination. Discrimination refers to the degree of association between a feature and its corresponding category.
- (2) Stability. Stability refers to how much a feature varies within the same category. A device may be classified into the wrong category because of poor stability of its feature field, so the stability of each feature needs to be considered.
- (3) Sensitivity. Sensitivity is a measure of how sensitive a feature is to change. Features with a lower frequency should be sensitive to changes; conversely, higher-frequency features are relatively insensitive to changes.
- (4) Weight of Fingerprints. In summary, the weight corresponding to a type of device C is given by:
3.3.3. Arbitration
- (1) Register: To identify the type of a new device discovered in the network, the weighted distance between devices is computed; devices of the same type have the minimum weighted distance. For a newly connected device and a certain type of device , the distance vector will be:
- (2) Fraud Detection: Verifies and confirms the identity of registered IoT devices. Let be the fraud indicator, which is used to determine whether the identity of a registered device has been fraudulently used.
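The registration and fraud-detection steps above can be exercised end to end on a small sample. The following is an added example written for this page, not the authors' BCoT Sentry code. It assumes: fingerprints are the per-protocol packet counts of the paper's feature table normalized to proportions of the capture (the "packet length" row is omitted); each feature's weight is the product of the discrimination and stability values from the paper's table, because the paper's actual weight formula is not reproduced on this page (SSDP and MDNS, which the table omits, get a neutral 0.25); the distance is a weighted Euclidean distance; the fraud indicator fires when a registered device's current fingerprint is farther than an assumed threshold from its registered type. All captures are constructed.

```python
from math import sqrt

# Feature set from the paper's fingerprint table: per-protocol packet counts.
FEATURES = ["ARP", "LLC", "IP", "ICMP", "EAPoL", "TCP", "UDP", "HTTP", "HTTPS",
            "DHCP", "BOOTP", "SSDP", "DNS", "MDNS", "NTP", "TELNET"]

# Discrimination and stability values copied from the paper's table.
DISCRIMINATION = {"ARP": 0.8567, "LLC": 0.5555, "IP": 0.8741, "ICMP": 0.6492,
                  "EAPoL": 0.8516, "TCP": 0.8869, "UDP": 0.8086, "HTTP": 0.8926,
                  "HTTPS": 0.9285, "DHCP": 0.8432, "BOOTP": 0.8432, "DNS": 0.7929,
                  "NTP": 0.7925, "TELNET": 0.0000}
STABILITY = {"ARP": 0.5540, "LLC": 0.8068, "IP": 0.3977, "ICMP": 0.8519,
             "EAPoL": 0.6648, "TCP": 0.5943, "UDP": 0.5039, "HTTP": 0.8501,
             "HTTPS": 0.8019, "DHCP": 0.5693, "BOOTP": 0.5693, "DNS": 0.6232,
             "NTP": 0.7318, "TELNET": 1.0000}


def weights():
    """Assumed weighting: discrimination * stability (not the paper's formula).
    SSDP/MDNS are absent from the table and get a neutral 0.5 * 0.5 (assumption).
    A feature with zero discrimination (TELNET) ends up with weight 0, i.e. ignored."""
    return {f: DISCRIMINATION.get(f, 0.5) * STABILITY.get(f, 0.5) for f in FEATURES}


def fingerprint(packets):
    """Build a fingerprint from a capture: each packet is a tuple of the protocols
    it carries. Counts are normalized to proportions so captures of different
    lengths are comparable (normalization is my assumption)."""
    if not packets:
        raise ValueError("empty capture")
    counts = {f: 0 for f in FEATURES}
    for layers in packets:
        for proto in layers:
            if proto in counts:
                counts[proto] += 1
    return {f: counts[f] / len(packets) for f in FEATURES}


def weighted_distance(a, b, w):
    """Weighted Euclidean distance between two fingerprints (assumed metric)."""
    return sqrt(sum(w[f] * (a[f] - b[f]) ** 2 for f in FEATURES))


def register(new_fp, type_profiles, w):
    """Register step: the candidate type is the one at minimum weighted distance."""
    best = min(type_profiles, key=lambda t: weighted_distance(new_fp, type_profiles[t], w))
    return best, weighted_distance(new_fp, type_profiles[best], w)


def is_fraud(device_id, current_fp, registry, type_profiles, w, threshold=0.2):
    """Fraud indicator: True when the device's live traffic no longer matches the
    type it was registered as (threshold of 0.2 is an assumed tuning value)."""
    registered_type = registry[device_id]
    return weighted_distance(current_fp, type_profiles[registered_type], w) > threshold


def build_capture(spec):
    """Constructed capture: list of (protocol tuple, repeat count)."""
    packets = []
    for layers, n in spec:
        packets.extend([layers] * n)
    return packets


# Constructed reference captures for two device types (100 packets each).
CAMERA_CAPTURE = build_capture([(("LLC", "ARP"), 5), (("IP", "TCP", "HTTPS"), 80),
                                (("IP", "UDP", "DNS"), 10), (("IP", "UDP", "NTP"), 5)])
PLUG_CAPTURE = build_capture([(("LLC", "ARP"), 10), (("IP", "UDP", "SSDP"), 40),
                              (("IP", "UDP", "MDNS"), 30), (("IP", "TCP", "HTTP"), 10),
                              (("IP", "UDP", "DHCP", "BOOTP"), 10)])
PROFILES = {"camera": fingerprint(CAMERA_CAPTURE), "smart_plug": fingerprint(PLUG_CAPTURE)}

# Constructed traffic from a newly connected device that behaves like a camera.
NEW_DEVICE_CAPTURE = build_capture([(("LLC", "ARP"), 4), (("IP", "TCP", "HTTPS"), 82),
                                    (("IP", "UDP", "DNS"), 9), (("IP", "UDP", "NTP"), 5)])


def demo():
    w = weights()
    registry = {}
    dev_type, dist = register(fingerprint(NEW_DEVICE_CAPTURE), PROFILES, w)
    registry["dev-01"] = dev_type  # in BCoT Sentry this record would go on-chain
    # Later the same identity emits plug-like traffic: the indicator should fire.
    fraud = is_fraud("dev-01", fingerprint(PLUG_CAPTURE), registry, PROFILES, w)
    return dev_type, dist, fraud


if __name__ == "__main__":
    print(demo())
```

The registry dict stands in for the on-chain device record; the arbitration logic itself is what the Traffic Flow Analyzing module would feed to the smart contract. Note how the zero-discrimination TELNET feature drops out of the distance entirely, which is the practical effect of the discrimination component.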
4. Implementation
4.1. Device Registration
4.2. Smart Contract Interface
4.3. Blockchain Network
4.4. Smart Contract
5. Evaluation
5.1. Dataset
5.2. Evaluation Setting
5.3. Result Analysis
5.4. Time Complexity
6. Conclusions and Future Works
Author Contributions
Funding
Comparison Item | Single CA Model | Blockchain-Based Model |
---|---|---|
How to Build Trust? | Based on users' subjective trust | Based on mathematics |
Trust Anchor | Public key of the CA | Cryptographic methods and consensus mechanism |
Vulnerable to SPOF? | Yes | Naturally immune |
Vulnerable to Replay Attack? | Additional applications need to be deployed | Each transaction is verified by timestamp, nonce, transaction ID, etc. |
Type | Features | Representation |
---|---|---|
Link layer protocol (2) | ARP/LLC | packet number |
Network layer protocol (3) | IP/ICMP/EAPoL | packet number |
Transport layer protocol (2) | TCP/UDP | packet number |
Application layer protocol (9) | HTTP/HTTPS/DHCP/BOOTP/SSDP/DNS/MDNS/NTP/TELNET | packet number |
– | Packet length | number of packets in a pcap file |
Components | Description |
---|---|
Discrimination | The association between a feature and corresponding category |
Stability | The stability of a feature in the same category |
Sensitivity | The sensitivity of the feature to change |
Protocols | Discrimination | Stability |
---|---|---|
ARP | 0.8567 | 0.5540 |
LLC | 0.5555 | 0.8068 |
IP | 0.8741 | 0.3977 |
ICMP | 0.6492 | 0.8519 |
EAPoL | 0.8516 | 0.6648 |
TCP | 0.8869 | 0.5943 |
UDP | 0.8086 | 0.5039 |
HTTP | 0.8926 | 0.8501 |
HTTPS | 0.9285 | 0.8019 |
DHCP | 0.8432 | 0.5693 |
BOOTP | 0.8432 | 0.5693 |
DNS | 0.7929 | 0.6232 |
NTP | 0.7925 | 0.7318 |
TELNET | 0.0000 | 1.0000 |
Packet length | 0.9292 | 0.7661 |
Type | Transaction Cost | Execution Cost |
---|---|---|
Create Contract | 1,487,038 | 1,080,766 |
Add Device Fingerprint | 291,998 | 262,726 |
Modify Device Fingerprint | 160,963 | 131,691 |
Delete Device Fingerprint | 33,301 | 11,261 |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Gong, L.; Alghazzawi, D.M.; Cheng, L. BCoT Sentry: A Blockchain-Based Identity Authentication Framework for IoT Devices. Information 2021, 12, 203. https://doi.org/10.3390/info12050203