FECAC: Fine-Grained and Efficient Capability-Based Access Control for Enterprize-Scale IoT Systems

IF 8.9 1区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS IEEE Internet of Things Journal Pub Date : 2024-11-22 DOI:10.1109/JIOT.2024.3504825

Qiong Wang;Xia Feng;Liangmin Wang;Haiqin Wu;Boris Düdder

{"title":"FECAC: Fine-Grained and Efficient Capability-Based Access Control for Enterprize-Scale IoT Systems","authors":"Qiong Wang;Xia Feng;Liangmin Wang;Haiqin Wu;Boris Düdder","doi":"10.1109/JIOT.2024.3504825","DOIUrl":null,"url":null,"abstract":"In enterprize-scale Internet of Things, users need to query data by accessing the resource-constrained smart nodes. Such queries typically include data from one node (DON), and data from one catalog of multiple nodes (DOC). Traditional access control mechanisms often prove inadequate due to the lack of efficient policy management. Their authorization time for queries is linear with respect to the number of access control rules in the policy, which greatly impedes access granularity, efficiency, and scale. To address this issue, we propose FECAC, a fine-grained and efficient capability-based access control mechanism for DON and DOC access queries. Specifically, FECAC builds a policy matching tree structure by translating the rule into matching properties in the tree node, which avoids authorizing queries by traversing the entire rule collection. We then introduce an authorization scheme to match the elements of access requests in a top-down manner, and check the rules with the internal properties of the data queries sublinearly, which efficiently combines the requests of DOC and DON. Further, we give a concrete operation of FECAC from query authorization scheme to execute data querying based on capabilities. Finally, we demonstrate the improved and more stable evaluation efficiency of FECAC compared to existing schemes.","PeriodicalId":54347,"journal":{"name":"IEEE Internet of Things Journal","volume":"12 7","pages":"8669-8684"},"PeriodicalIF":8.9000,"publicationDate":"2024-11-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Internet of Things Journal","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10763520/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

In enterprize-scale Internet of Things, users need to query data by accessing the resource-constrained smart nodes. Such queries typically include data from one node (DON), and data from one catalog of multiple nodes (DOC). Traditional access control mechanisms often prove inadequate due to the lack of efficient policy management. Their authorization time for queries is linear with respect to the number of access control rules in the policy, which greatly impedes access granularity, efficiency, and scale. To address this issue, we propose FECAC, a fine-grained and efficient capability-based access control mechanism for DON and DOC access queries. Specifically, FECAC builds a policy matching tree structure by translating the rule into matching properties in the tree node, which avoids authorizing queries by traversing the entire rule collection. We then introduce an authorization scheme to match the elements of access requests in a top-down manner, and check the rules with the internal properties of the data queries sublinearly, which efficiently combines the requests of DOC and DON. Further, we give a concrete operation of FECAC from query authorization scheme to execute data querying based on capabilities. Finally, we demonstrate the improved and more stable evaluation efficiency of FECAC compared to existing schemes.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

FECAC：面向企业级物联网系统的基于能力的精细高效访问控制

在企业级物联网中，用户需要通过访问资源受限的智能节点来查询数据。此类查询通常包括来自一个节点（DON）的数据和来自多个节点的一个目录（DOC）的数据。由于缺乏有效的策略管理，传统的访问控制机制往往被证明是不够的。它们对查询的授权时间与策略中的访问控制规则的数量成线性关系，这极大地阻碍了访问粒度、效率和规模。为了解决这个问题，我们提出了FECAC，这是一种针对DON和DOC访问查询的细粒度和高效的基于能力的访问控制机制。具体来说，FECAC通过将规则转换为树节点中的匹配属性来构建策略匹配树结构，从而避免了通过遍历整个规则集合来授权查询。然后，我们引入了一种自顶向下匹配访问请求元素的授权方案，并根据数据查询的内部属性对规则进行亚线性检查，有效地将DOC和DON请求结合起来。在此基础上，给出了FECAC从查询授权方案到基于能力执行数据查询的具体操作。最后，我们证明了与现有方案相比，FECAC的评估效率得到了改进，并且更加稳定。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Internet of Things Journal Computer Science-Information Systems

CiteScore

17.60

自引率

13.20%

发文量

1982

期刊介绍： The EEE Internet of Things (IoT) Journal publishes articles and review articles covering various aspects of IoT, including IoT system architecture, IoT enabling technologies, IoT communication and networking protocols such as network coding, and IoT services and applications. Topics encompass IoT's impacts on sensor technologies, big data management, and future internet design for applications like smart cities and smart homes. Fields of interest include IoT architecture such as things-centric, data-centric, service-oriented IoT architecture; IoT enabling technologies and systematic integration such as sensor technologies, big sensor data management, and future Internet design for IoT; IoT services, applications, and test-beds such as IoT service middleware, IoT application programming interface (API), IoT application design, and IoT trials/experiments; IoT standardization activities and technology development in different standard development organizations (SDO) such as IEEE, IETF, ITU, 3GPP, ETSI, etc.