iot-abe

Attribute-based encryption and access control for the IoT.

About

More and more electronic devices find their way into our everyday lives, for instance the coffee machine that automatically orders repair service, the parking lot that detects when it is in use, or the rubbish bin that reports when it is full. These devices are all connected to the Internet and are commonly referred to as the Internet of Things (IoT). Most of the time they process and exchange data without any human intervention, which raises new concerns about the security and privacy of that data.

The security and privacy problems of IoT systems are all the more pressing in light of the incidents the IoT has already witnessed. The core problem is that the IoT introduces technical challenges that are hard to resolve with traditional approaches. Factors that contribute to this are:

  • heterogeneity: The decentralized and highly heterogeneous nature of the IoT makes it difficult to centralize components such as authentication and authorization systems. This suggests using a decentralized system, such as a Blockchain, to handle both authentication and access control for the IoT.
  • credibility: Not only access control to the data but also the integrity of the data sent by an IoT device has to be ensured.
  • harmonization: IoT standards and protocols are only emerging slowly, possibly because the industry is moving faster than research in this area.
  • large volumes of data: IoT devices already produce a substantial amount of data, and this is expected to grow in the next few years. Fully centralized approaches will most probably reach their scaling limit soon and introduce single points of failure. On the other hand, purely decentralized approaches that try to store the data produced by the devices on a Blockchain (such as IOTA) might soon reach their maximum capacity as well.
  • constrained resources: IoT devices are usually resource constrained, which prevents them from executing computationally intensive tasks.

To overcome the issues above, as well as the fact that traditional access control models are hard to manage at scale, we propose using the relatively new attribute-based access control model, in which a user can decrypt data only if they hold a set of attributes that satisfies the policy attached to the data. We introduce a new scheme for access control that uses several smart contracts on the Ethereum platform to facilitate attribute-based encryption (ABE).

Components

  • Wrapper for the C library libbswabe
  • Wallet management
  • ABE Workflow
  • IoT Server
  • IoT Client

Development

Environment

Install the following components on your system. Note that the libbswabe and cpabe archives below are fetched over plain HTTP with no integrity check, so compare them against checksums from a trusted source before building:

  • PBC Crypto Library

    sudo apt-get install flex bison
    cd output
    wget https://crypto.stanford.edu/pbc/files/pbc-0.5.14.tar.gz -O ./pbc-0.5.14.tar.gz
    tar -zxvf pbc-0.5.14.tar.gz
    cd pbc-0.5.14/
    ./configure
    make
    sudo make install
    cd ..
    wget http://hms.isi.jhu.edu/acsc/cpabe/libbswabe-0.9.tar.gz -O ./libbswabe-0.9.tar.gz
    tar -zxvf libbswabe-0.9.tar.gz
    cd libbswabe-0.9
    ./configure
    make
    sudo make install
    cd ..
    wget http://hms.isi.jhu.edu/acsc/cpabe/cpabe-0.11.tar.gz -O ./cpabe-0.11.tar.gz
    tar -zxvf cpabe-0.11.tar.gz
    cd cpabe-0.11
    ./configure
    # add -lgmp to the linker command, and fix policy_lang.y by changing line 67 to: result: policy { final_policy = $1; }
    make
    sudo make install
    

To install all required development tools run:

make setup

Then create your configuration file:

cp config.yml.dist config.yml

Create an Etherscan API key and add it to config.yml. Replace the node URLs in config.yml with the URLs of your own Ethereum nodes.

Build

make install
make build

Debugging

go-delve does not support input from stdin when used from VS Code, so a remote debug session has to be launched instead. Change the cmd flags in .vscode/tasks.json if needed.

Press Ctrl + Shift + B to build, then press F5 (with "Go Remote Debug" selected).

Caveats

Raspberry Pi Integration

Setup:

  • install Raspberry NOOBS as detailed here
  • connect the Raspberry Pi to your local WiFi
  • run sudo raspi-config > Interfacing Options > SSH to enable the SSH interface
  • connect via SSH: ssh pi@192.168.1.54
  • sudo apt-get install vim
  • curl -fsSL get.docker.com -o get-docker.sh && sh get-docker.sh
  • sudo gpasswd -a $USER docker (members of the docker group can obtain root on the host, so only add accounts that should have that level of access)
  • newgrp docker
  • docker run hello-world
  • plug in the camera
  • enable the camera interface: sudo raspi-config > Interfacing Options > Camera
  • raspistill -w 1600 -h 1200 --timeout 1 --brightness 50 --quality 90 --hflip null -o ~/capture.jpg

CLI

iot-abe has a CLI for interacting with the different components:

make build && ./output/iot-abe

iot-abe - attribute-based access control for the IoT.

Usage:
  iot-abe [command]

Available Commands:
  client      Retrieves encrypted data from an iot device server and decrypts it (if possible)
  devices     Manages IoT devices
  grant       Manages access rights
  help        Help about any command
  request     Manages access right requests
  server      Starts an iot device server
  version     Print the version number of iot-abe
  wallet      Manages eth wallets

Flags:
  -c, --config.path string   config path (default "./config.yml")
  -h, --help                 help for iot-abe

Use "iot-abe [command] --help" for more information about a command.

Examples

# list wallets
./output/iot-abe wallet list

# transfer Ether between accounts
./output/iot-abe wallet transfer --from 0x20683Db6E6d7ff53b62BCD6F723f74eC94dC410e --to 0x1e52b030261C4890A6aCe85Ed48CaE5f459525A0 --amount 0.01

# initialize ABE system for data owner
./output/iot-abe grant init --from 0xBB79396384ed533476b9D2Edf6c25797Ab3eD2cD

# watch access requests
./output/iot-abe grant watch-requests --contract=0x7bF73B9dFA1d9A520de1Bd4BB829d4Dc602b4567

# request access for data user
./output/iot-abe request access --contract 0x7bF73B9dFA1d9A520de1Bd4BB829d4Dc602b4567 --for 0xa9a0E7C567f5fE4f9C7f684b3398FD74041385BF

# get all access requests
./output/iot-abe grant get-requests --contract 0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# watch access grants
./output/iot-abe request watch-grants --contract 0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# grant specified attributes for a data user by a data owner
./output/iot-abe grant access --for=0x1e52b030261C4890A6aCe85Ed48CaE5f459525A0 --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e --owner=0x20683Db6E6d7ff53b62BCD6F723f74eC94dC410e --attributes="admin,ceo,it_staff"

# get an access grant for a data user
./output/iot-abe request get-grant --for 0x1e52b030261C4890A6aCe85Ed48CaE5f459525A0 --contract 0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# watch device policy changes
./output/iot-abe devices watch-policy-updated --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# set a device policy
./output/iot-abe devices add --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e --owner=0x20683Db6E6d7ff53b62BCD6F723f74eC94dC410e --device=0xE1097bAAA914277A8E2AefE464f8E29557e5f046 --name="Camera A" --policy="(admin & it_departement)"

# get device policy for device
./output/iot-abe devices get --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e --device=0xE1097bAAA914277A8E2AefE464f8E29557e5f046

# get all device policies
./output/iot-abe devices get-all --contract 0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# watch device policy removals
./output/iot-abe devices watch-policy-removed --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e

# remove a device policy
./output/iot-abe devices remove --contract=0xC695C023d4A2FfB1C98e0d609A7Ff02e858AF09e --device=0xE1097bAAA914277A8E2AefE464f8E29557e5f046 --owner=0x20683Db6E6d7ff53b62BCD6F723f74eC94dC410e

# start an iot-abe device server
./output/iot-abe server

# start an iot-abe client
./output/iot-abe client serve --server http://192.168.1.54:8080
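In CP-ABE the access check is enforced by the cryptography itself: decryption of data only succeeds if the attributes in the user's key satisfy the policy attached to the ciphertext, which is why the client above decrypts "if possible". The following evaluator makes that condition explicit for the boolean subset of the cpabe policy language that the examples use (attribute names, `&`, `|` and parentheses), so the expected outcome of a grant/policy pair can be checked before issuing on-chain transactions. It is an added example, not part of the iot-abe project, and it does not handle the threshold gates ("k of (...)") that the real cpabe language also supports. Run on the README's own values it shows that the attribute set "admin,ceo,it_staff" from the grant example does not satisfy the "(admin & it_departement)" policy from the devices add example, because it_departement is missing.

```go
package main

import (
	"fmt"
	"strings"
)

// parser walks the token stream of one policy expression.
type parser struct {
	toks []string
	pos  int
}

// tokenize splits "(admin & it_departement)" into attribute names and the
// operator tokens "(", ")", "&" and "|".
func tokenize(policy string) []string {
	r := strings.NewReplacer("(", " ( ", ")", " ) ", "&", " & ", "|", " | ")
	return strings.Fields(r.Replace(policy))
}

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return "" // end of input
}

func (p *parser) next() string {
	tok := p.peek()
	p.pos++
	return tok
}

// expr := term ('|' term)*      ('&' binds tighter than '|')
func (p *parser) expr(attrs map[string]bool) (bool, error) {
	v, err := p.term(attrs)
	for err == nil && p.peek() == "|" {
		p.next()
		var r bool
		r, err = p.term(attrs)
		v = v || r
	}
	return v, err
}

// term := factor ('&' factor)*
func (p *parser) term(attrs map[string]bool) (bool, error) {
	v, err := p.factor(attrs)
	for err == nil && p.peek() == "&" {
		p.next()
		var r bool
		r, err = p.factor(attrs)
		v = v && r
	}
	return v, err
}

// factor := '(' expr ')' | ATTRIBUTE
func (p *parser) factor(attrs map[string]bool) (bool, error) {
	switch tok := p.next(); tok {
	case "(":
		v, err := p.expr(attrs)
		if err == nil && p.next() != ")" {
			err = fmt.Errorf("policy: missing ')'")
		}
		return v, err
	case "", ")", "&", "|":
		return false, fmt.Errorf("policy: unexpected token %q", tok)
	default:
		return attrs[tok], nil // an attribute the user does not hold is simply false
	}
}

// Satisfies reports whether a comma-separated attribute list (the format of
// `grant access --attributes`) satisfies a policy (the format of
// `devices add --policy`). A malformed policy yields an error and never true.
func Satisfies(policy, attributes string) (bool, error) {
	attrs := make(map[string]bool)
	for _, a := range strings.Split(attributes, ",") {
		if a = strings.TrimSpace(a); a != "" {
			attrs[a] = true
		}
	}
	p := &parser{toks: tokenize(policy)}
	v, err := p.expr(attrs)
	if err == nil && p.pos != len(p.toks) {
		err = fmt.Errorf("policy: trailing token %q", p.peek())
	}
	return v && err == nil, err
}

func main() {
	// Constructed inputs: the policy and attribute strings from the README examples.
	for _, attrs := range []string{"admin,ceo,it_staff", "admin,it_departement"} {
		ok, err := Satisfies("(admin & it_departement)", attrs)
		fmt.Printf("attributes %q -> satisfied=%v err=%v\n", attrs, ok, err)
	}
}
```

The parser is a small recursive-descent one with `&` binding tighter than `|`, so "ceo | admin & it_departement" is read as "ceo | (admin & it_departement)"; a policy with unbalanced parentheses or a stray token is rejected with an error rather than silently evaluated, which is the behaviour you want from anything that gates access decisions.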
