Authentication and Authorization for Interoperable IoT Architectures

Advances in technology have enabled the creation of “smart” Things, fostering the vision of the Internet of Things (IoT). Smart Things have connection capabilities, they support Internet protocols and they even come with operating systems and Application Programming Interfaces. The pursuit for a protocol stack that will support the IoT has resulted, so far, in an ecosystem of heterogeneous and non-compatible solutions that satisfy the requirements of particular vertical sectors (“silos”). For this reason, several research initiatives, driven by both academia and industry, investigate the potential of an interoperable IoT architecture, i.e., an architecture that will provide a common and horizontal communication abstraction, which will act as interconnection layer among all prominent IoT protocols and systems. Securing such an architecture, which includes many stakeholders with diverse interests and security requirements, is not a trivial task. In this paper, we present an authentication and authorization solution that facilitates the interoperability of existing IoT systems. This solution achieves endpoint authentication, encryption key establishment, and enables third parties to define fine-grained, domain-specific access control policies. Things store minimal information, perform only ultra-lightweight computations, and are oblivious about the business logic and processes involved in the authentication and authorization procedures. Furthermore, the proposed solution preserves end-user privacy and can be easily incorporated into existing systems.