Sage Journals: Discover world-class research

Abstract

Blockchain as a new technique has attracted attentions from industry and academics for sharing data across organizations. Many blockchain-based data sharing applications, such as Internet of Things devices management, need privacy-preserving access services over encrypted data with dual capabilities. On one hand, they need to keep the sensitive data private such that others cannot trace and infer sensitive data stored in the block. On the other hand, they need to support fine-grained access control both from time and users’ attributes. However, to the best of our knowledge, no blockchain systems can support time-bound and attributes-based access with high efficiency. In this article, we propose a privacy-preserving Internet of Things devices management scheme based on blockchain, which provides efficient time-bound and attribute-based access and supports key automatic revocation. The analysis and experiments show that our scheme is quite efficient and deployable.

Keywords

Blockchain attribute-based encryption time-bound key management Internet of Things device management

Introduction

The blockchain technology was first described in a 2008 paper titled “Bitcoin: A peer-to-peer electronic cash system.”¹ Blockchain, as the core technology of cryptocurrencies such as Bitcoin and Ethereum, can effectively solve the problem of the Byzantine and dual payments of digital currency. The trust of traditional society is based on trusted third parties, such as banks. Therefore, it is very difficult to directly establish trust between two strange entities without a third-party center. The blockchain can solve the problem of establishing trust among the decentralized system nodes through the verification and consensus mechanism.

Blockchain can not only be applied to the financial field but also be served as an innovative technology framework to establish a distributed and peer-to-peer trust relationship in many fields, such as healthcare, education and logistics. In this article, we focus on the blockchain applications in the Internet of Things (IoT) network to realize device management across organizations.

However, in order to achieve security and privacy-preserving IoT device management, there are still many problems to be solved. Transaction information in the blockchain is publicly stored in the ledger and anyone can see all the transaction information. Although plaintext storage facilitates public verification of transactions, this results in the disclosure of user’s account information. A simple way to address this problem is to encrypt the data stored in the block. But when the data on the blockchain are stored in ciphertext, how to realize the fine-grained access control of data becomes a tough problem.

In this article, we combine attribute-based encryption (ABE) and time-bound key management techniques to achieve privacy-preserving IoT device management–based blockchain.

Contribution

This article presents a scheme of privacy-preserving IoT device management based on blockchain. The scheme uses blockchain technology to achieve the management of IoT devices across organizations. We also combine ABE and time-bound key management to provide fine-grained access control over encrypted data and key automatic revocation. To the best of our knowledge, our scheme is the first blockchain system able to support time-bound and attributes-based access with high efficiency:

First, it achieves the sharing of devices information between multiple organizations and systems. This article takes advantages of the blockchain to make the stored data non-tampered, unforgeable and verifiable.

Second, ABE algorithm can not only protect the confidentiality of data but also provide fine-grained access to data according to the user’s roles and attributes. Another advantage of adopting ABE in the blockchain is that it can loose coupling between user identity information and key pairs, so that user’s identity information can be prevented from being leaked.

Third, our scheme adopts a time-bound key management mechanism to achieve the automatic revocation of user attributes and keys. Specifically, the hash algorithm is used to calculate the time values in different time slices and the key of the current time slice is combined and calculated with the encryption algorithm, so that a user cannot decrypt the data with an expired key.

Finally, we analytically and experimentally show that our scheme not only offers strong security but is also practical and deployable for sharing over encrypted data in the IoT environment.

Organization

The rest of the article is organized as follows. In section “Related work,” we describe the related work of blockchain-based access control technology. Section “Preliminaries” describes the basic principles of several key technologies that need to be used in this article. In section “System model,” we introduce the basic model of the privacy-preserving IoT device management based on blockchain. In section “The scheme,” we introduce the details of the execution of each phase of the system. Section “Security analysis” gives the detailed security analysis from four aspects. Section “Evaluation” provides the experimental evaluation of our scheme. In section “Conclusion,” we conclude the work.

Related work

Blockchain-based access control technology mainly includes transaction-based policy management and access control based on smart contract.

Maesa et al.² explored the feasibility of creating, managing, and enforcing access control policies using blockchain-based transactions and implemented it on the Bitcoin platform. This method extends the standard workflow based on the attribute-based access control (ABAC) model,³ replaces the traditional relational database access control policy with the blockchain, and implements access control policy management by the form of transaction. Since the blockchain is a general ledger system that can only increase data, Maesa implemented the update and revoke of policies by spending policy creation transaction (PCT) output that used to update or revoke policy to form a new PCT, then form a transaction chain to the corresponding policies, and realize the full cycle management of policies. The transfer of policies and permissions is kept in a publicly visible blockchain, enabling distributed, non-tamperable log audit function.

Zyskind’s⁴ mechanism implements fine-grained authority management for mobile applications. Each user and service in the blockchain corresponds to a public key address as the identity credential, and the public key (resource owner) and service public key (resource requester) manage the authority together in the form of federation identity. This method expands the connotation of “transaction” in blockchain and realizes access control through “transaction.”

The FairAccess mechanism^5–8 stores policies as blockchain transactions in the form of (resource, requester), introduces the concept of wallet in Bitcoin, and installs their own wallet for different IoT devices. The wallet functions as an access control agent. Authority management is performed by sending an authorization token to the authorized access requester account. The authorization token can effectively reduce the overhead of processing access control information of the IoT device with limited computing resources and verify the authorization only by verifying the transaction signature. Like the unspent transaction output (UTXO) mechanism used for Bitcoin, FairAccess uses authorization tokens to represent the UTXO. It implements authorized, obtain authorization, and delegate authorization through three transaction types: GrantAccess Transaction, GetAccess Transaction, and DelegateAccess Transaction. The revocation of authority is controlled by the token’s timestamp and expiration time, and when the token expires, the authority recorded by the token is revoked. Thus, realizing the user-driven transparent access control mechanism.

Dorri et al.⁹ made use of smart home as a background to propose lightweight solutions based on private chains. Through the center miner digestion proof of work (PoW) mechanism to reduce block chain maintenance costs, the introduction of storage, access, monitoring, generating equipment, deleting equipment, and other types of transactions are given. At the same time, the scheme extends the traditional blockchain protocol and the policy header storage policy list is added to authorize the device and execute the access control policy.

Managing access control policies or permissions with transactions can effectively protect user resources and enable user-driven, open, and transparent access to resources. Combining the blockchain with the current mainstream access control model can improve compatibility and easy implementation. However, since the current mainstream blockchain consensus mechanism is based on computational power, the computational cost of running the blockchain separately to provide access control services is higher. In addition, block generation takes more time, making implementation of real-time policy updates difficult.

Smart contracts¹⁰ are scripts that can be run automatically on the blockchain. Nick Szabo first proposed the concept of a smart contract in 1994, defining it as a “transactional agreement that executes the terms of a contract via a computer,” that means automatically executing the contract through a code program.¹¹ Although the concept of smart contracts has long been proposed, but until the publish of the Ethereum platform, it provides the basis for the rapid development of smart contracts. Due to the automatic enforcement of smart contracts, some studies use smart contracts to control access to resources.

The MedRec framework^12,13 is the most representative of access control for medical data based on the use of smart contracts in the Ethernet platform. The framework combines smart contract and access control to achieve automatic rights management and realizes the integration and authority management of distributed medical data of different medical institutions. It has the advantage of achieving the decentralized integration of the medical data based on the blockchain technology and makes the medical data controlled by the patients themselves. According to the contract, the medical institution cannot privately use the patient’s medical data without the consent of the patient. This effectively protects patient privacy data. However, the MedRec framework uses the PoW consensus mechanism, so the computational overhead required to maintain blockchain consistency is too large. Based on this, the medical data sharing model framework¹⁴ innovates the consensus mechanism, uses the delegated proof-of-stake (DPoS) consensus mechanism to alleviate the computation pressure of nodes, effectively improves the data sharing efficiency, but it also has the shortcomings of the limited data storage capacity. Document¹⁵ improves FairAccess mechanism based on smart contract and combines access control with reinforcement learning to dynamically optimize the self-adaptive policy. Document^16,17 introduces trusted hardware to provide cryptographic protection for smart contracts.

In summary, the blockchain access control has the following advantages: (1) the policies are posted on the blockchain, so it is visible to all the users, and it can avoid the third-party ultra vires; (2) it can easily realize the transfer of access rights without the need for the involvement of resource owners and make the authority management more flexible; (3) access authority can be defined and posted to the blockchain by the resource owner through the transaction. Users have the right to manage resources and it is easy to audit at the same time; and (4) it can achieve the automated access control protection of resources based on smart contracts.

However, there are also some problems to be solved: (1) the access control policy and authority is not easy to update because the blockchain transactions cannot be revoked; (2) the block capacity is limited and a single transaction cannot store large-scale data, so the application is limited; (3) all the transaction information of the policy and authority stored in the blockchain is easily exploited by attackers and poses a security risk. There is a need for effective ways to protect transaction information; and (4) the blockchain transaction confirmation takes time, so it is unable to respond to real-time requests.

ABE is a public-key encryption algorithm in which user keys or ciphertexts are related to attributes. In this cryptosystem, the ciphertext can only be decrypted if the attributes corresponding to the user key satisfy the attributes corresponding to the ciphertext. The concept of ABE was first proposed by Sahai and Waters,¹⁸ and it was further defined by Goyal et al.¹⁹ There are two main types of ABE schemes: key-policy attribute-based encryption (KP-ABE)¹⁹ and ciphertext-policy attribute-based encryption (CP-ABE).²⁰ In KP-ABE, user keys are generated based on a predefined access control tree and ciphertext is associated with a set of attributes. In CP-ABE, the access tree is used to encrypt data, and the user key is associated with the attribute set. ABE can provide fine-grained access and can protect the user’s identity information by the attributes. However, it is difficult to revoke user’s attributes in ABE. In this article, we implement automatic revocation of user attributes and keys using time-bound key management mechanism to solve this problem.

In October 2017, Rahulamathavan et al.²¹ proposed a scheme that combines ABE with blockchain technology and applied it to privacy protection on the IoT ecosystem. Four types of parties are defined in their scheme: cluster head, blockchain miners, attribute authorities, and distributed ledger. The cluster head uses the ABE scheme to encrypt data so that users with specific attributes can access the data, and attribute authorities issue credentials for miners and users. But in ABE scheme, the automatic revocation of user attributes and keys is still a problem to be solved.

In this article, we use the ABE scheme in the IoT device management blockchain to achieve fine-grained access control. At the same time, we use the time-based key management mechanism to automatically recover the user’s attribute key, which solves the key management problem existing in the ABE solution.

Preliminaries

In this part, we simply explain the cryptographic tools used in our constructions.

ABE

In our scenario, we add the time-bound key management mechanism to the basic CP-ABE solution. The CP-ABE solution was proposed by Bethencourt et al. In their scheme, they first define the Access Tree $T$ to represent the access control structure. Each leaf node x is described by an attribute and each non-leaf node is a threshold gate.

In the setup phase, the algorithm output the public parameters PK and a master key MK. First, it chooses a bilinear group $G_{0}$ of prime order p, and its generator is g. Next, it randomly choose two exponents $α$ and $β$ in $Z_{p}$ . Then publish the following

$PK = G_{0}, g, h = g^{β}, e {(g, g)}^{α}$

and the master key MK is $(β, g^{α})$ .

In the Encrypt phase, input PK, massage M, and access tree $T$ ; let Y be the set of leaf nodes and R the root node. The ciphertext is computed by

$\begin{matrix} CT = (T, \tilde{C} = Me (g, g)^{α s}, C = h^{s}, \forall y \in Y : C_{y} \\ = g^{q_{y}} (0), {C'}_{y} = H_{1} (att (y {))}^{q_{y}} (0)) \end{matrix}$

where s randomly chooses $Z_{p}$ and $q_{R} (0) = s$ . For any other node x, $q_{x} (0) = q_{parent (x)} (index (x))$ . $H_{1}$ is the hash function used in ABE.

To generate the key, the input of the KeyGen algorithm is a set of attributes S. First, it chooses a random $r \in Z_{p}$ and random $r_{j} \in Z_{p}$ for each attribute $j \in S$ . Then computes

$S K = (D = g^{(α + r) / β}, \forall j \in S : D_{j} = g^{r} \cdot H_{1} {(j)}^{r_{j}}, {D^{'}}_{j} = g^{r_{j}})$

At the time of decryption, the algorithm Decrypt input the ciphertext CT, a private key SK associated with attribute set S, and a node x from access tree $T$ . Let $i = att (x)$ if the node x is a leaf node. If $i \in S$ , then

$\begin{array}{l} D e c r y p t N o d e (C T, S K, x) = \frac{e (D_{i}, C_{x})}{e ({D^{'}}_{i} {C^{'}}_{x},)} \\ = \frac{e (g^{r} \cdot H_{1} {(i)}^{r_{i}}, g^{q_{x} (0)})}{e (g^{r_{i}}, H_{1} {(i)}^{q_{x} (0)})} \\ = e {(g, g)}^{r q_{x} (0)} \end{array}$

If $i \notin S$ , $DecryptNode (CT, SK, x) = ⊥$ .

Attribute-based cryptography can automatically achieve fine-grained access control through the cryptographic algorithm and protect the user’s identity information at the same time. These two features make attribute-based cryptography meet the requirement of access control of blockchain data.

Time-bound key management

Although ABE algorithm has the advantages of access control and user identity information protection, user attribute and key revocation is always a difficult problem to be solved based on attribute encryption algorithm. Therefore, our scheme combines the key management and access control mechanism, controls user key generation from time dimension based on time characteristics, and achieves fine-grained access control and user attribute key automatic revocation.

Bertino et al.²² recently proposed a typical scheme of time-bound key management based on elliptic curve cryptography. In this scheme, define K_{i, t} as the secret key for C_i at the time granule $t \in [0, z]$ , where C_i is the partially ordered classes of the data source. K_{i, t} is calculated as

$K_{i, t} = H_{K} ({(K_{i})}_{Y} \oplus H_{2}^{t} (a) \oplus H_{2}^{z - t} (b) \oplus CI D_{i})$

where K denotes the system’s master key, K_i is the class key for class C_i, $(K_{i})_{Y}$ which is the Y-coordinate of point K_i, ⊕ is the bitwise XOR, $H_{2}$ is the hash function used in time-bound key management, $H_{2}^{t} (a)$ is $H_{2} (H_{2}^{t - 1} (a))$ which is the iteration of the hash function, and CID_i is the public identity of C_i.

A user can compute $H_{2}^{t} (a)$ and $H_{2}^{z - t} (b)$ at the time granule $t \in [t_{b}, t_{e}]$

$H_{2}^{t} (a) = H_{2}^{t - t_{b}} (H_{2}^{t_{b}} (a)), H_{2}^{z - t} (b) = H_{2}^{t_{e} - t} (H_{2}^{z - t_{e}} (b))$

and the user knows $H_{K}$ , $H_{2}^{t_{b}} (a)$ , $H_{2}^{z - t_{e}} (b)$ , and $CI D_{i}$ .

In our system, this time-bound key management mechanism will be used to make up for the difficulty of attribute revocation in attribute encryption and achieve fine-grained access control on the time dimension.

Practical Byzantine fault tolerance

This algorithm was proposed by Castro and Liskov²³ in 1999. It solves the problem of inefficiency of the original Byzantine fault tolerant algorithm, making the Byzantine fault tolerant algorithm feasible in practical system application.

Practical Byzantine fault tolerance (PBFT) is a state machine replication algorithm, that is, the service is modeled as a state machine and the state machine replicates replicas at different nodes in the distributed system. Replicas of each state machine save the state of service and also achieve the operation of the service.

The collection of all replicates is denoted by the letter U and each replicate is represented by an integer from 0 to $| U | - 1$ . Assume that $| U | = 3 f + 1$ ,| where f is the maximum number of replicates that may fail.

First, a master node (primary) is elected from all the nodes. The primary is responsible for generating the new block. Other nodes are backups. The main node is calculated by the formula $p = v \mod | U |$ , where v is the view number, p is the replicate number, and $| U |$ is the number of replicate sets.

The algorithm is then divided into three stages: pre-prepare, prepare, and commit. In the pre-prepare phase, the primary assigns a sequence number n to the received request, and then sends a pre-prepare message to all the backup nodes

$〈〈 PRE - PREPARE, v, n, d 〉, m 〉$

where m is the request message send by the client and d is the hash value of m.

During the prepare phase, the node i sends a prepare message

$〈 PREPARE, v, n, d, i 〉$

to all the replica nodes and writes the pre-prepare and prepare messages to its own message log.

If 2f nodes’ message received by one node has the same hash value as themselves, replicate i broadcasts

$〈 COMMIT, v, n, D (m), i 〉$

to other replica nodes, and each replicate accepts the commit message when the signature is correct, the view number of the message is the same as the current view number of the node, and the sequence number of the message is between h and H.

Finally, if a node receives 2f + 1 commit message, it submits the new block and its transaction to the local blockchain and database.

Elliptic curve digital signature algorithm

Elliptic curve digital signature algorithm (ECDSA)²⁴ is a simulation of digital signature algorithm (DSA) using elliptic curve cryptography (ECC). ECDSA became ANSI standard in 1999 and became the IEEE and NIST standards in 2000. It was accepted by the ISO in 1998 and some of the other standards that include it are also under ISO’s consideration. Unlike the discrete logarithm problem (DLP) and the integer factorization problem (IFP), the elliptic curve discrete logarithm problem (ECDLP) has no solution to the sub-exponential time. Therefore, the unit bit strength of ECC is higher than that of other public key systems.

This algorithm randomly chooses an odd prime p and defines an elliptic curve E over $F_{p}$ . G is the base point of the elliptic curve E, and q is the order of G. a, b is the coefficient of elliptic curve E, h is a unidirectional safe hash function, and n is a large prime. The key pair is generated based on the set of elliptic curve domain parameters $D = (q, FR, a, b, G, n, h)$ where FR is a valid representation for $F_{q}$ . Randomly select an integer d in the interval $[1, n - 1]$ . Then compute $Q = dG$ , where Q is the verification key and d is the signature key.

In the signature stage, choose a random integer $k \in [1, n - 1]$ , compute $kG = (x_{1}, y_{1})$ and $r = x_{1} \mod n$ , if r = 0, go to the first step. Then compute $k^{- 1} \mod n$ , $s = k^{- 1} (h (m) + dr) \mod n$ , if s = 0, go to the first step. The signature for the message m is $(r, s)$ .

In the verification stage, first verify that r and s are integers in the interval $[1, n - 1]$ . First compute $w = s^{- 1} \mod n$ and $h (m)$ , then compute $u_{1} = h (m) w m o d n$ and $u_{2} = rw \mod n$ . Let $u_{1} G + u_{2} Q = (x_{0}, y_{0})$ and $v = x_{0} \mod n$ . Accept the signature if and only if $v = r$ .

System model

In this section, we will introduce the basic model of the privacy-preserving IoT device management based on blockchain, including the various components of the model.

Attribute-based blockchain

In this section, we will describe the basic attribute-based blockchain model, which includes the block structure, nodes and their attributes, and different block type.

Block structure

The block in our model is divided into two parts: the block header and the main block. In the Bitcoin system, the block header is made up of a version number, a previous block hash, a current block hash, timestamp, nonce, and so on. The main block consists of a series of transactions.

Analogously, the attribute-based blockchain in our scheme has a current block hash, a previous block hash, a timestamp, and a signature in its block header.

In the main block, it stores some information about the IoT device, such as the device identifier, the location, and the user of this device. Some blocks will also store access control policies, and will be discussed later.

Nodes and attributes

In this model, every node has its own identity and a series of attributes. The encrypted information is identified by a set of attributes, which contains n attributes. The private key of a user is also identified by a set of attributes, which contains m attributes. When decrypting, the scheme intersects the private key attribute set and the ciphertext attribute set. If the number of attribute intersection elements is greater than or equal to a threshold, it can be decrypted successfully. A node that writes data to a block can control the node that can decrypt the data by attributes.

However, we also add the time granule in our scheme. That means every user in the system has his or her own time granule t in a time range; only in this time range, the user can decrypt the message. Otherwise, the user will not be able to decrypt the information.

There are two kinds of nodes in our scheme: primary node and backup node. Primary node is responsible for generating new blocks and putting transactions collected from the network into new blocks. Backup node can create a new transaction and read transaction information in the block if he or she has the appropriate attributes to decrypt the data.

Block types

In the privacy-preserving IoT device management blockchain, there are three different types of blocks: new transaction block (NTB), device maintenance block (DMtB), and device management block (DMgB).

When a new IoT device is traded, an NTB is generated. This kind of block stores transaction information (including transaction date, vendor information, device model, device type, and contract), the unique device identifier, storage location, owner, user, device status, manufacturer information, hardware information (version number), and software information (version number).

A DMtB will be generated when an IoT device needs maintenance. It contains the unique device identifier and some maintenance data such as hardware information (version number), software information (version number), maintenance person, and maintenance date.

The last type of block is DMgB. It stores access control policies for each type of block and other security policies. Because in the access control scheme, using attribute encryption, the user needs to repeatedly try whether his or her attributes can decrypt the current data, which makes decryption inefficient. But in this scheme, users can improve the decryption efficiency by checking the access control policies on the DMgB.

Each block contains more than one transaction, and one transaction stores the information of one device. The information stored in the blocks is stored in the form of ciphertext using ABE, in which the transactions in the DMgB that hold access control policies are decrypted by all users in the system.

Roles

There are different roles in the privacy-preserving IoT device management scheme, as described in Figure 1.

Figure 1.

Roles in IoT device management blockchain.

Manufacturer

The manufacturer produces the IoT device and trades the device to the purchaser. The manufacturer also needs to maintain the equipment. And in this scheme, the manufacturer can write message to the NTB and the DMtB.

Seller

The seller can also trade the IoT device to the purchaser and add new message to the NTB.

Purchaser

Purchaser can purchase IoT devices directly from the manufacturer or purchase device from a seller. A purchaser can only write message to the NTB.

Administrator

The administrator manages IoT devices and the system’s access control policies. An administrator can add message to the DMgB.

Authority agency

When users want to join the privacy-preserving IoT device management system, they need to apply to the authority agency (manufacturers, sellers, purchasers, and administrators are all users). When the user applies to the authority agency, the authority agency needs to verify the user’s identity and then distribute the public parameters PK and a master key MK to the user. The authority agency also distributes the attributes of the user to them. Those information is included in a certificate signed by the authority agency. After that, users will not need the authority agency to participate in accessing data in the blockchain.

Data structure

There are three kinds of messages in the privacy-preserving IoT device management scheme: Cert, Transaction, and Block.

Cert

When users apply to join the system, the authority agency will be issued to the user with a Cert. This Cert carries the signature of the authority agency. Cert is generated by the authority agency as follows

$Cert = SI G_{sik} (h_{cert}, C T_{sik | | SK | | nonce}, vk, t_{b}, t_{e}, timestamp)$

where $h_{cert}$ is the hash value of this message; sik is a signature key; SK is a secret key for ABE based on attributes S; $C T_{sik | | SK | | nounce}$ is the ciphertext; vk is a verification key to verify the digital signature; $t_{b}$ and $t_{e}$ are, respectively, the lower and upper bounds of the time the user can decrypt the data in the system; and $σ_{A}$ is the signature of the authority agency.

Transaction

A transaction is an encrypted message which a user wants to write to the block. Its structure is as follows

$Transcation = SI G_{sik} (C T_{message | | nonce}, timestamp)$

where $C T_{message | | nonce}$ is the ciphertext of the message and nonce encrypted using ABE, and SIG is the digital signature of the ciphertext and timestamp with the signature key sik.

Block

A block is a collection of transactions, and the primary nodes are put together into the block. It is as follows

$Block = {{Transaction}_{1}, \dots, {Transaction}_{n}}$

Different types of blocks store its corresponding type of transactions.

The scheme

Our scheme mainly contains five phases: system setup phase, user setup phase, proposal phase, verification phase, and access phase.

System setup phase

System setup phase installs the privacy-preserving IoT device management scheme. It needs a security parameter $λ$ , and then the algorithm will return a public key PK and a master key MK for encrypting message in the ABE.

First, choose a bilinear group $G_{0}$ , its order is a prime p and its generator is g. Randomly choose $α, β \in Z_{p}$ , then the public key is calculated as $PK = (G_{0}, g, h = g^{β}, e (g, g)^{α})$ and the master key MK is $(β, g^{α})$ . After that, the system will choose a set of attributes for all the users.

At the same time, choose two partial order class $C_{i}, C_{j}$ , where the user in $C_{i}$ can access $C_{j}$ , then select an elliptic curve E in $F_{q}$ , and a point Q in E, where q is a large prime.

Algorithm 1. System setup phase
Input: security parameter $λ$ .
Output: the public parameters PK and a master key MK in attribute-based encryption, the system’s initial attribute set S_system, and the parameters in time-bound key management.

User setup phase

The user setup phase is for each user who wants to join the system. They apply to the authority agency, and the authority agency will return them a Cert that includes the parameters they need in the system.

Through this phase, the user can get the key pair for digital signature $Ge n_{sig} (1^{λ}) \to (si k_{sig}, v k_{sig})$ in which $si k_{sig}$ is the signature key and $v k_{sig}$ is the verification key. In this scheme, we use the key generation method in ECDSA algorithm to generate the signature key and the verification key.

The authority agency will give a set of attributes S to the user. Then, the user uses the attribute set S to compute the secret key SK_att for ABE. The user randomly chooses a number $r \in Z_{p}$ , for each attribute $j \in S$ , random $r_{j} \in Z_{p}$ . $H_{1}$ is the hash function used in ABE, and the secret key $S K_{att}$ for ABE is given as follows

$S K_{a t t} = (D = g^{(α + r) / β}, \forall j \in S : D_{j} = g^{r} \cdot H_{1} {(j)}^{r_{j}}, {D^{'}}_{j} = g^{r_{j}})$

In this phase, the authority agency will also give the user a time interval in which the user can access data in blocks, $[t_{b}, t_{e}]$ .

Finally, the authority agency will put this information with a timestamp and the hash value of this message into the Cert, signed with their signature key and issued to the user.

Algorithm 2. User setup phase
Input: the security parameter $λ$ , the public parameters PK and a master key MK in attribute-based encryption, and the system’s initial attribute set S_system.
Output: a user’s certificate signed by the authority agency, Cert, which contains the ciphertext of $S K_{att}$ and sik, the verification key vk, the time interval $[t_{b}, t_{e}]$ , a timestamp, and the hash value of the message.

Proposal phase

In this phase, the system generates new transactions and blocks.

When the backup nodes generate transactions, the user should encrypt the message combined with a nonce with the public key PK, the access tree $T$ , and the time-bound key K_t, so that the user with suitable attributes and time granular can decrypt the message. The publisher of the message can control which users have access to the message by selecting different sets of attributes in the system’s attribute set S_system, and these users only have access to the data for a specific period. The user creates an access tree $T$ with these attributes.

We will choose two different modulo of p, $n_{i}$ , and $g_{i}$ and two integers a and b. Next, calculate $P_{i} = n_{i} Q$ on $E (F_{q})$ , compute $h_{i}$ where $g_{i} h_{i} \equiv 1 (\mod p)$ , $K_{i} = g_{i} P_{i}$ , and points $R_{i, j} = g_{i} K_{j} + (- K_{i})$ . $R_{i, j}$ is published and $P_{i}, n_{i}, g_{i}, h_{i}, a, and b$ are keep secret. The time-bound key $K_{t} = H_{2}^{t} (a) \cdot H_{2}^{Z - t} (b)$ , where $t \in [1, Z]$ , and $H_{1}$ and $H_{2}$ are hash functions used in ABE and time-bound key management, respectively.

Define a polynomial $q_{x}$ for each node x in the access tree $T$ , and let Y be the set of leaf nodes and R is the root node. The ciphertext is computed by

$C T = (Τ, \tilde{C} = M e {(g, g)}^{α s}, C = h^{s \cdot K_{t}}, \forall y \in Y : C_{y} = g^{q_{y} (0)}, {C^{'}}_{y} = H_{1} {(a t t (y))}^{q_{y} (0)})$

where M is the message, s randomly chooses $Z_{p}$ , and $q_{R} (0) = s$ . For any other node x, $q_{x} (0) = q_{parent (x)}$ $(index (x))$ .

The ciphertext will be time stamped and signed by the user who created the transaction with the ECDSA signature generation algorithm. Then, he or she can publish this transaction.

Algorithm 3. Transaction generate
Input: the public parameters PK, the message M and the access tree $T$ , the time $t \in [1, Z]$ , and the signature key $si k_{sig}$ .
Output: a new transaction in the block with its signature $σ$ , Transaction.1. Write a new message;2. Choose a nonce and combine with the message;3. Create an access tree $T$ with some of the attributes in S_system;4. Calculate the time-bound key K_t;5. Use the public key PK, the access tree $T$ , and the time-bound key K_t to encrypt the message with the nonce;6. Add a timestamp;7. Sign the message with $si k_{sig}$ ;8. Return Transaction.

Algorithm 3. Transaction generate

Input: the public parameters PK, the message M and the access tree

T

, the time

t \in [1, Z]

, and the signature key

si k_{sig}

Output: a new transaction in the block with its signature

σ

, Transaction.1. Write a new message;2. Choose a nonce and combine with the message;3. Create an access tree

T

with some of the attributes in S_system;4. Calculate the time-bound key K_t;5. Use the public key PK, the access tree

T

, and the time-bound key K_t to encrypt the message with the nonce;6. Add a timestamp;7. Sign the message with

si k_{sig}

;8. Return Transaction.

At this phase, the primary node may also generate new blocks. The consensus mechanism of this program uses PBFT. When generating a new block, consistency needs to be achieved through PBFT. The new block will have its signature of the primary node. The users in the system submit the new block and its transaction to the local blockchain and database when the protocol is finished.

Verification phase

Our scheme is to encrypt the data in the block first and then sign it. When verifying, all users can verify the integrity of the data, but the users who cannot decrypt the data, do not know the plaintext.

When a user wants to access a transaction in a block, he or she first verifies the block with the verification key of the block generator and then verifies the transaction with the verification key of the user who issued the transaction by the ECDSA signature verification algorithm. If and only if $Ve r_{sig} (v k_{sig_block}, Block) = 1$ and $Ve r_{sig} (v k_{sig_tran}, Transaction) = 1$ , this is a valid transaction, where $v k_{sig_block}$ is the verification key of the block generator and $v k_{sig_tran}$ is the verification key of the transaction generator. Only when the verification is successful, the user performs the data access phase.

Access phase

In access phase, users can access the data if they have attributes that the publisher chooses more than the threshold number and in the time between $t_{b}$ and $t_{e}$ with their secret key SK on attribute set S.

When $t \in [t_{b}, t_{e}]$ , the user can calculate the time-bound key $K_{t}$ by $H_{2}^{t} (a) = H_{2}^{t - t_{b}} (H^{t_{b}} (a))$ and $H_{2}^{Z - t} (b) = H_{2}^{t_{e} - t} (H_{2}^{z - t_{e}} (b))$ . Then, he or she can compute the secret key SK with SK_att in the Cert

$\begin{matrix} SK = (D = g^{(α + r) / β \cdot H_{2}^{t} (a) \cdot H_{2}^{Z - t} (b),} \forall j \in S : D_{j} \\ = g^{r} \cdot H_{1} (j)^{r_{j}}, D'_{j} = g^{r_{j}}) \end{matrix}$

At the time of decryption, the user input the ciphertext CT, the private key SK associated with attribute set S, and a node x from access tree $T$ . Let $i = att (x)$ if the node x is a leaf node. If $i \in S$ ,

$\begin{matrix} DecryptNode (CT, SK, x) = \frac{e (D_{i}, C_{x})}{e ({D'}_{i} {C'}_{x},)} \\ = \frac{e (g^{r} \cdot H_{1} {(i)}^{r_{i}}, g^{q_{x} (0)})}{e (g^{r_{i}}, H_{1} {(i)}^{q_{x} (0)})} \\ = e {(g, g)}^{r q_{x} (0)} \end{matrix}$

If $i \notin S$ , $DecryptNode (CT, SK, x) = ⊥$ .

When x is a non-leaf node, let z be the child node of x, and F_z is the output of $DecryptNode (CT, SK, z)$ . S_x is an arbitrary set of z which sized k_x, and $F_{z} \neq ⊥$ , compute

$\begin{matrix} F_{x} = \underset{z \in S_{x}}{Π} F_{z}^{Δ_{i, S {_{x}^{'}}^{(0)}}} \\ = \underset{z \in S_{x}}{Π} {(e {(g, g)}^{r \cdot q_{z} (0)})}^{Δ_{i, S_{x}^{'}} (0)} \\ = \underset{z \in S_{x}}{Π} {(e {(g, g)}^{r \cdot q_{parent (z)} (index (z))})}^{Δ_{i, S_{x}^{'}} (0)} \\ = \underset{z \in S_{x}}{Π} e {(g, g)}^{r \cdot q_{z} (i) \cdot Δ_{i, S_{x}^{'}} (0)} \\ = e {(g, g)}^{r \cdot q_{x} (0)} \end{matrix}$

where $i = index (z)$ and $S'_{x} = {index (x) : z \in S_{x}}$ .

If the access tree $T$ is satisfied by S, and let R be the root node of $T$ . Let $A = DecryptNode (CT, SK, R) = e (g, g)^{r \cdot q_{R} (0)} = e (g, g)^{rs}$ . Compute

$\begin{matrix} M = \frac{\tilde{C}}{(e (C, D) / A)} \\ = \frac{\tilde{C}}{(e (h^{s \cdot H_{2}^{t} (a) \cdot H_{2}^{Z - t} (b)}, g^{(α + r) / β \cdot H_{2}^{t} (a) \cdot H_{2}^{Z - t} (b)}) / e {(g, g)}^{rs})} \end{matrix}$

In this case, the user needs to constantly try to decrypt the message to confirm that he or she has access to the data. In order to improve the decryption efficiency, the user can first obtain the access control policy from the DMgB, and the transaction of access control policy could be decrypted by all the users in the system.

Algorithm 4. Access phase
Input: secret key SK_att on attributes S, the time t, and the message in the Transaction.
Output: if the private key SK associated with attribute set S satisfies the conditions of access control tree $T$ , $t \in [t_{b}, t_{e}]$ , it returns the message in plaintext.1. Calculate the time-bound key $K_{t}$ ;2. Calculate the secret key SK;3. Decrypt the ciphertext CT with secret key SK;4. Return the plaintext M of transaction message or ⊥ .

Security analysis

This section gives the detailed security analysis from four aspects: anonymity, fine-grained access control, key automatic revocation, and non-repudiation.

Anonymity

This scheme achieves anonymity through the user in the blockchain, who does not use his or her real identity information. In the system, only the authority agency knows the real identity of the user, because when users apply to join the system, they need to verify the identity of the user. After the user applies to the authority agency to join the system, the authority agency will assign the user a series of attributes as well as the key to encrypt and decrypt the data. In addition, it will give the user his or her signature key pair. In all the activities afterwards, the signature key is a symbol of user identity. All transactions of this user need to be signed with his signature key. Other users verify this transaction only through his or her verification key, and they do not know the user’s real identity.

Fine-grained access control

The attribute-based cryptosystem adopted in this article can automatically achieve fine-grained access control through the cryptographic algorithm and at the same time protect the user’s identity information.

The data in the blockchain are encrypted, and after the user has verified the integrity of the data, he or she cannot decrypt all the data. Only when the user has attributes that meet the data access control policy, it can be decrypted. In addition, the scheme also adds the time-bound key management mechanism. The user can access the data in the blockchain only within a certain time range and cannot access beyond the time range.

Automatic revocation of the key

Time-bound key management mechanism can realize automatic revocation of the key. It manages the keys in the time dimension and controls the generation of user keys. When the user applies to the authority agency to join the system, the authority agency will give the user the time range that he or she can access in the blockchain. This management mechanism ensures that the user can only generate the decryption key within the time range. Once it exceeds the time range, the key will be invalid, and the user cannot generate the decryption key and hence cannot decrypt the data.

Non-repudiation

The scheme is non-repudiating because each transaction and every block is digitally signed. The primary node needs to add the user’s digital signature when creating a block. When a backup node posts a transaction in the block, the user also needs to add his or her own digital signature to the message so that other users reading the transaction can confirm the source of the data. When a user visits a transaction in a block, the block’s signature and the signature of the transaction need to be verified. Only after the two signatures have been verified successfully, the user can attempt to decrypt the data.

Evaluation

We implemented our protocols in C++ with MIRACL cryptography software development kit (SDK). The algorithms run by the users were executed on a client machine with Intel i7-4600U 2.70-GHz CPU and 4GB RAM. We also choose secp256k1 (Standards for Efficient Cryptography Group (SECG) curve over a 256-bit prime field) as ECDSA algorithm. We compare the proposed scheme with Rahulamathavan et al.’s²¹ scheme. In the following part, we call YRSM scheme for short.

Figure 2 shows the computation overhead of proposal phase, which mainly contains two steps: (1) encryption and (2) signing. Let y be the number of attributes required in the process of encryption. We vary y from 1 to 10. We have observed that it takes about 30.7 ms to generate a transaction with only one attribute. When the number of y is increased to 10, the time cost of generating a transaction is 71.4 ms. YRSM²¹ takes more time for generating encrypted transactions. It takes about 199 ms to generate a transaction with only one attribute and takes about 508 ms to generate a transaction with 10 attributes.

Figure 2.

Computation overhead of proposal phase.

In the verification phase, the time cost of verifying a transaction is about 2.5 ms. Of course it takes long time to verify a block, which depends on the number of transactions in the block. The time cost of verification of YRSM²¹ is almost identical to our scheme, since they both use the ECDSA signature as their signature algorithm.

Figure 3 shows the computation overhead of access phase, which is actually a decryption process. Let i be the number of attributes needed in the process of decryption. We also vary i from 1 to 10. We have observed that it takes about 103 ms to decrypt the content in a transaction with only one attribute. When the number of i is increased to 10, the time cost of decrypting a transaction is 601.3 ms. YRSM²¹ is more efficient in accessing an encrypted transaction than that of our scheme. It only takes about 230 ms to decrypt and access a transaction with 10 attributes.

Figure 3.

Computation overhead of access phase.

From the preceding experimental results, we can see that our scheme is quite efficient in proposal phase. The time to generate a transaction is less than 100 ms even requiring 10 attributes. The time to access such a transaction is less than 1 s.

Conclusion

In this article, we have proposed privacy-preserving IoT device management based on blockchain. This scheme is novel from three perspectives. (1) It achieves the sharing of device information across organizations and systems and takes advantages of the blockchain to make the stored data non-tampered, unforgeable, and verifiable. (2) We have adopted ABE to protect the confidentiality of data and provide fine-grained access over encrypted data according to the user’s roles and attributes. (3) We have used time-bound key management mechanism to achieve the automatic revoke of user attributes and keys. (4) We have analytically and experimentally showed that our scheme not only offers strong security but is also practical and deployable for sharing over encrypted data in the IoT environment.

Footnotes

Handling Editor: Ximeng Liu

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This work was supported by the National Key R&D Program of China (2017YFB1400700) and the Science and Technology Project of State Power Grid Corp (SAP no. 52110417000G).

References

Nakamoto

Bitcoin: a peer-to-peer electronic cash system, 2008, www.bitcoin.org

Maesa

DDF

Mori

Ricci

. Blockchain based access control. In: 17th IFIP WG 6.1 international conference, DAIS 2017, 19–22 June 2017, pp.206–220. Switzerland: Springer.

Ferraiolo

Kuhn

et al . Guide to attribute based access control (ABAC) definition and considerations, 2013, https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=915660

Zyskind

Nathan

Pentland

Decentralizing privacy: using blockchain to protect personal data. In: IEEE security and privacy workshops, San Jose, CA, 21–22 May 2015, pp.180–184. New York: IEEE.

Ouaddah

Elkalam

Ouahman

AA.

FairAccess: a new blockchain-based access control framework for the Internet of Things. Secur Commun Netw 2016; 9: 5943–5964.

Ouaddah

Mousannif

Elkalam

et al . Access control in the Internet of Things: big challenges and new opportunities. Comput Netw 2017; 112: 237–262.

Ouaddah

Elkalam

Ouahman

AA.

Towards a novel privacy-preserving access control model based on blockchain technology in IoT. In: Rocha

Serrhini

Felgueiras

(eds) Europe and MENA cooperation advances in information and communication technologies. Cham: Springer, 2017, pp.523–533.

Ouaddah

Bouij-Pasquier

Elkalam

et al . Security analysis and proposal of new access control model in the internet of thing. In: International conference on electrical and information technologies, Marrakech, Morocco, 25–27 March 2015, pp.30–35. New York: IEEE.

Dorri

Kanhere

Jurdak

et al . Blockchain for IoT security and privacy: the case study of a smart home. In: IEEE international conference on pervasive computing and communications workshops (PerCom Workshops), Kona, HI, 13–17 March 2017. New York: IEEE.

10.

Christidis

Devetsikiotis

Blockchains and smart contracts for the Internet of Things. IEEE Access 2016; 4: 2292–2303.

11.

Smart contracts, http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart.contracts.html

12.

Azaria

Ekblaw

Vieira

et al . MedRec: using blockchain for medical data access and permission management. In: International conference on open and big data, Vienna, 22–24 August 2016, pp.25–30. New York: IEEE.

13.

Ekblaw

Azaria

Halamka

et al . A case study for blockchain in healthcare: “MedRec” prototype for electronic health records and medical research data. White Paper, August2016, https://www.healthit.gov/sites/default/files/5-56-onc_blockchainchallenge_mitwhitepaper.pdf

14.

Xue

Wang

et al . A medical data sharing model via blockchain. Acta Autom Sinic 2017; 43(9): 1555–1562.

15.

Outchakoucht

Es-Samaali

Leroy

JP.

Dynamic access control policy based on blockchain and machine learning for the Internet of Things. Int J Adv Comput Sci Appl 2017; 8(7): 417–424.

16.

Alansari

Paci

Sassone

. A distributed access control system for cloud federations. In: IEEE international conference on distributed computing systems (ICDCS), Atlanta, GA, 5–8 June 2017, pp.2131–2136. New York: IEEE.

17.

Alansari

Paci

Margheri

et al . Privacy-preserving access control in cloud federations. In: IEEE international conference on cloud computing (CLOUD), Honolulu, HI, 25–30 June 2017, pp.757–760. New York: IEEE.

18.

Sahai

Waters

Fuzzy identity-based encryption. In: Annual international conference on theory and application of cryptographic techniques, Aarhus, 22–26 May 2005, pp.457–473. Berlin: Springer.

19.

Goyal

Pandey

Sahai

et al . Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13Th ACM conference on computer and communications security (CCS’06), Alexandria, VA, 30 October–3 November 2006, pp.89–98. New York: ACM.

20.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE symposium on security and privacy (SP’07), Berkeley, CA, 20–23 May 2007, pp.321–334. New York: IEEE.

21.

Rahulamathavan

Phan

Misra

et al . Privacy-preserving blockchain based IoT ecosystem using attribute-based encryption. In: IEEE international conference on advanced networks and telecommunications systems (ANTS) 2017, 17–20 December 2017. India: IEEE.

22.

Bertino

Shang

Wagstaff

Jr.

An efficient time-bound hierarchical key management scheme for secure broadcasting. IEEE T Depend Secure 2008; 5(2): 65–70.

23.

Castro

Liskov

. Practical Byzantine fault tolerance. In: OSDI’99 proceedings of the third symposium on operating systems design and implementation, New Orleans, LA, 22–25 February 1999. Berkeley, CA: USENIX Association.

24.

Johnson

Menezes

Vanstone

The elliptic curve digital signature algorithm (ECDSA). Int J Inf Secur 2001; 1(1): 36–63.

A privacy-preserving Internet of Things device management scheme based on blockchain

Abstract

Keywords

Introduction

Contribution

Organization

Related work

Preliminaries

ABE

Time-bound key management

Practical Byzantine fault tolerance

Elliptic curve digital signature algorithm

System model

Attribute-based blockchain

Block structure

Nodes and attributes

Block types

Roles

Manufacturer

Seller

Purchaser

Administrator

Authority agency

Data structure

Cert

Transaction

Block

The scheme

System setup phase

User setup phase

Proposal phase

Verification phase

Access phase

Security analysis

Anonymity

Fine-grained access control

Automatic revocation of the key

Non-repudiation

Evaluation

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References