Elsevier

Future Generation Computer Systems

Volume 76, November 2017, Pages 285-292
Future Generation Computer Systems

Efficient certificateless access control for industrial Internet of Things

https://doi.org/10.1016/j.future.2016.12.036Get rights and content

Highlights

  • We revised the BDCPS certificateless signcryption scheme.

  • Our scheme gets public verifiability, ciphertext authenticity and insider security.

  • We designed an access control scheme for industrial IoT using revised signcryption.

Abstract

Industrial wireless sensor networks (IWSNs) play an important role in monitoring the industrial equipment and creating a highly reliable industrial system. To query of the network to gain useful information from anywhere and anytime, we need to integrate the IWSNs into the Internet as part of the industrial Internet of Things (IoT). In this case, it is crucial to design an access control scheme that can authorize, authenticate and revoke a user to access the IWSNs. In this paper, we first give a certificateless signcryption scheme and then design an access control scheme for the IWSNs in the context of the industrial IoT using the certificateless signcryption. Compared with existing two access control schemes using traditional signcryption, our scheme achieves public verifiability, ciphertext authenticity and insider security. In addition, the computational cost of the sensor node in our scheme is reduced by about 62% and 77%, respectively and the energy consumption of the sensor node in our scheme is reduced by about 64% and 75%, respectively.

Introduction

Wireless sensor networks (WSNs) are ad hoc networks that usually are composed of a large number of tiny sensor nodes with the capabilities of sensing, computation and communication  [1], [2]. WSNs have important application in military sensing and tracking, target tracking, environment monitoring, and so on. Industrial wireless sensor network (IWSNs) are an important application of the WSNs in the industrial manufacturing field. In the IWSNs, many tiny sensor nodes are deployed on the industrial equipment. These tiny sensor nodes monitors the efficiency of each industrial equipment by measuring vibration, pressure, temperature, power quality, and so on. If a factory personnel find a potential problem by collecting the data from the IWSNs, he or she can replace or repair the equipment before the efficiency of the equipment drops or the equipment fails entirely. Therefore, by using the IWSNs, we can avoid some catastrophic equipment failures and associated loss. Compared with the traditional wired industrial monitoring system, the IWSNs have lower cost for development and maintenance and higher flexibility and intelligent process capability  [3], [4]. IWSNs has the potential to make our cities smarter. The industry is an important part of a city. A smart industry can be obtained by using the IWSNs. We can stay in the office and monitor equipment operation. If the data collected by the IWSNs deviate the normal value, we can switch to the redundant equipment and repair the failed equipment. While the IWSNs supply a great flexibility for establishing communications, it also bring some technical challenges. In  [3], Gungor and Hancke gave eight technical challenges for the IWSNs. The fifth challenge is the security due to all the characteristics of these networks, such as open nature of wireless communication, dynamically changing topology, and the limited capabilities of sensor nodes in terms of processing power, storage, energy and bandwidth. The eighth challenge is the integration with the Internet. To query of the IWSNs to gain the useful information from anywhere and anytime, we need to integrate the IWSNs into the Internet as part of the industrial Internet of Things (IoT). Roman and Lopez  [5] gave three methods to gain this integration, front-end proxy solution, gateway solution and TCP/IP overlay solution. In the front-end proxy solution, the sensor nodes cannot communicate with the Internet hosts directly. The base station acts as an interface between the IWSNs and the Internet and parses all incoming and outgoing information. That is, the users issue data queries to the sensor nodes through the base station and the base station forwards the results to the users. In this solution, the base station may become the bottleneck and the single point of failure. In both gateway solution and TCP/IP overlay solutions, the sensor nodes can communicate with the Internet hosts directly. In the gateway solution, the base station acts as an application layer gateway which translates the lower layer protocols from both networks. In the TCP/IP overlay solution, the sensor nodes communicate with other nodes using TCP/IP. The base station acts as a router that forwards the packets from and to the sensor nodes.

To prevent abuse of the data collected by the IWSNs, only authorized users are allowed to access the IWSNs. However, it is not an easy thing to design an access control scheme for the IWSNs in the context of the industrial IoT since the resource of the sensor nodes is very limited.

In 2009, Le et al.  [6] designed an energy-efficient access control scheme for the WSNs using elliptic curve cryptography (ECC). The advantage of ECC is that it can use smaller key size to achieve comparable security level to the other public key cryptosystem such as RSA  [7]. For instance, to obtain the 80-bit security level, the modulus size of RSA should be 1024 bits but the key size of ECC only needs 160 bits. In 2011, He et al.  [8] proposed a privacy-preserving access control scheme for the WSNs using ring signature  [9], [10]. In a ring signature scheme, a signer can anonymously sign a message on behalf of a set of users including itself. A verifier knows that the message comes from a member of a ring, but does not exactly know who the signer is. Therefore, the ring signature can protect the privacy of the signer. Yu, Ren and Lou  [11] gave a fine-grained data access control scheme for the WSNs using attribute-based encryption (ABE)  [12]. Hur  [13] also used ABE to propose a fine-grained data access control scheme with efficient user revocation. In 2012, Zhang, Zhang and Ren  [14] designed a new privacy-preserving access control scheme for the WSNs using blind signature. In 2013, Yu et al.  [15] designed a novel access control scheme for the WSNs in the context of IoT using signcryption [16], [17] (hereafter called YHZXZ). In 2014, Ma, Xue and Hong  [18] also used signcryption to design an access control scheme for the WSNs (hereafter called MXH). The advantage of using signcryption in access control for the WSNs is that it can simultaneously authenticates the users and protects the query messages with a lower cost. Signcryption is a new cryptographic technique that can gain both the functions of public key encryption and digital signature in a logical single step, with a cost significantly lower than that required by the traditional encryption-then-signature or signature-then-encryption methods. That is, a signcryption scheme can simultaneously achieve confidentiality, integrity, authentication and non-repudiation with a lower cost. However, both YHZXZ  [15] and MXH  [18] are based on the traditional public key infrastructure (PKI). In the PKI system, each user has a private key and a corresponding public key. To ensure the authenticity of the public key, a certificate authority (CA) needs to issue a digital certificate that affords an unforgeable and trusted link between a user’s identity and the public key by the digital signature of the CA. The main difficulty in the WSNs using PKI system is the certificates management, including distribution, storage and revocation. In addition, each user should verify the validity of a certificate before using the corresponding public key. If a certificate is not valid, the corresponding public key cannot be used in any cryptographic protocols. Otherwise, the public key is believable and can be used. For the access control for the IWSNs in the context of the IoT, it is a heavy burden for the sensor nodes to verify the validity of the public key certificates. To reduce the burden of the sensor nodes, identity-based cryptosystem (IBC)  [19] was used to design the security schemes for the WSNs  [20], [21], [22], [23]. Compared with the PKI system, the IBC does not need public key certificates. A user’s public key is computed from its identity information, such as telephone numbers, email addresses and IP addresses. The user’s private key is produced by a trusted third party called private key generator (PKG). Authenticity of a public key is explicitly verified without a certificate. Therefore, the lightweight IBC is very suitable for design the security schemes for the WSNs. However, the lightweight IBC has a weakness called key escrow problem since the PKG possesses all users’ private keys. That is, the PKG can decrypt any ciphertext and forge a signature for any message. Therefore, the IBC is only suitable for small networks, such as the WSNs, and is not suitable for large-scale networks, such as the Internet. For design an access control scheme for the IWSNs in the context of the IoT, we need to find a new solution that has neither key escrow problem nor public key certificates. In 2013, Li and Xiong  [24] discussed the secure communication in the IoT using heterogeneous online/offline signcryption. Cirani et al.  [25] discussed the security challenges of the IoT. In 2015, Cirani et al.  [26] proposed an OAuth-based authorization mechanism for the IoT.

The motivation of this paper is to find a new solution for design of an access control scheme for the IWSNs in the context of the IoT. The scheme has neither key escrow problem nor public key certificates. Only authorized users can access the IWSNs and the query messages are protected. It is important to protect the query messages for preserving the privacy of the users  [18]. Our solution is to use certificateless signcryption (CLSC)  [27]. The concept of certificateless cryptography (CLC) was proposed by Al-Riyami and Paterson  [28]. The main advantage of the CLC is neither public key certificates nor key escrow problem. The CLC still needs a trusted third party called the key generating center (KGC) who is responsible for producing a partial private key using a master key and a user’s identity. Then the user generates some secret value and combines the secret value with the partial private key to get a full private key. Note that the KGC does not know the full private key since it does not know the secret value. We give an access control scheme for the IWSNs in the context of the IoT using the CLSC technique. Our scheme has the ciphertext authenticity that allows us shift the computational cost of the sensor nodes to the gateway. In addition, our scheme also satisfies the public verifiability and insider security. Compared with existing two access control schemes using PKI-based signcryption  [15], [18], the computational cost of the sensor node in our scheme is reduced by about 62% and 77%, respectively and the energy consumption of the sensor node in our scheme is reduced by about 64% and 75%, respectively.

The rest of this paper is arranged as follows. The network model, security requirements and bilinear pairings are introduced in Section  2. An efficient CLSC scheme is given in Section  3. We give a certificateless access control scheme for the IWSNs in the context of the IoT in Section  4. The performance and security of the proposed access control scheme are discussed in Section  5. Finally, the conclusions are given in Section  6.

Section snippets

Preliminaries

In this section, we give the network model, security requirements and bilinear pairings.

A certificateless signcryption scheme

In 2008, Barreto et al.  [27] proposed an efficient certificateless signcryption scheme (hereafter called BDCPS). However, this scheme cannot be directly used to design an access control scheme for the IWSNs in the context of the IoT. In this section, we first review the BDCPS scheme and then point out its weakness. Finally, we give a modified scheme that is suitable for the design of an access control scheme for the IWSNs in the context of the IoT.

A certificateless access control scheme

In this section, we propose an efficient certificateless access control scheme for the IWSNs in the context of the IoT using the modified BDCPS scheme. The access control scheme consists of four phases: the initialization phase, the registration phase, the authentication phase, and the revocation phase. In this scheme, the SP acts as the KGC in the CLC environment. The proposed access control scheme is summarized in Fig. 2

Analysis of the access control scheme

In this section, we evaluate the performance and security of our access control scheme. First, we compare the computational cost and communication cost of our scheme with those of YHZXZ  [15] and MXH  [18] in Table 1.

We denote by P the pairing operation, M the point multiplication operation in G1 and E the exponentiation operation in G2. The other operations are ignored in Table 1 since the three operations consume the most running time of the whole algorithm. Let |x| be the number of bits of x

Conclusion

In this paper, we proposed a modified certificateless signcryption scheme that satisfies public verifiability, ciphertext authenticity and insider security. We also gave a certificateless access control scheme for the IWSNs in the context of IoT using the modified signcryption. Compared with existing YHZXZ and MXH using PKI-based signcryption, the computational cost of the sensor node in our scheme is reduced by about 62% and 77%, respectively and the energy consumption of the sensor node in

Fagen Li is an associate professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, PR China. He received his Ph.D. degree in Cryptography from Xidian University, Xi’an, PR China in 2007. From 2008 to 2009, he was a postdoctoral fellow in Future University-Hakodate, Hokkaido, Japan, which is supported by the Japan Society for the Promotion of Science (JSPS). He worked as a research fellow in the Institute of

References (40)

  • D. He et al.

    Distributed access control with privacy support in wireless sensor networks

    IEEE Trans. Wireless Commun.

    (2011)
  • R.L. Rivest et al.

    How to leak a secret

  • J.K. Liu et al.

    Linkable ring signature with unconditional anonymity

    IEEE Trans. Knowl. Data Eng.

    (2014)
  • S. Yu et al.

    FDAC: toward fine-grained distributed data access control in wireless sensor networks

    IEEE Trans. Parallel Distrib. Syst.

    (2011)
  • V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data,...
  • J. Hur

    Fine-grained data access control for distributed sensor networks

    Wirel. Netw.

    (2011)
  • R. Zhang et al.

    Distributed privacy-preserving access control in sensor networks

    IEEE Trans. Parallel Distrib. Syst.

    (2012)
  • H. Yu et al.

    Enabling end-to-end secure communication between wireless sensor networks and the Internet

    World Wide Web

    (2013)
  • Y. Zheng

    Digital signcryption or how to achieve cost (signature & encryption) cost (signature) + cost(encryption)

  • F. Li et al.

    Efficient signcryption for heterogeneous systems

    IEEE Syst. J.

    (2013)
  • Cited by (0)

    Fagen Li is an associate professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, PR China. He received his Ph.D. degree in Cryptography from Xidian University, Xi’an, PR China in 2007. From 2008 to 2009, he was a postdoctoral fellow in Future University-Hakodate, Hokkaido, Japan, which is supported by the Japan Society for the Promotion of Science (JSPS). He worked as a research fellow in the Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan from 2010 to 2012. His recent research interests include cryptography and network security. He has published more than 70 papers in the international journals and conferences. He is a member of the IEEE.

    Jiaojiao Hong is now a master student in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, PR China. Her research interests include cryptography and information security.

    Anyembe Andrew Omala is now a Ph.D. student in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, PR China. His research interests include cryptography and network security.

    This work is supported by the National Natural Science Foundation of China (Grant Nos. 61073176, 61272525, 61302161 and 61462048) and the Fundamental Research Funds for the Central Universities (Grant No. ZYGX2013J069).

    View full text