See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328247073

A Blockchain-Based Authentication and Security Mechanism for IoT

Conference Paper · July 2018

DOI: 10.1109/ICCCN.2018.8487449

CITATIONS READS

25 5,580

4 authors, including:

Wei Peng Fangyu Gai

National University of Defense Technology University of British Columbia - Okanagan
102 PUBLICATIONS   1,412 CITATIONS    10 PUBLICATIONS   61 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

the research on the complexity to solve a NPC problem View project

All content following this page was uploaded by Wei Peng on 25 December 2019.

The user has requested enhancement of the downloaded file.

 A Blockchain-based Authentication and Security
Mechanism for IoT
Dongxing Li Wei Peng
College of Computer College of Computer
National University of Defense Technology National University of Defense Technology
Changsha, Hunan, 410073, China Changsha, Hunan, 410073, China
Email: [email protected] Email: [email protected]

Wenping Deng Fangyu Gai

College of Computer College of Computer
National University of Defense Technology National University of Defense Technology
Changsha, Hunan, 410073, China Changsha, Hunan, 410073, China
Email: [email protected] Email: [email protected]

Abstract—The existing identity authentication of IoT any cooperating group of attacker nodes [1]. The data stored
devices mostly depends on an intermediary institution, i.e. a in the blockchain cannot be tampered with, even if the
CA server, which is considered under the risk of single-point- attacker comes from the internal system.
failure attack. Even worse, the critical data of authenticated
devices can be tampered by inner attacks without being The blockchain technology provides feasible solutions
identified. To address these issues, we utilize blockchain for the identity authentication and security protection of IoT
technology, which serves as a secure tamper-proof distributed devices. The threshold of deployment and management
ledger for IoT devices. In the proposed method, we assign a blockchain is relatively low. Even if the intelligent devices
unique ID for each individual device and record them into the have limited computing resources, blockchain can be
blockchain, so that they can authenticate each other without a deployed. Applying blockchain in the IoT makes the
central authority. We also design a data protection mechanism centralized network structure become decentralized or multi-
by hashing significant data (i.e. firmware) into the blockchain centralized, which can greatly improve the security of the
where any state changes of the data can be detected system. It is necessary to save device ID, public key and
immediately. Finally, we implement a prototype based on an hash of critical data in the ledger before a device access to
open source blockchain platform Hyperledger Fabric to verify the IoT. Through the use of asymmetric cryptography, the
the proposed system. peer-to-peer identity authentication equals to verifying the
correctness of the matching between a public key and a
Keywords—blockchain; authentication; security; data
protection;
device ID [2]. By checking the hash of critical data of
devices, any modification of the data can be detected
immediately.
I. INTRODUCTION
With the development of the Internet of Things (IoT), the II. RELATED WORKS
number of networked devices is increasing explosively.
However, security issues of IoT can cause disastrous While blockchain was born with Bitcoin, its applications
consequences to our human life. For example, the Mirai have gone far beyond Bitcoin or digital currency. Blockchain
botnet was used to attack the Internet infrastructure firm Dyn could revolutionize many fields, such as finance, accounting,
which resulted many of the Internet’s top destinations offline management, and law [15]. Blockchain and its applications
in 2016. Thus, IoT devices require strong self-protection are studied and alternative model for authentication,
capabilities to defend malicious attacks from inner or outer authorization and security protection is proposed by scholars
areas. The authentication mechanism can secure the identity around the world.
of the IoT devices in the network, which is the first gateway Ouaddah A et al. [3] proposed a blockchain-based IoT
to the network security. It is necessary to authenticate the access control framework with the goal of providing a
identities of devices in the network, and the traditional reference model for the framework proposed in the
authentication of the IoT is mostly based on the Public Key specification of objectives, models, architectures, and
Infrastructure(PKI), which requires a central authority. mechanisms in the IoT. Xu Q et al. [4] proposed a
Blockchain, as a distributed ledger technology, creates a blockchain-based decentralized Docker Trust (DDT)
trustless environment which can entirely remove the solution, which greatly reduces the risk of DoS and provides
dependence on the central authority. Each node achieves the signature verification services for Docker images. Rodrigues
consistency of storage data through a consensus algorithm in B et al. [5] proposes a new architecture through emerging
blockchain network. The system is secure as long as the technologies such as blockchain and smart contracts,
honest nodes control collectively control more hashrate than providing new opportunities for flexible and efficient DDoS
mitigation solutions across multiple domains. Zyskind G et In order to prevent illegal devices accessing the IoT, we
al. [6] proposes a decentralized personal data management use public key cryptography to authenticate IoT entities.
system to ensure that users own and control their data and The biggest difference is that we introduce a peer-to-peer
implements an agreement that turns the blockchain into an authentication methodology without third party based on
automatic access control manager that does not require third- blockchain.
party trust. Kumari S et al. [7] proposed a new architecture
design by combining emerging technologies such as B. Security protection
blockchain and smart contracts, introducing new In the IoT, ensure the reliability of the IoT devices
opportunities for flexible and efficient DDoS mitigation provides security protection. Even if a device has passed the
solutions across multiple domains. Lee B et al. [8] proposes a authentication of other nodes, it still has the risk of being
new firmware update scheme using blockchain technology attacked by malicious users due to software or system
for securely checking the firmware version, verifying the vulnerabilities during the execution of the task. The intruder
correctness of the firmware and downloading the latest usually will modify the network entity to leave a backdoor in
firmware of the embedded device. Moinet A et al. [9] the device to prepare for subsequent infiltration and modify
proposed a new security model and protocol based on the key configuration file in the device and cause damage to
blockchain technology to ensure the validity and integrity of the entire network.
password authentication data and the associated peer trust
level from the beginning to the end of the sensor network In order to discover potential intrusions quickly, we
lifecycle. Lundbaek L N et al. [10] proposes to use a regularly verify that whether critical data have been
blockchain to record the hash of the financial process tampered with.
transaction to increase its credibility and the credibility of the
audit. Yin W et al. [11] proposed a new anti-quantum C. Assumptions
transaction authentication scheme in the blockchain.
Alexopoulos N et al. [2] pointed out that in the trust 1) Enrollment Control
management certification, blockchain technology and openly We use a permission chain with access control rights
distributed ledger (ODL) can usually provide considerable ensured by the system administrator for the proposed
advantages compared to previous methods. Zhang L et al. system. A device needs to register in blockchain before it
[12] uses blockchain technology to design a fully distributed accesses to the network. The access control layer in the
user authentication framework. In their framework, users permission chain ensures that only devices with legal
store their identities in a blockchain, store encrypted personal identities can register information in the blockchain.
information in a blockchain store, and attach a smart contract
to grant different permissions to each site/application. ZHOU 2) Secure Channel
Zhicheng et al. [13] proposed an efficient cross-domain For simplicity, we assume a secure information channel to
authentication scheme based on blockchain technology. The avoid man-in-the-middle attacks (MITM) [16]. It means
scheme includes the trust model and architecture of the that no third party can intercept and modify messages.
BlockChain Certificate Authority (BCCA), and the This secure channel is mainly used to ensure the integrity
blockchain certificate format and user cross-domain of the information. Nodes can communicate with each
authentication. Authentication protocols, as well as security other and verify information reliably.
and efficiency. Abdullah N et al. [14] proposes a blockchain-
based method for enhancing large data validation in a 3) Fast Synchronization
distributed environment. When a device registers in the blockchain, it only needs to
The above studies mostly focus on trust management, request the ledger from a small number of nodes rather
data security and security protection. Our model’s advantage than performing long-term synchronization of block data.
in comparison with other works lies with its generic nature The nodes for synchronization are selected randomly, so
and simplicity. Our research addresses the security of IoT we can assume that these nodes are trustworthy.
and especially identity authentication and security protection
for IoT devices. IV. SYSTEM MODEL
Blockchain, as an open, secure and distributed
III. PROBLEM DEFINITION transaction ledger technology, can flexibly adapt to complex
and changing network environments. The failure of some
A. Authentication nodes does not affect the stable operation of the system.
In the IoT, ensure the validity of identity of a device Distributed authentication between nodes prevents malicious
accessing to the network is the base of security. nodes from invading the network. Even if a small number of
Authentication is a mechanism by which a network nodes are compromised, the ledger will not be tampered
determines whether the user has access to certain resources.. with.
The authentication can be categorized into three categories: In a multi-node network, the identity information of the
what-you-know (knowledge), what-you-have (possession) devices need to be registered in the blockchain every time a
and who-you-are (ownership) [17]. new device is added. Each device's ID, public key, hash of
critical data and other information are stored in the
blockchain ledger. At the same time, each device is a node in security key module. The private key is encrypted and
the blockchain network and the consensus mechanism make stored locally, and the public key is stored in blockchain
sure that each node stores the same information. Whenever ledger. After receiving the registration information, the
peer-to-peer communication occurs, public key cryptography consensus node regards it as a registration event, generates a
can be used for identity authentication between IoT devices. block after consensus with other consensus nodes and
synchronizes to other non-consensus nodes. In the process
Enrollment of devices of enrollment, it also needs to store the hash value of critical
data such as the local configuration file and firmware in the
blockchain so as to prepare for subsequent data integrity
verification.
Identity authentication Table 1. The roles and functions of nodes
Roles Functions
Generate blocks;
Integrity verification Consensus nodes Verify blocks;
Participate in consensus.
Figure 1. System process
Non-consensus nodes Transfer data.
The system process is mainly divided into three steps. All
devices need to complete the registration in the blockchain
C. A P2P identity authentication method
before authentication. When a device needs to access the
network, it will be authenticated using the registration Assuming device A sends a connection request including
information in the blockchain. After authentication, device message M to device B which is in a network, the identity
will be verified the integrity of the hash of the critical authentication process is as follows.
information in order to discover potential intrusion behavior.
The process of our system is shown in Figure 1 and the A sends connection request (ID_A, M_signed_ by_A) to B;
system model is shown in Figure 2 // B query Key_A and verify the identity of A
If (Key_A_exists _in_local)
Verify the identity of A;
Else
If (Key_A_exists_in_consensus_nodes)
Verify the identity of A;
Else
Reject the connection request of A;

Figure 3. The P2P identity authentication process

When B receives the message, B firstly searches the
public key of A in the local blockchain ledger according to
the ID of A. If the public key of A is found in local
Figure 2. System model blockchain ledger, the public key will be used to verify the
identity of A. Otherwise, B searches the public key of A in
A. Roles of nodes consensus nodes. If the public key of A is obtained, B will
Nodes can be divided into consensus nodes and non- verify the identity of A. Otherwise, it means that A has not
consensus nodes according to the different functions in registered in the blockchain system and B will reject the
permission chain. Consensus nodes participate in consensus connection request of A. The P2P identity authentication
process, generate blocks and broadcast blocks to non- process is shown in Figure 3.
consensus nodes. The functions of the two types of nodes are
shown in Table 1. D. Integrity check periodically
The hash of the critical data of each device has stored
共识节点与非共识节点中存储的内容不同。
into blockchain in the process of registration. During the
execution of the task, the IoT nodes periodically send a
B. Enrollment of devices integrity verification request for the critical data to the
In the IoT, all the nodes need to be enrolled in the neighboring node. If the verification fails, it indicates that a
blockchain. Each device generates a key pair from its own
key configuration file has been tampered with and a warning similar to bitcoin. The difference is that the transactions are
will be triggered. events such as device registration, identity authentication,
In addition to the firmware and configuration files of the and integrity check. The data structure of the block is shown
IoT devices, the data collected and the log files generated by in figure 5.
the devices during the execution of the task can also be saved
into blockchain after hashing the data for data protection and B. Transactions on the chain
security audit. The interaction between devices and block chain is
carried out in the form of transaction. We defined three
V. IMPLEMENTATION different kinds of transactions by smart contracts. The smart
This section will introduce the specific implementation contracts receive requests from devices and perform
details of the system, including the deployment of the different operations such as writing and reading in the
blockchain, the process of the asymmetric key generation blockchain according to different requests. The interaction
and the storage structure of the data to be verified integrity in between devices and blockchain is shown in figure 6.
the blockchain. Finally, the security analysis of the system is
given.

A. Environmental deployment
According to the IoT application scenario, we decided to
deploy a permission chain on the IoT cluster. We deployed a
blockchain network on the Raspberry Pi based on the open
source project Hyperledger Fabric. Each Raspberry Pi acts
Figure 6. The interaction between devices and blockchain
as a node in the blockchain network and nodes are
connected by ad hoc.
C. CSPRNG-based key generation technology
In the IoT, each device corresponds to a pair of key,
including a private key and a public key. This key pair
represents the identity of the device. A private key is a
number chosen randomly and the public key can be
generated by elliptic curve multiplication

Figure 4. Structure of blockchain network

Based on the multi-chain and channel technology, the
blockchain can be divided into different sub-chains and the Figure 7. Key Generation Process
IoT devices can form different subnets according to
business requirements. A subnet can interact with a sub- A sufficiently secure entropy source is the most critical
chain with no distractions. A structure of blockchain step in generating the private key. In order to ensure that the
network is shown in figure 4. selected random number result is unpredictable or non-
repeatable, a cryptographical secure pseudo-random number
generator (CSPRNG) is often used as a source of
randomness. CSPRNG is a pseudo-random number
generator that can compute cryptographically secure
pseudo-random numbers through operations. Compared to
statistical pseudo-random number generators and weaker
pseudo-random number generators, CSPRNG generates
cryptographically secure pseudo-random numbers with
additional pseudo-random properties.
Figure 5. Data structure of the block
Using CSPRNG to generate random numbers also
All transactions in the entire blockchain network are requires a seed from a source with sufficient entropy values.
recorded in the blockchain. The data structure of the block is In our system, we get an approximate random seed by
collecting various information of the IoT devices, such as Assuming a Byzantine fault tolerance system with n nodes,
memory usage status, hard disk free space, I/O delay, the the number of traitors (fault nodes or colluders of attacker)
number of processes, CPU clock, etc. is t, as long as n>3t, the agreement will terminate in a
limited time and the loyalty party (honest nodes) will
The public key can be calculated from the private key
eventually achieves a consensus result.
through the elliptic curve algorithm. This is an irreversible
process: K=k*G. Where k is the private key, G is called the In terms of security defenses, our system has the
constant point of the generating point, and K is the resulting following advantages.
public key. If the public key K is known to find the private
key k, i.e. "find discrete logarithm", it is very difficult to 1) Prevent malicious nodes from intruding.
search the right key by experimenting all the possible values We implement peer-to-peer authentication based on
violently. The key generation process is shown in Figure 7. permission chain, where the access control layer can
effectively prevent malicious nodes from intruding.
D. Data integrity verification in the blockchain
2) Resist DDoS attacks.
A file is signed by distributed ledger technology in
blockchain instead of traditional file signatures. It is almost The proposed system where all nodes share a ledger is
impossible to forge and steal data. Unlike traditional decentralized. The system will still work well even if some
methods that rely on asymmetric key encryption, nodes suffer from a DDoS attack [5].
blockchain-based integrity protection techniques use hash
3) Prevent the firmware backdoor.
encryption techniques, making integrity verification
dependent on the security of hash functions and the validity Utilizing the tamper-resistant nature of blockchain, store
of shared ledger. the hash values of critical data such as firmware and
configuration files into blockchain. Any nodes in a subnet
The storage structure of the files in the blockchain is can verify the integrity of an item of data and quickly
shown in Figure 8. First, the files are stored as a hash value discover the firmware backdoor.
and then these hash values are combined to calculate hash
and the hash value is obtained again until a root hash value VI. CONCLUSIONS AND FUTURE WORK
is obtained. The resulting data structure is called Merkle
Tree (hash tree). The path from the hash of each file up to In this paper, we analyze the drawbacks of the
the root hash is called the signature of the file. traditional IoT in identity authentication and security
protection. And we proposed a blockchain-based model for
IoT authentication and security protection. We also
discussed details of the system implementation. In addition,
we implement a prototype system based on Hyperledger
Fabric to verify the proposed system. Our research has the
advantages of generic nature and simplicity in comparison
with other works. The low implementation cost makes it
suitable for deployment on lightweight devices such as IoT.
Moreover, the structure of multi-chain provides additional
security protection between different trust domains.
The future work will focus on the management of the
Figure 8. File storage structure in the blockchain enormous amount of IoT sensor data vs. traditional financial
transaction data based on blockchain.
When verifying the integrity of a file, it’s only need to
substitute the hash of the file to be verified into the signature REFERENCES
path and compare the obtained root hash value with the [1] Nakamoto S. Bitcoin: A peer-to-peer electronic cash system[J].
original hash value. Consulted, 2008.
E. Performance analysis [2] Alexopoulos N, Daubert J, Mühlhäuser M, et al. Beyond the Hype:
On Using Blockchains in Trust Management for Authentication[J].
The system performance metrics such as throughput and 2017:546-553.
delay are mainly dependent on the blockchain platform [3] Ouaddah A, Abou Elkalam A, Ait Ouahman A. FairAccess: a new
Hyperledger Fabric, so these details will not be discussed Blockchain based access control framework for the Internet of
Things[J]. Security & Communication Networks, 2017, 9.
here.
[4] Xu Q, Jin C, Rasid M F B M, et al. Blockchain-based decentralized
The consensus algorithm we adopt is PBFT (Practical content trust for docker images[J]. Multimedia Tools & Applications,
2017(239):1-26.
Byzantine Fault Tolerance), which enables the discovery of
[5] Rodrigues B, Bocek T, Lareida A, et al. A Blockchain-Based
abnormal behavior and the synchronization of data in the Architecture for Collaborative DDoS Mitigation with Smart
ledger to achieve consistency of the blockchain network. Contracts[C]// IFIP International Conference on Autonomous
The security of our system relies on the robustness of PBFT. Infrastructure, Management, and Security. Springer, Cham, 2017:16-
29.
[6] Zyskind G, Nathan O, Alex. Decentralizing Privacy: Using
Blockchain to Protect Personal Data[C]// IEEE Security and Privacy
Workshops. IEEE Computer Society, 2015:180-18.
[7] Kumari S, Karuppiah M, Das A K, et al. A secure authentication
scheme based on elliptic curve cryptography for IoT and cloud
servers[J]. Journal of Supercomputing, 2017(4):1-26.
[8] Lee B, Lee J H. Blockchain-based secure firmware update for
embedded devices in an Internet of Things environment[J]. Journal of
Supercomputing, 2017, 73(3):1-16.
[9] Moinet A, Darties B, Baril J L. Blockchain based trust &
authentication for decentralized sensor networks[J]. 2017.
[10] Lundbaek L N, D'Iddio A C, Huth M. Optimizing Governed
Blockchains for Financial Process Authentications[J]. 2017.
[11] Yin W, Wen Q, Li W, et al. An Anti-Quantum Transaction
Authentication Approach in Blockchain[J]. IEEE Access, 2018,
6(99):5393-5401.
[12] Zhang L, Li H, Sun L, et al. Poster: Towards Fully Distributed User
Authentication with Blockchain[C]//Privacy-Aware Computing
(PAC), 2017 IEEE Symposium on. IEEE, 2017: 202-203.
[13] ZHOU Zhicheng,LI Lixin,LI Zuohui. Efficient cross-domain
authentication scheme based on blockchain technology[J]. Journal of
Computer Applications, 2018, 38(2): 316-320.
[14] Abdullah N, Hakansson A, Moradian E. Blockchain based approach
to enhance big data authentication in distributed environment[C]//
Ninth International Conference on Ubiquitous and Future Networks.
IEEE, 2017:887-892.
[15] Zhao J L, Fan S, Yan J. Overview of business innovations and
research opportunities in blockchain and introduction to the special
issue[J]. Financial Innovation, 2016, 2(1):28.
[16] Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to
the HTTPS protocol. IEEE Security & Privacy 7(1), 78–81 (2009),
https://doi.org/10.1109/MSP.2009.12
[17] Weaver, A. C.: Biometric authentication. Computer, 39(2):96–97,
Feb 2006, ISSN 0018-9162.

View publication stats