
Research On Key Technologies Of Capability-based Distributed Internet Of Things Access Control

Posted on: 2022-11-17
Degree: Master
Type: Thesis
Country: China
Candidate: F Li
Full Text: PDF
GTID: 2518306755495784
Subject: Computer technology

Abstract/Summary:
With the rapid development of the Internet of Things (IoT), unauthorized access to IoT devices is occurring frequently. Existing access control methods that rely on centralized solutions lead to a single point of failure (SPOF). Capability-Based Access Control (CapBAC) uses a token-based architecture to solve access control problems in distributed systems, but it faces multiple challenges in practical application. First, the verification of nested capability tokens in CapBAC is complex, and the passive capability detection method it uses cannot detect unvisited capabilities. Second, CapBAC cannot directly revoke or modify a single capability, and authorization errors are difficult to locate and collect. Additionally, the blockchain-based cross-domain capability authentication methods used in CapBAC have high communication overhead, and it is difficult to make cross-domain access decisions that meet the interests of all collaboration participants. To address these challenges, this paper explores the key technologies of capability-based distributed IoT access control. The main research contents and contributions of this paper are as follows:

(1) To improve the efficiency of token authentication and the passive capability detection method in CapBAC, this paper proposes a temporal capability tree (TCT) based capability access control method. The method supports quick authentication of capability tokens, which reduces the token authentication overhead. Simultaneously, an active capability detection method is described, which can trace back to capabilities that were delegated but never used. Experiments show that the capability token verification algorithm used in this paper is more efficient, and its capability capture rate higher, than that of CapBAC.

(2) To refine the coarse granularity of capability revocation and modification, and to reduce the difficulty of localizing authorization errors and performing forensic analysis, this paper proposes a fine-grained capability directional tracking and analysis method. Based on the proposed capability revocation and modification method, directional operation on a single capability is implemented. A forensic analysis method is also proposed to detect errors caused by capability delegation and policy configuration. Compared to existing schemes, this method has acceptable communication time, shorter revocation and modification time, and a high error detection rate.

(3) To address the constrained capability authentication in cross-domain systems and the difficulty of unifying multi-domain security policies, this paper proposes an efficient multi-domain authentication and decision-making method. By designing a Trajectory-Hash-on-Blockchain scheme, the communication overhead of cross-domain capability authentication is reduced. Furthermore, a cross-domain access decision-making method based on federated learning is proposed to eliminate privacy risks in the unification of multi-domain security policies. Compared to existing schemes, the communication overhead of this method grows more slowly with the number of access control policies, and the proposed cross-domain decision-making algorithm converges quickly with high accuracy.
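The three CapBAC mechanics the abstract refers to (verifying a nested delegation chain, actively finding capabilities that were delegated but never used, and revoking a single capability with its sub-delegations) as an added Python illustration that is not part of the thesis; the tree layout, HMAC-signed tokens and the shared per-domain key are assumptions of this sketch, not the thesis's TCT design:

```python
import hashlib, hmac
class CapTree:
    """Toy CapBAC delegation tree: a constructed illustration, not the thesis's TCT."""
    def __init__(self, domain_key: bytes):
        self.key = domain_key       # assumption: one HMAC key per administrative domain
        self.tokens = {}            # token id -> (parent id, subject, rights, signature)
        self.used = set()           # token ids exercised at least once
        self.revoked = set()

    def _sign(self, tid, parent, subject, rights):
        msg = f"{tid}|{parent}|{subject}|{','.join(sorted(rights))}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, tid, subject, rights, parent=None):
        """Issue a root token, or delegate a subset of a live parent's rights."""
        rights = frozenset(rights)
        if parent is not None and (parent not in self.tokens or parent in self.revoked):
            raise ValueError("cannot delegate from a missing or revoked token")
        if parent is not None and not rights <= self.tokens[parent][2]:
            raise ValueError("delegation must not amplify rights")
        self.tokens[tid] = (parent, subject, rights, self._sign(tid, parent, subject, rights))

    def verify(self, tid, right):
        """Nested-token check: walk up to the root; every hop must be intact, live and hold `right`."""
        while tid is not None:
            if tid not in self.tokens or tid in self.revoked:
                return False
            parent, subject, rights, sig = self.tokens[tid]
            expected = self._sign(tid, parent, subject, rights)
            if right not in rights or not hmac.compare_digest(sig, expected):
                return False
            tid = parent
        return True

    def use(self, tid, right):
        ok = self.verify(tid, right)   # an access attempt marks the token as visited
        if ok:
            self.used.add(tid)
        return ok

    def unused_delegations(self):
        """Active detection: delegated tokens that were never exercised."""
        return sorted(t for t, (p, *_) in self.tokens.items() if p is not None and t not in self.used)

    def revoke(self, tid):
        stack = [tid]   # revoke this one token and, transitively, everything delegated from it
        while stack:
            t = stack.pop()
            self.revoked.add(t)
            stack.extend(c for c, (p, *_) in self.tokens.items() if p == t)
```

Each verification walks the whole chain, which is the per-check cost the thesis's TCT is meant to cut; the `unused_delegations` scan is what a passive, access-triggered check can never produce.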
Keywords/Search Tags:IoT Access Control, CapBAC, Permission Delegation, Blockchain, Federated Learning