An Interaction based Multi-Factor Multi-Level Authentication Framework for IoT Environments

Student thesis: PhD

Abstract

Internet of Things (IoT) applications, such as smart home, smart health, and industrial IoT, are increasingly popular with the increased number and reduced cost of smart devices. Although IoT technologies have the potential to improve our quality of life, they also introduce new security problems or challenges. One of the major challenges is how to authenticate a large number of heterogeneous and possibly resource-constrained devices in a secure and efficient manner. Without reliable authentication provisioning, the whole system will be put at risk. These observations have motivated us to investigate how to optimise the trade-off between protection strengths and overhead costs. To this end, the thesis has made the following novel contributions.
Firstly, it presents a systematic analysis of security problems and threats in relation to authentication in an IoT environment, and critically analyses state-of-the-art authentication solutions in this context. This has led to the discovery that (i) existing authentication solutions are not readily applicable to secure IoT environments, and (ii) existing authentication solutions designed for IoT environments are mainly single-factor based and provide a single Level of Assurance (LoA). This single-LoA, one-size-fits-all approach to authentication may not be appropriate in some IoT applications. For resources with a higher sensitivity level, a higher level of protection should be provided. However, a higher assurance level often comes with a higher level of overhead cost, which can be particularly detrimental to devices with constrained capabilities.
Secondly, it analyses the level of assurance required to access a device, and the level of assurance derived from a successful authentication instance or session, respectively. It then proposes four methods to quantify LoA and use it to govern how authentication should be carried out at run-time in an IoT environment.
Thirdly, it proposes a Multi-Factor Multi-Level and Interaction (M2I) based authentication framework to facilitate multi-LoA and interaction based authentication for IoT applications. The M2I protocols have been evaluated in terms of security and performance. The security evaluation shows that the protocols satisfy the security requirements and are resilient to known attacks. The performance evaluation shows that adopting the interaction mode in authentication in the related use-case scenarios can reduce the communication cost considerably. The One-to-Many (O2M) protocol and the Many-to-One (M2O) symmetric-key based protocols, respectively, cut the communication cost by 42% to 45% and 70% to 74% compared with that of the most related protocol, the Kerberos version 5 protocol. The evaluation also shows that the Peer-to-Peer (P2P) protocol, the O2M protocol, and the M2O symmetric-key based protocols cut the computational cost by 70% to 72%, 81% to 82%, and 89% to 92%, respectively, in comparison with that of Kerberos. The results show that adopting the LoA linked and interaction based approach for authentication can provide more effective and efficient protection for IoT applications.
Date of Award: 31 Dec 2022
Original language: English
Awarding Institution: The University of Manchester
Supervisor: James Garside (Supervisor) & Ning Zhang (Supervisor)

Keywords

  • Level of Assurance (LoA)
  • Multi-factor authentication
  • Multi-level authentication
  • IoT security
  • Internet of Things (IoT)
  • Authentication
