Secure IoT ecosystems require new identity management solutions to cope with new challenges due to the inherent nature and requirements of IoT, where the identities of a huge amount of heterogeneous smart objects need to be managed. Current proposed solutions need to be adapted to the envisioned scenarios allowing more flexible sharing models, as well as volatile and dynamic security associations between entities, while privacy is still preserved, keeping data minimization and unlinkability as main concerns.
Identity Management in the Internet of Things (IoT), unlike in traditional systems that are often concerned with the management of identities of users, requires taking into account different kind of identities and their relationships. Despite the fact that IoT objects may have different networking identifiers they also have to possess their own identity to be distinguished from other similar devices. Objects can be identified not only by a core identifier but also by using specific features or attributes that distinguish the object. Moreover, objects can have a core or real identity and some other temporal identities may be used according to the context, for instance, according to its location in a particular moment. On the other hand, objects could act on behalf of a user. These objects could then be aware of the identity of their owners.
Delegation schemes are important to authorize objects to perform actions on behalf of the user, making use of certain virtual identities according to the context. The identity management should be distributed in order to authenticate objects between each other but, at the same time, centralized enough to be able to establish a hierarchical approach where identities’ credentials can be issued and authenticated securely enabling a global digital trust environment. As privacy concerns are of paramount importance in IoT mechanisms for anonymity making use of partial identities are required.
A partial identity is a subset of the attributes that comprise the complete or real identity of the user. Thus, an identity of a particular user or object may be composed of many different partial identities. Each of these partial identities can be used to represent the user or the object in different circumstances according to the context and social situation. The real identity is the union of all the attributes of the partial identities of the user or object. The attribute values of the partial identities can change over time. In fact, even the attributes that comprise the partial identity can change. As real identities, partial identities may comprise not only traditional user personal attribute values like names, identifiers, and addresses, but also object features like hardware characteristics, model, software version, and so on.
Additionally, a partial identity could also be comprised by pseudonyms. In fact a partial identity could have a pseudonym as an identifier. Such a identifier in the partial identity could provoke linkability as long as the pseudonym is not changed over the time. Besides, static or easily determinable attributes of the partial identity can also provoke linkability. Depending on the representativeness of the set of the attributes that comprise the partial identity, it could sufficiently serve to identify the real user of object identity. Therefore, there are different sets of attributes that represent an identity, which enables different degrees of anonymity.
In order to achieve a true Identity Management in the Internet of Things (IoT), an essential feature is to provide support for finding the IoT devices in order to be addressable, named, and finally discovered. Unlike in small-scale application silos making up an Intranet of Things, applications and services cannot be configured with respect to a fixed set of services. This is mainly due to the underlying dynamics of the IoT system resulting from the mobility of physical entities and IoT devices, as well as the changing availability of services due to constraints of the underlying resources and devices. Therefore, a real need exists for a suitable infrastructure to be in place that allows addressing, naming and discovery of IoT services allowing a way to link identities of IoT and smart object and their security and privacy attributes:
– IoT Addressing: an IoT address refers to an identifier of a smart object and/or its virtual representation. This feature entails the assignment and management of addresses/identifiers for smart objects.
– IoT Naming: it refers to mechanisms and techniques for assigning names to objects and supporting their resolution/mapping to IoT addresses. IoT Naming provides the means to identify smart objects through a resolution mechanism of a name according to a naming system. Additionally, names can be organized according to taxonomies or classifications in a hierarchical fashion and according to a well-defined naming system. Consequently, names can be also used for groups of objects.
– IoT Discovery: it refers to the process of locating and retrieving IoT resources in the scope of a large and complex space of smart objects.
Previous concepts are closely related, given that the adherence to certain choices and solutions (e.g., standards, mechanisms, algorithms, tools) for one area (e.g., choice of addresses/identifiers) can directly affect the respective choices and solutions in the other areas (e.g., naming system used). As a consequence, the consideration of solutions for one area cannot be seen as isolated from the others.
Antonio will speak more about sensor identity and security for IoT in the IoT panel discussion at IEEE’s Technology Time Machine conference, #ieeettm, in San Diego on 20 October 2016.
Antonio Skarmeta is an IEEE IoT volunteer and General and Tutorial Chair for the Technical Program of the IEEE World Forum on Internet of Things, and is a Professor at University of Murcia, Spain
Edited by
Stefania Viscusi
