Conference Paper · December 2019
DOI: 10.1109/TENCON.2019.8929720


DecAuth: Decentralized Authentication Scheme for IoT Device Using Ethereum Blockchain

Bhabendu K. Mohanta (1), Anisha Sahoo (2), Shibasis Patel (3), Soumyashree S. Panda (4), Debasish Jena (5), Debasis Gountia (6)
(1,2,3,4,5) Department of Computer Science & Engineering, IIIT Bhubaneswar, Odisha, India, 751003
(6) Department of Computer Science & Engineering, IIT Roorkee, Uttarakhand, India, 247667
Email: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Abstract—The Internet of Things (IoT) has attracted a great deal of attention over the last decade, and the number of connected IoT devices now exceeds the world population. Because the devices are low-cost, easy to deploy and simple to implement, the application areas are broad: smart cities, smart homes, smart transportation, environmental monitoring, agriculture and many more. IoT systems also raise security and privacy challenges, and device identification is one of them in any IoT application; authentication is the process by which a device is identified. Although some work has been done on this problem, most of it relies on a centralized system. In this paper we propose a decentralized authentication scheme based on Blockchain technology. The scheme is implemented on the Ethereum platform and evaluated there.
Index Terms—Authentication, Decentralized, Blockchain, IoT Device, Ethereum.

I. INTRODUCTION
According to a Cisco estimate, the number of IoT devices will cross 50 billion by 2020. Since its emergence around 2008, IoT has shown great promise in many application areas, and it has made everyday life easier and more comfortable. Because of their low processing power and small memory, existing security algorithms are often unsuitable for IoT devices. Among the security issues in IoT are confidentiality, integrity, availability, identification and authentication.

Blockchain [1] is a decentralized architecture in which all transactions are recorded in a digital ledger. The nodes are connected in a distributed manner, like a mesh topology. A transaction between any two nodes is verified by the Blockchain network and, after the mining process, the completed transaction is recorded in a block. A block consists of a number of valid transactions between different nodes. Once recorded in a block, a transaction can never be changed, so the Blockchain provides an immutable digital ledger shared by all nodes in the network. It builds trust among all users because every user holds the same set of digital records and can see whatever happens in the network. The security and privacy of users are addressed with public and private keys and digital signatures. A Blockchain is a distributed computation and information-sharing platform that lets multiple nodes which do not trust each other take part in decision making. The problem with a centralized system is the single point of failure; in a decentralized system there are multiple coordination points, which removes it, and in a distributed environment every node collectively executes the job. Blockchains come in two types, permissioned and permissionless [2], on which applications can be built.

[Fig. 1. Application area of Internet of Things.]

In this work we have implemented a Blockchain smart contract on the Ethereum platform, on which a web authentication mechanism, Ethereum Authentication (DecAuth), is built. DecAuth is an attempt at a decentralized site login and authentication protocol, analogous to the “Log In with Facebook” button that we have all become accustomed to. It is a smart contract that stores user IDs and their associated wallet addresses, and it works on the concepts of digital signatures and hashing. IoT has many application areas, as shown in Fig. 1, and each application is built on a basic three-layer architecture consisting of sensor devices, connecting devices and user devices that monitor the environment.

978-1-7281-1895-6/19/$31.00 ©2019 IEEE    558
II. BACKGROUND STUDY
The Internet of Things is widely studied by the research community to address the challenges associated with the technology, and IoT is used in almost every area to obtain real-time information. From the security point of view, challenges remain to be addressed, although some research has already been done. Authentication is the process of recognizing devices. In [3], breathing is used as the input to authenticate IoT devices using a recurrent neural network. The authors of [4] describe a two-factor authentication scheme for IoT devices and state that it is computationally efficient. Similarly, [5] and [6] describe authentication of IoT devices using accelerometer-based speed-adaptive gait and a privacy-preserving and accountable protocol, respectively. In [7], the authors explain access control and IoT device management using Blockchain technology. The authors of [8] propose a machine-learning-based framework for authenticating IoT devices, and [9] proposes an ECC-based authentication system.

Most IoT device authentication schemes are centralized, that is, they depend on a single server. This creates a single point of failure, and users have to trust the server. Our objective is therefore a secure and decentralized authentication scheme based on a Blockchain such as Ethereum. An Ethereum account is, after all, a cryptographically secure key pair in which the public key determines the wallet address and the private key is never transmitted over the network. Because the private key is known only to its owner, asymmetric cryptography can be used to authenticate users; in the simplest case the Ethereum wallet address itself serves as the user ID of an IoT device.

III. IMPORTANCE OF IOT DEVICE AUTHENTICATION
Over the last decade IoT has emerged as one of the most promising fields of research, and since the concept arose a great deal of development has taken place in different applications. The architecture of IoT [10] basically has three layers: perception, network and application. Security and privacy issues are the main challenges to implementing applications with IoT, among them [11] access control, authentication, centralized versus distributed networking and the identity of things. Visualization [12] is another important aspect of an IoT application: the end user monitors the environment using a mobile phone or tablet. In [13], the authors propose different architectures for building IoT applications; IoT applications use both centralized and decentralized architectures, and the decentralized architecture has an advantage over the centralized one.

A. Working Procedure of IoT System
An IoT application has different stages, as shown in Fig. 2: different types of sensors are connected to collect data, processing and computation may depend on cloud computing or the more recent fog computing, and the data can be stored at the edge device or at the cloud server depending on the storage space available.

[Fig. 2. Architecture of Internet of Things based on Fog and Cloud Computing.]

• IoT/Physical layer: In this layer, all the required sensors are deployed in the application area. The sensors are connected to the next layer over WiFi or by wire.
• Fog layer/Processing layer: IoT applications demand fast processing and quick response for better utilization of the system. Most applications collect data from sensors that must be processed at the edge of the network for faster processing, with temporary storage for quick analysis. Decisions can be taken by analyzing the data either collaboratively or in a distributed way by mutual agreement.
• Cloud layer/Storage layer: Cloud computing provides infrastructure, platform and software as a service. In an IoT application the sensors collect information from the environment continuously, so it is not possible to provide large memory locally; IoT devices have little memory, and the storage capacity of a fog device is also limited, so the final storage must be provided by the cloud.

B. Necessity of Device Authentication
Authentication of IoT devices guarantees that a device connected to the IoT application can be trusted. When devices perform any operation in an application, they need to be identified using a unique ID. Using that ID, a device can connect to the next layer and take part in collective computation. Authenticating the devices means that communication can be done securely, since all nodes are identified by their ID. In [14] and [15], the authors explain that IoT security can be

2019 IEEE Region 10 Conference (TENCON 2019) 559


addressed by Blockchain technology. Similarly, in [16] the authors propose a model that addresses privacy issues in IoT.

IV. SOLUTION APPROACH
IoT device authentication is the process of identifying the devices in an application by a unique ID. In this work we have developed a decentralized scheme for IoT device authentication in which the authentication step is carried out on a Blockchain. The implementation uses the Ethereum platform, and the Web3 client (the Ethereum JavaScript API) integrates the smart contract with the frontend.

A. Decentralized Authentication
DecAuth is an attempt at a decentralized site login and authentication protocol, analogous to the “Log In with Facebook” button that we have all become accustomed to. It is a smart contract that stores user IDs and their associated wallet addresses. The user ID is simply a UTF-8 string between 2 and 32 bytes long. The user creates it when the wallet is set up and later uses it to enter any site that supports DecAuth. It would also be possible to restrict the characters allowed in the string, for example to Latin letters and Arabic numerals (a subset of 7-bit ASCII), to limit the possibility of creating visually similar IDs. When an account is created with DecAuth, a pair of keys is created: an authorization key (authAddr) and a key to restore access (recoveryKey). The name “recoveryKey” is perhaps not the best, since this address is used to manage the account and not merely for recovery. When created, both addresses are the same as the address of the wallet that sent the creating transaction. Users who care about their security should create a separate master key and store it in a place that is not reachable online; it is perhaps safest to store it on paper in cold storage. Paper storage relies on what is called a recovery seed, a set of 12 mnemonic words from which the key pairs of the wallet can be recreated. If a wallet is used for authentication, it is also recommended to use an address separate from the one that holds all of our Ether, so that an attacker cannot trace our authKey to the wallet with our assets. For now, a separate authKey and recoveryKey cannot be chosen at account creation; this is something that could be added in later iterations of the smart contract. Users who want further protection may consider VPN services.

B. Using Decentralized Authentication
There is a dedicated web page for the user's interaction with the smart contract, where an account can be created, its keys changed, or the account deleted. To work with it, the user needs to install the well-known browser plugin MetaMask; an avid user of the Ethereum network will already have used MetaMask and have an idea of how it interacts with the network. The overall user authentication process with DecAuth looks like this:
• The site (backend) contacts the smart contract and receives the user's Ethereum address.
• The site (backend) generates and records a message, and asks the user to sign this message with the authKey address.
• The user, on the site (frontend), signs the message using the MetaMask plugin and sends it to the backend.
• The site (backend) verifies the signature and, if everything is in order, activates the user's session.
It is important that the authentication checks take place in an environment the user does not control; in other words, all of the checks should be completed on the server rather than in the user's browser.

One problem we may encounter is signature verification in the frontend, since not all browsers support elliptic curves. This can be resolved by adding a function to the smart contract that returns the “ecrecover” result for the message.

As a result, we have a viable proof of concept of a decentralized authentication system based on Ethereum and the MetaMask plugin. The system still needs several modifications to provide user anonymity. The user can restore access if the primary key is lost (but not if the recovery key is lost).

The decentralized system is not subject to censorship by large entities such as Google or Facebook. If something has to be censored, each website must implement it independently, and this affects only the user's interaction with that site and not with any other.

The Ethereum network currently has rather slow transaction times (when creating an account, the user may have to wait a few minutes), but sites can read the data and verify users quickly.

The solution scales well, because there are many data nodes and anyone can add another one at any time. The complexity of implementing it for a site owner is no higher than that of implementing OAuth 2.0.

V. EXPERIMENTAL SETUP
We have used an Ethereum Blockchain connected to an Ethereum wallet account provided by Ganache, a test Ethereum network intended for development. The smart contract [17] is written in the Solidity language and managed with the Truffle framework. MetaMask is used as the web3 browser and ReactJS for the frontend.

The user's signing step is performed on the client side using Ethereum's web3.js (the signature check itself belongs on the backend, as noted in Section IV-B). The user's identity is controlled by the user's master account, which is used for managing accounts.

Prerequisites:
1) nodejs ≥ 8.5



2) vscode
3) npm install -g truffle
4) npm install -g ganache
5) npm install -g openzeppelin-solidity

VI. THE SMART CONTRACT DECAUTH'S ASSOCIATION RULES

The rules of association of the DecAuth smart contract are described as follows.

------------------------------------------
Smart Contract (the pseudocode rules, written out in Solidity 0.5)
------------------------------------------
pragma solidity ^0.5.0;

// Parameters: ln = login_name (a 2..32-byte string, Sec. IV-A); a = address
contract DecAuth {
    struct Account {
        address authAddr;      // authKey: signs login challenges
        address recoveryAddr;  // recoveryKey: manages and deletes the account
    }
    mapping(string => Account) private accounts;

    event Create(string ln, address owner);
    event AuthChange(string ln, address authAddr);
    event RecoveryChange(string ln, address recoveryAddr);
    event Drop(string ln);

    modifier exists(string memory ln) {
        require(accounts[ln].recoveryAddr != address(0), "unknown login name");
        _;
    }

    // createAccount(ln): both keys start as the wallet that sent the transaction
    function createAccount(string memory ln) public {
        require(bytes(ln).length >= 2 && bytes(ln).length <= 32, "bad id length");
        require(accounts[ln].recoveryAddr == address(0), "id already taken");
        accounts[ln] = Account(msg.sender, msg.sender);
        emit Create(ln, msg.sender);
    }

    // authAddress(ln): read by the site backend before it issues a challenge
    function authAddress(string memory ln) public view returns (address) {
        return accounts[ln].authAddr;
    }

    // setAuthAddress(ln, a): allowed for the current authKey or the recoveryKey
    function setAuthAddress(string memory ln, address a) public exists(ln) {
        Account storage acc = accounts[ln];
        require(msg.sender == acc.authAddr || msg.sender == acc.recoveryAddr, "not authorised");
        acc.authAddr = a;
        emit AuthChange(ln, a);
    }

    // recoveryAddress(ln)
    function recoveryAddress(string memory ln) public view returns (address) {
        return accounts[ln].recoveryAddr;
    }

    // setRecoveryAddress(ln, a): only the recoveryKey; never the zero address,
    // which would leave the account unmanageable
    function setRecoveryAddress(string memory ln, address a) public exists(ln) {
        require(msg.sender == accounts[ln].recoveryAddr, "not recovery key");
        require(a != address(0), "zero address");
        accounts[ln].recoveryAddr = a;
        emit RecoveryChange(ln, a);
    }

    // dropAccount(ln): only the recoveryKey
    function dropAccount(string memory ln) public exists(ln) {
        require(msg.sender == accounts[ln].recoveryAddr, "not recovery key");
        delete accounts[ln];
        emit Drop(ln);
    }

    // signerAddress(): keccak256 + ecrecover over a MetaMask personal_sign
    // signature of msgHash, for backends without elliptic-curve support (Sec. IV-B)
    function signerAddress(bytes32 msgHash, uint8 v, bytes32 r, bytes32 s)
        public pure returns (address)
    {
        bytes32 prefixed = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", msgHash));
        return ecrecover(prefixed, v, r, s);
    }
}
------------------------------------------

[Fig. 3. Homepage.]
[Fig. 4. Registering user.]

VII. RESULT ANALYSIS
The DecAuth scheme is implemented on the Ethereum platform and the user interface is designed in ReactJS. Screenshots of the implementation follow, covering the user interface of the dashboard, an example auth agent and the smart contract implementation.

A. Homepage
This is the user interface where users/IoT devices register and then administer their account. Without registration, a user cannot log in to the decentralized web authentication system, and administration is required for key management.

B. Registering Users
The Registration button on the homepage leads to registration, where two key addresses are generated: the authKey address and the recoveryKey address.

C. Key Management
The Administration button on the homepage leads to key management, where the authKey address and the recoveryKey address can be changed, so that if the user loses the authKey, the recoveryKey address can be used to restore access to the account. In short, this is where the authKey and recoveryKey are changed.



[Fig. 5. Key management.]
[Fig. 6. Login.]

D. Login
This is the user interface through which a user who has already registered can log in to the DecAuth website; unregistered users cannot.

[Fig. 7. Digital signature from the frontend.]

E. Digital Signature from the Frontend
Here the message is signed by the user in the frontend using the MetaMask extension. The signature is then verified against the authKey address stored in the Blockchain and, if it matches, the user's session is activated.

VIII. SECURITY ANALYSIS
An IoT deployment has many security and privacy issues to address. Here a decentralized approach to authentication is proposed to increase IoT network connectivity and build trust among all the devices. In an IoT system, information must not only be communicated securely; the system also needs to identify which devices are authenticated. With Blockchain-based authentication the devices are connected peer to peer, and each device is identified by its public key, a unique key generated by the system. Security and integrity of the IoT system are ensured without a centralized component. The proposed authentication protocol is secured against the following attacks:
1) MITM (Man-in-the-Middle): Every message sent from one node to another is protected by hashing and public/private-key cryptography, so only the authorized user can use it, and any modification of the message is detected and ignored by the receiver. Message exchange also uses digital signatures, one of the basic concepts of Blockchain technology.
2) Impersonation attack: Every transaction in the Blockchain network is verified and mined by the network using the mining process and digital signatures. Each user's identity is added to the system through the authentication process, and a login challenge can only be signed by the holder of the authKey's private key.
3) Replay attack: In a Blockchain environment no node can capture more than half of the network's power, and every transaction sent or received is recorded in the digital ledger after verification and mining, so no transaction can be transmitted multiple times in the network. For the login step itself, replay is prevented only because the backend generates and records a fresh message for every login (Section IV-B): a signature over an old message must be rejected.
4) DoS attack: Every message is broadcast in the network and goes through a verification process that decides whether the transaction is valid or invalid, so invalid transactions are dropped before they load the network. This argument covers the on-chain part; the site's own backend must still rate-limit login attempts like any other web service.
Because of all these security issues, a decentralized web authentication system based on Blockchain is proposed which is not password-based: authentication is done with the authKey, a 160-bit address derived by hashing the public key, which is secure enough to prevent the attacks above.

IX. CONCLUSION
The Internet of Things is one of the most rapidly emerging technologies. The use of IoT in different applications has improved the living



standard of human beings in areas such as smart homes, smart cities, smart transportation and smart healthcare systems. In all of these cases, users can monitor or even control the system in real time. In this paper, DecAuth (Decentralized Authentication), a scheme built on the Blockchain concept, is proposed and implemented on the Ethereum platform. The experimental results show that authentication of an IoT device can be carried out in a decentralized way, and the security analysis argues that the scheme resists the attacks considered in Section VIII.
REFERENCES
[1] T. Salman, M. Zolanvari, A. Erbad, R. Jain, and M. Samaka, “Security services using blockchains: A state of the art survey,” IEEE Communications Surveys & Tutorials, vol. 21, no. 1, pp. 858–880, 2018.
[2] T. Neudecker and H. Hartenstein, “Network layer aspects of permissionless blockchains,” IEEE Communications Surveys & Tutorials, vol. 21, no. 1, pp. 838–857, 2018.
[3] J. Chauhan, S. Seneviratne, Y. Hu, A. Misra, A. Seneviratne, and Y. Lee, “Breathing-based authentication on resource-constrained IoT devices using recurrent neural networks,” Computer, vol. 51, no. 5, pp. 60–67, 2018.
[4] P. Gope and B. Sikdar, “Lightweight and privacy-preserving two-factor authentication scheme for IoT devices,” IEEE Internet of Things Journal, vol. 6, no. 1, pp. 580–589, 2019.
[5] F. Sun, C. Mao, X. Fan, and Y. Li, “Accelerometer-based speed-adaptive gait authentication method for wearable IoT devices,” IEEE Internet of Things Journal, vol. 6, no. 1, pp. 820–830, 2019.
[6] Z. Wang, “A privacy-preserving and accountable authentication protocol for IoT end-devices with weaker identity,” Future Generation Computer Systems, vol. 82, pp. 342–348, 2018.
[7] A. Z. Ourad, B. Belgacem, and K. Salah, “Using blockchain for IoT access control and authentication management,” in Proc. of the International Conference on Internet of Things, pp. 150–164, 2018.
[8] P. Punithavathi, S. Geetha, M. Karuppiah, S. H. Islam, M. M. Hassan, and K.-K. R. Choo, “A lightweight machine learning-based authentication framework for smart IoT devices,” Information Sciences, vol. 484, pp. 255–268, 2019.
[9] A. Tewari and B. Gupta, “A lightweight mutual authentication protocol based on elliptic curve cryptography for IoT devices,” International Journal of Advanced Intelligence Paradigms, vol. 9, no. 2-3, pp. 111–121, 2017.
[10] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, and W. Zhao, “A survey on Internet of Things: Architecture, enabling technologies, security and privacy, and applications,” IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1125–1142, 2017.
[11] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, “Security, privacy and trust in Internet of Things: The road ahead,” Computer Networks, vol. 76, pp. 146–164, 2015.
[12] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.
[13] R. Roman, J. Zhou, and J. Lopez, “On the features and challenges of security and privacy in distributed Internet of Things,” Computer Networks, vol. 57, no. 10, pp. 2266–2279, 2013.
[14] M. A. Khan and K. Salah, “IoT security: Review, blockchain solutions, and open challenges,” Future Generation Computer Systems, vol. 82, pp. 395–411, 2018.
[15] I. Makhdoom, M. Abolhasan, H. Abbas, and W. Ni, “Blockchain's adoption in IoT: The challenges, and a way forward,” Journal of Network and Computer Applications, 2018.
[16] P. Lv, L. Wang, H. Zhu, W. Deng, and L. Gu, “An IoT-oriented privacy-preserving publish/subscribe model over blockchains,” IEEE Access, vol. 7, pp. 41309–41314, 2019.
[17] Y. Zhang, S. Kasahara, Y. Shen, X. Jiang, and J. Wan, “Smart contract-based access control for the Internet of Things,” IEEE Internet of Things Journal, 2018.
