A Multi-User Collaborative Access Control Scheme Based on New Hash Chain
Abstract
:1. Introduction
2. Related Work
2.1. Access Control
2.2. Hash Chain
3. Multi-User Collaborative Access Control
3.1. Access Control Process
- The edge node applies for access from cloud nodes and blockchain nodes ;
- After receiving the consent request message from the cloud node, the edge node accepts the key sequence from the user;
- The edge node gets the order in which the hash chain is built from the cloud node ;
- The blockchain node accepts user keys as well as the build order from all edge nodes, and then builds a new hash chain based on sequence and order ;
- The blockchain node participates in blockchain consensus based on the hash chain, and builds solution based on the new hash chain ;
- The blockchain node determines whether solution satisfies and, if not, the access fails; if satisfied, the blockchain node broadcasts solution to other blockchain nodes;
- Other blockchain nodes verify solution , and if solution is not equal to , the access fails; if they are equal, the consensus is completed and the block is added;
- The edge node returns the access result to the user.
3.2. Construction Algorithm of New Hash Chain
3.3. Pow Algorithm Based on New Hash Chain
3.4. Establishment Algorithm of Multi-User Collaborative Access Control
3.5. Realization Algorithm of Multi-User Collaborative Access Control
4. Security Analysis
- Threat type 1: The fake block is generated. For the consensus mechanism in the field of multi-user collaborative authentication, we adopted the same assumption as the general consensus mechanism, that is, the longest blockchain is used for authentication. Therefore, when an attacker creates forged blocks in the local blockchain, the authentication process cannot be affected. Another attack scenario for the attacker is to forge and generate blocks, but this paper proposes to send the creation information to other blockchain nodes for verification, and other blockchain nodes can recognize that the current forged node is fake.
- Threat type 2: The fake block is inserted. First, the block insertion operation needs to obtain the permission of the blockchain node, and the attacker cannot verify his identity through the certificate, so he cannot obtain the insertion permission. Second, even if a block is inserted illegally, other blockchain nodes can verify the newly inserted block.
- Threat type 3: The fake transaction is generated. Since the generation of the transaction needs to obtain the key provided by the edge node, and the new transaction cannot be reversed through the existing transaction, the attacker cannot successfully forge the transaction. Assume that the key of the edge node is illegally stolen by the attacker, but in the scenario of multi-user collaborative authentication, it is difficult for the attacker to obtain the keys of all nodes participating in the authentication. In addition, in order to further increase the security of access control, block nodes will avoid using the initial value of the key when generating transactions, but will use different functions to hash and iterate the node key according to certain rules. Therefore, even if an attacker obtains all the original keys, transactions cannot be generated.
- Threat type 4: The block is deleted. Since the scheme is certified by the longest blockchain, even if an attacker deletes a block in the local blockchain, it cannot affect the authentication process. At the same time, the current transaction can be mutually verified with the previous transaction. Therefore, the deletion of any block in the blockchain will be discovered by the blockchain nodes.
- Threat type 5: The transaction has been tampered with. Since the transaction information is generated by the same set of keys according to certain rules, the blockchain nodes can calculate and obtain all possible generated transaction information. In this way, blockchain nodes can determine whether the current blockchain has been tampered with.
- Threat type 6: The blockchain nodes are illegally shut down. If the blockchain nodes in the domain are shut down, the blockchain nodes cannot respond to the access requests of other nodes. However, when the scheme is verified, it can be directly authenticated according to the block, without the authority of the blockchain node. Therefore, when a blockchain node is attacked by Dos, other nodes only need to search for the blocks they need to complete the verification.
- Threat type 7: The cloud nodes expose internal data storage. If the cloud node data are obtained illegally, the attacker can obtain the sequence of the key combination. However, the verification process in this scheme requires three conditions: key, key combination sequence, and key encryption rules. These three parts are, respectively, stored in different nodes, so the verification cannot be completed when only the key combination rules are known.
- DoS Attack: DoS Attack means that an illegal attacker occupies system resources, making it impossible for users to complete access control normally. Suppose an attacker shuts down a blockchain node in a domain through a DoS attack, making the blockchain node unable to respond to access requests from other nodes. However, in this strategy, the access control of users is realized, and authentication can be carried out directly according to the block without the need for the permission of the blockchain node. Therefore, when a blockchain node is attacked by DoS, other nodes only need to search for the block they need to complete the authentication.
- Replay Attack: Replay Attack means that an illegal attacker obtains the authentication information and resends it to the recipient in the same way and format. However, in this method, user access control is implemented by using a new type of hash chain; the passwords are completely different during each authentication. After the method completes an access control, the password used in the access control will be used to verify the next access control. Assume that an illegal attacker illegally intercepts the solution of the target number x currently used for authentication, and the user successfully completes the access control to the system through the solution . At this time, the illegal attacker uses the same method, that is, sends the solution of number x to the blockchain node. After receiving the solution, the blockchain node will judge that the solution cannot be verified and discards the information. Therefore, this method can effectively resist replay attacks.
- Sniffing attack: A sniffing attack is when illegal attackers steal transmission information between devices. However, in this method, the user’s identity information sequence used for access control will be constructed into a hash chain in advance, and it will be encrypted using the elliptic curve encryption algorithm. Therefore, in this policy, the transmission information between smart home devices is encrypted with ciphertext, and the effective time of transmission is set. The encryption level of the elliptic curve encryption algorithm is very high. With the existing computer processing power, it is difficult for an attacker to crack the ciphertext within the limited time of transmission. With this method, the transmission of data will be supplemented with digital signatures to verify some processing information, which can further ensure the security of user identity information.
- Impersonation attack: An impersonation attack is when illegal attackers forge fake data to make the device misjudge its identity. However, in this method, the edge end nodes, blockchain nodes, and cloud nodes will use digital signatures for two-way authentication to ensure that neither the sender nor the receiver is a fake node. If the signature cannot be verified, the user data package will be deleted. In addition, in the access control implementation algorithm of smart home sensing information, the blockchain node will use the saved solution to verify the target solution, and the attacker cannot complete the verification through the forged solution.
- Password attack: Password attack means that illegal attackers complete access control by guessing user passwords. However, in this method, access control is through the verification of user identity information, which consists of various types, including biometric information, digital tokens, and so on. It is difficult for attackers to guess user identity information through password attacks. In addition, the process of implementing access control requires three conditions: key, key combination sequence, and key encryption rules, and these three parts are stored in different nodes. Even if an attacker guesses and obtains user identity information, access control cannot be completed without knowing the combination rules of identity information.
5. Cost Analysis
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Xiao, J.; Guo, H.; Zhou, J.; Zhao, T.; Yu, Q.; Chen, Y.; Wang, Z. Tiny object detection with context enhancement and feature purification. Expert Syst. Appl. 2023, 211, 118665. [Google Scholar] [CrossRef]
- Ma, Z.; Meng, J.; Wang, J.; Shan, Z. Blockchain-based decentralized authentication modeling scheme in edge and IoT environment. IEEE Internet Things J. 2020, 8, 2116–2123. [Google Scholar]
- Kim, D.; Lee, J. A reverse hash chain path-based access control scheme for a connected smart home system. IEEE Consum. Electron. Mag. 2020, 10, 93–100. [Google Scholar] [CrossRef]
- Tai, W.L.; Chang, Y.F.; Li, W.H. An IoT notion–based authentication and key agreement scheme ensuring user anonymity for heterogeneous ad hoc wireless sensor networks. J. Inf. Secur. Appl. 2017, 34, 133–141. [Google Scholar] [CrossRef]
- Gong, L.; Alghazzawi, D.M.; Cheng, L. BCoT sentry: A blockchain-based identity authentication framework for IoT devices. Information 2021, 12, 203. [Google Scholar] [CrossRef]
- Huang, J.C.; Shu, M.H.; Hsu, B.M.; Hu, C.M. Service architecture of IoT terminal connection based on blockchain identity authentication system. Comput. Commun. 2020, 160, 411–422. [Google Scholar] [CrossRef]
- Wang, Z. A privacy-preserving and accountable authentication protocol for IoT end-devices with weaker identity. Future Gener. Comput. Syst. 2018, 82, 342–348. [Google Scholar] [CrossRef]
- Huang, Z.; Wang, Q. A PUF-based unified identity verification framework for secure IoT hardware via device authentication. World Wide Web 2020, 23, 1057–1088. [Google Scholar] [CrossRef]
- Takieldeen, A.; Abd Elkhalik, S.H.; Samra, A.S.; Mohamed, M.A.; Khalifa, F. A Robust and Hybrid Cryptosystem for Identity Authentication. Information 2021, 12, 104. [Google Scholar] [CrossRef]
- Luo, Y.; Li, H.; Ma, R.; Guo, Z. A composable multifactor identity authentication and authorization scheme for 5G services. Secur. Commun. Networks 2021, 2021, 6697155. [Google Scholar] [CrossRef]
- Xiang, X.; Wang, M.; Fan, W. A permissioned blockchain-based identity management and user authentication scheme for e-health systems. IEEE Access 2020, 8, 171771–171783. [Google Scholar] [CrossRef]
- Jia, X.; He, D.; Kumar, N.; Choo, K.K.R. A provably secure and efficient identity-based anonymous authentication scheme for mobile edge computing. IEEE Syst. J. 2019, 14, 560–571. [Google Scholar] [CrossRef]
- Cui, Z.; Fei, X.; Zhang, S.; Cai, X.; Cao, Y.; Zhang, W.; Chen, J. A hybrid blockchain-based identity authentication scheme for multi-WSN. IEEE Trans. Serv. Comput. 2020, 13, 241–251. [Google Scholar] [CrossRef]
- Tsai, J.L.; Lo, N.W. A privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst. J. 2015, 9, 805–815. [Google Scholar] [CrossRef]
- Wang, C.; Zheng, W.; Ji, S.; Liu, Q.; Wang, A. Identity-based fast authentication scheme for smart mobile devices in body area networks. Wirel. Commun. Mob. Comput. 2018, 2018, 4028196. [Google Scholar] [CrossRef] [Green Version]
- Fan, P.; Liu, Y.; Zhu, J.; Fan, X.; Wen, L. Identity Management Security Authentication Based on Blockchain Technologies. Int. J. Netw. Secur. 2019, 21, 912–917. [Google Scholar]
- Mamun, M.; Miyaji, A.; Luv, R.; Su, C. A lightweight multi-party authentication in insecure reader-server channel in RFID-based IoT. Peer-Netw. Appl. 2021, 14, 708–721. [Google Scholar] [CrossRef]
- Kumar, A.; Abhishek, K.; Liu, X.; Haldorai, A. An efficient privacy-preserving id centric authentication in iot based cloud servers for sustainable smart cities. Wirel. Pers. Commun. 2021, 117, 3229–3253. [Google Scholar] [CrossRef]
- Bae, W.I.; Kwak, J. Smart card-based secure authentication protocol in multi-server IoT environment. Multimed. Tools Appl. 2020, 79, 15793–15811. [Google Scholar] [CrossRef] [Green Version]
- Kumari, S.; Karuppiah, M.; Das, A.K.; Li, X.; Wu, F.; Kumar, N. A secure authentication scheme based on elliptic curve cryptography for IoT and cloud servers. J. Supercomput. 2018, 74, 6428–6453. [Google Scholar] [CrossRef]
- Zhang, Z.; Sun, Q.; Wong, W.C. A proposal of butterfly-graph based stream authentication over lossy networks. In Proceedings of the 2005 IEEE International Conference on Multimedia and Expo, Amsterdam, The Netherlands, 6 July 2005; p. 4. [Google Scholar]
- Huang, Q.; Huang, H.; Wang, W.; Li, Q.; Wu, Y. An Authentication Scheme Based on Novel Construction of Hash Chains for Smart Mobile Devices. Wirel. Commun. Mob. Comput. 2020, 2020, 8888679. [Google Scholar] [CrossRef]
Abbreviations | Definitions |
---|---|
Edge node | |
Blockchain node | |
Cloud node | |
The i-th identity information of the user | |
X’s database | |
Sequence of X | |
The i-th element of the hash chain | |
The public key generated by X | |
The hash value generated using the i-th hash function | |
Proof-of-work solution for block j | |
Request with content X | |
The parallel operation of X and Y | |
Use Y to generate the ciphertext of X | |
Use Y to generate the signature of X |
Type of Threat | Detail of Threat |
---|---|
Type 1 | The fake block is generated |
Type 2 | The fake block is inserted |
Type 3 | The fake transaction is generated |
Type 4 | The block is deleted |
Type 5 | The block has been tampered with |
Type 6 | The is illegally closed |
Type 7 | The internal data store is exposed |
Security Function | Our Method | Ma’s Method | Kim’s Method |
---|---|---|---|
Resistant to DoS attacks | Yes | Yes | Yes |
Resistant to replay attack | Yes | No | Yes |
Resistant to sniffing attack | Yes | Yes | Yes |
Resistant to impersonation attack | Yes | Yes | Yes |
Resistant to password attack | Yes | No | Yes |
Multi-user collaborative access control | Yes | No | No |
Algorithm | Time Overhead |
---|---|
Construction Algorithm of New Hash Chain | |
PoW Algorithm Based on New Hash Chain | |
Establishment Algorithm of Multi-user Collaborative | |
Access Control | |
Realization Algorithm of Multi-user Collaborative | |
Access Control |
Scheme | Decision Consensus | Time Complexity | Security |
---|---|---|---|
Kim’s Method | POW | Medium | |
Ma’s Method | PBFT | Strong | |
Our Method | POW | Strong |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Wang, Z.; Li, Y.; Liu, G.; Zhang, D. A Multi-User Collaborative Access Control Scheme Based on New Hash Chain. Electronics 2023, 12, 1792. https://doi.org/10.3390/electronics12081792
Wang Z, Li Y, Liu G, Zhang D. A Multi-User Collaborative Access Control Scheme Based on New Hash Chain. Electronics. 2023; 12(8):1792. https://doi.org/10.3390/electronics12081792
Chicago/Turabian StyleWang, Zetian, Yunfa Li, Guanxu Liu, and Di Zhang. 2023. "A Multi-User Collaborative Access Control Scheme Based on New Hash Chain" Electronics 12, no. 8: 1792. https://doi.org/10.3390/electronics12081792
APA StyleWang, Z., Li, Y., Liu, G., & Zhang, D. (2023). A Multi-User Collaborative Access Control Scheme Based on New Hash Chain. Electronics, 12(8), 1792. https://doi.org/10.3390/electronics12081792