This page is dedicated to the design of a decentralized and multi-authority access control scheme in cloud-assisted Cyber-Physical Systems. The designed architecture integrates four logical entities, that are client application, identity authority, attribute authority, and resource server. They interact each other to provide controlled access to the resources, through a communication protocol made up of four consecutive phases: system configuration, ephemeral identity generation, authentication procedure, and authorization procedure.

The core of the proposed approach leverages and properly extends the Decentralized Multi-Authority – Ciphertext-Policy – Attribute Based Encryption (DMA-CP-ABE) algorithm, proposed by Lewko and Waters in [1] . Differently from the current state of the art, the proposed approach does not use DMA-CP-ABE for protecting (i.e., encrypting) the resource itself, but for managing the access to IoT resources through a flexible and fine-grained authorization mechanism. The resulting algorithm is able to offer the features not covered by the original scheme, while jointly fulfilling all the following requirements: decoupling between authentication and authorization; fine-grained authorization; mutual authentication; support for offline authorization; protection against collusion attacks; time-limited authorization; access rights revocation; user privacy.

The code of the proof-of-concept is freely available here.

Please, see the README file to understand how to setup the system and use the code.

For any problems, contact daniele.caldarola@poliba.it

Enjoy the security framework!
Telematics Research Group – Politecnico di Bari (IT)

[1] A. Lewko and B. Waters, “Decentralizing Attribute-based Encryption,” in Proc. of the 30th Annual Int. Conf. on Theory and Applications of Cryptographic Techniques: Advances in Cryptology, 2011, pp. 568–588.