Internet of Things or IoT is the new age revolution in every business vertical these days. Especially during the pandemic, there has been a constant need for tracking symptoms related to COVID. Now that many countries have vaccinated a significant portion of their population, authorities are also looking to track people not vaccinated.
While it may seem to be a great idea to use IoT-based solutions for tracking and tracing COVID-related data, security can be a concern here. According to a research paper prepared based on a security survey of more than 40 android apps used for contact tracing of COVID patients, tracking symptoms shows that about 55% of them store sensitive data in cleartext. At the same time, 55% of these applications also have been producing insecure random values.
There is no denying that IoT-based services need reliable security to ensure that there are no data leaks and privacy of the users is maintained. One such solution is OAuth-based authorization architecture. It is an authorization protocol that allows standardized and straightforward access to data. Let’s first understand the basics of OAuth and then discuss how to leverage it for IoT-based services?
What is OAuth?
OAuth is an open-standard authorization protocol that defines authentication of access to data of unrelated servers and services without sharing initial, related, or single logon information. It is also referred to as the third-party, user agent, or delegated authorization.
OAuth is based on representational state transfer or REST web architecture. In terms of application development, you need to understand that REST APIs can help you create web apps with CRUD( (create, retrieve, update, delete) operations. So, using OAuth for web applications that connect with smart devices based on IoT makes more sense.
Now that we have a brief idea about the OAuth protocol for data authentications let’s see what type of OAuth-based architecture you can use for IoT products.
OAuth-Based Authorization Service Architecture
IoT devices interact with different systems heterogeneous in nature, and that is why security is quintessential for businesses to manage authentication of access to data. A user interacts with the IoT-based systems to access data through a user interface designed to ease navigation and offer better UX. However, what goes behind making these interactions is the deployment of well-structured OAuth-based service architecture.
Some of the critical elements of an OAuth-based service architecture that help enhance the security in IoT devices, like
- Symmetric/asymmetric cryptographic algorithms
- Hashing functions
- Security protocols at network/transport/application layers
The fusion of these elements creates an architecture aimed at providing security features such as confidentiality, integrity, and authentication. OAuth-based authorization architecture can be invoked through a host object or IoT-based smart device. It acts as a remotely triggered switch that filters out all the incoming data access requests to decide which one of them is to be processed. The architecture enables the reduction of the overhead on the smart devices to process many requests and filter the malicious request for better security.
Securing data access in an IoT-based network is essential, primarily using a public cloud vendor to store data. When it comes to cloud security, securing your data access and authentication is vital. Such an architecture can help in securing the entire IoT system, including cloud storage or services.
Source: http://www.tlc.unipr.it/ferrari/Publications/Journals/CiPiGoVeFe_SENSORS15.pdf
Here, a user U creates the information or data which first reaches the service provider(SP) that hosts data generated by the users and makes it available through Application Programming Interface(APIs). The Service Consumer(SC) accesses the information stored by SP through APIs.
OAuth adds a layer of authorization through Authentication services to secure the API interaction between SP and SC. The entire process of data generation to the data getting authenticated is as follows,
- User(U) is willing to use a medium(SC) to offer data as the web, mobile, and others.
- SC needs to access the personal information of the users hosted on SP for verification purposes, and that is why it asks for an RT or Request Token.
- A request token is a temporary ticket that SC uses to authenticate access to personal information.
- SP verifies the identity of SC and returns an RT.
- Next, the user is redirected to the SP’s authentication service(AS) with an RT.
- The user then interacts with AS and grants permission to SC to access personal information after verification of RT.
- RT is exchanged between U and SC for an access token or AT
- SC receives AT through authentication callback
- SC issues requests including AT to SP for services that require permission from the user, also known as the secured APIs.
The entire design of the OAuth-based architecture has one goal of offering SP capabilities to integrate the authentication layer without the implementation overhead. These capabilities are for HTTP requests or COAP(Constrained Application Protocol).
There are two crucial elements in OAuth architecture for IoT devices. It is essential to understand that remote configuration of the AS or Authentication Services is quintessential. It helps businesses who are using the MVP or Minimum Viable Product approach for their IoT apps. The remote configuration will reduce their development time and help reduce the time-to-market of the beta version.
Now, let’s understand more about access tokens and request tokens exchange that helps in securing the API interactions between service providers and end device or web.
AT Granting Process
Source: http://www.tlc.unipr.it/ferrari/Publications/Journals/CiPiGoVeFe_SENSORS15.pdf
With an OAuth-based architecture, the use of security protocols becomes more transparent for SC. It offers complete backward compatibility with standard OAuth client applications. RT works as a key for the SC to access information in the SP. At the same time, authentication services that are delegated with the SP help SC access the data by offering an AT. The exchange of RT and AT enables granting of access to information. Processing of AT is facilitated through the callback URL of authentication.
However, the authentication service doesn’t need to be delegated in the SP only as it can interface with third-party authentication services like OpenID. Such an interface can include QR codes generated on users’ mobile devices to access OpenID Connect data. So, you can configure these services remotely without having the restrictive delegations to SP. The data that SP holds before granting access to SC should be only related to the identity of users.
Request Authorization
Source: http://www.tlc.unipr.it/ferrari/Publications/Journals/CiPiGoVeFe_SENSORS15.pdf
Request authorization depends on the SP’s scrutiny of access requested by SC. What an IoT-OAuth secure architecture does is improve the transparency between SC and SP. With this architecture in place, the implementation of the OAuth logic for authentication of requests is not SP’s responsibility.
So, the overhead of implementation is reduced, making the IoT systems more lightweight and yet secure. It is an excellent option for businesses looking to make IoT-based smart devices sleeker in design as they don’t have to work around much processing power. Even service providers facilitating the interaction between the database and intelligent devices will have a reduced load of processing each request and authorizing them.
Conclusion
Security is an essential part of any application development due to data theft risks and compliance with data regulation protocols. At the same time, increased exposure to IoT-based intelligent devices and a surge in their demand have caused more data. Authentication of large amounts of data simultaneously can be tedious for service providers with the need for massive resources. An OAuth-based architecture can not only help keep your apps lightweight but reduce the cost of operations.
Top comments (1)
ACE OAuth is a draft specification designed specifically for this.
github.com/ace-wg/ace-oauth