
In classic identity management, certain protection methods have been established over the years to protect an identity from abuse. We have authentication methods to prove identities and secure channels to transmit identity attributes, and passwords and other data are stored encrypted.
Security concepts like integrity, availability, authenticity and non-repudiation are built into classic identity protocols like SAML and OpenID. In the Internet of Things the situation is different. Here, many communication protocols are not based on the Internet Protocol. Many sensors or actuators have only restricted resources in terms of energy, bandwidth and connectivity. Protocols like EnOcean or KNX use only a few bytes to send commands or receive values. There is no room for encryption, challenge-response procedures or other security mechanisms.

Authentication

The classic authentication mechanisms (e.g. login/password) may not work directly in the IoT. Objects have to provide some sort of lightweight token or certificate for authentication where no user (providing a password) is involved. For stronger authentication of individuals we usually combine two or more factors. These factors are based on the following proofs:

  • “Something that you have”
  • “Something that you know”
  • “Something that you are” (e.g. biometry)

In the IoT the last two proofs are not applicable to objects anymore.
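
The following sketch is an added example, not part of the original page. It shows one way an object can prove "something that you have" (a per-device secret key) with a lightweight token and without a challenge-response round trip. The frame layout, the 4-byte truncated MAC and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4   # assumption: tag truncated to 4 bytes to fit a small frame
HDR_LEN = 8   # 4-byte device id + 4-byte message counter

def make_token(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: build id | counter | payload | truncated HMAC-SHA256."""
    header = struct.pack(">II", device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag

class Verifier:
    """Gateway side: knows each device's key and its last accepted counter."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys
        self.last_counter: dict[int, int] = {}

    def verify(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HDR_LEN + MAC_LEN:
            return None
        header, payload, tag = frame[:HDR_LEN], frame[HDR_LEN:-MAC_LEN], frame[-MAC_LEN:]
        device_id, counter = struct.unpack(">II", header)
        key = self.keys.get(device_id)
        if key is None:
            return None                      # unknown object
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # sender does not hold the key
        if counter <= self.last_counter.get(device_id, -1):
            return None                      # replayed or stale frame
        self.last_counter[device_id] = counter   # advance only after a valid MAC
        return payload

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    key, dev = bytes(range(16)), 0x0180A2F3
    gateway = Verifier({dev: key})
    frame = make_token(key, dev, 1, b"\x01")     # e.g. a one-byte "switch on" command
    print(gateway.verify(frame))                 # accepted
    print(gateway.verify(frame))                 # same frame again: rejected as replay
```

The counter replaces the challenge of a challenge-response scheme, so the device only ever transmits. The truncated tag costs 4 bytes per frame and trades forgery resistance for size.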


The IoT from (a very simplified) logical point of view

...