Internet of Things Architecture


Internet of Things – Architecture © - 105 -


On one side, we want to build a trustworthy system, i.e. one in which every entity
can prove its own trust value, either through trust-building mechanisms or
through certificates distributed by some authority.


On the other side, we want the system to provide each entity with the privacy
that it requires, without forcing it to disclose more personal information than it
wants to.


This tension between security and privacy also emerges in our reference model.
For example, trust-evaluation mechanisms do not couple well with the many
pseudonyms an entity might present to protect its privacy in various scenarios:
a malicious entity can fool the system by presenting, within a given context,
whichever of its pseudonyms has built up the highest trust value so far. It thus
becomes very important to strongly bind the trust value of an entity to its
root ID.


But, on the other side, this poses clear problems for the privacy of the
entities: if the trust value has to be calculated on the fly, based on certificates
given to that entity in the many interactions it has had in the past, all bound to
its root ID, the entity can be easily traced inside the IoT, even though it presents
different pseudonyms.


A solution to this problem is to have the trust value recalculated, each time
an interaction occurs, by a single trustworthy system component which is also
able to bind the various pseudonyms to root IDs. This solution guarantees
correct trust values for all entities in the system while preserving their privacy.
However, it has two major drawbacks: (1) the single component would become a
huge bottleneck in the system; (2) it would become a single point of failure: by
compromising it (or tampering with it) an attacker would be able to
de-anonymize all entities in the system, or even change trust values at will,
boosting the trust values of malicious entities and lowering the trust values of
others.


For the above reasons, we believe that within the IoT-A system we should opt
for a mechanism which trades off trust for privacy: subjects are allowed just
one trust value, valid for a certain number of pseudo-identities, and included in
a trust certificate signed by the AuthN component. The trust value is then
updated each time the subject interacts in the system, by the counterpart of
that interaction. The trust value is to be used for sensitive interactions and/or
access to sensitive system resources, data, and services, for which the
subject is thus required to present one of the pseudonyms bound to the trust
certificate. This prevents a subject from faking its unique trust value and from
presenting the most convenient trust value for every pseudonym: the certificate
comes with a clear binding between the pseudonyms for which it holds and the
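The mechanism described above, as an added illustration that is not part of the IoT-A document: a small Python model in which an AuthN component holds the only mapping from root IDs to pseudonyms, issues a certificate carrying one trust value bound to all of a subject's pseudonyms, and re-issues it when the counterpart of an interaction reports feedback. The verifier side shows what the binding buys a service guarding a sensitive resource: a pseudonym outside the certified set is refused, a certificate whose trust value was raised by hand fails the signature check, and a lowered trust value applies to every pseudonym of the subject at once, so there is no "best" pseudonym to pick. The HMAC signing key, the feedback-reporting path, the freshness (version) check and all names and values are assumptions made for this example; the page fixes none of them, and a real deployment would use a public-key signature so that verifiers hold only the AuthN public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret held by the AuthN component (assumption: the page names the
# component but no signature scheme; an HMAC stands in for a real signature here).
AUTHN_KEY = b"constructed-authn-signing-key"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(body: dict) -> str:
    return hmac.new(AUTHN_KEY, _canonical(body), hashlib.sha256).hexdigest()


@dataclass
class AuthN:
    """The only component that knows which pseudonyms belong to which root ID."""
    # root_id -> {"pseudonyms": [...], "trust": float, "version": int}
    registry: dict = field(default_factory=dict)

    def enrol(self, root_id: str, pseudonyms: list, initial_trust: float = 0.5) -> dict:
        self.registry[root_id] = {
            "pseudonyms": sorted(pseudonyms), "trust": initial_trust, "version": 1}
        return self.issue(root_id)

    def issue(self, root_id: str) -> dict:
        """Trust certificate: ONE trust value bound to ALL of the subject's pseudonyms.
        The root ID itself never leaves AuthN, so the certificate does not expose it."""
        rec = self.registry[root_id]
        body = {"pseudonyms": list(rec["pseudonyms"]), "trust": rec["trust"],
                "version": rec["version"]}
        return {"body": body, "sig": _sign(body)}

    def report(self, pseudonym: str, delta: float) -> dict:
        """Feedback from the counterpart of an interaction, filed under the pseudonym
        it saw (assumption: counterparts report to AuthN, which re-issues the cert)."""
        for root_id, rec in self.registry.items():
            if pseudonym in rec["pseudonyms"]:
                rec["trust"] = min(1.0, max(0.0, rec["trust"] + delta))
                rec["version"] += 1
                return self.issue(root_id)
        raise KeyError("pseudonym not enrolled")


def verify_presentation(cert: dict, pseudonym: str, min_trust: float,
                        latest_version: Optional[int] = None) -> tuple:
    """Check run by a service guarding a sensitive resource. Returns (accepted, reason)."""
    body = cert["body"]
    if not hmac.compare_digest(cert["sig"], _sign(body)):
        return False, "signature invalid (tampered or forged certificate)"
    if pseudonym not in body["pseudonyms"]:
        return False, "pseudonym not bound to this certificate"
    if latest_version is not None and body["version"] < latest_version:
        return False, "stale certificate (trust value has since been updated)"
    if body["trust"] < min_trust:
        return False, "trust value below threshold"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: one subject enrolled with three pseudonyms."""
    authn = AuthN()
    cert = authn.enrol("root-42", ["p-home", "p-work", "p-guest"], initial_trust=0.5)
    results = {}
    # Any bound pseudonym may be presented; the trust value is the same for all of them.
    results["bound_ok"] = verify_presentation(cert, "p-work", 0.4)[0]
    # A pseudonym outside the certified set is refused.
    results["unbound"] = verify_presentation(cert, "p-other", 0.4)[0]
    # Raising the trust value in the body breaks the AuthN signature.
    forged = {"body": dict(cert["body"], trust=0.99), "sig": cert["sig"]}
    results["forged"] = verify_presentation(forged, "p-home", 0.9)[0]
    # A counterpart reports misbehaviour under p-guest; the single trust value drops
    # for every pseudonym of the subject, not only for the one that misbehaved.
    cert2 = authn.report("p-guest", -0.3)
    results["after_report"] = verify_presentation(cert2, "p-home", 0.4)[0]
    results["new_trust"] = cert2["body"]["trust"]
    # Re-presenting the pre-report certificate is caught only by a freshness check.
    results["replay_no_check"] = verify_presentation(cert, "p-home", 0.4)[0]
    results["replay_checked"] = verify_presentation(
        cert, "p-home", 0.4, latest_version=cert2["body"]["version"])[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points follow directly from the text. First, the certificate lists its pseudonyms in the clear, so presenting it links those pseudonyms to each other at the verifier; that is exactly the trust-for-privacy trade-off the paragraph accepts, and a deployment wanting less linkage would carry per-pseudonym commitments instead of the names. Second, because the trust value changes after every interaction, a verifier that does not learn the latest certificate version (or some equivalent revocation signal) will keep accepting an old certificate with a higher value, as the `replay_no_check` result shows.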
