Internet of Things – Architecture © - 215 -
5.2.9.4 Discussion
Assessing the risks that relate to the Internet of Things and putting them in
perspective with the Design Choices (see Section 5.2.10) leads to two general
conclusions. First, the risks and their mitigation mechanisms reflect the
well-known distinction between internal attacks and external attacks. This
distinction implies the existence of a discrimination function that enables the
system to distinguish between authorised players (who are therefore able to
launch internal attacks) and unauthorised players (who are restricted to
external attacks). Second, some risks are not mapped to design choices; rather,
they are mitigated through dedicated context-dependent or local (entity-scope)
security-by-design decisions. These concepts are elaborated on in what follows.
The distinction between internal and external attackers pertains to their ability
to pass an authorisation procedure, at the end of which only authorised players
acquire rights. These rights in turn enable such players to launch internal
attacks. Note that this authorisation procedure need not be limited to the two
outcomes rejected/authorised: it may define a full set of access policies with
finer granularity. In this case, every player that is not entirely rejected is in
a position to launch internal attacks, within the rights it has been granted.
The defence against external attacks traditionally relies on two means:
topological defence systems that keep attackers spatially out of reach of the
protected resources (e.g. firewalls), and cryptographic mechanisms (e.g.
authentication or encryption algorithms) that logically prevent attackers from
tampering with or otherwise accessing the protected resources.
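As an added example (not code from the IoT-A document or project), the Python script below puts the two concepts of this discussion into working form: the discrimination function that separates authorised from unauthorised players, and the cryptographic mechanism that logically keeps external attackers away from a resource. It takes the shape this section goes on to describe for one-to-one transactions: a three-message pre-shared-key authenticated key exchange, after which every data unit is bound to the two authenticated identities by an HMAC under the derived session key. The identities (`sensor-17`, `gateway`, `mallory`), the out-of-band key provisioning, the message layout and the sample payloads are constructed for this example and are not a protocol the document specifies; HKDF and HMAC-SHA256 are built from the Python standard library.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class AuthError(Exception):
    """Peer not authorised, handshake MAC failed, or data unit not bound to the session."""


def hkdf(ikm: bytes, salt: bytes, info: bytes) -> bytes:  # HKDF-SHA256 (RFC 5869), one 32-byte block
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()             # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand, T(1)


def mac(key: bytes, *parts: bytes) -> bytes:  # HMAC-SHA256 over length-prefixed fields
    data = b"".join(struct.pack(">I", len(p)) + p for p in parts)  # boundaries cannot be shifted
    return hmac.new(key, data, hashlib.sha256).digest()


def rejected(action: Callable[[], object]) -> bool:  # True if the peer refuses with AuthError
    try:
        action()
    except AuthError:
        return True
    return False


@dataclass
class Peer:
    ident: bytes
    psks: Dict[bytes, bytes]          # peer identity -> pre-shared key: the authorised players
    peer: Optional[bytes] = None
    nonce: bytes = b""
    peer_nonce: bytes = b""
    session_key: Optional[bytes] = None
    send_seq: int = 0
    recv_seq: int = 0

    def hello(self) -> Tuple[bytes, bytes]:  # AKE msg 1 (initiator): identity + fresh nonce
        self.nonce = secrets.token_bytes(16)
        return self.ident, self.nonce

    def respond(self, id_a: bytes, n_a: bytes) -> Tuple[bytes, bytes, bytes]:  # AKE msg 2 (responder)
        if id_a not in self.psks:  # discrimination function: unknown players stay external
            raise AuthError(f"unauthorised peer {id_a!r}")
        self.peer, self.peer_nonce, self.nonce = id_a, n_a, secrets.token_bytes(16)
        return self.ident, self.nonce, mac(self.psks[id_a], b"resp", id_a, self.ident, n_a, self.nonce)

    def finish(self, id_b: bytes, n_b: bytes, mac_b: bytes) -> bytes:  # AKE msg 3 (initiator)
        psk = self.psks.get(id_b)
        if psk is None:
            raise AuthError(f"unauthorised peer {id_b!r}")
        if not hmac.compare_digest(mac(psk, b"resp", self.ident, id_b, self.nonce, n_b), mac_b):
            raise AuthError("responder failed authentication")
        self.peer, self.peer_nonce = id_b, n_b
        self.session_key = hkdf(psk, self.nonce + n_b, b"session" + self.ident + id_b)
        return mac(psk, b"init", self.ident, id_b, self.nonce, n_b)

    def accept(self, mac_a: bytes) -> None:  # responder verifies msg 3 and derives the same key
        psk = self.psks[self.peer]
        if not hmac.compare_digest(mac(psk, b"init", self.peer, self.ident, self.peer_nonce, self.nonce), mac_a):
            raise AuthError("initiator failed authentication")
        self.session_key = hkdf(psk, self.peer_nonce + self.nonce, b"session" + self.peer + self.ident)

    def protect(self, payload: bytes) -> Tuple[int, bytes, bytes]:  # data phase: bind unit to session
        self.send_seq += 1
        tag = mac(self.session_key, b"data", self.ident, self.peer, struct.pack(">Q", self.send_seq), payload)
        return self.send_seq, payload, tag

    def verify(self, seq: int, payload: bytes, tag: bytes) -> bytes:  # tag covers sender, receiver, seq, payload
        assert self.session_key is not None, "no authenticated session"
        expected = mac(self.session_key, b"data", self.peer, self.ident, struct.pack(">Q", seq), payload)
        if not hmac.compare_digest(expected, tag):
            raise AuthError("integrity check failed")
        if seq <= self.recv_seq:  # strictly increasing counter defeats replay
            raise AuthError("replayed or reordered data unit")
        self.recv_seq = seq
        return payload


def demo() -> Dict[str, object]:  # constructed scenario: authorised sensor, gateway, outsider
    psk = secrets.token_bytes(32)  # provisioned out of band to both authorised players
    sensor = Peer(b"sensor-17", {b"gateway": psk})
    gateway = Peer(b"gateway", {b"sensor-17": psk})
    id_b, n_b, mac_b = gateway.respond(*sensor.hello())  # AKE between the two authorised players
    gateway.accept(sensor.finish(id_b, n_b, mac_b))
    r: Dict[str, object] = {"keys_match": sensor.session_key == gateway.session_key}
    seq, payload, tag = sensor.protect(b"temp=21.5")
    r["accepted"] = gateway.verify(seq, payload, tag)  # honest data unit passes
    r["tamper_rejected"] = rejected(lambda: gateway.verify(seq, b"temp=99.9", tag))
    r["replay_rejected"] = rejected(lambda: gateway.verify(seq, payload, tag))
    n_m = secrets.token_bytes(16)  # external attacker: unknown identity, then a known one with a guessed key
    r["unknown_rejected"] = rejected(lambda: gateway.respond(b"mallory", n_m))
    id_b, n_b, _ = gateway.respond(b"sensor-17", n_m)  # the claim passes the identity check...
    r["impersonation_rejected"] = rejected(  # ...but msg 3 computed under a guessed key does not
        lambda: gateway.accept(mac(secrets.token_bytes(32), b"init", b"sensor-17", id_b, n_m, n_b)))
    return r
```

Two details carry the security argument. The handshake MACs cover both identities and both nonces, so a transcript from one session cannot be replayed into another, and the data-phase tag covers sender, receiver and a strictly increasing sequence number, so a data unit cannot be modified, reflected back to its sender or replayed. `demo()` returns the outcome of each check; in a deployment the pre-shared key would be replaced by the key material the chosen AKE protocol produces, and the integrity tag would usually come from an AEAD cipher that also provides confidentiality.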
In the framework of the IoT, special emphasis is put on one-to-one
transactions in which a service is accessed by a remote player. Such
transactions require a secure transaction set-up. In its most secure
embodiments, service-access control involves an authentication phase
that can be based on various authenticating credentials. Note, though,
that these credentials have to be mapped to an identity in order to fulfil
their role: on its own, a credential proves possession of a secret, not
who the possessor is. When the peer identity is not known prior to
establishing a transaction, it has to be securely retrieved (resolved)
from the resolution infrastructure. Likewise, the services themselves
may need to be securely orchestrated;
Upon successful authentication, access control has to be enforced so as
to bind all data units exchanged between the two players to their
respective authenticated identities. This usually takes the form of the
authentication procedure being implemented as an authenticated key-
exchange (AKE) protocol; all subsequent messages exchanged between
the same two players are then integrity protected with the session key
obtained from the AKE. Various protocols exist for doing so: at the network