A Cross-Layer Security Solution for Publish/Subscribe-based IoT Services Communication Infrastructure

Yang Zhang (1), Li Duan (2, ∗), Chang-ai Sun (2), Bo Cheng (1), Junliang Chen (1)

(1) State Key Lab of Networking & Switching Technology, Beijing University of Posts & Telecommunications, China
(2) School of Computer and Communication Engineering, University of Science and Technology Beijing, China
∗ Email: duanli@bupt.edu.cn
Abstract—The publish/subscribe paradigm can be used to build an IoT service communication infrastructure owing to its loose coupling and scalability. Decoupling event producers from event consumers makes collaboration among IoT services more flexible and closer to real time, and allows indirect, anonymous and multicast interactions between IoT services. However, in this environment an IoT service cannot directly control access to its events. This paper proposes a cross-layer security solution to address this issue. The design principle of our solution is to embed security policies into events and to let the network route events according to the publishers' policies and requirements. The solution improves system performance while preserving the interaction features of IoT services and minimizing event visibility. Experimental results show that our approach is effective.

Keywords—Access Control, Publish/Subscribe, IoT Service, Homomorphic Encryption
I. INTRODUCTION
In IoT (Internet of Things) applications, the publish/subscribe paradigm breaks the barrier between IoT services and application communication. Consider, for example, the smart grid [9, 10]: an evolving electric system that gains efficiency by using integrated communication technologies and computational intelligence all the way from the generators to the end consumers of electricity. A new communication infrastructure is needed to deliver coherent, real-time data across the grid. A single transmission line fault can trigger a chain reaction that ends in a blackout. Preventing power disturbances from cascading into large blackouts requires better visibility of the power system: without a complete picture of the system, and with situational awareness that is updated only slowly, the significance of a single event cannot be recognized in time to act and avert the blackout. Such information should be obtainable from a communication infrastructure integrated with time-synchronized measurement devices and services such as phasor measurement units (PMUs) and phasor data concentrators (PDCs).
The GridStat project [11] at Washington State University adopts a publish/subscribe paradigm to build such a communication infrastructure: a data consumer expresses her interest through a subscription without knowing who produces the data, and a data producer publishes data without knowing who subscribes to it. The infrastructure is concerned only with what information is needed, and is optimized according to the IoT services' requirements. An IoT service describes its requirements by an "event type" and qualification parameters, and the infrastructure dynamically adjusts itself to its customers' requirements, which illustrates the importance of cross-layer design in IoT applications. The same decoupling features of a publish/subscribe-based IoT communication infrastructure, however, raise security issues in protecting IoT services.
In an event-driven IoT service communication infrastructure built over a publish/subscribe network, event consumers do not obtain events directly from publishers, and publishers cannot directly deny consumers access to their events. Anonymous interaction therefore poses a challenge for access control of IoT services: the classic assumption of an omniscient reference monitor that mediates every request to a service does not hold, because no request ever reaches the service provider. In short, event-driven IoT services interact anonymously, indirectly and by multicast, so traditional access control frameworks and mechanisms do not apply.
In the security framework proposed in [1] and the security standard proposed by the OMG [8], the publish/subscribe network and its clients are organized into multiple security domains. Each domain has its own security management server and home brokers in the network, through which the clients of the domain publish or subscribe to events. The security management server authenticates and authorizes clients, and the home broker permits or denies a client's access to events, such as reading or publishing them. To stay consistent with the decoupling features of the publish/subscribe paradigm, clients delegate their authorization functions to the network brokers and to the target domain's security management server. Although this delegation addresses access control for anonymous, indirect and multicast client interactions, it in some sense violates the security policies, because clients no longer control access to their own events. In addition, the read-access policies are enforced during event forwarding, which adds delay to event delivery and is unsuitable for real-time IoT applications.
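To make the delegated framework described above concrete, the following toy model is added here as an illustration; it is not code from this paper, from [1] or from the OMG DDS Security specification. It models one security domain with a security management server (authentication plus read/publish grants) and a home broker that admits publishes and enforces read policies while forwarding. All client names, the event type and the shared secrets are constructed. The counter of authorization checks performed during forwarding is the per-delivery cost the paragraph refers to: every (event, subscriber) pair costs one policy decision on the delivery path.

```python
"""Toy model of a domain-based publish/subscribe access-control framework.

Added illustration; class, client and event-type names are constructed and not
taken from the paper, [1] or the OMG DDS Security specification.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_type: str
    payload: str
    domain: str  # domain of the home broker that admitted the event


class SecurityManagementServer:
    """Authenticates clients of one domain and issues read/publish grants."""

    def __init__(self, domain: str, credentials: dict, grants: dict):
        self.domain = domain
        self._credentials = credentials  # client -> shared secret (constructed)
        self._grants = grants            # client -> {(action, event_type), ...}

    def authenticate(self, client: str, secret: str) -> bool:
        return self._credentials.get(client) == secret

    def authorize(self, client: str, action: str, event_type: str) -> bool:
        return (action, event_type) in self._grants.get(client, set())


class HomeBroker:
    """Mediates every publish and every delivery in its domain.

    Read policies are enforced while forwarding, so each (event, subscriber)
    pair costs one authorization check on the delivery path.
    """

    def __init__(self, sms: SecurityManagementServer):
        self.sms = sms
        self._sessions = set()
        self._subscriptions = defaultdict(set)  # event_type -> subscribers
        self.checks_during_forwarding = 0
        self.delivered = []  # (subscriber, event) pairs actually delivered

    def login(self, client: str, secret: str) -> bool:
        if self.sms.authenticate(client, secret):
            self._sessions.add(client)
            return True
        return False

    def subscribe(self, client: str, event_type: str) -> bool:
        # Only an authenticated session may subscribe; the read grant itself is
        # checked per event at forwarding time, so a revoked grant takes effect
        # on the next delivery rather than at subscription.
        if client not in self._sessions:
            return False
        self._subscriptions[event_type].add(client)
        return True

    def publish(self, client: str, event_type: str, payload: str) -> int:
        """Admit the event if the client may publish it, then forward it.

        Returns how many subscribers received it; the publisher never learns
        who they are, which is the anonymity the paradigm provides.
        """
        if client not in self._sessions or not self.sms.authorize(client, "publish", event_type):
            return 0
        return self._forward(Event(event_type, payload, self.sms.domain))

    def _forward(self, event: Event) -> int:
        count = 0
        for subscriber in sorted(self._subscriptions[event.event_type]):
            self.checks_during_forwarding += 1
            if self.sms.authorize(subscriber, "read", event.event_type):
                self.delivered.append((subscriber, event))
                count += 1
        return count


def demo() -> dict:
    """Constructed scenario: two subscribers to PMU data, only one authorized to read."""
    sms = SecurityManagementServer(
        domain="grid-ops",
        credentials={"pmu-7": "s1", "ems": "s2", "vendor": "s3"},
        grants={
            "pmu-7": {("publish", "pmu.measurement")},
            "ems": {("read", "pmu.measurement")},
            # "vendor" can authenticate and subscribe but holds no read grant
        },
    )
    broker = HomeBroker(sms)
    for client, secret in (("pmu-7", "s1"), ("ems", "s2"), ("vendor", "s3")):
        broker.login(client, secret)
    broker.subscribe("ems", "pmu.measurement")
    broker.subscribe("vendor", "pmu.measurement")
    rejected = broker.publish("vendor", "pmu.measurement", "forged phasor")  # no publish grant
    delivered = broker.publish("pmu-7", "pmu.measurement", "V=1.02 pu, angle=12.3 deg")
    return {
        "rejected_publish_deliveries": rejected,
        "deliveries": delivered,
        "readers": sorted(s for s, _ in broker.delivered),
        "checks_during_forwarding": broker.checks_during_forwarding,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both halves of the argument in the paragraph: the home broker, not the publisher, decides who reads the event (the publisher is told only a count), and two policy decisions were spent on a single event with two subscribers. Since the grant lookup is per subscriber, the forwarding cost grows with the size of the multicast group, which is what makes enforcing read policies on the delivery path unattractive for real-time traffic.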
In our work, we also adopt this access control framework with multiple security domains and home brokers, but we do not require clients to delegate their access control entirely to brokers and target domains. In addition, we allow the network to route events according to the publishers' policies and requirements; this cross-layer design not only improves the system's performance but also addresses the security issue
2017 IEEE 24th International Conference on Web Services
978-1-5386-0752-7/17 $31.00 © 2017 IEEE
DOI 10.1109/ICWS.2017.68