The Internet of Things, IoT, relates to the interconnection of resource-constrained devices over a public network infrastructure, such as the Internet. A resource-constrained device utilizes services in the public network, and the resource-constrained device needs to authenticate those services. However, a resource-constrained device is limited in terms of processing power, battery capacity and the like. Therefore, it is necessary in the IoT area to focus on optimizing the use of resources by the resource-constrained device when performing various functions, including authentication, in order to achieve a maximal lifetime of the resource-constrained device.
Due to the limited capabilities of the resource-constrained device, it may be hard to provide an authentication solution that is both sufficiently secure and sufficiently lightweight. Standardized protocols to perform certificate-based authentication and secure session establishment are often computationally intensive, which may drain the resources of the resource-constrained device.
The following prior art documents attempt to address the problem of certificate verification in a constrained environment.
An International patent application published as WO2012/068094 discloses a constrained network entity that may determine, via an authentication procedure with a core network entity, the trustworthiness of an endpoint attempting to establish a secure channel with the constrained network entity. The constrained network entity may receive a certificate from the endpoint attempting to establish the secure channel and the constrained network entity may send the certificate asserted by the endpoint to a core network entity for validation. The core network entity may indicate to the constrained network entity the validity of the certificate. The constrained network entity may determine whether to establish the secure channel with the endpoint based on the validity of the certificate.
A US patent application published as US2007/0245414 discloses embodiments of proxy authentication and indirect certificate chaining. In an implementation, authentication for a client occurs via a proxy service. The proxy service communicates between the client and the server, and caches security tokens on behalf of the client.
A US patent application published as US2009/0126001 discloses techniques to manage security certificates. An apparatus may comprise a certificate proxy server having a transceiver and a certificate manager module. The certificate manager module may be operative to register a digital identity certificate for a call terminal to perform authentication operations on behalf of the call terminal, and manage the digital identity certificate for the call terminal.
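The three references above share one pattern: the constrained device hands the peer's certificate to a better-provisioned entity (core network entity or proxy), receives a verdict or token back, and, in the case of US2007/0245414, caches that result. The following is an added illustration of that delegation pattern in general terms; it is not the method of WO2012/068094, US2007/0245414 or US2009/0126001, and it makes the following assumptions: a symmetric key shared between the device and the core entity is provisioned at enrolment, the verdict is authenticated with an HMAC over that key, and the "issuer signatures" on the certificates are HMACs with a key held only by the issuer, standing in for the asymmetric signatures of a real PKI so that the example runs with the Python standard library alone. All names, keys and certificates are constructed for the example.

```python
"""Delegated certificate validation for a constrained device (constructed example).

The device forwards the peer's certificate to a core validator, which performs
the chain and expiry checks and returns a short verdict authenticated with a key
shared only between the device and the core. The device then performs one HMAC
check instead of a full certificate-chain verification, and caches the verdict.
"""
import hashlib
import hmac
import json
import os

# Assumption: a symmetric key provisioned to the device and the core at enrolment.
DEVICE_CORE_KEY = b"constructed-device-core-shared-key"

# Stand-in PKI for the example: an issuer "signs" certificates with an HMAC key it
# alone holds. Real certificates carry asymmetric signatures; HMAC keeps this
# example runnable with the standard library only.
ISSUER_KEYS = {"ExampleRootCA": b"constructed-root-signing-key",
               "RogueCA": b"constructed-rogue-signing-key"}
TRUSTED_ROOTS = {"ExampleRootCA"}
VERDICT_TTL = 300  # seconds a verdict may be cached on the device


def canon(obj):
    """Canonical bytes over which MACs are computed."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_cert(subject, issuer, not_after):
    """Issue a constructed certificate 'signed' (HMAC, see above) by `issuer`."""
    body = {"subject": subject, "issuer": issuer, "not_after": not_after}
    sig = hmac.new(ISSUER_KEYS[issuer], canon(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def fingerprint(cert):
    return hashlib.sha256(canon(cert)).hexdigest()


class CoreValidator:
    """Core network entity: does the expensive validation, answers with a MAC'd verdict."""

    def __init__(self, key=DEVICE_CORE_KEY):
        self.key = key
        self.calls = 0  # round trips observed, used to show the effect of caching

    def validate(self, cert, nonce, now):
        self.calls += 1
        issuer = cert.get("issuer")
        body = {k: v for k, v in cert.items() if k != "sig"}
        valid = False
        if issuer in TRUSTED_ROOTS and cert.get("not_after", 0) > now:
            expected = hmac.new(ISSUER_KEYS[issuer], canon(body), hashlib.sha256).hexdigest()
            valid = hmac.compare_digest(expected, cert.get("sig", ""))
        # The verdict is bound to this certificate, to this request (nonce) and to a lifetime,
        # so a captured verdict cannot be replayed for another request or another certificate.
        verdict = {"fp": fingerprint(cert), "valid": valid, "nonce": nonce, "exp": now + VERDICT_TTL}
        tag = hmac.new(self.key, canon(verdict), hashlib.sha256).hexdigest()
        return verdict, tag


class ConstrainedDevice:
    """Device side: one HMAC verification per fresh verdict, cached verdicts otherwise."""

    def __init__(self, core, key=DEVICE_CORE_KEY):
        self.core = core
        self.key = key
        self.cache = {}  # certificate fingerprint -> verdict

    def check_peer(self, cert, now):
        fp = fingerprint(cert)
        hit = self.cache.get(fp)
        if hit is not None and hit["exp"] > now:
            return hit["valid"]  # no round trip and no cryptography on a cache hit
        nonce = os.urandom(8).hex()
        verdict, tag = self.core.validate(cert, nonce, now)
        expected = hmac.new(self.key, canon(verdict), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # verdict forged or corrupted in transit: fail closed
        if verdict["nonce"] != nonce or verdict["fp"] != fp or verdict["exp"] <= now:
            return False  # replayed, redirected or stale verdict: fail closed
        self.cache[fp] = verdict
        return verdict["valid"]


class ReplayingProxy:
    """Adversary between device and core that answers with a previously captured verdict."""

    def __init__(self, captured):
        self.captured = captured

    def validate(self, cert, nonce, now):
        return self.captured


if __name__ == "__main__":
    now = 1_700_000_000
    core = CoreValidator()
    device = ConstrainedDevice(core)
    peer = issue_cert("gateway.example", "ExampleRootCA", now + 86400)
    print("first check:", device.check_peer(peer, now), "round trips:", core.calls)
    print("second check:", device.check_peer(peer, now + 10), "round trips:", core.calls)
```

The device's only cryptographic work per new peer is one HMAC over a few dozen bytes; the nonce and fingerprint binding are what stop an on-path party from substituting a verdict captured for a different certificate or request, and the `exp` field bounds how long a revoked certificate can survive in the device cache.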
However, it is not sufficient merely to address the problem of certificate verification in a constrained environment. An outstanding problem, given the prior art, is that session establishment must be both lightweight and secure so that it can be efficiently supported by the resource-constrained device.