The present application relates generally to authentication and authorization of access to a resource by a device, and more specifically, to mechanisms for authentication and authorization of access to a resource by a device that has weak computational resources. The present application relates further to a system for authentication and authorization of access to a resource by a device, and to a computer program product.
Nowadays, a growing number of IoT (Internet-of-Things) devices are installed to control production and logistic processes, to help protect the environment, to measure environmental parameters, and so on. Basically, IoT devices are omnipresent. However, a growing number of these devices are based on SoC (system-on-chip) technology. They may be used as sensors or actuators. Despite the growing computational power, flexibility and capacity of SoCs, it continues to be important not to exceed their capacity limits through demanding software functions and communication protocols. Such overburdening of the SoCs goes against most of the rules of real-time embedded solutions as well as energy-saving rules.
With such an increasing number of devices, it is necessary to find a way of performing computationally low-cost automatic authentication and authorization operations against services located anywhere, possibly belonging to different owners, while at the same time minimizing the amount of data or software needed for these processes, at least from the device's perspective.
In this context, it is highly important that only well-known, identified and trusted devices can post data, and that only the proper and correct actuators receive commands. When the number of IoT devices grows and when they change dynamically (in location and/or in nature), managing the identification and the authorization of all of them becomes an increasingly difficult problem.
Delegated authorization protocols, such as OAuth, are often used in a similar context. However, the task of authorizing every device and granting permission on which resource it may access is still reserved to the resource owner. Moreover, the authorization grant has a limited lifetime, the scope of the authorization is fixed, and a full web protocol stack must be implemented on the device.
There are also other known techniques for giving automatic consent to certain clients by classifying them and comparing their commonality with other devices. However, those techniques cannot be used for clients that are tiny SoC IoT devices, because of their limited fingerprint or identity, their limited computational resources, their differing nature, and the dynamic changes to scoped grants.
Furthermore, there are also techniques for identifying context-based access by defining policy-based access grants built on a risk score. However, those policies are statically defined and do not work properly in a dynamic context, resulting in an improper risk calculation.