A Comprehensive Security Framework for Publish/Subscribe-Based IoT Services Communication

The publish/subscribe paradigm provides a loosely-coupled and scalable communication model for the large-scale IoT service systems, such as supervisory control and data acquisition (SCADA). Data confidentiality and service privacy are two crucial security issues for the publish/subscribe model deployed in different domains. The existing access control schemes for such model cannot address both the issues at the same time. In this paper, we propose a comprehensive access control framework (CACF) to bridge this gap. The design principle of the proposed framework is twofold: (a) a bi-directional policy matching scheme for protecting the privacy of IoT services; and (b) a fully homomorphic encryption scheme for encrypting published events to protect data confidentiality. We analyze the correctness and security of the CACF, moreover, we prototype CACF based on Apache ActiveMQ, an open source message broker, and evaluate its performance. The experimental results indicate that our security system meets the latency requirements for very high-quality SCADA services.