Description
User sovereignty, privacy and security are not always top priorities in the product development of the typical IoT systems deployed in practice today. This can have severe consequences, ranging from data breaches to devices that stop working. In this work, we explore how to extend the principles of self-sovereign identities (SSI) from human identities to the IoT realm. We discuss how to build a focus on security, privacy and sovereignty into a generic framework suitable for the wide range of IoT application areas. To construct such a framework, we first identify the vital components of IoT systems and examine the relevant challenges. We then build upon existing decentralized systems with strong privacy and security features. Our proposed framework leverages the concept of identities and enables secure interactions between users, devices and application services. We discuss how to include vital functionality for discovery, connectivity, data storage and sharing, device management and trust. To exchange identity information and to communicate bootstrapping data, we propose an approach based on a secure local channel that provides both encryption and authentication. We build upon existing work to integrate legacy devices and devices with low computing capabilities. Additionally, we follow a lifecycle model for devices to ensure data privacy and secure operation regardless of how often a device's ownership or operational domain changes. To conclude the thesis, we examine the potential of integrating our approach with the International Data Spaces reference architecture model.