FECAC: Fine-Grained and Efficient Capability-Based Access Control for Enterprize-Scale IoT Systems

In enterprize-scale Internet of Things, users need to query data by accessing the resource-constrained smart nodes. Such queries typically include data from one node (DON), and data from one catalog of multiple nodes (DOC). Traditional access control mechanisms often prove inadequate due to the lack of efficient policy management. Their authorization time for queries is linear with respect to the number of access control rules in the policy, which greatly impedes access granularity, efficiency, and scale. To address this issue, we propose FECAC, a fine-grained and efficient capability-based access control mechanism for DON and DOC access queries. Specifically, FECAC builds a policy matching tree structure by translating the rule into matching properties in the tree node, which avoids authorizing queries by traversing the entire rule collection. We then introduce an authorization scheme to match the elements of access requests in a top-down manner, and check the rules with the internal properties of the data queries sublinearly, which efficiently combines the requests of DOC and DON. Further, we give a concrete operation of FECAC from query authorization scheme to execute data querying based on capabilities. Finally, we demonstrate the improved and more stable evaluation efficiency of FECAC compared to existing schemes.