Edinburgh Napier University

  Authentication and access control are critical in addressing IoT security and privacy issues. However, due to resource overhead, most legacy authentication and authorisation mechanisms are not suitable for resource-constrained IoT devices (Meneghello et al., 2019). Another significant obstacle to IoT is the centralisation of efficient security solutions, such as Public Key Infrastructure (PKI), which presents scalability challenges in a system with thousands of connected nodes. Additionally, current authentication and access control standards rely on third parties. Scalability and deployment simplicity are advantages, but it requires trust in a third party to store customers’ sensitive data, which is prone to misuse in the event of security breaches (Levi and Caglayan, 1997). However, blockchain and decentralised alternatives that do not rely on a third party can provide autonomous authentication and authorisation administration. Driven by the potential benefits of blockchain technology and the need to deliver reliable solutions that satisfy the demands of the IoT, this thesis aims to develop blockchain-based decentralised authentication and access control mechanisms for IoT to resolve security and privacy concerns in the current centralised paradigm and remove the need for a third party to maintain trust. The thesis goes further and explores the provision of decentralised identity management services such as secure and fair exchange, delegation, and revocation of credentials through the use of smart contracts. Additionally, the thesis looks into the inherent issue of designing secure, lightweight, and scalable decentralised systems that satisfy IoT needs by proposing a lightweight consensus mechanism. The contributions of this thesis are shown over all layers of the IoT architecture. For instance, the thesis proposed a blockchain-based two-factor authentication mechanism enabling authentication at the IoT applications layer. For authentication in IoT communication protocols, the thesis proposed a lightweight authentication and authorisation mechanism for the MQTT messaging protocol. Additionally, for authentication and access control at the devices layer, the thesis provided a decentralised authentication and access control for wearable medical devices. Finally, the thesis proposed a lightweight and scalable consensus mechanism that overcomes the resource overhead of distributed consensus and the complexity of blockchain in IoT. Further analysis of these approaches’ usability, mainly CPU and memory usage, was conducted compared to the current security protocols. When subjected to security analysis and evaluation, the proposed approaches demonstrated performance improvements in data privacy levels, high security and lightweight access control design compared to the current centralised access control models.