Title: | CoAP Option for Capability-Based Access Control for IoT-Applications |
Authors: | Chen, Borting; Guenes, Mesut; Huang, Yu-Lun; Institute of Electrical and Control Engineering |
Keywords: | Capability-Based Access Control;Internet of Things;Network Security |
Issue Date: | 2016 |
Abstract: | Access control is critical for many applications of the Internet of Things (IoT) since the owner of an IoT device (and application) may only permit one user to access a subset of the resources of the device. To provide access control for an IoT network, recent work adopted the capability-based access control (CBAC) model, which allows an IoT device to decide on the authorization by itself based on a capability token. However, the existing approaches based on CBAC directly attach the capability token at the end of CoAP when sending a request message. For the receiver, it is not easy to retrieve the capability token from the request message if the CoAP payload is present, because CoAP does not have a length field to indicate the size of its payload. To counter this problem, we propose a CoAP option, Cap-Token, to encapsulate a capability token when sending request messages. Because a CoAP option is independent from other CoAP fields, a receiver can get the capability token from the Cap-Token option of the request message without ambiguity. We also provide a compression mechanism to reduce the size of the Cap-Token option. Our evaluation shows that the compression mechanism can reduce the size of the option by 60%. Adding a compressed Cap-Token option to a request message increases the IP datagram size by 45 bytes, which is only 41% of the increase when directly attaching the capability token at the end of CoAP. |
URI: | http://dx.doi.org/10.5220/0005950902660274 http://hdl.handle.net/11536/134316 |
ISBN: | 978-989-758-183-0 |
DOI: | 10.5220/0005950902660274 |
Journal: | IOTBD: PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON INTERNET OF THINGS AND BIG DATA |
Start page: | 266 |
End page: | 274 |
Appears in Collections: | Conferences Paper |