Hash-chain-based authentication for IoT

  • Antonio Pinto
    GCC, CIICESI, ESTG, Polytechnic of Porto, Portugal AND CRACS & INESC TEC, Porto, Portugal apinto[at]inesctec.pt
  • Ricardo Costa
    GCC, CIICESI, ESTG, Polytechnic of Porto, Portugal


The number of everyday interconnected devices continues to increase, and together these devices constitute the Internet of Things (IoT). Things are small computers equipped with sensors and wireless communication capabilities that are driven by energy constraints, since they use batteries and may be required to operate over long periods of time. The majority of these devices perform data collection. The collected data is stored online using web services that sometimes operate without any special considerations regarding security and privacy. The current work proposes a modified hash-chain authentication mechanism that, with the help of a smartphone, can authenticate each interaction of the devices with a REST web service using One-Time Passwords (OTP) while using open wireless networks. Moreover, the proposed authentication mechanism adheres to the stateless, HTTP-like behavior expected of REST web services, even allowing the caching of server authentication replies within a predefined time window. No other known web-service authentication mechanism operates in such a manner.
How to cite: Pinto, A., & Costa, R. (2016). Hash-chain-based authentication for IoT. ADCAIJ: Advances in Distributed Computing and Artificial Intelligence Journal, 5(4), 43–57. https://doi.org/10.14201/ADCAIJ2016544357


Author Biographies

Antonio Pinto

GCC, CIICESI, ESTG, Polytechnic of Porto, Portugal AND CRACS & INESC TEC, Porto, Portugal
António Pinto has a PhD in Electrical and Computers Engineering from Porto University (2010). Currently, he is an Assistant Professor at Escola Superior de Tecnologia e Gestão (ESTG) of the Polytechnic of Porto, where he gives courses in computer networks, operating systems, network security and digital forensics. He is also a researcher of CRACS at the INESC TEC research institute, and the head researcher for the Group for the study of Cybersecurity and Cybercrime (GCC) of CIICESI. His current research interests include information security management systems, computer and network security, and digital forensics. António Pinto has published 15+ papers and participated in 5+ research projects, including the following European projects: Smart UNattended airborne sensor Network for detection of vessels used for cross border crime and irregular entrY (SUNNY), Media Ecosystem Deployment Through Ubiquitous Content-Aware Network Environments (IST ALICANTE), and End-to-End QoS through Integrated Management of Content, Networks and Terminals (ENTHRONE).

Ricardo Costa

GCC, CIICESI, ESTG, Polytechnic of Porto, Portugal
Ricardo worked in the banking and financial industry, specifically at SIBS S.A. on the Credit Card Payment Systems MBNet, as the developer responsible for the VISA/MASTERCARD gateway interaction modules. He also worked at Multicert S.A. as a Network Security Analyst and New Products Manager, where he participated in several projects (Portuguese Citizen Card, Portuguese Official Journal, and Portuguese Electronic Passport, among others). He is one of the founders of Eurocloud Portugal. He has been responsible for several security and cloud computing projects and teaching programs of his university. Finally, he is a Senior Researcher at GCC and INESC TEC in the Privacy, Security and Identity thematic areas.