Authentication, Authorization, and Selective Disclosure for IoT data sharing using Verifiable Credentials and Zero-Knowledge Proofs

TL;DR

This paper presents a privacy-preserving platform for controlled IoT data sharing in smart buildings, using Verifiable Credentials and Zero-Knowledge Proofs to enable fine-grained access control and data discovery.

Contribution

It introduces a novel framework integrating SSI, Verifiable Credentials, and Zero-Knowledge Proofs with OAuth 2.0 and Web of Things for secure, selective IoT data sharing.

Findings

Enables privacy-preserving, controlled sharing of IoT data.

Supports fine-grained, selective data disclosure.

Integrates industry standards for IoT data management.

Abstract

As IoT becomes omnipresent vast amounts of data are generated, which can be used for building innovative applications. However,interoperability issues and security concerns, prevent harvesting the full potentials of these data. In this paper we consider the use case of data generated by smart buildings. Buildings are becoming ever "smarter" by integrating IoT devices that improve comfort through sensing and automation. However, these devices and their data are usually siloed in specific applications or manufacturers, even though they can be valuable for various interested stakeholders who provide different types of "over the top" services, e.g., energy management. Most data sharing techniques follow an "all or nothing" approach, creating significant security and privacy threats, when even partially revealed, privacy-preserving, data subsets can fuel innovative applications. With these in mind we develop a platform that enables controlled, privacy-preserving sharing of data items. Our system innovates in two directions: Firstly, it provides a framework for allowing discovery and selective disclosure of IoT data without violating their integrity. Secondly, it provides a user-friendly, intuitive mechanisms allowing efficient, fine-grained access control over the shared data. Our solution leverages recent advances in the areas of Self-Sovereign Identities, Verifiable Credentials, and Zero-Knowledge Proofs, and it integrates them in a platform that combines the industry-standard authorization framework OAuth 2.0 and the Web of Things specifications.