The Internet of Things (IoT) presents distinct challenges for access control due to its dynamic, heterogeneous, and evolving nature, which existing mechanisms often struggle to address. To overcome these challenges, this paper proposes a novel context-aware role-capability based access control (CRCBAC) system which effectively handles key issues such as dynamic adaptation, capability delegation, context awareness, scalability, and security. At its core, CRCBAC utilizes a structured role capability tree (RCT) to ensure secure capability propagation and management across roles, resolving conflicts through a priority system. Additionally, we design a set of protocols leveraging RCT operations to securely evaluate access requests, as well as to create, transfer, and revoke capabilities. These protocols are validated through formal analysis using BAN logic and Scyther-based attack simulation, demonstrating CRCBAC’s robustness in ensuring both confidentiality and integrity. Experimental evaluation confirms CRCBAC’s superior scalability and efficiency, achieving up to 75% lower response times and 4.6 times higher throughput compared to state-of-the-art approaches. The capability delegation mechanism consistently maintains response times below 3 ms, even as user capabilities scale, while also reducing energy consumption by 87.5% compared to the state-of-the-art approach, making CRCBAC particularly well-suited for energy-constrained IoT environments.
A Dynamic Context-Aware and Role-Capability Based Access Control Mechanism for Internet of Things
Mandal, Amit Kr.;Halder, Raju;Cortesi, Agostino
2025-01-01
| File | Type | License | Size | Format |
|---|---|---|---|---|
| Amit_Rudra_2025.pdf (not available) | Publisher's version | Publisher's copyright | 7.5 MB | Adobe PDF |
Documents in ARCA are protected by copyright and all rights are reserved, unless otherwise indicated.



