{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,10]],"date-time":"2026-07-10T12:09:46Z","timestamp":1783685386805,"version":"3.55.0"},"reference-count":47,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2018,7,13]],"date-time":"2018-07-13T00:00:00Z","timestamp":1531440000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>While Internet of Things (IoT) technology has been widely recognized as an essential part of Smart Cities, it also brings new challenges in terms of privacy and security. Access control (AC) is among the top security concerns, which is critical in resource and information protection over IoT devices. Traditional access control approaches, like Access Control Lists (ACL), Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), are not able to provide a scalable, manageable and efficient mechanism to meet the requirements of IoT systems. Another weakness in today\u2019s AC is the centralized authorization server, which can cause a performance bottleneck or be the single point of failure. Inspired by the smart contract on top of a blockchain protocol, this paper proposes BlendCAC, which is a decentralized, federated capability-based AC mechanism to enable effective protection for devices, services and information in large-scale IoT systems. A federated capability-based delegation model (FCDM) is introduced to support hierarchical and multi-hop delegation. The mechanism for delegate authorization and revocation is explored. A robust identity-based capability token management strategy is proposed, which takes advantage of the smart contract for registration, propagation, and revocation of the access authorization. A proof-of-concept prototype has been implemented on both resources-constrained devices (i.e., Raspberry PI nodes) and more powerful computing devices (i.e., laptops) and tested on a local private blockchain network. The experimental results demonstrate the feasibility of the BlendCAC to offer a decentralized, scalable, lightweight and fine-grained AC solution for IoT systems.<\/jats:p>","DOI":"10.3390\/computers7030039","type":"journal-article","created":{"date-parts":[[2018,7,16]],"date-time":"2018-07-16T04:05:33Z","timestamp":1531713933000},"page":"39","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":126,"title":["BlendCAC: A Smart Contract Enabled Decentralized Capability-Based Access Control Mechanism for the IoT"],"prefix":"10.3390","volume":"7","author":[{"given":"Ronghua","family":"Xu","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, Binghamton University, SUNY, Binghamotn, NY 13902, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1880-0586","authenticated-orcid":false,"given":"Yu","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, Binghamton University, SUNY, Binghamotn, NY 13902, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6894-6108","authenticated-orcid":false,"given":"Erik","family":"Blasch","sequence":"additional","affiliation":[{"name":"The U.S. Air Force Research Lab, Rome, NY 13441, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Genshe","family":"Chen","sequence":"additional","affiliation":[{"name":"Intelligent Fusion Technology, Inc., Germantown, MD 20876, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2018,7,13]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"2347","DOI":"10.1109\/COMST.2015.2444095","article-title":"Internet of things: A survey on enabling technologies, protocols, and applications","volume":"17","author":"Guizani","year":"2015","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Snidaro, L., Garcia-Herrera, J., Llinas, J., and Blasch, E. (2016). Context-Enhanced Information Fusion, Springer.","DOI":"10.1007\/978-3-319-28971-7"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Blasch, E., Kadar, I., Grewe, L.L., Brooks, R., Yu, W., Kwasinski, A., Thomopoulos, S., Salerno, J., and Qi, H. (2017, January 11\u201312). Panel summary of cyber-physical systems (CPS) and Internet of Things (IoT) opportunities with information fusion. Proceedings of the International Society for Optics and Photonics, Signal Processing, Sensor\/Information Fusion, and Target Recognition XXVI, Anaheim, CA, USA.","DOI":"10.1117\/12.2264683"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/j.jnca.2017.04.002","article-title":"Internet of Things security: A survey","volume":"88","author":"Alaba","year":"2017","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1189","DOI":"10.1016\/j.mcm.2013.02.006","article-title":"A capability-based security approach to manage access control in the internet of things","volume":"58","author":"Gusmeroli","year":"2013","journal-title":"Math. Comput. Model."},{"key":"ref_6","unstructured":"Nakamoto, S. (2018, July 12). Bitcoin: A Peer-to-Peer Electronic Cash System. Available online: https:\/\/bitcoin.org\/bitcoin.pdf."},{"key":"ref_7","first-page":"6","article-title":"Blockchain technology: Beyond bitcoin","volume":"2","author":"Crosby","year":"2016","journal-title":"Appl. Innov."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1016\/j.comnet.2016.11.007","article-title":"Access control in the Internet of things: Big challenges and new opportunities","volume":"112","author":"Ouaddah","year":"2017","journal-title":"Comput. Netw."},{"key":"ref_9","unstructured":"Gong, L. (1989, January 1\u20133). A secure identity-based capability system. Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA, USA."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/2.485845","article-title":"Role-based access control models","volume":"29","author":"Sandhu","year":"1996","journal-title":"Computer"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Samarati, P., and de Vimercati, S.C. (2000). Access control: Policies, models, and mechanisms. International School on Foundations of Security Analysis and Design, Springer.","DOI":"10.1007\/3-540-45608-2_3"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"De Souza, L.M.S., Spiess, P., Guinard, D., K\u00f6hler, M., Karnouskos, S., and Savio, D. (2008). Socrades: A web service based shop floor integration infrastructure. The Internet of Things, Springer.","DOI":"10.1007\/978-3-540-78731-0_4"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Spiess, P., Karnouskos, S., Guinard, D., Savio, D., Baecker, O., De Souza, L.M.S., and Trifa, V. (2009, January 6\u201310). SOA-based integration of the internet of things in enterprise services. Proceedings of the 2009 IEEE International Conference on Web Services, Los Angeles, CA, USA.","DOI":"10.1109\/ICWS.2009.98"},{"key":"ref_14","unstructured":"Zhang, G., and Tian, J. (2010, January 18\u201319). An extended role based access control model for the Internet of Things. Proceedings of the 2010 International Conference on Information Networking and Automation (ICINA), Kunming, China."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Yuan, E., and Tong, J. (2005, January 11\u201315). Attributed based access control (ABAC) for web services. Proceedings of the 2005 IEEE International Conference on Web Services (ICWS 2005), Orlando, FL, USA.","DOI":"10.1109\/ICWS.2005.25"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"147","DOI":"10.1016\/j.future.2013.05.010","article-title":"An extended attribute based access control model with trust and privacy: Application to a collaborative crisis management system","volume":"31","author":"Smari","year":"2014","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"1617","DOI":"10.12785\/amis\/080416","article-title":"An efficient authentication and access control scheme for perception layer of internet of things","volume":"8","author":"Ye","year":"2014","journal-title":"Appl. Math. Inf. Sci."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1109\/MAES.2014.130115","article-title":"Information fusion in a cloud computing era: A systems-level perspective","volume":"29","author":"Liu","year":"2014","journal-title":"IEEE Aerosp. Electron. Syst. Mag."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Gusmeroli, S., Piccione, S., and Rotondi, D. (2012, January 17\u201321). IoT@ Work automation middleware system design and architecture. Proceedings of the 2012 IEEE 17th Conference on Emerging Technologies & Factory Automation (ETFA), Krakow, Poland.","DOI":"10.1109\/ETFA.2012.6489652"},{"key":"ref_20","unstructured":"Anggorojati, B., Mahalle, P.N., Prasad, N.R., and Prasad, R. (2012, January 24\u201327). Capability-based access control delegation model on the federated IoT network. Proceedings of the 2012 15th International Symposium on Wireless Personal Multimedia Communications (WPMC), Taipei, Taiwan."},{"key":"ref_21","unstructured":"Skinner, G.D. (2009, January 9\u201312). Cyber security management of access controls in digital ecosystems and distributed environments. Proceedings of the 6th International Conference on Information Technology and Applications (ICITA 2009), Hanoi, Vietnam."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Pal, S., Hitchens, M., and Varadharajan, V. (2017, January 9\u201312). Towards a Secure Access Control Architecture for the Internet of Things. Proceedings of the 2017 IEEE 42nd Conference on Local Computer Networks (LCN), Singapore.","DOI":"10.1109\/LCN.2017.76"},{"key":"ref_23","first-page":"1","article-title":"Distributed capability-based access control for the internet of things","volume":"3","author":"Jara","year":"2013","journal-title":"J. Int. Serv. Inf. Secur."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1080\/00207160.2014.915316","article-title":"DCapBAC: Embedding authorization logic into smart things through ECC optimizations","volume":"93","author":"Jara","year":"2016","journal-title":"Int. J. Comput. Math."},{"key":"ref_25","unstructured":"(2018, July 12). Databox Project. Available online: https:\/\/www.databoxproject.uk\/publications\/."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Birgisson, A., Politz, J.G., Erlingsson, U., Taly, A., Vrable, M., and Lentczner, M. (2014). Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud, Network and Distributed System Security Symposium, Internet Society.","DOI":"10.14722\/ndss.2014.23212"},{"key":"ref_27","unstructured":"Maesa, D.D.F., Mori, P., and Ricci, L. (2017, January 19\u201322). Blockchain based access control. Proceedings of the IFIP International Conference on Distributed Applications and Interoperable Systems, Neuch\u00e2tel, Switzerland."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"5943","DOI":"10.1002\/sec.1748","article-title":"FairAccess: A new Blockchain-based access control framework for the Internet of Things","volume":"9","author":"Ouaddah","year":"2016","journal-title":"Secur. Commun. Netw."},{"key":"ref_29","unstructured":"(2018, July 12). Trust, confidence and Verifiable Data Audit. Available online: https:\/\/deepmind.com\/blog\/trust-confidence-verifiable-data-audit\/."},{"key":"ref_30","unstructured":"Swan, M. (2015). Blockchain: Blueprint for a New Economy, O\u2019Reilly Media, Inc."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Szabo, N. (1997). Formalizing and securing relationships on public networks. First Monday, 2.","DOI":"10.5210\/fm.v2i9.548"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Gomi, H., Hatakeyama, M., Hosono, S., and Fujita, S. (2005, January 11). A delegation framework for federated identity management. Proceedings of the 2005 workshop on Digital identity management, Fairfax, VA, USA.","DOI":"10.1145\/1102486.1102502"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Aura, T. (1999). Distributed access-rights management with delegation certificates. Secure Internet Programming, Springer.","DOI":"10.1007\/3-540-48749-2_9"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"404","DOI":"10.1145\/937527.937530","article-title":"A rule-based framework for role-based delegation and revocation","volume":"6","author":"Zhang","year":"2003","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Chen, N., Chen, Y., You, Y., Ling, H., Liang, P., and Zimmermann, R. (2016, January 20\u201322). Dynamic urban surveillance video stream processing using fog computing. Proceedings of the 2016 IEEE Second International Conference on Multimedia Big Data (BigMM), Taipei, Taiwan.","DOI":"10.1109\/BigMM.2016.53"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Chen, N., Chen, Y., Blasch, E., Ling, H., You, Y., and Ye, X. (2017, January 3\u20135). Enabling Smart Urban Surveillance at The Edge. Proceedings of the 2017 IEEE International Conference on Smart Cloud (SmartCloud), New York, NY, USA.","DOI":"10.1109\/SmartCloud.2017.24"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Chen, N., Chen, Y., Song, S., Huang, C.T., and Ye, X. (2016, January 27\u201328). Smart Urban Surveillance Using Fog Computing. Proceedings of the 2016 IEEE\/ACM Symposium on Edge Computing (SEC), Washington, DC, USA.","DOI":"10.1109\/SEC.2016.25"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Xu, R., Chen, Y., Blasch, E., and Chen, G. (2018, January 17). A Federated Capability-based Access Control Mechanism for Internet of Things (IoTs). Proceedings of the Conference on Sensors and Systems for Space Applications, SPIE Defense & Commercial Sensing 2018 (DCS), Orlando, FL, USA.","DOI":"10.1117\/12.2305619"},{"key":"ref_39","unstructured":"(2018, July 12). Ethereum Homestead Documentation. Available online: http:\/\/www.ethdocs.org\/en\/latest\/index.html."},{"key":"ref_40","unstructured":"(2018, July 12). Solidity. Available online: http:\/\/solidity.readthedocs.io\/en\/latest\/."},{"key":"ref_41","unstructured":"(2018, July 12). Truffle. Available online: http:\/\/truffleframework.com\/docs\/."},{"key":"ref_42","unstructured":"Crockford, D. (2018, July 12). JavaScript Object Notation (JSON). Available online: https:\/\/tools.ietf.org\/html\/rfc4627."},{"key":"ref_43","unstructured":"(2018, July 12). Flask: A Pyhon Microframework. Available online: http:\/\/flask.pocoo.org\/."},{"key":"ref_44","unstructured":"(2018, July 12). SQLite. Available online: https:\/\/www.sqlite.org\/index.html."},{"key":"ref_45","unstructured":"(2018, July 12). BlednCAC Project. Available online: https:\/\/github.com\/samuelxu999\/Blockchain_dev\/."},{"key":"ref_46","unstructured":"(2018, July 12). Go-Ethereum. Available online: https:\/\/ethereum.github.io\/go-ethereum\/."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Xu, R., Nikouei, S.Y., Chen, Y., Song, S., Polunchenko, A., Deng, C., and Faughnan, T. (2018, January 20\u201324). Real-Time Human Object Tracking for Smart Surveillance at The Edge. Proceedings of the IEEE International Conference on Communications, Selected Areas in Communications Symposium Smart Cities Track, Kansas City, MO, USA.","DOI":"10.1109\/ICC.2018.8422970"}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/7\/3\/39\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:12:01Z","timestamp":1760195521000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/7\/3\/39"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,7,13]]},"references-count":47,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2018,9]]}},"alternative-id":["computers7030039"],"URL":"https:\/\/doi.org\/10.3390\/computers7030039","relation":{"has-preprint":[{"id-type":"doi","id":"10.20944\/preprints201805.0079.v1","asserted-by":"object"}]},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,7,13]]}}}