Support for confidentiality becomes harder and harder as IoT becomes more widespread. More devices are connected to different types of devices, and this increase in opportunities for connection and data collection leads to smaller monitoring. Both the control of data and tracking of the attached devices are staked.

Control of support of confidentiality can be lost if someone cracks the smartphone or the computer acting as the panel for other devices. In the case of computers and smartphones, this cracking can be remotely and often not found. Smartphones, as well as computers, contain a vast number of personal information on their owners. They often refer to bank accounts, e-mail accounts and in some instances to household appliances. The stolen data can lead to severe problems. Vehicles contain many computers which control the function. Initially, these computers could not be cracked. Nevertheless, in case of the increase in the possibility of connection of IoT vehicles are exposed to risk because of connection to the Internet.

In other sense, monitoring can be lost as more and more companies collect data on users. These data often draw a detailed pattern of certain users by means of the collection online of data. The companies using these data monitor everything that you look for, all your actions on the Internet. These companies often use data for improvement of the user experience, but they also use these data for the sale of products of users or for sale to other companies which sell products of users.

Innovations in this sphere mean that the companies shall change the privacy policy, which exists and also how they interact with these devices ^[1]. The companies will look at a policy which they have to provide to users a possibility of access and monitoring of their own data once again. Customers everything will realise more consequences for the confidentiality of this interoperability layer using interaction from IoT and susceptibility to policies which provide them with the companies.

Now first of all the principles of the notification message, consent, access and safety are applied, for example, in electronic commerce and online advertising. The legislation on confidentiality also affects some mature technologies which are a part of the evolution of IoT: last RFID and a network of cameras paid much attention. Recent legislative efforts focused on data protection in cloud computing and support of appropriate protection of web users against tracing.

However, already today, the protection level of personal privacy offered by the legislation is insufficient as demonstrate data leakages and unpunished violations of confidentiality day by day. The Internet of Things, undoubtedly, will create new grey zones with sufficient space to bypass legislative barriers.

First, the majority of acts is concentrated around an indistinct concept of Personally identified information (PII). Nevertheless, efforts on receiving a short determination of what represents PII (for example, by listing of combinations of the identifying attributes) quickly become outdated as new IoT technologies are unblocked and integrate new data sets which can provide identification and make more difficult to distinguish PII from a не-PII,

Secondly, the timeliness of the legislation is a constant problem, e.g. the tracking of web users was used for many years before the European Commission adopted the law against it at the beginning of 2011. With the fast development of IoT, the legislation will be inevitable to fall further away. An example is indications of Smart Meter, which already allow making exhaustive information on the life of people.

Thirdly, already today many violations of confidentiality remain unnoticed. In IoT realisation of breaches of privacy among users will be even lower as data collection moves to daily things and happens more passively. The legislation, however, often is only the response to public protests and shouts which require the realisation of incidents first of all.

At last, the economy of private life still appears for those who ignore the legislation on confidentiality. On the one hand, development of PET, ensuring compliance and audit of policies of protection of private life are expensive and can restrict business models. On the other side, violations of the law about personal privacy either remain unpunished or lead only to rather small penalties while awareness of the public still too low to cause unacceptable damage to public reputation. Thus, ignoring the legislation on personal privacy as, for example, Google intentionally bypasses the protection of tracing of users of Safari, seems profitable. In this regard, an incident of Google paid a record penalty in the amount of $22.5 million of the USA in the settlement with the Federal trade commission (FTC), but it is entirely possible that profit more than is compensated ^[2].

Will be a severe problem to draft the uniform strong legislative base for privacy protection in IoT instead of quickly revising outdated acts for unique technologies. Success, undoubtedly, will demand all-round knowledge of a technological basis of IoT and its current evolution. The key, however, will consist of a deep understanding of the current and remaining new threats of confidentiality in IoT – these threats are what the legislation shall protect from, eventually.

Authentication Methods

Implementation of intelligent devices created the incalculable potential both for customers, and for business, but thanks to it there was an opportunity for hackers to abduct valuable information from personal data in intellectual property which does the company or a product unique. On the broader context of IoT, this idea of authentication of users or devices becomes more and more widespread. For example, when we go to unblock our connected car utilising our mobile phone, we want to be sure that only we, owners, are authorised to do it to which successful “authentication” precedes. It means that users of the device (and/or the accounting entry) are that whom they speak, and have the authorised registration data for information access after that that helps to create the primary basis for support of communication and with the device on these expanded networks.

Nevertheless, presence only of one allowed user also creates problems or restrictions. For example, if the defect in the attached device is found? The supplier, most likely, will demand access to the device far off to provide updates of the software for the solution of these problems. It was evident in updates of the software of the iPhone. Therefore, the device receives the software far off but is set only after you agree with conditions, and you allow loading to begin ^[3].

If Apple had no original powers on sending you the software, you will not be able to approve loading and to maintain operability of the device effectively or effectively.

One more practical example from the courageous new world of IoT is a concept of the virtual keys for cars which you can “wear with yourself” on the mobile phone, but also you can share with other family members or service personnel in a garage and resolve them (for example, during limited time) to use your car (of course, after successful authentication).

It is necessary to set the trust level according to which the public shall be sure that correspondence arrives directly from the specified source, but not for this purpose, which creates a security risk for a network.

Thanks to several recent loud attacks in the field of cybersecurity, such as TalkTalk and Ashley Maddison, is more and more important that the enterprises assured the clients that these growing networks will be safe and will allow the user to control the data.

One of the methods of the solution of this problem of false authentication of users is the use of biometric data, that is the use of unique “biology” of individuals for access to their data. It includes unique means of identification, such as fingerprints and scanning of an iris of the eye of an eye which is incredibly tricky for reproducing.

Use of biometry and behavioural biometry (gestures, retina, etc.) creates the unique level of identification of users - indeed attributing feeling “personal” between the user and the device. It considerably increases registration this safety of the device and acts as the main barrier between hackers and their data access. When “things” communicate in IoT, registration data which are in the protected elements protected from illegal access which are built in devices can not only safeguard network access and communication but also support the protected services, such virtual private area networks, for example for updates of the software.

When the attached devices IoT/M2M (for example, the built-in sensors and the executive mechanisms or ending points) need access to IoT infrastructure, trusting relationships are initiated based on the device identifier. The method of storage and provision of the identification information can significantly differ for IoT devices. Pay attention that on typical corporate networks ending points can be identified through registration data of the person (for example, username and the password, a token or biometry). Ending points of IoT/M2M shall be printed by fingers using means which do not require interaction with the person. Such identifiers include radio frequency identification (RFID), the general secret, certificates of X.509, the MAC address of an ending point or some type of the invariable trust based on hardware.

Establishment of authenticity through certificates of X.509 provides a reliable authentication system. However, in the IoT domain memory for storage of the certificate cannot be enough for many devices or even not have the required CPU power for the execution of cryptography operations of verification of certificates of X.509 (or any type of operations with the public key).

The present identification traces, such as 802.1AR and protocols of authentication as IEEE 802.1X is defined, can be used for those devices which can control loading and memory of the CPU for storage of the strong registration data. Nevertheless, problems of new shape factors and also new modalities create an opportunity for further researches in the determination of more small-sized account types and fewer cryptography constructions and authentication protocols with intensive computation.

The second level of a framework is the authorisation controlling access of the device on all network. This level is based on the main authentication level, using the identification information of an object. With components of authentication and authorisation, the trusting relationship between IoT devices for exchange of the relevant information is established.

For example, the car can set a confidential union with another vehicle at the same supplier. Nevertheless, these trusting relationships can allow cars to exchange opportunities for safety. When an entrusted alliance is set between the same vehicle and a network of his dealer, the vehicle can have the right to share additional information, such as indications of the odometer, the last protocol of maintenance, etc.

Fortunately, the existing policy mechanisms for control and monitoring of access to consumer and corporate networks very well reflect needs of IoT/M2M ^[4]. The big task will consist in the creation of architecture, which can be scaled for processing of billions of IoT/M2M devices with different relations of trust in structure. Policies of traffic and the appropriate controls will be applied on all network to segmentation of traffic of data and establishment of open communication.

Different medical devices shall be authenticated on the local gateway at the left when sending state-of-health data of health. Then the gateway shall be authenticated in an ending point of a cloud in case of transfer of these data. Applications with the rights which will analyse and display data of working capacity also shall be authenticated in a cloud in case of a request of data. The single scalable model for all authentications mentioned above are tokens of safety – one actor is authenticated on another, including earlier received token in the messages. This token serves for identification of the first actor, allowing the second actor to accept the appropriate permission.

It is crucial for data on health and other personal information that the appropriate users controlled as their data on health are collected, shared and analysed. The dominant mechanism providing such monitoring is the requirement of the active involvement of the user in the process when different characters are given safety tokens used for the subsequent interactions. Without the consent of the user, tokens are not given, and there are no authenticated interactions. Thus, state-of-health data of health cannot proceed.

OAuth 2.0 and OpenID Connect 1.0 are the two standardised frames for authentication and authorisation, which obviously support the model stated above. Both allow the user to participate obviously in the release of tokens for the applications requiring user data – health or otherwise, – and, thus, can provide significant monitoring of confidentiality. Besides, Connect provides the built-in mechanisms of detection and registration, which are extremely important for scaling of any architecture to the number of the participants created by IoT.

One of the problems is that OAuth and Connect are still connected to HTTP. Experts in safety read that HTTP is not enough for many interactions in IoT, especially between things/devices and other participants. There was a new class of protocols which promises to be more suitable than HTTP, for such interactions, including MQ Telemetry Transport and Constrained Application Protocol. There were early researches of binding OAuth and Connect with this new category of protocols with IoT optimisation, but the operation remains.

The task to invent new mechanisms and standards for authentication of participants of IoT is not all history. The possibility of authentication in IoT consists in acknowledging the possibility of switching on new methods of authentication of users via devices and things which surround us. Use of the smartphone for two-factor authentication is an early manifestation of this tendency. Opportunities which do the smartphone by a powerful authentication factor are the same that will allow our hours, bracelets and thermostats to have a judgement on our identity – and ability to approve this judgement.

A phone does robust coefficient of authentication because for most of the users it always with them – a factor “what you have” matters a little if you cannot assume that the user has it at their instruction. But this quality which is tightly connected to the user is even fairer concerning a new class of the carriers used for monitoring of suitability of the person, a dream and other personal indices.

We will consider a bracelet of Fitbit, which gives users reviews of the daily activities. Fitbit is a tiny connected computer which is tightly connected to the specific user. Thus, Fitbit and other similar devices can facilitate authentication of the user in case of access to applications, devices or cloud services. The Nymi device accepts the idea on one step, having added biometric authentication of the user; it will not do keys which it saves for authentication, before confirmation of the electrocardiogram of the user from the saved template.

Authentication with the use of the infrastructure of OAuth over the simple level of authentication and safety (sasl) in IoT devices

OAuth is the open standard structure of authorization and the authentication protocol providing to third-party applications the limited delegated access to private resources by establishment of interaction between the third-party application and the owner of a resource and determination of a certain process to which the owner of a resource provides authorization of access to third-party applications to server resources, without tearing off their registration information (a user id, passwords, etc.) ^[5].

On the other hand, the authentication level of level and the security level (SASL) is an authentication basis for data protection in the environment of the application layer. During the provision of access to the client (for example, Facebook application, application of Twitter, etc.). For protected resources (the user account of Facebook, the accounting entry of Twitter, etc.)Originally the permissions on access to resources executed over Plain OAuth 2.0 were requested, but the last stage of authentication the client for access to resources from the owner of a resource is implemented with the use of the infrastructure of the OAuth protocol through the structure of authentication of SASL. Systematic transmissions of requests from the client for the provision of permission are given below:

Use of Plain OAuth

Step I: the client's request for provision of permission from the owner of a resource two methods: i) The owner of a resource receives the request sent per the client, directly; ii) A request is sent per the client via the intermediate server of authorisation.

Step II: authorisation is provided to the client in the form of registration data. This permission depends on whether the client for receiving a grant directly or indirectly requested.

Step III: access to the resource server is possible only by means of a certain token of access. They are requested by the client, at first verifying authenticity with the authorisation server, and then redirecting the authorisation permission got directly from the owner of a resource or indirectly via the authorisation server.

Step IV: if the client is authenticated on the servers, the server of authorisation checks the permission of authorisation and then gives an access token.

Use of OAuth over SASL

Step I: after receiving a token of access, the client requests access to private resources from the server of resources, authenticating himself by means of an access token.

Step II: the server of resources checks an access token. In case of success, the client is authenticated for access to resources on behalf of the owner of a resource.