Online applications are often composed of services provided by multiple service providers. In some cases, a service consumer may want to use a service anonymously to preserve the privacy of their identity data. This becomes even more problematic when IoT devices are included in a composite service, as these devices could provide a link to the service consumer’s identity. However, authentication of the included IoT devices is necessary to prevent adversarial attacks.
In this work, we investigated different anonymous authentication schemes regarding their suitability for authenticating IoT devices that participate anonymously in a service composition system. We introduce a registration and authentication scheme based on hash-chain authentication, which provides anonymous authentication of IoT devices against a service composition system for a determined number of requests.
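The sketch below is an added illustration of why hash-chain authentication yields a bounded number of requests. It is a generic Lamport-style hash chain, not the registration and authentication scheme introduced in this work. SHA-256, the `Device` and `Verifier` classes and the `register` interface are all assumptions made for the example.

```python
import hashlib
import os

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

class Device:
    """Holds a secret seed and the chain seed, H(seed), ..., H^n(seed)."""
    def __init__(self, seed: bytes, n: int):
        self._chain = [seed]
        for _ in range(n):
            self._chain.append(H(self._chain[-1]))
        self._next = n - 1               # index of the next value to reveal

    @property
    def anchor(self) -> bytes:
        return self._chain[-1]           # H^n(seed), handed over at registration

    def next_token(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; device must register again")
        token = self._chain[self._next]
        self._next -= 1
        return token

class Verifier:
    """Stores only chain heads and remaining budgets, no device identity."""
    def __init__(self):
        self._heads = {}                 # current head -> requests remaining

    def register(self, anchor: bytes, n: int) -> None:
        self._heads[anchor] = n

    def authenticate(self, token: bytes) -> bool:
        # A valid token is the preimage of some stored head.
        remaining = self._heads.pop(H(token), None)
        if remaining is None:
            return False                 # unknown chain, replay, or forgery
        if remaining - 1 > 0:
            self._heads[token] = remaining - 1   # token becomes the new head
        return True

if __name__ == "__main__":
    dev = Device(os.urandom(32), n=3)    # constructed sample: budget of 3 requests
    svc = Verifier()
    svc.register(dev.anchor, 3)
    tok = dev.next_token()
    print(svc.authenticate(tok), svc.authenticate(tok))   # accepted, then replay rejected
```

In this sketch, successive tokens from one chain can be linked to each other by the verifier (each hashes to the previous head), but the verifier holds nothing that names the device.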