Manuscript Number:
Dear Editor,
We are submitting our manuscript titled “Towards the inclusion of end-to-end security in the OM2M
platform” for consideration to be published in the Journal of Network and Computer Applications.
We believe that the paper may be of particular interest to this journal, as it proposes an efficient
dynamic authorization system for a oneM2M-based architecture. This innovative security scheme has
been implemented for the OM2M platform. We also provide a performance evaluation with different
devices and libraries.
We hereby state that the paper contains original information and has not been submitted to other journals.
Best regards,
Simone Patonico
*Suggested List of Potential Referees
Potential Referees
Pardeep Kumar is associate professor at the Department of Computer Science, Swansea University, email:
pardeep.kumar@swansea.ac.uk
Madhusanka Liyanage is associate professor at the School of Computer Science, University College Dublin, Ireland and
Centre for Wireless Communications, University of Oulu, Finland, email: mashuanka@ucd.ie,
madhusanka.liyanage@oulu.fi
Susanna Spinsante is assistant researcher at the Department of Information Engineering of the Università Politecnica delle
Marche, email: s.spinsante@staff.univpm.it
*Manuscript
Abstract
The exponential growth in the number of Internet of Things (IoT) devices and their potential in many applications in a vast number of domains fuelled the development of different IoT platforms, supported by big companies and industry groups. These platforms are able to provide reliable services to IoT devices and reduce the time to market for the targeted applications. Unfortunately, these proprietary solutions fragment the IoT market and hamper horizontal integration. The need to interoperate the different IoT platforms and communication protocols pushed the Standards Developing Organizations (SDOs) to the specification of a Machine-to-Machine (M2M) service layer, published as the oneM2M standard. Although the oneM2M standard provides generic guidelines to implement security solutions which include authentication, authorization, confidentiality and data integrity, more efficient security schemes should be investigated when constrained IoT devices are concerned. This paper presents two main contributions. First, a CoAPS binding for the OM2M platform is provided that enables secure and reliable communication with constrained IoT devices. Second, a lightweight dynamic access control system is designed, developed and integrated in a oneM2M-based architecture. It allows access permissions to be dynamically granted or revoked, in an anonymous way, to constrained IoT devices for controlling some actuators. From the experimental results, we can conclude that the computational complexity of the proposed security scheme is extremely low for the client device which requests data access. We show that a constrained IoT device establishes a trust relationship with the OM2M server in a few seconds.
Keywords:
CoAPS, ECQV, tinydtls, microECC, Scandium, oneM2M, interoperability, authentication, authorization
(2014)). In that situation the use of a horizontal layer (Swetina et al. (2014); Elmangoush et al. (2014)) able to mediate between different protocol stacks is mandatory. A fully interoperable platform should provide technical, syntactic and semantic interoperability.

2.1. The oneM2M standard

The oneM2M global initiative was founded in 2012 by a group of Standard Development Organizations (SDOs) together with several industrial consortia. The oneM2M service layer was conceived as a resource-based framework. This means everything is considered as a resource, and resources are organized in a hierarchical tree. To fulfil the property of technical interoperability, three standardized bindings have been included that facilitate the communication with devices using Hyper Text Transfer Protocol (HTTP), CoAP or Message Queue Telemetry Transport (MQTT) application protocols. To manipulate oneM2M resources, two message types called oneM2M primitive request and response have been defined. Bindings specify rules for encapsulating these primitive messages in HTTP, CoAP or MQTT packets so as to use them as transport vehicles. Since oneM2M has a Representational State Transfer (REST) architecture, binding with HTTP and CoAP is straightforward. To allow flexible communication protocol interoperability, an Interworking Proxy Entity (IPE) can be included. This way, any communication protocol or software framework (Wu et al. (2017)) can be integrated in oneM2M. The IPE implements the server and/or client side of the specific protocol that needs to be bound and makes the conversion between protocol-specific and oneM2M primitive messages. The oneM2M standard defines five operations to manage resources: CREATE, RETRIEVE, UPDATE, DELETE and NOTIFY (CRUD+N). Two different entities are described by the standard: Application Entity (AE) and Common Service Entity (CSE). The AE is an M2M application service logic and represents an application residing in a specific device, whereas the CSE provides a set of Common Service Functions (CSFs) to offer useful functionalities such as data and device management to the other entities. Beyond this distinction, oneM2M defines different types of nodes that are represented in Figure 1. The Infrastructure Node (IN) is the core of the oneM2M platform and must contain at least one CSE. There is only one IN per oneM2M service provider. The Middle Node (MN) is usually deployed close to the IoT sensor devices and acts as a gateway. Since this oneM2M node also has to provide services to the other nodes of the system, it must also contain a CSE. The Application Dedicated Node (ADN) can reside in a constrained IoT device and needs at least an AE to communicate with other CSEs through one of the standardized bindings. The Application Service Node (ASN) is a CSE-capable node that must contain one CSE and one AE. It can reside in an M2M device such as a smartphone. The Non-oneM2M Device Node (NoDN) does not contain any AEs or CSEs, so it requires the implementation of an IPE to communicate with oneM2M devices.

2.2. Elliptic Curve Cryptography

ECC provides lightweight public key cryptography which offers the same level of security as the ordinary Rivest-Shamir-Adleman (RSA) but with shorter keys. Since shorter keys reduce the complexity of the cryptographic operations, ECC can be used in IoT devices, avoiding the long delays of the RSA algorithm. ECC is based on the algebraic structure of elliptic curves (EC) over finite fields. We denote the curve $E_p(a,b)$ over the finite field $\mathbb{F}_p$ with the generator point $G$ of order $n$. The product $A = aG = (A_x, A_y)$, with $a \in \mathbb{F}_p$, is an EC multiplication and the result $A$ is a point of the curve. To transmit a point of the curve, it is sufficient to transmit its $x$ coordinate together with a single bit for the sign, according to the encoding rules described in (Research (2009)). The security of ECC is based on two computationally hard problems: the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Elliptic Curve Diffie-Hellman Problem (ECDHP). The ECDLP states that, given two points $A$ and $B$ of an EC, it is computationally hard to find a value $x$ such that $A = xB$. The ECDHP affirms that, given two points $A = xG$ and $B = yG$ with $x, y$ unknown, it is computationally hard to find the point $Q = xyG$.

2.3. Secure communications in oneM2M

The Transport Layer Security (TLS) or the DTLS protocols have been selected by the oneM2M standard as security solutions to protect data exchanged between different M2M devices. In our previous work (Patonico et al. (2018)), we investigated the usability of DTLS in a constrained WSN device and developed an IPE to integrate DTLS in a oneM2M CSE-capable device. In particular, we used the tinydtls library to implement DTLS clients in several WSN devices which act as NoDNs, whereas the Scandium library was exploited to develop the IPE featuring a DTLS server. We analyzed the DTLS handshake for two cipher suites: TLS_PSK_WITH_AES_128_CCM_8 and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8. The former uses symmetric key cryptography for device authentication and key exchange, making the handshake less resource-hungry. The latter uses asymmetric key cryptography, leveraging the Elliptic Curve Digital Signature Algorithm (ECDSA) for mutual authentication and the Elliptic Curve Diffie-Hellman Exchange (ECDHE) for the key exchange. Although the EC-based cipher suite offers a higher level of security, it also consumes many more resources compared to the PSK-based cipher suite. We also provided a performance comparison between these two cipher suites in the constrained NoDN by measuring the DTLS handshake duration and energy consumption.

2.4. Authentication and authorization in oneM2M

The oneM2M standard proposes several solutions for identifying and authenticating an entity which requires services from a CSE. The identification process verifies if an identity fits in a certificate. Authentication can be done through the verification of the signature in case of a certificate-based method or through computation of a Message Integrity Code (MIC) when using a symmetric key-based approach. For authorization, oneM2M proposes different methods such as RBAC, ABAC, etc. To take an access decision, the roles or attributes are evaluated against Access Control Policies (ACPs) that protect the oneM2M resources. oneM2M defines two types of dynamic authorization systems classified as direct dynamic authorization and indirect dynamic authorization. These systems, shown in Figure 2, provide temporary permission to the originator of the request to access protected resources. The direct dynamic authorization system assumes that the originator of the request had already been provisioned with an access token or a token identifier before the start of the authorization procedure. Upon reception of a request, the hosting CSE interacts
Figure 2: The dynamic authorization systems suggested in the oneM2M standard to provide temporary access permissions: (a) The direct dynamic
authorization system assumes that the originator of the request is pre-provisioned with access tokens; (b) In the indirect dynamic authorization
system, the originator of the request has to request access tokens to the dynamic authorization server before being able to access the protected
resources from the oneM2M hosting CSE.
with the dynamic authorization server before computing the access decision. In the indirect dynamic authorization system, the originator of the request receives token request information from the hosting CSE in case of denied access. Then, the originator can use this token information to request either a token or a token identifier from the dynamic authorization server. The OM2M implementation only includes a basic authorization module which defines one or more ACPs. The oneM2M originator, which is a parameter of a oneM2M primitive request, is evaluated against these ACPs and access is granted when at least one ACP allows it. We now propose an efficient scheme following the different steps described in the indirect dynamic authorization scheme, where in addition a common shared secret session key is established between the originator and the hosting CSE in an anonymous way.

3. Related work

Since we provide a security solution for constrained IoT sensor devices using the DTLS protocol on the one side and a customized IAM solution for client IoT devices wanting to access protected resources on the other side, related work will be split in two paragraphs. In the first one we present the state of the art of DTLS implementations used in constrained IoT sensor nodes. In the second one we investigate security systems with focus on device authorization in oneM2M-based architectures.

3.1. DTLS in WSN devices

The usage of the DTLS handshake on constrained WSN devices can be very costly in terms of energy consumption and computation time. For this reason, several research works focus on solutions that move the computational complexity of the DTLS handshake from the WSN devices to a more powerful router or gateway. (Granjal and Monteiro (2016)) propose a mediated DTLS handshake which moves the ECC complexity of the mutual authentication and key exchange from the sensor device to a more powerful border router. The communication between constrained sensor devices and the border router is still secured using the DTLS protocol but with the Pre-Shared Key (PSK) cipher suite that is much more lightweight. However, their approach requires the deployment of access control servers and a certificate authority to provide reliable authentication of the sensor devices. A solution based on a DTLS terminated gateway is described by (Van den Abeele
et al. (2015)). This gateway can perform multiple DTLS handshakes with multiple Internet hosts and can maintain a long-lived DTLS session with constrained WSN devices. This way, they avoid that multiple DTLS handshake sessions exhaust the limited resources of WSN devices. Moreover, the gateway offers a flexible solution, permitting public key cryptography for the DTLS session with the Internet hosts and a more suitable PSK cipher suite for establishing a secure channel with WSN devices. Our previous work (Patonico et al. (2018)) provides a solution to perform the DTLS handshake with the ECC-based cipher suite using the tinydtls library on the constrained Zolertia RE-mote. However, we were forced to add an extra handshake message from the client side to acknowledge the ServerKeyExchange message, avoiding overwhelming the constrained client with other handshake messages during the signature verification procedure. (Staudemeyer et al. (2018)) propose to integrate different ECC implementations such as MicroECC in tinydtls to speed up the EC point multiplication. In the same direction, (Capossele et al. (2015)) provide an extensive study on the use of DTLS with the ECC cipher suite in very constrained WSN devices. To speed up the DTLS handshake, they propose several optimizations in the calculation of the EC multiplication for a customized WSN platform with an 8-bit ultra-low power 16 MHz microcontroller. They also measured the improvements in terms of latency and energy consumption of each optimization. They were able to perform an EC multiplication in tens of milliseconds, but their solution was tailored to their specific platform. (Patonico et al. (2018)) offers a solution that integrates DTLS into the OM2M framework. No application protocol has been included in (Patonico et al. (2018)), which in contrast is the case in (Granjal and Monteiro (2016); Van den Abeele et al. (2015); Staudemeyer et al. (2018); Capossele et al. (2015)). Therefore, we extend our previous work to a CoAPS implementation and made a corresponding binding to the OM2M platform.

source owner password credentials” grant type to issue the token. This solution can only be used with trusted clients that can securely store the owner’s credentials. (Lee et al. (2018)) propose to integrate a blockchain framework in a oneM2M-based architecture. This way, they improve the security of data storage by moving from a standard centralized database used by oneM2M to the distributed approach offered by the blockchain technology. They used Logchain, a type of blockchain suitable for IoT platforms, with blind voting as consensus rule. (Hsu and Lin (2017)) follow the guidelines of the oneM2M standard to implement a certificate-based authentication and authorization system which uses a Machine-to-Machine Enrolment Function (MEF) for credentials provisioning. They also developed two solutions for the OM2M implementation that avoid the use of the same certificate in multiple machines. Their security system requires a certificate-based TLS handshake that is too heavy for constrained WSN devices. Even on a standard PC implementation, the total process takes more than 8 s. A certification procedure for IoT/M2M devices is provided by (Neisse et al. (2017)). The authors propose to combine model-based testing and policy-based management to detect vulnerabilities in IoT platforms and enforce runtime policies to correct the problem. As a test case, they evaluate the security level of access control policies of oneM2M. The use of Software Defined network Perimeters (SDP) to provide advanced security features for oneM2M-based platforms has been investigated in (Balfour (2015)). However, SDP uses certificates to authenticate and authorize M2M devices requiring access, which cannot be used for constrained WSN devices. For the implementations of (Oh and Kim (2017); Lee et al. (2018); Neisse et al. (2017); Balfour (2015)), performance results are not provided. None of the approaches (Oh and Kim (2017); Lee et al. (2018); Hsu and Lin (2017); Neisse et al. (2017); Balfour (2015)) include anonymity during the authorization and authentication process.
4.1. System architecture

The proposed dynamic authorization system is a complete security solution which takes care of sensor data integrity and confidentiality as well as client identification, authentication and authorization. The set-up demonstrating this solution is represented in Figure 3. It consists of six entities:

• A Sensor Owner, who deploys several WSN devices in the field to measure some physical parameters.

• A WSN, which consists of several Zolertia RE-motes featuring several sensors. These devices can securely send data by exploiting CoAP and DTLS. These data will be opportunely decrypted and transformed in oneM2M resources by the CoAPS binding software that we added to the OM2M gateway.

• An OM2M gateway, which is a oneM2M MN-CSE providing the CoAPS interface to securely receive data from the WSN devices. The OM2M gateway exploits a pre-installed HTTPS channel to forward the sensor data to the more storing-capable OM2M server.

• An OM2M server, which is a oneM2M IN-CSE in charge of storing the data gathered by the WSN and relayed by the OM2M gateway. The OM2M server must also guarantee that only authenticated and authorized clients can access the protected oneM2M resources.

• A Dynamic Authorization Server (DAS), which is the entity that stores dynamic access information obtained through interaction with the sensor owner during the installation phase. This external server uses a MySQL database to store access tokens, linked to specific WSN devices deployed by the sensor owner.

• A Client that wants to access the protected resources from the OM2M server. This entity needs to communicate with the DAS to obtain a ticket before being able to retrieve data from the OM2M server.
We also assume the presence of a secure channel between the OM2M server and the DAS, and between the OM2M server and the OM2M gateway. These channels are fundamental for the exchange of sensitive authorization information and the privacy of sensor data, respectively. Moreover, the OM2M server and the DAS share a symmetric key that will be used to verify the client’s authenticity in an anonymous way.

4.2. CoAPS binding for oneM2M

In previous work (Patonico et al. (2018)) we modified the tinydtls library, which is a lightweight implementation of the DTLS protocol, to fix the problems during the handshake when we use the EC-based cipher suite in the Zolertia RE-mote. We also developed an IPE to implement a DTLS server in the oneM2M IN-CSE using the Scandium library. To improve the integration and usability of DTLS in oneM2M devices, we created the CoAPS protocol binding which features CoAP and DTLS. Following the same approach as the other standardized bindings, we registered the CoAPS service by extending the RestClientService.java class. We also modified the Erbium implementation of CoAP in Contiki OS to integrate the security features provided by tinydtls. This mainly involves the addition of the files er-coap-dtls.c and er-coap-dtls.h to provide the APIs for the data encryption/decryption and the installation of security credentials for the mutual authentication. Moreover, we replaced the ECC implementation included in tinydtls with the MicroECC library that speeds up the EC multiplication and addition operations. This way, constrained WSN devices can verify the signature of the other party using the ECDSA in a couple of seconds. The WSN devices are programmed as CoAPS clients and they initiate the DTLS handshake with the CoAPS server involved in the CoAPS binding. Once the handshake is completed, CoAPS clients and the oneM2M MN-CSE can communicate securely using the established session key.

4.3. Security scheme for client authentication and authorization

Client authentication and authorization are fundamental features of a security system that provide protection against several attacks such as impersonation, man-in-the-middle, denial of service, replay, etc. To avoid leakage of sensitive data, strong authentication and authorization solutions should be deployed. The oneM2M standard suggests different solutions to tackle unauthorized access to protected resources. In this paper, we follow the guidelines related to the indirect dynamic authorization system which is represented in Figure 2b. Since the communication between the access request originators and DAS (steps 3-4 of Figure 2b) is not defined in the oneM2M technical specification TS-0003, we developed our own authorization system and added the anonymity feature to it. The security scheme has been designed to be as lightweight as possible. Beyond client authentication and authorization, the security scheme allows the client and OM2M server to agree on a session key that can be used to establish a secure channel. The security scheme consists of three phases:

• Installation phase: the sensor owner creates dynamic authorization information per WSN device.

• Registration phase: the client registers to a particular resource and receives a temporary access right (token) to the resource, possibly after a successful payment.

• Key Agreement phase: the client requests access to the protected resource. The OM2M server evaluates the access request after the client’s authenticity has been verified. If resource access is granted, client and OM2M server end up sharing a common session key.

4.3.1. Installation phase

The installation phase is started by the DAS. It establishes a connection with the MySQL database, generates its private key $k$ and public key $P_{DAS}$ using the APIs of the BouncyCastle library and creates a table called ACCESS TOKEN to store dynamic access tokens issued by the sensor owner. The ACCESS TOKEN table contains information about a specific access token, such as:

• token identifier: a seven-character unique identifier;

• issuer: the unique identifier of the AE created by the WSN device in the OM2M server;

• holder: always the DAS entity;

• validity period: the time interval in which the access token is considered valid and can be used to access the protected resource;

• token name: the name of the resource that the token is protecting (e.g. temperature, humidity, etc.);

• audience: the unique identifier of the client that received the access token;
Figure 4: The Login Page (a) and Token Creation Page (b) used by the owner of the sensor nodes to define new access tokens for the ones he has
deployed.
• permission: the level of permissions granted to the client. There are two levels of permissions, retrieve only or retrieve plus discovery, identified by the numbers 32 and 34 respectively. For retrieve only, the client is authorized to request just the latest measurement; whereas in case of retrieve plus discovery, the client can retrieve all the measurements of the requested resource;

• business data: some information detailing the type of subscription chosen by the client and the fee to receive the access token.

The sensor owner can deploy his WSN devices that will automatically start the DTLS handshake with the OM2M gateway using asymmetric key cryptography for mutual authentication and key exchange. Next, the WSN devices will use the CoAPS protocol to securely send new sensor data to the OM2M gateway which will forward it to the OM2M server. At this point, we assume that the DAS and the sensor owner are provisioned with valid certificates by a third-party Certificate Authority (CA). This way, the sensor owner can install the valid certificate in his browser and can securely access the login.html page provided by the DAS entity. Upon successful login, the sensor owner is redirected to the createTokens.html page where he can issue new access tokens. In particular, the sensor owner must specify the name of the protected resource, the level of permission and the type of subscription needed for billing associated to the new access token. The login.html and createTokens.html webpages are shown in Figure 4.

4.3.2. Registration phase

The registration phase has two main functionalities that are needed for the key agreement algorithm: the derivation of the client’s key pair and the client’s subscription to a particular access token. Assuming that each client is pre-provisioned with a unique identifier by the manufacturer, the derivation of security credentials for the client is performed using the ECQV scheme (Qu (2000)). The ECQV is a very efficient algorithm that allows a TTP to issue an implicit certificate and derive the key pair to the client without the necessity of a secure channel between TTP and client. (Brown et al. (2002)) have proven the security of this scheme. Thanks to its efficiency, the ECQV implicit certificate scheme has been studied to improve the security features in IoT applications (Park (2017)). In our scheme, the DAS assumes the role of the TTP to perform the ECQV implicit certificate protocol with the client. Figure 5 represents all the cryptographic operations performed by the two entities as well as the messages exchanged.

The scheme is started by the client that requests the derivation of its key pair and corresponding certificate to the DAS. For doing so, the client generates a random value $u$, obtains the point $U = uG$ by performing an EC multiplication and sends its identifier $ID_u$ and the computed point $U$ to the DAS. The latter also generates a random value $a$, computes the point $A = aG$ as an EC multiplication and the client’s implicit certificate $cert_u = U + A$ executing an EC addition. Next, the DAS computes the implicit signature as:

$$q_u = H(cert_u \| ID_u)\, a + k$$

and the client’s public key as:

$$P_u = H(cert_u \| ID_u)\, cert_u + P_{DAS}$$

where the hash operation SHA256 is denoted by $H()$ whereas the concatenation operation is represented by the symbol $\|$. The client’s certificate $cert_u$, the implicit signature $q_u$ and the DAS’s public key $P_{DAS}$ are sent to the client over the public channel. Upon reception of the message $(cert_u, q_u, P_{DAS})$, the client derives its private
Figure 5: The Elliptic Curve Qu-Vanstone algorithm that is used by the client to derive its key pair and receive the implicit certificate from the
DAS.
and public key respectively as:

$$d_u = H(cert_u \| ID_u)\, u + q_u$$

$$P_u = d_u G$$

Since the client’s private key is computed using secret information of both client and DAS, there is no key escrow problem. To verify the authenticity of the DAS, the client can also compute its own public key by using the public key of the DAS:

$$P_u^* = H(cert_u \| ID_u)\, cert_u + P_{DAS}$$

If $P_u$ equals $P_u^*$, the client is sure about the authenticity of the certificate received and can trust the key pair computed using the DAS’s implicit signature $q_u$. Note that given $cert_u$, $ID_u$ and $P_{DAS}$, which are public information, any other entity of the system can compute the public key $P_u$. Upon reception of an ECQV initialization request from a client, the DAS stores the client’s identifier $ID_u$, certificate $cert_u$ and public key $P_u$ in the CLIENTS table created in a MySQL database. This is done to maintain a list of all clients that performed the ECQV scheme with the DAS. The second part of the registration phase consists in the client’s subscription to a particular resource protected by a specific access token. The client communicates with the DAS to receive an access token. The client’s subscription algorithm is described in Figure 6. To start, the client generates two random numbers $c$, $z$ and a timestamp $T_R$. Next, it computes the EC point $Z = zG$, and two symmetric keys, denoted $K_r$ and $K_z$, using a Diffie-Hellman based construction using $P_{DAS}$ and $Z$ respectively. The last one allows anonymous encryption of the subscription request $Sub$ which includes the resource in which the client is interested, denoted $R_n$, the type of subscription chosen, denoted $Type$, the random number denoted $c$, the identity of the client denoted $ID_u$ and the key denoted $K_r$. The inclusion of the key $K_r$ guarantees the authentication of the client. The subscription request $Sub$ is sent to the DAS together with the timestamp of the request $T_R$ and the point $Z$. Upon reception of the request, the DAS computes the key $K_z$ using $Z$ and the received timestamp $T_R$, and decrypts $Sub$ in order to obtain the name of the resource $R_n$ the client is interested in, the type of subscription chosen $Type$, the random number $c$, the client’s identifier $ID_u$ as well as the key $K_r$. Next, it checks if the client’s identifier and corresponding public key $P_u$ are already present in the CLIENTS table. Then, it computes the same disposable symmetric key $K_r$ using the received timestamp $T_R$ and checks if it corresponds with the received value. Next, the CLIENTS
Figure 6: The client’s subscription algorithm to obtain dynamic authorization information from the DAS.
table is updated with resource name and subscription type obtained from the ciphertext $Sub$. The DAS generates a new symmetric key $K_t$, based on the usage of the masked identity $Q_u = H(ID_u \| c)$ and the common shared key $K_s$ with the OM2M server. The key $K_t$ is used to derive the so-called ticket for the client, denoted by $Ticket$ in step 12 of Figure 6. The ticket includes the specific token identifier corresponding to the resource the client is interested in, the name of the resource and the expiration date. Finally, the DAS sends the ticket, encrypted with the key $K_r$, back to the client in response to the subscription request.

4.3.3. Key agreement phase

The client uses the key agreement algorithm, shown in Figure 7, to compute and share a common session key $SK$ with the OM2M server. Beyond this, the algorithm allows the OM2M server to verify the client’s authenticity while the DAS checks if the presented ticket contains a valid token identifier for the requesting client. In the following we describe the necessary operations and data exchanges performed by the three entities involved. First, the client generates the masked identity $Q_u$ using the secret random number $c$ and sends a message containing the masked identity $Q_u$ and the ticket received during the registration phase to the OM2M server. As soon as the OM2M server receives the authentication request, it computes the decryption key $K_t$, using the client’s masked identity and the common shared key $K_s$, to allow the decryption of the ticket. If the result contains a valid resource name $R_n$, a valid expiration time and a fresh token identifier, the client is authenticated. Then, the OM2M server generates a timestamp $T_s$, retrieves the AE identifier containing the measurements corresponding to the requested resource and sends a message which consists of the AE identifier, $T_s$ and the token identifier over the secure HTTPS channel. Upon reception of this message, the DAS verifies the presence and validity of the token identifier in the ACCESS TOKEN table and updates it with the received AE identifier. If this verification succeeds, the client is considered authorized to access the protected resource. The DAS computes the session key $SK$ using the received timestamp $T_s$ and delivers it to the OM2M server through the secure HTTPS channel. Finally, the OM2M server sends the timestamp $T_s$ and the Uniform Resource Identifier (URI) of the requested resource, encrypted with $SK$, to the client so that it can compute the
11
Figure 7: The Key Agreement algorithm used by the client and OM2M server to establish a common session key SK with the help of the DAS.
During this phase the client is also authenticated by the OM2M server and authorized by the DAS.
same session key and check the validity by verifying • Man-in-the-middle attacks: In the subscription al-
if the decryption leads to a valid URI. This shared ses- gorithm, an attacker intercepting the subscription
sion key can now be used by client and OM2M server to and corresponding response messages is not able to
create a secure channel for the coming session. Every change the subscription message to a useful mes-
time the client wants to refresh the secret credentials, sage without being able to solve the ECDLP. In the
it can freely initiate a new registration phase. This dy- key agreement phase, an attacker is not able to cre-
namic access control system requires the execution of ate a valid ticket, without knowledge of the com-
a few EC multiplications, encryptions/decryptions and mon shared key between DAS and OM2M server.
hash operations and hence is extremely lightweight. For In addition, the attacker cannot force the response
this reason, even a constrained client, unable to store of the OM2M server to the client without being
and send the heavy X.509 certificates, can authenticate able to know the secret key of either the client or
itself with other parties. the DAS.
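The three-party exchange described in the subscription and key agreement phases above, together with the two ticket-related man-in-the-middle checks from the security analysis, as an added stand-alone example (this is not the paper's or the OM2M project's code). It models the DAS issuing Ticket = Enc_Kt(token ‖ expiry ‖ Rn) and recording the token in its ACCESS TOKEN table, the OM2M server deriving Kt from Qu and Ks to authenticate the client, the DAS binding the AE identifier and computing SK from Ts, and the client recomputing SK and checking that a valid URI decrypts. Everything the page does not fix is an assumption made for the demonstration: the HMAC-based KDF, the concrete ticket layout, the derivation of SK from the client/DAS key Kr, Qu and Ts, the stand-in authenticated encryption built from HMAC-SHA256 (so the code runs on the standard library alone), and all sample identifiers, keys and the fixed clock value.

```python
"""Added example (not the paper's or OM2M's own code): a stand-alone model of
the DAS ticket issuance (subscription phase), the client/OM2M server/DAS key
agreement phase and the man-in-the-middle checks (forged and replayed ticket).
Key derivations, ticket layout and the cipher are assumptions for the demo."""
import hashlib
import hmac
import os
import struct

def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-based key derivation (assumption: the paper fixes no KDF here)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption (HMAC keystream XOR + HMAC tag) so the
    example needs only the standard library; the page just says 'encrypted'."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(kdf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify (forgery or wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, want):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(kdf(key, b"enc"), nonce, len(ct))))

def session_key(kr: bytes, qu: bytes, ts: bytes) -> bytes:
    """SK derived by the DAS and recomputed by the client from Ts (assumption:
    bound to the client/DAS key Kr, the masked identity Qu and Ts)."""
    return kdf(kr, b"session" + qu + ts)

class DAS:
    """Ks is shared with the OM2M server; per-client Kr comes from registration."""
    def __init__(self, ks: bytes):
        self.ks, self.clients, self.access_tokens = ks, {}, {}  # Qu -> Kr; token -> row

    def subscribe(self, qu: bytes, rn: bytes, ttl: int, now: int) -> bytes:
        """Step 12 of Figure 6: Ticket = Enc_Kt(token || expiry || Rn), recorded in
        the ACCESS TOKEN table and returned to the client encrypted under Kr."""
        token = os.urandom(8)
        self.access_tokens[token] = {"qu": qu, "rn": rn, "ae": None}
        kt = kdf(self.ks, b"ticket" + qu)                       # Kt from Qu and Ks
        ticket = encrypt(kt, token + struct.pack(">Q", now + ttl) + rn)
        return encrypt(self.clients[qu], ticket)

    def authorize(self, ae_id: bytes, ts: bytes, token: bytes):
        """Check the token identifier, bind the AE identifier, return SK or None."""
        row = self.access_tokens.get(token)
        if row is None or row["ae"] is not None:                # unknown or already used
            return None
        row["ae"] = ae_id
        return session_key(self.clients[row["qu"]], row["qu"], ts)

class OM2MServer:
    def __init__(self, ks: bytes, das: DAS, resources: dict):
        self.ks, self.das, self.resources = ks, das, resources  # Rn -> (AE id, URI)
        self.used_tokens = set()                                # token freshness

    def key_agreement(self, qu: bytes, ticket: bytes, now: int):
        """Authenticate the client from its ticket, obtain DAS authorization and
        answer (Ts, Enc_SK(URI)); None means the request was rejected."""
        plain = decrypt(kdf(self.ks, b"ticket" + qu), ticket)  # same Kt as the DAS
        if plain is None or len(plain) < 16:
            return None
        token, expiry, rn = plain[:8], struct.unpack(">Q", plain[8:16])[0], plain[16:]
        if expiry < now or rn not in self.resources or token in self.used_tokens:
            return None
        self.used_tokens.add(token)
        ts = struct.pack(">Q", now)
        ae_id, uri = self.resources[rn]
        sk = self.das.authorize(ae_id, ts, token)               # over HTTPS in reality
        return None if sk is None else (ts, encrypt(sk, uri))

def client_finish(kr: bytes, qu: bytes, ts: bytes, enc_uri: bytes):
    """Client side: recompute SK from Ts and accept only if a valid URI decrypts."""
    sk = session_key(kr, qu, ts)
    uri = decrypt(sk, enc_uri)
    return None if uri is None or not uri.startswith(b"/") else (sk, uri)

def run_scenario():
    """Constructed run: one honest exchange, then a forged and a replayed ticket."""
    now, ks = 1_700_000_000, os.urandom(32)                     # fixed clock, DAS/server Ks
    das = DAS(ks)
    server = OM2MServer(ks, das, {b"temperature": (b"AE-sample-001", b"/in-cse/ae-temp/data/la")})
    kr, c = os.urandom(32), os.urandom(16)                      # client's Kr and secret c
    qu = hashlib.sha256(b"client-42" + c).digest()              # Qu = H(IDu || c)
    das.clients[qu] = kr                                        # registration phase (assumed)
    ticket = decrypt(kr, das.subscribe(qu, b"temperature", 600, now))
    reply = server.key_agreement(qu, ticket, now)
    honest = client_finish(kr, qu, *reply) if reply else None
    forged = encrypt(os.urandom(32), bytes(8) + struct.pack(">Q", now + 600) + b"temperature")
    forged_ok = server.key_agreement(qu, forged, now) is not None
    replay_ok = server.key_agreement(qu, ticket, now) is not None
    return honest, forged_ok, replay_ok
```

`run_scenario()` returns the honest client's (SK, URI) pair and two booleans that both come out False: the ticket minted without Ks fails the tag check on the server, and the replayed ticket is refused because its token identifier is no longer fresh (the server has seen it and the DAS row is already bound to an AE identifier). The client never learns the token itself, which is why SK is derived here only from material the client and DAS share plus Ts.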
Phase               | Client operations         | PC (ms)      | Raspberry PI 3B (ms) | Zolertia RE-mote (ms)        | Zolertia RE-mote (ms)
                    |                           | BouncyCastle | BouncyCastle         | Hardware Acceleration Engine | tinydtls-microECC
--------------------|---------------------------|--------------|----------------------|------------------------------|----------------------
ECQV registration   | 3T_m + 1T_a + 2T_h        | 3.45         | 114.04               | 1039.19                      | 3000.06
Client subscription | 3T_m + 2T_s + 2T_h        | 3.45         | 113.98               | 1034.41                      | 2987.89
Key agreement       | 1T_m + 1T_s + 2T_h        | 1.15         | 38.03                | 344.95                       | 998.04
Total               | 7T_m + 1T_a + 3T_s + 6T_h | 8.05         | 266.05               | 2418.55                      | 6985.99
constrained Zolertia RE-mote, we replaced the standard ECC implementation of tinydtls with the microECC library. Although microECC increases the RAM consumption of DTLS by about 150 B, it speeds up the EC multiplication operation almost 10 times. This way, it is possible to perform the DTLS handshake using the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite in a few seconds.

The inclusion of both CoAP and DTLS makes heavy use of the device's RAM and causes it to overflow. To avoid this, we needed to modify the standard values of some of the variables defined in Contiki 3.0. The applied modifications are reported in Table 4. Note the necessary increase in the stack space to avoid unwanted reboots during the DTLS handshake.

7. Conclusion

The interoperability offered by the oneM2M standard is an essential feature for many M2M applications which adopt heterogeneous hardware and different communication technologies. However, the security of oneM2M-based architectures should be carefully designed and implemented to avoid unauthorized data access and leakage of private information. In this paper we propose two solutions to enhance the security features of the OM2M platform. First, we integrated the CoAPS binding to secure the communication between the OM2M gateway and WSN devices. Second, following the principles of the indirect dynamic authorization system suggested in the oneM2M standard, we designed and implemented a lightweight anonymous IAM system for the OM2M platform to allow client devices and the OM2M server to establish a trust relationship as well as a secure channel. Since the proposed scheme only uses lightweight cryptographic operations, the computational complexity to provide client authentication, client authorization and key agreement is very low. To perform all the required cryptographic operations the client device needs about 8 ms when a personal computer is used and 266 ms on a Raspberry PI 3B. We prove that the scheme can be used even for constrained clients such as Zolertia RE-motes. Indeed, it only takes 7 seconds to perform all the cryptographic operations involved in the security scheme on these devices when tinydtls and microECC are used. This time can be reduced to 2.5 seconds if the cryptographic operations are performed with the hardware acceleration engine of the Zolertia RE-mote.
*Author Biography
Simone Patonico obtained the Bachelor and Master degree in Electronics Engineering
from Università Politecnica delle Marche (UNIVPM) respectively in 2014 and 2017.
Currently, he is a Ph.D. student under the supervision of Prof. Kris Steenhaut and Prof.
An Braeken at the Department of Electronics and Informatics (ETRO) at Vrije
Universiteit Brussel (VUB). As member of the research group, he worked on the
Horizontal-IoT project to investigate the interoperability between different application
protocols using the oneM2M standard. He also contributed to the Inter-OM2M project
which focuses on the creation of a common middleware to link different interoperable
frameworks. His research interests include the investigation, design and implementation of
communication and security protocols in wireless sensor networks.
*Conflict of Interest
Declaration of interests
☒ The authors declare that they have no known competing financial interests or personal relationships
that could have appeared to influence the work reported in this paper.
☐ The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:
Simone Patonico