e-ISSN 2757-5195
Çanakkale Onsekiz Mart University
Journal of Advanced Research in Natural and Applied Sciences
Open Access
doi.org/10.28979/jarnas.1034534
2022, Vol. 8, Issue 4, Pages: 677-694
dergipark.org.tr/tr/pub/jarnas
Group-Based Authentication Methods in The OneM2M Ecosystem
İbrahim Uğur Aba1,*, Erhan Taşkın2
1 Department of Computer Engineering, Faculty of Engineering, University of Turkish Aeronautical Association, Ankara, Türkiye
1 Department of Artificial Intelligence Technology, Graduate School of Natural and Applied Sciences, Ankara University, Ankara, Türkiye
2 Cloud DevOps Architect at Afiniti, İstanbul, Türkiye
Article History: Received: 09.12.2021; Accepted: 20.07.2022; Published: 15.12.2022
Research Article
Abstract − The number of devices, the essential element of the Internet of Things (IoT) environment, has exceeded the number of devices traditionally connected to the Internet. This situation is considered positive for the IoT concept but still has negative consequences. Undoubtedly, the most prominent and most important among these consequences is the security of the devices and of the constructed IoT environment. Group-based authentication and authorization methods are crucial to ensure the safety of many IoT devices and the environment. In this study, the “auth” mechanism, which performs group-based authentication and authorization processes and serves from the first moment the devices in the IoT environment are included in the system until they leave the system, has been developed. In the development process of the “auth” mechanism, the Mobius IoT platform, which is evaluated as a golden sample by the oneM2M global organization and developed as open-source code, is taken as the basis. The “auth” mechanism was tested in three different test environments (simulation, physical, and cloud) using five different test scenarios. By using the group management module provided by the IoT service platform and the “auth” mechanism together, it has been observed that, according to performance measurements, up to 4 times efficiency is provided in the computational overhead on the devices and the signal traffic in the environment. Because the “auth” mechanism was developed with a flexible structure, it can be operated independently from the IoT server platform, allowing interoperability between oneM2M-based IoT server platforms.
Keywords − Group-based authentication, internet of things, oneM2M, open-source IoT server platform, security
1. Introduction
The internet of things (IoT) is a new network structure in which all devices are connected and may
communicate with each other via the internet. IoT can be relevant for numerous application fields such as
smart transportation, tourism service, medical treatment, energy management, and education (Su, Wong, &
Chen, 2016). In addition to these, smart homes, smart cities, and smart production stand out as other important
application areas. IEEE defines this notion as “A network of items - each embedded with sensors - which are
connected to the Internet” (Define IoT, 2015).
The research company Gartner shows the current and near-future situation of the Internet of Things through
several studies. A study done in 2019 anticipated that the number of terminal units utilized in the corporate
and automobile industries would reach 5.81 billion in 2020. That number translates to an increase of 21 percent
compared to the previous year. The report also notes that the sector with the greatest increase will be
building automation, with 42 percent (Gartner, Inc., 2019). In another study done by Gartner
in 2018, 20 percent of the institutions surveyed stated that they had been exposed to at least one IoT-based
cyberattack from 2015 to 2018. Researchers believe that the expenditure made in 2018 to assure security in the IoT will reach 1.5
billion dollars, and by 2021 this amount will climb to 3.5 billion dollars (Gartner, Inc., 2018). The analysis
conducted by the IoT Analytics research organization published in November 2020 indicated similar results
with Gartner's investigations. The analysis found that despite the COVID-19 global pandemic's detrimental
consequences, the IoT market continues to flourish and grow in 2020. The most interesting information revealed by the study was that for the first time in 2020, the number of IoT devices surpassed the number of
devices that can typically connect to the Internet (computers, phones, tablets, etc.). At the end of 2020, it was
anticipated that 11.7 billion of 21.7 billion active internet-connected devices world-wide, about 54 percent,
will be IoT devices. It was also projected that the number of IoT devices would climb to 30 billion in 2025,
and 4 IoT devices will be used per person according to the world population (IoT Analytics, 2020). In the study
published by IoT Analytics in May 2022 and explaining the status of IoT in 2022, it was stated that terminal
devices will increase by 18 percent and reach 14.4 billion end devices globally. While this supports the results
of previous studies, it shows the recovery in the IoT markets, where the chip shortage continues. In 2021,
the number of global IoT connections increased by 8% to 12.2 billion active endpoints, a significantly lower
rate than in previous years. Despite a surge in demand for IoT solutions and positive sentiment in the IoT community
and most IoT end markets, IoT Analytics anticipates the chip shortage to have a long-term impact on the
number of connected IoT devices. The ongoing COVID-19 pandemic and general supply chain interruptions
are also challenges for IoT industries. The Internet of Things industry is estimated to expand 18% to 14.4
billion active connections by 2022. It is predicted that there will be around 27 billion linked IoT devices by
2025, as supply restrictions ease and demand increases (IoT Analytics, 2022).
The participation of so many IoT devices in the ecosystem poses numerous issues. In the study conducted by
AIOTI, it was revealed that there are more than 100 protocol recommendations in 9 key categories (The
Alliance for Internet of Things Innovation, 2019). There is a large amount of study and development on classical
authentication and key agreement (AKA) and group-based AKA. The key objectives of this research are
to perform mutual authentication and key exchange between end devices, to guarantee
confidentiality and data integrity, to minimize bandwidth usage, and to define the most
efficient and uncompromising AKA method.
The earliest proposal of the group-based authentication and authorization strategy is the G-AKA technique
(Chen, Wang, Chi & Tseng, 2010). In this protocol, a mobility management entity (MME) can authenticate
additional end devices in the group using information obtained from the authentication of the first end device.
Thus, bandwidth usage for the authentication of the other end devices in the group is greatly lowered. However, it
does not give a solution to the signal traffic that arises when several end devices wish to authenticate
synchronously, and it is vulnerable to the widely used man-in-the-middle (MitM) and denial-of-service (DoS)
attacks. SE-AKA (Lai, Li, Lu & Shen, 2013) and EG-AKA (Jiang, Lai, Luo, Wang & Wang, 2013) have been
presented, which are based on G-AKA and provide safety standards not found in G-AKA. However, the high
computational burden due to asymmetric key operations stands out as the weak point of both protocols.
The NOVEL-AKA protocol employs symmetric keys to lessen the computational cost; however, it raises
security difficulties (Lai, Li, Li & Cao, 2013). The GBAAM-AKA protocol was proposed to strengthen security
in group-based AKA protocols (Cao, Ma & Li, 2015). However, the usage of asymmetric keys produces a high
transaction burden and cannot secure privacy. PRIVACY-AKA employs asymmetric cryptography to provide
secrecy (Fu, Song, Li, Zhang & Zhang, 2016). Although the protocol is robust to attacks, it creates a
significant processing burden and does not offer forward and backward privacy. The GLARM-AKA protocol has
been designed to decrease the computational and communication overhead; the protocol is beneficial for
resource-constrained end devices, but it is not effective in terms of impersonation attacks and privacy protection (Lai, Lu,
Zheng, Li & (Sherman) Shen, 2016). The GR-AKA protocol has been suggested to assure security and privacy
(Li, Wen & Zheng, 2016). The sophisticated and time-consuming Lagrange Multiplier (LC) is employed in
the GR-AKA protocol. The GBS-AKA protocol is resistant to attacks and lowers the communication
burden (Yao, Wang, Chen, Wang & Chen, 2016). However, the technique is vulnerable in terms of preserving secrecy,
impersonation, and DoS attacks. The SEGB-AKA method has been suggested to strengthen the security of
group-based protocols (Parne, Gupta & Chaudhari, 2018). However, the protocol cannot give protection
against DoS attacks. The GSL-AKA protocol, which has the same structure as GBS-AKA and SEGB-AKA, has
been suggested by developing their features (Modiri, Mohajeri & Salmasizadeh, 2018). It is noted that it
successfully overcomes recognized security and non-security challenges while protecting the secrecy of end
devices and groups.
The study, published in 2019 by Şahinaslan, looked at encryption technologies for protocols used on the
internet of things. The article explains the Markov Chain and RSA asymmetric encryption approach for
wireless IoT devices. The MAC session key provides cryptographic control over the information while also
providing security against potential attacks. The paper also explains how to avoid the KRACK vulnerability
that happens during the key exchange phase by employing the DragonFly key exchange mechanism
(Şahinaslan, 2019). Aydın et al. propose a lightweight Group authentication system (GAS) that significantly
reduces device energy consumption, saving more than 80% when compared to state-of-the-art alternatives.
Their approach is also resistant to replay and man-in-the-middle attacks. In mMTC situations, the proposed
approach also tackles key agreement and key distribution concerns. That solution is also useful in both
centralized and decentralized group authentication scenarios. The proposed solution can meet the rapid
authentication requirements of the envisioned agile 6G networks, which will be supported by aerial networking
nodes (Aydın et al, 2020). Padmashree et al. suggested Group Key Exchange and Authentication with Elliptic
Curve Cryptography (ECC), or GKEAE for short, on the Internet of Things to establish safe key distribution
and improve security. When an IoT device joins or leaves a group, ECC is used for authentication. Integrating
access authentication and data transfer improves the serviceability of IoT devices. The GKEAE delivers a
faster group key distribution computation time than the quick authentication system (Padmashree et al, 2022).
Suggesting different protocols for each application area and not settling on one protocol produces a highly
undesirable standardization situation. To define technical standards for architectural structure, API, and
security solutions in M2M and IoT technologies, in 2012, the world's main standardization authorities joined
together to form an organization named OneM2M. OneM2M foundation represents nearly 200 enterprises and
universities. The OneM2M standard offers a basic horizontal platform design based on a three-tier paradigm
of applications, services, and networks (OneM2M, 2012).
Mobius, an open-source IoT service platform, was created by the Korean Electronic Technologies Institute
(KETI, 1991), a member of the OneM2M organization, as part of an open alliance for IoT standard (OCEAN)
investigations. Mobius IoT service platform gains notice by becoming the first application to acquire a
oneM2M compliance certificate. It is also used as a gold sample to evaluate test cases and test systems. Mobius
presents common service functions (CSF) as middleware for multiple service areas to IoT applications (IoT
OCEAN, 2017).
In this study, based on the Mobius IoT service platform, an “auth” mechanism has been designed that executes
group-based authentication and authorization operations from the moment the IoT devices in the IoT
environment join the ecosystem until they exit the system. The “auth” mechanism has been evaluated in three
separate test contexts: simulation, physical, and cloud environments. In the test scenarios, the benefit of the
“auth” mechanism with the group-based authentication procedure was examined. According to the results obtained
by testing the “auth” mechanism using five different test scenarios in three different test environments, the
computational overhead on the nodes and the signal traffic in the IoT environment have been significantly
reduced by running the mechanism together with the group management module provided by the IoT service
platform. It has been established that the proposed “auth” mechanism contributes 1 ms of computational overhead to
the IoT service platform, delivering an optimal benefit between 2 and 25 IoT devices and providing up to 4
times efficiency.
2. Materials and Methods
This section outlines the tools and apps utilized in the study. The environment produced by the introduction
of open-source software and the enhancements made to it is presented in the architectural design. In addition,
information about the methods used in the test scenarios on the generated environment is presented.
2.1. Open-Source Applications
2.1.1. Mobius IoT Server Platform
Mobius is an open-source IoT server platform based on the oneM2M standards developed by KETI as part
of OCEAN studies. Mobius provides CSFs (enrollment, data management, subscription/notification, security)
middleware for IoT applications of different service domains. Mobius can successfully connect oneM2M-compatible and non-oneM2M-compatible devices. Within the global oneM2M organization, Mobius has been
awarded the “oneM2M compliance certificate” by Telecommunications Technology Association (TTA). This
certification guarantees that Mobius meets the oneM2M specifications and testing requirements that ensure
interoperability with oneM2M products. As it is the first application to receive oneM2M certification, it is used
as a gold example for validating test scenarios and test systems (IoT OCEAN, 2017).
Functional Architecture of the Server Platform
The Mobius IoT server platform created by KETI is architecturally based on the OneM2M functional
reference architecture stated in the document named “TR-0025 Application Developer Guide” issued with
version 2A of the OneM2M global organization (TR-0025 Technical Report, 2018).
Figure 1. Functional architecture of the IoT server platform (Kim, Choi, Yun & Lee, 2016).
As shown in Figure 1, the oneM2M architecture divides M2M and IoT environments into two different
domains (Field Domain and Infrastructure Domain). It defines four different node types for use in these
domains. An IN (infrastructure node) can exist in the infrastructure domain of any M2M (machine-to-machine)
service provider, while any oneM2M node group, including MN (middle node), ASN (application server node),
and ADN (application dedicated node), and even non-oneM2M nodes can exist in the field domain.
Improvements on the IoT server platform
The IoT service platform leverages access control policies (ACP) under oneM2M standards for authorization
processes in security operations (TS-0001 Technical Specification, 2016). However, it does not give a solution
for authentication processes. In this method, when a common service entity (CSE) seeks to access a resource
in a working structure, it is sufficient to apply only the ACPs. The fact that the element attempting
access, whether creating a new resource or accessing an existing one, does not go through an
authentication process leaves the system open to possible attacks.
Within the scope of the study, the “auth” mechanism, which conducts the operations of two fundamental
categories (Identification and Authentication, Authorization) for the “Security Functions Layer” of the
oneM2M security architecture, has been created (TS-0003 Technical Specification, 2018). The Passport.js
(Passport.js) and jsonwebtoken (RFC7519) libraries are used for authentication and authorization operations,
as they are compatible with the IoT service platform, which was created in the Node.js runtime environment using the JavaScript
dynamic programming language. In the created “auth” mechanism, MongoDB is used independently from the
MySQL database used by the IoT service platform (MongoDB). The usage of a distinct database management
system permitted flexibility in the IoT network structure to be established. It was also feasible to establish a
separate server that could execute authentication and authorization operations.
The “auth” mechanism was created with group-based authentication and authorization operations in mind.
Accordingly, when a group administrator initially authenticates, the system creates a token value that the other
members of the group can use for a limited period. By using this token value, which is specified as a Group
Common Key (GCK), the other members of the group can be added to the system, skipping the authentication
stage, if the GCK information is valid. After the validity of the produced token value expires, the group
administrator must execute the authentication procedure again. The jsonwebtoken (RFC7519) library is used
to construct the token structure that serves as the GCK.
Table 1
Comparison of OneM2M Token Structure and Generated Token Structure

| OneM2M Token Structure | Generated Token Structure | Description |
|---|---|---|
| version | keyID | Token version |
| tokenID | jwtID | Token unique id |
| holder | subject | The ID of the token holder |
| issuer | issuer | The ID of the token issuer |
| notBefore | notBefore | The token is valid from this moment |
| notAfter | expiresIn | The token expires after this moment |
| tokenName | header | Token name (optional) |
| audience | audience | CSE’s ID list (optional) |
| permissions | - | Associated permissions |
| extension | | Application-specific information |
The generated token value is supplied in the header named “authorization”, which is appended to HTTP
requests according to the format provided in the oneM2M document named “TS-0009 Protocol Binding” (TS-0009 Technical Specification, 2016).
Table 1 explains the token structure specified in the oneM2M TS-0003 technical specification and the
attributes used in the generated token structure. The generated token value is intended to be sent in HTTPS requests.
Figure 2. The architectural design of the IoT service platform after the inclusion of the auth mechanism.
To increase security, all sent and received HTTP requests must be transmitted over a secure channel. Therefore,
the HTTPS protocol is used for communication between the nodes in the field domain and the IN. The architectural
design formed after the operations performed on Mobius is shown in Figure 2.
The established “auth” mechanism must not compromise the IoT platform's compliance with oneM2M requirements. For this reason, the token structure developed must also conform to the criteria described in the document
published by the worldwide oneM2M organization, named “TS-0003 Security Solutions”. Accordingly, a token carries authorization information, which can be roles given to the owner or ACPs valid for the
owner (TS-0003 Technical Specification, 2018).
2.1.2. nCube
The nCube is specified as the general name of the nodes in the field domain, based on the oneM2M
standards created by KETI within the framework of OCEAN research. Developed as open source, the nCube
program contains five different versions (Rosemary, Thyme Node.js, Lavender, Thyme Arduino, Thyme Java)
that may operate as three separate oneM2M node structures. Within the scope of this investigation, the first
three node types were employed. The nCube Rosemary is an open-source IoT gateway platform based on
oneM2M standards.
The nCube Rosemary application, used to deliver proximity based IoT services, gives CSFs to oneM2M apps
and other oneM2M devices. Serving as the MN-CSE, nCube Rosemary also supports interoperability services
using interworking proxy application entity (IPE), as stated in the oneM2M standards. It links to IN-CSE
utilizing CSEs in ASN and ADNs, which are additional nodes in the field domain (nCube-Rosemary, 2018).
The nCube Thyme is an open-source IoT device application element based on oneM2M standards. Thyme has
three separate versions: node.js, java, and android. Node.js version is employed within the scope of this study.
The nCube Thyme application may be linked to MN-CSE or IN-CSE (nCube-Thyme, 2018). The nCube
Lavender is also an open-source IoT device platform based on oneM2M standards. The nCube Lavender, one
of the oneM2M platforms, delivers CSFs to oneM2M device apps operating on the same device (nCube-Lavender, 2018). In this sense, although it is comparable to the nCube Rosemary application, nCube Rosemary
acts as an MN in the oneM2M domain, whereas the nCube Lavender application serves as an ASN.
Improvements on the nCube application
Several arrangements have been made for the nCube application to function in harmony with the “auth” mechanism created on the IoT service platform. These arrangements are based on the nCube Thyme application:
the “auth_usr” and “auth_pwd” headers have been added to the HTTPS request submitted for registration to
the “auth” mechanism. In addition, the IoT service platform is informed that the “auth” mechanism is in use
by the header “use auth” having the value “enable”. If the header “auth_useprotocol” is provided as “local”, the
system applies the authentication processes using the information in MongoDB. When a group head, also
known as the administrator, establishes a connection with the “auth” mechanism for the first time, it transmits the above-mentioned “auth_usr” and “auth_pwd” headers, whereas the other members of the group send the
token value created by the “auth” mechanism, which is used as the GCK, under the “authorization” header in accordance with
the TS-0009 technical specification (TS-0009 Technical Specification, 2016).
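The flow described in Section 2.1.1 (a group administrator authenticates once and receives a time-limited GCK) and in the paragraph above (“auth_usr” and “auth_pwd” for the administrator, the “authorization” header for the other members) can be sketched as follows. This is an added example, not the paper's code: it uses Node's built-in crypto module in place of the jsonwebtoken and Passport.js libraries, and the issuer, key ID, group name, credentials, 300-second lifetime and the bare-token form of the “authorization” header are assumptions.

```javascript
// Added example (not the paper's code): the GCK as an HS256 JWT built with node:crypto.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // signing key, held only by the "auth" server
const ISSUER = 'auth-server';          // hypothetical issuer ID
const KEY_ID = 'gck-key-1';            // hypothetical keyID value
const GCK_TTL_SEC = 300;               // assumed validity window of the GCK

const b64u = (v) => Buffer.from(v).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();
const hashPwd = (pwd, salt) => crypto.scryptSync(pwd, salt, 32);

// Constructed credential store standing in for the MongoDB used by "auth".
const SALT = crypto.randomBytes(16);
const ADMINS = new Map([
  ['group-admin-1', { salt: SALT, hash: hashPwd('constructed-password', SALT), group: 'group-A' }],
]);

// Issue the token that plays the GCK role; claims follow Table 1 and RFC 7519.
function issueGck(adminId, group, nowSec) {
  const header = { alg: 'HS256', typ: 'JWT', kid: KEY_ID };
  const payload = {
    jti: crypto.randomUUID(), // jwtID
    sub: adminId,             // subject: the administrator who authenticated
    iss: ISSUER,              // issuer
    aud: group,               // audience: the group the GCK is valid for
    nbf: nowSec,              // notBefore
    exp: nowSec + GCK_TTL_SEC // expiresIn, stored as an absolute time
  };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(hmac(input))}`;
}

// Verify a GCK presented by a group member; returns { ok, reason } on failure.
function verifyGck(token, group, nowSec) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch (err) {
    return fail('malformed');
  }
  if (!header || !payload) return fail('malformed');
  // Pin the algorithm: the token must never choose how it is verified.
  if (header.alg !== 'HS256') return fail('bad-alg');
  const expected = hmac(`${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return fail('bad-signature');
  }
  if (payload.iss !== ISSUER) return fail('bad-issuer');
  if (payload.aud !== group) return fail('wrong-group');
  if (nowSec < payload.nbf) return fail('not-yet-valid');
  if (nowSec >= payload.exp) return fail('expired');
  return { ok: true, admin: payload.sub, jti: payload.jti };
}

// Registration decision: members present the GCK, the administrator presents credentials.
function handleRegistration(headers, group, nowSec) {
  if (headers.authorization) {
    const r = verifyGck(headers.authorization, group, nowSec);
    return r.ok ? { status: 'joined-with-gck', admin: r.admin }
                : { status: 'rejected', reason: r.reason };
  }
  const admin = ADMINS.get(headers.auth_usr);
  // Hash even for unknown users so both failure paths cost the same.
  const candidate = hashPwd(String(headers.auth_pwd || ''), admin ? admin.salt : SALT);
  if (!admin || admin.group !== group || !crypto.timingSafeEqual(candidate, admin.hash)) {
    return { status: 'rejected', reason: 'bad-credentials' };
  }
  return { status: 'authenticated', gck: issueGck(headers.auth_usr, group, nowSec) };
}

// Demo with constructed values: admin login, member join, then join after expiry.
const t0 = 1700000000;
const adminResp = handleRegistration(
  { auth_usr: 'group-admin-1', auth_pwd: 'constructed-password' }, 'group-A', t0);
console.log(handleRegistration({ authorization: adminResp.gck }, 'group-A', t0 + 60));
console.log(handleRegistration({ authorization: adminResp.gck }, 'group-A', t0 + GCK_TTL_SEC));
```

Because every holder of a valid GCK is admitted without authenticating, the token lifetime and the audience check are what bound the use of a leaked token.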
2.2. Test Environments
In the study, three distinct environments are built by employing the IoT service platform, in which the “auth”
method is integrated. Performance measurements were done on equipment with varying technical parameters.
2.2.1. Simulation Environment
A simulation environment has been constructed to assess the performance of the “auth” method on hardware
with restricted resources. Oracle VM VirtualBox program, a free and open-source hypervisor created by
Oracle, was used to construct the virtual environment used. The technical parameters of the virtual machines
utilized instead of the nodes in the oneM2M IoT ecosystem in the simulation environment are provided in
Table 2.
Table 2
Technical Specifications of Machines in the Simulation Environment

| Machine Name | CPU | RAM | Storage | Operating System |
|---|---|---|---|---|
| IN-Mobius | 2 Virtual Cores | 2048 MB | 20 GB SSD | Ubuntu 20.04 (64-bit) |
| MN-Rosemary | 2 Virtual Cores | 2048 MB | 20 GB SSD | Ubuntu 20.04 (64-bit) |
| ASN-Lavender | 1 Virtual Core | 2048 MB | 20 GB SSD | Ubuntu 20.04 (64-bit) |
| ADN-AE-Thyme | 1 Virtual Core | 1024 MB | 20 GB SSD | Ubuntu 20.04 (64-bit) |
| JMeter Xubuntu | 2 Virtual Cores | 2048 MB | 20 GB SSD | Ubuntu 20.04 (64-bit) |
The technical specifications of the computer, which runs virtual machines throughout the development phase,
include Intel Core i7-5600U 2.60 GHz CPU, 8 GB RAM, 64-bit Windows 10 Pro operating system, and 500
GB SSD. While developing the “auth” method, the Postman program was used to transmit HTTPS requests
from the host system to virtual machines and to execute unit tests. A NAT network has been set up in the Oracle
VM VirtualBox program to correctly conduct HTTPS requests.
2.2.2. Physical Environment
In the simulation environment, test scenarios were achieved by allocating restricted resources to virtual
computers with nodes and IoT service platforms. In the physical environment experiments, a laptop computer
with technical characteristics that can function as an MN in the oneM2M IoT ecosystem and a desktop computer with technical capabilities that can work as an IN were utilized. The technical parameters of the physical
devices utilized instead of the nodes in the oneM2M ecosystem in the physical environment are presented in
Table 3.
Table 3
Technical Specifications of Machines in the Physical Environment

| Machine Name | CPU | RAM | Storage | Operating System |
|---|---|---|---|---|
| MN-Windows | Intel i7 5600U | 8 GB | 500 GB SSD | Windows 10 (64-bit) |
| IN-Mobius | AMD FX-8320 | 32 GB | 256 GB SSD | Ubuntu 20.04 (64-bit) |
The machine named MN-Windows is in Lapseki, Çanakkale, whereas the machine called IN-Mobius is located
in Kepez, Çanakkale. The two locations are around 40 km apart. To perform the test scenarios, a test program named Postman was installed on the MN-Windows machine and the tests were run.
2.2.3. Cloud Environment
To test the established “auth” mechanism in the cloud context, an EC2 machine was built on Amazon Web Services
(AWS). The EC2 machine is of the t2.large type, in the us-east-1e region and the Northern Virginia location,
and the IoT service platform is deployed and served on it. The technical parameters of the physical and virtual
computers used in place of the nodes in the oneM2M ecosystem in the cloud environment are provided in
Table 4.
Table 4
Technical Specifications of Machines in the Cloud Environment

| Machine Name | CPU | RAM | Storage | Operating System |
|---|---|---|---|---|
| MN-Windows | Intel i7 5600U | 8 GB | 500 GB SSD | Windows 10 (64-bit) |
| IN-Mobius-EC2 | Intel Xeon 2 vCPU | 8 GB | 20 GB EBS | Ubuntu 20.04 (64-bit) |
HTTPS requests are made from the physical machine called MN-Windows to the IoT service platform on the virtual machine named IN-Mobius-EC2, with IP
number 54.227.195.58, utilizing the virtual private cloud (VPC). The HTTPS requests made from the MN-Windows computer are moved to the VPC when they reach the
internet gateway on AWS. Considering the security information, the HTTPS requests are sent via the NAT gateway to the
t2.large type EC2 machine running the IoT service platform in the private subnet.
2.3. Testing Tools
2.3.1. Postman
During the creation of the “auth” mechanism, the Postman program was utilized to execute unit tests (Postman API Platform). During the testing utilizing Postman version 7.27.0, nCube open-source apps were emulated and operations were carried out on the IoT service platform. A collection of all HTTPS requests performed for unit testing of the “auth” method has been built.
2.3.2. Apache JMeter
In the study, Apache JMeter v5.3 application was utilized to assess the efficiency offered by the developed
“auth” method (Apache JMeter). The test application was executed on the virtual machine named “JMeter
Xubuntu” defined in the simulation environment section. The test application took part in various test scenarios
as a group administrator or group member, which formed the foundations of the group-based authentication
and authorization framework.
3. Results and Discussion
In this part, five distinct test situations in which we tested the “auth” method will be explained. Then, three
distinct test methods that we devised utilizing these situations will be discussed. Finally, the outcomes seen in
the test situations will be compared and assessed using the defined test methodologies.
3.1. Test Scenarios
3.1.1. Test Scenario 1: Determination of Core Values
In the technical standard named TS-0003 issued by oneM2M, the methods to be provided for authentication
and authorization are outlined. In addition, the IoT service platform, which is described as the golden example
by oneM2M and produced by KETI, has been built in accordance with TS-0003 and other technical specifications released by
oneM2M. In the technical specification designated TS-0003, it is recommended to employ ACPs for security
and authorization processes (TS-0003 Technical Specification, 2018).
Since the IoT service platform is built in accordance with the given technical standards, no separate authentication and
authorization module has been developed on the platform. In circumstances when ACP and the “auth” mechanism
are not employed, there is no security mechanism on the IoT service platform. The “auth” mechanism has been
designed as a module that is meant to be used together with the ACP mechanism, not as a substitute for the
ACP mechanism.
To estimate the contribution of the “auth” mechanism, which provides group-based authentication and authorization, the default results should be calculated as fundamental values. At this point, because no
authentication and authorization module operates on the IoT service platform, the fundamental values were
measured by deactivating the group feature of the developed “auth” mechanism.
In the test scenario carried out, the application entity (AE) registration requests of the node units were issued
in increasing steps from 100 up to 1000. The designed “auth” mechanism is invoked to perform authentication and authorization for each HTTPS request, which is delivered independently. The outcomes when test case 1
is executed in the simulation, physical, and cloud settings are presented in Table 5, respectively.
Table 5
Results of Test Scenario 1

| # of nodes | Simulation Avg. (ms) | Simulation Min. (ms) | Simulation Max. (ms) | Physical Avg. (ms) | Physical Min. (ms) | Physical Max. (ms) | Cloud Avg. (ms) | Cloud Min. (ms) | Cloud Max. (ms) |
|---|---|---|---|---|---|---|---|---|---|
| 100 | 975 | 844 | 2104 | 504 | 468 | 2382 | 1029 | 982 | 1649 |
| 200 | 897 | 822 | 2157 | 486 | 457 | 2335 | 1047 | 980 | 1605 |
| 300 | 909 | 832 | 2049 | 495 | 466 | 2933 | 1105 | 982 | 2797 |
| 400 | 1088 | 834 | 2020 | 483 | 459 | 2120 | 1115 | 981 | 2957 |
| 500 | 1021 | 818 | 2565 | 492 | 467 | 2756 | 1048 | 979 | 1723 |
| 600 | 1111 | 826 | 2530 | 481 | 455 | 2395 | 1072 | 978 | 2612 |
| 700 | 1115 | 838 | 2315 | 478 | 457 | 2266 | 1142 | 979 | 6336 |
| 800 | 1120 | 926 | 2581 | 480 | 458 | 2555 | 1078 | 988 | 4568 |
| 900 | 1138 | 929 | 2338 | 478 | 458 | 2279 | 1017 | 978 | 2154 |
| 1000 | 1111 | 821 | 2318 | 477 | 455 | 2248 | 1036 | 983 | 1463 |
According to the results of test scenario 1, where the core values were determined, the operation of the “auth”
mechanism for the first HTTPS request sent when the IoT service platform was started for the first time, together with
the response time of the platform to that request, produces the maximum value for each test. It is shown that the
number of nodes employed in the functional design of the oneM2M ecosystem is directly related to the hardware on which the IoT service platform is operating, and that the platform will cease to be stable if the number is more than a specific
quantity.
3.1.2. Test Scenario 2: Single Retrieve of CIN Source
A key benefit of group-based authentication and authorization procedures with the group management module is that activities may be conducted on many resources by submitting a single HTTPS request. To notice
this benefit, a core data set should be constructed identical to the prior test case. In this test scenario, it is
targeted to provide the <ContentInstance> resources described with the abbreviation CIN in the oneM2M ecosystem to the nodes that make the request from the IoT service platform. The CIN resource represents the
resources containing application-specific data generated in cooperation with the oneM2M ecosystem.
There are varied numbers of sensors and nodes in apps created to function in the IoT ecosystem. In the research
done to examine the performance gain offered by group-based authentication and authorization procedures in
the IoT ecosystem, it was established that the most ideal outcome was the construction of 100 groups in an IoT
ecosystem with 500 nodes (Su, Wong & Chen, 2016).
Considering the findings of the research indicated in the previous paragraph, the fact that the number of nodes
creating a group is between 100 and 1000, rather than between 1 and 100, is in keeping with the applications
created for the IoT environment. Considering this information, the number of nodes in the test scenario was
determined as 1, 2, 3, 5, 10, 25, 50, 70, 90, and 100. The outcomes when test case 6 is executed in the simulation, physical, and cloud settings are presented in Table 6, correspondingly.
According to the results of test scenario 2, which was carried out in the simulation environment and in which the CIN resource was retrieved individually without using group management, an irregular increase was observed in the maximum values after the test using 25 nodes, as indicated by the column representing the maximum value. Although the average and minimum values do not reach the ideal values, more than 25 nodes submitting single HTTPS requests results in the IoT service platform delivering irregular results.
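Table 6
Results of Test Scenario 2

| # of nodes | Simulation Avg. (ms) | Simulation Min. (ms) | Simulation Max. (ms) | Physical Avg. (ms) | Physical Min. (ms) | Physical Max. (ms) | Cloud Avg. (ms) | Cloud Min. (ms) | Cloud Max. (ms) |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 100 | 100 | 100 | 282 | 282 | 282 | 712 | 712 | 712 |
| 2 | 84 | 66 | 102 | 147 | 66 | 229 | 459 | 186 | 733 |
| 3 | 89 | 43 | 170 | 111 | 62 | 210 | 357 | 180 | 711 |
| 5 | 75 | 34 | 144 | 91 | 58 | 216 | 292 | 184 | 723 |
| 10 | 50 | 30 | 124 | 75 | 57 | 212 | 248 | 190 | 752 |
| 25 | 49 | 30 | 103 | 62 | 52 | 200 | 207 | 183 | 730 |
| 50 | 53 | 15 | 342 | 57 | 49 | 197 | 203 | 190 | 755 |
| 70 | 45 | 20 | 126 | 54 | 49 | 185 | 196 | 183 | 730 |
| 90 | 44 | 16 | 248 | 55 | 46 | 204 | 196 | 185 | 738 |
| 100 | 36 | 15 | 102 | 54 | 50 | 205 | 189 | 182 | 743 |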
In the test scenario run in the physical environment, the results show an increase owing to network latency despite the increase in CPU power. When the average values obtained in the simulation environment and in the physical environment are compared, an increase in the range of 15-20ms is seen in the test sets with more than 5 nodes. Considering that these values are caused by network delay, it has been proved that the IoT service platform operates reliably in both scenarios. When the findings are reviewed independently of the network latency, irregular results appear from the test with 25 nodes onward when the platform runs on a virtual machine with restricted processing capacity in the simulation environment. However, the results produced by operating the IoT service platform on hardware that is used in the real world and has higher processing power remain stable up to 100 nodes. In the test scenario run in the cloud environment, the efficiency fell and the measured times rose owing to variables such as shared EC2 usage and network latency. When the data were evaluated, the efficiency was found to be reduced by 4 times compared to the results in the physical environment. The values in the minimum column coincide with the values in the maximum column obtained in the test scenario in the physical environment. Considering this, the efficiency will rise if the technical characteristics of the EC2 machine used in the cloud environment are raised so that it approaches the test machine that hosts the IoT service platform in the physical environment.
3.1.3. Test Scenario 3: Group-Based Authentication and Authorization
The group feature of the “auth” mechanism has been enabled in this test scenario to measure the benefit offered by the “auth” mechanism designed for group-based authentication and authorization procedures and to compare it with the findings in test scenario 1. Test scenario 3 is based on the G-AKA research, which is considered the beginning of group-based authentication and authorization processes. According to the G-AKA research, group authentication key (GAK) information is created when the administrator, known as the header of the group enrolled in the system, completes a full authentication and authorization procedure. After the GAK information is established, it is shared with the other members of the group through the group header. Other members of the group can be located and processed on the system using this information (Chen et al., 2012).
In the test, based on the number of nodes specified in test scenario 1, the GAK information produced as a result of the full authentication and authorization process of the group header was sent to the IoT service platform by the group members under the "authorization" heading of the HTTPS package transmitted over a secure channel, as specified in the TS-0009 technical specification published by oneM2M (TS-0009 Technical Specification, 2016).
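The flow described above, as an added example that is not the paper's “auth” code: the group header completes one full authentication, receives a group key, and members then present it in the Authorization header for a cheap per-request check. The token layout (group id, expiry, HMAC-SHA256 tag), the challenge-response stand-in for the full AKA run, and every name and id are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# All names, ids and the token layout below are assumptions for illustration.
SERVER_KEY = secrets.token_bytes(32)  # platform-side MAC key, never sent to nodes
GAK_LIFETIME_S = 300                  # assumed validity window for a group key

# Constructed enrolment data: one group, its header and its member AE ids.
# Ids are assumed not to contain "." or "|", which the token layout reserves.
GROUPS = {"grp-01": {"header": "ae-000",
                     "members": {"ae-000", "ae-001", "ae-002"}}}
# Constructed long-term secret, used only for the header's full authentication.
HEADER_SECRETS = {"ae-000": b"constructed-long-term-secret"}


def _tag(group_id, expires):
    """MAC binding the group id to its expiry time."""
    msg = f"{group_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def full_authentication(ae_id, nonce, proof):
    """Stand-in for the expensive full AKA run: HMAC challenge-response."""
    secret = HEADER_SECRETS.get(ae_id)
    if secret is None:
        return False
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def issue_gak(group_id, ae_id, nonce, proof, now=None):
    """Issue a GAK to the group header only, after full authentication."""
    group = GROUPS.get(group_id)
    if group is None or group["header"] != ae_id:
        return None
    if not full_authentication(ae_id, nonce, proof):
        return None
    now = time.time() if now is None else now
    expires = int(now) + GAK_LIFETIME_S
    return f"{group_id}.{expires}.{_tag(group_id, expires).hex()}"


def authorize_member(headers, ae_id, now=None):
    """Per-request check for a member presenting the GAK in "Authorization"."""
    parts = headers.get("Authorization", "").split(".")
    if len(parts) != 3:
        return False
    group_id, expires_s, tag_hex = parts
    if not (expires_s.isascii() and expires_s.isdigit() and len(expires_s) <= 12):
        return False
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    # Verify the MAC in constant time before trusting any field of the token.
    if not hmac.compare_digest(_tag(group_id, int(expires_s)), presented):
        return False
    now = time.time() if now is None else now
    if now > int(expires_s):
        return False
    # The shared GAK proves group possession, not which member is calling:
    # ae_id is the claimed originator and is only checked against the roster.
    group = GROUPS.get(group_id)
    return group is not None and ae_id in group["members"]
```

Because every member holds the same key, expiry and re-issue after a membership change are what limit the exposure from a single compromised node.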
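Table 7
Results of Test Scenario 3

| # of nodes | Simulation Avg. (ms) | Simulation Min. (ms) | Simulation Max. (ms) | Physical Avg. (ms) | Physical Min. (ms) | Physical Max. (ms) | Cloud Avg. (ms) | Cloud Min. (ms) | Cloud Max. (ms) |
|---|---|---|---|---|---|---|---|---|---|
| 100 | 30 | 15 | 165 | 69 | 59 | 250 | 204 | 195 | 749 |
| 200 | 26 | 13 | 139 | 62 | 50 | 332 | 206 | 197 | 749 |
| 300 | 22 | 11 | 113 | 78 | 61 | 277 | 205 | 195 | 779 |
| 400 | 21 | 10 | 103 | 64 | 59 | 264 | 209 | 192 | 809 |
| 500 | 20 | 9 | 98 | 67 | 61 | 263 | 205 | 193 | 856 |
| 600 | 19 | 9 | 81 | 68 | 59 | 301 | 197 | 189 | 758 |
| 700 | 19 | 7 | 98 | 66 | 60 | 231 | 204 | 189 | 798 |
| 800 | 19 | 9 | 101 | 69 | 59 | 363 | 203 | 189 | 832 |
| 900 | 20 | 8 | 150 | 66 | 59 | 364 | 200 | 191 | 774 |
| 1000 | 22 | 8 | 307 | 66 | 58 | 377 | 203 | 189 | 842 |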
In the executed test scenario, AE registration requests were issued using the group resources produced by the nodes, increasing in floating slices between 100 and 1000. The results when test case 3 is executed in the simulation, physical, and cloud environments are presented in Table 7, respectively. The results reported in Table 7 do not contain the values of the HTTPS request in which full authentication and authorization are made by the group header.
As noted in Table 7, optimal values were attained in the operations performed over the group resource consisting of 600, 700, and 800 nodes. When the maximum values of the test scenario run in the physical environment, given in detail in Table 7, are examined, it is seen that the maximum value occurs in the initial HTTPS request issued for each test owing to network delay. When the results in the physical environment and the results in the simulation environment are compared, it is notable that the average values in the physical environment are two to three times those in the simulation environment. Considering that the IoT service platform tries to minimize the difference between the processing power and the processing power of the hardware on which it works in the physical environment, and that the distance between the client and server pair in the physical environment is approximately 40 km, it is thought that the difference is due to network latency. Likewise, the findings of the test scenario performed in the cloud environment agree with the results of the physical environment. In the test scenario outlined in Table 7, average values were measured in the range of 197-209ms. In addition, the average and lowest values showed a 10 percent gap between themselves, comparable to those in the physical environment.
3.1.4. Test Scenario 4: Retrieving CIN Resource Using Group Resource
The group management CSF is responsible for group-related operations. An HTTP or HTTPS request is issued for batch actions enabled by the group, such as reading, writing, subscribing, notification, and device management, as well as for controlling a group or its members. Group management is responsible for gathering group responses and notifications when a request or subscription is made through the group (TS-0001 Technical Specification, 2016).
The designed “auth” mechanism provides authentication and authorization in all operations done on the IoT service platform, from the time the nodes are included in the system and for the whole period they remain in the system. In the test scenario, which uses the group management module offered by the IoT platform and developed according to the group management features specified in the TS-0001 technical specification published by oneM2M, the aim is to call the previously created daemon resources using a single HTTPS request.
To assess the benefit offered by the group management and the “auth” mechanism, test scenario 4 was carried
out based on the identical node counts as the previous test scenario 2. Accordingly, the efficiency offered by
the “auth” method and group management was seen in the test scenario employing group resources consisting
of 1, 2, 3, 5, 10, 25, 50, 70, 90, and 100 nodes, respectively.
Table 8
Results of Test Scenario 4

| # of nodes | Simulation Environment, Time Elapsed (ms) | Physical Environment, Time Elapsed (ms) | Cloud Environment, Time Elapsed (ms) |
|---|---|---|---|
| 1 | 122 | 118 | 217 |
| 2 | 107 | 161 | 242 |
| 3 | 200 | 204 | 247 |
| 5 | 280 | 232 | 278 |
| 10 | 579 | 353 | 341 |
| 25 | 840 | 681 | 532 |
| 50 | 2120 | 1185 | 1006 |
| 70 | 2662 | 1450 | 1142 |
| 90 | 3590 | 1876 | 1445 |
| 100 | 3554 | 2033 | 1476 |
The results when test case 4 is run in the simulation, physical, and cloud environments are shown in Table 8,
respectively.
According to the findings of test scenario 4, when the CIN resource is retrieved collectively using group management, the most efficient results were reached in the test carried out on a single group resource containing 25 nodes, as indicated in Table 8. The results obtained with group resources of more than 25 nodes still offer efficiency compared to the case where the group management module is not employed, but the efficiency is seen to be inversely proportional to the growth in the number of nodes. According to the findings of test scenario 4 performed in the simulation environment, efficiency cannot be attained if a group resource consisting of one node is employed. The lowest number of nodes at which a group resource is efficient is determined to be 2. It has been observed that the optimum conditions changed in the physical environment, where the processing capacity of the hardware is greater than in the simulation environment. As the processing power of the actual hardware rises, the efficiency given by the established “auth” mechanism increases in direct proportion. When the column in Table 8 that represents the time taken for the process is inspected, it is apparent that the benefit offered by the mechanism starts with the test set consisting of 2 nodes and gives the optimal level of efficiency up to the test set in which 50 nodes are employed. However, although the efficiency given by the “auth” mechanism is decreasing, it remains evident in the test set consisting of 100 nodes. When the test scenario, which retrieves the previously constructed CIN resources using group management, was run in the cloud environment, the results confirmed the values obtained in the prior two environments.
As observed in the test results from the physical environment, the “auth” mechanism and the group management module are similarly efficient at the optimum level, from the group resource using 2 nodes to the group resource with 50 nodes, in the test conducted in the cloud environment. However, the benefit declines when more than 50 nodes are employed, as in the physical environment. According to the data provided in Table 8, the resultant times rise in direct proportion to the number of nodes. In group resources where more than 50 nodes are employed, forming more than one group by splitting the nodes that make up the groups allows the efficiency offered by the group module and the “auth” method to be delivered at the optimal level.
3.1.5. Test Scenario 5: Computational Overhead of Auth Mechanism
It is of considerable importance that the established “auth” mechanism maintains its compliance with the
technical standards given by oneM2M, as well as maintaining security by successfully completing AKA
transactions on the IoT service platform.
Table 9
Creation of group administrator resources in the simulation environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 816 | 764 | 985 |
| 200 | 809 | 764 | 954 |
| 300 | 824 | 764 | 3276 |
| 400 | 823 | 764 | 1035 |
| 500 | 834 | 764 | 1120 |
| 600 | 1115 | 767 | 6516 |
| 700 | 904 | 776 | 3810 |
| 800 | 1098 | 795 | 2120 |
| 900 | 1161 | 999 | 1704 |
| 1000 | 1198 | 788 | 2051 |
Table 10
AKA transactions performed by the group header and members in the simulation environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 1.12 | 0 | 985 |
| 200 | 1.2 | 0 | 967 |
| 300 | 1.18 | 0 | 1032 |
| 400 | 1.09 | 0 | 1032 |
| 500 | 1.03 | 0 | 1071 |
| 600 | 1.08 | 0 | 988 |
| 700 | 1.11 | 0 | 1028 |
| 800 | 1.08 | 0 | 1081 |
| 900 | 1.24 | 0 | 1068 |
| 1000 | 1.18 | 0 | 1044 |
Table 11
Creation of group administrator resources in the physical environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 282 | 264 | 387 |
| 200 | 278 | 264 | 351 |
| 300 | 277 | 265 | 378 |
| 400 | 277 | 264 | 359 |
| 500 | 277 | 264 | 361 |
| 600 | 279 | 264 | 383 |
| 700 | 282 | 264 | 440 |
| 800 | 276 | 261 | 357 |
| 900 | 277 | 261 | 378 |
| 1000 | 277 | 263 | 374 |
Table 12
AKA transactions performed by the group header and members in the physical environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 3.92 | 0 | 356 |
| 200 | 2.19 | 0 | 361 |
| 300 | 1.63 | 0 | 358 |
| 400 | 1.34 | 0 | 355 |
| 500 | 1.1 | 0 | 354 |
| 600 | 1.04 | 0 | 356 |
| 700 | 0.95 | 0 | 348 |
| 800 | 0.87 | 0 | 358 |
| 900 | 0.8 | 0 | 354 |
| 1000 | 0.76 | 0 | 340 |
Table 13
Creation of group administrator resources in the cloud environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 273 | 268 | 383 |
| 200 | 272 | 268 | 357 |
| 300 | 271 | 268 | 356 |
| 400 | 272 | 268 | 367 |
| 500 | 271 | 268 | 413 |
| 600 | 271 | 267 | 426 |
| 700 | 271 | 268 | 360 |
| 800 | 271 | 267 | 360 |
| 900 | 270 | 267 | 386 |
| 1000 | 272 | 267 | 36 |
Table 14
AKA transactions performed by the group header and members in the cloud environment

| # of nodes | Average (ms) | Minimum (ms) | Maximum (ms) |
|---|---|---|---|
| 100 | 3.82 | 0 | 362 |
| 200 | 2 | 0 | 357 |
| 300 | 1.61 | 0 | 398 |
| 400 | 1.27 | 0 | 392 |
| 500 | 0.98 | 0 | 363 |
| 600 | 0.92 | 0 | 391 |
| 700 | 0.78 | 0 | 356 |
| 800 | 0.73 | 0 | 360 |
| 900 | 0.76 | 0 | 452 |
| 1000 | 0.59 | 0 | 360 |
However, a small computational overhead for the “auth” process is vital for the system to be accepted and employed in subsequent investigations. In group-based AKA procedures, only the group leader, also known as an administrator, executes a full AKA process. However, for each HTTPS request sent independently, a complete AKA process must be executed. In addition, the computational cost incurred when other members of the group complete AKA transactions using the token value described as GCK, which is produced after a full AKA transaction of the group header, was assessed.
While creating the group header resource of the developed “auth” mechanism, average values in the range of 800-1200ms were produced in test scenario 5 run in the simulation environment, as shown in Table 9. Table 10 shows the results of AKA transactions made by the group header and its members using the “auth” mechanism in the simulation environment. According to the results shown in Table 10, the computational overhead of the “auth” mechanism on the system was measured as 1ms on average. The column showing the maximum values shows the values resulting from a full AKA operation of the group header. When test scenario 5 is performed in the physical environment, the results decreased with the increase of the processor power, as determined in the results of the previous tests. The average values obtained according to the results in Table 11 were measured in the range of 276-282ms. According to these results, efficiency between two and three times is provided in the test performed in the physical environment compared to the simulation environment. In addition, the computational overhead of the “auth” mechanism on the hardware used in the physical environment and running the IoT service platform was measured as 1.4ms on average. When the column showing the average values in test scenario 5 performed in the physical environment is examined, the average of the values is similar to that of the simulation environment. In addition, when the maximum values specified in Table 12 are examined, it is observed that the results are 3 times less than in the simulation environment. In the tests carried out in the cloud environment, it has been revealed once again that the computational overhead brought to the system by the “auth” mechanism is at the lowest level. It has been observed that the values in Table 13, obtained as a result of AKA operations performed in the AWS environment by the header of the group, are 3 times more efficient than in the simulation environment. When the columns showing the minimum and average values in Table 13 are examined, the EC2 and network structure used in the AWS environment stand out as having the most efficient and stable bandwidth among the three different test environments.
As with other findings, the maximum numbers always indicate the time taken to respond to the initial HTTPS request at the start of the tests. As in the previous results, the “auth” mechanism maintains the level of efficiency it provided in the second part of the test, in which the GCK value of the developed “auth” mechanism is used by other members of the group following the request made by the group header. Also, the average of the column showing the average values in Table 14 is determined as 1.34ms.
According to the numbers obtained with test scenario 5 executed in three separate test settings, the additional
computational overhead given to the system by the “auth” mechanism, which carries out group-based authentication and authorization operations, is 1.13, 1.46, and 1.34, respectively.
3.2. Test Methods
3.2.1. Test Method 1: Group-Based and Non-Group-Based AE Enrollment Process
The results of test scenarios 1 and 3 are compared to measure the efficiency of the created “auth” method,
which leverages the authentication and authorization module of more than one AE resource during the registration phase of the IoT service platform. While making this comparison, instead of making the system secure
using just ACPs, the mechanism was controlled by performing AKA actions at the position where the group
feature was switched off in the “auth” mechanism.
As indicated in the part where test scenarios 1 and 3 are presented, the comparison was done based on the G-AKA study in addition to the relevant measures (Chen et al., 2012). Table 15 shows the efficiency given by the
“auth” method when the group feature is active.
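Table 15
Test Method 1: Group-Based and Non-Group-Based AE Enrolment Process

| # of nodes | Group Feature Off, Simulation Avg. (ms) | Group Feature Off, Physical Avg. (ms) | Group Feature Off, Cloud Avg. (ms) | Group Feature On, Simulation Avg. (ms) | Group Feature On, Physical Avg. (ms) | Group Feature On, Cloud Avg. (ms) |
|---|---|---|---|---|---|---|
| 100 | 975 | 504 | 1029 | 30 | 69 | 204 |
| 200 | 897 | 486 | 1047 | 26 | 62 | 206 |
| 300 | 909 | 495 | 1105 | 22 | 78 | 205 |
| 400 | 1088 | 483 | 1115 | 21 | 64 | 209 |
| 500 | 1021 | 492 | 1048 | 20 | 67 | 205 |
| 600 | 1111 | 481 | 1072 | 19 | 68 | 197 |
| 700 | 1115 | 478 | 1142 | 19 | 66 | 204 |
| 800 | 1120 | 480 | 1078 | 19 | 69 | 203 |
| 900 | 1138 | 478 | 1017 | 20 | 66 | 200 |
| 1000 | 1111 | 477 | 1036 | 22 | 66 | 203 |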
According to the findings presented in Table 15, the outcomes with the group feature off and on were compared by integrating the built “auth” mechanism with the IoT service platform. In tests done in the simulation, physical, and cloud environments, intervals of 897-1138, 477-504, and 1017-1142ms were measured, respectively, while the group feature was turned off. However, when the group feature was active, intervals of 19-30, 64-78, and 197-209ms were recorded, respectively.
According to these data, the “auth” method created to execute group-based authentication and authorization
operations gives 4 times efficiency in the worst-case situation. In the oneM2M IoT environment, signal traffic
is decreased by employing the created “auth” method, while AKA transactions between the nodes in the field
and the IN are carried out in a secure environment.
3.2.2. Test Method 2: HTTPS Requests Made with Single and Group Resource
It is of vital importance that the identities of the nodes registered to the system using the “auth” method be validated from the moment they join the system to the moment they exit it, and that they may only perform the transactions they are permitted to perform. By having the “auth” mechanism work together with the group management module in HTTPS requests that use the CSFs offered by the IoT service platform, it has become feasible to make transactions on the system in a safe, efficient, and collective manner.
In this manner, the test results acquired in test scenarios 2 and 4, in which the group-based AKA transactions
of the previously developed CIN sources are active, but the group management module is tested in both active
and passive positions, are compared. In test scenario 4, one HTTPS request was issued to get numerous CIN
resources utilizing only one group resource. However, in test scenario 2, distinct HTTPS requests are issued
for each CIN resource. Therefore, to directly compare test cases 2 and 4, the real average value of test case 2
is computed using equation 3.2.2a.
$$\text{Unique, Real Average} = \text{Number of Nodes} \times \text{Average Value} \tag{3.2.2a}$$

$$\text{Efficiency} = \frac{\text{Unique, Real Average}}{\text{Average with Group (ms)}} \tag{3.2.2b}$$
For a group to be efficient, as shown in Table 16, at least two nodes must be included in the group. The efficiency value was calculated for each test set as shown in equation 3.2.2b.
Efficiency values were calculated for three separate test environments: simulation, physical, and cloud. In the simulation scenario, the greatest efficiency is assessed as 1.570ms, which happens when a group resource consists of 2 nodes. However, when the administrative efficiency of the IoT environment is taken into consideration, this number is estimated to be 1.458ms, which happens when a group resource with 25 nodes is deployed.
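Table 16
Test Method 2: HTTPS Requests Made with Single and Group Resource

| # of nodes | Single Avg., Simulation (ms) | Single Avg., Physical (ms) | Single Avg., Cloud (ms) | Avg. with Group, Simulation (ms) | Avg. with Group, Physical (ms) | Avg. with Group, Cloud (ms) | Efficiency, Simulation | Efficiency, Physical | Efficiency, Cloud |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 100 | 282 | 712 | 122 | 118 | 217 | 0.819 | 2.39 | 3.281 |
| 2 | 168 | 294 | 918 | 107 | 161 | 242 | 1.57 | 1.826 | 3.793 |
| 3 | 267 | 333 | 1071 | 200 | 204 | 247 | 1.335 | 1.632 | 4.336 |
| 5 | 375 | 455 | 1460 | 280 | 232 | 278 | 1.339 | 1.961 | 5.252 |
| 10 | 500 | 750 | 2480 | 579 | 353 | 341 | 0.863 | 2.125 | 7.273 |
| 25 | 1225 | 1550 | 5175 | 840 | 681 | 532 | 1.458 | 2.276 | 9.727 |
| 50 | 2650 | 2850 | 10150 | 2120 | 1185 | 1006 | 1.25 | 2.405 | 10.089 |
| 70 | 3150 | 3780 | 13720 | 2662 | 1450 | 1142 | 1.183 | 2.607 | 12.014 |
| 90 | 3960 | 4950 | 17640 | 3590 | 1876 | 1445 | 1.103 | 2.639 | 12.208 |
| 100 | 3600 | 5400 | 18900 | 3554 | 2033 | 1476 | 1.012 | 2.656 | 12.808 |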
When the results acquired in the physical and cloud environments are analyzed, the first aspect to be noted is that the network latency in the tests done in these two settings affected all HTTPS requests. According to the calculation done in 3.2.2a, it is shown that the most efficient condition in the cloud environment is the efficiency value of 2.656 produced by a group resource consisting of 100 nodes. However, in the cloud environment, this number appeared with an efficiency value of 12.808 in the test set when a resource consisting of 100 nodes was utilized.
According to these results, the effectiveness of the “auth” mechanism differs across small, medium, and large-scale application areas for IoT environments that are meant to be constructed as oneM2M-based. If the hardware hosting the IN in the IoT environment to be constructed has restricted technical characteristics, the outcomes will mirror the simulation environment. As the technical qualities of the hardware hosting the IN increase, the efficiency will grow accordingly.
3.2.3. Test Method 3: Computational Overhead of the Designed Auth Mechanism
The computational overhead that the “auth” mechanism established within the scope of the study imposes on the system during the AKA activities done on the IoT service platform must be at a low level for the mechanism to be utilized and accepted in further studies. As indicated before, there is no module supplied on the IoT service platform that executes AKA transactions. For this reason, to assess the computational cost of the created “auth” mechanism to the system, the results of the AKA transactions performed by the group header and by other members of the group, acquired in test scenario 5, are compared.
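Table 17
Test Method 3: Computational Overhead of the Designed Auth Mechanism

| # of nodes | Single Avg., Simulation (ms) | Single Avg., Physical (ms) | Single Avg., Cloud (ms) | Avg. with Group, Simulation (ms) | Avg. with Group, Physical (ms) | Avg. with Group, Cloud (ms) |
|---|---|---|---|---|---|---|
| 100 | 816 | 282 | 273 | 1.12 | 3.92 | 3.82 |
| 200 | 809 | 278 | 272 | 1.2 | 2.19 | 2 |
| 300 | 824 | 277 | 271 | 1.18 | 1.63 | 1.61 |
| 400 | 823 | 277 | 272 | 1.09 | 1.34 | 1.27 |
| 500 | 834 | 277 | 271 | 1.03 | 1.1 | 0.98 |
| 600 | 1115 | 279 | 271 | 1.08 | 1.04 | 0.92 |
| 700 | 904 | 282 | 271 | 1.11 | 0.95 | 0.78 |
| 800 | 1098 | 276 | 271 | 1.08 | 0.87 | 0.73 |
| 900 | 1161 | 277 | 270 | 1.24 | 0.8 | 0.76 |
| 1000 | 1198 | 277 | 272 | 1.18 | 0.76 | 0.59 |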
When the group management module offered by the IoT service platform is not used, each result will be the
same as the result a group header would obtain after a full AKA operation. As noted in Table 17, conducting
a full AKA operation by a group header was measured, on average, in simulated, physical, and cloud settings,
and it was observed that it took a time in the range of 800-1198, 276-282, and 270-273ms, respectively. As
shown in Table 17, when the members of the group using the “auth” mechanism designed to perform AKA
operations transmit the GCK value, the computational overhead imposed by the mechanism on the system is
measured 1.13, 1.46, and 1.34ms on average in simulated, physical and cloud environments, respectively.
4. Conclusion
Within the scope of the study, the “auth” mechanism that executes group-based authentication and authorization procedures was established based on the Mobius IoT service platform, which was issued a oneM2M compliance certificate by the oneM2M worldwide organization and produced as open source by KETI. By combining the “auth” method and the group management module supplied by the IoT service platform, the computational overhead and signal traffic on the nodes in the field domain are greatly decreased. According to the findings of the test scenarios carried out, the computational overhead of the “auth” mechanism on the IoT service platform is in the range of 800-1198, 276-282, and 270-273ms for single transactions in simulation, physical, and cloud environments, respectively. It was assessed as 1.13, 1.46, and 1.34ms on average for processes using the source. In the testing for accessing CIN resources, it is noticed that HTTPS requests with the group feature enabled give up to 4 times efficiency, starting from 2 nodes to the test set employing 50 nodes. For an IoT environment to be developed utilizing restricted resources in the oneM2M ecosystem, it is advised to form groups of 25 nodes, provided that one of them is the group header.
The signal traffic in the Internet of Things environment has dropped as a result of the deployment of group-based authentication systems. It is anticipated that the nodes' energy usage will go down as a result of the nodes' effective communication with one another. In this study, group-based transactions, particularly authentication and authorization procedures, maintain a high level of security in Internet of Things contexts while maintaining a measurably low overhead in computing and communication. In future studies, the “auth” mechanism built based on this study can execute group-based AKA transactions on a standalone server. Developing a structure that can interact with more than one IoT service platform in the oneM2M ecosystem would boost the possibilities of interoperability across IoT service platforms.
Author Contributions
İbrahim Uğur Aba: Graduated MSc student. Collected data and performed the tests. Performed statistical analysis and wrote the paper.
Erhan Taşkın: Thesis supervisor. Conceived and designed the analysis.
Conflicts of Interest
The authors declare no conflict of interest.
References
Aydin, Y., Kurt, G. K., Ozdemir, E., & Yanikomeroglu, H. (2020). A flexible and lightweight group
authentication scheme. IEEE Internet of Things Journal, 7(10), 10277-10287.
doi: https://www.doi.org/10.1109/jiot.2020.3004300
Apache JMeter. Retrieved from: http://jmeter.apache.org
Cao, J., Ma, M., & Li, H. (2015). GBAAM: Group-based access authentication for MTC in LTE networks.
Security and Communication Networks, 8(17), 3282-3299. doi: https://www.doi.org/10.1002/sec.1252
Chen, Y., Wang, J., Chi, K., & Tseng, C. (2010). Group-based authentication and key agreement. Wireless
Personal Communications, 62(4), 965-979. doi: https://www.doi.org/10.1007/s11277-010-0104-7
Define IOT. (2015, May 25). Retrieved October 22, 2019, from https://iot.ieee.org/definition.html
Fu, A., Song, J., Li, S., Zhang, G., & Zhang, Y. (2016). A privacy-preserving group authentication protocol
for machine-type communication in LTE/LTE-A networks. Security and Communication Networks.
doi: https://www.doi.org/10.1002/sec.1455
Gartner says 5.8 billion enterprise and automotive IoT endpoints will be in use in 2020. (2019, August 29).
Retrieved from: https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8billion-enterprise-and-automotive-io
Gartner says worldwide IoT security spending will reach $1.5 billion in 2018. (2018, March 21). Retrieved
from: https://www.gartner.com/en/newsroom/press-releases/2018-03-21-gartner-says-worldwide-iotsecurity-spending-will-reach-1-point-5-billion-in-2018
IoT Analytics, state of the IoT 2018: Number of IoT devices now at 7B – market accelerating. (2018, August
08). Retrieved from: https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iotdevices-now-7b
IoT Analytics, state of the IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally.
(2022, May 18). Retrieved from: https://iot-analytics.com/number-connected-iot-devices
IoT OCEAN. (2017, July 9). Retrieved from: http://developers.iotocean.org/archives/module/mobius
Jiang, R., Lai, C., Luo, J., Wang, X., & Wang, H. (2013). EAP-based group authentication and key agreement
protocol for machine-type communications. International Journal of Distributed Sensor Networks,
9(11), 304601. doi: https://www.doi.org/10.1155/2013/304601
RFC7519. (2015, May). Retrieved from: https://datatracker.ietf.org/doc/html/rfc7519
KETI. (1991, August). Retrieved from: https://www.keti.re.kr
Kim, J., Choi, S., Yun, J., & Lee, J. (2016). Towards the onem2M standards for building IoT ecosystem:
Analysis, implementation, and lessons. Peer-to-Peer Networking and Applications, 11(1), 139-151. doi:
https://www.doi.org/10.1007/s12083-016-0505-9
Lai, C., Li, H., Li, X., & Cao, J. (2013). A novel group access authentication and key agreement protocol for
machine-type communication. Transactions on Emerging Telecommunications Technologies, 26(3),
414-431. doi: https://www.doi.org/10.1002/ett.2635
Lai, C., Li, H., Lu, R., & Shen, X. (2013). SE-AKA: A secure and efficient group authentication and key
agreement protocol for LTE networks. Computer Networks, 57(17), 3492-3510.
doi: https://www.doi.org/10.1016/j.comnet.2013.08.003
Lai, C., Lu, R., Zheng, D., Li, H., & (Sherman) Shen, X. (2016). GLARM: Group-based lightweight
authentication scheme for resource-constrained machine-to-machine communications. Computer
Networks, 99, 66-81. doi: https://www.doi.org/10.1016/j.comnet.2016.02.007
Li, J., Wen, M., & Zhang, T. (2016). Group-based authentication and key agreement with dynamic policy
updating for MTC in LTE-A networks. IEEE Internet of Things Journal, 3(3), 408-417. doi:
https://www.doi.org/10.1109/jiot.2015.2495321
Modiri, M. M., Mohajeri, J., & Salmasizadeh, M. (2018). GSL-AKA: Group-based secure lightweight
authentication and key agreement protocol for M2M communication. 2018 9th International Symposium
on Telecommunications (IST). doi: https://www.doi.org/10.1109/istel.2018.8661145
MongoDB: The application data platform. (2007). Retrieved from: http://www.mongodb.com
nCube-Lavender. Retrieved from: http://developers.iotocean.org/archives/module/ncube-lavender
nCube-Rosemary. Retrieved from: http://developers.iotocean.org/archives/module/ncube-rosemary
nCube-Thyme Nodejs. Retrieved from: http://developers.iotocean.org/archives/module/ncube-thyme-nodejs
OneM2M, the global community that develops standards for IoT. (2012). Retrieved from:
http://www.onem2m.org
Parne, B. L., Gupta, S., & Chaudhari, N. S. (2018). SEGB: Security enhanced group-based AKA protocol for
M2M communication in an IoT enabled LTE/LTE-A network. IEEE Access, 6, 3668-3684. doi:
https://www.doi.org/10.1109/access.2017.2788919
Padmashree, M. G., Mallikarjun, Arunalatha, J. S., & Venugopal, K. R. (2022). GKEAE: Group key exchange
and authentication with ECC in internet of things. Intelligent Systems, 1-10. doi:
https://www.doi.org/10.1007/978-981-19-0901-6_1
Passport.js. Retrieved from: http://www.passportjs.org
Postman API platform. Retrieved from: https://www.postman.com
Su, W., Wong, W., & Chen, W. (2016). A survey of performance improvement by group-based authentication
in IoT. 2016 International Conference on Applied System Innovation (ICASI).
doi: https://www.doi.org/10.1109/icasi.2016.7539800
Şahinaslan, O. (2019). Encryption protocols on wireless IOT tools. AIP Conference Proceedings. doi:
https://www.doi.org/10.1063/1.5095121
The alliance for internet of things innovation. (2019, October). IoT LSP Standard Framework Concepts,
Release 2.9 AIOTI WG03 - IoT Standardization
TR-0025 Technical Report. (2018, March 12). TR-0025 V2.0.2 Application Developer Guide.
TS-0001 Technical Specification. (2016, August 30). TS-0001 V2.10.0 Functional Architecture.
TS-0003 Technical Specification. (2018, March 12). TS-0003 V2.12.1 Security Solutions.
TS-0009 Technical Specification. (2016, August 30). TS-0009 V2.6.1 HTTP Protocol Binding.
Yao, J., Wang, T., Chen, M., Wang, L., & Chen, G. (2016). GBS-AKA: Group-based secure authentication
and key agreement for M2M in 4G network. 2016 International Conference on Cloud Computing
Research and Innovations (ICCCRI). doi: https://www.doi.org/10.1109/icccri.2016.15