An Authentication Technique based on OAuth 2.0 Protocol for Internet of Thing (IoT) Networks
The Internet of Things (IoT) is a fast-growing emerging technology that is making daily activities easier and better. It connects millions of sensors and heterogeneous devices with differing computation, communication and storage capabilities, and their number is increasing rapidly. An IoT network is larger than, and different from, a conventional network. However, the differing natures of the connected devices raise security concerns and challenges that undermine the value of IoT technology. In this paper we propose an authentication scheme based on the OAuth 2.0 protocol that secures access to an IoT network by adding an authentication service. OAuth 2.0 is used to build an authentication mechanism that admits only authorized and authentic users: user information and access tokens are compared against the security manager's local database, and access to the IoT network is denied on a mismatch. The scheme also protects the IoT network from attacks such as impersonation and replay attacks.
Keywords: Internet of Things (IoT), Security, Authentication, Authorization, OAuth 2.0
The term “Internet of Things” was first coined by Kevin Ashton in 1999 at MIT, who stated that things, or physical objects in the world, would be connected to the Internet via sensors. The IoT is defined as the interconnection of heterogeneous devices with computing capability and sensors that monitor and control the physical environment by generating, collecting, processing and analyzing data across the network with minimal or no human involvement. The number of Internet-connected, sensor-enabled physical objects is increasing rapidly, and it is estimated that up to 50 billion will be installed globally by 2020. Along with this tremendous growth in IoT infrastructure, however, come several security concerns, vulnerabilities and challenges that can badly affect IoT systems. Among them, concerns related to authentication processes are receiving growing attention and need to be handled in a resource-constrained environment.
OAuth is an open standard protocol that acts as an authorization process, allowing users to access the IoT network. The OAuth protocol enables a third-party application (the client) to provide services on behalf of a resource owner (the user). Information owned by the resource owner and stored on a resource server is made available to clients. However, the OAuth protocol covers only the authorization process: if OAuth alone is used, every authorized user can access the IoT network, and network security can suffer. To address this problem, we propose an authentication technique based on the OAuth 2.0 protocol that authenticates authorized users before they gain access to the IoT network. The proposed approach adds an authentication layer by modifying the OAuth 2.0 protocol so that only users verified by the security manager are allowed in. In the proposed technique, the main roles are performed by two entities, the authorization server and the security manager. The authorization server provides the necessary credentials (authorization code and access token) to users and clients through the user proxy agent and updates the security manager at the same time. The security manager compares user credentials and controls users' access permissions to the IoT network, because it holds a local database listing the users authorized to access the network. In short, the authorization server makes users authorized, while the security manager makes them authenticated to access the IoT network. The proposed technique is detailed later. The paper is organized as follows: Section 2 covers related work, Section 3 gives a basic description of the OAuth 2.0 protocol, Section 4 presents the proposed architecture, Section 5 gives a security analysis of the approach, and the final section concludes.
2 Related Work
The OAuth protocol works above the transport layer as an authorization layer, i.e. over HTTP-over-TLS. Several works have addressed security concerns in different OAuth-based implementations.
In one work, an OAuth 2.0 based scheme is optimized by reducing the number of unnecessary authentication requests without weakening the original security requirements, which reduces the threat of denial of service (DoS) and distributed DoS (DDoS) attacks. Another work enhances OAuth 2.0 security by recommending that the access token be issued only after e-mail authentication, protecting against several attacks. A further work focuses on HTTP/CoAP services and provides an authorization framework that lets them distribute their services without applying the standard OAuth technique, instead invoking an external authorization service named IoT OAuth-based Authorization Service (IoT-OAS), which manages the authorization and authentication process. Another scheme applies the OAuth protocol to an IoT environment (a fire alarm system) to inform the user about a rise in temperature within minimum time through Gmail or Twitter accounts when there is a fire incident or emergency; the user is notified within 20 to 50 milliseconds, minimizing latency. OAuth improves the security of alarm-based notification in terms of authentication, because the notification is carried over multiple channels from several service providers. Finally, one work presents a scheme based on the OAuth 2.0 protocol that provides controlled access to an IoT network by authenticating users through the authentication services of a security manager, which controls access to the IoT network and protects it from unauthenticated users; the burden on users of registering with several networks is also reduced, lowering cost.
3 The OAuth 2.0 Standard Protocol
OAuth 2.0 is an open standard protocol used for authorization and is a product of the Internet Engineering Task Force (IETF). It enables resource owners (users) to grant a third-party application (client) access to restricted resources hosted by a resource server. The standard OAuth 2.0 flow involves four entities: the user, the client application, the authorization server and the resource server. In some cases the authorization server and the resource server are the same. Fig. 1 shows the flow of signaling messages of the standard OAuth 2.0 protocol between the four entities. The role of each entity, as defined by the OAuth 2.0 protocol, is as follows.
Resource Owner: the user, such as an end user or person, who allows the client application to access the restricted resources.
Client: an application running on a server, desktop or other device, authorized by the user to access the restricted resources.
Authorization Server: after successfully authenticating the user and obtaining the authorization code, this entity issues an access token to the client.
Resource Server: hosts the restricted resources and accepts and responds to restricted resource requests made by the client using access tokens.
Fig. 1: OAuth 2.0 Protocol Flow.
Fig. 1 depicts the standard OAuth 2.0 protocol flow; communication between the four entities proceeds through the following steps.
1. The client sends an authorization request directly to the resource owner.
2. In response, the client receives an authorization grant from the resource owner, consisting of credentials (an authorization code) that express the resource owner's authorization. The grant is expressed as one of four grant types; which one depends on the client's request method and the types the authorization server supports.
3. The client authenticates with the authorization server and presents the authorization grant to request an access token.
4. If the client credentials and the authorization grant are valid, the authorization server issues an access token.
5. The client presents the access token to the resource server to authenticate itself and request the protected resource.
6. The resource server verifies the access token and, if it is valid, serves the requested resource to the client.
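The six steps above as an added Python example that is not part of the paper: a toy authorization server issues single-use authorization codes and time-limited bearer tokens, a client redeems a code, and a resource server checks the token before serving a resource. The client ID and secret, the 300-second lifetime and the resource data are constructed sample values, and the `now` parameter stands in for the clock so the run is deterministic.

```python
import secrets

# Constructed sample values (not from the paper).
CLIENTS = {"client-app": "s3cret"}           # client_id -> client_secret
RESOURCES = {"alice": {"temperature": 21.5}}  # user_id -> protected data


class AuthorizationServer:
    """Issues single-use authorization codes and time-limited access tokens."""

    def __init__(self, clients, token_lifetime=300):
        self.clients = clients            # registered clients and their secrets
        self.lifetime = token_lifetime    # seconds an access token stays valid
        self.codes = {}                   # code -> (client_id, user_id)
        self.tokens = {}                  # token -> (user_id, expiry)

    def authorize(self, user_id, client_id):
        """Step 2: the resource owner's grant, expressed as an authorization code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user_id)
        return code

    def exchange(self, client_id, client_secret, code, now):
        """Steps 3-4: the client authenticates and swaps the code for a token."""
        if self.clients.get(client_id) != client_secret:
            return None                   # client authentication failed
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if grant is None or grant[0] != client_id:
            return None                   # unknown, already used, or mis-bound code
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (grant[1], now + self.lifetime)
        return token

    def introspect(self, token, now):
        """Return the owning user if the token exists and has not expired."""
        entry = self.tokens.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class ResourceServer:
    """Serves a protected resource only against a valid access token (steps 5-6)."""

    def __init__(self, auth_server, resources):
        self.auth = auth_server
        self.resources = resources

    def get(self, token, now):
        user = self.auth.introspect(token, now)
        return None if user is None else self.resources.get(user)


def run_flow(now=1_000_000.0):
    """Walk the six steps once, then probe a reused code and an expired token."""
    auth = AuthorizationServer(CLIENTS)
    rs = ResourceServer(auth, RESOURCES)
    code = auth.authorize("alice", "client-app")                 # steps 1-2
    token = auth.exchange("client-app", "s3cret", code, now)     # steps 3-4
    return {
        "resource": rs.get(token, now),                          # steps 5-6
        "code_reused": auth.exchange("client-app", "s3cret", code, now),
        "expired": rs.get(token, now + auth.lifetime),
    }
```

The second exchange of the same code and the read after the token lifetime both return None, which is the behaviour the replay discussion in Section 5 relies on.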
4 Proposed OAuth Approach
The main objective of this paper is to efficiently authenticate and control the access of authorized users who try to use the resources of the IoT network, using a user proxy agent and a security manager. The flow of the proposed scheme is shown in Fig. 2 and Fig. 3. The communication among the entities (user, user proxy agent, client application, authorization server and security manager) passes through an authorization process and an authentication process. The proposed approach is based on OAuth 2.0, which covers the authorization process; the OAuth 2.0 protocol flow is then modified to perform the authentication process.
Fig. 2: Proposed Approach Architecture
In the authorization process, the user authorizes the client application through the authorization server. In the authentication process, the authorization server updates the security manager's database with user information, and the security manager then obtains the user ID from the authorization server with the help of the OAuth protocol and compares it with the list of user IDs in its database. The access token from the authorization server is also used to build the security manager's database from the friend list of the IoT network manager's account, which is the first requirement for implementing the proposed approach; the security manager maintains this database. When a user wants to use the IoT network, he or she is redirected through the user proxy agent to the security manager to complete the authentication process first, as shown in Fig. 2. The authorization and authentication process of the proposed approach proceeds through the following steps.
1. The user authorizes the client application, through the user proxy agent, to access the IoT network.
2. The client application redirects this request to the security manager through the user proxy agent (the user and the client both act through the user proxy agent).
3. The security manager checks the user's credentials in its database; if they are not validated, it forwards the request to the authorization server.
4. The authorization server attempts to authenticate the user and requests the user's credentials.
5. The user provides the credentials to the authorization server.
6. After validating the user, the authorization server sends an authorization code to the client application through the user proxy agent.
7. The client application uses the authorization code to request an access token from the authorization server.
8. After verifying the client ID and the authorization code, the authorization server grants an access token to the client application.
9. At the same time, the authorization server updates the security manager's local database with the client ID and the access token.
10. The client application presents the access token to the security manager in order to obtain the user information through an application programming interface (API) call to the authorization server.
11. After verifying the access token, the security manager requests the user ID from the authorization server.
12. The authorization server responds to the security manager with the user information, which includes the user ID.
13. The security manager validates this by comparing it with the list of user IDs in its local database; if it is valid, the client application can access the IoT network on behalf of the user.
4.1 Database Management
Database management in the security manager is carried out through the following steps.
1. The security manager database is built using the access token from the authorization server to obtain the list of user IDs from the friend list of the IoT network manager's account.
2. Before the access token expires, the security manager requests a refresh token so that it can keep the database and the friend list in step for future management.
3. The refreshed token is used to update the database periodically.
4. During each update, the security manager adds or deletes users by comparing the existing local database with the friend list.
Once a user logs in to the IoT network, the user ID is obtained using the access token and compared with the user ID stored in the security manager's local database. If it is validated, the user can access the IoT network; otherwise access is denied, even if the user has been authorized by the authorization server.
The proposed scheme allows the IoT network manager to control directly which users access the IoT network. Registration of users (creation of multiple user IDs) across different networks is minimized, which reduces users' effort. The scheme also reduces the effort of IoT network management in maintaining user information in each IoT network.
Fig. 3: Proposed Approach Flow
5 Security Analysis
Several security threats exist for IoT security approaches that use access tokens based on the OAuth protocol. The OAuth protocol is mostly affected by impersonation, phishing and replay attacks. With OAuth 2.0, communication between the user and the authorization server may be exposed to eavesdropping: the authorization code with which the user authorizes the client application can be intercepted and stolen by an attacker, who then poses as the user. Similarly, an attacker can capture the access token and re-use it.
5.1 Impersonation Attack
An impersonation attack is one in which an opponent adopts the identity of one of the legitimate parties in a system or communications protocol. In the OAuth 2.0 flow, the attacker snoops the authorization code and blocks the original access token request, then sends a request with the captured authorization code to the authorization server and presents himself or herself as the authorized party.
Our proposed scheme is protected from this impersonation attack because we modify how the authorization code is used to obtain a token and the user information from the authorization server. Even if the attacker obtains the authorization code and presents a new access token request, the attacker's access to the IoT network will still be denied, because the user information does not match the information held by the security manager.
5.2 Replay Attack
This type of attack, also known as a playback attack, is one in which a valid data transmission is maliciously or fraudulently repeated or replayed. In OAuth 2.0, the client application is authorized by an access grant consisting of an authorization code from the user. One authorization code is used per service, and the same code is not used for the next service; otherwise, a replay attack becomes possible when the same authorization code is used again. Suppose the attacker captures the request containing the authorization code between the user (resource owner) and the client application, then resends or replays that request to the client application in order to log in to the user's account. The attacker can obtain information about the user and use it to obtain the authorization grant meant for the user. It is also possible to reuse an authorized access token.
In our approach, the number of authorized access tokens is limited, and each access token has its own lifetime per access service. When that time is over, the access token automatically expires and cannot be used a second time, because the user information and the access token are compared in the security manager's local database, which does not allow the attacker to access the network. As a result, the IoT network is protected from replay attacks. Our proposed model is not affected by the aforesaid attacks: even if the authorization code or access token is captured in transit and reused, the attacker still does not gain access to resources on the network, because the security manager compares the user information and the access token.
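The security manager checks of Section 4 (steps 9-13), the friend-list database maintenance of Section 4.1, and the two failure modes analysed in this section, as one added Python example that is not the paper's code: the authorization server is reduced to a stub that records issued tokens and answers the user-info call, while the security manager builds its database from the friend list, re-syncs it, and admits a request only when the token was issued to the presenting client, is still live, and maps to a user ID in the database. The friend-list API callable, the 300-second lifetime and all user and client names are constructed assumptions.

```python
import secrets

# Constructed sample data (not from the paper): the IoT network manager's
# friend list, which the security manager mirrors in its local database.
FRIEND_LIST = {"alice", "bob"}


class AuthorizationServer:
    """Minimal stand-in: records issued tokens and answers the user-info API call."""
    def __init__(self, lifetime=300):
        self.lifetime = lifetime   # seconds each access token stays valid
        self.tokens = {}           # access_token -> (client_id, user_id, expiry)

    def issue(self, client_id, user_id, now):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, user_id, now + self.lifetime)
        return token

    def userinfo(self, token, now):
        """Step 12: the user ID behind a live token, or None if expired/unknown."""
        entry = self.tokens.get(token)
        return None if entry is None or now >= entry[2] else entry[1]


class SecurityManager:
    """Keeps the local user-ID database and makes the final access decision."""
    def __init__(self, auth_server, friend_list_api):
        self.auth = auth_server
        self.friend_list_api = friend_list_api  # callable(manager_token) -> set of IDs
        self.allowed = set()                    # local database of user IDs
        self.issued = {}                        # client_id -> access_token (step 9)

    def build(self, manager_token):
        """Section 4.1, step 1: populate the database from the friend list."""
        self.allowed = set(self.friend_list_api(manager_token))

    def refresh(self, manager_token):
        """Section 4.1, steps 3-4: re-read the friend list and add/delete users."""
        current = set(self.friend_list_api(manager_token))
        added, removed = current - self.allowed, self.allowed - current
        self.allowed = current
        return added, removed

    def register_token(self, client_id, access_token):
        """Step 9: the authorization server pushes the client ID and token here."""
        self.issued[client_id] = access_token

    def authenticate(self, client_id, access_token, now):
        """Steps 10-13: token issued to this client, still live, user in database."""
        if self.issued.get(client_id) != access_token:
            return False   # token never issued to this client (captured or forged)
        user_id = self.auth.userinfo(access_token, now)
        return user_id is not None and user_id in self.allowed


def run_scenario(now=1_000_000.0):
    friends = set(FRIEND_LIST)
    auth = AuthorizationServer()
    sm = SecurityManager(auth, lambda manager_token: friends)
    sm.build(auth.issue("manager-console", "net-manager", now))
    tok = auth.issue("client-app", "alice", now)
    sm.register_token("client-app", tok)
    out = {"alice": sm.authenticate("client-app", tok, now)}
    out["captured_token"] = sm.authenticate("evil-app", tok, now)    # impersonation
    out["expired"] = sm.authenticate("client-app", tok, now + 300)   # replay after lifetime
    tok2 = auth.issue("client-app", "mallory", now)                  # authorized, not a friend
    sm.register_token("client-app", tok2)
    out["not_a_friend"] = sm.authenticate("client-app", tok2, now)
    friends.discard("bob")                                           # manager edits the list
    friends.add("carol")
    out["sync"] = sm.refresh(auth.issue("manager-console", "net-manager", now))
    return out
```

Only the first request succeeds; the captured, expired and non-friend cases are all refused by the security manager even though the authorization server issued every token, and the refresh reports carol added and bob removed.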
The IoT ecosystem connects all sorts of things, bringing us everything we can use to improve our lives, but its infrastructure still needs much better security, with the help of new inventions. We have seen that the OAuth 2.0 protocol provides applicability and extensibility but, on the other hand, is susceptible to attacks such as replay and impersonation attacks. Our study adds an authentication scheme based on the OAuth 2.0 protocol that secures access to IoT networks by providing an authentication service. The OAuth 2.0 protocol is analyzed and then modified to allow only authorized and authentic users to access the IoT network. The user's information and access tokens are compared against the security manager's local database, and access to the IoT network is denied if anything is amiss. The proposed approach minimizes the user's effort to register or generate multiple user IDs on different networks, and it can reduce the network manager's load of maintaining user information in each network. It also keeps the IoT network safe from attacks such as impersonation and replay attacks.
As future work we would like to test the scheme in a real environment, see how efficiently OAuth 2.0 works there, and compare it with other available security measures.
References
[1] EY, “Cybersecurity and the Internet of Things”, Insights on Governance, Risk and Compliance, EY Global, UK, March 2015.
[2] C. Stergiou, K. E. Psannis, B. B. Gupta and Y. Ishibashi, “Security, privacy & efficiency of sustainable Cloud Computing for Big Data & IoT”, Sustainable Computing: Informatics and Systems, vol. 19, pp. 174-184, September 2018.
[3] M. Ammar, G. Russello and B. Crispo, “Internet of Things: A survey on the security of IoT frameworks”, Journal of Information Security and Applications, vol. 38, pp. 8-27, February 2018.
[4] S. Li, L. Da Xu and S. Zhao, “The Internet of Things: A Survey”, Information Systems Frontiers (Springer), vol. 17, no. 2, pp. 243-299, 20 April 2015.
[5] A. Tewari and B. B. Gupta, “Security, privacy and trust of different layers in Internet-of-Things (IoTs) framework”, Future Generation Computer Systems, in press, corrected proof, available online 1 May 2018.
[6] A. K. Das, S. Zeadally and D. He, “Taxonomy and analysis of security protocols for Internet of Things”, Future Generation Computer Systems, vol. 89, pp. 110-125, December 2018.
[7] B. Mukherjee, S. Wang, W. Lu, R. L. Neupane and P. Calyam, “Flexible IoT security middleware for end-to-end cloud–fog communication”, Future Generation Computer Systems, vol. 87, pp. 688-703, October 2018.
[8] B. D. Martino, M. Rak, M. Ficco, A. Esposito and S. Nacchia, “Internet of things reference architectures, security and interoperability: A survey”, Internet of Things, vols. 1-2, pp. 99-112, September 2018.
[9] K. T. Nguyen, M. Laurent and N. Oualha, “Survey on secure communication protocols for the Internet of Things”, Ad Hoc Networks (Elsevier), vol. 32, pp. 17-31, 2015.
[10] S. Singh and N. Singh, “Internet of Things (IoT): Security Challenges, Business Opportunities & Reference Architecture for E-Commerce”, IEEE International Conference on Green Computing and Internet of Things (GCIoT), pp. 1577-1581, 2015.
[11] K. Gupta and S. Shukla, “Internet of Things: Security Challenges for Next Generation Networks”, 1st International Conference on Innovation and Challenges in Cyber Security (ICICCS), pp. 315-318, 2016.
[12] S. Kraijak and P. Tuwanut, “A Survey on IoT Architectures, Protocols, Applications, Security, Privacy, Real-World Implementation and Future Trends”.
[13] L. Patra and U. P. Rao, “Internet of Things – Architecture, Applications, Security and other Major Challenges”, 2016.
[14] D. Mocrii, Y. Chen and P. Musilek, “IoT-based smart homes: A review of system architecture, software, communications, privacy and security”, Internet of Things, vols. 1-2, pp. 81-98, September 2018.
[15] H. Tschofenig, “The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant”, ACE Internet-Draft, March 2015.
[16] E. Hammer-Lahav, “The OAuth 1.0 Protocol”, RFC 5849, Internet Engineering Task Force, April 2010.
[17] D. Hardt, “The OAuth 2.0 Authorization Framework”, RFC 6749, Internet Engineering Task Force, October 2012.
[18] M. Noureddine and R. Bashroush, “A Provisioning Model towards OAuth 2.0 Performance Optimization”, 10th IEEE International Conference on Cybernetic Intelligent Systems, pp. 76-80, September 2011.
[19] C. C. Joo, C. K. Nam, C. Kiseok, Y. Y. Hee and S. Y. Ju, “The Extended Authentication Protocol using E-mail Authentication in OAuth 2.0 Protocol for Secure Granting of User Access”, Journal of Internet Computing and Services (JICS), pp. 21-28, February 2015.
[20] S. Cirani, M. Picone, P. Gonizzi, L. Veltri and G. Ferrari, “IoT-OAS: An OAuth-Based Authorization Service Architecture for Secure Services in IoT Scenarios”, IEEE Sensors Journal, vol. 15, no. 2, pp. 1224-1234, February 2015.
[21] S. Kinikar and S. Terdal, “Implementation of Open Authentication Protocol for IoT Based Application”, International Conference on Inventive Computation Technologies (ICICT), vol. 1, pp. 1-4, 2016.
[22] S. Emerson, Y.-K. Choi, D.-Y. Hwang, K.-S. Kim and K.-H. Kim, “An OAuth based Authentication Mechanism for IoT Networks”, International Conference on Information and Communication Technology Convergence (ICTC), pp. 1072-1074, 2015.
[23] H. Tschofenig and P. Hunt, “OAuth 2.0 Security: Going Beyond Bearer Tokens”, Internet-Draft, September 2012.
[24] R. Barnes and M. Lepinski, “The OAuth Security Model for Delegated Authorization”, Internet-Draft, July 2010.
[25] J. Khan, H. Abbasa and J. Al-Muhtadi, “Survey on Mobile User's Data Privacy Threats and Defense Mechanisms”, International Workshop on Cyber Security and Digital Investigation (CSDI 2015), Procedia Computer Science, vol. 56, pp. 376-383, 2015.
[26] S. Wook J. and S. Jung, “Personal OAuth authorization server and push OAuth for Internet of Things”, International Journal of Distributed Sensor Networks, vol. 13, no. 6, 2017, doi: 10.1177/1550147717712627.