Arfaoui 2019


Context-Aware Adaptive Authentication and Authorization in Internet of Things


Amel Arfaoui, Soumaya Cherkaoui, Ali Kribèche, Sidi-Mohammed Senouci,
Mohamed Hamdi

To cite this version:

Amel Arfaoui, Soumaya Cherkaoui, Ali Kribèche, Sidi-Mohammed Senouci, Mohamed Hamdi. Context-Aware Adaptive Authentication and Authorization in Internet of Things. 2019 IEEE International Conference on Communications (ICC), May 2019, Shanghai, China. ⟨10.1109/ICC.2019.8761830⟩. ⟨hal-02556891⟩

HAL Id: hal-02556891


https://hal.science/hal-02556891
Submitted on 15 Aug 2022

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Distributed under a Creative Commons Attribution - NonCommercial 4.0 International License


Context-Aware Adaptive Authentication And
Authorization in Internet of Things
Amel Arfaoui*ǂ, Soumaya Cherkaoui†, Ali Kribecheǂ, Sidi Mohammed Senouciǂ, Mohamed Hamdi*
*Digital Security Unit, SupCom University of Carthage, Tunisia
ǂDRIVE EA1859, Univ. Bourgogne Franche Comté, France
†INTERLAB Research Laboratory, University of Sherbrooke, Canada
{amel.arfaoui, Sidi-Mohammed.Senouci, Ali.Kribeche01}@u-bourgogne.fr, soumaya.cherkaoui@usherbrooke.ca,
mmh@supcom.tn

Abstract—The rapid technological advancements in wireless communications, ubiquitous sensing and mobile networking have paved the way for the emergence of the Internet of Things (IoT) era, where "anything" can be connected "anywhere" at "anytime". However, the flourishing of IoT still faces various security and privacy preserving challenges that need to be addressed. In such a pervasive and heterogeneous environment, where the context conditions dynamically and frequently change, efficient and context-aware mechanisms are required to meet the users’ changing needs. Therefore, it seems crucial to design an adaptive access control scheme in order to remotely control smart things while considering the dynamic context changes. In this paper, we propose a Context-Aware Attribute-Based Access Control (CAABAC) approach that incorporates the contextual information with the Ciphertext-Policy Attribute-based Encryption (CP-ABE) to ensure data security and provide an adaptive contextual privacy. From a security perspective, the proposed scheme satisfies the security requirements such as confidentiality, context-aware privacy, and resilience against the key escrow problem. Performance analysis proves the efficiency and the effectiveness of the proposed scheme compared to benchmark schemes in terms of storage, communication and computational cost.

Keywords— IoT; Context-aware security; Adaptive, Authorization; Authentication; Attribute Based Encryption.

I. INTRODUCTION

The Internet of Things (IoT) is a revolutionary communication paradigm which consists of connecting a multitude of digital devices to the Internet [1]. Today, IoT is beginning to shape the future of many applications where users can remotely control smart things using their smartphones. However, the open nature of wireless communication imposes diverse privacy preserving and security concerns such as eavesdropping, message interception, and data modification. Therefore, the data transmitted between the communicating parties should be handled and analyzed only by authorized users in order to ensure accurate monitoring. Furthermore, the dynamic and heterogeneous structure of IoT induces more challenges for security solutions’ design. Indeed, authentication and authorization should be adapted to context changes (such as time, data consumers’ roles, location, data type, emergency or normal situation…) in order to make the right decision at the right time by the right party.

Several works are focusing on designing authentication and access control schemes in IoT to deal with security and privacy preserving challenges. In [2], the authors addressed the problem of remote secure control of smart actuators. For this purpose, they proposed a distributed lightweight fine-grained access control based on an Attribute-Based Encryption scheme and a one-way hash chain for authentication. In [3][4], Capability-Based Access Control (CapBAC) using authorization tokens was introduced as a realistic mechanism to be implemented in IoT. The approach is based on the assignment of authorization decisions to a central entity which delivers privileges to be adopted at the end device. However, the use of a central entity validating users’ access rights introduces a single point of failure and prevents end-to-end security. Distributed CapBAC [5][6] tackles these issues by having the authorization executed by the IoT devices themselves. However, IoT objects are often resource-constrained and may be easily compromised. Distributed CapBAC is, therefore, ill-equipped to address access control in untrustworthy IoT environments. In addition, Attribute Based Cryptography (ABC) is considered a promising tool that can be exploited to provide adaptive access control. In such a scheme, each user is associated with a set of attributes and data is encrypted on the basis of an access structure. Only data consumers whose attributes satisfy the access policy can decrypt the ciphertext. In [7], the authors developed a CP-ABE scheme to secure the communications between sensor nodes and the data sink/data consumers. However, the proposed scheme suffers from the key escrow problem and high computational cost. Hence, this scheme is inappropriate for resource-constrained devices that cannot support the heavy overhead of CP-ABE. In [8][9], the authors proposed fine-grained access control schemes combining the Ciphertext-Policy Attribute-based Encryption (CP-ABE) with time/location factors.

None of the aforementioned works involves the contextual information in authentication and authorization, and even when the context is considered, only time or location are used to define it. Therefore, it is necessary to conceive an effective scheme, which will grant data access only to authorized users under a predefined context. A trivial solution to combine a user’s role and contextual information into access policies is to consider the contextual parameters as a set of normal attributes [10]. However, the main difference between a user’s dynamic context and her attributes is that attributes are defined on the basis of her identity, which will be maintained for a long period, while the contextual information is a dynamic condition, which is frequently changing over time. If a
contextual parameter such as location/time is handled as a user attribute, her attribute set will change permanently anywhere at any time. This solution is obviously impractical in real scenarios and introduces heavy computation and communication overhead [8].

In this paper, we propose a context-aware authentication and authorization scheme to adaptively provide secure communication between data consumers and smart things according to the current context. We introduce a novel Context-Aware Attribute-Based Access Control (CAABAC) scheme that combines the contextual information and attributes to ensure an adaptive context-aware privacy. In the proposed scheme, we define fine-grained privileges while exploiting the features of the CP-ABE scheme. In addition, we introduce a contextual token mechanism which is related to the contextual information (location, time, emergency situation, normal situation, data type…), where the corresponding secret should be revealed under a predefined context to generate an access token. To decrypt a ciphertext, the data consumer has not only to possess the appropriate attribute set but also to have an access token under a specific situation.

The major contributions can be summarized as follows:

• A novel context-aware authentication and authorization approach that provides dynamic and secure control of smart things based on the contextual information,
• The contextual information is combined with attributes in access policies using contextual tokens in order to alleviate the burdensome revocation when a user’s context changes,
• An enhanced key issuing protocol is presented to resolve the key escrow problem of CP-ABE. In fact, users’ private keys are generated based on the cooperation between the Key Generator Center (KGC) and the Attribute Authority (AA), so that no single authority can create the whole secret key of a user.

The remainder of the paper is organized as follows. Section II presents a mathematical background. The system model is presented in Section III. The new CAABAC scheme for access control is described in Section IV, followed by the performance analysis in Section V. Finally, a conclusion is drawn in Section VI.

II. PRELIMINARIES

In this section, we present some preliminary knowledge regarding a background on Bilinear Pairings and cryptographic primitives exploited in this paper.

A. Bilinear Pairings

Let $\mathbb{G}_1$ be a cyclic additive group of prime order $q$ and $\mathbb{G}_2$ be a cyclic multiplicative group of the same order $q$. A bilinear pairing is a map $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ satisfying these properties:

• Bilinear: A map $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is bilinear if and only if $\forall P, Q \in \mathbb{G}_1$ and $a, b \in \mathbb{Z}_q$, we have $e(aP, bQ) = e(P, Q)^{ab}$.
• Non-degeneracy: $\exists P, Q \in \mathbb{G}_1$ where $e(P, Q) \neq 1_{\mathbb{G}_2}$.
• Computability: $\forall P, Q \in \mathbb{G}_1$, there is an efficient algorithm to compute $e(P, Q)$ in polynomial time.

The security of the proposed scheme depends on the following intractable problem:

• DBDH (Decision Bilinear Diffie-Hellman) problem: Given two groups $\mathbb{G}_1$ and $\mathbb{G}_2$ with the same prime order $q$, a bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ and a generator $g$ of $\mathbb{G}_1$, the objective of DBDH is to compute $e(g, g)^{abc}$ in $(\mathbb{G}_1, \mathbb{G}_2, e)$ from the given $(g, g^a, g^b, g^c)$, $\forall a, b, c \in \mathbb{Z}_q$.

B. Definitions

1) Ciphertext-Policy Attribute-Based Encryption (CP-ABE): This scheme includes the following four algorithms:

• Setup($1^\lambda$): Given a security parameter $\lambda$, the KGC generates a master secret key MK that is kept private and a public key PK shared by users.
• KeyGen(PK, MK, S): The KGC takes the master secret key MK, the attribute set S of the user, and the public key of the system PK as inputs. It generates the private key $SK_U$.
• Encryption(PK, M, $\mathcal{T}$): It takes the public parameters PK, a plaintext M, and an access structure $\mathcal{T}$ as inputs. The algorithm will encrypt M and generate a ciphertext CT.
• Decryption(CT, $SK_U$): The receiver takes as input the ciphertext CT and her decryption key $SK_U$. The algorithm outputs a message M or a reject symbol $\perp$.

2) Access policy structures

An access structure $\mathcal{T}$ consists of several nodes of a policy tree and several contextual tokens (presented in Fig 1). A leaf node represents a set of attributes ($att_0, \cdots, att_3$), and each non-leaf node defines a threshold gate (“AND”, “OR”, or other threshold gates). Each non-leaf node $x$ takes two logic values $n_x$ and $k_x$, where $n_x$ is the number of its child nodes, and $k_x$ is the threshold. Specifically, $k_x = 1$ if $x$ is an OR gate, or $k_x = n_x$ if $x$ is an AND gate [12]. In the structure $\mathcal{T}$, $T_x^{c_j}$ is related to the contextual parameter $c_j$ that may be time, location, situation sensitivity, etc.

Fig 1. An example of access structure

III. SYSTEM AND SECURITY MODELS

In this section, we first present the different entities of the system model. Then, we describe the security model.

A. System Model

We consider an IoT remote control system presented in Fig 2. It mainly consists of the following entities: Key Generator Center (KGC), Attribute Authority (AA), Context Manager (CM), IoT gateway, smart things, and data consumers. The functions of each entity are as follows:

• The Key Generator Center (KGC) and the Attribute Authority (AA) are semi-trusted entities. They are responsible for
system initialization, public parameters generation and users’ secret keys assignment.
• Context Manager (CM) is responsible for the control of the dynamic context changes. It performs operations for the data consumer such as verifying the user’s context and generating an access token to enable her to decrypt the ciphertext.
• IoT gateway is deployed as a powerful node that cooperates with the IoT device in order to implement the CP-ABE scheme. In addition, it is responsible for the management of remote access control to smart things.
• Smart things are resource-constrained devices that constitute the control system network. These devices are deployed in an area of interest and remotely controlled by data consumers.
• Data Consumers refer to the users who aim to communicate with IoT devices and perform remote actions on them. To decrypt a message, data consumers need not only to have the set of attributes that satisfy the access structure but also to verify the contextual information.

Fig 2. System model

B. Security Model

In the proposed scheme, we consider that AA and KGC are semi-trusted: honest-but-curious. That means they will honestly follow the protocol, but they will try to disclose as much secret information as possible. The CM is assumed fully trusted. The IoT gateway represents the data owner. It is assumed to be fully trusted given that it cooperates with IoT devices to encrypt data. In this work, we assume that smart things are available and are neither compromised nor spoofed. Data consumers are assumed dishonest. They try to decrypt data even if they are unauthorized.

IV. EFFICIENT CONTEXT-AWARE ATTRIBUTE-BASED ACCESS CONTROL (CAABAC) SCHEME

In this section, we first describe the basic notations used in this paper. Then, we present the main features of the proposed scheme that ensures an adaptive access control according to the dynamic context changes.

A. Notations

| Notation | Description |
|---|---|
| $q$ | A large prime number |
| $\mathbb{G}_1$ | An additive group with order $q$ |
| $\mathbb{G}_2$ | A multiplicative group with order $q$ |
| $e$ | A bilinear pairing |
| $g$ | A generator of the group $\mathbb{G}_1$ |
| $H_1$, $H_2$ | One-way hash functions |
| PK, MK | System public key and master key |
| $PK_i$ | The public key of entity $i$ |
| $SK_i$ | The secret key of entity $i$ |
| $\gamma_{GW}$ | The signing key of the gateway |
| $K_{ver}$ | The verification key |
| S | The attributes set of user |
| $\mathcal{T}$ | An access structure |
| $T_x^{c_j}$ | A contextual token for a parameter $c_j$ |
| AT | Access token for a given context |
| TK | Authentication token |
| $\mathbb{F}_{c_j}$ | Unified format of the contextual parameter $c_j$ |

Table 1. Variables and their descriptions

B. The proposed CAABAC scheme

The main idea of the proposed scheme is to provide secure and adaptive remote control of smart things. For this purpose, we exploit the fine granularity of CP-ABE and introduce a contextual token concept to ensure dynamic access control while considering the contextual information. In particular, we integrate contextual tokens into the access structure to restrict access privileges by the contextual information. Successful decryption requires not only a proper attribute set but also a suitable access token. In fact, a data consumer has to interact with the CM, which verifies the context requirements and generates an access token. The proposed scheme is composed of four phases: System Initialization, Key Generation, Encryption, as well as Decryption and communication, which are presented as follows.

1) System Initialization

In this phase, both KGC and AA generate their secret keys and distribute the public parameters to all the entities in the system. In addition, the context manager defines the secret keys of the contextual parameters.

Algorithm 1 System Initialization
1. Let $\mathbb{G}_1$ be a bilinear group of prime order $q$, $g$ a generator of $\mathbb{G}_1$, $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ a bilinear map
2. Let $H_1: \{0, 1\}^* \to \mathbb{G}_1$, $H_2: \mathbb{G}_2 \to \mathbb{Z}_q^*$ be one-way hash functions
3. For $i \in \mathbb{Z}_q$ and a set $S = \{s_1, s_2, \dots, s_m \in \mathbb{Z}_q\}$, the Lagrange coefficient $\Delta_{i,S}(x) = \prod_{l \in S, l \neq i} \frac{x - l}{i - l}$
4. The AA chooses random exponents $\alpha_1, \beta \in \mathbb{Z}_q$, sets $h = g^{\beta}$ and generates the public/private key pair: $PK_A = \{\mathbb{G}_1, h, g, e(g, g)^{\alpha_1}\}$ / $MK_A = \{\alpha_1, \beta\}$
5. The KGC selects a random parameter $\alpha_2$ and computes the public key $PK_{KGC} = e(g, g)^{\alpha_2}$ and the secret key $MK_{KGC} = \{\alpha_2\}$
6. The KGC selects a signing key $\gamma_{GW} \in \mathbb{Z}_q$, and calculates the verification key $K_{ver} = g^{\gamma_{GW}}$
7. KGC and AA publish the public parameters of the system $PK = \{\mathbb{G}_1, h, g, e(g, g)^{\alpha}, K_{ver}\}$ where $\alpha = \alpha_1 + \alpha_2$ and keep secret the master key $MK = \{\{\alpha_1, \beta\}, \{\alpha_2\}\}$
8. The CM defines a secret key $\delta_{c_j}$ for each contextual parameter $c_j \in$ {location, time, data type, situation sensitivity}, $\forall j \in [1, N]$ where $N$ is the number of considered contextual parameters. The public key is $PK_{c_j} = \{\mathbb{F}_{c_j}, \gamma_{c_j} = g^{\delta_{c_j}}\}$

2) Key Generation

This phase is executed by both AA and KGC to generate a secret key for a user u. At first, AA selects a random unique
number $r \in \mathbb{Z}_q$ for the user. Then, AA and KGC execute a secure two-party computation (2PC) protocol, where AA inputs $MK_A = \{\alpha_1, \beta\}$ and KGC inputs $MK_{KGC} = \{\alpha_2\}$. As a result, KGC gets $X = (\alpha_1 + \alpha_2) \cdot \beta \bmod q$ [11]. After the 2PC protocol, AA and KGC perform the following key commitment algorithm:

Algorithm 2 Key commitment
Input: the public parameters PK, the master key MK, the set of attributes S
Output: $SK_U$
1. KGC picks a random $\tau \in \mathbb{Z}_q$, computes $V = g^{X/\tau} = g^{(\alpha_1 + \alpha_2)\beta/\tau}$, and sends $\{V, PoK(\tau, X)\}$ to AA.
2. AA chooses a random $\tau_1 \in \mathbb{Z}_q$ and computes $V_1 = V^{\tau_1/\beta}$, $X_1 = h^{r\tau_1}$; then, it sends $\{V_1, X_1, PoK(\tau_1, \beta, r)\}$ to KGC
3. KGC picks a random number $\tau_2 \in \mathbb{Z}_q$ and computes $V_2 = (V_1^{\tau} \cdot X_1)^{\tau_2}$; then, it sends $\{V_2, PoK(\tau_2)\}$ to AA
4. AA computes $V_3 = V_2^{1/\tau_1} = (g^{\alpha_1 + \alpha_2} \cdot h^{r})^{\tau_2}$ and sends $\{V_3, PoK(\tau_1)\}$ to KGC
5. KGC computes $SK_{KGC} = D = V_3^{1/\tau_2} = g^{\alpha} h^{r}$ and sends the partial secret key to the user u
6. AA generates the secret keys of the attribute set S of user u as follows: $SK_{AA,u} = \{D_i = H_1(att_i)^{r}, \forall att_i \in S, L = g^{r}\}$
7. The user determines his personalized secret key as $SK_u = \{D = g^{\alpha} h^{r}, L = g^{r}, D_i = H_1(att_i)^{r}, \forall att_i \in S\}$

3) Encryption

In this phase, a smart thing defines a challenge M to execute an instruction I by a user and cooperates with the IoT gateway to encrypt it based on an access tree $\mathcal{T}$ for a given contextual information. At first, the IoT device encrypts the message M with $K_s$ by using a symmetric encryption method, where $K_s$ is a pre-shared secret key with the IoT gateway. Then, the IoT gateway proceeds as follows to encrypt $K_s$ using CP-ABE.

Algorithm 3 Encryption
Input: An access tree $\mathcal{T}$, public parameters PK, contextual parameters $c_j$, symmetric key $K_s$
Output: the ciphertext CT, $\sigma$
1. For each node $x$ in the tree $\mathcal{T}$, choose a polynomial $q_x$ whose degree is $d_x = k_x - 1$
2. Pick a random $s \in \mathbb{Z}_q$ and set $q_R(0) = s$
3. Select $d_R$ random points from $\mathbb{Z}_q$ to completely define the polynomial $q_R$
4. For any other node $x$ in $\mathcal{T}$ do
5.     Set $q_x(0) = q_{parent(x)}(index(x))$
6.     Select $d_x$ random points from $\mathbb{Z}_q$ to completely define $q_x$
7. End for
8. If $x$ is a leaf node related to a contextual parameter $c_j$ then
9.     Choose a random number $r_{c_j} \in \mathbb{Z}_q$
10.    Generate a contextual token $T_x^{c_j} = \{A_x^{c_j} = g^{r_{c_j}},\ B_x^{c_j} = q_x(0) + H_2(e(H_1(\mathbb{F}_{c_j}), \gamma_{c_j})^{r_{c_j}})\}$
11. End if
12. Let $X$ be the set of leaf nodes in $\mathcal{T}$. The ciphertext CT is constructed based on the access tree $\mathcal{T}$ as follows:
    $CT = \left(\mathcal{T},\ \tilde{C} = K_s\, e(g, g)^{\alpha s},\ C = g^{s},\ \forall x \in X, i \in [1, n], j \in [1, N]:\ C_x = h^{q_x(0)},\ C'_x = H_1(att_i)^{-s},\ T_x^{c_j} = (A_x^{c_j}, B_x^{c_j})\right)$
13. Compute $\sigma = H_1(K_s)^{\gamma_{GW}}$ where $\gamma_{GW}$ is the signature key of the gateway.

4) Decryption and communication

In this phase, a data consumer who aims to communicate with an IoT device sends a request message to the IoT gateway. Upon receiving the request, the IoT gateway generates a random nonce $r \in \{0,1\}^*$ and sends $\langle CT, \sigma, r, AES(K_s, M) \rangle$ to the data consumer. The data consumer decrypts the ciphertext based on her attribute set and the contextual information according to Algorithm 4 in order to obtain the symmetric key $K_s$. Then, she recovers the plaintext $M'$ and sends to the gateway $M_2 = \langle H_1', SK \rangle_{PK_{GW}}$ where $H_1' = H_1(M' \| r)$ and SK is a symmetric key, which will be used to communicate the authentication token. Upon receiving $M_2$, the IoT gateway decrypts it with its private key and verifies if $H_1' = H_1$. If the condition holds, the IoT gateway generates an authentication token TK for a period $T_e$ and sends $M_3 = \langle TK, T_e, ID_i \rangle$ to both the data consumer and the IoT device, where $ID_i$ is the identity of the instruction I that will be executed by the IoT device. We note that $M_3$ is encrypted by SK to be sent to the data consumer and by $SK_1$ (a symmetric pre-shared key between the gateway and the IoT device) to be sent to the IoT device. When the data consumer sends a request $H_1' = H_1(TK \| T_e \| ID_i)$ to the IoT device, it verifies if $H_1' = H_1$. If the check succeeds, the IoT device performs the instruction I sent remotely by the data consumer.

Algorithm 4 Decryption
Input: the ciphertext CT, the signature $\sigma$, the public parameters PK, the set of attributes S, the contextual token $T_x^{c_j}$, the secret key $SK_U$
Output: the plaintext $K_s$
1. The context manager generates an access token $AT_x^{c_j} = H_1(\mathbb{F}_{c_j})^{\delta_{c_j}}$
2. Upon receiving the access token $AT_x^{c_j}$, the user performs the following steps:
3. Compute $T_x^{c_j\prime} = B_x^{c_j} - H_2(e(AT_x^{c_j}, A_x^{c_j}))$
4. Function DecryptNode(CT, $\sigma$, $SK_u$, $x$)
5.     If $x$ is a leaf node related to a contextual token $T_x^{c_j}$ then
6.         $F_{x,T_x^{c_j}} = \left(e(h \cdot C'_x, L) \cdot e(C, D_i)\right)^{T_x^{c_j\prime}} = \left(e(g, g)^{r\beta} \cdot e(H_1(att_i)^{-s}, g^{r}) \cdot e(H_1(att_i)^{r}, g^{s})\right)^{T_x^{c_j\prime}} = e(g, g)^{r\beta T_x^{c_j\prime}}$
7.     Else if $x$ is an attribute leaf node then
8.         If $att_i \in S$ then
9.             $F_x = e(C'_x \cdot C_x, L) \cdot e(C, D_i) = e(H_1(att_i)^{-s} \cdot h^{q_x(0)}, g^{r}) \cdot e(H_1(att_i)^{r}, g^{s}) = e(g, g)^{r\beta q_x(0)}$
10.        Else return $\perp$
11.        End if
12.    Else
13.        For each child $z$ of $x$ do
14.            $F_z$ = DecryptNode(CT, $\sigma$, $SK_u$, $z$)
15.        End for
16.        Let $S_x$ be an arbitrary $k_x$-sized set of child nodes of $x$ such that $F_z \neq \perp$
17.        If $S_x$ exists then
18.            $F_x = \prod_{z \in S_x} F_z^{\Delta_{i,S'_x}(0)} = \prod_{z \in S_x} \left(e(g, g)^{r\beta q_z(0)}\right)^{\Delta_{i,S'_x}(0)} = \prod_{z \in S_x} e(g, g)^{r\beta q_x(i)\, \Delta_{i,S'_x}(0)} = e(g, g)^{r\beta q_x(0)}$, where $i = index(z)$ and $S'_x = \{index(z) : z \in S_x\}$
19.            Return $F_x$
20.        Else
21.            Return $F_x = \perp$
22.        End if
23.    End if
24. End function
25. If $x$ is a root node then
26.     $A$ = DecryptNode(CT, $\sigma$, $SK_u$, $R$) $= e(g, g)^{r\beta s}$
27. End if
28. The decryption is performed as follows:
29. $K'_s = \dfrac{\tilde{C} \cdot A}{e(g^{s}, g^{\alpha} \cdot h^{r})}$
30. If $e(\sigma, g) = e(H_1(K'_s), g^{\gamma_{GW}})$ then
31.     $K'_s$ is valid
32. End if

V. CAABAC PERFORMANCE AND SECURITY ANALYSIS

In this section, we evaluate the effectiveness of the proposed scheme through a security analysis. Then, a comparative study of benchmarking approaches will be presented to assess the communication, the storage, and the computation cost of the CAABAC scheme.

A. Security Analysis

• Data confidentiality: Data confidentiality of the proposed CAABAC invokes the security of both CP-ABE [12] and identity-based encryption (IBE) [13] algorithms. It has been proved that these algorithms are secure under the DBDH assumption. On one hand, the contextual information is embedded into the access structure as a set of special attributes, thus this integration does not affect the structure of the CP-ABE scheme. Hence, the property of CP-ABE confidentiality is conserved. On the other hand, the contextual tokens are generated based on IBE. Therefore, the security of access tokens can be demonstrated in the random oracle model. In addition, the ciphertext cannot be decrypted without a valid access token. Hence, the proposed scheme ensures confidentiality.
• Context-aware privacy: In our construction, the encryption algorithm involves the contextual information to determine who can access what and under which context. In fact, a data consumer can decrypt the ciphertext only if she satisfies the context requirements and she has a valid token to access data.
• Mutual authentication: During the authentication and authorization process, the authentication between the IoT gateway and the data consumer is performed using a challenge-response technique. Once the first authentication is achieved, each smart thing authenticates the data consumer using an authentication token.
• Resilience against escrow problem: In the proposed scheme, the private keys of users are generated based on the cooperation between KGC and AA. Thus, no single authority can reveal the whole secret key of the user.
• Replay attack: To resist the replay attack, the IoT gateway sends a random nonce $r$ with the ciphertext to the user. The response message $H_1' = H_1(M' \| r)$ cannot be used by another user to get an authentication token. In addition, the expiration time $T_e$ added to the authentication token TK ensures the validity and freshness of the communicated messages.

B. Performance Analysis

In this subsection, we evaluate performance characteristics of the CAABAC scheme through quantitative analysis. The proposed scheme is compared with those of H-CLSC [10], CP-ABE [7] and PPDAS [14] in terms of storage, communication, and computation cost. We note that the compared schemes apply different methods to design the access control algorithm. We assume that the bilinear map $e$ employs the Tate pairing. The elliptic curve is defined over $F_p$. The order $q$ of $\mathbb{G}_1$ and $\mathbb{G}_2$ is set to a 20-byte prime. For an 80-bit security level, $p$ should be a 64-byte prime if $\mathbb{G}_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F_{p^2}^*$. According to [7], we can set the length of $p$ to 42.5 bytes in the finite field $F_{p^3}^*$. The length of an element in group $\mathbb{G}_1$ is 1024 bits using an elliptic curve with a 160-bit $q$. As in [10], the size of an element in group $\mathbb{G}_1$ can be compressed to 65 bytes.

1) Storage overhead

The storage overhead is related to the size of users’ secret keys. In the CAABAC scheme, the data consumer needs to store $SK_u = \{D = g^{\alpha} h^{r}, L = g^{r}, D_i = H_1(att_i)^{r}, \forall att_i \in S\}$, whose size is $(\lvert att\rvert + 2)\,\lvert\mathbb{G}_1\rvert$, where $\lvert att\rvert$ is the cardinality of the attribute set. As shown in Table 2, the user in the proposed scheme requires less storage overhead than other schemes [14][7] using the CP-ABE algorithm.

| Scheme | Storage overhead |
|---|---|
| CP-ABE [7] | $(2\lvert att\rvert + 1)\,\lvert\mathbb{G}_1\rvert$ |
| H-CLSC [10] | $\lvert\mathbb{G}_1\rvert = 65$ bytes |
| PPDAS [14] | $(3\lvert att\rvert + 13)\,\lvert\mathbb{G}_1\rvert + 2\lvert\mathbb{Z}_q^*\rvert$ |
| CAABAC | $(\lvert att\rvert + 2)\,\lvert\mathbb{G}_1\rvert$ |

Table 2. Storage overhead comparisons

2) Communication overhead

The ciphertext is stored in the IoT gateway and transmitted to data consumers when requested. In this analysis we consider the messages exchanged between the data consumer, the IoT gateway and the smart thing. In fact, the IoT gateway has to send to the data consumer $\langle CT, \sigma, r, ID_i, TK, T_e, AES(K_s, M) \rangle$ whose size is $\lvert T\rvert + \lvert\tilde{C}\rvert + \lvert C\rvert + \lvert C'_x\rvert + \lvert T_x^{c_j}\rvert + \lvert C_x\rvert + \lvert\sigma\rvert + \lvert r\rvert + \lvert ID_i\rvert + \lvert TK\rvert + \lvert T_e\rvert + \lvert AES(K_s, M)\rvert$. We assume as in [11] that $\lvert ID_i\rvert$, $\lvert T_e\rvert$, $\lvert T\rvert$ have 1 byte, 1 byte, and 4 bytes, respectively. In addition, the IoT gateway has to send to the smart thing the message $\langle ID_i, TK, T_e \rangle$ whose size is $\lvert ID_i\rvert + \lvert TK\rvert + \lvert T_e\rvert$. The smart thing has only to encrypt the challenge M with a symmetric key and send it to the IoT gateway, so the message size is $\lvert AES(K_s, M)\rvert$. Compared to H-CLSC [10], CAABAC has higher communication overhead. However, in H-CLSC this cost linearly increases with the number of users ($n$) but in our scheme it is independent of the number of users.

| Scheme | IoT gateway (bytes) | Smart thing (bytes) |
|---|---|---|
| CP-ABE [7] | $5\lvert p\rvert + 24 = 236.5$ | $10\lvert p\rvert + 76 = 501$ |
| H-CLSC [10] | $2\lvert\mathbb{G}_1\rvert + n\lvert\mathbb{Z}_q^*\rvert + \lvert M\rvert + w = 180$ (1 user) | - |
| PPDAS [14] | $27\lvert p\rvert + 31 = 1178.5$ | $\lvert p\rvert + 1 = 43.5$ |
| CAABAC | $6\lvert p\rvert + 4\lvert\mathbb{Z}_q^*\rvert + 24 = 359$ | $\lvert AES(K_s, M)\rvert = 16$ |

Table 3. Communication overhead comparisons
3) Computation Cost

In this subsection, we assess the computation overhead of the proposed CAABAC scheme compared to benchmarking schemes. As the operations on pairing, exponentiation and multiplication mainly affect the computational overhead, we only consider them. We denote $T_E$ the time consumed for one exponentiation operation, $T_M$ the time consumed for one scalar multiplication in $\mathbb{G}_1$, and $T_P$ the time for one pairing operation. In the CAABAC scheme, the encryption process in the IoT gateway requires seven Tate pairing operations. The computational cost of the different comparative schemes is presented in Table 4. As in [15], to evaluate the running time of the operations, the algorithms are implemented on an Intel PXA270 processor at 624 MHz installed on the Linux personal digital assistant. The running times of the different operations are $T_E$ = 53.85 ms, $T_M$ = 30.67 ms, and $T_P$ = 96.20 ms, respectively.

| Scheme | IoT gateway (ms) | Smart thing (ms) |
|---|---|---|
| CP-ABE [7] | $5T_P = 481$ | $10T_P = 962$ |
| H-CLSC [10] | $3T_P + 6T_M = 472.62$ | - |
| PPDAS [14] | $11T_P + 25T_E + 4T_M = 2520.38$ | $1T_E = 53.85$ |
| CAABAC | $7T_P = 673.4$ | - |

Table 4. Computation cost comparisons

Fig 3. Communication and Computational cost comparisons

As shown in Fig 3, the proposed scheme is more efficient than the other schemes using the CP-ABE algorithm. However, it has more computational cost compared to the H-CLSC scheme. But, in H-CLSC [10], when the user context changes, a heavy computation cost will be induced to regenerate a decryption key and re-encrypt data for the given context. Therefore, the computation cost will be linear in the context changes and the number of users. Nevertheless, in the proposed model only a unique token will be generated to define each context.

VI. CONCLUSION

In this paper, we have proposed a novel Context-Aware Attribute-Based Access Control (CAABAC) scheme to provide dynamic and context-aware access control. The proposed approach incorporates the contextual information as a set of special attributes in the CP-ABE scheme. From a security perspective, the proposed scheme meets the different security requirements and solves the key escrow problem of the CP-ABE algorithm. The performance analysis has proven that CAABAC outperforms the existing access control schemes using the CP-ABE algorithm.

ACKNOWLEDGMENT

This work is achieved as part of the European project ITEA PARFAIT [16], which is partially funded by FEDER (European Regional Development Fund), BPIFRANCE, and the BFC region (Bourgogne-Franche-Comté).

REFERENCES

[1] A. Zanella, N. Bui, A. Castellani, L. Vangelista and M. Zorzi, "Internet of Things for Smart Cities," in IEEE Internet of Things Journal, vol. 1, no. 1, pp. 22-32, Feb. 2014.
[2] D. E. Kouicem, B. Abdelmadjid and L. Hicham, "Distributed Fine-Grained Secure Control of Smart Actuators in Internet of Things," (ISPA/IUCC), Guangzhou, 2017, pp. 653-660.
[3] S. Gusmeroli, S. Piccione, and D. Rotondi, "A capability-based security approach to manage access control in the internet of things," Mathematical and Computer Modelling, vol. 58, no. 5-6, pp. 1189-1205, September 2013.
[4] P. N. Mahalle et al., "Identity Establishment and Capability based Access Control (iecac) scheme for Internet of Things," in Proc. The 15th International Symposium on Wireless Personal Multimedia Communications, Taipei, 2012, pp. 187-191.
[5] M. P. Pawlowski et al., "Towards a Lightweight Authentication and Authorization Framework for Smart Objects," in IEEE Journal on Selected Areas in Communications, vol. 33, no. 4, pp. 690-702, April 2015.
[6] D. Hussein, E. Bertin, and V. Frey, "A community-driven access control approach in distributed iot environments," IEEE Commun. Mag., vol. 55, no. 3, pp. 146-153, March 2017.
[7] Chunqiang Hu, Hongjuan Li, Yan Huo, Tao Xiang, and Xiaofeng Liao, "Secure and Efficient data communication protocol for Wireless Body Area Networks", IEEE Trans. On Multi-scale Computing, vol. 2, no. 2, June 2016.
[8] J. Hong, K. Xue, W. Li, and Y. Xue, "LABAC: A Location-aware Attribute-based Access Control Scheme for Cloud Storage," in Proc. IEEE Global Communications Conference (GLOBECOM), Washington, DC, 2016, pp. 1-6.
[9] J. Hong, K. Xue, W. Li, and Y. Xue, "TAFC: Time and attribute factors combined access control on time-sensitive data in public cloud," in Proc. IEEE Global Communications Conference (GLOBECOM), San Diego, CA, 2015, pp. 1-6.
[10] A. Arfaoui, A. Kribeche, O. R. M. Boudia, A. Ben Letaifa, S. M. Senouci and M. Hamdi, "Context-Aware Authorization and Anonymous Authentication in Wireless Body Area Networks," IEEE International Conference on Communications (ICC), Kansas City, MO, 2018, pp. 1-7.
[11] S. Wang, K. Liang, J. K. Liu, J. Chen, J. Yu and W. Xie, "Attribute-Based Data Sharing Scheme Revisited in Cloud Computing," in IEEE Trans. Info. Forensics and Security, vol. 11, no. 8, pp. 1661-1673, Aug. 2016.
[12] J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-policy attribute-based encryption," in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), Berkeley, CA, 2007, pp. 321-334.
[13] D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Advances in Cryptology (CRYPTO2001), pp. 213-229, Springer, 2001.
[14] M. Jahan, S. Seneviratne, B. Chu, A. Seneviratne and S. Jha, "Privacy preserving data access scheme for IoT devices," IEEE 16th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, 2017, pp. 1-10.
[15] Zhang, A.; Wang, L.; Ye, X.; Lin, X. Light-Weight and Robust SecurityAware D2D-Assist Data Transmission Protocol for Mobile-Health Systems. IEEE Trans. Inf. Forensics Secur. 2017, 12, 662-675.
[16] ITEA3-PARFAIT. https://itea3.org/project/parfait.html.
