
Int. j. inf. tecnol.

https://doi.org/10.1007/s41870-024-01753-w

ORIGINAL RESEARCH

Secure IoT framework for authentication and confidentiality using hybrid cryptographic schemes

Salman Ali¹ · Faisal Anwer¹

Received: 13 October 2023 / Accepted: 12 January 2024


© The Author(s), under exclusive licence to Bharati Vidyapeeth’s Institute of Computer Applications and Management 2024

Abstract IoTs are increasingly gaining popularity and prevalence due to their extensive applications across various domains. They gather data from the real environment and transmit it through the networks. Security is essential to prevent data alteration, misuse of data, unauthorized access, etc. Cryptography techniques are an efficient way to provide a security mechanism for stored data and data during transmission. The proposed secure model commences by authenticating the user and the IoT and activating the associated IoT devices, which subsequently send data to the cloud server. To ensure the secure transmission of IoT data, the technique utilizes Elliptic Curve Cryptography (ECC) in combination with Genetic Algorithm (GA) to generate keys. The data is encrypted using the generated key and the Advanced Encryption Standard (AES). Assessment and comparison are performed based on parameters such as key size, execution time, throughput, and avalanche effect. Experimental results show that the proposed model ensures the authentication and confidentiality of the data against unauthorized access and data exposure. Moreover, the proposed approach is robust and performs better on selected parameters than state-of-the-art cryptographic algorithms such as Data Encryption Standard (DES) and Rivest–Shamir–Adleman (RSA).

Keywords Elliptic curve cryptography (ECC) · Genetic Algorithm (GA) · Advanced encryption standard (AES) · SHA-512 · Authentication · Data security

* Salman Ali, salmanali.amu@gmail.com
Faisal Anwer, faisalanwer.cs@amu.ac.in
¹ Department of Computer Science, Aligarh Muslim University, Aligarh, India

1 Introduction

The Internet of Things (IoT) is a fast-growing technology poised to revolutionize various applications across industries. Its swift adoption across sectors has ushered in a new era of improved service quality and productivity. Multiple industries have unlocked significant benefits by integrating IoT devices, including heightened security and efficient management [1]. Moreover, IoT has paved the way for delivering services to individuals in remote locations through cloud-based services, further bridging geographical gaps and enhancing accessibility for all. Consequently, there is a pressing need for improved data security and privacy for individuals and organizations. IoT devices have always had significant concerns about transmitting information and data over the Internet, and this concern has intensified with the increasing use of the Internet, smart devices, and other means of data transmission. Data thefts and breaches are rising, emphasizing the need for robust security measures. Researchers and cryptographers continuously strive to develop innovative cryptographic models and improve existing algorithms to address this issue. These efforts enhance user privacy, data security, authentication, and other related features in real-world applications [2].

Numerous approaches have been introduced to tackle data security concerns. Basic encryption techniques have shown limited effectiveness. Nevertheless, researchers have put forth the following methods to address these challenges:


• Homomorphic encryption: It processes encrypted data through calculations without decryption. Gentry (2009) later enhanced this approach. Nonetheless, these computational operations lead to a considerable rise in expenses.
• Hybrid technique: It employs a secure key-sharing system and improved authentication methods through appropriate arrangement.
• Distributive storage: This approach involves breaking the data into smaller sections. Each section is then encrypted and stored in individual databases on the cloud. Nevertheless, this process consumes a substantial amount of resources.
• Data concealment: It combines genuine data with fabricated visual information to augment the total dataset, and authorized users subsequently distinguish this expanded dataset.

Security challenges, such as modifying sensitive data, data privacy breaches, and unauthorized data utilization, pose significant obstacles in IoT systems that rely on cloud technology.

Consequently, cloud-based IoT systems must adhere to various security requirements. Below are the fundamental standards for ensuring the security and privacy of cloud-based IoT systems [3–5].

• Authentication: This principle is established to grant access exclusively to authorized users while preventing unauthorized attempts to access the system. Verifying user and IoT device identities should be ensured through a robust cryptographic process.
• Authorization: This represents the second prerequisite, following authentication, which guarantees user permissions, resource allocation, and access priorities within the system. Access levels vary depending on the privileges granted to users.
• Non-repudiation: This approach guarantees that the person sending information receives confirmation of successful delivery while the person receiving it obtains the evidence of the sender's identity. As a result, neither party can later deny their involvement in handling the information.
• Integrity: This characteristic guarantees the integrity of the data received and ensures that the data transmitted from the sender to the receiver remains unaltered and untouched by any malicious entity while it travels to the cloud.
• Confidentiality: Confidentiality guarantees that only the intended recipient can access and read the message that has been sent. This can be accomplished through the utilization of encryption algorithms.

The suggested model encompasses a security framework specifically designed for a wide range of applications within the realm of IoT. It utilizes the SHA-512 algorithm to authenticate the user. ECC is employed to generate keys with a smaller size to enhance data security. This key is then subjected to GA to introduce randomness to its value. AES is utilized for data encryption, employing the secret key that ECC and GA have generated. The suggested hybrid algorithm can improve system security more efficiently by addressing key size issues, ultimately reducing computational power.

This paper is organized into various sections. Section 2 reviews the prior studies in the field. Section 3 provides background and introduces the platform used in the study. Section 4 presents the hybrid design and its operational approach, while Section 5 discusses the implementation results. Security analysis is given in Section 6. Finally, the conclusion of the paper is given in Section 7.

2 Related work

Due to simultaneous resource sharing among all users, data security is becoming increasingly important. Because cloud storage is always accessible, data owners choose it over other services. Authentication and data confidentiality should be examined to improve data security.

Shukla et al. [6] proposed a method using ECC and AES to increase the system's security without a trusted center. The system is distributed and managed using Shamir secret sharing. Even though the combined strategy that has been described improves system security, it still requires considerable amounts of time and computational power.

In another work, the authors combine the DES, AES, and Blowfish algorithms to provide the security services of the cloud [7]. To prevent conflict between large groups of users and safeguard each user's data separately, these algorithms offer integrity, efficiency to data storage, accessibility, and avalanche effect of data block size and plain text.

In a paper by Madhavi et al. [8], ECC and RSA's security level is coupled with data over 264 bits. Because it offers greater secure services with smaller data sizes and requires minimum storage for data accessibility, in this comparison of algorithms, the ECC algorithm demonstrates superior performance compared to the RSA method. On several JAVA platforms, experimentation is performed.

In one of the works, data is encrypted and decrypted using ECC to offer secure and effective services to various consumers [9, 10]. Data encryption and decryption are carried out using a two-part, layered approach. The first portion is divided into smaller parts to add the bits needed for data encryption and minimize the key size for
easy accessibility. The second part comprises a division of elliptical curves that are used to encrypt data such as {P0, P1, P2, …, Pn}. Encryption and decryption are carried out using these methods, and together these two layers offer data security.

A novel approach called Polynomial-based Hashing Elliptical Curve Cryptography (PHECC) is introduced in the work of Selvam et al. [11]. This method employs a hybrid algorithm within cloud computing services to implement polynomial-based hashing elliptical curve cryptography. The primary objective is to ensure client/user support and utilization of the service. By incorporating a hybrid cloud algorithm, this technique enhances cloud data security, making it well-suited for the current environment and offering a high level of security.

The paper [12] employs hybrid algorithms that combine RSA and ECC for data reduction. Following reduction, specific elements serving as signatures are allocated to elliptical curve authorities, facilitating the signing and digestion of messages. Occasionally, ECC utilizes encrypted data for this purpose. The encryption and decryption procedures are executed in a consistent manner. The analysis of hybrid algorithms for RSA and ECC is conducted, evaluating their performance based on excellence.

Secure data transmission involving various encryption and decryption methods is proposed in the work [13]. The paper emphasizes the importance of maintaining the data's confidentiality, integrity, and authenticity. To ensure the security and privacy of data in cloud computing services over the internet, the Irondale encryption algorithm and EAP-CHAP technology are utilized for authentication and confidentiality.

Verifying data integrity holds significance in various contemporary devices like IoT devices. These storage spaces contain extensive data, including highly sensitive information, underscoring the necessity for authentication in conjunction with these devices. To execute cryptographic operations on the device, a robust processor is required due to the complexity of the tasks. These devices utilize cloud services to facilitate data authentication and protocol execution [14].

Singla et al. [15] introduced the Wide Area Measurement System Key Management, a model designed for the smart grid. This system employs public key infrastructure for secure data communication and authentication across various devices to implement protocols. It's worth noting that the conventional public key infrastructure can also address this issue effectively.

Almorsy et al. [16] introduce the 8-bit ECC processor that utilizes only 11 cuts. An assessment of duplication methods was conducted, revealing the effectiveness of Karatsuba, Stall, and Montgomery's specific enhancement techniques. The examination focused on these three augmentation methods, ultimately selecting Karatsuba duplication as a space-efficient strategy. Compared to other approaches, the Karatsuba augmentation method involves fewer cuts, making it advantageous for reducing complexity in higher-order bits, given that lower-order bits already have a fewer number of cuts.

The paper [17] presented a dual-level cryptographic approach and a framework designed to enhance information security in cloud processing. This framework employs symmetric and asymmetric encryption algorithms (AES and ECC) to enhance data security, preventing unauthorized access to the information. As a result, it promotes privacy and data integrity, and expedites cryptographic tasks, ultimately boosting user trust in cloud computing. Additionally, the model accelerates using smaller ECC keys in the cryptographic process.

Table 1 provides a thorough summary, offering a comparative examination of the relevant literature in the specified field.

3 Background

This research paper explores the accomplishment of various tasks by leveraging the unique capabilities of diverse cryptographic algorithms. A comprehensive understanding of each algorithm is crucial to obtaining a detailed overview of the proposed solution.

3.1 Advanced Encryption Standard (AES)

Nowadays, AES is a leading option for assuring digital system security. AES is the primary data security protocol used in cloud and IoT services [18]. It is one of the best available options for encrypting big data blocks that are stored, processed, and transported utilizing the cloud because of its simplicity and processing speed. The US National Institute of Standards and Technologies (NIST) chose the AES algorithm as its default encryption method in 2001 (Federal Information). In contrast to DES [16], the Feistel network is not used in AES. Sensitive information can be encrypted and decrypted using the AES method's single key. Meaningful data is converted by encryption into cipher text, an unreadable format that requires the AES key to decipher; data is transformed back into plaintext, or original meaning, by decrypting the cipher text.

AES offers the advantages of different design options and architectures coupled with real security to meet cloud requirements. The architectural security offered by AES needs to be carefully implemented [19].

AES is a 32-bit block encryption that operates on plain text that is 16 bytes (128 bits) in size and does multiple rounds to add encryption and decryption. With varying key lengths of 128, 192, and 256 bits, this cryptographic


Table 1 A comparative study of the related work

| Authors | Tools/Platforms | Algorithm used | Approach | Limitations |
|---|---|---|---|---|
| Shukla et al. [6] | JAVA | ECC + AES | Shamir secret key combined with AES-ECC | CSP does not store any information related to the private key of individual users |
| Yahia et al. [7] | MATLAB | DES + AES + Blowfish | Comparative analysis of various existing algorithms | Substantial key size is required for encryption |
| Madhavi et al. [8] | JAVA | RSA + ECC | Two-layered security approach | Employing (ECC) alongside (GDLP) where the group operations extend beyond mere multiplication |
| Chen et al. [9] | Euler's Phi function | ECC | Two-layered security approach | Less data security |
| Sridharan et al. [10] | iFogSim | ECC | Point Multiplication in Hybrid Approach | Reduced security of data for Internet of Things (IoT) in cloud-based environments |
| Astuti et al. [13] | Python | ECC | The Irondale security algorithm is employed alongside EAP-CHAP | EAP-CHAP requires a significant amount of computational resources |
| Awad et al. [14] | XSS | ECC | Model-based approach | A compact protective barrier surrounds the security enclosure |
| Singla et al. [15] | MATLAB | RSA | Smart grid model named WAM (Wide Area Measurement) | The smart grid requires various devices to secure the transmission of data within localized area measurements |
| Nie et al. [17] | AESCrypt with OpenSSL in the Linux | AES + ECC | AESCrypt Two-layered security approach | There is a restricted space for carrying out ECC operations |

technique can offer security. The following steps are involved in AES:

• Byte Substitution (SubBytes): In this stage, every byte is exchanged for a different byte. This process utilizes a reference table known as the S-box. The substitution is executed so that a byte is never replaced by an identical byte, nor is it replaced by a byte that complements the current one. As a result of this operation, a 16-byte matrix,
• ShiftRows: This procedure operates precisely as it seems. Each row experiences a designated number of shifts. The first row remains unaltered, while the second row shifts leftward once, the third row shifts leftward twice, and the fourth row shifts leftward thrice.
• MixColumns: This stage involves performing a matrix multiplication, where every column undergoes multiplication with a specific matrix, changing the byte positions within each column. Note that the final round of the process does not include this step.
• AddRoundKey: The outcome obtained from the preceding step is subjected to an XOR operation with the associated round key. In this context, the 16-byte arrangement is not treated as a grid but rather as a 128-bit data set.

3.2 Basics of Elliptic Curve Cryptography

ECC was introduced as a potential solution to address the limitations of slow speed, redundancy, and key size found in established encryption methods like the digital signature algorithm (DSA) and the Rivest, Shamir, and Adleman (RSA) algorithm [20–23]. ECC operates on an algebraic-curve-based system utilizing elliptical curve points within a finite field. Combining ECC with the AES algorithm can offer enhanced security for modern technologies that are constantly evolving [24, 25]. Depending on the specific use case, elliptic curve cryptosystems can be designed for either prime or binary fields.

ECC offers a comparable level of security to other cryptographic algorithms but with the advantage of using smaller key sizes. For example, an ECC-80-bit key provides the same security as a 1024-bit RSA key.

Table 2 Comparable Key Strength of Various Algorithms

| ECC | RSA | Diffie-Hellman | AES |
|---|---|---|---|
| 80 | 1024 | 1024 | 160 |
| 112 | 2048 | 2048 | 224 |
| 128 | 3072 | 3072 | 256 |
| 192 | 7680 | 7680 | 384 |
| 256 | 15,360 | 15,360 | 521 |


Consequently, the reduced key size of ECC enables a more compact design, resulting in several benefits, including improved circuit area, lower memory requirements, reduced power consumption, enhanced performance, and increased bandwidth. The key size of ECC has been incorporated into both IEEE 1363 and NIST as well [3]. Table 2 shows that ECC requires a moderate key size when comparing RSA and ECC. Consequently, ECC offers enhanced security compared to RSA [26, 27].

3.3 Arithmetic over elliptic curve

The representation of the elliptic curve on a prime field can be expressed as $y^2 \pmod{p} = x^3 + ax + b \pmod{p}$, where $(4a^3 + 27b^2) \pmod{p} \neq 0$. Each element is an integer within the range of 0 to (p-1). Moreover, all the mathematical operations will occur within a uniform range, i.e. from 0 to (p-1). To enhance security, a prime number p is chosen from a range of 0 to n-1 bits where n is a random number over the prime field [28]. Based on Eq. (1) and the variability of p, it is evident that calculating the y coordinate on the elliptical curve using the x coordinate requires substantial data width addition, multiplication, and point-doubling operations depending on the values of x, a, and b.

• Point Addition:

Let two points P and Q be given as $P = (X_P, Y_P)$ and $Q = (X_Q, Y_Q)$. Suppose a point R is the point addition of P and Q, such that R = P + Q, whose coordinate is given as $R = (X_R, Y_R)$, according to Eq. 1.

$$
\begin{cases}
X_R = (\lambda^2 - X_P - X_Q) \bmod p \\
Y_R = (-Y_P + \lambda (X_P - X_R)) \bmod p \\
\lambda = \dfrac{Y_P - Y_Q}{X_P - X_Q}
\end{cases}
\tag{1}
$$

where λ represents the slope of the line that connects points P and Q. If P = -Q, that is, $P = (X_Q, -Y_Q) \bmod p$, then P + Q = O, where O is a point at infinity. Figure 1 shows the point addition operation over EC.

• Point Doubling:

Suppose a point P such that $P = (X_P, Y_P)$, where $X_P \neq 0$. Consider a point Q such that Q = 2P, where $Q = (X_Q, Y_Q)$. The coordinate of Q is given according to Eq. 2.

$$
\begin{cases}
X_Q = (\lambda^2 - 2X_P) \bmod p \\
Y_Q = (-Y_P + \lambda (X_P - X_Q)) \bmod p \\
\lambda = \dfrac{3X_P^2 - p_t}{2Y_P}
\end{cases}
\tag{2}
$$

The parameters selected for the elliptic curve are represented by "λ," which denotes the tangent at point A, and $p_t$. Figure 2 shows the point doubling operation over EC.

Fig. 1 Point addition in EC

Fig. 2 Point doubling in EC

Fig. 3 System Model of Proposed Method

The fundamental process in the ECC algorithm involves performing point multiplication

$$Q = kP \tag{3}$$

where Q is derived from multiplying the private key k with the base point P on the elliptic curve to obtain the public key Q, where k is a number between 0 and n-1 and

$$Q = \underbrace{P + P + P + \dots + P}_{k \text{ times}}$$
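The point addition, point doubling and point multiplication rules above, worked through on a toy curve. This is an added example, not code from the paper; the curve y^2 = x^3 + 2x + 2 (mod 17), the base point (5, 1) and its order 19 are constructed textbook-sized parameters, and the doubling slope is written in the standard form with the curve coefficient a.

```python
"""Toy elliptic-curve arithmetic over a prime field (illustration only)."""

# Constructed textbook-sized parameters (not from the paper):
# curve y^2 = x^3 + 2x + 2 (mod 17), base point G = (5, 1) of order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19
INF = None  # the point at infinity O


def on_curve(pt):
    """True if pt satisfies the curve equation (O counts as on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p, q):
    """P + Q following Eq. 1, with doubling (Eq. 2) as the P == Q case."""
    if p is INF:
        return q
    if q is INF:
        return p
    xp, yp = p
    xq, yq = q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return INF  # P = -Q, so P + Q = O (also covers doubling when y = 0)
    if p == q:
        # Tangent slope in the standard form (3*x^2 + a) / (2*y).
        lam = (3 * xp * xp + A) * pow((2 * yp) % P_MOD, -1, P_MOD)
    else:
        # Chord slope (Y_P - Y_Q) / (X_P - X_Q).
        lam = (yp - yq) * pow((xp - xq) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    xr = (lam * lam - xp - xq) % P_MOD
    yr = (-yp + lam * (xp - xr)) % P_MOD
    return (xr, yr)


def repeated_add(k, p):
    """Q = P + P + ... + P (k times), the literal definition; O(k) additions."""
    result = INF
    for _ in range(k):
        result = add(result, p)
    return result


def scalar_mult(k, p):
    """Q = kP by double-and-add; O(log k) additions. Not constant time."""
    result, addend = INF, p
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def public_key(private_k, base=G):
    """Derive Q = kP after validating the scalar and the base point.

    The range [1, n-1] is an assumption of this example: k = 0 would give
    the point at infinity as the public key.
    """
    if not 1 <= private_k <= ORDER - 1:
        raise ValueError("private key must lie in [1, n-1]")
    if base is INF or not on_curve(base):
        raise ValueError("base point is not a valid curve point")
    return scalar_mult(private_k, base)


if __name__ == "__main__":
    for k in (1, 2, 3, 18):
        print(k, public_key(k))
    print("19G =", scalar_mult(ORDER, G))
```

The branch on each key bit in `scalar_mult` makes its running time depend on k, which is why production libraries use constant-time ladders and far larger standardized curves.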

3.4 Genetic Algorithm applications

A potent optimization method known as Genetic Algorithm (GA) utilizes a population-based approach to perform various operations such as two-point crossover and mutation. These operations are employed to approximate a solution for optimization problems. Prior to applying the genetic algorithm's operators, an initial population of chromosomes (individuals) is randomly generated within the search space. Every individual in the population represents a potential solution to the problem within the search area. The fitness of each chromosome is assessed using a fitness function. Each chromosome comprises multiple genes, with each gene symbolizing a specific part of the solution. Afterward, these operators are employed on the population to generate a fresh population (solutions). These operators are iteratively applied until a specified termination condition is satisfied [29]. The procedures for executing the tasks of the GA are outlined as follows:

• Two Points Cross Over: The crossover process involves applying the crossover operation to individuals from the current generation to produce a new generation. The aim is for this new generation to be fitter than the previous one. In the two-point crossover, we selectively swap segments of genetic information between two parent strings. Two random points are selected within the parent strings' chromosomes, and the genetic material between these points is then exchanged. Example:

• Mutation process: To enhance the likelihood of generating novel and distinct offspring that differ from their parents, a specific procedure involves selecting certain genes within the chromosome at random and altering their values to other potential values within the search space. Typically, the mutation operation is performed with a lower probability (Pm) in contrast to Pc. The primary goal of mutation is to explore the nearby region, ultimately leading to increased genetic diversity. In this process, we just interchange the strings.

4 Proposed methodology

In this work, we have introduced a novel model designed to facilitate a cloud-based IoT-enabled system, as depicted in Fig. 3. Our proposed model comprises three distinct entities, each serving a unique purpose and contributing to the system's overall functionality. In the following sections, we will provide a detailed description of each of these entities, elucidating their roles and interactions within the framework.


• Cloud service provider: This entity serves as the primary overseer or central governing body for any cloud environment that facilitates infrastructure and delivers cloud services through the utilization of multiple high-powered servers equipped with ample memory capacity [30].
• IoT: IoT devices store sensitive or regular data within the cloud server's database and rely on the Cloud Service Provider (CSP) to handle the data.
• User: Users may be viewed as authorized individuals or entities seeking access to data or various services provided by the cloud service provider.

To ensure secure communication between IoT devices and users, a comprehensive method is proposed to establish robust security for the data transmitted by IoT-enabled devices. This recommended approach encompasses two distinct phases: (1) authentication, and (2) ensuring robust security of IoT data during communication. The first phase of the suggested system is the authentication. This phase involves three steps: registration, login, and verification. Initially, the user registers their information with the cloud service provider. Following the registration process, the user utilizes their username, password, and attribute to log in to the cloud service provider. The information of the users who have registered is stored within the database hosted on a cloud server. When a user signs up for cloud services, a hash code is generated using the SHA-512 algorithm as a standard procedure to authenticate the user's identity. In the verification process, the server checks if the user employing the hash function is indeed an authenticated user or not. Once the user's identity is verified, the IoT devices that have been registered are triggered into operation. The data transmitted by these devices is concurrently gathered by the cloud server in an encrypted format, ensuring the safeguarding of data against potential attackers. The cloud transmits the encrypted data to the respective user. Subsequently, the user decrypts the encrypted data by using the secret key. In the second phase, key generation and expansion are done through ECC and GA, and data is encrypted and decrypted by the AES algorithm. Figure 4 shows the workflow of the proposed scheme.

Fig. 4  Workflow of the proposed framework


4.1 Authentication

The authentication of the proposed method encompasses two key aspects: user authentication and IoT authentication.

• User Authentication

Users function as authorized entities or parties seeking access to data stored on remote cloud servers. The typical process involves the user's registration within the cloud environment, enabling them to connect with the cloud server and initiate data requests. During this registration, each user is assigned a distinct identifier and password, which serve as the means for logging in to the cloud platform and verifying their identity. This authentication mechanism ensures secure and controlled access to cloud resources, safeguarding both user data and the integrity of the cloud infrastructure. Figure 5 illustrates the sequence diagram for the suggested authentication scheme, while Table 3 illustrates the symbols used for user authentication.

Fig. 5 Sequence diagram of the user authentication

Table 3 Symbol used for user authentication

| Symbol | Description |
|---|---|
| Ui | User i |
| Idi | Identification of User i |
| Pwi | Password of User i |
| Tu | Trusted User |
| bi | The random number selected by user i |
| Hc | Hash Code |
| hf | Hash Function |
| \|\| | Concatenation |

Step 1: The user registers to the cloud service provider by providing details such as their name, date of birth, and address. Following the registration process, the SHA-512 algorithm produces a hash code using the user's details. Let us consider a user as U, with identification $Id_i$, having a password $Pw_i$, and a user attribute $U_A$. We refer to a trustworthy user as $T_u$. The resulting hash code produced by using SHA-512 is displayed as follows: $H_c = h_f(Id_i \,\|\, Pw_i \,\|\, U_A)$, where $H_c$ represents the hash code produced by the hash function $h_f$.

Step 2: Login credentials are provided to the user by the cloud service provider.

Step 3: The login process requires the user to input authentication credentials supplied by the cloud service provider. During this login step, the system combines the provided $Id_i$ and $Pw_i$ to generate a hash code called $H_{s1} = h_f(Id_1 \,\|\, Pw_1 \,\|\, U_A)$, utilizing the SHA-512 algorithm.

Step 4: The SHA-512 algorithm is used again by the cloud service provider to calculate the hash code for the user denoted as $U_p$ with the identifiers $Id_i$ and $Pw_i$. The resulting hash code is then displayed as $H_{s2} = h_f(Id_2 \,\|\, Pw_2 \,\|\, U_A)$. If the values of $H_{s2}$ and $H_{s1}$ are equal, it signifies that the user is authorized, and the IoT-enabled device connected to the cloud service provider will be activated. Conversely, if these values are not the same, it indicates that the individual is unauthorized, and their access to the system will be denied. It's important to note that $Id_2$, $Pw_2$, and $U_A$ represent information already saved on the registration server. This data was generated during the registration process.

• IoT Authentication

We proposed a novel method designed for the authentication of IoT devices. This approach comprises three key components: the devices themselves, a trust center, and a cloud service provider. The suggested method involves registering devices with the trust center, enabling them to establish communication with the cloud service provider. This involves assigning a unique identifier and password to every individual device, both serving as credentials for network access and authentication. Following successful authentication, the trust center employs a designed cryptographic algorithm to encrypt the plaintext and allows communications exchanged between the devices and the cloud service provider. Figure 6 depicts the sequence diagram for the suggested method, while Table 4 lists the variables utilized within the IoT authentication.


Fig. 6 Sequence diagram of the IoT authentication, DB = Database

Step 1: Every IoT device registers with a unique $Id_i$ to the TC to ensure its information is stored and retained.

Step 2: The TC authorizes the IoT device, stores its registration data in its database, and sends the root certificate to the IoT device.

Step 3: The device stores its account details within its database and subsequently generates a key pair.

Step 4: The IoT device requests an enrollment certificate from the TC.

Step 5: The TC validates the identity and sends the enrollment certificate if the device is valid. Otherwise, the request is denied.

Step 6: The IoT device generates fresh key pairs and requests certificate signing from the TC.

Step 7: The TC validates the signature and signs the certificate if it is valid, then sends the operational certificate to the IoT device.

Step 8: The registration of the CSP with the trust center is essential for facilitating the connectivity of IoT devices. The CSP transmits $(SId_j \cdot d_j)$ to the TC.

Step 9: The TC provides an identifier and password to the cloud service provider, storing the CSP's details in the TC database. Subsequently, the TC forwards a registration confirmation to the CSP.


Table 4 Symbol used for IoT authentication

| Symbol | Description |
|---|---|
| TC | Trust Center |
| Idi | Identification of the device i |
| CSP | Cloud Service provider |
| SIdj | Identification of server j |
| SPj | Service provider j |
| dj | A random number selected by the server i |
| TS | Time Stamp |
| X | Trust center security number |
| ΔRT | Threshold of the distance of sending the CSP's request to the IoT |
| ΔT | Threshold of delay |

Step 10: Every time data is requested from the IoT device, it is essential to authenticate the CSP. Consequently, the server transmits the CSP details to the TC to assess the CSP entry and establish a shared connection key. The TC first assesses time-related factors: the interval between consecutive requests made by the CSP must meet or exceed the required time gap for sending a request to an IoT device, $(TS_i^{n} - TS_i^{n-1}) \ge \Delta RT$, and the delay should not exceed the predetermined threshold, $(TS_{P_j}^{cur} - TS_i) < \Delta T$. The TC then proceeds to create the key. Assessing the reliability of the CSP and subsequently determining the IoT device's accessibility is a crucial responsibility of the trust center. The time frame is characterized by its defined positive and negative bounds as $B_P = |Curr - Positive|$ and $B_N = |Curr - Negative|$, where Positive and Negative have approved boundaries for the time frame and Curr represents the current time. If an action falls within the $B_P$ boundary, it is deemed positive; otherwise, it is ruled out. The same principle applies to a negative action within the $B_N$ boundary. The level of trust in the CSP is determined using a fuzzy system that considers the count of positive as well as negative actions. The fuzzy system utilizes input variables representing the quantity of positive as well as negative behaviors and employs triangle membership functions for both variables.

Step 11: Upon verifying CSP authentication after step 8, the TC proceeds to transmit the key $K_i$ to the CSP.

Step 12: The capability to make requests and obtain services will be accomplished through the sharing of a mutual key between the device and the service provider. During this stage, the IoT device shares the mutual key with the CSP.

Step 13: By utilizing the issued key, the CSP can now establish secure communication with the IoT device and request data. We employ a hybrid model of ECC and AES to send messages securely.

4.2 Data security and privacy

After the IoT devices are activated, the data generated by these devices is transmitted to the cloud server. Robust security measures are essential to safeguard the information as it travels from the IoT devices to the cloud. This protection ensures that sensitive data remains confidential and prevents unauthorized access, thereby maintaining the integrity and trustworthiness of the IoT ecosystem. A

robust encryption process is proposed to ensure the utmost privacy and security when transferring data from IoT devices to the cloud server. The values of data generated by the IoT devices undergo encryption using the AES algorithm. This encryption process involves the utilization of a secret key, which is generated through a combination of ECC and GA. By employing this state-of-the-art encryption methodology, we can confidently safeguard the confidentiality and integrity of the transmitted data, providing a robust shield against unauthorized access and potential threats to privacy. Figure 7 illustrates the complete design of the security and privacy approach.

Fig. 7  Schematic diagram of the proposed security and privacy approach

Combining ECC with GA decreases the key length, which makes the system effective. ECC is used as a lightweight cryptography scheme for data security. To attain the desired outcomes, it may be beneficial to maintain data with smaller keys. This will help to optimize the performance. The small key length of ECC is its main advantage [31].

Whereas, AES is considered highly secure and efficient, making it a popular choice for securing data in various applications, including data transmission and storage [32, 33]. The data security and privacy stage consists of four phases (i) Key generation (ii) Key expansion (iii) Encryption, and (iv) Decryption.

• Key Generation

Step 1: Choose a randomly generated 256-bit number from the Elliptic Curve.
Step 2: Split this bit sequence into two equal segments containing 128 bits each.
Step 3: Utilize GA techniques, specifically employing a two-point crossover and mutation operation, on this pair of strings.
Step 4: Ultimately, both bit strings undergo an XOR operation, resulting in a 128-bit string that is regarded as the secret key $K_0$.

• Key Expansion

In the AES, the number of keys used in the encryption and decryption process is indeed equal to the number of rounds plus one. The remaining keys are produced in the same manner as the key generation process described above.

and $K_i = (K_i \oplus K_{i-1})$, where i = 1, 2, 3, …

• Encryption and Decryption

Divide the data D from the IoT device into 16-octet blocks, each 128-bit according to Eq. 4, labeled as $b_1, b_2, b_3, \ldots, b_n$. Pad the last block with zeros if needed. However, if the message M is an empty string, no additional blocks will be added during this process.

$$D = \sum_{i=1}^{n} b_i \qquad (4)$$

In the described process, every block undergoes a transformation into a 4 × 4 matrix, and subsequently, encryption and decryption are applied using the AES algorithm. This technique is visually represented in Fig. 8, illustrating the crucial steps in securing the data. This process is a crucial step in securing data, and ensuring its confidentiality and integrity.

5 Results and discussion

A Python-based platform, along with the SageMath tool, was utilized to create a simulation of the suggested authentication and encryption system for IoT data. We used the pycryptodome library of Python and brainpoolP256r1 specific elliptic curve for the suggested method.

To compare our suggested method with other existing strategies, we use four different datasets, of size 128 kB, 188 kB, 214 kB, and 254 kB respectively. Consequently, we needed to assess how long it would take to generate the keys, encryption, and decryption of data. It can be easily seen that the key generation, encryption, and decryption time of the proposed approach is lesser in comparison to the other cryptographic algorithms. With the reduction in time, the computational cost of the system also reduces, hence the system becomes more effective. Figure 9 illustrates the comparison of key generation time, Fig. 10 presents the encryption time comparison, and Fig. 11 displays the decryption time comparison. Figure 12 illustrates that the suggested model outperforms DES by 51.21% and surpasses RSA by 81.25% in terms of speed.

Experimental analysis indicates that the suggested model guarantees privacy by producing unpredictable variations when minor alterations are made to the key. Furthermore, we employ Eq. 5 to assess the extent of dissimilarity between two ciphertexts derived from the same plaintext, which reveals a significant avalanche effect in the proposed model compared to alternative models, as illustrated in Fig. 13.

$$A = \frac{\sum_{i=1}^{n} (\text{Ciphertext2}) - \sum_{i=1}^{n} (\text{ciphertext1})}{\sum_{i=1}^{n} (\text{ciphertext1})} \times 100 \qquad (5)$$

Throughput values are determined by applying Eq. 6. A greater throughput signifies superior efficiency and effectiveness of the algorithm. Analyzing these throughput values reveals that the proposed model outperforms other models in terms of efficiency. The examination reveals that the suggested approach outperforms the alternatives regarding throughput efficiency. Specifically, the chart illustrates throughputs of 1543.611 KB/s for RSA, 2136.298 KB/s for
DES, and 2325.926 KB/s for the proposed hybrid model. Figure 14 illustrates the throughput efficiency of the proposed model.

$$\text{Throughput (KB/ms)} = \frac{\text{Datasize}}{\sum \text{Time}} \qquad (6)$$

Fig. 8  Encryption and Decryption through AES

Fig. 9  Key generation time

Fig. 10  Encryption time
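The Key Generation steps of Sect. 4.2 (Steps 1 to 4), as an added example that is not the authors' code. Assumptions: `secrets.randbits(256)` stands in for the 256-bit number the paper takes from the elliptic curve, both halves are cut at the same two points, and mutation flips chosen bit positions; the function names, cut points and mutation positions are hypothetical, since the paper does not specify them.

```python
import secrets

HALF_BITS = 128
MASK = (1 << HALF_BITS) - 1

def split_256(seed):
    """Step 2: split a 256-bit integer into its high and low 128-bit halves."""
    if not 0 <= seed < 1 << 256:
        raise ValueError("seed must fit in 256 bits")
    return seed >> HALF_BITS, seed & MASK

def two_point_crossover(a, b, p1, p2):
    """Step 3: exchange bit positions p1..p2-1 between the two parents."""
    if not 0 <= p1 < p2 <= HALF_BITS:
        raise ValueError("need 0 <= p1 < p2 <= 128")
    segment = ((1 << (p2 - p1)) - 1) << p1
    return (a & ~segment) | (b & segment), (b & ~segment) | (a & segment)

def mutate(x, positions):
    """Step 3: flip each listed bit position (0 = least significant bit)."""
    for pos in positions:
        if not 0 <= pos < HALF_BITS:
            raise ValueError("mutation position out of range")
        x ^= 1 << pos
    return x

def derive_k0(seed, p1, p2, mut_a=(), mut_b=()):
    """Steps 2-4 for given (hypothetical) cut points and mutation positions."""
    hi, lo = split_256(seed)
    child_a, child_b = two_point_crossover(hi, lo, p1, p2)
    child_a, child_b = mutate(child_a, mut_a), mutate(child_b, mut_b)
    return (child_a ^ child_b).to_bytes(HALF_BITS // 8, "big")  # Step 4: XOR

def generate_k0():
    """Steps 1-4 with all random choices drawn from the OS CSPRNG."""
    rng = secrets.SystemRandom()
    seed = secrets.randbits(256)  # assumption: stands in for the ECC-derived value
    p1, p2 = sorted(rng.sample(range(HALF_BITS + 1), 2))
    return derive_k0(seed, p1, p2,
                     [rng.randrange(HALF_BITS)], [rng.randrange(HALF_BITS)])

if __name__ == "__main__":
    print(generate_k0().hex())
```

With both halves cut at the same positions, the crossover leaves the Step 4 XOR unchanged, and a mutation at the same position in both children cancels out. Under these assumptions K0 is determined by the 256-bit random number and the mutation positions.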


6 Security analysis

In this segment, we have analyzed the robustness of our suggested approach when confronted with various security threats.

6.1 DoS attack

Our proposed authentication protocol is designed to effectively thwart DoS (Denial of Service) attacks. It empowers users with the ability to determine whether their messages have successfully passed the authentication phase. This determination is made immediately after receiving the server's response, which can either confirm the message's validity or reject it. To ensure message freshness, our method relies on timestamps, which serve as a means of verification. Moreover, generating arbitrary numbers at every stage and in every session enhances the system's security. Importantly, preventing duplicated messages is a key feature, rendering it practically impossible for an attacker to execute a DoS attack. Consequently, our proposed method provides robust resistance against DoS attacks, bolstering the system's overall security.

Fig. 11  Decryption time

Fig. 12  Average percent time faster speed

6.2 Replay attack

Suppose an adversary attempts to replay an old message to the server. In our proposed approach, the cloud service provider can detect that this message is not current. Initially, the cloud server verifies the timestamp validity using the condition T2 − T1 ≤ ΔT; if it's considered valid, the session terminates. The same validation process occurs when the server receives an IoT device message, checking if T4 − T3 ≤ ΔT. Meanwhile, the sensor node and the user employ T3 − T2 ≤ ΔT and T5 − T4 ≤ ΔT, respectively, to assess the freshness of the cloud server's message. As a result, our proposed protocol is resilient to replay attacks.
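The timestamp checks of Step 10 and Sects. 6.1 and 6.2, as an added example that is not the authors' code: a receiver-side guard that applies the delay bound in its Step 10 form (strictly less than ΔT), the minimum gap ΔRT between consecutive requests, and duplicate rejection. The nonce field, the rejection of future timestamps, the class and verdict names and the sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RequestGuard:
    """Freshness checks applied to each incoming CSP request."""
    delta_t: float    # ΔT: delay threshold, in seconds
    delta_rt: float   # ΔRT: minimum gap between consecutive requests
    last_ts: dict = field(default_factory=dict)  # csp_id -> last accepted TS
    seen: dict = field(default_factory=dict)     # (csp_id, nonce) -> TS

    def check(self, csp_id, ts, nonce, now):
        delay = now - ts
        if delay < 0:
            return "future"     # added assumption: future timestamps are refused
        if delay >= self.delta_t:
            return "stale"      # fails (TS_cur - TS) < ΔT
        # Nonces older than ΔT can be dropped: such messages are already stale.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t < self.delta_t}
        if (csp_id, nonce) in self.seen:
            return "duplicate"  # replay inside the freshness window
        prev = self.last_ts.get(csp_id)
        if prev is not None and ts - prev < self.delta_rt:
            return "too_soon"   # fails TS_n - TS_(n-1) >= ΔRT
        self.last_ts[csp_id] = ts
        self.seen[(csp_id, nonce)] = ts
        return "accept"

# Constructed sample traffic: (csp_id, message timestamp, nonce, receive time)
SAMPLE = [
    ("csp-1", 100.0, "n1", 101.0),  # first request
    ("csp-1", 100.0, "n1", 103.0),  # same message replayed within ΔT
    ("csp-1", 101.0, "n2", 103.5),  # new request only 1 s after the last one
    ("csp-1", 103.0, "n3", 104.0),  # new request 3 s after the last one
    ("csp-1", 100.0, "n1", 110.0),  # first message replayed after ΔT
    ("csp-1", 120.0, "n4", 110.5),  # timestamp ahead of the receiver clock
]

def run_sample(delta_t=5.0, delta_rt=2.0):
    guard = RequestGuard(delta_t, delta_rt)
    return [guard.check(*msg) for msg in SAMPLE]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE, run_sample()):
        print(msg, "->", verdict)
```

The timestamp bound alone does not stop a replay that arrives inside the ΔT window; the nonce table covers that interval, and it only needs to remember entries for ΔT seconds.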
Fig. 13  Avalanche effect analysis

6.3 Insider attack

Our proposed system is designed to withstand privileged insider attacks. If a malicious individual gains access to the registration data {MID, c}, even possessing this data will not enable the attacker to guess the password or launch any form of fraudulent attack. Additionally, if the attacker aims to obtain only the user ID, they will encounter the challenge of breaking the one-way hash function's secrecy. In contrast, if the attacker intends to carry out an impersonation attack, they would need access to the cloud server's secret key. As a result, our proposed protocol demonstrates resilience against privileged insider attacks.

Fig. 14  Throughput efficiency


7 Conclusion

Modern technologies are profoundly reshaping our world, bringing both opportunities and challenges. In this digital age, professionals now possess the capability to access sensitive user data online, underscoring the critical need for robust authentication methods to safeguard user privacy and security. Therefore, exploring a lightweight authentication method is essential to ensure secure communication between the user and cloud-based IoT devices. This study uses ECC, GA, and AES techniques to introduce a robust authentication and cryptographic framework for safeguarding IoT data during transmission. ECC and GA are utilized to create a shorter-length key to enhance both the level of security and the speed. The data generated through IoT devices undergoes AES encryption before being transmitted to the cloud service provider. The system achieves security requirements by minimizing key generation, encryption, and decryption time, decreasing communication overhead. Its security analysis and simulation results demonstrate the proposed framework's strength. Compared to the conventional algorithms, or cryptographic methods such as DES and RSA, the analysis of results shows that the suggested model offers faster execution times and higher throughput when performing encryption and decryption. The application of the suggested approach has demonstrated its suitability for integration into cloud-based IoT applications due to its efficient time utilization and significant enhancement of security measures.

The proposed framework can be applied as a separate service in a cloud environment to authenticate IoT devices, and users, and protect data in the cloud. In the future, we want to apply this framework to healthcare infrastructure to authenticate Medical IoT (MIoT) devices and healthcare users. The framework will also protect the patient's medical history including data such as lab tests, prescribed medicines, and other related medical data. In the future, we intend to extend this work by including hardware-level IoT authentication to make the platform more robust.

Data availability Not applicable.

Declarations

Conflict of interest All authors of this article declare there is no competing interest.

References

1. Stallings W Cryptography and Network Security, 7th ed. 2019.
2. Lone AN, Mustajab S, Alam M (2023) A comprehensive study on cybersecurity challenges and opportunities in the IoT world. Security and Privacy, e318 (2023).
3. Kumar R, Agrawal N Analysis of multi-dimensional Industrial IoT (IIoT) data in Edge-Fog-Cloud based architectural frameworks: A survey on current state and research challenges. J Ind Inform Integration (2023): 100504.
4. Butpheng C, Yeh K-H, Xiong Hu (2020) Security and privacy in IoT-cloud-based e-health systems—a comprehensive review. Symmetry 12(7):1191
5. Martinez L, Antonio MGP, Ruiz-Martínez A (2023) A comprehensive review of the state-of-the-art on security and privacy issues in healthcare. ACM Comput Surveys 55(12): 1–38.
6. Shukla DK, Dwivedi VK, Trivedi MC (2020) Encryption algorithm in cloud computing. Mater Today Proc 37:1869–1875
7. Yahia HS, Zeebaree SRM, Sadeeq MAM, Salim NOM, Kak SF, Al-Zebari A, Salih AA, Hussein HA (2021) Comprehensive survey for cloud computing based nature-inspired algorithms optimization scheduling. Asian J Res Comput Sci
8. Madhavi G, Samatha J (2021) Secure data storage and access of data in cloud using Elliptic curve cryptography. IEEE J. 2020, 11. Available online: www.jespublication.com. Accessed on 22 Oct 2021.
9. Chen Y, Liu H, Wang B, Sonompil B, Ping Y, Zhang Z (2021) A threshold hybrid encryption method for integrity audit without trusted center. J Cloud Comput 10:3
10. Sridharan S, Arokiasamy A (2017) Effective secure data storage in cloud by using ecc algorithm. Middle-East J Sci Res 25:117–127
11. Selvam JM, Srivaramangai P (2020) Time complexity analysis of cloud authentications and data security: Polynomial based hashing and elliptic curve cryptography. Int J Anal Exp Modal Anal 12: 850–860.
12. Manaa ME (2021) Data encryption scheme for large data scale in cloud computing. J. Telecommun. Electron. Comput. Eng. 2017, 9, 1–5. Available online: https://jtec.utem.edu.my/jtec/article/view/2759. Accessed 22 Oct 2021.
13. Astuti NRDP, Aribowo E, Saputra E (2020) Data security improvements on cloud computing using cryptography and steganography. IOP Conf Series Mater Sci Eng 821:012041
14. Awad WS (2020) A framework for improving information security using cloud computing. Int J Adv Res Eng Technol 11:264–280
15. Singla S, Bala A. A review: cryptography and steganography algorithm for cloud computing. In: 2018 second international conference on inventive communication and computational technologies (ICICCT). IEEE, 2018.
16. Almorsy M, Grundy J, Müller I An analysis of the cloud computing security problem arXiv preprint arXiv:1609.01107 (2016).
17. Nie T, Song C, Zhi X (2010) Performance evaluation of DES and Blowfish Algorithms. International Conference on Biomedical Engineering and Computer Science 2010:1–4. https://doi.org/10.1109/ICBECS.2010.5462398
18. Gupta M, Sinha A (2021) Enhanced-AES encryption mechanism with S-box splitting for wireless sensor networks. Int J Inf Technol 13:933–941
19. Hodowu DKM, Redeemer Korda D, Danso Ansong E An enhancement of data security in cloud computing with an implementation of a two-level cryptographic technique, using AES and ECC algorithm. Int. J. Eng. Res. Technol 9 (2020): 639–650.
20. Naresh R, Sayeekumar M, Karthick G, Supraja P (2019) Attribute-based hierarchical file encryption for efficient retrieval of files by dv index tree from cloud using crossover genetic algorithm. Soft Comput 23(8):2561–2574
21. Kamal KK, Gupta S, Joshi P, Kapoor M (2023) An efficient mCK signing and mobile based identity solution for authentication. Int J Inf Technol. https://doi.org/10.1007/s41870-023-01189-8


22. Ubaidur Rahman NH, Balamurugan C, Mariappan R (2015) A novel DNA computing based encryption and decryption algorithm. Proc Comput Sci 46:463–475
23. Cheng C, Lu R, Petzoldt A, Takagi T (2017) Securing the internet of things in a quantum world. IEEE Commun Mag 55(2):116–120
24. Imam R, Anwer F, Nadeem M (2022) An effective and enhanced RSA based public key encryption scheme (XRSA). Int J Inf Technol 14(5):2645–2656
25. Lawal OM et al (2021) An improved hybrid scheme for e-payment security using elliptic curve cryptography. Int J Inf Technol 13:139–153
26. Sethi PC, NeelimaSahu, Kumar Behera P Group security using ECC. International Journal of Information Technology (2022): 1–9.
27. Jain S, Doriya R (2022) Security framework to healthcare robots for secure sharing of healthcare data from cloud. Int J Inf Technol 14(5):2429–2439
28. Odelu V, Das AK, Choo KKR, Kumar N, Park Y (2017) Efficient and secure time-key based single sign-on authentication for mobile devices. IEEE Access 5:27707–27721
29. Certicom Corp., Standards for Efficient Cryptography, SEC 2: Recommended Elliptic Curve Domain Parameters, Version 1.0, Certicom, Sept. 2000.
30. Namasudra S et al. Securing multimedia by using DNA-based encryption in the cloud computing environment. ACM Transactions on Multimedia Computing, Communications, and Applications (TOMM) 16.3s (2020): 1–19.
31. AlMajed H, AlMogren A (2020) A secure and efficient ECC-based scheme for edge computing and internet of things. Sensors 20(21):6158
32. Imam R, Anwer F (2022) An empirical study of secure and complex variants of RSA scheme. In Cyber Security, Privacy and Networking (pp. 185–196). Springer, Singapore.
33. Pawar RS, Kalbande DR (2023) Optimization of quality of service using ECEBA protocol in wireless body area network. Int J Inf Technol 15:595–610. https://doi.org/10.1007/s41870-022-01152-z

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
