Introduction

With the gradual diversification of Internet of Things (IoT) application fields and the exponential growth of its diffusion rate, the number of IoT devices is expected to exceed 29 billion by 2030 [1]. However, many problems caused by communication in IoT applications have gradually been exposed, such as too many industry standards and scattered application scenarios. Therefore, the global 3rd Generation Partnership Project (3GPP) committee formulated the core standard of narrowband Internet of Things (NB-IoT) in 2016 [2]. NB-IoT is a new access technology based on the IoT [3]. Compared with traditional wireless communication technology, NB-IoT can use cellular wireless transmission technology to realize information interaction, and it has the characteristics of large capacity, wide coverage, low cost, and low power consumption [4]. Therefore, NB-IoT can provide a better means of network access for long-distance and large-scale deployment and is widely used in application scenarios such as water and electricity meter reading, logistics warehousing, and fire warning [5]. As stated in Ericsson's report [6], the number of devices connected by the massive IoT technologies NB-IoT and LTE-M reached nearly 500 million by the end of 2022. As NB-IoT terminal devices are increasingly integrated into people's lives, their security and performance have attracted great attention. Once these large-scale connected NB-IoT terminals [7] are attacked from the outside, it will have a serious impact on the 5G network. In particular, NB-IoT terminal devices are often deployed in places that are not subject to effective human supervision, so they are vulnerable to attack and can be controlled by adversaries, who then pretend to be legitimate terminal devices when communicating with servers.
Therefore, to realize the security of NB-IoT devices in various applications, it is necessary to perform secure authentication and key exchange between communicating entities and use an effective security authentication scheme to ensure the authenticity and legitimacy of NB-IoT device identity.

Identity authentication can ensure safe and reliable device access; by implementing comprehensive authentication for the devices in the IoT, attacks on IoT devices can be reduced. The issues of NB-IoT terminal devices in access authentication are shown in Fig. 1. Terminal devices face the threat of being captured by attackers, who can then communicate with the server as legitimate terminal devices and steal and tamper with messages. Moreover, if a large number of terminal devices send authentication requests to the same authentication server at the same time, the large volume of authentication request signaling will increase the communication burden of the whole transmission network, resulting in signaling congestion, and the large amount of data concentrated at the server will easily lead to a large authentication delay. This affects the operating efficiency of the NB-IoT system, and the authentication may even fail to complete. Group authentication enables the server to authenticate a group of devices at a time [8]. Compared with traditional authentication schemes, group authentication can better solve the problem of signaling congestion caused by a large number of terminal devices, and it is more suitable for scenarios with a large number of devices requiring authentication. However, most of the existing group authentication schemes transfer the authentication data to the server for centralized processing, which easily causes a large authentication delay.

Edge computing is a distributed computing paradigm that extends server authentication services to the edge of the network, which can solve the problems of communication efficiency, computing efficiency, and application service expansion between NB-IoT terminal devices and servers [9]. Computing, storage and data transmission in edge computing have strong distributed characteristics, so terminal data can be processed promptly, thereby reducing the burden of massive data processing on the server and the signaling overhead. Edge computing adds an edge network layer close to the terminal device between the server and the terminal. The edge network layer contains devices and gateways with medium computing power, storage capacity, and battery life [10], and its functions are mainly realized by edge computing nodes, which are regarded as intermediate components and deployed between the NB-IoT terminal and the server.

Although the characteristics of edge computing can well support various NB-IoT applications, introducing edge computing into NB-IoT also brings some challenges. The introduction of edge computing divides the NB-IoT infrastructure into multiple trust domains, such as the server, the edge layer and the terminal layer. Among them, the server is considered to be fully trusted, while the edge nodes and terminal devices are considered to be not fully trusted. These communicating entities are easier to compromise: edge nodes and terminal devices are often deployed on the user side, where they are vulnerable to attack and destruction by adversaries and cannot be given stronger security protection. Therefore, edge computing also has its own authentication and authorization risks. In addition, the terminal faces the problem of permanent identity identifier leakage when it first registers with the server and authenticates in plaintext. NB-IoT is an emerging technology based on the IoT and has many similarities with the traditional IoT, but the characteristics and working methods of NB-IoT terminals and traditional IoT terminals differ to some extent, and the energy, computing and storage capacity of the NB-IoT terminal is limited. If an existing encryption algorithm is used directly without modification, it may lead to a poor encryption effect. To solve these problems, this paper proposes a group authentication scheme based on edge assistance. The scheme uses the edge computing method and aggregate authentication technology to realize the authentication of a group of NB-IoT devices and the authentication of edge nodes. This scheme not only simplifies the authentication process and reduces the network burden, but also provides strong security protection, including user anonymity. The performance analysis results show that the signaling overhead is reduced and network congestion is avoided. Its main contributions are as follows:

  1. The edge computing paradigm is applied in the traditional NB-IoT system architecture to transform the centralized processing of servers into distributed processing, which can reduce the authentication delay and respond more quickly.

  2. A lightweight encryption algorithm for NB-IoT is used to encrypt the IMSI number carried by the terminal device itself to prevent the identity information of the terminal device from being leaked.

  3. Based on the edge-assisted three-layer architecture, a group authentication scheme between the terminal device, the edge network and the server was designed, which could authenticate the identity legitimacy of the incompletely trusted edge nodes and terminal devices, so as to ensure the legitimacy of the message source.

The organizational structure is as follows: “Related work” summarizes the related research work. Section “Prerequisites and system model” presents some research foundations and the system model. Section “The proposed scheme” introduces the authentication scheme designed. Safety and performance analyses are presented in “Security analysis” and “Performance analysis”, respectively. Section “Conclusion” gives a summary.

Fig. 1: NB-IoT terminal authentication issues

Related work

The edge-assisted group authentication scheme is a group authentication scheme based on the "server-edge-terminal" three-layer architecture, which applies edge computing to the traditional NB-IoT application architecture. Therefore, this section will introduce related technologies of edge computing and related research on group authentication schemes.

Authentication scheme in edge computing environment

Edge computing is a new distributed computing paradigm developed in recent years, which can solve the problem of centralization of current servers and also provide advantages such as meeting latency requirements and efficiency.

At present, the relevant research on security authentication in edge computing environments mostly focuses on fog computing and mobile cloud computing [11,12,13]. For example, Dey et al. [11] proposed a mutual authentication scheme based on timestamp, location and message digest in a mobile cloud computing environment. Pardeshi et al. [12] realized mutual authentication between the fog server and the terminal device. Ibrahim [13] proposed an edge authentication scheme, Octopus, based on fog computing, which realizes mutual authentication between fog users and fog nodes. However, the scheme does not support anonymous authentication and easily leaks user identity privacy. There is still little research based on mobile edge computing. Amor et al. [14] used the bilinear pairing algorithm to realize the authentication of terminals in the edge-fog computing environment based on Octopus, which can support anonymous authentication. Jia et al. [15] proposed an anonymous authenticated key agreement protocol in which complex bilinear pairing operations were used. Kaur et al. [16] designed an anonymous authentication scheme based on user identity. However, these protocols all use complex bilinear pairing calculations, which produce a large computational burden.

In summary, due to poor scalability, authentication schemes based on fog computing and mobile cloud computing are not suitable for mobile edge computing scenarios. Existing authentication schemes for edge computing also still have problems, such as the lack of anonymous authentication and a heavy computational burden. Therefore, when applying the edge computing paradigm to NB-IoT, we take into account the massive scale and ease of capture of NB-IoT terminal devices to design a new authentication scheme.

Group authentication schemes

So far, many protocols have focused on group authentication based on traditional cellular networks, and they can be divided into the following two types. The first divides devices into different device groups according to some similar characteristics and then chooses a group leader. The group leader aggregates the authentication requests of the group members that are connected to the network and sends the aggregated group authentication request to the authentication server. The server only needs to verify the aggregated message sent by the group leader to complete the authentication of the devices in the entire device group. First, Lai et al. [17] proposed a lightweight group authentication protocol, LGTH, in 2013, in which the group leader used aggregated message authentication codes to aggregate group messages. Although this authentication protocol achieved lightweight authentication, it still had security problems such as internal forgery attacks. To solve the access security and efficiency problems in machine type communication (MTC) between 3GPP and WiMAX networks, Lai et al. [18] proposed a certificateless aggregate signature authentication scheme in 2014, which overcame the key escrow shortcoming of the identity-based aggregate signature scheme but added bilinear pairing operations, which led to a large increase in computation and made it unsuitable for resource-constrained devices. Then, in 2015, Cao et al. [19] proposed GBAAM, a group-based scheme for the MTC access protocol, which can simultaneously authenticate a large number of MTC devices through the network and reduce the signaling load of the LTE network. Li et al. [20] proposed a group authentication and key agreement scheme, GRAKA, in 2016, which combined the (t, m, n) asynchronous secret sharing scheme and the Diffie-Hellman key exchange scheme, and could simultaneously authenticate multiple MTC devices and dynamically update the access rights of MTC devices.
The above two schemes can reduce the cost of communication and the burden of signaling, but because they use public key technology, they increase the amount of computation and the computational cost. To reduce the computational cost, Lai et al. [21] proposed a lightweight aggregate authentication protocol, GLARM, for MTC in 2016, which used only hash functions and XOR operations to complete the verification of a group of MTC devices, but GLARM is vulnerable to counterfeiting and other attacks. In summary, the above group authentication schemes have the problems of excessive computation and vulnerability to some attacks, such as impersonation attacks. Therefore, considering the resource constraints of NB-IoT terminal devices and the security of the authentication process, these schemes are not completely suitable for direct use in NB-IoT systems.

The second type groups the terminal equipment or machine type communication devices (MTCD) that belong to the same home network (HN) into a device group. When the first group member accesses the service network, that member completes the authentication of the device group and can send the verification information of the entire device group to the service network. First, Chen et al. [22] proposed a group authentication scheme for roaming scenarios in 2012, which could simplify the communication activities of a group of mobile stations (MS) roaming from the same HN to the service network (SN). Then, in 2013, Lai et al. [23] proposed a secure and efficient AKA protocol, SEAKA, which adopted an asymmetric key cryptosystem to protect users' privacy and simplified the whole authentication process by calculating group temporary keys (GTK). In the same year, Jiang et al. [24] proposed a group authentication protocol, EGAKA, based on the EAP framework, which used elliptic curve Diffie-Hellman so that non-3GPP MTC devices could connect to the 3GPP core network. Subsequently, Zhang et al. [25] proposed a group-based authentication and key agreement protocol in 2014, which supports group key updating for dynamic MTC groups and could use the group key as the authentication key to reduce the authentication signaling. Lai et al. [26] proposed a new type of group access authentication for MTC devices. In this scheme, the first MTC device that accessed the network could perform the whole authentication and obtain the group authentication information, so that the authentication process of the remaining devices was simplified. In summary, these group authentication schemes suffer from excessive computation and are vulnerable to impersonation attacks, so considering the resource constraints of NB-IoT terminal devices and the security of the authentication process, these schemes are not fully suitable for direct use in NB-IoT systems.

Several authentication schemes have so far been proposed for the NB-IoT network. The scheme in [27] is a group aggregation access authentication scheme using certificateless signcryption technology, which could achieve fast authentication for a large number of NB-IoT devices, but could not achieve multi-party authentication. In 2019, Cao et al. [28] proposed a quantum-resistant access authentication and data distribution scheme, which used certificateless signcryption technology without bilinear pairing to achieve group authentication. Then, Yu et al. [28, 29] used lattice homomorphic encryption technology to complete the access authentication and data transmission of a group of NB-IoT devices, but its computational load was relatively high. Zhang et al. [30] proposed a certificateless multi-party authenticated encryption scheme, which can complete the simultaneous access authentication of multiple NB-IoT terminals. However, the size of the aggregation requests in these schemes is affected by the number of end devices, and there is still a risk of communication blocking. Then, Ren et al. [31] implemented a group authentication scheme by using a physical unclonable function (PUF), which used a group leader to aggregate and relay authentication information and thereby reduced signaling and communication overhead. Chang et al. [32] proposed a group authentication scheme using the Chinese Remainder Theorem and Schnorr aggregate signatures.

To sum up, the existing research work still has some problems, such as large delay in the authentication process, insufficient security, and the inability to solve signaling congestion. It can be seen that the existing schemes cannot meet the application requirements of NB-IoT.

Therefore, we apply the edge computing paradigm in the NB-IoT network, turning the original "server-terminal" architecture into the current "server-edge-terminal" three-layer network architecture, and then design an edge-assisted group authentication scheme to realize authentication between servers, edge nodes and terminal devices. The introduction of edge computing achieves decentralization, which reduces the burden on the server side and the processing delay.

Network and physical layer security

We further cite other references to enrich the literature review. It can be seen that under the development of intelligent networks and complex systems, it is necessary to achieve effective authentication of source identity and message legitimacy for IoT devices. This section provides a more comprehensive perspective to strengthen the relationship with this topic.

With the rapid development of 5G networks in the industry and the rapid growth of NB-IoT device connections, the network security threats faced by NB-IoT are also increasing. Therefore, research on network security technology and physical layer security technology becomes crucial. Network security technology covers many different areas and approaches used to protect computer systems, networks, and data from unauthorized access, destruction, or disclosure. Zhang et al. [51] proposed a hybrid-driven fuzzy security filtering method to deal with the case of a nonlinear parabolic PDE system under cyber-attack. Song et al. [52] introduced a switching event-triggered state estimation method for reaction-diffusion neural networks under DoS attacks. These two methods may help to improve the robustness and security of the system; however, more empirical studies are needed to verify their effectiveness and practicability.

Physical layer security technology is a security technology based on information theory, which uses the channel characteristics and radio frequency fingerprint characteristics between legitimate transmitters and receivers to achieve secure transmission, access authentication, key generation and other network security designs. The security of end devices mainly includes two basic elements: identity authenticity and message integrity. First, identity authenticity means that terminal devices can access the Internet of Things only if they are authenticated and authorized. For identity authenticity, physical-layer identity authentication supplements and enhances the existing identity authentication based on key agreement. By designing an authentication decision mechanism, it is an effective means of dealing with attacks such as spoofing attacks and Sybil attacks. In spoofing attacks, attackers use fake and disguised identities to communicate with other devices in order to gain illegal network access and thus send malicious data to the entire network [33, 34]. In a Sybil attack, the attacker can obtain unreasonable network resources or paralyze the entire network by pretending to be multiple legal devices [35]. Second, message integrity means that the sensed data of the terminal device is not changed during transmission. For message integrity, a forgery attack can tamper with the sensing data of IoT devices, so that the cloud server or users obtain false information about the physical world [36]. Therefore, to protect the security of IoT terminal devices, it is very important to authenticate the identity authenticity and message integrity of IoT devices.

In recent years, the rise of Physical Layer Authentication (PLA) technology has provided new ideas for the security authentication of IoT devices [37,38,39,40]. As an effective supplement to the existing security protection mechanisms, physical-layer security authentication technology makes full use of the inherent propagation characteristics of wireless signals to achieve effective authentication of source identity and message legitimacy. However, with respect to the security threats in the Internet of Things, existing physical-layer security authentication technology does not fully consider the environmental characteristics of the Internet of Things, and it has problems such as insufficient scalability in resource-constrained scenarios and high response delay in high real-time scenarios.

Prerequisites and system model

In this section, we introduce the relevant cryptographic knowledge used in the proposed scheme. Then, the NB-IoT system model is improved. Finally, the edge-assisted NB-IoT system model and threat model are explained.

LCHAOSAES encryption algorithm

Considering that the resources of NB-IoT terminal devices are limited and that the characteristics and working mode of NB-IoT terminals differ from those of the traditional Internet of Things, we use the LCHAOSAES algorithm for NB-IoT proposed by Jia et al. [41] to encrypt the identity of NB-IoT terminal devices. Jia et al. proposed an NB-IoT encryption model for the NB-IoT architecture, and LCHAOSAES is a lightweight encryption algorithm based on that model. The algorithm is built on AES and chaotic sequences: it uses the Logistic map and the Tent map to obtain a chaotic sequence that provides a different initial key for each plaintext block. The number of encryption rounds of the AES algorithm is then reduced to six, and the round function is optimized to improve operating efficiency. The round function of the AES algorithm includes four transformations: SubBytes, ShiftRows, MixColumns, and AddRoundKey. SubBytes is a nonlinear operation. The AddRoundKey operation uses addition in the finite field \(GF(2^8)\), while ShiftRows and MixColumns use multiplication in the finite field \(GF(2^8)\). A large number of multiplication operations would place a large computational burden on NB-IoT terminal devices, so in the design of the LCHAOSAES algorithm the multiplication over the finite field \(GF(2^8)\) is replaced. LCHAOSAES therefore ignores the ShiftRows operation in rounds 1 to 5 and uses the look-up table method to replace SubBytes and MixColumns. The specific operation is as follows: assuming matrix A is the input of SubBytes, the function S(A) represents the SubBytes operation and yields the output matrix B. Matrix B is then used as the input of MixColumns, and the output is matrix C, as shown in Eqs. (1) and (2).
Figure 2 shows the encryption process of the LCHAOSAES algorithm, where \(Nr[1\thicksim 5](0\le i \le 6)\) represents the \(i\)th round operation, Key is the seed key, and \(K[i](0\le i \le 6)\) represents the \(i\)th round key.

$$B_{ij}=S(A_{ij}) \quad (0\le i,j\le 3) \tag{1}$$

$$\begin{bmatrix} C_{0j}\\ C_{1j}\\ C_{2j}\\ C_{3j} \end{bmatrix}=\begin{bmatrix} 02 & 03 & 01 & 01\\ 01 & 02 & 03 & 01\\ 01 & 01 & 02 & 03\\ 03 & 01 & 01 & 02 \end{bmatrix}\begin{bmatrix} B_{0j}\\ B_{1j}\\ B_{2j}\\ B_{3j} \end{bmatrix} \quad (0\le j\le 3) \tag{2}$$
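The look-up table replacement of Eqs. (1) and (2) can be illustrated with the standard AES table construction. This is an added example, not code from Jia et al. or from this paper; the actual LCHAOSAES tables are not given here, so the table layout `T[0]`..`T[3]`, the function names and the sample state are assumptions.

```python
"""SubBytes followed by MixColumns (Eqs. 1 and 2), computed two ways:
with GF(2^8) multiplications at run time, and with precomputed tables.
Table layout and all names are assumptions made for this illustration."""

# MixColumns matrix from Eq. (2)
MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]


def xtime(a):
    """Multiply by 02 in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def gmul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):        # x^254 is x^-1 in GF(2^8)
                inv = gmul(inv, x)
        s = inv
        for shift in range(1, 5):       # XOR of four left rotations
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_mix_direct(a_col):
    """Eq. (1) then Eq. (2) on one state column, multiplying at run time."""
    b = [SBOX[a] for a in a_col]
    return [gmul(MIX[i][0], b[0]) ^ gmul(MIX[i][1], b[1])
            ^ gmul(MIX[i][2], b[2]) ^ gmul(MIX[i][3], b[3])
            for i in range(4)]


def build_tables():
    """T[k][a] packs (column k of the matrix) * S(a) into one 32-bit word."""
    tables = []
    for k in range(4):
        table = []
        for a in range(256):
            word = 0
            for i in range(4):
                word = (word << 8) | gmul(MIX[i][k], SBOX[a])
            table.append(word)
        tables.append(table)
    return tables


T = build_tables()


def sub_mix_table(a_col):
    """Same result from four look-ups and three XORs, no multiplication."""
    w = T[0][a_col[0]] ^ T[1][a_col[1]] ^ T[2][a_col[2]] ^ T[3][a_col[3]]
    return [(w >> 24) & 0xFF, (w >> 16) & 0xFF, (w >> 8) & 0xFF, w & 0xFF]


def transform_state(state, column_fn):
    """Apply column_fn to every column j of a 4x4 state A[i][j].
    With ShiftRows skipped, output column j depends only on input column j."""
    cols = [column_fn([state[i][j] for i in range(4)]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]


def tables_match_direct():
    """Compare both methods for every byte value in every row position."""
    for pos in range(4):
        for a in range(256):
            col = [0x00] * 4
            col[pos] = a
            if sub_mix_table(col) != sub_mix_direct(col):
                return False
    return True


# Constructed sample state (not taken from the paper)
SAMPLE_STATE = [[0x00, 0x11, 0x22, 0x33],
                [0x44, 0x55, 0x66, 0x77],
                [0x88, 0x99, 0xAA, 0xBB],
                [0xCC, 0xDD, 0xEE, 0xFF]]

if __name__ == "__main__":
    for row in transform_state(SAMPLE_STATE, sub_mix_table):
        print(" ".join(f"{v:02x}" for v in row))
```

Look-ups indexed by secret state bytes are data-dependent memory accesses, the classic source of cache-timing leakage in table-based AES, so the trade of multiplications for tables is worth checking against the memory architecture of the target terminal.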

Hardness of discrete logarithms

Suppose q is a large prime number and \(\alpha \) is a primitive root of q. First, the Diffie-Hellman key exchange process is briefly explained [42]. Suppose users A and B want to exchange keys. User A chooses a random number \(X_A<q\) as her private key, stores it secretly, computes the public key \({Y_{A} =\alpha ^{X_{A} } \bmod q}\) and sends it to B. Similarly, user B secretly stores a private random number \(X_B<q\) and sends the public key \({Y_{B} =\alpha ^{X_{B} } \bmod q}\) to user A. The calculation by which users A and B generate the shared key is shown in Eq. (3). Because the attacker can obtain only the public parameters but not the private parameters \(\{X_A, X_B\}\), the difficulty of the discrete logarithm means that the attacker cannot obtain the shared key K.

$$\begin{aligned} K_A&=(Y_B)^{X_A} \bmod q= (\alpha ^{X_B} \bmod q)^{X_A} \bmod q \\&=(\alpha ^{X_B})^{X_A} \bmod q \\&=(\alpha ^{X_A})^{X_B} \bmod q =(\alpha ^{X_A} \bmod q)^{X_B} \bmod q\\&=(Y_A)^{X_B} \bmod q =K_B \end{aligned} \tag{3}$$

Moreover, suppose \(E_P\) is an elliptic curve over a finite field, where \(P,Q\in E_{P} \) and k is a positive integer smaller than the large prime q. For the equation \(Q=kP\), it is easy to compute Q given k and P. However, it is difficult to find the positive integer k when P and Q are known, which is the discrete logarithm hard problem on elliptic curves. At present, there is no effective method to solve this problem [43].

Fig. 2: Encryption process of the LCHAOSAES algorithm

System model

In this paper, the edge network layer is introduced into the NB-IoT system to realize group authentication. According to the authentication process, the NB-IoT system model is simplified and divided into the terminal device layer, edge network layer, and server layer, as shown in Fig. 3. The Access and Mobility Management Function (AMF) and Authentication Server Function (AUSF) in the NB-IoT core network layer are assigned to the server layer, assuming that the area is covered by a server and the server provides remote data communication services. Then, the NB-IoT terminal devices in the same area are divided into a group according to their functions or other similar characteristics, and an edge node with certain computing, storage, and communication capabilities is deployed near each group of devices. Before the terminal sends or receives data, the edge node needs to securely authenticate the identity of the terminal device, and before the authentication of the edge node and terminal device, the server needs to authenticate the edge network layer. Further explanation of each layer entity function is given below.

Server layer: it can provide registration services for terminal devices and edge nodes. The registration and authentication data are stored, the mutual authentication with the edge layer is completed and the session key is generated. After the authentication is completed between the edge layer and the terminal layer, the edge layer can delete the unauthenticated terminal devices when abnormal information is reported.

Fig. 3: System model of edge-assisted NB-IoT

Edge network layer: it can provide identity authentication services and real-time data services for terminal devices. In the process of identity authentication of the terminal devices, if the terminal devices’ authentication is abnormal, the authentication process will be stopped. On the contrary, if the authentication passes, the session key is generated to provide a secure communication service for the terminal devices, and the data of the terminal devices that are successfully authenticated is sent to the server.

Terminal device layer: it can initiate registration requests to the server layer, and then send identity authentication requests and real-time data service requests to the edge layer. The identity authentication and data sharing between the edge layer and the terminal are realized.

Threat model

Based on the system model, we make the following assumptions about the attacker's capabilities:

  1. The system model has two types of communication channels. One is the secure channel, which is used to register with entities. The other is the public channel, which is used for authentication between entities. Suppose that an attacker A can control the information transmitted on the public channel, but cannot intercept the information transmitted on the secure channel [44].

  2. According to the Dolev-Yao attacker model [45], the attacker can eavesdrop, forge and replay the transmitted information.

  3. Assume the server is fully trusted and cannot be compromised by an attacker.

  4. Since the terminal devices and edge nodes are often deployed in an open environment, they are vulnerable to attackers, so the terminal devices and edge nodes are not fully trusted entities.

The proposed scheme

We add an edge network layer between the terminal devices and the server and propose a mutual authentication scheme between server, edge and terminal. This section mainly explains the proposed authentication scheme.

Notation

The notation used in this paper is shown in Table 1.

Table 1 Description of the relevant symbols

EAGAS authentication scheme

In this part, a new edge-assisted group authentication scheme, EAGAS, is proposed according to the system model architecture. EAGAS introduces the edge computing paradigm, which can use the edge nodes near the terminals to authenticate the terminal group. A lightweight encryption algorithm suitable for NB-IoT terminals, combined with the Diffie-Hellman algorithm, is used to encrypt the identity of the NB-IoT terminal. The authentication process of the proposed scheme is divided into the initialization phase, terminal identity anonymization phase, edge node registration phase, edge-server authentication phase, terminal device registration phase and terminal-edge authentication phase, which are explained in detail as follows.

Initialization phase

The initialization phase is divided into two stages: group generation and parameter generation, as detailed below.

  1. Group generation phase. First, a large number of NB-IoT terminal devices are formed into an NB-IoT group according to their location, function, or other similar characteristics. Then, the supplier deploys an edge node \(EN_j\) for each NB-IoT group as the group leader. These group leaders will be activated at almost the same time to access the NB-IoT system through the 5G network to achieve data transmission. The supplier then pre-stores the private identifier \(GID_j\) and group key \(gk_j\) of each group in the NB-IoT group and the corresponding edge node.

  2. Parameter generation stage. In this phase, the system administrator generates the various parameters required for authentication and assigns a key to the server. The administrator first selects the elliptic curve \(E_P\) over a finite field, then selects a security parameter k, and defines a cyclic group G with a prime number \(q(q>2^k)\), is a primitive root of q and P is a generator of the group G. Next, we choose a collision-resistant hash function h(\(\cdot \)):\(\{0,1\}^{*} \rightarrow \{0,1\}^{n}\). For each edge node \(EN_j\), a private key \(ek_j\) is assigned, and the public key \(EK_j=ek_j P\) is calculated. Finally, the system selects a random number \(K_{AS}\) as the server's master key and publicizes the system public parameters \(\{h(\cdot ),q,a,P\}\).

Terminal identity anonymization phase

In the process of real-name authentication, if some sensitive information (such as terminal identity) is sent to the server in the form of plaintext, there is a risk of leakage of the privacy of the terminal devices. Attackers can use this public information to illegally track terminal devices and then steal their private information. Anonymous authentication technology can verify the legal identity of the terminal without revealing sensitive information. There is a unique identity identification code IMSI in the NB-IoT terminal devices. To prevent the terminal devices from transmitting their own identity identification code in the form of plaintext during the authentication process and thereby leaking private information, we use an encryption method to encrypt the identity code of the terminal devices. Considering the resource constraints of terminal devices and the performance requirements of encryption, we use the Diffie-Hellman algorithm to realize key sharing, and then use a lightweight block encryption algorithm LCHAOSAES to encrypt the identity code to ensure the confidentiality of the terminal devices’ identity. The steps are as follows:

Step 1: The terminal device \(U_i\) sends public key request information to the server.

Step 2: The server selects the random number \(X_A<q\) as the private key, and computes the public key \({Y_{A} =\alpha ^{X_{A} }\; mod\; q}\), and sends \(Y_A\) to the terminal device \(U_i\).

Step 3: The terminal device \(U_i\) receives the public key \(Y_A\), also selects a private random number \(X_B<q\), calculates the encryption key \(K=(Y_{A})^{X_{B}} \;mod\;q\), then encrypts the identity code to obtain the external identity code \(UID_i=E_k(IMSI)\).

Edge node registration phase

In this phase, the edge node \(EN_j\) communicates with the server through the secure channel to complete its registration. Firstly, the edge node \(EN_j\) reads its own identity identifier \(ID_{EN_{j} }\), calculates \(ENID_j=h(ID_{EN_j}\parallel ek_j)\), and then sends \(\{ID_{EN_{j} },ENID_j\}\) as the registration request information to the server AS. After receiving the registration request information of the edge node \(EN_j\), the server AS first determines whether \(ID_{EN_{j} }\) exists, and refuses to register it if it does. Otherwise, the server generates a random number \(R_j\), calculates \({A_j=ENID_j\oplus h(K_{AS}\parallel R_j)}\), sends \(A_j\) to the edge node, and stores \(\{ID_{EN_{j}},R_j, A_j\}\). Finally, the edge node receives \(A_j\) and stores it in its own memory, and the registration is complete. Figure 4 shows the edge node registration phase.

Fig. 4 Edge node registration process

Terminal device registration phase

The terminal device \(U_i\) sends a registration request message to the server through a secure channel, and the server AS completes the registration of the terminal device \(U_i\) after receiving the request. Figure 5 depicts the registration phase of the terminal device, and the detailed steps are shown below.

Fig. 5 Terminal device registration process

Step 1: The terminal device sends its anonymous identity \(UID_i\) and the group identity \(GID_j\) to the server as the registration request information.

Step 2: After the server receives \(\{UID_i,GID_j\}\), it queries the database for the existence of \(UID_i\); if it exists, the server rejects the registration. Otherwise, the server selects a random number \(uk_i\) as the private key of \(U_i\) and calculates the public key \({UK_i=uk_iP}\). The public keys are then aggregated into the terminal public key \({L_j=UK_1\oplus UK_2\oplus \cdots \oplus UK_n}\), and the group public key \({GK_j= {\textstyle \sum _{i=1}^{n}a_iUK_i} }\) is calculated, where \({a_i=h(L_j\parallel UID_i)}\).

Step 3: A time interval is set; if no registration request is received from the UE within this time interval, all devices are considered to be registered. The server then sends \(\{uk_i,UK_i,L_j,GK_j \}\) to the terminal device through the secure channel, clears the key information of the terminal device, and stores the information \(\{UID_i,GID_j,L_j,GK_j \}\) in the terminal authentication list, as shown in Table 2.

Table 2 Terminal authentication record table

Step 4: The terminal device receives the group parameters \(\{uk_i,UK_i,L_j,GK_j \}\) from the server and stores them in its own memory.

Step 5: The server classifies the terminal devices according to their group identity, aggregates the identities of terminal devices belonging to the same group \(GID_j\) into \({UID_j=\{UID_1,UID_2,\cdots ,UID_n\}}\), and sends \(\{UID_j,L_j, GK_j \}\) to the edge node \(EN_j\).

Fig. 6 The authentication phase

The authentication phase

The authentication process of the scheme is shown in Fig. 6, and its core content is as follows. Firstly, an edge computing node is deployed in the area close to the group terminals as the group leader of the NB-IoT group terminals. This edge computing node can ensure the continuity and security of the power, and the group leader can aggregate and verify the request information that needs to be verified. Secondly, the server performs group authentication on NB-IoT terminals. During authentication, the server performs mutual authentication only with the group leader of one group at a time, rather than with each terminal device. Then, after the server and the edge computing nodes have mutually authenticated, the authenticated edge computing nodes authenticate the group terminals. Finally, session key agreement is carried out between the server and the edge node, as well as between the edge node and the terminal device, to provide encryption protection and integrity protection of the transmitted data and so ensure the security of data in the wireless transmission process. The detailed steps of the authentication phase are as follows.

  1. (1)

    \({EN_j\rightarrow AS}\): The edge node generates a timestamp \(T_1\) and a random number \(N_1\), then calculates \({M_1=A_j\oplus T_1}\), \({M_2=N_1\oplus h(A_j\parallel ENID_j)}\), \({M_3=N_1\oplus h(ek_j\parallel T_1)}\), and \({Ver_1=h(ENID_j\parallel N_1\parallel h(ek_j\parallel T_1))}\). Then \(\{M_1,M_2, M_3,Ver_1,T_1\}\) is sent to the server as an authentication request, and authentication begins.

  2. (2)

    After receiving the message from the edge node, the server first verifies whether \({T-T_1\le \bigtriangleup T}\) holds, where T is the current timestamp and \(\bigtriangleup T\) is the minimum transmission delay. If not, the server rejects the authentication request. Otherwise, the server computes \({A_{j}^{'}=M_1\oplus T_1 }\), retrieves \(\{A_j,R_j \}\) from the database, and then calculates \({ENID_{j}^{'}{=}A_{j}^{'}{\oplus } h(R_j\parallel K_{AS})}\), \({N_{1}^{'}{=}M_2{\oplus } h(A_{j}^{'} \parallel ENID_{j}^{'})}\), \({h^{'}(ek_j\parallel T_1){=}M_3\oplus N_{1}^{'} }\), \({Ver_{1}^{'}=h(h^{'} (ek_j\parallel T_1)\parallel N_{1}^{'} \parallel ENID_{j}^{'})}\). The server verifies \({Ver_{1}^{'}?=Ver_1}\); if they are not equal, it terminates the authentication. Otherwise, the server successfully validates \(EN_j\).

  3. (3)

    \({AS \rightarrow EN_j}\): The server generates a random number \(N_2\) and a timestamp \(T_2\). Firstly, it calculates the session key of the edge node \({SK_j=h(ENID_j\parallel N_{1}^{'} \parallel N_2\parallel h^{'} (ek_j\parallel T_1))}\). It then calculates the authentication request information \({M_4=h(N_2\parallel ENID_j)\oplus h(T_2\parallel A_j)}\), \({M_5=h(R_j\parallel K_{AS})\oplus N_2}\), \({Ver_2=h(N_2\parallel h(N_2\parallel ENID_j)\parallel T_2)}\). The authentication request information \(\{M_4,M_5,Ver_2,T_2 \}\) is sent to the edge node.

  4. (4)

    After receiving the message, the edge node first verifies the validity of the timestamp; if it is invalid, the authentication is rejected. Otherwise, the edge node calculates \({h^{'}(N_2\parallel ENID_j)=M_4\oplus h^{'}(T_2\parallel A_j)}\), \({h^{'}(R_j\parallel K_{AS})=ENID_j\oplus A_j}\), \({N^{'}_2=M_5\oplus h^{'}(R_j\parallel K_{AS}) }\), \({Ver^{'}_2=h(N^{'}_2\parallel h^{'}(N_2\parallel ENID_j)\parallel T_2) }\), and then verifies \({Ver_{2}^{'}?=Ver_2}\); if they are not equal, it terminates the authentication. Otherwise, the edge node successfully authenticates the server and calculates the session key of both sides \({SK_j=h(ENID_j\parallel N_1 \parallel N_{2}^{'}\parallel h(ek_j\parallel T_1))}\). The mutual authentication between the edge node layer and the server is thus completed and the session key is established. When the plaintext of the application data needs to be transmitted, the encryption algorithm can be used to calculate the ciphertext \(ciphertext=Enc_{SK_j}(plaintext)\), so as to ensure the security of data transmission.

  5. (5)

    \({EN_j\rightarrow U_i}\): When the edge node authentication is successful, the edge node generates a timestamp \(T_e\) and a random number \(r_e\), calculates \({R_e=r_e P}\), and generates the verification information \({v_j=r_e+h(gk_j\parallel GK_j\parallel GID_j)ek_j}\). It then broadcasts \(\{T_e,R_e,v_j \}\) as a challenge request to the terminal devices in its own authentication group to tell these NB-IoT devices that they can start issuing authentication requests to the edge node.

  6. (6)

    \({U_i \rightarrow EN_j}\): After receiving the challenge request from the edge node, the terminal NB-IoT device first verifies whether the timestamp is fresh, and then checks \({v_jP?=R_e+h(gk_j\parallel GK_j\parallel GID_j)EK_j}\); if the two sides are not equal, it refuses to start authentication. Otherwise, the terminal device \(U_i\) selects a random number \(r_i\), generates a timestamp \(T_i\), and computes the public random value \({R_i=r_i P}\), \(M_6=h(r_i\parallel uk_i)\oplus gk_j\oplus T_i\), and \(M_7=UID_i\oplus h(r_i\parallel uk_i)\). The signature \({v_i=r_i+h(GID_j\parallel gk_j)a_iuk_i}\) is then calculated, and the authentication request information \(\{T_i,R_i,M_6,M_7,v_i \}\) is sent to the edge node. Then the session key \(HK_i=h(h(r_i\parallel uk_i)\parallel gk_j\parallel T_e\parallel T_i)\) is calculated.

  7. (7)

    When the edge node receives the authentication request information from n terminal devices in the group, it first verifies the validity of the timestamp. If \(T_j-T_i\le \bigtriangleup time\) is not satisfied, it rejects the authentication information. Otherwise, the edge node \(EN_j\) calculates \(h^{'}(r_i\parallel uk_i)=M_6\oplus gk_j\oplus T_i \) and stores it, then calculates \(UID_{i}^{'}= M_7\oplus h^{'}(r_i\parallel uk_i)\) and checks whether \({UID_{i}^{'}}\) belongs to the edge node authentication group \(GID_j\); if not, it rejects the authentication. Otherwise, the authentication request information of the terminal devices belonging to the group is aggregated, and the aggregation result is \({V_i= {\textstyle \sum _{i=1}^{n}} v_i={\textstyle \sum _{i=1}^{n}}[r_i +h(GID_j\parallel gk_j)a_iuk_i]}\). Then, the validity of the aggregate signature can be verified by judging whether Eq. (4) holds, which realizes the group authentication of n terminal devices in the authentication domain. The edge node calculates the session key \({HK_i=h(h^{'} (r_i\parallel uk_i)\parallel gk_j\parallel T_e\parallel T_i)}\). Then each terminal device can decrypt the received downlink data according to its corresponding session key.

    $$\begin{aligned} V_iP&=\sum _{i=1}^{n}[r_i+h(GID_j\parallel gk_j)h(L_j\parallel UID_i)uk_i]P\\ &=\sum _{i=1}^{n}R_i +\sum _{i=1}^{n} [h(GID_j\parallel gk_j)h(L_j\parallel UID_i)UK_i]\\ &=\sum _{i=1}^{n}R_i+h(GID_j\parallel gk_j)GK_j \end{aligned}$$
    (4)

  8. (8)

    \({EN_j\rightarrow AS}\): The edge node generates a timestamp \(T_3\), aggregates the identities \(UID_i\) of the successfully authenticated terminal devices into \(UID=Enc_{SK_j}\{UID_1\parallel UID_2\parallel \cdots \parallel UID_n\}\), and sends \(\{T_3,UID\}\) to the server. The server first verifies the freshness of the timestamp, then decrypts the message with the negotiated session key and checks it against the terminal authentication table. Any terminal device \(UID_i\) that has not been authenticated successfully is deleted from the table.
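The group check of steps (5) to (7) and Eq. (4), as an added example that is not the paper's own code. It assumes secp256k1 in place of the curve \(E_P\), SHA-256 reduced modulo the group order for \(h\), and a byte encoding of points for the XOR that forms \(L_j\); identifiers and keys are constructed sample values, and the timestamps, \(M_6\) and \(M_7\) are left out.

```python
import hashlib
import secrets
from functools import reduce

# secp256k1 domain parameters: an assumed stand-in for the page's curve E_P.
P_MOD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(*parts: bytes) -> int:
    """h(x || y || ...) mapped to a scalar modulo the group order."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def enc(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def register_group(uids):
    """Server side of terminal registration: uk_i, L_j and GK_j = sum a_i * UK_i."""
    uk = [secrets.randbelow(Q - 1) + 1 for _ in uids]
    UK = [mul(k, G) for k in uk]
    L = reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), map(enc, UK))
    GK = reduce(add, (mul(h(L, uid), pk) for uid, pk in zip(uids, UK)), None)
    return uk, L, GK

def challenge(ek, GK, gid, gk):
    """Step (5): v_j = r_e + h(gk_j || GK_j || GID_j) * ek_j; returns (R_e, v_j)."""
    r_e = secrets.randbelow(Q - 1) + 1
    return mul(r_e, G), (r_e + h(gk, enc(GK), gid) * ek) % Q

def check_challenge(R_e, v_j, EK, GK, gid, gk):
    """Step (6), device side: v_j * P == R_e + h(gk_j || GK_j || GID_j) * EK_j."""
    return mul(v_j, G) == add(R_e, mul(h(gk, enc(GK), gid), EK))

def sign(uk_i, uid, L, gid, gk):
    """Step (6): v_i = r_i + h(GID_j || gk_j) * a_i * uk_i; returns (R_i, v_i)."""
    r = secrets.randbelow(Q - 1) + 1
    return mul(r, G), (r + h(gid, gk) * h(L, uid) * uk_i) % Q

def verify_aggregate(sigs, GK, gid, gk):
    """Step (7), Eq. (4): (sum v_i) * P == sum R_i + h(GID_j || gk_j) * GK_j."""
    V = sum(v for _, v in sigs) % Q
    sum_R = reduce(add, (R for R, _ in sigs), None)
    return mul(V, G) == add(sum_R, mul(h(gid, gk), GK))

def run_group(n: int = 4, outsider=None):
    """Returns (challenge accepted by devices, aggregate accepted by edge node)."""
    gid, gk = b"GID-7", secrets.token_bytes(16)   # constructed group values
    uids = [b"UID-%d" % i for i in range(n)]      # constructed pseudonyms
    uk, L, GK = register_group(uids)
    ek = secrets.randbelow(Q - 1) + 1             # edge node key pair (ek_j, EK_j)
    R_e, v_j = challenge(ek, GK, gid, gk)
    challenge_ok = check_challenge(R_e, v_j, mul(ek, G), GK, gid, gk)
    if outsider is not None:                      # this device signs with an unregistered key
        uk[outsider] = secrets.randbelow(Q - 1) + 1
    sigs = [sign(k, u, L, gid, gk) for k, u in zip(uk, uids)]
    return challenge_ok, verify_aggregate(sigs, GK, gid, gk)

if __name__ == "__main__":
    print(run_group(4), run_group(4, outsider=2))
```

Because the edge node checks only the sum, a failed aggregate shows that some request in the batch is invalid but not which one.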

Terminal device dynamic update phase

(1) The add phase

To add a terminal device \({U_{i}^{new} }\) to NB-IoT, its features such as functionality are first confirmed, then we deploy it to the corresponding group area, and the supplier assigns it the group identifier \(GID_j\) and group key \(gk_j\). \({U_{i}^{new} }\) will be registered through the server in the following steps.

Step 1: \({U_{i}^{new} }\) performs key exchange with the server through a secure channel to obtain its anonymous identity identifier \({UID_{i}^{new} }\).

Step 2: \({U_{i}^{new} }\) uses its pseudonym \({UID_{i}^{new} }\) and group identifier \(GID_j\) to apply for registration with the server. The server selects a random number \({uk_{i}^{new} }\) as the private key of \({U_{i}^{new} }\), then calculates the public key \({UK_{i}^{new} =uk_{i}^{new}P}\). It then updates the parameter \({L_{j}^{new} =UK_1\oplus UK_2\oplus \cdots \oplus UK_n\oplus UID_{i}^{new}}\) and the group public key \({GK_{j}^{new}=GK_j+ a_{i}^{new}UK_{i}^{new}}\), and updates the authentication record. Registration information is sent to \({U_{i}^{new} }\) and \(\{{UID_{i}^{new} },L_{j}^{new},GK_{j}^{new} \}\) is sent to the edge node.

Step 3: \({U_{i}^{new} }\) receives the relevant parameters \(\{uk_{i}^{new}, UK_{i}^{new},L_{j}^{new},GK_{j}^{new} \}\) and stores them, and then sends the authentication request to the edge node.

(2) The delete phase

To delete the end device \({U_{i}^{old} }\) from the NB-IoT, we first send a withdrawal signal to the server, and the server deletes the information of \({U_{i}^{old} }\) from the authentication record table. It then updates the parameter \({L_{j}^{new} =UK_1\oplus UK_2\oplus \cdots \oplus UK_n\oplus UID_{i}^{old}}\) and the group public key \({GK_{j}^{new}=GK_j- a_{i}^{old}UK_{i}^{old}}\), and sends \(\{{UID_{i}^{old} },L_{j}^{new},GK_{j}^{new} \}\) to the edge node.

Security analysis

To evaluate the security of the proposed authentication scheme, this section uses the formal analysis method based on Burrows Abadi Needham (BAN) logic reasoning to verify the security of the proposed authentication scheme, and uses the informal analysis method to show that the proposed authentication scheme can resist other known attacks.

Formal safety analysis

BAN logic analysis can judge whether the protocol can achieve the authentication goal based on the subject belief and knowledge reasoning. It can formally explain various authentication protocols by using simple logic to describe the subject belief involved in the authentication protocol and reasoning about the communication results in the authentication process [46]. Therefore, BAN logic analysis [47] is used in this section to analyze the security of the proposed group authentication scheme. The symbols commonly used in BAN logic analysis are described in Table 3, and the BAN logic inference rules are presented in Table 4.

Table 3 Description of BAN logic symbols

Based on the security analysis of BAN logic, firstly, the information transmitted in the authentication process and the initialization state in the proposed scheme are idealized, and then the security goals that the authentication scheme needs to meet are proposed. Finally, the formal analysis of the proposed scheme is carried out according to the BAN logic symbol and the BAN logic inference rules.

Table 4 Inference rules of BAN logic

(1) The formal description of information transmission in the authentication process.

\({Msg_1:EN_j\rightarrow AS\{M_1,\{N_1,ENID_j,ek_j,Ver_1\}_h,T_1\}}\)

\({Msg_2:AS\rightarrow EN_j\{T_2,\{N_2,ENID_j,K_{AS},Ver_2\}_h\}}\)

\({Msg_3:EN_j\rightarrow U_i\{T_e,R_e,\{v_j\}_h\}}\)

\({Msg_4:U_i\rightarrow EN_j\{T_i,R_i,\{gk_j,UID_i,v_i\}_h\}}\)

(2) Initialization assumptions.

\({A_1:AS\mid \equiv \#(T_1,N_1)}\) \({A_2:EN_{j}\mid \equiv \#(T_2,N_2) }\)

\({A_3:U_{i}\mid \equiv \#(T_e,gk_j) }\)   \({A_4:EN_{j}\mid \equiv \#(T_i,gk_j) }\)

\({A_5:AS\mid \equiv EN_{j}\mid \Rightarrow (N_1)}\)   \({A_6:EN_{j}\mid \equiv AS\mid \Rightarrow (N_2)}\)

\({A_7:EN_{j}\mid \equiv AS\overset{h}{\longleftrightarrow }EN_j}\)   \({A_8:AS\mid \equiv EN_j\overset{h}{\longleftrightarrow }AS}\)

\({A_9:EN_j\mid \equiv U_i\overset{h}{\longleftrightarrow }EN_j}\)   \({A_{10}:U_i\mid \equiv EN_j\overset{h}{\longleftrightarrow }U_i}\)

(3) Goals and proofs

The security objectives are as follows.

\({G1:EN_j\mid {\equiv } (EN_j\overset{SK_j}{\longleftrightarrow }AS)}\),       \({G2:AS\mid \equiv (EN_j\overset{SK_j}{\longleftrightarrow }AS)}\);

\({G3:AS \mid \equiv EN_j \mid \equiv Ver_1}\), \({G4:EN_j\mid \equiv AS\mid \equiv Ver_2}\);

\({G5:U_i\mid \equiv (U_i\overset{HK_i}{\longleftrightarrow }EN_j)}\),       \({G6:U_i\mid \equiv (EN_j\overset{HK_i}{\longleftrightarrow }U_i)}\);

\({G7:U_i\mid \equiv EN_j\mid \equiv v_j}\),   \({G8:EN_j\mid \equiv U_i\mid \equiv v_i}\)

Finally, using the formally described information and the steps mentioned earlier, the BAN logical symbol definition in Table 3 and the BAN logical reasoning rules in Table 4 are applied to show the realization of the above goals, as shown below.

According to \(Msg_1\), we obtain \({S_1:AS{\triangleleft } \{M_1,\{N_1,ENID_j, ek_j,Ver_1\}_h,T_1\}}\)

By \(A_8\) and \(S_1\), we employ the Rule1 to derive:

\({S_2:AS\mid \equiv EN_j\mid \sim \{M_1,\{N_1,ENID_j,ek_j,Ver_1\}_h,T_1\}}\)

By \(A_1\), we apply the Rule4 and Rule2 to deduce:

\({S_3:AS\mid \equiv EN_j\mid \equiv \{M_1,\{N_1,ENID_j,ek_j,Ver_1\}_h,T_1\}}\)

By \(S_3\), we apply the Rule5 to deduce

\({S_4:AS \mid \equiv EN_j \mid \equiv Ver_1}\) (which satisfies the G3),       \({S_5:AS\mid \equiv EN_j\mid \equiv N_1}\)

By \(A_5\), \(S_5\), we employ the Rule3 to deduce: \({S_6:AS\mid \equiv N_1}\)

By \({SK_j=h(ENID_j\parallel N_{1} \parallel N_2\parallel h(ek_j\parallel T_1))}\) and \(A_1\), we employ the Rule6 to deduce: \({S_7:AS\mid \equiv (EN_j\overset{SK_j}{\longleftrightarrow }AS)}\) (which satisfies the G2)

By \(Msg_2\), \(A_7\), we employ the Rule1 to derive:

\({S_8:EN_j\mid \equiv AS\mid \sim \{T_2,\{N_2,ENID_j,K_{AS},Ver_2\}_h\}}\)

By \(A_2\), we apply the Rule4 and Rule2 to deduce:

\({S_9:EN_j\mid \equiv AS\mid \equiv \{T_2,\{N_2,ENID_j,K_{AS},Ver_2\}_h\}}\)

By \(S_9\), we apply the Rule5 to deduce:

\({S_{10}:EN_j\mid \equiv AS\mid \equiv Ver_2}\) (which satisfies the G4),       \({S_{11}:EN_j\mid \equiv AS\mid \equiv N_2}\)

By \(A_5\), \(S_{11}\), we employ the Rule3 to deduce: \(S_{12}:EN_j{\mid } \equiv N_2\)

By \(SK_j=h(ENID_j\parallel N_{1} \parallel N_2\parallel h(ek_j\parallel T_1))\), \(A_2\) and \(S_{11}\), we employ the Rule6 to deduce: \(S_{13}:EN_j\mid \equiv (EN_j\overset{SK_j}{\longleftrightarrow }AS)\) (which satisfies the G1)

By \(Msg_3\), \(A_{10}\), we employ the Rule1 to derive:

\(S_{14}:U_i\mid \equiv EN_j\mid \sim \{T_e,R_e,\{v_j\}_h\}\)

By \(A_3\), we apply the Rule4 and Rule2 to deduce:

\({S_{15}: U_i\mid \equiv EN_j\mid \equiv \{T_e,R_e,\{v_j\}_h\}}\)

By \(S_{15}\), we apply the Rule5 to deduce:

\({S_{16}:U_i\mid \equiv EN_j\mid \equiv v_j}\) (which satisfies the G7)

By \(v_j=r_e+h(gk_j\parallel GK_j\parallel GID_j)ek_j\), \(HK_i=h(h(r_i\parallel uk_i)\parallel gk_j\parallel T_e\parallel T_i)\), \(A_3\) and \(S_{16}\), we employ the Rule5 and Rule6 to deduce:

\({S_{17}:U_i\mid \equiv (U_i\overset{HK_i}{\longleftrightarrow }EN_j)}\) (which satisfies the G5)

By \(Msg_4\), \(A_9\), we employ the Rule1 to derive:

\({S_{18}:EN_j\mid \equiv U_i\mid \sim \{T_i,R_i,\{gk_j,UID_i,v_i\}_h\}}\)

By \(A_4\), we apply the Rule4 and Rule2 to deduce:

\({S_{19}:EN_j\mid \equiv U_i\mid \equiv \{T_i,R_i,\{gk_j,UID_i,v_i\}_h\}}\)

By \(S_{19}\), we apply the Rule5 to deduce:

\({S_{20}:EN_j\mid \equiv U_i\mid \equiv v_i}\) (which satisfies the G8)

By \(v_j=r_e+h(gk_j\parallel GK_j\parallel GID_j)ek_j\) and \(HK_i=h(h(r_i\parallel uk_i)\parallel gk_j\parallel T_e\parallel T_i)\), \(A_4\) and \(S_{20}\), we employ the Rule5 and Rule6 to deduce:

\({S_{21}:U_i\mid \equiv (EN_j\overset{HK_i}{\longleftrightarrow }U_i)}\) (which satisfies the G6)

Informal safety analysis

Formal security analysis and informal security analysis can better describe the security characteristics of the authentication scheme [48, 49]. Therefore, from the perspective of informal analysis, this section considers anonymity, mutual authentication, and several common attack methods, to evaluate the security of the proposed scheme.

Anonymity

In the proposed scheme, the edge node can use its private key to hide its real identity through the hash function. Since the input value cannot be uniquely determined from the hash value, the attacker cannot get the real information of the group leader. The terminal device can use a lightweight encryption algorithm to encrypt the real identity and obtain a pseudonym \(UID_i\). The encryption key is established with the Diffie-Hellman key exchange algorithm, in which the terminal device and the server choose random numbers as their private keys. The server then sends the calculated public key to the terminal device, while the private keys \(X_A\) and \(X_B\) remain private to the server and the terminal device. Under the discrete logarithm security assumption, the attacker cannot learn the private keys, so he cannot infer the key used in encryption. Therefore, the attacker cannot get the relevant identity information of the terminal device through the pseudonym.

Replay attacks

Replay attack is one of the common attacks in authentication protocols. In the scheme proposed in this paper, we add timestamps and random numbers in the authentication phase to resist replay attacks, in which the edge node can send the verification message \({Ver_1=h(ENID_j\parallel N_1\parallel h(ek_j\parallel T_1))}\) to the server. Therefore, when attacker A directly uses the stolen message to carry out the replay attack, the server can determine whether the received message has expired by detecting the timestamp \({T_1-T\le \bigtriangleup T}\), and then the server will verify the freshness of the random number. If attacker A tries to tamper with the value of the timestamp to make the server judge it as fresh, then the attacker also needs to tamper with the verification message value \(Ver_1\), but \(Ver_1\) includes random values, and also includes the secret value of the edge node, which the attacker cannot obtain. Similarly, the terminal device can send the verification message \({v_i=r_i+h(GID_j\parallel gk_j)a_iuk_i}\) to the edge node, and the edge node needs to verify the freshness of the timestamp. And the attacker cannot obtain the random number of the terminal device and its private key in the verification message. Therefore, the attacker cannot successfully launch a replay attack.
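The edge node to server exchange of authentication steps (1) to (4), with the timestamp and \(Ver_1\) checks this paragraph relies on, as an added example that is not the paper's own code. It assumes SHA-256 for \(h\), 32-byte values, a database lookup keyed by \(A_j\), and one argument order, \(h(K_{AS}\parallel R_j)\) and \(h(ENID_j\parallel N_1\parallel h(ek_j\parallel T_1))\), on both sides; the identifier and clock values are constructed.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed freshness window in seconds (the page's Delta T)

def h(*parts: bytes) -> bytes:
    """h(x || y || ...), instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    """Timestamp as 32 bytes so it can be XORed with a hash output."""
    return t.to_bytes(32, "big")

def fresh(now: int, t: int) -> bool:
    return 0 <= now - t <= DELTA_T  # T - T_1 <= Delta T; future stamps are rejected too

class Server:
    def __init__(self):
        self.k_as = secrets.token_bytes(32)  # master key K_AS
        self.db = {}                         # A_j -> (ID_EN_j, R_j)

    def register(self, id_en: bytes, enid: bytes) -> bytes:
        if any(rec[0] == id_en for rec in self.db.values()):
            raise ValueError("ID_EN_j already registered")
        r_j = secrets.token_bytes(32)
        a_j = xor(enid, h(self.k_as, r_j))   # A_j = ENID_j xor h(K_AS || R_j)
        self.db[a_j] = (id_en, r_j)
        return a_j

    def handle_request(self, msg, now: int):
        """Steps (2)-(3): returns ((M4, M5, Ver2, T2), SK_j), or None on rejection."""
        m1, m2, m3, ver1, t1 = msg
        if not fresh(now, t1):
            return None                      # stale or replayed request
        a_j = xor(m1, ts(t1))                # A_j' = M1 xor T1
        rec = self.db.get(a_j)
        if rec is None:
            return None
        hkr = h(self.k_as, rec[1])
        enid = xor(a_j, hkr)                 # ENID_j'
        n1 = xor(m2, h(a_j, enid))           # N_1'
        hek = xor(m3, n1)                    # h'(ek_j || T_1)
        if not hmac.compare_digest(h(enid, n1, hek), ver1):
            return None                      # Ver_1' != Ver_1
        n2, t2 = secrets.token_bytes(32), now
        hn2 = h(n2, enid)
        reply = (xor(hn2, h(ts(t2), a_j)), xor(hkr, n2), h(n2, hn2, ts(t2)), t2)
        return reply, h(enid, n1, n2, hek)   # SK_j

class EdgeNode:
    def __init__(self, id_en: bytes):
        self.id_en = id_en
        self.ek = secrets.token_bytes(32)    # private key ek_j
        self.enid = h(id_en, self.ek)        # ENID_j = h(ID_EN_j || ek_j)
        self.a_j = None                      # set at registration

    def request(self, now: int):
        """Step (1): build {M1, M2, M3, Ver1, T1}."""
        self.n1 = secrets.token_bytes(32)
        self.hek = h(self.ek, ts(now))       # h(ek_j || T_1)
        m1 = xor(self.a_j, ts(now))
        m2 = xor(self.n1, h(self.a_j, self.enid))
        m3 = xor(self.n1, self.hek)
        return m1, m2, m3, h(self.enid, self.n1, self.hek), now

    def handle_reply(self, msg, now: int):
        """Step (4): returns SK_j, or None if the server's reply is rejected."""
        m4, m5, ver2, t2 = msg
        if not fresh(now, t2):
            return None
        hn2 = xor(m4, h(ts(t2), self.a_j))      # h'(N_2 || ENID_j)
        n2 = xor(m5, xor(self.enid, self.a_j))  # h(K_AS || R_j) = ENID_j xor A_j
        if not hmac.compare_digest(h(n2, hn2, ts(t2)), ver2):
            return None
        return h(self.enid, self.n1, n2, self.hek)

def run_session(delay: int = 0, flip_m2: bool = False):
    """Returns (SK at edge node, SK at server); (None, None) if the request is rejected."""
    server, edge = Server(), EdgeNode(b"EN-0001")   # constructed identifier
    edge.a_j = server.register(edge.id_en, edge.enid)
    t1 = 1_700_000_000                              # constructed clock value
    msg = list(edge.request(t1))
    if flip_m2:
        msg[1] = xor(msg[1], ts(1))                 # one bit of M2 altered in transit
    out = server.handle_request(tuple(msg), t1 + delay)
    if out is None:
        return None, None
    reply, sk_server = out
    return edge.handle_reply(reply, t1 + delay), sk_server

if __name__ == "__main__":
    print(run_session()[0].hex(), run_session(delay=DELTA_T + 1), run_session(flip_m2=True))
```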

Insider attacks

Suppose an attacker A is an insider in the server. Then A has access to the data \(\{R_j,A_j,UID_i,GID_j\}\) stored in the server, so A can try to use \(R_j\), \(A_j\) to calculate \(ENID_j\), but the attacker does not know the private key \(K_{AS}\) of the server. Therefore, \(ENID_j\) cannot be obtained. In addition, the attacker cannot know the random numbers \(N_1\), \(N_2\), so the attacker cannot successfully calculate \(SK_j\). In the stage of terminal device registration, the server deletes the private key distributed to the terminal, so the attacker can only get \(UID_i\), \(GID_j\) from the database, but cannot find out the private key of the terminal to disguise as a node for malicious attacks. In summary, the proposed scheme can resist insider attacks.

Impersonation attacks

For the edge node side, suppose an attacker A gets the authentication request information \(\{M_1,M_2,M_3,Ver_1,T_1\}\) and wants to pretend to be a legitimate node; then he needs to know the authentication value \({Ver_1=h(ENID_j\parallel N_1\parallel h(ek_j\parallel T_1))}\). The attacker can only get \(A_j\) from \(M_1\) and \(T_1\), but does not know the value of \(ENID_j\), \(N_1\) and the private key \(ek_j\) of the node, so he cannot calculate \(Ver_1\). For the terminal device side, suppose that the attacker A can intercept \(\{R_i,M_6,M_7,v_i \}\). Since the attacker does not know the private key value \(uk_i\) and the random number \(r_i\) of the terminal device, the device signature information \(v_i\) cannot be calculated. Therefore, the proposed scheme is secure and can resist impersonation attacks.

Table 5 Comparison of security features of different schemes

Session-specific random number leakage attacks

Suppose that in the authentication process, attacker A can obtain all the random numbers \(N_1\), \(N_2\) and \(R_j\). Then, attacker A tries to compute the session key \(SK_j\). However, the computation of \(SK_j\) also needs \(ENID_j\) and \({h(ek_j\parallel T_1)}\), and the computation of \(ENID_j\) needs the key of the server, but the attacker does not know the key \(K_{AS}\) of the server or the key \(ek_j\) of the edge node. Similarly, if the attacker wants to calculate the session key \(HK_i\), considering the difficulty of solving the discrete logarithm, the random number \(r_i\) and the private key \(uk_i\) of the terminal device cannot be obtained. Therefore, the proposed scheme is secure against the random number leakage attack of a specific session key.

Man-in-the-middle attacks

In the proposed scheme, the session key \({SK_j=h(ENID_j\parallel N_{1} \parallel N_2\parallel h(ek_j\parallel T_1))}\) between the edge network layer and the server is derived based on \(ENID_j\) and the edge node private key \(ek_j\). The \(ek_j\) is not transmitted on the public channel and is confidential. Therefore, the MITM adversary cannot obtain the session key \(SK_j\) by exploiting the public parameters of the communication channel between the edge node and the server. For the authentication process between the edge layer and the terminal layer, the security of the random numbers \(r_i\), \(r_e\) and the key of the terminal device \(uk_i\) can be guaranteed based on the elliptic curve discrete logarithm problem. In addition, the attacker cannot obtain the group key that is pre-deployed to the group, so the attacker cannot forge the authentication information between the edge layer and the terminal layer. In summary, the proposed scheme is resistant to man-in-the-middle attacks.

Mutual authentication

In the proposed scheme, the server, the edge network layer, and the terminal device all perform the authentication process. The authentication request information exchanged between the server and the edge network layer is calculated from timestamps, random numbers, and their private parameters, and whether the authentication between the server and the edge node is successful is determined by checking the validity of \({Ver_{1}^{'}?=Ver_1}\) and \({Ver_{2}^{'}?=Ver_2}\). After successfully completing the authentication between the edge node and the server, the edge node sends an inquiry request to the terminal devices in the group. The terminal device first verifies the signature information sent by the edge node and then sends its signature information to the edge node. The edge node aggregates the signature information and then calculates the aggregated results to verify whether \(V_iP\) is valid to complete the authentication of the terminal devices in the whole group. Therefore, the proposed scheme can achieve mutual authentication between the server and the edge node, and between the edge node and the end device. The proposed scheme can achieve identity authentication for a large number of terminal devices.

Signaling congestion avoidance

The edge network layer contains devices and gateways with computing and storage capabilities, and its functions are realized through edge nodes. By introducing an edge network layer between the terminal device and the server, the edge node is used as the group leader to group a large number of terminal devices. The server first completes the authentication of the edge nodes, and then the edge node, as the group leader, aggregates the authentication requests of the terminals in the group and authenticates them. Therefore, the server can realize the authentication of the group, which greatly reduces the signaling overhead compared with single authentication. It can be seen that the proposed scheme can avoid network signaling congestion.

Finally, according to the security properties of the informal analysis above, a comparison of related authentication schemes is obtained as shown in Table 5.

Performance analysis

When a large number of NB-IoT devices simultaneously initiate authentication to the server in a short period of time, signaling congestion affects the entire authentication process. Edge computing is a computing mode that pushes computing and data processing functions closer to the edge of the network, the data source, and the end device to meet real-time, distributed, and large-scale application needs. At the same time, a large number of cryptographic operations are involved in the authentication process. To quantify and compare the performance of the proposed method, this section evaluates signaling cost, transmission cost, bandwidth consumption, and computing load, and compares the proposed scheme with other authentication schemes: GBAAM [19], GRAKA [20], LGTH [17], MTCAKA [26], SEAKA [23], EGAKA [24], LPPA [50], FADTS [27], and the schemes proposed by REN et al. [31] and Chang et al. [32]. The performance test verifies whether the proposed scheme is reasonable, that is, whether it can verify the legitimacy of the identity of edge computing nodes and terminal devices, avoid network signaling congestion in the process of authentication, and keep communication cost and bandwidth consumption low, so as to better complete identity authentication under the premise of secure access. In this section, the number of groups in the authentication scheme is assumed to be m, while the number of terminal devices is n.

Signaling overhead

When a large number of terminal devices request authentication to the server, it is easy to cause a signaling storm problem. Therefore, in this part, the number of signaling messages is used to evaluate the performance and compare EAGAS with other group authentication schemes. Since NB-IoT can achieve authentication and data transmission simultaneously using a control plane optimized transmission mechanism, the number of signaling messages can be greatly reduced. Except for the scheme proposed by REN et al. [25] and the FADTS scheme [21], which can realize access authentication and data transmission, the other schemes do not involve the data transmission process. Assuming that these schemes all use the same optimized transport mechanism to achieve data transmission, according to one current standard, the establishment process of the data bearer requires the transmission of six signaling messages per device. However, the proposed scheme as well as the scheme proposed by REN et al. and the FADTS scheme do not need to establish a data bearer, so no additional signaling overhead is required. The signaling overhead of these group authentication schemes is compared. According to the description of the proposed scheme in “The proposed scheme”, it can be seen that the server can authenticate the group leader, and then the group leader authenticates the terminal devices in the group, and the total number of signaling required is \(n+4m\). The signaling overhead of other authentication schemes is shown in Table 6. Moreover, in Fig. 5, the trend of the signaling overhead of different schemes with the increase of group membership is shown when the number of groups is 5 and the number of groups is 10.

Table 6 Signaling overhead of different schemes

Fig. 7 Signaling overhead of different schemes

By adding an edge network layer to assist the massive number of terminal devices in realizing identity authentication, the terminal devices are divided into different groups, and the edge nodes that were successfully authenticated by the server complete the authentication of the terminal devices. This reduces the signaling overhead and avoids network congestion caused by a large number of devices issuing authentication requests to the server at the same time. According to the results in Fig. 7, when the number of groups is small, the signaling overhead of our proposed scheme is slightly higher than FADTS, and the growth trend is consistent, which is much better than the other schemes.

Delay

Delay is the time it takes for data to travel from one end of the network to the other. To test whether an authentication scheme using edge computing assisted NB-IoT architecture can reduce delay and thus process terminal authentication requests in a more timely manner, we use OPNET software based on Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz 2.71 GHz for network simulation. Two simulation scenarios are constructed by OPNET software. The first scenario is a traditional NB-IoT network, which has 100 terminal devices, 1 base station node, and 1 server. Scenario 2 is an edge-assisted NB-IoT network, which has 100 terminal devices, 1 base station node, 5 edge nodes, and 1 server, where 20 terminal devices are connected under each edge node. In each simulation scenario, each terminal device initiates authentication to the network, the simulation time is set to 30 min, and the delay of the two scenarios obtained after the simulation is shown in Fig. 8. Due to the addition of the edge network layer, all the authentication data need not be sent to the server for processing, and the edge nodes can assist in the authentication of massive terminal devices, reducing the burden of the server. According to Fig. 8, the edge-assisted NB-IoT network has less delay.

Fig. 8 Delay for different scenarios

Fig. 9 Comparison of transmission cost of different schemes

Transmission cost

Because the power consumption cost of transmission involves many factors, such as distance and data volume, we simplify the analysis so that the transmission cost of the proposed scheme can be conveniently compared with that of other existing schemes. According to the proposed system model, the AMF and AUSF in the NB-IoT core network layer are simplified to the server layer, and the following assumptions are made: the cost of a transmission between the server and the NB-IoT terminal device is 1 unit, the cost of a transmission between the server and the edge layer is a units, and the cost of a transmission between the terminal device and the group member and the group leader is b units. The cost of eNB transmission in the NB-IoT network generally varies according to the deployment of different terminal devices. However, considering that the eNB and the server mainly communicate through the wired channel, the cost of a transmission between the eNB and the terminal is taken to be c units. Similarly, according to the control plane transmission mechanism, schemes that cannot transmit data need to establish a data bearer, so in these schemes an additional 2 units of transmission cost are needed between the server and terminal devices, and an additional 2c units are needed between the eNB and terminal devices. The transmission cost of different protocols is compared, and the results are shown in Table 7.

Table 7 Comparison of transmission cost
Table 8 Cryptographic operation symbols and costs
Table 9 Comparison of the computational cost of different schemes
Fig. 10 Computational cost of different schemes

To simplify the analysis of transmission cost, consider that the edge layer is on the side near the terminal between the server and the terminal layer, and that the distance between NB-IoT devices is generally not more than 100 ms, so the cost is far less than 1 unit. We therefore assume that a=0.9, b=0.01, and c=0.4. Figure 9 shows the trend of the transmission cost of different schemes with the increase of group membership when the number of groups is 5 and 10. Because the proposed scheme adds an edge network layer between the server and the terminal device as the group leader, the edge node can realize the authentication between the server and the edge layer as well as between the edge layer and the terminal layer. Since the edge layer is on the near-terminal side between the server and the terminal devices, the cost of transmitting information between the server and the edge layer and between the edge layer and the end device during authentication is smaller. From Fig. 9, it can be found that the transmission costs of the proposed scheme, Chang et al.'s scheme, and the FADTS scheme are similar, and much smaller than those of the other schemes.

Computational cost

Computational cost is an important metric to measure the performance of group authentication schemes. To compare the computational cost of different group authentication schemes, it is necessary to count the cryptographic operations in these schemes. Considering that the XOR operation consumes much less time than the hash operation and the bilinear pairing operation, the computational load of the following three operations is mainly calculated for the authentication process: hash operation, bilinear pairing operation, and point multiplication operation. The computing cost of the terminal devices uses the data obtained from the test of the ARM9 node with NuvoTon N32905U1DN (ARM926EJ-S@200 MHz) in reference [32]. The computing cost of the server is obtained from tests on an Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz 2.71GHz 4GB personal computer. The names, corresponding operation time symbols, and operation costs of these cryptographic operations are shown in Table 8.

Table 10 Bandwidth consumption for different parameters
Table 11 Bandwidth consumption of different schemes
Fig. 11 Bandwidth consumption of different schemes

In the proposed scheme, each edge node needs \(6t_h\) to authenticate with the server and establish the session key, and then needs \(3t_h+3t_m\) to authenticate with the terminal device layer. The computational overhead required for each terminal device to generate signature authentication information and authenticate with the group leader is \(4t_h+3t_m\). In addition, the computational overhead required for the server to receive an edge node authentication message to complete the authentication is \(7t_h\). Since an edge network layer is added between the terminal device layer and the server, and the edge nodes are deployed as the group leaders in the edge layer, to simplify the analysis, the calculated computational load of the group leader is merged into the computational load of the server. Therefore, when there are n terminal devices and m groups, the computational cost of this scheme is \(n(4t_h+3t_m )+m(16t_h+3t_m)\). The computational overhead of the proposed scheme is compared with other authentication schemes, and the result is shown in Table 9. Figure 10 shows the comparison of computational load between different schemes with different numbers of groups.

It can be seen from Fig. 10 that the computational cost of the proposed scheme EAGAS is lower than that of GBAAM and FADTS and is close to that of the scheme proposed by Chang et al. The proposed scheme uses a public key cryptographic mechanism to ensure the security of random numbers and signature information in the authentication process, and it can be seen from Table 9 that the cost of the point multiplication operation on the terminal device is higher than that of the hash operation. As the number of terminal devices increases, the computational cost of the proposed scheme is therefore much higher than that of schemes using only hash functions.

Bandwidth consumption

Bandwidth consumption can be measured by the amount of data transferred. To compare the bandwidth consumption of different schemes without loss of generality, we use the bandwidth consumption of the relevant parameters in reference [32], as detailed in Table 10.

\({BW}_{total}\) is used to represent the total bandwidth consumption of the scheme, and then the calculation of the bandwidth consumption of the scheme is defined as the sum of the data volume of each authentication information transmission when all devices make authentication requests, which is expressed by Eq. (5).

$$\begin{aligned} BW_{total}=n*\sum _{i=1}^{t}AM_i \end{aligned}$$
(5)

where \({AM}_i\) denotes the size of the i-th authentication message sent. According to the description of the authentication process in “The proposed scheme”, the authentication bandwidth consumption in this paper is shown in Eq. (6), and the total bandwidth consumption is shown in Eq. (7).

$$\begin{aligned} \begin{aligned} AM_1&=\mid TS \mid +2\mid RN \mid +2\mid Hash \mid =401\,bits \\ AM_2&=\mid TS \mid +\mid RN \mid +2\mid Hash \mid =273\,bits \\ AM_3&=\mid TS \mid +\mid EK \mid +\mid ES \mid =529\,bits \\ AM_4&=n/m\times (\mid TS \mid +\mid EK \mid +\mid Hash \mid \\ {}&\quad +\mid ID\mid +\mid ES \mid )\\&=721n/m\,bits\,for\,each\,UE_i\\ AM_5&=\mid TS \mid +\mid ID \mid =145\,bits \end{aligned} \end{aligned}$$
(6)
$$\begin{aligned} BW_{total}=m*\sum _{i=1}^{t}AM_i =(721n+1348m)\,bits \end{aligned}$$
(7)

Similarly, the bandwidth overhead of the other schemes is calculated according to Eq. (5) and compared with that of the proposed scheme; the result is shown in Table 11. Figure 11 shows the comparison of bandwidth consumption in different authentication schemes with different numbers of groups. According to Fig. 11, the bandwidth consumption of the proposed scheme is lower than that of the other schemes.
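The computational cost \(n(4t_h+3t_m)+m(16t_h+3t_m)\) and the bandwidth total of Eq. (7) can both be rebuilt from their per-role and per-message parts. The following Python is an added example, not code from the paper: the function names are illustrative, n = 100 with m = 5 or 10 are sample values, and the field widths it returns are solved from Eq. (6) alone rather than read from Table 10.

```python
from fractions import Fraction

# (hash ops, point multiplications) per role, as quoted in the text.
TERMINAL = (4, 3)            # each terminal device: 4t_h + 3t_m
PER_GROUP = [(6, 0),         # edge node <-> server: 6t_h
             (3, 3),         # edge node <-> terminal layer: 3t_h + 3t_m
             (7, 0)]         # server, per edge-node message: 7t_h

def op_counts(n, m):
    """Total (hash, point-multiplication) counts for n devices in m groups."""
    group_hash = sum(h for h, _ in PER_GROUP)
    group_mult = sum(pm for _, pm in PER_GROUP)
    return n * TERMINAL[0] + m * group_hash, n * TERMINAL[1] + m * group_mult

# Message sizes in bits from Eq. (6). AM_4 is 721 bits per device in the group.
AM = {1: 401, 2: 273, 3: 529, 5: 145}
AM4_PER_DEVICE = 721

def bandwidth_bits(n, m):
    """Eq. (7): m groups, each sending AM_1..AM_5 with AM_4 scaled by n/m."""
    total = m * (sum(AM.values()) + AM4_PER_DEVICE * Fraction(n, m))
    return int(total)  # always integral: 721n + 1348m

def implied_field_sizes():
    """Field widths (bits) implied by the linear relations in Eq. (6)."""
    rn = AM[1] - AM[2]                     # AM_1 - AM_2 = |RN|
    ts_plus_2hash = AM[2] - rn             # |TS| + 2|Hash|
    hash_plus_id = AM4_PER_DEVICE - AM[3]  # AM_4 - AM_3 = |Hash| + |ID|
    # |TS|+|ID| = AM_5, so 3|Hash| = (|Hash|+|ID|) + (|TS|+2|Hash|) - AM_5
    hash_bits = Fraction(hash_plus_id + ts_plus_2hash - AM[5], 3)
    id_bits = hash_plus_id - hash_bits
    ts = AM[5] - id_bits
    return {"RN": rn, "Hash": hash_bits, "ID": id_bits, "TS": ts,
            "EK+ES": AM[3] - ts}

if __name__ == "__main__":
    n = 100  # sample value: device count used in the delay simulation
    for m in (5, 10):
        h, pm = op_counts(n, m)
        bw = bandwidth_bits(n, m)
        print(f"m={m}: {h} hashes, {pm} point mults, {bw} bits, "
              f"{bw / n:.1f} bits/device")
    print(implied_field_sizes())
```

Per device, the bandwidth is 721 + 1348m/n bits, so the fixed per-group messages matter less as groups grow larger.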

To sum up, from the perspective of implementation, the proposed authentication scheme uses edge computing and cryptographic operations. Therefore, we use OPNET software for network simulation and use personal devices to test the cryptographic operation time. From the perspective of calculation, we compute the cryptographic operation time from theoretical analysis and testing, calculate the signaling, data volume and time consumed in each authentication process, and compare them with other schemes. The results show that the comprehensive performance of the proposed scheme is better.

Conclusion

Aiming at the problems of security, signaling congestion and large delay in the access authentication of massive terminal devices in NB-IoT, we use edge computing and encryption algorithms to design an edge-assisted group authentication scheme, EAGAS. The scheme protects the identity information of terminal devices and realizes mutual authentication among servers, edge nodes and terminal devices. The server only participates in the initial authentication process and records the authentication results. The edge node can authenticate a group of devices at a time, which effectively reduces the signaling cost and delay in the authentication process. The security analysis shows that EAGAS passes the BAN logic verification and can resist the replay attack, insider attack and man-in-the-middle attack. In comparison with other related protocols, the proposed scheme reduces the signaling overhead, communication overhead and bandwidth consumption, but the computing overhead is still large. Therefore, in future studies, the use of other security mechanisms in the authentication process can be considered to reduce the computational overhead. In addition, this paper addresses the authentication of NB-IoT device groups with similar characteristics. With the development of 5G and 6G networks, when the coverage of NB-IoT devices with different characteristics and NB-IoT devices with high-speed mobility changes, how to carry out effective authentication management is an urgent problem to be solved.