Ubiquitous middleware platforms that target smart city and smart village deployments increasingly have to support two distinct communication modes: (i) infrastructure-based client–server access to cloud-hosted services and (ii) infrastructure-less peer-to-peer communication among nearby devices. Prior work has proposed a combined authentication and authorization design that uses OAuth 2.0 for the client–server path and Elliptic Curve Diffie–Hellman (ECDH) with keyed message authentication for the peer-to-peer path. However, that design was presented primarily at the architectural level and lacked empirical validation. In this paper we implement a prototype of such a hybrid security layer and evaluate it along three axes: security (resistance to basic man-in-the-middle and spoofing attempts), performance (latency and message overhead), and practicality on mobile/edge hardware. Our results show that (a) the full OAuth 2.0 flow is acceptable for intermittent mobile clients provided that refresh tokens are reused, (b) the ECDH key agreement cost on current Android-class hardware is low enough to enable on-demand secure peer sessions, and (c) upgrading message authentication from HMAC-SHA1 to HMAC-SHA256 imposes a modest but tolerable increase in per-message cost. We conclude with deployment guidelines for middleware designers who need a single security story across both communication modes.
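The peer-to-peer half of the hybrid layer summarised above, written out as an added example (it is not the paper's prototype code): two peers run ECDH on NIST P-256, derive an HMAC key from the shared x-coordinate with HKDF-SHA256, and then exchange frames carrying a monotonic counter and an HMAC-SHA256 tag. The curve arithmetic is spelled out in pure Python so the block runs with the standard library alone; the frame layout, the HKDF `info` label `p2p-hmac-key` and the counter-based replay check are assumptions of this example, not details taken from the paper. The on-curve check before key derivation and the constant-time tag comparison are the two checks a reviewer would look for first in a hand-rolled peer session.

```python
"""ECDH (P-256) key agreement + HMAC-SHA256 frame authentication.

Added illustration of an infrastructure-less peer session; not the paper's
prototype.  P-256 is implemented here only so the example needs no third-party
package; a deployment would use a vetted, constant-time library instead.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def is_on_curve(pt):
    """True iff pt satisfies y^2 = x^3 + Ax + B (mod P); guards against invalid-curve points."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2 (covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (illustrative; not constant-time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    d = secrets.randbelow(N - 1) + 1                  # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def derive_session_key(private, peer_public):
    """ECDH shared x-coordinate -> HKDF-SHA256 (extract + one expand block) -> 32-byte MAC key."""
    if not is_on_curve(peer_public):
        raise ValueError("peer public key is not on P-256")
    shared = scalar_mult(private, peer_public)
    if shared is None:
        raise ValueError("degenerate shared point")
    ikm = shared[0].to_bytes(32, "big")
    prk = hmac.new(b"", ikm, hashlib.sha256).digest()                       # HKDF-Extract, empty salt
    return hmac.new(prk, b"p2p-hmac-key\x01", hashlib.sha256).digest()    # HKDF-Expand, L = 32


class AuthenticatedChannel:
    """Frame = 8-byte counter || payload || 32-byte HMAC-SHA256 tag (assumed layout)."""

    def __init__(self, key):
        self.key, self.send_ctr, self.last_recv_ctr = key, 0, -1

    def seal(self, payload):
        header = self.send_ctr.to_bytes(8, "big")
        self.send_ctr += 1
        return header + payload + hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def open(self, frame):
        """Return the payload, or None if the tag fails or the counter is not fresh."""
        if len(frame) < 40:
            return None
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # constant-time compare
            return None
        ctr = int.from_bytes(header, "big")
        if ctr <= self.last_recv_ctr:                 # replayed or reordered frame
            return None
        self.last_recv_ctr = ctr
        return payload


def demo():
    """Two peers agree on a key, then one genuine, one tampered and one replayed frame are checked."""
    da, qa = generate_keypair()
    db, qb = generate_keypair()
    ka, kb = derive_session_key(da, qb), derive_session_key(db, qa)
    alice, bob = AuthenticatedChannel(ka), AuthenticatedChannel(kb)
    frame = alice.seal(b"hello peer")
    tampered = frame[:12] + bytes([frame[12] ^ 1]) + frame[13:]   # flip one payload bit
    return {"keys_match": ka == kb,
            "genuine": bob.open(frame),
            "tampered": bob.open(tampered),
            "replay": bob.open(frame)}
```

Note that raw ECDH authenticates nothing by itself: the peer public keys still have to be bound to an identity (for instance by a certificate or a token obtained over the OAuth 2.0 path) before the session can be said to resist an active man-in-the-middle, and `scalar_mult` here leaks timing, which is acceptable for an illustration but not for a deployed edge device.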