**2014**, *16*(11), 6152-6165; https://doi.org/10.3390/e16116152

Article

Improving the Authentication Scheme and Access Control Protocol for VANETs

^{1} Computer Center, Hsin Sheng Junior College of Medical Care and Management, No. 418, Kaoping Village, Lungtan Township, Taoyuan County 32544, Taiwan

^{2} Department of Information Management, National Central University, No. 300, Jhongda Rd., Jhongli City, Taoyuan County 32001, Taiwan

^{*} Author to whom correspondence should be addressed.

Received: 10 August 2014; in revised form: 25 September 2014 / Accepted: 4 November 2014 / Published: 19 November 2014

## Abstract


Privacy and security are very important in vehicular ad hoc networks (VANETs). VANETs are negatively affected by any malicious user’s behaviors, such as bogus information and replay attacks on the disseminated messages. Among various security threats, privacy preservation is one of the new challenges of protecting users’ private information. Existing authentication protocols to secure VANETs raise challenges, such as certificate distribution and reduction of the strong reliance on tamper-proof devices. In 2011, Yeh et al. proposed a PAACP: a portable privacy-preserving authentication and access control protocol in vehicular ad hoc networks. However, PAACP in the authorization phase is breakable and cannot maintain privacy in VANETs. In this paper, we present a cryptanalysis of an attachable blind signature and demonstrate that the PAACP’s authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. An eavesdropper can construct an AC from an intercepted blind document. Any eavesdropper can determine who has which access privileges to access which service. For this reason, this paper copes with these challenges and proposes an efficient scheme. We conclude that an improving authentication scheme and access control protocol for VANETs not only resolves the problems that have appeared, but also is more secure and efficient.

Keywords: vehicular ad hoc networks (VANETs); cryptanalysis; privacy; authentication; access control

## 1. Introduction

VANETs are a special case of mobile ad hoc networks (MANETs) that aim to enhance the safety and efficiency of road traffic [1–4]. A number of distinguishing features and limitations are related to the very nature of wireless communications in VANETs and the rapid movement of the vehicles involved in those communications. Compared to wired or other wireless networks, VANETs are very dynamic and their communications are volatile. In these networks, nodes are vehicles equipped with communication devices, known as on-board units (OBUs), and, depending on the applications, OBUs are used to establish communications with other vehicles or roadside units (RSUs), such as traffic lights or traffic signs.

In recent years, several research works on VANETs have been conducted by academics and various industries. Recently, some of these works addressed the security issues. As an instance of MANET, VANETs might suffer from any malicious user behaviors, such as bogus information and replay attacks on the disseminated messages. Among various security threats, privacy preservation in VANETs is one of the new challenges of protecting users’ private information. For instance, Chen and Wei proposed a safe, distance-based location privacy scheme called SafeAnon [5,6]. By simulating vehicular mobility in a cropped Manhattan map, they evaluated the performance of the SafeAnon scheme under various conditions to show that it could simultaneously achieve location privacy, as well as traffic safety. However, as Chen and Wei focused on the issues of the vehicles’ location privacy, little emphasis was put on the initial authentication phase of communications among vehicles.

In 2005, Raya et al. [7] first proposed a solution that mentioned both the security and privacy issues of safety-related applications. Wang and others reviewed Raya and Hubaux’s communication scheme in 2008 [8] and argued that Raya and Hubaux paid a great deal of attention to safety-related applications, such as emergency warnings, lane changing assistance, intersection coordination, traffic-sign violation warnings and road-condition warnings [9], but non-safety-related applications were neglected. In Raya and Hubaux’s communication scheme, safety messages do not contain any sensitive information. However, VANETs also provide non-safety applications that offer maps [10,11], advertisements and entertainment information [12].

Similar to safety applications, non-safety applications in VANETs have to take both security and privacy issues into consideration. In addition, designing a practical non-safety application for VANETs should take the following requirements into consideration [13,14]:

Mutual authentication: providing mutual authentication between the two communicating parties, such as a vehicle-to-roadside communication device.

Context privacy: allowing mobile vehicles to anonymously interact with roadside devices to access services.

Lower computational cost: a system must have light overhead in terms of computational costs and high efficiency.

Session key agreement: generating dynamic session keys to secure the communication between nodes in VANETs.

Differentiated service access control: providing several services with different levels of access privileges for different users’ requirements.

Confidentiality and integrity: providing data confidentiality and integrity in applications of communications.

Preventing eavesdropping: an intruder cannot be allowed to discover valuable information from communications between members in VANETs.

Scalability: coping with the large-scale and dynamic environment presented by VANETs.

In 2008, Li et al. proposed a secure and efficient communication scheme named SECSPP [14] that employs authenticated key establishment for non-safety applications in VANETs. SECSPP is the first security scheme with explicit authentication procedures for non-safety applications. However, the speed of a vehicle can be extremely high in SECSPP. It is possible that the response sent from the service provider (SP) has not yet arrived, but the requesting vehicle has passed the RSUs’ transmission range. Moreover, all requests made by non-safety applications must first be verified by the proper SP, which will become a bottleneck of SECSPP. The scalability issue rises in a popular SP if a large number of requests are made.

In 2011, Yeh et al. [13] proposed a PAACP: a portable privacy-preserving authentication and access control protocol for vehicular ad hoc networks. However, in the authorization phase, a PAACP is breakable and cannot maintain privacy in VANETs. Recently, Wu et al. [15] presented a cryptanalysis of an attachable blind signature and demonstrated that the PAACP’s authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. This is because an eavesdropper is able to construct an AC from an intercepted blind document. Consequently, PAACP in the authorization phase is breakable and cannot maintain privacy in VANETs. Any outsiders can determine who has which access privileges to access which service. In addition, this paper efficiently copes with these challenges and proposes an efficient scheme. We conclude that improving an authentication scheme and access control protocol for VANETs will not only resolve the problems that have appeared, but will also be secure and efficient.

The remainder of this paper is organized as follows. Section 2 reviews the cryptanalysis of a PAACP. Section 3 introduces an improved scheme. In Section 4, we compare the performance of our schemes with PAACP and SECSPP and analyze various aspects of the security of our scheme. Finally, we conclude this paper and indicate some directions for future research in Section 5.

## 2. Cryptanalysis of A PAACP

In 2011, Yeh et al. [13] proposed a novel portable privacy-preserving authentication and access control protocol for vehicular ad hoc networks. To eliminate the communication with service providers, they proposed a novel portable access control method to store a portable service right list (SRL) into each vehicle, instead of keeping the SRLs with the service providers. In order to assure the validity and privacy of an SRL and prevent privilege elevation attacks, an attachable blind signature is used by PAACP. Recently, Wu et al. [15] proposed a cryptanalysis of an attachable blind signature and demonstrated that the PAACP’s authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. Their analysis showed that in PAACP, an eavesdropper can construct the AC from an intercepted blind document. As a result, PAACP in the authorization phase is breakable, and as any outsider can determine who has which access privileges to access which service, the privacy of users in PAACP’s scheme is jeopardized. Wu et al. presented Cryptanalysis 1, which shows that m′ cannot keep privacy, and Cryptanalysis 2 shows that an intruder can use public key PK_{St} of the S_{t} to compute authorized credential $A{C}_{i}^{{S}_{t}}$. The notation used throughout the remainder of this paper is shown in Table 1.

**Cryptanalysis 1.** To acquire a message m′, an intruder can eavesdrop on the two blind documents BD_{1}, BD_{2} in the (User → Signer) channel and also eavesdrop on $B{D}_{1}^{\prime}$, $B{D}_{2}^{\prime}$ in the (Signer → User) channel. After stealing BD_{1}, BD_{2}, $B{D}_{1}^{\prime}$ and $B{D}_{2}^{\prime}$, the intruder can use public key e of the signer to compute the following equation:

$$\frac{{(B{D}_{1}^{\prime}B{D}_{2}^{\prime})}^{e}}{(B{D}_{1}B{D}_{2})}={m}^{\prime}$$

**Cryptanalysis 2.** Similarly, to acquire authorized credential $A{C}_{i}^{{V}_{i}}$ and $A{C}_{i}^{{S}_{t}}$, an intruder can eavesdrop on the two blind documents BD1_{i}, BD2_{i} in the (Vehicle → Service Provider) channel and also eavesdrop on $BD{1}_{i}^{\prime}$, $BD{2}_{i}^{\prime}$ in the (Service Provider → Vehicle) channel. After stealing BD1_{i}, BD2_{i}, $BD{1}_{i}^{\prime}$ and $BD{2}_{i}^{\prime}$, the intruder can use public key PK_{St} of the Service Provider to compute the following equation:

$$\frac{(BD{1}_{i}^{\prime}BD{2}_{i}^{\prime})}{(BD{1}_{i}BD{2}_{i})}=A{C}_{i}^{{S}_{t}}$$

Finally, according to $\sqrt{{(A{C}_{i}^{*})}^{P{K}_{{S}_{t}}}}=A{C}_{i}^{{V}_{i}}=A{C}_{i}^{{S}_{t}}$, $A{C}_{i}^{{S}_{t}}$ is equal to $A{C}_{i}^{{V}_{i}}$, where $A{C}_{i}^{*}$ consists of both $A{C}_{i}^{{V}_{i}}$ and $A{C}_{i}^{{S}_{t}}$. Yeh et al. [13] claimed that an attachable blind signature can keep privacy; no one could comprehend the access privileges in $A{C}_{i}^{{V}_{i}}$, and no one can realize who is accessing those services. On the basis of our cryptanalysis, $A{C}_{i}^{{S}_{t}}=\{SI{D}_{t}\Vert {T}_{expired}\Vert SR{L}_{i}^{{S}_{t}}\}$ and $A{C}_{i}^{{V}_{i}}=\{SI{D}_{t}\Vert {T}_{expired}\Vert SR{L}_{i}^{{V}_{i}}\}$ could be comprehended by outsiders who could then decode the service right lists $SR{L}_{i}^{{S}_{t}}$ and $SR{L}_{i}^{{V}_{i}}$, respectively. As described previously, the service right list is given by the following equation:

$$SR{L}_{i}^{{V}_{i}}=\{SVI{D}_{1}\Vert A{R}_{1}\Vert SVI{D}_{2}\Vert A{R}_{2}\Vert \cdots \Vert SVI{D}_{k}\Vert A{R}_{k}\}$$

where SVID_{k} denotes the index of the k-th service and AR_{k} represents the granted access privileges of SVID_{k}. Hence, anyone can determine who has which access privileges to access which service even if $A{C}_{i}^{*}$ is secretly stored in a tamper-proof device.

## 3. Improved Scheme

In this section, we propose an improved scheme and offer an efficient authentication and access control protocol for VANETs. The security of this scheme depends on a secure one-way hash function, not the use of an attachable blind signature. This scheme consists of three phases: the registration phase, the authentication phase and the access phase. We demonstrate our scheme as follows.

#### 3.1. The Registration Phase

A vehicle V_{i} creates a service right list $SR{L}_{i}^{{V}_{i}}$ and an authorized credential $A{C}_{i}^{{V}_{i}}$, just as Yeh et al. proposed. Let x be a secret key maintained by the service provider S_{t}, and let h() be a secure one-way hash function with a fixed-length output. The registration phase is performed over a secure channel.

- V_{i} → S_{t}: VID_{i}, $A{C}_{i}^{{V}_{i}}$

  V_{i} submits his/her identity VID_{i} and his/her $A{C}_{i}^{{V}_{i}}$ to the S_{t} for registration.

- S_{t} → V_{i}: h(), e_{i}

  The S_{t} also creates $SR{L}_{i}^{{S}_{t}}$ and $A{C}_{i}^{{S}_{t}}$ as Yeh et al. proposed. The S_{t} then computes V_{i}’s secret information y_{i} = h(VID_{i}, x) and ${e}_{i}={y}_{i}\oplus A{C}_{i}^{{S}_{t}}\oplus A{C}_{i}^{{V}_{i}}$, writes h() and e_{i} into the smart card of the on-board unit (OBU) and issues the card to V_{i}.

- S_{t} → R_{j}: y_{i}, $A{C}_{i}^{{S}_{t}}$

  The S_{t} also performs a multicast to send messages y_{i} and $A{C}_{i}^{{S}_{t}}$ to its road side units (RSUs) R_{j}.

#### 3.2. The Authentication Phase

After V_{i} sends an authentication request message to the S_{t}, the S_{t} and V_{i} will execute a mutual authentication between the vehicle and the service provider. First, let E_{k}(·)/D_{k}(·) be a symmetric encryption/decryption function with secret k, respectively.

- V_{i} → S_{t}: VID_{i}, C, N_{i}

  When V_{i} wishes to access services provided by S_{t}, V_{i} generates a nonce N_{i}, where N_{i} is a random and fresh number. Then, V_{i} computes $C=h({e}_{i}\oplus A{C}_{i}^{{V}_{i}},{N}_{i})$ and sends an authentication request message (VID_{i}, C, N_{i}) to the S_{t}.

- S_{t} → V_{i}: M

  After receiving the authentication request message (VID_{i}, C, N_{i}), the S_{t} and V_{i} execute the following steps to facilitate a mutual authentication between the vehicle and the service provider. The S_{t} performs the following operations:

  - Verifies that VID_{i} is a valid vehicle identity. If not, the authentication request is rejected.
  - Computes ${y}_{i}^{\prime}=h(VI{D}_{i},x)$ and verifies whether ${y}_{i}={y}_{i}^{\prime}$. If the verification fails, the request is rejected.
  - Checks whether it received $C=h({y}_{i}^{\prime}\oplus A{C}_{i}^{{S}_{t}},{N}_{i})$. If not, the request is rejected; otherwise, the request proceeds to the next step.
  - Generates a nonce N_{s}, where N_{s} is a random and fresh number.
  - Encrypts the message $M={E}_{{y}_{i}\oplus A{C}_{i}^{{S}_{t}}}\{{N}_{s},{N}_{i},A{C}_{i}^{{S}_{t}}\}$ and sends it back.

After V_{i} receives the message M, V_{i} will decrypt the message ${D}_{{e}_{i}\oplus A{C}_{i}^{{V}_{i}}}\{M\}$ to derive $({N}_{i}^{\prime},{N}_{s}^{\prime},A{C}_{i}^{{S}_{t}\prime})$ and verify whether ${N}_{i}^{\prime}={N}_{i}$. If the answer is yes, the mutual authentication is done. The portable authorized credential is $A{C}_{i}=A{C}_{i}^{{V}_{i}}\oplus A{C}_{i}^{{S}_{t}}$, and we propose that $A{C}_{i}^{{V}_{i}}$ is not equal to $A{C}_{i}^{{S}_{t}}$. Either S_{t} may reduce access privileges for some reason (for example, not paying before the deadline or breaking a contract) or V_{i} may disable access privileges himself/herself for some reason (for example, privacy issue or lower communication costs). Therefore, computing AC_{i} as the exclusive-OR of $A{C}_{i}^{{V}_{i}}$ and $A{C}_{i}^{{S}_{t}}$ is reasonable.
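The registration and authentication messages of Sections 3.1 and 3.2, run end to end as an added example that is not code from the paper. It shows that the vehicle's key $e_i \oplus AC_i^{V_i}$ and the provider's key $y_i \oplus AC_i^{S_t}$ are the same value. Assumptions: SHA-256 stands in for h(), a SHAKE-256 XOR keystream stands in for E_k/D_k, credentials are padded to 32 bytes, and S_t remembers used nonces (the page does not say how freshness is checked).

```python
import hashlib
import hmac
import secrets

L = 32  # assumed: y_i and every credential are 32 bytes, so they can be XORed


def h(*parts: bytes) -> bytes:
    """h(): SHA-256 over length-prefixed inputs (the encoding is an assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_k: XOR with a SHAKE-256 keystream. It has no integrity and
    the keystream repeats per key; a deployment would use an authenticated cipher."""
    return xor(data, hashlib.shake_256(key).digest(len(data)))


D = E  # for an XOR stream, decryption is the same operation


def make_ac(sid: bytes, t_expired: int, srl: bytes) -> bytes:
    """AC = SID_t || T_expired || SRL, zero-padded to L bytes (assumed layout)."""
    ac = sid + t_expired.to_bytes(4, "big") + srl
    if len(ac) > L:
        raise ValueError("credential too long")
    return ac.ljust(L, b"\0")


class ServiceProvider:
    def __init__(self) -> None:
        self.x = secrets.token_bytes(L)  # secret key x
        self.db = {}      # VID_i -> (y_i, AC^{S_t}); the same pair is multicast to R_j
        self.seen = set()  # assumed freshness store of used (VID_i, N_i) pairs

    def register(self, vid: bytes, ac_v: bytes, ac_s: bytes) -> bytes:
        y = h(vid, self.x)              # y_i = h(VID_i, x)
        self.db[vid] = (y, ac_s)
        return xor(xor(y, ac_s), ac_v)  # e_i, written to the smart card

    def authenticate(self, vid: bytes, c: bytes, n_i: bytes):
        if vid not in self.db:          # VID_i must be a registered identity
            return None
        y, ac_s = self.db[vid]
        y2 = h(vid, self.x)             # y_i' = h(VID_i, x)
        if not hmac.compare_digest(y, y2):
            return None
        k = xor(y2, ac_s)
        if not hmac.compare_digest(c, h(k, n_i)):  # C = h(y_i' XOR AC^{S_t}, N_i)
            return None
        if (vid, n_i) in self.seen:     # assumed replay check
            return None
        self.seen.add((vid, n_i))
        n_s = secrets.token_bytes(16)
        return E(k, n_s + n_i + ac_s)   # M = E_k{N_s, N_i, AC^{S_t}}


class Vehicle:
    def __init__(self, vid: bytes, ac_v: bytes, e: bytes) -> None:
        self.vid, self.ac_v, self.e = vid, ac_v, e
        self.n_i = b""

    def request(self):
        self.n_i = secrets.token_bytes(16)
        k = xor(self.e, self.ac_v)      # equals y_i XOR AC^{S_t}
        return self.vid, h(k, self.n_i), self.n_i

    def finish(self, m: bytes):
        plain = D(xor(self.e, self.ac_v), m)
        n_i, ac_s = plain[16:32], plain[32:]
        if len(ac_s) != L or not hmac.compare_digest(n_i, self.n_i):
            return None                 # S_t did not prove knowledge of the key
        return xor(self.ac_v, ac_s)     # AC_i = AC^{V_i} XOR AC^{S_t}


if __name__ == "__main__":
    # Constructed sample values: provider id, expiry time and SVID/AR byte pairs.
    sp = ServiceProvider()
    ac_s = make_ac(b"SP01", 1700000000, bytes([1, 3, 2, 1]))
    ac_v = make_ac(b"SP01", 1700000000, bytes([1, 3]))
    car = Vehicle(b"VID-0001", ac_v, sp.register(b"VID-0001", ac_v, ac_s))
    req = car.request()
    print("mutual authentication:", car.finish(sp.authenticate(*req)) is not None)
    print("replayed request accepted:", sp.authenticate(*req) is not None)
```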

#### 3.3. The Access Phase

This phase is based on the key exchange protocol proposed by Diffie et al. [16]. It is used to encrypt an individual conversation with a session key. The lifespan of a session key is the period of a particular communication session. A new session phase involves two public parameters, q and α, where q is a large prime number and α is a primitive element mod q. After V_{i} sends a service request to its neighboring R_{j}, R_{j} will verify the authorized credential AC_{i} by itself without further communication with S_{t}. According to the access privileges stored in the authorized credential $A{C}_{i}^{{S}_{t}}$, R_{j} could decide whether V_{i}’s request is accepted or not. Furthermore, R_{j} could detect whether V_{i} is launching an elevation of privilege (EoP) attack.

- V_{i} → R_{j}: W_{i}

  V_{i} computes ${W}_{i}={\alpha}^{{r}_{{v}_{i}}}\bmod q$ and sends W_{i} to R_{j}, where ${r}_{{v}_{i}}$ is a random number.

- R_{j} → V_{i}: S_{i}

  Similarly, R_{j} computes ${S}_{i}={\alpha}^{{r}_{{R}_{j}}}\bmod q$ and sends S_{i} to V_{i}, where ${r}_{{R}_{j}}$ is a random number. V_{i} computes ${K}_{V}={({S}_{i})}^{{r}_{{v}_{i}}}\bmod q$, and R_{j} computes ${K}_{R}={({W}_{i})}^{{r}_{{R}_{j}}}\bmod q$. Then, both of them check whether K_{V} = K_{R}. If yes, a new session will be created. This is because:

  $$\begin{array}{l}\mathit{Session\ key}={({S}_{i})}^{{r}_{{v}_{i}}}\bmod q={({\alpha}^{{r}_{{R}_{j}}}\bmod q)}^{{r}_{{v}_{i}}}\bmod q={\alpha}^{{r}_{{R}_{j}}{r}_{{v}_{i}}}\bmod q\\ \qquad={({\alpha}^{{r}_{{v}_{i}}}\bmod q)}^{{r}_{{R}_{j}}}\bmod q={({W}_{i})}^{{r}_{{R}_{j}}}\bmod q\end{array}$$

- V_{i} → R_{j}: (Service request message)

  If V_{i} wants to access a service, it encrypts ${E}_{{K}_{V}}(SVI{D}_{1}\Vert A{C}_{i})$ with K_{V} as the service request message and sends it to R_{j}. After R_{j} receives the message, R_{j} will decrypt the message:

  $${D}_{{K}_{R}}({E}_{{K}_{V}}(SVI{D}_{1}\Vert A{C}_{i}))$$

  with K_{R} to gain (SVID_{1} || AC_{i}) and then derive AC_{i} and SVID_{1}, because K_{V} = K_{R}. When R_{j} derives AC_{i}, R_{j} verifies it and is then convinced that V_{i} is a legal user.

- V_{i} → R_{j}: (Service request message)_{n-th}

  When V_{i} continues to access the n-th service, it encrypts the n-th service request message ${E}_{{K}_{V}+n}(SVI{D}_{n}\Vert A{C}_{i})$ with K_{V} + n and sends it to R_{j}. After R_{j} receives the n-th service request message, R_{j} will decrypt the message:

  $${D}_{{K}_{R}+n}\left({E}_{{K}_{V}+n}(SVI{D}_{n}\Vert A{C}_{i})\right)$$

  with K_{R} + n to derive AC_{i} and SVID_{n}. R_{j} examines whether SID_{t}, as well as SVID_{n}, are included in $A{C}_{i}^{{S}_{t}}$ and checks the validity of the authorized credential by T_{expired}. If the verification succeeds, AC_{i} is legitimate and V_{i} is authorized; otherwise, R_{j} terminates this session.

## 4. Analysis of the New Scheme

In this section, we roughly compare the security properties and performance of the related mechanisms discussed. The security properties comparisons between PAACP, SECSPP and our scheme in the authentication phase and access phase are shown in Table 1. The performance comparisons are shown in Table 2.

#### 4.1. Comparison

Table 1 lists important security properties in VANETs based on Yeh et al.’s proposals. As mentioned, PAACP’s attachable blind signature is breakable and cannot maintain privacy, and the PAACP’s AC is not secure, even if the AC is secretly stored in a tamper-proof device. An eavesdropper is able to construct the AC from an intercepted blind document. Any outsiders in VANETs can know who has which access privileges to access which service. Consequently, PAACP still cannot satisfy context privacy properly.

#### 4.2. Performance

Since the computational load of the PKI (Public Key Infrastructure) cryptosystem is a heavy burden for all communicating nodes in the PAACP and SECSPP, we propose an efficient version without PKI cryptosystems. Furthermore, the speed of encryption/decryption with symmetric encryption schemes is faster than with asymmetric ones, namely PKI cryptosystems. For instance, it is known that DES (Data Encryption Standard) is 100-times faster than RSA in software and 1000-times faster in hardware [17]. Consequently, we treat the computational load of a PKI operation as that of 100 symmetric operations. As listed in Table 3, the PAACP needs nearly 702 symmetric operations and SECSPP needs 740 symmetric operations in the related work, while it requires about 124 symmetric operations in our scheme. Moreover, it takes 0.0005 s to complete a one-way hash operation and 0.0087 s to finish a symmetric en-/de-cryption. We hence ignore the computational load of the one-way hash function, since it is much lighter than that of a symmetric en-/de-cryption [18]. As a result, computational loads can be reduced to 1.0788 s in our scheme.

The following is based on the computation method in PAACP. Assume that n vehicles in the VANET request the services of the same service provider at the same time and the locations where these service requests are invoked are uniformly distributed within m RSUs. The transmission delay T_{trans-delay} is the time in seconds to deliver a message from a vehicle, which is forwarded to the service provider by an RSU. The waiting time T_{waiting} consists of the round-trip transmission delay and the time spent on verification by the service provider. In SECSPP, the average waiting time T_{waiting} for a requesting vehicle can be estimated as:
$${T}_{waiting}=2\times {T}_{trans-delay}+\frac{(n+1)}{2}*{T}_{Accss\phantom{\rule{0.2em}{0ex}}verification}$$

In PAACP and our scheme, the average waiting time T_{waiting} for a requesting vehicle can be estimated as:

$${T}_{waiting}=\begin{cases}\frac{(n/m+1)}{2}\times {T}_{Accss\phantom{\rule{0.2em}{0ex}}verification}, & \text{if}\phantom{\rule{0.2em}{0ex}}n>m\\ {T}_{Accss\phantom{\rule{0.2em}{0ex}}verification}, & \text{otherwise}\end{cases}$$

In a uniform distribution of locations, the average number of requests pending in each RSU will be $\frac{n}{m}$. Therefore, the average time spent for request verification in an RSU is $\frac{(n/m+1)}{2}\times {T}_{Accss\phantom{\rule{0.2em}{0ex}}verification}$. Figure 1 shows the average waiting time T_{waiting} for a service request as the number of vehicles n increases from 1 to 50, when m is equal to 10. Figures 2, 3 and 4 show the average waiting time T_{waiting} for a service request as n increases from 1 to 100 when m is equal to 10, 30 and 50, respectively. As Figure 2 shows, when 100 vehicles are requesting the desired services, the average waiting time T_{waiting} to finish the authentication in PAACP is 14.32 s. In our scheme, the average waiting time T_{waiting} is about 5.73 s. Similarly, as shown in Figure 3, our scheme takes about 2.28 s, compared to about 5.65 s for PAACP. Finally, our scheme takes about 1.59 s, compared to PAACP’s average of about 3.94 s, as shown in Figure 4. In summary, the average waiting time T_{waiting} decreases as the number of RSUs increases.

#### 4.3. Security Analysis

The other security features of our new scheme are also discussed below:

Forward secrecy: This security means that before a V_{i} wants to access the (n + 1)-th service, he/she cannot decrypt the service request message that existed prior to his/her session key K_{V} + n. Our scheme can attain forward secrecy because, if a V_{i} requests the next (Service request message)_{(n+1)-th}, then a new K_{V} + (n + 1) will be generated by the (n + 1)-th service.

Backward secrecy: After a user logs out of the server, he/she cannot receive any services belonging to the left server. After a V_{i} accesses the n-th service, he/she cannot decrypt the service request message that existed posterior to his/her session key K_{V} + (n + 1). Our scheme can attain backward secrecy, because after a V_{i} requests the next (Service request message)_{(n+1)-th}, the session key K_{V} + (n + 1) will be generated, and the K_{V} + n will be invalid.

Authentication: A V_{i} must submit his or her authentication request message (VID_{i}, C, N_{i}) to the service provider S_{t}, and then, the S_{t} acknowledges the V_{i}. After receiving the authentication request message, the S_{t} encrypts the message $M={E}_{{y}_{i}\oplus A{C}_{i}^{{S}_{t}}}\{{N}_{s},{N}_{i},A{C}_{i}^{{S}_{t}}\}$ to facilitate a mutual authentication between the vehicle and the service provider.

Authorization: In the registration phase, the service provider creates a service right list by the following equation:

$$SR{L}_{i}^{{V}_{i}}=\{SVI{D}_{1}\Vert A{R}_{1}\Vert SVI{D}_{2}\Vert A{R}_{2}\Vert \dots \Vert SVI{D}_{k}\Vert A{R}_{k}\}$$

where SVID_{k} denotes the index of the k-th service and AR_{k} represents the granted access privileges of SVID_{k}. Hence, anyone can determine who has which access privileges to access which service. Only a valid V_{i} can encrypt ${E}_{{K}_{V}}(SVI{D}_{1}\Vert A{C}_{i})$ with K_{V}. After R_{j} receives ${E}_{{K}_{V}}(SVI{D}_{1}\Vert A{C}_{i})$, R_{j} will decrypt the message: ${D}_{{K}_{R}}({E}_{{K}_{V}}(SVI{D}_{1}\Vert A{C}_{i}))$ with K_{R} to gain (SVID_{1} || AC_{i}) and then derive AC_{i} and SVID_{1}, because K_{V} = K_{R}.

Replay attack: In the registration phase, a V_{i} submits his/her registration information over a secure channel, so there are no replay attack issues. In the authorization phase, an attacker who has eavesdropped on an old message may try to replay the old message (VID_{i}, C, N_{i}). The replay may fail because the message is not always the same: the nonce N_{i} is a random number that is generated and has a value that has not been used before, which avoids the replay attack and the serious time synchronization problem.

## 5. Conclusion

In this paper, we review a cryptanalysis of an attachable blind signature and demonstrate that the PAACP’s AC is not secure and private, even if the AC is secretly stored in a tamper-proof device. An eavesdropper can construct the AC from an intercepted blind document. Consequently, during the authorization phase, PAACP is breakable and cannot maintain privacy in VANETs. Consequently, any outsiders can determine who has which access privileges to access which service.

Furthermore, this paper efficiently copes with these challenges and proposes an efficient scheme. We conclude that an improved authentication scheme and access control protocol for VANETs not only resolves the documented problems, but also is secure and efficient. Compared with PAACP and SECSPP, our scheme achieves more functionality and satisfies the security features required by VANETs. Future research can focus on the many commercial applications [19–23].

## Author Contributions

Wei-Chen Wu was responsible for planning, design, analysis and writing the manuscript. Yi-Ming Chen reviewed the manuscript. Both authors have read and approved the final manuscript.

## Conflicts of Interest

The authors declare no conflict of interest.

## References

1. Chung, Y.; Choi, S.; Won, D. Lightweight anonymous authentication scheme with unlinkability in global mobility networks. J. Converg. **2013**, 4, 23–29.
2. Taysi, Z.C.; Yavuz, A.G. ETSI compliant GeoNetworking protocol layer implementation for IVC simulations. Hum.-Centric Comput. Inf. Sci. **2013**, 3, 1–12.
3. Singh, R.; Singh, P.; Duhan, M. An effective implementation of security based algorithmic approach in mobile adhoc networks. Hum.-Centric Comput. Inf. Sci. **2014**, 4, 1–14.
4. Peng, K. A secure network for mobile wireless service. J. Inf. Process. Syst. **2013**, 9, 247–258.
5. Chen, Y.M.; Wei, Y.C. SafeAnon: A safe location privacy scheme for vehicular networks. Telecommun. Syst. **2012**, 50, 339–354.
6. Wei, Y.C.; Chen, Y.M. Safe distance based location privacy in vehicular networks. In Proceedings of the 2010 IEEE 71st Vehicular Technology Conference (VTC 2010-Spring), Taipei, Taiwan, 16–19 May 2010; pp. 1–5.
7. Raya, M.; Hubaux, J. The security of vehicular ad hoc networks. In Proceedings of the 3rd ACM Workshop on Security of Ad hoc and Sensor Networks, Alexandria, VA, USA, 7–10 November 2005.
8. Wang, N.; Huang, Y.; Chen, W. A novel secure communication scheme in vehicular ad hoc networks. Comput. Commun. **2008**, 31, 2827–2837.
9. Wischhof, L.; Ebner, A.; Rohling, H. Information dissemination in self-organizing intervehicle networks. IEEE Trans. Intell. Transp. Syst. **2005**, 6, 90–101.
10. Isaac, J.; Camara, J.; Zeadally, S.; Marquez, J. A secure vehicle-to-roadside communication payment protocol in vehicular ad hoc networks. Comput. Commun. **2008**, 31, 2478–2484.
11. Yousefi, S.; Mousavi, M.; Fathy, M. Vehicular ad hoc networks (VANETs): Challenges and perspectives. In Proceedings of the 6th International Conference on ITS Telecommunications, Chengdu, China, 21–23 June 2006; pp. 761–766.
12. Zhang, C.; Lin, X.; Lu, R.; Ho, P.; Shen, X. An efficient message authentication scheme for vehicular communications. IEEE Trans. Veh. Tech. **2008**, 57, 3357–3368.
13. Yeh, L.; Chen, Y.; Huang, J. PAACP: A portable privacy-preserving authentication and access control protocol in vehicular ad hoc networks. Comput. Commun. **2011**, 34, 447–456.
14. Li, C.; Hwang, M.; Chu, Y. A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks. Comput. Commun. **2008**, 31, 2803–2814.
15. Wu, W.; Chen, Y. Cryptanalysis of a PAACP: A portable privacy-preserving authentication and access control protocol in Vehicular Ad Hoc Networks. Appl. Math. Inf. Sci. **2012**, 6, 463S–469S.
16. Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory **1976**, 22, 644–654.
17. Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed.; John Wiley & Sons: New York, NY, USA, 1996.
18. Chen, H.B.; Hsueh, S.C. Light-weight authentication and billing in mobile communications. In Proceedings of the IEEE 37th Annual 2003 International Carnahan Conference on Security Technology, Taipei, Taiwan, 4–16 October 2003; pp. 245–252.
19. Kim, H.I.; Kim, Y.K.; Chang, J.W. A grid-based cloaking area creation scheme for continuous LBS queries in distributed systems. J. Converg. **2013**, 4, 23–30.
20. Oh, J.S.; Park, C.U.; Lee, S.B. NFC-based mobile payment service adoption and diffusion. J. Converg. **2014**, 5, 8–14.
21. Følstad, A.; Hornbæk, K.; Ulleberg, P. Social design feedback: Evaluations with users in online ad-hoc groups. Hum.-Centric Comput. Inf. Sci. **2013**, 3, 1–27.
22. Park, S.W.; Lee, I.Y. Anonymous authentication scheme based on NTRU for the protection of payment information in NFC mobile environment. J. Inf. Process. Syst. **2013**, 9, 461–476.
23. Gohar, M.; Koh, S.J. A network-based handover scheme in HIP-based mobile networks. J. Inf. Process. Syst. **2013**, 9, 651–659.

Notation | Description |
---|---|
V_{i} | the i-th vehicle |
VID_{i} | i-th vehicular node’s real identification |
S_{t} | the t-th service provider |
SID_{t} | t-th service provider’s real identification |
SVID_{k} | k-th service’s identification |
AR_{k} | the access privilege of SVID_{k} |
AC_{i} | authorized credential for vehicle V_{i} |
$A{C}_{i}^{{S}_{t}}$, $A{C}_{i}^{{V}_{i}}$ | authorized credential made by S_{t} and V_{i}, respectively |
$A{C}_{i}^{*}$ | portable authorized credential for vehicle V_{i} |
$SR{L}^{{S}_{t}}$, $SR{L}^{{V}_{i}}$ | service right list made by S_{t} and V_{i}, respectively |
D_{k}() | a corresponding symmetric cryptosystem that uses the secret key k for decryption |
E_{k}() | a secure symmetric cryptosystem that uses the secret key k for encryption |
N_{i} | fresh nonce, randomly generated by VID_{i} |
N_{s} | fresh nonce, randomly generated by the service provider |
h() | a collision-free and public one-way hash function |
\|\| | a string concatenation |
X → Y : Z | a sender X sends a message Z to receiver Y |

Requirements | Our Scheme | PAACP | SECSPP |
---|---|---|---|
Mutual Authentication | Yes | Yes | Yes |
Context Privacy | Yes | No | Yes |
Session Key Agreement | Yes | Yes | Partially Yes |
Differentiated Service Access Control | Yes | Yes | No |
Confidentiality and Integrity | Yes | Yes | N/A |
Preventing Eavesdropping | Yes | No | Yes |
Scalability | Fully Distributed | Fully Distributed | Bottleneck at Service |
Lower Communication and Computational Cost | Low | High | Extremely High |

a: In PAACP, authorized credential (AC) is not secure and private; b: In SECSPP, the session key TSK is determined by V and S, not V and R.

Item | Our Scheme | PAACP | SECSPP |
---|---|---|---|
Authorization Phase | 2T_{sym} + 2T_{hash} + 5T_{xor} | 4T_{asym} + T_{hash} | 2T_{asym} + 2T_{exp} + 3T_{hash} + 4T_{xor} |
Access Service Phase | 2T_{sym} + 2T_{exp} + 3T_{xor} | 3T_{asym} + 2T_{sym} + T_{hash} | 3T_{asym} + 2T_{exp} + 6T_{hash} + 5T_{xor} |
Computational Costs | ≈ 124T_{sym} | ≈ 702T_{sym} | ≈ 740T_{sym} |
Rounds | 4 | 3 | 5 |
Authorization (T_{Authorization}) | ≈ 0.0174 s | ≈ 3.48 s | ≈ 2.784 s |
Access Service (T_{Accss verification}) | ≈ 1.0614 s | ≈ 2.6274 s | ≈ 3.654 s |
Total Costs | ≈ 1.0788 s | ≈ 6.1074 s | ≈ 6.438 s |

T_{hash}: Computational cost of one-way function; T_{xor}: Computational cost of Exclusive-OR operation; T_{sym}: Computational cost of symmetric encryption; T_{asym}: Computational cost of asymmetric operation; T_{exp}: Computational cost of modular exponentiation

© 2014 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).