An Enhanced Privacy-Preserving Authentication Scheme for Vehicle Sensor Networks

Vehicle sensor networks (VSNs) are ushering in a promising future by enabling more intelligent transportation systems and providing a more efficient driving experience. However, because of their inherent openness, VSNs are subject to a large number of potential security threats. Although various authentication schemes have been proposed for addressing security problems, they are not suitable for VSN applications because of their high computation and communication costs. Chuang and Lee have developed a trust-extended authentication mechanism (TEAM) for vehicle-to-vehicle communication using a transitive trust relationship, which they claim can resist various attacks. However, it fails to counter internal attacks because of the utilization of a shared secret key. In this paper, to eliminate the vulnerability of TEAM, an enhanced privacy-preserving authentication scheme for VSNs is constructed. The security of our proposed scheme is proven under the random oracle model based on the assumption of the computational Diffie–Hellman problem.


Introduction
With the rapid development of the intelligent transportation systems (ITSs) [1], vehicular ad hoc networks (VANETs) have become increasingly popular. The vehicles in VANETs can communicate with each other via wireless communication [2]. If vehicles can interact with other vehicles or the roadside infrastructure to exchange collected data for decision-making and safer driving, traffic jams can be avoided and the safety of drivers can be guaranteed to the utmost extent; consequently, VANETs are a promising means of improving traffic safety and management. At present, vehicles are equipped with various sensors that can provide valuable data. Further equipping vehicles with onboard sensing devices can turn VANETs into vehicle sensor networks (VSNs) [3]. Therefore, the authentication protocols used in VANETs can also be used in VSNs. Moreover, dynamic traffic information and many types of physical data associated with traffic distributions can be sensed and collected by such vehicular communication networks. Therefore, VSNs are expected to significantly facilitate future wireless communication.
Two types of communication exist in VANETs, namely vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication, which depend on two essential kinds of
The contributions of this paper are as follows: (1) an enhanced privacy-preserving authentication scheme based on Chuang and Lee's scheme is proposed that can resist internal attacks; in addition, we demonstrate the correctness and security of the improved scheme and analyze its computational costs; (2) to preserve the identity privacy of drivers, anonymity is achieved by randomizing the real identities; and (3) to preserve the location privacy of drivers, unlinkability is achieved in the authentication procedure.
The remainder of this paper is organized as follows. Related work is introduced in Section 2. Preliminaries are presented in Section 3. A review of Chuang and Lee's scheme is provided in Section 4. Then, a concrete description of the proposed scheme is offered in Section 5. Section 6 presents the proofs of correctness, security and performance. Finally, the conclusions are provided.

Related Work
To cope with the challenges associated with VANETs, many types of authentication schemes have been investigated. Porambage et al. [6] introduced a two-phase authentication protocol for sensor networks that uses certificates and consequently cannot preserve the unlinkability of messages. Raya and Hubaux [7] proposed an authentication scheme for VANETs using anonymous certificates, in which each vehicle can utilize distinct key pairs in each authentication stage to avoid being tracked. However, frequent changing of key pairs is likely to result in burdensome management and storage requirements. Lu et al. [8] proposed an alternative way to avoid the complexity of preloading a large number of anonymous certificates with the support of RSUs. When a vehicle passes an RSU, it will be issued a short-term anonymous certificate; thus, the unlinkability of messages is preserved. However, the efficiency will inevitably be low because each vehicle must frequently interact with RSUs. Subsequently, Lin et al. [9] introduced another secure scheme that does not require interaction with RSUs, in which membership managers, rather than RSUs, are responsible for the issuing of certificates based on group signatures. However, the efficiency of this solution is low. Zhang et al. [10] presented two additional authentication schemes with privacy preservation; however, the computational costs of their methods are somewhat high because of the utilization of bilinear pairing. Similarly, Zheng et al. [11] introduced an authenticated key agreement scheme based on bilinear pairing. Ou et al. [12] later showed that Zheng et al.'s scheme is susceptible to impersonation attacks, and proposed a more secure authenticated key agreement scheme; however, the computational cost of this scheme is again somewhat high because of the utilization of bilinear pairing. In addition, an authentication scheme with access control for VANETs was investigated by Yeh et al. [13]; however, Horng et al. [14] later showed that Yeh et al.'s scheme [13] is susceptible to privilege escalation attacks.
Recently, Chuang and Lee [15] developed a trust-extended authentication mechanism, called TEAM, for VANETs. In TEAM, vehicles are classified into three types, namely, law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs), as shown in Figure 1. Moreover, TEAM requires that each vehicle be equipped with a tamper-proof device from which no attacker can extract any stored data; this assumption is so strong that it is not practical. The performance of this mechanism in response to several types of attacks has been analyzed; however, the linkability of messages in the authentication procedure and the possibility of internal attacks during the secure communication procedure, which can easily be executed by a malicious vehicle, have been ignored. A malicious vehicle can trace a driver by intercepting the messages sent during the authentication procedure because the values D i and M 4 are constant. Moreover, a malicious trusted vehicle can compute the real identity of a user and the session key by intercepting a message communicated via the secure communication procedure because it possesses the authorized parameter. Kumari et al. [16] proposed an enhanced trust-extended authentication scheme based on TEAM. However, their scheme also fails to protect against internal attacks. Therefore, we have developed an improved authentication procedure and secure communication procedure and have proven their correctness and security. In our scheme, the constant values used in the authentication procedure are updated by the user himself. Finally, we analyze the computational costs and security features of the improved secure communication procedure.

Security Model
To accurately capture the capabilities of an attacker, an experiment concerning the interaction between an adversary and a challenger is introduced. The random oracle model, which originates from the work of Bellare et al. [17], is adopted in our security proof. An adversary A is allowed to communicate with the participants through defined oracle queries; thus, the adversary's behavior during a real attack can be modeled. In our proposed protocol, each participant is either a common vehicle's OBU V i or an LE E i . Let U represent the set of all participants, i.e., the union of the common vehicles' OBUs and the LEs.

Protocol Execution
Let U i i represent the ith instance of a participant U i and let b denote a randomly chosen bit. All possible oracle queries are described as follows: The passive attack capability of the adversary A is tested by this query. Executing this query will output an honest execution transcript of the protocol.
This query models the ability of the adversary A to distinguish a real session key from a random key. If the session key of participant U i i has not been defined, ⊥ will be returned. Otherwise, if b = 1, the session key of instance U i i will be returned; if b = 0, a random key of the same size will be returned.

Notation
An instance U i i is said to have been opened if A has issued a query Reveal(U i i ) to it; otherwise, it is said to be unopened [18]. After receiving the last expected protocol message, U i i enters an accept mode and it is said to be accepted.

Partnering
To illustrate the process of partnering, the concept of a session identification code sid is introduced. Given U 1 , U 2 ∈ OBU, instances U i 1 and U i 2 are called partners only when the following conditions hold:
(1) U i 1 and U i 2 have entered accept mode.
(2) The same sid is shared between U i 1 and U i 2 .
(3) U i 1 and U i 2 are partners of each other.

Freshness
To avoid cases in which the security of the scheme is trivially broken by the adversary, the concept of freshness is introduced. The objective is to only permit the adversary to issue Test queries to fresh oracle instances. Specifically, an instance U i i is called fresh when it enters accept mode and both U i i and its partner are unopened.

Semantic Security
Suppose that an adversary A executes a protocol P. After being given access to the Execute, Send, Reveal, Corrupt and Test queries, A can ask a Test query to a fresh instance and outputs a guess bit b′. If b′ = b, where b is the bit chosen in the Test query, A is said to win the experiment that defines semantic security. Let Succ represent the event in which A is successful. The advantage of A in breaking the semantic security of P is defined as follows, where the password is selected from a dictionary D.

Elliptic Curve Discrete Logarithm Problem
Let G be an elliptic curve group defined by a generator P and a prime number p. Then, the two central mathematical problems in elliptic curve cryptography (ECC), namely, the discrete logarithm problem and the computational Diffie-Hellman assumption, can be defined as follows [19].
Definition 1. Elliptic curve discrete logarithm (ECDL) problem. Let Q = aP, where Q, P ∈ G and a ∈_R Z * p . The objective of the elliptic curve discrete logarithm problem is to find a when given the two points Q, P ∈ G.
Definition 2. Elliptic curve computational Diffie-Hellman (ECCDH) assumption. Let G denote a representative group of order p and A denote an adversary. Consider the following experiment: The advantage of A in solving the ECCDH problem is defined as follows: where the maximum is taken over all A with time-complexity at most t.

Review of Chuang and Lee's Scheme
In this section, we review Chuang and Lee's trust-extended authentication scheme (TEAM) [15]. In their scheme, the vehicles are classified into three types, namely, law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs), as shown in Figure 1. An LE, such as a police vehicle, is treated as permanently trusted and plays a role similar to that of a mobile authentication server (AS). When a normal vehicle is authenticated successfully, it is deemed to be trusted; otherwise, it is treated as mistrusted. A TV will turn into an MV once the lifetime of its key has expired. To ensure the security of communication, an OBU can obtain service from providers only if it has been authenticated successfully.
TEAM consists of eight procedures: registration, login, password change, general authentication, trusted-extended authentication, secure communication, key update and key revocation. Before each vehicle joins the network, its OBU performs the registration procedure to register itself with the AS. The login procedure is performed when a vehicle intends to access service from the vehicular ad hoc network. After successfully completing the login procedure, the OBU checks its authentication state. If the vehicle is an MV, it needs to perform either the general authentication procedure or the trust-extended authentication procedure; it will then turn into a TV once it has been authenticated successfully and has obtained an authenticated key. Then, it can play the role of an LE to authenticate other mistrusted OBUs via the trust-extended authentication procedure. Two trusted vehicles can perform the secure communication procedure to interact with each other. A trusted vehicle can choose to perform the key update procedure with an LE when its key is approaching expiration. Otherwise, the state of the TV changes to mistrusted when the lifetime of the key has expired.
The OBU of each vehicle is equipped with secure hardware, including a tamper-proof device (TPD) and an event data recorder (EDR). The TPD hinders an attacker from obtaining information from the OBU. Recording important data, such as public parameters, preloaded secret keys, times, and locations, is the responsibility of the EDR. In addition, each vehicle is synchronized via a GPS device. Finally, each vehicle periodically broadcasts a hello message with its authentication state (mistrusted or trusted). The related notations are briefly defined in Table 1. The details of the TEAM protocol follow.

SK ij     A session key between entity i and entity j
MSG KU    A key update message

LE Registration:
In this procedure, an LE registers itself with the AS via the manufacturer or a secure channel. The secure key set {PSK i , i = 1, ..., n} is sent to the LE by the AS. Only this secure key set is required to be stored in the secure hardware of the LE. No other user information needs to be stored. Furthermore, the lifetime of each PSK i is set to be short for robust security. When the lifetime of each trusted vehicle's key expires, this vehicle is required to perform the key update procedure with the LE. The procedure for the key set generation is depicted in Figure 2. It can be seen that the old PSK (e.g., PSK 1 ) cannot be used to derive the new PSK (e.g., PSK 2 ) because a one-way hash function is introduced in the key generation procedure.
Figure 2. Key set generation scheme based on the hash-chain method.
Normal Vehicle Registration: All vehicles except LEs need to perform this procedure when they are delivered to market. This registration procedure is performed only once by each vehicle.
Step1. U i → AS: A user U i chooses his password PW i and sends his public identity ID i and PW i to the AS via the manufacturer or a secure channel.
Step2. The AS evaluates the following parameters for U i after it receives ID i and PW i :
AS → U i : The parameters (i.e., ID i , B i , C i , D i , h ()) are stored in the OBU's secure hardware by the AS via a secure channel.

Login
The login procedure is performed when a user U i intends to access the service from vehicle sensor networks. The login procedure is described as follows: First, OBU i verifies ID i . Then, it checks whether B i = h(PW i ) C i holds. If so, OBU i launches the general authentication procedure or the trust-extended authentication procedure. Otherwise, the login request will be rejected.

Password Change
When a user U i wants to update his password, he invokes the optional password change procedure. The steps of this procedure are described below: Step1.
i . Otherwise, the request will be rejected.

General Authentication
The general authentication procedure is performed between OBU i and LE j after U i has completed the login procedure. The steps of this procedure are described below: Step1. OBU i chooses a random number r i and computes its alias Then, it produces the request messages Upon receiving the authentication request message (i.e., AID i ,M 1 ,M 2 ,D i ), LE j uses PSK to retrieve A i = D i ⊕ PSK and r i = M 1 ⊕ h 2 (A i ) and then checks whether The authentication request will be rejected if this equation does not hold. Otherwise, LE j computes ID i = AID i ⊕ h(r i ) and produces a random number r j with which to calculate AID j = r j ⊕ ID j and SK ij = h(r i ||r j ). Finally, LE j calculates the response messages LE j uses SK ij to retrieve h(r j ). Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen r j . In this way, a replay attack from an illegal OBU is avoided.
At this time, the state of OBU i changes to trusted since OBU i has been authenticated successfully and has obtained the parameter PSK = A i ⊕ D i . Now, not only the LE but also OBU i can authenticate other mistrusted OBUs.

Trust-Extended Authentication
A mistrusted OBU becomes trusted once it has been authenticated successfully and has obtained PSK. Then, it can play the role of an LE to authenticate other mistrusted OBUs. The corresponding trust-extended authentication procedure is the same as the general authentication procedure.

Secure Communication
The secure communication procedure is performed between two trusted vehicles OBU i and OBU j when they intend to interact with each other. Step1.
After completing the login procedure, OBU i generates a random number r i and computes the messages Upon receiving (i.e., AID i ,M 1 ,M 2 ), OBU j uses PSK to retrieve r i from M 1 and then computes PSK ⊕ h(AID i ||r i ) and checks whether it is equal to M 2 . The request will be rejected if this equality does not hold. Otherwise, OBU j randomly chooses r j and computes ) and a session key After receiving the messages {AID j ,M 3 ,M 4 }, OBU i verifies whether OBU j is trusted: OBU i uses PSK to retrieve r j from M 3 and checks whether M 4 = h(AID j ||r j ||h(r i )) holds. If so, OBU i computes a session key SK ij = h(r i ||r j ||PSK) and a reply message Step7.
After receiving the message M 5 , OBU j computes SK ij ⊕ h(r j ) and then checks whether it is equal to M 5 . If this equality holds, the two trusted vehicles can communicate securely using SK ij . Otherwise, OBU j terminates the process.

Key Revocation
Key revocation will be triggered when the lifetime of a key expires. The state of a mistrusted vehicle changes to trusted when the mistrusted vehicle is authenticated successfully and obtains PSK by performing either the general authentication procedure or the trust-extended authentication procedure. Then, a timer is instantiated by the secure hardware and begins to count down. The state of the vehicle becomes mistrusted when the lifetime of the key expires. When key expiration is approaching, the system requests that the trusted vehicle perform the key update procedure.

Key Update
The key update procedure will be invoked by OBU i when the key lifetime of the TV is approaching expiration. The steps of this procedure are described as follows.
Step1. OBU i randomly chooses r i to compute the messages LE j retrieves r i and MSG KU using the current PSK (i.e., PSK old ). The key update request will be rejected if h(r i ||MSG KU ) does not match M 3 . Otherwise, LE j chooses a random number r j and computes where PSK is produced via the hash-chain method. Therefore, the new PSK cannot be inferred by other OBUs using the current PSK. Finally, LE j computes SK ij = h(r i ||r j ||PSK new ). Step4.
LE j → OBU i : LE j returns the reply messages (i.e., M 4 ,M 5 , and M 6 ) to OBU i . Step5.
Upon receiving the reply messages, OBU i computes h(r i ) to retrieve r j = M 4 ⊕ h(r i ), and obtains PSK new = M 5 ⊕ r j . Next, OBU i checks whether M 6 = h(r j ||PSK new ) and PSK old = h(PSK new ). If this condition holds, OBU i renews the PSK and computes SK ij = h(r i ||r j ||PSK new ). Otherwise, OBU i terminates the process. Step7.
LE j retrieves h(r j ) using SK ij . Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen r j . In this way, a replay attack from an illegal OBU is avoided. Now, this session key can be used to communicate securely between two trusted vehicles.

Improved Scheme
A concrete description of our enhanced privacy-preserving authentication scheme is presented in this section. In our scheme, the vehicles are also classified into three types, namely, law executors (LEs), mistrusted vehicles (MVs) and trusted vehicles (TVs), as displayed in Figure 1. The LEs are equipped with a TPD, but normal vehicles (TVs and MVs) are not. Our improved scheme consists of nine procedures: initialization, registration, login, password change, general authentication, trust-extended authentication, secure communication, key update and key revocation. The notations used in this section are also briefly defined in Table 1.

Initialization
The initialization procedure is performed by the AS when it sets up the system parameters: Step1.
Let G be an elliptic curve group defined by a generator P and a prime number p. The AS randomly selects x ∈ Z * p as its secret key. Step2.

LE Registration:
In this procedure, an LE registers itself with the AS via the manufacturer or a secure channel. The secure key set {PSK i , i = 1, ..., n} and the public parameters {G, p, P} are sent to the LE by the AS. Only the secure key set and the public parameters are required to be stored in the secure hardware of the LE. No other user information needs to be stored. Similarly, the lifetime of each PSK i is set to be short for robust security. When the lifetime of each trusted vehicle's key expires, this vehicle is required to perform the key update procedure with an LE.
Normal Vehicle Registration: All vehicles except LEs need to perform this procedure when they are delivered to market. This registration procedure is performed only once by each vehicle. The steps of the normal vehicle registration procedure are described in Figure 3.
Step1. U i → AS: A user U i chooses his password PW i and sends his public identity ID i and PW i to the AS via the manufacturer or a secure channel.
Step2. The AS chooses a random number y i with which to evaluate the following parameters for U i after it receives ID i and PW i :
AS → U i : The parameters (i.e., B i ,C i ,D i ,y i ,h (),G,p,P) are stored in the OBU's secure hardware by the AS via a secure channel.
Step4. U i chooses a number x i as his private key and computes P pub i = x i P as his public key, and then computes Z i = x i ⊕ h(PW i ) and stores (P pub i , Z i ) in its OBU secure hardware.
Figure 3. Normal vehicle registration procedure.

Login
The login procedure is performed when a user U i intends to access service from the vehicle sensor network. The login procedure is described as follows: holds. If so, OBU i launches the general authentication procedure or the trust-extended authentication procedure. Otherwise, the login request will be rejected.

Password Change
When a user U i wants to update his password, the optional password change procedure will be invoked. The steps of this procedure are described as follows: Step1.
ID i and PW i are input to OBU i by U i . Step2.
First, OBU i retrieves A i = h(PW i ) ⊕ B i . Then, it checks whether D i = h(ID i ||PW i ||A i ) holds. If so, U i will be requested to input his new password PW * i . OBU i computes and replaces B i and D i with B * i and D * i . Otherwise, the request will be rejected.

General Authentication
The general authentication procedure is performed between OBU i and LE j after U i has completed the login procedure. The general authentication procedure is shown in Figure 4 and the steps are described as follows.
Step1. OBU i chooses a random number r i and computes its alias Then, it produces the request messages where A i is obtained from the login procedure.
Step2. OBU i → LE j : The authentication messages (i.e., AID i , M 1 , M 2 , C i , and y i ) are sent from OBU i to LE j .
Step3. Upon receiving the authentication request messages (i.e., AID i , M 1 , M 2 , C i , and y i ), LE j uses PSK to retrieve A i = C i ⊕ h(PSK||y i ) and r i = M 1 ⊕ h(A i ) and then checks whether M 2 = h(r i ||AID i ||C i ||y i ) holds. The authentication request will be rejected if it does not. Otherwise, LE j produces a random number r j to calculate AID j = ID j ⊕ h(r j ) and SK ij = h(r i ||r j ). Finally, LE j calculates the response messages M 3 = r j ⊕ h 2 (r i ), M 4 = PSK ⊕ r j , and M 5 = h(AID j ||SK ij ||r j ||PSK).
Step4. LE j → OBU i : LE j returns the response messages (i.e., AID j , M 3 , M 4 , and M 5 ) to OBU i .
Step5. OBU i computes h 2 (r i ) to retrieve r j = M 3 ⊕ h 2 (r i ), PSK = M 4 ⊕ r j , and SK ij = h(r i ||r j ) and checks whether M 5 = h(AID j ||SK ij ||r j ||PSK) holds. OBU i terminates the process if it does not. Otherwise, OBU i calculates the reply message M 6 = SK ij ⊕ h(r j ); computes C inew = h(PSK||r i ) ⊕ A i and E i = h(PW i ) ⊕ PSK; replaces C i and y i with C inew and r i , respectively; and stores E i in its secure hardware.
Step6. OBU i → LE j : The message M 6 is sent to LE j by OBU i .
Step7. LE j uses SK ij to retrieve h(r j ). Then, it checks whether the retrieved hash value is equal to the pre-computed hash value using the chosen r j . In this way, a replay attack from an illegal OBU is avoided. At this time, the state of OBU i changes to trusted since OBU i has been authenticated successfully and has obtained the parameter PSK. Now, not only the LE but also OBU i can authenticate other mistrusted OBUs.
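The improved general authentication procedure, carried out end to end between an OBU and an LE in Python as an added example (not code from the paper). The AS-side registration formulas are not given on the page, so the example assumes A i is a secret the AS derives for U i and fixes B i, C i and D i so that the relations used in the login, password-change and Step 3 hold; it also takes AID i = ID i ⊕ h(r i) by analogy with AID j and instantiates h as SHA-256. Two consecutive runs by the same vehicle show that every transmitted value, including the refreshed pair (C i, y i), differs between runs.

```python
import hashlib
import os

def h(*parts):
    """h(a||b||...) instantiated as SHA-256 over the concatenation (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def h2(x):
    return h(h(x))

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class OBU:
    """Normal vehicle. A_i is assumed to be a secret the AS derives for U_i; B_i, C_i, D_i
    are fixed so that the relations used in login, password change and Step 3 hold."""
    def __init__(self, ID_i, PW_i, A_i, y_i, PSK):
        self.ID_i, self.PW_i = ID_i, PW_i
        self.B_i = xor(h(PW_i), A_i)            # so that A_i = h(PW_i) xor B_i
        self.C_i = xor(A_i, h(PSK, y_i))        # so that A_i = C_i xor h(PSK||y_i)
        self.D_i = h(ID_i, PW_i, A_i)
        self.y_i = y_i
        self.PSK = self.E_i = None

    def login(self):
        A_i = xor(h(self.PW_i), self.B_i)
        if self.D_i != h(self.ID_i, self.PW_i, A_i):
            raise ValueError("login rejected")
        return A_i

    def request(self):
        """Step 1: alias AID_i = ID_i xor h(r_i) (assumed, mirroring AID_j), then M_1 and M_2."""
        self.A_i = self.login()
        self.r_i = os.urandom(32)
        AID_i = xor(self.ID_i, h(self.r_i))
        M1 = xor(self.r_i, h(self.A_i))
        M2 = h(self.r_i, AID_i, self.C_i, self.y_i)
        return (AID_i, M1, M2, self.C_i, self.y_i)

    def finish(self, resp):
        """Step 5: recover r_j and PSK, verify M_5, reply M_6, then refresh C_i and y_i."""
        AID_j, M3, M4, M5 = resp
        r_j = xor(M3, h2(self.r_i))
        PSK = xor(M4, r_j)
        SK = h(self.r_i, r_j)
        if M5 != h(AID_j, SK, r_j, PSK):
            raise ValueError("response rejected")
        M6 = xor(SK, h(r_j))
        self.C_i = xor(h(PSK, self.r_i), self.A_i)   # C_inew
        self.y_i = self.r_i                          # the pair (C_i, y_i) changes every run
        self.E_i = xor(h(self.PW_i), PSK)
        self.PSK = PSK
        return SK, M6

class LE:
    """Law executor holding the current PSK."""
    def __init__(self, ID_j, PSK):
        self.ID_j, self.PSK = ID_j, PSK

    def respond(self, req):
        """Step 3: recover A_i and r_i, verify M_2, build M_3, M_4, M_5."""
        AID_i, M1, M2, C_i, y_i = req
        A_i = xor(C_i, h(self.PSK, y_i))
        r_i = xor(M1, h(A_i))
        if M2 != h(r_i, AID_i, C_i, y_i):
            raise ValueError("request rejected")
        self.r_j = os.urandom(32)
        AID_j = xor(self.ID_j, h(self.r_j))
        self.SK = h(r_i, self.r_j)
        M3 = xor(self.r_j, h2(r_i))
        M4 = xor(self.PSK, self.r_j)
        M5 = h(AID_j, self.SK, self.r_j, self.PSK)
        return (AID_j, M3, M4, M5)

    def confirm(self, M6):
        """Step 7: M_6 xor SK_ij must equal h(r_j)."""
        if xor(M6, self.SK) != h(self.r_j):
            raise ValueError("key confirmation failed")
        return self.SK

def run_session(obu, le):
    req = obu.request()
    SK_i, M6 = obu.finish(le.respond(req))
    SK_j = le.confirm(M6)
    return req, SK_i, SK_j

def demo():
    """Two consecutive runs by the same vehicle: both succeed and no transmitted value repeats."""
    PSK, A_i, y_i = os.urandom(32), os.urandom(32), os.urandom(32)   # constructed secrets
    obu = OBU(b"VEHICLE-0001".ljust(32, b"\0"), b"driver-password", A_i, y_i, PSK)
    le = LE(b"LE-0001".ljust(32, b"\0"), PSK)
    req1, sk1_i, sk1_j = run_session(obu, le)
    req2, sk2_i, sk2_j = run_session(obu, le)
    linkable = any(a == b for a, b in zip(req1, req2))   # any field identical across runs?
    return {"session1_ok": sk1_i == sk1_j, "session2_ok": sk2_i == sk2_j,
            "psk_obtained": obu.PSK == PSK, "linkable": linkable}
```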

Trust-Extended Authentication
This procedure is the same as in the Chuang-Lee scheme.

Secure Communication
The secure communication procedure is performed between two trusted vehicles OBU i and OBU j when they intend to interact with each other. The secure communication procedure is shown in Figure 5 and the steps are described as follows.
Step1. After completing the login procedure, OBU i generates a random number r i and computes the messages AID i = ID i ⊕ h(r i P pub j ), T = r i P, u i = T + PSK · P, and M 1 = h(T||ID i ||AID i ), where E i was obtained from a previous authentication procedure.
Step2. OBU i → OBU j : A secure communication request (i.e., AID i , u i , M 1 ) is sent to OBU j by OBU i .
Step3. Upon receiving (i.e., AID i , u i , M 1 ), OBU j uses PSK to retrieve T from u i and then computes ID i = AID i ⊕ h(x j T), and checks whether M 1 is equal to h(T||ID i ||AID i ). The request will be rejected if this equality does not hold. Otherwise, OBU j randomly chooses r j and computes AID j = ID j ⊕ h(r j P pub i ), R = r j P, u j = R + PSK · P, s = r j P pub i + x j T, k = h(T||R||P pub i ||P pub j ||s),
Step4. OBU j → OBU i : OBU j returns the response messages (i.e., AID j , u j , M 2 ) to OBU i .
Step5. After receiving the messages {AID j , u j , M 2 }, OBU i verifies whether OBU j is trusted: OBU i computes R = u j − PSK · P, ID j = AID j ⊕ h(x i R), s = r i P pub j + x i R and k = h(T||R||P pub i ||P pub j ||s), and then checks whether M 2 = h(ID j ||k) holds. If so, OBU i computes a reply message M 3 = h(u j ||k). Otherwise, the process is terminated.
Step7. After receiving the message {M 3 }, OBU j checks whether M 3 = h(u j ||k) holds. If so, the two trusted vehicles can communicate securely using k. Otherwise, OBU j terminates the process.
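The improved secure communication procedure, run between two trusted vehicles in Python as an added example (not the paper's code). The group (G, p, P) is instantiated with secp256k1 and h with SHA-256, both assumptions; M 2 is taken as h(ID j ||k) from Step 5. The demo also runs the request past a vehicle that holds the wrong PSK, which recovers a wrong T and is rejected at Step 3, and the comments mark where the private keys x i and x j enter s, which is why a trusted insider holding only PSK can strip PSK · P from u i and u j but cannot derive k.

```python
import hashlib
import os

# secp256k1 parameters stand in for the paper's abstract (G, p, P); this choice is an assumption.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition on the curve; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication k * Pt."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, Pt)
        Pt = ec_add(Pt, Pt)
        k >>= 1
    return R

def ec_sub(A, B):
    return ec_add(A, (B[0], (-B[1]) % P_MOD))
def enc(Pt):
    """Serialize a point as x||y (32 bytes each) so it can be hashed."""
    return Pt[0].to_bytes(32, "big") + Pt[1].to_bytes(32, "big")
def h(*parts):
    """h(a||b||...) instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))
def rand_scalar():
    return int.from_bytes(os.urandom(32), "big") % N or 1

def obu_i_request(ID_i, r_i, Ppub_j, PSK):
    """Step 1: AID_i = ID_i xor h(r_i*Ppub_j), T = r_i*P, u_i = T + PSK*P, M_1 = h(T||ID_i||AID_i)."""
    AID_i = xor(ID_i, h(enc(ec_mul(r_i, Ppub_j))))
    T = ec_mul(r_i, BASE)
    u_i = ec_add(T, ec_mul(PSK, BASE))
    return (AID_i, u_i, h(enc(T), ID_i, AID_i))

def obu_j_respond(req, ID_j, x_j, r_j, Ppub_i, Ppub_j, PSK):
    """Step 3: strip PSK*P from u_i, unmask ID_i with x_j, verify M_1, derive k and M_2 = h(ID_j||k)."""
    AID_i, u_i, M1 = req
    T = ec_sub(u_i, ec_mul(PSK, BASE))
    ID_i = xor(AID_i, h(enc(ec_mul(x_j, T))))   # x_j*T = x_j*r_i*P = r_i*Ppub_j
    if M1 != h(enc(T), ID_i, AID_i):
        raise ValueError("request rejected: M_1 does not verify")
    AID_j = xor(ID_j, h(enc(ec_mul(r_j, Ppub_i))))
    R = ec_mul(r_j, BASE)
    u_j = ec_add(R, ec_mul(PSK, BASE))
    s = ec_add(ec_mul(r_j, Ppub_i), ec_mul(x_j, T))   # needs the private key x_j, not just PSK
    k = h(enc(T), enc(R), enc(Ppub_i), enc(Ppub_j), enc(s))
    return (AID_j, u_j, h(ID_j, k)), k, ID_i

def obu_i_finish(resp, r_i, x_i, Ppub_i, Ppub_j, PSK):
    """Step 5: strip PSK*P from u_j, unmask ID_j with x_i, recompute s and k, verify M_2, reply M_3."""
    AID_j, u_j, M2 = resp
    R = ec_sub(u_j, ec_mul(PSK, BASE))
    ID_j = xor(AID_j, h(enc(ec_mul(x_i, R))))
    T = ec_mul(r_i, BASE)
    s = ec_add(ec_mul(r_i, Ppub_j), ec_mul(x_i, R))   # same point as OBU_j's s: r_i*x_j*P + r_j*x_i*P
    k = h(enc(T), enc(R), enc(Ppub_i), enc(Ppub_j), enc(s))
    if M2 != h(ID_j, k):
        raise ValueError("response rejected: M_2 does not verify")
    return h(enc(u_j), k), k, ID_j

def obu_j_confirm(M3, u_j, k):
    """Step 7: accept the session key k only if M_3 = h(u_j||k)."""
    return M3 == h(enc(u_j), k)

def demo():
    """One exchange between two trusted vehicles, plus one attempt by a vehicle holding the wrong PSK."""
    PSK, x_i, x_j, r_i, r_j = (rand_scalar() for _ in range(5))
    Ppub_i, Ppub_j = ec_mul(x_i, BASE), ec_mul(x_j, BASE)
    ID_i = b"VEHICLE-0001".ljust(32, b"\0")   # constructed sample identities
    ID_j = b"VEHICLE-0002".ljust(32, b"\0")
    req = obu_i_request(ID_i, r_i, Ppub_j, PSK)
    resp, k_j, seen_i = obu_j_respond(req, ID_j, x_j, r_j, Ppub_i, Ppub_j, PSK)
    M3, k_i, seen_j = obu_i_finish(resp, r_i, x_i, Ppub_i, Ppub_j, PSK)
    accepted = obu_j_confirm(M3, resp[1], k_j)
    try:   # a mistrusted vehicle (wrong PSK) recovers a wrong T, so M_1 fails to verify
        obu_j_respond(req, ID_j, x_j, r_j, Ppub_i, Ppub_j, rand_scalar())
        rejected = False
    except ValueError:
        rejected = True
    return {"accepted": accepted, "keys_match": k_i == k_j,
            "ids_ok": seen_i == ID_i and seen_j == ID_j, "wrong_psk_rejected": rejected}
```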

Key Revocation
This procedure is the same as in the Chuang-Lee scheme.

Key Update
This procedure is the same as in the Chuang-Lee scheme.

Analysis
In this section, we first validate the correctness of the critical general authentication procedure and secure communication procedure using the BAN logic, and we then prove the security of our improved scheme. Finally, we evaluate the performance of our scheme against that of the existing related schemes.

Correctness
The BAN logic is a useful way to validate the correctness of security protocols, especially authentication protocols [20]. Some relevant notations are listed in Table 2. The verification procedure consists of the following steps.

Table 2. Symbol and description of BAN logic.

Symbol          Description
P |≡ X          Entity P trusts (believes) opinion X
P X             Entity P sees opinion X, or P holds X
P |∼ X          Entity P has said opinion X
P |⇒ X          Entity P has complete control over X
(X)             X is fresh
Rule1, Rule2    Rule2 comes from Rule1
k → P           k is the public key of entity P
P k←→ Q         k is a secret key or information shared between P and Q
{X} PSK         X is encrypted by key K

The Correctness of the General Authentication Procedure
Idealization. First, we use formal logical language to idealize the general authentication procedure in our improved scheme in accordance with the rules of the BAN logic as follows:
(2). LE j → OBU i : {M 2 = h(AID j ||SK ij ||r j ||PSK), AID j , {r j } r i , {PSK} r j },
(3). OBU i → LE j : {M 3 = SK ij ⊕ h(r j )}.

Goal
There are two roles in the general authentication procedure: OBU i and LE j . Since OBU i needs to obtain the authorized parameter PSK from LE j , it must believe PSK. Moreover, OBU i and LE j must believe each other and each other's aliases, and they must believe the session key computed in the general authentication procedure. Thus, there are five goals of the general authentication procedure in our improved scheme as follows:
G2. OBU i |≡ LE j |≡ AID j : OBU i believes LE j and its alias AID j .
G3. LE j |≡ OBU i |≡ AID i : LE j believes OBU i and its alias AID i .
G4. OBU i |≡ OBU i SK ij ←→ LE j : OBU i believes the shared key between itself and LE j .
G5. LE j |≡ LE j SK ij ←→ OBU i : LE j believes the shared key between itself and OBU i .

Assumptions
With the goals set, the assumptions also need to be stated as follows:
A1. OBU i AID i : OBU i possesses an alias AID i .
A2. LE j AID j : LE j possesses an alias AID j .
A3. OBU i |≡ (r i , r j ): OBU i believes the freshness of r i and r j .
A4. LE j |≡ (r i , r j , y i ): LE j believes the freshness of r i , r j and y i .
A5. LE j |≡ LE j PSK ←→ OBU i : LE j believes the shared key PSK between itself and OBU i .
A6. OBU i |≡ OBU i r i ←→ LE j : OBU i believes the shared key r i between itself and LE j .
A7. LE j |≡ LE j r j ←→ OBU i : LE j believes the shared key r j between itself and OBU i .

Verification
In this subsection, we will verify the correctness of our proposed general authentication procedure using the BAN logic. The detailed steps of the proof are as follows: . . V8. .
In formula V3 and formulas V9 and V10, LE j believes that OBU i has sent M 2 and OBU i believes that LE j has sent M 5 . Because LE j has verified the correctness of message M 2 and OBU i has verified the correctness of message M 5 , OBU i and LE j each believe the other party and its alias, and OBU i believes the PSK obtained from LE j . In formula V8, because OBU i is able to calculate r j and believes this value, which is necessary to compute SK ij , OBU i believes the freshness of SK ij and therefore believes the session key SK ij that it computes. Similarly, in formula V15, LE j believes the value r i and the freshness of SK ij ; thus LE j believes the session key SK ij that it computes. According to formulas V3, V8, V9, V10 and V15, we can infer that our improved general authentication procedure achieves its goals.

The Correctness of the Secure Communication Procedure
Idealization First, we use formal logical language to idealize the secure communication procedure in our improved scheme in accordance with the rules of the BAN logic as follows:

Goal
There are two roles in the secure communication procedure: OBU i and OBU j , which are the on-board units of the two communicating vehicles. Since OBU i and OBU j need to generate a common session key for their communication, they must believe each other and each other's identities, and they must believe the session key computed in the secure communication procedure. Thus, there are four goals of the secure communication procedure in our improved scheme as follows:
G1. OBU i |≡ OBU j |≡ ID j : OBU i believes OBU j and its identity ID j .
G2. OBU j |≡ OBU i |≡ ID i : OBU j believes OBU i and its identity ID i .
G3. OBU i |≡ OBU i k ←→ OBU j : OBU i believes the shared key between itself and OBU j .
G4. OBU j |≡ OBU j k ←→ OBU i : OBU j believes the shared key between itself and OBU i .

Assumptions
With the goals set, the assumptions also need to be stated as follows:
A1. OBU i ID i : OBU i owns its identity ID i .
A2. OBU j ID j : OBU j owns its identity ID j .
A3. OBU i x i : OBU i holds its own private key x i .
A4. OBU j x j : OBU j holds its own private key x j .
A5. OBU i |≡ P pub i → OBU i : OBU i believes its own public key P pub i .
A6. OBU j |≡ P pub j → OBU j : OBU j believes its own public key P pub j .
A7. OBU i (P pub i , P pub j ): OBU i holds its own public key P pub i and OBU j 's public key P pub j .
A8. OBU j (P pub i , P pub j ): OBU j holds its own public key P pub j and OBU i 's public key P pub i .
A9. OBU i |≡ (r i , r j ): OBU i believes the freshness of r i and r j .
A10. OBU j |≡ (r i , r j ): OBU j believes the freshness of r i and r j .
A11. OBU i |≡ OBU i PSK ←→ OBU j : OBU i believes the shared key PSK between itself and OBU j .
A12. OBU j |≡ OBU j PSK ←→ OBU i : OBU j believes the shared key PSK between itself and OBU i .

Verification
In this subsection, we verify the correctness of our proposed secure communication procedure using the BAN logic. The detailed steps of the proof are as follows:

V11. OBU i |≡ (k), OBU i |≡ OBU j |≡ s

In formula V4 and formula V8, OBU j believes that OBU i has sent M 1 and OBU i believes that OBU j has sent M 2 . Because OBU j has verified the correctness of message M 1 and OBU i has verified the correctness of message M 2 , OBU i and OBU j each believe the other's identity and that the other party is a trusted vehicle. In formula V11, because OBU i can use its private key to obtain ID j and calculate k, OBU i can verify M 2 by means of ID j and k; thus, OBU i believes the session key k that it computes. Similarly, in formula V16, OBU j can compute the session key k to verify M 3 , so OBU j believes the session key k that it computes. According to formulas V4, V8, V14 and V16, we can infer that our improved secure communication procedure achieves our goals.

Security Analysis
In this section, the security proof of the critical secure communication procedure and general authentication procedure is presented. We show that the proposed improved protocol is secure through a formal security analysis in the random oracle model as well as an informal security analysis.

The Formal Security Analysis
Theorem 1. Let GAP denote the general authentication procedure presented in Figure 4. Let |Hash| and |D| denote the range space of the hash function and the size of the password dictionary D, respectively. Finally, let A represent an adversary running in polynomial time t against the semantic security of GAP that issues q send Send queries, q exe Execute queries and q h hash queries. Then, we have

Proof of Theorem 1. To complete the proof, four experiments are constructed, where the first one simulates a real attack. For every experiment Exp n , we use an event Succ n to denote the event in which the adversary successfully guesses the bit b from the Test query.
Experiment Exp 0 . This experiment simulates an actual attack. By definition, we have

Experiment Exp 1 . In this experiment, the oracles Execute, Send, Corrupt, Reveal and Test are simulated as in an actual attack. One cannot distinguish this experiment from the actual experiment. Thus,

Experiment Exp 2 . All oracles considered in experiment Exp 1 are also simulated in this experiment; however, all executions are halted where a collision occurs when simulating the Send and h oracles. A issues Send queries to try to deceive the other participants into accepting a modified message, and can simultaneously query the h oracle to check whether a hash collision exists. Since every message transmitted over the network is bound to a participant's identity, a temporary secret random number and a long-lived key, and the authentication procedure uses only an XOR operation and a hash function, there is no collision other than a hash collision. By the birthday paradox, the probability of a collision in the h oracle is at most q h ² / 2|Hash|. Hence,

Experiment Exp 3 . All oracles considered in experiment Exp 2 are simulated in this experiment, except that the simulation of Corrupt queries to an OBU is stopped. Note that the information B i , C i , D i , y i , Z i and P pub i stored in the OBU can be extracted by A when the Corrupt(U i ) query is issued. However, this information is useless to A for computing the session key, since A would also need the secret A i , and deriving A i from B i is difficult without also obtaining the user's correct password PW i via a password attack. Hence, we obtain

In addition, the adversary A can only win the game by guessing the bit b when querying the Test oracle, because it has no other advantage. Therefore,

From Equations (2) to (5)

A hash query h(m) (resp. h′(m)) that matches a record (m, r) in the list Λ h (resp. Λ h′ ) returns r. Otherwise, it chooses a random number r, adds the record (m, r) to the list Λ h (resp. Λ h′ ), and returns r.

Theorem 2.
Let G represent a group with prime order p, and let SCP denote the secure communication procedure presented in Figure 5. Let be the size of the identity space, and let |Hash| and |D| represent the range space of the hash function and the size of the password dictionary D, respectively. Finally, let A represent an adversary attacking the semantic security of the secure communication protocol with time complexity at most t by issuing q send Send queries, q exe Execute queries and q h Hash queries. Then, we have:

where t p denotes the time required to produce a point.

Proof of Theorem 2.
To complete the proof, six experiments are constructed, where the first one simulates a real attack. For every experiment Exp n , we use Succ n to denote the event in which the adversary successfully guesses the bit b from the Test query.
Experiment Exp 0 . This experiment simulates an actual attack, which begins with the random selection of a secure key PSK. By definition, we have

Experiment Exp 1 . In this experiment, the oracles Execute, Send, Corrupt, Reveal and Test are simulated as in the actual attack with a randomly chosen secure key PSK. One cannot distinguish this experiment from the actual experiment. Thus,

Experiment Exp 2 . All oracles considered in experiment Exp 1 are also simulated in this experiment. In addition, we stop simulating the adversary's guessing attacks on the real identity of a participant. In this case, we have

Proof. Each participant's real identity is always converted into an alias using a random number (i.e., AID i = ID i ⊕ H(r i P pub j )). Therefore, the adversary cannot determine the participant's real identity, because every alias is different and there is nothing against which a guessed identity could be verified.

Experiment Exp 3 . All oracles considered in experiment Exp 2 are also simulated in this experiment; however, all executions are halted where a collision occurs among (AID i , u i , M 1 ), (AID j , u j , M 2 ) and (M 3 ). By the birthday paradox, the probability of a collision in the h oracle is at most q h ² / 2|Hash|, and similarly the probability of a collision in the transcript is at most (q send + q exe )² / 2p. Consequently,

Experiment Exp 4 . All oracles considered in experiment Exp 3 are simulated in this experiment, except that the simulation of Corrupt queries to an OBU is stopped. Note that the information B i , C i , D i , y i , Z i , P pub i and E i stored in the OBU can be extracted by A when the Corrupt(U i ) query is issued. However, this information is useless to A for computing the session key, since A would require the secure key PSK, the private key x i and a temporary secret random number, and deriving PSK and x i from E i and Z i is difficult without obtaining the user's correct password PW i via a password attack. Hence, we obtain

Experiment Exp 5 . In this experiment, we use the private oracle h′ in place of the oracle h for computing k, as shown in Table 3, so that the session key is totally independent of h. More precisely, one obtains k = h′(T||R||P pub i ||P pub j ) in Execute queries. Therefore, experiments Exp 4 and Exp 5 are indistinguishable except when the following event AskH 6 occurs: A issues a query to h on T||R||P pub i ||P pub j ||s, i.e., on the value T||R||P pub i ||P pub j ||(ECCDH(T, P pub j ) + ECCDH(R, P pub i )).
In addition, regardless of the value of b chosen in a Test query, the response is independent for all sessions since it is a random number. Therefore,

Experiment Exp 6 . In this experiment, the random self-reducibility of the elliptic curve computational Diffie-Hellman assumption is simulated: given an ECCDH instance (A, B), we randomly select α, β, γ, ϕ ∈ Z p * and let T = αA − PSK · P, R = βA − PSK · P, P pub i = γB, and P pub j = ϕB. Note that AskH 6 means that A has issued a query to h on T||R||Y, where Y = ECCDH(T, P pub j ) + ECCDH(R, P pub i ). Indeed, Pr[AskH 6 ] = Pr[Succ 6 ]. We have:

Therefore,

If A knows the session key k constructed from (αA, βA, PSK · P, γB, ϕB), it must have issued a query to h on T||R||P pub i ||P pub j ||s that was recorded in the list Λ h . Therefore, we can conclude that

From Equations (7) to (12) (t + (q send + q exe )t p ).

Confidentiality of Session Key
In our proposed scheme, whenever an authentication, secure communication or key update procedure is performed, a session key is generated from two random numbers chosen by the participants, and the generated key is then used to secure the communication. Moreover, the random numbers used to generate each session key are different. Therefore, it is difficult for an adversary A to guess the session key or to derive it from the communicated messages.

Anonymity
In our proposed scheme, to preserve users' privacy, the original identity of every participant is converted into an alias via an XOR operation with a hash that takes a random number r i as input (i.e., AID i = ID i ⊕ h(r i ) in the authentication procedure and AID i = ID i ⊕ h(r i P pub j ) in the secure communication procedure). Therefore, an adversary A cannot determine a user's original identity without the random number r i or the private key x j , even if T has been obtained, because of the hardness of the ECCDH problem in G.

Unlinkability
In our proposed scheme, the original identities of the participants are never transmitted over the insecure network; instead, every participant's identity is converted into an alias. Moreover, the authentication, secure communication and key update phases are independent of each other. In addition, after every authentication procedure performed by OBU i , the value C i is updated. Therefore, for two or more authentication messages sent by the same user, the adversary A cannot determine whether they have the same origin. Thus, A cannot trace the location of a user by intercepting messages.

Resistance to Impersonation Attack
In the authentication procedure of our improved scheme, an adversary wishing to impersonate OBU i must obtain both A i and ID i of OBU i . Otherwise, it cannot compute a valid authentication request, since the original identity of OBU i is converted into an alias via an XOR operation with a random number r i chosen by OBU i itself, and this random number r i is hidden by A i . The adversary could impersonate OBU i only by correctly guessing the random number, which is difficult because the random number is reselected for each authentication. Furthermore, in the secure communication procedure, the original identity of OBU i is likewise converted into an alias with a random number r i (AID i = ID i ⊕ h(r i P pub j )). The adversary cannot impersonate the OBU since this random number cannot be guessed.

Resistance to Internal Attack
In our proposed scheme, an internal attack refers to the case in which the owner of a vehicle, who possesses the common secure key PSK, attempts to reveal the session key of a communication channel. Under our improved scheme, in the secure communication procedure, even if the adversary intercepts all exchanged messages, namely (AID i , u i ) of OBU i and (AID j , u j ) of OBU j , and computes T and R using the secure key PSK, it can neither determine the users' original identities nor compute the session key k, under the assumption of the hardness of the ECCDH problem in G.
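To make the alias mechanism discussed under Anonymity, Unlinkability and Resistance to Internal Attack concrete, the following Python sketch (an added example, not the paper's code) computes AID i = ID i ⊕ H(r i P pub j ) over a self-contained implementation of secp256k1, shows the intended receiver OBU j unmasking ID i from T using only x j , and shows that two aliases of the same vehicle under fresh r i differ, while a third trusted vehicle applying its own key (it holds PSK but not x j ) recovers nothing. It assumes secp256k1 as the group G, SHA-256 of the x-coordinate as H, and T = r i · P as the point available to the receiver; the paper fixes none of these.

```python
import hashlib

# Assumed curve: secp256k1 (the paper only requires a prime-order group G
# in which ECCDH is hard). Affine coordinates, None = point at infinity.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over GF(P_MOD)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def h_point(pt):
    """H(.) on a curve point: SHA-256 of its x-coordinate (assumption)."""
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # ID_i is at most 32 bytes


def make_alias(id_i, r_i, ppub_j):
    """Sender OBU_i: AID_i = ID_i XOR H(r_i * P_pub_j); T = r_i * P goes with it."""
    return xor_bytes(id_i, h_point(ec_mul(r_i, ppub_j))), ec_mul(r_i, G)


def recover_id(aid_i, t_point, x_j):
    """Receiver OBU_j: x_j * T = x_j * r_i * P = r_i * P_pub_j, the same mask.
    Obtaining that mask from T and P_pub_j alone is an ECCDH instance."""
    return xor_bytes(aid_i, h_point(ec_mul(x_j, t_point)))


def demo(id_i, r_1, r_2, x_j, x_k):
    """(receiver unmasks, two aliases differ, insider OBU_k with key x_k fails)."""
    ppub_j = ec_mul(x_j, G)
    aid_1, t_1 = make_alias(id_i, r_1, ppub_j)
    aid_2, _ = make_alias(id_i, r_2, ppub_j)          # same vehicle, fresh r_i
    return (recover_id(aid_1, t_1, x_j) == id_i,
            aid_1 != aid_2,
            recover_id(aid_1, t_1, x_k) != id_i)
```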

Performance Analysis
In our proposed scheme, the general authentication procedure is based only on an XOR operation and a hash function; thus, its computation cost is low. To demonstrate the performance of the proposed scheme, we compare the critical secure communication procedure with the existing two-party secure communication schemes with session key agreement [6,11,12,15,16]. Next, we implement our scheme based on cryptographic libraries and present a concrete comparison of execution times. Then, we compare the security features of these schemes. Some notations are defined as follows for convenience: The detailed comparison is presented in Table 4, where the middle and right columns list the complexity and total execution time, respectively, of each scheme. The transmission time is not considered in the comparison since it depends on the actual characteristics of the network, not on the scheme. All operations listed in Table 4 were implemented using the OpenSSL library and the JPBC library, and the experiments were conducted on a Windows 7 PC (Samsung Electronics, Hwaseong, Korea) equipped with an Intel(R) Core(TM) i7-6500U CPU (Santa Clara, CA, USA).

Table 4. The execution time of basic operation.

Operation             T h      T mul    T bp    T add
Execution time (ms)   0.004    0.326    6.28    0.038

As seen in Table 5 and Figure 6, the execution time of our scheme is less than those of some other schemes [11,12]. Although the execution times of Chuang-Lee's scheme and Kumari's scheme are less than that of our scheme, their schemes fail to resist internal attack because the participants' aliases depend only on a random number that is hidden by PSK, as shown in Table 6. Therefore, a trusted vehicle can reveal a participant's real identity because it holds PSK. Meanwhile, because Porambage's scheme uses certificates for authentication, the unlinkability of messages cannot be preserved, and a user's anonymity can be violated. Therefore, our proposed scheme is a preferable solution for secure communication in vehicle sensor networks compared with the existing similar schemes presented in [6,11,12,15,16].

Table 5. Comparison of efficiency.

Conclusions
With the emergence of intelligent transportation, the security of vehicle sensor networks is attracting attention from individuals and vehicle manufacturers, and privacy preservation in communication over vehicle sensor networks has become a critical issue. In this paper, we have demonstrated that Chuang and Lee's TEAM scheme suffers from linkability of messages in its authentication protocol; thus, a malicious vehicle can track a driver by intercepting transmitted messages. At the same time, the TEAM scheme is vulnerable to an internal attack in its secure communication protocol; thus, a malicious trusted vehicle can compute the real identity of a user and the session key. To address these shortcomings, an improved authentication scheme based on elliptic curves has been constructed for better performance and security, in which the difficulty of deriving real identities arises from the need to solve an elliptic curve discrete logarithm problem. In this way, privacy preservation is achieved since the real identities of users are protected. The correctness of our proposed scheme has been proven using BAN logic, and a rigorous security proof has been provided based on the random oracle model. In future work, elliptic-curve-based authentication schemes involving three parties will be investigated.