Secure Authentication Protocol for Wireless Sensor Networks in Vehicular Communications

With wireless sensor networks (WSNs), a driver can access various useful information for convenient driving, such as traffic congestion, emergencies, vehicle accidents, and speed. However, a driver and traffic manager can be vulnerable to various attacks because such information is transmitted through a public channel. Therefore, secure mutual authentication has become an important security issue, and many authentication schemes have been proposed. In 2017, Mohit et al. proposed an authentication protocol for WSNs in vehicular communications to ensure secure mutual authentication. However, their scheme cannot resist various attacks such as impersonation and trace attacks, and their scheme cannot provide secure mutual authentication, session key security, and anonymity. In this paper, we propose a secure authentication protocol for WSNs in vehicular communications to resolve the security weaknesses of Mohit et al.’s scheme. Our authentication protocol prevents various attacks and achieves secure mutual authentication and anonymity by using dynamic parameters that are changed every session. We prove that our protocol provides secure mutual authentication by using the Burrows–Abadi–Needham logic, which is a widely accepted formal security analysis. We perform a formal security verification by using the well-known Automated Validation of Internet Security Protocols and Applications tool, which shows that the proposed protocol is safe against replay and man-in-the-middle attacks. We compare the performance and security properties of our protocol with other related schemes. Overall, the proposed protocol provides better security features and a comparable computation cost. Therefore, the proposed protocol can be applied to practical WSNs-based vehicular communications.


Introduction
Wireless sensor networks (WSNs), in conjunction with intelligent transport systems (ITS) and embedded technology, have advanced to such an extent that drivers can make full use of various information such as traffic congestion, vehicle accidents, and speed. To provide these useful services, a sensor in the vehicle collects data on the vehicle and surrounding area and sends it to the traffic manager through a sink node. The traffic manager in the traffic management office receives data from vehicle sensors and can monitor a vehicle and the surrounding area to provide useful data to the driver in real time. However, a malicious adversary can easily obtain and modify the data because it is transmitted via a public network. Therefore, the authentication protocol between the vehicle and user in vehicular communications has become a very important security issue. In the last few decades, numerous authentication schemes for WSNs have been proposed to ensure secure communications and user privacy [1][2][3][4][5][6][7][8]. In 2006, Wong et al. [9] proposed a dynamic ID-based user

• We demonstrate that Mohit et al.'s scheme is vulnerable to various attacks such as impersonation and trace attacks. In addition, we point out that their scheme cannot provide mutual authentication, session key security, and anonymity.

• We propose a secure authentication protocol for WSNs in vehicular communications to resolve these security weaknesses. Our proposed protocol prevents impersonation and trace attacks, and also achieves anonymity, session key security, and secure mutual authentication. In addition, the proposed scheme is efficient because it uses only hash functions and XOR operations in the authentication phase.

• We prove that our protocol provides secure mutual authentication by using the broadly accepted Burrows-Abadi-Needham (BAN) logic [28]. We also perform an informal analysis to demonstrate the security of the proposed protocol against various attacks such as impersonation and trace attacks.

• We compare the performance of our scheme against those of related existing schemes and perform a formal security verification by using the widespread Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation software tool.

Paper Outline
The remainder of this paper is organized as follows. In Section 2, we introduce the vehicular communications system model. In Sections 3 and 4, we review Mohit et al.'s authentication scheme and analyze its security weaknesses. In Section 5, we propose a secure authentication protocol for WSNs in vehicular communications to resolve the security problems of their scheme. In Section 6, we present an informal analysis on the security of our protocol and prove that it achieves secure mutual authentication by using BAN logic. In Sections 7 and 8, we present the formal security verification with the AVISPA simulation tool and compare the performance of our protocol with that of related protocols. Finally, we present our conclusions in Section 9.

System Model
In this section, we introduce a vehicular communication system using WSNs and essential security requirements. There are three entities involved in the vehicular communications system: the vehicle sensor, sink node, and user. The vehicular communications system model is shown in Figure 1. The vehicular communications system consists of two parts: the WSNs and vehicle and the user and sink node. The vehicle sensor is deployed in the vehicle and collects data on the traffic and surrounding area in real time, which it then sends to the sink node. After receiving the data from the vehicle sensor, the sink node stores it for the user. The user can control the response to traffic jams, speed, and emergency situations based on the data collected by the sink node.
Numerous authentication protocols [29][30][31] have defined security requirements in order to explain their security goals. Therefore, we also define the essential security requirements to explain and ensure our security goals.
• Untraceability and anonymity. In a modern vehicular communication system, a user's real identity and location data are very sensitive information. For this reason, an adversary must not be able to trace a user's location or learn the user's real identity, so that the user's privacy is guaranteed.
• Secure mutual authentication. Secure mutual authentication is an essential security requirement in VANETs to guarantee that only legitimate users can access the services and communicate securely with each other [32].
• Confidentiality. In our system, the user, sink node, and vehicle sensor communicate among themselves over the Internet. However, an adversary can try to obtain various pieces of information from users such as traffic congestion, speed, and vehicle accidents because it is transmitted over a public channel. Therefore, confidentiality must be guaranteed: the transmitted data must be known only to legitimate users.

Review of Mohit et al.'s Scheme
In this section, we review Mohit et al.'s authentication protocol for WSNs, which consists of three phases: system setup, user registration, and user login and authentication. Table 1 presents the notations used in this paper.

System Setup Phase
When a driver wants to deploy a sensor in a vehicle, the registration authority (RA) registers the vehicle sensor in the network. In addition, RA stores various data on the vehicle such as the vehicle number, engine, battery, and insurance in a database.

User Registration Phase
If a new traffic manager $U_i$ wants to register, $U_i$ must first send the registration request message to the sink node $SN_j$. The user registration phase of Mohit et al.'s scheme is shown in Figure 2, and the detailed steps are described as follows.
Step 1: and sends them to the sink node via a secure channel.

Step 2: $SN_j$ selects a random nonce $RG_i$ and random number $q_i$, and then $SN_j$ computes After that, $SN_j$ stores $\{A_i, B_i, C_i, D_i, RG_i\}$ in the smartcard and issues the smartcard to $U_i$ through a secure channel.

Step 3: Upon receiving the smartcard, $U_i$ computes $HN_i = h(ID_i \| PW_i) \oplus RN_i$ and stores it in the smartcard. Ultimately, the smartcard contains $\{A_i, B_i, C_i, D_i, RG_i, HN_i\}$.

User Login and Authentication Phase
If a user $U_i$ wants to access the system, $U_i$ must send the login request message to the sink node $SN_j$. After receiving the login request message from $U_i$, $SN_j$ checks whether it is legitimate. If it is valid, $SN_j$ performs the authentication phase. The user login and authentication phase of Mohit et al.'s scheme is shown in Figure 3. The detailed steps of this phase are described as follows.
Step 1: $U_i$ inserts the smartcard into a card reader and inputs $ID_i$ and $PW_i$. The smartcard then computes Then, the smartcard checks whether $B_i^* \stackrel{?}{=} B_i$. If they are equal, the smartcard computes $q_i = C_i \oplus HPW_i$ and generates a random nonce $NU_i$. The smartcard also computes $M_{TS} = h(q_i \| B_i \| NU_i)$, $p_1 = NU_i \oplus q_i$, $p_2 = ID_k \oplus h(p_1 \| q_i)$ and $E_i = D_i \oplus HPW_i$. Finally, the smartcard sends the login request message $\{M_{TS}, p_1, p_2, E_i\}$ to $SN_j$ via a public channel.
Step 2: After receiving the login request message from $U_i$, $SN_j$ retrieves $q_i = E_i \oplus h(K_s)$, $NU_i = p_1 \oplus q_i$ and $ID_k = p_2 \oplus h(p_1 \| q_i)$. Then, $SN_j$ computes $M_{TS}^* = h(q_i \| B_i \| NU_i)$ and checks whether $M_{TS}^*$ is equal to $M_{TS}$. Then, $SN_j$ generates a random nonce $NS_j$ and computes Finally, $SN_j$ sends $\{M_{SV}, d_1, d_2\}$ to the vehicle sensor.
Step 3: Upon receiving the message $\{M_{SV}, d_1, d_2\}$, the vehicle sensor $VS_k$ retrieves $NS_j = d_1 \oplus h(ID_k)$ and $ID_j = d_2 \oplus ID_k$. Then, $VS_k$ checks the freshness of $NS_j$. If it is fresh, $VS_k$ sends $ID_k$ and requests the sink node's master key $X_k$ from RA. After receiving $X_k$ from RA through a secure channel, $VS_k$ computes $M_{SV}^* = h(ID_k \| NS_j \| X_k \| ID_j)$ and checks whether $M_{SV}^* \stackrel{?}{=} M_{SV}$. If it is verified, $VS_k$ chooses a random nonce $NV_k$ and computes $v = h(ID_k \| NS_j \| NV_k)$, $M_{VS} = h(X_k \| NS_j \| v)$, and $t = NS_j \oplus NV_k$. Finally, $VS_k$ sends $\{M_{VS}, t\}$ to $SN_j$.
Step 4: After receiving the message $\{M_{VS}, t\}$, $SN_j$ retrieves $NV_k = t \oplus NS_j$ and computes $v =$
Step 5: Upon receiving the message $\{M_{ST}, w\}$ from $SN_j$, $U_i$ retrieves $NS_j = w \oplus NU_i$ and If they are equal, mutual authentication has been successfully achieved.

Password Change Phase
$U_i$ can freely update his or her password when desired. The password change phase is described in Figure 4 and the detailed steps of this phase are as follows.
Step 1: $U_i$ inserts the smartcard into the card reader and inputs the identity $ID_i^*$ and password $PW_i^*$, and then $U_i$ submits $\{ID_i^*, PW_i^*\}$ to the card reader via a secure channel.

Step 2: After If this is verified, the smartcard sends the authentication message and requests a new password from $U_i$. After receiving the authentication message from the smartcard, $U_i$ inputs the new password $PW_i^{new}$.

Step 3:
The smartcard calculates HPW new

Cryptanalysis of Mohit et al.'s Scheme
In this section, we discuss the security weaknesses of Mohit et al.'s scheme. They asserted that their scheme is secure against trace and impersonation attacks, and they showed that their scheme can provide anonymity, session key security, and secure mutual authentication. However, here we demonstrate that Mohit et al.'s scheme does not resist the following attacks.

Impersonation Attack
If an adversary $U_a$ tries to impersonate a legitimate user, $U_a$ can successfully generate a login request message of a legitimate user $\{M_{TS}, p_1, p_2, E_i\}$. According to Section 1.1, we can assume that $U_a$ obtains the smartcard of the legitimate user $U_i$ and extracts the values $\{B_i, C_i, D_i\}$ stored in the smartcard and that $U_a$ has the messages transmitted in the previous session. Here, we show that Mohit et al.'s scheme does not prevent an impersonation attack.
Step 1: , where $E_i$, $p_1$, and $p_2$ are messages of the previous session.

Step 2: $U_a$ can obtain the secret parameters $q_i$, $B_i$, and $HPW_i$ and a random nonce $NU_i$. $U_a$ then chooses a random nonce $RU_a$ and computes Finally, $U_a$ generates the login request message $\{M_{TSa}, p_{1a}, p_{2a}, E_i\}$ and sends it to the sink node $SN_j$.

Step 3: After receiving the login request message from $U_a$, $SN_j$ retrieves and checks whether $M_{TS}^*$ is equal to $M_{TSa}$. Then, $SN_j$ generates a random nonce $NS_{j2}$ and computes
Step 4: Upon receiving the message $\{M_{SV2}, d_1, d_2\}$, the vehicle sensor $VS_k$ retrieves $NS_{j2} = d_1 \oplus h(ID_k)$ and $ID_j = d_2 \oplus ID_k$, and then $VS_k$ checks the freshness of $NS_{j2}$. If it is fresh, $VS_k$ sends $ID_k$ and requests the sink node's master key $X_k$ from RA. After receiving $X_k$ from RA through a secure channel,
Step 5: After receiving the message $\{M_{VS2}, t\}$, $SN_j$ retrieves $NV_{k2} = t \oplus NS_{j2}$ and computes
Step 6: Upon receiving the message $\{M_{ST2}, w\}$ from $SN_j$, $U_a$ successfully achieves mutual authentication.
Therefore, Mohit et al.'s scheme is vulnerable to impersonation attacks.

Trace Attack and Anonymity Preservation
According to Section 4.1, an adversary $U_a$ can obtain the real identities of the vehicle sensor and sink node. First, $U_a$ retrieves the vehicle sensor's real identity $ID_k = p_2 \oplus h(p_1 \| q_i)$ and then computes $NS_j = d_1 \oplus h(ID_k)$. Finally, $U_a$ retrieves the sink node's real identity $ID_j = d_2 \oplus ID_k$. For this reason, Mohit et al.'s scheme does not prevent trace attacks or provide anonymity.
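The disclosure described in Sections 4.1 and 4.2 can be checked mechanically with a small model of the reviewed scheme. The following is an added example, not code from the paper or from Mohit et al.: it instantiates $h$ with SHA-1, assumes every XOR operand is 160 bits, uses constructed random values for the secrets, and derives $C_i$ and $D_i$ from the login-phase relations $q_i = C_i \oplus HPW_i$, $E_i = D_i \oplus HPW_i$ and $q_i = E_i \oplus h(K_s)$ reviewed above.

```python
import hashlib
import hmac
import secrets

N = 20  # assumption: every XOR operand is 160 bits (SHA-1 digest size)

def h(*parts: bytes) -> bytes:
    """h(a || b || ...), instantiated with SHA-1 as in the page's cost analysis."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def make_world():
    """Constructed sample secrets; C_i and D_i follow from the login equations."""
    s = {name: secrets.token_bytes(N) for name in ("K_s", "q_i", "HPW_i", "B_i")}
    s["ID_k"], s["ID_j"] = h(b"constructed-sensor-id"), h(b"constructed-sink-id")
    card = {
        "B_i": s["B_i"],
        "C_i": xor(s["q_i"], s["HPW_i"]),                    # q_i = C_i xor HPW_i
        "D_i": xor(xor(s["q_i"], h(s["K_s"])), s["HPW_i"]),  # q_i = E_i xor h(K_s)
    }
    return s, card

def login_request(card, HPW_i, ID_k):
    """Smartcard side of Step 1: builds {M_TS, p_1, p_2, E_i}."""
    q_i = xor(card["C_i"], HPW_i)
    NU_i = secrets.token_bytes(N)
    p_1 = xor(NU_i, q_i)
    msg = {"M_TS": h(q_i, card["B_i"], NU_i), "p_1": p_1,
           "p_2": xor(ID_k, h(p_1, q_i)), "E_i": xor(card["D_i"], HPW_i)}
    return msg, NU_i

def sink_forward(ID_k, ID_j):
    """The d_1 and d_2 fields of Step 2, as inverted by the sensor in Step 3."""
    NS_j = secrets.token_bytes(N)
    return {"d_1": xor(NS_j, h(ID_k)), "d_2": xor(ID_j, ID_k)}, NS_j

def exposed_values(card, msg, fwd):
    """Values determined by the card contents plus one public transcript."""
    HPW_i = xor(card["D_i"], msg["E_i"])        # from E_i = D_i xor HPW_i
    q_i = xor(card["C_i"], HPW_i)               # from q_i = C_i xor HPW_i
    NU_i = xor(msg["p_1"], q_i)                 # from p_1 = NU_i xor q_i
    ID_k = xor(msg["p_2"], h(msg["p_1"], q_i))  # Section 4.2
    NS_j = xor(fwd["d_1"], h(ID_k))
    ID_j = xor(fwd["d_2"], ID_k)
    matches = hmac.compare_digest(h(q_i, card["B_i"], NU_i), msg["M_TS"])
    return {"HPW_i": HPW_i, "q_i": q_i, "NU_i": NU_i, "ID_k": ID_k,
            "NS_j": NS_j, "ID_j": ID_j, "M_TS_matches": matches}

def audit():
    """Runs one constructed session and lists the secrets that were exposed."""
    s, card = make_world()
    msg, NU_i = login_request(card, s["HPW_i"], s["ID_k"])
    fwd, NS_j = sink_forward(s["ID_k"], s["ID_j"])
    got = exposed_values(card, msg, fwd)
    truth = dict(s, NU_i=NU_i, NS_j=NS_j)
    leaked = sorted(k for k in truth if k in got and got[k] == truth[k])
    return leaked, got["M_TS_matches"]

if __name__ == "__main__":
    print(audit())
```

Every secret that the login message hashes into $M_{TS}$ is recoverable with XOR alone, which is why the session-key argument in Section 4.4 fails; only $K_s$ stays hidden in this model.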

Mutual Authentication
In Section 4.1, we demonstrate that Mohit et al.'s scheme does not resist impersonation attacks. An adversary $U_a$ can compute the login request message $\{M_{TS}, p_1, p_2, E_i\}$ and successfully achieve mutual authentication with $VS_k$. In addition, the sink node $SN_j$ cannot compute the authentication message

Session Key Security
Mohit et al. claimed that their scheme can provide session key security because an adversary cannot compute $M_{TS} = h(q_i \| B_i \| NU_i)$. However, we demonstrate that an adversary can compute the value $M_{TS}$ in Section 4.1. Therefore, Mohit et al.'s scheme cannot achieve session key security.

Proposed Protocol
In this section, we propose a secure authentication protocol for WSNs in vehicle communications to resolve the security problems of Mohit et al.'s scheme [23]. Our proposed scheme consists of four phases: system setup, user registration, login and authentication and password change. In our protocol, the system setup phase is equivalent to that of Mohit et al.'s scheme. The details of the other three phases are presented below.

User Registration Phase
When a new user $U_i$ wants to first access the sink node as a traffic manager, he or she must first register with the sink node. The user registration phase of the proposed protocol is shown in Figure 5 and the detailed steps are as follows:
Step 1: The user $U_i$ selects the identity $ID_i$ and password $PW_i$ and then generates a random number $a_i$ to compute $HPW_i = h(PW_i \| a_i)$. Then, $U_i$ sends $\{ID_i, HPW_i\}$ to the sink node $SN_j$ via a secure channel.

Step 2: After receiving the registration request message from $U_i$, $SN_j$ generates a random unique identity $TID_i$ for $U_i$ and computes

Step 3: Upon receiving the smartcard from $SN_j$,

Login and Authentication Phase
If a user $U_i$ wants to access the sink node $SN_j$, $U_i$ must send a login request message. The login and authentication phase of our scheme is shown in Figure 6 and the details of this phase are as follows.
Figure 6. User login and authentication phase of the proposed scheme.
Step 1: $U_i$ inserts the smartcard and inputs the identity $ID_i$ and password $PW_i$ into a smartcard reader. Then, $U_i$ computes
Step 2: After receiving the login request message from $U_i$, $SN_j$ retrieves $C_i$ matched with $TID_i$ in a database. Then, $SN_j$ computes $= M_{TS}$. If it is correct, $SN_j$ generates a random nonce $RS_j$ and computes $SN_j$ also sends the authentication request message $\{M_{SV}, M_3, M_4\}$ to $VS_k$ via a public channel.
Step 3: Upon receiving the message $\{M_{SV}, M_3, M_4\}$, $VS_k$ computes $ID_j = M_4 \oplus ID_k$ and receives $X_k$ from RA. Then, $VS_k$ computes $RS_j = M_3 \oplus h(ID_j \| X_k)$ and $M_{SV}^* = h(ID_k \| ID_j \| X_k \| RS_j)$ and checks whether $M_{SV}^* \stackrel{?}{=} M_{SV}$. If they are equal, $VS_k$ generates a random nonce $RV_k$ and computes $v_i = h(ID_k \| RS_j \| RV_k)$, $M_{VS} = h(X_k \| RS_j \| v_i)$, and $t = RS_j \oplus RV_k$. Finally, $VS_k$ sends $\{M_{VS}, t\}$ to $SN_j$ through a public channel.

Step 4: After receiving the message $\{M_{VS}, t\}$ from $VS_k$, $SN_j$ computes $RV_k = t \oplus RS_j$, $v_i = h(ID_k \| RS_j \| RV_k)$ and $M_{VS}^* = h(X_k \| RS_j \| v_i)$. Then, $SN_j$ checks whether $M_{VS}^* \stackrel{?}{=} M_{VS}$. If they are equal, $SN_j$ computes $n = RS_j \oplus RU_i$ and $m = RV_k \oplus RU_i$. After that, $SN_j$ generates a new random unique identity $TID_i^{new}$ and computes $M_5 = TID_i^{new} \oplus h(RS_j \| RV_k)$ and $M_{ST} = h(RU_i \| RS_j \| RV_k \| ID_k \| ID_i)$. $SN_j$ also sends the message $\{M_{ST}, M_5, n, m\}$ to $U_i$ via an open channel.
Step 5: Upon receiving the message $\{M_{ST}, M_5, n, m\}$, and sends the confirmation message $\{M_6\}$ to $SN_j$.
Step 6: After receiving the message
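
The sink node and vehicle sensor exchange of Steps 2 to 4 can be exercised end to end. The following is an added example, not the authors' implementation: it takes $M_{SV}$, $M_3$ and $M_4$ as the inverses of the sensor-side equations in Step 3, instantiates $h$ with SHA-1, assumes all identities, keys and nonces are 160 bits, and adds single-use handling of $RS_j$ at the sink as an implementation choice. The class names and sample identities are constructed for illustration.

```python
import hashlib
import hmac
import secrets

N = 20  # assumption: identities, keys and nonces are all 160 bits

def h(*parts: bytes) -> bytes:
    """h(a || b || ...), instantiated with SHA-1 as in the page's cost analysis."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

class SinkNode:
    def __init__(self, ID_j, ID_k, X_k):
        self.ID_j, self.ID_k, self.X_k = ID_j, ID_k, X_k
        self.RS_j = None

    def request(self):
        """End of Step 2: build {M_SV, M_3, M_4} around a fresh nonce RS_j."""
        self.RS_j = secrets.token_bytes(N)
        M_SV = h(self.ID_k, self.ID_j, self.X_k, self.RS_j)
        M_3 = xor(self.RS_j, h(self.ID_j, self.X_k))
        M_4 = xor(self.ID_k, self.ID_j)
        return M_SV, M_3, M_4

    def verify(self, M_VS, t):
        """Step 4: recover RV_k and check M_VS; returns RV_k or None."""
        if self.RS_j is None:
            return None
        RS_j, self.RS_j = self.RS_j, None   # a nonce answers one response only
        RV_k = xor(t, RS_j)
        v_i = h(self.ID_k, RS_j, RV_k)
        if not hmac.compare_digest(h(self.X_k, RS_j, v_i), M_VS):
            return None
        return RV_k

class VehicleSensor:
    def __init__(self, ID_k, X_k):
        self.ID_k, self.X_k = ID_k, X_k     # X_k is received from the RA
        self.RV_k = None

    def respond(self, M_SV, M_3, M_4):
        """Step 3: authenticate the sink, then return {M_VS, t} or None."""
        ID_j = xor(M_4, self.ID_k)
        RS_j = xor(M_3, h(ID_j, self.X_k))
        if not hmac.compare_digest(h(self.ID_k, ID_j, self.X_k, RS_j), M_SV):
            return None
        self.RV_k = secrets.token_bytes(N)
        v_i = h(self.ID_k, RS_j, self.RV_k)
        return h(self.X_k, RS_j, v_i), xor(RS_j, self.RV_k)

def demo():
    """Constructed sessions: tampering, replay, and an honest run."""
    ID_j, ID_k = h(b"constructed-sink-id"), h(b"constructed-sensor-id")
    X_k = secrets.token_bytes(N)
    sink, sensor = SinkNode(ID_j, ID_k, X_k), VehicleSensor(ID_k, X_k)
    old = sensor.respond(*sink.request())        # session 1, captured
    M_SV, M_3, M_4 = sink.request()              # session 2, new RS_j
    tampered = sensor.respond(M_SV, xor(M_3, b"\x01" * N), M_4) is None
    replayed = sink.verify(*old) is None         # old response, new nonce
    honest = sensor.respond(*sink.request())     # session 3
    accepted = sink.verify(*honest) == sensor.RV_k
    return {"tampered_request_rejected": tampered,
            "replayed_response_rejected": replayed,
            "honest_run_accepted": accepted}

if __name__ == "__main__":
    print(demo())
```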

Password Change Phase
In our proposed protocol, $U_i$ can change the password when desired without the help of the sink node $SN_j$. The password change phase is shown in Figure 7 and the detailed steps of this phase are presented below:
Step 1: $U_i$ inserts his or her smartcard into a card reader and inputs the identity $ID_i$ and old password $PW_i^*$.
Then, SC compares the computed $B_i^*$ with the stored $B_i$ in its memory. If it is valid, SC sends an authentication message to $U_i$.

Step 3: On receiving the message from the smartcard, $U_i$ inserts the new password $PW_i^{new}$ in the smartcard.
Step 4: Using the new password PW new Finally, the smartcard replaces the old information with

Security Analysis
In this section, we use the Burrows-Abadi-Needham (BAN) logic [28], which is a broadly accepted formal security model, to carry out an analysis and prove that our protocol can provide secure mutual authentication. We also demonstrate that our proposed protocol can resist various attacks through an informal security analysis, which is based on Section 1.1.

Informal Security Analysis
We present an informal security analysis of our proposed scheme to show that it prevents trace, impersonation, and replay attacks. In addition, we demonstrate that our protocol can achieve mutual authentication and anonymity.

Impersonation Attack
If an adversary $U_a$ tries to impersonate a legitimate user $U_i$, $U_a$ must generate a login request message $\{M_{TS}, M_1, M_2, CID_i, TID_i\}$ and response message $\{M_6\}$ successfully. However, $U_a$ cannot generate these because $U_a$ cannot know the real identity of $U_i$ and the secret parameters $X_i$, $RU_i$, and $K_S$. In addition, $U_a$ cannot retrieve the random nonce $RU_i$ from $M_1$. Therefore, our protocol resists impersonation attacks because $U_a$ cannot generate valid messages.

Trace Attack and Anonymity
In the login and authentication phase of our protocol, an adversary $U_a$ cannot trace a legitimate user $U_i$ or vehicle $VS_k$ because all transmitted messages are changed every session. In addition, $U_i$ sends the dynamic identity $CID_i = ID_i \oplus h(TID_i \| X_i \| RU_i)$ and $TID_i$ to the sink node, and the identity of $VS_k$ is also included in $M_4 = ID_k \oplus ID_j$. In other words, to obtain the record of a user's movement and real identity, an adversary must know the user's real identity $ID_i$, secret parameter $X_i$, and random nonces $RU_i$, $RS_j$, and $RV_k$. For these reasons, our protocol provides anonymity and is secure against trace attacks.

Smartcard Stolen Attack
According to Section 1.1, we assume that an adversary $U_a$ can obtain a smartcard and extract the parameters $\{A_i, B_i, TID_i, Q_i\}$. However, $U_a$ cannot obtain any sensitive user information without $ID_i$ and $PW_i$ because the parameters stored in smartcards are masked in $X_i = h(ID_i \| K_S)$, , and $Q_i = h(ID_i \| PW_i) \oplus a_i$ by the hash function and XOR operation. Consequently, our proposed protocol prevents smartcard stolen attacks.

Replay Attack
According to Section 1.1, suppose that an adversary $U_a$ tries to impersonate a legitimate user $U_i$ by resending messages transmitted in the previous session. $U_a$ cannot impersonate $U_i$ successfully. In our scheme, the sink node $SN_j$ checks whether a random nonce is fresh or not. If a random nonce value $RU_i$ is not fresh, $SN_j$ rejects the login request message. In addition, $U_a$ cannot generate the confirmation message $M_6$ successfully because $U_a$ cannot obtain the random nonce $RS_j$ generated by $SN_j$. Therefore, the proposed protocol is secure against replay attacks.

Secure Mutual Authentication
When receiving the login message $\{M_{TS}, M_1, M_2, CID_i, TID_i\}$ and confirmation message $\{M_6\}$ from $U_i$, the sink node $SN_j$ checks whether $M_{TS}$ and $M_6$ are correct. In addition, $SN_j$ retrieves $X_i$ from a database to validate $M_{TS}$. If this is correct, $SN_j$ authenticates $U_i$. After receiving $\{M_{VS}, t\}$ from $VS_k$, the sink node checks whether $M_{SV} = h(ID_k \| RS_j \| RV_k)$ is valid. If it is valid, $SN_j$ authenticates $VS_k$. Finally, the user $U_i$ checks whether the received value If it is correct, $U_i$ authenticates $SN_j$. Therefore, all entities authenticate each other successfully because an adversary cannot know the important parameters discussed in Sections 6.1.1 and 6.1.2.
According to Sections 6.1.2 and 6.1.5, all transmitted messages are changed every session and an adversary cannot obtain the user's sensitive information. Therefore, our protocol meets the essential security requirements of untraceability, anonymity, secure mutual authentication, and confidentiality. Furthermore, secure mutual authentication is proved in Section 6.2 using BAN logic.

Security Analysis Using BAN Logic
To prove the secure mutual authentication of our protocol, we perform an analysis with the BAN logic [28], which is a widely accepted formal security model. First, we define the notation of the BAN logic in Table 2. Then, we describe the logical postulates of the BAN logic in Section 6.2.1. Next, we present the goals, idealized form, and initial assumptions of our protocol. Finally, we demonstrate that our protocol achieves secure mutual authentication between $U_i$ and $VS_k$ by using the BAN logic.

Notation | Description
$P \mid\equiv X$ | $P$ believes the statement $X$
$\#X$ | The statement $X$ is fresh
$P \triangleleft X$ | $P$ sees the statement $X$

The postulates of the BAN logic are given below:

Goals
We have the following goals to prove the secure mutual authentication of our proposed protocol:
Goal 6: $SN_j \mid\equiv VS_k \mid\equiv (RV_k)$.

Idealized Forms
The idealized forms of the transmitted messages are given below:

Assumptions
We make the following initial assumptions to perform the BAN logic proof:

Security Analysis Using the AVISPA Tool
In this section, we perform a formal security verification of our protocol with the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool [33,34]. Formal security verification with this tool has received much attention and has been used in numerous studies to demonstrate that various authentication protocols are secure against replay and man-in-the-middle attacks [35][36][37][38][39].
With AVISPA, the security protocol must be implemented by using the High-Level Protocol Specification Language (HLPSL) [40]. The HLPSL specification of the security protocol is translated to an intermediate format (IF) by the HLPSL2IF translator. Finally, it is converted to the output format (OF) with the On-the-fly Model-Checker (OFMC) [41], the CL-based Attack Searcher (CL-AtSe) [42], the SAT-based Model-Checker (SATMC), or the Tree Automata-based Protocol Analyzer (TA4SP).

HLPSL Specifications
According to HLPSL, the proposed protocol has three entities, which are called roles: user denotes a user UA, sinknode denotes a sink node SN, and vehiclesense denotes a vehicle sensor VS. The session and environment also contain the security goals, as shown in Figure 8. The role specifications of $U_i$ are shown in Figure 9 and the details are as follows.

Analysis of Simulation Results
In this section, we present the results of the AVISPA analysis using OFMC and CL-AtSe back-ends to ensure the security of our protocol, as shown in Figure 12. To estimate the security against replay attack, the OFMC and CL-AtSe back-ends check whether a legitimate entity can execute the protocol by searching for a passive adversary. Moreover, the OFMC and CL-AtSe back-ends also check whether the proposed protocol is secure against the man-in-the-middle attack for the DY model checking.
The OFMC back-end has a search time of 1.17 seconds to visit 130 nodes, and the CL-AtSe back-end analyzes two states with a translation time of 0.12 seconds. Because the replay attack and Dolev-Yao model checking are performed successfully, the proposed protocol is safe against replay and man-in-the-middle attacks.

Performance Analysis
In this section, we compare the computation and communication costs of our proposed protocol with those of related protocols [3,15,16,23,43,44] and discuss the security properties.

Computation Cost
We compare the computation overheads of our protocol with those of related protocols [3,15,16,23,43,44]. For the comparison of computation cost, we define the notations as follows. $T_h$, $T_S$, and $T_M$ denote the times for a hash operation (≈0.0005 s), a symmetric key cryptographic operation (≈0.0087 s), and an elliptic curve scalar point multiplication operation (≈0.0630 s), respectively. The analysis results are presented in Table 3.

Table 3. Computation cost of our proposed scheme with other related schemes.

Schemes | User | Sink Node | Sensor | Total Cost | Total Cost (s)
Shi et al. [15] 5T 0818
Xue et al. [44] | $10T_h$ | $14T_h$ | $6T_h$ | $30T_h$ | 0.0150
Kumari and Om [3] | $10T_h$ | $8T_h$ | $6T_h$ | $24T_h$ | 0.0120
Mohit et al. [23] 7T

We use the existing computation analysis results of Mohit et al. [23] for a rough evaluation. We do not include the XOR operation because it is negligible compared with the other operations. The results show that our protocol needs $8T_h$ for the user, $13T_h$ for the sink node, and $4T_h$ for the sensor. Thus, the total cost of our protocol is 0.0125 seconds. Even though this is slightly higher than the cost for Mohit et al.'s protocol, the difference is negligible, and the proposed protocol provides better security than other protocols. Therefore, our protocol is secure and suitable for practical WSNs environments.

Table 4 compares the security properties of our proposed protocol with those of other related protocols. The existing related schemes clearly cannot resist various attacks, and their protocols cannot achieve anonymity and mutual authentication. For these reasons, our protocol provides better security features than the other protocols [3,15,16,23,43,44].

•: preserves the security properties, ×: does not preserve the security properties.

Communication Cost
Finally, we compare the communication cost of our scheme with those of related protocols. For the communication analysis, we assume that a random nonce (number) and timestamp are 64 bits, a pseudo-identity is 160 bits, the SHA-1 hash digest [45] is 160 bits, elliptic curve scalar multiplication is 512 bits, and symmetric key cryptographic operation is 256 bits.

Conclusions
In this paper, we demonstrate that Mohit et al.'s scheme does not resist the impersonation and trace attacks. We also show that it does not achieve secure mutual authentication, session key security, and anonymity. We propose a secure authentication protocol for WSNs in vehicular communications to resolve the security problems of their scheme. The proposed protocol is secure against impersonation, replay, smartcard stolen and trace attacks and can achieve secure mutual authentication and anonymity by using dynamic values for the transmitted messages that change every session. We also prove that our protocol can provide secure mutual authentication between $U_i$, $SN_j$ and $VS_k$ by using BAN logic and we present a formal security verification using the AVISPA tool. Furthermore, we compare the performance and security functionalities with those of other related protocols. Therefore, the proposed protocol can be efficiently applied to practical vehicle communications systems.