Next Article in Journal
The Impact of Virtual Reality Content Characteristics on Cybersickness and Head Movement Patterns
Next Article in Special Issue
Secure and Intelligent Single-Channel Blind Source Separation via Adaptive Variational Mode Decomposition with Optimized Parameters
Previous Article in Journal
A Comprehensive Survey of Machine Learning Techniques and Models for Object Detection
Previous Article in Special Issue
Intelligent Beam-Hopping-Based Grant-Free Random Access in Secure IoT-Oriented Satellite Networks
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks

School of Communication and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
*
Author to whom correspondence should be addressed.
Sensors 2025, 25(1), 212; https://doi.org/10.3390/s25010212
Submission received: 20 November 2024 / Revised: 24 December 2024 / Accepted: 31 December 2024 / Published: 2 January 2025
(This article belongs to the Special Issue Advances in Security for Emerging Intelligent Systems)

Abstract

:
The Internet of Vehicles (IoV), a key component of smart transportation systems, leverages 5G communication for low-latency data transmission, facilitating real-time interactions between vehicles, roadside units (RSUs), and sensor networks. However, the open nature of 5G communication channels exposes IoV systems to significant security threats, such as eavesdropping, replay attacks, and message tampering. To address these challenges, this paper proposes the Efficient Cluster-based Mutual Authentication and Key Update Protocol (ECAUP) designed to secure IoV systems within 5G-enabled sensor networks. The ECAUP meets the unique mobility and security demands of IoV by enabling fine-grained access control and dynamic key updates for RSUs through a factorial tree structure, ensuring both forward and backward secrecy. Additionally, physical unclonable functions (PUFs) are utilized to provide end-to-end authentication and physical layer security, further enhancing the system’s resilience against sophisticated cyber-attacks. The security of the ECAUP is formally verified using BAN Logic and ProVerif, and a comparative analysis demonstrates its superiority in terms of overhead efficiency (more than 50%) and security features over existing protocols. This work contributes to the development of secure, resilient, and efficient intelligent transportation systems, ensuring robust communication and protection in sensor-based IoV environments.

1. Introduction

In recent years, the widespread deployment of sensor devices in various sectors, including urban transportation, healthcare, and the industrial Internet, has significantly improved connectivity and functionality [1,2]. In the Internet of Vehicles (IoV), a critical element of smart urban transportation, vehicles equipped with on-board units (OBUs) integrated with sensors and electronic control units (ECUs) exchange real-time data with external environments, enabling advanced functionalities such as autonomous driving and collision avoidance [3]. Furthermore, the external environment includes a wide array of roadside sensing devices, such as microwave radars, motion detection cameras, speed detection cameras, traffic light controllers, and dynamic display signs, which collectively form a comprehensive network [4,5,6,7,8,9,10]. At the core of this network are roadside units (RSUs), whose primary function is to collect and process real-time information on road conditions, traffic flow, and vehicle data. RSUs facilitate communication between vehicles, pedestrian devices, and other IoV nodes, including sensor networks and intelligent terminals, to enable end-to-end communication between vehicles, infrastructure, and pedestrians. This seamless data exchange between IoV entities is essential to improve road safety, traffic management, and overall system efficiency, while also raising significant security challenges due to the open and interconnected nature of these sensor-based networks [11,12,13,14].
Specifically, RSUs allow participating nodes to sense their surroundings by gaining access to operational data [15], traffic control information, congestion data, and visual blind spots of IoV devices within their range and authority. This expands their “field of view” to “see” vehicles, pedestrians, and buildings behind intersection masks, regardless of weather conditions. Information sharing among these participating entities can significantly reduce the incidence of traffic accidents and improve traffic safety [16,17].
With the global commercial launch of the 5th Generation Mobile Communication Technology (5G), 5G base station (gNodeB, gNB)-assisted communication is widely used in IoV and other systems due to its low latency, etc. [18]. In the 5G IoV system, information exchange between RSU and device, RSU and OBU, and OBU and OBU is connected through the 5G network [19,20], which can lead to various unknown risks. Due to the open nature of the channel, the attacker can intercept, replay, and falsify the transmitted information, and may launch multiple network attacks, resulting in system crashes. Therefore, it is crucial to ensure the confidentiality, integrity, and authenticity of IoV information transmission.
In recent years, authentication has been recognized as promising in protecting the security and privacy of nodes [21,22,23,24]. By verifying the identity of an entity, unauthorized access and message forgery can be eliminated and the confidentiality of transmitted data can be ensured. However, considering the diversity of attack types, most current relevant authentication schemes suffer from security flaws, and the overhead of the algorithms used is too high to be applicable for practical deployment in the IoV environment. Therefore, in this paper, we propose an efficient cluster-based mutual authentication and key update protocol (ECAUP) to realize low overhead and highly reliable information interaction among IoV nodes. For this paper, the main contributions are as follows:
The fine-grained access authority control of RSU to sensing devices is realized through the factorial tree, which must access the corresponding devices according to the group key generated in the registration phase, and low-cost encryption algorithms such as physical unclonable functions (PUFs) are utilized to provide physical layer security against device capture attacks while realizing end-to-end security authentication.
Considering the mobility of IoV and the device update of RSU clusters, a dynamic and flexible cluster key update scheme is proposed to provide perfect forward and backward secrecy for ECAP with anonymous and untraceable properties under the premise of security.
Verify the security of ECAUP’s session and update keys using tools such as BAN logic and Proverif, and analyze its reliability against various attacks and the security features it possesses. Moreover, the comparison with other schemes in terms of computation and communication overhead demonstrates the efficiency of the ECAUP.
Organization of the rest of the paper: Section 2 presents related research and work. Section 3 presents the mathematical background. Section 4 explains the authentication model and attacker model. Section 5 provides the implementation process of ECAUP. Section 6 provides a security analysis of ECAUP. Section 7 provides comparisons with other schemes. Section 8 summarizes the paper and gives future research directions.

2. Related Work

Currently, the related research on authentication in IOV has been continuously advancing. Xie et al. [25] proposed an authentication protocol based on blockchain and elliptic curve cryptography (ECC) to meet the needs of Vehicular Ad-hoc Networks (VANETs), which can realize the authentication between vehicle-to-vehicle and vehicle-to-roadside devices, and the method applies vehicle attributes, node pseudo-identity, and dynamic anonymity strategy within the protocol to ensure anonymity and untraceability. In addition, to achieve physical layer security, they use PUFs to cope with device capture attack and fuzzy-extractor-based bioinformation to avoid OBU intrusion attack.
Zhou et al. [26] proposed a mutual authentication protocol for vehicular sensor networks in 2017, but Wu et al. [27] found that the protocol could not solve the identity guessing attack, impersonation attack, and session key leakage. Therefore, Wu et al. proposed an efficient vehicle-to-vehicle secure communication authentication protocol to solve IoV security and privacy protection problems, which can realize secure mutual authentication between OBUs, and not only resist replay attack and guessing attacks but also ensure node anonymity. However, the scheme of Wu et al. cannot guarantee the forward secrecy of the communication session because it cannot address the impact of long-term key leakage.
Wang et al. [28] proposed a 5G-based end-to-end message authentication scheme for nodes applicable to VANETs that utilizes a group signature-based algorithm to achieve initial mutual authentication between vehicle-to-vehicle communication. In the proposed scheme, a vehicle first authenticates with a third-party trusted entity and uses one of the pseudo-identities to obtain its local signing private key, which can be used to sign messages to communicate with other vehicles in the neighborhood. In addition, to improve the computational speed of signature and modulo power operations, Wang et al. deployed a computational lookup table ahead of time in the registration phase, which improves the verification efficiency, and the related performance and security analyses demonstrate the effectiveness of the scheme in privacy protection.
Mun et al. [29] in 2022 proposed a new 5G-based Vehicle-to-Everything (V2X) security architecture that utilizes network slicing to enable V2X services with different characteristics and analyzes the security requirements of V2X services based on their ability to provide secure V2X authentication. The solution not only enables service authorization and revocation of participating nodes but also transmits information such as services and key credentials without revealing sensitive vehicle information. However, the computational overhead of the scheme proposed by Mun et al. is too high to meet the end-to-end latency requirements of autonomous driving in IoV.
Du et al. [30], in 2024, proposed an anonymous authentication protocol for 5G IoV nodes against impersonation attacks, which utilizes cryptographic algorithms such as elliptic curves to ensure the session privacy of the communication between OBU and RSU, and demonstrates its effectiveness against man-in-the-middle, replay, and other attacks through simulation and security analysis. The scheme uses temporary anonymized identity instead of the original identity and the nodes are unable to know each other’s real identity; hence, privacy is preserved. Moreover, the utilization of authentication to generate temporary key for communication eases the burden of key management and makes it difficult for attackers to obtain keys or tamper with messages.
However, the above schemes still have many flaws in terms of security and efficiency. For example, the overhead of the encryption method used is too high, and when actually deployed, the computation and communication overhead is too high to meet the low-latency requirement of IoV. Furthermore, all the above schemes lack access control on RSU authority, which makes them vulnerable to authority change attack from internal contaminated RSUs. Table 1 summarizes the related research of existing work.

3. Preliminaries

3.1. One-Way Hash Function

A one-way hash function [31] has an input and an output, where the input is called the message and the output is called the hash value. A one-way hash function can be calculated based on the content of the message hash value, and the hash value can be used to check the integrity of the message. Simply stated, the content of any length is converted into a fixed-length output string, and it is difficult to restore the original content through the output string. It is widely used in the fields of message summarization, message authentication code, key encryption, and data integrity verification. A one-way hash function can be denoted as h : { 0 , 1 } { 0 , 1 } n , where m { 0 , 1 } and h ( m ) { 0 , 1 } n are an input of arbitrary length binary strings and an output of fixed length binary strings, respectively.

3.2. Physical Unclonable Function

The Physical Unclonable Function [32,33] is a hardware security function based on physical characteristics. The PUF is a hardware security feature based on physical characteristics that takes advantage of uncontrollable differences in the manufacturing process of semiconductor devices to generate and store a unique identifier on a chip. The PUF generates a unique output for each access that is not stored on the chip and cannot be accessed, thus ensuring its unclonability.
PUF technology can be applied in many fields, such as information security, anti-counterfeiting authentication, Internet of Things (IoT), etc. (1) Information security: PUF can be used for key generation and storage. The unique identification generated by PUF can be used as the key generator in encryption systems to ensure the uniqueness and security of the key. (2) Anti-counterfeiting authentication: The PUF can be used for product anti-counterfeiting authentication. Each product can be equipped with a PUF, through the generation of unique identification, to achieve product anti-counterfeiting and traceability. (3) IoT: IoT devices need to be secure and trustworthy when deployed on a large scale. A PUF can be used for authentication and key generation of IoT devices to prevent them from being tampered with or cloned.
PUFs can be categorized into two types, i.e., strong PUFs and weak PUFs, based on factors such as the size of the chip. The number of challenge response pairs that can be generated by a strong PUF is much higher than that of a weak PUF, and usually, the researcher chooses the appropriate type of PUF based on the specific scenario. Suppose that we use a strong PUF in our scenario. The mathematical definition of a PUF can be denoted as P U F ( C ) = R , where C is the input incentive and challenge, and R is the output response. It is worth noting that since the PUF relies on the physical property of not storing any key, there may exist two responses, R and R , for the same input C in the actual authentication process. Usually, the threshold r is set and the authentication is passed when the Hamming distance between R and R satisfies H a m D i s ( R , R ) r . The main purpose of the ECAUP utilizing a PUF is to reduce key storage and provide physical layer security. Therefore, in this paper, we do not consider the response difference of PUFs.

4. System Model

4.1. Authentication Model

As shown in Figure 1, the 5G IoV system mainly consists of a 5G core network (5GC) and a 5G radio access network (RAN). Distributing different types of IoV devices on both sides of the road, e.g., sensors such as speed camera, motion surveillance camera, and radar, as well as vehicles and pedestrians traveling on the road carrying a variety of intelligent terminals, e.g., OBU and cell phone, these intelligent terminals and devices constitute the so-called HIOV system. The 5GC-based system architecture includes various functions such as Access and Mobility Management Function (AMF), Authentication Server Function (AUSF), and Unified Data Management (UDM), which can be integrated into a particular ES. In the specific authentication process, the AMF is responsible for processing and providing 5G access, registration, and mobility management for participating nodes, including OBUs and roadside sensors. AUSF and UDM are responsible for maintaining the key management of the nodes, providing data upload and storage, and supporting authority modification configurations, authentication data, and subscription data. The 5G-enabled IoV mutual authentication protocol consists of four main components: RSU, ES, gNB, and IoV terminal device (IOVD).
Specifically, when there are collisions, traffic jams, fires, and other traffic conditions, various sensor devices in the IoV system will collect information related to traffic conditions and send it to RSU, which then forwards the information to vehicles and pedestrians in an end-to-end way, facilitating the traffic participants to make quick judgments, which indirectly expands the “traffic vision” of the drivers and pedestrians, and greatly decreases the number of traffic accidents. However, the communication radius of RSU is about 500–1000 m, to realize the access control of RSU to ensure the privacy of IOVD data. We divided the range of accessible devices for different RSUs. As shown in Figure 1, the two circles show the clusters of accessible devices for RSU1 and RSU2, respectively (note that the range is not only determined by the communication distance but also includes restrictions on the devices that can be accessed by the RSUs themselves).
When a new device, e.g., OBU1, wants to join the RSU1 cluster, the cluster key generated based on access control needs to be updated. Since the whole IoV system is a dynamic process, and the traditional offline key update method obviously does not meet the practical requirements, the key update needs to be realized in an online way.
In addition, we assume that ES is a completely trusted third-party entity, whose information such as internal keys cannot be captured by attackers. In contrast, RSUs and IOVDs are common participating nodes in the IoV system, which are not only susceptible to various network attacks but also have relatively simple internal hardware structures and very limited communication and computational resources compared to ES.

4.2. Threat Model

The security analysis model of our proposed scheme is based on an extension of the Dolev–Yao [34] threat model (DY model), in which some behaviors of an adversary can be defined:
(1)
The adversary has the ability to generate random numbers and timestamps;
(2)
The adversary may arbitrarily intercept, alter, delete, and relocate messages transmitted in the public channel;
(3)
The adversary may attempt to impersonate and track nodes;
(4)
The adversary may act as an intermediate node to forge and forward messages;
(5)
The adversary may act as an insider attacker to change authorities;
(6)
An adversary has the ability to physically capture devices;
(7)
The adversary is unable to obtain any secret information from ES regardless of the method used.

5. Proposed Scheme

In this section, we detail the implementation process of ECAUP, which consists of five main phases as follows: (1) parameter setup, (2) I O V D registration, (3) R S U registration, (4) mutual authentication, and (5) dynamic key update. During the setup phase, some ECAUP public parameters (e.g., the type of PUF) are selected by a fully trusted E S . After setup, R S U and I O V D need to complete the registration with the help of E S . Then, a secure session key is generated between R S U and I O V D through mutual authentication for subsequent secure communication. Furthermore, ECAUP flexibly realizes online cluster key update when new/old devices join/exit. Table 2 lists the related symbols and their abbreviations used in ECAUP.

5.1. Parameter Setup Phase

Before authentication, there are three necessary operations performed by the E S . First, E S chooses a one-way hash function h ( · ) that generates a fixed-length string (e.g., hash-256), which guarantees the integrity and tamper-proofness of messages. Next, E S sets an appropriate P U F ( · ) for I O V D and stores a set of challenge and response pairs ( C i , R i ) generated from such PUF (assuming that a strong PUF is used) into its database, which can be used for subsequent authentication to provide physical-layer security. Finally, E S chooses a factorial tree architecture to generate cluster-based access authority key C k for R S U in the subsequent registration. Note: In ECUAP, we assume that E S has rich database functions such as store, find, modify and delete.

5.2. R S U Registration Phase

In general, IoV consists of many sensors, such as speed radar, localization device, motion detection camera, time detection camera, etc. However, the effective communication radius of R S U is about 500 m to 1000 m, which requires multiple R S U s to be controlled cooperatively to realize the interaction of the entire IoV sensor data. These R S U s can then interact with I O V D s to enable vehicles/pedestrians to “see” the complex road conditions behind the cover and react quickly, which greatly reduces the incidence of traffic accidents and improves the safety of IoV. Therefore, we achieve the authority attribution of R S U through fine-grained access control based on factorial tree [35] as follows:
(1)
Factorial-tree-based fine-grained access control
The purpose of fine-grained access control is to authenticate and transmit information to I O V D s within range based on the communication radius of the R S U . However, due to the dynamic character of HIOV (i.e., the mobility of vehicles or pedestrians), the forward secrecy and backward secrecy of the key are difficult to guarantee. Thus, we provide online factorial-tree-based cluster key updates for ECAUP.
As shown in Figure 2, the cluster architecture of ECAUP can be simplified as a factorial tree, which consists of multiple layers of leaf nodes (level 1–level t)) and a single root node level 0, where t is the level of the tree. In the tree, layer t denotes the I O V D s accessible to R S U , i.e., h t 0 = L k 0 , h t 1 = L k 1 , . . . , h t [ ( t + 1 ) ! 1 ] = L k [ ( t + 1 ) ! 1 ] , where L k 0 , L k 1 , . . . , L k t is the leaf node key generated by E S to I O V D .
h x y = h h ( x + 1 ) ( x y + 2 y ) , . . . , h ( x + 1 ) ( x y + 2 y + x + 1 )
Then, the auxiliary leaf node keys A L k x y = h x y can be computed from (1), where x = 1 , 2 , . . . , t 1 and y = 0 , 1 , . . . , ( x + 1 ) ! . Finally, the cluster key C k = h 00 of R S U is computed.
(2)
Registration
First, R S U sends a registration request containing I D R and an accessible device table A D T = I O V D 1 , I O V D 2 , . . . , I O V D n to E S via a secure channel. Once the request from R S U is received, E S first selects an appropriate factorial tree level t based on the number of I O V D s n. E S then sets the identities I D V 0 , I D V 1 , . . . , I D V [ ( t + 1 ) ! 1 ] and leaf node keys L k 0 , L k 1 , . . . , L k [ ( t + 1 ) ! 1 ] for these devices and computes the corresponding auxiliary leaf node keys A L k x y and cluster/root key C k = h ( A L k 10 A L k 11 ) . Next, E S also finds the corresponding device’s PUF-based challenge response pairs ( C i , R i ) in the database according to A D T . In addition, E S sets a master key R k for R S U and computes pseudo-identity R I D R = h ( I D R N a ) , where N a is a random number generated by E S . Finally, E S sends C k , R k , R I D R , ( C i , R i ) to R S U via secure channel and stores C k , L k , A L k , R k , I D R , A D T into its database. Upon receiving a message from the E S , the R S U stores the information contained in the message, such as the key, into memory as well. The RSU registration process is summarized in Figure 3.

5.3. I O V D Registration Phase

In the I O V D registration phase, a registration request containing I D V is first sent by I O V D to E S . The ownership of I O V D is then confirmed in the database by E S according to A D T . As shown in Figure 2, assuming that the level of the factorial tree is 3 and h 30 represents the current I O V D , ES selects the shortest path h 20 , h 10 , h 00 from the bottom up and fetches L k 0 , A L k 20 , A L k 10 in the database. Next, E S computes the pseudo-identity R I D V = h ( I D V N b ) , and P = h ( C k I D R ) , where N b is a random number. Finally, E S sends P , R I D V , L k 0 , A L k 20 , A L k 10 to I O V D in a secure channel and stores I D V . Meanwhile, I O V D receives and stores the message from E S .

5.4. Mutual Authentication Phase

When the R S U wants to access the I O V D and obtain data, it needs to complete a two-way authentication operation between R S U and I O V D . After authentication is finished, a secure session key S k R = S k V is established between R S U and I O V D for subsequent data transmission. Note that authentication is realized via an open channel (e.g., 5G core network/Internet) as follows:
Step 1: R S U I O V D : N 1 , T 1 , R I D R , C i
First R S U generates the random number N 1 and extracts the pair ( C i , R i ) from its memory according to the I O V D it wants to access, and then computes N 1 = N 1 h ( R I D R h ( C k I D R ) ) = N 1 T I D R , T 1 = h ( R i R I D R h ( C k I D R ) ) , where T I D R is the temporary identity of R S U . Finally, M 1 = N 1 , T 1 , R I D R , C i is sent by the R S U to I O V D via public channel.
Step 2: I O V D R S U : N 2 , T 2 , T 3 , T 4 , R I D V
Once the message M 1 is received from R S U , I O V D extracts N 1 = N 1 h ( R I D R P ) to verify the freshness. If found fresh, the session continues; otherwise, it aborts. I O V D then inputs C i from M 1 into PUF to obtain the response R i and computes T 1 = h ( R i R I D R P ) to verify T 1 = ? T 1 . If not satisfied, the session is terminated; otherwise, it continues. Next, I O V D generates the random number N 2 , computes the temporary identity T I D V = h ( R I D V P ) , N 2 = N 2 T I D V , a i = h ( L k I D V ) , T 2 = N 2 a i , T 3 = h ( P R i N 1 N 2 I D V ) , T 4 = h ( T 3 a i R I D V ) , and sends M 2 = N 2 , T 2 , T 3 , T 4 to R S U via public channel.
Step 3: R S U I O V D : N 3 , T 5 , T 6
When the message M 2 is received from I O V D , R S U extracts N 2 = N 2 h ( R I D V h ( C k I D R ) ) and verifies the freshness. If it is met, R S U further computes a i = T 2 N 2 , T 4 = h ( T 3 a i R I D V ) and verifies T 4 = ? T 4 . When all the above conditions are met, the session continues; otherwise, it is terminated. R S U then generates a random number N 3 and computes N 3 = N 3 T I D R , b i = h ( R k I D R ) , T 5 = N 3 b i , T 6 = h ( b i N 3 R i R I D R ) . Moreover, the ultimate session key S K R = h ( a i b i T 3 N 3 ) is computed by R S U for subsequent communication. Finally, M 3 = N 3 , T 5 , T 6 is sent by R S U to I O V D via a public channel.
Step 4: Meanwhile, once M 3 is received, I O V D verifies the freshness of the random number through extraction N 3 = N 3 h ( R I D R P ) . N 3 is determined fresh, and the session continues; otherwise, it terminates. I O V D then computes b i = T 5 N 3 , T 6 = h ( b i N 3 R i R I D R ) and verifies T 6 = ? T 6 . When both are equal, I O V D computes the session key S K V = h ( a i b i T 3 N 3 ) = S K R , which is used for subsequent data encryption between R S U and I O V D . The authentication process is summarized in Figure 4.

5.5. Dynamic Key Update Phase

In this paper, an R S U can only access the corresponding sensor devices based on A D T . The accessible device table A D T needs to be kept up to date due to the mobility of participant nodes in urban transportation, e.g., sensors attached to pedestrians and vehicles. Moreover, for static sensors such as speed cameras/radar, A D T also needs to be updated when new/old devices join/leave the cluster of R S U . For ease of description, we assume that t is 2, as shown in Figure 5. Therefore, this section describes the dynamic update process of cluster key C k in ECAUP as follows.
The entire key update process of ECAUP is implemented in an online manner with the help of a fully trusted E S , which only requires that E S sends update messages unilaterally to I O V D and R S U , and does not involve multiple message interaction and authentication, which greatly reduces network congestion. First, E S resets the structure of the factorial tree and layer t according to the number of added devices, and generates the corresponding auxiliary leaf node keys A L k a and cluster key C k . Then, depending on the forwarding logic rule of factorial tree, it implements the online update of Ck with the minimum number of messages.
(1)
I O V D joins the cluster
E S I O V D : E S first generates the random number N j and then computes the factorial tree element A L k 20 = h ( L k 0 L k 6 ) , A L k 10 n e w = h ( A L k 20 L k 1 L k 2 ) , C k n e w = h ( A L k 10 n e w A L k 11 ) , P n e w = h ( C k n e w I D R ) , the random number verification message N j = N j h ( C k I D R ) = N j P , N j = N j h ( C k p r e I D R p r e ) = N j P p r e . Next, E S computes α 1 = h ( P A L k 11 N j ) , X 1 = P n e w α 1 for D 3 , D 4 , D 5 ; α 2 = h ( P A L k 10 N j ) , X 2 = P n e w α 2 , X 3 = A L k 10 n e w α 2 , for D 1 , D 2 ; α 3 = h ( P A L k 10 L k 0 N j ) , X 4 = P n e w α 3 , X 5 = A L k 10 n e w α 3 , X 6 = A L k 20 α 3 for D 0 ; and α 4 = h ( P p r e L k 6 N j ) , X 7 = P n e w α 4 , X 8 = A L k 10 n e w α 4 , X 9 = A L k 20 α 4 for D 6 . Finally E S broadcasts Y 1 = N j , X 1 , Y 2 = N j , X 2 , X 3 , Y 3 = N j , X 4 , X 5 , X 6 and Y 4 = N j , X 7 , X 8 , X 9 to the devices in cluster. Finally, E S stores all the factorial tree information C k n e w , A L k n e w into the database.
Upon receiving the broadcast messages, D 0 , D 1 ,…, D 6 extract P n e w and the updated auxiliary leaf node keys A L k n e w , respectively. For instance, D 0 can only extract the secret information in Y 3 due to the absence of other path keys in the factorial tree. D 0 first extracts N j = N j P and verifies the freshness, and terminates the key update if it does not match. Then, D 0 extracts P n e w , A L k 10 n e w , and A L k 20 to replace the original keys (the update process for D 1 , D 2 ,…, D 6 follows in the same way). Therefore, dynamic key update can be perfectly achieved in ECAUP for the new I O V D join.
E S R S U : E S generates a random number N j 1 and then computes N j 1 = N j 1 h ( C k I D R ) , S i = h ( R k N j 1 ) , Z 1 = C k n e w S i , Z 2 = C i n e w S i , Z 3 = R i n e w S i and sends N j 1 , Z 1 , Z 2 , Z 3 via an open channel to the R S U in the current cluster, where C i n e w and R i n e w are multiple challenges and responses from PUF of the new device taken out by E S in its database. N j 1 is first extracted and verified to be fresh when R S U receives the message from E S . Next, R S U extracts and stores C k n e w , ( C i n e w , R i n e w ) and deletes the original C k , ( C i , R i ) in memory.
(2)
I O V D leaves the cluster
As shown in Figure 5, the root key of the factorial tree also needs to be updated when the old device D 0 leaves the current cluster, which is similar to the joining process. First, E S changes the structure of the tree and computes the path key of the changed node (i.e., leaf node, auxiliary leaf node, root node) by hash, and then broadcasts messages to corresponding nodes through the factorial-tree-based forwarding logic rule. Meanwhile, R S U receives additional update messages from E S . Finally R S U and I O V D s verify the above messages and realize the update of the original key. Note that all dynamic key updates are accomplished via the public channel, regardless of the joining or leaving of devices.

6. Security Analysis

In this section, we verify the security of the ECAUP using both formal and informal security analysis. In particular, we first analyze the security of the session key generated between R S U and I O V D in the protocol utilizing BAN logic. Further, the robustness of the ECAUP in the face of various attacks is then given using informal security analysis. In addition, we perform a comprehensive verification of the protocol with Proverif, a popular automated verification tool.

6.1. BAN-Logic-Based Formal Security Analysis

In the reasoning process of BAN logic [36], the beliefs of participants in a protocol change continuously with the increase of message exchange. The application of BAN logic firstly requires an “idealization step”, i.e., converting the messages of the protocol into formulas in BAN logic; secondly, making reasonable assumptions based on the situation of the protocol, then reasoning according to the rules and assumptions; and, finally, deducing whether the protocol can accomplish the desired goal. In this paper, we verify the security of the session keys S K R and S K V generated in the ECAUP through BAN logic.
(1)
Notation and rule
Some notations and semantics in BAN logic are as follows.
N1: P X : Principal P believes statement X.
N2: P X : Principal P sees the statement X.
N3: P | X : Principal P once said the statement X.
N4: P X : Principal P has jurisdiction over the statement X.
N5: # ( X ) / f r e s h ( X ) : Formula X is fresh.
N6: X Y : A message synthesized from formula X and secret Y.
N7: P K Q : Formula K is a shared key of P and Q.
N8: P X Q : Formula X is a secret only known to P and Q.
N9: ( X , Y ) : Formula ( X , Y ) containing formula X and formula Y.
N10: S K : Session key used in the current session.
BAN consists of 19 inference rules, and we only list the relevant rules used in ECAUP.
R1: P | Q Y P , P X Y P | Q | X : Message-meaning rule.
R2: P | # ( X ) , P | Q | X P | Q | X : Nonce-verification rule.
R3: P | # ( X ) P | # ( X , Y ) : Freshness rule.
R4: P | Q X , P | Q | X P | X : Jurisdiction rule.
R5: P | ( X , Y ) P | X , P ( X , Y ) P X , P | Q | ( X , Y ) P | Q | X , P | Q | ( X , Y ) P | Q | X : Seeing and belief rule.
(2)
Security goal
Based on the above BAN logic rules, the security goals of ECAUP can be expressed as follows:
G1: R S U ( R S U S K I O V D ) .
G2: I O V D ( R S U S K I O V D ) .
(3)
Idealized form
In mutual authentication of ECAUP, messages M 1 , M 2 and M 3 transmitted between R S U and I O V D can be abstractly represented as follows:
M1: R S U I O V D : N 1 , T 1 , R I D R , C i .
M2: I O V D R S U : N 2 , T 2 , T 3 , T 4 , R I D V .
M3: R S U I O V D : N 3 , T 5 , T 6 .
M1: R S U I O V D : ( N 1 , R I D R , I D R C k , R I D R , C k , I D R R i , R I D R , C i ) .
M2: I O V D R S U : ( N 2 , R I D V , P C k , I D V , L k N 2 , P , N 1 , N 2 , I D V R i , P , N 1 , N 2 , I D V , L k , R I D V R i , R I D V ) .
M3: R S U I O V D : ( N 3 , R I D R , I D R C k , R I D R , I D R N 3 , R k , I D R , N 3 , R I D R R i ) .
(4)
Assumption
Some assumptions related to the authentication process of ECAUP are listed according to the BAN logic.
A1: R S U | # ( N 2 ) .
A2(a): I O V D | # ( N 1 ) , A2(b): I O V D # ( N 3 ) .
A3: R S U | I O V D ( N 2 , R I D V , I D V , L k , P ) .
A4: I O V D | R S U ( N 1 , N 3 , R I D R , I D R , R k ) .
A5: R S U | ( N 1 , N 3 , I D R , R k , C i , R i , C k ) .
A6: I O V D | ( N 2 , I D V , L k , R i , C k ) .
A7: R S U | ( R S U C k I O V D ) .
A8: I O V D | ( R S U C k I O V D ) .
A9: R S U | ( R S U R i I O V D ) .
A10: I O V D | ( R S U R i I O V D ) .
(5)
Security proof
Based on the above assumptions and the rules of BAN logic, we simplify the idealized form of ECAUP and provide the main proof procedure. Specifically, the I O V D receives an access request M 1 and an authentication message M 3 from R S U , both of which contribute to the realization of G 2 . According to M 1 , we can obtain the following information:
S1: I O V D ( N 1 , R I D R , I D R C k , R I D R , C k , I D R R i , R I D R , C i ) .
S2: According to S1 and R5, we obtain I O V D N 1 , R I D R , I D R C k .
S3: According to A8 and R1, we obtain I O V D | R S U | ( N 1 , R I D R , I D R ) .
S4: According to A2(a) and R3, we obtain I O V D | # ( N 1 , R I D R , I D R ) .
S5: According to S3, S4 and R2, we obtain I O V D | R S U | ( N 1 , R I D R , I D R ) .
S6: According to S5, A4 and R4, we obtain I O V D | ( N 1 , R I D R , I D R ) .
S7: According to S6 and R5, we obtain I O V D | N 1 , I O V D | I D R .
According to M 3 , and repeating the above steps, we obtain
S8: I O V D | R k , I O V D | N 3 .
S9: I O V D | N 2 , I O V D | I D V , I O V D | L k , I O V D | R i , I O V D | C k .
S10: According to the session key S K V = h ( a i b i T 3 N 3 ) = h ( h ( L k I D V ) h ( R k I D R ) h ( h ( C k I D R ) R i N 1 N 2 I D V ) N 3 ) in ECAUP S7, S8, and S9, we can obtain G2: I O V D ( R S U S K I O V D ) .
According to M 2 , we can obtain the following information:
S11: R S U ( N 2 , R I D V , P C k , I D V , L k N 2 , P , N 1 , N 2 , I D V R i , P , N 1 , N 2 , I D V , L k , I D V R i , R I D V ) .
S12: According to S11 and R5, we obtain R S U P , N 1 , N 2 , I D V , L k , R I D V R i .
S13: According to A9 and R1, we obtain R S U | I O V D | ( P , N 1 , N 2 , I D V , L k , R I D V ) .
S14: According to A1 and R3, we obtain R S U | # ( P , N 1 , N 2 , I D V , L k , R I D V ) .
S15: According to S13, S14 and R2, we obtain R S U | I O V D | ( P , N 1 , N 2 , I D V , L k , R I D V ) .
S16: According to S15 and R5, we obtain R S U | I O V D | ( P , N 2 , I D V , L k , R I D V ) .
S17: According to S16, A3 and R4, we obtain R S U | ( P , N 2 , I D V , L k , R I D V ) .
S18: According to S17 and R5, we obtain R S U | N 2 , R S U | I D V , R S U | L k .
S19: According to A5 and R5, we obtain R S U | N 1 , R S U | N 3 , R S U | I D R , R S U | R k , R S U | R i , R S U | C k .
S20: According to the session key S K V = h ( a i b i T 3 N 3 ) = h ( h ( L k I D V ) h ( R k I D R ) h ( h ( C k I D R ) R i N 1 N 2 I D V ) N 3 ) in ECAUP S18 and S19, we can obtain G1: R S U ( R S U S K I O V D ) .
The realizability and security of the session key S K R = S K V generated between R S U and I O V D can be shown from S10 and S20.

6.2. Informal Security Analysis

R S U impersonation attack: In this attack, an adversary A attempts to impersonate M 1 = N 1 , T 1 , R I D R , C i , M 3 = N 3 , T 5 , T 6 and then serves as a legitimate node to communicate with I O V D , where T 1 = h ( R i R I D R h ( C k I D R ) ) , T 5 = N 3 b i , T 6 = h ( b i N 3 R i R I D R ) , b i = h ( R k I D R ) . Even if A can generate the random numbers N 1 A and N 3 A , there is no possibility to replace R S U as a real node due to the lack of critical secret information R i , C k , I D R , and R K . Thus, our scheme can cope with R S U impersonation attack.
I O V D impersonation attack: In ECAUP, I O V D sends only one authentication message M 2 = N 2 , T 2 , T 3 , T 4 , and A wants to fake M 2 and then communicate with R S U as a legitimate I O V D , where T 2 = N 2 a i , T 3 = h ( P R i N 1 N 2 I D V ) , T 4 = h ( T 3 a i R I D V ) , a i = h ( L k I D V ) . However, A still cannot accomplish the impersonation attack (suppose A can generate random number) to I O V D due to the privacy of L k , I D V , and R i . Therefore, our scheme is able to cope with the I O V D impersonation attack.
Replay attack: In this attack, A captures messages M 1 , M 2 , and M 3 and then replays them to R S U and I O V D , respectively, which in turn causes system crash. However, in ECAUP, replay attack initiated by A cannot work. For example, when I O V D receives the message M 1 = N 1 , T 1 , R I D R , C i replayed from A , it verifies the freshness of the random number and terminates the session immediately in case of non-compliance. Moreover, it is not possible for A to modify the random number N 1 , due to the fact that N 1 = N 1 h ( R I D R h ( C k I D R ) ) = N 1 T I D R in M 1 is secretly encapsulated by the temporary identity T I D R . Similarly, M 2 and M 3 cannot pose a threat to R S U and I O V D even if they are replayed by A in the public channel. It is worth noting that the dynamic key update process in the ECAUP also uses random numbers. Therefore, our proposed protocol is not subject to replay attack.
I O V D Captured attack: In this case, A physically captures a certain I O V D to obtain all secret information P , L k , A L k , I D V inside it, and seeks to compute the session keys of the other devices from such information. Despite the fact that A possesses P , L k , A L k , I D V , A cannot obtain the PUF-based challenge–response pairs ( C i , R i ) . Assuming that A can generate the challenge C i and thus obtain response, the probability that adversary obtains R i is almost 0 due to the physically unclonable nature of PUF. Furthermore, in the ECAUP, different PUFs are assigned to I O V D s, and the secret information of each I O V D is completely different. Therefore, A cannot impose any threat to other devices through the captured I O V D s.
Man-in-the-middle attack: Suppose that A intercepts a message M 1 in an open channel, then generates a random number n and tries to compute T 1 = h ( R i R I D R h ( C k I D R ) ) , n = n h ( R I D R h ( C k I D R ) ) . Subsequently, A sends a forged valid message M 1 = n , T 1 , R I D R , C i to I O V D , disabling it to confirm and distinguish whether or not the message has been modified. But, due to the absence of secret information R i , C k , and I D R , it is virtually impossible for A to calculate legitimate message M 1 (similarly in the case of M 2 and M 3 ). Therefore, ECAUP can deal with the man-in-the-middle attack.
Stolen-verifier attack: In ECAUP, none of the participating nodes carries the storage verification table for assisted authentication. Therefore, our scheme is resistant to stolen-verifier attacks.
Authority modification attack: In this attack, an internal node R S U authorized by E S desires to access I O V D s beyond its own authority and obtains sensor data [37,38], which can be denoted as A D T = I O V D 1 , . . . , I O V D n to A D T = I O V D 1 , . . . , I O V D n . According to Section 5.2, the access authority of R S U can be represented as C k , which is based on a factorial tree hashed in a bottom-up manner. Suppose R S U computes a new cluster key C k R using A D T and the factorial tree, and sends an authentication request M 1 = N 1 , T 1 R , R I D R , C i to I O V D , where T 1 R = h ( R i R I D R h ( C k R I D R ) ) . Once the request is received, I O V D computes T 1 R = h ( R i R I D R P ) after verifying the freshness of N 1 and continues to verify T 1 R = ? T 1 R . If both differ, it indicates that the current R S U does not belong to its cluster and then terminates the session. The reason why the R S U cannot access devices outside of its authority is due to the fact that secret information P = h ( C k I D R ) is assigned by E S to all I O V D s in cluster as early as the registration phase. Thus, our proposed protocol can handle authority modification attacks.
Anonymity and untraceability: In the ECAUP, the messages M 1 = N 1 , T 1 , R I D R , C i , M 2 = N 2 , T 2 , T 3 , T 4 and M 3 = N 3 , T 5 , T 6 generated from each authentication contain individual random numbers; thus, A cannot track participating nodes through M 1 , M 2 , and M 3 . In addition, the ECAUP transmits messages using pseudo-identities R I D R and R I D V (public), and temporary identities T I D R and T I D V (private), which do not involve the original identities I D R and I D V . Hence, our proposed protocol enables anonymity.
Known session key security: Since the session key S K V = h ( a i b i T 3 N 3 ) = S K R in each authentication contains secret information L k , I D V , R k , I D R , P , R i and random numbers N 1 , N 2 , N 3 of both current communicating parties, even if A obtains a certain session key, it cannot compute other session keys. Therefore, our protocol guarantees the security of the known session key.
Perfect forward secrecy and backward secrecy: In Section 5.5, a detailed key update process of the ECAUP is presented in a dynamic form. The purpose of the update is to ensure that the original R S U s can no longer access I O V D s that have left their clusters, thus guaranteeing the backward secrecy of the sensed data. Furthermore, assume that A obtains the long-term key and attempts to compute the session key to steal the previous information. However, it is difficult for A to obtain the cluster key C k in our system model due to the mobility of HIOV, resulting in keeping the key updated in real time. Therefore, it is obvious that ECAUP has perfect forward and backward secrecy.

6.3. Formal Verification with Proverif

Proverif is a formal verification tool [39] developed for automated reasoning about security properties in cryptographic protocols and automated analysis and verification of security protocols, which can support cryptographic primitives, including symmetric and asymmetric encryption, digital signature, hash function, bit commitment, and proof of signature for knowledge. In addition, Proverif can provide the formal path of attackers to breach the key, which enables researchers to improve the protocol. In IoV, communication between RSU and IOVD requires authentication. Therefore, we utilize Proverif to evaluate the security of ECAUP.
In this paper, three open channels, c h 1 , c h 2 , and c h 3 , and two secure channels, s c h 1 and s c h 2 , are defined. The role of each channel is as follows: (1) R S U and E S complete the registration described in Section 5.2 and Section 5.3 via s c h 1 ; (2) I O V D and E S complete the registration described in Section 6.3 via s c h 2 ; (3) the public channel c h 1 is used to realize mutual authentication between R S U and I O V D ; (4) E S sends the key P n e w that needs to be updated as well as the auxiliary leaf node key A L k n e w to I O V D via c h 2 ; (5) E S sends the new cluster/root key C k n e w as well as the challenge–response pair ( C i n e w , R i n e w ) to R S U via c h 3 .
In the Proverif code, we define R S U a u t h , I O V D a u t h , and E S = E S R e g 1 | E S R e g 2 | E S u p d a t e 1 | E S u p d a t e 2 to denote the sub-processes of R S U , I O V D , and E S , respectively, and, finally, the parallel execution of the three participating entities is realized through p r o c e s s ( ! R S U a u t h ) | ( ! E S ) | ( ! I O V D a u t h ) . From Figure 6, it can be inferred that the session keys S K R and S K V , generated by R S U and I O V D authentication, and the update keys C k n e w and A L k n e w , sent by E S to R S U and I O V D , are secure. Thus, according to the simulation results, the robustness of ECAUP against various known network attacks is demonstrated.

7. Comparative Analysis

In this section, a comparison of the ECAUP with other schemes (Wu et al. [27], Wang et al. [28], Mun et al. [29] and Du et al. [30]) in terms of calculation cost, communication cost, and security features is given.

7.1. Calculation Costs Comparison

We provide the computational cost required for the mutual verification phase of the ECAUP and other schemes. Assume that T h , T a s , T m e , T s i g , T b p , T p m , T p a , and T p u f represent the time required for the hash function, symmetric encryption/decryption, modular exponentiation, digital signature/checksumption, bilinear pairing, ECC point multiplication, ECC point addition, and PUF response, respectively. According to the available experimental results [25,30,35], the time required to use these encryption operations are T h = 0.019 ms, T a s = 19.536 ms, T m e = 5.02 ms, T s i g = 17.624ms, T b p = 44.517 ms, T p m = 2.61 ms, T p a = 0.576 ms, and T p u f = 4.4 ms. From Table 3 and Figure 7, it can be observed that the cryptographic operation required for ECAUP authentication is 16 T h + T p u f and the computation time is 4.704 ms. Comparing to other schemes, it can be inferred that our protocol is suitable for end-to-end authentication in an IoV scenario because of the extremely low latency.

7.2. Communication Costs Comparison

To measure the communication costs of R S U and I O V D in the authentication phase, we assume that the output sizes of identity, public key, hash digest, random number, timestamp, PUF challenge and response, ECC point multiplication, digital signature, and symmetric encryption are 100 bits, 100 bits, 128 bits, 128 bits, 32 bits, 100 bits, 512 bits, 1024 bits, and 1024 bits, respectively. It can be deduced that the total communication cost of the ECAUP is 1508 bits, and the schemes of Wu et al. [27], Wang et al. [28], Mun et al. [29], and Du et al. [30] require 1216 bits, 2308 bits, 3232 bits, and 1672 bits, respectively. From Table 4 and Figure 7, it can be seen that our scheme requires only three handshakes to complete the authentication between R S U and I O V D , and requires only 1508 bits of communication cost. Therefore, the ECAUP is perfectly suitable for IoV scenarios.

7.3. Security Features Comparison

Table 5 shows the comparative analysis of the ECAUP with other schemes in terms of security and functional properties (abbreviations: ✓ support; ×: no support; —: not considered). It can be inferred that our scheme provides higher security and more properties compared to the other four protocols. It is worth noting that we not only consider the mobility of the participating nodes in IoV, but also the dynamic updating of the cluster key, which perfectly ensures the forward secrecy and backward secrecy of the whole cluster. Therefore, the ECAUP has wide prospects in the practical deployment of IoV.

8. Conclusions

In this paper, we proposed a lightweight end-to-end secure authentication and key update scheme for 5G-based IoV systems. The fine-grained access control RSU and subsequent dynamic key update forwarding method were provided via a factorial tree to ensure perfect forward and backward secrecy of the ECAUP. In addition, this paper used only low overhead algorithms such as hash to optimize the communication and computation overheads while guaranteeing the properties of node anonymity, non-traceability, and known session key security. The security analysis and comparison of other schemes showed that the ECAUP can meet the practical requirements of IoV. The focus of this paper is end-to-end authentication of IoV nodes, but the current key update overhead is high, so determining how to design and implement a more efficient and reliable key update protocol is one of the next research directions. Moreover, future research directions include the following: using the MIMT tool to implement STRIDE-based threat modeling for the ECAUP; session security analysis based on the ROR model; actual deployment of the ECAUP; and analyzing packet loss rate, latency, throughput, etc.

Author Contributions

Conceptualization, X.S. and Y.X.; methodology, X.S.; software, X.S.; validation, X.S. and Y.X.; formal analysis, X.S.; investigation, X.S.; resources, X.S. and Y.X.; data curation, X.S.; writing—original draft preparation, X.S.; writing—review and editing, X.S. and Y.X.; visualization, X.S.; supervision, X.S. and Y.X.; project administration, X.S. and Y.X.; funding acquisition, X.S. All authors have read and agreed to the published version of the manuscript.

Funding

The work of this paper was funded by the National Natural Science Foundation of China, No. 62371246, and Practice Innovation Program of Jiangsu Province, No. KYCX22_0936.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Acknowledgments

The authors would like to thank the reviewers for their valuable feedback and suggestions on this paper, which helped to improve the quality of the paper.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Nizetic, S.; Soli, P.; González-de, D.L.d.I.; Patrono, L. Internet of Things (IoT): Opportunities, issues and challenges towards a smart and sustainable future. J. Clean. Prod. 2020, 274, 1–32. [Google Scholar] [CrossRef] [PubMed]
  2. Wu, C.; Chen, J.; He, K.; Zhao, Z.; Du, R.; Zhang, C. EchoHand: High accuracy and presentation attack resistant hand authentication on commodity mobile devices. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, CA, USA, 7–11 November 2022; pp. 2931–2945. [Google Scholar]
  3. Taslimasa, H.; Dadkhah, S.; Neto, E.C.P.; Xiong, P.; Ray, S.; Ghorbani, A.A. Security issues in Internet of Vehicles (IoV): A comprehensive survey. Internet Things 2023, 22, 100809. [Google Scholar] [CrossRef]
  4. Wu, C.; He, K.; Chen, J.; Zhao, Z.; Du, R. Toward robust detection of puppet attacks via characterizing fingertip-touch behaviors. IEEE Trans. Dependable Secur. Comput. 2021, 19, 4002–4018. [Google Scholar] [CrossRef]
  5. Tang, T.; Yang, Y.; Wu, D.; Wang, R.; Li, Z. Chaotic moving video quality enhancement based on deep in-loop filtering. Digit. Commun. Netw. 2023, 10, 1708–1715. [Google Scholar] [CrossRef]
  6. Li, Z.; Gao, X.; Li, Q.; Guo, J.; Yang, B. Edge Caching Enhancement for Industrial Internet: A Recommendation-Aided Approach. IEEE Internet Things J. 2022, 9, 16941–16952. [Google Scholar] [CrossRef]
  7. Sun, G.; Wang, Z.; Su, H.; Yu, H.; Lei, B.; Guizani, M. Profit Maximization of Independent Task Offloading in MEC-Enabled 5G Internet of Vehicles. IEEE Trans. Intell. Transp. Syst. 2024, 25, 16449–16461. [Google Scholar] [CrossRef]
  8. Luo, H.; Zhang, Q.; Sun, G.; Yu, H.; Niyato, D. Symbiotic Blockchain Consensus: Cognitive Backscatter Communications-Enabled Wireless Blockchain Consensus. IEEE/ACM Trans. Netw. 2024, 32, 5372–5387. [Google Scholar] [CrossRef]
  9. Peng, X.; Song, S.; Zhang, X.; Dong, M.; Ota, K. Task Offloading for IoAV Under Extreme Weather Conditions Using Dynamic Price Driven Double Broad Reinforcement Learning. IEEE Internet Things J. 2024, 11, 17021–17033. [Google Scholar] [CrossRef]
  10. Wang, Y.; Sun, R.; Cheng, Q.; Ochieng, W.Y. Measurement Quality Control Aided Multisensor System for Improved Vehicle Navigation in Urban Areas. IEEE Trans. Ind. Electron. 2024, 71, 6407–6417. [Google Scholar] [CrossRef]
  11. Alalwany, E.; Mahgoub, I. Security and trust management in the internet of vehicles (IoV): Challenges and machine learning solutions. Sensors 2024, 24, 368. [Google Scholar] [CrossRef]
  12. Wu, C.; He, K.; Chen, J.; Zhao, Z.; Du, R. Liveness is not enough: Enhancing fingerprint authentication with behavioral biometrics to defeat puppet attacks. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), Boston, MA, USA, 12–14 August 2020; pp. 2219–2236. [Google Scholar]
  13. Wu, C.; Chen, J.; Wang, Z.; Liang, R.; Du, R. Semantic Sleuth: Identifying Ponzi Contracts via Large Language Models. In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, Sacramento, CA, USA, 27 October–1 November 2024; pp. 582–593. [Google Scholar]
  14. Sun, J.; Wu, C.; Mumtaz, S.; Tao, J.; Cao, M.; Wang, M.; Frascolla, V. An Efficient Privacy-aware Split Learning Framework for Satellite Communications. IEEE J. Sel. Areas Commun. 2024, 42, 3355–3365. [Google Scholar] [CrossRef]
  15. Vishwakarma, L.; Nahar, A.; Das, D. LBSV: Lightweight blockchain security protocol for secure storage and communication in SDN-enabled IoV. IEEE Trans. Veh. Technol. 2022, 71, 5983–5994. [Google Scholar] [CrossRef]
  16. Wu, C.; Cao, H.; Xu, G.; Zhou, C.; Sun, J.; Yan, R.; Liu, Y.; Jiang, H. It’s All in the Touch: Authenticating Users with HOST Gestures on Multi-Touch Screen Devices. IEEE Trans. Mob. Comput. 2024, 23, 10016–10030. [Google Scholar] [CrossRef]
  17. Wu, C.; Chen, J.; Fang, Q.; He, K.; Zhao, Z.; Ren, H.; Xu, G.; Liu, Y.; Xiang, Y. Rethinking Membership Inference Attacks Against Transfer Learning. IEEE Trans. Inf. Forensics Secur. 2024, 19, 6441–6454. [Google Scholar] [CrossRef]
  18. Cao, B.; Sun, Z.; Zhang, J.; Gu, Y. Resource allocation in 5G IoV architecture based on SDN and fog-cloud computing. IEEE Trans. Intell. Transp. Syst. 2021, 22, 3832–3840. [Google Scholar] [CrossRef]
  19. Ji, B.; Chen, Z.; Mumtaz, S.; Han, C.; Li, C.; Wen, H.; Wang, D. A vision of IoV in 5G HetNets: Architecture, key technologies, applications, challenges, and trends. IEEE Netw. 2022, 36, 153–161. [Google Scholar] [CrossRef]
  20. Rani, P.; Sharma, R. Intelligent transportation system performance analysis of indoor and outdoor internet of vehicle (iov) applications towards 5g. Tsinghua Sci. Technol. 2024, 29, 1785–1795. [Google Scholar] [CrossRef]
  21. Suleski, T.; Ahmed, M.; Yang, W.; Wang, E. A review of multi-factor authentication in the Internet of Healthcare Things. Digit. Health 2023, 9, 20552076231177144. [Google Scholar] [CrossRef]
  22. El-Kenawy, E.S.M.; Mirjalili, S.; Abdelhamid, A.A.; Ibrahim, A.; Khodadadi, N.; Eid, M.M. Meta-heuristic optimization and keystroke dynamics for authentication of smartphone users. Mathematics 2022, 10, 2912. [Google Scholar] [CrossRef]
  23. Almadani, M.S.; Alotaibi, S.; Alsobhi, H.; Hussain, O.K.; Hussain, F.K. Blockchain-based multi-factor authentication: A systematic literature review. Internet Things 2023, 23, 100844. [Google Scholar] [CrossRef]
  24. Khashan, O.A.; Khafajah, N.M. Efficient hybrid centralized and blockchain-based authentication architecture for heterogeneous IoT systems. J. King Saud-Univ.-Comput. Inf. Sci. 2023, 35, 726–739. [Google Scholar] [CrossRef]
  25. Xie, Q.; Ding, Z.; Tang, W.; He, D.; Tan, X. Provable secure and lightweight blockchain-based V2I handover authentication and V2V broadcast protocol for VANETs. IEEE Trans. Veh. Technol. 2023, 72, 15200–15212. [Google Scholar] [CrossRef]
  26. Zhou, Y.; Zhao, X.; Jiang, Y.; Shang, F.; Deng, S.; Wang, X. An enhanced privacy-preserving authentication scheme for vehicle sensor networks. Sensors 2017, 17, 2854. [Google Scholar] [CrossRef]
  27. Wu, L.; Sun, Q.; Wang, X.; Wang, J.; Yu, S.; Zou, Y.; Liu, B.; Zhu, Z. An efficient privacy-preserving mutual authentication scheme for secure V2V communication in vehicular ad hoc network. IEEE Access 2019, 7, 55050–55063. [Google Scholar] [CrossRef]
  28. Wang, P.; Chen, C.M.; Kumari, S.; Shojafar, M.; Tafazolli, R.; Liu, Y.N. HDMA: Hybrid D2D message authentication scheme for 5G-enabled VANETs. IEEE Trans. Intell. Transp. Syst. 2020, 22, 5071–5080. [Google Scholar] [CrossRef]
  29. Mun, H.; Seo, M.; Lee, D.H. Secure privacy-preserving V2V communication in 5G-V2X supporting network slicing. IEEE Trans. Intell. Transp. Syst. 2021, 23, 14439–14455. [Google Scholar] [CrossRef]
  30. Du, Q.; Zhou, J.; Ma, M. EAIA: An Efficient and Anonymous Identity-Authentication Scheme in 5G-V2V. Sensors 2024, 24, 5376. [Google Scholar] [CrossRef]
  31. Damgård, I.B. A design principle for hash functions. In Conference on the Theory and Application of Cryptology; Springer: Berlin/Heidelberg, Germany, 1989; pp. 416–427. [Google Scholar]
  32. Herder, C.; Yu, M.D.; Koushanfar, F.; Devadas, S. Physical unclonable functions and applications: A tutorial. Proc. IEEE 2014, 102, 1126–1141. [Google Scholar] [CrossRef]
  33. Maes, R.; Verbauwhede, I. Physically unclonable functions: A study on the state of the art and future research directions. In Towards Hardware-Intrinsic Security: Foundations and Practice; Springer: Berlin/Heidelberg, Germany, 2010; pp. 3–37. [Google Scholar]
  34. Cervesato, I. The Dolev-Yao intruder is the most powerful attacker. In Proceedings of the 16th Annual Symposium on Logic in Computer Science—LICS, Citeseer, Boston, MA, USA, 16–19 June 2001; Volume 1, pp. 1–2. [Google Scholar]
  35. Yıldız, H.; Cenk, M.; Onur, E. PLGAKD: A PUF-based lightweight group authentication and key distribution protocol. IEEE Internet Things J. 2020, 8, 5682–5696. [Google Scholar] [CrossRef]
  36. Yogesh, P.R. Formal verification of secure evidence collection protocol using BAN logic and AVISPA. Procedia Comput. Sci. 2020, 167, 1334–1344. [Google Scholar] [CrossRef]
  37. Park, C.S.; Park, W.S. A group-oriented DTLS handshake for secure IoT applications. IEEE Trans. Autom. Sci. Eng. 2018, 15, 1920–1929. [Google Scholar] [CrossRef]
  38. Su, X.; Xu, Y.; Tong, H.; Li, T. A Cluster-based User Authentication Protocol for Internet of Medical Things Deployment. In Proceedings of the 2023 International Conference on Wireless Communications and Signal Processing (WCSP), Hangzhou, China, 2–4 November 2023; pp. 517–522. [Google Scholar]
  39. Bussa, S.; Sisto, R.; Valenza, F. Formal Verification of a V2X Privacy Preserving Scheme Using Proverif. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience (CSR), Venice, Italy, 31 July–2 August 2023; pp. 341–346. [Google Scholar]
Figure 1. IOV authentication model.
Figure 1. IOV authentication model.
Sensors 25 00212 g001
Figure 2. Factorial-tree-based accessible device table. The number of leaf nodes at each level in factorial tree is ( t + 1 ) ! , where t is the level of the tree.
Figure 2. Factorial-tree-based accessible device table. The number of leaf nodes at each level in factorial tree is ( t + 1 ) ! , where t is the level of the tree.
Sensors 25 00212 g002
Figure 3. R S U registration.
Figure 3. R S U registration.
Sensors 25 00212 g003
Figure 4. Mutual authentication between R S U and I O V D .
Figure 4. Mutual authentication between R S U and I O V D .
Sensors 25 00212 g004
Figure 5. I O V D join and leave.
Figure 5. I O V D join and leave.
Sensors 25 00212 g005
Figure 6. Proverif simulation results.
Figure 6. Proverif simulation results.
Sensors 25 00212 g006
Figure 7. Comparison of communication cost and calculation cost.
Figure 7. Comparison of communication cost and calculation cost.
Sensors 25 00212 g007
Table 1. Related works.
Table 1. Related works.
ReferenceMain Technologies AdoptedAdvantagesDisadvantages
[25]hash, ECC, PUF, blockchain, fuzzy extractorOBU intrusion attack ✓
device capture attack ✓
MITM attack ✓
impersonation attack ✓
anonymity and untraceability ✓
privilege-insider attack ×
forward secrecy ×
known session key security ×
high resource cost ×
fine-grained access control ×
[26]hash, asymmetric encryptionkey update ✓
mutual authentication ✓
identity guessing attack ×
impersonation attack ×
device capture attack ×
session key disclosure ×
high resource cost ×
fine-grained access control ×
[27]hash, asymmetric encryptionguessing attack ✓
session key security ✓
replay attack ✓
anonymity ✓
impersonation attack ×
forward secrecy ×
physical security ×
device capture attack ×
fine-grained access control ×
[28]hash, digital signature, lookup tableprivacy protection ✓
replay attack ✓
message integrity ✓
impersonation attack ✓
MITM attack ✓
privilege-insider attack ×
dynamic key update ×
physical security ×
anonymity and untraceability ×
high resource cost ×
fine-grained access control ×
[29]hash, ECC, symmetric encryptionauthorization and revocation ✓
privacy protection ✓
MITM attack ✓
privilege-insider attack ✓
anonymity and untraceability ✓
device capture attack ×
guessing attack ×
high resource cost ×
forward secrecy ×
fine-grained access control ×
[30]hash, ECCMITM attack ✓
replay attack ✓
forward secrecy ✓
impersonation attack ✓
anonymity and untraceability ✓
device capture attack ×
physical security ×
known session key security ×
high resource cost ×
fine-grained access control ×
Table 2. Notation and abbreviation.
Table 2. Notation and abbreviation.
NoationDescription
R S U , I O V D Road side unit, IoV device
E S Edge server
I D R , I D V Identity of R S U and I O V D
R I D R , R I D V Pseudo-identity of R S U and I O V D
T I D R , T I D V Temporary identity of R S U and I O V D
A D T Accessible device table of R S U
C k Cluster key of R S U
L k Leaf node key of I O V D
A L 1 ,…, A L n Auxiliary leaf node keys of I O V D
R k Master key of R S U
h ( · ) One-way collision-resistant hash function
P U F ( · ) Physical unclonable function
C i PUF-based challenge of I O V D
R i PUF-based response of I O V D
⊕, ‖Bitwise XOR and concatenation operations
N a , N b Random numbers for registration
N 1 , N 2 , N 3 Random numbers for authentication
S k R , S k V Session keys shared between R S U and
I O V D
A Adversary
P Q : M P sends the message M to Q
Table 3. Calculation costs comparison.
Table 3. Calculation costs comparison.
ProtocolAuthentication Total CostTime (ms)
[27] 18 T h 0.342 ms
[28] 4 T h + 5 T m e + 3 T a s + 2 T b p 172.818 ms
[29] 8 T h + 2 T m e + 2 T p m + 6 T a s + 2 T s i g 167.876 ms
[30] 5 T h + 4 T p m + 2 T p a 11.687 ms
Our 16 T h + T p u f 4.704 ms
Table 4. Communication costs comparison.
Table 4. Communication costs comparison.
ProtocolNumber of MessagesSize (Bits)
[27]31216 bits
[28]52308 bits
[29]43232 bits
[30]31672 bits
Our31508 bits
Table 5. Security features comparison.
Table 5. Security features comparison.
FeatureOur[27][28][29][30]
R S U impersonation attack×
I O V D impersonation attack×
Replay attack
I O V D captured Attack××××
Man-in-the-middle attack×
Stolen-verifier attack
Authority modification attack××××
Insider privilege attack××
Off-line password guessing attack××
Anonymity and untraceability××
Known session key security×××
Perfect forward secrecy and backward secrecy××
Mutual authentication
Key agreement××
Physical security××××
Dynamic key update×××
Fine-grained access control
Number of authentication messages33543
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Su, X.; Xu, Y. An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks. Sensors 2025, 25, 212. https://doi.org/10.3390/s25010212

AMA Style

Su X, Xu Y. An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks. Sensors. 2025; 25(1):212. https://doi.org/10.3390/s25010212

Chicago/Turabian Style

Su, Xinzhong, and Youyun Xu. 2025. "An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks" Sensors 25, no. 1: 212. https://doi.org/10.3390/s25010212

APA Style

Su, X., & Xu, Y. (2025). An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks. Sensors, 25(1), 212. https://doi.org/10.3390/s25010212

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop