An Efficient Cluster-Based Mutual Authentication and Key Update Protocol for Secure Internet of Vehicles in 5G Sensor Networks

Abstract

The Internet of Vehicles (IoV), a key component of smart transportation systems, leverages 5G communication for low-latency data transmission, facilitating real-time interactions between vehicles, roadside units (RSUs), and sensor networks. However, the open nature of 5G communication channels exposes IoV systems to significant security threats, such as eavesdropping, replay attacks, and message tampering. To address these challenges, this paper proposes the Efficient Cluster-based Mutual Authentication and Key Update Protocol (ECAUP) designed to secure IoV systems within 5G-enabled sensor networks. The ECAUP meets the unique mobility and security demands of IoV by enabling fine-grained access control and dynamic key updates for RSUs through a factorial tree structure, ensuring both forward and backward secrecy. Additionally, physical unclonable functions (PUFs) are utilized to provide end-to-end authentication and physical layer security, further enhancing the system’s resilience against sophisticated cyber-attacks. The security of the ECAUP is formally verified using BAN Logic and ProVerif, and a comparative analysis demonstrates its superiority in terms of overhead efficiency (more than 50%) and security features over existing protocols. This work contributes to the development of secure, resilient, and efficient intelligent transportation systems, ensuring robust communication and protection in sensor-based IoV environments.

1. Introduction

In recent years, the widespread deployment of sensor devices in various sectors, including urban transportation, healthcare, and the industrial Internet, has significantly improved connectivity and functionality [1,2]. In the Internet of Vehicles (IoV), a critical element of smart urban transportation, vehicles equipped with on-board units (OBUs) integrated with sensors and electronic control units (ECUs) exchange real-time data with external environments, enabling advanced functionalities such as autonomous driving and collision avoidance [3]. Furthermore, the external environment includes a wide array of roadside sensing devices, such as microwave radars, motion detection cameras, speed detection cameras, traffic light controllers, and dynamic display signs, which collectively form a comprehensive network [4,5,6,7,8,9,10]. At the core of this network are roadside units (RSUs), whose primary function is to collect and process real-time information on road conditions, traffic flow, and vehicle data. RSUs facilitate communication between vehicles, pedestrian devices, and other IoV nodes, including sensor networks and intelligent terminals, to enable end-to-end communication between vehicles, infrastructure, and pedestrians. This seamless data exchange between IoV entities is essential to improve road safety, traffic management, and overall system efficiency, while also raising significant security challenges due to the open and interconnected nature of these sensor-based networks [11,12,13,14].

Specifically, RSUs allow participating nodes to sense their surroundings by gaining access to operational data [15], traffic control information, congestion data, and visual blind spots of IoV devices within their range and authority. This expands their “field of view” to “see” vehicles, pedestrians, and buildings behind intersection masks, regardless of weather conditions. Information sharing among these participating entities can significantly reduce the incidence of traffic accidents and improve traffic safety [16,17].

With the global commercial launch of the 5th Generation Mobile Communication Technology (5G), 5G base station (gNodeB, gNB)-assisted communication is widely used in IoV and other systems due to its low latency, etc. [18]. In the 5G IoV system, information exchange between RSU and device, RSU and OBU, and OBU and OBU is connected through the 5G network [19,20], which can lead to various unknown risks. Due to the open nature of the channel, the attacker can intercept, replay, and falsify the transmitted information, and may launch multiple network attacks, resulting in system crashes. Therefore, it is crucial to ensure the confidentiality, integrity, and authenticity of IoV information transmission.

In recent years, authentication has been recognized as promising in protecting the security and privacy of nodes [21,22,23,24]. By verifying the identity of an entity, unauthorized access and message forgery can be eliminated and the confidentiality of transmitted data can be ensured. However, considering the diversity of attack types, most current relevant authentication schemes suffer from security flaws, and the overhead of the algorithms used is too high to be applicable for practical deployment in the IoV environment. Therefore, in this paper, we propose an efficient cluster-based mutual authentication and key update protocol (ECAUP) to realize low overhead and highly reliable information interaction among IoV nodes. For this paper, the main contributions are as follows:

The fine-grained access authority control of RSU to sensing devices is realized through the factorial tree, which must access the corresponding devices according to the group key generated in the registration phase, and low-cost encryption algorithms such as physical unclonable functions (PUFs) are utilized to provide physical layer security against device capture attacks while realizing end-to-end security authentication.

Considering the mobility of IoV and the device update of RSU clusters, a dynamic and flexible cluster key update scheme is proposed to provide perfect forward and backward secrecy for ECAP with anonymous and untraceable properties under the premise of security.

Verify the security of ECAUP’s session and update keys using tools such as BAN logic and Proverif, and analyze its reliability against various attacks and the security features it possesses. Moreover, the comparison with other schemes in terms of computation and communication overhead demonstrates the efficiency of the ECAUP.

Organization of the rest of the paper: Section 2 presents related research and work. Section 3 presents the mathematical background. Section 4 explains the authentication model and attacker model. Section 5 provides the implementation process of ECAUP. Section 6 provides a security analysis of ECAUP. Section 7 provides comparisons with other schemes. Section 8 summarizes the paper and gives future research directions.

2. Related Work

Currently, the related research on authentication in IOV has been continuously advancing. Xie et al. [25] proposed an authentication protocol based on blockchain and elliptic curve cryptography (ECC) to meet the needs of Vehicular Ad-hoc Networks (VANETs), which can realize the authentication between vehicle-to-vehicle and vehicle-to-roadside devices, and the method applies vehicle attributes, node pseudo-identity, and dynamic anonymity strategy within the protocol to ensure anonymity and untraceability. In addition, to achieve physical layer security, they use PUFs to cope with device capture attack and fuzzy-extractor-based bioinformation to avoid OBU intrusion attack.

Zhou et al. [26] proposed a mutual authentication protocol for vehicular sensor networks in 2017, but Wu et al. [27] found that the protocol could not solve the identity guessing attack, impersonation attack, and session key leakage. Therefore, Wu et al. proposed an efficient vehicle-to-vehicle secure communication authentication protocol to solve IoV security and privacy protection problems, which can realize secure mutual authentication between OBUs, and not only resist replay attack and guessing attacks but also ensure node anonymity. However, the scheme of Wu et al. cannot guarantee the forward secrecy of the communication session because it cannot address the impact of long-term key leakage.

Wang et al. [28] proposed a 5G-based end-to-end message authentication scheme for nodes applicable to VANETs that utilizes a group signature-based algorithm to achieve initial mutual authentication between vehicle-to-vehicle communication. In the proposed scheme, a vehicle first authenticates with a third-party trusted entity and uses one of the pseudo-identities to obtain its local signing private key, which can be used to sign messages to communicate with other vehicles in the neighborhood. In addition, to improve the computational speed of signature and modulo power operations, Wang et al. deployed a computational lookup table ahead of time in the registration phase, which improves the verification efficiency, and the related performance and security analyses demonstrate the effectiveness of the scheme in privacy protection.

Mun et al. [29] in 2022 proposed a new 5G-based Vehicle-to-Everything (V2X) security architecture that utilizes network slicing to enable V2X services with different characteristics and analyzes the security requirements of V2X services based on their ability to provide secure V2X authentication. The solution not only enables service authorization and revocation of participating nodes but also transmits information such as services and key credentials without revealing sensitive vehicle information. However, the computational overhead of the scheme proposed by Mun et al. is too high to meet the end-to-end latency requirements of autonomous driving in IoV.

Du et al. [30], in 2024, proposed an anonymous authentication protocol for 5G IoV nodes against impersonation attacks, which utilizes cryptographic algorithms such as elliptic curves to ensure the session privacy of the communication between OBU and RSU, and demonstrates its effectiveness against man-in-the-middle, replay, and other attacks through simulation and security analysis. The scheme uses temporary anonymized identity instead of the original identity and the nodes are unable to know each other’s real identity; hence, privacy is preserved. Moreover, the utilization of authentication to generate temporary key for communication eases the burden of key management and makes it difficult for attackers to obtain keys or tamper with messages.

However, the above schemes still have many flaws in terms of security and efficiency. For example, the overhead of the encryption method used is too high, and when actually deployed, the computation and communication overhead is too high to meet the low-latency requirement of IoV. Furthermore, all the above schemes lack access control on RSU authority, which makes them vulnerable to authority change attack from internal contaminated RSUs.

Table 1. Related works.

Reference	Main Technologies Adopted	Advantages	Disadvantages
[25]	hash, ECC, PUF, blockchain, fuzzy extractor	OBU intrusion attack ✓ device capture attack ✓ MITM attack ✓ impersonation attack ✓ anonymity and untraceability ✓	privilege-insider attack × forward secrecy × known session key security × high resource cost × fine-grained access control ×
[26]	hash, asymmetric encryption	key update ✓ mutual authentication ✓	identity guessing attack × impersonation attack × device capture attack × session key disclosure × high resource cost × fine-grained access control ×
[27]	hash, asymmetric encryption	guessing attack ✓ session key security ✓ replay attack ✓ anonymity ✓	impersonation attack × forward secrecy × physical security × device capture attack × fine-grained access control ×
[28]	hash, digital signature, lookup table	privacy protection ✓ replay attack ✓ message integrity ✓ impersonation attack ✓ MITM attack ✓	privilege-insider attack × dynamic key update × physical security × anonymity and untraceability × high resource cost × fine-grained access control ×
[29]	hash, ECC, symmetric encryption	authorization and revocation ✓ privacy protection ✓ MITM attack ✓ privilege-insider attack ✓ anonymity and untraceability ✓	device capture attack × guessing attack × high resource cost × forward secrecy × fine-grained access control ×
[30]	hash, ECC	MITM attack ✓ replay attack ✓ forward secrecy ✓ impersonation attack ✓ anonymity and untraceability ✓	device capture attack × physical security × known session key security × high resource cost × fine-grained access control ×

summarizes the related research of existing work.

3. Preliminaries

3.1. One-Way Hash Function

A one-way hash function [31] has an input and an output, where the input is called the message and the output is called the hash value. A one-way hash function can be calculated based on the content of the message hash value, and the hash value can be used to check the integrity of the message. Simply stated, the content of any length is converted into a fixed-length output string, and it is difficult to restore the original content through the output string. It is widely used in the fields of message summarization, message authentication code, key encryption, and data integrity verification. A one-way hash function can be denoted as $h:{\{0,1\}}^{\ast }\to {\{0,1\}}^n$, where $m\in {\{0,1\}}^{\ast }$ and $h\left(m\right)\in {\{0,1\}}^n$ are an input of arbitrary length binary strings and an output of fixed length binary strings, respectively.

3.2. Physical Unclonable Function

The Physical Unclonable Function [32,33] is a hardware security function based on physical characteristics. The PUF is a hardware security feature based on physical characteristics that takes advantage of uncontrollable differences in the manufacturing process of semiconductor devices to generate and store a unique identifier on a chip. The PUF generates a unique output for each access that is not stored on the chip and cannot be accessed, thus ensuring its unclonability.

PUF technology can be applied in many fields, such as information security, anti-counterfeiting authentication, Internet of Things (IoT), etc. (1) Information security: PUF can be used for key generation and storage. The unique identification generated by PUF can be used as the key generator in encryption systems to ensure the uniqueness and security of the key. (2) Anti-counterfeiting authentication: The PUF can be used for product anti-counterfeiting authentication. Each product can be equipped with a PUF, through the generation of unique identification, to achieve product anti-counterfeiting and traceability. (3) IoT: IoT devices need to be secure and trustworthy when deployed on a large scale. A PUF can be used for authentication and key generation of IoT devices to prevent them from being tampered with or cloned.

PUFs can be categorized into two types, i.e., strong PUFs and weak PUFs, based on factors such as the size of the chip. The number of challenge response pairs that can be generated by a strong PUF is much higher than that of a weak PUF, and usually, the researcher chooses the appropriate type of PUF based on the specific scenario. Suppose that we use a strong PUF in our scenario. The mathematical definition of a PUF can be denoted as $PUF\left(C\right)=R$, where C is the input incentive and challenge, and R is the output response. It is worth noting that since the PUF relies on the physical property of not storing any key, there may exist two responses, R and $R^{\prime }$, for the same input C in the actual authentication process. Usually, the threshold r is set and the authentication is passed when the Hamming distance between R and $R^{\prime }$ satisfies $HamDis(R,R^{\prime })\le r$. The main purpose of the ECAUP utilizing a PUF is to reduce key storage and provide physical layer security. Therefore, in this paper, we do not consider the response difference of PUFs.

4. System Model

4.1. Authentication Model

As shown in Figure 1, the 5G IoV system mainly consists of a 5G core network (5GC) and a 5G radio access network (RAN). Distributing different types of IoV devices on both sides of the road, e.g., sensors such as speed camera, motion surveillance camera, and radar, as well as vehicles and pedestrians traveling on the road carrying a variety of intelligent terminals, e.g., OBU and cell phone, these intelligent terminals and devices constitute the so-called HIOV system. The 5GC-based system architecture includes various functions such as Access and Mobility Management Function (AMF), Authentication Server Function (AUSF), and Unified Data Management (UDM), which can be integrated into a particular ES. In the specific authentication process, the AMF is responsible for processing and providing 5G access, registration, and mobility management for participating nodes, including OBUs and roadside sensors. AUSF and UDM are responsible for maintaining the key management of the nodes, providing data upload and storage, and supporting authority modification configurations, authentication data, and subscription data. The 5G-enabled IoV mutual authentication protocol consists of four main components: RSU, ES, gNB, and IoV terminal device (IOVD).

Specifically, when there are collisions, traffic jams, fires, and other traffic conditions, various sensor devices in the IoV system will collect information related to traffic conditions and send it to RSU, which then forwards the information to vehicles and pedestrians in an end-to-end way, facilitating the traffic participants to make quick judgments, which indirectly expands the “traffic vision” of the drivers and pedestrians, and greatly decreases the number of traffic accidents. However, the communication radius of RSU is about 500–1000 m, to realize the access control of RSU to ensure the privacy of IOVD data. We divided the range of accessible devices for different RSUs. As shown in Figure 1, the two circles show the clusters of accessible devices for RSU1 and RSU2, respectively (note that the range is not only determined by the communication distance but also includes restrictions on the devices that can be accessed by the RSUs themselves).

When a new device, e.g., OBU1, wants to join the RSU1 cluster, the cluster key generated based on access control needs to be updated. Since the whole IoV system is a dynamic process, and the traditional offline key update method obviously does not meet the practical requirements, the key update needs to be realized in an online way.

In addition, we assume that ES is a completely trusted third-party entity, whose information such as internal keys cannot be captured by attackers. In contrast, RSUs and IOVDs are common participating nodes in the IoV system, which are not only susceptible to various network attacks but also have relatively simple internal hardware structures and very limited communication and computational resources compared to ES.

4.2. Threat Model

The security analysis model of our proposed scheme is based on an extension of the Dolev–Yao [34] threat model (DY model), in which some behaviors of an adversary can be defined:

(1)

The adversary has the ability to generate random numbers and timestamps;

(2)

The adversary may arbitrarily intercept, alter, delete, and relocate messages transmitted in the public channel;

(3)

The adversary may attempt to impersonate and track nodes;

(4)

The adversary may act as an intermediate node to forge and forward messages;

(5)

The adversary may act as an insider attacker to change authorities;

(6)

An adversary has the ability to physically capture devices;

(7)

The adversary is unable to obtain any secret information from ES regardless of the method used.

5. Proposed Scheme

In this section, we detail the implementation process of ECAUP, which consists of five main phases as follows: (1) parameter setup, (2) $IOVD$ registration, (3) $RSU$ registration, (4) mutual authentication, and (5) dynamic key update. During the setup phase, some ECAUP public parameters (e.g., the type of PUF) are selected by a fully trusted $ES$. After setup, $RSU$ and $IOVD$ need to complete the registration with the help of $ES$. Then, a secure session key is generated between $RSU$ and $IOVD$ through mutual authentication for subsequent secure communication. Furthermore, ECAUP flexibly realizes online cluster key update when new/old devices join/exit.

Table 2. Notation and abbreviation.

Noation	Description
$RSU$, $IOVD$	Road side unit, IoV device
$ES$	Edge server
$I{D}_R$, $I{D}_V$	Identity of $RSU$ and $IOVD$
$RI{D}_R$, $RI{D}_V$	Pseudo-identity of $RSU$ and $IOVD$
$TI{D}_R$, $TI{D}_V$	Temporary identity of $RSU$ and $IOVD$
$ADT$	Accessible device table of $RSU$
$C_k$	Cluster key of $RSU$
$L_k$	Leaf node key of $IOVD$
$A{L}_1$,…,$A{L}_n$	Auxiliary leaf node keys of $IOVD$
$R_k$	Master key of $RSU$
$h(·)$	One-way collision-resistant hash function
$PUF(·)$	Physical unclonable function
$C_i$	PUF-based challenge of $IOVD$
$R_i$	PUF-based response of $IOVD$
⊕, ‖	Bitwise XOR and concatenation operations
$N_a$, $N_b$	Random numbers for registration
$N_1$, $N_2$, $N_3$	Random numbers for authentication
$S{k}_R$, $S{k}_V$	Session keys shared between $RSU$ and
	$IOVD$
$\mathcal{A}$	Adversary
$P\to Q:M$	P sends the message M to Q

lists the related symbols and their abbreviations used in ECAUP.

5.1. Parameter Setup Phase

Before authentication, there are three necessary operations performed by the $ES$. First, $ES$ chooses a one-way hash function $h(·)$ that generates a fixed-length string (e.g., hash-256), which guarantees the integrity and tamper-proofness of messages. Next, $ES$ sets an appropriate $PUF(·)$ for $IOVD$ and stores a set of challenge and response pairs $(C_i,R_i)$ generated from such PUF (assuming that a strong PUF is used) into its database, which can be used for subsequent authentication to provide physical-layer security. Finally, $ES$ chooses a factorial tree architecture to generate cluster-based access authority key $C_k$ for $RSU$ in the subsequent registration. Note: In ECUAP, we assume that $ES$ has rich database functions such as store, find, modify and delete.

5.2. $RSU$ Registration Phase

In general, IoV consists of many sensors, such as speed radar, localization device, motion detection camera, time detection camera, etc. However, the effective communication radius of $RSU$ is about 500 m to 1000 m, which requires multiple $RSU$s to be controlled cooperatively to realize the interaction of the entire IoV sensor data. These $RSU$s can then interact with $IOVD$s to enable vehicles/pedestrians to “see” the complex road conditions behind the cover and react quickly, which greatly reduces the incidence of traffic accidents and improves the safety of IoV. Therefore, we achieve the authority attribution of $RSU$ through fine-grained access control based on factorial tree [35] as follows:

(1)

Factorial-tree-based fine-grained access control

The purpose of fine-grained access control is to authenticate and transmit information to $IOVD$s within range based on the communication radius of the $RSU$. However, due to the dynamic character of HIOV (i.e., the mobility of vehicles or pedestrians), the forward secrecy and backward secrecy of the key are difficult to guarantee. Thus, we provide online factorial-tree-based cluster key updates for ECAUP.

As shown in Figure 2, the cluster architecture of ECAUP can be simplified as a factorial tree, which consists of multiple layers of leaf nodes (level 1–level t)) and a single root node level 0, where t is the level of the tree. In the tree, layer t denotes the $IOVD$s accessible to $RSU$, i.e., $\left\{h_{t0}=L_{k0},h_{t1}=L_{k1},...,h_{t\left[\right(t+1)!-1]}=L_{k\left[\right(t+1)!-1]}\right\}$, where $\left\{L_{k0},L_{k1},...,L_{kt}\right\}$ is the leaf node key generated by $ES$ to $IOVD$.

$$h_{xy}=h\left\{h_{(x+1)(xy+2y)}\parallel ,...,\parallel h_{(x+1)(xy+2y+x+1)}\right\}$$

(1)

Then, the auxiliary leaf node keys $A{L}_{kxy}=h_{xy}$ can be computed from (1), where $x=1,2,...,t-1$ and $y=0,1,...,(x+1)!$. Finally, the cluster key $C_k=h_{00}$ of $RSU$ is computed.

(2)

Registration

First, $RSU$ sends a registration request containing $I{D}_R$ and an accessible device table $ADT=\left\{IOV{D}_1,IOV{D}_2,...,IOV{D}_n\right\}$ to $ES$ via a secure channel. Once the request from $RSU$ is received, $ES$ first selects an appropriate factorial tree level t based on the number of $IOVD$s n. $ES$ then sets the identities $\left\{I{D}_{V0},I{D}_{V1},...,I{D}_{V\left[\right(t+1)!-1]}\right\}$ and leaf node keys $\left\{L_{k0},L_{k1},...,L_{k\left[\right(t+1)!-1]}\right\}$ for these devices and computes the corresponding auxiliary leaf node keys $A{L}_{kxy}$ and cluster/root key $C_k=h(A{L}_{k10}\parallel A{L}_{k11})$. Next, $ES$ also finds the corresponding device’s PUF-based challenge response pairs $(C_i,R_i)$ in the database according to $ADT$. In addition, $ES$ sets a master key $R_k$ for $RSU$ and computes pseudo-identity $RI{D}_R=h(I{D}_R\parallel N_a)$, where $N_a$ is a random number generated by $ES$. Finally, $ES$ sends $\left\{C_k,R_k,RI{D}_R,(C_i,R_i)\right\}$ to $RSU$ via secure channel and stores $\left\{C_k,L_k,A{L}_k,R_k,I{D}_R,ADT\right\}$ into its database. Upon receiving a message from the $ES$, the $RSU$ stores the information contained in the message, such as the key, into memory as well. The RSU registration process is summarized in Figure 3.

5.3. $IOVD$ Registration Phase

In the $IOVD$ registration phase, a registration request containing $I{D}_V$ is first sent by $IOVD$ to $ES$. The ownership of $IOVD$ is then confirmed in the database by $ES$ according to $ADT$. As shown in Figure 2, assuming that the level of the factorial tree is 3 and $h_{30}$ represents the current $IOVD$, ES selects the shortest path $\left\{h_{20},h_{10},h_{00}\right\}$ from the bottom up and fetches $\left\{L_{k0},A{L}_{k20},A{L}_{k10}\right\}$ in the database. Next, $ES$ computes the pseudo-identity $RI{D}_V=h(I{D}_V\parallel N_b)$, and $P=h(C_k\parallel I{D}_R)$, where $N_b$ is a random number. Finally, $ES$ sends $\left\{P,RI{D}_V,L_{k0},A{L}_{k20},A{L}_{k10}\right\}$ to $IOVD$ in a secure channel and stores $I{D}_V$. Meanwhile, $IOVD$ receives and stores the message from $ES$.

5.4. Mutual Authentication Phase

When the $RSU$ wants to access the $IOVD$ and obtain data, it needs to complete a two-way authentication operation between $RSU$ and $IOVD$. After authentication is finished, a secure session key $S{k}_R=S{k}_V$ is established between $RSU$ and $IOVD$ for subsequent data transmission. Note that authentication is realized via an open channel (e.g., 5G core network/Internet) as follows:

Step 1: $RSU\to IOVD:\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$

First $RSU$ generates the random number $N_1$ and extracts the pair $(C_i,R_i)$ from its memory according to the $IOVD$ it wants to access, and then computes $N_1^{\ast }=N_1\oplus h(RI{D}_R\parallel h(C_k\parallel I{D}_R))=N_1\oplus TI{D}_R$, $T_1=h(R_i\parallel RI{D}_R\parallel h(C_k\parallel I{D}_R))$, where $TI{D}_R$ is the temporary identity of $RSU$. Finally, $M_1=\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$ is sent by the $RSU$ to $IOVD$ via public channel.

Step 2: $IOVD\to RSU:\left\{N_2^{\ast },T_2,T_3,T_4,RI{D}_V\right\}$

Once the message $M_1$ is received from $RSU$, $IOVD$ extracts $N_1^{\prime }=N_1^{\ast }\oplus h(RI{D}_R\parallel P)$ to verify the freshness. If found fresh, the session continues; otherwise, it aborts. $IOVD$ then inputs $C_i$ from $M_1$ into PUF to obtain the response $R_i$ and computes $T_1^{\prime }=h(R_i\parallel RI{D}_R\parallel P)$ to verify $T_1^{\prime }\stackrel{?}{=}{T}_1$. If not satisfied, the session is terminated; otherwise, it continues. Next, $IOVD$ generates the random number $N_2$, computes the temporary identity $TI{D}_V=h(RI{D}_V\parallel P)$, $N_2^{\ast }=N_2\oplus TI{D}_V$, $a_i=h(L_k\parallel I{D}_V)$, $T_2=N_2\oplus a_i$, $T_3=h(P\parallel R_i\parallel N_1\parallel N_2\parallel I{D}_V)$, $T_4=h(T_3\parallel a_i\parallel RI{D}_V)$, and sends $M_2=\left\{N_2^{\ast },T_2,T_3,T_4\right\}$ to $RSU$ via public channel.

Step 3: $RSU\to IOVD:\left\{N_3^{\ast },T_5,T_6\right\}$

When the message $M_2$ is received from $IOVD$, $RSU$ extracts $N_2^{\prime }=N_2^{\ast }\oplus h(RI{D}_V\parallel h(C_k\parallel I{D}_R))$ and verifies the freshness. If it is met, $RSU$ further computes $a_i^{\prime }=T_2\oplus N_2^{\prime }$, $T_4^{\prime }=h(T_3\parallel a_i^{\prime }\parallel RI{D}_V)$ and verifies $T_4^{\prime }\stackrel{?}{=}{T}_4$. When all the above conditions are met, the session continues; otherwise, it is terminated. $RSU$ then generates a random number $N_3$ and computes $N_3^{\ast }=N_3\oplus TI{D}_R$, $b_i=h(R_k\parallel I{D}_R)$, $T_5=N_3\oplus b_i$, $T_6=h(b_i\parallel N_3\parallel R_i\parallel RI{D}_R)$. Moreover, the ultimate session key $S{K}_R=h(a_i\parallel b_i\parallel T_3\parallel N_3)$ is computed by $RSU$ for subsequent communication. Finally, $M_3=\left\{N_3^{\ast },T_5,T_6\right\}$ is sent by $RSU$ to $IOVD$ via a public channel.

Step 4: Meanwhile, once $M_3$ is received, $IOVD$ verifies the freshness of the random number through extraction $N_3^{\prime }=N_3^{\ast }\oplus h(RI{D}_R\parallel P)$. $N_3^{\prime }$ is determined fresh, and the session continues; otherwise, it terminates. $IOVD$ then computes $b_i^{\prime }=T_5\oplus N_3^{\prime }$, $T_6^{\prime }=h(b_i^{\prime }\parallel N_3^{\prime }\parallel R_i\parallel RI{D}_R)$ and verifies $T_6^{\prime }\stackrel{?}{=}{T}_6$. When both are equal, $IOVD$ computes the session key $S{K}_V=h(a_i\parallel b_i\parallel T_3\parallel N_3)=S{K}_R$, which is used for subsequent data encryption between $RSU$ and $IOVD$. The authentication process is summarized in Figure 4.

5.5. Dynamic Key Update Phase

In this paper, an $RSU$ can only access the corresponding sensor devices based on $ADT$. The accessible device table $ADT$ needs to be kept up to date due to the mobility of participant nodes in urban transportation, e.g., sensors attached to pedestrians and vehicles. Moreover, for static sensors such as speed cameras/radar, $ADT$ also needs to be updated when new/old devices join/leave the cluster of $RSU$. For ease of description, we assume that t is 2, as shown in Figure 5. Therefore, this section describes the dynamic update process of cluster key $C_k$ in ECAUP as follows.

The entire key update process of ECAUP is implemented in an online manner with the help of a fully trusted $ES$, which only requires that $ES$ sends update messages unilaterally to $IOVD$ and $RSU$, and does not involve multiple message interaction and authentication, which greatly reduces network congestion. First, $ES$ resets the structure of the factorial tree and layer t according to the number of added devices, and generates the corresponding auxiliary leaf node keys $A{L}_k$ a and cluster key $C_k$. Then, depending on the forwarding logic rule of factorial tree, it implements the online update of Ck with the minimum number of messages.

(1)

$IOVD$ joins the cluster

$ES\to IOVD$: $ES$ first generates the random number $N_j$ and then computes the factorial tree element $A{L}_{k20}=h(L_{k0}\parallel L_{k6})$, $A{L}_{k10}^{new}=h(A{L}_{k20}\parallel L_{k1}\parallel L_{k2})$, $C_k^{new}=h(A{L}_{k10}^{new}\parallel A{L}_{k11})$, $P^{new}=h(C_k^{new}\parallel I{D}_R)$, the random number verification message $N_j^{\ast }=N_j\oplus h(C_k\parallel I{D}_R)=N_j\oplus P$, $N_j^{\prime \ast }=N_j\oplus h(C_k^{pre}\parallel I{D}_R^{pre})=N_j\oplus P^{pre}$. Next, $ES$ computes ${\alpha }_1=h(P\parallel A{L}_{k11}\parallel N_j)$, $X_1=P^{new}\oplus {\alpha }_1$ for $D_3$, $D_4$, $D_5$; ${\alpha }_2=h(P\parallel A{L}_{k10}\parallel N_j)$, $X_2=P^{new}\oplus {\alpha }_2$, $X_3=A{L}_{k10}^{new}\oplus {\alpha }_2$, for $D_1$, $D_2$; ${\alpha }_3=h(P\parallel A{L}_{k10}\parallel L_{k0}\parallel N_j)$, $X_4=P^{new}\oplus {\alpha }_3$, $X_5=A{L}_{k10}^{new}\oplus {\alpha }_3$, $X_6=A{L}_{k20}\oplus {\alpha }_3$ for $D_0$; and ${\alpha }_4=h(P^{pre}\parallel L_{k6}\parallel N_j)$, $X_7=P^{new}\oplus {\alpha }_4$, $X_8=A{L}_{k10}^{new}\oplus {\alpha }_4$, $X_9=A{L}_{k20}\oplus {\alpha }_4$ for $D_6$. Finally $ES$ broadcasts $Y_1=\left\{N_j^{\ast },X_1\right\}$, $Y_2=\left\{N_j^{\ast },X_2,X_3\right\}$, $Y_3=\left\{N_j^{\ast },X_4,X_5,X_6\right\}$ and $Y_4=\left\{N_j^{\prime \ast },X_7,X_8,X_9\right\}$ to the devices in cluster. Finally, $ES$ stores all the factorial tree information $C_k^{new}$, $A{L}_k^{new}$ into the database.

Upon receiving the broadcast messages, $D_0$,$D_1$,…,$D_6$ extract $P^{new}$ and the updated auxiliary leaf node keys $A{L}_k^{new}$, respectively. For instance, $D_0$ can only extract the secret information in $Y_3$ due to the absence of other path keys in the factorial tree. $D_0$ first extracts $N_j^{\prime }=N_j^{\ast }\oplus P$ and verifies the freshness, and terminates the key update if it does not match. Then, $D_0$ extracts $P^{new}$, $A{L}_{k10}^{new}$, and $A{L}_{k20}$ to replace the original keys (the update process for $D_1$,$D_2$,…,$D_6$ follows in the same way). Therefore, dynamic key update can be perfectly achieved in ECAUP for the new $IOVD$ join.

$ES\to RSU$: $ES$ generates a random number $N_{j1}$ and then computes $N_{j1}^{\ast }=N_{j1}\oplus h(C_k\parallel I{D}_R)$, $S_i=h(R_k\parallel N_{j1})$, $Z_1=C_k^{new}\oplus S_i$, $Z_2=C_i^{new}\oplus S_i$, $Z_3=R_i^{new}\oplus S_i$ and sends $\left\{N_{j1}^{\ast },Z_1,Z_2,Z_3\right\}$ via an open channel to the $RSU$ in the current cluster, where $C_i^{new}$ and $R_i^{new}$ are multiple challenges and responses from PUF of the new device taken out by $ES$ in its database. $N_{j1}$ is first extracted and verified to be fresh when $RSU$ receives the message from $ES$. Next, $RSU$ extracts and stores $C_k^{new}$, $(C_i^{new},R_i^{new})$ and deletes the original $C_k$, $(C_i,R_i)$ in memory.

(2)

$IOVD$ leaves the cluster

As shown in Figure 5, the root key of the factorial tree also needs to be updated when the old device $D_0$ leaves the current cluster, which is similar to the joining process. First, $ES$ changes the structure of the tree and computes the path key of the changed node (i.e., leaf node, auxiliary leaf node, root node) by hash, and then broadcasts messages to corresponding nodes through the factorial-tree-based forwarding logic rule. Meanwhile, $RSU$ receives additional update messages from $ES$. Finally $RSU$ and $IOVD$s verify the above messages and realize the update of the original key. Note that all dynamic key updates are accomplished via the public channel, regardless of the joining or leaving of devices.

6. Security Analysis

In this section, we verify the security of the ECAUP using both formal and informal security analysis. In particular, we first analyze the security of the session key generated between $RSU$ and $IOVD$ in the protocol utilizing BAN logic. Further, the robustness of the ECAUP in the face of various attacks is then given using informal security analysis. In addition, we perform a comprehensive verification of the protocol with Proverif, a popular automated verification tool.

6.1. BAN-Logic-Based Formal Security Analysis

In the reasoning process of BAN logic [36], the beliefs of participants in a protocol change continuously with the increase of message exchange. The application of BAN logic firstly requires an “idealization step”, i.e., converting the messages of the protocol into formulas in BAN logic; secondly, making reasonable assumptions based on the situation of the protocol, then reasoning according to the rules and assumptions; and, finally, deducing whether the protocol can accomplish the desired goal. In this paper, we verify the security of the session keys $S{K}_R$ and $S{K}_V$ generated in the ECAUP through BAN logic.

(1)

Notation and rule

Some notations and semantics in BAN logic are as follows.

N1: $P\mid \equiv X$: Principal P believes statement X.

N2: $P⊲X$: Principal P sees the statement X.

N3: $P|\backsim X$: Principal P once said the statement X.

N4: $P\Rightarrow X$: Principal P has jurisdiction over the statement X.

N5: $\#\left(X\right)/fresh\left(X\right)$: Formula X is fresh.

N6: ${\langle X\rangle }_Y$: A message synthesized from formula X and secret Y.

N7: $P\stackrel{K}{⟷}Q$: Formula K is a shared key of P and Q.

N8: $P\stackrel{X}{\rightleftharpoons }Q$: Formula X is a secret only known to P and Q.

N9: $(X,Y)$: Formula $(X,Y)$ containing formula X and formula Y.

N10: $SK$: Session key used in the current session.

BAN consists of 19 inference rules, and we only list the relevant rules used in ECAUP.

R1: ${\displaystyle \frac{P|\equiv Q\stackrel{Y}{\rightleftharpoons }P,P⊲{\langle X\rangle }_Y}{P|\equiv Q|\backsim X}}$: Message-meaning rule.

R2: ${\displaystyle \frac{P|\equiv \#(X),P|\equiv Q|\backsim X}{P|\equiv Q|\equiv X}}$: Nonce-verification rule.

R3: ${\displaystyle \frac{P|\equiv \#(X)}{P|\equiv \#(X,Y)}}$: Freshness rule.

R4: ${\displaystyle \frac{P|\equiv Q\Rightarrow X,P|\equiv Q|\equiv X}{P|\equiv X}}$: Jurisdiction rule.

R5: ${\displaystyle \frac{P|\equiv (X,Y)}{P|\equiv X}},{\displaystyle \frac{P⊲(X,Y)}{P⊲X}},{\displaystyle \frac{P|\equiv Q|\backsim (X,Y)}{P|\equiv Q|\backsim X}},{\displaystyle \frac{P|\equiv Q|\equiv (X,Y)}{P|\equiv Q|\equiv X}}$: Seeing and belief rule.

(2)

Security goal

Based on the above BAN logic rules, the security goals of ECAUP can be expressed as follows:

G1: $RSU\mid \equiv (RSU\stackrel{SK}{⟷}IOVD)$.

G2: $IOVD\mid \equiv (RSU\stackrel{SK}{⟷}IOVD)$.

(3)

Idealized form

In mutual authentication of ECAUP, messages $M_1$, $M_2$ and $M_3$ transmitted between $RSU$ and $IOVD$ can be abstractly represented as follows:

M1: $RSU\to IOVD:\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$.

M2: $IOVD\to RSU:\left\{N_2^{\ast },T_2,T_3,T_4,RI{D}_V\right\}$.

M3: $RSU\to IOVD:\left\{N_3^{\ast },T_5,T_6\right\}$.

M1: $RSU\to IOVD:({\langle N_1,RI{D}_R,I{D}_R\rangle }_{C_k},{\langle RI{D}_R,C_k,I{D}_R\rangle }_{R_i},RI{D}_R,C_i)$.

M2: $IOVD\to RSU:({\langle N_2,RI{D}_V,P\rangle }_{C_k},{\langle I{D}_V,L_k\rangle }_{N_2},{\langle P,N_1,N_2,I{D}_V\rangle }_{R_i},{\langle P,N_1,N_2,I{D}_V,L_k,RI{D}_V\rangle }_{R_i},RI{D}_V)$.

M3: $RSU\to IOVD:({\langle N_3,RI{D}_R,I{D}_R\rangle }_{C_k},{\langle RI{D}_R,I{D}_R\rangle }_{N_3},{\langle R_k,I{D}_R,N_3,RI{D}_R\rangle }_{R_i})$.

(4)

Assumption

Some assumptions related to the authentication process of ECAUP are listed according to the BAN logic.

A1: $RSU|\equiv \#(N_2)$.

A2(a): $IOVD|\equiv \#(N_1)$, A2(b): $IOVD\mid \equiv \#\left(N_3\right)$.

A3: $RSU|\equiv IOVD\Rightarrow (N_2,RI{D}_V,I{D}_V,L_k,P)$.

A4: $IOVD|\equiv RSU\Rightarrow (N_1,N_3,RI{D}_R,I{D}_R,R_k)$.

A5: $RSU|\equiv (N_1,N_3,I{D}_R,R_k,C_i,R_i,C_k)$.

A6: $IOVD|\equiv (N_2,I{D}_V,L_k,R_i,C_k)$.

A7: $RSU|\equiv (RSU\stackrel{C_k}{\rightleftharpoons }IOVD)$.

A8: $IOVD|\equiv (RSU\stackrel{C_k}{\rightleftharpoons }IOVD)$.

A9: $RSU|\equiv (RSU\stackrel{R_i}{\rightleftharpoons }IOVD)$.

A10: $IOVD|\equiv (RSU\stackrel{R_i}{\rightleftharpoons }IOVD)$.

(5)

Security proof

Based on the above assumptions and the rules of BAN logic, we simplify the idealized form of ECAUP and provide the main proof procedure. Specifically, the $IOVD$ receives an access request $M1$ and an authentication message $M3$ from $RSU$, both of which contribute to the realization of $G2$. According to $M1$, we can obtain the following information:

S1: $IOVD⊲({\langle N_1,RI{D}_R,I{D}_R\rangle }_{C_k},{\langle RI{D}_R,C_k,I{D}_R\rangle }_{R_i},RI{D}_R,C_i)$.

S2: According to S1 and R5, we obtain $IOVD⊲{\langle N_1,RI{D}_R,I{D}_R\rangle }_{C_k}$.

S3: According to A8 and R1, we obtain $IOVD|\equiv RSU|\backsim (N_1,RI{D}_R,I{D}_R)$.

S4: According to A2(a) and R3, we obtain $IOVD|\equiv \#(N_1,RI{D}_R,I{D}_R)$.

S5: According to S3, S4 and R2, we obtain $IOVD|\equiv RSU|\equiv (N_1,RI{D}_R,I{D}_R)$.

S6: According to S5, A4 and R4, we obtain $IOVD|\equiv (N_1,RI{D}_R,I{D}_R)$.

S7: According to S6 and R5, we obtain $IOVD|\equiv N_1,IOVD|\equiv I{D}_R$.

According to $M3$, and repeating the above steps, we obtain

S8: $IOVD|\equiv R_k,IOVD|\equiv N_3$.

S9: $IOVD|\equiv N_2,IOVD|\equiv I{D}_V,IOVD|\equiv L_k,IOVD|\equiv R_i,IOVD|\equiv C_k$.

S10: According to the session key $S{K}_V=h(a_i\parallel b_i\parallel T_3\parallel N_3)=h(h(L_k\parallel I{D}_V)\parallel h(R_k\parallel I{D}_R)\parallel h(h(C_k\parallel I{D}_R)\parallel R_i\parallel N_1\parallel N_2\parallel I{D}_V)\parallel N_3)$ in ECAUP S7, S8, and S9, we can obtain G2: $IOVD\mid \equiv (RSU\stackrel{SK}{⟷}IOVD)$.

According to $M2$, we can obtain the following information:

S11: $RSU⊲({\langle N_2,RI{D}_V,P\rangle }_{C_k},{\langle I{D}_V,L_k\rangle }_{N_2},{\langle P,N_1,N_2,I{D}_V\rangle }_{R_i},{\langle P,N_1,N_2,I{D}_V,L_k,I{D}_V\rangle }_{R_i},RI{D}_V)$.

S12: According to S11 and R5, we obtain $RSU⊲{\langle P,N_1,N_2,I{D}_V,L_k,RI{D}_V\rangle }_{R_i}$.

S13: According to A9 and R1, we obtain $RSU|\equiv IOVD|\backsim (P,N_1,N_2,I{D}_V,L_k,RI{D}_V)$.

S14: According to A1 and R3, we obtain $RSU|\equiv \#(P,N_1,N_2,I{D}_V,L_k,RI{D}_V)$.

S15: According to S13, S14 and R2, we obtain $RSU|\equiv IOVD|\equiv (P,N_1,N_2,I{D}_V,L_k,RI{D}_V)$.

S16: According to S15 and R5, we obtain $RSU|\equiv IOVD|\equiv (P,N_2,I{D}_V,L_k,RI{D}_V)$.

S17: According to S16, A3 and R4, we obtain $RSU|\equiv (P,N_2,I{D}_V,L_k,RI{D}_V)$.

S18: According to S17 and R5, we obtain $RSU|\equiv N_2,RSU|\equiv I{D}_V,RSU|\equiv L_k$.

S19: According to A5 and R5, we obtain $RSU|\equiv N_1,RSU|\equiv N_3,RSU|\equiv I{D}_R,RSU|\equiv R_k,RSU|\equiv R_i,RSU|\equiv C_k$.

S20: According to the session key $S{K}_V=h(a_i\parallel b_i\parallel T_3\parallel N_3)=h(h(L_k\parallel I{D}_V)\parallel h(R_k\parallel I{D}_R)\parallel h(h(C_k\parallel I{D}_R)\parallel R_i\parallel N_1\parallel N_2\parallel I{D}_V)\parallel N_3)$ in ECAUP S18 and S19, we can obtain G1: $RSU\mid \equiv (RSU\stackrel{SK}{⟷}IOVD)$.

The realizability and security of the session key $S{K}_R=S{K}_V$ generated between $RSU$ and $IOVD$ can be shown from S10 and S20.

6.2. Informal Security Analysis

$RSU$ impersonation attack: In this attack, an adversary $\mathcal{A}$ attempts to impersonate $M_1=\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$, $M_3=\left\{N_3^{\ast },T_5,T_6\right\}$ and then serves as a legitimate node to communicate with $IOVD$, where $T_1=h(R_i\parallel RI{D}_R\parallel h(C_k\parallel I{D}_R))$, $T_5=N_3\oplus b_i$, $T_6=h(b_i\parallel N_3\parallel R_i\parallel RI{D}_R)$, $b_i=h(R_k\parallel I{D}_R)$. Even if $\mathcal{A}$ can generate the random numbers $N_1^{\mathcal{A}}$ and $N_3^{\mathcal{A}}$, there is no possibility to replace $RSU$ as a real node due to the lack of critical secret information $R_i$, $C_k$, $I{D}_R$, and $R_K$. Thus, our scheme can cope with $RSU$ impersonation attack.

$IOVD$ impersonation attack: In ECAUP, $IOVD$ sends only one authentication message $M_2=\left\{N_2^{\ast },T_2,T_3,T_4\right\}$, and $\mathcal{A}$ wants to fake $M_2$ and then communicate with $RSU$ as a legitimate $IOVD$, where $T_2=N_2\oplus a_i$, $T_3=h(P\parallel R_i\parallel N_1\parallel N_2\parallel I{D}_V)$, $T_4=h(T_3\parallel a_i\parallel RI{D}_V)$, $a_i=h(L_k\parallel I{D}_V)$. However, $\mathcal{A}$ still cannot accomplish the impersonation attack (suppose $\mathcal{A}$ can generate random number) to $IOVD$ due to the privacy of $L_k$, $I{D}_V$, and $R_i$. Therefore, our scheme is able to cope with the $IOVD$ impersonation attack.

Replay attack: In this attack, $\mathcal{A}$ captures messages $M_1$, $M_2$, and $M_3$ and then replays them to $RSU$ and $IOVD$, respectively, which in turn causes system crash. However, in ECAUP, replay attack initiated by $\mathcal{A}$ cannot work. For example, when $IOVD$ receives the message $M_1=\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$ replayed from $\mathcal{A}$, it verifies the freshness of the random number and terminates the session immediately in case of non-compliance. Moreover, it is not possible for $\mathcal{A}$ to modify the random number $N_1$, due to the fact that $N_1^{\ast }=N_1\oplus h(RI{D}_R\parallel h(C_k\parallel I{D}_R))=N_1\oplus TI{D}_R$ in $M_1$ is secretly encapsulated by the temporary identity $TI{D}_R$. Similarly, $M_2$ and $M_3$ cannot pose a threat to $RSU$ and $IOVD$ even if they are replayed by $\mathcal{A}$ in the public channel. It is worth noting that the dynamic key update process in the ECAUP also uses random numbers. Therefore, our proposed protocol is not subject to replay attack.

$IOVD$ Captured attack: In this case, $\mathcal{A}$ physically captures a certain $IOVD$ to obtain all secret information $\left\{P,L_k,A{L}_k,I{D}_V\right\}$ inside it, and seeks to compute the session keys of the other devices from such information. Despite the fact that $\mathcal{A}$ possesses $\left\{P,L_k,A{L}_k,I{D}_V\right\}$, $\mathcal{A}$ cannot obtain the PUF-based challenge–response pairs $(C_i,R_i)$. Assuming that $\mathcal{A}$ can generate the challenge $C_i^{\prime }$ and thus obtain response, the probability that adversary obtains $R_i$ is almost 0 due to the physically unclonable nature of PUF. Furthermore, in the ECAUP, different PUFs are assigned to $IOVD$s, and the secret information of each $IOVD$ is completely different. Therefore, $\mathcal{A}$ cannot impose any threat to other devices through the captured $IOVD$s.

Man-in-the-middle attack: Suppose that $\mathcal{A}$ intercepts a message $M_1$ in an open channel, then generates a random number n and tries to compute $T_1^{\prime }=h(R_i\parallel RI{D}_R^{\prime }\parallel h(C_k\parallel I{D}_R))$, $n^{\prime \ast }=n\oplus h(RI{D}_R^{\prime }\parallel h(C_k\parallel I{D}_R))$. Subsequently, $\mathcal{A}$ sends a forged valid message $M_1^{\prime }=\left\{n^{\prime \ast },T_1^{\prime },RI{D}_R^{\prime },C_i^{\prime }\right\}$ to $IOVD$, disabling it to confirm and distinguish whether or not the message has been modified. But, due to the absence of secret information $R_i$, $C_k$, and $I{D}_R$, it is virtually impossible for $\mathcal{A}$ to calculate legitimate message $M_1^{\prime }$ (similarly in the case of $M_2^{\prime }$ and $M_3^{\prime }$). Therefore, ECAUP can deal with the man-in-the-middle attack.

Stolen-verifier attack: In ECAUP, none of the participating nodes carries the storage verification table for assisted authentication. Therefore, our scheme is resistant to stolen-verifier attacks.

Authority modification attack: In this attack, an internal node $RSU$ authorized by $ES$ desires to access $IOVD$s beyond its own authority and obtains sensor data [37,38], which can be denoted as $ADT=\left\{IOV{D}_1,...,IOV{D}_n\right\}$ to $AD{T}^{\prime }=\left\{IOV{D}_1^{\prime },...,IOV{D}_n^{\prime }\right\}$. According to Section 5.2, the access authority of $RSU$ can be represented as $C_k$, which is based on a factorial tree hashed in a bottom-up manner. Suppose $RSU$ computes a new cluster key $C_k^R$ using $AD{T}^{\prime }$ and the factorial tree, and sends an authentication request $M_1=\left\{N_1^{\ast },T_1^R,RI{D}_R,C_i\right\}$ to $IOVD$, where $T_1^R=h(R_i\parallel RI{D}_R\parallel h(C_k^R\parallel I{D}_R))$. Once the request is received, $IOVD$ computes $T_1^{R^{\prime }}=h(R_i\parallel RI{D}_R\parallel P)$ after verifying the freshness of $N_1$ and continues to verify $T_1^{R^{\prime }}\stackrel{?}{=}{T}_1^R$. If both differ, it indicates that the current $RSU$ does not belong to its cluster and then terminates the session. The reason why the $RSU$ cannot access devices outside of its authority is due to the fact that secret information $P=h(C_k\parallel I{D}_R)$ is assigned by $ES$ to all $IOVD$s in cluster as early as the registration phase. Thus, our proposed protocol can handle authority modification attacks.

Anonymity and untraceability: In the ECAUP, the messages $M_1=\left\{N_1^{\ast },T_1,RI{D}_R,C_i\right\}$, $M_2=\left\{N_2^{\ast },T_2,T_3,T_4\right\}$ and $M_3=\left\{N_3^{\ast },T_5,T_6\right\}$ generated from each authentication contain individual random numbers; thus, $\mathcal{A}$ cannot track participating nodes through $M_1$, $M_2$, and $M_3$. In addition, the ECAUP transmits messages using pseudo-identities $RI{D}_R$ and $RI{D}_V$ (public), and temporary identities $TI{D}_R$ and $TI{D}_V$ (private), which do not involve the original identities $I{D}_R$ and $I{D}_V$. Hence, our proposed protocol enables anonymity.

Known session key security: Since the session key $S{K}_V=h(a_i\parallel b_i\parallel T_3\parallel N_3)=S{K}_R$ in each authentication contains secret information $\left\{L_k,I{D}_V,R_k,I{D}_R,P,R_i\right\}$ and random numbers $\left\{N_1,N_2,N_3\right\}$ of both current communicating parties, even if $\mathcal{A}$ obtains a certain session key, it cannot compute other session keys. Therefore, our protocol guarantees the security of the known session key.

Perfect forward secrecy and backward secrecy: In Section 5.5, a detailed key update process of the ECAUP is presented in a dynamic form. The purpose of the update is to ensure that the original $RSU$s can no longer access $IOVD$s that have left their clusters, thus guaranteeing the backward secrecy of the sensed data. Furthermore, assume that $\mathcal{A}$ obtains the long-term key and attempts to compute the session key to steal the previous information. However, it is difficult for $\mathcal{A}$ to obtain the cluster key $C_k$ in our system model due to the mobility of HIOV, resulting in keeping the key updated in real time. Therefore, it is obvious that ECAUP has perfect forward and backward secrecy.

6.3. Formal Verification with Proverif

Proverif is a formal verification tool [39] developed for automated reasoning about security properties in cryptographic protocols and automated analysis and verification of security protocols, which can support cryptographic primitives, including symmetric and asymmetric encryption, digital signature, hash function, bit commitment, and proof of signature for knowledge. In addition, Proverif can provide the formal path of attackers to breach the key, which enables researchers to improve the protocol. In IoV, communication between RSU and IOVD requires authentication. Therefore, we utilize Proverif to evaluate the security of ECAUP.

In this paper, three open channels, $ch1$, $ch2$, and $ch3$, and two secure channels, $sch1$ and $sch2$, are defined. The role of each channel is as follows: (1) $RSU$ and $ES$ complete the registration described in Section 5.2 and Section 5.3 via $sch1$; (2) $IOVD$ and $ES$ complete the registration described in Section 6.3 via $sch2$; (3) the public channel $ch1$ is used to realize mutual authentication between $RSU$ and $IOVD$; (4) $ES$ sends the key $P^{new}$ that needs to be updated as well as the auxiliary leaf node key $AL{k}^{new}$ to $IOVD$ via $ch2$; (5) $ES$ sends the new cluster/root key $C{k}^{new}$ as well as the challenge–response pair $(C_i^{new},R_i^{new})$ to $RSU$ via $ch3$.

In the Proverif code, we define $RSUauth$, $IOVDauth$, and $ES=ESReg1\left|ESReg2\right|ESupdate1|ESupdate2$ to denote the sub-processes of $RSU$, $IOVD$, and $ES$, respectively, and, finally, the parallel execution of the three participating entities is realized through $process(!RSUauth)\left|\right(!ES\left)\right|(!IOVDauth)$. From Figure 6, it can be inferred that the session keys $S{K}_R$ and $S{K}_V$, generated by $RSU$ and $IOVD$ authentication, and the update keys $C{k}^{new}$ and $AL{k}^{new}$, sent by $ES$ to $RSU$ and $IOVD$, are secure. Thus, according to the simulation results, the robustness of ECAUP against various known network attacks is demonstrated.

7. Comparative Analysis

In this section, a comparison of the ECAUP with other schemes (Wu et al. [27], Wang et al. [28], Mun et al. [29] and Du et al. [30]) in terms of calculation cost, communication cost, and security features is given.

7.1. Calculation Costs Comparison

We provide the computational cost required for the mutual verification phase of the ECAUP and other schemes. Assume that $T_h$, $T_{as}$, $T_{me}$, $T_{sig}$, $T_{bp}$, $T_{pm}$, $T_{pa}$, and $T_{puf}$ represent the time required for the hash function, symmetric encryption/decryption, modular exponentiation, digital signature/checksumption, bilinear pairing, ECC point multiplication, ECC point addition, and PUF response, respectively. According to the available experimental results [25,30,35], the time required to use these encryption operations are $T_h$ = 0.019 ms, $T_{as}$ = 19.536 ms, $T_{me}$ = 5.02 ms, $T_{sig}$ = 17.624ms, $T_{bp}$ = 44.517 ms, $T_{pm}$ = 2.61 ms, $T_{pa}$ = 0.576 ms, and $T_{puf}$ = 4.4 ms. From

Table 3. Calculation costs comparison.

Protocol	Authentication Total Cost	Time (ms)
[27]	$18T_h$	0.342 ms
[28]	$4T_h+5T_{me}+3T_{as}+2T_{bp}$	172.818 ms
[29]	$8T_h+2T_{me}+2T_{pm}+6T_{as}+2T_{sig}$	167.876 ms
[30]	$5T_h+4T_{pm}+2T_{pa}$	11.687 ms
Our	$16T_h+T_{puf}$	4.704 ms

and Figure 7, it can be observed that the cryptographic operation required for ECAUP authentication is $16T_h+T_{puf}$ and the computation time is $4.704$ ms. Comparing to other schemes, it can be inferred that our protocol is suitable for end-to-end authentication in an IoV scenario because of the extremely low latency.

7.2. Communication Costs Comparison

To measure the communication costs of $RSU$ and $IOVD$ in the authentication phase, we assume that the output sizes of identity, public key, hash digest, random number, timestamp, PUF challenge and response, ECC point multiplication, digital signature, and symmetric encryption are 100 bits, 100 bits, 128 bits, 128 bits, 32 bits, 100 bits, 512 bits, 1024 bits, and 1024 bits, respectively. It can be deduced that the total communication cost of the ECAUP is 1508 bits, and the schemes of Wu et al. [27], Wang et al. [28], Mun et al. [29], and Du et al. [30] require 1216 bits, 2308 bits, 3232 bits, and 1672 bits, respectively. From

Table 4. Communication costs comparison.

Protocol	Number of Messages	Size (Bits)
[27]	3	1216 bits
[28]	5	2308 bits
[29]	4	3232 bits
[30]	3	1672 bits
Our	3	1508 bits

and Figure 7, it can be seen that our scheme requires only three handshakes to complete the authentication between $RSU$ and $IOVD$, and requires only 1508 bits of communication cost. Therefore, the ECAUP is perfectly suitable for IoV scenarios.

7.3. Security Features Comparison

Table 5. Security features comparison.

Feature	Our	[27]	[28]	[29]	[30]
$RSU$ impersonation attack	✓	×	✓	—	✓
$IOVD$ impersonation attack	✓	×	✓	✓	✓
Replay attack	✓	✓	✓	✓	✓
$IOVD$ captured Attack	✓	×	×	×	×
Man-in-the-middle attack	✓	×	✓	✓	✓
Stolen-verifier attack	—	—	✓	—	—
Authority modification attack	✓	×	×	×	×
Insider privilege attack	✓	✓	×	✓	×
Off-line password guessing attack	✓	✓	✓	×	×
Anonymity and untraceability	✓	✓	×	✓	×
Known session key security	✓	✓	×	×	×
Perfect forward secrecy and backward secrecy	✓	×	✓	×	✓
Mutual authentication	✓	✓	✓	✓	✓
Key agreement	✓	×	✓	×	✓
Physical security	✓	×	×	×	×
Dynamic key update	✓	×	×	×	✓
Fine-grained access control	✓	—	—	—	—
Number of authentication messages	3	3	5	4	3

shows the comparative analysis of the ECAUP with other schemes in terms of security and functional properties (abbreviations: ✓ support; ×: no support; —: not considered). It can be inferred that our scheme provides higher security and more properties compared to the other four protocols. It is worth noting that we not only consider the mobility of the participating nodes in IoV, but also the dynamic updating of the cluster key, which perfectly ensures the forward secrecy and backward secrecy of the whole cluster. Therefore, the ECAUP has wide prospects in the practical deployment of IoV.

8. Conclusions

In this paper, we proposed a lightweight end-to-end secure authentication and key update scheme for 5G-based IoV systems. The fine-grained access control RSU and subsequent dynamic key update forwarding method were provided via a factorial tree to ensure perfect forward and backward secrecy of the ECAUP. In addition, this paper used only low overhead algorithms such as hash to optimize the communication and computation overheads while guaranteeing the properties of node anonymity, non-traceability, and known session key security. The security analysis and comparison of other schemes showed that the ECAUP can meet the practical requirements of IoV. The focus of this paper is end-to-end authentication of IoV nodes, but the current key update overhead is high, so determining how to design and implement a more efficient and reliable key update protocol is one of the next research directions. Moreover, future research directions include the following: using the MIMT tool to implement STRIDE-based threat modeling for the ECAUP; session security analysis based on the ROR model; actual deployment of the ECAUP; and analyzing packet loss rate, latency, throughput, etc.