SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing

Abstract

With the maturity and popularization of the Internet of Things, we saw the emergence of the Internet of Vehicles. This collects and processes real-time traffic information, alleviates traffic congestion, and realizes intelligent transportation. However, sensitive information, such as real-time driving data of vehicles, are transmitted on public channels, which are easily to steal and manipulate for attackers. In addition, vehicle communications are vulnerable to malicious attacks. Therefore, it is essential to design secure and efficient protocols. Many studies have adopted asymmetric cryptosystems and fog computing to in this environment, but most of them do not reflect the advantages of fog nodes, which share the computational burden of cloud servers. Therefore, it is challenging to design a protocol that effectively uses fog nodes. In this paper, we design an authentication protocol based on a symmetric encryption algorithm and fog computing in the Internet of Vehicles. In this protocol, we first propose a four-layer architecture that significantly reduces the computational burden of cloud servers. To resist several well-known attacks, we also apply Intel software guard extensions to our protocol. This is because it can resist privileged insider attacks. We prove the security of the proposed protocol through the Real-Or-Random model and informal analysis. We also compare the performance of the proposed protocol with recent protocols. The results show better security and a lower computational cost.

1. Introduction

With the maturity and popularization of the Internet of Things (IoT) [1,2], a special network connecting vehicles through the Internet has emerged: the Internet of Vehicles (IoV) [3,4,5]. The IoV is a subset of the IoT that realizes communication by vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), and vehicle-to-infrastructure (V2I) connections. The IoV collects, processes, and shares road information in real time, alleviates traffic congestion in traffic control, and reduces traffic accidents through early warnings to ensure vehicle safety. It also realizes intelligent transportation to improve its efficiency.

Previously, researchers introduced cloud computing into the IoV to efficiently process large amounts of real-time road information. With an increasing number of vehicles, the computational burden of the cloud server (CS) is also increasing. The authors of [6,7,8] proposed a definition of fog computing. Compared with cloud computing, fog computing has the characteristics of low latency, large numbers, wide distribution, and lighter computing. Fog and cloud computing are complementary but not substitutes. Cloud computing realizes the calculation or storage of a large amount of data, compensating for the lack of computing resources for fog nodes.

Recently, the literature [9,10,11,12] has involved research on authenticated key agreement (AKA) protocols for applying fog computing to the IoV. In 2019, Ma et al. [9], based on asymmetric cryptosystems and fog computing, proposed an AKA protocol. The protocol used the traditional three-layer architecture: “vehicle–fog node–CS”, where the vehicle and roadside unit (RSU) play the participant (i.e., vehicle). However, the protocol showed that the participation of a CS was required for each authentication, which did not reflect the advantages of fog nodes and did not realize the function of fog nodes sharing the computational burden of a CS. Moreover, Eftekhari et al. [10] found that the protocol [9] was insecure and vulnerable to stolen smart card attacks, known session-specific temporary information disclosure attacks, and privileged insider attacks. Based on this architecture, Eftekhari et al. [10] designed an improved protocol that did not reflect the advantages of fog nodes. In 2020, Wu et al. [11] proposed a fog-based AKA protocol based on the traditional three-layer architecture. However, the RSU was a fog node. Each communication required the participation of a CS. In 2021, following the architecture presented in [11], Wu et al. [12] proposed a lightweight AKA protocol that still did not realize the function of fog nodes sharing the computational burden of a CS.

Although the above AKA protocols [9,10,11,12] use fog computing, they fail to realize the function of fog nodes sharing the computational burden of a CS. This is because in the conventional architecture, fog nodes actually replace the RSU, and computing is still on the CS, which does not reduce the computational burden of the CS. Therefore, we first propose a four-layer architecture: “vehicle–RSU–fog node–CS”. The four-layer architecture of the IoV based on fog computing is shown in Figure 1. In this architecture, when a vehicle enters the road and wants to communicate with the RSU, the communication modes are divided into the following two cases:

1.

Case 1: The RSU judges that the vehicle communicates with itself for the first time and then sends a data request to the CS. The CS sends a response to the RSU accordingly and simultaneously sends the data response to the fog node. Thereafter, the vehicle and RSU realize their communication with the assistance of the fog node. The four entities involved in this communication process are the vehicle, RSU, fog node, and CS.

2.

Case 2: This extends from Case 1. Only the fog node (without the participation of the CS) can help the vehicle and RSU to realize communication. Here, this architecture effectively realizes the function of the fog node sharing the computational burden of the CS.

The IoV environment still has some security challenges. For example, sensitive information such as vehicle real-time driving data are transmitted on a public channel, which is easy to steal from and manipulate for an attacker, resulting in the disclosure of vehicle privacy. In addition, the process of vehicle communication is vulnerable to replay attacks [13], impersonation attacks [14,15,16], and privileged insider attacks [9], among others. Therefore, to ensure communication and protect the sensitive data of vehicles, a safe and effective protocol must be designed.

Due to the above security challenges of the IoV environment, researchers are committed to enhancing the security of the IoV. Therefore, a hardware-based, trusted execution environment called software guard extensions (SGX) [17,18,19] has emerged. SGX is secure hardware developed by Intel. The difference between SGX and other security software is that it only includes hardware, which avoids software vulnerabilities and malicious threats in the system and largely ensures system security. In addition, SGX provides a trusted execution environment, as malicious code cannot access or tamper with any sensitive data stored in SGX, guaranteeing data confidentiality and integrity. The structure of SGX mentioned in [17]. Preserved random memory (PRM) is a reserved area for SGX in the dynamic memory, and the Enclave Page Cache (EPC) is a part of the PRM. SGX has a secure container called Enclave, which is stored in the EPC to store sensitive data and code. The user enters the value into the Enclave through the Ecall. After SGX completes the confidential computing in the Enclave, it returns the computational results through Ocall.

To ensure secure communication and reduce the computational burden of the CS, we propose an authentication protocol under a four-layer architecture. We also apply SGX and a symmetric encryption algortihm to the proposed protocol to resist several well-known attacks. Our main contributions are as follows:

(1)

We first propose a four-layer architecture in the IoV environment as shown in Figure 1. Adopting such an architecture reduces the computational pressure of the CS.

(2)

We apply SGX to store the private value of the fog node and RSU in SGX so that even if the attacker obtains the data in the authentication table, he or she cannot obtain the private values in SGX. In other words, SGX can make the proposed protocol resist privileged insider attacks and enhance the security of the protocol.

(3)

We prove the security of the proposed protocol through the Real-Or-Random model (ROR) and informal analysis. Furthermore, we compare the performance of the proposed protocol with recent protocols, with the results showing better security and a lower computational cost.

The rest of the paper is organized as follows. Section 2 briefly reviews the relevant research work. Section 3 describes the system model and proposed protocol in detail. In Section 4, we use the ROR model and informal analysis to prove the protocol’s security. We compare the performance of the proposed protocol with recent protocols and discuss the obtained results in Section 5. Finally, we provide a brief summary of the content of this study in Section 6.

2. Related Work

Researchers have conducted extensive research on security challenges based on the IoV [20,21]. In 2007, Raya et al. [22] determined that information transmission security should be ensured in the IoV. Therefore, cryptographic technology, namely the public key infrastructure (PKI) mechanism, was introduced into the proposed protocol. Although this technology ensured that the vehicles privacy was not leaked, the computational cost was extremely high. In 2011, Huang et al. [23] designed an AKA protocol for value-added services known as ABAKA. The protocol realized anonymity but used elliptic curve cryptography (ECC), and the overhead remained extremely high. In 2017, Ying et al. [13] designed a protocol and claimed that it realized anonymous and secure communication. The protocol had a low computational cost and was lightweight. Mohit et al. [14] proposed a secure authentication protocol that configured vehicle sensors for the IoV to monitor the vehicle and the surrounding environment. However, Yu et al. [15] found that the protocol [14] was vulnerable to user impersonation attacks and could not provide anonymity or mutual authentication. Yu et al. [15] designed an improved protocol for ensuring communication security. However, Sadri et al. [24] found that the protocol [15] was vulnerable to user impersonation and sensor capture attacks and could not provide untraceability. Sadri et al. [24] designed a secure protocol based on this. In 2021, Jiang et al. [25] designed an authentication protocol based on a physical unclonable function (PUF). This protocol effectively combined biometrics and a PUF to achieve secure identification and authentication. In the same year, Kurma et al. [26] designed a new authentication protocol for the IoV. The protocol [26] was based on radio frequency identification, which increased the protocol security and used ECC at a high computational cost.

In previous years, to achieve efficient authentication, the literature [27,28] adopted the cloud computing architecture to different environments. Later, researchers found that fog computing is more suitable for the IoV than cloud computing with a large amount of real-time data to process. Therefore, scholars have applied fog computing to the IoV to reduce the computational burden of the CS. Wazid et al. [29] proposed a protocol based on authentication key management (AKM) between two different entities, namely AKM and the IoV, to realize security authentication in the IoV. Han et al. [30] proposed a security protocol based on fog computing [30], which had two highlights. One was that the vehicle and RSU were self-authenticated without the participation of the trusted authority (TA), which improved the communication efficiency. The other was that the fog node managed the pseudonym of the vehicle to realize privacy protection. Soleymani et al. [31] designed a message authentication protocol that used bilinear pairing primitives with a high overhead. The protocol [31] also used pseudonym management for privacy protection. Ma et al. [9], based on asymmetric cryptosystems and fog computing, proposed an AKA protocol. The protocol used ECC at a high computational cost, and they claimed that the protocol was provably secure. However, Eftekhari et al. [10] found that the protocol [9] was vulnerable to known session-specific temporary information disclosure, privileged insider, and stolen smart card attacks. Eftekhari et al. [10] proposed an improved lightweight protocol. Wu et al. [11] proposed an AKA protocol. The protocol also used ECC, which had a large computational cost and computational burden from the CS under the architecture used. In 2021, Wu et al. [12] designed a lightweight AKA protocol, which was also based on the above architecture and did not realize the function of fog nodes sharing the computational burden of the CS. The main works related to this paper are summarized in

Table 1. Summary of authentication protocols.

Protocols	Cryptographic Techniques and Properties	Limitations
Ying et al. [13]	(1) One-way hash function (2) Anonymity	(1) Does not resist replay attacks (2) Does not resist offline identity guessing attacks (3) Does not resist stolen smart card attacks
Mohit et al. [14]	(1) One-way hash function (2) Based on smart card	(1) Does not resist impersonation attacks (2) Does not provide mutual authentication
Yu et al. [15]	One-way hash function	(1) Does not resist user impersonation attacks (2) Does not resist sensor capture attacks
Ma et al. [9]	(1) ECC (2) Based on smart card	(1) Does not resist internal attacks (2) Does not resist stolen smart card attacks (3) Does not resist known session-specific temporary information attacks
Wazid et al. [29]	(1) ECC (2) Anonymity	−
Eftekhari et al. [10]	(1) ECC (2) Anonymity	−
Wu et al. [11]	(1) One-way hash function (2) ECC	−
Wu et al. [12]	(1) One-way hash function (2) Three-factor (3) Based on smart card	−

.

3. The Proposed Protocol: SGXAP

This section introduces the system model and the proposed protocol in detail. Definitions and specific descriptions of the symbols used in the protocol are listed in

Table 2. Notations used in the protocol.

Symbol	Description
$V_i$	The i-th vehicle
$RS{U}_j$	The j-th RSU
$F{S}_m$	The m-th fog node
$CS$	Cloud server
$I{D}_i,I{D}_j,I{D}_f$	Identities of $V_i$, $RS{U}_j$, and $F{S}_m$
$K_{CS}$	Secret key of $CS$
$SK$	Session key
$D_k\left(\right)$ and $E_k\left(\right)$	Symmetric encryption and decryption algortihm

.

3.1. System Model

The system includes four entities: the vehicle, RSU, fog node, and CS. In this model, the RSUs know which fog nodes they are deployed in, and the CS also knows which fog node RSU is deployed. These four entities, namely the definition, function, computing power, and storage capability of each role, are explained in detail below:

(1)

Vehicle: This refers to the vehicle or vehicle user who selects the appropriate speed or driving route by acquiring the relevant real-time road information collected by the RSU.

(2)

RSU: This is a semi-trusted device that collects real-time road condition information. It is arranged on both sides of the road and has weak computing power and storage capacity. The RSU judges whether the vehicle is communicating with itself for the first time.

(3)

Fog node: This is a semi-trusted entity with certain computing power. It quickly processes the road condition information collected by the RSU and can store data. As a third party, the fog node participates in communicating between the vehicle and RSU.

(4)

CS: This is a semi-trusted entity which can realize the calculation or storage of a large amount of data. Here, the CS is the registration center, which participates in registering vehicle, RSU, and fog node. For Case 1, it is also the data transmitter.

When the vehicle wants to communicate with the RSU, there are two communication modes:

1.

Case 1 is shown in Figure 2. The RSU judges that the vehicle communicates with itself for the first time and sends a data request to the CS. Then, the CS transmits the private value of the vehicle to the fog node and RSU. Here, the RSU stores the private data of the vehicle to judge whether the communication between the vehicle and itself is happening for the first time. The fog node stores information about the vehicle to realize the authentication process. Finally, the vehicle and RSU realize communication through the fog node.

2.

Case 2 is shown in Figure 3. This case extends Case 1. Therefore, only the fog node (without the participation of the CS) can help the vehicle and RSU to realize communication. This is because in the first communication, the fog node and RSU know the private information of the vehicle. Here, this architecture dramatically reduces the computational burden of the CS.

3.2. The Proposed SGXAP

The proposed protocol comprises three phases: registration, login authentication, and data transmission.

3.2.1. Registration Phase

The registration phase of the proposed protocol includes the $V_i$, $RS{U}_j$, and $F{S}_m$ registration phases.

In the $V_i$ registration phase,$V_i$ registers with the $CS$, as shown in Figure 4. The detailed registration steps are as follows:

(1)

First, $V_i$ selects the $I{D}_i$, password $PS{W}_i$, biometrics $BI{O}_i$, and random number $r_i$, computes $Gen\left(BI{O}_i\right)=({\sigma }_i,{\tau }_i)$, and finally transmits $\left\{I{D}_i\right\}$ to the $CS$.

(2)

After $CS$ receives the message $\left\{I{D}_i\right\}$, it selects $r_c$, computes $PI{D}_i=h(I{D}_i\Vert r_c)$ and $T{K}_{V-C}=h(PI{D}_i\Vert K_{CS})$, and then saves the pseudo identity $\left\{PI{D}_i\right\}$ in the database before finally transmitting $\{PI{D}_i,T{K}_{V-C}\}$ to $V_i$.

(3)

After $V_i$ receives the message $\{PI{D}_i,T{K}_{V-C}\}$, it computes $RP{W}_i=h(PS{W}_i\Vert {\sigma }_i)$, $T{R}_i=T{K}_{V-C}\oplus h(RP{W}_i\Vert r_i)$, and $P_i=h(I{D}_i\Vert RP{W}_i\Vert r_i)$. Finally, $V_i$ stores $\{PI{D}_i,r_i,P_i,T{R}_i,{\tau }_i\}$ in the smart card (SC).

In the $RS{U}_j$ registration phase,$RS{U}_j$ registers with the $CS$, as shown in Figure 5. The detailed registration steps are as follows:

(1)

First, $RS{U}_j$ selects the $I{D}_j$ and random number $r_j$ and then transmits $\{I{D}_j,r_j\}$ to the $CS$.

(2)

After the $CS$ receives the message $\{I{D}_j,r_j\}$, it selects $r_s$, computes $PI{D}_j=h(I{D}_j\Vert r_j\Vert r_s)$ and $T{K}_{R-C}=h(PI{D}_j\Vert K_{CS})$, saves $\{PI{D}_j,I{D}_j\}$ in the database, transmits $\{PI{D}_j,T{K}_{R-C}\}$ to $RS{U}_j$, and sends $\{PI{D}_j,T{K}_{R-C},I{D}_j\}$ to $F{S}_m$.

(3)

After $RS{U}_j$ receives the message $\{PI{D}_j,T{K}_{R-C}\}$, it stores $\{PI{D}_j,T{K}_{R-C}\}$ in the database.

(4)

After $F{S}_m$ receives the message $\{PI{D}_j,T{K}_{R-C},I{D}_j\}$, it stores $\{PI{D}_j,T{K}_{R-C}\}$ in SGX and stores $\{PI{D}_j,I{D}_j\}$ in the database.

In the $F{S}_m$ registration phase,$F{S}_m$ registers with the $CS$, as shown in Figure 6. The detailed registration steps are as follows:

(1)

First, $F{S}_m$ selects the identity $I{D}_f$ and random number $r_f$ and then transmits $\{I{D}_f,r_f\}$ to the $CS$.

(2)

After the $CS$ receives the message $\{I{D}_f,r_f\}$, it selects $r_{cs}$, computes $PI{D}_f=h(I{D}_f\Vert r_f\Vert r_{cs})$ and $T{K}_{F-C}=h(PI{D}_f\Vert K_{CS})$, saves $\{PI{D}_f,I{D}_f\}$ in the database, and transmits $\{PI{D}_f,T{K}_{F-C}\}$ to $F{S}_m$.

(3)

After $F{S}_m$ receives the message $\{PI{D}_f,T{K}_{F-C}\}$, it stores $\{PI{D}_f,T{K}_{F-C}\}$ in the database.

3.2.2. Login and Authentication Phase

The vehicle and RSU achieve authentication and establish a session key with the assistance of the fog node to realize secure communication. The authentication of the proposed protocol has the following two cases:

1.

Case 1.$V_i$ communicates with $RS{U}_j$ under $F{S}_m$ for the first time. The authentication process needs the assistance of $F{S}_m$ and the participation of the $CS$. When $RS{U}_j$ receives the message $M_1$ sent by $V_i$, it cannot retrieve the private value of $V_i$ through the pseudo-identity $PI{D}_i$. Then, $RS{U}_j$ enters the data transmission phase and sends a data request $Re{q}_j$ to the $CS$. After the $CS$ successfully verifies $RS{U}_j$, it sends the private value of $V_i$ to $RS{U}_j$ and $F{S}_m$, and then $RS{U}_j$ and $F{S}_m$ store the private value. Finally, $V_i$, $RS{U}_j$, and $F{S}_m$ continue to realize relevant authentication. The entire process includes the authentication phase of Figure 7 and the data transmission phase of Figure 8.

2.

Case 2.$V_i$ has communicated with $RS{U}_j$ under $F{S}_m$. Therefore, the private value of $V_i$ is stored in $RS{U}_j$ and $F{S}_m$, and the entire authentication process can be realized without the $CS$ participating. The process is the login authentication phase, as shown in Figure 7.

The entities in the authentication phase include $V_i$, $RS{U}_j$, and $F{S}_m$ without the $CS$ participating. The specific authentication steps are illustrated in Figure 7.

(1)

$V_i$ first enters its own $I{D}_i$, $PS{W}_i$, and $BI{O}_i$, and the SC computes ${\sigma }_i^{\prime }=Rep(BI{O}_i,{\tau }_i)$, $RP{W}_i=h(PS{W}_i\Vert {\sigma }_i^{\prime })$, and $P_i^{*}=h(I{D}_i\Vert RP{W}_i\Vert r_i)$ and compares $P_i^{*}\stackrel{?}{=}{P}_i$. If they are equal, then the login is successful. Otherwise, the login fails. After successfully logging in to the SC, $V_i$ selects a random number $N_i$ and timestamp $T_1$ and computes $T{K}_{V-C}=T{R}_i\oplus h(RP{W}_i\Vert r_i)$, $T{N}_{V-C}=h(T{K}_{V-C}\Vert PI{D}_i)$, $T{V}_{V-C}=(I{D}_i\Vert N_i)\oplus T{N}_{V-C}$, and $V_1=h(I{D}_i\Vert N_i\Vert T{V}_{V-C})$. Finally, $V_i$ sends the message $M_1=\{PI{D}_i,T{V}_{V-C},V_1,T_1\}$ to $RS{U}_j$.

(2)

After $RS{U}_j$ receives $M_1$ from $V_i$, it first checks the freshness of the timestamp $T_1$. If the limit is exceeded, then the authentication is suspended. Otherwise, the authentication continues. Then, $RS{U}_j$ indexes $T{K}_{V-C}$ stored in SGX according to $PI{D}_i$. If it cannot be indexed, then it indicates that $V_i$ is communicating with $RS{U}_j$ for the first time. Here, $RS{U}_j$ sends a data request to the $CS$, requesting the $CS$ to send the private value of $V_i$ to itself and $F{S}_m$, as shown in Figure 8, and then continue to realize the authentication process. If it can be indexed, $V_i$ is not communicating with $RS{U}_j$ for the first time, and the authentication process continues. Later, $RS{U}_j$ selects $N_j$, and $T_2$ computes $T{N}_{R-C}=h(T{K}_{R-C}\Vert PI{D}_j)$, $T{V}_{R-C}=N_j\oplus T{N}_{R-C}$, and $V_2=h(I{D}_j\Vert N_j\Vert T{V}_{R-C})$. Finally, $RS{U}_j$ sends the message $M_2=\{PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2\}$ to $F{S}_m$.

(3)

After $F{S}_m$ receives $M_2$ from $RS{U}_j$, it checks the freshness of $T_2$ and then sends $PI{D}_i$ to the security interface of SGX. SGX matches the secret value $T{K}_{V-C}$ according to $PI{D}_i$, computes $T{N}_{V-C}=h(T{K}_{V-C}\Vert PI{D}_i)$, and outputs the secret value $T{N}_{V-C}$ from the secure interface after the computation is completed. Then, $F{S}_m$ computes $(N_i\Vert I{D}_i)=T{N}_{V-C}\oplus T{V}_{V-C}$ and $V_1^{\prime }=h(I{D}_i\Vert N_i\Vert T{V}_{V-C})$ and compares $V_1^{\prime }\stackrel{?}{=}{V}_1$. If they are equal, this indicates that $V_i$ is legal. Otherwise, the authentication is suspended. $F{S}_m$ finds the identity $I{D}_j$ according to $PI{D}_j$ and then sends $PI{D}_j$ to the security interface of SGX. SGX matches the secret value $T{K}_{R-C}$ according to $PI{D}_j$, computes $T{N}_{R-C}=h(T{K}_{R-C}\Vert PI{D}_j)$, and outputs the secret value $T{N}_{R-C}$ from the secure interface. Then, $F{S}_m$ computes $N_j=T{N}_{R-C}\oplus T{V}_{R-C}$, $V_2^{\prime }=h(I{D}_j\Vert N_j\Vert T{V}_{R-C})$ and compares $V_2^{\prime }\stackrel{?}{=}{V}_2$. If they are equal, $RS{U}_j$ is legal. Otherwise, the authentication is suspended. After authenticating $V_i$ and $RS{U}_j$, $F{S}_m$ selects timestamp $T_3$, computes $T{V}_{F-R}=(I{D}_i\Vert N_i)\oplus h(I{D}_j\Vert N_j)$, $V_3=(I{D}_j\Vert N_j\Vert T{V}_{F-R})$, and finally sends the message $M_3=\{T{V}_{F-R},V_3,T_3\}$ to $RS{U}_j$.

(4)

After $RS{U}_j$ receives the message $M_3$ from $F{S}_m$, it checks the freshness of $T_3$ and computes $(I{D}_i\Vert N_i)=h(I{D}_j\Vert N_j)\oplus T{V}_{F-R}$, $SK=h(I{D}_i\Vert I{D}_j\Vert N_i\Vert N_j)$, and $V_3^{\prime }=h(I{D}_j\Vert N_j\Vert T{V}_{F-R})$. Then, $F{S}_m$ compares $V_3^{\prime }\stackrel{?}{=}{V}_3$. If they are equal, $F{S}_m$ is legal. Otherwise, the authentication fails. After the authentication is successful, $RS{U}_j$ selects the timestamp $T_4$ and computes $T{V}_{R-V}=(I{D}_j\Vert N_j)\oplus h(I{D}_i\Vert N_i)$ and $V_4=h(I{D}_i\Vert N_i\Vert T{V}_{R-V})$. Finally, the message $M_6=\{T{V}_{R-V},V_4,T_4\}$ is sent to $V_i$.

(5)

After $V_i$ receives $M_4$ from $RS{U}_j$, it first checks the freshness of $T_4$ and then computes $(I{D}_j\Vert N_j)=h(I{D}_i\Vert N_i)\oplus T{V}_{R-V}$, $SK=h(I{D}_i\Vert I{D}_j\Vert N_i\Vert N_j)$, and $V_4^{\prime }=h(I{D}_i\Vert N_i\Vert T{V}_{R-V})$. Then, $V_i$ compares $V_4^{\prime }\stackrel{?}{=}{V}_4$. If they are equal, $RS{U}_j$ is legal. Otherwise, the authentication fails.

3.2.3. Data Transmission Phase

When $V_i$ communicates with $RS{U}_j$ under $F{S}_m$ for the first time, the private value of $V_i$ is not stored in $RS{U}_j$ or $F{S}_m$. Thus, $RS{U}_j$ requests private data from the $CS$. The entities in this phase include $RS{U}_j$, $F{S}_m$, and the $CS$. According to Case 1, when $RS{U}_j$ receives the message $M_1$ sent by $V_i$ and does not retrieve the privacy value of $V_i$ through $PI{D}_i$, $RS{U}_j$ requests data from the $CS$, as shown in Figure 8. The specific steps are as follows:

(1)

$RS{U}_j$ generates a data request $Re{q}_j$, selects $N_R$ and $T_5$, and computes $T{V}_{R-C}=(I{D}_j\Vert T{K}_{R-C})\oplus N_R$ and $V_5=h(I{D}_j\Vert N_R\Vert T{V}_{R-C})$. Finally, the message $M_5=\{Re{q}_j,PI{D}_i,PI{D}_j,PI{D}_f,T{V}_{R-C},V_5,T_5\}$ is sent to the $CS$.

(2)

After the $CS$ receives $M_5$ from $RS{U}_j$, it checks the freshness of $T_5$. After finding $I{D}_j$ according to $PI{D}_j$, the $CS$ computes $T{K}_{R-C}=h(PI{D}_j\Vert K_{CS})$, $N_R=(I{D}_j\Vert T{K}_{R-C})\oplus T{V}_{R-C}$, and $V_5^{\prime }=h(I{D}_j\Vert N_R\Vert T{V}_{R-C})$ and compares $V_5^{\prime }\stackrel{?}{=}{V}_5$. If they are equal, $RS{U}_j$ is legal. Otherwise, the authentication is suspended. Then, $CS$ selects $T_6$ and $T_7$ and computes $T{K}_{V-C}=h(PI{D}_i\Vert K_{CS})$, $C{N}_m=E_{h(I{D}_j\Vert T{K}_{R-C})}\left(T{K}_{V-C}\right)$, and $V_6=h(I{D}_j\Vert N_R\Vert C{N}_m)$. The $CS$ finds $I{D}_f$ according to $PI{D}_f$ and computes $T{K}_{F-C}=h(PI{D}_f\Vert K_{CS})$, $C{N}_n=E_{h(I{D}_f\Vert T{K}_{F-C})}\left(T{K}_{V-C}\right)$, and $V_7=h(I{D}_f\Vert T{K}_{F-C}\Vert C{N}_n)$. Finally, the message $M_6=\{V_6,C{N}_m,T_6\}$ is sent to $RS{U}_j$, and $M_7=\{V_7,C{N}_n,T_7\}$ is sent to $F{S}_m$.

(3)

After $RS{U}_j$ receives $M_6$ from the $CS$, it checks the freshness of $T_6$, computes $T{K}_{V-C}=D_{h(I{D}_j\Vert T{K}_{R-C})}\left(C{N}_m\right)$ and $V_6^{\prime }=h(I{D}_j\Vert N_R\Vert C{N}_m)$, and compares $V_6^{\prime }\stackrel{?}{=}{V}_6$. If they are equal, then $CS$ is legal. Otherwise, the authentication is suspended. Finally, $RS{U}_j$ stores $\{PI{D}_i,T{K}_{V-C}\}$ in SGX.

(4)

After $F{S}_m$ receives the message $M_7$ from the $CS$, it checks the freshness of $T_7$, computes $T{K}_{V-C}=D_{h(I{D}_f\Vert T{K}_{F-C})}\left(C{N}_n\right)$ and $V_7^{\prime }\stackrel{?}{=}h(I{D}_f\Vert T{K}_{F-C}\Vert C{N}_n)$, and compares $V_7^{\prime }\stackrel{?}{=}{V}_7$. If they are equal, then the $CS$ is legal. Otherwise, the authentication is suspended. Finally, $F{S}_m$ stores $\{PI{D}_i,T{K}_{V-C}\}$ in SGX.

After completing the above data request, $V_i$, $RS{U}_j$, and $F{S}_m$ continue the authentication process.

4. Security Analysis

4.1. Formal Security Analysis

The ROR model, proposed by Canetti et al. [32], calculates the probability that the attacker (A) can break the $SK$ through multiple query operations to prove the security of the protocol. Here, we compute the probability of cracking the $SK$ and prove that our protocol is secure.

4.1.1. Adversary Model

We used the Dolev–Yao and Canetti–Krawczyk models to define the capabilities of A [33,34]. The specific capabilities are as follows:

(1)

A can intercept, interrupt, forge, and replay the information transmitted on the common channel.

(2)

A can act as malicious insiders of the fog nodes and CS to obtain internal information.

(3)

A can guess the identities or passwords of vehicles by violent cracking.

(4)

A can obtain the values in the vehicle’s smart card.

(5)

A can obtain the private key of the CS and a random number of four entities.

Here, we use ${\mathsf{\Pi }}_V^m$, ${\mathsf{\Pi }}_{RSU}^n$, and ${\mathsf{\Pi }}_{FS}^z$ to represent the m-th $V_i$, n-th $RS{U}_j$, and z-th $F{S}_m$ instances, respectively. Here, we assume that the query capabilities of A are $Y=\{{\mathsf{\Pi }}_V^m$, ${\mathsf{\Pi }}_{RSU}^n$, and ${\mathsf{\Pi }}_{FS}^z\}$:

(1)

$Execute\left(Y\right)$: A intercepts messages $\{M_1,M_2,M_3,M_4\}$ transmitted on the common channel;

(2)

$Send(Y,M)$: A sends message M to entity Y and receives a response;

(3)

$Hash\left(string\right)$: A enters a character string of any length and returns the corresponding hash value;

(4)

$Corrupt\left(Y\right)$: A can obtain the private value of an entity;

(5)

$Test\left(Y\right)$: A flips a coin C. If $C=1$, then A can obtain $SK$. If $C=0$, A can obtain any string of the same length as the $SK$.

4.1.2. Security Requirements

The secure AKA protocol should meet the following security requirements:

1.

User anonymity and untraceability: A can neither obtain the real identity of the communication entity nor trace the session key of the communication process through the data transmitted on the public channel.

2.

Resistance of common attacks: The secure AKA protocol should be able to resist the following attacks:

(1)

Privileged insider attacks: As an A, the insiders of the communication entity spy on the private data stored in the database to disguise as a legal entity or obtain the session key;

(2)

Impersonation attacks: A intercepts and decrypts the data transmitted on the public channel, disguises as a legal entity, communicates with other entities, and establishes a session key;

(3)

Known temporary information disclosure attacks: A calculates the session key in the communication process by obtaining the random number of an entity and the data transmitted on the public channel;

(4)

Man-in-the-middle attacks: A intercepts the data transmitted on the public channel, tampers with the data, and establishes the session key with the legal entity without the knowledge of both parties of the communication entity;

(5)

Offline password guessing attacks: A intercepts the verification value containing the password stored on the public channel or in the smart device, repeatedly guesses the password, calculates the verification value in the offline state, and compares it with the intercepted verification value until the two values are equal;

(6)

Replay attacks: A repeatedly sends the message transmitted on the public channel to the communication entity so as to deceive the entity and interfere with normal communication;

(7)

Stolen smart card attacks: After A steals the smart card and obtains the parameters about the entity identity before using the parameters to launch camouflage attacks or malicious acts.

Theorem 1.

Suppose that A can execute the above queries and the probability that A can break the proposed protocol P in polynomial time is $ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)\le q_{send}/2^{l-1}+3q_{hash}^2/2^l+2max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}$. Here, $q_{send}$ refers to the number of queries executed, $q_{hash}$ refers to the number of times the hash is executed, l refers to the bit length of the biological information, and $C^{\prime }$ and $s^{\prime }$ refer to two constants.

Proof. 

We define seven games $G{M}_0$–$G{M}_6$ to simulate the attack process of A. In the proof, $Suc{c}_A^{G{M}_i}\left(\xi \right)$ represents the probability that A can win multiple rounds of the game. The process of A simulating the query is shown in

Table 3. The process of Send, Execute, Corrupt, and Test queries.

Query	Description
$Send(Y,M)$	On a query $Send({\mathsf{\Pi }}_V^m,start)$, we assume ${\mathsf{\Pi }}_V^m$ is a normal state. ${\mathsf{\Pi }}_V^m$ selects $N_i,T_1$ and computes $T{K}_{V-C}=T{R}_i\oplus h(RP{W}_i\Vert r_i)$, $T{N}_{V-C}=h(T{K}_{V-C}\Vert PI{D}_i)$, $T{V}_{V-C}=(I{D}_i\Vert N_i)\oplus T{N}_{V-C}$, and $V_1=h(I{D}_i\Vert N_i\Vert T{V}_{V-C})$. Then, $Send({\mathsf{\Pi }}_V^m,start)$ returns $M_1=\{PI{D}_i,T{V}_{V-C},V_1,T_1\}$.
	On a query $Send({\mathsf{\Pi }}_{FS}^z,(PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2))$, ${\mathsf{\Pi }}_{FS}^z$ computes $T{N}_{V-C},(N_i\Vert I{D}_i)$, and checks $V_1$. If the verification holds, continue to calculate $T{N}_{R-C},N_j$ and check $V_2$. If it is equal, select $T_3$ and compute $T{V}_{F-R},V_3$. Then, $Send({\mathsf{\Pi }}_{FS}^z,M_2)$ returns $M_3=\{T{V}_{F-R},V_3,T_3\}$.
	On a query $Send({\mathsf{\Pi }}_{RSU}^n,(T{V}_{F-R},V_3,T_3))$, ${\mathsf{\Pi }}_{RSU}^n$ computes $(I{D}_i\Vert N_i),SK$, and $V_3$ and checks $V_3$. If $V_3$ holds, ${\mathsf{\Pi }}_{RSU}^n$ selects $T_4$ and computes $T{V}_{R-V},V_4$. Then, $Send({\mathsf{\Pi }}_{RSU}^n,M_3))$ returns $M_4=\{T{V}_{R-V},V_4,T_4\}$.
	On a query $Send({\mathsf{\Pi }}_V^m,T{V}_{R-V},V_4,T_4$), ${\mathsf{\Pi }}_V^m$ computes $(I{D}_j\Vert N_j),SK$, and $V_4$ and checks $V_4$. If it is not equal, then the query process is terminated. Otherwise, ${\mathsf{\Pi }}_V^m$ accepts and terminates.
$Execute\left(Y\right)$	On an $Execute$ query, we continue with the $Send$ query simulation as follows: $(PI{D}_i,T{V}_{V-C},V_1,T_1)$⟵$Send({\mathsf{\Pi }}_V^m,start)$, $(PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2)$⟵$Send({\mathsf{\Pi }}_{RSU}^n,(PI{D}_i,T{V}_{V-C},V_1,T_1))$, $(T{V}_{F-R},V_3,T_3)$⟵$Send({\mathsf{\Pi }}_{FS}^z,(PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2))$, $(T{V}_{R-V},V_4,T_4)$⟵$Send({\mathsf{\Pi }}_{RSU}^n,(T{V}_{F-R},V_3,T_3))$. The query returns $(PI{D}_i,T{V}_{V-C},V_1,T_1),(PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2),(T{V}_{F-R},V_3,T_3)$, and $(T{V}_{R-V},V_4,T_4)$.
$Corrupt\left(Y\right)$	On a $Corrupt\left({\mathsf{\Pi }}_V^m\right)$ query, if ${\mathsf{\Pi }}_V^m$ is accepted, then it returns the private information $\{PI{D}_i,r_i,P_i,T{R}_i,{\tau }_i\}$ of vehicle V.
$Test\left(Y\right)$	On a $Test$ query, to flip a coin C, if $C=1$, A can obtain $SK$. If $C=0$, A can obtain any string of the same length as $SK$.

. The proof steps are as follows:

$G{M}_0$: In the ROR model, the simulation of $G{M}_0$ is consistent with a real attack. Therefore, we have

$$Ad{v}_A^P=|2Pr[Suc{c}_A^{G{M}_0}]-1|.$$

(1)

$G{M}_1$: $G{M}_1$ and $G{M}_0$ are different from the $G{M}_1$ add Execute() operation. In $G{M}_1$, A can intercept $\{M_1,M_2,M_3,M_4\}$ transmitted on the common channel. When $G{M}_1$ ends, A executes a Test() query to compute the $SK$, where $SK=h(I{D}_i\Vert I{D}_j\Vert N_i\Vert N_j)$. As $\{I{D}_i,I{D}_j,N_i,N_j\}$ is confidential to A, the probability of $G{M}_1$ is equal to $G{M}_0$. The probability of $G{M}_1$ is

$$Pr[Suc{c}_A^{G{M}_1}]=Pr[Suc{c}_A^{G{M}_0}].$$

(2)

$G{M}_2$: The difference between $G{M}_2$ and $G{M}_1$ is that $G{M}_2$ adds the Send() operation. According to Zipf’s law [35], the probability of $G{M}_2$ is expressed as

$$|Pr[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)]-Pr[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)]|\le q_{send}/2^l.$$

(3)

$G{M}_3$: $G{M}_3$ adds the Hash() operation and reduces the Send() operation. According to the birthday paradox, the probability of $G{M}_3$ is

$$|Pr[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)]-Pr[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)]|\le q_{hash}^2/2^{l+1}.$$

(4)

$G{M}_4$: In $G{M}_4$, A obtains temporary information to verify that it is resistant to known temporary information disclosure attacks. A can obtain a random number for one of the two parties: ${\mathsf{\Pi }}_V^m$ and ${\mathsf{\Pi }}_{RSU}^n$. Suppose A obtains a random number $N_i$. As $I{D}_i$, $I{D}_j$, and $N_j$ are unknown, the $SK$ cannot be computed. Similarly, if the random number $N_j$ is leaked, then the $SK$ cannot be computed by A. Therefore, the probability of $G{M}_4$ is expressed as

$$|Pr[Suc{c}_{\mathcal{A}}^{G{M}_4}\left(\xi \right)]-Pr[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)]|\le q_{hash}^2/2^{l+1}.$$

(5)

$G{M}_5$: In this game, A executes the Corrupt(${\mathsf{\Pi }}_V^m$) query to obtain the parameters $\{PI{D}_i,r_i,P_i,T{R}_i,{\tau }_i\}$ in the smart card. Legitimate users typically use low-entropy passwords. A may attempt to extract the password $PS{W}_i$ by executing an offline password guessing attack using the parameters $\{PI{D}_i,r_i,P_i,T{R}_i,{\tau }_i\}$. However, in our protocol, A cannot obtain $PS{W}_i$ without the biometric information ${\tau }_i$ and secret credential $RP{W}_i$. The probability of A guessing one bit of biological information is $1/2^l$. According to Zipf’s law [35], when $q^{send}\le {10}^6$, the probability that A can guess a password is greater than 0.5. These results prove that the proposed protocol is resistant to offline password guessing attacks. Therefore, we can derive

$$\begin{array}{c}\hfill |Pr[Suc{c}_A^{G{M}_5}]-Pr[Suc{c}_A^{G{M}_4})]|\le max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}.\end{array}$$

(6)

$G{M}_6$: This game verifies whether the proposed protocol is resistant to impersonation attacks. The difference between $G{M}_6$ and $G{M}_5$ is that A uses $h(I{D}_i\Vert I{D}_j\Vert N_i\Vert N_j)$ for the query operation, and the probability of successfully obtaining $SK$ is

$$|Pr[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)]-Pr[Suc{c}_{\mathcal{A}}^{G{M}_5}\left(\xi \right)]|\le q_{hash}^2/2^{l+1}.$$

(7)

The probability of the success and failure of $G{M}_6$ is 1/2. Therefore, the probability that A can guess $SK$ is

$$Pr[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)]=1/2.$$

(8)

Using these formulas, we obtain

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill 1/2Ad{v}_A^P& =|Pr[Suc{c}_A^{G{M}_0}]-1/2|\hfill \\ \hfill & =|Pr[Suc{c}_A^{G{M}_0}]-Pr[Suc{c}_A^{G{M}_6}]|\hfill \\ \hfill & =|Pr[Suc{c}_A^{G{M}_1}]-Pr[Suc{c}_A^{G{M}_6}]|\hfill \\ \hfill & \le \sum _{i=0}^5|Pr[Suc{c}_A^{G{M}_{i+1}}]-Pr[Suc{c}_A^{G{M}_i}]|\hfill \\ \hfill & =q_{send}/2^l+3q_{hash}^2/2^{l+1}+max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}\hfill \end{array}\end{array}$$

(9)

Therefore, we can obtain

$$\begin{array}{c}\hfill Ad{v}_A^P\le q_{send}/2^{l-1}+3q_{hash}^2/2^l+2max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}.\end{array}$$

(10)

□

4.2. Informal Security Analysis

4.2.1. Mutual Authentication

The proposed protocol realizes mutual authentication using $\{V_1,V_2,V_3,V_4\}$. $F{S}_m$ uses $V_1$ to verify the legitimacy of $V_i$ and $V_2$ to verify the legitimacy of $RS{U}_j$. $RS{U}_j$ uses $V_3$ to verify the legitimacy of $F{S}_m$, and $V_i$ uses $V_4$ to verify the legitimacy of $RS{U}_j$. Therefore, the proposed protocol can achieve mutual authentication.

4.2.2. Replay Attacks

The timestamps $\{T_1,T_2,T_3,T_4\}$ are used by the protocol to resist replay attacks. Here, we consider $T_1$ as an example. When $RS{U}_j$ receives message $M_1$ of $V_i$, it first checks the freshness of $T_1$. If $T_1$ is valid, then the authentication continues. Otherwise, authentication is suspended. Suppose A intercepts $M_1$ and repeatedly sends it to $RS{U}_j$. When $RS{U}_j$ checks the freshness of $T_1$, $T_1$ exceeds this time, and the authentication process stops. Therefore, the proposed protocol can resist replay attacks.

4.2.3. Privileged Insider Attacks

Suppose that A can obtain the value from a party’s database. Here, we consider $F{S}_m$ as an example. Based on this assumption, A can obtain the values $\{PI{D}_f,T{K}_{F-C},PI{D}_j,I{D}_i\}$ stored in the database. However, because the protocol uses a secure hardware SGX, the values $\{T{K}_{R-C},T{K}_{V-C}\}$ stored in SGX are not available. Therefore, A cannot obtain the value $\{I{D}_i,I{D}_j,N_i,N_j\}$ required to compute the $SK$, where $SK=h(I{D}_i\Vert I{D}_j\Vert N_i\Vert N_j)$. Therefore, the proposed protocol can resist privileged insider attacks.

4.2.4. Man-in-the-Middle Attacks

Suppose that A can intercept $\{M_1,M_2,M_3,M_4\}$ in the common channel. Here, we consider an intercept $M_1$ between $V_i$ and $F{S}_m$ as an example. Because A does not know the values of $\{I{D}_i,N_i,RP{W}_i\}$ or $\{r_i,T{R}_i\}$ in the smart card, A cannot compute the values of $\{I{D}_i,N_i,T{V}_{V-C}\}$ required by $V_1$, where $V_1=h(I{D}_i\Vert N_i\Vert T{V}_{V-C})$. Thus, the legitimacy of $V_i$ cannot be verified in $F{S}_m$. The same applies for A attempting to intercept $\{M_2,M_3,M_4\}$. Therefore, the proposed protocol can resist man-in-the-middle attacks.

4.2.5. User Anonymity and Untraceability

In our protocol, the identities of $V_i$, $RS{U}_j$, and $F{S}_m$ are not transmitted to the common channel, but pseudo-identities $\{PI{D}_i,PI{D}_j,PI{D}_f\}$ are transmitted. A cannot know the identities of the three, thus realizing anonymity. Because random numbers $N_i$ and $N_j$ used in $\{M_1,M_2,M_3,M_4\}$ are variable in every session, A cannot track $V_i$, $RS{U}_j$, or $F{S}_m$. Therefore, our protocol provides anonymity and untraceability.

5. Comparisons and Discussions

In this section, we compare the proposed protocol with the AKA protocols proposed by Ma et al. [9], Wazid et al. [29], Eftekhari et al. [10], and Wu et al. [11] in terms of security and performance.

5.1. Security Comparisons

Table 4. Comparisons of security.

Security Properties	[9]	[29]	[10]	[11]	Ours
Privileged insider attacks	×	✓	−	✓	✓
Impersonation attacks	✓	×	✓	✓	✓
Known temporary information disclosure attacks	×	−	✓	✓	✓
Stolen smart card attacks	×	✓	−	−	✓
User anonymity	×	✓	✓	✓	✓
Man-in-the-middle attacks	✓	−	−	✓	✓
Untraceability	×	✓	✓	✓	✓
Offline password guessing attacks	−	✓	−	✓	✓
Replay attacks	✓	✓	✓	✓	✓

presents the comparison results in terms of security. Here, indicates that the protocol can resist the attack, × indicates that the protocol is vulnerable to the attack, and − demonstrates that it is not mentioned whether the protocol can resist it. As shown in the table, the protocol of Ma et al. [9] is vulnerable to privileged insider attacks, known specific temporary information disclosure attacks, and stolen smart card attacks. The protocol proposed by Wazid et al. [29] is vulnerable to impersonation attacks. The other protocols and the proposed protocol are secure.

5.2. Performance Comparison

In this part, we compare the proposed protocol with the current AKA protocols for computational and communication costs. Because the authentication phase of the proposed protocol has two cases, the calculations of the computational and communication costs are also divided into two cases.

To calculate the computational cost, we considered two cases of the proposed protocol as examples. In Case 1, $RS{U}_j$ and $F{S}_m$ have no privacy value of $V_i$. Therefore, the CS must transmit the privacy value to $RS{U}_j$ and $F{S}_m$ to realize the entire authentication process. This situation requires the participation of the CS. Therefore, when calculating the computational cost, in addition to calculating the computational cost of the three parties involved in the authentication phase, we also needed to calculate the computational cost of the CS. In Case 2, $RS{U}_j$ and $F{S}_m$ have the private value of $V_i$ and do not require the participation of the CS; only the computational costs of $V_i$, $RS{U}_j$, and $F{S}_m$ need to be calculated.

When comparing the computational cost, we estimated the computational time of each entity in the protocol through a simulation experiment. We used MI 8 to simulate the vehicle, a Lenovo laptop to simulate the RSU and fog node, and a Lenovo desktop computer to simulate the cloud server. The equipment configuration of the three devices is shown in

Table 5. Experimental environment.

	MI 8	Lenovo Desktop Computer	Lenovo Laptop
Operating System	Android system	Windows 10	Windows 10
CPU	Qualcomm Snapdragon 845	Intel(R) Core(TM) i5-9500 CPU @ 3.00 GHz	Intel(R) Core(TM) i7-6700HQ CPU @ 2.60 GHz
Memory	6 GB	8 GB RAM	16 GB RAM

. The simulation experiment used the average execution time of the three devices 10 times as the running time, as shown in

Table 6. Experimental results.

Operations	${\mathit{V}}_{\mathit{i}}$ (ms)	${\mathbf{RSU}}_{\mathit{j}}$/${\mathbf{FS}}_{\mathit{m}}$ (ms)	CS (ms)
ECC scalar multiplication	20	18	12
ECC point addition	0.1556	0.0731	0.0500
Symmetric key encryption and decryption	0.2263	0.1648	0.1384
Hash function	0.0042	0.0030	0.0024

. Here, the ⊕ and ‖ operations were negligibly small, and the execution time of fuzzy extraction was similar to that of the hash function, according to [36]. It is shown in [19] that the average running time of the system with SGX only increases by 20 $\mu$s, sufficiently showing the low computation cost of SGX. Hence, we ignored the computational cost of SGX in the following comparisons. The results of the comparison of the computational cost are listed in

Table 7. Computational cost comparison¹.

Protocol	${\mathit{V}}_{\mathit{i}}$ (ms)	${\mathbf{RSU}}_{\mathit{j}}$ (ms)	${\mathbf{FS}}_{\mathit{m}}$ (ms)	CS (ms)
Ma et al. [9]	$3T_{sm}+4T_{ha}\approx 60.017$	-	$4T_{sm}+4T_{ha}\approx 42.012$	$10T_{sm}+11T_{ha}\approx 120.026$
Wazid et al. [29]	$3T_{sm}+2T_{fe}+22T_{ha}\approx 60.100$	-	$2T_{sm}+T_{pa}+14T_{ha}\approx 36.115$	$3T_{ha}\approx 0.007$
Eftekhari et al. [10]	$3T_{sm}+T_{pa}+11T_{ha}\approx 60.202$	-	$3T_{sm}+T_{pa}+12T_{ha}\approx 54.109$	$3T_{sm}+2T_{pa}+15T_{ha}\approx 36.136$
Wu et al. [11]	$2T_{sm}+T_{fe}+8T_{ha}\approx 60.038$	-	$4T_{sm}+5T_{ha}\approx 72.015$	$4T_{sm}+13T_{ha}\approx 48.031$
Ours, Case 1	$T_{fe}+8T_{ha}\approx 0.038$	$T_{en}+9T_{ha}\approx 0.092$	$T_{en}+7T_{ha}\approx 0.186$	$2T_{en}+6T_{ha}\approx 0.291$
Ours, Case 2	$T_{fe}+8T_{ha}\approx 0.038$	$7T_{ha}\approx 0.021$	$6T_{ha}\approx 0.018$	-

¹ Here, $T_{sm}$ indicates the running time of ECC scalar multiplication, $T_{pa}$ indicates running time of ECC point addition, $T_{fe}$ indicates running time of the fuzzy extraction operation, $T_{en}$ indicates the running time of encryption and decryption, and $T_{ha}$ indicates the running time of the hash function.

. It is evident from Table 7 that for $V_i$ and $F{S}_m$, excluding our protocol, the other protocols performed point multiplication, so the computational cost of our protocol was the lowest. For $RS{U}_j$, only our protocol contained the RSU. For the CS, the computational cost of Wazid et al. [29] was smaller than that of our protocol, whereas the others were higher than that of our protocol. As the CS had strong computing power, it did not affect the protocol’s performance. Therefore, the computational cost of the proposed protocol was relatively small.

When comparing the communication cost, the length of the timestamp was regarded as 32 bits, the length of the identity and random number was 160 bits, that of the hash function and symmetric encryption and decryption was 256 bits, and that of the ECC point was 320 bits. The proposed protocol was considered an example to illustrate the calculation method. The communication cost was calculated based on the two cases of the protocol. For Case 1, we needed to calculate the communication cost in the authentication phase and the communication cost in the data transmission phase. In Case 1, the protocol transmitted seven messages on the common channel, including $M_1=\{PI{D}_i,T{V}_{V-C},V_1,T_1\}$, $M_2=\{PI{D}_i,T{V}_{V-C},V_1,PI{D}_j,T{V}_{R-C},V_2,T_2\}$, $M_3=\{T{V}_{F-R},V_3,T_3\}$, $M_4=\{T{V}_{R-V},V_4,T_4\}$, $M_5=\{Re{q}_j,PI{D}_i,PI{D}_j,PI{D}_f,T{V}_{R-C},V_5,T_5\}$, $M_6=\{V_6,C{N}_m,T_6\}$, and $M_7=\{V_7,C{N}_n,T_7\}$. Here, $\{PI{D}_i,T{V}_{V-C},PI{D}_j,T{V}_{R-C},T{V}_{F-R},T{V}_{R-V},Re{q}_f,PI{D}_f,T{V}_{R-C}\}$ are random numbers, $\{V_1,V_2,V_3,V_4,V_5,V_6\}$ are hash values, $\{T_1,T_2,T_3,T_4,T_5,T_6,T_7\}$ are timestamps, and $\{C{N}_m,C{N}_n\}$ are encrypted values. Through our calculations, the communication cost of Case 1 was 5152 bits. In Case 2, we only needed to calculate the communication cost of the four messages $\{M_1,M_2,M_3,M_4\}$ in the authentication phase. Through calculations, the communication cost of Case 2 was 2688 bits. From the above calculation method, the communication costs of the protocols of Ma et al. [9], Wazid et al. [29], Eftekhari et al. [10], and Wu et al. [11] were 4512, 3488, 4416, and 4448 bits, respectively. The comparison results are presented in

Table 8. Communication cost comparison.

Protocols	Rounds	Communication Cost
Ma et al. [9]	4	4512 bits
Wazid et al. [29]	3	3488 bits
Eftekhari et al. [10]	4	4416 bits
Wu et al. [11]	4	4448 bits
Ours, Case 1	7	5152 bits
Ours, Case 2	4	2688 bits

. Therefore, evidently in Case 1, because our protocol has seven rounds of messages, the communication cost of our protocol was higher than that of the other protocols. In Case 2, the communication cost of our protocol was lower than that of the other protocols, which significantly reduced the communication cost of the protocol.

5.3. Discussions

Now, we discuss our protocol and those of Eftekhari et al. [10] and Wu et al. [11] in terms of architecture, computational cost, and communication cost.

In the first item (architecture), both protocols [10,11] used the traditional three-layer architecture (i.e., vehicle–fog node–CS). As mentioned in the Introduction, this architecture fails to realize the function of fog nodes sharing the computational burden of the CS, because the fog nodes actually replace the RSUs, and computation is still performed on the CS. To reduce the computational burden of the CS, we extended the traditional architecture to propose the first four-layer architecture, namely vehicle–RSU–fog node–CS. In this architecture, when a vehicle enters the road and wants to communicate with the RSU, the communication modes are divided into the two cases. Case 1 requires the participation of each entity, while Case 2 only requires the participation of the vehicle, RSU and fog node without the CS. Therefore, this architecture effectively realizes the function of the fog node sharing the computational burden of the CS.

In the second item (computational cost), both protocols [10,11] performed ECC operations. Our protocol performs hash, fuzzy extraction, and symmetric encryption and decryption operations in Case 1, and it only performs hash and fuzzy extraction operations in Case 2. Though the three protocols are secure, our protocol has a lower computational cost.

In the final item (communication cost), the communication cost of the proposed protocol (Case 1) was slightly higher than that of both protocols [10,11] because it requires an additional three rounds to judge whether the vehicle communicates with the RSU for the first time. However, Case 1 only occurred once for the same vehicle and RSU. In Case 2, our protocol had a lower communication cost than Eftekhari et al. [10] and Wu et al.’s [11] protocols.

6. Conclusions

In this paper, we first introduced the IoV and fog computing and reviewed the related research results. After that, we proposed an authentication protocol based on SGX and fog computing in the IoV. In this protocol, we first proposed a four-layer architecture that significantly reduced the computational burden of the CS. To resist several well-known attacks, we applied SGX to our protocol. Finally, we proved the security of the proposed protocol through the ROR model and informal analysis. We also compared its performance with those of recent protocols. The results show that the proposed protocol had better security and a lower computational cost. Future studies will continue to conduct further research based on the architecture used. We hope that this research will provide ideas and help researchers.