Secure Key Agreement and Authentication Protocol for Message Confirmation in Vehicular Cloud Computing

With the development of vehicular ad-hoc networks (VANETs) and the Internet of vehicles (IoV), a large amount of useful information is generated for vehicle drivers and traffic management systems. The amount of vehicle and traffic information grows with the number of vehicles and is enormous compared to the computing and storage capacity of a vehicle. To resolve this problem, VANETs use a combined cloud computing technology, called vehicular cloud computing (VCC), which manages vehicle-related data and helps vehicle drivers directly or indirectly. However, VANETs remain vulnerable to attacks such as tracking, masquerade and man-in-the-middle attacks because they communicate over open networks. To overcome these issues, many researchers have proposed secure authentication protocols for message confirmation with vehicular cloud computing. However, several researchers have pointed out that some proposed protocols rely on ideal tamper-proof devices (TPDs), and they demonstrated that realistic TPDs cannot prevent an adversary's attacks. Limbasiya et al. presented a message confirmation scheme for vehicular cloud computing using a realistic TPD in order to prevent these problems. However, their scheme still has security weaknesses with respect to the TPD and does not guarantee mutual authentication. This paper proposes a secure key agreement and authentication protocol to address the security weaknesses of the protocol of Limbasiya et al. The suggested protocol withstands malicious attacks and ensures secure mutual authentication while preserving privacy. We prove that the proposed protocol provides session key security using the Real-Or-Random (ROR) model. We also employ the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool to show that the proposed protocol defeats replay and man-in-the-middle attacks.
Furthermore, we establish that the proposed protocol resists other malicious attacks through an informal security analysis, and we show that it is lightweight and suitable for VCC environments.


Introduction
Embedded devices, such as sensors and on-board units (OBUs) in the Internet of vehicles (IoV), collect a variety of information including traffic and road conditions. Drivers and traffic management systems can share and use various services by exchanging this information with other vehicles. Therefore, the role of embedded devices in the IoV has been growing as vehicle systems grow in size, and traffic information has been increasing in complexity. However, enhancing the

Literature Reviews
This section briefly reviews secure authentication and key agreement protocols in two groups: general authentication protocols for vehicular communication or VANETs, and authentication protocols using a practical TPD that point out the limitations of the ideal TPD.

Authentication Protocol for Vehicle Communication
Authentication is considered a basic security service that allows subjects to mutually authenticate with other subjects [5][6][7][8][9]. In 2007, Lin et al. [10] suggested an authentication protocol using a group signature based on bilinear pairing. In their protocol, the verifier can verify multiple signatures simultaneously, which improves authentication efficiency. However, Zhang et al. [11] pointed out a significant flaw in Lin et al.'s protocol: validation required at least two pairing operations and could not be extended. In addition, their protocol uses many exponential operations that require complex computing. Therefore, they suggested an authentication protocol based on bilinear pairing that uses the addition operation, which is simpler than exponentiation. In 2013, Lee and Lai [12] found that Zhang et al.'s scheme also has security weaknesses. They demonstrated that Zhang et al.'s protocol cannot achieve signature non-repudiation and is insecure against replay attacks. Moreover, Zhang et al.'s scheme cannot provide security against masquerade and tracking attacks. However, Jianhong et al. [13] proved that Lee and Lai's protocol is insecure against impersonation and tracing attacks and violates non-repudiation. Further, Bayat et al. [14] also found an impersonation attack on Lee and Lai's protocol. After that, Bayat et al. [14] proposed a secure authentication scheme for VANETs with batch verification to overcome the security weaknesses of [12]. Unfortunately, He et al. [15] pointed out that the protocol of [14] cannot defend against modification, replay, and impersonation attacks. Then, He et al. [15] designed a novel secure protocol using elliptic curve cryptography (ECC) for vehicle communication. Zhong et al. [16] analyzed the protocol in [15] and concluded that using complex cryptographic functions can result in enormous operational costs and, consequently, the system faces network disruption problems.
Therefore, they proposed a system that distributes pseudonymized signatures to verify user identities. In 2014, Chuang et al. [17] proposed a trust-extended authentication scheme for VANETs. Under their protocol, vehicles are divided into three types and only hash and exclusive-or functions are used to keep communication lightweight. However, Zhou et al. [18] found that Chuang et al.'s protocol cannot guarantee privacy preservation and is vulnerable to impersonation and insider attacks. They also argued that the TPD assumption is strong. Therefore, Zhou et al. proposed a more secure authentication protocol improving on Chuang et al.'s protocol. They use ECC to protect the entities' real identities and to protect against internal attacks. In 2019, Wu et al. [19] pointed out that Zhou et al.'s protocol cannot prevent identity guessing and impersonation attacks and also cannot guarantee user anonymity. In 2017, Zhang et al. [1] proposed a personal information protection system based on distributed aggregation to conditionally limit user anonymity. However, this method takes more time to verify the signature, so the recipient must spend more time to verify the correctness of the message immediately. In 2019, Limbasiya et al. [4] proposed a secure message confirmation scheme for the vehicular cloud environment. They pointed out that Zhong et al.'s protocol [16] has security flaws under a side-channel attack on the OBU and TPD. Therefore, they suggested a more secure protocol that overcomes the computational limitations of the OBU and TPD through cloud computing. However, we reveal that their protocol does not withstand several malicious attacks, such as the session key disclosure attack and the masquerade attack. Additionally, their protocol does not provide privacy preservation or mutual authentication and has a correctness problem.

Ideal TPD Limitation
In 2017, Zhang et al. [1] proposed a privacy-preserving authentication protocol for VANET communication with a realistic TPD in OBUs. They showed that the generic TPD used in many previous studies is not realistic. The ideal TPD rests on the strong assumption that an attacker cannot obtain or tamper with the values stored in the OBU. However, Zhang et al. [1] demonstrated that, in realistic situations, attackers can perform side-channel attacks on TPDs and eventually control the entire VANET. In 2017, Zhang et al. [2] proposed a Chinese remainder theorem based authentication protocol for VANETs. They pointed out the heavy reliance on the ideal TPD: if a single TPD is obtained by a malicious user, reliance on the ideal TPD creates a single point of failure and fails to preserve the privacy of the entire network. Therefore, they use the drivers' biometrics to help prevent attacks on TPDs.
In 2018, Liu et al. [3] proposed an authentication scheme for VANETs that balances the reliance on the TPD. They demonstrated that strong reliance on the TPD lets an attacker compromise the whole system through key leakage, and they designed a protocol such that, even if the TPD is compromised, the whole system is not endangered.

Network Model
In the general architecture of vehicular networks, communication among vehicles or between vehicles and road side units (RSUs) is based on dedicated short-range communication [20], where vehicle-to-infrastructure (V2I) communication is the external network between vehicles and RSUs.
Our proposed network model is based on Limbasiya et al.'s network model, but it addresses the flaws in communication and authentication. Under their protocol, the process of transmitting the session key between RSUs and vehicles is unclear. Therefore, we propose a network model in which vehicles and RSUs register at a trusted authority. The key agreement involves all entities, including the vehicle, the RSU, and the trusted authority. Figure 1 illustrates our proposed network model, and the entities are described in detail below.

Figure 1. Proposed network model.

Vehicular
• Vehicle: vehicles have embedded devices, sensors and wireless communication devices, such as velocity or location measurement equipment, Bluetooth, Wi-Fi, and an OBU. In particular, the OBU collects the information generated by sensors or devices. However, the OBU has relatively restricted memory. Therefore, the OBU sends the collected information to RSUs; subsequently, RSUs transmit the data to the vehicular cloud.
• RSU: RSUs are intermediary devices that transmit data between vehicles and the vehicular cloud. RSUs register with the trusted authority to generate a session key with vehicles. RSUs have more memory and computing performance than OBUs. Therefore, RSUs can obtain data from many vehicles. However, RSUs cannot store the data of multiple vehicles. Therefore, RSUs send specific data to the vehicular cloud.
• Trusted authority: a trusted authority is the top-level entity, which an attacker can never attack. RSUs and vehicles register with the trusted authority to generate the session key, and then the trusted authority, RSUs, and vehicles perform mutual authentication.
• Vehicular cloud: a vehicular cloud is a storage server used to save a huge amount of data of different kinds within a VANET system. Each vehicle needs to collect and share data with other vehicles. Therefore, the OBU collects data and communicates with other OBUs. However, OBUs have low computational performance and small storage space. Thus, vehicles send the data securely to RSUs, and RSUs forward it to the vehicular cloud.

Threat Model
We cryptanalyze protocol security using the popular Dolev-Yao (DY) model [21]. Under this threat model, malicious attackers can capture, modify, add, or delete messages sent over insecure channels. We also consider the following assumptions:
• A malicious adversary can steal or obtain a legitimate user's device and perform side-channel attacks [22] to obtain key information stored in the device.
• A malicious adversary is able to masquerade as a legitimate user and trick authority entities into granting access to resources.
• An adversary may obtain an authority entity's secret key. Subsequently, the adversary can compute a previous session key to trick users or authority entities.
We also follow the claims of [1][2][3]. Therefore, we assume that attackers can perform side-channel or power-analysis attacks on TPDs or OBUs and subsequently obtain the values stored in TPDs. Adversaries can perform a variety of attacks, including impersonation, spoofing, and identity guessing attacks, using values obtained from compromised TPDs.

Notations
The used notations in this paper are given in Table 1.

Table 1. Notations.

Notation Meaning

OBU i
On-board unit

TPD i
Tamper-proof device

P
Elliptic curve generator

P pri i
A server private key

h(·)
Hash function

||
Concatenation (connection) symbol

⊕
XOR operator

Review of Limbasiya et al.'s Protocol
We review Limbasiya et al.'s message confirmation scheme for the VCC environment, which consists of the formation phase, the key generation phase, and the message signature and confirmation phase.

Formation Phase
If a new vehicle requests registration with the trusted authority TA, TA computes and sends OBU i and TPD i, which store the necessary values, to the vehicle. Before registration, each vehicle computes parameters using its unique identity RID i, password PWD TPD i, and a random number s i. The detailed equations are shown in Figure 2 and the steps are as follows.
Step 1: Vehicle v i chooses a unique identity RID i and password PWD TPD i and generates a random number s i. v i computes X i = (PWD TPD i ||s i) ⊕ RID i and then sends {RID i, X i} to TA through a secure channel.
Step 2: After receiving RID i and X i, TA calculates P pri i = s i ⊕ P ⊕ RID i and saves {P} in OBU i and {X i, P pri i} in TPD i. Subsequently, TA sends OBU i and TPD i to v i via a secure channel.

Key Generation Phase
The vehicle v i begins a key agreement process in TPD i for message signature. v i generates a session key SK RID i and transmits it to the concerned RSU. The detailed equations are illustrated in Figure 3 and the steps are as follows.
Step 1: v i inputs RID i and PWD TPD i into TPD i.
Step 2: TPD i computes s i = P ⊕ RID i ⊕ P pri i and X i = (PWD TPD i ||s i) ⊕ RID i. Then TPD i compares the computed X i with the X i stored in itself.
Step 3: If they are the same, TPD i selects a random number r i and computes ID 1 = r i · P, ID 2 = RID i ⊕ h(r i · P pri i) and ID i+2 = h(ID 1 ||ID 2). Then TPD i generates the session key SK RID i = s i ⊕ h(ID i+2 ||T 1) ⊕ ID RSU j and transmits the session key to the concerned RSU.

Message Signature and Confirmation Phase of Limbasiya et al.'s Protocol
TPD i signs the information with the session key and forwards it to the connected RSU j. Figure 4 shows the detailed equations with the process steps, as follows.
Step 1: For signing the message,
Step 3: Then, RSU j compares the received σ i with the computed σ i. If they are equal, RSU j uses M i for future computations. Additionally, for batch verification, RSU j checks the following equation:

Cryptanalysis of Limbasiya et al.'s Protocol
Limbasiya et al. stated that their protocol provides privacy preservation, mutual authentication, and other security properties. However, in this section, we cryptanalyze Limbasiya et al.'s scheme for the VCC environment and show that their protocol has several security flaws.

Correctness Problem
In the formation phase, a vehicle v i sends only {RID i, X i}. Thus, TA cannot know s i. However, in Limbasiya et al.'s protocol, TA computes P pri i using s i. Therefore, Limbasiya et al.'s protocol has a correctness problem, which may lead to an incorrect formation of v i.

Session Key Disclosure Attack
A malicious attacker A can perform a side-channel attack on the TPD [1][2][3] and the OBU. Accordingly, A can obtain the values stored in the OBU and TPD, and also the messages transmitted over insecure channels. Thus, A can compute the session key from the obtained values.
Step 1: A obtains P from OBU i and X i, P pri i from TPD i using the side-channel attack, and also obtains RID i from the transmitted message. Subsequently, A computes s i = P ⊕ RID i ⊕ P pri i.
Step 2: A obtains ID i+2 and T 1 from the transmitted messages, together with the public value ID RSU j. Therefore, A can compute
Step 3: Finally, A obtains the previous session key SK RID i and can trick other OBUs or RSUs.
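The derivation above, written out as an added Python model that is not code from the paper: every quantity is a 32-byte string and the curve generator P is treated as an opaque public constant, a modelling assumption made so that the paper's XOR relations can be evaluated directly; X i is omitted because the key recovery does not use it. The check shows that the key rebuilt from the OBU/TPD contents plus the public transcript equals the key the TPD generated, which is why a key formed by XOR-masking with TPD-resident values gives no protection once a side-channel attack reads the device.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """h(.) over the concatenation (||) of its arguments; SHA-256 stands in for the paper's hash."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """The paper's ⊕ on equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

# Modelling assumption: P is an opaque 32-byte public constant standing in for the
# elliptic curve generator, and ID_RSU_j is a constructed public RSU identity.
P = b"\x02" * 32
ID_RSU_j = b"\x07" * 32

def formation(rid_i: bytes, s_i: bytes) -> bytes:
    """Formation phase, step 2: TA stores P_pri_i = s_i ⊕ P ⊕ RID_i in TPD_i."""
    return xor(xor(s_i, P), rid_i)

def tpd_session_key(s_i: bytes, id_i2: bytes, t_1: bytes) -> bytes:
    """Key generation, step 3: SK_RID_i = s_i ⊕ h(ID_i+2 || T_1) ⊕ ID_RSU_j."""
    return xor(xor(s_i, h(id_i2, t_1)), ID_RSU_j)

def key_from_dump_and_transcript(p_pri_i: bytes, rid_i: bytes, id_i2: bytes, t_1: bytes) -> bytes:
    """Session key disclosure, steps 1-3: P comes from OBU_i, P_pri_i from TPD_i, and
    RID_i, ID_i+2, T_1 from the transmitted messages; ID_RSU_j is public."""
    s_i = xor(xor(P, rid_i), p_pri_i)               # step 1: s_i = P ⊕ RID_i ⊕ P_pri_i
    return xor(xor(s_i, h(id_i2, t_1)), ID_RSU_j)   # step 2: the TPD's own key formula

def disclosure_succeeds() -> bool:
    """Constructed run: a fresh vehicle, one key generation, one passive observer."""
    rid_i, s_i = os.urandom(32), os.urandom(32)
    p_pri_i = formation(rid_i, s_i)
    id_i2 = h(os.urandom(32), os.urandom(32))   # ID_i+2 = h(ID_1 || ID_2), sent in clear
    t_1 = b"T1-timestamp".ljust(32, b"\0")      # constructed timestamp, sent in clear
    real = tpd_session_key(s_i, id_i2, t_1)
    rebuilt = key_from_dump_and_transcript(p_pri_i, rid_i, id_i2, t_1)
    return real == rebuilt
```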

Impersonation Attack
A can impersonate vehicles to compute message confirmation request messages. Section 4.2 shows that A can compute the session key. Therefore, A can compute confirmation request messages using the computed session key and the transmitted messages. The detailed steps are as follows.
Step 1: A obtains M i from the transmitted message and computes the previous session key as in the session key disclosure attack above. Subsequently, A can compute

Privacy Preserving Problem
In Limbasiya et al.'s scheme, the legitimate identity RID i of the vehicle is transmitted over public channels. This enables a tracing attack and does not preserve the user's privacy. As shown in the sections above, the attacker can masquerade as a legitimate vehicle and establish a session key to access sensitive information. Therefore, the protocol of Limbasiya et al. does not provide privacy preservation.

Mutual Authentication
In the sections above, we showed that A can generate the session key SK successfully and impersonate a legitimate vehicle. Therefore, the protocol of Limbasiya et al. cannot achieve key agreement and mutual authentication.

Secure Key Agreement and Authentication Protocol for VCC
This section presents the proposed protocol, which resolves the security flaws in Limbasiya et al.'s protocol. We use only an OBU instead of a TPD. Limbasiya et al.'s protocol cannot provide secure key agreement because the TPD sends the session key without encryption. Therefore, we register vehicles and RSUs at the TA to establish secure key agreement. Thereafter, the vehicle transmits information encrypted with the session key to the RSU. The RSU validates the message and sends it to the vehicular cloud. We also consider the performance and storage of the OBU, because of its relatively low computational power and small storage. Thus, we design the protocol using only the exclusive-or and one-way hash functions, which have low computational cost.

Registration Phase
For message confirmation with VCC and communication with other vehicles or RSUs, the vehicle must register with the TA. RSUs also register with the TA in order to establish a secure session key with the vehicle. The detailed steps are as follows and are shown in Figure 5.
Step 1: Vehicle v i chooses an identity ID i, a password PW i and a random number b i. The vehicle computes
Step 2: TA has a master key x and a secret key y. After receiving the registration request message from v i, TA generates random numbers a i and s i for the vehicle. Subsequently, TA calculates and stores VS i in OBU i, and then sends OBU i to the vehicle through a closed channel.
Step 3: Road side unit RSU j chooses ID RSU j and a random nonce a j and sends these values to TA via a closed channel.
Step 4: When TA receives the values from RSU j, TA calculates RA j = h(ID RSU j ||a j) and RB j = h(RA j ||h(x||y)). Subsequently, TA sends the message {RA j, RB j} to RSU j via a secure channel.

Key Agreement and Authentication Phase
The vehicle and RSU must perform key agreement by generating a session key for secure communication between the RSU and other OBUs. The vehicle and RSU are authenticated by TA. If TA confirms that the vehicle and RSU are legitimate entities, the vehicle and RSU generate a session key. The detailed steps are given below (see Figure 6).
Step 1: Vehicle v i inputs ID i and PW i.
Step 2: RSU j selects r j and computes B i = RB j ⊕ r j and Auth 2 = h(ID RSU j ||RB j ||r j). Then, RSU j sends the values {Auth 1, M 1, H ID i, B i, RA j, Auth 2} to TA via an insecure channel.
Step 3: When TA receives the message from RSU j, TA computes MV i = h(H ID i ||h(x||y)), r i = M 1 ⊕ MV i and Auth 1 = h(r i ||MV i). Then, TA compares the computed Auth 1 with the received Auth 1. If they are equal, TA extracts the values RB j = h(RA j ||h(x||y)) and r j = RB j ⊕ B i. TA computes Auth 2 = h(ID RSU j ||RB j ||r j) and compares it with the received Auth 2. If they are the same, TA generates a new secret key y new. TA computes RB jnew = h(RA j ||h(x||y new)),
Step 4: After receiving the values from TA, RSU j extracts r i = RB j ⊕ C i and RB jnew = r j ⊕ E i and computes Auth 3 = h(RB j ||RB jnew ||r i). Then RSU j checks whether the computed Auth 3 and the received Auth 3 are equal. If they are equal, RSU j updates RB j to RB jnew and generates the session key SK = h(r i ||r j). RSU j sends the message {D i, Auth 4} to v i via a public channel.
Step 5: v i extracts the value r j = MV i ⊕ D i, computes Auth 4 = h(MV i ||r j) and checks whether the computed Auth 4 and the received Auth 4 are the same. If they are equal, v i computes the session key SK = h(r i ||r j). Finally, v i and the concerned RSU j share the same session key.
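The exchange of Steps 2 to 5 above, as an added Python simulation that is not the paper's own code, with both sides' messages and the Auth checks that abort a run. Step 1's message and the TA's outgoing values C i, E i, Auth 3, D i and Auth 4 are not spelled out on the page, so they are assumed here to be exactly the inverses of the checks the receivers perform (M 1 = r i ⊕ MV i, Auth 1 = h(r i ||MV i), C i = r i ⊕ RB j, E i = RB jnew ⊕ r j, Auth 3 = h(RB j ||RB jnew ||r i), D i = r j ⊕ MV i, Auth 4 = h(MV i ||r j)); MV i is assumed to be provisioned to the OBU at registration, the TA is assumed to look up ID RSU j by RA j, and SHA-256 stands in for h(·).

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """h(.) over the concatenation (||) of its arguments; SHA-256 stands in for the paper's hash."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """The paper's ⊕ on equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

class AuthError(Exception):
    """An Auth_k comparison failed; the receiving party aborts the run."""

class TrustedAuthority:
    def __init__(self):
        self.x, self.y = os.urandom(32), os.urandom(32)  # master key x, secret key y
        self.rsu_ids = {}   # RA_j -> ID_RSU_j, remembered at RSU registration (assumption)

    def register_rsu(self, id_rsu: bytes, a_j: bytes):
        ra_j = h(id_rsu, a_j)               # RA_j = h(ID_RSU_j || a_j)
        rb_j = h(ra_j, h(self.x, self.y))   # RB_j = h(RA_j || h(x || y))
        self.rsu_ids[ra_j] = id_rsu
        return ra_j, rb_j

    def register_vehicle(self, hid_i: bytes) -> bytes:
        return h(hid_i, h(self.x, self.y))  # MV_i = h(H_ID_i || h(x || y)); assumed to reach the OBU

    def step3(self, auth1, m1, hid_i, b_i, ra_j, auth2):
        mv_i = h(hid_i, h(self.x, self.y))
        r_i = xor(m1, mv_i)                                      # r_i = M_1 ⊕ MV_i
        if h(r_i, mv_i) != auth1:                                # Auth_1 = h(r_i || MV_i)
            raise AuthError("Auth_1 mismatch: vehicle rejected")
        rb_j = h(ra_j, h(self.x, self.y))                        # RB_j = h(RA_j || h(x || y))
        r_j = xor(rb_j, b_i)                                     # r_j = RB_j ⊕ B_i
        if h(self.rsu_ids.get(ra_j, b""), rb_j, r_j) != auth2:   # Auth_2 = h(ID_RSU_j || RB_j || r_j)
            raise AuthError("Auth_2 mismatch: RSU rejected")
        y_new = os.urandom(32)
        rb_jnew = h(ra_j, h(self.x, y_new))                      # RB_jnew = h(RA_j || h(x || y_new))
        # ASSUMED forms (the page only shows how RSU_j and v_i undo them):
        c_i, e_i = xor(r_i, rb_j), xor(rb_jnew, r_j)             # C_i = r_i ⊕ RB_j, E_i = RB_jnew ⊕ r_j
        auth3 = h(rb_j, rb_jnew, r_i)                            # Auth_3 = h(RB_j || RB_jnew || r_i)
        d_i, auth4 = xor(r_j, mv_i), h(mv_i, r_j)                # D_i = r_j ⊕ MV_i, Auth_4 = h(MV_i || r_j)
        return c_i, e_i, auth3, d_i, auth4

class RSU:
    def __init__(self, id_rsu: bytes, ra_j: bytes, rb_j: bytes):
        self.id_rsu, self.ra_j, self.rb_j = id_rsu, ra_j, rb_j
        self.r_j = self.sk = None

    def step2(self, auth1, m1, hid_i):
        self.r_j = os.urandom(32)
        b_i = xor(self.rb_j, self.r_j)                  # B_i = RB_j ⊕ r_j
        auth2 = h(self.id_rsu, self.rb_j, self.r_j)     # Auth_2 = h(ID_RSU_j || RB_j || r_j)
        return auth1, m1, hid_i, b_i, self.ra_j, auth2

    def step4(self, c_i, e_i, auth3, d_i, auth4):
        r_i = xor(self.rb_j, c_i)                       # r_i = RB_j ⊕ C_i
        rb_jnew = xor(self.r_j, e_i)                    # RB_jnew = r_j ⊕ E_i
        if h(self.rb_j, rb_jnew, r_i) != auth3:         # Auth_3 = h(RB_j || RB_jnew || r_i)
            raise AuthError("Auth_3 mismatch: TA reply rejected by RSU")
        self.rb_j = rb_jnew                             # RSU_j updates RB_j to RB_jnew
        self.sk = h(r_i, self.r_j)                      # SK = h(r_i || r_j)
        return d_i, auth4                               # {D_i, Auth_4} forwarded to v_i

class Vehicle:
    def __init__(self, hid_i: bytes, mv_i: bytes):
        self.hid_i, self.mv_i = hid_i, mv_i
        self.r_i = self.sk = None

    def step1(self):
        self.r_i = os.urandom(32)
        m1 = xor(self.r_i, self.mv_i)      # ASSUMED: M_1 = r_i ⊕ MV_i, so TA's r_i = M_1 ⊕ MV_i holds
        auth1 = h(self.r_i, self.mv_i)     # ASSUMED: Auth_1 = h(r_i || MV_i), matching TA's check
        return auth1, m1, self.hid_i

    def step5(self, d_i, auth4):
        r_j = xor(self.mv_i, d_i)          # r_j = MV_i ⊕ D_i
        if h(self.mv_i, r_j) != auth4:     # Auth_4 = h(MV_i || r_j)
            raise AuthError("Auth_4 mismatch: reply rejected by vehicle")
        self.sk = h(self.r_i, r_j)         # SK = h(r_i || r_j)
        return self.sk

def run_key_agreement(tamper_m1: bool = False):
    """Full exchange v_i -> RSU_j -> TA -> RSU_j -> v_i; returns (SK at v_i, SK at RSU_j).
    With tamper_m1 an on-path attacker flips bits of M_1 in transit, which Auth_1 must catch."""
    ta = TrustedAuthority()
    hid_i = h(b"ID-vehicle-0001", b"driver-pw", os.urandom(32))   # H_ID_i = h(ID_i || PW_i || a_i), constructed
    vehicle = Vehicle(hid_i, ta.register_vehicle(hid_i))
    ra_j, rb_j = ta.register_rsu(b"RSU-0042", os.urandom(32))     # constructed ID_RSU_j and nonce a_j
    rsu = RSU(b"RSU-0042", ra_j, rb_j)
    auth1, m1, hid = vehicle.step1()
    if tamper_m1:
        m1 = xor(m1, b"\x01" * 32)
    d_i, auth4 = rsu.step4(*ta.step3(*rsu.step2(auth1, m1, hid)))
    return vehicle.step5(d_i, auth4), rsu.sk

def tampered_run_is_rejected() -> bool:
    """True when a modified M_1 is caught by the TA's Auth_1 check."""
    try:
        run_key_agreement(tamper_m1=True)
    except AuthError:
        return True
    return False
```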

Message Signature and Message Confirmation Phase
If v i wants to send information to the concerned RSU, v i must sign the message using the session key and send it to RSU j. RSU j then checks whether the message is legitimate. If the message is legitimate, RSU j validates the message and sends it to the cloud server. The detailed steps are as follows and are shown in Figure 7.
Step 1: For signing the information,
Step 2: After receiving the message, RSU j extracts the information and checks whether the received σ i and the computed σ i are equal. If they are the same, RSU j uses the information M i for future computations. Additionally, for batch verification, RSU j checks the following equation:

Security Analysis
We simulate the proposed protocol with the AVISPA tool [23,24] in order to demonstrate that it resists replay and man-in-the-middle attacks. We also prove the session key security using the ROR model [25] and conduct an informal security analysis. Together, these show that our proposed protocol provides security against various attacks, including impersonation, side-channel attacks on the TPD, trace attacks, and so on.

ROR Model
In this section, we use the widely accepted real-or-random (ROR) model [25] to prove the security of the session key in our proposed protocol. We provide a proof similar to those in [26,27].

Short Discussion about ROR Model
In the ROR model [25], the malicious attacker A is modeled using the DY model and interacts with the instances of the participants in the protocol. In our proposed protocol, v i, RSU j and TA are the participants, and P t 1 v i, P t 2 RSU j, and P t 3 TA are oracles denoting the instances t 1, t 2, and t 3 of v i, RSU j, and TA, respectively. Table 2 shows the queries that simulate attacks, such as eavesdropping, modifying, and deleting or inserting the messages transmitted among the entities. The collision-resistant one-way hash function h(·) is modeled as a random oracle Hash, which can be used by all participants including A.
Wang et al. [28] showed that passwords chosen by users follow Zipf's law, which is quite different from the uniform distribution. They also found that the size of the password dictionary is quite limited, in the sense that users do not generally use the entire password space; instead, they use a small part of the allowed character space. We apply Zipf's law in order to prove the session key security of our proposed protocol.
Theorem 1. Let Adv P be the advantage of an attacker A in breaking the session key SK security of the proposed protocol P, and let q h, q send, and |Hash| be the number of Hash queries, the number of Send queries, and the range space of the hash function, respectively. Then, where C and s are the Zipf's parameters [28].

Table 2. Various queries and their meanings.

Query Meaning
Execute(P t 1 v i , P t 2 RSU j , P t 3 TA ) This query models an eavesdropping attack among the entities v i, RSU j and TA over insecure channels.

CorruptOBU(P t 1 v i )
Under this corrupt on-board-unit (OBU) query, A can fetch all sensitive credentials stored in the OBU of v i . This is modeled as an active attack.

Send(P t )
Under this query, A can transmit a message to P t and, in response, receives a message from P t. This is also modeled as an active attack.

Reveal(P t )
This query reveals to A the session key SK created by P t and its partner in the current session.

Test(P t )
Before the game begins, an unbiased coin c is flipped, and the following decisions depend on its outcome. When A executes this query and the session key SK between v i and RSU j is fresh, P t returns SK if c = 1 or a random nonce if c = 0; otherwise, it returns a null value (⊥).

Proof.
We define four games, called GM i, i ∈ {0, 1, 2, 3}. The probability that A guesses the random bit c and wins game GM i is denoted by Succ i. Moreover, Pr[·] denotes probability. We discuss the details of these four games below.
• Game GM 0: in this game, A chooses a random bit c. This game corresponds to a real attack executed by A against the protocol in the ROR model. Because GM 0 and the protocol are identical, we get Adv P = |2 · Pr[Succ 0] − 1|. (1)
• Game GM 1: in this game, A performs an eavesdropping attack on all messages transmitted during the key generation and message confirmation processes of the proposed protocol using the Execute query. At the end of this game, A makes the Reveal and Test queries. The outputs of the Reveal and Test queries decide whether A obtains the real session key SK between v i and RSU j or a random number. In our proposed protocol, v i and RSU j compute the session key as SK = h(r i ||r j). To derive SK, A needs the short-term (temporal) secrets r i and r j, which are unknown to A. Thus, the transmitted messages do not increase the winning probability. As the games GM 0 and GM 1 are indistinguishable, we get
• Game GM 2: this game is modeled as an active attack that includes the simulation of the Hash and Send queries. In the proposed protocol, all messages are protected by the collision-resistant one-way hash function except M 1, B j, C i and D i. However, random numbers are used in M 1, B j, C i and D i. Furthermore, deriving r i from the intercepted Auth 1, C i, and M 1, and r j from the intercepted B i, Auth 2, D i, and Auth 4, is computationally infeasible because of the collision-resistant property of the hash function. Therefore, no collision occurs when A executes the Hash query. Using the birthday paradox, we have
• Game GM 3: this is the final game, in which A executes the CorruptOBU query. A can extract all To derive the secrets s i, a i, and b i from A i, VI i, BE i, and AE i, A needs the unknown ID i and PW i. Without the secret credentials b i, ID i, and PW i of v i, it is computationally difficult for A to guess the password PW i of v i correctly using the Send queries. GM 2 and GM 3 are identical when the password guessing attack is absent. Therefore, using Zipf's law on passwords, we obtain |Pr[
All of the games have been executed; therefore, A needs to guess the correct bit c. Therefore, we have Equations (1) and (2) give the following result: Again, Equations (5) and (6) give the following result: We obtain the following equation using the triangle inequality and Equations (3) and (4): Finally, we obtain the required result by multiplying both sides of Equation (8) by a factor of 2: Therefore, Theorem 1 is proved.

Formal Security Analysis through AVISPA
We perform a formal security analysis of the proposed protocol using the AVISPA validation tool in order to demonstrate that the protocol resists replay and man-in-the-middle attacks. AVISPA takes protocol specifications written in the High-Level Protocol Specification Language (HLPSL). We briefly discuss AVISPA and present the HLPSL code of our protocol. After that, we present the AVISPA simulation results, which show that our protocol protects against man-in-the-middle and replay attacks. Numerous studies verified with the AVISPA tool have been presented [29][30][31].

Proposed Protocol's HLPSL Code
AVISPA has four back-ends, namely the On-the-fly Model-Checker (OFMC) [32], the CL-based Attack Searcher (CL-AtSe) [33], the SAT-based Model-Checker (SATMC), and the Tree Automata-based Protocol Analyser (TA4SP), for verifying the security of a protocol. The HLPSL code is translated into the intermediate format (IF), and the four back-ends process the IF to produce the output format (OF). In particular, OFMC and CL-AtSe are commonly used for verification.
The proposed protocol has three basic roles, which denote the entities: VI denotes a vehicle, RSU denotes a roadside unit and TA denotes a trusted authority. The session and environment roles are illustrated in Figure 8. In the session and environment roles, we set up the intruder knowledge, five authentication goals and four secrecy goals. We briefly discuss the HLPSL code for role VI, shown in Figure 9.
At transition 1, VI begins the registration phase at state value 0 with the start message and updates the state to 1. VI sends the message {ID i, PW i, PE i, BE i} to TA through a closed channel and declares secret({IDi, PWi, Bi}, sp1, {VI}), which means that sp1 denotes the values {IDi, PWi, Bi} that are known only to VI. At transition 2, VI receives OBU i from TA and updates the state to 2. In state 2, VI generates a random number r i, sends the message {Auth 1, M 1, H ID i} to RSU j through an open channel, and declares witness(VI, TA, vi_ta_ri, Ri), which means that vi_ta_ri denotes a weak authentication factor used by VI to authenticate to TA. At transition 3, VI receives the message from RSU. After that, VI generates the session key SK, performs message confirmation and declares witness(VI, RSU, vi_rsu_sig, SK) and request(VI, TA, ta_vi_auth4, Rj). The function request(VI, TA, ta_vi_auth4, Rj) means that ta_vi_auth4 represents a strong authentication factor. The code of RSU and TA is similar to the code of VI.

Results of Verification
The verification results using the OFMC and CL-AtSe back-ends are shown in Figure 10. The two simulations check whether the protocol withstands man-in-the-middle and replay attacks. The CL-AtSe verification analyzes three states with a translation time of 0.11 s. The OFMC result shows that it visits 1040 nodes at a depth of 9 plies with a search time of 9.57 s. The summary section of both CL-AtSe and OFMC reports SAFE, so the proposed protocol resists replay and man-in-the-middle attacks.

Informal Analysis
In this section, we conduct an informal security analysis to show that the proposed protocol resists numerous attacks, such as OBU stolen, impersonation, session key disclosure, and off-line guessing attacks. Moreover, we show that the proposed protocol achieves privacy preservation and mutual authentication.

Vehicle Impersonation Attack
If an adversary A attempts to impersonate a vehicle v i, A must generate the messages {Auth 1, M 1, H ID i} and {σ i, M i, T 1}. However, A cannot extract a i, r i and MV i even if A extracts the values stored in the OBU, because a i, r i and MV i are masked with the random numbers b i and s i and the session key SK. Therefore, the proposed protocol resists impersonation attacks, because A cannot generate the correct messages.

Side Channel Attack over OBU
Based on our threat model, we assume that A can extract values from the OBU. Therefore, A can perform a side-channel attack on the OBU and extract {A i, VI i, AE i, BE i, VS i}. However, A cannot obtain any useful information without the identity, password, and secret random numbers, because all values stored in the OBU are masked with a one-way hash function or an XOR operation on a i, b i, and s i. Thus, A gains no advantage from a side-channel attack on the OBU.

Off-Line Guessing Attack
A cannot guess the identity or password, because b i = BE i ⊕ h(ID i ||PW i), a i = AE i ⊕ h(ID i ||PE i) and PE i = h(PW i ||b i) are masked with random numbers and the secret values ID i and PW i. To see whether a guessed identity and password are correct, A must also compute VS i and compare it with the stored VS i. For this, A can perform a side-channel attack on the OBU to obtain the stored values {A i, VI i, AE i, BE i, VS i}. However, to calculate VS i, A needs to know the secret random number s i and the secret parameter MV i. This makes guessing the identity or password computationally expensive. Therefore, the proposed protocol prevents off-line guessing attacks.

Man-in-the-Middle Attack and Replay Attack
The adversary $A$ can obtain the messages transmitted over the open channel and the parameters stored in the OBU according to the threat model. However, as shown above, $A$ cannot generate valid messages of the vehicle. Furthermore, $A$ also cannot generate the message of $RSU_j$, because $A$ does not know the secret random numbers $r_i$, $r_j$ and the secret parameter $RB_j$. Thus, $A$ cannot impersonate $v_i$ or $RSU_j$ by replaying intercepted messages, as all messages are refreshed with the random numbers $r_i$ and $r_j$. Therefore, the proposed protocol prevents man-in-the-middle and replay attacks.

Session Key Disclosure Attack
Even if $A$ has obtained the values mentioned above, $A$ cannot generate the session key $SK$. $SK$ is computed by the hash function over the secret random numbers $r_i$ and $r_j$. $A$ cannot extract these random numbers, because they are masked with the secret parameters $MV_i$ and $RB_j$, and $MV_i$ and $RB_j$ are in turn masked with random numbers. Therefore, $A$ cannot learn the session key $SK$.

Trace Attack and Privacy-Preserving
The vehicle $v_i$ does not send its real identity $ID_i$ over the open channel. Instead, the vehicle generates the pseudonym identity $HID_i = h(ID_i \| PW_i \| a_i)$, and $RSU_j$ uses $RA_j$ instead of its real identity $ID_{RSU_j}$. Moreover, as shown in the sections above, $A$ cannot impersonate legitimate vehicles and cannot generate a valid session key. Therefore, the proposed protocol provides privacy preservation. $v_i$ and $RSU_j$ then exchange information using the session key, without the pseudonym identities. Thus, the proposed protocol can prevent trace attacks.

$= Auth_4$. If they are valid, $v_i$, $RSU_j$, and TA successfully authenticate each other. The previous sections have shown that $A$ cannot generate valid messages. Furthermore, all of the transmitted messages are refreshed in every session with secret random numbers. Therefore, our proposed protocol ensures secure mutual authentication and achieves session key agreement.

Performance Analysis
In this section, we compare our proposed protocol with other related protocols for VANETs. We consider computation, communication costs, and security features.

Computation Cost
We show the comparison outcomes in Table 3. Our proposed protocol is lightweight compared to the other related protocols. Therefore, the proposed protocol is suitable for the vehicular cloud environment in VANETs.

Table 3. Computation cost of key generation and message confirmation phase.

For comparing the computation cost, we define the following notations: $T_{bp}$, $T_{bpsm}$, $T_{MPH}$, $T_h$, $T_{sem}$ and $T_{ea}$ denote the execution time of a bilinear mapping, a multiplication related to bilinear pairing, a map-to-point hash, a one-way hash, a small scale multiplication related to elliptic curve cryptography (ECC), and an addition related to ECC, respectively. We focus on the time overhead of authentication message generation and message verification. For a rough estimation, we use the existing results reported by [34]. The execution time of each operation is as follows.

Communication Cost and Storage Cost
We compare the communication cost overheads of the related protocols and the proposed protocol during the message confirmation phase in Table 4. We assume that the identity, the password, and a normal variable each need eight bytes, a time-stamp needs four bytes, an ECC encryption/decryption needs 32 bytes, a bilinear pairing needs 128 bytes, and a one-way hash needs 32 bytes [4]. As the comparison shows, the proposed protocol is the most efficient of the related protocols. The storage overhead is calculated as the total number of bytes required to store the required parameters in the OBU or TPD and in the RSU. The proposed protocol has a storage cost of 224 bytes, of which the OBU holds 160 bytes and the RSU holds 64 bytes. Although the total memory of our protocol is slightly higher than that of the other protocols, our protocol ensures security.

Table 4. Communication cost and storage cost.

Energy Consumption
Researchers need to consider the size and speed of the message being sent to the recipient, because data transmission takes place over Dedicated Short-Range Communication (DSRC), which for vehicle networks is defined at the physical layer by IEEE 802.11p. This IEEE standard operates at 10 MHz channel bandwidth, 5.8 GHz frequency, 25 dBm transmit power, and 6 Mbps data rate [35]. The energy consumption of the verification scheme is calculated from $E_{et}$ (for the execution time of key generation and message confirmation) and $E_{co}$ (for the communication cost of message confirmation), and it is measured in millijoules (mJ). For the execution time, $E_{et} = T_c \cdot C$, where $T_c$ is the total computation cost and $C$ is the CPU maximum power, which is 10.88 W for wireless communication networks [36]. For the communication cost, $E_{co} = (D_m \cdot C)/D_r$, where $D_m$ is the size of the message and $D_r$ is the data rate for vehicular communications (6000 Kbps). Referring to Table 5, the proposed protocol consumes the least energy.

Table 5. Energy consumption.

Propagation Delay
The propagation delay ($d_p = T_2 - T_1$) is determined by computing the difference between the timestamps of a message received ($T_2$) and transmitted ($T_1$). $d_p$ is expected to take some time interval, which can be stated as $d_{p(V2V)} = \frac{L \cdot h}{f}$ and $d_{p(V2I)} = \frac{L}{f_{RSU}}$ for messages of length $L$ (i.e., the communication cost) at transmitted data rate $f$ along with $h$ hops through which a message travels [37]. Thus, the propagation delay of our protocol is the lowest, because the communication cost of the proposed protocol is the lowest.
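The cost model used in the communication, energy and propagation delay comparisons above, as an added example that is not part of the paper: it applies the stated per-element byte sizes, $C$ = 10.88 W, $D_r$ = 6000 Kbps and the $E_{et}$, $E_{co}$ and $d_p$ formulas. The message layouts and the computation time passed in are constructed for illustration; the paper's own figures come from its Tables 4 and 5.

```python
"""Added example (not from the paper): a small cost model that applies the
paper's assumptions for communication, storage, energy and propagation delay.
The message layouts below are constructed for illustration only."""

# Byte sizes per element type, as assumed in the paper's comparison.
ELEMENT_BYTES = {"id": 8, "password": 8, "variable": 8, "timestamp": 4,
                 "ecc": 32, "pairing": 128, "hash": 32}
CPU_POWER_W = 10.88        # C: CPU maximum power used in the paper
DATA_RATE_KBPS = 6000      # D_r: DSRC data rate (6 Mbps)

# Constructed layouts: element types assumed for the vehicle's two messages
# {Auth_1, M_1, HID_i} and {sigma_i, M_i, T_1}; hash-sized except the timestamp.
VEHICLE_MESSAGES = [["hash", "hash", "hash"], ["hash", "hash", "timestamp"]]
# The OBU stores {A_i, VI_i, AE_i, BE_i, VS_i}; treating each as hash-sized
# reproduces the 160-byte OBU storage figure stated in the paper.
OBU_STORE = ["hash"] * 5


def total_bytes(elements):
    """Bytes for a flat list of element types (storage cost of one party)."""
    return sum(ELEMENT_BYTES[e] for e in elements)


def communication_cost(messages):
    """Total bytes over all messages of a phase (communication cost)."""
    return sum(total_bytes(m) for m in messages)


def energy_execution_mj(total_computation_ms):
    """E_et = T_c * C  (ms * W = mJ)."""
    return total_computation_ms * CPU_POWER_W


def energy_communication_mj(message_bytes):
    """E_co = (D_m * C) / D_r with D_m in bits and D_r in kbps (-> mJ)."""
    return message_bytes * 8 * CPU_POWER_W / DATA_RATE_KBPS


def propagation_delay_ms(message_bytes, rate_kbps, hops=1):
    """d_p(V2V) = L * h / f; with hops=1 this is d_p(V2I) = L / f_RSU."""
    return message_bytes * 8 * hops / rate_kbps


def cost_report(messages, total_computation_ms, hops=1):
    """Combine the metrics the paper compares for one protocol run."""
    length = communication_cost(messages)
    return {"bytes": length,
            "E_et_mJ": energy_execution_mj(total_computation_ms),
            "E_co_mJ": energy_communication_mj(length),
            "d_p_ms": propagation_delay_ms(length, DATA_RATE_KBPS, hops)}


if __name__ == "__main__":
    # 1.5 ms is a placeholder T_c; real values come from measurements as in [34]
    print(total_bytes(OBU_STORE), cost_report(VEHICLE_MESSAGES, 1.5, hops=3))
```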

Security Properties
In Table 6, we present the security comparison of the related protocols and our proposed protocol based on batch verification. The suggested protocol prevents more attacks than the related previous studies, and it also provides privacy preservation and mutual authentication. Therefore, our proposed protocol is significantly safer than the considered related protocols. The system consumes some energy during implementation, depending on the execution time and communication overhead of the system.

Conclusions
Vehicle systems have developed significantly and have recently helped people to drive more comfortably and safely. However, unsolved security problems and large quantities of traffic information have limited the use of vehicle systems. VCC with message confirmation is one of the solutions for reducing the storage burden of the OBU, and VCC makes it easy to use the vast amount of vehicle information. In addition, to protect the vehicle information, a key agreement and authentication process is also necessary to address malicious attacks, including communication security problems. Additionally, previous studies and the protocol of Limbasiya et al. are not safe for values stored in ideal or realistic TPDs. In this paper, we first showed that the protocol of Limbasiya et al. is not secure against session key disclosure and impersonation attacks because of information leaked from a TPD. Their protocol also does not provide user privacy or the mutual authentication property. Subsequently, we proposed a secure key agreement and authentication protocol for message confirmation in VCC. The proposed protocol withstands various attacks and provides user privacy and mutual authentication. We conducted a formal security analysis and a simulation to prove the security of the proposed protocol. Moreover, we compared the computation and communication costs and the security properties with those of other related protocols. Thus, our proposed protocol is lightweight and suitable for VCC environments. As future work, we will put effort into developing a better protocol by applying the developed protocol to a real environment.