Article

An Anonymous and Efficient Authentication Scheme with Conditional Privacy Preservation in Internet of Vehicles Networks

1 School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Republic of Korea
2 Electronics and Telecommunications Research Institute, Daejeon 34129, Republic of Korea
* Authors to whom correspondence should be addressed.
Mathematics 2024, 12(23), 3756; https://doi.org/10.3390/math12233756
Submission received: 21 October 2024 / Revised: 18 November 2024 / Accepted: 25 November 2024 / Published: 28 November 2024

Abstract

The Internet of Vehicles (IoV) is an emerging technology that enables vehicles to communicate with their surroundings, provide convenient services, and enhance transportation systems. However, IoV networks can be vulnerable to security attacks because vehicles communicate with other IoV components through an open wireless channel. The recent related work suggested a two-factor-based lightweight authentication scheme for IoV networks. Unfortunately, we prove that the related work cannot prevent various security attacks, such as insider and ephemeral secret leakage (ESL) attacks, and fails to ensure perfect forward secrecy. To address these security weaknesses, we propose an anonymous and efficient authentication scheme with conditional privacy-preserving capabilities in IoV networks. The proposed scheme can ensure robustness against various security attacks and provide essential security features. The proposed scheme ensures conditional privacy to revoke malicious behavior in IoV networks. Moreover, our scheme uses only one-way hash functions and XOR operations, which are low-cost cryptographic operations suitable for IoV. We also prove the security of our scheme using the “Burrows–Abadi–Needham (BAN) logic”, “Real-or-Random (ROR) model”, and “Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool”. We evaluate and compare the performance and security features of the proposed scheme with existing methods. Consequently, our scheme provides improved security and efficiency and is suitable for practical IoV networks.

1. Introduction

The Internet of Vehicles (IoV) is a technology that integrates vehicular ad hoc networks (VANETs) and the Internet of Things (IoT) [1]. In IoV networks, vehicles can communicate with other IoV components and access a lot of information over the Internet. Vehicles perform multiple tasks simultaneously, such as automated driving, multimedia services, traffic flow management, and battery management [2,3,4]. To handle these tasks, vehicles are equipped with on-board units (OBUs) that process large amounts of data in real time [5]. This enables vehicles to make intelligent decisions and enhance safety and efficiency in IoV systems. Vehicles equipped with OBUs generate and transmit traffic data to nearby roadside units (RSUs) [6], and RSUs transmit wireless information from vehicles and pedestrians to a central server. As the number of vehicles increases significantly, researchers have proposed that RSUs handle part of the data processing to reduce the load on the trusted authority (TA) [7,8,9]. This approach leverages the regional characteristics of IoV services and enhances efficiency because RSUs can process computational tasks at the network edge [10]. Thus, users can utilize advanced IoV services, including emergency vehicle preemption, intelligent traffic management systems, and multi-collision-avoidance assistance.
In IoV networks, wireless communication over an open channel is highly susceptible to various security threats [11]. Vehicles exchange sensitive information with RSUs, including the condition, location, travel route, and identity [12]. Thus, an adversary can guess an identity or password by capturing, modifying, and replaying messages. The data leakage can undermine IoV services, leading to significant security and privacy risks, including user impersonation and unauthorized tracking. Moreover, an adversary can attempt to perform various security attacks using these captured data, such as replay and man-in-the-middle (MitM) attacks. Therefore, vehicles and RSUs must authenticate each other to establish secure connections. Furthermore, the activities of malicious adversaries can disrupt normal communication and create network congestion by transmitting false information in IoV networks [13]. Thus, many researchers have proposed authentication schemes that revoke the adversary’s authority by applying conditional privacy [14,15].
In general, conditional privacy can be achieved using a public-key cryptosystem [16]. However, public-key cryptosystems may overload vehicles due to their constrained resources, such as limited memory, power, and communication capacity. A high computational load leads to communication delays that critically damage real-time responses. These delays can hinder the real-time exchange of information, which is critical for responding to emergencies and minimizing the risk of accidents. Moreover, mobility is an essential consideration in IoV environments. Due to their high speeds, vehicles should establish frequent and rapid connections with RSUs within short intervals. Therefore, it is essential to design an authentication scheme that accounts for the lightweight nature of IoV networks.
In 2024, Sibahee et al. [17] suggested a two-factor-based privacy-preserving scheme for efficient authentication in IoV using lightweight primitives such as hash and XOR operations. They demonstrated security robustness against various attacks, such as impersonation and privileged insider attacks. Unfortunately, we found that Sibahee et al.’s scheme [17] is vulnerable to ephemeral secret leakage (ESL) and insider attacks. Furthermore, their scheme fails to ensure perfect forward secrecy. To address these security weaknesses, we propose an anonymous and efficient authentication scheme with conditional privacy preservation in IoV networks. We adopt conditional privacy to preserve the quality of information by making it possible to exclude malicious vehicles. In the proposed scheme, the TA can trace the real identities of malicious vehicles from pseudo-identities. In addition, the proposed scheme incurs lower computational and communication costs compared with existing conditional privacy-preserving authentication (CPPA) schemes, as it uses only hash functions and XOR operations. Therefore, we demonstrate that our scheme is lightweight and practical, effectively addressing the privacy and security challenges in IoV networks.

1.1. Contributions

The following descriptions represent the main contributions of this research.
  • We have identified and demonstrated the security vulnerabilities in Sibahee et al.’s scheme [17], particularly its susceptibility to insider attacks and its failure to ensure perfect forward secrecy. To mitigate these weaknesses, we propose an enhanced scheme that effectively addresses security concerns.
  • The proposed scheme ensures essential security requirements and prevents various security attacks. Moreover, our scheme ensures conditional privacy, effectively countering malicious behavior while maintaining efficiency by utilizing only collision-resistant one-way hash functions and XOR operations.
  • Moreover, formal security analysis is conducted using “Burrows–Abadi–Needham (BAN) logic” [18], the “Real-or-Random (ROR) model” [19], and the “Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool” [20,21] to prove the security of the proposed scheme.
  • We perform a performance evaluation to analyze the communication cost, computational cost, energy consumption, and security properties of the proposed scheme in comparison with the related schemes.

1.2. Organization

The rest of this paper is organized as follows: Section 2 provides a review of related studies, and Section 3 introduces the preliminaries. Section 4 and Section 5 present an analysis of Sibahee et al.’s scheme [17] and a demonstration of its security flaws, respectively. We propose a lightweight and conditional privacy-preserving authentication scheme for IoV networks in Section 6. In Section 7, we conduct the informal and formal security analysis and demonstrate the security of our scheme. In Section 8, we evaluate the performance of our scheme compared with the existing schemes. Toward the end of this article, Section 9 concludes with a summary of our paper.

2. Related Works

IoV has become a complex network, and researchers have proposed comprehensive directions to address dynamic characteristics such as high mobility, interoperability, scalability, and reliability. Qureshi et al. [22] proposed an IoV network model to support major network requirements, such as connectivity for safety and user infotainment services. They explained that IoV networks have suffered from various security vulnerabilities because networks are extended to connect numerous vehicles and infrastructures. Taslimasa et al. [23] suggested applications of IoV with security aspects. They introduced the various security threats in IoV, such as modification, eavesdropping, impersonation, and denial of service (DoS) attacks. Sharma et al. [24] introduced security requirements and threats for IoV networks. To overcome the drawbacks of existing schemes, they emphasized the importance of authentication, data integrity, and real-time communication for secure IoV networks. However, in the existing secure authentication schemes for IoV networks, TA cannot effectively trace the real identity of a malicious vehicle from a pseudo-identity.
To address the security and privacy issues, many researchers have proposed secure authentication schemes with conditional privacy in IoV networks. A CPPA scheme implements an important function in which no entity except the TA can reveal the real identity of a vehicle. In the last decade, many mutual authentication schemes with conditional privacy have been proposed to secure vehicular environments. Xu et al. [25] designed a CPPA scheme in which the TA stores the tuples of the most recent successful session to resist desynchronization attacks. In their scheme, RSUs can authenticate with vehicles, which can reduce bottleneck problems and improve communication efficiency. However, Kumar et al. [26] argued that Xu et al.’s scheme [25] did not provide perfect forward secrecy or resistance against login verification, stolen verifier, privileged insider, and desynchronization attacks. Therefore, Kumar et al. [26] suggested a desynchronization-resistant CPPA scheme for VANETs that provides conditional privacy using a hash function and symmetric key cryptography. In their scheme, TA does not store secret parameters or compute shared keys using parameters received only from public channels. However, the existing CPPA schemes are still vulnerable to potential security threats, such as stolen verifier, privileged insider, desynchronization, and physical capture attacks, and lack security properties such as perfect forward secrecy. These impose additional security challenges, considering illegal involvement through public communication channels.
Thus, many researchers designed public-key cryptography-based robust authentication schemes to improve the security level of the previous CPPA schemes. Zhong et al. [27] designed a practical ID-based CPPA scheme that uses ECC operations to improve the security of VANETs. They also use the registration list to shorten the retrieval time of the revocation list, which helps to prevent an adversary from attempting further malicious attacks. Similarly, Cui et al. [28] proposed an ECC-based CPPA scheme for VANETs where a vehicle is kept anonymous from cloud service providers. Their scheme allows entities to register only once, reducing the storage burden of redundant registration information for vehicles. Moreover, a cloud broker can choose a cloud service provider (CSP) that can provide suitable services to vehicle users. Thus, vehicle users can easily access vehicular services and reduce dependence on a single CSP. They focused on increasing various services, which resulted in additional costs and overheads. Awais et al. [29] proposed a three-factor authentication protocol for fog-based VANETs using ECC. In their scheme, the fog node acts as an intermediary node to establish a session key among all entities. Their scheme applied fuzzy-verifier techniques that use unclonable properties of biometric information to resist password-guessing attacks. Kumar et al.’s scheme [30] also used ECC and ensured security properties, such as conditional privacy, untraceability, and anonymity. Their scheme provided fog-node-assisted real-time communications in VANETs. While these authentication schemes [27,28,29,30] enhance security for vehicles, most of their authentication processes rely on public-key cryptographic operations.
Since the public-key infrastructures are based on the complexity of mathematical computation, the excessive use of public-key cryptography can incur comparatively high computational and communication overheads in resource-constrained environments like IoV networks.
Due to performance requirements for IoV, many researchers have focused on the importance of lightweight properties for real-time communication of vehicles. They proposed authentication schemes that aim to use only low-cost cryptographic operations to efficiently validate the legitimacy of vehicles. Chen et al. [31] proposed an anonymous and lightweight authentication scheme based on smart card protocol for typical IoV authentication scenarios. Using hash and modular exponential operations, their scheme improved the existing scheme by addressing identified weaknesses. They demonstrated the robustness of their scheme compared with previous schemes in terms of security and performance. Chaudhry [32] presented an efficient authentication scheme for communication between vehicles and RSUs. Their scheme also builds on an existing scheme, improving security flaws and overloads. Their scheme focused on efficiency to lower communication and computational costs, using symmetric encryption, XOR operations, and hash functions. Most of the proposed lightweight schemes utilize various low-cost cryptographic operations, but they cannot provide some security properties and conditional privacy. Recently, Sibahee et al. [17] suggested a lightweight two-factor authentication scheme for secure communication between vehicles and RSUs. They argued that their scheme can resist various IoV attacks, such as MitM, impersonation, desynchronization, and message replay attacks. However, Sibahee et al.’s scheme is vulnerable to insider and ESL attacks and cannot provide perfect forward secrecy. To resolve these security flaws of Sibahee et al.’s scheme [17], we propose an anonymous and efficient authentication scheme with conditional privacy preservation in IoV networks. Table 1 presents the summary of related works [17,25,26,27,28,29,30,31,32].

3. Preliminaries

This section introduces an adversary model, security goals, and the system model of our scheme.

3.1. Adversary Model

The proposed scheme utilizes the Dolev–Yao (DY) [33] and Canetti–Krawczyk (CK) [34] adversary models, which are widely used to depict the capabilities of an adversary $\mathcal{A}$. Based on the DY model, $\mathcal{A}$ can eavesdrop on the exchanged messages through an open channel. $\mathcal{A}$ can save, modify, and distort the messages illegally without being detected. The CK model aims to define the severe capabilities of $\mathcal{A}$ for strong security. Under the CK model, $\mathcal{A}$ can control the communication between each entity and reveal secret information, such as a server’s master key and ephemeral random numbers generated in a session. Table 2 explains the adversary model classified into several attacker types [35], and the detailed assumptions are listed below:
  • $\mathcal{A}$ can register as a legal user of the system and obtain communication messages.
  • $\mathcal{A}$ can repudiate having sent or received messages and transmit fake messages to confuse the TA.
  • $\mathcal{A}$ can capture OBUs to retrieve all the authentication parameters stored in them [36].
  • $\mathcal{A}$ can disclose the long-term secret keys used in communication between IoV entities.
  • $\mathcal{A}$ can attempt various attacks including replay, offline password guessing, and privileged insider attacks [37].
Table 2. The description of $\mathcal{A}$ based on attacker types.

| Type | Description |
|---|---|
| Internal | $\mathcal{A}$ can access the network and interact with other entities as an authenticated user. |
| External | $\mathcal{A}$ can attack from outside the network, with limited capacity due to lack of internal access. |
| Malicious | $\mathcal{A}$ can use its abilities to pursue personal gain and disrupt the network’s functionality. |
| Active | $\mathcal{A}$ can inject malicious nodes into transmitted messages to gain unauthorized access. |

3.2. Security Goals

Security concerns in the IoV have significant implications for vehicles’ activities. To effectively counter the capabilities outlined in Section 3.1, our scheme should achieve security and performance requirements as follows:
  • Mutual Authentication: All messages and communicating entities must be authenticated before being trusted. It is crucial to verify the authenticity of communication sources from the authentication messages. The system should be capable of distinguishing between legitimate nodes and potentially malicious ones.
  • Data Integrity: The integrity of received data should be guaranteed, ensuring it remains unaltered in its original form. The system should be able to detect any tampering attempts to prevent unauthorized modifications during transmission.
  • Anonymity: The real identities of entities must be protected from the adversary who may intercept transmitted messages. This ensures that the adversary cannot trace the mobilities of vehicles or track their activities.
  • Conditional Privacy: All entities except for the TA should be unable to trace or extract the vehicle’s real identity from the exchanged messages. The TA can only track the vehicle’s real identity when malicious activity is detected.
  • Attack Resilience: To ensure enhanced privacy and security in IoV networks, the proposed scheme should be resilient against various security attacks, including offline password guessing, MitM, insider, ESL, forgery, and so on.
  • Low Overhead: Security protocols should not introduce significant delays in message transmission considering the real-time characteristics of the IoV. Therefore, security protocols for IoV networks should ensure low overhead to maintain real-time communication.

3.3. System Model

This section presents detailed descriptions of our system model. The proposed system model is composed of TA, RSUs, and vehicles, as shown in Figure 1, and the description of the entities is as follows:
  • TA: TA is a fully trusted authority responsible for system initialization, parameter generation, and registration management of other components within the IoV network. TA has sufficient storage and computational resources for the IoV networks. After vehicle registration, the TA securely stores the pseudo-identity $PID_i$ of the vehicle encrypted with a shared secret key $x$ and a master key $K_{TA}$. The TA can only retrieve the vehicle’s real identity from $PID_i$ if the vehicle is detected performing malicious activity.
  • RSU: Each RSU has a unique identity and interacts with the TA using its identity. RSUs are semi-trusted, that is, honest-but-curious entities: they perform their functions correctly but may collect received messages. RSUs have sufficient abilities to communicate with vehicles via wireless channels, enabling traffic-related information and facilitating mutual authentication processes. They are placed physically near vehicles and are in charge of real-time communication. Moreover, they keep the recent revocation list, which has been updated by the TA. If a malicious vehicle attempts to authenticate using a revoked $PID_i$, the RSU performs a revocation process. To enhance security and privacy, RSUs play a crucial role in ensuring conditional privacy by maintaining vehicle anonymity during the authentication process.
  • Vehicle: Vehicles collect useful information through sensors and interact with other components in IoV networks. Vehicles rely on OBUs to exchange messages with RSUs. OBUs facilitate wireless communication over an open channel but have limited computational resources.
Figure 1. System model of the proposed scheme.

4. Review of Sibahee et al.’s Scheme

In Sibahee et al.’s scheme [17], the TA communicates with vehicles indirectly, and a session key is shared among vehicles, RSUs, and the TA. Sibahee et al.’s authentication scheme is composed of two phases: a registration phase and a login and authentication phase. The notations of this paper are described in Table 3.

4.1. Registration Phase

In Sibahee et al.’s scheme [17], RSUs and vehicles must register their identities and share secret parameters with the TA. Section 4.1.1 and Section 4.1.2 describe the registration process of $V_i$ and $RSU_j$, respectively.

4.1.1. $V_i$ Registration

During this phase, $V_i$ and TA exchange their identity and registration parameters over a secure channel. Figure 2 shows the process of $V_i$ registration, and the following steps explain it in detail.
Step 1:
$V_i$ inputs $ID_i$ and $PW_i$. Then, $V_i$ chooses a random number $a$. Using these parameters, $V_i$, equipped with an OBU, computes security parameters $A_1 = h(ID_i \| PW_i \| a)$ and $A_2 = h(ID_i \| a)$. Through a secure channel, $V_i$ constructs and sends a request $Req = \{ID_i, a, A_1, A_2\}$ to the TA.
Step 2:
Upon receiving $Req$, the TA firstly checks whether the parameter $A_2 = h(ID_i \| a)$ exists in the TA’s repository. If $A_2$ is not in its repository, the TA stores $A_2$. Then, the TA computes $A_3 = h(ID_{TA} \| K_{TA} \| A_2) \oplus A_1$, $A_4 = h(A_2 \| K_{TA})$, and $A_5 = h(A_1 \| A_2 \| A_4)$, using its $ID_{TA}$ and $K_{TA}$. After that, the TA composes a registration request response $Res = \{A_3, A_4, A_5, ID_{TA}\}$ and sends it to $V_i$ over a secure channel.
Step 3:
When $V_i$ obtains $Res$, $V_i$ computes $B_1 = h(ID_i \| PW_i) \oplus a$. Finally, $V_i$ stores $\{A_3, A_4, A_5, B_1, ID_{TA}\}$ in OBU’s memory.
Figure 2. Vehicle registration phase of Sibahee et al.’s scheme [17].

4.1.2. $RSU_j$ Registration

$RSU_j$ must register in the TA to exchange information with vehicles. Figure 3 presents the RSU registration phase of Sibahee et al.’s scheme [17]. Detailed steps of the process are described as follows:
Step 1:
The TA chooses $ID_j$ for $RSU_j$ and selects $K_{TA}$ as its private parameter. Afterwards, the TA computes the shared secret key $K_{R_jTA} = h(ID_j \| K_{TA})$. The TA stores $\{ID_j\}$ in its secure database.
Step 2:
The TA deposits $\{ID_j, K_{R_jTA}\}$ in each $RSU_j$. Then, $RSU_j$ saves $\{ID_j, K_{R_jTA}\}$.
Figure 3. RSU registration phase of Sibahee et al.’s scheme [17].

4.2. Login and Authentication Phase

After the successful registration process, $V_i$ needs to complete mutual authentication with RSUs to establish the session key for secure communication. This phase is described in Figure 4, and the detailed descriptions are as follows:
Step 1:
$V_i$ inputs $ID_i$ and $PW_i$ and derives $a = B_1 \oplus h(ID_i \| PW_i)$, $A_1 = h(ID_i \| PW_i \| a)$, and $A_2 = h(ID_i \| a)$. $V_i$ computes $A_5^{*} = h(A_1 \| A_2 \| A_4)$ and checks whether $A_5^{*} \stackrel{?}{=} A_5$. If $A_5^{*}$ and $A_5$ are equal, $V_i$ generates a random nonce $r_1$ and a timestamp $T_1$. Otherwise, the login process is terminated. $V_i$ computes parameters $B_2 = A_3 \oplus A_1 = h(ID_{TA} \| K_{TA} \| A_2)$, $B_3 = B_2 \oplus r_1$, and $B_4 = h(ID_{TA} \| ID_j \| B_2 \| A_2 \| r_1 \| T_1)$. To connect with $RSU_j$, $V_i$ constructs the login message $LM = \{B_3, B_4, ID_{TA}, A_2, ID_j, T_1\}$ and sends $LM$ to the TA through a public channel.
Step 2:
After receiving $LM$ from $V_i$, the TA verifies the legitimacy of $ID_{TA}$. Then, the TA selects the current timestamp $T_2$ and checks if $T_1$ is valid, comparing $|T_2 - T_1|$ with the maximum value of the transfer waiting time $T_{Max}$. After the TA checks if $|T_2 - T_1| \le T_{Max}$, it derives $B_2 = h(ID_{TA} \| K_{TA} \| A_2)$ and $r_1 = B_2 \oplus B_3$. The TA derives the parameter $B_4^{*} = h(ID_{TA} \| ID_j \| B_2 \| A_2 \| r_1 \| T_1)$ and verifies $B_4^{*} \stackrel{?}{=} B_4$. If the verification is legitimate, the TA retrieves $ID_j$ from its database and generates a random nonce $r_2$. The TA generates a timestamp $T_3$ and computes $K_{R_jTA} = h(ID_j \| K_{TA})$, $B_5 = h(K_{R_jTA} \| ID_j \| ID_{TA}) \oplus r_1$, $C_1 = h(r_1) \oplus r_2$, and $C_2 = h(K_{R_jTA} \| r_1 \| r_2 \| T_3)$. At last, the authentication message $AUT_1 = \{ID_j, B_5, C_1, C_2, T_3\}$ is composed and sent to $RSU_j$.
Step 3:
$RSU_j$ receives $AUT_1$ and verifies the legitimacy of $ID_j$. Then, $RSU_j$ selects a timestamp $T_4$. On condition that $|T_4 - T_3| > T_{Max}$, this message fails to authenticate, and the session is terminated. Otherwise, $ID_j$ and $T_3$ are now successfully validated. $RSU_j$ derives $r_1 = B_5 \oplus h(K_{R_jTA} \| ID_j \| ID_{TA})$, $r_2 = C_1 \oplus h(r_1)$, and $C_2^{*} = h(K_{R_jTA} \| r_1 \| r_2 \| T_3)$ and checks $C_2^{*} \stackrel{?}{=} C_2$. If equality holds, $RSU_j$ generates a random nonce $r_3$ and computes $SK_R = h(r_1 \| r_2 \| r_3)$. After calculating $C_3 = h(K_{R_jTA} \| r_2) \oplus r_3$, $C_4 = ID_j \oplus h(r_3 \| C_3)$, and $C_5 = h(SK_R \| ID_j \| ID_{TA} \| r_3 \| T_4)$, $RSU_j$ constructs $AUT_2 = \{C_3, C_4, C_5, T_4\}$ and transmits it to the TA.
Step 4:
When TA receives $AUT_2$, the TA generates a timestamp $T_5$ and verifies the received timestamp $T_4$ by checking $|T_5 - T_4| \le T_{Max}$. The TA calculates $r_3 = C_3 \oplus h(K_{R_jTA} \| r_2)$, $ID_j = C_4 \oplus h(r_3 \| C_3)$, and verifies if there is $ID_j$ in its repository. If it is not, the session is terminated. Afterward, it computes $C_5^{*} = h(SK_R \| ID_j \| ID_{TA} \| r_3 \| T_4)$ and verifies $C_5^{*} \stackrel{?}{=} C_5$. Then, the TA computes session key $SK_T = h(r_1 \| r_2 \| r_3)$ and parameters $D_1 = h(r_1 \| A_2) \oplus r_2$, $D_2 = h(r_1 \| r_2) \oplus r_3$, $D_3 = h(SK_T \| A_2 \| r_2 \| r_3 \| T_5)$. They are used to compose $AUT_3 = \{D_1, D_2, D_3, T_5\}$ and the TA sends it to $V_i$.
Step 5:
Upon receiving $AUT_3$, $V_i$ selects a current timestamp $T_6$ to verify the freshness of $T_5$. $V_i$ calculates $r_2 = D_1 \oplus h(r_1 \| A_2)$, $r_3 = D_2 \oplus h(r_1 \| r_2)$, $SK_V = h(r_1 \| r_2 \| r_3)$, and $D_3^{*} = h(SK_V \| A_2 \| r_2 \| r_3 \| T_5)$. On condition that $D_3^{*} = D_3$, $V_i$ successfully establishes the session key as $SK_V = SK_T = SK_R$.
Figure 4. Login and authentication phase of Sibahee et al.’s scheme [17].

5. Security Analysis of Sibahee et al.’s Scheme [17]

In this section, we demonstrate that Sibahee et al.’s scheme [17] cannot prevent insider and ESL attacks. Concurrently, their scheme does not provide perfect forward secrecy.

5.1. Insider Attack

Assume $\mathcal{A}$ registers successfully as a legal user with the TA. Then, $\mathcal{A}$ can obtain authentication information by legitimate communications with RSUs and the TA. With these parameters, $\mathcal{A}$ can calculate other vehicles’ session keys. The detailed steps are below.
Step 1:
$\mathcal{A}$ can process the login and authentication phase. $\mathcal{A}$ inserts the identity $ID_{\mathcal{A}}$ and the password $PW_{\mathcal{A}}$ of $\mathcal{A}$. After completing the login phase, $\mathcal{A}$ sends a login request message $LM_{\mathcal{A}}$ to the TA. Upon receiving $LM_{\mathcal{A}}$, the TA and RSU proceed with the authentication phase, and the TA sends message $AUT_3^{\mathcal{A}}$ to $\mathcal{A}$.
Step 2:
Then, $\mathcal{A}$ captures message $AUT_1^{\mathcal{A}} = \{ID_j, B_5, C_1, C_2, T_3\}$ during the login and authentication phase. Finally, $\mathcal{A}$ computes the parameter $h(K_{R_jTA} \| ID_j \| ID_{TA}) = B_5 \oplus r_2^{\mathcal{A}}$, where $r_2^{\mathcal{A}}$ is a random nonce that $\mathcal{A}$ has already known and used for login. The parameter is always used between the TA and the RSU during the authentication process.
Step 3:
After getting $h(K_{R_jTA} \| ID_j \| ID_{TA})$, $\mathcal{A}$ eavesdrops on messages $LM$, $AUT_1$, $AUT_2$, and $AUT_3$ exchanged by other legitimate vehicles via a public channel. Then, $\mathcal{A}$ computes $r_1 = B_5 \oplus h(K_{R_jTA} \| ID_j \| ID_{TA})$ from the message $AUT_1 = \{ID_j, B_5, C_1, C_2, T_3\}$. Using the obtained $r_1$, $\mathcal{A}$ can compute $r_2 = C_1 \oplus h(r_1)$.
Step 4:
Now, $\mathcal{A}$ obtains $r_1$ and $r_2$. Using parameter $D_2$ in $AUT_3$, $\mathcal{A}$ can compute $r_3 = D_2 \oplus h(r_1 \| r_2)$. Finally, $\mathcal{A}$ can calculate $SK = h(r_1 \| r_2 \| r_3)$.
Therefore, Sibahee et al.’s scheme [17] does not prevent insider attacks.

5.2. ESL Attack

In Sibahee et al.’s scheme, $SK$ consists of only random nonces. If all random nonces are leaked, $\mathcal{A}$ can directly calculate $SK$. Details are as follows:
Step 1:
$\mathcal{A}$ intercepts messages $LM = \{B_3, B_4, ID_{TA}, A_2, ID_j, T_1\}$ and $AUT_3 = \{D_1, D_2, D_3, T_5\}$.
Step 2:
After getting parameters $A_2$, $D_1$, and $D_2$, $\mathcal{A}$ computes $r_2 = D_1 \oplus h(r_1 \| A_2)$ and $r_3 = D_2 \oplus h(r_1 \| r_2)$. Then, $\mathcal{A}$ has $r_1$, $r_2$, and $r_3$ to calculate $SK = h(r_1 \| r_2 \| r_3)$.
Consequently, Sibahee et al.’s scheme [17] does not resist ESL attacks.

5.3. Perfect Forward Secrecy

If $\mathcal{A}$ obtains the long-term secret key $K_{TA}$ of the TA, the session keys can be disclosed. The following steps show the details:
Step 1:
If $\mathcal{A}$ obtains the master key $K_{TA}$, $\mathcal{A}$ can compute $K_{R_jTA} = h(ID_j \| K_{TA})$ by utilizing the login message $LM = \{B_3, B_4, ID_{TA}, A_2, ID_j, T_1\}$.
Step 2:
By intercepting the authentication message $AUT_1 = \{ID_j, B_5, C_1, C_2, T_3\}$, $\mathcal{A}$ can compute $r_1 = B_5 \oplus h(K_{R_jTA} \| ID_j \| ID_{TA})$ and $r_2 = C_1 \oplus h(r_1)$.
Step 3:
After $\mathcal{A}$ obtains the message $AUT_2 = \{C_3, C_4, C_5, T_4\}$, $\mathcal{A}$ can compute $r_3 = C_3 \oplus h(K_{R_jTA} \| r_2)$ and $SK = h(r_1 \| r_2 \| r_3)$.
Thus, Sibahee et al.’s scheme does not ensure perfect forward secrecy.
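The derivations in Sections 5.2 and 5.3 can be checked mechanically. The following Python sketch is an added example, not code from the paper or from Sibahee et al.: it replays one honest session of the scheme reviewed in Section 4.2 and confirms that the session key is fully determined by the public transcript plus either $K_{TA}$ or $r_1$. SHA-256 as $h$, length-prefixed concatenation, 32-byte nonces, the placeholder timestamps and identities, and all function names are assumptions; $C_4$ is left out because key derivation does not use it.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(p1 || p2 || ...) as SHA-256 over length-prefixed parts (assumed instantiation)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def run_session(k_ta: bytes, id_ta: bytes, id_j: bytes, a2: bytes):
    """Honest login/authentication run (Section 4.2).

    Returns (public transcript, session key, vehicle nonce r1)."""
    k_rj = h(id_j, k_ta)                              # K_RjTA = h(ID_j || K_TA)
    r1, r2, r3 = (secrets.token_bytes(32) for _ in range(3))
    t1, t3, t4, t5 = b"T1", b"T3", b"T4", b"T5"       # constructed timestamps
    b2 = h(id_ta, k_ta, a2)                           # B2 = A3 xor A1 on the vehicle
    lm = {"B3": xor(b2, r1), "B4": h(id_ta, id_j, b2, a2, r1, t1),
          "ID_TA": id_ta, "A2": a2, "ID_j": id_j, "T1": t1}
    aut1 = {"ID_j": id_j, "B5": xor(h(k_rj, id_j, id_ta), r1),
            "C1": xor(h(r1), r2), "C2": h(k_rj, r1, r2, t3), "T3": t3}
    sk = h(r1, r2, r3)                                # SK_R = SK_T = SK_V
    aut2 = {"C3": xor(h(k_rj, r2), r3),
            "C5": h(sk, id_j, id_ta, r3, t4), "T4": t4}
    aut3 = {"D1": xor(h(r1, a2), r2), "D2": xor(h(r1, r2), r3),
            "D3": h(sk, a2, r2, r3, t5), "T5": t5}
    return {"LM": lm, "AUT1": aut1, "AUT2": aut2, "AUT3": aut3}, sk, r1


def _confirm(tr: dict, r1: bytes, r2: bytes, r3: bytes):
    """Return SK only if it reproduces D3, the confirmation value carried in AUT3."""
    sk = h(r1, r2, r3)
    aut3 = tr["AUT3"]
    ok = h(sk, tr["LM"]["A2"], r2, r3, aut3["T5"]) == aut3["D3"]
    return sk if ok else None


def sk_from_master_key(tr: dict, k_ta: bytes):
    """Section 5.3: a disclosed K_TA plus a recorded transcript gives the past SK."""
    lm, aut1, aut2 = tr["LM"], tr["AUT1"], tr["AUT2"]
    k_rj = h(lm["ID_j"], k_ta)
    r1 = xor(aut1["B5"], h(k_rj, lm["ID_j"], lm["ID_TA"]))
    r2 = xor(aut1["C1"], h(r1))
    r3 = xor(aut2["C3"], h(k_rj, r2))
    return _confirm(tr, r1, r2, r3)


def sk_from_leaked_r1(tr: dict, r1: bytes):
    """Section 5.2: a disclosed r1 plus LM and AUT3 gives SK."""
    a2 = tr["LM"]["A2"]
    r2 = xor(tr["AUT3"]["D1"], h(r1, a2))
    r3 = xor(tr["AUT3"]["D2"], h(r1, r2))
    return _confirm(tr, r1, r2, r3)


if __name__ == "__main__":
    k_ta = secrets.token_bytes(32)
    a2 = h(b"VEH-1234", b"constructed-a")             # constructed A2 = h(ID_i || a)
    tr, sk, r1 = run_session(k_ta, b"TA-01", b"RSU-07", a2)
    print("SK recoverable after K_TA disclosure:", sk_from_master_key(tr, k_ta) == sk)
    print("SK recoverable after r1 disclosure:  ", sk_from_leaked_r1(tr, r1) == sk)
```

Because $D_3$ is a hash over $SK$ and values derivable from the transcript, it doubles as a verifier for any candidate key, which is why both functions can return `None` on a wrong input instead of an unverified guess.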

6. Proposed Scheme

To resolve the security weakness of Sibahee et al.’s scheme [17], we propose an improved authentication scheme. The proposed scheme comprises three phases: vehicle and RSU registration, login and authentication, and revocation phases.

6.1. Registration Phase

Before the actual deployment in IoV networks, vehicles or RSUs must acquire legitimate credentials. Through a secure channel, they send their real identities to the TA, and the TA shares secret parameters for authentication. As shown in Figure 5 and Figure 6, we present detailed descriptions of the registration phase for vehicles and RSUs.

6.1.1. $V_i$ Registration

To authenticate with an RSU, $V_i$ has to be registered at TA. The TA generates $PID_i$ for $V_i$ and stores it instead of $ID_i$ for anonymity.
Step 1:
$V_i$ inputs $ID_i$ and $PW_i$. After that, $V_i$ sends $\{ID_i\}$ to the TA over a secure channel.
Step 2:
The TA receives $\{ID_i\}$ and then generates random numbers $a$ and $x$. Using the received registration request $\{ID_i\}$, the TA derives parameters $HID_i = ID_i \oplus h(K_{TA} \| ID_{TA})$, $PID_i = HID_i \oplus x$, $X_i = h(HID_i \| ID_{TA} \| K_{TA})$, and $S_x = x \oplus h(PID_i \| K_{TA})$. Then, the TA stores $\{S_x\}$ with $PID_i$ in its secure database and sends the message $\{PID_i, X_i, x, a\}$ to $V_i$.
Step 3:
Upon receiving the message, $V_i$ computes $HID_i = PID_i \oplus x$, $A_i = (x \| X_i) \oplus h(PW_i \| ID_i \| a)$, $C_i = h(ID_i \| A_i) \oplus a$, and $VL_i = h(PW_i \| HID_i \| X_i)$. Finally, $V_i$ stores $\{PID_i, VL_i, A_i, C_i\}$ in OBU’s memory and discards the rest of the values.
Figure 5. Vehicle registration phase of the proposed scheme.

6.1.2. $RSU_j$ Registration

$RSU_j$ sends its $ID_j$ and shares a secret parameter $K_{R_jTA}$ for secure communication.
Step 1: $RSU_j$ selects $ID_j$ and transmits $\{ID_j\}$ to the TA via a secure channel.
Step 2: The TA receives $\{ID_j\}$, then generates a random number $k_r$ and derives $K_{R_jTA} = h(k_r \| ID_{TA} \| K_{TA})$. Afterward, the TA stores $\{k_r\}$ with $ID_j$ in its database and sends the message $\{K_{R_jTA}\}$ to $RSU_j$.
Step 3: At last, $RSU_j$ receives and stores $\{K_{R_jTA}\}$ in its repository.
Figure 6. RSU registration phase of the proposed scheme.

6.2. Login and Authentication Phase

$V_i$ has to complete the login phase before proceeding to the authentication phase. After the successful login, $V_i$ can authenticate mutually and establish a session key with $RSU_j$ through the assistance of the TA. This phase, shown in Figure 7, proceeds as follows:
Step 1: $V_i$ inputs $ID_i$ and $PW_i$ into the OBU of $V_i$. Next, $V_i$ computes the login parameters $a = C_i \oplus h(ID_i \| A_i)$, $(x \| X_i) = A_i \oplus h(PW_i \| ID_i \| a)$, and $HID_i = PID_i \oplus x$. With these parameters, $V_i$ confirms whether $VL_i \stackrel{?}{=} h(PW_i \| HID_i \| X_i)$. If they are unequal, the login process is terminated. Otherwise, $V_i$ is ready to authenticate with RSUs. $V_i$ generates a random nonce $r_1$ and obtains a timestamp $T_V$. $V_i$ computes $M_1 = r_1 \oplus h(X_i \| x \| T_V)$ and $V_1 = h(PID_i \| r_1 \| X_i \| T_V)$. After that, the message $\{PID_i, M_1, V_1, T_V\}$ is composed and sent to $RSU_j$ for mutual authentication.
Step 2: Upon receiving the message $\{PID_i, M_1, V_1, T_V\}$ from $V_i$, $RSU_j$ checks the revocation list with $PID_i$. Then, $RSU_j$ generates a timestamp $T_R$ and checks the freshness of $T_V$. $RSU_j$ calculates $V_2 = h(V_1 \| M_1 \| ID_j \| K_{R_jTA} \| T_R)$. With the received messages, $RSU_j$ sends $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$ to the TA.
Step 3: The TA checks the validity of timestamp $T_R$ and retrieves $S_x$ and $k_r$ using $PID_i$ and $ID_j$, respectively. Then, the TA derives $x = S_x \oplus h(PID_i \| K_{TA})$, $HID_i = PID_i \oplus x$, $X_i = h(HID_i \| K_{TA})$, and $K_{R_jTA} = h(k_r \| ID_{TA} \| K_{TA})$. After that, the TA computes $r_1 = M_1 \oplus h(X_i \| x \| T_V)$, $V_1 = h(PID_i \| r_1 \| X_i \| T_V)$, and $V_2 = h(V_1 \| M_1 \| ID_j \| K_{R_jTA} \| T_R)$, and verifies that this computed $V_2$ equals the received $V_2$. If they are not equal, the authentication phase is terminated. Otherwise, the TA selects a random nonce $r_2$ and timestamp $T_{TA}$. The TA calculates $M_2 = (r_2 \| r_1 \oplus x) \oplus h(ID_j \| K_{R_jTA} \| T_{TA})$, $V_R = h(r_2 \| ID_j \| K_{R_jTA} \| T_{TA})$, and $V_V = h(r_2 \| X_i \| r_1 \| T_{TA})$. Finally, the TA sends $\{M_2, V_R, V_V, T_{TA}\}$ to $RSU_j$.
Step 4: Upon receiving the message, $RSU_j$ checks the freshness of timestamp $T_{TA}$. If it is not fresh, the session is terminated. Otherwise, $RSU_j$ derives $(r_2 \| r_1 \oplus x) = M_2 \oplus h(ID_j \| K_{R_jTA} \| T_{TA})$, computes $V_R = h(r_2 \| ID_j \| K_{R_jTA} \| T_{TA})$, and checks that it equals the received $V_R$. If so, $RSU_j$ generates a random nonce $r_3$ and selects a timestamp $T_{RR}$. $RSU_j$ calculates $M_3 = (r_2 \| r_3) \oplus h(r_1 \oplus x)$, the session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$, and $V_3 = h(V_V \| SK \| r_3 \| T_{RR})$. Then, $RSU_j$ sends $\{M_3, V_3, T_{TA}, T_{RR}\}$ to $V_i$ over a public channel.
Step 5: Upon getting the message, $V_i$ checks the timestamp $T_{RR}$. $V_i$ computes $(r_2 \| r_3) = M_3 \oplus h(r_1 \oplus x)$, the session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$, and $V_V = h(r_2 \| X_i \| r_1 \| T_{TA})$. $V_i$ then computes $V_3 = h(V_V \| SK \| r_3 \| T_{RR})$ and checks that it equals the received $V_3$. If the two values match, $V_i$ completes the authentication and establishes $SK$ with $RSU_j$.
Step 6: When authentication is achieved successfully, $V_i$ and the TA update their parameters. $V_i$ computes $PID_i^{new} = PID_i \oplus h(r_1 \| HID_i)$, $A_i^{new} = (x \oplus h(r_1 \| HID_i) \| X_i) \oplus h(PW_i \| ID_i \| a)$, and $C_i^{new} = a \oplus h(ID_i \| A_i^{new})$, and updates $\{PID_i, A_i, C_i\}$ to $\{PID_i^{new}, A_i^{new}, C_i^{new}\}$. On the other side, the TA computes $PID_i^{new} = PID_i \oplus h(r_1 \| HID_i)$ and $S_x^{new} = x \oplus h(PID_i^{new} \| K_{TA}) \oplus h(r_1 \| HID_i)$, and updates $\{PID_i, S_x\}$ to $\{PID_i^{new}, S_x^{new}\}$.
Figure 7. Login and authentication phase of the proposed scheme.
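The registration phase and Steps 1 to 5 of the login and authentication phase can be run end to end. The following Python code is an added example, not the authors' implementation: it assumes SHAKE-256 over length-prefixed fields as $h(\cdot)$ (with a longer output where a two-field value is masked), 32-byte fields, fixed timestamp labels without freshness checks, and the registration form of $X_i$ in both phases; all class and method names are hypothetical.

```python
import hashlib
import secrets

N = 32  # assumed byte width of nonces, hash outputs and the identity field

def h(*parts, n=N):
    """h(p1 || p2 || ...): SHAKE-256 over length-prefixed parts, n bytes out."""
    m = hashlib.shake_256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest(n)

def xor(a, b):
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(i ^ j for i, j in zip(a, b))

def pad(name):
    return name.encode().ljust(N, b"\0")  # fixed width so ID_i can be masked

class TA:
    def __init__(self):
        self.k_ta, self.id_ta = secrets.token_bytes(N), pad("TA")
        self.sx, self.kr = {}, {}  # PID_i -> S_x and ID_j -> k_r

    def register_vehicle(self, id_i):  # Section 6.1.1, Step 2
        a, x = secrets.token_bytes(N), secrets.token_bytes(N)
        hid = xor(id_i, h(self.k_ta, self.id_ta))
        pid = xor(hid, x)
        self.sx[pid] = xor(x, h(pid, self.k_ta))
        return pid, h(hid, self.id_ta, self.k_ta), x, a

    def register_rsu(self, id_j):  # Section 6.1.2, Step 2
        self.kr[id_j] = secrets.token_bytes(N)
        return h(self.kr[id_j], self.id_ta, self.k_ta)

    def authenticate(self, pid, id_j, m1, v2, t_v, t_r):  # Section 6.2, Step 3
        x = xor(self.sx[pid], h(pid, self.k_ta))
        # X_i in its registration form; the page also writes h(HID_i || K_TA).
        xi = h(xor(pid, x), self.id_ta, self.k_ta)
        k = h(self.kr[id_j], self.id_ta, self.k_ta)
        r1 = xor(m1, h(xi, x, t_v))
        if h(h(pid, r1, xi, t_v), m1, id_j, k, t_r) != v2:
            raise ValueError("V2 mismatch")
        r2, t_ta = secrets.token_bytes(N), b"T_TA"
        m2 = xor(r2 + xor(r1, x), h(id_j, k, t_ta, n=2 * N))
        return m2, h(r2, id_j, k, t_ta), h(r2, xi, r1, t_ta), t_ta

class RSU:
    def __init__(self, name, ta):
        self.id_j, self.ta, self.sk = pad(name), ta, None
        self.k = ta.register_rsu(self.id_j)

    def relay(self, pid, m1, v1, t_v):  # Section 6.2, Steps 2 and 4
        t_r, t_rr = b"T_R", b"T_RR"
        v2 = h(v1, m1, self.id_j, self.k, t_r)
        m2, v_r, v_v, t_ta = self.ta.authenticate(pid, self.id_j, m1, v2, t_v, t_r)
        plain = xor(m2, h(self.id_j, self.k, t_ta, n=2 * N))
        r2, r1x = plain[:N], plain[N:]
        if h(r2, self.id_j, self.k, t_ta) != v_r:
            raise ValueError("V_R mismatch")
        r3 = secrets.token_bytes(N)
        self.sk = h(r2, r3, r1x)
        return xor(r2 + r3, h(r1x, n=2 * N)), h(v_v, self.sk, r3, t_rr), t_ta, t_rr

class Vehicle:
    def __init__(self, name, pw, ta):  # Section 6.1.1, Steps 1 and 3
        id_i, pw = pad(name), pw.encode()
        self.pid, xi, x, a = ta.register_vehicle(id_i)
        self.a_i = xor(x + xi, h(pw, id_i, a, n=2 * N))
        self.c_i = xor(h(id_i, self.a_i), a)
        self.vl = h(pw, xor(self.pid, x), xi)

    def authenticate(self, name, pw, rsu):  # Section 6.2, Steps 1 and 5
        id_i, pw = pad(name), pw.encode()
        a = xor(self.c_i, h(id_i, self.a_i))
        plain = xor(self.a_i, h(pw, id_i, a, n=2 * N))
        x, xi = plain[:N], plain[N:]
        if h(pw, xor(self.pid, x), xi) != self.vl:
            raise ValueError("login rejected")
        r1, t_v = secrets.token_bytes(N), b"T_V"
        m1, v1 = xor(r1, h(xi, x, t_v)), h(self.pid, r1, xi, t_v)
        m3, v3, t_ta, t_rr = rsu.relay(self.pid, m1, v1, t_v)
        plain = xor(m3, h(xor(r1, x), n=2 * N))
        r2, r3 = plain[:N], plain[N:]
        sk = h(r2, r3, xor(r1, x))
        if h(h(r2, xi, r1, t_ta), sk, r3, t_rr) != v3:
            raise ValueError("V3 mismatch")
        return sk
```

After `Vehicle(...).authenticate(name, pw, rsu)` returns, the value equals `rsu.sk`; a wrong identity or password stops at the local $VL_i$ check, and a request with random $M_1$ and $V_1$ is rejected by the TA at the $V_2$ check.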

6.3. Revocation Phase

The TA can disclose the real identities of malicious vehicles and trace them. When a malicious vehicle is detected, an RSU sends its pseudo-identity to TA. TA adds this pseudonym and identity to the revocation list and notifies all RSUs about the update. The following steps and Figure 8 detail the revocation process of a malicious vehicle:
Step 1: Once an RSU reports a $PID_i$ used by a misbehaving vehicle, the TA receives it and traces the real $ID_i$ from $PID_i$.
Step 2: The TA retrieves $S_x$ from $PID_i$. Then the TA derives $x = S_x \oplus h(PID_i \| K_{TA})$ and $HID_i = PID_i \oplus x$. Using these parameters, the TA computes $ID_i = HID_i \oplus h(K_{TA} \| ID_{TA})$ and can acquire the real identity.
Step 3: After that, the malicious vehicle’s real $ID_i$ and $PID_i$ are added to the revocation list, and the updated list is sent to all RSUs.
Figure 8. Revocation phase of the proposed scheme.
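Step 6 of Section 6.2 and the revocation steps above interact: the pseudonym changes after every session, yet the TA must still map the current $PID_i$ back to $ID_i$. The following Python code is an added example, not the authors' code; SHA-256 as $h(\cdot)$, 32-byte fields, and all function names are assumptions. It runs the update on both sides, traces the identity from the latest pseudonym, and shows that a pseudonym rotated by the OBU alone is unknown to the TA.

```python
import hashlib
import secrets

N = 32  # assumed byte width of identities, nonces and hash outputs

def h(*parts):
    """h(p1 || p2 || ...), modelled as SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a, b):
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(i ^ j for i, j in zip(a, b))

class TA:
    def __init__(self):
        self.k_ta, self.id_ta = secrets.token_bytes(N), b"TA"
        self.db = {}       # PID_i -> S_x, the TA's secure database
        self.revoked = {}  # PID_i -> ID_i, the list sent to all RSUs

    def register(self, name):
        """Section 6.1.1, Step 2; returns the OBU-side values (PID_i, x)."""
        id_i = name.encode().ljust(N, b"\0")
        x = secrets.token_bytes(N)
        pid = xor(xor(id_i, h(self.k_ta, self.id_ta)), x)
        self.db[pid] = xor(x, h(pid, self.k_ta))
        return pid, x

    def _open(self, pid):
        x = xor(self.db[pid], h(pid, self.k_ta))
        return x, xor(pid, x)  # (x, HID_i)

    def rotate(self, pid, r1):
        """Section 6.2, Step 6, TA side: replace (PID_i, S_x)."""
        x, hid = self._open(pid)
        d = h(r1, hid)
        new_pid = xor(pid, d)
        del self.db[pid]
        self.db[new_pid] = xor(xor(x, h(new_pid, self.k_ta)), d)

    def revoke(self, pid):
        """Section 6.3: recover ID_i from PID_i and list both as revoked."""
        _, hid = self._open(pid)
        id_i = xor(hid, h(self.k_ta, self.id_ta)).rstrip(b"\0").decode()
        self.revoked[pid] = id_i
        return id_i

def obu_rotate(pid, x, r1):
    """Section 6.2, Step 6, vehicle side: returns (PID_new, x_new)."""
    d = h(r1, xor(pid, x))  # HID_i = PID_i xor x
    return xor(pid, d), xor(x, d)

def simulate(sessions=3):
    ta = TA()
    pid, x = ta.register("VEH-0042")  # constructed identity
    seen = [pid]
    for _ in range(sessions):
        r1 = secrets.token_bytes(N)  # nonce both sides hold after Step 3
        ta.rotate(pid, r1)
        pid, x = obu_rotate(pid, x, r1)
        seen.append(pid)
    traced = ta.revoke(pid)
    # Failure mode: the OBU rotates for a session the TA never completed.
    stale_pid, _ = obu_rotate(pid, x, secrets.token_bytes(N))
    return seen, traced, stale_pid in ta.db, ta
```

The last returned flag is `False`, which is why both sides apply Step 6 only after a completed authentication run.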

7. Security Analysis

We analyze the security of the proposed scheme through an informal security analysis, BAN logic, the ROR model, and the AVISPA simulation tool. Specific details regarding the proof process for each analysis are elaborated in the sections below.

7.1. Informal Security Analysis

We perform an informal analysis to demonstrate that our scheme can prevent various attacks, such as insider, OBU captured, privileged insider, offline password guessing, vehicle impersonation, ESL, MitM, forgery, desynchronization, and replay attacks. Additionally, we show that our scheme provides anonymity, conditional privacy, mutual authentication, and perfect forward secrecy.

7.1.1. Insider Attack

If an adversary $\mathcal{A}$ is a legitimate insider, $\mathcal{A}$ can authenticate RSUs and the TA. In Sibahee et al.’s scheme, an RSU communicates with the TA using the constant parameter $h(K_{R_jTA} \| ID_j \| ID_{TA})$. However, our scheme uses the timestamps $T_V$, $T_R$, $T_{TA}$, and $T_{RR}$ with the parameters so that they change with each session. This approach protects each session individually and prevents $\mathcal{A}$ from computing the secret parameter.

7.1.2. OBU Captured Attack

According to Section 3.1, $\mathcal{A}$ can capture an OBU of the legitimate vehicle $V_i$ and obtain the parameters $\{PID_i, VL_i, A_i, C_i\}$ from the OBU’s memory. However, without knowing the vehicle’s $ID_i$ and $PW_i$, $\mathcal{A}$ cannot calculate the secret parameter $X_i$, which is shared between $V_i$ and the TA. Therefore, our scheme is secure against OBU captured attacks.

7.1.3. Privileged Insider Attack

If $\mathcal{A}$ is a privileged insider and intercepts the legal vehicle’s registration message $\{ID_i\}$, the next goal of $\mathcal{A}$ is to compute a session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$. To derive $r_2$ and $r_3$, $\mathcal{A}$ needs to know the secret parameter $X_i$, which is shared with the TA. $\mathcal{A}$ cannot compute $(x \| X_i) = A_i \oplus h(PW_i \| ID_i \| a)$ without correctly guessing both $ID_i$ and $PW_i$. Consequently, the proposed scheme can defend against privileged insider attacks.

7.1.4. Offline Password Guessing Attack

We assume that $\mathcal{A}$ can extract the stored parameters $\{PID_i, VL_i, A_i, C_i\}$ from $V_i$. In the proposed scheme, the password $PW_i$ is only used in the parameters $A_i = h(x \| X_i) \oplus h(PW_i \| ID_i \| a)$ and $VL_i = h(PW_i \| HID_i \| X_i)$ and is encrypted by a hash function. Since $\mathcal{A}$ must correctly obtain both $ID_i$ and $a$, $\mathcal{A}$ cannot guess $PW_i$.

7.1.5. Identity-Guessing Attack

According to Section 6.1, the real identity $ID_i$ is only known to $V_i$ and the TA. After receiving $ID_i$, the TA derives $HID_i = ID_i \oplus h(K_{TA} \| ID_{TA})$, where $K_{TA}$ and $ID_{TA}$ are the secret parameters that only the TA knows. During the login and authentication phases, the exchanged messages never directly include $ID_i$. Here, $a = C_i \oplus h(ID_i \| A_i)$, $(x \| X_i) = A_i \oplus h(PW_i \| ID_i \| a)$, $HID_i = PID_i \oplus x$, and $VL_i = h(PW_i \| HID_i \| X_i)$. For reasons similar to those in Section 7.1.4, the proposed scheme resists identity-guessing attacks.

7.1.6. Vehicle Impersonation Attack

Suppose that $\mathcal{A}$ attempts to impersonate a legitimate vehicle. $\mathcal{A}$ tries to construct the authentication request message $\{PID_i, M_1, V_1, T_V\}$. However, $\mathcal{A}$ cannot compute $M_1 = r_1 \oplus h(X_i \| x \| T_V)$ and $V_1 = h(PID_i \| r_1 \| X_i \| T_V)$. Based on Section 7.1.4 and Section 7.1.5, $\mathcal{A}$ cannot derive the parameters $X_i$ and $x$ used for authentication, and hence, this attack fails.

7.1.7. ESL Attack

Assume that $\mathcal{A}$ obtains the random nonces $r_1$, $r_2$, and $r_3$ and tries to compute the session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$. In spite of the leakage of all random nonces in a session, the security of $SK$ is still preserved. This is because the parameter $x$ is derived using either $ID_i$ and $PW_i$ of $V_i$, or the master key $K_{TA}$. Specifically, $x$ is computed as $(x \| X_i) = A_i \oplus h(PW_i \| ID_i \| a)$ or $x = S_x \oplus h(PID_i \| K_{TA})$. Similarly, the computation of $(r_1 \oplus x)$ requires the parameter $K_{R_jTA}$, which is only shared between $RSU_j$ and the TA. Here, $(r_2 \| r_1 \oplus x) = M_2 \oplus h(ID_j \| K_{R_jTA} \| T_{TA})$. For these reasons, the proposed scheme is secure against ESL attacks.

7.1.8. MitM Attack

$\mathcal{A}$ can intercept exchanged messages via an open channel. The next goal is to modify the login request message $\{PID_i, M_1, V_1, T_V\}$. Although $\mathcal{A}$ obtains $PID_i$ from the message, $\mathcal{A}$ still needs $HID_i$ to compute $VL_i = h(PW_i \| HID_i \| X_i)$, which is used to calculate $M_1 = r_1 \oplus h(X_i \| x \| T_V)$ and $V_1 = h(PID_i \| r_1 \| X_i \| T_V)$. The TA can easily detect a tampered $HID_i$ because $HID_i$ is derived from the parameter $S_x$ related to $PID_i$, which is stored in the secure database of the TA. In addition, modifying all messages is impossible because they include random parameters that change with each session. Similarly, it is difficult to modify the message $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$ sent from $RSU_j$ to the TA, as the parameter $V_2$ is masked with the shared secret key $K_{R_jTA}$ between $RSU_j$ and the TA. Accordingly, these messages are unavailable to $\mathcal{A}$, preventing the implementation of MitM attacks. Therefore, the proposed scheme is resistant to MitM attacks.

7.1.9. Forgery Attack

We assume that $\mathcal{A}$ tries to forge authentication messages such as $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$, $\{M_2, V_R, V_V, T_{TA}\}$, and $\{M_3, V_3, T_{TA}, T_{RR}\}$. According to Section 7.1.8, $\mathcal{A}$ cannot obtain the secret key $K_{R_jTA}$ to forge these messages. In addition, it is difficult for $\mathcal{A}$ to pass validation using forged messages because all random nonces and secret parameters are required to compute $V_2 = h(V_1 \| M_1 \| ID_j \| K_{R_jTA} \| T_R)$, $V_R = h(r_2 \| ID_j \| K_{R_jTA} \| T_{TA})$, and $V_3 = h(V_V \| SK \| r_3 \| T_{RR})$ for validation. These parameters are secure and protected by their hash value. Without correctly guessing all of them at once, it is impossible to forge the messages. Thus, $\mathcal{A}$ cannot forge valid authentication messages.

7.1.10. Desynchronization Attack

In each session, the TA and $V_i$ update $PID_i$ and the related parameters $A_i$, $C_i$, and $S_x$. This update is confirmed only after the authentication phase is successfully completed. There is no need to transmit the new parameter $PID_i^{new}$ from the TA to $V_i$. According to Section 6.1, the TA derives $r_1$ and verifies whether the received message is legitimate. After $V_i$ and $RSU_j$ establish the correct session key $SK$, the TA and $V_i$ update $PID_i^{new} = PID_i \oplus h(r_1 \| HID_i)$ and the other parameters, respectively. If the authentication is terminated, they do not update parameters until the synchronization is successful. In conclusion, the proposed scheme can resist desynchronization issues with the pseudo-identity.

7.1.11. Replay Attack

In our scheme, all exchanged messages include timestamps and random nonces that are changed every session. If $\mathcal{A}$ obtains the messages $\{PID_i, M_1, V_1, T_V\}$ and $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$ on a public channel, $\mathcal{A}$ may try to process authentication by resending previous messages. However, $\mathcal{A}$ cannot reuse the messages of a previous session because they fail the freshness check of the random nonces $r_1$, $r_2$, and $r_3$ and the timestamps $T_V$, $T_R$, $T_{TA}$, and $T_{RR}$. Therefore, the proposed scheme is secure against replay attacks.

7.1.12. DoS Attack

To make the TA unusable, $\mathcal{A}$ can continuously attempt to issue fake request messages. However, according to Section 7.1.4 and Section 7.1.5, the login attempts of $\mathcal{A}$ fail without knowing the vehicle’s real identity and password. If $\mathcal{A}$ constructs and sends the message $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$, the TA first verifies $V_2$ before performing further computations. According to Section 3.1, $\mathcal{A}$ can register as a legal user and send a superfluous request message $\{PID_i, M_1, V_1, T_V\}$. However, RSUs can detect it at the beginning of the authentication phase by checking the revocation list with $PID_i$. Therefore, the proposed scheme prevents the TA from performing burdensome computation in such situations and reduces the chance of a DoS attack.

7.1.13. Anonymity

$ID_i$ is masked in the parameters $HID_i = ID_i \oplus h(K_{TA} \| ID_{TA})$, $A_i = (x \| X_i) \oplus h(PW_i \| ID_i \| a)$, and $C_i = h(ID_i \| A_i) \oplus a$. In addition, the parameter $HID_i$ is masked in the parameters $PID_i = HID_i \oplus x$, $X_i = h(HID_i \| K_{TA})$, and $VL_i = h(PW_i \| HID_i \| X_i)$. Similarly, the pseudo-identity $PID_i$ is updated in each session: $PID_i^{new} = PID_i \oplus h(r_1 \| HID_i)$. Since $\mathcal{A}$ cannot calculate these parameters, our scheme provides anonymity.

7.1.14. Conditional Privacy

Only the TA can detect the real $ID_i$ from $PID_i$ when vehicles are involved in illegal activities. During the registration phase, the TA stores $PID_i$ with the secret parameter $x$. If a malicious vehicle used $PID_i$, the TA retrieves $(S_x, PID_i)$ from its secret database. To find the malicious vehicle’s real $ID_i$, the TA computes the parameters $x = S_x \oplus h(PID_i \| K_{TA})$, $HID_i = PID_i \oplus x$, and $ID_i = HID_i \oplus h(K_{TA} \| ID_{TA})$. Due to the master key $K_{TA}$, only the TA can calculate these. Finally, the TA reveals the malicious vehicle’s real $ID_i$ and updates the revocation list. Thus, our scheme provides conditional privacy.

7.1.15. Mutual Authentication

To establish the authentication, our scheme performs a verification process. After $V_i$ inputs $ID_i$ and $PW_i$ into the OBU, the vehicle checks that the computed $h(PW_i \| HID_i \| X_i)$ equals the stored $VL_i$. If they are not equal, the login phase is terminated. The login request over the RSU is validated at the TA by checking whether the recomputed $V_2$ equals the received $V_2$. On the other hand, the RSU verifies the received $V_R$ against its recomputed $V_R$, and the vehicle checks the received $V_3$ against its recomputed $V_3$. In every verification process, the session is terminated immediately if a validation fails.

7.1.16. Perfect Forward Secrecy

If $\mathcal{A}$ obtains $K_{TA}$, $\mathcal{A}$ attempts to compute $SK = h(r_2 \| r_3 \| r_1 \oplus x)$ of a legitimate $V_i$. However, $K_{TA}$ is only used in the parameters $X_i = h(HID_i \| K_{TA})$ and $K_{R_jTA} = h(k_r \| ID_{TA} \| K_{TA})$. Moreover, $X_i$ and $K_{R_jTA}$ are not utilized indirectly, such as $V_2 = h(V_1 \| M_1 \| ID_j \| K_{R_jTA} \| T_R)$, $V_V = h(r_2 \| X_i \| r_1 \| T_{TA})$, and $V_R = h(r_2 \| ID_j \| K_{R_jTA} \| T_{TA})$. Even if $K_{TA}$ is leaked, $\mathcal{A}$ cannot obtain $SK$ without the shared secret parameters $HID_i$ or $k_r$. Thus, the proposed scheme can achieve perfect forward secrecy.

7.2. BAN Logic

We utilize BAN logic [18], which is a logic proof method to ensure mutual authentication of the proposed scheme. Notations of BAN logic are presented in Table 4.

7.2.1. Rules

The five basic logical rules of BAN logic are summarized as follows.
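1. Message meaning rule (MMR): $\dfrac{P_1 |\equiv P_1 \stackrel{K}{\longleftrightarrow} P_2,\ \ P_1 \triangleleft \{M_1\}_K}{P_1 |\equiv P_2 |\sim M_1}$
2. Nonce verification rule (NVR): $\dfrac{P_1 |\equiv \#(M_1),\ \ P_1 |\equiv P_2 |\sim M_1}{P_1 |\equiv P_2 |\equiv M_1}$
3. Jurisdiction rule (JR): $\dfrac{P_1 |\equiv P_2 \Rightarrow M_1,\ \ P_1 |\equiv P_2 |\equiv M_1}{P_1 |\equiv M_1}$
4. Belief rule (BR): $\dfrac{P_1 |\equiv (M_1, M_2)}{P_1 |\equiv M_1}$
5. Freshness rule (FR): $\dfrac{P_1 |\equiv \#(M_1)}{P_1 |\equiv \#(M_1, M_2)}$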

7.2.2. Goals

We denote the principals for the vehicle, RSU, and TA as $V_i$, $RSU_j$, and $TA$, respectively. The goals of the proposed scheme state that $V_i$ and $RSU_j$ establish a session key, as shown below:
Goal 1: $V_i |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$
Goal 2: $V_i |\equiv RSU_j |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$
Goal 3: $RSU_j |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$
Goal 4: $RSU_j |\equiv V_i |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$

7.2.3. Idealized Forms

Messages of the proposed scheme are formed to show the logical properties of BAN logic. The idealized forms are as follows:
$Msg_1$: $V_i \rightarrow RSU_j : \{r_1, T_V\}_x$
$Msg_2$: $RSU_j \rightarrow TA : \{V_i\ \{r_1, T_V\}_x,\ T_R\}_{K_{R_jTA}}$
$Msg_3$: $TA \rightarrow RSU_j : \{r_1 \oplus x, r_2, T_{TA}\}_{K_{R_jTA}}$
$Msg_4$: $RSU_j \rightarrow V_i : \{r_2, r_3, T_{RR}\}_{r_1 \oplus x}$

7.2.4. Assumptions

Each principal trusts that secret keys are shared and that timestamps are fresh. The proposed scheme applies the following assumptions in BAN logic proof:
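$A_1$: $V_i |\equiv \#(T_{RR})$
$A_2$: $TA |\equiv \#(T_V)$
$A_3$: $TA |\equiv \#(T_R)$
$A_4$: $RSU_j |\equiv \#(T_{TA})$
$A_5$: $TA |\equiv TA \stackrel{K_{R_jTA}}{\longleftrightarrow} RSU_j$
$A_6$: $RSU_j |\equiv TA \stackrel{K_{R_jTA}}{\longleftrightarrow} RSU_j$
$A_7$: $V_i |\equiv TA \stackrel{x}{\longleftrightarrow} V_i$
$A_8$: $TA |\equiv TA \stackrel{x}{\longleftrightarrow} V_i$
$A_9$: $V_i |\equiv RSU_j \Rightarrow (V_i \stackrel{SK}{\longleftrightarrow} RSU_j)$
$A_{10}$: $RSU_j |\equiv V_i \Rightarrow (V_i \stackrel{SK}{\longleftrightarrow} RSU_j)$
$A_{11}$: $V_i |\equiv V_i \stackrel{r_1 \oplus x}{\longleftrightarrow} RSU_j$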

7.2.5. BAN Logic Proof

The BAN logic analysis of the proposed scheme proceeds as follows:
Step 1: According to $Msg_2$, we can obtain $S_1$.
$S_1$: $TA \triangleleft \{V_i\ \{r_1, T_V\}_x,\ T_R\}_{K_{R_jTA}}$
Step 2: From the MMR using $A_5$ and $S_1$, we can obtain $S_2$.
$S_2$: $TA |\equiv RSU_j |\sim (V_i\ \{r_1, T_V\}_x,\ T_R)$
Step 3: From $Msg_1$, $TA$ believes that $\{r_1, T_V\}_x$ is sent from $V_i$ in $S_2$. Then, we can obtain $S_3$.
$S_3$: $TA \triangleleft \{r_1, T_V\}_x$
Step 4: From the MMR using $A_8$ and $S_3$, we can obtain $S_4$.
$S_4$: $TA |\equiv V_i |\sim (r_1, T_V)$
Step 5: From the FR using $A_2$ and $S_4$, we can obtain $S_5$.
$S_5$: $TA |\equiv \#(r_1, T_V)$
Step 6: From the NVR using $S_4$ and $S_5$, we can obtain $S_6$.
$S_6$: $TA |\equiv V_i |\equiv (r_1, T_V)$
Step 7: According to $Msg_3$, we can obtain $S_7$.
$S_7$: $RSU_j \triangleleft \{r_1 \oplus x, r_2, T_{TA}\}_{K_{R_jTA}}$
Step 8: From the MMR using $A_6$ and $S_7$, we can obtain $S_8$.
$S_8$: $RSU_j |\equiv TA |\sim (r_1 \oplus x, r_2, T_{TA})$
Step 9: From the FR using $A_4$ and $S_8$, we can obtain $S_9$.
$S_9$: $RSU_j |\equiv \#(r_1 \oplus x, r_2, T_{TA})$
Step 10: From the NVR, we can obtain $S_{10}$.
$S_{10}$: $RSU_j |\equiv TA |\equiv (r_1 \oplus x, r_2, T_{TA})$
Step 11: According to $Msg_4$, we can obtain $S_{11}$.
$S_{11}$: $V_i \triangleleft \{r_2, r_3, T_{RR}\}_{r_1 \oplus x}$
Step 12: From the MMR using $A_{11}$, we can obtain $S_{12}$.
$S_{12}$: $V_i |\equiv RSU_j |\sim (r_2, r_3, T_{RR})$
Step 13: From the FR using $A_1$, we can obtain $S_{13}$.
$S_{13}$: $V_i |\equiv \#(r_2, r_3, T_{RR})$
Step 14: From the NVR using $S_{12}$ and $S_{13}$, we can obtain $S_{14}$.
$S_{14}$: $V_i |\equiv RSU_j |\equiv (r_2, r_3, T_{RR})$
Step 15: $V_i$ and $RSU_j$ believe that they can compute the session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$ using the values shared with each other. Therefore, we can obtain $S_{15}$ and $S_{16}$ from $S_{10}$ and $S_{14}$.
$S_{15}$: $V_i |\equiv RSU_j |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$ (Goal 2)
$S_{16}$: $RSU_j |\equiv V_i |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$ (Goal 4)
Step 16: From the JR using $A_9$, $A_{10}$, $S_{15}$, and $S_{16}$, we can obtain $S_{17}$ and $S_{18}$.
$S_{17}$: $V_i |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$ (Goal 1)
$S_{18}$: $RSU_j |\equiv V_i \stackrel{SK}{\longleftrightarrow} RSU_j$ (Goal 3)

7.3. ROR Model

We utilize the ROR model [19] to analyze the semantic security of the proposed scheme. In this model, we denote $P^t$ as the $t$-th instance of a participant. There are three participants in the proposed scheme: the vehicle $P_V^{t_1}$, the RSU $P_{RSU}^{t_2}$, and the TA $P_{TA}^{t_3}$. The ROR model assumes that an adversary $\mathcal{A}$ can perform various attacks to disclose the session key by executing queries, such as Execute, CorruptOBU, Send, and Test. Moreover, all participants, including $\mathcal{A}$, can access a collision-resistant cryptographic one-way hash function $H(\cdot)$, which is referred to as $Hash$ [38]. The queries are described in detail below.
  • Execute($P_V^{t_1}$, $P_{RSU}^{t_2}$, $P_{TA}^{t_3}$): $\mathcal{A}$ can eavesdrop on the messages transmitted between $P_V^{t_1}$, $P_{RSU}^{t_2}$, and $P_{TA}^{t_3}$ via a public channel. This query represents the eavesdropping attack by $\mathcal{A}$.
  • CorruptOBU($P^t$): $\mathcal{A}$ performs this query to extract the stored data from the OBU of $V_i$.
  • Send($P^t$, $Msg$): Using this query, $\mathcal{A}$ can send a message $Msg$ to the participant $P^t$ and receive a reply.
  • Test($P^t$): $\mathcal{A}$ uses this query to verify the semantic security of the session key. By executing this query, $\mathcal{A}$ can obtain a coin flip test, where $c = 0$ represents the tail of a coin and $c = 1$ represents the head of a coin. Based on the result, $\mathcal{A}$ receives a random string when $c = 0$ and the session key when $c = 1$ from $P^t$. Otherwise, $\mathcal{A}$ receives a $NULL$ value. If $\mathcal{A}$ cannot distinguish the result between a random string and the session key, the session key is secure.
Theorem 1.
Suppose that $\mathcal{A}$ attempts to distinguish the session key and a random number. We denote $Adv_{\mathcal{A}}$ as the advantage of $\mathcal{A}$ in the model. Then, $q_h$ and $q_s$ denote the number of $Hash$ and $Send$ queries executed by $\mathcal{A}$, and $|Hash|$ is the range of the $Hash$. $D_1$ and $D_2$ are the distributed identity and password dictionaries, and $|D_1|$ and $|D_2|$ are the size of each dictionary.
$$Adv_{\mathcal{A}} \le \frac{q_h^2}{|Hash|} + \frac{2 q_s}{|D_1| \cdot |D_2|}$$
Proof.
$\mathcal{A}$ can perform the attack procedures through four games $G_i$ $(i = 0, 1, 2, 3)$. $Pr[Succ_i]$ denotes the probability that $\mathcal{A}$ guesses the correct result $c$ in $G_i$. The proof processes of $G_i$ and $Succ_i$ are described as follows:
$G_0$: This game represents that $\mathcal{A}$ attempts the actual attack on the proposed authentication scheme. Then, $\mathcal{A}$ can guess a random bit $c$ at the beginning of the game, and hence the outcome is given by Equation (2).
$$Adv_{\mathcal{A}} = |2 Pr[Succ_0] - 1| \tag{2}$$
$G_1$: $\mathcal{A}$ performs the $Execute$ query to attempt the eavesdropping attack. After that, $\mathcal{A}$ verifies whether the obtained session key $SK$ and a random number are real by executing the $Test$ query. However, $\mathcal{A}$ cannot obtain meaningful parameters using an eavesdropping attack to calculate the session key $SK = h(r_2 \| r_3 \| r_1 \oplus x)$. This means $\mathcal{A}$ cannot obtain any advantage from winning $G_1$. Therefore, $G_1$ and $G_0$ are indistinguishable, and we obtain the following:
$$Pr[Succ_1] = Pr[Succ_0] \tag{3}$$
$G_2$: In this game, $\mathcal{A}$ performs $Send$ and $Hash$ queries to obtain the session key. $\mathcal{A}$ can attempt to modify transmitted messages. However, deriving secret parameters from the intercepted messages is a computationally infeasible task. This is because all exchanged messages in our scheme are encrypted with the one-way hash function $H(\cdot)$, which has collision-resistant properties. According to [39], the birthday paradox represents the probability of hash collision as $(q_h^2 / 2^{l_h + 1})$, where $l_h$ is the length of a hash result. Thus, we can obtain the advantage of $\mathcal{A}$ in $G_2$ as below.
$$|Pr[Succ_2] - Pr[Succ_1]| \le \frac{q_h^2}{2 |Hash|} \tag{4}$$
$G_3$: $\mathcal{A}$ can try to obtain $SK = h(r_2 \| r_3 \| r_1 \oplus x)$ with $CorruptOBU$. $\mathcal{A}$ can obtain the information $\{PID_i, XPW_i, V_i, A_i, C_i\}$. However, $\mathcal{A}$ needs $X_i$, which is masked with $ID_i$ and $PW_i$. Therefore, $\mathcal{A}$ can try to guess the values from the identity and password dictionaries. Basically, the length of the identity is 160 bits. As the length of a password increases, the probability that $\mathcal{A}$ correctly guesses both identity and password decreases exponentially. The whole combinations of dictionaries $|D_1| \cdot |D_2|$ are roughly $2^{160} \cdot 2^{l_{PW}}$, where $l_{PW}$ is the length of the password. Then, we can obtain the following:
$$|Pr[Succ_3] - Pr[Succ_2]| \le \frac{q_s}{|D_1| \cdot |D_2|} \tag{5}$$
As all the games are executed, $\mathcal{A}$ must guess the exact bit $c$. However, $\mathcal{A}$ has no advantage in guessing $c$; then, we can obtain the equation below.
$$Pr[Succ_3] = \frac{1}{2} \tag{6}$$
Using Equations (2), (3), and (6), we can obtain the result as below:
$$\frac{1}{2} Adv_{\mathcal{A}} = \left| Pr[Succ_0] - \frac{1}{2} \right| = |Pr[Succ_1] - Pr[Succ_3]| \tag{7}$$
We obtain the following result by applying the triangular inequality to Equation (7):
$$\frac{1}{2} Adv_{\mathcal{A}} = |Pr[Succ_1] - Pr[Succ_3]| \le |Pr[Succ_1] - Pr[Succ_2]| + |Pr[Succ_2] - Pr[Succ_3]| \le \frac{q_h^2}{2 |Hash|} + \frac{q_s}{|D_1| \cdot |D_2|} \tag{8}$$
Finally, we obtain the required result by multiplying both sides of Equation (8) by 2.
$$Adv_{\mathcal{A}} \le \frac{q_h^2}{|Hash|} + \frac{2 q_s}{|D_1| \cdot |D_2|}$$
Therefore, we prove Theorem 1.

7.4. AVISPA Simulation

In this section, we analyze the security of the proposed scheme using the AVISPA simulation tool [20,21]. AVISPA has been widely accepted to evaluate the resistance against MitM and replay attacks [40,41]. To conduct an AVISPA analysis, the proposed scheme needs to be written in “High-Level Protocol Specification Language (HLPSL)”. To implement a protocol, HLPSL codes are converted to “Intermediate Format (IF)” by the translator. The backend models then take the IF code and produce their results in “Output Format (OF)”. There are four backend models: “On-the-Fly Model Checker (OFMC)”, “Constraint Logic-based Attack Searcher (CL-AtSe)”, “Tree Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP)”, and “SAT-based Model Checker (SATMC)”. In this analysis, we use the OFMC and CL-AtSe models, which support the XOR operation. If the summary of the OF is safe, we demonstrate that the proposed scheme resists MitM and replay attacks.

7.4.1. HLPSL Specification

Based on HLPSL, the proposed scheme is divided into three roles: $V_i$, $RSU_j$, and the $TA$. “V” denotes a vehicle $V_i$, “R” denotes a roadside unit $RSU_j$, and “TA” denotes a trusted authority $TA$. Figure 9 comprises the environment and session of our scheme, which represents the security goals. Figure 10 describes the role of $V_i$, and the detailed descriptions are as follows.
At first, $V_i$ initializes the state (State = 0) and receives the start signal. During the registration phase, $V_i$ sends the registration request message $\{ID_i\}$ to the TA securely. Then, $V_i$ receives the reply from the TA through the secure channel (SKvta) and updates its state from 1 to 2. After the registration phase, $V_i$ generates the random nonce R1 and timestamp Tv, and calculates parameters to send the authentication request message via the public channel (dy). Then, $V_i$ declares witness(V, TA, v_ta_r1, R1), which means that $V_i$ generates the random nonce R1 for the TA. Finally, $V_i$ computes a session key and completes authentication with $RSU_j$ in state 3. Similarly, the specification roles of $RSU_j$ and the TA are like that of $V_i$. Their registration and authentication phases are defined as shown in Figure 11 and Figure 12.

7.4.2. AVISPA Simulation Result

Figure 13 shows the AVISPA simulation results under OFMC and CL-AtSe models. In OFMC, the search time takes 2.78 s to visit 1168 nodes. On the other hand, the CL-AtSe analyzed two states with 0.04 s to translate. The summary of results is safe; therefore, the proposed scheme is verified regarding the security resistance to replay and MitM attacks.

8. Performance Evaluations

This section discusses the performance of our scheme in terms of security properties, computational costs, communication costs, and energy consumption. We demonstrated that our scheme provides overall better results of performance analyses compared with other related schemes.

8.1. Security Properties

This section presents the security properties of our scheme compared with the related schemes [17,25,26,27,28,31,32]. We consider security properties such as $S_1$: “resistance to insider attack”, $S_2$: “resistance to OBU captured attack”, $S_3$: “resistance to privileged insider attack”, $S_4$: “resistance to offline password guessing attack”, $S_5$: “resistance to identity-guessing attack”, $S_6$: “resistance to vehicle impersonation attack”, $S_7$: “resistance to ESL attack”, $S_8$: “resistance to MitM attack”, $S_9$: “resistance to forgery attack”, $S_{10}$: “resistance to desynchronization attack”, $S_{11}$: “resistance to replay attack”, $S_{12}$: “resistance to DoS attack”, $S_{13}$: “anonymity”, $S_{14}$: “conditional privacy”, $S_{15}$: “mutual authentication”, and $S_{16}$: “perfect forward secrecy”. Compared with the related schemes [17,25,26,27,28,31,32], the proposed scheme provides robust security and functional properties. As seen in Table 5, the proposed scheme is secure against various attacks and possesses a higher level of security.

8.2. Computational Costs

We analyze the computational costs of our scheme and related schemes [17,25,26,27,28,29,30,31,32]. According to [17], we approximate the execution time of each cryptographic operation. The implementation environment was Windows 10, Professional with an Intel (R) Core (TM) i5-4210U 64-bit, 8 GB DDR4, @4.1 GHz. Moreover, the programming language and library are Python and Pycryptodome cryptographic library, respectively.
The execution times of operations are summarized in Table 6. We estimate that $T_B$, $T_M$, $T_A$, $T_H$, $T_S$, and $T_E$ are the time durations of bilinear pairing (33.75 ms), elliptic curve point (ECP) multiplication (15.65 ms), ECP addition (4.26 ms), one-way hashing (0.35 ms), symmetric key encryption/decryption (1.27 ms), and modular exponential (18.78 ms). Since the execution time of XOR operations is very small and negligible, we do not consider the computational cost of XOR operations.
In IoV networks, it is important to reduce overloads during the authentication phase. We calculate the costs required for each entity, such as $V_i$, $RSU_j$, and the TA. Table 7 represents that our scheme has the lowest computational costs compared with related schemes. Consequently, the proposed scheme ensures high efficiency in IoV networks compared with the related schemes [17,25,26,27,28,31,32]. Moreover, the proposed scheme can provide lower computational overheads than recent studies [29,30] due to using only hash functions and XOR operators.

8.3. Communication Costs

According to [17], we assume that the communication costs of the elliptic curve point, hash function, random nonces, real identity, and timestamp are 320, 160, 160, 32, and 32 bits, respectively. Since the registration phase occurs once for new registrants, we only consider the costs of exchanged messages during the authentication phase. In our scheme, four messages are exchanged in total during the authentication phases, which are $\{PID_i, M_1, V_1, T_V\}$, $\{PID_i, ID_j, M_1, V_2, T_V, T_R\}$, $\{M_2, V_R, V_V, T_{TA}\}$, and $\{M_3, V_3, T_{TA}, T_{RR}\}$. The costs of the four messages are 512, 576, 672, and 544 bits. On the other hand, the costs are 576, 544, 512, and 512 bits, respectively, in Sibahee et al.’s scheme. The overall communication cost of Sibahee et al.’s scheme [17] is 2144 bits, while ours is 2304, which is 160 bits more. However, our scheme provides better security properties and computational costs than [17]. Moreover, the communication cost of our scheme is still lower compared with the other schemes [25,26,27,28,29,30,31,32]. Based on the values in Table 8, the communication cost analysis of each scheme is as follows:

8.4. Energy Consumption

During the message exchange, some energy is consumed to communicate between vehicles and RSUs. Since vehicles equipped with OBUs have limited resources, high energy consumption can degrade performance. As explained in [17], energy consumption is the product of total computational costs ($TC$) and maximum processing power ($MP$). Therefore, the equation of energy consumption $EC$ can be represented as follows:
$$EC = TC \times MP$$
According to [17], this maximum processing power is 10.88 W in wireless communication systems. Therefore, the total energy consumption of our scheme is 106.62 mJ, rounded to the nearest hundredth. The results of the energy consumption comparison are shown in Table 9. Compared with the related schemes [25,26,27,28,29,30,31,32], we can demonstrate that the proposed scheme has the lowest energy consumption. Therefore, the proposed scheme can extend the battery life of vehicles when deployed in IoV.
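As an added check (not code from the paper), the following Python sketch recomputes the Table 7 totals and the Table 9 energy figures from the Table 6 timings and the relation EC = TC × MP, and sums the per-message sizes given in Section 8.3. All function and variable names are assumptions introduced here; the `op_time` parameter lets a reader substitute timings measured on their own OBU hardware.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# Table 6: execution time of each primitive in ms (values taken from the paper).
OP_TIME_MS = {"TB": "33.75", "TM": "15.65", "TA": "4.26",
              "TH": "0.35", "TS": "1.27", "TE": "18.78"}
MAX_POWER_W = Decimal("10.88")   # MP, maximum processing power per [17]
CENT = Decimal("0.01")

# Table 7: operation counts per scheme in the authentication phase.
SCHEME_OPS = {
    "Xu et al. [25]": "28TH",
    "Kumar et al. [26]": "26TH + 4TS",
    "Zhong et al. [27]": "8TM + 23TH",
    "Cui et al. [28]": "8TM + 25TH",
    "Awais et al. [29]": "15TM + 20TH",
    "Kumar et al. [30]": "12TM + 20TH + 6TS",
    "Chen et al. [31]": "12TH + 2TS + 6TE",
    "Chaudhry [32]": "11TH + 12TS",
    "Sibahee et al. [17]": "30TH",
    "Proposed": "28TH",
}

# Section 8.3: per-message sizes in bits for the four authentication messages.
MSG_BITS = {"Proposed": [512, 576, 672, 544],
            "Sibahee et al. [17]": [576, 544, 512, 512]}


def parse_ops(expr):
    """Turn '8TM + 23TH' into {'TM': 8, 'TH': 23}; reject unknown primitives."""
    counts = {}
    for term in expr.replace(" ", "").split("+"):
        m = re.fullmatch(r"(\d+)(T[A-Z])", term)
        if m is None or m.group(2) not in OP_TIME_MS:
            raise ValueError(f"unrecognised term: {term!r}")
        counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def total_cost_ms(expr, op_time=OP_TIME_MS):
    """TC: sum of (count x per-operation time), in ms."""
    tc = sum((n * Decimal(op_time[op]) for op, n in parse_ops(expr).items()),
             Decimal(0))
    return tc.quantize(CENT, rounding=ROUND_HALF_UP)


def energy_mj(expr, op_time=OP_TIME_MS):
    """EC = TC x MP; milliseconds times watts gives millijoules."""
    return (total_cost_ms(expr, op_time) * MAX_POWER_W).quantize(
        CENT, rounding=ROUND_HALF_UP)


def comparison():
    """Rows of (scheme, TC in ms, EC in mJ), cheapest first."""
    rows = [(s, total_cost_ms(e), energy_mj(e)) for s, e in SCHEME_OPS.items()]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for scheme, tc, ec in comparison():
        print(f"{scheme:22s} {tc:>8} ms {ec:>9} mJ")
    for scheme, bits in MSG_BITS.items():
        print(f"{scheme:22s} {sum(bits)} bits over {len(bits)} messages")
```

Every recomputed value matches Tables 7 and 9, and the two message totals come to 2304 and 2144 bits, confirming the 160-bit difference stated in Section 8.3.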

9. Conclusions

In this paper, we analyzed the scheme proposed by Sibahee et al. [17] and then proved its security weaknesses, such as insider and ESL attacks. Furthermore, we demonstrated that their scheme fails to ensure perfect forward secrecy. To address these security issues, we designed an anonymous and efficient authentication scheme with conditional privacy-preserving features. The proposed scheme effectively resists various attacks, such as OBU capture, privileged insider attacks, offline password guessing, and impersonation attacks. Using BAN logic and the ROR model for formal analysis, we proved the mutual authentication and session key security of our scheme. Moreover, we executed an AVISPA simulation to show the resistance against replay and MitM attacks in our scheme. The performance evaluation demonstrated that our scheme offers better security properties than existing schemes. In terms of computational costs, our scheme is lightweight and uses only XOR operations and hash functions. Furthermore, the proposed scheme guarantees a conditional privacy-preserving feature that allows the identification and revocation of malicious vehicles without exposing the privacy of legitimate users. Thus, the proposed scheme is applicable to practical IoV networks because it is more secure and efficient than existing related schemes. For instance, the proposed scheme enables secure communications between vehicles and infrastructure, exchanging real-time data such as traffic light statuses and road conditions from the traffic management center. This can improve traffic flow, optimize signal timing, and provide instant emergency alerts, enhancing overall road safety and efficiency. In future work, we will develop an architectural framework and authentication mechanisms that extend the proposed scheme to support V2V communications within IoV networks.

Author Contributions

Conceptualization, C.K.; methodology, C.K., D.K. and S.Y.; software, D.K. and S.S.; validation, S.S., S.Y. and Y.P.; formal analysis, C.K., S.S. and S.Y.; writing—original draft preparation, C.K.; writing—review and editing, S.S., D.K., S.Y. and Y.P.; supervision, Y.P.; project administration, Y.P. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the National Research Foundation of Korea (NRF) grant funded by the Korean government (Ministry of Science and ICT) (RS-2024-00450915) and in part by the BK21 FOUR Project funded by the Ministry of Education, South Korea (4199990113966).

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Fan, J.; Shar, L.K.; Guo, J.; Yang, W.; Niyato, D.; Lam, K.Y. Differentiated security architecture for secure and efficient infotainment data communication in IoV networks. In Proceedings of the International Conference on Network and System Security (NSS), Denarau Island, Fiji, 9–12 December 2022; pp. 283–304.
  2. Zhang, S.; Chen, J.; Lyu, F.; Cheng, N.; Shi, W.; Shen, X. Vehicular communication networks in the automated driving era. IEEE Commun. Mag. 2018, 56, 26–32.
  3. Sodhro, A.H.; Luo, Z.; Sodhro, G.H.; Muzamal, M.; Rodrigues, J.J.; De Albuquerque, V.H.C. Artificial Intelligence based QoS optimization for multimedia communication in IoV systems. Future Gener. Comput. Syst. 2019, 95, 667–680.
  4. Li, H.; Kaleem, M.B.; Liu, Z.; Wu, Y.; Liu, W.; Huang, Z. IoB: Internet-of-batteries for electric Vehicles–Architectures, opportunities, and challenges. Green Energy Intell. Transp. 2023, 2, 100128.
  5. Sherly, J.; Somasundareswari, D. Internet of things based smart transportation systems. Int. Res. J. Eng. Technol. 2015, 2, 1207–1210.
  6. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358.
  7. Hou, X.; Ren, Z.; Wang, J.; Cheng, W.; Ren, Y.; Chen, K.C.; Zhang, H. Reliable computation offloading for edge-computing-enabled software-defined IoV. IEEE Internet Things J. 2020, 7, 7097–7111.
  8. Li, H.; Dong, M.; Ota, K. Control plane optimization in software-defined vehicular ad hoc networks. IEEE Trans. Veh. Technol. 2016, 65, 7895–7904.
  9. Wang, S.; Yao, N. LIAP: A local identity-based anonymous message authentication protocol in VANETs. Comput. Commun. 2017, 112, 154–164.
  10. Ksouri, C.; Jemili, I.; Mosbah, M.; Belghith, A. Infrastructure localization service and tracking scheme in uncovered areas for internet of vehicles. Ann. Telecommun. 2021, 76, 647–664.
  11. Wu, J.; Fan, P. A survey on high mobility wireless communications: Challenges, opportunities and solutions. IEEE Access 2016, 4, 450–476.
  12. Su, H.; Dong, S.; Wang, N.; Zhang, T. An efficient privacy-preserving authentication scheme that mitigates TA dependency in VANETs. Veh. Commun. 2024, 45, 100727.
  13. Hasrouny, H.; Samhat, A.E.; Bassil, C.; Laouiti, A. VANet security challenges and solutions: A survey. Veh. Commun. 2017, 7, 7–20.
  14. Zhong, H.; Chen, L.; Cui, J.; Zhang, J.; Bolodurina, I.; Liu, L. Secure and lightweight conditional privacy-preserving authentication for fog-based vehicular ad hoc networks. IEEE Internet Things J. 2021, 9, 8485–8497.
  15. Alshudukhi, J.S.; Al-Mekhlafi, Z.G.; Mohammed, B.A. A lightweight authentication with privacy-preserving scheme for vehicular ad hoc networks based on elliptic curve cryptography. IEEE Access 2021, 9, 15633–15642.
  16. Horng, S.J.; Tzeng, S.F.; Huang, P.H.; Wang, X.; Li, T.; Khan, M.K. An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Inf. Sci. 2015, 317, 48–66.
  17. Al Sibahee, M.A.; Nyangaresi, V.O.; Abduljabbar, Z.A.; Luo, C.; Zhang, J.; Ma, J. Two-Factor Privacy Preserving Protocol for Efficient Authentication in Internet of Vehicles Networks. IEEE Internet Things J. 2024, 11, 14253–14266.
  18. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36.
  19. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of the Public Key Cryptography-PKC 2005: 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; Proceedings 8. Springer: Berlin/Heidelberg, Germany, 2005; pp. 65–84.
  20. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 10 October 2024).
  21. SPAN: A Security Protocol Animator for AVISPA. Available online: https://people.irisa.fr/Thomas.Genet/span/ (accessed on 10 October 2024).
  22. Qureshi, K.N.; Din, S.; Jeon, G.; Piccialli, F. Internet of vehicles: Key technologies, network model, solutions and challenges with future aspects. IEEE Trans. Intell. Transp. Syst. 2020, 22, 1777–1786.
  23. Taslimasa, H.; Dadkhah, S.; Neto, E.C.P.; Xiong, P.; Ray, S.; Ghorbani, A.A. Security issues in Internet of Vehicles (IoV): A comprehensive survey. Internet Things 2023, 22, 100809.
  24. Sharma, N.; Chauhan, N.; Chand, N. Security challenges in Internet of Vehicles (IoV) environment. In Proceedings of the 2018 First International Conference on Secure Cyber Computing and Communication (ICSCCC), Jalandhar, India, 15–17 December 2018; pp. 203–207.
  25. Xu, Z.; Li, X.; Xu, J.; Liang, W.; Choo, K.K.R. A secure and computationally efficient authentication and key agreement scheme for internet of vehicles. Comput. Electr. Eng. 2021, 95, 107409.
  26. Kumar, P.; Om, H. A conditional privacy-preserving and desynchronization-resistant authentication protocol for vehicular ad hoc network. J. Supercomput. 2022, 78, 17657–17688.
  27. Zhong, H.; Huang, B.; Cui, J.; Xu, Y.; Liu, L. Conditional privacy-preserving authentication using registration list in vehicular ad hoc networks. IEEE Access 2017, 6, 2241–2250.
  28. Cui, J.; Zhang, X.; Zhong, H.; Zhang, J.; Liu, L. Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment. IEEE Trans. Inf. Forensics Secur. 2019, 15, 1654–1667.
  29. Awais, S.M.; Yucheng, W.; Mahmood, K.; Badar, H.M.S.; Kharel, R.; Das, A.K. Provably secure fog-based authentication protocol for VANETs. Comput. Netw. 2024, 246, 110391.
  30. Kumar, P.; Om, H. Multi-TA model-based conditional privacy-preserving authentication protocol for fog-enabled VANET. Veh. Commun. 2024, 47, 100785.
  31. Chen, C.M.; Xiang, B.; Liu, Y.; Wang, K.H. A secure authentication protocol for internet of vehicles. IEEE Access 2019, 7, 12047–12057.
  32. Chaudhry, S.A. Designing an efficient and secure message exchange protocol for internet of vehicles. Secur. Commun. Netw. 2021, 2021, 5554318.
  33. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
  34. Canetti, R.; Krawczyk, H. Universally composable notions of key exchange and secure channels. In Proceedings of the Advances in Cryptology—EUROCRYPT 2002: International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, 28 April–2 May 2002; Proceedings 21. Springer: Berlin/Heidelberg, Germany, 2002; pp. 337–351.
  35. Mazhar, S.; Rakib, A.; Pan, L.; Jiang, F.; Anwar, A.; Doss, R.; Bryans, J. State-of-the-Art Authentication and Verification Schemes in VANETs: A Survey. Veh. Commun. 2024, 49, 100804.
  36. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817.
  37. Kwon, D.; Son, S.; Park, K.; Park, Y. A secure authentication scheme with local differential privacy in edge intelligence-enabled VANET. Mathematics 2024, 12, 2383.
  38. Das, A.K.; Wazid, M.; Yannam, A.R.; Rodrigues, J.J.; Park, Y. Provably secure ECC-based device access control and key agreement protocol for IoT environment. IEEE Access 2019, 7, 55382–55397.
  39. Boyko, V.; MacKenzie, P.; Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Proceedings of the Advances in Cryptology—EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; pp. 156–171.
  40. Garg, N.; Wazid, M.; Das, A.K.; Singh, D.P.; Rodrigues, J.J.; Park, Y. BAKMP-IoMT: Design of blockchain enabled authenticated key management protocol for internet of medical things deployment. IEEE Access 2020, 8, 95956–95977.
  41. Yu, S.; Park, Y. A robust authentication protocol for wireless medical sensor networks using blockchain and physically unclonable functions. IEEE Internet Things J. 2022, 9, 20214–20228.
Figure 9. Role of session, environment, and goal.
Figure 10. Role of vehicle $V_i$.
Figure 11. Role of roadside unit $RSU_j$.
Figure 12. Role of trusted authority $TA$.
Figure 13. Simulation results using OFMC and CL-AtSe model.
Table 1. The summary of related works.

Xu et al. [25] (Communication: V2I)
Contributions:
  • Proposed an authentication scheme for IoV designing storage forms of TA against desynchronization attacks
  • Utilization of RSUs to reduce the load of TA
  • Security demonstration using ROR model and simulation tool Proverif
Limitations:
  • Vulnerable to login verification, stolen verifier, privileged insider, and desynchronization attacks
  • Cannot ensure perfect forward secrecy

Kumar et al. [26] (Communication: V2I)
Contributions:
  • Proposed an authentication scheme using symmetric key cryptography for energy efficiency
  • Using pseudo-identities updated in each session
  • Provide conditional privacy preservation
Limitations:
  • Vulnerable to RSU captured attacks
  • Cannot ensure perfect forward secrecy

Zhong et al. [27] (Communication: V2I)
Contributions:
  • Proposed an authentication scheme using ECC, which prevents continuous attacks by shortening retrieval time
  • Provide password change phase on offline
  • Provide conditional privacy preservation
Limitations:
  • Vulnerable to smart card capture, offline password guessing, ESL, and MitM attacks
  • High computational and communication overhead using ECC
  • Large storage loads to registration list

Cui et al. [28] (Communication: V2I)
Contributions:
  • Proposed a multi-cloud-based authentication scheme that uses only one registration process to reduce redundancy
  • Provide conditional privacy preservation
Limitations:
  • High computational and communication cost using ECC
  • Cannot ensure perfect forward secrecy

Awais et al. [29] (Communication: V2I)
Contributions:
  • Proposed a mutual authentication scheme for VANET environments using fog computing
  • Processing authentication and key agreement with three factors
Limitations:
  • High computational and communication cost using ECC
  • Cannot ensure conditional privacy preservation

Kumar et al. [30] (Communication: V2I)
Contributions:
  • Proposed the real-time communication scheme using fog computing
  • Distribute entire traffic load through a group of controlled RSUs
  • Provide conditional privacy preservation
Limitations:
  • High computational and communication cost using ECC
  • Vulnerable to spoofing, repudiation, and DoS attacks

Chen et al. [31] (Communication: V2I)
Contributions:
  • Proposed a lightweight authentication scheme for distribution of entire traffic load using modular exponential operation
  • Provide conditional privacy
Limitations:
  • Vulnerable to identity guessing, ESL, and replay attacks
  • Cannot ensure conditional privacy preservation

Chaudhry [32] (Communication: V2I)
Contributions:
  • Proposed a lightweight authentication scheme using symmetric encryption
  • Provide conditional privacy preservation
Limitations:
  • Vulnerable to identity guessing and ESL attacks
  • Cannot ensure conditional privacy preservation and perfect forward secrecy

Sibahee et al. [17] (Communication: V2I)
Contributions:
  • Proposed a lightweight authentication scheme using only hash and XOR operation
  • model for distribution of entire traffic load
  • Provide conditional privacy
Limitations:
  • Vulnerable to insider and ESL attacks
  • Cannot ensure conditional privacy preservation and perfect forward secrecy

Proposed (Communication: V2I)
Contributions:
  • Proposed a lightweight authentication scheme using only hash and XOR operation
  • Secure mutual authentication against various security attacks
  • Security analysis through BAN logic, ROR model, and AVISPA simulation
  • Better computation, communication costs, and security properties compared with existing schemes
Table 3. Notations and descriptions.

| Notation | Description |
|---|---|
| $V_i$ | i-th vehicle |
| $RSU_j$ | j-th roadside unit |
| $TA$ | Trusted authority |
| $ID_i$, $PW_i$ | Unique identity and password of $V_i$ |
| $ID_j$ | Unique identity of $RSU_j$ |
| $ID_{TA}$ | Unique identity of $TA$ |
| $PID_i$ | Pseudo-identity of $V_i$ |
| $K_{TA}$ | Master key only known to $TA$ |
| $SK_V$, $SK_R$, $SK_T$ | Session key calculated by the $V_i$, $RSU_j$, and $TA$ |
| $K_{R_jTA}$ | Shared secret key between $RSU_j$ and $TA$ |
| $x$, $a$, $k_r$ | Random number |
| $r_n$ | Random nonce (n = 1, 2, 3, …) |
| $T_n$ | Timestamp (n = 1, 2, 3, …) |
| $h(\cdot)$ | Collision-resistant cryptographic one-way hash function |
| $\parallel$ | Concatenation operation |
|  | Exclusive-OR operation |
Table 4. Notations of BAN logic.

| Notations | Descriptions |
|---|---|
| $P_1$, $P_2$ | Principals |
| $M_1$, $M_2$ | Statements |
| $SK$ | Session key |
| $P_1$ $M_1$ | $P_1$ once said $M_1$ |
| $P_1$ $M_1$ | $P_1$ believes $M_1$ |
| $P_1$ $M_1$ | $P_1$ receives $M_1$ |
| $P_1$ $M_1$ | $P_1$ controls $M_1$ |
| $P_1$ $K$ $P_2$ | $P_1$ and $P_2$ have shared key $K$ |
| $\{M_1\}_K$ | $M_1$ is encrypted with $K$ |
| $\#M_1$ | $M_1$ is fresh |
Table 5. Security properties.
[25][26][27][28][31][32][17]Proposed
S 1 ×-----×
S 2 ×××---
S 3 ×----
S 4 --×--
S 5 -×--×-
S 6 ×××-
S 7 -×-×-×
S 8 --××-
S 9 -----
S 10 ×----
S 11 -××
S 12 ----
S 13 -
S 14 ---×-×
S 15 --
S 16 ××-×--×
-: not considered; ×: Not supported; ∘: Supported.
Table 6. Cryptographic execution time (ms).

| Operation | Time (ms) |
|---|---|
| $T_B$: Bilinear pairing | 33.75 |
| $T_M$: Elliptic curve point multiplication | 15.65 |
| $T_A$: Elliptic curve point addition | 4.26 |
| $T_H$: One-way hash function | 0.35 |
| $T_S$: Symmetric encryption/decryption | 1.27 |
| $T_E$: Modular exponential | 18.78 |
Table 7. Total computational costs.

| Scheme | Operations | Total Cost (ms) |
|---|---|---|
| Xu et al. [25] | $28T_H$ | 9.80 |
| Kumar et al. [26] | $26T_H + 4T_S$ | 14.18 |
| Zhong et al. [27] | $8T_M + 23T_H$ | 133.25 |
| Cui et al. [28] | $8T_M + 25T_H$ | 133.95 |
| Awais et al. [29] | $15T_M + 20T_H$ | 241.75 |
| Kumar et al. [30] | $12T_M + 20T_H + 6T_S$ | 202.42 |
| Chen et al. [31] | $12T_H + 2T_S + 6T_E$ | 119.42 |
| Chaudhry [32] | $11T_H + 12T_S$ | 19.09 |
| Sibahee et al. [17] | $30T_H$ | 10.50 |
| Proposed | $28T_H$ | 9.80 |
Table 8. Total communication costs.

| Scheme | No. of Messages | Total Cost (bits) |
|---|---|---|
| Xu et al. [25] | 6 | 3328 |
| Kumar et al. [26] | 4 | 4224 |
| Zhong et al. [27] | 4 | 3840 |
| Cui et al. [28] | 5 | 3328 |
| Awais et al. [29] | 4 | 4320 |
| Kumar et al. [30] | 5 | 3488 |
| Chen et al. [31] | 4 | 2336 |
| Chaudhry [32] | 4 | 2912 |
| Sibahee et al. [17] | 4 | 2144 |
| Proposed | 4 | 2304 |
Table 9. Comparison study of energy consumption.

| Scheme | Energy Consumption (mJ) |
|---|---|
| Xu et al. [25] | 106.62 |
| Kumar et al. [26] | 154.28 |
| Zhong et al. [27] | 1449.76 |
| Cui et al. [28] | 1457.38 |
| Awais et al. [29] | 2630.24 |
| Kumar et al. [30] | 2202.33 |
| Chen et al. [31] | 1299.29 |
| Chaudhry [32] | 207.70 |
| Sibahee et al. [17] | 114.24 |
| Proposed | 106.62 |
Kim, C.; Kwon, D.; Son, S.; Yu, S.; Park, Y. An Anonymous and Efficient Authentication Scheme with Conditional Privacy Preservation in Internet of Vehicles Networks. Mathematics 2024, 12, 3756. https://doi.org/10.3390/math12233756
