Sage Journals: Discover world-class research

Abstract

The Internet of vehicles technology has developed rapidly in recent years and has become increasingly important. The social Internet of vehicles provides better resources and services for the development of the Internet of vehicles and provides better experience for users. However, there are still many security problems in social vehicle networking environments. Once the vehicle is networked, the biggest problem is data security according to the three levels of data collection, intelligent analysis, and decision control of the Internet of vehicles. Recently, Wu et al. proposed a lightweight vehicle social network security authentication protocol based on fog nodes. They claimed that their security authentication protocol could resist various attacks. However, we found that their authentication protocols are vulnerable to internal attacks, smart card theft attacks, and lack perfect forward security. In this study, we propose a new protocol to overcome these limitations. Finally, security and performance analyses show that our protocol perfectly overcomes these limitations and exhibits excellent performance and efficiency.

Keywords

Fog node authentication social Internet of vehicles

Introduction

At the Information Society Summit held in 2005, the International Telecommunication Union $(ITU)$ formally introduced the concept of the Internet of Things $(IoT)$ in the form of an Internet report. $IoT$ is based on the Internet, which uses radio frequency automatic identification, wireless data communication, and other technologies, to achieve automatic identification of objects and information interconnection and sharing, to build a “Internet of things” that encompasses everything in the world. The scope of application of the $IoT$ is gradually expanding, and its application in various industries, agriculture, transportation, and others has promoted the development of intelligence in these fields, making resources allocation more rational and improving the efficiency of these industries. The application in life-related areas, such as smart warehouses, smart medical care, smart electricity, and tourism services has substantially improved the quality of people’s lives, from the scope of services and the way they are provided to the quality of services. Fog computing is an extension of cloud computing, an IoT-based distributed computing infrastructure that can use devices in edge networks to enable the delivery of data with extremely low latency. The application of fog computing reduces inter-network distances, increases efficiency, and reduces the amount of data required to be transmitted to the cloud for processing, analysis, and storage. Fog nodes are a key component of the fog computing architecture, and they can appear in different forms and be deployed in a variety of environments.

The Internet of Vehicles $(IoV)$ is an automotive mobile $IoT$ technology that provides different functional services in the operation of vehicles through advanced sensor technology, communication technology, data processing technology, network technology, and information dissemination technology. The devices on the vehicles effectively use the information in the network platform. The $IoV$ can provide spacing between vehicles and reduce the risk of collisions; it can help vehicle owners navigate in real-time and improve the efficiency of traffic operations by communicating with other vehicles and network systems. With the advances in the application of $IoT$ , $IoT$ technology is being combined with social networks to form a new network called the social Internet of things $(SIoT)$ . The $IoT$ will include not only the association of things and things and people, but also introduces the relationship between people and people, thus better depicting the connected world of all things. $SIoT$ is a new application of IoT technology in social networks. Ordinary objects in our lives can be informatized in real-time using IoT’s sensing and monitoring technology, and the information of the objects can be displayed online through network technology, cloud computing technology, and cloud storage technology.

With the development of modern technology, the $IoV$ also requires the organic combination of traditional $IoV$ functions and social networking of vehicles, resulting in the rise of social networking of vehicles $(SIoV)$ . The $SIoV$ is a social approach to increase the viscosity of the user, thereby maintaining the profitability of $SIoV$ and the related information reserve.

$SIoV$ provides better resources and services for the development of $IoV$ . Telematics can be better implemented and telematics services can be better enhanced, only by continuously improving the functions of social telematics enhancing the popularity of telematics. In the $SIoV$ environment, relevant information is entered into the telematics database in the background, and then the vehicle owner can use the telematics social services like a social software, which can always keep learning to obtain information and help the vehicle owner to improve the efficiency of the trip, and even enable the vehicle’s remote pre-diagnosis of itself to improve safety. The typical structure of $SIoV$ is shown in Figure 1, which mainly includes vehicle, roadside unit $(RSU)$ , a fog node, and a cloud server $(CS)$ . The cloud server is an infrastructure as a service (IaaS) service that integrates computing, storage, and network resources based on a $WEB$ service that provides an elastic cloud technology with customizable cloud hosting configurations. Vehicles are tangible users and beneficiaries. Vehicles can communicate with each other and owners can access information, share location, and so on, to make travel safer and smarter. The $RSU$ can collect information about nearby vehicles, send it to the fog node, and receive information from the fog node. In the telematics environment, the deployment of fog nodes is strongly influenced by geographical location; however, the prevalence of content within the coverage area varies greatly, because fog nodes are usually deployed in different areas and the cached content has certain geographical characteristics. A fog node is responsible for collecting and processing data of vehicles in a certain area, and subsequently, it transmits the collected data to the cloud server, reducing the computational load on the cloud server.

Figure 1.

Typical architecture of SIoV.

However, there are still many security issues in the $SIoV$ environment. Once a car is connected, the biggest problem is data security according to the three levels of data collection, intelligent analysis, and decision control. If we want to achieve data interoperability and data sharing, particularly, if we want to achieve decision control, ensuring data security is the most challenging issue of entire vehicle networking. In addition to traditional solution techniques such as authentication and access control, two other typical issues are how to verify the reliability of the data and protect the privacy of the data. This reflects the importance and criticality of data encryption, which encrypts data to achieve data concealment and thus protect data security. Encryption requires negotiation of a common session key between the participating actors to achieve reliable transmission. Wu et al. proposed a fog node–based secure authentication protocol for vehicular social networks and an authentication protocol that ensures user anonymity and security. Wu et al. claimed that their proposed secure authentication protocol was resistant to various attacks. However, we find that their authentication protocol is vulnerable to offline password guessing attacks, smart card theft attacks, and lacks perfect forward security, and there are also some design issues in this scheme. Here, we present these issues and make recommendations.

The main contributions of this article are as follows:

We perform a security analysis of the authentication protocol proposed by Wu et al. for $SIoV$ and find that their authentication protocol is vulnerable to insider attacks, smart card theft attacks, and lacks perfect forward security. As a user, we focus on protecting the data anonymity and security of the vehicle, prioritize data security in the protocol design, and propose a new scheme to improve the shortcomings of Wu et al.’s protocol.

We use elliptic curve algorithms to encrypt the transmission of information, which can provide a higher level of security. We use the Real-or-Random $(ROR)$ model, a formal proof tool, to verify the validity, correctness, and security of the protocol. In addition, a detailed informal analysis shows that our protocol is resistant to known attacks and break-ins.

We also systematically evaluate the protocol’s computational performance and communication costs in addition to other factors, and show that it performs well.

The rest of this article is organized as follows. Section “Related work” presents the related work of this article. Section “Review of Wu et al.’s protocol” briefly describes Wu et al.’s authentication scheme, followed by a thorough cryptanalysis of Wu et al.’s scheme in section “Cryptanalysis of Wu et al.’s protocol.” In section “Cryptanalysis of Wu et al.’s protocol,” we propose a new scheme to improve the shortcomings of the old scheme. In section “Security analysis,” we perform a security analysis, which includes a formal analysis, security requirements analysis, and a security comparison, to demonstrate the security and stability of the new protocol in terms of these three aspects. In section “Performance evaluation,” we analyze the security and performance of the new protocol in terms of both performance evaluation and communication cost evaluation. Finally, we summarize the work in section “Conclusion.”

Related work

With the advancement of the application of $IoT$ , $IoT$ technology is combined with social networks to form a new network, that is, $SIoT$ . With the combination of the IoV and $SIoT$ , the social IoV has gradually emerged. Because the $IoT$ environment, $IoV$ environment, and $SIoT$ environment have been proposed, many researchers have attempted studying how to realize data transmission safely and efficiently. Therefore, various authentication protocols have been proposed to protect the security and privacy of data transmissions.

In 2014, Yang et al.¹ presented an abstract network model for $IoV$ , described the technologies needed to create $IoV$ , and different applications based on existing technologies, presented several open research challenges, and considered the development of $IoV$ in future domains. In 2015, Sun et al.² reviewed IoV-related security and privacy developments, including security and privacy requirements, types of attacks and solutions, and described the future IoV-related security and privacy developments and challenges. In 2017, Contreras-Castillo et al.³ presented IoV-related architectures, protocols, and security and introduced communication protocols that enable seamless integration and operation of $IoV$ . Dandala et al.⁴ described the relation between the $IoV$ environment and traffic management, and provided an IoV-based traffic management solution to overcome serious traffic management problems in real-life. Ferrag et al.⁵ provided an overview of the previously proposed IoV-related protocols and classified these protocols according to the target environment, identified remaining issues, and proposed future directions for the research. In 2019, Chandrakar et al.⁶ proposed a secure authentication protocol for vehicle ad hoc networks and claimed that the protocol is secure and efficient. In 2020, Xu et al.⁷ proposed a blockchain-based protocol for RSU-assisted authentication and key management in vehicle networks, which they claimed to have low computational overhead, high efficiency, high authentication efficiency, and resistance to various common attacks.

Some of the research on $SIoT$ is presented below. In 2011, Atzori et al.⁸ presented the research concept of $SIoT$ and a preliminary architecture for achieving $SIoT$ in an object structure that follows the definition of potential social responsibility. In 2012, Atzori et al.⁹ again presented the concept, architecture, and network of $SIoT$ and analyzed the characteristics of the $SIoT$ network structure through simulations. In 2015, Nitti et al.¹⁰ discussed the link selection problem in $SIoT$ , proposed heuristic algorithms for local link selection, and proposed a method to dynamically adjust the threshold of the number of connections according to the number of hubs in the network. In 2017, Shen et al.¹¹ proposed a privacy-preserving and lightweight key negotiation protocol based on $V 2 G$ in social $IoT$ and claimed that the protocol can withstand different types of attacks. In 2019, Park et al.¹² proposed a $V 2 G$ dynamic privacy-preserving key management protocol for the $SIoT$ and claimed that the protocol is resistant to a variety of attacks, such as simulations and offline passwords.

This final section presents the research work related to $SIoV$ . In 2015, Alam et al.¹³ presented concepts, structures, and applications of the architecture of $SIoV$ environments and provided implementation details and experimental analysis to demonstrate the effectiveness of the proposed system. In 2016, Maglaras et al.¹⁴ combined $SIoV$ with smart cities, reviewing $SIoV$ enabling technologies and key components, and presenting $SIoV$ applications that can be deployed in smart cities. In 2018, Butt et al.¹⁵ presented a scalable $SIoV$ architecture based on the $Restful web$ technology and highlighted the importance of $web$ technology. In 2020, Ahmed et al.¹⁶ proposed an anonymous key negotiation protocol for the $V 2 G$ environment in $SIoV$ and claimed that the protocol is not only lightweight, but also efficient in terms of communication and storage costs of other protocols. In 2021, Wu et al.¹⁷ proposed a lightweight authentication key negotiation protocol for vehicular social networks based on fog nodes and claimed the protocol to be lightweight, secure, and efficient.

Review of Wu et al.’s protocol

The main entities included in the protocol are the vehicle, fog node, and cloud server. A fog node can detect unsafe driving behavior in real-time, provide early warning for the behavior, impose appropriate penalty when necessary, and share the pressure of the cloud server. Table 1 lists the symbols used in the protocol. The protocol has three phases as follows: vehicle registration, fog node registration, and login authentication.

Table 1.

Notations used in Wu et al.’s protocol.

Symbol	Description
$V_{i}$	The ith vehicle
$F N_{j}$	The jth fog node
$CS$	Cloud server
$I D_{i}, FI D_{j}, I D_{CS}$	Identities of $V_{i}$ , $F N_{j}$ , and $CS$
$PS W_{i}$	Password of the $V_{i}$
$K_{FN}$	Shared key of $F N_{j}$ and $CS$
$K_{CS}$	Secret key of $CS$
$K_{V}$	Counter value of $V_{i}$
$SK$	Session key

Vehicle registration phase

The registration process of the vehicle $V_{i}$ is described as follows:

First, vehicle $V_{i}$ inputs its identity $I D_{i}$ , password $PS W_{i}$ , and a random number $r_{i}$ , calculates its pseudo-identity $PI D_{i} = h (I D_{i} ∥ r_{i})$ , and then transmits the $PI D_{i}$ to $CS$ through the secure channel.

$CS$ receives ${PI D_{i}}$ , calculates the value of $HI D_{i} = h (PI D_{i} ∥ K_{CS})$ , initializes the value of $K_{V}$ to 0, and stores ${PI D_{i}, K_{V}}$ in its database. Finally, $CS$ sends ${HI D_{i}, K_{V}}$ to $V_{i}$ .

$V_{i}$ receives ${HI D_{i}, K_{V}}$ . Using $HI D_{i}$ , $PS W_{i}$ , $r_{i}$ , and $I D_{i}$ , it calculates the value $α_{i} = HI D_{i} \oplus h (PS W_{i} ∥ r_{i}), P_{i} = h (I D_{i} ∥ PS W_{i} ∥ r_{i})$ , replaces $HI D_{i}$ with the value of $α_{i}$ , and stores the ${α_{i}, P_{i}, r_{i}, K_{V}}$ in its smart card.

Fog node registration phase

The registration process of the $F N_{j}$ is described as follows:

First, fog node $F N_{j}$ inputs its identity $FI D_{j}$ and a random number $r_{j}$ , by $FI D_{j}$ and $r_{j}$ , calculates its pseudo-identity $PFI D_{j} = h (FI D_{j} ∥ r_{j})$ , and sends ${PFI D_{j}, FI D_{j}}$ to $CS$ .

$CS$ receives ${PFI D_{j}, FI D_{j}}$ , selects a random number $R_{j}$ , calculates the value of $N_{j} = h (FI D_{j} ∥ I D_{CS}) \oplus R_{j}$ , $K_{FN} = h (PFI D_{j} ∥ K_{CS})$ , and $HI D_{j} = h (FI D_{j} ∥ K_{CS})$ , and stores ${PFI D_{j}, K_{FN}, FI D_{j}}$ in its database. Finally, $CS$ sends ${K_{FN}, HI D_{j}, N_{j}, I D_{CS}}$ to $F N_{j}$ .

$F N_{j}$ receives { $K_{FN}$ , $HI D_{j}$ , $N_{j}$ , $I D_{CS}$ }, calculates the value $R_{j} = h (FI D_{j} ∥ I D_{CS}) \oplus N_{j}$ and $β_{j} = HI D_{j} \oplus h (R_{j} ∥ r_{j})$ , and stores the { $K_{FN}, β_{j}, r_{j}, N_{j}$ } in its database.

Login and authentication phase

In the login and authentication phase, $V_{i}$ , $F N_{j}$ , and $CS$ complete authentication and establish session key $SK$ , which is described as shown in Figure 2.

First, $V_{i}$ inputs its identity $I D_{i}$ , password $PS W_{i}$ , according to $I D_{i}$ , $PS W_{i}$ , and $r_{i}$ , calculates $P_{i}^{*} = h (I D_{i} ∥ PS W_{i} ∥ r_{i})$ , and then compares $P_{i}^{*} \overset{?}{=} P_{i}$ . If equal, then $V_{i}$ logs successfully. After successful login, $V_{i}$ selects a random number $N_{1}$ and calculates $A_{1} = h (I D_{i} ∥ r_{i}) \oplus N_{1}$ , $HI D_{i} = α_{i} \oplus h (PS W_{i} ∥ r_{i})$ , and $V_{1} = h (HI D_{i} ∥ K_{V}) \oplus N_{1}$ . Finally, $V_{i}$ sends the login request $M_{1} = {A_{1}, V_{1}, I D_{CS}, PI D_{i}$ } to $F N_{j}$ through a common channel.

$F N_{j}$ receives ${A_{1}, V_{1}, I D_{CS}, PI D_{i}}$ , selects a random number $N_{2}$ , according to $A_{1}$ , $K_{FN}$ , $HI D_{j}$ , and $N_{2}$ , calculates $A_{2} = h (A_{1} ∥ K_{FN} ∥ HI D_{j}) \oplus N_{2}$ , $V_{2} = h (A_{2} ∥ K_{FN} ∥ V_{1})$ , and finally $F N_{j}$ sends $M_{2} = {PI D_{i}, PFI D_{j}, A_{2}, V_{1}, V_{2}}$ to $CS$ .

After $CS$ receives ${PI D_{i}, PFI D_{j}, A_{2}, V_{1}, V_{2}}$ , indexes $K_{FN}$ according to $FPI D_{j}$ , then calculates $HI D_{i} = h (PI D_{i} ∥ K_{CS})$ , $N_{1} = h (HI D_{i} ∥ K_{V}) \oplus V_{1}$ , $V_{1}^{*} = h (HI D_{i} ∥ K_{V}) \oplus N_{1}$ , checks $V_{1}^{*} \overset{?}{=} V_{1}$ . If it is equal, then $V_{i}$ is legal. Otherwise, the authentication process is terminated. $CS$ calculates $V_{2}^{*} = h (A_{2} ∥ K_{FN} ∥ V_{1})$ and compares $V_{2}^{*} \overset{?}{=} V_{2}$ . If it is equal, it means that $CS$ believes that $F N_{j}$ is legal. Otherwise, the authentication process is terminated. After authenticating $V_{i}$ and $F N_{j}$ , $CS$ calculates $A_{1} = N_{1} \oplus PI D_{i}$ , $HI D_{j} = h (FI D_{j} ∥ K_{CS})$ , $N_{2} = h (A_{1} ∥ K_{FN} ∥ HI D_{j}) \oplus A_{2}$ , selects a random number $N_{3}$ , and calculates $N'_{X} = h (HI D_{i} ∥ N_{1}) \oplus N_{2} \oplus N_{3} \oplus HI D_{j}$ , $N'_{Y} = h (HI D_{j} ∥ N_{2}) \oplus N_{1} \oplus N_{3} \oplus HI D_{i}$ , $SK = h (N_{1} \oplus N_{2} \oplus N_{3} \oplus HI D_{j} \oplus HI D_{i})$ , $V_{3} = h (HI D_{j} ∥ K_{FN} ∥ SK)$ , $V_{4} = h (HI D_{i} ∥ K_{V} ∥ SK)$ , then updates $K_{V} = K_{V} + 1$ , and sends message $M_{3} = {N'_{X}, N'_{Y}, V_{3}, V_{4}}$ to $F N_{j}$ .

$F N_{j}$ receives ${N'_{X}, N'_{Y}, V_{3}, V_{4}}$ , calculates $N_{1} \oplus N_{3} \oplus HI D_{i} = h (HI D_{j} ∥ N_{2}) \oplus N'_{Y}$ , $SK = h (N_{1} \oplus N_{2} \oplus N_{3} \oplus HI D_{j} \oplus HI D_{i})$ , and $V_{3}^{*} = h (HI D_{j} ∥ K_{FN} ∥ SK)$ , and checks $V_{3}^{*} \overset{?}{=} V_{3}$ . If it is equal, it means that $F N_{j}$ believes that $CS$ is legal. Otherwise, the authentication process is terminated. Finally, $F N_{j}$ sends message $M_{4} = {N'_{X}, V_{4}}$ to $V_{i}$ .

$V_{i}$ receives ${N'_{X}, V_{4}}$ , then calculates $N_{2} \oplus N_{3} \oplus HI D_{j} = = h (HI D_{i} ∥ N_{1}) \oplus N'_{X}$ , $SK = h (N_{1} \oplus N_{2} \oplus N_{3} \oplus HI D_{j} \oplus HI D_{i})$ , $V_{4}^{*} = h (HI D_{i} ∥ K_{V} ∥ SK)$ , and checks $V_{4}^{*} \overset{?}{=} V_{4}$ . If equal, it means that $V_{i}$ believes that $F N_{j}$ and $CS$ are legal. Otherwise, the authentication process is terminated. Finally, $V_{i}$ updates $K_{V} = K_{V} + 1$ .

Figure 2.

Cryptanalysis of Wu et al.’s protocol

This section focuses on various security flaws in the attacker model, Wu et al.’s protocol. Wu et al. claimed that it is secure against common attacks and is safe and efficient. However, we show that Wu et al.’s protocol does not resist insider attacks and smart card theft attacks and does not ensure perfect forward security.

Threat model

In this study, we define a potential attacker as $A$ . He may be an external attacker who listens to or intercepts data, or a staff member or privileged user inside the server or fog node. When $A$ acts as an external attacker, he can eavesdrop and intercept messages in the public channel without being detected by the subject protocol, can send or forge messages, and can participate in the operation of the protocol as a legitimate protocol participant. This is partially similar to the capabilities of the attacker assumed by the $D - Y$ model. When $A$ acts as an insider attacker, he may have some privilege to access parts of the server or fog node as part of the system participants. Based on existing research, we assume that $A$ has the following capabilities:

$A$ can eavesdrop and intercept information transmitted through the public channel, and can forge, modify, delete, redirect, or replay messages transmitted through the public channel.¹⁸

When a smart card or vehicle is lost or stolen, $A$ can obtain the parameters and useful information that is stored in a smart card or vehicle.¹⁹

$A$ may be a legitimate but malicious administrator or privileged user.²⁰

Insider attack

In an insider attack, the server can also be used as an attacker to steal user information, for example, by collecting the identifier and password submitted by the user during the registration phase and by collecting information from the user’s smart card.²¹

Assuming that $A$ is an internal person, he can obtain the information stored in the smart card ${α_{i}, P_{i}, r_{i}, K_{V}}$ . The attacker can guess the password repeatedly, calculate the authentication value, and complete the password guessing through the following steps:

Step 1: $A$ intercepts the information $A_{1}$ and $PI D_{i}$ transmitted to the common channel, and then calculates that $N_{1}$ passes $A_{1} = N_{1} \oplus PI D_{i}$ .

Step 2: because $A$ obtains $A_{1}, r_{i}$ , and $N_{1}$ , $A$ can try to enter the value of $I D_{i}$ to calculate $A_{1}^{*} = h (I D_{i} ∥ r_{i}) \oplus N_{1}$ .

Step 3: $A$ compares and verifies the calculated $A_{1}^{*}$ with $A_{1}$ to obtain $I D_{i}$ .

Step 4: after $A$ obtains $I D_{i}$ , $A$ also knows $P_{i}$ , thus, he calculates $P_{i}^{*} = h (I D_{i} ∥ PS W_{i} ∥ r_{i})$ and verifies $P_{i}^{*} = P_{i}$ . If the verification is successful, $A$ obtains $I D_{i}$ and $PS W_{i}$ .

Therefore, attacker can complete the password guessing.

Lack of perfect forward security

Forward security means that the leakage of a long-used master key does not lead to the leakage of a past session key $SK$ . Forward security protects communications performed in the past from the threat of future exposure of passwords or keys.^22,23

We assume that the attacker can steal $M_{1} = {A_{1}, V_{1}, I D_{CS}, PI D_{i}}$ , $M_{2} = {PI D_{i}, PFI D_{j}, A_{2}, V_{1}, V_{2}}$ , and $M_{3} = {N'_{X}, N'_{Y}, V_{3}, V_{4}}$ in the login and mutual authentication phases because they are transmitted over a common channel. The attacker can calculate session key $SK$ using the following steps:

Step 1: the attacker can obtain $K_{CS}$ by the first attack, and then obtain $HI D_{i}$ by calculating $h (PI D_{i} ∥ K_{CS})$ .

Step 2: obtain $N_{1}$ by calculating $A_{1} \oplus PI D_{i}$ .

Step 3: obtain $(N_{2} \oplus N_{3} \oplus HI D_{j})$ by calculating $h (HI D_{i} ∥ N_{1}) \oplus N'_{X}$ .

Therefore, the attacker can calculate the correct session key $SK = h (N_{1} \oplus N_{2} \oplus N_{3} \oplus HI D_{j} \oplus HI D_{i})$ .

Smart card theft attack

A smart card theft attack occurs when secret information stored on a smart card is obtained by some unethical means, and the attacker uses the information obtained to crack the session key or cause damage to the protocol.²³

We assume that the attacker steals the smart card and obtains ${α_{i}, P_{i}, r_{i}, K_{V}}$ . The attacker can steal $M_{1} = {A_{1}, V_{1}, I D_{CS}, PI D_{i}}$ , $M_{2} = {PI D_{i}, PFI D_{j}, A_{2}, V_{1}, V_{2}}$ , and $M_{3} = {N'_{X}, N'_{Y}, V_{3}, V_{4}}$ in the login and mutual authentication phase because they are transmitted over a common channel. The attacker can calculate session key $SK$ using the following steps:

Step 1: the attacker can obtain $PS W_{i}$ by the first attack, and then obtain $HI D_{i}$ by calculating $α_{i} \oplus h (PS W_{i} ∥ r_{i})$ .

Step 2: obtain $N_{1}$ by calculating $A_{1} \oplus PI D_{i}$ .

Step 3: obtain $(N_{2} \oplus N_{3} \oplus HI D_{j})$ by calculating $h (HI D_{i} ∥ N_{1}) \oplus N'_{X}$ .

Therefore, the attacker can calculate the correct session key $SK = h (N_{1} \oplus N_{2} \oplus N_{3} \oplus HI D_{j} \oplus HI D_{i})$ .

The proposed protocol

In this section, we elaborate the various components of the protocol. First, the protocol involves three constituent entities as follows: (1) the vehicle $V_{i}$ , (2) the fog node $F_{j}$ , and (3) the cloud server $CS$ . $V_{i}$ can establish a session key $SK$ with the cloud server via the fog node, and then $CS$ can exchange information to obtain useful information, such as real-time road conditions and weather conditions. $F_{j}$ is the equivalent of a trusted intermediary between $V_{i}$ and $CS$ , which verifies the legitimacy of $CS$ , accepts authentication and requests from $V_{i}$ and sends them to $CS$ or receives feedback from $CS$ and sends them to $V_{i}$ . $CS$ has the function of processing data, saving and transmitting information, and it plays an important role in the protocol. $CS$ registers the legal identity of $V_{i}$ and $F_{j}$ in the registration phase and provides legal authentication and key establishment for $V_{i}$ and $F_{j}$ in the authentication phase. The protocol consists of the following parts: (1) vehicle registration phase, (2) fog node registration phase, and (3) login and mutual authentication phase. Table 2 lists the symbols used in the protocol.

Table 2.

Notations used in the improved protocol.

Symbol	Description
$V_{i}$	The ith vehicle
$F_{j}$	The jth fog node
$CS$	Cloud server
$VI D_{i}, VP W_{i}$	Identities of $V_{i}$ , password of $V_{i}$
$FI D_{j}$	Identities of $F_{j}$
$K_{fc}$	Shared key of $F_{j}$ and $CS$
$K_{C}$	Secret key of $CS$
$SK$	Session key
$T_{i}$	The ith timestamp
$h (\cdot)$	Hash function
⊕	Bit-wise XOR operation
∥	Concatenate operation

Vehicle registration phase

In the $V_{i}$ registration phase, $V_{i}$ sends the registration request to the $CS$ over a secure channel, and the $CS$ then computes a series of messages and returns them to $V_{i}$ , allowing $V_{i}$ to obtain a legitimate identity. The process diagram for this phase is shown in Figure 3, and the steps are detailed as follows:

First, $V_{i}$ selects and enters his identity $VI D_{i}$ and password $VP W_{i}$ , and then $V_{i}$ transmits ${VI D_{i}}$ to the $CS$ via a secure channel.

Following receipt of the information from $V_{i}$ , $CS$ generates the random number $r_{2}$ and computes $HI D_{i} = h (VI D_{i} ∥ r_{2})$ and $RI D_{i} = h (K_{c} ∥ r_{2}) \oplus HI D_{i}$ , and then stores ${RI D_{i}, r_{2}}$ in its own memory and subsequently transmits the random number ${r_{2}}$ to $V_{i}$ via a secure channel.

Following receipt of the information from $CS$ , $V_{i}$ generates a random number $r_{1}$ and then computes $P_{i} = h (VI D_{i} \oplus VP W_{i} ∥ r_{1})$ and $A_{1} = h (VP W_{i} ∥ r_{1}) \oplus r_{2}$ and stores ${A_{1}, P_{i}, r_{1}}$ in the smart card. The $V_{i}$ registration phase is complete.

Figure 3.

V_i registration phase.

Fog node registration phase

In preparation for the authentication phase, $F_{j}$ sends a registration request to the $CS$ and registers as a legitimate fog node. The detailed process diagram of this phase is shown in Figure 4, and the detailed steps are as follows:

$F_{j}$ selects a unique identity $FI D_{j}$ and then transmits ${FI D_{j}}$ to the $CS$ through a secure channel.

After receiving the message from $F_{j}$ , $CS$ generates a random number $r_{4}$ and calculates $RFI D_{j} = FI D_{j} \oplus K_{c}$ and $K_{fc} = h (FI D_{j} ∥ r_{4} \oplus K_{c})$ . Then, $CS$ stores $r_{4}$ into memory according to its $RFI D_{j}$ counterpart and subsequently transmits the message ${K_{fc}, RFI D_{j}}$ to $F_{j}$ through a secure channel.

Once $F_{j}$ receives the information from $CS$ , he generates the random number $r_{3}$ and then starts computing $A_{2} = K_{fc} \oplus h (FI D_{j} ∥ r_{3})$ , preferably storing ${A_{2}, RFI D_{j}, r_{3}}$ in his own memory. This completes the $F_{j}$ registration phase.

Figure 4.

F_j registration phase.

Login and authentication phase

In the login and mutual authentication phase, the on-board login device verifies the correctness of the identifiers ${VID}_{i}^{*}$ and ${VPW}_{i}^{*}$ entered by $V_{i}$ , and only those $V_{i}$ that pass the verification will be allowed to use the system. During the mutual authentication phase, $V_{i}$ , $F_{j}$ , and $CS$ negotiate a common session key $SK$ to allow for quick information sharing during subsequent use. This phase is the most important stage of the protocol, and the detailed process is described in Figure 5, and the detailed steps are described as follows:

First, the on-board device verifies the correctness and legitimacy of the user, $V_{i}$ inputs ${VID}_{i}^{*}$ and ${VPW}_{i}^{*}$ , calculates $P_{i}^{*} = h ({VID}_{i}^{*} ∥ {VPW}_{i}^{*} ∥ r_{1})$ and then verifies that $P_{i}^{*} \overset{?}{=} P_{i}$ . If they are equal, authentication is successful; otherwise, login is denied.

After completing verification, $V_{i}$ computes $r_{2} = A_{1} \oplus h (VP W_{i} ∥ r_{1})$ and $HI D_{i} = h (VI D_{i} ∥ r_{2})$ , and then generates a random number $R_{1}$ and timestamp $T_{1}$ . It encapsulates $R_{1}$ into $B_{1}$ by computing $B_{1} = h (HI D_{i} ∥ r_{2}) \oplus R_{1}$ and then computes $V_{1} = h (HI D_{i} ∥ r_{2})$ and subsequently transmits the message $Ms g_{1} = {B_{1}, V_{1}, T_{1}}$ to $F_{j}$ through the common channel.

Immediately after receiving the message $Ms g_{1}$ from $V_{i}$ , $F_{j}$ verifies the timestamp parameter $T_{1}$ by computing $| T_{1} - T_{c} | \overset{?}{≦} Δ T$ , then generates the random number $R_{2}$ and timestamp $T_{2}$ , computes $K_{fc} = A_{2} \oplus h (FI D_{j} ∥ r_{3})$ , $B_{2} = h (K_{fc} ∥ FI D_{j}) \oplus R_{2}$ , and $V_{2} = h (FI D_{j} \oplus K_{fc})$ , and finally the message $Ms g_{1} = {RFI D_{j}, B_{1}, B_{2}, V_{1}, V_{2}, T_{2}}$ is transmitted to the $CS$ via the common channel.

After receiving the message $Ms g_{2}$ from $F_{j}$ , $CS$ verifies the timestamp $T_{2}$ and calculates $FI D_{j}$ , $FI D_{j} = RFI D_{j} \oplus K_{c}$ , $K_{fc} = h (FI D_{j} ∥ r_{4} \oplus K_{c})$ , $HI D_{i} = RI D_{i} \oplus h (K_{c} ∥ r_{2})$ , $V_{1}^{*} = h (HI D_{i} ∥ r_{2})$ , and $V_{2}^{*} = h (FI D_{j} \oplus K_{fc})$ , and then verifies that $V_{1}^{*} \overset{?}{=} V_{1}$ to authenticate the legitimacy and validity of $V_{i}' s$ identity by verifying that $V_{2}^{*} \overset{?}{=} V_{2}$ to determine the legitimacy of the identity of $F_{j}$ . Then, $CS$ computes $R_{1} = B_{1} \oplus h (HI D_{i} ∥ r_{2})$ and $R_{2} = B_{2} \oplus H (K_{fc} ∥ FI D_{j})$ to generate a random number $R_{3}$ and timestamp $T_{3}$ . Once this is complete, $CS$ generates the session key $SK$ , $SK = h (HI D_{i} \oplus FI D_{j} \oplus R_{2} \oplus R_{3} ∥ R_{1})$ . Then calculate $B_{3} = h (FI D_{j} \oplus K_{fc}) \oplus (HI D_{i} \oplus R_{3} ∥ R_{1})$ , $B_{4} = h (HI D_{i} \oplus r_{2}) \oplus R_{2} \oplus R_{3} \oplus FI D_{j}$ , $B_{5} = h (FI D_{j} \oplus K_{fc}) \oplus h (HI D_{i} ∥ r_{2} \oplus R_{1})$ , and $V_{3} = h (K_{fc} ∥ FI D_{j} \oplus R_{2})$ , and then the message $Ms g_{3} = {B_{3}, B_{4}, B_{5}, V_{3}, T_{3}}$ is sent to $F_{j}$ through the common channel.

After $F_{j}$ receives the message $Ms g_{3}$ , it starts verifying timestamp $T_{3}$ , and if $T_{3}$ passes the verification, the nominal message $Ms g_{3}$ is considered to be a new and valid message. $F_{j}$ then computes $V_{3}^{*} = h (K_{fc} ∥ FI D_{j} \oplus R_{2})$ and verifies that $V_{3}^{*} \overset{?}{=} V_{3}$ . If the verification passes, $CS$ is a trusted server; otherwise, $F_{j}$ rejects the $CS$ request and aborts the protocol process. If it passes, $F_{j}$ computes $HI D_{i} \oplus R_{3} ∥ R_{1} = B_{3} \oplus h (FI D_{j} \oplus K_{fc})$ and $SK = h (FI D_{j} \oplus R_{2} \oplus HI D_{i} \oplus R_{3} ∥ R_{1})$ , and subsequently generates timestamp $T_{4}$ , computes $V_{4} = B_{5} \oplus h (FI D_{j} \oplus K_{fc})$ , and transmits the message $Ms g_{4} = {B_{4}, V_{4}, T_{4}}$ to $V_{i}$ through the common channel.

$V_{i}$ receives the message $Ms g_{4}$ back from $F_{j}$ and verifies the freshness and legitimacy of this message by $| T_{4} - T_{c} | \overset{?}{≦} Δ T$ , and then verifies the legitimacy identity of $F_{j}$ by computing $V_{4}^{*} = h (HI D_{i} ∥ r_{2} \oplus R_{1})$ . If the authentication passes, $V_{i}$ computes the session key $SK = h (B_{4} \oplus h (HI D_{i} \oplus r_{2}) \oplus HI D_{i} ∥ R_{1})$ . By completing the aforementioned steps, the login and authentication phase of the protocol is complete, and a common session key $SK$ is established between the three parties $V_{i}$ , $F_{j}$ , and $CS$ .

Figure 5.

Security analysis

In this section, a formal security analysis, an analysis of security requirements, and a security comparison are performed to demonstrate the security of our proposed scheme. First, the formal analysis uses the real-or-random $(ROR)$ model, and then the analysis of security requirements demonstrates that our proposed protocol is resistant to insider attacks, smart card theft attacks, and ensures perfect forward security. Finally, by comparing the security of our protocol with that of Ma et al.,²⁴ Jia et al.,²⁵ Eftekhari et al.,²⁶ and Wu et al.,¹⁷ we can observe that our protocol is secure and reliable.

Formal security analysis

In this section, the $ROR$ model²⁷ is used to perform a formal security analysis. The $ROR$ model is used to prove the semantic security of the proposed protocol. Using the $ROR$ model, we successfully proved that the session key of the protocol is secure and reliable. Before proving the session key security of the proposed protocol in Theorem 1, we briefly discuss the $ROR$ model.

ROR model

In our $ROR$ model, the attacker is represented by $A$ , and the protocol has three participants: the vehicle, fog node, and cloud server and are represented by $V$ , $F$ , and $CS$ , respectively. Assuming that $F_{all}$ denotes the communication between $A$ and the protocol entity, then $F_{V}^{i}$ denotes that $A$ communicates with the ith instance of the vehicle, $F_{F}^{j}$ denotes that $A$ communicates with the jth instance of the fog node, and $F_{CS}$ denotes that $A$ communicates with the cloud server. The attacker $A$ can also obtain relevant information through the following queries:

$Execute (F_{V}^{i}, F_{F}^{j}, F_{CS}^{k})$ , where $A$ can intercept and obtain information exchanged or transmitted between communicating entities $V$ , $F$ , and $CS$ through the open channel. This query is often used to perform eavesdropping attacks.

$Send (F_{all}, Msg)$ : using this query, $A$ can send a message $Msg$ to any entity in $F_{all}$ and obtain the corresponding feedback. $A$ can perform man-in-the-middle and simulated attacks.

$Hash (String)$ : in this query, $A$ can obtain the corresponding fixed value after executing the query by entering a fixed-length string.

$Corrupt (F_{all})$ : $A$ can send this query to $F_{V}^{i}$ and fetch the private value stored in the smart card of $V_{i}$ . Furthermore, $A$ can send this query to $F_{F}^{j}$ or $F_{CS}$ , which then obtains the long-term private key stored in the cloud server and the temporary information generated by the participant. $A$ can perform forward secrecy attacks, privileged insider attacks, stolen smart card attacks, and vehicle simulation attacks with this query.

$Reveal (F_{all})$ : using this query, $A$ can disclose the session key $SK$ generated between $F_{all}$ entities to $A$ . $A$ can then simulate the known session key to perform the attack.

$Test (F_{all})$ : $A$ can perform this query by flipping a uniformly textured coin ◯. If ◯ is $1$ , the attacker will obtain the correct session key. Otherwise, the attacker will receive a null value.

Theorem $1$ : if ${Adv}_{mathcalA}^{AKE} (xi)$ is a function of the dominance of adversary $mathcalA$ in breaching the $SK$ security of the proposed authenticated key exchange $(AKE)$ protocol, then $q_{hans}$ and $q_{send}$ denote the number of $hash$ queries performed and the $send$ queries performed, respectively. $f$ denotes the length of a user’s identity as well as the password, $C'$ and $b'$ denote the parameters of Zipf,²⁸ and then

$\begin{matrix} {Adv}_{A}^{AKE} (ξ) \leq 2 \max {\frac{C' \cdot q_{send}^{b'}, q_{send}}{2^{f}}} \\ + \frac{q_{send}}{2^{f - 2}} + \frac{3 q_{hash}^{2}}{2^{f - 1}} \end{matrix}$ (1)

Security proof

Proof

In the following proof, we define six games named GM(i), i ∈ [0, 6], and each game has its own rule. We define ${Succ}_{A}^{G M_{i}} (ξ)$ (i = 0, 1, 2, 3, 4, 5, 6) to represent the probability of success of the game under each rule. In addition, “ $A$ ’s advantage in winning a match $G M_{i}$ ” is expressed and defined by ${Adv}_{A, G M_{i}}^{AKE} (ξ)$ . The specific proof procedure is as follows:

$G M_{0}$ : in $G M_{0}$ , this round simulates $A$ for the actual attack, and because the bit ◯ is selected randomly at the start of $G M_{0}$ , we obtain

${Adv}_{A}^{A K E} (ξ) = | 2 {Adv}_{A, G M_{0}}^{AKE} (ξ) - 1 |$ (2)

$G M_{1}$ : $G M_{1}$ adds the $Execute$ operation to $G M_{0}$ , which is equivalent to $A$ intercepting and obtaining information on the public channel { $Ms g_{1}, Ms g_{2}, Ms g_{3}, Ms g_{4}$ }, and $A$ executes the $Test$ operation, thus, we obtain

${Adv}_{A, G M_{1}}^{AKE} (ξ) = {Adv}_{A, G M_{0}}^{AKE} (ξ)$ (3)

$G M_{2}$ : $G M_{2}$ adds the $Send$ operation to $G M_{1}$ , and $A$ can send messages to the entity through the common channel, thus, we can obtain

$| {Adv}_{A, G M_{2}}^{AKE} (ξ) - {Adv}_{A, G M_{1}}^{AKE} (ξ) | \leq \frac{q_{send}}{2^{f}}$ (4)

$G M_{3}$ : $G M_{3}$ adds another $Hash$ operation to $G M_{2}$ , and $A$ can use $hash$ queries to obtain specific values and strings. Using the theory of the birthday paradox, we obtain

$| {Adv}_{A, G M_{3}}^{AKE} (ξ) - {Adv}_{A, G M_{2}}^{AKE} (ξ) | \leq \frac{q_{hash}^{2}}{2^{f + 1}}$ (5)

$G M_{4}$ : in $G M_{4}$ , we have added the partial functionality of the $Corrupt$ operation to $G M_{3}$ that allows $A$ to obtain the long-term key $K_{fc}$ between $CS$ and $F_{j}$ or to crack any random number in the protocol authentication process. Under these conditions, we consider the $A$ threats to the session key $SK$ , verifying that the protocol has perfect forward security and is resistant to known session-specific temporary information attacks.

Perfect forward secrecy: we assume $A$ uses $Corrupt$ queries to obtain the long-term key $K_{c}$ , and then $A$ uses $Execute$ , $Send$ , $Hash$ , and $Corrupt$ operations to attempt to obtain the protocol’s session key $SK$ . After $A$ obtains $K_{c}$ , $A$ can obtain $RFI D_{j}$ in the message $Ms g_{2}$ on the public channel using the $Execute$ operation, and then $FI D_{j} = RFI D_{j} \oplus K_{c}$ to compute $FI D_{j}$ . If $A$ computes $K_{fc}$ , $A$ can compute $R_{2}$ by $R_{2} = B_{2} \oplus H (K_{fc} ∥ FI D_{j})$ . Then, $HI D_{i} \oplus R_{3} ∥ R_{1} = B_{3} \oplus h (FI D_{j} \oplus K_{fc})$ computes $HI D_{i} \oplus R_{3} ∥ R_{1}$ to compute $SK$ . Thus, everything points to $K_{fc}$ , however, as $K_{fc} = h (FI D_{j} ∥ r_{4} \oplus K_{c})$ , $A$ cannot obtain $r_{4}$ ; therefore, he cannot compute $K_{fc}$ , and cannot threaten the protocol $SK$ .

Known session-specific temporary information attacks: we assume $A$ uses the $Corrupt$ query to obtain a random number $R_{2}$ that is most likely to crack $SK$ , and then $A$ uses the $Execute$ operation to obtain the information $B_{2}$ and $B_{3}$ on the common channel. Subsequently, $A$ can calculate $h (K_{fc} ∥ FI D_{j}) = B_{2} \oplus R_{2}$ to obtain $h (K_{fc} ∥ FI D_{j})$ , and then calculate $B_{3} = h (FI D_{j} \oplus K_{fc}) \oplus (HI D_{i} \oplus R_{3} ∥ R_{1})$ to obtain $(HI D_{i} \oplus R_{3} ∥ R_{1})$ . However, $A$ cannot compute or intercept the acquisition of $FI D_{j}$ ; thus, $A$ cannot threaten the protocol $SK$ . As a result, the probability of this round is

$\begin{matrix} | {Adv}_{A, G M_{4}}^{AKE} (ξ) - {Adv}_{A, G M_{3}}^{AKE} (ξ) | \\ \leq \frac{q_{hash}^{2}}{2^{f + 1}} + \frac{q_{send}}{2^{f}} \end{matrix}$ (6)

$G M_{5}$ : in $G M_{5}$ , we have added additional parts of the $Corrupt$ operation to $G M_{4}$ to allow $A$ to access the information stored in the smart card via $V_{i}$ to verify that the protocol is resistant to offline password guessing attacks. We assume that $A$ has access to the information stored on the smart card ${A_{2}, RFI D_{j}, r_{3}}$ , because $A$ has no other useful information about $V_{i}$ , $A$ cannot decrypt the information about $V_{i}$ , thus, cannot compute the session key $SK$ . Using Zipf’s law,²⁸ the probability that $A$ succeeds in guessing the user’s password is 1/2, and the probability that $A$ can successfully guess the user’s password is greater than 1/2 when the number of bits transmitted ends ≤106. Thus, we obtain

$\begin{matrix} | {Adv}_{A, G M_{5}}^{AKE} (ξ) - {Adv}_{A, G M_{4}}^{AKE} (ξ) | \\ \leq \max {C' \cdot q_{send}^{b'}, \frac{q_{send}}{2^{f}}} \end{matrix}$ (7)

$G M_{6}$ : $G M_{6}$ is used to verify that the proposed protocol is resistant to simulation attacks. In $G M_{6}$ , $A$ issues a $h (FI D_{j} \oplus R_{2} \oplus HI D_{i} \oplus R_{3} ∥ R_{1})$ query to determine whether it is possible to obtain $SK$ . Here, the game was aborted. Thus, we can obtain the possibility of $G M_{6}$ as

$| {Adv}_{A, G M_{6}}^{AKE} (ξ) - {Adv}_{A, G M_{5}}^{AKE} (ξ) | \leq \frac{q_{hash}^{2}}{2^{f + 1}}$ (8)

Because $G M_{6}$ has an equal probability of success and failure, the

${Adv}_{A, G M_{6}}^{AKE} (ξ) = \frac{1}{2}$ (9)

From the aforementioned formula above, we can obtain

$\begin{matrix} \frac{1}{2} {Adv}_{A}^{AKE} (ξ) = | {Adv}_{A, G M_{0}}^{AKE} (ξ) - \frac{1}{2} | \\ = | {Adv}_{A, G M_{0}}^{AKE} (ξ) - {Adv}_{A, G M_{6}}^{AKE} (ξ) | \\ = | {Adv}_{A, G M_{1}}^{AKE} (ξ) - {Adv}_{A, G M_{6}}^{AKE} (ξ) | \\ \leq \sum_{i = 1}^{6} | {Adv}_{A, G M_{i}}^{AKE} (ξ) - {Adv}_{A, G M_{i - 1}}^{AKE} (ξ) | \\ = \max {C' \cdot q_{send}^{b'}, \frac{q_{send}}{2^{f}}} \\ + \frac{q_{send}}{2^{f - 1}} + \frac{3 q_{hash}^{2}}{2^{f}} \end{matrix}$ (10)

Then, we obtain

$\begin{matrix} {Adv}_{A}^{AKE} (ξ) \leq 2 \max {C' \cdot q_{send}^{b'}, \frac{q_{send}}{2^{f}}} \\ + \frac{q_{send}}{2^{f - 2}} + \frac{3 q_{hash}^{2}}{2^{f - 1}} \end{matrix}$ (11)

Thus, we can use the $ROR$ model to demonstrate that our proposed new protocol is resistant to common attacks (such as smart card theft attacks, offline password guessing attacks, man-in-middle attacks, and known session-specific temporary information attacks) and provides perfect forward security.

Analysis of security requirements

This section presents an analysis of our security requirements for the proposed protocol, which shows that our protocol can withstand attacks that the protocol proposed by Wu et al.¹⁷ cannot, as well as other common attacks. In the following, we use $A$ to represent the attacker, as demonstrated by the following:

Resist insider attacks

Assuming $A$ obtains $V_{i}$ in the smart card ${A_{1}, P_{i}, r_{1}}$ , he can attempt to compute $P_{i}^{*} = h ({VID}_{i}^{*} ∥ {VPW}_{i}^{*} ∥ r_{1})$ . However, guessing both $VI D_{i}$ and $VP W_{i}$ is nearly impossible, and $A$ would be unable to obtain the user’s identifier and password by collecting information from the user. Thus, our protocol is resistant to internal attacks.

Ensure perfect forward secrecy

In the protocol, assuming that the long-term key $K_{c}$ of $CS$ is compromised, $A$ can obtain $FI D_{j}$ by calculating $FI D_{j} = RFI D_{j} \oplus K_{c}$ because $RFI D_{j}$ is a public channel transmission. However, $A$ cannot calculate $K_{fc}$ . This is because in $K_{fc} = h (FI D_{j} ∥ r_{4} \oplus K_{c})$ , $A$ cannot obtain the value of $r_{4}$ and cannot compute useful concrete information. Thus, our protocol has a perfect forward security.

Resist stolen smart card attacks

Assuming that $A$ obtains the information in $V_{i}' s$ smart card ${A_{1}, P_{i}, r_{1}}$ . Because $A$ cannot obtain $V_{i}' s$ identifier $VI D_{i}$ and password $VP W_{i}$ , $A$ cannot decrypt the relevant information about $V_{i}$ , and thus, cannot compute the session key $SK$ . Therefore, our protocol is resistant to stolen smart card attacks.

Ensure mutual authentication

During the login authentication phase, $V_{i}$ , $F_{j}$ , and $CS$ can authenticate each other and establish the same session key in a secure manner. The $V_{1}$ in the $Ms g_{1}$ message contains information about $V_{i}$ . $F_{j}$ receives $Ms g_{1}$ and encapsulates $V_{1}$ and its own information $V_{2}$ in $Ms g_{2}$ and transmits it to $CS$ , which authenticates $V_{i}$ and $F_{j}$ by verifying $V_{1}$ and $V_{2}$ . $F_{j}$ can achieve authentication of $CS$ by verifying $V_{3}$ in the message $Ms g_{3}$ , and $V_{i}$ achieves authentication of $F_{j}$ by verifying $V_{4}$ in message $Ms g_{4}$ . Thus, mutual authentication is ensured among the three participants in our protocol.

Ensure user anonymity

In the protocol, we do not use $V_{i}' s$ real identity $VI D_{i}$ but a pseudo-identity $HI D_{i}$ , and no information related to $V_{i}' s$ identity is transmitted on the public channel which effectively protects user privacy. If $A$ wants to trace $V_{i}$ , the timestamped validation also prevents $A$ from using expired feedback to obtain useful information about the user. Thus, our protocol ensures user anonymity.

Resist replay attacks

Replay attacks can occur during any network communication and are one of the common attacks used by hackers in the computer world. It refers to the attacker sending a packet that has already been received by the destination host for the purpose of spoofing the system, and is mainly used in the authentication process to undermine the accuracy of the authentication. In our protocol, we add timestamps $T$ to all messages ${Ms g_{1}, Ms g_{2}, Ms g_{3}, Ms g_{4}}$ , to ensure the timeliness and freshness of the transmitted information, to ensure that the transmission of the message is completed within a valid time, and to prevent the attacker from replaying the message to obtain valid feedback. Thus, our protocol can resist replay attacks.

Resist offline password guessing attacks

In the login and authentication phase, $V_{i}$ must enter both ${VID}_{i}^{*}$ , and ${VPW}_{i}^{*}$ , and then compute $P_{i}^{*} = h ({VID}_{i}^{*} ∥ {VPW}_{i}^{*} ∥ r_{1})$ when logging in. Even if $A$ obtains the information $r_{1}$ in the smart card, it cannot guess both $VI D_{i}$ and $VP W_{i}$ ; thus, $A$ cannot obtain $V_{i}' s$ identifier and password through the guessing attack.

Resist known session-specific temporary information attacks

During the login authentication phase, three random numbers are generated: $R_{1}$ , $R_{2}$ , and $R_{3}$ . These three random numbers are also part of the session key. Assuming that $A$ learns the random number $R_{1}$ , he can only obtain $h (HI D_{i} ∥ r_{2})$ by computing $B_{1} = h (HI D_{i} ∥ r_{2}) \oplus R_{1}$ and nothing else. Assuming that $A$ learns the random number $R_{2}$ , because $B_{2}$ and $B_{3}$ are transmitted on a common channel, $A$ can obtain $h (K_{fc} ∥ FI D_{j})$ by computing $R_{2} = B_{2} \oplus h (K_{fc} ∥ FI D_{j})$ , and then can obtain $HI D_{i} \oplus R_{3} ∥ R_{1}$ by computing $HI D_{i} \oplus R_{3} ∥ R_{1} = B_{3} \oplus h (FI D_{j} \oplus K_{fc})$ . However, $A$ cannot obtain $FI D_{j}$ , and therefore cannot compute $SK$ . We assume that $A$ learns the random number $R_{3}$ ; however, he cannot compute useful information. Therefore, our protocol is resistant to known session-speculative temporary information attacks.

Resist man-in-the-middle attacks

A man-in-the-middle attack is performed by intercepting normal network communication data and performing data tampering and sniffing without the knowledge of the two parties communicating. In the framework environment, $F_{j}$ does not authenticate $V_{i}$ but sends its own authentication information along with that of $V_{i}$ to $CS$ , which promptly authenticates $V_{i}$ and $F_{j}$ . If $A$ tampers with the data during the process, it will be subjected to a double test of the timestamp and $CS$ authentication. Clearly, $A$ will not be able to pass authentication safely and will be denied access. Therefore, our protocol is resistant to man-in-the-middle attacks.

Security comparisons

As shown in Table 3, we compare the security analysis of the protocol and use ✓ and ✗ to indicate whether the protocol meets the relevant security requirements.

Table 3.

Comparisons of security.

Security properties	Ma et al.²⁴	Jia et al.²⁵	Eftekhari et al.²⁶	Wu et al.¹⁷	Ours
Resist insider attacks	✗	✓	✓	✗	✓
Ensure perfect forward secrecy	✓	✓	✗	✗	✓
Resist stolen smart card attacks	✗	✓	✓	✗	✓
Ensure mutual authentication	✓	✗	✓	✓	✓
Ensure user anonymity	✗	✓	✓	✓	✓
Resist replay attacks	✓	✓	✓	✓	✓
Resist offline password guessing attacks	✓	✓	✓	✓	✓
Known session-specific temporary information attacks	✗	✗	✓	✓	✓
Resist man-in-the-middle attacks	✓	✓	✓	✓	✓

As shown in the table, the protocol of Ma et al.²⁴ is considered by Eftekhari et al.²⁶ to be unable to resist insider attacks, provide anonymity and untraceability, and resist known session-specific temporary information attacks and stolen smart card/vehicle attacks. Furthermore, the protocol of Jia et al.²⁵ cannot provide mutual authentication and cannot resist known session-specific temporary information attacks. Therefore, in 2021, Eftekhari et al.²⁶ proposed a security-enhanced three-party pairwise shared key agreement protocol for fog-based vehicle communication. They claimed that they can save approximately 23.65% of the computing costs. However, the protocol of Eftekhari et al.²⁶ cannot guarantee perfect forward secrecy. In addition, Wu et al.¹⁷ proposed a lightweight authentication key protocol based on a fog node in $SIoV$ . In this study, we demonstrated that it cannot guarantee perfect forward security and cannot resist insider attacks and stolen smart card attacks.

Performance evaluation

In this section, we compare the performance of the proposed protocol with the protocol in Table 3, which includes calculation evaluation and communication evaluation. In terms of computing evaluation, we used more real simulation experiments. The use of mobile phones and computers to simulate an environment can more accurately reflect the computing performance of the protocol.

Hardware environment

We used the mobile phone $MEIZU - MX 5$ to simulate the on-board equipment, the computer model $Lenovo - M 715 E$ to simulate the fog node, and the computer model $MSI - GP 63$ to simulate the cloud server. Table 4 shows the platform used for the equipment.

Table 4.

Simulation platform.

Device	$MEIZU - MX 5$	$Lenovo - M 715 E$	$MSI - GP 63$
Operating system	Flyme 6.3.5.0A	Windows 10	Windows 10
CPU	Helio X10 Turbo	Pentium(R)CPU E5500@2.80 GHz	Intel(R) i7-8750HCPU@2.20 GHz
Memory	3 GB RAM	2 GB RAM	24 GB RAM

CPU: central processing unit; RAM: random access memory.

Computation evaluation

Based on the aforementioned platform, we also calculated the following cryptographic operations according to the time consumption: hash function, point encryption, symmetric key encryption/decryption, scalar multiplication, and binary pairing. Here, the time consumption of the XOR operation and connection operation is very small to be ignored, and the abbreviations and consumption times corresponding to various operations are shown in Table 5.

Table 5.

Execution time of basic operation.

Operations	Abbreviation	$MEIZU - MX 5$ (ms)	$Lenovo - M 715 E$ (ms)	$MSI - GP 63$ (ms)
Hash function	$T_{h}$	0.0049	0.0044	0.0025
Point addition	$T_{ad}$	0.4894	0.1723	0.0527
Encryption/decryption	$T_{ed}$	17.213	11.477	8.094
Scala multiplication	$T_{sm}$	7.983	5.889	3.221
Bilinear pairing	$T_{bp}$	21.607	15.532	8.607

To evaluate the calculation cost of the protocol, we divide the time cost of each protocol into four parts: $V_{i}$ , $F_{j}$ , $CS$ , and the total calculation cost, and calculate the time spent in each part to more accurately reflect the performance of the protocol. The specific calculation costs are shown in Table 6. After a detailed comparison, we can observe that the time cost of our protocol is similar to that of Wu et al.;¹⁷ however, our protocol provides higher security and reliability. Compared with Ma et al.,²⁴ Jia et al.,²⁵ and Eftekhari et al.,²⁶ the proposed protocol is much faster and saves considerable computing costs. In addition to saving costs, our protocol can ensure high security, while requiring less time.

Table 6.

Computation cost comparison.

Protocol	$V_{i}$	$F_{j}$	$CS$	Total (ms)
Ma et al.²⁴	$4 T_{h} + 3 T_{sm}$	$4 T_{h} + 4 T_{sm}$	$11 T_{h} + 10 T_{sm}$	19T_h + 17T_sm≈79.7797
Jia et al.²⁵	$6 T_{h} + 2 T_{sm} + 1 T_{bp}$	$4 T_{h} + 2 T_{sm} + 1 T_{bp}$	$11 T_{h} + 3 T_{sm} + 1 T_{bp}$	21T_h + 7T_sm + 3T_bp ≈ 83.2275
Eftekhari et al.²⁶	$11 T_{h} + 3 T_{sm} + 1 T_{ad}$	$12 T_{h} + 3 T_{sm} + 1 T_{ad}$	$15 T_{h} + 3 T_{sm} + 2 T_{ad}$	38T_h + 9T_sm + 4T_ad ≈ 52.1903
Wu et al.¹⁷	$7 T_{h}$	$5 T_{h}$	$11 T_{h}$	23T_h ≈ 0.0838
Ours	$8 T_{h}$	$7 T_{h}$	$11 T_{h}$	26T_h ≈ 0.0975

Communication evaluation

In terms of computation cost evaluation, we define the output of the hash function to account for 160 bits, the random/non-random number as 160 bits, the elliptic curve points as 320 bits, the identifier as 64 bits, and the timestamp as 32 bits. The message sent by $V_{i}$ in our protocol is $Ms g_{1} = {B_{1}, V_{1}, T_{1}}$ and the communication cost is [160+160+32], the message sent by $F_{j}$ is $Ms g_{2} = {RFI D_{j}, B_{1}, B_{2}, V_{1}, V_{2}, T_{2}}$ and $Ms g_{4} = {B_{4}, V_{4}, T_{4}}$ and the communication cost is [160+160+160+160+160+160+160+32+160+160+32], and the $CS$ sends a message with $Ms g_{3} = {B_{3}, B_{4}, B_{5}, V_{3}, T_{3}}$ with a communication cost of [160+160+160+160+160+32], adding up to a total cost of 2208 bits. After our calculation of the message data size transmitted by the protocol in Figure 6 at each stage, the total calculation is shown in Figure 6. At stage $V_{i}$ , our protocol spends the least amount of communication, imposing the least amount of computational stress on the vehicle user. In stage $F_{j}$ , our fog node computational pressure is not significantly different from Wu et al.’s¹⁷ protocol; however, it is much better than other protocols and can reduce communication costs. For the cloud server, the communication cost of our protocol is the same as that of Jia et al.²⁵ and is not much different from that of Wu et al.¹⁷ in terms of overall communication cost, and our protocol is the least expensive in terms of communication cost, which is less than half of that of Ma et al.²⁴ In short, although our protocol has a negligible difference in computational cost compared to Wu et al.’s protocol, we are better than Wu et al.’s protocol in terms of communication cost, not to mention that our protocol has better security than Wu et al.’s protocol and can withstand attacks that Wu et al. cannot. All things considered, our protocol is very efficient and secure.

Figure 6.

Communication cost evaluation.

Conclusion

In this study, we improved the protocol proposed by Wu et al. in social telematics. The improved protocol is a fast and secure authentication protocol based on the fog node that operates in the $SIoV$ , which does not ensure perfect forward security and is not resistant to insider and smart card theft attacks. The improved protocol not only compensates for the vulnerabilities and flaws of the existing protocol and can successfully resist attacks that the original protocol cannot, but can also resist replay attacks, insider attacks, simulated attacks, and more aggressive known session-specific temporary information attacks. It also exhibits excellent performance and efficiency in terms of security and computational cost. Therefore, it can be considered more suitable for use in fog-based $SIoV$ . Contemporary research needs to address not only connected vehicle problems, but also some ancillary classes of problems, such as high precision maps. Currently, there are technical challenges for high precision maps, as well as policy and regulatory challenges, and this aspect is beyond the scope of this article.

In the future, $SIoV$ will become a new starting point and a new pursuit for IoV development. $SIoV$ will help vehicles become fully intelligent and greatly improve the user’s travel experience. We should be thankful that we live in an era of rapid social change, and I hope this article will provide a reference to address the security of $SIoV$ data.

Footnotes

Handling Editor: Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) received no financial support for the research,authorship,and/or publication of this article.

ORCID iD

Chien-Ming Chen

References

Yang

Wang

, et al. An overview of Internet of vehicles. China Commun 2014; 11(10): 1–15.

Sun

, et al. Security and privacy in the Internet of vehicles. In: 2015 international conference on identification, information, and knowledge in the Internet of Things (IIKI), Beijing, China, 22–23 October 2015, pp.116–121. New York: IEEE.

Contreras-Castillo

Zeadally

Guerrero-Ibañez

JA.

Internet of vehicles: architecture, protocols, and security. IEEE Internet Things 2017; 5(5): 3701–3709.

Dandala

Krishnamurthy

Alwan

. Internet of vehicles (IoV) for traffic management. In: 2017 international conference on computer, communication and signal processing (ICCCSP), Chennai, India, 10–11 January 2017, pp.1–4. New York: IEEE.

Ferrag

Maglaras

Janicke

, et al. Authentication protocols for internet of things: a comprehensive survey. Secur Commun Netw 2017; 2017: 6562953.

Chandrakar

Jain

Balivada

, et al. A secure authentication protocol for vehicular ad-hoc networks. In: 2019 IEEE international conference on electrical, computer and communication technologies (ICECCT), Coimbatore, India, 20–22 February 2019, pp.1–7. New York: IEEE.

Liang

, et al. A blockchain-based roadside unit-assisted authentication and key agreement protocol for Internet of vehicles. J Parallel Distr Com 2021; 149: 29–39.

Atzori

Iera

Morabito

SIoT: giving a social structure to the internet of things. IEEE Commun Lett 2011; 15(11): 1193–1195.

Atzori

Iera

Morabito

, et al. The social Internet of things (SIoT)–when social networks meet the internet of things: concept, architecture and network characterization. Comput Netw 2012; 56(16): 3594–3608.

10.

Nitti

Atzori

Cvijikj

IP.

Friendship selection in the social Internet of things: challenges and possible strategies. IEEE Internet Things 2014; 2(3): 240–247.

11.

Shen

Zhou

Wei

, et al. Privacy-preserving and lightweight key agreement protocol for V2G in the social Internet of things. IEEE Internet Things 2017; 5(4): 2526–2536.

12.

Park

Das

, et al. A dynamic privacy-preserving key management protocol for V2G in social Internet of things. IEEE Access 2019; 7: 76812–76832.

13.

Alam

Saini

El Saddik

Toward social Internet of vehicles: concept, architecture, and applications. IEEE Access 2015; 3: 343–357.

14.

Maglaras

Al-Bayatti

, et al. Social Internet of vehicles for smart cities. J Sens Actuator Netw 2016; 5(1): 3.

15.

Butt

Iqbal

Shah

, et al. Social internet of vehicles: architecture and enabling technologies. Comput Electr Eng 2018; 69: 68–84.

16.

Ahmed

Kumari

Saleem

, et al. Anonymous key-agreement protocol for V2G environment within social internet of vehicles. IEEE Access 2020; 8: 119829–119839.

17.

Guo

Yang

, et al. A lightweight authenticated key agreement protocol using fog nodes in social Internet of vehicles. Mob Inf Syst 2021; 2021: 3277113.

18.

Dolev

Yao

On the security of public key protocols. IEEE T Inform Theory 1983; 29(2): 198–208.

19.

Messerges

Dabbish

Sloan

RH.

Examining smart-card security under the threat of power analysis attacks. IEEE T Comput 2002; 51(5): 541–552.

20.

Azam

Yadav

Priyadarshi

, et al. A comprehensive review of authentication schemes in vehicular ad-hoc network. IEEE Access 2021; 9: 31309–31321.

21.

Chen

Chaudhry

, et al. Attacks and solutions for a two-factor authentication protocol for wireless body area networks. Secur Commun Netw 2021; 2021: 3116593.

22.

, et al. A novel three-factor authentication protocol for wireless sensor networks with IoT notion. IEEE Syst J 2020; 15(1): 1120–1129.

23.

Masud

Gaba

Choudhary

, et al. Lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. IEEE Internet Things 2021; 9: 2649–2656.

24.

Wang

, et al. An efficient and provably secure authenticated key agreement protocol for fog-based vehicular ad-hoc networks. IEEE Internet Things 2019; 6(5): 8065–8075.

25.

Jia

Kumar

, et al. Authenticated key agreement scheme for fog-driven IoT healthcare system. Wirel Netw 2019; 25(8): 4737–4750.

26.

Eftekhari

Nikooghadam

Rafighi

Security-enhanced three-party pairwise secret key agreement protocol for fog-based vehicular ad-hoc communications. Veh Commun 2021; 28: 100306.

27.

Abdalla

Fouque

Pointcheval

. Password-based authenticated key exchange in the three-party setting. In: International workshop on public key cryptography, Les Diablerets, 23–26 January 2005, pp.65–84. Berlin: Springer.

28.

Wang

Cheng

Wang

, et al. Zipf’s law in passwords. IEEE T Inf Foren Sec 2017; 12(11): 2776–2791.