Simulation Modelling Practice and Theory 122 (2023) 102681

Contents lists available at ScienceDirect

Simulation Modelling Practice and Theory

journal homepage: www.elsevier.com/locate/simpat

Authentication methods for internet of vehicles based on trusted

connection architecture
Han Zhang a, Yingxu Lai a, b, *, Ye Chen a
a
Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
b
Engineering Research Center of Intelligent Perception and Autonomous Control, Ministry of Education, Beijing 100124, China

A R T I C L E I N F O A B S T R A C T

Keywords: This paper proposes an authentication protocol based on a trusted connection architecture to
Authentication manage the security and reliability of the cloud service environment during the communication
Trusted computing process, improve the trust of the cloud service platform toward vehicles, and ensure that vehicle
Trusted connection architecture
terminals have reliable access to cloud services. Compared with prior Internet of Vehicle (IoV)
SVO
AVISPA
authentication schemes, our scheme is the first to include platform identification in the authen­
tication process. Based on the characteristics of the trusted connection architecture, the compo­
nents that constitute the platform can be assessed for security by verifying the vehicle platform
identity and platform integrity metrics, thereby eliminating internal threats. In addition, the
protocol proposes an authentication scheme for the IoV environment, in which the trusted au­
thority only needs to generate the user’s partial key based on the identity, thereby avoiding the
key escrow problem common to identity-based cryptosystems. Finally, the scheme is proven to be
highly secure using various approaches, such as Syverson-Van Oorschot (SVO) logical analysis,
simulated authentication via automated validation of internet security protocols and applications
(AVISPA), and informal security analysis. In the identity authentication step, our method has low
computation and communication overhead when compared with other schemes according to the
performance analysis results.

1. Introduction

Wireless communication and information exchange between vehicles and X (people, vehicles, infrastructure, cloud, etc.) in
accordance with protocols and standards is known as the Internet of Vehicles (IoV). In the IoV, cloud services (CS) are particularly
important because of the exponential growth in both the number of vehicles, the data generated by the vehicles [1], and for increasing
the number of possible application services such that the user has a better experience. CS are moving the IoV toward providing more
flexible and diverse services by providing features such as remote storage, data access, and application services. Although the cloud
offers a range of advantages, it also presents problems in terms of security, privacy, availability, reliability, and the performances of
data and services [2,3]. In the process of accessing cloud services, vehicles face risks such as false entities, information eavesdropping,
tampering, and replay [4].
Communication between vehicles and cloud service providers (CSPs) is vulnerable to attacks. If an attacker modifies the content of
the message sent by a vehicle and destroys its integrity, the cloud service platform’s decision will be affected, potentially risking driver

* Corresponding author at: Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China.
E-mail address: laiyingxu@bjut.edu.cn (Y. Lai).

https://doi.org/10.1016/j.simpat.2022.102681
Received 4 June 2022; Received in revised form 29 September 2022; Accepted 16 October 2022
Available online 26 October 2022
1569-190X/© 2022 Elsevier B.V. All rights reserved.
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

safety. In addition, it is difficult for CSPs to distinguish the information resources provided by vehicles. If a malicious vehicle publishes
false information, other entities are likely to be misled by fraudulent messages, which can disrupt the entire traffic environment,
making it difficult for CSPs to trust vehicles [5]. Consequently, the challenges associated with vehicle-cloud communication are
becoming more apparent.
The first challenge is that attackers can steal the legal identities of entities, and the information exchanged between them is
vulnerable to risks including eavesdropping, modification, and replay. Many researchers have suggested public-key infrastructure
(PKI)-based methods to guarantee communication to manage these risks in the IoV. However, PKI-based systems require a certificate
authority (CA) to distribute certificates and maintain a certificate revocation list (CRL), adding to the overhead. Vehicles and CAs also
require sufficient storage capacity for the relevant certificates. Consequently, PKI-based authentication systems are incompatible with
the high-speed dynamic environment of the IoV [6]. Therefore, it is crucial to avoid flaws in PKI-based systems and ensure rapid entity
authentication.
Another challenge is that most existing studies on security solutions for the IoV have overlooked the security authentication of
vehicle platforms. Because vehicle platforms contain several vital components, protecting a vehicle platform also includes securing the
vehicle components [7]. If an attacker compromises the security of a car component and causes it to malfunction, it can negatively
influence the entire vehicle platform and potentially jeopardize driver safety. For example, in-vehicle spoofing attacks involve an
attacker who can replace legitimate components with illegal modular components to control the vehicle by injecting malicious in­
formation. This attack is possible because of the lack of authentication of relevant devices in the vehicle platform [8]. Furthermore, if
an attacker inserts malicious code during a component firmware upgrade, the security of system components may be threatened.
Therefore, the security of components must be verified regularly. Thus, platform security is crucial for ensuring proper vehicle
operation.
This study proposes an authentication scheme suitable for secure communication between vehicles and trusted CSPs to address
these issues. The scheme utilizes an authentication protocol based on a trusted connection architecture, performs communication key
negotiation in addition to mutual authentication, and achieves platform identification after the identity authentication is complete.
The main contributions of this study are as follows.

(1) For the first time, the trusted connection architecture (TCA) was used in the authentication procedure of the IoV environment
considering the security of the vehicle platform. It accomplishes identification and integrity metrics for the platform while
ensuring identity verification, eliminating internal risks, and enabling trusted access to the CSP for car terminals.
(2) Identity-based authentication protocols are designed to avoid complex deployment and maintenance when public-key certif­
icates are employed and to simplify the authentication process. In the identity-based authentication procedure, the problem of
key escrow is overcome while maintaining security.
(3) We use SVO logic to verify the design goals of the proposed scheme, informal security analysis and automated verification tools
for security verification and prove that the scheme is secure against numerous known attacks. The proposed scheme is shown to
be more efficient than alternative schemes using a performance analysis.

The remainder of this paper is organized as follows. Section 2 reviews related studies. Section 3 introduces the threat model used in
this study. Section 4 introduces the system model and relevant background information. The proposed protocol is presented in Section
5. In Section 6, a formal proof using the SVO logic is presented. Section 7 discusses the security features. Section 8 presents a formal
security-verification proof using the AVISPA tool. Section 9 compares the performance of our scheme with those of other schemes.
Finally, Section 10 concludes the paper.

2. Related works

Because the IoV is in an open access environment, which leads to a large number of strange vehicles, it is very important to ensure
the safety and reliability of the IoV. The safety problems of the IoV have been of wide concern, and these safety problems have been
investigated and summarized. It is essential to minimize the access of untrusted entities to the network and ensure the safety and
reliability of the IoV [5].
PKI technology is widely acknowledged and used in the IoV to achieve security goals such as authentication and anti-tampering [9].
This strategy involves preloading many CA-issued certificates in the vehicle’s onboard unit (OBU), and the vehicle randomly selects a
certificate for inter-entity authentication while moving. The sender signs the message with the private key, the receiver obtains the
sender’s public key from a trusted agency (TA), and the TA can track the vehicle’s true identity, if needed. Raya and Hubaux [10]
adopted this approach to ensure effective communication. To safeguard the vehicle’s true identity, [10] improved the traditional PKI
approach by offering an anonymous certificate authentication method in which the anonymous certificate contains no information
about the sender’s true identity. In 2008, Lu et al. [11] introduced a new authentication scheme in which the roadside unit (RSU)
produces temporary anonymous certificates for vehicles, addressing the storage problem while protecting the genuine identity of the
vehicles. Because CRLs must record the revoked public-key certificate, Wasef and Shen [12] devised a hash authentication code to
replace the CRL, thereby dramatically decreasing the retrieval time.
In 1984, Shamir [13] introduced an identity-based cryptosystem to generate a public key based on a user’s identity information and
a private key generator (PKG) to generate the corresponding private key, thereby solving the difficulties of certificate management and
storage. In 2001, Boneh and Franklin proposed an identity-based public-key cryptosystem that uses a bilinear pairing technique. Zhang
et al. [14] applied this strategy to vehicular networking to overcome the issues caused by certificates during the authentication

2
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

procedure. In 2012, Shim [15] designed an identity-based CPAS scheme based on a bilinear pair design. However, bilinear
pair-matching operations require a considerable amount of time. Horng et al. [16] suggested an identity-based batch authentication
approach to accelerate authentication. To improve the performance, Liu et al. [17] proposed an agent-based scheme that significantly
reduces the computational overhead of the RSU when authenticating multiple vehicles in the same area. Lo and Tsai [18] suggested an
identity-based authentication technique that does not require bilinear pairs to reduce the computational overhead. In addition to
identity authentication methods, many outstanding studies have proposed other approaches to achieve basic security. In general, the
dishonest behavior of entities can seriously threaten the security of vehicular networks. To this end, studies have designed a reputation
system that could identify untrusted messages [5,19].
Security is considered a fundamental issue in the IoV [20], where authentication technology is of great interest as the first line of
defense for security. Although identity-based cryptosystems simplify certificate management and storage, most existing identity-based
authentication algorithms are based on bilinear pairs, which have high computational overhead. PKG generates the private keys of all
entities, meaning that most schemes suffer from key escrow. If a PKG is maliciously attacked, the entire system is paralyzed.
Consequently, eliminating key escrows is a pressing issue [21].

3. Threat model

We used the Dolev-Yao threat model to analyze the security of the proposed scheme against various attacks [22]. In this scenario,
the adversary ∧ can read, change, delete, replay, or fabricate information communicated through a common channel between the
related parties. ∧ can also deduce sensitive data through a power analysis attack [23], leading to a range of assaults, such as simulation
attacks.
In addition, we employ the well-known “CK adversary model” [24], ∧, which not only performs all the functions mentioned in the
DY model, but can also compromise sensitive credentials, session keys, and session states. Consequently, the authentication scheme
designed for the IoV must ensure that if the secret is revealed to ∧, the impact on the communicating entity’s confidentiality is minimal
[8]. Despite the powerful adversary mentioned above, it should be noted that TA is a fully trusted entity in the IoV environment. The
vehicle is equipped with a tamper-proof device that prevents ∧ from reading, writing, or deleting content.

4. System model and overview

In this section, the system model of the proposed scheme is explained, followed by the specific security requirements, and finally,
the knowledge associated with TCA technology is presented.

4.1. System model

As shown in Fig. 1, the system model in this study comprises four main types of entities: the vehicle, RSU, CSP, and TA.
Vehicle: Each vehicle is equipped with an OBU that calculates and stores parameters and performs cryptographic operations. The
vehicle requesting access to the cloud service network is equivalent to an access requestor (AR) in the TCA architecture. Access control
is performed based on the local access decisions.
RSU: The RSU has storage and computation capabilities and can also communicate with the vehicle, TA, and CSP within the
communication range. The vehicle can communicate with other entities through the RSU. In the TCA architecture, the RSU serves as
the access controller (AC) and controls vehicle access to the CSP. Access control is performed based on the local access decisions.
CSP: The CSP provides different services for vehicles, such as navigation, smart parking, and traffic status. The vehicle and RSU

Fig. 1. System model.

3
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

perform two-way authentication and platform identification based on the CSP, which serves as the TCA policy manager (PM).
TA: The TA is a fully trusted third party with large computing and storage resources. To obtain the necessary certification pa­
rameters, both the vehicle and RSU must be registered with the TA.

4.2. Security goals

The scheme proposed herein considers the main security requirements that must be satisfied in an authentication scenario [25].

(1) Authentication: Authentication is the first line of defense against external threats, ensuring that the sender’s and receiver’s
identities are legitimate.
(2) Message integrity: This ensures that the messages transmitted by legitimate entities are not tampered with or forged before
being received.
(3) Key agreement: The vehicle and CSP negotiate the session key for encryption/decryption during subsequent communication. A
secure channel is established between the vehicle and CSP, which guarantees that only the vehicle and CSP know each other’s
encrypted information when communicating, and that no other entity can be informed.
(4) Solving the key escrow problem: The PKG does not generate a private key corresponding to each entity.
(5) Forward security: Even if an attacker cracks the session key during the current conversation, it cannot infer the session key of the
prior communication based on the present information.
(6) Unlinkability: Ensures that an attacker cannot utilize intercepted messages to link to the same vehicle.
(7) Resistance to common attacks: The scheme must withstand various attacks, including replay, modification, and collusion
attacks.

4.3. TCA

The TCA is a ternary peer-to-peer architecture developed in China that can be used for terminals and networks equipped with a
trusted platform control module (TPCM). When terminals are linked to the network, the TCA solves the problem of one-way identi­
fication of trusted network connections and performs two-way identity and platform verification to achieve a trusted connection
between terminals and networks [26]. The TCA includes three entities: AR, AC, and PM. AR requests access to the protected network,
AC manages AR’s access, and PM serves as a trusted third party in the authentication process, allowing AR and AC to complete two-way
identity authentication and platform identification [27].
The TCA is separated into three logical layers from top to bottom: the integrity metric, trusted platform evaluation, and network
access layers. The general procedure of the TCA is as follows. The identity of the entity is initially ensured by authentication, and the
platform’s identity and integrity metric values are then checked using platform identification to ensure platform security [27].
Terminals with TPCM can be trusted to connect through the TCA. The Chinese Trusted Computing Standard proposed TPCM as an
innovative solution that can protect data and network security by eliminating the physical channel to prevent malicious code intrusion,
can be designed independently, is no longer subordinate to the central processor, and outperforms the trusted platform module [28,
29].

5. Proposed authentication protocol

This study proposes an authentication system based on a TCA. A platform verification mechanism was added to ensure that the
vehicle terminal was a trusted platform, avoided insider threats, and significantly improved communication security in the IoV
environment. In the authentication phase, the identity-based authentication strategy proposed in [30] is used as a foundation to adapt
this system to the IoV environment while eliminating key escrow. In Table 1, we describe the meanings of the symbols used in the
protocol.
The certification process five phases: system initialization, registration, user login, identity authentication, and platform authen­
tication. This protocol completes the vehicle’s trusted access to the CSP and establishes a secure connection between the vehicle and
CSP.

Table 1
Symbols used in the proposed protocol.
Symbol Description

s System master key

Ppub Public key of the TA
IDi ,IDj Respective IDs of the vehicle and RSU
yi ,yj Respective temporary private keys of the vehicle and RSU
Yi ,Yj Respective temporary public keys of the vehicle and RSU
ki ,kj Temporary private key of CSP
Ki ,Kj Temporary public key of CSP
PKi Session key between the vehicle and CSP
PKj Session key between the RSU and CSP

4
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

5.1. System initialization

The TA chooses a q-order additive group G with generator p. It then selects a random number s ∈ Zq as its system master key and
calculates its corresponding public key Ppub = s • P. The TA chooses two one-way hash functions: H1 and H2 . It then publishes the
system parameters {G,q,P,Ppub ,H2 }. Only the TA utilizes H1 as a hash function during the registration phase. H1 does not need to be sent
to other participants because they do not need this function for calculations at any point. In addition, the attacker cannot obtain the
relevant parameters of the H1 calculation.

5.2. Registration phase

5.2.1. User registration

As shown in Fig. 2, the user Ui submits the ID and PW to the TA through a secure channel. IDi is the unique identification of a
vehicle. The
TA first checks whether the relevant information of the ID, and IDi exists in the database. Otherwise, TA calculates Value =
H2 {ID ‖ PW}, chooses a random number ri ∈ Zq and calculates Ri = ri • P hi = H1 (IDi ,Ri ), and di = ri + shi . {Value, Ri , di } is returned to
the vehicle through a secure channel.

5.2.2. RSU registration

The TA also checks whether the RSU’s related information exists in the database. If not, the TA selects a random number rj ∈ Zq and
calculates Rj = rj • P, hj = H1 (IDj , Rj ), dj = rj + shj , as shown in Fig. 3. The TA stores parameters {Rj , dj } in the TPCM of the RSU.
After the vehicle and RSU registration is completed, the TA calculates Temi = hi • Ppub and Temj = hj • Ppub and needs to only pass
the mapping table of IDi and {Temi , Ri }, IDj , and {Temj , Rj } to the legal CSP.

5.3. User login

Users enter their ID and PW, and the vehicle calculates Value = H2 (ID ‖ PW) and checks whether it is equal to the Value stored in
′

the vehicle. If it is equal, the user logs in successfully.

5.4. Identity authentication phase

The vehicle sends a request to the RSU when the user requests a cloud service. The RSU receives the message, sends an authen­
tication request to the vehicle, and chooses a CSP that satisfies the requirements. Fig. 4 shows how the vehicle and RSU authenticated
the CSP. After authentication, the vehicle can access the cloud service and communicate with the CSP.

Step 1: The vehicle selects two random numbers xi , yi and computes Xi = xi • P, Yi = yi • P and ei = H2 (Ti ,IDi ,Ri ,Xi ), where Ti is an
up-to-date timestamp. It then computes zi = xi + ei di . Finally, the vehicle sends the message {IDi , Yi , Ti , ei , zi } to the RSU.
Step 2: The RSU randomly selects two values xj , yj and calculates Xj = xj • P, Yj = yj • P and ej = H2 (Tj , IDj , Rj , Xj ), where Tj is the
timestamp of the generation. It then computes zj = xj + ej dj . The RSU generates the message {IDj , Yj , Tj , ej , zj } along with the
message sent by the vehicle and transmits it to the CSP.
Step3: The CSP checks the freshness of the timestamp Tj and confirms the value of Temj corresponding to IDj . IDj is considered to be
revoked if a corresponding value cannot be obtained. The TA calculates Xj = zj • P − ej (Rj + Temj )based on Temj and verifies the
′

condition ej =? H2 (Tj ,IDj ,Rj ,Xj ). If equal, the RSU’s identity is legitimate, and the result of Resj for RSU authentication is generated.
′

Fig. 2. User registration.

5
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

Fig. 3. RSU registration.

Fig. 4. Identity authentication.

6
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

The CSP chooses a random number kj , computes Kj = kj • Pand PKj = kj • Yj , and generates the platform identification request and
platform evaluation policy Reqj for the RSU.
Step4: The CSP checks the freshness Ti of the timestamp and the Temi value corresponding to IDi . If a corresponding value cannot be
found, it is assumed to IDi have been revoked. The TA calculates Xi = zi • P − ei (Ri +Temi ) and ei = H2 (Ti , IDi , Ri , Xi ) and determines
′ ′ ′

whether ei is equal to ei . If equal, the identity of the vehicle is legal and generates the result Resi for the vehicle. The CSP randomly
′

selects ki , calculates Ki = ki • Pand PKi = ki • Yi , and generates the platform identification request and platform evaluation policy
Reqi for the vehicle.
Step5: The CSP signs the message {IDi , Resj , Ki , Reqi , Ti } with the private key to obtain Sigi . The CSP generates the corresponding
message {IDj ,Resi ,Kj ,Reqj ,Tj }for the RSU and signs the message sent to the vehicle along with the private key to obtain Sigj . {IDj ,Resi ,
Kj , Reqj , Tj , Sigj , IDi , Resj , Ki , Reqi , Ti , Sigi }is sent to the RSU using the CSP.
Step6: The RSU first checks its timestamp and then verifies its signature Sigj . After successful verification, it checks the authen­
tication result of the vehicle generated by the CSP, calculates the session key PKj = yj • Kj with the CSP, and forwards other
messages {IDi , Resj , Ki , Reqi , Ti , Sigi }to the vehicle. The platform authentication message and platform integrity metric are then
generated based on the request message sent by the CSP.
Step7: The vehicle initially checks the timestamp and signature Sigi for accuracy. The authentication results of the RSU are reviewed
after successful verification. The vehicle computes the session key PKi = yi • Ki and generates platform authentication information
and platform integrity metric.

5.5. Platform certification phase

Based on the CSP’s platform identification request and platform evaluation policy, the vehicle and RSU generate relevant
component information and integrity metrics if the authentication of the vehicle and RSU is successful.

Step1: According to the CSP platform evaluation strategy, the vehicle generates the corresponding component information such as
the manufacturer ID, component type, version, and operational status of the component. To obtain the hashing value, a hashing
algorithm is employed to measure each component of the vehicle. The component information, hash value, and timestamp are sent
to the RSU via PKi encryption.
Step2: Based on the CSP platform evaluation strategy, the RSU produces related component information. To obtain the hashing
value, a hashing algorithm is employed to measure each component of the RSU. The component information, hash value, time­
stamp, and other information sent from the car are encrypted through PKj and transferred to the CSP.
Step3: After receiving the message from the RSU, the CSP decrypts it to verify whether the RSU component information is
acceptable. If it is not, the platform is unreliable. The hash value is then checked against the integrity benchmark value. If they do
not match, the platform is considered unreliable. After successful verification, the RSU platform identification results are
generated.
Step4: The CSP decrypts the vehicle information and confirms whether the component information is qualified. If it is not, the
platform is unreliable. The hash value is then checked against the integrity benchmark value; if they do not match, the platform is
unreliable. After successful verification, the vehicle platform identification results are generated.
Step5: The CSP encrypts the RSU’s platform identification result and timestamp with PKi and delivers it to the RSU together with
the vehicle platform identification result and timestamp encrypted with PKj .
Step6: The RSU decrypts the message, verifies the freshness of the timestamp, checks the vehicle’s platform authentication result,
and terminates the communication with the vehicle if the vehicle’s result is unsuccessful. Otherwise, the vehicle message generated
by the CSP is forwarded to the vehicle.
Step7: The vehicle decrypts the message, confirms the freshness of the timestamp, and analyzes the RSU’s platform identification
result. If the result is unreliable, the vehicle disconnects from the RSU and continues to request access after replacing the RSU.
Step8: Upon successful identification of the platform, the vehicle can communicate with the CSP, and the communication envi­
ronment between the vehicle and CSP is designated as the trusted environment.

Table 2
Symbol and descriptions for SVO logic.
Symbol Description

* Subject received, unidentifiable message

K
̃ K corresponds to the decryption key
{XP }K Encrypted message, in which P is the sender
[X]K Message after signing with K
〈XP 〉r Synthesize the message 〈X〉r
PKψ (P, K) K is the public key of P

7
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

6. Protocol analysis using SVO logic

In this section, a detailed security analysis of the scheme is performed using SVO logic to verify that the security objectives of the
protocol have been achieved and to demonstrate the protocol’s logical security.
SVO logic is widely used in the security analysis of protocols, and its inference rules are the Modus Ponens (MP) and Necessitation
(Nec) rules; some notations are listed in Table 2.
Modus Ponens: From Ψ and φ⊃Ψ, we can deduce Ψ.
Necessitation: From | − φ, we can deduce | − P|≡ φ.

6.1. SVO axioms

The following axioms of SVO logic are applied to the verification process of the scheme.
A0 (P| ≡ φ ∧ P|≡ Ψ) ≡ (P|≡ (φ ∧ Ψ))
A1 P|≡ φ ∧ P| ≡(φ⊃Ψ)⊃P|≡ Ψ
A2 PKσ (Q, K) ∧ R ◃ X ∧ SV(X, K, Y)⊃Q| ∼Y
( ( )) Kpq
A3 PKδ (P, KP ) ∧ PKδ Q, Kq ⊃P⟷Q
A4 P ◃ (X1 , ..., Xn )⊃P ◃ Xi
A5 P ◃ X⊃P϶X
A6 P϶(X1 , ..., Xn )⊃P϶Xi
A7 (P϶Xi ∧ ... ∧ P϶Xn )⊃(P϶F(X1 , ..., Xn ))
A8 #(Xi )⊃#(F(X1 , ..., Xn ))

6.2. Initial assumptions and goals

The initial assumptions and expected goals regarding CSP are as follows (assumptions about the vehicle and RSU can be obtained
similarly).
⃒ ( )
P1 CSP⃒ ≡ PKσ R, Pj
⃒ ( )
P1 CSP⃒ ≡ PKσ R, Pj
P2 CSP|≡ CSP϶wj
⃒ ( ( ))
⃒
P3 CSP⃒ ≡ SV {R, YJ }P− 1 , R, R, Yj
j
(( ⃒ ( ) ( { } )) ( ))
P4 CSP| ≡ R⃒ ∼ PKδ R, Yj ∧ CSP ◃ R, Yj , R, Yj P− 1 ⊃PKδ R, Yj
j
( )
P5 CSP| ≡PKδ CSP, wj
( )
P6 CSP| ≡# wj
( { } )
P7 CSP ◃ R, Yj , R, Yj p− 1
j
( { } )
P8 CSP| ≡CSP ◃ CSP R, Yj , R, Yj p− 1
j
( ⃒ ( ) ( ))
P9 CSP| ≡ R⃒ ∼ R, Yj ⊃R|∼ PKδ R, Yj

Goals: The following are the required goals

( )
CSP|≡ R| ∼ R, Yj

Kj−
CSP| ≡CSP⟷R
( )
CSP| ≡# Kj

6.3. Protocol analysis

The analysis of the proposed scheme applying the SVO logic formalism is conducted as follows:

(1) According to A4 and Nec, the following conclusions are obtained:

( ( { } )) { }
CSP| ≡ CSP ◃ R, Yj , R, Yj P− 1 ⊃CSP ◃ R, Yj P− 1
j j

(2) According to Eq. (1), P8, and A1, the following conclusions can be drawn:

8
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

{ }
CSP| ≡CSP ◃ R, Yj p− 1
j

(3) According to Eq. (2), P1, and P3, the following conclusions can be drawn:
⃒ ( ( ) { } ({ } ( )))
⃒
CSP⃒ ≡ PKσ R, Pj ∧ CSP ◃ R, Yj p− 1 ∧ SV R, Yj p− 1 , R, R, Yj
j j

(4) According to A2 and Nec, the following conclusions are obtained:

( ( ) { } ({ } ( ))) ⃒ ( )
CSP| ≡ PKσ R, Pj ∧ CSP ◃ R, Yj p− 1 ∧ SV R, Yj p− 1 , R, R, Yj ⊃R⃒ ∼ R, Yj
j j

(5) According to Eqs. (3) and (4) and A1 and MP, the following conclusions can be drawn:
( )
CSP|≡ R| ∼ R, Yj

(6) According to Eq. (5), P9, A1, and MP, the following conclusions can be drawn:
( )
CSP|≡ R| ∼PKδ R, Yj

(7) According to Eq. (6), P8, and A0, the following conclusions can be drawn:
( ) ( { } )
CSP| ≡R| ∼PKδ R, Yj ∧ CSP ◃ R, Yj , R, Yj p− 1
j

(8) According to Eq. (7), P4, A1, and MP, the following conclusions can be drawn:
( )
CSP| ≡PKδ R, Yj

(9) According to Eq. (8), P5, A1, and MP, the following conclusions can be drawn:
( ( ) ( ))
CSP| ≡ PKδ R, Yj ∧ PKδ CSP, wj

(10) According to A3 and Nec, the following conclusions are obtained:

(( ( ) ( )) Kj )
CSP| ≡ PKδ R, Yj ∧ PKδ CSP, wj ⊃R⟷CSP

(11) According to Eqs. (9) and (10) and A1, and MP, the following conclusions can be drawn:
Kj
CSP| ≡R⟷CSP,

where the equation of Kj is Kj = F(wj , Yj ) = H(wj , Yj )

(12) According to A5 to A7, and Nec, the following conclusions are obtained:
( ( { } ) )
CSP| ≡ CSP ◃ R, Yj , R, Yj p− 1 ⊃CSP϶Yj
j

(13) According to Eq. (12), P8, A1, and MP, the following conclusions can be drawn:
CSP| ≡CSP϶yj

(14) According to A6, A7, and Nec, the following conclusions are obtained:
(( ) )
CSP| ≡ CSP϶Yj ∧ CSP϶wj ⊃CSP϶Kj

9
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

(15) According to Eq. (13), P2, and A0, the following conclusions can be drawn:
CSP| ≡CSP϶Yj ∧ CSP϶wj

(16) According to Eqs. (14) and (15) and A1, and MP, the following conclusions can be drawn:
CSP| ≡CSP϶Kj

K−j
(17) According to Eqs. (12) and (16) and A1, MP, and CSP| ≡ CSP⟷R, the following conclusions can be drawn:
Kj−
CSP| ≡CSP⟷R

(18) According toKj = F(wj , Yj ) = H(wj , Yj ), A8 and Nec, the following conclusions can be drawn:
( ( ) ( ))
CSP| ≡ # wj ⊃# Kj

(19) According to P6, Eq. (18), Kj , A1, and MP, the following conclusions can be drawn:
( )
CSP| ≡# Kj

Likewise, conclusions similar to those in Eqs. (17) and (19) hold for R. Therefore, the formal analytical result of the scheme is:
Kj− Kj−
CSP| ≡CSP⟷R, R| ≡CSP⟷R
( ) ( )
CSP| ≡# Kj , R| ≡# Kj

The analysis process for the vehicle and RSU is also comparable; therefore, it will not be repeated. These results demonstrate that
the scheme meets the certification goals.

7. Security analysis

This section presents a security analysis of the proposed protocol. We prove that our protocol satisfies these security requirements.

7.1. Authentication

In the proposed scheme, the CSP evaluates the legality of the RSU and vehicle using the formula ex =H2 (Tx , IDx , Rx , Yx , Xx ). The
? ′

platform identification of the RSU and vehicle is performed according to the platform evaluation strategy of the CSP.

7.2. Message integrity

A one-way function creates a data digest and a digital signature generates a digital string that cannot be forged by anyone. The
digital signature is non-repudiated because it is calculated using the sender’s private key.

7.3. Perfect forward secrecy

If the previously negotiated key is unaffected when the current session key is compromised, the current session key is proven to be
forward secure. The formula PK = k • Y, which is constructed using random numbers, yields the session key. Consequently, our
scheme has forward security.

7.4. Key escrow

The protocol does not depend on the TA to establish each entity’s public and private keys. The TA generates only a portion of an
entity’s private keys based on its identity and cannot sign messages on behalf of any entity. The entity calculates and creates the entire
public-private key, which eliminates the key escrow problem.

10
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

7.5. Un-linkability

An attacker cannot access the transmitted secure message, only the transmission ciphertext, and thus, the attacker cannot track the
vehicle as the vehicle and CSP communicate via a negotiated key.

7.6. Replay attack

A timestamp is applied to each transmitted message according to the entire interaction procedure described in this study. When
information is received, the receiver compares the timestamp with the current time and determines whether a threshold value has been
exceeded. Although replay attacks are viable within the threshold, employing a distinct timestamp for each message makes replay
attacks more difficult.

7.7. Collusion attack

The CSP authenticates the identity and platform of the vehicle and RSU to protect communication and prevent the vehicle and RSU
from collaborating to undermine the security and reliability of the CSP.

8. Formal security verification using AVISPA tool

Herein, we perform simulation experiments using the widely accepted AVISPA tool to verify the security of the proposed
authentication scheme. AVISPA is a formal button verification tool with four back-ends, namely "OFMC," "CL-AtSe," "SATMC," and
"TA4MP," that can perform scheme analysis automatically [31].
The HLPSL language provided by AVISPA is used to describe the content of the scheme for formal security authentication [32].
Three fundamental roles (vehicle, rsu, and ta) and two obligatory roles (session and environment) were defined in the HLPSL modeling
implementation of this scheme. The intruder is proclaimed in the environment, revealing the attacker’s ability to attack and play all
lawful entities to communicate according to the session’s specifications.
The IF format is used as the input to any back-end of the tool to produce results in the output format, which displays the simulation
outcomes of the tested scenario as "safe," "unsafe," or "uncertain". Herein, protocols are verified utilizing the AVISPA terminals "OFMC"
and "CL-AtSe," which can perform replay attack testing and Dolev-Yao model checking, as well as detect attacks in protocol-specific
circumstances. The results for the two back-ends are shown in Fig. 5.

9. Performance comparison

In this section, the proposed system is compared with related schemes in the authentication phase, such as those proposed by Liu
et al. [33], Xu et al. [34], and Bagga et al. [23], in terms of both computation and communication overhead. The MIRACL library was
used to evaluate the cryptographic operations required for the computational overhead estimation process. The computational cost is
the time required to conduct the required processes and the communication cost is the number of bits sent across the communication
channel. A 160-bit ECC is employed in the communication protocol.

9.1. Comparison of computation overheads

The bilinear pair, elliptic curve addition, elliptic curve multiplication, and hash function are operations associated with the scheme.
The times required for each operation are denoted as Tbp, Teca, Tecm, and Th, respectively. The execution times for the dissimilarity

Fig. 5. AVISPA Output Results.

11
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

Table 3
Execution times of cryptographic operations.
Operation Description Time(ms)

Th One-way hash function operation 0.01

Tecm Point multiplication operation related to the ECC 5.56
Teca Point addition operation related to the ECC 0.30
Tbp Bilinear pairing operation 44.00

Table 4
Comparison of computation costs of various schemes.
Scheme Total cost Estimated time(ms)

PPDAS 8Tbp + 6Tecm + 14Th 386.76

LEANDER 12Tecm + 4Teca + 7Th 68.62
MAKMS-IoV 12Tecm + 4Teca + 10Th 68.92
Our 10Tecm + 2Teca + 10Th 57.20

Table 5
Comparison of communication costs of various schemes.
Scheme Total cost Estimated time(ms)

PPDAS 22208 bits 7.40

LEANDER 4480 bits 1.49
MAKMS-IoV 2144 bits 0.71
Our 4800 bits 1.60

operation and general multiplication were not considered because their processing times were negligible. The measured running times
of these processes are listed in Table 3. Table 4 compares the computational costs of the schemes to those of other certification systems,
showing the total number of operations and time required for each scheme.

9.2. Comparison of communication overheads

We assume that the identity, timestamp, and hash function outputs are 160, 32, and 256 bits, respectively. The ECC is 160 bits and
the RSA is 1024 bits. A comparison of the communication costs of the schemes and the time required to send this information using the
802.11p protocol are presented in Table 5.
As shown in Tables 4 and 5, the cost of the proposed scheme is slightly higher than those of the other schemes, particularly when the
platform identification process is considered. However, the added overhead does not affect the performance of the proposed scheme, as
evidenced by the computation and transmission times.

10. Conclusions

In this study, we proposed a trusted connection architecture-based authentication protocol that performs identity and platform
authentication across entities to provide dual guarantees for secure communication. We explored the benefits of an identity-based
authentication method and applied it to vehicular networking in the process of identity authentication, thereby overcoming the
key escrow problem and enhancing authentication efficiency. Additional platform authentication enables normal operation of the
vehicle and secure access to the CSP from the source. Security and performance analyses showed that the proposed scheme has robust
security and performance advantages and can be used by the CSP for trusted vehicle authentication. However, this study had several
limitations. Because our scheme considers the security of the physical platform, the platform authentication phase incurs additional
computational and communication overhead. Consequently, the next step is to determine methods to reduce the overhead problem
among participants while maintaining security.

Data Availability

No data was used for the research described in the article.

Acknowledgments

This work was supported by the National Key R&D Program of China (Key Technologies and Applications of Security and Trusted
Industrial Control Systems) [No. 2020YFB2009500] and the Beijing Municipal Natural Science Foundation (No. L192020).

12
H. Zhang et al. Simulation Modelling Practice and Theory 122 (2023) 102681

References

[1] N.W. Hundera, C.J. Jin, M.U. Aftab, et al., Secure outsourced attribute-based signcryption for cloud-based Internet of Vehicles in a smart city, Ann. Telecommun.
76 (2021) 605–616, https://doi.org/10.1007/s12243-021-00833-3.
[2] S. Pešić, M. Ivanović, M. Radovanović, C. Bădică, CAAVI-RICS model for observing the security of distributed IoT and edge computing systems, Simul. Model.
Pract. Theory 105 (2020), 102125, https://doi.org/10.1016/j.simpat.2020.102125.
[3] Y.Y. Bao, W.D. Qiu, X.C. Cheng, J.F. Sun, Fine-grained data sharing with enhanced privacy protection and dynamic users group service for the IoV, IEEE Trans.
Intell. Transp. Syst. (2022) 1–15, https://doi.org/10.1109/TITS.2022.3187980.
[4] G.X. Zhang, X.Y. Zhao, M.L. Chen, et al., Efficient privacy protection authentication protocol for vehicle network in 5G, Concurr. Computat. Pract. Exper.
(2022), https://doi.org/10.1002/cpe.7247.
[5] Z.H. Tian, X.S. Gao, S. Su, et al., Evaluating reputation management schemes of Internet of vehicles based on evolutionary game theory, IEEE Trans. Veh.
Technol. 68 (2019) 5971–5980, https://doi.org/10.1109/TVT.2019.2910217.
[6] I. Ali, Y. Chen, N. Ullah, et al., An efficient and provably secure ECC-based conditional privacy-preserving authentication for vehicle-to-vehicle communication
in VANETs, IEEE Trans. Veh. Technol. 70 (2021) 1278–1291, https://doi.org/10.1109/TVT.2021.3050399.
[7] T. Alladi, S. Chakravarty, V. Chamola, et al., A lightweight authentication and attestation scheme for in-transit vehicles in IoV scenario, IEEE Trans. Veh.
Technol. 69 (2020) 14188–14197, https://doi.org/10.1109/TVT.2020.3038834.
[8] J. Zhang, H. Zhong, J. Cui, et al., SMAKA: secure many-to-many authentication and key agreement scheme for vehicular networks, IEEE Trans. Inf. Forensics
Secur. 16 (2021) 1810–1824, https://doi.org/10.1109/TIFS.2020.3044855.
[9] F. Wang, Y.J. Xu, H.W. Zhang, et al., 2FLIP: a two-factor lightweight privacy-preserving authentication scheme for VANET, IEEE Trans. Veh. Technol. 65 (2016)
896–911, https://doi.org/10.1109/TVT.2015.2402166.
[10] M. Raya, J.P. Hubaux, The security of vehicular ad hoc networks, in: Proceedings of the 3rd ACM Workshop on Security of Ad Hoc And Sensor Networks, ACM,
New York, 2005, pp. 11–21.
[11] R.X. Lu, X.D. Lin, H.J. Zhu, et al., ECPP: efficient conditional privacy preservation protocol for secure vehicular communications, in: Proceedings of the 27th
Conference on Computer Communications, IEEE Publications, 2008, pp. 1903–1911.
[12] A. Wasef, X.M. Shen, EMAP: expedite message authentication protocol for vehicular ad hoc networks, IEEE Trans. Mob. Comput. 12 (2013) 78–89, https://doi.
org/10.1109/TMC.2011.246.
[13] A. Shamir, Identity-based cryptosystems and signature schemes, Adv. Cryptol. 196 (2000) 47–53, https://doi.org/10.1007/3-540-39568-7_5.
[14] C. Zhang, R. Lu, X. Lin, et al., An efficient identity-based batch verification scheme for vehicular sensor networks, in: Proceedings of the 27th Conference on
Computer Communications, IEEE Publications, Arizona, 2008, pp. 816–824.
[15] K.A. Shim, CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks, IEEE Trans. Veh. Technol. 61 (2012)
1874–1883, https://doi.org/10.1109/TVT.2012.2186992.
[16] S.J. Horng, S.F. Tzeng, Y. Pan, et al., b-specs+: Batch verification for secure pseudonymous authentication in VANET, IEEE Trans. Inform. Forensic Secur. 8
(2013) 1860–1875, https://doi.org/10.1109/TIFS.2013.2277471.
[17] Y.L. Liu, L.M. Wang, H.H. Chen, Message authentication using proxy vehicles in vehicular ad hoc networks, IEEE Trans. Veh. Technol. 64 (2015) 3697–3710,
https://doi.org/10.1109/TVT.2014.2358633.
[18] N.W. Lo, J.L. Tsai, An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without bilinear pairings, IEEE Trans. Intell.
Transp. Syst. 17 (2015) 1319–1328.
[19] S. Su, Z.H. Tian, S.Y. Liang, et al., A reputation management scheme for efficient malicious vehicle identification over 5G networks, IEEE Wirel. Commun. 27
(2020) 46–52, https://doi.org/10.1109/MWC.001.1900456.
[20] Z.H. Tian, X.S. Gao, S. Su, J. Qiu, Vcash: a novel reputation framework for identifying denial of traffic service in internet of connected vehicles, IEEE Intern.
Things J. 7 (2020) 3901–3909, https://doi.org/10.1109/JIOT.2019.2951620.
[21] C.X. Shen, H.G. Zhang, D.G. Feng, et al., Overview of information security, Sci. China Press 02 (2007) 129–150. E. Part, Information Science.
[22] D. Dolev, C.C. Yao, On the security of public key protocols, IEEE Trans. Inf. Theory 29 (1983) 198–208, https://doi.org/10.1109/TIT.1983.1056650.
[23] P. Bagga, A.K. Das, M. Wazid, et al., On the design of mutual authentication and key agreement protocol in Internet of vehicles-enabled intelligent
transportation system, IEEE Trans. Veh. Technol. 70 (2021) 1736–1751, https://doi.org/10.1109/TVT.2021.3050614.
[24] R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels, in: Proceedings of the International Conference on the Theory
and Applications of Cryptographic Techniques, 2002, pp. 337–351.
[25] S. Tangade, S.S. Manvi, P. Lorenz, Decentralized and scalable privacy-preserving authentication scheme in VANETs, IEEE Trans. Veh. Technol. 67 (2018)
8647–8655, https://doi.org/10.1109/TVT.2018.2839979.
[26] Y.X. Lai, Y. Liu, J. Liu, Trusted connection protocol between networks, J. Softw. 30 (2019) 3730–3749.
[27] M. Li, Q. Li, G.Q. Zhang, et al., The implementation and application of trusted connect architecture, J. Inf. Sec. Res. 3 (2017) 332–338.
[28] X.F. He, J.F. Tian, F.M. Liu, Survey on trusted cloud platform technology, J. Commun. 40 (2019) 154–163.
[29] J. Liu, L.H. Liu, Z.H. Liu, Y.X. Lai, et al., WSN node access authentication protocol based on trusted computing, Simul. Model. Pract. Theory 117 (2022), 102522,
https://doi.org/10.1016/j.simpat.2022.102522.
[30] S.W. Huo, W.J. Yang, J.Z. Li, et al., New identity-based authentication and key agreement scheme in ad hoc networks, Comput. Sci. 45 (S 1) (2018) 380–382.
[31] AVISPA, Automated validation of internet security protocols and applications [EB/OL], 2021-10-01. https://www.avispa-project.org/.
[32] A.K. Sutrala, P. Bagga, A.K. Das, et al., On the design of conditional privacy preserving batch verification-based authentication scheme for internet of vehicles
deployment, IEEE Trans. Veh. Technol. 69 (2020) 5535–5548, https://doi.org/10.1109/TVT.2020.2981934.
[33] Y.B. Liu, Y.H. Wang, G.H. Chang, Efficient privacy-preserving dual authentication and key agreement scheme for secure V2V communications in an IoV
paradigm, IEEE Trans. Intell. Transp. Syst. 18 (2017) 2740–2749.
[34] C. Xu, H.Z. Liu, Y. Zhang, et al., Mutual authentication for vehicular network in complex and uncertain driving, Neural Comput. Appl. 32 (2020) 6.

13