Computer Communications
journal homepage: www.elsevier.com/locate/comcom
∗ Corresponding author at: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and
Engineering, Wuhan University, Wuhan 430072, China.
E-mail address: hedebiao@163.com (D. He).
https://doi.org/10.1016/j.comcom.2020.02.067
Received 7 December 2019; Received in revised form 25 January 2020; Accepted 23 February 2020
Available online 29 February 2020
0140-3664/© 2020 Elsevier B.V. All rights reserved.
Y. Zhang, D. He, L. Li et al. Computer Communications 154 (2020) 455–464
of calculating the solution to a specific mathematical problem insecure. On the other hand, with their limited resources, drones cannot execute complex operations on large datasets [13,14]. Thus, the operations drones execute in the authentication phase should be sufficiently lightweight. In that case, it is critical to achieve authentication between drones and users (controllers) before sharing the collected data, which should also satisfy the confidentiality requirement at the same time.

In the existing literature, symmetric cryptography was usually used to implement lightweight authentication schemes. However, it does not support user anonymity. Subsequently, public key infrastructure (PKI) was also pointed out to be unsuitable for the IoD environment owing to its complex certificate management. Identity-based cryptography (IBC), with the user's identity (e.g. email address, phone number) serving as his/her public key, is probably the appropriate option.

The key contributions of this paper are listed as follows:

• We propose a lightweight and efficient AKA scheme for the IoD architecture, in which only a secure one-way hash function and bitwise XOR operations are used.
• The proposed scheme satisfies mutual authentication and AKA-security by means of provable security, and can withstand various known attacks, as shown by informal security analysis. The security comparison demonstrates that our proposed scheme provides better security.
• In terms of communication and computation cost, the proposed scheme has better functionality features than the other two schemes in [15,16].

The remaining parts of this paper are organized as follows. We review some related literature on existing AKA schemes in Section 2. Section 3 describes the network model and the security requirements that the proposed scheme needs to meet. In Section 4 we depict the proposed AKA scheme, whose security analysis is described in Section 5. We compare our proposed scheme with the schemes in [15,16] in terms of communication cost and computation cost in Section 6. Section 7 concludes the paper.

2. Related work

An AKA scheme allows participants to generate a common session key via an insecure channel while they mutually authenticate each other. The scheme of remote authentication on the basis of a password was introduced by Lamport for the first time [17]; only a one-way hash function was needed in the whole scheme. Inspired by this seminal work, many more secure authentication schemes and analyses were proposed in various environments [18–21].

Turkanović et al. [22] were the first to put forward a novel AKA scheme between users and nodes without the help of a gateway node. The scheme befits resource-limited nodes owing to its use of a hash function and bitwise XOR operations. However, Farash et al. [23] pointed out that Turkanović et al.'s scheme cannot resist the man-in-the-middle attack and the node impersonation attack, and also cannot provide node anonymity and user traceability. Farash et al. proposed a new and improved AKA scheme to overcome the drawbacks of Turkanović et al.'s scheme.

Unfortunately, Amin et al. [24] also found some security weaknesses in Farash et al.'s scheme, such as the known specific temporary information attack, the off-line password guessing attack, the user impersonation attack and so on. Amin et al. designed a robust AKA scheme based on smart cards. Later, Jiang et al. [25] showed that Amin et al.'s scheme suffers from the smart card lost attack and the off-line password guessing attack. Challa et al. [26] put forward a new signature-based AKA scheme using elliptic curve cryptography. Along with the security of the scheme comes increased communication and computation overhead compared with schemes not using elliptic curve cryptography.

However, there is a certificate management problem in traditional PKI and a key escrow problem in IBC. In order to address these issues, and also considering that the execution time of the pairing operation [27,28] is much larger than that of other standard operations, several pairing-free certificate-less public key cryptography (CL-PKC) AKA schemes were introduced [29–32]. Nevertheless, none of them were proved to be secure. Thereafter, Seo et al. [33] first put forward a pairing-free certificate-less signcryption tag key encapsulation mechanism (CLSC-TKEM). However, neither the existing CL-AKA schemes nor the CLSC-TKEM schemes have resolved the user revocation issue. That means, once an adversary captures a drone, it can access all the information, no matter whether it has already been collected or is about to be collected.

For the sake of revoking a compromised drone to protect the whole network, Won et al. [34] proposed an efficient and secure certificate-less scheme for drones. They proposed corresponding schemes considering three different communication scenarios of drones. For the first, one-to-one scenario, the authors proposed a CLSC-TKEM which provides mutual authentication and key agreement and satisfies user revocation. For the next, one-to-many scenario, they put forward a multi-recipient encryption scheme through which drones can share sensitive data with multiple smart devices. And for the last, many-to-one scenario, a certificate-less data aggregation scheme allows drones to collect data from numerous smart devices.
Table 1
Summary of notations.

Notation | Description
$U_i$, $V_j$ | The $i$th user and the $j$th drone, respectively
$CS$ | Control server of all users and drones
$ID_i$, $ID_j$ | The identities of the $i$th user and the $j$th drone
$k$, $MSK$ | 160-bit secret value and mask key of $CS$
$n$ | 160-bit public parameter selected by $CS$
$PID_{i,j,s}$ | The pseudonyms of $U_i$, $V_j$ and $CS$, respectively
$\alpha_i$, $\alpha_j$ | The master private keys of $U_i$ and $V_j$, respectively
$r_1$, $r_2$ | 160-bit random numbers of $U_i$ and $V_j$, respectively
$ST_1$ | The current timestamp
$\Delta T$ | The maximum time interval within which a message is accepted
$h(\cdot)$ | Secure one-way hash function, $h : \{0,1\}^* \to Z_n^*$
$\oplus$ | Bitwise XOR operation
$\|$ | Concatenation operation
Fig. 2. The network model of designed framework.
3. System model
• $\mathit{Execute}(U_i, V_j)$: This query models eavesdropping on any message in the public channel. When the adversary executes this query, it obtains all messages exchanged during the process.
• $\mathit{Test}(\Pi^t_\Lambda)$: This query is used to distinguish the real session key from a random key; the adversary can execute it only once. The challenger randomly chooses a bit $b \in \{0, 1\}$ and returns the real session key to the adversary if $b = 1$; otherwise ($b = 0$) it returns a random key of the same size. If the queried instance $\Pi^t_\Lambda$ does not hold a session key, the challenger returns $\perp$ to the adversary.

The adversary may continue to issue $\mathit{Extract}$, $\mathit{Send}$, $\mathit{Reveal}$ and $\mathit{Execute}$ queries after the $\mathit{Test}$ query. The restriction on the adversary is that it cannot issue a $\mathit{Reveal}$ query to the oracle on which the $\mathit{Test}$ query was executed, nor to its partner oracle.

Finally, the adversary outputs $b'$ as a guess of $b$. We say the adversary wins this game (breaks the authentication and key agreement of the proposed scheme $\Sigma$) if $b' = b$. The advantage of the adversary is defined as $adv^{AKA}_\Sigma = |2\Pr[b' = b] - 1|$.

Definition 1 (AKA-Secure). If no probabilistic polynomial-time adversary can win the game with non-negligible advantage $adv^{AKA}_\Sigma$, we say the proposed scheme $\Sigma$ is AKA-Secure.

The adversary breaks the mutual authentication of the proposed scheme $\Sigma$ if it can forge a legal login message, a communication message or a response message. Let $E_{U-CS}$ denote the event that the adversary impersonates the user $U_i$ and generates a login message that is accepted by $CS$, and let $E_{U-V}$ denote the event that the adversary impersonates the drone $V_j$ and generates a response message that is accepted by $U_i$. The advantage of winning this game is defined as $adv^{MA}_\Sigma = \Pr[E_{U-CS}] + \Pr[E_{U-V}]$.

Definition 2 (MA-Secure). If no probabilistic polynomial-time adversary can win the game with non-negligible advantage $adv^{MA}_\Sigma$, we say the proposed scheme $\Sigma$ is MA-Secure.

5.2. Provable security block

We prove that no adversary can forge a legal login message or a legal response message with non-negligible probability. This means the proposed scheme is AKA-secure and MA-secure in this security block.

Lemma. Assume that a probabilistic polynomial-time adversary can compute a legal login message or a legal response message with non-negligible probability. Then there is a challenger that can guess a 160-bit random number successfully with non-negligible probability.
Proof. The challenger selects a 160-bit random number $msk$ and sends the parameters $\{h, n\}$ to the adversary. The challenger generates a hash list $L_h$, initially empty, to record the inputs and outputs of the hash oracles, and selects two challenge drone identities $ID_I$ and $ID_J$ at the beginning. We suppose all the other oracles can be queried after the hash oracles are done. The answers to the queries are as follows:

• $h(x_i)$: The challenger first checks whether $x_i$ exists in the list $L_h$. If it exists, the challenger returns $X_i$ to the adversary; if not, the challenger randomly chooses a number $X_i$, adds $(x_i, X_i)$ to the list $L_h$ and returns $X_i$ to the adversary.
• $\mathit{Extract}(ID_i)$: If $i \neq I, J$, the challenger seeks a tuple $(ID_i \| msk, \alpha_i)$ in the list $L_h$ and returns $\alpha_i$ to the adversary. Otherwise, the challenger rejects the query and aborts the game.
• $\mathit{Send}(\Pi^t_\Lambda, M)$: The adversary can launch this query to simulate an active attack, in four types.
  – $\mathit{Send}(\Pi^t_{U_i}, \mathit{Start})$: The challenger first checks whether $i \neq I$. If they are equal, the challenger seeks the hash list $L_s$ for $U_i$'s secret key $\alpha_i$. With the help of the secret key $\alpha_i$, the challenger chooses a random number $r_1 \in Z_n^*$ and the current timestamp $ST_1$, and computes $(M_1, M_2, M_3, M_4)$. If they are not equal, the challenger randomly selects three numbers $R_1, R_2, R_3 \in Z_n^*$ and sets $M_2 \leftarrow R_1$, $M_3 \leftarrow R_2$, $M_4 \leftarrow R_3$, computes $M_1 = h(PID_s \| ST_1) \oplus PID_I$ and returns $(M_1, M_2, M_3, M_4)$ to the adversary.
  – $\mathit{Send}(\Pi^k_{V_j}, (M_5, M_6, M_7))$: On receiving the message, the challenger first checks whether $j$ and $J$ are equal. If yes, the challenger discards this message, selects two random numbers $R_4, R_5 \in Z_n^*$ and sets $M_8 \leftarrow R_4$, $M_{10} \leftarrow R_5$. Otherwise, the challenger seeks the hash list $L_h$ for the secret key $\alpha_j$ of $V_j$ and processes the scheme as usual.
  – $\mathit{Send}(\Pi^t_{U_i}, (M_8, M_{10}))$: The challenger first checks whether $j \neq J$. If they are equal, the challenger seeks the hash list $L_s$ for $V_j$'s secret key $\alpha_j$. With the help of the secret key $\alpha_j$, the challenger chooses a random number $r_2 \in Z_n^*$ and computes $(M_8, M_{10})$. If they are not equal, the challenger randomly selects three numbers $R_4, R_5, R_6 \in Z_n^*$, sets $r_2 \leftarrow R_4$, $M_8 \leftarrow R_5$, $M_{10} \leftarrow R_6$ and returns $(M_8, M_{10})$ to $U_i$.
• $\mathit{Reveal}(\Pi^t_\Lambda)$: If the instance $\Pi^t_\Lambda$ has been accepted, the challenger returns its correct session key $SK_\Lambda$; otherwise, it returns $\perp$.

Assume that the adversary can compute a legal login message or a legal response message successfully, that is, the answers $(M_1, M_2, M_3, M_4)$ to the $\mathit{Send}(\Pi^t_{U_i}, \mathit{Start})$ query with $i = I$ and $(M_8, M_{10})$ to the $\mathit{Send}(\Pi^k_{V_j}, (M_5, M_6, M_7))$ query with $j = J$ pass the verification by $CS$ and $U_i$. The following events are defined to calculate the advantage of the adversary for convenience.

• $E_1$: The simulation is not aborted.
• $E_2$: The adversary submits a legal login message $(M_1, M_2, M_3, M_4)$ from the $\mathit{Send}(\Pi^t_{U_i}, \mathit{Start})$ query or a legal response message $(M_8, M_{10})$ from the $\mathit{Send}(\Pi^k_{V_j}, (M_5, M_6, M_7))$ query, while $\mathit{Extract}(ID_I)$ and $\mathit{Extract}(ID_J)$ have never been queried.
• $E_3$: $U_i = U_I$ or $V_j = V_J$.
• $E_4$: The challenger can choose the correct tuples from the hash list $L_h$.

Let $q_s$, $q_{L_s}$ and $q_{L_h}$ denote the number of $\mathit{Send}$-queries, $L_s$-queries and $L_h$-queries executed by the adversary. Then
$$\Pr[E_1] \geq \frac{1}{q_s}.$$
It is obvious that
$$\Pr[E_3 \mid (E_2 \wedge E_1)] \geq \frac{1}{q_{L_s}},$$
$$\Pr[E_4 \mid (E_3 \wedge E_2 \wedge E_1)] \geq \frac{1}{q_{L_s}} \cdot \frac{1}{q_{L_s} - 1} \left( \frac{a}{q_{L_h}} + \frac{b}{q_{L_h} - a} \right),$$
in which $a$ is the number of correct tuples in the $\mathit{Send}(\Pi^t_{U_i}, \mathit{Start})$-query and $b$ is the number of correct tuples in the $\mathit{Send}(\Pi^t_{U_i}, (M_8, M_{10}))$-query. Therefore, the challenger guesses the 160-bit random number successfully with the following non-negligible probability:
$$\begin{aligned}
\Pr[E_1 \wedge E_2 \wedge E_3 \wedge E_4] &= \Pr[E_4 \mid E_3 \wedge E_2 \wedge E_1]\,\Pr[E_3 \mid E_2 \wedge E_1]\,\Pr[E_2 \mid E_1]\,\Pr[E_1] \\
&= \frac{1}{q_s} \cdot \frac{1}{q_{L_s}} \cdot \frac{1}{q_{L_s}} \cdot \frac{1}{q_{L_s} - 1} \left( \frac{a}{q_{L_h}} + \frac{b}{q_{L_h} - a} \right) \epsilon.
\end{aligned}$$
However, this contradicts the hardness of guessing a 160-bit random number. That means the adversary cannot generate a legal login message or a legal response message, and drones in the scheme can authenticate each other. □

Theorem 1. The proposed scheme is MA-Secure under the assumption that guessing a 160-bit random number is hard.

From the Lemma, no adversary can generate a legal login message or a legal response message if it is hard to guess the 160-bit random number. Hence the proposed scheme is MA-Secure.

Theorem 2. The proposed scheme is AKA-Secure under the assumption that guessing a 160-bit random number is hard.

Proof. Assume that a probabilistic polynomial-time adversary outputs a correct $b' = b$ with non-negligible probability $\epsilon$ after executing the $\mathit{Test}$-query. Then there is a challenger that can guess a 160-bit random number successfully with non-negligible probability. The following events are defined to calculate the advantage of the adversary for convenience.

• $E_{SK}$: The adversary obtains the correct session key after the $\mathit{Test}$-query.
• $E_U$: The adversary executes a $\mathit{Test}$-query on the instance $\Pi_{V_I}$ successfully.
• $E_V$: The adversary executes a $\mathit{Test}$-query on the instance $\Pi_{V_J}$ successfully.
• $E_{U-CS-V}$: The adversary can break the authentication between the user and the control server $CS$, and the authentication between $U_i$ and $V_j$.

As we know, the probability that the adversary guesses a correct $b$ without any other help information is $1/2$; thus $\Pr[E_{SK}] \geq \epsilon/2$. The following holds:
$$\begin{aligned}
\Pr[E_{SK}] &= \Pr[E_{SK} \wedge E_V] + \Pr[E_{SK} \wedge E_V \wedge E_{U-CS-V}] + \Pr[E_{SK} \wedge E_V \wedge \neg E_{U-CS-V}] \\
&\leq \Pr[E_{SK} \wedge E_U] + \Pr[E_{U-CS-V}] + \Pr[E_{SK} \wedge E_V \wedge \neg E_{U-CS-V}].
\end{aligned}$$
Then we have
$$\Pr[E_{SK} \wedge E_U] + \Pr[E_{SK} \wedge E_V \wedge \neg E_{U-CS-V}] \geq \Pr[E_{SK}] - \Pr[E_{U-CS-V}] \geq \frac{\epsilon}{2} - \Pr[E_{U-CS-V}].$$
Owing to $\Pr[E_V \wedge \neg E_{U-CS-V}] = \Pr[E_V]$, thus
$$\Pr[E_{SK} \wedge E_V] \geq \frac{\epsilon}{4} - \frac{\Pr[E_{U-CS-V}]}{2}.$$
The event $E_{SK} \wedge E_{V_i}$ shows that the adversary impersonates the user $U_i$ and obtains the correct session key successfully. According to the Lemma, $\Pr[E_{U-CS-V}]$ is a negligible probability, so that $\frac{\epsilon}{4} - \frac{\Pr[E_{U-CS-V}]}{2}$ is non-negligible. That means the probability that the adversary obtains the correct session key is non-negligible, which contradicts the hardness of guessing a 160-bit random number. □

In this subsection, we also show that the proposed scheme satisfies the other security requirements described in Section 3.2.

Mutual Authentication: The advantage with which the adversary can forge the legal login message and the response authentication message
is negligible, on the basis of the Lemma in Section 5.2. Thus, $U_i$ and $V_j$ can authenticate each other with the aid of $CS$ by verifying the validity of the transmitted messages. Therefore, the proposed scheme can achieve mutual authentication.

Anonymity: The user's identity $ID_i$ is not transmitted directly in plain text but in a masked form, $PID_i = h(ID_i \| k)$, in our proposed scheme. Moreover, $PID_i$ is embedded in $M_1 = h(PID_s \| ST_1) \oplus PID_i$. On account of the hardness of guessing a 160-bit random number, it is infeasible for the adversary to compute the drone's real identity without knowing the mask key $k$. Therefore, the proposed scheme can guarantee anonymity.

Un-traceability: In the authentication phase, the random nonces $r_1$, $r_2$ and the current timestamp are chosen afresh in each session, so that the messages $(M_1, \ldots, M_{10})$ sent by a participant differ from session to session. The adversary cannot find any relationship among the messages sent by $U_i$ ($CS$/$V_j$) and also cannot trace the sender. Moreover, the real identities and pseudonyms $(ID_w, PID_w)_{w \in \{i, j, s\}}$ are not directly involved in the messages but embedded in a secure one-way collision-resistant hash function. Therefore, the proposed scheme can achieve un-traceability.

Session key Agreement: $U_i$ authenticates $V_j$ by checking the validity of $M_{10}$ and $V_j$ authenticates $U_i$ by checking the validity of $M_7$; thus, $U_i$ and $V_j$ make sure they hold the right random nonces $r_1$ and $r_2$. So they can compute the session key $SK = SK_{ij} = SK_{ji} = h(PID_i \| PID_j \| PID_s \| h(r_1 \| r_2))$ and use it in future communication. Therefore, the proposed scheme can provide secure session key agreement.

Resistance against Various Attacks: We show that our proposed scheme can withstand impersonation attack, server spoofing attack, modification attack, drone capture attack, stolen smart device attack, replay attack, known session key attack and man-in-the-middle attack. The detailed descriptions are as follows.

• Impersonation Attack: Assume that the adversary has captured a legally registered drone, so it knows all the secret information stored in the drone. That is to say, the adversary knows the pseudonyms of drones. Under these circumstances, the adversary may try to impersonate $U_i$ and $V_j$.
  – If the adversary wants to impersonate a legal user $U_i$, it should generate the valid messages $(M_1, M_4)$ and send them to $CS$. Suppose the adversary happens to know the user's pseudonym. The adversary computes a valid $M_1 = h(PID_s \| ST_1) \oplus PID_i$ and $M_4 = h(PID_i \| PID_j \| PID_s \| \alpha_i^* \| r_1)$, where $r_1$ and $\alpha_i^*$ are randomly selected by the adversary as $U_i$'s random nonce and secret key. Upon receiving the message $(M_1, M_4)$, $CS$ first parses $PID_i$ from $M_1$ and retrieves the corresponding secret key $\alpha_i$ from the list $L_s$. Then $CS$ computes $M_4'$ with $\alpha_i$ and checks whether $M_4'$ is equal to $M_4$. However, the adversary does not know the real $\alpha_i$; thus $CS$ can distinguish the impersonated $U_i$ from the real user.
  – If the adversary wants to impersonate a legal drone $V_j$, it should generate the valid message $M_{10}$ and send it to $U_i$. The adversary randomly selects $r_1^*$ and $r_2$ and computes $M_{10} = h(PID_i \| PID_j \| PID_s \| r_1^* \| r_2 \| h(r_1^* \| r_2))$. Upon receiving the message $M_{10}$, $U_i$ calculates $M_{10}'$ with the real random number $r_1$ and checks whether $M_{10}'$ is equal to $M_{10}$. However, the adversary does not know the real $r_1$; thus $U_i$ can distinguish the impersonated $V_j$ from the real drone.
• Server Spoofing Attack: The adversary pretends to be the control server and sends $V_j$ a message $M_7$ intended to pass as legal. The adversary computes $M_7 = h(PID_i \| PID_j \| PID_s \| \alpha_j^* \| r_1)$, where $\alpha_j^*$ is a random number selected by the adversary as $V_j$'s secret key. On receiving the message $M_7$, $V_j$ calculates $M_7'$ with $\alpha_j$ and checks whether $M_7'$ is equal to $M_7$. However, the adversary cannot obtain the real $\alpha_j$; thus $V_j$ can detect the malicious server. Therefore, the proposed scheme can resist the server spoofing attack.
• Modification Attack: The transmitted messages $M_4$ ($M_7$) are composed with the sender's (receiver's) secret key $\alpha_i$ ($\alpha_j$), on the basis of Theorems 1 and 2. $CS$ ($V_j$) can determine whether the message has been modified by checking the equation $M_4 = M_4'$ ($M_7 = M_7'$). Besides, $M_{10}$ contains the receiver's random number $r_1$, so $U_i$ can detect any modification of $M_{10}$ by checking the equation $M_{10} = M_{10}'$. Therefore, the proposed scheme can resist the modification attack.
• Drone Capture Attack: As presented in Sections 1 and 2, drones are vulnerable. Suppose the adversary has captured $c$ drones and obtains their stored and communicated information: $\alpha_j = h(ID_j \| MSK)$, $PID_j = h(ID_j \| k)$, $SK_{ij} = h(PID_i \| PID_j \| PID_s \| h(r_1 \| r_2))$, $j \in \{1, \ldots, c\}$. The master key $MSK$ and the mask key $k$ are embedded in a secure one-way hash function; thus, even though the adversary obtains $3c$ pieces of information, it cannot calculate the correct master key $MSK$ and mask key $k$. Since the session key is composed of pseudonyms and random numbers, the adversary cannot compute the session key of the next communication session without knowing the random numbers. Therefore, the proposed scheme can resist the drone capture attack.
• Stolen Smart Device Attack: Suppose the adversary steals the user's smart device and extracts the stored data $(\alpha_i^m, PID_i^m, PID_j)$ through a side channel attack, in which $\alpha_i^m = \alpha_i \oplus h(ID_i \| PW_i)$ and $PID_i^m = PID_i \oplus h(ID_i \| PW_i)$. The adversary can guess the user's password $PW_i$; however, it cannot verify the correctness of the guess without knowing the user's identity $ID_i$. Therefore, the proposed scheme can resist the stolen smart device attack.
• Replay Attack: Both entities choose random numbers ($r_1, r_2 \in Z_n^*$) and calculate the login message $M_4$ and the response message $M_{10}$. Owing to the freshness of $r_1$ and $r_2$, $CS$, $V_j$ and $U_i$ can distinguish a replayed message from the received messages by checking their validity. Therefore, the proposed scheme can resist the replay attack.
• Known Session Key Attack: Suppose the adversary knows the session key of a particular session. As we know, the session key $SK$ is a hash value of the participants' pseudonyms and the random numbers. On account of the collision-resistant secure one-way hash function, the adversary cannot recover the random numbers from $SK$. And for the other sessions, the adversary cannot compute the right session key without knowing the current random numbers. Therefore, the proposed scheme can resist the known session key attack.
• Man-In-The-Middle Attack: From Section 5.2, we can see that $U_i$ can be authenticated by $CS$ through its secret key, $V_j$ can authenticate $CS$ because $CS$ knows its secret key, and $V_j$ can be identified by $U_i$ through the knowledge of $r_1$. Thus, all the participants can authenticate each other. Therefore, the proposed scheme can resist the man-in-the-middle attack.

5.4. Security comparisons

The comparison of security requirements between the proposed scheme and two recent lightweight authentication schemes [15,16] designed for devices in the Internet of Things is provided in Table 2. In Wazid et al.'s scheme [15], if the adversary is a legal user, he can know all pseudonyms of registered users and obtain what he needs to calculate $SK$ from the message $Msg_3$. Thus, this scheme cannot provide session key agreement. In Singh et al.'s scheme [16], the adversary can calculate the nodes' secret values $S_i$, $S_j$ from the transmitted messages, and then impersonate the nodes. Our proposed scheme satisfies all the security requirements, and has better security than the other two schemes.

6. Performance evaluation

In this section, we demonstrate the performance of our proposed scheme in terms of communication costs and computation costs, and we also compare the results with Wazid et al.'s scheme [15] and
Table 2
Comparison of security requirements.

Requirements | Ref. [15] | Ref. [16] | Our scheme
Mutual authentication | Yes | No | Yes
Anonymity | Yes | No | Yes
Un-traceability | Yes | No | Yes
Session key agreement | No | No | Yes
Impersonation attack | Yes | No | Yes
Server spoofing attack | Yes | – | Yes
Modification attack | Yes | No | Yes
Drone capture attack | Yes | No | Yes
Stolen smart device attack | Yes | – | Yes
Replay attack | Yes | Yes | Yes
Known session key attack | Yes | Yes | Yes
Man-in-the-middle attack | Yes | No | Yes

Table 3
Executing time of various operations (ms).

Operations | User (Drone) side | Server side
$T_f$ | 13.405 | 5.427
$T_h$ | 0.056 | 0.007
$T_{exp}$ | 2.249 | 0.339
$T_{mul}$ | 0.008 | 0.001

Table 4
Comparison of computation cost.

Scheme | User side | Drone side | Server side | Total
Ref. [15] | $1T_f + 16T_h$ (14.301) | $7T_h$ (0.392) | $8T_h$ (0.056) | 14.794
Ref. [16] | $2T_{exp} + 5T_{mul}$ (4.538) | $2T_{exp} + 7T_{mul}$ (4.554) | – | 9.092
Our scheme | $10T_h$ (0.56) | $7T_h$ (0.392) | $7T_h$ (0.049) | 1.001

Table 5
Comparison of communication cost.

Scheme | No. of messages | Communication cost | Length (bits)
Ref. [15] | 3 | $10|Z_n| + 3|ID|$ | 1696
Ref. [16] | 2 | $4|G| + 4|ID|$ | 4256
Our scheme | 3 | $9|Z_n| + |ID|$ | 1472
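The checks that the informal analysis in Section 5.3 relies on ($CS$ recomputing $M_4'$ with the real $\alpha_i$, $V_j$ recomputing $M_7'$ with $\alpha_j$, $U_i$ recomputing $M_{10}'$ with its own $r_1$, the timestamp window $\Delta T$ from Table 1, and the masked device storage $\alpha_i^m$, $PID_i^m$ from the stolen-smart-device argument) can be modelled directly. The following Python is an added example written for this edit, not code from the paper or its authors. It assumes $h$ is SHA-256 truncated to 160 bits, that $CS$'s pseudonym and the user's $\alpha_i$ are formed the same way the page gives for the drone ($PID = h(ID \| k)$, $\alpha = h(ID \| MSK)$), and that $r_1$ and $r_2$ are passed explicitly rather than inside the $M_2$, $M_3$, $M_8$ fields the page does not detail; `ControlServer`, `run`, `device_store` and `device_unmask` are names chosen here. Calling `run()` with each flag shows which party rejects a forged $\alpha_i^*$, a stale timestamp, and an $M_{10}$ modified in transit.

```python
# Added example, not the paper's code: a model of the checks Section 5.3 relies on.
# Assumptions: h is SHA-256 truncated to 160 bits; CS's pseudonym and the user's
# alpha_i are formed like the drone's; r_1 and r_2 are passed explicitly because
# the page does not detail the M_2, M_3, M_8 fields that carry them.
import hashlib
import hmac
import os

HASH_BYTES = 20  # 160-bit values, as in Table 1
DELTA_T = 5      # the paper's Delta T, in seconds; the value is chosen here


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): one-way hash of the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()[:HASH_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width timestamp encoding so the concatenation is unambiguous."""
    return t.to_bytes(8, "big")


class ControlServer:
    """CS holds the mask key k, the master key MSK, PID_s and the secret-key list L_s."""

    def __init__(self):
        self.k = os.urandom(HASH_BYTES)
        self.msk = os.urandom(HASH_BYTES)
        self.pid_s = h(b"CS", self.k)  # assumption: CS's pseudonym is formed like the others
        self.L_s = {}                  # PID -> alpha (the paper's list L_s)

    def register(self, identity: bytes):
        pid = h(identity, self.k)      # PID = h(ID || k)     (anonymity argument)
        alpha = h(identity, self.msk)  # alpha = h(ID || MSK) (drone capture argument)
        self.L_s[pid] = alpha
        return pid, alpha

    def verify_login(self, m1, m4, pid_j, r1, st1, now):
        """CS's check on (M_1, M_4): returns PID_i if accepted, else None."""
        if abs(now - st1) > DELTA_T:                # outside Delta T: treated as a replay
            return None
        pid_i = xor(m1, h(self.pid_s, ts(st1)))     # unmask M_1 = h(PID_s || ST_1) xor PID_i
        alpha_i = self.L_s.get(pid_i)
        if alpha_i is None:                         # unknown pseudonym
            return None
        m4_check = h(pid_i, pid_j, self.pid_s, alpha_i, r1)   # M_4' with the real alpha_i
        return pid_i if hmac.compare_digest(m4_check, m4) else None

    def message_to_drone(self, pid_i, pid_j, r1):
        return h(pid_i, pid_j, self.pid_s, self.L_s[pid_j], r1)   # M_7


def login_message(pid_i, pid_j, pid_s, alpha_i, r1, st1):
    """U_i -> CS: M_1 and M_4 as written in the impersonation-attack discussion."""
    return xor(h(pid_s, ts(st1)), pid_i), h(pid_i, pid_j, pid_s, alpha_i, r1)


def drone_verify_m7(alpha_j, pid_i, pid_j, pid_s, r1, m7):
    return hmac.compare_digest(h(pid_i, pid_j, pid_s, alpha_j, r1), m7)


def response_message(pid_i, pid_j, pid_s, r1, r2):
    return h(pid_i, pid_j, pid_s, r1, r2, h(r1, r2))   # M_10


def user_verify_m10(pid_i, pid_j, pid_s, r1, r2, m10):
    return hmac.compare_digest(response_message(pid_i, pid_j, pid_s, r1, r2), m10)


def session_key(pid_i, pid_j, pid_s, r1, r2):
    return h(pid_i, pid_j, pid_s, h(r1, r2))   # SK = h(PID_i || PID_j || PID_s || h(r_1 || r_2))


def device_store(alpha_i, pid_i, identity, password):
    """Stolen-device argument: the device keeps alpha_i and PID_i masked by h(ID_i || PW_i)."""
    mask = h(identity, password)
    return xor(alpha_i, mask), xor(pid_i, mask)


def device_unmask(alpha_m, pid_m, identity, password):
    mask = h(identity, password)
    return xor(alpha_m, mask), xor(pid_m, mask)


def run(forged_alpha=False, stale_stamp=False, tamper_m10=False):
    """One login/response round; reports which of the three verifiers accept."""
    cs = ControlServer()
    pid_i, alpha_i = cs.register(b"user-001")    # constructed sample identities
    pid_j, alpha_j = cs.register(b"drone-042")
    r1, r2 = os.urandom(HASH_BYTES), os.urandom(HASH_BYTES)
    now = 1_700_000_000
    st1 = now - (DELTA_T + 60) if stale_stamp else now
    # The Section 5.3 adversary knows the pseudonyms but not alpha_i, so it substitutes a random alpha_i*.
    alpha_used = os.urandom(HASH_BYTES) if forged_alpha else alpha_i
    m1, m4 = login_message(pid_i, pid_j, cs.pid_s, alpha_used, r1, st1)
    cs_ok = cs.verify_login(m1, m4, pid_j, r1, st1, now) is not None
    m7 = cs.message_to_drone(pid_i, pid_j, r1) if cs_ok else None
    drone_ok = cs_ok and drone_verify_m7(alpha_j, pid_i, pid_j, cs.pid_s, r1, m7)
    m10 = response_message(pid_i, pid_j, cs.pid_s, r1, r2) if drone_ok else None
    if drone_ok and tamper_m10:
        m10 = xor(m10, b"\x01" + b"\x00" * (HASH_BYTES - 1))   # one bit flipped in transit
    user_ok = drone_ok and user_verify_m10(pid_i, pid_j, cs.pid_s, r1, r2, m10)
    sk = session_key(pid_i, pid_j, cs.pid_s, r1, r2).hex() if user_ok else None
    return {"cs_accepts": cs_ok, "drone_accepts": drone_ok, "user_accepts": user_ok, "session_key": sk}
```

The comparisons use `hmac.compare_digest` so that a verifier does not leak, through timing, how many leading bytes of a forged $M_4$ or $M_{10}$ happened to match. `device_unmask` with a wrong password returns a well-formed but wrong $(\alpha_i, PID_i)$ pair with no local way to tell it apart, which is the page's point that an offline password guess cannot be verified without $ID_i$; the only oracle is $CS$'s online check, which can be rate-limited.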
Fig. 7. Comparison of communication cost.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

The data used to support the findings of this study are available from the corresponding author upon request.

Acknowledgments

This work is partially supported by the National Key Research and Development Program of China (No. 2018YFC1315404), the National Natural Science Foundation of China (Nos. 61972294, 61932016), the Opening Project of Guangdong Provincial Key Laboratory of Data Security and Privacy Protection, China (No. 2017B030301004-11) and the Science and Technology planning project of ShenZhen, China (No. JCYJ20170818112550194).

References

[1] M. Gharibi, R. Boutaba, S.L. Waslander, Internet of Drones, IEEE Access 4 (2016) 1148–1162, http://dx.doi.org/10.1109/ACCESS.2016.2537208.
[2] Y.-J. Chen, L.-C. Wang, Privacy protection for Internet of Drones: A network coding approach, IEEE Internet Things J. 6 (2) (2019) 1719–1730, http://dx.doi.org/10.1109/JIOT.2018.2875065.
[3] S. Aggarwal, N. Kumar, Path planning techniques for unmanned aerial vehicles: A review, solutions, and challenges, Comput. Commun. 149 (2020) 270–299, http://dx.doi.org/10.1016/j.comcom.2019.10.014, URL http://www.sciencedirect.com/science/article/pii/S0140366419308539.
[4] R. Valentino, W.-S. Jung, Y.-B. Ko, A design and simulation of the opportunistic computation offloading with learning-based prediction for unmanned aerial vehicle (UAV) clustering networks, Sensors 18 (11) (2018) 3751.
[5] M. Erdelj, B. Uk, D. Konam, E. Natalizio, From the eye of the storm: An IoT ecosystem made of sensors, smartphones and UAVs, Sensors 18 (11) (2018) 3814.
[6] B. Vergouw, H. Nagel, G. Bondt, B. Custers, Drone technology: Types, payloads, applications, frequency spectrum issues and future developments, in: The Future of Drone Use, Springer, 2016, pp. 21–45, http://dx.doi.org/10.1007/978-94-6265-132-6_2.
[7] S. Saharan, S. Bawa, N. Kumar, Dynamic pricing techniques for intelligent transportation system in smart cities: A systematic review, Comput. Commun. 150 (2020) 603–625, http://dx.doi.org/10.1016/j.comcom.2019.12.003, URL http://www.sciencedirect.com/science/article/pii/S0140366419310990.
[8] N. Kumar, N. Chilamkurti, J.J.P.C. Rodrigues, Learning automata-based opportunistic data aggregation and forwarding scheme for alert generation in vehicular ad hoc networks, 39 (3) (2014) 22–32.
[9] M. Bae, H. Kim, Authentication and delegation for operating a multi-drone system, Sensors 19 (9) (2019) 2066.
[10] R. Kaur, N. Kumar, S. Batra, Trust management in social Internet of Things: A taxonomy, open issues, and challenges, Comput. Commun. 150 (2019) http://dx.doi.org/10.1016/j.comcom.2019.10.034.
[11] C.-T. Li, C.-C. Lee, C.-Y. Weng, A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems, J. Med. Syst. 38 (9) (2014) 77.
[12] C.-T. Li, C.-C. Lee, C.-Y. Weng, C.-I. Fan, An extended multi-server-based user authentication and key agreement scheme with user anonymity, KSII Trans. Internet Inf. Syst. 7 (1) (2013).
[13] Y.-J. Chen, L.-C. Wang, Privacy protection for Internet of Drones: A network coding approach, IEEE Internet Things J. 6 (2) (2018) 1719–1730.
[14] A.S. Sohal, R. Sandhu, S.K. Sood, V. Chang, A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments, Comput. Secur. (2018) S0167404817301827.
[15] M. Wazid, A.K. Das, N. Kumar, A.V. Vasilakos, J.J.P.C. Rodrigues, Design and analysis of secure lightweight remote user authentication and key agreement scheme in Internet of Drones deployment, IEEE Internet Things J. 6 (2) (2019) 3572–3584, http://dx.doi.org/10.1109/JIOT.2018.2888821.
[16] J. Singh, A. Gimekar, S. Venkatesan, An efficient lightweight authentication scheme for human-centered industrial Internet of Things, Int. J. Commun. Syst. (2019) e4189, http://dx.doi.org/10.1002/dac.4189.
[17] L. Lamport, Password authentication with insecure communication, Commun. ACM 24 (11) (1981) 770–772.
[18] J.H. Cheon, K. Han, S.-M. Hong, H.J. Kim, J. Kim, S. Kim, H. Seo, H. Shim, Y. Song, Toward a secure drone system: Flying with real-time homomorphic authenticated encryption, IEEE Access 6 (2018) 24325–24339.
[19] P. Gope, T. Hwang, An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks, J. Netw. Comput. Appl. 62 (2016) 1–8.
[20] P. Gope, T. Hwang, Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks, IEEE Syst. J. 10 (4) (2015) 1370–1379.
[21] C. Wang, Y. Zhu, W. Shi, V. Chang, P. Vijayakumar, B. Liu, Y. Mao, J. Wang, Y. Fan, A dependable time series analytic framework for cyber-physical systems of IoT-based smart grid, ACM Trans. Cyber-Phys. Syst. 3 (2018) 1–18, http://dx.doi.org/10.1145/3145623.
[22] M. Turkanović, B. Brumen, M. Hölbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion, Ad Hoc Netw. 20 (2014) 96–112.
[23] M.S. Farash, M. Turkanović, S. Kumari, M. Hölbl, An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment, Ad Hoc Netw. 36 (2016) 152–176.
[24] R. Amin, S.H. Islam, G. Biswas, M.K. Khan, L. Leng, N. Kumar, Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks, Comput. Netw. 101 (2016) 42–62.
[25] Q. Jiang, S. Zeadally, J. Ma, D. He, Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks, IEEE Access 5 (2017) 3376–3392.
[26] S. Challa, M. Wazid, A.K. Das, N. Kumar, A.G. Reddy, E.-J. Yoon, K.-Y. Yoo, Secure signature-based authenticated key establishment scheme for future IoT applications, IEEE Access 5 (2017) 3028–3043.
[27] S.D. Selvi, S. Vivek, C. Rangan, Certificateless KEM and hybrid signcryption schemes revisited, in: International Conference on Information Security Practice and Experience, Springer, 2010, pp. 294–307.
[28] F. Li, M. Shirase, T. Takagi, Certificateless hybrid signcryption, in: International Conference on Information Security Practice and Experience, Springer, 2009, pp. 112–123.
[29] D. He, J. Chen, J. Hu, A pairing-free certificateless authenticated key agreement protocol, Int. J. Commun. Syst. 25 (2) (2012) 221–230.
[30] M. Geng, F. Zhang, Provably secure certificateless two-party authenticated key agreement protocol without pairing, in: 2009 International Conference on Computational Intelligence and Security, Vol. 2, IEEE, 2009, pp. 208–212.
[31] G. Yang, C.-H. Tan, Strongly secure certificateless key exchange without pairing, in: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ACM, 2011, pp. 71–79.
[32] H. Sun, Q. Wen, H. Zhang, Z. Jin, A novel pairing-free certificateless authenticated key agreement protocol with provable security, Front. Comput. Sci. 7 (4) (2013) 544–557.
[33] S.-H. Seo, J. Won, E. Bertino, pCLSC-TKEM: a pairing-free certificateless signcryption-tag key encapsulation mechanism for a privacy-preserving IoT, Trans. Data Priv. 9 (2) (2016) 101–130.
[34] J. Won, S.-H. Seo, E. Bertino, Certificateless cryptographic protocols for efficient drone-based smart city applications, IEEE Access 5 (2017) 3721–3749.
[35] C.T. Li, C.C. Lee, C.Y. Weng, A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems, J. Med. Syst. 38 (9) (2014) 77.
[36] C.C. Lee, Y.M. Lai, C.T. Chen, S.D. Chen, Advanced secure anonymous authentication scheme for roaming service in global mobility networks, Wirel. Pers. Commun. 94 (3) (2016) 1–16.
[37] P. Vijayakumar, V. Chang, L.J. Deborah, B. Balusamy, P.G. Shynuc, Computationally efficient privacy preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks, Future Gener. Comput. Syst. 78 (2016) 943–955.
[38] R. Amin, S.H. Islam, P. Vijayakumar, M.K. Khan, V. Chang, A robust and efficient bilinear pairing based mutual authentication and session key verification over insecure communication, Multimedia Tools Appl. 77 (13) (2017) 1–26.
[39] D. He, Y. Zhang, D. Wang, K.-K.R. Choo, Secure and efficient two-party signing protocol for the identity-based signature scheme in the IEEE P1363 standard for public key cryptography, IEEE Trans. Dependable Secure Comput. 1 (99) (2018) 1–10, http://dx.doi.org/10.1109/TDSC.2018.2857775.
[40] Q. Feng, D. He, S. Zeadally, N. Kumar, K. Liang, Ideal lattice-based anonymous authentication protocol for mobile devices, IEEE Syst. J. 13 (3) (2018) 2775–2785, http://dx.doi.org/10.1109/JSYST.2018.2851295.
[41] K.Y. Choi, J.Y. Hwang, D.H. Lee, I.S. Seo, ID-based authenticated key agreement for low-power mobile devices, in: Australasian Conference on Information Security and Privacy, Springer, 2005, pp. 494–505.
[42] D. He, S. Zeadally, N. Kumar, W. Wu, Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures, IEEE Trans. Inf. Forensics Secur. 11 (9) (2016) 2052–2064.

Debiao He received his Ph.D. deg in applied mathematics from the School of Mathematics and Statistics, Wuhan University in 2009. He is currently a Professor of the School of Cyber Science and Engineering, Wuhan University. His main research interests include cryptography and information security, in particular cryptographic protocols.

Li Li received her Ph.D. degree in computer science from the Computer School, Wuhan University. She is currently an associate professor at the School of Software, Wuhan University. Her research interests include data security and privacy, applied cryptography and security protocols.