Introduction
Each year, more than 1 million people are affected by road incidents. Road traffic injury is the ninth leading cause of mortality worldwide and costs more than 2% of world Gross Domestic Product (GDP), or about USD 1 trillion [1], [2]. Besides, congestion wastes massive amounts of fuel and time.
Intelligent transport systems (ITSs) play a highly significant role in the mobility of people in today's digital world. To improve future road traffic, ITSs provide innovative and comprehensive applications for controlling these unpleasant events [3]. Smart vehicles are being built on the rapid development of wireless communication technology [4], [5]. Vehicle manufacturers and telecommunication providers have announced that wireless equipment will become an integral part of each vehicle, allowing it to communicate with other vehicles and with road infrastructure. Such vehicles form a specific kind of ad hoc network in which each vehicle is a network node. These networks are known as vehicular ad hoc networks (VANETs), a type of mobile ad hoc network (MANET) that uses wireless technology for communication among nearby vehicles and with fixed infrastructure [6].
VANET communications are classified as either Vehicle-to-Infrastructure (V2I) or Vehicle-to-Vehicle (V2V). In these communications, each vehicle broadcasts periodic safety-messages carrying its position, speed, heading and traffic events. Because VANET communication is an open broadcast, any vehicle within the coverage area, legitimate or not, receives these safety-messages. This also permits adversaries to modify, alter and replay safety-messages and broadcast them in the system. Broadcasting such changed and forged safety-messages could cause road accidents, traffic disruption and similar harm, which justifies the call for message security to be strengthened. Before VANETs become practical, their security issues must be carefully addressed. The contributions of our proposed scheme in this paper are summarized as follows.
First, an efficient conditional privacy-preserving authentication scheme for securing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. The proposed scheme is shown to satisfy the security requirements set out as design goals for VANETs.
Second, the proposed scheme resists side-channel attacks by regularly updating the critical data stored in the tamper-proof device (TPD) of the vehicle.
Finally, the proposed scheme is more efficient than existing schemes and suitable for areas with high traffic density, since it relies on the one-way hash function and elliptic curve cryptography (ECC).
The remainder of this paper is organized as follows: Section II deals with security schemes for VANETs. Section III introduces the preliminaries of the proposed scheme. Section IV presents the five phases of the proposed scheme. Section V presents the security analysis and comparison of our work in detail. Section VI presents the performance evaluation. Section VII concludes the paper.
Related Work
In this section, we review and discuss related schemes, since VANETs suffer from issues of mutual authentication and conditional privacy preservation. Existing schemes regarding security and privacy are commonly classified into two main categories, as follows.
A. Group-Signature Based Schemes
The core idea of group-signature based schemes is that each group member can sign a safety-message anonymously on behalf of the whole group. Chaum and van Heyst first introduced group signatures [7]. Lin et al. [8] introduced a security scheme based on group signatures for securing V2V communication in vehicular systems. This scheme provides security and privacy without the overhead of managing multiple certificates on the side of the membership manager (MM). Zhang et al. [9] introduced a practical, secure privacy-preserving scheme for value-added applications. In their scheme, the vehicle needs only a member key to generate verifier-local revocation without violating drivers' privacy. Shao et al. [10] designed a threshold anonymous authentication approach to address security and privacy issues in VANETs. This scheme combines the decentralized group model with threshold authentication. Lim et al. [11] introduced a secure and scalable key distribution scheme that uses the domain concept with a number of RSUs for group signature-based authentication.
However, the main limitation of group-signature based schemes is that the certificate revocation list (CRL) grows as the number of revoked vehicles increases. In addition, the vehicle uses two bilinear pairing operations to check each entry in the CRL, which increases the verification computation overhead.
B. Identity Based Schemes
In order to address the limitation of group-signature based schemes, many scholars have proposed identity-based schemes. The core idea of identity-based schemes is that the public key is derived from the identity information, while the TA computes the private key. Shamir first proposed identity-based cryptography in 1984 [18]. Zhang et al. [19], [20] proposed a security and privacy scheme based on bilinear pairing that supports batch authentication, allowing a large number of safety-messages received by other components to be verified simultaneously in VANETs. Lee and Lai [21] and Chim et al. [22] showed that the schemes in [19], [20] have drawbacks, since an OBU could use a false identity and thereby defeat the traceability requirement. Besides, [19], [20] cannot withstand impersonation and replay attacks. Jianhong et al. [23] pointed out some security limitations of the scheme in [21]: for example, it cannot satisfy the non-repudiation and traceability requirements and cannot withstand replay attacks. To address the flaws in the scheme of [21], a secure identity-based scheme was proposed by Jianhong et al. [23]. Bayat et al. [14] pointed out that the authentication scheme of Lee and Lai [21] is insecure against impersonation attacks, and therefore proposed an enhanced authentication scheme. He et al. [15] introduced an identity-based security and privacy scheme for securing communication in vehicular systems. This scheme does not use bilinear pairing in signature verification, since pairing is among the most time-consuming operations in cryptography; instead, signing and verifying safety-messages are based on elliptic curve cryptography (ECC). Azees et al. [24] suggested an authentication scheme to keep attackers out of V2V and V2I communications; the scheme also supports conditional tracking to trace malicious components in VANETs. Zhang et al. [12] proposed an authentication scheme with conditional privacy preservation based on the Chinese remainder theorem (CRT) in VANETs. This scheme uses fingerprints rather than a password and real identity for identity verification. Cui et al. [13] proposed an authentication scheme with conditional privacy preservation based on binary search and cuckoo filters to achieve the highest success rate in batch verification. Bayat et al. [25] suggested an RSU-based scheme in which the TA's private key is loaded into the TPD of the RSUs, since the communication channels between the TA and the RSUs are faster and more secure than loading a private key into each OBU. Al-shareeda et al. [16] proposed a lightweight security scheme without batch verification (LSWBVM), in which single verification can handle the large number of safety-messages broadcast while driving. However, this scheme is vulnerable to various security attacks such as impersonation and modification, because the verifying vehicle uses only a one-way hash function for signature verification. It is also vulnerable to replay attacks, since the timestamp is not included in the safety-message tuple, and it therefore does not satisfy the authentication and integrity requirements of vehicular systems. Besides, it is susceptible to side-channel attacks, because the vehicle's identity stored in the TPD is not updated for a long time. Al-shareeda et al. [17] also suggested a new and efficient conditional privacy-preserving authentication (NE-CPPA) scheme for securing V2V and V2I communications in vehicular systems. In this scheme, the TA computes the system's private key and preloads it into the TPD, which is assumed not to be compromised by any adversary. Nevertheless, an adversary could still obtain some data stored in the TPD through a side-channel attack, and once the TA's private key is obtained by the adversary, the vehicular system is disrupted.
Table 1 summarizes recent identity-based schemes that propose mutual authentication and conditional privacy preservation in VANETs, with the techniques they apply, their advantages and their limitations. To overcome the aforementioned issues in VANETs, we propose an efficient conditional privacy-preserving authentication scheme that prevents side-channel attacks: an update-parameters phase periodically changes the data stored in the vehicle's TPD, so that malicious adversaries cannot obtain critical information via side-channel attacks and collapse the VANET system. Besides, the proposed scheme uses ECC operations rather than bilinear pairing operations; therefore, it has lower computation and communication cost than other schemes.
Preliminaries
In this section, we first define the structure of the system model; this is followed by a presentation of the design goals in terms of security requirements, and finally the security attacks considered in this paper are defined. The major notations used in the proposed scheme are presented in Table 2.
A. System Model
The proposed scheme's system model consists of three components, OBU, RSU and TA, as shown in Figure 1.
OBU:
Vehicles in a VANET are equipped with an On-Board Unit (OBU), which allows the vehicle to process, receive and broadcast safety-messages. OBUs are fitted with a tamper-proof device (TPD) that is used to store critical data.
RSU:
A roadside unit (RSU) is a wireless device located along the road as an infrastructure node. The RSU is linked to the TA by a wired channel and to vehicles by a wireless channel.
TA:
The trusted authority (TA) has high computation and communication resources. The TA is responsible for generating the system's public parameters and the pseudo-ID of each vehicle.
B. Design Goals
In order to secure V2V and V2I communications in the system, the proposed scheme should satisfy the following security requirements.
Integrity and authentication:
The wireless components in VANETs must be able to detect any modification of received safety-messages, and must be able to validate received safety-messages and authenticate nodes, in order to ensure the security of communications.
Identity privacy preservation: An adversary must not be able to disclose the vehicle's identity by capturing multiple safety-messages sent by it. Thus, the identity of the vehicle remains anonymous to other legitimate and illegitimate vehicles, ensuring the driver's privacy.
Traceability and revocation: The TA must be able to disclose the identity of a vehicle from its safety-messages, so that malicious vehicles that disrupt the system by sending forged safety-messages to other authenticated vehicles cannot deny having done so.
C. Security Attacks
It is easy for adversaries to launch certain security attacks because of the open nature of VANET communication. In this subsection, we briefly present some vulnerabilities together with the capabilities of an adversary in VANETs.
Replay attacks.
The aim of misbehaving vehicles is to replay an old, previously issued valid signature to the receiver, creating the illusion that accidents are happening.
Modification attacks.
The aim of misbehaving vehicles is to change authentic safety-messages and send them to other nodes [26]. For example, a malicious vehicle could feed forged messages to nearby vehicles. Thus, the recipient's verification must not accept changed messages.
Impersonation attacks.
The aim of misbehaving vehicles is to impersonate a registered vehicle and transmit a seemingly proper safety-message to other vehicles; the attacker attempts to masquerade as a registered vehicle.
Man-In-The-Middle attacks.
The aim of misbehaving vehicles is to sniff and tamper with information by intercepting the communication between two parties [27], [28].
Side-channel attacks.
The aim of misbehaving vehicles is to obtain sensitive data stored in the TPD through a side-channel attack. If the misbehaving vehicles obtain the TA's private key, the structure of the system collapses.
The Proposed Scheme
After the TA calculates the initial public parameters, it preloads them into the RSUs and OBUs in advance. Through the mutual authentication steps, the vehicle must authenticate itself to the system before exchanging safety-messages based on the RSU's parameters. Thus, an attacker cannot obtain authorized access to the coverage region. Once the vehicle is considered a registered vehicle, it calculates the signature of its message and the verifier then checks this signature.
We propose an efficient conditional privacy-preserving authentication scheme that prevents side-channel attacks and ensures secure communication in VANETs. The proposed scheme consists of five phases: system initialization, mutual authentication, signing safety-messages, verifying safety-messages and updating parameters. The phases of the proposed scheme are visualized in Figure 2.
D. Phase of System Initialization
The system initialization phase consists of the following subsections.
1) TA Initialization
In order to compute the initial public parameters of the system, the TA executes the following steps.
Two large prime numbers $p, q$ are chosen by the TA, together with a generator $P$ of an additive group $G$ of order $q$, which consists of all points on the non-singular elliptic curve $E: y^{2} = x^{3} + ax + b \pmod p$, where $a, b \in F_{p}$.
A random value $k \in Z_{q}^{*}$ is chosen by the TA as its private key, and the TA then calculates $Pub = kP$ as the corresponding public key.
Lastly, three one-way hash functions $h_{1}, h_{2}$ and $h_{3}$ are chosen by the TA, where $h_{1}: G \rightarrow Z_{q}^{*}$, $h_{2}: \{0,1\}^{*} \times \{0,1\}^{*} \times G \rightarrow Z_{q}^{*}$ and $h_{3}: \{0,1\}^{*} \rightarrow Z_{q}^{*}$.
2) RSU and Vehicle Registration
In order to register the RSU and the vehicles at the TA, the following steps are executed.
Once the TA receives the RSU's identity $ID_{RSU_{j}}$, the TA verifies the RSU's validity.
The private key $k$ is stored by the TA in the RSU's TPD.
Once the driver submits the identity $ID_{i}$ and password $PW_{i}$ via secure communication, the TA checks the driver's validity.
After it verifies the validity of $ID_{i}$, the TA generates the pseudonym $Pdm = h_{3}(ID_{i} \| SP_{vi})$, where $SP_{vi}$ is a short period.
The TA preloads $\langle Pdm, SP_{vi} \rangle$ and $k$ via a secure channel into the TPD of the vehicle and of each RSU, respectively.
The initial public parameters of the system $\psi = \{p, q, a, b, P, Pub, h_{1}, h_{2}, h_{3}\}$ are preloaded by the TA into each vehicle's OBU and each RSU.
A. Phase of Mutual Authentication
The vehicle enters the RSU's communication range and performs mutual authentication before it sends safety-messages to the nearby RSU or neighbouring vehicles. Once the signature key
OBU-TO-RSU: The vehicle selects a random value $w \in Z_{q}^{*}$ and generates its pseudo-ID $PsID_{i} = \langle PsID_{i}^{1}, PsID_{i}^{2} \rangle$ as follows: $PsID_{i}^{1} = wP$ and $PsID_{i}^{2} = Pdm \oplus h_{1}(w\, Pub)$. Then, the vehicle transmits $Tuple_{1}$ to the RSU, where $Tuple_{1} = \{PsID_{i}, TS_{1}, \delta_{OBU-RSU}\}$, $\delta_{OBU-RSU} = h_{3}(PsID_{i}\| TS_{1}\| Pdm)$ and $TS_{1}$ is a timestamp.
RSU-TO-TA: Once $Tuple_{1}$ is received by the RSU from the OBU, the RSU first checks the freshness of $TS_{1}$. Each timestamp is checked as follows: the RSU subtracts $TS_{1}$ from the present time $TS$ to judge the freshness of $Tuple_{1}$; if the result is less than the time threshold, then $TS_{1}$ is fresh, otherwise the safety-message is dropped. Then, the RSU calculates $Pdm = PsID_{i}^{2} \oplus h_{1}(k\, PsID_{i}^{1})$ and verifies whether $\delta_{OBU-RSU} \stackrel{?}{=} h_{3}(PsID_{i}\| Pdm\| TS_{1})$. The RSU rejects $Tuple_{1}$ when the check fails; otherwise, it selects a random value $z \in Z_{q}^{*}$ and generates its pseudo-ID $PsID_{RSU_{j}} = \langle PsID_{RSU_{j}}^{1}, PsID_{RSU_{j}}^{2} \rangle$ as follows: $PsID_{RSU_{j}}^{1} = zP$ and $PsID_{RSU_{j}}^{2} = ID_{RSU_{j}} \oplus h_{1}(z\, Pub)$. Then, the RSU transmits $Tuple_{2}$ to the TA, where $Tuple_{2} = \{PsID_{i}, PsID_{RSU_{j}}, TS_{2}, \delta_{RSU-TA}\}$ and $\delta_{RSU-TA} = h_{3}(ID_{RSU_{j}}\| Pdm\| TS_{2})$.
TA-TO-RSU: Once $Tuple_{2}$ is received by the TA from the RSU, the TA first checks the freshness of $TS_{2}$. If $TS_{2}$ is fresh, the TA accepts the message; otherwise, $Tuple_{2}$ is dropped. The TA then calculates $Pdm = PsID_{i}^{2} \oplus h_{1}(k\, PsID_{i}^{1})$ and $ID_{RSU_{j}} = PsID_{RSU_{j}}^{2} \oplus h_{1}(k\, PsID_{RSU_{j}}^{1})$ from $PsID_{i}$ and $PsID_{RSU_{j}}$, respectively. It then verifies whether $\delta_{RSU-TA} \stackrel{?}{=} h_{3}(Pdm\| ID_{RSU_{j}}\| TS_{2})$. If the check fails, the TA rejects $Tuple_{2}$; otherwise, it checks the authenticity of the OBU and RSU identities against the stored $ID_{i}$ (looked up from $Pdm$) and $ID_{RSU_{j}}$, respectively. If this is ok, the TA accepts the message, chooses a random value $r \in Z_{q}^{*}$ and generates its pseudo-ID $PsID_{TA} = \langle PsID_{TA}^{1}, PsID_{TA}^{2} \rangle$ as follows: $PsID_{TA}^{1} = rP$ and $PsID_{TA}^{2} = ID_{RSU_{j}}^{*} \oplus h_{1}(r\, Pub)$. Then, the TA transmits $Tuple_{3}$ to the RSU, where $Tuple_{3} = \{PsID_{TA}, TS_{3}, \delta_{TA-RSU}\}$, $\delta_{TA-RSU} = h_{3}(ID_{RSU_{j}}^{*}\| TS_{3})$ and $ID_{RSU_{j}}^{*}$ is the same RSU identity.
RSU-TO-OBU: Once $Tuple_{3}$ is received by the RSU from the TA, the RSU checks the freshness of $TS_{3}$. If $TS_{3}$ is fresh, the RSU accepts the message; otherwise, $Tuple_{3}$ is dropped. The RSU then computes $ID_{RSU_{j}}^{*} = PsID_{TA}^{2} \oplus h_{1}(k\, PsID_{TA}^{1})$ and verifies that it matches, i.e. $ID_{RSU_{j}}^{*} = ID_{RSU_{j}}$. It also verifies whether $\delta_{TA-RSU} \stackrel{?}{=} h_{3}(ID_{RSU_{j}}^{*}\| TS_{3})$. The RSU rejects $Tuple_{3}$ when a check fails; otherwise, the RSU generates the signature key $SK$ for the vehicle as follows: $SK = k \cdot h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})$. Then, the RSU transmits $Tuple_{4}$ to the OBU, where $Tuple_{4} = \{PsID_{i}, TS_{4}, SK_{enc}, \delta_{RSU-OBU}\}$, $SK_{enc} = SK \oplus h_{1}(Pdm)$ and $\delta_{RSU-OBU} = h_{2}(Pdm\| SK\| TS_{4})$.
OBU: Once $Tuple_{4}$ is received by the OBU from the RSU, the OBU calculates $SK = SK_{enc} \oplus h_{1}(Pdm)$ and, with the help of its $Pdm$, verifies whether $\delta_{RSU-OBU} \stackrel{?}{=} h_{2}(Pdm\| SK\| TS_{4})$. If the check passes, the vehicle accepts $SK$ as its corresponding signature key.
To ensure the security of the pseudo-ID and its corresponding signature key in the system, we adopt for our work the signature-key update protocol demonstrated in [29]. Under this protocol, the vehicle uses a pseudo-ID and its corresponding signature key for only a few periods of travel in the system.
B. Phase of Signing Safety-Message
Once the vehicle has joined the communication range of the RSU through the mutual authentication process, it starts sending safety-messages utilizing
The vehicle calculates the signature of the safety-message, $\delta_{m} = SK + w \cdot h_{3}(m\| TS)$.
The vehicle calculates $\sigma = h_{3}(m\| TS)\, PsID_{i}^{1}$.
The vehicle sets $\delta_{m}$ and $\sigma$, which the recipient uses to verify the safety-message.
Finally, the vehicle sends the safety-message-signature tuple $\{PsID_{i}, m, TS, \delta_{m}, \sigma\}$ to neighbouring vehicles and nearby RSUs.
C. Phase of Verifying Safety-Message
This section presents single and batch verification of safety-messages, as shown in Figure 4.
1) Single Verifying Safety-Message
Each vehicle verifies the safety-message signature using this verification process. Once recipients receive a signed safety-message, they should check its validity and authenticity, ensuring that no misbehaving vehicle can be considered a legitimate vehicle before the safety-message is accepted for further processing. Therefore, false safety-messages are prevented from propagating. The single verification method is presented in detail as follows:
Once the verifier receives the safety-message-signature tuple $\{PsID_{i}, m, TS, \delta_{m}, \sigma\}$, it first verifies the freshness of the timestamp $TS$.
Then, the verifier uses $\delta_{m}$ and $\sigma$ of the tuple $\{PsID_{i}, m, TS, \delta_{m}, \sigma\}$ to check the safety-message $m$, where $\sigma = h_{3}(m\| TS)\, PsID_{i}^{1}$ and $\delta_{m} = SK + w \cdot h_{3}(m\| TS)$. If Equation 1 holds, the safety-message is accepted; otherwise, the verifier drops it.
\begin{equation*} \delta_{m} \cdot P = h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + \sigma \tag{1}\end{equation*}
The proof of Equation 1 is as follows:
\begin{align*} L.H.S &= \delta_{m} \cdot P \\ &= \big(SK + w \cdot h_{3}(m\| TS)\big) \cdot P \\ &= \big(k \cdot h_{2}(PsID_{i}^{1}\| PsID_{i}^{2}) + w \cdot h_{3}(m\| TS)\big) \cdot P \\ &= h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, kP + h_{3}(m\| TS)\, wP \\ &= h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + h_{3}(m\| TS)\, PsID_{i}^{1} \\ &= h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + \sigma \\ &= R.H.S \end{align*}
Therefore, Equation 1 holds.
2) Batch Verifying Safety-Message
Through the batch verification process, the recipient checks multiple safety-messages at the same time. To reduce the time consumed, our work uses a batch verification method. To satisfy the non-repudiation requirement, we use the small exponent test technique [23]. The recipient randomly chooses a small integer $\eta_{i}$ for each safety-message and checks Equation 2:
\begin{align*} \Big(\sum_{i=1}^{n} \eta_{i} \cdot \delta_{m}\Big) \cdot P = \sum_{i=1}^{n} \eta_{i} \cdot h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + \sum_{i=1}^{n} \eta_{i} \cdot \sigma \tag{2}\end{align*}
The proof of Equation 2 is as follows:
\begin{align*} L.H.S &= \Big(\sum_{i=1}^{n} \eta_{i} \cdot \delta_{m}\Big) \cdot P \\ &= \sum_{i=1}^{n} \eta_{i} \cdot \big(SK + w \cdot h_{3}(m\| TS)\big) \cdot P \\ &= \sum_{i=1}^{n} \eta_{i} \cdot \big(k \cdot h_{2}(PsID_{i}^{1}\| PsID_{i}^{2}) + w \cdot h_{3}(m\| TS)\big) \cdot P \\ &= \sum_{i=1}^{n} \eta_{i} \cdot \big(h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, kP + h_{3}(m\| TS)\, wP\big) \\ &= \sum_{i=1}^{n} \eta_{i} \cdot \big(h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + h_{3}(m\| TS)\, PsID_{i}^{1}\big) \\ &= \sum_{i=1}^{n} \eta_{i} \cdot \big(h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + \sigma\big) \\ &= R.H.S \end{align*}
Therefore, Equation 2 holds.
D. Phase of Update Parameters
To prevent side-channel attacks, the sensitive data stored in the TPD (the vehicle's pseudonym) must be regularly updated, either in online mode or at the annual inspection. However, if the stored sensitive data were left unchanged while waiting for the next annual inspection, the adversary could have enough time to obtain sensitive data that could collapse the entire VANET. The vehicle executes the following steps to update the sensitive data stored in the TPD using the online mode:
The vehicle selects a random number $r \in Z_{q}^{*}$ and computes $PsID_{i}^{1} = rP$ and $PsID_{i}^{2} = Pdm \oplus h_{1}(r \cdot Pub)$. Then, the vehicle sends the message $\{PsID_{v}^{new}, TS_{1}, \delta_{OBU_{i}^{new}}\}$ to the TA, where $PsID_{v}^{new} = \{PsID_{i}^{1} = rP,\; PsID_{i}^{2} = Pdm \oplus h_{1}(r \cdot Pub)\}$ and $\delta_{OBU_{i}^{new}} = h_{3}(Pdm \| PsID_{i}^{1} \| PsID_{i}^{2} \| TS_{1})$.
Once the TA receives the message $\{PsID_{v}^{new}, TS_{1}, \delta_{OBU_{i}^{new}}\}$, it verifies the freshness of the timestamp $TS_{1}$. If $TS_{1}$ is valid, the TA calculates the old pseudonym of the authenticated vehicle, $Pdm = PsID_{i}^{2} \oplus h_{1}(k \cdot PsID_{i}^{1})$, and checks whether $\delta_{OBU_{i}^{new}} \stackrel{?}{=} h_{3}(Pdm \| PsID_{i}^{1} \| PsID_{i}^{2} \| TS_{1})$ holds. The TA then verifies whether the tuple $(ID_{i}, Pdm, SP_{vi})$ is present in its vehicle registration list and checks the freshness of $SP_{vi}$.
Once $SP_{vi}$ has expired, a new short period $SP_{vi}^{New}$ is selected by the TA. Then, the TA calculates a new pseudonym of the authenticated vehicle, $Pdm^{New} = h_{3}(ID_{i} \| SP_{vi}^{New})$. The request is dropped if $SP_{vi}$ is still fresh.
The TA encrypts the message $(Ps^{New}, \lambda_{i}^{New})$ using the previous encryption key $E_{\lambda_{i}} \in Z_{q}^{*}$ for the vehicle and updates the new tuple $(OID_{i}, Ps^{New}, VP_{vi}^{New}, \lambda_{i}^{New})$ in the vehicle registration list.
The TA sends the message $(Pdm_{enc}^{new}, SP_{vi})$ to the vehicle, where $Pdm_{enc}^{new} = Pdm^{New} \oplus h_{1}(k \cdot PsID_{i}^{1})$.
Lastly, the vehicle computes $Pdm^{New} = Pdm_{enc}^{new} \oplus h_{1}(k \cdot PsID_{i}^{1})$ to obtain the new pseudonym; since $k \cdot PsID_{i}^{1} = r \cdot Pub$, the vehicle evaluates this mask as $h_{1}(r \cdot Pub)$ without knowing $k$.
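The phases above worked through in code, as an added example rather than the authors' implementation: it assumes a tiny textbook curve over F_17 so that values stay readable, uses SHA-256 reduced into Z_q^* to stand in for h1, h2 and h3, and treats "||" as byte concatenation; all function and variable names are this example's own. It covers pseudo-ID generation and Pdm recovery (mutual authentication and traceability), SK issuance, signing, single and batch verification, and the pseudonym update.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (a textbook example, NOT for
# real use, chosen so values stay readable); a deployment would use e.g. P-256.
p, a, b = 17, 2, 2
P = (5, 1)   # generator of the additive group G
O = None     # point at infinity

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + ax + b (mod p); O is the identity."""
    if A is O or B is O:
        return B if A is O else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                       # B == -A
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, A):
    """Double-and-add scalar multiplication n*A."""
    R = O
    while n > 0:
        if n & 1:
            R = ec_add(R, A)
        A, n = ec_add(A, A), n >> 1
    return R

def point_order(A):
    """Brute-force order of A; feasible only because the field is tiny."""
    n, R = 1, A
    while R is not O:
        R, n = ec_add(R, A), n + 1
    return n

q = point_order(P)   # order of P (19 on this curve); all scalars live in Z_q^*

def enc(x):
    """Canonical bytes for points, integers and strings in the '||' concatenation."""
    if x is O:
        return b"O"
    if isinstance(x, tuple):
        return enc(x[0]) + enc(x[1])
    return x.to_bytes(8, "big") if isinstance(x, int) else x.encode()

def h(*parts):
    """Stands in for h1/h2/h3: SHA-256 of the concatenation, mapped into Z_q^*."""
    digest = hashlib.sha256(b"||".join(enc(x) for x in parts)).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def make_pseudo_id(Pdm, w, Pub):
    """OBU-TO-RSU step: PsID_i = <w*P, Pdm xor h1(w*Pub)> for a fresh w in Z_q^*."""
    return (ec_mul(w, P), Pdm ^ h(ec_mul(w, Pub)))

def recover_pdm(PsID, k):
    """RSU/TA step (also the TA's traceability step): k*PsID^1 = w*Pub unmasks Pdm."""
    return PsID[1] ^ h(ec_mul(k, PsID[0]))

def signature_key(PsID, k):
    """RSU-TO-OBU step: SK = k * h2(PsID^1 || PsID^2) mod q."""
    return k * h(PsID[0], PsID[1]) % q

def sign_message(PsID, m, TS, SK, w):
    """Signing phase: delta_m = SK + w*h3(m||TS) mod q and sigma = h3(m||TS) * PsID^1."""
    e = h(m, TS)
    return (PsID, m, TS, (SK + w * e) % q, ec_mul(e, PsID[0]))

def verify(tup, Pub):
    """Single verification (Equation 1): delta_m*P == h2(PsID^1||PsID^2)*Pub + sigma.
    sigma is recomputed from the received m and TS; a verifier that only trusted the
    transmitted sigma would not notice a modified m."""
    PsID, m, TS, delta, sigma = tup
    expected = ec_mul(h(m, TS), PsID[0])
    rhs = ec_add(ec_mul(h(PsID[0], PsID[1]), Pub), expected)
    return sigma == expected and ec_mul(delta, P) == rhs

def batch_verify(tuples, Pub, etas=None):
    """Batch verification (Equation 2) with small random exponents eta_i:
    (sum eta_i*delta_i)*P == sum eta_i*(h2_i*Pub + sigma_i)."""
    etas = etas or [secrets.randbelow(2 ** 8) + 1 for _ in tuples]
    lhs = ec_mul(sum(e * t[3] for e, t in zip(etas, tuples)) % q, P)
    rhs = O
    for e, (PsID, m, TS, _, _) in zip(etas, tuples):
        term = ec_add(ec_mul(h(PsID[0], PsID[1]), Pub), ec_mul(h(m, TS), PsID[0]))
        rhs = ec_add(rhs, ec_mul(e, term))
    return lhs == rhs

def update_pseudonym(ID_i, SP_new, PsID, k):
    """Update phase, TA side: Pdm_new = h3(ID_i||SP_new) masked with h1(k*PsID^1)."""
    return h(ID_i, SP_new) ^ h(ec_mul(k, PsID[0]))

def unmask_pseudonym(Pdm_enc, w, Pub):
    """Update phase, vehicle side: w*Pub equals k*PsID^1, so the OBU strips the mask."""
    return Pdm_enc ^ h(ec_mul(w, Pub))
```

On a 19-point curve the hash values collide often, so a modified message is only guaranteed to be rejected when its hash differs from the original's; on a real curve that caveat disappears.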
Security Analysis and Comparison
In this section, we first present the formal analysis in terms of the random oracle model and BAN logic; this is followed by a discussion of the security requirements, and finally a security comparison between the proposed scheme and other schemes.
A. Formal Analysis
We use the random oracle model and BAN logic to formally analyse the proposed scheme, as follows.
1) Random Oracle Model
This subsection launches a game between an adversary
Theorem 1:
The proposed scheme is existentially unforgeable against an adaptive chosen-message attack under the random oracle model.
Proof:
Suppose
Setup:
Oracle of
Oracle of
Oracle of
Sign: When receiving an
\begin{equation*} \delta_{m} P = h^{i,2}\, Pub + \sigma = h^{i,2}\, Pub + \big(\delta_{m} P - h^{i,2}\, Pub\big) = \delta_{m} P \tag{3}\end{equation*}
Output: \begin{equation*} \delta _{m} P= h^{i,2} Pub + \sigma.\tag{4}\end{equation*}
Based on the forgery lemma in [21], \begin{equation*} \delta _{m}^{*}P= {h^{i,2}}^{*} Pub + \sigma.\tag{5}\end{equation*}
From Equations 4 and 5, we obtain
\begin{align*} (\delta_{m} - \delta_{m}^{*})P &= \delta_{m} P - \delta_{m}^{*} P \\ &= \big(h^{i,2}\, Pub + \sigma\big) - \big({h^{i,2}}^{*}\, Pub + \sigma\big) \\ &= h^{i,2}\, Pub - {h^{i,2}}^{*}\, Pub = \big(h^{i,2} - {h^{i,2}}^{*}\big)\, Pub. \tag{6}\end{align*}
Therefore, we could get (
Hence, the proposed scheme is resistant to adaptive chosen-message attacks in the random oracle model under the assumption that the ECDLP is hard.
2) BAN Logic
Using the well-known formal logic known as BAN logic, the proposed scheme should achieve specific security goals among the components in VANETs for mutual verification. The basic definitions of BAN logic are omitted in this paper; we refer the reader to [30], [31] for further details.
Security goals
The main idea of these operations is to validate the session key among the components in the system. Thus, the proposed scheme must achieve the following eight major goals.
Goal-1. $TA|\equiv OBU_{i}|\equiv (Pdm)$.
Goal-2. $TA|\equiv (Pdm)$.
Goal-3. $TA|\equiv RSU_{j}|\equiv (ID_{RSU_{j}})$.
Goal-4. $TA|\equiv (ID_{RSU_{j}})$.
Goal-5. $RSU_{j}|\equiv TA|\equiv (\delta_{TA-RSU_{j}})$.
Goal-6. $RSU_{j}|\equiv (\delta_{TA-RSU_{j}})$.
Goal-7. $OBU_{i}|\equiv RSU_{j}|\equiv (SK)$.
Goal-8. $OBU_{i}|\equiv (SK)$.
Phase of idealizing the proposed scheme:
The messages shared between components in VANETs are idealized for our work as follows.
M-1. $OBU_{i} \to RSU_{j}$: $\{PsID_{i}, TS_{1}, \delta_{OBU-RSU}\}$.
M-2. $RSU_{j} \to TA$: $\{PsID_{i}, PsID_{RSU_{j}}, TS_{2}, \delta_{RSU-TA}\}$.
M-3. $TA \to RSU_{j}$: $\{PsID_{TA}, TS_{3}, \delta_{TA-RSU}\}$.
M-4. $RSU \to OBU_{i}$: $\{PsID_{i}, SK_{enc}, \delta_{RSU-OBU}\}$.
The messages of the proposed scheme are idealized as follows:
SMI-1. $OBU_{i} \to TA: (ID_{i})_{Pub}$.
SMI-2. $RSU_{j} \to TA: (ID_{RSU_{j}})_{Pub}$.
SMI-3. $TA \to RSU_{j}: (\delta_{TA-RSU_{j}})_{Pub}$.
SMI-4. $RSU_{j} \to OBU_{i}: (SK)_{h(ID_{i})}$.
Assumptions.
The following assumptions regarding the initial state of our work are made:
Ass-1. $TA|\equiv \#(TS_{2})$.
Ass-2. $RSU_{j}|\equiv \#(TS_{1}, TS_{3})$.
Ass-3. $OBU_{i}|\equiv \#(TS_{4})$.
Ass-4. $TA|\equiv\, |\!\xrightarrow{Pub} OBU_{i}$.
Ass-5. $TA|\equiv\, |\!\xrightarrow{Pub} RSU_{j}$.
Ass-6. $OBU_{i}|\equiv OBU_{i} \xleftrightarrow{ID_{i}} RSU_{j}$.
Ass-7. $TA|\equiv OBU_{i} \Rightarrow (ID_{i})$.
Ass-8. $TA|\equiv RSU_{j} \Rightarrow (ID_{RSU_{j}})$.
Ass-9. $OBU_{i}|\equiv RSU_{j} \Rightarrow (SK)$.
Ass-10. $RSU_{j}|\equiv\, |\!\xrightarrow{Pub} TA$.
Ass-11. $RSU_{j}|\equiv TA \Rightarrow (\delta_{TA-RSU_{j}})$.
Proof.
In this part, the eight security goals included in the proposed scheme are accomplished.
From SMI-1., we obtain:
S-1:
From S-1, Ass-4, and by using rule of message meaning, we obtain:
S-2:
From S-2, Ass-1, and by using nonce-verification and freshness rules, we obtain:
S-3:
Therefore, security Goal-1 is accomplished.
From S-3, Ass-7, and by using jurisdiction rule, we obtain:
S-4:
Therefore, security Goal-2 is accomplished.
From SMI-2., we obtain:
S-5:
From S-5, Ass-5, and by using rule of message meaning, we obtain:
S-6:
From S-6, Ass-1, and by using nonce-verification and freshness rules, we obtain:
S-7:
Therefore, security Goal-3 is accomplished.
From S-7, Ass-8, and by using rule of jurisdiction, we obtain:
S-8:
Therefore, security Goal-4 is accomplished.
From SMI-3., we obtain:
S-9:
From S-9, Ass-10, and by using rule of message meaning, we obtain:
S-10:
From S-10, Ass-2, and by using nonce-verification and freshness rules, we obtain:
S-11:
Therefore, security Goal-5 is accomplished.
From S-11, Ass-11, and by using the rule of jurisdiction, we obtain:
S-12:
Therefore, security Goal-6 is accomplished.
From SMI-4., we obtain:
S-13:
From S-13, Ass-6, and by using rule of message meaning, we obtain:
S-14:
From S-14, Ass-3, and by using nonce-verification and freshness rules, we obtain:
S-15:
Therefore, security Goal-7 is accomplished.
From S-15, Ass-9, and by using jurisdiction rule, we obtain:
S-16:
Thus, security Goal-8 is accomplished.
Consequently, the eight security goals collectively guarantee that components of the proposed scheme are mutually validated.
B. Security Requirements
This subsection analyses how our work fulfils the security requirements, as follows.
Message integrity and authentication:
A receiver can check the safety-message-signature tuple $\{PsID_{i}, m, TS, \delta_{m}, \sigma\}$ sent from a vehicle for node authenticity and message integrity by verifying whether the equation $\delta_{m} \cdot P = h_{2}(PsID_{i}^{1}\| PsID_{i}^{2})\, Pub + \sigma$ holds. For instance, after capturing the tuple $\{PsID_{i}, m, TS, \delta_{m}, \sigma\}$ from an authenticated vehicle $AV_{j}$ in our work, a vehicle $V_{i}$ changes the safety-message to $m_{i}^{c}$ and sends the changed tuple $\{PsID_{i}, m_{i}^{c}, TS, \delta_{m}, \sigma\}$ into the V2V and V2I communications. The verifying vehicle $VV_{v}$ checks the validity of the changed tuple $\{PsID_{i}, m_{i}^{c}, TS, \delta_{m}, \sigma\}$ by verifying whether Equation 1 or 2 holds; since the changed message does not pass this check, our work satisfies the requirements of integrity and authentication.
Identity privacy preservation:
In the safety-message-signature tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$ of our work, the pseudo-ID $PsID_i$ depends on two secret values, $(w, k) \in Z_q^*$, which are chosen at random by the TA and the broadcasting vehicle, respectively. An adversary cannot disclose the pseudonym $Pdm$ of a vehicle, because it is unable to compute $k \cdot PsID_i^1$ and $wkP$, owing to the ECCDH and ECDL problems respectively. Here $PsID_i^1 = wP$, $Pub = kP$ and $PsID_i^2 = Pdm \oplus h_1(w\,Pub)$. To obtain the pseudonym $Pdm$ of the vehicle, the adversary would have to compute $k \cdot PsID_i^1 = wkP$ from $PsID_i^1 = wP$ and $Pub = kP$. This prevents the attacker from disclosing the vehicle's $Pdm$ through the above computation, since it rests on hard problems. Therefore, the identity privacy preservation requirement is satisfied by our work.
Traceability and revocation:
In V2V and V2I communications, traceability and revocation are significant security requirements. If forged safety-messages are transmitted by a malicious vehicle, the TA can disclose the vehicle's identity from its pseudo-ID $PsID_i$. The TA's private key $k$ in our work is used to recover the identity $ID_i$ via the following computation:
\begin{align*} Pdm &= PsID_i^2 \oplus h_1(k\,PsID_i^1) \\ &= Pdm \oplus h_1(w\,Pub) \oplus h_1(k\,PsID_i^1) \\ &= Pdm, \end{align*}
since $w\,Pub = wkP = k\,PsID_i^1$.
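As an added illustration (this code is not from the paper), the following Python script builds a pseudo-ID $PsID_i = (PsID_i^1, PsID_i^2)$ exactly as defined above and shows the TA recovering $Pdm$ with its private key $k$, so it exercises both the identity-privacy construction and the traceability derivation. It assumes secp256k1 as the curve, SHA-256 over the encoded point as $h_1$, a 32-byte $Pdm$ and a plain dictionary as the TA's registration list; none of these are fixed by the paper, and the curve arithmetic is a toy implementation for illustration only.

```python
import hashlib
import secrets

# Toy secp256k1 arithmetic (assumed curve; the paper does not name one).
P_MOD = 2**256 - 2**32 - 977                      # field prime
A_COEF, B_COEF = 0, 7                             # y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h1(pt):
    """Assumed h_1: SHA-256 over the encoded point, giving a 32-byte mask."""
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ta_keygen():
    """TA private key k and public key Pub = kP."""
    k = secrets.randbelow(ORDER - 1) + 1
    return k, ec_mul(k, G)


def vehicle_pseudonym(pdm, pub):
    """Vehicle side: PsID^1 = wP, PsID^2 = Pdm XOR h_1(w * Pub), with a fresh w each time."""
    w = secrets.randbelow(ORDER - 1) + 1
    psid1 = ec_mul(w, G)
    psid2 = xor(pdm, h1(ec_mul(w, pub)))
    return (psid1, psid2)


def ta_trace(k, psid):
    """TA side: Pdm = PsID^2 XOR h_1(k * PsID^1); works because k(wP) = w(kP)."""
    psid1, psid2 = psid
    return xor(psid2, h1(ec_mul(k, psid1)))


def lookup_identity(registration_list, pdm):
    """Registration-list search; returns the matching ID_i or None."""
    return registration_list.get(pdm)


def demo():
    """Constructed scenario: one registered vehicle, two pseudonyms, one trace."""
    k, pub = ta_keygen()
    pdm = hashlib.sha256(b"constructed-secret-for-ID_i").digest()   # constructed Pdm
    registration_list = {pdm: "ID_i (constructed)"}
    psid_a = vehicle_pseudonym(pdm, pub)
    psid_b = vehicle_pseudonym(pdm, pub)
    wrong_k = (k + 1) % ORDER or 1                 # any key other than the TA's
    return {
        "traced_identity": lookup_identity(registration_list, ta_trace(k, psid_a)),
        "pseudonyms_unlinkable": psid_a != psid_b,  # fresh w gives a different PsID
        "wrong_key_fails": lookup_identity(registration_list, ta_trace(wrong_k, psid_a)),
    }
```

The two pseudonyms generated for the same $Pdm$ differ because $w$ is fresh per pseudonym, which is what keeps the vehicle unlinkable to outside observers, while the TA alone, holding $k$, maps either of them back to $ID_i$.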
The TA then searches the vehicle registration list for the identity $ID_i$ that matches $Pdm$. Revocation is likewise a serious security requirement for securing V2V and V2I communications. Once traceability is done, the TA adds the identity $ID_i$ to the CRL and distributes the updated CRL. The RSU covering the malicious vehicle then broadcasts the CRL and updates it locally. Hence, our work satisfies the traceability and revocation requirements, since it provides conditional anonymity.
Resistance to replay attacks
The proposed scheme uses the current timestamp TS in the safety-message-signature tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$. During verification by a receiver, an adversary cannot alter TS in the tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$. If TS has expired or is invalid, the safety-message is dropped. Hence, the proposed scheme successfully resists replay attacks.
Resistance to impersonation attacks
An attacker would have to obtain a vehicle's identity in order to send a valid safety-message-signature tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$ while impersonating the authenticated vehicle. Based on the preceding analysis, however, the attacker cannot discover a vehicle's identity in the proposed scheme, so the impersonation attack is ineffective. Hence, the proposed scheme successfully resists impersonation attacks.
Resistance to modification attacks
The signature $\delta_m$ is included in the safety-message-signature tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$ of the proposed scheme and protects the safety-message against modification attacks. During authentication by a receiver, if an adversary modifies or changes the safety-message, the tuple is dropped. Therefore, the proposed scheme successfully resists modification attacks.
Resistance to man-in-the-middle attacks
Mutual authentication between the signer and the receiver is performed in the proposed scheme. To mount a man-in-the-middle attack, an adversary would have to forge both the signer's message and the receiver's message in order to connect with each of them. Based on the above analysis, however, an attacker cannot produce such forgeries. Hence, our work successfully resists man-in-the-middle attacks.
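As an added receiver-side example (not code from the paper), the script below applies the checks discussed above under traceability and revocation, replay attacks and modification attacks to constructed tuples $\{\sigma, PsID_i, m, TS, \delta_m\}$: a tuple whose TS is expired or invalid, a tuple whose pseudo-ID is on the CRL, and a tuple that fails verification are all dropped. It goes slightly beyond the text by also rejecting an exact duplicate of an already-accepted tuple inside the freshness window, which a timestamp check alone cannot catch. The five-second window, the byte-string pseudonyms and the hash-based `constructed_verify` stand-in for Equations 1 and 2 are all assumptions; the stand-in is not the paper's signature.

```python
import hashlib
from dataclasses import dataclass, replace

FRESHNESS_WINDOW = 5   # seconds; assumed value, not specified by the paper


@dataclass(frozen=True)
class SafetyTuple:
    """The tuple {sigma, PsID_i, m, TS, delta_m}; fields are opaque byte strings here."""
    sigma: bytes
    psid: bytes
    m: str
    ts: int
    delta_m: bytes


def _tag(tup):
    # Constructed stand-in for the scheme's signature (NOT Eq. 1/2 of the paper):
    # it binds sigma, PsID_i, m and TS so that any modification is detected.
    data = tup.sigma + tup.psid + tup.m.encode() + tup.ts.to_bytes(8, "big")
    return hashlib.sha256(data).digest()


def constructed_verify(tup):
    return tup.delta_m == _tag(tup)


def make_tuple(psid, m, ts):
    """Sender side for the demo: sigma is a constructed per-message value."""
    sigma = hashlib.sha256(b"sigma" + psid + ts.to_bytes(8, "big")).digest()
    draft = SafetyTuple(sigma, psid, m, ts, b"")
    return replace(draft, delta_m=_tag(draft))


class Receiver:
    def __init__(self, crl, verify, window=FRESHNESS_WINDOW):
        self.crl = set(crl)          # revoked pseudo-IDs pushed by the RSU
        self.verify = verify
        self.window = window
        self.accepted = set()        # (PsID_i, TS, delta_m) of tuples already accepted

    def accept(self, tup, now):
        # 1. TS must be neither in the future nor older than the window.
        if tup.ts > now or now - tup.ts > self.window:
            return "drop: expired or invalid TS"
        # 2. Pseudo-IDs on the CRL are rejected before any expensive check.
        if tup.psid in self.crl:
            return "drop: revoked pseudonym"
        # 3. Signature verification (Equation 1 or 2 in the paper; stand-in here).
        if not self.verify(tup):
            return "drop: invalid signature"
        # 4. Exact re-broadcast inside the window: an addition to the paper's TS check.
        key = (tup.psid, tup.ts, tup.delta_m)
        if key in self.accepted:
            return "drop: replayed tuple"
        self.accepted.add(key)
        return "accept"


def demo():
    """Constructed traffic: one honest sender, one revoked sender, one tamperer."""
    now = 1_700_000_000
    honest, revoked = b"PsID-honest", b"PsID-revoked"
    rx = Receiver(crl=[revoked], verify=constructed_verify)
    fresh = make_tuple(honest, "hard braking ahead", now - 1)
    return [
        rx.accept(fresh, now),                                               # accept
        rx.accept(fresh, now + 2),                                           # replay within window
        rx.accept(make_tuple(honest, "hard braking ahead", now - 60), now),  # stale TS
        rx.accept(make_tuple(revoked, "hard braking ahead", now - 1), now),  # on CRL
        rx.accept(replace(fresh, m="road clear"), now),                      # modified m, old delta_m
    ]
```

The signature check runs before the duplicate check on purpose: a tuple whose $m$ was changed but whose $\delta_m$ was reused is reported as a modification rather than a replay, which matches the distinction the text draws between the two attacks.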
Resistance to side-channel attacks
Several schemes store the system's private key in the TPD of the OBU, since a misbehaving vehicle could otherwise compromise it. Nonetheless, an adversary can still obtain critical data stored in the TPD via a side-channel attack. To cope with this attack, our work regularly updates the pseudonym $Pdm$ in the TPD, where $Pdm = h_3(SP_{vi} \| ID_i)$. The pseudonym $Pdm$ of a vehicle is used frequently and repeatedly; if it were not continuously updated, a misbehaving vehicle would have ample opportunity to disclose and exploit the pseudonyms behind the safety-messages. In the proposed scheme, however, $Pdm$ is updated before an adversary can disclose and exploit it. For example, even if adversaries gain direct access to the vehicle's TPD and disclose the registered pseudonym $Pdm$ used to compute the safety-message-signature tuple $\{\sigma, PsID_i, m, TS, \delta_m\}$, the pseudonym is updated frequently and periodically (see Subsection IV-D), so the adversary cannot exploit the revealed previous pseudonym. Thus, our work successfully resists side-channel attacks.
C. Security Comparison
This section compares the design goals, in terms of security requirements, of the proposed scheme and the related schemes. Table 3 shows the comparison of security requirements. Let SR-1, SR-2, SR-3, SR-4, SR-5, SR-6 and SR-7 denote message integrity and authentication, identity privacy preservation, traceability and revocation, resistance to replay attacks, resistance to impersonation attacks, resistance to modification attacks, and resistance to side-channel attacks, respectively.
According to Table 3, none of the schemes of Jianhong et al. [23], He et al. [15], Bayat et al. [14], Al-shareeda et al. [16] and Al-shareeda et al. [17] satisfies all of the security requirements of the system, whereas the proposed scheme satisfies them completely.
Performance Evaluation
To address system overhead in terms of computation cost and communication cost, we present an analysis and comparison of the performance of the proposed scheme and the schemes of Jianhong et al. [23], Bayat et al. [14], He et al. [15], Al-shareeda et al. [16] and Al-shareeda et al. [17]. The computation cost concerns the cryptographic operations that have to be executed when signing and verifying messages, while the communication cost concerns the size of the safety-message-signature tuple, i.e. the combined size of its elements. The following subsections describe the computation cost and the communication cost in detail.
A. Computation Cost Analysis
A group
In He et al. [15] scheme,
As shown in Table 6, the computation cost of the proposed scheme improves by (2.0184 - 0.6738) /
B. Communication Cost Analysis
In this section, we present the performance evaluation in terms of communication cost. To ensure the same level of security in the proposed scheme and the compared schemes, we use the parameters presented in Table 5. The assumptions made in our work are consistent across the schemes: the size of a timestamp is 4 bytes and the size of the output of the secure hash function is 20 bytes. Table 8 presents the communication cost of the proposed scheme and the other schemes.
The tuple of safety-message-signature in the He et al. scheme [15] is (40 *
Conclusion and Future Work
In this paper, an efficient conditional privacy-preserving authentication scheme is proposed. Compared with other schemes, our scheme can resist the side-channel attack by periodically updating the critical data stored in the TPD of the vehicle's OBU. The proposed scheme is also shown to be secure during authentication according to the rules of BAN logic. The security analysis shows that the design goals regarding the security requirements are satisfied by our work. Finally, because the proposed scheme uses only the one-way hash function and ECC, its computation cost and communication cost are the lowest among the compared schemes.
In future work, experiments could be carried out on network-simulation platforms such as SUMO and OMNET++ to simulate road traffic and VANET networks, respectively.