# Secure Key Agreement and Authentication Protocol for Message Confirmation in Vehicular Cloud Computing

## Abstract

## 1. Introduction

## 2. Related Works

#### 2.1. Literature Reviews

#### 2.1.1. Authentication Protocol for Vehicle Communication

#### 2.1.2. Ideal TPD Limitation

#### 2.2. Network Model

- Vehicle: vehicles have embedded devices, sensors and wireless communication devices, such as velocity or location measurement equipment, Bluetooth, Wi-Fi, and an OBU. In particular, the OBU collects information generated by the sensors and devices. However, the OBU has relatively restricted memory. Therefore, the OBU sends the collected information to RSUs; subsequently, RSUs transmit the data to the vehicular cloud.
- RSU: RSUs are intermediary devices to transmit data between vehicles and the vehicular cloud. RSUs register with the trusted authority to generate a session key with vehicles. RSUs have more memory and computing performance than OBUs. Therefore, RSUs can obtain data from many vehicles. However, RSUs cannot store data from multiple vehicles. Therefore, RSUs send specific data to the vehicular cloud.
- Trusted authority: a trusted authority is the top-level entity, which an attacker can never attack. RSUs and vehicles must register with the trusted authority to generate the session key; the trusted authority, RSUs, and vehicles then perform mutual authentication.
- Vehicular cloud: a vehicular cloud is a storage server used to save a huge amount of data of different kinds within a VANET system. Each vehicle needs to collect and share the data with other vehicles. Therefore, the OBU collects data and communicates with other OBUs. However, OBUs have low computational performance and small storage space. Thus, vehicles send the data securely to RSUs and RSUs forward it to the vehicular cloud.

#### 2.3. Threat Model

- A malicious adversary can steal or obtain a legitimate user’s device, and perform side-channel attacks [22] to obtain key information stored in the device.
- A malicious adversary is able to masquerade as a legitimate user and trick authority entities in order to access resources.
- An adversary may obtain an authority entity’s secret key. Subsequently, the adversary can compute a previous session key to trick user or authority entities.

#### 2.4. Notations

## 3. Review of Limbasiya et al.’s Protocol

#### 3.1. Formation Phase

- **Step 1:** Vehicle ${v}_{i}$ chooses a unique identity $RI{D}_{i}$ and a password $PW{D}_{TP{D}_{i}}$, and generates a random number ${s}_{i}$. ${v}_{i}$ computes ${X}_{i}=(PW{D}_{TP{D}_{i}}\|{s}_{i})\oplus RI{D}_{i}$, and then sends $RI{D}_{i}$, ${X}_{i}$ to $TA$ through a secure channel.
- **Step 2:** After receiving $RI{D}_{i}$ and ${X}_{i}$, $TA$ calculates ${P}_{pr{i}_{i}}={s}_{i}\oplus P\oplus RI{D}_{i}$ and saves $\{P\}$ in $OB{U}_{i}$ and $\{{X}_{i},{P}_{pr{i}_{i}}\}$ in $TP{D}_{i}$. Subsequently, $TA$ sends $OB{U}_{i}$ and $TP{D}_{i}$ to ${v}_{i}$ via a secure channel.

#### 3.2. Key Generation Phase

- **Step 1:** ${v}_{i}$ inserts $RI{D}_{i}$ and $PW{D}_{TP{D}_{i}}$ into $TP{D}_{i}$.
- **Step 2:** $TP{D}_{i}$ then computes ${s}_{i}=P\oplus RI{D}_{i}\oplus {P}_{pr{i}_{i}}$ and ${X}_{i}^{\prime}=(PW{D}_{TP{D}_{i}}\|{s}_{i})\oplus RI{D}_{i}$, and compares ${X}_{i}^{\prime}$ with the ${X}_{i}$ stored in itself.
- **Step 3:** If they are the same, $TP{D}_{i}$ selects a random number ${r}_{i}$ and computes $I{D}_{1}={r}_{i}\cdot P$, $I{D}_{2}=RI{D}_{i}\oplus h({r}_{i}\cdot {P}_{pr{i}_{i}})$ and $I{D}_{i+2}=h(I{D}_{1}\|I{D}_{2})$. Then $TP{D}_{i}$ generates the session key $S{K}_{RI{D}_{i}}={s}_{i}\oplus h(I{D}_{i+2}\|{T}_{1})\oplus I{D}_{RS{U}_{j}}$ and transmits the session key to the concerned $RSU$.

#### 3.3. Message Signature and Confirmation Phase of Limbasiya et al.’s Protocol

- **Step 1:** To sign the message, $TP{D}_{i}$ computes ${\sigma}_{i}=S{K}_{RI{D}_{i}}\oplus h({M}_{i}\|{T}_{1})$ and ${M}_{i}^{\prime}=S{K}_{RI{D}_{i}}\oplus {M}_{i}\oplus {T}_{1}\oplus RI{D}_{i}\oplus I{D}_{RS{U}_{j}}$. Subsequently, $TP{D}_{i}$ sends the message $\{I{D}_{i+2},RI{D}_{i},{\sigma}_{i},{M}_{i}^{\prime},{T}_{1}\}$ to the concerned $RS{U}_{j}$.
- **Step 2:** After receiving the message, $RS{U}_{j}$ computes ${M}_{i}=S{K}_{RI{D}_{i}}\oplus {M}_{i}^{\prime}\oplus {T}_{1}\oplus RI{D}_{i}\oplus I{D}_{RS{U}_{j}}$ and ${\sigma}_{i}^{\prime}=S{K}_{RI{D}_{i}}\oplus h({M}_{i}\|{T}_{1})$.
- **Step 3:** Then, $RS{U}_{j}$ compares ${\sigma}_{i}$ with ${\sigma}_{i}^{\prime}$. If they are equal, $RS{U}_{j}$ uses ${M}_{i}$ for future computations. Additionally, for batch verification, $RS{U}_{j}$ checks correctness with the following equation:

$$(\sum _{i=1}^{n}{v}_{i}\cdot {\sigma}_{i})=\sum _{i=1}^{n}{v}_{i}\cdot S{K}_{RI{D}_{i}}\oplus \sum _{i=1}^{n}{v}_{i}\cdot h({M}_{i}\|{T}_{1})$$

## 4. Cryptanalysis of Limbasiya et al.’s Protocol

#### 4.1. Correctness Problem

#### 4.2. Session Key Disclosure Attack

- **Step 1:** $\mathcal{A}$ can obtain $P$ from $OB{U}_{i}$ and ${X}_{i},{P}_{pr{i}_{i}}$ from $TP{D}_{i}$ using a side-channel attack. $\mathcal{A}$ can also obtain the value $RI{D}_{i}$ from the transmitted message. Subsequently, $\mathcal{A}$ can compute ${s}_{i}=P\oplus RI{D}_{i}\oplus {P}_{pr{i}_{i}}$.
- **Step 2:** $\mathcal{A}$ can obtain $I{D}_{i+2}$ and ${T}_{1}$ from transmitted messages, and $\mathcal{A}$ obtains the value $I{D}_{RS{U}_{j}}$, which is a public value. Therefore, $\mathcal{A}$ can compute $S{K}_{RI{D}_{i}}={s}_{i}\oplus h(I{D}_{i+2}\|{T}_{1})\oplus I{D}_{RS{U}_{j}}$.
- **Step 3:** Finally, $\mathcal{A}$ obtains the previous session key $S{K}_{RI{D}_{i}}$ and can trick other OBUs or RSUs.
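
The design flaw behind Section 4.2 can be checked mechanically: the key in Section 3.2 is a fixed XOR of values that are either stored on the device or sent in clear. The sketch below is an added example, not code from the paper; SHA-256 for $h(\cdot)$, 32-byte encodings for every value (including the stand-in for the curve point $P$) and all sample identities are assumptions made so that the XORs are well defined.

```python
import hashlib
import secrets

N = 32  # assumption: every protocol value is a 32-byte string so XOR is defined


def h(*parts: bytes) -> bytes:
    """h(.) from the notation table, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(*vals: bytes) -> bytes:
    out = bytes(N)
    for v in vals:
        if len(v) != N:
            raise ValueError("operands must be N bytes")
        out = bytes(a ^ b for a, b in zip(out, v))
    return out


def formation(rid: bytes, P: bytes):
    """Section 3.1: TA derives P_pri_i = s_i xor P xor RID_i and provisions the devices."""
    s_i = secrets.token_bytes(N)
    return s_i, {"P": P}, {"P_pri": xor(s_i, P, rid)}   # (s_i, OBU store, TPD store)


def tpd_session_key(s_i, id_i2, t1, id_rsu):
    """Section 3.2, Step 3: SK = s_i xor h(ID_{i+2} || T_1) xor ID_RSU_j."""
    return xor(s_i, h(id_i2, t1), id_rsu)


def recompute_sk(obu, tpd, rid, id_i2, t1, id_rsu):
    """Section 4.2: the same SK from stored values plus fields sent in clear.
    Neither the password nor any per-session secret appears in the inputs."""
    s_i = xor(obu["P"], rid, tpd["P_pri"])               # Step 1
    return xor(s_i, h(id_i2, t1), id_rsu)                # Step 2


def audit_sessions(n_sessions: int = 5) -> int:
    """Count recorded sessions whose key is recomputable (constructed data)."""
    rid = h(b"RID-constructed")          # sent in every confirmation message
    id_rsu = h(b"RSU-constructed")       # public value
    P = h(b"generator-stand-in")         # stands in for the curve point P
    s_i, obu, tpd = formation(rid, P)
    hits = 0
    for n in range(n_sessions):
        id_i2 = secrets.token_bytes(N)                   # h(ID_1 || ID_2), on the wire
        t1 = (1_600_000_000 + n).to_bytes(8, "big")      # timestamp T_1
        real = tpd_session_key(s_i, id_i2, t1, id_rsu)
        hits += real == recompute_sk(obu, tpd, rid, id_i2, t1, id_rsu)
    return hits
```

Every session in the constructed log yields a recomputable key, which is why the protocol in Section 5 derives $SK$ from fresh per-session random numbers instead.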

#### 4.3. Impersonation Attack

- **Step 1:** $\mathcal{A}$ can obtain ${M}_{i}^{\prime}$ from the transmitted message and compute the previous session key as in the session key disclosure attack above. Subsequently, $\mathcal{A}$ can compute ${M}_{i}=S{K}_{RI{D}_{i}}\oplus {M}_{i}^{\prime}\oplus {T}_{1}\oplus RI{D}_{i}\oplus I{D}_{RS{U}_{j}}$.
- **Step 2:** $\mathcal{A}$ can also compute ${\sigma}_{i}=S{K}_{RI{D}_{i}}\oplus h({M}_{i}\|{T}_{1})$.
- **Step 3:** Finally, $\mathcal{A}$ can generate the confirmation request message $\{I{D}_{i+2},RI{D}_{i},{\sigma}_{i},{M}_{i}^{\prime},{T}_{1}\}$ to impersonate the vehicle.

#### 4.4. Privacy Preserving Problem

#### 4.5. Mutual Authentication

## 5. Secure Key Agreement and Authentication Protocol for VCC

#### 5.1. Registration Phase

- **Step 1:** Vehicle ${v}_{i}$ chooses an identity $I{D}_{i}$, a password $P{W}_{i}$ and a random number ${b}_{i}$. The vehicle computes $P{E}_{i}=h(P{W}_{i}\|{b}_{i})$ and $B{E}_{i}={b}_{i}\oplus h(I{D}_{i}\|P{W}_{i})$. ${v}_{i}$ sends the message $\{I{D}_{i},P{W}_{i},P{E}_{i},B{E}_{i}\}$ to $TA$.
- **Step 2:** $TA$ has a master key $x$ and a secret key $y$. After receiving the registration request message from ${v}_{i}$, $TA$ generates random numbers ${a}_{i}$ and ${s}_{i}$ for the vehicle. Subsequently, $TA$ calculates $A{E}_{i}=h(I{D}_{i}\|P{E}_{i})\oplus {a}_{i}$, $HI{D}_{i}=h(I{D}_{i}\|P{W}_{i}\|{a}_{i})$, $HP{W}_{i}=h(HI{D}_{i}\|P{W}_{i})$, $M{V}_{i}=h(HI{D}_{i}\|h(x\|y))$, ${A}_{i}=HP{W}_{i}\oplus {s}_{i}$, ${V}_{i}=M{V}_{i}\oplus {s}_{i}$ and $V{S}_{i}=h(HI{D}_{i}\|M{V}_{i}\|{s}_{i})$. Afterwards, $TA$ saves ${A}_{i},V{I}_{i},A{E}_{i},B{E}_{i}$ and $V{S}_{i}$ in $OB{U}_{i}$, and then sends $OB{U}_{i}$ to the vehicle through a closed channel.
- **Step 3:** Road-side unit $RS{U}_{j}$ chooses $I{D}_{RS{U}_{j}}$ and a random nonce ${a}_{j}$ and sends these values to $TA$ via a closed channel.
- **Step 4:** When $TA$ receives the values from $RS{U}_{j}$, $TA$ calculates $R{A}_{j}=h(I{D}_{RS{U}_{j}}\|{a}_{j})$ and $R{B}_{j}=h(R{A}_{j}\|h(x\|y))$. Subsequently, $TA$ sends the message $\{R{A}_{j},R{B}_{j}\}$ to $RS{U}_{j}$ via a secure channel.

#### 5.2. Key Agreement and Authentication Phase

- **Step 1:** Vehicle ${v}_{i}$ inputs $I{D}_{i}$ and $P{W}_{i}$. Subsequently, ${v}_{i}$ extracts ${b}_{i}=B{E}_{i}\oplus h(I{D}_{i}\|P{W}_{i})$ using the value $B{E}_{i}$ stored in $OB{U}_{i}$. ${v}_{i}$ calculates $P{E}_{i}=h(P{W}_{i}\|{b}_{i})$, ${a}_{i}=A{E}_{i}\oplus h(I{D}_{i}\|P{E}_{i})$, $HI{D}_{i}=h(I{D}_{i}\|P{W}_{i}\|{a}_{i})$, $HP{W}_{i}=h(HI{D}_{i}\|P{W}_{i})$, ${s}_{i}=HP{W}_{i}\oplus {A}_{i}$, $M{V}_{i}=V{I}_{i}\oplus {s}_{i}$ and $V{S}_{i}^{\prime}=h(HI{D}_{i}\|M{V}_{i}\|{s}_{i})$. Then, ${v}_{i}$ checks whether $V{S}_{i}^{\prime}\stackrel{?}{=}V{S}_{i}$. If valid, ${v}_{i}$ selects a random number ${r}_{i}$ and computes $Aut{h}_{1}=h({r}_{i}\|M{V}_{i})$ and ${M}_{1}=M{V}_{i}\oplus {r}_{i}$. Finally, ${v}_{i}$ sends the message $\{Aut{h}_{1},{M}_{1},HI{D}_{i}\}$ to the concerned $RS{U}_{j}$ via an insecure channel.
- **Step 2:** $RS{U}_{j}$ selects ${r}_{j}$, and computes ${B}_{i}=R{B}_{j}\oplus {r}_{j}$ and $Aut{h}_{2}=h(I{D}_{RS{U}_{j}}\|R{B}_{j}\|{r}_{j})$. Then, $RS{U}_{j}$ sends the values $\{Aut{h}_{1},{M}_{1},HI{D}_{i},{B}_{i},R{A}_{j},Aut{h}_{2}\}$ to $TA$ via an insecure channel.
- **Step 3:** When $TA$ receives the message from $RS{U}_{j}$, $TA$ computes $M{V}_{i}^{\prime}=h(HI{D}_{i}\|h(x\|y))$, ${r}_{i}={M}_{1}\oplus M{V}_{i}$ and $Aut{h}_{1}^{\prime}=h({r}_{i}\|M{V}_{i})$. Then, $TA$ compares $Aut{h}_{1}^{\prime}$ and $Aut{h}_{1}$. If they are equal, $TA$ extracts the values $R{B}_{j}=h(R{A}_{j}\|h(x\|y))$ and ${r}_{j}=R{B}_{j}\oplus {B}_{i}$. $TA$ computes $Aut{h}_{2}^{\prime}=h(I{D}_{RS{U}_{j}}\|R{B}_{j}\|{r}_{j})$ and compares it with $Aut{h}_{2}$. If they are the same, $TA$ generates a new secret key ${y}_{new}$. $TA$ computes $R{B}_{jnew}=h(R{A}_{j}\|h(x\|{y}_{new}))$, ${C}_{i}=R{B}_{j}\oplus {r}_{i}$, ${D}_{i}=M{V}_{i}\oplus {r}_{j}$, ${E}_{i}=R{B}_{jnew}\oplus {r}_{j}$, $Aut{h}_{3}=h(R{B}_{j}\|{r}_{i})$ and $Aut{h}_{4}=h(M{V}_{i}\|{r}_{j})$. Finally, $TA$ sends the message $\{{C}_{i},{D}_{i},{E}_{i},Aut{h}_{3},Aut{h}_{4}\}$ to $RS{U}_{j}$ through an open channel.
- **Step 4:** After receiving the values from $TA$, $RS{U}_{j}$ extracts ${r}_{i}=R{B}_{j}\oplus {C}_{i}$ and $R{B}_{jnew}={r}_{j}\oplus {E}_{i}$, and computes $Aut{h}_{3}^{\prime}=h(R{B}_{j}\|R{B}_{jnew}\|{r}_{i})$. Then $RS{U}_{j}$ checks whether $Aut{h}_{3}^{\prime}$ and $Aut{h}_{3}$ are equal. If they are equal, $RS{U}_{j}$ updates $R{B}_{j}$ to $R{B}_{jnew}$ and generates the session key $SK=h({r}_{i}\|{r}_{j})$. $RS{U}_{j}$ sends the message $\{{D}_{i},Aut{h}_{4}\}$ to ${v}_{i}$ via a public channel.
- **Step 5:** ${v}_{i}$ extracts the value ${r}_{j}=M{V}_{i}\oplus {D}_{i}$, computes $Aut{h}_{4}^{\prime}=h(M{V}_{i}\|{r}_{j})$ and checks whether $Aut{h}_{4}^{\prime}$ and $Aut{h}_{4}$ are the same. If they are equal, ${v}_{i}$ computes the session key $SK=h({r}_{i}\|{r}_{j})$. Finally, ${v}_{i}$ and the concerned $RS{U}_{j}$ have the same session key.
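
The registration steps of Section 5.1 and the five-step exchange above, run end to end between one vehicle, one RSU and the TA. This is an added sketch, not the authors' implementation: SHA-256 for $h(\cdot)$, 32-byte random numbers, the sample identities and passing the public $I{D}_{RS{U}_{j}}$ to the TA alongside the Step 2 message are assumptions, and $Aut{h}_{3}$ is checked in the form Step 3 builds it, $h(R{B}_{j}\|{r}_{i})$.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """h(.) over the concatenation of its inputs; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != 32 or len(b) != 32:
        raise ValueError("XOR operands must both be 32 bytes")
    return bytes(p ^ q for p, q in zip(a, b))

def rnd() -> bytes:
    return secrets.token_bytes(32)

def check(expected: bytes, got: bytes, who: str) -> None:
    if not hmac.compare_digest(expected, got):       # constant-time comparison
        raise ValueError(who + " verification failed")

class TA:
    def __init__(self):
        self.x, self.y = rnd(), rnd()                # master key x, secret key y
        self.hxy = h(self.x, self.y)

    def register_vehicle(self, ID, PW, PE, BE):      # 5.1 Step 2
        a, s = rnd(), rnd()
        HID = h(ID, PW, a)
        MV = h(HID, self.hxy)
        return {"A": xor(h(HID, PW), s), "VI": xor(MV, s), "AE": xor(h(ID, PE), a),
                "BE": BE, "VS": h(HID, MV, s)}       # contents of OBU_i

    def register_rsu(self, ID_rsu, a_j):             # 5.1 Steps 3-4
        RA = h(ID_rsu, a_j)
        return {"ID": ID_rsu, "RA": RA, "RB": h(RA, self.hxy)}

    def authenticate(self, Auth1, M1, HID, B, RA, Auth2, ID_rsu):   # 5.2 Step 3
        MV = h(HID, self.hxy)
        r_i = xor(M1, MV)
        check(Auth1, h(r_i, MV), "Auth1")
        RB = h(RA, self.hxy)
        r_j = xor(RB, B)
        check(Auth2, h(ID_rsu, RB, r_j), "Auth2")
        # y_new only feeds RB_jnew here; how TA stores it is not specified on the page
        RB_new = h(RA, h(self.x, rnd()))
        return xor(RB, r_i), xor(MV, r_j), xor(RB_new, r_j), h(RB, r_i), h(MV, r_j)

def vehicle_register(ID, PW):                        # 5.1 Step 1
    b = rnd()
    return h(PW, b), xor(b, h(ID, PW))               # PE_i, BE_i

def vehicle_login(obu, ID, PW):                      # 5.2 Step 1
    b = xor(obu["BE"], h(ID, PW))
    a = xor(obu["AE"], h(ID, h(PW, b)))
    HID = h(ID, PW, a)
    s = xor(h(HID, PW), obu["A"])
    MV = xor(obu["VI"], s)
    check(obu["VS"], h(HID, MV, s), "local VS")      # a wrong ID or PW stops here
    r_i = rnd()
    return {"MV": MV, "r_i": r_i}, (h(r_i, MV), xor(MV, r_i), HID)

def rsu_request(rsu):                                # 5.2 Step 2
    r_j = rnd()
    return r_j, xor(rsu["RB"], r_j), h(rsu["ID"], rsu["RB"], r_j)   # r_j, B_i, Auth2

def run_session(ta, obu, rsu, ID, PW):
    """Return (SK at the vehicle, SK at the RSU) for one run of Section 5.2."""
    st, (Auth1, M1, HID) = vehicle_login(obu, ID, PW)
    r_j, B, Auth2 = rsu_request(rsu)
    C, D, E, Auth3, Auth4 = ta.authenticate(Auth1, M1, HID, B,
                                            rsu["RA"], Auth2, rsu["ID"])
    r_i = xor(rsu["RB"], C)                          # 5.2 Step 4 at the RSU
    check(Auth3, h(rsu["RB"], r_i), "Auth3")         # Step 3 form of Auth3 (assumption)
    rsu["RB"] = xor(r_j, E)                          # RB_j <- RB_jnew
    sk_rsu = h(r_i, r_j)
    r_j_v = xor(st["MV"], D)                         # 5.2 Step 5 at the vehicle
    check(Auth4, h(st["MV"], r_j_v), "Auth4")
    return h(st["r_i"], r_j_v), sk_rsu

def setup(ID=b"vehicle-001", PW=b"constructed-password"):
    """Register one vehicle and one RSU using constructed sample values."""
    ta = TA()
    PE, BE = vehicle_register(ID, PW)
    return ta, ta.register_vehicle(ID, PW, PE, BE), ta.register_rsu(b"rsu-17", rnd())
```

Both sides end with $SK=h({r}_{i}\|{r}_{j})$, and neither ${r}_{i}$ nor ${r}_{j}$ is stored in the OBU or sent unmasked, which is the property the Section 3 scheme lacked.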

#### 5.3. Message Signature and Message Confirmation Phase

- **Step 1:** To sign the information ${M}_{i}$, ${v}_{i}$ computes ${\sigma}_{i}=SK\oplus h({M}_{i}\|{T}_{1})$ and ${M}_{i}^{\prime}=SK\oplus {M}_{i}\oplus {T}_{1}\oplus I{D}_{RS{U}_{j}}$ and sends the message $\{{\sigma}_{i},{M}_{i}^{\prime},{T}_{1}\}$ to the concerned $RS{U}_{j}$.
- **Step 2:** After receiving the message, $RS{U}_{j}$ extracts the information ${M}_{i}=SK\oplus {M}_{i}^{\prime}\oplus {T}_{1}\oplus I{D}_{RS{U}_{j}}$, computes ${\sigma}_{i}^{\prime}=SK\oplus h({M}_{i}\|{T}_{1})$ and checks whether ${\sigma}_{i}$ and ${\sigma}_{i}^{\prime}$ are equal. If they are the same, $RS{U}_{j}$ uses the information ${M}_{i}$ for future computations. Additionally, for batch verification, $RS{U}_{j}$ checks correctness with the following equation:

$$(\sum _{i=1}^{n}{v}_{i}\cdot {\sigma}_{i})=\sum _{i=1}^{n}{v}_{i}\cdot SK\oplus \sum _{i=1}^{n}{v}_{i}\cdot h({M}_{i}\|{T}_{1})$$

## 6. Security Analysis

#### 6.1. ROR Model

#### Short Discussion about ROR Model

**Theorem 1.**

**Proof.**

**Game** $G{M}_{0}$: In this game, $\mathcal{A}$ chooses a random bit $c$. This game models a practical attack executed by $\mathcal{A}$ against the protocol in the ROR model. Because $G{M}_{0}$ and the protocol are identical, we get

$$Ad{v}_{P}=|2\cdot Pr\left[Suc{c}_{0}\right]-1|.$$

**Game** $G{M}_{1}$: In this game, $\mathcal{A}$ eavesdrops on all messages transmitted during the key generation and message confirmation process of the proposed protocol using the $Execute$ query. At the end of this game, $\mathcal{A}$ makes $Reveal$ and $Test$ queries. The output of the $Reveal$ and $Test$ queries decides whether $\mathcal{A}$ obtains the derived session key $SK$ between ${v}_{i}$ and $RS{U}_{j}$ or a random number. In our proposed protocol, ${v}_{i}$ and $RS{U}_{j}$ compute the session key as $SK=h({r}_{i}\|{r}_{j})$. To derive $SK$, $\mathcal{A}$ needs the short-term (temporal) secrets ${r}_{i}$ and ${r}_{j}$, which are unknown to $\mathcal{A}$. The transmitted messages therefore do not help to increase the winning probability. As the games $G{M}_{0}$ and $G{M}_{1}$ are indistinguishable, we get

$$Pr\left[Suc{c}_{1}\right]=Pr\left[Suc{c}_{0}\right].$$

**Game** $G{M}_{2}$: This game is modeled as an active attack which includes the simulation of $Hash$ and $Send$ queries. In the proposed protocol, all of the messages are protected by the collision-resistant one-way hash function except ${M}_{1},{B}_{j},{C}_{i}$ and ${D}_{i}$. However, random numbers are used in the values ${M}_{1},{B}_{j},{C}_{i}$ and ${D}_{i}$. Furthermore, deriving ${r}_{i}$ from the intercepted $Aut{h}_{1}$, ${C}_{i}$, and ${M}_{1}$, and ${r}_{j}$ from the intercepted ${B}_{i}$, $Aut{h}_{2}$, ${D}_{i}$, and $Aut{h}_{4}$, is computationally infeasible because of the collision-resistant property of the hash function. Therefore, no collision occurs when $\mathcal{A}$ executes the $Hash$ query. Using the birthday paradox results, we have

$$|Pr\left[Suc{c}_{2}\right]-Pr\left[Suc{c}_{1}\right]|\le \frac{{q}_{h}^{2}}{2\left|Hash\right|}.$$

**Game** $G{M}_{3}$: This is the final game, in which $\mathcal{A}$ executes the $CorruptOBU$ query. $\mathcal{A}$ can extract all the information $\{{A}_{i},{V}_{i},A{E}_{i},B{E}_{i},V{S}_{i}\}$ from the OBU of ${v}_{i}$. Note that $HP{W}_{i}=h(HI{D}_{i}\|P{W}_{i})$, $A{E}_{i}=h(I{D}_{i}\|P{E}_{i})\oplus {a}_{i}$, $P{E}_{i}=h(P{W}_{i}\|{b}_{i})$, $B{E}_{i}={b}_{i}\oplus h(I{D}_{i}\|P{W}_{i})$, and $V{S}_{i}=h(HI{D}_{i}\|M{V}_{i}\|{s}_{i})$. To derive the secrets ${s}_{i}$, ${a}_{i}$, and ${b}_{i}$ from ${A}_{i}$, $V{I}_{i}$, $B{E}_{i}$, and $A{E}_{i}$, $\mathcal{A}$ needs the unknown $I{D}_{i}$ and $P{W}_{i}$. Without the secret credentials ${b}_{i}$, $I{D}_{i}$, and $P{W}_{i}$ of ${v}_{i}$, it is computationally difficult for $\mathcal{A}$ to guess the password $P{W}_{i}$ of ${v}_{i}$ correctly using the $Send$ queries. $G{M}_{2}$ and $G{M}_{3}$ are identical when the password guessing attack is absent. Therefore, using Zipf’s law on passwords, we obtain

$$|Pr\left[Suc{c}_{3}\right]-Pr\left[Suc{c}_{2}\right]|\le {C}^{\prime}\cdot {q}_{send}^{{s}^{\prime}}.$$

#### 6.2. Formal Security Analysis through AVISPA

#### 6.2.1. Proposed Protocol’s HLPSL Code

#### 6.2.2. Results of Verification

#### 6.3. Informal Analysis

#### 6.3.1. Vehicle Impersonation Attack

#### 6.3.2. Side Channel Attack over OBU

#### 6.3.3. Off-Line Guessing Attack

#### 6.3.4. Man-in-the-Middle Attack and Replay Attack

#### 6.3.5. Session Key Disclosure Attack

#### 6.3.6. Trace Attack and Privacy-Preserving

#### 6.3.7. Mutual Authentication

## 7. Performance Analysis

#### 7.1. Computation Cost

- ${T}_{bp}$: Time for bilinear pairing operation (≈4.2110 ms)
- ${T}_{bpsm}$: Time for small scale multiplication related to bilinear pairing (≈1.7090 ms)
- ${T}_{MPH}$: Time for map-to-point hash operation (≈4.406 ms)
- ${T}_{h}$: Time for one-way hash operation (≈0.0001 ms)
- ${T}_{sem}$: Time for small scale multiplication related to ECC (≈0.0138 ms)
- ${T}_{ea}$: Time for point addition related to ECC (≈0.0018 ms)

#### 7.2. Communication Cost and Storage Cost

#### 7.3. Energy Consumption

#### 7.4. Propagation Delay

#### 7.5. Security Properties

## 8. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Zhang, L.; Wu, Q.; Domingo-Ferrer, J.; Qin, B.; Hu, C. Distributed aggregate privacy-preserving authentication in VANETs. IEEE Trans. Intell. Transp. Syst. **2017**, 18, 516–526.
2. Zhang, J.; Cui, J.; Zhong, H.; Chen, Z.; Liu, L. PA-CRT: Chinese Remainder Theorem Based Conditional Privacy-preserving Authentication Scheme in Vehicular Ad-hoc Networks. IEEE Trans. Dependable Secur. Comput. **2019**.
3. Liu, Z.; Xiong, L.; Peng, T.; Peng, D.; Liang, H. A realistic distributed conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Access **2018**, 6, 26307–26317.
4. Limbasiya, T.; Das, D. Secure message confirmation scheme based on batch verification in vehicular cloud computing. Physical Commun. **2019**, 34, 310–320.
5. Wazid, M.; Das, A.K.; Kumar, N.; Odelu, V.; Reddy, A.G.; Park, K.; Park, Y. Design of lightweight authentication and key agreement protocol for vehicular ad hoc networks. IEEE Access **2017**, 5, 14966–14980.
6. Kim, M.; Park, K.; Yu, S.; Lee, J.; Park, Y.; Lee, S.-W.; Chung, B. A Secure Charging System for Electric Vehicles Based on Blockchain. Sensors **2019**, 19, 3028.
7. Lee, J.; Yu, S.; Kim, M.; Park, Y.; Das, A.K. On the Design of Secure and Efficient Three-Factor Authentication Protocol Using Honey List for Wireless Sensor Networks. IEEE Access **2020**, 8, 107046–107062.
8. Yu, S.; Lee, J.; Park, Y.; Park, Y.; Lee, S.; Chung, B. A Secure and Efficient Three-Factor Authentication Protocol in Global Mobility Networks. Appl. Sci. **2020**, 10, 3565.
9. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y.H. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. **2019**, 6, 8804–8817.
10. Lin, X.; Sun, X.; Ho, P.; Shen, X. GSIS: A secure and privacy-preserving protocol for vehicular communications. IEEE Trans. Veh. Technol. **2007**, 56, 3442–3456.
11. Zhang, C.; Ho, P.; Tapolcai, J. On batch verification with group testing for vehicular communications. Wirel. Netw. **2011**, 17, 1851–1865.
12. Lee, C.C.; Lai, Y.M. Toward a secure batch verification with group testing for VANET. Wirel. Netw. **2013**, 19, 1441–1449.
13. Jianhong, Z.; Min, X.; Liying, L. On the security of a secure batch verification with group testing for VANET. Int. J. Netw. Secur. **2014**, 16, 351–358.
14. Bayat, M.; Barmshoory, M.; Rahimi, M.; Aref, M.R. A secure authentication scheme for VANETs with batch verification. Wirel. Netw. **2015**, 21, 1733–1743.
15. He, D.; Zeadally, S.; Xu, B.; Huang, X. An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 2681–2691.
16. Zhong, H.; Wen, J.; Cui, J.; Zhang, S. Efficient conditional privacy-preserving and authentication scheme for secure service provision in VANET. Tsinghua Sci. Technol. **2016**, 21, 620–629.
17. Chuang, C.M.; Lee, F.J. TEAM: Trust-extended authentication mechanism for vehicular ad hoc networks. IEEE Syst. J. **2014**, 8, 749–758.
18. Zhou, Y.; Zhao, X.; Jiang, Y.; Shang, F.; Deng, S.; Wang, X. An enhanced privacy-preserving authentication scheme for vehicle sensor network. Sensors **2017**, 17, 2854.
19. Wu, L.; Sun, Q.; Wang, X.; Wang, J.; Yu, S.; Zou, Y.; Liu, B.; Zhu, Z. An Efficient Privacy-Preserving Mutual Authentication Scheme for Secure V2V Communication in Vehicular Ad Hoc Network. IEEE Access **2019**, 7, 55050–55063.
20. Kenney, J. Dedicated short-range communications (DSRC) standards in the United States. Proc. IEEE **2011**, 99, 1162–1182.
21. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory **1983**, 29, 198–208.
22. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology; Springer Science + Business Media: Berlin, Germany; New York, NY, USA, 1999; pp. 388–397.
23. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 17 July 2019).
24. SPAN: A Security Protocol Animator for AVISPA. Available online: http://www.avispa-project.org/ (accessed on 17 July 2019).
25. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password based authenticated key exchange in the three-party setting. In Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography; Springer: Les Diablerets, Switzerland, 2005; pp. 65–84.
26. Park, K.; Park, Y.; Das, A.K.; Yu, S.; Lee, J.; Park, Y. A dynamic privacy-preserving key management protocol for V2G in social Internet of Things. IEEE Access **2019**, 7, 76812–76832.
27. Park, K.; Noh, S.; Lee, H.; Das, A.K.; Kim, M.; Park, Y.; Wazid, M. LAKS-NVT: Provably Secure and Lightweight Authentication and Key Agreement Scheme without Verification Table in Medical Internet of Things. IEEE Access **2020**, 8, 119387–119404.
28. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. **2017**, 12, 2776–2791.
29. Yu, S.; Park, K.; Park, Y. A secure lightweight three-Factor authentication scheme for IoT in cloud computing environment. Sensors **2019**, 19, 3598.
30. Park, Y.; Park, K.; Lee, K.; Song, H.; Park, Y. Security analysis and enhancements of an improved multi-factor biometric authentication scheme. Int. J. Distrib. Sens. Netw. **2017**, 13, 1–12.
31. Lee, J.; Yu, S.; Park, K.; Park, Y.; Park, Y. Secure three-factor authentication protocol for multi-gateway IoT environments. Sensors **2019**, 19, 2358.
32. Basin, D.; Modersheim, S.; Vigano, L. OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. **2005**, 4, 181–208.
33. Turuani, M. The CL-Atse protocol analyser. In Proceedings of the International Conference on Rewriting Techniques and Applications (RTA), Seattle, WA, USA, 12–14 August 2006; pp. 227–286.
34. Cui, J.; Zhang, J.; Zhong, H.; Xu, Y. SPACF: A secure privacy-preserving authentication scheme for VANET with cuckoo filter. IEEE Trans. Veh. Tech. **2017**, 66, 10283–10295.
35. Mir, Z.H.; Fethi, F. LTE and IEEE 802.11 p for vehicular networking: A performance evaluation. EURASIP J. Wirel. Commun. Netw. **2014**, 1, 89.
36. He, D.; Chen, C.; Chan, S.; Bu, J. Secure and efficient handover authentication based on bilinear pairing functions. IEEE Trans. Wirel. Commun. **2012**, 11, 48–53.
37. Mostafa, A.; Vegni, A.M.; Singoria, R.; Oliveira, T.; Little, T.D.; Agrawal, D.P. A V2X-based approach for reduction of delay propagation in Vehicular Ad-Hoc Networks. In Proceedings of the 2011 11th International Conference on ITS Telecommunications (ITST), St. Petersburg, Russia, 23–25 August 2011; pp. 756–761.

**Figure 10.**Result of Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation using On-the-fly Model-Checker (OFMC) and CL-based Attack Searcher (CL-AtSe) models.

| Notations | Meanings |
|---|---|
| $OBU$ | On board unit |
| $TPD$ | Tamper-proof device |
| $P$ | Elliptic curve generator |
| ${P}_{pr{i}_{i}}$ | A server private key |
| ${s}_{i},{a}_{i},{b}_{i},{r}_{i},{r}_{j},{a}_{j}$ | Selected random numbers |
| $RI{D}_{i},I{D}_{i}$ | Registered vehicle identity |
| $I{D}_{RS{U}_{j}}$ | Road-side unit identity |
| $P{W}_{TP{D}_{i}},P{W}_{i}$ | Registered vehicle password |
| ${v}_{i}$ | Vehicle $i$ in the network |
| $RSU$ | Road-side unit |
| $TA$ | Trusted authority |
| $h(\cdot)$ | Hash function |
| $\parallel$ | Connection symbol |
| $\oplus$ | XOR operator |

| Query | Meaning |
|---|---|
| $Execute({P}_{{v}_{i}}^{{t}^{1}},{P}_{RS{U}_{j}}^{{t}^{2}},{P}_{TA}^{{t}^{3}})$ | This query models an eavesdropping attack on the messages exchanged between the entities ${v}_{i}$, $RS{U}_{j}$ and $TA$ via insecure channels. |
| $CorruptOBU({P}_{{v}_{i}}^{{t}^{1}})$ | Under this corrupt on-board-unit (OBU) query, $\mathcal{A}$ can fetch all sensitive credentials stored in the OBU of ${v}_{i}$. This is modeled as an active attack. |
| $Send({P}^{t})$ | Under this query, $\mathcal{A}$ can transmit a message to ${P}^{t}$, and in response, it also receives a message from ${P}^{t}$. This is also modeled as an active attack. |
| $Reveal({P}^{t})$ | This query reveals to $\mathcal{A}$ the session key $SK$ created by ${P}^{t}$ and its partner in the current session. |
| $Test({P}^{t})$ | Before the game begins, under this query, an unbiased coin $c$ is flipped. Depending on the output, the following decisions are made. $\mathcal{A}$ executes this query and, if the session key $SK$ between ${v}_{i}$ and $RS{U}_{j}$ is fresh, ${P}^{t}$ returns $SK$ if $c=1$ or a random nonce if $c=0$; otherwise, it returns a null value ($\perp$). |

| Protocols | Computational Complexity | Total Cost |
|---|---|---|
| Jianhong et al. [13] | ${T}_{bpsm}+3{T}_{bp}+{T}_{MPH}$ | 18.748 ms |
| Zhong et al. [16] | $5{T}_{sem}+3{T}_{h}+{T}_{ea}$ | 0.0711 ms |
| Limbasiya et al. [4] | $4{T}_{h}+2{T}_{sem}$ | 0.0280 ms |
| Ours | $22{T}_{h}$ | 0.0022 ms |

| Protocols | Communication Cost | Storage Cost | Total Memory |
|---|---|---|---|
| Jianhong et al. [13] | 132 bytes | 528 bytes | 660 bytes |
| Zhong et al. [16] | 100 bytes | 136 bytes | 236 bytes |
| Limbasiya et al. [4] | 124 bytes | 32 bytes | 156 bytes |
| Ours | 100 bytes | 224 bytes | 324 bytes |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Lee, J.; Yu, S.; Kim, M.; Park, Y.; Lee, S.; Chung, B.
Secure Key Agreement and Authentication Protocol for Message Confirmation in Vehicular Cloud Computing. *Appl. Sci.* **2020**, *10*, 6268.
https://doi.org/10.3390/app10186268

**Chicago/Turabian Style**

Lee, JoonYoung, SungJin Yu, MyeongHyun Kim, YoungHo Park, SangWoo Lee, and BoHeung Chung.
2020. "Secure Key Agreement and Authentication Protocol for Message Confirmation in Vehicular Cloud Computing" *Applied Sciences* 10, no. 18: 6268.
https://doi.org/10.3390/app10186268