A Secure Authentication Protocol Supporting Efficient Handover for UAV

Abstract

Unmanned Aerial Vehicles (UAVs) are increasingly pivotal in operations such as flood rescue, wildfire surveillance, and covert military endeavors, with their integration into the Internet of Things (IoT) networks broadening the scope of services they provide. Amidst this expansion, security concerns for UAVs have come to the forefront, particularly in open communication environments where they face authentication challenges and risks of sensitive data, including location information, being exposed to unauthorized parties. To address these issues, we propose a secure and lightweight authentication scheme that combines the use of anonymity mechanisms and Physical Unclonable Functions (PUFs). Specifically, we employ pseudo- and temporary identities to maintain the anonymity of UAVs, while also utilizing PUF technology to strengthen the security of Ground Station Servers (GSSs) against physical threats. Rigorous validation through ProVerif and the Random Oracle (ROR) Model indicates our scheme’s superior performance over existing protocols in terms of both efficiency and security.

1. Introduction

Unmanned Aerial Vehicle technology has become an indispensable part of the modern scientific and technological landscape, revolutionizing numerous sectors through its versatile applications. These UAVs, commonly known as drones, offer substantial benefits in diverse areas such as military operations, commercial ventures, environmental monitoring, and efficient traffic management [1,2]. The military sector leverages UAVs for surveillance, reconnaissance, and targeted operations, whereas commercial applications range from aerial photography to logistics and delivery services. In environmental monitoring, UAVs play a crucial role in tracking wildlife, assessing disaster zones, and gathering climate data. Similarly, in traffic management, they assist in congestion analysis and accident response.

As UAV technology continues to advance, significant enhancements in performance metrics, including extended flight duration, improved payload capacity, and advanced navigational systems, are observed. These improvements not only broaden the scope of UAV applications but also suggest a future where UAVs could become integral to everyday life and industrial processes. However, alongside these advancements, the rapid evolution of UAV technology introduces notable security challenges [3]. A critical concern involves UAVs’ reliance on wireless communication links with GSSs. These links are essential for operational control, data transmission, and firmware updates. The inherent openness of these wireless channels makes UAVs vulnerable to a range of network security threats, including eavesdropping, data interception, and unauthorized access [4]. A particular issue arises from the need for UAVs to frequently switch between GSS domains due to their high mobility and the limited coverage of each GSS. This necessitates the reestablishment of secure connections, which in turn requires efficient and secure authentication protocols. Traditional authentication methods are often too cumbersome for UAV use, introducing unacceptable delays and overhead in high-speed mobile environments [5]. Therefore, developing lightweight yet robust authentication protocols specifically tailored for UAVs is pressing.

Current UAV authentication protocols face several challenges, exacerbating the security risks [6]. These challenges include vulnerability to impersonation attacks, where malicious entities mimic legitimate UAVs; lack of anonymity, which could compromise the confidentiality of UAV operations; the risk of physical capture, which could lead to unauthorized access to sensitive data; and substantial computational and communication overheads, impractical in UAV contexts where resources are limited. Therefore, addressing these challenges to develop an effective, lightweight, and secure UAV handover authentication scheme is not only complex but also critical for the safe and efficient operation of UAVs in various domains. The development of such a scheme would require a multi-faceted approach, considering the unique characteristics of UAV operations, the dynamic nature of their environments, and the balance between security and performance.

The main contributions of this paper can be summarized as follows:

• We have proposed a two-part handover authentication protocol tailored for UAV scenarios, distinguished by its lightweight and secure framework. This protocol is divided into initial authentication and subsequent handover authentication phases, enabling UAVs to achieve rapid and efficient verification with GSS following a successful initial authentication. The design significantly reduces overhead during the handover process, addressing a critical need in UAV operations for swift and secure authentication mechanisms.
• Our protocol demonstrates exceptional defense capabilities against a wide array of common cyber threats, further augmented by its provision for user anonymity and resilience against physical attacks. The security of our protocol was rigorously validated using advanced evaluation tools like ProVerif and the ROR model, ensuring its robustness and reliability for UAV applications. This outcome directly stems from the protocol’s design principles and operational mechanics, illustrating its comprehensive security advantages over existing solutions.
• Moreover, our protocol’s design and implementation have been shown to outperform existing authentication protocols in terms of reducing both communication and computational overheads. This performance efficiency not only underscores the protocol’s suitability for UAV applications but also positions it as a more effective alternative to current authentication methods. The analysis and comparative assessment highlight how the protocol’s innovative features contribute directly to operational efficiency, making it an advantageous choice for UAV scenarios.

1.1. Related Work

The inception of Unmanned Aerial Vehicles (UAVs) was pioneered by Gharibi et al. [7], introducing a hierarchical network control architecture for these systems. UAVs are instrumental in delivering a plethora of services, such as package delivery, traffic surveillance, and disaster response, significantly boosting work efficiency, enhancing life quality, and fostering new commercial ventures. However, the reliance of UAV communications on public channels introduces substantial security vulnerabilities, endangering data integrity and privacy. Such breaches pose dire consequences, prompting the development of robust authentication frameworks tailored for UAV ecosystems.

Deebak et al. [8] proposed a lightweight, privacy-centric scheme aimed at reducing computational burdens through autonomous knowledge acquisition. Despite its innovations, the scheme’s resilience against Global Satellite System (GSS) impersonation attacks remains insufficient [9]. Cho et al. [10] devised a bespoke authentication mechanism for UAVs, facilitating session key generation and verification by GSSs for drones on predetermined routes. However, vulnerabilities to privileged insider and verification table leakage attacks were exposed by Jan et al. [11], who then recommended a symmetric key authentication strategy to mitigate these vulnerabilities.

Further exploration by Zhang et al. [12] yielded an authentication protocol leveraging hash and XOR operations, though Chaudhary et al. [13] later identified susceptibilities to several forms of attacks, including privileged insider and smart card theft. Hussain et al. [14] introduced an elliptic curve-based authentication scheme, enhancing user-UAV communication security within designated zones. Yet, it was found vulnerable to drone impersonation and session key compromises by Zhang et al. [15]. These methodologies, however, overlooked the critical handover process necessary for extended UAV flights.

Addressing long-distance communication challenges, Kumar et al. [16] in 2018 advanced a handover protocol integrating device and base station consistency, albeit without considering computational limitations due to bilinear pairings dependency. Son et al. [17] in 2022 innovated a blockchain-based protocol facilitating UAV-GSS authentication post-initial verification, albeit susceptible to various attack vectors [18]. Babu et al. [19] developed a PUF-based protocol for seamless UAV charging, yet it remains exposed to replay attacks and lacks forward secrecy. Kwon et al. [20] introduced a handover scheme vulnerable to physical assaults and burdened by excessive overhead from GSS involvement in the process. In response, Khalid et al. [21] unveiled an efficient, anonymous handover authentication protocol in 2023, utilizing AES-RSA for heightened security, albeit with concerns over computational demands. Ren et al. [22] subsequently proposed a comprehensive, novel handover protocol for UAV applications, incorporating three distinct authentication phases. While innovative, the protocol’s complexity and communication demands may impede practical implementation in UAV operations.

1.2. Organization

In Section 2, we introduce the preliminaries of the protocol. Section 3 presents the details of our proposed protocol. In Section 4, we perform an informal security analysis of the proposed protocol. Section 5 uses the Random Oracle Model and the ProVerif formal verification tools to verify the security of the protocol. Additionally, Section 6 provides a comprehensive analysis of the protocol’s performance. Finally, we draw our conclusions in Section 7.

2. Preliminaries

In this section, we present an overview of the preliminaries, encompassing elliptic curve cryptography, physical unclonable functions, the system model, and the threat model.

2.1. Elliptic Curve Cryptography

Consider $F_p$ as a finite field where P is a prime number. Within $F_p$, define $E(a,b):y^2=x^3+ax+b$, where $a,b\in F_p$ and $4a^3+27b^2\mathrm{mod}q\ne 0$. Let G be a cyclic group of prime order q, with P as the generator point.

Definition 1. 

Elliptic Curve Discrete Logarithm Problem (ECDLP): For given points P, $Q\in G$, where $Q=s·P$, it is computationally difficult to determine s from Q within polynomial time.

Definition 2. 

Elliptic Curve Computational Diffie-Hellman Problem (ECCDH): Given points P, $a·P$, $b·P\in G$, it is challenging to compute $a·b·P$ within polynomial time.

2.2. Physical Unclonable Function

A PUF is a random function derived from the physical properties of a device. It exploits minor manufacturing variations in chips to generate unique keys. A PUF can be expressed as $R=PUF\left(C\right)$, where C represents the challenge value and R the response value. PUFs are characterized by two main properties:

• Consistency: The PUF consistently produces the same output for a given input.
• Uniqueness: Each semiconductor device has a unique PUF response or output. This uniqueness is derived from the specific manufacturing variations, making it extremely difficult for two devices to have identical PUF outputs.

2.3. System Model

Illustrated in Figure 1, we present an overview of the system model for our proposed protocol, which comprises three entities:

• UAV: The UAV is with limited computing and storage resources. It communicates with GSSs to receive control commands and transmit sensor data. During handovers, it authenticates with the new GSS.
• GSS: GSS provide communication links and control interfaces for UAVs. As UAVs move between GSS coverage areas, they may switch between GSS, necessitating authentication with the new GSS. GSS possess greater computational power but could be vulnerable to external attacks.
• RA: The Registration Authority (RA) serves as a trusted third party. It issues cryptographic credentials such as certificates to UAVs during registration. The RA also shares essential public parameters with UAVs and GSS to facilitate the authentication process.

2.4. Adversary Model

The Dolev-Yao threat model [23], introduced by Dolev and Yao in 1983, is a cornerstone in cybersecurity. This seminal model distinctively delineates the security protocol from the specific cryptographic algorithms it utilizes. Its primary application is the analysis of a protocol’s security under the assumption of an ideal cryptographic system. This framework allows for the evaluation and validation of our proposed authentication and key agreement protocol for UAV communication, irrespective of the subsequent symmetric key encryption and decryption processes.

The Dolev-Yao model rigorously defines the adversary, represented as $\mathcal{A}$, and their potential attack methods, which include:

• $\mathcal{A}$’s ability to eavesdrop, intercept, delete, or alter messages over insecure wireless channels. However, they cannot modify messages sent through secure channels.
• $\mathcal{A}$’s capability to store intercepted messages and replay them to legitimate entities such as UAVs and ground station server, and to fabricate and send false messages to impersonate legitimate parties [24].
• $\mathcal{A}$’s potential to seize network nodes, like GSS, and extract cryptographic keys or other information through physical attack [25].

This model specifies $\mathcal{A}$’s capabilities in the context of UAV communication networks, utilizing the Dolev-Yao assumptions to assess the security and robustness of our novel authentication protocol.

3. The Proposed Handover Authentication Scheme

In this section, we will describe our proposed lightweight and secure handover authentication scheme for UAV. The specific scheme has four phases: system initialization phase, registration phase, UAV initial authentication phase and UAV handover authentication phase.

• System initialization phase: This phase completes the generation and publication of public parameters, including the RA’s public key, private key, and appropriate hash functions.
• Registration phase: The registration phase includes the registration of the GSS and the registration of the UAV. The GSS protects the registered information through the PUF, and the UAV hides the registration information through biometrics.
• UAV initial authentication phase: This phase mainly completes the UAV’s initial authentication in the GSS.
• Handover authentication phase: This phase mainly completes authentication and key negotiation when the UAV is moving from one GSS to another GSS network.

3.1. System Initialization Phase

The RA builds an elliptic curve $E_p(a,b)$ using P as the generator within the group $\mathbb{G}$. In addition to selecting its own secret key $S{K}_{RA}$ and corresponding public key $P{K}_{RA}$, the RA uses the one-way hash function $h(·)$.

3.2. Registration Phase

The registration phase encompasses enrollment of the GSSs and UAVs. It has two parts.

3.2.1. GSS Registration Phase

In the GSS Registration Phase, as illustrated in

Table 1. GSS registration phase.

${\mathit{GSS}}_{\mathit{i}}$		RA
Chooses $GI{D}_i$
	$\underset{\mathrm{Secure}\mathrm{channel}}{\overset{\left\{GI{D}_i\right\}}{\to }}$
		Verify the uniqueness of $GI{D}_i$
		Select $b_i$
		Calculates $S{K}_{GS{S}_i}=h(GI{D}_i\left|\right|S{K}_{RA}\left|\right|b_i)$
		$P{K}_{GS{S}_i}=S{K}_{GS{S}_i}·P$
		$k=h\left(RID\right|\left|S{K}_{RA}\right)$
		Stores $(GI{D}_i,b_i)$ in secure memory
	$\underset{\mathrm{Secure}\mathrm{channel}}{\overset{\{k,S{K}_{GS{S}_i}\}}{\leftarrow }}$
Generates a challenge $Ch{a}_i$
$Re{s}_i=PUF\left(Ch{a}_i\right)$
$Y_i=S{K}_{GS{S}_i}\oplus h(GI{D}_i\left|\right|Re{s}_i)$
$V_i=k\oplus h(GI{D}_i\left|\right|S{K}_{GS{S}_i})$
Stores $\{Y_i,V_i,Ch{a}_i\}$

, each $GS{S}_i$ selects a unique identity $GI{D}_i$, and securely transmits it to the RA over a secure channel. RA verifies the identity’s uniqueness. Upon confirmation of uniqueness, RA generates a random number $b_i$, and computes $GS{S}_i$’s private key $S{K}_{GS{S}_i}$ = $h\left(GI{D}_i\right|\left|S{K}_{RA}\right|\left|b_i\right)$, and the corresponding public key, $P{K}_{GS{S}_i}$ calculated as $S{K}_{GS{S}_i}·P$. Simultaneously, a shared secret $k=h\left(RID\right|\left|S{K}_{RA}\right)$, is established between RA and $GS{S}_i$. RA confidentially transmits the values $k,S{K}_{GS{S}_i}$ to $GS{S}_i$ and publicly discloses $P{K}_{GS{S}_i}$ while securely storing the tuple $(GI{D}_i,b_i)$ in its memory.

Upon receiving $\{k,S{K}_{GS{S}_i}\}$, $GS{S}_i$ initiates a challenge-response mechanism, generating a challenge $Ch{a}_i$ and computing the corresponding response, $Re{s}_i=PUF\left(Ch{a}_i\right)$. Subsequently, $GS{S}_i$ computes $Y_i=S{K}_{GS{S}_i}\oplus h(GI{D}_i\left|\right|Re{s}_i)$ and $V_i=k\oplus h(GI{D}_i\left|\right|S{K}_{GS{S}_i})$, while retaining the values {$Y_i$,$V_i$,$Ch{a}_i$}.

3.2.2. UAV Registration Phase

In the UAV Registration Phase, as illustrated in

Table 2. UAV registration phase.

${\mathit{UAV}}_{\mathit{i}}$		RA
Chooses $UI{D}_i$
	$\underset{\mathrm{Secure}\mathrm{channel}}{\overset{\left\{UI{D}_i\right\}}{\to }}$
		Verify the uniqueness of $UI{D}_i$
		Selects $a_i$
		Calculates $A_i=a_i·P$
		$PI{D}_i=h(UI{D}_i\left|\right|A_i)$
		$d_i=a_i+PI{D}_i·S{K}_{RA}$
		Stores $(UI{D}_i,a_i)$ in secure memory
	$\underset{\mathrm{Secure}\mathrm{channel}}{\overset{\{A_i,d_i\}}{\leftarrow }}$
Computes $PI{D}_i=h(UI{D}_i\left|\right|A_i)$
Verify $d_i·P\stackrel{?}{=}{A}_i+PI{D}_i·P{K}_{RA}$
Input $Bi{o}_i$
$Gen\left(Bi{o}_i\right)=({\sigma }_i,{\tau }_i)$
$F_i=A_i\oplus h\left({\sigma }_i\right)$
$G_i=d_i\oplus h(A_i\left|\right|PI{D}_i)$
$H_i=h(A_i\left|\right|d_i\left|\right|PI{D}_i)$
Stores $(F_i,G_i,H_i,Rep(·))$

, each $UA{V}_i$ selects a unique identity $UI{D}_i$ and securely transmits it to the RA. RA verifies the uniqueness of the identity. Upon confirmation of uniqueness, RA generates a random number $a_i$, calculates $A_i=a_i·P$, and derives $UA{V}_i$’s pseudo-identity $PI{D}_i$ = $h\left(UI{D}_i\right|\left|A_i\right)$. Additionally, it computes $d_i=a_i+PI{D}_i·S{K}_{RA}$. RA securely transmits the values $\{A_i,d_i\}$ to $UA{V}_i$ via a secure channel while securely storing the tuple $(UI{D}_i,a_i)$ in its memory.

Upon reception, $UA{V}_i$ recalculates $PI{D}_i$ as $h\left(UI{D}_i\right|\left|A_i\right)$ and verifies the equation $d_i·P\stackrel{?}{=}{A}_i+PI{D}_i·P{K}_{RA}$. Successful verification prompts $UA{V}_i$ to input its biometric information $Bi{o}_i$. It computes $Gen\left(Bi{o}_i\right)=({\sigma }_i,{\tau }_i)$, $F_i=A_i\oplus h\left({\sigma }_i\right)$, $G_i=d_i\oplus h(A_i\left|\right|PI{D}_i)$, and $H_i=h(A_i\left|\right|d_i\left|\right|PI{D}_i)$. Finally, $UA{V}_i$ stores the values $\{F_i,G_i,H_i,Rep(·)\}$.

3.3. UAV Initial Authentication Phase

When $UA{V}_i$ initially enters the coverage area of GSS, it is required to undergo an initial authentication process, as illustrated in

Table 3. UAV initial authentication phase.

${\mathit{UAV}}_{\mathit{i}}$		${\mathit{GSS}}_{\mathit{i}}$
Input $Bi{o}_i^{*}$
${\sigma }_i^{*}=Rep(Bi{o}_i^{*},{\tau }_i)$
$A_i^{*}=h\left({\sigma }_i^{*}\right)\oplus F_i$
$PI{D}_i^{*}=h(UI{D}_i\left|\right|A_i^{*})$
Computes $d_i^{*}=G_i\oplus h(A_i^{*}\left|\right|PI{D}_i^{*})$
Checks $H_i\stackrel{?}{=}h(A_i^{*}\left|\right|d_i^{*}\left|\right|PI{D}_i^{*})$
Generates $c_i\mathrm{and}{T}_1$
$P_{it}=c_i·P{K}_{GS{S}_i}$
$P_i=c_i·P$
$W_1=PI{D}_i\oplus h(GI{D}_i\left|\right|P_{it})$
$W_2=d_i\oplus h(PI{D}_i\left|\right|T_1\left|\right|P_{it})$
$W_3=h(PI{D}_i\left|\right|d_i\left|\right|A_i\left|\right|P_{it}\left|\right|T_1)$
	$\stackrel{(W_1,W_2,W_3,P_i,T_1)}{\to }$
		Checks $T_1$
		$Re{s}_i=PUF\left(Ch{a}_i\right)$
		$S{K}_{GS{S}_i}=Y_i\oplus h(GI{D}_i\left|\right|Re{s}_i)$
		Computes $P_{it}=S{K}_{GS{S}_i}·P_i$
		$PI{D}_i=W_1\oplus h(GI{D}_i\left|\right|P_{it})$
		$d_i=W_2\oplus h(PI{D}_i\left|\right|T_1\left|\right|P_{it})$
		Calculates $A^{*}=d_i·P-PID·P{K}_{RA}$
		Checks $W_3\stackrel{?}{=}h(PI{D}_i\left|\right|d_i\left|\right|A^{*}\left|\right|P_{it}\left|\right|T_1)$
		Generates $e_i,n_i$ and $T_2$
		$K_{it}=e_i·P_i$
		$K_i=e_i·P$
		$TI{D}_i=PI{D}_i\oplus h\left(n_i\right)$
		$W_4=TI{D}_i\oplus h(K_{it}\left|\right|PI{D}_i)$
		$S{K}_{it}=h(K_{it}\left|\right|PI{D}_i\left|\right|TI{D}_i)$
		$k=V_i\oplus h(GI{D}_i\left|\right|S{K}_{GS{S}_i})$
		$Q_i=h(TI{D}_i\left|\right|k)$
		$W_5=Q_i\oplus h\left(K_{it}\right)$
		$W_6=h(S{K}_{it}\left|\right|Q_i\left|\right|T_2)$
	$\stackrel{(W_4,W_5,W_6,K_i,T_2)}{\leftarrow }$
Checks $T_2$
Computes $K_{it}=c_i·K_i$
$TI{D}_i=W_4\oplus h(K_{it}\left|\right|PI{D}_i)$
$Q_i=W_5\oplus h\left(K_{it}\right)$
$S{K}_{it}=h(K_{it}\left|\right|PI{D}_i\left|\right|TI{D}_i)$
Checks $W_6\stackrel{?}{=}h(S{K}_{it}\left|\right|Q_i\left|\right|T_2)$

. The detailed process unfolds as follows.

• The $UA{V}_i$ inputs the user’s biological information $Bi{o}_i^{*}$, recovers ${\sigma }_i^{*}=Rep(Bi{o}_i^{*},{\tau }_i)$, then calculates $A_i^{*}=h\left({\sigma }_i^{*}\right)\oplus F_i$, $PI{D}_i^{*}=h(UI{D}_i\parallel A_i^{*})$, computes $d_i^{*}=G_i\oplus h(A_i^{*}\parallel PI{D}_i^{*})$, and verifies $H_i$ to check if it equals $h(A_i^{*}\parallel d_i^{*}\parallel PI{D}_i^{*})$.
• If the verification is successful, $UA{V}_i$ selects a random number $c_i$ and the current timestamp $T_1$, and then calculates $P_{it}=c_i·P{K}_{GS{S}_i}$, $P_i=c_i·P$, $W_1=PI{D}_i\oplus h(GI{D}_i\parallel P_{it})$, $W_2=d_i\oplus h(PI{D}_i\parallel T_1\parallel P_{it})$, and $W_3=h(PI{D}_i\parallel d_i\parallel A_i\parallel P_{it}\parallel T_1)$. It then sends the computed tuple $(W_1,W_2,W_3,P_i,T_1)$ to $GS{S}_i$.
• Upon receiving the values, $GS{S}_i$ verifies the freshness of $T_1$, calculates $Re{s}_i=PUF\left(Ch{a}_i\right)$, $S{K}_{GS{S}_i}=Y_i\oplus h(GI{D}_i\parallel Re{s}_i)$, $P_{it}=S{K}_{GS{S}_i}·P_i$, $PI{D}_i=W_1\oplus h(GI{D}_i\parallel P_{it})$, $d_i=W_2\oplus h(PI{D}_i\parallel T_1\parallel P_{it})$, and $A^{*}=d_i·P-PID·P{K}_{RA}$. It then verifies that $W_3$ is equal to $h\left(PI{D}_i\right|\left|d_i\right|\left|A^{*}\right|\left|P_{it}\right|\left|T_1\right)$.
• If the validation is successful, $GS{S}_i$ selects random numbers $e_i$, $n_i$, and a timestamp $T_2$, and calculates $K_{it}=e_i·P_i$, $K_i=e_i·P$, $TI{D}_i=PI{D}_i\oplus h\left(n_i\right)$, $W_4=TI{D}_i\oplus h(K_{it}\parallel PI{D}_i)$, $S{K}_{it}=h(K_{it}\parallel PI{D}_i\parallel TI{D}_i)$, $k=V_i\oplus h(GI{D}_i\parallel S{K}_{GS{S}_i})$, $Q_i=h(TI{D}_i\parallel k)$, $W_5=Q_i\oplus h\left(K_{it}\right)$, and $W_6=h(S{K}_{it}\parallel Q_i\parallel T_2)$. $GS{S}_i$ then sends the values $(W_4,W_5,W_6,K_i,T_2)$ to $UA{V}_i$.
• Based on the received values, $UA{V}_i$ checks the freshness of $T_2$ and calculates $K_{it}=c_i·K_i$, $TI{D}_i=W_4\oplus h(K_{it}\parallel PI{D}_i)$, $Q_i=W_5\oplus h\left(K_{it}\right)$, and $S{K}_{it}=h(K_{it}\parallel PI{D}_i\parallel TI{D}_i)$. Finally, $UA{V}_i$ verifies $W_6$ to confirm if it equals $h(S{K}_{it}\parallel Q_i\parallel T_2)$. Consequently, $UA{V}_i$ completes authentication with $GS{S}_i$, securing the session key $S{K}_{it}$ and a temporary identity $TI{D}_i$.

3.4. UAV Handover Authentication Phase

After the successful authentication of the $UA{V}_i$ and $GS{S}_i$, when the $UA{V}_i$ enters the coverage of $GS{S}_j$, the $UA{V}_i$ and $GS{S}_j$ need to complete a new authentication. This handover authentication process is described in

Table 4. UAV handover authentication phase.

${\mathit{UAV}}_{\mathit{i}}$		${\mathit{GSS}}_{\mathit{j}}$
Generates $m_i,T_3$
Calculates
$W_7=h(PI{D}_i\left|\right|TI{D}_i\left|\right|GI{D}_j\left|\right|T_3)\oplus m_i$
$W_8=Q_i\oplus PI{D}_i$
$W_9=h(m_i\left|\right|PI{D}_i\left|\right|TI{D}_i\left|\right|T_3)$
	$\stackrel{(TI{D}_i,W_7,W_8,W_9,T_3)}{\to }$
		Checks $T_3$
		$Re{s}_j=PUF\left(Ch{a}_j\right)$
		$S{K}_{GS{S}_j}=Y_j\oplus h(GI{D}_j\left|\right|Re{s}_j)$
		$k=V_j\oplus h(GI{D}_j\left|\right|S{K}_{GS{S}_j})$
		Computes $PI{D}_i^{*}=W_8\oplus h(TI{D}_i\left|\right|k)$
		$m_i^{*}=W_7\oplus h(PI{D}_i^{*}\left|\right|TI{D}_i\left|\right|GI{D}_j\left|\right|T_3)$
		Checks $W_9\stackrel{?}{=}h(m_i\left|\right|PI{D}_i^{*}\left|\right|TI{D}_i\left|\right|T_3)$
		Generates $e_j,n_j\mathrm{and}{T}_4$
		Computes $TI{D}_j=PI{D}_i\oplus h\left(n_j\right)$
		$W_{10}=TI{D}_j\oplus h(m_i\left|\right|PI{D}_i)$
		$W_{11}=e_j\oplus h(m_i\left|\right|TI{D}_j\left|\right|PI{D}_i)$
		$S{K}_{ij}=h(m_i\left|\right|e_j\left|\right|TI{D}_j\left|\right|PI{D}_i)$
		$W_{12}=h(S{K}_{ij}\left|\right|T_4)$
	$\stackrel{(W_{10},W_{11},W_{12},T_4)}{\leftarrow }$
Checks $T_4$
Computes
$TI{D}_j=W_{10}\oplus h(m_i\left|\right|PI{D}_i)$
$e_j=W_{11}\oplus h(m_i\left|\right|TI{D}_j\left|\right|PI{D}_i)$
$S{K}_{ij}=h(m_i\left|\right|e_j\left|\right|TI{D}_j\left|\right|PI{D}_i)$
Checks $W_{12}\stackrel{?}{=}h(S{K}_{ij}\left|\right|T_4)$

, and the process is shown below.

• The $UA{V}_i$ generates a random number $m_i$ and a timestamp $T_3$, then calculates $W_7=h(PI{D}_i\left|\right|TI{D}_i\left|\right|GI{D}_j\left|\right|T_3)\oplus m_i$, $W_8=Q_i\oplus PI{D}_i$, $W_9=h(m_i\left|\right|PI{D}_i\left|\right|TI{D}_i\left|\right|T_3)$. Subsequently, the $UA{V}_i$ sends $(TI{D}_i,W_7,W_8,W_9,T_3)$ to $GS{S}_j$.
• Once the above information is received, $GS{S}_j$ first checks the freshness of the $T_3$, and if the test passes, calculates $Re{s}_j=PUF\left(Ch{a}_j\right)$, $S{K}_{GS{S}_j}=Y_j\oplus h(GI{D}_j\left|\right|Re{s}_j)$, $k=V_j\oplus h(GI{D}_j\left|\right|S{K}_{GS{S}_j})$, Computes $PI{D}_i^{*}=W_8\oplus h(TI{D}_i\left|\right|k)$, $m_i^{*}=W_7\oplus h(PI{D}_i^{*}\left|\right|TI{D}_i\left|\right|$$GI{D}_j\left|\right|T_3)$, and verifies $W_9\stackrel{?}{=}h(m_i\left|\right|PI{D}_i^{*}\left|\right|TI{D}_i\left|\right|T_3)$.
• If the above verification is passed, $GS{S}_j$ generates random numbers $e_j,n_j$ and a timestamp $T_4$, calculates $TI{D}_j=PI{D}_i\oplus h\left(n_j\right)$, $W_{10}=TI{D}_j\oplus h(m_i\left|\right|PI{D}_i)$, $W_{11}=e_j\oplus h(m_i\left|\right|TI{D}_j\left|\right|PI{D}_i)$, $S{K}_{ij}=h(m_i\left|\right|e_j\left|\right|TI{D}_j\left|\right|PI{D}_i)$, $W_{12}=h(S{K}_{ij}\left|\right|T_4)$, and then sends the calculated results $(W_{10},W_{11},W_{12},T_4)$ to $UA{V}_i$.
• After receiving the information transmitted by $GS{S}_j$, the $UA{V}_i$ verifies the freshness of the $T_4$, then calculates $TI{D}_j=W_{10}\oplus h(m_i\left|\right|PI{D}_i)$, $e_j=W_{11}\oplus h(m_i\left|\right|TI{D}_j\left|\right|PI{D}_i)$, $S{K}_{ij}=h(m_i\left|\right|e_j\left|\right|TI{D}_j\left|\right|PI{D}_i)$, verifies $M_{13}\stackrel{?}{=}h(S{K}_{ij}\left|\right|T_4)$. Through the above calculation, the session key $S{K}_{ij}$ can be obtained, and a new temporary identity $TI{D}_j$ can be obtained. At this point, the $UA{V}_i$ completes the handover authentication process.

4. Informal Security Analysis

In this section, we show that our proposed scheme is secure through analysis on various desirable security properties.

4.1. Mutual Authentication

In our protocol, $GS{S}_i$ authenticates $UA{V}_i$ by verifying the correctness of $A_i\stackrel{?}{=}{d}_i·P-PID·P{K}_{RA}$. Conversely, $UA{V}_i$ authenticates $GS{S}_j$ by validating the correctness of $K_{it}=c_i·K_i$. This process ensures mutual authentication between $GS{S}_i$ and $UA{V}_i$.

4.2. Impersonation Attack

Consider a scenario where an adversary $\mathcal{A}$ attempts to impersonate a UAV. $\mathcal{A}$ intercepts the messages $(W_1,W_2,W_3,P_i,T_1)$ on public channels, where each W is defined by specific cryptographic operations. Despite interception, $\mathcal{A}$ cannot compute $W_1$, $W_2$, and $W_3$ due to the lack of access to $PI{D}_i$. Therefore, our protocol is resilient against UAV impersonation attacks.

4.3. Replay Attack

Assume an adversary $\mathcal{A}$ captures previously transmitted messages over public channels. $\mathcal{A}$ may try retransmitting these messages. However, due to the incorporation of a timestamp mechanism in our protocol, which guarantees message freshness, $\mathcal{A}$ cannot generate a session key with the GSS. Consequently, our protocol effectively thwarts replay attacks.

4.4. GSS Physical Capture Attack

In our protocol, each GSS is equipped with a PUF and stores $Y_i$, $V_i$, and $Ch{a}_i$, defined by specific cryptographic operations. In the event of a GSS capture by an adversary $\mathcal{A}$, they cannot access the secret parameters $S{K}_{GS{S}_i}$ and k. Hence, our protocol is safeguarded against GSS physical capture attacks.

4.5. MITM Attack

In a man-in-the-middle (MITM) attack scenario, adversary $\mathcal{A}$ intercepts specific messages. However, $\mathcal{A}$ is unable to access crucial secret values and random numbers necessary for generating authentication requests/responses and the session key. This incapacity of $\mathcal{A}$ to derive these critical elements ensures our scheme’s resistance to MITM attacks.

4.6. Anonymity and Untraceability

During preliminary authentication, a pseudonym $PI{D}_i$ is used, safeguarding the UAV’s real identity $GI{D}_i$. This approach ensures the UAV’s identity remains anonymous. Furthermore, the usage of a dynamic temporary identity $TI{D}_i$, updated during handover authentication, prevents adversary $\mathcal{A}$ from tracking the UAV, thus ensuring unlinkability.

4.7. Perfect Forward Secrecy

Assuming the leakage of long-term private keys of entities, our protocol maintains security. The session key $S{K}_{it}$, derived through complex cryptographic operations, remains secure due to the ECDLP problem, preventing adversary $\mathcal{A}$ from deducing the random numbers from each session. This design ensures the provision of perfect forward secrecy in our scheme.

5. Formal Security Analysis

In this section, we present a formal security proof using a ROR model and utilize the ProVerif formal verification tool to validate the proposed security protocol.

5.1. Formal Security Analysis under ROR Model

Definition 3. 

(Participants): Three parties involved in our protocol: one Unmanned Aerial Vehicle (UAV), one ground station server (GSS) and one registration authority (RA). Each party can have multiple instances, and the i-th instance of UAV and GSS are denoted as $U^i$ and $G^i$, respectively. The verification can output three possible results. The accept state indicates that the input message is valid. The reject state means the input data is incorrect. The ⊥ state represents that there is no response to the input. The adversary is able to simulate queries to interact with the UVA or GSS. The details of the queries are presented in

Table 5. Queries in ROR model.

Queries	Description
Execute($U^i$, $G^i$)	$\mathcal{A}$ can obtain all publicly transmitted information between $U^i$ and $G^i$.
Send($U^i$, $G^i$, m)	This query simulates an active attack. $\mathcal{A}$ can send messages to $U^i$ and $G^i$, and obtain respective responses.
Reveal($U^i$, $G^i$)	$\mathcal{A}$ can get the session keys between $U^i$ and $G^i$.
Corrupt($U^i$, $G^i$)	$\mathcal{A}$ can obtain the stored information {$F_i,G_i,H_i,Rep(·)$} and {$Y_i$,$V_i$,$Ch{a}_i$} of $U^i$ and $G^i$.
Test($U^i$, $G^i$, r)	$\mathcal{A}$ selects a session to launch a reveal query. This will generate a random number r. When $r=1$, the actual session key can be obtained by $\mathcal{A}$; when $r=0$, $\mathcal{A}$ will get a random number with the same length as the session key.

.

Definition 4. 

(Semantic security): $\mathcal{A}$ is permitted to make a single query to the Test($U^i$, $G^i$, r) and and multiple other queries to determine the correctness of the return value of Test($U^i$, $G^i$, r). $\mathcal{A}$’s advantage in guessing r is defined as $Ad{v}_P=|2Pr\left[suc\left(A\right)\right]-1|<\eta$ represents the protocol is secure, where η is sufficiently small.

Theorem 1. 

The advantage of obtaining the session key in polynomial time by $\mathcal{A}$ is $Ad{v}_P\le \frac{q_h^2}{2^{l_h}}+\frac{q_s}{2^{l_{bio}-1}}+2Ad{v}_{PUF}+2Ad{v}_{ECDLP}$. Where $q_s$, $q_h$, and $q_e$ represent performing the queries Send, Hash and Execute within time t. The hash, transcripts, and biological key have lengths of $l_h$, $l_{bio}$ and n respectively. The advantages of $\mathcal{A}$ in breaking the PUF and ECDLP are $Ad{v}_{PUF}$ and $Ad{v}_{ECDLP}$ respectively.

Proof. 

The games are defined to simulate the attacks launched by $\mathcal{A}$, and divided from $G_0$ to $G_4$. $\mathcal{A}$ correctly guessing the random number r represents $Wi{n}_i(0\le i\le 4)$.

$G_0$: This game simulates the real attack initially launched by $\mathcal{A}$. According to the definition, we obtain:

$$Ad{v}_{G_0}=\left|2Pr[Wi{n}_0-1]\right|$$

(1)

$G_1$: This game simulates the $Execute$ query to obtain all publicly transmitted messages. Then, $\mathcal{A}$ verifies the session key through the $Reveals$ and $Test$ queries. Due to the ECDLP, the attacker cannot determine the association between the captured messages and the session key. Hence,

$$Pr\left[Wi{n}_1\right]=Pr\left[Wi{n}_0\right]$$

(2)

$G_2$: This game simulates hash and transcript collisions. By the Birthday Paradox, the probability of hash collisions is at most $\frac{q_h^2}{2^{l_h}}$. Therefore, we obtain:

$$Pr\left[Wi{n}_2\right]-Pr\left[Wi{n}_1\right]\le \frac{q_h^2}{2^{l_h+1}}+\frac{{(q_s+q_e)}^2}{2n}$$

(3)

$G_3$: This game simulates the $Corrupt$ query to obtain stored information {$F_i,G_i,H_i,Rep(·)$} in UAV and {$Y_i$,$V_i$,$Ch{a}_i$} in GSS, where $F_i=A_i\oplus h\left({\sigma }_i\right)$, ${\sigma }_i$ is the biometric key, $S{K}_{GS{S}_i}=h(GI{D}_i\left|\right|PUF\left(Ch{a}_i\right))\oplus Y_i$. If $\mathcal{A}$ is able to guess the value of $\sigma$ or break the PUF, then $\mathcal{A}$ will be able to access valuable parameters. As a result, we get:

$$Pr\left[Wi{n}_3\right]-Pr\left[Wi{n}_2\right]\le \frac{q_s}{2^{l_{bio}}}+Ad{v}_{PUF}$$

(4)

$G_4$: $\mathcal{A}$ can obtain $P_i=c_i·P$ and $K_i=e_i·P$ publicly, which are then used for session key agreement. This game simulates $\mathcal{A}$ solving the ECDH problem. We have:

$$Pr\left[Wi{n}_4\right]-Pr\left[Wi{n}_3\right]\le Ad{v}_{ECDLP}$$

(5)

The session key is independently randomly generated, meaning that $\mathcal{A}$ guessing r has the same difficulty as guessing the session key directly. As a result, we have:

$$Pr\left[Wi{n}_4\right]=\frac{1}{2}$$

(6)

Combining the above formulas, we have:

$$\begin{array}{c}\hfill \frac{1}{2}Ad{v}_P=|Pr\left[Wi{n}_0\right]-\frac{1}{2}|\end{array}$$

(7)

$$\begin{array}{cc}\hfill & \le \frac{q_h^2}{2^{l_h+1}}+\frac{q_s}{2^{l_{bio}}}+Ad{v}_{PUF}+Ad{v}_{ECDLP}\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill Ad{v}_P& \le \frac{q_h^2}{2^{l_h}}+\frac{q_s}{2^{l_{bio}-1}}+2Ad{v}_{PUF}+2Ad{v}_{ECDLP}\hfill \end{array}$$

(9)

□

5.2. Formal Verification Using ProVerif

ProVerif is recognized as an automated verification tool adept at handling a variety of cryptographic algorithms, including symmetric and asymmetric encryption, hash functions, digital signatures, and more. It is particularly effective in assessing security properties such as confidentiality, authentication, and other essential attributes. In this section, we utilize ProVerif to evaluate the security of our proposed scheme.

The initial segment presents declarations relevant to the scheme, covering aspects such as message transmission channels, constants, variables, functions, and events. Figure 2 details the definition of a public channel, named ch1, utilized for UAV-GSS node communication. This includes the establishment of constants, variables, the hash function $h(·)$, various connection functions, XOR, and ECC operations. The model for the attacker’s queries and the events are primarily detailed in Figure 3.

The second segment comprehensively examines the participation process of the UAV, as depicted in Figure 4. Initially, the UAV retrieves stored data following biological verification, sends authentication messages to the GSS, and generates session keys based on the information received from the GSS. The involvement of the GSS is illustrated in Figure 5. This includes decrypting messages using the GSS’s private key, verifying the UAV’s identity via the RA’s public key, generating a temporary identity and session key, and securely transmitting these to the UAV.

Figure 6 displays the outcomes of ProVerif’s analysis of our scheme. The results confirm that adversaries are unable to access key parameters necessary for session key computation. As a result, our proposed scheme is validated as secure.

6. Performance Comparison

This section presents a detailed performance evaluation of our proposed scheme, focusing on computation, communication, and security aspects. It is benchmarked against significant existing works, namely Kumar et al. [16], Son et al. [17], Kwon et al. [20], and the Babu et al. approach [19].

6.1. Computation Cost

To compare computational costs,

Table 6. Comparison of Computation Cost.

Scheme	Device	Infrastructure	Total Performed Operation
[16]	$4T_m+9T_h+1T_b$	$3T_m+2T_h+2T_b$	$7T_m+11T_h+3T_b\approx 40.654\mathrm{ms}$
[17]	$6T_h$	$9T_h$	$15T_h\approx 0.84\mathrm{ms}$
[20]	$2T_m+7T_h$	$2T_m+13T_h$	$4T_m+20T_h\approx 12.344\mathrm{ms}$
[19]	$17T_h$	$11T_h$	$28T_h\approx 1.568\mathrm{ms}$
Proposed	$5T_h$	$9T_h$	$14T_h\approx 0.784\mathrm{ms}$

provides a detailed analysis, contrasting our proposed scheme with the aforementioned studies. This assessment was conducted on a personal computer equipped with an Intel(R) (Intel, Santa Clara, CA, USA) Core(TM) i5-1035G1 CPU @ 1.00 GHz (1.19 GHz), 16.0 GB RAM, and a Windows 10 64-bit operating system. The evaluation measures the computation times for cryptographic one-way hash functions, elliptic curve point operations, and bilinear pairing functions, recorded as $T_h$, $T_m$, and $T_b$, respectively. These times are 0.056 milliseconds for $T_h$, 2.806 milliseconds for $T_m$, and 6.892 milliseconds for $T_b$.

Our scheme primarily focuses on handover authentication overhead, as the initial authentication occurs only once. In this context, the computation cost for a UAV in our scheme is 5$T_h$, and for GSS nodes, it is 9$T_h$. The total computation cost thus approximates to $5T_h+9T_h\approx 0.784$ milliseconds. In contrast, the total computation costs for the approaches in Kumar et al. [16] and Son et al. [17] are approximately 40.654 milliseconds and 0.84 milliseconds, respectively. The schemes by Kwon et al. [20] and the Babu et al. approach [19] require about 12.344 milliseconds and 1.568 milliseconds, respectively. Figure 7 visually represents these findings. A comparative analysis highlights the lower computational overhead of our proposed scheme relative to its counterparts.

6.2. Communication Cost

The communication costs of the proposed scheme were evaluated during the authentication phase,

Table 7. Comparison of Communication Cost.

Scheme	Number of Transmitting Messages	Communication Overhead (in Bits)
[16]	4	3200
[17]	2	2112
[20]	4	2560
[19]	3	2784
Proposed	2	1856

provides a detailed analysis. We assumed the following sizes for various elements: timestamps, identities, and random numbers at 32 bits, 160 bits, and 160 bits respectively, encryption/decryption processes at 256 bits; and hash function outputs at 256 bits. The elliptic curve point size P = (Px, Py) was considered to be 320 bits. In the UAV authentication phase, a UAV and a GSS exchange two messages, with sizes detailed as follows: $Ms{g}_1=\{TI{D}_i,M_7,M_8,M_9,T_3\}=(256+256+256+256+32)=1056$ bits and $Ms{g}_2=\{M_{10},M_{11},M_{12},T_4\}=(256+256+256+32)=800$ bits. The total communication cost thus amounts to 1056 + 800 = 1856 bits.

For comparison, the communication costs in the schemes of Kumar et al. [16], Son et al. [17], Kwon et al. [20], and the Babu et al. approach [19] are 3200 bits, 2112 bits, 2560 bits, and 2784 bits, respectively. Figure 8 visually compares the proposed scheme’s communication overhead with these other schemes, highlighting that the proposed scheme is competitive in terms of communication costs.

6.3. Security Features

Table 8. Comparison of Security Features.

Security Features	[16]	[17]	[20]	[19]	Ours
Mutual Authentication	✔	✔	✔	✔	✔
Impersonation Attack	✔	×	×	✔	✔
Replay Attack	✔	✔	✔	✔	✔
Device Physical Capture Attack	×	×	×	×	✔
MITM Attack	✔	✔	✔	✔	✔
Anonymity and Untraceability	✔	✔	✔	✔	✔
Perfect Forward Secrecy	✔	✔	✔	✔	✔

offers a comprehensive analysis of the security functionalities comparing our newly developed protocol with earlier versions. This assessment underscores critical security aspects, such as “Mutual Authentication”, “Impersonation Attack Resistance”, “Replay Attack Defense”, “Protection against Device Physical Capture”, “Mitigation of Man-In-The-Middle (MITM) Attacks”, “Ensuring Anonymity and Untraceability”, and “Guaranteeing Perfect Forward Secrecy”. As elaborated in Section 4, our protocol not only incorporates these security measures but also surpasses in their practical application. In contrast, the previously established protocols [16,17,20], and [19] either overlook these critical security dimensions or are inadequate in their assurance. Our protocol, by catering to a broader spectrum of potential threats in wireless channels, significantly bolsters security over the existing models.

7. Conclusions

In this paper, we developed and introduced a lightweight secure handover authentication protocol tailored for UAV applications. This protocol incorporates an initial authentication phase when a UAV enters a GSS domain and efficiently uses information from previous authentications to streamline the authentication process during transitions to subsequent GSS domains. This strategy significantly optimizes operational efficiency in dynamic environments for UAVs. The protocol demonstrates exceptional resistance to a variety of security threats, including UAV hijacking, identity spoofing, and replay attacks, thereby underscoring its reliability in securing UAV communications. The security and robustness of our protocol have been rigorously validated using the ROR model and the ProVerif tool. Moreover, our comprehensive performance analysis shows that our protocol surpasses existing solutions in significantly reducing computational and communication overheads, reflecting its specialized optimization for UAV scenarios.

The impact of our work extends beyond the direct benefits of improved authentication efficiency and security. By addressing the unique challenges of UAV handover scenarios, our protocol contributes to broader efforts to enhance the integrity of UAV operations in increasingly complex airspace environments. This research not only lays a solid foundation for safer and more efficient UAV deployments but also provides important insights for future studies on advanced authentication mechanisms, further refining UAV communication and operation protocols.