Received June 11, 2017, accepted June 25, 2017, date of publication July 3, 2017, date of current version August 22, 2017. Digital Object Identifier 10.1109/ACCESS.2017.2723265

Design of Lightweight Authentication and Key Agreement Protocol for Vehicular Ad Hoc Networks

MOHAMMAD WAZID1 (Student Member, IEEE), ASHOK KUMAR DAS1 (Member, IEEE), NEERAJ KUMAR2 (Member, IEEE), VANGA ODELU3, ALAVALAPATI GOUTHAM REDDY4 (Student Member, IEEE), KISUNG PARK5, AND YOUNGHO PARK5 (Member, IEEE)

1 Center for Security, Theory, and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
2 Department of Computer Science and Engineering, Thapar University, Patiala 147 004, India
3 Department of Computer Science and Engineering, Indian Institute of Information Technology Chittoor, Sri City 517 588, India
4 KINDI Laboratory, Department of Computer Science and Engineering, Qatar University, Doha, Qatar
5 School of Electronics Engineering, Kyungpook National University, Daegu 702-701, South Korea

IEEE Access, Volume 5, 2017

Corresponding author: Youngho Park ([email protected])

This work was supported in part by the Basic Science Research Program through the National Research Foundation of Korea funded by the Ministry of Science, ICT, and Future Planning under Grant 2017R1A2B1002147, and in part by the BK21 Plus project funded by the Ministry of Education, Korea under Grant 21A20131600011.

ABSTRACT

Due to their widespread popularity in both academia and industry, vehicular ad hoc networks (VANETs) have been used in a wide range of applications, from intelligent transportation to e-health and itinerary planning. This paper proposes a new decentralized lightweight authentication and key agreement scheme for VANETs. In the proposed scheme, there are three types of mutual authentication: 1) between vehicles; 2) between vehicles and their respective cluster heads; and 3) between cluster heads and their respective roadside units. Apart from these authentications, the proposed scheme also maintains secret keys between roadside units for their secure communication. Rigorous formal and informal security analysis shows that the proposed scheme is capable of defending against various malicious attacks. Moreover, ns-2 simulation demonstrates the practicability of the proposed scheme in a VANET environment.

INDEX TERMS Vehicular ad hoc networks, user authentication, key agreement, security, NS-2 simulation.

I. INTRODUCTION

A Vehicular Ad hoc Network (VANET) is considered a special type of Mobile Ad hoc Network (MANET) which allows the vehicles on the roads to form a self-organized network. VANETs provide multiple benefits, such as a built-in warning system that warns the driver about accidents so that he/she can make quick decisions on the basis of the provided information. The vehicles further share this information with each other. A VANET also provides information about traffic congestion on different roads, so that a driver can decide on the basis of this information and select an alternative road [1]. In summary, VANETs help to improve the road environment, infotainment dissemination, and traffic safety for drivers as well as passengers [2]–[4]. An estimation in [5] reveals that the market for vehicular communications will reach several billions of euros in the coming year. Therefore, considerable research efforts are needed in this field [5]. However, in the absence of security and privacy, an adversary can easily gather private information, including the identity and location of the vehicles. Sometimes, the adversary can also generate fake messages to misguide the drivers of the vehicles so that they are forced to take wrong decisions; for example, a driver may be led to turn onto a road that is heavily congested although the system initially showed no congestion. Therefore, it becomes essential to design security protocols which provide protection against possible attacks on the exchanged messages, and also provide privacy and anonymity [1], [6].

A. RELATED WORK

Chuang and Lee [7] proposed a trust-extended authentication mechanism (TEAM) for vehicle-to-vehicle (V2V) communication in VANETs, which is a lightweight decentralized protocol. However, their protocol is insecure against insider attack, impersonation attacks and session key breaking attack [8]. Also, their protocol fails to preserve user traceability, user anonymity and mutual authentication [8]. Lu and Li [9] surveyed various privacy-preserving authentication (PPA) protocols for VANETs and provided a comparative study of them. Wasef and Shen [10] proposed an authentication protocol, called the message authentication acceleration (MAAC) protocol, in which the revocation checking process is performed. Kim et al. [11] proposed an authentication protocol for V2V secure communication in VANETs. Later, Wasef and Shen extended the work of [10] in [12]. Both schemes were based on a certificate revocation list (CRL). Lin and Li [13] proposed a cooperative message authentication protocol for VANETs. In this protocol, without the direct involvement of the TA, the vehicles' users can authenticate a batch of message-signature pairs. Liu et al. [14] provided a proxy-based authentication protocol (PBAS) using distributed computing for VANETs, in which proxy vehicles were used to authenticate multiple messages at the same time. Wang et al. [15] also presented a decentralized two-factor lightweight privacy-preserving authentication scheme (2FLIP) for VANETs. 2FLIP uses a certificate authority (CA) and a biological password to achieve its authentication goals. Shao et al. [16] presented a new group signature based scheme for V2V authentication in VANETs. Later, it was proved that their scheme lacks forward and backward security properties, and anti-collision [17]. Jiang et al. [1] replaced the CRL-based schemes with their new scheme, called anonymous batch authentication (ABAH). Sanchez-Garcia et al. [18] proposed a secure authentication scheme, called On-SiteDriverID, and its application for VANET road authorities, which is based on the Spanish eID smart cards already in use. After that, Sugumar et al. [19] presented a trust-based authentication protocol for cluster-based VANETs.

The group signature based schemes, such as the schemes presented in [10] and [12], suffer from long computation delay because CRL checking takes a long time. Therefore, to overcome this problem, Zhu et al. [20] proposed an HMAC based authentication scheme for VANETs. Li et al. [21] proposed a framework with preservation and repudiation (ACPN) for VANETs, which can be used for V2V and vehicle-to-roadside unit (V2RSU) authentication.

B. MOTIVATION

The existing security schemes for VANETs discussed in Section I-A are either computationally expensive or insecure against several known attacks. For example, though the scheme in [7] is a lightweight decentralized protocol, it is insecure against insider attack, impersonation attacks and session key breaking attack [8]. Also, it fails to preserve user traceability, user anonymity and mutual authentication. Another scheme [18] is not resistant to the stolen on-board unit (OBU) attack. Furthermore, it does not preserve the anonymity and untraceability properties. In addition, it does not support a dynamic RSU addition phase. To overcome these important security drawbacks and limitations of the existing schemes, we propose a novel lightweight decentralized authentication and key agreement protocol for VANETs. The proposed scheme supports the following additional features: 1) dynamic RSU addition after initial deployment, 2) RSU to RSU (RSU2RSU) key establishment, 3) password update by a user of a vehicle at any time, locally, without contacting the trusted authority, 4) anonymity and untraceability properties, 5) use of a non-tamper-resistant device, in contrast to other schemes [7], [18], and 6) formal security analysis. Unlike other existing schemes, the proposed scheme also allows three types of mutual authentication: 1) between vehicles; 2) between vehicles and their respective cluster heads; and 3) between cluster heads and their respective roadside units. In addition, the cluster-based VANET network model is used in the proposed scheme in order to reduce the communication and computation overheads.

C. CONTRIBUTIONS

The major contributions of this paper can be summarized as follows.
• We propose an efficient lightweight authentication and key agreement protocol for VANETs, which uses only one-way hash functions and bitwise XOR operations.
• We prove the security of the proposed scheme using formal security analysis under the broadly used Real-Or-Random (ROR) model [22], along with informal security analysis.
• Finally, the practical perspective of the proposed scheme is demonstrated through ns-2 simulation.

D. STRUCTURE OF THIS PAPER

Section II contains the network and threat models used in the proposed scheme. In Section III, we present a new lightweight authenticated key agreement scheme for VANETs. In Section IV, we analyze the security of our scheme rigorously through formal and informal analysis. The performance evaluation of our scheme against other relevant schemes is provided in Section V. The simulation analysis using ns-2 is done in Section VI. Section VII concludes the paper with future directions.

II. SYSTEM MODELS

In this section, we describe the network and attack models used in the proposed scheme.

A. NETWORK MODEL

FIGURE 1. Authentication in VANETs.

Figure 1 shows the network model of the vehicular ad hoc network (VANET) used in the proposed scheme. In the given model, we have considered different types of vehicles (Vs), cluster heads (CHs), roadside units (RSUs), an application server (AS) and a trusted authority (TA). Different types of communication exist in the network: 1) vehicle-to-vehicle (V2V); 2) vehicle-to-cluster head (V2CH); 3) cluster head-to-roadside unit (CH2RSU); and 4) roadside unit-to-roadside unit (RSU2RSU). The role of the TA is to generate the credentials, such as identities and keys, for vehicles, CHs and roadside units. After the generated information has been stored in the memory of the roadside units, they are deployed in the network (at different roadsides). The required information is also stored in the memory of the on-board unit (OBU) of a vehicle so that it can be used later in the authentication process. The AS provides support for safety-related applications at the traffic management center and also communicates with the RSUs to provide application support [23]. According to the proposed model, different authentication mechanisms are needed for V2V, V2CH, CH2RSU and RSU2RSU communication in the network. Note that the cluster-based VANET network model is applied in the proposed scheme to reduce the communication and computation overheads in the network.

B. THREAT MODEL

We follow the well-known Dolev-Yao (DY) threat model [24] in the proposed scheme. Under this model, the communication channel is assumed to be insecure, and the nodes communicate with each other over this insecure channel [25]. We further assume that the RSUs are semi-trusted. An adversary A can then eavesdrop on, modify or delete the exchanged messages during transmission under the DY threat model. Since the RSUs are semi-trusted, we assume that the secret information of the RSUs is stored in a tamper-resistant device inside each RSU. However, we assume that the OBUs of the vehicles are not equipped with tamper-resistant devices, unlike other existing schemes where the OBUs are tamper-resistant. Moreover, A can steal the on-board units of some vehicles and extract all the stored sensitive information from the memory of the OBUs using power analysis attacks [26], [27], since the OBUs are non-tamper-resistant devices. Finally, the TA is assumed to be fully trusted.

III. THE PROPOSED SCHEME

We now discuss a new lightweight authentication and key agreement scheme for VANETs. In the proposed scheme, vehicles passing through a cross section and moving together with the same velocity form a cluster. The vehicle which is most strategically placed and can communicate with all vehicles is elected as the cluster head node (CHj) [28]. Note that, in the proposed scheme, the role of the cluster head node is very important. In this paper, the cluster head node is selected as in the scheme [28]. Bali and Kumar [28] proposed a novel secure clustering for efficient data dissemination between different devices in a Vehicular Cyber-Physical Systems (VCPS) environment. In order to achieve better cluster stability, they suggested that only those vehicles be selected as CHs that have high trust values and strong connectivity among them. They showed that their clustering approach achieves higher clustering efficiency. In addition, to maintain connectivity among the vehicles at various levels, a connected dominating set (CDS) is also constructed among the vehicles to enhance the performance of their scheme. In our scheme, the selection of the cluster head nodes is based on this existing approach [28].

TABLE 1. Notations used in this paper.

We assume that there are n roadside units, say R1, R2, ..., Rn, and l vehicles in the network, say V1, V2, ..., Vl. A cluster head CHj is elected from the vehicles present in a cluster using the existing clustering algorithm for VANETs [29]. In our scheme, the vehicles in a cluster authenticate with the other vehicles and with their corresponding cluster head CHj. A cluster head also authenticates with the nearest roadside unit. The following three types of authentication and key establishment are executed in our scheme:
• Vehicle (Vi) to vehicle (Vj) authentication and key establishment.
• Vehicle (Vi) to cluster head (CHj) authentication and key establishment.
• Cluster head (CHj) to roadside unit (Rk) authentication and key establishment.

Apart from these authentications, pairwise symmetric keys are also established between neighboring RSUs so that they can communicate securely using those keys. The proposed scheme contains various phases: a roadside unit registration phase, a vehicle registration phase, the different authentication and key agreement phases, a password update phase and a dynamic roadside unit addition phase. We use current timestamps in order to prevent replay attacks. For this reason, it is assumed that all the entities (vehicles, cluster heads and RSUs) have synchronized clocks. The details of all phases are given in the subsequent subsections. The various notations used in the proposed scheme are given in Table 1.

Before explaining the phases in detail, we give a high-level description of the various phases of our scheme in the flow chart of Figure 2. During the roadside unit registration phase, the TA is responsible for generating the credentials for each RSU to be deployed in the network, and it stores these credentials in the RSUs. For RSU to RSU pairwise key establishment, the TA also generates credentials and stores them in the RSUs. In the vehicle registration phase, a user Ui of a vehicle Vi chooses his/her credentials and sends them to the TA via a secure channel. The TA then sends information to Vi securely, and OBUi of Vi stores the credentials in its memory prior to the deployment of Vi in the network. The authentication and key agreement phase consists of three subphases: 1) the vehicle to vehicle (V2V) authentication and key agreement phase, 2) the vehicle to cluster head (V2CH) authentication and key agreement phase, and 3) the cluster head to RSU (CH2RSU) authentication and key agreement phase. Note that one of the vehicles in a cluster is elected as the cluster head node as in [28]. In each subphase, the two entities first authenticate each other and establish a secret session key between them only after successful mutual authentication. Using the established session key, the entities then communicate with each other securely. The purpose of the RSU to RSU (RSU2RSU) key establishment phase is that two neighbor RSUs establish a secret pairwise key between them using the credentials pre-loaded during the roadside unit registration phase, and they can use the established key for their future secure communication. For security reasons, it is preferable that the users of the vehicles change their passwords periodically. The password update phase allows the users to change their passwords at any time locally, without further contacting the TA.

A. REGISTRATION PHASE

The registrations of roadside units and vehicles are performed as follows.

1) ROADSIDE UNIT REGISTRATION PHASE

FIGURE 2. High level description of various phases in the proposed scheme. RSU registration phase: (1) the TA generates credentials for the RSUs to be deployed and stores those credentials in their memory prior to deployment. Vehicle registration phase: (2) registration request message; (3) registration reply message. V2V authentication and key agreement phase: (4) authentication request message; (5) authentication reply message; (6) acknowledgment message. V2CH authentication and key agreement phase: (7) authentication request message; (8) authentication reply message; (9) acknowledgment message. CH2RSU authentication and key agreement phase: (10) authentication request message; (11) authentication reply message; (12) acknowledgment message. RSU2RSU key establishment phase: (13) key establishment request message; (14) key establishment reply message. Dynamic RSU addition phase: (15) the TA generates credentials for a newly deployed RSU, say RSUk^new, and stores those credentials in its memory prior to its deployment.

Before the RSUs are deployed in the VANET, the trusted authority TA generates two distinct 1024-bit secret keys X and X'. The TA then generates unique identities for the RSUs, say IDR1, IDR2, ..., IDRn, and the corresponding pseudo identities RIDR1, RIDR2, ..., RIDRn, computed as RIDRk = h(IDRk || X') for 1 ≤ k ≤ n. The TA further generates the secret key of each Rk as x' = h(IDTA || X'). In addition, the TA also generates a time-dependent identity for each Rk as TIDRk = h(IDTA || RTSRk || X'), where RTSRk is the registration timestamp of Rk. Rk is then given the information {x', RIDRk, TIDRk}. Note that in our scheme RIDRk is used for cluster head to RSU authentication (Section III-B.3), whereas TIDRk is used for symmetric key establishment between RSUs (Section III-C).

For the RSU2RSU pairwise key establishment phase in Section III-C, we use the polynomial-based key distribution scheme proposed by Blundo et al. [30]. For this purpose, the TA first selects a bivariate polynomial $P(x, y) = \sum_{i=0}^{t} \sum_{j=0}^{t} a_{i,j} x^i y^j \in GF(p)[x, y]$ of degree t over a finite field (Galois field) GF(p), where the coefficients $a_{i,j}$ are in GF(p). Note that the prime p is chosen large. For example, P(x, y) = x + y + 3xy + 5x² + 5y² + 3x²y² over GF(7) is symmetric, as P(y, x) = y + x + 3yx + 5y² + 5x² + 3y²x² = P(x, y). For each deployed RSU, say Rk, the TA computes the polynomial share P(TIDRk, y), which is a univariate polynomial of degree t whose coefficients are in GF(p). Rk is also loaded with P(TIDRk, y) in its memory. If (t + 1) or more shares of P(x, y) are revealed to an adversary, he/she can reconstruct P(x, y) uniquely using Lagrange interpolation [31], [32]. Thus, the disclosure of up to t shares does not reveal the polynomial P(x, y) to an adversary, and the non-compromised shared keys based on P(x, y) remain completely secure. As a result, t is also taken large (for example, t = 5000), much larger than the number of RSUs deployed in the VANET, to preserve unconditional security and the t-collusion resistance property [33], [34]. Note that each Rk is given the information {x', RIDRk, TIDRk, P(TIDRk, y)} prior to its deployment in the VANET.
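The share computation above, and the RSU2RSU key establishment of Section III-C that uses it, as an added Python example (not the paper's code); it also checks the paper's GF(7) example for symmetry. It assumes p = 2^61 − 1, degree t = 3 in place of 5000, SHA-256 as h(·), and that TIDRk is reduced modulo p before it is used as a field element:

```python
import hashlib
import os
import random

P = 2**61 - 1  # prime p for GF(p); the paper only says "chosen large" (assumed value)
T = 3          # degree t; the paper suggests t = 5000, kept small here so the demo runs instantly


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over a||b||...; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(b"".join(parts)).digest()


def symmetric_polynomial(t: int, p: int, rng: random.Random):
    """Coefficients a[i][j] of P(x, y) = sum a_ij x^i y^j with a_ij = a_ji, so P(x, y) = P(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(p)
    return a


def eval_bivariate(a, x: int, y: int, p: int) -> int:
    n = len(a)
    return sum(a[i][j] * pow(x, i, p) * pow(y, j, p) for i in range(n) for j in range(n)) % p


def share(a, tid_: int, p: int):
    """The univariate share P(TID, y): the coefficient of y^j is sum_i a_ij * TID^i (mod p)."""
    n = len(a)
    return [sum(a[i][j] * pow(tid_, i, p) for i in range(n)) % p for j in range(n)]


def eval_share(coeffs, y: int, p: int) -> int:
    return sum(c * pow(y, j, p) for j, c in enumerate(coeffs)) % p


def tid(id_ta: bytes, rts: bytes, X_prime: bytes) -> int:
    # TID_Rk = h(IDTA || RTS_Rk || X'), interpreted as an element of GF(p) (assumed reduction)
    return int.from_bytes(h(id_ta, rts, X_prime), "big") % P


class RSU:
    def __init__(self, tid_: int, poly):
        self.tid = tid_
        self.share = share(poly, tid_, P)  # P(TID_Rk, y), pre-loaded by the TA before deployment
        self.sk = None

    def step1(self):
        # Ru -> Rv : <TID_Ru, ru>
        self.ru = os.urandom(16)
        return self.tid, self.ru

    def step2(self, msg):
        # Rv: SK = P(TID_Rv, TID_Ru) from its own share, SKV = h(SK || ru); Rv -> Ru : <TID_Rv, SKV>
        tid_u, ru = msg
        self.sk = eval_share(self.share, tid_u, P)
        return self.tid, h(self.sk.to_bytes(8, "big"), ru)

    def step3(self, msg):
        # Ru: SK' = P(TID_Ru, TID_Rv), SKV' = h(SK' || ru); accept only if SKV' == SKV
        tid_v, skv = msg
        sk = eval_share(self.share, tid_v, P)
        if h(sk.to_bytes(8, "big"), self.ru) != skv:
            return None
        self.sk = sk
        return sk


def demo() -> bool:
    """Two RSUs derive the same pairwise key, equal to P evaluated directly on their TIDs."""
    rng = random.Random(2017)  # deterministic coefficients for a reproducible demo
    poly = symmetric_polynomial(T, P, rng)
    X_prime = h(b"IDTA", b"X-prime-secret")  # constructed stand-in for the TA's X'
    ru_ = RSU(tid(b"IDTA", b"RTS-u", X_prime), poly)
    rv_ = RSU(tid(b"IDTA", b"RTS-v", X_prime), poly)
    m1 = ru_.step1()
    sk = ru_.step3(rv_.step2(m1))
    return sk is not None and sk == rv_.sk == eval_bivariate(poly, ru_.tid, rv_.tid, P)


def paper_example_symmetric() -> bool:
    """The paper's P(x, y) = x + y + 3xy + 5x^2 + 5y^2 + 3x^2y^2 over GF(7) satisfies P(x, y) = P(y, x)."""
    a = [[0, 1, 5], [1, 3, 0], [5, 0, 3]]  # a[i][j] is the coefficient of x^i y^j
    return all(eval_bivariate(a, x, y, 7) == eval_bivariate(a, y, x, 7)
               for x in range(7) for y in range(7))
```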

2) VEHICLE REGISTRATION PHASE

To start secure communication with other vehicles, the cluster head and roadside units, each vehicle is registered offline at the TA. Since vehicle registration is a one-time process, this phase is executed via a secure channel (for example, in person). This phase has the following steps.

Step 1: The user Ui of a vehicle Vi first chooses a unique identity IDi and a password PWi of his/her choice, and two 160-bit random secrets ri and k. The on-board unit OBUi of Vi then calculates the masked password RPWi = h(PWi || ri) and sends the registration request ⟨IDi, (RPWi ⊕ k)⟩ to the TA through the secure channel.

Step 2: Upon receiving ⟨IDi, (RPWi ⊕ k)⟩, the TA computes RIDi = h(IDi || X) and A1 = h(RIDi || X) using the previously generated 1024-bit secret key X. It further computes A2 = h(RIDi || A1 || IDTA), x = h(IDTA || X), x' = h(IDTA || X'), Y1 = x ⊕ A2 ⊕ (RPWi ⊕ k), and Y2 = x' ⊕ A2 ⊕ (RPWi ⊕ k). In addition, the TA also generates a unique secret key KVi for each registered vehicle Vi and computes the temporal credential TCVi = h(KVi || RTSVi || IDi) using the registration timestamp RTSVi of Vi and the identity IDi of Ui. The TA then sends the information ⟨RIDi, TCVi, IDTA, Y1, Y2, A1, A2⟩ to Vi through the secure channel.

FIGURE 3. Vehicle registration phase.

Step 3: Upon receiving the information sent in Step 2, OBUi of Vi calculates Bi = h(PWi || IDi) ⊕ ri, A1' = A1 ⊕ h(IDi || ri), IDTA' = h(IDi || ri) ⊕ IDTA, A3 = h(IDi || RPWi || IDTA || A1), A4 = h(A3 || A2), RIDi' = RIDi ⊕ h(PWi || IDi || ri), TCVi' = TCVi ⊕ h(PWi || ri), Y = Y1 ⊕ k = x ⊕ A2 ⊕ RPWi and Y' = Y2 ⊕ k = x' ⊕ A2 ⊕ RPWi. OBUi then deletes k, RIDi, TCVi, IDTA, A1, Y1 and Y2 from its memory. Finally, OBUi contains {RIDi', TCVi', IDTA', Bi, Y, Y', A1', A4, h(·)}. Note that the parameter Y is used in vehicle to vehicle and vehicle to cluster head authentication and key agreement, whereas the parameter Y' is used only in cluster head to roadside unit authentication and key agreement. The vehicle registration phase is summarized in Figure 3.

B. AUTHENTICATION AND KEY AGREEMENT PHASE

Ui first inputs his/her identity IDi and password PWi* into OBUi. OBUi computes ri* = Bi ⊕ h(PWi* || IDi), A1* = A1' ⊕ h(IDi || ri*) = h(RIDi || X), RPWi* = h(PWi* || ri*), IDTA* = IDTA' ⊕ h(IDi || ri*) and RIDi = RIDi' ⊕ h(PWi* || IDi || ri*). OBUi further computes A2* = h(RIDi || A1* || IDTA*), x = Y ⊕ A2* ⊕ RPWi*, x' = Y' ⊕ A2* ⊕ RPWi*, A3* = h(IDi || RPWi* || IDTA* || A1*) and A4* = h(A3* || A2*). Note that the other vehicles also compute the same x and x' in this way once the authorized users of those vehicles input their correct credentials (identity and password). OBUi checks whether A4* = A4. If the condition does not hold, this phase terminates immediately. Otherwise, Ui has provided the correct identity and password, and Ui is considered a valid user of the vehicle Vi. In addition, OBUi also calculates TCVi = TCVi' ⊕ RPWi*.

1) V2V AUTHENTICATION AND KEY AGREEMENT PHASE

In this phase, two neighbor vehicles, say Vi and Vj, in a cluster perform the following steps.

Step 1: OBUi of Vi chooses a random nonce r1, generates the current timestamp T1, and computes the time-dependent secret key Kx1 = h(x || T1) using the previously computed x. Note that x and x' are used for authentication between two neighbor vehicles in a cluster, and between a cluster head and its nearest RSU, respectively. OBUi further calculates D1 = h(r1 || RIDi || TCVi || T1), M1 = Kx1 ⊕ D1 and M2 = h(D1 || IDTA* || T1), and sends the authentication request message ⟨M1, M2, T1⟩ to its neighbor vehicle Vj via the open channel.

Step 2: Upon receiving ⟨M1, M2, T1⟩, OBUj of Vj verifies the timeliness of T1 by checking the condition |T1 − T1*| ≤ ΔT, where ΔT is the maximum transmission delay and T1* is the time at which the message is received. If it holds, OBUj computes the time-dependent secret key Kx1 = h(x || T1) using the received timestamp T1 and the previously computed x. It then calculates D1' = Kx1 ⊕ M1 = h(r1 || RIDi || TCVi || T1) and M3 = h(D1' || IDTA* || T1). OBUj further checks the condition M3 = M2. If it matches, Vi is authenticated by Vj; otherwise, the authentication process is stopped by Vj immediately.

Step 3: OBUj chooses a random nonce r2 and the current timestamp T2, and computes the time-dependent secret key Kx2 = h(x || T2), D2 = h(r2 || RIDj || TCVj || T1 || T2) and M4 = Kx2 ⊕ D2. It further computes the session key SKVi,Vj = h(h(x || T1 || T2) || D1' || D2 || IDTA*) and M5 = h(SKVi,Vj || T2), and then sends the message ⟨M4, M5, T2⟩ to Vi via the open channel.

Step 4: Upon receiving ⟨M4, M5, T2⟩, OBUi also checks the timeliness of T2 by the condition |T2 − T2*| ≤ ΔT, where T2* is the reception time of the message. If it holds, OBUi computes Kx2 = h(x || T2) using the received timestamp T2 and the previously computed x, and D2' = Kx2 ⊕ M4 = h(r2 || RIDj || TCVj || T1 || T2). OBUi further computes the session key SKVi,Vj' = h(h(x || T1 || T2) || D1 || D2' || IDTA*) and M6 = h(SKVi,Vj' || T2). It then checks the condition M6 = M5. If it matches, Vj is successfully authenticated by Vi. OBUi then generates the current timestamp T3, computes M7 = h(SKVi,Vj' || T3), and finally sends the acknowledgment message ⟨M7, T3⟩ to Vj via the open channel.

Step 5: After receiving ⟨M7, T3⟩, OBUj checks the timeliness of T3 by the condition |T3 − T3*| ≤ ΔT, where T3* is the reception time of the message. It then computes M8 = h(SKVi,Vj || T3) and checks whether M8 = M7. If it matches, the session key computed by OBUi is correct, which ensures that both Vi and Vj have established the same common session key SKVi,Vj (= SKVi,Vj') and can start communicating with each other securely. This phase is summarized in Figure 4.

2) V2CH AUTHENTICATION AND KEY AGREEMENT PHASE

A vehicle Vi and its cluster head CHj in a cluster perform the following steps.

Step 1: OBUi of Vi first selects a random nonce rVi and the current timestamp T1, and then calculates Kx1 = h(x || T1) using the previously computed x. It further calculates D1 = h(rVi || RIDi || TCVi || T1), M1 = Kx1 ⊕ D1 and M2 = h(D1 || IDTA* || T1), and sends the authentication request message ⟨M1, M2, T1⟩ to CHj via the open channel. Note that IDCHj is the same as IDVj, and RIDCHj is the same as RIDVj; as a result, IDCHj and RIDCHj are only used when the vehicle Vj is elected as the cluster head of the cluster.

FIGURE 4. Vehicle to vehicle authentication and key agreement phase.

Step 2: Upon receiving the message, CHj verifies the timeliness of T1. If it holds, the on-board unit of CHj, OBUCHj, computes Kx1 = h(x || T1) using the received timestamp T1. It then retrieves D1' = Kx1 ⊕ M1 = h(rVi || RIDi || TCVi || T1) and computes M3 = h(D1' || IDTA* || T1). OBUCHj then checks the condition M3 = M2. If it matches, Vi is authenticated by CHj; otherwise, CHj stops the authentication process immediately.

Step 3: OBUCHj then chooses a random nonce rCHj and the current timestamp T2, and calculates the time-dependent key Kx2 = h(x || T2), D2 = h(rCHj || RIDCHj || TCCHj || T1 || T2) and M4 = Kx2 ⊕ D2. It further computes the session key SKVi,CHj = h(h(x || T1 || T2) || D1' || D2 || IDTA*) and M5 = h(SKVi,CHj || T2), and then sends the message ⟨M4, M5, T2⟩ to Vi via the open channel.

Step 4: Upon receiving ⟨M4, M5, T2⟩, OBUi checks the timeliness of T2. If it holds, OBUi computes the time-dependent key Kx2 = h(x || T2) using T2, and D2' = Kx2 ⊕ M4 = h(rCHj || RIDCHj || TCCHj || T1 || T2). It further computes the session key SKVi,CHj' = h(h(x || T1 || T2) || D1 || D2' || IDTA*) and M6 = h(SKVi,CHj' || T2). If M6 = M5, CHj is successfully authenticated by Vi. OBUi then generates the current timestamp T3, calculates M7 = h(SKVi,CHj' || T3) and sends the acknowledgment ⟨M7, T3⟩ to CHj via the open channel.

Step 5: After receiving ⟨M7, T3⟩, OBUCHj checks the timeliness of T3. If it is valid, OBUCHj computes M8 = h(SKVi,CHj || T3). If M8 = M7, the session key computed by OBUi is correct, and both Vi and CHj have established the same session key SKVi,CHj (= SKVi,CHj') for secure communication.

3) CH2RSU AUTHENTICATION AND KEY AGREEMENT PHASE

FIGURE 5. Cluster head to roadside unit authentication and key agreement phase.

The cluster head CHj and its nearby roadside unit Rk perform the following steps.

Step 1: OBUCHj of CHj chooses a random nonce rCHj and the current timestamp T1, and calculates the time-dependent key Kx1' = h(x' || T1) using the previously computed x' instead of x in this case. It further calculates D1 = h(rCHj || RIDCHj || TCCHj || T1), M1 = Kx1' ⊕ D1 and M2 = h(D1 || IDTA* || T1), and sends the authentication request message ⟨M1, M2, T1⟩ to its nearby Rk via the open channel.

Step 2: Upon receiving ⟨M1, M2, T1⟩, Rk verifies the timeliness of T1. If it holds, Rk computes the time-dependent key Kx1' = h(x' || T1) using the received T1. It then calculates D1' = Kx1' ⊕ M1 = h(rCHj || RIDCHj || TCCHj || T1) and M3 = h(D1' || IDTA* || T1). If M3 = M2, CHj is authenticated by Rk; otherwise, the authentication process is immediately terminated by Rk.

Step 3: Rk then chooses a random nonce rRk and the current timestamp T2, and computes another time-dependent key Kx2' = h(x' || T2), D2 = h(rRk || RIDRk || T1 || T2) and M4 = Kx2' ⊕ D2. It further computes the session key SKCHj,Rk = h(h(x' || T1 || T2) || D1' || D2 || IDTA*) and M5 = h(SKCHj,Rk || T2), and sends the message ⟨M4, M5, T2⟩ to CHj via the open channel.

Step 4: Upon receiving ⟨M4, M5, T2⟩, OBUCHj also verifies the timeliness of T2. If it is valid, OBUCHj computes the time-dependent key Kx2' = h(x' || T2) using the received T2, and D2' = Kx2' ⊕ M4 = h(rRk || RIDRk || T1 || T2). It further computes the session key SKCHj,Rk' = h(h(x' || T1 || T2) || D1 || D2' || IDTA*) and M6 = h(SKCHj,Rk' || T2). If M6 = M5 is satisfied, Rk is successfully authenticated by CHj. OBUCHj then generates the current timestamp T3, computes M7 = h(SKCHj,Rk' || T3) and sends the acknowledgment message ⟨M7, T3⟩ to Rk via the open channel.

Step 5: After receiving ⟨M7, T3⟩, Rk checks the timeliness of T3. If it is valid, Rk computes M8 = h(SKCHj,Rk || T3) and checks whether M8 = M7. If it matches, the session key computed by OBUCHj is correct, and it also ensures that both CHj and Rk have established the same session key SKCHj,Rk (= SKCHj,Rk') for secure communication. This phase is further summarized in Figure 5.
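The V2V exchange of Section III-B.1 as an added Python example (not code from the paper), covering the honest run, a modified M1 failing the M3 = M2 check, and a request older than ΔT failing the timeliness check; the V2CH and CH2RSU subphases above follow the same five steps with x or x' as the long-term secret. It assumes SHA-256 as h(·), 256-bit nonces, ΔT = 2 seconds and constructed credentials in place of the TA-issued ones:

```python
import hashlib
import os

DELTA_T = 2  # maximum transmission delay ΔT in seconds (assumed value; the paper fixes none)


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation a||b||...; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(p ^ q for p, q in zip(a, b))


def ts(t: int) -> bytes:
    return str(t).encode()


def fresh(t_sent: int, t_recv: int) -> bool:
    # Timeliness check |T - T*| <= ΔT performed by every receiver.
    return abs(t_recv - t_sent) <= DELTA_T


class Vehicle:
    """An OBU after login: it holds RIDi, TCVi, the common secret x and IDTA*."""

    def __init__(self, rid: bytes, tcv: bytes, x: bytes, id_ta: bytes):
        self.rid, self.tcv, self.x, self.id_ta = rid, tcv, x, id_ta
        self.sk = None

    def request(self, t1: int):
        # Step 1 (Vi): Kx1 = h(x||T1), D1 = h(r1||RIDi||TCVi||T1), M1 = Kx1 ⊕ D1, M2 = h(D1||IDTA||T1)
        r1 = os.urandom(32)
        self.t1 = t1
        self.d1 = h(r1, self.rid, self.tcv, ts(t1))
        m1 = xor(h(self.x, ts(t1)), self.d1)
        m2 = h(self.d1, self.id_ta, ts(t1))
        return m1, m2, t1

    def respond(self, msg, t1_recv: int, t2: int):
        # Steps 2-3 (Vj): recover D1', check M3 == M2, then build <M4, M5, T2> and the session key
        m1, m2, t1 = msg
        if not fresh(t1, t1_recv):
            return None
        d1p = xor(h(self.x, ts(t1)), m1)
        if h(d1p, self.id_ta, ts(t1)) != m2:
            return None  # Vi is not authenticated: stop immediately
        r2 = os.urandom(32)
        d2 = h(r2, self.rid, self.tcv, ts(t1), ts(t2))
        m4 = xor(h(self.x, ts(t2)), d2)
        self.sk = h(h(self.x, ts(t1), ts(t2)), d1p, d2, self.id_ta)
        return m4, h(self.sk, ts(t2)), t2

    def finish(self, msg, t2_recv: int, t3: int):
        # Step 4 (Vi): recover D2', derive SK', check M6 == M5, send the acknowledgment <M7, T3>
        m4, m5, t2 = msg
        if not fresh(t2, t2_recv):
            return None
        d2p = xor(h(self.x, ts(t2)), m4)
        sk = h(h(self.x, ts(self.t1), ts(t2)), self.d1, d2p, self.id_ta)
        if h(sk, ts(t2)) != m5:
            return None  # Vj is not authenticated
        self.sk = sk
        return h(sk, ts(t3)), t3

    def confirm(self, ack, t3_recv: int) -> bool:
        # Step 5 (Vj): check the freshness of T3 and that M8 = h(SK||T3) equals M7
        m7, t3 = ack
        return fresh(t3, t3_recv) and h(self.sk, ts(t3)) == m7


def run_v2v(tamper: bool = False, delay: int = 1) -> bool:
    """Run one V2V session; True only when both sides accept and hold the same session key."""
    # Constructed credentials standing in for what the TA issues at registration.
    x, id_ta = h(b"IDTA", b"X-secret"), b"IDTA"
    vi = Vehicle(h(b"IDi", b"X-secret"), h(b"KVi", b"RTSVi", b"IDi"), x, id_ta)
    vj = Vehicle(h(b"IDj", b"X-secret"), h(b"KVj", b"RTSVj", b"IDj"), x, id_ta)
    t = 1_500_000_000
    req = vi.request(t)
    if tamper:  # an on-path modification of M1 must be caught by the M3 == M2 check
        m1, m2, t1 = req
        req = (xor(m1, b"\x01" + b"\x00" * 31), m2, t1)
    rep = vj.respond(req, t + delay, t + delay)  # delay > ΔT models a stale or replayed request
    if rep is None:
        return False
    ack = vi.finish(rep, t + delay + 1, t + delay + 1)
    if ack is None:
        return False
    return vj.confirm(ack, t + delay + 2) and vi.sk == vj.sk
```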

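The vehicle registration of Section III-A.2, the login check at the start of Section III-B and the local password update of Section III-D, run end to end as an added Python example (not the paper's code), showing the A4 check rejecting a wrong password and the same x, x' and TCVi being recovered after the password change. It assumes SHA-256 as h(·), IDTA padded to the hash length, and 256-bit ri and k so that every XOR operand matches the hash length:

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over a||b||...; SHA-256 is an assumed instantiation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(p ^ q for p, q in zip(a, b))


class TA:
    def __init__(self):
        self.id = b"IDTA".ljust(32, b"\0")  # identity padded to the hash length so it can be XOR-masked
        self.X, self.Xp = os.urandom(128), os.urandom(128)  # 1024-bit X and X'

    def register(self, id_i: bytes, masked_rpw: bytes):
        # Registration Step 2 on input <IDi, RPWi ⊕ k>; the reply goes back over the secure channel.
        rid = h(id_i, self.X)
        a1 = h(rid, self.X)
        a2 = h(rid, a1, self.id)
        x, xp = h(self.id, self.X), h(self.id, self.Xp)
        y1, y2 = xor(xor(x, a2), masked_rpw), xor(xor(xp, a2), masked_rpw)
        tcv = h(os.urandom(32), b"RTSVi", id_i)  # TCVi = h(KVi || RTSVi || IDi); constructed timestamp
        return rid, tcv, self.id, y1, y2, a1, a2


class OBU:
    def register(self, ta: TA, id_i: bytes, pw: bytes):
        # Step 1: ri and k are 160-bit in the paper; 256-bit here so they XOR against a SHA-256 output.
        ri, k = os.urandom(32), os.urandom(32)
        rpw = h(pw, ri)
        rid, tcv, id_ta, y1, y2, a1, a2 = ta.register(id_i, xor(rpw, k))
        # Step 3: only these masked values stay in (non-tamper-resistant) OBU memory.
        self.mem = {
            "RID'": xor(rid, h(pw, id_i, ri)),
            "TCV'": xor(tcv, h(pw, ri)),
            "IDTA'": xor(h(id_i, ri), id_ta),
            "B": xor(h(pw, id_i), ri),
            "Y": xor(y1, k),   # = x ⊕ A2 ⊕ RPWi
            "Y'": xor(y2, k),  # = x' ⊕ A2 ⊕ RPWi
            "A1'": xor(a1, h(id_i, ri)),
            "A4": h(h(id_i, rpw, id_ta, a1), a2),
        }

    def login(self, id_i: bytes, pw: bytes):
        # Login: recover ri*, A1*, RPWi*, IDTA*, RIDi, then accept only if h(A3*||A2*) == A4.
        m = self.mem
        ri = xor(m["B"], h(pw, id_i))
        a1 = xor(m["A1'"], h(id_i, ri))
        rpw = h(pw, ri)
        id_ta = xor(m["IDTA'"], h(id_i, ri))
        rid = xor(m["RID'"], h(pw, id_i, ri))
        a2 = h(rid, a1, id_ta)
        if h(h(id_i, rpw, id_ta, a1), a2) != m["A4"]:
            return None  # wrong identity/password: terminate
        return {"RID": rid, "TCV": xor(m["TCV'"], rpw), "IDTA": id_ta, "ri": ri, "A1": a1,
                "A2": a2, "RPW": rpw, "x": xor(xor(m["Y"], a2), rpw), "x'": xor(xor(m["Y'"], a2), rpw)}

    def update_password(self, id_i: bytes, old_pw: bytes, new_pw: bytes) -> bool:
        s = self.login(id_i, old_pw)  # Step 1: the old password must pass the A4 check
        if s is None:
            return False
        ri, rpw_old, rpw_new = s["ri"], s["RPW"], h(new_pw, s["ri"])
        m = self.mem  # Steps 2-3: re-mask the stored values under the new password, locally, without the TA
        m["RID'"] = xor(s["RID"], h(new_pw, id_i, ri))
        m["TCV'"] = xor(s["TCV"], rpw_new)
        m["B"] = xor(h(new_pw, id_i), ri)
        m["Y"] = xor(m["Y"], xor(rpw_old, rpw_new))   # now x ⊕ A2 ⊕ RPWi^new
        m["Y'"] = xor(m["Y'"], xor(rpw_old, rpw_new))
        m["A4"] = h(h(id_i, rpw_new, s["IDTA"], s["A1"]), s["A2"])
        return True


def demo() -> dict:
    """Register one vehicle, log in, change the password and check what survives the change."""
    ta, obu = TA(), OBU()
    obu.register(ta, b"IDi", b"old-password")
    before = obu.login(b"IDi", b"old-password")
    r = {"login_ok": before is not None,
         "wrong_pw_rejected": obu.login(b"IDi", b"guess") is None,
         "x_matches_ta": before["x"] == h(ta.id, ta.X) and before["x'"] == h(ta.id, ta.Xp),
         "update_ok": obu.update_password(b"IDi", b"old-password", b"new-password"),
         "update_with_wrong_old_pw_rejected": not obu.update_password(b"IDi", b"guess", b"x")}
    after = obu.login(b"IDi", b"new-password")
    r["old_pw_rejected_after_update"] = obu.login(b"IDi", b"old-password") is None
    r["same_secrets_after_update"] = (after is not None and after["x"] == before["x"]
                                      and after["x'"] == before["x'"] and after["TCV"] == before["TCV"])
    return r
```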

C. RSU2RSU KEY ESTABLISHMENT PHASE

For pairwise key establishment between two neighbor RSUs, say Ru and Rv, the following steps are executed.

Step 1: Ru generates a random nonce ru and sends the message ⟨TIDRu, ru⟩ to Rv.

Step 2: After receiving ⟨TIDRu, ru⟩, Rv computes the symmetric key shared with Ru as SKRu,Rv = P(TIDRv, TIDRu) using its pre-loaded polynomial share P(TIDRv, y), and SKV = h(SKRu,Rv || ru). Rv then sends the message ⟨TIDRv, SKV⟩ to Ru.

Step 3: Finally, after receiving ⟨TIDRv, SKV⟩, Ru computes the symmetric key shared with Rv as SKRu,Rv' = P(TIDRu, TIDRv) (= SKRu,Rv, by the symmetry of P) using its pre-loaded polynomial share P(TIDRu, y), and SKV' = h(SKRu,Rv' || ru) using its own previously generated random nonce ru. Ru then checks whether SKV' = SKV. If the condition holds, it guarantees that both Ru and Rv share the same symmetric key for their future secure communication.

D. PASSWORD UPDATE PHASE

D. PASSWORD UPDATE PHASE

In the proposed scheme, $OBU_i$ of the vehicle $V_i$ can update the password after the registration phase without using a verification table and without connecting to the remote system. To improve the security of a system, it is necessary for legal users to change their passwords periodically after the registration phase. This phase helps a legal user $U_i$ of the vehicle $V_i$ to replace the current password with a new password using the following steps:

Step 1: $U_i$ provides the identity $ID_i$ and the old password $PW_i^{old}$. $OBU_i$ then computes $r^*_i = B_i \oplus h(PW_i^{old}||ID_i)$, $A^*_1 = A'_1 \oplus h(ID_i||r^*_i)$, $RPW_i^{old} = h(PW_i^{old}||r^*_i)$, $ID^*_{TA} = ID'_{TA} \oplus h(ID_i||r^*_i)$, $RID^*_i = RID'_i \oplus h(PW_i^{old}||ID_i||r^*_i)$, $A^*_2 = h(RID^*_i||A^*_1||ID^*_{TA})$, $A_3^{old} = h(ID_i||RPW_i^{old}||ID^*_{TA}||A^*_1)$ and $A_4^{old} = h(A_3^{old}||A^*_2)$. $OBU_i$ checks if $A_4^{old} = A_4$. If the condition does not hold, it stops the password update process. Otherwise, $U_i$ is a valid user, and $OBU_i$ proceeds with the password update using the next steps.

Step 2: $OBU_i$ asks $U_i$ to provide a new password $PW_i^{new}$. After that, it computes $RID^{**}_i = RID^*_i \oplus h(PW_i^{new}||ID_i||r^*_i)$, $TCV^*_i = TCV'_i \oplus RPW_i^{old}$, $TCV^{**}_i = TCV^*_i \oplus h(PW_i^{new} \oplus r^*_i)$, $B_i^{new} = h(PW_i^{new}||ID_i) \oplus r^*_i$, $RPW_i^{new} = h(PW_i^{new}||r^*_i)$, $A_3^{new} = h(ID_i||RPW_i^{new}||ID^*_{TA}||A^*_1)$, $A_4^{new} = h(A_3^{new}||A^*_2)$, $Y^* = Y \oplus (RPW_i^{old} \oplus RPW_i^{new}) = x \oplus A_2 \oplus RPW_i^{new}$ and $Y^{**} = Y' \oplus (RPW_i^{old} \oplus RPW_i^{new}) = x' \oplus A_2 \oplus RPW_i^{new}$.

Step 3: Finally, $OBU_i$ replaces $RID'_i$, $TCV'_i$, $B_i$, $Y$, $Y'$ and $A_4$ with $RID^{**}_i$, $TCV^{**}_i$, $B_i^{new}$, $Y^*$, $Y^{**}$ and $A_4^{new}$ in its memory, respectively. Hence, $OBU_i$ contains the information $\{RID^{**}_i, TCV^{**}_i, ID'_{TA}, B_i^{new}, Y^*, Y^{**}, A'_1, A_4^{new}, h(\cdot)\}$ after the password update.

E. DYNAMIC ROADSIDE UNIT ADDITION PHASE

A new roadside unit, say $R_k^{new}$, can be deployed in the network at any time as follows. First of all, the TA generates a new unique identity $ID_{R_k^{new}}$ and its corresponding pseudo identity using the secret key $X'$ as $RID_{R_k^{new}} = h(ID_{R_k^{new}}||X')$. The TA further generates the time-dependent pseudo identity for $R_k^{new}$ as $TID^{new}_{R_k} = h(ID_{TA}||RTS^{new}_{R_k}||X')$, where $RTS^{new}_{R_k}$ is the registration timestamp of $R_k^{new}$, and the secret key of $R_k^{new}$ as $x' = h(ID_{TA}||X')$. For pairwise symmetric key establishment with other RSUs in VANETs, the TA also computes the polynomial share $P(TID^{new}_{R_k}, y)$, which is a univariate polynomial of degree $t$ whose coefficients are from $GF(p)$. Finally, $R_k^{new}$ contains $\{x', RID^{new}_{R_k}, TID^{new}_{R_k}, P(TID^{new}_{R_k}, y)\}$ prior to its deployment in VANETs.

IV. SECURITY ANALYSIS

In this section, through a formal security analysis using the widely used Real-Or-Random (ROR) model [22] and an informal security analysis, we show that the proposed scheme is secure against various known attacks.

A. FORMAL SECURITY ANALYSIS USING REAL-OR-RANDOM MODEL

The Real-Or-Random (ROR) model is applied in the formal security proof of the proposed scheme as in [35] and [36]. Under this model, we show that the proposed scheme provides session-key security. We have three main participants, namely a vehicle $V_i$, a cluster head $CH_j$ (which is one of the vehicles in a cluster) and an RSU $R_k$. The ROR model [22] has the following components.

Participants. Let $\Pi^t_{V_i}$, $\Pi^u_{CH_j}$ and $\Pi^v_{R_k}$ be the instances $t$, $u$ and $v$ of $V_i$, $CH_j$ and $R_k$, respectively, which are called the oracles.

Accepted state. An instance $\Pi^t$ is in the accepted state if, upon receiving the last expected protocol message, it goes into an accept state. The ordered concatenation of all sent and received messages communicated by $\Pi^t$ forms the session identification ($sid$) of $\Pi^t$ for the current session [37].

Partnering. Two instances $\Pi^{t_1}$ and $\Pi^{t_2}$ are called partnered if the following three conditions are fulfilled: 1) both $\Pi^{t_1}$ and $\Pi^{t_2}$ are in the accept state; 2) both $\Pi^{t_1}$ and $\Pi^{t_2}$ mutually authenticate each other and share an identical session identification ($sid$); and 3) $\Pi^{t_1}$ and $\Pi^{t_2}$ are mutual partners of each other [37].

Freshness. If an adversary $\mathcal{A}$ does not derive the session key between any two communicating parties using the reveal query $RL(\Pi^t)$ given below, then $\Pi^t_{V_i}$, $\Pi^u_{CH_j}$ or $\Pi^v_{R_k}$ is called fresh.

Adversary. $\mathcal{A}$ has full control over all communications. Thus, $\mathcal{A}$ can read and modify all exchanged messages, and can even fabricate new messages and inject them into the network. Apart from this, $\mathcal{A}$ has access to the following queries, as presented in [35]:

• $EX(\Pi^t_{V_i}/\Pi^u_{CH_j}, \Pi^v_{R_k})$: $\mathcal{A}$ executes this query in order to obtain the messages exchanged between two honest participants. This is modeled as an eavesdropping attack.

• $RL(\Pi^t)$: This query reveals the current session key generated by $\Pi^t$ (and its partner) to the adversary $\mathcal{A}$.


• $SN(\Pi^t, msg)$: This query is executed by $\mathcal{A}$ in order to transmit a message, say $msg$, to a participant instance $\Pi^t$ and receive a response message. This is modeled as an active attack.

• $CorruptOBU(\Pi^t_{V_i}/\Pi^u_{CH_j})$: It models the stolen-OBU attack on $V_i$'s or $CH_j$'s OBU. It can extract all the information stored in the OBU of $V_i$ or $CH_j$.

• $Test(\Pi^t)$: It models the semantic security of the session key $SK$ following indistinguishability in the ROR model [22]. At the beginning of the experiment, a coin $c$ is flipped, and its output is only known to $\mathcal{A}$. It helps to determine the output of the $Test$ query. If $\mathcal{A}$ executes this query and $SK$ is fresh, $\Pi^t$ outputs $SK$ in case $c = 1$, or a random number in the same domain when $c = 0$; otherwise, it outputs a null value ($\perp$).

Semantic security of the session key. In the ROR model, $\mathcal{A}$'s task is to distinguish between an instance's real session key and a random key. $\mathcal{A}$ can make several $Test$ queries to $\Pi^t_{V_i}$, $\Pi^u_{CH_j}$ or $\Pi^v_{R_k}$. The random bit $c$ needs to be consistent with the output of the $Test$ query. Once the experiment is over, $\mathcal{A}$ outputs a guessed bit $c'$ and wins the game if $c' = c$. Let $Win$ be the event that $\mathcal{A}$ wins the game. The advantage $Adv^{AKE}_{AS}$ of $\mathcal{A}$ in breaking the semantic security of the proposed authenticated key exchange (AKE) scheme, say $AS$, is defined by $Adv^{AKE}_{AS} = |2\Pr[Win] - 1|$. $AS$ is secure if $Adv^{AKE}_{AS} \le \psi$ for a sufficiently small real number $\psi > 0$.

Random oracle. As in [35], all the participants including $\mathcal{A}$ have access to a collision-resistant one-way cryptographic hash function $h(\cdot)$, which is also modeled as a random oracle, say $H$.

The security proof given in Theorem 1 is similar to that presented in [35]. Note that Theorem 1 presents the semantic security of the proposed authentication scheme with respect to breaking the session key security between a cluster head $CH_j$ and an RSU $R_k$. Similarly, the semantic security of the proposed authentication scheme with respect to breaking the session key security between two neighbor vehicles, and between a vehicle and its cluster head, can be proved as in Theorem 1.

Theorem 1: Let $\mathcal{A}$ be an adversary running in polynomial time $t$ against the proposed scheme $AS$ in the ROR model. Let $\mathcal{D}$, $q_h$, $q_{send}$, $|Hash|$ and $|\mathcal{D}|$ be a uniformly distributed password dictionary, the number of $H$ queries, the number of $SN$ queries, the range space of $h(\cdot)$ and the size of $\mathcal{D}$, respectively. Then, the advantage $Adv^{AKE}_{AS}$ of $\mathcal{A}$ in breaking the semantic security of the session key $SK_{CH_j,R_k}$ between a cluster head $CH_j$ and an RSU $R_k$ in the proposed scheme is given by

$$Adv^{AKE}_{AS} \le \frac{q_h^2}{|Hash|} + \frac{2\, q_{send}}{|\mathcal{D}|}.$$

Proof: As in [35] and [36], we define a sequence of four games, say $G_i$ ($i = 0, 1, 2, 3$). We denote by $Win_i$ the event that the bit $c$ in game $G_i$ is successfully guessed by $\mathcal{A}$. The detailed description of these games is given below.

Game $G_0$: This is $\mathcal{A}$'s real attack on the proposed scheme $AS$ in the random oracle model. The bit $c$ is first guessed by $\mathcal{A}$ at the beginning of the game. By definition, we have

$$Adv^{AKE}_{AS} = |2\Pr[Win_0] - 1|. \quad (1)$$

Game $G_1$: This game simulates $\mathcal{A}$'s eavesdropping attack by executing the $EX(\Pi^u, \Pi^v)$ query. $\mathcal{A}$ makes the $Test$ query at the end of the game. $\mathcal{A}$ needs to decide whether the output of the $Test$ query is the actual session key $SK_{CH_j,R_k}$ or a random number. The session key is derived by $R_k$ as $SK_{CH_j,R_k} = h(h(x'||T_1||T_2)||D'_1||D_2||ID^*_{TA})$, where $D'_1 = K'_{x1} \oplus M_1 = h(r_{CH_j}||RID_{CH_j}||TC_{CH_j}||T_1)$ and $D_2 = h(r_{R_k}||RID_{R_k}||T_1||T_2)$. On the other hand, the same session key is also derived by $CH_j$. The session key involves the long-term secrets $x'$, $RID_{CH_j}$, $TC_{CH_j}$, $RID_{R_k}$ and $ID^*_{TA}$ as well as the temporary secrets $r_{CH_j}$ and $r_{R_k}$. The chance of $\mathcal{A}$ winning $G_1$ is not increased by eavesdropping on the messages $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$ in order to derive the session key. Hence, we get

$$\Pr[Win_0] = \Pr[Win_1]. \quad (2)$$

Game $G_2$: In this game, we add the simulations of the $Send$ and $H$ oracles, where $G_2$ is modeled as an active attack. $\mathcal{A}$ tries to deceive a participant in the network into accepting a modified message. $\mathcal{A}$ is allowed to make several $H$ oracle queries to verify whether there is any collision in the hash outputs. Note that each of the messages $Msg_1$, $Msg_2$ and $Msg_3$ is associated with a participant's pseudo identity, temporary random secrets, long-term secrets as well as timestamps. Thus, even if $\mathcal{A}$ makes the $SN$ oracle queries, there will be no collision. Applying the birthday paradox, we have

$$|\Pr[Win_1] - \Pr[Win_2]| \le \frac{q_h^2}{2|Hash|}. \quad (3)$$

Game $G_3$: This is the final game, which simulates the $CorruptOBU$ query. Note that $\mathcal{A}$ can extract the information $\{RID'_i, TCV'_i, ID'_{TA}, B_i, Y, Y', A'_1, A_4, h(\cdot)\}$ stored in $OBU_{CH_j}$. However, this information does not help in deriving the session key $SK_{CH_j,R_k}$, as it needs the secrets $x'$, $RID_{CH_j}$, $TC_{CH_j}$, $RID_{R_k}$ and $ID_{TA}$, and these are protected by $h(\cdot)$. It is also difficult to calculate $x'$ from $Y'$ without the correct password $PW_i$ of the user of $CH_j$ and $A_2$ using the password dictionary attack. If the system allows only a limited number of wrong password inputs, we get

$$|\Pr[Win_2] - \Pr[Win_3]| \le \frac{q_{send}}{|\mathcal{D}|}. \quad (4)$$

Since all the random oracles are simulated, except that the adversary $\mathcal{A}$ needs to guess the bit $c$ to win the game after querying the $Test$ oracle, we get

$$\Pr[Win_3] = \frac{1}{2}. \quad (5)$$

From Equation (1), we have

$$\frac{1}{2}\, Adv^{AKE}_{AS} = \left|\Pr[Win_0] - \frac{1}{2}\right|. \quad (6)$$


With the help of the triangle inequality, we have

$$|\Pr[Win_1] - \Pr[Win_3]| \le |\Pr[Win_1] - \Pr[Win_2]| + |\Pr[Win_2] - \Pr[Win_3]| \le \frac{q_h^2}{2|Hash|} + \frac{q_{send}}{|\mathcal{D}|}.$$

As a result, equations (2) and (6), together with $\Pr[Win_3] = 1/2$, yield

$$\left|\Pr[Win_0] - \frac{1}{2}\right| \le \frac{q_h^2}{2|Hash|} + \frac{q_{send}}{|\mathcal{D}|}. \quad (7)$$

Finally, from equations (6) and (7), we get

$$Adv^{AKE}_{AS} \le \frac{q_h^2}{|Hash|} + \frac{2\, q_{send}}{|\mathcal{D}|}. \qquad \square$$

B. INFORMAL SECURITY ANALYSIS

We also analyze the security of the proposed scheme informally and show that the proposed scheme has the ability to protect against the following well-known attacks.

1) REPLAY ATTACK

In the proposed scheme, during the authentication and key agreement for V2V, V2CH and CH2RSU, the messages $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$ involve the timestamps $T_1$, $T_2$ and $T_3$, respectively. Therefore, even if an adversary intercepts these messages and replays them later, validation of the attached timestamps will fail, and the messages will be treated as old messages. Hence, our scheme is secure against the replay attack.

2) MAN-IN-THE-MIDDLE ATTACK

Consider the V2V authentication in the proposed scheme. Three messages, $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$, are involved in this phase. Suppose an adversary $\mathcal{A}$ intercepts the message $Msg_1$ and tries to modify it to create a valid message. For this purpose, $\mathcal{A}$ can generate a random nonce $r_{1a}$ and a current timestamp $T_{1a}$. However, $\mathcal{A}$ cannot calculate $K_{x1a} = h(x||T_{1a})$, as the secret key $x$ is unknown to him/her. This means that $\mathcal{A}$ cannot further compute $D_{1a} = h(r_{1a}||RID_i||TCV_i||T_{1a})$, $M_1 = K_{x1} \oplus D_1$ and $M_2 = h(D_{1a}||ID^*_{TA}||T_{1a})$ without having the other secrets $RID_i$, $TCV_i$ and $ID_{TA}$. Thus, $\mathcal{A}$ cannot modify $Msg_1$. In a similar way, $\mathcal{A}$ cannot modify the other two messages $Msg_2$ and $Msg_3$ either. Using a similar argument, it can also be shown that $\mathcal{A}$ does not have the ability to modify the messages of the V2CH and CH2RSU authentication and key agreement in the proposed scheme. This clearly indicates that the proposed scheme provides protection against the man-in-the-middle attack.

3) STOLEN OBU, PRIVILEGED-INSIDER AND OFFLINE PASSWORD GUESSING ATTACKS

Assume that the $OBU_i$ of a vehicle is stolen by an adversary $\mathcal{A}$. According to the threat model (Section II-B), $\mathcal{A}$ can extract the information $\{RID'_i, TCV'_i, ID'_{TA}, B_i, Y, Y', A'_1, A_4, h(\cdot)\}$ stored in $OBU_i$ using power analysis attacks [26], [27], as the $OBU_i$ is not tamper resistant. Without having the secret $X$, it is a computationally difficult task for $\mathcal{A}$ to derive $ID_i$ from $RID_i$. Also, without the random secret $r_i$ and $ID_i$, it is a difficult job for $\mathcal{A}$ to guess the password $PW_i$ of a legal user $U_i$ using the offline password guessing attack. Furthermore, we assume that an insider user of the TA knows the registration information $ID_i$ and $RPW_i \oplus k$ from the vehicle registration phase. Even if the information extracted from the stolen $OBU_i$ becomes known to the insider user later, after the registration phase, he/she is still unable to derive the secrets $PW_i$, $x$ and $x'$. This shows that the proposed scheme resists the stolen OBU, privileged-insider as well as offline password guessing attacks.

4) STOLEN VERIFIER ATTACK

In the proposed scheme, the $OBU_i$ of a vehicle $V_i$ stores the information $\{RID'_i, TCV'_i, ID'_{TA}, B_i, Y, Y', A'_1, A_4, h(\cdot)\}$. Assume that this information is stolen by an adversary $\mathcal{A}$. However, the secrets $PW_i$, $x$, $x'$, $ID_{TA}$ and $ID_i$ are protected by the one-way hash function $h(\cdot)$. The collision-resistance property of $h(\cdot)$ ensures that the secrets $PW_i$, $x$, $x'$, $ID_{TA}$ and $ID_i$ cannot be derived or guessed correctly by $\mathcal{A}$. In addition, the proposed scheme does not store any verifier table to check the entered credentials of a user $U_i$ associated with a vehicle $V_i$. Hence, the proposed scheme is secure against the stolen verifier attack.

5) IMPERSONATION ATTACKS

To impersonate a vehicle during the V2V authentication, an attacker $\mathcal{A}$ needs to create a valid message $Msg_1 = \langle M_1, M_2, T_1 \rangle$. To do so, $\mathcal{A}$ requires the secret $x$. Even if $\mathcal{A}$ generates its own random nonce and timestamp, he/she is unable to calculate $M_1$ and $M_2$, as the secrets $x$, $RID_i$, $TCV_i$ and $ID_{TA}$ are unknown. Likewise, $\mathcal{A}$ cannot create the valid messages $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$. Similarly, $\mathcal{A}$ cannot impersonate the cluster head or the RSU during the vehicle-to-cluster-head and cluster-head-to-RSU authentication phases. Thus, our scheme is secure against vehicle (user), cluster head and RSU impersonation attacks.

6) ANONYMITY

During the V2V, V2CH and CH2RSU authentication phases, the messages $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$ do not involve the identities of a user (vehicle) or an RSU. Furthermore, from these eavesdropped messages, it is a computationally infeasible task for an adversary to derive the identities of a user (vehicle) or an RSU, as these are protected by encryption and the one-way hash function. The proposed scheme thus preserves the anonymity property.

7) UNTRACEABILITY

During the V2V, V2CH and CH2RSU authentication phases, each session consists of three messages $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$. $M_1$ is constructed using a random nonce and the pseudo identity of a vehicle. Thus, $M_1$, and also $M_2$, are distinct for each session, as the random nonce and the timestamp are involved in $M_2$. Similarly, $M_4$ and $M_5$ are constructed using a random nonce and the pseudo identity of a cluster head or RSU. Furthermore, $M_7$ is also constructed using the current timestamp. As a result, all these messages are distinct in each session, and an adversary cannot trace a vehicle or an RSU. Hence, the proposed scheme preserves the untraceability property.

TABLE 2. Functionality features: A comparative analysis.

V. PERFORMANCE EVALUATION

This section compares the communication and computation overheads, and the functionality features, of the proposed scheme and the other most relevant schemes in VANETs, namely Chuang-Lee's scheme [7] and Sanchez-Garcia et al.'s scheme [18].

A. SECURITY AND FUNCTIONALITY FEATURES COMPARISON

The comparison of the security and functionality features of the proposed scheme, Chuang-Lee's scheme [7] and Sanchez-Garcia et al.'s scheme [18] is provided in Table 2. Chuang-Lee's scheme [7] is not resistant to impersonation attacks, the stolen OBU attack, the privileged insider attack and the offline password guessing attack. In addition, it does not preserve the anonymity and untraceability properties or mutual authentication, and it also lacks a dynamic RSU addition phase. Sanchez-Garcia et al.'s scheme [18] is not resistant to the stolen OBU attack. Furthermore, it does not preserve the anonymity and untraceability properties. In addition, it does not support a dynamic RSU addition phase. In both Chuang-Lee's scheme and Sanchez-Garcia et al.'s scheme, the OBUs are tamper-proof devices, whereas in our scheme the OBUs are non-tamper-proof devices. We have also provided a formal security analysis using the random oracle model to prove the security of our scheme, whereas the other two existing schemes do not have a formal security analysis.

TABLE 3. Communication overhead: A comparative analysis.

TABLE 4. Computation overhead: A comparative analysis.

B. COMMUNICATION OVERHEAD COMPARISON

The communication costs of the existing schemes and our scheme are compared in Table 3. We have assumed that a pseudo identity is 160 bits (as it is derived using a hash function), a random nonce is 128 bits, a timestamp is 32 bits, and a hash digest is 160 bits (if we use SHA-1 as the hash function [38], [39]). Note that for more security, one can also use SHA-256 as the hash function [39]. By considering these values, the communication costs for our scheme, Chuang-Lee's scheme [7] and Sanchez-Garcia et al.'s scheme [18] become 896 bits, 1440 bits, and 6722 bits, respectively. In the authentication and key establishment phase of our scheme, the messages $Msg_1 = \langle M_1, M_2, T_1 \rangle$, $Msg_2 = \langle M_4, M_5, T_2 \rangle$ and $Msg_3 = \langle M_7, T_3 \rangle$ need (160 + 160 + 32) = 352 bits, (160 + 160 + 32) = 352 bits and (160 + 32) = 192 bits, respectively. As a result, the total communication cost of the proposed scheme for the V2V, V2CH or CH2RSU authentication phase turns out to be (352 + 352 + 192) = 896 bits. In Sanchez-Garcia et al.'s scheme, we have considered the 1024-bit RSA cryptosystem, where each encryption/decryption block size is 1024 bits. Our scheme is efficient as it incurs less communication cost compared to the other schemes.

C. COMPUTATION OVERHEAD COMPARISON

In Table 4, the notations $T_E/T_D$ and $T_H$ denote the computational time for an encryption/decryption using a public key cryptographic technique (such as the RSA algorithm) and for a cryptographic one-way hash function $h(\cdot)$, respectively. Since the computation time taken by a bitwise XOR operation is negligible, we have omitted it from the performance evaluation.

The existing experimental values of the various operations provided in [40] and [41] are considered for $T_E/T_D$ and $T_H$, which are 0.0192s and 0.00032s, respectively. Note that $T_E/T_D$ is assumed to be equal to the time taken for a modular exponentiation operation, and therefore it is taken as 0.0192s. The computation costs of our scheme and the existing schemes are compared in Table 4. The total computation cost for our scheme is $24T_H \approx 7.68$ms, which is less than that of Sanchez-Garcia et al.'s scheme. Though the computation cost of our scheme is a little more than that of Chuang-Lee's scheme, our scheme is more secure than that scheme, and it also provides extra functionality features compared to Chuang-Lee's scheme, as shown in Table 2.

TABLE 5. Simulation parameters.

VI. PRACTICAL PERSPECTIVE: NS2 SIMULATION STUDY

In this section, the practical perspective of the proposed scheme, Chuang-Lee's scheme [7] and Sanchez-Garcia et al.'s scheme [18] is discussed through the NS2 simulation.

A. SIMULATION PARAMETERS

The proposed scheme and the other related schemes [7], [18] are simulated on the Ubuntu 14.04 LTS platform using the NS2 2.35 simulator [42]. The values of the various network parameters used in the simulations are listed in Table 5. The simulation time is 1800 seconds (30 minutes). $V_i$, dVeh, $CH_j$, $LE_j$ and aVehs represent the $i$th vehicle, the $i$th driving vehicle, the $j$th cluster head, the $j$th law executor and the authority vehicle in the existing schemes [7], [18]. We have taken three different mobility speeds, i.e., 20, 40 and 60 kilometers per hour (kmph), for $CH_j$/$LE_j$/aVeh/$V_i$/dVeh. Moreover, we have taken five RSUs for all scenarios wherever applicable.

FIGURE 6. Comparison of throughputs among different schemes.

B. SIMULATION ENVIRONMENTS

We have three different network simulation scenarios. In each scenario, we have three authentication and key agreement messages.

• Scenario 1. It consists of five $CH_j$/$LE_j$/aVehs and 45 $V_i$/dVehs.
• Scenario 2. It consists of five $CH_j$/$LE_j$/aVehs and 70 $V_i$/dVehs.
• Scenario 3. It consists of five $CH_j$/$LE_j$/aVehs and 95 $V_i$/dVehs.

The messages exchanged between the entities and their communication costs in bits for the various schemes, provided in Table 6, are used in the simulation study.

C. DISCUSSION ON SIMULATION RESULTS

Various network performance parameters, such as throughput (in bps), end-to-end delay (in seconds) and packet delivery ratio, are computed during the simulation and are discussed in detail below.

1) IMPACT ON THROUGHPUT

Throughput is calculated as the number of bits transmitted per unit time. The throughput (in bps) of the proposed scheme under the three scenarios is shown in Figure 6. The throughput can be computed as $(n_r \times n_{pkt})/T_d$, where $T_d$ is the total time (in seconds), $n_{pkt}$ the size of a packet, and $n_r$ the total number of received packets. Note that we have considered the simulation time of 1800 seconds as the total time. In our scheme, scenarios 1, 2 and 3 have throughput values of 35.18 bps, 50.58 bps and 65.10 bps, respectively. The throughput values increase with the number of vehicles because more vehicles interact with each other and with the cluster heads, and as a result the number of exchanged messages is higher from scenario 1 to 2, and also from scenario 2 to 3. Moreover, we have compared the throughput of our scheme with that of the schemes of Chuang-Lee [7] and Sanchez-Garcia et al. [18]. The throughput of our scheme is less than that of the schemes of Chuang-Lee [7] and Sanchez-Garcia et al. [18]. This is because our scheme is efficient and needs less communication cost due to the small-sized messages used for authentication, as compared to the other schemes (see Table 6).



TABLE 6. Exchanged messages between entities in simulation.

2) IMPACT ON END-TO-END DELAY

FIGURE 7. Comparison of end-to-end delays among different schemes.

The end-to-end delay (EED) is derived as the average time taken by data packets to arrive at a destination from a source. Figure 7 shows the EED of our scheme under scenarios 1, 2 and 3. Mathematically, EED can be expressed as $\sum_{i=1}^{n_p} (T_{rec_i} - T_{send_i})/n_p$, where $T_{rec_i}$ and $T_{send_i}$ are the receiving and sending times of packet $i$, respectively, and $n_p$ is the total number of packets. In the proposed scheme, the EEDs are 0.09451s, 0.22400s and 0.43083s for the network scenarios 1, 2 and 3, respectively. Note that the value of EED increases with the increasing number of vehicles. This happens because the increase in the number of vehicles causes more messages to be exchanged, which further incurs congestion, and thus the EED increases from scenario 2 to scenario 3. We have also compared the EED values of our scheme with those of the schemes of Chuang-Lee and Sanchez-Garcia et al. The EED of our scheme is comparable with that of the schemes of Chuang-Lee and Sanchez-Garcia et al.

3) IMPACT ON PACKET DELIVERY RATIO

FIGURE 8. Comparison of packet delivery ratios among different schemes.

The packet delivery ratio (PDR) is the ratio of total packets sent to total packets received. The PDR of our scheme under scenarios 1, 2 and 3 is shown in Figure 8. The PDRs of our scheme are 0.93, 0.89 and 0.86 for scenarios 1, 2 and 3, respectively. Note that the PDR decreases with the increasing number of vehicles from scenario 1 to scenario 2, and also from scenario 2 to scenario 3. This is because with more vehicles, more messages are exchanged, which causes congestion in the network. In addition, we have compared the PDR of our scheme with that of the schemes of Chuang-Lee and Sanchez-Garcia et al. The PDR of our scheme is also comparable with that of the existing schemes.

VII. CONCLUSION

We have presented a new lightweight authentication and key agreement protocol for VANETs. The proposed scheme is efficient as it uses only one-way hash functions and bitwise XOR operations. The security analysis of the proposed scheme shows that it is secure against various known attacks, and that it also provides additional functionality features, such as an efficient dynamic RSU addition phase, mutual authentication, the anonymity property for vehicles (cluster heads) and RSUs, and the untraceability property. The performance analysis of the proposed scheme shows that it is lightweight and incurs low computation and communication costs. A practical demonstration has also been carried out using the ns2 simulation for various network parameters. Therefore, the proposed scheme is suitable for deployment in next-generation VANET-based applications such as intelligent transportation, e-healthcare and smart ecosystems.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers and the Associate Editor for providing constructive and generous feedback.

REFERENCES

[1] S. Jiang, X. Zhu, and L. Wang, ''An efficient anonymous batch authentication scheme based on HMAC for VANETs,'' IEEE Trans. Intell. Transp. Syst., vol. 17, no. 8, pp. 2193–2204, Aug. 2016.
[2] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. S. Shen, ''An efficient identity-based batch verification scheme for vehicular sensor networks,'' in Proc. 27th IEEE Int. Conf. Comput. Commun. (INFOCOM), Phoenix, AZ, USA, Apr. 2008, pp. 246–250.
[3] R. Daher and A. Vinel, Roadside Networks for Vehicular Communications: Architectures, Applications, and Test Fields, 1st ed. Hershey, PA, USA: IGI Global, 2012.
[4] C. Englund, L. Chen, A. Vinel, and S. Y. Lin, Future Applications of VANETs. Cham, Switzerland: Springer, 2015.


[5] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, ''Security in wireless ad-hoc networks: A survey,'' Comput. Commun., vol. 51, pp. 1–20, Sep. 2014.
[6] Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su, ''An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications,'' IEEE Trans. Veh. Technol., vol. 59, no. 7, pp. 3589–3603, Sep. 2010.
[7] M. C. Chuang and J. F. Lee, ''TEAM: Trust-extended authentication mechanism for vehicular ad hoc networks,'' IEEE Syst. J., vol. 8, no. 3, pp. 749–758, Sep. 2014.
[8] S. Kumari, M. Karuppiah, X. Li, F. Wu, A. K. Das, and V. Odelu, ''An enhanced and secure trust-extended authentication mechanism for vehicular ad-hoc networks,'' Secur. Commun. Netw., vol. 9, no. 17, pp. 4255–4271, 2016.
[9] H. Lu and J. Li, ''Privacy-preserving authentication schemes for vehicular ad hoc networks: A survey,'' Wireless Commun. Mobile Comput., vol. 16, no. 6, pp. 643–655, 2016.
[10] A. Wasef and X. Shen, ''MAAC: Message authentication acceleration protocol for vehicular ad hoc networks,'' in Proc. IEEE Global Telecommun. Conf. (GLOBECOM), Honolulu, HI, USA, Nov./Dec. 2009, pp. 1–6.
[11] Z. Kim, J. Yim, J. Kim, K. Kim, and T. Sohn, ''Traceable anonymous authentication scheme for vehicular ad-hoc networks,'' in Proc. IEEE 9th Int. Symp. Parallel Distrib. Process. Appl. Workshops (ISPAW), Busan, South Korea, May 2011, pp. 250–255.
[12] A. Wasef and X. Shen, ''EMAP: Expedite message authentication protocol for vehicular ad hoc networks,'' IEEE Trans. Mobile Comput., vol. 12, no. 1, pp. 78–89, Jan. 2013.
[13] X. Lin and X. Li, ''Achieving efficient cooperative message authentication in vehicular ad hoc networks,'' IEEE Trans. Veh. Technol., vol. 62, no. 7, pp. 3339–3348, Sep. 2013.
[14] Y. Liu, L. Wang, and H. Chen, ''Message authentication using proxy vehicles in vehicular ad hoc networks,'' IEEE Trans. Veh. Technol., vol. 64, no. 8, pp. 3697–3710, Aug. 2015.
[15] F. Wang, Y. Xu, H. Zhang, Y. Zhang, and L. Zhu, ''2FLIP: A two-factor lightweight privacy-preserving authentication scheme for VANET,'' IEEE Trans. Veh. Technol., vol. 65, no. 2, pp. 896–911, Feb. 2016.
[16] J. Shao, X. Lin, R. Lu, and C. Zuo, ''A threshold anonymous authentication protocol for VANETs,'' IEEE Trans. Veh. Technol., vol. 65, no. 3, pp. 1711–1720, Mar. 2016.
[17] Z. Zhao, J. Chen, Y. Zhang, and L. Dang, ''An efficient revocable group signature scheme in vehicular ad hoc networks,'' KSII Trans. Internet Inf. Syst., vol. 9, no. 10, pp. 4250–4267, 2015.
[18] J. Sánchez-García, J. M. García-Campos, D. G. Reina, S. L. Toral, and F. Barrero, ''On-siteDriverID: A secure authentication scheme based on Spanish eID cards for vehicular ad hoc networks,'' Future Generat. Comput. Syst., vol. 64, pp. 50–60, Nov. 2016.
[19] R. Sugumar, A. Rengarajan, and C. Jayakumar, ''Trust based authentication technique for cluster based vehicular ad hoc networks (VANET),'' Wireless Netw., pp. 1–10, 2016.
[20] X. Zhu, S. Jiang, L. Wang, and H. Li, ''Efficient privacy-preserving authentication for vehicular ad hoc networks,'' IEEE Trans. Veh. Technol., vol. 63, no. 2, pp. 907–919, Feb. 2014.
[21] J. Li, H. Lu, and M. Guizani, ''ACPN: A novel authentication framework with conditional privacy-preservation and non-repudiation for VANETs,'' IEEE Trans. Parallel Distrib. Syst., vol. 26, no. 4, pp. 938–948, Apr. 2015.
[22] M. Abdalla, P. Fouque, and D. Pointcheval, ''Password-based authenticated key exchange in the three-party setting,'' in Proc. 8th Int. Workshop Theory Pract. Public Key Cryptogr. (PKC), vol. 3386, 2005, pp. 65–84.
[23] D. He, S. Zeadally, B. Xu, and X. Huang, ''An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks,'' IEEE Trans. Inf. Forensics Security, vol. 10, no. 12, pp. 2681–2691, Dec. 2015.
[24] D. Dolev and A. C. Yao, ''On the security of public key protocols,'' IEEE Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983.
[25] M. L. Das, ''Two-factor user authentication in wireless sensor networks,'' IEEE Trans. Wireless Commun., vol. 8, no. 3, pp. 1086–1090, Mar. 2009.
[26] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, ''Examining smart-card security under the threat of power anal
ysis attacks,'' IEEE Trans. Comput., vol. 51, no. 5, pp. 541–552, May 2002.
[27] P. Kocher, J. Jaffe, and B. Jun, ''Differential power analysis,'' in Proc. 19th Annu. Int. Cryptol. Conf. (CRYPTO), vol. 1666, Santa Barbara, CA, USA, 1999, pp. 388–397.

[28] R. S. Bali and N. Kumar, ''Secure clustering for efficient data dissemination in vehicular cyber-physical systems,'' Future Generat. Comput. Syst., vol. 56, pp. 476–492, Mar. 2016.
[29] Y. Chen, M. Fang, S. Shi, W. Guo, and X. Zheng, ''Distributed multi-hop clustering algorithm for VANETs based on neighborhood follow,'' EURASIP J. Wireless Commun. Netw., vol. 2015, no. 1, pp. 1–12, 2015.
[30] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, ''Perfectly-secure key distribution for dynamic conferences,'' in Proc. 12th Annu. Int. Cryptol. Conf. (CRYPTO), vol. 740, Santa Barbara, CA, USA, 1993, pp. 471–486.
[31] F. B. Hildebrand, Introduction to Numerical Analysis, 2nd ed. New York, NY, USA: Dover, 1974.
[32] H. Wang and Y. Zhang, ''Cryptanalysis of an efficient threshold self-healing key distribution scheme,'' IEEE Trans. Wireless Commun., vol. 10, no. 1, pp. 1–4, Jan. 2011.
[33] D. Liu, P. Ning, and R. Li, ''Establishing pairwise keys in distributed sensor networks,'' ACM Trans. Inf. Syst. Secur., vol. 8, no. 1, pp. 41–77, 2005.
[34] A. K. Das and I. Sengupta, ''An effective group-based key establishment scheme for large-scale wireless sensor networks using bivariate polynomials,'' in Proc. 3rd IEEE Int. Conf. Commun. Syst. Softw. Middleware Workshops (COMSWARE), Bangalore, India, Jan. 2008, pp. 9–16.
[35] C.-C. Chang and H.-D. Le, ''A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks,'' IEEE Trans. Wireless Commun., vol. 15, no. 1, pp. 357–366, Jan. 2016.
[36] A. K. Das, S. Kumari, V. Odelu, X. Li, F. Wu, and X. Huang, ''Provably secure user authentication and key agreement scheme for wireless sensor networks,'' Secur. Commun. Netw., vol. 9, no. 16, pp. 3670–3687, 2016, doi: 10.1002/sec.1573.
[37] S. Chatterjee, S. Roy, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, ''Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment,'' IEEE Trans. Depend. Sec. Comput., to be published, doi: 10.1109/TDSC.2016.2616876.
[38] ''Secure hash standard,'' Nat. Inst. Standards Technol., U.S. Dept. Commerce, Washington, DC, USA, Tech. Rep. NIST FIPS 180-1, 1995.
[39] National Institute of Standards and Technology (NIST), U.S. Department of Commerce. (Apr. 1995). Secure Hash Standard, FIPS PUB 180-1, accessed on Sep. 2015. [Online]. Available: http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[40] D. He, N. Kumar, J. H. Lee, and R. S. Sherratt, ''Enhanced three-factor security protocol for consumer USB mass storage devices,'' IEEE Trans. Consum. Electron., vol. 60, no. 1, pp. 30–37, Feb. 2014.
[41] C.-C. Lee, C. T. Chen, P.-H. Wu, and T.-Y. Chen, ''Three-factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices,'' IET Comput. Digit. Techn., vol. 7, no. 1, pp. 48–55, 2013.
[42] The Network Simulator-ns-2, accessed on Apr. 2016. [Online]. Available: http://www.isi.edu/nsnam/ns/

MOHAMMAD WAZID (S’17) received the M.Tech. degree in computer network engineering from Graphic Era University, Dehradun, India, and the Ph.D. degree in computer science and engineering from the International Institute of Information Technology, Hyderabad, India. He has authored over 40 papers in international journals and conferences in his research areas. His current research interests include cryptography and security in wireless sensor networks, vehicular ad hoc networks, the Internet of Things, and cloud computing. He is a member of various organizations, such as the IEEE, the IEEE Engineering in Medicine and Biology Society, the IEEE Communications Society, the IEEE Cloud Computing Community, and the European Alliance for Innovation. He was a recipient of the University Gold Medal and the Young Scientist Award by UCOST, Department of Science and Technology, Government of Uttarakhand, India.


ASHOK KUMAR DAS (M’17) received the M.Sc. degree in mathematics, the M.Tech. degree in computer science and data processing, and the Ph.D. degree in computer science and engineering from IIT Kharagpur, Kharagpur, India. He is currently an Assistant Professor with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India. He has authored over 140 papers in international journals and conferences in his research areas. His current research interests include cryptography, wireless sensor network security, hierarchical access control, data mining, security in vehicular ad hoc networks, smart grid, Internet of Things (IoT) and cloud computing, and remote user authentication. He was a recipient of the Institute Silver Medal from IIT Kharagpur. He is on the Editorial Board of the KSII Transactions on Internet and Information Systems and the International Journal of Internet Technology and Secured Transactions (Inderscience), a Guest Editor of Computers & Electrical Engineering (Elsevier) for the special issue on Big Data and Internet of Things in e-healthcare, and has served as a Program Committee Member in many international conferences.

NEERAJ KUMAR (M’16) received the Ph.D. degree in computer science and engineering from Shri Mata Vaishno Devi University, Katra (J&K), India, in 2009. He was a Post-Doctoral Research Fellow with Coventry University, Coventry, U.K. He is currently an Associate Professor with the Department of Computer Science and Engineering, Thapar University, Patiala, India. He has authored over 160 technical research papers published in leading journals and conferences from the IEEE, Elsevier, Springer, and John Wiley. Some of his research findings are published in top-cited journals, such as the IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, the IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, the IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, the IEEE TRANSACTIONS ON CONSUMER ELECTRONICS, the IEEE NETWORK, the IEEE COMMUNICATIONS, the IEEE WIRELESS COMMUNICATIONS, the IEEE INTERNET OF THINGS Journal, the IEEE SYSTEMS JOURNAL, Future Generation Computer Systems, Journal of Network and Computer Applications, and Computer Communications. He has guided many research scholars leading to Ph.D. and M.E./M.Tech. degrees. His research is supported by funding from TCS and UGC.


VANGA ODELU received the M.Tech. and Ph.D. degrees in computer science and data processing from IIT Kharagpur, Kharagpur, India. He is currently an Assistant Professor with the Department of Computer Science and Engineering, Indian Institute of Information Technology, Sri City, India. His research interests include cryptography, network security, hierarchical access control, remote user authentication, security in smart grid, and cloud computing. He has authored 40 papers in international journals and conferences in the above areas. He is a member of the ACM.

ALAVALAPATI GOUTHAM REDDY (S’15) received the M.Tech. degree in computer science and engineering from Christ University, India, in 2013, and the Ph.D. degree in information security from Kyungpook National University, South Korea, in 2017. He is currently a Post-Doctoral Fellow with the KINDI Laboratory, Qatar University, Qatar. He has several publications on cryptographic authentication protocols. His primary research interests revolve around cryptography and information security. He is a Student Member of the ACM.

KISUNG PARK received the B.S. and M.S. degrees in electronics engineering from Kyungpook National University, Daegu, South Korea, in 2015 and 2017, respectively, where he is currently pursuing the Ph.D. degree with the School of Electronics Engineering. His research interests include authentication, computer networks, Internet of Things, VANET, and information security.

YOUNGHO PARK (M’17) received the B.S., M.S., and Ph.D. degrees in electronic engineering from Kyungpook National University, Daegu, South Korea, in 1989, 1991, and 1995, respectively. From 1996 to 2008, he was a Professor with the School of Electronics and Electrical Engineering, Sangju National University, South Korea. From 2003 to 2004, he was a Visiting Scholar with the School of Electrical Engineering and Computer Science, Oregon State University, USA. He is currently a Professor with the School of Electronics Engineering, Kyungpook National University. His research interests include information security and computer networks.

VOLUME 5, 2017