A Provably Secure and Lightweight Identity-Based Two-Party Authenticated Key Agreement Protocol for Vehicular Ad Hoc Networks

Li, Quanrun; Hsu, Ching-Fang; Raymond Choo, Kim-Kwang; He, Debiao

doi:https://doi.org/10.1155/2019/7871067

Security and Communication Networks

On this page

Abstract Introduction Related Work Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 7871067 | https://doi.org/10.1155/2019/7871067

A Provably Secure and Lightweight Identity-Based Two-Party Authenticated Key Agreement Protocol for Vehicular Ad Hoc Networks

Quanrun Li,^1,2Ching-Fang Hsu ,^1,3Kim-Kwang Raymond Choo,⁴and Debiao He^3,5

Academic Editor: Bela Genge

Received25 Jan 2019

Accepted12 Sept 2019

Published04 Dec 2019

Abstract

As an important part of smart cities, vehicle ad hoc networks (VANETs) have attracted much attention from both industry and academia. In a VANET, generating a secure session key to facilitate subsequent data-in-transit transfer between two or more vehicles is crucial, which can be achieved by using an authenticated key agreement protocol. However, most of the existing identity-based two-party authenticated key agreement protocols have significant computational requirements or are known to be insecure. Thus, in this paper, a secure and efficient identity-based two-party authenticated key agreement protocol is presented by us. This protocol does not involve complex bilinear pairing computations and can generate a valid session key in two rounds. The security of the proposed protocol is proved in the eCK model which has better capability to describe a protocol’s security than the famous CK model, and it has been widely used in the security proof of ID-based key agreement protocols currently. Additionally, we also evaluate its performance for potential utility in a VANET.

1. Introduction

As smart cities become a reality, vehicle ad hoc networks (VANETs) will become increasingly crucial. Therefore, data communications in a VANET are no longer restricted to a small number of vehicles, as such communications can occur among a wide range of vehicles (including driverless vehicles and unmanned aerial vehicles), roadside units (e.g., smart traffic lights), and other supporting infrastructure (e.g., IP-based CCTV). This allows the collection of traffic and other environmental information that can be analyzed to facilitate a smooth city operation. For example, information gathered from hurricane sensors and traffic monitoring devices can help to alert nearby vehicles to avoid a certain route.

In general, a typical VANET setup comprises a trusted authority, some roadside infrastructures and some smart vehicles. VANETs can provide connectivity among vehicles and other Internet-connected entities and devices (e.g., via other local networks or the Internet). For instance, it can realize efficient vehicle-to-vehicle communications in the Internet Transportation System (ITS) [1], and so on.

Two kinds of communication modes are included in a typical VANET (see also Figure 1), namely, vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. Since the increasing devices and electronic products around us are digitalized and Internet-connected, vehicle to everything(V2X) security has been an essential security attribute in our daily life [2].

In VANETs, communication channels between vehicles and nearby roadside infrastructures are usually established using dedicated short-range communication (DSRC) protocols [3]. By using these channels, a vehicle can transmit messages, such as traffic information or conditions, to nearby vehicles and roadside infrastructures at a uniform time period. Such information can be used by drivers to plan, revise, and optimize their routes. Depending on a city’s connectivity level, local traffic control center (a trusted authority) may be able to reroute traffic, make certain adjustments to improve the traffic flow, and hence reduce traffic build up.

As more vehicles and devices join the network, there are operational challenges, for example, to deal with latency (e.g., communication delay) and minimize computational costs. It is known that computing capability of smart vehicles and roadside units usually is limited in comparison to other computationally powerful devices such as a dedicated laptop or server. In time-critical application such as VANETs within a smart city, a large volume of traffic and other related information may need to be handled in time for making accurate traffic decision and timely instructions. In addition, messages exchanged between the different entities (e.g., vehicles and/or devices) in the VANETs can be sensitive and private. Hence, security and privacy are both two key properties. However, due to the open nature of VANETs, an adversary can easily obtain sensitive user messages through various attacks such as replay, masquerading, impersonation, and password guessing. The leakage of such messages may have real-world consequences, such as facilitating the planning and execution of a kidnapping or assassination attempt.

Therefore, one fundamental design feature is to build a fast and secure communication channel between the different entities in a VANET, such as using two-party authenticated key agreement (2PAKA) protocols or group authenticated key agreement protocols. Specifically, in VANETs, a reliable 2PAKA protocol can help two communication entities to realize mutual authentication and get a valid session key. Unsurprisingly, a large number of 2PAKA protocols have been proposed to facilitate secure message exchange in VANETs. Simultaneously, such protocols are broadly divided into public key infrastructure (PKI)-based 2PAKA protocols, identity (ID)-based 2PAKA protocols, and certificateless 2PAKA protocols (i.e., based on how public keys are generated in these protocols). One limitation associated with PKI-based protocols is the surprising cost incurred in maintaining, issuing, and authenticating a large number of certificates. To mitigate such a limitation, we could use 2PAKA protocol based on identity-based cryptography (IBC) [4–11]. While ID-based 2PAKA protocols, such as those presented in [5–7], could overcome certain shortcomings associated with PKI-based 2PAKA protocols, bilinear pairing used in these protocols makes them unrealistic for deployment on lightweight devices. Hence, to overcome inefficiency caused by bilinear pairing, Zhu et al. [12] presented an ID-based 2PAKA protocol including no pairings in 2007. Nevertheless, the protocol suffers from limitations, such as the requirement for significant bandwidth. In recent times, we can find that a large number of similar protocols have been designed in the literature. However, most of these protocols provide no security proof, use a weak model to prove safety, take more than two communication rounds, or are found to be insecure. Based on gap Diffie–Hellman assumption, for example, Dang et al. [13] designed a two-round ID-based 2PAKA protocol in 2018, which has security proof in the eCK model. However, we reveal in this paper that their protocol could suffer from the man-in-the-middle attack, contrary to their claim. In our paper, we will build on their work and introduce a two-round ID-based 2PAKA protocol. We demonstrate that our protocol requires less computation and communication costs, in comparison to the protocol of Dang et al. [13].

The key properties of our proposed protocol are summarized as below:(1)Mutual authentication of the two parties and negotiation of the session key can be realized by our ID-based two-party AKA protocol.(2)We show our protocol can get strong security in the eCK model, unlike most other existing protocols.(3)The proposed protocol is two-round and pairing-free. Hence, it is more superior to other competing protocols in terms of performance.

The rest of this paper is organized as follows. Some related works on ID-based 2PAKA protocol and background materials (i.e., mathematical assumptions and security attributes relating to ID-based AKA protocols) are introduced in Sections 2 and 3, respectively. Our new ID-based 2PAKA protocol is shown in Section 4. In Sections 5 and 6, we demonstrate the security of the protocol in the eCK model and give out the corresponding performance analysis. A comparative summary of the performance between the proposed protocol and the ID-based 2PAKA protocols of [13, 14] is also presented in Section 6. In the end, the last section shows our paper’s conclusion.

This section mainly shows some related works on the ID-based two-party AKA protocols. At first, we divide these protocols into two types: ID-based 2PAKA protocols with pairings and ID-based 2PAKA protocols without bilinear functions [15, 16]. Next, we respectively review the related works about the two different types of protocols:

2.1. ID-Based 2PAKA Protocols with Pairings

The first key agreement protocol employing pairings was presented by Joux [17] in 2000. Then Boneh and Franklin used bilinear pairing to construct the first ID-based encryption scheme in 2001 [18]. After Boneh and Franklin’s work, a lot of ID-based authenticated key agreement protocols with pairings have been presented. According to this ID-based encryption scheme, the first ID-based 2PAKA protocol with pairings was presented by Smart [4]. Unfortunately, Shim [19] found that the protocol presented by Smart [4] had some security flaws and constructed another one ID-based 2PAKA protocol with stronger security, which had lesser quantity of bilinear pairings. In Shim’s protocol [19], only one Weil pairing and scalar multiplication were used in the computation of session key. Meanwhile, Shim declared that his protocol could resist the general attacks. However, the protocol of Shim [20] was shown that it suffers from man-in-the-middle attack in the paper of Hsieh [19].

2.2. ID-Based 2PAKA Protocols without Bilinear Pairing Operations

To eliminate efficiency flaw in ID-based 2PAKA protocols with pairings, all kinds of ID-based 2PAKA protocols using no bilinear functions have been presented in the last decade. In 2007, the first ID-based 2PAKA protocol using no bilinear operations was presented by Zhu et al. [12] based on an ID-based signature scheme. Nevertheless, their protocol was still inefficient and needed three message exchanges. To reduce communication traffic, Fiore and Gennaro [21] used exponentiation operation to make an ID-based 2PAKA protocol in 2010. Besides, this protocol’s security was proved by them in the CK model. But this weak security model could not describe the ability of real adversary well. In the same year, Cao et al. [22] proposed a new ID-based 2PAKA protocol employing no pairings to reduce message exchange. Unfortunately, Cao et al.’s protocol was vulnerable to ephemeral key revealed attack. After Cao et al.’s work, lots of ID-based 2PAKA protocols using no bilinear functions were proposed, but these protocols still could not deal with the efficiency problem and security issue effectively.

But because ID-based 2PAKA protocol without pairings can fit real-time application environment such as VANETs perfectly, cryptologists still put a lot of effort into improving these protocols’ performance and security. Until recently, some responding protocols with better properties have been presented. In 2015, Sun et al. [23] presented an improved 2PAKA protocol based on the identity with security proof in the eCK security model. But disadvantages were that this protocol used six scalar multiplications on elliptic curve and security proof was incomplete because only passive adversary was taken into consideration in the security model. After the Sun et al.’s work, Ni et al. [24] designed other new ID-based 2PAKA protocol that only needed five scalar multiplications in 2016. In addition, it was proved secure in the eCK security model completely. Although this protocol was far more efficient than previously proposed protocols, the communication traffic was still very large. Then, in 2017, an ID-based 2PAKA protocol including no pairings based on the BAN logic model was constructed by Islam and Biswas [25]. Sadly, their protocol was unsafe.

3. Preliminaries

In this section, we show several difficult mathematical problems and indispensable security attributes in the ID-based AKA protocol.

3.1. Mathematical Assumptions

The following difficult mathematical problems are some basic tools used to analyze the security of AKA protocol.

We assume that q is the order for a finite cyclic additive group , where q is a big prime number. Meanwhile, has a generator P.

3.1.1. Elliptic Curve Discrete Logarithm (ECDL) Problem

Given two elements , it is hard to calculate a value such that for any adversary in probability polynomial time.

3.1.2. Gap Diffie–Hellman (GDH) Problem

Given three points () and a DDH oracle, for any probability polynomial time algorithm, the advantage of making the calculation of can be ignored, where are unknown.

3.1.3. Decisional Diffie–Hellman (DDH) Problem

For unknown , if an adversary is given , it is still difficult to determine whether or not.

3.1.4. Computational Diffie–Hellman (CDH) Problem

The numbers are unknown. Knowing three points , it is also impossible to compute by any PTT algorithm.

3.2. Essential Security Attributes

If an AKA protocol is safe and reliable, it must have some essential security attributes, because these security attributes show that the proposed protocol is capable of resisting corresponding attacks. So security attribute is an important index to measure quality of a protocol. The following security attributes are some basic conditions that a secure ID-based 2PAKA protocol needs to meet [26–28].

3.2.1. Known-Key Security (K-SKS)

Even though the adversary has known a protocol’s all previous session keys, this protocol can still keep the current session key secure.

3.2.2. Forward Secrecy (FS)

The leakage of users’ long-term private keys has no impact on the security of preceding session keys. Generally, forward secrecy mainly includes the following two different categories:(1)Partial forward secrecy. Even though the adversary has known some users’ long-term secret keys, session keys made in preceding sessions still can keep safe.(2)Perfect forward secrecy. For any probability polynomial time adversary, learning all long-term secrets has little help to make session keys known.

3.2.3. Key Compromise Impersonation (KCI) Resistance

Even though an adversary knows entity A’s long-term private key, he still cannot masquerade as any other user to A.

3.2.4. Unknown Key Share (UKS) Resistance

An adversary makes a group of users believe that they are sharing a secret with him. Actually, this secret should be shared by them and another user (e.g., B holds the viewpoint that a session key is established by itself and an adversary E. In fact, this key is generated by A and B together).

3.2.5. No Key Control (NKC)

No entity can enforce a session key to be preselected or predetermined.

3.2.6. Basic Impersonation (BI) Resistance

If a party A’s long-term secret key is leaked to an adversary, he can make full use of this key to disguise himself as A.

3.2.7. Ephemeral Key Reveal (EKR) Resistance

Even if an adversary acquires the ephemeral private keys of all participants in a session, the session key is kept private as before.

4. Our Presented Protocol

We describe our ID-based two-round 2PAKA protocol without bilinear pairings in this section. There are three main algorithms included in this protocol , namely, setup algorithm, key generation algorithm, and key agreement algorithm. In our protocol, it is worth noting that the trusted authority plays the role of KGC.

4.1. Setup Phase

At this stage, all vital system parameters are generated by the trusted authority performing this setup algorithm with security parameter . The specific implementation steps are as follows:(1)Chooses one additive group with a generator P. Meanwhile, p is a prime order of (2)Selects randomly a number as KGC’s private key, and then calculates as its public key(3)Picks three high-efficiency hash functions, where , , and (4)Makes public information and preserves the confidentiality of key s

4.2. Extract Key Phase

Here, we always suppose every vehicle has its own . The trusted authority (acts as KGC) uses the Schnorr signature algorithm to compute these vehicles’ long-term private keys. Besides, the trusted authority distributes these key pairs to the corresponding vehicles. The trusted authority does as below:(1)Picks randomly a number for each vehicle, and then does calculations about and .(2)Calculates and a vehicle’s long-term secret key actually is ().(3)The corresponding vehicle could receive this pair () sent by using a secure channel. Then, the vehicle can check the validity of its long-term private key after receiving the pair because they can verify whether the equation is satisfied or not. If it passes, the vehicle sets as its long-term public key.

4.3. Key Agreement Phase

After the extract key phase, two vehicles A and B have their own key pair () and relevant . Now, A and B want to establish a session key through mutual communication, which is used to keep latter data secure. Our new protocol is displayed in Figure 2.(1)Firstly, the ephemeral private key of vehicle A is randomly chosen, and its ephemeral public key is set as . Then, A sends to vehicle B:(2)Meanwhile, a random value is selected as vehicle B’s ephemeral private key, similarly. Then, B also computes as the ephemeral public key. B transmits to A:(3)After receiving messages from B, A can calculate and . So, A can compute the session key .(4)In the same way, when B gets data that A sends, vehicle B can compute and . B can also calculate the session key .

Correctness. The correctness of our protocol is shown as below:

5. Security Analysis

In the following content, the security of our protocol is displayed in detail. Firstly, it is necessary to give out the eCK security model that we use in our protocol. After that, we give the security proof and some security attributes of our protocol in detail.

5.1. Protocol Participants

There is a set that is composed of all protocol participants. Every party in set has a unique and corresponding private and public key pair (). Besides, is relative with its and always is generated by the trusted authority (acts as KGC). In security proof, the ability of each participant is usually described by a probability polynomial time (PPT) algorithm. We consider that a polynomial number of sessions are the maximum value that every participant can take part in at the same time. Furthermore, the sth session of party is denoted as that is established by party and party . If A finally gets a valid session key by communicating with B, we think participant A completes the session .

5.2. eCK Model

Without loss of generality, an adversary C always is deemed as a PPT algorithm in the security model. Moreover, C is considered to have the ability to control the whole communication network. It means messages may be arbitrarily replayed, eavesdropped, modified, suspended, and injected by the adversary. The ability of an adversary C always is described through a series of queries. Here, we only give out the simple information about the eCK model, and more details can be found in the literature of Huang and Cao [29].(i)EphemeraKeyReveal(). Adversary C can get the ephemeral private key of protocol participant in session .(ii)SessionKeyReveal(). If session is completed, adversary C can obtain the session key. Otherwise, a null value will be returned to C.(iii)StaticKeyReveal(). Adversary C could obtain ’s long-term private key sent by this query. But C cannot control completely.(iv)PKGstaticKeyReveal. The adversary can know PKG’s master private key by this query. This query usually simulates PKG-FS.(v)EstablishParty(). After requesting this query, a legitimate user can be registered. But the adversary can acquire ’s private key. In addition, party is considered to be dishonest.(vi)Send(). A message is transmitted to by adversary C. After receiving this message, responds to the message according to the protocol regulation. If is null, this session will initiate a session as an initiator. Otherwise, it will be a responder.(vii)Test(). This query usually takes place during the experiment. The adversary C can make this query to a finished fresh session only once. The session picks a random value when getting a test query from the adversary C. If , this session returns session key to C. Otherwise, a random number that is indistinguishable from the session key will be given to adversary C.

Definition 1 (matching session). If the sessions and have the same session identifier , they will be each other’s matching session. is a series connection of a session participant’s messages in the order of initiator or responder.

Definition 2 (fresh session). The is a fresh session executed by two honest parties and , if none of the following conditions is satisfied.(1)The session has a matching session . Additionally, a session key of or is leaked to adversary C.(2)Assume that session has a matching session . Besides, all of ’s secret keys in or the long-term and temporary secret keys of in are revealed to adversary C.(3)There is no matching session about , but an adversary knows the long-term and ephemeral private keys of in or the long-term secret key of .

Definition 3 (ID-eCK security). For adversary C, denotes the event that adversary C can know b’s correct value in the manner of sending a query to some fresh instances. Therefore, the advantage of adversary C is . If a 2PAKA protocol can satisfy the following conditions, this protocol is considered to be ID-eCK security.(1)For any PPT adversary, the success probability of knowing the right b is negligible. It means that is a negligible value.(2)After two honest parties complete a session, they can get the same session key.

5.3. Formal Proof

Firstly, our protocol will be proved to have strong enough security in this section. Then, we will show some security attributes that our protocol has.

Theorem 1. Assume , , and are three random oracles in the eCK model. According to the difficult GDH problem, no adversary can break the security of protocol in polynomial time.

Proof. On the basis of ID-eCK security, we know the two properties in are the basic conditions that a secure AKA protocol should satisfy. We can know the second condition is met in the correctness of our protocol. Next, we show that the first condition also can be met in the following content. In the eCK security model, our protocol ’s security parameter is specified as . Meanwhile, the maximum value of truthful users activated by an adversary is . The symbol is the maximum number of sessions that each party can take part in. Besides, it is also an assumed condition that the test session selected by adversary C is , which is established by and together. Adversary C can only use the following three methods to get the correct value of test session key.(1)Guessing directly attack. Adversary C can know test session key in a guessing way.(2)Key replication attack. Adversary C constructs another session that is not a matching session of the test session. But its session key is same with the test session. Hence, adversary C can make the use of a nonmatching session to acquire the test session key. Namely, it means that this protocol cannot stand up to adversary C’s attack.(3)Forging attack. Adversary C can query random oracle with the input . Obviously, the adversary C calculates the value by itself.Because is security parameter, it indicates that the size of session key is bit. Therefore, the guessing directly attack is successful with probability . Besides, the role of is the same as a random oracle in the security model. If this random oracle produces no collisions, the event that a session key is jointly owned by two nonmatching sessions occurs with a negligible probability because two nonmatching sessions cannot have the same under the definition of matching session. Namely, key replication attack’s successful probability is negligible. Consequently, we only need to consider about the successful probability of the forging attack.
Before we analyze a forging attack in detail, we firstly review the GDH problem. This mathematical assumption is that the value is given, where is unknown, the aim of challenger S is to get the result of by using a DDH oracle. Then, a challenger S plays the ID-eCK game with the adversary C who can break the protocol . During the game, S must make responses to all kinds of queries of the adversary C. If the adversary C can make a successful forging attack with non-negligible probability, the challenger S can construct a gap Diffie–Hellman solver by using C as a subroutine. As fresh definition shown in the eCK model, we need to consider about two special cases:(1)The session is the matching session of the test session (2)There is no corresponding session matching with the session In the first scenario, we only consider about passive adversary who cannot change messages transmitted among all parties. Contrary to the first scenario, challenger S has an active adversary that could modify the party ’s long-term secret key element in the second scenario. Above analysis results show that the adversary can adopt different attack strategies. So before the challenger S plays game with the adversary C, S can ensure C’s test session is with probability . In addition, S must guess the attack way that the adversary could choose from the following six strategies:(i)Case 1. ’s long-term secret key and ’s temporary private key are not leaked to adversary C. Meanwhile, C transmits correctly.(ii)Case 2. The long-term secret keys of and are not known by C. The value of still is not modified by C.(iii)Case 3. The temporary private keys of and are not revealed to adversary C.(iv)Case 4. ’s temporary private key and the long-term secret key of are not acquired by adversary C.(v)Case 5. Adversary C does not get the long-term secret key of and ’s temporary private key. But the value of is changed by C.(vi)Case 6. Adversary C knows nothing about long-term secret keys of and . But C alters ’s real value.Obviously, the six cases above cover all attack manners of different adversaries, including the passive adversary and the active adversary. On the basis of the above result, the correct test session and strategy are chosen by challenger S with the probability .

Case 1. ’s long-term secret key and ’s temporary private key are not leaked to adversary C. Meanwhile, C correctly transmits .

(i) Setup. The challenger S initializes the long-term keys of all parties and KGC’s public key as follows:(1)The challenger S chooses the value at random as the KGC’s public key.(2)Challenger S randomly chooses as and calculates . So we can know is the long-term public key of . can get its long-term secret key’s value .(3)For other parties , the challenger S randomly selects as and long-term private key. Similarly, the challenger can compute . Therefore, is ’s long-term public key. After the above process, for each , the challenger passes to the adversary C and this new entry is added to .

(ii) Queries. In order to deal with , , , and SessionKeyReveal queries from C, the challenger first maintains the corresponding empty lists , , , and . Then, the challenger S responds to all queries from C as below:(1). In the setup phase, when the long-term secret key of each party is set, S inserts the entry to . When a query about sent by adversary C already exists in , S returns the corresponding entry to C. Otherwise, S selects randomly and adds the new entry to the list . Then, S returns the random value .(2). When C launches an query, S first searches for the relevant entry in the whole list . If S finds the entry out, S transmits to C. Conversely, S computes and checks whether this value is already in or not. If the has the corresponding value, the challenger gives to C. Otherwise, S chooses at random. Then, S inserts the entry to and returns to the adversary C.(3). Before this query, S keeps an empty table whose entries are the form of .(i)If the corresponding entry is found in , the challenger S responds to the query with .(ii)Otherwise, S checks the whole list . If i has a correct value B and target item is stored, S uses the oracle to verify whether , , and . If all of them are right, S sets and stores the entry to . If the entry is found in the list and , the equation is made by challenger S and the relevant item is added to . But if the list has not the corresponding entry or the verifications of oracle are wrong, S randomly selects and writes these new data into the list . In final, S returns the corresponding to the adversary C.(4)EphemeralKeyReveal(). If the session is , the challenger S aborts. Otherwise, the temporary private key of is sent to S by adversary C.(5)StaticKeyReveal(). If i = B, S aborts. Otherwise, the challenger provides C with .(6)MasterPrivateKeyReveal(). The challenger S aborts.(7)EstablishParty(). For this query, the challenger S chooses at random. Then S assigns the value of to and calculates . Finally, S sends to C as its long-term secret key. Therefore, the adversary C can control completely, it is because the long-term secret key of is known by C.(8)SessionKeyReveal(). If the session is or , S aborts. Otherwise, S searches for the value in the whole list and sends it to C.(9)Send(, M). A blank table is held by S whose element is for the Send query.(i)If is and , adversary C receives X returned by challenger S.(ii)If the value of i is B and , S selects at random and returns the to C. Besides, S verifies whether , , and . If , , and are correct, S sets and inserts the entry to the list . But if the list does not have the entry or one of , , and is wrong, S chooses randomly and writes new information to .(iii)If B is not the correct value for i, S answers this Send query according to protocol rule.(10)Test(). If the session is , S chooses randomly and this data is returned to adversary C. On the contrary, S is not playing this game.

(iii) Analysis. If a forgery attack is successfully launched by adversary C with great probability, C must have used , , and to query random oracle. To cope with the difficult problem, challenger S checks whether the value of an query from C is such that , , and . If this query is found, S computes using this query. Assume that the probability of the event that a forgery attack is made by adversary C is , so S successfully deals with the problems with the advantage

Case 2. The long-term secret keys of and are not known by C. The value of still is not modified by C.

(i) Setup. All parties’ long-term secret keys and KGC’s public key are given by challenger C as follows:(1) selected by the challenger S is assigned to KGC’s public key.(2)As for , a random value is selected by S as the value of . Then, S does the calculation on and ’s long-term secret key is given the value . Thus, X is relevant public key of .(3)Using the same method, S selects at random as for the party and calculates . So ’s long-term secret key can be assigned to the value . Additionally, ’s corresponding public key is .(4)Considering about other parties , where and , challenger S randomly chooses . Similarly, S sets and computes the relevant value of . Thus, the long-term secret key of entry is . Its public key is . S sends to the adversary C, and this new entry is inserted into the table .

(ii) Queries. To deal with the query about SessionKeyReveal and three hash queries , , and , challenger S stores four tables and , , . And S uses the following ways to answer those queries asked by C.(1). S has an empty list in the form of .(i)If already has the relevant entry , S returns to the adversary C.(ii)If not, S looks up target item in the whole table . If the item is found and the value of i is A or B, challenger S verifies whether , , and . If all of them are correct, S sets and stores the new entry into the list . If has the goal entry (A and B are both not the right value of i), S assigns to . Then, S adds the new entry to the list . Otherwise, If the corresponding entry does not exist in the list or , and are not right, S chooses and inserts into the list .(2)EphemeralKeyReveal(). Adversary C acquires temporary secret key of entry returned by S.(3)StaticKeyReveal(). If A or B is the correct value of i, challenger S terminates this program. Otherwise, is transmitted to C.(4)Send(, M). As before, a blank table is held by S, the form of which is .(i)If i is equal to A, its temporary secret key is picked up by challenger S at random and the value is given to C. Next, S seeks the relevant item in the table . If the entry exists, S checks whether , , and . If all of them are right, S sets and stores the new entry to . But if this corresponding item is not found or three values verified by oracle are not correct, S randomly selects and writes new data to .(ii)If i is equal to B, S uses a similar way in the simulation.(iii)For other conditions, the challenger S responds according to the protocol specification. It is worth noting that S responds to the , , EstablishParty(), MasterPrivateKey, Session KeyReveal(), and Test() in the manner of case 1.

(iii) Analysis. Similarly, if the adversary C makes a successful forging attack with non-negligible probability , C must make the use of , , and to query . To deal with , S checks whether the content of an query from C is such that , , and . If S can find such an query, it computes . Therefore, difficult problem can be solved by S successfully with the advantage

Case 3. The temporary private keys of and are not revealed to adversary C.

(i) Setup. S assigns the values to all parties’ long-term secret keys and KGC’s master keys as follows.(1) is chosen by S as KGC’s master secret key and the challenger S also calculates . Thus, is its public key. In fact, case 3 simulates MFS.(2)For each party, S selects at random. S sets = and calculates . So ’s long-term secret key is . Then, S computes = . In the end, S sends to the adversary C. In addition, is inserted to the table .

(ii) Queries. As before, S holds four blank tables , , , and to cope with corresponding queries. Those queries from C are responded by S in the following ways.(1). The challenger S has an empty list in the form of .(i)If the list already has the matching entry, S returns to C.(ii)Otherwise, S checks the whole table . If the item is found out, S sets and puts the new entry into the list . If not, is randomly chosen by S and the corresponding data is written into .(2)StaticKeyReveal(). is revealed by S to C.(3)MasterPrivateKeyReveal. The challenger S responds to this query with .(4)EphemeralKeyReveal(). If is or , S aborts. Otherwise, S returns the ephemeral key of to C.(5)Send(, M). S maintains an empty list in the form of .(i)If = , S returns X to C.(ii)If = , S returns Y to C. Then, S searches for the relevant entry in . If the item is gotten by S, challenger S sets and the table is added with this new entry. Conversely, is randomly selected by S and the corresponding item is inserted into table .(iii)For other conditions, S responds to the C according to the protocol specification.

(iii) Analysis. Assume that adversary C can make a successful forging attack with non-negligible probability , C must make a query to with the input and and . To solve the , S checks whether the value of an query from C is such that , , and . If such an query is found, S can correctly calculate . Therefore, the problem is solved by S with an advantage

Case 4. ’s temporary private key and the long-term secret key of are not acquired by adversary C. For case 4, we can consider this case as case 1. Thus, S can use the similar way used in case 1 to make this simulation. Therefore, problem is dealt by S successfully with great advantage

Case 5. Adversary C does not get long-term secret key of and ’s temporary private key. But the value of is changed by C.
Firstly, KGC’s master public key is selected as . For all participants, S randomly chooses . Next, S makes the equation = and gets the value of . So is ’s long-term secret key. Meanwhile, = is its long-term public key. Then, for every , challenger S returns to the adversary C and adds to the table . Besides, S sets Y as the ephemeral public key of . The answers to all kinds of queries from C are easy, because all participants’ long-term secret keys are known by S.
Secondly, we assume that C neither queries EphemeralKeyReveal() nor StaticKeyReveal(). A message made by adversary C is sent to the session . Here, the adversary C selects at random and may change of to . For participant , is chosen by the challenger S and is also assigned by S. Finally, we make an assumption that the successful probability of a forgery attack made by C is . So C must make a query to with the input = , , and . S checks whether C makes an query on the value such that , , and .
On the basis of forking lemma, S restarts the game with adversary C using the same data. Similarly, is randomly selected and assigned to by S, and is not equal to . Assume that the probability of a forgery attack launched successfully can not be ignored. An query must be requested by C with the input , , and . Then, S does as above.
In order to cope with the , challenger S does a simple calculation on = − = . So the right value can be acquired by S. If λ is forking lemma’s utilization parameter, difficult problem can be successfully dealt by S with the advantage

Case 6. Adversary C knows nothing about long-term secret keys of and . But C alters ’s real value.
At first, KGC’s public key is assigned by S using a random number . Considering about , where A is not the right value of i, is selected and = − is calculated by S. Then, S makes the equation = true and gives the long-term secret key . Thus, relevant public key of gets the value = = . Particularly, for , is assigned to picked by S at random and = can be worked out. Then, the long-term secret key of gets the value . So its long-term public key is = . Besides, S sends of all parties to the adversary C and stores to the table . Particularly, the temporary secret key of is given the value selected by S randomly.
Secondly, it is an assumption that C does not request queries about StaticKeyReveal() and StaticKeyReveal(). Moreover, the simulation does not abort. A message made by C is sent to the session . is randomly selected by the adversary and C can also change . Assume that S chooses at randomly as . If the probability of a successful forgery attack maked by C cannot be ignored, the adversary must launch an asking with the input = , = , and = . Next, S checks whether there is an query from the adversary C on the value such that , , and .
Similarly, based on forking lemma, S replays the game with adversary C using the same data. S gets as . We should note that . As above, if the probability of a forgery attack cannot be ignored, adversary C must make an query with the input = , = , and = . Then, S verifies whether such an query from the adversary C exists on the value such that , , and .
In order to deal with the problem, S calculates = − = . Therefore, S can compute = . If λ is forking lemma’s utilization parameter, difficult problem can be successfully dealt by S with an advantageAll in all, because is considered to be non-negligible, also cannot be ignored. But it is contradictory to the assumption.

5.4. Other Discussions

We will show some essential security attributes that our pairing-free 2PAKA protocol holds in the following content.(i)Mutual authentication. The security proof shows that a useful message cannot be successfully made by any adversary in polynomial time because authentications among users can be achieved by verifying whether those messages that they get are valid or not. Therefore, our protocol has the hidden function of mutual authentication.(ii)Session Key Agreement. According to our protocol shown in the Key Agreement phase, one session key = = can be obtained by two users after communication. Thus, our protocol can complete the negotiation process of a session key.(iii)Known Session Key Security (KSKS) Resistance. Our protocol can achieve KSKS security property because Session Key Reveal is allowed in the eCK strong security model. Namely, any other session’ key could be revealed to an adversary excluding the goal session and its matching session’s keys. Meanwhile, the probability of the event that C can successfully distinguish goal session key from a random number can be ignored. So C cannot use other session keys to know test session key.(iv)Forward Secrecy (FS). As it shows in our security proof, it is forbidden that both a user’s long-term and temporary secret keys are known by an adversary. In other words, our protocol can get wPFS. Besides, the case 3 simulates MFS.(v)Key Compromise imPersonation (KCI) Resistance. In case 1, 3, and 5, the adversary C cannot generate the goal key acquired by and any other user when C knows ’s the long-term secret key and even changes those messages sent to .(vi)Unknown Key Share (UKS) Resistance. Because identity is the core foundation of our protocol, it indicates that one user’s public key is generated depending on its ID. Obviously, the UKS attack can be resisted by our protocol.(vii)No Key Control (NKC) Resistance. Because hash function does not have the same result with different input, the session key cannot be determined by one party or the adversary. Thus, our protocol can catch NKC resistance.(viii)BI Resistance: If the long-term secret key of is not obtained by adversary C, C cannot successfully calculate the correct input to . So C cannot get the session key generated by and any other party.(ix)Ephemeral Key Reveal (EKR) Resistance: In case 1, 4, and 5, the security still can be held by our protocol while its temporary secret keys are leaked partially. In case 2 and 6, when the ephemeral keys are compromised completely, this protocol also keeps safe.

6. Performance Analysis

Within this module, our protocol’s performance is analyzed from computational cost and running time. Besides, we display that our protocol is compared with other related protocols [13, 14] in terms of efficiency.

In our experiment, an additive group is selected by us, where is its order. This group has a generator P. The order is a big prime number with 160-bits and P is a point chosen from a common elliptic curve : . Here, the number of bits of prime number is 512.

6.1. Analysis of Computational Cost

For better computational cost analysis, we firstly give out the comparison results between our protocol and some valuable protocols [13, 14] in terms of message size in the Table 1. Then, on the basis of message size, we analyze their computational cost and give the results in Figure 3.

Assume that the ID of one party is 2 bytes long. In addition, messages exchanged between two parties in our protocol are . Here, and belong to . So the messages are one ID and two points, whose total size is . Similarly, the size of exchanged messages in the Bala et al.’s protocol is also 42 bytes. However, in Dang et al.’s protocol, the messages’ size is 62 bytes.

Next, we present the executing time of some basic operations in Table 2.

We have achieved these basic operations in the MIRACL library [30]. The implementations were deployed in a personal computer and the platform’s parameters are displayed in the following Table 3.

What deserves our attention is that our protocol is a symmetrical structure. In other words, the party and are making the computational operations at the same time. Thus, we only need to consider about the computational cost of one party. In our protocol, the computational operation only includes . Fortunately, this operation is only a simple scalar multiplication. But among the other two protocols being compared, we can find the computational operations are both four scalar multiplications. When precomputation is considered, there are still three scalar multiplications in the Bala et al.’s protocol and two scalar multiplications in the Dang et al.’s protocol. The result of computational cost is shown in the following figure.

Now, we know the computational operations in the three protocols. Moreover, we can find that most of these computational operations can be completed offline. We can know that a scalar multiplication needs 2.165 ms in the personal computer according to Table 2. Therefore, we can get the respective computational time of the three protocols. In general, we take the precomputation into consideration. So the computational time of Bala et al.’s protocol is . In the Dang et al.’s protocol, it needs . But in our protocol, we only need to achieve the required operation. Therefore, our protocol has better performance.

6.2. Analysis of Running Time

Generally, the running time of an AKA protocol is approximately made up of computational time and transmission time. Here, we can only consider the transmission time, because we already know the corresponding computational time of each protocol. As for the transmission time, we think the transmission time is mainly related to message size and hardware performance. We assume that these hardware equipments have similar performance. Hence, if the message size is longer, more time is needed to transmit it. Fortunately, we have analyzed these protocols’ message size in the analysis of computational cost.

Table 1 shows that our protocol has smaller message size than Dang’s protocol and the same size as Bala’s protocol. Therefore, compared with other ID-based protocols, our protocol can get stronger or be at the same level of security with less running time.

In conclusion, the performance of our protocol is better than that of the other two protocols. Besides, our protocol is superior to the Dang’s protocol in resisting attacks. Therefore, our protocol has better performance in VANETs environment compared with previous ID-based 2PAKA protocols.

7. Conclusion

To be able to deal with the increasing demands of VANETs (e.g., due to the increasing number of connected vehicles and devices), we constructed a new efficient 2PAKA protocol based on the identity in this paper. This protocol was designed to provide an authentication function and a session key to two users in an efficient way. Besides, we showed that our protocol has strong security in the eCK model, and it outperforms two other recently proposed 2PAKA protocols [13, 14].

Future research includes extending the protocol to achieve other desirable properties, as well as implementing an initial model of the extended protocol for evaluation in a practical application.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The work was supported by the National Key Research and Development Program of China (No. 2018YFC1604000), the National Natural Science Foundation of China (Nos. 61772224, 61932016, and 61972294), and the Fund of the Jiangsu Key Laboratory of Big Data Security & Intelligent Processing (No. BDSIP1807).

References

E. C. Eze, S. Zhang, and E. Liu, “Vehicular ad hoc networks (vanets): current state, challenges, potentials and way forward,” in Proceedings of the 20th International Conference on Automation and Computing, ICAC 2014, X. Luo, Y. Cao, and Z. Tong, Eds., pp. 176–181, IEEE, Cranfield, Bedfordshire, UK, September 2014.
View at: Google Scholar
Y. Yang, Z. Wei, Y. Zhang, H. Lu, K.-K. R. Choo, and H. Cai, “V2X security: a case study of anonymous authentication,” Pervasive and Mobile Computing, vol. 41, pp. 259–269, 2017.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015.
View at: Publisher Site | Google Scholar
N. P. Smart, “An identity based authenticated key agreement protocol based on the weil pairing,” IACR Cryptology, vol. 2001, p. 111, 2001.
View at: Google Scholar
M. Hölbl, T. Welzer, and B. Brumen, “An improved two-party identity-based authenticated key agreement protocol using pairings,” Journal of Computer and System Sciences, vol. 78, no. 1, pp. 142–150, 2012.
View at: Publisher Site | Google Scholar
L. Ni, G. Chen, and J. Li, “Escrowable identity-based authenticated key agreement protocol with strong security,” Computers & Mathematics with Applications, vol. 65, no. 9, pp. 1339–1349, 2013.
View at: Publisher Site | Google Scholar
L. Ni, G. Chen, J. Li, and Y. Hao, “Strongly secure identity-based authenticated key agreement protocols in the escrow mode,” Science China Information Sciences, vol. 56, no. 8, pp. 1–14, 2013.
View at: Publisher Site | Google Scholar
S. S. Vivek, S. S. D. Selvi, L. R. Venkatesan, and C. P. Rangan, “Efficient, pairing-free, authenticated identity based key agreement in a single round,” in Proceedings of the 7th International Conference, ProvSec 2013, W. Susilo and R. Reyhanitabar, Eds., vol. 8209 of Lecture Notes in Computer Science, pp. 38–58, Springer, Melaka, Malaysia, October 2013.
View at: Google Scholar
S. H. Islam and G. P. Biswas, “Design of two-party authenticated key agreement protocol based on ECC and self-certified public keys,” Wireless Personal Communications, vol. 82, no. 4, pp. 2727–2750, 2015.
View at: Publisher Site | Google Scholar
S. Chakraborty, S. Raghuraman, and C. P. Rangan, “A pairing-free, one round identity based authenticated key exchange protocol secure against memory-scrapers,” JoWUA, vol. 7, no. 1, pp. 1–22, 2016.
View at: Google Scholar
L. Ni, G. Chen, J. Li, and Y. Hao, “Strongly secure identity-based authenticated key agreement protocols without bilinear pairings,” Information Sciences, vol. 367-368, pp. 176–193, 2016.
View at: Publisher Site | Google Scholar
R. W. Zhu, G. Yang, and D. S. Wong, “An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices,” Theoretical Computer Science, vol. 378, no. 2, pp. 198–207, 2007.
View at: Publisher Site | Google Scholar
L. Dang, J. Xu, X. Cao et al., “Efficient identity-based authenticated key agreement protocol with provable security for vehicular ad hoc networks,” International Journal of Distributed Sensor Networks, vol. 14, no. 4, 2018.
View at: Publisher Site | Google Scholar
S. Bala, G. Sharma, and A. K. Verma, “PF-ID-2PAKA: pairing free identity-based two-party authenticated key agreement protocol for wireless sensor networks,” Wireless Personal Communications, vol. 87, no. 3, pp. 995–1012, 2016.
View at: Publisher Site | Google Scholar
D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, 2015.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, M. K. Khan, L. Wang, and J. Shen, “Efficient privacy-aware authentication scheme for mobile cloud computing services,” IEEE Systems Journal, vol. 12, no. 2, pp. 1621–1631, 2018.
View at: Publisher Site | Google Scholar
A. Joux, “A one round protocol for tripartite diffie–hellman,” in Proceedings of the International Algorithmic Number Theory Symposium, pp. 385–393, Springer, Leiden, The Netherlands, July 2000.
View at: Google Scholar
D. Boneh and M. K. Franklin, “Identity-based encryption from the weil pairing,” in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO 2001, J. Kilian, Ed., vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Santa Barbara, CA, USA, August 2001.
View at: Google Scholar
K. Shim, “Efficient id-based authenticated key agreement protocol based on weil pairing,” Electronics Letters, vol. 39, no. 8, pp. 653-654, 2003.
View at: Publisher Site | Google Scholar
H.-M. Sun and B.-T. Hsieh, “Security analysis of shim’s authenticated key agreement protocols from pairings,” IACR Cryptology, vol. 2003, p. 113, 2003.
View at: Google Scholar
D. Fiore and R. Gennaro, “Making the diffie-hellman protocol identity-based,” in Proceedings of the Cryptographers’ Track at the RSA Conference on Topics in Cryptology, CT-RSA 2010, J. Pieprzyk, Ed., vol. 5985 of Lecture Notes in Computer Science, pp. 165–178, Springer, San Francisco, CA, USA, March 2010.
View at: Google Scholar
X. Cao, W. Kou, and X. Du, “A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges,” Information Sciences, vol. 180, no. 15, pp. 2895–2903, 2010.
View at: Publisher Site | Google Scholar
H. Sun, Q. Wen, H. Zhang, and Z. Jin, “A strongly secure identity-based authenticated key agreement protocol without pairings under the GDH assumption,” Security and Communication Networks, vol. 8, no. 17, pp. 3167–3179, 2015.
View at: Publisher Site | Google Scholar
L. Ni, G. Chen, J. Li, and Y. Hao, “Strongly secure identity-based authenticated key agreement protocols,” Computers & Electrical Engineering, vol. 37, no. 2, pp. 205–217, 2011.
View at: Publisher Site | Google Scholar
S. H. Islam and G. P. Biswas, “A pairing-free identity-based two-party authenticated key agreement protocol for secure and efficient communication,” Journal of King Saud University—Computer and Information Sciences, vol. 29, no. 1, pp. 63–73, 2017.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, H. Wang, L. Wang, K.-K. R. Choo, and A. Vinel, “A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 633–645, 2018.
View at: Publisher Site | Google Scholar
Q. Feng, D. He, S. Zeadally, N. Kumar, and K. Liang, “Ideal lattice-based anonymous authentication protocol for mobile devices,” IEEE Systems Journal, vol. 13, no. 3, pp. 2775–2785, 2018.
View at: Publisher Site | Google Scholar
C. Lin, D. He, X. Huang, K.-K. R. Choo, and A. V. Vasilakos, “BSeIn: a blockchain-based secure mutual authentication with fine-grained access control system for industry 4.0,” Journal of Network and Computer Applications, vol. 116, no. 1, pp. 42–52, 2018.
View at: Publisher Site | Google Scholar
H. Huang and Z. Cao, “An id-based authenticated key exchange protocol based on bilinear diffie-hellman problem,” in Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, W. Li, W. Susilo, U. K. Tupakula et al., Eds., pp. 333–342, ACM, Sydney, Australia, March 2009.
View at: Google Scholar
Shamus Software Ltd, “Miracl library,” 2016, http://www.shamus.ie/index.php?page=home.
View at: Google Scholar

Copyright

Copyright © 2019 Quanrun Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1045

Downloads

1396

Citations

Security and Communication Networks

A Provably Secure and Lightweight Identity-Based Two-Party Authenticated Key Agreement Protocol for Vehicular Ad Hoc Networks

Abstract

1. Introduction

2. Related Work

2.1. ID-Based 2PAKA Protocols with Pairings

2.2. ID-Based 2PAKA Protocols without Bilinear Pairing Operations

3. Preliminaries

3.1. Mathematical Assumptions

3.1.1. Elliptic Curve Discrete Logarithm (ECDL) Problem

3.1.2. Gap Diffie–Hellman (GDH) Problem

3.1.3. Decisional Diffie–Hellman (DDH) Problem

3.1.4. Computational Diffie–Hellman (CDH) Problem

3.2. Essential Security Attributes

3.2.1. Known-Key Security (K-SKS)

3.2.2. Forward Secrecy (FS)

3.2.3. Key Compromise Impersonation (KCI) Resistance

3.2.4. Unknown Key Share (UKS) Resistance

3.2.5. No Key Control (NKC)

3.2.6. Basic Impersonation (BI) Resistance

3.2.7. Ephemeral Key Reveal (EKR) Resistance

4. Our Presented Protocol

4.1. Setup Phase

4.2. Extract Key Phase

4.3. Key Agreement Phase

5. Security Analysis

5.1. Protocol Participants

5.2. eCK Model

5.3. Formal Proof

5.4. Other Discussions

6. Performance Analysis

6.1. Analysis of Computational Cost

6.2. Analysis of Running Time

7. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright