Next Article in Journal
New Estimates for Hermite-Hadamard Inequality in Quantum Calculus via (α, m) Convexity
Next Article in Special Issue
A Survey of Low Rate DDoS Detection Techniques Based on Machine Learning in Software-Defined Networks
Previous Article in Journal
Decentralized and Privacy Sensitive Data De-Duplication Framework for Convenient Big Data Management in Cloud Backup Systems
Previous Article in Special Issue
A Novel Undeniable (t, n)-Threshold Signature with Cheater Identification
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing

1
College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao 266590, China
2
Department of Computer Science, University of California, Davis, CA 001313, USA
3
Department of Mathematics, Chaudhary Charan Singh University, Meerut, Uttar 250004, Uttar Pradesh, India
*
Author to whom correspondence should be addressed.
Symmetry 2022, 14(7), 1393; https://doi.org/10.3390/sym14071393
Submission received: 31 May 2022 / Revised: 24 June 2022 / Accepted: 1 July 2022 / Published: 6 July 2022

Abstract

:
With the maturity and popularization of the Internet of Things, we saw the emergence of the Internet of Vehicles. This collects and processes real-time traffic information, alleviates traffic congestion, and realizes intelligent transportation. However, sensitive information, such as real-time driving data of vehicles, are transmitted on public channels, which are easily to steal and manipulate for attackers. In addition, vehicle communications are vulnerable to malicious attacks. Therefore, it is essential to design secure and efficient protocols. Many studies have adopted asymmetric cryptosystems and fog computing to in this environment, but most of them do not reflect the advantages of fog nodes, which share the computational burden of cloud servers. Therefore, it is challenging to design a protocol that effectively uses fog nodes. In this paper, we design an authentication protocol based on a symmetric encryption algorithm and fog computing in the Internet of Vehicles. In this protocol, we first propose a four-layer architecture that significantly reduces the computational burden of cloud servers. To resist several well-known attacks, we also apply Intel software guard extensions to our protocol. This is because it can resist privileged insider attacks. We prove the security of the proposed protocol through the Real-Or-Random model and informal analysis. We also compare the performance of the proposed protocol with recent protocols. The results show better security and a lower computational cost.

1. Introduction

With the maturity and popularization of the Internet of Things (IoT) [1,2], a special network connecting vehicles through the Internet has emerged: the Internet of Vehicles (IoV) [3,4,5]. The IoV is a subset of the IoT that realizes communication by vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), and vehicle-to-infrastructure (V2I) connections. The IoV collects, processes, and shares road information in real time, alleviates traffic congestion in traffic control, and reduces traffic accidents through early warnings to ensure vehicle safety. It also realizes intelligent transportation to improve its efficiency.
Previously, researchers introduced cloud computing into the IoV to efficiently process large amounts of real-time road information. With an increasing number of vehicles, the computational burden of the cloud server (CS) is also increasing. The authors of [6,7,8] proposed a definition of fog computing. Compared with cloud computing, fog computing has the characteristics of low latency, large numbers, wide distribution, and lighter computing. Fog and cloud computing are complementary but not substitutes. Cloud computing realizes the calculation or storage of a large amount of data, compensating for the lack of computing resources for fog nodes.
Recently, the literature [9,10,11,12] has involved research on authenticated key agreement (AKA) protocols for applying fog computing to the IoV. In 2019, Ma et al. [9], based on asymmetric cryptosystems and fog computing, proposed an AKA protocol. The protocol used the traditional three-layer architecture: “vehicle–fog node–CS”, where the vehicle and roadside unit (RSU) play the participant (i.e., vehicle). However, the protocol showed that the participation of a CS was required for each authentication, which did not reflect the advantages of fog nodes and did not realize the function of fog nodes sharing the computational burden of a CS. Moreover, Eftekhari et al. [10] found that the protocol [9] was insecure and vulnerable to stolen smart card attacks, known session-specific temporary information disclosure attacks, and privileged insider attacks. Based on this architecture, Eftekhari et al. [10] designed an improved protocol that did not reflect the advantages of fog nodes. In 2020, Wu et al. [11] proposed a fog-based AKA protocol based on the traditional three-layer architecture. However, the RSU was a fog node. Each communication required the participation of a CS. In 2021, following the architecture presented in [11], Wu et al. [12] proposed a lightweight AKA protocol that still did not realize the function of fog nodes sharing the computational burden of a CS.
Although the above AKA protocols [9,10,11,12] use fog computing, they fail to realize the function of fog nodes sharing the computational burden of a CS. This is because in the conventional architecture, fog nodes actually replace the RSU, and computing is still on the CS, which does not reduce the computational burden of the CS. Therefore, we first propose a four-layer architecture: “vehicle–RSU–fog node–CS”. The four-layer architecture of the IoV based on fog computing is shown in Figure 1. In this architecture, when a vehicle enters the road and wants to communicate with the RSU, the communication modes are divided into the following two cases:
1.
Case 1: The RSU judges that the vehicle communicates with itself for the first time and then sends a data request to the CS. The CS sends a response to the RSU accordingly and simultaneously sends the data response to the fog node. Thereafter, the vehicle and RSU realize their communication with the assistance of the fog node. The four entities involved in this communication process are the vehicle, RSU, fog node, and CS.
2.
Case 2: This extends from Case 1. Only the fog node (without the participation of the CS) can help the vehicle and RSU to realize communication. Here, this architecture effectively realizes the function of the fog node sharing the computational burden of the CS.
The IoV environment still has some security challenges. For example, sensitive information such as vehicle real-time driving data are transmitted on a public channel, which is easy to steal from and manipulate for an attacker, resulting in the disclosure of vehicle privacy. In addition, the process of vehicle communication is vulnerable to replay attacks [13], impersonation attacks [14,15,16], and privileged insider attacks [9], among others. Therefore, to ensure communication and protect the sensitive data of vehicles, a safe and effective protocol must be designed.
Due to the above security challenges of the IoV environment, researchers are committed to enhancing the security of the IoV. Therefore, a hardware-based, trusted execution environment called software guard extensions (SGX) [17,18,19] has emerged. SGX is secure hardware developed by Intel. The difference between SGX and other security software is that it only includes hardware, which avoids software vulnerabilities and malicious threats in the system and largely ensures system security. In addition, SGX provides a trusted execution environment, as malicious code cannot access or tamper with any sensitive data stored in SGX, guaranteeing data confidentiality and integrity. The structure of SGX mentioned in [17]. Preserved random memory (PRM) is a reserved area for SGX in the dynamic memory, and the Enclave Page Cache (EPC) is a part of the PRM. SGX has a secure container called Enclave, which is stored in the EPC to store sensitive data and code. The user enters the value into the Enclave through the Ecall. After SGX completes the confidential computing in the Enclave, it returns the computational results through Ocall.
To ensure secure communication and reduce the computational burden of the CS, we propose an authentication protocol under a four-layer architecture. We also apply SGX and a symmetric encryption algortihm to the proposed protocol to resist several well-known attacks. Our main contributions are as follows:
(1)
We first propose a four-layer architecture in the IoV environment as shown in Figure 1. Adopting such an architecture reduces the computational pressure of the CS.
(2)
We apply SGX to store the private value of the fog node and RSU in SGX so that even if the attacker obtains the data in the authentication table, he or she cannot obtain the private values in SGX. In other words, SGX can make the proposed protocol resist privileged insider attacks and enhance the security of the protocol.
(3)
We prove the security of the proposed protocol through the Real-Or-Random model (ROR) and informal analysis. Furthermore, we compare the performance of the proposed protocol with recent protocols, with the results showing better security and a lower computational cost.
The rest of the paper is organized as follows. Section 2 briefly reviews the relevant research work. Section 3 describes the system model and proposed protocol in detail. In Section 4, we use the ROR model and informal analysis to prove the protocol’s security. We compare the performance of the proposed protocol with recent protocols and discuss the obtained results in Section 5. Finally, we provide a brief summary of the content of this study in Section 6.

2. Related Work

Researchers have conducted extensive research on security challenges based on the IoV [20,21]. In 2007, Raya et al. [22] determined that information transmission security should be ensured in the IoV. Therefore, cryptographic technology, namely the public key infrastructure (PKI) mechanism, was introduced into the proposed protocol. Although this technology ensured that the vehicles privacy was not leaked, the computational cost was extremely high. In 2011, Huang et al. [23] designed an AKA protocol for value-added services known as ABAKA. The protocol realized anonymity but used elliptic curve cryptography (ECC), and the overhead remained extremely high. In 2017, Ying et al. [13] designed a protocol and claimed that it realized anonymous and secure communication. The protocol had a low computational cost and was lightweight. Mohit et al. [14] proposed a secure authentication protocol that configured vehicle sensors for the IoV to monitor the vehicle and the surrounding environment. However, Yu et al. [15] found that the protocol [14] was vulnerable to user impersonation attacks and could not provide anonymity or mutual authentication. Yu et al. [15] designed an improved protocol for ensuring communication security. However, Sadri et al. [24] found that the protocol [15] was vulnerable to user impersonation and sensor capture attacks and could not provide untraceability. Sadri et al. [24] designed a secure protocol based on this. In 2021, Jiang et al. [25] designed an authentication protocol based on a physical unclonable function (PUF). This protocol effectively combined biometrics and a PUF to achieve secure identification and authentication. In the same year, Kurma et al. [26] designed a new authentication protocol for the IoV. The protocol [26] was based on radio frequency identification, which increased the protocol security and used ECC at a high computational cost.
In previous years, to achieve efficient authentication, the literature [27,28] adopted the cloud computing architecture to different environments. Later, researchers found that fog computing is more suitable for the IoV than cloud computing with a large amount of real-time data to process. Therefore, scholars have applied fog computing to the IoV to reduce the computational burden of the CS. Wazid et al. [29] proposed a protocol based on authentication key management (AKM) between two different entities, namely AKM and the IoV, to realize security authentication in the IoV. Han et al. [30] proposed a security protocol based on fog computing [30], which had two highlights. One was that the vehicle and RSU were self-authenticated without the participation of the trusted authority (TA), which improved the communication efficiency. The other was that the fog node managed the pseudonym of the vehicle to realize privacy protection. Soleymani et al. [31] designed a message authentication protocol that used bilinear pairing primitives with a high overhead. The protocol [31] also used pseudonym management for privacy protection. Ma et al. [9], based on asymmetric cryptosystems and fog computing, proposed an AKA protocol. The protocol used ECC at a high computational cost, and they claimed that the protocol was provably secure. However, Eftekhari et al. [10] found that the protocol [9] was vulnerable to known session-specific temporary information disclosure, privileged insider, and stolen smart card attacks. Eftekhari et al. [10] proposed an improved lightweight protocol. Wu et al. [11] proposed an AKA protocol. The protocol also used ECC, which had a large computational cost and computational burden from the CS under the architecture used. In 2021, Wu et al. [12] designed a lightweight AKA protocol, which was also based on the above architecture and did not realize the function of fog nodes sharing the computational burden of the CS. The main works related to this paper are summarized in Table 1.

3. The Proposed Protocol: SGXAP

This section introduces the system model and the proposed protocol in detail. Definitions and specific descriptions of the symbols used in the protocol are listed in Table 2.

3.1. System Model

The system includes four entities: the vehicle, RSU, fog node, and CS. In this model, the RSUs know which fog nodes they are deployed in, and the CS also knows which fog node RSU is deployed. These four entities, namely the definition, function, computing power, and storage capability of each role, are explained in detail below:
(1)
Vehicle: This refers to the vehicle or vehicle user who selects the appropriate speed or driving route by acquiring the relevant real-time road information collected by the RSU.
(2)
RSU: This is a semi-trusted device that collects real-time road condition information. It is arranged on both sides of the road and has weak computing power and storage capacity. The RSU judges whether the vehicle is communicating with itself for the first time.
(3)
Fog node: This is a semi-trusted entity with certain computing power. It quickly processes the road condition information collected by the RSU and can store data. As a third party, the fog node participates in communicating between the vehicle and RSU.
(4)
CS: This is a semi-trusted entity which can realize the calculation or storage of a large amount of data. Here, the CS is the registration center, which participates in registering vehicle, RSU, and fog node. For Case 1, it is also the data transmitter.
When the vehicle wants to communicate with the RSU, there are two communication modes:
1.
Case 1 is shown in Figure 2. The RSU judges that the vehicle communicates with itself for the first time and sends a data request to the CS. Then, the CS transmits the private value of the vehicle to the fog node and RSU. Here, the RSU stores the private data of the vehicle to judge whether the communication between the vehicle and itself is happening for the first time. The fog node stores information about the vehicle to realize the authentication process. Finally, the vehicle and RSU realize communication through the fog node.
2.
Case 2 is shown in Figure 3. This case extends Case 1. Therefore, only the fog node (without the participation of the CS) can help the vehicle and RSU to realize communication. This is because in the first communication, the fog node and RSU know the private information of the vehicle. Here, this architecture dramatically reduces the computational burden of the CS.

3.2. The Proposed SGXAP

The proposed protocol comprises three phases: registration, login authentication, and data transmission.

3.2.1. Registration Phase

The registration phase of the proposed protocol includes the V i , R S U j , and F S m registration phases.
In the V i registration phase, V i registers with the C S , as shown in Figure 4. The detailed registration steps are as follows:
(1)
First, V i selects the I D i , password P S W i , biometrics B I O i , and random number r i , computes G e n ( B I O i ) = ( σ i , τ i ) , and finally transmits { I D i } to the C S .
(2)
After C S receives the message { I D i } , it selects r c , computes P I D i = h ( I D i r c ) and T K V C = h ( P I D i K C S ) , and then saves the pseudo identity { P I D i } in the database before finally transmitting { P I D i , T K V C } to V i .
(3)
After V i receives the message { P I D i , T K V C } , it computes R P W i = h ( P S W i σ i ) , T R i = T K V C h ( R P W i r i ) , and P i = h ( I D i R P W i r i ) . Finally, V i stores { P I D i , r i , P i , T R i , τ i } in the smart card (SC).
In the R S U j registration phase, R S U j registers with the C S , as shown in Figure 5. The detailed registration steps are as follows:
(1)
First, R S U j selects the I D j and random number r j and then transmits { I D j , r j } to the C S .
(2)
After the C S receives the message { I D j , r j } , it selects r s , computes P I D j = h ( I D j r j r s ) and T K R C = h ( P I D j K C S ) , saves { P I D j , I D j } in the database, transmits { P I D j , T K R C } to R S U j , and sends { P I D j , T K R C , I D j } to F S m .
(3)
After R S U j receives the message { P I D j , T K R C } , it stores { P I D j , T K R C } in the database.
(4)
After F S m receives the message { P I D j , T K R C , I D j } , it stores { P I D j , T K R C } in SGX and stores { P I D j , I D j } in the database.
In the F S m registration phase, F S m registers with the C S , as shown in Figure 6. The detailed registration steps are as follows:
(1)
First, F S m selects the identity I D f and random number r f and then transmits { I D f , r f } to the C S .
(2)
After the C S receives the message { I D f , r f } , it selects r c s , computes P I D f = h ( I D f r f r c s ) and T K F C = h ( P I D f K C S ) , saves { P I D f , I D f } in the database, and transmits { P I D f , T K F C } to F S m .
(3)
After F S m receives the message { P I D f , T K F C } , it stores { P I D f , T K F C } in the database.

3.2.2. Login and Authentication Phase

The vehicle and RSU achieve authentication and establish a session key with the assistance of the fog node to realize secure communication. The authentication of the proposed protocol has the following two cases:
1.
Case 1. V i communicates with R S U j under F S m for the first time. The authentication process needs the assistance of F S m and the participation of the C S . When R S U j receives the message M 1 sent by V i , it cannot retrieve the private value of V i through the pseudo-identity P I D i . Then, R S U j enters the data transmission phase and sends a data request R e q j to the C S . After the C S successfully verifies R S U j , it sends the private value of V i to R S U j and F S m , and then R S U j and F S m store the private value. Finally, V i , R S U j , and F S m continue to realize relevant authentication. The entire process includes the authentication phase of Figure 7 and the data transmission phase of Figure 8.
2.
Case 2. V i has communicated with R S U j under F S m . Therefore, the private value of V i is stored in R S U j and F S m , and the entire authentication process can be realized without the C S participating. The process is the login authentication phase, as shown in Figure 7.
The entities in the authentication phase include V i , R S U j , and F S m without the C S participating. The specific authentication steps are illustrated in Figure 7.
(1)
V i first enters its own I D i , P S W i , and B I O i , and the SC computes σ i = R e p ( B I O i , τ i ) , R P W i = h ( P S W i σ i ) , and P i * = h ( I D i R P W i r i ) and compares P i * = ? P i . If they are equal, then the login is successful. Otherwise, the login fails. After successfully logging in to the SC, V i selects a random number N i and timestamp T 1 and computes T K V C = T R i h ( R P W i r i ) , T N V C = h ( T K V C P I D i ) , T V V C = ( I D i N i ) T N V C , and V 1 = h ( I D i N i T V V C ) . Finally, V i sends the message M 1 = { P I D i , T V V C , V 1 , T 1 } to R S U j .
(2)
After R S U j receives M 1 from V i , it first checks the freshness of the timestamp T 1 . If the limit is exceeded, then the authentication is suspended. Otherwise, the authentication continues. Then, R S U j indexes T K V C stored in SGX according to P I D i . If it cannot be indexed, then it indicates that V i is communicating with R S U j for the first time. Here, R S U j sends a data request to the C S , requesting the C S to send the private value of V i to itself and F S m , as shown in Figure 8, and then continue to realize the authentication process. If it can be indexed, V i is not communicating with R S U j for the first time, and the authentication process continues. Later, R S U j selects N j , and T 2 computes T N R C = h ( T K R C P I D j ) , T V R C = N j T N R C , and V 2 = h ( I D j N j T V R C ) . Finally, R S U j sends the message M 2 = { P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 } to F S m .
(3)
After F S m receives M 2 from R S U j , it checks the freshness of T 2 and then sends P I D i to the security interface of SGX. SGX matches the secret value T K V C according to P I D i , computes T N V C = h ( T K V C P I D i ) , and outputs the secret value T N V C from the secure interface after the computation is completed. Then, F S m computes ( N i I D i ) = T N V C T V V C and V 1 = h ( I D i N i T V V C ) and compares V 1 = ? V 1 . If they are equal, this indicates that V i is legal. Otherwise, the authentication is suspended. F S m finds the identity I D j according to P I D j and then sends P I D j to the security interface of SGX. SGX matches the secret value T K R C according to P I D j , computes T N R C = h ( T K R C P I D j ) , and outputs the secret value T N R C from the secure interface. Then, F S m computes N j = T N R C T V R C , V 2 = h ( I D j N j T V R C ) and compares V 2 = ? V 2 . If they are equal, R S U j is legal. Otherwise, the authentication is suspended. After authenticating V i and R S U j , F S m selects timestamp T 3 , computes T V F R = ( I D i N i ) h ( I D j N j ) , V 3 = ( I D j N j T V F R ) , and finally sends the message M 3 = { T V F R , V 3 , T 3 } to R S U j .
(4)
After R S U j receives the message M 3 from F S m , it checks the freshness of T 3 and computes ( I D i N i ) = h ( I D j N j ) T V F R , S K = h ( I D i I D j N i N j ) , and V 3 = h ( I D j N j T V F R ) . Then, F S m compares V 3 = ? V 3 . If they are equal, F S m is legal. Otherwise, the authentication fails. After the authentication is successful, R S U j selects the timestamp T 4 and computes T V R V = ( I D j N j ) h ( I D i N i ) and V 4 = h ( I D i N i T V R V ) . Finally, the message M 6 = { T V R V , V 4 , T 4 } is sent to V i .
(5)
After V i receives M 4 from R S U j , it first checks the freshness of T 4 and then computes ( I D j N j ) = h ( I D i N i ) T V R V , S K = h ( I D i I D j N i N j ) , and V 4 = h ( I D i N i T V R V ) . Then, V i compares V 4 = ? V 4 . If they are equal, R S U j is legal. Otherwise, the authentication fails.

3.2.3. Data Transmission Phase

When V i communicates with R S U j under F S m for the first time, the private value of V i is not stored in R S U j or F S m . Thus, R S U j requests private data from the C S . The entities in this phase include R S U j , F S m , and the C S . According to Case 1, when R S U j receives the message M 1 sent by V i and does not retrieve the privacy value of V i through P I D i , R S U j requests data from the C S , as shown in Figure 8. The specific steps are as follows:
(1)
R S U j generates a data request R e q j , selects N R and T 5 , and computes T V R C = ( I D j T K R C ) N R and V 5 = h ( I D j N R T V R C ) . Finally, the message M 5 = { R e q j , P I D i , P I D j , P I D f , T V R C , V 5 , T 5 } is sent to the C S .
(2)
After the C S receives M 5 from R S U j , it checks the freshness of T 5 . After finding I D j according to P I D j , the C S computes T K R C = h ( P I D j K C S ) , N R = ( I D j T K R C ) T V R C , and V 5 = h ( I D j N R T V R C ) and compares V 5 = ? V 5 . If they are equal, R S U j is legal. Otherwise, the authentication is suspended. Then, C S selects T 6 and T 7 and computes T K V C = h ( P I D i K C S ) , C N m = E h ( I D j T K R C ) ( T K V C ) , and V 6 = h ( I D j N R C N m ) . The C S finds I D f according to P I D f and computes T K F C = h ( P I D f K C S ) , C N n = E h ( I D f T K F C ) ( T K V C ) , and V 7 = h ( I D f T K F C C N n ) . Finally, the message M 6 = { V 6 , C N m , T 6 } is sent to R S U j , and M 7 = { V 7 , C N n , T 7 } is sent to F S m .
(3)
After R S U j receives M 6 from the C S , it checks the freshness of T 6 , computes T K V C = D h ( I D j T K R C ) ( C N m ) and V 6 = h ( I D j N R C N m ) , and compares V 6 = ? V 6 . If they are equal, then C S is legal. Otherwise, the authentication is suspended. Finally, R S U j stores { P I D i , T K V C } in SGX.
(4)
After F S m receives the message M 7 from the C S , it checks the freshness of T 7 , computes T K V C = D h ( I D f T K F C ) ( C N n ) and V 7 = ? h ( I D f T K F C C N n ) , and compares V 7 = ? V 7 . If they are equal, then the C S is legal. Otherwise, the authentication is suspended. Finally, F S m stores { P I D i , T K V C } in SGX.
After completing the above data request, V i , R S U j , and F S m continue the authentication process.

4. Security Analysis

4.1. Formal Security Analysis

The ROR model, proposed by Canetti et al. [32], calculates the probability that the attacker (A) can break the S K through multiple query operations to prove the security of the protocol. Here, we compute the probability of cracking the S K and prove that our protocol is secure.

4.1.1. Adversary Model

We used the Dolev–Yao and Canetti–Krawczyk models to define the capabilities of A [33,34]. The specific capabilities are as follows:
(1)
A can intercept, interrupt, forge, and replay the information transmitted on the common channel.
(2)
A can act as malicious insiders of the fog nodes and CS to obtain internal information.
(3)
A can guess the identities or passwords of vehicles by violent cracking.
(4)
A can obtain the values in the vehicle’s smart card.
(5)
A can obtain the private key of the CS and a random number of four entities.
Here, we use Π V m , Π R S U n , and Π F S z to represent the m-th V i , n-th R S U j , and z-th F S m instances, respectively. Here, we assume that the query capabilities of A are Y = { Π V m , Π R S U n , and Π F S z } :
(1)
E x e c u t e ( Y ) : A intercepts messages { M 1 , M 2 , M 3 , M 4 } transmitted on the common channel;
(2)
S e n d ( Y , M ) : A sends message M to entity Y and receives a response;
(3)
H a s h ( s t r i n g ) : A enters a character string of any length and returns the corresponding hash value;
(4)
C o r r u p t ( Y ) : A can obtain the private value of an entity;
(5)
T e s t ( Y ) : A flips a coin C. If C = 1 , then A can obtain S K . If C = 0 , A can obtain any string of the same length as the S K .

4.1.2. Security Requirements

The secure AKA protocol should meet the following security requirements:
1.
User anonymity and untraceability: A can neither obtain the real identity of the communication entity nor trace the session key of the communication process through the data transmitted on the public channel.
2.
Resistance of common attacks: The secure AKA protocol should be able to resist the following attacks:
(1)
Privileged insider attacks: As an A, the insiders of the communication entity spy on the private data stored in the database to disguise as a legal entity or obtain the session key;
(2)
Impersonation attacks: A intercepts and decrypts the data transmitted on the public channel, disguises as a legal entity, communicates with other entities, and establishes a session key;
(3)
Known temporary information disclosure attacks: A calculates the session key in the communication process by obtaining the random number of an entity and the data transmitted on the public channel;
(4)
Man-in-the-middle attacks: A intercepts the data transmitted on the public channel, tampers with the data, and establishes the session key with the legal entity without the knowledge of both parties of the communication entity;
(5)
Offline password guessing attacks: A intercepts the verification value containing the password stored on the public channel or in the smart device, repeatedly guesses the password, calculates the verification value in the offline state, and compares it with the intercepted verification value until the two values are equal;
(6)
Replay attacks: A repeatedly sends the message transmitted on the public channel to the communication entity so as to deceive the entity and interfere with normal communication;
(7)
Stolen smart card attacks: After A steals the smart card and obtains the parameters about the entity identity before using the parameters to launch camouflage attacks or malicious acts.
Theorem 1.
Suppose that A can execute the above queries and the probability that A can break the proposed protocol P in polynomial time is a d v A P ( ξ ) q s e n d / 2 l 1 + 3 q h a s h 2 / 2 l + 2 m a x { C · q s e n d s , q s e n d / 2 l } . Here, q s e n d refers to the number of queries executed, q h a s h refers to the number of times the hash is executed, l refers to the bit length of the biological information, and C and s refer to two constants.
Proof. 
We define seven games G M 0 G M 6 to simulate the attack process of A. In the proof, S u c c A G M i ( ξ ) represents the probability that A can win multiple rounds of the game. The process of A simulating the query is shown in Table 3. The proof steps are as follows:
G M 0 : In the ROR model, the simulation of G M 0 is consistent with a real attack. Therefore, we have
A d v A P = | 2 P r [ S u c c A G M 0 ] 1 | .
G M 1 : G M 1 and G M 0 are different from the G M 1 add Execute() operation. In G M 1 , A can intercept { M 1 , M 2 , M 3 , M 4 } transmitted on the common channel. When G M 1 ends, A executes a Test() query to compute the S K , where S K = h ( I D i I D j N i N j ) . As { I D i , I D j , N i , N j } is confidential to A, the probability of G M 1 is equal to G M 0 . The probability of G M 1 is
P r [ S u c c A G M 1 ] = P r [ S u c c A G M 0 ] .
G M 2 : The difference between G M 2 and G M 1 is that G M 2 adds the Send() operation. According to Zipf’s law [35], the probability of G M 2 is expressed as
| P r [ S u c c A G M 2 ( ξ ) ] P r [ S u c c A G M 1 ( ξ ) ] | q s e n d / 2 l .
G M 3 : G M 3 adds the Hash() operation and reduces the Send() operation. According to the birthday paradox, the probability of G M 3 is
| P r [ S u c c A G M 3 ( ξ ) ] P r [ S u c c A G M 2 ( ξ ) ] | q h a s h 2 / 2 l + 1 .
G M 4 : In G M 4 , A obtains temporary information to verify that it is resistant to known temporary information disclosure attacks. A can obtain a random number for one of the two parties: Π V m and Π R S U n . Suppose A obtains a random number N i . As I D i , I D j , and N j are unknown, the S K cannot be computed. Similarly, if the random number N j is leaked, then the S K cannot be computed by A. Therefore, the probability of G M 4 is expressed as
| P r [ S u c c A G M 4 ( ξ ) ] P r [ S u c c A G M 3 ( ξ ) ] | q h a s h 2 / 2 l + 1 .
G M 5 : In this game, A executes the Corrupt( Π V m ) query to obtain the parameters { P I D i , r i , P i , T R i , τ i } in the smart card. Legitimate users typically use low-entropy passwords. A may attempt to extract the password P S W i by executing an offline password guessing attack using the parameters { P I D i , r i , P i , T R i , τ i } . However, in our protocol, A cannot obtain P S W i without the biometric information τ i and secret credential R P W i . The probability of A guessing one bit of biological information is 1 / 2 l . According to Zipf’s law [35], when q s e n d 10 6 , the probability that A can guess a password is greater than 0.5. These results prove that the proposed protocol is resistant to offline password guessing attacks. Therefore, we can derive
| P r [ S u c c A G M 5 ] P r [ S u c c A G M 4 ) ] | m a x { C · q s e n d s , q s e n d / 2 l } .
G M 6 : This game verifies whether the proposed protocol is resistant to impersonation attacks. The difference between G M 6 and G M 5 is that A uses h ( I D i I D j N i N j ) for the query operation, and the probability of successfully obtaining S K is
| P r [ S u c c A G M 6 ( ξ ) ] P r [ S u c c A G M 5 ( ξ ) ] | q h a s h 2 / 2 l + 1 .
The probability of the success and failure of G M 6 is 1/2. Therefore, the probability that A can guess S K is
P r [ S u c c A G M 6 ( ξ ) ] = 1 / 2 .
Using these formulas, we obtain
1 / 2 A d v A P = | P r [ S u c c A G M 0 ] 1 / 2 | = | P r [ S u c c A G M 0 ] P r [ S u c c A G M 6 ] | = | P r [ S u c c A G M 1 ] P r [ S u c c A G M 6 ] | i = 0 5 | P r [ S u c c A G M i + 1 ] P r [ S u c c A G M i ] | = q s e n d / 2 l + 3 q h a s h 2 / 2 l + 1 + m a x { C · q s e n d s , q s e n d / 2 l }
Therefore, we can obtain
A d v A P q s e n d / 2 l 1 + 3 q h a s h 2 / 2 l + 2 m a x { C · q s e n d s , q s e n d / 2 l } .

4.2. Informal Security Analysis

4.2.1. Mutual Authentication

The proposed protocol realizes mutual authentication using { V 1 , V 2 , V 3 , V 4 } . F S m uses V 1 to verify the legitimacy of V i and V 2 to verify the legitimacy of R S U j . R S U j uses V 3 to verify the legitimacy of F S m , and V i uses V 4 to verify the legitimacy of R S U j . Therefore, the proposed protocol can achieve mutual authentication.

4.2.2. Replay Attacks

The timestamps { T 1 , T 2 , T 3 , T 4 } are used by the protocol to resist replay attacks. Here, we consider T 1 as an example. When R S U j receives message M 1 of V i , it first checks the freshness of T 1 . If T 1 is valid, then the authentication continues. Otherwise, authentication is suspended. Suppose A intercepts M 1 and repeatedly sends it to R S U j . When R S U j checks the freshness of T 1 , T 1 exceeds this time, and the authentication process stops. Therefore, the proposed protocol can resist replay attacks.

4.2.3. Privileged Insider Attacks

Suppose that A can obtain the value from a party’s database. Here, we consider F S m as an example. Based on this assumption, A can obtain the values { P I D f , T K F C , P I D j , I D i } stored in the database. However, because the protocol uses a secure hardware SGX, the values { T K R C , T K V C } stored in SGX are not available. Therefore, A cannot obtain the value { I D i , I D j , N i , N j } required to compute the S K , where S K = h ( I D i I D j N i N j ) . Therefore, the proposed protocol can resist privileged insider attacks.

4.2.4. Man-in-the-Middle Attacks

Suppose that A can intercept { M 1 , M 2 , M 3 , M 4 } in the common channel. Here, we consider an intercept M 1 between V i and F S m as an example. Because A does not know the values of { I D i , N i , R P W i } or { r i , T R i } in the smart card, A cannot compute the values of { I D i , N i , T V V C } required by V 1 , where V 1 = h ( I D i N i T V V C ) . Thus, the legitimacy of V i cannot be verified in F S m . The same applies for A attempting to intercept { M 2 , M 3 , M 4 } . Therefore, the proposed protocol can resist man-in-the-middle attacks.

4.2.5. User Anonymity and Untraceability

In our protocol, the identities of V i , R S U j , and F S m are not transmitted to the common channel, but pseudo-identities { P I D i , P I D j , P I D f } are transmitted. A cannot know the identities of the three, thus realizing anonymity. Because random numbers N i and N j used in { M 1 , M 2 , M 3 , M 4 } are variable in every session, A cannot track V i , R S U j , or F S m . Therefore, our protocol provides anonymity and untraceability.

5. Comparisons and Discussions

In this section, we compare the proposed protocol with the AKA protocols proposed by Ma et al. [9], Wazid et al. [29], Eftekhari et al. [10], and Wu et al. [11] in terms of security and performance.

5.1. Security Comparisons

Table 4 presents the comparison results in terms of security. Here, indicates that the protocol can resist the attack, × indicates that the protocol is vulnerable to the attack, and − demonstrates that it is not mentioned whether the protocol can resist it. As shown in the table, the protocol of Ma et al. [9] is vulnerable to privileged insider attacks, known specific temporary information disclosure attacks, and stolen smart card attacks. The protocol proposed by Wazid et al. [29] is vulnerable to impersonation attacks. The other protocols and the proposed protocol are secure.

5.2. Performance Comparison

In this part, we compare the proposed protocol with the current AKA protocols for computational and communication costs. Because the authentication phase of the proposed protocol has two cases, the calculations of the computational and communication costs are also divided into two cases.
To calculate the computational cost, we considered two cases of the proposed protocol as examples. In Case 1, R S U j and F S m have no privacy value of V i . Therefore, the CS must transmit the privacy value to R S U j and F S m to realize the entire authentication process. This situation requires the participation of the CS. Therefore, when calculating the computational cost, in addition to calculating the computational cost of the three parties involved in the authentication phase, we also needed to calculate the computational cost of the CS. In Case 2, R S U j and F S m have the private value of V i and do not require the participation of the CS; only the computational costs of V i , R S U j , and F S m need to be calculated.
When comparing the computational cost, we estimated the computational time of each entity in the protocol through a simulation experiment. We used MI 8 to simulate the vehicle, a Lenovo laptop to simulate the RSU and fog node, and a Lenovo desktop computer to simulate the cloud server. The equipment configuration of the three devices is shown in Table 5. The simulation experiment used the average execution time of the three devices 10 times as the running time, as shown in Table 6. Here, the ⊕ and ‖ operations were negligibly small, and the execution time of fuzzy extraction was similar to that of the hash function, according to [36]. It is shown in [19] that the average running time of the system with SGX only increases by 20 μ s, sufficiently showing the low computation cost of SGX. Hence, we ignored the computational cost of SGX in the following comparisons. The results of the comparison of the computational cost are listed in Table 7. It is evident from Table 7 that for V i and F S m , excluding our protocol, the other protocols performed point multiplication, so the computational cost of our protocol was the lowest. For R S U j , only our protocol contained the RSU. For the CS, the computational cost of Wazid et al. [29] was smaller than that of our protocol, whereas the others were higher than that of our protocol. As the CS had strong computing power, it did not affect the protocol’s performance. Therefore, the computational cost of the proposed protocol was relatively small.
When comparing the communication cost, the length of the timestamp was regarded as 32 bits, the length of the identity and random number was 160 bits, that of the hash function and symmetric encryption and decryption was 256 bits, and that of the ECC point was 320 bits. The proposed protocol was considered an example to illustrate the calculation method. The communication cost was calculated based on the two cases of the protocol. For Case 1, we needed to calculate the communication cost in the authentication phase and the communication cost in the data transmission phase. In Case 1, the protocol transmitted seven messages on the common channel, including M 1 = { P I D i , T V V C , V 1 , T 1 } , M 2 = { P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 } , M 3 = { T V F R , V 3 , T 3 } , M 4 = { T V R V , V 4 , T 4 } , M 5 = { R e q j , P I D i , P I D j , P I D f , T V R C , V 5 , T 5 } , M 6 = { V 6 , C N m , T 6 } , and M 7 = { V 7 , C N n , T 7 } . Here, { P I D i , T V V C , P I D j , T V R C , T V F R , T V R V , R e q f , P I D f , T V R C } are random numbers, { V 1 , V 2 , V 3 , V 4 , V 5 , V 6 } are hash values, { T 1 , T 2 , T 3 , T 4 , T 5 , T 6 , T 7 } are timestamps, and { C N m , C N n } are encrypted values. Through our calculations, the communication cost of Case 1 was 5152 bits. In Case 2, we only needed to calculate the communication cost of the four messages { M 1 , M 2 , M 3 , M 4 } in the authentication phase. Through calculations, the communication cost of Case 2 was 2688 bits. From the above calculation method, the communication costs of the protocols of Ma et al. [9], Wazid et al. [29], Eftekhari et al. [10], and Wu et al. [11] were 4512, 3488, 4416, and 4448 bits, respectively. The comparison results are presented in Table 8. Therefore, evidently in Case 1, because our protocol has seven rounds of messages, the communication cost of our protocol was higher than that of the other protocols. In Case 2, the communication cost of our protocol was lower than that of the other protocols, which significantly reduced the communication cost of the protocol.

5.3. Discussions

Now, we discuss our protocol and those of Eftekhari et al. [10] and Wu et al. [11] in terms of architecture, computational cost, and communication cost.
In the first item (architecture), both protocols [10,11] used the traditional three-layer architecture (i.e., vehicle–fog node–CS). As mentioned in the Introduction, this architecture fails to realize the function of fog nodes sharing the computational burden of the CS, because the fog nodes actually replace the RSUs, and computation is still performed on the CS. To reduce the computational burden of the CS, we extended the traditional architecture to propose the first four-layer architecture, namely vehicle–RSU–fog node–CS. In this architecture, when a vehicle enters the road and wants to communicate with the RSU, the communication modes are divided into the two cases. Case 1 requires the participation of each entity, while Case 2 only requires the participation of the vehicle, RSU and fog node without the CS. Therefore, this architecture effectively realizes the function of the fog node sharing the computational burden of the CS.
In the second item (computational cost), both protocols [10,11] performed ECC operations. Our protocol performs hash, fuzzy extraction, and symmetric encryption and decryption operations in Case 1, and it only performs hash and fuzzy extraction operations in Case 2. Though the three protocols are secure, our protocol has a lower computational cost.
In the final item (communication cost), the communication cost of the proposed protocol (Case 1) was slightly higher than that of both protocols [10,11] because it requires an additional three rounds to judge whether the vehicle communicates with the RSU for the first time. However, Case 1 only occurred once for the same vehicle and RSU. In Case 2, our protocol had a lower communication cost than Eftekhari et al. [10] and Wu et al.’s [11] protocols.

6. Conclusions

In this paper, we first introduced the IoV and fog computing and reviewed the related research results. After that, we proposed an authentication protocol based on SGX and fog computing in the IoV. In this protocol, we first proposed a four-layer architecture that significantly reduced the computational burden of the CS. To resist several well-known attacks, we applied SGX to our protocol. Finally, we proved the security of the proposed protocol through the ROR model and informal analysis. We also compared its performance with those of recent protocols. The results show that the proposed protocol had better security and a lower computational cost. Future studies will continue to conduct further research based on the architecture used. We hope that this research will provide ideas and help researchers.

Author Contributions

Conceptualization, T.-Y.W.; innovation, X.G.; methodology, T.-Y.W. and X.G.; software, Y.-C.C.; formal analysis, S.K.; investigation, C.-M.C.; writing—original draft preparation, T.-Y.W., X.G., Y.-C.C., S.K. and C.-M.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

This study did not involve humans.

Data Availability Statement

The data are contained within the article.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IoTInternet of Things
IoVInternet of Vehicles
SGXSoftware guard extensions
PRMPreserved random memory
EPCEnclave page cache
RORReal-or-Random
V2VVehicle-to-vehicle
V2PVehicles-to-pedestrians
V2IVehicle-to-infrastructure
AKAAuthenticated key agreement
RSURoadside unit
PKIPublic key infrastructure
ECCElliptic curve cryptography
AKMAuthentication key management
PUFPhysical unclonable function

References

  1. Khan, M.A.; Salah, K. IoT security: Review, blockchain solutions, and open challenges. Future Gener. Comput. Syst. 2018, 82, 395–411. [Google Scholar] [CrossRef]
  2. Chegini, H.; Naha, R.K.; Mahanti, A.; Thulasiraman, P. Process automation in an IoT–fog–cloud ecosystem: A survey and taxonomy. IoT 2021, 2, 92–118. [Google Scholar] [CrossRef]
  3. Yang, F.; Wang, S.; Li, J.; Liu, Z.; Sun, Q. An overview of internet of vehicles. China Commun. 2014, 11, 1–15. [Google Scholar] [CrossRef]
  4. Contreras-Castillo, J.; Zeadally, S.; Guerrero-Ibañez, J.A. Internet of vehicles: Architecture, protocols, and security. IEEE Internet Things J. 2017, 5, 3701–3709. [Google Scholar] [CrossRef]
  5. Zhou, H.; Xu, W.; Chen, J.; Wang, W. Evolutionary V2X technologies toward the Internet of vehicles: Challenges and opportunities. Proc. IEEE 2020, 108, 308–323. [Google Scholar] [CrossRef]
  6. Stojmenovic, I.; Wen, S.; Huang, X.; Luan, H. An overview of fog computing and its security issues. Concurr. Comput. Pract. Exp. 2016, 28, 2991–3005. [Google Scholar] [CrossRef]
  7. Chen, S.; Zhang, T.; Shi, W. Fog computing. IEEE Internet Comput. 2017, 21, 4–6. [Google Scholar] [CrossRef]
  8. Dastjerdi, A.V.; Gupta, H.; Calheiros, R.N.; Ghosh, S.K.; Buyya, R. Fog computing: Principles, architectures, and applications. In Internet of things; Elsevier: Amsterdam, The Netherlands, 2016; pp. 61–75. [Google Scholar] [CrossRef] [Green Version]
  9. Ma, M.; He, D.; Wang, H.; Kumar, N.; Choo, K.K.R. An efficient and provably secure authenticated key agreement protocol for fog-based vehicular ad-hoc networks. IEEE Internet Things J. 2019, 6, 8065–8075. [Google Scholar] [CrossRef]
  10. Eftekhari, S.A.; Nikooghadam, M.; Rafighi, M. Security-enhanced three-party pairwise secret key agreement protocol for fog-based vehicular ad-hoc communications. Veh. Commun. 2021, 28, 100306. [Google Scholar] [CrossRef]
  11. Wu, T.Y.; Lee, Z.; Yang, L.; Luo, J.N.; Tso, R. Provably secure authentication key exchange scheme using fog nodes in vehicular ad hoc networks. J. Supercomput. 2021, 77, 6992–7020. [Google Scholar] [CrossRef]
  12. Wu, T.Y.; Guo, X.; Yang, L.; Meng, Q.; Chen, C.M. A Lightweight Authenticated Key Agreement Protocol Using Fog Nodes in Social Internet of Vehicles. Mob. Inf. Syst. 2021, 2021, 3277113. [Google Scholar] [CrossRef]
  13. Ying, B.; Nayak, A. Anonymous and lightweight authentication for secure vehicular networks. IEEE Trans. Veh. Technol. 2017, 66, 10626–10636. [Google Scholar] [CrossRef]
  14. Mohit, P.; Amin, R.; Biswas, G. Design of authentication protocol for wireless sensor network-based smart vehicular system. Veh. Commun. 2017, 9, 64–71. [Google Scholar] [CrossRef]
  15. Yu, S.; Lee, J.; Lee, K.; Park, K.; Park, Y. Secure authentication protocol for wireless sensor networks in vehicular communications. Sensors 2018, 18, 3191. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  16. Li, J.; Lu, H.; Guizani, M. ACPN: A novel authentication framework with conditional privacy-preservation and non-repudiation for VANETs. IEEE Trans. Parallel Distrib. Syst. 2014, 26, 938–948. [Google Scholar] [CrossRef]
  17. Liu, X.; Guo, Z.; Ma, J.; Song, Y. A Secure Authentication Scheme for Wireless Sensor Networks Based on DAC and Intel SGX. IEEE Internet Things J. 2021, 9, 3533–3547. [Google Scholar] [CrossRef]
  18. Condé, R.C.; Maziero, C.A.; Will, N.C. Using Intel SGX to protect authentication credentials in an untrusted operating system. In Proceedings of the 2018 IEEE Symposium on Computers and Communications (ISCC), Natal, Brazil, 25–28 June 2018; pp. 158–163. [Google Scholar]
  19. Wang, J.; Hao, S.; Li, Y.; Fan, C.; Wang, J.; Han, L.; Hong, Z.; Hu, H. Challenges towards protecting vnf with sgx. In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, 21 March 2018; pp. 39–42. [Google Scholar] [CrossRef]
  20. Chaudhry, S.A. Combating identity de-synchronization: An improved lightweight symmetric key based authentication scheme for IoV. J. Netw. Intell. 2021, 6, 12. [Google Scholar]
  21. Xiong, H.; Chen, J.; Mei, Q.; Zhao, Y. Conditional privacy-preserving authentication protocol with dynamic membership updating for VANETs. IEEE Trans. Dependable Secur. Comput. 2022, 19, 2089–2104. [Google Scholar] [CrossRef]
  22. Raya, M.; Hubaux, J.P. Securing vehicular ad hoc networks. J. Comput. Secur. 2007, 15, 39–68. [Google Scholar] [CrossRef] [Green Version]
  23. Huang, J.L.; Yeh, L.Y.; Chien, H.Y. ABAKA: An anonymous batch authenticated and key agreement scheme for value-added services in vehicular ad hoc networks. IEEE Trans. Veh. Technol. 2010, 60, 248–262. [Google Scholar] [CrossRef]
  24. Sadri, M.J.; Rajabzadeh Asaar, M. A lightweight anonymous two-factor authentication protocol for wireless sensor networks in Internet of Vehicles. Int. J. Commun. Syst. 2020, 33, e4511. [Google Scholar] [CrossRef]
  25. Jiang, Q.; Zhang, X.; Zhang, N.; Tian, Y.; Ma, X.; Ma, J. Three-factor authentication protocol using physical unclonable function for IoV. Comput. Commun. 2021, 173, 45–55. [Google Scholar] [CrossRef]
  26. Kumar, S.; Banka, H.; Kaushik, B.; Sharma, S. A review and analysis of secure and lightweight ECC-based RFID authentication protocol for Internet of Vehicles. Trans. Emerg. Telecommun. Technol. 2021, 32, e4354. [Google Scholar] [CrossRef]
  27. Wu, T.Y.; Meng, Q.; Yang, L.; Guo, X.; Kumari, S. A provably secure lightweight authentication protocol in mobile edge computing environments. J. Supercomput. 2022, 1–22. [Google Scholar] [CrossRef]
  28. Huang, X.; Xiong, H.; Chen, J.; Yang, M. Efficient Revocable Storage Attribute-based Encryption with Arithmetic Span Programs in Cloud-assisted Internet of Things. IEEE Trans. Cloud Comput. 2021. [Google Scholar] [CrossRef]
  29. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817. [Google Scholar] [CrossRef]
  30. Han, M.; Liu, S.; Ma, S.; Wan, A. Anonymous-authentication scheme based on fog computing for VANET. PLoS ONE 2020, 15, e0228319. [Google Scholar] [CrossRef]
  31. Soleymani, S.A.; Goudarzi, S.; Anisi, M.H.; Zareei, M.; Abdullah, A.H.; Kama, N. A security and privacy scheme based on node and message authentication and trust in fog-enabled VANET. Veh. Commun. 2021, 29, 100335. [Google Scholar] [CrossRef]
  32. Canetti, R.; Goldreich, O.; Halevi, S. The random oracle methodology, revisited. J. ACM (JACM) 2004, 51, 557–594. [Google Scholar] [CrossRef] [Green Version]
  33. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  34. Canetti, R.; Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Innsbruck, Austria, 6–10 May 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 453–474. [Google Scholar]
  35. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
  36. He, D.; Kumar, N.; Lee, J.H.; Sherratt, R.S. Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 2014, 60, 30–37. [Google Scholar]
Figure 1. The four-layer architecture of the IoV based on fog computing.
Figure 1. The four-layer architecture of the IoV based on fog computing.
Symmetry 14 01393 g001
Figure 2. System model of Case 1.
Figure 2. System model of Case 1.
Symmetry 14 01393 g002
Figure 3. System model of Case 2.
Figure 3. System model of Case 2.
Symmetry 14 01393 g003
Figure 4. V i registration phase.
Figure 4. V i registration phase.
Symmetry 14 01393 g004
Figure 5. R S U j registration phase.
Figure 5. R S U j registration phase.
Symmetry 14 01393 g005
Figure 6. F S m registration phase.
Figure 6. F S m registration phase.
Symmetry 14 01393 g006
Figure 7. Login and authentication phase.
Figure 7. Login and authentication phase.
Symmetry 14 01393 g007
Figure 8. Data transmission phase.
Figure 8. Data transmission phase.
Symmetry 14 01393 g008
Table 1. Summary of authentication protocols.
Table 1. Summary of authentication protocols.
ProtocolsCryptographic Techniques and PropertiesLimitations
Ying et al. [13](1) One-way hash function
(2) Anonymity
(1) Does not resist replay attacks
(2) Does not resist offline identity guessing attacks
(3) Does not resist stolen smart card attacks
Mohit et al. [14](1) One-way hash function
(2) Based on smart card
(1) Does not resist impersonation attacks
(2) Does not provide mutual authentication
Yu et al. [15]One-way hash function(1) Does not resist user impersonation attacks
(2) Does not resist sensor capture attacks
Ma et al. [9](1) ECC
(2) Based on smart card
(1) Does not resist internal attacks
(2) Does not resist stolen smart card attacks
(3) Does not resist known session-specific temporary
information attacks
Wazid et al. [29](1) ECC
(2) Anonymity
Eftekhari et al. [10](1) ECC
(2) Anonymity
Wu et al. [11](1) One-way hash function
(2) ECC
Wu et al. [12](1) One-way hash function
(2) Three-factor
(3) Based on smart card
Table 2. Notations used in the protocol.
Table 2. Notations used in the protocol.
SymbolDescription
V i The i-th vehicle
R S U j The j-th RSU
F S m The m-th fog node
C S Cloud server
I D i , I D j , I D f Identities of V i , R S U j , and F S m
K C S Secret key of C S
S K Session key
D k ( ) and E k ( ) Symmetric encryption and decryption algortihm
Table 3. The process of Send, Execute, Corrupt, and Test queries.
Table 3. The process of Send, Execute, Corrupt, and Test queries.
QueryDescription
S e n d ( Y , M ) On a query S e n d ( Π V m , s t a r t ) , we assume Π V m is a normal state. Π V m selects N i , T 1 and computes T K V C = T R i h ( R P W i r i ) , T N V C = h ( T K V C P I D i ) , T V V C = ( I D i N i ) T N V C , and V 1 = h ( I D i N i T V V C ) . Then, S e n d ( Π V m , s t a r t ) returns M 1 = { P I D i , T V V C , V 1 , T 1 } .
On a query S e n d ( Π F S z , ( P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 ) ) , Π F S z computes T N V C , ( N i I D i ) , and checks V 1 .
If the verification holds, continue to calculate T N R C , N j and check V 2 . If it is equal, select T 3 and compute T V F R , V 3 .
Then, S e n d ( Π F S z , M 2 ) returns M 3 = { T V F R , V 3 , T 3 } .
On a query S e n d ( Π R S U n , ( T V F R , V 3 , T 3 ) ) , Π R S U n computes ( I D i N i ) , S K , and V 3 and checks V 3 . If V 3 holds, Π R S U n selects T 4 and computes T V R V , V 4 . Then, S e n d ( Π R S U n , M 3 ) ) returns M 4 = { T V R V , V 4 , T 4 } .
On a query S e n d ( Π V m , T V R V , V 4 , T 4 ), Π V m computes ( I D j N j ) , S K , and V 4 and checks V 4 . If it is not equal, then the query process is terminated. Otherwise, Π V m accepts and terminates.
E x e c u t e ( Y ) On an E x e c u t e query, we continue with the S e n d query simulation as follows: ( P I D i , T V V C , V 1 , T 1 ) S e n d ( Π V m , s t a r t ) ,
( P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 ) S e n d ( Π R S U n , ( P I D i , T V V C , V 1 , T 1 ) ) ,
( T V F R , V 3 , T 3 ) S e n d ( Π F S z , ( P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 ) ) , ( T V R V , V 4 , T 4 ) S e n d ( Π R S U n , ( T V F R , V 3 , T 3 ) ) .
The query returns ( P I D i , T V V C , V 1 , T 1 ) , ( P I D i , T V V C , V 1 , P I D j , T V R C , V 2 , T 2 ) , ( T V F R , V 3 , T 3 ) , and ( T V R V , V 4 , T 4 ) .
C o r r u p t ( Y ) On a C o r r u p t ( Π V m ) query, if Π V m is accepted, then it returns the private information { P I D i , r i , P i , T R i , τ i } of vehicle V.
T e s t ( Y ) On a T e s t query, to flip a coin C, if C = 1 , A can obtain S K . If C = 0 , A can obtain any string of the same length as S K .
Table 4. Comparisons of security.
Table 4. Comparisons of security.
Security Properties[9][29][10][11]Ours
Privileged insider attacks×
Impersonation attacks×
Known temporary information disclosure attacks×
Stolen smart card attacks×
User anonymity×
Man-in-the-middle attacks
Untraceability×
Offline password guessing attacks
Replay attacks
Table 5. Experimental environment.
Table 5. Experimental environment.
MI 8Lenovo Desktop ComputerLenovo Laptop
Operating SystemAndroid systemWindows 10Windows 10
CPUQualcomm Snapdragon
845
Intel(R) Core(TM)
i5-9500 CPU @ 3.00 GHz
Intel(R) Core(TM)
i7-6700HQ CPU @ 2.60 GHz
Memory6 GB8 GB RAM16 GB RAM
Table 6. Experimental results.
Table 6. Experimental results.
Operations V i (ms) RSU j / FS m (ms)CS (ms)
ECC scalar multiplication201812
ECC point addition0.15560.07310.0500
Symmetric key encryption and decryption0.22630.16480.1384
Hash function0.00420.00300.0024
Table 7. Computational cost comparison1.
Table 7. Computational cost comparison1.
Protocol V i (ms) RSU j (ms) FS m (ms)CS (ms)
Ma et al. [9] 3 T s m + 4 T h a 60.017 - 4 T s m + 4 T h a 42.012 10 T s m + 11 T h a 120.026
Wazid et al. [29] 3 T s m + 2 T f e + 22 T h a 60.100 - 2 T s m + T p a + 14 T h a 36.115 3 T h a 0.007
Eftekhari et al. [10] 3 T s m + T p a + 11 T h a 60.202 - 3 T s m + T p a + 12 T h a 54.109 3 T s m + 2 T p a + 15 T h a 36.136
Wu et al. [11] 2 T s m + T f e + 8 T h a 60.038 - 4 T s m + 5 T h a 72.015 4 T s m + 13 T h a 48.031
Ours, Case 1 T f e + 8 T h a 0.038 T e n + 9 T h a 0.092 T e n + 7 T h a 0.186 2 T e n + 6 T h a 0.291
Ours, Case 2 T f e + 8 T h a 0.038 7 T h a 0.021 6 T h a 0.018 -
1 Here, T s m indicates the running time of ECC scalar multiplication, T p a indicates running time of ECC point addition, T f e indicates running time of the fuzzy extraction operation, T e n indicates the running time of encryption and decryption, and T h a indicates the running time of the hash function.
Table 8. Communication cost comparison.
Table 8. Communication cost comparison.
ProtocolsRoundsCommunication Cost
Ma et al. [9]44512 bits
Wazid et al. [29]33488 bits
Eftekhari et al. [10]44416 bits
Wu et al. [11]44448 bits
Ours, Case 175152 bits
Ours, Case 242688 bits
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Wu, T.-Y.; Guo, X.; Chen, Y.-C.; Kumari, S.; Chen, C.-M. SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing. Symmetry 2022, 14, 1393. https://doi.org/10.3390/sym14071393

AMA Style

Wu T-Y, Guo X, Chen Y-C, Kumari S, Chen C-M. SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing. Symmetry. 2022; 14(7):1393. https://doi.org/10.3390/sym14071393

Chicago/Turabian Style

Wu, Tsu-Yang, Xinglan Guo, Yeh-Cheng Chen, Saru Kumari, and Chien-Ming Chen. 2022. "SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing" Symmetry 14, no. 7: 1393. https://doi.org/10.3390/sym14071393

APA Style

Wu, T. -Y., Guo, X., Chen, Y. -C., Kumari, S., & Chen, C. -M. (2022). SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing. Symmetry, 14(7), 1393. https://doi.org/10.3390/sym14071393

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop