Amassing the Security: An Enhanced Authentication Protocol for Drone Communications over 5G Networks

Abstract

At present, the great progress made by the Internet of Things ($IoT$) has led to the emergence of the Internet of Drones ($IoD$). $IoD$ is an extension of the $IoT$, which is used to control and manipulate drones entering the flight area. Now, the fifth-generation mobile communication technology ($5G$) has been introduced into the $IoD$; it can transmit ultra-high-definition data, make the drones respond to ground commands faster and provide more secure data transmission in the $IoD$. However, because the drones communicate on the public channel, they are vulnerable to security attacks; furthermore, drones can be easily captured by attackers. Therefore, to solve the security problem of the $IoD$, Hussain et al. recently proposed a three-party authentication protocol in an $IoD$ environment. The protocol is applied to the supervision of smart cities and collects real-time data about the smart city through drones. However, we find that the protocol is vulnerable to drone capture attacks, privileged insider attacks and session key disclosure attacks. Based on the security of the above protocol, we designed an improved protocol. Through informal analysis, we proved that the protocol could resist known security attacks. In addition, we used the real-oracle random model and ProVerif tool to prove the security and effectiveness of the protocol. Finally, through comparison, we conclude that the protocol is secure compared with recent protocols.

1. Introduction

In the past decade, the development of artificial intelligence [1,2,3] and network has witnessed significant advances. A network called the Internet of Things ($IoT$) has emerged, which connects physical objects to the network and realizes a comprehensive information interaction between objects and between people and objects [4,5,6,7,8]. The $IoT$ deploys sensors in a specific network area to collect real-time information to meet various user needs. In the $IoT$, the data transmission mode is WiFi or Bluetooth, but the communication distance of these two transmission modes is limited. Therefore, researchers have proposed using the base station for data transmission. The fourth-generation mobile communication technology ($4G$) is suitable for scenarios involving a large amount of data, strong mobility and remote use areas. However, in some cases, data transmission is unstable and the speed is not too fast, which makes meeting user needs difficult. Now, a new mobile communication network, the fifth-generation mobile communication technology ($5G$) has appeared [9]. The application of $5G$ technology to the $IoT$ environment increases the capacity of access equipment, expands the coverage area of the signal and improves the stability of signal [10,11].

Recently, drones, which are aircraft managed by a control station, have been introduced [12,13]. The physical structure of drones includes the sensor, receiver, recorder, communication module and actuator. These devices have always been used in the military field and are now widely used in civil fields, including aerial photography, express transportation, disaster relief and power patrol inspection. These applications have been used to make people’s daily life more efficient. Due to their mobile characteristics, drones have been introduced into the $IoT$ and form a special network called the Internet of Drones ($IoD$) [14,15,16,17]. The development of communication technology in the $IoD$ is similar to that in the $IoT$. Due to the limited communication distance of WiFi or Bluetooth, the flight range of drones is significantly limited. Consequently, researchers have proposed a new communication mode, namely, network-connected drones, which uses base stations to connect and control drones. However, when $4G$ is used in some specific scenarios (face recognition, high-altitude requirements, etc.), its resolution is not very clear and positioning may be inaccurate, which hinders meeting user needs. Now, some studies in recent times have combined $5G$ with $IoD$ [18,19]. The high-broadband characteristics of $5G$ can transmit ultra-high-definition data and its low delay can make responding to ground commands faster, operate more accurately and provide more secure data transmission. The universal $IoD$ architecture is shown in Figure 1. This architecture has been mentioned in many works of literature [20,21]. The $IoD$ architecture consists of four entities: user, server, drone and control room. The user obtains real-time information captured by the drones in the flight area and the control room formulates the flight mission of the drones and controls the flight area and flight altitude. Each drone is deployed in different flight areas, using built-in sensors to detect the physical phenomena of the target, or built-in cameras to capture the target video. When users want to obtain the information captured by drones in a certain area, they send a data request to the servers. The servers find the drones in the corresponding area and ask to upload the captured information, then transmit the data through $5G$ technology to meet user needs.

However, in the $IoD$ environment, because drones communicate on the public channel, they may be attacked by attackers, such as replay attacks [22], impersonation attacks [20,21], or man-in-the-middle attacks [21,23]. Moreover, the real-time sensitive data in transmission need to be kept confidential [24,25]. Drones flying in a certain area are also susceptible to being captured by attackers and the secret values stored in the memory would also be exposed [23,26]. Therefore, these problems make it necessary to design security protocols to ensure normal communication. Due to the relatively weak computing and storage capabilities of drones, the designed protocol should also meet the lightweight requirements. Recently, Hussain et al. [21] proposed a three-party authentication protocol in an $IoD$ environment. Because the computing power of drones is relatively weak, the protocol is lightweight and conforms to the scenario of using the drone. The protocol is applied to the supervision of the smart city, users who want to obtain real-time data about smart cities collected by drones can only transmit data after both parties have been authenticated. However, we find that Hussain et al.’s protocol is vulnerable to drone capture attacks and privileged insider attacks. The attacker can also impersonate the user by obtaining the information in the server memory to complete a session. Based on the security problems of Hussain et al.’s protocol, it is necessary to design an enhanced protocol to ensure communication security. To solve these security problems, we improved Hussain et al.’s protocol by proposing an enhanced authentication protocol. Based on the relatively weak computing power of drones, the protocol uses only lightweight primitives. Through informal analysis, we proved that the protocol can resist known security attacks. In addition, we used the real-oracle random (ROR) model and ProVerif tool to prove the security and effectiveness of the protocol. Finally, by comparing the proposed protocol with other available protocols, we show that the effectiveness of the proposed protocol.

The rest of this paper is structured as follows: In Section 2, we review the recent research results on the drone communication authentication protocol. In Section 3, we briefly describe the protocol of Hussain et al. [21] and we point out their security problems. We show the specifics of the proposed protocol in Section 4. In Section 5, we use the ROR model, ProVerif tool and informal security analysis to prove the security and effectiveness of the proposed protocol. In Section 6, we compare the proposed protocol with recent protocols and conclude that our protocol is better in terms of security. Finally, we present our conclusions in Section 7.

2. Related Work

A variety of studies have focused on designing authentication and key agreement (AKA) protocols for $IoT$. In 2014, Turkanovic et al. [27] designed an authentication protocol to ensure secure communication in the $IoT$ environment. The protocol has a low computational cost and only uses lightweight primitives. However, in 2016, Farash et al. [28] pointed out that Turkanovic et al.’s protocol [27] could not provide anonymity of users and sensors and could not resist session key disclosure attacks, stolen smart card attacks and sensor node impersonation attacks. This showed that Turkanovic et al.’s protocol [27] was unsafe, which was contrary to their statement of security at that time. At the same time, Farash et al. [28] proposed an enhanced protocol based on Turkanovic et al.’s [27] and claimed that the protocol was secure. However, Amin et al. [29] showed that the protocol of Farash et al. [28] was vulnerable to off-line password guessing attacks, user impersonation attacks and temporary information disclosure attacks. Amin et al. [29] proposed a three-factor authentication protocol, which could realize anonymous protection. Later, research on the combination of $IoT$ and $5G$ was mentioned in the literature [30,31,32]. In 2019, Lee et al. [30] designed a cross-layer protocol based on the physical layer and cryptography authentication. In the same year, Jangirala et al. [31] proposed an authentication protocol based on blockchain. The protocol uses radio frequency identification (RFID) technology and bit rotation operation to realize the security authentication of the $IoT$ environment. In 2020, Minahil et al. [32] designed an authentication protocol for $IoT$ applications. The protocol uses the hash function and elliptic curve encryption (ECC) point addition operation to realize mutual authentication between users and servers.

Recently, research on the $IoD$ has been widely conducted [33,34,35]. All the architectures proposed in the above literature are for users to communicate with drones, but other architectures of drones may need to be discussed in real life, such as the combination and communication between drones and external smart devices in the $IoT$ environment [36,37]. Then, researchers designed an AKA protocol for $IoD$. Bera et al. [38] designed a blockchain-based control protocol that not only uses the hash function but also uses expensive operation primitives, such as ECC and digital signature. Tian et al. [39] designed an AKA based on privacy protection that uses expensive digital signature and modular multiplication. In addition, Li et al. [40] proposed a secure authentication mechanism based on ECC and claimed to be lightweight, but the mechanism encrypts messages through a public key infrastructure (PKI) mechanism, which is cost-intensive. Ever et al. [20] designed a security protocol, which realizes the mutual authentication between users and drones. The protocol [20] uses bilinear pairing and ECC, which has a large computational cost. Moreover, the protocol [20] cannot provide user anonymity and untraceability and cannot resist drone capture attacks. Hussain et al. [21] designed a protocol for smart cities using drones. The protocol [21] uses symmetric encryption operation and cannot resist privileged insider attacks, impersonation attacks and drone capture attacks. The protocols mentioned above have high costs and make it difficult to meet the needs of lightweight computing primitives for drones due to their weak computing power.

Subsequently, researchers began to design AKA protocols for the $IoD$ from a lightweight perspective. In 2019, Srinivas et al. [23] designed an AKA based on temporal credentials and claimed that the protocol [23] could resist known attacks. However, Ali et al. [41] found that Srinivas et al.’s protocol [23] could not provide user anonymity and could not resist mutual authentication, stolen verification attacks. In the same year, Wizard et al. [20] designed a protocol based on anonymity, but the protocol [20] could not achieve mutual authentication and was vulnerable to privileged insider attacks and impersonation attacks. In 2020, Chen et al. [22] proposed a privacy protection authentication protocol for drone communication, but the protocol [22] could not resist temporary information disclosure and replay attacks. In 2020, Zhang et al. [42] proposed a key agreement protocol, which is lightweight and suitable for the $IoD$ environment. However, the protocol [42] could not resist the stolen smart card attacks nor provide untraceability.

In recent years, $5G$ technology has been introduced into the $IoD$ to improve the clarity and security of data transmission. In 2020, Abdel et al. [43] proposed an authentication inspired by the second factor, which triggers the second factor for authentication. In 2021, Abdel et al. [18] designed a signature-based authentication in a $5G$ network. In the same year, Alladi et al. [19] designed an AKA protocol, also known as Drone-MAP. The authentication protocol [19] was based on a $5G$ network and uses a physical unclonable function (PUF) to realize mutual authentication between the drone and $5G$ base station. Some important related works are summarized in

Table 1. The summary of authentication protocols.

Protocols	Cryptographic Techniques	Limitations
Turkanovic et al. [27]	(1) Utilizes one-way hash function (2) Based on smart card	(1) Does not resist session key disclosure attacks (2) Does not provide user anonymity (3) Does not resist sensor node impersonation attacks
Farash et al. [28]	(1) Utilizes one-way hash function (2) Based on smart card (3) Two-factor	(1) Does not resist off-line password guessing attacks (2) Does not resist user impersonation attacks (3) Does not resist temporary information disclosure attacks
Zhang et al. [42]	(1) Utilizes one-way hash function (2) Based on smart card (3) Two-factor	(1) Does not resist stolen smart card attacks (2) Does not provide untraceability
Chen et al. [22]	(1) Utilizes one-way hash function (2) Utilizes ECC (3) Utilizes asymmetric encryption	(1) Does not resist temporary information disclosure attacks (2) Does not resist replay attacks
Srinivas et al. [23]	(1) Utilizes one-way hash function (2) Three-factor	(1) Does not resist privileged insider attacks (2) Does not resist drone capture attacks (3) Does not provide user anonymity and untraceability
Wazid et al. [20]	(1) Utilizes one-way hash function (2) Three-factor	(1) Does not resist privileged insider attacks (2) Does not resist impersonation attacks (3) Does not provide mutual authentication
Ever et al. [26]	(1) Utilizes one-way hash function (2) Utilizes bilinear pairing (3) Utilizes ECC	(1) Does not resist privileged insider attacks (2) Does not resist drone capture attacks (3) Does not provide user anonymity and untraceability
Hussain et al. [21]	(1) Utilizes one-way hash function (2) Based on symmetric encryption (3) Three-factor	(1) Does not resist privileged insider attacks (2) Does not resist impersonation attacks (3) Does not resist drone capture attacks

.

3. Security Analysis of Hussain et al.’s Protocol

3.1. Review of Hussain et al.’s Protocol

In this section, we briefly review the protocol of Hussain et al. [21]. The protocol consists of three entities: user ($U_i$), drone ($D_j$) and server (S). The protocol has three phases: predeployment phase, user registration phase and login authentication phase. The symbols used in this protocol are shown in

Table 2. Notations used in the protocol.

Symbol	Description
$U_i$	The i-th user
$D_j$	The j-th drone
S	Server
$I{D}_i,I{D}_j,I{D}_S$	Identities of $U_i$, $D_j$ and S
$TI{D}_i$	Temporary identities of $U_i$
$PS{W}_i$	Password of $U_i$
$K_S$	Secret key of S
$SK$	Session key

.

3.1.1. Predeployment Phase

S selects an identity $I{D}_j$ for all drones $D_j$ before deployment, computes the value $N_j=h(I{D}_j\Vert K_s)$, then saves $\{I{D}_j,N_j\}$ to the memory of drones $D_j$ and, finally, saves the $I{D}_j$ to its own memory.

3.1.2. User Registration Phase

(1)

First, user $U_i$ selects its identity $I{D}_i$ and then sends the identity $I{D}_i$ to S through the secure channel.

(2)

After receiving $I{D}_i$, S selects the random number n, computes $RI{D}_i=E_{K_s}(I{D}_i\Vert n)$ and $N_i=h(I{D}_i\Vert n\Vert K_s)$ and then saves the identity $I{D}_i$ to its database. Finally, S generates the random number M and sends message $\{RI{D}_i,N_i,I{D}_j,M\}$ to $U_i$.

(3)

After receiving the message $\{RI{D}_i,N_i,I{D}_j,M\}$ sent by S, $U_i$ selects the password $PS{W}_i$, biometric $BI{O}_i$ and the random number $r_i$, then computes $Gen\left(BI{O}_i\right)=({\sigma }_i,{\tau }_i)$, $RI{D}_i^{\prime }=RI{D}_i\oplus (PS{W}_i\Vert {\sigma }_i)$, $I{D}_j^{\prime }=I{D}_j\oplus (I{D}_i\Vert PS{W}_i\Vert {\sigma }_i)$, $N_i^{\prime }=N_i\oplus (I{D}_i\Vert {\sigma }_i),RP{W}_i=(PS{W}_i\Vert r_i)$, $M^{\prime }=M\oplus (I{D}_i\Vert PS{W}_i\Vert {\sigma }_i)$, $R_i=r_i\oplus (PS{W}_i\Vert I{D}_i\Vert {\sigma }_i)$ and $P_i=(M\Vert RI{D}_i\Vert RP{W}_i\Vert {\sigma }_i)$. Finally, $U_i$ stores $\{RI{D}_i^{\prime },I{D}_j^{\prime },N_i^{\prime },M^{\prime },R_i,P_i,{\tau }_i,Gen\left(\right),Rep\left(\right),h\left(\right)\}$ in mobile device $M{D}_i$.

3.1.3. Login and Authentication Phase

(1)

First, $U_i$ enters the identity $I{D}_i$, password $PS{W}_i^{\prime }$ and biometric $BI{O}_i^{\prime }$ into $M{D}_i$ and $M{D}_i$ computes ${\sigma }_i^{\prime }=Rep(BI{O}_i^{\prime },{\tau }_i)$, $RI{D}_i=RI{D}_i^{\prime }\oplus (PS{W}_i^{\prime }\Vert {\sigma }_i^{\prime })$, $I{D}_j=I{D}_j^{\prime }\oplus (I{D}_i\Vert PS{W}_i^{\prime }\Vert {\sigma }_i^{\prime })$, $N_i=N_i^{\prime }\oplus (I{D}_i\Vert {\sigma }_i^{\prime })$, $r_i=R_i\oplus (PS{W}_i^{\prime }\Vert I{D}_i\Vert {\sigma }_i^{\prime })$, $RP{W}_i^{\prime }=(PS{W}_i^{\prime }\Vert r_i)$, $M=M^{\prime }\oplus (I{D}_i\Vert PS{W}_i^{\prime }\Vert {\sigma }_i^{\prime })$, $P_i=(M\Vert RI{D}_i\Vert RP{W}_i^{\prime }\Vert {\sigma }_i^{\prime })$. Then, $M{D}_i$ compares $P_i^{\prime }\stackrel{?}{=}{P}_i$. If equal, it means that $U_i$ successfully logs in to $M{D}_i$. Otherwise, the login fails. After a successful login, $M{D}_i$ selects a random number $r_1$ and timestamp $T_1$, then computes $A_1=RI{D}_i$, $A_2=I{D}_j\oplus h(N_i\Vert I{D}_i\Vert T_1)$, $A_3=h(I{D}_s\Vert N_i\Vert T_1)\oplus r_1$ and $A_4=h(I{D}_i\Vert I{D}_s\Vert I{D}_j\Vert N_i\Vert r_1\Vert T_1)$. Finally, $U_i$ sends the authentication request $M_1=\{A_1,A_2,A_3,A_4,T_1\}$ to S.

(2)

After receiving the authentication request $M_1$ from $U_i$, S first verifies the freshness of the timestamp $T_1$. If the time has been exceeded, the authentication is terminated. Otherwise, S computes $(I{D}_i\Vert n)=D_{Ks}\left(A_1\right)$ to verify whether $I{D}_i$ is registered. If it is registered, S computes $N_i=h(I{D}_i\Vert n\Vert K_s)$, $I{D}_j=A_2\oplus h(N_i\Vert I{D}_i\Vert T_1)$, $r_1^{\prime }=h(I{D}_s\Vert N_i\Vert T_1)\oplus A_3$ and $A_4^{\prime }=h(I{D}_i\Vert I{D}_s\Vert I{D}_j\Vert N_i\Vert r_1^{\prime }\Vert T_1)$. Then, S compares $A_4^{\prime }\stackrel{?}{=}{A}_4$. If not equal, it means that $U_i$ is illegal. Otherwise, S selects the random numbers $r_2$, $r_i^{new}$ and timestamp $T_2$ and computes $N_j=h(I{D}_j\Vert K_s)$, $A_5=h(N_j\Vert I{D}_j)\oplus h(I{D}_j\Vert r_1\Vert r_2)$, $A_6=h(N_j\Vert T_2)\oplus I{D}_i$, $A_7=h(N_j\Vert I{D}_j\Vert h(I{D}_s\Vert r_1\Vert r_2)\Vert T_2)$ and $A_8=E_{K_s}(I{D}_i\Vert r_i^{new})\oplus h(N_i\Vert I{D}_i\Vert RI{D}_i)$. Finally, S sends the message $M_2=\{A_5,A_6,A_7,A_8,T_2\}$ to drone $D_j$.

(3)

After receiving the message $M_2$, $D_j$ first verifies the freshness of $T_2$. If the time has not been exceeded, it computes $I{D}_i=h(N_j\Vert T_2)\oplus A_6$, $A_9=h(I{D}_j\Vert N_j)\oplus A_5$, $A_{10}=h(N_j\Vert I{D}_j\Vert A_9\Vert T_2)$. Then, $D_j$ compares $A_{10}\stackrel{?}{=}{A}_7$. If not equal, it means that S is illegal. Otherwise, $D_j$ selects the random number $r_3$ and timestamp $T_3$ and computes $A_{11}=h(I{D}_j\Vert I{D}_i\Vert T_3)\oplus r_3$, $SK=h(A_9\Vert r_3\Vert I{D}_i\Vert I{D}_j)$, $A_{12}=h(I{D}_i\Vert I{D}_j\Vert r_3)\oplus A_9$ and $A_{13}=h(SK\Vert T_3)$. Finally, $D_j$ sends the message $M_3=\{A_{11},A_{12},A_{13},A_8,T_3\}$ to $U_i$.

(4)

After receiving the message $M_3$, $U_i$ first verifies the freshness of $T_3$. If the time has not been exceeded, it computes $r_3^{\prime }=h(I{D}_j\Vert I{D}_i\Vert T_3)\oplus A_{11}$, $A_9^{\prime }=h(I{D}_i\Vert I{D}_j\Vert r_3)\oplus A_{12}$, $SK=h(A_9^{\prime }\Vert r_3^{\prime }\Vert I{D}_i\Vert I{D}_j)$ and $A_{14}=h(SK\Vert T_3)$. Then, $U_i$ compares $A_{14}\stackrel{?}{=}{A}_{13}$. If not equal, it means that $D_j$ is illegal and the authentication is terminated. Otherwise, the authentication is successful. Finally, $U_i$ updates $\overline{RI{D}_i}=A_8\oplus h(N_i\Vert I{D}_i\Vert RI{D}_i)$ and $RI{D}_i=\overline{RI{D}_i}$.

3.2. Cryptanalysis of Hussain et al.’s Protocol

In this part, we point out that the protocol of Hussain et al. [21] is vulnerable to drone capture attacks, session key disclosure attacks and drone impersonation attacks.

3.2.1. Adversary Model

We briefly describe the capabilities of the adversary (A) and use the D–Y model according to the literature [44,45,46]. The capabilities are described in detail as follows:

(1)

A can intercept, modify and eavesdrop messages transmitted on public channels.

(2)

A can obtain information stored in the server.

(3)

A can extract the private value in the memory of the captured drones.

3.2.2. Drone Capture Attacks

We assume that A can capture drones $D_j$ and obtain the value $\{I{D}_j,N_j\}$ stored in the memory of $D_j$. A can compute the session key $SK$ through the following steps:

(1)

A first intercepts $\{A_5,A_6,T_2\}$ in $M_2$ and $\{A_{11},T_3\}$ in $M_3$ transmitted by the common channel.

(2)

A can compute $I{D}_i$, $A_9$ and $r_3$ through $I{D}_i=h(N_j\Vert T_2)\oplus A_6,A_9=h(I{D}_j\Vert N_j)\oplus A_5$ and $r_3=h(I{D}_j\Vert I{D}_i\Vert T_3)\oplus A_{11}$.

(3)

A can successfully compute $SK=h(A_9\Vert r_3\Vert I{D}_i\Vert I{D}_j)$.

Therefore, the protocol of Hussain et al. [21] cannot resist drone capture attacks.

3.2.3. Privileged Insider Attacks

We assume that A obtains $K_s$ stored in the server. Based on this attack, there are two security vulnerabilities.

A. Session Key Disclosure Attacks

(1)

A first intercepts $\{A_2,A_5,A_{11},T_1,T_2\}$ transmitted by the common channel.

(2)

A can obtain $I{D}_i$ and n by computing $(I{D}_i\Vert n)=D_{Ks}\left(A_1\right)$ with the value of $K_s$. Then, A can compute $N_j=h(I{D}_j\Vert K_s)$, $I{D}_j=A_2\oplus h(N_i\Vert I{D}_i\Vert T_1)$, $A_9=h(I{D}_j\Vert N_j)\oplus A_5$ and $r_3=h(I{D}_j\Vert I{D}_i\Vert T_3)\oplus A_{11}$.

(3)

A can successfully compute $SK=h(A_9\Vert r_3\Vert I{D}_i\Vert I{D}_j)$.

Therefore, the protocol of Hussain et al. [21] cannot resist session key disclosure attacks.

B. Drone Impersonation Attacks

Similar to the session key disclosure attacks mentioned above, this attack is also based on privileged insider attacks. A can obtain $\{I{D}_i,I{D}_j,N_j,A_9,A_8\}$.

(1)

After receiving the message $M_2$ sent by S, A selects the random number $r_3^{*}$ and timestamp $T_3^{*}$ and computes $A_{11}^{*}=h(I{D}_j\Vert I{D}_i\Vert T_3^{*})\oplus r_3^{*}$, $SK=h(A_9\Vert r_3^{*}\Vert I{D}_i\Vert I{D}_j)$, $A_{12}^{*}=h(I{D}_i\Vert I{D}_j\Vert r_3^{*})\oplus A_9$ and $A_{13}^{*}=h(SK\Vert T_3^{*})$. Finally, $D_j$ sends the message $M_3^{*}=\{A_{11}^{*},A_{12}^{*},A_{13}^{*},A_8,T_3^{*}\}$ to $U_i$.

(2)

After receiving the message $M_3^{*}$, $U_i$ first verifies the freshness of $T_3^{*}$ and computes $r_3^{*}=h(I{D}_j\Vert I{D}_i\Vert T_3^{*})\oplus A_{11}^{*}$, $A_{12}^{*}=h(I{D}_i\Vert I{D}_j\Vert r_3^{*})\oplus A_{12}^{*}$, $SK=h(A_9\Vert r_3^{*}\Vert I{D}_i\Vert I{D}_j)$ and $A_{14}^{*}=h(SK\Vert T_3^{*})$. $U_i$ compares $A_{14}^{*}\stackrel{?}{=}{A}_{13}^{*}$. Then, $U_i$ successfully authenticates A and establishes session key $SK$. Finally, $U_i$ updates $\overline{RI{D}_i}=A_8\oplus h(N_i\Vert I{D}_i\Vert RI{D}_i)$ and $RI{D}_i=\overline{RI{D}_i}$.

Therefore, A can impersonate a legitimate $D_j$ to complete authentication with $U_i$; the protocol of Hussain et al. [21] cannot resist drone impersonation attacks.

4. The Proposed Protocol

To improve the security of Hussain et al.’s protocol [21], we propose an improved protocol based on the architecture shown in Figure 1. The protocol consists of three entities: $U_i$, $D_j$ and S. The protocol has three phases: drone registration phase, user registration phase and login authentication phase.

4.1. Drone Registration Phase

$D_j$ registers with S. The registration phase is shown in Figure 2. The registration steps are as follows.

(1)

First, drone $D_j$ selects its identity $I{D}_j$ and then sends the identity $I{D}_j$ to S through the secure channel.

(2)

After receiving $I{D}_j$, S selects the random number $k_j$, computes $N_j=h(I{D}_j\Vert k_j\Vert K_s)$ and then saves $\{I{D}_j,k_j\}$ to its database. Finally, S sends message $\left\{N_j\right\}$ to $D_j$.

(3)

After receiving the message $\left\{N_j\right\}$ sent by S, $D_j$ stores $\left\{N_j\right\}$ in its database.

4.2. User Registration Phase

$U_i$ registers with S. The registration phase is shown in Figure 3. The registration steps are as follows.

(1)

First, user $U_i$ selects $I{D}_i,PS{W}_i,BI{O}_i,r$ and computes $Gen\left(BI{O}_i\right)=({\sigma }_i,{\tau }_i)$. Then, $U_i$ sends identity $I{D}_i$ to S through the secure channel.

(2)

After receiving $I{D}_i$, S selects the random number $k_i$ and $TI{D}_i$, computes $RP{W}_i=(PS{W}_i\Vert r)$, $RI{D}_i=h(I{D}_i\Vert k_i)$, $N_i=h(RI{D}_i\Vert k_i\Vert K_s)$ and $RI{D}_i^{*}=RI{D}_i\oplus h(k_i\Vert K_s)$ and then saves the identity $\{TI{D}_i,RI{D}_i^{*},k_j\}$ to its database. Finally, S sends message $\{RI{D}_i,N_j,I{D}_j,TI{D}_i\}$ to $U_i$.

(3)

After receiving the message $\{RI{D}_i,N_i,I{D}_j,TI{D}_i\}$ sent by S, $U_i$ computes $RI{D}_i^{\prime }=RI{D}_i\oplus (I{D}_i\Vert {\sigma }_i)$, $N_i^{\prime }=N_i\oplus (PS{W}_i\Vert {\sigma }_i)$, $I{D}_j^{\prime }=I{D}_j\oplus (I{D}_i\Vert PS{W}_i\Vert r)$ and $P_i=(I{D}_i\Vert RP{W}_i\Vert {\sigma }_i)$. Finally, $U_i$ stores $\{RI{D}_i^{\prime },I{D}_j^{\prime },N_i^{\prime },r,P_i,TI{D}_i,{\tau }_i,Gen\left(\right),Rep\left(\right),h\left(\right)\}$ in mobile device $M{D}_i$.

4.3. Login and Authentication Phase

In the login and authentication phase, $U_i$ and $D_j$ achieve mutual authentication and establish session key $SK$ with the help of S. The login and authentication phase is shown in Figure 4 and the steps are as follows:

(1)

First, $U_i$ enters identity $I{D}_i$, password $PS{W}_i$ and biometric $BI{O}_i$ into $M{D}_i$ and $M{D}_i$ computes ${\sigma }_i^{\prime }=Rep(BI{O}_i,{\tau }_i)$, $RP{W}_i=(PS{W}_i\Vert r)$ and $P_i^{*}=(I{D}_i\Vert RP{W}_i\Vert {\sigma }_i^{\prime })$. Then, $M{D}_i$ compares $P_i^{\prime }\stackrel{?}{=}{P}_i$. If they are equal, it means that $U_i$ successfully logs in to $M{D}_i$. Otherwise, the login fails. After a successful login, $M{D}_i$ computes $RI{D}_i=RI{D}_i^{\prime }\oplus (PS{W}_i\Vert {\sigma }_i^{\prime })$, $I{D}_j=I{D}_j^{\prime }\oplus (I{D}_i\Vert PS{W}_i\Vert r)$ and $N_i=N_i^{\prime }\oplus (PS{W}_i\Vert {\sigma }_i^{\prime })$. Then, $M{D}_i$ selects the random number $r_1$ and timestamp $T_1$ and computes $A_1=h(RI{D}_i\Vert T_1)\oplus r_1$, $A_2=I{D}_j\oplus h(N_i\Vert RI{D}_i\Vert T_1)$ and $V_1=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert T_1)$. Finally, $U_i$ sends the authentication request $M_1=\{A_1,A_2,V_1,TI{D}_i,T_1\}$ to S.

(2)

After receiving the authentication request $M_1$ from $U_i$, S first verifies the freshness of the timestamp $T_1$. If the time has been exceeded, the authentication is terminated. Otherwise, S searches $\{RI{D}_i^{*},k_j\}$ according to $TI{D}_i$ and computes $RI{D}_i=RI{D}_i^{*}\oplus h(k_i\Vert K_s)$, $N_i=h(RI{D}_i\Vert k_i\Vert K_s)$, $r_1=h(RI{D}_i\Vert T_1)\oplus A_1$, $I{D}_j=A_2\oplus h(N_i\Vert RI{D}_i\Vert T_1)$ and $V_1^{\prime }=h(RI{D}_i\Vert I{D}_j\Vert r_i\Vert T_1)$. Subsequently, S compares $V_1^{\prime }\stackrel{?}{=}{V}_1$. If they are not equal, it means that $U_i$ is illegal. Otherwise, S selects the random number $r_2$ and timestamp $T_2$ and computes $N_j=h(I{D}_j\Vert k_j\Vert K_s)$, $A_3=r_2\oplus h(I{D}_j\Vert N_j)$, $A_4=RI{D}_i\oplus h(I{D}_j\Vert N_j\Vert T_2)$ and $V_2=h(I{D}_j\Vert N_j\Vert r_2\Vert T_2)$. Finally, S sends the message $M_2=\{A_1,A_3,A_4,V_2,T_1,T_2\}$ to drone $D_j$.

(3)

After receiving the message $M_2$, $D_j$ first verifies the freshness of $T_2$. If the time has not been exceeded, it computes $RI{D}_i=h(I{D}_j\Vert N_j\Vert T_2)\oplus A_4$, $r_2=h(I{D}_j\Vert N_j)\oplus A_3$ and $V_2^{\prime }=h(I{D}_j\Vert N_j\Vert r_2\Vert T_2)$. Then, $D_j$ compares $V_2^{\prime }\stackrel{?}{=}{V}_2$. If they are not equal, it means that S is illegal. Otherwise, $D_j$ selects the random number $r_3$ and timestamp $T_3$ and computes $r_1=h(RI{D}_i\Vert T_1)\oplus A_1$, $SK=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert r_2\Vert r_3)$, $A_5=h(RI{D}_i\Vert T_3)\oplus r_3$, $A_6=h(I{D}_j\Vert T_3)\oplus r_2$ and $V_3=h(SK\Vert I{D}_j\Vert RI{D}_i\Vert r_1\Vert r_3)$. Finally, $D_j$ sends the message $M_3=\{A_5,A_6,V_3,T_3\}$ to $U_i$.

(4)

After receiving the message $M_3$, $U_i$ first verifies the freshness of $T_3$. If the time has not been exceeded, it computes $r_3=h(RI{D}_i\Vert T_3)\oplus A_5$, $r_2=h(I{D}_j\Vert T_3)\oplus A_6$, $SK=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert r_2\Vert r_3)$ and $V_3^{\prime }=h(SK\Vert I{D}_j\Vert RI{D}_i\Vert r_1\Vert r_3)$. Then, $U_i$ compares $V_3^{\prime }\stackrel{?}{=}{V}_3$. If they are not equal, it means that $D_j$ is illegal and the authentication is terminated. Otherwise, the authentication is successful.

5. Security Analysis

5.1. Formal Security Analysis

In this part, we show how we used the ROR model to analyze the security of the proposed protocol. The ROR model was proposed by Canetti et al. [47,48]. The ROR model was used to judge the security of the protocol by obtaining the probability of successfully cracking the session key $SK$ through different game rounds.

5.1.1. ROR Model

The protocol consists of three entities: $U_i$, $D_j$ and S. In the ROR model, ${\Pi }_{U_i}^x$, ${\Pi }_{D_j}^y$ and ${\Pi }_S^z$ represent the x-th instance of $U_i$, the y-th instance of $D_j$ and the z-th instance of S, respectively. Let us suppose that A has the following query capabilities: $Q=\{{\Pi }_{U_i}^x$, ${\Pi }_{D_j}^y$, ${\Pi }_S^z\}$.

(1)

$Execute\left(Q\right)$: By executing this query, A can intercept messages transmitted among $U_i$, $D_j$ and S on the common channel.

(2)

$Send(Q,M)$: By executing this query, A can send message M to Q and receive a response from Q.

(3)

$Hash\left(string\right)$: Through executing this query, A can enter a string and return its hash value.

(4)

$Corrupt\left(Q\right)$: By executing this query, A can obtain a party’s private value, such as long-term key, parameters stored in a smart card, or temporary information.

(5)

$Test\left(Q\right)$: By executing this query, A flips a coin C. If C = 1, A can obtain the correct $SK$. If C = 0, A can obtain any string of the same length as $SK$.

5.1.2. ROR Proof

Theorem 1.

In the ROR model, assuming that A can execute the above five queries, the probability that A can break the proposed protocol P in polynomial time is $ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)\le q_{send}/2^{l-2}+3q_{hash}^2/2^{l-1}+2max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}$, where $q_{send}$ refers to the number of queries executed; $q_{hash}$ refers to the number of times hash queries executed; l refers to the bit length of biological information; and $C^{\prime }$ and $s^{\prime }$ refer to two constants.

Proof. 

Our proof consists of seven game rounds, from $G{M}_0$ to $G{M}_6$. $Suc{c}_A^{G{M}_i}\left(\xi \right)$ represents the probability that A can win in seven rounds of the game.

$G{M}_0$: $G{M}_0$ is the first round of the game and does not start any query operation. This round of the game begins by flipping a coin C. Therefore, we can obtain the probability that A can successfully break P as

$$Ad{v}_A^P=|2Pr\left[Suc{c}_A^{G{M}_0}\right]-1|.$$

(1)

$G{M}_1$: $G{M}_1$ has one more $Execute\left(Q\right)$ operation than $G{M}_0$ and A intercepts only the message $\{M_1,M_2,M_3\}$ transmitted on the common channel in $G{M}_1$. Since the values of $I{D}_j$, $r_1$, $r_2$, $r_3$ and $RI{D}_i$ are unknown, A cannot compute the $SK$ through the $test\left(Q\right)$ query. Therefore, the probability of $G{M}_1$ is equal to that of $G{M}_0$.

$$Pr\left[Suc{c}_A^{G{M}_1}\right]=Pr\left[Suc{c}_A^{G{M}_0}\right].$$

(2)

$G{M}_2$: $G{M}_2$ has one more $Send\left(Q\right)$ operation than $G{M}_1$. According to Zipf’s law [49], we can obtain the probability of $G{M}_2$ as

$$|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)\right]|\le q_{send}/2^l.$$

(3)

$G{M}_3$: $G{M}_3$ has one more $Hash\left(Q\right)$ operation than $G{M}_2$. According to the birthday paradox, we can obtain the probability of $G{M}_3$ as

$$|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)\right]|\le q_{hash}^2/2^{l+1}.$$

(4)

$G{M}_4$: In this round, the ROR model analyzes two events to prove the security of the protocol. One is to obtain the long-term key $K_S$ of S to prove that the protocol can provide perfect forward security and the other is to obtain the temporary information of an entity to prove that the protocol can resist the known session-specific temporary information disclose attacks.

(1)

Perfect forward security: A uses ${\Pi }_S^Z$ to obtain the long-term key $K_S$ of S or uses ${\Pi }_{U_i}^x$ and ${\Pi }_{D_j}^y$ to obtain the private value used in the registration phase.

(2)

Known session-specific temporary information disclose attacks: A uses ${\Pi }_{U_i}^x$, ${\Pi }_{D_j}^y$ and ${\Pi }_S^z$ to obtain random numbers of three parties.

For the previous event, even if A obtains the long-term key $K_S$ of S or the private value used by both in the registration phase, the values of $\{r_1,r_2,r_3,RI{D}_i,I{D}_j\}$ cannot be computed and A cannot compute the value of $SK$, where $SK=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert r_2\Vert r_3)$. For the latter event, even if A can obtain $r_1$, the values of $\{r_2,r_3,RI{D}_i,I{D}_j\}$ are confidential; thus, $SK$ cannot be computed. Similarly, even if A can obtain $r_2$ or $r_3$, the value of $SK$ cannot be computed. We can obtain the probability of $G{M}_4$ as follows:

$$|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_4}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]|\le q_{send}/2^l+q_{hash}^2/2^{l+1}.$$

(5)

$G{M}_5$: In $G{M}_5$, A uses $Corrupt\left(Q\right)$ to query the parameters $\{RI{D}_i^{\prime },I{D}_j^{\prime },N_i^{\prime },M^{\prime },R_i,P_i,{\tau }_i\}$, which proves that the protocol can resist offline password guessing attacks. $U_i$ registers with S using password $PS{W}_i$ and biometric $BI{O}_i$. A wants to guess $P_i=(M\Vert RI{D}_i\Vert RP{W}_i\Vert {\sigma }_i)$, but $I{D}_i$ and $RP{W}_i$ are confidential. The probability of A guessing l bits of biological information is $1/2^l$. According to Zipf’s law [49], when $q^{send}\le {10}^6$, the probability that A can guess the password is greater than 0.5. Therefore, we can obtain the probability of $G{M}_5$ as

$$|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_5}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_4}\left(\xi \right)\right]|\le max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}$$

(6)

$G{M}_6$: $G{M}_6$ is to verify whether protocol P can resist impersonation attacks. A uses $h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert r_2\Vert r_3)$ to query and the game is terminated. Therefore, we can obtain the probability of $G{M}_6$ as

$$|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_5}\left(\xi \right)\right]|\le q_{hash}^2/2^{l+1}.$$

(7)

Because, in $G{M}_6$, the probability of success and failure is $1/2$, the probability that A can guess $SK$ is

$$Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)\right]=1/2.$$

(8)

According to the above formula, we can obtain

$$\begin{array}{cc}\hfill 1/2Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)& =\left|Pr\right[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)]-1/2|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)\right]|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_6}\left(\xi \right)\right]|\hfill \\ \hfill & \le \sum _{i=0}^5|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_{i+1}}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_i}\left(\xi \right)\right]|\hfill \\ \hfill & =q_{send}/2^{l-1}+3q_{hash}^2/2^l+max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}\hfill \end{array}$$

(9)

Therefore, we can obtain

$$Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)\le q_{send}/2^{l-2}+3q_{hash}^2/2^{l-1}+2max\{C^{\prime }·q_{send}^{s^{\prime }},q_{send}/2^l\}.$$

(10)

□

5.2. ProVerif

We used the formal tool ProVerif to verify the validity of the proposed protocol by modeling, writing code and performing calculations [50,51].

The definition of ProVerif is shown in Figure 5. Here, sch and ch are used to represent the secure channel and common channel, respectively. The parameters and functions of the protocol can be seen from the figure. The functions include h(), mult(), con(), xor(), Gen() and Rep(), which represent hash operations, scalar multiplication, concatenation, XOR, generator and reduction operations, respectively. Figure 6 shows the query operations and events. Here, $SKi$ and $SKj$ represent the session keys of $U_i$ and $D_j$, respectively. “Query attacker” was used to verify whether A could compute $SK$ by intercepting the information on the common channel through query operations. ProVerif contains five events: UserStarted(), UserAuthed(), ServerAcUser(), DroneAcServer() and UserAcDrone().

Figure 7 shows the process of $U_i$, $D_j$ and S. $D_j$’s process is similar to $U_i$’s process, so we take the $U_i$’s process as an example. Here, “out(sch,(IDi))” is a registration process initiated by $U_i$ to S in the registration phase and “in(sch,(xRIDi:bitstring,xNi:bitstring,xIDj:bitstring,xTIDi:bitstring))” is to simulate $U_i$ to receive the message sent by S in the registration phase. At this time, the registration phase ends. “!()” is $U_i$’s authentication process in the login authentication phase, which means that this phase can occur multiple times, while the registration phase can only occur once. “out(ch,(A1,A2,xTIDi,T1))” means that $U_i$ sends a login request to S. “in(ch,(xA5:bitstring,xA6:bitstring,xV3:bitstring,xT3:bitstring))” refers to the $U_i$ who receives the authentication message returned by S. As for S’s process, it is mainly composed of the “UserReg” $U_i$ registration process, “DroneReg” $D_j$ registration process and “ServerAuth” S authentication process. “UserReg” is the registration process of S in the $U_i$ registration phase, “DroneReg” is the registration process of S in the $D_j$ registration phase, “ServerAuth” is the authentication process adopted by S in the login and authentication phase.

The results of ProVerif are presented in Figure 8. We can see that “Query not attacker (SKi[]) is true”, “Query not attacker (SKj[]) is true”, “Query inj-event (UserStarted) $==>$ inj-event (UserAuthed) is true”, “Query inj-event(SeverAcUser) $==>$ inj-event(DroneAcServer) is true” and “Query inj-event(DroneAcServer) $==>$ inj-event (UserAcDrone) is true”. Therefore, it can be concluded that A cannot compute the $SK$ of $U_i$ and drone $D_j$.

5.3. Informal Security Analysis

5.3.1. Mutual Authentication

In this protocol, $U_i$ and $D_j$ realize mutual authentication with the help of S. $V_1$ in message $M_1$ is the authentication value for S authenticating $U_i$, $V_2$ in message $M_2$ is the authentication value for $D_j$ authenticating S and $V_3$ in message $M_3$ is the authentication value for $D_j$ authenticating $U_i$. Therefore, the proposed protocol realizes the mutual authentication between $U_i$ and $D_j$.

5.3.2. Replay Attacks

Our proposed protocol uses timestamps $T_1,T_2,T_3$. When $U_i,D_j$, or S receive the message, it first verifies the freshness of the timestamp. If the timestamp is valid, the session process continues. When A replays to a message transmitted from the common channel, the timestamp becomes invalid and the session process is terminated when an entity is verifying the timestamp. Thus, the proposed protocol can resist replay attacks.

5.3.3. Privileged Insider Attacks

If A can obtain the long-term key $K_s$ of S, because $\{TI{D}_i,RI{D}_i^{*},k_j\}$ and $\{I{D}_j,k_j\}$ stored in S are unknown, $\{RI{D}_i,I{D}_i,r_1,r_2,r_3\}$ cannot be computed and A cannot compute $SK$, where $SK=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert r_2\Vert r_3)$. If A can obtain the parameter $\{TI{D}_i,RI{D}_i^{*},k_j\}$ and $\{I{D}_j,k_j\}$ stored in S, A can intercept message $M_1$ from the public channel, obtain $TI{D}_i$ and then index it to $RI{D}_i^{*}$, but the long-term key $K_s$ of S is unknown, so $\{RI{D}_i,I{D}_i,r_1,r_2,r_3\}$ cannot be computed. Thus, the proposed protocol can resist privileged insider attacks.

5.3.4. Drone Capture attacks

If A can obtain the parameter $\left\{N_j\right\}$ stored in the drone’s memory, the $RI{D}_i$ cannot be computed because A does not know the identity $I{D}_j$ of the $D_j$, where $RI{D}_i=h(I{D}_j\Vert N_j\Vert T_2)\oplus A_4$. Furthermore, A cannot compute $\{r_1,r_2,r_3\}$ and $SK$. Thus, the proposed protocol can resist drone capture attacks.

5.3.5. Man-in-the-Middle Attacks

Let us suppose that A can intercept message $M_1=\{A_1,A_2,V_1,TI{D}_i,T_1\}$ transmitted on the public channel between $U_i$ and S. As A cannot obtain the information $\{RI{D}_i^{\prime },I{D}_j^{\prime },r\}$ in the smart card and $\{I{D}_i,PS{W}_i,BI{O}_i\}$ of $U_i$, A cannot calculate the values $\{RI{D}_i,I{D}_j,r_1\}$ required for $V_1$, where $V_1=h(RI{D}_i\Vert I{D}_j\Vert r_1\Vert T_1)$. Therefore, after A tampers with $M_1$, it cannot pass the authentication of S. Similarly, because the privacy value is unknown, A cannot compute the value $V_2$, $V_3$ or $V_4$ and cannot complete the verification after intercepting the information $M_2$, $M_3$ or $M_4$. Therefore, the proposed protocol can resist man-in-the-middle attacks.

5.3.6. User Anonymity and Untraceability

The identities of $U_i$ and $D_j$ are not directly transmitted on the public channel and their identities cannot be computed. If A wants to track $U_i$ or $D_j$, A intercepts the message $\{M_1,M_2,M_3,M_4\}$ transmitted on the common channel, but the messages are variable during each session because random numbers $\{r_1,r_2,r_3\}$ are used. A cannot track the $U_i$ or $D_j$. Therefore, the proposed protocol can provide user anonymity and untraceability.

6. Security and Performance Comparisons

In this section, we compare our protocol with those of Hussain et al. [21], Ever et al. [26], Wazid et al. [20] and Srinivas et al. [23] in terms of security, computational costs and communication costs.

6.1. Security Comparisons

In security comparison, ✓ indicates that the protocol can resist known attacks and × indicates that the protocol cannot resist attacks. The results of the security comparison are shown in

Table 3. Comparisons of security.

Security Properties	[23]	[20]	[26]	[21]	Ours
Privileged insider attacks	−	× [21]	−	×	✓
Impersonation attacks	✓	× [21]	✓	×	✓
drone capture attacks	× [41]	✓	× [52]	×	✓
Mutual authentication	✓	× [21]	✓	✓	✓
User anonymity	× [41]	✓	× [52]	✓	✓
Perfect forword secrecy	−	−	−	✓	✓
Man-in-the-middle attacks	✓	✓	−	✓	✓
Temporary information disclose attacks	−	−	−	✓	✓
Untraceability	× [41]	✓	× [52]	✓	✓

. Here, in 2020, Ali et al. [41] found that the protocol of Srinivas et al. [23] could not provide anonymity and untraceability and was vulnerable to drone capture attacks. In the same year, Hussain et al. [21] pointed out that the protocol of Wazid et al. [20] could not realize mutual authentication and was vulnerable to privileged insider attacks and impersonation attacks. Deebak et al. [52] found that the protocol of Ever et al. [26] could not provide anonymity and untraceability and was vulnerable to drone capture attacks. We point out that the protocol of Hussain et al. [21] is vulnerable to drone capture attacks, privileged insider attacks and drone impersonation attacks in Section 3. So, we can see that proposed protocol can resist known attacks and has better security.

6.2. Performance Comparison

We compare the protocol with other related papers in terms of computational costs and communication costs. The computational costs includes the costs required to perform various operations during the login authentication process, because the computational costs of XOR and join operations are small enough to be ignored. Here, we performed a simulation experiment to evaluate the approximate computational time of the protocols. In the simulation experiment, we used Redmi note 9 Pro equipped with Android system, Qualcomm Snapdragon 750 processor and 8 G running memory to simulate users, using a Lenovo Desktop computer with Windows 10, Intel(R) Core(TM) i5-9500 CPU @ 3.00 GHz Processor and 8 G RAM to simulate servers. Since we had no suitable equipment to simulate drones, we used the results of Hussain et al. [21] in the simulation experiment as the computational time of drones. The experimental results are shown in

Table 4. Experimental results.

Operations	Symbolic	${\mathit{U}}_{\mathit{i}}$	S	${\mathit{D}}_{\mathit{j}}$
Bilinear pairing	$T_{bp}$	38.9 ms	9 ms	12.52 ms
Symmetric encryption	$T_{se}$	0.0392 ms	0.202 ms	0.013 ms
Hash function	$T_h$	0.00251 ms	0.0027 ms	0.006 ms
Scalar multiplication	$T_{sm}$	20 ms	9 ms	4.107 ms

. According to the experimental results, the fuzzy extraction function took the same time as the hash function, so we used the fuzzy extraction function as the hash function. The comparison of computational costs is shown in

Table 5. Computational cost comparison.

Protocols	${\mathit{U}}_{\mathit{i}}$	S	${\mathit{D}}_{\mathit{j}}$	Tocal	Tocal (ms)
Srinivas et al. [23]	$T_f+14T_h$	$9T_h$	$9T_h$	$T_f+30T_h$	0.116
Wazid et al. [20]	$T_f+16T_h$	$8T_h$	$7T_h$	$T_f+31T_h$	0.106
Ever et al. [26]	$2T_{bp}+5T_h$	$2T_{bp}+3T_h$	$4T_{sm}+2T_{bp}+9T_h$	$4T_{sm}+6T_{bp}+17T_h$	137.34
Hussain et al. [21]	$T_f+15T_h$	$2T_{se}+9T_h$	$7T_h$	$2T_{se}+T_f+31T_h$	0.510
Ours	$T_f+12T_h$	$9T_h$	$8T_h$	$T_f+29T_h$	0.135

Here,$T_{se}$ represents the time to perform the symmetric encryption operation, $T_{bp}$ represents the time to perform the the bilinear pairing operation, $T_{sm}$ represents the time to perform the elliptic curve scalar multiplication operation, $T_f$ represents the time to perform the fuzzy extraction function and $T_h$ represents the time to perform the hash operation.

. We can see that the protocol of Srinivas et al. [23] and Wizard et al. [20] only use fuzzy extraction and hash operations. The computational costs of the proposed protocol is slightly higher than those of the above two protocols. The protocol of Ever et al. [26] uses elliptic curve scalar multiplication operation, bilinear pairing operation and hash operation. The protocol of Hussain et al. [21] uses symmetric encryption operation, fuzzy extraction operation and hash operation. Therefore, the computational costs of the protocol of Ever et al. [26] and Hussain et al. [21] are higher than those of other protocols.

In terms of communication costs, we compared the cost used to transmit messages on the common channel in the login authentication phase. Here, we assumed that the cost of transmitting the timestamp was 32 bits, the cost of transmitting identity and the random number was 160 bits, the cost of transmitting hash function was 256 bits and the cost of transmitting ECC points was 32 bits. Therefore, based on the above assumptions, we computed the communication cost of our protocol as an example. The computational methods of other protocols were similar. Our protocol transmitted three rounds of messages on the common channel, namely, $M_1=\{A_1,A_2,V_1,TI{D}_i,T_1\}$, $M_2=\{A_1,A_3,A_4,V_2,T_1,T_2\}$ and $M_3=\{A_5,A_6,V_3,T_3\}$. Among them, $\{V_1,V_2,V_3\}$ belonged to a hash value, $\{T_1,T_2,T_3\}$ belonged to the timestamp and $\{A_1,A_2,TI{D}_i,A_3,A_4,A_5,A_6\}$ belonged to a random number. Therefore, the communication cost of our protocol was 2176 bits. Similarly, the communication costs of Srinivas et al. [23], Ever et al. [26], Wazid et al. [20] and Hussain et al. [21] were 1536 bits, 1696 bits, 5344 bits and 2061 bits, respectively. The comparison results of communication costs are shown in

Table 6. Communication cost comparison.

Protocols	Rounds	Communication Cost
Srinivas et al. [23]	3	1536 bits
Wazid et al. [20]	3	1696 bits
Ever et al. [26]	6	5344 bits
Hussain et al. [21]	3	2061 bits
Ours	3	2176 bits

and Figure 9 can more clearly describe the comparison results. It can be seen that the communication cost of the proposed protocol was much lower than that of the protocol of Ever et al. [26].

According to the above comparison, it is clear that, in terms of security, our protocol can resist known attacks, whereas other protocols cannot resist known attacks. So, our protocol has better security than other protocols. In terms of computational costs, the proposed protocol is more expensive than the protocols of Srinivas et al. [23] and Wazid et al. [20] and has a lower computation cost than the protocols of Ever et al. [26] and Hussain et al. [21]. In terms of communication costs, although the proposed protocol is more expensive than the protocols of Srinivas et al. [23], Wazid et al. [20] and Hussain et al. [21], it has a much lower cost than the protocol of Ever et al. [26].

7. Conclusions

This paper first summarizes the importance and combination of $IoD$ and $5G$, reviews the recent AKA protocol in $IoD$ and briefly reviews the protocol of Hussain et al. [21], pointing out that Hussain et al.’s protocol [21] is vulnerable to drone capture attacks, privileged insider attacks and session key disclosure attacks. To solve the security problems faced by the protocol of Hussain et al. [21], we propose an improved protocol. Through an informal analysis, we show that the proposed that protocol could resist known security attacks. In addition, the security and effectiveness of the protocol are demonstrated through a formal security analysis. Finally, through a comparison, we conclude that the protocol is secure compared with recent protocols. The rapid development of $5G$ makes the emergence of 6th generation mobile communication technology ($6G$) an inevitable trend and the subject of introducing $6G$ into $IoD$ has a great research value in the future. In addition, researchers may combine drones with external smart devices to meet some specific needs. In future research work, it would also be necessary to design a secure authentication protocol for other architectures of drones. Therefore, the secure communication of $IoD$ under different architectures is worthy of in-depth study by scholars.