Designing Secure User Authentication Protocol for Big Data Collection in IoT-Based Intelligent Trans

This paper proposes UAP-BCIoT, a three-factor user authentication protocol based on elliptic-curve cryptography, designed for big data collection in IoT-based intelligent transportation systems. The protocol achieves mutual authentication between users and IoT devices, supports IoT device credential validation and big data analytics, and is shown through formal security analysis and verification with the AVISPA tool to resist a variety of known attacks. In addition, an NS2 simulation study shows the protocol's impact on network performance parameters such as end-to-end delay, throughput, and packet loss rate.
Summary generated by CSDN using automated techniques.

Full title: Designing Secure User Authentication Protocol for Big Data Collection in IoT-Based Intelligent Transportation System

Abstract:

Secure access to the real-time data of Internet-of-Things (IoT) smart devices (e.g., vehicles) by a legitimate external party (user) is an important security service for big data collection in the IoT-based intelligent transportation system (ITS). To deal with this important issue, we design a new three-factor user authentication scheme, called UAP-BCIoT, which relies on elliptic-curve cryptography (ECC). The mutual authentication between the user and an IoT device happens via the semitrusted cloud-gateway (CG) node in UAP-BCIoT. UAP-BCIoT supports several functionality features needed for the IoT-based ITS environment, including IoT smart device credential validation and big data analytics. A detailed security analysis is conducted based on the defined threat model to show that UAP-BCIoT is resilient against many known attacks. A thorough comparative study reveals that UAP-BCIoT supports better security, offers various functionality attributes, and also provides similar communication and computation costs as compared to other relevant schemes. Finally, a practical demonstration of the proposed UAP-BCIoT is also provided to measure its impact on the network performance parameters.
Published in: IEEE Internet of Things Journal (Volume 8, Issue 9, 01 May 2021)
SECTION I.

Introduction

The Internet of Things (IoT) brings a new era in computing, formed from various networked objects called smart devices. The smart devices are interconnected with each other for gathering, processing, refining, and exchanging important data over the public Internet. The devices can be assigned IP addresses (IPv4 or IPv6) or even device identities. Due to the shortage of IPv4 addresses, IPv6 over low-power wireless personal-area networks (6LoWPAN) has drastically changed the IoT landscape by extending the use of IPv6 to small-scale smart objects [1]. These days, IoT is utilized in many environments and platforms. Along these lines, IoT has numerous potential applications, for example, smart homes, smart cities, smart traffic monitoring, smart health care, and intelligent transportation systems (ITS). A cloud-based policy can be applied for storing the information collected by IoT devices (nodes) in a cloud-driven IoT-based big data deployment, which can then be treated as a big data warehouse. Such a deployment should be highly scalable and should also provide substantial processing capacity for real-time events (for instance, surveillance and monitoring).

ITS is an emerging transportation framework that incorporates an advanced information and communication network connecting users, roads, and vehicles. ITS is the integrated use of state-of-the-art technologies in hardware, computers, communications, and advanced sensors. These applications give travelers valuable information while improving the safety, security, and efficiency of the transportation system [2]. The data gathered by the nodes in the IoT-based ITS environment is of enormous volume, and the limitations of the relational database management system (RDBMS) [3] in handling it led to the inception of big data [4], [5].

The intelligent vehicle parking system [4] is one of the potential applications of ITS. The IoT sensing devices help in collecting different data with respect to the geographic location of the vehicles, availability of the parking area, earlier reservation details, parking position, details about the vehicle, current traffic information, and so on. The generated data can be of enormous volume. Big data therefore encompasses all varieties of data, including structured data and unstructured data from e-mails, social media, text streams, and so on, and managing it requires organizations to leverage both their structured and unstructured data. Big data thus plays a major role in such a situation, since it supports real-time applications and provides the means to build an intelligent transportation system. Like the intelligent vehicle parking system, there are several other applications, such as smart traffic monitoring.

It is estimated that by 2020, there will be 250 million connected vehicles on the road, which represents 75% of the total vehicles [6]. In ITS, the connected cars exchange the information from their on-board sensors with other vehicles (vehicle to vehicle, V2V). Meanwhile, information is also exchanged between the connected cars and the equipment on the roads and in traffic facilities (vehicle to roadside, V2R, and vehicle to infrastructure, V2I). Modern cars are equipped with numerous electronic control units, such as onboard diagnostics (OBD), in-vehicle infotainment (IVI), and the telematics control unit (TCU). They communicate with each other over the vehicle Internet. Furthermore, thanks to these important elements, such as IVI, TCU, and OBD, drivers in the vehicles are seamlessly connected to the Internet [2], [5].

Advanced sensing equipment is installed on board, where a controller area network (CAN) gateway can extract the sensing information from the on-board sensors (e.g., direction, temperature, velocity, and airbag status), parking assistance radars, and rear and front cameras. Furthermore, a different set of characteristics is used in the communication equipment to determine communication range, transmission power, bit rates, and frequency bands. Basically, communication is considered to be of two types based on range: 1) short-range ad hoc communication and 2) long-range communication. The former is used primarily for V2V, whereas the latter is infrastructure-based and used primarily for V2I purposes only. However, for vehicle-to-cloud communication (V2C), an Internet connection is required. Similarly, an external user can access the real-time data of an IoT device installed in a vehicle through the Internet. The transportation system is based on four fundamental principles: 1) safety; 2) responsiveness; 3) integration; and 4) sustainability. This helps in achieving the main objectives of ITS, such as mobility, accessibility, safety, environmental sustainability, and economic development [4].

A. Motivation

There are serious safety-protection issues at all critical end-point devices, and once these are compromised by attackers, vehicles may face hazards of malfunction. A secure communication design is needed to restrict attackers from creating such hazards. Malicious parties can easily attack the vulnerable systems of the vehicles, which may lead to loss or leakage of sensitive data. Attackers can also obtain the vehicle owner’s private information for extortion or maliciously manipulate the vehicle’s functionality. In the era of IoT-based smart vehicles, the future of the associated cybersecurity mechanisms relies on a secure communication design that ensures the security of data transmission. In IoT-based smart vehicles, accessibility of the real-time data has become extremely important, as users wish to access the desired IoT devices directly. In this kind of real-time information access, legitimate external users can be permitted to obtain the information from the IoT devices. In addition, a legitimate user may also request big data query processing and big data analytics over the information stored in the cloud servers to make sense of hidden patterns of certain phenomena (e.g., prediction of fire in an ITS environment). This calls for a secure authentication scheme for the IoT-based ITS environment that enables a registered legitimate user to access the real-time data from an assigned IoT device directly and securely.

B. Research Contributions

The main contributions are highlighted as follows.

  1. A new ECC-based three-factor user authentication scheme, called UAP-BCIoT, has been designed for big data collection in the IoT-based ITS environment. UAP-BCIoT achieves mutual authentication between a user and an IoT device via the semitrusted cloud-gateway (CG). Furthermore, UAP-BCIoT supports various functionality attributes, such as a password/biometric update phase, a dynamic IoT device addition phase, and a user mobile device revocation phase for the case where the mobile device of an authorized registered user is stolen/lost. In addition, UAP-BCIoT also supports IoT node credential validation and big data analytics phases.

  2. A detailed formal security analysis under the widely accepted real-or-random (ROR) model [7], an informal (nonmathematical) security analysis, and formal security verification based on simulation using the broadly applied automated validation of Internet security protocols and applications (AVISPA) tool [6] reveal that UAP-BCIoT can withstand many known attacks that are relevant in an IoT-based ITS environment. The detailed comparative analysis reveals that UAP-BCIoT provides a better tradeoff between security and functionality features, communication costs, and computation costs than relevant existing schemes.

  3. Finally, the practical demonstration of the proposed UAP-BCIoT is also provided to measure the impact on various network performance parameters.

C. Paper Outline

The outline of this article is as follows. While the related work is discussed in Section II, the network model and threat models of the proposed scheme (UAP-BCIoT) are provided in Section III. Different phases of UAP-BCIoT have been discussed in Section IV. A detailed formal as well as informal (nonmathematical) security analysis is presented in Section V. To further strengthen the security of UAP-BCIoT, the formal security verification using one of the widely accepted software verification tools, known as AVISPA has been carried out on UAP-BCIoT in Section VI. A comparative study on UAP-BCIoT and other relevant existing competing user authentication schemes is illustrated in Section VII. The practical demonstration of UAP-BCIoT using NS2 simulation study is also conducted in Section VIII. Finally, the concluding remarks are put in Section IX.

SECTION II.

Related Work

In this section, we confine our discussion to related existing authentication schemes.

Das et al. [8] provided a taxonomy of various security protocols, such as “key management,” “user and device authentication,” “access control,” “privacy preservation,” and “identity management” protocols, which are needed for an IoT-based environment, and emphasized that user authentication is one of the important security services in the IoT deployment. They presented several security requirements that are needed to design security protocols in the IoT deployment. They further highlighted several attacks associated with the IoT deployment, such as “replay,” “man-in-the-middle,” “stolen/lost smart card/mobile device,” “privileged-insider,” “impersonation,” “password guessing,” “password change,” and “physical IoT smart devices capture” attacks. In addition, they also provided a threat model that can be considered for designing the security protocols in the IoT deployment. In their review work, Wazid et al. [9] also discussed a taxonomy of different existing authentication schemes suitable for a “cloud-driven IoT-based big data environment,” which includes a comparative study of several user authentication schemes.

Turkanović et al. [10] suggested a “two-factor user authentication method” which is lightweight in computation and communication, and also applicable to the IoT environment. Unfortunately, their approach is vulnerable to various well-known attacks, including “privileged-insider,” “off-line password guessing,” “stolen smart card,” and “user and smart device impersonation” attacks.

Porambage et al. [11] designed a mechanism for user authentication in the IoT deployment, which allows the end users to authenticate themselves to the IoT sensing nodes directly and access sensing information and services. Though this scheme is computationally efficient, it is vulnerable to several known attacks.

Porambage et al. [12] also proposed two schemes in IoT environment: 1) Scheme-1 is facilitated with the key derivation process to the legitimate users of the multicast group and 2) Scheme-2 deals with the shared secret key which is established among the entities in a multicast group.

Farash et al. [13] designed another lightweight two-factor user authentication mechanism for the IoT deployment. However, their mechanism is also vulnerable to several well-known attacks, such as “known session-specific temporary information,” “offline password-guessing,” “stolen/lost smart card,” “new smart card issue,” and “user-impersonation” attacks. In addition, their scheme also fails to preserve “user anonymity” goal.

Challa et al. [14] designed an “ECC-based user authentication technique” aimed at future IoT applications and built on an ECC-based digital signature. Though their scheme supports various functionality attributes, a noted observation is that it requires high computation and communication costs for the involved entities in order to be applied in the IoT environment.

Tai et al. [15] proposed a lightweight authentication scheme in the IoT deployment. Unfortunately, their mechanism is also found to have several vulnerabilities, such as “privileged-insider,” “password guessing,” “man-in-the-middle,” and “replay” attacks. In addition, their scheme fails to achieve the “forward secrecy” property.

Wazid et al. [16] designed a “three-factor user authentication mechanism in the IoT deployment” using a legal registered user’s smart card, password, and personal biometrics. Though their scheme has the ability to protect against various well-known attacks, it does not support the revocability property, where new credentials for the mobile device of a user are required in case the mobile device of that user is stolen/lost.

Li et al. [17] proposed an ECC-based authentication mechanism for an industrial IoT environment. An important observation on their scheme is that it fails to ensure some of the functionality attributes (Section VII-A). In addition, due to the high computation cost incurred during the execution of the authentication mechanism, it is not suitable for resource-limited IoT sensing nodes.

Banerjee et al. [19] proposed a “three-factor user authentication mechanism” for generic IoT deployment. In their design, symmetric key encryption/decryption technique was used to establish the session key between a user and an IoT smart device. A “DeviceList” is used in their scheme, which needs to be updated each time when the login and authentication phase as well as password/biometric update phase are executed. However, their scheme does not provide the “big data analytics phase,” and as a result, it may not be suitable for the big data collection and analysis in IoT-based ITS. In addition, no mechanism is provided to validate the credentials in IoT devices by the gateway nodes after the deployment of the IoT smart devices in the network.

Srinivas et al. [18] also designed a new authentication mechanism for a “wearable healthcare monitoring system” in which the Bigdata Registration Centre (BRC) is responsible for registering the Cloud of Things-centric (CoTC) entity, users, and wearable sensor devices. In their scheme, a session key is derived between a legal registered user and a wearable sensor device for real-time sensor data access, provided that mutual authentication among them via the CoTC is successful. Though the scheme in [18] provides several functionality features, its communication cost is higher than that of our proposed scheme (UAP-BCIoT) in this article. Moreover, the scheme in [18] is a two-factor user authentication scheme in which only the user password is used. On the other side, the proposed scheme (UAP-BCIoT) is a three-factor user authentication scheme that applies both the user password and biometrics, which increases the security of local user authentication by the user mobile device/smart card. It is also worth noticing that while the scheme in [18] is based on the computational integer factorization problem (IFP) of finding two large distinct prime factors p and q of a composite modulus n=p×q, the proposed UAP-BCIoT relies on the computational elliptic-curve decisional Diffie–Hellman problem (ECDDHP). Therefore, to achieve the same level of security, the proposed UAP-BCIoT works with a smaller ECC-based key size as compared to the larger RSA-based key size in the scheme of [18]. In addition, the proposed UAP-BCIoT is based on the more recent Zipf’s law [20] for user-chosen passwords, as compared to the traditional uniformly distributed dictionary for user-selected passwords.

Finally, a summary of various cryptographic techniques applied and limitations/drawbacks, as well as advantages of previously proposed user authentication protocols related to the IoT deployment is provided in Table I.

TABLE I Summary of Cryptographic Techniques Applied and Limitations of Previous Existing User Authentication Mechanisms

SECTION III.

System Models

In designing the proposed UAP-BCIoT, we use the following network and threat models.

A. Network Model

A network model for an IoT-based ITS [4] is provided in Fig. 1. The architecture consists of different types of entities, such as smart vehicles, roadside units (RSUs) (infrastructure), vehicle charging units, the BRC, CG nodes (CG), and different types of users. The smart vehicles are fitted with IoT devices [IoT nodes (IN)], which monitor various factors inside and outside the vehicles. In this network model, there are different types of communication: 1) vehicle-to-vehicle communication (V2V); 2) vehicle-to-infrastructure communication (V2I); 3) vehicle-to-grid communication (V2G); and 4) vehicle-to-cloud communication (V2C). Authorized users can access the data of the IoT nodes installed in smart vehicles directly through the CG node. The ITS data is stored in the cloud to perform big data analysis, which helps in drawing useful conclusions from it, for example, predicting road accidents in a specific region on the basis of the collected and analyzed data. The ITS structure is required to work with ultrahigh recurrent that will help in achieving the staggering division and recognize the information for around 4–6 m. In this model, an external party (user) (e.g., a traffic inspector) wishes to retrieve real-time information from a smart vehicle (fitted with IoT nodes) in a particular region. The user can have the list of the accessible registered vehicles in that particular region. To handle this scenario, a user authentication mechanism is essential between the external party (user) and the IoT nodes installed in the smart vehicles via the CG node, which serves as the gateway node. The secret credentials are loaded into the memory of the IoT nodes installed in the smart vehicles by the trusted BRC. Also, each user has to register at the CG in order to retrieve real-time information from a particular IoT node in the IoT-based ITS environment. After successful mutual authentication between a user and an IoT node through the CG, both entities generate and establish a session key for their future secure communication. It is worth noting that the proposed scheme (UAP-BCIoT) is also effective for V2V communication, and the proposed authentication model can be utilized for secure V2V communication as well. For that purpose, each vehicle is registered by the trusted authority (i.e., the BRC) of the network. After the successful registration of each vehicle, the registration information of the vehicle can be stored in the on-board memory unit of that vehicle. The preloaded information helps each vehicle to communicate securely with other vehicles through the establishment of a computed session key.

Fig. 1.

Network model for the IoT-based intelligent transport system [4].


B. Threat Model

The well-known “Dolev–Yao threat model (DY model)” [21] has been applied in the proposed UAP-BCIoT scheme. In the DY model, the participating entities communicate with each other over an insecure channel, where the “end-point participants (e.g., vehicles and RSUs)” are not trusted. During the communication, an attacker A can therefore eavesdrop on, modify, or delete the exchanged messages as they travel over the insecure channel. The trusted BRC is considered a fully trusted entity, whereas the CG nodes are semitrusted. Moreover, since the IoT nodes cannot be monitored 24×7, some IoT nodes can be physically captured, which gives A the opportunity to obtain the credentials stored in those captured IoT nodes using “power analysis attacks” [22]. The CK-adversary model [23] is presently a de facto standard model under which A can not only control the communication as in the DY model but can also compromise secret credentials, such as “session keys, private keys and session state.” Several attacks associated with the IoT-based ITS deployment need to be considered while developing a user authentication protocol, such as “replay,” “man-in-the-middle,” “stolen/lost mobile device,” “privileged-insider,” “impersonation,” ephemeral secret leakage (ESL) (Section V-B7), and “physical IoT nodes capture” attacks. A detailed description of these attacks can be found in [8]. Apart from these attacks, the mutual authentication, anonymity, and untraceability properties need to be preserved in the IoT-based ITS deployment.

SECTION IV.

Proposed Scheme

The different phases of our proposed user authentication protocol for big data collection in IoT-based ITS (UAP-BCIoT) are discussed in this section. We apply the notations listed in Table II for analyzing and discussing the proposed UAP-BCIoT. For replay attack protection, we rely on validation of the current system timestamp carried in the communicated messages. This is a typical assumption applied in several authentication mechanisms across various networking environments [16], [18], [24]–[28].

TABLE II Notations and Their Importance

UAP-BCIoT has seven phases, which are briefly discussed before their detailed description in the subsequent sections as follows.

  1. In the system initialization phase, the BRC is the authorized entity in the network for picking up various system parameters for each deployed IoT node, and also the authorized CG selects other system parameters including its own private and public keys.

  2. In the IoT device enrollment phase, the BRC preloads the essential credentials in each IoT node’s memory before they are placed in the IoT-based ITS environment.

  3. In the user registration phase, a legal user Ui first sends the registration request secretly to the trusted CG (CGk) . After receiving the request, CGk issues registration reply to Ui and the credentials are finally stored in Ui ’s mobile device.

  4. During the login and authentication phase, for accessing the services of a desired intelligent IoT device (INj) in real time, a registered legal user Ui with his/her mobile device MDi needs to log in to the system and then establish a session key with INj with the help of CGk for secure communication between Ui and INj. In addition, this phase also establishes a session key between CGk and INj at the same time, in order to execute the IoT device credential validation phase discussed below.

  5. During the password and/or biometric update phase, UAP-BCIoT permits an authorized registered user Ui to update his/her password/biometric using the credentials stored in the mobile device MDi without further help of the CGk, and this phase is executed completely locally.

  6. The dynamic IoT device addition phase allows deployment of a new IoT device node in the existing network by preloading the necessary credentials in its memory.

  7. The user mobile device revocation phase permits a scenario where the mobile device of an authorized registered user may be stolen/lost, and in that case, the new credentials for the mobile device are obtained.

  8. The big data analytics phase permits the secure storage and analysis of the big data generated by the smart devices of the IoT-based ITS environment. This phase is very useful for drawing useful conclusions from the stored, processed, and analyzed data. For example, it may be used to predict the chances of a road accident in a particular region, roadside conditions, weather conditions, etc.

  9. The IoT device credential validation phase is needed when the CG (CGk) periodically checks whether the credentials stored in an IoT node INj are still valid after its deployment in the network. For this purpose, the session key established between CGk and INj is utilized for secure execution of this phase. In addition, this phase also allows CGk to check whether the IoT nodes are working as expected, in order to detect malicious behavior of the IoT nodes.

A. System Initialization Phase

This phase incorporates the following steps.

  1. The BRC first picks a long-term secret key XCGk for the CGk. It then picks a unique identity IDINj for each deployed IoT node INj(j=1,2,…,ns) , where ns is the number of IoT nodes installed initially in the IoT-based ITS environment. Next, the BRC computes the secret key SKCG−BRC=h(XCGk∥MKBRC) , where XCGk is the secret key of the CGk and MKBRC is a unique master key of the BRC.

  2. The BRC selects a cryptographic collision-resistant one-way hash function h : {0,1}∗→{0,1}l , where the bit length of the hash output (message digest) is denoted by l . h(⋅) can be taken as SHA-1 (Secure Hash Standard) and, for better security, SHA-256 can also be applied [29]. Moreover, the BRC selects a distinct identity IDCGk for each CGk.

  3. CGk selects a base point P of order n over a nonsingular elliptic curve Ep(a,b) , where n is large enough for sufficient security (for example, n should be at least a 160-bit number). The CGk then derives its private/public key pair (gpri,Gpub) , where Gpub=gpri⋅P .

  4. Finally, the information (P,(gpri,Gpub),h(⋅),{IDINj|1≤j≤ns},XCGk,SKCG−BRC) are stored in CGk’s storage database.

B. IoT Device Enrollment Phase

This phase is completed by the BRC in an offline manner.

For each IoT node INj, the BRC calculates the secret credential ICj1=h(SKCG−BRC∥IDINj) . The BRC stores the information (IDINj,ICj1) into INj’s memory before its deployment in the IoT-based ITS environment.

C. User Registration Phase

In this phase, a mobile user/traffic inspector Ui first registers with the CG (CGk) over a secure channel in order to obtain the credentials to be used in the mobile device MDi. It is worth noting that in UAP-BCIoT we have applied the widely accepted fuzzy extractor for biometric verification [30]. The fuzzy extractor comprises the following two procedures.

  1. Gen : It is a probabilistic function that takes personal biometrics BIOi of the user Ui (e.g., fingerprint) as input and a pair (σi,τi) is produced as output, where σi and τi signify the secret biometric key and public reproduction parameter, respectively, that is, Gen(BIOi)=(σi,τi) .

  2. Rep: It is a deterministic function that takes a noisy biometric BIO′i and the public reproduction parameter τi as input and reconstructs the original biometric secret key σi as output, that is, Rep(BIO′i,τi)=σi , with the condition that the Hamming distance between BIO′i and BIOi is less than a predefined error tolerance threshold et .
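To make the Gen/Rep contract concrete, the following Python is an added illustration (not the authors' code, and not the construction of [30]) of the simplest fuzzy extractor that satisfies it: a code-offset secure sketch built from a repetition code, with majority decoding in Rep. The biometric template is a constructed 112-bit vector, the key σi is 16 bits and the repetition factor is 7; the error tolerance et therefore comes out as 4, meaning fewer than 4 flipped bits are always corrected.

```python
import secrets

REP = 7                       # repetition factor of the code-offset sketch (assumption)
KEY_BITS = 16                 # length of the biometric key sigma_i, kept small for the demo
BIO_BITS = REP * KEY_BITS     # the biometric template is a 112-bit vector (constructed)
ET = REP // 2 + 1             # error tolerance e_t: recovery is guaranteed for < ET flipped bits

def hamming(a, b):
    """Hamming distance between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b))

def gen(bio):
    """Gen(BIO_i) -> (sigma_i, tau_i): fresh random key and public helper data."""
    sigma = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in sigma for _ in range(REP)]   # repetition-code encoding of sigma
    tau = [b ^ c for b, c in zip(bio, codeword)]            # code-offset sketch: BIO XOR codeword
    return sigma, tau

def rep(bio_noisy, tau):
    """Rep(BIO'_i, tau_i) -> sigma_i: unmask with tau, then majority-decode each block."""
    word = [b ^ t for b, t in zip(bio_noisy, tau)]          # = codeword XOR (BIO XOR BIO')
    return [int(2 * sum(word[i:i + REP]) > REP) for i in range(0, BIO_BITS, REP)]

def flip(bits, positions):
    """Copy of the bit list with the given positions inverted (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    """Enrol a constructed template, then re-read it with tolerable and intolerable noise."""
    bio = [secrets.randbelow(2) for _ in range(BIO_BITS)]
    sigma, tau = gen(bio)
    noisy_ok = flip(bio, [0, 20, 75])          # 3 flips in different blocks: distance < ET
    noisy_bad = flip(bio, [0, 1, 2, 3])        # 4 flips inside block 0: its majority is overturned
    return (rep(noisy_ok, tau) == sigma, hamming(bio, noisy_ok) < ET,
            rep(noisy_bad, tau) == sigma)      # -> (True, True, False)
```

The second reading in `demo()` shows why et is a guarantee and not a bound on what can ever be corrected: four errors spread over four blocks would still decode, but four errors concentrated in one block flip that key bit. A production fuzzy extractor pairs the sketch with an error-correcting code matched to the sensor's noise model and with a randomness extractor over the recovered value; here σi is drawn uniformly by Gen, so the extraction step is trivial.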

Ui undergoes the following steps to receive the credentials from CGk.
  1. Ui is free to pick his/her identity IDi and password PWi . Ui then imprints his/her biometrics BIOi at the mobile device MDi and generates a random number bi . Ui calculates Gen(BIOi)=(σi,τi) , MIDi=h(IDi∥bi) and MPWi=h(PWi∥σi) , and submits the registration request 〈MIDi, MPWi〉 secretly to the registered CGk .

  2. Upon reception of the request, the CGk calculates G1=(gpri.h(MIDi))⋅P , G2=G1⊕h(MPWi∥MIDi) and G3=G1⊕h(XCGk) . The CGk then issues the secret credentials to Ui secretly as a registration reply message having the information {G1,G2,G3,h(⋅),P} .

  3. After receiving SCi , Ui computes Li=bi⊕h(IDi∥σi∥PWi) , G∗2=G2⊕h(bi∥σi∥PWi)=G1⊕h(MPWi∥MIDi)⊕h(bi∥σi∥PWi) , G∗3=G3⊕h(σi∥bi∥PWi)=G1⊕h(XCGk)⊕h(σi∥bi∥PWi) , and G4=h(G1∥PWi∥bi∥σi) .

Finally, Ui stores {Li , G∗2 , G∗3 , Gen(⋅), Rep(⋅), τi} into MDi to complete the registration process. Hence, the Ui ’s MDi finally contains {Li, G∗2, G∗3, G4, h(⋅), Gen(⋅), Rep(⋅), τi, P} . In addition, Ui deletes G1 , G2 and G3 .

Note that for doing the bitwise XOR of an elliptic-curve point Q=(Qx,Qy) with hash value h(s) of an input string s , we will perform it as Q⊕h(s)=(Qx⊕h(s),Qy⊕h(s)) where the x and y co-ordinates of Q are Qx and Qy , respectively. The above phase is outlined in Fig. 2.

Fig. 2.

User registration phase.


D. Login and Authentication Phase

To access a desired intelligent IoT device, say INj in real-time, a registered legal user Ui with his/her mobile device MDi can login into the system and establish the session key with INj through the CG (CGk) as follows.

  • LA1:

    Ui inserts his/her “identity IDi” and “password PWi ” into the interface of MDi , and also imprints “biometrics BIO′i at MDi ’s sensor.” MDi then calculates σ∗i=Rep(BIO′i,τi) provided that the “Hamming distance between earlier registered BIOi and current BIO′i is less than et ,” MPW∗i=h(PWi∥σ∗i) , b∗i=Li⊕h(IDi∥σ∗i∥PWi) , MID∗i=h(IDi∥b∗i) , G1=h(MID∗i)⋅Gpub , G2=G∗2⊕h(b∗i∥σ∗i∥PWi)(=G1⊕h(MPWi∥MIDi)) , G3=G∗3⊕h(σ∗i∥b∗i∥PWi)(=G1⊕h(XCGk)) , and G∗4=h(G1∥PWi∥b∗i∥σ∗i) .

  • LA2:

    MDi verifies G∗4=?G4 . If it is successful, MDi confirms that Ui ’s entered credentials (IDi,PWi,BIO′i) are valid, and Ui then picks an accessed IoT node INj’s identity IDINj from which he/she likes to access the services. Ui generates a “random number x∈Z∗p ” and the “current timestamp TS1 ,” to compute Mx=x⋅P , HIDi=MID∗i⊕h((G1⊕G3)||TS1)=MID∗i⊕h(h(XCGk)||TS1) , A1=x⋅(Gpub+h(IDINj)⋅P) , A2=A1⊕h(G2∥G1∥Mx∥TS1) , A3=h((G1⊕G3)∥MID∗i∥TS1∥A2) , and dynamic identity of INj as DIDINj=IDINj⊕h(G1∥TS1) with its stored parameters. MDi sends the login request message to the CGk as MSG1={A3,HIDi,G2,DIDINj,Mx,TS1} over the public channel.

  • LA3:

    CGk checks if |TS′1−TS1|<ΔT after receiving the message MSG1 at time TS′1 . If the verification is successful, CGk computes MID∗i=HIDi⊕h(h(XCGk)||TS1) , G∗1=(gpri.h(MID∗i))⋅P , IDINj=DIDINj⊕h(G∗1∥TS1) , A∗1=(gpri+h(IDINj))⋅Mx , and A2=A∗1⊕h(G2∥G∗1∥Mx∥TS1) , and verifies A3=?h((HIDi⊕MID∗i)∥MID∗i∥TS1∥A2) . If the verification is successful, CGk confirms that the message received from Ui is legitimate. Then, CGk generates current timestamp TS2 , calculates GI1=h(h(SKCG−BRC||IDINj)||TS2)⊕MID∗i , the session key shared with IoT node INj as SKkj=h(TS2∥IDCGk∥MID∗i∥h(SKCG−BRC||IDINj)) and GI2=h(IDINj∥MID∗i∥Mx∥SKkj∥TS2) , and then transmits the message MSG2={GI1,GI2,Mx,TS2} to INj over public channel. In addition, CGk stores the session key SKkj shared with INj in its secure database.

  • LA4:

    The IoT node INj checks whether |TS′2−TS2|<ΔT holds after receiving the message MSG2 at time TS′2 . If the verification is successful, INj computes MIDi=GI1⊕h(ICj1||TS2) and the session key shared with CGk as SKjk=h(TS2∥IDCGk∥MIDi∥ICj1) , and verifies whether GI2=h(IDINj∥MIDi∥Mx∥SKjk∥TS2) . If it is legitimate, INj also stores the session key SKjk(=SKkj) shared with CGk for the credential validation phase described in Section IV-I. Next, INj creates a random y∈Z∗p along with the current timestamp TS3 and computes My=y⋅P , NM2=h(MIDi∥IDINj∥IDCGk∥Mx∥My∥TS3) , NM3=y⋅(NM2⋅Mx+h(IDINj)⋅P) , its dynamic identity DID∗INj=IDINj⊕h(MIDi||IDCGk||TS3) , and finally the session key SKji=h(NM3∥MIDi∥IDINj∥Mx∥My) shared with Ui and its verifier SKVji=h(SKji∥TS3) . INj transmits the message MSG3={DID∗INj,NM2,My,SKVji,TS3} to the user Ui via the open channel.

  • LA5:

    MDi receives the message MSG3 at time TS′3 and checks if |TS′3−TS3|<ΔT . If the verification is successful, MDi computes ID∗INj=DID∗INj⊕h(MID∗i||IDCGk||TS3) and checks that it equals the identity IDINj of the node Ui intended to access, i.e., IDINj=?ID∗INj . If it is satisfied, MDi verifies NM2=?h(MID∗i∥IDINj∥IDCGk∥Mx∥My∥TS3) to validate that the received message MSG3 comes from the legitimate INj. If the verification is successful, MDi accepts INj as legitimate. Furthermore, MDi computes A4=(NM2.x+h(IDINj))⋅My and the session key SKij=h(A4∥MID∗i∥IDINj∥Mx∥My) shared with INj, and checks if SKVji=?h(SKij∥TS3) . If so, SKij is treated as authentic.

Finally, two session keys are successfully established: 1) a session key between Ui and INj as SKij=h(A4∥MID∗i∥IDINj∥Mx∥My)=h(NM3∥MIDi∥IDINj∥Mx∥My)=SKji and 2) another session key between CGk and INj as SKkj=h(TS2∥IDCGk∥MID∗i∥h(SKCG−BRC∥IDINj))=h(TS2∥IDCGk∥MIDi∥ICj1)=SKjk . This phase is also briefly illustrated in Fig. 3.

Fig. 3.

Login and authentication phases.

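The LA2–LA5 exchange above, run end to end in Python as an added example; this is not code from the paper. Assumptions the text leaves open: the curve Ep(a,b) is secp256k1 with base point P, h(·) is SHA-256, the biometric key σi = Rep(BIO′i, τi) is modelled as a fixed 256-bit secret (no fuzzy extractor is implemented), identities are random integers, the user registration is reconstructed from the revocation steps RE1–RE3, and wherever the paper XORs an elliptic-curve point (G1, A1) with a hash the point's x∥y encoding is used. CGk verifies A3 against h(XCGk), the value Ui obtains as G1⊕G3. Every message ends with its timestamp so that one receiver-side freshness check serves all three; flipping one bit of A3 in MSG1 makes CGk reject the request.

```python
import hashlib
import secrets
import time
# Assumed curve E_p(a,b): secp256k1 with base point P = GEN (the paper only asks for a prime p of at least 160 bits)
P_MOD, N_ORD = 2**256 - 2**32 - 977, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # assumed maximum transmission delay, in seconds

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2 else (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k.pt
    k, acc = k % N_ORD, None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(v):  # ints as 64 bytes, points as x||y: unambiguous input for h(.) and for XOR
    return v.to_bytes(64, "big") if isinstance(v, int) else v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
def pt_int(pt): return int.from_bytes(enc(pt), "big")  # integer view of a point, used where the paper XORs a point
def h(*parts): return int.from_bytes(hashlib.sha256(b"".join(map(enc, parts))).digest(), "big")  # h(.) = SHA-256
def recv(msg):  # every message ends with its timestamp TS; reject unless |TS' - TS| < DELTA_T (TS' = receive time)
    if abs(int(time.time()) - msg[-1]) >= DELTA_T: raise ValueError("stale timestamp")
    return msg

def register_user(cg, IDi, PWi, sigma):  # reconstructed from RE1-RE3; sigma = Rep(BIO'_i, tau_i) modelled as a fixed key
    bi = secrets.randbits(256)
    MIDi, MPWi = h(IDi, bi), h(PWi, sigma)
    G1 = ec_mul(cg["gpri"] * h(MIDi), GEN)
    G2p, G3 = pt_int(G1) ^ h(MPWi, MIDi), pt_int(G1) ^ h(cg["X"])
    return {"L": bi ^ h(IDi, sigma, PWi), "G2s": G2p ^ h(bi, sigma, PWi),  # MD_i keeps only masked values
            "G3s": G3 ^ h(sigma, bi, PWi), "G4": h(G1, PWi, bi, sigma)}

def user_login(md, Gpub, IDi, PWi, sigma, IDINj):  # LA2: MD_i checks the three factors and builds MSG1
    bi = md["L"] ^ h(IDi, sigma, PWi)
    MIDi = h(IDi, bi)
    G1 = ec_mul(h(MIDi), Gpub)
    G2, G3 = md["G2s"] ^ h(bi, sigma, PWi), md["G3s"] ^ h(sigma, bi, PWi)
    if h(G1, PWi, bi, sigma) != md["G4"]: raise ValueError("MD_i: wrong credentials")
    x, TS1 = secrets.randbelow(N_ORD - 1) + 1, int(time.time())
    hX, Mx = pt_int(G1) ^ G3, ec_mul(x, GEN)              # G1 XOR G3 = h(X_CGk)
    A1 = ec_mul(x, ec_add(Gpub, ec_mul(h(IDINj), GEN)))
    A2 = pt_int(A1) ^ h(G2, G1, Mx, TS1)
    msg1 = (h(hX, MIDi, TS1, A2), MIDi ^ h(hX, TS1), G2, IDINj ^ h(G1, TS1), Mx, TS1)  # A3, HID_i, G2, DID_INj, Mx, TS1
    return {"x": x, "MIDi": MIDi, "IDINj": IDINj, "Mx": Mx}, msg1

def cg_step(cg, msg1):  # LA3: CG_k verifies MSG1 and builds MSG2
    A3, HIDi, G2, DID, Mx, TS1 = recv(msg1)
    MIDi = HIDi ^ h(h(cg["X"]), TS1)
    G1 = ec_mul(cg["gpri"] * h(MIDi), GEN)
    IDINj = DID ^ h(G1, TS1)
    A2 = pt_int(ec_mul(cg["gpri"] + h(IDINj), Mx)) ^ h(G2, G1, Mx, TS1)
    if A3 != h(h(cg["X"]), MIDi, TS1, A2): raise ValueError("CG_k: login request rejected")
    TS2, IC1 = int(time.time()), h(cg["SK_CG_BRC"], IDINj)
    SKkj = h(TS2, cg["ID"], MIDi, IC1)
    return SKkj, (h(IC1, TS2) ^ MIDi, h(IDINj, MIDi, Mx, SKkj, TS2), Mx, TS2)  # GI1, GI2, Mx, TS2

def node_step(node, IDCGk, msg2):  # LA4: IN_j verifies MSG2 and builds MSG3
    GI1, GI2, Mx, TS2 = recv(msg2)
    MIDi = GI1 ^ h(node["IC1"], TS2)
    SKjk = h(TS2, IDCGk, MIDi, node["IC1"])
    if GI2 != h(node["ID"], MIDi, Mx, SKjk, TS2): raise ValueError("IN_j: gateway message rejected")
    y, TS3 = secrets.randbelow(N_ORD - 1) + 1, int(time.time())
    My = ec_mul(y, GEN)
    NM2 = h(MIDi, node["ID"], IDCGk, Mx, My, TS3)
    NM3 = ec_mul(y, ec_add(ec_mul(NM2, Mx), ec_mul(h(node["ID"]), GEN)))
    SKji = h(NM3, MIDi, node["ID"], Mx, My)
    return SKjk, SKji, (node["ID"] ^ h(MIDi, IDCGk, TS3), NM2, My, h(SKji, TS3), TS3)  # DID*, NM2, My, SKV_ji, TS3

def user_finish(st, IDCGk, msg3):  # LA5: MD_i verifies MSG3 and derives SK_ij
    DIDs, NM2, My, SKV, TS3 = recv(msg3)
    if DIDs ^ h(st["MIDi"], IDCGk, TS3) != st["IDINj"]: raise ValueError("MD_i: unexpected node")
    if NM2 != h(st["MIDi"], st["IDINj"], IDCGk, st["Mx"], My, TS3): raise ValueError("MD_i: NM2 mismatch")
    A4 = ec_mul(NM2 * st["x"] + h(st["IDINj"]), My)        # = NM2.(xy.P) + h(ID_INj).My = NM3
    SKij = h(A4, st["MIDi"], st["IDINj"], st["Mx"], My)
    if SKV != h(SKij, TS3): raise ValueError("MD_i: session key verifier mismatch")
    return SKij

def run_protocol(tamper_msg1=False):  # constructed long-term secrets; one full run, or None if CG_k rejects MSG1
    cg = {"gpri": secrets.randbelow(N_ORD - 1) + 1, "X": secrets.randbits(256),
          "SK_CG_BRC": secrets.randbits(256), "ID": secrets.randbits(128)}
    cg["Gpub"] = ec_mul(cg["gpri"], GEN)
    nid = secrets.randbits(128); node = {"ID": nid, "IC1": h(cg["SK_CG_BRC"], nid)}  # pre-loaded by the BRC
    IDi, PWi, sigma = secrets.randbits(128), int.from_bytes(b"Passw0rd!", "big"), secrets.randbits(256)
    st, msg1 = user_login(register_user(cg, IDi, PWi, sigma), cg["Gpub"], IDi, PWi, sigma, nid)
    if tamper_msg1: msg1 = (msg1[0] ^ 1,) + msg1[1:]        # an attacker flips one bit of A3 on the public channel
    try: SKkj, msg2 = cg_step(cg, msg1)
    except ValueError: return None
    SKjk, SKji, msg3 = node_step(node, cg["ID"], msg2)
    return {"SKij": user_finish(st, cg["ID"], msg3), "SKji": SKji, "SKkj": SKkj, "SKjk": SKjk}
```

run_protocol() returns the two key pairs of one honest run, with SKij equal to SKji and SKkj equal to SKjk, and run_protocol(tamper_msg1=True) returns None because CGk's A3 check fails. Note that SKkj is built from TS2 and long-term secrets only, with no ephemeral contribution; this is the property the ephemeral-secret-leakage discussion in Section V-B relies on.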

Remark 1:

Through the proposed scheme (UAP-BCIoT), a legitimate user can access, over the Internet and via the cloud gateway node, the data of the IoT devices installed inside the vehicles. This applies to scenarios in which a legitimate user needs real-time data from the vehicles (e.g., roadside conditions or vehicle accidents in a particular region). Such scenarios generate an enormous amount of data, which has to be stored at the cloud servers and which forms the ITS data; it is treated as the big data of the ITS. Big data analytics techniques are then needed to draw useful conclusions from it (e.g., the chance of a road accident in a particular region). The data of the IoT nodes can be transmitted to the cloud servers securely through the cloud gateway node using the authentication and key agreement mechanism. UAP-BCIoT is useful here because the real-time data accessed from the IoT nodes in the vehicles can later be securely stored at the cloud as well. In addition, authentication and key agreement among the IoT nodes, the cloud gateway node, and the cloud servers are also required to store the data securely at the cloud for big data analytics. In this way, UAP-BCIoT supports secure big data collection at the cloud.

E. Password/Biometric Update Phase

A valid registered user Ui will undergo the following procedure to update his/her password/biometric using the credentials stored in mobile device MDi without the involvement of CGk.

  1. Ui inserts his/her identity IDi and password PWi into the interface of MDi , and also imprints biometrics BIO′i at MDi ’s sensor. MDi then computes σ∗i= Rep(BIO′i, τi) provided that the Hamming distance between earlier registered BIOi and current BIO′i is less than et , MPW∗i=h(PWi∥σ∗i) , b∗i=Li⊕h(IDi∥σ∗i∥PWi) , MID∗i=h(IDi∥b∗i) , G1=h(MID∗i)⋅Gpub , G2=G∗2⊕h(b∗i∥σ∗i∥PWi) , G3=G∗3⊕h(σ∗i∥b∗i∥PWi) and G∗4=h(G1∥PWi∥b∗i∥σ∗i) .

  2. MDi verifies G∗4=?G4 . If it is successful, MDi confirms that Ui ’s entered old credentials (IDi,PWi,BIO′i) are valid, and Ui is then asked to choose a new password PWnewi and, if desired, new biometrics BIOnewi . MDi calculates Gen(BIOnewi)=(σnewi,τnewi) , Lnewi=b∗i⊕h(IDi∥σnewi∥PWnewi) , MPWnewi=h(PWnewi∥σnewi) , G∗new2=G2⊕h(b∗i∥σnewi∥PWnewi) , G∗new3=G3⊕h(σnewi∥b∗i∥PWnewi) , and Gnew4=h(G1∥PWnewi∥b∗i∥σnewi) . If the biometrics are not changed, σnewi=σ∗i and τnewi=τi are reused.

  3. Finally, MDi replaces Li , G∗2 , G∗3 , G4 and τi with Lnewi , G∗new2 , G∗new3 , Gnew4 and τnewi to complete the update process. Hence, Ui ’s MDi contains {Lnewi, G∗new2, G∗new3, Gnew4, h(⋅), Gen(⋅), Rep(⋅), τnewi, et, P} . The old values G∗2 and G∗3 , as well as the unmasked G1 , G2 and G3 computed during this phase, are deleted from MDi .

The password/biometric change phase is then briefly illustrated in Fig. 4.

Fig. 4.

Summary of the password/biometric update phase.


F. Dynamic IoT Device Addition Phase

To deploy a new IoT device node, say INnewj , in the existing network, the BRC picks a unique identity IDnewINj and calculates the secret credential ICnewj1=h(SKCG−BRC∥IDnewINj) . The BRC stores (IDnewINj, ICnewj1) into INnewj ’s memory before its deployment in the IoT-based ITS environment.

G. User Mobile Device Revocation Phase

If the mobile device MDi of an authorized registered user Ui is stolen/lost, the following steps need to be executed for obtaining new credentials for the mobile device MDnewi .

  • RE1:

    Ui keeps the same identity IDi but chooses a new password PW′i . Ui then imprints his/her biometrics BIO′i at the new mobile device MDnewi and generates a random number b′i . Ui calculates Gen(BIO′i)=(σ′i,τ′i) , MID′i=h(IDi∥b′i) and MPW′i=h(PW′i∥σ′i) , and submits the registration request 〈MID′i, MPW′i〉 secretly to the CGk with which he/she is registered.

  • RE2:

    On receiving the request, the CGk computes G1=(gpri.h(MID′i))⋅P , G′2=G1⊕h(MPW′i∥MID′i) and G3=G1⊕h(XCGk) . The CGk then issues the secret credentials to Ui secretly as a registration reply message having the information {G1,G′2,G3,h(⋅),P} .

  • RE3:

    After receiving registration reply message, Ui computes L′i=b′i⊕h(IDi∥σ′i∥PW′i) , G∗2=G′2⊕h(b′i∥σ′i∥PW′i) , G∗3=G3⊕h(σ′i∥b′i∥PW′i) , and G4=h(G1∥PW′i∥b′i∥σ′i) .

Finally, Ui stores {L′i , G∗2 , G∗3, G4, Gen(⋅), Rep(⋅), τ′i} into MDnewi to complete the revocation process. Hence, Ui ’s MDnewi contains {L′i, G∗2, G∗3, G4, h(⋅), Gen(⋅), Rep(⋅), τ′i, et, P} . In addition, Ui deletes G1 , G′2 , and G3 .

The above user mobile device revocation phase is also briefly illustrated in Fig. 5.

Fig. 5.

Summary of the user mobile device revocation phase.


H. Big Data Analytics Phase

This phase permits secure storage and analysis of the big data generated by the smart devices of the IoT-based ITS environment, and makes it possible to draw useful conclusions from the stored, processed and analyzed data, for example predictions about the chance of a road accident in a particular region, vehicle condition, or roadside condition. The following procedure is used in this phase.

  • BDA1:

    The deployed IoT nodes (i.e., smart devices inside the vehicles) produce an enormous amount of data which is sensitive in nature and exposed to the attacks discussed earlier, so it must be stored, processed and analyzed securely. For the secure exchange of data between the cloud gateway server CGk and an IoT node INj, the steps of the authentication and key establishment phase of Section IV-D are used: at the end of that phase, CGk and INj share the session key SKkj(=SKjk) .

  • BDA2:

    INj now encrypts its data, say dataINj , as ESKjk(dataINj) with the session key SKjk and sends the ciphertext to CGk, which decrypts it with the established session key SKkj to recover dataINj . Because an adversary may also alter the exchanged data (see Remark 2), E should be an authenticated-encryption mode, so that CGk rejects tampered ciphertexts instead of feeding them into the analytics.

  • BDA3:

    Likewise, CGk receives the data from different IoT nodes INj, where j=1,2⋯ns and ns is the number of IoT nodes in the ITS environment. Again, CGk executes other steps of the big data analytics, such as data acquisition and filtering, data extraction, data aggregation and representation, data analysis, and data visualization, on the received data. The final outcome of this phase will come in the form of some useful conclusion, such as chances of road accident in a particular region [31]–​[33].

Remark 2:

ITS is an emerging transportation infrastructure in which many users, roads, and vehicles interact. It combines advanced hardware, communication technology, and sensors, and its applications give travelers rich information while improving the safety, security, and efficiency of the transportation system. The data gathered by the many devices and users in an IoT-based ITS environment is of enormous volume, which gives rise to big data, and big data analytical methods are needed to draw useful conclusions from it. Such data collection, however, requires strong security protocols (in particular, user authentication). Without them, an adversary A may interfere in the communication and alter the exchanged data, in which case big data collection and analysis lose their value, because they may produce wrong predictions and results. Therefore, user authentication is an essential requirement for big data collection and analysis in an IoT-based ITS, and this is why we present a secure user authentication protocol for this setting.

I. IoT Device Credential Validation Phase

Because an adversary may physically capture an IoT node, or a node may itself behave maliciously, the CG node CGk should periodically verify whether an IoT node INj is behaving properly in the network. This phase uses the already established session key SKjk(=SKkj) between INj and CGk. The following steps complete this phase.

  • DCV1:

    CGk first initiates the communication by generating a current timestamp TSrg and a random secret rvrg∈Z∗q and then calculating ACGk=h(XCGk∥rvrg∥TSrg) and Re1=ACGk⊕h(SKkj∥h(SKCG−BRC∥IDINj)∥TSrg) . Next, CGk sends the device credential validation request message {Re1, TSrg} to INj via the public channel.

  • DCV2:

    If the message {Re1, TSrg} is received at time TS′rg , INj verifies the timestamp TSrg by the condition: |TSrg−TS′rg|<ΔT . If it is valid, INj proceeds to calculate BCGk=Re1⊕h(SKjk∥ICj1∥TSrg) using its stored credential ICj1 and session key SKjk shared with CGk. After that, INj generates a current timestamp TSrj , calculates Re2=h(SKjk∥BCGk∥TSrj) and sends the device credential validation response message {Re2, TSrj} to CGk via public channel.

  • DCV3:

    After receiving the message {Re2, TSrj} at time TS′rj , CGk checks if |TSrj−TS′rj|<ΔT . If the timestamp validation passes, CGk then calculates Re∗2=h(SKkj∥ACGk∥TSrj) and validates the condition: Re∗2=Re2 . If it is valid, CGk assures that INj is behaving properly in the deployment area and also its credentials are genuine.
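The DCV1–DCV3 exchange above, as an added Python example that is not code from the paper, using only the hash-based steps it describes. Assumed: h(·) is SHA-256, timestamps are encoded as 8-byte integers, XCGk, SKCG−BRC and the stored session key SKkj = SKjk are 32-byte values, the node identity is a constructed string, and the final comparison at CGk uses hmac.compare_digest. The run shows a genuine node passing and two failure cases: a node that presents a different ICj1 (for example a credential copied from another captured device) and a node that holds the right ICj1 but not the session key established in LA3/LA4.

```python
import hashlib
import hmac
import secrets
import time

DELTA_T = 5  # assumed maximum transmission delay, in seconds

def h(*parts):
    """h(.) = SHA-256 over the concatenation; int timestamps are encoded as 8-byte big-endian."""
    return hashlib.sha256(b"".join(p.to_bytes(8, "big") if isinstance(p, int) else p
                                   for p in parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fresh(ts):
    """|TS - TS'| < DELTA_T, with TS' the receive time."""
    return abs(int(time.time()) - ts) < DELTA_T

class Gateway:
    """CG_k: holds X_CGk, SK_CG-BRC, the identity of the node under test and the stored session key SK_kj."""
    def __init__(self, X_CGk, SK_CG_BRC, ID_INj, SK_kj):
        self.X, self.SK_CG_BRC, self.ID_INj, self.SK_kj = X_CGk, SK_CG_BRC, ID_INj, SK_kj
        self.A_CGk = None

    def dcv1(self):
        """DCV1: Re1 = A_CGk XOR h(SK_kj || h(SK_CG-BRC || ID_INj) || TS_rg), A_CGk = h(X_CGk || rv_rg || TS_rg)."""
        TS_rg = int(time.time())
        rv_rg = secrets.token_bytes(32)                       # fresh random secret rv_rg
        self.A_CGk = h(self.X, rv_rg, TS_rg)
        Re1 = xor(self.A_CGk, h(self.SK_kj, h(self.SK_CG_BRC, self.ID_INj), TS_rg))
        return Re1, TS_rg

    def dcv3(self, Re2, TS_rj):
        """DCV3: accept iff TS_rj is fresh and Re2 == h(SK_kj || A_CGk || TS_rj) (constant-time compare)."""
        if not fresh(TS_rj):
            return False
        return hmac.compare_digest(Re2, h(self.SK_kj, self.A_CGk, TS_rj))

class IoTNode:
    """IN_j: holds the pre-loaded credential IC_j1 = h(SK_CG-BRC || ID_INj) and the session key SK_jk."""
    def __init__(self, IC_j1, SK_jk):
        self.IC_j1, self.SK_jk = IC_j1, SK_jk

    def dcv2(self, Re1, TS_rg):
        """DCV2: unmask B_CGk with the node's own credential and answer Re2 = h(SK_jk || B_CGk || TS_rj)."""
        if not fresh(TS_rg):
            raise ValueError("stale challenge")
        B_CGk = xor(Re1, h(self.SK_jk, self.IC_j1, TS_rg))    # equals A_CGk only if IC_j1 and SK_jk are genuine
        TS_rj = int(time.time())
        return h(self.SK_jk, B_CGk, TS_rj), TS_rj

def validate(gateway, node):
    """One DCV1-DCV3 round; True iff CG_k accepts the node's credential."""
    Re1, TS_rg = gateway.dcv1()
    Re2, TS_rj = node.dcv2(Re1, TS_rg)
    return gateway.dcv3(Re2, TS_rj)

def demo():
    """Constructed secrets: a genuine node, a node with the right session key but a wrong IC_j1
    (e.g. a credential copied from another captured device), and a node with the right IC_j1 but
    a wrong session key. Returns the three verdicts in that order."""
    X_CGk, SK_CG_BRC = secrets.token_bytes(32), secrets.token_bytes(32)
    ID_INj = b"vehicle-unit-0042"                              # constructed node identity
    IC_j1 = h(SK_CG_BRC, ID_INj)                               # pre-loaded by the BRC (device addition phase)
    SK = secrets.token_bytes(32)                               # SK_kj = SK_jk agreed in LA3/LA4
    cg = Gateway(X_CGk, SK_CG_BRC, ID_INj, SK)
    genuine = validate(cg, IoTNode(IC_j1, SK))
    wrong_credential = validate(cg, IoTNode(secrets.token_bytes(32), SK))
    wrong_session_key = validate(cg, IoTNode(IC_j1, secrets.token_bytes(32)))
    return genuine, wrong_credential, wrong_session_key

if __name__ == "__main__":
    print("genuine=%s wrong_credential=%s wrong_session_key=%s" % demo())
```

Both failure cases are caught at DCV3 because BCGk only equals ACGk when the node unmasks Re1 with the same ICj1 and SKjk that CGk used; the random rvrg and the timestamp make each challenge unique, so a recorded Re2 from an earlier round is useless.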

SECTION V.

Security Analysis

Wang et al. [34] analyzed numerous anonymous two-factor authentication protocols and showed that, under a widely accepted adversarial model such as the DY model [21], certain goals cannot be achieved. They also pointed out that widely accepted formal methods, including random-oracle-model-based proofs, cannot catch some structural faults, so assuring the soundness of authentication protocols remains an open problem. These observations motivate us to provide three complementary kinds of analysis, namely the random-oracle-model-based formal security analysis (Section V-A), the informal security analysis (Section V-B), and the formal security verification (Section VI), in order to strengthen the security of the proposed scheme.

To analyze the security of the proposed scheme (UAP-BCIoT), we define a one-way collision-resistant hash function and ECDDHP as follows.

Definition 1:

A “one-way collision-resistant hash function,” say h : {0,1}∗ →{0,1}lh , is a “deterministic algorithm that gives output as a binary string h(s)∈{0,1}lh of fixed length lh bits as hash output (message digest) on an input with an arbitrary-length binary string s∈{0,1}∗ .” The advantage of an adversary A in finding a collision is then “AdvHASHA(t)=Pr[(s1,s2)←RA:s1≠s2,h(s1)=h(s2)] , where Pr[E] denotes the probability of an event E and (s1,s2)←RA indicates that the input pair (s1,s2) is randomly picked by A .” A (ψ,t) -adversary A attacking h ’s collision resistance is one whose running time is at most t and for which AdvHASHA(t)≤ψ .

Definition 2:

Let X∈Ep(a,b) be a point on an elliptic curve Ep(a,b) . The ECDDHP states that given a quadruple (X, k1.X, k2.X, k3.X) , decide if k3=k1k2 or it is a uniform value, where k1,k2,k3∈Z∗p={1,2,…,p−1} .

In order to maintain the intractability of the ECDDHP, p must be a prime of at least 160 bits.

A. Formal Security Analysis Using ROR Model

The semantic security of the proposed UAP-BCIoT under the ROR model [7] is demonstrated in this section. Wang et al. [20] showed that the distribution of user-selected passwords follows Zipf’s law and differs significantly from the uniform distribution. In practice, “the size of the password dictionary is very much constrained in the sense that the space of the passwords may not be fully utilized by the users, and only a small portion of the permitted character space is used” [20]. We therefore apply Zipf’s law in proving the semantic security of UAP-BCIoT in Theorem 1, in order to capture the session-key security part realistically; Zipf’s law is also used in several recently proposed authentication schemes [19], [35]. Before proving Theorem 1, we briefly review the ROR model.

The considered ROR model has the following components that are associated with various queries accessed by an adversary A . The purpose of various queries are tabulated in Table III.

  1. Participants: The involved participants associated with the proposed UAP-BCIoT are the users (Ui) , the CG nodes (CGk) , and IoT nodes (INj) . The instances i1, i2 , and i3 of Ui , CGk, and INj are denoted by the notations πi1Ui , πi2CGk , and πi3INj , and these are also termed as oracles.

  2. Accepted State: An instance πi is said to be in “accepted state,” when after receiving the last presumed protocol message it gets into an accept state. The “session identification sid of πi for the running session” is constituted when all the transmitted and received messages by the πi are organized in continuation.

  3. Partnering: Two instances, πi1 and πi2 , will be partners to each other once the following conditions are fulfilled.

    1. πi1 and πi2 need to be in “accepted states.”

    2. πi1 and πi2 need to have the same sid and also need to “mutually authenticate each other.”

    3. πi1 and πi2 need to be “mutual partners of each other.”

  4. Freshness: The instance πi1Ui or πi3INj is called fresh if the created session key SKij between Ui and INj is not leaked to the A using the Reveal(πi ) query provided in Table III.

TABLE III Various Queries and Their Significance

Theorem 1:

If A is a polynomial-time adversary running in time t against the proposed UAP-BCIoT under the ROR model that applies Zipf’s law for the user-chosen passwords, lb is the number of bits in the biometric secret key σi , and $\mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t)$ is A ’s advantage in breaking the semantic security of UAP-BCIoT in time t , i.e., in deriving the session key SKij between a user Ui and an IoT node INj or the session key SKjk between INj and the CG node CGk , then
\[ \mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t) \le \frac{q_h^2}{|\mathrm{Hash}|} + 2\left(\max\left\{C' \cdot q_s^{s'},\ \frac{q_s}{2^{l_b}}\right\} + \mathrm{Adv}^{\mathrm{ECDDHP}}_{\mathcal A}(t)\right), \]
where qh , qs , and |Hash| denote, respectively, the number of hash queries, the number of Send queries, and the range space of h(⋅) , $\mathrm{Adv}^{\mathrm{ECDDHP}}_{\mathcal A}(t)$ is A ’s advantage in solving the ECDDHP (see Definition 2), and C′ and s′ are Zipf’s parameters [20].

Proof:

We follow the proof of this theorem in the same manner as previous authentication protocols [18], [26], [36]. Five games, GameAj for j=0,1,2,3,4 , are played as follows. We denote by SuccGameAj the “event in which A guesses the random bit c in the game GameAj correctly,” and A ’s advantage in winning GameAj by $\mathrm{Adv}^{Game_j^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} = \Pr[\mathrm{Succ}^{Game_j^{\mathcal A}}]$ , where Pr[E] indicates the “probability of an event E .”

  1. GameA0 : This game corresponds to the actual attack executed by A against our proposed UAP-BCIoT in the ROR model. Because “the bit c is picked up randomly before the beginning of the GameA0 ,” the semantic security of UAP-BCIoT gives the following:

    \[ \mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t) = \left| 2\,\mathrm{Adv}^{Game_0^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} - 1 \right|. \tag{1} \]

  2. GameA1 : This game models an eavesdropping attack in which A can eavesdrop all the messages MSG1={A3,HIDi,G2,DIDINj,Mx,TS1} , MSG2={GI1,GI2,Mx,TS2} , and MSG3={DID∗INj,NM2,My,SKVji,TS3} exchanged between Ui , CGk, and INj during the login and authentication phase by executing the Execute query tabulated in Table III. Once this game is over, A executes the Reveal and Test queries to decide whether the derived session key SKij is the real key or just a “random key.” Eavesdropping the messages MSGj (j=1,2,3) alone does not raise A ’s winning probability in GameA1 , because the calculation of SKij needs both temporal and long-term secret information, such as x , y , MIDi , IDCGk , and IDINj . This means that the games GameA0 and GameA1 are “indistinguishable.” Hence, we have

    \[ \mathrm{Adv}^{Game_1^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} = \mathrm{Adv}^{Game_0^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}}. \tag{2} \]

  3. GameA2 : This game corresponds to an active attack in which A can execute several hash queries. Assume that A intercepts all the messages MSG1={A3,HIDi,G2,DIDINj,Mx,TS1} , MSG2={GI1,GI2,Mx,TS2} , and MSG3={DID∗INj,NM2,My,SKVji,TS3} exchanged between Ui , CGk, and INj. Recall that Mx=x⋅P , HIDi=MID∗i⊕h((G1⊕G3)||TS1)=MID∗i⊕h(h(XCGk)||TS1) , A1=x⋅(Gpub+h(IDINj)⋅P) , A2=A1⊕h(G2∥G1∥Mx∥TS1) , A3=h((G1⊕G3)∥MID∗i∥TS1∥A2) , the dynamic identity of INj is DIDINj=IDINj⊕h(G1∥TS1) , GI1=h(h(SKCG−BRC||IDINj)||TS2)⊕MID∗i , the session key shared between the IoT node INj and CGk is SKkj=h(TS2∥IDCGk∥MID∗i∥h(SKCG−BRC∥IDINj))=h(TS2∥IDCGk∥MIDi∥ICj1)=SKjk , GI2=h(IDINj∥MID∗i∥Mx∥SKkj∥TS2) , My=y⋅P , NM2=h(MIDi∥IDINj∥IDCGk∥Mx∥My∥TS3) , NM3=y⋅(NM2⋅Mx+h(IDINj)⋅P) , DID∗INj=IDINj⊕h(MIDi||IDCGk||TS3) , the session key shared between Ui and INj is SKji=h(NM3∥MIDi∥IDINj∥Mx∥My) , and its verifier is SKVji=h(SKji∥TS3) . All the secret credentials contained in the components of MSG1, MSG2, and MSG3 are protected by the “one-way collision-resistant hash function h(⋅) ” (see Definition 1), and the chosen random numbers, identities, current timestamps and secrets all enter the construction of these messages, so A ’s hash queries produce a collision only with the birthday-bound probability. Since the games GameA1 and GameA2 are “indistinguishable” apart from the simulation of the hash query in GameA2 , the birthday paradox gives the following:

    \[ \left| \mathrm{Adv}^{Game_1^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} - \mathrm{Adv}^{Game_2^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} \right| \le \frac{q_h^2}{2\,|\mathrm{Hash}|}. \tag{3} \]

  4. GameA3 : This game simulates the CorruptMD query, so A can extract “all the information {Li, G∗2, G∗3, G4, h(⋅), Gen(⋅), Rep(⋅), τi, P} stored in the mobile device MDi of the user Ui .” The probability of guessing the “biometric secret key σi of length lb bits (respectively, BIOi)” is roughly 1/2^lb [37]. In addition, assume that A attempts to guess the low-entropy password using Zipf’s law on passwords [20]. When only “trawling guessing attacks” are considered, A ’s advantage exceeds 0.5 once qs = 10^7 or 10^8 [20]; for “targeted guessing attacks (in which A can use the target user’s personal information),” A ’s advantage exceeds 0.5 already for qs ≤ 10^6 [20]. Since in practice a system allows only a limited number of wrong password entries, and the games GameA2 and GameA3 are “indistinguishable” in the absence of guessing attacks, the following result is obtained [19], [35]:

    \[ \left| \mathrm{Adv}^{Game_2^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} - \mathrm{Adv}^{Game_3^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} \right| \le \max\left\{ C' \cdot q_s^{s'},\ \frac{q_s}{2^{l_b}} \right\}. \tag{4} \]
    Here, C′ and s′ denote Zipf’s parameters [20].

  5. GameA4 : In this final game, A by eavesdropping the messages MSG1, MSG2 and MSG3 will try to compute the session key between a legal user Ui and an IoT node INj. The session key shared between the IoT node INj and CGk is SKkj=h(TS2∥IDCGk∥MID∗i∥h(SKCG−BRC∥IDINj))=h(TS2∥IDCGk∥MIDi∥ICj1)=SKjk . The session key between Ui and INj is computed as SKij=h(A4∥MID∗i∥IDINj∥Mx∥My)=h(NM3∥MIDi∥IDINj∥Mx∥My)=SKji . We have NM3=y⋅(NM2⋅Mx+h(IDINj)⋅P)=((xy)⋅P).NM2+h(IDINj)⋅My , and A4=(NM2.x+h(IDINj))⋅My=((xy)⋅P).NM2+h(IDINj)⋅My=NM3 . Thus, if A is able to derive (xy)⋅P from the intercepted Mx=x⋅P and My=y⋅P in polynomial time t , the derivation of SKij becomes easy. Both the games GameA3 and GameA4 are also “indistinguishable” in the absence of solving ECDDHP (see Definition 2). As a result, the ECDDHP leads to the following result:

    \[ \left| \mathrm{Adv}^{Game_3^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} - \mathrm{Adv}^{Game_4^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} \right| \le \mathrm{Adv}^{\mathrm{ECDDHP}}_{\mathcal A}(t). \tag{5} \]
    Now, all the queries have been executed by A . It therefore only remains to guess the bit c for “winning the game after querying the Test query.” It then follows that
    \[ \mathrm{Adv}^{Game_4^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}} = \frac{1}{2}. \tag{6} \]

From (1), (2), and (6), writing $\mathrm{Adv}_j$ for $\mathrm{Adv}^{Game_j^{\mathcal A}}_{\mathrm{UAP\text{-}BCIoT}}$, we have
\[ \frac{1}{2}\,\mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t) = \left| \mathrm{Adv}_0 - \frac{1}{2} \right| = \left| \mathrm{Adv}_0 - \mathrm{Adv}_4 \right| = \left| \mathrm{Adv}_1 - \mathrm{Adv}_4 \right|. \tag{7} \]
Applying the triangle inequality to (7), and using (3)–(5), we obtain
\[ \frac{1}{2}\,\mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t) \le \left| \mathrm{Adv}_1 - \mathrm{Adv}_2 \right| + \left| \mathrm{Adv}_2 - \mathrm{Adv}_3 \right| + \left| \mathrm{Adv}_3 - \mathrm{Adv}_4 \right| \le \frac{q_h^2}{2\,|\mathrm{Hash}|} + \max\left\{ C' \cdot q_s^{s'},\ \frac{q_s}{2^{l_b}} \right\} + \mathrm{Adv}^{\mathrm{ECDDHP}}_{\mathcal A}(t). \tag{8} \]
Finally, multiplying both sides of (8) by 2 gives the claimed bound
\[ \mathrm{Adv}^{\mathrm{UAP\text{-}BCIoT}}_{\mathcal A}(t) \le \frac{q_h^2}{|\mathrm{Hash}|} + 2\left( \max\left\{ C' \cdot q_s^{s'},\ \frac{q_s}{2^{l_b}} \right\} + \mathrm{Adv}^{\mathrm{ECDDHP}}_{\mathcal A}(t) \right). \]

B. Informal Security Analysis

This section discusses the security of the proposed UAP-BCIoT informally (nonmathematically).

1) Impersonation Attacks:

We consider the following three cases.

  1. User Impersonation Attack: Consider an active attacker A who captures the transmitted messages MSGi (i=1,2,3) between Ui and CGk, between CGk and INj, and between INj and Ui . To impersonate Ui , A needs to produce an MSG1 with valid credentials for CGk. Without knowledge of CGk’s private key (on which G1 depends), IDi, bi , x , and G1 , it is computationally infeasible for A to impersonate Ui in polynomial time using the intercepted messages. The same reasoning holds for impersonating CGk and INj, i.e., for generating valid messages MSG2 and MSG3, respectively.

  2. CG Impersonation Attack: Consider an active attacker A who captures the messages transmitted between CGk and INj, such as MSG2={GI1,GI2,Mx,TS2} , during the execution of the protocol. To impersonate CGk, A needs to produce an MSG2 with valid credentials for INj. Without knowledge of CGk’s private key, the secret XCGk (needed to recover MID∗i from HIDi), IDi, SKCG−BRC (needed for ICj1 and hence SKkj), and G1 , it is computationally infeasible for A to impersonate CGk in polynomial time from the intercepted messages.

  3. IoT Node Impersonation Attack: Consider an active attacker A who captures the messages transmitted between INj and Ui , such as MSG3={DID∗INj,NM2,My,SKVji,TS3} , during the execution of the protocol. To impersonate INj, A needs to produce an MSG3 with valid credentials for Ui . Without knowledge of the credential ICj1 shared by CGk and INj (and hence of MIDi recovered from GI1), IDi, SKCG−BRC , y , and NM3 , it is computationally infeasible for A to impersonate INj in polynomial time from the intercepted messages.

As a result, we infer that the proposed UAP-BCIoT resists all the above impersonation attacks.

2) Replay Attack:

Consider that A captures all the messages MSG1={A3,HIDi,G2,DIDINj,Mx,TS1} , MSG2={GI1,GI2,Mx,TS2} , and MSG3={DID∗INj,NM2,My,SKVji,TS3} transmitted between the participants during the login and authentication phase over the public channel. A may then replay these messages in order to extract some valuable information from the participants. The validation of a replayed message fails because each message carries the sender’s current timestamp, which the receiver checks against the maximum delay ΔT , and MSG2 and MSG3 are additionally bound to the current run’s random values through Mx and My (in GI2, NM2 and SKVji), so a message captured from an earlier run is rejected. Thus, UAP-BCIoT resists the replay attack.

3) Privileged-Insider Attack:

The BRC is assumed to be trusted and CGk to be semitrusted. The user’s raw credentials are never stored anywhere: the values CGk receives during the user registration phase are masked with the random number bi and the biometric key σi , so the registration request {MIDi,MPWi} with MIDi=h(IDi∥bi) and MPWi=h(PWi∥σi) reveals neither the identity, nor the password, nor the biometric information. Even an insider with access to this request therefore obtains only outputs of the one-way hash function (see Definition 1), from which recovering the inputs in polynomial time is computationally infeasible. Hence, UAP-BCIoT resists the privileged-insider attack.

4) Man-in-the-Middle Attack:

Consider that A captures all the messages transmitted between the participants during the login and authentication phase over the public channel, where MSG1={A3,HIDi,G2,DIDINj,Mx,TS1} , MSG2={GI1,GI2,Mx,TS2} , and MSG3={DID∗INj,NM2,My,SKVji,TS3} . A may try to modify them so that the participants believe the received messages come from legitimate participants. To modify MSG1 consistently, A must recompute A3 , Mx , and G2 , which requires knowledge of MIDi, G1 , G3 , and A2 . The same holds for MSG2 and MSG3, which A cannot modify without, respectively, the credential ICj1 shared between CGk and INj and the values MIDi and y bound into NM2 and SKVji . Furthermore, the random numbers and current timestamps tie every message to a single run, so this attack is computationally infeasible. Thus, UAP-BCIoT resists the man-in-the-middle attack.

5) Stolen Mobile Device Attack:

Assume that the mobile device MDi of a legal user Ui is lost or stolen by an attacker A who extracts the credentials {Li, G∗2, G∗3, G4, τi} stored on MDi using power analysis attacks [22]. Each stored value is masked with the collision-resistant one-way hash function (see Definition 1) of the password PWi , the biometric key σi and the random number bi , and the values sent during Ui ’s registration are likewise masked as {MIDi,MPWi} . Therefore, A can neither recover Ui ’s identity, password or biometric information from the stored values nor pass the check G∗4=?G4 without all three factors. Thus, UAP-BCIoT resists the stolen mobile device attack.

6) Mutual Authentication:

In UAP-BCIoT, on receiving the login request MSG1, CGk checks the authenticity of the participant Ui by verifying A3=?h(h(XCGk)∥MID∗i∥TS1∥A2) , which only a user holding G1 and G3 (and hence G1⊕G3=h(XCGk) ) can produce. Upon successful validation, CGk authenticates Ui . On receiving the message MSG2, INj checks the authenticity of CGk by verifying GI2=?h(IDINj∥MIDi∥Mx∥SKjk∥TS2) , which requires the credential ICj1 shared by CGk and INj. On successful verification, INj authenticates CGk directly and Ui indirectly. In addition, on receiving the response message MSG3, Ui checks the authenticity of INj by verifying NM2=?h(MID∗i∥IDINj∥IDCGk∥Mx∥My∥TS3) ; since MIDi reached INj only through CGk, Ui thereby authenticates INj directly and CGk indirectly. Moreover, the session key verifier SKVji is checked at Ui to ensure that Ui and INj share the same session key. Thus, the participants achieve mutual authentication in UAP-BCIoT.

7) Ephemeral Secret Leakage Attack:

Under the CK-adversary model [23], an attacker A can compromise session states and secret credentials in addition to everything permitted under the DY model [21]. In UAP-BCIoT, if only the short-term secrets (x,y) are compromised, the session key between Ui and INj, SKij=h(A4∥MID∗i∥IDINj∥Mx∥My)=h(NM3∥MIDi∥IDINj∥Mx∥My)=SKji , is not compromised, because its computation also requires the long-term values MIDi and IDINj , which are never sent in the clear. If only the long-term secrets (MIDi, IDCGk, IDINj) are compromised, SKij is still not compromised, because deriving (xy).P from Mx and My is computationally infeasible under the ECDDHP (see Definition 2). Hence, without both the short-term and the long-term secrets, it is computationally infeasible for A to derive SKij . The session key shared between INj and CGk, SKkj=h(TS2∥IDCGk∥MID∗i∥h(SKCG−BRC∥IDINj))=h(TS2∥IDCGk∥MIDi∥ICj1)=SKjk , contains no ephemeral component: it is derived from TS2 and the long-term secrets (MIDi,IDCGk,IDINj,SKCG−BRC) only, and remains secure as long as these long-term secrets are not disclosed. This shows that UAP-BCIoT is resilient against the ESL attack.

8) Physical IoT Node Capture Attack:

In an IoT-based ITS environment, it is not always possible to monitor the IoT nodes around the clock, so some IoT nodes may be physically captured. Assume that an IoT node, say INj, is physically compromised. This exposes all the secret credentials (IDINj,ICj1) stored in INj’s memory, where ICj1=h(SKCG−BRC∥IDINj) . Since the identities generated for the IoT nodes are unique, the credentials ICj1 of distinct nodes are distinct, and ICj1 does not reveal SKCG−BRC because h(⋅) is one-way. Hence, (IDINj,ICj1) is of no use for constructing the session keys SKik between a user Ui and any noncompromised IoT node INk in the IoT-based ITS environment. Therefore, even if some IoT nodes are physically captured, A cannot compromise the session keys established between the user Ui and other noncompromised IoT nodes INk, and UAP-BCIoT is resilient against the physical IoT node capture attack.

9) Anonymity and Untracability:

Consider that A captures all the messages MSGi (i=1,2,3) transmitted among the participants during the login and authentication phase over the public channel. Without the secret credentials x , y , MIDi, G1 , bi , and XCGk , the identities of the participants (IDi, IDCGk, IDINj) cannot be extracted from them: IDi appears only inside MIDi=h(IDi∥bi) , which is itself masked in HIDi and GI1, and IDINj is transmitted only as the dynamic identities DIDINj and DID∗INj . It is thus computationally infeasible for A to derive the identities of the participants from the transmitted messages. Furthermore, the hashed and masked components of every message involve fresh random numbers and current timestamps and therefore change from session to session. This shows that A can neither identify nor trace the participants. Thus, UAP-BCIoT ensures anonymity and untraceability.

SECTION VI.

Formal Security Verification Through AVISPA Tool: Simulation Study

This section presents the simulation study of UAP-BCIoT through formal security verification with the widely accepted AVISPA tool [6]. The result of testing a security protocol under AVISPA indicates whether “it is safe against active attacks, such as replay and man-in-the-middle attacks.” AVISPA has four backends: the on-the-fly model-checker (OFMC), the constraint logic-based attack searcher (CL-AtSe), the SAT-based model-checker (SATMC), and tree automata based on automatic approximations for the analysis of security protocols (TA4SP). The tested protocol is first specified in the role-oriented high-level protocol specification language (HLPSL) [6]. The HLPSL2IF translator converts the HLPSL code into the intermediate format (IF), which is given as input to one of the four backends to produce the output format (OF). When the analysis of a protocol has completed (whether or not an attack was found), the OF states the result and the conditions under which it was obtained. The OF contains the following sections [6].

  1. The first section (SUMMARY) indicates that “whether the tested protocol is safe, unsafe, or whether the analysis is inconclusive.”

  2. The second section (DETAILS) specifies “under what condition the tested protocol is declared safe or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.”

  3. Other sections (PROTOCOL, GOAL, and BACKEND) are “the name of the protocol, the goal of the analysis, and the name of the backend used,” respectively.

  4. At the end, “after some comments and statistics, the trace of an attack (if any) is also printed in the standard Alice-Bob format.”

A detailed treatment on AVISPA and its HLPSL implementation can be also found in [6].
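The OF sections described above are what a practitioner actually reads after a run; the following added example (ours, not code from the paper or the AVISPA project) parses such a report into its sections and returns a verdict. The two reports embedded below are constructed samples laid out in the shape of OFMC and CL-AtSe output; they are not results for UAP-BCIoT, and the file paths and statistics in them are placeholders.

```python
"""Parse the output format (OF) printed by AVISPA backends.

Added example, not from the paper. The two reports below are constructed
samples in the shape of OFMC / CL-AtSe output (paths and statistics are
placeholders), not UAP-BCIoT results.
"""
import re

# Constructed sample laid out like an OFMC report of a SAFE result.
OFMC_REPORT = """\
% OFMC
% Version of 2006/02/13
SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
  /path/to/results/protocol.if
GOAL
  as_specified
BACKEND
  OFMC
COMMENTS
STATISTICS
  parseTime: 0.00s
  searchTime: 0.12s
  visitedNodes: 20 nodes
  depth: 4 plies
"""

# Constructed sample of an UNSAFE result with an attack trace
# (the trace lines are placeholders in the usual Alice-Bob style).
UNSAFE_REPORT = """\
SUMMARY
  UNSAFE
DETAILS
  ATTACK_FOUND
  TYPED_MODEL
PROTOCOL
  /path/to/results/toy.if
GOAL
  Secrecy attack on (n(Na,1))
BACKEND
  CL-AtSe
STATISTICS
  Analysed   : 12 states
  Reachable  : 5 states
ATTACK TRACE
  i -> (a,3): start
  (a,3) -> i: {n(Na,1)}_k
"""

# Section headers that an OF report may contain, one per line.
SECTION_RE = re.compile(
    r"^(SUMMARY|DETAILS|PROTOCOL|GOAL|BACKEND|COMMENTS|STATISTICS|ATTACK TRACE)\s*$"
)


def parse_of(text):
    """Split an OF report into {section name: [content lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("%"):          # backend version banner, not content
            continue
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def verdict(text):
    """Reduce a report to the fields a reviewer or CI job cares about.

    Anything other than an explicit SAFE/UNSAFE summary is treated as
    INCONCLUSIVE, so a truncated or malformed report never reads as SAFE.
    """
    s = parse_of(text)
    summary = (s.get("SUMMARY") or [""])[0].upper()
    if summary not in ("SAFE", "UNSAFE", "INCONCLUSIVE"):
        summary = "INCONCLUSIVE"
    return {
        "verdict": summary,
        "backend": (s.get("BACKEND") or [""])[0],
        "details": s.get("DETAILS", []),
        "goal": " ".join(s.get("GOAL", [])),
        "attack_trace": s.get("ATTACK TRACE", []),
    }


def all_safe(reports):
    """True only if every backend report (e.g. OFMC and CL-AtSe) says SAFE."""
    return all(verdict(r)["verdict"] == "SAFE" for r in reports)


if __name__ == "__main__":
    for r in (OFMC_REPORT, UNSAFE_REPORT):
        print(verdict(r))
```

The fail-closed default in `verdict` matters in practice: a run that is killed or that hits the bounded-session limit should surface as inconclusive, not be silently counted as a pass when several backends are checked together with `all_safe`.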

In UAP-BCIoT, three basic roles, for Ui, CGk, and INj, are implemented. The composition roles (session, and goal & environment) are mandatory roles that specify the various scenarios built from the basic roles. In AVISPA, the executability check for nontrivial HLPSL specifications is important for the following reason. A modeling mistake may prevent the protocol model from executing to completion; the backends are then unable to search for an attack, because the model never reaches the state in which the attack could occur. It is worth noting that the intruder (i) also participates in the execution of the protocol in a concrete session. AVISPA implements the DY model [21], so the backends are able to check for replay and man-in-the-middle attacks. Under the widely used SPAN (Security Protocol ANimator for AVISPA) tool [38], the simulation results illustrated in Fig. 6 confirm that both replay and man-in-the-middle attacks are prevented in the proposed UAP-BCIoT.

Fig. 6.

Analysis of simulation results under CL-AtSe and OFMC backends.


SECTION VII.

Comparative Analysis

A detailed comparative study among the proposed UAP-BCIoT and other relevant ECC-based authentication mechanisms in the IoT environment, such as the schemes of Li et al. [17], Porambage et al. [11], Porambage et al. [12], and Banerjee et al. [19], has been conducted with respect to security & functionality features, computation costs, and communication costs during the login and authentication phases. Note that Porambage et al.’s scheme [12] comprises two schemes (Scheme-1 and Scheme-2), which are briefly described in Section II. Both schemes of Porambage et al. [11], [12] are based on ECC and are applicable to wireless sensor network-based IoT applications, where a registered user can access real-time information directly from the IoT nodes in the deployment. Li et al.’s scheme [17] is also ECC-based, while Banerjee et al.’s scheme [19] is based on symmetric encryption/decryption and is applicable to IoT deployments.

A. Security and Functionality Features Comparison

In Table IV, the security and functionality features of UAP-BCIoT are compared with those of the other relevant schemes [11], [12], [17], and [19] with respect to fifteen attributes (A1−A15). UAP-BCIoT provides better security and more functionality attributes than the existing schemes [11], [12], [17], [19]. Most importantly, UAP-BCIoT is the only scheme among those compared that supports the IoT node credential validation and big data analytics phases discussed in Sections IV-I and IV-H, respectively; none of the other competing schemes supports these important features.

TABLE IV Comparison of Security and Functionality Features

B. Communication Cost Comparison

We assume that an identity, a random nonce, a timestamp, a certificate [a signature using the elliptic-curve digital signature algorithm (ECDSA)] [39], a hash output (if SHA-1 is applied as h(⋅) [29]), a ciphertext block (if AES-128 symmetric encryption is used), and a message authentication code (MAC) require 160, 160, 32, 320, 160, 128, and 160 bits, respectively. It is further assumed that the security of 160-bit ECC is equivalent to that of the 1024-bit RSA cryptosystem [40]. Therefore, an elliptic-curve point of the form P = (Px, Py) requires (160 + 160) = 320 bits. In Table V, the communication overheads of UAP-BCIoT and the other schemes [11], [12], [17] are compared. In UAP-BCIoT, the messages MSG1, MSG2, and MSG3 require (160 + 160 + 320 + 160 + 320 + 32) = 1152 bits, (160 + 160 + 320 + 32) = 672 bits, and (160 + 160 + 320 + 160 + 32) = 832 bits, respectively, which together incur a cumulative communication cost of (1152 + 672 + 832) = 2656 bits. It is clear from Table V that UAP-BCIoT needs less cost than Scheme-1 [12] and Li et al.’s scheme [17]. Although the scheme of Porambage et al. [11] and Scheme-2 [12] demand less cost than UAP-BCIoT, our proposed scheme provides better security and more functionality attributes than all of these schemes.
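The accounting above is a sum of per-field bit lengths, so it is easy to re-derive for other parameter choices. The following added example (ours, not the paper's code) encodes the field sizes assumed in this subsection, types the fields of MSG1, MSG2, and MSG3 (the field names are those listed in Section VIII-A; their assignment to field types is our reading of the sizes quoted above, not a table from the paper), and recomputes the per-message and total costs. It also generalizes beyond the text by showing how the totals change when h(⋅) is instantiated with a 256-bit hash, assuming that the MAC length follows the hash length.

```python
# Added example, not from the paper: a communication-cost model driven by
# the field bit lengths assumed in Section VII-B. The mapping of message
# fields to field types is our inference from the quoted sizes.

# Bit lengths assumed by the paper (SHA-1 as h(.), 160-bit ECC).
FIELD_BITS_SHA1 = {
    "identity": 160,
    "nonce": 160,
    "timestamp": 32,
    "certificate": 320,   # ECDSA signature
    "hash": 160,
    "ciphertext_block": 128,  # AES-128
    "mac": 160,
    "ec_point": 320,      # (Px, Py) with 160-bit coordinates
}

# Message contents as named in Section VIII-A, typed to match the sizes
# quoted in Section VII-B (inferred assignment).
UAP_BCIOT_MESSAGES = {
    "MSG1": [("A3", "hash"), ("HIDi", "identity"), ("G2", "ec_point"),
             ("DIDINj", "identity"), ("Mx", "ec_point"), ("TS1", "timestamp")],
    "MSG2": [("GI1", "hash"), ("GI2", "hash"), ("Mx", "ec_point"),
             ("TS2", "timestamp")],
    "MSG3": [("DID*INj", "identity"), ("NM2", "hash"), ("My", "ec_point"),
             ("SKVji", "hash"), ("TS3", "timestamp")],
}


def message_bits(fields, sizes=FIELD_BITS_SHA1):
    """Bits on the wire for one message given its typed field list."""
    return sum(sizes[field_type] for _, field_type in fields)


def scheme_cost(messages, sizes=FIELD_BITS_SHA1):
    """Per-message costs and their sum for the login/authentication phase."""
    per_msg = {name: message_bits(f, sizes) for name, f in messages.items()}
    return per_msg, sum(per_msg.values())


def with_hash_bits(sizes, hash_bits):
    """Copy of the size table with a different hash output length.

    Assumption (ours): the MAC is hash-based, so its length follows h(.).
    Identities and nonces are left unchanged.
    """
    updated = dict(sizes)
    updated["hash"] = hash_bits
    updated["mac"] = hash_bits
    return updated


if __name__ == "__main__":
    print(scheme_cost(UAP_BCIOT_MESSAGES))
    print(scheme_cost(UAP_BCIOT_MESSAGES, with_hash_bits(FIELD_BITS_SHA1, 256)))
```

With the paper's sizes the model reproduces 1152, 672, and 832 bits (2656 bits in total); with a 256-bit hash the three messages grow to 1248, 864, and 1024 bits, which is the kind of check worth running before comparing schemes that assume different primitives.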

TABLE V Comparison of Communication Costs

C. Computation Cost Comparison

Based on the experimental results reported in [14], we take Tsed (time for one symmetric encryption/decryption) ≈ 0.0087 s, Th (time for one one-way hash invocation) ≈ 0.00032 s, Tecm (time for one ECC point multiplication) ≈ 0.0171 s, Teca (time for one ECC point addition) ≈ 0.0044 s, and Tfe (time for one fuzzy extractor Gen/Rep invocation) ≈ Tecm. In the test environment (CPU: 2.4 GHz, RAM: 4.0 GB), each experiment was run 100 times to obtain the average approximate execution time. The comparative analysis of computation costs in Table VI shows that the total computation time during the login and authentication phases in UAP-BCIoT and in the schemes of Banerjee et al. [19], Li et al. [17], and Porambage et al. [11], [12] (Scheme-1 and Scheme-2) is 159.58, 108.68, 79.12, 279.86, 154.48, and 225.20 milliseconds, respectively. It is clear from Table VI that UAP-BCIoT performs better than Scheme-1 [12]. Moreover, UAP-BCIoT provides better security and more functionality attributes than the other schemes [11], [12], [17].

TABLE VI Computation Cost Comparison

SECTION VIII.

Practical Demonstration: NS2 Simulation

The practical study of UAP-BCIoT is performed with the widely used NS2 2.35 simulator [41]. The experiments were conducted on the Ubuntu 18.04.4 LTS platform. We computed and analyzed several important network performance parameters for the proposed UAP-BCIoT: end-to-end delay (EED) (in seconds), throughput (in bps), and packet loss rate.

A. Details of Simulation Parameters

Table VII summarizes the simulation parameters. The simulation runs for 1800 s, i.e., 30 min. The remaining parameters take their standard default values in NS2. The practical study considers three scenarios, each with one cloud gateway node CGk and 50 IoT nodes INj. Scenarios 1 (Sc1), 2 (Sc2), and 3 (Sc3) contain three, five, and eight users, respectively. In all scenarios, the communicating parties exchange the following three types of messages: 1) {A3, HIDi, G2, DIDINj, Mx, TS1} from Ui to CGk; 2) {GI1, GI2, Mx, TS2} from CGk to INj; and 3) {DID*INj, NM2, My, SKVji, TS3} from INj to Ui, of sizes 1152, 672, and 832 bits, respectively.

TABLE VII Details of Simulation Parameters

B. Discussions on Obtained Results

We have computed and analyzed network performance parameters (i.e., EED (in seconds), throughput (in bps), and packet loss rate) for the proposed UAP-BCIoT.

1) Effect on End-to-End Delay:

EED is the average time required by the data packets (messages) to travel from the source to the destination. It is computed as $\mathrm{EED} = \frac{1}{\nu_{pkt}} \sum_{i=1}^{\nu_{pkt}} (\delta_{RC_i} - \delta_{SN_i})$, where $\delta_{RC_i}$ and $\delta_{SN_i}$ are the receiving and sending times of packet $i$, respectively, and $\nu_{pkt}$ is the total number of packets. Fig. 7(a) shows the EED values of the proposed UAP-BCIoT under the different scenarios. The EED values are 0.05249, 0.09329, and 0.13871 s under scenarios Sc1, Sc2, and Sc3, respectively. The EED increases with the number of users (from Sc1 to Sc2 and from Sc2 to Sc3), because more users generate more exchanged messages, which in turn causes congestion. The increase in EED is nevertheless modest, since the proposed UAP-BCIoT relies on lightweight cryptographic operations.

Fig. 7.

Simulation results for (a) EED, (b) network throughput, and (c) packet loss rate.


2) Effect on Throughput:

Throughput is the number of bits transmitted per unit time in a network communication. Fig. 7(b) shows the throughput (in bps) of the proposed UAP-BCIoT for the considered scenarios. Throughput is estimated as $\text{Throughput} = \frac{\nu_r \times |\varpi|}{\delta_D}$, where $\delta_D$, $|\varpi|$, and $\nu_r$ denote the total time (in seconds), the size of a packet, and the total number of received packets, respectively. The simulation time of 1800 s is taken as $\delta_D$. The simulated throughput values are 319.96, 540.82, and 808.09 bps for scenarios Sc1, Sc2, and Sc3, respectively. Throughput increases from Sc1 to Sc2 and from Sc2 to Sc3, because Sc2 and Sc3 contain more users and therefore more exchanged messages.

3) Effect on Packet-Loss Rate:

The packet-loss rate is the total number of packets lost per unit time during a network communication. The packet loss rate under the considered scenarios is shown in Fig. 7(c). The values are 0.007, 0.038, and 0.117 bps for scenarios Sc1, Sc2, and Sc3, respectively. The packet loss rate increases from Sc1 to Sc2 and from Sc2 to Sc3, because Sc2 and Sc3 contain more users and therefore more exchanged messages, which causes congestion in the network. The increase in packet-loss rate is nevertheless modest, since the proposed UAP-BCIoT is lightweight.
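The three metrics above (EED, throughput, and packet-loss rate) are all derived from per-packet send, receive, and drop events. The following added example (ours, not the paper's NS2 scripts) computes them from a trace using the formulas of this section. It assumes a simplified trace line layout `event time src dst size pktid` with NS2-style event letters (s = sent, r = received, d = dropped); this is not NS2's own trace column format. The trace and the 10-second run length are constructed; the paper's runs last 1800 s. It generalizes the paper's throughput formula slightly by summing the actual size of each received packet rather than assuming one fixed packet size.

```python
# Added example, not from the paper: EED, throughput and packet-loss rate
# computed from a constructed packet trace. Line layout (ours, simplified):
#   event time src dst size_bits pktid      event in {s, r, d}

SIM_TIME = 10.0  # constructed run length in seconds (the paper uses 1800 s)

# Constructed trace: one full MSG1/MSG2/MSG3 exchange (sizes 1152/672/832
# bits as in Section VII-B), one dropped MSG1, and one delivered retry.
TRACE = """\
s 0.00 U1 CG 1152 1
r 0.05 U1 CG 1152 1
s 0.06 CG IN 672 2
r 0.10 CG IN 672 2
s 0.11 IN U1 832 3
r 0.17 IN U1 832 3
s 1.00 U2 CG 1152 4
d 1.02 U2 CG 1152 4
s 2.00 U2 CG 1152 5
r 2.08 U2 CG 1152 5
"""


def parse_trace(text):
    """Turn trace lines into (event, time, src, dst, size_bits, pktid) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev, t, src, dst, size, pid = line.split()
        events.append((ev, float(t), src, dst, int(size), int(pid)))
    return events


def end_to_end_delay(events):
    """EED = (1/nu_pkt) * sum_i (delta_RC_i - delta_SN_i) over received packets."""
    sent = {pid: t for ev, t, _, _, _, pid in events if ev == "s"}
    delays = [t - sent[pid] for ev, t, _, _, _, pid in events
              if ev == "r" and pid in sent]
    return sum(delays) / len(delays) if delays else 0.0


def throughput_bps(events, sim_time=SIM_TIME):
    """Received bits divided by the total simulation time delta_D."""
    received_bits = sum(size for ev, _, _, _, size, _ in events if ev == "r")
    return received_bits / sim_time


def packet_loss_rate(events, sim_time=SIM_TIME):
    """Packets dropped per unit time, as defined in Section VIII-B."""
    dropped = sum(1 for ev, _, _, _, _, _ in events if ev == "d")
    return dropped / sim_time


def metrics(text, sim_time=SIM_TIME):
    """All three performance parameters for one trace."""
    events = parse_trace(text)
    return {
        "eed_s": end_to_end_delay(events),
        "throughput_bps": throughput_bps(events, sim_time),
        "loss_rate": packet_loss_rate(events, sim_time),
    }


if __name__ == "__main__":
    print(metrics(TRACE))
```

For the constructed trace the four delivered packets have delays 0.05, 0.04, 0.06, and 0.08 s, giving an EED of 0.0575 s; 3808 received bits over 10 s give 380.8 bps; and one drop over 10 s gives a loss rate of 0.1 per second. Feeding a real NS2 trace into this code only requires replacing `parse_trace` with a parser for the trace format in use.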

SECTION IX.

Conclusion

In this work, an effective and robust three-factor user authentication scheme, UAP-BCIoT, has been proposed for big data gathering in the IoT-based ITS environment. UAP-BCIoT permits an authorized registered user to access real-time information directly from designated IoT nodes. The fuzzy extractor technique is applied for local biometric verification, and the biometric secret key together with the user’s identity and password is used in UAP-BCIoT to provide stronger security. After the enrollment of the IoT nodes and the CG by the trusted BRC, and the registration of the user with the BRC, a user holding a mobile device with the necessary credentials can authenticate a designated accessible IoT node via the CG and establish a session key with it for secure communication. The data of the IoT nodes can be transmitted securely to cloud servers through the cloud gateway node using the authentication and key agreement mechanism. The proposed scheme is useful in such scenarios because the real-time data accessed from the IoT nodes in the vehicles can later be stored securely in the cloud as well, where it is used for big data analytics. A detailed security analysis based on the defined threat model, including the formal security analysis using the ROR model, informal security analysis, and formal security verification under the AVISPA software tool, shows that UAP-BCIoT can defend against various known attacks. Moreover, the comparative study reveals that UAP-BCIoT provides a better tradeoff among security and functionality features, communication costs, and computation costs than relevant existing schemes. In addition, a practical demonstration of the proposed UAP-BCIoT was provided to measure its impact on the network performance parameters.

In the future, we would like to implement UAP-BCIoT including big data analytics in the real-world environment.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers and the Associate Editor for their valuable feedback on this article which helped them to improve its quality as well as presentation.
