An Efficient Authenticated Key Agreement Scheme Supporting Privacy-Preservation for Internet of Drones Communications

Abstract

In recent years, due to the rapid development of Internet of things (IoTs), various physical things (objects) in IoTs are smart enough to make their own decisions without the involvement of humans. The smart devices embedded in a drone can sense, collect, and transmit real-time data back to the controller from a designated environment via wireless communication technologies. The mobility, flexibility, reliability and energy efficiency of drones makes them more widely used in IoT environments such as commercial, military, entertainment applications, traffic surveillance and aerial photography. In a generalized IoD architecture, we have communications among the drones in a flying zone, among the drones and the control server, and also among the drones and authorized user. IoD still has many critical issues that need to be addressed, such as data access being carried out through a public channel and battery operated drones. To address these concerns in IoD communications, in this paper, an efficient authentication and secure communication scheme with privacy preservation is proposed and it only uses secure one-way hash function and bitwise XOR operations when control server, drone and user mutually authenticate each other. After the successful authentication, both IoD-based participants can agree on a common session key to secure the subsequent communication messages. The widely accepted ProVerif and BAN logic analysis have been used to assure that the proposed scheme is provably secure against existing well-known security attacks and ensures privacy. Finally, a comparative analysis is presented to demonstrate the proposed scheme preserves efficiency when compared to existing competitive schemes.

1. Introduction

For the past few years, as information and communication technology (ICT) advances and smart devices increase dramatically, the Internet of Things (IoT) has become a much-talked-about topic among many experts and large ICT companies [1]. Due to its capability to extend the traditional human-to-human network communication connection for fulfilling communication and dialogue between humans and objects, or further to achieve communication and dialogue between objects, these objects can be distinguished into physical objects and virtual objects. The physical objects include sensors, drones, surveillance cameras, smartphones, self-driving vehicles, and smart homes, while the virtual objects include electronic wallets, electronic tickets, and electronic agendas. The strength of using various smart objects in the IoT environment is that they can operate autonomously without human intervention and can be easily integrated into various smart network applications. Especially, drones can be also named unmanned aerial vehicles (UAVs), which is an aircraft that can be controlled remotely or by an onboard computer. Drones can navigate autonomously without human intervention and are comprised of several IoT smart devices, such as light pulse range sensors (laser), radio detection and distance measuring sensors, magnetic field change sensors, sonar range sensors, time of flight sensors, thermal sensors, chemical sensors, and direction sensors. Along with the miniaturization trend of different devices (processors, microcontrollers, sensors, wireless transceivers) inside the drones, it can be seen as a hint that IoT technology makes the drone network or IoDs a part of IoTs [2,3,4,5,6,7,8].

When combined with various sensing elements, location services, wireless transmission reading, content services, and other technologies, many different types of drone applications have been derived. The application scopes of several drones were described and organized, as shown below:

• For civilian purposes [9]:

  i. 

  For photography purposes: Allowing TV/film producers to take aerial photography in a new manner by using drones, thus enhancing the aerial view to a higher extent.

  ii. 

  For natural disaster assessment and control purposes: After Hurricane Katrina hit the United States in 2005, drones were used for disaster control and assessment to observe which roads were blocked by fallen trees, cars, and road barriers, or to search for missing, injured, and trapped people.

  iii. 

  For emergency response purposes: Like ambulances, drones can be used as portable medical kits which can send medical supplies to emergency units on site, particularly when the emergency site is inaccessible for vehicles. Furthermore, affected by the recent COVID-19 pandemic, drones have been deployed on the streets of Spain and China (mainly Wuhan), to raise people’s awareness of the crisis via cameras and broadcasters, or aerial spraying for disinfection. Furthermore, drones can be used as a means of delivering food and medication to infected patients, aiming to transport tested samples at a higher speed, and reduce human contact.

  iv. 

  For environmental monitoring purposes: Drones can be used to perform tasks of measuring environmental pollution, such as those for air quality measurement and analysis; perform agricultural tasks, such as soil analysis, crop/livestock management/disease, and pest control; perform animal protection tasks, such as nature/wildlife protection/anti-poaching/endangered species protection.

• For police purposes [10]:

  i. 

  For traffic monitoring purposes: Drones can be used to monitor traffic and accident scenes. For example, the Spanish government has adopted drones to monitor traffic bottlenecks since 2015.

  ii. 

  For criminal-tracking purposes: Drones can be used to monitor crime scenes and prison fugitives. For example, the Ohio State Police Station used a drone to track an escaped prisoner and track him down in 2016.

  iii. 

  For forensic search-and-rescue purposes: Drones can be used to tackle crimes, such as the missing person and murder case of Ms. Tara Grinstead in 2015, for whom Georgia police used a fixed-wing drone called Spectra to search.

• For military purposes [11]:

  i. 

  For aerial surveillance/reconnaissance purposes: Drones can be deployed in the air to collect intelligence and information and further identify and track the locations of terrorist camps, vehicles, weapons, plants, and improvised explosive devices. For example, Russia collected new drone footage that unveiled how Turkey used artillery operations to attack the Syrian army in 2020.

  ii. 

  For airstrike purposes: As early as 2002, the U.S. military used drones for airstrike missions and then developed them for application with British allies in the global anti-terrorism war. In addition, Israel also made use of drones to conduct airstrikes against military installations/key targets/people in Iraq and Syria on the west coast.

  iii. 

  For drone hijacking purposes: Drone hijacking is mainly achieved via GPS intervention/spoofing, which was used to resolve the conflict in Ukraine and stood up to the threat from the Islamic State until the city of Mosul was finally liberated from the Islamic State in 2017.

• For criminal attack purposes [12]:

  i. 

  Physical attacks: Drones can easily be used to destroy people’s privacy and threaten their private property by crashing into people or their property intentionally or unintentionally to cause them serious damage. Moreover, some drones can fly as high as 500 m in the air, just like bird strikes, which can cause serious damages to aircrafts in flight.

  ii. 

  Logical attacks: They include spoofing a hotspot of a mobile Wi-Fi network, allowing the victim users to connect and monitor their sensitive messages, such as account passwords and credit card data, or implanting malware into smartphones and mobile devices that are connected to the malicious hotspot. Furthermore, a Raspberry Pi device connected to a drone can also be maliciously coded to intercept or hijack other drones nearby.

From the perspective of security and threat analysis, drone-assisted public safety networks require a stricter manner rather than traditional wireless networks such as wireless sensor networks (WSN) [13] and mobile ad hoc networks (MANET) [14] to restrict the unauthorized collection of images and videos by drones. Though drones carry less information and less power, they can cover a wider range than WSNs and MANETs. As a result, the challenge of drone network security is how to provide communication channels with confidentiality, integrity, availability, authentication, and non-repudiation over the resource constraints and latency constraints of drones. Actually, kinds of technologies for drone operations and their specific properties are being explored and misused for potential attacks including performing terrorist attacks and reconnaissance, tracking specific people, and monitoring certain properties, thus arousing security and privacy concerns. Furthermore, if a drone is out of order and crashes into nearby private houses, public facilities, parked cars, or civilians, it could also lead to casualties and damage to property. On the other hand, drones mainly make use of Wi-Fi, short-range Wi-Fi, Bluetooth, or other wireless devices, such as Bluetooth-connected keyboards, while, if there are inadequate security measures for connection to these devices, such as insecure single factor authentication and easy-to-break typical passwords, the attackers can easily intercept messages and destroy private buildings and public areas.

In plenty of authentication and key agreement (AKA) schemes [15,16,17,18,19,20,21,22,23], symmetric and asymmetric cryptosystems have been proposed to implement a comprehensive authentication on the use of IoT and IoD environments. However, with the resource-constrained nature of drones, it cannot consume a high amount of energy for executing complex cryptographic operations on large datasets and AKA scheme shall be sufficiently lightweight both in terms of computational complexity, communication overhead and memory demand. Turkanović et al. first proposed an IoT-based AKA scheme [24] for WSNs and their scheme is highly efficient as it only uses lightweight hash and bitwise XOR computations. Although it achieves the condition of lightweight authentication, Farash et al. [25] pointed out that their devised scheme is prone to man-in-the-middle attack, node impersonation attack, and additionally does not render nodes anonymity and user traceability. In order to provide better security, Wazid et al. designed a novel AKA scheme [26] for UAV distributed networks. However, the protocol was pointed out by Lei et al. [27] as not being provided to perfect forward secrecy. Meanwhile, Rodrigues et al. [28] designed two methods for the drone communication environment. The first one is modified based on the AKA scheme of Farash et al. [25], allowing for a direct connection between a drone and another one; the second one is modified based on the AKA scheme of Jiang et al. [18], which allows a drone to communicate with another one through a ground control station. However, their AKA schemes fail to resist ephemeral secret leakage (ESL) attacks under the Canetti–Krawczyk (CK) threat model. Recently, Zhang et al. proposed a lightweight AKA scheme [29] with anonymity and untraceability for IoD environments and their AKA scheme can be proven secure under random oracle model. All the drones and the users are registered with a central trusted authority, control server (namely $CS$) prior to their deployment. By verifying the validation of the transmitted messages, all participants in IoD can ensure mutual authentication and establish a common session key securely. In this paper, we will propose an improved version of Zhang et al.’s scheme that not only provides the same level of security with anonymity and untraceability but also protects the scheme from various known attacks.

In order to achieve the aforementioned security requirements of previous authentication schemes in IoD environments, in this paper, we propose a lightweight mutual authentication and privacy preservation scheme to resist several security attacks and provide a series of important features cited above. The main contributions of this paper are given as follows: (1) In our lightweight authentication scheme, the properties of drone anonymity and drone untraceability can be guaranteed at authentication and key agreement phase when involved participants transmitted messages via a public IoD channel. (2) In comparison with existing IoT-assisted authentication schemes for IoD communications, our proposed scheme can not only maintain the efficiency of computational and computation overheads, but also achieve basic security features mentioned in prior studies. (3) Informal security analysis and BAN logic analysis are performed and ProVerif-based formal security simulation is implemented, to demonstrate that our scheme is secure against various security attacks.

The remainder of the paper is organized as follows. Section 2 presents a new security architecture along with the threat model for IoD communication environments. Section 3 introduces our authentication and key agreement scheme with privacy preserving for IoD communications. The informal security analysis with the formal security verification using the widely accepted ProVerif simulation and BAN logic of the proposed scheme are given in Section 4. An in-depth performance comparison of the proposed scheme with existing IoD authentication schemes is given in Section 5. Finally this paper is concluded in Section 6.

2. System Architecture in IoD Communications

In this section, we will illustrate the proposed system architecture for the IoD paradigm. Subsequently we define two adversary models to evaluate its security and usability.

2.1. System Model

In terms of the design, the main participants in this paper were control server ($CS$), the trusted registration authority, users who could access IoD data using mobile devices, some mobile-type drone nodes deployed in the application fields to collect and broadcast data from the fly zone. $CS$ is a trusted unit responsible for registering and issuing unique identifiers and generating secret parameters for users and drones. By deploying drone nodes via $CS$ in fly zones for authority control, these drone nodes can be seen as cluster heads for a specific fly zone, providing an efficient and well-designed communication and authentication mechanism for IoD environments to avoid the single point of failure of traditional single centralized certificate centers. An external user can access certain specific drone nodes in the IoD environment via Internet communication and his/her mobile device, given that he/she is authenticated and authorized by the $CR$ to access these drones. In this paper, the IoD communication and authentication mechanism for IoD applications included three modes, namely $CS$-to-Drone communication, $CS$-to-User communication, and User-to-Drone communication. The overall communication architecture diagram of IoD is illustrated in Figure 1.

2.2. Threat Model

According to the system architecture shown in Figure 1, drones, mobile users and control servers can communicate with each other and all communications of IoD take place over the public channels. In threat model, we will adopt the widely-used Dolev–Yao (DY) threat model and Canetti–Krawczyk (CK) adversary model. According to the definition of DY model, the communication channel between any two entities is open and insecure, and also the end-point entities are not trusted. An adversary can eavesdrop and collect on the messages exchanged on IoD network, and can also delete or tamper the transmitted messages over public channel. According to the definition of CK model, the mobile device of an $U_i$ may be lost or stolen. The system parameters stored in that device can be also extracted by using power analysis attack. Furthermore, an adversary may physically capture some drone node $V_j$ and extract the stored parameters in $V_j$ with the help of complicated power analysis attack. Therefore, the compromised data will be used to undermine the security of IoD communications such as session key exposure, impersonation attack, replay attack, privacy exposure attack and man-in-the-middle attack etc. Note that $CS$ is a trusted party and it will not be compromised by adversaries.

3. The Proposed Scheme

In this section, we propose a new lightweight authentication and key agreement scheme with privacy preservation for IoD communications. The proposed scheme consists of the following four phases: system setup, user registration, drone registration, and authentication and key agreement phase. The details of the proposed scheme are described in the following subsections. The notations used in the proposed scheme are summarized as follows.

• $U_i$: The ith mobile user.
• $V_j$: The jth drone.
• $CS$: The control server.
• $I{D}_i,P{W}_i$: The identity and password of $U_i$.
• $I{D}_j$: The identity of $V_j$.
• $k,MSK$: 160 bits secret value and master key of $CS$.
• n: 160 bits public parameter selected by $CS$.
• $T_{U_i,V_j,CS}$: The current timestamp of $U_i$, $V_j$ and $CS$, respectively.
• $r_1,r_2$: 160 bits random numbers of $U_i$ and $V_j$, respectively.
• $L_{V_j}$: An active drone list.
• $h(·)$: A collision free one-way hash function.
• ${\Delta }_T$: The maximum time threshold of accepting messages.
• $time$: The current time received message.
• $S{K}_{ij}$: The common session key shared between $U_i$ and $V_j$.
• ⊕: The bitwise exclusive OR operation.
• $\left|\right|$: The string concatenation operation.

3.1. System Setup Phase

In this phase, $CS$ first generates $MSK$ and k as its master key and secret value, respectively. Then, $CS$ chooses a secure one-way hash function $h:{\{0,1\}}^{*}\to Z_n^{*}$, where n is a 160-bits public parameter chosen by $CS$. Finally, $CS$ saves $(MSK,k)$ secretly and publishes $\left(h\right(·),n)$.

3.2. User Registration Phase

In this phase, every mobile user $U_i$ needs to perform the user registration procedure with $CS$ via a secure channel. The graphical representation of the registration procedure of the user is depicted in Figure 2.

Step 1. 

$U_i$ chooses his/her identity $I{D}_i$, password $P{W}_i$ and a random number $r_{U_i}\in Z_n^{*}$ and computes $PI{D}_i=h(I{D}_i\left|\right|P{W}_i\left|\right|r_{U_i})$. Then $U_i$ sends the registration request {$I{D}_i,PI{D}_i$} to $CS$ via a secure channel.

Step 2. 

After receiving the registration request from $U_i$, $CS$ checks the uniqueness of $U_i$’s identity. If the uniqueness of $I{D}_i$ is satisfied, $CS$ computes $A_i=h(PI{D}_i\left|\right|MSK)$ and sends it to $U_i$ securely.

Step 3. 

After receiving $A_i$ from $CS$, $U_i$ computes $B_i=A_i\oplus h\left(P{W}_i\right)$ and stores {$B_i,r_{U_i}$} in the tamper-proof memory, which means that the parameters $B_i$ and $r_{U_i}$ can be used during the computation, but it is unable to extract them from the mobile device of $U_i$.

3.3. Drone Registration Phase

In this phase, every drone $V_j$ needs to complete the drone registration procedure with $CS$ via a secure channel. The graphical representation of the registration procedure of the drone is depicted in Figure 3.

Step 1. 

$CS$ selects an unique identity $I{D}_j$ for $V_j$ and computes ${\alpha }_j=h(I{D}_j\left|\right|k)$. Then $CS$ saves ($I{D}_j,{\alpha }_j$) in list $L_{V_j}$ and sends {$I{D}_j,{\alpha }_j$} to $V_j$ securely.

Step 2. 

After receiving the registration parameters from $CS$, $V_j$ stores $I{D}_j$ and ${\alpha }_j$ in its memory securely.

3.4. Authentication and Key Agreement Phase

After registration, $U_i$ and $V_j$ can communicate with each other and establish a common session key $S{K}_{ij}=S{K}_{ji}$ for securing future communications. The graphical representation of the proposed authentication and key agreement phase is depicted in Figure 4.

Step 1. 

$U_i$ opens the login portal and inputs his/her identity $I{D}_i$ and password $P{W}_i$ into the mobile device. Then the mobile device retrieves ($B_i,r_{U_i}$) and computes $PI{D}_i=h(I{D}_i\left|\right|P{W}_i\left|\right|r_{U_i})$ and $A_i=B_i\oplus h\left(P{W}_i\right)$. Then it randomly generates two 160 bits random numbers $r_{U_i}^{new},r_1\in Z_n^{*}$ and computes $PI{D}_i^{new}=h(I{D}_i\left|\right|P{W}_i\left|\right|r_{U_i}^{new})$, $M_1=PI{D}_i^{new}\oplus h(A_i\left|\right|T_{U_i})$, $M_2=h\left(PI{D}_i^{new}\right)\oplus r_1$, $M_3=h(PI{D}_i^{new}\left|\right|r_1\left|\right|T_{U_i})$, where $T_{U_i}$ is the current timestamp of $U_i$. Then $U_i$ sends authentication request message {$PI{D}_i,M_1,M_2,M_3,$$T_{U_i}$} to $CS$ via a public channel.

Step 2. 

After receiving the authentication request from $U_i$, $CS$ checks whether $time-T_{U_i}\le {\Delta }_T$ holds or not. If not, $CS$ rejects the authentication request immediately. Otherwise, $CS$ computes $A_i=h(PI{D}_i\left|\right|MSK)$, $PI{D}_i^{new}=M_1\oplus h(A_i\left|\right|T_{U_i})$, $r_1^{\prime }=M_2\oplus h\left(PI{D}_i^{new}\right)$, and $M_3^{\prime }=h(PI{D}_i^{new}\left|\right|r_1^{\prime }\left|\right|T_{U_i})$.

Step 3. 

$CS$ checks whether $M_3^{\prime }=M_3$ holds or not. If yes, $CS$ authenticates the legality of $U_i$. Otherwise, $CS$ rejects $U_i$’s authentication request. Now, $CS$ randomly assigns an active drone $V_j$ in IoD for $U_i$ and computes $M_4=h({\alpha }_j\left|\right|T_{CS})\oplus r_1$, $M_5=h({\alpha }_j\left|\right|r_1\left|\right|T_{CS})\oplus PI{D}_i^{new}$, $M_6=h({\alpha }_j\left|\right|r_1\left|\right|PI{D}_i^{new}\left|\right|T_{CS})$, $A_i^{new}=h(PI{D}_i^{new}\left|\right|MSK)$, $M_7=A_i^{new}\oplus h(A_i\left|\right|PI{D}_i^{new})$, and $M_8=h(A_i^{new}\left|\right|r_1)$, where ${\alpha }_j$ is retrieved from list $L_{V_j}$ and $T_{CS}$ is the current timestamp of $CS$. Finally $CS$ sends the message {$M_4,M_5,M_6,M_7,M_8,T_{CS}$} to $V_j$ through a public channel.

Step 4. 

After receiving the message from $CS$, $V_j$ checks whether $time-T_{CS}\le {\Delta }_T$ holds or not. If not, $V_j$ rejects this session. Otherwise, $V_j$ retrieves ${\alpha }_j$ and computes $r_1^{\prime }=M_4\oplus h({\alpha }_j\left|\right|T_{CS})$, $PI{D}_i^{new}=M_5\oplus h({\alpha }_j\left|\right|r_1^{\prime }\left|\right|T_{CS})$, and $M_6^{\prime }=h({\alpha }_j\left|\right|r_1^{\prime }\left|\right|PI{D}_i^{new}\left|\right|T_{CS})$.

Step 5. 

$V_j$ checks whether $M_6^{\prime }=M_6$ holds or not. If not, $V_j$ rejects the request. Otherwise, $V_j$ authenticates the legality of $CS$ and $U_i$. Then, $V_j$ randomly chooses a 160 bits random number $r_2\in Z_n^{*}$ and computes the common session key $S{K}_{ji}=h(PI{D}_i^{new}\oplus r_1^{\prime }\oplus r_2)$, $M_9=h(PI{D}_i^{new}\left|\right|r_1^{\prime })\oplus r_2$, and $M_{10}=h(PI{D}_i^{new}\left|\right|r_1^{\prime }\left|\right|r_2\left|\right|S{K}_{ji}\left|\right|T_{V_j})$, where $T_{V_j}$ is the current timestamp of $V_j$. Finally $V_j$ sends the message {$M_7,M_8,M_9,M_{10},T_{V_j}$} to $U_i$ through a public channel.

Step 6. 

After receiving the message from $V_j$, $U_i$ checks whether $time-T_{V_j}\le {\Delta }_T$ holds or not. If not, $U_i$ rejects this session. Otherwise, $U_i$ computes $A_i^{\prime new}=M_7\oplus h(A_i\left|\right|PI{D}_i^{new})$ and $M_8^{\prime }=h(A_i^{\prime new}\left|\right|r_1)$. Then $U_i$ further checks if $M_8^{\prime }=M_8$ holds or not. If it is true, it implies that $CS$ is authenticated to $U_i$. In order to verify the legality of $V_j$, $U_i$ computes $r_2^{\prime }=M_9\oplus h(PI{D}_i^{new}\left|\right|r_1)$, the common session key $S{K}_{ij}=h(PI{D}_i^{new}\oplus r_1\oplus r_2^{\prime })$, and $M_{10}^{\prime }=h(PI{D}_i^{new}\left|\right|r_1\left|\right|r_2^{\prime }\left|\right|S{K}_{ij}\left|\right|T_{V_j})$ and checks whether $M_{10}^{\prime }=M_{10}$ holds or not. If not, $U_i$ rejects the communication request. Otherwise, it implies that $V_j$ is also authenticated to $U_i$ and the common session key $S{K}_{ij}=h(PI{D}_i^{new}\oplus r_1\oplus r_2)=S{K}_{ji}$ will be used for securing IoD communications between $U_i$ and $V_j$. Finally, $U_i$ computes $B_i^{new}=A_i^{new}\oplus h\left(P{W}_i\right)$ and replaces {$B_i,r_{U_i}$} with {$B_i^{new},r_{U_i}^{new}$} for the next login.

4. Security Analysis of the Proposed Scheme

In this section, meticulous informal security analysis and the security verification are carried out using ProVerif to prove the security and the validity of the proposed scheme. In addition, BAN logic is utilized to corroborate the logical exactitude of the proposed scheme.

4.1. Simulation Verification with ProVerif

ProVerif is a proper tool that can automatically analyze cryptographic protocols and verify the security and reliability of authentication protocols. The specific operation of ProVerif is described in detail below.

The symbols used in the proof process are defined as shown in Figure 5. The “$sch$” and “$ch$” refer to the secure channel and the common channel. The functions used mainly include $h\left(\right),xor\left(\right)$, and $con\left(\right)$, which represent the hash operation, XOR operation and join operation, respectively. Figure 6 shows the defined queries and events. Here, $S{K}_{ij}$ and $S{K}_{ji}$ represent the common session keys of the user and the drone, respectively. The event $UserStarted\left(\right)$ indicates that the user $U_i$ starts working, the event $UserAuthed\left(\right)$ indicates that the user is authenticated, the event $ControlServerAcUser\left(\right)$ indicates that the control server $CS$ authenticates the user event, the event $DroneAcControlServer\left(\right)$ indicates that the drone $V_j$ authenticates the control server event, the event $UserAcControlServer\left(\right)$ indicates that the user $U_i$ authenticates the control server event, and the event $UserAcDrone\left(\right)$ means that the user $U_i$ authenticates the drone event.

The tripartite agreement of user $U_i$, drone $V_j$ and control server $CS$ are converted into ProVerif code as shown in Figure 7, Figure 8 and Figure 9, respectively. In the working process of $U_i$, $out(sch,(IDi,PIDi\left)\right)$ and $in(sch,(xAi:bitstring\left)\right)$ represent the messages sent and received by $U_i$ through the secure channel during the registration phase. After completing the registration, $U_i$ starts authentication by executing the event UserStarted(). Next, $out(ch,(PIDi,M1,$$M2,M3,TUi\left)\right)$ represents the message is transmitted from $U_i$ to $CS$ over the common channel, $in(ch,(xM7:bitstring,xM8:bitstring,xM9:bitstring,xM10:bitstring,xTVj:bitstring\left)\right)$ represents the message is transmitted from $V_j$ to $U_i$ over the common channel. In addition, the working process of $CS$ includes $UiReg$ for $U_i$ registration by $CS$, $VjReg$ for $V_j$ registration by $CS$, and $CSAuth$ means the authentication operation of $CS$.

Finally, the results of the execution of the ProVerif code are shown in Figure 10. Based on the results of Figure 10, it shows that the sequence of events is normal and it can be proved that the attacker cannot derive the common session key shared among $U_i$ and $V_j$ during IoD communications.

4.2. BAN Logic Analysis

In the proposed scheme, when the mobile device wants to communicate with the flying drone, they must authenticate each other. In the following description, we use the BAN logic model to prove the security of the proposed scheme. The notation of BAN logic is described as follows:

-$P|\equiv X$:

P believes X or P would be entitled to believe X.

-$P⊲X$:

P sees X. Someone has sent a message containing X to P, who can read and repeat X.

-$P|\Rightarrow X$:

P has jurisdiction over X. P is an authority on X and should be trusted on this matter.

-$P|\sim X$:

P once said X. P at some time sent a message including X.

-$<X{>}_Y$:

This represents X combined with Y.

-$♯\left(X\right)$:

The formula X is fresh, that is, X has not been sent in a message at any time before the current run of the protocol.

-$P\begin{array}{c}K\\ ⟷\end{array}Q$:

P and Q may use the shared key K to communicate.

-$P\begin{array}{c}S\\ ⟺\end{array}Q$:

The formula S is a secret known only to P and Q and possibly to principals trusted by them.

In the authentication and key-agreement phase of the proposed scheme, the main goal of our scheme is to authenticate the session key establishment between a mobile user $U_i$ and the flying drone $V_j$.

G1: 

$U_i|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

G2: 

$U_i|\equiv V_j|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

G3: 

$V_j|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

G4: 

$V_j|\equiv U_i|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

G5: 

$V_j|\equiv I{D}_i$

G6: 

$V_j|\equiv U_i|\equiv I{D}_i$

According to the authentication and key agreement phase, we use BAN logic to produce an idealized form as follows:

M1: 

$(<PI{D}_i{>}_{h\left(I{D}_i\right|\left|P{W}_i\right|\left|r_{U_i}\right)},<r_1{>}_{h\left(PI{D}_i\right)\oplus r_1},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

M2: 

$(<r_2{>}_{h(PI{D}_i\left|\right|r_1)\oplus r_2},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

To analyze the proposed scheme, we make the following assumptions:

A1: 

$U_i|\equiv ♯\left(PI{D}_i\right)$

A2: 

$V_j|\equiv ♯\left(PI{D}_i\right)$

A3: 

$U_i|\equiv U_i\begin{array}{c}h(PI{D}_i\oplus r_1\oplus r_2)\\ ⟺\end{array}{V}_j$

A4: 

$V_j|\equiv U_i\begin{array}{c}h(PI{D}_i\oplus r_1\oplus r_2)\\ ⟺\end{array}{V}_j$

A5: 

$U_i|\equiv V_j|\Rightarrow U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

A6: 

$V_j|\equiv U_i|\Rightarrow U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

A7: 

$V_j|\equiv U_i|\Rightarrow I{D}_i$

According to these assumptions and rules of BAN logic, we show the main proof of the session key establishment between a mobile user $U_i$ and the flying drone $V_j$ as follows:

Flying drone $V_j$ authenticates mobile device $U_i$. By M1 and the seeing rule, we can derive:

S1: 

$V_j⊲(<PI{D}_i{>}_{h\left(I{D}_i\right|\left|P{W}_i\right|\left|r_{U_i}\right)},<r_1{>}_{h\left(PI{D}_i\right)\oplus r_1},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By A2 and the freshness rule, we can derive:

S2: 

$V_j|\equiv ♯(<PI{D}_i{>}_{h\left(I{D}_i\right|\left|P{W}_i\right|\left|r_{U_i}\right)},<r_1{>}_{h\left(PI{D}_i\right)\oplus r_1},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By S1, A4 and the message meaning rule, we can derive:

S3: 

$V_j|\equiv U_i|\sim (<PI{D}_i{>}_{h\left(I{D}_i\right|\left|P{W}_i\right|\left|r_{U_i}\right)},<r_1{>}_{h\left(PI{D}_i\right)\oplus r_1},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By S2, S3, and the nonce verification rule, we can derive:

S4: 

$V_j|\equiv U_i|\equiv (<PI{D}_i{>}_{h\left(I{D}_i\right|\left|P{W}_i\right|\left|r_{U_i}\right)},<r_1{>}_{h\left(PI{D}_i\right)\oplus r_1},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By S4 and the belief rule, we can derive:

S5: 

$V_j|\equiv U_i|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

By S5, A6 and the jurisdiction rule, we can derive:

S6: 

$V_j|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

By S6 and the belief rule, we can derive:

S7: 

$V_j|\equiv U_i|\equiv I{D}_i$

By S7, A7 and the jurisdiction rule, we can derive:

S8: 

$V_j|\equiv I{D}_i$

Mobile device $U_i$ authenticates flying drone $V_j$. By M2 and the seeing rule, we can derive:

S9: 

$U_i◃(<r_2{>}_{h(PI{D}_i\left|\right|r_1)\oplus r_2},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By A1 and the freshness rule, we can derive:

S10: 

$U_i|\equiv ♯(<r_2{>}_{h(PI{D}_i\left|\right|r_1)\oplus r_2},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By S9, A3 and the message meaning rule, we can derive:

S11: 

$U_i|\equiv U_i|\sim (<r_2{>}_{h(PI{D}_i\left|\right|r_1)\oplus r_2},<U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j{>}_{h(PI{D}_i\oplus r_1\oplus r_2)})$

By S10, S11, and the message meaning rule, we can derive:

S12: 

$U_i|\equiv V_j|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

By S12, A5, and the jurisdiction rule, we can derive:

S13: 

$U_i|\equiv U_i\begin{array}{c}S{K}_{ij}\\ ⟷\end{array}{V}_j$

By S5, S8, S12 and S13, it can be proved that, in our authentication scheme, the mobile device $U_i$ and the flying drone $V_j$ authenticate each other with the help of control server CS. In addition, we are also able to prove that the proposed scheme can establish a common session key SK_ij between the mobile device U_i and the remote flying drone V_j with the help of CS. Finally, the authentication and key agreement phase of our scheme thus guarantee the security of $S{K}_{ij}$ between $U_i$ and $V_j$.

Scenario: 

A malicious attacker uses an illegal flying drone $V_j$ to authenticate a legal mobile device $U_i$.

Analysis: 

The attacker will not succeed because the illegal flying drone $V_j$ has not been registered to the legal control server $CS$, and the illegal flying drone $V_j$ cannot calculate the correct session key $SK$. Thus, it will fail when the legal mobile device $U_i$ attempts to authenticate the illegal flying drone $V_j$. In the proposed scheme, the attacker cannot achieve their purpose using an illegal flying drone $V_j$. In the same scenario, the proposed scheme can also defend against a malicious attack using an illegal mobile device $U_i$ to connect to a legal flying drone $V_j$. This is because the illegal mobile device $U_i$ has not been registered to the legal control server $CS$, and thus the illegal mobile device $U_i$ cannot calculate the correct session key SK. Therefore, the attack will fail when the legal flying drone $V_j$ attempts to authenticate the illegal mobile device $U_i$.

4.3. Informal Security Analysis

In this subsection, we present the informal security analysis of the proposed scheme and show it can satisfy the following security features and attack resilience in IoD environments.

Proposition 1.

The proposed scheme ensures anonymous interactions between $U_i$, $CS$ and $V_j$ and no adversaries can ascribe any session to a particular user during authentication and key agreement phase.

Proof. 

According to DY threat model defined in Section 2.2, an adversary $\mathcal{A}$ can collect all the communication messages transmitted in IoD, such as $\{PI{D}_i,M_1,M_2,M_3,T_{U_i}\}$, {$M_4,M_5,M_6,M_7,M_8,T_{CS}$}, and {$M_7,M_8,M_9,$$M_{10},T_{V_j}$}, which are communicated during the authentication and key agreement phase of the proposed scheme. From these messages, it is hard for $\mathcal{A}$ to derive $U_i$’s real identity $I{D}_i$ from $PI{D}_i$ without knowing the random number $r_{U_i}$ because $PI{D}_i$ is protected with cryptographic hash function $h(·)$. That is to say, $U_i$’s real identity are transmitted in cipher format instead of plaintext. Therefore, the user anonymity can be provided in the proposed authentication scheme. □

Proposition 2.

The proposed scheme ensures untraceability between a mobile user and the control server and also between a mobile and its associated drone.

Proof. 

In the proposed authentication mechanism, the generation of messages {$PI{D}_i,M_1,$$M_2,M_3,M_4,M_5,M_6,M_7,M_8,M_9,M_{10}$} incorporate the fresh random numbers $r_{U_i}$, $r_1$, and $r_2$ and the pseudonym ID and session key is updated after each successful authentication. As a result, it is impossible for $\mathcal{A}$ to correlate the communicated messages from the current and previous AKA process and the proposed scheme can provide untraceability. □

Proposition 3.

The proposed scheme supports mutual authentication between any two communicating parties, and also between a drone $V_j$ and its associated $U_i$.

Proof. 

During the proposed authentication process as presented in Section 3.4, a drone $V_j$ verifies its associated $U_i$’s legitimacy before establishment of a session key. In the session, $CS$ first checks the freshness of $U_i$’s login request by validating the timestamp $T_{U_i}$ in the messages $\{PI{D}_i,M_1,M_2,M_3,T_{U_i}\}$. Later, $CS$ checks $M_3$ to authenticate $U_i$. When receiving {$M_4,M_5,M_6,M_7,$$M_8,T_{CS}$} from $CS$, $V_j$ checks $T_{CS}$ and $M_6$ to authenticate $CS$ and $U_i$. If both the conditions are validated successfully, $V_j$ agrees a session key with $U_i$. In the similar way, when receiving {$M_7,M_8,M_9,M_{10},T_{V_j}$}, $U_i$ checks $T_{V_j}$ and $M_{10}$ to authenticate $V_j$ and $U_i$ also agrees a session key with $V_j$. Finally, the proposed scheme achieves mutual authentication and both $U_i$ and $V_j$ ensure that they shared the same session key with the help of $CS$ for securing the future IoD communications. □

Proposition 4.

The proposed scheme is secure against session key exposure attack.

Proof. 

After the successful authentication process, $U_i$ and $V_j$ can establish a common session key $S{K}_{ij}=h(PI{D}_i^{new}\oplus r_1\oplus r_2)$ and the adversary $\mathcal{A}$ may try to derive $S{K}_{ij}$ to damage the later IoD communications between them. However, in Step 1 of the authentication and key agreement phase, $\mathcal{A}$ cannot get $PI{D}_i^{new}$ and $r_1$ from $M_1$ and $M_2$ without knowing the knowledge of $A_i=h(PI{D}_i\left|\right|MSK)$. Similarity, in Step 5 of the authentication and key agreement phase, $\mathcal{A}$ cannot obtain $r_2$ from $M_9$ without knowing the knowledge of ${\alpha }_j=h(I{D}_j\left|\right|k)$. Therefore, $\mathcal{A}$ cannot get success from session key disclosure attack in the proposed AKA scheme. □

Proposition 5.

The proposed scheme is resilient against known session key attack.

Proof. 

It can be observed from Section 3.4 that the session key $S{K}_{ij}$ is the combination of both session-specific credential $PI{D}_i\left[new\right]$ and two 160 bits random numbers $r_1$ and $r_2$. Moreover, usage of session-specific credentials and random numbers in computation of session keys between $U_i$ and $V_j$ over different sessions make always-unique session keys. Even if a session key is disclosed for a specific session, it will not result in computing the session keys over other sessions. Thus, the contributed scheme is protected from known session key attack. □

Proposition 6.

The proposed scheme is protected against drone capture attack.

Proof. 

According to CK adversary model defined in Section 2.2, an adversary $\mathcal{A}$ may physically capture the drone in the sensing environment and maliciously extract the stored contents from its memory by using power analysis attacks. In this way, $\mathcal{A}$ can get {$I{D}_j,{\alpha }_j$} from the memory of compromised drone $V_j^{\prime }$. By capturing $V_j^{\prime }$, $\mathcal{A}$ can only compromise the session key between a victim user $U_i$ and $V_j^{\prime }$. Since all the identities and credentials for all $V_j$ are distinct in IoD network, $\mathcal{A}$ cannot compromise other non-captured drone due to the distinct as well as uniqueness property of the contents stored in the remote drones. Finally, compromise of a drone does not result in damaging secure IoD communications among a user and other non-compromised drones and the contributed scheme is resilient against drone capture attack. □

Proposition 7.

The proposed scheme is secure against stolen device attack.

Proof. 

Suppose an adversary $\mathcal{A}$ somehow gets or steals the mobile device of user $U_i$ and extracts the stored contents {$B_i,r_{U_i}$} from its memory by using power analysis attacks. Thus, $\mathcal{A}$ can get access to IoD environment. However, $\mathcal{A}$ cannot drive the valid secret credential $A_i$ due to the protection of $U_i$’s password. Moreover, the password is protected in the form of a one-way hash function which is a non-invertible function. Although $\mathcal{A}$ can guess the password of $U_i$, he/she cannot verify the correctness without having $U_i$’s identity $I{D}_i$ and the login parameters of previous session. Therefore, the contributed scheme can resist stolen device attack. □

Proposition 8.

The proposed scheme is resilient secure against three kinds of impersonation attacks, including: user impersonation, $CS$ impersonation and drone impersonation.

Proof. 

The following impersonation attacks related to the contributed scheme are taken into account.

(a) 

User impersonation attack: Let an adversary $\mathcal{A}$ try to behave himeself/herself as a legitimate user $U_i$ and he/she wants to generate an authorized login request, say $\{PI{D}_i,M_1,M_2,M_3,T_{U_{\mathcal{A}}}\}$. $\mathcal{A}$ can intercept the login request $\{PI{D}_i,M_1,M_2,M_3,T_{U_i}\}$ of $U_i$ and forge messages by extracting the important credential $PI{D}_i$ of $U_i$ to prove $\mathcal{A}$’s authenticity. In order to perform this operation, $\mathcal{A}$ needs to choose two random numbers $r_{\mathcal{A}}^{new}$ and $r_1^{*}$ and a timestamp $T_{U_{\mathcal{A}}}$ and computes $M_1=h\left(r_{\mathcal{A}}^{new}\right)\oplus h(A_i\left|\right|T_{U_{\mathcal{A}}})$, $M_2=h\left(h\left(r_{\mathcal{A}}^{new}\right)\right)\oplus r_1^{*}$ and $M_3=h(h\left(r_{\mathcal{A}}^{new}\right)\left|\right|r_1^{*}\left|\right|T_{U_{\mathcal{A}}})$. However, due to the lack of knowledge about $A_i$, $\mathcal{A}$ will fail to compute $M_1$ as valid login parameter. Therefore, the proposed scheme is secure against user impersonation attack.

(b) 

$CS$impersonation attack: To perform this attack, we assume $\mathcal{A}$ intercepts the message {$M_4,M_5,M_6,M_7,M_8,T_{CS}$} and generates a bogus message {$M_4^{*},M_5^{*},M_6^{*},M_7^{*},M_8^{*},T_{U_{\mathcal{A}}}$} to the drone $V_j$, to make $V_j$ and $U_i$ convince the message is from a legitimate $CS$, where $T_{U_{\mathcal{A}}}$ is a timestamp generated by $\mathcal{A}$. However, $\mathcal{A}$ does not have the knowledge of ${\alpha }_j$ and $PI{D}_i^{new}$, thus, $V_j$ and $U_i$ can distinguish the impersonated $CS$ from real control server and the proposed scheme is secure against $CS$ impersonation attack.

(b) 

Drone impersonation attack: In this attack, $\mathcal{A}$ will try to make believe $U_i$ by seizing the message {$M_4,M_5,M_6,M_7,M_8,T_{CS}$} and attempt to construct another legitimate message, which is authenticated to $U_i$. First, $\mathcal{A}$ randomly chooses a random number $r_2^{*}$ and a timestamp $T_{U_{\mathcal{A}}}$ and tries to forge $M_9$ and $M_{10}$. However, in the design process of the proposed AKA scheme, without having the knowledge of ${\alpha }_j$, $r_1$ and $PI{D}_i^{new}$, $\mathcal{A}$ cannot generate the valid convinced response to impersonate as an accurate drone.

□

5. Performance Evaluation

This section shows a detailed comparison among the proposed scheme and those of the most relevant state-of-the-art schemes in the IoD environment, such as the schemes of Singh et al. [30] and Zhang et al. [29] in terms of security features, computational and communication overheads.

5.1. Comparison of Security Features

We highlight on the comparison of security features and attacks protection of the contributed scheme against relevant schemes [29,30] in this section. It is clear from the

Table 1. Comparison of security features.

Security Features	Singh et al. [30]	Zhang et al. [29]	Proposed
	(2019)	(2020)	Scheme
Provision of mutual authentication	No	Yes	Yes
Provision of user anonymity	No	No	Yes
Provision of untraceability	No	No	Yes
Prevention of session key exposure attack	No	No	Yes
Prevention of known session key attack	Yes	Yes	Yes
Prevention of replay attack	Yes	Yes	Yes
Prevention of impersonation attack	No	No	Yes
Prevention of drone capture attack	No	Yes	Yes
Prevention of stolen device attack	No	Yes	Yes

that the scheme of Singh et al. [30] is insecure against session key exposure attack, impersonation attack, drone capture attack and stolen device attack and Zhang et al. [29] is unprotected against session key exposure attack and impersonation attack. Furthermore, the scheme of Singh et al. [30] lacks mutual authentication, user anonymity and untraceability and Zhang et al. [29] does not provide user anonymity and untraceability. Therefore, the proposed AKA scheme can provide more security features and protect against all kinds of attack which makes it more suitable for generic secure communications in IoD-based environments.

5.2. Comparison of Computational Overhead

In order to provide the analysis of the comparative computation overhead, the symbols listed in

Table 2. Execution time of the various cryptographic operations.

Symbol	Description	User (Drone) Side	Server Side
$T_{exp}$	Modular exponentiation	2.249 ms	0.339 ms
$T_{mul}$	Modular multiplication	0.008 ms	0.001 ms
$T_h$	Secure hash function	0.056 ms	0.007 ms

with their executing time as per the experiment presented in [31] on a mobile (drone) device with 2.45 G processor and 2 GB memory, performed on the Android 4.4.2 operation system. The control server is simulated on a PC I5-4460S with 2.90 GHz processor and 4 GB memory, performed on Window 8 operation system:

As shown in

Table 3. Comparison of Computational Overhead.

	Singh et al. [30]	Zhang et al. [29]	Proposed Scheme
	(2019)	(2020)
User side	2$T_{exp}$ + 5$T_{mul}$	10$T_h$	11$T_h$
Drone side	2$T_{exp}$ + 7$T_{mul}$	7$T_h$	10$T_h$
Server side	-	7$T_h$	6$T_h$
Total	9.092 ms	1.001 ms	1.022 ms

, total computational overhead of the proposed scheme, the scheme of Singh et al. [30], Zhang et al. [29] is 27$T_h\approx$ 1.022 ms, 4$T_{exp}$+12$T_{mul}\approx$ 9.092 ms, 24$T_h\approx$ 1.001 ms, respectively. The computational overhead of the proposed scheme is slightly higher than Zhang et al., whereas the proposed scheme has less computational overhead as compared with the scheme of Singh et al. Moreover, the proposed scheme is more secure than the all rest of the related schemes as proved earlier.

5.3. Comparison of Communication Overhead

This section presents another significant performance factor, namely communication overhead, to demonstrate the efficiency of the proposed scheme. For comparison purposes and to keep simplicity, let $\left|G\right|$ denote the 1024 bits length of element in G and $|Z_n|$ denote the 160 bits length of the element in $Z_n$. The symbol $\left|T\right|$ denotes a timestamp 32 bits in lengts and participant identities. We compare the communication overhead of different participants during the login and authentication phases, where the bits sent over communication channel and the number of messages transmitted between them are also considered.

As shown in

Table 4. Comparison of Communication Overhead.

	Singh et al. [30]	Zhang et al. [29]	Proposed Scheme
	(2019)	(2020)
No. of messages	2	3	3
Communication cost	4$\left|G\right|$+4$\left|T\right|$	9$|Z_n|$+$\left|T\right|$	13$|Z_n|$+3$\left|T\right|$
Bits length	4256	1472	2176

, the number of transmitted messages in Singh et al. scheme are $X_i,Y_i,Tim{e}_i,I{D}_i$ from user side and $X_j,Y_j,Tim{e}_j,I{D}_j$ from drone side, where $(Tim{e}_i,Tim{e}_j)$ are 32-bit timestamps and $(I{D}_i,I{D}_j)$ are 32-bit user identities. Therefore, the total communication cost of Singh et al. scheme is 4$\left|G\right|$+4$\left|T\right|$ about 4256 bits. In addition, the number of transmitted messages in Zhang et al. scheme are $M_1,M_2,M_3,M_4,T_1$ from user side, $M_5,M_6,M_7$ from control server side and $M_8,M_{10}$ from drone side, where $M_i\in Z_n$ and $T_1$ is a 32-bit timestamp. Thus the total communication cost of Zhang et al. scheme is 9$|Z_n|$+$\left|T\right|$ about 1472 bits. In the proposed scheme, three message transmissions complete the authentication and key agreement process: (1) user sends {$PI{D}_i,M_1,M_2,M_3,$$T_{U_i}$} to $CS$; this consumes {160 + 160 + 160 + 160 + 32} = 672 bits, and (2) control server sends {$M_4,M_5,M_6,M_7,M_8,T_{CS}$} to $V_j$, consuming {160 + 160 + 160 + 160 + 160 + 32} = 832 bits, and (3) drone sends {$M_7,M_8,M_9,M_{10},T_{V_j}$} to $U_i$, which also needs {160 + 160 + 160 + 160 + 32} = 672 bits. Therefore, the total communication cost of the proposed scheme is 13$|Z_n|$+3$\left|T\right|$, about 2176 bits.

6. Conclusions

In this paper, we proposed a lightweight hash-based authenticated key agreement and privacy preservation scheme without using symmetric/asymmetric cryptographic operations for IoD environments. The proposed scheme is a three-party AKA mechanism, which enables mobile users to communicate securely, through the public communication channel, with the IoD participants such as control server and drones. Moreover, the proposed scheme can provide anonymity and untraceability of the participants in IoD. We proved the security of the proposed scheme formally through the ProVerif tool and BAN logic analysis as well as informally. The comparative analysis depicts that the proposed scheme achieves better trade-off among security features, computational overhead and communication cost. From the results, it is concluded that the proposed scheme not only supports more security features but is also suitable for the drones or resource-constrained sensing devices in the IoD environments.