Accepted Manuscript Design of authentication protocol for wireless sensor network-based smart vehicular system
Prerna Mohit, Ruhul Amin, G.P. Biswas
PII: S2214-2096(16)30112-7
DOI: http://dx.doi.org/10.1016/j.vehcom.2017.02.006
Reference: VEHCOM 82
To appear in: Vehicular Communications
Received date: 7 September 2016
Revised date: 26 December 2016
Accepted date: 23 February 2017
Please cite this article in press as: P. Mohit et al., Design of authentication protocol for wireless sensor network-based smart vehicular system, Veh. Commun. (2017), http://dx.doi.org/10.1016/j.vehcom.2017.02.006
Design of Authentication Protocol for Wireless Sensor Network-based Smart Vehicular System
Prerna Mohit1, Ruhul Amin2, G.P. Biswas1
Abstract
The design of an authentication protocol for a smart vehicle system is proposed, where vehicles are equipped with sensors and sinks are placed along the road to receive data from and/or send data to the sensors. The user monitors the vehicles by collecting data from the sinks, analyzes the data and takes necessary action (if needed). Moreover, the system uses the sensors in vehicles to provide a user-friendly platform to communicate with users. Authentication of the entities and the exchange of authentication messages between the authenticated entities are two important issues for the successful implementation of a smart vehicular system. In the proposed vehicular system there are three entities involved, namely users, sinks and sensors, and two sets of communication are needed: between user and sink, and between sink and sensor. In short, we propose an architecture of data traffic/movement in a vehicular sensor network and authenticate the entities. In addition, we have analyzed our protocol with respect to security attacks and found that it is strongly protected against them. Furthermore, the proposed protocol is relatively better in terms of overhead such as computation and communication.
Keywords: Authentication Technique, Wireless Sensor Networks.
1. Introduction
The Internet of Things aims at bridging the gap between the physical world and its representation within the digital world. The term "things" refers to objects that have sensors attached to them and can transmit data to the internet, where it can be analyzed and used to make decisions; one such example is vehicle sensors. Vehicle sensors are placed in vehicles to monitor the vehicles and their surroundings. A sensor node in a wireless sensor network (WSN) is able to gather and process sensory information and communicate with other connected nodes in the network, and such nodes are widely used in many applications such as health care, industry, vehicles, etc. due to their ability to monitor and detect problems. The sensor node is generally built as a small device, which has a processor, limited memory and limited battery life. Sensors can be classified as 1) static sensors and 2) dynamic sensors. Static sensors are immobile nodes in the network that remain stable and do not get power from any electric source directly. Dynamic sensors are mobile and energy efficient irrespective of whether the energy sources of the sensor nodes can be replenished or not [1]. In this paper, we assume that the sensors are dynamic and energy efficient, and are connected to the battery of the vehicle. Here, the vehicular system is designed in the WSN environment to monitor and provide a solution for vehicle-related problems such as traffic congestion, speed, etc. in offline mode. The vehicle sensor senses real-time data and forwards it directly to the nearby sink node, and a user outside the network can access the sensed data. As the communications are performed over an insecure channel, an adversary can intercept the communicated messages. Therefore, authentication and privacy of messages are the prime concern in the process of message communication.
∗ Corresponding author: Ruhul Amin.
1 Department of Computer Science and Engineering, Indian Institute of Technology (ISM), Dhanbad-826004, India
2 Department of Computer Science and Engineering, Thapar University, Patiala 147004, Punjab, India
Preprint submitted to Elsevier, March 1, 2017
In order to provide secure communication over the insecure channel, we propose a smart vehicular system using WSN, which provides an efficient authentication protocol for securing the sensor-node-to-sink and sink-to-user communication. To design an efficient authentication and key agreement protocol for the vehicular sensor network, the following security aspects should be achieved:
1. An efficient login phase.
2. Authentication between the entities involved, i.e. user, sink node and sensor node.
3. Resistance against various attacks such as: a) smart card stolen attack, b) off-line password guessing attack, c) user anonymity, d) known-key security.
4. Resistance to impersonation attacks against a) the user, b) the sensor node, c) the sink node.
5. A user-friendly password change phase.
1.1. Study and Discussion on Previous Related Research
A number of authentication and key agreement schemes have been proposed in the field of wireless sensor networks [2] [3] [4]. In 2006, Wong et al. [5] discussed a dynamic stored-password-based user authentication protocol for wireless sensor networks using hash operations. The author in [6] shows that Wong's protocol [5] suffers from a login problem and a stolen-verifier attack, and proposed an improved two-factor user authentication protocol. Later on, Chen et al. [7] showed that the protocol in [6] suffers from a mutual authentication problem and proposed a more efficient protocol which provides mutual authentication between users, gateway node and sensor nodes. After that, Khan et al. [8] showed security loopholes in the protocol in [6], such as the gateway node bypassing attack and the privileged-insider attack, and presented a more efficient protocol to resist these attacks. Vaidya et al. [9] performed the cryptanalysis of [6], [8] and claimed that [8] suffers from security flaws such as the sensor node capture attack and the stolen smart card attack. In addition, Vaidya et al. [9] proposed a more practical scheme to overcome the security weaknesses of [6], [8]. In 2011, Yoon et al. [10] performed a cryptanalysis of Chen et al.'s protocol [7] and claimed that the protocol fails to resist node impersonation, user impersonation and insider attacks.
After that, Kumar et al. [11] showed that Khan's protocol [8] does not provide mutual authentication and fails to provide a session key between the user and the sensor node. Later on, Yeh et al. [12] reported some security loopholes in Das's [6] method and proposed the first elliptic curve cryptography (ECC) based scheme suitable for wireless sensor networks. After that, Shi et al. [3] improved on the weaknesses of Yeh et al.'s protocol [12] and presented a new protocol based on ECC for user authentication. However, Choi et al. [13] pointed out that Shi et al.'s [3] protocol cannot withstand all security weaknesses, such as the stolen smart card attack, session key attack and sensor energy exhausting attack, and presented a new scheme also based on ECC. In 2011, Romen et al. [14] designed the first authentication scheme for wireless sensor networks in the environment of the Internet of Things. Later on, Turkanovic et al. [15] also proposed an authentication scheme for heterogeneous ad hoc wireless sensor networks based on IoT. However, Amin et al. [16] pointed out that the protocol in [15] fails to resist the smart card theft attack, off-line identity-password guessing attacks, user impersonation and the sensor node impersonation attack, and has an inefficient authentication phase, and proposed an improved scheme to overcome all these security weaknesses. After that, Lu et al. [17] claimed that Amin et al.'s scheme [16] also suffers from the known session-specific temporary information attack and proposed an efficient scheme over Amin's scheme to provide a more practical solution for user authentication in the IoT environment. Many protocols have been designed for the security of wireless vehicle systems [18], [19], [20], [21], [22], [23]. Zhang et al. [24] proposed a Hash Message Authentication Code (HMAC) based privacy-preserving authentication scheme for vehicular ad hoc networks, where the key for the HMAC is generated through a key agreement protocol executed between the vehicle and the sink node. In 2008, Lu et al.
[25] proposed an efficient conditional privacy preservation protocol (ECPP) based on bilinear pairing for vehicular ad hoc networks. The main focus of the work is that the sink node provides multiple keys for each vehicle in order to protect its communication from unauthorized users; however, the sink node can be easily compromised, which can be considered a drawback. From the literature review, we find that there is a need for a strong user authentication protocol for vehicle applications
involving sensor networks that can resist the attacks and provide a user-friendly environment. For this, we need to design an efficient user authentication and key agreement protocol for WSNs that can achieve the following security features:
• A smart vehicular system using WSN (which supports easy deployability at low cost).
• Authentication protocols for exchanging authenticated data between a) users and sink, and b) sink and sensors.
• An extensive security analysis of our scheme, establishing its validity and showing better performance than others.
1.2. Proposed Architecture and Discussion
This sub-section explains the work flow of data traffic/movement in the architecture for the wireless vehicle sensor network. Three entities participate in the communication, namely:
1. Vehicle sensor: Sensors collect traffic data from the road and send it to the road-side sinks of the WSN.
2. Sink node: Sinks store traffic data to be used by users.
3. User: Users collect data from the sink and analyze it off-line for traffic management.
Initially, the vehicle sensors placed on the vehicle sense real-time data about the surroundings and forward it to the sink node for online collection and authentication of traffic data in the sinks. Users, based on the data collected from the sink, may use it for offline traffic management in some cases, such as controlling traffic jams, related details, speed, etc. In a broad sense, our entire scheme comprises two parts: a) the WSN and vehicles with sensor nodes, and b) user interaction with the sink for data collection and analysis. Here, both fully automated and non-automated systems are generated. Our objective is to design a security protocol for the authentication of users, sinks and sensors for online collection and authentication of traffic data in the sinks. For clarity, Fig. 1 briefly shows the flow of communication in our proposed scheme, which is as follows:
i) The sensor node sends traffic data to the sink.
ii) The user may collect data from the sink.
iii) If necessary, the user may send data (regarding traffic management) to the sinks.
iv) The wireless node in a vehicle may collect traffic data from the sinks.
1.3. Organization of the Paper
After the introduction in Section 1, Section 2 discusses the proposed authentication and key agreement protocol for vehicle sensors. Section 3 addresses the security analysis, followed by the performance evaluation of the proposed protocol against some of the existing protocols in Section 4. Finally, Section 5 gives the conclusion of the paper.
2. Proposed Protocol
In this section, we propose an authentication and key agreement protocol for the wireless sensor network architecture proposed in Section 1.2, and develop a mechanism to check the legitimacy of vehicles running on the road and authenticate them in order to deal with any type of vehicle problem such as traffic jams, speed, etc. The proposed protocol consists of four phases: system setup phase, user registration phase, user login and authentication phase, and password change phase. All the phases of our protocol and the notations (Table 1) are described below.
2.1. System Setup Phase
The registration authority (RA) registers all the vehicle sensors available in the network at the time of purchase and stores all the relevant data of the vehicle, such as its battery capacity, number, engine, insurance expiry date, etc.
Figure 1: Data traffic schematic diagram for smart Vehicular System
Table 1: Symbols used
Symbol | Description
$ID_k$ | Identity of kth vehicle sensor
$ID_i$ | Identity of ith user $U_i$
$PW_i$ | Password of $U_i$
$RA$ | Registration authority
$RG_i$ | Random number selected by sink node
$K_S$ | Secret key of sink node
$NU_i$ | Random nonce generated by $U_i$
$NS_j$ | Random nonce generated by sink node
$NV_k$ | Random nonce generated by vehicle sensor
$h(\cdot)$ | One-way cryptographic hash function
$\parallel$ | Concatenation operation
$\oplus$ | Bitwise XOR operation
2.2. User Registration Phase
To obtain and monitor the data from the vehicle sensor, each user has to register with the nearby sink node. The sink node registers the user and provides a smart card after verifying them. The smart card contains some important parameters, such as identity and password, in encrypted form. The steps to register a user ($U_i$) are as follows; a diagrammatic view is shown in Fig. 2.
Step 1 The user chooses an identity and password $ID_i$, $PW_i$ and a random nonce $RN_i$. Then $U_i$ computes a masked identity and password as $HID_i = h(ID_i \parallel RN_i)$, $HPW_i = h(PW_i \parallel RN_i)$ and sends them to the sink node via a secure channel.
Step 2 The sink node randomly selects a nonce and a number, $RG_i$ and $q_i$ respectively. Then it computes $A_i = h(HID_i \parallel RG_i)$, $B_i = h(HID_i \parallel HPW_i \parallel RG_i)$, $C_i = q_i \oplus HPW_i$ and $D_i = C_i \oplus h(K_S)$, and stores $A_i, B_i, C_i, D_i, RG_i$ in the memory of the smart card. The sink node sends the smart card to the user via a secure channel.
Step 3 After receiving the smart card, the user computes $HN_i = h(ID_i \parallel PW_i) \oplus RN_i$ and stores $HN_i$ in the memory of the smart card. Finally, the smart card holds $A_i, B_i, C_i, D_i, RG_i, HN_i$ in its memory.

Figure 2: Traffic Worker Registration phase
User ($U_i$): Input $ID_i$, $PW_i$, $RN_i$; $HID_i = h(ID_i \parallel RN_i)$; $HPW_i = h(PW_i \parallel RN_i)$
User → Sink node ($SN_K$): $HID_i, HPW_i$ (via a secure channel)
Sink node ($SN_K$): $A_i = h(HID_i \parallel RG_i)$; $B_i = h(HID_i \parallel HPW_i \parallel RG_i)$; $C_i = q_i \oplus HPW_i$; $D_i = C_i \oplus h(K_S)$; store $A_i, B_i, C_i, D_i, RG_i$ in smart card
Sink node → User: smart card (via a secure channel)
User ($U_i$): $HN_i = h(ID_i \parallel PW_i) \oplus RN_i$; store $HN_i$ in smart card
2.3. User Login Phase
After registration, the user logs into the system with their identity and password using the smart card. The smart card checks the correctness of the entered values and sends messages to the sink node. The login phase is executed as follows:
Step 1 The user provides $ID_i^*$ and $PW_i^*$ to the terminal of the smart card, and the smart card computes $RN_i = h(ID_i^* \parallel PW_i^*) \oplus HN_i$, $HID_i^* = h(ID_i^* \parallel RN_i^*)$ and $HPW_i^* = h(PW_i^* \parallel RN_i^*)$, then verifies whether $B_i^* \stackrel{?}{=} B_i$, where $B_i^* = h(HID_i^* \parallel HPW_i^* \parallel RG_i)$. If the check succeeds, it proceeds further; otherwise it rejects the smart card.
Step 2 The smart card computes $q_i = C_i \oplus HPW_i^*$ and randomly generates a nonce $NU_i$. After that, the smart card uses the nonce to compute $M_{TS} = h(q_i \parallel B_i \parallel NU_i)$, $p_1 = NU_i \oplus q_i$, $p_2 = ID_k \oplus h(p_1 \parallel q_i)$ and $E_i = D_i \oplus HPW_i^*$.
Step 3 Finally, the smart card sends the login request message $M_{TS}, p_1, p_2, E_i$ to the sink node.
2.4. Authentication Phase
The authentication phase is initiated by the user after a successful login phase. The user sends the authentication message to a sink node. The aim of this phase is to negotiate a secret session key between the user, vehicle sensor and sink node. After successful negotiation of the session key, they can use it to communicate securely. In order to achieve secure session key negotiation, a lightweight key agreement protocol is proposed which involves mutual authentication between all parties (i.e. $U_i$, $SN_j$ and $VS_k$), executed as below and shown in Fig. 3.
Step 1 The sink node uses its own key $K_S$ and the message $E_i$ from the login request to compute $q_i^* = E_i \oplus h(K_S)$, and uses the received messages $p_1, p_2$ to determine the nonce of $U_i$ and the identity of the vehicle sensor as $NU_i^* = p_1 \oplus q_i^*$, $ID_k = p_2 \oplus h(p_1 \parallel q_i)$. If the determined nonce $NU_i$ is fresh, the sink node further verifies $M_{TS}^* \stackrel{?}{=} h(q_i^* \parallel B_i \parallel NU_i^*)$. If the verification fails, the sink node rejects the login request; otherwise, the sink randomly generates a nonce $NS_j$ and computes $X_k^* = h(ID_k \parallel K_S)$. Finally, $SN_j$ computes $M_{SV} = h(ID_k \parallel NS_j^* \parallel X_j \parallel ID_j)$ and $d_1 = NS_j \oplus h(ID_k)$, $d_2 = ID_j \oplus ID_k$, then sends $M_{SV}, d_1, d_2$ to the vehicle sensor.
Step 2 On receiving the message, the sensor determines the nonce of the sink as $NS_j = d_1 \oplus h(ID_k)$, $ID_j = d_2 \oplus ID_k$ and checks the freshness of $NS_j$. If it is fresh, the sensor accepts the request; otherwise it rejects it. The sensor then requests $X_k$ from the registration authority by sending $ID_k$; in response, the RA sends $X_k$ via a secure channel. After that, the sensor verifies $M_{SV}^* \stackrel{?}{=} h(ID_k \parallel NS_j \parallel X_k \parallel ID_j)$. If the verification fails, the vehicle sensor rejects the request; otherwise, the sensor randomly generates a nonce $NV_k$ and determines $v = h(ID_k \parallel NS_k \parallel NV_j)$ and the message $M_{VS} = h(X_k \parallel NS_k \parallel v)$, $t = NS_k \oplus NV_j$. Finally, it sends $M_{VS}, t$ to the sink node.
Step 3 On receiving the reply message from the vehicle sensor, the sink node determines the nonce $NV_k$ as $NV_k = t \oplus NS_j$ and checks its freshness, then computes the value $v^* = h(ID_k \parallel NS_k \parallel NV_j)$ and verifies whether $M_{VS}^* \stackrel{?}{=} h(X_k \parallel NS_k \parallel v^*)$ holds. If it does, the sink is assured that $NV_j$ is valid and the received values are correct; otherwise, the sink node terminates the session. $SN_j$ computes $w = NS_j \oplus NU_i$ and $M_{ST} = h(q_i^* \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$ and sends $M_{ST}, w$ to $U_i$.
Step 4 The user first determines the nonce of the sink using its own nonce and $w$ as $NS_j = w \oplus NU_i$. After that, $U_i$ checks whether $M_{ST}^* \stackrel{?}{=} h(q_i \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$; if valid, $U_i$ accepts it, otherwise it rejects the session.
2.5. Password Change Phase
Any registered user can change their password whenever required by executing the following operations.
Step 1 Initially, the user inserts the smart card into the card reader and inputs their identity and password $ID_i$, $PW_i$ to the card reader.
Step 2 Then, the smart card computes $RN_i = HN_i \oplus h(ID_i^* \parallel PW_i^*)$, $HID_i^* = h(ID_i^* \parallel RN_i)$, $HPW_i^* = h(PW_i \parallel RN_i)$, $B_i^* = h(HID_i^* \parallel HPW_i \parallel RG_i)$ and checks whether $B_i^* \stackrel{?}{=} B_i$. If the verification fails, the smart card rejects the request; otherwise the user enters the new password $PW_i^{new}$ and the smart card computes new values for the parameters containing the password.
Step 3 $HPW_i^{new} = h(PW_i^{new} \parallel RN_i^*)$, $HN_i^{new} = RN_i \oplus h(ID_i^* \parallel PW_i^{new})$, $B_i^{**} = h(HID_i^* \parallel HPW_i^{new} \parallel RG_i)$, $C_i^{new} = q_i \oplus HPW_i^{new}$, $D_i^{new} = D_i \oplus C_i \oplus C_i^{new}$. Finally, it replaces the old values of $HN_i, B_i, C_i, D_i$ with the new values $HN_i^{new}, B_i^{new}, C_i^{new}, D_i^{new}$.
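The registration phase (Section 2.2), the login phase (Section 2.3) and Step 1 of the authentication phase (Section 2.4) can be traced in the following added Python example, which is not the authors' code. It assumes SHA-1 for h(·) (the digest size used in Section 4.2), 20-byte fixed-width encodings for identities, nonces and q_i so that XOR is defined, a sink-side table from q_i to B_i (the paper says only that the sink knows B_i), and freshness checked as "nonce not seen before"; the names Sink, ident, user_register and card_login are hypothetical.

```python
import hashlib
import hmac
import secrets

L = 20  # bytes; SHA-1 digest size (160 bits, as assumed in Section 4.2)

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): hash of the concatenated arguments."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ident(name: str) -> bytes:
    """Fixed-width identity encoding (assumption, so ID XOR digest is defined)."""
    raw = name.encode()
    if len(raw) > L:
        raise ValueError("identity too long")
    return raw.ljust(L, b"\0")

class Sink:
    def __init__(self):
        self.K_S = secrets.token_bytes(L)   # secret key of the sink node
        self.B_by_q = {}                    # assumption: how the sink "knows" B_i
        self.seen = set()                   # assumption: nonce freshness check

    def register(self, HID: bytes, HPW: bytes) -> dict:
        """Registration Step 2: build the smart card contents."""
        RG, q = secrets.token_bytes(L), secrets.token_bytes(L)
        B = h(HID, HPW, RG)
        C = xor(q, HPW)
        D = xor(C, h(self.K_S))
        self.B_by_q[q] = B
        return {"A": h(HID, RG), "B": B, "C": C, "D": D, "RG": RG}

    def verify_login(self, M_TS, p1, p2, E):
        """Authentication Step 1: return ID_k if the request verifies, else None."""
        if any(len(x) != L for x in (M_TS, p1, p2, E)):
            return None
        q = xor(E, h(self.K_S))             # q_i* = E_i xor h(K_S)
        NU = xor(p1, q)                     # NU_i* = p1 xor q_i*
        B = self.B_by_q.get(q)
        if B is None or NU in self.seen:
            return None                     # unknown user or replayed nonce
        if not hmac.compare_digest(M_TS, h(q, B, NU)):
            return None
        self.seen.add(NU)
        return xor(p2, h(p1, q))            # ID_k = p2 xor h(p1 || q_i)

def user_register(sink: Sink, ID: bytes, PW: bytes) -> dict:
    """Registration Steps 1 and 3 on the user side."""
    RN = secrets.token_bytes(L)
    card = sink.register(h(ID, RN), h(PW, RN))
    card["HN"] = xor(h(ID, PW), RN)
    return card

def card_login(card: dict, ID: bytes, PW: bytes, ID_k: bytes):
    """Login Steps 1-3: local check of B_i, then the request (M_TS, p1, p2, E_i)."""
    RN = xor(h(ID, PW), card["HN"])
    HID, HPW = h(ID, RN), h(PW, RN)
    if not hmac.compare_digest(h(HID, HPW, card["RG"]), card["B"]):
        return None                         # wrong identity or password
    q = xor(card["C"], HPW)
    NU = secrets.token_bytes(L)
    p1 = xor(NU, q)
    return h(q, card["B"], NU), p1, xor(ID_k, h(p1, q)), xor(card["D"], HPW)

def demo() -> dict:
    # Constructed sample identities and password, for illustration only.
    sink = Sink()
    uid, pw, vid = ident("user-01"), b"correct horse", ident("vehicle-42")
    card = user_register(sink, uid, pw)
    req = card_login(card, uid, pw, vid)
    accepted = sink.verify_login(*req)
    replay = sink.verify_login(*req)        # same nonce again: not fresh
    M, p1, p2, E = card_login(card, uid, pw, vid)
    flipped = bytes([p1[0] ^ 1]) + p1[1:]   # p1 modified in transit
    return {
        "accepted_id": accepted,
        "replay": replay,
        "wrong_password": card_login(card, uid, b"wrong", vid),
        "tampered": sink.verify_login(M, flipped, p2, E),
    }

if __name__ == "__main__":
    print(demo())
```

The sink recovers q_i because E_i ⊕ h(K_S) = C_i ⊕ HPW_i = q_i, which is the identity that the check of M_TS relies on.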
3. Security Analysis
This section analyzes the security of the proposed protocol. We consider that an attacker A has the capacity to modify and eavesdrop on the messages communicated over the public channel. The analysis of the schemes against different features is provided in Table 2 and compared with our scheme qualitatively, where 'Yes' means the respective feature is present in the scheme and 'No' means it is not present.
3.1. Resistance of User Impersonation Attack
The attacker A can eavesdrop on as well as modify the messages communicated over a public channel. In order to impersonate the valid user $U_i$, A modifies the login message $M_{TS}, p_1, p_2, E_i$ to $M_{TS1}, p_1^*, p_2^*, E_{i1}$ by performing the following steps:
• Attacker A randomly selects a nonce $NU_A$.
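Figure 3: Login and Authentication phase
User ($U_i$): Input $ID_i^*$, $PW_i^*$; $RN_i = h(ID_i^* \parallel PW_i^*) \oplus HN_i$; $HID_i^* = h(ID_i^* \parallel RN_i^*)$; $HPW_i^* = h(PW_i^* \parallel RN_i^*)$; $B_i^* = h(HID_i^* \parallel HPW_i^* \parallel RG_i)$; $B_i^* \stackrel{?}{=} B_i$; $q_i = C_i \oplus HPW_i^*$; generate a random nonce $NU_i$; $M_{TS} = h(q_i \parallel B_i \parallel NU_i)$; $p_1 = NU_i \oplus q_i$; $p_2 = ID_j \oplus h(p_1 \parallel q_i)$; $E_i = D_i \oplus HPW_i^*$
User → Sink node: $M_{TS}, p_1, p_2, E_i$ (via insecure channel)
Sink node ($SN_j$): $q_i^* = E_i \oplus h(K_S)$; $NU_i^* = p_1 \oplus q_i^*$; $ID_k = p_2 \oplus h(p_1 \parallel q_i^*)$; $M_{TS}^* \stackrel{?}{=} h(q_i^* \parallel B_i \parallel NU_i^*)$; generate a random nonce $NG_j$; $X_k^* = h(ID_k \parallel K_S)$; $M_{SV} = h(ID_k \parallel NS_j^* \parallel X_j \parallel ID_j)$; $d_1 = NS_j \oplus h(ID_j)$; $d_2 = ID_k \oplus ID_j$
Sink node → Vehicle sensor: $M_{SV}, d_1, d_2$ (via insecure channel)
Vehicle sensor ($VS_k$): $NS_j^* = d_1 \oplus h(ID_k)$; $ID_j = d_2 \oplus ID_k$; receive $X_k$ from RA; $M_{SV}^* \stackrel{?}{=} h(ID_k \parallel NS_j \parallel X_k \parallel ID_j)$; generate a random nonce $NV_k$; $v = h(ID_k \parallel NS_k \parallel NV_j)$; $M_{VS} = h(X_k \parallel NS_k \parallel v)$; $t = NS_k \oplus NV_j$
Vehicle sensor → Sink node: $M_{VS}, t$ (via insecure channel)
Sink node ($SN_j$): $NV_k = t \oplus NS_j$; $v^* = h(ID_k \parallel NS_k \parallel NV_j)$; $M_{VS}^* \stackrel{?}{=} h(X_k \parallel NS_k \parallel v^*)$; $w = NS_j \oplus NU_i$; $M_{ST} = h(q_i^* \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$
Sink node → User: $M_{ST}, w$ (via insecure channel)
User ($U_i$): $NS_j = w \oplus NU_i$; $M_{ST}^* \stackrel{?}{=} h(q_i \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$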
Figure 4: Password Change phase
User ($U_i$) → Smart card: $ID_i^*$, $PW_i^*$
Smart card: $RN_i = HN_i \oplus h(ID_i^* \parallel PW_i^*)$; $HID_i^* = h(ID_i^* \parallel RN_i)$; $HPW_i^* = h(PW_i \parallel RN_i)$; $B_i^* = h(HID_i^* \parallel HPW_i \parallel RG_i)$; $B_i^* \stackrel{?}{=} B_i$; $q_i = C_i \oplus HPW_i^*$
Smart card → User: Authenticate
User → Smart card: new password $PW_i^{new}$
Smart card: $HPW_i^{new} = h(PW_i^{new} \parallel RN_i^*)$; $HN_i^{new} = RN_i \oplus h(ID_i^* \parallel PW_i^{new})$; $B_i^{new} = h(HID_i^* \parallel HPW_i^{new} \parallel RG_i)$; $C_i^{new} = q_i \oplus HPW_i^{new}$; $D_i^{new} = D_i \oplus C_i \oplus C_i^{new}$
• Computes $p_1^* = NU_A \oplus q_{i1}$, $M_{TS} = h(q_{i1} \parallel B_i \parallel NU_A)$, $E_i = D_i \oplus HPW_{i1}$ and sends them to the sink node, where the attacker guesses the values of $HPW_{i1}$, $q_{i1}$, provided that the attacker knows the parameters of the smart card. However, randomly guessing $HPW_{i1}$, $q_{i1}$ without knowing the password and identity will lead to incorrect values. After that, the sink node receives $M_{TS1}, p_1^*, p_2^*, E_{i1}$ and verifies the message. It is obvious that the verification fails and the sink node detects the fake request.
As a result, it is impossible for an attacker to deceive the sink node by sending a fake message to impersonate a legal user. Hence, our scheme provides security protection against user impersonation attacks.
3.2. Resistance Impersonation of Sink Node
The attacker A interrupts the sink node when it is sending messages to the vehicle sensor and the user.
1. A interrupts the message between sink and sensor, $M_{SV}, d_1, d_2$, and generates another message $M_{SV1}, d_1^*, d_2^*$, where $M_{SV1} = ID_{k1} \parallel NS_A \parallel X_{j1} \parallel ID_{j1}$, and transmits it to the vehicle sensor to impersonate the legal sink, where A tries to guess the unknown values of the parameters $ID_{k1}$, $X_{j1}$. However, the sensor node identifies the incorrect value of $M_{SV1}$ while performing the verification process.
2. A interrupts the message between sensor and user, $M_{ST}, w$, and generates another message $M_{ST1}, w_1$, where $M_{ST1} = h(q_{i1} \parallel NU_A \parallel NS_A \parallel ID_{i1} \parallel ID_{k1})$, and transmits it to the user to impersonate the legal sensor, where A cannot compute the correct values of the unknown parameters. However, the user identifies the incorrect value of $M_{ST1}$ while performing the verification process.
As a result, the proposed scheme resists the sink node impersonation attack.
3.3. Resistance Impersonation of Vehicle Sensor
Similar to the sink node impersonation attack, the attacker A tries to impersonate the vehicle sensor by replacing the message $M_{VS}, t$ with $M_{VS1}, t_1$. However, the attacker cannot compute a valid message $M_{VS}$ without knowing the correct values of all the parameters used to compute the message, such as the nonce of the sink node ($NS_j$, $X_k$). Hence, the proposed protocol resists the vehicle sensor impersonation attack.
3.4. Resistance to Stolen Smart Card Attack
We assume that the smart card of the user is stolen by the attacker A, who has access to the stored parameters $A_i, B_i, C_i, D_i, RG_i, HN_i$ of the smart card. The attacker tries to generate a fake login request $M_{TS}, p_1, p_2, E_i$ to log into the system by sending data to the sink node:
$M_{TS} = h(q_i \parallel B_i \parallel NU_A)$
$p_1 = NU_A \oplus q_i$
$p_2 = ID_j \oplus h(p_1 \parallel q_i)$
$E_i = D_i \oplus HPW_i$
where $NU_A$ is a random nonce generated by the attacker A, which cannot be computed by A as it contains the secret key of the sink node and the identity of a valid user. Similarly, an adversary cannot compute $HPW_i = h(PW_i \parallel RN_i)$, as it contains the password and the random nonce generated by user $U_i$. The adversary is not able to invert the hash function to compute $M_{TS}$ or $HPW_i$, due to the non-invertibility of the hash function.
3.5. Resistance to Off-Line Identity and Password Guessing Attack
It has been seen that users choose low-entropy identities and passwords, which can be guessed in polynomial time. Due to the use of a one-way hash function, it is impossible to extract user information in the proposed scheme. The adversary A tries to guess the user's identity and password in off-line mode after extracting several parameters. However, guessing the identity and password $ID_i$, $PW_i$ is not feasible for the attacker, as described below:
1. If the attacker knows the constraints of the smart card. The smart card constraints are $A_i, B_i, C_i, D_i$, which are defined as $A_i = h(HID_i \parallel RG_i)$, $B_i = h(HID_i \parallel HPW_i \parallel RG_i)$, $C_i = q_i \oplus HPW_i$, $D_i = C_i \oplus h(K_S)$, where $HID_i = h(ID_i \parallel RN_i)$, $HPW_i = h(PW_i \parallel RN_i)$. It is clear that the attacker is only able to compute $h(K_S)$ from the smart card information. However, he/she is unable to guess the user's identity and password due to the unknown information.
2. If the attacker eavesdrops on the transmitted messages. The attacker traps the messages $M_{TS}, p_1, p_2, E_i$, $M_{SV}, d_1, d_2$, $M_{VS}, t$, $M_{ST}, w$ while they are being passed over a public channel in the login and authentication phase.
If the attacker A traps the messages $M_{TS} = h(q_i \parallel B_i \parallel NU_i)$, $E_i = D_i \oplus HPW_i$, $M_{SV} = h(ID_k \parallel NG_j \parallel X_j \parallel ID_j)$, $M_{VS} = h(X_k \parallel NS_k \parallel v)$, $M_{ST} = h(q_i \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$ and tries to obtain the identity from the message $M_{ST}$, he/she needs to know $q_i, NU_i, NS_j, NV_k, ID_k$. Note that the identity and password are always protected by a non-invertible one-way function. If the attacker tries to verify the guessed identity and password, the probability would be $\frac{1}{2^{12n+128}}$, where the length of the random number is 128 bits [16].
The above two conditions clearly demonstrate that the attacker cannot obtain the personal information of the legal entity. Hence, our protocol protects against off-line identity and password guessing attacks.
3.6. Resistance to Untraceable Attack
The attacker A intercepts two messages from two different sessions and checks whether they are the same. If they are, the attacker believes that these two messages belong to the same user. However, an attacker cannot trace a user after intercepting one or more public messages. We consider that an attacker intercepts $M_{TS}, p_1, p_2, E_i$, where $M_{TS} = h(q_i \parallel B_i \parallel NU_i)$, $p_1 = NU_i \oplus q_i$, $p_2 = ID_j \oplus h(p_1 \parallel q_i)$, $E_i = D_i \oplus HPW_i$. The computation of $M_{TS}$, $p_1$ depends on the random nonce $NU_i$ of the user. Since the nonce is different in each session, the login message of each session must be different. Note that the sink node and the vehicle sensor also use random nonces $NS_j$, $NV_k$ to compute the messages sent over a public channel. If an attacker intercepts them, A will still get a different message in each session due to the random selection of nonces by the nodes. Therefore, our protocol resists the user as well as the vehicle sensor untraceable attack.
3.7. Session Key Security
After performing mutual authentication, the user $U_i$ and the sink $SN_j$ negotiate a common session key $M_{TS} = h(q_i \parallel B_i \parallel NU_i)$. The sink first verifies the session key by checking $M_{TS} \stackrel{?}{=} h(q_i \parallel B_i \parallel NU_i)$, as the sink knows $q_i, B_i, NU_i$, which ensures the validity of the session key between $U_i$ and $SN_j$.
The same holds for $SN_j$ and $VS_K$, between $VS_K$ and $SN_j$, and between $SN_J$ and $U_i$. Thus, the proposed protocol provides session key security.
3.8. Known-Key Security
The session key is hashed with a non-invertible cryptographic one-way hash function. Hence, A cannot retrieve any information from the session key and cannot compute it either. Therefore, the proposed scheme achieves known-key security.
3.9. Mutual Authentication
Mutual authentication between the communicating participants must be provided, as the communication is performed over an insecure channel. Here, we discuss authentication among user, sink node and vehicle sensor:
• User authentication by sink node: When a user $U_i$ sends a login request $M_{TS}, p_1, p_2, E_i$ to the sink node, $SN_j$ first uses its secret key $K_S$ and $E_i$ to retrieve the value of $q_i$ and then verifies the authenticity of $U_i$ by checking $M_{TS} \stackrel{?}{=} h(q_i \parallel B_i \parallel NU_i)$. If both are equal, then the user is valid.
• Sink node authentication by vehicle sensor: After authenticating user $U_i$, the sink node sends the authentication message $M_{SV}, d_1, d_2$ to a vehicle sensor. Then, $SN_k$ uses $X_j$ and the nonce of the sink node to verify the validity of the sink by checking $M_{SV} \stackrel{?}{=} h(ID_k \parallel NS_j \parallel X_k \parallel ID_j)$. If the equation holds, then the sink node is valid.
• Vehicle sensor authentication by sink node: After that, the vehicle sensor sends $M_{VS}, t$ to the sink node, where $NS_j$ retrieves the nonce of the vehicle $NV_k$, $v$ and verifies $M_{VS} \stackrel{?}{=} h(X_k \parallel NS_k \parallel v)$. If the equation is correct, then the sensor is valid.
• Sink node authentication by user: $U_i$ receives the message $M_{ST}, w$ and retrieves the nonce $NS_j$. Then it verifies $M_{ST} \stackrel{?}{=} (q_i \parallel NU_i \parallel NS_j \parallel ID_i \parallel ID_k)$. If they are equal, then the user is convinced that both the vehicle sensor and the sink node are valid.
Therefore, our protocol achieves mutual authentication in each phase between all the entities.
3.10. Password Change Attack
We assume that the smart card has been obtained by the attacker A. If the attacker wants to change the password, he/she would need to know the old password (Section 3.4).
For instance, even if the adversary breaches the smart card and reveals the stored data, extracting the stored password remains impractical for A, as described for the stolen smart card attack. Therefore, our scheme protects against password-change attacks.

Table 2: Security analysis
Attacks | He et al. [2] | Xue et al. [26] | Choi et al. [13] | Amin et al. [27] | Chang et al. [28] | Kumari et al. [4] | Shi et al. [3] | Our
Impersonation of User | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Impersonation of Sensor node | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Impersonation of Gateway node | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Known-key security resistance | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Off-Line password guessing attack | Yes | No | No | Yes | Yes | Yes | Yes | Yes
Untraceable attack | No | No | No | Yes | No | No | No | Yes
Smart Card stolen attack | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
Session-key security | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Password change attack | No | No | No | No | No | No | No | Yes
Anonymity | Yes | No | No | Yes | Yes | Yes | No | Yes
Mutual Authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
4. Performance Evaluation
This section evaluates the performance of our proposed protocol in terms of computation and communication cost against some of the existing protocols that are directly comparable with our protocol, namely He et al. [2], Xue et al. [26], Choi et al. [13], Amin et al. [27], Chang et al. [28], Kumari et al. [4] and Shi et al. [3].
4.1. Computation Cost
In any authentication protocol the computation cost determines the total cost of the protocol, which should be as low as possible. Table 3 compares the computation overhead of our protocol with some of the existing protocols based on the cost of hash operations, symmetric cryptography and elliptic curve point multiplication operations. Three entities, users, sink node and vehicle sensors, are involved in the computation process. The login and authentication phases are the prime concern in any authentication protocol. Hence, the cost is always computed in terms of the login and authentication phases. We also measure the computation cost separately for user, sink node and vehicle sensor. From Section 1.1 it is clear that [2] uses a temporal-credential-based authentication protocol and the methods discussed in [13], [3] use elliptic curve points, whereas the methods of [26], [27] are based on healthcare applications in WSN. Similarly, our protocol is an application of WSN in a vehicle system and uses a cryptographic one-way hash function, XOR ($\oplus$) and concatenation ($\parallel$) operations to build the secure authentication protocol; the cost of the XOR and concatenation operations is considered negligible and the hash operation has a very low cost. From Table 3, it is clear that our protocol has a total computation cost of 0.010 seconds ($20T_h$), of which the vehicle sensor accounts for 0.002 seconds ($4T_h$). The sensor contributes 20% of the total cost, which is very low and is important for measuring the efficiency of the sensor node. Moreover, in our scheme the sensor can be recharged by the vehicle battery, while in other schemes sensors have a battery with limited power.
Based on the algorithm of authentication in [26], [13], [27], [28], [4], [3], [2], we calculate the computation cost by considering T h , T s and T M as time of cryptographic one-way hash operation (≈ 0.0005 sec.), time of a symmetric key cryptography operation (≈ 0.0087 sec.), time of an elliptic curve scalar point multiplication operation (≈ 0.0630 sec.) respectively in Table 3 and shows that, our protocol has lesser computation overhead, then all the compared scheme. Hence, suitable for practical application.
Table 3: Computation cost comparison

| Schemes | User | Sink node | Sensor | Total cost | Total cost in seconds |
|---|---|---|---|---|---|
| He et al. [2] | $4T_h + 2T_s$ | $2T_h + 5T_s$ | $T_h + 2T_s$ | $7T_h + 9T_s$ | 0.0818 |
| Xue et al. [26] | $10T_h$ | $14T_h$ | $6T_h$ | $30T_h$ | 0.0150 |
| Choi et al. [13] | $12T_h + 3T_M$ | $5T_h + T_M$ | $7T_h + 2T_M$ | $24T_h + 6T_M$ | 0.3900 |
| Amin et al. [27] | $12T_h$ | $17T_h$ | $6T_h$ | $35T_h$ | 0.0175 |
| Chang et al. [28] | $15T_h$ | $18T_h$ | $6T_h$ | $39T_h$ | 0.0195 |
| Kumari et al. [4] | $10T_h$ | $8T_h$ | $6T_h$ | $24T_h$ | 0.0120 |
| Shi et al. [3] | $5T_h + 3T_M$ | $3T_h + 2T_M$ | $4T_h + 1T_M$ | $6T_M + 12T_h$ | 0.3840 |
| Our | $7T_h$ | $9T_h$ | $4T_h$ | $20T_h$ | 0.0100 |
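
The totals in Table 3 are the per-entity operation counts summed and weighted by the unit times given in Section 4.1. The following sketch is an added illustration, not part of the manuscript; it recomputes each total and the sensor's share of it. The function names and the `Th`/`Ts`/`TM` string syntax are assumptions of this example.

```python
# Added example: recompute Table 3 from the per-entity operation counts.
import re
from collections import Counter

# Unit times in seconds, as stated in Section 4.1.
UNIT = {"h": 0.0005, "s": 0.0087, "M": 0.0630}

# (user, sink node, sensor) operation counts copied from Table 3.
TABLE3 = {
    "He et al. [2]":     ("4Th + 2Ts", "2Th + 5Ts", "Th + 2Ts"),
    "Xue et al. [26]":   ("10Th", "14Th", "6Th"),
    "Choi et al. [13]":  ("12Th + 3TM", "5Th + TM", "7Th + 2TM"),
    "Amin et al. [27]":  ("12Th", "17Th", "6Th"),
    "Chang et al. [28]": ("15Th", "18Th", "6Th"),
    "Kumari et al. [4]": ("10Th", "8Th", "6Th"),
    "Shi et al. [3]":    ("5Th + 3TM", "3Th + 2TM", "4Th + 1TM"),
    "Our":               ("7Th", "9Th", "4Th"),
}

def parse(expr):
    """Turn '4Th + 2Ts' into Counter({'h': 4, 's': 2}); a bare 'Th' counts as 1."""
    ops = Counter()
    for term in expr.split("+"):
        m = re.fullmatch(r"\s*(\d*)T([hsM])\s*", term)
        if m is None:
            raise ValueError(f"unrecognised cost term: {term!r}")
        ops[m.group(2)] += int(m.group(1) or 1)
    return ops

def total_ops(scheme):
    """Sum the user, sink node and sensor counts of one scheme."""
    return sum((parse(e) for e in TABLE3[scheme]), Counter())

def seconds(ops):
    """Weight operation counts by the unit times, rounded as in Table 3."""
    return round(sum(n * UNIT[k] for k, n in ops.items()), 4)

def sensor_share(scheme):
    """Fraction of the scheme's total time that is spent on the sensor."""
    return seconds(parse(TABLE3[scheme][2])) / seconds(total_ops(scheme))

if __name__ == "__main__":
    for name in TABLE3:
        ops = total_ops(name)
        print(f"{name:18} {seconds(ops):.4f} s  sensor share {sensor_share(name):.0%}")
```

Run as a script, it prints one line per scheme; the sensor-share column makes visible how much of each scheme's cost lands on the most constrained device.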
4.2. Communication Cost
Table 4 compares the communication cost of our scheme with that of the related schemes, where the cost is measured in bit length. We assume that the hash digest is 160 bits, as we consider the SHA-1 hash function; the timestamp $TS$, identity $ID_i$, random number and nonce are 64 bits each; the user identity $DID_i$ is 160 bits; the user temporary identity $TID_i$ is 160 bits; an ECC point multiplication is 512 bits; and symmetric key encryption/decryption is 256 bits. Thus, the communication cost of our protocol, $M_{TS}, p_1, p_2, E_i, M_{SV}, d_1, d_2, M_{VS}, t, M_{ST}, w$, is 1280 bits, computed between user, sensor and sink node. We have found that our protocol has a lower communication cost than the existing protocols in [26], [13], [27], [28], [4], [3] but a higher one than [2]. However, He et al.'s [2] protocol suffers from the untraceable attack as well as the password change attack. We can conclude that our protocol provides various types of security features with less communication and computation overhead. The basic platform is IoT, implemented as an application of WSN in a traffic management system where sensors play the key role and the vehicle's battery is used to recharge the sensors. As a result, the system will never crash. Hence, the proposed protocol is appropriate for the application discussed above.
Table 4: Communication cost comparison

| Schemes | Communication cost (bits) |
|---|---|
| He et al. [2] | 1216 |
| Xue et al. [26] | 1920 |
| Choi et al. [13] | 3584 |
| Amin et al. [27] | 2112 |
| Chang et al. [28] | 1760 |
| Kumari et al. [4] | 1856 |
| Shi et al. [3] | 3872 |
| Our | 1280 |
5. Conclusion
We have proposed a new authentication protocol for vehicular systems in WSN to tackle problems of vehicles running on the road, such as avoidance of traffic jams and related problems. Secure communication between the user, sink and vehicle sensors is important, and hence we design an efficient authentication protocol which resists various attacks. In addition, the performance evaluation shows that the new protocol has better performance, and the security analysis establishes its security in terms of WSN without increasing the costs. We have presented the new protocol by showing its application in a vehicular system. In the future, we will extend this work to the cloud and combine IoT with the cloud to give a more practical authentication protocol for the same application.

References
[1] K. Chatterjee, A. De, D. Gupta, A secure and efficient authentication protocol in wireless sensor network, Wireless Personal Communications 81 (1) (2015) 17–37.
[2] D. He, N. Kumar, J. Chen, C.-C. Lee, N. Chilamkurti, S.-S. Yeo, Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks, Multimedia Systems 21 (1) (2015) 49–60.
[3] W. Shi, P. Gong, A new user authentication protocol for wireless sensor networks using elliptic curves cryptography, International Journal of Distributed Sensor Networks 2013.
[4] S. Kumari, H. Om, Authentication protocol for wireless sensor networks applications like safety monitoring in coal mines, Computer Networks 104 (2016) 137–154.
[5] K. H. Wong, Y. Zheng, J. Cao, S. Wang, A dynamic user authentication scheme for wireless sensor networks, in: IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC'06), Vol. 1, IEEE, 2006, pp. 8–pp.
[6] M. L. Das, Two-factor user authentication in wireless sensor networks, IEEE Transactions on Wireless Communications 8 (3) (2009) 1086–1090.
[7] T.-H. Chen, W.-K. Shih, A robust mutual authentication protocol for wireless sensor networks, ETRI Journal 32 (5) (2010) 704–712.
[8] M. K. Khan, K. Alghathbar, Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks', Sensors 10 (3) (2010) 2450–2459.
[9] B. Vaidya, D. Makrakis, H. T. Mouftah, Improved two-factor user authentication in wireless sensor networks, in: 2010 IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications, IEEE, 2010, pp. 600–606.
[10] E.-J. Yoon, K.-Y. Yoo, Cryptanalysis of robust mutual authentication protocol for wireless sensor networks, in: Cognitive Informatics & Cognitive Computing (ICCI* CC), 2011 10th IEEE International Conference on, IEEE, 2011, pp. 392–396.
[11] P. Kumar, H.-J. Lee, Cryptanalysis on two user authentication protocols using smart card for wireless sensor networks, in: Wireless Advanced (WiAd), 2011, IEEE, 2011, pp. 241–245.
[12] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, H.-W. Wei, A secured authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors 11 (5) (2011) 4767–4779.
[13] Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, D. Won, Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors 14 (6) (2014) 10081–10106.
[14] R. Roman, C. Alcaraz, J. Lopez, N. Sklavos, Key management systems for sensor networks in the context of the internet of things, Computers & Electrical Engineering 37 (2) (2011) 147–159.
[15] M. Turkanović, B. Brumen, M. Hölbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion, Ad Hoc Networks 20 (2014) 96–112.
[16] R. Amin, G. Biswas, A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks, Ad Hoc Networks 36 (2016) 58–80.
[17] Y. Lu, L. Li, H. Peng, Y. Yang, An energy efficient mutual authentication and key agreement scheme preserving anonymity for wireless sensor networks, Sensors 16 (6) (2016) 837.
[18] R. K. Megalingam, V. Mohan, A. Mohanan, P. Leons, R. Shooja, Wireless sensor network for vehicle speed monitoring and traffic routing system, in: Mechanical and Electrical Technology (ICMET), 2010 2nd International Conference on, IEEE, 2010, pp. 631–635.
[19] V. P. Gil Jiménez, M. J. Fernández-Getino García, Simple design of wireless sensor networks for traffic jams avoidance, Journal of Sensors 2015.
[20] M. Raya, P. Papadimitratos, J.-P. Hubaux, Securing vehicular communications, IEEE Wireless Communications Magazine, Special Issue on Inter-Vehicular Communications 13 (LCA-ARTICLE-2006-015) (2006) 8–15.
[21] J. Sánchez-García, J. García-Campos, D. Reina, S. Toral, F. Barrero, On-sitedriverid: A secure authentication scheme based on spanish eid cards for vehicular ad hoc networks, Future Generation Computer Systems 64 (2016) 50–60.
[22] A. Rabbachin, A. Conti, M. Z. Win, Wireless network intrinsic secrecy, IEEE/ACM Transactions on Networking 23 (1) (2015) 56–69.
[23] A. Bazzi, B. M. Masini, A. Zanella, G. Pasolini, IEEE 802.11p for cellular offloading in vehicular sensor networks, Computer Communications 60 (2015) 97–108.
[24] C. Zhang, X. Lin, R. Lu, P.-H. Ho, Raise: an efficient rsu-aided message authentication scheme in vehicular communication networks, in: 2008 IEEE International Conference on Communications, IEEE, 2008, pp. 1451–1457.
[25] R. Lu, X. Lin, H. Zhu, P.-H. Ho, X. Shen, Ecpp: Efficient conditional privacy preservation protocol for secure vehicular communications, in: INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, IEEE, 2008.
[26] K. Xue, C. Ma, P. Hong, R. Ding, A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, Journal of Network and Computer Applications 36 (1) (2013) 316–323.
[27] R. Amin, S. H. Islam, G. Biswas, M. K. Khan, N. Kumar, A robust and anonymous patient monitoring system using wireless medical sensor networks, Future Generation Computer Systems.
[28] C.-C. Chang, W.-Y. Hsueh, T.-F. Cheng, A dynamic user authentication and key agreement scheme for heterogeneous wireless sensor networks, Wireless Personal Communications 1–19.