A Verifiably Secure ECC Based Authentication Scheme for Securing IoD Using FANET

Perfect forward secrecy, cross-verification, and robust mutual authentication guarantee secure communication through unfavorable and unsafe channels. The speedy development of wireless communication and drone-assisted networking technology is of considerable significance in many areas, including wildlife monitoring, sidewalk checking, infrastructure inspection, and smart city surveillance. But guaranteeing message integrity, non-repudiation, authenticity, and authorization for information transmission in these areas is still challenging for researchers when using Flying Ad Hoc Networks (FANETs). FANET-based drone deployments are further complicated by dynamic changes in network topology, which leave them vulnerable to numerous attacks by an adversary. Therefore, before deploying a drone in the Internet-of-Drones (IoD) environment, a controlled layered network architecture is indispensable so that only legitimate drones can collaborate securely with each other and with the ground control station (GCS), building the highest level of trust. A minor lapse creates a severe complication for communication security, because an attacker may capture data from the open network channel and use it for malicious purposes. Accordingly, identity authentication and message authentication are both necessary in such a sensitive environment. Therefore, in this research article, we have designed a verifiably secure Elliptic Curve Cryptography (ECC)-based authentication scheme for IoD using FANET. The formal security proof of the scheme has been made using the programming verification toolkit ProVerif2.03 and the Random Oracle Model (ROM), and informally by pragmatic illustration. The performance evaluation section of the article considers storage, computation, and communication costs.
When comparing the proposed security mechanism with state-of-the-art schemes, it is shown that the work done in this article is efficient and effective and is suitable for practical implementation in the IoD environment.

broadcasting remains a noticeable concern. The attacker can capture data from the insecure channel and use it later for malicious deeds. Furthermore, suppose the integrity, confidentiality, and authorization of this sensitive information become leaked and exposed to the attacker; they can then easily launch replay, masquerade, man-in-the-middle, and drone physical capture attacks at any time. Also, the attacker can pass it to an adversary (an algorithm, powerful computer, software program, etc.) to mount an Ephemeral-Secret-Leakage (ESL) attack. Therefore, it is essential to build an authentication protocol that can provide access to an end-user at any time without interacting with the GCS. As a result, we suggest an ECC-based protocol for IoD drone deployment using FANET. The major contributions of this research work are as follows:
i. An ECC-based lightweight protocol is designed for IoD drone deployment using FANET. The Computational Diffie-Hellman (CDHP) technique is used to securely exchange ECC keys among all the participants of IoD during the session key generation process.
ii. The proposed protocol is guaranteed to be secure against all known threats faced by IoD, in particular privileged insider and stolen-verifier attacks, and mitigates the outdated data transmission and design flaws that are often noticed in state-of-the-art protocols.
iii. The randomized key over the finite field $F_q$ offers minimum computation costs, less communication and storage overhead, and strong security.
iv. The generation of 160-bit random keys, formal proof using [9], [10], and informal proof using [11] demonstrate the robustness of the proposed protocol.
v. A balance between security and performance has been accomplished, which is often lacking in previous protocols.

B. PAPER ORGANIZATION
The organization of the paper is structured as follows: Section 2 contains the foundation of this research, Section 3 reviews the literature, Section 4 proposes a lightweight ECC-based authentication protocol for IoD, and Section 5 explains how to perform a security analysis using ROM [9], ProVerif2.03 [10], and proposition/pragmatic illustration [11] for the proposed protocol. Section 6 contains the proposed protocol's performance analysis regarding storage overheads, communication and computation costs, and comparative analysis. Finally, in Section 7, we conclude the paper and make some recommendations for future work.

Trusted Authority Center (TAC):
The trusted authority center (TAC), also known as the certification authority, is a legitimate organization that verifies IoD services so that each party can determine with whom it is interacting. It is an essential part of the designed security framework and is responsible for supplying real-time problem handling, data processing, and networking services to the IoD environment as a whole.

Ground Control Station (GCS): It is the centralized command and control center for drones' secure flight and direction services. It manages operational parameters, monitors drone sensors, and governs surveillance cameras. GCS creates flight separation operations and mission-critical activities and controls the drones' payload subsystems. GCS is also responsible for interpreting, gathering, and disseminating data gathered by the drone during a critical task.

Figure 1 shows the proposed network or system model in this article, in which each entity first registers with TAC and then is deployed in IoD for the task.

user's internal credentials when using an extract algorithm. Paterson and Schuldt [21] devised an efficient and effective protocol in the random oracle model compared to [20].

Won et al. [28] proposed a set of three security protocols for IoD implementation of drones for smart car parking, smart city infrastructure health monitoring, and infrastructure inspection after a severe earthquake. But due to batch verification instead of one-to-one verification, one protocol from the three, i.e., CLDA (Certificateless Data Aggregation), is computationally inefficient. It is not secure in the random oracle model under CDHP. Zhong et al. [29] proposed an aggregate signature-based protocol and stated that it could withstand type I and type II attacks in the random oracle model, but it later failed to resist a side-channel attack.

In the IoT environment, Challa et al. [30] developed a new user authentication and key exchange protocol that can also be used in the IoD environment. Haque et al. [31] suggested a protocol based on simple encryption/decryption with low computational complexity that runs efficiently on a low-resource computer system. Benzart et al. [32] proposed a security mechanism that offered integrity, non-repudiation, unforgeability, and confidentiality because they used encryption and aggregate signature concepts. But digitally signing and then encrypting a document takes more computing cycles and bloats the message by adding extra information. In an IoT environment, Turkanovic et al. [33] demonstrated a user authentication protocol that can also be used in an IoD environment. Farash et al. [34] proposed an improved authentication protocol and addressed all the security flaws identified in Turkanovic [33] is vulnerable to user impersonation, known temporary session key details, smart card problems, and off-line password guessing attacks.

Pu and Li [35] used a physical unclonable function (PUF) to verify and validate messages between drones and ground stations. They demonstrated that traditional cryptography is insufficient to protect sensitive data transmission; however, PUF may secure the communication. They also merged the Chaotic Map method for generating random keys, but it did not provide perfect forward secrecy. Alladi et al. [36] also suggested a PUF-based authentication protocol for UAVs using FANET. Their protocol computed two session keys to ensure high protection in UAVs' critical data transmission environment. Their protocol is unsafe, and confidentiality, privacy, and reliability are not guaranteed [38]. Jan et al. [37] proposed an HMAC-SHA1-based authentication protocol for securing IoD, combining a hash message authentication code with a secure hash algorithm (HMAC-SHA1) to offer a much more secure IoD environment for drone technology. Their scheme secures communication from drone to GCS, GCS to drone, drone to drone, and GCS. Nikooghadam et al. [38] demonstrated an ECC-based protocol, claiming that their protocol is stable and resists all known attacks under the random oracle model when using CDHP.

if it is an insider with a security clearance? Several high-profile cases have arisen where a trusted individual caused great harm to an organization. It is unclear whether that person committed the sabotage willingly, but the payload only activated upon particular criteria. Therefore, considering these questions, the scheme presented by Chen et al. [42] contains a random number $r_{UAV}$ and an identity $ID_{UAV}$ during its initial flight; an operator can easily use it for malicious purposes.

Microsoft statistics tell us that 1.5 million users have used 6.5 identities and passwords for just 25 websites in just three months, implying that a single password is shared across 3.9 online accounts/applications. As a result, if GCS's privileged insider/administrator knows the identity ($ID_{UAV}$), he/she can easily impersonate that specific user by using it on another website for other reasons. In Table 1.

The ground control station (GCS) chooses an identity $ID_G$ and a random nonce $N_G$, computes $MID_G = h(ID_G \| N_G)$, and sends $MID_G$ to the trusted authority center. The TAC picks a random number $r_G$, computes $R_G = r_G P$, $h_G = H_1(MID_G \| R_G)$, $S_G = r_G \oplus h_G \| s$, and transmits the $(R_G, S_G, PK_G, SK_G)$ message to GCS over a secure channel. Upon receiving $(R_G, S_G, PK_G, SK_G)$, GCS confirms $S_G P \stackrel{?}{=} R_G \oplus H_1(MID_G \| R_G) \| PK_C$ and, if verified, stores the $(R_G, S_G, PK_G, SK_G)$ parameters in the memory of GCS.

ii. The GCS, upon receiving the $(MID_M, R_M, X_{M2}, TS_1)$ message, checks whether the received data is fresh or outdated by subtracting the received timestamp from its current timestamp, $TS_c - TS_1 \le \Delta TS$; if not validated, the message is treated as a potential replay attack; else, it chooses a random number $d$ and computes: M2, and computes the session secret keys, i.e., $SEK_{GP} = H_2(K_{GP1} \| K_{GP2})$ and $CHK_{PG} = H_3(SEK_{GP} \| X_{M2})$. It builds a message with the $(ID_G, R_G, X_G, CHK_{PG}, TS_2)$ parameters and sends it back to the mobile device.
iii. The mobile device first checks the freshness of the message, $TS_c - TS_2 \le \Delta TS$, and computes:

$= c / X_G$, and confirms $SEK_{GP} = H_2(K_{PG1} \| K_{PG2})$ with $CHK_{PG} \stackrel{?}{=} H_3(SEK_{GP} \| X_{M2})$. If these match the previously stored values, the operation is successful; otherwise, a denial message is displayed.

The proposed authentication protocol $\mathcal{P}$ involves three entities: the mobile device $U$, the drone $V$, and the ground control station $G$. Each entity has several instances that connect with the others after $\mathcal{P}$ is executed, each of which is referred to as an oracle. Let $U^k$ represent the $x$-th instance of $U$, $V^k$ the $y$-th instance of $V$, and $G^k$ the $z$-th instance of $G$; $I^k$ denotes an instance of any of the three members $U$, $V$, and $G$. An oracle has three outcomes: accept, reject, and $\bot$ (do nothing/no result); accept means a message was received authentically, reject means a wrong message was received, and $\bot$ means no result. Before execution, $U$ holds the $(R_M, S_M, PK_M, SK_M)$ parameters, $V$ holds the $(R_D, S_D, PK_D, SK_D)$ parameters, and $G$ holds the $(R_G, S_G, PK_G, SK_G)$ parameters; these are assumed to be stored securely in the memory of each participant [37].

The adversary may issue Execute($U^x$, $G^z$), Execute($G^z$, $V^y$), and Execute($V^y$, $U^x$) queries, a Reveal($I^k$) query for learning the session secret key $SK$, a fraudulent query for apprehending the arguments stored in a participant, and a Test($I^k$) query for finding the shared secret session key. Each participant has a secretly encrypted unique identity and consents to the creation of a session if and only if a message from $I$ is sent to it. It must confirm $SEK_{UP} \stackrel{?}{=} H_2(K_{UP1} \| K_{UP2})$, $CHK_{PU} \stackrel{?}{=} H_3(SEK_{UP} \| X_M)$, $SEK_{GP} \stackrel{?}{=} H_2(K_{PG1} \| K_{PG2})$, $CHK_{PG} \stackrel{?}{=} H_3(SEK_{GP}, T_{PMD2})$, and $(MID_M \| R_D \| M_{GPS} \| cert_D) \stackrel{?}{=} V_{PK_D}(Sig_{D4})$ for the $SK$ calculated by each participant.
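The timestamp freshness test and the session-key confirmation check ($CHK \stackrel{?}{=} H_3(SEK \| X)$) from the mobile-device/GCS authentication phase above, as an added Python example that is not the paper's own code. It assumes secp256k1 (the paper fixes no curve), SHA-256 standing in for $H_2$ and $H_3$, a plain CDH shared point in place of the paper's $K_{GP1}$/$K_{GP2}$ construction, and a 5-second replay window.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants; curve choice is this example's assumption)
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DELTA_TS = 5  # assumed replay window in seconds (the paper's threshold TS)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def is_fresh(ts_received, ts_now, delta=DELTA_TS):
    """TS_c - TS_1 <= delta; the lower bound (reject future-dated stamps) is added here."""
    return 0 <= ts_now - ts_received <= delta

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(label, *parts):
    """Domain-separated SHA-256 standing in for the paper's H_2 / H_3."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(part)
    return h.digest()

def derive_session(shared, x_m2, x_g):
    """SEK = H2(K1 || K2), CHK = H3(SEK || X_M2): K1 is the public transcript, K2 the CDH point."""
    sek = H(b"H2", enc(x_m2) + enc(x_g), enc(shared))
    return sek, H(b"H3", sek, enc(x_m2))

def run_handshake(c, d, ts1, ts_gcs_now, tamper=False):
    """Mobile (scalar c) <-> GCS (scalar d). Returns (status, SEK or None)."""
    x_m2 = ec_mul(c, G)                         # mobile sends (X_M2 = cP, TS_1)
    if not is_fresh(ts1, ts_gcs_now):           # GCS: stale => potential replay
        return "stale", None
    x_g = ec_mul(d, G)                          # GCS answers with (X_G = dP, CHK_PG)
    _, chk_pg = derive_session(ec_mul(d, x_m2), x_m2, x_g)
    if tamper:                                  # simulate a forged confirmation value
        chk_pg = bytes(b ^ 0x01 for b in chk_pg)
    sek_m, chk_m = derive_session(ec_mul(c, x_g), x_m2, x_g)
    if not hmac.compare_digest(chk_m, chk_pg):  # mobile: CHK_PG ?= H3(SEK_GP || X_M2)
        return "chk-mismatch", None
    return "ok", sek_m
```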
$\mathcal{A}$ has only the probability of breaking the security of $\mathcal{P}$ by flipping a coin. Suppose $\mathcal{A}$ flips a coin and obtains the output; the advantage is:

Despite attempting a polynomial number of times, $\mathcal{A}$ cannot compute the 160-bit randomly selected key of the ground control station (GCS), drone (D), and mobile device (M) for each session. As a result, the proposed authentication protocol is reliable against all potential adversary attempts. Furthermore, if a hash oracle's performance is $q_{he}^2/2^{ths+1}$, $q_{he+1}^2/2^{ths+1}$, and $q_{he}^2/2^{ths}$, then the full probability of collision among hash outputs is $(q_{send} + q_{receive})^2 / 2(p-1)$, and we get:

This section of the paper presents a pragmatic illustration of the proposed protocol. This is the informal security analysis of the protocol. We discuss the proposed protocol with respect to different security functionalities in the following manner.

To do so, an attacker must know $X_M$ or $N_M$, $SK_M$, which is impossible for them. In the second case, an attacker must extract random elliptic curve points over a finite field $E/F_q$, a calculation so considerable that they cannot perform it even in months.

identities in its database, and confirmation of the freshness of every message; a DoS attack is impossible in the proposed protocol. Similarly, upon authenticating M with D, if the adversary, for example, copied the $(MID_M, R_M, X_M, TS_1)$ message and sent it towards D to obtain helpful information, the attempt cannot succeed; alternatively, if it sent hundreds of thousands of messages to disturb the standard functionality, such an attempt also cannot succeed, because the adversary's requests will be discarded in the first phase due to the timestamp. Likewise, if the $(MID_D, R_D, X_D, CHK_{PU}, TS_2)$ message is replayed towards M, the timestamp lets M consider it outdated and discard it as a potential DoS attack.
Also, during the authentication of M with GCS, the GCS contains the pre-

If an attacker desires to launch a clogging attack, he/she has to send a fake $(MID_D, R_A, X_{D2})$ message towards GCS. To do so, the attacker must first generate a public-private key pair $X_D$ and a random number $R_A$ and simulate it by calculating $PK_D = R_D \oplus H_1(MID_D \| R_D) \| PK_C$, $K_{GU1} = S_G \| (X_{D2} \oplus f) \| PK_D$, $SEK_{GU} = H_2(K_{UG1} \| K_{UG2})$, and $CHK_{UG} = H_3(SEK_{UG} \| X_{D2})$. For such a calculation, an attacker must identify the curve points by flipping a coin to win $(M_R \| cert_D) \stackrel{?}{=} V_{PK_M}(Sig_{M3})$ or $(M_R \| cert_D) = V_{PK_M}(Sig_{M3})$ and $(M_R \| cert_D) = D_{SEK_{UP}}(c_{M3})$. But doing such a complicated calculation requires the drone's identity $MID_D$, $X_{D2}$, and the previously computed value $eP \| TS_1$.

Similarly, if the attacker transmits the $(MID_G, R_D, X_G, CHK_{UG})$ message, he/she must send the message within the pre-defined time threshold $TS_c - TS_2 \le \Delta TS$, which is not possible. Also, the attacker must identify $MID_D$, the random number $R_D$, and $PK_C$ by calculating $PK_D = R_D \oplus H_1(MID_D \| R_D) \| PK_C$. Next, he/she has to extract two random points on the curve, compute $K_{UG1} = S_M \| (X_D \oplus g) \| PK_D$, and confirm $SEK_{UG} \stackrel{?}{=} H_2(K_{UG1} \| K_{UG2})$ and $CHK_{UG} \stackrel{?}{=} H_3(SEK_{UG} \| X_{D2})$, which is not possible. The proposed protocol can detect a clogging attack in both cases because the attacker cannot pass the $SEK_{UG} \stackrel{?}{=} H_2(K_{UG1} \| K_{UG2})$ and $CHK_{UG} \stackrel{?}{=} H_3(SEK_{UG} \| X_{D2})$ authentication checks. Therefore, the proposed protocol strongly resists a clogging attack.

Suppose an adversary gets the previous session key. The adversary cannot deduce the drone's identity from the old session key, because the session key is made up of three random integers chosen separately by the mobile device (M), drone (D), and GCS and is unrelated to the identity $MID_D$ and GCS's secret key $r_G$. So even if the adversary compromises an old session key, they can't find $R_D$, $MID_D$, $PK_D$, $SK_D$ for drone D or the private key $r_G$ for the GCS.

In addition, a new session key is created for each session based on the integers chosen by the drone, mobile device, and GCS. As a result, even if the adversary compromises an old session key, they will be unable to acquire new session keys, because the session key $SEK_{UG} \stackrel{?}{=} H_2(K_{UG1} \| K_{UG2})$ is not connected to it in any manner. Therefore, the proposed protocol can resist Denning-Sacco attacks.

$R_D, X_{D2}, TS_1)$, $(MID_G, R_G, X_{G2}, CHK_{UG}, TS_2)$, and $(MID_G, R_D, X_{G2}, CHK_{UG}, TS_3)$ messages, an adversary's attempt cannot be successful due to the involvement of randomness in messages, timestamps, secrets, and 160-bit ECC keys. $\mathcal{A}$ cannot make an independent connection for computing the shared session key due to no knowledge of the secret credentials, identities, and random numbers. Therefore, the proposed key agreement protocol withstands man-in-the-middle attacks.

The 160-bit keys of the mobile device ($a$, $c$, and $g$), drone ($b$, $t$, and $e$), and ground control station ($d$, $r$, and $f$) are computed randomly for each session. Suppose an adversary can extract these keys from the previous session key; he/she needs to extract $a$ from $K_{UP1} = S_M \| (X_D \oplus a) \| PK_D$, $c$ from $K_{PG1} = S_M \| (X_G \oplus c) \| PK_G$, and $g$ from $K_{UG1} = S_M \| (X_D \oplus g) \| PK_D$, and vice versa. However, an adversary cannot extract any of these keys from the captured information without knowing $K_{UP2} = a X_D$, $X_D = bP \| TS_2$, $X_{M2} = cP \| TS_1$, $K_{GP2} = d X_{M2}$, $X_G = rP \| TS_1$, $X_D = tP \| TS_2$, and the secret information $X_{D2} = eP \| TS_1$, $X_{G2} =$

adversary cannot obtain $(X_D \oplus a)$, $(X_G \oplus c)$, and $(X_D \oplus g)$ from $SEK_{UP} = H_2(K_{UP1} \| K_{UP2})$, $CHK_{PU} = H_3(SEK_{UP} \| X_M)$, $T_{PMD2})$, which in turn means key secrecy.

Suppose $\mathcal{A}$ knows the session key; as each session starts with a different $SK$, $\mathcal{A}$ cannot launch any attack with it; therefore, knowing a session key creates no problem for the IoD.

Table 2.

Suppose SF1 represents session key agreement, SF2 formal verification, SF3 mutual authentication, SF4 resistance to known session key attack, SF5 resistance to replay attack, SF6 resistance to impersonation attack, SF7 resistance to stolen-verifier attack, SF8 support for forward secrecy, SF9 support for anonymity, SF10 withstanding ESL attack, SF11 resistance to drone physical capture attack, and SF12 safety against privileged insider attack. Table 5 shows that the proposed protocol fulfills all the given necessary security functionalities compared with [26], [28], [

He is also working as an Assistant Professor with the Department of Computer Science, University of Bisha, Saudi Arabia. He has over 12 years of research and teaching experience. He is the author of many articles published in top quality journals. His research interests include networks, VANETs, MANETs, FANETs, mobile computing, the IoT, cloud computing, cybersecurity, cryptography, soft computing, and drone security and authentication. He has received multiple awards, scholarships, and research grants. He is serving as an editor. He is also acting as a reviewer for many well reputed peer-reviewed international journals and conferences.