LAKE-IoD: Lightweight Authenticated Key Exchange Protocol for the Internet of Drone Environment

A drone is an unmanned aerial vehicle, which is deployed in a particular Fly Zone (FZ) and used to collect crucial information from its surrounding environment, to be transmitted to a server for further processing. Generally, a Mobile User (MU) needs to securely access the real-time information collected by the drone stationed in a specific FZ. Therefore, to ensure secure and reliable communication, an Authenticated Key Exchange (AKE) protocol is imperative for the Internet of Drones (IoD) environment. An AKE scheme ensures that only an authentic MU can access IoD network resources. Upon successful authentication, the MU and the drone can set up a secret session key to secure their future communication. This paper presents a novel Lightweight AKE Protocol for the IoD Environment (LAKE-IoD), which first ensures the authenticity of the MU and then provides a session key establishment mechanism between the MU and the drone with the help of a server. LAKE-IoD is an AKE protocol based on the authenticated encryption scheme AEGIS, a hash function, and the bit-wise XOR operation. Meticulous formal security verification using the software tool Scyther, together with informal security analysis, demonstrates that LAKE-IoD is protected against different well-known active and passive security attacks. Additionally, Burrows-Abadi-Needham logic is applied to verify the logical completeness of LAKE-IoD. Furthermore, a comparison of LAKE-IoD with related schemes shows that LAKE-IoD incurs less communication, computational, and storage overhead.


I. INTRODUCTION
Unmanned Aerial Vehicle (UAV) applications have seen outstanding growth in diverse fields, along with the colossal demand for the Internet of Things (IoT). UAVs can be employed in several applications, such as security surveillance systems, traffic monitoring systems in a smart city [1], disaster management, goods distribution, data collection, distributed processing, object detection and tracking, localization and mapping, environmental monitoring, health-care systems, and rescue systems [2]-[4]. Besides the advancements presented by UAVs, these have also motivated the unification of UAVs, like smart drones, within the IoT domain. Drones have existed for a long time; recently their uses within the IoT realm have become a vital research topic [4].
The associate editor coordinating the review of this manuscript and approving it for publication was Kuo-Hui Yeh.
Drones are a new form of flying IoT objects acting as sensing devices. The synthesis of smart drones and the IoT domain is known as the Internet of Drones (IoD). IoD is a layered network control architecture devised especially to control the airspace by deploying drone technology and by establishing coordination among the drones [5]. Fig. 1 shows a high-level architecture of the IoD system [6], [7], which is the interconnection of a Ground Station (GS) and smart drones deployed in the airspace. A drone is a fundamental component of IoD networks. The primary function of the drone is to collect information from a specific Fly Zone (FZ) and transmit the collected information to the GS. It is usually equipped with a communication module for transmission to the GS, sensors used to collect the information, memory to store the data collected by the sensors, and also has computational capabilities and power resources [6], [7].
IoD is a new paradigm in wireless communication, which utilizes IoT technologies to accomplish its various critical operations. Cost-effective operational functionalities such as drone monitoring and control, trajectory planning, localization, authorization, and security and privacy are the prime requirements of IoD networks [8]-[10]. Irrespective of the advancements and the plethora of solutions for drone communications, security and privacy in an IoD environment remain a major issue. IoD networks are resource-constrained because a drone has limited computational, storage, and power resources. Hence, to enhance the lifetime of an IoD network, it is inevitable to devise a communication protocol that requires minimum resources [11]. Therefore, an efficient AKE protocol is necessary before utilizing a cryptographic encryption and decryption mechanism to ensure the secure and reliable transmission of information in an IoD network. This paper proposes a novel and lightweight AKE protocol for an IoD environment to ensure secure communication. The proposed scheme utilizes a Lightweight Cryptographic (LWC) and Authenticated Encryption (AE) mechanism to ensure the confidentiality and integrity of the messages exchanged during the AKE phase. An AE encryption and decryption scheme provides confidentiality and integrity simultaneously, and an LWC mechanism is suitable for the resource-constrained environment.

A. RESEARCH CONTRIBUTION
The main contributions of this paper are summarized as follows:
• We devise a novel and lightweight Authenticated Key Exchange (AKE) protocol named Lightweight AKE protocol for IoD Environment (LAKE-IoD). The proposed AKE scheme utilizes the AE algorithm AEGIS, a hash function (SHA-256), and the exclusive-OR operation. LAKE-IoD also provides a password update phase, a revocation or reissue phase, and a dynamic drone deployment phase.
• Informal security analysis shows that LAKE-IoD is secure. Furthermore, LAKE-IoD is analyzed formally by employing Burrows-Abadi-Needham (BAN) logic and the automatic verification tool Scyther, which shows that the proposed LAKE-IoD is logically complete and secure against various security attacks, such as the Man-in-the-Middle (MITM) attack and the replay attack.
• Finally, LAKE-IoD is compared with related existing AKE schemes in terms of computational, communication, and storage overheads. The comparison illustrates that the proposed scheme incurs lower overheads than the existing schemes.

B. PAPER ORGANIZATION
The rest of the paper is organized as follows. Section II reports different relevant security schemes for the IoD environment. System models are presented in Section III and preliminaries are discussed in Section IV. The details of the devised LAKE-IoD scheme are described in Section V. Security analysis of LAKE-IoD is provided in Section VI. A detailed comparison of LAKE-IoD with the recent related schemes is presented in Section VII. Finally, the paper is concluded in Section VIII.

II. RELATED WORK
In this section, various related user authentication schemes are discussed. Lin et al. [11] present a review of the security and privacy issues in the Internet of Drones (IoD) and discuss various applications of IoD in the next generation of communication technology. Wazid et al. [12] present a survey of the security requirements in the IoD environment and also analyze various security protocols suitable for the IoD environment. Wazid et al. [6] proposed a user Authentication and Key Establishment (AKE) scheme for the IoD environment. The proposed scheme is lightweight but insecure against various well-known attacks. Srinivas et al. [7] presented an AKE scheme for IoD, which is insecure against impersonation and privileged-insider attacks. Srinivas et al.'s scheme also does not scale well, as demonstrated in [13]. Wazid et al. [6] presented a security solution based on convolutional neural networks for the IoD environment. Farash and Attari [14] presented an Elliptic Curve Cryptography (ECC) based AKE scheme for the Session Initiation Protocol (SIP). Thereafter, Lu et al. [15] demonstrated that the scheme presented by Farash et al. is insecure against the offline password-guessing attack, and they presented an ECC-based AKE scheme to remove the shortcomings of Farash et al.'s scheme. Zhang et al. [16] presented an authentication strategy for SIP. However, the proposed scheme is vulnerable to various security attacks such as the privileged-insider attack and the Denial-of-Service (DoS) attack, as pointed out in [17]. Kumari et al. [18] proposed an ECC-based AKE scheme for the Multi-Server Environment (MSE). Feng et al. [19] pointed out that the scheme devised by Kumari et al. is insecure against the server-impersonation attack and presented an authentication scheme for the MSE. Ali and Pal [20] devised an ECC-based AKE scheme for the MSE, and thereafter Wang et al. [21] demonstrated that the scheme proposed by Ali et al. cannot withstand the privileged-insider attack, user/server impersonation attack, and DoS attack, and fails to provide forward secrecy. Challa et al. [22] devised an ECC-based AKE scheme, which is unprotected against various security attacks.
155646 VOLUME 8, 2020
Amin et al. [23] constructed an AKE scheme for the cloud computing-based IoT environment, which is lightweight and suitable for resource-constrained devices. However, the strategy presented by Amin et al. cannot withstand the impersonation attack and the privileged-insider attack, as demonstrated in [24]. Das et al. [24] proposed an AKE scheme for the IoT environment, which utilizes a lightweight hash function and the Fuzzy Extractor (FE) technique for bio-metric verification, and which cannot withstand the traceability attack. Hussain and Chaudhry [25] pointed out that the scheme proposed by Das et al. is vulnerable to various security attacks such as the traceability attack, stolen-verifier attack, and stolen/lost smart-device attack, and also does not provide forward secrecy. Moreover, Challa et al. [26] presented an ECC-based AKE scheme, which is not suitable for resource-limited devices because of its high computational overhead. Additionally, Jia et al. [27] highlighted that the scheme presented by Challa et al. is insecure against the impersonation attack and also does not ensure the untraceability property. Sharma and Kalra [28] proposed an AKE scheme for the cloud-based IoT environment. However, Sharma et al.'s scheme is vulnerable to the privileged-insider attack. Tanveer et al. [29] proposed an AKE scheme for 6LoWPAN resource-limited devices, which utilizes an authenticated encryption scheme known as ASCON and a hash function. However, this scheme cannot resist the traceability attack.
The existing studies and their shortcomings motivate us to address their weaknesses. To this end, we construct a novel security scheme called LAKE-IoD. LAKE-IoD utilizes the Secure Hash Algorithm SHA-256, an AE scheme known as AEGIS, which is an LWC mechanism, and an FE for the bio-metric verification of a user.

III. SYSTEM MODELS
We consider the following two models in designing the proposed LAKE-IoD.

A. NETWORK MODEL
For remote user authentication, this paper considers the network model shown in Fig. 2. According to the network model, the airspace is divided into multiple FZs, and many drones can be deployed in a specific FZ to monitor a particular environment (airspace). A drone deployed in a particular FZ collects data or information from the surrounding environment and transmits the gathered information to the Management Server (MS), which is stationed at the Ground Station (GS). The MS is used to store the data collected by the drones. It also stores the secret information related to the users, drones, and airspace. An internal user usually sits in the Control Room (CR) to monitor the IoD environment. Promising technologies such as 4G/5G cellular networks are used to provide wireless connectivity in a specific FZ. There is wired connectivity between the GS and the wireless access point. Generally, an External User (EU) needs to collect real-time information from the drone instead of using the buffered (stored) information at the MS. For instance, an ambulance driver needs to know the traffic condition on the roads to reach the destination (for example, a hospital) as soon as possible. To access real-time information from a particular drone, an EU must register himself/herself with the MS. An EU and a drone need to authenticate each other through the MS. After authentication, both the drone and the EU can establish a session key (secret key) to secure their future communication.

B. THREAT MODEL
We follow the widely accepted Dolev and Yao (DY) [30] threat model for the proposed scheme LAKE-IoD.
1) According to the DY model, two entities (drone and EU) in the network communicate using a public (insecure) channel, and the endpoint entities are trustworthy. Therefore, an adversary $\mathcal{A}$ can capture or eavesdrop on the communicated information or messages and can also forge or modify the exchanged messages.
2) The drone is usually deployed in a hostile or unattended environment. It is possible that $\mathcal{A}$ can capture the drone and can also extract the secret information stored in the drone memory by employing the power analysis attack. However, the MS is considered a secure entity in the proposed scheme and $\mathcal{A}$ cannot compromise the MS.

IV. PRELIMINARIES

A. FUZZY EXTRACTOR (FE)
In this paper, we employ the Fuzzy Extractor (FE) [31]

B. AEGIS
AEGIS is a dedicated, lightweight, and high-performance Authenticated Encryption with Associated Data (AEAD) scheme and an LWC mechanism. A brief description of AEGIS is given below:
1) AEGIS was submitted to the CAESAR competition and selected as a finalist candidate [32].
2) AEGIS renders high security, and the speed of AEGIS is double that of the Advanced Encryption Standard (AES), i.e., (2 * AES), 8 times that of AES-CBC, and slightly faster than AES-CTR. The details of the recommended parameters for AEGIS are given in [32], [33]. AEGIS is appropriate for RFID tags and resource-constrained IoT devices. It requires fewer computational resources than AES and AES-GCM.
3) AEGIS is an encryption algorithm which takes the plaintext $PT$ as input and generates the output $(CT, AUTH_{tag})$, where $CT$ is the ciphertext and $AUTH_{tag}$ is the authentication tag. The logical operation of AEGIS can be expressed as $(CT, AUTH_{tag}) = E_K\{\{IV, AD\}, PT\}$, where $K$ is the key, $IV$ is the Initialization Vector, and $AD$ is the Associated Data. $AUTH_{tag}$ is used to ensure the authenticity and integrity of $AD$ and $CT$. In this paper, we employ AEGIS as the encryption/decryption algorithm.

V. LAKE-IoD SCHEME
The proposed scheme LAKE-IoD comprises six phases: (i) drone registration phase, (ii) user registration phase, (iii) user authentication and key exchange phase, (iv) password and bio-metric update phase, (v) revocation phase, and (vi) dynamic drone deployment phase. It is assumed that all the entities in an IoD environment are time-synchronized. The Secure Hash Algorithm SHA-256 is utilized in the proposed scheme; it takes an arbitrary-length input and generates a fixed-size output. Table 1 presents the list of notations utilized in the proposed strategy. A detailed description of all phases of LAKE-IoD is presented as follows.

A. DRONE REGISTRATION PHASE (DRP)
In this phase, the registration process for a drone $D_j$ ($j = 1, 2, \ldots, N_j$) is discussed, where $N_j$ is the total number of drones. It is assumed that the airspace is divided into $k$ Fly Zones (FZ). Each FZ is assigned a unique Fly Zone Identity $FID_k$ ($k = 1, 2, \ldots, N_k$). It is necessary to register $D_j$ with the Management Server (MS) before its deployment in a specific FZ. It is assumed that MS has a unique identity $ID_{MS}$ and a temporary identity $SID_{MS}$, which are known only to MS. The detailed process of $D_j$ registration is given below.
1) Step DRP-1: MS assigns a unique identity $ID_{D_j}$ and Fly Zone Identity $FID_k$ to $D_j$ before its deployment in a specific FZ.
2) Step DRP-2: MS computes the temporary identity $SID_{D_j}$, where $Q_1$ and $Q_2$ are the two equal chunks (128 bits) of $Q$.
3) Step DRP-3: MS computes the secret parameter $SP_{D_j}$ for the drone $D_j$ by computing
4) Step DRP-4: Finally, MS stores the parameters $\{ID_{D_j}, SID_{D_j}, SP_{D_j}, FID_k\}$ in the memory of $D_j$. MS also stores these credentials in its memory.

B. MOBILE-USER REGISTRATION PHASE (MURP)
An $MU_i$ needs to register with MS in the IoD environment before accessing the services provided by the Zone Service Provider (ZSP), an organization which monitors and maintains an IoD network. After successful registration, ZSP allows $MU_i$ to acquire real-time vital information from a specific drone deployed in a particular FZ. The details of the $MU_i$ registration process are given as follows.
1) Step MURP-1: $MU_i$ picks his/her unique identity $ID_{MU_i}$ and password $PW_{MU_i}$.

C. USER LOGIN & AUTHENTICATION PHASE (ULP)
This phase explains the AKE process between an $MD_i$ and a $D_j$ with the help of MS. In this phase all the entities use the public communication channel for AKE. Upon receiving the login request from $MD_i$, MS checks the validity of the received message and also verifies the existence of $MD_i$ in its database. An $MD_i$ has a list of $D_j$ from which he/she is allowed to acquire the real-time data collected by $D_j$. The succeeding steps describe the details of ULP.
1) Step ULP-1: An $MU_i$ inputs his/her real identity $ID_{MU_i}$ and $PW_{MU_i}$ on the login interface of the available device. He/she also imprints his/her bio-metric information $BU_{MU_i}$ on the sensor available on $MD_i$.

2) Step ULP-2: To verify the login request, $MD_i$ computes $AUTH_{LO}$ and checks the condition $AUTH_{LO} = AUTH_{reg}$. If the condition holds, $MD_i$ continues the authentication process. Otherwise, $MD_i$ aborts the authentication process promptly.

3) Step ULP-3: After successful verification of the login parameters of $MU_i$, $MD_i$ picks a timestamp $T_1$ of 32-bit size and a random number $R_{MU_i}$ of 128 bits. $MD_i$ derives $P_1 = R_{MU_i}$ and $P_2 = SID_{D_j}$, where $P_1$ and $P_2$ are the plaintexts. Moreover, $A_2$ and $A_3$ are the two equal 128-bit chunks of $A_1$. AEGIS takes two parameters as input, which are the secret key $K_1$ of size 128 bits and an Initialization Vector ($IV$) of 128 bits. The $IV$ is a public parameter, and normally it must be transmitted with the communicated message. In the proposed scheme, the IV is computed as $IV_1 = A_2 \oplus AD_1$, which can be derived at the receiver side in the same way. Therefore, in the proposed scheme the IV is not transmitted with the exchanged messages, which decreases the communication overhead. Furthermore, $MD_i$ computes $C_{mu1}$ and $AUTH_{tag1}$ by using the AEGIS encryption algorithm, where $AD_1$ is the associated data. Finally, $MD_i$ constructs the message $M_1 : \{T_1, A_4, C_{mu1}, C_{mu2}, AUTH_{tag1}\}$ and dispatches $M_1$ to MS through a public channel.
4) Step ULP-4: Upon receiving $M_1$, MS checks the freshness of $M_1$ by checking the condition $T_{ad} \geq |T_R - T_1|$, where $T_{ad}$ is the allowed delay. If the condition holds, the received $M_1$ is considered to be a fresh message. Otherwise, MS rejects $M_1$. MS then verifies whether $SID_{MU_i}$ exists in its database. If $SID_{MU_i}$ is found, MS retrieves $SP_{MU_i}$ related to $SID_{MU_i}$ from the database and continues the AKE process. Otherwise, MS aborts the AKE process promptly. Furthermore, MS computes $A_5 = H(SID_{MU_i} \| SID_{MS} \| SP_{MU_i})$ and $K_1 = A_6 \oplus A_7$. MS picks $A_4$ from the received $M_1$ and calculates $IV_2 = A_6 \oplus A_4$ and $AD_2 = A_4$. Additionally, MS computes $P_1$ and $AUTH_{tag2}$ by using the AEGIS decryption algorithm. To verify the authenticity of the received $M_1$, MS checks the condition $AUTH_{tag1} = AUTH_{tag2}$. If the condition does not hold, MS aborts the AKE process promptly. Otherwise, MS considers $M_1$ a valid message and continues the AKE process.
5) Step ULP-5: Moreover, MS picks $T_2$ and $R_{MS}$, and computes $A_{12}$ and $IV_3 = A_{10} \oplus AD_3$. Additionally, MS calculates $C_{ms1} = E_{K_2}\{\{IV_3, AD_3\}, P_3\}$ and $AUTH_{tag3}$ by employing the encryption algorithm. Finally, MS constructs the message $M_2 : \{T_2, A_{12}, C_{ms1}, AUTH_{tag3}\}$ and dispatches $M_2$ to $D_j$ through a public channel.

6) Step ULP-6: After receiving $M_2$ from MS, $D_j$ verifies the condition $T_{ad} \geq |T_R - T_2|$. If the condition does not hold, $M_2$ is considered to be an outdated message. $D_j$ computes $P_3$ and $AUTH_{tag4}$ from $C_{ms1}$ by using the AEGIS decryption algorithm. To establish the authenticity of the received message $M_2$, $D_j$ validates the condition $AUTH_{tag4} = AUTH_{tag3}$. If the condition does not hold, $D_j$ rejects the message and aborts the AKE process. Otherwise, $D_j$ retrieves $P_3 = R_{MU_i} \oplus R_{MS}$ from $C_{ms1}$, which is received with $M_2$.
7) Step ULP-7: $D_j$ picks $T_3$ and $R_{D_j}$, and computes the parameters of the message $M_3 : \{T_3, A_{19}, C_{d1}, AUTH_{tag5}\}$. To secure the communication between $D_j$ and $MD_i$, $D_j$ computes the session key $SK_X$ and dispatches $M_3$ to $MD_i$ through a public channel.
8) Step ULP-8: After receiving the message $M_3$ from $D_j$, $MD_i$ checks the freshness of $M_3$ by checking the condition $T_{ad} \geq |T_R - T_3|$. $MD_i$ picks $A_{19}$ from the received message $M_3$ and calculates $AD_6 = A_{19}$ and $IV_6 = A_{21} \oplus AD_6$. Additionally, $MU_i$ computes $P_4 = D_{K_3}\{\{IV_6, AD_6\}, C_{d1}\}$ and $AUTH_{tag6}$ by using the AEGIS decryption process.
To secure the communication between $MD_i$ and $D_j$, $MD_i$ computes the session key $SK_Y$ and checks the condition $AUTH_{tag6} = AUTH_{tag5}$. If the condition holds, it indicates that $SK_X$ computed at $D_j$ and $SK_Y$ computed at $MD_i$ are the same. The summary of the AKE process is shown in Fig. 3.
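The AEAD interface of Section IV-B and the ULP-3 to ULP-8 exchange above, together with the freshness and tag checks that the replay and Man-in-the-Middle analyses in Section VI rely on, as an added runnable model. This is not the paper's code: AEGIS is not available in the Python standard library, so the block substitutes an HMAC-SHA256 based AEAD with the same $(CT, AUTH_{tag}) = E_K\{\{IV, AD\}, PT\}$ shape. Everything marked ASSUMED is not specified on the page: that $A_1 = A_5$ and $K_1 = A_2 \oplus A_3$, the forms of $A_4$, $A_{19}$, $K_2$ and $K_3$, the use of $A_{12}$ as $AD_3$, locating $SID_{MU_i}$ at MS by trial decryption, and the allowed delay $T_{ad} = 2$ s. All credential values are constructed at random.

```python
import hashlib
import hmac
import secrets

def H(*parts): return hashlib.sha256(b"".join(parts)).digest()   # the paper's H(a || b || ...)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def halves(d): return d[:16], d[16:]        # two equal 128-bit chunks, as A_2, A_3 of A_1
def rnd(): return secrets.token_bytes(16)   # fresh 128-bit random value
def ts(t): return t.to_bytes(4, "big")      # 32-bit timestamp

# Stand-in AEAD, NOT AEGIS: HMAC-SHA256 counter keystream plus an HMAC tag over
# AD || IV || CT, so the tag covers both the associated data and the ciphertext.
def _keystream(key, iv, n):
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def aead_encrypt(key, iv, ad, pt):
    """(CT, AUTH_tag) = E_K{{IV, AD}, PT}."""
    ct = xor(pt, _keystream(key, iv, len(pt)))
    return ct, hmac.new(key, ad + iv + ct, hashlib.sha256).digest()[:16]

def aead_decrypt(key, iv, ad, ct, tag):
    """PT, or None when the recomputed tag differs from the received one."""
    expect = hmac.new(key, ad + iv + ct, hashlib.sha256).digest()[:16]
    return xor(ct, _keystream(key, iv, len(ct))) if hmac.compare_digest(expect, tag) else None

T_AD = 2   # allowed delay in seconds (ASSUMED value; the paper fixes none)
def is_fresh(t_msg, t_recv): return T_AD >= abs(t_recv - t_msg)   # T_ad >= |T_R - T_i|

# Registration state: constructed sample values for one user MU_i and one drone D_j.
SID_MS, SID_MU, SP_MU = rnd(), rnd(), rnd()
ID_D, SID_D, SP_D, FID = rnd(), rnd(), rnd(), rnd()
A2, A3 = halves(H(SID_MU, SID_MS, SP_MU))     # stored on MD_i (ASSUMED: A_1 = A_5, K_1 = A_2 xor A_3)
A10, A11 = halves(H(ID_D, SID_D, SP_D, FID))  # ASSUMED drone-side material for K_2 = A_10 xor A_11
A21, A22 = halves(H(SID_MU, SID_D))           # ASSUMED material for K_3 = A_21 xor A_22
MS_USERS = {SID_MU: SP_MU}                    # MS database: SID_MU_i -> SP_MU_i
MS_DRONES = {SID_D: (ID_D, SP_D, FID)}        # MS database: SID_D_j -> drone credentials

def mu_build_m1(t1):
    """ULP-3: P_1 = R_MU, P_2 = SID_D; IV_1 = A_2 xor AD_1 with AD_1 = A_4 (A_4 ASSUMED random)."""
    r_mu, a4 = rnd(), rnd()
    ct, tag = aead_encrypt(xor(A2, A3), xor(A2, a4), a4, r_mu + SID_D)
    return {"T1": t1, "A4": a4, "C": ct, "tag": tag}

def ms_handle_m1(m1, t_recv, t2):
    """ULP-4/5: freshness, then AUTH_tag1 == AUTH_tag2, then M_2 carrying P_3 = R_MU xor R_MS."""
    if not is_fresh(m1["T1"], t_recv):
        return None
    for sid_mu, sp_mu in MS_USERS.items():        # ASSUMED: user located by trial decryption
        a6, a7 = halves(H(sid_mu, SID_MS, sp_mu))  # A_5 = H(SID_MU || SID_MS || SP_MU)
        pt = aead_decrypt(xor(a6, a7), xor(a6, m1["A4"]), m1["A4"], m1["C"], m1["tag"])
        if pt is not None:
            break
    else:
        return None                                # no record verifies the tag: reject M_1
    r_mu, sid_d = pt[:16], pt[16:]
    if sid_d not in MS_DRONES:
        return None
    id_d, sp_d, fid = MS_DRONES[sid_d]
    p3, a12 = xor(r_mu, rnd()), xor(sid_mu, sid_d)  # R_MS fresh; A_12 = SID_MU xor SID_D
    a10, a11 = halves(H(id_d, sid_d, sp_d, fid))
    ct, tag = aead_encrypt(xor(a10, a11), xor(a10, a12), a12, p3)   # AD_3 = A_12 (ASSUMED)
    return {"T2": t2, "A12": a12, "C": ct, "tag": tag}

def drone_handle_m2(m2, t_recv, t3):
    """ULP-6/7: SID_MU = A_12 xor SID_D; P_4 = R_D xor FID xor P_3; SK_X = H(SID_D||P_4||SID_MU||T_3)."""
    if not is_fresh(m2["T2"], t_recv):
        return None
    sid_mu = xor(m2["A12"], SID_D)
    p3 = aead_decrypt(xor(A10, A11), xor(A10, m2["A12"]), m2["A12"], m2["C"], m2["tag"])
    if p3 is None:
        return None
    p4, a19 = xor(xor(rnd(), FID), p3), rnd()      # A_19 ASSUMED random, used as AD_6
    ct, tag = aead_encrypt(xor(A21, A22), xor(A21, a19), a19, p4)
    return {"T3": t3, "A19": a19, "C": ct, "tag": tag}, H(SID_D, p4, sid_mu, ts(t3))

def mu_handle_m3(m3, t_recv):
    """ULP-8: AD_6 = A_19, IV_6 = A_21 xor AD_6; SK_Y from the recovered P_4."""
    if not is_fresh(m3["T3"], t_recv):
        return None
    p4 = aead_decrypt(xor(A21, A22), xor(A21, m3["A19"]), m3["A19"], m3["C"], m3["tag"])
    return None if p4 is None else H(SID_D, p4, SID_MU, ts(m3["T3"]))

def run_session(t0=1_700_000_000, tamper=False):
    """True when SK_X == SK_Y; None when a hop rejects (here: A_12 altered in transit)."""
    m2 = ms_handle_m1(mu_build_m1(t0), t0, t0 + 1)
    if tamper:
        m2 = dict(m2, A12=xor(m2["A12"], b"\x01" * 16))   # MITM flips bits of A_12
    out = drone_handle_m2(m2, t0 + 1, t0 + 2)
    if out is None:
        return None
    m3, sk_x = out
    sk_y = mu_handle_m3(m3, t0 + 2)
    return sk_y is not None and sk_x == sk_y

def replayed_m1_rejected(t0=1_700_000_000, delay=60):
    """A captured M_1 delivered again `delay` seconds later fails T_ad >= |T_R - T_1|."""
    return ms_handle_m1(mu_build_m1(t0), t0 + delay, t0 + delay) is None
```

`run_session()` walks all three hops and confirms that $D_j$ and $MD_i$ end with the same key; `run_session(tamper=True)` shows why the MITM argument rests on the tag, since a single altered bit in $A_{12}$ changes $IV_3$, $AD_3$ and the recovered $SID_{MU_i}$ and the tag check fails at the drone; `replayed_m1_rejected()` shows the freshness window doing the work the replay analysis assigns to it. The trial-decryption lookup costs one tag check per registered user and stands in only for the paper's unspecified derivation of $A_4$.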

D. PASSWORD/BIO-METRIC UPDATE PHASE (PUP)
A legitimate registered $MU_i$ with an $MD_i$ is required to execute the following steps to update the password $PW_{MU_i}$ and bio-metric information $BU_{MU_i}$ of $MU_i$. $BU_{MU_i}$ of $MU_i$ remains unchanged, and the old bio-metric information is considered as the new or fresh one. However, to strengthen the security of the system, it is imperative to update $MU_i$'s password frequently.
MS also stores these credentials in its memory.

VI. SECURITY ANALYSIS
Both informal and formal security analyses have been conducted on LAKE-IoD to ascertain its immunity against various harmful attacks, such as the device capture attack, Man-in-the-Middle (MITM) attack, and replay attack. BAN logic is applied to examine the logical completeness of LAKE-IoD. Scyther, a software tool, is utilized to examine the security characteristics of LAKE-IoD automatically.

A. INFORMAL SECURITY ANALYSIS
The following informal security analysis explicates that LAKE-IoD is immune to various attacks, and also guarantees the user's un-traceability/anonymity.

1) OFFLINE PASSWORD-GUESSING ATTACK
Presume that an adversary $\mathcal{A}$ somehow gets or steals the $MD_i$ of $MU_i$. By applying the power-analysis attack [34], $\mathcal{A}$ can procure the information stored in the memory of $MD_i$, such as $\{A_2, A_3, AUTH_{reg}, Gen(\cdot), Rep(\cdot), RP_{reg}, ET\}$. The extracted information does not reveal to $\mathcal{A}$ any secret information related to $MU_i$, such as $ID_{MU_i}$, $PW_{MU_i}$, and $BU_{MU_i}$. Therefore, without knowing valid parameters such as $ID_{MU_i}$ and $BU_{MU_i}$, it is hard for $\mathcal{A}$ to guess the correct $PW_{MU_i}$ of $MU_i$. Hence, LAKE-IoD is resistant to the password-guessing attack.

2) PASSWORD AND BIO-METRIC UPDATE ATTACK
Suppose that an adversary $\mathcal{A}$ somehow has obtained the lost or stolen $MD_i$ of $MU_i$ and extricates the stored information, such as $\{A_2, A_3, AUTH_{reg}, Gen(\cdot), Rep(\cdot), RP_{reg}, ET\}$, by employing the power analysis attack [34]. Now, $\mathcal{A}$ tries to update the password $PW_{MU_i}$ and bio-metric information $BU_{MU_i}$ of $MU_i$. For this purpose, $\mathcal{A}$ picks a bogus password

4) USER ANONYMITY/UN-TRACEABILITY
According to the threat model described in Section III-B, an adversary $\mathcal{A}$ can intercept the messages communicated during the AKE phase. However, without knowing the valid secret parameters, and based on the discussion of the identity-guessing attack in Section VI-A3, it is hard for $\mathcal{A}$ to derive the real identity of $MU_i$. Thus, LAKE-IoD ensures the anonymity of $MU_i$. All the exchanged messages are dynamic in nature, incorporating the latest timestamps, fresh random numbers, and random Initialization Vectors (IVs). Therefore, $\mathcal{A}$ cannot correlate two messages of different AKE sessions. So, LAKE-IoD also ensures the user's un-traceability.

5) DRONE CAPTURE ATTACK
From the threat model discussed in Section III-B, it is possible for an adversary $\mathcal{A}$ to capture the drone device $D_j$ because drones are deployed in a hostile environment. By utilizing the power analysis attack [34], $\mathcal{A}$ can retrieve the secret information stored in the memory of $D_j$, such as $ID_{D_j}$, $SID_{D_j}$, $SP_{D_j}$, and $FID_k$, and can compromise the session key security of the captured $D_j$. However, by compromising the security of the captured $D_j$, $\mathcal{A}$ cannot breach the security of other non-compromised drones because of the uniqueness of the secret parameters $ID_{D_j}$, $SID_{D_j}$, $SP_{D_j}$, and $FID_k$. Therefore, LAKE-IoD is resilient against the drone capture attack.

6) IMPERSONATION ATTACK
The following impersonation attacks on LAKE-IoD are considered.
• $MU_i$ Impersonation Attack: According to the threat model described in Section III-B, an adversary $\mathcal{A}$ can capture $M_1 : \{T_1, A_4, C_{mu1}, C_{mu2}, AUTH_{tag1}\}$ transmitted by $MU_i$ during the login and AKE phase. Further, $\mathcal{A}$ can act as a legitimate $MU_i$ by producing a bogus message $M_1$ to persuade MS that $M_1$ is from a valid $MU_i$. However, although $\mathcal{A}$ can generate the timestamp $T_1$, without the knowledge of the valid parameters $SID_{MU_i}$, $SID_{MS}$, $SP_{MU_i}$, and $K_1$ it is hard for $\mathcal{A}$ to generate a valid $M_1$, because the authenticity of $M_1$ is checked against the condition $AUTH_{tag1} = AUTH_{tag2}$. Without satisfying this condition, $\mathcal{A}$ cannot impersonate a legitimate user in the IoD environment. Therefore, LAKE-IoD is resistant against the $MU_i$ impersonation attack.
• MS Impersonation Attack: An adversary $\mathcal{A}$ can capture $M_2 : \{T_2, A_{12}, C_{ms1}, AUTH_{tag3}\}$ and also generate a fake message $M_2$ to make $D_j$ believe that $M_2$ is from a legitimate MS. However, the $M_2$ received by $D_j$ during the login and AKE phase is checked against the condition $AUTH_{tag3} = AUTH_{tag4}$. If the condition holds, $M_2$ is accepted. Otherwise, $D_j$ rejects $M_2$. Therefore, it is hard for $\mathcal{A}$ to generate a valid message $M_2$ without the knowledge of the secret parameters $SID_{D_j}$, $ID_{D_j}$, $FID_k$, and $SP_{D_j}$. Hence, LAKE-IoD is resistant against the MS impersonation attack.
• $D_j$ Impersonation Attack: In this case, an adversary $\mathcal{A}$ intercepts the message $M_3 : \{T_3, A_{19}, C_{d1}, AUTH_{tag5}\}$ transmitted by $D_j$ and generates a fake message $M_3$ on behalf of $D_j$ to convince $MU_i$ that $M_3$ is from a legitimate $D_j$. However, without the knowledge of the secret parameters $SID_{MU_i}$ and $SID_{D_j}$, it is hard for $\mathcal{A}$ to generate a fake message on behalf of $D_j$. Therefore, the proposed scheme is secure against the $D_j$ impersonation attack.

7) MAN-IN-THE-MIDDLE ATTACK
During the login & authentication phase, $\mathcal{A}$ tries to intercept the exchanged messages $M_1 : \{T_1, A_4, C_{mu1}, C_{mu2}, AUTH_{tag1}\}$, $M_2 : \{T_2, A_{12}, C_{ms1}, AUTH_{tag3}\}$, and $M_3 : \{T_3, A_{19}, C_{d1}, AUTH_{tag5}\}$, and attempts to modify the contents of $M_1$, $M_2$, and $M_3$. By framing this attack, the objective of $\mathcal{A}$ is to make the entities involved in the AKE process in the IoD environment, such as $MU_i$, MS, and $D_j$, believe that the messages are from a legitimate entity. However, $\mathcal{A}$ cannot frame this attack without computing the valid secret credentials $K_1$, $K_2$, and $K_3$, because these credentials are derived from the secret parameters $SID_{MU_i}$, $SID_{MS}$, $SP_{MU_i}$, $SID_{D_j}$, and $SP_{D_j}$, which are unknown to $\mathcal{A}$. Therefore, without knowing these secret parameters, it is hard for $\mathcal{A}$ to frame this attack. Hence, LAKE-IoD is secure against the Man-in-the-Middle attack.

8) DENIAL-OF-SERVICE (DoS) ATTACK
In the proposed scheme LAKE-IoD, $MU_i$ enters his/her secret credentials, such as the password $PW_{MU_i}$, bio-metric information $BU_{MU_i}$, and identity $ID_{MU_i}$, at the available interface of $MD_i$. These parameters are verified locally by checking the condition $AUTH_{LO} = AUTH_{reg}$ before sending an authentication request to MS. If the condition holds, $MD_i$ sends the authentication request to MS. If the condition does not hold, $MD_i$ aborts the AKE process promptly and prevents $MU_i$ from sending too many authentication requests to MS. The above discussion shows that LAKE-IoD is resistant to the DoS attack.

9) REPLAY ATTACK
In this attack, an adversary $\mathcal{A}$ attempts to capture the communicated messages $M_1 : \{T_1, A_4, C_{mu1}, C_{mu2}, AUTH_{tag1}\}$, $M_2 : \{T_2, A_{12}, C_{ms1}, AUTH_{tag3}\}$, and $M_3 : \{T_3, A_{19}, C_{d1}, AUTH_{tag5}\}$ during the AKE process of the proposed scheme, and to launch a replay attack by replaying forged instances of the messages to the receiver. However, all the exchanged messages incorporate timestamps and fresh random numbers. At first, the receiver checks the freshness of each message by checking the condition $T_{ad} \geq |T_R - T_i|$ for $M_i$. If all the received messages are within the allowed delay time limit, the received messages are considered to be fresh. Otherwise, the receiver discards the delayed messages. Additionally, the receiver validates the authenticity and integrity of each received message by checking the condition $AUTH_{tag1} = AUTH_{tag2}$ for $M_1$, $AUTH_{tag3} = AUTH_{tag4}$ for $M_2$, and $AUTH_{tag5} = AUTH_{tag6}$ for $M_3$. All the messages exchanged during the AKE phase are considered authentic only if they satisfy these conditions. Without knowing the valid secret parameters, it is hard for $\mathcal{A}$ to reproduce a valid message, and hence $\mathcal{A}$ cannot frame this attack. Therefore, LAKE-IoD is immune to the replay attack.

10) EPHEMERAL SECRET LEAKAGE (ESL) ATTACK
It is possible that an adversary $\mathcal{A}$ may compromise the long-term and short-term secret parameters of the communicating entities in the IoD environment. By utilizing these compromised secret parameters, $\mathcal{A}$ may reveal the secret session key between the two communicating entities. This type of attack is referred to as the Ephemeral Secret Leakage (ESL) attack.
• Case-1: Suppose that the short-term (ephemeral) secret parameters $R_{MU_i}$, $R_{MS}$, and $R_{D_j}$ are somehow revealed to the adversary $\mathcal{A}$. Now, the objective of $\mathcal{A}$ is to generate the secret session key by computing $SK_X (= SK_Y) = H(SID_{D_j} \| P_4 \| SID_{MU_i} \| T_3)$. However, without knowing the other, long-term secret credentials $SID_{D_j}$, $SID_{MU_i}$, and $FID_k$, it is hard for $\mathcal{A}$ to generate the valid secret session key $SK_X (= SK_Y)$.
• Case-2: In this case, if the long-term secret credentials $SID_{D_j}$, $SID_{MU_i}$, and $FID_k$ are somehow revealed to $\mathcal{A}$, $\mathcal{A}$ is still required to know the short-term secret parameters $R_{MU_i}$, $R_{MS}$, and $R_{D_j}$ to derive the valid session key $SK_X (= SK_Y)$.
It is clear from the above discussion that $\mathcal{A}$ needs to know both the long-term and the short-term secret parameters to breach the security of the session key $SK_X (= SK_Y)$. Therefore, the proposed LAKE-IoD is secure against the ESL attack.

11) MUTUAL AUTHENTICATION
LAKE-IoD renders the mutual authentication among the involved entities in the IoD environment. The details of the mutual authentication process are given below.
• $MU_i \rightarrow$ MS: After receiving the message $M_1 : \{T_1, A_4, C_{mu1}, C_{mu2}, AUTH_{tag1}\}$, MS authenticates $MU_i$ by checking $SID_{MU_i}$ in its database and ensures the authenticity of $M_1$ by verifying the condition $AUTH_{tag1} = AUTH_{tag2}$.
• MS $\rightarrow D_j$: Upon receiving the message $M_2 : \{T_2, A_{12}, C_{ms1}, AUTH_{tag3}\}$ from MS, $D_j$ computes $SID_{MU_i} = A_{12} \oplus SID_{D_j}$. Further, $D_j$ verifies the authenticity of $M_2$ by checking the condition $AUTH_{tag3} = AUTH_{tag4}$ and extracts $P_3 = R_{MS} \oplus R_{MU_i}$.
• $D_j \rightarrow MU_i$: $MU_i$ receives the message $M_3 : \{T_3, A_{19}, C_{d1}, AUTH_{tag5}\}$ from $D_j$ and authenticates $D_j$ by verifying the condition $AUTH_{tag6} = AUTH_{tag5}$. After the authentication of $D_j$, $MU_i$ retrieves the plaintext $P_4 = R_{D_j} \oplus FID_k \oplus P_3$ from the ciphertext $C_{d1}$.
The above discussion reveals that the proposed LAKE-IoD achieves mutual authentication between $MU_i$ and $D_j$ with the help of MS. After achieving mutual authentication, both entities $MU_i$ and $D_j$ establish a secret session key $SK_X (= SK_Y) = H(SID_{D_j} \| P_4 \| SID_{MU_i} \| T_3)$.

B. FORMAL SECURITY ANALYSIS
This section provides the formal analysis of the proposed scheme by employing the Burrows et al. [35] logic and software verification tool Scyther [36].

1) MUTUAL AUTHENTICATION VERIFICATION BY USING BAN LOGIC
Burrows-Abadi-Needham (BAN) logic [35] is an epistemic logic devised for the analysis of communication security protocols. BAN logic is a set of rules for describing and validating the completeness of an authentication protocol. In particular, BAN logic assists its users in determining whether the exchanged information is reliable. The semantics of BAN logic comprises the expressions presented in Table 2, and the different inference rules are specified in Table 3.
1) Assumptions: The subsequent assumptions are considered at the inception of the proposed scheme LAKE-IoD, to validate its mutual authentication.

2) FORMAL VERIFICATION
We formally validate the mutual authentication property of LAKE-IoD by utilizing the basic BAN logic rules defined in Table 2, the BAN inference rules defined in Table 3, and the assumptions above. Details of the steps are given below.
• FV-13: Using FV-12 together with A-2 and A-4, G-2 is achieved.
From FV-8 and FV-13, it is clear that MU i and D j authenticate each other through MS.

3) SECURITY ANALYSIS USING SCYTHER TOOL
We employ the Scyther tool [36] to formally analyze the security properties and potential weaknesses of the proposed LAKE-IoD. The details of the Scyther tool are given below.
• Scyther is used for the automatic validation of security schemes. It is a more effective tool for falsification, verification, and analysis of proposed security protocols than other verification tools, such as ProVerif and AVISPA.
• Scyther is based on the perfect cryptography assumption, meaning that an adversary cannot decrypt encrypted information without knowing the secret key.
• Scyther utilizes the Security Protocol Description Language (SPDL) for modeling the user-defined security scheme. In an SPDL specification, each communicating entity is described by a Role that can perform various functions, such as Send, Recv, event, and security claim.
• Scyther follows the Dolev-Yao (DY) model and 9 other adversarial models, such as the eCK and CK models.
• Scyther renders a set of tests and claims to validate security properties such as secrecy, authentication, synchronization, aliveness, weak agreement, and agreement.
There are three basic roles involved during the login and authentication phase of LAKE-IoD: the Mobile User MU i , the Management Server MS, and the drone D j . The proposed scheme is implemented in SPDL. Scyther takes the SPDL file as input and performs various analyses on the LAKE-IoD scheme. Fig. 6 shows the results generated by Scyther after the analysis of LAKE-IoD, which demonstrate that the proposed security scheme is secure under the claims as specified.

VII. PERFORMANCE EVALUATION
In this section, a detailed comparison between the proposed scheme LAKE-IoD and other relevant AKE schemes, such as Wazid et al. [6], Das et al. [24], Challa et al. [26], Srinivas et al. [7], and Challa et al. [22], is presented. LAKE-IoD is compared in terms of security features, storage overhead, communication overhead, and computational cost during the AKE phase.

A. SECURITY FEATURE COMPARISON (SFC)
This section presents the comparison of the security features of LAKE-IoD and other related AKE schemes. It is obvious from Table 4 that the scheme of Wazid et al. [6] does not render SFC1, SFC3, and SFC6; Das et al. [24] is insecure against SFC1, SFC3, SFC4, and SFC16; Challa et al. [26] is vulnerable to SFC1, SFC2, SFC3, SFC4, and SFC6; Srinivas et al. [7] is not protected against SFC1, SFC3, and SFC6; and Challa et al. [22] is unprotected against SFC5, SFC6, SFC7, SFC8, and SFC9. Security is one of the most important parameters of concern for an AKE scheme. The proposed LAKE-IoD provides more security features than the other related AKE schemes. Table 4 illustrates the security feature comparison between LAKE-IoD and the other related schemes.
[7], and slightly higher storage cost than Challa et al. [22]. However, LAKE-IoD renders more security than Challa et al. [22], which is the most important parameter of concern for a security scheme. Table 5 illustrates the storage cost comparison of the proposed LAKE-IoD and other related AKE schemes.

C. COMMUNICATION OVERHEAD COMPARISON
In this section, LAKE-IoD is compared with the existing schemes regarding the communication overhead of the different involved entities during the AKE phase. The sizes of the various credentials we consider, such as timestamps, identities, random numbers, and EC points, are 32 bits, 128 bits, 128 bits, and 160 bits, respectively. Moreover, the output of the hash function is 256 bits. Furthermore, the key size for AEGIS is 128 bits and the size of the parameter AUTH tagx is 128 bits, where x = 1, 2, 3. Table 6 illustrates the comparison of communication overhead during the AKE phase between LAKE-IoD and the related schemes. LAKE-IoD exchanges three messages during the AKE process, such as M 1 [7], and Challa et al. [22] require 1696 bits, 1536 bits, 2528 bits, 1536 bits, and 1428 bits, respectively. Table 6 and Fig. 7 show that LAKE-IoD requires less communication overhead than the recent related schemes.

D. COMPUTATIONAL OVERHEAD COMPARISON
This paper uses the experimental results presented in Table 7 to compute the computational overhead of LAKE-IoD and the other schemes. The execution time of the various operations employed in LAKE-IoD is measured on a system with an Intel(R) Pentium(R) CPU @ 2.5 GHz, Ubuntu (64-bit) operating system, and 2 GB of RAM. The total computational overheads of LAKE-IoD and the schemes of Wazid et al. [6], Das et al. [24], Challa et al. [26], Srinivas et al. [7], and Challa et al. [22] are 13T SH + 6T AG + 1T BU ≈ 0.8943 ms, 31T SH + 1T BU ≈ 1.2114 ms, 30T SH + T BU ≈ 1.1803 ms, 12T SH + 14T ec + T BU ≈ 3.8354 ms, 30T SH + 1T BU ≈ 1.1803 ms, and 19T SH + 3T ec + T BU ≈ 1.5800 ms, respectively. Table 8 and Fig. 8 show the computational cost comparison of LAKE-IoD and the related AKE schemes. Moreover, the proposed LAKE-IoD requires a computational cost of 3T SH + 2T AG ≈ 0.2052 ms at the drone side, which is comparable with the existing recent related schemes: Wazid [6], Das [24], Challa [26], Srinivas [7], and Challa [22] require 7T SH ≈ 0.2177 ms, 7T SH ≈ 0.2177 ms, 3T SH + 4T ec ≈ 1.0825 ms, 7T SH ≈ 0.2177 ms, and 5T SH ≈ 0.1555 ms at the drone/sensor side, respectively. LAKE-IoD requires a slightly higher computational cost at the drone side than Challa [22] and a lower computational cost than the other related AKE schemes. However, the proposed LAKE-IoD is secure and renders more security functionality than Challa [22], which is a critical feature of an AKE scheme.

VIII. CONCLUSION
IoD is a promising technology that will predominate in the anticipated future, and there is an inevitable requirement to guarantee secure communication in the IoD environment. The drones collect critical data and outsource it to the cloud, and users can collect buffered data from the cloud or real-time data directly from the drone. User authentication is one of the principal security requirements to ensure secure communication between a specific drone and an authorized user. In this paper, we devised a novel Lightweight Authenticated Key Exchange Protocol for the Internet of Drone Environment (LAKE-IoD), which is a three-factor security scheme employing the user's password, mobile device, and biometric information. LAKE-IoD is examined meticulously for its security characteristics by employing formal security analysis using BAN logic and the Scyther tool, as well as informal security analysis. A comprehensive comparison of LAKE-IoD with other relevant security schemes illustrates that LAKE-IoD renders better security functionalities and incurs less computational and communication overhead for the resource-constrained IoD environment.
MUHAMMAD TANVEER received the B.S. degree in electronics from GCU Lahore, Pakistan, and the M.S. degree in computer science from the Institute of Management of Sciences (IMS), Lahore, in 2017. He is currently pursuing the Ph.D. degree with the Faculty of Computer Sciences and Engineering. He is also a member of the Telecommunications and Networking (TeleCoN) Research Laboratory, GIK Institute of Engineering Sciences and Technology. His current research interests include remote user authentication, cyber security, security and privacy, cryptography, the Internet of Things, 6LoWPAN, and the Internet of Drone.
AMJAD HUSSAIN ZAHID received the Ph.D. degree in computer science (information security) from the University of Engineering and Technology, Lahore, Pakistan. He is currently working as an Assistant Professor with the University of Management and Technology (UMT), Lahore. He is also the Program Advisor for the BS(IT) program and a member of many academic bodies. He has been an active member of the Higher Education Commission (HEC) National Curriculum Revision Committee (NCRC), Pakistan. He has been an active member of the Faculty Board of Studies with the Punjab University College of Information Technology (PUCIT) and the Virtual University of Pakistan. He possesses quality monitoring and maintaining capabilities along with strong interpersonal, leadership, and team management skills. He has more than 23 years of teaching experience and is active in academic research. His research interests include information security, programming languages, algorithm design, enterprise architecture, technology management, IT infrastructure, blockchain, and so on. He serves as a reviewer for several reputed high-impact international research journals in the domain of information security.
MUSHEER AHMAD received the B.Tech. and M.Tech. degrees from the Department of Computer Engineering, Aligarh Muslim University, India, in 2004 and 2008, respectively, and the Ph.D. degree in chaos-based cryptography from the Department of Computer Engineering, Jamia Millia Islamia, New Delhi, India. From 2007 to 2010, he worked with the Department of Computer Engineering, Aligarh Muslim University. Since 2011, he has been working as an Assistant Professor with the Department of Computer Engineering, Jamia Millia Islamia. He has published over 80 research papers in reputed refereed international journals and conference proceedings of IEEE/Springer/Elsevier. He has more than 1000 citations of his research works with an H-index of 18. His research interests include multimedia security, chaos-based cryptography, cryptanalysis, machine learning for security, image processing, and optimization techniques. He has served as a reviewer and a technical program committee member of many international conferences. He has also served as a referee for some renowned journals, such as Signal Processing, Information Sciences, the Journal of Information Security and Applications, IEEE ACCESS, the IEEE JOURNAL ON
He is currently an Associate Professor with the Computer Science Department, UQU. He focuses on enhancing real-world matching systems using machine learning and data analytics in the context of supporting decision-making. His research interests include algorithms, the semantic web, and optimization techniques.