RUAM-IoD: A Robust User Authentication Mechanism for the Internet of Drones

The revolutionary advancement in the capabilities of hardware tools, software packages, and communication techniques gave rise to the Internet of Things-supported drone networks (IoD), thereby enabling smooth communication among devices and applications and drastically impacting various aspects of human lives. However, with the increasing sophistication in the infrastructure of IoD, new security threats arise that require novel algorithms and schemes as solutions. To this end, several schemes have recently been proposed. However, some schemes cannot perfectly address the novel security aspects associated with IoD environments, while others cannot provide computational or communication efficiency. Motivated by these research gaps in the existing literature, we leverage elliptic curve cryptography along with symmetric encryption and a hash function, and propose a novel and robust user authentication mechanism for the IoD, called RUAM-IoD. We validate the security of the established SK formally through the random oracle model. Similarly, we provide informal security analysis to demonstrate the security capabilities of RUAM-IoD against different pernicious security attacks. Likewise, we compare RUAM-IoD with several state-of-the-art authentication schemes to show that RUAM-IoD incurs lower storage, communication, and computational costs.


I. INTRODUCTION
An unmanned aerial vehicle (UAV), or drone, is a versatile platform for communication that provides flexibility in altitude, line of sight, mobility, and so on. Consequently, drones can be considered as broadband wireless access solutions for terrestrial network devices [1], [2]. The applications that benefit from UAVs include military, traffic management, tracing and tracking, disaster management, surveillance and monitoring, wireless communication, and so on [3]. This implies that drones can increasingly become capable of providing ubiquitous computing, on-board processing, and wireless communication. This way, drones can serve as airborne base stations, thereby expanding the reachability of terrestrial networks. Moreover, as a flying base station, a drone is immune to damage caused by geographical disasters and calamities, consequently proving economically efficient [4]. The most important and unique feature of the smart UAVs is the provisioning of effective, dependable, and quick connection establishment in urban and rural areas, large roads, expanding regions, etc.
The associate editor coordinating the review of this manuscript and approving it for publication was Xiaolong Li.
To impart these services, UAVs are dependent on the Internet of Things (IoT) networks, thereby leading to the Internet of Drones (IoD) networks [5]. Fig. 1 shows a general overview of the UAV/IoD-based communication system. Typically, the IoD networks contain a ground station (GS), several flying drones, and a certain number of remote users. The drones play the role of collecting information from the environment of interest and transmitting the collected information to the corresponding server residing within GS. The GS controls through wireless channels (by sending control commands) the type of information required to be collected by the drones, and the frequency of the information collection [6], [7]. Remote users are the beneficiaries of the information collected by the drones and processed by the GS. This implies that remote users can access in real-time the information collected by drones using the Internet. However, using the public wireless channels for such information retrieval from drones poses security threats and vulnerabilities, leading to unauthorized information exposure. Given that the information collected by drones is sensitive and private most of the time, its security and privacy cannot be ignored. This implies that the secure exchange of information between users and drones in the IoD environment is a critical requirement for realizing the benefits of drones and their applications [9].
FIGURE 1. UAV/Drone based communication system [5], [8].
However, there are several challenges to deal with for perfectly exploiting the IoD for the applications mentioned above. These challenges include power consumption of the drones, optimization of a drone's trajectorial motion, deployment of the remote user's association, the communication protocol used, the throughput and latency improvement, the effective link establishment, and security and privacy [10], [11].

II. RELATED WORK
Secure and privacy-preserving communication mechanisms are imperative for the IoD networks. Security and privacy requirements in the IoD networks are reviewed in [9], [21]. Moreover, various user AKA schemes are presented in [17], [22]-[30] to enable encrypted and reliable communications in the IoD environment. However, a vast majority of these AKA schemes are prone to a variety of security attacks. Table 1 tabulates user AKA schemes with their limitations and techniques employed in these schemes. The authors in [5] presented a terrestrial credential-based AKA scheme and employed a random oracle model (ROM) to validate the session key's (SK) security. The scheme checks the authenticity of the user before accessing the sensitive information from a specific drone in real-time and fixes a secret SK among drones and users for indecipherable communication. Nevertheless, the scheme is unable to prevent the attacks related to UI and PI. Similarly, Wazid et al. [12] designed a user AKA scheme and employed ROM to validate the SK's security. The scheme of Wazid et al. is unable to resist UI and PI attacks. Sajid et al. [27] proposed an AKA scheme by using ECC and SHA-160. The scheme renders user authentication and SK establishment features to secure the communication in the IoD networks. Likewise, Tanveer et al. [31] devised an AKA scheme by employing SHA-256 and authenticated encryption with associative data (AEAD). Nevertheless, the scheme is incompetent in providing an anonymity feature, as pointed out in [17].
Proceeding in the same direction, Jangirala et al. [32] designed an AKA scheme for the IoT network to collect critical information from the IoT device deployed in the target field in real-time. The scheme utilizes ECC and SHA-160 cryptographic techniques to accomplish the AKA phase. However, the scheme is exposed to MITM, UI, DI, and SK disclosure attacks. In addition, the scheme suffers from a design flaw and fails to provide untraceability. The authors in [33] proposed an AEAD and ECC-based AKA scheme to enable indecipherable communication in the IoD networks. The scheme enables a drone and user to establish an SK for indecipherable information exchange. Similarly, Tanveer et al. [34] proposed an AKA scheme by employing an AEAD encryption algorithm and SHA-256 to accomplish the AKA phase. The scheme assures the authenticity of the user before procuring the real-time information directly from the IoT device. Sutrala et al. [35] proposed an AKA scheme by employing ECC and SHA-256 cryptographic algorithms to guarantee secure communication between the user and the device deployed in the IoT environment. However, the scheme is unable to resist the DSY attack. A user AKA scheme is suggested by Sajid et al. [27] for the IoD network that employs SHA-160 and ECC, which enables both the user and drone to communicate securely after establishing SK. Wazid et al. [12] designed an AKA scheme employing ECC and SHA-160 to enable encrypted communication in the IoD environment. Nevertheless, their scheme cannot provide resistance against certain attacks like UI and PI.
Aside from these works, Ali et al. [14] designed an AKA protocol to ensure the indecipherable communication between user and drone. The scheme is based on SHA-160 and XOR operation. However, it is found in [14] that the scheme is prone to PI, UI, SSD, forgery, and denial-of-service (DoS) attacks. Bera et al. [36] devised an AKA protocol for the IoD networks by employing cryptographic techniques, such as ECC and SHA-256. However, the authors couldn't stop the DSY attack in their scheme. Iqbal et al. [37] formulated an AKA scheme for the smart home environment by employing SHA-160 and XOR. However, it is proved in [38] that Iqbal et al.'s scheme is exposed to SK disclosure, UI, and MITM attacks. Moreover, it is also found that the presented approach does not provide user anonymity (UA) and mutual authentication (MA). A puncturable pseudorandom function-based user AKA scheme is proposed in [39]. The scheme permits users and end-devices to establish an SK after achieving MA. Vinoth et al. [40] designed a multi-factor AKA scheme for the IoT environment using SHA-160 and AES. However, the scheme is prone to DoS, DSY, replay, and device capture attacks.

A. MOTIVATION
Drones collect sensitive data from various environments of interest and dispatch the data to GS via a wireless channel. The channel is vulnerable and risky, and can be exploited. Moreover, distant users often need to collect the sensitive information, in real-time, directly from the deployed drone, rather than utilizing the data collected at the central server (CS) posted at GS. Therefore, it is imperative to allow only authorized users to obtain critical information directly from the drone. In addition, it is necessary to protect the communication between the drone and the remote user from being disclosed by an attacker or adversary. Beyond this, most of the AKA schemes proposed so far for this purpose are insecure against the PI attack because, in these schemes, the secret information related to users is stored in plaintext form [31], [41]. An insider adversary can obtain the secret information associated with a specific user from CS and execute an attack on behalf of the user. Other AKA schemes proposed for providing secure communication with drones are vulnerable to BPC, SSD, UI, and MITM attacks. Thus, it is crucial to design a secure and reliable AKA scheme to ensure indecipherable communication for the IoD environment [9].

B. RESEARCH CONTRIBUTION
This paper has the following main contributions.
1) A novel and robust user authentication mechanism for the IoD, called RUAM-IoD, is presented, which is based on the AES-CBC-256 encryption, ECC, SHA-256 hash function, and XOR operation. The proposed RUAM-IoD authenticates the user prior to enabling him to access the network's resources. In addition, RUAM-IoD establishes a private SK to accomplish the encrypted communication in the IoD network while ensuring the user's anonymity during the execution of the AKA phase.
2) We perform informal security verification of RUAM-IoD that shows that RUAM-IoD is secure against a variety of security risks, including DSY, BPC, drone capture, and SSD attacks. Moreover, we employ ROM-based formal validation and prove the security strength of the established private SK. Furthermore, we perform Scyther-based security validation and demonstrate that RUAM-IoD is dependable against replay and MITM attacks. In addition, RUAM-IoD is able to prevent PI attack by storing, in encrypted form, the secret information associated with the users and drones in the memory of CS.
3) We compare RUAM-IoD with relevant AKA schemes and prove that RUAM-IoD is comparatively efficient in communication, storage, and computational costs. Moreover, we prove that RUAM-IoD renders enhanced security features than the related schemes.

C. PAPER ORGANIZATION
The remaining parts of the paper are arranged as follows. The system model, i.e., the network and threat model, is described in Section III. The preliminaries are discussed in Section IV. The functional phases of the RUAM-IoD scheme are explained in detail in Section V. In Section VI, informal security analysis is carried out, ROM-based validation is performed, and Scyther-based formal security is discussed. Lastly, the comparative analysis is presented in Section VII, and the concluding remarks in Section VIII.

III. SYSTEM MODEL
A. NETWORK MODEL
Fig. 2 shows the authentication model used in RUAM-IoD for the networking of drone service provider (DSP). Moreover, it is assumed that the airspace of a smart city is divided into different fly zones (FZ). Likewise, it is assumed that the DSP network model consists of the DSP registration center (DRC), CS, users ($U_e \mid e = 1, 2, 3, \cdots, n$), where the notation $n$ denotes the number of users in the IoD environment, and drones ($D_x \mid x = 1, 2, 3, \cdots, N$), where the notation $N$ represents the number of drones in the IoD environment. DRC is responsible for the registration and deployment of $D_x$ in the specific FZ. CS is utilized to cache the sensitive data gathered by $D_x$. In addition, CS also stores the secret information associated with $U_e$ and $D_x$. Moreover, $D_x$ is deployed to monitor and collect critical information from a specific FZ and to disseminate the collected information to CS via a wireless channel. In a specific IoD application, for instance, a smart city traffic management system, $U_e$ needs to collect traffic congestion information directly from $D_x$ to avoid the delay. Thus, it is necessary to protect the information exchanged between $U_e$ and $D_x$. Also, it is required to ensure that the attacker cannot modify the information communicated in the IoD environment. This implies that it is imperative to prevent an unauthorized $U_e$ from accessing the IoD network resources. Therefore, an AKA scheme is necessary to ensure the encrypted communication between $U_e$ and $D_x$ after the authentication of $U_e$ is carried out. RUAM-IoD ensures the encrypted communication after establishing SK between $U_e$ and $D_x$.

B. THREAT MODEL
The network entities usually exchange information through a public communication channel exposed to various security risks. Thus, adversary A can compromise the information exchanged between the network entities by taking advantage of the public nature of the communication channel. In RUAM-IoD, we have contemplated the widely-accepted Dolev-Yao (DY) threat model [42], [43]. Under the DY threat model, A can capture and eavesdrop on all the communicated information or messages of the network's nodes. A can also alter, forge, delete, and implant bogus information while communicating with the network entities. In addition to the DY model, Canetti and Krawczyk's model (CK-adversary model) is also applied to the proposed RUAM-IoD. According to the CK-adversary model, A can compromise short-term secrets (STS), session states, and SKs by hijacking the sessions. Therefore, the composition of the SK established between network entities should be based on both STS and long-term secrets (LTS) to resist the ESL attacks. Furthermore, A can physically compromise or capture some $D_x$ and smart devices $SD_e$s. Consequently, A can extract the secret or confidential parameters, which are pre-loaded in the memory of these devices, by utilizing power analysis (PA) attacks. However, DRC is deemed an entirely trusted network entity in the IoD environment.

IV. PRELIMINARIES
This section presents the preliminaries used in RUAM-IoD.
A. AES-CBC-256
AES-CBC-256 is the stateless cipher block chaining mode of the AES algorithm, which satisfies the IND-CPA property. Logically, the encryption process of AES-CBC-256 is defined as follows
where $PT$, $IV$, and $CT_x$ denote the plaintext, the initialization vector, and the ciphertext, respectively. Moreover, $key$ denotes the encryption key of size 256. Furthermore, the decryption process using AES-CBC-256 is defined by
where $PT$ shows the plaintext retrieved from the decryption mechanism. In the proposed RUAM-IoD, AES-CBC-256 is employed as the encryption/decryption algorithm, which satisfies the IND-CPA property. Formally, IND-CPA can be defined as follows [44], [45].
Definition 1: Let a single eavesdropper and multiple eavesdroppers be denoted by SE and ME, respectively. Let $OR_{key1}, OR_{key2}, \cdots, OR_{keyN}$ denote $N$ distinct independent encryption oracles corresponding to encryption keys $key1, key2, \cdots, keyN$, respectively. We denote the advantage function of SE/ME as

B. FUZZY EXTRACTOR
The fuzzy extractor (FE) mechanism is a broadly adopted tool to validate bio-metric authentication. FE is specified as a tuple $\{B_{in}, Lth, ERT\}$ and comprises the subsequent two algorithms.
1) $Gen(\cdot)$: It takes the user's bio-metric information $B_{in}$ as the input parameter and generates the bio-metric key $BK \in [0, 1]^{Lth}$, where $Lth$ denotes the length of $BK$, and the reproduction parameter $rrp$, i.e., $Gen(B_{in}) = (BK, rrp)$. In addition, $Gen(\cdot)$ is a deterministic algorithm.
2) $Rep(\cdot)$: It takes the user's noisy $B_{in}$ and $rrp$ as the input parameters and generates $BK$, as
where $ERT$ is the error tolerance and $HD$ is the Hamming distance between $B_{in}$ and the noisy $B_{in}$.
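The following added example (not taken from the paper) sketches a Gen/Rep pair using the code-offset construction with a repetition code, to show how the error tolerance and Hamming distance determine whether Rep reproduces BK. The construction, the repetition factor `REP`, the caller-supplied enrolment bits `r_bits`, and the constructed 20-bit template are assumptions; the paper does not specify its fuzzy extractor internals.

```python
import hashlib

REP = 5          # assumed code: every key bit is repeated REP times
ERT = REP // 2   # error tolerance: up to ERT flipped bits are always corrected


def hamming(a, b):
    """HD(a, b): number of positions where two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


def gen(b_in, r_bits):
    """Gen(B_in) -> (BK, rrp). r_bits are enrolment bits supplied by the caller
    (an assumption of this sketch); rrp is the public reproduction parameter."""
    if len(b_in) != REP * len(r_bits):
        raise ValueError("template length must equal REP * len(r_bits)")
    codeword = [bit for bit in r_bits for _ in range(REP)]
    rrp = [b ^ c for b, c in zip(b_in, codeword)]   # code offset: B_in XOR codeword
    return hashlib.sha256(bytes(r_bits)).digest(), rrp


def rep(b_noisy, rrp):
    """Rep(noisy B_in, rrp) -> BK. Guaranteed to match Gen's BK whenever
    HD(B_in, noisy B_in) <= ERT; larger distances yield a different key."""
    if len(b_noisy) != len(rrp):
        raise ValueError("reading and rrp must have the same length")
    noisy_code = [b ^ h for b, h in zip(b_noisy, rrp)]
    # Majority vote inside each REP-bit block removes up to ERT errors per block.
    r_bits = [int(sum(noisy_code[i:i + REP]) > ERT)
              for i in range(0, len(noisy_code), REP)]
    return hashlib.sha256(bytes(r_bits)).digest()


if __name__ == "__main__":
    # Constructed enrolment template (20 bits) and enrolment bits (4 bits).
    b_in = [1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1]
    bk, rrp = gen(b_in, [1, 0, 0, 1])
    reading = list(b_in)
    reading[0] ^= 1
    reading[7] ^= 1                                  # two bit errors
    print("HD =", hamming(b_in, reading), "match =", rep(reading, rrp) == bk)
```

With a repetition code, `rrp` reveals which template bits inside a block are equal to each other, so a deployment would use a stronger error-correcting code and treat `rrp` as public data only after that analysis.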

V. RUAM-IoD
This section presents our proposed AKA scheme, RUAM-IoD. The proposed RUAM-IoD comprises six phases: (i) System Initialization Phase, (ii) Drone Registration (DRG) Phase, (iii) User Registration (URG) Phase, (iv) AKA Phase, (v) BPC Phase, and (vi) Revocation Phase. These phases are elaborated in detail in the following sub-sections. Table 2 shows a list of notations employed in RUAM-IoD.

A. INITIALIZATION PHASE OF THE SYSTEM
DRC determines an elliptic curve, i.e., $EC(\alpha, \beta)$, of the form , $q$ being the big prime number, with the condition $4\alpha^3 + 27\beta^2 \neq 0 \pmod q$, with $O$ as the point at infinity. DRC then picks a base (generator) point $P$ of $EC(\alpha, \beta)$, such that $P \in EC(\alpha, \beta)$, of order, say, $N$, where $N \cdot P = P + P + \cdots + P$ ($N$ times). DRC picks a private key $S_{kg} \in Z_q^*$ for CS and generates a public key as $Pu_g = S_{kg} \cdot P$. Moreover, DRC stores the parameters $\{S_{kg}, Pu_g, EC(\alpha, \beta), P\}$ in the tamper-proof database of CS. Eventually, CS makes the parameters $\{Pu_g, EC(\alpha, \beta), P\}$ public in the IoD environment.

B. DRG PHASE
In the DRG phase, DRC is responsible for registering $D_x$ prior to its deployment in a particular FZ. In addition, DRC preloads some distinct secret parameters in the memory of $D_x$. These secret parameters are used during the AKA process. DRC executes the following measures to position a $D_x$ in a particular FZ.

1) STEP DRG-1
DRC determines a distinct random number $R_{D_x}$ along with a pseudo-identity $PID_{D_x}$ for a specific $D_x$. In addition, DRC computes the secret parameter $SP_{D_x}$ for $D_x$ as follows.
where $G_1$ and $G_2$ are procured after dividing $G$ into two parts (128 bits each because the output of the SHA-256 is 256 bits).

2) STEP DRG-2
Eventually, DRC stores the credentials $\{PID_{D_x}, P, SP_{D_x}\}$ in $D_x$'s memory. In addition, $D_x$ has access to all the public parameters of CS, such as $\{Pu_g, EC(\alpha, \beta), P\}$.

C. URG PHASE
In the URG phase, $U_e$ registers itself with DRC before accessing the services from a specific $D_x$, which is deployed by the DSP. The DRC issues a smart device $SD_e$ with pre-loaded secret parameters. The assigned secret parameters are validated by CS during the AKA process to allow $U_e$ to procure the sensitive information from a particular $D_x$ in real-time. DRC registers a user by performing the following necessary steps.

1) STEP URG-1
$U_e$ selects its password $PAW_{U_e}$ and unique identity $ID_{U_e}$. In addition, $U_e$ imprints its bio-metric $B_{in}$ at the bio-metric sensor installed on $SD_e$ and determines the bio-metric key $BK_{U_e}$ and $rpp$ as $(BK_{U_e}, rpp) = Gen(B_{in})$. Moreover, $SD_e$ determines $RM = H(ID_{U_e} \parallel PAW_{U_e})$, contrives a registration request message $M_{rrm}: \{RM\}$, and dispatches $M_{rrm}$ to DRC via a secure communication channel.

2) STEP URG-2
After getting $M_{rrm}$ from $U_e$, DRC selects a random number $IV_{reg}$ of 128 bits size, and determines the secret parameter $SP_{U_e}$ and $PID_{U_e}$ for $U_e$ as follows.
where $A_1$ and $A_2$ are derived by splitting $A$ into two strings or parts of the same size (128 bits each). Moreover, DRC determines
where $K_g$ is the secret key, which is used to encrypt plaintext

3) STEP URG-3
After procuring $M_{rep}$ from DRC, $SD_e$ selects an initialization vector $IV_a$ and computes
where $AR$ is obtained by XORing the bio-metric key and identity of $U_e$, and $KR$ is the secret key used in the encryption process to encrypt the plaintext or the sensitive information associated with $U_e$. $CT_{xt}$ is obtained by encrypting $PT_{xt}$; $Athn$ is the authentication parameter, which is obtained by performing the hash operation on $PAW_{U_e}$, $ID_{U_e}$, $BK_{U_e}$, and $Y$. Finally, $SD_e$ stores the credentials $\{CT_{xt}, Athn, rpp, Gen(\cdot), ERT, Rep(\cdot), IV_a\}$ in its inherent memory.

D. AKA PHASE
In this phase, $U_e$ achieves the local authentication by providing its secret credentials as the input to $SD_e$. After performing local authentication, $SD_e$ sends the AKA request to CS for the further validation of $U_e$. To ensure encrypted communication in the future, both $U_e$ and $D_x$ set up an SK with the help of CS. The following steps are needed to execute this phase of AKA.
1) STEP AKA-1
$U_e$ achieves the local authentication by making use of its own secret parameters, including password $PAW_{U_e}$, identity $ID_{U_e}$, and bio-metric $B_{in}^{l}$. After receiving these secret parameters, $SD_e$ computes the bio-metric key $BK_{U_e}^{l} = Rep(B_{in}^{l}, rpp)$. To verify the authenticity of $U_e$'s secret parameters, $SD_e$ computes and checks the condition $Athn^{l} \stackrel{?}{=} Athn$. If it holds, $SD_e$ passes the local authentication of $U_e$ and proceeds with the AKA process. Otherwise, $SD_e$ discontinues the AKA process.

2) STEP AKA-2
After achieving the local authentication, $SD_e$ chooses a timestamp $T_A$, a random number $R_{U_e}$, and a distinct secret key $S_{ku}$, of sizes 32, 128, and 160 bits, respectively, and calculates
where $Pu_u$ denotes the public key of $U_e$, $k$ represents the shared secret, which is obtained after performing ECC point multiplication of $S_{ku}$ and $Pu_g$, and $U$ is obtained after performing the hash operation on $k$ and $T_A$. In addition, $SD_e$ computes
where $Q_1$ is obtained after XORing $U$ and the concatenation of $Y$ and $PID_{U_e}$, $K_u$ is the secret key of size 256 bits, used to encrypt $R_{U_e}$ and $PID_{D_x}$, $IV_u$ denotes the initialization vector, $Q_2$ is obtained after performing encryption using AES-CBC-256, and $Athn_{n1}$ represents the authentication parameter, which will be verified at the destination. Furthermore, $SD_e$ constructs the message $MS_a: \{T_A, Q_1, Q_2, Pu_u, Athn_{n1}\}$ and sends $MS_a$ to CS for further verification via an open channel.

3) STEP AKA-3
Upon procuring $MS_a$, CS determines the freshness of $MS_a$ by verifying the condition $T_{DL} \geq |T_r - T_A|$. If $MS_a$ is fresh or within the specified time delay limit, CS computes
where $k1$ denotes the shared secret between CS and $U_e$, and $U_2$ is obtained after performing the hash of $k1$ and $T_A$. Moreover, after retrieving $Y$ and $PID_{U_e}$ from $Q_1$, CS checks if $PID_{U_e}$ exists in its database. If it is found, CS retrieves $\{CT_g\}$ related to $PID_{U_e}$ from its own database. Furthermore, CS computes
where $K_g$ is the secret key, which is used to decrypt the encrypted ($CT_g$) information stored, and after the successful decryption process CS retrieves the plaintext
where $K_d$ is the secret key used to decrypt $Q_2$ and $IV_{u2}$ denotes the initialization vector. Finally, to validate the authenticity of $MS_a$, CS validates the condition $Athn_{n1} \stackrel{?}{=} Athn_{n2}$. If it holds, CS accepts the received $MS_a$. Otherwise, CS terminates the AKA procedure.
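The following added example (not the paper's own code) walks through the part of STEP AKA-2 and STEP AKA-3 that the text describes in words: the shared secret from point multiplication, the mask U = H(k ‖ T_A), the masked field Q_1, the freshness check, and the pseudo-identity lookup, with an added on-curve check of the received Pu_u. The secp256k1 parameters, the 16-byte sizes of Y and PID, hashing the x-coordinate, the 5-second T_DL, and all function names are assumptions; Q_2 and the Athn values are omitted because their formulas are not on the page.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for EC(alpha, beta); the page names no curve.
Q = 2**256 - 2**32 - 977                      # field prime q
ALPHA, BETA = 0, 7                            # curve coefficients
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
T_DL = 5                                      # assumed delay limit, seconds


def nonsingular():
    """Initialization-phase condition 4*alpha^3 + 27*beta^2 != 0 (mod q)."""
    return (4 * ALPHA**3 + 27 * BETA**2) % Q != 0


def on_curve(pt):
    """True if pt is a finite point that satisfies the curve equation."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < Q and 0 <= y < Q and (y * y - x**3 - ALPHA * x - BETA) % Q == 0


def add(a, b):
    """Affine point addition; None represents the point at infinity O."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1 + ALPHA) * pow(2 * y1 % Q, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return x3, (lam * (x1 - x3) - y1) % Q


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def mask(k_point, t_a):
    """U = H(k || T_A); x-coordinate plus 32-bit T_A is an assumed encoding."""
    return hashlib.sha256(k_point[0].to_bytes(32, "big") + t_a.to_bytes(4, "big")).digest()


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def sd_build(pu_g, y, pid, t_a):
    """SD_e side (STEP AKA-2): returns the (T_A, Q_1, Pu_u) part of MS_a."""
    s_ku = secrets.randbelow(ORDER - 1) + 1   # fresh per-session secret S_ku
    k = mul(s_ku, pu_g)                       # k = S_ku * Pu_g
    return t_a, xor(mask(k, t_a), y + pid), mul(s_ku, P)


def cs_process(s_kg, registered, msg, t_r):
    """CS side (STEP AKA-3): returns (Y, PID) or raises ValueError."""
    t_a, q1, pu_u = msg
    if abs(t_r - t_a) > T_DL:                 # freshness: T_DL >= |T_r - T_A|
        raise ValueError("stale timestamp")
    if not on_curve(pu_u):                    # added check: reject off-curve points
        raise ValueError("Pu_u is not on the curve")
    k1 = mul(s_kg, pu_u)                      # k1 = S_kg * Pu_u, equal to k
    plain = xor(mask(k1, t_a), q1)
    y, pid = plain[:16], plain[16:]
    if pid not in registered:                 # pseudo-identity lookup
        raise ValueError("unknown pseudo-identity")
    return y, pid


if __name__ == "__main__":
    s_kg = secrets.randbelow(ORDER - 1) + 1   # constructed CS key pair
    pu_g = mul(s_kg, P)
    y, pid = secrets.token_bytes(16), b"PID-user-0000001"   # constructed values
    msg = sd_build(pu_g, y, pid, 1_700_000_000)
    print(cs_process(s_kg, {pid}, msg, 1_700_000_003) == (y, pid))
```

Because S_ku is fresh in every session, two messages carrying the same Y and PID produce unrelated Q_1 values, which is the property the untraceability argument in Section VI relies on.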

4) STEP AKA-4
After getting the validity of $U_e$ verified, CS chooses a timestamp $T_B$ and a random number $R_G$ of size 32 and 128 bits, respectively. Moreover, CS computes
where $K_G$ is the secret key used in the encryption process, $IV_G$ is the initialization vector, $Q_3$ is obtained after performing the encryption using AES-CBC-256, and $Athn_{n3}$ is the authentication parameter. Finally, CS constructs the message
If the condition holds, $D_x$ considers $MS_b$ as a licit message. Moreover, $D_x$ computes
where $K_D$ represents the secret key used in the decryption process, $IV_D$ is the initialization vector, and $Athn_{n4}$ is the authentication parameter. In addition, $D_x$ validates the condition $Athn_{n3} \stackrel{?}{=} Athn_{n4}$ to verify the authenticity of $MS_b$. If it holds, $D_x$ considers the received message $MS_b$ a licit message and continues the AKA process. Moreover, $D_x$ chooses a timestamp $T_C$ and a random number $R_D$ of size 32 and 128 bits, respectively, and calculates
where $Pu_d$ represents the public key of $D_x$, $k_d$ denotes the shared secret between $D_x$ and $U_e$, $U_D$ signifies the secret key used in the encryption process, $IV_{D1}$ is the initialization vector, and $Q_4$ is obtained by employing AES-CBC-256. Moreover, $D_x$ calculates
After getting $MS_c$ from $D_x$, $U_e$ verifies the condition $T_{DL} \geq |T_r - T_C|$ to determine the freshness of the received message $MS_c$. If $MS_c$ is received within the predefined time delay limit, $U_e$ considers $MS_c$ a valid message. In addition, $U_e$ computes
where $k_u$ is the shared secret between $U_e$ and $D_x$, $U_u$ is the secret key to perform the encryption, and $IV_{u1}$ is the initialization vector. In addition, $SD_e$ computes SK to achieve the indecipherable communication with $D_x$ and the authentication parameter as follows
where $Athn_{n6}$ is the authentication parameter. Finally, to validate the authenticity of $MS_c$, $U_e$ checks $Athn_{n5} \stackrel{?}{=} Athn_{n6}$; if it holds, authentication is successful.
Furthermore, $SD_e$ picks a new initialization vector $IV_a^{n}$ and computes $CT_{xt}^{n} = E_{KR^{l}}\{(IV_a^{n}), PT_{xt}\}$. Finally, $SD_e$ replaces $IV_a$ and $CT_{xt}$ with $IV_a^{n}$ and $CT_{xt}^{n}$ in its own memory. The AKA process of RUAM-IoD is depicted in Fig. 3.

E. BPC PHASE
In the proposed RUAM-IoD, $U_e$ is allowed to change/update its bio-metric and password. To change/update the bio-metric and password information, $U_e$ needs to perform the necessary steps.

2) STEP BPC-2
After receiving $PAW_{U_e}^{n}$ and $Bio_{U_e}^{n}$ from $U_e$, $SD_e$ performs the following computations
Finally, $SD_e$ replaces the old stored credentials $\{CT_{xt}, Athn, rpp, Gen(\cdot), ERT, Rep(\cdot), IV_a\}$ with the new credentials $\{CT_{xt}^{n}, Athn^{n}, rpp^{n}, Gen(\cdot), ERT^{n}, Rep(\cdot), IV_a^{n}\}$ in its own memory. The BPC phase is summarized in Fig. 4.

F. REVOCATION PHASE
It is assumed that a valid $U_e$ of the IoD environment has lost its $SD_e$. However, $U_e$ can obtain a new $SD_e^{n}$ with new/fresh credentials from DRC and executes the following steps to perform the revocation (RvP) phase.

1) STEP RvP-1
After getting the new $SD_e^{n}$ from DRC, $U_e$ inputs its secret parameters, such as $PAW_{U_e}$ and $ID_{U_e}$, and computes $RM_{rov} = H(ID_{U_e} \parallel PAW_{U_e})$. $SD_e^{n}$ constructs a revocation message $M_{ro1}: \{RM_{ro1}\}$ and sends it to CS via a secure communication channel. After receiving $M_{ro1}$, CS performs the following computation
CS checks the existence of $PID_{U_e}$ in its own database. If $PID_{U_e}$ is detected, CS removes the information associated with $PID_{U_e}$ and dispatches a message to $U_e$ for new registration.

2) STEP RvP-2
After getting the new registration request from $U_e$, DRC conducts the same procedure as accomplished in Step URG-2 under Section V-C.
where $G_1$ and $G_2$ are obtained after dividing $G$ into two equal parts.

2) STEP DDD-2
Finally, DRC pre-loads the credentials $\{PID_{D_x}^{new}, P, SP_{D_x}^{new}\}$ in the memory of $D_x^{new}$. In addition, $D_x^{new}$ has access to all the public credentials of CS, such as $\{Pu_g, EC(\alpha, \beta), P\}$.

VI. SECURITY ANALYSIS
This section presents the informal analysis of RUAM-IoD to demonstrate its immunity/resistance against different pernicious security vulnerabilities, such as CSI, UI, SSD, DoS, and BPC attacks. Furthermore, ROM-based analysis is conducted to prove the security of the SK established between $U_e$ and $D_x$. Moreover, Scyther is employed to illustrate that RUAM-IoD can resist replay and MITM attacks.

A. INFORMAL SECURITY ANALYSIS
In this subsection, informal analysis of RUAM-IoD is conducted to show its effectiveness against the succeeding attacks.

1) BPC ATTACK
After procuring the information $\{CT_{xt}, Athn, rpp, Gen(\cdot), ERT, Rep(\cdot), IV_a\}$, which is pre-loaded in the memory of $SD_e$, A needs to update the password of $U_e$. However, to update the password of $U_e$, A picks $PAW_{U_e}^{A}$, $ID_{U_e}^{A}$, and $B_{in}^{A}$ on behalf of $U_e$ and performs the following computations
To check if the decryption process is successful, A verifies the condition $Athn^{A} = Athn$. However, it is computationally infeasible for A to determine the secret credentials, such as $PAW_{U_e}$, $ID_{U_e}$, and $B_{in}$ associated with $U_e$ simultaneously. Therefore, A cannot perform these computations successfully without the knowledge of $PAW_{U_e}$, $ID_{U_e}$, and $B_{in}$, and cannot update the password of $U_e$. Thus, the proposed RUAM-IoD is secured against BPC attack.

2) SSD ATTACK
Assume that A can obtain the lost/stolen smart device $SD_e$ of $U_e$. By employing a PA attack, A can extricate the information $\{CT_{xt}, Athn, rpp, Gen(\cdot), ERT, Rep(\cdot), IV_a\}$, which is pre-loaded in the memory of $SD_e$. A cannot gain any confidential or secret information related to $U_e$ because all the sensitive information is stored in encrypted form. It is imperative for A to determine $KR = (AR \parallel PAW_{U_e})$, where $AR = (BK_{U_e} \oplus ID_{U_e})$, to make the encryption process successful. A needs to know $ID_{U_e}$, $PAW_{U_e}$, and $BK_{U_e}$ to compute $KR$. Computationally, it is impracticable for A to determine the bio-metric key $BK_{U_e}$, which is used in deriving $KR$. The secret key $KR$ is used to decrypt the encrypted information retrieved from $SD_e$'s memory. Therefore, without knowing $KR$, it is computationally infeasible for A to extricate any sensitive information related to $U_e$ after retrieving information from $SD_e$. Thus, RUAM-IoD is secured with respect to SSD attack.

3) MITM ATTACK
According to the DY model, the adversary, A, can capture, modify or compromise all the exchanged messages, which are communicated over the wireless channel. During the AKA process, the communicated messages are $MS_a: \{T_A, Q_1, Q_2, Pu_u, Athn_{n1}\}$, $MS_b: \{T_B, Q_3, Pu_u, Athn_{n3}\}$, and $MS_c: \{T_C, Q_4, Pu_d, Athn_{n5}\}$. Now, A may attempt to alter the content of the transmitted messages to make the message receiving entity believe that the received messages are from the legitimate entity. If A tries to reconstruct $MS_a$, A needs to alter the contents of $Q_1$, $Q_2$, $Pu_u$, and $Athn_{n1}$, which requires the knowledge of $PID_{U_e}$, $SP_{U_e}$, and $S_{ku}$. Moreover, to reconstruct $MS_b$, A requires the knowledge of $SP_{D_x}$ and $S_{ku}$. $S_{kd}$ and $R_{U_e}$ are the necessary parameters to regenerate $MS_c$. Therefore, it is impractical for A to regenerate a valid message without knowing the secret credentials associated with a specific entity. Thus, RUAM-IoD can withstand MITM attack.

4) DoS ATTACK
Local authentication is necessary to prevent $U_e$ from sending too many AKA requests to CS. To accomplish the local authentication, $U_e$ needs to input its secret credentials, such as $ID_{U_e}$, $PAW_{U_e}$, and $BK_{U_e}$, at the interface of $SD_e$ and execute the following computations $(BK_{U_e}) = Rep(B_{in}, rpp)$,
To check if the decryption process is successful, A checks the condition $Athn^{l} = Athn$. The condition will hold if A enters the valid secret login credentials. Otherwise, $SD_e$ terminates the login process and does not send AKA requests to CS. Under this situation, local authentication prevents $U_e$ from sending a large number of AKA requests to CS. Therefore, the proposed RUAM-IoD can resist DoS attack.

5) IMPERSONATION ATTACK
According to the DY model, A has the capability to expropriate all the exchanged messages, such as $MS_a: \{T_A, Q_1, Q_2, Pu_u, Athn_{n1}\}$, $MS_b: \{T_B, Q_3, Pu_u, Athn_{n3}\}$, and $MS_c: \{T_C, Q_4, Pu_d, Athn_{n5}\}$. After capturing $MS_a$, A can attempt to impersonate $U_e$. However, to impersonate a legitimate $U_e$, A needs to reconstruct a message that makes CS believe that this reconstructed message is from a legitimate $U_e$ of the system. To construct a licit $MS_a$, A needs to know the secret credentials, such as $SP_{U_e}$ and $S_{ku}$. Moreover, it is computationally impracticable for A to procure the secret credentials of $U_e$. Thus, A cannot effectuate the UI attack. To reconstruct $MS_b$ and $MS_c$, A needs to know the secret credentials of CS and $D_x$. A cannot impersonate a legitimate CS and $D_x$ in the communication system without the knowledge of the secret credentials of CS and $D_x$. Therefore, RUAM-IoD is secured against UI, DI, and CSI attacks.

6) UA AND UNTRACEABILITY
A has the capability to expropriate all the exchanged messages, such as MS a : {T A , Q 1 , Q 2 , Pu u , Athn n1 }, MS b : {T B , Q 3 , Pu u , Athn n3 }, and MS c : {T C , Q 4 , Pu d , Athn n5 }, which are transmitted over the public communication channel during the AKA process. It is difficult for A to determine the real identities of network entities from the captured MS a , MS b , and MS c . Therefore, the proposed RUAM-IoD can resist the IG guessing attack. In addition, MS a , MS b , and MS c are randomly generated because they incorporate the latest timestamp and a fresh random number. After capturing two messages from different AKA sessions, it is hard for A to determine any significant information by correlating these two messages. Thus, RUAM-IoD ensures the UA and untraceability features.

7) REPLAY ATTACK
According to the DY model, A can potentially capture, modify, or compromise all the disseminated messages in the IoD environment. Now, A may attempt to replay the messages to extract some valuable information from the network entities involved in the AKA process. Each message communicated during the AKA process is produced using the participant's latest timestamp and a fresh random number. Therefore, the message receiving entity checks the validity of the timestamp. In case of an invalid timestamp, the message is treated as a replayed message, and the receiving network entity declines to validate it, restricting A from effectuating the replay attack.
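The replay and MITM arguments above both reduce to two receiver-side checks: timestamp validity, then recomputation of the authenticator. The following added example (not the paper's code) lays MS a out with the field widths the paper uses in its communication-cost analysis (32 + 256 + 256 + 160 + 256 bits). The HMAC-SHA256 authenticator, the shared `SECRET`, the 5-second window and the cache that refuses a replay inside the window are assumptions standing in for the scheme's own Athn n1 derivation.

```python
import hashlib
import hmac
import struct

# MS_a layout from the paper's communication-cost figures:
# T_A 32 bits | Q_1 256 | Q_2 256 | Pu_u 160 | Athn_n1 256  = 960 bits
BODY_FMT = ">I32s32s20s"
MSA_FMT = BODY_FMT + "32s"
MSA_LEN = struct.calcsize(MSA_FMT)   # 120 bytes
MAX_DELAY = 5                        # assumed freshness window, seconds
SECRET = b"constructed-demo-secret"  # assumed stand-in for the sender's credentials
T0 = 1_700_000_000                   # constructed send time (fits in 32 bits)


def athn(secret, t_a, q1, q2, pu_u):
    """Stand-in authenticator (assumption, not the scheme's Athn_n1 formula)."""
    body = struct.pack(BODY_FMT, t_a, q1, q2, pu_u)
    return hmac.new(secret, body, hashlib.sha256).digest()


def build_msa(secret, t_a, q1, q2, pu_u):
    return struct.pack(MSA_FMT, t_a, q1, q2, pu_u, athn(secret, t_a, q1, q2, pu_u))


def verify_msa(secret, raw, now, seen):
    """Receiver-side checks; `seen` holds authenticators accepted so far."""
    if len(raw) != MSA_LEN:
        return "reject: malformed length"
    t_a, q1, q2, pu_u, tag = struct.unpack(MSA_FMT, raw)
    if abs(now - t_a) > MAX_DELAY:           # timestamp validity check
        return "reject: stale timestamp"
    if not hmac.compare_digest(tag, athn(secret, t_a, q1, q2, pu_u)):
        return "reject: authenticator mismatch"
    if tag in seen:                          # addition: replay inside the window
        return "reject: replayed inside window"
    seen.add(tag)
    return "accept"


def demo():
    q1 = hashlib.sha256(b"constructed Q1").digest()
    q2 = hashlib.sha256(b"constructed Q2").digest()
    pu_u = hashlib.sha256(b"constructed Pu_u").digest()[:20]
    msg = build_msa(SECRET, T0, q1, q2, pu_u)
    seen = set()
    out = {"fresh": verify_msa(SECRET, msg, T0 + 1, seen)}
    out["replay_in_window"] = verify_msa(SECRET, msg, T0 + 2, seen)
    out["replay_late"] = verify_msa(SECRET, msg, T0 + 600, seen)
    # Captured message with T_A rewritten to look fresh; Athn no longer matches.
    retimed = struct.pack(">I", T0 + 600) + msg[4:]
    out["retimed"] = verify_msa(SECRET, retimed, T0 + 600, seen)
    # Captured message with one bit of Q_1 altered in transit.
    tampered = msg[:4] + bytes([msg[4] ^ 1]) + msg[5:]
    out["tampered_q1"] = verify_msa(SECRET, tampered, T0 + 1, seen)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

Because the timestamp is covered by the authenticator, rewriting T A on a captured message moves the rejection from the freshness check to the authenticator check rather than avoiding it.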

8) PI ATTACK
In RUAM-IoD, DRC is regarded as a fully trusted network entity and CS is considered a semi-trusted network entity. A can obtain the secret credentials associated with the legitimate U e and D x of the communication system and can effectuate any malicious attacks on behalf of U e and D x . In RUAM-IoD, the secret credentials related to U e and D x are stored in encrypted form, and an insider attacker cannot procure the secret information related to U e and D x without knowing the secret key S kg of CS, which is stored in the tamper-proof database of CS. Therefore, RUAM-IoD is secured against the PI attack.

9) DRONE CAPTURE ATTACK
In the IoD environment, it is difficult to monitor the drones all the time (24 × 7). Thus, A can capture some drones that are deployed in the IoD environment. After capturing a drone, A can extract the sensitive information, such as {PID D x , P, SP D x }. Since all the drones are assigned distinct and unique secret parameters, the secret parameters of compromised drones are not useful for deriving the SK that is established between a non-compromised drone and U e . Thus, RUAM-IoD is secured against the drone capture attack.

10) ESL ATTACK
An adversary under the CK-adversary model can compromise the secret credentials (LTS and STS) and the session state, in addition to the actions permitted under the DY model. In RUAM-IoD, the session key is constructed using both the STS and LTS secret credentials. By compromising STS, A will not be able to construct the session key SK U e (= SK D x ), which is established between U e and D x . Similarly, by compromising LTS, A will not be able to derive the session key SK U e (= SK D x ). Therefore, to derive the session key SK U e (= SK D x ), A needs to know both the LTS and STS secret credentials, which is a computationally expensive task for A. Thus, RUAM-IoD is resistant to the ESL attack.

B. FORMAL SECURITY VERIFICATION THROUGH ROM
In our proposed scheme, a ROM-based formal method is employed to prove the security strength of the SK that is established during the AKA phase. It is worth noting that a total of three participants, i.e., U e , CS, and D x , play roles during the AKA process. Moreover, from Theorem 1, we verify that A is unable to determine the SK, which is determined and set up between the network entities, U e and D x , by means of CS. ROM has the following components, which are associated with the different queries accessed by A.

1) PARTICIPANTS
The instances p1, p2, and p3 of U e , CS, and D x are shown by π p1 U e , π p2 CS , and π p3 D x , respectively, which are also deemed as random oracles.

2) FRESHNESS
π p1 U e and π p3 D x are deemed to be fresh if the SK established between U e and D x is not known to A when A performs Reveal query, as explained in Table 3.

3) ACCEPTED STATE
The instance π p is deemed to be in accepted state when it receives the last expected message while carrying out the AKA process. In addition to this, Sid symbolizes the session identifier of π p for the present AKA session. It is worth noting that Sid is created by concatenating the exchanged messages generated in sequence by π p .

4) PARTNERING
Two instances π p1 and π p2 are considered to be partners in case the three subsequent conditions are simultaneously fulfilled: 1) π p1 and π p2 need to exchange the common Sid after authenticating each other conjointly, 2) π p1 and π p2 need to be in accepted states, and 3) π p1 and π p2 need to be interdependent partners.

5) ADVERSARY
DY model stipulates that A has the capabilities to seize all the messages disseminated among the entities in the IoD environment. This implies that A, by means of the queries defined in Table 3, can modify, inject, and delete the communicated messages.
Moreover, this also implies that A has the capability to access the hash function H (.). It is worth noting that H (.) is modeled as a random-oracle, say RSH . Above this, the queries, which are defined in Table 3, are exploited by A to simulate an attack.
Definition 2: Elliptic Curve Discrete Logarithm Problem (ECDLP): For any Pu g = S kg · P, Ad ECDLP (TP oly ) is A's advantage, i.e., the probability of deriving S kg from Pu g within polynomial time TP oly . It is hard for A to determine S kg from Pu g within polynomial time, which makes Ad ECDLP (TP oly ) negligible; this is defined as the elliptic curve discrete logarithm problem (ECDLP).

(l) signifies A's advantage in breaching the security of AES-CBC-256 in TP oly (Definition 1), and Ad ECDLP A (TP oly ) designates the advantage in compromising ECDLP (Definition 2). A's advantage in compromising the security of the SK, which is set up between U e and D x while executing the proposed RUAM-IoD, can be defined as: (75)
Proof: The following five games (GM x |x = 0, 1, 2, 3, 4) are utilized to prove Theorem 1. We follow the same method to prove Theorem 1 as in [12].
GM 0 : This game is associated with the real attack, which is executed by A against RUAM-IoD in the ROM. It is imperative for A to select the bit B at the beginning of GM 0 . The semantic security of RUAM-IoD renders the following:
Table 3, which are exchanged during execution of the AKA process. Upon the completion of this game, A is required to make the Reveal query along with the Test query to determine whether the derived SK is the correct key or a random key. In the proposed RUAM-IoD is computed as PID D x ), which is the amalgamation of both the LTS and STS parameters. Therefore, A needs to know both the STS parameters, such as R U e , R G , R D , S ku , and S kd , and the LTS parameters, such as PID D x and PID U e , to construct a valid SK U e (= SK D x ). Therefore, only by capturing the communicated messages, such as MS a , MS b , and MS c , A's probability of winning GM 1 is not enhanced at all. Thus, both the games GM 1 and GM 2 remain indistinguishable. So, we get (77)
GM 2 : In this game, A launches an active attack, which incorporates the Send and RSH oracles and attempts to convince a specific network entity to receive the modified message. In addition, A can implement any number of queries to find a collision in the hash digest. However, all the exchanged messages are protected by the irreversible and collision-resistant SHA-256. Therefore, it is infeasible for A to attain a collision in the output (hash digest) produced by SHA-256. Then, by the birthday paradox, the succeeding result is achieved:
GM 3 : The CorruptSD query is implemented in this game. Therefore, A can extract all the sensitive information, such as {CT xt , Athn, rpp, Gen(.), ERT , Rep(.), IV a }, which is preloaded in the memory of SD e , by employing the PA attack. From the extracted information, A cannot procure any useful information because the secret information assigned to U e is stored in encrypted form. Therefore, A needs to decrypt CT x to procure the secret parameters. However, to make the decryption process successful, A needs to compute the secret key KR = (AR PAW U e ), which is used for the encryption process. The secret key KR is the amalgamation of ID U e , PAW U e , and BK U e . The guessing probability of the biometric key BK U e is 1/2^{Lth}, which is negligible. Thus, it is impractical for A to get any secret parameter by extracting the information from the memory of SD e . In addition, U e is permitted to make only a restricted number of wrong password attempts. Under these conditions, GM 2 and GM 3 are indistinguishable in the exclusion of the guessing attack; the subsequent result is procured:
GM 4 : This is the final game, in which A tries to derive the session key SK U e (= SK D x ), which is established between U e and D x , by eavesdropping on all the exchanged messages, such as MS a , MS b , and MS c . In the proposed RUAM-IoD, the session key is constructed as , where k d = S kd · Pu u . It is impractical for A to derive S ku from the public key of the user, Pu u , and S kd from the public key of the drone, Pu d , in polynomial time; this is referred to as the ECDLP problem in ECC (Definition 2). In addition, the secret parameters, such as R U e , R G , and R D , are exchanged among the network entities in encrypted form. In RUAM-IoD, AES-CBC-256 is used as the encryption algorithm, which is secure (IND-CPA secure) to use, and A cannot breach the security of AES-CBC-256 in polynomial time (Definition 1). Therefore, it is hard for A to derive SK U e (= SK D x ). So, both the games GM 3 and GM 4 remain indistinguishable in the absence of breaching the security of AES-CBC-256 and solving the ECDLP. The following result can be achieved:
A has accomplished all the queries. Therefore, A needs to determine the bit B in order to win the game after executing the Test query. It is then obvious that From (76) and (77), we get From (82), we get By using (81) and (83)

C. SECURITY EVALUATION USING SCYTHER TOOL
Fig. 5 exhibits the result generated through Scyther tool-based formal security validation. Scyther is utilized extensively to prove the security perspectives of any security protocol in an automated way. Compared to other security protocol validation tools, such as ProVerif and AVISPA, Scyther is more commonly employed by researchers to validate the security of proposed AKA schemes. One of the advantages of Scyther is that it is based on the DY adversarial model, and the simulation results it generates ensure that the secret parameters are not disclosed while executing the AKA scheme.
Since Scyther uses the security protocol description language (SPDL), a Python-like language, for the description of security protocols, RUAM-IoD is coded in SPDL. To this end, three roles are defined in the SPDL script, which are U e , CS, and D x . In addition, there are different claims in SPDL, generated either manually or automatically. Scyther facilitates describing and verifying these claims. For instance, the ''Alive'' claim guarantees that a network entity has accomplished some events. The ''Nisynch'' claim guarantees that all the communicated messages between two network entities are delivered successfully. ''Weak-agree'' ensures the AKA scheme is protected against the impersonation attack. All these automatically generated claims are verified according to the procedure shown in Fig. 5. In addition, the manually generated claims, such as claim(UE, Secret, SKU) and claim(DX, Secret, SKD), are also verified, which indicates that an attacker cannot determine the secret SK. Fig. 5 indicates that the proposed RUAM-IoD is safe and an attacker cannot find any vulnerability.

VII. PERFORMANCE EVALUATION
RUAM-IoD is compared with the existing AKA schemes, such as Wazid et al. [18], Sutrala et al. [35], and Jangirala et al. [32]. The performance of RUAM-IoD is measured in terms of computational, memory/storage, and communication costs. We utilize the widely accepted ''Multi-precision Integer and Rational Arithmetic Cryptographic Library (MIRACL)'' to conduct the experimental evaluation for different cryptographic primitives. This will enable us to estimate the computational time of the cryptographic primitives on the succeeding two environments   In the existing literature, the same environment is used to conduct experiments on resource-constricted devices [46], [47]. Each cryptographic primitive (algorithm) is executed 100 times for PF-1 and PF-2 to procure the average computational time of the different cryptographic primitives. Table 4 provides the average computational time of various cryptographic primitives.

A. SECURITY FEATURES COMPARISON
In this subsection, we compare the security features of RUAM-IoD with Wazid et al. [18], Sutrala et al. [35], and Jangirala et al. [32]. To this end, a comparative analysis of the security features of RUAM-IoD and the related schemes is presented in Table 5. It is shown in the table that the scheme of Sutrala et al. [35] cannot resist the DSY attack, and the scheme of Wazid et al. [18] is susceptible to the DSY attack and does not render ROM-based analysis and the RvP phase. The scheme of Jangirala et al. [32] is susceptible to MITM, UI, parallel session, DI, and SK compromise attacks and does not render the anonymity and untraceability features. In contrast, RUAM-IoD is secured against the DSY, UI, DI, and SK compromise attacks.

B. COMPUTATIONAL COST COMPARISON
Computational cost denotes the CPU time required by a security scheme to complete its AKA process. Thus, without losing the security features, minimizing the computational cost is a critical design goal of AKA or security schemes. Table 4 presents the computational cost of various cryptographic primitives, which are used to compute the computational cost of RUAM-IoD and the related AKA schemes. The computational cost at the user side in the proposed RUAM-IoD is 8T HF + 4T ENC + 3T EPM + T FE ≈ [15.825] ms, while   Fig. 6. The CS, stationed at the DRC of DSP, is a critical component in the IoD environment. So, it is desirable to reduce the computational cost at CS. The computational cost at the CS side in the proposed RUAM-IoD is 5T HF + 3T ENC + T EPM ≈ [0.858] ms, while Sutrala et al. [35], Wazid et al. [18], and Jangirala et al. [32] require 9T HF + 3T EPM + 2T EPA ≈ [2.084] ms, T HF + 5T EPM + T EPA ≈ [3.058] ms, and 11T HF + 3T EPM + T EPA ≈ [2.138] ms. So, RUAM-IoD incurs a lower computational cost than the related AKA schemes, as shown in Fig. 6. Aside from this, Fig. 7 shows that the computational cost increases at CS, in all the schemes, as the number of authentication (user) requests increases at CS. However, RUAM-IoD reduces the computational cost in comparison to the other schemes. In the proposed RUAM-IoD, the computational cost at the drone (D x ) or sensor node is 6T HF + 2T ENC + 2T EPM ≈ [8.55] ms, while Sutrala et al. [35], Wazid et al. [18], and Jangirala et al. [32] Fig. 6 also shows that RUAM-IoD needs fewer computational resources at the drone side than required by the related AKA schemes. This implies that RUAM-IoD is suitable for the drone environment because a drone, being a resource-constrained device, requires a reduced level of computational cost. In addition, Table 3 and Fig. 8 illustrate the total computational cost required to accomplish the AKA process of RUAM-IoD.

C. COMMUNICATION COST COMPARISON
Communication cost signifies the number of communicated messages (bits) transmitted to perform the AKA process. Therefore, it is essential to reduce the communication cost required to accomplish the AKA process without risking the security traits of a security scheme. In the proposed RUAM-IoD, during the AKA process, the communicated messages are MS a : {T A , Q 1 , Q 2 , Pu u , Athn n1 }, MS b : {T B , Q 3 , Pu u , Athn n3 }, and MS c : {T C , Q 4 , Pu d , Athn n5 }. The lengths of MS a , MS b , and MS c are {32 + 256 + 256 + 160 + 256} = 960 bits, {32 + 256 + 160 + 256} = 704 bits, and {32 + 128 + 160 + 256} = 576 bits, respectively. Thus, the total communication cost required by RUAM-IoD to accomplish the AKA phase is {960 + 704 + 576} = [2240] bits. In contrast, Wazid et al. [18], Sutrala et al. [35], and Jangirala et al. [32] require [3360] bits, [3200] bits, and [2656] bits, respectively. So, it is evident from Table 7 and Fig. 9 that RUAM-IoD demands less communication cost than the related AKA protocols. Fig. 10 illustrates the communication cost incurred when multiple users need to obtain the real-time information from a particular D x concurrently.

D. STORAGE COST COMPARISON
As drones are resource-constricted devices with limited storage/memory resources, reducing their memory utilization is a pressing need when designing an AKA protocol.    [18], Sutrala et al. [35], and Jangirala et al. [32] require to store [4696] bits, [4320] bits, and [1768] bits, respectively. This comparison is illustrated more clearly in Fig. 11, wherein RUAM-IoD needs less memory/storage cost than Wazid et al. [18] and Sutrala et al. [35], with a marginal increment in memory/storage cost compared to Jangirala et al. [32].

VIII. CONCLUSION
This paper has presented an AKA scheme, called RUAM-IoD, for securing the communication between a remote user and a drone. To this end, RUAM-IoD checks the authenticity of a remote user before allowing the user to access, in real time, the sensitive information from a drone deployed in a particular FZ. After validating the authenticity of the remote user, RUAM-IoD establishes an SK between the user and the drone to make their communication indecipherable. The effectiveness of RUAM-IoD is verified against various security attacks through informal analysis. Furthermore, the security of the established SK is validated using ROM-based formal analysis. In addition, Scyther-based validation performed on RUAM-IoD demonstrated that it is secure against various security attacks. Furthermore, the performance analysis demonstrated that RUAM-IoD requires less computational, storage, and communication cost without compromising the security features.