A lightweight and secure online/offline cross-domain authentication scheme for VANET systems in Industrial IoT

Introduction

The Industrial Internet of Things (IIoT), also known as the industrial Internet, put forward the IoT advances in development (Shaikh, Zeadally & Exposito, 2015; Khalid et al., 2020a). IIoT integrates a wide range of existing industrial automation systems with the latest electronics, computing, machine learning, and communication technologies. IIoT claims that in gathering and communicating data, intelligent machines are more capable than humans (Khalid et al., 2021a). This data makes business intelligence activities simpler for the manufacturing and business communities (Sey, 2018). An extensive network of vehicles and roadside units communicating with each other to share information is the ad hoc vehicle network, an IIoT application (Latif et al., 2018; Al-Heety et al., 2020). VANET is a particular case of wireless multihop network, which has the constraint of fast topology changes due to the high node mobility. With the increasing number of vehicles equipped with computing technologies and wireless communication devices, inter-vehicle communication is becoming a promising field of research, standardization, and development. VANETs enable a wide range of applications, such as prevention of collisions, safety, blind crossing, dynamic route scheduling, real-time traffic condition monitoring, etc. Another important application for VANETs is providing Internet connectivity to vehicular nodes (Badis & Rachedi, 2015). These are networks for naturally created needs from connected vehicles—VANETs aim to provide comfort for travelers and improve road safety and congestion. VANETs, information about vehicle-to-vehicle (V2V), and vehicle-to-infrastructure (V2I) communication between the highway and urban scenarios are shared wirelessly. The growing number of vehicles on the road causes many major traffic problems every day, including traffic delays and pileups of cars (Kaiwartya et al., 2016; Khalid et al., 2017). The industrial IoT is an emerging implementation of IoT technologies in several contexts, such as automation, intelligence controls, smart cities, smart transportation, and smart grids (Rehman et al., 2021). It would be hard to incorporate industrial IoT solutions without the construction of an infrastructural network. It is important to understand unique IoT concepts when applying these methods to wireless IoT networks. One of the significant features of IoT networks is the collaboration between heterogeneous IoT devices. The Internet of Things (IoT) application areas have significantly increased as digital electronics and wireless networking evolve rapidly (Goudarzi et al., 2019). A broad range of technologies is currently funded, including industrial automation, smart transport, medical and e-health services (Javed et al., 2020). Low-weight, efficient communication between sensing devices and interoperability between various communication mechanisms is the IoT’s critical issue (Khalid et al., 2020b). The industrial IoT data created from billions of device-person interactions will be massive and complex and will suffer from many security and privacy issues, particularly concerning device authentication. Computer security researchers have developed many authentication protocols, implemented in the industrial IoT context, to overcome these security concerns (Ferrag et al., 2017). Vehicle ad-hoc networks (VANETs), an essential part of an intelligent transport system, will use less wired communications technologies to provide continuing and reliable network communications services (Manvi & Tangade, 2017). As illustrated in Fig. 1, VANETs are made of three essential entities: trust authority (TA), roadside units (RSU), and on-board vehicles (OBUs) (Sheikh & Liang, 2019).

• OBU: Each vehicle must be linked to the TA with the private key and the public device’s necessary parameters. Secret information, such as private keys, is inserted into each vehicle’s tamper-proof device to allow only authorized parties to access the tamper-proof device. Individual safe values, such as true vehicle identity and a secret vehicle key, are pre-loaded by the device. The vehicles’ computation mechanism is also included in this system, and the hidden values are never revealed. OBUs routinely disseminate such data while traveling on roads, such as distance, current time, direction, speed, traffic conditions, and traffic events useful for other vehicles and RSUs. The 5.9 GHz Dedicated Short-Range Communication (DSRC) IEEE 802.11p is the communication protocol for neighboring OBUs.

• TA: TA has registered OBUs and RSUs. It initializes them with the public system’s data or private keys. TA has a general computing and storage capacity and is the only party who can reveal the signers’ identity. The solution to TA is impossible, and both parties to the scheme fully trust it.

• RSU: RSU is a stationary component system with DSRC wireless access point, stable memory storage, and computational capabilities. The time between requesting and receiving RSU responses is crucial for successfully disseminating data by VANETs, given the restricted transmission range of RSUs and vehicles’ movement. RSUs are known as fully trusted parties in the scheme.

However, VANET architecture dealing with a hundred vehicle devices for accessing and management, this large amount of data and information seems to be a large-scale environment. However, these systems are limited resource devices in computation, storage, and energy. Traditionally, most authentication schemes rely on Roadside units (RSUs) that mainly hold the data’s computing and processing. According to the large-scale architecture, the devices will deal with a large amount of data transmitted and processed. In a short time interval, several vehicles can continuously cross-practical areas of several RSUs. Also, at any time beyond prediction, the random vehicle can enter or leave the VANET network. The vehicles are also dynamically moved through different domains. This movement comes out with a critical problem across domain access. Because of the significant number of participating vehicles, the individual RSUs would have enormous time consumption and computation costs, which are crucial for limiting the comprehensive implementation of VANETs. Each vehicle and the RSU passed should be authenticated in time for each vehicle before exchanging vehicle data. Thus, this issue causes a significant delay and high computation costs, and it also increases the number of the interacted messages through a public network. Therefore, the VANET system will take a lengthy verification process before granting access (Picone et al., 2015). Likewise, transmitted data between the RSUs, OBUs, and the trusted party are sensitive. The adversaries are mainly targeting this information to delete, manipulate, eavesdrop on this data. Current authentication schemes are vulnerable to specific attacks (e.g., replay attacks, modification attacks, man-in-the-middle attacks, and insider attacks), and these attacks make the VANET system week (Deepa et al., 2021). For example, a MiTM attack occurs in the middle of V2V communication to check closely and alter the messages. The attacker can access and control the entire V2V communication, but the communication entities think they can communicate directly in private. Also, this way, each vehicle’s temporary identity changes over time, and a malicious attacker can hardly trace a specific vehicle. This is because after altering the certificate, an attacker would not link the new certificate with the old certificate, which means that the attacker has lost the target. However, this method still has some problems, such as high revocation costs. For example, when a vehicle is revoked, the number of pseudonymous certificates that need to be added to the Certificate Revocation List (CRL) could be too large. The size of CRL increases rapidly when the size of the network increases. These attacks could enable adversaries to enter the VANET system user’s registered ID, password and broadcasting a false message, or repeat/delay the transmission fraudulently (Khalid et al., 2021b). Also, preserving data confidentiality, privacy, and integrity in the trusted information context, where the information is shared between many parties, is becoming one of the most challenging issues for such a community. Therefore, a lightweight cross-domain authentication scheme for the VANET system is critically needed to satisfy the VANET’s security requirements.

Motivated by the above discussion on VANET secure transmission, we proposed an online/offline lightweight authentication scheme for VANET in industrial IoT. The offline joining and handover phase was added to avoid service interruption if the connectivity is down, allowing vehicles to send authentication requests. At the same time, they are temporarily disconnected from the Internet (Deepa et al., 2020). In offline authentication, TA is not involved in the joining procedure since the information is preloaded prior. The combination comprises the Advanced Encryption Algorithm (AES) and the Database Encryption RSA algorithm for the integrity, authentication, and distribution of the key. The algorithms have less encryption and decryption time in processing such extensive data. This mechanism also provides dual protection by taking advantage of the algorithms used, so the data transmission in the network will be more secure. The main advantage of this combination is that the AES-RSA encryption algorithm utilized the features of already existing algorithms which are very secure and difficult to break since it requires two different keys and algorithms. The strength of the security is improved by combining symmetric and asymmetric encryption methods where retrieval of the key is very difficult. The scheme ensures resistance against specific attacks, e.g., such as reply, modification, impersonation, and man-in-the-middle attacks. Also, it provides message integrity, authentication, and identity privacy preserving against change.

The study lists the findings as follows: in “VANETs security requirements,’’ we identify the security requirements of the VANET system; in “Related Work,’’ we review the previous studies and categorize their limitations; in “Preliminaries,’’ we give a brief introduction on RSA, and AES-RSA algorithms; in “proposed Scheme’’ presents the main finding of the study; in “Security analysis’’ verify the security aspects using BAN logic, and AVISPA tool; in “performance evaluation’’ we evaluate the performance of the proposed scheme; in “Conclusion’’ the study is finalized, and a brief conclusion is given.

Vanets Security Requirements

Vehicles in VANETs may detect nearby traffic details or an event to notify neighboring vehicles or the central traffic center. The authentication of messages can reduce these threats because of users’ wrong behaviors, such as false information transmissions, re-transmission of previous messages, and changes in the messages sent. Since users’ data should be kept secret, including driver names, speeds, positions, and relationships with other users, authentication should be performed anonymously (Khan et al., 2021). There is a contradiction between anonymity and dedication. As a result of anonymous authentication, unauthorized users should not utilize the network against external attackers (Hemalatha, 2021). If approved users do something wrong, anonymous authentication will not track them. For TA to determine the sender’s real identity, anonymous authentication should therefore be performed. We thus need the preservation of authentication protocols on conditional privacy. The security criteria for the VANETs are as follows:

1. Message integrity and authentication: VANETs must be sure to create and send the received message through an approved OBU and that nobody modifies the received message. Moreover, the authentication scheme should be immune to impersonation, and no signature vehicle could be impersonated (Kumar & Singh, 2021).

2. Identity privacy-preserving: The security of identity information underlines that by monitoring communications in VANETs, an intruder cannot identify either the initiators of the message or the party, including its originators. As vehicle names and locations are private and privacy disclosure is immoral, this is a critical property for VANETs.

3. Traceability: This means that TA can identify the identity of the originators if appropriate. VANETs are susceptible to insiders without traceability, and a malicious user can easily give the other vehicle a wrong message and fool them.

4. Unlinkability: Except for DTA, the RSU and the malicious vehicle should not determine two communications from the same vehicle.

5. Resistance to attacks: Various common attacks occur in VANETs, such as the impersonation attack, the alteration attack, the replay attack, the man-in-the-middle attack, and the stolen verifier table attack, should be able to withstand the system.

Related Works

In recent years, security authentication and privacy protection have been a significant research orientation in VANETs. Several anonymous authentication schemes were suggested for VANETs. Azees, Vijayakumar & Deboarh (2017) proposed in 2017 an effective anonymous authentication scheme (EAAP) for VANETs. No storage of anonymous vehicle certificates and RSUs based on bilinear pairing is required by the trusted authority (TA) in the EAAP. In the case of a dispute, the trust authority will revoke and expose its real identity to a misbehaving vehicle’s privacy. The revoked identity is then put on the TA’s retained identity revocation list (IRL). Furthermore, without incentives, the enthusiasm problem still suffers when sending messages. Verma et al. (2021) presents a short digital signature scheme without pairing in a certificate-based setting with aggregation in an IIoT environment. In the SCBS scheme, each signer/user generates his/her (public and secret) keys and gets a certificate on (ID, public access) pair from CA. Certificates are sent via a public channel. During the execution of the signing phase, the signer requires his/her updated certificate along with a secret key. Similarly, Moni & Manivannan (2021) proposed a distributed and scalable privacy-preserving authentication and message dissemination scheme. Traditionally Certificates and CRLs were used for authenticating entities. However, as the number of entities grows, using CRLs for authentication incurs significant computation and communication overhead. In this scheme, a vehicle only needs to store the public key of the TA and the latest MHT root generation timestamp to authenticate RSUs. Similarly, MMPT is used by RSUs to authenticate vehicles, thus reducing the complexity involved in authenticating vehicles. Xie et al. (2017) subsequently introduced a new, efficient authentication process, using identity to relatively protect VANET applicants’ privacy. The ECC is used to solve the problem of the bilinear pairing because of its complex operations. The proposed system is an improved CPA solution based on (He et al., 2015) that is more effective than the former and fulfills VANET security requirements. The proposed scheme offers a simple message verification and batch message verification, where several messages can simultaneously be verified, and authentication costs are significantly reduced. However, a TA can track this vehicle when a vehicle broadcasts false information without preventing it from transmitting these messages. Furthermore, the identity of each vehicle can be easily discovered by an insider attacker since this attacker has private and public key pairs and has high computational and communication costs.

In Vijayakumar et al. (2018), a signature-based anonymity technique was suggested for vehicular ad hoc networks using bilinear pairing. However, this method eventually introduces enormous computational complexity and overhead, which are unfeasible for the RFID Tag resource restriction. A conditional monitoring mechanism is developed through which the TA tracks the wrong vehicles or RSUs in the IoT environment that misuse the VANET. The TA will, therefore, revoke the privacy of misbehaved vehicles for additional damage. Efficient authentication of the anonymous batch message (ABM) also suggested testing the authenticity of an RSU while sending a batch of messages via RSU to vehicles. However, because of the high overhead of communication, the high computational cost of the Certificate Revocation List (CRL) testing method makes it difficult to validate a large number of VANET messages over a specific period (Lu, Qu & Liu, 2018). Similarly, Pournaghi et al. (2018), proposed the NECPPA scheme, incorporating schemes based on RSU and TPD. The key concept for this system is that the master and public parameter is stored on the RSU TPD. This is because the connection between TA and RSU is secure and fast for communication. The RSU, therefore, generates the sub-master key inside the coverage area to be sent to all vehicles (Zmezm et al., 2015). The execution time during message generation and verification, however, is high (Al-Shareeda et al., 2020). Li et al. (2018) a conditional anonymous authentication of the VSNs’ privacy was proposed, while the authors suggested the VSNs’ design goals. Their scheme is robust and adopts pseudo-identity generation and private key extraction to maintain anonymity. To keep the privacy of its identity, every OBU should restore several pseudo-identities in this scheme. This scheme promotes the security and privacy needed for services rendered by VANET. However, the machine’s private key is pre-loaded into the car’s tamper-proof computer, which attackers can eliminate (e.g., through side-channel attacks). Hence, when the attackers have physical access to the tamper-proof device, their solution is not secure.

Likewise, an available certificates conditional privacy-preserving authentication scheme for vehicular ad-hoc networks was proposed by Ming & Shen (2018). Certificateless cryptography and elliptical curve cryptography form the basis of the proposed scheme (ECC). As an adversary would not connect a vehicle to its transmitted message, the system encourages conditional privacy and ensures unlinkability. In this work, however, the property of non-observability was not considered. Zhong et al. (2019) proposed a privacy protection scheme for safe V2I communications based on a certificateless aggregate signature, and the scheme could achieve complete aggregation. It utilizes the RSU as the aggregator to aggregate under its coverage the signatures signed by the vehicle. The authors attempted to fix the problem in the verification step and had a significant overhead in the signature authentication process. Unfortunately, their latest scheme uses the bilinear pairing operation and the Map-To-Point hash function in the verification process, which has added high overhead in verifier computation expense. A message verification scheme has been suggested for VANET (Cui et al., 2018). However, it is still not comparatively efficient due to the need for many EC operations, and the overhead for communication is high. The system (Cui et al., 2018) is vulnerable to attacks by impersonation, alteration, man-in-the-middle, and concatenation. A protocol for the vehicular environment was also proposed in 2018 by Mukherjee, Gupta & Biswas (2019). In this scheme, lattice-based cryptography is used. This scheme is secure in a quantum computing system, but the identity and password are stored directly in a tamper-proof device. If an opponent catches a TRD, then details may be leaked via the side-channel attack. A mutual authentication scheme was subsequently proposed for V2V in the ad hoc vehicle network to achieve better efficiency and security (Xie et al., 2017). Using elliptic curve encryption technology, the authors attempted to perform privacy-preserving mutual authentication for regular V2V communication. Sadly, their method is vulnerable to man-in-the-middle attacks and modification attacks. In 2020, instead of a map-to-point hash for safe V2I communication, Ali & Li (2020), using BP and a general one-way hash, introduced an ID-based framework. The messages are authenticated easily by an RSU within their scheme. Instead of map-to-point hash functions, it utilizes general one-way hash functions during high traffic density area verification. Since the private key generator (PKG) has access to all users’ private keys in identity-based schemes, the main escrow problems will occur if PKG was compromised. Lightweight security was suggested without using a single verification batch verification system (LSWBVM) scheme to broadcast many safety messages while driving (Al-Shareeda et al., 2020). However, because the verifying vehicle for signature authentication uses only a one-way hash feature, this system is vulnerable to various security threats, such as impersonation and alteration attacks. Also, since the timestamp is not included in the safety message tuple, it is prone to replay attacks. Besides the authentication and honesty requirements, this scheme does not meet in-vehicle systems. Moreover, since the name of the vehicle stored on TPD has not been updated for a long time, it is suspected of side-channel attacks.

In 2020, an anonymous authentication scheme based on community signature in VANETs was proposed by Jiang, Ge & Shen (2020) (AAAS). As a group manager, AAAS adds a regional trust authority (RTA) to provide anonymous vehicle authentication and communication services that can efficiently increase TA’s computing and communication costs and alleviate RSU pressure with low computing and storage capacity. However, the high traffic congestion increases the number of messages transmitted, which increases the overhead of computations and communications from VANET. A refiling framework has been developed for on-demand pseudonyms and certificates by Benarous et al. (2020); anonymous tickets and challenge-based authentication are the foundation of their scheme. The scheme’s effectiveness against the most popular security parameters is tested using several methods and techniques that have proven its efficiency and robustness, such as the BAN logic, SPAN, and AVISPA instruments. Recently, Alfadhli et al. (2020b) proposed a novel and successful CPPA-VANET solution based on lightweight pseudo-identity to overcome the crucial driving area and key escrow problems and provide better efficiency in terms of computation cost and overhead communications. Regrettably, the device also has a high computational cost in the authentication process and is prone to replay attacks. Similarly, Cheng & Liu (2020) an improved ECC authentication scheme based on RSU was proposed, in which RSU distributes vehicle pseudonyms when the vehicle pseudonyms are invalid. However, the password is estimated to have a low entropy secret value and vulnerable to password guessing attacks due to the built-in issues related to the password.

In Thumbur et al. (2020), to avoid the complicated public fundamental infrastructure certificate management problem and the Identity-based key escrow problem, a new VANET certificateless aggregate signature-based authentication scheme was proposed. All signatures/messages received from the surrounding vehicles are aggregated into a single signature by the RSU. AS/RSU can ensure that the related messages are signed by only the registered vehicles. The lack of an effective signature authentication process, however, increases the overhead of computing. Jiang, Ge & Shen (2020) and Jiang, Hua & Wahab (2020) also proposed a Self-checking Authentication Scheme with Higher Efficiency and Security for VANET, called SAES; the proposed scheme adopts pseudonym-based self-checking authentication. Unfortunately, the system also suffers from primary session attacks, modification attacks, and high processing costs due to the bilinear pairing. Similarly, for VANETs that protect privacy, a lightweight multi-factor authentication and security solution was introduced (Alfadhli et al., 2020a). It operates as authentication variables, a mixture of physically unclonable (PUF) functions and one-time dynamic pseudo-identities. The proposed scheme removes the need for a TPD to store sensitive long-term data (such as a fingerprint, password), enhancing the system’s effectiveness and security. Nevertheless, by analyzing the content of such captured messages in VANETs, an intruder can acquire the original identity and track its traveling routes. From the above analysis, we found out that most of the existing schemes suffer from high computation and communication costs because the architecture of VANET contains a considerable quantity of vehicles. Likewise, transmitted data between the RSUs, OBUs, and the trusted party are sensitive. The adversaries are primarily targeting this information to delete, manipulate, eavesdrop on this data. Some attacks (e.g., replay attacks, modification attacks, man-in-the-middle attacks, and insider attacks) are vulnerable to current authentication systems, and these attacks make the VANET system week. Such attacks will probably allow adversaries to access the registered ID of the VANET device user and password and broadcast a false message or fraudulently repeat/delay the transmission. Though some research attention has been paid to date, the critical issue of cross-domain authentication has not been appropriately addressed in the VANET market. As a matter of fact, under the static trust model, most of the existing VANET authentication mechanisms tend to build up the verification process, where only the initial RSU opportunity is discussed. The CDA ability, in other words, was not considered at all. Both successive RSUs must request sensitive information from the cloud server for the remaining systems where the CDA issue has already been solved, causing unnecessary contact burdens and high latency. The comparison of the existing studies is shown in Table 1.

Preliminaries

In this section, the mathematical concept of RSA and the AES-RSA algorithm steps proposed are discussed. First, the basic definition and properties of the RSA algorithm are highlighted to explain RSA encryption and decryption. The combined AES-RSA algorithm is also described to understand the workflow on the sender and receivers’ sides. Figure 2 shows the workflow diagram of the AES-RSA algorithm.

Proposed Scheme

The lightweight authentication scheme for the VANET cross-domain system in industrial IoT is proposed in this section. The system includes entities such as the Trusted Authority (TA), the Domain Trusted Authority (DTA), road-side units (RSUs), and vehicles (Vi). The proposed scheme comprises eight phases: the setup phase, the vehicle registration phase, the domain TA registration phase, the RSU registration phase, the online joining phase, the online crossover phase, the offline joining phase, and the offline crossover phase. Figure 3 displays the proposed scheme’s network diagram. The notations and definitions used in the scheme are shown in Table 2. The phases of the scheme proposed are described in detail below.

Vehicle registration phase

In this phase, the vehicle must be registered at the trusted authority TA to authenticate to the distributed domains. The vehicle initializes the session by sending the identity and other security parameters to the TA via a secure channel. The transmitted message is protected where the information is double encrypted using the AES-RSA algorithm. When the TA receives the message, it checks the existence of the information in the database; if the vehicle is registered, the server will send a notification; otherwise, the vehicle performs the following steps as shown in Fig. 4.

1. Firstly, the Vehicle V_i randomly picks a secret key $s\in Z_q^{\ast },$ secret value R_i, and computes A_i = a.p. Then, it computes T_i = H(VID_i ∥ s), and encrypt the hash value with RSA’s public key $Enc\mathrm{\_}T{A}_{rsa}^{pk}\{T_i\}$. The vehicle parameters and it is identity are concatenated and encrypted with AES’s public key $C{T}_{V\to TA}=Enc\mathrm{\_}T{A}_{aes}^{pk}\{A_i,R_i,Enc\mathrm{\_}T{A}_{rsa}^e\{T_i\}\}.$ The vehicle sends the CT_V $\to$_TA to the TA.

2. The trusted authority TA receives the message CT_V $\to$_TA from the vehicle, it will decrypt the CT_V $\to$_TA using it is public-key $Dec\mathrm{\_}T{A}_{aes}^{pk}\{A_i,R_i,Enc\mathrm{\_}T{A}_{rsa}^{pk}\{T_i\}\}$ to obtain the encrypted identity and the parameters $<A_i,R_i,Enc\mathrm{\_}T{A}_{rsa}^e\{T_i\}>$.

3. Then, it uses the RSA private key $Dec\mathrm{\_}T{A}_{rsa}^d\{T_i\}$ to obtain the vehicle identity VID_i. TA will select a few random values $r_v^j\in Z_q^{\ast }$ to calculate vehicles pseudonyms $FI{D}_v=H_3(VI{D}_i,r_v^j)$ and corresponding public key $P{K}_v^j=H_1(p{s}_v\parallel t_{e}x{p}^v)$, and private keys $S{K}_v^j=d.P{K}_v^j$, where t_exp is the expiration of $r_v^j,1<j<n,n$ is the total number of each vehicle obtaining pseudonym. Later, TA calculates the session key with the vehicle K_TA→v = d.A_i and encrypts $<r_v^j,S{K}_v^j,t_{exp}^v,R_i>$ to get $C{T}_{TA\to v}=Enc\mathrm{\_}{K}_{TA\to v}\{r_v^j,S{K}_v^j,t_{exp}^v,R_i\}.$ Finally, it stores $<VI{D}_i,r_v^j,S{K}_v^j,t_{exp}^v,R_i>,$ and encrypt the ciphertext with AES public key $C{T}_{TA\to v}^{aes}=Enc\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{TA\to v}\}$ and sends $C{T}_{TA\to v}^{aes}$ to the vehicle.

4. Upon receiving $C{T}_{TA\to v}^{aes}$ from TA, Vi decrypts it $Dec\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{TA\to v}\}$ to obtain $Enc\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{TA\to v}\}$ and calculates the session with TA K_v→TA = s.PK_TA and decrypts CT_TA $\to$_v to obtain $<r_v^j,S{K}_v^j,t_{exp},R_i>.$ After obtaining N_i, vehicle verifies it and stores $<r_v^j,S{K}_v^j,t_{exp}>.$ Otherwise, the vehicle needs to reapply for registration.

Domain TA registration phase

This phase enables the domain trusted authority DTA to register itself into the trusted authority TA. The DTA sends a registration request containing the hashed value of the domain along with a freshly generated random number. Figure 5 shows the steps of the current phase. Then, TA checks whether the identity already exists in the database or not; if yes, send a notification; otherwise, apply the following steps:

1. Firstly, DTA selects a random number $r_2^{dta}\in Z_q^{\ast }$ as a secret key and compute $A_i^{dta}=r_2^{dta}.p,andHI{D}_{dta}=H_1(I{D}_{dta}\parallel r_2^{dta})$. Then encrypt the hashed identity with RSA’s public key $Enc\mathrm{\_}P{K}_{TA}\{HI{D}_{dta},r_2^{dta},A_i^{dta},R_i\},$ to get the ciphertext $C{T}_{DTA\to TA}=Enc\mathrm{\_}P{K}_{TA}HI{D}_{dta},r_2^{dta},A_i^{dta},R_i,$ where R_i is the secret value. The AES’s public key is then utilized to encrypt the ciphertext CT_DTA $\to$_TA to get $C{T}_{DTA\mathrm{\beta }TA}^{aes}=Enc\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{DTA\to TA}\}$. DTA sends $C{T}_{DTA\to TA}^{aes}$ to TA.

2. When TA receives $C{T}_{DTA\to TA}^{aes}$, it will first decrypt $Dec\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{DTA\to TA}\}$, and then decrypt the ciphertext $Dec\mathrm{\_}T{A}_{rsa}^{d}HI{D}_{dta},r_2^{dta},A_i^{dta},R_i$ using it is the private key to obtain $<HI{D}_{dta},r_2^{dta},A_i^{dta},R_i>,$ it also calculates it is a private key SK_dta = d.PK_dta, where $P{K}_{dta}=H_1(I{D}_{dta}\parallel t_{exp}^{dta})$ is the public key of DTA, and $t_{exp}^v$ is the expiration of SK_dta. TA calculates the shared session key with DTA $K_{TA\mathrm{\beta }DTA}=d.r_2^{dta}.p$ and encrypt the parameters $<S{K}_{dta},t_{exp}^v,R_i>$ with the session key $C{T}_{TA\mathrm{\beta }DTA}=Enc\mathrm{\_}{K}_{TA\mathrm{\beta }DTA}S{K}_{dta},t_{exp}^v,R_i$. Finally, the ciphertext is further encrypted with AES public for secure communication $C{T}_{TA\to DTA}^{aes}=Enc\mathrm{\_}T{A}_{aes}^{pk}\{C{T}_{TA\to DTA}\}$, and sends $C{T}_{TA\to DTA}^{aes}$ to DTA.

3. Upon receiving $C{T}_{TA\to DTA}^{aes}$ from TA, DTA decrypts it using AES public key and then decrypts CT_TA $\to$_DTA. DTA computes $K_{TA\mathrm{\beta }DTA}=d.r_2^{dta}.p$ to obtain $S{K}_{dta},t_{exp}^v,R_i$. DTA then validate the R_i, if valid, DTA stores $S{K}_{dta},t_{exp}^v;$ otherwise, DTA rejects it.

RSU registration phase

All RSUs submit their registration information to DTA within their domain area. Before the RSU registration phase, the DTA select a group private/public key that only valid in this area based on RSA key generation $s{k}_{dta}^{\mathrm{\prime }}=r_2^{dta}$, and $p{k}_{dta}^{\mathrm{\prime }}=r_2^{dta}.p$. Then DTA uses the private key $s{k}_{dta}^{\mathrm{\prime }}$ to generate signature $Sig{n}_{dta}=Sign\mathrm{\_}s{k}_{dta}\{HI{D}_{dta},t_{exp}^{dta},p{k}_{dta}^{\mathrm{\prime }}\}$. DTA also calculates $X_{dta}=r_2^{dta}.p{k}_{dta}^{\mathrm{\prime }},I_{dta}=X_{dta}+H_2(M_{dta}^{\mathrm{\prime }},X_{dta})$ where $M_{dta}^{\mathrm{\prime }}$ is $M_{dta}^{\mathrm{\prime }}=HI{D}_{dta}\parallel t_{exp}^{dta}\parallel p{k}_{dta}^{\mathrm{\prime }}\parallel r_2^{dta}$. The DTA then concatenated the signature with the message $C{T}_{DTA\to RSU}=Enc\mathrm{\_}DT{A}_{DTA\to RSU}^{aes}\{Sig{n}_{dta}\parallel M_{dta}^{\mathrm{\prime }}\}$, and broadcasting CT_DTA→RSU to the RSUs in this domain. Upon receiving CT_DTA→RSU, RSU decrypts it $Dec\mathrm{\_}DT{A}_{DTA\mathrm{\beta }RSU}^{aes}\{Sig{n}_{dta}\parallel M_{dta}^{\mathrm{\prime }}\}$ to obtain the parameters and compute the public key based on domain identity and expiration time $p{k}_{dta}=H_1(HI{D}_{dta}\parallel t_{exp}^{dta})$. The RSU validates the Sign_dta by comparing it with new computed signature $Sig{n}_{dta}^{\mathrm{\prime }}\ne Sig{n}_{dta}$, if valid, stores $HI{D}_{dta},t_{exp}^{dta},p{k}_{dta}^{\mathrm{\prime }}$ and apply the registration steps and as shown in Fig. 6.

1. The RSUs generates a random number $r_{rsu}\in Z_q^{\ast }$ as a secret key and computes $A_i^{r}su=r_{r}su.p$, and RID_rsu = H₁ (ID_rsu ∥ r_rsu). RSU encrypt the parameter RSA’s public key CT_RSU→DTA = Enc_PK_DTA {RID_rsu, r_rsu}, $A_i^{rsu},R_i$, where R_i is the secret value. Then, generate ciphertext using AES’s public key $C{T}_{RSU\to DTA}^{aes}=Enc\mathrm{\_}DT{A}_{aes}^{pk}\{C{T}_{RSU\to DTA}\}$, and sends $C{T}_{RSU\to DTA}^{aes}$ to DTA.

2. Upon receiving $C{T}_{RSU\to DTA}^{aes}$, DTA decrypts is using $Dec\mathrm{\_}DT{A}_{aes}^{pk}\{C{T}_{RSU\to DTA}\}$, and also decrypts $Dec\mathrm{\_}DT{A}_{rsa}^d\{RI{D}_{rsu},r_{rsu},A_i^{rsu},R_i\}$ to get $<RI{D}_{rsu},r_{rsu},A_i^{rsu},R_i>.$ DTA generates a RSU’s private key $S{K}_{rsu}=r_2^{dta}.P{K}_{rsu},$ where PK_rsu = H₁ (RID_rsu.r_rsu). Then, it calculates the session key with DTA $K_{DTA\to RSU}=r_2^{dta}.r_{rsu}.p,$ and $C{T}_{DTA\to RSU}:Enc\mathrm{\_}{K}_{DTA\to RSU}\{S{K}_{rsu},t_{exp}^{rsu},R_i+1\},$ where $t_{exp}^{rsu}$ is the expiration of SK_rsu. The ciphertext is further encrypted with AES’s public key $C{T}_{DTA\to RSU}^{aes}=Enc\mathrm{\_}RS{U}_{aes}^{pk}\{C{T}_{DTA\to RSU}\}$, and sends $C{T}_{DTA\to RSU}^{aes}$ to RSU.

3. After receiving the RSU decrypts $Dec\mathrm{\_}RS{U}_{aes}^{pk}\{C{T}_{DTA\to RSU}\}$, to obtain CT_DTA $\to$_RSU and compute session key with DTA $K_{DTA\to RSU}=r_2^{dta}.P{K}_{dta}$ and decrypts $Dec\mathrm{\_}{K}_{DTA\to RSU}\{S{K}_{rsu},t_{exp}^{rsu},R_i+1\}$, to get $<S{K}_{rsu},t_{exp}^{rsu},R_i+1>$ if valid, stores $S{K}_{rsu},t_{exp}^{rsu}$. Otherwise, RSU rejects it.

Online joining phase

In this phase, the vehicle will send a joining request to the DTA through the RSU. The information is broadcasted to each vehicle within the domain to enable the vehicle to get authenticated. The joining steps are shown in Fig. 7 and described as follow:

1. The RSU1 broadcasts $I{D}_{rsu1},t_{exp}^{dta},t_{exp}^{rsu},T_1,R_i,I{D}_{dta},P{K}_{dta},Sig{n}_{rsu1})$ and Sign_dta regularly, where $Sig{n}_{rsu1})=Sign\mathrm{\_}s{k}_{rsu1})\{I{D}_{rsu1}),I{D}_{dta},t_{exp}^{rsu},T_1,R_i\},$ and calculates $X_{rsu1}=r_2^{rsu}.p{k}_{rsu1}{)}^{\mathrm{\prime }},I_{rsu1}=X_{rsu1}+H_2(M_{rsu1}{)}^{\mathrm{\prime }},X_{rsu1}),$ and $M_{r}s{u}^{\mathrm{\prime }}=I{D}_{rsu1}\parallel I{D}_{dta}\parallel t_{exp}^{rsu1}\parallel T_1\parallel R_i$. Then, it encrypts it using AES public key $C{T}_{RSU\to V}=Enc\mathrm{\_}{V}_{RSU\to V}^{aes}\{Sig{n}_{rsu1}\parallel M_{rsu}^{\mathrm{\prime }}\}$, and sends CT_RSU→_V to the vehicle.

2. Upon receiving, Vehicle decrypt CT_RSU $\to$_V using the public key $Dec\mathrm{\_}{V}_{RSU\to V}^{aes}\{Sig{n}_{rsu1})\parallel M_{rsu}^{\mathrm{\prime }}\}$ to get the signature. Then, it computes $p{k}_{dta}=H_1(HI{D}_{dta}\parallel t_{exp}^{dta}$ and verifies Sign_rsu1), if invalid, end the session; otherwise, the vehicle continues to verify the freshness of the timestamp T₁ and validity of the Sign_rsu1), if validation successful, DTA and RSU1 are considered legal entities. Vehicle choose a random number $r_2^v\in Z_q^{\ast }$ and compute session key with RSU1 $K_{(V\to RS{U}_1)}=r_2^v.X_{rsu1})$ and the session key with DTA $K_{V\to DTA}=r_2^v.X_{dta}$ respectively. The vehicle finally choose pseudonyms $FI{D}_v=H_3(VI{D}_i,r_v^j)$ and generates the signature $Sig{n}_v=Sig{n}_{skv}\{FI{D}_v,t_{exp}^v,T_2,R_i\}$. It also calculates $X_v=r_{2^v}.p{k}_{v^{\mathrm{\prime }}},I_v=X_v+H_2(M_{(}v{)}^{\mathrm{\prime }},X_v),$ and $M_v^{\mathrm{\prime }}=FI{D}_v\parallel t_{exp}^v\parallel T_2\parallel R_i$ and encrypts the secret value Enc_Kv $\to$_RSU1 ∥ R_i, and Enc_K_v $\to$_DTA ∥ R_i. Then AES public utilized to encrypt the message $C{T}_{v\to rs{u}_1/DTA}=Enc\mathrm{\_}{V}_{v\to rs{u}_1/DTA}^{aes}\{Sig{n}_v\parallel FI{D}_v\parallel T_2\parallel M_{rsu}^{\mathrm{\prime }}\}$ to RSU1.

3. When the RSU1 receives the message, it decrypts the $Dec\mathrm{\_}{V}_{v\to rs{u}_1/DTA}^{aes}\{Sig{n}_v\parallel FI{D}_v\parallel T_2\parallel M_{rsu}^{\mathrm{\prime }}\}$ and verifies Sign_v, T₂, and $t_{exp}^v$ accordingly. If the verification goes well, RSU1 generates a shared session key $K_{RS{U}_1\to v}=r_2^v.X_v$ to decrypt Enc_Kv $\to$RSU₁ and check the validity of R_i. Finally computes CT_v $\to$_DTA = Enc_CTv $\to$RSU₁{R_i} and sends $C{T}_{rs{u}_1\to v}=Enc\mathrm{\_}{V}_{v\to rs{u}_1}^{aes}\{t_{exp}^v\parallel FI{D}_v\parallel C{T}_{v\to DTA}\}$ to DTA.

4. Upon receiving the message, DTA computes the session key $K_{DTA\to v}=r_2^{dta}.X_v$ and decrypts $Dec\mathrm{\_}{V}_{v\to rs{u}_1}^{aes}\{t_{exp}^v\parallel FI{D}_v\parallel C{T}_{v\to DTA}\}$ and also decrypt CT₍v $\to$DTA) to get R_i. If valid, DTA generates a group of identities $MI{D}_v^i$ and the group private key $s{k}_{MI{D}_v^i}^{\mathrm{\prime }}=r_2^{dta},s{k}_i$ for the vehicle. The DTA encrypt the message using the session key $C{T}_{DTA\to v}=Enc\mathrm{\_}{K}_{DTA\to v}\{MI{D}_v^i,s{k}_{MI{D}_v^i}^{\mathrm{\prime }},t_{exp}^{MI{D}_v^i},R_i\}$, where $t_{exp}^{MI{D}_v^i}$ is expiration of $MI{D}_v^i$. The DTA sends CT_DTA $\to$_v to RSU1, and RSU1 forwards the CT_DTA→v, and CT_RSU $\to$_V to vehicle.

5. The vehicle decrypts the CT_RSU→V and verify the secret value R_i, if valid, then a secure channel is established. The $MI{D}_v^i$, $s{k}_{MI{D}_v^i}^{\mathrm{\prime }},t_{exp}^{MI{D}_v^i})$, and R_i is obtained now after decryption, and vehicle stores $MI{D}_v^i,s{k}_{MI{D}_v^i}^{\mathrm{\prime }},t_{exp}^{MI{D}_v^i}$.

Online crossover phase

When the vehicle crosses from one domain to another, it needs to send a joining request to the RSU2 located in different geographical domains. After the RSU2 broadcasted the information to each vehicle, it will send an authentication message to RSU2, where this phase is called the crossover phase. Figure 8 shows the steps of this phase and described as follows:

1. The RSU2 broadcasts $I{D}_{rs{u}_2},t_{exp}^{rs{u}_2},T_3,R_i,Sig{n}_{rs{u}_2}$ and Sign_dta regularly, where $Sig{n}_{rs{u}_2}=Sign\mathrm{\_}s{k}_{rs{u}_2}\{I{D}_{rs{u}_2},t_{exp}^{rs{u}_2},T_3,R_i\}$, and calculates $X_{rs{u}_2}=r_2^{rs{u}_2}.p{k}_{rs{u}_2}^{\mathrm{\prime }},I_{rs{u}_2}=X_{rs{u}_2}+H_2(M_{rs{u}_2}^{\mathrm{\prime }},X_{rs{u}_2},$ and $M_{rs{u}_2}^{\mathrm{\prime }}=I{D}_{rs{u}_2}\parallel t_{exp}^{rs{u}_2}\parallel T_3\parallel R_i.$ Then, it encrypts it using AES public key $C{T}_{RSU\to V}=Enc\mathrm{\_}{V}_{RSU\to V}^{aes}\{Sig{n}_{rs{u}_2}\parallel M_{rs{u}_2}^{\mathrm{\prime }}\},$ and sends CT_RSU → _V to the vehicle.

2. The vehicle gets the message and decrypts it using AES’s public key $Dec\mathrm{\_}{V}_{RSU\to V}^{aes}\{Sig{n}_{rs{u}_2}\parallel M_{rs{u}_2}^{\mathrm{\prime }}\}$ to obtain a signature, then it verifies the T₃ whether is fresh or not, if not, end the session. Otherwise, the vehicle generates a shared session key with RSU2 $K_{V\to RS{U}_2}=r_2^v.X_{rs{u}_2},G\mathrm{\_}Sign\mathrm{\_}S{K}_{MI{D}_v^i}\{MI{D}_v^i,T_4,t_{exp}^{MI{D}_v^i},R_i\},X_{rs{u}_2}=r_2^{rs{u}_2}.p{k}_{rs{u}_2}^{\mathrm{\prime }},I_{rs{u}_2}=X_{rs{u}_2}+H_2(M_{rs{u}_2}^{\mathrm{\prime }},X_{rs{u}_2}),$ and $M_{rs{u}_2}^{\mathrm{\prime }}=I{D}_{rs{u}_2}\parallel I{D}_{dta}\parallel t_{exp}^{rs{u}_2}\parallel T_4\parallel R_i.$ Then, it encrypts it using AES public key $C{T}_{V\to RS{U}_2}=Enc\mathrm{\_}{V}_{V\to RS{U}_2}^{aes}\{Sig{n}_v\parallel M_{rs{u}_2}^{\mathrm{\prime }}\}$, and sends CT_V→RSU2 to the RSU2.

3. The RSU2 first decrypts $Dec\mathrm{\_}{V}_{V\to rs{u}_2}^{aes}\{Sig{n}_v\parallel M_{rs{u}_2}^{\mathrm{\prime }}\},$ and verifies the timestamp T₄, and signature Sign_v by computing the public of the vehicle $p{k}_{MI{D}_v^i}=H_1(MI{D}_v^i\parallel t_{exp}^{MI{D}_v^i})$, if invalid, end session; otherwise, vehicle $MI{D}_v^i$ is legal. Finally, RSU2 generates a shared session key with the vehicle $K_{RS{U}_2\to v}=r_2^{rs{u}_2}.X_v$, and compute CTRSU₂→v = Enc_kRSU₂→v {R_i}, then encrypt the ciphertext using AES public key $Enc\mathrm{\_}{V}_{rs{u}_2\to v}^{aes}\{C{T}_{rs{u}_2\to v)}$, and send it to the vehicle.

4. The vehicle uses the AES public key to decrypt the message $Dec\mathrm{\_}{V}_{rs{u}_2\to v}^{aes}\{C{T}_{rs{u}_2\to v}\}$, to obtain CTrsu₂ $\to$v to decrypt it using a shared session key $K_{v\to rs{u}_2}=r_2^{rs{u}_2}.X_{rs{u}_2},$ if the secret value R_i is valid, then a trust relationship is created; otherwise, authentication fails.

Security Analysis

We provide a complete overview of the proposed scheme’s security in this section to illustrate how the proposed scheme has provided robust security. The study was carried out using Burrows, Abadi, and Needham’s logic in our scheme to demonstrate mutual authentication between the vehicle and other participating entities (BAN). Finally, in this section, a theoretical security examination, called informal analysis, has been discussed.