A Lightweight Authenticated Key Agreement Protocol Using Fog Nodes in Social Internet of Vehicles

Recently, there has been rapid growth in the Internet of things, the Internet of vehicles, fog computing, and social Internet of vehicles (SIoV), which can generate large amounts of real-time data. Now, researchers have begun applying fog computing to the SIoV to reduce the computing pressure on cloud servers. However, there are still security challenges in SIoV. In this paper, we propose a lightweight and authenticated key agreement protocol based on fog nodes in SIoV. *e protocol completes the mutual authentication between entities and generates the session key for subsequent communication. *rough a formal analysis of the Burrows–Abadi–Needham (BAN) logic, real-oracle random (ROR) model, and ProVerif, the security, validity, and correctness of the proposed protocol are demonstrated. In addition, informal security analysis shows that our proposed protocol can resist known security attacks. We also evaluate the performance of the proposed protocol and show that it achieves better performance in terms of computing power and communication cost.


Introduction
With the popularization and development of the world wide web, the Internet of things (IoT) [1][2][3], which is a network of Internet extension and expansion, has emerged. With the continuous development of IoT applications, a "social network of intelligent objects" called social Internet of things (SIoT) [4] has been formed. Internet of vehicles (IoV) [5] is an extension of the concept of SIoT. IoV can realize network connections between the vehicle and vehicle (V2V), vehicle and infrastructure (V2I), and vehicle and pedestrian (V2P) and collect and share the key road information. With the rapid development of network and sensor technology, social connection in urban transportation systems is necessary, so social Internet of vehicles (SIoV) is produced [6][7][8]. SIoV is an application of SIoT in the field of vehicles and is a combination of vehicular ad hoc networks (VANET) and mobile networks, and it can generate a large amount of realtime data. In SIoV, intelligent vehicles can establish social relationships with other objects and form a specific social network.
For cloud computing processing of road real-time data, there are some problems associated with network delays, transmission efficiency, and others. Because the distance between the cloud computing server and vehicles is far, and the number of vehicles is increasing, the cloud server needs to process more real-time data, which increases the computing burden. erefore, researchers have introduced fog computing to reduce the computational burden on cloud servers. e data, processing, and application of fog computing are stored on scattered and weak devices, almost outside the cloud, so the computing power is not strong. It can help the cloud server process some data that are not necessary or urgent at that moment. If it encounters data that it cannot process, it reports to the cloud server. Fog nodes can detect unsafe driving behavior in time, issue early warnings for the behavior, and provide the corresponding punishment when necessary. e application of fog node in IoT and IoV environments was mentioned in the articles [9][10][11][12][13]. In 2016, Azimi et al. [11] proposed a medical warning system in IoT based on fog computing. In 2019, Ismail et al. [12] proposed an implication of fog computing on the IoT.
In 2019, Ma et al. [10] proposed a protocol for fog-based IoV networks, which realized authenticated key agreement. In 2021, Eftekhari et al. [9] proposed a pairwise secret key agreement protocol using fog-based IoV, which was a threepart authentication protocol. e SIoV typical architecture based on fog nodes is shown in Figure 1.
However, in the SIoV environment based on fog nodes, there are still great risks related to security issues. For example, it is very challenging to ensure the confidentiality and privacy of data transmission based on ensuring the security of devices deployed on the network edge. e data transmitted through the public channel usually includes sensitive information such as the personal information of vehicle users, which needs to be kept secret. Recently, Ahmed et al. [6] researched a key agreement protocol for V2G in the SIoV environment, which was a two-party authentication protocol. e protocol [6] was based on an elliptic-curve (ECC) point multiplication and had a large computational cost.
is shortcoming leads us to propose a more effective protocol.
We propose a lightweight and authenticated key agreement protocol based on three parties using fog nodes in an SIoV environment. In this protocol, vehicles and fog nodes authenticate each other with the help of a cloud server (CS) and establish a secure session key. Owing to the weak computing power of fog nodes, our protocol only uses lightweight primitives, such as hash function and XOR operation.
rough formal analysis of the Burrows-Abadi-Needham (BAN) logic, real-oracle random (ROR) model, and ProVerif, the security, validity, and correctness of the proposed protocol are demonstrated. In addition, informal security analysis shows that our proposed protocol can resist known security attacks. We also evaluate the performance of the proposed protocol and show that it has better performance in terms of computing power and communication cost. e rest of the paper is structured as follows: in Section 2, we review recent research results. e details of our proposed agreement are in Section 3. In Section 4, we use BAN, ROR, and ProVerif to verify the security, validity, and correctness of the proposed protocol. In addition, we conduct an informal security analysis. In Section 5, we compare our method with other protocols in terms of performance and security. Finally, we summarize this paper in Section 6.

Related Work
IoV is an open network environment, so this feature may threaten the identity information and relevant sensitive data of vehicle users. For many years, researchers have proposed many protocols to protect the privacy of vehicle users in IoV environments. In 2006, Raya et al. [14] proposed a vehicle communication protocol that stored multiple public and private key pairs and protected the privacy of vehicle users through the certificates stored in OBU. However, in 2008, Lu et al. [15] determined that the protocol [14] had high computing and storage cost because the key was changing at times and proposed a privacy protection protocol for vehicle communication. at same year, Zhang et al. [16] proposed an identity verification protocol for IoV. e protocol [16] realized privacy protection by the tamper-proof device to generate a random pseudoidentity. In 2020, Cui et al. [17] researched a privacy-preserving scheme. e protocol [17] was based on edge computing and used lightweight primitives, such as elliptic-curve cryptography, instead of bilinear pairing-based primitives with high computational cost. Later, Hu et al. [18] proposed a privacy-preserving authentication scheme for IoV. e protocols proposed by some researchers have high computing power. In 2014, Li et al. [19] proposed a protocol that provided PKC-based privacy protection for IoV and claimed that their protocol could resist replay and stolen smart card attacks. However, Amit et al. [20] revealed that Li et al.'s protocol [19] was susceptible to key compromise impersonation attacks and could not provide user anonymity. To reduce high computing cost caused by the use of PCK in the above protocol, the Trust-Extended Authentication Mechanism (TEAM) protocol was proposed [21]. In 2016, Kumari et al. [22] proposed an authentication protocol that also used TEAM. In 2017, Ying and Nayak [23] proposed an effective and lightweight protocol for an IoV environment, which could provide user anonymity. Chen et al. [5] demonstrated that [23] was vulnerable to replay and offline identity guessing attacks. erefore, to solve the vulnerability of Ying and Nayak's protocol [23], Chen et al. [5] proposed a secure authentication scheme for IoV. However, the protocol [5] stored extensive data in the database, so it had high storage cost. In the same year, Mohit et al. [24] proposed an efficient authentication protocol for vehicular systems and deemed their protocol safe. However, Yu et al. [25] pointed out that the protocol [24] of Mohit et al. was susceptible to impersonation attacks and could not provide anonymity, traceability, and mutual authentication. en, Yu et al. [25] proposed an authenticated protocol in vehicular communications. In 2020, Sadri et al. [26] demonstrated that Yu et al.'s protocol [25] was susceptible to sensor capture attacks and impersonation attacks and could not provide traceability. Additionally, Sadri and Rajabzadeh Asaar [26] proposed a protocol in the IoV environment, which was based on lightweight primitives. In 2021, Wu et al. [27] proposed a protocol in IoV, and the protocol realized authentication key exchange (AKE). ere are increasingly more vehicles in the IoV environment, and data processing and transmission have become an inevitable challenge. erefore, researchers began to apply cloud computing to IoV to solve the problem of processing a large amount of data to improve authentication efficiency. In an IoV environment, an authentication scheme based on cloud computing had been widely mentioned and applied in articles [28][29][30][31]. For an environment using cloud computing, problems such as network delay and transmission efficiency would exist, and the cloud server would need to process more data, which would increase the computing burden of the cloud server.
erefore, researchers have begun to introduce fog nodes for fog computing to share the pressure of cloud servers. In these papers [10][11][12][13], fog computing technology was applied. Ma et al.'s protocol [10] applied fog computing to IoV and proposed an authenticated key agreement protocol. ey claimed that the protocol [10] was secure and efficient, but Eftekhari et al. [9] pointed out that Ma et al.'s protocol [10] was vulnerable to internal attacks, stolen smart card attacks, and known session-specific temporary information attacks. erefore, Eftekhari et al. [9] proposed a more efficient authentication protocol. In 2021, Wu et al. [32] proposed a secure scheme using fog nodes in IoV, and the protocol realized AKE. In the same year, Maria et al. [33] proposed a blockchain-based anonymous authentication scheme, which used bilinear pairing. Some important related works are summarized in Table 1.

The Proposed Protocol
In this part, we introduce a lightweight and authenticated key agreement protocol using fog nodes in SIoV. Our protocol is based on the architecture of Figure 1. e protocol includes three entities: vehicle V i , fog node FN j , and CS. e symbols used in the protocol are shown in Table 2. e protocol has three phases: vehicle registration phase, fog node registration phase, and login authentication phase.

V i Registration Phase.
In the V i registration phase, V i registers with CS. e phase is shown in Figure 2, and the specific steps are as follows: (1) First, V i selects its identity ID i , password PSW i , and a random number r i , calculates its pseudoidentity PID i � h(ID i � � � �r i ), and then transmits the PID i to CS through the secure channel.
replaces HID i with the value of α i , and stores the α i , P i , r i , K V in its smart card.

F j Registration Phase.
In FN j registration phase, FN j registers with CS. e phase is shown in Figure 3, and the specific steps are as follows: (1) First, FN j selects its identity FID j and a random number r j , calculates its pseudoidentity PFID j � h(FID j � � � � � r j ), and then transmits PFID j , FID j to CS through the secure channel. (2) After receiving the message from FN j , CS first selects a random number R j , calculates the value of , and stores the K FN , β j , r j , N j in its database.

Login and Authentication Phase.
In the login and authentication phase, V i , FN j , and CS realize authentication and establish session key SK. is phase is shown in Figure 4, and the specific steps are as follows: (1) First, V i inserts the smart card into the reader terminal, inputs its identity ID i , password PSW i , calculates the login authentication value P * i � h(ID i � � � �PSW i � � � �r i ), and then compares P * i � ? P i . If equal, V i logs in successfully. Otherwise, the login fails. After successful login, V i selects a random number N 1 and calculates selects a random number N 2 and then calculates If it is equal, it means that CS believes that FN j is legal. Otherwise, the authentication process is terminated. After authenticating V i and FN j , CS calculates Table 1: e summary of authentication protocols.
and compares V * 4 � ? V 4 . If equal, it means that V i believes that FN j and CS are legal. Otherwise, the authentication process is terminated. Finally, V i updates K V � K V + 1.

BAN Logic.
BAN logic is a formal security analysis method [35]. In this part, we use BAN logic to prove that vehicles, fog nodes, and cloud servers share a session key SK and further prove the correctness of our protocol. e rules used in BAN logic are shown in the references.  Mobile Information Systems

Detailed
Steps. By considering the message M1 and using the seeing rule, we get S1: Using S1, we get Under the premise of assuming A4, using S2, and the message-meaning rule, we get In the case of conclusion S3, using assumption A5, the freshness rule, and the nonce-verification (N-V) rule, we get In the case of conclusion S4, using assumption A6, and the jurisdiction rule, we get In addition, considering the message M2, we get Using S6, we get Under the premise of assuming A7, using S7, and the message-meaning rule, we get In the case of conclusion S8, using assumption A8, the freshness rule, and the nonce-verification (N-V) rule, we get In the case of conclusion S9, using assumption A9, and the jurisdiction rule, we get S10: CS| ≡ N 2 .

Mobile Information Systems
Using A8, S11, and the SK rule, we get By considering the message M3 and using the seeing rule, we get S14: Using S14, we get S15: Under the premise of assuming A12, using S15, and the message-meaning rule, we get S16: In the case of conclusion S16, using assumptions A13 and A14, the freshness rule, and the nonce-verification (N-V) rule, we get S17: Applying this for each component, we get In the case of conclusion S18, using assumption A15, and the jurisdiction rule, we get In the case of conclusion S22, using assumption A16, and the jurisdiction rule, we get In the case of conclusion S23, using assumption A17, and the jurisdiction rule, we get , according to the conclusions S21, S22, and S23 and the belief rule, we get Using A15, S24, and the SK rule, we get By considering the message M4 and using the seeing rule, we get Using S26, we get Under the premise of assuming A18, using S27, and the message-meaning rule, we get In the case of conclusion S28, using assumption A19 and A20, the freshness rule, and the nonce-verification (N-V) rule, we get Applying this for each component, we get In the case of conclusion S30, using assumptions A21, and the jurisdiction rule, we get In the case of conclusion S31, using assumptions A22, and the jurisdiction rule, we get In the case of conclusion S32, using assumptions A23, and the jurisdiction rule, we get Because SK � h(N 1 ⊕ N 2 ⊕ N 3 ⊕ HID i ⊕ HID j ), according to the conclusions S31, S32, and S33 and the belief rule, we get Using A21, S34, and the SK rule, we get en, the probability that A can break the proposed protocol P in polynomial time is Adv P A (ξ) ≤ (q send /2 l−1 ) +(3q 2 hash /2 l ) + 2 max C ′ · q s′ send , (q send /2 l )} + ((q exe + q send ) 2 /p), where q hash represents the number of times hash queries are executed, q send represents the number of times send queries are executed, q exe represents the number of times execute queries are executed, l represents the bits of biological information, and C ′ and s are constants in Zipf's law.

Proof.
We played five rounds of games, which were expressed as follows: GM 0 to GM 6 . Succ GM 0 : GM 0 is the first-round game in the ROR model and a real attack. We choose a coin c to start the round. erefore, in GM 0 , we can obtain the probability that A can successfully break P as GM 1 : GM 1 adds an execute query to GM 0 . In GM 1 , A can only obtain the messages transmitted on the public channel. After GM 1 , A will query the session key SK through the test, but A cannot obtain five values N 1 , N 2 , N 3 , HID i , HID j , so the probability that GM 0 is equal to that of GM 1 is Pr Succ GM 2 : GM 2 adds a send query to GM 1 . According to Zipf's law [38], we obtain Pr Succ GM 3 : GM 3 adds the hash query to GM 2 . e maximum probability of text collision in transmission is (q exe + q send ) 2 /2p, and we can obtain Pr Succ GM 4 : in this round, we verify the security of the session key SK using two events. One is to obtain the long-term key of Π z CS to verify the perfect forward security, and the other is to obtain temporary information to verify that the protocol can resist the known session-specific temporary information attacks.
(1 )Perfect forward security: using Π z CS , A attempts to obtain the private key K CS of CS, or A uses Π x V i or Π y FN j to obtain some secret values in the registration phase.
(2) Known session-specific temporary information attacks: A uses one of Π x V i or Π y FN j or Π z CS to attempt to obtain temporary information.
For the first event, if A obtains the private key K CS of CS, or the secret value of Π x V i and Π y FN j in the registration phase, but A cannot get the random number For the second event, if A can obtain N 1 , but the values of N 2 and N 3 are confidential, the SK cannot be calculated. Similarly, if N 2 and N 3 are leaked, SK cannot be calculated by A. erefore, the probability of this round is Pr Succ GM 5 : in this round of the game, A uses the corrupt query to obtain the parameter α i , P i , r i , K V stored in the smart card, so A wants to conduct the offline key guessing attacks. V i uses random numbers and passwords for registration, so A must guess P i � h (ID i � � � �PSW i � � � �r i ), but the probability of guessing a random number is 1/2 l , which can be ignored. Using Zipf's law [38], we can obtain Pr Succ GM 6 : this round of the game is to verify that protocol P can resist the impersonation attacks, A uses h(N 1 ⊕ N 2 ⊕ N 3 ⊕ HID i ⊕ HID j ) to query, and the game is terminated. erefore, the probability that A can guess SK is Pr Succ Because the probability of success and failure of the GM 6 is 1/2, Pr Succ Finally, we can obtain

ProVerif.
ProVerif is a formal automatic verification tool, which can verify confidentiality, identity, anonymity, and so on [39,40]. In this paper, we use the ProVerif code to achieve vehicle registration, fog node registration, and authentication between the two parties and the CS and verify the security and effectiveness of our proposed protocol through ProVerif. ProVerif demonstrates that the specific operation works as follows. Our protocol includes three entities: vehicle, fog node, and cloud server. e symbols and operation definitions used in ProVerif are shown in Figure 5. e proof contains six events, as shown in Figure 6. e six events are veclestarted (), vecleauthored (), cloudserveracvehicle (), cloudserveracfognode (), fognodeaccloudserver (), and vecleaccloudserver (), indicating that the vehicle starts certification, the vehicle completes certification, the cloud server completes the vehicle certification, and the cloud server completes the fog node certification, respectively. e fog node completed the certification of the cloud server, and the vehicle completed the certification of the cloud server. en, we use ProVerif to query whether A can calculate the session key SK through the data transmitted on the common channel. e query operation is shown in Figure 7.
Finally, we get the verification result using the ProVerif tool, as shown in Figure 8. e result shows that A cannot calculate the session key SK of the V i , FN j , and CS.

Informal Security Analysis.
is part is an informal security analysis of our proposed agreement. We have proved that the protocol can meet common security requirements. e specific proof is as follows.

Mutual Authentication.
In the authentication phase, with the help of CS, mutual authentication between V i and FN j is realized. V 1 in message M 1 is the value CS uses to authenticate V i , V 2 in message M 2 is the value CS uses to authenticate FN j , and V 3 and V 4 in message M 3 are the values CS uses to authenticate FN j and V i , respectively. erefore, the mutual authentication among V i , FN j , and CS is realized in the authentication phase.

Replay Attacks.
In this protocol, we use cumulative value K V to resist replay attacks. In the V i registration phase, we initialize K V to 0. As the session progresses, it carries out +1 operation on the value K V , saves it to its database after CS authenticates V i , FN j , and carries out the necessary calculation. After CS authenticates V i and generates the session key, it also carries out the +1 operation on the value K V and saves it to the smart card. In this manner, K V on both sides is synchronous and equal, and the session process is completed smoothly. If A repeatedly sends message M 1 intercepted in the public channel, CS continues to calculate the value K V + 1 in the authentication phase. Value V 4 generated using K V is not equal to value V 4 calculated by V i using K V stored in its smart card, because the value K V in the smart card of V i cannot keep up with the CS update speed, so the authentication fails. us, our protocol can resist replay attacks.

Man-in-the-Middle Attacks.
Suppose that A can intercept the message M 1 � A 1 , V 1 , ID CS , PID i transmitted on the public channel between V i and FN j . Since A cannot obtain the information α i , K V , r i in the smart card and the identity ID i of V i , A cannot calculate the values K V , HID i , erefore, after A tampers with M 1 , it cannot pass the authentication of FN j . Similarly, because the privacy value is unknown, A cannot calculate the authentication value V 2 , V 3 , or V 4 and cannot complete the verification after intercepting the information M 2 , M 3 , or M 4 . erefore, our protocol can resist man-in-the-middle attacks.

User Anonymity.
e real identities of V i and FN j are transmitted on the secure channel and are protected by pseudoidentity PID i and PFID j in the authentication phase. e anonymity of V i and FN j is ensured. erefore, our protocol can provide user anonymity.

Untraceability.
If A wants to trace the V i , it intercepts the messages M 1 , M 2 , M 3 , M 4 transmitted on the common channel. Since the random numbers N 1 , N 2 , N 3 are used, this means that messages M 1 , M 2 , M 3 , M 4 are different during each session. In addition, A cannot obtain the random numbers N 1 , N 2 , N 3 , so A cannot be traced back to V i . erefore, our protocol can provide untraceability.

Security and Performance Comparisons
In this part, we compare our protocol with those of Ma et al. [10], Wazid et al. [34], Eftekhari et al. [9], and Wu et al. [32] in terms of security, computational cost, and communication cost.

Security Comparisons.
When comparing protocol security, we use ✔ to indicate that the protocol can resist the attacks and × to indicate that the protocol cannot resist the attacks.
e results of comparing protocol security are shown in Table 3. It can be seen that our protocol can resist known attacks and have better security. Ma et al.'s protocol [10] cannot provide user anonymity and untraceability and is vulnerable to impersonation attacks and known sessionspecific temporary information attacks. e protocols in [9,32,34] and our protocol are secure.

Performance Comparison.
Performance analysis is conducted from the aspects of computational cost and communication cost. We analyze and compare the computational cost from the login authentication phase of each protocol. e computational cost of XOR and join operations is negligible. e computational cost comparison is shown in Table 4. It is obvious that the protocols of Ma et al.
Here, T pm represents the time taken to perform a point multiplication operation, T pa represents the time taken to execute an ECC point addition, T f represents the time taken to execute a fuzzy extraction function, and T h represents the time taken to execute a hash operation.
In the comparison of communication cost, we assume that the length of the identity and the random number are 160 bits, the length of the timestamp is 32 bits, the length of the one-way hash function is 256 bits, and the length of ECC point is 320 bits. erefore, based on our assumption, the communication costs of the protocols of Ma et al. [10], Wazid et al. [34], Eftekhari et al. [9], and Wu et al. [32] are 4512 bits, 3488 bits, 4416 bits, and 4448 bits. Here, we illustrate our  Table 5. Obviously, the communication cost of our proposed protocol is less.
In the security comparison, we found that Ma et al.'s protocol [10] cannot provide user anonymity and untraceability and is vulnerable to impersonation attacks and known session-specific temporary information attacks.  Although the protocols of [9,32,34] can resist known security attacks, the overhead in the aspect of computational cost and communication cost is much more than that of our proposed protocol. erefore, our protocol is better in terms of security and performance.

Conclusions
In this paper, we first review the AKE protocol in IoV and SIoV, and then, we propose a lightweight and authenticated key agreement protocol using fog nodes. e security analysis of the protocol is conducted by using BAN, ROR, and ProVerif. e comparison of security and performance shows that the protocol achieves higher performance in terms of computing power and communication cost compared with other protocols. In future research, we will focus on improving the security and performance of the protocol in SIoV.

Data Availability
e data used to support the findings of this study are included within the article.