0% found this document useful (0 votes)

92 views14 pages

TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme For Internet of Drones Environment

This article discusses the design of a new authentication mechanism called TCALAS for drones communicating over the Internet of Drones (IoD). TCALAS allows a user to authenticate with a drone to access its real-time data. It uses temporal credentials and provides anonymous authentication to resist attacks while minimizing computation and communication costs compared to other schemes. The article analyzes the security of TCALAS using formal methods and compares it to related schemes.

Uploaded by

Haseeb Tahir

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

92 views14 pages

TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme For Internet of Drones Environment

Uploaded by

Haseeb Tahir

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 14

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TVT.2019.2911672, IEEE
Transactions on Vehicular Technology
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY 1

TCALAS: Temporal Credential-Based Anonymous

Lightweight Authentication Scheme for Internet of
Drones Environment
Jangirala Srinivas, Member, IEEE, Ashok Kumar Das, Senior Member, IEEE,
Neeraj Kumar, Senior Member, IEEE, and Joel J. P. C. Rodrigues, Senior Member, IEEE

Abstract—A user (external party) is interested in accessing present the data efficiently with full accuracy. This is achieved
the real-time data from some designated drones of a particular by reducing human involvement as less as possible [1], [2],
fly zone in the Internet of Drones (IoD) deployment. However, [3].
to provide this facility the user needs to be authenticated
by an accessed remote drone and vice-versa. After successful A drone is a type of Unmanned Aircraft System (UAS)
authentication both parties can establish a secret session key for whose components include a flight controller, an Inertial
the secure communication. To handle this important problem Measurement Unit (IMU), multiple rotors and a battery. At
in IoD environment, we design a novel temporal credential present, the drones are widely used for distribution delivery,
based anonymous lightweight user authentication mechanism for aerial photography, and surveillance, as well as for private
IoD environment, called TCALAS. A detailed security analysis
using formal security under the broadly applied Real-Or-Random hobbies. Because of the increasing drone population, tracking
(ROR) model, formal security verification under the broadly- drones has become an important issue for improving both their
used software verification tool, known as Automated Validation of safety and attacking drones by attackers [4]. These drones
Internet Security Protocols and Applications (AVISPA), and also are currently utilizing the IoT technology to play its part as
informal security analysis reveal that TCALAS has the capability Internet of Drones (IoD). In addition, due to the on-going
to resist various known attacks against passive/active adversary.
In addition, a detailed comparative study has been conducted miniaturization of sensor devices, processors and ubiquitous
for TCALAS and other related schemes, and the study also wireless connectivity, the drones are now used in enhancing
reveals that TCALAS provides better security and functionality our way of life too. Fig.1 presents a pictorial representation of
features, and lower costs in both computation & communication a typical drone system where the communication is monitored
as compared to existing schemes. and controlled from the user equipment to drones.
Index Terms—Drones, surveillance, authentication, key agree-
ment, security, AVISPA.

I. I NTRODUCTION
NTERNET of Things (IoT) is currently being used very
I vastly as it consists of numerous objects. These objects
are meant for gathering the information from various sources
which are interconnected and the collected information can be
exchanged over the Internet. These objects are categorized as
physical objects, such as sensors, camera, smartphones, drones
and vehicles, and the other category contains virtual objects,
such as agenda, wallet and electronic ticket. The advantage
Fig. 1. Block diagram of a typical drone system [5]
of the things (objects) in IoT is that without the involvement
of humans, these objects are smart enough to take their own Tracking drones can be used to enhance their safety as it
decisions. Therefore, one of the basic purpose behind IoT is can be used to avoid collisions, improve traffic efficiency, and
to make integration of computer based systems with the real- prevent the flights of unauthorized drones by considering the
world physical system for the economic comfort and also to increasingly crowded airspace. For example, the agencies like
“National Aeronautics and Space Administration (NASA)”
J. Srinivas is with the Jindal Global Business School, O. P. Jindal Global
University, Haryana 131001, India (e-mail: [email protected], getsrin- and “Federal Aviation Administration (FAA)” in cooperation
[email protected]). with various other companies, such as Amazon and Google,
A. K. Das is with the Center for Security, Theory and Algorithmic Research, have been developing the UAS Traffic Management (UTM)
International Institute of Information Technology, Hyderabad 500 032, India
(e-mail: [email protected], [email protected]). system for drones flying at low altitudes in between 200 and
N. Kumar is with the Department of Computer Science and Engineering, 500 feet [5].
Thapar University, Patiala 147 004, India (e-mail: [email protected]). Tracking drones can be also used for malicious purposes as
J. J. P. C. Rodrigues is with the National Institute of Telecommunications
(Inatel), Brazil; Instituto de Telecomunicações, Portugal; Federal University well. An attacker can maliciously track the locations of the
of Piauí (UFPI), Teresina-PI, Brazil (e-mail: [email protected]). drones for disturbing drone-related services, escaping from

0018-9545 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TVT.2019.2911672, IEEE
Transactions on Vehicular Technology
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY 2

drone surveillance as well as capturing drones themselves. security and energy efficiency become critical issues. To
Most drones have a telemetry functionality based on the save energy at the drones/smart objects, the protocol
Micro Aerial Vehicle Link (MAVLink) protocol [6], [7] for execution should be completed as soon as possible. In
monitoring their status. Because the drones are used for flying, general, the processing speed of a drone would work like
the status information supported by this telemetry is usually PC, whereas the processing speed of a smart object would
given via wireless communication modules, such as 433 or work like a resource-limited sensor device. Thus, the
915 MHz telemetry and Wi-Fi transceivers in real time. The challenge is that the smart objects need to have minimal
transmitted status data is different from each implementation computational overhead for the designed protocols. It is
of flight controllers, but most implementations include system evident that a drone may try practically to access many
parameters, Global Positioning System (GPS) data, altitude, smart objects concurrently. Therefore, a well defined user
rotor status, memory status, sensor status, and sensor outputs. authentication protocol should support such parallel and
These data are used not only to monitor but also to debug the concurrent cryptographic operations.
drone systems.
C. System Models
A. Future of Drones in Business and Commerce The following models (authentication & threat models) are
Due to growing interests and features, drones are applied in utilized in the design of TCALAS.
wide areas of applications, such as infrastructure inspection, 1) Authentication Model: In the architecture shown in
environmental monitoring, tracking/forecasting, search and Fig.2, the only trusted entity is the Ground Station Server
rescue, storm, construction sites, agriculture, wildlife research, (GSS). Due to the nature of communication between the
mines, prospecting, emergency response, city planning and entities, there is always a threat regarding several security
architecture (map areas before building) and cinematography issues and breaching of the privacy of entities in this IoD
[8]. Now a days, as a supplement of humans in a part environment [9]. This raises in demand handling the security
of delivery in business, drones have started showing their issues, and also in ensuring the security of the communication
impact (i.e., these drones are commercially used by the hi-tech in IoD environment. A novel temporal lightweight authentica-
businesses which make it practical in some trials). Business tion scheme is put forward in this paper which can be executed
giants like Amazon, Google, Facebook and Wal-Mart have efficiently in terms of communication and computation costs
started delivering the products for the speedy delivery and among all the involved participants. In the IoD environment
customary satisfaction. In the other areas, such as industries monitoring system shown in Fig.2, there are several flying
like real estate, construction, film or cinematography, fire and zones (also called clusters) having their own identifiers. In a
police departments, and farming have commercially started particular zone, some drones can fly which can communicate
using the benefits of drones. Looking into the technological each other and then to the GSS. The GSS is also connected
trends, many Business to Business (B2B) executives agree to the control room. A external user having his/her mobile
and believe that drones can give extra benefits for them to device can monitor/access some designated drones from some
cope up with their business and also understand the benefits flying zones provided that he/she is authorized to access those
of drones which can bring by integrating the technology into drones.
their operations by providing an extra advantage over their
competitors. This shows that the future of drones in commerce C1
and business will impact on the marketplace and organizations.
RD1
Fly zone 1 Internet
B. Requirements for Secure Drone Communications RD2
Fly zone 2
The secure communication among the drones and smart C2
objects requires a better communication protocol which is
summarized as follows. Mobile Device
Ground Station Server (User Ui)
• Security: Firstly, a user authentication and confidentiality RD3
Fly zone 3
needs to be ensured and preserved with securely au-
C3
thenticated key establishment mechanism. Secondly, the
communication protocol needs to ensure and keep a check RDj
on the integrity of the transmitted data, and also needs Fly zone j
Ck Control room
to support non-repudiation. Thirdly, on capturing of a
Remote Wi-Fi Cluster
drone, the extracted information from that captured drone Drone (RDj) communication
should be compromised secure communication among
other drones with a user and other smart objects. Finally, Fig. 2. IoD environment monitoring system
to acquire the internal data of the smart objects, only the
authorized/authenticated drones should be permitted with 2) Threat Model: The following are the assumptions in the
different access rights. considered threat model. The popular Dolev-Yao (DY) threat
• Efficiency: The issue with the drones and smart objects is model [10] is utilized in TCALAS. With the DY model, an ad-
that they are equipped with limited battery power. Hence, versary, say A has not only the capability to intercept messages

during communication between two parties, but he/she can 3) As a part of formal security verification, AVISPA simu-
also update, modify, delete or even insert malicious messages lation tool is applied on TCALAS and the results proved
as the communication between the entities is public. Since to be safe in the sense that man-in-the-middle & replay
the drones deployed in some target area can not be monitored attacks are safeguarded in TCALAS.
in 24 × 7 hours, there is a concern of physical capture of 4) The detailed comparative study is then presented among
some drones from flying zones. The extracted information TCALAS and other existing relevant recent schemes in
from these captured drones can be then applied in breaching terms of security & functionality features, communi-
the security of the system by means of compromising the cation and computation costs. The results exhibit that
secure communication among other non-compromised drones TCALAS is efficient and it also preserves the security
and users in a user authentication protocol. In addition, if & functionality attributes while these parameters are
the mobile device of a user is lost or stolen, the extracted balanced with other schemes.
information using the power analysis attacks [11] should not
lead to compromise the security of the system by means E. Paper Outline
of deriving the secret credentials of that user (e.g., user’s In the IoD environment, various related studies on the basis
identity, password & personal biometrics). If these credentials of existing schemes are presented in the Section II. A new
are derived successfully, A may then attempt to perform many temporal user authentication scheme in the IoD environment
potential attacks including privileged-insider, impersonation (called TCALAS) is then presented in Section III. Next, the
and man-in-the-middle attacks. Currently used Canetti and security analysis on the basis of formal and informal methods
Krawczyk’s adversary model (CK-adversary model) [12] is are presented in Section IV. The simulation study on TCALAS
a stronger model than the DY model which is being used in by using the formal security verification tool, AVISPA, is
recent user authentication protocols in the literature. Under conducted in Section V. A comprehensive comparative study
the CK-adversary model, apart from all the abilities of the is done on the basis of communication and computation
DY model, A can also settle the session states and secret overheads for TCALAS and other schemes in Section VI.
information including secret keys. Hence, it is very important Section VII is concluded with concluding remarks about the
that even if the session states and secret information are work.
compromised in a specific session, those information do not
lead to compromise the secrecy of other parties’ credentials II. R ELATED W ORK
involved during communication. Thus, forward and backward Alqassem et al. [14] presented a review work on numerous
secrecy should be preserved in a designed user authentication IoT applications in the context of security. In his survey,
protocol under the CK-adversary model. Furthermore, the they figured-out that most of the networks assume that the
GSS being the trusted entity in the IoD domain can be placed applications utilize only two types of devices. The first type
under a locking system to physically safeguard it from A as contains the devices that communicate with humans and
it is the same scenario used in [2]. Thus, it is assumed that environment. The other type contains the devices which may
the GSS is not compromised in the IoD environment by A. act as the gateway(s) during the data aggregation. In the same
context, Tan et al. [15] expostulated with the conclusion of
D. Research Contributions Alqassem et al. [14], and also pointed out more critical and
complicated security measures that should be forced for many
In this section, we discuss about the main research contri- possible scenarios in order to ensure the security of various
butions made in the proposed TCALAS, which are presented IoT applications.
below. Chen et al. [23] presented a survey containing various IoT
1) In the IoD environment, according to TCALAS the security & vulnerability issues. They also discussed about tax-
legitimate and registered users are only allowed to get onomy, and some challenges and practice need to emphasize.
the services from the remote drones by registering to the Das et al. [24] also presented a detailed taxonomy and then
GSS. Prior to providing services, all the remote drones the analysis of security mechanisms for IoT that are important
need to register with GSS. Once the registration is done, and critical to be addressed in IoT environment. Alternatively,
the remote drones RDj are given some secret credentials Hassanalian et al. [25] discussed in detail about classifications,
which are only known to RDj and GSS. The registered and various applications as well as design challenges of the
users have the facility to update their passwords and/or drones.
biometrics at any time without involving further the Pan et al. [26] presented an algorithm which is meant to
GSS. In addition, other facilities like mobile device control the speed of UAV dynamically and also to collect the
revocation and new remote drones deployed are also data efficiently. The communication among sensor devices and
supported in TCALAS. drones are supported by the cellular network. Furthermore, the
2) TCALAS is tested through the formal security using UAVs can effectively tune the speed of sensor devices speed
on the broadly trusted ROR model [13]. This model to their density during the coverage and collection of the data
is basically applied to ensure about the session key to maximize efficiency.
security. Furthermore, TCALAS is validated using the In 1981, Lamport [27] introduced the concept of remote
informal security to ensure its security by restricting authentication based on passwords. Inspiring from this sem-
other potential attacks by an adversary. inal work, many researchers came up with their innovative

TABLE I
S UMMARY OF TECHNIQUES USED AND LIMITATIONS / DRAWBACKS OF EXISTING USER AUTHENTICATION PROTOCOLS

Scheme Year Techniques applied Properties

Turkanovic et al. [16] 2014 Two-factor (smart card & user password); It does not protect “privileged-insider, off-line password guessing, stolen
applies “one-way cryptographic hash function” smart card, user impersonation and smart device impersonation attacks”.
It does not provide formal security analysis.
Farash et al. [17] 2016 Two-factor (smart card & user password); It is not secure against “known session-specific temporary information,
applies “one-way cryptographic hash function” off-line password-guessing, stolen/lost smart card, new smart card issue,
and user-impersonation attacks”. It does not preserve “user anonymity”.
The secret key of the gateway node is not secure.
It does not provide formal security analysis.
Amin et al. [18] 2016 Three-factor (smart card, user password It is not secure against “known-session
& biometrics); specific temporary information, smart card loss, tracing,
applies “one-way cryptographic hash function and denial-of-service attacks”.
and bio-hashing for biometric verification” It does not provide formal security analysis.
Challa et al. [19] 2017 Three-factor (smart card, user password It is not as “computationally expensive” as Jiang et al.’s scheme [20].
and biometrics); applies “elliptic curve It does not provide formal security analysis.
cryptography” with signature and
“one-way cryptographic hash function”
Tai et al. [21] 2017 Two-factor (smart card & user password); It is not secure against several known attacks.
applies “one-way cryptographic hash function” It does not provide formal security analysis.
Wazid et al. [22] 2018 Three-factor (smart card, user password It does not preserve “revocability” property.
& biometrics); It does not provide formal security analysis.
applies “one-way cryptographic hash function”
“fuzzy extractor for biometric verification”
Proposed scheme 2019 Three-factor (smart card, user password It is secure against various known attacks.
(TCALAS) & biometrics); It provides formal security analysis.
applies “one-way cryptographic hash function”, It is also secure against “denial-of-service attack”.
and “fuzzy extractor for biometric verification”;
based on “temporal credentials”

proposals on designing more secure authentication protocols poral credential-based anonymous lightweight authentication
in various environments. scheme (TCALAS). TCALAS applies lightweight hash func-
Turkanovic et al. [16] was the first to present a user authenti- tions and fuzzy extractor techniques. The fuzzy extractor is
cation scheme which is integrated to both Wireless Sensor Net- only applied for a user’s local biometric verification. Keeping
work (WSN) and IoT. Due to numerous attacks on the scheme the security concerns into consideration, we also consider
[16], it was shown that Turkanovic et al.’s proposal was the presently considered de facto CK-adversary model in
insecure [17]. As a remedy, Farash et al. [17] proposed another our TCALAS which can be strengthen additionally apart
work which is tailored for the IoT environment by connecting from the traditional DY model (see Section I-C2). Table I
the heterogeneous WSNs. Unfortunately, this scheme contains tabulates a summary of different techniques used and lim-
various drawbacks and it was proved to be insecure by Amin itations/drawbacks of existing user authentication protocols
et al. [18]. Furthermore, Tai et al. [21] also designed another related to the IoD environment.
authentication scheme under the same domain as in Farash et
al. However, their scheme fails to withstand many attacks (e.g., III. T HE P ROPOSED S CHEME
privileged-insider, password guessing, man-in-the-middle & The proposed scheme (TCALAS) is organized into six
replay attack), and also forward secrecy. Later, Jiang et al. phases, namely 1) pre-deployment, 2) user registration,
[20] illustrated that Amin et al.’s [18] is insecure as several 3) login and authentication, 4) revocation and reissue, 5)
security loopholes exist in their scheme, and also proposed a password/biometric update, and 6) dynamic node addition.
“lightweight three-factor based authentication scheme”. TCALAS uses the user’s mobile device, password and per-
In view of future IoT applications, Challa et al. [19] sonal biometrics as three factors. The notations described in
put a new proposal for user authentication which uses the Table II are used for discussing and analyzing TCALAS.
Elliptic Curve Cryptography (ECC) and ElGamal-type dig- The detailed discussions of various phases are presented in
ital signature. However, it demands for more computation subsequent subsections.
& communication costs as compared with other non-ECC
based user authentication methods. Roy et al. [28] proposed a A. Pre-deployment Phase
user authentication scheme which was designed for crowd- In this phase, the ground station server GSS is responsible
sourcing IoT environment. Using three factors (password, to register each remote drone to be deployed in a particular
biometrics and smart card), a user authentication scheme was target area. Assume that the target area is partitioned into
also designed for hierarchical IoT environment by Wazid et nc disjoint clusters (groups), where a set of drones will
al. [22]. This scheme is secure and lightweight in nature. be deployed in a cluster, called a flying zone. The GSS
The previous studies motive us to work on several security first assigns a unique identity CIDk to k th cluster. For
drawbacks in the existing schemes. For this purpose, we each remote drone RDj to be deployed in k th cluster, the
target to propose a new secure lightweight user authentica- GSS assigns it with a unique identity IDRDj , and then
tion protocol suitable for IoD environment, called the tem- calculates SIDRDj = h(CIDk kIDRDj kXGSS kXRDj )

TABLE II credentials M Di = {Ai , Bi , T Ci , h(·), IDGSS , CIDk } to

N OTATIONS USED Ui using a reliable secure channel.
Symbol Description R3: After receiving the response from the GSS, Ui imprints
Ui , RDj , GSS ith user, j th remote drone and ground his/her biometric BIOi into the sensor of the mobile device
station server, respectively M Di and computes Gen(BIOi ) = (σi , τi ), Li = bi ⊕ h(σi
M Di Mobile device of Ui
XGSS ,XRDj Long-term secret keys of GSS and RDj , kIDi kP Wi ), Mi = h(Ai kT Ci kbi kσi ), and A0i = Ai ⊕ h(bi
respectively kHIDi kHP Wi kσi ), where σi & τi are the secret biometric
SIDRDj Secret key between GSS and RDj key & public reproduction parameter associated with BIOi ,
U IDi Secret key between Ui (M Di ) and GSS
IDi , IDRDj , IDGSS Unique identities of M Di , RDj and GSS, respectively. Finally, Ui stores the credentials {A0i , Bi , Mi ,
respectively Li , h(·), IDGSS , CIDk , Gen(·), Rep(·), τi } in M Di to
P Wi , BIOi Password and biometrics of Ui , respectively complete the registration process. The details about the fuzzy
h(·) Cryptographic one way hash function
SK Session key between Ui and RDj extractor functions (Gen(·) and Rep(·)) can be attained in
bi , R1 , R2 , R3 Random numbers [28].
T1 , T2 , T3 Current timestamps The illustration of this phase is summarized in Fig. 4.
Gen(·), Rep(·) Fuzzy biometric generator and reproduction
functions, respectively
∆T Maximum allowable transmission delay Mobile Device of User (Ui ) Ground Station Server (GSS)
T Ci Temporal credential of Ui Choose IDi , P Wi and bi .
? Compute HIDi = h(IDi kbi ),
i=j Checks if i equals to j
HP Wi = h(P Wi kbi ).
CIDk Identity of kth cluster in the flying zones {HIDi }
⊕, k bitwise XOR & concatenation operations, −−−−−−−−−−→ Compute U IDi = h(HIDi kXGSS ),
Secure channel
respectively T Ci = h(CIDk kU IDi kIDGSS ),
A An adversary Ai = U IDi ,
Input biometric BIOi . Bi = CIDk ⊕ h(HIDi kU IDi ).
M Di ={Ai ,Bi ,T Ci ,h(·),IDGSS ,CIDk }
Compute Gen(BIOi ) = (σi , τi ), ←−−−−−−−−−−−−−−−−−−−−−−−−−
Secure channel
which is the shared secret key between GSS and RDj , Li = bi ⊕ h(σi kIDi kP Wi ),
Mi = h(Ai kT Ci kbi kσi ),
where XGSS and XRDj are the long-term secret keys of the A0i = Ai ⊕ h(bi kHIDi kHP Wi kσi ).
GSS and RDj , respectively, and h(·) is a selected one-way Update M Di = {A0i , Bi , Mi , Li , h(·),
cryptographic collision-resistant hash function. In addition, the IDGSS , CIDk , Gen(·), Rep(·), τi }.
GSS also selects its own identity IDGSS . RDj is pre-loaded Fig. 4. User registration phase
with the credentials {IDGSS , CIDk , IDRDj , SIDRDj , h(·)}
before it is deployed in the k th cluster flying zone. The
GSS keeps the credentials {IDGSS , {CIDk |1 ≤ k ≤ nc }, C. Login and Authentication Phase
{(IDRDj , SIDRDj )|1 ≤ j ≤ nr }, XGSS , h(·)}, where nr
denotes the number of drones to be positioned in a cluster. During this phase, the validation of a legal registered user
Finally, this phase is briefed in Fig. 3. Ui is verified by checking his/her login credentials and also the
credentials are stored in the mobile device M Di . This phase is
Remote drone (RDj ) in k th cluster flying zone executed over a public channel. Once the login request from
{IDGSS , CIDk , IDRDj , SIDRDj , h(·)} the user is received, the user’s legitimacy is challenged and
Ground station server GSS
verified by the other involved participants (the GSS and an
accessed remote drone RDj in a particular flying zone). It
{IDGSS , {CIDk |1 ≤ k ≤ nc }, {(IDRDj , SIDRDj )|1 ≤ j ≤ nr },
XGSS , h(·)} is assumed that Ui will have a list of identities IDRDj of
remote drones RDj for which he/she is given the real-time
Fig. 3. Credentials stored during the pre-deployment phase
data access from some designated flying zones. The details
steps to complete this phase are explained by the following
steps:
B. User Registration Phase LA1: Ui inputs his/her login credentials (identity IDi ,
For accessing the services from the remote drones in a password P Wi & biometric BIOi0 ) to the mobile device
designated flying zone, say k th cluster, a user Ui needs M Di . M Di then calculates σi0 = Rep(BIOi0 , τi ), bi =
to register with the GSS. This phase is provided with the Li ⊕ h(σi0 kIDi kP Wi ), HIDi = h(IDi kbi ), HP Wi =
following steps: h(P Wi kbi ), Ai = A0i ⊕ h(bi kHIDi kHP Wi kσi0 ), U IDi =
R1: Ui is free to select his/her user identity IDi and Ai , CIDk = Bi ⊕ h(HIDi kU IDi ) and T Ci = h(CIDk
?
password P Wi . Ui then generates a random number bi to kU IDi kIDGSS ), and verifies Mi = h(Ai kT Ci kbi kσi0 ). If
calculate HIDi = h(IDi kbi ) and HP Wi = h(P Wi kbi ) the verification is unsuccessful, the phase is discontinued
to submit the registration request with the credentials {HIDi , promptly. Otherwise, M Di creates a random number R1 and
h(·)} to the GSS through a secure channel. current timestamp T1 , computes U1 = HIDi ⊕ h(T1 kIDGSS
R2: On receiving the request, the GSS calculates U IDi = kCIDk ), U2 = IDRDj ⊕ h(U IDi kCIDk kT Ci ), U3 =
h(HIDi kXGSS ), temporal credential T Ci = h(CIDk h(IDRDj kCIDk kT Ci kT1 ) ⊕R1 , and U4 = h(R1 kU IDi
kU IDi kIDGSS ), Ai = U IDi , and Bi = CIDk ⊕h(HIDi kIDRDj kT Ci kCIDk ), and transmits the message M SG1 =
kU IDi ), and then dispatches the mobile device M Di with the {U1 , U2 , U3 , U4 , T1 } to the GSS over a public channel.

Mobile Device of User (M Di ) Ground Station Server (GSS) Remote Drones (RDj )
Input IDi , P Wi and BIOi0 .
Compute σi0 = Rep(BIOi0 , τi )
bi = Li ⊕ h(σi0 kIDi kP Wi ),
HIDi = h(IDi kbi ), HP Wi = h(P Wi kbi )
Ai = A0i ⊕ h(bi kHIDi kHP Wi kσi0 ),
U IDi = Ai ,
CIDk = Bi ⊕ h(HIDi kU IDi ),
T Ci = h(CIDk kU IDi kIDGSS ).
?
Verify Mi = h(Ai kT Ci kbi kσi0 ) Check if |T1∗ − T1 | < ∆T ?
Generate random number R1 and Compute HIDi∗ = U1 ⊕ h(T1 kIDGSS kCIDk ),
current timestamp T1 . U IDi∗ = h(HIDi∗ kXGSS ).
Compute Extract T Ci by verifying U IDi∗ ’s existence.
U1 = HIDi ⊕ h(T1 kIDGSS kCIDk ), Compute IDRDj = U2 ⊕ h(U IDi kCIDk kT Ci ),
U2 = IDRDj ⊕ h(U IDi kCIDk kT Ci ), R1 = U3 ⊕ h(IDRDj kCIDk kT Ci kT1 ).
?
U3 = h(IDRDj kCIDk kT Ci kT1 ) ⊕ R1 , Verify U4 = h(R1 kU IDi kIDRDj kT Ci kCIDk )
U4 = h(R1 kU IDi kIDRDj kT Ci kCIDk ). Generate random R2 & timestamp T2 . Compute Check if |T2∗ − T2 | < ∆T ?
U5 = h(IDGSS kSIDRDj kIDRDj kT2 ) ⊕ HIDi , Compute
M SG1 ={U1 ,U2 ,U3 ,U4 ,T1 }
−−−−−−−−−−−−−−−−−−−−→ U6 = h(HIDi kIDRDj kCIDk kT2 kh(R1 kR2 )), HIDi = U5 ⊕ h(IDGSS kSIDRDj kIDRDj kT2 ),
(M Di →GSS)
U7 = h(HIDi kIDRDj kSIDRDj kT2 ) ⊕ h(R1 kR2 ). h(R1 kR2 ) = U7 ⊕ h(HIDi kIDRDj kSIDRDj kT2 ).
M SG2 ={U5 ,U6 ,U7 ,T2 } ?
−−−−−−−−−−−−−−−−−−−−→ Verify U6 = h(HIDi kIDRDj kCIDk kT2 kh(R1 kR2 ))
(GSS→RDj )
Generate random R3 and current timestamp T3 .
Receive message M SG3 . Compute R30 = h(R3 kh(R1 kR2 )),
Check if |T3∗ − T3 | < ∆T ? U8 = R30 ⊕ h(HIDi kIDRDj kT3 kCIDk ),
Compute SK = h(R30 kHIDi kIDRDj kCIDk kT3 ),
R30 = U8 ⊕ h(HIDi kIDRDj kT3 kCIDk ), U9 = h(R30 kSKkT3 kCIDk ).
M SG3 ={U8 ,U9 ,T3 }
SK = h(R30 kHIDi kIDRDj kCIDk kT3 ). ←−−−−−−−−−−−−−−−−−−−
(M Di ←RDj )
Verify if U9 = h(R30 kSKkT3 kCIDk )?
Authenticate RDj .
SK=h(h(R3 kh(R1 kR2 ))kHIDi kIDRDj kCIDk kT3 )
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
←
(M Di ↔RDj )

Fig. 5. Summary of login and authentication phase of TCALAS

LA2: Upon receiving M SG1 from Ui at time T1∗ , the GSS along with U9 = h(R30 kSK kT3 kCIDk ). RDj then sends
checks the freshness of the message by |T1∗ − T1 | < ∆T . If the message M SG3 = {U8 , U9 , T3 } directly to Ui via public
it holds, the GSS computes HIDi∗ = U1 ⊕ h(T1 kIDGSS channel.
kCIDk ) and U IDi∗ = h(HIDi∗ kXGSS ), and extracts T Ci LA4: Upon receiving M SG3 from RDj at time T3∗ , if
by verifying U IDi∗ ’s existence in its database. On validating |T3∗ − T3 | < ∆T holds, Ui calculates R30 = U8 ⊕ h(HIDi
the existence of the user’s information, the GSS computes kIDRDj kT3 kCIDk ) and session key SK = h(R30 kHIDi
IDRDj = U2 ⊕ h(U IDi kCIDk kT Ci ). If the computed ?
kIDRDj kCIDk kT3 ) to verify U9 = h(R30 kSK kT3
IDRDj exists in the GSS’s database, it then calculates R1 = kCIDk ). If the verification holds, Ui authenticates RDj .
U3 ⊕ h(IDRDj kCIDk kT Ci kT1 ), fetches SIDRDj corre- Otherwise, Ui discontinues the process. Finally, both Ui and
?
sponding to IDRDj , and verifies U4 = h(R1 kU IDi kIDRDj RDj establish the session key as SK = h(h(R3 kh(R1 kR2 ))
kT Ci kCIDk ). Upon unsuccessful validation, the GSS rejects kHIDi kIDRDj kCIDk kT3 ).
the Ui ’s legitimacy. Otherwise, the GSS continues to generate The detailed illustration of this process is shown in Fig. 5.
a random number R2 and current timestamp T2 , and compute
U5 = h(IDGSS kSIDRDj kIDRDj kT2 ) ⊕HIDi , U6 = D. User Password/Biometric Update Phase
h(HIDi kIDRDj kCIDk kT2 kh(R1 kR2 )) and U7 =
For updating the current password/biometrics by new pass-
h(HIDi kIDRDj kSIDRDj kT2 )⊕ h(R1 kR2 ) and transmit
word/biometrics, a legal registered user Ui with mobile device
the message M SG2 = {U5 , U6 , U7 , T2 } to the remote drone
M Di can follow the following steps. It is worth noticing
RDj via open channel.
that the user Ui ’s personal biometric is not typically changed,
LA3: On receiving M SG2 at time T2∗ , RDj validates the whereas his/her password may be updated periodically in order
message’s freshness by the condition |T2∗ − T2 | < ∆T . If to achieve the maximum security of the system. However, we
the verification holds, it calculates HIDi = U5 ⊕ h(IDGSS suggest the biometric update along with the password update
kSIDRDj kIDRDj kT2 ), h(R1 kR2 ) = U7 ⊕ h(HIDi if the user Ui wants to do so. In the case of old biometric to
?
kIDRDj kSIDRDj kT2 ), and checks U6 = h(HIDi kIDRDj be kept unchanged by Ui , old biometric will be considered as
kCIDk kT2 kh(R1 kR2 )). If if fails, RDj rejects the mes- new one during the password/biometric update phase.
sage. Otherwise, it creates a random number R3 with current PB1: Ui first inputs the credentials (identity IDi , password
timestamp T3 . RDj also calculates R30 = h(R3 kh(R1 kR2 )), P Wi and biometric BIOi0 ) in his/her mobile device M Di .
U8 = R30 ⊕ h(HIDi kIDRDj kT3 kCIDk ), and computes M Di computes σi0 = Rep(BIOi0 , τi ), bi = Li ⊕ h(σi0 kIDi
the session key SK = h(R30 kHIDi kIDRDj kCIDk kT3 ) kP Wi ), HIDi = h(IDi kbi ), HP Wi = h(P Wi kbi ), Ai =

A0i ⊕ h(bi kHIDi kHP Wi kσi0 ), U IDi = Ai , CIDk = mobile device. Ui also deletes T Ci from M Di to complete
Bi ⊕ h(HIDi kU IDi ), T Ci = h(CIDk kU IDi kIDGSS ). the revocation and reissue process.
?
Next, if the condition Mi = h(Ai kT Ci kbi kσi0 ) fails, M Di This phase is also illustrated in Fig. 7.
discontinues this process. Otherwise, M Di informs Ui to
Mobile Device of User (Ui ) Ground Station Server (GSS)
supply fresh password P Winew and fresh biometric BIOinew , Choose same IDi , but new P Winew .
and it continues to the next step. Generate new random number b0i .
PB2: Ui picks a fresh password P Winew and selects fresh Compute HIDi = h(IDi kb0i ),
HP Winew = h(P Winew kb0i ). Compute
biometrics BIOinew , and supplies them to M Di . M Di com- {HIDi }
−−−−−−−−−−→ T Ci = h(CIDk kU IDi kIDGSS ),
putes HIDi = h(IDi kbi ), HP Wi = h(P Winew kbi ), Secure channel
Ai = U IDi ,
(σinew , τinew ) = Gen(BIOinew ), Lnewi = bi ⊕ h(σinew kIDi Bi = CIDk ⊕ h(HIDi kU IDi ).
new
kP Wi ), Mi new
= h(Ai kT Ci kbi kσinew ), and A0newi = Input biometrics BIOinew .
M D new ={Ai ,Bi ,T Ci ,h(·),IDGSS ,CIDk }
←−−i−−−−−−−−−−−−−−−−−−−−−−−−
Secure channel
Ai ⊕ h(bi kHIDi kHP Winew kσinew ). Compute Gen(BIOinew ) = (σinew , τi ),
Lnew = bi ⊕ h(σinew kIDi kP Winew ),
PB3: Finally, Ui replaces A0i , Mi and Li with A0new
i , Minew i
Minew = h(Ai kT Ci kbi kσinew ),
new
and Li , respectively, in the mobile device M Di . A0new
i = Ai ⊕ h(bi kHIDi
The detailed illustration of this phase is shown in Fig. 6. kHP Winew kσinew ).
Update M Di = {A0new
i , Bi , Minew , Lnew
i ,
h(·), IDGSS , CIDk , Gen(·), Rep(·), τi }.
User (Ui ) Mobile Device (M Di ) Fig. 7. Revocation and reissue phase
Choose IDi , P Wi and BIOi0 .
{IDi , P Wi , BIOi0 } Compute σi0 = Rep(BIOi0 , τi ),
−−−−−−−−−−−−−−−− −→
bi = Li ⊕ h(σi0 kIDi kP Wi ),
HIDi = h(IDi kbi ), F. Dynamic Remote Drone addition phase
HP Wi = h(P Wi kbi ),
For deploying a new remote drone device, say RDjnew in
Ai = A0i ⊕ h(bi kHIDi kHP Wi kσi0 ),
U IDi = Ai , some existing cluster with identity CIDk , the following steps
CIDk = Bi ⊕ h(HIDi kU IDi ), need to be executed in offline:
T Ci = h(CIDk kU IDi kIDGSS ). new
DA1: The GSS picks a unique identity IDRD j
and gen-
?
Verify Mi = h(Ai kT Ci kbi kσi0 ) new
erates a long-term secret XRDj for RDj new
to calculate the
If so, inform Ui to supply fresh new new
password & biometrics.
secret key SIDRD j
= h(CIDk kIDRD j
kXGSS kXRDjnew )
Select fresh password P Winew , using long-term secret key XGSS of the GSS.
fresh biometrics BIOinew . DA2: Finally, RDj new is pre-loaded with the credentials
{P Winew , BIOinew } Compute HIDi = h(IDi kbi ), {IDGSS , CIDk , IDRD new
, SIDRD new
, h(·)} before it is de-
−−−−−−− −−−−−−−−−−−→ j j
HP Wi = h(P Winew kbi ), ployed in the k th cluster flying zone. The GSS also adds the
(σinew , τinew ) = Gen(BIOinew ), new new
Lnew = bi ⊕ h(σinew kIDi kP Winew ),
credentials {IDRD j
, SIDRD j
} in its database.
i
Replace A0i , Mi & Li with Minew = h(Ai kT Ci kbi kσinew ),
A0new
i , Minew &Lnew
i in A0new
i = Ai ⊕ h(bi kHIDi k IV. S ECURITY A NALYSIS
M Di , respectively. HP Winew kσinew ).
Both formal and informal security analysis have been car-
Fig. 6. Password/biometric update phase
ried out on TCALAS to show its resistance against vari-
ous attacks performed by an active (passive) adversary. The
Burrows-Abadi-Needham (BAN) logic [29] is a logic of belief
E. Revocation and Reissue Phase whose primary application is to “analyze the authentication
protocols by deriving the beliefs that the honest principals
If an authorized registered user Ui ’s mobile device M Di
correctly executing a protocol can come to as a result of the
is somehow stolen or lost, Ui can obtain new mobile device
protocol execution”. It is worth noting that the BAN logic
M Dinew by executing phase as follows.
only proves the mutual authentication of the security protocols
RR1: Ui maintains the same identity IDi , but picks a new
among the considered communicating entities. On the other
password P Winew . Next, Ui creates a random number b0i to
hand, the Real-Or-Random (ROR) model [13] is used for
compute HIDi = h(IDi kb0i ) and HP Winew = h(P Winew
formal security analysis of security protocols to show whether
kb0i ), and presents {HIDi , h(·)} to the GSS through secure
those protocols provide the session key (SK) security or not.
channel.
RR2: On receiving the request, the GSS computes T Ci =
h(CIDk kU IDi kIDGSS ), Ai = U IDi , and Bi = CIDk ⊕ A. ROR Model-Based Formal Security Analysis
h(HIDi kU IDi ), and dispatches M Dinew = {Ai , Bi , T Ci , In this paper, the formal security under the widely applied
h(·), IDGSS , CIDk } using a reliable channel. Real-Or-Random (ROR) model [13] for TCALAS is analyzed
RR3: After receiving the response from the GSS, to test its the session key (SK) security.
Ui imprints his/her biometrics BIOinew and computes Under the ROR model, an adversary, say A interacts with
Gen(BIOinew ) = (σinew , τi ), Lnewi = bi ⊕ h(σinew kIDi P t , the tth instance of an executing participant (e.g. in
new
kP Wi ), Mi new
= h(Ai kT Ci kbi kσinew ) and A0new
i = TCALAS it can be a user Ui , the GSS or a remote drone
Ai ⊕ h(bi kHIDi kHP Winew kσinew ). Finally, Ui replaces DRj ). Thus, there are three PUt1i , PGSS
t2 t3
and PRD j
as the
Ai with A0newi , and stores A0new
i , Minew and Lnew
i on the th th th
t1 , t2 and t3 of Ui , GSS and RDj , respectively. Also,

the ROR model presumes different queries simulating an and R3 ) and long term secrets (HIDi , IDRDj and CIDk )
actual attack, such as Send, CorruptMD, Test, Execute and which are unknown to the adversary A. Therefore, just by
Reveal queries, which are provided in Table III. In addition, a eavesdropping the messages M SG1 , M SG2 and M SG3 the
collision-resistant one-way hash function h(·) is accessible by winning chance of Game1 by A is not at all increased.
all the participating entities including A, which is modeled as Leveraging the indistinguishability of Game0 and Game1 , it
a random oracle, say Hash. follows that
AdvTA,Game1 A,Game0
CALAS = AdvT CALAS . (2)
TABLE III
VARIOUS QUERIES WITH THEIR DESCRIPTIONS Game2 : The simulations of the Send and Hash queries are
involved in this game to model it as an active attack. From
Query Description
the exchanged messages M SG1 , M SG2 and M SG3 , all Uk
Send(P t , msg) Modeled as an active attack, where A can
dispatch a message msg to an instance P t , (k = 1, 2, . . . , 9), are safeguarded by the collision-resistant
and also P t replies accordingly h(·). Since all the Uk are included the random nonces, current
Reveal(P t ) Execution of this query allows to reveal current timestamps, identities and secret credentials, there will be no
session key SK between P t and its partner to
A collision when the Send and Hash queries are executed by
CorruptM D(PU t1
) A can obtain biometric key σi and password A. Both the games Game1 and Game2 are indistinguishable
i
P Wi of Ui from stolen/lost mobile device except the inclusion of the simulations of the Send and Hash
M Di
t queries in Game2 . The results of the birthday paradox lead
T est(P ) A requests P t for the session key SK and P t
replies probabilistically an outcome of a flipped to the following result:
unbiased coin c
Execute(PU t1 t2
, PGSS , It enables A to eavesdrop the messages com-
|AdvTA,Game A,Game2 2
CALAS − AdvT CALAS | ≤ qrh /(2|Hash|).
1
(3)
i
P t3 ) municated among Ui , GSS and RDj Game3 : The final game Game3 is transformed from
RDj
Game2 by including the simulation of CorruptM D query
In Theorem 1, the SK-security of TCALAS under the ROR described in Table III. By executing the CorruptM D query,
model is proved using the queries defined in Table III. A will have the credentials {A0i , Bi , Mi , Li , h(·), IDGSS ,
CIDk , Gen(·), Rep(·), τi }. By guessing some passwords, A
Theorem 1. Let a polynomial time adversary A run in time
can verify it using the extracted information A0i and Li using
t against the proposed protocol (TCALAS). If qrh , qrs , l and
the Zipf’s law on passwords [30]. If we only take in account
|Hash| denote the number of hash queries, the number of
of the trawling guessing attacks, A’s advantage will exceed
Send queries, the number of bits in the biometric secret key,
over 0.5 in case qrs = 107 or 108 [30]. In addition, when
the range space of h(·), respectively, and C 0 and s0 are the
A utilize the target user’s personal data using the targeted
Zipf’s parameters defined in [30], A’s advantage in cracking
guessing attacks, A’s advantage will exceed over 0.5 when
TCALAS’s semantic security to attain the session key SK
qrs ≤ 106 [32]. Furthermore, since the fuzzy extractor applied
between Ui and RDj can be approximated as
2
qrh
n 0
o in TCALAS can extract at most l random bits, A guessing
AdvTACALAS (t) ≤ |Hash| + 2 max C 0 · qrss , qr
2l
s
. probability of the biometric key σi ∈ {0, 1}l turns out to
Proof. The proof of this theorem is followed in a similar way be approximately 21l [22]. The games Game2 and Game3
that presented in [2], [3], [31]. are indistinguishable except the inclusion of the simulation of
We define the following four games, say Gamej , j ∈ [0, 3]. the CorruptM D query in Game3 . If the system permits a
If Succj denotes an event wherefore A can imagine the restricted number of wrong password inputs, the Zipf’s law
random bit c in Gamej accurately, A’s advantage in winning on passwords [30] leads to the following result:
s0 qrs
A,Game n o
this game will be denoted and defined by AdvT CALASj = |AdvTA,Game 2
− Adv A,Game3
| ≤ max C 0
· qr , . (4)
CALAS T CALAS s
P r[Succj ], where P r[X] is an event X’s probability. 2l
Game0 : The real attack performed by A against TCALAS Since all the queries are simulated by A, it only remains to
in the ROR model corresponds to Game0 . The bit c is picked predict the bit c to win the game once the T est query is
up randomly at the starting of Game0 . Hence, we have, executed, and hence, we have AdvTA,Game 3
CALAS = 2 .
1

Simplifying the Eqs. (1)–(4) and utilizing the triangular

AdvTACALAS (t) = |2.AdvTA,Game
CALAS − 1|.
0
(1) inequality, the following is obtained:
Game1 : Under this game, an eavesdropping attack is mod- 1 1
.AdvTACALAS (t) = |AdvTA,Game
CALAS − |
0

eled in which A can intercept all the communicated messages 2 2

M SG1 = {U1 , U2 , U3 , U4 , T1 }, M SG2 = {U5 , U6 , U7 , T2 } = |AdvTA,Game
CALAS
1
− Adv A,Game3
T CALAS |
and M SG3 = {U8 , U9 , T3 } during the login & authentication ≤ |AdvTA,Game A,Game2
CALAS − AdvT CALAS |
1

phase which executing TCALAS using the Execute query

listed in Table III. At the end of this game, A executes +|AdvTA,Game A,Game3
CALAS − AdvT CALAS |
2

the Reveal and T est queries to check whether the derived qrh2 0 qrs
≤ + max{C 0 · qrss , l }.
session key SK is real or a random key. The session key 2|Hash| 2
constructed between user Ui and accessed drone DRj is 2
qrh
Hence, it follows that AdvTACALAS (t) ≤ +
SK = h(h(R3 kh(R1 kR2 )) kHIDi kIDRDj kCIDk kT3 ). n 0
o |Hash|
To calculate SK, A requires the temporal secrets (R1 , R2 2 max C 0 · qrss , qr
2l
s
.

B. Informal Security Analysis and Other Discussions some legitimate information or message to convince the GSS.
Propositions 1–9 show that TCALAS is resilient against If A responds on behalf of Ui , he/she needs to respond with
several attacks, and also ensures user anonymity and untrace- a valid message M SG1 . Though A can generate a timestamp
ability. T10 , due to the lack of knowledge about IDi , σi0 , bi , R1∗ , XGSS
∗
the adversary A will fail to compute {HIDi , IDRD j
, CIDk ,
Proposition 1. TCALAS is resilient against stolen mobile U IDi , T Ci } as valid parameters. This discussion ensures that
device attacks. A will fail to forge/impersonate the legal user Ui in polynomial
Proof. This attack specifically deals with a legal registered time. Therefore, TCALAS protects user impersonation attack.
user Ui ’s mobile device M Di which is either lost or stolen. ii) GSS impersonation attack: In order to make believe
The details of this attack are as follows. a registered drone RDj , A can intercept the authentication
message M SG2 = {U5 , U6 , U7 , T2 } of the GSS. A may
i) Identity guessing attack: In the initial part, Ui sends
produce some tampered or forged messages by extracting
the credentials {HIDi , h(·)} to the GSS, where HIDi =
some confidential information/credentials of the GSS to prove
h(IDi kbi ), over the secure channel during the registration
his/her authenticity. To perform this, A needs to be successful
process. It is observed that the requested message does not
in computing a legal message M SG2 by creating a fresh
have any plaintext login credentials, i.e., the identity IDi of
random nonce R2 and timestamp T2 in polynomial time.
Ui is concatenated with random number bi . Now, we assume
Due to the lack of knowledge about CIDk , IDRDj , XGSS ,
that an insider of the GSS being an attacker A and having the
U IDi and SIDRDj , A can not compute HIDi and T Ci ,
lost/stolen M Di tries to extract information from its memory
or to modify U6 . Thus, it ensures that A is not privileged
using the power analysis methods [11]. A has the credentials
to forge/tamper the deceived message of the GSS in a
{A0i , Bi , Mi , Li , h(·), IDGSS , CIDk , Gen(·), Rep(·), τi }.
polynomial time. Hence, TCALAS resists GSS impersonation
Gaining access or guessing Ui ’s IDi from HIDi without
attack.
knowledge of random secret bi is computationally infeasible
iii) Remote drone impersonation attack: Consider the sce-
task for A to invert HIDi as it is facilitated with cryptographic
nario where during the execution of the TCALAS A tries
collision resistant h(·). From the above discussion it is clear
to make believe Ui by intercepting M SG3 = {U8 , U9 ,
that TCALAS resists the identity guessing attack.
T3 } of RDj . To forge/impersonate RDj , A must succeed in
ii) Offline password guessing attack: Having the extracted
computing a valid message M SG3 by means of generating
credentials from lost or stolen M Di of Ui , A fails to guess
new random nonce R1 , R2 & R3 , and timestamp T3 in
correctly P Wi from the extracted parameters A0i , Mi and Li
polynomial time. Due to the lack of knowledge about the secret
as he/she needs the secret parameters bi , Ai , T Ci , σi and
parameters XGSS , SIDRDj , h(R1 kR2 ) and CIDk , A can not
IDi . Thus, TCALAS also resists the offline password guessing
compute R1 , R2 , R3 , HIDi and the shared session key SK
attack.
of Ui and RDj . Thus, A fails to forge/impersonate RDj in
Proposition 2. TCALAS ensures user anonymity and untrace- polynomial time.
ability. Proposition 4. TCALAS protects replay attack.
Proof. Based on the threat model (Section I-C2), A can cap- Proof. We consider that during the login & authentication
ture the messages M SG1 = {U1 , U2 , U3 , U4 , T1 }, M SG2 = phase, A tries to capture M SG1 = {U1 , U2 , U3 , U4 , T1 },
{U5 , U6 , U7 , T2 } and M SG3 = {U8 , U9 , T3 } which were M SG2 = {U5 , U6 , U7 , T2 } and M SG3 = {U8 , U9 , T3 }
communicated in the time of login & authentication phase over to frame replay attack by replaying these messages to the
the insecure channel. Without knowing the parametric values receiver. But this attempt fails due to the involvement of the
U IDi , R1 , T Ci and bi , and the discussion in Proposition 1, it current timestamp and random numbers involved in the com-
is computationally infeasible task for A to derive authorized municated messages. On receiving the messages, the initial
user’s identity IDi . So, this ensures that TCALAS holds the step is the timestamp verification and then for the validation
user anonymity. In ensuring the untraceability, it is observed of the transmitted messages. Thus, framing the replay attack
that the messages M SGi (i = 1, 2, 3) are dynamic in is resisted in TCALAS.
nature which were computed using random nonces and current
timestamps. Therefore, A can not keep track of the activities Proposition 5. TCALAS protects man-in-the-middle attack.
performed by the same user over various sessions. Hence, Proof. In the login & authentication processs, suppose A tries
TCALAS also ensures untraceability feature. to capture and modify the messages M SG1 , M SG2 and
M SG3 to believe the participants that the messages received
Proposition 3. TCALAS is resilient secure against imperson-
from the genuine authentic participants. To frame this attack,
ation attacks.
A may modify the message M SG1 = {U1 , U2 , U3 , U4 , T1 }.
Proof. The following impersonation attacks related to But, this attempt fails due to the lack of knowledge on the
TCALAS are taken into account. involved secrets HIDi , R1 , T Ci and CIDk . Similarly, A’s
i) User impersonation attack: From the threat model (Sec- attempts fail to modify the other messages M SG2 = {U5 ,
tion I-C2), we consider A can intercept M SG1 = {U1 , U2 , U6 , U7 , T2 } and M SG3 = {U8 , U9 , T3 } due to the involved
U3 , U4 , T1 } of Ui during the execution of the protocol. secrets, randomness of the messages and usage of timestamps.
Further, A behaves likes an authentic user to extract or produce Thus, TCALAS also withstands man-in-the-middle attack.

Proposition 6. TCALAS delivers mutual authentication. to compromise the previous and future sessions as the session
keys are random and unique for each session. Therefore, A can
Proof. In TCALAS, the involved participants (Ui , GSS and
not determine the previous and upcoming session keys even
RDj ) need to authenticate mutually among each other. The
if the current session key is compromised [2], [3], [34]. Thus,
details are discussed as follows.
TCALAS successfully preserves both backward and forward
1) M Di → GSS : M SG1 = {U1 , U2 , U3 , U4 , T1 }: GSS secrecy along with the SK-security. Moreover, even with some
checks R1 and U4 to authenticate Ui . session hijacking attacks, only a particular session key can be
2) GSS → RDj : M SG2 = {U5 , U6 , U7 , T2 }: RDj leaked but the effect of it does not compromise previous &
checks U6 by extracting h(R1 kR2 ) to authenticate the future sessions. Hence, TCALAS is secure against the ESL
GSS directly, and also checking HIDi by Ui which attack.
is already available in the records (thereby indirectly
validates it upon matching with the records). Proposition 8. TCALAS is resilient against password and/or
3) RDj → M Di : M SG3 = {U8 , U9 , T3 }: Ui verifies U9 biometric update attack.
to validate RDj directly to perform the computation to Proof. Suppose the adversary A has lost or stolen mobile
establish SK = h(h(R3 kh(R1 kR2 )) kHIDi kIDRDj device M Di of a recorded user Ui and tries to attempt the
kCIDk kT3 ) and the GSS indirectly. password and/or biometrics of Ui so that he/she can utilize
From the above discussion, it is noted that mutual authentica- M Di for communication with the GSS and some accessible
tion between Ui and RDj is preserved with the help of the drones RDj . Applying the power analysis attacks, A can
GSS, and both Ui and RDj agree on the session key SK = extricate the credentials {A0i , Bi , Mi , Li , h(·), IDGSS ,
h(h(R3 kh(R1 kR2 )) kHIDi kIDRDj kCIDk kT3 ). CIDk , Gen(·), Rep(·), τi } from the memory of M Di . Now,
A’s task is to execute the steps described in Section III-D
Proposition 7. TCALAS is resilient against the Ephemeral
and picks some fake login credentials on behalf of Ui , such
Secret Leakage (ESL) attack.
as password P WiA and biometric BIOiA . To get access
Proof. The “ephemeral secrets” may be compromised if they to the system, A needs to compute HIDi = h(IDi kbi ),
are “pre-computed as well as stored in insecure memory”. In HP Wi = h(P WiA kbi ), (σiA , τinew ) = Gen(BIOiA ), LA i =
this scenario, the long term secret keys along with temporary bi ⊕ h(σiA kIDi kP WiA ), MiA = h(Ai kT Ci kbi kσiA ) and
secrets of communicating entities in the network can be A0Ai = Ai ⊕h(bi kHIDi kHP WiA kσiA ). For attempting
revealed to an adversary. Using the compromised secret cre- these computations, A needs to possess the secret credentials,
dentials, the adversary may derive the session key between two such as Ui ’s password P Wi and identity IDi , and σi , T Ci ,
communicating entities. This attack is termed as “ephemeral Ai and U IDi . Without these secrets it is a computationally
secret leakage (ESL) attack” [33]. impractical for A to get succeed in framing the attack. Thus,
During the login & authentication phase, after validating updating the information σi , T Ci , bi , Ai and U IDi by A is
mutual authentication in Proposition 6, Ui and RDj establish restricted in TCALAS, and hence, this attack is protected.
a common session key SK = h(h(R3 kh(R1 kR2 )) kHIDi
Proposition 9. TCALAS is resilient against remote drones
kIDRDj kCIDk kT3 ) (= SK ∗ ). Based on the threat model
capture attack.
(Section I-C2), we consider the CK-adversary model for the
SK-security. The reliability of SK-security of TCALAS is Proof. Under the threat model (Section I-C2), it is the case
relied on the following two cases: that A can physically steal some remote drones to obtain
Case 1. Assume the secret credentials R1 , R2 and R3 , which the information available in drones RDj0 s. Monitoring the
are ephemeral (short term) secrets, are some how familiar to devices, such as drones, 24/7 and 365 days is not possible
an adversary A. The challenge for A is to create the session as the remote drones are positioned in a combative domain.
key SK based on the short term secrets. But, due to the lack Thus, these drones can be stolen by A and the credentials
0 0
of knowledge of long term secrets (HIDi , IDRDj , XGSS , {IDGSS , CIDk , IDRD j
, SIDRDj
, h(·)} available in RDj0
0 0
T Ci , CIDk , and U IDi ), A fails to succeed in its challenge are known to A, where SIDRDj = h(CIDk kIDRD j
kXGSS
as it is computationally impractical for A to guess the long 0 0 0
kXRDj ). Since the identity IDRDj and XRDj of RDj are
term secrets. utilized, all the credentials SIDRDj s for all RDj s are dis-
Case 2. Suppose few or all of the long-term secrets (HIDi , tinct in the network. Furthermore, A using the compromised
IDRDj , XGSS , T Ci , CIDk , and U IDi ) are some how leaked remote drone RDj0 the session key SK = h(h(R3 kh(R1
to A. Now, the challenge for A remains to construct the kR2 )) kHIDi kIDRDj kCIDk kT3 ) established between
session key SK based on the long term secrets. However, the user Ui and other non-compromised drone RDj can not
without knowledge of short term secrets (R1 , R2 and R3 ), it compromise due to the distinct as well as uniqueness property
is computationally impractical for A to win the challenge by of the information stored in the remote drones, and also the
guessing the short term secrets. established session keys between the same user Ui and other
From the above two discussed cases, it is clear that the valid non-compromised remote drones RDj s in the network are also
session key SK is only computed with legitimate long term distinct. Moreover, compromising RDj0 has no consequence on
secrets and short term secrets which is possible only by the the session keys among Ui and remaining non-compromised
legitimate participants (Ui , GSS, and RDj ). Furthermore, in remote drones RDj s. Therefore, TCALAS is resilient against
TCALAS, compromising of current session key does not lead remote drones capture attack.

V. F ORMAL S ECURITY V ERIFICATION : A S IMULATION the back-ends validates whether the tested protocol can be
S TUDY executed by the authorized agents in order to search for
a passive adversary (intruder). The back-ends provide the
There are several automated software tools, such as “Au- intruder (always specified by the symbol i) with information
tomated Validation of Internet Security Protocols and Ap- about some normal sessions among the authorized agents. The
plications (AVISPA)” [35], “Scyther” [36] and “ProVerif” DY model (Section I-C2) is used by AVISPA and for its
[37] for formal security verification of a security protocol. verification the back-ends check any practicability of a man-
AVISPA is a “push-button tool for the automated validation in-the-middle attack.
of Internet security-sensitive protocols and applications, which The broadly used SPAN (Security Protocol ANimator for
provides a modular and expressive formal language for spec- AVISPA) tool [40] is used to do simulation on TCALAS.
ifying protocols and their security properties, and integrates The reported simulation results summarized in Fig. 8 clearly
different back-ends that implement a variety of state-of-the- evident that TCALAS protects both replay & man-in-the-
art automatic analysis techniques” [35]. ProVerif tool is based middle attacks.
on “applied pi calculus and is used for proving session key
secrecy and authentication” [37]. ProVerif also analyzes “an % OFMC SUMMARY
% Version of 2006/02/13 SAFE
unbounded number of runs by using over-approximation and SUMMARY DETAILS
SAFE BOUNDED_NUMBER_OF_SESSIONS
represents protocols by Horn clauses” [38]. On the other hand, DETAILS TYPED_MODEL
Scyther tool is “a tool for the automatic verification of security BOUNDED_NUMBER_OF_SESSIONS PROTOCOL
PROTOCOL C:\progra~1\SPAN\testsuite
protocols which checks bounded and unbounded number of C:\progra~1\SPAN\testsuite \results\auth−drone.if
\results\auth−drone.if GOAL
runs, using a symbolic backwards search based on patterns” GOAL As Specified
[38]. Cremers et al. [38] conducted a performance compar- as_specified
BACKEND
BACKEND
ison on several automatic protocol analysis tools, including OFMC CL−AtSe
COMMENTS
AVISPA, ProVerif and Scyther. Their analysis demonstrated STATISTICS STATISTICS
that ProVerif is the “fastest tool for the tested set of protocols, parseTime: 0.00s Analysed : 255 states
Reachable : 63 states
searchTime: 0.50s
whereas Scyther comes in as a very close second and has visitedNodes: 130 nodes Translation: 0.08 seconds
depth: 6 plies Computation: 0.02 seconds
the advantage of not using approximations, and AVISPA (CL-
Atse and OFMC backends (with concrete sessions)) are close
Fig. 8. Analysis of simulation results under OFMC & CL-AtSe backends
to each other, and these are also the most efficient followed
by another backend (SATMC) of AVISPA”.
In this paper, we apply the broadly accepted the software VI. P ERFORMANCE C OMPARISON
verification tool, AVISPA [35], to further validate the security
In this section, we study a detailed performance comparison
of TCALAS against an adversary who is either passive or
among TCALAS and other relevant schemes [16], [21], [19],
active. Various state-of-the-art mechanisms are designed in
[41].
AVISPA for performing automatic security analysis of a secu-
rity protocol. The four back-ends are integrated with AVISPA,
which include OFMC, CL-AtSe, SATMC, and TA4SP [35]. To A. Comparison of Security and Functionality Features
test whether a security protocol is safe or unsafe against an In Table IV, TCALAS is compared with the earlier proposed
adversary, the following steps are essential for implementation: works, such as the schemes of Challa et al. [19], Wazid et
Step 1. The protocol needs to be implemented using the al. [41], Turkanovic et al. [16] and Tai et al. [21] based on
High-Level Protocol Specification Language (HLPSL) which several security and functionality attributes. From this table it
is role-oriented language in nature [39]. Different roles need is evident that TCALAS more functionality features and also
to be specified. The basic roles are needed for all the partic- provides better security features as compared to other schemes.
ipants involved in a protocol (for example, for implementing
TCALAS the basic roles for a user Ui , the GSS and a drone B. Comparison of Communication Costs
DRj are essential). The composite roles (session and goal & In proving the efficiency of TCALAS in comparison to the
environment) refer to various scenarios which involve the basic existing schemes, we compare the communication cost of dif-
roles defined earlier. It is worth noting the composite roles are ferent participants involved during the login and authentication
mandatory. phases in which the messages are transmitted by the partici-
Step 2. The HLPSL2IF translator is responsible for trans- pants. We consider the bit-sizes of various parameters, such as
lating the HLPSL code to the Intermediate Format (IF). random number, identity, timestamp, elliptic curve point, and
Step 3. The IF is then used as input to a back-end to have hash output (if we apply SHA-1 as h(·) [42]), as 160, 160, 32,
either safe or unsafe result. (160 + 160) = 320, and 160 bits respectively. Furthermore,
All the details of AVISPA & HLPSL implementation related the 80-bit key size of a symmetric key cryptographic algorithm
information are available in [35], [39]. (e.g., Double Data Encryption Standard (2DES)) provides the
The broadly tested OFMC and CL-AtSe backends are equivalent security for the 1024-bit RSA and 160-bit ECC
chosen for TCALAS. We have not selected other back-ends [43].
(SATMC and TA4SP), because these do not assist bitwise Table V shows comparative study on communication over-
XOR operations. For checking the replay attack in a protocol, heads in the login and authentication process. During the login

TABLE IV
C OMPARISON OF SECURITY & FUNCTIONALITY ATTRIBUTES

Attribute Wazid et al. Challa et al. Turkanovic Tai et al. TCALAS

[41]
√ [19]
√ et al. [16] [21] √
SF A1 √ √ × × √
SF A2 √ √ ×
√ × √
SF A3 √ √ × √
SF A4 √ √ ×
√ √× √
SF A5 √ √ √
SF A6 √ √ ×
√ ×
√ √
SF A7 √ √ √ √ √
SF A8 √ √ √
SF A9 √ √ ×
√ ×
√ √
SF A10 √ √ √
SF A11 √ √ × × √
SF A12 √ ×
√ ×
√ √
SF A13 × Fig. 9. Comparison of communication costs
√ √ √ √ √
SF A14 √
SF A15 ×
√ ×
√ × × √
SF A16 × ×
√ milliseconds only. This cost is better than the schemes of
: a scheme supports an attribute or resists an attack; ×: a scheme does not
support an attribute or it does not resist an attack. Challa et al. and Tai et al., and it is comparable with the
SF A1 : offline or online password guessing attack; SF A2 : privileged insider schemes of Wazid et al. and Turkanovic et al. It is observed
attack; SF A3 : user anonymity; SF A4 : traceability; SF A5 : detection for that although Turkanovic et al.’s scheme requires overall lower
unauthorized login; SF A6 : stolen mobile/smart card attack; SF A7 : denial-
of-service attack; SF A8 : mutual authentication; SF A9 : ESL attack; SF A10 : computation cost than TCALAS, TCALAS is more secure than
replay & man-in-the-middle attacks; SF A11 : impersonation attacks; SF A12 : Turkanovic et al.’s scheme.
Sensing node or drone capture attack; SF A13 : revocability; SF A14 : formal
security verification under AVISPA tool; SF A15 : ROR model based formal
security; SF A16 : freely password/biometric change.

and authentication phase, TCALAS requires three messages

M SG1 = {U1 , U2 , U3 , U4 , T1 }, M SG2 = {U5 , U6 , U7 ,
T2 }, & M SG3 = {U8 , U9 , T3 } whose sizes are |M SG1 | =
(160+ 160+ 160+ 160+ 32) = 672 bits, |M SG2 | = (160+
160+ 160+ 32) = 512 bits and |M SG3 | = (160+ 160+
32) = 352 bits, respectively. The
P3overall communication cost
consumed by TCALAS is then i=1 |M SGi | = (672+ 512+
352) = 1536 bits. On the other hand, the existing schemes of
Challa et al. [19], Wazid et al. [41], Turkanovic et al. [16]
and Tai et al. [21] demand the communication costs of 2528
Fig. 10. Comparison of computation costs
bits, 1696 bits, 2720 bits and 2560 bits, respectively. It is
evident from Table V and Fig. 9 that TCALAS needs lower
communication cost than other existing schemes.
TABLE VI
ROUGH TIME FOR VARIOUS OPERATIONS [2], [3]
TABLE V
C OMPARISON OF COMMUNICATION COSTS Notation Description Approximate computation
(Time to compute) time (in seconds)
Scheme Messages among entities (in bits) Total cost (in bits)
672 512 512 Th Hash function 0.00032
[41] Ui −−→ S −−→ DRj −−→ Ui 1696 Tm ECC point multiplication 0.0171
992 1024 512
[19] Ui −−→ GW N −−−→ SNj −−→ Ui 2528 Tf e ≈ Tm Biometric-fuzzy extractor 0.0171
672 1024 576 448
[16] Ui −−→ SNj −−−→ GW N −−→ SNj −−→ Ui 2720
512 1024 576 448
[21] Ui −−→ SNj −−−→ GW N −−→ SNj −−→ Ui 2560
672 512 352
TCALAS Ui −−→ GSS −−→ RDj −−→ Ui 1536
TABLE VII
C OMPARISON OF COMPUTATION COSTS
Scheme→ Wazid et al. Challa et al. Turkanovic Tai et al. TCALAS
C. Comparison of Computation Costs Entity ↓ [41] [19] et al. [16] [21]
User 16Th + Tf e 5Th + Tf e 7Th 7Th 14Th + Tf e
The experimental results presented in Table VI are utilized +5Tm
to calculate the estimated computation costs of TCALAS GSS/ 8Th 4Th + 5Tm 5Th 6Th 9Th
and other related schemes in Table VII and also in Fig. Gateway

10. TCALAS, the schemes of Wazid et al., Challa et al., Drones/ 7Th 3Th + 4Tm 7Th 10Th 7Th
devices
Turkanovic et al. & Tai et al. need approximately 0.0267,
Total cost 31Th + Tf e 12Th + Tf e 19Th 23Th 30Th + Tf e
0.02702, 0.26034, 0.00608, and 0.00736 seconds, respectively. (in seconds) +14Tm
However, the computation cost needed for drones is very ≈ 0.02702 ≈ 0.26034 ≈ 0.00608 ≈ 0.00736 ≈ 0.0267

efficient as it requires 7Th ≈ 0.00224 seconds, that is, 2.24

VII. C ONCLUDING R EMARKS [7] J. A. Marty, “Vulnerability analysis of the mavlink protocol for
command and control of unmanned aircraft,” Master’s thesis, Air
It was pointed out in [44] that “IoD is a trend that will Force Institute of Technology, Air University, Wright-Patterson
remain in the foreseeable future, and there is a strong need Air Force Base, Ohio, USA, 2013. [Online]. Available: https:
//apps.dtic.mil/dtic/tr/fulltext/u2/a598977.pdf
to ensure the security and privacy of data collected from the [8] “UAV-applications,” https://en.wikipedia.org/wiki/List_of_unmanned_
drones and also to outsource the data to the cloud”. User aerial_vehicle_applications. Accessed on January 2019.
authentication is one of the main security services that is [9] M. Wazid, A. K. Das, and J.-H. Lee, “Authentication Protocols for the
Internet of Drones: Taxonomy, Analysis and Future Directions,” Journal
needed for securing communication between a legal user & of Ambient Intelligence and Humanized Computing, pp. 1–10, 2018.
a designated drone to acquire the real-time data from the [10] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE
designated drones. Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
[11] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-card
In this article, we designed a new temporal credential based security under the threat of power analysis attacks,” IEEE Transactions
anonymous lightweight user authentication mechanism for IoD on Computers, vol. 51, no. 5, pp. 541–552, 2002.
environment (TCALAS) which is a three-factor scheme using [12] R. Canetti and H. Krawczyk, “Universally Composable Notions of Key
Exchange and Secure Channels,” in International Conference on the
user’s mobile device, password and biometrics. TCALAS is Theory and Applications of Cryptographic Techniques– Advances in
tested rigorously for its security part using formal security Cryptology (EUROCRYPT 2002), Amsterdam, The Netherlands, 2002,
analysis using ROR model, formal security verification using pp. 337–351.
[13] M. Abdalla, P. Fouque, and D. Pointcheval, “Password-based authenti-
AVISPA tool and also using informal security analysis. A cated key exchange in the three-party setting,” in Public Key Cryptog-
detailed comparative analysis of TCALAS with other existing raphy (PKC’05), Lecture Notes in Computer Science, vol. 3386. Les
related schemes provided that TCALAS is better in security, Diablerets, Switzerland: Springer, Berlin, Heidelberg, 2005, pp. 65–84.
[14] I. Alqassem and D. Svetinovic, “A taxonomy of security and privacy
supports more functionality attributes, and has lower com- requirements for the Internet of Things (IoT),” in IEEE International
munication and computation costs for the drones or resource Conference on Industrial Engineering and Engineering Management
constrained sensing devices in the IoD environment. (IEEM’14), Bandar Sunway, Malaysia, 2014, pp. 1244–1248.
[15] H. Tan, G. Tsudik, and S. Jha, “MTRA: Multi-Tier randomized Remote
In the future, we would like to evaluate TCALAS in a real- Attestation in IoT Networks,” Computers & Security, 2018.
world environment. This will allow us to fine-tune TCALAS, [16] M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication
if needed, to offer better security and performance in a real- and key agreement scheme for heterogeneous ad hoc wireless sensor
networks, based on the internet of things notion,” Ad Hoc Networks,
world deployment. vol. 20, pp. 96–112, 2014.
[17] M. S. Farash, M. Turkanović, S. Kumari, and M. Hölbl, “An efficient
user authentication and key agreement scheme for heterogeneous wire-
ACKNOWLEDGMENTS less sensor network tailored for the internet of things environment,” Ad
This work was partially supported by RNP with resources Hoc Networks, vol. 36, pp. 152–176, 2016.
[18] R. Amin, S. H. Islam, G. Biswas, M. K. Khan, L. Leng, and N. Ku-
from MCTIC, Grant No. 01250.075413/2018-04, under the mar, “Design of an anonymity-preserving three-factor authenticated key
Centro de Referência em Radiocomunicações - CRR project exchange protocol for wireless sensor networks,” Computer Networks,
of the National Institute of Telecommunications (Instituto vol. 101, pp. 42–62, 2016.
[19] S. Challa, M. Wazid, A. K. Das, N. Kumar, A. G. Reddy, E. J. Yoon, and
Nacional de Telecomunicações - Inatel), Brazil; by National K. Y. Yoo, “Secure Signature-Based Authenticated Key Establishment
Funding from the FCT – Fundação para a Ciência e a Scheme for Future IoT Applications,” IEEE Access, vol. 5, pp. 3028–
Tecnologia through the UID/EEA/500008/2019 Project; and 3043, 2017.
[20] Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight Three-Factor
by Brazilian National Council for Research and Development Authentication and Key Agreement Protocol for Internet-Integrated
(CNPq) via Grant No. 309335/2017-5. The authors would Wireless Sensor Networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
like to thank the Associate Editor and the reviewers for their [21] W.-L. Tai, Y.-F. Chang, and W.-H. Li, “An IoT notion-based au-
thentication and key agreement scheme ensuring user anonymity for
valuable comments and suggestions which have helped in heterogeneous ad hoc wireless sensor networks,” Journal of Information
improving the technial quality of the paper. Security and Applications, vol. 34, pp. 133–141, 2017.
[22] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, “Design
of Secure User Authenticated Key Management Protocol for Generic IoT
R EFERENCES Networks,” IEEE Internet of Things Journal, vol. 5, no. 1, pp. 269–282,
Feb 2018.
[1] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things [23] K. Chen, S. Zhang, Z. Li, Y. Zhang, Q. Deng, S. Ray, and Y. Jin,
(IoT): A vision, architectural elements, and future directions,” Future “Internet-of-things security and vulnerabilities: Taxonomy, challenges,
Generation Computer Systems, vol. 29, no. 7, pp. 1645 – 1660, 2013. and practice,” Journal of Hardware and Systems Security, pp. 1–14,
[2] J. Srinivas, A. K. Das, N. Kumar, and J. Rodrigues, “Cloud Centric 2018.
Authentication for Wearable Healthcare Monitoring System,” IEEE [24] A. K. Das, S. Zeadally, and D. He, “Taxonomy and analysis of security
Transactions on Dependable and Secure Computing, 2018, DOI: protocols for Internet of Things,” Future Generation Computer Systems,
10.1109/TDSC.2018.2828306. vol. 89, pp. 110–125, 2018.
[3] J. Srinivas, A. K. Das, M. Wazid, and N. Kumar, “Anonymous [25] M. Hassanalian and A. Abdelkefi, “Classifications, applications, and
lightweight chaotic map-based authenticated key agreement protocol for design challenges of drones: A review,” Progress in Aerospace Sciences,
industrial Internet of Things,” IEEE Transactions on Dependable and vol. 91, pp. 99–131, 2017.
Secure Computing, 2018. [26] Q. Pan, X. Wen, Z. Lu, L. Li, and W. Jing, “Dynamic Speed Control of
[4] M. Gharibi, R. Boutaba, and S. L. Waslander, “Internet of drones,” IEEE Unmanned Aerial Vehicles for Data Collection under Internet of Things,”
Access, vol. 4, pp. 1148–1162, 2016. Sensors, vol. 18, no. 11, p. 3951, 2018.
[5] Y. Son, J. Noh, J. Choi, and Y. Kim, “GyrosFinger: Fingerprinting [27] L. Lamport, “Password authentication with insecure communication,”
Drones for Location Tracking Based on the Outputs of MEMS Gy- Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
roscopes,” ACM Transactions on Privacy and Security, vol. 21, no. 2, [28] S. Roy, S. Chatterjee, A. K. Das, S. Chattopadhyay, S. Kumari, and
p. 10, 2018. M. Jo, “Chaotic Map-Based Anonymous User Authentication Scheme
[6] “MAVLink: Micro Air Vehicle Communication Protocol,” http:// With User Biometrics and Fuzzy Extractor for Crowdsourcing Internet
mavlink.org/messages/common, http://qgroundcontrol.org/mavlink/start. of Things,” IEEE Internet of Things Journal, vol. 5, no. 4, pp. 2884–
Accessed on August 2018. 2895, Aug 2018.

[29] M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentication,” Ashok Kumar Das (M’17–SM’18) received a Ph.D.
ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990. degree in computer science and engineering, an
[30] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s Law in M.Tech. degree in computer science and data pro-
Passwords,” IEEE Transactions on Information Forensics and Security, cessing, and an M.Sc. degree in mathematics from
vol. 12, no. 11, pp. 2776–2791, Nov 2017. IIT Kharagpur, India. He is currently an Associate
[31] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure Professor with the Center for Security, Theory and
Remote User Authenticated Key Establishment Protocol for Smart Algorithmic Research, IIIT, Hyderabad, India. His
Home Environment,” IEEE Transactions on Dependable and Secure current research interests include cryptography and
Computing, 2018, doi: 10.1109/TDSC.2017.2764083. network security including security in smart grid,
[32] D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, “Targeted On- Internet of Things (IoT), Internet of Drones (IoD),
line Password Guessing: An Underestimated Threat,” in Proc. of the Internet of Vehicles (IoV), Cyber-Physical Systems
ACM SIGSAC Conference on Computer and Communications Security (CPS) and cloud computing, and blockchain. He has authored over 185 papers
(CCS’06), Vienna, Austria, 2016, pp. 1242–1254. in international journals and conferences in the above areas, including over
[33] C.-L. Liu, W.-J. Tsai, T.-Y. Chang, and T.-M. Liu, “Ephemeral-Secret- 160 reputed journal papers. He was a recipient of the Institute Silver Medal
Leakage Secure ID-Based Three-Party Authenticated Key Agreement from IIT Kharagpur. He is on the editorial board of KSII Transactions on
Protocol for Mobile Distributed Computing Environments,” Symmetry, Internet and Information Systems, International Journal of Internet Technology
vol. 10, no. 4, pp. 1–24, 2018. and Secured Transactions (Inderscience), and IET Communications, is a Guest
[34] J. Srinivas, A. K. Das, and J. J. Rodrigues, “2PBDC: Privacy-Preserving Editor for Computers & Electrical Engineering (Elsevier) for the special issue
Big Data Collection in Cloud Environment,” The Journal of Supercom- on Big data and IoT in e-healthcare and for ICT Express (Elsevier) for the
puting, pp. 1–30, 2018. special issue on Blockchain Technologies and Applications for 5G Enabled
[35] AVISPA, “Automated Validation of Internet Security Protocols and IoT, and has served as a Program Committee Member in many international
Applications,” 2019, Accessed on December 2018. [Online]. Available: conferences.
http://www.avispa-project.org/
[36] “The Scyther Tool,” Accessed on March 2019. [Online]. Available:
https://people.cispa.io/cas.cremers/scyther/
[37] M. Abadi, B. Blanchet, and H. Comon-Lundh, “Models and Proofs of
Protocol Security: A Progress Report,” in 21st International Conference
on Computer Aided Verification (CAV’09), Grenoble, France, 2009, pp.
35–49. Neeraj Kumar (M’16, SM’17) received the Ph.D.
[38] C. J. F. Cremers, P. Lafourcade, and P. Nadeau, “Comparing state spaces degree in computer science and engineering from
in automatic security protocol analysis,” in Formal to Practical Security: Shri Mata Vaishno Devi University, Katra (J&K),
Papers Issued from the 2005-2008 French-Japanese Collaboration, India, in 2009. He was a Post-Doctoral Research
V. Cortier, C. Kirchner, M. Okada, and H. Sakurada, Eds. Berlin, Fellow at Coventry University, Coventry, U.K. He
Heidelberg: Springer Berlin Heidelberg, 2009, pp. 70–94. is currently an Associate Professor with the Depart-
[39] D. von Oheimb, “The high-level protocol specification language hlpsl ment of Computer Science and Engineering, Thapar
developed in the eu project avispa,” in Proceedings of 3rd APPSEM University, Patiala, India. He has authored more than
II (Applied Semantics II) Workshop (APPSEM’05), Frauenchiemsee, 250 technical research papers published in leading
Germany, 2005, pp. 1–17. journals and conferences from the IEEE, Elsevier,
[40] AVISPA, “SPAN, the Security Protocol ANimator for AVISPA,” Springer, John Wiley, etc. He is in the editorial
2019, Accessed on December 2018. [Online]. Available: http: board of IEEE Communications Magazine, Journal of Network and Computer
//www.avispa-project.org/ Applications (Elsevier) and International Journal of Communication Systems
[41] M. Wazid, A. K. Das, N. Kumar, A. V. Vasilakos, and J. J. (Wiley).
Rodrigues, “Design and Analysis of Secure Lightweight Remote
User Authentication and Key Agreement Scheme in Internet of
Drones Deployment,” IEEE Internet of Things Journal, 2018, doi:
10.1109/JIOT.2018.2888821.
[42] “Secure Hash Standard,” FIPS PUB 180-1, National Institute of
Standards and Technology (NIST), U.S. Department of Commerce,
April 1995. Accessed on January 2019. [Online]. Available: http:
//nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
[43] E. Barker, “Recommendation for Key Management,” Special Publication Joel J. P. C. Rodrigues (S’01, M’06, SM’06) is
800-57 Part 1 Rev. 4, NIST, 01/2016. Accessed on Feb. Professor at the National Institute of Telecommu-
2019. [Online]. Available: https://csrc.nist.gov/csrc/media/publications/ nications (Inatel), Brazil and senior researcher at
sp/800-57-part-1/rev-4/final/documents/sp800-57p1r4_draft.pdf the Instituto de Telecomunicações, Portugal. Prof.
[44] C. Lin, D. He, N. Kumar, K.-K. R. Choo, A. Vinel, and X. Huang, “Se- Rodrigues is the leader of the Internet of Things
curity and privacy for the internet of drones: Challenges and solutions,” research group (CNPq), Director for Conference
IEEE Communications Magazine, vol. 56, no. 1, pp. 64–69, 2018. Development - IEEE ComSoc Board of Governors,
IEEE Distinguished Lecturer, Technical Activities
Committee Chair of the IEEE ComSoc Latin Amer-
ica Region Board, the President of the scientific
council at ParkUrbis Covilh Science and Technology
Jangirala Srinivas (M’19) completed his Bachelor Park, the Past-Chair of the IEEE ComSoc Technical Committee on eHealth,
of Science in 2003 from Kakatiya University, India, the Past-chair of the IEEE ComSoc Technical Committee on Communications
the Master of Science degree from Kakatiya Univer- Software, Steering Committee member of the IEEE Life Sciences Technical
sity in 2008, the Master of Technology degree from Community and Publications co-Chair, and Member Representative of the
IIT Kharagpur in 2011, and then his PhD degree IEEE Communications Society on the IEEE Biometrics Council. He is the
from the Department of Mathematics, IIT Kharagpur Editor-in-Chief of two International Journals and an editorial board member
in 2017. He is currently working as an assistant of several top journals. He has authored or coauthored over 700 papers in
professor with the Jindal Global Business School, O. refereed international journals and conferences, 3 books, and 2 patents. He
P. Jindal Global University, Haryana 131001, India. had been awarded several Outstanding Leadership and Outstanding Service
Prior to this, he also worked as a research assistant Awards by IEEE Communications Society and several best papers awards. He
with the Center for Security, Theory and Algorithmic is member of the Internet Society, and a senior member ACM and IEEE.
Research, International Institute of Information Technology (IIIT), Hyderabad,
India. His research interests include authentication protocols, information
security, digital rights management and cloud computing. He has authored
10 papers in international journals and conferences in his research areas.

Enabling Drones in The Internet of Things With Decentralized Blockchain-Based Security
No ratings yet
Enabling Drones in The Internet of Things With Decentralized Blockchain-Based Security
10 pages
Bera 2021
No ratings yet
Bera 2021
15 pages
Hafizul
No ratings yet
Hafizul
40 pages
Nature Report IoT Drones Article
No ratings yet
Nature Report IoT Drones Article
20 pages
Mee 789
No ratings yet
Mee 789
19 pages
A Review of Security in Internet of Things
No ratings yet
A Review of Security in Internet of Things
20 pages
Smart Cybersecurity Framework For IoT-Empowered Drones Machine Learning Perspective 2022
No ratings yet
Smart Cybersecurity Framework For IoT-Empowered Drones Machine Learning Perspective 2022
25 pages
Quantum-Safe Secure and Authorized Communication Protocol For Internet of Drones
No ratings yet
Quantum-Safe Secure and Authorized Communication Protocol For Internet of Drones
9 pages
Downloads Brochure Fz25
No ratings yet
Downloads Brochure Fz25
7 pages
Development of An Autonomous Iot-Based Drone For Campus Security
No ratings yet
Development of An Autonomous Iot-Based Drone For Campus Security
7 pages
Review Paper
No ratings yet
Review Paper
23 pages
A Review On Security Issues and Solutions of The Internet of Drones.2024.15s
No ratings yet
A Review On Security Issues and Solutions of The Internet of Drones.2024.15s
15 pages
Blockchain-Based Secure and Lightweight Authentication For Internet of Things
No ratings yet
Blockchain-Based Secure and Lightweight Authentication For Internet of Things
12 pages
Smart Defenses: Machine Learning-Based Proactive Cyber Attack Detection in Iot Systems
No ratings yet
Smart Defenses: Machine Learning-Based Proactive Cyber Attack Detection in Iot Systems
5 pages
Sensors 22 07433 v3
No ratings yet
Sensors 22 07433 v3
51 pages
A Machine Learning Security Framework For Iot Systems
No ratings yet
A Machine Learning Security Framework For Iot Systems
12 pages
Sensors 18 04015 v2
No ratings yet
Sensors 18 04015 v2
21 pages
Hyperelliptic Curve Based Authentication For The Internet of Drones
No ratings yet
Hyperelliptic Curve Based Authentication For The Internet of Drones
10 pages
Insight To Security Paradigm Research Trend Statis
No ratings yet
Insight To Security Paradigm Research Trend Statis
11 pages
An In-Depth Analysis of Iot Security Requirements, Challenges, and Their Countermeasures Via Software-Defined Security
No ratings yet
An In-Depth Analysis of Iot Security Requirements, Challenges, and Their Countermeasures Via Software-Defined Security
27 pages
A Survey On Security and Privacy Issues in Internet-of-Things
No ratings yet
A Survey On Security and Privacy Issues in Internet-of-Things
9 pages
Implementation of Intrusion Detection System in The
No ratings yet
Implementation of Intrusion Detection System in The
6 pages
Drone Application in Smart Cities: The General Overview of Security Vulnerabilities and Countermeasures For Data Communication
No ratings yet
Drone Application in Smart Cities: The General Overview of Security Vulnerabilities and Countermeasures For Data Communication
27 pages
04 Abstract
No ratings yet
04 Abstract
3 pages
10 0000@ieeexplore Ieee Org@8717819 PDF
No ratings yet
10 0000@ieeexplore Ieee Org@8717819 PDF
5 pages
Improving The Security of Internet of Things Using Encryption Algorithms
No ratings yet
Improving The Security of Internet of Things Using Encryption Algorithms
4 pages
LNKDSEA - Machine Learning Based IoT IIoT
No ratings yet
LNKDSEA - Machine Learning Based IoT IIoT
8 pages
Botnet Attack Detection in the Internet of Things Using Selected Learning Algorithms: A Research Study on Securing IoT Against Cyber Threats Using Machine Learning
From Everand
Botnet Attack Detection in the Internet of Things Using Selected Learning Algorithms: A Research Study on Securing IoT Against Cyber Threats Using Machine Learning
Bolakale Aremu
5/5 (1)
A Survey On Security and Privacy Issues in Internet-of-Things
No ratings yet
A Survey On Security and Privacy Issues in Internet-of-Things
9 pages
Internetof Things Security ASurvey
No ratings yet
Internetof Things Security ASurvey
5 pages
A Secure Mutual Authentication Protocol Based On Visual Cryptography Technique For IoT-Cloud
No ratings yet
A Secure Mutual Authentication Protocol Based On Visual Cryptography Technique For IoT-Cloud
15 pages
Batch9 DataSecurityInIot
No ratings yet
Batch9 DataSecurityInIot
19 pages
Securing Data in Iot Using Cryptography and Steganography
No ratings yet
Securing Data in Iot Using Cryptography and Steganography
8 pages
Drones 07 00694 v3
No ratings yet
Drones 07 00694 v3
20 pages
A Survey On Security in Internet of Things With A Focus On The Impact of Emerging Technologies - Elsevier Enhanced Reader
No ratings yet
A Survey On Security in Internet of Things With A Focus On The Impact of Emerging Technologies - Elsevier Enhanced Reader
24 pages
Applications Deployments and Integration of Internet of Drones IoD A Review
No ratings yet
Applications Deployments and Integration of Internet of Drones IoD A Review
15 pages
A Critical Review of Practices and Challenges in Intrusion Detection Systems For IoT Toward Universal and Resilient Systems
No ratings yet
A Critical Review of Practices and Challenges in Intrusion Detection Systems For IoT Toward Universal and Resilient Systems
14 pages
Cryptography Algorithms For Enhancing Io T
No ratings yet
Cryptography Algorithms For Enhancing Io T
29 pages
Security and Privacy in Iot: A Survey: Poornima M. Chanal Mahabaleshwar S. Kakkasageri
No ratings yet
Security and Privacy in Iot: A Survey: Poornima M. Chanal Mahabaleshwar S. Kakkasageri
27 pages
Gulzar 2019
No ratings yet
Gulzar 2019
6 pages
14 Reference
No ratings yet
14 Reference
10 pages
Internet of Things' Authentication and Access Control
No ratings yet
Internet of Things' Authentication and Access Control
14 pages
Iot Security Using Aes Encryption Technology Based Esp32 Platform
No ratings yet
Iot Security Using Aes Encryption Technology Based Esp32 Platform
10 pages
SDN Iot2
No ratings yet
SDN Iot2
6 pages
Cryptographic Solutions For Industrial Internet-of-Things Research Challenges and Opportunities
No ratings yet
Cryptographic Solutions For Industrial Internet-of-Things Research Challenges and Opportunities
3 pages
IoT-Enabled Sensors in Automation Systems and Their Security Challenges
No ratings yet
IoT-Enabled Sensors in Automation Systems and Their Security Challenges
4 pages
Recent Developments in IoT Security and Privacy: A Review of Best Practices With Challenges and Emerging Solutions
No ratings yet
Recent Developments in IoT Security and Privacy: A Review of Best Practices With Challenges and Emerging Solutions
7 pages
13 Jsee2457
No ratings yet
13 Jsee2457
9 pages
Digital Technologies – an Overview of Concepts, Tools and Techniques Associated with it
From Everand
Digital Technologies – an Overview of Concepts, Tools and Techniques Associated with it
Editor IJSMI
No ratings yet
A Survey of Privacy Leakage and Security Vulnerabilities in The Internet of Things
No ratings yet
A Survey of Privacy Leakage and Security Vulnerabilities in The Internet of Things
9 pages
Security and Internet of Things: Benefits, Challenges, and Future Perspectives
No ratings yet
Security and Internet of Things: Benefits, Challenges, and Future Perspectives
22 pages
Securing The Skies
No ratings yet
Securing The Skies
22 pages
Final Version
No ratings yet
Final Version
11 pages
1 s2.0 S2666285X21000121 Main
No ratings yet
1 s2.0 S2666285X21000121 Main
7 pages
Transportation Management Land & Sea, Aviation and Infrastructure Concepts: Analyzing the influence of Covid on company processes
From Everand
Transportation Management Land & Sea, Aviation and Infrastructure Concepts: Analyzing the influence of Covid on company processes
BoD - Books on Demand
No ratings yet
A Lightweight Encryption Algorithm IOT
100% (1)
A Lightweight Encryption Algorithm IOT
10 pages
ASecurity Modelfor Io Tbased Systems
No ratings yet
ASecurity Modelfor Io Tbased Systems
12 pages
Secure ABE Scheme For Access Management in Blockchain-Based IoT
No ratings yet
Secure ABE Scheme For Access Management in Blockchain-Based IoT
10 pages
1-Intelligent Drone-Assisted Robust Lightweight Multi-Factor ...
No ratings yet
1-Intelligent Drone-Assisted Robust Lightweight Multi-Factor ...
20 pages
The Research
No ratings yet
The Research
12 pages
01 Ad8602 Dis Unit 1
No ratings yet
01 Ad8602 Dis Unit 1
78 pages
Unit 1
No ratings yet
Unit 1
63 pages
2016A IP Question
No ratings yet
2016A IP Question
46 pages
Handling Advice Unaccompanied Minor
No ratings yet
Handling Advice Unaccompanied Minor
3 pages
API Security With OpenID Connect and Red Hat 3scale API Management
No ratings yet
API Security With OpenID Connect and Red Hat 3scale API Management
57 pages
Bizhub C650ie EN
No ratings yet
Bizhub C650ie EN
4 pages
Resident Loan App Form 2025
No ratings yet
Resident Loan App Form 2025
2 pages
ECDE Assistants Shortlisted Candidates - January 2022
No ratings yet
ECDE Assistants Shortlisted Candidates - January 2022
27 pages
Lecture3 AccessControl
No ratings yet
Lecture3 AccessControl
56 pages
Systems Analysis For IGCSE
No ratings yet
Systems Analysis For IGCSE
8 pages
Id Longo
No ratings yet
Id Longo
1 page
SBI YONO Salary Account Opening
No ratings yet
SBI YONO Salary Account Opening
3 pages
University Management System Project Report.
100% (1)
University Management System Project Report.
20 pages
Canara - Epassbook - 2024-05-31 115626.960866
No ratings yet
Canara - Epassbook - 2024-05-31 115626.960866
19 pages
Ahmad Arif Santosa
No ratings yet
Ahmad Arif Santosa
11 pages
Shareworks by Morgan Stanley Privacy Policy Effective Date: May 2020 1. Overview
No ratings yet
Shareworks by Morgan Stanley Privacy Policy Effective Date: May 2020 1. Overview
10 pages
Project PPT 1
No ratings yet
Project PPT 1
13 pages
IBM Security Verify Access Level 2 Quiz Attempt Review PDF
No ratings yet
IBM Security Verify Access Level 2 Quiz Attempt Review PDF
10 pages
Digital Identity
No ratings yet
Digital Identity
8 pages
Newland Product Catalog 2024.04.03
No ratings yet
Newland Product Catalog 2024.04.03
20 pages
Id Card Requisition Form
No ratings yet
Id Card Requisition Form
1 page
Cerberus
No ratings yet
Cerberus
17 pages
Capricorn Authorisation Letter
No ratings yet
Capricorn Authorisation Letter
1 page
Identity Access Management
100% (4)
Identity Access Management
52 pages
Hardening ProCurve Switches White Paper
100% (2)
Hardening ProCurve Switches White Paper
10 pages
Guidelines On Cyber Resilience For Participants of Paynet's Services - 002
No ratings yet
Guidelines On Cyber Resilience For Participants of Paynet's Services - 002
1 page
Addendum To The Common Proposal Form: Proposer Details
No ratings yet
Addendum To The Common Proposal Form: Proposer Details
1 page
Managengine Adselfservice Plus Overview
No ratings yet
Managengine Adselfservice Plus Overview
40 pages
Steps in Applying For Assessment and Certification - Regular Qualifications - TESDA
No ratings yet
Steps in Applying For Assessment and Certification - Regular Qualifications - TESDA
3 pages
Authentication - What's New: Channels Technology
No ratings yet
Authentication - What's New: Channels Technology
7 pages

TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme For Internet of Drones Environment

Uploaded by

TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme For Internet of Drones Environment

Uploaded by

This article has been accepted for publication in a future issue of this journal, but has not been

TCALAS: Temporal Credential-Based Anonymous

Scheme Year Techniques applied Properties

TABLE II credentials M Di = {Ai , Bi , T Ci , h(·), IDGSS , CIDk } to

Fig. 5. Summary of login and authentication phase of TCALAS

Simplifying the Eqs. (1)–(4) and utilizing the triangular

eled in which A can intercept all the communicated messages 2 2

phase which executing TCALAS using the Execute query

Attribute Wazid et al. Challa et al. Turkanovic Tai et al. TCALAS

and authentication phase, TCALAS requires three messages

efficient as it requires 7Th ≈ 0.00224 seconds, that is, 2.24

You might also like