On the Security of the Novel Authentication Scheme for UAV-Ground

Station and UAV-UAV Communication

Mustapha Benssalah

and Karim Drouiche

Signal Processing Laboratory, Ecole Militaire Polytechnique, BP 17 Bordj El Bahri, 16046 Algiers, Algeria

LIK Neuville Sur Oise, Cergy Pontoise University, Cergy-Pontoise CEDEX, 95000, France

Keywords:

IoD, Authentication, UAV, PUF, Security Analysis.

Abstract:

With the unexpected increase i n the number of commercialized and marketed UAVs in the last few years, both

in the civilian and military ﬁelds, the security and privacy r emain the exceedingly urgent problem of national

security for many countries over the world. In fact, it is imperative that drone security and privacy issues have

to be properly and utterly addressed by drone manufacturers as well as commercial operators, via implement-

ing efﬁcient authentication mechanisms executed between the system entities before any exchange of sensitive

information. In this paper, we examine in depth the security of the PUF-based authentication scheme published

most recently by Alladi et al. in one of the renowned international scientiﬁc journals ”IEEE Transactions on

Vehicular Technology”. Our results indicate that the claimed security performance of this scheme has been

overestimated. We show that Alladi et al.’s scheme is prone to the secret session key disclosure attack. We

demonstrate that the attacker can easily reveal the shared secret and decrypt all the exchanged messages for

both UAV-Ground Station (GS) and UAV-UAV authentication phases. To mitigate the revealed issues, some

possible improvements are suggested for this scheme. Further, via formal security analysis, using Random

Oracle, we show that Alladi et al.’s improved IoD scheme could deliver all the merits of the original scheme

and can prevent the aforementioned vulnerabilities.

1 INTRODUCTION

Unmanned aerial vehicles (UAVs) are now widely

used for both military and civilian a pplications, in-

cluding package delivery, trafﬁc surveillance, and

search and rescue missions. UAV networks are

rapidly evolving into the Internet of Drones, a layered

network control desig n, with the help of embedded

sensors and the acceptance of Internet of Things (IoT)

as one of the main approaches in next generation (5G)

(IoD) (Yahuza et al., 2021). Io D is referred to as a lay-

ered network control design that is primarily intended

for managing UAV access to regulated airspace and

offering navigation services between nodes. The In-

ternet and other cutting-edge techn ologies like cloud

computing, multi-access edge computing (MEC), ar-

tiﬁcial intelligence and communica tion networks en-

hance conventional UAV tec hnolog y, crea ting enor-

mous op portunities for future on-demand service-

oriented and user-friendly IoD applications (Choud-

hary et al., 2018). Additionally, under the IoD co n-

cept, a la rge number of UAVs are grouped together to

form a mesh network where each UAV, outﬁtted with

sensors, gathers data from a speciﬁc airspace, dissem-

inates/collects real-time data fr om other UAVs, a nd

interacts with groun d stations (Alsamhi et a l., 2019).

However, due to the h ighly sensitive nature of the col-

lected data and the wireless natu re of communication

among the various entities that comprise the system,

security and privacy of the exchanged information be-

came a key concern (Lv, 2019). The pitfalls are to

held responsible for security ﬂaws, which result in

signiﬁcant loss of availability and resources, as well

as a loss of privacy. Because the collected data in

such a scenario is highly sensitive and decisive, so a

secure and efﬁcient authentication and key agreement

(AKA) mechan ism is required to ensure mutual au-

thentication between the various entities uniting the

system.

In recent years, the security and privacy in IoD

systems have received a distinct attention. Numer-

ous overviews and surveys on IoD security and pri-

vacy have been proposed in the literature (Lv, 2019;

Choudhary et al., 201 8; Lin et al., 2018; Alsamhi

et al., 2019). Inspired by previous works that allow

users to establish a share d key while being mutually

Benssalah, M. and Drouiche, K.

On the Security of the Novel Authentication Scheme for UAV-Ground Station and UAV-UAV Communication.

DOI: 10.5220/0012077400003555

In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023), pages 361-368

ISBN: 978-989-758-666-8; ISSN: 2184-7711

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

361

authenticated, many authentication scheme s with in-

novative techniques in IoD environments have been

proposed in the literature (Alladi e t al., 2020b; Al-

ladi et al., 2020a; Gope and Sikdar, 2020; Gope et al.,

2021; Hussain et al., 2021). Let us concentrate on

the most recent contributions concerning IoD secu-

rity. Tian et al. (Tian et al., 2019) presented in 2019 an

IoD privacy-preservin g authentication scheme based

on a digital signature scheme. Nonetheless, it is

demonstra te d th a t this scheme is insecure against lo -

cation threats and physical attacks (Gope and Sikdar,

2020). T CALAS is a temporal credential anonymous

lightweight authentication scheme for IoD proposed

by Srinivas et al. in 2019. However, Ali et al. (Ali

et al., 2020) showed that Srinivas et al. (Srinivas et al.,

2019) scheme is susceptible to stolen veriﬁer attacks

and lacks anonymity. In 2020, Zhang et al. (Zhang

et al., 2020) devised a lightweight AKA scheme b ased

on bitwise XOR and one-way hash function opera-

tions to ensure mutual authentication between users

and drones. Zhang et al. showed that their solution

can resist to various known attacks and can achieve

AKA-security under the random oracle model. Zhang

et al. developed a ligh twe ight AKA system based

on one-way hash function and bitwise XOR opera-

tion to enable mutual authentication between users

and drones in an IoD environment. (Zhang et al.,

2020) demonstrated th at their solution c an withstand

several known attack s and attain AKA-security under

the random oracle paradigm. Furthermore, it provides

improved functionality in terms of computation and

transmission expenses. Nevertheless, Gope and Sik-

dar (Gope and Sik dar, 2020) examined Zhang et al’s

approa c h and proved its v ulnerability to physical and

forgery attacks. Furthermore, since the drone must

store speciﬁc security credentials settings, it may be

physically caught and all data stored in its memory

accessed (Gope and Sikdar, 202 0). Chen et al. sug-

gested a traceable and privacy-preserving AKA for

UAV communication control systems in 2020. In

2021, Yahuza et al. (Yahuza et al., 2021) showed that

Chen et al. scheme is not secure under the widely

used Canetti-Kr awczyk (CK) adversary model. These

attacks include the well-known session-speciﬁc tem-

porary information attack, the partial key-escrow at-

tack and the replay attack induced by a loss of in-

tegrity in the exchange messages. In 2021, Jan et al.

(Jan et al., 2021) presented a lightweight message au-

thentication scheme for IoD implementing hash func-

tion. (Jan et al., 2021) also showed that their proto-

col is immune to stolen-veriﬁer and privileged insid er

attacks. On the other side, numerous notable PUF-

based authentication solutions have been proposed in

the literature in recent years with the goal of ensuring

higher efﬁciency and degree of security generated by

the Physically Unclonable Function (PUF) intrinsic

properties such as unclonab ility, tamper-evid ent prop-

erties, and uniqueness. In this regard, Gope an d Sik-

dar (Gope and Sikdar, 2020), Alladi e t al., and Gope et

al. (Gope et al., 2021) suggested efﬁcient PUF-ba sed

authenticatio n schemes for IoD environments.

In this paper, we ﬁrst thoroughly examine the se-

curity of Alladi et al.’s (Alladi et al., 2020a) PUF-

based authentication tech nique. Our ﬁndings suggest

that this scheme’s claimed security perform ance has

been overestimated. As a result, we will show that

Alladi et al.’s scheme is vulnerab le to eavesdropping

attack, in which an attacker who observes the insecure

channel between the UAV and the ground station GS

can easily extract th e secret session key a nd then pro-

cure the overall exchange d communications between

the various entities (UAV-UAV and UAV-GS). An im-

proved sch eme is suggested.

2 PRELIMINARIES

In this section, we will intr oduce some fundamental

mathematical concepts that are used in the studied

scheme.

2.1 Hash Function

A hash function is a one-way cryptographic function

that transforms an entry string X of an arbitrary length

to an output string Y . X ∈ {0, 1}

∗

into a con densed

output string Y of speciﬁed length Y ∈ {0, 1}

, ex-

pressed as digests (Rogaway and Shrimp ton, 2004).

This one way function is expressed as h(·) : X → Y

and has the collision and pre-image resistances prop-

erties.

This cha racteristic can be described as follow s:

Adv

Hash

(t) = Pr[(x, x

′

) ⇐

A : x 6= x

′

and

h(x) =

h(x

′

)], where Pr[e] is the ra ndom occurren ce e prob-

ability, (x, x

′

) ⇐

A is the pair message (x, x

′

) ran-

domly picked by the attacker

A and Adv

Hash

(t) sig-

niﬁes the probability advantage gained over random

picks by

A for a speciﬁed amount of time t. Then, if

this function is collision-resistant, A dv

Hash

(t) < ε for

small values of ε > 0.

2.2 Physically Unclonable Function

PUFs a re used in the design of AKA systems as one of

the most practica l one way f unctions to provide a high

security leve l again st invasive and physical attacks. A

PUF is deﬁned as a pair of challenge/response pairs

SECRYPT 2023 - 20th International Conference on Security and Cryptography

362

(CRPs) for which the PUF generates R for a given in-

put C such that R = PU F(C ). Otherwise, as reported

in numerous contributions in the literature, a potential

attacker can amass challenge response pairs (CRPs)

from their build in PUF functions to establish a ma-

chine learning (ML) mo del that could be employed to

predict the responses of future challenges with high

accuracy (Shi et al., 2019; Yu and Wen, 2019).

Thus, we expect that in our enhanced authentica-

tion system, we would use new PUF functions simi-

lar to those described in (Wang et al., 2021 ) and (Wu

et al., 2022) to avoid ML attack s (NoPUF and FLAM-

PUF). The latter has novel countermeasures based on

obfuscatin g challenge, which protects the PUF. For

example, the prediction accuracy of modeling attacks

over FLAM-PUF, wh ich is basically composed of one

Galois linear-feedback shift register ( LFSR) and one

Arbiter PUF (APUF), along with some simple logic

gates, is around 50% under the commonly used ML

techniques, namely support vector machines (SVMs),

deep neural networks (DNNs), etc.

2.2.1 Deﬁnition

PUF

Div

: {0, 1}

→ {0, 1}

linked to a given thing

Div

is a function expressed with the following char-

acteristics (Frikken et al. , 2009):

1. PUF

Div

is easy to calculate.

2. Adv

PUF

) is insigniﬁcant (≤ ε) in L

for any

probabilistic polyno mial-time adversary (

A ).

3. Bounded noise: in a wide range of circumstances,

the distance between two given outputs from the

PUF

Div

on the same challenge C is at most d,

i.e. Pr[Dist

(y, z) > d | y ← PU F

Div

(C), z ←

PUF

Div

(C)

and

C ← U

] ≤ ε, fo r su fﬁciently

small ε, where Dist

(·, ·) is the H amming dis-

tance.

4. Unique: the PU F

Div

is speciﬁc to each techno-

logical equipm ent i.e . Pr[Dist

(y, z) ≤ d | y ←

PUF

Div

(C), z ← PUF

Div

(C)

and

C ← U

] ≤ ε, for

a very tiny ε.

3 SECURITY ANALYSIS OF

ALLADI et al. SCHEME

A PUF-based lightweight mutual authentication

scheme was suggested by Alladi et al. (Alladi et al.,

2020a ) for the implementation of the Internet of

Drones. This authentication scheme, known as Se-

cAuthUAV, is recommended to secure commu nica-

tions between UAV-Ground station (G S) and UAV-

UAV. SecAuthUAV was suggested to ensure a secure

session between various entities without storing any

sensitive data. In the event that the UAV is captured,

this procedure will prevent the attacker from lear ning

the secret keys that are kept in its memory. Further-

more, the authors argued that their scheme ensures

crucial security aspects including mutual au thentica-

tion, forward secrecy and UAV anonymity compared

to recently proposed authentication schemes in this

ﬁeld. In addition, they showed tha t their scheme is

resilient to a variety of well-known attacks, includ-

ing the man-in-the-middle attack, masquerade attack,

cloning attack, tam pering attack, etc. However, in this

section we will show how Alladi et al. scheme is sus-

ceptible to eavesdropping attack, in which an attacker

might discover th e shared secret and d ecode all the ex-

changed messages for both the UAV-Ground Station

(GS) and UAV-UAV authentication phases. The main

steps of this scheme are brieﬂy described before we

proceed to discuss the vulnerabilities that have been

found.

3.1 Review of Alladi et al.’s Scheme

SecAuthUAV scheme consists of three phases, i.e.

the UAV registration phase, UAV-GS authentication

phase and the UAV-UAV au thentication phase given

in the following:

3.1.1 UAV Registration

• Before deploymen t, each UAV

must always be

enrolled with the GS using a secure channel.

• GS creates a temporary identity TU ID

for each

and maintains the permanent identity GID.

• Utilizing U

’s PUF, a challenge-response pair

(C, R) are produced and kept in the GS memory.

• The set {TUID

,C, R} is securely stored

in the GS’s database (DB), while the set

{TUID

, GID,C} is stored in the UAV’s memory.

3.1.2 UAV-GS Authentication

During this phase, the UAV

and the GS interact

across an unsecured channel to establish mutual au-

thentication a nd a session key for future interactions.

1. Once, a UAV

needs to authenticate with GS, it

computes the re sponse R = PU F(C) using the

stored challenge C. Then, it generates a ran-

dom nonce N

and calculates H(RkTUID

)

and it sends them together with its tem-

porary identity TU ID

to GS i. e. M

{TUID

, N

, H(RkTUID

)}.

On the Security of the Novel Authentication Scheme for UAV-Ground Station and UAV-UAV Communication

363

2. Upon receiving M

, GS checks the freshness of

NA and requests its DB for any entry correspon d-

ing to the received TUID

. If these conditions are

not satisﬁed, the U

’s a uthentication demand will

be rejected. Thereafter, once th at hash value is

checked, GS ﬁnds the corresponding challenge-

response pair (C, R) from its DB. After that, it

generates nonce N

and subsequently splits R in to

two parts denoted here as K

and K

, it calculates

the messag e Q as follows:

= N

⊕ K

(1)

= N

⊕ X

⊕ K

(2)

Q = (Y

) ⊕ (K

) (3)

3. GS broadcasts the message

= {Q, H(QkGIDkN

)} to U

4. Upon the rec e ption of M

, it splits R into K

and

and does the following opera tions:

= K

⊕ Q (4)

= Y

⊕ X

⊕ K

(5)

= X

⊕ K

(6)

5. Once the non ce N

and N

are extracted, U

re-

calculates the hash message u sin g the retrieved

nonce and compares it with the received one. If

the veriﬁcation does not hold, U

terminates the

session. Otherwise, U

generates a random nonc e

, a substring serves as a new challenge C

′

obtained from N

) and subsequently it computes

′

= PUF(C

′

) using its PUF. These new gener-

ated p arameters are encoded as follows:

′

= R

′

⊕ K

(7)

′

= N

⊕ K

(8)

The session key w ith which the two entities will

communication is computed as follows:

= (K

⊕ N

)k(K

⊕ N

) (9)

6. Then, U

sends the message

= {M

′

, N

′

, H(RkTUID

kSk

)} to GS.

7. Upon the reception of M

, GS obtains the new

challenge-response pair and the session key:

= N

′

⊕ K

(10)

′

= M

′

⊕ (K

) (11)

= (K

⊕ N

)k(K

⊕ N

) (12)

8. Afterward, GS checks the hash value

H(R

′

kTUID

kSk

) using the retrieved

parameters. If the veriﬁcatio n is unsuccessful, GS

terminates the session. Otherwise, GS memorizes

the new challenge respo nse pair (C

′

, R

′

) along

with the old pair in its DB. At this stage, the

mutual authenticatio n is completed, so GS can

start a secure transmission with U

using the

shared session key Sk

9. In the o ther hand, b oth U

and GS update the tem-

porary id entity TUID

for their subsequent au-

thentication rounds as follows:

TU ID

i+1

= H(K

kTUID

) (13)

10. This phase ends with an acknowledgement

string Ack along with a hash H(Ack||GID||N

)

transferred from the GS to address the de-

synchro nization issue.

3.1.3 UAV-UAV Authentication

This phase describes how any two given UAVs could

open a secure transmission session UAV-UAV while

basing itself on the above described UAV- GS authen-

tication scheme. The different steps of this phase are

given as follows:

1. When a secure session is achieved between the

UAV

and GS using Sk

, U

requests GS for a se-

cure session with a second UAV

. At this stage,

GS sends an authentication request to the UAV U

that includes {Req, H(ReqkTU ID

kGID)}.

2. Afterward, U

checks the validity of

H(ReqkTU ID

kGID) and starts the same

authenticatio n process describe d in the above

section, to establish a secure transmission session

with GS using the shared session key Sk

3. Subsequently, GS produce s a new secret key Sk

and transmits it encrypted to both U

and U

using

the shared session keys Sk

and Sk

, respectively.

Finally, b oth UAVs share the same Sk

and thus a

secure co mmunicatio n channel is established be -

tween the two UAVs.

3.2 Session Key Disclosure Attack

In this section, we show that Alladi et al.’s sche me is

vulnerable to eavesdropping attack and secret disclo-

sure attack. According to the attack model assumed

by the authors, an attacker (A ) ca n eavesdrop on the

communication between the U

and GS w here he has

access to the exchang ed messages. This spying al-

lows to the attacker to combine the br oadcasted mes-

sages, such as the parameter Q and M

′

to reve a l the

session key Sk

shared between the UAV and GS a nd

that shared between the two UAV (Sk

) during the

UAV-UAV authentication ph ase.

SECRYPT 2023 - 20th International Conference on Security and Cryptography

364

3.2.1 Session Key Disclosure At tack (UAV-GS)

The session key Sk

is supposed to be a secret parame-

ter shared only between the GS an d the UAV to ensure

a secu re communication session. In fact, the disclo-

sure of this shared key will allow to the attacker to

decryp t all the communications between the two enti-

ties and then get all the secret exchanged data during

the commun ic ation. The diffe rent steps of this attack

are g iven below:

As the authors of (Alladi et al., 2020a) have misused

or badly combined the concatenation and the XOR

operations in equation (14) from the M

, this has led

to the f ollowing simpliﬁcation of this equation (as

showed in ﬁgure (1)), using mathematical properties

between XOR and concatenation operations, knowing

that X

, Y

, K

and K

are 1 60 bit length.

Q = (Y

) ⊕ (K

) (14)

Q = (Y

)⊕ (K

) = (Y

⊕K

)k(X

⊕K

) (15)

On top o f that, knowing that (from equations (1) and

160 bits

320 bits

160 bits

Figure 1: The simpliﬁcation of the equation (14).

(2)): X

= N

⊕ K

and Y

= N

⊕ X

⊕ K

We can shorten the message Q as follows:

Q = (N

⊕ (N

⊕ K

) ⊕ K

⊕ K

)k(N

⊕ K

)

(16)

Q = (N

⊕ N

⊕ K

)k(N

⊕ K

)

It can be easily seen tha t Q can be splited into two

parts q

and q

given as follows: Q = q

where:

= N

⊕ N

⊕ K

(17)

= N

⊕ K

(18)

Accordingly, as the parameters N

and Q are public,

we can calculate the fo llowing quantities:

= q

⊕ N

= N

⊕ K

(19)

= q

⊕ N

= K

⊕ K

(20)

The parameter Q

appears to be the ﬁrst part of the

session key Sk

(knowing that Sk

= (K

⊕ N

)k(K

⊕

)). While the second part of Sk

can be derived by

combining equ ations (8) and (20) as f ollows: N

′

⊕

) = N

⊕ K

⊕ (K

⊕ K

) = N

⊕ K

. Then, the

session key is obtained.

Finally, using the disclosed Sk

between the

UAV U

and the GS, the attacker could decrypt and

exploit all the sensitive and critical info rmation ex-

changed betwe e n the two entities which could lead to

harmful impacts. Consequently, Alladi et al.’s sch eme

is vulnera ble to session key disclosure attack which

can be used to dec rypt all the sensitive data exchanged

via the insecure channel.

3.2.2 Session Key Disclosure At tack (UAV-UAV)

In this subsection, we show how an attacker can ex-

ploit the session key disclosure attack of Sk

between

the UAV U

and the GS, described above, to dis-

close the secret session key Sk

shared between the

UAV U

and UAV U

and then decrypt the UAV-UAV

communications. The steps of this attack are given in

the following:

⊲ When UAV

requests GS for a secure session with

a second UAV, GS transmits an auth entication request

to an appropriate UAV U

⊲ Thereafter, UAV U

starts the same authentication

process (UAV

-GS) to establish a secure session with

GS i.e. produces the session key Sk

⊲ In this case, the attacker follows the sam e session

disclosure attack, given above, to extract the secret

key Sk

⊲ Subsequently, GS ge nerates a new secre t key Sk

and transmits it encrypted to both U

and U

using

and Sk

, respectively.

⊲ Therefore, the attacker decrypts the secret key Sk

using the disclosed session keys Sk

or Sk

Consequently, revealing the session key Sk

allows

to the attacker decrypting all the exchan ged messages

between the two UAVs, which makes the communi-

cation session insecure. This attack co uld have seri-

ous concerns on the m ission course, especially for the

case of military or strategic missions.

4 THE IMPROVED IoD SCHEME

In this section, we describe our suggested improved

version of Alladi et al. scheme. In this enhanced

scheme, we put fo rward efﬁcient countermeasures to

overcome the revealed ﬂaws and then e nsure a secure

mutual authentication and key ag reement between the

different comm unicating entities. Consequently, the

improved Io D authentication scheme includes three

major phases as in the original sch eme SecAuthUAV

of Alladi e t al. (Alladi et al., 2020a). In the improved

version, we assume the same network and adversary

models as in the original paper. Besides, we m aintains

the same assumptions.

On the Security of the Novel Authentication Scheme for UAV-Ground Station and UAV-UAV Communication

365

4.1 Introduced Co untermeasures

The critical weakness of Alladi et al. scheme is essen-

tially relate d to the session key genera ting procedure

that is not deeply examined and also to the misuse

of the combination of XOR and concaten ation opera-

tions employed to introduce diffusion on th e different

exchanged messages. These ﬂaws largely facilitated

the computatio n of the session key for th e attacker.

As a result, in the enhanced version we suggest a new

expression for the session key c omputation while we

keep almost all the steps of the three phases of Se-

cAuthUAV scheme without change. Accordingly, we

suggest the following new expression to compute Sk

In step (5) of the UAV-GS authentication phase, the

user U

and the GS have to proceed as follows:

In both sides, GS and UAV have to split the PUF out-

put R

′

into K

′

and K

′

and compu te the session key S k

accordin g to the n ew equation:

= H(N

k(K

′

⊕ N

⊕ K

)k(K

′

⊕ K

⊕ N

). In

fact, with this new session key formula, it is d ifﬁcult

for an attacker to reveal any useful info rmation from

the exchanged public messages or from the new value

of Sk

which contains both ephemera l secrets and ran-

dom variables secured by the hash function. Along-

side, with the new equa tion of Sk

, it is difﬁcult for

the attacker to construct it. On the other hand, even

though the new scheme adds an extra computation by

summing up a hash function, this does not affect the

whole scheme. On the contrary, it provide s additional

security features and a high security level for the ap-

plication that ma kes it hard to break. Additionally,

we maintain the same steps in the UAV-UAV authen-

tication phase as the revealed session key disclosure

attack for this phase are caused essentially by the vul-

nerability of the UAV-GS authentication phase ﬁxed

above.

4.2 Security Anal ysis

The main objective of this section is to prove that

the improved version provides all the security features

claimed by Alladi e t al.(Alladi et al., 2020 a ) a nd in ad-

dition, show its resistance against to the described at-

tack. In this context, numerou s security analysis tools

via formal and informal models are u sed in the lit-

erature to check the robustness and security level of

authenticatio n schemes. These security tools can in-

clude Mao Boyd logic (Paulson, 1997), BAN (Abadi

and Needham) logic (Agray et al., 2001), AVISPA

model (Vigano, 20 06), random and dynamic o racle

models (Ene et al., 2009), etc. For this scheme, we

perform this step using the well-accepted random or-

acle model as deﬁned in (Canetti et al., 2004) by

demonstra ting that both the two authentication phases

of the new scheme are secure against session key dis-

closure attack. So, we assume the following random

oracle for the attacker A :

Reveal. The Reveal random oracle will totaly output

the string x from the corresponding hash value y, i.e.

y = H(x).

Proposition 1. Under th e PUF functio n P(·) and the

one-way hash function H(·) which acts as random or-

acle, our improved UAV-GS authentication is secure

against an attacker

A disclosing the session key Sk

and GS’s identity GID.

Algorithm 1: Exp1

Hash,PUF

A ,Im−IoD

1-Eavesdrop on the insecure channel and in-

tercept (M

= {TUID

, N

, H(RkTUID

)},

= {Q, H(QkGIDkN

)} and M

′

, N

′

, H(RkTUID

kSk

)}).

2-Call Reveal oracle on input H(RkTUID

). Let

′

) ←

Reveal 1

H(RkTUID

)

3-Compute K

and K

and then extract N

and N

4-Call Reveal oracle 1 on input H(QkGIDkN

). Let

(GID

′

) ←

Reveal 1

H(QkGIDkN

if GID

′

= GID then

Accept GID

′

as the GS’s identity.

5-Call Reveal oracle on input

H(RkTUID

kSk

). Let (Sk

′

) ←

Reveal 1

H(RkTUID

kSk

)

if Sk

′

= S k

then

Accept Sk

′

as the session key Sk

between UAV-

GS.

else

Return 0 (Failure)

end if

else

Return 0 (Failure)

end if

Proof: Consider an attacker A with capabilities to

disclose the shared session key Sk

between the UAV

and GS and get the GS’s identity GID. For this, A ini-

tiates the algorithm experiment Exp1

Hash

A,Im−IoD

given

in Algorithm 1 against the impr oved IoD scheme, say

Im-IoD by simulating the reveal Oracle 1. We ex-

press the success probability of the above given ex-

periment as succ

= |Pr[Exp1

Hash

Im-IoD

= 1] − 1|. Be-

sides, the advantage supported by A is expressed

as Adv1

Hash

Im-IoD

(t, q

rev

) = Max

{succ

}, where A can

launch maximum Reveal que ries q

rev

. as stated in

Exp1

Hash

A,Im−I oD

, A is able to divulge the shared ses-

sion key Sk

and the GS’s identity GID only if he

has the ability to invert the one- way hash function.

Conversely, acco rding to the deﬁnition, it is com-

SECRYPT 2023 - 20th International Conference on Security and Cryptography

366

putationally untractable for A to break the one-way

function and the win the game, i.e . Adv

Hash

(t) ≤

ε, for any sufﬁciently small ε > 0. Therefore,

Adv1

Hash

Im-IoD

(t, q

rev

) ≤ ε. Consequently, our en-

hanced scheme is invincible against A disclosing the

session key Sk

between the UAV-GS and the GS’s

identity.

Proposition 2. Based the one-way hash function

H(·) which acts as random oracle, our enhanced UAV-

UAV authentication is secure again st

A extracting the

session key Sk

Algorithm 2: Exp2

Hash

A ,Im−IoD

1-Eavesdrop on the public channel be-

tween UAV

− GS or UAV

− GS and inter-

cept the exchanged public messages (ex. for

UAV

− GS: M

= {TUID

, N

, H(RkTUID

)},

= {Q, H(QkGIDkN

)}, M

′

, N

′

, H(RkTUID

kSk

)}),

{

Session key

}

and {

Session key

}

2-Call Reveal oracle on input H(RkTUID

kSk

Let (Sk

′

) ←

Reveal 1

H(RkTUID

kSk

)

if Sk

′

= S k

then

Accept Sk

′

as the shared secret key Sk

between the

UAV-GS.

3-Extract Sk

′

from {

Session key

}

if Sk

′

= S k

then

Accept Sk

as the shared secret key between

UAV

and UAV

Return 1 (Success)

else

Return 0 (Failure)

end if

else

Return 0 (Failure)

end if

Proof. Let’s consider an attacker A who have the

capacity to disclose the shared session key Sk

be-

tween two UAV

and UAV

throughout the UAV-

UAV authentication phase. To do that, A per-

forms the experiment Exp2

Hash

A,Im−I oD

speciﬁed in Al-

gorithm 2 against the e nhanced scheme, by perform-

ing the reveal Oracle 1. We deﬁne the success prob-

ability of the above given experiment as succ

|Pr[Exp1

Hash

Im-IoD

= 1 ] − 1|. Besides, the advantage

supported by A is given as A dv2

Hash

Im-IoD

(t, q

rev2

) =

Max

{succ

}, where A can send maximum Reveal

queries q

rev2

. Based on Exp2

Hash

A,Im−I oD

, A is able to

disclose th e shared session key Sk

if he has the ca-

pacity to invert the one-way hash function. Recip-

rocally, according to the deﬁnition 1, it is computa-

tionally difﬁcult for A to break the one-way func-

tion, i.e. Adv

Hash

(t) ≤ ε, for any insigniﬁcant ε > 0.

As a re sult, Adv2

Hash

I-scheme

(t, q

rev2

) ≤ ε. Finally, our

enhanced scheme is secure against A who trying to

disclose the shared session key Sk

between the two

UAVs.

4.3 Perfo rmance Analysis and

Comparison

Our enhanced IoD scheme inherits all the strengths

of Alladi et al.’s scheme and in addition, it consid-

ers new countermeasur e against the revealed pitfall.

Thus, extra computational c ost was added to provide

additional security f e atures by using a supplementary

hash function in the calc ulation of the shared session

key Sk

. Besides, the comm unication and the storage

costs of the enh anced scheme are similar to those of

the original one. Finally, with the intr oduce en hance-

ment, the improved scheme could resist to the fol-

lowing security attacks: masquerade attack, man in

the middle attack, replay attack, de-sy nchronization

attack, cloning attack, etc. In addition, it provides

the following security requirements: the provision for

session key establishment, user anonymity, mutual

authenticatio n, forward secrecy, etc.

5 CONCLUSION

In this paper, we thoroughly examined the security of

Alladi et al.’s IoD authentication scheme, revealing

a fundamental ﬂaw that is generated from a misuse

of the mathematical combination of the concatenation

and XOR operations. We showed that an eavesdrop-

ping attack can disclose the shared secret session key

between the UAV an d the GS, as well as the shared

secret between the two UAVs, which might induce

major risks to the mission’s course, particularly in

the case of stra tegic applications. Besides, we have

suggested an upgraded version that ﬁxes the discov-

ered ﬂaw. We may c onclude from these kind of ﬂaws

that new authentication scheme’s designs sh ould be

thoroughly evaluated from both informal and formal

perspectives, using well-known concepts and guide-

lines. Furthermore, we may learn that misusing even

a secure cipher with powerful cryptographic func-

tions (PUF, hash function) can exceedingly compro-

mise the security and privacy of the entire application.

Lastly, we hope that this study will assist authentica-

tion designer s in evaluating and improving the secu-

rity and the durability of their IoD authentication so-

lutions.

On the Security of the Novel Authentication Scheme for UAV-Ground Station and UAV-UAV Communication

367

REFERENCES

Agray, N., Van Der Hoek, W., and De Vink, E. (2001). On

ban logics for industrial security protocols. In Inter-

national Workshop of Central and Eastern Europe on

Multi-Agent Systems, pages 29–36. Springer.

Ali, Z., Chaudhry, S. A., Ramzan, M. S., and Al-Turjman,

F. (2020). Securing smart city surveillance: A

lightweight authentication mechanism for unmanned

vehicles. IEEE Access, 8:43711–43724.

Alladi, T., Bansal, G., Chamola, V., Guizani, M., et al.

(2020a). Secauthuav: A novel authenti cation scheme

for uav-ground station and uav-uav communica-

tion. IEEE Transactions on Vehicular Technology,

69(12):15068–15077.

Alladi, T., Chamola, V., Kumar, N., et al. (2020b). Parth: A

two-stage lightweight mutual authentication protocol

for uav surveillance networks. Computer Communi-

cations, 160:81–90.

Alsamhi, S. H., Ma, O., Ansari, M. S., and Almalki, F. A.

(2019). Survey on collaborative smart drones and

internet of things for improving smartness of smart

cities. Ieee Access, 7:128125–128152.

Canetti, R., Goldreich, O., and Halevi, S. (2004). The ran-

dom oracle methodology, revisited. Journal of the

ACM (JACM), 51(4):557–594.

Choudhary, G., Sharma, V., Gupta, T., Kim, J., and You,

I. (2018). Internet of drones (iod): threats, vul-

nerability, and security perspectives. arXivpreprint

arXiv:1808.00203.

Ene, C., Laskhnech, Y., and Ngo, V. C. (2009). For-

mal indistinguishability extended to t he random ora-

cle model. In European Symposium on Research in

Computer Security, pages 555–570. Springer.

Frikken, K. B., Blanton, M., and Atallah, M. J. (2009). Ro-

bust authentication using physically unclonable func-

tions. In International Conference on Information Se-

curity, pages 262–277. Springer.

Gope, P., Millwood, O., and Saxena, N. (2021). A provably

secure authentication scheme for rﬁd-enabled uav ap-

plications. Computer Communications, 166:19–25.

Gope, P. and Sikdar, B. (2020). An efﬁcient privacy-

preserving authenticated key agreement scheme for

edge-assisted internet of drones. IEEE Transactions

on Vehicular Technology, 69( 11):13621–13630.

Hussain, S., Chaudhry, S. A., Alomari, O. A., Al sharif,

M. H., Khan, M. K., and Kumar, N. (2021). Amassing

the security: An ecc-based authentication scheme for

internet of drones. IEEE Systems Journal.

Jan, S., Qayum, F., and Khan, H. (2021). Design and analy-

sis of lightweight authentication protocol for securing

iod. IEEE Access, 9:69287–69306.

Lin, C., He, D., Kumar, N., Choo, K.-K. R., Vinel, A., and

Huang, X. (2018). Security and privacy for the inter-

net of drones: Challenges and solutions. IEEE Com-

munications Magazine, 56(1):64–69.

Lv, Z. (2019). The security of internet of drones. Computer

Communications, 148:208–214.

Paulson, L. C. (1997). Proving properties of security pro-

tocols by induction. In Proceedings 10th Computer

Security Foundations Workshop, pages 70–83. IEEE.

Rogaway, P. and Shrimpton, T. (2004). Cryptographic hash-

function basics: Deﬁ nit ions, implications, and sepa-

rations for preimage resistance, second-preimage re-

sistance, and collision resistance. In International

workshop on fast software encryption, pages 371–388.

Springer.

Shi, J., Lu, Y., and Zhang, J. (2019). Approxima-

tion attacks on strong pufs. IEEE transactions on

computer-aided design of integrated circuits and sys-

tems, 39(10):2138–2151.

Srinivas, J., Das, A. K., Kumar, N., and Rodrigues, J. J.

(2019). Tcalas: Temporal credential-based anony-

mous lightweight authentication scheme for internet

of drones environment. IEEE Transactions on Vehic-

ular Technology, 68(7):6903–6916.

Tian, Y. , Yuan, J., and Song, H. (2019). Efﬁ-

cient privacy-preserving authentication framework for

edge-assisted internet of drones. Journal of Informa-

tion Security and Applications, 48:102354.

Vigano, L. (2006). Automated security protocol analysis

with the avispa tool. Electronic Notes in Theoretical

Computer Science, 155:61–86.

Wang, A., Tan, W., Wen, Y., and Lao, Y. (2021). Nopuf: A

novel puf design framework toward modeling attack

resistant pufs. IEEE Transactions on Circuits and Sys-

tems I: Regular Papers, 68(6):2508–2521.

Wu, L., H u, Y., Zhang, K., Li, W., Xu, X., and Chang,

W. (2022). Flam-puf: A response feedback-based

lightweight anti-machine learning-attack puf. IEEE

Transactions on Computer-Aided Design of Integrated

Circuits and Systems.

Yahuza, M., Idris, M. Y. I., Wahab, A. W. A., Nandy, T.,

Ahmedy, I. B., and Ramli, R. (2021). An edge as-

sisted secure lightweight authentication technique for

safe communication on the internet of drones network.

IEEE Access, 9:31420–31440.

Yu, W. and Wen, Y. (2019). Efﬁcient hybrid side-

channel/machine learning attack on xor pufs. Elec-

tronics Letters, 55(20):1080–1082.

Zhang, Y., He, D., Li, L., and Chen, B. (2020). A

lightweight authentication and key agreement scheme

for internet of drones. Computer Communications,

154:455–464.

SECRYPT 2023 - 20th International Conference on Security and Cryptography

368