Sage Journals: Discover world-class research

Abstract

Space-air-ground integrated Internet of things can improve the scope of Internet of things applications significantly by offering truly global coverage all over the world. While space-air-ground integrated Internet of things is promising to be very useful in many aspects, its deployment and application should overcome severe security threats, for example, interceptions, identity forgery, data tampering, and so on. Authentication is an essential step to protect the Internet of things security, and mutual authentication (i.e. two-way authentication) is especially important to ensure the security of both communication parties simultaneously. However, the intrinsical properties of network dynamics and wide coverage make the authentication concern in space-air-ground integrated Internet of things extremely challenging than traditional Internet of things networks. In this article, we propose MASIT, an identity-based efficient and lightweight mutual authentication scheme for space-air-ground integrated Internet of things. MASIT exploits the natural broadcast property of space-air-ground integrated Internet of things to speed up authentication process, and leverage the distinguished feature of IPv6 to support concurrent numerous nodes. Theoretically, we prove that MASIT is existential unforgeable secure under adaptively chosen message and identity Attacks. We also implement MASIT and other existing typical identity-based encryption schemes and evaluate their performance in real platforms. Experimental results showed that, MASIT outperforms the existing identity-based encryption schemes significantly, that is, the signature verification time can be reduced by 50% to 60%, and the user signature size can be reduced by 13% to 50%.

Keywords

Space-air-ground networks Internet of Things authentication

Introduction

The Internet of things (IoT) are assumed to provide connectivity to all things around the world at any time. However, current mainstream IoT techniques, such as NB-IoT and LoRa, rely mainly on terrestrial infrastructure networks, whose coverage is severely limited by its fixed base station and restricted coverage area. Typically, a terrestrial base station is always located on dense crowd area, and its communication range varies from a few kilometers in urban areas to over 20 km in rural settings.^1,2 Consequently, it is unable to provide connections in more areas on earth, such as oceans (occupies more than 70% of the world), forests, and polar regions. In comparison, emerging satellite networks (i.e. space networks) and aerial networks (aka, air networks), including moving drones (e.g. AT&T Cell on Wings), high altitude long endurance air vehicle (such as Airbus Zephyr), loons (e.g. Google Loon),³ and satellites (such as Iridium, Orbcomm, Globalstar, Inmarsat), are able to cover hundreds or thousands of kilometers in diameter. As a result, by leveraging the natural broad coverage properties of satellite networks and aerial networks, space-air-ground integrated Internet of things (SIoT) have attracted intensive research interest from both industries and academies.^4,5

Unfortunately, there are also serious security risks associated with SIoT. Due to the inherent openness of wireless channels, the SIoT communications are easily intercepted, eavesdropped, and tampered by unauthenticated malicious attackers.^6,7 Moreover, the identities of terrestrial nodes (TNs) and network control center (NCC) are likely to be forged by malicious attackers, which might cause replay attacks and man-in-the-middle attacks. Therefore, measures must be taken to ensure the secure networking of SIoT.

As the first and most fundamental step to ensure the network security, authentication of SIoT is extremely critical. However, different from traditional terrestrial IoT, there are great challenges in SIoT authentication from many perspectives. First, since the moving speed of SIoT base station is fast and the network topology is dynamically changing, the time spent on authentication should be very short; second, the coverage area of SIoT is significantly wider, which means the authentication should serve numerous nodes concurrently; Third, the bandwidth of SIoT is limited and the link is associated with high transmission delay, which determines that authentication should be lightweight. Consequently, it requires a very efficient authentication scheme for SIoT.

However, existing authentication approaches are mainly designed for terrestrial IoT (TIoT), and not suitable for SIoT. Traditional approaches are based on public key infrastructure (PKI), which brings a long authentication time together with heavy overhead of certificate storage and management. Due to its advantages of good scalability and no certificate management, typical identity-based cryptography-based (IBC) schemes, such as Hess’s and⁸ Cha and Cheon’s works,⁹ have been improved and applied for static TIoT.^10–14 However, they are unable to provide efficient authentication during dynamic and wide coverage circumstances.

To handle with this concern, in this article, we propose MASIT, an identity-based efficient and lightweight mutual authentication scheme for SIoT. In general, our contribution can be summarized as follows:

We formulate a multiuser high concurrent mutual authentication model in the SIoT scenario. Based on this model, we carefully analyze the SIoT authentication procedure and find two potential bottlenecks.

We design MASIT, a novel authentication scheme for SIoT. MASIT utilizes the SIoT natural broadcast property and takes the advantage of IPv6 address mechanism.

We proved that MASIT is existential unforgeable secure under adaptively chosen message and identity attacks (EUF-ACMIA) in theory.

We conduct experiments on real platform, and experimental results showed that MASIT is more efficient than existing approaches.

The remaining part of the article proceeds as follows. “Related work” section presents the related work. We propose MASIT authentication scheme in “The SIoT authentication problem” section, followed by the security proof in “The proposed MASIT scheme” section, and the performance analysis in “Security proof” section. Finally, “Performance analysis” section concludes the article.

Related work

Since SIoT authentication is a new concern, rare research has been introduced in this area. As the foundation of SIoT, satellite networks have been widely studied. The satellite network authentication methods can be divided into three categories: authentication based on PKI, authentication based on hash function and symmetric encryption, and authentication based on IBC.

Authentication based on PKI

PKI-based authentication in satellite networks has been investigated since early 2000s. Balasubramanian et al.¹⁵ proposed a PKI-based authentication and key management scheme. There is no centralized certificate authority (CA) in the scheme, and the threshold mechanism is adopted. The CA service is dispersed to each node in the satellite network, which greatly ensures the security of the CA service. Hao et al.¹⁶ proposed an authentication routing protocol for the specific architecture of two-layers satellite networks. In this protocol, MEO satellites in the upper layer authorize the certificates of LEO satellites in the lower layer, which enhances the security of the satellite network routing messages. Considering the certificate management problems in the PKI mechanism, Qian et al.¹⁷ studied the certificate revocation method for the characteristics of satellite networks, which allows the satellite nodes to revoke the certificate of the malicious node according to local decisions when the satellite nodes are unable to connect with the CA. Fang et al.¹⁸ proposed a distributed certificate revocation algorithm for satellite networks, in which the Satellite nodes supervise each other and decide whether to revoke their certificates according to the legal node’s accusation of illegal nodes.

Authentication based on hash function and symmetric encryption

PKI-based authentication has better scalability. However, the storage and management overhead of certificates is heavy. Therefore, the certificate-free or lightweight nonpublic key certificate authentication mechanism based on hash function and symmetric encryption (HFSE) has been widely studied. For the limited resources of satellite network resources, the authentication based on HFSE also has certain advantages in computational overhead. Roy-Chowdhury and Baras¹⁹ presented a lightweight certificate source authentication protocol for wireless network and satellite network hybrid group communication. In the protocol, it uses a lightweight symmetric key certificate called TESLA certificate, in which the sender’s identity is bound to his keychain. Due to the message authentication codes based on the symmetric encryption, the protocol needs less requirements of node processing performance and node power than digital signatures. Yoon et al.²⁰ proposed an efficient and secure mobile satellite communication system anonymous authentication scheme, which uses a secure one-way hash function to avoid complex calculations of mobile users and NCCs. Therefore, it is suitable for lightweight equipment environments. Gope and Hwang²¹ proposed a lightweight secure anonymous authentication scheme for global mobile networks. Considering the limited resources of mobile devices, the scheme use low-cost cryptographic operations (such as hash functions and XOR) to achieve authentication. In 2016, Liu et al.²² proposed a lightweight authentication scheme for spatial information networks based on the temporary identity self-renewal strategy of the user, which also involves only hash functions, XOR, and string concatenation operations that are computationally efficient. In 2019, inspired by blockchain technology, Zhao et al.²³ proposed a hashchain-based identity authentication and privacy protection scheme in the space-air-ground integrated network, which can support effective data security for the intelligent transportation systems.

Authentication based on IBC

The above work has achieved lots of innovations and breakthroughs in satellite networks authentication. However, the abovementioned two categories still have some shortcomings in certificate management or scalability. Hess⁸ and Cha and Cheon⁹ come true the classical IBC-based authentication schemes, where the asymmetric cryptography is used for authentication without certificate and complex certificate management. Given the identity information and some public cryptography system parameters, any two nodes can authenticate the legitimate identity of each other easily. At present, some researchers try to apply IBC to authentication and key management in satellite networks.^24–27 In order to resolve the problems of concentrating key management and overconsumption on certificate maintenance in satellite networks, Luo et al.²⁴ proposed an identity-based distributed key management scheme, designing the distributed private key generators (PKGs), private key updating, host-key shares updating, and session key agreement. In 2011, Wu et al.²⁵ presented an identity-based double-encryption scheme to ensure integrity of data when updating private key component, which can resist data modification attack and denial of service attack. To improve the efficiency of satellite network key management, Zhou et al.²⁶ assume NCC as PKG and use private key to encrypt timestamp and location information to guarantee the authentication freshness. Considering the frequent link switching in among LEO satellites, Li et al.²⁷ proposes a fast and efficient authentication protocol in LEO satellite network by combining identity-based encryption for key management and blockchain technology for rapid handover.

As shown in Table 1, all above types of authentication methods in satellite networks have their own advantages and disadvantages. Compared with other methods, IBC-based authentication has some advantages such as good scalability and no need for certificate management. However, the performance of present IBC-based methods is not enough to handle the concurrent massive user authentication concern in SIoT.

Table 1.

Comparison of different authentication schemes.

Authentication schemes	Scalability	Authentication overhead	Certificate management
Public key infrastructure	Good	General	Complex
Hash function and symmetric encryption	Bad	Low	Simple
Identity-based cryptography	Good	General	None

The SIoT authentication problem

The SIoT scenario

The basic SIoT model is shown in Figure 1. The space-air-ground network connects massive IoT users and the Internet through space-air-ground links. We would also like to list the notations in Table 2.

Figure 1.

MASIT authentication model.

Table 2.

The notations.

Symbol	Description
$I D_{TN}$	IPv6 address interface identifier of TN
$I D_{NCC}$	IPv6 address interface identifier of NCC
$P_{TN}$	TN’s public key
$P_{NCC}$	NCC’s public key
$d_{TN}$	TN’s private key
$d_{NCC}$	NCC’s private key

TN: terrestrial nodes; NCC: network control center.

Nodes

In SIoT, the nodes mainly include TNs, NCC, PKG, and the flying nodes (FNs). FNs are able to provide network access and packets forwarding for TNs in SIoT. However, the computation capacity and storage capacity of FNs are generally limited. TNs are generally in small size with limited computation and storage resources. Considering the case with over $10^{10}$ TNs and just $10^{4}$ FNs, each FN needs to serve more than $10^{6}$ TNs, which brings great challenge to massive concurrent user authentication. The main function of NCC is to control the space-air networks. The NCC located on the ground generally contains a large number of servers. Compared with the FNs and TNs, NCC has abundant computation and storage capacity. In SIoT, NCC is always be regarded as the authentication server, and PKG is used to generate the private key.

Links

Links in SIoT include the space-air-ground links between the FNs and the TNs and NCC, the interspace-air links (ISLs) between satellites and drones, and the space-air-ground links (SGLs) between FNs and terrestrial gateways. Since it is always a long distance between nodes, the propagation delays of SGLs and ISLs are relatively long, which has a negative impact on the authentication performance. The bandwidth of SGLs are usually constrained, but the download link has a natural broadcast property.

Addresses

To provide access during a network, addressing is a paramount concern. Since the scale of IoT is huge, it is commonly believed that only IPv6 addresses can satisfy the requirements of the massive IoT users.²⁸ IPv6 addresses can be classified into unicast addresses, multicast addresses and anycast addresses. Considering the network dynamic property of SIoT, we suggest an IPv6 aggregatable global unicast address (128 bits) to be used, which consists of a link prefix (the first 64 bits of IPv6 address) of a subnet and an Interface IDentifier (in short, IID, the last 64 bits of IPv6 address) of a user. To meet the requirements of autoconfiguration, plug-and-play, no requirement of DHCP server, stateless address autoconfiguration (SLAAC) is suitable for the address configuration of massive nodes in SIoT.

Analysis of SIoT authentication

The mutual authentication process depends on the propagation path. We illustrate the process by taking a TN to NCC authentication as an example. First, the authentication packet from the TN first reaches the overhead FN through the SGL uplink. Then, it is forwarded multiple hops to the FN covering the NCC through ISLs. After that, the packet is sent to the gateway connected to the NCC via the SGL downlink. In this process, several messages need to be transmitted over the path. Note that each part of the path maybe a bottleneck for the concurrent massive user authentication.

We then analyze possible bottlenecks. The whole transmission time cost of the authentication packet mainly includes the packet transmission delay, the propagation delays of SGLs, the propagation delays of the ISLs, the queuing delay and the delay of the packet forwarding in FNs, and so on. The packet transmission delay is determined by the authentication packet size and the link bandwidth. Considering a minimum IPv6 packet signed with the X.509 certificate as an example. The size of such an IPv6 packet, consisting of at least an IPv6 header (40 bytes), a signature (256 bytes) and a certificate (about 1500 bytes), is about 1800 bytes. If the link bandwidth prepared for the authentication is approximately 10 KB/s, the transmission delay is about $1800 / 10 = 180$ ms. Usually the propagation delays of SGLs and ISLs are more than 10 ms. Given the fixed computation capacity of FNs and the fixed link bandwidth prepared for the authentication, the delay of the packet forwarding is also mainly related to the packet size. It is assumed that the queuing delay and the delay of one packet forwarding are 20 ms. Then, since the packet needs to be forwarded 3 times by FNs, the total transmission time cost for one authentication packet is about $180 + 3^{*} 20 + 4^{*} 10 = 280$ ms.

The above analysis only considers the time cost of one-time authentication, considering that massive users are concurrently authenticated, the major factors, which affects the authentication frequency are analyzed as follows.

Let the authentication packet size be $S$ , the bandwidth allocated for SIoT authentication be $B$ , we assume that the time cost of processing each authentication request on the NCC is $T_{0}$ . Accordingly, the frequency of receiving authentication packets is $B / S$ , and the frequency of processing the authentication request is $1 / T_{0}$ . Let $f_{request}$ denote the frequency of actual users’ authentication requests in SIoT. Under the case that $f_{request}$ is so large, to pursue the high concurrent authentication, the smaller one of the following two performance indicators is the actual bottleneck:

Bottleneck 1: The receiving frequency of authentication requests, $B / S$ ;

Bottleneck 2: The processing frequency of authentication requests, $1 / T_{0}$ .

Therefore, in order to improve the efficiency of one-time mutual authentication under the condition of the limited bandwidth and fixed propagation delay, it is necessary to reduce the authentication packet size and authentication interactions between TNs and the NCC. Accordingly, to improve the efficiency of concurrent massive user authentication, the authentication packet size and the authentication requests processing time must be reduced as possible.

The proposed MASIT scheme

In this section, we first review the preliminaries for IBE, and then introduce the identity-based signature designs of NCC and TN. Thereafter, the detailed mutual authentication process is presented. Finally, we show the design of MASIT protocol, combining with mutual authentication and user address configuration.

Preliminaries

Bilinear pairing

Let $G_{1}$ be the additive cyclic group with the generator $P$ and the prime order $q$ , and $G_{2}$ be the multiplicative cyclic group with the same order $q$ . Then, the bilinear pairing $\hat{e} : G_{1} \times G_{1} \to G_{2}$ satisfies the following properties:

Bilinearity: $\hat{e} (aP, bQ) = \hat{e} (P, Q)^{ab}$ , where $a, b \in Z_{q}^{*}$ and $P, Q \in G_{1}$ ;

Nondegeneracy: $\exists P, Q \in G_{1}$ , let $\hat{e} (P, Q) \neq 1$ ;

Computability: $\forall P, Q \in G_{1}$ , $\hat{e} (P, Q)$ can be calculated efficiently.

Computational problems

The computational challenges IBC relying are as follows:

Bilinear Diffie-Hellman problem: $\forall a, b, c \in Z_{q}^{*}$ , given $〈 P, aP, bP, cP 〉$ , calculate $\hat{e} (P, Q)^{abc}$ .

Computational Diffie-Hellman problem: $\forall a, b \in Z_{q}^{*}$ , given $〈 P, aP, bP 〉$ , calculate $abP$ .

Bilinear Diffie-Hellman decision problem: $\forall a, b, c \in Z_{q}^{*}$ , given $〈 P, aP, bP, cP 〉$ and $h \in G_{2}$ , determine if $h = \hat{e} (P, Q)^{abc}$ is established.

Collusion attack algorithm with $k$ traitor( $k$ -CAA) problem:²⁹ For integer $k$ , random number $a \in Z_{q}^{*}$ , $P \in G_{1}$ , given $P$ , $aP$ , $(a + h_{1})^{- 1} P$ , …, $(a + h_{k})^{- 1} P$ and ${h_{1}, \dots, h_{k} \in Z_{q}^{*}}$ , calculate $(a + h)^{- 1} P$ , where $h \in Z_{q}^{*}$ and $h \notin {h_{1}, \dots, h_{k}}$ .

The signature design

In MASIT, the mutual authentication between TNs and the NCC is performed by the identity-based signatures. Considering the different authentication conditions and requirements of the NCC and the TN, the NCC signature is designed with the broadcast mechanism and the TN signature size is designed to be as small as possible.

NCC signature

We adopt the Sakai and Kasahara³⁰ scheme to generate the public key, and then design an identity-based NCC signature scheme. The detailed NCC signature scheme as follows:

Setup: After inputting the security parameter $λ \in N$ , PKG outputs the system master key $s \in Z_{q}^{*}$ and the public parameter $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{2} 〉$ , where $G_{1}$ is the additive cyclic group with the generator element $P$ and the order $q$ , $G_{2}$ is the multiplicative cycle group with the same order $q$ , $\hat{e} : G_{1} \times G_{1} \to G_{2}$ is the bilinear pairing, $P_{pub} = sP$ , and $H_{1} : {0, 1}^{*} \to Z_{q}^{*}$ and $H_{2} : {0, 1}^{*} \times G_{1} \to Z_{q}^{*}$ are hash functions.

Extract: After inputting the NCC’s IID $I D_{NCC} \in {0, 1}^{*}$ , PKG outputs the NCC’s private key $d_{NCC} = (s + H_{1} (I D_{NCC}))^{- 1} P$ .

Sign: The NCC randomly selects $r_{i} \in Z_{q}^{*}$ according to the period $T_{i}$ , calculates $R_{i} = r_{i} P$ and broadcasts it, where $i$ is the number of periods. Then, after inputting $d_{NCC}$ and the message $m$ , NCC calculates $h = H_{2} (m, R_{i})$ , $S = (h + r_{i}) d_{NCC}$ , and outputs the NCC signature $σ_{NCC} = (S, R_{i})$ for $m$ .

Verify: After receiving the signature $σ_{NCC} = (S, R_{i})$ and the message $m$ , the TN calculates the NCC’s public key $P_{NCC} = P_{pub} + H_{1} (I D_{NCC}) P$ , the hash value of the message $h' = H_{2} (m, R_{i})$ , and verifies whether $\hat{e} (S, P_{NCC}) = \hat{e} (h' P + R_{i}, P)$ . If the verification is passed, the signature verification succeeds, otherwise it fails.

In this process, NCC signature $σ_{NCC} = (S, R_{i})$ , only $S \in G_{1}$ is transmitted through unicast channel, while $R_{i} \in G_{1}$ is broadcast periodically. Thus, the NCC signature scheme avoids occupying the limited unicast bandwidth as possible.

TN signature

When massive TNs request authentications to the NCC, both the receiving frequency and the processing frequency of authentication requests determine the performance of the high concurrent authentication. Therefore, it is important to reduce the size and the verification overhead of the TN signature. In MASIT, the TN signature scheme is modified from the BLMQ scheme³¹ and the detailed process work as follows:

Setup: After inputting the security parameter $λ \in N$ , PKG outputs the system master key $s \in Z_{q}^{*}$ and the public parameter $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{3} 〉$ , where except for the hash function $H_{3} : {0, 1}^{*} \times G_{2} \to Z_{q}^{*}$ , the other parameters are the same as those in the NCC signature scheme.

Extract: After inputting the TN’s IID $I D_{TN} \in {0, 1}^{*}$ , PKG outputs the TN’s private key $d_{TN} = (s + H_{1} (I D_{TN}))^{- 1} P$ .

Sign: The TN calculates $x = \hat{e} (P, P)^{k}$ in advance, where $k \in Z_{q}^{*}$ is chosen randomly. For the message $m$ , the TN calculates $h = H_{3} (m, x)$ and $S = (k - h) d_{TN}$ by inputting its private key $d_{TN}$ . Then, the signature $σ_{TN} = (S, h)$ for $m$ is output.

Verify: The NCC calculates $p = \hat{e} (P, P)$ in advance. When the NCC receives the signature $σ_{TN} = (S, h)$ and the message $m$ , it calculates the TN’s public key $P_{TN} = P_{pub} + H_{1} (I D_{TN}) P$ and $x' = \hat{e} (S, P_{TN}) \cdot p^{h}$ , and verifies whether $h = H_{3} (m, x')$ is true. If it’s true, the signature verification succeeds, otherwise it fails.

The correctness of the TN signature is derived as follows

\begin{matrix} \begin{matrix} H_{3} (m, x') & = H_{3} (m, \hat{e} (S, P_{TN}) p^{h}) \\ = H_{3} (m, \hat{e} ((k - h) d_{TN}, P_{pub} \\ + H_{1} (I D_{TN}) P) \hat{e} {(P, P)}^{h})) \\ = H_{3} (m, \hat{e} ((k - h) {(s + H_{1} (I D_{TN}))}^{- 1} P, \\ (s + H_{1} (I D_{TN})) P) \hat{e} {(P, P)}^{h}) \\ = H_{3} (m, \hat{e} ((k - h) P, P) \hat{e} (hP, P)) \\ = H_{3} (m, \hat{e} (kP - hP, P) \hat{e} (hP, P)) \\ = H_{3} (m, \hat{e} (kP, P)) \\ = H_{3} (m, \hat{e} {(P, P)}^{k}) \\ = H_{3} (m, x) \\ = h \end{matrix} \end{matrix}

As a result, MASIT replaces the large size element in $G_{1}$ with a small size hash value in the TN signature, which effectively reduces the unicast bandwidth overhead of the authentication. In addition, the efficiency of the TN signature verification is greatly improved.

The authentication procedure

As shown in Figure 2, the mutual authentication of MASIT includes five procedures as follows.

Figure 2.

The working flow of the authentication procedure in MASIT.

Initialization

When MASIT deploys in SIoT, the system parameters of IBS are initialized. First, PKG selects system parameters $G_{1}$ , $G_{2}$ , $\hat{e}$ , $H_{1}$ , $H_{2}$ and $H_{3}$ . Then, it randomly selects $s \in Z_{q}^{*}$ as the system master key and privately saves $s$ . After that, it calculates $P_{pub} = sP$ as the system public key. At last, PKG publishes the public parameter $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{2}, H_{3} 〉$ .

Registration

Each node, including TNs and the NCC, must register for its corresponding private key at PKG before applying the authentication system. Take the TN as an example. Before deploying the TN in SIoT, it interacts with PKG through a secure channel such as offline. At first, the TN provides a unique 64-bit IID $I D_{TN} \in {0, 1}^{*}$ to PKG. Then, PKG calculates its corresponding private key $d_{TN} = (s + H_{1} (I D_{TN}))^{- 1} P$ by the system master key $s$ and the TN’s IID $I D_{TN}$ , and TN saves its private key $d_{TN}$ privately. Similarly, the NCC can register its private key $d_{NCC}$ . After the node registration, any sender can use its private key to sign its message. After verifying the signature through the sender’s public key, the receiver can authenticate the identity of the sender.

NCC signature broadcast

When the TN access SIoT, not only the TN identity needs to be verified by the NCC, but also the TN must authenticate the NCC’s identity. Moreover, compared with terrestrial networks, SIoT has the advantages of large broadcast range and abundant broadcast resources. Thus, at the beginning of the MASIT mutual authentication process, the NCC broadcasts the authentication message (including timestamp, random number, authentication request, etc.) and the NCC signature of it to massive TNs through FNs. After receiving the message, TNs verify the NCC signature to authenticate the NCC. The details are given as follows:

The NCC periodically prepares the random parameter $R_{i}$ . For the NCC’s authentication request message $m_{NCC}$ , the NCC outputs the signature $σ_{NCC} = (S, R_{i})$ by inputting its private key $d_{NCC}$ , and periodically broadcasts $m_{NCC}$ and $σ_{NCC}$ .

TN authentication solicitation

Before the TN solicits the authentication, it first authenticates the NCC’s identity. After receiving the NCC’s authentication request message $m_{NCC}$ with the signature $σ_{NCC}$ from broadcast, the TN verifies the correctness of the signature. If the NCC signature is correct, the TN tries to solicit the authentication to the NCC. The TN calculates $x$ in advance according to Sign. To sign the TN’s authentication solicitation message $m_{TN}$ , the TN outputs the signature $σ_{TN} = (S, h)$ of $m_{TN}$ by inputting its private key $d_{TN}$ . Then, it sends $m_{TN}$ and $σ_{TN}$ to NCC by unicast.

NCC verification

After receiving the TN’s authentication solicitation message $m_{TN}$ with the TN signature $σ_{TN}$ sent by the TN, the NCC verifies the signature correctness. If the TN signature is verified to be correct, the NCC authenticates the TN’s identity and the mutual authentication of MASIT is successful.

To conclude, MASIT realizes the mutual authentication by the NCC signature and the TN signature, which effectively reduce the overhead of the limited unicast bandwidth and the computation overhead of the NCC to facilitate the high concurrent authentication.

MASIT protocol design

To achieve concurrent massive user mutual authentication in SIoT, the MASIT protocol is designed to realize the mutual authentication between the TN and the NCC within the IPv6 address configuration process for the TN simultaneously.

As shown in Figure 3, the MASIT protocol is implemented on the layer of the ICMPv6 protocol, where the size of MASIT data mainly depends on the signature size. Three types of network entities are involved in the MASIT protocol authentication process, including the NCC that provides authentication services, the TN to be authenticated, and the FN that provides communication resources (CRs) and address configuration services. There are three types of MASIT messages: the secure authentication advertisement (SAA) messages, the secure authentication solicitation (SAS) messages, and the secure authentication reply (SAR) messages. The message format of these messages is designed in the following section.

Figure 3.

MASIT protocol packet construction.

SAA

As shown in Figure 4(a), the first 32 bits of the packet are the ICMPv6 header. $T ype = 200$ indicates that it is an SAA message. $C ode = 0$ indicates that the SAA message is sent from the NCC to the FN, while $C ode = 1$ indicates that the SAA message is broadcasted by the FN to TNs. TS_NCC indicates the timestamp of message generation, TYPE_MESSAGE indicates the specific function of SAA (authentication, security parameter update, security notification, etc.), SEQUENCE_SIGN indicates the serial number of signatures which is used to prevent replay attacks with TS_NCC, and SIGN_NCC indicates the NCC signature $(S, R_{i})$ . Option in the SAA(0) (SAA(x) means $C ode = x$ ) is empty. On the other hand, in SAA(1), option contains some information, such as available service time of FNs (depending on the duration of SGLs) and the information of SLAAC (64-bit address prefix, the preferred time of the prefix, the valid time of the prefix, etc.).

Figure 4.

Messages format in MASIT protocol: (a) SAA message format, (b) SAS message format, (c) SAR message format.

SAS

The SAS message is used as the response to SAA. As shown in Figure 4(b), it is an SAS message if $T ype = 201$ . After verifying the NCC signature in SAA, TN executes the SLAAC process and generates the SAS message. $C ode = 0$ indicates that the signature verification succeeds, while $C ode = 0$ indicates the failure of the signature verification. LOCATION_TN, TS_TN, and SEQUEENCE_SIGN indicate the TN location information, the timestamp of TN, the sequence number of the verified NCC signature, respectively. According these items in SAS, NCC determines whether the authentication solicitation from the TN is valid or not. SIGN_TN indicates the TN signature $(S, h)$ .

Security Authentication Reply

The SAR message is used as the response to SAS. As shown in Figure 4(c), the SAR message is identified if $T ype = 202$ . $C ode = 0$ indicates that the NCC successfully verifies the TN signature in SAS, while $C ode = 1$ means the verification failure of the TN signature. The allocation information of the CR is written in CR Allocation. The FN and TNs will perform CR allocation and secure access based on the information in SAR. Notely, since the signature parameter $R_{i}$ has been broadcast by FNs in SAA, SIGN_NCC in the SAR only includes the signature parameter $S$ .

As shown in Figure 5, the detailed process of the MASIT protocol is as follows:

Every time after a period $Δ T$ , the NCC prepares a SAA message, calculates its signature $σ_{NCC} = (S, R_{i})$ by $m = TS_NCC | | SEQ_SIGN$ $| | TYPE_MSG,$ and constructs SAA(0) thereafter

The NCC sends SAA(0) to the connected FN

FNs forward SAA(0)

After receiving SAA(0), FNs change the contents of Option in SAA with some information, sets $C ode = 1$ , and constructs SAA(1)

Each FN broadcasts SAA(1) to TNs within its signal coverage

After receiving SAA(1), each TN verifies the NCC signature in SAA(1) according to Verify. If the authentication succeeds, the TN configures the IPv6 address by the SLAAC information in SAA(1), and prepares a SAS(0) message. TN calculates its signature $σ_{TN} = (S, h)$ by $m = TS_TN | | LOC_TN | | SEQ_SIGN | | TYPE_MSG$ and constructs SAA(0). If the authentication fails, the TN constructs the SAS(1) message to indicate the failure of the authentication

The TN sends SAS to the NCC via FNs by unicast

If the NCC receives SAS(1), it indicates that the TN failed to authenticate the NCC. If receiving SAS(0), the NCC verifies the TN signature in SAS(0). If the verification is successful, the NCC authenticates the TN successfully and the access request of the TN is accepted. Thereafter, the NCC allocates CR for the TN by the SAR message. SAR(0) is constructed by generating the NCC signature of the CR allocation message, where the signature parameter $R_{i}$ has been broadcasted in SAA. Therefore, in SAR(0), SIGN_NCC only includes the signature parameter $S$ . If the verification of the TN signature is failed, the NCC constructs SAR(1) to indicate that the authentication fails

The NCC sends SAR to the connected FN

FNs forward SAR

When the FN above the target TN receives SAR(0), it configures CR for the target TN according to SAR(0)

The FN sends SAR to the TN by unicast

If the TN receives the SAR(1), the authentication fails. If receiving SAR(0), the TN configures CR according to SAR(0). After that, the mutual authentication and address configuration have completed.

Figure 5.

MASIT authentication protocol.

In the MASIT protocol, the mutual authentication and address configuration are completed by few interactions at one time, which significantly reduce the total delay of the secure access. Furthermore, by utilizing the sufficient broadcast resources, the MASIT protocol saves the limited unicast resources as possible.

Security proof

In MASIT, two identity-based signatures are designed for mutual authentication between the NCC and the TN. If there is an attacker with adaptively chosen message and identity attacks capabilities, the probability of the attacker successfully forging the existence of a signature is negligible for a secure identity-based signature scheme. In other words, the signature is existential unforgeable secure under adaptively chosen message and identity attacks (EUF-ACMIA).⁹ Generally, the attack mitigation ability of an IBS-based authentication scheme depends on whether the designed signature is EUF-ACMIA. The brief EUF-ACMIA security proof of MASIT signature based on Forking Lemma and random oracle model³² is given below.

NCC signature security proof

First, based on the random oracle model, it is assumed that there is an adaptively chosen message and identity attacker Eve, which can obtain the IBS public parameter $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{2}, I D_{i} 〉$ , where $I D_{i} \in {0, 1}^{*}$ indicates the identity of any user. Eve adaptively queries the random oracles $H_{1}$ and $H_{2}$ , the private key generation oracle Extract and the signing oracle Sign. Let $n_{1}$ , $n_{2}$ , $n_{3}$ , and $n_{4}$ denote the maximum number of times that Eve queries $H_{1}$ , $H_{2}$ , Extract, and Sign, respectively. Then, the following theorem is given.

Theorem 1

Under the random oracle model, for the IBS scheme, if there is an adaptively chosen message and identity attacker Eve who can output a new valid quintuple $(ID, m, r, h, s)$ by inputting $params$ with a non-negligible probability $ε$ within a duration $T$ , where $ID$ indicates the identity, $m$ indicates the signed message and $(r, h, s)$ indicates the IBS signature of $m$ . If $ε \geq 10 (n_{4} + 1) (n_{2} + n_{4}) / q$ and $(r, h, s)$ can be generated with probability $ε$ and without the private key, Eve can construct the attacker Eve + who can generate two valid quintuple $(ID, m, r, h, s)$ and $(ID, m, r, h', s')$ within the duration $120686 n_{1} n_{2} (T + n_{4} t_{0}) / ε$ , where $h \neq h'$ and $t_{0}$ is the time of signing.

Since NCC signature scheme is a general IBS scheme, it satisfies the conditions in Theorem 1. Therefore, an NCC signature simulator can be constructed as follows.

Simulator 1

After randomly selecting $c \in Z_{q}^{*}$ , $h \in Z_{q}^{*}$ and inputting $〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{2}, I D_{X} 〉$ and message $m$ , it calculates $S = cP$ and $R = c (P_{pub} + H_{1} (I D_{X}) P) - hP$ , where $R \neq 0$ . Then, $(R, h, S)$ is output.

Therefore, $(R, h, S)$ in the NCC signature scheme can be simulated without the private key, which satisfies Theorem 1. Thus, according to Theorem 1, the attacker Eve can construct the attacker Eve₁ to generate two different valid signatures $(ID, m, R, h, S)$ and $(ID, m, R, h', s')$ within the duration $120686 n_{1} n_{2} (T + n_{4} t_{0}) / ε$ , where $h \neq h'$ . It means that an algorithm $F_{1}$ with probability polynomial time complexity can be proposed by the attacker $Ev e_{1}$ to solve the $k$ -CAA problem. Algorithm $F_{1}$ is given as follows:

F ₁ generates the bilinear mapping parameters $〈 q, P, G_{1}, G_{2}, \hat{e} 〉$ involved in IBS, randomly selects $aP \in G_{1}$ , lets $P_{pub} = aP$ , and selects the hash function $H_{1} : {0, 1}^{*} \to Z_{q}^{*}$ , $H_{2} : {0, 1}^{*} \times G_{1} \to Z_{q}^{*}$ .

F ₁ runs the attacker Eve₁ by inputting the system parameter of the NCC signature scheme $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{2} 〉$ ;

Eve₁ outputs two valid signatures $(ID, m, R, h, S)$ and $(ID, m, R, h', S')$ , where $h \neq h'$ . Then $(a + H_{1} (ID))^{- 1} P$ can be calculated as follows

\begin{matrix} {(a + H_{1} (ID))}^{- 1} P = {(h - h')}^{- 1} (S - S') . \end{matrix}

That is, F₁ successfully outputs $(a + H_{1} (ID))^{- 1} P$ .

If the NCC signature is existential forgeable under adaptively chosen message and identity attacks, an algorithm F₁ with probabilistic polynomial time complexity could be proposed, which calculates $(a + H_{1} (ID))^{- 1} P$ when ${P, a P, h_{1}, \dots, h_{k} \in Z_{q}^{*}, {(a + h_{1})}^{- 1}$ $P, \dots, {(a + h_{k})}^{- 1} P}$ is given, where $H_{1} (ID) \in Z_{q}^{*}$ , $H_{1} (ID) \notin {h_{1}, \dots, h_{k}}$ and $a, k \in Z_{q}^{*}$ . In other words, the $k$ -CAA problem can be solved. Regarding this problem as a known problem, it can be proved that the NCC signature is EUF-ACMIA.

TN signature security proof

The private key generation method of the TN signature is same as the NCC signature, so it can be proved that the TN signature is also EUF-ACMIA.

Since the TN signature scheme is a general IBS scheme and satisfies the conditions in Theorem 1, a TN signature simulator can be constructed as follows.

Simulator 2

After randomly selecting $S \in G_{1}$ , $h \in Z_{q}^{*}$ and inputting $〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{3}, I D_{X} 〉$ and message $m$ , it calculates $r = \hat{e} (S, P_{pub} + H_{1} (I D_{X}) P) \cdot p^{h}$ , where $r \neq 1$ . Then, $(r, h, S)$ is output.

Therefore, $(r, h, S)$ in the TN signature scheme can be simulated without the private key, which satisfies Theorem 1. Thus, according to Theorem 1, the attacker Eve can construct the attacker Eve₂ to generate two different valid signatures $(ID, m, r, h, S)$ and $(ID, m, r, h', S')$ within the duration $120686 n_{1} n_{2} (T + n_{4} t_{0}) / ε$ , where $h \neq h'$ . It means that an algorithm $F_{2}$ with probability polynomial time complexity can be proposed by the attacker $Ev e_{2}$ to solve the $k$ -CAA problem. Algorithm $F_{2}$ is given as follows:

F₂ generates the bilinear mapping parameters $〈 q, P, G_{1}, G_{2}, \hat{e} 〉$ involved in IBS, randomly selects $aP \in G_{1}$ , lets $P_{pub} = aP$ , and selects the hash function $H_{1} {0, 1}^{*} \to Z_{q}^{*}$ , $H_{3} {0, 1}^{*} \times G_{2} \to Z_{q}^{*}$ ;

F₂ runs the attacker Eve₂ by inputting the system parameter of the TN signature scheme $params = 〈 q, P, G_{1}, G_{2}, \hat{e}, P_{pub}, H_{1}, H_{3} 〉$ ;

Eve₂ outputs two valid signatures $(ID, m, r, h, S)$ and $(ID, m, r, h', S')$ , where $h \neq h'$ . Then $(a + H_{1} (ID))^{- 1} P$ can be calculated as follows

\begin{matrix} {(a + H_{1} (ID))}^{- 1} P = {(h - h')}^{- 1} (S' - S) \end{matrix}

That is, F₂ successfully outputs $(a + H_{1} (ID))^{- 1} P$ .

If the TN signature is existential forgeable under adaptively chosen message and identity attacks, an algorithm F₂ with probabilistic polynomial time complexity could be proposed to solve the $k$ -CAA problem. Therefore, the TN signature is EUF-ACMIA.

Performance analysis

In MASIT, $G_{1}$ with order $q$ is generated by points on the super singular elliptic curve $E : y^{2} = x^{3} + x$ defined on the finite field $F_{p}$ , where the length of prime number $p$ is 512 bits and the length of prime number $q$ is 160 bits. Thus, the security strength of MASIT can be comparable with the 1024-bit RSA algorithm.³³ In the simulation, three benchmark schemes, including classic RSA signature scheme, Hess’s IBS scheme and Cha-Cheon’s IBS scheme, are compared. Operations involved in MASIT, Hess, Cha-Cheon, and RSA are denoted as follows:

$Pairing$ : A bilinear pairing operation $\hat{e} : G_{1} \times G_{1} \to G_{2}$ .

$Mu l_{1}$ : A point multiplication operation $aA$ , where $a \in Z_{q}^{*}$ and $A \in G_{1}$ .

$Mu l_{2}$ : A multiplication operation $g_{1} g_{2}$ , where $g_{1}, g_{2} \in G_{2}$ .

$Ad d_{1}$ : A addition operation $A + B$ , where $A, B \in G_{1}$ .

$Ad d_{2}$ : A addition operation $a + b$ , where $a, b \in Z_{q}^{*}$ .

$Sub$ : A subtraction operation $a - b$ , where $a, b \in Z_{q}^{*}$ .

$Has h_{1}$ : A hash function operation $H_{1} : {0, 1}^{*} \to Z_{q}^{*}$ .

$Has h_{2}$ : A hash function operation $H_{2} : {0, 1}^{*} \times G_{1} \to Z_{q}^{*}$ .

$Has h_{3}$ : A hash function operation $H_{3} : {0, 1}^{*} \times G_{2} \to Z_{q}^{*}$ .

$Has h_{4}$ : A hash function operation $H_{4} : {0, 1}^{*} \to G_{1}^{*}$ .

$Exp$ : A exponentiation operation $g^{a}$ , where $g \in G_{2}$ and $a \in Z_{q}^{*}$ .

$RS A_{sign}$ : A signing operation of RSA.

$RS A_{verify}$ : A verification operation of RSA.

$G$ : The maximum length of the elements in $G_{1}$ .

$Z$ : The maximum length of the elements in $Z_{q}^{*}$ .

$S$ : The length of RSA signature.

$C$ : The length of RSA certificate.

The computational overhead and the transmission overhead of each scheme are shown in Table 3.

Table 3.

Performance analysis of authentication scheme.

Scheme	Computational overhead (contents in parentheses mean precomputed operation)		Transmission overhead
	Signing	Verifying	Signature	Certificate
Hess	$Has h_{3} + Mu l_{1} + Ad d_{1}$ $(+ Pairing + Exp + Mu l_{1})$	$Has h_{3} + Has h_{4} + Mu l_{2} + 2 Pairing + Exp$	$G + Z$	\
Cha-Cheon	$Has h_{2} + Ad d_{2} + Mu l_{1}$ $(+ Mu l_{1})$	$Has h_{2} + Has h_{4} + Mu l_{1} + Ad d_{1} + 2 Pairing$	$2 G$	\
RSA	$RS A_{sign}$	$RS A_{verify}$	$S$	$C$
MASIT_NCC	$Has h_{2} + Ad d_{2} + Mu l_{1}$ $(+ Mu l_{1})$	$Has h_{1} + Has h_{2} + 2 Mu l_{1} + 2 Ad d_{1} + 2 Pairing$	$G$	\
MASIT_TN	$Has h_{3} + Sub + Mu l_{1}$ $(+ Pairing + Exp)$	$Has h_{1} + Has h_{3} + Mu l_{1} + Ad d_{1} + Pairing$ $+ Mu l_{2} + Exp (+ Pairing)$	$G + Z$	\

To simulate the real performance of SIoT, the related operations are tested in the Ubuntu 14.04 LTS system with the 2G memory and 3.40 GHz single-core Intel CPU and the CentOS 8.0 system with the 1G memory and 1 GHz ARM-A8 CPU, which represent the NCC and the TN respectively. Based on the PBC library, the GMP library, and the Openssl library, the tested time overhead of each operation is as shown in Table 4.

Table 4.

Comparison of operation time overhead.

Operation	Time overhead of the network control center (ms)	Time overhead of the terrestrial node (ms)
$Pairing$	0.8022023	23.2665560
$Mu l_{1}$	1.2500926	14.9972325
$Mu l_{2}$	0.0006500	0.0184427
$Ad d_{1}$	0.0033920	0.0582558
$Ad d_{2}$	0.0000113	0.0001646
$Sub$	0.0000103	0.0001237
$Exp$	0.1062024	3.0108536
$Has h_{1}$	0.0003359	0.0044795
$Has h_{2}$	0.0014550	0.0204250
$Has h_{3}$	0.0014328	0.0204545
$Has h_{4}$	2.5968867	31.1608060
$RS A_{sign}$	4.1687417	76.9674100
$RS A_{verify}$	2.5761635	29.4405450

According to the simulation results, operations such as $Mu l_{1}$ , $Pairing$ , $Has h_{4}$ , and $Exp$ have a greater impact on the efficiency of the IBS scheme while other operations have little effect. In terms of transmission overhead, $G$ on the elliptic curve with a 512-bit $p$ is 128 bytes, and $Z$ of $Z_{q}^{*}$ with a 160-bit $q$ is 20 bytes, $S$ is 256 bytes and $C$ is approximately 1500 bytes, where RSA is generated by Openssl with a 1024-bit key. Then, the performance comparison of different schemes in the NCC and the TN is shown in Table 5.

Table 5.

Comparison of actual performance of different authentication schemes.

Scheme	Compute overhead of the network control center		Compute overhead of the terrestrial node		Transmission overhead
	Signing (ms)	Verifying (ms)	Signing (ms)	Verifying (ms)	Signature + Certificate (bytes)
Hess	1.25491727	4.30957640	15.07594281	80.74366888	148
Cha-Cheon	1.25155885	5.45623082	15.01782209	92.76983139	256
RSA	4.16874172	2.57616346	76.96741	29.440545	About 1756
MASIT_NCC	1.25155885	\	\	76.66899328	128
MASIT_TN	\	2.16430776	15.01781067	\	148

In Table 5, it can be observed that the IBS scheme has obvious advantages over the RSA scheme in terms of the signing time and transmission overhead. As shown in Figure 6(a), compared with the classic IBS scheme, the MASIT_TN signature scheme greatly improves the verification overhead of the NCC, which is beneficial to the high concurrent authentication in the NCC. About the transmission overhead, MASIT_NCC is better than the traditional IBS scheme, which effectively reduces the authentication transmission overhead. Besides, as shown in Table 5, the compute overhead of the TN is much heavier than that of the NCC, which is caused by the difference of their compute performance. Thus, reducing the compute overhead of the TN can significantly facilitate the whole authentication process. According to Figure 6(b), the TN compute overhead of the MASIT scheme is reduced effectively. In general, compared to the classic IBS solution, the TN signature verification time of MASIT is reduced by approximately 50% to 60%, and the NCC signature size is reduced by approximately 13% to 50%.

Figure 6.

Comparison of performance test results: (a) Verifying overhead of the NCC, (b) Compute overhead of the TN, (c) Transmission overhead.

In terms of mutual authentication, compared with the traditional “request-response” authentication mode, MASIT periodically broadcasts the NCC signature in SAA by the sufficient broadcast bandwidth, and completes TN-authenticate-NCC in advance by considering the broadcast advantage of SIoT. Considering the case that the number of TNs covered by an FN per minute is $n$ , the NCC and TNs in the traditional mode need to interact at least $2 n$ messages to achieve the mutual authentication. On the other hand, when FNs broadcast SAA $f$ times per minute, the NCC and TNs only need to interact $n + f$ messages to complete the mutual authentication. As shown in Figure 7, in the authentication scenario for massive IoT nodes, $n$ is much larger than $f$ . Thus, the number of interactive messages in the MASIT protocol is significantly smaller than that in the traditional mode. In other words, MASIT can greatly reduce the bandwidth overhead of the mutual authentication.

Figure 7.

Comparison of interactions of different authentication schemes.

The MASIT protocol completes the mutual authentication and the SLAAC mechanism of IPv6 by few interactions between the NCC and the TN. In the traditional “request-response authentication + address configuration” mechanism, the TN and the NCC need to exchange three messages to authenticate each other and other three messages to configure TN’s address. In the MASIT protocol, the TN and the NCC only need to exchange three messages to achieve the mutual authentication and SLAAC. Thus, the number of interactions is reduced by 50% compared with the traditional mechanism.

Conclusion

In this article, we proposed MASIT, an identity-based lightweight mutual authentication method for SIoT based on IPv6 and broadcast preauthentication. In MASIT, to avoid the complex certificate management problem of PKI, the identity-based authentication is designed, which generates the public key from IID in the IPv6 address. Besides, MASIT completes the mutual authentication and IPv6 address configuration through less interactions. More importantly, considering the advantages of broadcast in SIoT, we carefully designed the NCC signature and TN signature respectively. Under the random oracle model, by reducing the attack against the MASIT signature to the $k$ -CAA problem, it is proved that the two signatures in MASIT is EUF-ACMIA. Finally, the performance comparison among MASIT and classical IBS schemes is conducted. Real platform experimental results showed that, compared with the classic IBS scheme, the TN signature verification time of MASIT is reduced by about 50% to 60%, and the NCC signature size of MASIT is reduced by about 13% to 50%.

However, as further research discussions, there are more authentication concerns to be addressed in the emerging SIoT scenario. For instance, due to the natural mobility of FNs, TNs need to frequently switch links between different FNs and different beams within the same FN. To ensure continuous and stable network accesses, the link switching process also requires a fast authentication to avoid denial of service attacks. Besides, to protect entities’ privacy, the anonymous authentication should be further considered. Further research efforts should be taken to address this concerns.

Footnotes

Handling Editor: Gaurav Sharma

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The work described in this paper is supported by the National Key R&D Program of China under Grants 2017YFB0802300 and the Soonchunhyang University Research Fund.

ORCID iD

Ilsun You

References

Shih

Chou

Lin

. Wukong: secure run-time environment and data-driven IoT applications for smart cities and smart buildings. J Internet Serv Inf Secur 2018; 8(2): 1–17.

Taqieddin

Awad

Ahmad

. Location-aware and mobility-based performance optimization for wireless sensor networks. Jowua 2017; 8(4): 37–59.

Kaur

Randhawa

. Google loon: balloon-powered internet for everyone. AIP Conf Proc 2018; 2034(1): 020006.

Kato

Md Fadlullah

Tang

et al . Optimizing space-air-ground integrated networks by artificial intelligence. IEEE Wireless Comm 2019, https://arxiv.org/abs/1808.01053

Sharma

You

Seo

et al . Secure and reliable resource allocation and caching in aerial-terrestrial cloud networks (ATCNs). IEEE Access 2019; 7: 13867–13881.

Choudhary

Kim

Sharma

. Security of 5g-mobile backhaul networks: a survey. Jowua 2018; 9(4): 41–70.

Wang

Zhu

Gong

et al . Channel state information-based detection of sybil attacks in wireless networks. J Internet Serv Inf Secur 2018; 8(1): 2–17.

Hess

. Efficient identity based signature schemes based on pairings. In: Nyberg

Heys

(eds) Revised papers from the 9th annual international workshop on selected areas in cryptography (SAC ’02), London: Springer, pp.310–324.

Cha

Cheon

. An identity-based signature from gap Diffie-Hellman groups. In: Desmedt

(ed.) Proceedings of the 6th international workshop on theory and practice in public key cryptography: public key cryptography (PKC ’03), London: Springer, pp.18–30.

10.

Kumar

Choo

KKR

et al . Efficient hierarchical identity-based signature with batch verification for automatic dependent surveillance-broadcast system. IEEE Trans Informat Forensics Security 2016; 12: 454–464.

11.

Zhang

Ding

et al . Secure and efficient two-party signing protocol for the identity-based signature scheme in the IEEE p1363 standard for public key cryptography. IEEE Trans Depend Secure Comput. Epub ahead of print 19 July 2018. DOI: 10.1109/TDSC.2018.2857775.

12.

Ouada

Mawloud

Bouabdallah

et al . Lightweight identity-based authentication protocol for wireless sensor networks. Int J Informat Comp Security 2016; 8(2): 121–138.

13.

Tsai

. Provably secure and efficient anonymous id-based authentication protocol for mobile devices using bilinear pairings. Wireless Person Comm 2015; 83(2): 1–14.

14.

Feng

Liu

. Practical identity-based authentication protocol for ad-hoc networks. In: IEEE international conference on software engineering & service science, https://ieeexplore.ieee.org/document/7883087

15.

Balasubramanian

Mishra

Sridhar

. Secure key management for NASA space communication. In: ICNS conference, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.132.8266&rep=rep1&type=pdf

16.

Hao

Ren

et al . A kind of authentication routing protocol based on double satellite network in space information network. Comp Sci 2011; 38(2): 79.

17.

Qian

Cao

Chen

et al . A certificate revocation scheme for space network. In: 5th international conference on wireless communications, networking and mobile computing (WiCom’09), Beijing, China, 24–26 September 2009, pp.1–5. New York: IEEE.

18.

Fang

Jian-Feng

Zhong

. A distributed certificate revocation mechanism for space information network. J Astronautics 2011; 32(8): 1778–1785.

19.

Roy-Chowdhury

Baras

. Energy-efficient source authentication for secure group communication with low-powered smart devices in hybrid wireless/satellite networks. EURASIP J Wireless Comm Netw 2011; 2011: 392529.

20.

Yoon

Yoo

Hong

et al . An efficient and secure anonymous authentication scheme for mobile satellite communication systems. EURASIP J Wireless Comm Netw 2011; 2011(1): 86.

21.

Gope

Hwang

. Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst J 2016; 10(4): 1370–1379.

22.

Liu

Zhang

et al . A lightweight authentication scheme based on self-updating strategy for space information network. Int J Satellite Comm Netw 2017; 35(3): 231–248.

23.

Zhao

Shi

Huang

et al . Authentication scheme based on hashchain for space-air-ground integrated network. arXiv. http://arxiv.org/abs/1902.03683

24.

Luo

Xing

et al . Research on identity-based distributed key management in space network. J Electr Informat Tech 2010; 32(1): 183–188.

25.

. Id-based private-key management scheme in distributed satellite network. Comp Sci 2011; 38(10): 96–99.

26.

Zhou

Liu

Dong

et al . A scheme of identity-based satellite network key management. Comp Tech Dev 2013, http://en.cnki.com.cn/Article_en/CJFDTotal-WJFZ201311038.htm

27.

Liu

Wei

. A distributed authentication protocol using identity-based encryption and blockchain for LEO network. In: Wang

Atiquzzaman

Yan

et al . (eds) International conference on security, privacy and anonymity in computation, communication and storage. London: Springer, pp.446–460.

28.

Jara

Ladid

Gómez-Skarmeta

. The internet of everything through ipv6: an analysis of challenges, solutions and opportunities. Jowua 2013; 4(3): 97–118.

29.

Zhang

Safavi-Naini

Susilo

. An efficient signature scheme from bilinear pairings and its applications. In: Bao

Deng

Zhou

(eds) International workshop on public key cryptography. New York: Springer, pp.277–290.

30.

Sakai

Kasahara

. Id based cryptosystems with pairing on elliptic curve. IACR Cryptol 2003; 2003: 54.

31.

Barreto

Libert

McCullagh

et al . Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy

(ed.) International conference on the theory and application of cryptology and information security. New York: Springer, pp.515–532.

32.

Bellare

Rogaway

. Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the ACM CCS-93, pp.62–73, https://dl.acm.org/citation.cfm?id=168596

33.

Lenstra

Verheul

. Selecting cryptographic key sizes. J Cryptol 2001; 14(4): 255–293.

Toward efficient authentication for space-air-ground integrated Internet of things

Abstract

Keywords

Introduction

Related work

Authentication based on PKI

Authentication based on hash function and symmetric encryption

Authentication based on IBC

The SIoT authentication problem

The SIoT scenario

Nodes

Links

Addresses

Analysis of SIoT authentication

The proposed MASIT scheme

Preliminaries

Bilinear pairing

Computational problems

The signature design

NCC signature

TN signature

The authentication procedure

Initialization

Registration

NCC signature broadcast

TN authentication solicitation

NCC verification

MASIT protocol design

SAA

SAS

Security Authentication Reply

Security proof

NCC signature security proof

Theorem 1

Simulator 1

TN signature security proof

Simulator 2

Performance analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References