Introduction

The rise of IoV technology has not only changed the way people travel, but also made people's driving environment more and more comfortable [1]. However, the interconnection of networks between vehicles brings various information security, which makes the attack surface of the internal vehicle networks rise sharply, especially for remote attacks [2, 3]. In 2013, Toyota Prius cars were attacked by a hacker through the On-Board Diagnostic (OBD) interface and the braking systems were illegally manipulated, which caused traffic accidents [2]. In 2015, the 360 Crack team successfully cracked Build Your Dreams (BYD) and Tesla intelligent vehicles through remote and short-range attacks [4]. In the same year, Charlie Miller and Chris Valasek demonstrated the process of remotely attacking the Jeep Cherokee on-board system, including manipulation of speed, direction, brakes, and wipers [5]. In 2016, Tencent Keen Security Lab remotely reset the Bluetooth connection password of the Xiaomi Millet Nine Balancing Vehicle to achieve illegal manipulation. The following year, Tencent Keen Security Lab again found multiple high-risk vulnerabilities of security in Tesla's in-vehicle network [6]. In 2019, Tencent Cohen Lab can remotely gain the root privileges of the "Autopilot Electronic Control Unit (ECU)" module and control the steering system of the vehicle [7].

The above security issues are attributed to the lack of security protection mechanism in the traditional in-vehicle network [4]: 1) External devices have unrestricted access to in-vehicle data via wireless, Bluetooth, cellular network or OBD [8, 9]. 2) The information data of in-vehicle network are transmitted in the form of broadcast and plaintext, such as in the CAN bus. The broadcast data frame does not cover the source address and destination address [10]. Although [11–15] studied the security of in-vehicle networks to address these emerging issues, these in-vehicle security schemes focus on ensuring secure communication between ECUs with little consideration for the security issues introduced by external devices connected to the vehicle. The remote attacks on vehicles usually come from external networks or devices. If we only protect the vehicle network, such as data encryption, ECU authentication, data access control, which seems to be unable to play a decisive role, illegal devices can still inject malicious data frames into the vehicle network. Therefore, it is urgent to study the resistance to the invasion of external malicious nodes.

Related work

Considering that the security of in-vehicle networks directly threatens the security of users' lives and property, the information security problems caused by external devices have to be solved. However, due to the low computing power of the ECU, solving the problems of vehicle network information security is still a huge challenge [1]. In order to resist forgery attacks, tampering attacks, replay attacks, and privacy leak attacks, researchers have studied many authentication schemes in the IoV or in-vehicle network [3, 12]. Research on authentication protocols based on privacy protection policies is the main method to ensure the integrity, reliability, and identity privacy of message transmission. It is also the basis for ensuring the security of information transmission in IoV. When any entity in the IoV receives relevant traffic messages, it must first pass authentication to ensure that the source of the message is reliable, the content is complete and authentic, has not been tampered with and replayed, and the identity of the user has not been leaked.

In order to solve the problem of certificate management in Public Key Infrastructure (PKI), Shamir [16] proposed identity-based cryptosystems in 1984. In this system, the identity information of each user can be used as the user's public key, such as e-mail name, phone number, ID number. The third-party trusted Public Key Generator (PKG) computes a private key based on the public key for each user and sends it to the user. Users can use the public and private keys in their hands for data encryption and digital signature operations. The cryptosystems provide data integrity mechanisms, digital envelopes, user identification, user authentication, and other technologies. On this basis, Shamir et al. [17, 18] proposed a zero-knowledge identity authentication scheme based on QR, but this scheme cannot effectively resist key guessing attacks. Kumari et al. [19] proposed an improved smart card based authentication scheme for session initiation protocol, which increases the probability of resisting key guessing attacks.

In the application scenario of IoV, Chim [20] proposed an identity-based authentication scheme, which is based on a bilinear pairing algorithm, can support batch authentication, and has low computing energy consumption. However, Horng et al. [21] believed that Chim's scheme could not resist forgery attacks and proposed a security scheme to overcome the problem of forgery attacks. However, since this scheme is based on bilinear pairing operations, its calculation time is three times that of ordinary dot multiplication operations [22]. Wang and Liu [23] proposed a certificate-based multi-level security authentication scheme that integrates all the inside and outside interfaces of the vehicles into the On Board Unit (OBU). However, in the system initialization of this scheme, a secure channel is used to transmit the symmetric key, and only the certificate is used for authentication during the two-way handshake authentication process. Therefore, the security of this solution is not high. Woo et al. [24] proposed to split the truncated MAC into the extended ID field and CRC field of the data frame, which can reduce the bus load, but it makes the data frame lack security and cannot verify the error during transmission. In addition, the scheme they proposed only had key negotiation for external devices and no identity verification, which greatly increased security risks. Li et al. [25] proposed a robust and energy-saving three-factor authentication protocol that can block the most common attacks and provide some ideal functions. The protocol reduces the power consumption and computational cost of nodes by using appropriate communication models and lightweight algorithms. Ying and NAYAK [26] proposed an anonymous lightweight authentication method based on smart card protocol, which uses low-cost encryption operations to verify the legitimacy of vehicles and data messages. From the above, these literatures use the identity-based key system in the IoV, combining the different characteristics of the IoV, to achieve the reliability and confidentiality of information transmission. Although many solutions can guarantee high security, most of them are not applicable in the scenario of fast connection authentication of the IoV. Therefore, it is of great research value to design a safe and effective authentication scheme for the connected vehicle application scenario.

Background

Quadratic residue problem

Definition 1 [27, 28]: Let n be a positive integer. If the congruence x² ≡ a mod n have a solution and gcd (a, n) = 1, then a is called the quadratic residue of modulo n, where gcd means taking the greatest common divisor. Otherwise, a is called the quadratic non-residue of the module n.

The important conclusion about quadratic residue in number theory is given here directly: if n = p * q, where p and q are two prime numbers, a is the quadratic residue of modulo n if and only if formula (1) holds, where the symbol () in formula (1) is the Jacobi symbol. Based on this, the definitions of quadratic residue and pseudo-quadratic residue are given, as defined 2.

(1)

Definition 2 [27, 28]: QR(n) represents the set of quadratic residues of all modules n and represents the set of pseudo quadratic residues of all modules n, and their definitions are as follows: (2) (3)

QR problem: from Definition 2 and Jacobi symbol correlation operation, it can be known that for any x ϵ QR(n), there is formula (4); if formula (5) holds, then x ϵ QR(n) or . Only by knowing the values of p and q can you determine which set x belongs to. In other words, given a composite number n and an x (x ϵ Z_n), x is determined to be the quadratic residue of the modulus n, where n is obtained by multiplying two large prime numbers p and q.

QR hypothesis: Let F_QR be a polynomial probability time efficient algorithm for solving QR problem. The Adv_QR = Prob[F_QR(n,x) = yes (x ϵ QR(n))] is used to represent the probability that the algorithm F_QR solves the QR problem in polynomial time. If and only if there is no polynomial probability time algorithm which can solve the QR problem, the QR hypothesis is true (i.e., Adv_QR is negligible).

(4)(5)

Analysis of feige-fiat-shamir identification scheme

The Feige-Fiat-Shamir [17, 29, 30] identification scheme [30] is derived from the Fiat-Shamir [18] identification scheme, which is based on the intractability of computing square roots modulo n [29]. The parallel interactive mode’s process of the FFS identification scheme [31, 32] is shown in Fig 1.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. FFS identification scheme.

https://doi.org/10.1371/journal.pone.0239043.g001

Attackers can use public keys to forge a promise to spoof. The forgery process is shown in Fig 2. FFS identification scheme is provably secure against chosen message attack in the following sense: provided that factoring n is difficult, the best attack has a probability 2^−kt of successful impersonation [29]. Choosing k and t such that k*t = 20 allows a 1 in a million chance of impersonation, which suffices in the case that an identification attempt requires a personal appearance by a would-be impersonator [29]. Specific parameter choices might be, for security 2⁻²⁰: k = 5, t = 4. At present, the value of the number of bits of the parameter n requires more than 1024 bits in terms of calculation security [33]. Dhanya and Megha [33] Proposed an improved parallel interactive Feige-Fiat-Shamir identification scheme with almost zero soundness error and complete zero-knowledge. If the FFS authentication scheme is applied to an actual network communication environment, the security parameters need to be weighed. However, because of the high requirements for communication time in some application environments, these identification schemes seem not so suitable. To make identification schemes like FFS applicable to demanding application environments, further improvements are needed, which is also worth studying.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The attacker guesses in advance and hides the corresponding public key in the promise x.

Then, ignore the received b_i, and directly send the random number r as the response y to the verifier. Finally, if are equal to b_i, the forgery is successful.

https://doi.org/10.1371/journal.pone.0239043.g002

Attack model and security threat assessment

Attack model

In reality, the attacker is more inclined to conduct remote attacks on vehicles. Vulnerabilities of in-vehicle networks include weak access control mechanisms, plaintext transmission and no identity authentication. If an attacker wants to control the vehicle through vulnerabilities of in-vehicle networks, he can pretend to be a legitimate external device, such as mobile phones and headphones, to deceive the vehicle communication unit, such as navigation systems and entertainment information systems. It is challenging to attack the in-vehicle CAN network through remote attacks. The attacker needs to first break through the vehicle communication unit, such as OBU and telematics. After successfully controlling the in-vehicle communication unit, they can steal and analyze the data in the CAN network, then fake the legitimate data frames, and inject them into the CAN network, which will cause great harm to the in-vehicle key ECUs [35]. Fig 3 presents the eight common attack surfaces and their attack processes. If the attacker is around the car, he can invade from the following attack surfaces including Wi-Fi, Cellular network, Car virtual key, Sensor and Bluetooth. If the attacker is sitting in the car, he can attack from the following attack surfaces including In-Vehicle Infotainment, USB, OBD-II. In Fig 3, although OBD and USB appear to be short-range attack surfaces, they can be combined with remote attack surfaces to attack [24]. We don't consider Denial of Service (DoS) attacks.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. FFS identification scheme.

https://doi.org/10.1371/journal.pone.0239043.g003

The proposed scheme

Zero-knowledge proof is that the prover can make the verifier believe that a certain conclusion is correct without providing the verifier with any useful information, which has better security. We adopted this method to hide the private key information of the prover. Furthermore, we chose the FFS zero-knowledge identity authentication based on QR, because the calculation amount of its one-round authentication is not particularly large, and it can be applied to ECUs whose computing power is not particularly high. However, the FFS scheme requires many rounds of certification, which limits its application to a certain extent, such as a high-velocity connected car environment. If the FFS scheme can be further optimized and improved, it would be better.

In order to better describe our protocols, the main notations in the scheme are summarized in the Table 1. As shown in Fig 4, the designed effective and safe identity authentication scheme mainly includes the following two parts:

System initialization: the Trusted Authority (TA) first initializes the system to calculate and disclose system parameters, and then distributes public-private key pairs and calculates identity authentication parameters for the mobile phone and vehicle-mounted terminals applying for registration.

Identity authentication: The proposed scheme is adopted between the mobile phone and the vehicle, which avoids sending certificates to trusted authorities, improves the efficiency of node identity authentication, and addresses privacy issues in the process.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. System model.

A represents for the message sent by TA to Vehicle, including TA's public key PK_TA and parameters. B represents for the message sent by TA to ED, including signature δ_EDv, ED's public key v_i and private key s_i. C-F represents the messages passed in the process of identity authentication. The order of A-F is defined according to the order of events.

https://doi.org/10.1371/journal.pone.0239043.g004

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Notations used for protocol.

https://doi.org/10.1371/journal.pone.0239043.t001

System initialization

As shown in Fig 5, after the ED sends the registration request, TA selects two large prime numbers p and q, calculates n = p * q, and make the parameter n public. TA selects k(k≥2) random integers that are prime and different from each other as the private keys s₁,s₂, …,s_k(1≤s_i<,1≤i≤k), calculates the corresponding public keys , and then signs the public keys to generate . Finally, these parameters are secretly sent to the registered external device. It is assumed that the registered external device and the vehicle have downloaded or saved the public key PK_TA of TA. It is assumed that the vehicle has already been registered. Here we only considered the detailed initialization of ED.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. System initialization.

https://doi.org/10.1371/journal.pone.0239043.g005

Identity authentication

For a better description, the external device is referred to as ED, and the vehicle is referred to as CU (i.e., communication unit). After the system initialization, we proposed two schemes for CU to ED authentication. As shown in Algorithm 1 and Fig 6, the basic scheme is that CU authenticates the identity of ED for the first time. Concrete steps are as follows.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Identity authentication.

https://doi.org/10.1371/journal.pone.0239043.g006

Step 1: ED chooses random number r, where r<n, and compute x by (6) and HMCA(·)₁ by (7), Then, ED sends Msg₁(x∥δ_EDv∥HMCA(·)₁) to CU. ED increases CTR_ED by 1.

(6)(7)

Step 2: After receiving message Msg₁, CU uses the hash function H() to generate for CTR_ED, x, and ID_ED by (8), and compares it with HMCA(·)₁ in Msg₁ to ensure the validity of Msg₁. After successful verification, CU decrypts δ_EDv in Msg₁ by PK_TA and check ID_ED∥ID_TA∥TS. If ID_ED∥ID_TA∥TS are valid, CU saves ID_ED and v₁∥v₂∥…v_k to the secure storage. Further, CU randomly selects k-bit binary bit strings b₁∥b₂∥…b_k and compute HMCA(·)₂ by (9). Finally, CU sends Msg₂(B∥HMCA(·)₂∥) to ED, where B is b₁∥b₂∥…b_k. CU increases CTR_ED and CTR_CU by 1.

(8)(9)

Step 3: After receiving message Msg₂, ED uses the hash function H() to generate for CTR_CU, B, and ID_CU by (10), and compares it with HMCA(·)₂ in Msg₂ to ensure the validity of Msg₂. After successful verification, ED computes y₁ by (11), y₂ by (12) and HMCA(·)₃ by (13). Finally, ED sends Msg₃(y₁∥y₂∥HMCA(·)₃) to CU. ED increases CTR_ED and CTR_CU by 1.

(10)(11)(12)(13)

Step 4: After receiving message Msg₃, CU uses the hash function H() to generate for CTR_ED, y₁, y₂ and ID_ED by (14), and compares it with HMCA(·)₃ in Msg₃ to ensure the validity of Msg₃. After successful verification, CU compute x₁ and x₂ by (15) and (16). If x = x₁ =x₂, ED is successfully authenticated by CU and CU sends Msg₄(result∥HMCA(·)₄) to ED, where result is 1 and HMCA(·)₄ is computed by (17). Otherwise, ED is not authenticated by CU and CU sends Msg₄(result∥HMCA(·)₄) to ED, where result is 0 and HMCA(·)₄ is computed by (12). CU increases CTR_ED and CTR_CU by 1.

(14)(15)(16)(17)

Step 5: After receiving message Msg₄, ED uses the hash function H() to generate for CTR_ED, y₁,y₂ and ID_ED by (18), and compares it with HMCA(·)₄ in Msg₄ to ensure the validity of Msg₄. After successful verification, if result is 1, ED is successfully authenticated by CU. Otherwise, ED is not authenticated by CU. ED increases CTR_CU by 1.

(18)

Algorithm 1 Authentication Protocol

1: ED: Choose random number r(r<n)

  Compute x = r² mod n

 ED➜CU:Msg₁(x∥δ_EDv∥HMCA(·)₁)

  Where HMCA(·)₁ =H(CTR_ED∥x∥ID_ED)

 CTR_ED++

2: CU: Verify the validity of Msg₁

 If HMCA(·)₁ are valid then

  Decrypt δ_EDv in Msg₁ by PK_TA and check ID_ED∥ID_TA∥TS

  If ID_ED∥ID_TA∥TS are valid, then Obtain v₁∥v₂∥…v_k

   Randomly select k-bit binary bit strings b₁∥b₂∥…b_k

   CU➜ED: Msg₂(B∥HMCA(·)₂∥)

    Where B = b₁∥b₂∥…b_k,

     HMCA(·)₂ =H(CTR_CU∥B∥ID_CU)

   CTR_CU++, CTR_ED++

  else Refuse the request information

 else Refuse the request information

 endif

3: ED: Verify the validity of Msg₂

 if HMCA(·)₂ are valid then Compute

  ED➜CU:Msg₃(y₁∥y₂∥HMCA(·)₃∥)

   Where HMCA(·)₂ =H(CTR_ED∥y₁∥y₂∥ID_ED)

  CTR_CU ++, CTR_ED++

 else Refuse the information

 endif

4: CU: Verify the validity of Msg₃

 if HMCA(·)₃ are valid then Compute

  if x = x₁ = x₂ then

   CU➜ED: Msg₄(result∥HMCA(·)₄∥)

    Where result = 1 and HMCA(·)₄ =H(CTR_CU∥result∥ID_CU)

  else CU➜ED: Msg₄(result∥HMCA(·)₄∥)

    Where result = 0 and HMCA(·)₄ =H(CTR_CU∥result∥ID_CU)

   CTR_CU ++, CTR_ED++

 else Refuse the information

 endif

5: ED: Verify the validity of Msg₄

  if HMCA(·)₄ are valid and result = 1

  then ED is successfully authenticated by CU

 else ED is not authenticated by CU.

 CTR_CU ++

endif

The enhanced scheme is based on the basic scheme. When the CU authenticates the ED for the first time, the information such as the ID of the ED and the public key v₁∥v₂∥…v_k has been stored by CU. In future identity authentication, it is not necessary to send the signature δ_EDv in Algorithm 1, and Other processes remain unchanged. It is worth noting that the calculation overhead of the enhanced scheme is less than the calculation overhead of the basic scheme, which saves authentication time.

Security analysis of the proposed protocol

In order to verify the security of this scheme, in this section, we present the following theoretical proof.

Theorem 1. If the QR problem is difficult and the assumption is true, the proposed protocol can guarantee the security of the private key s and prevent the leakage of information (i.e., the probability that the attacker A calculates a valid private key from the public key is exceedingly negligible).

Proof 1. It is assumed that A can construct the algorithm F_QR to solve the QR difficulty problem. The advantage of A’s successful attack on x is defined as .

F_QR publishes the public parameter {n, v, H} and saves the public-private key pairs: , . A can query F_QR for q_QR times at most.

Query: A makes queries on random number and key. Then, F_QR returns x = r² mod n and v = s^-2 mod n to A.

Challenge: A uses F_QR to get r = F_QR(x, n) and s = F_QR(v, n), respectively. That is given x and n, and r is obtained by computing.

The advantages of four successful challenges in this process are and , respectively. According to the difficult problem mentioned above, the advantage of the algorithm F_QR successfully solving the QR difficulty problem in the polynomial time is negligible. Therefore, the attacker A cannot obtain random number r and key s in x = r² modn and v = s^-2 modn.

Theorem 2. Our protocol can guarantee the confidentiality and integrity of the message m, which can prevent information tampering attack, information disclosure and forgery attack.

Proof 2. Our protocol uses hash function H(m) to realize the confidentiality and integrity of the message m. In order to prevent the attacker from forging legal data frames, we add the counter CTR_x and identity ID_x to the H() function.

Theorem 3. Our scheme meets completeness, which meaning that honest verifier always accepts proof from honest prover.

Proof 3. Since our scheme is based on FFS, it also has completeness property.

Theorem 4. Our scheme meets soundness, which means that honest verifier never accepts proof from cheating prover since it is computationally more secure than the original FFS. In other words, as long as the number of bits of large composite number n meets the required security requirements, our scheme can almost resist guessing attacks.

Proof 4. If the attacker wants to forge a legitimate identity with public key to cheat the verifier, he needs to compute responses y₁ and y₂. Suppose the attacker has computed x in (14), and are equal to b_i. Naturally y₁ is equal to r in (20). Next, compute y₂, which means that compute X in (21). Then, x and y₂ are substituted into Eq (16) to compute X in (22). It can be seen that because of b_i ϵ {0,1}, the result of X is multiplied by these private keys s_i or their inverses . The QR difficulty problem has been mentioned in the previous section. It is obvious here that the attacker cannot compute y₂, which means that the probability of successful impersonation of the best attack depends on the difficulty of factoring n rather than 2^-kt.

(19)

(20)

(21)

(22)

Theorem 5. Our scheme meets zero-knowledge, which meaning that cheating verifier is never able to learn the prover’s secret.

Proof 5. The method of proof is to construct a simulator Sim with the same computing resources as Verifier (V), which is indistinguishable from the real authentication process in polynomial time. Sim is used to generate legal interactive content.

Query 1: Sim makes queries, randomly chooses x, and sends x to V. Then, Verifier returns B = b₁∥b₂∥…∥b_k to Sim.

Challenge 1: Sim randomly chooses r, computes .

Query 2: Sim interacts with V again and sends x of Challenge 1 to V. Then, V returns B = b₁∥b₂∥…∥b_k to Sim.

Challenge 2: Sim sends r of Challenge 1 to V.

Obviously, the output and of Sim and the output y₁ and y₂ of V are the same distribution, which are indistinguishable in polynomial time. When B = 0 and k > 1, V will get z = s₁×s₂×s_k mod n. According to the difficult problem mentioned above and Proof 1, the advantage of the algorithm F_DL successfully solving the QR difficulty problem in the polynomial time is negligible. Obviously, apart from convincing Sim, V cannot get any valuable information. Therefore, the scheme has zero-knowledge property under parallel composition.

Simulation evaluation

In this section, to evaluate the performance and security of the protocols, we constructed a hardware experimental environment, which can be found in Fig 7. This experiment used STMicroelectronics' automotive microcontrollers, which is a high-performance 32-bit ARM Cortex®-M7 MCU developed by ST. The maximum operating frequency is 400MHz. We used a CU with a Bluetooth serial port and connected the CU to the ED via a Bluetooth module. The specifications of the tools employed in the hardware and software in the experiment are shown in Table 2. Firstly, we ported Contiki to Keil's MDK5 integration environment to compile the code used in the experiment and import the code into processors using ST-LINK V2. Secondly, we used Android to develop a simulated mobile phone on the computer as an ED and developed a corresponding Application (APP) for the proposed scheme to facilitate the implementation of the authentication. The simulated mobile phone system can be implanted on Android phones. Finally, we create Bmob cloud users based on JavaEE(SpringMVC) as a third-party trusted TA. In addition, we use JavaEE(SpringMVC) to develop a server-side to observe identity authentication process of the simulated CU and ED.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Hardware experimental environment.

https://doi.org/10.1371/journal.pone.0239043.g007

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Notations used for protocol.

https://doi.org/10.1371/journal.pone.0239043.t002

In order to make our protocol more advantageous, we compared the average time delays of authentication at different clock rates (400, 300, 200, 168, 150, and 120 MHz) with the average time delays of NOTSA's authentication [23] and POSTER's authentication [36]. Compared with NOTSA, the proposed scheme has a smaller calculation amount, so the average time delays of ours are shorter, as shown in Fig 8. At different clock rates, the average time delays of our enhanced scheme are under 6.1 ms at different clock rates. In addition, average time delays of POSTER's the zero-knowledge proofs of are between 75–217 ms, which is much more than ours.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. Comparison among ours and NOTSA at different clock rates.

https://doi.org/10.1371/journal.pone.0239043.g008

Simplify our scheme into the form of FFS scheme (e.g., remove the hash function, counter value, etc.), as shown in Fig 9. Then, the simplified scheme is compared with FFS and DFFS [33]. In order to make experimental data conveniently, we did simulation experiments on PC and compare the average delay of each scheme at different values of k and t, as shown in Fig 10. In the FFS scheme, the probability of soundness is 2-kt, which is obviously based on the size values of the k and t parameters. When the value of t is larger, the more times the prover interacts with the verifier, the longer the authentication delay. When the value of k is larger, the number of public and private keys stored is larger, and the harder it is to save and process. From the above section, it is worth mentioning that our scheme can achieve extremely high soundness with only one iteration of authentication, which is based on the QR difficult problem. In the DFFS scheme, it is an improved 3-pass parallel interactive scheme with ‘almost’ zero soundness error, which is based on FFS digital signature. The probability of soundness error (or cheating probability) is 2^-(kt+h/2). The DFFS scheme requires encryption and decryption of hash and the promised x value for each iteration of authentication. When the value of k is too large, especially when it is greater than 100, its authentication time delays will increase exponentially. Although the cheating probability is reduced, the computational overhead is increased, and the number of authentication iterations is still t. In our scheme, the idea of "two-to-one" (e.g., y₁ and y₂ correspond to x) and "reversal" (e.g., b and 1−b) can make it possible to have extremely high security in one iteration of authentication. In order to make the comparison schemes more impressive, a computational costs comparison table is given, as shown in Table 3. Therefore, our proposed scheme has higher security and efficiency, and it can meet extremely high soundness in one iteration of authentication.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. The proposed scheme with removing the hash function, counter value, etc.

https://doi.org/10.1371/journal.pone.0239043.g009

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 10. Comparison among DFFS, FFS, and ours at different values of k and t.

https://doi.org/10.1371/journal.pone.0239043.g010

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Computational costs comparison.

https://doi.org/10.1371/journal.pone.0239043.t003

Conclusions

In this paper, we present the main attack models and security threat assessments for vehicles. Then, on this basis, we designed an efficient and safe identity authentication scheme based on Feige-Fiat-Shamir identification scheme with extremely high soundness. The proposed scheme has extremely high soundness based on the quadratic residue (QR) difficult problem. Subsequently, we analyzed the security of the proposed solution through a safety certificate. In simulation and evaluation, we built a hardware lab environment to evaluate performance. At the same time, software simulation was performed using JavaEE (SpringMVC) and Android. The experimental results prove that the proposed scheme is feasible and highly effective. In the future, the number of nodes in the Internet of Vehicles will increase rapidly. If each identity authentication is interactive, there may be some delays, which does not meet the high speed requirements of the Internet of Vehicles. Therefore, we will further study non-interactive zero-knowledge proofs for more secure and efficient authentication.

Supporting information

Acknowledgments

We would like to thank the Editor and the reviewers for their constructive comments and helpful suggestions.