Computer Networks 195 (2021) 108219

A secure blockchain-oriented data delivery and collection scheme for 5G-enabled IoD environment

Azeem Irshad a, Shehzad Ashraf Chaudhry b, Anwar Ghani a, Muhammad Bilal c,*

a Department of computer science and software engineering, International Islamic University Islamabad, Pakistan
b Department of Computer Engineering, Faculty of Engineering and Architecture, Istanbul Gelisim University, Istanbul, Turkey
c Department of Computer Engineering, Hankuk University of Foreign Studies, Yongin-si, South Korea

* Corresponding author. E-mail address: m.bilal@ieee.org (M. Bilal).
https://doi.org/10.1016/j.comnet.2021.108219
Received 12 December 2020; Received in revised form 3 May 2021; Accepted 31 May 2021; Available online 7 June 2021
1389-1286/© 2021 Elsevier B.V. All rights reserved.

ARTICLE INFO

Index Terms: Blockchain; Internet of drones; Security; Internet of Things; Data collection and delivery

ABSTRACT

There are innumerable ways the Internet of Drones (IoD) technology can impact our society. With the deployment of an airborne network, the IoD can support real-time low-cost delivery of services ranging from military surveillance to a myriad of civilian applications. Nevertheless, the drones employ insecure wireless communication channels to communicate with other entities in the system, inhibiting its induction in sensitive installations if insecure or inefficient Authenticated Key Agreement (AKA) schemes are employed. The blockchain, an open distributed ledger-based technology, is increasingly being adopted to address the security concern as discussed. Recently, Bera et al. presented an efficient blockchain-enabled AKA scheme for data management among various entities in IoD network. However, their scheme does not support anonymity and untraceability for the drones; also, it does not provide resistance to Ground station server impersonation attack, while the protocol has a few redundancies. Later, we proposed an enhanced blockchain-enabled AKA scheme BOD5-IOD to authenticate drones in the system. The BOD5-IOD, other than supporting a robust access control mechanism between drones and GSS, also ensures safe transactions among all entities in the IoD environment. The formal analysis and performance evaluation endorse that our scheme supports security requirements with computational and communication efficiency of 34.4% and 23.3%, respectively.

1. Introduction

The Internet of Drones (IoD) has nearly paved its way into every segment of society ranging from recreational to commercial and military applications. Alternatively, the UAVs have exhibited their promising capabilities in supporting numerous applications such as military surveillance, rescue, delivery, photography, agriculture, wildlife monitoring, traffic monitoring, etc. Following a recent Federal Aviation Administration (FAA) survey, the number of small-scale commercial or model-based drones or UAVs may grow as much as 7 million by the end of 2020 [1]. These drones may communicate data using wireless channels after monitoring it through sensors but also perform high-tech operations with the help of remote monitoring and intelligence. Moreover, it can also deliver lightweight packages to the target destination, depending on its application. Whatever be the application, i.e., data transfer, remote monitoring, sensing, operation or delivering the lightweight assignment, etc., the control data or communication between drone and control room/ground station server is always vulnerable to several security risks and threats [2-3].

The small-scale UAVs are equipped with several Internet of Things (IoT)-based smart devices such as sensors and actuators which are being used for sensing and collecting the captured data from a targeted spot towards any destination. In this connection, the drones need to quickly transfer live streaming video data that must be complemented with low latency and high bandwidth connection. The 5G connections may contribute to making such an IoD ecosystem viable [4-6]. The drones may be employed in many 5G-enabled use cases, including smart city, remote industrial control applications, smart agriculture, and many other scenarios.

The first generation (1G) of mobile communication was introduced in 1980; however, it was insecure, with poor battery support and voice quality. It was followed by second-generation (2G) in 1990 as called Global System for Mobile communication (GSM), having digital capabilities. However, due to the mobility problems and lower data transmission rates in 2G, the third generation (3G) technology was introduced in 2001, which supports multimedia messages, tracking, and augmented security [7]. Nonetheless, another fourth-generation (4G) was developed with the support of voice over LTE (VoLTE), higher data rates, and HD streaming due to the infrastructure issues and expensive gadgets. The 5G technology is introduced in 2020 for supporting ultra-fast Internet with higher bandwidth and reliability [8]. The 5G-oriented blockchain technology-based framework involves drones, ground station servers, control rooms, registration authority, and blockchain center. The 5G cellular technology may assist in three ways to connect the UAVs: 1) Administering the traffic of UAVs, 2) Beyond Visual Line of Sight (BVLOS)-based flights [9], 3) Transmission of data based on sensors. The Unmanned Aircraft System Traffic Management (UTM) regulates the traffic of drones and manned aviation and helps the drones integrate in routine air traffic. Similarly, the BVLOS technology can assist the drones in covering long distances comparatively.

For secure data delivery and collection, many authenticated key agreement schemes [4,6-9,13,23-25,30-31] have been designed to ensure the secure communication of data; however, those schemes were prone to many security drawbacks. Another efficient blockchain-enabled AKA scheme by Bera et al. [13] for data management among various entities in IoD network has been presented. However, it is witnessed that their scheme does not ensure anonymity as well as untraceability for the drones. Furthermore, it does not provide immunity from ground-station server impersonation threat, and at the same time, Bera et al.'s protocol [13] has a few redundancies. Consequently, we proposed an enhanced blockchain-enabled AKA scheme BOD5-IOD to authenticate drones in the system. The BOD5-IOD, other than supporting a robust access control mechanism between drones and GSS, also warrants safe transactions among all entities in the IoD environment. The formal analysis and performance evaluation approve that our scheme (BOD5-IOD) supports enhanced security requirements with optimal computational and communicational delays.

Table 1. Tabular depiction of most recent literature.

| Scheme | Features | Drawbacks | Year |
|---|---|---|---|
| Jangirala et al. [7] | Blockchain-based RFID authentication scheme for IoD | Secret disclosure attack and traceability problems | 2019 |
| Srinivas et al. [8] | Temporal credential-based AKA scheme for IoD | Mutual authentication and privacy issues for drones | 2019 |
| SDPC [31] | Authentication scheme for secure content distribution for in-network caches | Lack of support of high mobility | 2020 |
| Cho et al. [30] | Authentication scheme for UAVs | Susceptible to ephemeral secret leakage attack | 2020 |
| Mandal et al. [6] | Certificateless-Signcryption based Three-Factor AKA for IoT Environment | Inefficient due to more communication overhead of sensors | 2020 |
| Yazdinejad et al. [9] | Decentralized blockchain-based AKA scheme for IoD | Complex management of distributed drone controllers and key distribution | 2020 |
| Bera et al. [13] | Blockchain-oriented secure data transmission and collection | Lacking mutual authentication and traceability problems | 2020 |

1.1. Threat model

Being on the insecure wireless communication channel, the IoD provides ample opportunities to the attacker to initiate forgery attacks against drones or GSS. A widely used threat model by Dolev-Yao (DY model) [10] is assumed to evaluate the security of the proposed scheme. In DY model, an adversary may intercept, edit, block, replay or delete the communication messages in transit, and launch many forgery attacks. In this connection, a de facto CK-adversary model [11] is also assumed for analyzing the security, since the adversary is more potent under this model with the capability to compromise the long-term credentials, random secrets, and session keys. This affirms that the agreed session key between UAVs and GSS entities must be composed of short-term random secrets along with long-term credentials to avoid the ephemeral information and forward secrecy attacks. Such attacks may be defeated with the use of long-term as well as short-term secrets in the session key.

1.2. Research contributions

The salient points of the contribution are as follows:

1. We highlight the significance of secure transmission and receipt of data in a 5G-oriented IoD ecosystem.
2. We propose an enhanced and secure blockchain-oriented Data Delivery and Collection (DDC) scheme as titled BOD5-IOD that permits the authenticated key agreement (AKA) between UAVs and corresponding GSS in every flying zone FZj. On the basis of the suggested AKA procedure, the mutually agreed session keys among UAVs and GSSs can be established to communicate safely. The DDC process in BOD5-IOD permits recording all of the associated transactions among UAVs, GSS, and CR in order to generate private blocks with the help of GSS.
3. Considering the limitations in previous research studies as shown in Table 1, we design a blockchain-based consensus algorithm to verify and append the blocks through a selected leader in multiple GSSs in the blockchain-oriented peer-to-peer network.
4. We employed a MIRACL library, a widely recognized collection of cryptographic primitives, for computing the execution time on the Raspberry PI 3 B+ and server platform.
5. Lastly, the performance analysis for BOD5-IOD has been evaluated to depict the efficacy of the contributed model on resource-deficient UAVs in the IoD environment.

1.3. Paper outline

The contents of the scheme are organized as stated below: Section II revisits the BSD2C-IoD scheme with respect to delivery and collection of data in IoD environment and addresses the concerns in BSD2C-IoD. Section III presents the proposed scheme countering the flaws in BSD2C-IoD. Section IV formally analyzes the proposed scheme using the ROR model and AVISPA and also depicts informal analysis in the end. Section V depicts the performance analysis. The last section concludes the scheme.

2. Revisiting BSD2C-IOD: Blockchain-oriented secure data transmission and collection scheme

The BSD2C-IOD presents a new blockchain-oriented secure data delivery and collection (DDC) scheme for the IoT-based 5G-enabled IoD ecosystem. The scheme assumes that all entities in the IoD system are well-synchronized with clock-timings so that the participants may employ timestamps to aid in thwarting replay attacks. Table 2 tabulates a few significant notations as used in the scheme. The BSD2C-IOD comprises several procedures in its system model, such as system initialization procedure, registration procedure, access control procedure, secure DDC procedure, block generation, verification and addition in Blockchain center procedure, and the procedure for dynamic addition of drones. These procedures are elaborated in the following sub-sections.

Table 2. Notations description.

| Notation | Significance |
|---|---|
| Ep(u, v) | Elliptic Curve (Non-singular) |
| G | Base point in Ep(u, v) with n order |
| a.G | Elliptic curve (EC)-based point multiplication |
| A+B | EC-based point Addition; A, B ∈ Ep(u, v) |
| RC | Registration Center |
| CAj | jth control authority |
| GSPj | jth ground station service provider |
| DNi | ith drone |
| IDRC | RC's identity |
| rRC | Master secret key of RC |
| PubRC | Public key of RC (PubRC = rRC.G) |
| IDCAj | Legal identity of CAj |
| rCAj | CAj's random private key |
| PubCAj | CAj's public key (PubCAj = rCAj.G) |
| mkCAj | Randomly generated master secret key of CAj |
| PkCAj | Public key of CAj (PkCAj = mkCAj.G) |
| CertCAj | Certificate issued by RC to CAj |
| RTSCAj | Registration timestamp used by RC for CAj |
| IDGSPj | Legal identity of GSPj |
| RIDGSPj | Pseudo-identity of GSPj |
| rGSPj | GSPj's random private key |
| PubGSPj | GSPj's public key (PubGSPj = rGSPj.G) |
| kGSPj | GSPj's private decryption key |
| PkGSPj | GSPj's public encryption key |
| CertGSPj | Certificate issued by CAj to GSPj |
| RTSGSPj | Registration timestamp issued by CAj for GSPj |
| IDDNi | Certificate issued by CAj to GSPj |
| RIDDNi | Pseudo-identity of DNi |
| rDNi | Private certificate key of DNi |
| PubDNi | Public signature key for DNi |
| kDNi | Private signature of DNi |
| PkDNi | Public key for DNi (PkDNi = kDNi.G) |
| CertDNi | Certificate issued by CAj to DNi |
| EPkY / DkY | Public key encryption or decryption for entity Y |

2.1. System model

The system model for the 5G-oriented blockchain technology-based framework involves four entities, i.e., Registration Center (RC), Control Authorities (CAs), Ground station service providers (GSPs), and blockchain center (BC) as shown in Fig. 1. The RC and CA are responsible for the registration of CAj, GSPj, and drones DNi inducted in various flying zones FZj [28-29]. The RC and CAj are supposed to be fully trusted entities in the IoD-based environment. The GSPs collect data from drones and securely deliver them and form the transaction blocks for adding in the private blockchain in the Blockchain center [26-27].

Fig. 1. Blockchain-enabled 5G oriented IoD ecosystem.

2.2. System initialization

The registration center RC selects a few system parameters. The RC initially picks a non-singular elliptic curve (EC) as Ep(u, v): y^2 = x^3 + ux + v (mod p) over the Galois field GF(p) [12] with large prime p, where u, v ∈ Zp are constants satisfying the condition 4u^3 + 27v^2 ≠ 0 (mod p), together with the zero point, i.e. the point at infinity. Then, the RC chooses a base point G ∈ Ep(u, v) having order n as large as p. The RC chooses the collision-resistant cryptographic one-way hash function SHA-256 h(.). Moreover, the RC chooses its identity IDRC and a long-term secret key termed as master key rRC ∈ Zp, with the calculation of the corresponding public key PubRC = rRC ⋅ G. The RC keeps the master key as secret, while other factors including {Ep(u, v), G, h(.), PubRC} are openly published.

2.3. Registration procedure

In the registration phase, the control room CAj is registered by the trusted RC on an offline basis. Thereafter, the CAj registers the entities GSPj and the associated drones DNi in a flying zone FZj. The registration procedures for the CAj, DNi and GSPj entities are elaborated as under:

2.3.1. Registration of CAj

The RA adopts the following procedure to register the CAj:

Step 1. RC chooses an identity IDCAj for every CAj, and selects a random private key rCAj ∈ Z*p. Then it calculates a corresponding public key as PubCAj = rCAj ⋅ G, where k⋅G represents the elliptic
C o m p u t e r N e t w o r k s 195 (2021) 108219 curve-based scalar point multiplication given that k ∈ Z*p. The RC Step 1. Initially the DNi chooses a random integer r1 ∈ Z*p and en- generates a certificate for all CAj entities as CertCAj = rCAj + h(IDCAj || genders a fresh timestamp TS1, and computes r1′ = h(RIDDNi ||r1 || h(IDRC || PubRC || PubCAj || RTSCAj) * rRA (mod p), where * represents CertDNi ||k ′DNi ||TS1), ADNi = r1 ⋅ G. Then, DNi computes a signature modular multiplication, and RTSCAj be the registration timestamp for Sig ′DNi on r1 as SigDNi = r1’ +h(PkDNi ||RIDDNi ||PkCAj ||PubGSPj ||ADNi|| CAj. Thereafter, the RC deletes the factor rCAj from its repository. TS1) * kDNi (mod p). After that DNi constructs the authentication Step 2. Next before deployment, the RC stores the parameters in the request message as Msg1 = {RIDDNi, ADNi, CertDNi, SigDNi, TS1} and memory of CAj, i.e. {IDCAj, IDRC, CertCAj, PubRC, PubCAj, Ep(u, v), h(⋅), submits towards GSPj using a public channel. G}. Step 2. Upon receiving the request Msg1, the GSPj validates time- Step 3. The CAj selects a random master key as mkCAj ϵ Z*p and stamp TS1. If it is fresh, the GSPj verifies the certificate of DNi using calculates the related public key PkCAj = mkCAj ⋅ G. Ultimately, RC the equality CertDNi ⋅ G =PubDNi + h(RIDDNi ||PubCRj ||PubGSPj || publicly publishes the information as { PubRC, PubCAj, Ep(u, v), h(⋅); PubDNi)⋅PkCRj. If the verification fails, it declines the request; other- G}, while the CAj holds ultimate parameters in its repository as wise it further confirms the validity of signature using the condition {IDCAj, IDRC, CertCAj, PkCAj, PubRC, PubCAj, Ep(u, v), h(⋅), G}. SigDNi ⋅ G = ADNi+ h(PkDNi ||RIDDNi||PkCAj ||PubGSPj ||ADNi ||TS1) ⋅ PkDNi. It further proceeds to next step, if the signature verification 2.3.2. Registration of GSPj holds true. The registration of GSPj is performed by CAj with the help of the Step 3. 
Next, the GSPj engenders a random integer r2 ∈ Z*p with a following steps: fresh timestamp TS2. Then it calculates r2’ = h(RIDGSPj||IDCAj ||r2 || CertGSPj ||kGSPj||TS2), BGSPj= r2’ ⋅ G. Thereafter, the GSPj calculates Step 1: Initially, the CAj chooses a unique identity IDGSPj and cal- Diffie-Hellman based key as DHKGSPj, DNi = r2’ ⋅ ADNi (= (r2’ * r1’) ⋅ G). culates the corresponding pseudo-identity RIDGSPj = h(IDGSPj || Next, it computes the session key SKGSPj, DNi = h(DHKGSPj, DNi || RTSGSPj || mkCAj) where RTSGSPj represent the registration timestamp RIDDNi||RIDGSPj||P kDNi ||PubGSPj) as well as session key verifier as for GSPj. Then the CAj chooses a random private key rGSPj ϵ Zp* and a SKVGSPj, DNi= h(SKGSPj, DNi ||RIDDNi ||RIDGSPj ||BGSPj||CertGSPj ||TS1 || corresponding public key PubGSPj = rGSPj ⋅ G. Besides, this CAj com- TS2). In the last, GSPj constructs the response message as Msg2 = putes a certificate for GSPj as CertGSPj = rGSPj + h(RIDGSPj ||IDCAj|| {RIDGSPj, CertGSPj, BGSPj, SKVGSPj,DNi, TS2} and delivers to DNi on a PubCAj || PubGSPj) * mkCAj (mod p). public channel. Step 2: The CAj stores the parameters RIDGSPj and CertGSPj related to Step 4. Upon receiving the message Msg2, the DNi checks the genu- GSPj in its repository while publishing the public key PubGSPj . Then ineness of timestamp TS2. If it is fresh, the DNi further verifies the for the sake of security, it deletes IDGSPj and rGSPj from its repository. GSPj’s certificate as CertGSPj ⋅ G = PubGSPj + h(RIDGSPj ||IDCAj ||PubCAj Here, the GSPj also chooses its decryption-based private key kGSPj ϵ ||PubGSPj) ⋅ PkCNj. After the successful validation of certificate, the Zp* and the related public key PkGSPj = kGSPj ⋅ G for the sake of DNi builds the Diffie-Hellman based key as DHKCNj, GSPj = r1’ ⋅ encryption. 
BGSPj(= (r1’ * r2’) ⋅ G = DHKGSPj,DNi), and recovers the session key as Step 3: Lastly, the CAj before deployment of the GSPj, preloads it SKDNi,GSPj = h(DHKDNi,GSPj||RIDDNi ||RIDGSPj||PkDNi ||PubGSPj), and with the parameters as {RIDGSPj, IDCAj, CertGSPj, PubCAj, PubGSPj, also derives SKVDNi,GSPj= h(SKDNi,GSPj ||RIDDNi ||RIDGSPj ||BGSPj || (kGSPj, PkGSPj), PkCAj, Ep(u, v); h(⋅), G}. Moreover, the CAj for each CertGSPj||TS1 ||TS2). Thereafter, the DNi matches the equality for GSPj, stores the public key PkGSPj in its repository and finally pub- SKVDNi, GSPj= SKVGSPj, DNi. If it holds true, the DNi builds a fresh lishes the keys {PubGSPj, PkGSPj} publicly. timestamp TS3 as well as an acknowledgement message as ACKDNi,GSPj = h(SKDNi, GSPj ||TS2 ||TS3). Lastly, the DNi forwards the 2.3.3. Registration of Drone DNi message Msg3 = { ACKDNi,GSPj, TS3} to GSPj through public channel. The CAj registers all drones DNi before its deployment in the corre- Step 5: After the receipt of message Msg3, the GSPj verifies the sponding flying zone by adopting the following steps: freshness of timestamp TS3. If this is valid, the GSPj calculates ACKGSPj, DNi = h(SKGSPj, DNi||TS2 ||TS3) and compare the equality for Step 1: Initially, the CAj chooses an identity IDDNi and also calculates ACKGSPj, DNi= ACKDNi, GSPj. If it holds true, an agreed session key the corresponding pseudo-identity RIDDNi = h(IDDNi || IDCAj || mkCAj SKDNi,GSPj (=SKDNi,GSPj) is established as between the drone DNi and || RTSDNi) in relation to each DNi, where RTSDNi denotes the regis- GSPj. tration timestamp. Step 2: Next, the CAj selects a certificate-based private key rDNi ϵ Zp*, 2.5. Cryptanalysis of BSD2C-IOD and calculate the related public key for each DNi as PubDNi = rDNi ⋅ G, while the signature-based private key is kDNi ϵ Zp* and the corre- The BSD2C-IOD scheme is exposed to the following vulnerabilities. sponding signature-based public key for each DNi as PkDNi = kDNi ⋅ G. 
Step 3: Then, CAj generates a certificate with respect to each drone 1 No GSPj’s signature verification DNi as CertDNi = rDNi+ h(RIDDNi|| PubCAj || PubGSPj || PubDNi) * mkCAj (mod p). Next, it would delete IDDNi and rDNi from its repository. One of the major drawbacks in BSD2C-IOD is that in this scheme, the Finally, it stores the parameters {RIDDNi, CertDNi, (kDNi, PkDNi), PkCAj, drone DNi is unable to duly authenticate the GSPj entity, since DNi does Ep(u, v), h(⋅), G} before deployment in a specific flying zone FZj. not verify the constructed signature of GSPj in the protocol. After the receipt of the response message Msg2 from GSPj, the DNi only verifies the certificate of GSPj as issued by the CAj. Although the scheme provides 2.4. Mutual authentication between DNj and GSPj unilateral authentication since the GSPj properly verifies the authen- ticity of DNi through the validation of signature as created by the DNi. In this phase, the drone DNi and the corresponding GSPj in a flying The mutual authenticity bounds both of the entities to authenticate one zone FZj are mutually authenticated. Both of these entities are initialized another; however, this feature is missing in BSD2C-IOD. with preliminary information in the registration phase. This procedure employs elliptic curve cryptography (ECC) for the generation of signa- 1 No drone DNi’s anonymity tures, verification of certificates, and signatures. Upon successfully completing this procedure, the entities DNi and GSPj develop a mutually Secondly, the scheme BSD2C-IOD does not provide anonymity or un- agreed session key as SKVDNi, GSPj= SKVGSPj, DNi. The following steps are traceability to the drone DNi. This is because the pseudo-identity RIDDNi included in this phase. for DNi remains same in each session. An adversary may comfortably 4 A. Irshad et al. C o m p u t e r N e t w o r k s 195 (2021) 108219 link different sessions upon interception of the parameters for various 3.1. 
System initialization procedure sessions on public channel. This flaw can be remedied with the renewal of pseudo-identity parameters on both ends each time a session is In BOD5-IOD, the registration center RC selects the system parame- terminated. ters such as identity IDRC, master secret key rRC ϵ Zp, public key PubRC = rRC. G in the same manner as discussed in the initialization phase of 1 Inefficient use of nonces BSD2C-IOD. The RC keeps the master key as secret, while other factors including {Ep(u, v), G, h(.), PubRC} are openly published. The scheme BSD2C-IOD makes inefficient use of r1 and r2 nonces after engendering them. The judicious use of those nonces may ensure 3.2. Registration procedure mutual authenticity to both participants such that the session key re- mains protected even if the public and private secret keys are revealed to In the registration phase, the control room CAj is registered by the the adversary. trusted RC on an offline basis. After that, the CAj registers the entities GSPj and the associated drones DAi in a flying zone FZj. The steps 3. BOD5-IOD: Blockchain-oriented secure data transmission and involved in the registration procedure are depicted in Fig. 2. The collection scheme registration procedures for the CAj, DNi and GSPj entities are elaborated as under: This section demonstrates an improved and secure blockchain- oriented DDC protocol in order to improve BSD2C-IOD [13], meant 1 Registration of CAj for authenticating drones in the system. We proposed an enhanced blockchain-enabled AKA scheme BOD5-IOD to support a secure and The RA adopts the following procedure to register the CAj: robust access control mechanism between drones and GSP, which might assist protected transactions among all entities in IoD environment. Fig. 2. Registration phase. 5 A. Irshad et al. C o m p u t e r N e t w o r k s 195 (2021) 108219 Step 1. RC chooses an identity IDCAj for every CAj, and selects a verification of certificates, and signatures. 
Upon completing this pro- random private key rCAj ∈ Z*p. Then it calculates a corresponding cedure, the entities DNi and GSPj develop a mutually agreed session key public key as PubCAj = rCAj ⋅ G, where k⋅G represents the elliptic as SKVDNi, GSPj= SKVGSPj, DNi. The following steps are included in this curve-based scalar point multiplication given that k ∈ Z*p. The RC phase. generates a certificate for all CAj entities as CertCAj = rCAj + h(IDCAj || h(IDRC || PubRC || PubCAj || RTSCAj) * rRA (mod p), where * represents Step 1. Initially the DNi chooses a random integer r1 ∈ Z*p and en- modular multiplication, and RTSCAj be the registration timestamp for genders a fresh timestamp TS1, and computes ADNi= r1⋅ G, XDNi=r1. CAj. Thereafter, the RC deletes the factor rCAj from its repository. PKGSPj, ACertDNi =CertDNi+r1.kDNi, AIDDNi=RIDDNi⊕ XDNi. Then, DNi Step 2. Next before deployment, the RC stores the parameters in the computes a signature SigDNi on r1 as SigDNi= r1+h(PkDNi||RIDDNi|| memory of CAj, i.e. {IDCAj, IDRC, CertCAj, PubRC, PubCAj, Ep(u, v), h(⋅), PkCNj||PubGSPj||ADNi||TS1) * kDNi (mod p). After that DNi constructs G}. the authentication request message as Msg1 = {AIDDNi, ADNi, Step 3. The CAj selects a random master key as mkCAj ϵ Z*p and ACertDNi, SigDNi, TS1} and submits towards GSPj using a public calculates the related public key PkCAj = mkCAj ⋅ G. Ultimately, the RC channel. publicly publishes the information as { PubRC, PubCAj, Ep(u, v), h(⋅); Step 2. Upon receiving the request Msg1, the GSPj validates time- G}, while the CAj holds ultimate parameters in its repository as stamp TS1. If it is fresh, the GSPj computes XDNi=kGSPj.ADNi, RIDDNi- {IDCAj, IDRC, CertCAj, PkCAj, PubRC, PubCAj, Ep(u, v), h(⋅), G}. =AIDDNi ⊕XDNi, and verifies the dynamic certificate of DNi using the equality ACertDNi⋅ G =PubDNi+ h(RIDDNi||PubCAj|| PubGSPj||PubDNi) 1 Registration of GSPj: ⋅PkCAj + XDNi. 
If the verification fails, it declines the request; other- wise it further confirms the validity of signature using the condition CAj performs the registration of GSPj with the help of the following SigDNi ⋅ G = ADNi+ h(PkDNi ||RIDDNi||PkCAj|| PubGSPj||ADNi ||TS1) ⋅ steps: PkDNi. It further proceeds to next step, if the signature verification holds true. Step 1: Initially, the CAj chooses a unique identity IDGSPj and cal- Step 3. Next, the GSPj engenders a random integer r2 ∈ Z*p with fresh culates the corresponding pseudo-identity RIDGSPj = h(IDGSPj || timestamp TS2. Then it calculates BGSPj=r2⋅G, XGSPj=r2.PKDNi, RTSGSPj || mkCAj) where RTSGSPj represent the registration timestamp AIDGSPj=RIDGSPj ⊕XGSPj, and ACertGSPj= CertGSPj+r2.kGSPj. Next, it for GSPj. Then the CAj chooses a random private key rGSPj ϵ Zp* and a computes the session key SKGSPj, DNi= h(XDNi||XGSPj||RIDDNi|| corresponding public key PubGSPj = rGSPj ⋅ G. Besides, this CAj com- RIDGSPj||TS1||TS2) as well as session key verifier as SKVGSPj, DNi= h putes a certificate for GSPj as CertGSPj = rGSPj + h(RIDGSPj ||IDCAj|| (SKGSPj, DNi||BGSPj||CertGSPj||TS1 ||TS2). In the last, GSPj constructs PubCAj || PubGSPj) * mkCAj (mod p). the response message as Msg2 = {AIDGSPj, ACertGSPj, BGSPj, Step 2: The CAj stores the parameters RIDGSPj and CertGSPj related to SKVGSPj,DNi, TS2} and delivers to DNi on a public channel. GSPj in its repository while publishing the public key PubGSPj . Then Step 4. Upon receiving the message Msg2, the DNi checks the genu- for the sake of security, it deletes IDGSPj and rGSPj from its repository. ineness of timestamp TS2. If it is fresh, the DNi computes XGSPj=kDNi. Here, the GSPj also chooses its decryption-based private key kGSPj ϵ BGSPj, RIDGSPj=AIDGSPj⊕XGSPj and verifies the dynamic certificate as Zp* and the related public key PkGSPj = kGSPj ⋅ G for the sake of ACertGSPj. G =PubGSPj+ h(RIDGSPj|| IDCNj||PubCAj||PubGSPj) ⋅ PkCAj+ encryption. XGSPj. 
Step 3: Lastly, the CAj, before deployment of the GSPj, preloads it with the parameters {RIDGSPj, IDCAj, CertGSPj, PubCAj, PubGSPj, (kGSPj, PkGSPj), PkCAj, Ep(u, v); h(⋅), G}. Moreover, the CAj stores the public key PkGSPj of each GSPj in its repository and finally publishes the keys {PubGSPj, PkGSPj} publicly.

1 Registration of Drone DNi:

The CAj registers all drones DNi before their deployment in the corresponding flying zone by adopting the following steps:

Step 1: Initially, the CAj chooses an identity IDDNi and also calculates the corresponding pseudo-identity RIDDNi = h(IDDNi || IDCAj || mkCAj || RTSDNi) in relation to each DNi, where RTSDNi denotes the registration timestamp.

Step 2: Next, the CAj selects a certificate-based private key rDNi ϵ Zp* and calculates the related public key for each DNi as PubDNi = rDNi ⋅ G, while the signature-based private key is kDNi ϵ Zp* and the corresponding signature-based public key for each DNi is PkDNi = kDNi ⋅ G.

Step 3: Then, CAj generates a certificate with respect to each drone DNi as CertDNi = rDNi + h(RIDDNi || PubCAj || PubGSPj || PubDNi) * mkCAj (mod p). Next, it deletes IDDNi and rDNi from its repository. Finally, it stores the parameters {RIDDNi, CertDNi, (kDNi, PkDNi), PkCAj, Ep(u, v), h(⋅), G} in DNi before deployment in a specific flying zone FZj.

3.3. Mutual authentication between DNi and GSPj

In this phase, the drone DNi and the corresponding GSPj in a flying zone FZj are mutually authenticated. Both of these entities are initialized with preliminary information in the registration phase. This procedure employs elliptic curve cryptography (ECC) to generate signatures,

In case the timestamp and the dynamic certificate are legal, it computes the session key as SKDNi,GSPj = h(XDNi || XGSPj || RIDDNi || RIDGSPj || TS1 || TS2). Next, it validates the session key verifier as SKVDNi,GSPj = h(SKDNi,GSPj || BGSPj || CertGSPj || TS1 || TS2) as well. Thereafter, the DNi checks the equality SKVDNi,GSPj = SKVGSPj,DNi. If it holds true, the DNi builds a fresh timestamp TS3 as well as an acknowledgement message ACKDNi,GSPj = h(SKDNi,GSPj || TS2 || TS3). Lastly, the DNi forwards the message Msg3 = {ACKDNi,GSPj, TS3} to GSPj through the public channel.

Step 5: After the receipt of message Msg3, the GSPj verifies the freshness of timestamp TS3. If this is valid, the GSPj calculates ACKGSPj,DNi = h(SKGSPj,DNi || TS2 || TS3) and checks the equality ACKGSPj,DNi = ACKDNi,GSPj. If it holds true, an agreed session key SKDNi,GSPj (= SKGSPj,DNi) is established between the drone DNi and GSPj.

3.4. Secure data delivery and collection

This section elaborates on different Data Delivery And Collection (DDC)-based transactions among CAj, GSPj, and DNi in any flying zone FZj. We employ a few transactions as given below:

⋅ We term the transaction between CAj and GSPj regarding the data delivery (DD) request from CAj to GSPj as TrCA-GSP-rq. This transaction is performed with secure encryption using the public key PkGSPj of GSPj. This encrypted transaction, i.e. TrCA-GSP-rq, will be decrypted by the GSPj with the help of its own private key kGSPj.
⋅ The transaction TrCA-GSP-rq represents the DD request from GSPj to DNi that gets encrypted using the created session key SKDNi,GSPj between DNi and GSPj. After the decryption of TrCA-GSP-rq using SKDNi,GSPj, the DNi may hand over the package delivery (say medicine, food deliveries etc.) to the appropriate destination.
⋅ Likewise, another transaction TrDN-GSP-rq depicts the DDC response from DNi to GSPj, which may be encrypted using SKDNi,GSPj.
⋅ There might be other application scenarios, say smart transportation or smart agriculture etc., where the drones DNi after deployment are required to submit the collected data in the form of secure transactions, i.e. TrDN-GSP-data, towards GSPj with the help of session key SKDNi,GSPj.

3.5. Block creation, verification and addition in BC

A block is created in this phase by the GSPj, and we assume a block Blocki utilizes the transactions available to GSPj, which is also shown in Fig. 3. A lot of transactions encrypted with the GSPj's public key can be contained in a Blocki constituted by GSPj. The GSPj generates signatures on the block using the elliptic-curve digital signature algorithm (ECDSA) [14]. The immutability as well as transparency features of the block are ensured with the use of the created signature, Merkle tree, and the existing block hash root in the blockchain [13]. In a P2P GSP-based network with nGSP number of GSPs, a leader, say L, is selected with the help of any leader selection procedure or algorithm. Then, the block Blocki is forwarded to the leader L to promote consensus for verification as well as addition in the blockchain, which is depicted in algorithm 1. The Practical Byzantine Fault Tolerance (PBFT)-based consensus algorithm is employed [15].

Fig. 3. Proposed mutual authentication.

The smart contract is deemed to be a digital agreement among the center entities which could be executed and verified digitally by the entities themselves, and it could be implemented irrespective of any human involvement [16-17]. It enables the legal implementation of the transactions and contracts through online verification and validation procedures. Moreover, the agreement implementations among the participants are immutable, irreversible, and traceable. Following this, the blockchain system may act in a reliable, cost-effective, efficient and secure manner.
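The key confirmation of Steps 4 and 5 in Section 3.3 (SK, SKV and ACK with the TS2/TS3 freshness checks) can be traced with the following added example, which is not code from the paper. SHA-256 as h(⋅) follows the paper's cost assumptions; the length-prefixed field encoding, the 5-second freshness window, all function names and the sample byte strings are assumptions, and the EC-derived values (XDNi, XGSPj, BGSPj) and the certificate checks are taken as already done.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

MAX_DELAY = 5  # seconds; assumed freshness window (the paper gives no value)

# Values both sides hold once the certificate checks have passed (assumption).
Shared = namedtuple("Shared", "x_dn x_gsp rid_dn rid_gsp b_gsp cert_gsp ts1")

def h(*fields: bytes) -> bytes:
    """h(f1 || f2 || ...) with SHA-256. Each field is length-prefixed (an
    assumption of this sketch) so distinct field tuples never collide."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(struct.pack(">I", len(field)) + field)
    return digest.digest()

def ts(t: int) -> bytes:
    return struct.pack(">I", t)  # 32-bit timestamp, as in the cost analysis

def fresh(t: int, now: int) -> bool:
    return 0 <= now - t <= MAX_DELAY

def session_key(s: Shared, ts2: int) -> bytes:
    # SK = h(X_DNi || X_GSPj || RID_DNi || RID_GSPj || TS1 || TS2)
    return h(s.x_dn, s.x_gsp, s.rid_dn, s.rid_gsp, ts(s.ts1), ts(ts2))

def key_verifier(s: Shared, sk: bytes, ts2: int) -> bytes:
    # SKV = h(SK || B_GSPj || Cert_GSPj || TS1 || TS2)
    return h(sk, s.b_gsp, s.cert_gsp, ts(s.ts1), ts(ts2))

def ack_tag(sk: bytes, ts2: int, ts3: int) -> bytes:
    # ACK = h(SK || TS2 || TS3)
    return h(sk, ts(ts2), ts(ts3))

def gsp_make_msg2(s: Shared, ts2: int):
    """GSP side: derive SK and the verifier carried in Msg2."""
    sk = session_key(s, ts2)
    return sk, {"SKV": key_verifier(s, sk, ts2), "TS2": ts2}

def drone_step4(s: Shared, msg2: dict, now: int):
    """Drone side of Step 4: return (SK, Msg3) or raise ValueError."""
    if not fresh(msg2["TS2"], now):
        raise ValueError("stale TS2")
    sk = session_key(s, msg2["TS2"])
    if not hmac.compare_digest(key_verifier(s, sk, msg2["TS2"]), msg2["SKV"]):
        raise ValueError("SKV mismatch")
    ts3 = now
    return sk, {"ACK": ack_tag(sk, msg2["TS2"], ts3), "TS3": ts3}

def gsp_step5(sk: bytes, ts2: int, msg3: dict, now: int) -> bytes:
    """GSP side of Step 5: accept SK only if TS3 is fresh and ACK matches."""
    if not fresh(msg3["TS3"], now):
        raise ValueError("stale TS3")
    if not hmac.compare_digest(ack_tag(sk, ts2, msg3["TS3"]), msg3["ACK"]):
        raise ValueError("ACK mismatch")
    return sk

def outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "accepted"
    except ValueError as err:
        return str(err)

# Constructed sample values: opaque byte strings stand in for the EC-derived
# secrets, pseudo-identities and certificate of a real run.
STATE = Shared(b"X_DN-sample", b"X_GSP-sample", b"RID_DN-sample",
               b"RID_GSP-sample", b"B_GSP-sample", b"Cert_GSP-sample", ts1=1000)

def demo() -> dict:
    sk_gsp, msg2 = gsp_make_msg2(STATE, ts2=1001)
    sk_dn, msg3 = drone_step4(STATE, msg2, now=1002)
    return {
        "keys_match": sk_gsp == sk_dn,
        "honest": outcome(gsp_step5, sk_gsp, 1001, msg3, 1003),
        # Msg3 replayed a minute later: rejected by the TS3 freshness check
        "replayed_msg3": outcome(gsp_step5, sk_gsp, 1001, msg3, 1063),
        # TS3 rewritten without knowledge of SK: ACK no longer verifies
        "rewritten_ts3": outcome(gsp_step5, sk_gsp, 1001, {**msg3, "TS3": 1063}, 1063),
        # Old Msg2 replayed with a rewritten TS2: SKV no longer verifies
        "rewritten_ts2": outcome(drone_step4, STATE, {**msg2, "TS2": 1060}, 1061),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because TS2 and TS3 are bound into SKV and ACK, the freshness check and the hash comparison have to be applied together: either one alone lets a replayed or re-stamped message through.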
In the proposed scheme (BOD5-IOD), the smart contract may be employed in each GSP to verify the transactions as collected from different participating entities and the blocks created by the GSP in the framework. Consequently, a man-in-the-middle attack may be successfully avoided in smart contracts due to robust integrity in the BC system. Hence, the BC technology in support of smart contracts may be used potentially for secure communication among the autonomous agents in the contributed scheme (BOD5-IOD).

3.6. Adding drones dynamically into the system

The drones may also be captured physically or made to malfunction by an attacker. Consequently, a few new drones can be added in the IOD-based environment. For instance, a new drone entity $DN^{new}_i$ may be dynamically added in any flying zone FZj. For the implementation of this task, the control authority CAj chooses a unique identity $ID^{new}_{DN_i}$ and computes the associated pseudo-identity $RID^{new}_{DN_i} = h(ID^{new}_{DN_i} \,\|\, ID_{CA_j} \,\|\, mk_{CA_j} \,\|\, RTS^{new}_{DN_i})$, with $RTS^{new}_{DN_i}$ being the registration timestamp. Thereafter, CAj selects a private certificate key $r^{new}_{DN_i}$ and an associated public key $Pub^{new}_{DN_i} = r^{new}_{DN_i} \cdot G$, and then it picks a private signature key $k^{new}_{DN_i}$ as well as a public signature key $Pk^{new}_{DN_i} = k^{new}_{DN_i} \cdot G$ for $DN^{new}_i$. Next, the CAj constructs a certificate in relation to $DN^{new}_i$ as $Cert^{new}_{DN_i} = r^{new}_{DN_i} + h(RID^{new}_{DN_i} \,\|\, Pub_{CA_j} \,\|\, Pub_{GSP_j} \,\|\, Pub^{new}_{DN_i}) * mk_{CA_j} \pmod p$. Eventually, the CAj stores the contents {$RID^{new}_{DN_i}$, $Cert^{new}_{DN_i}$, ($k^{new}_{DN_i}$, $Pk^{new}_{DN_i}$), PubCAj, Ep(u, v); h(⋅); G} before deploying $DN^{new}_i$ in the flying zone FZj. Then, the CAj deletes the parameters $ID^{new}_{DN_i}$ and $r^{new}_{DN_i}$ from its repository to boost the security.

4. Security analysis

This section demonstrates formally and informally that BOD5-IOD may resist several potential threats posed to other contemporary authentication protocols tailored for the IoD system environment.

4.1. Formal security analysis employing ROR Model

In this analysis, we employ the widely adopted Real-Or-Random (ROR) oracle model [18] as regards BOD5-IOD for proving the mutual authenticity of the agreed session key between DNi and GSPj against the malicious attacker A. A semantic security-based narrative on the ROR model is depicted in Definition 1 and Theorem 1. To achieve this objective, A implements the queries as defined in Table 3. Moreover, access to the "collision defiant, cryptographic one-way hash digest function h(.)" is provided for all participating entities, including the attacker A. In BOD5-IOD, the function h(.) is modeled as a random oracle.

Table 3
Queries and their objectives.

| Queries | Objective |
|---|---|
| Execute($L^{\ell_1}_{DN_i}$, $L^{\ell_2}_{GSP_j}$) | A employs this query to forge messages exchanged between DNi and GSPj |
| Compromise_Drone($L^{\ell_1}_{DN_i}$) | A employs this query to get secret credentials from the memory of compromised DNi |
| Reveal($L^{\ell}$) | A employs this query to reveal the session key as shared between $L^{\ell}$ and its associated partner |
| Test($L^{\ell}$) | A employs this query to verify the revealed session key by using the randomly flipped unbiased coin b |

Participants: In BOD5-IOD, the four entities participate in the mutual authentication phase, i.e. RC, CAj, DNi, and GSPj. The DNi and GSPj mutually interact with each other to create the session key without the involvement of RC. We assume that the notations $L^{\ell_1}_{DN_i}$ and $L^{\ell_2}_{GSP_j}$ characterize the $\ell_1$-th and $\ell_2$-th instances for the entities DNi and GSPj, respectively. We term those instances as the random oracles.

Accepted state: Upon the receipt of the legitimate last communication message, the instance $L^{\ell}$ comes to an accepted state. After getting all of the related communication messages for any session, those messages are brought into a sequence, which is then termed the session identity sid of $L^{\ell}$ for identifying the current session.

Partnering: The interacting instances such as $L^{\ell_1}$ and $L^{\ell_2}$ serve as partners to one another in case those instances satisfy the conditions as given below:

⋅ The instances $L^{\ell_1}$ and $L^{\ell_2}$ must be in accepted states.
⋅ The instances $L^{\ell_1}$ and $L^{\ell_2}$ must share the same session identity sid and authenticate each other on a mutual basis.
⋅ The instances $L^{\ell_1}$ and $L^{\ell_2}$ must be partners serving on a mutual basis.

Freshness: The instances $L^{\ell_1}_{DN_i}$ and $L^{\ell_2}_{GSP_j}$ are regarded as fresh if the constructed session key SKDNi,GSPj (= SKGSPj,DNi) between the entities DNi and GSPj is not revealed to the adversary with the use of the Reveal($L^{\ell}$) query as shown in Table 3. The semantic security of the contributed model BOD5-IOD is defined in Definition 1, forming the basis of Theorem 1.

Definition 1. We assume the advantage of the attacker to be $\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p)$ in the polynomial amount of time $I_p$ in compromising the semantic security of BOD5-IOD in regards to calculating the agreed session key SKDNi,GSPj (= SKGSPj,DNi) between GSPj and DNi for a specific session. Then

$$\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p) = \left|2\cdot\Pr[b' = b] - 1\right| \qquad (1)$$

where b' and b represent the guessed and correct bits, respectively.

Theorem 1. We assume an attacker A running in a polynomial amount of time $I_p$ attempting to calculate the session key SKDNi,GSPj (= SKGSPj,DNi), which is shared between DNi and GSPj as regards any specific session in the suggested model, BOD5-IOD. Let $q_{sh}$, $|hash|$, and $\mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p)$ represent the number of hash function-based queries, the range capacity for the cryptographic collision-resistant one-way hash function h(.), and the advantage for compromising the Elliptic-Curve Decisional Diffie-Hellman Problem (ECDDHP), respectively. Consequently,

$$\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p) \le \frac{q_{sh}^{2}}{|hash|} + \mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p) \qquad (2)$$

Proof. An attacker A plays three games, i.e. $Gm^{\mathcal{A}}_j$ (j = 0, 1, 2), to prove the security properties in BOD5-IOD. The event $Sucs^{\mathcal{A}}_{Gm_j}$ represents that the attacker may correctly guess the bit b on a random basis in game $Gm^{\mathcal{A}}_j$. The advantage of A in winning $Gm^{\mathcal{A}}_j$ for BOD5-IOD is defined as $\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_j} = \Pr[Sucs^{\mathcal{A}}_{Gm_j}]$. Each of the games $Gm^{\mathcal{A}}_j$ may be illustrated as under:

$Gm^{\mathcal{A}}_0$: In this game, the adversary A launches an actual attack against BOD5-IOD with the use of the Real-Or-Random (ROR) model. For this, A chooses a random bit b before the initiation of game $Gm^{\mathcal{A}}_0$. The semantic security as described in Definition 1 can be represented as:

$$\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p) = \left|2\cdot\mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A},Gm_0}(I_p) - 1\right| \qquad (3)$$

$Gm^{\mathcal{A}}_1$: The game $Gm^{\mathcal{A}}_1$ may correspond to an eavesdropping game in which the adversary performs an Execute query as shown in Table 3. With the use of this query, the adversary may attempt to recover the session key SKDNi,GSPj (= SKGSPj,DNi) out of all seized communication messages on the public channel, i.e. Msg1 = {AIDDNi, ADNi, ACertDNi, SigDNi, TS1}, Msg2 = {AIDGSPj, ACertGSPj, BGSPj, SKVGSPj,DNi, TS2}, and Msg3 = {ACKDNi,GSPj, TS3}. Then, the adversary performs the execution of Test and Reveal queries for verifying the recovered session key. In this manner, it may discern whether the session key is legitimate or a random key. The legal session key is computed as SKDNi,GSPj = h(XDNi || XGSPj || RIDDNi || RIDGSPj || TS1 || TS2), where XGSPj = kDNi.BGSPj and RIDGSPj = AIDGSPj ⊕ XGSPj. This computation implies SKDNi,GSPj (= SKGSPj,DNi). This also suggests that merely eavesdropping on the messages Msg1, Msg2 and Msg3 may not increase the success probability for the adversary to extract the long term secrets or the temporal credentials, because both of these parameters are protected under the collision-resistant one-way hash function h(.). Hence both of the above games $Gm^{\mathcal{A}}_0$ and $Gm^{\mathcal{A}}_1$ remain indistinguishable in relation to the eavesdropping threat. Consequently, it results in the following equation:

$$\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_1} = \mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_0} \qquad (4)$$

$Gm^{\mathcal{A}}_2$: In this game, the adversary models Hash as well as Compromise_Drone queries for launching an active attack. For recovering the session key SKDNi,GSPj (= SKGSPj,DNi), the attacker requires the XDNi and XGSPj parameters. However, even if the adversary is able to successfully eavesdrop the messages Msgi (1 ≤ i ≤ 3), he/she would still require kDNi to compute XGSPj or the r1 parameter to compute XDNi. The critical credentials are protected under the cryptographic one-way hash function. To recover these parameters, the attacker A must solve the ECD-DHP problem; nevertheless, it is a hard problem and unlikely to be solvable in a polynomial amount of time. Moreover, with the use of the Compromise_Drone query, A might even recover kDNi, yet without knowing r1, r2, and other related factors, it might not be able to compute the session key SKDNi,GSPj (= SKGSPj,DNi). Hence, both of these games remain indistinguishable upon the exclusion of modeling for Compromise_Drone and Hash queries. This advantage of hash-based collision resistance and the hardness of ECD-DHP leads to the under-mentioned birthday paradox:

$$\left|\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_1} - \mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_2}\right| \le \frac{q_{sh}^{2}}{2|Hash|} + \mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p) \qquad (5)$$

With the use of the illustrated games, the adversary is required to guess a bit b for winning game $Gm^{\mathcal{A}}_2$. Thus, we have,

$$\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_2} = \frac{1}{2}$$

According to Eq. (1)

$$\frac{1}{2}\cdot\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p) = \left|\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_0} - \frac{1}{2}\right|$$

After solving the Eqs. (2), (3) and (4) and considering the triangular inequality, we can derive the following equation:

$$\frac{1}{2}\cdot\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A}}(I_p) = \left|\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_0}(I_p) - \mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_2}\right| = \left|\mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_1}(I_p) - \mathrm{Adv}^{BOD5\text{-}IOD}_{\mathcal{A},Gm_2}\right| \le \frac{q_{sh}^{2}}{2|Hash|} + \mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p) \qquad (6)$$

Ultimately, by using Eq. (6) we get to the following derivation:

$$\mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p) \le \frac{q_{sh}^{2}}{|Hash|} + 2\,\mathrm{Adv}^{ECD\text{-}DHP}_{\mathcal{A}}(I_p) \qquad (7)$$

4.2. AVISPA-based formal security verification

AVISPA [19,20] is an automated push-button tool to validate the features of authentication protocols and internet applications. The tool not only provides a modular approach to specify the security goals but also helps to demonstrate the protocol model in a specified formal language. It is implemented with various back-ends providing multiple heterogeneous state-of-the-art mechanisms for automatic protocol analysis. The AVISPA can implement four back-ends: (a) On the fly model-checker (OFMC), (b) Constraint logic-oriented Attack Searcher (CL-AtSe), (c) SAT-oriented Model Checker (SATMC), and (d) Tree Automata related to Automatic Approximations for Analyzing Security Protocols (TA4SP). For security verification on a formal basis, we performed the simulation of BOD5-IOD using "Security Protocol Animator for AVISPA (SPAN)". The corresponding results are reported in Fig. 3 using the CL-AtSe and OFMC back-ends, while other back-ends such as TA4SP and SATMC, which lack support for the bitwise XOR operation, were ignored due to uncertain results. The Dolev-Yao (DY) based threat model is adopted by AVISPA [20]. That is, a malicious adversary may edit, block, delete, or append fake contents in the message during the interaction, besides intercepting the communication message. In the simulation, under the OFMC back-end, the aggregate execution time was recorded as 398 milliseconds, whereas the depth and the number of visited nodes were 6 plies and 85 nodes, respectively. Using the CL-AtSe back-end, one state was reported with a translation time of 0.17 sec. With respect to the CL-AtSe and OFMC back-ends, it is clearly manifested in the simulation modeling report that our scheme BOD5-IOD is protected from both man-in-the-middle and replay attacks.

4.3. Experimental results using MIRACL

We measured the execution time of the cryptographic primitives employed in designing the proposed scheme by using the widely recognized Multi-precision Integer and Rational Arithmetic Cryptographic Library (MIRACL) [21]. MIRACL is a C/C++ software library and is widely adopted by researchers as the "gold standard open-source SDK for ECC" to research cryptography. Two cases were considered for computing the execution time regarding cryptographic operations concerning the exchange of messages between DNi and GSPj:

Case I. The server-based resources to implement MIRACL are assumed with the following setting: Ubuntu 20.04.1 LTS 64-bit OS with 8GB RAM, Intel Core i7 with a CPU of 2.3 GHz. The readings for each cryptographic primitive were captured with 100 runs, and the maximum, minimum, and average timings were recorded in milliseconds.

Case II. The client-oriented platform regarding MIRACL was considered to be a Raspberry PI 3B+ Rev 1.4 [22], having a 64 bit CPU, 1GB RAM, and Ubuntu OS 20.04.1 LTS. The readings for each cryptographic operation were recorded with 100 runs, and the minimum, maximum, and average timings were noted in milliseconds.

4.4. Informal security analysis

In this section the informal security analysis for BOD5-IOD is presented.

4.4.1. Supports Mutual authentication

In the proposed scheme, unlike BSD2C-IOD, where only unilateral authentication was supported, the GSPj and DNi mutually authenticate each other with the help of respective certificates and signatures [32-34, 40, 43-45]. In our scheme, the GSPj authenticates DNi on the basis of the comparison of ACertDNi⋅G against the computation employing PubCAj, PkCAj and XDNi. Similarly, the DNi duly authenticates GSPj by calculating XGSPj and verifying the dynamic certificate as ACertGSPj.G against the computation using PubGSPj, PubCAj, PkCAj and XGSPj. Hence, the BOD5-IOD ensures mutual authenticity for the involved participants.

4.4.2. Assured untraceability for DNi

In the proposed scheme, unlike BSD2C-IOD, the DNi remains untraceable [35-36][41]. This is because the DNi, in the proposed scheme, submits the pseudo-identity RIDDNi after encryption within the signature without being exposed in the public message. In this manner, the BOD5-IOD can achieve mutual authentication between DNi and GSPj, since the DNi remains untraceable by an adversary having access to public messages.

4.4.3. Drone or GSPj impersonation attack

Our scheme supports mutual authentication to both participants since both participants verify the authenticities of one another by certificates and signatures. This property certifies that the adversary may not initiate a DNi or GSPj impersonation attack following the BOD5-IOD protocol.

4.4.4. Drone physical capture attack

If the drone DNi is physically captured by the adversary, it may recover the parameters RIDDNi, CertDNi, (kDNi, PkDNi), PkCAj from the memory of DNi [37-39, 42]. However, the adversary may not be able to launch a physical capture attack on drones, since the recovered parameters may not be able to compute the previous session keys, i.e. SKDNi,GSPj = SKGSPj,DNi = h(XDNi || XGSPj || RIDDNi || RIDGSPj || TS1 || TS2), as established among the genuine participants.

5. Performance Evaluation Analysis

In this section, a comparative analysis is performed based on security functionalities, computational and communicational overheads among different schemes, including Tian et al. [23], Luo et al. [24], Li et al. [25], and BOD5-IOD [13]. The communication and computational costs for the mutual authentication phase of BOD5-IOD between DNi and GSPj are depicted in Table 4 and Table 6. We assume in the communication delay analysis that a timestamp, a hash function (SHA-256) output, an elliptic curve point multiplication, a random integer, and an identity take 32, 256, 320 (160+160), 160 and 160 bits, respectively. We also assume that a cryptosystem with an ECC-based 160-bit key provides an equivalent level of security as that of an RSA-based 1024-bit key. In BOD5-IOD, the communication messages Msg1 = {AIDDNi, ADNi, ACertDNi, SigDNi, TS1}, Msg2 = {AIDGSPj, ACertGSPj, BGSPj, SKVGSPj,DNi, TS2} and Msg3 = {ACKDNi,GSPj, TS3} take 928 bits, 1024 bits and 288 bits, respectively. The analysis on communication delay for various schemes and BOD5-IOD is shown in Table 6. The communication cost for the proposed scheme is comparatively lower than [23-25]. However, it is equivalent to the communication cost of BSD2C-IOD as 2240 bits.

Table 6
Comparison of Communication cost (bits).

| Scheme | Number of messages | Communication Cost (bits) |
|---|---|---|
| [24] | 2 | 3040 |
| [25] | 2 | 3488 |
| [23] | 2 | 11712 |
| [13] | 3 | 2240 |
| [Ours] | 3 | 2240 |

For the comparison of computational delay, we assume Tme, Tbp, Tpa, Tpm and Th represent the execution time of modular exponentiation, bilinear pairing operation, elliptic curve-based point addition, elliptic curve-based point multiplication, and collision-resistant one-way hash function, respectively. In the contributed BOD5-IOD, the DNi incurs a computational delay of 5Th + 5TPM + 2TPA, while the GSPj incurs 5Th + 7TPM + 2TPA. The experimental findings are applied as shown in section VI for computing the execution times of various crypto-primitives by using MIRACL. We assume the execution delay for different crypto-primitives on Raspberry PI 3 as assumed in [13] for the drone embedded with multiple IoT sensors and smart devices. Likewise, we assume the execution time of the employed crypto-primitives on the end of the GSP server. Thereafter, on account of the assumed computed delays for executing those primitives, a comparison between BOD5-IOD and the rest of the contemporary schemes has been drawn, as summarized in Table 4. According to this Table, our scheme takes a computational delay of 13.017ms, which is quite low as compared to Luo et al. [24] and Li et al. [25] taking 32.393ms and 32.393ms, respectively. However, our scheme takes more computational cost than Tian et al. [23] and Bera et al. [13]. The Tian et al. scheme employs lightweight operations, but is nonetheless vulnerable to session-specific temporary information attack, and does not support mutual authentication and perfect forward secrecy. Bera et al. [13] also take a comparatively lower computational cost of 11.022ms than our scheme, yet it is susceptible to GSP's impersonation attack, as well as lacking mutual authentication.

Table 4
Computational cost.

| | [24] | [25] | [23] | [13] | [Ours] |
|---|---|---|---|---|---|
| DNi | 1TBP+1TH ≈ 32.393ms | 1TBP+1TH ≈ 32.393ms | 8TME+9TH ≈ 4.605ms | 6TH+4TPM+1TPA ≈ 11.022ms | 5TH+5TPM+2TPA ≈ 13.017ms |
| GSPj | 3TPM+3TBP+3TH+1TPA+1TME ≈ 16.409ms | 3TPM+4TBP+1TH+2TPA+1TME ≈ 20.945ms | - | 6TH+6TPM+2TPA ≈ 4.378ms | 5TH+7TPM+2TPA ≈ 4.997ms |
| Total delay | ≈ 48.802ms | ≈ 53.338ms | ≈ 4.605ms | ≈ 15.4ms | ≈ 18.014ms |

Moreover, the scheme [13] does not support anonymity for the drones. Table 5 exhibits the security-based functionality features for the compared schemes and the proposed model. Besides, Fig. 4 shows the graph for computational and security comparisons. Referring to this Table, the schemes [23] and [24] do not support mutual authentication, dynamic drone addition, and blockchain-oriented verification. Also, [23] is not immune to drone physical capture attack as well as session-specific Temporary Information Attack (SSTIA). The Tian et al. scheme neither supports perfect forward secrecy nor provides resistance against SSTIA. Table 5 demonstrates that BOD5-IOD has a conspicuous advantage over existing schemes in terms of functional features for security. Moreover, unlike BSD2C-IOD, the DNi remains untraceable in the proposed scheme, since drone DNi submits the pseudo-identity RIDDNi in encrypted form, which assures anonymity and untraceability for the drones. In addition, the computational and communication efficiencies in the proposed model are compared to previous studies, which are quantified as 34.4% and 23.3%, respectively. As per the results, the involvement of the blockchain center in the proposed scheme promotes immutability and traceability of transactions and assists in eliminating any trusted third party for secure data delivery and collection using decentralized management.

Table 5
Functionality comparison.

| | [24] | [25] | [23] | [13] | [Ours] |
|---|---|---|---|---|---|
| Resistance against RA | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports drone's anonymity | ✓ | ✓ | ✓ | × | ✓ |
| Immune to MIDMA | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports mutual authentication | × | × | × | × | ✓ |
| Immune to DIA | ✓ | ✓ | ✓ | ✓ | ✓ |
| Resists GIA | ✓ | ✓ | - | × | ✓ |
| Resists SSTIA | × | × | × | ✓ | ✓ |
| Immune to DPCA | × | × | ✓ | ✓ | ✓ |
| Supports FSV | ✓ | ✓ | × | ✓ | ✓ |
| Supports BOV | × | × | × | ✓ | ✓ |
| Supports DDA | × | × | ✓ | ✓ | ✓ |
| Achieves PFS | ✓ | ✓ | × | ✓ | ✓ |

RA: Replay Attack, MIDMA: Man-in-the-Middle attack, DIA: Drone Impersonation Attack, GIA: GSPj impersonation attack, SSTIA: session-specific temporary information attack, DPCA: Drone Physical capture attack, PFS: Perfect Forward Secrecy, DDA: Dynamic drone Addition, BOV: Blockchain oriented verification, FSV: Formal Security Verification.

Fig. 4. Graph exhibiting computational delay and security.

6. Conclusion

The contributed model serves as an improvement over the Bera et al. scheme that intended to provide a blockchain-based authenticated key agreement scheme for drones. The Bera et al. scheme, bearing serious problems in its model, was unable to support anonymity or untraceability for the drones. Furthermore, an adversary may initiate a Ground Station Server impersonation attack against the drones, which serves as a serious implication for the practicability of the Bera et al. scheme. This paper proposed an enhanced blockchain-enabled authentication protocol BOD5-IOD for authenticating the registered drones in the system. The BOD5-IOD, other than supporting a robust access control mechanism between drones and GSS, also ensures safe transactions among all members in the IoD environment. The formal analysis and performance evaluation exhibit that our scheme supports all security requirements with computational and communication efficiencies. We shall work on bringing the computational cost further down by either eliminating the public key certificates or minimizing the elliptic curve point multiplication operations from the authentication process.

Authors' contributions

All authors contributed equally to this work.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

[1] Federal Aviation Administration. FAA Aerospace Forecast, 2016-2036. https://www.faa.gov/data_research/aviation/aerospace_forecasts/media/FY2016-36_FAA_Aerospace_Forecast.pdf [Accessed December, 2020].
[2] B. Li, Z. Fei, Y. Zhang, UAV Communications for 5G and Beyond: Recent Advances and Future Trends, IEEE Internet of Things J. 6 (2) (2019) 2241–2263.
[3] A.K. Das, M. Wazid, N. Kumar, A.V. Vasilakos, J.J.P.C. Rodrigues, Biometrics-Based Privacy-Preserving User Authentication Scheme for Cloud-Based Industrial Internet of Things Deployment, IEEE Internet of Things J. 5 (6) (2018) 4900–4913.
[4] S. Malani, J. Srinivas, A.K. Das, K. Srinathan, M. Jo, Certificate Based Anonymous Device Access Control Scheme for IoT Environment, IEEE Internet of Things J. 6 (6) (2019) 9762–9773.
[5] M. Wazid, A.K. Das, V. Odelu, N. Kumar, W. Susilo, Secure Remote User Authenticated Key Establishment Protocol for Smart Home Environment, IEEE Trans. Dependable Secure Comput. 17 (2) (2020) 391–406.
[6] S. Mandal, B. Bera, A.K. Sutrala, A.K. Das, K.R. Choo, Y. Park, Certificateless Signcryption-Based Three-Factor User Access Control Scheme for IoT Environment, IEEE Internet of Things J. 7 (4) (2020) 3184–3197.
[7] Jangirala, A.K. Das, A.V. Vasilakos, Designing secure lightweight blockchain-enabled RFID-based authentication protocol for supply chains in 5G mobile edge computing environment, IEEE Trans. Ind. Informat. 16 (11) (Nov. 2020) 7081–7093.
[8] J. Srinivas, A.K. Das, N. Kumar, J.J. Rodrigues, TCALAS: Temporal credential-based anonymous lightweight authentication scheme for Internet of drones environment, IEEE Trans. Veh. Technol. 68 (7) (2019) 6903–6916.
[9] A. Yazdinejad, R.M. Parizi, A. Dehghantanha, H. Karimipour, G. Srivastava, M. Aledhari, Enabling Drones in the Internet of Things with Decentralized Blockchain-based Security, IEEE Internet of Things J. (2020).
[10] D. Dolev, A. Yao, On the security of public key protocols, IEEE Trans. Inf. Theory 29 (2) (1983) 198–208.
[11] R. Canetti, H. Krawczyk, Universally Composable Notions of Key Exchange and Secure Channels, in: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'02), Amsterdam, The Netherlands, 2002, pp. 337–351.
[12] B.D. Deebak, F. Al-Turjman, A smart lightweight privacy preservation scheme for IoT-based UAV communication systems, Comput. Commun. 162 (2020) 102–117.
[13] B. Bera, S. Saha, A.K. Das, N. Kumar, P. Lorenz, M. Alazab, Blockchain-envisioned secure data delivery and collection scheme for 5G-based IoT-enabled internet of drones environment, IEEE Trans. Veh. Technol. 69 (8) (2020) 9097–9111.
[14] D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), Int. J. Inf. Secur. 1 (1) (2001) 36–63.
[15] M. Castro, B. Liskov, Practical Byzantine fault tolerance and proactive recovery, ACM Trans. Comput. Syst. 20 (4) (2002) 398–461.
[16] D. Magazzeni, P. McBurney, W. Nash, Validation and Verification of Smart Contracts: A Research Agenda, IEEE Computer 50 (9) (2017) 50–57.
[17] Y. Zhang, S. Kasahara, Y. Shen, X. Jiang, J. Wan, Smart contract based access control for the internet of things, IEEE Internet of Things J. 6 (2) (2019) 1594–1605.
[18] M. Abdalla, P.A. Fouque, D. Pointcheval, Password-based authenticated key exchange in the three-party setting, in: 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC'05), Lecture Notes in Computer Science, Les Diablerets, Switzerland 3386, 2005, pp. 65–84.
[19] S.D. Kumar, R. Amin, V. Satyanarayana, R. Chaudhry, Blockchain-based secured event-information sharing protocol in internet of vehicles for smart cities, Computers & Electrical Engineering 86 (106719) (2020).
[20] AVISPA, "Automated Validation of Internet Security Protocols and Applications," 2019, http://www.avispa-project.org/. Accessed on October 2019.
[21] "MIRACL Cryptographic SDK: Multiprecision Integer and Rational Arithmetic Cryptographic Library," 2020, Accessed on April 2020. [Online]. Available: https://github.com/miracl/MIRACL.
[22] "Raspberry Pi 3 Model B+," 2020, Accessed on April 2020. [Online]. Available: https://www.raspberrypi.org/products/raspberry-pi-3-model-b-plus/.
[23] Y. Tian, J. Yuan, H. Song, Efficient privacy-preserving authentication framework for edge-assisted Internet of Drones, J. Inf. Secur. Appl. 48 (2019), 102354.
[24] M. Luo, Y. Luo, Y. Wan, Z. Wang, Secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT, Secur. Commun. Netw. (2018) 1–10, https://doi.org/10.1155/2018/6140978.
[25] F. Li, Y. Han, C. Jin, Practical access control for sensor networks in the context of the Internet of Things, Comput. Commun. 89-90 (2016) 154–164.
[26] M. Wazid, B. Bera, A. Mitra, A.K. Das, R. Ali, Private blockchain-envisioned security framework for AI-enabled IoT-based drone-aided healthcare services, in: Proceedings of the 2nd ACM MobiCom Workshop on Drone Assisted Wireless Communications for 5G and Beyond, 2020, pp. 37–42.
[27] M. Wazid, A.K. Das, S. Shetty, J.J. Rodrigues, On the design of secure communication framework for blockchain-based internet of intelligent battlefield things environment, in: IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops, 2020, pp. 888–893.
[28] ... T. Li, J. Ma, X. Ma, C. Gao, H. Wang, C. Ma, J. Zhang, Lightweight secure communication mechanism towards UAV networks, in: 2019 IEEE Globecom Workshops, 2019, pp. 1–6.
[29] V. Hassija, V. Saxena, V. Chamola, A blockchain-based framework for drone-mounted base stations in tactile internet environment, in: IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2020, pp. 261–266.
[30] G. Cho, J. Cho, S. Hyun, H. Kim, Sentinel: A secure and efficient authentication framework for unmanned aerial vehicles, Appl. Sci. 10 (9) (2020).
[31] M. Bilal, S. Pack, Secure Distribution of Protected Content in Information-Centric Networking, IEEE Syst. J. 14 (2) (2020) 1921–1932, https://doi.org/10.1109/JSYST.2019.2931813.
[32] S.K. Dwivedi, R. Amin, S. Vollala, R. Chaudhry, Blockchain-based secured event-information sharing protocol in Internet of vehicles for smart cities, Comput. Electr. Eng. 86 (2020), 106719.
[33] S.K. Dwivedi, R. Amin, S. Vollala, Blockchain based secured information sharing protocol in supply chain management system with key distribution mechanism, J. Inf. Secur. Appl. 54 (2020), 102554.
[34] A. Irshad, M. Usman, S.A. Chaudhry, H. Naqvi, M. Shafiq, A provably secure and efficient authenticated key agreement scheme for energy internet-based vehicle-to-grid technology framework, IEEE Trans. Ind. Appl. 56 (4) (2020) 4425–4435, https://doi.org/10.1109/TIA.2020.2966160.
[35] S.A. Chaudhry, Correcting "PALK: Password-based anonymous lightweight key agreement framework for smart grid", Int. J. Electr. Power Energy Syst. 125 (2021), 106529.
[36] S.A. Chaudhry, M.S. Farash, N. Kumar, M.H. Alsharif, PFLUA-DIoT: a pairing free lightweight and unlinkable user access control scheme for distributed IoT environments, IEEE Syst. J. (2020), https://doi.org/10.1109/JSYST.2020.3036425.
[37] M. Bilal, SG. Kang, A secure key agreement protocol for dynamic group, Cluster Comput. 20 (2017) 2779–2792.
[38] A. Irshad, S.A. Chaudhry, O.A. Alomari, K. Yahya, N. Kumar, A novel pairing-free lightweight authentication protocol for mobile cloud computing framework, IEEE Syst. J. (2020), https://doi.org/10.1109/JSYST.2020.2998721.
[39] S.A. Chaudhry, K. Yahya, F. Al-Turjman, M.-H. Yang, A secure and reliable device access control scheme for IoT based sensor cloud systems, IEEE Access 8 (2020) 139244–139254, https://doi.org/10.1109/ACCESS.2020.3012121.
[40] S.A. Chaudhry, H. Alhakami, A. Baz, F. Al-Turjman, Securing demand response management: a certificate-based access control in smart grid edge computing infrastructure, IEEE Access 8 (2020) 101235–101243, https://doi.org/10.1109/ACCESS.2020.2996093.
[41] M. Rana, A. Shafiq, I. Altaf, M. Alazab, S.A. Chaudhry, K. Mahmood, Y.B. Zikria, A secure and lightweight authentication scheme for next generation IoT infrastructure, Comput. Commun. 165 (2021) 85–96.
[42] Y. Wu, H.N. Dai, H. Wang, K.K.R Choo, Blockchain-based privacy preservation for 5g-enabled drone communications, IEEE Network 35 (1) (2021) 50–56.
[43] L. Tan, H. Xiao, K. Yu, M. Aloqaily, Y. Jararweh, A blockchain-empowered crowdsourcing system for 5G-enabled smart cities, Comput. Standards Interfaces 76 (2021), 103517.
[44] M Bilal, S-G. Kang, An Authentication Protocol for Future Sensor Networks, Sensors 17 (5) (2017) 979.
[45] A.K. Sutrala, M.S. Obaidat, S. Saha, A.K. Das, M. Alazab, Y. Park, Authenticated key agreement scheme with user anonymity and untraceability for 5G-enabled softwarized industrial cyber-physical systems, IEEE Trans. Intell. Transp. Syst. (2021).

Shehzad Ashraf Chaudhry received the master's and Ph.D. degrees (with Distinction) from International Islamic University Islamabad, Pakistan, in 2009 and 2016, respectively. He is currently working as an Associate Professor with the Department of Computer Engineering, Faculty of Engineering and Architecture, Istanbul Gelisim University, Istanbul, Turkey. He has authored over 120 scientific publications appeared in different international journals and proceedings, including more than 86 in SCI/E journals. With an H-index of 29 and an I-10 index 57, his work has been cited over 2420 times. He has also supervised over 40 graduate students in their research. His current research interests include lightweight cryptography, elliptic/hyper elliptic curve cryptography, multimedia security, E-payment systems, MANETs, SIP authentication, smart grid security, IP multimedia subsystem, and next generation networks. He occasionally writes on issues of higher education in Pakistan. Dr. Chaudhry was a recipient of the Gold Medal for achieving 4.0/4.0 CGPA in his Masters. Considering his research, Pakistan Council for Science and Technology granted him the Prestigious Research Productivity Award, while affirming him among Top Productive Computer Scientist in Pakistan. Recently, he is listed among Top 2% Computer Scientists across the world in Stanford University's report. He is also serving as guest editor for many WoS indexed journals and has served/is serving as a TPC member of various international conferences. He is also an active reviewer of many WoS indexed journals.

Dr. Anwar Ghani is a faculty member at the Department of Computer Science & Software Engineering, International Islamic University Islamabad. He received his Doctorate in Computer Science and MS Computer Science from the Department of Computer Science & Software Engineering, International Islamic University Islamabad in 2016 and 2011. He received his BS in Computer Science from the University of Malakand K.P.K, Pakistan in 2007. Dr. Ghani worked as a Software Engineer in Bioman Technologies from 2007 to 20011. He was selected as an exchange student under the EURECA program in 2009 for VU University Amsterdam, Netherland, and the EXPERT program in 2011 for Masaryk University, Czech Republic, funded by the European Commission. His broad research interests include wireless sensor networks, Next Generation Networks, Information Security, Energy Efficient Collaborative Communication.

Azeem Irshad received master's degree from Arid Agriculture University, Rawalpindi, Pakistan. Then he completed his PhD from International Islamic University, Islamabad, Pakistan. He has authored more than 64 international journal and conference publications, including 33 SCI-E journal publications. His research work has been cited over 646 times with 12 h-index and 14 i-10-index. He received Top Peer-Reviewer Award from Publons in 2018 with 126 verified reviews. He has served

Muhammad Bilal received the B.Sc. degree in computer systems engineering from the University of Engineering and Technology, Peshawar, Pakistan, in 2008, the M.S.
degree in as a reviewer for more than 40 reputed journals including IEEE computer engineering from the Chosun University, Gwangju, Systems Journal, IEEE Communications Magazine, IEEE TII, South Korea, in 2012, and the Ph.D. degree in information and IEEE Consumer Electronics Magazine, IEEE Sensors Journal, communication network engineering from the School of Elec- IEEE TVT, IEEE IAS, Computer Networks, Information tronics and Telecommunications Research Institute (ETRI), Korea University of Science and Technology, in 2017. He was a Sciences, CAEE, Cluster Computing, AIHC, JNCA and FGCS, notably. His research interests Postdoctoral Research Fellow at Smart Quantum Communica- include strengthening of authenticated key agreements in Cloud-IoT, smart grid, pervasive tion Center, Korea University, Seoul, South Korea, in 2017/ edge computing, CPS, 5G networks, WSN, Ad hoc Networks, e-health clouds, SIP, and 2018. Currently, he is an Assistant Professor with the Division multi-server architectures. of Computer and Electronic Systems Engineering, Hankuk University of Foreign Studies, Yongin, South Korea. His research interests include design and analysis of network protocols, network architecture, network security, IoT, named data networking, Blockchain, cryptology, and future Internet. . He is an editor of IEEE Future Directions Ethics and Policy in Technology Newsletter and IEEE Internet Policy Newsletter. 12