1.1. Our Contribution

(1)

We propose a novel Software-defined MIoTs-based model providing security communication in underlying data plane. The outstanding computing power of control plane greatly relieves the overhead of upper layer, which offer users higher-quality services.

(2)

We design an authentication system to ensure the authenticity and reliability of messages, so that OLDs are encouraged to spread real information. Otherwise, they will ge punished. Besides, an emergency-dealing scheme is offered to provide in-time services based on multicast, which not only takes current networks situation into consideration, but also the prediction of instantaneously changing.

(3)

A security analysis proves that our proposed scheme is able to achieve the security goals of Software-defined MIoTs. In addition, adopting elliptic curve cryptography avoids heavy overhead brought by bilinear pairing operations, which is demonstrated by the comparison results.

3.1. System Model and Assumptions

(1)

GC:It’s the main controller of the control plane. In traditional SDN systems, the controller is a logically centralized point that has extremely outstanding storage and computing capabilities. Typically, it directs switches to deliver and forward packages by building routing rules. In our system, the GC is mainly responsible for generating system parameters, computing the movement path of the device, and building route tables for OF-Switches. When there are accidents or emergencies happening, it also selects impacted devices and forms a temporary multicast group. It generates a multicast tree for this group to inform them of conditions in time.

(2)

LCs:They are distributed geographically and manage a specific small area respectively. In our system, LCs exist mainly for balancing the computation and storage burdens of the GC. It can reduce realistic deployment costs as well. LCs set system parameters and communicate with OLDs. They can verify messages in their local areas and compute fine-grained navigation for OLDs. When there are road situations, they also compose of multicast nodes to inform and direct OLDs in their areas.

(3)

OF-Switches:Different from conventional switches, OF-Switches are OpenFlow-enabled data switches that communicate with external controllers over OpenFlow channel. OpenFlow protocol offers separation of programming network devices and underlying hardwares [32]. In our system, OF-Switches perform package lookup and forwarding according to flow tables installed on them.

(4)

OLDs:OLDs offer network access services via wireless communication capabilities, which have limited computing power and storage [33]. Also a tamper-proof equipment is embedded in each OLDs, which is robust and responsible for generating key cryptographical parameters, and performing many encryption and decryption operations [34].

(5)

BSs and APs:OLDs get access to Internet via various ways. Cellular networks like 5G network via BSs, and city WiFi via APs are both supported by our system. For Software-defined MIoTs, to balance heterogeneous networks and allow OLDs in different networks to communicate is much easier compared with conventional networks.

*

The GC is fully trusted and will not be compromised. It has ample computing power and storage space.

*

LCs are trustworthy, but in case it is compromised, we don’t provide them capabilities of trace OLDs’ real identities. LCs have sufficient computing and storage space.

*

The parameters and data stored in OLDs are not available for others.

3.2. Multicast Subsystem

3.3. Design Goals

(1)

Anonymity: OLDs in our system will not communicate with other entities with real identities. Only by virtue of messages sent by OLDs and some public information, malicious users are not able to obtain the sender’s real identity. By this, OLDs are allowed to send messages without exposing sensitive privacy.

(2)

Authentication and Privacy: All interactive parties in our system can authenticate each other to ensure the reliability and legitimacy. Especially, in different areas, messages sent by OLDs should reflect the present LC’s information without exposing them to adversaries, which makes sure the location privacy would not be damaged.

(3)

Traceability: We won’t exclude the possibility of malicious entities’ existences. They aim to interrupt or interfere normal communications, or spread false and deceptive messages to gain conveniences and benefits for themselves. When misbehavior occurs, the controller plane should be able to trace the real identities and punish them by cutting services or submitting their information to related authorities.

(4)

Unlinkability: The proposed scheme would not enable third parties to link scattered messages to the same OLDs. That is to say, no third party could know one specific OLD’s activities by analysing those intercepted messages.

(5)

Resistance to common attacks: The scheme should also be able to resist common attacks that happen in conventional networks. For instance, replay attack, impersonation attack, modification attack, and so on.

4.1. Control Plane Initialization

1)

GC Initialization:The GC randomly selects the master key $s\in Z_q$, and computes $P_{pub}=s·P$ as its public key, and makes $\alpha =s·h\left(P_{pub}\right)$. Then it selects $h:G$$\to Z_q^{*}$, $H0:G\times {\{0,1\}}^{*}\to Z_q^{*}$, $H1$$:{\{0,1\}}^{*}$$\to Z_q^{*}$, $H2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times G\times G\to Z_q^{*}$. It sends $\alpha$ to LCs and publishes {$P_{pub},p,q,a,b,P,H0,H1,H2$} as the system parameters. To ensure the security of the whole system, hash function h should be kept secret to GC.

2)

LCs Initialization:After receiving $\alpha$ via secure channel in control plane, $L{C}_i$ computes $l_i=\alpha ·NL{C}_i$ as its secret key, where $NL{C}_i$ is a unique number of each LC and a list of them is only stored in the GC. Since s is unknown to any third party, and each $NL{C}_i$ also stays secret, it’s also difficult to compute $l_i$ based on public parameters. Then it computes $L_i=l_i·P$ as its public key, and adds $L_i$ in to GC’s system parameters. Finally, {$P_{pub},p,q,a,b,P,H0,H1,H2,L_i$} is the local system parameters of this specific area.

4.2. Online Learning Devices Initialization

4.3. One-time Key Generation and Message Signature

4.4. Emergency Location Extraction

4.5. Message Authentication

(1)

Single Verification

After receiving a message $\{M_i,T_t,P{K}_i,R_i,PI{D}_i\}$, to verify its validation, a receiver will perform following steps by order with the system parameters {$P_{pub},p,q,a,b,P,H0,H1,$$H2,L_i$}.

*

Check if the timestamp $T_t$ is fresh. If not, it abandons the received message. If so, keep performing.

*

The receiver performs $\sigma ·P$ and $P{K}_i+w_i·R_i$ and calculates if they equal. If does not, the receiver chooses to abandon it. If equals, it admit the validation of this message.

Since $P_{pub}=s·P$, $w_i=H2(M_i\parallel PI{D}_i\parallel T_t\parallel R_i\parallel P{K}_i)$, $R_i=r·P$, $P{K}_i=s{k}_i·P$, and $PI{D}_i=\{PI{D}_{i,1},PI{D}_{i,2}\}$, where $PI{D}_{i,1}=I{D}_i\oplus H0(s{k}_i·L_i\parallel T_t)$, $PI{D}_{i,2}=(s{k}_i·L_i)\oplus H1\left(T_t\right)$, and $\sigma =s{k}_i+w_i·r_{i}modq$, following equations can be derived.

$$\begin{array}{cc}\hfill \sigma ·P& =(s{k}_i+w_i·r_i)·P\hfill \\ \hfill & =s{k}_i·P+w_i·r_i·P\hfill \\ \hfill & =P{K}_i+w_i·R_i\hfill \end{array}$$

(3)

(2)

Batch Verification

When a receiver obtains n messages in a short interval, verifying them one by one will consume lots of time and computing power. So our scheme supports batch verification to save sources. Firstly, to ensure the non-repudiation of signatures using batch verification, we choose a vector consisting of small random integers. Let the vector $\zeta =\{{\zeta }_1,{\zeta }_2,{\zeta }_3,...,{\zeta }_n\}$, where ${\zeta }_i\in [1,2^{\xi }]$, and $\zeta$ is a secure parameter. After receiving a message $\{M_1,T_{t,1},P{K}_1,R_1,PI{D}_1\}$, $\{M_2,T_{t,2},P{K}_2,R_2,PI{D}_2\}$, ..., $\{M_n,T_{t,n},P{K}_n,R_n,PI{D}_n\}$, to verify its validation, a receiver will perform following steps by order with the system parameters {$P_{pub},p,q,a,b,P,H0,H1,H2,L_i$}.

*

Check if the timestamp $T_{t,1},T_{t,2},...,T_{t,i},...T_{t,n}(1<i\le n)$ are fresh. If not, it abandons the received message. If so, keep performing.

*

The receiver performs $\left(4\right)$ and calculates if they equal. If does not, the receiver will find the malicious message via the invalid signature search algorithm and chooses to abandon it[cite]. If equals, it admits the validation of this series of messages.

$$\begin{array}{cc}\hfill \sum _{i=1}^n({\zeta }_i·{\sigma }_i)·P& =(\sum _{i=1}^n{\zeta }_i·(s{k}_i+w_i·r_i))·P\hfill \\ \hfill & =\sum _{i=1}^n({\zeta }_i·(s{k}_i·P+w_i·r_i·P))\hfill \\ \hfill & =\sum _{i=1}^n({\zeta }_i·P{K}_i+{\zeta }_i·w_i·R_i)\hfill \\ \hfill & =\sum _{i=1}^n(\zeta ·P{K}_i)+\sum _{i=1}^n({\zeta }_i·w_i·R_i)\hfill \end{array}$$

(4)

5.1. Security Proof

• Setup-Oracle: $\mathcal{C}$ generates the private key and corresponding system parameters. Then it sends them to $\mathcal{A}$ when $\mathcal{A}$ revokes the query.
• $H0$-Oracle: $\mathcal{C}$ chooses a random point $d\in Z_q$, and insert $\{m,d\}$ into its list $L_{H0}$. Then it returns d to $\mathcal{A}$ when $\mathcal{A}$ revokes the query.
• $H1$-Oracle: $\mathcal{C}$ chooses a random number $d\in Z_q$, and insert $\{m,d\}$ into its list $L_{H1}$. Then it returns d to $\mathcal{A}$ when $\mathcal{A}$ revokes the query.
• $H2$-Oracle: $\mathcal{C}$ chooses a random point $d\in Z_q$, and insert $\{m,d\}$ into $L_{H2}$. Then it returns d to $\mathcal{A}$ when $\mathcal{A}$ revokes the query.
• Sign-Oracle: based on the $M_i$ sent by $\mathcal{A}$, $\mathcal{C}$ computes a $msg:\{M_i,T_t,P{K}_i,R_i,PI{D}_i\}$. Then $\mathcal{C}$ returns $\{M_i,T_t,P{K}_i,R_i,PI{D}_i\}$ to $\mathcal{A}$ when $\mathcal{A}$ revokes the query.

5.2. Security Analysis

(1)

Anonymity: OLDs in our system will not communicate with other entities with pseudo identities $PI{D}_i$, where $PI{D}_i=\{PI{D}_{i,1},PI{D}_{i,2}\},PI{D}_{i,1}=I{D}_i\oplus H0(s{k}_i·L_i\parallel T_t),PI{D}_{i,2}=(s{k}_i·L_i)\oplus H1\left(T_t\right)$. Malicious users are not able to obtain the sender’s privacy only via public parameters and messages it sent. By this, vehicles are allowed to send messages without exposing their real identities.

(2)

Authentication and Privacy: All messages sent by communicating parties should sign these messages before sending. They compute $\sigma =s{k}_i+w_i·r_{i}modq$, where $w_i=H2(M_i\parallel PI{D}_i\parallel T_t\parallel R_i\parallel P{K}_i)$. Then encapsulated messages $msg=\{M_i,T_t,P{K}_i,R_i,PI{D}_i\}$ are broadcasted. Thus, all interactive parties in our system can authenticate each other to ensure the reliability and legitimacy. Besides, an encapsulated message $msg$ include no LC’s $NL{C}_i$ explicitly, which will keep the basic location privacy of OLDs. But when it’s needed, the GC can derive the rough location of $v_i$ by computing $(PI{D}_{i,2}\oplus H1\left(T_t\right))·{(P{K}_i·\alpha )}^{-1}$ from the $msg$.

(3)

Traceability: When malicious messages are detected, the GC will extract vehicles’ real identities by computing $I{D}_i=H0(P{K}_i·\alpha ·NL{C}_i\parallel T_t)\oplus PI{D}_{i,1}$, since $s{k}_i·L_i=s{k}_i·\alpha ·NL{C}_i·P=P{K}_i·\alpha ·NL{C}_i$, and $NL{C}_i=(PI{D}_{i,2}\oplus H1\left(T_t\right))·{(P{K}_i·\alpha )}^{-1}$ can be easily derived via messages.

(4)

Unlinkability: Every time to generate a message $msg:\{M_i,T_t,P{K}_i,R_i,PI{D}_i\}$, a random number $r_i\in Z_q$ will be reselected, and a new $w_i=H2(M_i\parallel PI{D}_i\parallel T_t\parallel R_i\parallel P{K}_i)$ will be recomputed. Due to the randomness of $r_i$ and variability of $w_i$, a malicious party is unable to link messages sent by one OLDs to itself. Therefore, the proposed scheme offers unlinkability in interactive communications.

(5)

Resistance to common attacks: Our scheme can also be able to resist common attacks that happen in conventional networks. Such as,

*

Replay Attack: The encapsulated message contains timestamp $T_t$, which can prevent messages are saved then reforwarded. When receives messages, receivers check the freshness of messages at the very first beginning. If it’s still fresh, receiver will start to verify the validation of these messages. Otherwise, messages will be abandoned.

*

Impersonation Attack: If an adversary tries to impersonate a legal vehicle, it has to generate a signature of the message $msg$ which satisfies $\sigma ·P=P{K}_i+w_i·R_i$. But according to Theorem 1, no adversary can generate such messages in the polynomial time, which proofs that our scheme is able to resist impersonation attack.

*

Modification Attack: A signature $\sigma =s{k}_i+w_i·r_{i}modq$ is a digital signature related to $M_i$ since $w_i=H2(M_i\parallel PI{D}_i\parallel T_t\parallel R_i\parallel P{K}_i)$. If $M_i$ is modified by a malicious party, then $w_i$ will change consequently, which makes $\sigma$ change as well. Hence, the modification can be easily detected if message itself is modified. By that, our scheme is able to resist modification attack.

*

Sybil Attack: To start a sybil attack, the adversary must generate multiple identities to play multiple roles. However, the pseudo identities are computed by a tamper-proof device. An adversary must violate the device first to generate those identities, which is infeasible via current technologies. Therefore, our scheme is able to resist sybil attack.

6.1. Computation Cost Analysis

6.2. Communication Cost Analysis