
Secure And Privacy Preserving Federated Authentication With Certificateless Key Agreement In IoV

Abstract: The present invention proposes the first certificateless federated authentication and key agreement without using secure channel scheme (CLFAKA) for cross-domain IoV environments. The scheme is designed to enable efficient mutual authentication between vehicles and service providers without requiring the TA during real-time communication. The security of CLFAKA is formally proven under the RoR model, demonstrating its resistance to cryptographic attacks such as impersonation, replay, and man-in-the-middle. Additionally, the protocol is validated using the AVISPA tool, confirming its robustness against adversaries. Performance evaluation results show that the proposed scheme significantly reduces execution time, communication cost, and memory overhead compared to existing federated authentication protocols, making it a practical and scalable solution for secure deployment in real-world IoV ecosystems. Figure 1


Patent Information

Application #:
Filing Date: 04 October 2025
Publication Number: 46/2025
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email:
Parent Application:

Applicants

Raghav
SCSET, Bennett University, Greater Noida, Uttar Pradesh, India, 201310
Chanchal Maurya
SCSET, Bennett University, Greater Noida, Uttar Pradesh, India, 201310

Inventors

1. Raghav
SCSET, Bennett University, Greater Noida, Uttar Pradesh, India, 201310
2. Chanchal Maurya
SCSET, Bennett University, Greater Noida, Uttar Pradesh, India, 201310

Specification

Description:
FIELD OF THE INVENTION
[0001] The present invention relates to the field of network security and authentication protocols in distributed computing environments, and more particularly to a certificateless federated authentication and key agreement mechanism without using secure channel designed for secure, efficient, and privacy-preserving communication in the Internet of Vehicles (IoV) ecosystem. The invention addresses challenges of cross-domain authentication, identity management, and session key establishment in heterogeneous vehicular networks without relying on conventional Public Key Infrastructure (PKI) or digital certificates.
BACKGROUND FOR THE INVENTION:
[0002] The Internet of Vehicles (IoVs) is an emerging paradigm within the broader context of the Internet of Things (IoTs), characterized by the seamless integration of vehicles with communication infrastructure, cloud platforms, and intelligent systems. This interconnected environment facilitates real-time data exchange among vehicles (V2V), vehicles and infrastructure (V2I), vehicles and pedestrians (V2P), and vehicles and networks (V2N), forming a comprehensive vehicle-to-everything (V2X) communication framework. The primary goal of IoV is to enhance road safety, traffic efficiency, infotainment, and autonomous driving capabilities.
[0003] IoV supports a wide range of services, including intelligent traffic management, dynamic route planning, vehicle tracking, remote diagnostics, and multimedia content delivery. These services typically involve multiple entities, including automotive manufacturers, cloud service providers, infrastructure operators, and end users, creating a highly distributed and heterogeneous ecosystem. As the number and complexity of these interconnected services grow, IoV faces significant challenges related to secure, efficient, and privacy-preserving authentication.
[0004] A key challenge in IoV is achieving secure, reliable, and interoperable authentication across multiple domains. The heterogeneity of services and participating entities in the IoV ecosystem results in a fragmented authentication framework, where users and vehicular devices are frequently required to authenticate multiple times across independent service platforms using distinct identities and credentials. This redundancy not only impairs user experience but also increases exposure to cyber threats such as identity spoofing, credential compromise, session hijacking, and unauthorized access, which are prevalent due to weak or inconsistent authentication mechanisms.
[0005] To address these limitations, single sign-on (SSO) mechanisms allow users to authenticate once and gain access to multiple services within a single domain. Although SSO improves usability and reduces credential overhead, it remains limited in scope, lacking support for cross-domain authentication, a core requirement in the heterogeneous and distributed IoV ecosystem. Moreover, SSO typically relies on conventional Public Key Infrastructure (PKI), which introduces operational complexity related to certificate issuance and validation, thus affecting scalability and flexibility in dynamic vehicular environments.
[0006] To support secure identity verification across diverse domains, federated authentication frameworks have emerged to enable cross-domain authentication through trusted identity providers while improving privacy and interoperability. However, conventional federated systems are still reliant on PKI, which introduces trust bottlenecks and operational complexity, especially detrimental in the dynamic and latency-sensitive context of IoV.
[0007] To address these limitations, we propose a first certificateless federated authentication scheme for the IoV, which integrates the advantages of CL-PKC into a federated identity management framework. traditional digital certificates and facilitates seamless cross-domain authentication among multiple service providers without requiring users or vehicles to manage separate credentials for each domain while maintaining essential security properties such as identity binding, non-repudiation, and resistance to impersonation attacks. By removing the overhead associated with certificate issuance and validation, the scheme enables lightweight, scalable, and privacy-preserving authentication suitable for dynamic and heterogeneous IoV environments.
OBJECTS OF THE INVENTION:
[0008] Some of the objects of the present disclosure, which at least one embodiment herein satisfies, are as follows.
[0009] The principal object of the present invention is to overcome the disadvantages of the prior art by providing the Title.
[0010] An object of the present invention is to propose a first certificateless federated authentication scheme without using secure channel for the IoV, which integrates the advantages of CL-PKC into a federated identity management framework.
[0011] Another object of the present invention is to provide the Title, wherein traditional digital certificates and facilitates seamless cross-domain authentication among multiple service providers without requiring users or vehicles to manage separate credentials for each domain while maintaining essential security properties such as identity binding, non-repudiation, and resistance to impersonation attacks.
[0012] Another object of the present invention is to provide the Title, wherein by removing the overhead associated with certificate issuance and validation, the scheme enables lightweight, scalable, and privacy-preserving authentication suitable for dynamic and heterogeneous IoV environments.
[0013] Other objects and advantages of the present disclosure will be more apparent from the following description, which is not intended to limit the scope of the present disclosure.
SUMMARY OF THE INVENTION:
[0014] The increasing connectivity in the IoV necessitates secure and efficient authentication methods to ensure reliable communication among vehicles and service providers. Federated authentication and single sign-on techniques are commonly employed to facilitate user verification across multiple domains. However, these approaches rely on centralized entities and involve complex certificate management, rendering them vulnerable to key escrow problems, scalability challenges, and attacks such as impersonation, replay, and ESL. Furthermore, they introduce substantial computational and communication overhead, making them unsuitable for delay-sensitive vehicular environments. To overcome these limitations, this paper proposes the first certificateless federated authentication and key agreement without using the secure channel scheme (CLFAKA) for cross-domain IoV environments. The scheme is designed to enable efficient mutual authentication between vehicles and service providers without requiring the TA during real-time communication. The security of CLFAKA is formally proven under the RoR model, demonstrating its resistance to cryptographic attacks such as impersonation, replay, and man-in-the-middle. Additionally, the protocol is validated using the AVISPA tool, confirming its robustness against adversaries. Informally, CLFAKA guarantees critical security properties, including ESL resistance, KCI resistance, anonymity and unlinkability, as well as perfect forward and backward secrecy and replay protection. Performance evaluation results show that the proposed scheme significantly reduces execution time, communication cost, and memory overhead compared to existing federated authentication protocols, making it a practical and scalable solution for secure deployment in real-world IoV ecosystems.
[0015] In this paper, we proposed CLFAKA, a certificateless federated authentication and key agreement scheme without using the secure channel for secure and efficient cross-domain communication in the IoV. Unlike traditional federated or SSO-based authentication models, our scheme does not depend on a secure channel and eliminates the need for real-time interaction with the TA during the authentication phase. This design not only improves scalability but also enhances resilience by removing the single point of failure while authenticating and generating session keys. CLFAKA ensures vehicle anonymity and unlinkability, making it highly suitable for privacy-preserving vehicular communications. Through formal security analysis under the RoR model, the scheme is proven to be secure against various attacks, including impersonation, replay, man-in-the-middle, and KCI. The AVISPA tool further validates its robustness against both replay and man-in-the-middle attacks, confirming its real-world security posture. The scheme supports a set of informal security properties, including ESL resistance, forward and backward secrecy, and anonymity, all without sacrificing performance. By avoiding expensive certificate management and adopting lightweight elliptic curve operations, the proposed scheme significantly reduces execution time, communication cost, and memory overhead compared to existing federated authentication protocols. Experimental evaluations demonstrate that CLFAKA achieves practical efficiency for resource-constrained vehicular environments, while maintaining strong security guarantees. Overall, the proposed scheme strikes an effective balance between privacy, scalability, and performance, making it a viable solution for secure and privacy-preserving federated authentication in real-world IoV deployments.
BRIEF DESCRIPTION OF DRAWINGS:
[0016] Reference will be made to embodiments of the invention, examples of which may be illustrated in accompanying figures. These figures are intended to be illustrative, not limiting. Although the invention is generally described in the context of these embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments.
[0017] Fig. 1: Network Model for Federated Authentication in IoV;
[0018] Fig. 2: CLFAKA scheme architecture and data flow;
[0019] Fig. 3: Registration processes of the proposed scheme;
[0020] Fig. 4: Authentication and key agreement processes of the proposed scheme;
[0021] Fig. 5: HLPSL specifications for the CLFAKA components;
[0022] Fig. 6: Session, Goal and Environment Role;
[0023] Fig. 7: Registration cost comparison across different federated authentication schemes;
[0024] Fig. 8: Execution time comparison across different federated authentication schemes;
[0025] Fig. 9: Overall execution time of different federated authentication schemes versus the number of messages exchanged;
[0026] Fig. 10: Communication cost comparison across different federated authentication schemes;
[0027] Fig. 11: Communication cost comparison versus number of messages across different federated authentication schemes; and
[0028] Fig. 12: Memory Overhead vs Number of Messages for various federated authentication schemes.
DETAILED DESCRIPTION OF DRAWINGS:
[0029] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0030] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one" and the word "plurality" means "one or more" unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0031] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase “comprising”, it is understood that we also contemplate the same composition, element, or group of elements with transitional phrases “consisting of”, “consisting”, “selected from the group consisting of”, “including”, or “is” preceding the recitation of the composition, element or group of elements and vice versa.
[0032] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0033] The present invention relates to a certificateless federated authentication and key agreement mechanism (CLFAKA) specifically designed for secure and efficient communication in the Internet of Vehicles (IoV). The IoV ecosystem is composed of vehicles equipped with onboard units (OBUs), roadside units (RSUs), service providers (SPs), and a trusted authority (TA) acting as the federated identity provider. Conventional federated authentication mechanisms rely on Public Key Infrastructure (PKI) and digital certificates, which introduce certificate management complexity, scalability issues, and significant communication and computation overhead. These limitations render traditional approaches unsuitable for highly dynamic and delay-sensitive vehicular environments. To overcome these challenges, the invention introduces a certificateless framework that eliminates the reliance on certificates and ensures lightweight, scalable, and privacy-preserving cross-domain authentication.
[0034] In the proposed system, the TA initializes the network by generating elliptic curve parameters, cryptographic hash functions, and master public keys, which are shared with all entities. Each vehicle and service provider undergoes a registration phase in which the TA issues only a partial secret key and a corresponding partial public key. The complete secret key is generated by the entity itself by combining the partial secret with its own private randomness, ensuring that the TA cannot reconstruct the full secret, thereby eliminating the key escrow problem. Vehicles further achieve anonymity and unlinkability by dynamically generating pseudonymous public keys using ephemeral secrets. These pseudonymous keys are updated periodically to prevent long-term identity exposure and tracking within the IoV ecosystem.
[0035] During the authentication and key agreement phase, a vehicle initiates authentication with a service provider by transmitting an encrypted request that conceals its actual identity. The service provider verifies the message integrity and authenticity using elliptic curve cryptographic computations and secure hash functions. Both the vehicle and the service provider independently compute a shared session key using ephemeral and long-term secret contributions. This session key is used to establish secure communication between the parties. Importantly, mutual authentication and session key agreement are achieved without requiring real-time involvement of the TA, which reduces dependency on centralized entities and eliminates single points of failure. The scheme ensures that the session key is indistinguishable from random under the Real-or-Random (RoR) model, thereby providing strong theoretical security guarantees.
[0036] The invention incorporates robust security protections against a wide range of threats. By construction, it prevents impersonation of vehicles, service providers, or the trusted authority because no single entity, including the TA, possesses complete private keys. The scheme ensures resistance to replay attacks through the use of timestamps and message freshness verification, while key compromise impersonation (KCI) resistance is achieved since the compromise of one entity’s private key does not allow adversaries to impersonate other parties. Furthermore, the invention is secure against ephemeral secret leakage (ESL) attacks, as the session key derivation requires both long-term and ephemeral secrets. It also guarantees forward secrecy and backward secrecy, such that compromise of present session keys does not compromise past or future session communications.
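The registration and key agreement steps of [0034] to [0036], sketched as an added example; it is not the applicants' code and not the CLFAKA equations, which this page does not give. It assumes a generic pairing-free certificateless construction (a Schnorr-style partial key on secp256k1 and a hash over four Diffie-Hellman values); the entity names, `MAX_SKEW` and the timestamps are constructed, and pseudonym updates are not modelled.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N and G are its order and base point
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAX_SKEW = 5  # assumed freshness window, in seconds

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):
    """Hash public values to a scalar mod N."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def rand():
    return secrets.randbelow(N - 1) + 1

class TA:
    def __init__(self):
        self.s = rand()                  # master secret
        self.P_pub = mul(self.s, G)      # master public key
    def issue(self, ident, X):
        """Partial key: R = r*G, d = r + s*H(ident, R, X) mod N."""
        r = rand()
        R = mul(r, G)
        return R, (r + self.s * H(ident, R, X)) % N

def implicit_pub(ident, X, R, P_pub):
    """Y = X + R + H(ident, R, X)*P_pub, computed from public values only."""
    return add(X, add(R, mul(H(ident, R, X), P_pub)))

class Entity:
    def __init__(self, ident, ta):
        self.id, self.x = ident, rand()  # x never leaves the entity
        self.X = mul(self.x, G)
        self.R, d = ta.issue(ident, self.X)
        # Verify the partial key before use: X + d*G must equal Y.
        if add(self.X, mul(d, G)) != implicit_pub(ident, self.X, self.R, ta.P_pub):
            raise ValueError("invalid partial key")
        self.y = (self.x + d) % N        # full secret; the TA knows d but not x
        self.pub = (ident, self.X, self.R)

def derive(me, eph, peer_pub, peer_eph, P_pub, transcript, initiator):
    """Hash four DH values; ephemerals alone or long-term keys alone do not suffice."""
    Y = implicit_pub(*peer_pub, P_pub)
    z1, z2 = mul(eph, Y), mul(me.y, peer_eph)
    if not initiator:
        z1, z2 = z2, z1
    z = (z1, z2, mul(eph, peer_eph), mul(me.y, Y), transcript)
    return hashlib.sha256(repr(z).encode()).digest()

def handshake(vehicle, sp, P_pub, sent_at, received_at):
    """Vehicle -> SP: (A, T); SP -> vehicle: B. The TA takes no part."""
    a, b = rand(), rand()                          # ephemeral secrets
    A, B = mul(a, G), mul(b, G)
    if abs(received_at - sent_at) > MAX_SKEW:      # SP-side freshness check on T
        raise ValueError("stale request")
    t = (vehicle.id, sp.id, A, B, sent_at)         # T is bound into the key
    return (derive(vehicle, a, sp.pub, B, P_pub, t, True),
            derive(sp, b, vehicle.pub, A, P_pub, t, False))
```

With `ta = TA()`, calling `handshake(Entity("vehicle-1", ta), Entity("sp-1", ta), ta.P_pub, 1000, 1002)` returns two equal 32-byte keys, while a `received_at` more than `MAX_SKEW` seconds from `sent_at` raises `ValueError`.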
[0037] To validate security, the scheme has been formally analyzed under the RoR model based on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Computational Diffie–Hellman Problem (CDHP). Additionally, the protocol has been simulated using the AVISPA tool under the Dolev–Yao adversarial model, confirming that the scheme is “SAFE” against man-in-the-middle and replay attacks. These validations demonstrate both formal and practical security guarantees.
[0038] The invention further addresses performance limitations of existing approaches. By employing lightweight elliptic curve operations rather than bilinear pairings or modular exponentiations, the scheme achieves significantly reduced computation cost, communication overhead, and memory requirements. Vehicles require minimal storage for pseudonyms, partial keys, and session tokens, making the scheme practical for resource-constrained OBUs. Comparative simulation results show that the proposed scheme achieves lower execution time for mutual authentication and session key generation than prior federated authentication protocols, with overall latency of approximately 10.64 ms compared to over 40–70 ms in competing approaches. Communication overhead is also minimized, with total cost reduced to nearly half of existing schemes, and memory usage is optimized to as low as 60 bytes on the vehicle side, making it suitable for large-scale deployment in real-world IoV environments.
[0039] Overall, the present invention provides a lightweight, privacy-preserving, and scalable authentication solution for IoV, enabling vehicles to seamlessly access multiple cross-domain services with a single credential while ensuring security against advanced adversarial attacks. It eliminates reliance on digital certificates, prevents key escrow, supports anonymity, and achieves formal security validation while maintaining operational efficiency. The proposed certificateless federated authentication and key agreement scheme strikes an effective balance between security, privacy, scalability, and performance, making it highly suitable for deployment in intelligent transportation systems and heterogeneous vehicular networks.
[0040] The disclosure has been described with reference to the accompanying embodiments herein and the various features and advantageous details thereof are explained with reference to the non-limiting embodiments in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein.
[0041] The foregoing description of the specific embodiments so fully revealed the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the scope of the embodiments as described herein.
Claims:
We Claim:
1) A certificateless federated authentication and key agreement method for Internet of Vehicles (IoV), the method comprising:
- initializing public system parameters by a trusted authority (TA);
- registering a vehicle and a service provider (SP) with the TA by generating partial secret keys and corresponding public keys;
- combining the partial secret keys with entity-generated private randomness to form complete secret keys, thereby preventing key escrow by the TA;
- enabling a vehicle to generate pseudonymous public keys using ephemeral keys for anonymity;
- performing mutual authentication between the vehicle and SP without real-time TA involvement; and
- establishing a session key for secure communication using elliptic curve-based operations.
2) The method of claim 1, wherein the vehicle achieves anonymity and unlinkability by dynamically updating its public key using ephemeral randomness for each authentication session.
3) The method of claim 1, wherein the mutual authentication between the vehicle and SP is achieved by exchange of cryptographic messages validated through hash functions and elliptic curve operations, ensuring resistance to replay, impersonation, and man-in-the-middle attacks.
4) The method of claim 1, wherein the session key generated is indistinguishable from random under the Real-or-Random (RoR) model and provides forward and backward secrecy.
5) The method of claim 1, wherein the TA provides only partial secret keys such that the complete private keys of entities cannot be reconstructed by the TA, thereby eliminating the key escrow problem.
6) The method of claim 1, wherein the scheme supports TA-independent key updates, allowing a vehicle or SP to update its secret key by refreshing its private randomness without re-registration.
7) The method of claim 1, wherein security is validated by formal analysis under the RoR model and simulation under the AVISPA tool, confirming robustness against active and passive adversaries.
8) The method of claim 1, wherein the authentication and key agreement are performed using lightweight elliptic curve cryptography (ECC) operations without bilinear pairings or certificate management.
9) The method of claim 1, wherein the scheme provides reduced communication, memory, and computational overhead compared to existing federated authentication protocols, thereby being suitable for latency-sensitive IoV environments.
10) A system implementing the method of claim 1, wherein the system comprises:
- a trusted authority configured to issue partial secret keys and public parameters;
- an onboard unit (OBU) in a vehicle configured to generate full secret keys, update pseudonymous keys, and initiate authentication; and
- a service provider device configured to authenticate vehicles and establish session keys, wherein secure communication is enabled across multiple IoV domains without requiring certificate-based public key infrastructure.

Documents

Application Documents

# Name Date
1 202511095391-STATEMENT OF UNDERTAKING (FORM 3) [04-10-2025(online)].pdf 2025-10-04
2 202511095391-REQUEST FOR EARLY PUBLICATION(FORM-9) [04-10-2025(online)].pdf 2025-10-04
3 202511095391-PROOF OF RIGHT [04-10-2025(online)].pdf 2025-10-04
4 202511095391-POWER OF AUTHORITY [04-10-2025(online)].pdf 2025-10-04
5 202511095391-FORM-9 [04-10-2025(online)].pdf 2025-10-04
6 202511095391-FORM 1 [04-10-2025(online)].pdf 2025-10-04
7 202511095391-DRAWINGS [04-10-2025(online)].pdf 2025-10-04
8 202511095391-DECLARATION OF INVENTORSHIP (FORM 5) [04-10-2025(online)].pdf 2025-10-04
9 202511095391-COMPLETE SPECIFICATION [04-10-2025(online)].pdf 2025-10-04
10 202511095391-FORM 18A [19-11-2025(online)].pdf 2025-11-19