Provably Secure Mutual Authentication and Key Agreement Scheme Using PUF in Internet of Drones Deployments

Abstract

Internet of Drones (IoD), designed to coordinate the access of unmanned aerial vehicles (UAVs), is a specific application of the Internet of Things (IoT). Drones are used to control airspace and offer services such as rescue, traffic surveillance, environmental monitoring, delivery and so on. However, IoD continues to suffer from privacy and security issues. Firstly, messages are transmitted over public channels in IoD environments, which compromises data security. Further, sensitive data can also be extracted from stolen mobile devices of remote users. Moreover, drones are susceptible to physical capture and manipulation by adversaries, which are called drone capture attacks. Thus, the development of a secure and lightweight authentication scheme is essential to overcoming these security vulnerabilities, even on resource-constrained drones. In 2021, Akram et al. proposed a secure and lightweight user–drone authentication scheme for drone networks. However, we discovered that Akram et al.’s scheme is susceptible to user and drone impersonation, verification table leakage, and denial of service (DoS) attacks. Furthermore, their scheme cannot provide perfect forward secrecy. To overcome the aforementioned security vulnerabilities, we propose a secure mutual authentication and key agreement scheme between user and drone pairs. The proposed scheme utilizes physical unclonable function (PUF) to give drones uniqueness and resistance against drone stolen attacks. Moreover, the proposed scheme uses a fuzzy extractor to utilize the biometrics of users as secret parameters. We analyze the security of the proposed scheme using informal security analysis, Burrows–Abadi–Needham (BAN) logic, a Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. We also compared the security features and performance of the proposed scheme and the existing related schemes. Therefore, we demonstrate that the proposed scheme is suitable for IoD environments that can provide users with secure and convenient wireless communications.

1. Introduction

Internet of Drones (IoD) [1], which is often referred to as an unmanned aerial vehicles (UAVs) network, is a layered network control architecture designed to coordinate the access of drones. Drones in IoD environments can perform various flight tasks by embedding various sensors, actuators, recorders, batteries, computations, and communication modules. Figure 1 shows the basic structure of a drone in IoD environments. With these modules, drones are used to control the airspace and offer services such as rescue, healthcare, traffic surveillance, environmental monitoring, delivery, and search to users [2]. The IoD architecture generally comprises remote users, a control server, and drones. Remote users query the information of drones to receive useful services. The control server is centrally located in the wireless communication flow, mediating and providing a seamless data exchange process between remote users and drones. Drones, located in their own flying zone, collect surrounding environment information and send it to users through the control center.

Although IoD environments offer useful services to users, they can suffer from several privacy and security issues [3]. Firstly, IoD environments can be vulnerable to various security attacks, such as eavesdropping, deleting, and intercepting, because all messages are transmitted via a public channel. Moreover, the mobile devices of remote users can be stolen/lost, and the sensitive stored data of these devices can threaten the whole IoD environment. Additionally, drones can be physically captured by malicious adversaries who can try to impersonate them using secret information extracted from drones using power analysis attacks. Finally, drones in IoD environments are designed to use restricted power, computation, and storage sources because the entire energy source is preferentially devoted to flying tasks. Thus, a secure and lightweight authentication scheme is necessary, considering the above security vulnerabilities and specific features of IoD environments.

In 2021, Akram et al. [4] proposed a user–drone access scheme designed to be secure and lightweight for drone networks. The authors claimed that the scheme resists user, control center, and drone impersonation attacks and provides anonymity and untraceability. However, we find that Akram et al.’s scheme is vulnerable to drone impersonation, verification table leakage, and denial of service (DoS) attacks. In addition, their scheme cannot ensure perfect forward secrecy and fails to guarantee correctness. To improve these vulnerabilities, we propose a mutual authentication and key agreement (MAKA) scheme that can provide convenient services to users with high security and efficiency for IoD environments. In the proposed scheme, we utilize biometrics [5] to resist various security attacks, such as offline guessing attacks on user devices. Moreover, we apply physical unclonable function (PUF) [6] technology to prevent cloning and physical attacks of drones using power analysis attacks. Considering real-time communication in IoD environments and the limited computation resources of user devices and drones, we only utilize hash functions and exclusive-OR operators, which are reliable in terms of computation and communication overheads.

1.1. Research Contributions

• We review and perform a security analysis of Akram et al.’s scheme. Then, we propose a MAKA scheme designed to ensure high security using biometrics and PUF. Hash functions and exclusive-OR operations are used for lightweight architecture, making the proposed scheme suitable for drone networks. Moreover, a fuzzy extractor and PUF are applied in the proposed scheme to enhance the security level.
• We prove the security robustness of the proposed scheme using the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [7,8], Real-or-Random (RoR) model [9], and Burrows–Abadi–Needham (BAN) logic [10].
• We perform an informal analysis to ensure that the proposed scheme can provide security against various attacks, including offline password guessing, session key disclosure, verification table leakage, impersonation, and DoS attacks. Additionally, we show that the proposed scheme can achieve mutual authentication, perfect forward secrecy, untraceability, and anonymity.
• We evaluate and compare the security features, communication, and computation costs of the proposed scheme with existing authentication schemes, including Akram et al.’s scheme.

1.2. Organization

In Section 2, we introduce existing studies on IoD environments. We provide a system model as well as an adversary model, fuzzy extractor, and PUF used in the proposed scheme in Section 3. Then, we show Akram et al.’s scheme in Section 4. Section 5 describes security vulnerabilities discovered in Akram et al.’s scheme. The proposed scheme is introduced in Section 6. Security analyses, i.e., BAN logic, RoR model, AVISPA, are shown in Section 7, and performance analyses, i.e., security features, communication, computation costs, are shown in Section 8. In Section 9, we conclude our paper and describe future works.

2. Related Works

Since the basic concept of IoD environments was introduced by Gharibi et al. [1], various authentication schemes have been proposed over the past few years. In 2018, Wazid et al. [11] proposed an authentication scheme to provide remote users with drone services based on three-factor technology. To apply lightweight communication services, Wazid et al. utilize hash function and exclusive-OR operators. However, their scheme cannot prevent privileged insider and impersonation attacks. In 2019, Teng et al. [12] analyzed security vulnerabilities, named “attacker mode”, which can happen in IoD environments. Thus, they proposed an authentication scheme utilizing the elliptic curve digital signature algorithm (ECDSA) to verify the legitimacy of identity signatures on drones. However, Teng et al.’s scheme was designed as an authentication scheme involving two-way authentication between drones based on ECC, which incurs a large computational overhead. Srinivas et al. [13] proposed a temporal credential-based authentication for IoD networks. Srinivas et al. argued that security and efficiency are the main requirements for the IoD environment, and a lightweight authentication protocol is essential to satisfy these requirements. In their scheme, the authors claimed that it can resist various security attacks such as a stolen mobile device, replay, MITM, ephemeral secret leakage (ESL), impersonation, password and/or biometric update, and remote drone capture attacks. In 2020, Ali et al. [14] pointed out that Srinivas et al.’s scheme [13] does not provide untraceability and resists stolen verifier attacks. To overcome that, Ali et al. suggested a lightweight authentication scheme for drones using symmetric key primitives and temporal credentials. Ever [15] suggested a framework for mobile sinks used in drones using bilinear pairing and ECC, which has a large computational cost. However, Ever’s protocol cannot provide user anonymity and untraceability [16]. In 2022, Wu et al. [17] proposed a drone communication scheme for 5G networks. They argued that several existing IoD protocols have high computation overheads because of using a public key infrastructure (PKI) mechanism. Therefore, they only utilized hash functions and exclusive-OR operators. In the same year, Tanveer et al. [18] proposed an authentication mechanism for IoD environments. They used an AES-CBC-256 cipher and ECC to ensure the anonymity of users. Although the above schemes [11,12,13,14,15,17,18] provide useful services such as healthcare, rescue, and traffic surveillance, they can suffer from physical attacks because each drone cannot protect security parameters from power analysis attacks.

To strengthen the authentication process and access control of drones, various PUF-based authentication schemes have been proposed. Alladi et al. [19] proposed a two-stage authentication protocol that divided drone hierarchies for smart drone networks. In Alladi et al.’s scheme, each drone equipped with PUF communicates with a ground station through a leader drone, reducing network overhead. Thus, the authors claimed their scheme does not require the storage of secret keys in drones, protecting it from impersonation, drone tampering, and MITM attacks. In the same years, Pu et al. [20] proposed an authentication protocol for drone environments using PUF and chaotic systems. The authors used the challenge–response pair of the PUF as the seed value of the chaotic system to jumble the message randomly. In 2021, Zhang et al. [21] suggested a three-party authentication scheme for IoD environments. In Zhang et al.’s scheme, the head drone manages member drones and mediates the communication between the ground station and member drones. The entire process of their scheme only uses hash functions and XOR operations. Moreover, the authors introduced PUF systems to prevent physical capture attacks.

In 2021, Akram et al. [4] suggested a scheme for secure and efficient drone access in IoD networks. The authors demonstrated that various security attacks, e.g., user, control center, and drone impersonation attacks, can be prevented in their scheme. However, our security analysis indicates that their scheme is vulnerable to DoS, session key disclosure, stolen-verifier, and drone impersonation attacks and cannot provide perfect forward secrecy.

We summarize the cryptographic techniques and the advantages and limitations of the existing related schemes [4,11,12,13,14,15,17,18,19,20,21] in

Table 1. Cryptographic technologies and properties of the related schemes for IoD environments.

Schemes	Cryptographic Technologies	Advantages and Limitations
Wazid et al. [11]	* Hash functions * Fuzzy extractor	* Presented IoD environments and utilized biometrics information to ensure the security of remote users * Vulnerable to privileged insider and impersonation attacks
Teng et al. [12]	* ECDSA	* Defined security threats in IoD environments named “attacker mode” * Requires large computation overheads
Srinivas et al. [13]	* Hash functions * Fuzzy extractor	* Used temporal credentials for mutual authentication * Vulnerable to untraceability and stolen verifier attacks
Ali et al. [14]	* Hash functions * Fuzzy extractor * Symmetric key primitives	* Anonymous and lightweight security solution using temporal credentials and symmetric key primitives * Vulnerable to ESL, physical and cloning attacks
Ever et al. [15]	* Bilinear pairings * ECC	* Analyzed studies utilized UAVs as mobile sinks * Require high computation overheads * Cannot provide anonymity and untraceability
Wu et al. [17]	* Hash functions * Fuzzy extractor	* Proposed a drone-to-user authentication scheme for 5G networks * Vulnerable to physical attacks due to the stored parameters in UAV
Tanveer et al. [18]	* Hash functions * Fuzzy extractor * ECC * Symmetric key primitives	* Provides anonymous communication to users using AES and ECC * Vulnerable to physical attacks due to the stored parameters in UAV
Alladi et al. [19]	* PUF * Message authentication code * Symmetric key primitives	* Classified drones by layer and proposed PUF-based two-stage authentication protocol * Vulnerable to replay, insider, server spoofing, DoS attacks
Pu et al. [20]	* PUF * Chaotic system	* Used PUF and chaotic map technologies to generate random key * Vulnerable to physical attacks because of a stored challenge value in the memory of UAV
Zhang et al. [21]	* Hash functions * Fuzzy extractor * FourQ * Symmetric key primitives	* Proposed authentication scheme using FourQ and BPV pre-computation technologies * Require high computation and communication overheads * Cannot provide user anonymity
Akram et al. [4]	* Hash functions * Fuzzy extractor * Symmetric key primitives	* Provide privacy of location information to remote users and drones * Vulnerable to drone impersonation, stolen verifier, and DoS attacks, and have correctness problem

. Although previous authentication schemes can provide convenient services to users, they still have high computational and communication overhead and security drawback problems. Therefore, we propose a secure drone-access scheme to improve these security flaws considering lightweight communication characteristics of IoD environments. The proposed scheme can provide stolen mobile device and drone impersonation attacks using biometric and PUF technologies, respectively. Moreover, the proposed scheme can support efficient communications using only hash functions and exclusive-OR operators.

3. Preliminaries

We present the system model and adversary model for IoD environments. Moreover, we introduce some relevant preliminaries to understand this paper.

3.1. System Model

As shown in Figure 2, IoD environments consist of a control center, users and drones. According to the IoD environment model, various drones collect the data in their particular zones in a target field and transmit the data to the server. External users are required to connect to the server to obtain data from the deployed drones. For access, secure authentication is necessary between the user and drone via the control center. Subsequently, the user and drone pair share a session key and begin communication. The details of this process are as follows.

• Remote user ($U_m$): A remote user $U_m$ owns a mobile device to receive IoD services. To communicate with a drone $D_n$, $U_m$ must register with the control center. $U_m$ utilizes biometric technology in addition to identity and password to store sensitive information safely.
• Control center: The control center is a trusted third party with enough computation and storage capacities. Therefore, the control center perform a role as the system manager of IoD environments. Furthermore, the control center authenticates with both $U_m$ and $D_n$ information and helps $U_m$ to access the $D_n$. The control center generates secret keys for $U_m$ and $D_n$ against their identities.
• Drone ($D_n$): A drone $D_n$ collects the data in their particular flying zone and must be registered by the control center to communicate with $U_m$. Then, $D_n$ sends the data to =$U_m$ through the control center. Moreover, $D_n$ has restricted computation and storage capacities.

3.2. Adversary Model

We follow the widely used adversary model, named the “Dolev–Yao (DY) adversary model” [22,23]. Under the DY model, the entities involved in the IoD environments, i.e., $U_m$ and $D_n$, are not assumed to be trustworthy, and the communication of the channel is insecure. Therefore, an adversary $\mathcal{A}$ can modify or delete the transmitted messages and also can eavesdrop on the exchanged messages. Furthermore, drones move around in unattended hostile areas with collected sensor data. Thus, they are vulnerable to physical capture attacks [11,24], and the sensitive data stored in the drone can be extracted using the power analysis attacks.

3.3. Fuzzy Extractor

The fuzzy extractor [25] is widely accepted to verify the biometric authentication. A biometric key can be generated with a biometric template such as fingerprints, faces and irises. The fuzzy extractor is defined with the following two algorithms:

• $Gen\left(Bi{o}_m\right)=({\alpha }_m,{\beta }_m)$: It is a probabilistic algorithm to generate a secret key ${\alpha }_m$. The user inputs biometric $Bi{o}_m$, the output of this function is the secret parameter ${\alpha }_m$, and the public reproduction parameter ${\beta }_m$.
• $Rep(Bi{o}_m^{*},{\beta }_m)=\left({\alpha }_m\right)$: It is a deterministic algorithm to recreate the original ${\alpha }_m$. The function accepts a noisy user biometric $Bi{o}_m^{*}$ and controls the noise using the public reproduction parameter ${\beta }_m$. Then, this algorithm reproduces the original biometric secret key ${\alpha }_m$.

3.4. Physical Unclonable Function

PUF is a physical circuit that maps a bit-string pair called “challenge–response pair” [6]. When an input challenge value is entered into the PUF circuit, it produces a value that isan arbitrary string of bits. In this paper, we use PUF to generate secret values instead of stringing them in the memory of the drone and obtain a stable response good enough for security using fuzzy extractors. The property of PUF is as below.

• The PUF is a physical microstructure of the device.
• It is extremely difficult or impossible to clone the PUF circuit.
• An unpredictable response value must be output.
• It is possible to evaluate and implement a PUF circuit easily.

4. Revisit of Akram et al.’s Scheme

Akram et al. [4] suggested a drone-access authentication protocol for surveillance tasks in a smart city. Akram et al.’s scheme is composed of the following phases: (1) user registration; (2) drone registration; (3) authentication and key agreement (AKA) phases.

Table 2. Notations and descriptions.

Notation	Description
$I{D}_m,I{D}_n$	Identity of the user and drone
$SI{D}_c,SI{D}_m,SI{D}_n$	Pseudonym of the control center, user and drone
$Bi{o}_m$	Biometric of the user
$k_m,k_n$	Master private key of the user and drone
$s,MSK$	Secret keys of the control center
$Rep(.)$	Fuzzy biometric reproduction
$Gen(.)$	Fuzzy biometric generator
$a_1,a_2,a_3$	Random numbers
$SK$	Session key
$h(.)$	Hash function
$\left|\right|$	Concatenation operator
⊕	Exclusive-OR operator

shows the whole notation and description in their scheme.

4.1. Registration Phase

4.1.1. Remote User Registration Phase

Step 1: 

The user inputs their own $I{D}_m$, $P{W}_m$ and imprints $Bi{o}_m$. Then, $U_m$ calculates $Gen\left(Bi{o}_m\right)=({\alpha }_m,{\beta }_m)$ and sends $I{D}_m$ to the control center.

Step 2: 

The control center calculates $SI{D}_m=h(I{D}_m\left|\right|s)$, $k_m=h(SI{D}_m\left|\right|MSK)$ and generates a random number $a_m$. After that, the control center computes $MI{D}_m=En{c}_{MSK}$$\left(SI{D}_m\right|\left|{\alpha }_m\right)$ and sends $\{k_m,SI{D}_m,SI{D}_n\}$ to $U_m$.

Step 3: 

$U_m$ computes ${\gamma }_m=h(I{D}_m\left|\right|P{W}_m\left|\right|{\alpha }_m)\oplus k_m$, $SI{D}_m^u=h(I{D}_m\left|\right|P{W}_m)\oplus SI{D}_m$. Then, $U_m$ stores $\{{\gamma }_m,SI{D}_m^u,SI{D}_n\}$.

4.1.2. Drone Registration Phase

Step 1: 

$D_n$ selects $I{D}_n$ and sends it to the control center.

Step 2: 

The control center computes $SI{D}_n=h(I{D}_n\left|\right|s)$, $k_n=h(SI{D}_n\left|\right|MSK)$ and stores $\{I{D}_n,k_n,SI{D}_n\}$ in its database. Then, the control center sends $\{k_n,SI{D}_n\}$ to $D_n$.

Step 3: 

When $D_n$ receives $\{k_n,SI{D}_n\}$, $D_n$ saves them in the memory.

4.2. AKA Phase

Step 1: 

$U_m$ inputs $I{D}_m$, $P{W}_m$ and also imprints $Bi{o}_m$. Then, $U_m$ computes ${\alpha }_m$$=Rep(Bi{o}_m,$${\beta }_m)$, $SI{D}_m=SI{D}_m^u\oplus h(I{D}_m\left|\right|P{W}_m)$, $k_m={\gamma }_m\oplus h(I{D}_m\left|\right|P{W}_m\left|\right|{\alpha }_m)$. Afterward, $U_m$ generates $a_1$ and computes $A_1=h(SI{D}_m\left|\right|SI{D}_c\left|\right|k_m)\oplus a_1$, $A_2=h(SI{D}_m\left|\right|SI{D}_c\left|\right|k_m\left|\right|$$a_1)\oplus SI{D}_n$ and $A_3=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|k_m\left|\right|a_1)$. Finally, $U_m$ sends $\{MI{D}_m,$$A_1,A_2,A_3\}$ to the control center.

Step 2: 

The control center retrieves $(SI{D}_m\left|\right|{\alpha }_m)=De{c}_{MSK}\left(MI{D}_m\right)$. Then, the control center computes $k_m=h(SI{D}_m\left|\right|$$MSK)$, $a_1^{*}=A_1\oplus h(SI{D}_m^{*}\left|\right|SIDc\left|\right|k_m^{*})$ and $SI{D}_n^{*}=A_2\oplus h(SI{D}_m^{*}\left|\right|SI{D}_c\left|\right|k_m^{*}\left|\right|a_1^{*})$, and verifies $k_n$ against $SI{D}_n^{*}$. Then, the control center computes $A_3^{*}=h(SI{D}_m^{*}\left|\right|SI{D}_n^{*}\left|\right|SI{D}_c\left|\right|k_m^{*}\left|\right|a_1^{*})$ and checks $A_3^{*}\stackrel{?}{=}{A}_3$. The control center generates $a_2$, $a_m^{new}$ and computes $MI{D}_m^{new}=En{c}_{MSK}(SI{D}_m\left|\right|a_m^{new})$, $A_4=h(SI{D}_n^{*}\left|\right|k_n)\oplus (a_1^{*}\left|\right|a_2\left|\right|MI{D}_m^{new})$, $A_5=h(SI{D}_n^{*}\left|\right|SI{D}_c\left|\right|k_n\left|\right|a_1^{*})\oplus SI{D}_m^{*}$ and $A_6=h(SI{D}_m^{*}\left|\right|SI{D}_n^{*}\left|\right|SI{D}_c\left|\right|k_n\left|\right|a_1^{*}\left|\right|a_2)$. Finally, the control center sends $\{A_4,A_5$, $A_6\}$ to the drone $D_n$.

Step 3: 

$D_n$ computes $(a_1^{**}\left|\right|a_2^{*}\left|\right|MI{D}_m^{new})=A_4\oplus h(SI{D}_n\left|\right|k_n)$, $SI{D}_m^{**}=A_5\oplus h(SI{D}_n\left|\right|SI{D}_c$$\left|\right|k_n\left|\right|a_1^{**})$ and $A_6^{*}=h(SI{D}_M^{**}\left|\right|SI{D}_n\left|\right|$$SI{D}_c\left|\right|k_n\left|\right|a_1^{**}\left|\right|a_2^{*})$. Then, $D_n$ checks $A_6^{*}\stackrel{?}{=}{A}_6$ and generates $a_3$. After that, $D_n$ computes $A_7=h(SI{D}_n\left|\right|SI{D}_m^{**}\left|\right|a_1^{**})\oplus (a_2\left|\right|a_3^{*}$$\left|\right|MI{D}_m^{new})$, $A_8=h(a_1^{**}\left|\right|a_2\left|\right|a_3^{*})$, $S{K}_{nm}=h(SI{D}_m^{**}\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|A_8)$ and $A_9=h(SI{D}_m^{**}\left|\right|SI{D}_n\left|\right|$$SI{D}_c\left|\right|a_2\left|\right|a_3^{*}\left|\right|A_8)$. Finally, $D_n$ sends $\{A_7$, $A_9\}$ to $U_m$.

Step 4: 

The $U_m$ computes $\left(a_2^{*}\right||$$a_3^{**}\left|\right|MI{D}_m^{new})=A_7\oplus h(SI{D}_n\left|\right|SI{D}_m\left|\right|a_1)$, $A_8^{*}=h(a_1\left|\right|a_2^{*}$$\left|\right|a_3^{**})$ and $A_9^{*}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|$$a_2^{*}\left|\right|a_3^{**}\left|\right|A_8^{*})$. Then, it validates $A_9^{*}\stackrel{?}{=}{A}_9$ and computes $S{K}_{nm}=h(SI{D}_m^{**}\left|\right|SI{D}_n\left|\right|$$SI{D}_c\left|\right|A_8^{*})$.

5. Cryptanalysis of Akram et al.’s Scheme

According to Section 3.2, an adversary $\mathcal{A}$ can obtain a $\{{\gamma }_m,SI{D}_m^u,$$SI{D}_n\}$ from legitimate user’s mobile device. Moreover, $\mathcal{A}$ can obtain $\{k_n,SI{D}_n\}$ from a captured drone using a power analysis attack. With this information, various security attacks, i.e., session key disclosure, drone impersonation, stolen-verifier, DoS attacks, and perfect forward secrecy, can be executed by $\mathcal{A}$. The details are shown below.

5.1. Session Key Disclosure Attack

For $\mathcal{A}$ to generate a session key $S{K}_{nm}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|A_8)$, $\mathcal{A}$ has to obtain $SI{D}_m,SI{D}_n$ and $A_8=h(a_1\left|\right|a_2\left|\right|a_3)$. The procedures are as follows.

Step 1: 

$\mathcal{A}$ computes $(a_1\left|\right|a_2\left|\right|MI{D}_m^{new})=A_4\oplus h(SI{D}_n\left|\right|$$k_n)$, $SI{D}_m=A_5\oplus h(SI{D}_n\left|\right|$$SI{D}_c\left|\right|k_n\left|\right|a_1)$, and $(a_2\left|\right|a_3\left|\right|MI{D}_m^{new})=A_7\oplus h(SI{D}_n\left|\right|SI{D}_m\left|\right|a_1)$.

Step 2: 

$\mathcal{A}$ calculates $S{K}_{nm}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|A_8)$.

Thus, Akram et al.’s scheme is insecure against session key disclosure attacks.

5.2. Drone Impersonation Attack

In this attack, we assume that $\mathcal{A}$ can capture drones $D_n$ physically and obtain the value $\{SI{D}_n,k_n\}$ stored in the memory of $D_n$. In order to be able to forward message $\{A_7,A_9\}$ on behalf of legal $D_n$, then $\mathcal{A}$ has to calculate the value of $A_7=h(SI{D}_n\left|\right|SI{D}_m\left|\right|a_1)\oplus (a_2\left|\right|a_3\left|\right|MI{D}_m^{new})$, $A_9=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|a_2\left|\right|a_3\left|\right|A_8).$$\mathcal{A}$ can compute the $A_7$ and $A_9$ through the following below:

Step 1: 

The adversary $\mathcal{A}$ first intercepts $\{A_4,A_5,A_6\}$ transmitted by the public channel.

Step 2: 

$\mathcal{A}$ can obtain $a_1,a_2$, $MI{D}_m^{new}$ by computing $(a_1\left|\right|a_2\left|\right|MI{D}_m^{new})=A_4\oplus h(SI{D}_n\left|\right|k_n)$.

Step 3: 

$\mathcal{A}$ can compute $SI{D}_m$ through $SI{D}_m=A_5\oplus h(SI{D}_n\left|\right|SI{D}_c\left|\right|k_n\left|\right|a_1)$.

Step 4: 

$\mathcal{A}$ generates random $a_3^{*}$ and computes $A_8^{*}=h(a_1\left|\right|a_2\left|\right|a_3^{*})$.

Step 5: 

$\mathcal{A}$ can successfully compute $A_7^{*}=h(SI{D}_n\left|\right|SI{D}_m\left|\right|$$a_1)\oplus (a_2\left|\right|a_3^{*}\left|\right|MI{D}_m^{new})$, $A_9^{*}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|$$a_2\left|\right|a_3^{*}\left|\right|A_8^{*})$.

Therefore, Akram et al.’s scheme cannot resist drone impersonation attacks.

5.3. Stolen-Verifier Attack

When $\mathcal{A}$ obtains the table information $\{k_n,SI{D}_n\}$ of the control center, $\mathcal{A}$ can calculate $S{K}_{nm}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|A_8)$. The steps are the same as Section 5.1. Therefore, Akram et al.’s scheme is vulnerable to stolen-verifier attacks.

5.4. Perfect Forward Secrecy

Let us suppose that the control center’s long-term secret key MSK is compromised by the adversary $\mathcal{A}$, and $\mathcal{A}$ has captured all the previously transmitted messages $MI{D}_m,A_1,A_2$ and $A_4$ through the public channel. $\mathcal{A}$ can retrieve $SI{D}_m$ through $(SI{D}_m\left|\right|a_m)=De{c}_{MSK}$$\left(MI{D}_m\right)$, compute $k_m=h(SI{D}_m\left|\right|MSK)$, $a_1=A_1\oplus h(SI{D}_m\left|\right|SI{D}_c\left|\right|k_m)$, $SI{D}_n=A_2\oplus h(SI{D}_m\left|\right|SI{D}_c\left|\right|k_m\left|\right|a_1)$, and $k_n=h(SI{D}_n\left|\right|MSK)$. Furthermore, $\mathcal{A}$ can retrieve $a_1$ and $a_2$ through $(a_1\left|\right|a_2\left|\right|MI{D}_m^{new})=A_4\oplus h(SI{D}_n\left|\right|k_n)$ and compute $A_8=h(a_1\left|\right|a_2\left|\right|a_3)$. Finally, $\mathcal{A}$ computes the session key $S{K}_{nm}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|A_8)$. Thus, Akram et al.’s scheme does not provide perfect forward secrecy.

5.5. DoS Attack

In the AKA phase, the login process is not executed normally in the remote user ($U_m$) side. Afterward, the inputs $I{D}_m$, $P{W}_m$, and $Bi{o}_m$, $U_m$ compute ${\alpha }_m$, $SI{D}_m$, and $k_m$. Then, $U_m$ immediately generates a random nonce and computes an authentication request message $\{MI{D}_m,A_1,A_3\}$. Therefore, the adversary $\mathcal{A}$ can send unlimited amounts of login authentication request messages to the control center if $\mathcal{A}$ obtains a stolen/lost mobile device of $U_m$ and inputs a randomly selected identity, password, and biometrics. These messages can threaten the load on the control center. Thus, Akram et al.’s scheme is vulnerable to DoS attacks.

5.6. Correctness

In the user registration phase, the control center calculates the value of $MI{D}_m$. After that, the $MI{D}_m$ is not transmitted to $U_m$, and $U_m$ cannot compute it because the $MI{D}_m$ is masked with MSK, which is the control center’s secret key. However, in the AKA phase, $U_m$ sends the $MI{D}_m$ to the control center as the first transmitted message. Thus, Akram et al.’s scheme has a correctness problem.

6. Proposed Scheme

The proposed scheme consists of the following phases: (1) initialization; (2) user registration; (3) drone registration; (4) MAKA. We show the flowchart of the proposed scheme in Figure 3. The proposed scheme is lightweight as it uses only the cryptographic one-way hash function and exclusive-OR operations, apart from the fuzzy extractor and PUF technique that is needed for verification at the user side and drone side, respectively.

6.1. Initialization Phase

This phase describes that the control center selects an identity and a challenge for the drone $D_n$ before the registration phase. Detailed steps are illustrated in Figure 4. Additionally, this phase is performed via a secure channel.

Step 1: 

The control center selects an identity $I{D}_n$ and a challenge $C{H}_n$ and sends $\{I{D}_n,C{H}_n\}$ to the drone $D_n$.

Step 2: 

The drone stores $\{I{D}_n,C{H}_n\}$ in the memory.

6.2. Drone Registration Phase

In this phase, a drone $D_n$ is registered at the control center to its deployment in the IoD environments through a secure channel. Detailed steps are illustrated in Figure 5.

Step 1: 

The drone $D_n$ retrieves the challenge $C{H}_n$ stored in the memory and computes $R{E}_n=PUF\left(C{H}_n\right)$, and $Gen\left(R{E}_n\right)=({\alpha }_n,{\beta }_n)$. After that, the $D_n$ sends $\{I{D}_n,C{H}_n\}$ to the control center.

Step 2: 

The control center generates a random number $a_n$ and computes $SI{D}_n=h(I{D}_n\left|\right|s)$, $k_n=h(SI{D}_n\left|\right|s\left|\right|a_n)$, and saves $\{I{D}_n,SI{D}_n,a_n,C{H}_n\}$ in the database. Then, the control center sends $\{SI{D}_n,k_n\}$ to the $D_n$.

Step 3: 

Finally, the $D_n$ deletes the $C{H}_n$ and computes ${\gamma }_n=h(I{D}_n\left|\right|{\alpha }_n)\oplus k_n$, $SI{D}_n^D=h(I{D}_n\left|\right|{\alpha }_n\left|\right|k_n)\oplus SI{D}_n$, and stores $\left\{{\gamma }_n\right\}$ in its memory.

6.3. User Registration Phase

In the user registration phase, a remote user $U_m$ has to register at the control center to access the real-time information from an accessed drone $D_n$ in IoD environments. This procure performs via a secure channel with the following steps. Figure 6 shows the details.

Step 1: 

The user $U_m$ selects an identity $I{D}_m$, a password $P{W}_m$, and a biometric template $Bi{o}_m$. After that, the mobile device calculates $Gen\left(Bi{o}_m\right)=({\alpha }_m,{\beta }_m)$. The $U_m$ sends $\left\{I{D}_m\right\}$ to the control center.

Step 2: 

The control center generates random number $a_m$ and computes $SI{D}_m=h(I{D}_m$$\left|\right|s)$, $k_m=h(SI{D}_m\left|\right|s\left|\right|a_m)$, $SI{D}_m^{*}=SI{D}_m\oplus h\left(s\right||a_m)$ and $MI{D}_m=h(SI{D}_m\left|\right|a_m)$. Then, the control center stores $\{MI{D}_m,SI{D}_m^{*},a_m\}$ in the database, and sends $\{k_m,SI{D}_m$, $SI{D}_n,MI{D}_m\}$ to the $U_m$.

Step 3: 

The $U_m$ computes ${\gamma }_m=h(I{D}_m\left|\right|P{W}_m\left|\right|{\alpha }_m)\oplus k_m$, ${\delta }_m=h({\alpha }_m\left|\right|k_m\left|\right|SI{D}_m)$, $SI{D}_m^u$$=h(I{D}_m\left|\right|P{W}_m)\oplus SI{D}_m$, and $SI{D}_n^u=h(P{W}_m\left|\right|{\alpha }_m)\oplus SI{D}_n$, and stores $\{{\gamma }_m,{\delta }_m,$$SI{D}_m^u,SI{D}_n^u,MI{D}_m\}$ in the memory.

6.4. MAKA Phase

The following steps are performed among the $U_m$, the control center, and an accessed drone $D_n$ through a public channel. To establish a session key for secure communication among them, they need to perform the MAKA processes. Details are illustrated in Figure 7.

Step 1: 

The $U_m$ inputs $I{D}_m$ and $P{W}_m$, and imprints $Bi{o}_m$. After that, $U_m$ computes ${\alpha }_m=Rep(Bi{o}_m,{\beta }_m)$, $SI{D}_m=h(I{D}_m\left|\right|P{W}_m)\oplus SI{D}_m^u$, $SI{D}_n=h(P{W}_m\left|\right|{\alpha }_m)\oplus SI{D}_n^u$, $k_m=h(I{D}_m\left|\right|P{W}_m\left|\right|{\alpha }_m)\oplus {\gamma }_m$, and ${\delta }_m^{*}=h({\alpha }_m\left|\right|k_m\left|\right|SI{D}_m)$, and checks ${\delta }_m^{*}\stackrel{?}{=}{\delta }_m$. Then, the $U_m$ generates a random nonce $a_1$ and calculates $A_1=h(SI{D}_m\left|\right|SI{D}_c\left|\right|k_m)\oplus a_1$, $A_2=h(SI{D}_m\left|\right|SI{D}_c)\oplus SI{D}_n$, and $V_1=h(SI{D}_m\left|\right|SI{D}_n$$\left|\right|SI{D}_c\left|\right|k_m\left|\right|a_1)$. The $U_m$ sends $\{MI{D}_m,A_1,A_2,V_1\}$ to the control center.

Step 2: 

The control center checks whether $MI{D}_m=MI{D}_m^{old}$ or $MI{D}_m=MI{D}_m^{new}$. If $(MI{D}_m==MI{D}_m^{old})$ then, retrieves $\{SI{D}_m^{*},a_m\}$ against $MI{D}_m^{old}$, and if $(MI{D}_m==MI{D}_m^{new})$, retrieves $\{SI{D}_m^{*},a_m\}$ against $MI{D}_m^{new}$. After that, the control center computes $SI{D}_m=SI{D}_m^{*}\oplus h\left(s\right||a_m)$, $k_m=h(SI{D}_m\left|\right|s\left|\right|a_m)$, $a_1=A_1\oplus h(SI{D}_m\left|\right|SI{D}_c\left|\right|$$k_m)$, $SI{D}_n=A_2\oplus h(SI{D}_m\left|\right|SI{D}_c)$, and $V_1^{*}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|k_m\left|\right|a_1)$. If $V_1^{*}\stackrel{?}{=}{V}_1$ is correct, the control center computes $MI{D}_m^{new}=h(SI{D}_m\left|\right|a_1)$ and updates $MI{D}_m^{new}$. Then, the control center checks for $I{D}_n,a_n,C{H}_n$ against $SI{D}_n$ from its database and computes $k_n=h(SI{D}_n\left|\right|s\left|\right|a_n)$. The control center calculates $A_3=h(SI{D}_n\left|\right|k_n)\oplus (a_1\left|\right|a_2)$, $A_4=h(SI{D}_n\left|\right|k_n\left|\right|a_1)\oplus SI{D}_m$, $A_5=h(SI{D}_c\left|\right|I{D}_n)\oplus C{H}_n$, and $V_2=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c\left|\right|k_n\left|\right|a_1\left|\right|a_2)$ and sends $\{A_3,A_4,A_5,V_2\}$ to the drone.

Step 3: 

The drone $D_n$ computes $C{H}_n=A_5\oplus h(SI{D}_c\left|\right|I{D}_n)$, $R{E}_n=PUF\left(C{H}_n\right)$, ${\alpha }_n=Rep(R{E}_n,{\beta }_n)$, $k_n={\gamma }_n\oplus h(I{D}_n\left|\right|{\alpha }_n)$, $SI{D}_n=SI{D}_n^D\oplus h(I{D}_n\left|\right|{\alpha }_n\left|\right|k_n)$, $(a_1\left|\right|a_2)=A_3\oplus h(SI{D}_n\left|\right|k_n)$, $SI{D}_m=A_4\oplus h(SI{D}_n\left|\right|k_n\left|\right|a_1)$, and $V_2^{*}=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c$$\left|\right|k_n\left|\right|a_1\left|\right|a_2)$. If $V_2^{*}\stackrel{?}{=}{V}_2$ is correct, the $D_n$ generates a random nonce $a_3$, and calculates $A_6=h(SI{D}_m\left|\right|SI{D}_n\left|\right|a_1)\oplus (a_2\left|\right|a_3)$, $A_7=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c)$, $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$, and $V_3=h(A_7\left|\right|a_1\left|\right|a_3\left|\right|SK)$. Then, the $D_n$ sends $\{A_6,V_3\}$ to the $U_m$.

Step 4: 

The $U_m$ computes $(a_2\left|\right|a_3)=A_6\oplus h(SI{D}_m\left|\right|SI{D}_n$$\left|\right|a_1)$, $A_7=h(SI{D}_m\left|\right|SI{D}_n\left|\right|$$SI{D}_c)$, $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$, and $V_3^{*}=h(A_7\left|\right|a_1\left|\right|a_3\left|\right|SK)$ and checks $V_3^{*}\stackrel{?}{=}{V}_3$. Then, the $U_m$ updates $MI{D}_m^{new}$.

7. Security Analysis

To prove the security robustness of the proposed scheme, BAN logic, RoR model, and AVISPA simulation are used in this section. Using informal security analysis, we analyze the theoretical security of the proposed scheme.

7.1. BAN Logic

BAN logic [10] is a widely known formal proof used by many researchers to show mutual authentication of protocols [26,27,28]. Therefore, we apply the proposed scheme to BAN logic proof and verify mutual authentication. We introduce notations and descriptions for BAN logic in

Table 3. Basic notations in BAN logic.

Notation	Description
${\mathcal{PR}}_1,{\mathcal{PR}}_2$	Principals
$MS{G}_1,MS{G}_2$	Statements
$SK$	Session key
${\mathcal{PR}}_1|\equiv MS{G}_1$	${\mathcal{PR}}_1$ believes $MS{G}_1$
${\mathcal{PR}}_1|\sim MS{G}_1$	${\mathcal{PR}}_1$ once said $MS{G}_1$
${\mathcal{PR}}_1⤇MS{G}_1$	${\mathcal{PR}}_1$ controls $MS{G}_1$
${\mathcal{PR}}_1⊲MS{G}_1$	${\mathcal{PR}}_1$ receives $MS{G}_1$
$\#MS{G}_1$	$MS{G}_1$ is fresh
${\left(MS{G}_1\right)}_{KEY}$	$MS{G}_1$ is encrypted with $KEY$
${\mathcal{PR}}_1\stackrel{KEY}{\leftrightarrow }{\mathcal{PR}}_2$	${\mathcal{PR}}_1$ and ${\mathcal{PR}}_2$ have shared key $KEY$

.

7.1.1. Rules

In BAN logic, there are five logical rules: message meaning rule (MMR), nonce verification rule (NVR), jurisdiction rule (JR), belief rule (BR), and freshness rule (FR). Details are as follows.

1. 

MMR:

$$\frac{{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_1\stackrel{KEY}{\leftrightarrow }{\mathcal{PR}}_2,{\mathcal{PR}}_1⊲{\left(MS{G}_1\right)}_{KEY}}{{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_2|\sim MS{G}_1}$$

2. 

NVR:

$$\frac{{\mathcal{PR}}_1|\equiv \#\left(MS{G}_1\right),{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_2|\sim MS{G}_1}{{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_2|\equiv MS{G}_1}$$

3. 

JR:

$$\frac{{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_2⤇MS{G}_1,{\mathcal{PR}}_1|\equiv {\mathcal{PR}}_2|\equiv MS{G}_1}{{\mathcal{PR}}_1|\equiv MS{G}_1}$$

4. 

BR:

$$\frac{{\mathcal{PR}}_1|\equiv (MS{G}_1,MS{G}_2)}{{\mathcal{PR}}_1|\equiv MS{G}_1}$$

5. 

FR:

$$\frac{{\mathcal{PR}}_1|\equiv \#\left(MS{G}_1\right)}{{\mathcal{PR}}_1|\equiv \#(MS{G}_1,MS{G}_2)}$$

7.1.2. Goals

In the proposed scheme, there are four goals for the BAN logic. Let the user, control center, and drone be $U_m$, $CC$, and $D_n$, respectively.

Goal 1: 

$D_n|\equiv D_n\stackrel{SK}{\leftrightarrow }{U}_m$

Goal 2: 

$D_n|\equiv U_m|\equiv D_n\stackrel{SK}{\leftrightarrow }{U}_m$

Goal 3: 

$U_m|\equiv D_n\stackrel{SK}{\leftrightarrow }{U}_m$

Goal 4: 

$U_m|\equiv D_n|\equiv D_n\stackrel{SK}{\leftrightarrow }{U}_m$

7.1.3. Idealized Forms

Three messages, i.e., $\{MI{D}_m,A_1,A_2,V_1\}$, $\{A_3,A_4,A_5,V_2\}$, and $\{A_6,V_3\}$, are transmitted via open channels in the proposed scheme. These messages are converted to idealized forms in BAN logic as below.

$Me{s}_1$

: $U_m\to CC:{\{a_1,SI{D}_n\}}_{SI{D}_m}$

$Me{s}_2$

: $CC\to D_n:{\{a_1,a_2,SI{D}_m\}}_{k_n}$

$Me{s}_3$

: $D_n\to U_m:{\{a_2,a_3\}}_{SI{D}_m}$

7.1.4. Assumptions

We show the assumptions using in BAN logic as follows.

$A{S}_1$:

$CC|\equiv \#(a_1)$

$A{S}_2$:

$D_n|\equiv \#(a_2)$

$A{S}_3$:

$U_m|\equiv \#\left(a_3\right)$

$A{S}_4$:

$D_n|\equiv U_m⤇(D_n\stackrel{SK}{\leftrightarrow }{U}_m)$

$A{S}_5$:

$U_m|\equiv D_n⤇(D_n\stackrel{SK}{\leftrightarrow }{U}_m)$

$A{S}_6$:

$CC|\equiv CC\stackrel{SI{D}_m}{\leftrightarrow }{U}_m$

$A{S}_7$:

$D_n|\equiv CC\stackrel{k_n}{\leftrightarrow }{D}_n$

$A{S}_8$:

$U_m|\equiv D_n\stackrel{SI{D}_m}{\leftrightarrow }{U}_m$

7.1.5. BAN Logic Proof

Step 1: 

We can obtain $R{A}_1$ from the message $Me{s}_1$.

$$R{A}_1:CC⊲{\{a_1,SI{D}_n\}}_{SI{D}_m}$$

Step 2: 

We can obtain $R{A}_2$ from the rule MMR using $R{A}_1$ and $A{S}_6$.

$$R{A}_2:CC|\equiv U_m|\sim (a_1,SI{D}_n)$$

Step 3: 

We can obtain $R{A}_3$ from the rule FR using $S_3$ and $A{S}_1$.

$$R{A}_3:CC|\equiv \#(a_1,SI{D}_n)$$

Step 4: 

We can obtain $R{A}_4$ from the rule NVR using $R{A}_2$ and $R{A}_3$.

$$R{A}_4:CC|\equiv U_m|\equiv (a_1,SI{D}_n)$$

Step 5: 

We can obtain $R{A}_5$ from the message $Me{s}_2$.

$$R{A}_5:D_n⊲{\{a_1,a_2,SI{D}_m\}}_{k_n}$$

Step 6: 

We can obtain $R{A}_6$ from the MMR using $R{A}_5$ and $A{S}_7$.

$$R{A}_6:D_n|\equiv CC|\sim (a_1,a_2,SI{D}_m)$$

Step 7: 

We can obtain $R{A}_7$ from the FR using $R{A}_6$ and $A{S}_2$.

$$R{A}_7:D_n|\equiv \#(a_1,a_2,SI{D}_m)$$

Step 8: 

We can obtain $R{A}_8$ from the NVR using $R{A}_6$ and $R{A}_7$.

$$R{A}_8:D_n|\equiv CC|\equiv (a_1,a_2,SI{D}_m)$$

Step 9: 

We can obtain $R{A}_9$ from the message $Me{s}_3$.

$$R{A}_9:U_m⊲{\{a_2,a_3\}}_{SI{D}_m}$$

Step 10: 

We can obtain $R{A}_{10}$ from the MMR using $R{A}_9$ and $A{S}_8$.

$$R{A}_{10}:U_m|\equiv D_n|\sim (a_2,a_3)$$

Step 11: 

We can obtain $R{A}_{11}$ from the NVR using $R{A}_{10}$ and $A{S}_3$.

$$S_{11}:U_m|\equiv D_n|\equiv (a_2,a_3)$$

Step 12: 

We can obtain $R{A}_{12}$ and $R{A}_{13}$ from $R{A}_8$ and $R{A}_{11}$. Therefore, $U_m$ and $D_n$ can compute the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$, where $A_7=h(SI{D}_m\left|\right|SI{D}_n\left|\right|SI{D}_c)$.

$$R{A}_{12}:D_n|\equiv U_m|\equiv (D_n\stackrel{SK}{\leftrightarrow }{U}_m)\hspace{1em}\mathbf{(Goal\; 2)}$$

$$R{A}_{13}:U_m|\equiv D_n|\equiv (D_n\stackrel{SK}{\leftrightarrow }{U}_m)\hspace{1em}\mathbf{(Goal\; 4)}$$

Step 13: 

We can obtain $R{A}_{14}$ and $R{A}_{15}$ from the jurisdiction rule using $R{A}_{12}$ and $A{S}_4$, and $R{A}_{13}$ and $A{S}_5$, respectively.

$$R{A}_{14}:D_n|\equiv \left(D_n\stackrel{SK}{\leftrightarrow }{U}_m\right)\hspace{1em}\mathbf{(Goal\; 1)}$$

$$R{A}_{15}:U_n|\equiv \left(D_n\stackrel{SK}{\leftrightarrow }{U}_m\right)\hspace{1em}\mathbf{(Goal\; 3)}$$

7.2. RoR Model

The Real-or-Random model [9] is a formal proof analysis that proves the session key security of the protocol. Thus, we establish a premise for applying the proposed scheme to the RoR model. There are participants, adversaries and queries in our scheme. Participants are the entities that communicate with each other in the proposed scheme. Therefore, participants are as follows: $PA{R}_U^i$, $PA{R}_C^j$, and $PA{R}_D^k$, where i, j, and k are the instances of user, control center, and drone, respectively. The adversary in RoR model can modify, delete, and eavesdrop the exchanged messages. With this ability, the adversary can perform various queries such as $Execute$, $CorruptDevice$, $Send$, and $Test$. We describe the details of these queries as below.

• $Execute(PA{R}_U^i,PA{R}_C^j,PA{R}_D^k)$: In this query, the adversary eavesdrop messages are transmitted via an open channel. Therefore, the adversary can obtain messages generated from $PA{R}_U^i$, $PA{R}_C^j$, and $PA{R}_D^k$. This query is a passive attack.
• $CorruptDevice\left(PA{R}_U^i\right)$: In this query, the adversary can obtain secret parameters from $PA{R}_U^i$ using a power analysis attack. Therefore, the query CorruptDevice is an active attack.
• $Send\left(PAR\right)$: In this query, the adversary can send messages to all participants $PA{R}_U^i$, $PA{R}_C^j$, and $PA{R}_D^k$. Furthermore, the adversary can obtain returned messages from these participants. Thus, this query is an active attack
• $Test\left(PAR\right)$: Before starting the game, an unbiased coin $UC$ is flipped in this query. The adversary obtains $UC=1$ when the session key is fresh. The adversary can also obtain $UC=0$ when the session key of the proposed scheme cannot guarantee freshness. If not, the adversary obtains a “null value” ⊥. To achieve a secure session key agreement, the adversary cannot discriminate between the session key and the random number.

Security Proof

Theorem 1. 

The adversary $AD$ attempts to compute the session key $SK=h\left(A_7\right|\left|a_1\right||a_2$$\left|\right|a_3)$ in polynomial time. Therefore, we define the possibility that $AD$ breaks the security of the session key as ${\mathcal{MA}}_{AD}\left(P\right)$. Moreover, we define that $HA$ and $PU$ are the range space of the function $h(.)$ and $PUF(.)$, respectively. The number of $HA$, $PU$, and $Send$ queries are $q{u}_{ha}$, $q{u}_{pu}$, and $q{u}_{se}$, respectively. We define the secret biometric bits as $B_m$. At last, we define the Zipf’s parameter [29] as $C^{\prime }$ and $s^{\prime }$.

$${\mathcal{MA}}_{AD}\left(P\right)\le \frac{q{u}_{ha}^2}{\left|HA\right|}+\frac{q{u}_{pu}^2}{\left|PU\right|}+2max\{C^{\prime }q{u}_{se}^{s^{\prime }},\frac{q{u}_{se}}{2^{B_m}}\}$$

Proof. 

The security proof in the proposed scheme is composed of five games $G{A}_n$$(n=0,1,2,3,4)$. Before starting the game, we define $A_{G{A}_n}$ as the probability that $AD$ wins the game and $AD\left[A_{G{A}_k}\right]$ as the advantage of $A_{G{A}_k}$. We follow the security proof according to [30,31,32].

$G{A}_0$:  

In $G{A}_0$, the adversary selects a random bit r. Thus, we obtain the following equation.

$${\mathcal{MA}}_{AD}\left(P\right)=|2AD\left[A_{G{A}_0}\right]-1|$$

(1)

$G{A}_1$:  

In $G{A}_1$, the adversary eavesdrops messages $\{MI{D}_m,A_1,A_2,V_1\}$, $\{A_3,A_4,A_5,$$V_2\}$, and $\{A_6,V_3\}$ using $Execute$ query. Then, the adversary performs the $Test$ query to obtain the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$. To compute $SK$, the adversary must obtain the random nonces $a_1$, $a_2$, and $a_3$. Moreover, $A_7$ is composed of $SI{D}_m$, $SI{D}_n$, and $SI{D}_c$, where $SI{D}_m$ is the secret parameter of user. Therefore, the adversary cannot calculate $SK$. Therefore, we can obtain the following equation.

$$|AD\left[A_{G{A}_1}\right]|=|AD\left[A_{G{A}_0}\right]|$$

(2)

$G{A}_2$:  

In $G{A}_2$, the adversary utilizes $Send$ and $HA$ to attack the network. However, all of the parameters are masked in a cryptographic hash function that can prevent the hash collision problem. For this reason, the adversary cannot obtain the session key $SK$. According to the birthday paradox [33], we can obtain the following inequation.

$$|AD\left[A_{G{A}_2}\right]-AD\left[A_{G{A}_1}\right]|\le \frac{q{u}_{ha}^2}{\left|HA\right|}$$

(3)

$G{A}_3$:  

Similar to $G{A}_2$, the adversary utilizes queries $Send$ and $PU$ in this game. According to Section 3.4, the PUF is extremely difficult or impossible to clone. This means the adversary has no advantage in $G{A}_3$.

$$|AD\left[A_{G{A}_3}\right]-AD\left[A_{G{A}_2}\right]|\le \frac{q{u}_{pu}^2}{\left|PU\right|}$$

(4)

$G{A}_4$:  

This game is the final game in which the adversary extracts secret parameters $\{{\gamma }_m,{\delta }_m,SI{D}_m^u,SI{D}_n^u,MI{D}_m\}$ from the device of the user using the query $CorruptDevice$. The adversary attempts to calculate $SK$ from these parameters. However, each parameter consists of a password and the biometrics of a user, and this means that the adversary must guess the password and biometrics at the same time. Since this task is computationally infeasible, the adversary cannot compute $SK$. Therefore, we can obtain the following inequation using Zipf’s law [29].

$$|AD\left[A_{G{A}_4}\right]-AD\left[A_{G{A}_2}\right]|\le max\{C^{\prime }q{u}_{se}^{s^{\prime }},\frac{q{u}_{se}}{2^{B_m}}\}$$

(5)

After the game, the adversary guesses the result bits r, and we can make the following equation.

$$AD\left[A_{G{A}_4}\right]=\frac{1}{2}$$

(6)

We can calculate and obtain Equation (7) using (1) and (2).

$$\frac{1}{2}{\mathcal{MA}}_{AD}\left(P\right)=|AD\left[A_{G{A}_0}\right]-\frac{1}{2}|=|AD\left[A_{G{A}_1}\right]-\frac{1}{2}|$$

(7)

Then, we can calculate and obtain Equation (8) from (6) and (7).

$$\frac{1}{2}{\mathcal{MA}}_{AD}\left(P\right)=|AD\left[A_{G{A}_1}\right]-AD\left[A_{G{A}_4}\right]|$$

(8)

The result (9) can be obtained using the triangular inequality.

$$\frac{1}{2}{\mathcal{MA}}_{AD}\left(P\right)=|AD\left[A_{G{A}_1}\right]-AD\left[A_{G{A}_4}\right]|$$

$$\le |AD\left[A_{G{A}_1}\right]-AD\left[A_{G{A}_3}\right]|$$

$$+|AD\left[A_{G{A}_3}\right]-AD\left[A_{G{A}_4}\right]|$$

$$\le |AD\left[A_{G{A}_1}\right]-AD\left[A_{G{A}_2}\right]|$$

$$+|AD\left[A_{G{A}_2}\right]-AD\left[A_{G{A}_3}\right]|$$

$$+|AD\left[A_{G{A}_3}\right]-AD\left[A_{G{A}_4}\right]|$$

$$\le \frac{q{u}_{ha}^2}{2\left|HA\right|}+\frac{q{u}_{pu}^2}{2\left|PU\right|}+max\{C^{\prime }q{u}_{se}^{s^{\prime }},\frac{q{u}_{se}}{2^{B_m}}\}$$

(9)

After multiplying (9) by 2, we can obtain the required result inequation.

$${\mathcal{MA}}_{AD}\left(P\right)\le \frac{q{u}_{ha}^2}{\left|HA\right|}+\frac{q{u}_{pu}^2}{\left|PU\right|}+2max\{C^{\prime }q{u}_{se}^{s^{\prime }},\frac{q{u}_{se}}{2^{B_m}}\}$$

Therefore, we can demonstrate that the proposed scheme can ensure the session key security by proving the Theorem 1. □

7.3. AVISPA Simulation

AVISPA [7,8] is a simulation tool that proves the security robustness of the proposed scheme against replay and MITM attacks. Therefore, various security protocols [23,34,35] are proved by using AVISPA. In this section, we explain the main data flow of AVISPA and show the simulation result.

Firstly, we need to write the proposed scheme as a programming language named “High-Level Protocol Specification Language (HLPSL)” in AVISPA. After writing in HLPSL code, the proposed scheme is converted to “Intermediate Format (IF)”. Then, the translator in AVISPA starts analyzing the IF through the four backends: “On-the-Fly Model Checker (OFMC)”, “Three Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP)”, “SAT-based Model Checker (SATMC)”, and “Constraint Logic-based Attack Searcher (CL-AtSe)”. Because OFMC and CL-AtSe only support an exclusive-OR operator, the proposed scheme is executed in these backends. The analyzed result is recorded and summarized in the “Output Format (OF)”. If there is a result of “SAFE” in OF, we can demonstrate that the proposed scheme can prevent replay and MITM attacks.

In AVISPA, we define roles to be suitable for the proposed scheme. Therefore, there are three roles in the proposed scheme: the user $US$, control center $CC$, and drone $DR$. Moreover, we show the session and environment roles in Figure 8.

Figure 9 shows the role of user $US$ written in HLPSL code. State 1 is the user registration phase that $US$ sends $\left\{I{D}_m\right\}$ to the $CC$ through a secure channel. After receiving return message $\{k_m,SI{D}_m,SI{D}_n,MI{D}_m\}$ from $CC$, $US$ computes and stores ${\gamma }_m$, ${\delta }_m$, $SI{D}_m^u$, and $SI{D}_n^u$ in state 2. Then, $US$ computes a login request message $\{MI{D}_m,A_1,A_2,V_1\}$ to the $CC$. Note that $witness(US,CC,us\_cc\_aa1,Aa{1}^{\prime })$ and $witness(US,DR,us\_dr\_aa1,Aa{1}^{\prime })$ are functions to prove the freshness of random nonce $a_1$. Finally, $US$ receives $\{A_6,V_3\}$ from $DR$ and computes the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right||$$a_3)$. The code $request(DR,US,dr\_us\_aa3,Aa{3}^{\prime })$ means the acceptance of freshness for $a_3$.

The AVISPA result is shown in Figure 10. As we mentioned before, we execute the proposed scheme in OFMC and CL-AtSe backends, and the summary of the result is “SAFE”. Therefore, we prove that the proposed scheme can prevent replay and MITM attacks.

7.4. Informal Security Analysis

We conduct an informal analysis of the proposed scheme to demonstrate the theoretical security robustness. Details are as below.

7.4.1. Stolen/lost Mobile Device Attack

If an adversary $\mathcal{A}$ obtains a lost mobile device of $U_m$, it can extract secret parameters $\{{\gamma }_m,{\delta }_m,SI{D}_m^u,SI{D}_n^u,MI{D}_m\}$ using power analysis attacks. However, all of secret parameters are masked in the identity $I{D}_m$, password $P{W}_m$, and biometrics $Bi{o}_m$ information. Therefore, $\mathcal{A}$ must guess $I{D}_m$, $P{W}_m$, and $Bi{o}_m$ at the same time and this process is not practical. Thus, the proposed scheme is secure against stolen/lost mobile device attacks.

7.4.2. Offline Password-Guessing Attack

An adversary $\mathcal{A}$ can attempt an offline guessing attack using $\{MI{D}_m,A_1,A_2,V_1\}$, $\{A_3$, $A_4$$,A_5,V_2\}$ and $\{A_6,V_3\}$, and the extracted values $\{{\gamma }_m,{\delta }_m,$$SI{D}_m^u,SI{D}_n^u,MI{D}_m\}$, $\left\{{\gamma }_n\right\}$ from mobile device and drone, respectively. Using a password dictionary, $\mathcal{A}$ can guess $P{W}_A^{*}$. However, $\mathcal{A}$ cannot know that $P{W}_A^{*}$ is valid or not. It is because ${\delta }_m$ is masked with biometric secret key ${\alpha }_m$. Therefore, the proposed scheme prevents offline password-guessing attacks.

7.4.3. Impersonation Attack

(1)

User impersonation attack: In this attack, an adversary $\mathcal{A}$ tries to disguise a legitimate user $U_m$. $\mathcal{A}$ has to make a valid login request message $\{MI{D}_m,A_1,A_2,V_1\}$. $\mathcal{A}$ can obtain $MI{D}_m$ from the mobile device. However, without having the credentials $SI{D}_m,SI{D}_n$, and $k_m$, it is a difficult task for $\mathcal{A}$ to calculate $MI{D}_m,A_1,A_2,V_1$. Thus, $\mathcal{A}$ cannot generate a valid login request message on behalf of $U_m$. Hence, the proposed scheme provides protection against user impersonation attacks.

(2)

Control center impersonation attack: For this attack, let us suppose that $\mathcal{A}$ tries to send the message $\{A_3,A_4,A_5,V_2\}$ to the $D_n$ on behalf of the CC. However, without having the credentials $SI{D}_m,SI{D}_n,k_n,I{D}_n$, and random nonce $a_1$, it is computationally hard for $\mathcal{A}$ to make a valid message. Therefore, the proposed scheme is resilient against the CC impersonation attack.

(3)

Drone impersonation attack: This attack is a disguise attack in which a malicious adversary $\mathcal{A}$ conceals its identity information and attempts to behave as $D_n$. To do this, $\mathcal{A}$ computes $C{H}_A^{*}=A_3\oplus h(I{D}_n\left|\right|{\gamma }_n)$. Since $PUF(.)$ is a physical unclonable circuit, $\mathcal{A}$ cannot compute $R{E}_n$. Therefore, it is impossible to compute ${\alpha }_n=Rep(R{E}_n,{\beta }_n)$, $SI{D}_n=h(I{D}_n\left|\right|{\alpha }_n)$, $k_n={\gamma }_n\oplus SI{D}_n$, $(SI{D}_m\left|\right|a_1\left|\right|a_2)=A_2\oplus h(SI{D}_n\left|\right|SI{D}_c\left|\right|k_n)$ to calculate $A_4=h(SI{D}_m\left|\right|SI{D}_n\left|\right|a_1)\oplus (a_2\left|\right|a_3)$. Thus, the proposed scheme can prevent drone impersonation attacks.

7.4.4. Replay and MITM Attacks

In the proposed scheme, all messages are masked in random nonce $a_1$, $a_2$, and $a_3$ to maintain the freshness. Moreover, each participant, e.g., remote user, control center, drone, checks the validity of the message by calculating and checking $V_1^{*}$, $V_2^{*}$, and $V_3^{*}$. Therefore, the proposed scheme can prevent replay and MITM attacks.

7.4.5. Physical and Cloning Attacks

For this attack, an adversary $\mathcal{A}$ intercepts a drone $D_n$ and extracts the secret parameters $\left\{{\gamma }_n\right\}$ from the memory. However, $\mathcal{A}$ cannot compute the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$ because each parameter in the message $\{A_3,A_4,A_5,V_2\}$ is masked in the PUF technology, which has an unclonable property. Thus, $\mathcal{A}$ cannot obtain any advantages from $D_n$, and this means that the proposed scheme is secure against physical or cloning attacks.

7.4.6. Privileged Insider Attack

In this attack, an adversary $\mathcal{A}$ is a privileged insider of the proposed system. Thus, $\mathcal{A}$ can obtain the registration request message $\left\{I{D}_m\right\}$ and secret parameters $\{{\gamma }_m,{\delta }_m,SI{D}_m^u,SI{D}_n^u,MI{D}_m\}$ from the remote user $U_m$. However, without having $P{W}_m$ and biometric secret key ${\alpha }_m$ of $U_m$, deriving secret credentials $SI{D}_m=h(I{D}_m\left|\right|P{W}_m)\oplus SI{D}_m^u$ and $k_m=h(I{D}_m\left|\right|P{W}_m\left|\right|{\alpha }_m)\oplus {\gamma }_m$ is computationally infeasible. Thus, the proposed scheme prevents privileged insider attacks.

7.4.7. Ephemeral Security Leakage Attack

To prevent this security attack, the proposed scheme must maintain security even if random numbers are leaked. Thus, $\mathcal{A}$ obtains $a_1,a_2,a_3$, which are used during the AKA phase. However, $\mathcal{A}$ cannot calculate $SI{D}_m,k_m$, and $k_n$ without knowing the secret key s to the control center. Additionally, $\mathcal{A}$ cannot obtain any advantages to impersonate as a legitimate user $U_m$. Thus, the proposed scheme prevents ephemeral secret leakage (ESL) attacks.

7.4.8. Stolen-Verifier Attack

We can assume that an adversary $\mathcal{A}$ obtains table data $\{I{D}_n,SI{D}_n,a_n,C{H}_n\}$ and $\{MI{D}_m,SI{D}_m^{*},a_m\}$ from the database of the control center and attempts to calculate the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$ or impersonate the control center. However, $\mathcal{A}$ cannot calculate the secret parameter $SI{D}_m,k_m$ and $k_n$ without the secret keys of the control center and also cannot obtain random number $a_1,a_2,a_3$. Thus, $\mathcal{A}$ cannot compute $SK$ or impersonate the control center. This means that the proposed scheme is resilient to stolen-verifier attacks.

7.4.9. User Anonymity and Untraceability

An adversary $\mathcal{A}$ cannot reveal the real identity $I{D}_m$ of a legitimate user because of a cryptographic one-way hash function $h(.)$ masks $I{D}_m$ with the secret key of the control center. Therefore, the proposed scheme provides the user’s anonymity.

7.4.10. Perfect Forward Secrecy

If the master key s of the control center is leaked to an adversary $\mathcal{A}$, it can attempt to compute $SK$ to attack the previous session. However, $\mathcal{A}$ cannot obtain the $SK$ because $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$ does not include s. Moreover, if master secret key s of the control center is compromised, $\mathcal{A}$ cannot obtain $SI{D}_m,SI{D}_n,a_1,a_2,a_3$ because $\mathcal{A}$ cannot compute $SI{D}_m=h(I{D}_m\left|\right|s)$ without the real identity of the $U_m,SI{D}_n=h(I{D}_n\left|\right|{\alpha }_n)$ and without the secret key ${\alpha }_n$. Therefore, $\mathcal{A}$ does not obtain any advantages over $SK$. This means that the proposed scheme guarantees perfect forward secrecy.

7.4.11. Mutual Authentication

In the MAKA phase, there are three messages $\{MI{D}_m,A_1,A_2,V_1\}$, $\{A_3,A_4,A_5,V_2\}$, $\{A_6,V_3\}$ transmitted via public channels. Thus, each participant checks the legitimacy of the other participants and messages using $V_1$, $V_2$, and $V_3$ in the proposed scheme. If this process is successful, we can ensure authentication. Thus, the proposed scheme guarantees mutual authentication.

7.4.12. DoS Attack

If an adversary $\mathcal{A}$ tries to transmit $\{MI{D}_m,A_1,A_2,V_1\}$ to the control center as a replay message, $\mathcal{A}$ has to pass the login phase by verifying the values of ${\delta }_m=h({\alpha }_m\left|\right|k_m\left|\right|SI{D}_m)$. However, $\mathcal{A}$ cannot construct a valid ${\delta }_m$ because $\mathcal{A}$ cannot obtain ${\alpha }_m,k_m,SI{D}_m$. Therefore, the replay message would not be sent to the control center. Thus, this proposed scheme can resist DoS attacks.

7.4.13. Drone Capture Attack

If an adversary $\mathcal{A}$ captures a drone $D_n$ and obtains $\left\{{\gamma }_n\right\}$, $\mathcal{A}$ can try to threaten another legitimate drone $D_{n1}$. However, all of the drones are secure in PUF technology according to Section 7.4.5, and ${\gamma }_n=h(I{D}_n\left|\right|{\alpha }_n)\oplus k_n$ is an independent parameter. Therefore, the proposed scheme can prevent drone capture attacks.

7.4.14. Session Key Disclosure Attack

To compute the session key $SK=h\left(A_7\right|\left|a_1\right|\left|a_2\right|\left|a_3\right)$, an adversary $\mathcal{A}$ has to obtain $SI{D}_m,SI{D}_n,a_1,a_2$ and $a_3$. However, $\mathcal{A}$ cannot obtain any of these values because $SI{D}_m$ and $SI{D}_n$ are masked with secret key s and $a_1,a_2$ and $a_3$ are random numbers that are temporarily used in a session. Therefore, the proposed scheme is secure against session key disclosure attacks.

8. Performance Analysis

We demonstrate the security features of the proposed scheme with a related sch- eme [4,14,18,21,24] in terms of “security functionalities”, “communication costs”, and “computation costs”.

8.1. Security Features Comparison

In order to provide visualized information, we offer comprehensive security properties of the proposed scheme and related schemes [4,14,17,18,21,24] in a table. As shown in

Table 4. Security and functionality features (SFF) comparison.

SFF	[14]	[17]	[18]	[21]	[24]	[4]	Proposed
$SP1$	✓	✓	✓	✓	✓	✓	✓
$SP2$	✓	✓	✓	✓	✓	✓	✓
$SP3$	✓	✓	✓	✓	✓	✓	✓
$SP4$	✓	✓	✓	✓	✓	✓	✓
$SP5$	✓	✓	✓	✓	×	✓	✓
$SP6$	×	×	×	×	×	×	✓
$SP7$	×	✓	✓	✓	✓	✓	✓
$SP8$	✓	✓	✓	✓	×	×	✓
$SP9$	✓	✓	✓	✓	✓	✓	✓
$SP10$	×	✓	✓	✓	✓	✓	✓
$SP11$	✓	✓	✓	✓	✓	✓	✓
$SP12$	✓	✓	✓	✓	✓	×	✓
$SP13$	✓	✓	✓	✓	✓	✓	✓
$SP14$	✓	✓	✓	✓	✓	×	✓
$SP15$	✓	✓	✓	✓	✓	×	✓

Note: SP1: stolen smart card/mobile device attack; SP2: offline password guessing attack; SP3: impersonation attack; SP4: replay attack; SP5: privileged-insider attack; SP6: physical and cloning attack; SP7: ESL attack; SP8: stolen-verifier attack; SP9: user anonymity; SP10: perfect forward secrecy; SP11: mutual authentication; SP12: DoS attack; SP13: untraceability; SP14: device/drone capture attack; SP15: correctness; ✓: Provide or support SFF. ×: Do not provide or support SFF.

, we consider various security functionalities and attacks, including “stolen smart card/mobile device”, “offline password guessing ”, “impersonation”, “replay”, “privileged-insider”, “physical and cloning”, “ESL”, “verification table leakage”, “user anonymity”, “perfect forward secrecy”, “mutual authentication”, “DoS”, “untraceability”, “device/drone capture”, and “correctness”. Thus, our scheme offers secure and functional features as compared to the related schemes [4,14,18,21,24].

8.2. Communication Costs Comparison

We demonstrate the comparison analysis for communication costs of the proposed scheme with the other related schemes [4,14,17,18,21,24]. We refer to [4] and assume that the bit lengths for the hash function, random number, identity, PUF challenge, ECC point, and enc-decryption are 256, random, 160, 32, 160, and 128 bits, respectively. Thus, during the MAKA process of our scheme, the exchanged messages $\{MI{D}_m,A_1,A_2,V_1\}$ require ($256+256+256+256=1024$ bits), the message $\{A_3,A_4,A_5,V_2\}$ requires ($256+256+256+256=1024$ bits), and the message $\{A_6,V_3\}$ requires ($256+256=512$ bits), respectively.

Table 5. Comparison study of communication costs.

Schemes	Total Costs	Number of Messages
Ali et al. [14]	1696 bits	3 messages
Wu et al. [17]	3360 bits	3 messages
Tanveer et al. [18]	2240 bits	3 messages
Zhang et al. [21]	5760 bits	4 messages
Tanveer et al. [24]	1856 bits	3 messages
Akram et al. [4]	2304 bits	3 messages
Proposed	2560 bits	3 messages

shows the total communication costs of the proposed scheme and the related schemes.

Although our scheme has slightly higher communication costs than Akram et al.’s scheme [4], we offer better security functionalities and efficient computation costs compared to the related schemes [14,17,18,21,24]. Figure 11 illustrates the total communication costs of the proposed scheme and the related schemes.

8.3. Computation Costs Comparison

We estimate the computation costs of the proposed scheme and [4,14,17,18,21,24] in the AKA phase. Referring to [18,21,24], we define that $T_H$, $T_{ECC}$, $T_{ENC}$, $T_{FE}$, $T_{AC}$, $T_{p{m}_{F}ourQ}$, $T_M$, and $T_O$ denote the hash function(≈0.029 ms), ECC multiplication(≈0.605 ms), enc-decryption time(≈0.036 ms), fuzzy extractor(≈0.605 ms), AEGIS(≈0.07 ms), FourQ point multiplication(≈1.199 ms), HMAC(≈0.053 ms), and BPV-online function(≈2.117 ms), respectively.

Table 6. Comparison study of computation costs.

Schemes	Remote User Side	Control Center Side	Drone Side	Total	Total Costs (s)
[14]	$10T_H+1T_{FE}$	$7T_H$	$7T_H$	$24T_H+1T_{FE}$	≈1.301 ms
[17]	$12T_H+1T_{FE}$	$9T_H$	$8T_H$	$29T_H+1T_{FE}$	≈1.446  ms
[18]	$9T_H+4T_{ENC}$ $+3T_{ECC}$	$4T_H+3T_{ENC}+1T_{ECC}$	$7T_H+2T_{ENC}$ $+2T_{ECC}$	$20T_H+9T_{ENC}+6T_{ECC}$	≈4.534 ms
[21]	$7T_H+3T_{pmFourQ}+$ $1T_{ENC}+1T_O+1T_M$	$5T_H+1T_{pmFourQ}$ $+2T_{ENC}+1T_M$	$4T_H+1T_{pmFourQ}$ $+1T_{ENC}+1T_O$	$16T_H+5T_{pmFourQ}$ $+4T_{ENC}+2T_O+2T_M$	≈10.943 ms
[24]	$6T_H+3T_{AC}$ $+3T_{ECC}+1T_{FE}$	$2T_H+1T_{ECC}+3T_{AC}$	$3T_H+2T_{ECC}+2T_{AC}$	$11T_H+6T_{ECC}$ $+8T_{AC}+1T_{FE}$	≈5.114 ms
[4]	$9T_H$	$7T_H+2T_{ENC}$	$7T_H$	$23T_H+2T_{ENC}$	≈0.739 ms
Ours	$11T_H+1T_{FE}$	$11T_H$	$10T_H+1T_{FE}$	$32T_H+2T_{FE}$	≈2.138 ms

shows the total computation costs of the proposed scheme and the related schemes.

Compared with the proposed scheme and Akram et al.’s scheme, the proposed scheme consumes more computation costs. However, the proposed scheme utilizes the fuzzy extractor and PUF technologies and, therefore, provides much higher security to the entire IoD network systems than [4]. Figure 12 illustrates that the computational cost (delay) increases at the control center with an increasing number of users.

9. Conclusions

In this study, we reviewed Akram et al.’s scheme, which was proposed for secure authentication between users and drones in IoD networks. In Akram et al.’s scheme, there are several security vulnerabilities, such as session key disclosure, drone impersonation, and stolen-verifier attacks. In addition, their scheme cannot ensure perfect forward secrecy and has correctness problems. To overcome the security flaws of their scheme and provide various functional features, we proposed a secure MAKA scheme using biometrics and PUF technologies. The proposed scheme can provide robustness to withstand various attacks, including session key disclosure, verification table leakage, impersonation, ESL, and privileged insider attacks. Moreover, the proposed scheme can achieve mutual authentication, perfect forward secrecy, and anonymity. To prove the session key security and mutual authentication, we analyzed the proposed scheme using an RoR model and BAN logic, respectively. Furthermore, we simulated the proposed scheme using AVISPA and showed that the proposed scheme is resilient against replay and MITM attacks. A comparative study of functionality features, efficiency, and security shows the effectiveness of the proposed scheme. Therefore, we can demonstrate that the proposed scheme has security robustness compared to existing user authentication protocols for IoD environments with reasonable computation and communication overheads. These characteristics show that the proposed scheme can provide users with high security reliability and high-speed communication in IoD environments. In future work, we intend to implement the proposed scheme in real environments using the mobile device as a user, a desktop as a server, and Raspberry PI 4 as a drone.