A Secure Key Agreement Scheme for Unmanned Aerial Vehicles-Based Crowd Monitoring System

Bander Alzahrani,Ahmed Barnawi,Azeem Irshad,Areej Alhothali,Reem Alotaibi and Muhammad Shafiq

1Faculty of Computing and Information Technology,King Abdulaziz University,Jeddah,Saudi Arabia

2Department of Computer Science and Software Engineering,International Islamic University Islamabad,Pakistan

3Department of Information and Communication Engineering,Yeungnam University,Gyeongsan,38541,Korea

Abstract:Unmanned aerial vehicles(UAVs)have recently attracted widespread attention in civil and commercial applications.For example,UAVs(or drone)technology is increasingly used in crowd monitoring solutions due to its wider air footprint and the ability to capture data in real time.However,due to the open atmosphere, drones can easily be lost or captured by attackers when reporting information to the crowd management center.In addition,the attackers may initiate malicious detection to disrupt the crowd-sensing communication network.Therefore,security and privacy are one of the most significant challenges faced by drones or the Internet of Drones(IoD)that supports the Internet of Things(IoT).In the literature,we can find some authenticated key agreement(AKA)schemes to protect access control between entities involved in the IoD environment.However, the AKA scheme involves many vulnerabilities in terms of security and privacy.In this paper, we propose an enhanced AKA solution for crowd monitoring applications that require secure communication between drones and controlling entities.Our scheme supports key security features,including anti-forgery attacks,and confirms user privacy.The security characteristics of our scheme are analyzed by NS2 simulationand verified by a random oracle model.Our simulation results and proofs show that the proposed scheme sufficiently guarantees the security of crowd-aware communication.

Keywords: IoT; unmanned aerial vehicles; authentication; crowd monitoring

1 Introduction

Crowding usually occurs in major occasions, such as international games and sports competitions, cultural festivals, concerts, religious gatherings, etc.We cannot ignore the possibility of accidents in large gatherings, such as the Hajj 2006 or Love Parade 2010 in Germany, and the Kumbh Mela stampede reported in 2013 in the past few years [1,2].The demand for crowd management solutions in urban metropolises is also becoming more and more common.Such gatherings always have risks, so precautions need to be taken in advance to ensure public safety.In addition, it is also important to use technology to identify anti-social and atypical behaviors in the population, and to distinguish these factors in order to take preventive measures to enhance public safety and security.Recently, the pandemic riot phenomenon needs to perceive crowd behavior without involving human factors, and further requires technological innovation to deal with it.In order to ensure public safety, the administrator or event manager must foresee and check the indicators of real-time data captured from the crowded terrain, and finally make timely decisions to curb unforeseen situations.

In the follow-up of major catastrophic situations such as floods, earthquakes, fire outbreaks,and rescue operations, Unmanned Aerial Vehicles (UAVs) are the first responders.According to observations, surveillance is one of the emerging fields, which has expanded the application range of UAVs (or drones).The sensors in drones help these devices effortlessly expand the scope of mission execution, so they are very suitable for surveillance-based rescue and monitoring operations [3,4].The drone can focus on their target location and can easily provide the control team with key information about what is happening at that location.The economy of its use and the technological improvement of drones make these devices a strong competitor to improve the safety of surveillance and crowd monitoring operations.

UAVs can help police officers ensure the security and safety of large cities, because these devices can be introduced in real time to collect real-time updates on various actions on the spot.For example, police officers in the United Kingdom use drones to catch suspected robbers [5].However, it becomes very challenging to manage the efficiency and effectiveness of such monitoring systems in cities.Other agencies such as the US Congress and the US Department of Justice have allowed the use of drones to manage large-scale events in large cities [6].The combination of drones with multimedia streaming, safe wireless interaction, forensic applications, video detection technology for abnormal motion [7], and video recognition of human abnormal behavior [8] may help to achieve a peaceful living place.

Nevertheless, this development of drone network technology exposes new ways of cyber threats, such as eavesdropping, privacy, forgery, and data reconciliation issues, which makes crowd management very challenging.If any malicious adversary accesses surveillance-related data, it may disrupt the entire surveillance activity.If any legal mobile user wants to access the data collected by a specific drone introduced in the flight area, this must be possible in the follow-up process of the mutual authentication process, leading to an agreed session key.The gateway is a trusted entity that cannot be hacked by opponents, and the mobile user’s equipment and drones may be physically compromised.Therefore, designing a secure and lightweight authentication key agreement is essential for the Internet of Drones (IoD) architecture to overcome the above shortcomings.

The salient features of the contribution are as follows:

• We propose a secure key agreement scheme for UAVs-based crowd sensing system.In the proposed scheme, police or intelligence personnel can safely obtain the real-time status of crowd dynamics with mobile devices by using crowd-sensing drones.These drones are used to report the perceived crowd information to the mobile user/police officer (CMDi)through the reliable registration agency GRSjafter adopting an appropriate authentication process and using a mutually shared session key.However, this communication must be carried out between legitimate members after using a successful authentication procedure and establishing a mutually agreed session key

• We have verified the session key security of the proposed scheme using the ROR (Real-Or-Random) trusted model [9].In addition, an informal security analysis was conducted to prove the security function of the proposed schemes against a capable adversary.

• We developed a simulation in NS2 to verify the efficiency of the proposed model in terms of throughput and latency benchmarks.The performance evaluation results show that the proposed scheme is sufficiently safe and efficient in computation and communication.

The rest of this article is organized as follows.Section 2 describes the related work.Section 3 explains the system model and adversary model.Section 4 demonstrates the proposed model.Section 5 analyzes the methods proposed on the formal and informal routes.Section 6 introduces the performance evaluation and comparative study of the proposed models.The conclusion is drawn in the last section.

2 Related Works

We can find some research articles on protecting drone-based surveillance [10].In [11], for example, the authors proposed a UAV communication scheme for rescue operations.In [12],the authors demonstrated the advantages and disadvantages of using drones to monitor the US border.In [13], the authors proposed a security method based on multi-UAV architecture to manage catastrophic scenarios.In [14], the authors discussed equipment for monitoring crowds.In [15], the hierarchical intrusion detection is designed as a lightweight detection and response method to protect drone-based networks from known attacks.Since then, the Time Credentialbased Anonymous Lightweight Authentication Scheme (TCALAS) has tried to solve the problems in key protocols related to drone networks.In [16], a certificate-less group key authentication protocol for untrusted drone architecture is proposed.In [17], the authors proposed another lightweight authentication protocol for drone Internet.However, this scheme does not support mutual authentication and so lacks a secure key agreement.In [18], the authors proposed a mobile user authentication protocol for wireless sensor networks related to the Internet-of-Things (IoTs)framework, which establishes an agreed session key with sensor nodes.However, this protocol is particularly suitable for sensor nodes with insufficient resources only and so it uses minimal hash-based operations and XOR operations to support mutual authentication among sensor nodes, mobile users, and gateway server nodes.In [19], authors proved that the scheme in [18] is vulnerable because it does not support anonymity and untraceability.In addition, this solution is susceptible to forgery attacks, stolen card attacks, and man-in-the-middle attacks.In [20], authors proposed a novel and efficient signature-based authentication protocol for IoT-based architecture,in which data is accessed from IoT sensors in real time after a mutual authentication process.However, no solution can meet the goals of real-world online application scenarios to make full use of a secure drone-based crowd sensing system.

3 Preliminaries

There is always a communication security threat between entities in the IoD environment.This requires the development of effective and efficient authentication protocols.The network model of the proposed framework is shown in Fig.1, including three participating roles, such as control room (CR), ground registration station (GRSj), mobile user (MUi), and crowd monitoring drone(CMDi).The IoD network consists of multiple flight zones with specific identifiers (FZi), and a specific UAV is deployed to any specific FZi, and at the same time it can fly and communicate with other GRSjand drones of the same FZi.GRSjacts as a trusted entity and is connected to the CR endpoint.GRSjregisters all mobile users and remote drones by providing long-term keys based on their identity.Mobile user MUior police officer with smart device obtain is/her own long-term key through GRSj.The drone CMDiintroduced in a specific FZican report to GRSjin real time after scanning and monitoring crowd-based information.

Figure 1: System model

We use the Dolev-Yao (DY) threat model to assume the capabilities of malicious adversaries.Under the DY threat model, adversaryAcan intercept, delete, modify, append or replay any eavesdropping messages exchanged on public channels.The adversary can physically capture the deployed drone in any FZi, steal the information stored in its memory and manipulate it to achieve its malicious objectives.It may also attempt to use this information to expose secret network communications by disrupting the data exchanged between the hijacked drone and other un-compromised drones.In addition, theAcan also obtain smart card credentials such as identity, password, and biometric secrets by using power differential analysis attacks [21].For the current solution, compared with the DY model, we assume another powerful threat model, namely the adversary model of Canetti and Krawczyk (also known as the CK-adversary model).Under the CK model,Acan physically access the credentials of a single entity by recovering its content and calculating its corresponding session key and its session state.However, a sound agreement must retain the forward and backward secrecy under the CK model in the follow-up actions of the exposed credentials.In addition, assume that GRSjis deployed in a physically protected lock system as a trusted entity in our IoD-based architecture, which is reliably protected from malicious attackers.

4 Proposed Scheme

Our proposed scheme consists of three sub-phases, namely the network establishment phase,the MUiregistration phase, the CMDiregistration phase and the mutual authentication procedure.Before we proceed, we have listed a summary of the symbols used in Tab.1.

4.1 Network Setup

In the network setting, entities in the IoD network are initialized with key secret parameters before deployment on site.First, GRSjconstructs its master secret key and auxiliary parameters required in the protocol, as shown in the following.

• The GRSjselects its 160-bit master secret keyKGas well as bit-mask keymkalong with a high entropy parametern.

• The GRSjselects its identityIDGRand calculatesPIDG=h(IDGR||mk).

• Next, GRSjstores the parameters (KG,mk) secretly and publicizes the vector (h,n,PIDG).

Table 1: Summary of the notations

4.2 MUi Registration Phase

In the MUiregistration phase,the user MUibecomes part of the IoD system through the registration process.GRSjuses confidential channels to perform MUiregistration by issuing secret parameters.This stage includes the following steps:

• The MUichooses its identityIDuand passwordPWu, and submits the identityIDuas request message for registration towards GRSj.

• Upon the receipt of registration message request from MUi, the GRSjcalculatesPIDu=h(IDu ||k),Bi=h(IDu ||KG).Then, it stores the factors {IDu,Bi,PIDu} in its repository,and forwards the message {Bi,PIDu,PIDd} to MUias shown in Fig.2.

• The MUiafter receiving the message calculatesBi’= h(IDu || PWu)⊕Bi, PIDu’=h(IDu ||PWu)⊕PIDu, and finally stores (Bi′,PIDu′,PIDd) in its memory.

4.3 CMDi Registration Phase

The crowd monitoring drone CMDiregisters itself withGRSjand becomes part of the IoD environment.In order to complete the registration, CMDiperforms the following steps:

• The CMDichooses its identityIDdon random basis, and submits the same towards GRSjto initiate the registration process.

• The GRSj, then computesPIDd =h(IDd ||k),Bj=h(IDd ||KG)and stores the parameters{IDd,Bj,PIDd}in its repository, and forwards the message{Bj,PIDd}to CMDi.

• The CMDi, ultimately stores the same factors in its memory.

Figure 2: Proposed authentication model

4.4 Login and Authentication Phase

The MUiand CMDiparticipate in this stage to establish a mutual authentication session key at the end of the authentication session so that these entities can safely forward their data.The main steps at this stage can be described as follows:

5 Security Evaluations and Analysis

We here formally prove that our scheme can resist the known attacks under the random oracle model.In addition, we informally stated that our plan is protected from contemporary threats.The following subsections consider both formal and informal security analysis.

5.1 Formal Security Analysis

We describe a model related to formal security analysis, which is described with the help of a game played between maliciousAand challengerL.The adversaryAis modeled as a Turing machine, which is simulated to operate in a possible polynomial amount of time (PPT) [22].The challengerLmodels each oracle in the system.represents the xthinstance of the interactive participantg= (MUi, GRSj, CMDi).These oracles allow opponents to randomly issue a series of queries and trigger corresponding responses.The hash-based oracle keeps the hash listLHs.IfAwould execute hash-based query on message y, the challenger initially verifies the parameter usingLHs.Upon the successful verification, the challenger returns the responseh(y)to the adversary and stores the vector (y, Y) in the listLHs.This query indicates the ability of an attacker to destroy a legitimate drone and obtain its private key.After the attacker executes the extraction query on the UAVIDu’s identity, the query returns the relevant key to the attacker.This oracle represents the capability of adversary for initiating an active attack.Upon submitting m tothe attacker may receive the response fromalong with messagem.In relation to the new oracle instancethe attacker may launch submitting “Send (∏xg,Start)” towards oracle.

The “Reveal” query models the erroneous use of the session key in the session.Upon the execution of Reveal query, in case the instance is effectively created, the challenger would return the session key SK for the instanceOn the other hand, it will return ⊥.Using the Execute query (Execute (MUi,CMDi)), the adversary may eavesdrop all communication messages exchanged previously on insecure channel.

After the use of Test query (Test (the attacker may distinguish among original session key and the randomly selected key.The adversary may execute this query just one time.The challenger selects a bitb ϵ (0,1)at random and would return valid session key to adversary in caseb=1.On the other hand, it would return randomly selected secret key of the same size (i.e.,b=0).Alternatively, in case the queried oracle does not about the session key, challenger would return ⊥to adversary.

The adversary may employ the above mentioned queries, i.e.,Send, Reveal, Extractafter initiating theTestquery [23].Here, one disadvantage toAis that it may not launch the Reveal query either for oracle or the pattern oracle which employed the Test query for its execution.Finally, the adversary returns the outputΦ’after making its guessΦ.Here we can remark that the adversary could auspiciously win this game as a result of breaking the authenticated key agreement (AKE) of contributed protocol∑in caseΦ’becomes equal toΦ.The benefit ofAmay be described as= |2Pr [Φ’=Φ]-1|.

Definition 1 (AKE-secure): When there is a negligible polynomial probability, the adversary may auspiciously win that game with a non-negligible benefitand we may infer that the contributed protocol∑is AKE-secure.

The adversary may positively compromise the mutual authenticity of the contributed protocol∑, in case the adversary could forge the legitimate authentication message, i.e., either authentication request or corresponding response.Suppose EMU-GRSrepresents the event that the adversary forges the MUiand constructs the login request acknowledged by GRSj.Also EMU-CMDcharacterizes the event thatAmasquerades the CMDiand produces the response which is acknowledged by MUi.The benefit of the adversary for being successful in this game can be described as= Pr[EMU-GRS] + Pr[EMU-CMD].

Definition 2 (ME-secure): In case there exists no probability for any polynomial time attacker such that one may auspiciously win the game with considerable benefitwe term the proposed protocol∑as ME-Secure.

5.2 Proof

We acknowledge that there lies no adversaryAthat may impersonate as a legitimate authentication and response message with non-negligible chance.This certifies that the contributed protocol is AKE-secure and ME-secure regarding the provable security strength.

Lemma1: We assume that a polynomial time attackerAmay compute a legitimate authentication request and response message with non-negligible chance.Thus, there lies a challenger C who may estimate a 160-bit randomly defined integer with success having non-negligible probability.

Proof: The challenger chooses a 160-bit randomly generated integerq, and submits the factors{h, n} towards the adversary.The challenger produces a new hash-listLHs, which is blank on initial basis, and is meant for recording the query inputs as well as outputs for hash-based oracles.Then, it chooses two random drone identities, such asIDUandIDDto proceed.We assume that the rest of the oracles may be queried once the hash-based oracles perform their function.The queries’responses are illustrated as under:

h(yi): The challenger initially verifies the occurrence ofyiin theLHslist.If it exists in the list, the challenger would returnYito attacker.Otherwise, it selects a random integerYi, inserts(yi,Yi) in theLHslist and returns the sameYito attacker.

We assumeqsd,qLRandqLHsrepresent the number ofSend,LRandLHsqueries executed by the adversary.

wherearepresents the valid record index in Sendoracle, while b characterizes the frequency of Sendqueries.Thus, the challenger would guess 160-bit random integer auspiciously with non-negligible prospect as shown in Eqs.(1) and (2).

Nonetheless, this shows the contradiction regarding the hardness for guessing 160-bit random integer as shown in Eq.(3).Alternatively, the attacker may not construct a legitimate login request or response message, so the drones in the protocol may verify the authenticity of one another.

Theorem 1.The proposed protocol is ME-Secure for rigid guessing of 160-bit random integer.

According to Lemma1, no adversary may construct a legitimate login request or response message for guessing the high entropy 160-bit random integer.Thus, the contributed protocol is ME-Secure.

Theorem 2.The proposed protocol is AKE-Secure for rigid guessing of 160-bit random integer.

Proof.We assume that the probabilistic polynomial-time attacker produces the validb’=bwith non-negligible chanceϵupon the execution of Test oracle query.Consequently the challenger may deduce 160-bit randomly defined integer with success having non-negligible prospect.For calculating the advantage of challenger, the understated events are described here:

• ESKi: The adversary may get the legitimate session key upon the execution of Test query.

• EMU: The adversary runs the Test query for the instanceauspiciously.

• ECMD: The adversary runs the Test query with success for the instance

EMUi-GRSj-CMDi: The adversary may disrupt the authentication session between MUiand GRSj, as well as between MUiand CMDi.It is known that the attacker may guess the validbwith the missing information ofbasHence we have the equation Pr[ESKi] ≥ϵ/2

Hence

In relation to Pr[ECMDiEMUi-GRSj-CMDi] = Pr[ECMDi]

5.3 Informal Security Analysis

5.3.1 Mutual Authentication

The next day the whole family was busy cooking and straightening up the house for Christmas Day, wrapping last-minute presents and trying hard not to burst with excitement. But even with all the activity and eagerness, a flurry of new straws piled up in the crib, and by nightfall it was overflowing. At different times while passing by, each member of the family, big and small, would pause and look at the wonderful pile for a moment, then smile before going on. It was almost time for the tiny crib to be used. But was it soft enough? One straw might still make a difference.

The proposed scheme provides mutual authenticity to both participants by devising a unique and mutual agreed session key between them.We know that the benefit that adversary may take by launching the login as well as an authentication request and response message is quite negligible due to illustrated lemma1 in above section [24].Hence, the MUiand CMDicould mutually authenticate one another with the assistance of GRSj.Hence, the proposed approach supports mutual authentication.

5.3.2 Anonymity

In the contributed protocol the MUidoes not send its identity plainly on pubic channel,rather it is masked in the form ofPIDu =h(IDu || k).Furthermore,PIDuis integrated in the messageR1=h(PIDG ||T1)⊕PIDuduring mutual authentication process.It is hard problem in polynomial terms to recover the 160-bit random integer on account of guessing the values [25], so it is not feasible to calculate the legitimate identity of mobile drone CMDiwithout compromising the high entropy factork.Thus our scheme affirms anonymity to the participants in protocol.

5.3.3 Un-traceability

We employ random integersa1anda2along with fresh timestamps in different sessions which enable the constructed messages (R1, R2, R3, R4) in a session to be unique each time these are generated [26,27].The attacker may not be able to distinguish the exchanged messages among for MUiand CMDiacross various sessions.Furthermore, the legal identifies such asIDuorPIDuare used in collision-resistant one hash function which enables the protocol in affording the untraceability feature.

5.3.4 Protected Session Key

5.3.5 Impersonation Threat

In case the adversary is able to capture the legal drone physically, it may access all of the stored information in its memory including pseudonym identities for CMDi[28,29].Then if the adversary attempts to forge the legal MUi, it would construct the legal messages (R1, R4) and submit towards GRSj.Now the adversary may compute the correctR1=h(PIDG||T1)⊕PIDuandR4= h(PIDu || PIDd || PIDG || h(Bi || a1|| T1)), whilea1andBidepict the random integers as chosen by the adversary for random number and the protected key, respectively.After the receipt of (R1,R4), the GRSjinitially would parse fromR1and recover the related secret asBiin the list LHs.Thereafter, the GRSjcalculates the parameterR4’along with another factorBiand verifies the equation validity asR1’=R1.Therefore, the attacker does not expose the valid parameterBi,and make the GRSjdistinguish the MUufrom legal user.

5.3.6 Server Masquerading Attack

The attacker may impersonate himself as GRSjand submits the messageR7towards the CMDi.Then the attacker calculatesR7′j || a′1), whereBjacts as a random integer chosen as CMDi’s private key by the adversary.After the receipt ofR7, the CMDiconstructsR4’along withBjand also checks the equality forR7’?=R7.Nonetheless, the adversary may not access theBjparameter or the CMDiaccesses the malicious server.Thus, our scheme is resistant to the spoofing attack.

5.3.7 CMDi Capture Threat

The drones are vulnerable in the hands of adversaries, and could be physically compromised at any time.We assume that the adversary capturesenumber of drones and access the stored contents includingBj=h(IDd ||KG),PIDd =h(IDd ||k), andSKud=h(PIDu||PIDd ||PIDG||)wherej=(1≤j≤e)[30].The master secretKGand other masking key k are also used to mask the crucial factors in collision resistant hash function.Despite the access of information in the compromised several drones e, the adversary might not be able to access theKGandk.At the same time, the session keySKud=h(PIDu||PIDd ||PIDG||)is composed of random integers and pseudonyms, the attacker may not calculate the subsequent session keys if it is not able to access the random integers.Consequently, our proposed model is immune to all physical drone capture threats.

5.3.8 Stolen MUi’s Smart Device Threat

In case the adversary is able to approach the MUi’s smart device and recover its contents () using differential analysis, where⊕Biand⊕PIDu.The attacker may guess the password fromB′ionly if it can test its accuracy, however without the MUi’s identity it cannot verify it.Thus, our scheme is resistant to the stolen device threat.

5.3.9 Replay Attack

The participants MUiand GRSjselect random numbers and compute the login request message and response message asR4andR10, respectively.Since the random nonces are fresh,the participants GRSj, CMDiand MUimight discern the legitimate requests from the replayed messages through verification checks.Hence, our scheme is immune to this replay attack threat.

5.3.10 Known Session Key Attack

If an attacker becomes familiar about the current session key of any session in our scheme,it may not compute the previous session keys employing the current session key [31].This is because the attacker needs to approach crucial pseudonym parameters besides the random nonces to construct the legal session key, however these parameters are protected under collision resistant one way hash function and cannot be compromised in polynomial amount of time.

6 Performance Evaluations

This section evaluates the performance of contributed protocol against the comparative studies including Wazid et al., Singh et al., Challa et al., and Turkanovic et al.on the basis of computational and communicational costs.The execution latency for the crypto-primitives employed by the comparative schemes [17,18,20,22] is depicted asTfeto execute fuzzy extractor operation,Thto execute one-way hash operation,Texto execute modular exponentiation operation,Tmto execute modular multiplication operation,Tecmto execute (Elliptic Curve Cryptography) ECCbased point multiplication [31].These crypto-primitive operations have been implemented for mobile user device as client and desktop computer as server.The mobile drones or user devices are equipped with biochemical detectors, infrared, microphone and camera-based sensors.We calculate the cost of computations with the help of MIRACL library [23] and Android-enabled MUi/CMDiclient (Lenovo Zuk Z1 having 2.5Ghz Quad-core microprocessor, Android V5.1.2 OS,and 4GB RAM).To simulate the GRSjenvironment we used desktop computer (HP E8300 Core i5 2.96Ghz, Ubuntu 16.12 OS and 8GB RAM).The experiments were conducted on the discussed client and server hardware platform that provides varying execution costs for various primitives.We select a multiplicative cyclic group G with ordernhaving 160-bit prime integer.

This group G helps to achieve the 1024-bit RSA level of security.Using the above simulation,the execution timing of various crypto-primitives such asTfe≈Tecm,Th,Tex,TmandTecmis computed as 16.403, 0.078, 3.943, 0.012 and 0.012 ms for MUi/CMDi, and 6.276, 0.013, 0.438,0.003 and 0.003 ms, respectively.In [17], the mobile user takes 1Tfe+16Thcomputational cost with 17.6 ms of execution latency.The CMDitakes sevenThoperations and GRSjincurs eightThoperations with computational cost 0.54 ms and 0.104 ms respectively.In [22], the GRSjdoes not participate in the mutual authentication process.Therefore, in this phase the MUiand CMDirequire 2Tex+5Tmand 2Tex+7Tm, i.e., 7.946 ms and 7.97 ms of computational cost, respectively.In [20], the MUiand CMDientities bear 98.8 ms and 65.8 ms computational cost with given primitives 1Tfe+5Tecm+5Thand 3Th+4Tecmrespectively.On the server’s end, it bears 31.43 ms of computational latency with 4Th+5Tecmcomputations [18] bears 0.54 ms latency for both MUiand CMDiwith 7 hash operations (7Th) each, while on the GRSj’s end it incurs 19 hash operations with 1.482 ms computational latency.The proposed scheme employs 10Th, 7Th, 7Thoperations with 0.78 ms, 0.54 ms, and 0.54 ms of computational costs for MUi, CMDiand GRSj,respectively.Tab.2 describes the computational costs of [17,18,20,22] that are compared with the proposed schemes.For being lightweight symmetric crypto-operation, the hash functionh(.)withThis suitable for crowd sensing drone-based ecosystem to save the energy of mobile devices and ultimately improve their uptime.

In order to compare communication costs, we assume that |G| characterize 1024-bit element size, while |Zn| represents the 160-bit of each element inZn.Similarly, the |ID| depict the 32-bit size of timestamp as well as MUi’s identity.We make the functionality comparison of our scheme against Wazid, Singh, Challa and Turkanovic et al.schemes in Tab.4.The incurred communication cost of protocols [17,18,20,22] is compared against the proposed scheme as shown in Tab.3.The Wazid et al.[17] bears the communication cost of 1696-bits which is calculated as 10|Zn| + 3|ID| having 10Znoperations and 3 ID operations.Similarly, the [18,20,22] bear 4256-bits, 2528-bits, 2720-bits against 4|G| + 4|ID|, 10|Zn| + 3|ID| and 10|Zn| + 3|ID| cryptooperations, respectively.In comparison with other schemes, the proposed scheme has remarkably less communication cost of 1472-bits against 9|Zn| + |ID| operations.

Table 2: Computational cost

Table 3: Communication cost

Table 4: Functionality comparison

We now discuss the simulation details of the proposed model based on NS2 and the simulation details of the comparison schemes in [17,18,20,22].We performed the simulation by using Ubuntu 14.04 long-term support (LTS platform) on the NS2 2.35 simulator [27].We discussed the simulation parameters in Tab.5.The total time taken by simulation is set as 2400 s (40 min).The entities CMDi, MUi, and Sj symbolize for ithdrone, ithmobile user device, and jthIoT sensor in the compared schemes.We consider the various mobility parameters as 20, 30 and 40 mps for CMDi, MUi and Sj.We also assume a fixed server gateway across all of these schemes.The communication messages as exchanged among these participants are shown in Tab.3.In the simulated experiment, three network performance-based benchmarks are evaluated, i.e., packet loss rate (number of packets), EED (sec) and throughput (bps).We now discuss the impact on these factors in the experiment in the following.

Table 5: Simulation parameters

6.1 Throughput

We calculate the throughput based on the number of bits transmitted per unit of time i.e.,(rp×|ps|)/Ts, whereTsrepresents the total amount of time in seconds, |ps| shows the size of the packet, andrprepresents the received The total number of packets.The total simulation time is 2400 s.Fig.3 shows that the throughput of contribution models [17,18,20,22] are 297.21, 225.34,216.53, 284.76 and 267.12 bps, respectively.Obviously, the throughput of our model is higher than other protocols.This ensures that the proposed solution generates less communication cost for the small-sized communication messages exchanged during the protocol.

Figure 3: Throughput

6.2 End-to-End Delay(EED)

The EED shows the average time of packets to get to the sink or destination.This factor may be represented in numeric terms aswhereTrandTsshow the receiving and forwarding time of the exchanged packet, andnpktshows the number of packets to the destination.According to the Fig.4, the EED values for [17,18,20,22] and proposed scheme are 0.041, 0.105, 0.29152, 0.04621, 0.033 sec, respectively.It is obvious that the EED factor of the contributed model is considerably less than the compared schemes and this attributes to the small size of the authentication messages.

Figure 4: End-to-end delay

6.3 Packet Loss Rate(PLR)

The PLR factor describes the number of lost data packets per unit time and can be expressed as (nip/Td), whereTdrepresents the total time in seconds, andniprepresents the number of lost data packets.This factor must be as small as possible to make network-based communication more reliable.Fig.5 shows the packet loss rate of different scenarios considering the comparison scheme and the contribution model.Obviously, the contribution model has a lower PLR compared with other schemes.

Figure 5: Packet loss ratio

7 Conclusions

The security and privacy requirements for reliable distribution of aerial monitoring and surveillance-based services have received increasing attention due to the vulnerability of the drone terrain.If the underlying authentication key agreement between the participating entities is not secure, the attacker may launch various attacks to disrupt the communication.In order to solve the security and privacy issues in such networks, we demonstrated a new identity verification protocol based on crowd monitoring drones, which enables participants to establish an agreed session key between them, and secure communication afterwards.Formal analysis under the Random Oracle Model (ROM) proved the proposed scheme.In addition, we used NS2 simulation to compare the proposed scheme with the existing scheme.Our analysis proves that the proposed scheme outperforms other schemes in terms of throughput, end-to-end delay and packet loss rate.Performance evaluation and benchmark factors show that the proposed scheme is secure compared with other contemporary studies in the same field.In the future, we can explore the prospect of using distributed systems based on blockchain to protect air surveillance.

Acknowledgement:The authors express their gratitude to the Deputyship for Research & Innovation, Ministry of Education in Saudi Arabia for funding this research work through the Project Number (227).

Funding Statement:This work was supported by the Deputyship for Research & Innovation,Ministry of Education (in Saudi Arabia) through the Project Number (227).

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.