A provably secure and lightweight mutual authentication protocol in fog-enabled social Internet of vehicles

The Internet of vehicles technology has developed rapidly in recent years and has become increasingly important. The social Internet of vehicles provides better resources and services for the development of the Internet of vehicles and provides better experience for users. However, there are still many security problems in social vehicle networking environments. Once the vehicle is networked, the biggest problem is data security according to the three levels of data collection, intelligent analysis, and decision control of the Internet of vehicles. Recently, Wu et al. proposed a lightweight vehicle social network security authentication protocol based on fog nodes. They claimed that their security authentication protocol could resist various attacks. However, we found that their authentication protocols are vulnerable to internal attacks, smart card theft attacks, and lack perfect forward security. In this study, we propose a new protocol to overcome these limitations. Finally, security and performance analyses show that our protocol perfectly overcomes these limitations and exhibits excellent performance and efficiency.


Introduction
At the Information Society Summit held in 2005, the International Telecommunication Union (ITU) formally introduced the concept of the Internet of Things (IoT) in the form of an Internet report. IoT is based on the Internet, which uses radio frequency automatic identification, wireless data communication, and other technologies, to achieve automatic identification of objects and information interconnection and sharing, to build a ''Internet of things'' that encompasses everything in the world. The scope of application of the IoT is gradually expanding, and its application in various industries, agriculture, transportation, and others has promoted the development of intelligence in these fields, making resources allocation more rational and improving the efficiency of these industries. The application in life-related areas, such as smart warehouses, smart medical care, smart electricity, and tourism services has substantially improved the quality of people's lives, from the scope of services and the way they are provided to the quality of services. Fog computing is an extension of cloud computing, an IoT-based distributed computing infrastructure that can use devices in edge networks to enable the delivery of data with extremely low latency. The application of fog computing reduces inter-network distances, increases efficiency, and reduces the amount of data required to be transmitted to the cloud for processing, analysis, and storage. Fog nodes are a key component of the fog computing architecture, and they can appear in different forms and be deployed in a variety of environments.
The Internet of Vehicles (IoV) is an automotive mobile IoT technology that provides different functional services in the operation of vehicles through advanced sensor technology, communication technology, data processing technology, network technology, and information dissemination technology. The devices on the vehicles effectively use the information in the network platform. The IoV can provide spacing between vehicles and reduce the risk of collisions; it can help vehicle owners navigate in real-time and improve the efficiency of traffic operations by communicating with other vehicles and network systems. With the advances in the application of IoT, IoT technology is being combined with social networks to form a new network called the social Internet of things (SIoT). The IoT will include not only the association of things and things and people, but also introduces the relationship between people and people, thus better depicting the connected world of all things. SIoT is a new application of IoT technology in social networks. Ordinary objects in our lives can be informatized in real-time using IoT's sensing and monitoring technology, and the information of the objects can be displayed online through network technology, cloud computing technology, and cloud storage technology.
With the development of modern technology, the IoV also requires the organic combination of traditional IoV functions and social networking of vehicles, resulting in the rise of social networking of vehicles (SIoV). The SIoV is a social approach to increase the viscosity of the user, thereby maintaining the profitability of SIoV and the related information reserve.
SIoV provides better resources and services for the development of IoV. Telematics can be better implemented and telematics services can be better enhanced, only by continuously improving the functions of social telematics enhancing the popularity of telematics. In the SIoV environment, relevant information is entered into the telematics database in the background, and then the vehicle owner can use the telematics social services like a social software, which can always keep learning to obtain information and help the vehicle owner to improve the efficiency of the trip, and even enable the vehicle's remote pre-diagnosis of itself to improve safety. The typical structure of SIoV is shown in Figure 1, which mainly includes vehicle, roadside unit (RSU), a fog node, and a cloud server (CS). The cloud server is an infrastructure as a service (IaaS) service that integrates computing, storage, and network resources based on a WEB service that provides an elastic cloud technology with customizable cloud hosting configurations. Vehicles are tangible users and beneficiaries. Vehicles can communicate with each other and owners can access information, share location, and so on, to make travel safer and smarter. The RSU can collect information about nearby vehicles, send it to the fog node, and receive information from the fog node. In the telematics environment, the deployment of fog nodes is strongly influenced by geographical location; however, the prevalence of content within the coverage area varies greatly, because fog nodes are usually deployed in different areas and the cached content has certain geographical characteristics. A fog node is responsible for collecting and processing data of vehicles in a certain area, and subsequently, it transmits the collected data to the cloud server, reducing the computational load on the cloud server.
However, there are still many security issues in the SIoV environment. Once a car is connected, the biggest problem is data security according to the three levels of data collection, intelligent analysis, and decision control. If we want to achieve data interoperability and data sharing, particularly, if we want to achieve decision control, ensuring data security is the most challenging issue of entire vehicle networking. In addition to traditional solution techniques such as authentication and access control, two other typical issues are how to verify the reliability of the data and protect the privacy of the data. This reflects the importance and criticality of data encryption, which encrypts data to achieve data concealment and thus protect data security. Encryption requires negotiation of a common session key between the participating actors to achieve reliable transmission. Wu et al. proposed a fog node-based secure authentication protocol for vehicular social networks and an authentication protocol that ensures user anonymity and security. Wu et al. claimed that their proposed secure authentication protocol was resistant to various attacks. However, we find that their authentication protocol is vulnerable to offline password guessing attacks, smart card theft attacks, and lacks perfect forward security, and there are also some design issues in this scheme. Here, we present these issues and make recommendations.
The main contributions of this article are as follows: 1. We perform a security analysis of the authentication protocol proposed by Wu et al. for SIoV and find that their authentication protocol is vulnerable to insider attacks, smart card theft attacks, and lacks perfect forward security. As a user, we focus on protecting the data anonymity and security of the vehicle, prioritize data security in the protocol design, and propose a new scheme to improve the shortcomings of Wu et al.'s protocol.
2. We use elliptic curve algorithms to encrypt the transmission of information, which can provide a higher level of security. We use the Real-or-Random (ROR) model, a formal proof tool, to verify the validity, correctness, and security of the protocol. In addition, a detailed informal analysis shows that our protocol is resistant to known attacks and break-ins. 3. We also systematically evaluate the protocol's computational performance and communication costs in addition to other factors, and show that it performs well.
The rest of this article is organized as follows. we propose a new scheme to improve the shortcomings of the old scheme. In section ''Security analysis,'' we perform a security analysis, which includes a formal analysis, security requirements analysis, and a security comparison, to demonstrate the security and stability of the new protocol in terms of these three aspects. In section ''Performance evaluation,'' we analyze the security and performance of the new protocol in terms of both performance evaluation and communication cost evaluation. Finally, we summarize the work in section ''Conclusion.''

Related work
With the advancement of the application of IoT, IoT technology is combined with social networks to form a new network, that is, SIoT. With the combination of the IoV and SIoT, the social IoV has gradually emerged. Because the IoT environment, IoV environment, and SIoT environment have been proposed, many researchers have attempted studying how to realize data transmission safely and efficiently. Therefore, various authentication protocols have been proposed to protect the security and privacy of data transmissions. In 2014, Yang et al. 1 presented an abstract network model for IoV, described the technologies needed to create IoV, and different applications based on existing technologies, presented several open research challenges, and considered the development of IoV in future domains. In 2015, Sun et al. 2 reviewed IoVrelated security and privacy developments, including security and privacy requirements, types of attacks and solutions, and described the future IoV-related security and privacy developments and challenges. In 2017, Contreras-Castillo et al. 3 presented IoV-related architectures, protocols, and security and introduced communication protocols that enable seamless integration and operation of IoV. Dandala et al. 4 described the relation between the IoV environment and traffic management, and provided an IoV-based traffic management solution to overcome serious traffic management problems in real-life. Ferrag et al. 5 provided an overview of the previously proposed IoV-related protocols and classified these protocols according to the target environment, identified remaining issues, and proposed future directions for the research. In 2019, Chandrakar et al. 6 proposed a secure authentication protocol for vehicle ad hoc networks and claimed that the protocol is secure and efficient. In 2020, Xu et al. 7 proposed a blockchain-based protocol for RSU-assisted authentication and key management in vehicle networks, which they claimed to have low computational overhead, high efficiency, high authentication efficiency, and resistance to various common attacks.
Some of the research on SIoT is presented below. In 2011, Atzori et al. 8 presented the research concept of SIoT and a preliminary architecture for achieving SIoT in an object structure that follows the definition of potential social responsibility. In 2012, Atzori et al. 9 again presented the concept, architecture, and network of SIoT and analyzed the characteristics of the SIoT network structure through simulations. In 2015, Nitti et al. 10 discussed the link selection problem in SIoT, proposed heuristic algorithms for local link selection, and proposed a method to dynamically adjust the threshold of the number of connections according to the number of hubs in the network. In 2017, Shen et al. 11 proposed a privacy-preserving and lightweight key negotiation protocol based on V2G in social IoT and claimed that the protocol can withstand different types of attacks. In 2019, Park et al. 12 proposed a V2G dynamic privacy-preserving key management protocol for the SIoT and claimed that the protocol is resistant to a variety of attacks, such as simulations and offline passwords.
This final section presents the research work related to SIoV. In 2015, Alam et al. 13 presented concepts, structures, and applications of the architecture of SIoV environments and provided implementation details and experimental analysis to demonstrate the effectiveness of the proposed system. In 2016, Maglaras et al. 14 combined SIoV with smart cities, reviewing SIoV enabling technologies and key components, and presenting SIoV applications that can be deployed in smart cities. In 2018, Butt et al. 15 presented a scalable SIoV architecture based on the Restful web technology and highlighted the importance of web technology. In 2020, Ahmed et al. 16 proposed an anonymous key negotiation protocol for the V2G environment in SIoV and claimed that the protocol is not only lightweight, but also efficient in terms of communication and storage costs of other protocols. In 2021, Wu et al. 17 proposed a lightweight authentication key negotiation protocol for vehicular social networks based on fog nodes and claimed the protocol to be lightweight, secure, and efficient.

Review of Wu et al.'s protocol
The main entities included in the protocol are the vehicle, fog node, and cloud server. A fog node can detect unsafe driving behavior in real-time, provide early warning for the behavior, impose appropriate penalty when necessary, and share the pressure of the cloud server. Table 1 lists the symbols used in the protocol. The protocol has three phases as follows: vehicle registration, fog node registration, and login authentication.

Vehicle registration phase
The registration process of the vehicle V i is described as follows: 1. First, vehicle V i inputs its identity ID i , password PSW i , and a random number r i , calculates its pseudo-identity PID i = h(ID i k r i ), and then transmits the PID i to CS through the secure channel. 2. CS receives fPID i g, calculates the value of to 0, and stores fPID i , K V g in its database.
replaces HID i with the value of a i , and stores the fa i , P i , r i , K V g in its smart card.

Fog node registration phase
The registration process of the FN j is described as follows: 1. First, fog node FN j inputs its identity FID j and a random number r j , by FID j and r j , calculates its pseudo-identity PFID j = h(FID j k r j ), and sends fPFID j , FID j g to CS. 2. CS receives fPFID j , FID j g, selects a random number R j , calculates the value of

Login and authentication phase
In the login and authentication phase, V i , FN j , and CS complete authentication and establish session key SK, which is described as shown in Figure 2.
1. First, V i inputs its identity ID i , password PSW i , according to ID i , PSW i , and r i , calculates P Ã i = h(ID i k PSW i k r i ), and then compares P Ã i = ? P i . If equal, then V i logs successfully.
After successful login, V i selects a random number N 1 and calculates indexes K FN according to FPID j , then calculates If it is equal, it means that CS believes that FN j is legal. Otherwise, the authentication process is terminated. After authenticating V i and FN j , CS calculates believes that FN j and CS are legal. Otherwise, the authentication process is terminated.

Threat model
In this study, we define a potential attacker as A. He may be an external attacker who listens to or intercepts data, or a staff member or privileged user inside the server or fog node. When A acts as an external attacker, he can eavesdrop and intercept messages in the public channel without being detected by the subject protocol, can send or forge messages, and can participate in the operation of the protocol as a legitimate protocol participant. This is partially similar to the capabilities of the attacker assumed by the D À Y model. When A acts as an insider attacker, he may have some privilege to access parts of the server or fog node as part of the system participants. Based on existing research, we assume that A has the following capabilities:

1.
A can eavesdrop and intercept information transmitted through the public channel, and can forge, modify, delete, redirect, or replay messages transmitted through the public channel. 18 2. When a smart card or vehicle is lost or stolen, A can obtain the parameters and useful information that is stored in a smart card or vehicle. 19

3.
A may be a legitimate but malicious administrator or privileged user. 20

Insider attack
In an insider attack, the server can also be used as an attacker to steal user information, for example, by collecting the identifier and password submitted by the user during the registration phase and by collecting information from the user's smart card. 21 Assuming that A is an internal person, he can obtain the information stored in the smart card fa i , P i , r i , K V g. The attacker can guess the password repeatedly, calculate the authentication value, and complete the password guessing through the following steps: Step 1: A intercepts the information A 1 and PID i transmitted to the common channel, and then calcu- Step 2: because A obtains A 1 , r i , and N 1 , A can try to enter the value of ID i to calculate Step 3: A compares and verifies the calculated A Ã 1 with A 1 to obtain ID i .
Step 4: after A obtains ID i , A also knows P i , thus, he calculates P Ã i = h(ID i k PSW i k r i ) and verifies P Ã i = P i . If the verification is successful, A obtains ID i and PSW i . Therefore, attacker can complete the password guessing.

Lack of perfect forward security
Forward security means that the leakage of a long-used master key does not lead to the leakage of a past session key SK. Forward security protects communications performed in the past from the threat of future exposure of passwords or keys. 22,23 We assume that the attacker can steal g in the login and mutual authentication phases because they are transmitted over a common channel. The attacker can calculate session key SK using the following steps: Step 1: the attacker can obtain K CS by the first attack, and then obtain HID i by calculating h(PID i k K CS ).
Step 2: obtain N 1 by calculating Therefore, the attacker can calculate the correct ses-

Smart card theft attack
A smart card theft attack occurs when secret information stored on a smart card is obtained by some unethical means, and the attacker uses the information obtained to crack the session key or cause damage to the protocol. 23 We assume that the attacker steals the smart card and obtains fa i , P i , r i , K V g. The attacker can steal g in the login and mutual authentication phase because they are transmitted over a common channel. The attacker can calculate session key SK using the following steps: Step 1: the attacker can obtain PSW i by the first attack, and then obtain HID i by calculating a i È h(PSW i k r i ).
Step 2: obtain N 1 by calculating A 1 È PID i .
Therefore, the attacker can calculate the correct session key SK = h(N 1 È N 2 È N 3 È HID j È HID i ).

The proposed protocol
In this section, we elaborate the various components of the protocol. First, the protocol involves three constituent entities as follows: (1) the vehicle V i , (2) the fog node F j , and (3) the cloud server CS. V i can establish a session key SK with the cloud server via the fog node, and then CS can exchange information to obtain useful information, such as real-time road conditions and weather conditions. F j is the equivalent of a trusted intermediary between V i and CS, which verifies the legitimacy of CS, accepts authentication and requests from V i and sends them to CS or receives feedback from CS and sends them to V i . CS has the function of processing data, saving and transmitting information, and it plays an important role in the protocol. CS registers the legal identity of V i and F j in the registration phase and provides legal authentication and key establishment for V i and F j in the authentication phase. The protocol consists of the following parts: (1) vehicle registration phase, (2) fog node registration phase, and (3) login and mutual authentication phase. Table 2 lists the symbols used in the protocol.

Vehicle registration phase
In the V i registration phase, V i sends the registration request to the CS over a secure channel, and the CS then computes a series of messages and returns them to V i , allowing V i to obtain a legitimate identity. The process diagram for this phase is shown in Figure 3, and the steps are detailed as follows: 1. First, V i selects and enters his identity VID i and password VPW i , and then V i transmits fVID i g to the CS via a secure channel. 2. Following receipt of the information from V i , CS generates the random number r 2 and computes HID i = h(VID i k r 2 ) and RID i = h(K c k r 2 ) È HID i , and then stores fRID i , r 2 g in its own memory and subsequently transmits the random number fr 2 g to V i via a secure channel. 3. Following receipt of the information from CS, V i generates a random number r 1 and then computes P i = h(VID i È VPW i k r 1 ) and A 1 = h(VPW i k r 1 ) È r 2 and stores fA 1 , P i , r 1 g in Table 2. Notations used in the improved protocol.

Symbol
Description Shared key of F j and CS K C Secret key of CS SK Session key T i The ith timestamp h(Á) Hash function È Bit-wise XOR operation k Concatenate operation the smart card. The V i registration phase is complete.

Fog node registration phase
In preparation for the authentication phase, F j sends a registration request to the CS and registers as a legitimate fog node. The detailed process diagram of this phase is shown in Figure 4, and the detailed steps are as follows: 1. F j selects a unique identity FID j and then transmits fFID j g to the CS through a secure channel. 2. After receiving the message from F j , CS generates a random number r 4 and calculates RFID j = FID j È K c and K fc = h(FID j k r 4 È K c ). Then, CS stores r 4 into memory according to its RFID j counterpart and subsequently transmits the message fK fc , RFID j g to F j through a secure channel. 3. Once F j receives the information from CS, he generates the random number r 3 and then starts computing A 2 = K fc È h(FID j k r 3 ), preferably storing fA 2 , RFID j , r 3 g in his own memory. This completes the F j registration phase.

Login and authentication phase
In the login and mutual authentication phase, the onboard login device verifies the correctness of the identifiers VID Ã i and VPW Ã i entered by V i , and only those V i that pass the verification will be allowed to use the system. During the mutual authentication phase, V i , F j , and CS negotiate a common session key SK to allow for quick information sharing during subsequent use. This phase is the most important stage of the protocol, and the detailed process is described in Figure 5, and the detailed steps are described as follows: 1. First, the on-board device verifies the correctness and legitimacy of the user, V i inputs VID Ã i and VPW Ã i , calculates P Ã i = h(VID Ã i k VPW Ã i k r 1 ) and then verifies that P Ã i = ? P i . If they are equal, authentication is successful; otherwise, login is denied. 2. After completing verification, V i computes r 2 = A 1 È h(VPW i k r 1 ) and HID i = h(VID i k r 2 ), and then generates a random number R 1 and timestamp T 1 . It encapsulates R 1 into B 1 by computing B 1 = h(HID i k r 2 ) È R 1 and then computes V 1 = h(HID i k r 2 ) and subsequently transmits the  message Msg 1 = fB 1 , V 1 , T 1 g to F j through the common channel. 3. Immediately after receiving the message Msg 1 from V i , F j verifies the timestamp parameter T 1 by computing jT 1 À T c j ¼

?
DT , then generates the random number R 2 and timestamp T 2 , computes K fc = A 2 È h(FID j k r 3 ), B 2 = h(K fc k FID j ) È R 2 , and V 2 = h(FID j È K fc ), and finally the message Msg 1 = fRFID j , B 1 , B 2 , V 1 , V 2 , T 2 g is transmitted to the CS via the common channel. 4. After receiving the message Msg 2 from F j , CS verifies the timestamp T 2 and calculates FID j , FID j = RFID j È K c , K fc = h(FID j k r 4 È K c ), HID i = RID i È h(K c k r 2 ), V Ã 1 = h(HID i k r 2 ), and V Ã 2 = h(FID j È K fc ), and then verifies that V Ã 1 = ? V 1 to authenticate the legitimacy and validity of V i 's identity by verifying that V Ã 2 = ? V 2 to determine the legitimacy of the identity of F j . Then, CS computes R 1 = B 1 È h(HID i k r 2 ) and R 2 = B 2 È H(K fc k FID j ) to generate a random number R 3 and timestamp T 3 . Once this is complete, CS generates the session key SK, and V 3 = h(K fc k FID j È R 2 ), and then the message Msg 3 = fB 3 , B 4 , B 5 , V 3 , T 3 g is sent to F j through the common channel. 5. After F j receives the message Msg 3 , it starts verifying timestamp T 3 , and if T 3 passes the verification, the nominal message Msg 3 is considered to be a new and valid message. F j then computes V Ã 3 = h(K fc k FID j È R 2 ) and verifies that V Ã 3 = ? V 3 . If the verification passes, CS is a trusted server; otherwise, F j rejects the CS request and aborts the protocol process. If it passes, F j com- , and subsequently generates timestamp T 4 , computes V 4 = B 5 È h(FID j È K fc ), and transmits the message Msg 4 = fB 4 , V 4 , T 4 g to V i through the common channel. 6. V i receives the message Msg 4 back from F j and verifies the freshness and legitimacy of this message by jT 4 À T c j ¼
DT , and then verifies the legitimacy identity of F j by computing V Ã 4 = h(HID i k r 2 È R 1 ). If the authentication passes, V i computes the session key By completing the aforementioned steps, the login and authentication phase of the protocol is complete, and a common session key SK is established between the three parties V i , F j , and CS.

Security analysis
In this section, a formal security analysis, an analysis of security requirements, and a security comparison are performed to demonstrate the security of our proposed scheme. First, the formal analysis uses the real-orrandom (ROR) model, and then the analysis of security requirements demonstrates that our proposed protocol is resistant to insider attacks, smart card theft attacks, and ensures perfect forward security. Finally, by comparing the security of our protocol with that of Ma et al., 24 Jia et al., 25 Eftekhari et al., 26 and Wu et al., 17 we can observe that our protocol is secure and reliable.

Formal security analysis
In this section, the ROR model 27 is used to perform a formal security analysis. The ROR model is used to prove the semantic security of the proposed protocol. Using the ROR model, we successfully proved that the session key of the protocol is secure and reliable. Before proving the session key security of the proposed protocol in Theorem 1, we briefly discuss the ROR model. ROR model. In our ROR model, the attacker is represented by A, and the protocol has three participants: the vehicle, fog node, and cloud server and are represented by V , F, and CS, respectively. Assuming that z all denotes the communication between A and the protocol entity, then z i V denotes that A communicates with the ith instance of the vehicle, z j F denotes that A communicates with the jth instance of the fog node, and z CS denotes that A communicates with the cloud server. The attacker A can also obtain relevant information through the following queries: , where A can intercept and obtain information exchanged or transmitted between communicating entities V , F, and CS through the open channel. This query is often used to perform eavesdropping attacks. Send(z all , Msg): using this query, A can send a message Msg to any entity in z all and obtain the corresponding feedback. A can perform man-in-themiddle and simulated attacks. Hash(String): in this query, A can obtain the corresponding fixed value after executing the query by entering a fixed-length string. Corrupt(z all ): A can send this query to z i V and fetch the private value stored in the smart card of V i . Furthermore, A can send this query to z j F or z CS , which then obtains the long-term private key stored in the cloud server and the temporary information generated by the participant. A can perform forward secrecy attacks, privileged insider attacks, stolen smart card attacks, and vehicle simulation attacks with this query. Reveal(z all ): using this query, A can disclose the session key SK generated between z all entities to A. A can then simulate the known session key to perform the attack. Test(z all ): A can perform this query by flipping a uniformly textured coin . If is 1, the attacker will obtain the correct session key. Otherwise, the attacker will receive a null value. Theorem 1: if Adv AKE mathcalA (xi) is a function of the dominance of adversary mathcalA in breaching the SK security of the proposed authenticated key exchange (AKE) protocol, then q hans and q send denote the number of hash queries performed and the send queries performed, respectively. f denotes the length of a user's identity as well as the password, C 0 and b 0 denote the parameters of Zipf, 28

Adv AKE
Security proof Proof. In the following proof, we define six games named GM(i), i 2 [0, 6], and each game has its own rule. We define Succ GM i A (j) (i = 0, 1, 2, 3, 4, 5, 6) to represent the probability of success of the game under each rule. In addition, ''A's advantage in winning a match GM i '' is expressed and defined by Adv AKE A, GM i (j). The specific proof procedure is as follows: GM 0 : in GM 0 , this round simulates A for the actual attack, and because the bit is selected randomly at the start of GM 0 , we obtain GM 1 : GM 1 adds the Execute operation to GM 0 , which is equivalent to A intercepting and obtaining information on the public channel {Msg 1 , Msg 2 , Msg 3 , Msg 4 }, and A executes the Test operation, thus, we obtain GM 2 : GM 2 adds the Send operation to GM 1 , and A can send messages to the entity through the common channel, thus, we can obtain GM 3 : GM 3 adds another Hash operation to GM 2 , and A can use hash queries to obtain specific values and strings. Using the theory of the birthday paradox, we obtain GM 4 : in GM 4 , we have added the partial functionality of the Corrupt operation to GM 3 that allows A to obtain the long-term key K fc between CS and F j or to crack any random number in the protocol authentication process. Under these conditions, we consider the A threats to the session key SK, verifying that the protocol has perfect forward security and is resistant to known session-specific temporary information attacks.
1. Perfect forward secrecy: we assume A uses Corrupt queries to obtain the long-term key K c , and then A uses Execute, Send, Hash, and Corrupt operations to attempt to obtain the protocol's session key SK. After A obtains K c , A can obtain RFID j in the message Msg 2 on the public channel using the Execute operation, and then FID j = RFID j È K c to compute FID j . If A computes K fc , A can compute R 2 by R 2 = B 2 È H(K fc k FID j ). Then, HID i È R 3 k R 1 = B 3 È h(FID j È K fc ) computes HID i È R 3 k R 1 to compute SK. Thus, everything points to K fc , however, as K fc = h(FID j k r 4 È K c ), A cannot obtain r 4 ; therefore, he cannot compute K fc , and cannot threaten the protocol SK.

Known session-specific temporary information
attacks: we assume A uses the Corrupt query to obtain a random number R 2 that is most likely to crack SK, and then A uses the Execute operation to obtain the information B 2 and B 3 on the common channel. Subsequently, A can calculate h(K fc k FID j ) = B 2 È R 2 to obtain h(K fc k FID j ), and then calculate However, A cannot compute or intercept the acquisition of FID j ; thus, A cannot threaten the protocol SK. As a result, the probability of this round is GM 5 : in GM 5 , we have added additional parts of the Corrupt operation to GM 4 to allow A to access the information stored in the smart card via V i to verify that the protocol is resistant to offline password guessing attacks. We assume that A has access to the information stored on the smart card fA 2 , RFID j , r 3 g, because A has no other useful information about V i , A cannot decrypt the information about V i , thus, cannot compute the session key SK. Using Zipf's law, 28 the probability that A succeeds in guessing the user's password is 1/2, and the probability that A can successfully guess the user's password is greater than 1/2 when the number of bits transmitted ends ł 106. Thus, we obtain GM 6 : GM 6 is used to verify that the proposed protocol is resistant to simulation attacks. In GM 6 , A issues a h(FID j È R 2 È HID i È R 3 k R 1 ) query to determine whether it is possible to obtain SK. Here, the game was aborted. Thus, we can obtain the possibility of GM 6 as Because GM 6 has an equal probability of success and failure, the From the aforementioned formula above, we can obtain Then, we obtain Thus, we can use the ROR model to demonstrate that our proposed new protocol is resistant to common attacks (such as smart card theft attacks, offline password guessing attacks, man-in-middle attacks, and known session-specific temporary information attacks) and provides perfect forward security.

Analysis of security requirements
This section presents an analysis of our security requirements for the proposed protocol, which shows that our protocol can withstand attacks that the protocol proposed by Wu et al. 17 cannot, as well as other common attacks. In the following, we use A to represent the attacker, as demonstrated by the following: Resist insider attacks. Assuming A obtains V i in the smart card fA 1 , P i , r 1 g, he can attempt to compute P Ã i = h(VID Ã i k VPW Ã i k r 1 ). However, guessing both VID i and VPW i is nearly impossible, and A would be unable to obtain the user's identifier and password by collecting information from the user. Thus, our protocol is resistant to internal attacks.
Ensure perfect forward secrecy. In the protocol, assuming that the long-term key K c of CS is compromised, A can obtain FID j by calculating FID j = RFID j È K c because RFID j is a public channel transmission. However, A cannot calculate K fc . This is because in K fc = h(FID j k r 4 È K c ), A cannot obtain the value of r 4 and cannot compute useful concrete information. Thus, our protocol has a perfect forward security.
Resist stolen smart card attacks. Assuming that A obtains the information in V i 's smart card fA 1 , P i , r 1 g. Because A cannot obtain V i 's identifier VID i and password VPW i , A cannot decrypt the relevant information about V i , and thus, cannot compute the session key SK. Therefore, our protocol is resistant to stolen smart card attacks.
Ensure mutual authentication. During the login authentication phase, V i , F j , and CS can authenticate each other and establish the same session key in a secure manner. The V 1 in the Msg 1 message contains information about V i . F j receives Msg 1 and encapsulates V 1 and its own information V 2 in Msg 2 and transmits it to CS, which authenticates V i and F j by verifying V 1 and V 2 . F j can achieve authentication of CS by verifying V 3 in the message Msg 3 , and V i achieves authentication of F j by verifying V 4 in message Msg 4 . Thus, mutual authentication is ensured among the three participants in our protocol.
Ensure user anonymity. In the protocol, we do not use V i 's real identity VID i but a pseudo-identity HID i , and no information related to V i 's identity is transmitted on the public channel which effectively protects user privacy. If A wants to trace V i , the timestamped validation also prevents A from using expired feedback to obtain useful information about the user. Thus, our protocol ensures user anonymity.
Resist replay attacks. Replay attacks can occur during any network communication and are one of the common attacks used by hackers in the computer world. It refers to the attacker sending a packet that has already been received by the destination host for the purpose of spoofing the system, and is mainly used in the authentication process to undermine the accuracy of the authentication. In our protocol, we add timestamps T to all messages fMsg 1 , Msg 2 , Msg 3 , Msg 4 g, to ensure the timeliness and freshness of the transmitted information, to ensure that the transmission of the message is completed within a valid time, and to prevent the attacker from replaying the message to obtain valid feedback. Thus, our protocol can resist replay attacks.
Resist offline password guessing attacks. In the login and authentication phase, V i must enter both VID Ã i , and VPW Ã i , and then compute P Ã i = h(VID Ã i k VPW Ã i k r 1 ) when logging in. Even if A obtains the information r 1 in the smart card, it cannot guess both VID i and VPW i ; thus, A cannot obtain V i 's identifier and password through the guessing attack.
Resist known session-specific temporary information attacks. During the login authentication phase, three random numbers are generated: R 1 , R 2 , and R 3 . These three random numbers are also part of the session key. Assuming that A learns the random number R 1 , he can only obtain h(HID i k r 2 ) by computing B 1 = h(HID i k r 2 ) È R 1 and nothing else. Assuming that A learns the random number R 2 , because B 2 and B 3 are transmitted on a common channel, A can obtain h(K fc k FID j ) by computing R 2 = B 2 È h(K fc k FID j ), and then can obtain HID i È R 3 k R 1 by computing . However, A cannot obtain FID j , and therefore cannot compute SK. We assume that A learns the random number R 3 ; however, he cannot compute useful information. Therefore, our protocol is resistant to known session-speculative temporary information attacks.
Resist man-in-the-middle attacks. A man-in-the-middle attack is performed by intercepting normal network communication data and performing data tampering and sniffing without the knowledge of the two parties communicating. In the framework environment, F j does not authenticate V i but sends its own authentication information along with that of V i to CS, which promptly authenticates V i and F j . If A tampers with the data during the process, it will be subjected to a double test of the timestamp and CS authentication. Clearly, A will not be able to pass authentication safely and will be denied access. Therefore, our protocol is resistant to man-in-themiddle attacks.

Security comparisons
As shown in Table 3, we compare the security analysis of the protocol and use ü and ß to indicate whether the protocol meets the relevant security requirements. As shown in the table, the protocol of Ma et al. 24 is considered by Eftekhari et al. 26 to be unable to resist insider attacks, provide anonymity and untraceability, and resist known session-specific temporary information attacks and stolen smart card/vehicle attacks. Furthermore, the protocol of Jia et al. 25 cannot provide mutual authentication and cannot resist known sessionspecific temporary information attacks. Therefore, in 2021, Eftekhari et al. 26 proposed a security-enhanced three-party pairwise shared key agreement protocol for fog-based vehicle communication. They claimed that they can save approximately 23:65% of the computing costs. However, the protocol of Eftekhari et al. 26 cannot guarantee perfect forward secrecy. In addition, Wu et al. 17 proposed a lightweight authentication key protocol based on a fog node in SIoV. In this study, we demonstrated that it cannot guarantee perfect forward security and cannot resist insider attacks and stolen smart card attacks.

Performance evaluation
In this section, we compare the performance of the proposed protocol with the protocol in Table 3, which includes calculation evaluation and communication evaluation. In terms of computing evaluation, we used more real simulation experiments. The use of mobile phones and computers to simulate an environment can more accurately reflect the computing performance of the protocol.

Hardware environment
We used the mobile phone MEIZU À MX5 to simulate the on-board equipment, the computer model Lenovo À M715E to simulate the fog node, and the computer model MSI À GP63 to simulate the cloud server. Table 4 shows the platform used for the equipment.

Computation evaluation
Based on the aforementioned platform, we also calculated the following cryptographic operations according to the time consumption: hash function, point encryption, symmetric key encryption/decryption, scalar multiplication, and binary pairing. Here, the time consumption of the XOR operation and connection operation is very small to be ignored, and the abbreviations and consumption times corresponding to various operations are shown in Table 5. Table 3. Comparisons of security.

Security properties
Ma et al. 24 Jia et al. 25 Eftekhari et al. 26 Wu et al. 17  To evaluate the calculation cost of the protocol, we divide the time cost of each protocol into four parts: V i , F j , CS, and the total calculation cost, and calculate the time spent in each part to more accurately reflect the performance of the protocol. The specific calculation costs are shown in Table 6. After a detailed comparison, we can observe that the time cost of our protocol is similar to that of Wu et al.; 17 however, our protocol provides higher security and reliability. Compared with Ma et al., 24 Jia et al., 25 and Eftekhari et al., 26 the proposed protocol is much faster and saves considerable computing costs. In addition to saving costs, our protocol can ensure high security, while requiring less time.

Communication evaluation
In terms of computation cost evaluation, we define the output of the hash function to account for 160 bits, the random/non-random number as 160 bits, the elliptic curve points as 320 bits, the identifier as 64 bits, and the timestamp as 32 bits. The message sent by V i in our protocol is Msg 1 = fB 1 , V 1 , T 1 g and the communication cost is [160 + 160 + 32], the message sent by F j is Msg 2 = fRFID j , B 1 , B 2 , V 1 , V 2 , T 2 g and Msg 4 = fB 4 , V 4 , T 4 g and the communication cost is [160 + 160 + 160 + 160 + 160 + 160 + 160 + 32 + 160 + 160 + 32], and the CS sends a message with Msg 3 = fB 3 , B 4 , B 5 , V 3 , T 3 g with a communication cost of [160 + 160 + 160 + 160 + 160 + 32], adding up to a total cost of 2208 bits. After our calculation of the message data size transmitted by the protocol in Figure 6 at each stage, the total calculation is shown in Figure 6. At stage V i , our protocol spends the least amount of communication, imposing the least amount of computational stress on the vehicle user. In stage F j , our fog node computational pressure is not significantly different from Wu et al.'s 17 protocol; however, it is much better than other protocols and can reduce communication costs. For the cloud server, the communication cost of our protocol is the same as that of Jia et al. 25 and is not much different from that of Wu et al. 17 in terms of overall communication cost, and our protocol is the least expensive in terms of communication cost, which is less than half of that of Ma et al. 24 In short, although our protocol has a negligible difference in computational cost compared to Wu et al.'s protocol, we are better than Wu et al.'s protocol in terms of communication cost, not to mention that our protocol has better security than Wu et al.'s protocol and can withstand attacks that Wu et al. cannot. All things considered, our protocol is very efficient and secure.   25 6T h + 2T sm + 1T bp 4T h + 2T sm + 1T bp 11T h + 3T sm + 1T bp 21T h + 7T sm + 3T bp ' 83.2275 Eftekhari et al. 26 11T h + 3T sm + 1T ad 12T h + 3T sm + 1T ad 15T h + 3T sm + 2T ad 38T h + 9T sm + 4T ad ' 52.1903 Wu et al. 17 7T

Conclusion
In this study, we improved the protocol proposed by Wu et al. in social telematics. The improved protocol is a fast and secure authentication protocol based on the fog node that operates in the SIoV, which does not ensure perfect forward security and is not resistant to insider and smart card theft attacks. The improved protocol not only compensates for the vulnerabilities and flaws of the existing protocol and can successfully resist attacks that the original protocol cannot, but can also resist replay attacks, insider attacks, simulated attacks, and more aggressive known session-specific temporary information attacks. It also exhibits excellent performance and efficiency in terms of security and computational cost. Therefore, it can be considered more suitable for use in fog-based SIoV. Contemporary research needs to address not only connected vehicle problems, but also some ancillary classes of problems, such as high precision maps. Currently, there are technical challenges for high precision maps, as well as policy and regulatory challenges, and this aspect is beyond the scope of this article. In the future, SIoV will become a new starting point and a new pursuit for IoV development. SIoV will help vehicles become fully intelligent and greatly improve the user's travel experience. We should be thankful that we live in an era of rapid social change, and I hope this article will provide a reference to address the security of SIoV data.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.