Authentication and Key Agreement Algorithm for Handover of Next-Generation High-Speed Railway

Chen, Yong; Liu, Wen; Zhang, Wei

doi:https://doi.org/10.1155/2023/2929889

Security and Communication Networks

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2023 | Article ID 2929889 | https://doi.org/10.1155/2023/2929889

Authentication and Key Agreement Algorithm for Handover of Next-Generation High-Speed Railway

Yong Chen,¹Wen Liu,¹and Wei Zhang²

Academic Editor: Chien-Ming Chen

Received10 Sept 2022

Revised04 Dec 2022

Accepted12 Dec 2022

Published12 Jan 2023

Abstract

In order to solve the problems that the handover key in the handover authentication protocol of 5 G-R wireless communication system under the next-generation high-speed railway does not have forward security and authentication efficiency is low, a novel 5 G-R handover authentication and key agreement algorithm is proposed. First, the authentication information is used to replace the identity information in the handover request message, which overcomes the shortcomings of the clear text transmission of the identity information. Second, a handover key update strategy based on lattice theory is designed. The dynamic update and forward and backward security of the handover key are realized by using the feature function and the auxiliary module function on the lattice. Third, the message authentication code is added to realize mutual authentication between communication parties, which can effectively prevent replay, the man in the middle, and other malicious attacks. Finally, the strand space formalization method is used for security verification. The results show that the proposed method not only has higher security and efficiency than other comparison methods but also can meet the high-security requirements of the next-generation 5 G-R handover authentication.

1. Introduction

With the vigorous development of the high-speed railway, the intelligent development of the high-speed railway has become a major strategic demand of the country [1]. As the next-generation mobile communication system of high-speed railway, 5 G for railway (5 G-R) has the advantages of large bandwidth, low delay, and large connection [2]. However, when the train uses the 5 G-R network, it will handover more frequently, which will make the mobility management and data privacy protection of 5 G more important [3]. Therefore, the research on 5 G-R train-to-ground communication technology is of great significance to ensure the safe, reliable, and efficient operation of railways and promote the development of the intelligent railway.

5 G-R adopts the 5 G-AKA protocol defined by 3GPP as the train-to-ground authentication key agreement protocol [4]. In order to further ensure the interconnection of trains in the handover process, prevent various attacks, and provide data integrity, confidentiality and security for train-to-ground communication, scholars at home and abroad have carried out a lot of research work on the handover authentication key agreement protocol.

In view of the problem that the key in the 5 G network handover authentication and key update mechanism does not realize forward security, In Reference [5] proposed a scheme combining initial authentication and handover authentication based on an elliptic curve algorithm, which realizes forward and backward security of the key and can defeat DoS attacks, redirection attacks, and other malicious operations. However, due to the use of more elliptic curve calculations, this scheme has a large computation overhead. In Reference [6] used an elliptic curve key exchange algorithm and random number generation to achieve key negotiation between the UE and the target base station, which can defeat various attacks such as man in the middle and replay, and reduce the computation overhead of the handover authentication key agreement protocol. However, in this scheme, the interactive signaling between the UE and the target base station increases, and the communication overhead increases. Reference [7] proposed a handover authentication key agreement protocol based on the certificateless algorithm of the elliptic curve. This scheme enables the mobile terminal to initiate a key update request actively and complete the key update by using a trusted third-party key generation center, but this scheme requires a large overhead. Reference [8] proposed a handover authentication key agreement protocol based on the collision characteristics of threshold hash function and the tamper resistance of blockchain, which realized the anonymity, traceability, perfect forward security, and other security attributes of the handover, but it was difficult to defeat man in the middle attacks and disguised user attacks. At the same time, due to its additional use of point multiplication key operations, the protocol had a huge overhead. Reference [9] proposed a secure handover authentication and key management protocol, which reduces the computation and communication overhead. However, in this scheme, the handover authentication information is encrypted and transmitted by the original session key, which is easy to be stolen by attackers. Reference [10] used an elliptic curve algorithm and anticollision hash function to reduce the computation overhead and communication overhead required for handover authentication key agreement protocol, but this scheme did not achieve handover anonymity and could not defeat quantum attacks. Reference [11] proposed a seamless handover authentication protocol based on identity encryption and an elliptic curve algorithm, which solved the problems of high computation efficiency and communication overhead in handover authentication. However, this scheme does not achieve traceability and is difficult to defeat man in the middle attacks. Reference [12] used the Chinese remainder theorem to reduce the computation and communication overheads of the handover authentication key agreement protocol, but the scheme did not achieve the anonymity and traceability of the handover.

The major contribution of this paper is as follows: first, this paper proposes a 5 G-R handover authentication key agreement scheme based on lattice difficulties. This scheme uses authentication information instead of identity information to transmit, which avoids the problem of clear text transmission of identity information, and realizes handover anonymity. Second, the session key is negotiated between the UE and the target base station by using the lattice-based feature function and auxiliary module function to achieve the forward and backward security of the handover key and ensure the integrity and confidentiality of the handover authentication communication session. Thirdly, the mutual authentication between the two parties of the protocol communication is completed by adding the timestamp and message authentication code of the train-to-ground handover authentication message, which can resist man in the middle attacks, replay attacks, quantum attacks, and other malicious attacks. Finally, the strand space method is used to verify the formal security of the scheme proposed in this paper. The analysis shows that the scheme not only has higher advantages in security but also has higher advantages in computation and communication overhead, which can meet the security and reliability requirements of 5 G-R train to ground handover authentication.

The remainder of this paper is organized as follows: We review 5 G-R handover foundation of high-speed railway in Section 2. Our proposed scheme is described in Section 3. The security analysis is expressed in Section 4. The performance analysis is conducted in Section 5. Finally, we draw a conclusion in Section 6.

2. 5 G-R Handover Foundation of High-Speed Railway

2.1. 5 G-R Handover Architecture

The handover architecture in 5 G-R is shown in Figure 1 [2]. The 5 G-R handover architecture of high-speed railway is mainly composed of user equipment (UE), radio access network (RAN), and core network 5 GC (5 GC). The wireless access network RAN is mainly composed of 5 G base stations (NR Node B and gNB). The core network 5 GC is mainly composed of the service network (SN) and the home network (HN). The service network SN allows the user equipment UE to access the core network 5 GC through the wireless access network RAN. The home network HN generates the identity authentication vector AV and stores the subscription permanent identifier (SUPI) and long-term key K shared with UE.

In Figure 1, 5 GC, the 5 G-R network core network mainly adopts a service-oriented architecture, which is composed of network elements belonging to SN, such as access and mobility management function (AMF), authentication server function (AUSF), unified data management (UDM), and other network elements belonging to HN. The 5 GC of the core network mainly realizes user authentication, user data management, session management, mobility management, policy management, and other basic functions.

2.2. 5 G-R Key Hierarchy

The 5 G key structure is shown in Figure 2. In the 5 G key structure, the UE and the core network HN share a long-term key K in advance, which is used to derive all subsequent session keys. During handover authentication, the UE and the core network HN calculate KSEAF and then derive the key KAMF, which can derive the keys KNASint, KNASenc, KgNB, and KN3IWF. The first two keys are used to ensure the confidentiality and integrity of NAS layer signaling. The key KN3IWF is used for the security of non-3GPP access, and the KgNB is used for protecting the communication security between the base station gNB and the UE in the 5 G. Finally, the UE and the gNB derive the remaining keys through the key KgNB and the next hop key NH in order to protect the confidentiality and integrity of the AS layer signaling and data. Among them, KUPint and KUPenc guarantee user plane security, and KRRCint and KRRCenc guarantee control plane security [4]. In Figure 2, the keys KAMF and KgNB are highlighted in red.

2.3. 5 G-R Handover Key Update Mechanism

In the 5 G-R network, when the UE handovers from the source base station gNB_s to the target base station gNB_t under the same AMF management, the handover key update process is shown in Figure 3.

As can be seen from Figure 3, the handover key is divided into a horizontal handover key and a vertical handover key. The negotiation key KgNB (also called ) between the UE and the gNB_t is derived from the gNB_s or the next hop key (NH). The key derived from the gNB_s is called a horizontal key. The key derived from NH is called a vertical key. The horizontal key derivation method and the vertical key derivation method are shown in the following formulas, respectively:where PCI (Physical Cell ID) is the physical identifier of the target cell, ARFCN-DL (absolute radio frequency channel number-down link) is the uplink and downlink absolute frequency channel number, NCC is the link count value, and NHNCC is the next hop key corresponding to NCC. The generation methods of NH and NHNCC are shown in the following formulas:

2.4. 5 G-R Handover Authentication Protocol

5 G-R network adopts the handover authentication key agreement protocol specified by 3GPP to ensure the safety of train-to-ground communication [4]. The entities participating in the protocol include the user equipment UE, the source base station gNB_s, the target base station gNB_t, and the access and mobility management function AMF. When the UE handovers from the source gNB_s to the target gNB_t under the same AMF management, it is called Xn handover. Table 1 presents the symbols and meanings of the agreement.

The specific steps of the 5 G-AKA handover authentication process are as follows:(1)AMF ⟶ gNB_t: M1: {NH, NCC} The AMF completes the initialization construction and sends a security parameter establishment initialization request to the gNB_t.(2)gNB_s ⟶ UE: M2: {NH, NCC} After receiving the message, the gNB_s forwards the message M2 to the UE.(3)UE ⟶ gNB_s: M3: {Initialization response} After receiving the message, the UE sets and to complete the initialization of the next hop key. And sends an initialization response message M3 to the gNB_s.(4)gNB_s ⟶ gNB_t: M4: {Handover request} The gNB_s initiates a handover request message M4 to the gNB_t after making a handover decision according to the initialization response.(5)gNB_t ⟶ gNB_s: M5: {NCC, PCI} The gNB_t returns a handover response message M5 including the security parameters {NCC, NH}.(6)gNB_s ⟶ gNB_t: M6: {, NCC} The gNB_s updates the next hop key NH: if the NCC received by the gNB_s is larger than the NCC of the currently used KgNB, after step {NH, NCC}, perform vertical derivation according to formula (2), otherwise, perform horizontal derivation according to formula (1). And forwards the message M6 to the gNB_t.(7)gNB_t ⟶ gNB_s: M7: {NCC} The gNB_t updates the AS layer key and sends a handover command message M7 to the gNB_s.(8)gNB_s ⟶ UE: M8: {NCC, PCI, EARFCN-DL} The gNB_s forwards the message M8 to the UE after receiving the HO handover instruction.(9)UE ⟶ gNB_t: M9: {Handover confirmation} After receiving the message, if the NCC received by the UE is larger than the locally stored NCC, the NH is synchronized and stored according to formula (5), and then vertically derived according to formula (2), otherwise, perform horizontal derivation according to formula (1). The UE updates the key . And sends a message M9 to the gNB_t.(10)gNB_t ⟶ AMF: M10: {Handover request} The gNB_t sends a path handover request message M10 to the AMF.(11)AMF ⟶ gNB_t: M11: {NCC, NH, NSCI} AMF synchronizes NH, sets , and sends a handover response message M11.(12)gNB_t ⟶ AMF: M12: {NSCI response} The gNB_t sends a message M12 after saving the data.

3. Proposed Protocol

Lattice is a group of points with periodic structure in n-dimensional space. Most of the operations on the lattice are linear operations such as matrix-vector addition and multiplication, which have the characteristics of parallel computing and high efficiency [13] and have a small computation overhead. In addition, lattice also has high security; compared with traditional public key cryptography based on large integer decomposition and discrete logarithm problems, cryptography based on lattice difficulty problems can defeat quantum attacks.

Lattice-based RLWE (ring learning with errors) difficulties: searchable RLWE problem: define the integer coefficient polynomial ring as , where , . Let is a polynomial quotient ring whose module is prime integer q, selecting polynomial vector a and secret value s uniformly and randomly on R_q, and selecting error vector e randomly and uniformly on , if known , let . Then the problem of solving s by a and b is called a searchable RLWE problem.

Deterministic RLW problem: let , where , , , , uniformly and randomly select the secret value s on R_q, and randomly and uniformly select the error vector e on , compute , . Denoted as the distribution of (a, b), the problem of whether distribution (a, b) and the random uniform distribution on can be distinguished with a non-negligible advantage is called the deterministic RLWE problem [14].

Lattice RLWE difficult problems have been proved to be reduced to approximate shortest vector problem (SVP) in ideal lattices of polynomial rings. Such problems are NP-hard problems under random reduction and can defeat quantum attacks [15].

According to the characteristics of high security and high efficiency of lattice cryptography [16], this paper proposes a lattice-based handover authentication key agreement algorithm. This scheme negotiates the session key between the train UE and the target base station gNB_t through the characteristic function on the lattice and the auxiliary modular function, which ensures the forward and backward security of the session key and can defeat various attacks. The message authentication code is added to achieve mutual authentication between the communicators. In this scheme, only vertical handover is considered, so before the UE makes a handover authentication request, it needs to complete registration at the target base station gNB_t, and then perform handover authentication key negotiation.

3.1. Handover Initialization Phase

During train-to-ground communication, when the train UE accesses the target base station gNB_t, it needs to complete the handover registration request at the gNB_t. The specific steps are as follows:(1)The UE sends a handover registration request to the target base station gNB_t(2)The gNB_t selects a random number and discretes Gaussian distribution , then selects , calculates the public key , and saves x(3)The gNB_t selects integer n and odd prime q that is , selects a hash function defined as (4)The gNB_t publishes parameters {n, q, c, P_i, h, } to the UE(5)The UE saves the parameters

3.2. Handover Authentication Phase

In order to ensure information security, integrity, and confidentiality in the handover authentication train-to-ground communication process, the train UE and the target base station gNB_t need to complete mutual authentication and negotiate the session key SK. The process of the handover authentication protocol is as follows:(1)UE ⟶ gNB_s: M1: {MAC_UE, T₁, C_UE, X_UE, G_UE, G₁, inau_UE} Before sending the handover authentication request information, the train UE needs to generate authentication parameters using the lattice-based feature function and the auxiliary modularization function. The detailed steps are as follows:①The UE generates time stamp T₁②Generates a random number r_u, randomly select f_u from the Gaussian sample distribution, and computes , ③Use characteristic function computes and auxiliary module function computes ④Computes and ⑤Computes , where the inau_UE contains relevant information of the target base station gNB_t, such as PCI and NCC⑥The UE sends a handover authentication request message M1 to the gNB_t(2)gNB_s ⟶ gNB_t: M2: {MAC_UE, T₁, C_UE, X_UE, G_UE, G₁, inau_UE} After receiving the message, the source base station gNB_s makes a handover decision, then look up the target base station gNB_t according to the PCI, and forwards the request message M2 to the gNB_t (3) gNB_t ⟶ UE: M3: {, T₂, , , G₂, } After the target base station, gNB_t receives the following message:①Generates time stamp T₂, verifies , if verification holds, reject the handover access request, otherwise, computes and , then to computes and , to verify . If they are equal, the accepted message has integrity, so that , , , then find the corresponding SUCI according to the IDUE, and use the user identifier decryption function (SIDF) to decrypt the SUPI from the SUCI.②Computes , verifies , if they are equal, the UE identity authentication is completed; otherwise, the handover authentication request is rejected.③Generates a random number r_t, randomly select f_t from the Gaussian sample distribution, and computes , . Use characteristic function computes and auxiliary module function computes .④Computes and .⑤Computes the session key between the gNB_t and UE: . Computes , where the inau_gNBt contains relevant information, such as PCI, ECI, and PLMN_ID.⑥Computes the next hop key and computes the vertical handover key .⑦The gNB_t sends a handover response message M3 to the UE. (4) After the UE receives the following message:①Generates time stamp T₃, verifies , if verification holds, reject the handover access request, otherwise, computes and verifies , if not, reject the handover response, otherwise, computes , , , then verifies , if they are equal, the accepted message has integrity, so that , .②Computes the session key between the UE and gNB_t: . Then, computes the next hop key and computes the vertical handover key .

To sum up, the train UE and the target base station gNB_t jointly negotiated the session key SK and derived the next hop key and the vertical handover key based on the key to ensure the security, integrity, and confidentiality of the subsequent call information.

4. Security Analysis

4.1. Informal Security Analysis

4.1.1. Key Forward/Backward Safety

In the handover authentication protocol, the handover key used to ensure the communication security between the train UE and the target base station gNB_t is easy to be stolen by an attacker to derive the previous/subsequent session key, which cannot really ensure the communication security.

In this scheme, the generation of the handover key depends on the session key SK between the UE and the target base station gNB_t, and SK is calculated using the lattice-based feature function and the auxiliary module function. If the attacker wants to crack SK, it must solve the RLWE problem on the lattice, which makes it impossible for attackers to distinguish distribution (a, b) of and the random uniform distribution on in polynomial time [14]. Therefore, this scheme has key forward/backward security.

4.1.2. Antireplay Attacks

In the handover authentication protocol, it is easy for an attacker to intercept messages transmitted in the wireless channel between the UE and the target base station gNB_t, thereby initiating a replay attack.

In this scheme, the authentication request message transmitted between the UE and the target base station gNB_t is {MAC_UE, T₁, C_UE, X_UE, G_UE, G₁, inau_UE}, and the message contains a timestamp T. the target base station gNB_t can judge whether it suffers from a replay attack by judging the validity of the timestamp. A replay attack can be avoided.

4.1.3. Anti-Man in the Middle Attack

In the handover authentication protocol, since mutual authentication is not performed between the UE and the target base station gNB_t, an attacker may tamper with, forward, or listen to the intercepted message as an intermediary.

In this scheme, the handover authentication request information sent between the UE and the target base station gNB_t is generated by using the lattice-based feature function and the auxiliary module function, and the communication parties judge whether they are attacked by the man in the middle by verifying the message integrity. If the attacker wants to obtain the handover authentication request information or response information, it needs to solve the RLWE problem on the lattice [15]. Therefore, the proposed scheme can defeat man in the middle attacks.

4.1.4. Antiquantum Attack

In the handover authentication protocol, the wireless channel is used between the UE and the target base station gNB_t for mutual transmission of communication signaling, which is vulnerable to attack.

In this scheme, the communication information between the UE and the target base station gNb_t is constructed by the lattice difficulty problem, which has been proven to be able to defeat quantum attacks [15], so this method can defeat quantum attacks.

4.2. Formal Security Analysis Using the Strand Space Model

The strand space model is a formal model used to analyze security protocols. This model can effectively analyze protocol security and realize mutual authentication between communication parties in the protocol [17, 18].

In this scheme, the communication parties participating in the handover authentication key agreement protocol are the UE and the target base station gNB_t. The strand space-directed figure of the method in this paper is shown in Figure 4.

According to the strand space-directed figure of the method in this paper, its initialization is defined as follows:(1)Name aggregate T_name, which includes UE and gNB_t(2)Suppose the strand space is Σ, s, t, Σ①Strand of UE s Init[UE, gNB_t, T₁, r_u, f_u, inau_UE, T₂, r_t, f_t, ], with the trace: tr(s) = <+{MAC_UE, T₁, C_UE, X_UE, G_UE, G₁, inau_UE}, −{, T₂, , , G₂, }>, where UE, gNBt T_name②Strand of gNB_tt Resp[UE, gNB_t, T₁, r_u, f_u, inau_UE, T₂, r_t, f_t, ], with the trace: tr(t) = <−{MAC_UE, T₁, C_UE, X_UE, G_UE, G₁, inau_UE}, +{, T₂, , , G₂, }>, where UE, gNB_t T_name③Attacker’s strand , is an aggregate of keys for attackers(3)After the definition and description of the strand space model are completed, the identity authentication and certification of the UE by the gNB_t will be performed. The formal certification process is as follows:①Construct test component, let C is a bundle, and , r_u uniquely originates at a node <s, 1>, the edge is r_u’s outgoing test in CUE. Similarly, the edge is f_u’s outgoing test in X_UE.②According to the outgoing test [17], there is a normal node m, , so that C_UE is the component of m and is a transformed edge of r_u. Similarly, there is a normal node n, , so that X_UE is the component of n and is a transformed edge of f_u.③According to the transformed edge [17], node m is a negative node. Suppose that m is a node in a strand t′ of gNB_t, and the strand t′ = [, , inau_UE′, , , , ′], so , .④Compare the components of the strand, by comparing the components in <s′, 1> and UE strand, we can get , Similarly, . Thus, the remaining components can be obtained , . Because the UE message authentication code is , the gNB_t realizes the identity authentication of the UE. The parameters r_u and f_u have freshness, so SK has freshness and security. The UE and the target base station gNB_t can communicate using the session key SK.(4)The formal steps for the UE to authenticate the identity of the gNB_t are as follows:①Construct test component, let C is a bundle, and , r_t uniquely originates at a node <t, 1>, the edge is r_t’s outgoing test in . Similarly, the edge is f_t’s outgoing test in .②According to the outgoing test [17], there is a normal node m, , so that is the component of m and is a transformed edge of r_t. Similarly, there is a normal node n, , so that is the component of n and is a transformed edge of f_t.③According to the transformed edge [17], node m is a negative node. Suppose that m is a node in a strand s′ of UE, and the strand s′ = [T₁′, r_u′, f_u′, inau_UE′, T₂′, r_t′, f_t′, ′], so , .④Compare the components of the strand, by comparing the components in <t′, 1> and gNBt strand, we can get , Similarly, . Thus, the remaining components can be obtained , . Because the gNB_t message authentication code is , the UE realizes the identity authentication of the gNB_t. The parameters r_t and f_t have freshness, according to , SK has freshness and safety. The target base station gNB_t and the UE can communicate using the session key SK.

From the above proof, it can be seen that in the handover authentication process, the train UE and the target base station gNB_t have realized mutual authentication and ensured the security and freshness of the interactive information, thus proving that the session SK can ensure the security of the interactive information.

Combining the above informal security analysis and the formal proof based on the strand space model, it can be concluded that in the method proposed in this paper, mutual authentication can be realized between the UE of the high-speed train and the target base station gNB_t, and its session key SK has freshness and security, and the handover key derived from SK has strong security, which is not easy to be obtained by attackers, so the proposed method has strong security. The security of communication information in the process of high-speed railway handover authentication can be guaranteed.

5. Performance Analysis

In order to prove the effectiveness of the scheme in this paper, the proposed scheme is compared with the methods in References [7, 10, 12].

Table 2 presents the comparison of safety performance between the scheme in this paper and the comparative methods. It can be seen from Table 2 that the traditional 5 G-R handover protocol cannot defeat most attacks and has large security vulnerabilities. In Reference [7], since no measures against replay attacks are taken during the transmission of communication information, it is easy for an attacker to intercept messages from the UE and launch replay attacks. Second, this scheme cannot defeat quantum attacks. In Reference [10], this scheme uses an elliptic curve key algorithm and hash function to realize the forward and backward security of the key and mutual authentication between the two sides of the communication. However, because the identity information is transmitted in plain text in the wireless channel, the anonymity of handover is not satisfied, which makes it easy for attackers to launch attacks against the target base station gNB_t. In addition, the scheme is also vulnerable to quantum attacks. Reference [12], proposed a handover authentication key agreement scheme based on the Chinese remainder theorem, which realizes the forward/backward security of the session key. However, mutual authentication between the two communication parties is not carried out in this scheme, which will make it easy for an attacker to launch a disguised user attack. In addition, this scheme uses the original key KAMF to encrypt the communication information, and the key KAMF is easy to be intercepted by an attacker so that the transmitted handover authentication information can be known, but communication security cannot be truly guaranteed.

As can be seen from Table 2, our proposed scheme not only realizes the key negotiation between the UE and the target base station gNB_t through the use of the feature function based on the lattice and the auxiliary module function, which has the forward and backward security of the key but also adds a time stamp to the authentication message, which can well defeat replay attacks. By using the authentication information, it realizes the anonymity of the handover, which can defeat masquerading user attacks and man in the middle attacks and has high-security performance.

Table 3 presents the comparison between this method and the existing comparative literature in terms of computation and communication overhead.

Since the Mod operation is only completed by the AND operation, the Mod operation overhead is ignored when comparing the computation overhead. According to the literature [10, 19], the relationship of various operations can be obtained as follows: T_PM > T_AES > T_f > T_Cha. It can be found from Table 3 that in terms of computation overhead: 5 G handover protocol < Our scheme < Reference [12] < Reference [10] < Reference [7]. 5 G handover protocol only uses hash operation to realize the security of handover authentication protocol, and this operation overheads less than other operations, so its computation overhead is the least. Although a large number of symmetric operations are used in Reference [12], the computation overhead of this operation is less than that of point multiplication, so the overhead is also less. Reference [10] uses a small amount of elliptic curve point multiplication and hash operations, so its computation overhead is less than that of Reference [7]. In Reference [7], in order to realize mutual authentication and key agreement between the two communication parties, more elliptic curve point multiplication operations are used, so its computation overhead is the highest. In our scheme, the feature function and hash function based on the lattice are used to realize mutual authentication and key agreement between the two sides of the communication, and the computation overhead of the feature function operation is the lowest among all the operations, so the computation overhead of this scheme is slightly higher than that of 5 G handover protocol.

In communication overhead, the 5 G handover protocol, as a traditional handover authentication key agreement protocol, requires the highest communication overhead. The reason is that when the UE handover to the target base station gNB_t, it requires the participation of the source base station gNB_s and the serving network AMF, and the number of information exchanges increases. Therefore, the 5 G handover protocol has the highest communication overhead. According to Table 2, it also has the lowest security, and cannot be directly applied to the 5 G-R handover authentication process. The communication overhead Reference [10] is the least. It can be seen from Table 2 that it cannot defeat quantum attacks and disguised user attacks and cannot meet the handover anonymity. The communication overhead of References [7, 12] is similar. Both methods reduce the communication overhead required in the handover authentication process by transmitting less authentication information. However, according to Table 2, Reference [7] cannot defeat replay attacks and quantum attacks. Reference [12] cannot defeat masquerading user attacks and quantum attacks and does not satisfy mutual authentication and handover anonymity. The communication overhead of our scheme is second only to the 5 G handover protocol because the scheme in this paper adds authentication information, message authentication code, and other communication information in order to realize the integrity and security transmission of communication signaling in the handover authentication process, so it has high communication overhead. However, according to the security performance analysis in Table 2, the scheme in this paper has the highest security performance and can meet the needs of handover authentication key negotiation.

In order to further verify the effectiveness of the scheme in this paper, the impact of the change of UE number on the computation overhead and communication overhead of the train-to-ground authentication key agreement protocol will be analyzed. When measuring the computation overhead required by the protocol, the time required for a single operation in the literature [10, 19] is used as the reference value, where the key/key derivation function/MAC function/hash operation is 0.0194 ms, elliptic curve point multiplication operation is 1.023 ms, the symmetric operation is 0.109 ms, and characteristic function operation is 0.0000355 ms. Substitute the above values into the computation overhead s obtained in Table 3. The comparison results of calculation computation overheads with the number of UEs are shown in Figure 5.

It can be seen from Figure 4 that in the process of handover authentication, with the increase in the number of UEs, the computation overhead required for authentication increases. Among them, the 5 G handover protocol requires the least computation overhead in all the comparative literature because the 5 G handover protocol requires a simple operation, with the least computation overhead. However, from the comparative analysis of security performance in Table 2, it can be concluded that the security performance of the 5 G handover protocol is also the lowest in all comparative literature, and it cannot meet the security communication requirements of the 5 G-R handover authentication. Reference [12] uses symmetric operation and hash operation to reduce the computation overhead required by the handover authentication process. Both References [7, 10] use elliptic curve operations to ensure handover security. However, Reference [7] uses more elliptic curve operations, so its computation overhead is higher than Reference [10]. Table 2 shows that the schemes proposed in the above literature have security vulnerabilities. The computation overhead of the scheme in this paper is second only to that of the 5 G handover protocol because the lattice-based feature function and hash function are used to reduce the computation overhead. At the same time, the scheme in this paper not only achieves mutual authentication, key forward and backward security, and other security performances but also can resist many malicious attacks such as masquerading user attacks, quantum attacks, and so on, with high security.

Finally, we get the comparison results of communication overhead, as shown in Figure 6.

As can be seen in Figure 6, with the increase in the number of UEs, the amount of transmission information in the authentication process increases, and the communication overhead also increases. In addition, Reference [10] reduces the number of interactions between the two sides of the two-way communication and requires the least communication overhead. However, this scheme does not meet the requirements of handover anonymity, and its security performance is poor. The communication overhead of References [7, 12] is similar, but it can be seen from Table 2 that Reference [7] cannot resist replay attacks and quantum attacks and does not meet the security requirements of handover authentication. Reference [12] does not achieve security performance such as mutual authentication and handover anonymity. The 5 G handover protocol has the highest communication overhead because in the handover authentication process, in order to ensure that the UE of the train accesses the target base station gNB_t, the service network and the source base station need to participate. The number of interactions increases, and the communication overhead increases. The communication overhead of the scheme in this paper is only inferior to the 5 G handover authentication protocol. In order to realize the secure transmission of signaling between communication parties, a series of additional information such as timestamps, message authentication codes, and authentication messages are added to the scheme in this paper, which increases the traffic.

To sum up, our scheme has strong not only advantages in security but also has certain advantages in communication and computation overhead, thus verifying that the proposed scheme can meet the security requirements of 5 G-R handover authentication.

6. Conclusions

Aiming at a series of security and efficiency problems in the 5 G-R handover authentication process, this paper proposes a 5 G-R handover authentication key agreement algorithm based on lattice difficulties. The lattice feature function and auxiliary module function are used to ensure the integrity and security of information in the communication process. The dynamic update and forward and backward security of the handover key are realized. Finally, the strand space method is used for formal verification and analysis. The results show the following:(1)The authentication information is used to replace the identity information for transmission, which avoids the problem of clear text transmission of identity information, and realizes the anonymity of handover and the integrity of handover request information.(2)The session key is negotiated between UE and the target base station using the lattice-based feature function and auxiliary module function, which realizes the forward and backward security of the handover key and ensures the security and confidentiality of the handover authentication communication session.(3)By adding the time stamp and message authentication code of the train to ground handover authentication message, the mutual authentication between the two parties of the protocol communication is completed, which can resist man in the middle attack, replay attack, camouflage user attack, and other malicious attacks.(4)The strand space method is used to verify the formal security of the scheme proposed in this paper. Because the method used in this paper is constructed based on lattice difficult problems, it improves the computation efficiency of the protocol, can resist quantum attacks, has high security, and can better meet the security requirements of 5 G-R handover authentication.

Recently, some authors also point out that the protection mechanism of SQN can be defeated due to its use of XOR in the 5 G-AKA protocol. We will further study this security problem in the future.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was supported in part by the National Natural Science Foundation of China under grant nos. 61963023 and 61841303, in part by the Lanzhou Jiaotong University Basic Top-Notch Personnel Project under grant no. 2022JC36, and in part by the Tianyou Innovation Team of Lanzhou Jiaotong University under grant no. TY202003.

References

Z. Xue, B. Ai, G. Y. Ma, Y. Y. Ma, and G. Q. Li, “A novel multiple access approach for 5G-R massive IoT scenario,” Journal of the China Railway Society, vol. 44, no. 2, pp. 56–63, 2022.
View at: Google Scholar
W. Guo, Z. J. Ren, J. Liu, W. F. Zhang, R. Wei, and X. M. Wang, “Signal safety communication protocol for high-speed train control system based on 5G architecture,” Journal of the China Railway Society, vol. 44, no. 9, pp. 55–64, 2022.
View at: Google Scholar
J. Kim, P. V. Astillo, I. You, and Dmm-Sep, “DMM-SEP: secure and efficient protocol for distributed mobility management based on 5G networks,” IEEE Access, vol. 8, pp. 76028–76042, 2020.
View at: Publisher Site | Google Scholar
3Gpp Ts33 501, “Technical specification 3rd generation partnership project,” Technical Specification Group Services and System Aspects, ETSI, Sophia Antipolis, France, 2022.
View at: Google Scholar
A. Sharma, I. Sharma, and A. Jain, “A construction of security enhanced and efficient handover AKA protocol in 5G communication cutwork,” in Proceedings of the International Conference on Computing, Communication and Technologies, pp. 1–6, Baniatangi, Bhubaneswar, India, June 2019.
View at: Google Scholar
J. Kim, D. G. Duguma, P. V. Astillo et al., “A formally verified security scheme for inter-gNB-DU handover in 5G vehicle-to-everything,” IEEE Access, vol. 9, pp. 119100–119117, 2021.
View at: Publisher Site | Google Scholar
Q. M. Cui, W. J. Zhao, X. Y. Gu et al., “Efficient handover authentication and secure key-updating mechanism for B5G networks,” Journal on Communications, vol. 42, no. 12, pp. 96–108, 2021.
View at: Google Scholar
Y. H. Zhang, R. H. Deng, E. Bertino, and D. Zheng, “Robust and universal seamless handover authentication in 5G hetnets,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 2, pp. 858–874, 2021.
View at: Publisher Site | Google Scholar
J. Q. Huang and Y. Qian, “A secure and efficient handover authentication and key management protocol for 5G networks,” Journal of Communications and Information Networks, vol. 5, no. 1, pp. 40–49, 2020.
View at: Publisher Site | Google Scholar
S. Gupta, B. L. Parne, N. S. Chaudhari, and S. Saxena, “SEAI: secrecy and efficiency aware inter-gNB handover authentication and key agreement protocol in 5G communication network,” Wireless Personal Communications, vol. 122, no. 4, pp. 2925–2962, 2022.
View at: Publisher Site | Google Scholar
A. Ozhelvaci and M. Ma, “A fast and secure uniform handover authentication scheme for 5G hetnets,” Lecture Notes in Computer Science, vol. 12616, pp. 119–131, 2021.
View at: Google Scholar
Z. Xie, X. S. Ji, and W. You, “Handover authentication method and key agreement protocol between gNBs based on CRT,” Application Research of Computers, vol. 39, no. 11, pp. 3450–3454, 2022.
View at: Google Scholar
R. Bavdekar, E. J. Chopde, A. Bhatia, K. Tiwari, S. J. Daniel, and Atul, “Post quantum cryptography: techniques, challenges, standardization, and directions for future research,” vol. abs/2202, Article ID 02826, 2022, https://arxiv.org/abs/2202.02826.
View at: Google Scholar
C. Wang, Y. L. Han, X. W. Duan, and Y. Li, “NTRU-type proxy re-encryption scheme based on RLWE difficult assumption,” Journal of Cryptologic Research, vol. 8, no. 5, pp. 909–920, 2021.
View at: Google Scholar
V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” Journal of the ACM, vol. 60, no. 6, pp. 1–35, 2013.
View at: Publisher Site | Google Scholar
G. Xu, Y. B. Cao, S. Y. Xu et al., “A searchable encryption scheme based on lattice for log systems in blockchain,” Computers, Materials and Continua, vol. 72, no. 3, pp. 5429–5441, 2022.
View at: Publisher Site | Google Scholar
M. Buragohain, N. Sarma, and Pksn, “A pairing based key management scheme for heterogeneous sensor network,” in Proceedings of the 2018 10th International Conference on Communication Systems and Networks, pp. 198–205, Bengaluru, India, January 2018.
View at: Google Scholar
M. M. Yao, J. Zhang, and X. Weng, “Research of formal analysis based on extended strand space theories,” Lecture Notes in Computer Science, vol. 11644, pp. 651–661, 2019.
View at: Google Scholar
S. Rana and D. Mishra, “Lattice-based key agreement protocol under ring-LWE problem for IoT-enabled smart devices,” Sādhanā, vol. 46, no. 2, pp. 84–11, 2021.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2023 Yong Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies