1. Introduction

With widespread adoption of electric vehicles (EVs) and internet-of-things (IoT), smart grids with IoT have become promising solutions to control distributed energy and electricity generation [1]. Internet-of-things is applicable to various forms for vehicular systems, such as vehicular ad hoc networks, vehicle to grid (V2G), vehicle to vehicle (V2V), and internet of vehicle (IoV). Vehicles generally have various communication and measuring sensors, including speed, position, Bluetooth, Wi-Fi and On-board units (OBU). The sensors in vehicle collect and share data such as speed, location, identity and movements. However, an adversary can intercept, modify and reuse the sensitive data of user, and then try to obatin user’s sensitive data because it is transmitted via public network. Therefore, secure mutual authentication and key agreement must be guaranteed to provide secure communication and protect user’s privacy.

In the past decades, the numerous authentication and key agreement schemes for vehicular systems in IoT have been studied to achieve essential security requirements [2,3,4,5,6,7,8,9,10]. Although these schemes try to ensure privacy and enhance efficiency, their scheme is vulnerable to various potential attacks such as distributed denial of service and privileged insider attacks because it is based on trusted third party to provide high security level. If the trusted third party is compromised, their schemes cannot provide services. For these reasons, authenticaion and key agreement schemes without a trusted third party must be proposed to achieve integrity, confidentiality, availability and reliability, considering resource-constrained devices

The smart grid provides reliable, sustainable, stable, and efficient electricity supply. EV charging management is a particularly important issue for smart grids, and related studies have been proposed [11,12,13,14,15,16], providing EV charging for users when they want to use it. However, traditional smart grid systems provide charging services based on a third party and are vulnerable to various attacks, including distributed denial of service and privileged insider attacks. If the third party is compromised, users cannot use EV charging, and smart grid systems with IoT must also consider efficiency, because EV sensors as OBU in EV also have low power and small memory.

Several studies have proposed blockchain approaches to overcome these security weaknesses and enhance efficiency [17,18,19,20,21,22]. Blockchain [17] technology guarantees decentralization, verification, and integrity, and is applicable to various fields, including smart grids, healthcare, finance, markets, and voting. Generally, blockchains consists of data blocks, called transactions, where each transaction includes data regarding previous transactions using a hash algorithm [18]. However, early blockchain studies focused on cryptocurrency, e.g., Bitcoin and Ethereum, which have significant scalability problems. Hyperledgers [19], which do not generate cryptocurrency, have been proposed to overcome these problems and solve scalability. Huang et al. [20] proposed blockchain based EV charging management security model using smart contracts and the lightning network.

This paper demonstrates that Huang et al.’s charging system [20] has inefficient charging mechanisms such as the deposit problem, generating transaction and cost of transaction fee. Huang et al.’s system also does not guarantee security of keys. Consequently, we propose a secure charging system for electric vehicles using a hyperledger to improve security and efficiency. Our main contributions are as follows.

(1)

We demonstrate security weaknesses of Huang et al.’s model, and highlight its inefficiencies.

(2)

We propose a secure charging system for EV based on blockchain to solve these security weaknesses and improve efficiency.

(3)

We perform informal analysis to demonstrate the proposed system is secure against various attacks, and prove that it provides secure mutual authentication using Burrows–Abadi–Needham (BAN) logic. We also perform formal security verification using the AVISPA tool and compare performances with previous schemes.

(4)

We analyze the computational and communication costs compared with other related existing schemes.

1.1. Organization

The remainder of this paper is organized as follows. Section 2 introduces the proposed blockchain-based EV charging model. Section 3 and Section 4 review Huang et al.’s scheme and analyze its security flaws. Section 5 proposes a secure charging system for EV based on blockchain. Section 6 provides informal analysis to verify the proposed system’s security and proves that the system mutual authentication using BAN logic. We also demonstrate that the proposed system is secure against replay and man-in-the-middle attacks using the AVISPA simulation tool. Section 7 compares the proposed system’s performance with related previous schemes. Finally, Section 8 summarizes and concludes the paper.

1.2. Related Works

There are several authentication and key agreement schemes for wireless sensor networks to resolve privacy and security issues [23,24,25,26]. In 2011, Roman et al. [23] analyzed existing authentication and key management schemes for WSN in IoT to enhance security and performance. In 2014, Turkanovic et al. [24] first proposed an authentication and key agreement scheme based on IoT considering resource-constrained devices. However, in 2016, Amin et al. [25] showed that Turkanovic et al.’s scheme was vulnerable to smart card theft, offline identity-password guessing and user impersonation attacks, and proposed an enhanced authentication scheme to overcome these security problems. However, Lu [26] et al. pointed out that Amin et al.’s scheme did not prevent known session-specific temporary information attack and proposed improved authentication and key agreement scheme using symmetric key.

Numerous privacy protection schemes for a vehicular system in IoT ensure security and improve efficiency [2,3,4,5,6,7,8,9,10]. In 2016, Lo and Tasi [2] proposed an efficient authentication scheme for vehicular sensor networks to improve performance. Kumari et al. [3] also proposed a secure trust-extended authentication scheme for vehicular ad-hoc networks to ensure authenticity of messages. In 2017, Chin et al. [4] discussed the security vulnerabilities in the internet-of-things-based smart grid and Liu et al. [5] proposed efficient dual authentication and key agreement scheme in IoV. Mohit et al. [6] also proposed authentication protocol for smart vehicular system in IoT considering energy efficiency of sensor and Guo et al. [7] proposed secure information collection scheme for big data in large scale IoV. Zhou et al. [8] proposed an enhanced privacy-preserving authentication scheme for vehicle sensor network to overcome security weaknesses of the Kumari et al.’s scheme [3]. In 2018, Shen et al. [9] proposed privacy-preserving and lightweight key agreement scheme for V2G in social IoT to guarantee security of smart grid. In 2019, Wu et al. [10] proposed mutual authentication scheme for V2V in vehicular ad hoc network to achieve better performance and security.

Several previous studies have considered EV charging systems [11,12,13,14,15,16]. In 2013, Gan et al. [11] proposed a decentralized protocol for EV charging to improve charging efficiency. In 2016, Xu et al. [12] proposed dynamic EV scheduling using less laxity and longer remaining processing time principle. In 2010 and 2012, Lu et al. [13] and Kim et al. [14] proposed scheduling mechanisms to reduce waiting times at charging stations. In 2016, Tian et al. [15] proposed recommendation system in real-time to provide charging station information. Tang and Zhang [16] proposed a low complexity EV charging scheduling algorithm using near optimal solutions.

Many studies have guaranteed decentralization, verification, and integrity [17,19,21,22,27]. However, initial blockchain models have scalability problems. Lightning network [21] and hyperledger [19] networks have been proposed to overcome this problem and improve efficiency. Lightning networks establish trading channels outside the main blockchain to enhance network performance. Hyperledger solves scalability problem and removes the requirement for cryptocurrency transactions to enhance the performances. These systems incorporate smart contracts, a set of commitments, that improve performance and privacy without requiring a trusted third party [22,27].

Several blockchain-based EV charging management systems have been proposed to improve performance [20,28,29,30]. In 2017, Dubois et al. [28] proposed an app-based blockchain system using smart contracts to provide a charging service between EVs and charging stations without requiring a trusted third party. Knirsch et al. [29] proposed an EV charging system where the EV finds the best charging station by bidding on the blockchain. Li et al. [30] proposed a consortium blockchain for energy trading in the industrial IoT to guarantee fast and reliable energy trading using the Stackelberg game. In 2018, Huang et al. [20] proposed a blockchain-based EV charging management security model, incorporating authentication mechanisms using smart contracts and the lightning network. However, the lightning network has an inefficient charging mechanism and Huang et al.’s system does not guarantee security of keys.

2. System Model

This section presents a secure charging system model for EV based on blockchain and basic concept of hyperledger.

2.1. Hyperledger

Hyperledger [19] is an open source project proposed by the Linux Foundation in 2015. The purpose is to promote cross-industry cooperation with blockchain technology. Hyperledger focuses on enhancing blockchain performance and reliability without requiring cryptocurrency.

Hyperledger architecture comprises nine blockchain components.

1. Consensus layer: ensures agreement between transaction order and checks their validation.

2. Smart contract layer: processes transaction requests and verifies smart contracts are valid.

3. Communication layer: guarantees security for messages transmitted between nodes.

4. Data store abstraction: manages data.

5. Crypto abstraction: includes cryptographic algorithms or modules.

6. Identity service: sets up the blockchain network, manages user and system node registration, and provides authentication and authorization.

7. Policy services: provide various policies for blockchain systems.

8. APIs: provide various blockchain interfaces.

9. Interoperation: allows interoperation among blockchain instances.

Hyperledger provides scalability, confidentiality, complexity, essential security requirements, and compliance; and can also provide distributed ledgers, smart contracts, and friendly interfaces. Therefore, hyperledgers can be applied to various fields and disseminate blockchain technologies for cross-industry applications.

2.2. System Model

Figure 1 presents the proposed charging system for EV based on blockchain and our charging system comprises three entities: operator, energy aggregator (EAG), and user/EV; and incorporates four phases: initialization, registration, authentication, and charging, as follows.

1. EV registers their identity with the operator to access charging services.

2. EV and EAG authenticate each other.

3. EAG generates transactions.

4. EAG verifies the transaction is valid and records transactions on blockchain networks.

3. Review of Huang et al.’s Scheme

This section reviews Huang et al.’s blockchain based EV charging system [20], comprising four phases: registration, scheduling, authentication, and charging.

3.1. Registration Phase

Figure 2 shows how Huang scheme charging management includes EVs, charging piles (CPs) and operators (OP). Each participant is required to register in the open blockchain system. In Huang et al.’s scheme, lightning network transaction management system adopts an internet based cloud platform. The detailed steps are as follows.

Step 1:

EVs{_V1,_V2,⋯,_Vn}choose a random numberx∈_Zn*and calculate_Qi=_xiP. The EVs request a registration in a blockchain and broadcast_mi=I_Di||I_Dj||T,(1≤j≤n,i≠j), and(_mi,si_gi(H(_mi))).

Step 2:

CPs check whether the received signature is valid, and then compute signature_αi=f(_{xi xi+1})_xi+2Pand_Ci=_Epwi(_αi). Then, CPs send_mi=I_Di||s||_Ci||Tand(_mi′,si_gi(H(_mi′)))to the OP in the blockchain.

Step 3:

OP verifies the received the signature is valid and reusesP_Wi, whereP_Wiis shared with each participant to decrypt_αi. Subsequently OP computes_Ki=_EPWi(∑_αj)(1≤j≤n,i≠j)and broadcasts it in the blockchain.

Step 4:

After receiving key_Kifrom the OP, each participant decrypts_Kiand computes session keyK=_αi+∑_αj=_{∑i=1n αi}=f(_{x1 x2}P)_x3P+⋯+f(_{xn x1}P)_x2P. When a request is recorded in the blockchain, it is checked by all CPs.

3.2. Scheduling Phase

Figure 3 shows the Huang scheme includes four scheduling strategies to provide charging services and improve charging efficiency: minimum time, minimum waiting time, minimum total cost, and shortest path.

3.3. Authentication Phase

Figure 4 shows that EV and CP perform point-to-point (P2P) transactions under the Huang scheme, followed with mutual authentication to improve trading flexibility. Depending on scheduling strategies, the EV receives the recommendation from the OP, then EV and the selected CP authenticate each other, with mutual authentication performed between EV and CP when the EV arrives at the CP. The detailed authentication steps are as follows.

Step 1:

EV sends identityI_DEVto the CP, and then the CP checks whether it is valid through the blockchain networks. If it is valid, the CP returns charging request to the EV.

Step 2:

After receiving the charging request from the CP, the EV sends{_QCP,_PCP,I_DCP,_HCP,K}to the CP.

Step 3:

CP selects a random numberb∈_Zq*, current timestamp_Ti, and calculatesPI_DEV=RI_DEV⊕_H1(b_PCP),_QEV=bP⊕K,_HtEV=_H2(I_DEV,PI_DEV,_QEV,_TEV)andS_KEV=b+ϵ_HtEV. Then, the CP sends{PI_DEV,_QEV,_TEV,S_KEV}to the EV.

Step 4:

EV selects a random numberc∈_Zq*, calculates_REV=_cEVP,_HEV=_H3(I_DCP,PI_DEV,_QEV,_REV,_TEV)and_ξEV=S_KEV+_{cEV HEV}, and sends{I_DCP,PI_DEV,_QEV,_REV,_TEV,_ξEV}to the CP via the secure channel.

Step 5:

After receiving the message from the EV, the CP computes_HtEV=_H2(I_DEV,PI_DEV,_QEV,_TEV)and_HEV=_H3(I_DCP,PI_DEV,_QEV,_REV,_TEV), and checks the received signature. If it is not valid, the CP aborts the authentication phase. Otherwise, the CP selects a random numberd∈_Zq*and computes_RCP=dP,SK=_H4(d_REV,I_DCP,PI_DEV,_QEV,_TEV),_HCP=_H5(I_DCP,RI_DCP,_QEV,SK,d_REV), and_ξCP=_ϵCP+d_HCP. Finally, the CP sends{I_DEV,PI_DEV,_RCP,_ξCP}to the EV.

Step 6:

After receiving the message from the CP, the EV computesSK=_H4(c_RCP,I_DCP,RI_DEV,_QEV,_TEV),_HCP=_H5(RI_DEV, andI_DCP,_QEV,SK,d_RCP). The CP checks the received signature. If valid, the EV and CP achieve mutual authentication. Otherwise, the EV aborts mutual authentication. After mutual authentication, the session keySKis used to encrypt messages to ensure secure communications.

3.4. Charging Phase

Figure 5 shows the Huang scheme charging phase. After completing authentication, the EV performs charging and updates the transactions. The commitment is recorded in the blockchain. The detailed steps are as follows.

Step 1:

EV calculates commitmentC=_H5(I_DEV,_RCP,_ξCPP)including EV’s identity, random parameter, and signature.

Step 2:

CP verifies whether commitmentC=_H5(I_DEV,_{RCP ξCP}P)and current time stamps are valid. If valid, the CP starts charging for EV. Otherwise, this phase is aborted.

4. Problems of Huang et al.’s Scheme

This section discusses problems of Huang et al.’s scheme, such as deposit problem, inefficient transaction generation mechanism, and transaction cost.

4.1. Deposit Problem

In the scheduling phase of Huang et al.’s scheme, the OP recommends an efficient charging station using four strategies. However, the system has a deposit problem where EV needs to establish many payment channels for charging. In lightning networks, a deposit is used to establish a payment channel between two participants. However, an EV is mobile and cannot efficiently choose optimal charging stations because a payment channel must be established with each new charging station. Therefore, an EV unnecessarily spends many deposits, i.e., the mechanism is inefficient.

4.2. Inefficient Mechanism for Generating Transaction

The lightning network records a transaction in the blockchain when opening and closing a payment channel. When charging is completed at a charging station, the commitment transaction is generated and recorded in the blockchain. However, an EV already makes a transaction in the registration phase to allows access to the service, hence, two transactions are generated for one trade, i.e., an inefficient charging mechanism.

4.3. Cost of Transaction Fee

The Huang et al.’s scheme charges a transaction fee when a payment channel is opened or closed. However, after completing charging, an EV needs to re-register with the OP to use the service, hence re-opening the payment channel and incurring a transaction fee. Therefore, the Huang et al.’s scheme results in high transaction fees.

4.4. Security of Key

Huang et al. claimed their scheme provided known key security because the shared secret key K included unique random numbers for each participant. However, an adversary can steal the EV on-board unit (OBU) [31] and extract sensitive data stored in its memory using the power analysis attack [32,33]. Consequently, an adversary can obtain shared secret keys stored in the OBU, avoiding known key security.

5. Proposed Charging System for EV Based on Blockchain

This section proposes a blockchain based EV charging system that addresses the identified problems. Table 1 details the notation used for the proposed phases: initialization, registration, authentication, and charging.

5.1. Initialization Phase

The operator conducts system initialization to set up the networks and EAG is registered in network. The details initialization process is as follows.

Step 1:

OP selects a base point G on the elliptic curve_Epwith order n, where n is a large prime number.

Step 2:

EAG generates public key, private key, and random number_b1.

Step 3:

OP defines network configuration including channel members and policies, records it in a blockchain, and shares it with system participants.

5.2. Registration Phase

When it wants to access the charging system, EV_i generates its identity, password, public/private key pair, and then receives a random number from OP. Figure 6 shows the registration phase, with detailed steps as follows.

Step 1:

EV_iselects their identityI_Di, passwordP_Wi, generates random numbers_a1and_rEV, calculates a public key_rEV·GandHI_Di=h(I_Di||_a1), and then sendsHI_Diand_a1to OP through a secure channel.

Step 2:

OP chooses a random number_kopand calculates public keyP_Kop=_rop·G,_Ai=h(HI_Di||_a1),_Bi=_Ai⊕_kop, and_Ci=h(HI_Di||_a1||_kop). Finally, OP sends{_Bi,_Ci}to EV_i, modifies network configurations, and stores details in the blockchain.

Step 3:

EV_icomputes_Di=h(I_Di||P_Wi)⊕_ai,_Ei=h(_a1||I_Di||P_Wi)⊕_rEV; and stores{_Bi,_Ci,_Di, and_Ei}in memory.

5.3. Authentication Phase

When EV_iwants to use the charging service, EV_i and EAG must authenticate each other, and then generate a common session key. Figure 7 shows the authentication phase with detailed steps as follows

Step 1:

EV_iinputs identityI_Diand passwordP_Wi; and calculates_a1=_Di⊕h(I_Di||P_Wi),_rEV=h(_a1||I_Di||P_Wi)⊕_Ei,_Ai=h(HI_Di||_ai),_kop=_Bi⊕_Ai, and_Ci*=h(HI_Di||_a1||_kop). Then, EV_ichecks whether_Ci*=?_Ci. If valid, EV_icomputes_M1={_rEV·G,(_a1||HI_Di||_Ti)+_rEV·P_KEAG}, and_M2=h(_a1||HI_Di||_T1); and sends{_M1,_M2,_T1}to EAG.

Step 2:

After receiving{_M1,_M2,_T1}from EV_i, EAG calculates(_a1||HI_Di||_T1)=(_a1||HI_Di||_T1)+_rEV·P_KEAG−_rEAG·(_rEV·G)using the private key_rEAG. Then EAG computes_M2*=h(_a1||HI_Di||_T1)and verifies_M2*=?_M2. If valid, EAG authenticates EV_iand calculates_M3=_b1⊕_a1,_M4=h(I_DEAG||_a1||_b1||_T2), and session keySK=h(HI_Di||I_DEAG||_a1||_b1). Finally, EAG sends{_M3,_M4,_T2}to EV_i.

Step 3:

When EV_ireceives{_M3,_M4,_T2}from EAG, it computes_b1=_M3⊕_a1and_M4*=h(I_EEAG||_a1||_b1||_T2), and verifies_M4*=?_M4. If valid, mutual authentication between EV_iand EAG has been accomplished. EV_icalculates a shared session key,SK=h(HI_Di||I_DEAG||_a1||_b1).

5.4. Charging Phase

Charging commences after successfully completing authentication. Figure 8 shows the charging phase with detailed steps as follows.

Step 1:

EV_igenerates a transaction_TxincludingHI_Di;I_DEAG; charging records, prices, charging timeC_Ti, signature of EV_iand information of payment, and EV_icomputes_Di=h(HI_Di||I_DEAG||S_Ki). After that, EV_isends{_Tx,_Di}to the EAG.

Step 2:

After receiving the message from EV_i, EAG checks whether_Di*=?_Di. If it is correct, EAG checks whether the transaction information_Txis correct. Then, EAG adds the own signature to the transaction. Finally, the charging is started and EAG records the transaction_Txon the blockchain.

6. Security Analysis

This section demonstrates that the proposed system is secure against various attacks using informal analysis and proves the system provides secure mutual authentication using BAN logic [34], a widely accepted formal security analysis. We also show it is secure against replay and man-in-the-middle attacks using automated validation of internet security protocols and applications (AVISPA) [35] which is a formal security verification tool.

6.1. Informal Security Analysis

We perform informal security analysis to evaluate the proposed system security, and show the system can resist impersonation, replay, perfect forward secrecy, and session key disclosure attacks; and also provides secure mutual authentication and anonymity.

6.1.1. Impersonation Attack

If adversary EV_Aattempts to impersonate a legitimate user EV_i, EV_Amust successfully generate a request message_M2=h(_a1||HI_Di||_T1). However, EV_Acannot calculate the request message because they cannot obtain EV_i’s random number_a1, and real identityI_Di. EV_Aalso cannot obtain EV_i’s sensitive information because transmitted message_M1is encrypted by EV_i. Therefore, the proposed protocol prevents impersonation attack.

6.1.2. Session Key Disclosure Attack

In the proposed system, the adversary EV_Acannot generate a valid session keyh(HI_Di||I_DEAG||_a1||_b1)because EV_Acannot obtain EV_i’s real identityI_Di; or random numbers,_a1and_b1, generated by EAG. EV_Aalso cannot decrypt_M1without EV_i’s private key_rEV. Therefore, the proposed protocol can resist session key disclosure attack.

6.1.3. Perfect Forward Secrecy

Even if an EV_ilong-term private parameter of EV_iis compromised, EV_Adoes not obtain the previous session key. Suppose the long-term private parameter_a1is leaked. EV_Acannot obtainI_Dibecause they cannot decrypt_M1without the correct private key. Therefore, the proposed protocol guarantees perfect forward secrecy.

6.1.4. Replay Attack

Suppose EV_Aattempted a replay attack using previous transmitted messages. However, EV_Acannot reuse previous messages, because all transmitted messages include timestamps, and EV_iand EAG check all transmitted messages including the timestamps are correct. Therefore, the proposed protocol prevents replay attack.

6.1.5. Mutual Authentication

Section 6.1.1 and Section 6.1.2 demonstrate that EV_Acannot impersonate EV_iand obtain the session key. All transmitted parameters are checked by EV_iand EV_A. When EAG receives the request message{_M1,_M2,_T1}from EV_i, EAG decrypts_M1using its own private key, and verifies_M2. If valid, EAG authenticates EV_i. When EV_ireceives response{_M3,_M4,_T2}from EAG, it computes_b1=_M3⊕h(HI_Di||_a1)and_M4*=h(I_DEAG||_a1||_b1||_T2), and then verifies_M4*=h(I_DEAG||_a1||_b1||_T2). If valid, EV_iauthenticates EAG. Therefore, the proposed system provides secure mutual authentication because EV_iand EAG successfully authenticate each other using private keys.

6.1.6. Anonymity

Suppose EV_Aintercepts all previous transmitted messages to attempt to obtain EV_i’s real identity. However, all EV_iparameters, includingI_Di, are masked by hash or encryption. Therefore, the proposed protocol ensures anonymity.

6.2. Security Analysis Using BAN Logic

We perform a security analysis using BAN logic to demonstrate the proposed system provides secure mutual authentication between EV and EAG. Table 2 introduces BAN logic notations and defines the goals, rules, idealized forms, and assumptions to perform BAN logic analysis.

BAN Logic Rules

The BAN logic rules are as follows.

1.

Message meaning rule:

A|≡A↔KB,A⊲_XKA≡B∼X

2.

Nonce verification rule:

A≡#(X),A≡B|∼XA≡B≡X

3.

Jurisdiction rule:

A≡B⟹X,A≡B≡XA|≡X

4.

Freshness rule:

A|≡#(X)A|≡#X,Y

5.

Belief rule:

A|≡X,YA|≡X.

6.3. Goals

We define the following security goals to prove the proposed system ensures secure mutual authentication.

Goal 1:

EV∣≡(EV⟷SKEAG)

Goal 2:

EV∣≡EAG∣≡(EV⟷SKEAG)

Goal 3:

EAG∣≡(EV⟷SKEAG)

Goal 4:

EAG∣≡EV∣≡(EV⟷SKEAG)

6.3.1. Idealized Forms

The idealized forms are given below.

Ms_g1:

EV→EAG:(_a1,HI_Di,_T1)_⟶EAGP_KEAG

Ms_g2:

EAG→EV:_{(b1,IDEAG,T2)a1}

6.3.2. Assumptions

We define the following initial assumptions for the BAN logic proof.

_A1:

EAG∣≡#(_T1)

_A2:

EV∣≡#(_T2)

_A3:

EV∣≡(EAG⟷_a1EV)

_A4:

EAG∣≡#(P_KEAG)

_A5:

EAG∣≡#(_a1)

_A6:

EV∣≡#(_b1)

_A7:

EV∣≡EAG⇒(EV⟷SKEAG)

_A8:

EAG∣≡EV⇒(EV⟷SKEAG)

6.3.3. Proof using BAN Logic

The detailed steps of the BAN logic proof are as follows.

Step 1:

FromMs_g1,

_S1:EAG⊲(_a1,HI_Di,_T1)_⟶EAGP_KEAG

Step 2:

From the message meaning rule with_S1and_A4,

_S2:EAG∣≡EV∼(_a1,HI_Di,_T1)

Step 3:

Using the freshness rule with_A1,

_S3:EAG∣≡#(_a1,HI_Di,_T1)

Step 4:

From the nonce verification rule with_S2and_S3,

_S4:EAG∣≡EV∣≡(_a1,HI_Di,_T1)

Step 5:

Since the session keySK=h(HI_Di||I_DEAG||_a1||_b1), from_S4and_A5,

_S5:EAG∣≡EV∣≡(EV⟷SKEAG)(Goal4)

Step 6:

From the jurisdiction rule with_S6and_A8,

_S6:EAG∣≡(EV⟷SKEAG)(Goal3)

Step 7:

From theMs_g2,

_S7:EV⊲_{(b1,IDEAG,T2)a1}

Step 8:

Using the message meaning rule with_S8and_A3,

_S8:EV∣≡EAG∼_{(b1,IDEAG,T2)a1}

Step 9:

From the freshness rule with_A2,

_S9:EV∣≡#_{(b1,IDEAG,T2)a1}

Step 10:

From the nonce verification rule with_S9and_S10,

_S10:EV∣≡EAG∣≡_{(b1,IDEAG,T2)a1}

Step 11:

Since the session keySK=h(HI_Di||I_DEAG||_a1||_b1), from_S11and_A6,

_S11:EV∣≡EAG∣≡(EV⟷SKEAG)(Goal2)

Step 12:

From the jurisdiction rule with_S13and_A7,

_S12:EV∣≡(EV⟷SKEAG)(Goal1)

Therefore, the proposed protocol achieves secure mutual authentication between EV and EAG.

6.4. Formal Security AVISPA Tool for Formal Security Verification

To prove the proposed system is secure against replay and man-in-the-middle attacks, we performed formal security analysis using AVISPA [35], a widely accepted formal security verification tool to check systems or protocols can resist replay and man-in-the-middle attacks [36,37,38,39].

The AVISPA module was written in a high level protocol specification language (HLPSL) [40] and consists of four backends: Tree Automate-based Protocol Analyser (TA4SP), SAT-based Model-Checker (SATMC), CL-based Attack Searcher(CL-AtSe) [41] and On-the-Fly Model-Checker(OFMC) [42]. Detailed AVISPA and HLPSL are presented in [35,40].

6.4.1. HLPSL Specification of AVISPA Simulation

The HLPSL consists of three components: role, session, and environment, where role denotes entity, session includes system parameters, and environment includes intruder knowledge, security goal and authentication goal. Figure 9, Figure 10 and Figure 11 show HLPSL specifications for EV, EAG, and OP, respectively. Figure 12 shows session and environment roles.

Figure 9 shows the role for EV. In state 0, EV receives the start request and performs registration. EV sends the registration request{HI_Di,_a1}to OP via a secure channel, updates the state value to 2, and then checks whether the entity is a legitimate user using the secret function.

In state 4, EV receives response{_Bi,_Ci}from OP through a secure channel and sends the login request{_M1,_M2,_T1}to EAG via an open channel. EV also declares witness(EV,EAG,ev_eag_m2,A^1′)to prove that_a1is a weakness authentication factor. EV receives the response{_M3,_M4,_T2}from OP, and then calculates the session key and updates the state value to 6.

In state 6, EV declares request(EAG,EV,eg_{ge vm}4,B^1′) to authenticate each other. The HLPSL specifications for EAG and OP roles are described similarly (see Figure 10 and Figure 11).

6.4.2. AVISPA Verification Results

We used AVISPA with security protocol animator (SAPN) [43] to evaluate whether the proposed system was secure against replay and man-in-the-middle attacks. HLPSL is translated to intermediate format (IF) and the simulation results are presented in output format (OF). OFMC and CL-AtSe check whether our proposed system prevent replay and man-in-the-middle attacks. Figure 13 shows that OFMC backend visited 114 nodes with 0.72 s search time, and CL-AtSe backend analyzed the 2 states with 0.05 s translation time.

7. Performance Analysis

This section compares the proposed system computation and communication costs with related schemes [20,44,45]. Figure 14, Figure 15 and Figure 16 present the actual data workflow transmitted on our system to help understand the results of performance analysis. In Figure 14, operator provides the data for scheduling to EV and consensus nodes on blockchain verifty the validity of transactions.

7.1. Computation Cost

We compare computation overheads for the proposed system with related schemes [20,44,45], using the parameters from [46,47].

1. Bilinear pairing,_Tbp=4.211ms.

2. Scalar multiplication with bilinear pairing,_Tsm-bp=1.709ms.

3. Point addition with bilinear pairing,_Tpa-bp=0.007ms.

4. Scalar multiplication with elliptic curve cryptography,_Tsm−ecc=0.442ms.

5. Point addition with elliptic curve cryptography,_Tpa−ecc=0.0018ms.

6. Encryption with elliptic curve cryptography,_Tenc−ecc=1.17ms.

7. Decryption with elliptic curve cryptography,_Tdec−ecc=0.61ms.

8. Hash,_Th=0.0001ms.

9. Map-to-point,_Tmtp=4.302ms.

Table 3 compares computation costs for the considered schemes. In Figure 15, the EV’s computation costs of our system are (1.1707 + 0.0002 = 1.1709 ms), including_Tenc−eccand9_Th . In Figure 16, the EAG’s computation costs of our system are (0.6103 + 0.0001 = 0.6104 ms), including_Tdec-eccand4_Th.

In Huang et al.’s system [20], EV’s total computation costs are (0.4459 + 0.0001 = 0.4460 ms), including_Tsm-ecc,2_Tpa-eccand4_Th. EAG’s total computation cost is 0.8882 ms, including2_Tsm-ecc,2_Tpa-eccand7_Th.

The total cost for the proposed and Huang et al.’s scheme = 1.7811 and 1.3343 ms, respectively. Although the proposed protocol computation cost of somewhat higher than the Huang et al.’s scheme, it provides better efficiency and security than other related schemes.

7.2. Communication Cost

We compare communication overheads for the proposed system with related schemes [20,44,45]. We assume timestamp, random number and identity are 32, 64, and 128 bits, respectively [48,49,50]; and elliptic curve cryptography encryption and hash function are 320 and 160 bits, respectively. For the proposed system, we assume group G is generated by P with order q on elliptic curve cryptography^y2=^x3+ax+bmod p, where p and q are 160 bits prime numbers. Similarly,_G1,_G2 , and G are 1024, 160, and 320 bits, respectively. In Figure 15, the EV’s communication costs of our system are (512 + 736 = 1248 bits), including charging request messages{_M1,_M2,_T1}and transaction_Tx . In Figure 16, the EAG’s communication costs of our system are (256 + 320 = 576 bits), including response messages{_M3,_M4,_T2}and transaction_Tx*.

In Huang et al.’s system [20], EV’s total communication costs are (2368 + 160 = 2528 bits), including charging requset messages{I_DCP,_QCP,_PCP,K}, response messages{I_DCP,PI_DEV,_QEV,_REV,_TEV,_ζEV}and charging request messages_H5(I_DEV,_RCP,_ζCP,P). EAG’s total communication costs are 1760 bits, including response messages{PI_DEV,_QEV,_TEV,S_KEV}and{I_DEV,PI_DEV,_RCP,_ζCP}.

Table 4 shows communication cost results for all considered schemes. More particularly, the communication cost is efficient compared with other schemes in view of EVs. It is a very important advantage because EV is equipped with resourse-constrained devices as sensors. Thus, the proposed system provides more efficient communication than all other considered schemes.

8. Conclusions

With the rapid development of the IoT and embedded technologies, drivers can access various services. However, these services are vulnerable to potential attacks such as replay, impersonation and session key disclosure attacks because they are provided through public channels. Many traditional cryptographic algorithms such as RSA also are suitable to vehicular networks because a vehicle is equipped with resource-constrained sensors. Therefore, secure mutual authentication and key agreement are very important security requirements to guarantee privacy of users, considering the resource-constrained sensors.

This paper demonstrated that Huang et al.’s scheme does not provide high efficiency and security of keys, and has various authentication flaws, including excess deposits, inefficient transaction generation, and excess transaction fees. We proposed a secure charging system for electric vehicles based on blockchain to address these weaknesses, providing high efficiency, anonymity, perfect forward secrecy, and secure mutual authentication. We demonstrated that the proposed system prevents impersonation, session key disclosure, and replay attacks, proved secure mutual authentication between EV and EAG using BAN logic, and confirmed resistance to replay and man-in-the-middle attacks using AVISPA. We compared computation and communication costs with related schemes, and showed that the proposed scheme was superior to all considered schemes. Thus, the proposed system could be applied to IoT-based practical EV charging systems for resource-constrained devices.

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

Author Contributions

Conceptualization, M.K.; Formal analysis, K.P. and S.Y.; Software, J.L.; Supervision, Y.P.; Validation, K.P. and Y.P.; Writing—original draft, M.K.; Writing—review & editing, K.P., S.Y., Y.P., S.-W.L. and B.C.

Funding

This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIT) (No.2018-0-00312, Developing technologies to predict, detect, respond, and automatically diagnose security threats to automotive Ethernet-based vehicle).

Conflicts of Interest

The authors declare no conflict of interest.