A new secure offloading approach for internet of vehicles in fog-cloud federation

The Internet of Vehicles (IoV) plays a crucial role in advancing intelligent transportation systems. However, due to limited processing power, IoV faces challenges in independently handling large volumes of data, necessitating the use of offloading as a solution. Offloading data in wireless environments raises security concerns, highlighting the need for robust data protection mechanisms. This study introduces a secure offloading (SO) scheme within the Fog-Cloud Federation for IoV. The proposed NSO-VFC scheme undergoes both informal and formal analysis using the Avispa tool, demonstrating resilience against active and passive attacks. Performance evaluations indicate that the security measures of NSO-VFC meet acceptable standards compared to similar approaches. Nonetheless, the heightened focus on security incurs higher computational and communication costs than alternative strategies. Simulation experiments using the NS3 tool involve varying numbers of IoVs (50, 70, and 100), revealing that increased IoV density correlates with enhanced packet delivery rates and throughput within the NSO-VFC scheme.


Network system
The NSOS-VFC scheme is a sophisticated network system that is designed to efficiently handle communication and processing tasks within a hierarchical structure. At the core of this system are cloud servers, which are strategically placed in the first layer. These servers are centralized and possess high processing power, making them ideal for handling complex tasks. They are able to communicate with the trusted authority and the lower layers of the network. The second layer of the system is comprised of fog nodes, which are distributed throughout the network. These nodes have less processing power compared to the cloud servers, but they are able to manage communication within their own layer and with the upper and lower layers. The fog nodes are coordinated by a fog center, which ensures efficient communication and task distribution among the nodes. The third layer of the network system is where the end devices, known as IoVs, are located. These devices have limited processing power and rely on the fog layer for assistance with complex tasks. If an IoV is unable to handle a process due to its processing limitations, it can offload the task to the fog layer, which will then take care of processing it.
Overall, the NSOS-VFC scheme is a well-structured network system that leverages the strengths of cloud servers, fog nodes, and IoVs to ensure efficient communication and processing capabilities. This hierarchical approach allows for seamless coordination and task distribution within the network. Figure 1 shows the network system.

System threat model
In our network system, we introduce the Dolev-Yao (DY) representative attack model, which is utilized within the NSO-VFC scheme. As per the assumptions outlined in "System assumption", the communication channels within the network system are deemed insecure. This vulnerability opens up avenues for attackers to intercept, eavesdrop on, and manipulate messages exchanged between IoV and RSU entities. The attacker may also compromise both public and session keys utilized in the communication process. Within this attack model, all network connections are susceptible to exploitation by malicious actors. Mitigating eavesdropping and safeguarding against attacker interference present significant challenges in ensuring the security objectives of the NSO-VFC scheme. The attack model encompasses various threats, including Replay attacks, Man-in-the-middle (MITM) attacks, guessing attacks, brute-force attacks, Sniffer attacks, Impersonation attacks, Rainbow table attacks, and Stolen verifier attacks, all of which have the potential to compromise the security of the NSO-VFC scheme.

System assumption
• The NSOS-VFC scheme operates under the assumption that a malicious entity can impersonate any communicating party at any point during the communication process.
• There is a possibility of active and passive attacks in the stage of offloading.
• It is assumed that the attacker has high processing power and can perform attacks such as rainbow and brute force.
• Communication channels within the network are deemed insecure, leaving them vulnerable to interception and manipulation.
• There are no corrupt or rogue nodes that send data to the attacker.
• IoVs are unaware of the identities of access points, fog nodes, and cloud servers.
• Mutual awareness exists between the fog layer and cloud servers.
• Cloud servers are safeguarded against vulnerabilities.
• Data is not lost in cloud servers.
• The fog layer and access points have mutual knowledge of each other's identities.
• Each fog knows its subset of fog nodes.
• Data stored within the fog layer is secure and remains uncompromised.
• RSUs cannot alone act as representative devices for task offloading.
• The fog center can make decisions regarding device selection for offloading based on processing power.
• The fog center possesses information regarding the energy status of all IoVs.
• The device to be proposed for offloading has already been authenticated.
• Cloud servers must be informed by the fog center when a device is selected for offloading.
• Due to limited memory in RSUs, all encryption keys are centrally stored within the fog center.
• All IoVs within the fog and cloud environments operate on synchronized time settings.

Problem statement
IoVs, being mobile entities, are inherently constrained by limitations in memory and processing power. To address the challenges posed by heavy processing tasks, IoVs employ offloading strategies to offload tasks to external resources. However, the reliance on offloading introduces security vulnerabilities within the fog-cloud federation environment. Previous research often assumed a level of trust among vehicles in the fog environment, neglecting the potential threats associated with offloading. In this study, we aim to bridge the gap between theoretical assumptions and real-world scenarios by acknowledging the presence of security threats such as MITM attacks, replay attacks, and forgery attacks in our environment. It is imperative for IoVs to establish mutual trust and verify each other's identities before engaging in offloading tasks within the fog-cloud federation. Developing a robust authentication mechanism capable of securely confirming the identities of communication parties and resilient against both active and passive attacks is paramount in ensuring the integrity and security of the system.

NSO-VFC scheme
This section organizes the NSO-VFC into nine steps for description. Figure 2 shows the roadmap of the NSO-VFC.

Notations
Table 2 shows the Notations used in the NSO-VFC.

Initialization phase
First, IdRi and IdVisf select the elements aRi, bRi, aVisf, bVisf, and ∈ zp and satisfy the condition $y^2 = x^3 + ax + b \pmod{p}$ on the elliptic curve. In an elliptic curve, G is the base point, with the first order of  ). XR and Xvisf are randomly chosen as secret keys of IdRi and IdIisf. The public key can be generated by multiplying the secret key by G. Figure 3 shows the initialization phase.
Step 3: IdFi and IdTA check the time stamp; if it is smaller than the expiration time, IdFi stores CFi′ and CFi is stored by IdTA in the database.

Request offloading phase
Step 1: In some cases, Idvi has heavy tasks that are beyond its power and energy. In this case, it must offload its data to another device for processing. Because it does not know the processing power of nearby devices, it computes Rf = h (Idvi′ ⊕ Pr ⊕ TVi) and sends {Rf, Idvi′, Pr, TVi} to IdRi. Step

Completion of the offloading phase
Step 1: After authenticating and receiving the offloading for processing from Idvi, it starts processing and after finishing the processing, it sends {Processing result, IdIi, IdIisf} to Idvi and {Completion offloading, IdIisf, IdRi, BuIdVisf} to IdRi.

Security analysis
This section presents an informal and formal security analysis of the NSO-VFC.

Informal analysis
This section presents an informal analysis of the attacks defined as threats to the NSO-VFC in "System threat model".

Replay attack
In this attack, the main goal of the attacker is to record the exchanged messages in the network so that he can re-inject the recorded messages into the network after some time. In NSO-VFC, the attacker may want to capture the messages exchanged in all phases and use them as a legal tool to intrude. In the NSO-VFC, the time stamps TCs, TFi, TRi, TVi and TVisf are defined for the roles Cs, F, R, Vi, and in all exchanged messages, the time stamp is checked first before each action; if it is smaller than ∆T, the relevant operation is performed.
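The receiver-side check described here, applied to the request message {Rf, Idvi′, Pr, TVi} from "Request offloading phase", is sketched below as an added example that is not code from the paper. It rejects a stale timestamp and a request whose fields no longer match Rf. The ∆T value, the integer encoding of the fields, the rejection of future timestamps, and all function names are assumptions made for illustration.

```python
import hashlib

DELTA_T = 5      # assumed freshness window in seconds; the paper only names it ∆T
HASH_BYTES = 20  # SHA-1, 160 bits, as in the paper's communication-cost section


def h(value: int) -> int:
    """SHA-1 over the fixed-width big-endian encoding of an integer (assumed encoding)."""
    digest = hashlib.sha1(value.to_bytes(HASH_BYTES, "big")).digest()
    return int.from_bytes(digest, "big")


def build_request(idvi_masked: int, pr: int, tvi: int) -> dict:
    """Vehicle side: Rf = h(Idvi' XOR Pr XOR TVi), sent together with its inputs."""
    return {"Rf": h(idvi_masked ^ pr ^ tvi), "Idvi'": idvi_masked, "Pr": pr, "TVi": tvi}


def verify_request(msg: dict, now: int) -> str:
    """RSU side: the time stamp is checked first, then Rf is recomputed."""
    age = now - msg["TVi"]
    if age < 0:
        # Clocks are assumed synchronized, so a future time stamp is refused (added check).
        return "reject: timestamp in the future"
    if age >= DELTA_T:
        return "reject: stale timestamp"
    if h(msg["Idvi'"] ^ msg["Pr"] ^ msg["TVi"]) != msg["Rf"]:
        return "reject: Rf mismatch"
    return "accept"


def demo() -> list:
    t0 = 1_700_000_000               # constructed send time (seconds)
    idvi_masked = h(0x1234ABCD)      # constructed stand-in for Idvi'
    msg = build_request(idvi_masked, pr=0x2A, tvi=t0)
    tampered = dict(msg, Pr=0x2B)    # one field changed in transit, Rf left as sent
    return [
        verify_request(msg, now=t0 + 1),          # fresh and consistent
        verify_request(msg, now=t0 + DELTA_T),    # same message re-injected later
        verify_request(tampered, now=t0 + 1),     # fields no longer match Rf
        verify_request(msg, now=t0 - 1),          # time stamp ahead of the receiver
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```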

MITM attack
In this attack, the attacker is placed between two communication parties; the main goal of the attacker is to control the communication between them. In NSO-VFC, mutual authentication is done between Idvi, IdRi and Idvi, IdVisf, which disables the MITM attack. Sections "Login and authentication phase" and "Mutual authentication and offloading phase" show the steps of mutual authentication.

Brute-force attack
In this attack, the attacker checks all the possible state space to break the public or private keys used in the communication. To attack NSO-VFC, the attacker must extract all parameters of (Pvar1, Pvar2, Pvar3, Pvar4, Pvar5, Pvar6, Pvar7, Pvar8) and (Pofv1, Pofv2, Pofv3, Pofv4, Pofv5, Pofv6, Pofv7, Pofv8) from the messages, which is practically impossible due to checking ∆T; however, even if the attacker can extract these parameters, he cannot do non-virtual work because the keys XR and Xvisf are unknown to him, and there is nothing for him to randomly sense the numbers r1, r2, r3, r4, R1, and R2.

Impersonation attack
In this attack, the attacker monitors the legal messages sent in the network and tries to use the contents of the monitored messages for valid requests in the following sessions to gain illegal access. Assume that the attacker wants to falsify the identity of Idvi. Since the values are in memory and it is impossible to access them correctly, the attacker cannot forge the identity of Idvi without knowing the points of Pvar1 and Pvar2 and the secret key of PK = h (((IdRi ⊕ XR)||(IdRi ⊕ IdFi) ⊕ R1) ⊕ (Ps ⊕ Psw)).

Guessing attack
In this attack, the attacker aims to guess the password offline and online. Considering that Idvi calculates Pi = h (Idvi||TVi), Ps = h (Pwvi ⊕ Pi), Pw = h (Pow ⊕ Pi), Psw = h (((Ps||Pw) ⊕ Pi) ⊕ TVi), at the beginning and sends it to IdRi, no one except Idvi knows the contents of the transmitted data. Offline and online solutions are impossible without knowing the identity and password, so the NSO-VFC resists guessing attack.

Stolen verifier attack
In this attack, the attacker tries to attack the database to steal the stored usernames and passwords and use them for legitimate access. In the NSO-VFC, it is assumed that the fog layer and the cloud are not vulnerable; however, if the attacker can access the information stored in the cloud, a secret key and guessing random numbers are needed to calculate CFi = ((IdCs ⊕ Fvi)||IdTA) and CFi′ = h ((IdCs ⊕ Fvi)||(IdTA ⊕ TCs)). With the CFi in hand, the attacker cannot create a legitimate request for authentication.

Rainbow table attack
In this attack, the attacker uses a pre-computed database to break hash functions. The NSO-VFC is used in all stages of sending and receiving timestamped messages. If the time stamp of any sent packets is greater than the expiration time, the next step will not be performed, so the NSO-VFC is resistant to Rainbow table attack.

Sniffer attack
In this attack, the attacker tries to access the confidential data of the correct users by commenting and monitoring the network. Then she can establish legal communication between the parties. In the NSO-VFC, the messages sent between the communication parties are sent in the form of a hash; for this reason, the attacker cannot monitor the security parameters.

Provides confidentiality
In this scheme, we used the hash function and ECC to provide SO for IoV. Only authorized devices are allowed legal access. The examined items from "Replay attack" to "Sniffer attack" show that the proposed scheme is resistant to known attacks.

Formal analysis
This section provides a formal security analysis with Avispa for NSO-VFC.

AVISPA
AVISPA is a tool for formal security evaluation of protocols, and the simulation results show whether the protocol is safe or unsafe [29]. First, the protocol is written in the HLPSL language to evaluate the security; HLPSL is a role-based language [30]. Each role is independent of other roles, and communication between roles is possible through channels. In the HLPSL language, the attacker is modeled by the DY model in this tool [31]. First, HLPSL codes are converted into IF by the hlpsl2if translator and then executed as AVISPA input; IF is a low-level language compared to the HLPSL language, and the translation of HLPSL codes to IF is hidden from the user [32]. AVISPA has four backends, OFMC [33], CL-AtSe [34], SATMC [35], and TA4SP [36], which can be used to test whether a protocol is secure or insecure.

Simulation results
The Avispa tool gives us three mechanisms to check the proposed scheme. In the first mechanism, the replay attack is investigated in the DY model, and the second mechanism is designed with the protocol specifications and activates intruder recognition. The third mechanism examines the MITM attack. The NSO-VFC has been investigated with the three mechanisms defined in the Avispa tool. The results show that it resists replay attacks, active intruders, and MITM attacks. Figures 10 and 11 show the output results of OFMC and CL-AtSe.

Performance analysis
The proposed NSO-VFC consists of 7 phases; in the first phase, considering that the devices have a pre-agreement on the elliptic equations, it is not considered in the performance phase (this is a fair assumption that is also applied in other similar methods). We have divided the remaining 6 phases into six situations to analyze and read the performance, followed by the communication cost and the number of bits and the analysis of the computation cost. In the end, the security requirements are expressed in this section. Manual methods are used in all articles to calculate the communication and computation cost, which introduces a possibility of human error. We used E3C to reduce human error in calculating computation and communication costs [37]. The results of the combined manual and E3C methods are in "Communication cost" and "Computation cost".

Communication cost
To calculate the communication cost in the NSO-VFC, we considered the 160-bit integers, the hash function of the 160-bit SHA1, and the elliptic curve encryption type with a key size of 160. In other words, each point (P) on the curve is P = (Px + Py), 160 + 160 = 320 bits; 32 bits are considered for the time stamp, flag, and identity. Table 3 shows the message fields and their size in bits. The NSO-VFC is compared to the AKMF-IoV [38], which consists of three states; the number of bits used in the system are 1024 bits, 1344 bits, and 1024 bits, respectively. Considering the nature of the NSO-VFC scheme and the number of phases for SO, an increase in communication costs can be expected. Table 4 shows the comparison of the communication cost and the number of bits used in each state.

Computation cost
To calculate the computation cost of the NSO-VFC, we use the symbols Tfh, Tfecm, and Tfr: Tfh for the hash function, with an arithmetic mean of 0.0023; Tfecm for point multiplication of an elliptic curve, with an arithmetic mean of 2.226; and Tfr for random numbers, with an arithmetic mean of 0.539. The arithmetic means of the defined symbols are calculated from reference [39].
As mentioned in "Communication cost", the NSO-VFC consists of 6 states; because the 6th state does not use hash functions, random numbers, or multiplication of an elliptic curve, it cannot be calculated in the evaluation.

Field            Size (bits)
Random numbers   160
Timestamp        32
Identity         32
Flag             32

The computation cost of the NSO-VFC is compared with that of the AKMF-IoV scheme, which has a computation cost of 0.0299 ms in the first case, 8.9247 ms in case 2, and 0.0299 ms in case 3. Considering that AKMF-IoV has fewer cases than the NSO-VFC, it has a lower computation cost than our NSO-VFC. The high computation cost is justified because our NSO-VFC provides SO for the IoV environment. Table 5 shows the comparison of the computation cost of the NSO-VFC.

Security requirements comparison
Table 6 shows the comparison of the NSO-VFC with the AKMF-IoV in terms of security features. According to the table, both the NSO-VFC and AKMF-IoV can support the SOSF1, SOSF2, SOSF3, SOSF4, SOSF6, SOSF9, SOSF10, SOSF11, SOSF12, SOSF13, and SOSF14 security features. One of the features of NSO-VFC is that it has more steps than AKMF-IoV; however, it can provide SO and supports SOSF5, SOSF7, SOSF8, and SOSF15, which the AKMF-IoV lacks.

Simulation result
AODV routing is used to implement NSO-VFC in the NS3. In AODV, a specific route is not created and maintained for every possible destination in the network, but when the source node has a packet to send, the routes are established based on the existing need. Of course, for recently used routes, routing information is stored in the routing table. Therefore, when a new route request message arrives, there is no flooding in the network because each node can only send packets to the destinations in its routing table. Considering the size of the simulation environment and taking into account that the cars are randomly arranged in the environment, there is a high probability that the cars are not next to each other or near an RSU. This makes the origin unable to deliver the sent packet to its final destination, and the packet gets lost on the way. For this reason, in conditions where the vehicle density is low, the end-to-end delay rate and packet loss increase, and the packet delivery and throughput decrease. In a situation where the traffic density is increasing, the end-to-end delay and packet loss will decrease, and the packet delivery and throughput will increase. Figs. 12, 13, 14, and 15 compare Packet delivery, Throughput, Packet loss, and End-to-end delay, respectively. According to the simulation results, the greater the number of IoVs, the higher the performance of the NSO-VFC in the network.

In the performance assessment of the NSO-VFC, the security aspects of the NSO-VFC outperform the AKMF-IoV scheme; however, there is an increase in communication and computational overheads due to the emphasis on security. Results obtained using NS3 indicate that with an escalation in the IoV population, the proposed scheme exhibits enhanced performance in terms of throughput and packet delivery. Future research prospects could involve the development of secure offloading mechanisms based on blockchain networks and the Metaverse.

Ethical approval
All procedures were performed in studies without human participants. This article does not contain any studies with animals performed by any of the authors. The present study is part of a Ph.D.

Figure 6. Shows storage phase.

Figure 5. Login and authentication of the NSOS-VFC.

Figure 9. Completion of the offloading of the NSOS-VFC.

State 5: Mutual authentication and offloading phase.
State 6: Completion of the offloading phase.

Table 2. Notations used in the NSOS-VFC.

Table 5. Comparison of computation cost.

Table 6. Comparison of security features.

Simulation
This section describes how the NSO-VFC is practically implemented in the NS3 software on an Ubuntu-23.04 operating system. The simulation was conducted on a Dell 6430 laptop equipped with an Intel Core i7 processor, 8 GB RAM, and a 2 TB SSD. In the simulation scenario, 10 Road Side Units (RSUs) are utilized for 10, 20, and 30 Instances of Vehicles (IoV) with one fog and one cloud. A Random Waypoint Mobility model is employed for the movement of IoVs, with a constant speed of 60 m/s and no pauses. The RSUs, fog, and cloud nodes have a stationary mobility at 0 m/s. The simulation area measures 400*1500 units, using the Two-Ray Ground Loss model and the AODV routing protocol. The transmission power is set at 8 dBm, with the medium access control type as IEEE 802.11 and the wireless protocol as 802.11p. The communication ranges between IoV and IoV, fog node and IoV, fog node and fog, and fog to cloud are set at 50 m, 100 m, 150 m, and 300 m respectively. The simulation duration is 100 s.