While cloud computing and Internet of Things (IoT) technologies have gradually matured, mobile intelligent transportation systems have begun to be widely used. In particular, the application of vehicular ad hoc networks (VANETs) is very convenient for real-time collection and analysis of traffic data. VANETs provide a great convenience for drivers and passengers, making it easier to choose routes. Currently, most research on VANETs obtains data through cloud servers. However, there are few studies on cloud servers obtaining vehicle information through the roadside unit (RSU). In the process of reading traffic information, there will be some private and sensitive information, which may be intercepted or tampered with in untrusted public channels. Therefore, it is necessary to propose a protocol to protect vehicle data during the information reading phase. In this paper, we propose a new provably secure authentication protocol to negotiate a session key before transmitting traffic information. This protocol can complete mutual authentication and generate a session key. Finally, security analysis and performance analysis show that our protocol is secure and efficient.

1. Introduction

Due to social and economic development, motor vehicles are rapidly spreading. At the same time, the rapid increase in the number of vehicles on the road has also made the traffic situation more complicated, and there will be many traffic problems, such as traffic accidents and road congestion. Therefore, researchers apply artificial intelligence [14], wireless networks, and sensor technology [5, 6] to road vehicle management, so that vehicles can share information and release relevant road information to alleviate traffic problems. This is the vehicular ad hoc network, which consists of vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. In the VANETs, the vehicle is equipped with an on-board unit (OBU), so the vehicle can be regarded as a mobile network node that can communicate. Therefore, the vehicle can obtain the corresponding road information from the cloud server through the RSU and can also send the relevant information recorded by itself to the cloud server. The main goal of VANET technology is to improve traffic efficiency and increase driving experience. With the popularity and development of VANET, it plays a key role in user travel planning and road safety.

Although VANETs have various obvious benefits, their security and privacy issues [79] are still the keys to whether they can be widely used. In VANETs, the network environment is open; attackers can capture various messages transmitted in the network and can forge a legitimate vehicle to send wrong information. The transmission of wrong information will mislead the driver to make the wrong decision, bringing corresponding troubles and even dangers. First, before information transmission, mutual authentication must be performed, and a corresponding session key must be generated for subsequent information transmission. Then the integrity of the message must be verified every time a message is received. In addition, anonymity is indispensable in VANET, because if the vehicle transmits its identity on the network in clear text, the attacker captures the information, and the vehicle can be faked or the vehicle can be tracked.

However, several kinds of research in VANETs mainly focus on how to ensure that vehicles obtain corresponding road information. In other aspects, vehicles can receive current traffic conditions through RSU. Based on the information received, the driver can adjust the driving decision. Because the road conditions are changing, the RSU can actively establish a communication request with the vehicle to obtain the road condition information stored by the vehicle sensor (as shown in Figure 1). Based on our best knowledge, we propose a new provably secure mutual authentication scheme for negotiating session keys before transmitting traffic information in this paper. The main contributions of this paper are summarized as follows:(1)A three-party AKE scheme is proposed, with vehicles, RSU, and cloud servers. RSU actively sends a request, completes mutual authentication with the vehicle through the cloud server, and generates a session key.(2)Due to environmental constraints, the proposed scheme only performs simple operations, such as elliptic curve (ECC), bitwise XOR, and hash functions.(3)We conduct a security analysis of the protocol, including formal analysis, informal analysis, and ProVerif simulation.(4)Finally, the performance of the proposed protocol is evaluated. Compared with the existing methods, we show that our protocol is feasible.

The remainder of this paper is organized as follows. In Section 2, the latest research results of the AKE protocol and related research on security authentication in the VANET environment are reviewed. Section 3 describes our proposed protocol in detail. Then, in Sections 4 and 5, the security analysis and performance analysis of the protocol proposed in Section 3 are carried out. Finally, the article is summarized in Section 6.

Many researchers have conducted a series of studies on authentication and key exchange protocols in VANETs. However, with the changes of various needs and scenarios, many security issues have emerged in these studies.

First of all, in terms of an authentication protocol, Lamport [10] proposed for the first time password authentication in an insecure channel. Immediately afterward, various two-party authentication schemes were proposed [11, 12]. But, for the VANETs environment, the communication between vehicles can use a two-party authentication scheme, and if the vehicle and the cloud server are authenticated, the two-party authentication will cause transmission delay, because two-party identity authentication is generally used in a single-server environment. In 2001, Li et al. [13] first proposed an authentication scheme in a multiserver environment, but their scheme is inefficient because it takes a lot of time to train neural networks. Later, to complete efficient and secure identity authentication, researchers began to introduce multifactor security. In addition to passwords, security factors such as smart cards and biological information were introduced [1416]. Recently, Irshad et al. [17] proposed an authentication scheme under a multiserver architecture based on the chaotic mapping. But Wu et al. [18] found that Irshad et al.’s protocol cannot guarantee user anonymity and is vulnerable to attacks by privileged insiders. Therefore, Wu et al. proposed an authentication protocol for distributed cloud environments, claiming that their protocol can resist various known attacks. However, Wu et al. [19] recently proposed an authentication key exchange protocol under a multiserver architecture and found that [18] has multiple security problems, including the inability to provide perfect forward secrecy () and being vulnerable to privileged internal attacks. Also, in a multiserver environment, in 2017, Truong et al. [20] proposed an ECC-based authentication scheme. Their article discussed that Yeh et al.’s [21] protocol cannot provide mutual authentication and the key agreement phase is incorrect. In 2018, Zhao et al. [22] proposed a secure and efficient authentication protocol based on passwords and smart cards. They claimed that the scheme of Truong et al. could not achieve the security authentication requirements of multiserver authentication and could not resist offline password guessing and impersonation attacks. However, Hassan et al. [23] conducted a security analysis on the scheme proposed by Zhao et al. and found that the scheme is vulnerable to anonymity and traceability issues and is not suitable for a multiserver environment. Then, on this basis, Hassan et al. proposed an improved multiserver authentication scheme.

Currently, there are two research focuses on the VANETs environment; one is efficient authentication, and the other is privacy protection. The former appeared because of the large number of vehicles in the VANETs environment, and data transmission and processing are very challenging. In order to solve this problem, cloud computing began to be applied to the VANETs [24]. In VANETs, cloud computing-based authentication schemes have also begun to be widely proposed [2529]. These solutions reduce the server-side service response time and improve authentication efficiency. However, due to the number of vehicles involved and management issues, network delays can also be caused. Then cloud computing began to decentralize and fog computing was used to solve the above shortcomings [15, 3032]. The latter is because, in an open network environment, the private information of vehicle users must be protected. Therefore, the Conditional Privacy Preservation Authentication (CPPA) agreement was proposed [33]. In this protocol, the attacker cannot obtain the true identity of the vehicle user through messages intercepted on the public channel, but a trusted third party can calculate the identity of the vehicle user who sent the message. In 2008, Zhang et al. [34] proposed an identity-based verification scheme and proved that their proposed scheme can practice conditional privacy protection, trusting the authority to retrieve the true identity of the vehicle from any false identity. In 2014, Chuang and Lee [35] proposed the first authentication mechanism using transitive trust relationship. Later, Zhou et al. [36] used elliptic curve cryptography (ECC) to propose a new mutual authentication scheme based on the mechanism proposed by Chuang and Lee and mentioned in their paper that the scheme of Chang and Lee cannot resist internal attacks. However, Wu et al. [37] found that Zhou et al.’s scheme could not guarantee anonymity and was vulnerable to identity guessing and impersonation attacks. At the same time, they designed a new privacy protection authentication protocol using ECC technology. Some researchers have proposed the use of fog computing for information processing in the VANET environment. In 2019, Ma et al. [30] proposed a new AKE protocol without bilinear pairing. They believed that the proposed protocol is safe and efficient. However, Eftekhari et al. [38] found that the protocol of Ma et al. had security problems, such as internal attacks, known session-specific temporary information attacks, and stolen smart card attacks, and then they proposed a safer and more efficient protocol. In 2017, Mohit et al. [39] proposed a new vehicle communication protocol and believed that their protocol could resist attacks such as stolen smart card attacks and impersonation attacks. However, Yu et al. [40] found that Mohit et al.’s scheme could not provide security attributes such as anonymity and mutual authentication and would suffer impersonation and traceability attacks. Then Yu et al. proposed a new security authentication protocol and proved that their protocol can resist various known attacks. In 2020, Sadri and Rajabzadeh Asaar [41] proved that Yu et al.’s protocol is vulnerable to tracking attacks, impersonation attacks, sensor capture attacks, and so forth and proposed a secure protocol for application in VANETs.

Some studies have begun to design the AKE protocol for the advantages of low latency and high reliability in the 5G environment [42]; and, for some special occasions, blockchain technology [43] is also used to complete the authentication key exchange. Research similar to VANET currently has similar flying ad hoc networks (FANETs). Moreover, this environment is also vulnerable to serious security threats. Due to these security threats, many security protocols have been proposed in this environment [4447]. Therefore, when studying VANETs, you can refer to some security solutions in FANETs. However, most of the research is carried out on the premise that the vehicle initiates a communication request. So, it is necessary to propose an authentication scheme in which a cloud server or RSU initiates a communication request to the vehicle user to meet the timely update of road condition information.

3. Proposed Scheme

In this section, we introduce in detail a new provably secure mutual authentication scheme used to negotiate session keys before transmitting traffic information. The communication entities in the proposed protocol include vehicle users, roadside units, and cloud servers. For the convenience of reading, the symbols used in the scheme are listed in Table 1. The proposed protocol has five phases, namely, the initialization phase, the vehicle registration phase, the RSU registration phase, the login phase, and the authentication phase.

3.1. Initialization Phase

(1)The cloud server selects two large prime numbers and and then constructs an elliptic curve defined about the domain for . The points on form a cyclic additive elliptic curve group , and the generator of is obtained.(2) selects two random numbers and and computes , where is the long-term key of the , is the private key, and is the public key.(3)Finally, chooses a one-way hash function .

3.2. Vehicle User Registration Phase

When the vehicle user wants to get the corresponding service, he/she must register through the cloud server . The main steps are as follows. Figure 2 describes the process of vehicle user registration in detail.(1) chooses its own and then sends it to through a secret channel.(2)On receiving , selects and computes and . Then, saves to memory and securely transmits to .(3)Finally, computes , , and and stores into OBU. Among them, is the ’s password, and is the ’s biological information.

3.3. RSU Registration Phase

Through the registration phase, can obtain the private key, as shown in Figure 3.(1) selects a random number and computes and then sends the identity and to securely.(2) selects the pseudoidentity of and the random number . Then computes and , stores in its database, and finally sends to .(3) computes and then verifies whether is equal to . If the verification is passed, the private key distribution is successful. Then is stored in memory.

3.4. Login Phase

Since the environment proposed by the scheme is to complete mutual authentication and key exchange during vehicle operation, the vehicle user login will be completed in advance. Figure 4 shows the login information of the vehicle user.

3.5. Authentication Phase

The entire authentication phase is initiated by , which wants to communicate with the running vehicle. The detailed information is shown in Figure 5.(1)First, makes a communication request and selects a random number to compute . sends and to .(2)After receives the communication request, it selects a random number and the current timestamp and computes (see equations (1)–(4)). Then it sends to .(3) verifies the validity of the timestamp (by ). computes (as shown in equations (5)–(7)). Finally, sends to .(4)After receives the message, it first verifies whether the timestamp is valid (by ). If the verification is passed, it computes and . Then it takes out from the memory through and computes . If and are equal, then perform the operation; otherwise, terminate the session. Then, computes and and then retrieves in the database through . After that, computes and completes the authentication operation. If authenticated, selects a random number and a timestamp and computes (see equations (8)–(13)). Finally, updates the values of and in memory and sends to .(5) also verifies the validity of the timestamp. Then it computes and verifies that is equal to . If authenticated, computes (see equations (14)–(16)). Then it updates the values of in memory. Finally, computes the session key and sends to .(6)After receives the message, it checks the freshness of timestamp. If it is confirmed, computes and and then verifies . If authenticated, computes a new and updates this value in the memory. Finally, computes the session key .

4. Security Analysis

In this section, we conduct a security analysis of the proposed protocol and use the ROR model and ProVerif tool to complete the formal security analysis [48, 49]; and, through informal security analysis, we verified that the proposed protocol has security features and can resist various known attacks.

4.1. Informal Security Analysis

This section is an informal security analysis of the proposed protocol. We verify the security attributes and attacks that the proposed protocol needs to have one by one.

4.1.1. Mutual Authentication

After receiving the authentication request from , computes and sends it to through . After receives the message, the computed contains the parameters . Only legitimate users can generate correct , so that can verify the identity of the user and the legitimacy of the information by verifying whether is equal to ; that is, authenticates . Similarly, the server computes , computes , and computes , respectively, indicating that has authenticated , has authenticated , and has authenticated . In summary, and can perform mutual authentication in the protocol.

4.1.2. Man-in-the-Middle Attacks

By intercepting the information in the public channel, may launch man-in-the-middle attacks. But after receives the message, it needs to verify and to authenticate the sender. Suppose that when tries to tamper with the information sent to , he needs to generate a new authentication information , but he cannot obtain the parameters , , and so forth. This means that cannot complete the verification after tampering with the information. Similarly, when tampered with the information sent to and , he could not complete the relevant authentication. This shows that the protocol can resist man-in-the-middle attacks.

4.1.3. Replay Attacks

In the protocol, when a new round of authentication is performed, new random numbers , , and will be generated; and every time the authentication is completed, the values stored in the memory such as and will be updated. The random number and the updated are used when generating the session key. Therefore, when resends the previous message, new random numbers and related parameters updated in the memory have been generated, and he cannot pass the verification and cannot compute the session key. Therefore, the proposed protocol can resist replay attacks.

4.1.4. Known Session-Specific Temporary Information Attacks

Under the CK attack model [50], can obtain the random number or generated during the authentication phase. Assuming that obtains the random number generated by ; then , , and can be calculated. However, since cannot obtain and , he still cannot compute the session key ; and when tries to use a random number to perform a man-in-the-middle attack or an impersonation attack, he cannot complete the verification by recalculating . Therefore, the proposed protocol can resist known session-specific temporary information attacks.

4.1.5. Perfect Forward Secrecy

This security feature requires that the leakage of the long-term key does not reveal the previously generated session key. in the scheme. That is, the long-term key of is not used in the calculation of the session key. Since the private key of does not change after each authentication, it is assumed that can get . Then can compute and ; that is, and , and the updated and . However, cannot obtain the random number or needed to compute , so there is no way to compute ; that is, the proposed protocol can provide perfect forward secrecy.

4.1.6. Internal Attacks

Assuming that is a internal staff, he can easily obtain the information transmitted during the registration phase, including , , , and . However, cannot compute and from this information. Therefore, the proposed protocol can resist internal attacks.

4.1.7. User Anonymity and Untraceability

During the authentication process, is used to compute and cannot obtain to guess . So, the scheme can guarantee anonymity. At the same time, due to the use of random numbers and the update of the pseudoidentity after each authentication, it is also ensured that cannot confirm the user’s identity by tracing a specific piece of information. Therefore, the protocol satisfies anonymity and untraceability.

4.1.8. Three-Factor Secrecy

The proposed protocol uses passwords, biological information, and storage devices (OBU) for security encryption, so it is a three-factor authentication protocol. For this type of protocol, it is assumed that the extreme case is that can obtain two of the three factors and can launch an attack on the protocol.

Assume that obtains , , and . It is necessary to compute when logging in, where , but is stored in OBU. In other words, cannot complete the login operation. The proposed protocol is safe in this situation. Assume that obtains , , and OBU. Since cannot be computed through , cannot compute and and cannot complete login verification. That is, the protocol is safe in this situation. Similarly, when knows and OBU, there is no way to compute because there is no password and identity. Therefore, the protocol is safe in the three situations, and the proposed protocol satisfies the three-factor security characteristics.

4.1.9. No Key Control

In this protocol, the session key can only be generated through negotiation between and ; that is, a single entity cannot generate by itself. When computing , needs to know and generated by . In the same way, needs to negotiate to obtain and during the calculation to compute . Therefore, the proposed protocol is satisfied with no key control property.

4.2. Formal Security Analysis Based on Random Oracle Model

In this section, a random oracle model (ROR model) is used to formally prove the security of our proposed protocol. This analysis model was proposed by Canetti et al. [51]. By launching different rounds of s, the ROR model can compute the probability of successfully guessing the in various situations and thus judge the security of the protocol. Assume that , , and , respectively, represent the communication of , the communication of , and the communication of . can initiate the following query, where .(i): through this query, can eavesdrop on the message transmitted on the public channel.(ii): executes the query and can get the hash value of the input parameter .(iii): executes the query, sends a message to , and can receive the corresponding response.(iv): executes this query to obtain the return result of current session key generated by .(v): by executing the query, can obtain some secret values, such as long-term private keys and temporary information.(vi): executes the query and judges the correctness of the session key by flipping coin . If the result is , will receive the correct session key returned; if the result is , will receive a random string.

Definition 1. (elliptic curve discrete logarithm problem (ECDLP)). Our proposed protocol uses elliptic curve cryptography (ECC). Here, we describe the computational difficulties and assumptions of ECC. Suppose that is an elliptic curve generation group. At the same time, given points and , where belongs to and belongs to , it is computationally infeasible to obtain . In polynomial time, the probability that solves this problem is defined as follows: . For a sufficiently small , we have .

Theorem 1. If attempts to initiate some queries in polynomial time, then the advantage that he can break through the proposed protocol is as follows: where represents the number of times to execute queries, represents the number of times to execute queries, represents the number of times to queries, represents the number of bits of the operation, and and are constants in Zipf’s law [52].

Proof. We use the game sequence to verify the above theorem. represents the probability of ’s success in game . Finally, using the query to determine , the specific description is as follows:(i) represents a real attack, and did not initiate any query at this time. Therefore, in , the probability of cracking is .(ii) adds Execute query on the basis of , and there is no difference in the others. So, .(iii) adds query on the basis of . According to Zipf’s law, we get .(iv) adds query on the basis of . According to the birthday paradox, we can get the maximum probability of hash collision as ; the maximum probability of collision in the transmitted text is ; and so .(v) In this game, we consider the security of the session key. Here, we divide the discussion into two situations. The first is to obtain a long-term private key to verify perfect forward secrecy; the second is to provide temporary information leakage to verify whether the known session-specific temporary information attacks can be resisted.Perfect forward secrecy: uses to try to get the private key of or uses or to try to get a certain secret value in the registration phaseKnown session-specific temporary information attacks: uses or or to try to obtain temporary information of one partyIn both cases, ECDLP needs to be solved to compute the session key . For , in the first case, even if and are calculated by , the random number is unknown. While getting through , cannot get . In the second case, even if is calculated through , the long-term private key is unknown. Similarly, for the second formula also holds, .(i) uses to query; can get the information in OBU. The user uses the password and biological information to register. wants to guess +, but the possibility of guessing the biological characteristics is , which can be almost ignored. Using Zipf’s law, we can get .(ii) the purpose of this game is to verify forgery attacks. In , if issues or query, the game is terminated. At this point, the probability of guessing is . Because the probability of success and unsuccess of is half,  = 1/2.In summary, we can get the following conclusions:Thus, we can obtain

4.3. ProVerif Security Analysis

ProVerif [53] is a formal cryptographic protocol security verification tool proposed by Bruno Blanchet in 2001 and developed using the Prolog language. The tool is based on the DY model and can handle basic cryptographic operations such as symmetric encryption and decryption, public-key encryption and decryption, hash operations, and XOR operations. The security attributes that can be verified are confidentiality, authentication, consistency, and equivalence between processes. Through the use of code to achieve the registration and authentication phases of vehicle users, RSU, and cloud server, a protocol simulation experiment is created in this section. The following is the whole process:(1)The definition of the channel is and . The former is a common channel used in the login and authentication phases, and the latter is a secure channel used in the registration phase. and are the session keys generated by and . The subsequent definitions are string concatenation operations, XOR operations, hash functions, and fuzzy extractor functions. Next is to use some queries to verify the security requirements. The entire definition is shown in Figure 6.(2)The process of is shown in Figure 7.(3)The process of is shown in Figure 8.(4)The process of is shown in Figure 9.(5)In Figure 10, we show the results of the verification. We use VehicleStarted(), VehicleAuthed(), ServerAcVehicle(), ServerAcRSU(), RSUAcServer(), and VehicleAcRSU() to declare the beginning and the end of the agreement and whether the mutual authentication between the vehicle user, RSU, and CS is correct. The verification result shows that the session key we established has withstood the attack, and the mutual authentication is successful and correct. The protocol proposed in this chapter has passed the security verification of ProVerif.

5. Security and Performance Comparisons

This section will analyze the performance of the proposed protocol and verify the performance of the protocol by comparing its security, computing consumption, and communication consumption among similar protocols.

5.1. Security Comparisons

In this section, we compare the security of the proposed protocol with Ma et al.’s scheme [30], Jia et al.’s scheme [31], Eftekhari et al.’s scheme [38], and Liu et al.’s scheme [54]. The details are shown in Table 2. According to the informal security analysis above, it can be seen that the current common network attacks mainly include A1: mutual authentication; A2: man-in-the-middle attacks, A3: replay attacks, A4: known session-specific temporary information attacks, A5: perfect forward secrecy, A6: internal attacks, A7: user anonymity, A8: three-factor secrecy, A9: no key control, and A10: impersonation attacks. means that it can resist this attack or has this security feature.

5.2. Performance Comparisons

In the performance analysis of the AKE protocol, the computation cost is an important part to be considered. In the VANETs environment, due to the mobility of vehicles, the required computational time needs to be less, which reduces the time required for key establishment and makes the proposed protocol more practical. The experimental environment we used here is shown in Table 3 to test the time-consuming performance of different encryption and decryption algorithms. The algorithm was run 30 times on the device to find the average value. The results are shown in Table 4. We found that the time of the fuzzy extraction function is similar to that of the hash function during the experiment, so we use the fuzzy extraction function as a hash function.

Compared with other phases, in order to ensure the security of the session key, the authentication phase will be executed multiple times, so the calculation cost in this section only considers the calculation performed in the authentication phase. The comparison is shown in Table 5. Substitute the execution data in Table 4 to get the computation cost histogram in Figure 11.

Next, we analyze the communication consumption of the proposed protocol and compare it with related protocols. We use the number of bits specified in [11]. For example, the point of the ECC is 320 bits, the hash function is set to 256 bits, the length of the identity information is 64 bits, and the length of the random number and timestamp is 32 bits.

The protocol we propose has four transmission rounds in the authentication phase, and the transmitted information is {}. It contains 4 ECC points, 8 hash function outputs, and 4 timestamps’ information. That is, a total of 3456 bits of information are transmitted.

The protocol of Liu et al. transmits 4 rounds, and the transmitted information is , , and , including 3 hash outputs, 4 identification information, 4 timestamps’ information, 3 ECC points, and 3 symmetric encryptions’ information (calculated according to 128 bits). Therefore, a total of 2496 bits of information are transmitted.

The protocol of Jia et al. transmits 4 rounds, and the transmitted information is , , , and . It includes 6 ECC points, 9 hash function outputs, and 5 timestamps’ information. Therefore, a total of 4384 bits of information are transmitted.

The protocol of Ma et al. transmits 4 rounds, and the transmitted information is {}. It contains 7 ECC points, 3 hash function outputs, and 4 timestamps’ information. A total of 3904 bits of information are transmitted.

The protocol of Eftekhari et al. transmits 4 rounds, and the transmitted information is , , , and . It contains 6 ECC points, 14 hash function outputs, and 2 timestamps’ information. A total of 5568 bits of information are transmitted. The comparison of communication consumption is shown in Table 6. In order to see the comparison effect more clearly, we have generated Figure 12.

Combined with Tables 2, 5, and 6, we discussed the results of the performance analysis. The protocol of Eftekhari et al. has no obvious security vulnerabilities, and the computation cost is similar to that of the protocol we proposed; the main computation cost gap is on the server side. Because the server has strong computing power, it has little effect on the overall computation cost; and, from Table 6 we can see that the communication cost of Eftekhari et al.’s protocol is much higher than that of the proposed protocol. Also, the proposed protocol is similar to Jia et al.’s protocol in terms of computation cost, but Jia et al.’s protocol has security vulnerabilities. The communication cost of all the schemes participating in the comparison is slightly higher than that of the protocol of Liu et al. It can be seen from Figure 11 that the computation cost of the protocol of Liu et al. is the highest, and the security performance is very poor. The computation cost and communication cost of Ma et al.’s protocol are relatively average, but both are slightly higher than those of our proposed protocol, and their protocol is vulnerable to known session-specific temporary information attacks and internal attacks and cannot guarantee user anonymity. In general, it is more reasonable for the proposed protocol to combine security, computation cost, and communication cost analysis.

6. Conclusion

Based on ECC, this paper designs a new provably safe AKE scheme before transmitting road condition information. We first reviewed the research status of AKE protocol in the VANET environment and found that it is necessary to propose a scheme to protect vehicle data in the information reading phase. We conducted an informal security analysis of the proposed protocol from mutual authentication, anonymity, perfect forward secrecy, man-in-the-middle attacks, internal attacks, and so forth and passed strict formal security analyses, such as the ROR model and ProVerif security verification tools, indicating that the proposed protocol is secure. Through the comparison of security and performance, the proposed protocol is secure, more effective, and more reasonable than the existing protocol. The application of authentication and key exchange in the VANETs environment is the general trend of the development of the VANETs. With the continuous development of the VANETs, subsequent application scenarios are also diverse, such as social Internet of Vehicles, which involve more user privacy information, and this topic will have great research value and research space in the future. Therefore, the communication security of the VANETs environment must also be a key research topic for scholars.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest.