An SSL-PUF Based Access Authentication and Key Distribution Scheme for the Space–Air–Ground Integrated Network

The Space–Air–Ground Integrated Network (SAGIN) expands cyberspace greatly. Dynamic network architecture, complex communication links, limited resources, and diverse environments make SAGIN’s authentication and key distribution much more difficult. Public key cryptography is a better choice for terminals to access SAGIN dynamically, but it is time-consuming. The semiconductor superlattice (SSL) is a strong Physical Unclonable Function (PUF) to be the hardware root of security, and the matched SSL pairs can achieve full entropy key distribution through an insecure public channel. Thus, an access authentication and key distribution scheme is proposed. The inherent security of SSL makes the authentication and key distribution spontaneously achieved without a key management burden and solves the assumption that excellent performance is based on pre-shared symmetric keys. The proposed scheme achieves the intended authentication, confidentiality, integrity, and forward security, which can defend against masquerade attacks, replay attacks, and man-in-the-middle attacks. The formal security analysis substantiates the security goal. The performance evaluation results confirm that the proposed protocols have an obvious advantage over the elliptic curve or bilinear pairings-based protocols. Compared with the protocols based on the pre-distributed symmetric key, our scheme shows unconditional security and dynamic key management with the same level performance.


Introduction
The Space-Air-Ground Integrated Network (SAGIN) is a heterogeneous network architecture consisting of satellite, aerial, and territorial segments [1]. Integrating different networks expands cyberspace from the traditional internet to the land, sea, sky, and outer space, making SAGIN vital for strategic importance [2]. Space information is a crucial point of society and cyberspace. Thus, the security of space information has to be strengthened [3]. As the first line of network defense, access authentication and key distribution schemes are crucial technology to prevent illegal terminals for the security of SAGINs [4].
The high mobility, low latency, and limited resource in SAGIN have put forward higher requirements for security issues, such as identity authentication and data security [5]. Besides, access at any time means high-quality network services, such as dynamic access and a smooth handover authentication mechanism caused by the movement of satellites.
A lightweight authentication protocol has been proposed based on different techniques. Public key cryptography is suitable for dynamic terminals to access SAGIN. Schemes based on elliptic curve cryptography and symmetric keys to provide anonymity and authentication were proposed [6][7][8][9][10]. However, the operation over the elliptic curve is timeconsuming. Some schemes based on the symmetric key, secret sharing, or group key are lightweight and need less communication overhead [11][12][13]. Nevertheless, the pre-shared 1.
A system model for access and key distribution based on SSL PUF is proposed. In the system model, various terminals are equipped with regular SSL chips. Meanwhile, satellites and the ground server are equipped with matched SSL pairs. The inherent security of SSL makes the authentication and key distribution spontaneously achieved without a key management burden and solves the assumption that excellent performance is based on pre-shared symmetric keys.

2.
Access authentication and handover authentication schemes are proposed, which achieve mutual access authentication and unconditionally secure key distribution.
In Section 2, background on the SSL is introduced. Section 3 describes the system model and security goals. The proposed scheme is illustrated in Section 4, and the security analysis is given in Section 5. Performance evaluation is in Section 6. The conclusion is the final part of Section 7.

Semiconductor Superlattice (SSL) PUF
The semiconductor superlattice (SSL) is an artificial, periodic, multilayer semiconductor material, which is composed of nanoscale materials GaAs/Al 0.45 Ga 0. 55 As. The schematic of SSL is shown as Figure 1.
security of SSL makes the authentication and key distribution spontaneously achieved without a key management burden and solves the assumption that excellent performance is based on pre-shared symmetric keys. 2. Access authentication and handover authentication schemes are proposed, which achieve mutual access authentication and unconditionally secure key distribution. The protocol maintains a lower cost and communication overhead by employing basic hash/hmac operations and symmetric encryption. 3. The proposed scheme achieves intended authentication, confidentiality, integrity, and forward security, which can defend against masquerade attacks, replay attacks, and man-in-the-middle attacks. The informal security analysis substantiates the security goal. 4. The performance evaluation results confirm that the proposed protocols have an obvious advantage over the elliptic curve or bilinear pairings-based protocols. Compared with the protocols based on a pre-distributed symmetric key, our scheme shows unconditional security and dynamic key management versus a somewhat weaker performance.
In Section 2, background on the SSL is introduced. Section 3 describes the system model and security goals. The proposed scheme is illustrated in Section 4, and the security analysis is given in Section 5. Performance evaluation is in Section 6. The conclusion is the final part of Section 7.

Semiconductor Superlattice (SSL) PUF
The semiconductor superlattice (SSL) is an artificial, periodic, multilayer semiconductor material, which is composed of nanoscale materials / .
Under a certain bias voltage range, SSL shows a nonlinear chaotic status with multiple degrees of freedom due to the quantum resonance tunneling effect. Quantum resonance tunneling satisfies both energy conservation and wave vector conservation. The red lines in Figure 2 shows the electronics moving across different energy levels while quantum resonance tunneling occurs. The behavior of electronics travelling through the quantum wells are unpredictable in quantum resonance tunneling. The energy levels are extremely sensitive to the nanoscale layers / .
. , which contains millions of atoms. It is impossible to manipulate SSL atom to atom, which means that SSL is Under a certain bias voltage range, SSL shows a nonlinear chaotic status with multiple degrees of freedom due to the quantum resonance tunneling effect. Quantum resonance tunneling satisfies both energy conservation and wave vector conservation. The red lines in Figure 2 shows the electronics moving across different energy levels while quantum resonance tunneling occurs. The behavior of electronics travelling through the quantum wells are unpredictable in quantum resonance tunneling. The energy levels are extremely sensitive to the nanoscale layers GaAs/Al 0.45 Ga 0.55 As, which contains millions of atoms. It is impossible to manipulate SSL atom to atom, which means that SSL is physically unclonable and unpredictable. Simulating the structure of SSL mathematically is also impractical, even with a modest quantum computer [39,40]. physically unclonable and unpredictable. Simulating the structure of SSL mathematically is also impractical, even with a modest quantum computer [40,41]. The response signal is generated when SSL is inspired by a challenge signal, which makes SSL acts as a physical one-way function. SSL is a new chaotic material that works as a strong PUF [38], and a true random number generator (TRNG) was proposed based on SSL-PUF [37,39].
Strong PUF has the property that it is prohibitively hard to clone; a complete enumeration of all its CRPs is intractable [40]. Furthermore, an interesting characteristic of SSL is matched SSL pairs from the same wafer, which makes SSL suitable for full entropy key distribution techniques [38,[42][43].
According to the definition in [35,44], PUF seems to be a one-way physical function that replies with a response corresponding to the challenge. Equation (1) shows the physical function of SSL-PUF; PUF dedicates a piece of SSL chip, c is the challenge, and is the response. The detail mapping relation relies on the intrinsic structure introduced by the physical growth procedure, which is uncontrollable.
SSL also exhibits the unclonable and unpredictable properties of PUF, which are the security root of the PUF [44]. The matched pairs property gives SSL a higher chance in cryptography applications.
Unclonable: For a given SSL chip, , and challenge, , the corresponding = PUF ( ). For the same challenge, , the probability of finding another SSL chip, ′, with the same response, , is negligible, just as Equation (2) shows. Prob denotes probability, and ≤ 10 . The and ′ are from different wafers, so they are unmatched.
Unpredictable: For any given SSL chip, , the probability of predicting the response of any randomly selected challenge, , is negligible, just as Equation (3) shows.
Matched pairs: For SSL chips, and , in the same wafer and very close to each other, they are called matched pairs when Equation (4) holds.
For any challenge, c, the responses of matched pairs, and , are nearly the same, and only about 5% of the responses are different. HD denotes the Hamming Distance (HD), and denotes the bit length of response. Matched pairs are inspected and tested strictly, and the little difference can be erased by Information Reconciliation technology in cryptography [35]. Long-haul key distribution based on matched pairs can be The response signal is generated when SSL is inspired by a challenge signal, which makes SSL acts as a physical one-way function. SSL is a new chaotic material that works as a strong PUF [37], and a true random number generator (TRNG) was proposed based on SSL-PUF [36,38].
Strong PUF has the property that it is prohibitively hard to clone; a complete enumeration of all its CRPs is intractable [39]. Furthermore, an interesting characteristic of SSL is matched SSL pairs from the same wafer, which makes SSL suitable for full entropy key distribution techniques [37,41,42].
According to the definition in [34,43], PUF seems to be a one-way physical function that replies with a response corresponding to the challenge. Equation (1) shows the physical function of SSL-PUF; PUF SSL dedicates a piece of SSL chip, c is the challenge, and r is the response. The detail mapping relation relies on the intrinsic structure introduced by the physical growth procedure, which is uncontrollable.
SSL also exhibits the unclonable and unpredictable properties of PUF, which are the security root of the PUF [43]. The matched pairs property gives SSL a higher chance in cryptography applications.
Unclonable: For a given SSL chip, ssl, and challenge, c, the corresponding r = PUF ssl (c). For the same challenge, c, the probability of finding another SSL chip, ssl , with the same response, r, is negligible, just as Equation (2) shows. Prob denotes probability, and ε ≤ 10 −6 . The ssl and ssl are from different wafers, so they are unmatched.
Unpredictable: For any given SSL chip, ssl, the probability of predicting the response of any randomly selected challenge, c , is negligible, just as Equation (3) shows.
Prob find r and r = PUF ssl c ≤ ε. (3) Matched pairs: For SSL chips, ssl 1 and ssl 2 , in the same wafer and very close to each other, they are called matched pairs when Equation (4) holds.
For any challenge, c, the responses of matched pairs, ssl 1 and ssl 2 , are nearly the same, and only about 5% of the responses are different. HD denotes the Hamming Distance (HD), and l denotes the bit length of response. Matched pairs are inspected and tested strictly, and the little difference can be erased by Information Reconciliation technology in cryptography [34]. Long-haul key distribution based on matched pairs can be performed, and the key distribution arguments can be transported in the public channel even if the matched pairs are in a different city [42,44].

SSL Authentication and Key Distribution
The challenge mainly employs the authentication and key distribution scheme based on PUF and response pairs (CRPs) exchanged between the terminal and the authentication server [33,[45][46][47][48]. Since SSL's have unclonable and unpredictable properties, as the other PUFs, the CRPs for a certain SSL chip are fixed and unclonable to fake. The Ground Server (GS) pre-stores the CRPs of the SSL chip, and the Terminal with the SSL chip will send a challenge as an authentication message. The terminal authenticates successfully to the server with the same and nearly fixed response. "Nearly fixed" here is caused by the analog signal of the PUF response inevitably has a tiny difference for the same challenge [49]. However, the difference can be wiped out by Fuzzy Extractors, which usually contain Information Reconciliation (IR) and Privacy Amplification (PA) [49,50]. The IR corrects the analog deviation, and PA extracts sufficient information as a key used in cryptography. Figure 3 shows the key distribution procedure. The terminal selects a challenge, c, and the SSL outputs the response, r. The BCH (Bose, Ray Chaudhuri, and Hocquenghem) code is used as an IR procedure, which is efficient for error correcting code [49,51]. The Error Correcting Code (ECC), u, is sent to GS instead of the response, r, which has redundant information of r. The challenge, c, is sent to GS through the public channel too. The pre-stored r is selected from the database of GS and corrected by ECC, u. Finally, the key between the Terminal and GS is extracted by Privacy Amplification [49,50,52]. The related response, r , can be used only once to avoid a replay attack. performed, and the key distribution arguments can be transported in the public channel even if the matched pairs are in a different city [43,45].

SSL Authentication and Key Distribution
The challenge mainly employs the authentication and key distribution scheme based on PUF and response pairs (CRPs) exchanged between the terminal and the authentication server [34,[46][47][48][49]. Since SSL's have unclonable and unpredictable properties, as the other PUFs, the CRPs for a certain SSL chip are fixed and unclonable to fake. The Ground Server (GS) pre-stores the CRPs of the SSL chip, and the Terminal with the SSL chip will send a challenge as an authentication message. The terminal authenticates successfully to the server with the same and nearly fixed response. "Nearly fixed" here is caused by the analog signal of the PUF response inevitably has a tiny difference for the same challenge [50]. However, the difference can be wiped out by Fuzzy Extractors, which usually contain Information Reconciliation (IR) and Privacy Amplification (PA) [50,51]. The IR corrects the analog deviation, and PA extracts sufficient information as a key used in cryptography. Figure 3 shows the key distribution procedure. The terminal selects a challenge, , and the SSL outputs the response, . The BCH (Bose, Ray-Chaudhuri, and Hocquenghem) code is used as an IR procedure, which is efficient for error correcting code [50,52]. The Error Correcting Code (ECC), , is sent to GS instead of the response, , which has redundant information of r. The challenge, , is sent to GS through the public channel too. The pre-stored is selected from the database of GS and corrected by ECC, . Finally, the key between the Terminal and GS is extracted by Privacy Amplification [50,51,53]. The related response, , can be used only once to avoid a replay attack.

Matched SSL Pairs for Key Distribution
Compared to the regular SSL PUF, the key distribution scheme is simple and clear for matched SSL pairs, as shown in Figure 4. A SSL PUF chip, ssl i , matched to ssl i is installed in GS that has a similar response with the satellite, Sat ssl i , inspired by the same seed [49,52]. The KeyGen procedure generates helper data publicly sent together with the seed to associate the Key Recover procedure. The KeyGen and Key Recover procedure correspond to the BCH Encoder and Decoder algorithm. The final result, K Sat I , can be a key buffer pool for many symmetric keys. However, in this paper, we use K Sat i in short. All the information used for key distribution can be delivered publicly, which is a fascinating advantage compared to the other key distribution scheme.

Matched SSL Pairs for Key Distribution
Compared to the regular SSL PUF, the key distribution scheme is simple and clear for matched SSL pairs, as shown in Figure 4. A SSL PUF chip, ssl , matched to ssl is installed in GS that has a similar response with the satellite, Sat , inspired by the same seed [50,53]. The KeyGen procedure generates helper data publicly sent together with the seed to associate the Key Recover procedure. The KeyGen and Key Recover procedure correspond to the BCH Encoder and Decoder algorithm. The final result, K , can be a key buffer pool for many symmetric keys. However, in this paper, we use K in short. All the information used for key distribution can be delivered publicly, which is a fascinating advantage compared to the other key distribution scheme.

System Model
Derived from the Internet of Things (IoT), SAGIN is developed based on the Vehicular Ad-hoc Network (VANET) and Maritime Communication Network (MCN) [1,14] [ 54,55]. Various terminals, such as mobile phones, traffic terminals, vessels with sensors, and Unmanned Aerial Vehicles (UAVs), are working in various practical scenarios where they cannot always connect to the network services. The satellites broaden the communication of terminals to the global coverage. The terminals join the SAGIN through access authentication and have to deal with the handover authentication among the satellites. Figure 5 shows this paper's system model, consisting of a terminal, satellite, and ground server (GS). Every terminal is equipped with a SSL PUF as a unique physical identification, and the CRPs of the terminal are generated in the registration procedure. By the

System Model
Derived from the Internet of Things (IoT), SAGIN is developed based on the Vehicular Ad-hoc Network (VANET) and Maritime Communication Network (MCN) [1,14,53,54]. Various terminals, such as mobile phones, traffic terminals, vessels with sensors, and Unmanned Aerial Vehicles (UAVs), are working in various practical scenarios where they cannot always connect to the network services. The satellites broaden the communication of terminals to the global coverage. The terminals join the SAGIN through access authentication and have to deal with the handover authentication among the satellites. Figure 5 shows this paper's system model, consisting of a terminal, satellite, and ground server (GS). Every terminal is equipped with a SSL PUF as a unique physical identification, and the CRPs of the terminal are generated in the registration procedure. By the CRPs pre-stored in the GS, terminals accompany the access authentications through the satellites. Since the satellite network is changing in space, the terminal has to deal with the handover authentication with satellites. Match SSL PUF pairs are installed in the satellite and GS, which accompany the access authentication and build the secure communication channel between them. CRPs pre-stored in the GS, terminals accompany the access authentications through the satellites. Since the satellite network is changing in space, the terminal has to deal with the handover authentication with satellites. Match SSL PUF pairs are installed in the satellite and GS, which accompany the access authentication and build the secure communication channel between them.

Security Assumptions and Goals
In this paper, GS is assumed to be completely trustful, which means the CRPs of all the terminals are safely stored and used. The registration of the terminal is carried out in a secret channel. Moreover, the satellites are safe in the air and cannot be stolen. According to the Dolev-Yao Model, it is assumed that the adversary has the ability [56]. The interaction of the protocol in the air can be inspected, modified, or interrupted by the adversary. Thus, the proposed scheme should fulfill the following security goals: 1. Mutual Access Authentication: The terminals, satellites, and GS can achieve mutual access authentication with each other; 2. Handover Authentication: When the terminal inspects that the satellite communicates with the terminal and is going to move outside the service range, a handover authentication should react smoothly; 3. Key Distribution: The scheme proposed should distribute a secret session key for each participant in the authentication procedure; 4. Against regular security attacks and forward security: The scheme proposed should defend against masquerade attacks, replay attacks, man-in-the-middle attacks, and have forward security if the terminal with the SSL PUF is ever stolen.
Above all, the proposed scheme should have authentication, confidentiality, integrity, and forward security.

The Proposed Scheme
The proposed scheme consists of three participants: terminal , satellites , and ground server . The scheme is divided into three phases: terminal registration, authentication, and handover. Table 1 shows the notations used in this paper. and _ are the same , and are distinguished for easy understanding.

Security Assumptions and Goals
In this paper, GS is assumed to be completely trustful, which means the CRPs of all the terminals are safely stored and used. The registration of the terminal is carried out in a secret channel. Moreover, the satellites are safe in the air and cannot be stolen. According to the Dolev-Yao Model, it is assumed that the adversary has the ability [55]. The interaction of the protocol in the air can be inspected, modified, or interrupted by the adversary. Thus, the proposed scheme should fulfill the following security goals:

1.
Mutual Access Authentication: The terminals, satellites, and GS can achieve mutual access authentication with each other; 2.
Handover Authentication: When the terminal inspects that the satellite communicates with the terminal and is going to move outside the service range, a handover authentication should react smoothly; 3.
Key Distribution: The scheme proposed should distribute a secret session key for each participant in the authentication procedure; 4.
Against regular security attacks and forward security: The scheme proposed should defend against masquerade attacks, replay attacks, man-in-the-middle attacks, and have forward security if the terminal with the SSL PUF is ever stolen.
Above all, the proposed scheme should have authentication, confidentiality, integrity, and forward security.

The Proposed Scheme
The proposed scheme consists of three participants: terminal T, satellites Sat, and ground server GS. The scheme is divided into three phases: terminal registration, authentication, and handover. Table 1 shows the notations used in this paper. GS CRPs and GS ssl_i are the same GS, and are distinguished for easy understanding. Response of T ssl to c u Error correcting code of r TID The key between T ssl and GS CRPs K Sat i The key between Sat ssl_i and GS ssl_i K TSi The session key between T ssl and Sat ssl_i Seed The seed of Sat ssl_i Time Time in the system Hel per data Helper data for key distribution SCMD Pre-switch command CCMD Pre-switch confirm command Enc key (data) Encrypt data using key Hash (data) Hash function for data Hmac key (data) Hmac function for data using key || Concatenation operation

Terminal Registration Phase
The most important work in the terminal's registration phase is generating and storing the terminal's CRPs in GS. It is assumed that the GS is in a safe environment, and the registration procedure is executed in a secret channel.
Let N be the number of CRPs according to the application.

1.
GS CRPs select a random number as the starting point of the challenge, c start , and save it in the database, then set the challenge c = c start , and send c to terminal T ssl .

2.
T ssl saves c start = c as a starting point of the challenge. Inspire the SSL PUF chip by c, and get the response, r. Then send r to GS CRPs .
T ssl get the response, r, of the challenge, c, and return r to GS CRPs . 5.
Finally, T ssl saves the initial value of challenge c start , and GS CRPs saves c start and N groups CRPs of T ssl . Hash(TID||c) is transmitted and stored instead of c because the Hash(TID||c) will keep the forward security of the scheme. Even if T ssl was stolen, the attacker would not get the correct response, r, without the correct c.

Authentication Phase
The access authentication phase consists of satellite access authentication and terminal access authentication. The satellite access authentication realizes the secure key distribution based on matched SSL pairs, and the key buffer can be established in advance, reducing the communication overhead and improving efficiency. Terminal access authentication is implemented based on the common SSL. The procedures of the two phases are described below.

Satellite Access Authentication
Satellite Sat ssl_i and ground server GS ssl_i are equipped with matched SSL pairs, ssl_i and ssl_i . The access authentication procedure is shown in Figure 6.

1.
Sat ssl_i set Seed = SID i || Time , and inputs it to the Sequence Synchronization module, which produces challenge signals continuously to ssl_i. The BCH mode processes the output sequence, and the Hel per data is generated. Finally, the privacy amplifica-tion module extracts the symmetric key, K Sat i , from the output sequence. Sat ssl_i send SID i || Time||Hel per data to GS ssl_i publicly.

2.
GS ssl_i checks the SID i to verify the access authentication of the satellite and checks the Time to avoid a replay attack. Then, GS ssl_i gets nearly the same output sequence through ssl_i , recovered by the Hel per data. The secret key K Sat i is distributed after the privacy amplification module. GS ssl_i sends message SID i || Time||GID||Hmac K Sat i (SID i || Time||GID).

3.
Sat ssl_i gets the message and checks Hmac K Sat i (SID i || Time||GID) by the secret key, K Sat i , to confirm the key distribution protocol.

1.
_ set || , and inputs it to the Sequence Synchronization module, which produces challenge signals continuously to _ . The BCH mode processes the output sequence, and the is generated. Finally, the privacy amplification module extracts the symmetric key, , from the output sequence. , to confirm the key distribution protocol.
The secret key, , can also be a large key buffer that can be prepared as soon as the system is started. Thus, the satellite access authentication procedure will not cost much regarding calculation and communication consumption.

Terminal Access Authentication
In the terminal access authentication protocol, an SSL PUF chip is equipped in terminal , and its CRPs are stored in the ground server in the registration procedure.
_ serves as a transmitter in the protocol. and _ are the same ones, called in short. The _ and _ have established a secret channel before the terminal access authentication. Figure 7 shows the detailed processes. The secret key, K Sat i , can also be a large key buffer that can be prepared as soon as the system is started. Thus, the satellite access authentication procedure will not cost much regarding calculation and communication consumption.

Terminal Access Authentication
In the terminal access authentication protocol, an SSL PUF chip is equipped in terminal T ssl , and its CRPs are stored in the ground server GS CRPs in the registration procedure. Sat ssl_i serves as a transmitter in the protocol. GS CRPs and GS ssl_i are the same ones, called GS in short. The Sat ssl_i and GS ssl_i have established a secret channel before the terminal access authentication. Figure 7 shows the detailed processes.

1.
Terminal T ssl finds the starting point of challenge c start , sets c = c start , and updates c start = Hash(c start ). Then, it inspires ssl by challenge, c, and gets the response, r, error correct code, u. Then, K T is extracted from the response, r. The terminal T ssl sends a message TID||Time||u||Hash(TID||c) to the satellite, Sat ssl_i .

2.
The satellite Sat ssl_i checks the Time first to avoid a replay attack. Let message m = TID||Time||u||Hash(TID||c)||SID i . Satellite Sat ssl_i sends m Hmac K Sat i (m) to the GS.

3.
The ground server, GS, verifies Hmac K Sat i (m) with K Sat i first, and then checks the Time to avoid a replay attack. SID i and TID are checked if they were registered. Then, the pre-stored ( Hash(TID||c), r) was indexed by Hash(TID||c), and K T between T ssl and GS CRPs is extracted according to Figure 3 with ECC, u. Mark the index Hash(TID||c) to avoid a replay attack. 4.
The ground server, GS, generates a random number as the session key K TSi and gets the Time. Let message mt = K TSi ||Hash(TID||SID||Time||K TSi ). Let message ms = K TSi ||Hash(SID||TID||Time||K TSi ). GS sends TID||SID||Time Enc K T (mt) Enc K Sat i (ms) to Satellite Sat ssl_i .

5.
Satellite Sat ssl_i checks SID and Time first. Then, Enc K Sat i (ms) is decrypted by Sat ssl_i , the integrity of Hash(SID||TID||Time||K TSi ) is verified. Sat ssl_i gets the session key K TSi . Let mst = TID||SID||Time Enc K T (mt) . Sat ssl_i sends TID||SID||Time Enc K T (mt) Hmac K TSi (mst) to terminal T ssl . 6.
Terminal T ssl checks TID and Time first. Then, T ssl decrypts Enc K T (mt) with K T and gets the session key K TSi . Then, Hmac K TSi (mst) is verified with K TSi . Terminal access authentication and key distributed are verified.

Handover Authentication Phase
Since the satellites are switching around in the air space, the handover authentication is considered to provide continuous network service to terminals on the ground [8,12]. A pre-switch handover authentication protocol is proposed based on the SSL, as Figure 8 shows. Terminal T ssl can accomplish the pre-switch procedure before the handover switch so that the communication service is switched smoothly.

1.
When the terminal, T ssl , inspects that the satellite, Sat ssl_i , is going away from the service coverage, it sends a pre-switch request to Sat ssl_i . Let m 0 = TID||SID i ||Time||SCMD . Sends message m 0 Hmac K TSi (m 0 ) .

3.
The ground server, GS, verifies Hmac K Sat i (m 0 ) with K Sat i . Then checks TID, Time, and SID i . Next, GS calculates the next satellite, Sat ssl_j , to server the terminal T ssl . GS generates a new session key, K TSj , randomly. Let m 1 = TID SID j Time SCMD. Then, it sends m 1 Enc K Sat j K TSj Hmac K Sat j (m 1 K TSj ) to Sat ssl_j .

4.
Sat ssl_j checks SID j and Time, and decrypts Enc K Sat j K TSj with K Sat j . Then, it verifies Hmac K Sat j (m 1 K TSj ) . Let m 2 = TID SID j Time CCMD . A confirmation message m 2 ||Hmac K Sat j (m 2 ) is sent back to GS.
Sat ssl_i verifies Hmac K Sat i (m 3 ) and sends m 3 ||Hmac K TSi (m 3 ) to terminal T ssl .

7.
Terminal, T ssl , verifies Hmac K TSi (m 3 ) with K TSi , checks TID and Time, decrypts Enc K T K TSj with K T , and verifies. Hmac K T TID SID j Time||CCMD||K TSj . The pre-switch protocol is finished.
shows. Terminal T can accomplish the pre-switch procedure before the handover switch so that the communication service is switched smoothly.

Mutual Authentication
The mutual authentication between the satellite, Sat ssl_i , and ground server, GS ssl_i , relays on the matched SSL pairs ssl_i and ssl_i . According to Equation (4), only the matched SSL pairs can achieve the same session key with the same Seed and publicly transfer Hel per data.
In terminal access authentication, the terminal, T ssl , and ground server, GS ssl_i , authenticate each other based on the pre-stored CRPs in GS ssl_i . Only the corresponding terminal with the correct SSL chips can authenticate with GS ssl_i . Concerning terminal, T ssl , and satellite, Sat ssl_i , the same symmetric secret key, K TSi , is the key point of authentication.
Hmac K TSi (mst) can be verified successfully by the legitimate Sat ssl_i with the same K TSi that the GS ssl_i distributes.
The new satellite, Sat ssl_j , authenticates with GS in the handover authentication scenario based on the matched SSL pairs. Terminal, T ssl , authenticates with GS based on the symmetric key, K T , between them.

Key Distribution
Similar to the mutual authentication scheme, the key distribution scheme employs the matched SSL pairs and pre-stored CRPs to accomplish the key distribution function. Only the legitimate terminal or satellite with the corresponding SSL PUF chips will achieve the symmetric secret key. Attackers without the SSL chips cannot recover the secret key successfully.

Against Masquerade Attack
Unclonable SSL PUF makes the masquerade attack impossible. The cost and resource to clone or fake certain SSL chip is enormous, which make it is impossible [35].

Against Replay Attack
The proposed scheme used Time to avoid replay attacks in the authentication and key distribution protocols. Furthermore, Time is added to the integrity by Hash or Hmac. In addition, the GS marks the used index Hash(TID||c) in case a replay authentication messes up the system. The replay attack can be detected by the authentication code or timestamp validation.

Against Man-in-the-Middle Attack
A man-in-the-middle attacker without SSL chips cannot generate the correct response, r, nor recover the correct symmetric secret key, K Sat i , or K T . The attacker cannot fake the Hmac or decrypt the session key K TSi , so no one can play the middle man in the protocol.

Forward Security
If terminal, T ssl , was hijacked, the attacker gets the legal SSL chip. In this scenario, the correct response will be captured by the attacker too. In our scheme, the terminal sends Hash(TID||c) instead of the exact challenge, c, as the index of the CRPs in the GS. According to the one-way function property of Hash, the attacker cannot get the correct challenge, c, from Hash(TID||c). Thus, even if T ssl was stolen, the attacker cannot get the correct response, r, without the correct challenge, c. The attacker cannot recover the forward messages, which are encrypted by response, r.

Quantum Computing Threat
Modern cryptographic systems need to be prepared to withstand the threats posed by the era of quantum computing. The SSL-PUF belongs to physical cryptography just as the quantum key distribution scheme does. The movement of the electronics in SSL-PUF is unpredictable, and the behaviors are extremely sensitive to the nanoscale layers GaAs/Al 0.45 Ga 0.55 As, which contains millions of atoms. Therefore, it is impossible to copy the exact SSL-PUF chip. Simulating the structure of SSL mathematically is also impractical, even with a modest quantum computer [39,40].

Formal Security Analysis
Since the satellite access authentication between the satellite and ground station relies on the matched SSL pairs, which can be seen as matched keys physically, the attackers could not fetch the correct session keys even if he has got the authentication information online. The Handover authentication protocol is also the same principle. Therefore, the formal security analysis will focus on the terminal access authentication protocol.
The formal security analysis is employed by the Mao Boyd logic, which is improved on the Ban logic [56]. We use T, Sat, and GS to represent the terminal, satellite, and ground station.
Following the definitions and rules in [56], we generated the idealized protocol below: 1.
According to [56], unnecessary information on authentication is omitted. In message (1), Time is the challenge from T to Sat. Hmac K Sat i (m) together with Time in message (2) are the challenges from Sat to GS. The first K TSi in message (3) is the response to Time. The second K TSi is the response to Hmac K Sat i (m). The cipher of K TSi ||Hash(TID||SID||Time||K TSi ) is sent in message (3), and the TID and SID are equivalently sent secretly. Note that the challenge and response are different from the concepts in PUF.
The goal of the formal analysis is to prove the statement "T believes K TSi is a good secret between T and Sat": The tableau for the procedure of proof is shown in Figure 9.

Simulation
The simulation of regular PUF in the terminal or satellite is conducted on a standalone circuit board, as Figure 10 shows. The simulation circuit board transmits challenges and responses through a USB 2.0 port. The BCH encoder and decoder program run in a Field Programmable Gate Array (FPGA). A regular SSL chip is equipped in the circuit board to simulate the terminal and a matched SSL chip instead for satellite.

Simulation
The simulation of regular PUF in the terminal or satellite is conducted on a standalone circuit board, as Figure 10 shows. The simulation circuit board transmits challenges and responses through a USB 2.0 port. The BCH encoder and decoder program run in a Field Programmable Gate Array (FPGA). A regular SSL chip is equipped in the circuit board to simulate the terminal and a matched SSL chip instead for satellite.
The simulation for the GS is carried out on a circuit board, as shown in Figure 11. At the same time, four matched SSL pairs are equipped in the circuit board to simulate four satellites negotiating with GS. The simulation circuit board is designed by Suzhou Institute of Nano-tech and Nano-Bionics (SINANO), Chinese Academy of Sciences.
The performance of the proposed scheme is evaluated and compared in the computation overhead and communication overhead. Depending on the different emphasis, the performance of the access authentication is compared with the existing access authentication schemes, such as references [7][8][9][10]12]. The handover authentication scheme is compared with handover schemes in [8,11,12,14,18]. We choose SM4-128 bit [57] as the symmetric encryption algorithm, SM3 256 bit as the hash function, SM3-HMAC 256 bit [58] as Hmac, and set elliptic curve parameters as SM2 [59]. The simulation for the GS is carried out on a circuit board, as shown in Figure 11. At the same time, four matched SSL pairs are equipped in the circuit board to simulate four satellites negotiating with GS. The simulation circuit board is designed by Suzhou Institute of Nano-tech and Nano-Bionics (SINANO), Chinese Academy of Sciences. The performance of the proposed scheme is evaluated and compared in the computation overhead and communication overhead. Depending on the different emphasis, the performance of the access authentication is compared with the existing access authentication schemes, such as references [7][8][9][10]12]. The handover authentication scheme is compared with handover schemes in [8,11,12,14,18]. We choose SM4-128 bit [58] as the symmetric encryption algorithm, SM3 256 bit as the hash function, SM3-HMAC 256 bit [59] as Hmac, and set elliptic curve parameters as SM2 [60].

Computational Overhead
In order to evaluate the computational overhead, some typical operations are simulated and tested. Referring to [8], the terminal and satellite are simulated on Intel Core m3-6Y30 CPU@0.9 GHz, and the ground server is simulated on Intel Core i7-6600@2.6GHz. The runtime costs are evaluated by library openssl-1.0.2e, and details are in Table 2. The , , , and are special SSL PUFs, representing the cost of SSL response, BCH, and Privacy Amplification module. The computation cost of the compared schemes is calculated according to each protocol. Detail operation is abstracted from the protocol and accumulated based on the cost of each operation in Table 2.
The computation cost comparison of the terminal authentication scheme is in Table  3. The results show that our terminal authentication scheme has an obvious advantage compared with the scheme based on Elliptic Curve Cryptography [7][8][9][10] because the point  The simulation for the GS is carried out on a circuit board, as shown in Figure 11. At the same time, four matched SSL pairs are equipped in the circuit board to simulate four satellites negotiating with GS. The simulation circuit board is designed by Suzhou Institute of Nano-tech and Nano-Bionics (SINANO), Chinese Academy of Sciences. The performance of the proposed scheme is evaluated and compared in the computation overhead and communication overhead. Depending on the different emphasis, the performance of the access authentication is compared with the existing access authentication schemes, such as references [7][8][9][10]12]. The handover authentication scheme is compared with handover schemes in [8,11,12,14,18]. We choose SM4-128 bit [58] as the symmetric encryption algorithm, SM3 256 bit as the hash function, SM3-HMAC 256 bit [59] as Hmac, and set elliptic curve parameters as SM2 [60].

Computational Overhead
In order to evaluate the computational overhead, some typical operations are simulated and tested. Referring to [8], the terminal and satellite are simulated on Intel Core m3-6Y30 CPU@0.9 GHz, and the ground server is simulated on Intel Core i7-6600@2.6GHz. The runtime costs are evaluated by library openssl-1.0.2e, and details are in Table 2. The , , , and are special SSL PUFs, representing the cost of SSL response, BCH, and Privacy Amplification module. The computation cost of the compared schemes is calculated according to each protocol. Detail operation is abstracted from the protocol and accumulated based on the cost of each operation in Table 2.
The computation cost comparison of the terminal authentication scheme is in Table  3. The results show that our terminal authentication scheme has an obvious advantage compared with the scheme based on Elliptic Curve Cryptography [7][8][9][10] because the point Figure 11. Simulation circuit board for the terminal/satellite.

Computational Overhead
In order to evaluate the computational overhead, some typical operations are simulated and tested. Referring to [8], the terminal and satellite are simulated on Intel Core m3-6Y30 CPU@0.9 GHz, and the ground server is simulated on Intel Core i7-6600@2.6 GHz. The runtime costs are evaluated by library openssl-1.0.2e, and details are in Table 2. The T pu f , T BCHE , T BCHD , and T PA are special SSL PUFs, representing the cost of SSL response, BCH, and Privacy Amplification module. The computation cost of the compared schemes is calculated according to each protocol. Detail operation is abstracted from the protocol and accumulated based on the cost of each operation in Table 2. The computation cost comparison of the terminal authentication scheme is in Table 3. The results show that our terminal authentication scheme has an obvious advantage compared with the scheme based on Elliptic Curve Cryptography [7][8][9][10] because the point multiplication over an elliptic curve is somewhat more time-consuming than hash and symmetric encryption, as shown in Figure 12. From the aspect of the total cost, our scheme is a little slower than the scheme based on a pre-distributed symmetric key [12], but still at the same level. However, the symmetric key distribution and management is cryptography's most important and difficult point. Thus, our scheme, based on SSL PUF, has achieved the unconditional security key distribution with full entropy.

Communication Overhead
Communication overhead is also a performance for the authentication scheme since SAGIN has a complex network structure and diverse communication protocol that the communication link is weak and narrow. The authentication schemes are compared based on the same communication parameters in reference [8]. The SSL PUF parameters and others are listed in Table 5. The challenge, , response, , error correcting code, , and are 511 bits because the SSL PUF chip has a 5% deviation for the same challenge. BCH and Privacy Amplification modules are used to correct the deviation, and full entropy is ensured by the min-entropy of SSL [53].
The communication overhead of the terminal authentication protocol is in Table 6. Similar to the computational overhead in Table 3, the scheme based on SSL needs less communication bandwidth than the schema based on Elliptic Curve Cryptography [7][8][9][10], since the public key transmitted needs more bits. The schema based on a pre-distributed symmetric key [12] uses the minimum overhead. The communication overhead of the handover authentication protocol in Table 7 shows the same conclusion. The schemes in references [8,14] pre-negotiate the handover information while our scheme performs handover dynamically and needs only a few bits compared to the pre-distributed scheme. The results show that our scheme is much more appropriate for handover authentication.
Compared with the communication overhead, the interactive times are also a heavy burden in a protocol. The interactive times of the terminal authentication and handover authentication are listed separately in Tables 6 and 7. The data shows that our scheme The computational cost comparison of handover authentication also shows a similar conclusion in Table 4. References [10][11][12] and our scheme are much faster than the scheme base on Elliptic Curve Cryptography [8] and bilinear pairings [14]. However, our scheme solved the key distribution problem properly and has a similar computation cost compared to references [10][11][12]. Since the handover authentication cost disparity is too big to show in one Figure, no comparison results are shown, as in Figure 12.

Communication Overhead
Communication overhead is also a performance for the authentication scheme since SAGIN has a complex network structure and diverse communication protocol that the communication link is weak and narrow. The authentication schemes are compared based on the same communication parameters in reference [8]. The SSL PUF parameters and others are listed in Table 5. The challenge, c, response, r, error correcting code, u, and Hel per data are 511 bits because the SSL PUF chip has a 5% deviation for the same challenge. BCH and Privacy Amplification modules are used to correct the deviation, and full entropy is ensured by the min-entropy of SSL [52]. The communication overhead of the terminal authentication protocol is in Table 6. Similar to the computational overhead in Table 3, the scheme based on SSL needs less communication bandwidth than the schema based on Elliptic Curve Cryptography [7][8][9][10], since the public key transmitted needs more bits. The schema based on a pre-distributed symmetric key [12] uses the minimum overhead. The communication overhead of the handover authentication protocol in Table 7 shows the same conclusion. The schemes in references [8,14] pre-negotiate the handover information while our scheme performs handover dynamically and needs only a few bits compared to the pre-distributed scheme. The results show that our scheme is much more appropriate for handover authentication.  Compared with the communication overhead, the interactive times are also a heavy burden in a protocol. The interactive times of the terminal authentication and handover authentication are listed separately in Tables 6 and 7. The data shows that our scheme needs fewer times in the terminal authentication procedure. Compared with the handover authentication of [18] and [14] without a server, our scheme behaves normally, because our scheme needs the ground station to switch to a new satellite.
In Section 4.1, GS needs to save N groups (Hash(TID||c), r) for each terminal. In this case, Hash(TID||c) is 128 bits and r is 511 bits. For each terminal, if it needs to authenticate 5000 times in one day, GS needs almost 5000 × 365 × 10 × 80 ≈ 1393 Mb for 10 years of service life. One GS services 1000~2000 terminals easily.

Conclusions
Many solutions are proposed regarding the high mobility and low latency in SAGIN. Among them, the flexible access requirement is fulfilled over public key cryptography; however, it is time-consuming. Protocols based on pre-shared symmetric keys show excellent performance, but how to share the symmetric keys is a difficult assumption, especially for the enormous and flexible terminals. The inherent security of SSL PUF makes it suitable to be the physical security root for SAGIN. A mutual access authentication and key distribution scheme are proposed based on SSL PUF. The security analysis shows that the protocol achieves unconditionally secure key distribution and can defend against masquerade attacks, replay attacks, and man-in-the-middle attacks. The performance evaluation results show that the proposed protocols have an obvious advantage over the elliptic curve or bilinear pairings-based protocols and settle down the pre-share symmetric key problem in SAGIN in case of little performance cost. Our scheme reveals excellent authentication function and sufficient efficiency. In the future, the group key distribution among SSL PUF chips will be the main focus of our research.