Presented by: Reut Barazani Limor Levy

Contents Introduction Digital signature broadcast message authentication TESLA broadcast message authentication Identification Other authentication mechanisms

Introduction One of the main challenges of securing broadcast communication is source authentication. Authentication- enabling receivers of broadcast data to verify that the received data really originates from the claimed source and was not modified in route This problem is complicated by mutually untrusted receivers and unreliable communication environments where the sender does not retransmit lost packets.

Authentication methods can be studied in two groups: message authentication and Entity (or Identification) authentication. Exmple: A and B, communicate using a message protocol. A is the sender of a message M, and B is the receiver. Depending on the type of communication or network, B would require one or more of the following on receipt of the message:

(1) Authentication of the message, (2) Integrity of the data included in the message, (3) Authentication of sender A. Message authentication provides assurance of the identity of A, the originator of the message M. This type of authentication also includes an evidence of data integrity because if M is modified during transmission, A cannot be the originator. Entity authentication assures B of both the identity of A and his active participation. To avoid replay attacks(i.e., a intruder masquerades as A, and sends a previously used message), time-variant data (sequence numbers, time stamps, etc.) can be added to the message.

VANET Authentication Authentication is the core security requirement in VANET VANET pose unique challenges, such as real-time constraints, processing limitations, memory constraints, extensibility and flexibility for future requirements, etc. Currently no proposed technique addresses all of these requirements.

Digital signature broadcast message authentication Mechanism that is default for VANET, commonly using public-private key cryptography. Example: authenticating vehicles beacon messages and safety messages

Broadcast message authentication algorithm 1. Node A signs a message m as S and broadcasts (m,S,C(A)) 2. Receiver B runs extracts algorithm and extracts A’s public key 3. B verifies the CRL for C(A) 4. B checks whether Ver PKA (m,S)=‘valid’

Pairwise authentication Pairwise example: vehicle is daily approaching the RSU for information in case of 1:1 relationship we apply different authentication protocol, only useful if there are repeated interactions We use MAC (Message Authentication Code) MAC is much more faster than digital signature and often based on hash algorithms.

MAC algorithm Require: nodes A and B share a common secret key K 1. Node A computes M=MAC(m,K) and sends (m,M) to B 2. B receives (m’,M’) and compute =MAC(m’,K) 3. B accepts the message if and only if =M’

Key agreement scheme In VANET predistributed keys are not feasible, therefore shared secret keys needs to be derived by means of a key agreement scheme. Correct design executes good key agreement scheme and then uses a KDF (Key Derivation Function) to derive 2 separate keys used for the authentication

Groupwise authentication Similar to pairwise message authentication, the different is that a group of vehicles communicate with one vehicles. A group of vehicles use common secret key K and key agreement scheme needs to be excuted. Useful only if group member exchange several messages before break up or regroup of vehicles, otherwise using broadcast authentication scheme provides superior preformance

TESLA broadcast message authentication Timed Efficient Stream Loss-tolerant Authentication TESLA provides run-time efficient authentication based on a mixture of digital signatures (in our case ECDSA) and MACs generated using symmetric cryptography at the cost of authentication delay at the receivers’ side. TESLA was originally intended for authenticating broadcast streams where a delay in authentication is negligible (such as authentication of a multimedia file stream or a stock market ticker)

Huand Laberteaux (2006) applied TESLA to VANET, and conclude that, despite some obstacles, TESLA is an appropriate authentication mechanism for VANET. TESLA uses time to provide asymmetric signature properties with symmetric functions.

TESLA Algorithm broadcast authentication. 1. Initially, A signs S := SigSKA(k0) and broadcasts S, C(A). 2. Each receiver B runs CERT_CHECK and verifies S. 3. for message mi in time interval ti, i = 1 to n do 4. A computes Mi := MAC(mi, ki) and broadcasts Mi, mi. 5. B checks whether it received Mi, mi in time interval ti and buffers it. 6. end for 7. for message mi in time interval ti+1, i = 1 to n do 8. A broadcasts ki. 9. B checks whether Mi?=MAC(mi, ki). 10: end for

TESLA Algorithm explanation : The sender attaches a MAC to each packet. The MAC is computed over the contents of the packet. For each packet, the sender uses the current key from the one-way chain as a cryptographic key to compute the MAC. The sender discloses a key from the one-way chain after some pre-defined time delay (e.g., the key used in time interval i is disclosed at time interval i+3). The receiver receives the packet. He knew the schedule for disclosing keys and it can check that the key used to compute the MAC was not yet disclosed by the sender.

If it was not, then the receiver buffers the packet. Otherwise the packet is dropped due to inability to authenticate. The receiver checks that the disclosed key belongs to the hash-chain (by checking against previously released keys in the chain) and then checks the correctness of the MAC. If the MAC is correct, the receiver accepts the packet.

The protocol principals: There needs to be time synchronization between sender and receiver (Otherwise, after a key was opened an attacker could use that key to forge messages) The vehicles in VANET come with GPS units and thus are constantly synchronized to a single global time signal such that accurate time synchronization can be assumed.

Advantages and disadvantages TESLA protocol offers authenticity at reduced costs without involving any shared secret between senders and receivers. For this advantage the protocol was suited even in constrained environments such as sensor networks.

Identification Unlike message authentication, identification (or entity authentication) enables a claimer to prove knowledge of a secret that only the claimer knows, thus proving its identity. An identification process needs to include timeliness in order to prove that the claimer definitely has knowledge of the secret. Timeliness might be proven by an interactive challenge–response protocol or by authenticating a timestamp

Since there is a globally accurate time source available in VANET, we suggest using the timestamp method describe here: Entity authentication with timestamp: 1. A computes S := SigSKA(t B) and sends S, t, Cert(A) to B. 2. B runs CERT_CHECK, verifies that the timestamp t is acceptable, and checks whether VerPKA (S, t B) ?=valid. There are several variations of this scheme (the digital signature can be replaced by a symmetric MAC or by encryption)

We expect that identification will be applied to identify a vehicle to an RSU or to a service provider, e.g., for tolling, payment services, and subscription services.

Other authentication mechanisms One-time and k-time signature scheme, a so-called signature propagation that authenticate several packets with single signature. For instance, the hash-value of the first packet is attached to the second, and so on. The last packet of such a chain is finally signed. The receiver needs to buffer all messages until it finally authenticates all packets of the chain by verifying the digital signature.

A. BiBa scheme-Bins and Balls Signature Perrig’s BiBa broadcast authentication (2001) – require very large public keys in the range of 10 Kbyte. Not suited for VANET having low bandwidth communication channels.

B. ID-based signature scheme Recently had a revival based on pairing based cryptography. ID-based schemes have an advantage in VANET since they don’t require distributing certificates and by that saving bandwidth.

ID-based signature scheme example:

Group signatures Each member of the group holds a private key, and there is a single public key for the group. Each group member is able to create signature and the message will be verified by the group’s public key. The verifier don’t know which group member signed the message. Slower than ECDSA