Secure Vehicular Communications Speaker: Xiaodong Lin University of Waterloo
Outline Introduction Related work TSV C TESLA-based Security protocol for Vehicular Communication (TSVC) Conclusion and future work
Introduction Curve speed warning, work zone warning etc position, current time, direction, velocity, acceleration/ deceleration, etc Traffic Message Emergency Message
Introduction (cont’d) Vehicular Communications Network Vehicles are equipped with communication, positioning and computation devices. They form a huge self-organized ad hoc network (VANET) to communicate with each other as well as roadside units. VANET is a promising approach to road safety, such as avoid collision. increase road safety, such as avoid collision. traffic management facilitate traffic management Tremendous benefits Traffic jam ahead
Vehicular Communication Networks are Emerging Many applications Vehicle safety applications Intersection Collision Warning However : securityprivacy There are many security and privacy concerns with respect to the messages exchanged and transmitted in VANETs. Need secure and privacy-preserving communication protocols [VSCP2006] Vehicle Safety Communications Project. 12/ /PDFTOC.htm
Traffic jam ahead Introduction (cont’d) An Example of attack : Bogus traffic information [RH07] M. Raya and J. P. Hubaux, Securing vehicular ad hoc networks, Journal of Computer Security, Vol. 15, No. 1, pp , 2007.
At 3:00 - Vehicle A spotted at position P1 At 3:15 - Vehicle A spotted at position P2 Note: Privacy is a very important issue in vehicular networks Vehicle A belongs to John! Introduction (cont’d) An Example of user privacy attack: Movement tracking John was somewhere at when!
An Example of Traceability Note: Traceability is another very crucial issue in vehicular networks We need to find someone who may be able to provide valuable information about the accident.
Security and Privacy Concerns: Sending bogus traffic information Message integrity attack Message replay attack Impersonation attack Denial of Service Movement tracking – Anonymity One desirable requirement Identity traceability in exceptional cases Conditional Anonymity Messages should be transmitted unaltered from a trusted party Introduction (cont’d)
Related Work Previous PKI based approach [RH2005] M. Raya, J.P. Hubaux. The security of vehicular ad hoc networks. In Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks SASN '05. November, ELP(ID a ) ELP(ID b ) ELP(ID a ) ELP(ID b ) … ELP(ID j ) Anonymous certificate list M
Related Work (cont’d) Group signature based approach [LSHS2007] X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology. Vol. 56, No. 6, November, group manager Vehicle private key, group public key Group signature: 1. A Group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group. 2. Essential to a group signature scheme is a group manager, who is in charge of adding group members and has the ability to reveal the original signer in the event of disputes.
Facts: Message are sent 100ms~300ms. 666~2000 cars within the communication range. 666~2000 messages to verify per second. Achieving the goals of verifying all the messages in a timely manner and lower cryptographic overhead is a challenging work for all existed public key schemes. 666 messages to be verified for each vechile! Challenges facing nowadays in VANETs
Motivation Design an efficient and secure scheme, which can allow each vehicle to verify all the received messages in a timely manner with lower message loss ratio and lower cryptographic overhead.
Broadcast Authentication Broadcast is basic communication mechanism; Vehicular communication is broadcast in nature. Sender broadcasts data; Each receiver verifies data origin and integrity. Sender Bob M Carol M JohnAlice MM
TESLA (Time Efficient Stream Loss-Tolerant Authentication) Uses purely symmetric primitives In TESLA, each message is attached with a MAC tag only. Self-authenticating keys The sender makes use of a hash chain as cryptographic keys in the MAC operations. Delayed authentication technique Message receivers are loosely synchronized. Provides fast source authentication (1 MAC operation) with lower cryptographic overhead (20 bytes). [PCTS2002] Adrian Perrig, Ran Canetti, J. D. Tygar, Dawn Song. The TESLA Broadcast Authentication Protocol. In CryptoBytes, vol. 5, No. 2, Summer/Fall 2002, pp
Proposed TESLA-based security protocol Fact: each vehicle will receive a serial of messages from the same source. Vehicle Group Formation [LZSHS2007] X. Lin, C. Zhang, X. Sun, P.-H. Ho and X. Shen. Performance Enhancement for Secure Vehicular Communications. IEEE Global Communications Conference (GLOBECOM'07), Washington, DC, USA, Nov , 2007.
Each vehicle generates a hash chain initiated from a random seed S, where,, (i<j), according to each anonymous key pair and Cert i. Verify Signature Verify MAC sender receiver Interval 1 Interval 2 Interval i Delayed authentication Proposed TESLA-based security protocol
Some other discussions (1/4) The choice of key release delay Keys are released after all nodes have received the previous data packet. (We set as 100ms) Before verifying the message, the receiver should first check if the corresponding key has been released or not. M h source MAC h (M’)|M’
Some other discussions (2/4) The capability to deal with message loss. If data packet is lost, ignore it. If key release packet is lost, suppose h i is the last received value: Check if ? If so, go on to verify the message. hihi h i+1 h i+2 hjhj lost received
Some other discussions (3/4) Group member fluctuation The neighborhood of each car does not change seriously, but it is subject to fluctuation occasionally. The new comer will catch up with the new messages by repeatedly applying the hash function. Stores its information for a while Send the signed tip of the hash chain 1
Communication overhead (4/4) The comparison of the communication overhead Lifetime of the certificate10mins Message generating frequency300ms Group member fluctuation frequency10sec The length of ECDSA certificate125bytes Total information needs to be transmitted for ECDSA-2048 scheme576,000bytes Total information needs to be transmitted for TSVC scheme333,020bytes
Performance evaluation Impact of the traffic load on the MLR in highway scenario Impact of the traffic load on the MD in highway scenario Impact of the traffic load on the MLR in city scenario Impact of traffic load on the MD in city scenario
Conclusions Proposes a TSVC protocol to reduce the computation overhead. Retains the security properties. Allow each vehicle to verify all the received messages in a timely manner with lower message loss ratio and lower cryptographic overhead.
Future work How to improve the efficiency of the CRL check up procedure? Migrating the CRL check-up operations to the RSU side, which will instead perform the process and broadcast the check-up result to the vehicles in its communication range will be an interesting solution.
Questions & Comments ? 25 Thanks!