Professor Pin-Han Ho Ph.D. Department of Electrical and Computer Engineering University of Waterloo, Canada On Achieving Secure and Privacy- Preserving Vehicular Communications

Agenda  Some briefs  Introduction of VANETs  Privacy Issues  Verification Issues  Conclusions 2Speaker: Pin-Han Ho University of Waterloo

 Traffic accidents – According to the Traffic Safety Facts Annual Report, over 6 million police- reported motor vehicle crashes occurred in the United States alone in Nearly 1.95 million resulted in an injury, and 42,352 resulted in a death.  Millions of people daily commute in the city or the highway – Congestion control is of importance Why do we need Vehicular networks ? 3 Introduction Speaker : Pin-Han Ho

 System Model Vehicular Ad Hoc Networks 4  Vehicle-to-Vehicle (V2V) Communication  Vehicle-to- Infrastructure (V2I or V2R) Communication Vehicular ad hoc networks (VANETs) Each vehicle is embedded with a WiFi-enable device Introduction Speaker : Pin-Han Ho

Dedicated Short Range Communications MHz  Before December 17, 2003  Range < 30 meters  Data rate = 0.5 mbps  Designed for Electronic Toll Collection (ETC), but can be used for other applications  Single unlicensed channel  Vehicle to roadside  C ommand-response New 5.9 GHz  On December 17, 2003  Range to 1000 meters  Data rate 6 to 27 mbps  Designed for general internet access, can be used for ETC  7 licensed channels  Vehicle to roadside & vehicle to vehicle  Command-response & peer to peer Reference: Introduction Speaker : Pin-Han Ho

DSRC at 5.9G 6  75 MHz band has been allocated by the Federal Communication Commission (FCC) at 5.9 GHz  Band allows both safety and commercial applications to coexist  Safety application typically need <15% of capacity  Broadcast safety message every ms Introduction Speaker : Pin-Han Ho

 Safety-related Applications – According to Dedicated Short Range Communications (DSRC) protocol, each vehicle one-hop broadcasts its traffic-related information every ms. Applications 7 What’s in front of that bus ? On rainy days On foggy days From: TrafficView Outdoors Introduction Speaker : Pin-Han Ho

8 Curve speed warning, work zone warning etc position, current time, direction, velocity, acceleration/ deceleration, etc Traffic Message Emergent Message Introduction Speaker : Pin-Han Ho Applications

 Entertainment-related Applications – Digital data downloading/uploading ( , mp3, video) – Location Information requiring (map, the nearest restaurant/gas station/plaza, etc. ) Applications 9Introduction Speaker : Pin-Han Ho

 Commercial applications – Commercial advertisements forwarding Applications 10Introduction Speaker : Pin-Han Ho

 Traffic control applications Applications 11Introduction Speaker : Pin-Han Ho –Optimize traffic flow –Road side unit (RSU) at intersections real time collects traffic information (# of vehicle) –A control center controls the traffic light

Privacy Issues

 Protect user privacy – Each driver does not like expose his/her identity and the corresponding location information to the third party.  Achieve conditional privacy – There should exist a trust authority (TA) – In case that an abuse happens, TA can trace the real identity of a user/driver. Privacy 13Privacy issues Speaker : Pin-Han Ho

Anonymous Certificate Approach 14 ELP(ID a ) ELP(ID b ) ELP(ID a ) ELP(ID b ) … ELP(ID j ) Disadvantage: 1. Huge storage cost 2. Management overhead Anonymous certificate list M  Public Key Infrastructure (PKI)-based approach Speaker : Pin-Han Ho Privacy issues M. Raya and J.-P. Hubaux, “The Security of Vehicular Ad Hoc Networks,” ACM workshop on Security of ad hoc and sensor networks (SASN'05), pp , 2005.

Group signature Approach 15  Divide the communications into two parts: no anonymity requirement X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp , Group Signature Scheme Id-based Signature scheme RSU Speaker : Pin-Han Ho Privacy issues

 Communications between vehicles – Why use group signature scheme? It provides anonymity of the signers. The verifiers can judge whether the signer belongs to a group without knowing who the signer is in the group. However, in exceptional situations, the group manager is able to reveal the unique identity of the signature’s originator. – Choose ‘short group signature’ scheme proposed by Dan Boneh [1] 16 [1] D. Boneh, X. Boyen, and H. Shacham. Short group signatures, In Proceedings of Crypto '04,2004. Speaker : Pin-Han Ho Group signature Approach Privacy issues

 Brief protocol diagram 17 Speaker : Pin-Han Ho Group signature Approach Privacy issues

 Advantage: – GSIS reduce the number of private and public key pairs stored at both vehicle side and TA side – Conditional privacy preservation. It is easy for TA to trace the real identity of an internal attacker  Disadvantage: – High computation overhead (slow verify speed) 18 Speaker: Pin-Han Ho Group signature Approach Privacy issues

 Combine above two schemes – Each vehicle generates multiple public and private key pairs, which are used for signing messages. – Each vehicle is assigned a group private key, which is used for signing a certificate instead of for signing messages. – The generated public and private key pairs are signed with a vehicle’s group private key. The signature is used as a certificate. Hybrid Approach 19 Speaker: Pin-Han Ho G. Calandriello, P. Papadimitratos,.A. Lioy, J.-P. Hubaux, “Efficient and Robust seudonymous Authentication in VANET, ” ACM Workshop on VANET, Privacy issues

20 Speaker: Pin-Han Ho Hybrid Approach  Advantage: – The hybrid approach can achieve a computation tradeoff between the group signature scheme and the anonymous certificate approach  Disadvantage: – Still have scalability issues – Slow verification speed – A bottleneck in a high traffic density scenario Privacy issues

21  With a VANET, a company (such as McDonald’s) could locate multiple access points (APs) on the road. These APs can provide an internet access.  Any two adjacent APs should overlap each other such as a vehicle can access the Internet seamlessly. Speaker: Pin-Han Ho Privacy issues during a handover Issues: 1.Two adjacent APs can distinguish the same car. 2. APs can know the trajectory of the vehicle. Privacy issues

 Vehicle v1 and v2 pre-obtain a blind signature of the access point AP1. The blind signature are used for credentials when vehicles hand over.  AP1 can only verify whether a signature is valid or not, but cannot know which vehicle (i.e., v1 or v2) holds the signature  AP1 cannot distinguish v1 and v2 in this figure The blind signature based solution 22 Speaker: Pin-Han Ho C. Zhang, R. Lu, P.-H. Ho, and A. Chen, A Location Privacy Preserving Authentication Scheme in Vehicular Networks, The IEEE Wireless Communications & Network Conference (WCNC), Las Vegas, Nevada, USA, Privacy issues

 Analysis 23Speaker: Pin-Han Ho Blind Zone The blind signature based solution The tracking probability depends on ―the number of vehicles in a blind zone ―the distance that a vehicle travels Privacy issues

Verification Issues

25  Scalability Verification issues Facts According to DSRC, messages are sent in every100 ~ 300 ms, e.g., 300 ms Communication range of a vehicle is 300 m, i.e., radius = 300, for each vehicle, its communication range is π300 2 sq.m. Suppose that vehicles use ECDSA to sign a message. Verifying a signature takes 3.87 ms, i.e., maximally 78 vehicles can be verified in a cycle Goal Speaker: Pin-Han Ho Verification Issues Challenge It is hard for the existing public- key based signature schemes to verify a large number of signatures in 300 ms

26 IEEE Std IEEE Trial-Use Standard for wireless access in vehicular environments – Security Services Challenge How to reduce communication overhead as much as possible. At the same time, other security issues (e.g., privacy, scalability, etc.) should also be addressed The second Goal Communication Overhead Speaker: Pin-Han Ho Verification Issues

27 The proposed scheme: RAISE  Comparison Public key based Symmetric key based Speed slow fast Communication Overhead high low Broadcast Authentication Yes No (if using only key)  A hybrid approach RAISE: An RSU-aided Message Authentication Scheme RSU Suppose the RSU is trusted Speaker: Pin-Han Ho Verification Issues -- Approach I C. Zhang, X. Lin, R. Lu, P. –H. Ho, and X. Shen, “An Efficient Message Authentication Scheme for Vehicular Communications”, IEEE Transactions on Vehicular Technology, Vol. 57, Issue 6, Nov. 2008

28 key1 key2  Mutual authentication v1v1 v2v2  Message sending (on the vehicle side ) Each vehicle periodically broadcasts messages, which can be received by its neighbors and the RSU v1v1 Message and signature signed with key1 v2v2 RSU The Protocols of RAISE Speaker: Pin-Han Ho Vehicles and RSU authenticate each other. Only the RSU can verify Key1 and Key2 are different! Verification Issues -- Approach I

29  Authenticity reporting After the RSU verifies the message of V1, the RSU reports the result to its neighbors The Protocols of RAISE Speaker: Pin-Han Ho v1v1 Message and signature signed with key1 v3v3 RSU v2v2  Result aggregation (on the RSU side ) In a short time interval Δt, the RSU received multiple messages and signatures. Then, the RSU reports all the results accumulated during Δt. Verification Issues -- Approach I

30  The whole process The Protocols of RAISE Speaker: Pin-Han Ho v1v1 RSU v2v2 v3v3 : Result Aggregation Verification Issues -- Approach I

31  Issues caused by loss in contention and lossy channel RSU-to-vehicle Make the vehicle, which does not receive result aggregation, fail in verifying a message Vehicle-to-RSU Make the RSU fail in receiving a message, thus all the other surrounding vehicles cannot verify the message from the vehicle Issues in RAISE Speaker: Pin-Han Ho Verification Issues -- Approach I

32 Performance Evaluation of RAISE Fig. 1. Average loss ratio vs. Traffic load As the number of vehicles increases, the loss ratio increases. However, RAISE has the lowest loss ratio. Clearly, RAISE has the lowest communication overhead since it uses MAC tag instead of PKI-based signatures Fig. 2. Communication overhead (in 1min) vs. Traffic load Speaker: Pin-Han Ho Verification Issues -- Approach I

33 To Further Probe  RSU may not be pervasive – RSUs may not cover all the busy streets of a city or a highway (e.g., at the early stage of VANETs' deployment) – Physical damage of some RSUs, or simply for economic considerations  What if there is no RSU? – TESLA-based approach (called TSVC ) – Batch verification approach Speaker: Pin-Han Ho Verification Issues -- Approach I

34 TSVC:TESLA based security protocol  What is TESLA ( Time Efficient Stream Loss-Tolerant Authentication ) – In TESLA, Each message is attached a MAC tag only. – The sender makes use of a hash chain as cryptographic keys in the MAC operations. – The hash keys are released a certain period of time later than the messages. – Message receivers are loosely synchronized.  Provides fast source authentication with lower communication overhead. X. Lin, X. Sun, X. Wang, C. Zhang, P.-H. Ho and X. Shen. TSVC: Timed Efficient and Secure Vehicular Communications with Privacy Preserving. IEEE Transactions on Wireless Communications, to appear. Speaker: Pin-Han Ho Verification Issues -- Approach II

35  Each vehicle generates a hash chain initiated from a random seed S, where,,(i<j), according to each anonymous Verify Signature Verify MAC sender receiver Interval 1 Interval 2 Interval i TSVC:TESLA based security protocol Speaker: Pin-Han Ho Verification Issues -- Approach II

36  The choice of key release delay – Keys are released after all nodes have received the previous data packet. (We set as 100ms) – Before verifying the message, the receiver should first check if the corresponding key has been released or not. M h source MAC h (M’)|M’ TSVC:TESLA based security protocol Speaker: Pin-Han Ho Verification Issues -- Approach II

37  We compare the performances of the four schemes: – PKI, GSIS, TSVC(GSIS), TSVC(PKI) Impact of the vehicle’s moving speed on Message Delay in highway scenario Impact of the vehicle’s moving speed on Message Loss Ratio in highway scenario Performance Evaluation of TSVC Verification Issues -- Approach II

 Accelerate verification speed  Choose Batch verification – The speed of verifying a batch of signatures is faster than that of verifying each of signatures one by one – We use a pairing technique to achieve this [ZLLHS08] 38 Speaker: Pin-Han Ho Batch verification Verification Issues -- Approach III [ZLLHS08] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An Efficient Identity- based Batch Verification Scheme for Vehicular Sensor Networks”, The IEEE Conference on Computer Communications (INFOCOM), Phoenix, USA, 2008.

 Analogy Batch verification 39 Speaker: Pin-Han Ho Energy ++ = ＞ Verification Issues -- Approach III

Batch verification  To accelerate verify speed, we do verification on a batch of signatures once. M1, Sig(M1)M2, Sig(M2)Mn, Sig(Mn) … Batch: Sig(M1)+Sig(M2)+…+Sig(Mn), then verify the summation Accelerate the speed of verifying multiple signatures 40 Speaker: Pin-Han Ho Verification Issues -- Approach III

 We compare our scheme with BLS signature and ECDSA signature schemes  The larger the total number of signature is, the faster the whole verify speed is 41 Verify speed Speaker: Pin-Han Ho Verification Issues -- Approach III Verification delay vs. Traffic density

 Since our scheme is identity-based, a message does not included a certificate  Here, 30,000 corresponds to the number of messages sent by 150 vehicles in 1 minute 42 Communication overhead Speaker: Pin-Han Ho Verification Issues -- Approach III Transmission overhead vs. the number of messages received by an RSU in 1 minute

Conclusions  Introduction of VANETs - Applications - Issues on Privacy Preservation and Verification 43 Speaker: Pin-Han Ho

Thanks! Questions?