Formal Analysis of V2X Revocation Protocols


1 Formal Analysis of V2X Revocation Protocols
Jorden Whitefield, Liqun Chen, Frank Kargl, Andrew Paverd, Steve Schneider, Helen Treharne and Stephan Wesemeyer
University of Surrey, UK; Ulm University, Germany; Aalto University, Finland
STM 2017, Oslo, Norway
10/04/2019

2 Outline
- Security challenges of Intelligent Transportation Systems
- Revocation in Vehicle-to-Anything (V2X) communication
- Formal Verification of REWIRE Protocols: PLAIN and R-TOKEN
- O-TOKEN: Addressing the issues found

3 Intelligent Transport Systems (ITS)
What are they?
- ITSs are the combination of transport and ICT systems to enable safer, coordinated, environmentally friendly, and smarter transportation networks.
- ITSs use pseudonyms (short-lived certificates) for authenticated message exchange.
- Pseudonyms change frequently to protect the privacy of vehicles.
Standards: ISO, ETSI and IEEE WAVE

(1 minute) Features of an Intelligent Transportation System are traffic control systems, cruise control, navigation, parking guidance and fleet management. But the application area goes far beyond the automotive use case; the techniques here could be applied to rail, aviation, water, connected smart cities, etc. There already exist a few standards which focus on the security and privacy of such systems: ISO, ETSI and WAVE. ISO = Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional components

4 Overview of V2X Security
- Trust: Architecture, Attestation, Assurance
- Privacy: Anonymity, Pseudonymity, Unlinkability, Unobservability
- Authentication: Authorisation, Revocation
- Software: Safety / Run time Verification, Assurance

There are four key areas for V2X security:
- Privacy: How can we defend against mass surveillance in V2X?
- Authentication: How can I authenticate to others in a timely manner, where time is essential to safety, and preserve privacy? What assurance do I have that the messages received are genuine? How can a member of the network participate without exposing their identity?
- Trust: Which parts of my system need to be secured to maintain system security? How can I be sure neighbouring systems are in a trustworthy state? Are the other vehicles on the road actually vehicles? How can I be sure?
- Software: Software is eating the world and is being written by unskilled people, resulting in errors. We need to verify the design and runtime of the system, both inside and outside the car. Software is everywhere. How confident am I in my software system, i.e. that it doesn't fail? Can I detect problems at run time and fix them?

5 Pseudonyms in V2X
Pseudonyms can enable:
- Anonymity
- Pseudonymity
- Unlinkability
- Unobservability

Pseudonym certificates (pseudonyms) are the most commonly applied way to address privacy concerns and are also foreseen in emerging standards. Anonymity is a requirement in a V2X network, as various privacy issues arise from the frequent and real-time broadcasting of the position of vehicles.

6 How do you remove a rogue vehicle?
1. Using Pseudonym Certificate Revocation Lists (does not scale)
2. Prevent vehicle from broadcasting network messages, by deleting its issued pseudonyms

In this example we see the car in the middle broadcasting bad messages to the surrounding vehicles. Bad messages could be the result of a faulty sensor or a compromised vehicle. The bad vehicle has to be removed from the network so that it does not cause harm to the other vehicles; this is known as 'revocation'. Revocation needs to be timely, as the state of the art currently relies on CRLs being distributed, and privacy-preserving: removing the vehicle without revealing its true identity.

8 Pseudonym Lifecycle
For revocation to happen, let us look at the typical lifecycle of pseudonyms. Abstractly, an Intelligent Transportation System has three trusted third parties:
- CA: issues long-term credentials to vehicles.
- PP: responsible for handing out shorter-lived pseudonym certificates.
- RA: collects reports on misbehaviour, and takes decisions to revoke misbehaving entities from the ITS.

V1 authenticates itself with the CA to obtain a long-term credential, which it uses to get fresh pseudonyms from the PP. It presents the credential to download a set of pseudonyms, which V1 then uses for authenticated communication with another vehicle, V2. During the V2X communication V1 detects some strange behaviour from V2 and issues a report against the pseudonym V2 is currently using. Over time, as other vehicles in the system also report V2, the RA creates a revocation request and broadcasts it onto the network, where V2 will receive it. Once it is received, V2 deletes its pseudonyms and confirms the revocation with the RA.

9 Existing REWIRE Protocols
By D. Förster, H. Löhr, J. Zibuschka, F. Kargl at TRUST 2015
- Use of Trusted Components (TC) to support revocation
- TC = no Certificate Revocation Lists
- Two schemes identified in paper:
  - PLAIN: Uses pseudonyms to sign "confirm revocation" messages
  - R-TOKEN: Link token scheme. Uses long-term key pair for "confirm revocation" message signing

10 Formal Analysis of REWIRE Protocols
Goals
- Authentication: Completion of the protocol confirms the intended vehicle has been revoked
- Functional Correctness: revocation happens even in presence of a change of pseudonym
Analysis performed using the TAMARIN Prover
- Symbolic protocol analysis
- Behavior defined as Multiset Rewrite rules
- Properties expressed on traces using logic

11 Summary of Results
- PLAIN: is not functionally correct. Revocation can only occur when there is no change of pseudonym
- R-TOKEN: has an authentication flaw. Revocation confirmation cannot be verified by the RA
- O-TOKEN: Improvement to the REWIRE protocols that ensures correct revocation

12 PLAIN

13 PLAIN

14 R-TOKEN
- Creates pseudo-linkability between pseudonyms
- Vehicles in this scheme have long term key-pair PKVj / SKVj
- Introduces extra field 'R-TOKEN' in pseudonyms
- Pseudonym now consists of a key-pair and R-TOKEN.

15 R-TOKEN
[Protocol diagram; labels: Includes R-TOKEN, Auth]

16 OBSCURE-TOKEN (O-TOKEN)
- New key-pair "O keys" SKO / PKO
- O-TOKEN is an encryption of SKO under vehicle long-term symmetric key:
- Pseudonyms contain O-TOKEN and PKO

17 O-TOKEN
[Protocol diagram; labels: Auth, Auth]
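
A symbolic Python model of the three schemes, added here as an illustration and not taken from the slides or from the authors' TAMARIN models; it checks the two goals from slide 10: is the vehicle revoked after a pseudonym change, and can the RA verify the confirmation. Assumptions: all class and function names are hypothetical, the TC under PLAIN matches a request against the pseudonym in use, the R-TOKEN value is the same in every pseudonym of a vehicle, O keys are fresh per pseudonym, and the RA holds only the public fields of the reported pseudonym.

```python
# Symbolic model: keys, signatures and ciphertexts are tagged tuples, not real crypto.
def keypair(name): return ("sk", name), ("pk", name)
def sign(msg, sk): return ("sig", msg, sk)
def verify(sig, msg, pk): return sig == ("sig", msg, ("sk", pk[1]))
def senc(msg, key): return ("senc", msg, key)
def sdec(ct, key): return ct[1] if ct[0] == "senc" and ct[2] == key else None

class Vehicle:
    """Vehicle whose trusted component (TC) stores n pseudonyms for one scheme."""
    def __init__(self, scheme, n=3):
        self.scheme, self.current, self.store = scheme, 0, []
        self.skv, self.pkv = keypair("V")      # long-term key pair SKV / PKV
        self.kv = ("symkey", "V")              # long-term symmetric key
        for i in range(n):
            sk, pk = keypair(f"ps{i}")
            ps = {"pk": pk}                    # public part of the pseudonym
            if scheme == "R-TOKEN":            # assumed: one token value per vehicle
                ps["token"] = ("rtoken", "V")
            if scheme == "O-TOKEN":            # assumed: fresh O keys per pseudonym
                sko, pko = keypair(f"o{i}")
                ps["token"], ps["pko"] = senc(sko, self.kv), pko
            self.store.append((sk, ps))

    def pseudonym(self): return self.store[self.current][1]
    def change_pseudonym(self): self.current = (self.current + 1) % len(self.store)

    def on_revoke(self, req):
        """TC side: wipe the store and return a signed confirmation, or None."""
        sk, ps = self.store[self.current]
        if self.scheme == "PLAIN":             # assumed: match on pseudonym in use
            key = sk if req == ps["pk"] else None
        elif self.scheme == "R-TOKEN":         # confirmation signed with SKV
            key = self.skv if req == ps["token"] else None
        else:                                  # SKO recovered only from own tokens
            key = sdec(req, self.kv)
        if key is None: return None
        self.store = []
        return sign(("confirm", req), key)

def run(scheme, change):
    """Revoke the reported pseudonym; return (vehicle revoked, RA verified)."""
    v = Vehicle(scheme)
    reported = v.pseudonym()
    if change: v.change_pseudonym()
    req = reported["pk"] if scheme == "PLAIN" else reported["token"]
    conf = v.on_revoke(req)
    ra_keys = [reported[f] for f in ("pk", "pko") if f in reported]  # assumed RA view
    ok = conf is not None and any(verify(conf, ("confirm", req), k) for k in ra_keys)
    return v.store == [], ok
```

With `change=True`, `run` returns `(False, False)` for PLAIN, `(True, False)` for R-TOKEN and `(True, True)` for O-TOKEN in this model, which lines up with the summary of results on slide 11.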

18 Future research directions
- Finer-grained model to capture privacy
- Use DAA to explore alternate architectures

