23/4/19 1

Secure Vehicular CommunicationsSecure Vehicular Communications

Speaker: Xiaodong Lin

University of Waterloo

http://bbcr.uwaterloo.ca/~xdlin/

23/4/19 2

OutlineIntroductionRelated workTTESLA-based SSecurity protocol for

VVehicular CCommunication (TSVC)Conclusion and future work

23/4/19 3

Introduction

Curve speed warning,work zone warning etc

position, current time, direction, velocity, acceleration/

deceleration, etc

Tra

ffic

Me

ss

ag

e

Emergency Message

23/4/19 4

Introduction (cont’d)Vehicular Communications Network

Vehicles are equipped with communication, positioning and computation devices. They form a huge self-organized ad hoc network (VANET) to communicate with each other as well as roadside units.

VANET is a promising approach to increase road safetyroad safety, such as, such as avoid collision. avoid collision.facilitate traffic managementtraffic managementTremendous benefits

Traffic jam

ahead

23/4/19 5

Vehicular Communication Networks are Emerging

Many applicationsVehicle safety

applications Intersection Collision

Warning

However :There are many securitysecurity and privacyprivacy concerns with respect

to the messages exchanged and transmitted in VANETs.Need secure and privacy-preserving communication

protocols [VSCP2006] Vehicle Safety Communications Project. http://www-nrd.nhtsa.dot.gov/pdf/nrd-

12/060419-0843/PDFTOC.htm

23/4/19 6

Traffic jam

ahead

Introduction (cont’d)An Example of attack : Bogus traffic information

[RH07] M. Raya and J. P. Hubaux, Securing vehicular ad hoc networks, Journal of Computer Security, Vol. 15, No. 1, pp. 39-68, 2007.

23/4/19 7

At 3:00- Vehicle A spotted at position P1

At 3:15- Vehicle A spotted at position P2

Note: Privacy is a very important issue in vehicular networks

Vehicle A belongs to

John!

Introduction (cont’d)An Example of user privacy attack: Movement tracking

John was somewhere at

when!

23/4/19 8

An Example of Traceability

Note: Traceability is another very crucial issue in vehicular networks

We need to find someone who may be able to provide valuable information about the accident.

23/4/19 9

Security and Privacy Concerns:Sending bogus traffic

informationMessage integrity attackMessage replay attackImpersonation attackDenial of ServiceMovement tracking –

Anonymity

One desirable requirementIdentity traceability in

exceptional cases

Conditional Anonymity

Messages should be transmitted

unaltered from a trusted party

Introduction (cont’d)

23/4/19 10

Related WorkPrevious PKI based approach

[RH2005] M. Raya, J.P. Hubaux. The security of vehicular ad hoc networks. In Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks SASN '05. November, 2005.

...

,,

,,

222

111

aaa

aaa

CertSKPK

CertSKPK

...

,,

,,

222

111

bbb

bbb

CertSKPK

CertSKPK

ELP(IDa)

ELP(IDb)

ELP(IDa)ELP(IDb)

…

ELP(IDj)

Anonymous certificate list M )(MSig sk pkCert

...1P iP

...1iP 2iP

...1P iP

...1iP 2iP

23/4/19 11

Related Work (cont’d)Group signature based approach

[LSHS2007] X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology. Vol. 56, No. 6, November, 2007.

group manager

Vehicle private key, group public key

Group signature:

1. A Group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group.

2. Essential to a group signature scheme is a group manager, who is in charge of adding group members and has the ability to reveal the original signer in the event of disputes.

23/4/19 12

Facts:Message are sent

100ms~300ms.666~2000 cars within the

communication range.666~2000 messages to

verify per second. Achieving the goals of

verifying all the messages in a timely manner and lower cryptographic overhead is a challenging work for all existed public key schemes.

100 - 200 bytes 100 - 600 bytesSafety

messageCryptographic payload

{Position, speed, acceleration, direction,

time, safety events}

{Signer’s DS, Signer’s PK, CA’s certificate of PK}

Signer

Verifier

SignerSigner

1km1km

666 messages to be verified for each vechile!

Challenges facing nowadays Challenges facing nowadays

in VANETsin VANETs

23/4/19 13

MotivationDesign an efficient and

secure scheme, which can allow each vehicle to verify all the received messages in a timely manner with lower message loss ratio and lower cryptographic overhead.

100 - 200 bytes 100 - 600 bytesSafety

messageCryptographic payload

{Position, speed, acceleration, direction,

time, safety events}

{Signer’s DS, Signer’s PK, CA’s certificate of PK}

23/4/19 14

Broadcast AuthenticationBroadcast is basic communication mechanism; Vehicular

communication is broadcast in nature.Sender broadcasts data;Each receiver verifies data origin and integrity.

Sender

Bob

M

Carol

M

JohnAliceMM

23/4/19 15

TESLA (Time Efficient Stream Loss-Tolerant Authentication)

TESLA (Time Efficient Stream Loss-Tolerant Authentication)Uses purely symmetric primitives

In TESLA, each message is attached with a MAC tag only.

Self-authenticating keysThe sender makes use of a hash chain as cryptographic

keys in the MAC operations.

Delayed authentication techniqueMessage receivers are loosely synchronized.

Provides fast source authentication (1 MAC operation) with lower cryptographic overhead (20 bytes).

[PCTS2002] Adrian Perrig, Ran Canetti, J. D. Tygar, Dawn Song. The TESLA Broadcast Authentication Protocol. In CryptoBytes, vol. 5, No. 2, Summer/Fall 2002, pp. 2-13.

23/4/19 16

Proposed TESLA-based security protocol

Fact: each vehicle will receive a serial of messages from the same source.

Vehicle Group Formation

[LZSHS2007] X. Lin, C. Zhang, X. Sun, P.-H. Ho and X. Shen. Performance Enhancement for Secure Vehicular Communications. IEEE Global Communications Conference (GLOBECOM'07), Washington, DC, USA, Nov. 26-30, 2007.

O1

N2N1

N3 O2

Group A Group B

23/4/19 17

Each vehicle generates a hash chain initiated from a random seed S, where , , (i<j), according to each anonymous key pair and Certi.

1h

1 2, ,..., nh h h

nh S ( )j ii jh H h

,i iPK SK

2h ih

1M 2M iM1M 1 1( )hMAC M2M 2 2( )hMAC M ...

...

iM ( )ih iMAC M

1h1( )skSign h

Verify Signature

VerifyVerify MACMAC

...

?

2 1( )H h h

VerifyVerify MACMAC VerifyVerify MACMAC

?

1( )i iH h h

sender

receiver

Interval 1Interval 1 Interval 2Interval 2 Interval iInterval i

Delayed authentication

Proposed TESLA-based security protocol

23/4/19 18

Some other discussions (1/4)The choice of key release delay

Keys are released after all nodes have received the previous data packet. (We set as 100ms)

Before verifying the message, the receiver should first check if the corresponding key has been released or not.

M

h

sourceMACh(M’)|M’

23/4/19 19

Some other discussions (2/4)The capability to deal with message loss.

If data packet is lost, ignore it.If key release packet is lost, suppose hi is the

last received value:

Check if ? If so, go on to verify the message.

hi hi+1 hi+2 hj

lost lostreceived received

...

( )j ij iH h h

23/4/19 20

Some other discussions (3/4)Group member fluctuation

The neighborhood of each car does not change seriously, but it is subject to fluctuation occasionally.

The new comer will catch up with the new messages by repeatedly applying the hash function.

Stores its information for

a while

Send the signed tip of the hash

chain

1

23/4/19 21

Communication overhead (4/4)

The comparison of the communication overhead

Lifetime of the certificate 10mins

Message generating frequency 300ms

Group member fluctuation frequency 10sec

The length of ECDSA certificate 125bytes

Total information needs to be transmitted for ECDSA-2048 scheme

576,000bytes

Total information needs to be transmitted for TSVC scheme

333,020bytes

23/4/19 22

Performance evaluation

Impact of the traffic load on the MLR in highway scenario

Impact of the traffic load on the MD in highway scenario

Impact of the traffic load on the MLR in city scenario

Impact of traffic load on the MD in city scenario

23/4/19 23

ConclusionsProposes a TSVC protocol to reduce the

computation overhead.Retains the security properties.Allow each vehicle to verify all the received messages

in a timely manner with lower message loss ratio and lower cryptographic overhead.

23/4/19 24

Future workHow to improve the efficiency of the CRL

check up procedure? Migrating the CRL check-up operations to the

RSU side, which will instead perform the process and broadcast the check-up result to the vehicles in its communication range will be an interesting solution.

23/4/19 25

Questions & Comments ?

25

Thanks!