Professor Pin-Han Ho, Ph.D.
Department of Electrical and Computer Engineering
University of Waterloo, Canada
On Achieving Secure and Privacy-Preserving Vehicular Communications
Agenda
Some briefs
Introduction of VANETs
Privacy Issues
Verification Issues
Conclusions
Speaker: Pin-Han Ho, University of Waterloo
Traffic accidents
– According to the Traffic Safety Facts Annual Report, over 6 million police-reported motor vehicle crashes occurred in the United States alone in 2007. Nearly 1.95 million resulted in an injury, and 42,352 resulted in a death.
Millions of people commute daily in the city or on the highway
– Congestion control is of importance
Why do we need vehicular networks?
System Model
Vehicular Ad Hoc Networks
Vehicle-to-Vehicle (V2V) Communication
Vehicle-to-Infrastructure (V2I or V2R) Communication
Vehicular ad hoc networks (VANETs)
Each vehicle is equipped with a WiFi-enabled device
Dedicated Short Range Communications
915 MHz (before December 17, 2003)
– Range < 30 meters
– Data rate = 0.5 Mbps
– Designed for Electronic Toll Collection (ETC), but can be used for other applications
– Single unlicensed channel
– Vehicle to roadside
– Command-response
5.9 GHz (new, on December 17, 2003)
– Range to 1000 meters
– Data rate 6 to 27 Mbps
– Designed for general internet access, can be used for ETC
– 7 licensed channels
– Vehicle to roadside & vehicle to vehicle
– Command-response & peer to peer
Reference: http://www.leearmstrong.com/DSRC/DSRCHomeset.htm
DSRC at 5.9G
75 MHz band has been allocated by the Federal Communication Commission (FCC) at 5.9 GHz
Band allows both safety and commercial applications to coexist
Safety applications typically need <15% of capacity
Broadcast safety message every 100-300 ms
Safety-related Applications
– According to the Dedicated Short Range Communications (DSRC) protocol, each vehicle one-hop broadcasts its traffic-related information every 100-300 ms.
Applications
[Figure: TrafficView Outdoors, "What's in front of that bus?", on rainy days and on foggy days. From: http://discolab.rutgers.edu/workshops/2006/helsinki/slides/shankar.ppt]
Curve speed warning, work zone warning, etc.
Position, current time, direction, velocity, acceleration/deceleration, etc.
Traffic Message
Emergent Message
Applications
Entertainment-related Applications
– Digital data downloading/uploading (Email, mp3, video)
– Location information requests (map, the nearest restaurant/gas station/plaza, etc.)
Applications
Commercial applications
– Commercial advertisements forwarding
Applications
Traffic control applications
Applications
– Optimize traffic flow
– Road side units (RSUs) at intersections collect traffic information (number of vehicles) in real time
– A control center controls the traffic light
Privacy Issues
Protect user privacy
– No driver wants to expose his/her identity and the corresponding location information to a third party.
Achieve conditional privacy
– There should exist a trust authority (TA)
– In case an abuse happens, the TA can trace the real identity of a user/driver.
Privacy
Anonymous Certificate Approach
Public Key Infrastructure (PKI)-based approach
[Figure: anonymous key sets held by the vehicles, the anonymous certificate list, and the message format]
– Vehicle a: $(PK_a^1, SK_a^1, Cert_a^1), (PK_a^2, SK_a^2, Cert_a^2), \ldots$
– Vehicle b: $(PK_b^1, SK_b^1, Cert_b^1), (PK_b^2, SK_b^2, Cert_b^2), \ldots$
– Anonymous certificate list: $ELP(ID_a), ELP(ID_b), \ldots, ELP(ID_j)$, with entries $P_{i1}, P_{i2}, \ldots$
– Message format: $M$, $Sig_{sk}(M)$, $Cert_{pk}$
Disadvantage:
1. Huge storage cost
2. Management overhead
M. Raya and J.-P. Hubaux, “The Security of Vehicular Ad Hoc Networks,” ACM workshop on Security of ad hoc and sensor networks (SASN'05), pp. 11-21, 2005.
Group signature Approach
Divide the communications into two parts:
no anonymity requirement
X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, 2007.
Group Signature Scheme
Id-based Signature scheme
RSU
Communications between vehicles
– Why use a group signature scheme?
• It provides anonymity of the signers.
• The verifiers can judge whether the signer belongs to a group without knowing who the signer is in the group.
• However, in exceptional situations, the group manager is able to reveal the unique identity of the signature's originator.
– Choose the 'short group signature' scheme proposed by Dan Boneh [1]
[1] D. Boneh, X. Boyen, and H. Shacham. Short group signatures, In Proceedings of Crypto '04, 2004.
Group signature Approach
Brief protocol diagram
Group signature Approach
Advantage:
– GSIS reduces the number of private and public key pairs stored at both the vehicle side and the TA side
– Conditional privacy preservation. It is easy for the TA to trace the real identity of an internal attacker
Disadvantage:
– High computation overhead (slow verification speed)
Group signature Approach
Combine the above two schemes
– Each vehicle generates multiple public and private key pairs, which are used for signing messages.
– Each vehicle is assigned a group private key, which is used for signing a certificate instead of for signing messages.
– The generated public and private key pairs are signed with the vehicle's group private key. The signature is used as a certificate.
Hybrid Approach
G. Calandriello, P. Papadimitratos, A. Lioy, J.-P. Hubaux, “Efficient and Robust Pseudonymous Authentication in VANET,” ACM Workshop on VANET, 2007.
Hybrid Approach
Advantage:
– The hybrid approach can achieve a computation tradeoff between the group signature scheme and the anonymous certificate approach
Disadvantage:
– Still has scalability issues
– Slow verification speed
– A bottleneck in a high traffic density scenario
With a VANET, a company (such as McDonald’s) could locate multiple access points (APs) on the road. These APs can provide Internet access.
Any two adjacent APs should overlap each other so that a vehicle can access the Internet seamlessly.
Privacy issues during a handover
Issues:
1. Two adjacent APs can distinguish the same car.
2. APs can know the trajectory of the vehicle.
Vehicles v1 and v2 pre-obtain a blind signature of the access point AP1. The blind signatures are used as credentials when vehicles hand over.
AP1 can only verify whether a signature is valid or not, but cannot know which vehicle (i.e., v1 or v2) holds the signature
AP1 cannot distinguish v1 and v2 in this figure
The blind signature based solution
C. Zhang, R. Lu, P.-H. Ho, and A. Chen, A Location Privacy Preserving Authentication Scheme in Vehicular Networks, The IEEE Wireless Communications & Network Conference (WCNC), Las Vegas, Nevada, USA, 2008.
Analysis
Blind Zone
The blind signature based solution
• The tracking probability depends on
― the number of vehicles in a blind zone
― the distance that a vehicle travels
Verification Issues
Scalability
Verification issues
Facts
– According to DSRC, messages are sent every 100 ~ 300 ms, e.g., 300 ms
– The communication range of a vehicle is 300 m, i.e., radius = 300; for each vehicle, its communication range covers $\pi \cdot 300^2$ sq. m.
– Suppose that vehicles use ECDSA to sign a message. Verifying a signature takes 3.87 ms, i.e., at most 78 vehicles can be verified in a cycle
Goal
Challenge
– It is hard for the existing public-key based signature schemes to verify a large number of signatures in 300 ms
IEEE Std. 1609.2-2006, IEEE Trial-Use Standard for wireless access in vehicular environments – Security Services
Challenge
– How to reduce communication overhead as much as possible. At the same time, other security issues (e.g., privacy, scalability, etc.) should also be addressed
The second Goal
Communication Overhead
The proposed scheme: RAISE
Comparison
                          Public key based    Symmetric key based
Speed                     slow                fast
Communication overhead    high                low
Broadcast authentication  Yes                 No (if using only key)
A hybrid approach
RAISE: An RSU-aided Message Authentication Scheme
RSU
Suppose the RSU is trusted
C. Zhang, X. Lin, R. Lu, P.-H. Ho, and X. Shen, “An Efficient Message Authentication Scheme for Vehicular Communications”, IEEE Transactions on Vehicular Technology, Vol. 57, Issue 6, Nov. 2008
The Protocols of RAISE
Mutual authentication
– Vehicles and RSU authenticate each other.
– [Figure: v1 with key1 and v2 with key2, each after mutual authentication with the RSU] Key1 and Key2 are different!
Message sending (on the vehicle side)
– Each vehicle periodically broadcasts messages, which can be received by its neighbors and the RSU
– [Figure: v1 sends a message and a signature signed with key1 to v2 and the RSU] Only the RSU can verify
The Protocols of RAISE
Authenticity reporting
– After the RSU verifies the message of v1, the RSU reports the result to its neighbors
– [Figure: v1 sends a message and a signature signed with key1; the RSU sends the result to v2 and v3]
Result aggregation (on the RSU side)
– In a short time interval Δt, the RSU receives multiple messages and signatures. Then, the RSU reports all the results accumulated during Δt.
The whole process
The Protocols of RAISE
[Figure: v1, v2 and v3 send messages (M) to the RSU, followed by the RSU's result aggregation]
Issues caused by loss in contention and a lossy channel
RSU-to-vehicle
– A vehicle that does not receive the result aggregation fails to verify a message
Vehicle-to-RSU
– The RSU fails to receive a message, so none of the other surrounding vehicles can verify the message from that vehicle
Issues in RAISE
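The RAISE exchange and the two loss cases above, as an added Python example that is not code from the slides or from the RAISE paper. The report format (truncated SHA-256 digests over sender id and message), the class names and the constructed keys are assumptions, and the RSU's own authentication of its report is assumed and left out.

```python
import hashlib
import hmac

def digest(vid, msg):  # assumed report entry: truncated hash of sender id and message
    return hashlib.sha256(vid.encode() + b"|" + msg).digest()[:16]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Vehicle:
    def __init__(self, vid, key):
        self.vid, self.key = vid, key  # key is shared with the RSU only
        self.pending = {}              # digest -> message awaiting the RSU's result

    def broadcast(self, msg):
        return (self.vid, msg, mac(self.key, msg))

    def hear(self, packet):  # a neighbor has no key, so the tag is opaque to it
        self.pending[digest(*packet[:2])] = packet[1]

    def on_report(self, report):  # accept only what the RSU vouched for
        return [self.pending.pop(d) for d in report if d in self.pending]

class RSU:
    def __init__(self, keys):
        self.keys = keys               # vehicle id -> key from mutual authentication
        self.window = []               # digests verified during the current interval

    def receive(self, packet):
        vid, msg, tag = packet
        key = self.keys.get(vid)
        if key is None or not hmac.compare_digest(mac(key, msg), tag):
            return False
        self.window.append(digest(vid, msg))
        return True

    def aggregate(self):
        # End of the interval: one report for every message verified in it.
        # Assumption: the RSU authenticates this report to the vehicles (omitted).
        report, self.window = self.window, []
        return report

def demo():
    # Constructed scenario: v2 receives the report, v3 loses it (RSU-to-vehicle loss).
    v1, v2, v3 = (Vehicle(n, n.encode() * 8) for n in ("v1", "v2", "v3"))
    rsu = RSU({"v1": v1.key})
    packets = [v1.broadcast(b"brake ahead"), ("v1", b"road clear", b"\0" * 32)]
    for pkt in packets:
        v2.hear(pkt); v3.hear(pkt); rsu.receive(pkt)
    return v2.on_report(rsu.aggregate()), len(v3.pending)
```

In `demo()`, v2 accepts only the genuine message, while v3 is left with both the genuine and the forged packet unverified because it never saw the report.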
Performance Evaluation of RAISE
Fig. 1. Average loss ratio vs. Traffic load
As the number of vehicles increases, the loss ratio increases. However, RAISE has the lowest loss ratio.
Clearly, RAISE has the lowest communication overhead since it uses a MAC tag instead of PKI-based signatures
Fig. 2. Communication overhead (in 1min) vs. Traffic load
To Further Probe
RSUs may not be pervasive
– RSUs may not cover all the busy streets of a city or a highway (e.g., at the early stage of VANETs' deployment)
– Physical damage of some RSUs, or simply for economic considerations
What if there is no RSU?
– TESLA-based approach (called TSVC)
– Batch verification approach
TSVC:TESLA based security protocol
What is TESLA (Timed Efficient Stream Loss-Tolerant Authentication)?
– In TESLA, each message carries only a MAC tag.
– The sender uses the elements of a hash chain as the cryptographic keys in the MAC operations.
– The hash keys are released a certain period of time later than the messages.
– Message receivers are loosely synchronized.
Provides fast source authentication with lower communication overhead.
X. Lin, X. Sun, X. Wang, C. Zhang, P.-H. Ho and X. Shen. TSVC: Timed Efficient and Secure Vehicular Communications with Privacy Preserving. IEEE Transactions on Wireless Communications, to appear.
Each vehicle generates a hash chain $h_1, h_2, \ldots, h_n$ initiated from a random seed $S$, where $h_n = S$, $h_i = H^{j-i}(h_j)$ $(i<j)$, according to each anonymous key pair $(PK_i, SK_i)$
[Figure: sender and receiver timelines over Interval 1, Interval 2, ..., Interval i]
Sender:
– Interval 1: $M_1$, $MAC_{h_1}(M_1)$, then $h_1$, $Sign_{sk}(h_1)$
– Interval 2: $M_2$, $MAC_{h_2}(M_2)$, then $h_2$
– ...
– Interval i: $M_i$, $MAC_{h_i}(M_i)$, then $h_i$
Receiver:
– Interval 1: verify signature, verify MAC
– Interval 2: check $H(h_2) \stackrel{?}{=} h_1$, verify MAC
– ...
– Interval i: check $H(h_i) \stackrel{?}{=} h_{i-1}$, verify MAC
TSVC:TESLA based security protocol
The choice of key release delay
– Keys are released after all nodes have received the previous data packet. (We set it to 100 ms)
– Before verifying the message, the receiver should first check if the corresponding key has been released or not.
[Figure: source, $M$, $h$, $MAC_h(M')|M'$]
TSVC:TESLA based security protocol
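The receiver-side checks from the two TSVC slides above (hash-chain check, MAC check and the key-release check), as an added Python example that is not code from the slides or from the TSVC paper. It generalizes the one-step check H(h_i) = h_{i-1} to H^{i-j}, so a key lost on the channel is recovered from a later one; the 300 ms interval, SHA-256/HMAC, all names, and an already verified Sign_sk(h_1) are assumptions.

```python
import hashlib
import hmac

INTERVAL = 0.300  # seconds between broadcasts (assumed; the slides give 100-300 ms)
DELAY = 0.100     # key release delay from the slides

def H(data):
    return hashlib.sha256(data).digest()

def hash_chain(seed, n):
    """Return {i: h_i} with h_n = seed and h_i = H(h_{i+1})."""
    chain = {n: seed}
    for i in range(n - 1, 0, -1):
        chain[i] = H(chain[i + 1])
    return chain

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def release_time(i):  # time, from the sender's start, at which h_i is disclosed
    return (i - 1) * INTERVAL + DELAY

class Receiver:
    def __init__(self, h1):
        # Assumption: Sign_sk(h_1) was already verified against the sender's certificate.
        self.idx, self.key = 1, h1
        self.buffer = {}  # interval -> (message, tag), waiting for its key

    def on_message(self, i, msg, tag, now):
        # Reject if h_i is (or may be) public: anyone could have built this tag.
        if i <= self.idx or now >= release_time(i):
            return False
        self.buffer[i] = (msg, tag)
        return True

    def on_key(self, i, key):
        """Authenticate h_i against the chain, then verify buffered messages."""
        keys = {i: key}
        for j in range(i - 1, self.idx - 1, -1):  # recompute h_{i-1} ... h_idx
            keys[j] = H(keys[j + 1])
        if i <= self.idx or not hmac.compare_digest(keys[self.idx], self.key):
            return []
        self.idx, self.key = i, key
        ok = []
        for j in sorted(k for k in self.buffer if k <= i):
            msg, tag = self.buffer.pop(j)
            if hmac.compare_digest(mac(keys[j], msg), tag):
                ok.append(msg)
        return ok
```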
We compare the performance of the four schemes:
– PKI, GSIS, TSVC(GSIS), TSVC(PKI)
[Figure: Impact of the vehicle’s moving speed on Message Delay in highway scenario. Axes: vehicle moving speed (m/s) vs. average message delay (s). Curves: GSIS, PKI, TSVC(GSIS), TSVC(PKI)]
[Figure: Impact of the vehicle’s moving speed on Message Loss Ratio in highway scenario. Axes: vehicle moving speed (m/s) vs. average message loss ratio (%). Curves: GSIS, PKI, TSVC(GSIS), TSVC(PKI)]
Performance Evaluation of TSVC
Accelerate verification speed
Choose batch verification
– The speed of verifying a batch of signatures is faster than that of verifying each of the signatures one by one
– We use a pairing technique to achieve this [ZLLHS08]
Batch verification
[ZLLHS08] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An Efficient Identity-based Batch Verification Scheme for Vehicular Sensor Networks”, The IEEE Conference on Computer Communications (INFOCOM), Phoenix, USA, 2008.
Analogy
Batch verification
[Figure: energy analogy for batch verification]
Batch verification
To accelerate verification, we verify a batch of signatures at once.
M1, Sig(M1); M2, Sig(M2); …; Mn, Sig(Mn)
Batch: Sig(M1)+Sig(M2)+…+Sig(Mn), then verify the summation
Accelerate the speed of verifying multiple signatures
We compare our scheme with the BLS signature and ECDSA signature schemes
The larger the total number of signatures is, the faster the overall verification speed is
Verify speed
Verification delay vs. Traffic density
Since our scheme is identity-based, a message does not include a certificate
Here, 30,000 corresponds to the number of messages sent by 150 vehicles in 1 minute
Communication overhead
Transmission overhead vs. the number of messages received by an RSU in 1 minute
Conclusions
Introduction of VANETs
- Applications
- Issues on Privacy Preservation and Verification
Thanks!
Questions?