professor pin-han ho ph.d. department of electrical and computer engineering university of waterloo,...

Professor Pin-Han Ho Ph.D.Department of Electrical and Computer Engineering

University of Waterloo, Canada

On Achieving Secure and Privacy-Preserving Vehicular Communications

Agenda

Some briefs

Introduction of VANETs

Privacy Issues

Verification Issues

Conclusions

2Speaker: Pin-Han Ho University of Waterloo

Traffic accidents– According to the Traffic Safety Facts Annual Report, over 6 million police-

reported motor vehicle crashes occurred in the United States alone in 2007. Nearly 1.95 million resulted in an injury, and 42,352 resulted in a death.

Millions of people daily commute in the city or the highway

– Congestion control is of importance

Why do we need Vehicular networks ?

3IntroductionSpeaker : Pin-Han Ho

System Model

Vehicular Ad Hoc Networks

4

Vehicle-to-Vehicle (V2V) Communication

Vehicle-to-Infrastructure (V2I or V2R) Communication

Vehicular ad hoc networks (VANETs)

Each vehicle is embedded with a WiFi-enable device

IntroductionSpeaker : Pin-Han Ho

Dedicated Short Range Communications

5

915 MHz Before December 17, 2003

Range < 30 meters

Data rate = 0.5 mbps

Designed for Electronic Toll Collection (ETC), but can be used for other applications

Single unlicensed channel

Vehicle to roadside

Command-response

New 5.9 GHz On December 17, 2003

Range to 1000 meters

Data rate 6 to 27 mbps

Designed for general internet access, can be used for ETC

7 licensed channels

Vehicle to roadside & vehicle to vehicle

Command-response & peer to peer

Reference: http://www.leearmstrong.com/DSRC/DSRCHomeset.htm


DSRC at 5.9G

6

75 MHz band has been allocated by the Federal Communication Commission (FCC) at 5.9 GHz

Band allows both safety and commercial applications to coexist

Safety application typically need <15% of capacity

Broadcast safety message every 100-300 ms


Safety-related Applications– According to Dedicated Short Range Communications

(DSRC) protocol, each vehicle one-hop broadcasts its traffic-related information every 100-300 ms.

Applications

7

What’s in front of that bus ?

On rainy daysOn foggy days

From: http://discolab.rutgers.edu/workshops/2006/helsinki/slides/shankar.ppt

TrafficView Outdoors


8

Curve speed warning,work zone warning etc

position, current time, direction, velocity, acceleration/

deceleration, etc

Tra

ffic

Me

ss

ag

e

Emergent Message


Applications

Entertainment-related Applications– Digital data downloading/uploading (Email, mp3,

video) – Location Information requiring (map, the nearest

restaurant/gas station/plaza, etc. )

Applications


Commercial applications– Commercial advertisements forwarding

Applications


Traffic control applications

Applications


– Optimize traffic flow

– Road side unit (RSU) at intersections real time collects traffic information (# of vehicle)

– A control center controls the traffic light

Privacy Issues

Protect user privacy– Each driver does not like expose his/her identity

and the corresponding location information to the third party.

Achieve conditional privacy– There should exist a trust authority (TA)– In case that an abuse happens, TA can trace the

real identity of a user/driver.

Privacy

13Privacy issuesSpeaker : Pin-Han Ho

Anonymous Certificate Approach

14

1 1 1

2 2 2

, ,

, ,

...

a a a

a a a

PK SK Cert

PK SK Cert

...

,,

,,

222

111

bbb

bbb

CertSKPK

CertSKPK

ELP(IDa)

ELP(IDb)

ELP(IDa)ELP(IDb)

…

ELP(IDj)

Disadvantage:

1. Huge storage cost 2. Management overhead

Anonymous certificate list M )(MSig sk pkCert

...1PiP

...1iP 2iP

...1PiP

...1iP 2iP

Public Key Infrastructure (PKI)-based approach

Speaker : Pin-Han Ho Privacy issues

M. Raya and J.-P. Hubaux, “The Security of Vehicular Ad Hoc Networks,” ACM workshop on Security of ad hoc and sensor networks (SASN'05), pp. 11-21, 2005.

Group signature Approach

15

Divide the communications into two parts:

no anonymity

requirement

X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, 2007.

Group Signature Scheme

Id-based Signature scheme

RSU

Speaker : Pin-Han Ho Privacy issues

Communications between vehicles– Why use group signature scheme?

• It provides anonymity of the signers. • The verifiers can judge whether the signer belongs to a

group without knowing who the signer is in the group. • However, in exceptional situations, the group manager is

able to reveal the unique identity of the signature’s originator.

– Choose ‘short group signature’ scheme proposed by Dan Boneh[1]

16

[1] D. Boneh, X. Boyen, and H. Shacham. Short group signatures, In Proceedings of Crypto '04,2004.

Speaker : Pin-Han Ho


Privacy issues

Brief protocol diagram

17Speaker : Pin-Han Ho


Privacy issues

Advantage:– GSIS reduce the number of private and public key

pairs stored at both vehicle side and TA side– Conditional privacy preservation. It is easy for TA to

trace the real identity of an internal attacker

Disadvantage:– High computation overhead (slow verify speed)

18Speaker: Pin-Han Ho


Privacy issues

Combine above two schemes– Each vehicle generates multiple public and private key

pairs, which are used for signing messages.

– Each vehicle is assigned a group private key, which is used for signing a certificate instead of for signing messages.

– The generated public and private key pairs are signed with a vehicle’s group private key. The signature is used as a certificate.

Hybrid Approach


G. Calandriello, P. Papadimitratos, .A. Lioy, J.-P. Hubaux, “Efficient and Robust seudonymous Authentication in VANET, ” ACM Workshop on VANET, 2007.

Privacy issues


Hybrid Approach

Advantage:– The hybrid approach can achieve a computation

tradeoff between the group signature scheme and the anonymous certificate approach

Disadvantage:– Still have scalability issues– Slow verification speed – A bottleneck in a high traffic density scenario

Privacy issues

21

With a VANET, a company (such as McDonald’s) could locate multiple access points (APs) on the road. These APs can provide an internet access.

Any two adjacent APs should overlap each other such as a vehicle can access the Internet seamlessly.

Speaker: Pin-Han Ho

Privacy issues during a handover

Issues:1.Two adjacent APs can distinguish the same car .2. APs can know the trajectory of the vehicle .

Privacy issues

Vehicle v1 and v2 pre-obtain a blind signature of the access point AP1. The blind signature are used for credentials when vehicles hand over.

AP1 can only verify whether a signature is valid or not, but cannot know which vehicle (i.e., v1 or v2) holds the signature

AP1 cannot distinguish v1 and v2 in this figure

The blind signature based solution


C. Zhang, R. Lu, P.-H. Ho, and A. Chen, A Location Privacy Preserving Authentication Scheme in Vehicular Networks, The IEEE Wireless Communications & Network Conference (WCNC), Las Vegas, Nevada, USA, 2008.

Privacy issues

Analysis


Blind Zone

The blind signature based solution

• The tracking probability depends on

― the number of vehicles in a blind zone

― the distance that a vehicle travels

Privacy issues

Verification Issues

25

Scalability

Verification issues

FactsAccording to DSRC, messages

are sent in every100 ~ 300 ms, e.g., 300 ms

Communication range of a vehicle is 300 m, i.e., radius = 300, for each vehicle, its communication range is π3002 sq.m.

Suppose that vehicles use ECDSA to sign a message. Verifying a signature takes 3.87 ms, i.e., maximally 78 vehicles can be verified in a cycle Goal

Speaker: Pin-Han Ho Verification Issues

Challenge It is hard for the existing public-

key based signature schemes to verify a large number of signatures in 300 ms

26

IEEE Std. 1609.2-2006 IEEE Trial-Use Standard for wireless access in vehicular

environments – Security Services

Challenge How to reduce communication overhead as much as possible. At

the same time, other security issues (e.g., privacy, scalability, etc.) should also be addressed

The second Goal

Communication Overhead

Speaker: Pin-Han Ho Verification Issues

27

The proposed scheme: RAISE Comparison

Public key based Symmetric key based

Speed slow fast

Communication Overhead high low

Broadcast Authentication Yes No (if using only key)

A hybrid approach

RAISE: An RSU-aided Message Authentication Scheme

RSU

Suppose the RSU is trusted

Speaker: Pin-Han Ho Verification Issues -- Approach I

C. Zhang, X. Lin, R. Lu, P. –H. Ho, and X. Shen, “An Efficient Message Authentication Scheme for Vehicular Communications”, IEEE Transactions on Vehicular Technology, Vol. 57, Issue 6, Nov. 2008

28

key1

key2

Mutual authentication

v1

v2

Message sending (on the vehicle side ) Each vehicle periodically broadcasts messages, which can be received

by its neighbors and the RSU

v1 Message and signature signed with key1v2

RSU

The Protocols of RAISE

Speaker: Pin-Han Ho

Vehicles and RSU authenticate each other.

Only the RSU can verify

Key1 and Key2 are different!

Verification Issues -- Approach I

29

Authenticity reporting After the RSU verifies the message of V1, the RSU reports the result

to its neighbors


Speaker: Pin-Han Ho

v1 Message and signature signed with key1

v3

RSU

v2

Result Result

Result aggregation (on the RSU side ) In a short time interval Δt, the RSU received multiple messages and

signatures. Then, the RSU reports all the results accumulated during Δt.


30

The whole process


Speaker: Pin-Han Ho

v1

RSU

v2

v3MMM

MMM

MMM

: Result Aggregation


31

Issues caused by loss in contention and lossy channel

RSU-to-vehicle

Make the vehicle, which does not receive result aggregation, fail in verifying a message

Vehicle-to-RSU Make the RSU fail in receiving a message, thus all the other

surrounding vehicles cannot verify the message from the vehicle

Issues in RAISE


32

Performance Evaluation of RAISE

Fig. 1. Average loss ratio vs. Traffic load

As the number of vehicles increases, the loss ratio increases. However, RAISE has the lowest loss ratio.

Clearly, RAISE has the lowest communication overhead since it uses MAC tag instead of PKI-based signatures

Fig. 2. Communication overhead (in 1min) vs. Traffic load


33

To Further Probe RSU may not be pervasive

– RSUs may not cover all the busy streets of a city or a highway (e.g., at the early stage of VANETs' deployment)

– Physical damage of some RSUs, or simply for economic considerations

What if there is no RSU?– TESLA-based approach (called TSVC)– Batch verification approach


34

TSVC:TESLA based security protocol

What is TESLA (Time Efficient Stream Loss-Tolerant Authentication)– In TESLA, Each message is attached a MAC tag only. – The sender makes use of a hash chain as cryptographic

keys in the MAC operations. – The hash keys are released a certain period of time later

than the messages.– Message receivers are loosely synchronized.

Provides fast source authentication with lower communication overhead.

X. Lin, X. Sun, X. Wang, C. Zhang, P.-H. Ho and X. Shen. TSVC: Timed Efficient and Secure Vehicular Communications with Privacy Preserving. IEEE Transactions on Wireless Communications, to appear.

Speaker: Pin-Han Ho Verification Issues -- Approach II

35

Each vehicle generates a hash chain initiated from a random seed S, where , ,(i<j), according to each anonymous

1h

1 2, ,..., nh h h

nh S ( )j ii jh H h

,i iPK SK

2h ih

1M 2M iM1M 1 1( )hMAC M

2M2 2( )hMAC M ...

...

iM ( )ih iMAC M

1h1( )skSign h

Verify Signature

VerifyVerify MACMAC

...

?

2 1( )H h h

VerifyVerify MACMAC VerifyVerify MACMAC

?

1( )i iH h h

sender

receiver

Interval 1Interval 1 Interval 2Interval 2 Interval iInterval i



36

The choice of key release delay– Keys are released after all nodes have received the previous data

packet. (We set as 100ms)

– Before verifying the message, the receiver should first check if the corresponding key has been released or not.

M

h

sourceMACh(M’)|M’



37

We compare the performances of the four schemes:– PKI, GSIS, TSVC(GSIS), TSVC(PKI)

0 10 20 30 40

0.02

0.04

0.06

0.08

0.1

0.12

Vehicle moving speed (m/s)

Ave

rage

mes

sage

del

ay (

s)

GSISPKITSVC(GSIS)TSVC(PKI)

0 10 20 30 400

0.1

0.2

0.3

0.4

0.5

Vehicle moving speed (m/s)A

vera

ge m

essa

ge lo

ss r

atio

(%

)

GSISPKITSVC(GSIS)TSVC(PKI)

Impact of the vehicle’s moving speed on Message Delay in highway scenario

Impact of the vehicle’s moving speed on Message Loss Ratio in highway scenario

Performance Evaluation of TSVC

Verification Issues -- Approach II

Accelerate verification speed

Choose Batch verification– The speed of verifying a batch of signatures is

faster than that of verifying each of signatures one by one

– We use a pairing technique to achieve this [ZLLHS08]


Batch verification

Verification Issues -- Approach III

[ZLLHS08] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An Efficient Identity-based Batch Verification Scheme for Vehicular Sensor Networks”, The IEEE Conference on Computer Communications (INFOCOM), Phoenix, USA, 2008.

Analogy

Batch verification


Energy + +

= ＞

Verification Issues -- Approach III

Batch verification

To accelerate verify speed, we do verification on a batch of signatures once.

M1, Sig(M1) M2, Sig(M2) Mn, Sig(Mn)…

Batch: Sig(M1)+Sig(M2)+…+Sig(Mn), then verify the summation

Accelerate the speed of verifying multiple

signatures

40Speaker: Pin-Han Ho Verification Issues -- Approach III

We compare our scheme with BLS signature and ECDSA signature schemes

The larger the total number of signature is, the faster the whole verify speed is

41

Verify speed

Speaker: Pin-Han Ho Verification Issues -- Approach III

Verification delay vs. Traffic density

Since our scheme is identity-based, a message does not included a certificate

Here, 30,000 corresponds to the number of messages sent by 150 vehicles in 1 minute

42

Communication overhead

Speaker: Pin-Han Ho Verification Issues -- Approach III

Transmission overhead vs. the number of messages received by an RSU in 1 minute

Conclusions

Introduction of VANETs

- Applications

- Issues on Privacy Preservation and Verification


Thanks!

Questions?

professor pin-han ho ph.d. department of electrical and computer engineering university of waterloo,...

Documents