A Study of Privacy Preserving Authentication for Safety Message Communication in VANET

Transcription

1 International Conference on Mathematical Computer Engineering - ICMCE A Study of Privacy Preserving Authentication for Safety Message Communication in VANET Y. Bevish Jinila 1, K. Komathy 2 1 Research Scholar, Department of Information Technology, Sathyabama University, Chennai, India 2 Professor, Department of Computer Science and Engineering, Easwari Engineering College, Chennai, India Abstract Vehicular ad hoc networks are tremendously used for safety related applications. A single point of failure may cause great havoc in the network. Security and privacy are the major concerns. Several solutions are addressed to solve these issues. In this paper we analyze the recent trends in authentication and privacy preservation based on the signature size, verification time and anonymity. Our investigation shows that the id based signatures are suitable for VANET based safety applications due to its reduced signature size. And, the usage of pseudo identities with id based signatures provides a better solution for privacy preservation. Based on this we propose a framework for privacy preserving authentication for safety messages which involves a self-delegation pseudo id generation, id based signatures and priority based verification for prioritized messages and batch verification for non-priority messages. Keywords : Authentication; privacy preservation; group signatures; public key infrastructure; pseudonyms; id based signatures. 1. Introduction The continuous growth of technology has made more advances in wireless communication where each vehicle on the road can communicate with other vehicles and the fixed Road Side Infrastructure to form a Vehicular Ad hoc Network (VANET). In VANETs, each vehicle is kitted with an On Board Unit (OBU) communication device to make the Vehicle to Vehicle and Vehicle to Infrastructure communication possible. In addition, there is a Centralized Authority (CA) who is responsible for the registration and renewal of the vehicles. These networks use the IEEE802.11p standard and offer a variety of services including both safety and non-safety applications which include the commercial services like public safety, internet access etc. Though the network offers safety and comfort to the public, there may be a situation where these safety messages can be compromised by an adversary where by the id of the vehicle can be revealed. So, security and privacy becomes an important concern in VANETs. Authentication when not addressed properly leads to impersonation attack. An adversary can impersonate some other legitimate user and utilize the resources. When solutions are given to satisfy the security requirement, it is mandatory that the privacy of the user should be preserved. We assume that user privacy relates to the privacy of the driver and the privacy of the vehicle. So, it can be the preservation of the driver id and the vehicle id. We denote the user privacy as U= (Did,Vid) where Did is the driver id and is the Vid vehicle id. In this paper we analyze the privacy preservation schemes related to vehicle id. So, user privacy here we mean the privacy of the vehicle id and not the driver id. Table 1. Safety Message Format Protocol Version Type Message Certificate Signature 1 byte 1 byte 67 bytes 125 bytes 56 bytes The IEEE trial use standard [5] provides a detailed description for security services in vehicular network. The security architecture of IEEE p has incorporated the elliptic curve digital signature algorithm (ECDSA) for authentication. Table 1 show the message format for safety messages used by the trial standard where a 125 bytes

2 International Conference on Mathematical Computer Engineering - ICMCE certificate and 56 bytes ECDSA signature for every 69 byte message is used for authentication and no pseudo id is provided for privacy preservation. The signature generation for authentication uses any cryptographic operations and privacy preservation requires the generation of pseudo identities. And, it is essential that the identities should be conditionally traceable by the authorities in case of any dispute. The generated signature has to be verified by the receiver to confirm the legitimacy of the sender. So, it is mandatory to have a signature verification scheme that verifies a collection of signatures within a short period of time. And, the privacy of the user is preserved due to the use of pseudo identities. In this paper, we have analyzed the recent solutions for authentication and privacy preservation for safety messages. Section 2 gives a detailed description of various recent solutions towards authentication and privacy preservation. In section 3, analysis of various schemes based on signature size, signature verification time and anonymity is presented. Section 4 describes the proposed framework for authentication and privacy preservation. And, section 5 concludes the work. 2. Privacy Preserving Authentication The source of the message origin is checked for its authenticity by the receiver. During signature verification, to preserve the privacy of the user, it is required that the id of the vehicle should not be revealed. According to the analysis done, the schemes can be categorized based on group signatures, pseudonymous certificates, anonymous certificates based on public key infrastructure and id based signatures. Increased signature size creates overhead and there by increases the verification time. And, the id of the vehicle should not be revealed while checking authenticity. So, the key factor for authentication is the signature size and anonymization of the source vehicle id. The following categorization of recent solutions based on the key factors signature size, verification time and anonymization are analyzed Group Signatures In this scheme, a member of the group can sign a message on behalf of the group. This member remains anonymous in the group. But, a group manager can reveal the actual identity of the member. Lin et. Al. [18] proposed a group signature based technique which provides conditional privacy without pseudonym change. This is a centralized group signature protocol which also combines the features of id based signatures. According to them, a group public key pair should be updated for all non-revoked vehicles. Based on the number of revoked vehicles, time for signature verification grows linearly and the Verifier Local Revocation (VLR) procedure becomes too time consuming like Certificate Revocation List (CRL) in Public Key Infrastructure. Lei et. al. [10] proposed a privacy preserving authentication protocol. The authors have listed the drawbacks of GSIS protocol [18] and they have proposed a decentralized group signature protocol. This scheme doesn t strongly depend on any tamper proof device. In this approach, RSUs are used to maintain the on the fly generated group within their communication range. The limitation with this approach is that when a particular RSU fails, the vehicles moving in that area will be heavily affected. If there is an emergency situation to be communicated, a single point of failure can cause a great havoc to the vehicular applications. In this category of group signatures, group formation and selection of a group leader becomes an important issue Pseudonymous Certificates If the id of the vehicle is disclosed, there is a higher probability that the privacy of the user cannot be preserved. Certain authors have proposed the use of pseudonyms. These are alternate identifiers generated by the certificate authority during vehicle registration or renewal. These can be used to hide a vehicles unique identity. So, when a vehicle needs to report an event, it randomly picks one pseudonym and signs it using public key cryptography. This makes a third party difficult to track the vehicle simply by observing the pseudonym it uses. So, with this the privacy can be preserved. Calandriello et. al. [2] proposed the generation of pseudonyms by the vehicle itself on the fly. Their approach combines the features of both pseudonyms and group signatures. Tong et. al. [16] proposed a pseudonym based scheme using two level hashing to thwart Sybil attacks and there by preserving the privacy of the user. A set of pseudonyms are assigned to a vehicle during its yearly registration

3 International Conference on Mathematical Computer Engineering - ICMCE with the Department of Motor Vehicle. Two stage hashing is done to obtain the coarse and fine grained values. The corresponding coarse and fine grained hash values are alone stored with the authority. The fine grained hash is also distributed to all RSUs. In case, if two messages are received with the same hash at a particular time, the RSU checks if any Sybil attack has happened. If it s not sure, it confirms with the authority to check whether it is a Sybil attack or not. Though, this scheme has an efficient hash mechanism to check the abusing of pseudonyms, the limitation with this approach is that it incurs a lot of computation and storage overhead. The RSU has to store the fine grained values of all the vehicles. And, each vehicle should store a collection of pseudonyms generated by the authority and use it when required which incurs more storage overhead. Lu et. Al [11] have proposed an approach ECCP (Efficient Conditional Privacy Preserving Protocol). Anonymous keys are retrieved from the RSU to prevent the vehicles being traced and it is based on elliptic curve cryptography. This scheme requires the effective distribution of the RSUs, Since, RSUs are prone to attacks, it cannot be completely trusted. Also, this scheme doesn t suggest any efficient revocation scheme. Sun et. al. [20] proposes solutions for revocation of anonymous certificates. This scheme fully relies upon the RSU. Since RSUs cannot be fully trusted as they are installed in the roadside they are vulnerable to compromise attack. So, such schemes are susceptible to malicious attacks and would be expensive. Authors in [8,13] proposed solutions for preserving the privacy by changing pseudonyms at mix zones like social spots. In [13], self-delegation of pseudonym generation is proposed where the authorised anonymous key is provided by the TA to the user during its registration. Authors in [17] claim that simple pseudonym change is not enough for privacy preservation using multi hypothesis tracking and kalman filtering Anonymous Certificates based on Public Key Infrastructure This scheme is a widely accepted solution. The security architecture developed by VSC (Vehicle safety and communication) Project uses a PKI based approach for securing messages. However, it doesn t address any privacy issues. Several works were based on this approach. This scheme gives rise to extra communication and storage overhead. The Certificate Revocation List (CRL) produced by the trusted authority will become huge in size. When a vehicle validates a certificate, it checks whether the sender is revoked by the certificate authority. If not, it validates the message. Also, they fail to satisfy the limited time requirement of vehicular communication applications. The IEEE [5] has proposed the use of ECDSA (Elliptic Curve Digital Signature Algorithm) for vehicular network authentications. This is a public key approach of digital signatures. Using, ECDSA incurs more processing delay at the receiver s side. Though the delay may be in order of certain milliseconds, there may be a possibility for the messages being discarded during heavy traffic conditions. Sensitive safety messages when discarded causes a great havoc in vehicular network. The authors in [7] have proposed a protocol ABAKA which is based on the elliptic curve cryptography for authentication. They have also proposed the pseudo identities for privacy preservation. The authors have compared their results with ECDSA and it is shown that ABAKA has less signature size and less verification time when compared to ECDSA. But, this scheme is suitable for value added services and the authors have not mentioned the use of their protocol for safety message communication. Xiaolei et.al [19] has proposed the use of CA based public key cryptography approach which is based on the technique of on path onion encryption which allows the message to be re encrypted during their transmission from source to destination in multihop mode. This enhances the privacy of the scheme. Compared to classical PKC, in this scheme the users maintain the partial public keys by themselves. The limitation with this scheme is the increased delay. Since, messages are encrypted in each hop though it provides adequate security it will also lead to delay which is unsuitable for safety message services Identity based Signatures Id based schemes use publicly known id strings like user names or user ids to represent an individual and to be used as a public key, instead of digital certificates used in Public Key Infrastructure. It involves users and a Private Key Generator (PKG) having a master public/secret key pair. This PKG is responsible for generating private keys

4 International Conference on Mathematical Computer Engineering - ICMCE for the user. Any pair of users can communicate with each other securely without exchanging private and public keys and without using the services of the third party. This feature reduces the complexity of generating certificates. Boneh and Franklin [3] introduced the first and efficient Id based encryption scheme based on bilinear pairings on elliptic curves. The security of these signatures is based on the assumption that the bilinear maps chosen are one way functions. It means, it is easy to calculate the result but, it is difficult to inverse. This feature is called Bilinear Diffie-Hellman Assumption. Using these signatures eliminates the need for a Certificate Revocation List (CRL) which is a major drawback in Public Key Infrastructure. Also, the transmission overhead can be greatly reduced. Jinyuan Sun et.al [6] have used threshold based signature scheme for authentication and Pseudonym for user privacy.. This scheme also uses group signatures with id based techniques to satisfy the security requirements. Since, group signatures create more computational overhead this scheme will not be suitable for safety applications in vehicular network. Kyung Shim [9] has proposed an efficient conditional privacy preserving scheme. In this scheme, each message send from the vehicle is mapped to a distinct pseudo identity. It supports the fastest batch verification by verifying 750 signatures simultaneously in less than 300 ms. This scheme uses a tamper proof device for storing the master secret and the MapToPoint function used by Zhang et. Al [1] is replaced. Though, the master secret is not stored in the tamper proof device for a long time, it is known that such tamper proof devices can be easily cracked by side channel attacks. This becomes a major drawback for this approach. Subir Biswas and Jelena Misic [15] have proposed a cross layer approach to privacy preserving authentication. In their scheme, a variation of ECDSA (Elliptic Curve Digital Signature Algorithm) is used in combination with Id based signature. For privacy preserving authentication, all the vehicles are assumed to have a common identifier. This common identifier is selected based on the common geographical area of all participating vehicles within a communication range. In this scheme, priority based message verification is done based on the MAC layer priorities where emergency messages are given higher priorities. In this scheme, though identities are anonymized by providing a common identifier, conditionally it cannot be traced on dispute. 3. Analysis of Existing Solutions The recent solutions proposed based on group signatures, id based signatures, pseudonyms and anonymous certificates based on public key infrastructure are analyzed. The analysis is done based on signature size, verification time and anonymity list out the following Signature Size For any communication to be secure, it is essential that the source of the message origin should be authenticated to the receiver. Any authentication done requires the generation of a signature at the source side. It is essential that the size of the signature should be probably small to have a quick verification time and less delay for reception. Table 2.Comparison of the signature size of various schemes Technique Signature Size(Bytes) Lin et. al [18] 201 Lu et. al [11] 189 Lei et. al [10] 368 WAVE [5] 182 Jiun et. al. [7] 84 Jinyuan et. al [6] 43 Sun et. al [20] 66 Kyung-Ah Shim [9] 60 Subir Biswas [15] 56

5 International Conference on Mathematical Computer Engineering - ICMCE Accordingly, the schemes provided by varied authors are analysed. From table1, it is evident that the signature size of [18],[10] are high and are based on group signatures. So, it can be known that higher the signature size, higher will be the computational overhead. The signature size of the schemes proposed by [11] and [4,20] are pseudonymous based. The signature size of scheme [11] is considerably high and the one proposed by [20] is quite low. Since, these pseudonymous certificates require the maintenance of revocation list handling a huge revocation list is critical for VANET based applications. The schemes proposed by [7] and [5] are PKC based. These schemes employ ECDSA and improved ECDSA for their schemes. Though, the signature size becomes evident in [9], it is known that handling huge revocation lists becomes difficult. The schemes proposed by [6], [9] and [15] are id based and the signature size is less when compared to other schemes. And, this approach will be better for VANET based applications due to its reduced signature size and nonrequirement for a certificate revocation list Signature Verification For applications like safety messaging in VANETs, it is mandatory that the time taken for signature verification should be less. As per the analysis done, the signature verification is done based on three categories which include random, batch and priority based verification. From Table 1 it is evident that in [18], [10], [7], [9], [1] the authors have used batch verification for signatures. In [15], priority based verification is applied. Random verification of signatures, leads to random verification attack. Batch verification is an efficient way of assuring the trust for multiple messages received in a unit time. But, there is a possibility for a false signature attack [15]. To reduce the verification time and to handle the safety messages without loss, the authors in [15] has proposed a priority based verification based on cross layer approach where the prioritized messages are identified using MAC layer priorities. In this case, there is a possibility for the drop of non-prioritized messages Privacy Though suitable mechanisms are available to ensure the security of the system, it is desirable that the privacy of the user should be preserved. So, it is essential to anonymize the id of the user. Anonymization techniques like k-anonymity can be used for privacy preservation, by anonymizing the id of the vehicle, but conditional traceability is difficult. Also, the authors in [15] have proposed the use of pseudo identities which is the use of a common id like the id of the RSU or a common geographical location. This scheme of generating pseudo identities is too conditionally untraceable. Using group signatures and public key cryptosystem alone doesn t satisfy the concept of privacy. Authors in [9,16] adopt the generation of pseudonymous certificates where any revocation of certificates requires a revocation list to store the certificates. When revocation list becomes huge, it becomes difficult to handle. But, an adversary can easily trace a vehicle by its location leading to traffic analysis attack and thereby identifying the id of the vehicle. One method proposed by Zhang et.al [1] for pseudo id generation is referred by [7,9]. In [9], the pseudo id generation is computed as follows, A vehicle Vi computes (1) for Ki Z*q and sends (RIDi, PIDi,1) to the TA where, RID is the real id and PID is the pseudo id. After confirming RIDi the TA computes, (2) Where, is the life time of the pseudo id and is the public parameter generated by the TA. Then pseudo id is computed as follows, (3) This pseudo id is provided to the PKG for private key generation. The other method proposed by Tong et.al [16], uses a 2 stage hashing for pseudonym generation. The pseudonym is generated by the TA and is issued during vehicle registration. It generates a set of coarse grained and fine grained group of pseudonyms as follows,

6 International Conference on Mathematical Computer Engineering - ICMCE (4) (5) Where m is equation (4) is the set of coarse grained group of pseudonyms and n in equation (5) is the set of fine grained group of pseudonyms which is assigned to each vehicle. The TA stores the ( m n) as the vehicles secure plate number. This incurs more computation and communication overhead. RongXing Lu et. Al [13] has proposed the self-delegation of pseudonym generation by the vehicle itself. This scheme reduces the overhead of the TA by issuing an anonymous key to the user where the user generates a set of pseudonyms for each trip. This paper addresses the issue on changing the pseudonyms to preserve the privacy of the user and proposes solutions to change the pseudonyms at social spots. 4. Proposed Framework Based on the analysis done from the existing approaches we propose a framework for privacy preserving authentication. As VANET based safety applications are time stringent, it is known that reduced signature size and fast verification works well. SOURCE VEHICLE TA RECEIVER VEHICLE / INFRASTRUCTURE Signature Key, Ki Verification Priority Batch Privacy Pseudo id Based Based Preservation generation Yes No Authentication Signature Generation Priority Data MAC Layer Priorities Figure 1: Proposed privacy preserving Authentication framework From Table 2 it is evident that the id based signatures incur less signature size when compared to other approaches. And, concerned with verification, the priority method [15] is adopted where it is assured that the prioritized messages are verified than less preferred non-priority messages. The idea of self-delegated pseudonym generation [13] has been adopted in our framework. Though it is a PKI based approach, the idea of self-delegation alone is inculcated. It is assumed that the master secret is stored in the TA and a key ki is generated by encrypting with the master secret and is issued to the user during vehicle registration. From figure 2 it is evident that after receiving the key, the pseudonyms can be generated in the vehicle itself for each trip.the received message is verified for priority in the MAC layer where the signatures of highly prioritized messages are verified [15]. And, all other non-prioritized messages are verified as a batch either by the vehicle or by the infrastructure based on the applications Steps in our Approach Step 1: The TA using its master secret computes the authorized key Ki for each vehicle Vi during the time of registration. Step 2: The vehicle Vi generates a set of pseudo identities for each trip by providing the input as the authorised key.

7 International Conference on Mathematical Computer Engineering - ICMCE Step 3: Pseudo id generation is done similar to the Zhang et.al [1] approach. Step 4: Id based signatures are used for signature generation. Step 5: The received message is checked for MAC layer priority. Step 6: Highly prioritized messages are verified using priority based approach [15]. Step 7: Non prioritized messages are verified in batch. 5. Conclusion and Future Work In this paper, we have analyzed the recent solutions to user privacy preservation in vehicular networks. The solutions are surveyed based on the level of security provided by the technique, signature size, privacy provided and the time required for signature verification. Based on the analysis, it is evident that id based signatures are suitable for VANET applications since they incur less computational overhead and less signature size. These signatures can be used as a best solution for authentication and in order to preserve the privacy of the source of message origin it is mandatory to use pseudo identities. We conclude that id based signatures when combined with pseudo identities make a better secure and privacy preserved VANET. In future, we will experimentally analyze our approach and extend our work towards the relationship between the id of the vehicle and the driver id, and privacy preserving schemes for driver privacy. References [1] C. Zhang, RongXing Lu, Xiadong, Pinhan and Shen, An efficient identity based batch verification scheme for vehicular sensor networks, IEEE INFOCOM, [2] Calandriello. G, P. Papadimitratos, J.P. Hubaux and A.Lioy, Efficient and Robust Pseudonymous Authentication in VANET, Proc. 4th ACM Int. Workshop VANRT, Montreal, QC, Canada, pp , Sept [3] D. Boneh and M. Franklin, Identity based encryption from the Weil pairing, SIAM Journal of Computing, volume 32, No. 3, pp , [4] Dijiang Huang, Satyajayant Misra, Mayank Verma and Guoliang Xue, PACP: An Efficient Pseudonymous Authentication-Based Conditional Privacy Protocol for VANETs, IEEE Transactions on Intelligent Transportation Systems, volume 12, No. 3, September [5] IEEE Trial Use Standard for Wireless Access in Vehicular Environments (WAVE) Security Services for Applications and Management Messages, IEEE Std , July [6] Jinyuan Sun, Chi Zhang, Yanchao Zhang, and Yuguang Fang, An Identity based Security System for User Privacy in Vehicular Adhoc Networks, IEEE Transactions on Parallel and Distributed Systems, volume 21, No. 9, September [7] Jiun-Long Huang, Lo-Yao Yeh, and Hung-Yu Chien, ABAKA: An Anonymous Batch Authenticated and Key Agreement Scheme for Value- Added Services in Vehicular Ad Hoc Networks, IEEE Transactions On Vehicular Technology, volume 60, NO. 1, January [8] Julien,M. Raya, Mark, Panos, J.P. Hubaux, Mix Zones for Location Privacy in Vehicular Networks, WinITS [9] Kyung-Ah Shim, CPAS: An Efficient Conditional Privacy Preserving Authentication Scheme for Vehicular Sensor Networks, IEEE Transactions on Vehicular Technology, volume 61, No.4, May [10] Lei Zhang, Qianhong Wu, Agusti Solanas, Josep, A Scalable Robust Authentication Protocol for Secure Vehicular Communications, IEEE Transactions on Vehicular Technology, volume 59, No. 4, May [11] R. Lu, X. Lin, H. Zhu, P. Ho, and X. Shen, ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications, in Proc. IEEE INFOCOM, Apr. 2008, pp [12]Raya M, Hubaux J.P, Efficient Secure Aggregation in VANETs, Proceedings of the third international workshop on Vehicular Adhoc Networks, New York, USA, ACM, [13] RongXing Lu et.al, Pseudonym changing at social spots: An effective strategy for location privacy in VANETs, IEEE Transactions on Vehicular Technology, volume 61, No. 1, January [14] Sampigethaya.K, M.Y. Huang, L.P, Poovendran. R, Amoeba : Robust Location Privacy Scheme for VANET, IEEE Journal on Selected Areas in Communication, 25(8), [15]Subir Biswas and Jelena Misic, A Cross-Layer Approach to Privacy Preserving Authentication in WAVE-Enabled VANETs, IEEE Transactions on Vehicular Technology, volume 62, No.5, June [16]Tong Zhou, Romit Roy Choudhury, Peng Ning, Krishnendu Chakrabarty, Privacy Preserving Detection of Abuses of Pseudonyms : Sybil Attacks Detection in Vehicular Ad hoc Networks, IEEE Journal on Selected Areas in Communication, volume 29, No. 3, March [17] Wiedersheim. B, Ma Z, Z. Kargi, F. Papadimitratos, Privacy in Inter Vehicular Networks: Why simple pseudonym change is not enough, Seventh International Conference on wireless on-demand network systems and services (WONS) [18] X. Lin, X. Sun, P.-H. Ho, and X. Shen, GSIS: A secure and privacy preserving protocol for vehicular communication, IEEE Trans. Veh.Technology, volume 56, no. 6, pp , Nov [19] Xiaolei Dong, Haojin Zhu, Zhenfu, Licheng, An efficient privacy preserving data forwarding scheme for service-oriented vehicular adhoc networks,ieee Transactions on Vehicular Technology, volume 60, No. 2, February [20]Y. Sun, R.Lu, X. Lin, X.S.Shen and J.Su, An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications, IEEE Transactions on Vehicular Technology, volume 59, No. 7, pp , Sept 2010.