Methods and effectiveness of pre-distribution for certificate management in VANETS

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Methods and effectiveness of pre-distribution for certificate management in VANETS"

Transcription

1 Eindhoven University of Technology MASTER Methods and effectiveness of pre-distribution for certificate management in VANETS Pielage, R.H.M. Award date: 2014 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain

2 Department of Mathematics and Computer Science Den Dolech 2, 5612 AZ Eindhoven P.O. Box 513, 5600 MB Eindhoven The Netherlands Supervisor dr. Nicola Zannone (TU/e) Section Security group Supervisor Michael Feiri, Dipl.-Inf. (UT) Section Services, Cybersecurity and Safety research group Supervisor Bert Tilmans MSc. (Deloitte) Methods and effectiveness of pre-distribution for certificate management in VANETS Master s Thesis ing. Rolf Pielage Section Cyber Risk Services Date December 15, 2014 Version 1.0 Where innovation starts

3 2

4 Abstract Although trac fatalities have been decreased worldwide over the last years, this decrease should be continued. In addition to applying passive safety features, such as airbags and advanced breaking systems, active safety features using Vehicular Communication (VC) can be used to safe lives. In addition, vehicle communication can provide enhanced driver experience and decreased impact on the environment as well. The eectiveness of vehicular ad-hoc networks depends on driver acceptation, on the provided features and on a sucient number of vehicles equipped with the technique to communicate with other vehicles. For vehicular communication to reach enough driver acceptation and to provide additional safety benets, privacy and security requirements have to be met. Leading standardization eorts have decided on the use of a public key infrastructure, in which signatures and certicates are used to provide message integrity and authentication, to address security requirements. In the context of vehicular networks, certicate dissemination and management is challenging because of the dynamic topology and privacy requirements. In this thesis we give an overview of currently proposed alternatives including a description of why these are insucient. In order to meet the privacy requirements the use of pseudonyms is proposed by academia, but leading standardization eorts plan to only implement this partially because of too much bandwidth would be consumed. Regular changing pseudonyms, such as creating silent or mix zones in which multiple vehicles will change their pseudonym in a coordinated fashion, are proposed to increase the dif- culty in tracking vehicles, however, having changing pseudonyms and thus more certicates creates a signicant larger bandwidth usage which results in too much information loss and degradation of service quality. Because of this reason leading standardization eorts are reluctant to fully implement mixing pseudonyms. Standards describe the use of certicate omission to selectively omit certicates in messages to reduce the network packet loss that occurs as the available bandwidth is consumed by mainly these certicates. Certicate 3

5 4 omission improves the quality of information, measured as awareness quality, but introduces unintentional side eects of not being able to verify all messages. In this research we propose a new technique called pre-distribution. This technique combines certicate omission and certicate pre-distribution in order to reduce communication overhead and to minimize cryptographic packet loss. Simulation results show that this technique improves awareness quality and thus is a technique that should be considered. Applying pre-distribution in combination with pseudonym changes increases the positive eect of predistribution even more, as simulations show. Pre-distribution would be a core solution for coordinated pseudonym changes, such as the pseudonym change strategy of using mix zones. Applying our solution would overall result in higher levels of privacy while increasing the quality of information vehicles have about their surrounding, providing great potential to prevent even more accidents with the use VC. Keywords: Pre-distribution, certicates, omission, pseudonym, security, privacy, VANET, ITS.

6 List of Figures 2.1 VANET overview [1] VANET broadcasting techniques [2] General overview of VANET applications [3] Overview of platooning (from [4]) Comparison of possible alternatives Overview of the pre-distribution of certicates between vehicles Omission of the certicate in a congested area Single-hop and multi-hop pre-distribution of certicates Congestion based Certicate omission Visualisation of the mix scheme for pre-distribution JIST environment image [5] JiST system architecture [5] SWANS system architecture [5] DUCKS execution framework [5] Results for certicate omission, with and without pre-distrution Awareness quality without and with geographic pre-distribution Awareness quality without and with temporal pre-distribution Awareness quality without and with mix pre-distribution Awareness quality and mix pre-distribution in omission gaps) 81 5

7 6 LIST OF FIGURES

8 List of Tables 7.1 Simulation parameters Cryptographic settings VanetMobiSim and IDM-IM settings General pre-distribution settings

9 8 LIST OF TABLES

10 Acronyms AQ Awareness Quality BSM Basic Safety Message C2C-CC CAR 2 CAR Communication Consortium CA Certicate Authority CAM Corporate Awareness Message CbCO Congestion Based Certicate Omission CHH Control Channel cits Cooperative Intelligent Transportation Systems CPL Cryptographic Packet Loss CRL Certicate Revocation List DCC Decentralised Congestion Control DRP Distributed Revocation Protocol DSRC Dedicated Short Range Communication ECDSA Elliptic Curve DSA EU European Union IDE Identity-based Encryption IDM-IM Intelligent Driver Model with Intersection Management IrDA Infrared JiST Java in Simulation Time JVM Java virtual machine Li-Fi Visual Light 9

11 10 Acronyms LTE Long Term Evolution MANET Mobile Ad-Hoc Network NbCO Neighbor-based Certicate Omission NPL Network Packet Loss OCSP Online Certicate Status Protocol OOB Out of Band PKI Public Key Infrastructure POoC Periodic Omission of Certicates RCCRL Revocation using Compressed Certicate Revocation Lists (RC- CRL or RC 2 RL) RSU Road Side Unit RTPD Revocation of the Tamper-Proof Device SCH Service Channels STRAW STreetRAndom Waypoint SWANS Scalable Wireless Ad hoc Network Simulator TPD Tamper-Proof Device TTP Trusted Third Party V2I Vehicle-to-Infrastructure V2V Vehicle-to-Vehicle V2X Vehicle-to-Anything VA Validation Authority VANET Vehicular Ad Hoc Network VAST VANET Authentication using Signatures and TESLA++ WAVE Wireless Access in Vehicular Environments

12 Contents List of Figures 5 List of Tables 7 1 Introduction Research Goals Contribution Scope Thesis Outline Vehicular Ad Hoc Network Overview of VANETs Unique Characteristics V2X Communication Use Cases Expectations for the Future Challenges in VANETs Attacker Model Security Requirements Privacy Requirements Fullling Security and Privacy Requirements Certicate Based Authentication Maintaining Privacy with the use Pseudonyms Bandwidth Problem Summary Related Work Decentralised Congestion Control Authentication Mechanisms PKI, Signatures & Certicates Pseudonym change strategy Certicate Omission Neighbor-based Certicate Omission

13 12 CONTENTS Periodic Omission of Certicates Congestion-based Certicate Omission Certicate Revocation Certicate Revocation List Online Certicate Status Protocol Certicate Revocation for VANETs Enhancement Strategies Alternative Channels in p Infrastructure and Road Side Unit Support Out Of Band Distribution Pre-distribution of Certicates Summary Pre-distribution of certicates Overview Single-hop and Multi-hop Distribution Amount of extra certicates Caching lifetime Selecting Certicates to Distribute Formatting the packets Privacy of multi-hop distribution Pre-distribution using Pseudonyms Utility classes Geographic pre-distribution Temporal pre-distribution Mix of geographic and temporal pre-distribution Simulation Environment Overview JiST SWANS Node mobility model DUCKS execution framework Extension to support pre-distribution of certicates Mobility Model and Message Parameters Pseudonym Change Ratio Simulations Setup Simulation Results and Discussion Measuring Performance Awareness quality Result - CbCO and pre-distribution Pre-distribution including pseudonym changes

14 CONTENTS Result - Pseudonym change and geographic pre-distribution Result - Pseudonym change and temporal pre-distribution Result - Pseudonym change and mixing pre-distribution Result - Pseudonym change and mix pre-distribution in omission gaps Discussion Conclusions and Future Work Conclusions Future Work Multi-hop Pre-distribution Using Out-of-Band Channels Improvement of Pre-distribution Bibliography 89

15 14 CONTENTS

16 Chapter 1 Introduction Although trac fatalities have been decreased worldwide over the last years, this decrease should continue [6]. Additionally, not only fatalities are important. Injuries, material damage, trac congestion and the environment are important as well, which all have a nancial impact on the society. Passive safety features such as airbags and advanced breaking systems are rapidly evolving, but are still insucient to prevent accidents. Applying active safety features using Vehicular Communication, which consists of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I), commonly together referred to as Vehicle-to-Anything (V2X) communication, can help to save lives. Examples of active safety features include a high lane merging assistant and emergency vehicle notication. Information combined from multiple sensors can be communicated to systems such as base stations, Road Side Units (RSUs) and other vehicles, using V2X communication. Information is spread on the network by exchanging dierent kinds of messages between vehicles and infrastructure units that support V2X communication. Example techniques for disseminating messages are beaconing, geo-broadcast, position-based routing, situation-adaptive information dissemination and aggregation. In Section 2.3 a more extended overview of these algorithms is given. Some of these messages are categorised as more important, the so called safety messages, and are used for safety applications. Safety can be increased by, for example, violation warnings signaled by other trac or emergency vehicle signal preemption, indicating that emergency vehicles are nearby. Drivers can react on safety messages, such as hitting the brake or changing the lane in case of an accident. Increasing the electronic safety, esafety, is an important goal of the European Union (EU) and the rest of the world. In addition to esafety applications, applications that provide enhanced 15

17 16 CHAPTER 1. INTRODUCTION driver comfort are also possible by using V2X communication. Example applications include a visibility enhancer, providing point-of-interest locations or instant messaging (between vehicles). V2X can also be utilized by selfdriving vehicles, for example using other vehicles information to increase its situational awareness on trac. Additionally, maintenance and trac management applications could be used, for example, to assist in lane merging [7]. Because of the nature of the communication several challenges exist. Vehicles can be moving at high speed which becomes even higher in terms of relative speed when vehicles move in opposite direction. The available interval for the communication is thus very small and messages should be delivered quickly. Some parts of the road network might be populated with a large amount of vehicles, while other parts might only contain few vehicles. In the dense areas it is more easy to communicate with other vehicles as most likely at least one vehicle will be in range, while in the less dense areas this might not always be the case. Moreover, some messages are only relevant to the direct neighbors while others are intended for a wide range of vehicles. Therefore, dierent mechanisms exist to spread the messages throughout the network of vehicles and infrastructure units that are able to perform V2X communication. When considering the dierent kind of possible applications with V2X, the need for security is especially high in esafety applications. It is undesirable that attackers are able to give wrong vehicular location data resulting in accidents. The driver has to be sure that these messages are correct and delivered in time. Authenticity and integrity are thus required for safety messages and the communication should be protected. In order to have all vehicles cooperate among each other, a number of standards have been proposed. For instance, the ETSI standards [8] in the EU and the IEEE standards in the US [9]. These describe the technical specications of the V2X communication, such as the exact message details, the forwarding protocols and the method of communication. To provide the integrity and authenticity of messages currently the ETSI standards [8] describe to use a Public Key Infrastructure (PKI). Other possibilities to provide authentication and integrity include the use of symmetric pairwise keys and the use of asymmetric or symmetric group keys. For making a decision about which secure authentication mechanism to adopt, it is important to consider unique aspects of a vehicular network such as for example trac density and trac speed. Previous studies indicated that digital certicates are the better solution despite the overhead they generate [10]. Privacy is another aspect that is important, i.e. privacy sensitive information, such as vehicle location and vehicle and driver identity, should be

18 17 protected. There is a need however for local short-term tracking of vehicles for the cooperative awareness, but global long-term tracking should be avoided for privacy. On the other hand, law enforcements agencies should be able to identify someone in case of accidents or violations. This revocable privacy makes sure that privacy can be revoked under certain conditions. To achieve this a trusted resolver entity [11] can be used or threshold encryption [11] can be applied. An approach for preserving privacy under these conditions is the use of pseudonyms issued by a pseudonym provider. Vehicles have a bunch of these pseudonyms that they can use to authenticate and sign messages for other vehicles. Switching between these pseudonyms should prevent malicious users to track specic vehicles belonging to these pseudonyms. Some requirements that V2X communication systems should satisfy are [12]: Revocation of certicates: When certain vehicles are not allowed to have a valid certicate anymore, which can for example happen when a vehicle is stolen, all its pseudonyms should be revoked. This revocation should be known to all participants in the PKI. Tracking of pseudonyms: Tracking of switching between pseudonyms could still give indications to the actual vehicle using these pseudonyms. This can, for example, be determined if no other vehicles are present. The two detected pseudonyms should both belong to the same vehicle, making the pseudonyms rather ineective. Switching between pseudonyms should therefore be done in an ecient and secure way [13, 14]. Authorities should be able to link pseudonyms to vehicle owners. A proposed solution for this is using a shared signature scheme to make sure no single party can determine this link [11]. Intelligent systems that can communicate with each other, Cooperative Intelligent Transportation Systems (cits) [15], are expected to enable safety systems that safe lives. Systems without the above requirements for privacy and security are theoretically possible, but are unlikely to achieve acceptance. These additional requirements for security and privacy have a substantial amount of impact on the performance. Pseudonyms have a fast change rate and require certicates for each pseudonym. This requirement for privacy leads to additional signicant overhead in certicate management and degradation of service quality of cits. To compensate for the high overhead of digital certicates the concept of certicate omission schemes is introduced [16]. By default certicates are attached to every safety message in order to validate its origin and contents. With the concept of certicate omission however, certicates are

19 18 CHAPTER 1. INTRODUCTION omitted based on certain parameters such as presence of neighbour vehicles, Neighbor-based Certicate Omission (NbCO) [17], or time, Periodic Omission of Certicates (POoC) [18]. The disadvantage of applying certicate omissions is the introduction of Cryptographic Packet Loss (CPL), while the disadvantage of not applying certicate omission is the higher amount of Network Packet Loss (NPL). In the case of CPL, the packet is received correctly but the authenticity cannot be veried due to a missing certicate and thus the contents have to be ignored. In the case of NPL, the whole packet is not received and no data can be used. Both NPL and CPL result in loss of information. Measuring this loss of information could be achieved by measuring loss of awareness in [19, 16]. These certicates are used in safety messages, which are critical in time and correctness, and thus only received and veried safety messages can be used. In order to improve the safety of drivers and decrease the number of accidents it is vital that as much packets as possible are delivered and veriable. 1.1 Research Goals The main research goal is to improve the performance of certicate dissemination by minimizing the existing overhead and applying strategies to minimize the packet and information loss. Increasing the performance of communication with certicates could be achieved by pre-distributing certicates among multiple hops, where vehicles are considered as hops. The expectation is that when applying this solution the cryptographic packet loss and the network packet loss decreases. The main goal can be divided into three subgoals. 1. What techniques are available to pre-distribute certicates in order to improve the performance of certicate dissemination? 2. How eective is the proposed technique for improving certicate dissemination? 3. Exploring dierent options and comparing with the current proposal, is the proposed technique more eective? 1.2 Contribution The research done in this thesis is based on the security and privacy requirements for communication in a Vehicular Ad Hoc Network (VANET). Because of the unique characteristics of communication in this ad-hoc network and the security requirements a bandwidth problem occurs. This bandwidth problem is addressed in this thesis. Additional privacy requirements increase

20 1.3. SCOPE 19 this problem even more. A solution is provided to decrease the loss of information. Pre-distribution is proposed as a technique and combines certicate omission with certicate pre-distribution in order to reduce communication overhead and to minimize cryptographic packet loss. Simulation results show that this technique improves the quality of information. Applying pre-distribution in combination with pseudonym changes increases the positive eect of pre-distribution signicantly, as simulations show. Pre-distribution would be a core solution for coordinated pseudonym changes, such as the pseudonym change technique of using mix zones. 1.3 Scope The focus in this thesis is on the eectiveness of the proposed solution, pre-distribution of certicates. A short overview of alternative solutions is provided, but this does not belong to the scope. Although multiple standards exists for vehicle communication, the research focusses on the leading standards in Europe (ETSI). Standards mentioned throughout this paper thus refer to the EU ones. 1.4 Thesis Outline The remainder of this thesis is structured as follows: Chapter 2 describes the vehicular ad-hoc network and its unique characteristics. Chapter 3 describes the challenges that occur in a VANET. Chapter 4 describes the related work on providing security and privacy in VANETs. Chapter 5 provides a basic insight into several possible enhancement strategies. Chapter 6 describes our suggested solution in detail, namely pre-distribution of certicates. Chapter 7 describes which design and implementation are needed for the simulations to show the eectiveness of pre-distribution. Chapter 8 describes and discusses the simulation results. Chapter 9 describes conclusions that follow from this research and discusses the possible future work.

21 20 CHAPTER 1. INTRODUCTION

22 Chapter 2 Vehicular Ad Hoc Network In this chapter we present an overview on Vehicular Ad Hoc Networks (VANETs), along with their characteristics and features. A more in-depth description of relevant components is given in Chapter Overview of VANETs A VANET is a highly dynamic network with a fast changing network topology. In this network vehicles indirectly communicate with each other, Vehicleto-Vehicle (V2V) communication, by disseminating messages through other vehicles in the vicinity. Not only vehicles communicate with other vehicles but they also directly communicate with infrastructure units, Vehicle-to- Infrastructure (V2I) communication, that might be in place at certain areas. In Figure 2.1 an overview is given of the dierent communication possibilities such as V2V and V2I communication. Figure 2.1: VANET overview [1] 21

23 22 CHAPTER 2. VEHICULAR AD HOC NETWORK The goal of making this communication possible between vehicles and infrastructure is to exchange information. This information can exist in different forms and is meant for dierent applications. In order to improve safety, most messages describe location context of a vehicle, namely Corporate Awareness Messages (CAMs). To provide information about trac conditions, messages consist of data that describe the trac density at locations. Describing trac density is possible by combining information from multiple vehicles in the neighborhood. Other types of message are used for example to provide internet access in vehicles or to describe environment conditions such as snow. 2.2 Unique Characteristics At rst the VANET can look similar to a Mobile Ad-Hoc Network (MANET) but there are some unique characteristics that make it quite dierent. Therefore it is not trivial to apply existing MANET technologies to a VANET. Some of these unique characteristics are: Highly dynamic topology The vehicles move at high speed and when two vehicles are driving in opposite direction the relative speed is even twice that high. This causes the VANET to have a high dynamic topology as links between vehicles only exist for a very short period of time. Frequently disconnected network In this eld of moving vehicles it frequently occurs that a connection drops exactly when messages are being exchanged between two vehicles. Network disconnectivity occurs frequently and this makes it harder to build a reliable network that can trust on messages being delivered via one or more vehicles. Embedded battery power and storage In MANETs battery power and storage is very limited, however, in VANETs these two aspects are embedded and are not that limited. It is not desired to use excessive amounts of power or data storage, but the actual available power and data storage can be changed based on a specic need for it. This makes the VANET less restricted in regard to these aspects. Patterned Mobility Vehicles cannot drive in all places, as they have to follow the available infrastructure. Aspects that inuence the mobility are for example trac lights, speed limits and trac conditions. The conditions for communication can thus be very dierent among dierent locations. For example, while on the highway the messages can travel great distance true few vehicles, while the messages on a busy intersection can only achieve distance true a much larger amount of vehicles.

24 2.3. V2X COMMUNICATION 23 Propagation Model Communication messages in VANETs can generally not ow freely in all directions. Objects such as buildings, trees, vehicles or other obstacles can interfere with the communication. Interference can also occur because other vehicles and wireless devices interfere with the communication. 2.3 V2X Communication The standard for communication, p, is specically designed for Vehicleto-Vehicle and Vehicle-to-Infrastructure, commonly together referred to as V2X communication. This is done on a specic bandwidth specially reserved for vehicular communication and is called Dedicated Short Range Communication (DSRC). The p standard and other standards are combined and referred to as Wireless Access in Vehicular Environments (WAVE). Multiple channels exist in p for the purpose of disseminating dierent message types. The safety messages are of higher importance and thus have been dened to work on a separate channel. CAM are messages that belong to this safety category. Vehicles and infrastructure communicate with each other by broadcasting messages. It is indeed very dicult to provide direct end-to-end communication between two arbitrary vehicles or infrastructure units. Neither is it possible to verify that a message was actually delivered by providing some sort of delivery rapport. Reasons include the limited available network bandwidth and the problem of mutually verifying that a message reached its destination, also called the Coordinated Attack Problem [20]. Multi-hop message dissemination can be done by applying dierent algorithms. These algorithms can be used to make sure that either vehicles in a specic area, vehicles in the near vicinity of the sender or vehicles in the driving trajectory should receive the message. They should take into account that beforehand it is not known which exact vehicle should receive the message. These algorithms can roughly be divided into two types of algorithms, namely Topology Based Routing and Geographic Routing [21]. Topology based routing use links' information, information about the complete path to the destination, that is available in the network to send packets through the network. With geographic routing, the location of the sending vehicle, the location of vehicles within its direct range and the location of the destination are used to forward packets in the network. The nal path over which messages are send is not known upfront. Figure 2.2 provides an overview of some broadcasting techniques [2]. In the beaconing method information is, periodical or event-triggered, broad-

25 24 CHAPTER 2. VEHICULAR AD HOC NETWORK Figure 2.2: VANET broadcasting techniques [2] casted to link-layer neighbors. Typically vehicles broadcast their position, heading and speed to allow for cooperative awareness. The received information is typically not forwarded but only send to a single hop, even after the information is processed by an application. Geobroadcast broadcasts messages into a geographical region dened in the message packet header. They are rst send to all immediate neighbors, who forward the message if they are in the specied destination region. Broadcasting are event-based, where the message contents usually contain information about this particular event. Position-based routing is a form of unicast routing [2]. Unicast routing communicates messages to a single node or a remote destination node. Dierent routing schemes, that determine the fastest route, can increase performance signicantly. Position-based routing requires a location service mechanism so that the current location of peer nodes can be resolved. Situation-adaptive information dissemination [22] can broadcast information while bridging network partitions and handling dierent priorities for messages. Previously unreachable vehicles still receive messages intended for them and higher prioritized messages are delivered earlier. Messages can also be forwarded to a specic destination based on the vehicles context. Information aggregation combines information from multiple nodes instead of simply forwarding single messages. When events are detected by multiple nodes, this information can be compressed into a single message. Other more advanced forms of information processing and merging are also available. The communication can be single-hop or multiple-hop. A more complete overview of the dierent algorithms and their pros and cons is given in [21, 23].

26 2.4. USE CASES Use Cases There are a number of use case categories [24] for which VANETS are being developed. The main category is to provide esafety and improve driver safety and to reduce the number of accidents in trac. To provide all these applications, communication between vehicles is necessary. Communication, in the form of messages, is done over a modied form of the WLAN standard , namely p. In the beginning messages will appear to drivers upon which they can take action. Possible future versions facilitate automated driving by the vehicle. In contrary to possible self-driving vehicles, that drive solely based with on-board sensors, communication can take place over a much larger distance via multiple vehicles. Surrounding information can thus be determined earlier, such as for example emergency vehicles that are heading your way but are not in visible range yet. The following features are examples that can contribute to a higher safety level [25, 24]: Intersection collision warning Warn the driver of upcoming collisions at an intersection. Emergency vehicle approaching warning Warn the driver when a emergency vehicle is approaching and where he should drive to avoid interfering. Wrong way driver warning Warn the driver when he is driving in the wrong direction. Blind spot warning / lane change warning Warn the driver when a vehicle is in his blind spot or when a vehicle is next to him in the event that he is about to change lanes. Additional goals are Enhanced Driver Comfort, Trac Management and Maintenance. For each category numerous of applications exists for VANETs. Some example applications are listed below or can be seen in Figure 2.3: Highway merge assistant The driver can receive indications what the best possible moment would be to merge lanes on the highway. In the future this might be done automatically. Cooperative adaptive cruise control While adaptive cruise control basis the speed on the vehicle in front, cooperate adaptive cruise control can communicate with multiple vehicles in front of you. This makes it possible to react earlier on speed changes and allows vehicles to drive even closer to each other. Intelligent trac ow control Based on actual trac the routes with the least amount of trac can be chosen. Parking spot locator Receive information on where free parking spots are available in the area around your destination.

27 26 CHAPTER 2. VEHICULAR AD HOC NETWORK Software update and ashing Receive software updates over the wireless communication channel without having the need to go to your garage. Point-of-interest notication Receive notications of new points-of-interest in your vicinity that appear while you are driving. Figure 2.3: General overview of VANET applications [3] 2.5 Expectations for the Future The use of VANETs opens new business opportunities. Some business opportunities might be small enhancements, while others might be large enhancements. A large enhancement could be the linking of the VANET with other infrastructure such as combining information with public transport information. Safety on the roads can be improved, trac jams can be reduced and user experience can be boosted. While many applications are considered, possibly combined with eorts to create autonomous driving vehicles, some challenges still need to be addressed. In order for the public to accept and trust these new applications, the technique needs to be safe and adequately protected. The next chapter describes the requirements and challenges that are introduced in VANETs.

28 Chapter 3 Challenges in VANETs When using VANETs some challenges arise from the need to ensure the safety of the network and the drivers. We will describe the basic attacker model relevant for this research. Although more attackers can be considered, these are not described here as we only focus on specic areas. We assume that other attackers are adequately dealt with in related research. Based on the attacker model some security and privacy requirements are listed. Addressing these issues, by for example using an infrastructure with certicate based authentication raises dierent challenges. These challenges are described as well as the bandwidth problems that arise from aiming to meet certain security and privacy requirements. 3.1 Attacker Model Attackers in the eld of VANETs can be divided into dierent categories and target mainly the authenticity, availability and integrity of messages [26]. A distinction can be made between active and passive attackers, where the active attacker actively participates in the communication and where the passive attacker only listens to the communication. Active attackers are for example road-side attackers that are not actually driving a vehicle but are using a laptop to transmit fraudulent messages. Passive attackers for example just monitor the trac being sent on the network but do not interfere or actively engage them self, with the goal to track vehicles location or obtain movement patterns. Another distinction that can be made is whether attackers follow the implemented protocols, a correct entity, or attackers that deviate from the implemented protocols, a faulty entity. While correct entities can still deliver faults in the communication, for example by communication errors, fault tolerant techniques for vehicular communication are not considered in this research. Fault tolerant techniques are a separate area of research and 27

29 28 CHAPTER 3. CHALLENGES IN VANETS in this research we assume that faults only occur by attackers. Open standards of the vehicle communication protocols provide attackers with detailed knowledge about the protocols and operations. Active attackers can modify messages that are relayed by them but can also inject messages into the communication. An active adversary may also jam the communication and prevent other devices within its range to communicate, or replay messages previously send by other entities. Other important threats include denial of service, replay and repudiation, dened in the ETSI standards [27]. Attackers can either be equipped with cryptographic keys and credentials that allow them to participate in the network, called internal attackers, or they can be attackers without key, called external attackers. Possessing keys and credentials does however not guarantee correct operation of nodes, as attackers for example can possibly retrieve keys when tampering with the secure storage inside vehicles. In the network multiple adversarial nodes can be present at dierent locations. They can work independently or they may collude and share information or coordinate attacks. It is reasonable to expect that only a relatively small fraction of the nodes in the network will be adversarial. They will have only a limited range within the network, and most of the time only few adversarial will surround a legitimate node at maximum. To protect the VANET from attackers, certain security requirements have been proposed and will be described next. 3.2 Security Requirements Several security requirements have been proposed for a VANET network [10, 28, 12]. Dierent applications exist for VANETs and each have their own requirements related to security. Some security requirements which can be required by specic applications are message authentication, nonrepudiation and integrity, but also requirements such as verication of data consistency, availability, privacy and real-time constraints. The following requirements provide basic building blocks for more advanced requirements that dier per application. Message Authentication and Integrity Messages should not be altered by attackers before they are received by a vehicle. The receiver must con- rm the message originated from the sender but does not need to know the identity of the sender.

30 3.3. PRIVACY REQUIREMENTS 29 Message non-repudiation sent a message. The sender of a message cannot deny having Entity authentication The receiver is ensured of the sender generating a message and the receiver can assume the sender is a trusted entity. Message freshness The receiver can verify that the message is generated recently, it has no eect to receive location messages that are already outdated. The receiver is thus certain that a unmodied message was generated within an interval [t τ, t], with t the current time at the receiver and τ > 0 and a suciently small positive value. Access control Each type of node should have a distinct role within the network. Based on this role certain permissions are assigned which allow the node to only participate in certain protocols and to only insert certain messages in the network communication. Accountability Authorities should be able to map security related events to system entities. In the vehicular communication dierent aspects exists that need to be secure, such as for example the wireless communication and the hardware and sensors in the vehicle itself. Where for example the protection inside a vehicle is covered in [29], our focus is on issues that arise when requiring message authentication and integrity. Not only security requirements are dened, but also privacy requirements that are desirable for VANETs. 3.3 Privacy Requirements In a VANET there are several stakeholders involved such as the drivers, service providers and authorities. Privacy requirements for VANETs, such as anonymity and unlinkability, are dened in [12] and are described below. These requirements need to take into account the dierent stakeholders involved in a VANET. The aim is to provide an adequate level of privacy protection under various constraints. Minimum disclosure The amount of information that is revealed should be kept to a minimum. Although for the correct functioning of the VANET network and its applications, it is sometimes required that users send information about themselves, this should however be kept to a minimum and should only be done in special situations and not by default.

31 30 CHAPTER 3. CHALLENGES IN VANETS Anonymity It would be ideal to achieve full anonymity for sending vehicles, however this is not possible due to the requirement of accountability [27]. Sender anonymity makes sure that no link can be established between the message contents and the sending vehicle. Only authorities have the ability to link credentials, that are included with messages, to their respective owner. Unlinkability For attackers it should not be possible to link messages, vehicles or owners to each other. Unlinkability of consecutive messages from the same vehicles is equally needed to be able to avoid tracking. Distributed resolution authority When authorities want to link a credential to a specic owner, the capability to do this should be distributed among multiple parties. The capability to do this thus requires a cooperation between a number of these parties. This requirement is related to the requirement of anonymity as both cannot be achieved at the same time. Accountability is thus important as a security requirement, but also as a privacy requirement. Perfect forward privacy The resolution of one credential should not reveal any information that aects the unlinkability of other credentials of the same user. There exist several relations between the security requirements and the privacy requirements. For example accountability and authentication limit the level of anonymity that can be provided by the mechanisms used by identity resolutions. As a result only conditional anonymity is achieved in vehicular communication systems. Other relations exist and are described in [12]. 3.4 Fullling Security and Privacy Requirements To fulll the above mentioned requirements some proposals are done by the leading standards, among proposals to use a public key infrastructure and to use pseudonyms. These solutions each have some challenges when being used in VANETs. A challenge coming forth from combining these multiple solutions is discussed in Section Certicate Based Authentication The leading standards propose the use of a Public Key Infrastructure (PKI) as the solution for message authentication and integrity. The PKI binds public keys with user identities by means of a Certicate Authority (CA).

32 3.4. FULFILLING SECURITY AND PRIVACY REQUIREMENTS 31 Obviously, every user must have a unique identity within each CA domain and this is assured by the Validation Authority (VA). To ensure that the public key is actually bound to the correct identity, in a way that ensures non-repudiation, the registration authority (RA) is used. This can, depending on the level of verication required, be done by an automated system or by a person. With the use of a public key infrastructure, however, some challenges arise. Besides certicate management a well known example is certicate distribution. The standard method for delivering certicates is to include them with the signed messages. This is commonly known in the context of S/MIME [30], where the size of messages is not a critical attribute. The alternative PGP/MIME solution [31] uses key servers as repositories of key material and web-of-trust-information. In the case of vehicular communication the bandwidth consumption is much more sensitive than mail delivery. Additionally, chances of not having connectivity between vehicles and key servers are much higher. For simple reasons of performance, the direct exchange of certicates through ad-hoc networking channels is preferred over remote infrastructure access. Even if the availability of key servers can be assumed, the round-trip time is expected to much higher than local wireless communication. Not only bandwidth and ensuring connectivity are diculties that arise, but for example certicate revocation is another diculty. Alternatives for these aspects are described in Chapter Maintaining Privacy with the use Pseudonyms Privacy sensitive information, such as vehicle location and vehicle and driver identity, should be protected. There is a need however for local short-term tracking of vehicles for cooperative awareness. In contrast, global long-term tracking should be avoided for privacy. However, law enforcements agencies should be able to identify someone in case of accidents or violations [10]. This revocable privacy makes sure that privacy can be revoked under certain conditions. An approach for preserving privacy under these conditions is the use of pseudonyms issued by a pseudonym provider. Instead of having one single identity per vehicle, each vehicle now has a set of multiple identities to present to other participants, such as road-side units or other vehicles. These pseudonyms are represented in the same certicates used for a single identity and for other parties no dierentiation can be made between certicates for a pseudonym or for a single identity. These

33 32 CHAPTER 3. CHALLENGES IN VANETS pseudonyms can again be used to authenticate or sign messages. In order to prevent long time tracking of a vehicle, through the identity it is attaching to safety messages, vehicles can thus switch between multiple identities or pseudonyms. According to the regulations in specic parts of the world, vehicles will receive a large bunch of pseudonyms or are required to retrieve a new set of pseudonyms once in for example a couple of months. Depending on the standards dierent options are dened for the lifetime and validity. They can be used within a specic amount of time, e.g. a month, where it is up to the vehicles software implementation when pseudonyms are used and how often is switched between them. Reusing pseudonyms is in this case a legitimate option. Another option is that each pseudonym is only valid for a small period of time, e.g. 5 minutes, where after each such period of time a new pseudonym has to be used. Strategies that determine the best time when a switch between pseudonyms should be done are at the moment actively being researched by academia. Switching between pseudonyms at the wrong time results in no added privacy. Even when pseudonym changes are done at the right time, it might even be possible to track vehicles based on the attackers capabilities. A short description of possible pseudonym change strategies is given in Section Bandwidth Problem To fulll the requirements for security (Section 3.2) and privacy (Section 3.3) one of the measures is to use pseudonyms. Specically, certicates are used to meet the security requirements such as message authentication, integrity and accountability. In addition to that, pseudonyms are used for the privacy requirements of preventing long-term tracking. Adding certicates to messages increase the total size of the message and thus consumes bandwidth. Because of the large amount of messages and data, this leads to performance problems, especially in congested areas. These performance problems especially appear in congested areas, where a large vehicle base is sending messages, signatures and their certicates over the network channel. Because of this large vehicle base and the high amount of certicates the network becomes congested and Network Packet Loss (NPL) occurs. NPL is the loss of packets when sending messages over the network, resulting in information loss. Adding pseudonyms to the system will increase this performance loss even more as the network becomes more congested.

34 3.6. SUMMARY 33 A strategy for reducing this NPL is by omitting certicates from time to time when sending messages. Omitting the certicates saves a considerable amount of bandwidth on the network and thus reduces the NPL. However, when no certicate is attached to a message the receiver cannot verify the message and therefore ignores the message. Certicate omission, based on a certain strategy as described in Section 4.5, thus introduces Cryptographic Packet Loss (CPL). CPL is the loss of information due to missing cryptographic material which results in not being able to verify messages. Although NPL and CPL are not desired, it does not always have to be harmful. If a vehicle does not receive the contents of a message from a particular vehicle, either by NPL or CPL, it could still be the case that he receives this information from another vehicle. Therefore, NPL and CPL are not used to measure information loss, but a dierent technique called Awareness Quality (AQ) is used. This technique measures the correctness of the information that a vehicle has about its surrounding neighbors. The goal is to decrease this information loss and thus to increase the safety of the VANET and the vehicles participating. For this purpose several strategies are proposed in Chapter 5 that are aimed at decreasing the amount of information loss. 3.6 Summary Some applications of vehicular communication can inuence safety-of-lives applications in vehicles and therefore need strong security. Security and privacy requirements have been dened and based on these the leading standardization eorts specify digital signatures and dedicated public key infrastructures to provide authentication and integrity of messages. Using digital signatures has a signicant impact on among others the usage of bandwidth. Reducing the bandwidth usage can be done in dierent areas, such as using a eective digital signature scheme or using an eective method for distributing certicates. Not only optimizations are possible by choosing correct signature schemes or distribution methods, but also optimizations can be done on the hardware level and decreasing for example the collisions in congested areas. An option for decreasing the bandwidth overhead is decentralized congestion control, described in Section 4.1. This however is not sucient and therefore other alternatives are investigated. The next chapter describes the related work on addressing these challenges in dierent ways.

35 34 CHAPTER 3. CHALLENGES IN VANETS

36 Chapter 4 Related Work Regarding VANETs in general and more specic about the security and privacy of these ad-hoc networks several related work exists. To understand why certain solutions are not viable to address the given performance problem a brief summary is given with their main characteristics. First, we provide an overview of solutions for reducing bandwidth overhead on the hardware and implementation level, so called decentralised congestion control. Then, we discuss alternative authentication schemes aiming to reduce CPL and NPL in dierent ways compared to the canonical schemes of ETSI and IEEE. A short overview is given on possible pseudonym change strategies, aimed at creating the highest level of privacy. Several strategies are also described for performing certicate omission and certicate revocation. 4.1 Decentralised Congestion Control Because only a limited bandwidth exist and it is desirable that all packages will reach their destination, several options have been proposed to improve the bandwidth control in general and to prevent network packet loss (NPL). For the communication between vehicles a special bandwidth channel is reserved, where in Europe a 30MHz spectrum in the range of to GHz is reserved for this. This bandwidth is divided into two dierent type of channels, namely one Control Channel (CHH) and one or more Service Service Channelss (SCHs). The CHH is used for critical road safety applications and location beacons and the SCHs are used for safety and trac eciency applications. In order for the critical safety messages to be delivered on time and with high certainty it is important to keep the CHH free of any congestion that might occur especially in areas with a high density of vehicles. In order to reduce the congestion at a local level, Decentralised Conges- 35

37 36 CHAPTER 4. RELATED WORK tion Control (DCC) [32] uses dierent techniques to achieve this. Example techniques part of DCC are dynamic beaconing intervals and dynamic transmission power. With dynamic transmission power, the power is adapted based on the local channel load [33, 34]. These techniques are combined with dierent algorithms to gain better results. Results are dened by three aspects: dissemination area, latency and reliability. However, for these algorithms to perform eciently it is required to have knowledge of the actual channel load. Simulations that describe dierent power levels are done in [35]. The basic communication setup, including the dierent layers on which DCC is applied to, is described in the WAVE and DSRC standards [36]. Although the communication diers from the standards for wireless communication, it is important for the inter-operability among dierent vehicle manufactures and dierent parts of the wold to achieve cooperative standards. 4.2 Authentication Mechanisms Besides the proposal by standardization eorts alternative authentication mechanisms are proposed [10]. Pairwise keys, secure group communication and the TESLA protocol are such mechanisms. Extensions of this TESLA protocol, namely TESLA++ and VANET Authentication using Signatures and TESLA++ (VAST) are proposed in [37, 38]. Identity-based encryption and certicateless encryption are two more proposals [39, 40]. In an Identity-based Encryption (IDE) scheme the public key of a user can be an arbitrary string [41]. The goal of IDE is to simplify certicate management, mainly used in systems. Encryption, or in this case signing, can be done using the identity of the receiver as public key. So in case Alice sends a message to Bob she can encrypt or sign with the public key string or with another string identifying Bob such as for example the license plate. IDE has several disadvantages when being applied to VANETs. First of all, the identity of the receiver needs to be known before sending the message. IDE is based on bilinear maps between groups, however for the purpose of VANETs the pairing is too slow. Certicateless signatures are introduced in order to solve the key-escrow problem of identity-based signatures. The key-escrow problem is that the private keys are always available to another identity than the actual owner of the private key. In certicateless signatures the private key is not fully determined by the user nor by the trusted third party. The Trusted Third Party (TTP) generates partial private keys and users can compose a fully

38 4.3. PKI, SIGNATURES & CERTIFICATES 37 private key based on the partial private key and a self-created random secret value. The TTP does not receive this user-generated secret and can thus not access the users' secret keys. This authentication system however, is also not suitable for VANETs as the pairing based crypto that is required is too slow. Studying these authentication mechanisms into great detail does not belong to the scope of this research. These alternative authentication mechanisms are not considered suitable, mainly because of the performance being considerable slower than a plain PKI. The performance of symmetric key solutions (also HMAC keyed hash solutions) would be better than solutions based on asymmetric key operations. Symmetric key based solutions, such as TESLA, are not considered because they can not provide non-repudiation. TESLA in this case also implies a latency of one beacon cycle before verication can occur. 4.3 PKI, Signatures & Certicates Digital certicates are used to verify that a particular vehicle belongs to a certain identity. The PKI is a system that facilitates the creation, storage, distribution and revocation of these certicates. To ensure that digital certicates are valid, they are digitally signed by the CA using its own private key. All the trust of the signed users key is thus placed in this single CA. In more complex systems there are several CA in the certicate chain, which in the end will all be signed by the single root CA that is dened as a base of trust. For safety messages, integrity and authenticity are two important requirements. To ensure that these requirements are met, digital certicates issued by the CA are used and added to messages. Not only the certicates are added to the messages, but also signatures are added to ensure integrity. The certicates make sure the authenticity can be veried, while the signatures make sure the integrity of the messages is guaranteed. For this research we assume that all valid certicates are actually correct and still valid, while theoretically there could be a delay for all users are aware of the revocation of a certicate. Dierent approaches to perform certicate revocation are described in Section 4.6. The use of certicates in VANETs can be illustrated as follows with a concrete example. Vehicle A wants to send a safety message to vehicle B, while B must be sure that the message is not altered and is indeed send by A. To this intend A has a private A s, and a public A p, key. The following

39 38 CHAPTER 4. RELATED WORK steps describe the signing and verication procedure. 1. Vehicle A will send the message, a signature of the message and his certicate to vehicle B: (message, SIG M, A p ). 2. Vehicle B will receive the message, signature and certicate. Using the received certicate he can verify the message. 3. Based upon the validity of the message, Vehicle B can decide to ignore or use the information in the message. In this simple example it is assumed that there is only one single trusted CA, which issues a certicate for A. In a realistic situation more CAs exist and vehicle A will actually attach a chain of certicates to provide authentication up to the root certicate authority. 4.4 Pseudonym change strategy As described in Chapter 3 pseudonyms are used to prevent attackers from tracking individual vehicles over long distances. Pseudonyms should be changed frequently to ensure a sucient level of privacy [42]. Pseudonym change strategies are still a matter of active research [43]. Simply changing the pseudonym randomly is not enough as several studies [44, 42, 45] have shown that linkability can be achieved due to interpretation of position and trajectory information. Several proposals have been done on how and when to perform pseudonym changes. For example changing pseudonyms randomly [46], by introducing silent zones after switching to a new pseudonym [47, 48, 49, 50], by introducing errors in the position information [51] or using a mixed-content approach [52], in which vehicles change pseudonym based on the surroundings of the vehicle. Precise data quality is required for some safety applications and doing pseudonym changes according to one of the above strategies might have a negative impact on this data quality. For example, Levèfre et al. [53] show that, in the context of intersection collision avoidance, pseudonym changes with silent periods can cause drastic degradation of service quality. Open announcements for locally synchronized pseudonym changes [49] might be a solution to avoid degradation of service quality. This could include periods of Road Side Units (RSU) assisted or group-based encrypted communication to preserve unlinkability [54, 55]. However, it is not clear if the VANET topology can provide groups that are stable enough or if RSUs can be assumed

40 4.5. CERTIFICATE OMISSION 39 to be available throughout the network. Degradation of service quality by disruptions in local linkability are thus an important consideration when deciding upon the implementation of pseudonyms. The solution proposed in this research could provide reason to increase the use of pseudonyms or to change the standarized strategy for pseudonym changes. 4.5 Certicate Omission The measures described in Section 4.1 about applying DCC describes possibilities to apply congestion control on certain layers. These measures, however, do not take into account several aspects such as the need for certicates as well as the amount of certicates needed for pseudonym usage. Certicates are added to safety messages in order for the receiver to validate the validity of the messages. See also Section 4.3 for a more extended description of the digital certicates in VANETS. An issue that arises is the performance of the message dissemination and the congestion of the network. Using certicates increases the message size and therefore increases the likelihood for collisions, which can result in less messages being delivered. To address this problem, certicate omission is introduced. Certicate omission schemes are used to omit the certicates belonging to messages in certain cases. These omission schemes aim to achieve a lower NPL, by reducing the bandwidth that is sent over the network. Certicate omission however introduces another problem, namely Cryptographic Packet Loss (CPL). CPL occurs when a message is received correctly, but when the certicate needed to verify the message is missing. In this case the receiver is thus not able to verify the message. Dierent omission schemes have been proposed to decrease the NPL and to keep the CPL to a minimum Neighbor-based Certicate Omission In Neighbor-based Certicate Omission (NbCO) [17] certicates are omitted based on a strategy that takes the direct neighbors into account. Each vehicle has, up to a certain degree, an idea about its neighbors that are in the wireless transmission range. Before sending a message each vehicle will rst determine if there are new neighbors since the last message send. If there a no new neighbors, and the neighbor table stays the same eectively, the message is send without certicate. However, if new neighbors are detected,

41 40 CHAPTER 4. RELATED WORK the certicate is attached to the message Periodic Omission of Certicates In Periodic Omission of Certicates (POoC) [18] certicates are omitted in the message based on a xed interval. In this scheme only the i th message contains a certicate, where the other messages are send without certicate. The most important metric is the beacon interval, which is the period until a node can verify a signature, and is calculated as (n 1) b with b as the beacon interval and a certicate is attached to every n th packet. In this schema communication overhead is obviously reduced, but it also creates situations where messages can not be veried due to a missing certicate. Also, this scheme is independent from the vehicle context. This is important because when the vehicle has a speed of 80 km/h, the scheme might be appropriate. When this vehicle however is driving with twice that speed safety margins can be violated as more distance is required to verify a signature with certainty Congestion-based Certicate Omission In Congestion Based Certicate Omission (CbCO) [16] certicates are omitted based on the estimated channel congestion. As discussed before omitting certicates will result in messages that can not be veried, introducing CPL. CbCO is aimed towards minimizing the combined information loss of NPL and CPL combined instead of maximizing the number of omissions. The idea is to nd an optimal balance between NPL and CPL by varying certicate omission based on channel congestion, without aecting the message interval or other normal operations. 4.6 Certicate Revocation As described before the VANET security model is based on a PKI. The certicates are used for identifying entities and signing content. Other real-live examples with a similar setup could be found in websites or encryption such as PGP and S-MIME. Certicates are issued and distributed by a CA. Certicates can be signed by multiple CAs and thus creating a certicate chain, where the root CA is dened as a base of trust. An important aspect of the entire PKI and certicate management is the revocation of certicates. Revocation of certicates is for example needed in case a vehicle gets stolen or in case a vehicle is no longer allowed to be driven in. Some possibilities exist for revoking certicates, however not all

42 4.6. CERTIFICATE REVOCATION 41 options are completely suitable because of the nature of the network, such as fast changing identities and the lack of connectivity. Examples are Certicate Revocation List (CRL) and Online Certicate Status Protocol (OCSP). Specically for VANETs some other possibilities such as Revocation of the Tamper-Proof Device (RTPD), Revocation using Compressed Certicate Revocation Lists (RCCRL or RC 2 RL) (RCCRL) and the Distributed Revocation Protocol (DRP) [56] Certicate Revocation List The most used solution to revoke certicates is the use of a Certicate Revocation List (CRL) [57]. The CRL is a list that contains all certicates that are revoked by the CA. Composition and distribution of the CRL is done by the CA and is usually spread on a periodic interval or upon revocation of a certicate. Clients are required to implement checking functionality in order to validate the certicates presented by the various entities and are responsible for requesting a new CRL if the expiration time and date has passed. The distribution of a CRL can be done through a variety of protocols such as http, ldap or other services. There may however be a need to provide more frequent updates to the revoked certicates. Another disadvantage of the use of CRLs is that they could become very large and could cause problems in memory cache size and network bandwidth Online Certicate Status Protocol The Online Certicate Status Protocol (OCSP) [57] enables a more frequent check of revoked certicates by providing an online mechanism to determine the validity of certicates. In the OCSP a client can query the OCSP server upon presentation of a certicate to retrieve the actual status and validity. A possibility is to use the OCSP in combination with a CRL, where the OCSP servers uses an internal CRL while the client communicates with the OCSP server. Another possibility is to integrate the OSCP server with the PKI to directly query the certicate database. The end client will thus not receive the full CRL and this will save a substantial amount of bandwidth. In combination with the small amount of data required for an OCSP request this makes it a more ecient operation that using a standard CRL. Using the OCSP can thus prevent having a large load on the PKI and the associated network due to large CRL les. The OCSP is however not suitable for VANETs due to the requirements for live queries.

43 42 CHAPTER 4. RELATED WORK Certicate Revocation for VANETs Even though using CRLs is currently the most eective solution, CRLs and the OCSP are not ecient enough to be used in VANETs. It is dicult to transfer large amounts of data and connectivity between the nodes is not always guaranteed. Moreover, no direct connection between nodes exists but everything is distributed through other vehicles or road side units. In combination with the high amount of certicates that are required for pseudonym changes this proposes some real challenges. Specically for VANETs some protocols have been developed that address the issues of connectivity and available bandwidth. Revocation using Compressed Certicate Revocation Lists (RCCRL or RC 2 RL), Revocation of the Tamper-Proof Device (RTPD) and Distributed Revocation Protocol (DRP) are proposed. Revocation using Compressed Certicate Revocation Lists (RCCRL or RC 2 RL) (RCCRL) [58] tries to tackle the major drawback of CRLs, namely scalability. In RCCRL the CRLs are compressed using a Bloom lter, "a simple space-ecient randomized data structure for representing a set in order to support member-ship queries" [59], which leads to much smaller CRLs that can be distributed more easily. RTPD [56] is useful in case all certicates of a single vehicle needs to be revoked. This can of course be done by adding all these certicates to the CRL, but this has a large impact on performance and is not ecient. RTPD instead revokes the entire vehicle, and thus automatically all its certicates without dening these individually, and does this by disabling the Tamper-Proof Device (TPD) of the vehicle. The TPD is used to safely store protected material such as certicates. Upon revocation of the TPD these certicates can no longer be used. In VANETs, connectivity is sometimes limited or might not even be available at all. In this case, when no connectivity is available, the DRP [56] is suitable. In DRP a temporary revocation of a vehicle is possible by combining the eort of surrounding vehicles, this until the connection with the CA has been restored. The surrounding vehicles will use a trust based model to determine which vehicles are malicious and together they will temporary revoke this vehicle. Note that no single vehicle can revoke any other vehicle, but revocation of a vehicle is done by a number of vehicles combined, where the assumption is that the majority of vehicles are trusted. The industry CAR 2 CAR Communication Consortium (C2C-CC) however does not expect to deal with certication revocation at all. The focus

44 4.6. CERTIFICATE REVOCATION 43 instead is to use pseudonyms with short lifetimes.

45 44 CHAPTER 4. RELATED WORK

46 Chapter 5 Enhancement Strategies In order to eectively mitigate the bandwidth problem, given the requirements, a number of dierent approaches are briey considered. A short non-exhaustive overview of these alternative approaches is given, including some advantages and disadvantages. Based on a few criteria on how well the alternative is performing a comparison is made between these approaches. It is important to note that grading these alternatives on the indicators is not achieved by absolute measurements, but merely by indications about what the expectations are. The following criteria are used to analyze and compare some alternatives. Solutions are mainly based on two general ideas, namely the increase of the available bandwidth for disseminating certicates and the reduction of the network load caused by the dissemination of messages and cryptographic material. Increase of available bandwidth The approach will increase the available bandwidth for the dissemination of messages and cryptographic material. Decreasing the amount of packets sent so that more bandwidth becomes available is considered not to belong to this category. Decrease the number of packets The approach will decrease the number of packets sent on the network. This is achieved by disseminating less messages, smaller messages, or a combination of both. Highly independent of penetration The approach is highly independent of the penetration of V2X enabled vehicles among all vehicles on the road. This is especially interesting in the early deployment stages of the V2X network. Highly independent indicates the approach is able to function, with and without a high amount of V2X enabled vehicles. Low impact on other services The approach will have low impact on other services available. Services include for example maintenance, 45

47 46 CHAPTER 5. ENHANCEMENT STRATEGIES internet or other entertainment features of the V2X network. Having low impact means the services are aected insignicantly or not at all. 5.1 Alternative Channels in p The ETSI and IEEE standards currently describe the use of one safety channel. This channel is solely used for disseminating safety messages, including signatures and certicates, while the other non-safety channels are used for all non-safety messages. The safety messages are more critical than nonsafety messages, in terms of timing and correctness. As a result a dedicated channel is used for safety messages and dierent requirements have been de- ned, such as the requirement of timely delivery. To prevent the safety channel from being congested by safety messages and the corresponding cryptographic material, a possibility is to spread the load among multiple channels in p. The messages, with or without certicates, can be disseminated using multiple channels and therefore the safety channel becomes less congested. For this purpose, either new channels have to be added, or existing non-safety channels have to be used to disseminates safety messages and cryptographic material. The advantage of this scenario is that quite a large amount of additional bandwidth will be available due to the use of non-safety channels. In the initial stages of the V2X deployment only a limited number of non-safety applications are available. This ensures that there is enough free capacity on the non-safety channels to be utilized for disseminating safety messages. The disadvantage however is that in the future more non-safety applications will exist that require bandwidth. The bandwidth on the non-safety channels that is available in the initial stages of the V2X deployment might not be available anymore at a later stage when these additional applications are available. Using the non-safety channels for safety messages might also congest these channels which will result in the same eect as solely using safety channels for safety messages, namely information loss in the form of NPL or CPL. In addition, the standards need to be modied to be able to support safety messages over non-safety channels. The approach is thus not deemed very suitable for the future. This approach increases the available bandwidth for safety messages and cryptographic material, but decreases bandwidth for other applications. It is independent of the penetration as the approach also works with low penetration in early the deployment of V2X. It is however less eective in the future, when more applications are available. Other services are not aected

48 5.2. INFRASTRUCTURE AND ROAD SIDE UNIT SUPPORT 47 much in the beginning, but could be in the future. 5.2 Infrastructure and Road Side Unit Support The performance problem occurs mainly in areas with high vehicle density. With many vehicles present and because each ITS-enabled vehicle will broadcast messages and certicates to its neighbors an overhead is created. This overhead can possible be reduced by using Road Side Units (RSUs) near congested areas. RSUs are static units near the road that are capable of communicating through the V2X network and that for example can provide information about road or trac conditions near that RSU. An approach would be to let RSUs spread certicate material instead of solely relying on local wireless communication between vehicles. For example trac lights at intersections can be used to provide additional infrastructure for certicate dissemination. This approach provides two main possible benets. The rst possible benet is that within the transmitting range of this RSU the certicate material can be disseminated by the RSU itself instead of by vehicles driving in this transmitting range. The number of transmissions can be reduced as more vehicles can be reached in the congested area, which is exactly where the RSU is placed. Vehicles can omit all certicates while driving in the communication range of the RSU. In order for the RSU to have the correct certicates, i.e. of the actual vehicles in the communication range, it should receive these from vehicles entering this area. Entering vehicles will only have to send their certicate once to the RSU. This prevents vehicles from sending their certicates multiple times in order to reach every vehicle at the congested area. The second possible benet is that RSUs can be connected to other RSUs via Long Term Evolution (LTE) or other internet connections, proving a faster and exhaustive bandwidth channel. Transferring certicates between dierent RSUs is benecial if vehicles are driving between dierent locations that are supported by these RSUs. Besides simply transferring certicates from one RSU to another, connecting RSUs could also provide cloud based key servers that can be accessed via LTE. This approach reduces little amount of bandwidth that is needed as certicates can be distributed less by using a RSU at congested areas. It also increases the available bandwidth as certicates can now be distributed between RSUs via e.g. LTE. As no changes are required in the protocol, other services are not aected by applying this approach. However, the approach is highly dependent on the available infrastructure. It is thus not dependent

49 48 CHAPTER 5. ENHANCEMENT STRATEGIES on the penetration of vehicles in the V2X network, but on the penetration of RSUs. Congestion can still occur on locations without available RSUs, such as for example in trac jams, near accidents or on unsupported roads. 5.3 Out Of Band Distribution Out of Band (OOB) distribution is another approach in which more alternative bandwidth channels are used beside the currently standardized p. This approach looks similar to the alternative channels approach, see Section 5.1, but instead it uses dierent communication mechanisms. Examples of alternative communication channels are communication by Visual Light (Li-Fi), Infrared (IrDA) or by communication on the 60Ghz frequency. Figure 5.1: Overview of platooning (from [4]) The alternative communication channels can be used to disseminate messages or cryptographical material between vehicles. This approach thus increases the available bandwidth for VANET communication. The main disadvantage of for example Li-Fi and IrDA is that communication only works in a short range. Vehicles will thus have to drive closely to each other in order to make communication using Li-Fi and IrDA possible. Vehicles will drive very closely to each other in the case of platooning, which is a technique in which vehicles will be combined in a semi-autonomous 'road train' of vehicles, which allows them to accelerate or brake simultaneously. Messages about location, direction and speed are shared between members of the platoon and all vehicles will receive information from the vehicle directly in front of them. In Figure 5.1 an overview is given, with the green vehicles

50 5.4. PRE-DISTRIBUTION OF CERTIFICATES 49 as part of the platoon. Platooning is especially suitable to be combined with Li-Fi or IrDa. Using alternative communication channels increases the available bandwidth for disseminating messages and cryptographic material. Although available bandwidth is added, these communication techniques cannot always be used. They require that enough vehicles are available that are also driving closely together, making it dependent on the penetration. Combining these alternative communication channels with, for example, platooning provides a suitable option to decrease the loss of information. Other services of the V2X network are not aected by using dierent additional communication channels. 5.4 Pre-distribution of Certicates Pre-distribution of certicates is a technique we propose and that decrease the loss of information by pre-distributing cryptographic material in less congested areas in order to increase the availability of this material in congested areas. Vehicles broadcast safety messages, including signature and certicate. Validity and integrity of the messages are veried by using the attached signature and certicate. When omission schemes are used, see Section 4.5, some CPL is created because of missing certicates. Pre-distribution decreases this CPL by making this certicate material available even if the message does not contain a certicate. When disseminating messages, they are not pre-distributed to neighboring vehicles, but are re-composed by each individual vehicle. Each vehicle thus attaches his own certicate to safety messages. In the case of predistribution, additional certicates are distributed on top of the standard message data, signature and certicate. Vehicles will not only add their own certicate to a message, but also one or more certicates of vehicles a certicate has been received from before. In the case that CPL should occur without pre-distribution, the certicate could still be available by applying pre-distribution. Pre-distribution works by decreasing amount of packets that are needed in congested areas. With the same amount of message a higher quality of information is achieved. It makes better use of the available bandwidth in less-congested areas by disseminating extra certicate material in those areas. It is little dependent on the penetration of the number of vehicles in the VANET as disseminating cryptographic material can be achieved with low or high penetration. This approach has no aect on other services oered by the V2X communication.

51 50 CHAPTER 5. ENHANCEMENT STRATEGIES 5.5 Summary For each of the above approaches a short description is given. Figure 5.2 provides an overview of how each alternative aects the performance on the indicators dened in the beginning of this chapter. As can be seen the approaches of using alternative channels and OOB distribution are both applicable for two criteria. For the alternative channels approach these are the increase of available bandwidth and the highly independence of penetration, while for OOB distribution these are increase of available bandwidth and low impact on other services. The approaches of using infrastructure & RSU support and pre-distribution of certicates are both applicable for more than two criteria. Because of the expected cost of providing sucient infrastructure and RSUs the option of doing pre-distribution of certicates seems the most suitable of the above described approached. Alternative Channels in p Infrastructure Out Of and RSU Band Support Distribution Predistribution Increase of available bandwidth Yes Yes Yes No Decrease the number of packets No Little No Little Highly independent of penetration Yes No No Yes Low impact on other services No Yes Yes Yes Figure 5.2: Comparison of possible alternatives In this report the approach of applying pre-distribution of certicates is investigated. This approach is especially suitable to be combined with certicate omission, which is proposed in the leading standards. This approach can also be used in the early stages of the V2X deployment as it is deemed highly independent of the penetration of vehicles using the V2X communication technique. Although the other approaches are also viable options, it is for example the expectation that Out Of Band distribution also provides substantial benets, these are not investigated in this report.

52 Chapter 6 Pre-distribution of certicates As described earlier in Section 3.5, a bandwidth problem exists in vehicle communication. Currently, the ETSI standards describe to use certicate omission as a possible solution to reduce the information loss. Besides lowering the NPL, using certicate omission also introduces CPL. Pre-distribution aims to reduce the CPL and thus to decrease the information loss. First an overview is given of how pre-distribution works. After that some parameters and major design decisions are discussed. 6.1 Overview In order to minimize the number of events where certicates are not available to verify the integrity and authenticity of the message, certicates could be pre-distributed in less congested areas. As a result it is more likely that in congested areas, where the certicate is not attached to the message due to certicate omission, the certicate will be available because it has been received and stored earlier. Pre-distribution delivers certicates not only to direct neighbors but makes sure these are distributed further. We consider Figure 6.1 as an example, in which we consider three vehicles: A, B and C. Pre-distribution has the most eect when additional certicates are sent in non congested areas and when these certicates are available in congested areas. Figure 6.1 represents the non congested area. Pre-distribution consists of the following steps: 1. Vehicle A broadcasts a message, which includes the data (D A ), signature (SIG A ) and certicate (CERT A ). The information is received by vehicle B, but not by vehicle C. The left dashed line indicated the end of the transmission range for vehicle B and the right line indicates this for vehicle A. 2. Vehicle B receives the message from A and validates the data. 51

53 52 CHAPTER 6. PRE-DISTRIBUTION OF CERTIFICATES Radio range Vehicle B DB, SIGB, CERTB, CERTA D: data SIG: signature CERT: certificate Vehicle A Vehicle B Vehicle C DA, SIGA, CERTA Radio range Vehicle A Figure 6.1: Overview of the pre-distribution of certicates between vehicles 3. Vehicle B broadcasts his own data (D B ), signature (SIG B ) and certicate (CERT B ). Vehicle B will also add one additional certicate to the message he disseminates, namely CERT A. Adding this additional certicate is key for the pre-distribution. The information is received by vehicle C (and vehicle A). 4. Vehicle C receives the message from B and validates the data. The additional certicate, CERT A, is not needed to validate the data but is cached. Vehicle B thus pre-distributed CERT A to its neighbors, vehicle C (and vehicle A) in this case, which provides benets in a later stage. This later and congested stage is used in Figure 6.2. The vehicles A and B, which are the same vehicles as described above, are modelled and are driving in a congested area. The following steps occur: 1. Vehicle A omits the certicate as part of the message and only sends D A and SIG A. This due to the certicate omission scheme being used, see Section Vehicle C receives the message from vehicle A, but is not able to verify the message. 3. From the pre-distribution applied by vehicle A in the non congested area, Vehicle C will have CERT A cached and is still able to verify the message and to use the information. Pre-distribution increases the likelihood of having a certicate available for the message verication. The previously described CPL, see Section 3.5, decreases and as a result so is the total loss of information. It might even be

54 6.2. SINGLE-HOP AND MULTI-HOP DISTRIBUTION 53 Vehicle A Vehicle C DA, SIGA Figure 6.2: Omission of the certicate in a congested area possible to omit more certicates in congested areas because this is compensated by the pre-distribution. Omitting more certicates in congested areas is interesting because this aects the NPL, see Section 3.5. More bandwidth is available due to less certicates being distributed and the NPL decreases. However, if more certicates are omitted in congested areas, without "compensation" via pre-distribution of the certicate, then the CPL increases again due to more missing cryptographic material. Balancing the NPL and CPL is thus required making sure that the total loss of information is as low as possible. Applying pre-distribution is especially suitable for VANETs because of the dynamic topology. Vehicles are expected to change their location often compared to neighboring vehicles. When disseminating certicates without pre-distribution the reach between vehicles varies, i.e. vehicles most likely disseminate certicates to a dierent set of vehicles every time. Increasing this reach, by allowing certicates to be disseminate further than the immediate neighbors, increases the eectiveness of pre-distribution. Doing pre-distribution can be achieved in various ways and using dierent parameters. Below an overview is given of important options considered in this research. 6.2 Single-hop and Multi-hop Distribution Using pre-distribution, certicates are forwarded to (one of the) next radio blobs to increase the reach. The certicate which belongs to the message originating vehicle, is disseminated by vehicles one or more hops down the road. If no limit is set on the amount of times the certicates are pre-

55 54 CHAPTER 6. PRE-DISTRIBUTION OF CERTIFICATES distributed, they could theoretically be disseminated for a long period, while the originating vehicle matching the certicate might be in a totally dierent area. We consider single-hop pre-distribution and multi-hop pre-distribution. Figure 6.3 gives an overview of pre-distribution of certicates in both cases. Single-hop pre-distribution is displayed in the left part of the image and the whole image including the left part represents multi-hop pre-distribution. Pre-distribution Single vs Multi Hop Vehicle C CA Vehicle F CA Vehicle A CA Vehicle B CA Vehicle D CA Vehicle G CA Vehicle E CA Vehicle H Single-Hop Multi-Hop Figure 6.3: Single-hop and multi-hop pre-distribution of certicates Single-hop pre-distribution is described by the following steps. Vehicle A in Figure 6.3 is considered as the beginning of the chain of disseminated certicates. The example only describes and displays relevant communication for the pre-distribution and not all data and cryptographic material is displayed. The following steps describe the single-hop scenario: 1. Vehicle A broadcasts a messages including this certicate, C A. Vehicles C, D, E (and F, G, H) are out of range and, hence, do not receive this information directly from A. 2. The message and certicate are received by vehicle B. Vehicle B will broadcast a message including CERT A to its neighbors, vehicles C,D and E. The certicate is for the rst time pre-distributed to the vehicles in his communication range. 3. Vehicles C, D and E (and A) receive the message from vehicle B, including C A.

56 6.3. AMOUNT OF EXTRA CERTIFICATES 55 Multi-hop distribution makes sure that certicates are pre-distributed among multiple hops. The above example, in which certicate A is predistributed by vehicle B, is considered single-hop pre-distribution because vehicle B received this C A directly from vehicle A. The following additional steps are considered multi-hop pre-distribution and occur after the previous single hop steps: 1. After vehicle C, D or E receive C A from vehicle B, they will forward this pre-distributed certicate. As can be seen in Figure 6.3, vehicle C will pre-distribute C A to vehicle F and vehicle D will pre-distribute C A to vehicle G and G. Certicate C A is added on top of the regular message and cryptographic material. 2. Vehicles F,G and H can continue pre-distributing certicate C A to next vehicles in the chain. In the case of single-hop pre-distribution it is clear how many times a pre-distributed certicate is forwarded, namely once. Multi-hop distribution pre-distributes the certicates more than once. The exact amount of hops that a certicate is pre-distributed in the multi-hop scenario can be dened via dierent settings, such as setting a expiration time for the certicate. 6.3 Amount of extra certicates Certicate pre-distribution is added on top of the regular message and certicate dissemination. A regular message consists of the data, a signature and possibly a certicate. The certicate can be omitted due to the certicate omission scheme used and is thus optional. In the event that a certicate is attached, extra certicates can be added for pre-distribution purposes. The pre-distribution strategy is closely linked to the used certicate omission scheme, see Section 4.5, as pre-distribution certicates are added when the omission scheme also yields adding a certicate. Adding the extra certicates for pre-distribution increases the total message size by 140 bytes for each additional certicate. More than one additional certicate can be added, possible resulting in a much larger message size. Adding more additional certicates might make the packet size too large, by restrictions on the maximal message as dened by the ETSI standards or by consuming too much bandwidth resulting in additional NPL. 6.4 Caching lifetime In order to use previously received certicates these certicates need to be stored or cached when received. These certicates can be cached until the expiration time or until no storage space is available anymore. The certicates

57 56 CHAPTER 6. PRE-DISTRIBUTION OF CERTIFICATES can also be cached for a limited time in order to make the pre-distribution of cached certicates more ecient. The next section, Section 6.5, describes which of the cached certicates are pre-distributed in which order. For any of these selection methods it is more eective to only cache the certicates which are most likely to be needed in the future. Deciding which certicate might be needed can be achieved by using additional information of the vehicle belonging to the certicate, such as the vehicles location or speed. Therefore, caching until the expiration time might not proof to be the most eective solution. 6.5 Selecting Certicates to Distribute From all the certicates that are stored in the cache an appropriate one for the next pre-distribution message needs to be selected. It is not possible to just simply add all cached certicates to the next message, as described in Section 6.3, but only one or maybe a few can be selected. Several strategies exist for selecting a certicate from the cache. These strategies work for a single or for multiple added certicates. Random The selection of a certicate can be done randomly. Amount of times pre-distributed A certicate can be selected based on the amount of times a specic certicate is pre-distributed. If all certicates in the cache are pre-distributed an equal amount of times and only one certicate is pre-distributed less, this certicate is selected. Location proximity The selection can be based on the location of the vehicle matching a certicate. It is not likely that the exact location of a vehicle is known, but this can be achieved based on the last known location. Certicates of vehicles which are closest to the vehicle doing the pre-distribution are selected rst. Destination and trajectory Based on the direction in which the predistributing vehicle is driving, certicates of vehicles are selected who are in close proximity of that trajectory. 6.6 Formatting the packets When pre-distributing certicates, additional certicates are added to the standard message contents. Figure 6.4 describes the basic workings of the CbCO scheme, described in Section 4.5.3, and displays the message contents for multiple messages. The message consist of the actual data, a signature and depending on the congestion a certicate is omitted by the CbCO scheme.

58 6.7. PRIVACY OF MULTI-HOP DISTRIBUTION 57 cert signature data size congestion time Figure 6.4: Congestion based Certicate omission Pre-distribution can add certicates in dierent situations and this is described using Figure 6.4. The dierent options for adding certicates are: 1. Adding a pre-distribution certicate to messages that contain the data, signature and certicate. This option is called pre-distribution in large packets throughout this paper. 2. Adding a pre-distribution certicate to messages that only contain data and the signature. This option is called pre-distribution in omission gaps throughout this paper. The rst option adds an additional certicate to the 1 st, 2 nd, 3 rd, 7 th and 8 th message displayed in Figure 6.4. This increases the size of the message, hence the name of large packets. The second option add an additional certicate to the 4 rd, 5 th and 6 th message displayed in Figure 6.4. This add certicates to gaps in the omission scheme, hence the name of omission gaps. The option to pre-distribute in omission gaps might be be counter intuitive, as this counters the eect of doing certicate omission. Therefore, pre-distribution should not take place in all of the omission gaps but only in a limited amount. 6.7 Privacy of multi-hop distribution Previously dened privacy requirements, see Section 3.3, mention the need to prevent long-term tracking of vehicles or its identities. However, shortterm tracking is needed for the correct working of the V2X safety features especially in regard to having correct and timely location data of nearby vehicles. Using multi-hop pre-distribution, certicates are not only send to vehicles in the direct communication range but possible beyond that as well.

59 58 CHAPTER 6. PRE-DISTRIBUTION OF CERTIFICATES The identity of a vehicle is thus distributed further than without multi-hop pre-distribution and this might aect the privacy as long-term tracking could become possible. 6.8 Pre-distribution using Pseudonyms In previous sections a pre-distribution setup and corresponding settings are described. Not described is the use of pseudonyms when applying predistributing. Pseudonyms can be used to improve the privacy of a vehicle owner, making long-term tracking more dicult. Using pre-distribution in combination with pseudonyms changes some of the settings. For example, it has little eect to pre-distribute a specic certicate, or pseudonym, when the vehicle matching that identity will switch to a new identity in a short time period. After the pseudonym switch, assuming the old identity cannot be switched back to, the earlier distributed pseudonym becomes useless. Pre-distributing the new pseudonym before it is actually being used is an option that can be applied in certicate pre-distribution. 6.9 Utility classes For the pre-distribution of certicates we consider two basic utility classes, namely geographic and temporal pre-distribution. We consider utility classes to be a main characteristic of the pre-distribution strategy that can each have several settings. These utility classes describe what sort of certicates, i.e. neighbors or pseudonyms, are pre-distributed and when this takes place. In this thesis we also consider and analyze a mix of geographic and temporal pre-distribution Geographic pre-distribution Geographic pre-distribution is the utility class that only handles neighbor certicates, while pseudonyms are not considered. It aims at delivering certicates in the region where they are expected. This is for example done by pre-distribution certicates in the direction in which vehicles are driving. When vehicles arrive at their destination the required certicates are already present among neighbors in that area. Neighbor certicates are thus disseminated among one or multiple hops from which vehicles driving into dierent geographic regions can prot from Temporal pre-distribution Temporal pre-distribution is the utility class that also considers pseudonym changes. Whenever vehicles changes their pseudonym, the new pseudonym

60 6.9. UTILITY CLASSES 59 is not known yet among any other vehicle. Because of the switch to a complete new identity the quality of information drops signicantly. In order to circumvent this signicant loss of information, temporal pre-distribution distributes the future pseudonym that a vehicle is going to use. This predistribution of future certicates results in the pseudonym already being known by other vehicles in the network, so upon a pseudonym change it is more likely that neighbors already know the identity of the pseudonym. This results in a lower drop of information quality when the pseudonym change occurs. The future pseudonym changes are distributed only a limited time before the actual pseudonym change in order to minimize the long-term tracking possibilities for attackers, optimize bandwidth usage and optimize the eectiveness of the distribution Mix of geographic and temporal pre-distribution Using one of the above utility classes an attacker might be able to determine which class is used and also might be able to make a distinction between pseudonyms and actual neighbors. Therefore, a combination of geographical and temporal pre-distribution is investigated as the expectation is that this makes it harder for the attacker as he does not know whether a pseudonym or whether a neighbor certicate is being distributed. Mixing the two basic utility classes is achieved by using geographical pre- Geographical Distribution Temporal Distribution Pseudonym Switch 20 beacon cycles Pseudonym Switch time Figure 6.5: Visualisation of the mix scheme for pre-distribution distribution as a base case, and is visualized in Figure 6.5. Temporal predistribution is used whenever a pseudonym change is almost occurring and is done until the actual pseudonym change has occurred. As certicates from neighbours have the same structure as certicates being used as pseudonyms, it is not possible to make a distinction between these certicates. Using this mix scheme it is more dicult for an attacker to make the distinction between certicates and it is more dicult to perform long-term tracking of vehicles. Not only the scheme itself is mixed, but also during the temporal pre-distribution phase neighbors certicates are mixed with pseudonyms. If in the temporal pre-distribution phase only future pseudonyms of the vehicle itself are send, the attacker can observe multiple identical certicates during this time frame and can deduct it is a future pseudonym. Mixing future

61 60 CHAPTER 6. PRE-DISTRIBUTION OF CERTIFICATES pseudonyms with neighbor certicates during the temporal pre-distribution phase prevents this.

62 Chapter 7 Simulation Environment In this chapter an overview is given of the simulation environment used to perform the simulations. Dierent components of this environment are described as well as the specic extensions developed for this research to support pre-distribution. Next, a description of parameters used in the simulations is given followed by an overview of the dierent simulations performed. 7.1 Overview In order to eectively measure our proposed solution we simulated an ad-hoc vehicular network. Simulating is necessary as no real network of vehicles is deployed yet. The environment used for the simulations is based on a number of components as described below. Figure 7.1 provides a high level overview of the dierent systems that are working together in the simulation environment. The basic system is Java in Simulation Time (JiST) [60], which is a Java based discrete-event simulation engine. Scalable Wireless Ad hoc Network Simulator (SWANS)) [61] runs on top of JiST and is meant as general wireless network simulator. To be able to apply this setup to VANETs extensions have been made by the UULM university that provide geographic routing. Extensions by the North Western University includes STreetRAndom Waypoint (STRAW) [62], a street mobility model that is able to dene the infrastructure and movement of vehicles. In order to run automated simulations and to support automatic results gathering the DUCKS execution framework 1 was developed by researchers at the UULM university. 1 Website: 61

63 62 CHAPTER 7. SIMULATION ENVIRONMENT 7.2 JiST Figure 7.1: JIST environment image [5] The general idea of JiST is to introduce virtual time and make use of modern language concepts. All components of the JiST system architecture, depicted in Figure 7.2, are written in pure Java and the advantages of the Java language, such as reection, interfaces and libraries, are thus available. The Figure 7.2: JiST system architecture [5] Java source les are compiled with the regular Java compiler. The bytecode rewriter modies the compiled classes to run over a simulation kernel and to introduce simulation time semantics. Virtual time progresses independently of the program progress and can be explicitly advanced via JistAPI.sleep(). The entire simulation is run over a standard and unmodied JJava virtual machine (JVM). In Listing 7.1 a simple example of a simulation is given which increases a counter at each virtual time increment. The call to myevent on line 15 is recursive and running this example without the JiST runtime produces