A broadcast protocol with drivers anonymity for vehicle-to-vehicle communication networks

Int. J. Vehicle Information and Communication Systems, Vol. 2, Nos. 1/2,

Nader Mazen Rabadi and Syed Masud Mahmud*
Electrical and Computer Engineering Department, Wayne State University, 5050 Anthony Wayne Dr., Detroit, Michigan 48202, USA
Email: nrabadi@wayne.edu
Email: smahmud@eng.wayne.edu
*Corresponding author

Abstract: In Vehicle-to-Vehicle (V2V) communication networks, vehicles broadcast their safety-critical information to alert nearby vehicles of possible collisions. It is necessary to provide secure wireless communications for V2V safety applications to prevent unauthorised entities from tampering with the broadcast data. A Certificate Authority (CA) can provide trust and secure communications among drivers in V2V networks. However, the disclosure of drivers' unique public keys from their certificates will allow unauthorised entities to trace drivers' movements and locations they visit. Revealing such information without consent from drivers is a violation of their privacy. In this paper, we propose a broadcast protocol for V2V safety applications that provides anonymity for drivers. In our scheme, drivers frequently change their public keys using the digital signature algorithm. The CA is not required to authenticate the generated public keys. The recipients of a signed message can verify the correctness of the signature without identifying the signer.

Keywords: anonymity; authentication; DSA; digital signature algorithm; V2V networks; vehicle-to-vehicle networks.

Reference to this paper should be made as follows: Rabadi, N.M. and Mahmud, S.M. (2009) A broadcast protocol with drivers' anonymity for vehicle-to-vehicle communication networks, Int. J. Vehicle Information and Communication Systems, Vol. 2, Nos. 1/2, pp.

Biographical notes: Nader Mazen Rabadi has been working as an Embedded Software Engineer in the automotive and the electric metering industries, since He received his BSc degree in Electrical and Computer Engineering from Philadelphia University, Amman, Jordan, in 1996, MSc degree in Computer Engineering from Wayne State University, MI, USA, in 1998 and PhD degree in Computer Engineering from Wayne State University in His research interests include security and anonymity in vehicle-to-vehicle and wireless communication networks, medium access control protocols, and intelligent transportation system technologies and applications.

Syed Masud Mahmud is currently an Associate Professor at Electrical and Computer Engineering Department, USA. He received his PhD degree in Electrical Engineering from the University of Washington, Seattle, USA, in Since 1988, he has been with Wayne State University, Detroit, MI. During the last 20 years, he has been working in the areas of hierarchical multiprocessors, hierarchical networks, performance analysis of computer systems, digital signal processing, embedded systems, in-vehicle networking, performance analysis of networking protocols, secure wireless communications, and privacy protected inter-vehicle communications and simulation techniques. He has published over 100 peer-reviewed journal and conference proceeding papers.

Copyright 2009 Inderscience Enterprises Ltd.

1 Introduction

With the aid of Intelligent Transportation System (ITS) technologies, future vehicles will be able to communicate wirelessly with each other, and form Vehicle-to-Vehicle (V2V) communication networks (Intelligent Transportation Society of America, 2007; Intelligent Transportation Systems US Department of Transportation, 2007). In V2V networks, vehicles broadcast their safety-critical information such as speed, acceleration, heading and position to nearby vehicles. Receiving vehicles will process such information and provide visual and audible alerts to their drivers to take preventive measures and avoid collisions. V2V communication networks will utilise the new Dedicated Short Range Communications (DSRC) (ASTM, 2003) at 5.9 GHz. A comprehensive list of vehicle safety applications that are enabled by DSRC was compiled (National Highway Traffic Safety Administration US Department of Transportation, 2005). More than 75 application scenarios were identified and analysed such as intersection-collision avoidance, rear-end collision avoidance and post-crash warning system. These safety applications require a high processing speed, low communication latencies and short message lengths.

It is essential to provide secure communications among vehicles in V2V networks. Vehicles that are participants in V2V networks should be able to authenticate each other and verify the integrity of the safety-critical information. Unauthorised entities to the network can masquerade as trusted participants in V2V networks and can broadcast inaccurate safety-critical information to other vehicles. Furthermore, they can tamper with the contents of the broadcasted messages and retransmit inaccurate information to vehicles on the road.

The challenges of authentication and data integrity in V2V networks can be solved using cryptographic public-key algorithms, digital signatures and Public Key Infrastructure (PKI). A level of trust between users of public keys deemed necessary to establish the public-key certification infrastructure. PKI relies on trusted third-party Certificate Authorities (CA) to verify and authenticate the validity of users involved in secure communications. The CA issues a certificate for endorsing the user's public key. One of the well-known certificate formats is the standard public key certificate framework X.509. The certification is a process of binding a public key to its owner. The certificate contains information about the identity of the holder, the validity period, the certificate issuer name, the encryption method used by the CA and the digital signature of the certificate signed by the CA.

Figure 1 shows our proposed in-vehicle network architecture. Vehicles will be equipped with a DSRC Electronic Control Unit (ECU) that handles the transmission and reception of messages containing safety-critical information. In order to transmit a message, several ECUs inside a vehicle, such as GPS, compass, brake and speed ECUs, collect data from the vehicle's sensors about its position, direction, deceleration and speed, respectively. Nowadays, vehicles have an internal network communication bus, such as the controller area network, which connects these ECUs together. The collected data are then sent through the vehicle's internal network communication bus to a Crypto ECU. We assume there is a Crypto ECU that is connected to the internal network communication bus. The Crypto ECU assembles these data into a message and performs the necessary cryptographic algorithms and protocols on this message to produce a cipher-text message. Then it sends the cipher-text message to the DSRC ECU, which in turn broadcasts the message to nearby vehicles. Similarly, when the DSRC ECU receives a cipher-text message, it forwards the message to the Crypto ECU. The Crypto ECU performs the necessary cryptographic algorithms to authenticate and validate the integrity of the cipher-text message and extracts from it the plain-text message. Then, the Crypto ECU forwards the plain-text message to the Driver Information ECU for evaluation and for issuing audible and warning messages to the driver if necessary.

The Crypto ECU will also have the driver's certificate that is issued by the CA. When a vehicle is ready to broadcast a message that includes its safety-critical information, the Crypto ECU includes the driver's certificate in the message as well. Vehicles that receive the broadcasted message authenticate the transmitter using the included certificate. Accordingly, the transmitter's public key will be revealed to other drivers and to any unauthorised entities listening to the communication channel. Since a public key is bound to its owner, the disclosure of the driver's unique public key from the driver's certificate will allow unauthorised entities to trace driver's movements and locations this driver visits. Revealing such information without consent from the driver is a violation of the driver's privacy. If an algorithm is used to keep the identity of drivers anonymous, then it may not be easy to identify the source that sent forged information or that caused accidents.

In this paper, we propose a broadcast communication protocol for V2V safety applications that provides drivers with anonymity, message authentication and data integrity. The main goal of this work is to preserve drivers' anonymity from any unauthorised entities listening to the channel during the broadcast of safety-critical messages. The unauthorised entities may include other drivers, attackers and adversaries to the V2V network. As we describe later in this paper, CA, law enforcement agencies or legal authorities may identify drivers in case of disputes and emergencies. We would like to emphasise again that the main goal of this paper is not to preserve the anonymity of drivers from legal authorities including the CA.

The rest of the paper is organised as follows. In Section 2, we review the related works. In Section 3, we discuss our motivation and contributions in this paper. In Section 4, we present the security framework for designing our proposed protocol. In Section 5, we describe our proposed protocol. In Section 6, we discuss the anonymity and security analysis. In Section 7, we discuss the key management in our protocol. In Section 8, we present the performance analysis of our protocol. Finally, we conclude the paper in Section 9.

2 Related work

There are several papers that pointed out the importance and necessity of protecting the privacy of drivers (El Zarki et al., 2002; Holtmanns, 2002; Brode et al., 2004; Raya and Hubaux, 2005). Current and future drivers may use mobile commerce services in their vehicles for safe and efficient driving. Such services include emergency roadside assistance, navigation information, email, automatic toll payment and pay-for-use rental and insurance. These services may collect information about the location of vehicles, personal health information of drivers and the behaviour of the drivers. Duri et al. (2004) and Bohrer et al. (2003) proposed a framework in which drivers can choose the amount of disclosed personal information to these services. Service providers can provide drivers with several policies with different degrees of protecting the privacy of disclosed personal information. The higher the degree, the more expensive the policy is. Gollan and Meinel (2002) addressed the problem of data privacy when utilising GPS devices. They suggested that if a consumer owns a vehicle, the consumer must have the option to switch off the location service or to give consent every time the service is used.

Hubaux et al. (2004) proposed that authorities must provide each vehicle with a private/public key pair, along with a shared symmetric key. Vehicles authenticate each other via authorities. They argued that the public would accept and agree to trace their movements for the sake of improved safety. However, the authors suggested a scheme to protect user's privacy. The certified public keys must be pseudonyms that change over time. Only authorities should be able to determine the relationship between a pseudonym and its real identity.

Blum and Eskandarian (2004) described their work of building a Secure Communication Architecture (SecCar) for use with V2V networks. SecCar will be able to detect security attacks, continue operations under attacks, restore the system's functionality after an attack and lock out malicious users to prevent further attacks. The architecture is based on PKI and digital signatures. In SecCar architecture, an authentication service can discover the identity of malicious users, while preserving the privacy of all other users. They also proposed to use a virtual network infrastructure where vehicles serve as the infrastructure. The authors proposed that this virtual network would provide security and scalability in V2V networks where infrastructure does not exist. Vehicles of virtual networks would provide access control and guarantee message delivery.

Sampigethaya et al. (2005) proposed a scheme, named CARAVAN, to protect the drivers' location privacy. Each vehicle in their scheme is pre-loaded with a set of pseudonyms, a pair of public/private keys and a corresponding public key certificate for each pseudonym. All communications from a vehicle must contain one of its pseudonyms to avoid traceability. Only the trusted authority has the association between a vehicle's pseudonyms and the identity of the vehicle's owner. They also proposed a silent period between two consecutive transmissions to avoid linkability. Furthermore, their scheme relies on vehicles to form a group among each other. When a group of vehicles have the same driving conditions on the road, then according to the authors, it is sufficient for one of the vehicles to communicate with the trusted authority on behalf of other members. The reason behind forming this group is to provide privacy of drivers even while communicating with trusted authorities. A group leader has the role of communicating with a trusted authority infrastructure to obtain a symmetric key for one of the group member. This symmetric key will be used by the member of the group with the trusted authority.

Papadimitratos et al. (2006) and Raya et al. (2006a, 2006b) discussed a set of security requirements for V2V networks; such as message authentication and integrity, message non-repudiation, entity authentication, access control, message confidentiality, privacy and anonymity, network availability and liability identification. They also proposed a system and communication model for securing V2V and Vehicle-to-Infrastructure (V2I) networks. The authors discussed the use of anonymous public keys in V2V networks that are frequently changed depending on a vehicle's speed. They also discussed the use of symmetric keys to reduce the cryptographic overhead. They proposed that vehicles can form a group and a group leader distributes to its members a symmetric key using the Group Key Management Protocol GKMP (Harney and Muckenhirn, 1997).

Several secure protocols were proposed for mobile users in wireless networks (Papadimitratos and Haas, 2003; Zhu et al., 2004; Zhou et al., 2005). These protocols assume the existence of a key-management system or public-key certification infrastructure. Capkun et al. (2004) presented a Dynamic Public Key scheme to protect anonymity and location privacy. Their approach is based on frequently changing node's cryptographic keys, which enable users to avoid being identified by locations they visit. The network operator has access to locations and identifiers of registered mobile users. Each node has public/private key pairs and certificates signed by the CA. Key pairs can be generated either by the node or by the CA. Then, using the public/private key, each node establishes symmetric secret keys with its neighbours. Each time a node changes its public/private key pair, the CA authenticates the new pair. Then, this node establishes new symmetric keys with its neighbours. This approach is efficient but requires a high communication cost between the central authority and mobile users to certify new generated keys. Furthermore, it requires an additional communication cost to establish new symmetric secret keys with neighbours.

Zhu and Ma (2004), Asokan (1994), Samfat and Molva (1994), Askwith et al. (1997) share a similar approach in proposing an authentication scheme with anonymity. The approach is based on issuing a temporary certificate to a mobile user. First, the user registers at a Local Certificate Authority (LCA) and obtains a smart card that contains the identity of the LCA. When a user enters an area where the LCA is not available, the user has to establish a secure link with an available CA, called Remote Certificate Authority (RCA). The RCA will authenticate the user through the LCA via routers using the user's smart card. If the RCA authenticates the user successfully, then the RCA issues a temporary certificate to the user. This temporary certificate can then be used when exchanging messages in V2V networks. Similarly, this approach requires a high communication cost and additional processing time between several central authorities and mobile users to certify the temporary certificate.

There are several research works that deal with anonymity of users. These works are based on the concept of group signatures (Chaum and van Heyst, 1991). Users are organised into groups. A group member signs messages anonymously on behalf of the group. Recipients of a signed message can verify the correctness of the signature without identifying the signer. In case of a dispute, the identity of the member who signed the disputed message can be revealed only by a designated entity (e.g. CA). Several group signatures have been proposed (Ateniese et al., 2000; Bresson and Stern, 2001; Song, 2001; Ateniese and Tsudik, 2002; Goh and Jarecki, 2003; Popescu et al., 2003; Boneh et al., 2004; Camenisch and Groth, 2005). All these research works are proved secure under certain theoretical assumptions such as strong RSA assumption and strong Diffie-Hellman assumption. The basic operation of these works is the transformation of a secure honest-verifier zero knowledge protocols into digital signatures using the Fiat-Shamir heuristic (Fiat and Shamir, 1987). These group signatures are computationally intensive and produce long signatures.

3 Motivation and contribution

3.1 Motivation

In V2V networks, it is necessary to provide low-latency and secure communication protocols with minimum processing time, while preserving the anonymity of drivers. Furthermore, every broadcast message will be signed by its transmitter to support source authentication and data integrity. According to Boneh et al. (2004), there is a hard requirement that the length of each signature be under 250 bytes. As we discussed in the previous section, the related work utilise the infrastructure CA frequently in request for a new pair of private/public key. Furthermore, new symmetric keys have to be established with nearby users in order to complete the authentication process. Their approaches require additional communication cost and processing time to V2V networks. Furthermore, the research works that proposed group signatures have not been standardised and not been proved its applicability in wireless mobile applications such as V2V safety applications. Although these works in group signatures are secure, there are two disadvantages to V2V networks. First, the processing speed is very slow. Second, the size of digital signatures generated by these research works is too long. However, Boneh et al. (2004) proposed a group signature that generates a signature of length ~192 bytes. In this paper, we were motivated to provide anonymity for drivers with a signature length less than 192 bytes. Furthermore, we were motivated to reduce the communication cost between vehicles and the infrastructure CA.
3.2 Contribution

In this paper, we propose a broadcast protocol that provides drivers with anonymity, message authentication and data integrity using the Digital Signature Algorithm (DSA). The length of the signature in DSA is 40 bytes. Thus, compared with the work of Boneh et al. (2004), we improve the message signature overhead by 152 bytes (79%). Drivers generate and change their own set of public keys frequently using the DSA. Unlike previous works (Asokan, 1994; Samfat and Molva, 1994; Askwith et al., 1997; Capkun et al., 2004; Zhu and Ma, 2004; Zhu et al., 2004; Zhou et al., 2005), in our approach the CA is not required to authenticate the frequently generated public keys. When a driver changes its own public keys, it is hard to trace driver's movements and locations that driver visits. Recipients of a signed message can verify the correctness of the signature without identifying the signer. In case of a dispute and malicious activities, the identity of the driver who signed the disputed message can be revealed only by the CA. In our proposed protocol, we avoided the additional communication cost and processing time that previous related works have. We also prove in Sections 5 and 6 that the DSA can be used to provide anonymity and security for drivers in V2V networks. We also discuss in Section 7 key management and propose a communication protocol between vehicles and the CA for updating the required keys when the validity period of keys expires. Finally, we compare our protocol with the previous related works in group signatures.

4 Security framework

The main objective of this work is to build a secure communication broadcast protocol that is based on two existing technologies: (1) tamper-resistant hardware and (2) the standardised DSA.

4.1 Tamper-resistant hardware

The National Institute of Standards and Technology (NIST) (which is an agency of the US Department of Commerce) publish standards recommending practices for securing information and media. The standards are called the Federal Information Processing Standards (FIPS) publications. These are issued by NIST after approval by the Secretary of Commerce. One of the standards is FIPS (National Institute of Standards and Technology, FIPS PUB 140-2, 2001) which defines security requirements for cryptographic modules. A cryptographic module is a set of hardware, software or both that implements cryptographic algorithms and key generation. FIPS was developed by a US government and industry working group. The working group identified 11 requirements for cryptographic modules to conform to the standard, and four security levels for each of the 11 requirements. These security levels provide cost-effective solutions for different applications and data protection. Beginning with Level 0, each security level is an increase in security requirements over the preceding level. The requirements also refer to the Over-The-Air-Rekeying (OTAR) (New Technology Standards Project, OTAR protocol, 1996) protocol, if key generation and delivery over the air is desired between a management entity (e.g. a CA) and a mobile node.
A brief representation of the 11 requirements and the four security levels is described next. For detailed and complete descriptions of these requirements and their security levels, we refer the reader to FIPS.

4.1.1 Requirements for a cryptographic module

Requirement 1: Cryptographic module specification. It describes the components of a cryptographic module; hardware, software, firmware and security algorithms. It also specifies what the vendor of a cryptographic module should document in terms of the operation of each component, hardware schematics and software requirements.

Requirement 2: Cryptographic module ports and interfaces. It describes logical interfaces to a cryptographic module; specifies requirements for data input interface, data output interface, control input interface, status output interface and power interface.

Requirement 3: Roles, services, and authentication. It describes specifications for a cryptographic module to identify and authenticate its users: a role- or identity-based authentication. It describes also services that a cryptographic module should provide to its users such as status indicators, self-testing and security algorithms.

Requirement 4: Finite state model. It describes specifications for a cryptographic module to operate in a finite state model. The requirement specifies that a cryptographic module should have operational and error states and should specify the transition from one state to another and the inputs and outputs for each state.

Requirement 5: Physical security. It describes specifications on how to protect a cryptographic module from physical security attacks. It also describes the specifications for a cryptographic module to operate under a range of environmental condition such as voltage and temperature. A cryptographic module should provide assurance that its security cannot be compromised if an attacker applies extreme environmental conditions that reveals the contents of a cryptographic module.

Requirement 6: Operational environment. It describes specifications on using an operating system in a cryptographic module.

Requirement 7: Cryptographic key management. It describes specifications on the mechanisms for generating random numbers, generating keys, establishing keys, storage of keys and erasure of keys.

Requirement 8: Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC). It describes specifications for a cryptographic module to comply with a standard EMI/EMC.

Requirement 9: Self-tests. It describes specifications on the mechanisms for self-testing the security algorithms used in a cryptographic module, and testing the integrity of its firmware to ensure that the module is working and functioning as required.

Requirement 10: Design assurance. It describes specifications on methods, processes and best practices to ensure that the requirements, designs, implementation and testing of a cryptographic module is well documented and that the module is properly designed, developed, tested, delivered and installed at the user's location.

Requirement 11: Mitigation of other attacks. It describes specifications for mitigation of security attacks that this FIPS document did not provide testable security requirements at the time it was published.

4.1.2 Security levels of a cryptographic module

Security Level 1: It is the lowest level of security. In this level, at least one approved security algorithm [National Institute of Standards and Technology FIPS PUB (2007), Annex A] shall be used in a cryptographic module.

Security Level 2: It provides an increase in security over Level 1 by adding a physical security mechanism to a cryptographic module. This increase in security shall be accomplished by adding the requirement for a tamper-evidence mechanism. For example, the use of tamper-evident coatings or seals are placed on a cryptographic module in such a way that to gain physical access to the module and to access its plaintext cryptographic keys and parameters, the coating or seal must be broken. In addition to the physical security mechanism, Security Level 2 requires the cryptographic module to authenticate the authorisation and role of its operator to perform a corresponding set of security services.

Security Level 3: It provides an increase in security over Level 2 in tamper-evident physical security mechanisms. Security Level 3 requires the cryptographic module to have a high probability of detecting tampering and physical access, and is required to use a tamper detection/response circuitry that clears all plaintext secret keys if the tamper-evident mechanisms are broken. Security Level 3 also enhances the role-based authentication of Security Level 2, by using identity-based authentication mechanisms. A cryptographic module authenticates the identity of an operator in order to perform a corresponding set of security services. Security Level 3 also requires storing or reading plaintext keys from a cryptographic module to be performed on dedicated interfaces or ports that are not shared with any other data. Plaintext private keys may be entered into or output from the cryptographic module in encrypted form.

Security Level 4: It is the highest level of security defined in the standard. In this level, the cryptographic module has a very high probability to detect all unauthorised attempts to access its contents resulting in the immediate erasure of all plaintext private keys and security parameters. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments. In addition, Security Level 4 protects a cryptographic module against environmental conditions or fluctuations outside its normal operating range that can compromise its security. An attacker can apply intentional fluctuations of voltage and temperature beyond the normal operating ranges of the cryptographic module to thwart its security defences. Thus, Security Level 4 requires the use of special environmental protection features designed to detect fluctuations and erase the contents of the cryptographic module.

A list of validated cryptographic modules against FIPS can be found at the NIST Cryptographic Module Validation Program (CMVP) website (National Institute of Standards and Technology, CMVP, 2008).

Nowadays, smart cards (Smart Card Alliance, 2007) are used worldwide for authentication for many applications. A hardware device, such as a smart card, that contains cryptographic keys and algorithms is considered secure if it has the following properties (Gennaro et al., 2004): (1) read-proof hardware: that is, a hardware device that prevents an attacker from reading anything about its contents; (2) tamper-proof hardware: that is, a hardware device that prevents an attacker from changing its contents and (3) self-destructing capability: that is, a hardware device that can destroy its contents if an attacker tries to access it. In this paper, we refer to the hardware device that meets the security requirements and properties that are described in this section as a tamper-resistant hardware. The Crypto ECU that is shown in Figure 1 is assumed to be a tamper-resistant hardware that meets Level 4.

Figure 1 A set of ECUs connected through a vehicle's internal communication bus

4.2 Digital signature algorithm

Digital signature algorithm is an algorithm used only for digitally signing messages. The NIST proposed it for use in their digital signature standard. The algorithm uses the following parameters:

p: a 1024-bit prime number
q: a 160-bit prime divisor of $p - 1$, where < q <
x: a randomly generated number less than q
H(m): a one-way hash function of message m
h: a number less than $p - 1$ such that $h^{(p-1)/q} \bmod p > 1$.

Then,

$g = h^{(p-1)/q} \bmod p$ (1)

$y = g^{x} \bmod p$. (2)

The public keys are p, q, g and y. The private key is x. To sign a message, m, a user generates a random number k less than q. The parameter k must be regenerated for each signature. Then the user computes $r = (g^{k} \bmod p) \bmod q$ and $s = (k^{-1}(H(m) + x r)) \bmod q$. The signature is (r, s). To verify the signature, compute $w = s^{-1} \bmod q$, $u_1 = (H(m)\, w) \bmod q$, $u_2 = (r\, w) \bmod q$ and $v = ((g^{u_1} y^{u_2}) \bmod p) \bmod q$. If v = r, then the signature is verified.

5 Proposed protocol

In this section, we describe our proposed protocol to preserve the anonymity of drivers in V2V networks. Our proposed protocol consists of four procedures: (1) generating membership keys and certification, (2) signing messages, (3) verifying messages and (4) opening messages. The following is a description of these four procedures.

5.1 Generating membership keys and certification

Let $G = \{G_1, G_2, \ldots, G_n\}$ be a set of n groups of vehicles, and let $G \in G$. Let $M = \{M^{1}, M^{2}, \ldots, M^{m}\}$ be a set of m vehicles in G and let $M \in G$. The CA randomly arranges registered vehicles into groups in its secure database and generates two sets of keys:

First set of keys: The CA uses DSA to generate a set $P = \{G_1(p_1, q_1), G_2(p_2, q_2), \ldots, G_n(p_n, q_n)\}$ of n distinct pair of public keys. Each pair of public keys $(p, q) \in P$ is certified by the CA. Then, from a pair of public keys (p, q), the CA uses the DSA to generate a set $X = \{M^{1}(x^{1}), M^{2}(x^{2}), \ldots, M^{m}(x^{m})\}$ of m distinct private keys, where $X \in X = \{X_1, X_2, \ldots, X_n\}$. The CA maintains in its secure database the set X and its associated pair of public keys (p, q). Figure 2 shows a database of the n distinct pair of public keys in set P and their m distinct private keys in set X.

Second set of keys: The CA uses DSA to generate a set P = { G1 ( p 1, q 1, g 1, y 1, x 1), G2 ( p 2, q 2, g 2, y 2, x 2), …, Gn ( p n, q n, g n, y n, x n) } of n distinct groups of public and private keys. Each group of public and private keys $(p, q, g, y, x) \in P$ is certified by the CA. Figure 2 shows the CA's database that contains all the necessary keys.

Before participating in V2V networks, each driver applies for a certificate from the CA. The CA associates the driver's vehicle to a group $G \in G$, and allows the driver's vehicle to be a member $M \in G$.
Assume a secure communication channel between the CA and a tamper-resistant hardware. Then the CA stores inside the tamper-resistant hardware of M two sets of keys: the first set of keys (p, q, x) and the second set of keys (p, q, g, y, x). The CA securely installs the tamper-resistant hardware inside the driver's vehicle, M. Vehicle M is now ready to participate in V2V networks. Figure 3 shows the assignment of the first and second set of keys among three groups of vehicles, where each group has four vehicles.

Figure 2 The distribution of DSA keys in a database where the private keys $\{x^{1}, x^{2}, \ldots, x^{m}\}$ are associated with a pair of public keys (p, q) and the second set of keys (p, q, g, y, x)

Figure 3 The distribution of keys to members of V2V network by a CA

13 A broadcast protocol wth drvers anonymty Sgnng messages To protect the anonymty of drvers, each vehcle wth a tamper-resstant hardware that s provded by the CA can sgn messages usng the DSA. The followng three theorems provde the bass for our proposed anonymty protocol that uses the DSA. Theorem 1 states that the generated publc keys that are used to sgn messages by a vehcle are dstnct. Hence, the anonymty of drvers s protected by these dstnct publc keys. Theorem 2 states n general that t s suffcent to choose a resdue from a range of values n a set of rth root resdues modulo n. Ths theorem provdes us wth a condton to generate dstnct publc keys. Therefore, Theorem 3 apples Theorem 2 to our proposed anonymty protocol that uses the DSA to generate dstnct publc keys. Theorem 1: For a gven par of DSA publc keys ( p, q ) for M G, M generates q,1,2 q, dstnct publc keys {,, } g g g. ( p 1)/ q Proof: Accordng to DSA, let g h mod p for 1 < h ( p 1) By the defnton ( p 1)/ q of the Order of a Group, the group of h s an order q subgroup of h snce q s ( p 1)/ q q ( p 1)/ q q p 1 the least nteger satsfyng ( h ) 1mod p, where ( h ) mod p = h mod p = 1 by Fermat s Lttle Theorem. Hence, the q subgroup h generate q dstnct,1,2 q, g, g,, g. It can also be concluded that the polynomal publc keys { } ( p 1)/ q h kp = g, for some ntegers k, has ( p 1)/ q roots for 1 < h ( p 1). ( p 1) Hence, the number of dstnct g equals to = q. ( p 1)/ q Defnton 1: Let nteger n > 1. For a r x mod n for some n * n a Z, a s called rth root resdue modulo n f x Z. The set of rth root resdues modulo n s denoted by RR n. r Theorem 2: For a prme number p, the relatonshp RRp = { x mod p 0 < x ( p 1)/2} holds f r s an even number. Proof: Assume an nteger a RR such that a x r mod n for some x ( p 1)/2. p ( p + 1) Assume that x > (p 1)/2, then p x < (p + 1)/2. Ths mples that p x 1 and 2 p x ( p 1)/2 for a prme nteger p. Let a' (p x) r mod p. 
Using the binomial formula, we get the following:

$$a' \equiv (p-x)^r \bmod p \equiv p^r + r p^{r-1}(-x) + \frac{r(r-1)}{2!} p^{r-2}(-x)^2 + \frac{r(r-1)(r-2)}{3!} p^{r-3}(-x)^3 + \cdots + (-x)^r \bmod p.$$

Since $p \bmod p = 0$, $a' \equiv (p-x)^r \bmod p \equiv (-x)^r \bmod p$. If $r$ is an even number, then $a' \equiv (-x)^r \bmod p$, which is also equal to $a$. Hence, $RR_p = \{x^r \bmod p \mid 0 < x \le (p-1)/2\} = \{x^r \bmod p \mid (p-1)/2 < x \le (p-1)\}$.

Theorem 3: For a given pair of DSA public keys $(p, q)$ for $M \in G$, the public key $g$, generated by the vehicle, satisfies the relation $g \in RR_p = \{h^{(p-1)/q} \bmod p \mid 0 < h \le (p-1)/2\}$.

Proof: According to DSA, the public key $p$ is a prime modulus and the public key $q$ is a prime divisor of $p - 1$. Then, $(p-1)/q$ is an even number. Hence, by Theorem 2, we get $g \in RR_p = \{h^{(p-1)/q} \bmod p \mid 0 < h \le (p-1)/2\}$. In other words, to generate the public key $g$ it is sufficient to choose $1 < h \le (p-1)/2$ since the same $g$ will also be generated for $(p-1)/2 < h \le (p-1)$.

Therefore, the tamper-resistant hardware stored in the driver's vehicle $M$ uses DSA and the keys $(p, q, x)$ that are obtained from the CA to generate its own set of public keys $Y = \{(y^{,1}, g^{,1}), (y^{,2}, g^{,2}), \ldots, (y^{,q}, g^{,q})\}$ from (2). The pair $(y^{,z}, g^{,z}) \in Y$ (where the index $z = 1, 2, \ldots, q$) and $x$ are the public keys and private key of the vehicle $M$, respectively. When the tamper-resistant hardware frequently generates a different pair of public keys $(y^{,z}, g^{,z})$, it is made hard to associate those public keys to a driver and trace locations the driver visits. We show in Section 6 the anonymity and security analysis of our protocol. If a generated pair of public keys $(y^{,z}, g^{,z})$ is constant and never changes, i.e. $Y = \{(y^{,1}, g^{,1}) = (y^{,2}, g^{,2}) = \cdots = (y^{,q}, g^{,q})\}$ as with the standard DSA, then this pair of public keys is always bound to its owner, the driver. As a result, it would be easy to trace this individual driver.

After generating the keys, the tamper-resistant hardware uses DSA to generate a signature $Sig_1(msg)$ on message msg. The message msg contains DATA $y^{,z}$ $g^{,z}$ $p$ $q$ TimeStamp (where denotes concatenation). The transmitted DATA contains the safety-critical information of the transmitting vehicle. We use TimeStamp in signatures to protect the protocol from replay attacks. The public keys $(y^{,z}, g^{,z}, p, q)$ are transmitted in plaintext for use by the receiving vehicle to verify the received signature.
Since $(y^{,z}, g^{,z})$ are generated by $M \in G$ and are not certified by the CA, an unauthorised entity listening to the network channel can obtain the public keys $(p, q)$ and then generate an arbitrary set of keys $(y^{,z}, g^{,z}, x)$ such that (2) is satisfied. Therefore, this unauthorised entity can generate a valid signature but with forged information. Consequently, the receiving vehicle will successfully verify and authenticate the received forged information. In addition, the association between the pair of public keys $(p, q)$ and private keys $X = \{M^1 x^1, M^2 x^2, \ldots, M^m x^m\}$ that the CA maintains in its secure database will no longer be valid. To protect our protocol from this attack, the tamper-resistant hardware signs the signature $Sig_1(msg)$ using the second set of keys $(p, q, g, y, x)$. Signing the signature using the second keys ensures the authenticity of the transmitted message since all keys

of the second set are certified by the CA. As shown in Figure 4, the message to be broadcasted to other vehicles is Tx = msg $Sig_1(msg)$ $Sig_2(Sig_1(msg)\ msg)$, where msg = DATA $y^{,z}$ $g^{,z}$ $p$ $q$ $p$ $q$ $g$ $y$ TimeStamp.

Figure 4 The sign procedure by the member $M \in G$ on msg using the DSA and the keys $(y^{,z}, g^{,z}, p, q, x)$ and $(p, q, g, y, x)$

5.3 Verifying signatures

The receiving vehicle with a tamper-resistant hardware provided by the CA applies the DSA verification algorithm to verify the signatures $Sig_2(Sig_1(msg)\ msg)$ and $Sig_1(msg)$, as shown in Figure 5. If the DSA verification passes, then the receiving vehicle accepts this message and its contents. The message and its signature are stored in the tamper-resistant hardware of the receiving vehicle for use by the CA to open the signature, if it is needed, as explained next.

Figure 5 The verify procedure using the DSA verification and the keys $(y^{,z}, g^{,z}, p, q)$ and $(p, q, g, y)$

5.4 Opening signatures

By storing incoming messages inside a tamper-resistant hardware in the receiving vehicle, the CA can identify malicious members as follows. The CA obtains from the stored message, msg, the public keys $(y^{,z}, g^{,z}, p, q)$. Then the CA gets from its database the set of private keys $X = \{M^1 x^1, M^2 x^2, \ldots, M^m x^m\}$ that is associated with group public keys $(p, q)$. For each private key in set $X$, the CA applies (2) using $(y^{,z}, g^{,z}, p)$. The private key, $x$, that gives $Y \equiv (g^{,z})^{x} \bmod p$ equals to $y^{,z}$ identifies the vehicle that transmitted the message msg. Otherwise, the CA applies the next private key to this process until a key is identified.

6 Anonymity and security analysis

6.1 Anonymity and unlinkability

Unlinkability is a property that must be met in communication protocols that provide anonymity. Signatures are unlinkable if it is computationally hard to decide whether any two different signatures have been computed and produced by the same person (Ateniese and Tsudik, 2002; Popescu et al., 2003). Assume in our protocol that $M$ generates two signatures: (1) signature (r, s) using $(y^{,1}, g^{,1}, p, q, x)$, and then signing (r, s) using $(p, q, g, y, x)$. (2) Signature ( rs, ) using $(y^{,2}, g^{,2}, p, q, x)$, and then signing ( rs, ) using $(p, q, g, y, x)$. Linking the two signatures (r, s) and ( rs, ), and their public keys $(y^{,1}, g^{,1}, p, q, x)$ and $(y^{,2}, g^{,2}, p, q, x)$, respectively, is possible if an attacker can decide from (2) that $\log_{g^{,1}}(y^{,1}) = \log_{g^{,2}}(y^{,2}) = x$. In order for the attacker to solve $\log_{g^{,1}}(y^{,1})$ or $\log_{g^{,2}}(y^{,2})$ to find $x$, it is generally believed that solving this discrete logarithm problem is computationally hard. Since the private key is unknown and cannot be computed, then it is computationally hard from (2) to bind the public keys $\{g^{,1}, g^{,2}, \ldots, g^{,q}\}$ and $\{y^{,1}, y^{,2}, \ldots, y^{,q}\}$ to $M \in G$. Hence, it is difficult to link the signature (r) to ( r ) since r r. The use of the pair of public keys $(p, q)$ does not bind the two signatures to $M \in G$ since this pair binds to all members $M = \{M^1, M^2, \ldots, M^m\}$ in $G$.
Furthermore, it should be computationally hard to find two messages $m_1$ and $m_2$ such that their hash functions are equal, i.e. $h(m_1) = h(m_2)$. This property of hash functions is referred to as collision resistance. Therefore, linking the two signatures (s) and ( s ) is also difficult since $k_1 \ne k_2$, $h(m_1) \ne h(m_2)$ and r r (where $k_1$ and $k_2$ are two random numbers used in DSA to generate signatures as described in Section 4).

Recall also that signatures (r, s) and ( rs, ) are then signed using DSA with keys $(p, q, g, y, x)$. Those keys are certified by the CA and do not bind to a single $M \in G$. Those keys bind to all members $M = \{M^1, M^2, \ldots, M^m\}$ in $G$. Therefore, signatures in our proposed protocol are anonymous and unlinkable.

6.2 Security

The security of our proposed protocol relies on the difficulty of solving the discrete logarithm problem and on the security of the DSA. Pointcheval and Stern (2000) proved the security of a large class of known signature schemes, such as Schnorr Signature, in the random oracle model (Bellare and Rogaway, 1993). They proved that signature schemes are resistant to adaptive chosen-message attack. That is, it is computationally hard to find the private key from signatures. Since the DSA is a variant of Schnorr Signature and since the DSA matches the definition of a signature scheme in Pointcheval and Stern (2000), then the DSA is secure in the random oracle model.

Our proposed protocol is a broadcast one and not a handshake protocol. The main security threat to our protocol is the replay attack. Our assumption of using time stamps and accurate time synchronisation among vehicles in V2V networks guarantees operation against replay attacks. Other security attacks such as reflection attack or man-in-the-middle attack do not pose a threat in our protocol since those attacks require a mutual authentication or a handshake protocol.

We also pointed out in Section 5 that a masquerade attack is possible if an attacker obtains the public keys $(p, q)$ and then generates an arbitrary set of keys $(y^{,z}, g^{,z}, x)$ such that (2) is satisfied. However, the same attacker needs also the second set of certified keys $(p, q, g, y, x)$ in order to complete the signature process and the attack. Since only the private key $x$ is unknown, by means of the secure DSA, the attacker cannot masquerade as a participant to V2V networks and generate a signature.
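The signing, verification (Section 5.3) and opening (Section 5.4) procedures, together with the replay and masquerade checks discussed in Section 6.2, as an added Python sketch that is not the authors' code. It assumes toy-sized primes found at run time, SHA-256 as the DSA hash, a `|`-joined text encoding in place of the paper's concatenation, a receiver that already holds the certified public keys, and hypothetical names throughout (`setup`, `broadcast`, `receive`, `ca_open`, the `cert` dictionary and the member labels M1 to M3 with constructed private keys).

```python
"""Added example: fresh (g, y) per broadcast, two DSA signatures, CA opening.
Toy-sized primes; every function and label below is illustrative."""
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases (deterministic at the sizes used here)."""
    if n < 2 or any(n % a == 0 and n != a for a in BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, s))
    return not any(witness(a) for a in BASES if a % n)

def domain(q):
    """Smallest prime p = k*q + 1 with k even, so (p-1)/q is even (Theorem 3)."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    return k * q + 1, q

def H(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def fresh_keys(p, q, x):
    """g = h^((p-1)/q) mod p for random 1 < h <= (p-1)/2, then y = g^x mod p."""
    while True:
        h = 2 + secrets.randbelow((p - 1) // 2 - 1)
        g = pow(h, (p - 1) // q, p)
        if g != 1:                      # g = 1 would not generate the order-q subgroup
            return g, pow(g, x, p)

def sign(msg, p, q, g, x):
    while True:
        k = 1 + secrets.randbelow(q - 1)            # per-signature random number
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(msg, q) + x * r) % q
        if r and s:
            return r, s

def verify(msg, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, H(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def encode(*fields):
    return "|".join(map(str, fields)).encode()     # stand-in for concatenation

def setup():
    grp = domain(1_000_000_007)                     # group public keys (p, q)
    cp, cq = domain(998_244_353)                    # second, CA-certified key set
    cx = 1 + secrets.randbelow(cq - 1)
    cg, cy = fresh_keys(cp, cq, cx)
    cert = {"p": cp, "q": cq, "g": cg, "y": cy, "x": cx}
    db = {"M1": 123_456_789, "M2": 987_654_321, "M3": 555_555_555}  # constructed, all < q
    return grp, cert, db

def broadcast(data, x, grp, cert, now):
    p, q = grp
    g, y = fresh_keys(p, q, x)                      # new public keys for this message
    fields = (data, y, g, p, q, cert["p"], cert["q"], cert["g"], cert["y"], now)
    msg = encode(*fields)
    sig1 = sign(msg, p, q, g, x)
    sig2 = sign(encode(*sig1) + msg, cert["p"], cert["q"], cert["g"], cert["x"])
    return {"fields": fields, "sig1": sig1, "sig2": sig2}

def receive(tx, cert, now, max_age=2):
    _, y, g, p, q, cp, cq, cg, cy, ts = tx["fields"]
    if (cp, cq, cg, cy) != (cert["p"], cert["q"], cert["g"], cert["y"]):
        return False                                # not the certified set we trust
    if not 0 <= now - ts <= max_age:
        return False                                # stale TimeStamp: replay
    msg = encode(*tx["fields"])
    return (verify(encode(*tx["sig1"]) + msg, tx["sig2"], cp, cq, cg, cy)
            and verify(msg, tx["sig1"], p, q, g, y))

def ca_open(tx, db):
    """Try each stored private key until g^x mod p equals the transmitted y."""
    _, y, g, p, *_ = tx["fields"]
    return [member for member, x in db.items() if pow(g, x, p) == y]

if __name__ == "__main__":
    grp, cert, db = setup()
    a = broadcast("hard braking", db["M2"], grp, cert, now=100)
    b = broadcast("hard braking", db["M2"], grp, cert, now=101)
    print(receive(a, cert, 100), a["fields"][1:3] != b["fields"][1:3], ca_open(b, db))
```

With primes this small the discrete logarithm is easy to compute, so the sketch shows the message flow and the checks, not the security level of real DSA parameters.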
6.3 Members of the same group and their generated keys

Assume there are two members $(M^1, M^2) \in G$ in the same group and a pair of their generated keys $(y^{1,z}, g^{1,z})$ and $(y^{2,z}, g^{2,z})$, respectively. If $(y^{1,z}, g^{1,z}) = (y^{2,z}, g^{2,z})$, then the opening messages procedure will identify two private keys $x^1$ and $x^2$, where $y^{1,z} \equiv (g^{1,z})^{x^1} \bmod p$ and $y^{2,z} \equiv (g^{2,z})^{x^2} \bmod p$, respectively. In this case, it may be difficult to identify the signer, and the system will be considered unreliable.

Lemma: Members in the same group cannot generate equal public keys

Proof: In our proposed protocol, it is possible that $M^1$ and $M^2$ generate the same key $g^{1,z} = g^{2,z}$. Assume that $M^1$ and $M^2$ also generate two equal keys $y^{1,z}$ and $y^{2,z}$ such that $y^{1,z} \equiv (g^{1,z})^{x^1} \bmod p$ and $y^{2,z} \equiv (g^{2,z})^{x^2} \bmod p$, respectively. Therefore, $(g^{1,z})^{x^1} \bmod p = (g^{2,z})^{x^2} \bmod p$ which implies that $x^1 \equiv x^2 \bmod (p-1)$ and

$x^1 = x^2 + k(p-1)$ for some integer $k$. Hence, $(x^1 - x^2) = k(p-1)$. Since $q \mid (p-1)$ also, then the two members will generate the same keys $y^{1,z} = y^{2,z}$ if $(x^1 - x^2) = nq$ for some integer $n > 0$. For this reason, the CA chooses the private keys $x^1$ and $x^2$ be less than $q$, according to the DSA, such that $(x^1 - x^2) < q$.

7 Key management

7.1 Key revocation

Group members are likely to join or be excluded from the group. In cases of forgery (as an example), the CA may find it necessary to delete members from a group, hence, revoking their private keys. A revoked member should not be allowed to generate a valid signature in the future. In addition, the CA should preserve the anonymity of group members after membership revocation [backward unlinkability (Song, 2001)].

One simple solution is to issue a new pair of public keys, and new certificates to all valid members whenever a member of a group is revoked. Therefore, all non-revoked members must be notified by the CA of the change and of new certificates. This solution is inconvenient and expensive in terms of communications.

Another solution is to have all non-revoked members look up revoked keys in a database. The approach is to provide a list of revoked keys called Certificate Revocation List (CRL) (Bresson and Stern, 2001; Ateniese and Tsudik, 2002). This list contains information about revoked keys. Each time a non-revoked member verifies a received signature, this member searches the list of revoked keys and makes sure that the signature is not signed by any of the revoked keys. This solution adds communication and computational costs to all non-revoked members. However, it is impossible to revoke keys and identify messages signed by these keys without the existence of infrastructure. Vehicles have to obtain the latest revocation list from the CA in order to look up revoked keys. In V2V safety applications, it is not feasible to search a revocation list since it may cause high communication latencies and additional processing time.
The problem of finding an efficient key-revocation scheme is not an easy one, especially for safety-critical applications such as V2V networks. The problem of finding an efficient scheme to identify signatures that are signed by revoked keys is still open and under research.

A possible solution for key revocation in our proposed protocol is that the CA maintains a database that has a list of revoked private keys. When the CA revokes a private key, the CA updates this database to include this revoked key, and then performs a secure communication with the tamper-resistant hardware of the revoked key. Such secure communications should be implemented as Over-The-Air-Rekeying (OTAR) specification protocol. We also indicated in Subsection 4.1 that FIPS has a requirement for a cryptographic module to identify and authenticate its users. Such a requirement can be achieved using one of several available authentication protocols [National Institute of Standards and Technology FIPS PUB 196, Public Key Cryptography Standards (PKCS; Transport Layer Security (TLS) Protocol; These protocols can be used to provide secure communications between the CA and the tamper-resistant hardware. This secure communication allows the CA to access the memory locations where public keys and

private keys $(p, q, x, p, q, g, y, x)$ are stored, and then zeroing these memory locations (maintenance role, FIPS 140-2). As a result, members with revoked keys have a tamper-resistant hardware without any key. This tamper-resistant hardware will not be able to generate signatures and transmit messages. Members with revoked keys have to obtain a new tamper-resistant hardware from the CA.

Raya and Hubaux (2007) and Raya et al. (2006b) proposed a similar approach in three revocation protocols: Revocation Protocol of the Tamper-Proof Device (RTPD), Revocation Protocol using Compressed Certificate Revocation Lists (RCCRL) and Distributed Revocation Protocol (DRP). In RTPD, the CA has to know the vehicle's location in order to communicate securely with the tamper-resistant hardware via base stations. If a vehicle's location is determined, the CA sends a secure revocation message to erase the keys from the vehicle's tamper-resistant hardware. The authors suggested a backup mechanism, in case the location of a vehicle cannot be determined, by broadcasting the revocation message via the low-speed FM radio or via a satellite. In RCCRL, the CA revokes only a subset of a vehicle's keys. According to Raya et al. (2006b), RCCRL can be used when the tamper-resistant hardware of the target vehicle is unreachable (e.g. because of jamming) and can be used to warn the neighbours of a revoked vehicle. In DRP, the CA revokes misbehaving vehicles (vehicles that transmit malicious data). Vehicles communicating with each other can detect and collect information about a neighbouring misbehaving vehicle. This information is reported to the CA which in turn will revoke the keys of the misbehaving vehicle.

7.2 The validity period of the certified keys and the tamper-resistant hardware

The second set of keys $(p, q, g, y, x)$ that are certified by the CA should have a validity period.
When the validity period is about to expire or expired, a vehicle's tamper-resistant hardware with those keys communicates securely and anonymously with the CA to obtain a new set of keys $(p, q, g, y, x)$. The ISO/IEC (1999) can be used to transfer the new keys $(p, q, g, y, x)$ to a vehicle's tamper-resistant hardware. We discuss next a communication protocol between the CA and a vehicle's tamper-resistant hardware that incorporates our proposed anonymity scheme, described in Section 5, into the ISO/IEC protocol.

During the procedure Generating Membership Keys and Certification, the CA stores in a vehicle's tamper-resistant hardware the CA's public key $P_{CA}$ and an asymmetric RSA pair of public and private keys $(P_M, X_M)$ that belong to $M \in G$. The CA maintains the public key $P_M$ in its secure database as shown in Figure 6. In a secure communication channel, this vehicle's tamper-resistant hardware provides a request in a message $m_1$ to the CA, and generates message $m_2 = Enc_{P_{CA}}(Enc_{X_M}(Sig(m_1))\ m_1\ TimeStamp)$, where $Enc_p(m)$ means encrypting message $m$ with the key $p$. The signature $Sig(m_1)$ is signed using our proposed protocol in Section 5 with the keys $(y^{,z}, g^{,z}, p, q, x)$, and the message $m_1$ contains the public keys $(y^{,z}, g^{,z}, p, q)$.

Figure 6 The CA's database with the RSA public keys $P_M$ for each member $M$

The CA gets the request from $m_1$ by decrypting $m_2$ using the CA's private key $Pv_{CA}$ to obtain $Enc_{X_M}(Sig(m_1))\ m_1\ TimeStamp$. From the public keys $(y^{,z}, g^{,z}, p, q)$ in $m_1$, the CA gets from its database the private key, $x$, that gives $y^{,z} \equiv (g^{,z})^{x} \bmod p$. Then, the CA gets from its database the public key $P_M$ of this vehicle that is associated with $x$. Finally, the CA performs a decryption operation using the vehicle's public key $P_M$ to verify the signature on message $m_1$. The CA provides the new keys, $(p, q, g, y, x)$, in message $m_3 = Enc_{Pv_{CA}}(Enc_{P_M}(Sig(N)\ N\ TimeStamp))$. The signature $Sig(N)$ is signed using some set of DSA public keys owned by the CA that is included in message $N$. The vehicle's tamper-resistant hardware gets $N$ by decrypting $m_3$ with the public key of CA, $P_{CA}$, and then by its own private key $X_M$. Finally, the vehicle's tamper-resistant hardware authenticates the signature and accepts the new set of keys $(p, q, g, y, x)$ in message $N$.

Our proposed anonymity protocol that we described in previous sections relies on the security of the tamper-resistant hardware and on the security of the DSA. As with any cryptographic protocol that has keys with a validity period, the tamper-resistant hardware should also have a validity period. These hardware devices should be updated


More information

Assignment # 2. Farrukh Jabeen Algorithms 510 Assignment #2 Due Date: June 15, 2009.

Assignment # 2. Farrukh Jabeen Algorithms 510 Assignment #2 Due Date: June 15, 2009. Farrukh Jabeen Algorthms 51 Assgnment #2 Due Date: June 15, 29. Assgnment # 2 Chapter 3 Dscrete Fourer Transforms Implement the FFT for the DFT. Descrbed n sectons 3.1 and 3.2. Delverables: 1. Concse descrpton

More information

Overview. Basic Setup [9] Motivation and Tasks. Modularization 2008/2/20 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION

Overview. Basic Setup [9] Motivation and Tasks. Modularization 2008/2/20 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION Overvew 2 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION Introducton Mult- Smulator MASIM Theoretcal Work and Smulaton Results Concluson Jay Wagenpfel, Adran Trachte Motvaton and Tasks Basc Setup

More information

Bangalore Electricity Supply Company Limited (wholly owned Government of Karnataka undertaking)

Bangalore Electricity Supply Company Limited (wholly owned Government of Karnataka undertaking) Format - 5 Bangalore Electrcty Supply Company Lmted (wholly owned Government of Karnataka undertakng) Telephone : Emal ID : Ref No.: Offce of the.. Date: To, (Name & address of the applcant) Madam/Sr,

More information

A Distributed Private-Key Generator for Identity-Based Cryptography

A Distributed Private-Key Generator for Identity-Based Cryptography A Dstrbuted Prvate-Key Generator for Identty-Based Cryptography Anket Kate Ian Goldberg Davd R. Cherton School of Computer Scence Unversty of Waterloo Waterloo, ON, Canada N2L 3G1 {akate,ang}@cs.uwaterloo.ca

More information

Constructing Minimum Connected Dominating Set: Algorithmic approach

Constructing Minimum Connected Dominating Set: Algorithmic approach Constructng Mnmum Connected Domnatng Set: Algorthmc approach G.N. Puroht and Usha Sharma Centre for Mathematcal Scences, Banasthal Unversty, Rajasthan 304022 usha.sharma94@yahoo.com Abstract: Connected

More information

Fast exponentiation via prime finite field isomorphism

Fast exponentiation via prime finite field isomorphism Alexander Rostovtsev, St Petersburg State Polytechnc Unversty rostovtsev@sslstunevaru Fast exponentaton va prme fnte feld somorphsm Rasng of the fxed element of prme order group to arbtrary degree s the

More information

