A Secure and Privacy-Preserving Event Reporting Scheme for Vehicular Ad Hoc Networks

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2015; 00:1 11 RESEARCH ARTICLE A Secure and Privacy-Preserving Event Reporting Scheme for Vehicular Ad Hoc Networks Khaled Rabieh 1, Mohamed M. E. A. Mahmoud 1, Marianne Azer 2, and Mahmoud Allam 3, 1 Department of Electrical and Computer Engineering, Tennessee Tech University, Cookeville, TN, 38505, USA 2 National Telecommunication Institute, Nile University, Cairo, Egypt 3 Nile University, Cairo, Egypt ABSTRACT In Vehicular Ad Hoc Networks (VANETs), vehicles should report events to warn the drivers of unexpected hazards on the roads. While these reports can contribute to safer driving, VANETs suffer from various security threats; a major one is Sybil attacks. In these attacks, an individual attacker can pretend as several vehicles that report a false event. In this paper, we propose a secure event-reporting scheme that is resilient to Sybil attacks and preserves the privacy of drivers. Instead of using asymmetric key cryptography, we use symmetric key cryptography to decrease the computation overhead. We propose an efficient pseudonym generation technique. The vehicles receive a small number of long-term secrets to compute pseudonyms/keys to be used in reporting the events without leaking private information about the drivers. In addition, we propose a scheme to identify the vehicles that use their pool of pseudonyms to launch Sybil attacks without leaking private information to road side units (RSUs). We also study a strong adversary model assuming that attackers can share their pool of pseudonyms to launch colluding Sybil attacks. Our security analysis and simulation results demonstrate that our scheme can detect Sybil attackers effectively with low communication and computation overhead. Copyright c 2015 John Wiley & Sons, Ltd. KEYWORDS Security; Sybil attacks; Privacy preservation; Collusion attacks; Event-reporting schemes and Vehicular ad hoc networks Correspondence Department of Electrical and Computer Engineering, Tennessee Tech University, Cookeville, TN, 38505, USA Received INTRODUCTION VANETs have gained tremendous amount of attention in the last decade [1], [2], [3], [4], [5] because of their promising applications. They are a special type of mobile ad hoc networks, where the nodes are vehicles communicating with each other and with RSUs deployed along the roads. These networks can be used for disseminating safety messages to inform drivers about certain events in the road such as car accidents, urgent braking and traffic jams. As these safety-related messages have a substantial role, they should be sent from trusted vehicles and have credible and unaltered information. Moreover, these messages should not be used to violate the drivers location privacy. However, VANETs suffer from many security and privacy threats that should be resolved before they are widely deployed. Privacy preservation has been recognized as one of the most important requirements for VANETs [6]. In order to preserve the privacy of drivers, instead of using one identity, each vehicle is loaded with many certified pseudonyms obtained from a certificate authority (CA) [7]. Vehicles use the pseudonyms to report events and change them periodically to protect their location privacy [8]. Attackers can not reveal the real identity of the vehicles because they cannot link the pseudonyms of one vehicles. They also cannot link the pseudonyms to the vehicle s real identity. In addition, Sybil attack is one of the most severe threats to safety applications in VANETs. In Sybil attacks, a malicious vehicle tries to appear as multiple vehicles to persuade other vehicles with false events for its own benefit. What makes the attack easier to launch is that each vehicle is loaded with many pseudonyms to preserve the privacy of the drivers. The attackers can use the pool of pseudonyms to pretend as different vehicles. An example of what a Sybil attack can do is to trigger the vehicles to change the road by sending false traffic jam events. There Copyright c 2015 John Wiley & Sons, Ltd. 1 [Version: 2010/06/28 v2.00]

2 is a strong need to protect vehicles privacy and detect Sybil attackers at the same time. Attackers can launch Sybil attacks in two different scenarios. In the first scenario, a single attacker abuses holding multiple pseudonyms and reports false events with his/her own pool of pseudonyms to appear as different vehicles. In the other scenario, colluding attackers exchange their pools of pseudonyms to report false events using larger number of pseudonyms. Colluding attacks are usually more severe and more difficult to combat than the singular attacks. Vehicles need to use pseudonyms to report events to preserve their privacy, but it is inefficient to load each vehicle with a large number of pseudonyms and keys because this requires large storage area. Pseudonyms should not also be reused because this can degrade the vehicles privacy. Moreover, frequently contacting the department of motor vehicle (DMV) for pseudonym refilling may create a bottleneck at the DMV due the network scalability. A good event reporting scheme in VANETs should balance between privacy preservation and the overhead of distributing/storing of pseudonyms. It should also be resilient to Sybil attacks. To cope with the aforementioned problems, in this paper, we propose a novel privacy-preserving and secure scheme for event reporting in VANETs. In our scheme, vehicles receive a set of long-term secrets to compute locally a large number of pseudonyms and keys to report the events. The computations of the pseudonyms by vehicles can significantly decrease the overhead of frequently contacting the DMV to send pseudonyms/keys. It can also reduce the storage overhead at the vehicles. The low overhead of computing pseudonyms can also help boost the privacy efficiently by using each pseudonym for only one event. Different from the existing schemes [6], [7], [8], [9], our scheme uses symmetric key cryptography instead of asymmetric key cryptography because it is more efficient. Moreover, the RSUs should not be able to obtain any private information about the vehicles because they are deployed on the roads with almost no physical security. We divide the vehicles into groups and the RSUs can know the vehicles group number but they cannot know their identities or link their pseudonyms. If the number of vehicles in each group is large enough, the RSU cannot know any private information. The RSUs suspect a singular Sybil attack if the pseudonyms used to report an event belong to the same group. In this case, the RSUs send the pseudonyms to the DMV. A Sybil attack is detected if the DMV finds that the suspected pseudonyms belong to an individual vehicle. We also propose a novel technique to detect colluding Sybil attack when an attacker reports a false traffic jam using pseudonyms of other colluding vehicles. In VANETs, vehicles send a beacon packet every around 100 ms [10], [11]. The beacons should have the vehicles locations and speed. The RSUs can detect Sybil attack by checking for inconsistency in the reported events and the received beacons. In order to verify whether the reported traffic jam events are credible, the RSUs use radars to measure the vehicles speed. The RSUs send the pseudonyms of the attackers that report wrong events to the DMV. To assess the performance of our scheme, we simulated it using NS-2. Our simulation results demonstrate that our scheme can achieve the desired security objectives with low computation and communication overhead. In addition, the evaluations indicate that our pseudonym generation technique can generate a large number of pseudonyms using a small number of secrets. The remainder of this paper is organized as follows. Section 2 discusses the related work. In section 3, we present the network and the adversary models. In section 4, we present the proposed scheme in details. Security/privacy preservation evaluations and simulation results are presented in sections 5 and 6, respectively. Finally, section 7 concludes the paper and presents future directions. 2. RELATED WORK Resource testing technique is used in [12], [13], [14], [15] to detect Sybil attack. It is based on the assumption that the nodes have limited resources which could be the computation power, storage capabilities, communication bandwidth, etc. To detect the Sybil attack, the verifier should check if the nodes possess fewer resources than expected. However, Douecer [16] has shown that Sybil attacks cannot be mitigated using limited resource testing when attackers have more resources than the other nodes. In [13], Newsome et. al propose radio resource testing technique to identify Sybil attack in sensor networks. The node sends a message to its neighbors and chooses a random radio channel to receive the reply back. The Sybil node is detected if it is not able to reply back on the assigned random channel. However, the attacker can use more than one radio channel to deceive other nodes and launch Sybil attack. Moreover, some devices are capable of simultaneously sending and receiving on more than one channel at the same time. In [6], Zhou et. al propose P2DAP protocol to detect Sybil attack. The DMV generates certified pseudonyms for each vehicle. The pseudonyms are divided into groups using a first level keyed hash function to form coarsegrained groups. Then, for every group, the pseudonyms are grouped again into subgroups using a second level keyed hash function to form fine-grained groups. The DMV loads each vehicle with a unique fine-grained group of pseudonyms. The RSUs receive the first level key from the DMV to be able to know the vehicles groups. To preserve the vehicles privacy, the RSUs do not know the second level key that maps the vehicles pseudonyms to their identities. Whenever an RSU receives pseudonyms 2 Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd.

3 which maps to the same coarse-grained group, it sends the suspected pseudonyms to the DMV to check whether the pseudonyms belong to the same vehicle. Different from this work, we use symmetric key cryptography instead of public key cryptography. This work focuses only on Sybil attack detection but we propose an event reporting scheme. We also address colluding attacks that are not address in [6]. In [17], Sybil attack is detected by using physical layer parameters such as received signal strength and angle of signal. The RSU measures these values from the broadcasted beacon packets and exchange these measurements with other RSUs. Every RSU in the road calculates the deviation between its measurements and others measurements. Sybil nodes are detected if the deviation exceeds a certain threshold. In [18], Park et. al propose a timestamp based approach to detect Sybil attack in VANETs. Each vehicle collects digitally signed timestamps from the RSUs it passes by. When a vehicle reports an event, it attaches the most recent timestamps with the event. Vehicles are not able to report events unless they obtain at least two different timestamps from different RSUs. The Sybil attack can be detected when events have the same timestamps. This approach assumes that it is rare that two different vehicles pass by an RSU at exactly the same time. In [19], Rabieh et. al propose a Public Key Cryptography (PKC) based scheme to detect Sybil attacks in VANETs. The driver encrypts the event by a one-time symmetric key that is encrypted by the DMV s public key. Then, he/she signs the event and unicasts it to the DMV. This scheme requires that the drivers have tokens or smart cards to be able to sign the events. The RSUs act as a relay for all the events to the DMV and they can not detect the Sybil attack. The DMV decrypts the events and Sybil attack is detected if more than one event is sent from the same driver in a specific period of time. In [20], Chang et. al propose a mechanism for detecting Sybil attack in VANETs called Footprint. When a vehicle passes by an RSU, the RSU generates a signed message containing the current timestamp and sends it to the vehicle. The signed message is a proof of the vehicle s presence at a specific location at a certain time. While a vehicle is moving, it obtains different signed messages from different RSUs to form a trajectory. Vehicles report events by attaching the trajectory to the events. Sybil attack can be detected if the verifier vehicle notices that many similar trajectories report the same event. However, a Sybil node can report events with subset trajectories of the actual trajectory without being detected. Guette et. al [21] introduce the Trusted Platform Modules (TPMs) to secure communications between vehicles. TPM is a hardware module that is able to store the needed cryptographic keys and credentials in a tamper proof device. The TPMs use integrity checks on the stored data to prevent the attacker from modifying/installing applications or fabricating pseudonyms. However, the TPMs are costly and require special devices to be installed in each vehicle. Location verification schemes [22], [23], [24], [25] are used to detect Sybil attacks. The underline idea is that the Sybil attacker can not be physically located at more than one location in the same time. A cross layer scheme is proposed in [22] for verifying the location of vehicles in VANETs by utilizing the physical, network and application layers. Every vehicle is equipped with a radar and a standard Global Positioning System (GPS) device. The physical layer compares the location obtained from the GPS with the one obtained from the radar. The network layer verifies the position of a suspected remote vehicle by asking neighboring vehicles. In the application layer, the Sybil nodes are filtered by plotting the collected locations in a grid. Then, the locations far from the cluster bounds are accused of Sybil attack. In [23], the RSUs are equipped with a directional antenna which enables them to beamform the packets to a certain location. The RSU sends a challenge packet to the suspected vehicle at its expected location. A vehicle is expected to reply back by a response packet as a proof of its presence at this location. A vehicle is accused of Sybil attack if it is not able to reply back with a valid reply. Public key cryptography and hash function are used to secure the challenge and response packets. Fogue et. al [24] propose a proactive cooperative neighbor position and verification scheme based on a two-round message exchange between vehicles. Vehicles broadcast anonymous hello messages at random time in the first round. After constant time called guard time, they broadcast a new hello message having their identities in the second round. Once the message exchange is done, each vehicle can calculate the distance that separates it from its neighbors by using time of flight based radio frequency ranging. The transmission time of the first-round message and the reception time of the second message are used to calculate the distance between the vehicle and its neighbors. Abu-Elkheir et. al [25] propose a position verification scheme in VANETs. Vehicles define a plausible area based on the broadcasted beacon messages received from other vehicles. The vehicles attach their one hop neighbors to their beacon messages before broadcasting them to the neighboring vehicles. When a vehicle receives a beacon message, it can know its two-hop neighbors and calculate the plausible area. To verify a vehicle s location, the verifier checks if the claimed location lies in the plausible area or not, i.e., the location is farther than the farthest twohop neighbor or not. The Sybil attack can be detected if the claimed location lies outside the plausible area. In [26], a privacy-preserving route reporting scheme for traffic management is proposed. Roads are divided into segments and vehicles should report their encrypted routes segments to the RSUs. The RSUs aggregate the routes segments using homomorphic encryption and sends them to the traffic management center (TMC). The TMC can only know the total number of vehicles in each Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd. 3

4 Table I. A Sample of a vehicle s keys and credentials shared with the DMV in hexadecimal numbers. Plate number Shared secret key Long-term secrets Group ID 987-ESW D C 42 FC 3B D9 9D 83 2D A0 A CD, E 84 08, F9 AC 5A AF A4 4F, FF B 87, B9 DF 5A FD 5F 50, E8 F5 AF A3 F5 06, A F Figure 1. The considered network model. segment without knowing the individual route of each vehicle to preserve the privacy of drivers. The TMC can predict the expected traffic jams locations and sends a warning message to the vehicles to try to avoid traffic jam before it happens. 3. SYSTEM MODELS 3.1. Network Model The considered network model is shown in Figure 1. It has the following entities:- Vehicles: Most of the nodes in VANETs are vehicles. They are equipped with Onboard Units (OBU) that can perform cryptographic operations. Additionally, vehicles have storage memory to store required credentials and cryptographic keys. Vehicles use the 5.9 GHz dedicated short range communications (DSRC) identified by IEEE p [27]. A sample of a vehicle s cryptographic keys and credentials is given in table I. DMV: The DMV is a trusted authority that is responsible for providing vehicles with plates and security credentials during the registration renewal time. The DMV is responsible for securing the network and it can penalize attackers whenever they abuse the network, e.g., by reporting false events. RSUs: RSUs are spread along the roads acting as access points that receive events from vehicles. They communicate with the DMV through a wired/wireless channel. The DMV supplies the RSUs with the credentials that enable them to communicate with vehicles. When RSUs suspect Sybil vehicles, they send their pseudonyms to the DMV. Radars: In order to verify the credibility of event messages, RSUs use radars to measure the passing vehicles speed Adversary Model The DMV is a trusted party that is interested in securing VANETs. In order to preserve the driver s privacy, the RSUs should not be able to know any private information about drivers. When RSUs suspect a Sybil attack, they send the suspected vehicles pseudonyms to the DMV that can confirm whether there is a Sybil attack or not. Vehicles can be potential attackers and are not trusted. They can launch Sybil attacks by sending a false event many times using different pseudonyms to pretend that the event is sent from different vehicles. In singular Sybil attack, the attackers use pseudonyms from their own pool, but in colluding Sybil attack, the attackers use the pseudonyms of their own pool in addition to the pool of other colluding vehicles. Moreover, other attackers are interested to obtain some sensitive information, e.g., by linking the pseudonyms used to report events or linking events to the real identity of a vehicle. Figure 2 shows a potential scenario for a successful Sybil attack. An attacker reports false traffic congestion alert event with different pseudonyms to deceive the RSU. If the RSU is not able to identify this Sybil attack, it believes that there is a congestion on the road. As a result, it broadcasts a congestion alert message to the RSUs and vehicles in its vicinity to warn them from the congestion. When the vehicles receive the alert message, they change 4 Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd.

5 Figure 3. Pseudonym generation technique. Figure 2. Sybil attack scenario. their road to avoid the (false) congestion area. If the attack is successful, the attacker can clear its road from vehicles. As a side effect, by directing vehicles to a different road, a real traffic congestion may be created. 4. PROPOSED SCHEME In this section, we first present the initialization phase carried out by the DMV. Then, we describe the pseudonym generation technique and the structure of the event packets. Finally, we explain our schemes to detect singular and colluding Sybil attacks Initialization Phase The DMV divides the vehicles into groups, where each group has enough number of vehicles to preserve their privacy. The RSUs can know the vehicles groups but they cannot identify the individual vehicles in each group. The underline idea of using groups is that instead of sending all the event packets to the DMV to check for Sybil attacks, the RSU suspects a Sybil attack if the received pseudonyms belong to the same group. During the periodic registration renewals, the DMV loads the vehicles with a long-term shared symmetric key and a small number of secrets to be used for generating pseudonyms and the associated keys. Then, it calculates the pseudonyms and the corresponding keys of all vehicles and distribute them to the RSUs. As will be explained later, the vehicles pseudonyms and keys can be used only during a time window, e.g., a month. This can reduce the required storage area for the vehicles pseudonyms and keys at the RSUs because the RSUs need only to store the pseudonyms and keys that can be used in the current time window. Before the end of a time window, the DMV needs to distribute the pseudonyms and keys of the next time window Pseudonym Generation Technique The DMV distributes a small number of long-term secrets to enable the vehicles to compute the pseudonyms and the corresponding keys locally. As shown in Figure 3, to calculate a one-time pseudonym and its associated key, the vehicle should first select a combination of the long-term secrets. Then, a one-time pseudonym can be calculated by hashing the combination with time information such as the current month. To compute the associate key, the vehicle uses the same combination of secrets and a secret key shared with the DMV as a key for a keyed hash function. The corresponding key is the output of the keyed hash function. Eq. 1 gives the total number of pseudonyms/keys that can be generated using different combinations of t secrets where n is the total number of secrets each vehicle has. The number of secrets in the combinations can be between one and n. Also, the secrets with different order are considered different combinations, e.g., {S 1, S 2, S 3} is different from {S 2, S 1, S 3} although they have the same secrets. This is because when they are hashed, they produce different pseudonyms and keys. n 1 n 2 n! + (n t)! t=1 The pseudonyms and keys are computed at the DMV and the vehicles. The DMV supplies the RSUs with the pseudonyms and the corresponding keys. Figure 4 given the relation between the number of pseudonyms and keys that can be computed from n secrets. It can be seen that a large number of pseudonyms can be generated by using a small of secrets. For example, only seven secrets are enough to generate more than 8000 pseudonyms and keys which should be enough for a large number of events Singular Sybil Attack Detection Before we explain how our proposed scheme can detect the Sybil attack, we need to explain the structure of the event packets. An event packet should have the following fields: (1) Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd. 5

6 Table II. A sample of an RSU s table. Pseudonym Corresponding key A A 2D BE B7 CE F 00 1 D D EF E6 9C 7B AC 98 5C 96 1 C8 BF 9E FD F FF C2 64 6C 74 BD 2B 8D 3A EA F6 0D 20 C1 81 F3 CF B8 D1 71 DA D E8 85 D0 67 2D AE 23 B1 3D B 7A D CC C8 AD C F2 5E 68 BA 2B E8 2 Group number Figure 4. A large number of pseudonyms/keys can be computed with a small number of secrets (n). One-time pseudonym : The proposed pseudonym generation technique that is discussed earlier in section 4.2 can be used to compute the pseudonym. Timestamp: The timestamp is used to ensure the freshness of the packets to thwart event replay attacks. Event Type: Events are categorized into types, and each type is expressed by a symbol, such as Severe Accident, Simple Accident, Traffic Jam, etc. Event Location: The location co-ordinates of the reported event. Heading: The direction of the vehicle reporting the event. It can be obtained using the GPS. Relative Direction: This field is used to distinguish the traffic jam locations, i.e., the reporting vehicle s same direction or opposite. It is a single bit that is set if the vehicle is moving in the direction of the event and cleared if the vehicle is moving in the opposite direction. Event Message: A description to the event can be added by the event reporter. It is an optional field that can be used when the reporter wants to send additional information about the event that can help the authority, e.g., if there is an accident, this field can be used to state whether there is fire or injuries. The symmetric encryption of the packet by the key associated to the pseudonym. We explained earlier how the corresponding key can be computed in section 4.2. Attacker can launch Sybil attacks by using his pseudonyms to report different fake events to appear as they are reported by different vehicles. This can give more credibility to the event than reporting it by one pseudonym. In our scheme, the RSU takes part in the detection of Sybil attackers. As mentioned earlier, the RSU can know the vehicles group but it can not know the individual vehicles identities. When an RSU receives an event, it first checks whether the event s pseudonym exists in its table or not. A sample of an RSU table that has the pseudonyms, the corresponding keys and the group number is given in table II. If the pseudonym is not found in the table, the RSU discards the event. When the RSU receives several packets for the same event, it examines if these events are sent from vehicles in the same group. In this case, the RSU suspects a Sybil attack and sends the suspected pseudonyms to the DMV. The DMV can know whether the pseudonyms belong to one vehicle or not. It accuses a vehicle of launching Sybil attacks when it uses different pseudonyms to send the same event several times. Our scheme can be implemented without real-time online communications between RSUs and DMV but with more Sybil detection delay. In this case, RSUs can accumulate and send the suspicious pseudonyms once per day Colluding Sybil Attack Detection To launch a colluding Sybil attack, the attacker reports events with valid pseudonyms of colluding vehicles. Colluding Sybil attacks are strong and have not been well studied yet. We consider the scenario where an attacker wants to report a false traffic jam to clear the road for him/herself. In this case, the RSU receives enough number of traffic jam events from the attacker to convince it that the event is credible. However, the beacons received from benign vehicles have their correct speeds. The RSU matches the traffic jam events with beacons looking for anomalies. This technique is based on the fact that the attacker s objective is to convince the vehicles and/or the RSU with a false traffic jam, but the benign vehicles send beacons having correct speed which is not consistent with the attackers reports of traffic jam. The pseudo code of colluding Sybil attack detection is provided in algorithm 1, where Beacons[] is an array of received beacons, Events[] is an array of received events in a specific period of time, and Beacons[i] represents the i th beacon in a list of beacons. The speed threshold is a configurable constant that represents the maximum speed of vehicles in case of traffic jam. evt state is an event type that represents a traffic jam in our scheme. If the vehicles speeds reported in the beacons are inconsistent with the traffic jam events sent by some vehicles, the RSU uses a radar to measure the vehicles 6 Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd.

7 Algorithm 1 Colluding Sybil attack detection 1: speed threshold = maximum vehicle speed in traffic jam 2: For all received Beacons[i] 3: For all received Events[j] 4: Bcnt = length.beacons[] 5: Ecnt = length.events[] 6: while i < Bcnt do 7: for all j < Ecnt do 8: evt state = Events[j].EventType 9: if Beacon[i].speed > speed threshold AND evt state = Traffic Jam then 10: radar speed = the measured speed of vehicles by the radar 11: if radar speed > speed threshold then 12: Suspected colluding Sybil attack 13: Send the pseudonyms to the DMV for investigation 14: i++ 15: end if 16: end if 17: end for 18: i++ 19: end while speed to resolve this conflict. By using a radar, the RSU can ensure whether the vehicles that send the beacons or those that send the events misbehave. If the measured speed is above a threshold, the vehicles that send the event are accused of sending false events; otherwise, the vehicles that send the beacons are accused of sending wrong data. The RSU forwards the misbehaving vehicles pseudonyms to the DMV to revoke them. This technique requires the vehicles to periodically broadcast beacon packets which is mandated in the Wireless Access in Vehicular Environments (WAVE) standard [11]. 5. SECURITY AND PRIVACY PRESERVATION EVALUATIONS In order to boost the privacy of the drivers, a one-time pseudonym is used for every reported event. Instead of computing/distributing a large number of pseudonyms and keys, vehicles compute pseudonyms locally to report events using our pseudonym generation technique. Comparing to the PKC based schemes, our pseudonym generation technique can achieve two objectives: a) the DMV does not need to compute too many signatures to generate the certificates of the pseudonyms; and b) vehicles can enjoy high privacy preservation level with low storage overhead because pseudonyms can be computed locally, and thus they do not need to store too many certified pseudonyms. Singular Sybil attacks are launched by using the pool of pseudonyms where each vehicle pretends to appear as different nodes. The RSU cannot detect the attack because it does not know the individual vehicles pseudonyms to preserve privacy. In order to detect the attack and prevent RSUs from getting sensitive information, the RSU sends the pseudonyms to the DMV when it finds that the same event is reported by pseudonyms in the same group. The RSU can know the vehicle s group which is not sensitive information when the group is large enough. The DMV can know whether the pseudonyms belong to one vehicle or not. It accuses a vehicle of launching Sybil attacks when it uses different pseudonyms to send the same event several times. If an attacker tries to launch a replay attack by collecting and replaying the vehicles events packets, the RSU can detect this attack. When an RSU receives an event packet, it examines the packet s timestamp and discards the packet if the timestamp is stale. Linking pseudonyms enables the attacker to collect too much information about the activities of the driver, which can help identify the real identity of the driver, e.g., from the locations he/she visits. Our pseudonym generation technique generates unlinkable pseudonyms by changing the combinations of secrets that are used as an input to the hash function. In order to secure our scheme, it should be impossible to find the input of the hash function from the output hash value. Fortunately, secure hash functions should have this property such as SHA-1. Without knowing both of the secret key and the long-term secrets, the attacker and the RSU are not able to link the pseudonyms. We also adopted the separation of knowledge concept between vehicles, RSUs and the DMV. This concept is explained in table III. The RSUs can know if two vehicles are in the same group, but they can not know the real identities of the vehicles. They cannot know the pseudonyms of one vehicle. Vehicles do not know their group number or the other vehicles group numbers. They cannot also know other vehicles pseudonyms or real identities. The DMV is trusted and can know all the information, but it needs reports from RSUs to accuse vehicles of Sybil attacks. Our scheme also targets a strong adversary model assuming that Sybil attackers can collude together and exchange their pseudonyms. The underline idea is that attacker has control on his event packets but he has no control on the beacon packets sent by benign vehicles. RSUs can suspect Sybil attack when there is a conflict between beacons and events. 6. SIMULATION RESULTS 6.1. Experimental Setup In our simulations, we consider different numbers of benign vehicles and Sybil attackers as indicated in table IV. Vehicles move with constant speed on a straight road. An RSU is located at the middle of the road and Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd. 7

8 Entities Table III. Separation of knowledge between different entities knows the real identity of vehicles knows if two vehicles are in the same group Vehicles No No No RSU No Yes No DMV Yes Yes Yes knows the pool of pseudonyms of other vehicles Table IV. Simulation parameters Parameter Value Number of benign vehicles 60, 70, 80 and 100 Number of Sybil attackers 10, 20, 30 and 40 Encryption algorithm Hash algorithm Vehicles transmission range Wired connection speed Advanced encryption standard (AES) with key size of 128 bits SHA meters 100 Mbytes/sec MAC protocol p receives events from vehicles passing by. We assume that IEEE p is the underlying protocol for vehicle to vehicle and vehicle to RSU communications. The proposed scheme is simulated using NS-2 simulator [28]. We also assume that there is a wired connection between the DMV and the RSU. We developed an agent using C language to compute the cryptographic operations carried out by the OBUs and the RSUs such as encryption, decryption and hash operations. Vehicles send two packets every second. We divide the vehicles into groups and the number of vehicles in each group is 10% of the total number of vehicles. Our simulation is executed for 100 seconds Performance Metrics The following performance metrics are considered for assessing the proposed scheme. Communication overhead: Basically, this metric measures the number of packets exchanged between vehicles and RSUs and between RSUs and the DMV. As will be explained later, we also compare the packet size of our scheme with PKC based scheme that uses RSA cryptosystem. Sybil attack detection time: This metric indicates the time needed to detect a Sybil attack. 1. Communication overhead We compare our scheme with RSA based event reporting scheme where vehicles use certified Figure 5. Number of packets received by an RSU. pseudonyms to report events. We measured the number of packets sent from vehicles to the RSU and from the RSU to the DMV at different number of benign vehicles and Sybil attackers. The results are given in Figures 5 and 6 respectively. It can be seen that our scheme has low communication overhead compared with RSA based scheme. This can be attributed to the fact that the symmetric-key encryption generates ciphertext that is shorter the RSA signatures. In addition, the results indicate that the number of packets sent from the RSU to the DMV is significantly less than the number of packets sent from the vehicles to the RSU. This is because the RSUs send the packets to the DMV only when events are reported from same group vehicles. By this way, the DMV is not involved in the decryption of every single event. 2. Sybil attack detection time The time it takes to suspect a Sybil attack depends on the arrival rate of events, the latency of packet delivery, and the decryption time of the received events. We measured the encryption and decryption time on a host running Linux OS and has a single Intel core CPU of 2.00 GHz and memory of 1.00 Gigabyte. The AES encryption and decryption time of one event is 5 ms and 10 ms, respectively. The packet delivery latency is the time an event packet takes to be sent from the vehicles to the RSU. We found that the average packet delivery latency is 0.17 seconds. Table V gives the taken time to suspect a Sybil attacker at different attacks 8 Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd.

9 7. CONCLUSIONS AND FUTURE WORK Figure 6. Number of packets received by a DMV. Figure 7. The Sybil attack s detection time in our scheme is less than that of PKC based scheme. rate, i.e., an attacker sends an event multiple times using his pool of pseudonyms. It is clear that the computational time of the received events is significantly low. The required time to verify an event by an RSU is less than that of the PKC based scheme. The detection time of Sybil attacks by the DMV depends on the time it takes to search for a specific record in the database and the number of suspected events received from the RSU. We examined an Oracle database table having 500,000 records hosted on an Intel Celeron CPU of 3.06 GHz and memory of 2.00 GHz server. The database supports indexing which is necessary to speed up the time for search and detection of attacks. It was found that the average database search time is 15 ms. Table VI gives the detection time of the Sybil attack. In Figure 7, we compare the detection time of our scheme with the PKC based scheme. It can be seen that our scheme has less detection time than PKC based scheme because the decryption time of symmetric encryption is significantly less than the verification time of the PKC signatures. In this paper, we have proposed a secure and privacypreserving event reporting scheme that can detect Sybil attacks in VANETs. We preserve the privacy of the event reporter which is very desirable in VANETs. Long-term secrets are assigned by the DMV to vehicles during their periodic registration to report events. Pseudonyms are computed onboard using a combination of the secrets. Each pseudonym is used for only one time to boost vehicles privacy. Moreover, our scheme uses the symmetric key cryptography instead of the asymmetric key cryptography to reduce the overhead. We also proposed a new technique to mitigate the Sybil attack in a stronger adversary model where an attacker colludes with other vehicles to report events using their valid pseudonyms. Our scheme is based on the concept of the separation of knowledge between the RSUs, vehicles and the DMV. The RSU can know the vehicles groups but cannot link their pseudonyms. On the other hand, the DMV can reveal attacker s identity when a Sybil attack is detected. Extensive simulation was programmed to evaluate the scheme at different numbers of benign vehicles and attackers. We measured the communication overhead and the detection delay of the Sybil attack. Our evaluations and simulation results indicate that our scheme can preserve the drivers privacy with significantly low communication and computation overhead. Further studies are needed to enable vehicles to thwart the Sybil attacks without the intervention of a centralized authority. We will investigate a scheme to enable the vehicles to cooperate in detecting Sybil attacks. The scheme should be resilient to collusion attacks and false accusations. ACKNOWLEDGEMENT THE AUTHORS WOULD LIKE TO THANK TONG ZHOU THE AUTHOR OF P2DAP PROTOCOL [6] FOR HER SUPPORT. REFERENCES 1. G. Yan, D. Wen, S. Olariu, and M. Weigle, Security challenges in vehicular cloud computing, IEEE Transactions on Intelligent Transportation Systems, vol. 14, no. 1, pp , March R. G. Engoulou, M. Bellache, S. Pierre, and A. Quintero, Vanet security surveys, Computer Communications, vol. 44, no. 0, pp. 1 13, X. Lin, X. Sun, P.-H. Ho, and X. Shen, Gsis: A secure and privacy-preserving protocol for vehicular communications, IEEE Transactions on Vehicular Technology, pp , Nov Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd. 9

10 Table V. An RSU s suspicion time delay. Number of events reported by same-group pseudonyms Latency time Decryption time Time to suspect a Sybil attack Number of suspected pseudonyms Table VI. Sybil attack s detection time. Decryption time Latency Search Time Certificate verification time Detection time in seconds M. N. Mejri, J. Ben-Othman, and M. Hamdi, Survey oncvanet security challenges and possible cryptographic solutions, Vehicular Communications, vol. 1, no. 2, pp , K. Ota, M. Dong, H. Zhu, S. Chang, and X. Shen, Traffic information prediction in urban vehicular networks: A correlation based approach, Proceedings of the IEEE Wireless Communications and Networking Conference, pp , T. Zhou, R. Choudhury, P. Ning, and K. Chakrabarty, P2dap sybil attacks detection in vehicular ad hoc networks, IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp , R. Lu, X. Li, T. Luan, X. Liang, and X. Shen, Pseudonym changing at social spots: An effective strategy for location privacy in vanets, IEEE Transactions on Vehicular Technology, vol. 61, pp , Jan G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, Efficient and robust pseudonymous authentication in vanet, Proceedings of the Fourth ACM International Workshop on Vehicular Ad Hoc Networks, pp , M. Raya and J.-P. Hubaux, Securing vehicular ad hoc networks, Journal of Computer Security, vol. 15, no. 1, pp , R. Reinders, E. van Eenennaam, G. Karagiannis, and Heijenk, Contention window analysis for beaconing in vanets, Proceedings of the Seventh IEEE International Wireless Communications and Mobile Computing conference, pp , July European telecommunications standards institute 2009, ETSI TR V1.1.1 ( ) : Intelligent Transport Systems (ITS);Vehicular Communications;Basic Set of Applications;Definitions, P. Maniatis, M. Roussopoulos, T. J. Giuli, D. S. Rosenthal, and M. Baker, The lockss peer-to-peer digital preservation system, ACM Transactions on Computer Systems (TOCS), vol. 23, no. 1, pp. 2 50, J. Newsome, E. Shi, D. Song, and A. Perrig, The sybil attack in sensor networks: analysis defenses, Proceedings of the third International Symposium on Information Processing in Sensor Networks, pp , April J. Ledlie and M. Seltzer, Distributed, secure load balancing with skew, heterogeneity and churn, Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 2, pp , P. Maniatis, D. S. Rosenthal, M. Roussopoulos, M. Baker, T. J. Giuli, and Y. Muliadi, Preserving peer replicas by rate-limited sampled voting, Proceedings of the ACM SIGOPS Operating Systems Review, vol. 37, no. 5, pp , J. R. Douceur, The sybil attack, Proceedings of the first International Workshop on Peer-to-Peer Systems, pp , J. Grover, M. S. Gaur, and V. Laxmi, A novel defense mechanism against sybil attacks in vanet, Proceedings of the 3rd International Conference on Security of Information and Networks, pp , S. Park, B. Aslam, D. Turgut, and C. Zou, Defense against sybil attack in vehicular ad hoc network based 10 Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd.

11 on roadside unit support, Proceedings of the military IEEE Communications Conference, MILCOM 2009, pp. 1 7, Oct K. Rabieh and M. Azer, Combating sybil attacks in vehicular ad hoc networks, Proceedings of the Recent Trends in Wireless and Mobile Networks, vol. 162, pp , S. Chang, Y. Qi, H. Zhu, J. Zhao, and X. Shen, Footprint: Detecting sybil attacks in urban vehicular networks, IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp , G. Guette and C. Bryce, Using tpms to secure vehicular ad-hoc networks (vanets), Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks, vol. 5019, pp , J. L. Gongjun Yan, Weiming Yang and D. B. Rawat, Cross-layer location information security in vehicular networks, JNIT: Journal of Next Generation Information Technology, vol. 3, no. 2, pp , K. Rabieh, M. Mahmoud, T. Guo, and M. Younis, Cross-layer scheme for detecting large-scale colluding sybil attack in vanets, Proc. of IEEE International Conference on Communications (ICC), London, UK, no. 1, pp. 8 12, June M. Fogue, F. Martinez, P. Garrido, M. Fiore, C.-F. Chiasserini, C. Casetti, J.-C. Cano, C. Calafate, and P. Manzoni, On the use of a cooperative neighbor position verification scheme to secure warning message dissemination in vanets, Proceedings of IEEE Conference on Local Computer Networks (LCN), pp , Oct M. Abu-Elkheir, S. Hamid, H. Hassanein, I. Elhenawy, and S. Elmougy, Position verification for vehicular networks via analyzing two-hop neighbors information, Proceedings of the 36th IEEE Conference on Local Computer Networks (LCN), pp , Oct K. Rabieh, M. Mahmoud, and M. Younis, Privacypreserving route reporting scheme for traffic management in vanets, Proc. of IEEE International Conference on Communications (ICC), London, UK, no. 1, pp. 8 12, June X. Lin, Lsr: Mitigating zero-day sybil vulnerability in privacy-preserving vehicular peer-to-peer networks, IEEE Journal on Selected Areas in Communications, vol. 31, pp , September Network simulator 2. [Online]. Available: http: // Security Comm. Networks 2015; 00:1 11 c 2015 John Wiley & Sons, Ltd. 11