Post on 07-Apr-2019
1
Jean-Pierre Hubaux
With contributions from Srdjan Capkun¹, Panos Papadimitratos, and Maxim Raya
Laboratory for Computer Communications and Applications (LCA)
¹Now with Safe and Secure IT-Systems Group, Informatics and Mathematical Modeling (IMM),
Technical University of Denmark
Securing Vehicular Communications
2
Outline
Motivation
Threat model and specific attacks
Security architecture
Security analysis
Performance evaluation
Certificate revocation
Secure positioning
Conclusion
3
What is a VANET (Vehicular Ad hoc NETwork)?
Roadside base station
Inter-vehicle communications
Vehicle-to-roadside communications
Emergency event
• Communication: typically over the Dedicated Short Range Communications (DSRC) (5.9 GHz)
• Example of protocol: IEEE 802.11p
• Penetration will be progressive (over 2 decades or so)
4
Vehicular communications: why?
Combat the awful side-effects of road traffic
• In the EU, around 40’000 people die yearly on the roads; more than 1.5 million are injured
• Traffic jams generate a tremendous waste of time and of fuel
Most of these problems can be solved by providing appropriate information to the driver or to the vehicle
5
Why is VANET security important?
Large projects have explored vehicular communications: Fleetnet, PATH (UC Berkeley), …
No solution can be deployed if not properly secured
The problem is non-trivial
• Specific requirements (speed, real-time constraints)
• Contradictory expectations
Industry front: standards are still under development and suffer from serious weaknesses
• IEEE P1609.2: Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages
Research front
• Very few papers
6
A smart vehicle
Forward radar
Computing platform
Event data recorder (EDR)
Positioning system (GPS)
Rear radar
Communication facility
Display
Human-Machine Interface
7
Threat model
An attacker can be:
• Insider / Outsider
• Malicious / Rational
• Active / Passive
• Local / Extended
Attacks can be mounted on:
• Safety-related applications
• Traffic optimization applications
• Payment-based applications
• Privacy
9
Attack 2: Disruption of network operation
SLOW DOWN
The way is clear
Attacker: insider, malicious, active
10
Attack 3: Cheating with identity, speed, or position
Wasn’t me!
Attacker: insider, rational, active
13
Attack 6: Tracking
* A at (x1,y1,z1) at time t1
* A communicates with B
* A refuels at time t2 and location (x2,y2,z2)
* A enters the parking lot at time t3
* A downloads from server X
18
Proposed homework: compute connectivity in this case
Please send your solution to: jean-pierre.hubaux@epfl.ch
19
Our scope
We consider communications specific to road traffic:
safety and traffic optimization (including finding a parking
place)
• Safety-related messages
• Messages related to traffic information
We do not consider more generic applications,
e.g. toll collect, access to audio/video files, games,…
20
Security system requirements
Sender authentication
Verification of data consistency
Availability
Non-repudiation
Privacy
Real-time constraints
21
Security Architecture
Authenticated message:
• Safety message (≈ 100 bytes): {Position, speed, acceleration, direction, time, safety events}
• Cryptographic material (≈ 140 bytes): {Signer’s digital signature, Signer’s public key PK, CA’s certificate of PK}
Architecture components:
• Certificate Authority
• Data verification
• Secure positioning
• Tamper-proof device
• Event data recorder
• Secure multihop routing
• Services (e.g., toll payment or infotainment)
22
Tamper-proof device
Each vehicle carries a tamper-proof device
• Contains the secrets of the vehicle itself
• Has its own battery
• Has its own clock (notably in order to be able to sign timestamps)
• Is in charge of all security operations
• Is accessible only by authorized personnel
[Figure: tamper-proof device, vehicle sensors (GPS, speed and acceleration, …), on-board CPU, transmission system]
23
Digital signatures
Symmetric cryptography is not suitable: messages are standalone, large scale, non-repudiation requirement
Hence each message should be signed with a DS
Liability-related messages should be stored in the EDR
24
VPKI (Vehicular PKI)
[Figure labels: PKI; CA; security services (positioning, confidentiality, privacy, ...); P_A, P_B; authentication; shared session key]
Each vehicle carries in its Tamper-Proof Device (TPD):
• A unique and certified identity: Electronic License Plate (ELP)
• A set of certified anonymous public/private key pairs
Mutual authentication can be done without involving a server
Authorities (national or regional) are cross-certified
25
The CA hierarchy: two options
1. Governmental Transportation Authorities
[Figure levels: Country 1; Region 1, Region 2; District 1, District 2; Car A, Car B]
• The governments control certification
• Long certificate chain
• Keys should be recertified on borders to ensure mutual certification
2. Manufacturers
[Figure levels: Manuf. 1, Manuf. 2; Car A, Car B]
• Vehicle manufacturers are trusted
• Only one certificate is needed
• Each car has to store the keys of all vehicle manufacturers
26
Anonymous keys
Preserve identity and location privacy
Keys can be preloaded at periodic checkups
The certificate of V’s ith key: $\mathrm{Cert}_V[PuK_i] = PuK_i \,|\, \mathrm{Sig}_{SK_{CA}}[PuK_i \,|\, ID_{CA}]$
Keys renewal algorithm according to vehicle speed (e.g., ≈ 1 min at 100 km/h)
Anonymity is conditional on the scenario
The authorization to link keys with ELPs is distributed
27
What about privacy: how to avoid the Big Brother syndrome?
At 3:00- Vehicle A spotted at position P1
At 3:15- Vehicle A spotted at position P2
Keys change over time
Liability has to be enforced
Only law enforcement agencies should be allowed to retrieve the real identities of vehicles (and drivers)
28
DoS resilience
Vehicles will probably have several wireless technologies onboard
In most of them, several channels can be used
To thwart DoS, vehicles can switch channels or communication technologies
In the worst case, the system can be deactivated
Network layer
DSRC UTRA-TDD Bluetooth Other
29
Data verification by correlation
Bogus info attack relies on false data
Authenticated vehicles can also send wrong data (on purpose or not)
The correctness of the data should be verified
Correlation can help
30
Security analysis
How much can we secure VANETs?
Messages are authenticated by their signatures
Authentication protects the network from outsiders
Correlation and fast revocation reinforce correctness
Availability remains a problem that can be alleviated
Non-repudiation is achieved because:
• ELP and anonymous keys are specific to one vehicle
• Position is correct if secure positioning is in place
31
What PK cryptosystem to use?
Available options:
• RSA Sign: the most popular but also has the largest key size
• ECDSA: the most compact
• NTRUSign: the fastest in signing and verification
• Other (XTR, HEC, Braid groups, Merkle trees, …)
Signature verification speed matters the most
Further improvements that can help:
• Vehicles verify only relevant content
• Several messages may be signed with the same key
32
Performance comparison
Key and signature size

| PKCS | Key, Sig size (bytes) | Ttx(Sig) (ms) |
|---|---|---|
| RSA | 256 | 0.171 |
| ECDSA | 28, 56 | 0.019, 0.038 |
| NTRU | 197 | 0.131 |

Signature generation and verification (memory-constrained Pentium II 400 MHz workstation)

| PKCS | Generation (ms) | Verification (ms) |
|---|---|---|
| ECDSA | 3.255 | 7.617 |
| NTRU | 1.587 | 1.488 |
33
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay, number of received packets, and throughput is evaluated
Not to scale
37
Certificate revocation in VANETs¹
The CA has to revoke invalid certificates:
• Compromised keys
• Wrongly issued certificates
• A vehicle constantly sends erroneous information
Using Certificate Revocation Lists (CRL) is not appropriate
We propose 3 protocols to revoke a vehicle’s keys:
• Rev. of the Tamper-Proof Device (RTPD): CA revokes all keys
• Rev. by Compressed CRLs (RCCRL): if TPD is not reachable
• Distributed Revocation Protocol (DRP): initiated by peers; generates a
report to the CA, which triggers the actual revocation by RTPD/RCCRL
¹In collaboration with Daniel Jungels and Imad Aad
38
Revocation of the Tamper-Proof Device (RTPD)
[Figure: RTPD message flow. Labels: query last known locations from accusations; secure message sent by 1. IP-routing, 2. IP-broadcast, 3. low-speed broadcast; paging area; broadcast secure message; broadcast compressed CRL; ACK (via BS); TPD of M: erases keys + stops signing]
39
Revocation by Compressed CRLs (RCCRL)
[Figure: RCCRL message flow. Labels: set “blacklisted”; query “blacklisted” + currently valid; compressed CRL; broadcast; low-speed broadcast; receivers ignore msg from M]
40
Distributed Revocation Protocol (DRP)
[Figure: DRP message flow among M, A, B and C. Labels: each of A, B, C keeps an accusation database (acc.-db); accusation-msgs against M accumulate signatures (“M” + sig. A; “M” + sig. A + sig. C; “M” + sig. A + sig. C + sig. B); disregard-msgs with supporting sigs. (“Disregard M” + sig. B, + sig. C) are forwarded; report to CA]
43
DRP coverage
An initially warned vehicle is aware of the attacker even before receiving messages from him
45
Positioning systems and prototypes
Satellites:
- GPS, Galileo, Glonass (Outdoor, Radio Frequency (RF) – Time of Flight (ToF))
General systems:
- Active Badge (Indoor, Infrared (IR)), Olivetti
- Active Bat, Cricket (Indoor, Ultrasound (US)-based), AT&T Lab Cambridge, MIT
- RADAR, SpotON, Nibble (Indoor/Outdoor, RF - Received Signal Strength), Microsoft, Univ. of Washington, UCLA + Xerox Palo Alto Lab
- Ultra Wideband Precision Asset Location System (Indoor/Outdoor, RF-(UWB)-ToF), Multispectral Solutions, Inc.
Ad Hoc/Sensor Network positioning systems (without GPS):
- Convex position estimation (Centralized), UC Berkeley
- Angle of Arrival based positioning (Distributed, Angle of Arrival), Rutgers
- Dynamic fine-grained localization (Distributed), UCLA
- GPS-less low cost outdoor localization (Distributed, Landmark-based), UCLA
- GPS-free positioning (Distributed), EPFL
46
GPS
- A constellation of 24 Earth-orbiting operational satellites
- Each receiver can see at least 4 satellites simultaneously (to improve accuracy)
- Satellites emit low-power signals
- Positioning by 3-D trilateration
- Differential GPS can improve accuracy from several meters to a few centimeters.
47
GPS Security – Example of attack
A GPS simulator can send strong fake signals to mask authentic weak signals
GPS simulator
48
GPS Security
Other vulnerabilities
• Relaying attack: connects the receiver to a remote antenna
• Signal-synthesis attack: feeds the receiver with false signals
• Selective-delay attack: predicts the signal Δt earlier
Security solutions
• Tamper-resistant hardware
• Symmetric crypto
  • Problem: an authenticated receiver can hack the system
• Asymmetric crypto
  • Problem: additional delay
49
Distance measurement techniques
- Based on the speed of light (RF, IR)
  A and B are synchronized (ToF): $d_{AB}^{m} = (t_r - t_s)\,c$
  A and B are NOT synchronized (round-trip ToF): $d_{AB}^{m} = (t_r - t_s - t_{procB})\,c/2$
- Based on the speed of sound (Ultrasound): $d_{AB}^{m} = (t_r(RF) - t_r(US))\,s$
- Based on Received Signal Strength (RSS)
50
Attacks on RF and US ToF-based techniques
- Insider attacker: cheat on the time of sending (ts) or time of reception (tr)
  (A and B are assumed to be synchronised; ts is sent encrypted) $d_{AB}^{m} = (t_r - t_s)\,c$
- Outsider attacker M: 2 steps:
  1. Overhear and jam
  2. Replay with a delay Δt
  B receives ts (enc.) at $t_r + \Delta t$: $d_{AB}^{m} = (t_r + \Delta t - t_s)\,c \Rightarrow d_{AB}^{m} > d_{AB}$
51
Summary of possible attacks on distance measurement
| Technique | Insider attackers | Outsider attackers |
|---|---|---|
| RSS (Received Signal Strength) | Distance enlargement and reduction | Distance enlargement and reduction |
| Ultrasound Time of Flight | Distance enlargement and reduction | Distance enlargement and reduction |
| Radio Time of Flight | Distance enlargement and reduction | Distance enlargement only |
52
The challenge of secure positioning
- Goals:
  - preventing an insider attacker from cheating about its own position
  - preventing an outsider attacker from spoofing the position of an honest node
- Our proposal: Verifiable Multilateration
53
Distance Bounding (RF)
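- Introduced in 1993 by Brands and Chaum (to prevent the Mafia fraud attack)
- BS sends the nonce $N_{BS}$ at time $t_s$; A replies with $N_{BS} \oplus N_A$, which BS receives at time $t_r$
- $t_{procA} \le \varepsilon$
- $d_{real} \le d_b = (t_r - t_s)\,c/2$ ($d_b$ = distance bound)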
54
Distance bounding characteristics
| Technique | Insider attackers | Outsider attackers |
|---|---|---|
| RSS | Distance enlargement and reduction | Distance enlargement and reduction |
| US ToF | Distance enlargement and reduction | Distance enlargement and reduction |
| RF ToF | Distance enlargement and reduction | Distance enlargement only |
| RF Distance Bounding | Distance enlargement only | Distance enlargement only |
| US Distance Bounding | Distance enlargement only | Distance enlargement and reduction |

- RF distance bounding:
  - nanosecond precision required, 1 ns ~ 30 cm
  - UWB enables clock precision up to 2 ns and 1 m positioning indoor and outdoor (up to 2 km)
- US distance bounding:
  - millisecond precision required, 1 ms ~ 35 cm
55
Verifiable Multilateration (Trilateration)
[Figure: x-y plane with vehicle A at (x,y) inside the verification triangle formed by BS1, BS2 and BS3; distance bounding between the base stations and A]
56
Properties of Verifiable Multilateration
- a vehicle located within the triangle cannot prove to be at another position within the triangle except at its true position.
- an outsider attacker cannot spoof the position of a vehicle such that it seems that the vehicle is at a position different from its real position within the triangle
- a vehicle located outside the triangle formed by the verifiers cannot prove to be at any position within the triangle
- an outsider attacker cannot spoof the position of a vehicle such that it seems that it is located at a position within the triangle, if the vehicle is out of the triangle
The same holds in 3-D, with a triangular pyramid instead of a triangle
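An added example, not part of the original slides, of the verifier-side check behind these properties: three distance bounds are intersected, and the position is accepted only if all bounds agree on one point inside the verification triangle. The base-station coordinates, the tolerance and all function names are assumptions; the attacker is modelled as able only to enlarge a bound, as stated for RF distance bounding.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def distance_bound(t_s, t_r):
    """Slide formula db = (tr - ts) * c / 2 for one RF distance-bounding round."""
    return (t_r - t_s) * C / 2

def multilaterate(verifiers, bounds):
    """Intersect the three circles |p - BSi| = db_i by subtracting circle 1 from 2 and 3."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    d1, d2, d3 = bounds
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("verifiers are collinear")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - b1 * a21) / det)

def inside_triangle(p, verifiers):
    """True if p is strictly inside the verification triangle (same-side test)."""
    cross = []
    for i in range(3):
        (ax, ay), (bx, by) = verifiers[i], verifiers[(i + 1) % 3]
        cross.append((bx - ax) * (p[1] - ay) - (by - ay) * (p[0] - ax))
    return all(c > 0 for c in cross) or all(c < 0 for c in cross)

def verify_position(verifiers, bounds, tol=1.0):
    """Return the position if all bounds agree on one point inside the triangle, else None."""
    p = multilaterate(verifiers, bounds)
    if any(abs(math.dist(p, v) - d) > tol for v, d in zip(verifiers, bounds)):
        return None  # bounds are mutually inconsistent: some distance was enlarged
    return p if inside_triangle(p, verifiers) else None

def best_enlarge_only_attack(true_pos, fake_pos, verifiers):
    """Attacker model from the slides: each bound can be enlarged, never reduced."""
    return [max(math.dist(true_pos, v), math.dist(fake_pos, v)) for v in verifiers]

# Constructed sample layout (metres); not from the slides.
BS = [(0.0, 0.0), (1000.0, 0.0), (500.0, 800.0)]
honest = [math.dist((400.0, 300.0), v) for v in BS]
print(verify_position(BS, honest))  # honest vehicle inside the triangle
print(verify_position(BS, best_enlarge_only_attack((400.0, 300.0), (600.0, 200.0), BS)))
print(verify_position(BS, best_enlarge_only_attack((500.0, -200.0), (500.0, 200.0), BS)))
```

The second call models a vehicle inside the triangle claiming another interior point, the third a vehicle outside claiming an interior point; in both cases reaching the claimed point would require reducing at least one bound, so the check rejects them.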
57
Conclusion on secure positioning
New research area
Positioning tout court is not yet completely solved (solutions will rely on GPS, on terrestrial base stations, and on mutual distance estimation)
Time of flight seems to be the most appropriate technique
More information available at: http://spot.epfl.ch
Srdjan Capkun and Jean-Pierre Hubaux, Secure Positioning of Wireless Devices, Infocom 2005, JSAC Feb. 2006
58
Events and resources on Vehicular Networks
Conferences and journals
• VANET, colocated with Mobicom
• V2V-Com, co-located with Mobiquitous
• WIT: Workshop on Intelligent Transportation
• VTC: Vehicular Technology Conference
• IV: Conference on Intelligent Vehicles
• escar 2006: Workshop on Embedded security in Cars, Nov. 13-15, Berlin (D) http://www.escarworkshop.org/
• IEEE Transactions on Intelligent Transportation Systems
• IEEE Transactions on Vehicular Technology
European industrial consortium: http://www.car-2-car.org/
http://ivc.epfl.ch
59
New European Project: SeVeCom
• SeVeCom: Secure Vehicular Communications
• http://www.sevecom.org
• Started January 2006; Duration: 3 years; Total budget: 3 MEuros
60
Research topics
Topic Scope of work
A1 Key and identity management Fully addressed
A2 Secure communication protocols (including secure routing) Fully addressed
A3 Tamper proof device and decision on cryptosystem Fully addressed
A4 Intrusion Detection Investigation work
A5 Data consistency Investigation work
A6 Privacy Fully addressed
A7 Secure positioning Investigation work
A8 Secure user interface Investigation work
61
Conclusion
The security of vehicular communications is a difficult and highly relevant problem
Car manufacturers seem to be poised to massively invest in this area
Slow penetration makes connectivity more difficult
Security leads to a substantial overhead and must be taken into account from the beginning of the design process
The field offers plenty of novel research challenges
Pitfalls
• Defer the design of security
• Security by obscurity
More info at http://ivc.epfl.ch