Survey of Vehicular Network Security
Jonathan Van Eenwyk

Contents
- Design Issues
- Certificate-Based Solution
- Privacy Concerns
- Data Validation

Design Issues
- The Security and Privacy of Smart Vehicles
  IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
- Attacks on Inter-Vehicle Communication Systems - an Analysis
  Aijaz, et al (supported by industry)
- Challenges in Securing Vehicular Networks
  HotNets-IV: Parno and Perrig
- Security Issues in a Future Vehicular Network
  European Wireless, 2002: Zarki, et al

Design Issues
The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
- System model
  - Ad-hoc communication between vehicles and base stations
  - Base stations provide services
  - Vehicles provide sensor data
  - Vehicles have more resources than most ad-hoc networks
- Applications
  - Traffic and safety alerts
  - Travel tips
  - Infotainment (including Internet access)

Design Issues
The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
- Challenges
  - Authentication and data encryption
  - Auditing sensor data
  - Privacy (avoid tracking)
  - Infrastructure boot-strapping
  - Negative perception of smart vehicles

Design Issues
The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
- Key Features
  - Context sensors (front-end radar, ultra-sound, etc)
  - Event data recorder (i.e., “black box”)
  - Tamper-proof device to handle encrypted transmissions
  - Location detection (GPS or distance bounding)
  - Communication with road-side base stations

Certificate-Based Solution
- The Security of Vehicular Networks
  EPFL Technical Report, March 2005: Raya, Hubaux
- Certificate Revocation in Vehicular Networks
  LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Certificate-Based Solution
The Security of Vehicular Networks
EPFL Technical Report, March 2005: Raya, Hubaux
- Attacks
  - Bogus information
  - Message tampering
  - Cheating (data manipulation, impersonation)
  - Identity disclosure for vehicle tracking
  - Denial of service

Certificate-Based Solution
The Security of Vehicular Networks
EPFL Technical Report, March 2005: Raya, Hubaux
- Security Mechanisms
  - Electronic License Plate (post-mortem auditing)
  - Asymmetric encryption using public key infrastructure
    - Large number of anonymous keys (no identity information)
    - Vehicles frequently change keys to avoid tracking
    - Keys can be revoked (more later)
  - Physical layer protection against denial of service
    - Channel switching
    - Implement more than one communication technology

Certificate-Based Solution
Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
- Revocation using Compressed Certificate Revocation Lists (RC2RL)
  - Large number of vehicles, so potentially huge revocation list
  - Lossy compression using Bloom filter
    - Configurable rate of false positives
    - Definitely no false negatives
  - Bit vector of length m
  - Hash a with k hashing functions
  - Each function sets one bit
  - Later, verify membership if all k bits are set as expected

Certificate-Based Solution
Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
- Revocation of the Tamper-Proof Device (RTPD)
  - Send message to vehicle’s TPD to revoke all activity
  - Send to base stations nearest last known location
  - Broadcast over low-bandwidth radio (AM/FM) or satellite
  - Lower overhead approach as long as TPD is reachable
  - Send localized revocation list to surrounding area

Certificate-Based Solution
Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
- Distributed Revocation Protocol (DRP)
  - Vehicles that detect malicious nodes can warn others
  - Requires an honest majority
  - Warnings have lower weight if sending node has also been condemned by other nodes
- Node 4 condemns node 2
- But this warning has less weight because node 4 has itself been condemned by nodes 1 and 3
[Figure: nodes 1, 2, 3 and 4]

Privacy Concerns
- Balancing Auditability and Privacy in Vehicular Networks
  Q2SWinet '05: Choi, Jakobsson, Wetzel
- CARAVAN: Providing Location Privacy for VANET
  ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki

Privacy Concerns
Balancing Auditability and Privacy in Vehicular Networks
Q2SWinet '05: Choi, Jakobsson, Wetzel
- Provide privacy
  - From peer-to-peer vehicles
  - From infrastructure authorities
- Support auditability
  - Linkability between anonymous handles and owner identity
  - Requires off-line permission granting (court order, etc)

Privacy Concerns
Balancing Auditability and Privacy in Vehicular Networks
Q2SWinet '05: Choi, Jakobsson, Wetzel
- Two-Level Infrastructure
  - Back-end (ombudsman)
    - Creates long-term “handle” from node identities
    - Nodes initialized with set of handles
    - Off-line approval can grant identity from pseudonym
  - Front-end (road-side base stations)
    - Uses short-term pseudonyms created from long-term handles
    - Pseudonym and shared key created from handle and timestamp

Privacy Concerns
CARAVAN: Providing Location Privacy for VANET
ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki
- Provide privacy from vehicle location tracking
- Proposed Techniques
  - Update pseudonym after random silence period
    - Fixed-interval updates can be tracked by estimating trajectory
    - Silence period obscures nodes if other nodes are present
  - Designate group leader to proxy communications
    - Avoids redundant transmissions
    - Extends length of time to use each pseudonym

Data Validation
- Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
  VANET '06: Picconi, Ravi, Gruteser, Iftode
- Detecting and Correcting Malicious Data in VANETs
  VANET '04: Golle, Greene, Staddon

Data Validation
Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
VANET '06: Picconi, Ravi, Gruteser, Iftode
- Allow sensor data to be aggregated
- Use signing certificates to validate data
- Randomly force one complete record to be included
- Relies heavily on tamper-proof device

Data Validation
Detecting and Correcting Malicious Data in VANETs
VANET '04: Golle, Greene, Staddon
- Nodes attempt to identify malicious data via information sharing
- Nodes detect neighbors and contribute to global database
- Malicious nodes may contribute invalid or spoofed data
  - May try to fake a traffic jam
- Friendly nodes build models to explain database observations
  - Is there one malicious node attempting to spoof three other nodes?
  - Are all four nodes malicious?
- Possible heuristic: choose scenario with fewest bad and spoofed nodes

Data Validation
Detecting and Correcting Malicious Data in VANETs
VANET '04: Golle, Greene, Staddon
- Example
  - Actual Scenario
  - Possible Explanations

Questions?