towards secure vehicular networks - niksun › presentations › day3 ›...
TRANSCRIPT
1
Towards Secure Vehicular Networks
NikSun WWSMC 2011
Some co-workers:
Tao Zhang
Stanley Pietrowicz
Hyong Shim
Yibei Ling
(Telcordia Technologies)
Speaker:
Giovanni Di Crescenzo
Senior Scientist
Telcordia Technologies
Piscataway, NJ, 08854
E-mail: [email protected]
Part of the work in this talk was performed under the United States VII initiative, and the CAMP-VSC consortium,
both funded by the United States Department Of Transportation. The views and conclusions contained in this
document are those of the speaker and should not be interpreted as representing the official policies,
either expressed or implied, of the U.S. Government.
2
Summary of talk
A Nationwide Vehicular Network:
Applications (safety, consumer and communication services, mobility, etc.)
Architecture (vehicle-to-infrastructure, vehicle-to-vehicle, etc.)
Basic Security and Privacy Challenges
Solution Approaches
Privacy-Preserving, Limited-Infrastructure, PKI
PKI properties and metrics
Privacy-preserving mechanisms
Distribution of Certificate Revocation Lists
Malicious Behavior Detection in concrete traffic-related abuses
Conclusions and Future Directions
3
Example Vehicular Network Applications
Safety
Intersection Collision Avoidance
Lane/Road Departure
Road Condition Warning
Emergency Electronic Brake Lights
Mobility Probe Data
– Average speed
– Travel Time
– Roadway Conditions & Incidents
Real-time traveler Info
– En-route alerts
– Congestion maps
– Dynamic routing & Navigation Assistance
– Weather Alerts
Traffic Signal Timing
Ramp Metering
Cooperative Adaptive Cruise Control
Emergency response
Consumer and Commercial
Services
Toll payment
Parking location assistance
Parking Access & Payment
Vehicle Diagnostics/Prognostics
Food Drive-through payment
Concierge assistance
Software/firmware updates
*Responsible for 50% of all crashes & fatalities, overall costing ~$60 billions/year
*
4
A Nationwide Vehicular Network: architecture
(OBE)
Applications
(V2I) On Board Equipment (OBE)
Road-side Equipment (RSE)
(RSE)
(OBE)
Vehicle-to-Vehicle (V2V)
Vehicle-to-Infrastructure (V2I)
5
Basic security and privacy requirements
Back-end infrastructure server
Front-endInfrastructure
Server
Back-end infrastructure
server
Security:
Authorization: Network communication by unauthorized vehicles is detected by any other vehicles or servers
Short-term Linkability: A vehicle’s activity is trackable within any sufficiently short time interval
Malicious Behavior Detection: Concrete insider abuse cases (i.e., vehicles deviating from prescribed traffic-
safety or other protocols) are detected by other vehicles or servers
Privacy:
Anonymity: Vehicle messages do not help identifying owner or driver
Unlinkability: Vehicle messages do not help tracking the same vehicle’s path
6
Challenges hint at a special type of PKI
Authorization and Authentication
Need to be available in both client-to-server and client-to-client interactions
Client-to-client interactions may happen for long time intervals and far from servers
Need capability to revoke or reissue authorization rights
Membership updates need to be promptly distributed to all clients
Short-term linkability: Need capability to analyze vehicle behavior within any given short time
Malicious Behavior Detection: attackers are arbitrarily changing message content and/or
message frequency, and causing accidents via false speeding, false braking, false congestion
claims, etc.
Back-end infrastructure server
Front-endInfrastructure
Server
Back-end infrastructure
server
7
Vehicular Network PKI: properties, metrics (1)
Classes of
properties
(Main) Properties Metrics (sketch)
Functionality Availability of non-expired keys time spent by vehicles with expired keys
Security Message-based short-term driver
linkability
probability of linking messages originated by
the same vehicle
Minimal impact of non-revoked
certificates
time that a vehicle (found to have
misbehaved) remains unrevoked
Minimal impact of non-updated CRL time that a vehicle is unaware of another
vehicle who was revoked
Security against Sybil attacks probability of linking messages originated by
the same vehicle pretending to act like
multiple ones
Authority traceability probability authority can link messages by
the same vehicle to their sender
Performance Minimum latency, running time,
communication complexity, memory,
deployment cost of PKI operations
Latency, running time, communication
complexity, memory, deployment cost of
vehicles and CA servers in PKI operations
8
Vehicular Network PKI: properties, metrics (2) Classes of
properties
(Main)
Properties
Metrics (sketch)
Privacy Message-based
driver anonymity
Cost to reduce
anonymity
p-q, where p (resp., q) =
Prob [ adversary with some resources (e.g.,
monitoring points, auxiliary information) of a
certain cost can use VANET messages
(resp., traffic-related messages) to compute
sensitive info S about driver ]
Attacker’s cost to increase p-q to “high” level
Message-based long-
term driver
unlinkability
Cost to reduce
unlinkability
p-q, where p (resp., q) =
Prob [ adversary with some resources (e.g.,
monitoring points, auxiliary information) of a
certain cost can use VANET messages
(resp., traffic-related messages) to link m
messages to same driver ]
Attacker’s cost to increase p-q to “high” level
Infrastructure Minimum number of
infrastructure servers
Number of front-end CA infrastructure servers
9
Modeling vehicular network PKIs: paradigms and operations
Basic PKI functionality paradigm: CA and vehicles generate and manage cryptographic keys
vehicles to produce digital signatures and receive encrypted messages and associated certificates, and verify that cryptographic keys and associated attributes are certified by the CA
Basic PKI operations (during a PKI lifecycle): Certificate Generation and Distribution: vehicle obtains cryptographic keys
+ certificate from CA server
Certificate Renewal: vehicle renews cryptographic keys + certificates, either upon expiration or (cleared) revocation
Certificate Misuse Detection and Reporting, and CRL distribution: reporting vehicle(s) send to the CA server and/or other vehicles some evidence for potential vehicle key misuse. Afterwards, the updated CRL is distributed by the CA server to all vehicles.
Certificate Use for Secure Communication: A heartbeat message from a vehicle includes (at least) a time-stamp + traffic-related data (e.g., position, direction, speed, and recent trajectory); signature verification public key + certificate; CA’s signature of the above
10
Telcordia’s proposed PKI Solution (ACM DIM 2010)
Unique Features: A double hashing technique to
create linkage tags with provable long-term unlinkability
A method to set common and randomized certificate validity time periods to enhance scalability and unlinkability
Each vehicle maintains a small CRL and can efficiently determine whether a certificate is on the CRL
Selective backward unlinkabilityusing a third hashing step when creating linkage tags
Encrypted certificates to minimize communication in over-the-air certificate renewal
Basic Approach:
• Vehicle is assigned many digital
signature pairs of public + secret keys,
each with “anonymous” certificates
with “linkage tags”, to sign messages
(only) during certificate’s validity time
period and to allow efficient CRLs
• Using same certificate for short validity
time period helps towards short-term
linkability and other security
properties.
• Using different certificates in different
time periods + non-trivial certificate
change strategies helps towards long-
term unlinkability and privacy.
• To support certificate renewal,
misbehavior reporting and CRL
distribution: (1) Waiting for physical
proximity; (2) Geo-routing, geo-casting
11
PKI Solution: Certificates and fast CRL accessCertificate Structure CRL Structure and Management
pki: vehicle’s ith signature verification public key
vtpi: ith certificate’s validity time
period (empty if vtp is common or just expiry date if vtp is randomized)
htagi: linkage tag for the ith
certificate, calculated as a hash tag, as follows:
Certv,i = (pki, vtpi, htagi, signatureCA)
htagi = H(ki; pv), where ki=H(kv;vtpi)
Revokedv,t = (pv, kv)
• Step1: For each revoked vehicle
on CRL: compute htagi+1 for next
validity period vtpi+1; sort results
• Step2: Upon receiving certificate
with htagx from another vehicle,
perform binary search through list
of tags to see if htagx is on the list
• Note: unsynchronized clock are dealt with
by storing >1 tags
• Tag computation can be amortized across
all time intervals before vtp
12
PKI approach: distribute CRL via geo-casting (IEEE Globecom 2010)
From geo-routing to geo-casting: Analyzing geo-routing in area A is reduced to analyzing geo-casting in area B, where a density-based relationship between A and B is easily calculated
From geo-casting to broadcasting: Analyzing geo-casting in a vehicular network with given communication channel options (RSEs, special vehicles, inspection centers, etc.) is reduced to analyzing flooding/broadcasting protocols in a “regular” subarea with an arbitrary vehicle density (simulating cities/towns/rural areas as subareas with high/low/very low densities, and with decreasing-density neighborhood)
• Analyzing broadcasting protocols:
We analyzed 7 known and
variants of known broadcasting
protocols:• Blind Flooding,
• Persistent Flooding,
• Neighbor Presence Broadcast,
• Probabilistic Neighbor Density
Broadcast,
• Neighbor Change Broadcast,
• Neighbor Count Change Broadcast,
• Neighbor Knowledge Broadcast
13
Models for estimating geo-casting delay
Conclusions:
• Neighbor Knowledge Broadcast has
attractive properties in terms of distribution
time and exchanged messages
• Neighbor Change Broadcast and Neighbor
Count Change Broadcast are almost as fast
and avoid one round of interaction
• Scaling to entire country: 40K servers cover
>95% of cars in <50 minutes (just an
example obtained with non-optimized data)
Setup:
• Manhattan Grid Mobility Model
• A grid of about 16 sq miles
• 500 nodes in the first figure, from 2 to
1000 nodes in the second figure
• Third figure: grid of ~ 4096 sq miles,
divided into 256 regions, each with
• its own vehicle density (simulating
distribution in real maps),
• 1 front-end CA server,
• 16 sq miles area.
14
Malicious behavior detection: Model, Techniques (IEEE VNC 2010)
Malicious behavior in vehicular networks can have undesirable consequences
traffic safety apps will demand repeated vehicle data transmission (e.g., position, speed, trajectory, time)
attackers might manipulate data and abuse any cryptosystem in place to harm other vehicles (e.g., causing
accidents) or the vehicular network (e.g., traffic redirection, insurance frauds, evading law enforcement)
Protecting against these attacks is very challenging as, for instance, they may have
short duration, involve few untrusted vehicles and rely on honest majority assumption
Previous work provided frameworks for abstract traffic threats and attacks avoided via
interactive voting / consensus protocols and/or cryptographic techniques
Recent Telcordia work:
Recognized need to minimize interaction from malicious behavior
Modeled and characterized specific traffic-related threats and attacks
Proposed non-interactive alert self-generation and abuse self-detection via simple and efficient voting and
greedy optimization algorithms
Alert self-generation algorithm: based on appropriate combination of speed condition, time condition,
geography condition, etc., evaluated over messages received from nearby vehicles
Abuse self-detection algorithm: non-interactively implementing a voting scheme based on data in
messages received from (possibly more) nearby vehicles, as well as auxiliary information
15
Specific Detection Techniques: design, analysis
Alert self-generation:
Each vehicle evaluates abuse-specific time, position, and velocity conditions
In false braking example below (sketch):
Time: messages are consecutive
Position: vehicle moves within a specific circle sector in the driving direction
Velocity: speed decreases very quickly
AE D C B
brakingvotingvotingreactingreacting
Abuse self-detection:
Upon alert, vehicle takes appropriate action
after evaluating the general voting formula
where
S is set of vehicles in the abuse-specific area and adv is the number of malicious vehicles in S, if known
v(i) is the vote derived from i-th vehicle in S and w(i) is a weight based on confidence, vehicle reputation, etc.
c is a tunable confidence parameter set, in our analysis, as a function of measurable geographic parameters
on top of this formula we use a very efficient greedy (knapsack) algorithm to choose only some of the nearby, based on relevance, reliability, etc.
16
Specific Detection Techniques: simulation results
Simulation of Urban Mobility (SUMO) Map imported from OpenStreetMap An area in the city of Chicago NW (41.96, -87.79) - SW (41.94, -87.76) S-N distance: 1mile, E-W distance: 1mile
Total length: 54km # of Streets: 591, # of traffic lights: 858 Avg speed = 15m/h, max speed = 35m/h 1700 non-interactive elections in 2000 sec AE D C B
brakingvotingvotingreactingreacting
0
5
10
15
20
25
30
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Conclusions: under rather conservative assumptions on transmission and cryptographic computation time delays,
D has 71% chance to successfully ignore A’s false braking claim
E has 94% chance