1

Towards Secure Vehicular Networks

NikSun WWSMC 2011

Some co-workers:

Tao Zhang

Stanley Pietrowicz

Hyong Shim

Yibei Ling

(Telcordia Technologies)

Speaker:

Giovanni Di Crescenzo

Senior Scientist

Telcordia Technologies

Piscataway, NJ, 08854

E-mail: giovanni@research.telcordia.com

Part of the work in this talk was performed under the United States VII initiative, and the CAMP-VSC consortium,

both funded by the United States Department Of Transportation. The views and conclusions contained in this

document are those of the speaker and should not be interpreted as representing the official policies,

either expressed or implied, of the U.S. Government.

2

Summary of talk

A Nationwide Vehicular Network:

Applications (safety, consumer and communication services, mobility, etc.)

Architecture (vehicle-to-infrastructure, vehicle-to-vehicle, etc.)

Basic Security and Privacy Challenges

Solution Approaches

Privacy-Preserving, Limited-Infrastructure, PKI

PKI properties and metrics

Privacy-preserving mechanisms

Distribution of Certificate Revocation Lists

Malicious Behavior Detection in concrete traffic-related abuses

Conclusions and Future Directions

3

Example Vehicular Network Applications

Safety

Intersection Collision Avoidance

Lane/Road Departure

Road Condition Warning

Emergency Electronic Brake Lights

Mobility Probe Data

– Average speed

– Travel Time

– Roadway Conditions & Incidents

Real-time traveler Info

– En-route alerts

– Congestion maps

– Dynamic routing & Navigation Assistance

– Weather Alerts

Traffic Signal Timing

Ramp Metering

Cooperative Adaptive Cruise Control

Emergency response

Consumer and Commercial

Services

Toll payment

Parking location assistance

Parking Access & Payment

Vehicle Diagnostics/Prognostics

Food Drive-through payment

Concierge assistance

Software/firmware updates

*Responsible for 50% of all crashes & fatalities, overall costing ~$60 billions/year

*

4

A Nationwide Vehicular Network: architecture

(OBE)

Applications

(V2I) On Board Equipment (OBE)

Road-side Equipment (RSE)

(RSE)

(OBE)

Vehicle-to-Vehicle (V2V)

Vehicle-to-Infrastructure (V2I)

5

Basic security and privacy requirements

Back-end infrastructure server

Front-endInfrastructure

Server

Back-end infrastructure

server

Security:

Authorization: Network communication by unauthorized vehicles is detected by any other vehicles or servers

Short-term Linkability: A vehicle’s activity is trackable within any sufficiently short time interval

Malicious Behavior Detection: Concrete insider abuse cases (i.e., vehicles deviating from prescribed traffic-

safety or other protocols) are detected by other vehicles or servers

Privacy:

Anonymity: Vehicle messages do not help identifying owner or driver

Unlinkability: Vehicle messages do not help tracking the same vehicle’s path

6

Challenges hint at a special type of PKI

Authorization and Authentication

Need to be available in both client-to-server and client-to-client interactions

Client-to-client interactions may happen for long time intervals and far from servers

Need capability to revoke or reissue authorization rights

Membership updates need to be promptly distributed to all clients

Short-term linkability: Need capability to analyze vehicle behavior within any given short time

Malicious Behavior Detection: attackers are arbitrarily changing message content and/or

message frequency, and causing accidents via false speeding, false braking, false congestion

claims, etc.

Back-end infrastructure server

Front-endInfrastructure

Server

Back-end infrastructure

server

7

Vehicular Network PKI: properties, metrics (1)

Classes of

properties

(Main) Properties Metrics (sketch)

Functionality Availability of non-expired keys time spent by vehicles with expired keys

Security Message-based short-term driver

linkability

probability of linking messages originated by

the same vehicle

Minimal impact of non-revoked

certificates

time that a vehicle (found to have

misbehaved) remains unrevoked

Minimal impact of non-updated CRL time that a vehicle is unaware of another

vehicle who was revoked

Security against Sybil attacks probability of linking messages originated by

the same vehicle pretending to act like

multiple ones

Authority traceability probability authority can link messages by

the same vehicle to their sender

Performance Minimum latency, running time,

communication complexity, memory,

deployment cost of PKI operations

Latency, running time, communication

complexity, memory, deployment cost of

vehicles and CA servers in PKI operations

8

Vehicular Network PKI: properties, metrics (2) Classes of

properties

(Main)

Properties

Metrics (sketch)

Privacy Message-based

driver anonymity

Cost to reduce

anonymity

p-q, where p (resp., q) =

Prob [ adversary with some resources (e.g.,

monitoring points, auxiliary information) of a

certain cost can use VANET messages

(resp., traffic-related messages) to compute

sensitive info S about driver ]

Attacker’s cost to increase p-q to “high” level

Message-based long-

term driver

unlinkability

Cost to reduce

unlinkability

p-q, where p (resp., q) =

Prob [ adversary with some resources (e.g.,

monitoring points, auxiliary information) of a

certain cost can use VANET messages

(resp., traffic-related messages) to link m

messages to same driver ]

Attacker’s cost to increase p-q to “high” level

Infrastructure Minimum number of

infrastructure servers

Number of front-end CA infrastructure servers

9

Modeling vehicular network PKIs: paradigms and operations

Basic PKI functionality paradigm: CA and vehicles generate and manage cryptographic keys

vehicles to produce digital signatures and receive encrypted messages and associated certificates, and verify that cryptographic keys and associated attributes are certified by the CA

Basic PKI operations (during a PKI lifecycle): Certificate Generation and Distribution: vehicle obtains cryptographic keys

+ certificate from CA server

Certificate Renewal: vehicle renews cryptographic keys + certificates, either upon expiration or (cleared) revocation

Certificate Misuse Detection and Reporting, and CRL distribution: reporting vehicle(s) send to the CA server and/or other vehicles some evidence for potential vehicle key misuse. Afterwards, the updated CRL is distributed by the CA server to all vehicles.

Certificate Use for Secure Communication: A heartbeat message from a vehicle includes (at least) a time-stamp + traffic-related data (e.g., position, direction, speed, and recent trajectory); signature verification public key + certificate; CA’s signature of the above

10

Telcordia’s proposed PKI Solution (ACM DIM 2010)

Unique Features: A double hashing technique to

create linkage tags with provable long-term unlinkability

A method to set common and randomized certificate validity time periods to enhance scalability and unlinkability

Each vehicle maintains a small CRL and can efficiently determine whether a certificate is on the CRL

Selective backward unlinkabilityusing a third hashing step when creating linkage tags

Encrypted certificates to minimize communication in over-the-air certificate renewal

Basic Approach:

• Vehicle is assigned many digital

signature pairs of public + secret keys,

each with “anonymous” certificates

with “linkage tags”, to sign messages

(only) during certificate’s validity time

period and to allow efficient CRLs

• Using same certificate for short validity

time period helps towards short-term

linkability and other security

properties.

• Using different certificates in different

time periods + non-trivial certificate

change strategies helps towards long-

term unlinkability and privacy.

• To support certificate renewal,

misbehavior reporting and CRL

distribution: (1) Waiting for physical

proximity; (2) Geo-routing, geo-casting

11

PKI Solution: Certificates and fast CRL accessCertificate Structure CRL Structure and Management

pki: vehicle’s ith signature verification public key

vtpi: ith certificate’s validity time

period (empty if vtp is common or just expiry date if vtp is randomized)

htagi: linkage tag for the ith

certificate, calculated as a hash tag, as follows:

Certv,i = (pki, vtpi, htagi, signatureCA)

htagi = H(ki; pv), where ki=H(kv;vtpi)

Revokedv,t = (pv, kv)

• Step1: For each revoked vehicle

on CRL: compute htagi+1 for next

validity period vtpi+1; sort results

• Step2: Upon receiving certificate

with htagx from another vehicle,

perform binary search through list

of tags to see if htagx is on the list

• Note: unsynchronized clock are dealt with

by storing >1 tags

• Tag computation can be amortized across

all time intervals before vtp

12

PKI approach: distribute CRL via geo-casting (IEEE Globecom 2010)

From geo-routing to geo-casting: Analyzing geo-routing in area A is reduced to analyzing geo-casting in area B, where a density-based relationship between A and B is easily calculated

From geo-casting to broadcasting: Analyzing geo-casting in a vehicular network with given communication channel options (RSEs, special vehicles, inspection centers, etc.) is reduced to analyzing flooding/broadcasting protocols in a “regular” subarea with an arbitrary vehicle density (simulating cities/towns/rural areas as subareas with high/low/very low densities, and with decreasing-density neighborhood)

• Analyzing broadcasting protocols:

We analyzed 7 known and

variants of known broadcasting

protocols:• Blind Flooding,

• Persistent Flooding,

• Neighbor Presence Broadcast,

• Probabilistic Neighbor Density

Broadcast,

• Neighbor Change Broadcast,

• Neighbor Count Change Broadcast,

• Neighbor Knowledge Broadcast

13

Models for estimating geo-casting delay

Conclusions:

• Neighbor Knowledge Broadcast has

attractive properties in terms of distribution

time and exchanged messages

• Neighbor Change Broadcast and Neighbor

Count Change Broadcast are almost as fast

and avoid one round of interaction

• Scaling to entire country: 40K servers cover

>95% of cars in <50 minutes (just an

example obtained with non-optimized data)

Setup:

• Manhattan Grid Mobility Model

• A grid of about 16 sq miles

• 500 nodes in the first figure, from 2 to

1000 nodes in the second figure

• Third figure: grid of ~ 4096 sq miles,

divided into 256 regions, each with

• its own vehicle density (simulating

distribution in real maps),

• 1 front-end CA server,

• 16 sq miles area.

14

Malicious behavior detection: Model, Techniques (IEEE VNC 2010)

Malicious behavior in vehicular networks can have undesirable consequences

traffic safety apps will demand repeated vehicle data transmission (e.g., position, speed, trajectory, time)

attackers might manipulate data and abuse any cryptosystem in place to harm other vehicles (e.g., causing

accidents) or the vehicular network (e.g., traffic redirection, insurance frauds, evading law enforcement)

Protecting against these attacks is very challenging as, for instance, they may have

short duration, involve few untrusted vehicles and rely on honest majority assumption

Previous work provided frameworks for abstract traffic threats and attacks avoided via

interactive voting / consensus protocols and/or cryptographic techniques

Recent Telcordia work:

Recognized need to minimize interaction from malicious behavior

Modeled and characterized specific traffic-related threats and attacks

Proposed non-interactive alert self-generation and abuse self-detection via simple and efficient voting and

greedy optimization algorithms

Alert self-generation algorithm: based on appropriate combination of speed condition, time condition,

geography condition, etc., evaluated over messages received from nearby vehicles

Abuse self-detection algorithm: non-interactively implementing a voting scheme based on data in

messages received from (possibly more) nearby vehicles, as well as auxiliary information

15

Specific Detection Techniques: design, analysis

Alert self-generation:

Each vehicle evaluates abuse-specific time, position, and velocity conditions

In false braking example below (sketch):

Time: messages are consecutive

Position: vehicle moves within a specific circle sector in the driving direction

Velocity: speed decreases very quickly

AE D C B

brakingvotingvotingreactingreacting

Abuse self-detection:

Upon alert, vehicle takes appropriate action

after evaluating the general voting formula

where

S is set of vehicles in the abuse-specific area and adv is the number of malicious vehicles in S, if known

v(i) is the vote derived from i-th vehicle in S and w(i) is a weight based on confidence, vehicle reputation, etc.

c is a tunable confidence parameter set, in our analysis, as a function of measurable geographic parameters

on top of this formula we use a very efficient greedy (knapsack) algorithm to choose only some of the nearby, based on relevance, reliability, etc.

16

Specific Detection Techniques: simulation results

Simulation of Urban Mobility (SUMO) Map imported from OpenStreetMap An area in the city of Chicago NW (41.96, -87.79) - SW (41.94, -87.76) S-N distance: 1mile, E-W distance: 1mile

Total length: 54km # of Streets: 591, # of traffic lights: 858 Avg speed = 15m/h, max speed = 35m/h 1700 non-interactive elections in 2000 sec AE D C B

brakingvotingvotingreactingreacting

0

5

10

15

20

25

30

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Conclusions: under rather conservative assumptions on transmission and cryptographic computation time delays,

D has 71% chance to successfully ignore A’s false braking claim

E has 94% chance

17

Conclusions

Research in vehicular networks is today considered mature for small-

scale deployment

Research in securing vehicular networks is catching up and going

beyond early stages

Field is rapidly advancing and visions for future vehicular networks are

quite ambitious