Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
KTH ROYAL INSTITUTEOF TECHNOLOGY
Secure and Privacy Preserving
Vehicular Communication Systems:
Identity and Credential Management
Infrastructure
Mohammad KhodaeiNetworked Systems Security Group (NSS)
November 1, 2016
July 2, 2018
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
2/38
Vehicular Communication (VC) Systems
Figure: Photo Courtesy of the Car2Car CommunicationConsortium (C2C-CC)
3/38
Security and Privacy for VC Systems1
Basic Requirements
◮ Message authentication & integrity
◮ Message non-repudiation
◮ Access control
◮ Entity authentication
◮ Accountability
◮ Privacy protection
Vehicular Public-Key Infrastructure (VPKI)◮ Pseudonymous authentication
◮ Trusted Third Party (TTP):
◮ Certification Authority (CA)
◮ Issues credentials & binds users to their pseudonyms
1P. Papadimitratos, et al. “Securing Vehicular Communications - Assumptions, Require-
ments, and Principles,” in ESCAR, Berlin, Germany, pp. 5-14, Nov. 2006.P. Papadimitratos, et al. “Secure Vehicular Communication Systems: Design and Architec-
ture,” in IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, Nov. 2008.
4/38
Security and Privacy for VC Systems (cont’d)
◮ Sign packets with the private key, corresponding to the current
valid pseudonym
◮ Verify packets with the valid pseudonym
◮ Cryptographic operations in a Hardware Security Module (HSM)
5/38
State-of-the-art
Standardization and harmonization efforts
◮ IEEE 1609.2 [1], ETSI [2] and C2C-CC [3]
◮ VC related specifications for security and
privacy-preserving architectures
Projects
◮ SEVECOM, EVITA, PRECIOSA, OVERSEE,
DRIVE-C2X, Safety Pilot, PRESERVE, CAMP-VSC3
Proposals
◮ V-Token [4], CoPRA [5], SCMS [6], SEROSA [7],
PUCA [8]
6/38
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
7/38
Problem Statement and MotivationThe design of a VPKI
◮ Resilience
◮ Stronger adversarial model (than fully-trustworthy entities)
◮ User privacy protection against “honest-but-curious” entities◮ User privacy enhancement and service unlinkability
(inference of service provider or time)
◮ Pseudonym acquistion policies
◮ How should each vehicle interact with the VPKI, e.g., how
frequently and for how long?◮ Should each vehicle itself determine the pseudonym
lifetime?
◮ Operation across multiple domains, thus a scalable design
◮ Efficiency and robustness
8/38
Security and Privacy Requirements for the VPKIProtocols
◮ Authentication, communication integrity and confidentiality
◮ Authorization and access control
◮ Non-repudiation, accountability and eviction (revocation)
◮ Privacy◮ Anonymity (conditional)◮ Unlinkability
◮ Thwarting Sybil-based misbehavior
◮ Availability
9/38
Adversarial Model
External adversaries
Internal adversaries
Stronger adversarial model
Protection against honest-but-curious VPKI entities
◮ Correct execution of protocols but motivated to profile users
◮ Concealing pseudonym provider identity and acquisition time, and
reducing pseudonyms linkability (inference based on time)
Multiple VPKI entities could collude
10/38
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
11/38
Secure VC System
◮ Root Certification Authority (RCA)
◮ Long Term CA (LTCA)
◮ Pseudonym CA (PCA)
◮ Resolution Authority (RA)
◮ Lightweight Directory Access Protocol (LDAP)
◮ Roadside Unit (RSU)
◮ Trust established with RCA, or through cross
certification
RSU3/4/5G
PCA
LTCA
PCA
LTCA
RCA
PCA
LTCA
BAA certifies B
Cross-certificationCommunication link
Domain A Domain B Domain C
RARA
RA
B
X-Cetify
LDAP LDAP
Message dissemination
{Msg}(Piv),{Pi
v}(PCA)
{Msg}(Piv),{Pi
v}(PCA)
Figure: VPKI Overview
12/38
System Model
F-LTCA
PCA
H-LTCA
RCABAA certifies B
Communication link
Home Domain (A) Foreign Domain (B)LDAP
PCA
RA RA
1. LTC 2. n-tkt
I. f-tkt req.
II. f-tkt III. n-tkt
3. psnym req.
4. psnyms acquisition
IV. psnym req.
V. psnyms acquisition
Figure: VPKI Architecture
13/38
Pseudonym Acquisition Policies
User-controlled policy (P1)
Oblivious policy (P2)
Universally fixed policy (P3)
ΓP3ΓP3 ΓP3
System Time
Trip Duration
}τP
}τP
}
τP
}
τP
}
τP
}
τP
}
τP
}
τP
ΓP2ΓP2
}
τP
}
τP
}
τP
}
τP
}
τP
}τP
}τP
}
τP
}
τP
}
τP
}τP
Unused
Pseudonyms
tstart
Expired
Pseudonym
tend
◮ P1 & P2: Requests could act as user “fingerprints”; the exact time
of requests and all subsequent requests until the end of trip could
14/38
Vehicle Registration and Long Term Certificate(LTC) Update
V H-LTCA
1. LKv, Lkv
2. (LKv)σLkv, N, t
3. Cert(LTCltca, LKv)
4. LTCv, N + 1, t
15/38
Ticket and Pseudonym Acquisition
V H-LTCA PCA
1. H(PCAID ‖Rnd256), ts, te, LTCv, N, t
2. Cert(LTCltca, tkt)
3. tkt,N + 1, t
4. tkt, Rnd256, ts′ , te′ , {(K1
v )σk1v
, ..., (Knv )σkn
v
}, N ′, t
5. Cert(LTCpca, Piv)
6. {P 1
v , . . . , Pnv }, N
′ + 1, t
16/38
Roaming User: Foreign Ticket Authentication
V LDAP H-LTCA
1. LDAP Req.
2.LDAP Search
3. LDAP Res.
4. H(F -LTCAID ‖Rnd256), ts, te, LTCv, N, t
5. Cert(LTCltca, f -tkt)
6. f -tkt,N + 1, t
17/38
Native Ticket and Pseudonym Acquisition in theForeign Domain
V F -LTCA PCA
1. f -tkt,H(PCAID||Rnd′256
), Rnd256, N, t
2.Cert(LTCltca, n-tkt)
3. n-tkt,N + 1, t
4. n-tkt, Rnd′256
, ts′ , te′ , {(K1
v)σk1v
, ..., (Knv )σkn
v
}, N ′, t
5. Cert(LTCpca, Piv)
6. {P 1
v , . . . , Pnv }, N
′ + 1, t
18/38
Pseudonym Revocation and Resolution
RA PCA LTCA
1. Pi, N, t
2.Update CRL
3. tkt,N + 1, t
4.SNtkt, N′, t
5.Resolve LTCv
6.LTCv, N′ + 1, t
19/38
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
20/38
Security and Privacy Analysis◮ Communication integrity, confidentiality, and non-repudiation
◮ Certificates, TLS and digital signatures
◮ Authentication, authorization and access control◮ LTCA is the policy decision and enforcement point◮ PCA grants the service◮ Security association discovery through LDAP
◮ Concealing PCAs, F-LTCA, actual pseudonym acquisition period◮ Sending H(PCAid‖Rnd256), ts , te , LTCv to the H-LTCA◮ PCA verifies if [t ′s, t ′e ] ⊆ [ts , te]
◮ Thwarting Sybil-based misbehavior◮ LTCA never issues valid tickets with overlapping lifetime (for a given
domain)◮ A ticket is bound to a specific PCA◮ PCA keeps records of ticket usage
21/38
Linkability based on Timing Informationof Credentials
0 5 10 15 20 25 30 35 40 45 50 55 60
System Time [min.]
0
1
2
3
4
5
6
7
8
9
10
τP= 5min.
0 5 10 15 20 25 30 35 40 45 50 55 60
System Time [min.]
0
1
2
3
4
5
6
7
8
9
10
τP= 5min., ΓP2= 15min.
0 5 10 15 20 25 30 35 40 45 50 55 60
System Time [min.]
0
1
2
3
4
5
6
7
8
9
10
τP= 5min., ΓP3= 15min.
(a) P1: User-controlled policy (b) P2: Oblivious policy (c) P3: Universally fixed policy
◮ Non-overlapping pseudonym lifetimes from eavesdroppers’ perspective
◮ P1 & P2: Distinct lifetimes per vehicle make linkability easier(requests/pseudonyms could act as user ‘fingerprints’)
◮ P3: Uniform pseudonym lifetime results in no distinction
22/38
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
23/38
Experimental Setup (#1)
◮ VPKI testbed
◮ Implementation in C++
◮ OpenSSL: Transport Layer Security (TLS)
and Elliptic Curve Digital Signature
Algorithm (ECDSA)-256 according to the
standard [1]
◮ Network connectivity
◮ Varies depending on the actual OBU-VPKI
connectivity
◮ Reliable connectivity to the VPKI (e.g., RSU,
Cellular, opportunistic WiFi)
Table: Servers and Clients Specifications
LTCA PCA RA Clients
VM Number 2 5 1 25
Dual-core CPU (Ghz) 2.0 2.0 2.0 2.0
BogoMips 4000 4000 4000 4000
Memory 2GB 2GB 1GB 1GB
Database MySQL MySQL MySQL MySQL
Web Server Apache Apache Apache -
Load Balancer Apache Apache - -
Emulated Threads - - - 400
◮ Use cases◮ Pseudonym provision
◮ Performing a DDoS attack
24/38
Client and LTCA Performance Evaluation
1 10 100 200 500 10000
200
400
600
800
1000
1200
1400
1600
1800
2000
2200
2400
Number of Pseudonyms in a Request
En
tire
Tim
e [
ms]
Entire Ticket OperationsEntire Operations on PCANetworking DelayVehicle Pseudonym Verification
0 600 1200 1800 2400 3000 36000
4
8
12
16
20
24
Time [sec]
Pro
ce
ssin
g T
ime
[m
s]
One ticket per request
Client processing time LTCA performance
◮ Delay to obtain pseudonyms◮ LTCA response time to issue a ticket
25/38
PCA Performance Evaluation
0 600 1200 1800 2400 3000 36000
100
200
300
400
500
600
Time [sec]
Pro
ce
ssin
g T
ime
[m
s]
100 psnyms per request
Server failure
0 100 200 300 400 500 600 700 8000
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Processing Time [msec]
Cu
mu
lative
Pro
ba
bili
ty
Empirical CDF
10 psnyms per request
20 psnyms per request
50 psnyms per request
100 psnyms per request
200 psnyms per request
Issuing 100 pseudonyms per request PCA performance under different configuration
◮ PCA response time, including a crash failure
◮ Efficient provision for pseudonyms, with different configurations
◮ Obtaining 200 pseudonyms: Fx (t=500)=0.9 or Pr{t≤500}=0.9
26/38
The VPKI Servers under a DDoS Attack
0 200 500 1K 2K 5K 10K 20K0
1
2
3
4
5
6
7
8
9
Attackers Number
Ave
rag
e N
um
be
r o
f L
eg
itim
ate
Re
q.
(pe
r S
ec.)
0 200 500 1K 2K 5K 10K 20K0
0.5
1
1.5
2
2.5
3
3.5
Attackers Number
Ave
rag
e N
um
be
r o
f L
eg
itim
ate
Re
q.
(pe
r S
ec.)
LTCA performance PCA performance
◮ 10K legitimate vehicles, requesting 100 pseudonyms every 10 minutes
◮ Up to 20K attackers, sending requests every 10 seconds
◮ An LTCA is more resistant to DDoS than a PCA
27/38
Experimental Setup (#2)
Table: Mobility Traces Information
TAPASCologne LuST
Number of vehicles 75,576 138,259
Number of trips 75,576 287,939
Duration of snapshot (hour) 24 24
Available duration of snapshot (hour) 2 (6-8 AM) 24
Average trip duration (sec.) 590.49 692.81
Total trip duration (sec.) 44,655,579 102,766,924
◮ Main metric
◮ End-to-end pseudonym
acquisition latency from the
initialization of ticket acquisition
protocol till successful
completion of pseudonym
acquisition protocol
Table: Servers & Clients Specifications
LTCA PCA Client
Number of entities 1 1 1
Dual-core CPU (Ghz) 2.0 2.0 2.0
BogoMips 4000 4000 4000
Memory 2GB 2GB 1GB
Database MySQL MySQL MySQL
◮ N.B. PRESERVE Nexcom boxes specs:
dual-core 1.66 GHz, 2GB Memory
28/38
End-to-end Latency for P1, P2, and P3
Choice of parameters:
◮ Frequency of interaction and volume
of workload to a PCA
◮ Γ=5 min., τP=0.5 min., 5 min.
LuST dataset (τP = 0.5 min):
◮ P1: Fx(t = 167 ms) = 0.99
◮ P2: Fx(t = 80 ms) = 0.99
◮ P3: Fx(t = 74 ms) = 0.99
(P1)
(P2)
(P3)
TAPASCologne dataset LuST dataset
0 20 40 60 80 100 120System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
User-controlled Policy (P1): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
0 200 400 600 800 1000 1200 1400System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
User-controlled Policy (P1): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
0 20 40 60 80 100 120System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
Oblivious Policy (P2): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
0 200 400 600 800 1000 1200 1400System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
Oblivious Policy (P2): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
0 20 40 60 80 100 120System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
Universally Fixed Policy (P3): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
0 200 400 600 800 1000 1200 1400System Time [min.]
0
20
40
60
80
100
120
140
End-to-E
ndLatency
[ms]
Universally Fixed Policy (P3): 1 LTCA and 1 PCA
τP= 0.5min.
τP= 5min.
29/38
The VPKI Servers under a DDoS Attack
0 200 400 600 800 1000Faked Requests [per sec.]
0
50
100
150
200
250
300
350
400
Overh
ead[m
s]
The VPKI Servers under a DDoS Attack: 1 LTCA and 1 PCA
No countermeasure
With countermeasure (L=5)
Figure: Overhead to obtain pseudonyms, LuST dataset with P1 (τP = 5 min.)
30/38
Outline
Secure Vehicular Communication (VC) Systems
Problem Statement
System Model
Security and Privacy Analysis
Performance Evaluation
Summary of Contributions and Future Steps
31/38
Summary of Contributions
1. Facilitating multi-domain operation
2. Offering increased user privacy protection◮ Honest-but-curious system entities◮ Eliminating pseudonym linking based on timing information
3. Eradication of Sybil-based misbehavior
4. Proposing multiple generally applicable pseudonym
acquisition policies
5. Detailed analysis of security and privacy protocols
6. Extensive experimental evaluation◮ Efficiency, scalability, and robustness◮ Achieving significant performance improvement◮ Modest VMs can serve sizable areas or domain
32/38
Future Steps
VPKI enhancements
◮ Evaluation of the level of privacy, i.e., unlinkability, based on
the timing information of the pseudonyms for each policy
◮ Evaluation of actual networking latency, e.g., OBU-RSU
◮ Rigorous analysis of the security and privacy protocols
Efficient distribution of revocation information
◮ How to disseminate pseudonyms validity information
without interfering with vehicles operations?
33/38
Original Work◮ N. Alexiou, M. Laganà, S. Gisdakis, M. Khodaei, and P. Papadimitratos, “VeSPA: Vehicular Security
and Privacy-preserving Architecture,” in ACM HotWiSec, Budapest, Hungary, Apr. 2013.
◮ M. Khodaei, H. Jin, and P. Papadimitratos, “Towards Deploying a Scalable & Robust Vehicular
Identity and Credential Management Infrastructure,” in IEEE VNC, Paderborn, Germany, Dec. 2014.
◮ M. Khodaei and P. Papadimitratos, “The Key to Intelligent Transportation: Identity and Credential
Management in Vehicular Communication Systems,” IEEE VT Magazine, vol. 10, no. 4, pp. 63-69,
Dec. 2015.
◮ M. Khodaei and P. Papadimitratos, “Evaluating On-demand Pseudonym Acquisition Policies in
Vehicular Communication Systems,” in ACM MobiHoc, Workshop on Internet of Vehicles and
Vehicles of Internet (IoV-VoI), Paderborn, Germany, July 2016.
◮ M. Khodaei, H. Jin, and P. Papadimitratos, “SECMACE: Scalable and Robust Identity and
Credential Management Infrastructure in Vehicular Communication Systems,” Submitted to the
IEEE Transactions on Intelligent Transportation Systems.
34/38
Bibliography I
[1] “IEEE Standard for Wireless Access in Vehicular Environments - Security Services for Applicationsand Management Messages,” IEEE Std 1609.2-2016 (Revision of IEEE Std 1609.2-2013), Mar. 2016.
[2] T. ETSI, “ETSI TS 103 097 v1. 1.1-Intelligent Transport Systems (ITS); Security; Security Header andCertificate Formats, Standard, TC ITS,” Apr. 2013.
[3] Car-to-Car Communication Consortium (C2C-CC), June 2013. [Online]. Available:http://www.car-2-car.org/
[4] F. Schaub, F. Kargl, Z. Ma, and M. Weber, “V-tokens for Conditional Pseudonymity in VANETs,” inIEEE WCNC, NJ, USA, Apr. 2010.
[5] N. Bißmeyer, J. Petit, and K. M. Bayarou, “CoPRA: Conditional Pseudonym Resolution Algorithm inVANETs,” in IEEE WONS, Banff, Canada, pp. 9–16, Mar. 2013.
35/38
Bibliography II
[6] W. Whyte, A. Weimerskirch, V. Kumar, and T. Hehn, “A Security Credential Management System forV2V Communications,” in IEEE VNC, Boston, MA, pp. 1–8, Dec. 2013.
[7] S. Gisdakis, M. Laganà, T. Giannetsos, and P. Papadimitratos, “SEROSA: SERvice Oriented SecurityArchitecture for Vehicular Communications,” in IEEE VNC, Boston, MA, USA, Dec. 2013.
[8] D. Förster, H. Löhr, and F. Kargl, “PUCA: A Pseudonym Scheme with User-Controlled Anonymity forVehicular Ad-Hoc Networks (VANET),” in IEEE VNC, Paderborn, Germany, Dec. 2014.
[9] M. Khodaei, “Secure Vehicular Communication Systems: Design and Implementation of a VehicularPKI (VPKI),” Master’s thesis, Lab of Communication Networks (LCN), KTH University, Oct. 2012.
[10] N. Alexiou, M. Laganà, S. Gisdakis, M. Khodaei, and P. Papadimitratos, “VeSPA: Vehicular Securityand Privacy-preserving Architecture,” in Proceedings of the 2nd ACM workshop on Hot topics onwireless network security and privacy, Budapest, Hungary, pp. 19–24, Apr. 2013.
36/38
Bibliography III
[11] M. Khodaei, H. Jin, and P. Papadimitratos, “Towards Deploying a Scalable & Robust Vehicular Identityand Credential Management Infrastructure,” in IEEE Vehicular Networking Conference (VNC),Paderborn, Germany, pp. 33–40, Dec. 2014.
[12] M. Khodaei and P. Papadimitratos, “The Key to Intelligent Transportation: Identity and CredentialManagement in Vehicular Communication Systems,” IEEE VT Magazine, vol. 10, no. 4, pp. 63–69,Dec. 2015.
[13] ——, “Evaluating On-demand Pseudonym Acquisition Policies in Vehicular Communication Systems,”in Proceedings of the First International Workshop on Internet of Vehicles and Vehicles of Internet,Paderborn, Germany, pp. 7–12, July 2016.
[14] “Preparing Secure Vehicle-to-X Communication Systems - PRESERVE.” [Online]. Available:http://www.preserve-project.eu/
37/38
Secure and Privacy Preserving VehicularCommunication Systems: Identity andCredential Management Infrastructure
Licentiate Defense
Mohammad Khodaei
Networked Systems Security Group (NSS)
www.ee.kth.se/nss
38/38