Privacy in Vehicular Ad-hoc Networks Nikolaos Alexiou, LCN, EE KTH [email protected] 2/10/2012


Page 1: Privacy in Vehicular Ad-hoc Networks (buc/PPC/Slides/vanetprivacy.pdf)

Privacy in Vehicular Ad-hoc Networks

Nikolaos Alexiou, LCN, EE KTH, [email protected]

2/10/2012

Page 2

2012-10-04

Outline

• Introduction
• VANETs: an overview
• VANET privacy
- Anonymity
- Location Privacy
- VPKI
• Privacy Attacks
• Countermeasures
• Conclusion

Illustrations from Car2Car Consortium, unless specified otherwise

Page 3

VANETs: An overview

Page 4

VANETs: An overview (cont'd)

• V2V Communications:
- Safety applications
- Location Based Services
- Proprietary Applications
• Two types of messages:
- Cooperative Awareness Messages (CAM)
- Decentralized Environmental Notification Messages (DENM)

Page 5

VANETs: An overview (cont'd)

• CAM messages:
- Beacons, periodically sent
- Basic status information (speed, location, acceleration, vehicle identifier)
- Very important for safety applications
- A vehicle's neighborhood receives these messages
• DENM messages:
- Report information related to events
- Sent on event detection
- Contain: event location, timestamp, etc.
- Usually distributed to many vehicles over a large area

Page 6

VANETs: An overview (Cont'd)

• V2I Communications:
- Vehicle to RSU (Road Side Units)
- VANET Services:
    • Location based
    • Safety Applications
    • Proprietary: e.g. Tolling Systems
- Privacy Services
- 802.11p / LTE

Page 7

Privacy & threats?

Page 8

V2V/V2I communications

• V2V and V2I communications expose sensitive data:
- To other vehicles
- To eavesdroppers
- To infrastructure
• [1] CAM messages contain information such as:
- Direction to be taken
- Vehicle length
- Vehicle width
- Occupancy (passengers as percentage)
• Anonymity: conceal identity
• Location Privacy: position cannot be systematically recorded

[1] ETSI TS 102 637-2 V1.2.1 (2011-03)
Picture: P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, "Secure Vehicular Communication Systems: Design and Architecture," IEEE Communications Magazine, November 2008.

Page 9

Authentication in VANETs

• Each vehicle should be identifiable
- To develop services and applications
- To issue tickets
- To resolve accidents
• Vehicle authentication can be achieved using a PKI → the Vehicular PKI (VPKI)
• Each vehicle will store:
- Private keys to sign packets
- Public keys signed by a CA (e.g. the car manufacturer)
    • Certificates
    • For other vehicles and infrastructure to verify packets

Page 10

VANET Privacy (Cont'd)

Image: P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, J.-P. Hubaux, "Secure Vehicular Communication Systems: Design and Architecture"

Page 11

Generally about privacy: Why?

• If you have nothing to hide, why do you need privacy?
• If I have nothing to hide, you have no cause to watch me.
• Who defines what is wrong behavior or not?

Bruce Schneier on Security, Chapter 4: Privacy and Surveillance

Page 12

So far we know:

• V2V/V2I communications leak information
• Privacy threat
- Anonymity
- Location Privacy
• VPKI needed to authenticate vehicles
- Certificates from a trusted CA
• The next question is...

Page 13

How to protect privacy in VANETs?

Page 14

Pseudonyms: Anonymity

• Pseudonyms to provide anonymity
• Where and how to store pseudonyms at the car?
- Hardware Security Module (HSM)
- Tamper-proof crypto device
- Cornerstone of in-vehicle security
• How to obtain pseudonyms?
• How to protect location privacy?
• Why need many pseudonyms?

Page 15

Pseudonyms: Location Privacy

Each pseudonym is valid for a specific period of time

Page 16

The VANET Architecture

• Vehicular Public Key Infrastructure
- Pseudonyms signed by CA
    • Pseudonym Certification Authority (PCA)
- Why?
    • Trust in signatures
• PCA per manufacturer?
• Hierarchical VPKI
- Cross-certification between countries

Page 17

How to generate pseudonyms?

• Each vehicle can generate a set of:
- Private/Public keys in the HSM
- A large set of keys (e.g. enough for a week)
- Short life-time
    • Each needed for a limited number of beacons
• Public keys need to be signed by a CA
- Sent over wireless to be signed
• Private keys stay in the HSM
• Pseudonymous Certificates: A signature of a CA over each of the public keys

Page 18

A first bad VPKI architecture example

Page 19

Pseudonymous Certificates

Vehicle → PCA: E_PuK_pca{ Sig_v(Alexiou, KBZ 5567, t), Cert_v(PuK_v) }*
PCA → Vehicle: E_PuK_v{ Sig_pca(Sheldon1) ... Sig_pca(Sheldonx) }*

*This is just an illustration example

Page 20

Pseudonymous Certificates (Cont'd)

Vehicle → PCA: E_PuK_pca{ Sig_v(Alexiou, KBZ 5567, t), Cert_v(PuK_v) }*
PCA → Vehicle: E_PuK_v{ Sig_pca(Sheldon1) ... Sig_pca(Sheldonx) }*

Preserves location privacy and anonymity for V2V

The PCA knows who (Alexiou) and which (pseudonyms)

Page 21

Pseudonymous Certificates (Cont'd)

• The vehicle should be protected against the infrastructure
• The PCA must NOT learn the identity of the vehicle or the driver
• To achieve that, another authority is needed
• Long Term Certification Authority (LTCA)
- Holds real information of the vehicle (and possibly the drivers)
• The new architecture
- LTCA: knows only real identities
- PCA: knows only pseudonyms

Page 22

A better VPKI architecture example

Page 23

Pseudonymous Certificates (Cont'd)

PCA: SK_pca, PuK_pca
LTCA: SK_ltca, PuK_ltca

Vehicle → PCA: E_PuK_pca{ E_PuK_ltca(Alexiou, KBZ 5567, t), Cert_v(PuK_v) }*
PCA → LTCA: E_PuK_ltca(Alexiou, KBZ 5567, t)
LTCA → PCA: OK (You can grant pseudonyms)
PCA → Vehicle: E_PuK_v{ Sig_pca(Sheldon1) ... Sig_pca(Sheldonx) }*

Page 24

Pseudonymous Certificates (Cont'd)

(Same figure as page 23, annotated:)

PCA: Doesn't know who
LTCA: Doesn't know which

Page 25

Pseudonymous Certificates (Cont'd)

(Same figure as page 23, annotated:)

PCA: Doesn't know who
LTCA: Doesn't know which

A possible threat??

Page 26

(Same figure as page 23, annotated:)

PCA: Doesn't know who
LTCA: Doesn't know which

Pseudonym Resolution
Resolution Authority: Tell me which?

Page 27

(Same figure as page 23, annotated:)

PCA: Doesn't know who
LTCA: Doesn't know which

Pseudonym Resolution
Resolution Authority: Tell me who?

Page 28

Pseudonym Resolution

• When does the resolution happen?
- Accidents
- Misbehavior
• Alternative resolution methods exist
- [2]: encrypting the vehicle's identity with the Resolution CA's PuK
- Others: additional CAs for:
    • Misbehavior, Grant of Access, Legal Aspects

[2] F. Kargl, Z. Ma, M. Weber, "V-Tokens for Conditional Pseudonymity in VANETs"

Page 29

Pseudonym Revocation

• Certificates will eventually expire
• Vehicles may
- Misbehave
- Be destroyed
- Be retired
• Revocation of pseudonym certificates to prevent malicious behavior

Page 30

Other Pseudonymous Schemes

• Group Signatures
- Hide the identity within a group of vehicles
- Each vehicle stores:
    • A group secret key
    • A group public key
    • Tokens for revocation
• Problems:
- Efficiency
- More difficult to handle revocations
- Difficult to handle dynamic groups

Page 31

Attacks against location privacy

Page 32

Tracking attacks: Location Privacy

• Each beacon contains the vehicle's location, direction, etc.
• Adversaries can collect the beacons
• LP (location privacy) is highly dependent on the anonymity set
- E.g. how many cars are on the road?
• Cannot assume that vehicles can change pseudonyms for each packet transmitted

Page 33

Tracking attacks: Location Privacy

• Change pseudonyms to avoid tracking
• Beacon frequency e.g. 10 Hz
• Given that there are many cars on the road:
- It should be very difficult to track a vehicle
    • Is this the case?
- Multi-hypothesis testing, Kalman filters

Page 34

Multi-Hypothesis testing: An overview

• Tracking as a data association problem
- Position & velocity
• For each measurement, a new set of data association hypotheses
- Essentially guessing the next state
• New measurements arrive
• Probability of association of the guess to the measurement
• The higher probability is chosen

Page 35

Tracking Results

Images: B. Wiedersheim, F. Kargl, Z. Ma, and P. Papadimitratos, "Privacy in Inter-Vehicular Networks: Why simple pseudonym change is not enough"

Page 36

Reasoning about Location Privacy

• How to increase:
- Increasing pseudonym changing frequency
- Spatial noise
    • Impact on safety?
• Adversarial models
- Eavesdropper: needs many devices
- Internal: is the most dangerous one
• What else could be done?
- Mixing zones

Page 37

Mix-Zones

• Idea: change pseudonym where it is harder to link two successive ones
• Force pseudonym changes within regions
• Where can this be done?
- Road junctions
- Traffic lights

Image: Julien Freudiger, Reza Shokri, and Jean-Pierre Hubaux, "On the Optimal Placement of Mix Zones"

Page 38

Mix-Zones (cont'd)

• An RSU at the intersection
• Distributes a secret key to the vehicles within the mix-zone
• They beacon, signing with the group key
• The vehicle uses its regular pseudonym when leaving the mix-zone

Image: J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular Networks"

Page 39

Mix-Zones: Some results

Images: J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular Networks"

Page 40

Conclusion

• Anonymity through pseudonymous certificates
• Location privacy through changing certificates
• Tracking attacks from:
- Eavesdroppers
- Internal adversaries
• VPKI architecture to minimize the probability of tracking by a trusted party
• Mix-zones/pseudonym change frequency to avoid eavesdroppers

Page 41

References

• Suggested:
- P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, "Secure Vehicular Communication Systems: Design and Architecture," IEEE Communications Magazine, November 2008
- B. Wiedersheim, F. Kargl, Z. Ma, and P. Papadimitratos, "Privacy in Inter-Vehicular Networks: Why simple pseudonym change is not enough," IEEE/IFIP International Conference on Wireless On-demand Network Systems and Services (IEEE/IFIP WONS), Kranjska Gora, Slovenia, February 2010
• Further Reading:
- http://preserve-project.eu/
- M. Raya and J.-P. Hubaux, "The Security of Vehicular Ad Hoc Networks," in Proc. of Third ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005), Alexandria, USA, Nov. 2005.
- J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular Networks," ACM Workshop on Wireless Networking for Intelligent Transportation Systems (ACM WiN-ITS 2007), Vancouver, BC, Canada, August 2007
- G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, "Efficient and robust pseudonymous authentication in VANET," in Proceedings of the fourth ACM international workshop on Vehicular ad hoc networks (VANET '07), ACM, New York, NY, USA, 2007, pp. 19-28.
- F. Schaub, F. Kargl, Z. Ma, and M. Weber, "V-tokens for Conditional Pseudonymity in VANETs," IEEE Wireless Communications & Networking Conference (IEEE WCNC 2010), Sydney, Australia, IEEE, 04/2010.

Page 42

Questions