Privacy-preserving secure relative localization in vehicular networks

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks. 2008; 1:195–204Published online 30 May 2008 in Wiley InterScience(www.interscience.wiley.com) DOI: 10.1002/sec.31

Privacy-preserving secure relative localization in vehicularnetworks‡

Lei Tang*,†, Xiaoyan Hong and Phillip G. BradfordDepartment of Computer Science, The University of Alabama, Box 870290, Tuscaloosa, AL 35487-0290, U.S.A.

Summary

Relative location information helps build vehicle topology maps. Such maps provide location information of nearbyvehicles to drivers. In building a vehicle topology, one must consider various attacks on vehicular networks. Alsothe localization system should protect the drivers’ identity and make it difficult for the adversary to track vehicles.Many techniques have been proposed for relative positioning and location verification. Due to the high speed andthe strict security requirements, the existing relative positioning and location verification techniques are not directlyapplicable to vehicular networks. Hence, we present a scheme called Privacy-preserving Secure Relative LocationDetermination (P-SRLD), which securely determines the relative locations of a set of wirelessly connected vehiclesbased on the relative locations of each vehicle’s surrounding vehicles. P-SRLD uses cryptographic keys to authen-ticate location messages and vehicle’s cryptographic pseudonym to identify the vehicle to protect vehicle’s driver’sprivacy. To defend against Sybil attacks, P-SRLD employs registration and relative location message verificationmechanisms. It defends wormhole and blackhole attacks by probabilistically monitoring losses of relative locationmessages. Analysis and simulation results show that P-SRLD is lightweight and is resilient to Sybil, wormhole andsome other attacks. Copyright © 2008 John Wiley & Sons, Ltd.

KEY WORDS: vehicle relative localization; privacy; security; vehicular networks

1. Introduction

Vehicle collision is the most common cause of injuriesand fatalities in crashes as reported in the fatality anal-ysis report [1] by National Highway Traffic Safety Ad-ministration. With the development of the vehicularnetworks, one goal is to improve the safety of driv-ing. Research and development has explored the use ofglobal location information in navigation, in services,and message delivery through building network topolo-

*Correspondence to: Lei Tang, Department of Computer Science, The University of Alabama, Box 870290, Tuscaloosa, AL35487-0290, U.S.A.†E-mail: [email protected]‡ Part of this paper was presented on 2nd International Conference on Mobile Ad-hoc and Sensor Networks, volume 4325,page 543–554, Hong Kong, China, December 2006.

gies. In all these cases, location information is very use-ful. In this paper, we propose an alternative approachthat does not need detailed global location informa-tion but only relative vehicle location information. Tojustify the importance of such an approach, we firstemphasize that aided by an accurate view of the rela-tive locations of vehicles nearby, a driver will be able todiscover nearby vehicles, including those at blind spotsavoiding accidents during lane changes and, therebymerges. Furthermore, in vehicular ad-hoc networks

Copyright © 2008 John Wiley & Sons, Ltd.

196 L. TANG, X. HONG AND P. G. BRADFORD

(VANETs), nodes’ relative location information canbe used to identify the relative location of a messagesource. So a driver can tell the relative position of thevehicle that is sending a passing/decelerating messageand take corresponding maneuver to prevent accidents.Also relative locations do not reveal vehicles’ accuratelocations, thereby protecting vehicles drivers locationprivacy.

Motivated by relative location methods, we considerthe vulnerability to malicious attacks in the vehicu-lar networks. As recognized that location informationis life-critical, using the location and relative locationmust be able to defend malicious attacks such as Sybil[2] and wormhole attacks [3]. To make sure that thelocation information is not forged or altered by mali-cious nodes, we need to determine the nodes’ locationand verify the authenticity of their location claims inthe presence of malicious nodes.

The vehicles’ relative locations can be computedfrom their accurate global locations, which canbe obtained by using GPS-based techniques. GPSposition technique can achieve an accuracy as muchas 2 cm [4]. However, since a GPS satellite simulatoris able to generate fake GPS signals that flood the realGPS signals [5], GPS-based solutions are not securein vehicular networks without authenticating GPSsignals. In addition, using vehicles’ precise locationsto compute their relative locations may raise privacyconcern of the drivers who are unwilling to exposetheir precise locations.

Location privacy is very important and someschemes [6–8] have been presented to protect the ve-hicle location privacy and communication privacy. Anadversary could illegally track a specific vehicle if thelocalization system exposes a vehicle’s identity. Usinga non-changing pseudonym as vehicle identity does notsolve the problem since the non-changing pseudonymstill provides a way to track a vehicle. Ideally, a drivershould be able to know the relative locations of nearbyvehicles, but all vehicles should not let other vehiclesknow their identity (e.g., license plate number, vehicleowner, and etc.) with the only exception that a drivercan see the license plate of another vehicle. Hence, wedesign our system in a way that a vehicle is representedby its cryptographic pseudonym that changes from timeto time, thereby making it difficult for a malicious vehi-cle to obtain vehicle identities and correlate a vehicle’srelative location to its identity. However, Departmentof Motor Vehicle (DMV) can still track the vehiclesbased on their public keys.

Many non-GPS-based positioning and distance es-timation techniques have been proposed [9–15] to

determine the relative locations of nodes. However,since vehicles move at high speeds, all of the above-mentioned positioning techniques except [9] are not di-rectly applicable for vehicular networks. Indeed, mostof this work is designed for deployment in buildings.Furthermore, these techniques assume that all nodes arecooperative. Hence, these techniques are vulnerable tovarious attacks.

Methods for authenticating nodes’ location claimsin a hostile environment have been proposed in Refer-ences [16–18,5]. They can be classified into two types.One type exploits the properties of radio and soundwave and multilateration techniques [5,16,17,19]. Theother uses cryptographic keys to authenticate locationinformation [16]. The techniques using multilaterationmay be impractical for vehicular networks becausemost of time the number of nodes in the proximity is toofew to perform multilateration. The techniques usingultrasonic sound may be inaccurate since the vehiclesmove in a speed about 1/10 of the speed of sound waves.

Therefore, in this paper, we propose a scheme tosecurely determine the nodes’ relative locations in thevehicular network, named Privacy-preserving SecureRelative Location Determination (P-SRLD). P-SRLDis distinguished from existing relative positioningschemes in that it does not require GPS or otheraccurate location information but only the relativelocations of each vehicle’s surrounding vehicles.Essentially, with the technique introduced in the paper,every node is able to construct an image of the relativelocations of a set of nearby nodes that are wirelesslyconnected.

P-SRLD uses cryptographic keys to authenticate lo-cation messages and uses cryptographic pseudonymsas vehicle identifiers to protect the drivers’ privacy andmake it difficult for the adversary to track a vehicle. Todefend against Sybil attacks, it employs a registrationand relative location message verification mechanism.To defend wormhole and blackhole attacks, we designa mechanism that probabilistically monitors the lossesof relative location messages. We also analyze howP-SRLD defends the replay and denial-of-serviceattacks.

The rest of the paper is organized as follows.Section 2 introduces the existing relative positioning,location verification, and location privacy protectiontechniques. Section 3 describes the system modeland the problem statement. Section 4 presents thedesign of P-SRLD scheme, and section 5 analyzesthe resilience of P-SRLD against Sybil, wormhole,blackhole, replay, denial-of-service attacks, andthe privacy protections provided by P-SRLD. The

Copyright © 2008 John Wiley & Sons, Ltd. Security Comm. Networks. 2008; 1:195–204

DOI: 10.1002/sec

PRIVACY-PRESERVING SECURE RELATIVE LOCALIZATION 197

performance of P-SRLD is simulated in section 6.Finally, we conclude in section 7.

2. Previous Work

Security and privacy are two important issues in ve-hicular networks. In References [6–8] various schemesprotecting vehicle location privacy and communicationprivacy are discussed. Securely determining nodes’ rel-ative locations include determining relative locationsand verifying the authenticity of relative locations inthe presence of malicious nodes. The first problem isreferred to as the relative positioning problem and thesecond problem is referred to as the relative positionverification problem.

2.1. Relative Positioning Techniques

The nodes’ accurate positions obtained using GPS de-vices can be used to compute their relative locationsof nodes. Kukshya et al. [9] presented a technique toestimate the relative locations of neighboring vehiclesbased on the exchange of their individual GPS coordi-nates. It uses a trilateration technique to estimate rel-ative locations during GPS outages. The relative posi-tioning solution in References [9] requires vehicles toco-operate and does not consider security issues so it isvulnerable to various types of attacks. Moreover, GPSdevices can be spoofed by GPS satellite simulators [5],which generate fake GPS signals that overcome the realGPS signals [20].

There are a number of relative positioning tech-niques [11,12,14] that exploit radio beacons or ultra-sonic pulses to infer proximity to a collection of ref-erence points with known coordinates. However, dueto the fact that vehicles may move at a speed of 1/10,of the sound wave speed (about 331 m/s), the above-mentioned positioning techniques may be inaccuratein vehicular network scenario.

Furthermore, there are some IEEE 802.11 wirelessnetwork based positioning techniques [13,15], whichlearn the location of wireless devices by studying theradio signal property observed at base stations.

2.2. Position Verification Techniques

Positioning techniques introduced in Section 2.1 arevulnerable to malicious attacks. For instance, attack-ers may give false positions. Many techniques havebeen proposed to verify positions and to prevent ma-licious attacks. They can be classified into two types.

One type exploits the properties of radio and soundwave and multilateration technique [5,16,17,19]. Theother uses cryptographic keys to authenticate locationinformation [21]. We summarize some of them below.

Brands and Chaum presented a protocol to determinean upper-bound on the distance between the verifier andthe prover [16]. Liu et al. presented two attack-resistantlocation estimation techniques [19] provided that thebenign beacon signals account for the majority. Lazoset al. [21] proposed a secure localization scheme (SeR-Loc) for wireless sensor networks based on directionalantennas.

However, the above-mentioned location verificationtechniques are not directly applicable to the vehiclenetworks. First, the multilateration techniques are notsuitable for vehicular network because often the num-ber of nodes in the proximity are too few to performmultilateration, and directional antennas are not effi-cient when used on the linear topology of vehicularnetworks.

2.3. Privacy Protection Techniques

Sampigethaya et al. [6] proposed a scheme that ex-ploits silent period and mobility group to protect vehi-cle location privacy. Through extending silent periods,a vehicle is “hidden” among its neighboring vehicles.

Freudiger et al. [7] proposed using vehicular mix-zones to protect vehicles location privacy. Theirapproach exploits road intersections and vehicle mo-bility diversity to defend location tracking adversarialattacks.

In References [8], Guo et al. presented a groupsignature based privacy-preserving VANET commu-nication scheme. Based on the feature of the groupsignature scheme that the signatures are verifiable us-ing the group public key but are not traceable to thesigners, their scheme protects the privacy of the mes-sage signer. Compared with [8], a vehicle in P-SRLDdoes not carry a large number of cryptographic keys.Instead, a vehicle receives a public key from the trans-portation authority upon entering VANET and uses itto secure and anonymize the communication betweenthe vehicle and the transportation authority.

3. System Model

3.1. System Architecture

Our system consists of road-side access points (APs),DMV server, and wireless communication enabled


DOI: 10.1002/sec


Fig. 1. System architecture.

vehicles. The APs are able to connect to DMV serverthrough wired Internet to verify vehicles. Also they col-lectively provide a wireless radio that covers the entireroad. Vehicles carry public keys of Certification Au-thority (CA) to verify CA signatures of APs. Figure 1depicts such architecture.

3.2. Problem Statement and Assumptions

First of all, the notations and terminologies used in thispaper are defined as follows.

– PKv: public key of vehicle v;– SKv: private key of vehicle v;– LPv: license plate of vehicle v;– N: the number of wirelessly connected vehicles;– Tv: authentication ticket vehicle v;– Ek(·): encryption operation using key k;– E−1

k (·): decryption operation using key k;– a‖b: b is concatenated to a;– R: registration interval;– I: location beacon interval;– RLTi: relative location table of a vehicle i;– RLi: relative location of a vehicle i;– ψi: cryptographic pseudonym of a vehicle i.

In our adversarial model, we assume that DMV canbe trusted whereas roadside APs and vehicles may becompromised by the adversary. In this paper, when weuse the term node, we mean a vehicle in the network.

We study the problem of determining the vehicles’relative locations with the following design goals: (1)resist fake location claims; (2) decentralize relative lo-cation determination, meaning that each node com-

putes its own image of the network topology and theimages may vary due to the varying arrival times oflocation beacon messages; (3) protect vehicle identityand location privacy so that the adversary is unable totrack a vehicle.

We next list the assumptions in our relative locationdetermination protocol. These assumptions follow thecommon practices of the contemporary public key in-frastructure. Moreover, we focus on determining therelative location among a set of vehicles that are wire-lessly connected.

1. Vehicles are able to verify the Certification Author-ity (CA) certificates of the roadside APs (AccessPoints), and the communications between the nodesand the roadside APs are encrypted using asymmet-ric cryptography.

2. We use RSA public-key cryptography [22], and weassume a vehicle’s public key is uniquely linked toits license plate, which is verifiable at transporta-tion authorities (e.g., DMV (Department of MotorVehicle) in USA).

Assumption 1 can be implemented by using the au-thentication and key exchange mechanism of Trans-port Layer Security (TLS) scheme [23], through whicha node can both verify that the AP is not spoofed bymalicious attackers and negotiate an asymmetric cryp-tographic key.

For assumption 2, we follow earlier work [24] thatthe public keys and license plates of vehicles are reg-istered and verifiable at transportation authorities.

3.3. System Overview

A vehicle v stores the relative locations of the other ve-hicles in a table called Relative Location Table (RLT).An entry i in RLT is of the following format:

{RLi, ψi, TSi}

ψi denotes the pseudonym of a vehicle i whose relativelocation has been verified. RLi specifies the relative lo-cation of i. The TSi field records the most recent times-tamp of the relative location beacon message receivedfrom i. Every I seconds, a vehicle disseminates the rel-ative location information of its surrounding vehiclesto other vehicles using relative location beacon mes-sage B, and a vehicle also re-calculates its RLT everyI seconds. Since the vehicular network safe messagesending interval is usually on the order of hundredthsof milliseconds [6], here we simply set I as 800 ms. The


DOI: 10.1002/sec


focus of the paper is on privacy and security so we didnot further study how to configure I.

In our scheme, we use time-varying cryptographicpseudonyms to identify a vehicle rather than using itslicense plate number. Using a vehicle’s license platenumber as the vehicle identifier will expose the li-cense plate numbers of the vehicles on the road, whichmay raise privacy concerns. Using pseudonyms hasthe advantage of not revealing vehicle identity infor-mation to other drivers on the road, and it is hard forthe adversary to link a vehicle’s ever-changing crypto-graphic pseudonyms to the vehicle due to the lack ofdecryption key.

In the next section, we introduce how to constructRLT through P-SRLD protocol.

4. Design of the P-SRLD Protocol

Figure 2 illustrates a vehicular network comprisingmultiple lanes. The rationale of P-SRLD scheme isto construct a topology graph showing the relative lo-cations of vehicles within a few radio hops by usingthe relative location information of each vehicle’s sur-rounding vehicles. Usually, a driver does not need toknow the relative locations of the vehicles faraway.Also the practice of only calculating relative locationsof the vehicles in proximity reduces message overheadsand improves RLT calculation speed. So the system ad-ministrator could configure the TTL(time to live) pa-rameter of the location beacon messages according tovehicular network density. For instance, in busy city

Fig. 2. Relative locations graph.

traffic conditions, TTL of the location beacon messagecan be configured as a small number (e.g., 2), whichmeans a driver may know relative locations of the vehi-cles within a radius of approximately 500 m assumingradio transmission range to be 250 m.

To find out the relative locations of the surround-ing vehicles, each vehicle will use its video sensors toread the license plates of vehicles on front left, front,front right, rear left, rear and rear right (i.e., node 1,2, 3, 6, 7, 8 in Figure 2), and each vehicle uses direc-tional RFID reader to read the electronic license platesof the vehicles between front left and rear left (i.e., ve-hicle 4 in Figure 2) and the vehicle between front rightand rear right. Intuitively, if every node in a connectedgraph propagates the relative locations of its surround-ing nodes to other nodes, then eventually every nodewill be able to build a graph showing the relative loca-tions of all nodes in the graph. Using this approach, avehicle in P-SRLD constructs a topology graph show-ing the relative locations of the vehicles nearby. Thedetails of an algorithm constructing RLT are given inSection 4.2.

When nodes are on a single lane, each node onlyneeds to propagate its predecessor and successor in-formation instead of relative locations of all surround-ing nodes. But the way of determining vehicle relativelocations in multi-lane scenario is similar to the wayin single-lane scenario because in both scenarios ve-hicle relative locations are constructed using the rela-tive location information of each vehicle’s surroundingvehicles. The only difference is that the surroundingvehicles of a vehicle in single-lane scenario are its pre-decessor and successor whereas a vehicle could havemore surrounding vehicles in multi-lane scenario suchas that shown in Figure 2. The privacy-preserving andsecurity mechanism of both scenarios are the same. Dueto the above reason and the reason of reducing the for-mula length, we describe our scheme in a single-lanescenario.

4.1. P-SRLD Protocol

Through P-SRLD protocol, a vehicle distributedly con-structs its RLT using the relative location beaconsreceived from other vehicles. P-SRLD protocol hasthree main components: Vehicle Registration, VehiclePseudonym Authentication, and Location Beacon Dis-semination.

First component involves DMV authentication andvehicle registration to DMV. Upon registering into a ve-hicular network, a vehicle v will obtain a session publickey of DMV (i.e., PKDMV) and the DMV’s signature on


DOI: 10.1002/sec


PKDMV. To defend an adversary impersonating DMV,v verifies PKDMV using CA certificate of DMV andDMV’s signature on PKDMV. Also, every R seconds,v sends {EPKDMV (PKv), ESKv (PKv)} to DMV, whichdecrypts EPKDMV (PKv) to obtain PKv. If DMV findsthat E−1

PKv(ESKv (PKv)) equals PKv, DMV marks v as

a registered user and updates the registration time of v

in its database. The reason of requiring a vehicle v toperiodically register to DMV is to make it hard for theadversary to forge non-existent vehicles. The analysisof how the registration mechanism defends maliciousattacks is described in Section 5.1.

Second component involves requesting and au-thenticating cryptographic pseudonyms from vehi-cles. A vehicle requests a cryptographic pseudonymfrom each of its surrounding vehicles and verifiesthe validity of these pseudonyms. The cryptographicpseudonym obtained from a vehicle x will be usedto identify x during the relative location calculationprocess.

We now describe how a vehicle v requests and au-thenticates a cryptographic pseudonym from the ve-hicle p immediately in front of it. First v obtains p’slicense plate number LPp using its front video camera.Then v requests an authentication ticket Tp from p andsends Tp to a AP to authenticate Tp. The format of Tp

is as follows:

Tp = {ψp, TSp, EPKDMV (LPp‖r), r, sigp}

r is a random string and TSp is the current time of p.ψp = EPKp (LPp‖TSp‖rp) and rp is a random stringknown only by p. And

sigp = ESKp (ψp‖TSp‖EPKDMV (LPp‖r)‖r)

Lastly, Tp is sent to DMV server to verify its valid-ity. DMV obtains LPp by decrypting EPKDMV (LPp‖r).Based on LPp, DMV finds PKp and uses PKp tocheck that E−1

PKp(sigp) = ψp‖TSp‖EPKDMV (LPp‖r)‖r

and the timestamp TSp is less than I seconds oldto prevent stale tickets. If Tp is valid, DMV returnssigDMV(ψp‖TSp) = ESKDMV (ψp‖TSp) to v. Similarly,v requests tickets from other surrounding vehicles andauthenticates them.

Third component is about the location beacon dis-semination and verification. Every I seconds, a vehicledisseminates its immediate predecessor and successorinformation to other nodes using the relative locationbeacon message B. Suppose B is generated by a vehi-cle v, whose predecessor is p and successor is s. The

format of B is as follows:

B = {ψp, TSp, ψv, TSv, ψs, TSs, sigDMV(ψp‖TSp),

sigDMV(ψv‖TSv), sigDMV(ψs‖TSs),

EPKDMV (LPv‖r), r, sig′},sig′ = ESKv (ψp‖TSp‖ψv‖TSv‖ψs‖TSs‖sigDMV

(ψp‖TSp)‖sigDMV(ψv‖TSv)‖sigDMV(ψs‖TSs)).

When other nodes receive B from v, they will verifythe validity of B. First of all, a receiver will requestDMV to check that the signature sig′ is valid. DMVwill obtain LPv by decrypting EPKDMV (LPv‖r) and findPKv corresponding to LPv. Then DMV using PKv toverify sig′. In addition, using PKDMV, the receiverchecks that sigDMV(ψp‖TSp), sigDMV(ψv‖TSv), andsigDMV(ψs‖TSs) are indeed the DMV’s signatures onψp, ψv, ψs, TSp, TSv, and TSs. Lastly, the receiververifies that TSp, TSv, and TSs are less than I secondsold. If any of the above verifications fail, the receiverswill ignore B. Otherwise, using the relative locationinformation in location beacon messages received, thereceiver re-calculates the relative locations of the vehi-cles, which are stored in its RLT.

Assuming there are N vehicles in a linear topologynetwork and Timeh is the time needed for propagat-ing B to a one-hop neighbor and processing it, we nowcompute how long it takes for a location beacon mes-sage to reach all vehicles. The largest number of hopstraveled by B ranges from N − 1 to �N

2 �. So on averagethe time for B to reach all vehicles is as follows:

Timeh × 1

N×

(N − 1 + N − 2 + · · · + N

2

+(

N

2+ 1

)+ · · · + N − 1

)= 0.75 × N × Timeh.

4.2. RLT Construction Algorithm

Now we present an algorithm to construct RLTusing the relative location beacons received. RLTconstruction algorithm is executed by a vehicle everyI seconds. The algorithm is as follows and its timecomplexity is O(N2).

1. From beacon messages received, search for a nodeh which has no predecessor. Add h to list L as listhead. Make pointer P point to h.


DOI: 10.1002/sec


Fig. 3. PMLD protocol.

2. Find the node s which is the successor of the nodepointed by P. Then add s to list L and make pointerP point to s.

3. Continue step 2 until all nodes in the beacon mes-sages are added to the list L. The relative locationof a node i in the list L is its relative location RLi inthe RLT. After determing the relative location of i,{RLi, ψi, TSi} is stored in RLT.

5. Security and Privacy Analysis

In this section, we analyze the privacy characteris-tics of P-SRLD and its resilience of to Sybil attacks,wormhole attacks, denial-of-service attacks, blackholeattacks, and location errors (discussed together withSybil attacks). The goal of the P-SRLD protocol is toprotect the location privacy of drivers and verify thatthe relative location information is not forged or alteredby malicious nodes.

5.1. Sybil Attack

A Sybil attack occurs when a malicious node illegiti-mately takes on multiple identities as Sybil nodes [2].First, malicious nodes may spoof roadside APs. Sec-ond, adversaries may lie about its relative locations(Figure 4(a)). Third, adversaries may inject relative lo-cation information of non-existent nodes (Figure 4(b)).Last, attackers may impersonate legitimate nodes (Fig-ure 4(c)).

For the first type of attacks, since nodes will firstverify the CA certificate of roadside APs and the com-

Fig. 4. Attacks against relative location determinationschemes. (a) Inject wrong location, (b) forge non-existent

nodes and (c) impersonate legitimate node.

munication between roadside APs and nodes are en-crypted using asymmetric cryptography, it is hard forthe attackers to impersonate APs, alter message con-tent, or fabricate messages between APs and vehicles.

For the second type of attacks, in P-SRLD, it is dif-ficult for an attacker to lie about its relative locations(e.g., who are its predecessor and successor). First, theadversary will not be able to obtain a location ticket Tp

from a vehicle p unless the adversary sees p’s licenseplate. Second, the attacks by re-using the stale ticketsoverheard will be defended by checking whether thetimestamps of the tickets have been expired. Finally,even if the adversary obtains valid location tickets fromother vehicles, it is hard to inject incorrect relative loca-tion information without being discovered. This is be-cause wrong location messages will conflict with otherlocation announcements sent by legitimate nodes. InReferences [25], Raya et al. proposed a system calledLEAVE to detect and evict misbehaving vehicles. At-tackers can be discovered in the situation when honestvehicles account for majority. With a mechanism simi-lar to LEAVE, a vehicle could detect possible attackersif the location beacon messages from these vehicles


DOI: 10.1002/sec


conflict with the majority. When discovering possibleattackers, a vehicle sends the received beacon messagesto APs, which identify the vehicles whose location bea-con messages conflict with the majority as possible at-tackers. If a vehicle is identified as a possible attackerfor many times, APs will fail the authentication of itslocation beacon messages and regard it as a maliciousnode in the network. In summary, every vehicle for-wards the beacon messages received from possible at-tackers to APs, which decrypt the identities of the bea-con initiators and fail the authentication of the locationbeacons from the attackers.

For the third type of attacks, malicious nodes are un-able to insert non-existent nodes because the receiverswill verify the registrations of the nodes included inthe relative location beacons. Moreover, every vehiclesigns on its location ticket, which is difficult to forge.

Similarly, for the fourth type of attacks, sincethe receiver verifies the authenticity of the locationbeacon signature and the signatures on cryptographicpseudonyms and corresponding timestamps, it isdifficult for malicious nodes to impersonate legitimatenodes and alter the location beacon messages sent bylegitimate nodes.

5.2. Wormhole Attack

Another significant attack is the wormhole attack,where malicious nodes collude to selectively discardrelative location messages of legitimate nodes. Figure 5illustrates a basic wormhole attack. The attackers con-trol node X and Y, which are connected by a tunnel link.Relative location messages received by X are tunneledto Y and re-transmitted at Y, and vice versa. By se-lectively discarding messages, colluding attackers maylaunch DoS attacks and prevent some nodes from be-ing known to others. For instance, X and Y may onlytransmit relative location messages initiated by A and Cwhile discarding all relative location messages initiatedby B. Thus, other nodes will not know the presence of B.

Some countermeasures have been presented to de-fend the wormhole attacks [3,26]. Hu et al. proposeda MAC layer protocol named TIK [26] to restrictthe packet’s maximum allowed transmission distance,which prevents wormhole attacks by detecting if the

Fig. 5. An example of wormhole attack.

packet traveled further than that is allowed. In Refer-ences [3], the authors presented an approach to detectwormhole attack, which depends on nodes maintainingaccurate sets of their neighbors.

However, there is no solution designed specificallyfor defending wormhole attacks in vehicular network.Hence, we propose Probabilistic Message Loss Detec-tion (PMLD) protocol, which defends wormhole at-tacks by probabilistically monitoring the losses of rel-ative location messages.

PMLD protocol is shown in Figure 3. In PMLD,we assume legitimate nodes account for majority andif a node A can hear node B then B can hear A.APs probabilistically select a beacon message Bselectand check if there are attackers discarding the se-lected beacon message. Since every location beaconwill be authenticated by AP, AP records the identityof a forwarder v of beacon Bselect when v authenti-cates Bselect at AP. Hence, AP knows the identitiesof the forwarders and malicious nodes expose them-selves when they discard Bselect. In PMLD protocol,monitoring is performed probabilistically so that mali-cious nodes will not know which messages are going tobe monitored.

5.3. Blackhole Attack

An attack similar to wormhole attack is blackhole at-tack [27], in which a malicious node behaves like ablackhole and discards all or a fraction of the relativelocation beacons passing it. Blackhole attacks may cre-ate network partition so that a vehicle is unable to knowthe relative location of interested vehicles due to thenetwork partition.

Blackhole attackers can be detected by neighbor-ing nodes, which identify and put the attackers onblacklist. However, as Hu et al. pointed out in Ref-erences [27], the above watchdog-like method [28]may enable attackers to add legitimate nodes to black-lists and interfere the normal function of legitimatenodes.

In our system, we employ PMLD protocol as thecountermeasure of Blackhole attacks. The APs identifythe blackhole attackers by probabilistically monitor-ing message transmissions and fail the authenticationof the location beacons from the attackers. Comparedwith watchdog-like method, our approach exploits theauthority of APs and will not cause legitimate nodes tobe blackmailed by attackers, and even if an AP is com-promised, the compromised AP is unable to blackmaila legitimate vehicle since it cannot forge the legitimatevehicle’s signatures.


DOI: 10.1002/sec


5.4. Replay Attack and Denial-of-ServiceAttack

During replay attacks, attackers re-transmit stale loca-tion messages recorded previously. In P-SRLD, eachlocation message beacon message has time stamps andsignatures. Hence, it is hard for attackers to inject stalelocation messages since they are unable to forge thesignatures.

Moreover, malicious vehicles may initiate denial-of-service attacks such as constantly re-transmitting stalelocation messages or garbage messages; the normalwireless transmission around the malicious vehicleswill be severely affected due to the heavy radio col-lisions. Denial-of-service attacks are difficult to pre-vent due to the sharing nature of wireless medium.One way to resume communication in face of thedenial-of-service attacks is to switch channels. An-other way is to stop attacking vehicles physically.The affected drivers may record the license platesof the attacking vehicles and report their positionsto law enforcement department to stop the attackingvehicles.

5.5. Privacy Analysis

Ideally, a vehicle localization system will not allow anefarious user to violate the privacy of vehicular traffic.A vehicle using this system should have the relative lo-cation information of the vehicles in proximity, but allvehicles should not let other vehicles know their iden-tity (e.g., license plate number, vehicle owner, etc.).Clearly, visually, a person may see the license plateof another vehicle, but the number of license plates insight of the adversary is limited for any time—givinga solid measure of anonymity.

First we analyze the privacy of our system if avehicle x is compromised. A vehicle p is identi-fied by ψp = EPKp (LPp‖TS‖rp). The cryptographicpseudonym ψp changes based on time and the randomrp which is only known to p. Unless x has visuallyseen LPp and requested ψp from p, it will be hardfor x to link ψp to LPp due to the difficulty of de-crypting ψp and the fact that ψp changes from timeto time.

Next we analyze how a compromised AP, calledAPx, will affect privacy in our system. It is possiblefor APx to hear and store location tickets and locationbeacons. However, in all these location messages, a ve-hicle p’s pseudonyms are encrypted and change fromtime to time. So it is difficult for APx to correlate ψp

to p.

Fig. 6. Latency versus N and processing time.

6. Evaluation

In this section, we evaluate P-SRLD regarding the fol-lowing two metrics.

– location beacon latency: This metric measures themaximal time it takes for a location beacon messageto reach all nodes.

– location beacon overhead: This metric measures onaverage how many messages are sent on each nodeto propagate a location beacon to all nodes.

We conduct the simulations using Qualnet NetworkSimulator [29]. The nodes in the network maintain lin-ear topology with the mobility speed of the vehicleson the free way. The nodes use IEEE 802.11b radiowith 2 M bps data rate to communicate. When measur-ing location beacon latency, we vary N and the pro-cessing time (unit: ms) of a location beacon on eachnode. Figure 6 demonstrates that the larger the pro-cessing time the larger the location beacon latency andthe location beacon latency is linearly proportional toN. Moreover, we measure the influences of N and lo-cation beacon interval on location beacon overhead.

Fig. 7. Overhead versus N and beacon int.


DOI: 10.1002/sec


Figure 7 shows that when N becomes larger or whenbeacon interval shrinks, location beacon overhead in-creases due to the increase in radio collisions.

7. Conclusion

In this paper, we have presented P-SRLD, a privacy-preserving scheme for securely determining therelative locations of vehicles in vehicular networks.P-SRLD does not require any GPS or accurate positioninformation but only the relative locations of eachvehicle’s surrounding vehicles. P-SRLD uses crypto-graphic keys to authenticate relative location messagesand uses a vehicle’s cryptographic pseudonym toidentify the vehicle for protecting the driver’s privacy.The scheme is designed to defend against Sybil at-tacks, wormhole attacks, blackhole attacks, and replayattacks.

References

1. Fatality analysis reporting system (FARS) web-based encyclo-pedia. http://www-fars.nhtsa.dot.gov/

2. Newsome J, Shi R, Song D, Perrig A. The sybil attack in sensornetworks: analysis and defenses. In IPSN’04, April 2004.

3. Hu L, Evans D. Using directional antennas to prevent wormholeattacks. In Network and Distributed System Security Symposium(NDSS), February, 2004.

4. Roth S, Singh S. Application of robust, high-accuracy position-ing for autonomous ground vehicles. In AUVSI Unmanned Sys-tems North America 2004, August 2004.

5. Capkun S, Hubaux J-P. Secure positioning of wireless deviceswith application to sensor networks. In IEEE INFOCOM, 2005.

6. Sampigethaya K, Li M, Huang L, Poovendran R. Amoeba: robustlocation privacy scheme for vanet. IEEE Journal on SelectedAreas in Communications 2007; 25(8): 1569–1589.

7. Freudiger J, Raya M, Feleghhazi M. Mix zones for location pri-vacy in vehicular networks. In WiN-ITS 07, 2007.

8. Guo J, Baugh J, Wang S. A group signature based secureand privacy-preserving vehicular communication framework. InProceedings of the Mobile Networking for Vehicular Environ-ments (MOVE) Workshop in Conjunction with IEEE INFOCOM,2007.

9. Kukshya V, Krishnan H, Kellum C. Design of a system solutionfor relative positioning of vehicles using vehicle-to-vehicle ra-

dio communications during gps outages. Vehicular TechnologyConference 2005, 2005; 2: 1313–1317.

10. Shang Y, Ruml W, Zhang Y, Fromherz MPJ. Localization frommere connectivity. In MobiHoc’03, 2003; 201–212.

11. Bulusu N, Heidemann J, Estrin D. GPS-less low cost outdoorlocalization for very small devices. IEEE Personal Communica-tions Magazine 2000; 7(5): 28–34.

12. Ward A, Jones A, Hopper A. A new location technique for theactive office. IEEE Personal Communications Magazine 1997;4(5): 42–47.

13. Bahl P, Padmanabhan VN. RADAR: an in-building RF-baseduser location and tracking system. In IEEE Infocom 2000, 2000;2: 775–784.

14. Priyantha NB, Chakraborty A, Balakrishnan H. The cricketlocation-support system. In MobiCom’00, 2000; 32–43.

15. Castro P, Chiu P, Kremenek T, Muntz RR. A probabilistic roomlocation service for wireless networked environments. In Ubi-Comp’01, 2001; 18–34.

16. Brands S, Chaum D. Distance-bounding protocols, In EURO-CRYPT’93, 1994; 344–359.

17. Sastry N, Shankar U, Wagner D. Secure verification of locationclaims. In WiSe’03, New York, NY, USA, 2003; 1–10.

18. Singelee D, Preneel B. Location verification using secure dis-tance bounding protocols. International Workshop on Wirelessand Sensor Networks Security, 2005.

19. Liu D, Ning P, Du W. Attack-resistant location estimation inwireless sensor networks. In IPSN’05, Los Angeles, California,USA, 2005; 99–106.

20. Warner JS, Johnston RG. Think GPS cargo tracking = high secu-rity? Think again. Technical report, Los Alamos National Lab-oratory, 2003.

21. Lazos L, Poovendran R. SeRLoc: robust localization for wirelesssensor networks. ACM Transactions on Sensor Networks 2005;1(1): 73–100.

22. Rivest RL, Shamir A, Adleman L. A method for obtaining digitalsignatures and public-key cryptosystems. Communications ACM1983; 26(1): 96–99.

23. Blake-Wilson S, Nystrom M, Hopwood D, Mikkelsen J, WrightT. RFC 3546: Transport Layer Security (TLS) Extensions, 2003.

24. Hubaux J-P, Capkun S, Luo J. The security and privacy of smartvehicles. IEEE Security and Privacy 2004; 2(3): 49–55.

25. Raya M, Papadimitratos P, Aad I, Jungels D, Hubaux J-P. Evic-tion of misbehaving and faulty nodes in vehicular networks.IEEE Journal on Selected Areas in Communications 2007; 25(8):1557–1568.

26. Hu Y, Perrig A, Johnson D. A defense against wormhole attacksin wireless ad hoc networks. In Proceedings of INFOCOM 2003,San Francisco, CA, USA, 2003.

27. Hu Y-C, Perrig A, Johnson DB. Ariadne: a secure on-demandrouting protocol for ad hoc networks. In MobiCom’02, 2002;12–23.

28. Marti S, Giuli TJ, Lai K, Baker M. Mitigating routing mis-behavior in mobile ad hoc networks. In MobiCom’00, 2000;255–265.

29. Qualnet Network Simulator. http://www.qualnet.com/


DOI: 10.1002/sec

Documents

Privacy-preserving secure relative localization in vehicular networks