Prof. J.-P. Hubaux Mobile Networks Module I – Part 2 Securing Vehicular Networks 1

Page 1

Prof. J.-P. Hubaux

Mobile Networks

Module I – Part 2: Securing Vehicular Networks

Page 2

Outline

Motivation

Threat model and specific attacks

Security architecture

Security analysis

Certificate revocation

Data-centric trust

Conclusion

Page 3

What is a VANET (Vehicular Ad hoc NETwork)?

[Figure: roadside base station; inter-vehicle communications; vehicle-to-roadside communications; emergency event]

• Communication: typically over Dedicated Short Range Communications (DSRC) at 5.9 GHz

• Example of protocol: IEEE 802.11p

• Penetration will be progressive (over 2 decades or so)

Page 4

Vehicular communications: why?

Combat the awful side-effects of road traffic

• In the EU, around 40’000 people die yearly on the roads; more than 1.5 million are injured

• Traffic jams generate a tremendous waste of time and of fuel

Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

Page 5

Why is VANET security important?

Large projects have explored vehicular communications: Fleetnet, PATH (UC Berkeley),…

No solution can be deployed if not properly secured

The problem is non-trivial

• Specific requirements (speed, real-time constraints)

• Contradictory expectations

Industry front: standards are still under development and suffer from serious weaknesses

• IEEE P1609.2: Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages

Research front

• A growing number of papers

Page 6

A modern vehicle

[Figure: forward radar; computing platform; event data recorder (EDR); positioning system (GPS); rear radar; communication facility; display (Human-Machine Interface)]

A modern vehicle is a network of sensors/actuators on wheels!

Page 7

Threat model

An attacker can be:

• Insider / Outsider

• Malicious / Rational

• Active / Passive

• Local / Extended

Attacks can be mounted on:

• Safety-related applications

• Traffic optimization applications

• Payment-based applications

• Privacy

Page 8

Attack 1: Bogus traffic information

[Figure: attacker’s message “Traffic jam ahead”]

Attacker: insider, rational, active

Page 9

Attack 2 : Generate “Intelligent Collisions”

[Figure: contradictory messages “SLOW DOWN” and “The way is clear”]

Attacker: insider, malicious, active

Page 10

Attack 3: Cheating with identity, speed, or position

[Figure: “Wasn’t me!”]

Attacker: insider, rational, active

Page 11

Attack 4: Jamming

[Figure: roadside base station; jammer]

Page 12

Attack 5: Tunnel

[Figure: physical tunnel or jammed area; wrong information]

Page 13

Attack 6: Tracking

[Figure: three observation points along A’s trip]

1. A at (x1,y1,z1) at time t1; A communicates with B

2. A refuels at time t2 and location (x2,y2,z2)

3. A enters the parking lot at time t3; A downloads from server X

Page 14

Our scope

We consider communications specific to road traffic: safety and traffic optimization

• Safety-related messages

• Messages related to traffic information

We do not focus on more generic applications, e.g., toll collect, access to audio/video files, games,…

Page 15

Security system requirements

Sender authentication

Verification of data consistency

Availability

Non-repudiation

Privacy

Real-time constraints

Page 16

Security Architecture

Page 17

Tamper-proof device

Each vehicle carries a tamper-proof device

• Contains the secrets of the vehicle itself

• Has its own battery

• Has its own clock (notably in order to be able to sign timestamps)

• Is in charge of all security operations

• Is accessible only by authorized personnel

[Figure: tamper-proof device connected to the vehicle sensors (GPS, speed and acceleration,…), the on-board CPU and the transmission system]

Page 18

Digital signatures

Symmetric cryptography is not suitable: messages are standalone, large scale, non-repudiation requirement

Hence each message should be signed with a digital signature (DS)

Liability-related messages should be stored in the EDR

[Figure: signer broadcasts a safety message to verifiers. Safety message: {Position, speed, acceleration, direction, time, safety events}; cryptographic material: {Signer’s DS, Signer’s PK, CA’s certificate of PK}]

Page 19

VPKI (Vehicular PKI)

[Figure: vehicles A and B, with keys PA and PB certified by the CA of the PKI, perform mutual authentication and derive a shared session key; security services listed: positioning, confidentiality, privacy, …]

Each vehicle carries in its Tamper-Proof Device (TPD):

• A unique and certified identity: Electronic License Plate (ELP)

• A set of certified anonymous public/private key pairs

Mutual authentication can be done without involving a server

Authorities (national or regional) are cross-certified

Page 20

The CA hierarchy: two options

[Figure: two certification trees. Option 1: Country 1 → Region 1, Region 2 → District 1, District 2 → Car A, Car B. Option 2: Manuf. 1, Manuf. 2 → Car A, Car B]

1. Governmental Transportation Authorities

• The governments control certification

• Long certificate chain

• Keys should be recertified on borders to ensure mutual certification

2. Manufacturers

• Vehicle manufacturers are trusted

• Only one certificate is needed

• Each car has to store the keys of all vehicle manufacturers

Page 21

Secure VC Building Blocks: Authorities

• Trusted entities issuing and managing identities and credentials

Page 22

Secure VC Building Blocks

Authorities

• Hierarchical organization

• ‘Forest’

Page 23

Secure VC Building Blocks (cont’d)

Roadside Unit

• ‘Re-filling’ with or obtaining new credentials

• Providing revocation information

[Figure: roadside units linked by wire-line connections to identity and credentials management]

Page 24

Anonymous keys

Preserve identity and location privacy

Keys can be preloaded at periodic checkups

The certificate of V’s ith key:

$Cert_{CA}[PuK_i^V] = PuK_i^V \,\|\, Sig_{SK_{CA}}[PuK_i^V \,\|\, ID_{CA}]$

Keys renewal algorithm according to vehicle speed (e.g., ≈ 1 min at 100 km/h)

Anonymity is conditional on the scenario

The authorization to link keys with ELPs is distributed

Page 25

What about privacy: how to avoid the Big Brother syndrome?

At 3:00 - Vehicle A spotted at position P1

At 3:15 - Vehicle A spotted at position P2

Keys change over time

Liability has to be enforced

Only law enforcement agencies should be allowed to retrieve the real identities of vehicles (and drivers)

Page 26

DoS resilience

Vehicles will probably have several wireless technologies onboard

In most of them, several channels can be used

To thwart DoS, vehicles can switch channels or communication technologies

In the worst case, the system can be deactivated

[Figure: network layer on top of DSRC, UTRA-TDD, Bluetooth, other]

Page 27

Data verification by correlation

Bogus info attack relies on false data

Authenticated vehicles can also send wrong data (on purpose or not)

The correctness of the data should be verified => data-centric trust

Correlation can help

Page 28

Security analysis

How much can we secure VANETs?

Messages are authenticated by their signatures

Authentication protects the network from outsiders

Correlation and fast revocation reinforce correctness

Availability remains a problem that can be alleviated

Non-repudiation is achieved because:

• ELP and anonymous keys are specific to one vehicle

• Position is correct if secure positioning is in place

Page 29

Certificate revocation in VANETs

The CA has to revoke invalid certificates:

• Compromised keys

• Wrongly issued certificates

• A vehicle constantly sends erroneous information

Using Certificate Revocation Lists (CRL) or online status checking is not appropriate

There is a need to detect and revoke attackers fast

Page 30

System model

There is a CA (Certification Authority)

Each vehicle has a public/private key pair, a TC (Trusted Component = TPD), and an EDR (Event Data Recorder)

Safety messages:

• Are broadcast and signed

• Include time and position

Several possible communication channels:

• DSRC

• Cellular

• WiMax

• Low-speed FM

Page 31

Adversary model

The adversary can be:

• Faulty node

• Misbehaving node

Example attack: false information dissemination

Adversaries have valid credentials

Honest majority in the attacker’s neighborhood

Page 32

Message validation

Scheme overview

[Figure: Vehicle functionality: TPD (Tamper-Proof Device), MDS (Misbehavior Detection System) and LEAVE (Local Eviction of Attackers by Voting Evaluators), exchanging local warning messages and node IDs. Evidence collection and revocation information link the vehicles to the CA (Certification Authority) and infrastructure functionality, which applies the CA policies to reach a revocation decision (Fail(ID)) and issues the revocation command through RTC (Rev. of the Trusted Component) or RC2RL (Rev. by Compressed CRLs)]

Page 33

Revocation protocols

We propose 2 protocols to revoke a vehicle’s keys:

• Rev. of the Trusted Component (RTC): CA revokes all keys

• Rev. by Compressed CRLs (RC2RL): if TC is not reachable

Local Eviction of Attackers by Voting Evaluators (LEAVE):

• Initiated by peers

• Generates a report to the CA, which triggers the actual revocation by RTC/RC2RL

Page 34

Revocation of the Trusted Component (RTC)

[Figure: RTC protocol exchange; legend: RSU: Road Side Unit; PuK = Public Key; T = Timestamp]

Page 35

Revocation by Compressed CRLs (RC2RL)

CRLs are compressed using Bloom filters

Bloom filter: space-efficient probabilistic data structure

• Can be queried to check if an element is in a set or not

• Configurable rate of false positives (but no false negatives)

[Figure: element “a” is hashed by k different hash functions H1(a) … Hk(a) with range 1…m; each sets one bit of a vector with m bits]
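An added Python example (not from the slides or the authors’ implementation) of a Bloom filter standing in for the compressed CRL of RC2RL: the filter size m and the number of hash functions k are derived from the expected number of revoked certificates and the chosen false-positive rate, and the check confirms the two properties stated above, no false negatives and a bounded false-positive rate. The certificate identifiers are constructed sample values.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter as the compressed CRL of RC2RL (added example).

    m (bits) and k (hash functions) are derived from the expected number of
    revoked certificates n and the tolerated false-positive rate p.
    """

    def __init__(self, n, p):
        self.m = max(1, math.ceil(-n * math.log(p) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # k bit positions in the m-bit vector, from k salted SHA-256 digests
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        # all k bits set -> "possibly revoked"; any bit clear -> "definitely not"
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))


def build_compressed_crl(revoked_ids, p=0.01):
    crl = BloomFilter(len(revoked_ids), p)
    for cert_id in revoked_ids:
        crl.add(cert_id)
    return crl


def measure(revoked_ids, valid_ids, p=0.01):
    """Check the slide's two properties: no false negatives, bounded false positives."""
    crl = build_compressed_crl(revoked_ids, p)
    false_negatives = sum(1 for c in revoked_ids if c not in crl)
    false_positives = sum(1 for c in valid_ids if c in crl)
    return {"bits": crl.m, "hashes": crl.k, "bytes": len(crl.bits),
            "false_negatives": false_negatives,
            "false_positive_rate": false_positives / len(valid_ids)}


# constructed sample: 1000 revoked and 10000 valid anonymous-key certificate ids
REVOKED = [f"cert-revoked-{i}" for i in range(1000)]
VALID = [f"cert-valid-{i}" for i in range(10000)]
```

With p = 0.01 the 1000 revoked identifiers fit in about 1.2 KB, against roughly 20 KB for the plain list of identifiers.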

Page 36

Local Eviction of Attackers by Voting Evaluators(LEAVE)

Page 37

Data-Centric Trust

[Figure: data trust → decision on event]

Page 38

What is Data-Centric Trust?

Page 39

Data-Centric Trust in Networks

[Figure: packet forwarding in traditional ad hoc networks vs data dissemination among nodes A, B, M in ephemeral networks; security associations and reputation are marked “Insufficient” and “Hard” for the ephemeral case]

Traditional ad hoc networks: Data Trust = Entity Trust

Ephemeral networks: Data Trust = F(Entity Trust, context)

Page 40

Event-specific trust

[Figure: general framework, trust computation. Nodes A, B, C, M send event reports $e_j$ (of a given type) from nodes $v_k$]

• Security status: $s(v_k)$

• Event-specific trust: $f(\text{default trustworthiness of } v_k,\ e_j)$

• Dynamic trust metric (location, time): $l(v_k, e_j)$

• Weights (data-centric trust levels): $F\big(s(v_k),\ f(\text{default trustworthiness of } v_k,\ e_j),\ l(v_k, e_j)\big)$

Page 41

[Figure: general framework, evidence evaluation. Nodes A, B, C, M send event reports $e_j$ (of a given type) from nodes $v_k$; the report contents are evaluated into per-node evidence $F_B(e_j)$, $F_C(e_j)$, $F_M(e_j)$, which feeds the decision logic and yields the decision on the reported event]

Page 42

Decision Logics

Most trusted report

Weighted voting

Bayesian inference

• Takes into account prior knowledge

Dempster-Shafer Theory

• Probability is bounded by belief and plausibility

• Uncertainty (lack of evidence) does not refute nor support evidence
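An added Python example (not from the slides or the authors’ work) that runs two of the decision logics above on event reports weighted by the data-centric trust levels of page 40: each report becomes a mass function whose weight is that node’s trust level (assumed here to be a number in [0, 1]), Dempster’s rule combines the reports into belief and plausibility bounds, and a weighted vote is computed for comparison. The reports are constructed values.

```python
from itertools import product

# Frame of discernment for one reported event e_j: it happened (T) or not (F);
# "TF" is the whole frame, i.e. the mass left as uncertainty.
T, F, TF = "T", "F", "TF"


def report_to_mass(says_event_happened, weight):
    """One node's report as a mass function; weight is its data-centric trust
    level for this event (the F(...) value of the framework, assumed in [0, 1]).
    The remainder 1 - weight is uncertainty, not support for the opposite."""
    return {T if says_event_happened else F: weight, TF: 1.0 - weight}


def combine(m1, m2):
    """Dempster's rule of combination over the {T, F} frame."""
    combined = {T: 0.0, F: 0.0, TF: 0.0}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = "".join(ch for ch in a if ch in b)  # set intersection
        if common:
            combined[common] += ma * mb
        else:
            conflict += ma * mb  # disjoint focal sets, i.e. {T} vs {F}
    if conflict >= 1.0:
        raise ValueError("total conflict: reports cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}


def dempster_shafer(reports):
    """(belief, plausibility) that the event happened, from (bool, weight) reports.
    The probability of the event is bounded by these two numbers."""
    m = {T: 0.0, F: 0.0, TF: 1.0}  # vacuous mass: no evidence yet
    for says, w in reports:
        m = combine(m, report_to_mass(says, w))
    return m[T], m[T] + m[TF]


def weighted_vote(reports):
    """Share of total trust weight supporting the event, for comparison."""
    total = sum(w for _, w in reports)
    return sum(w for says, w in reports if says) / total


# constructed sample: three reports on one event with trust weights 0.6, 0.5, 0.4
REPORTS = [(True, 0.6), (True, 0.5), (False, 0.4)]
```

A report with weight 0 leaves belief and plausibility unchanged, which is the “uncertainty does not refute nor support” property stated above.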

Page 43

Conclusion

Vehicular communications could lead to the largest mobile ad hoc network (around 1 billion nodes)

The security of that network is a difficult and highly relevant problem

Car manufacturers seem to be poised to massively invest in this area

Slow penetration makes connectivity more difficult

Security leads to a substantial overhead and must be taken into account from the beginning of the design process

The field offers plenty of novel research challenges

Pitfalls

• Defer the design of security

• Security by obscurity

More information at http://ivc.epfl.ch
