Presented at WISA 2009 conference.
© Information Security & Privacy Laboratory Hanyang University
Towards Privacy Aware Pseudonymless
Strategy for Avoiding Profile Generation in
VANET
Rasheed Hussain (1), Sangjin Kim (2), and Heekuck Oh (1)
(1) Hanyang University, Department of Computer Science and Engineering
(2) Korea University of Technology and Education, School of Information and Media Engineering
Republic of Korea
26-08-2009
Agenda
Motivation
Profile Generations and Pseudonyms
Multiple Pseudonyms
Proposed Pseudonymless Scheme
Grouping
Updating keys and groups
Evaluation
Motivation[1/2]
Application requirement in VANET: vehicle sends beacons every 100-300 ms
Due to security requirements, beacons are normally digitally signed
Signing cost is high
Verification cost is high
Scheuer et al. suggested using a symmetric key for non-critical messages (beacons), with the necessary security provided through TRH (Tamper-Resistant Hardware)
For fast revocation, pseudonyms were used
Motivation[2/2]
Side effects of pseudonyms (especially a single pseudonym for each vehicle)
Profile generation
Remedy: mix zone, silent periods, GTTP
Multiple pseudonyms: (pseudonym, key) pairs
Extension of the framework outlined in *
* “A privacy aware and efficient security infrastructure for vehicular ad hoc networks,” by K. Plößl and H. Federrath, Computer Standards & Interfaces, 2008
Framework
* Figure from Plößl et al.’s scheme
TRH
We assume that every vehicle is equipped with TRH
Stored information
Root CA’s certificate, TRH’s certificate (CertTRH), vehicle’s individual symmetric key (Kvi), vehicle’s VRI (Vehicle-Related Identity), common symmetric key (Kall) and group ID (Gid)
As part of the operations of TRH, keys may be updated inside TRH by requesting TTP and using the “key and group ID updating protocol”
Only authentic configuration is possible for the owner of the car at initialization or when the car is sold
All messages are assembled inside TRH
Keys are kept secure inside TRH (at least until TRH is removed or replaced by a new one)
Multiple Pseudonyms[1/2]
Remedy within the frame of pseudonymity
How about multiple pseudonyms?
Using multiple pseudonyms overcomes some of the deficiencies of using a single pseudonym
Downside!
Bad effects on space requirements
Inefficient bootstrapping
Requires a periodic refill strategy
[Figure: beacon format with multiple pseudonyms. Fields: Timestamp | Speed & Position | PAi | HMAC1 with the MAC key for PAi | HMAC2 with Kall. Encrypted with Kc.]
Multiple Pseudonyms[2/2]
GTTP (Geographically distributed Trusted Third Party): responsible for revocation of a VRI if it is required, but together with the CA (GTA, Government Transportation Authority)
The main threat for profiling is the ‘identities’
Is there a mechanism in which we don’t need to use identities, beacons are sent anonymously, and the functionality of the entities is still maintained?
We should think of a ‘Pseudonymless’ strategy
Proposed Pseudonymless Scheme
We don’t use any identity in beacons
‘GTTP’ will search for the node by brute force if it needs to be revoked
Cost will be O(n), where n is the number of users currently served by GTTP
Beacon Format
Timestamp is for freshness
Kvi is the vehicle’s individual secret key, which keeps changing after a specified amount of time (how?), and Kall is the common key
This beacon has no identity
Is ‘No identity beacon’ practical?
Pseudonyms are used for privacy and anonymity
But they cause profiling
Notion of insiders and outsiders
Encryption may be essential
Need for mix zones and silent periods, and their effect on services provided by VANET
Message size and security overhead are increased with the pseudonymous strategy
How often will GTTP need to revoke the VRI?
No-pseudonym strategy may be practical
Why not single TTP?
Till now we used the term ‘GTTP’
With the pseudonymous strategy, GTTPs were used, each covering a relatively small area
Handled pseudonym operations and encryption functions
Reduces search space in case of revocation
A compromise, if any, is localized
In our scheme
By grouping, there is no need for GTTP to reduce revocation cost
To limit the amount of disclosed information in case of compromise, we update the keys
Use of a single TTP for key distribution, management and revocation
Replication for ease of access and efficiency, interconnected through RSUs
Reducing the cost!
With ‘No Pseudonym’ the cost for search was O(n)
What if TTP organizes the vehicles into groups somehow?
There must be a limit on group size!
Cost will be reduced to O(g) instead of O(n)
Group size should be a trade-off between efficiency of TTP and privacy of vehicle
Grouping[1/2]
Group secret key:
Group secret key (Kg) is used for calculating HMAC1
Where Gid is the group ID and we included VRI in HMAC1
Kg is the group secret key used for HMAC1
Compromise of the group key affects the whole group!
Grouping[2/2]
Individual secret key:
Individual secret key (Kvi) is used for calculating HMAC1
Kvi is the individual secret key used for HMAC1
Inclusion of VRI in HMAC1 is not needed
Revocation cost is still O(g)
Compromise of the secret key affects only a single vehicle!
Grouping strategy
Sequential Method
TTP assigns entering vehicles the same group ID for a certain amount of time
At an instant of time, only one group will be growing
Threat to privacy in the long term, depending upon traffic density!
Random Method
TTP assigns the group IDs to entering vehicles randomly
At an instant of time, every group will be populated equally
Random fashion preserves privacy and anonymity!
Our scheme uses an individual secret key with random grouping
Key and Group Updating[1/2]
The amount of information disclosed in case of a key compromise is reduced by changing the keys periodically
Vehicles switch between groups
Requirements
Mutual authentication between TTP and TRH
Confidentiality
Integrity of updated key (K'vi)
Availability of TTP
Tamper resistance of TRH
Both the group ID and individual secret keys keep changing according to the counter maintained in TRH
Key and Group Updating[2/2]
KTRH-TTP is assumed to be established securely (possibly by using a secure Diffie-Hellman method)
K'vi is the updated individual secret key for the vehicle (TRH)
Gid is the new group ID and Rn is the random number
We assume that the encrypted message provides integrity of the inner content of the message
TTP updates the database only if the acknowledgment is received
Evaluation[1/2]
Security (beacon message and key updating protocol)
Beacons require integrity, privacy and revocation
We do not consider confidentiality
No need for strong authentication
Integrity is provided by calculating HMAC2
Integrity and confidentiality of the updated key (K'vi) depend upon the security of the session key protocol
Compromise of Kall and Kvi!
A severe problem will arise if a compromised Kall is used for injecting bogus information (e.g. false position) into the beacon
Assumptions on TRH take care of that!
Evaluation[2/2]
Privacy
HMAC1 provides privacy
No other party can revoke the message until Kvi is obtained
If we remove the possibility of identifying vehicles using HMAC1, there is no information in the beacon by which a vehicle can be identified
Our scheme provides conditional anonymity
Efficiency
With SHA-256 (192-bit key) for HMAC and AES (192-bit key)
Security overhead in terms of size is (2 x 256 + 16) bits = 66 bytes
Beacon size is 366* bytes and security overhead is 18%
TRH calculates only 2 HMACs for beaconing
* Supposing that 300 bytes are reasonable for beacon, alarm and warning
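The following sketch is an added example, not code from the presentation: it builds an identity-free beacon with the sizes given on the Efficiency slide and runs the TTP's revocation search restricted to one group, as described on the grouping slides. The field order, what each HMAC covers, reading the 16 bits as the group ID, and the names `make_beacon`, `TTP.identify` and the `VRI-...` labels are assumptions, because the beacon-format figure is not on this page.

```python
import hashlib
import hmac
import os
import secrets
import struct
K_ALL = os.urandom(24)  # common key Kall (192-bit, per the Efficiency slide)
MAC_LEN = 32            # HMAC-SHA-256 tag length in bytes

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def make_beacon(payload, gid, k_vi):
    """Assumed layout: payload || Gid (16 bit) || HMAC1 || HMAC2, no identity."""
    head = payload + struct.pack(">H", gid)
    mac1 = tag(k_vi, head)           # HMAC1 under the individual key Kvi
    mac2 = tag(K_ALL, head + mac1)   # HMAC2 under Kall: integrity for receivers
    return head + mac1 + mac2

def verify_integrity(beacon):
    """Check any holder of Kall can run; it reveals nothing about the sender."""
    return hmac.compare_digest(beacon[-MAC_LEN:], tag(K_ALL, beacon[:-MAC_LEN]))

class TTP:
    def __init__(self, n_groups):
        self.groups = [{} for _ in range(n_groups)]  # index Gid -> {VRI: Kvi}

    def enroll(self, vri):
        gid = secrets.randbelow(len(self.groups))    # random grouping method
        k_vi = self.groups[gid][vri] = os.urandom(24)
        return gid, k_vi

    def identify(self, beacon):
        """Revocation search over the beacon's group only: O(g), not O(n)."""
        if len(beacon) < 2 + 2 * MAC_LEN or not verify_integrity(beacon):
            return None, 0
        head, mac1 = beacon[:-2 * MAC_LEN], beacon[-2 * MAC_LEN:-MAC_LEN]
        gid = struct.unpack(">H", head[-2:])[0]
        members = self.groups[gid] if gid < len(self.groups) else {}
        for tried, (vri, k_vi) in enumerate(members.items(), 1):
            if hmac.compare_digest(mac1, tag(k_vi, head)):
                return vri, tried
        return None, len(members)

def demo(n_vehicles=200, n_groups=10):
    ttp = TTP(n_groups)
    creds = {v: ttp.enroll(v) for v in (f"VRI-{i:03d}" for i in range(n_vehicles))}
    gid, k_vi = creds["VRI-042"]                      # constructed sample vehicle
    beacon = make_beacon(os.urandom(300), gid, k_vi)  # constructed 300-byte payload
    return (len(beacon), *ttp.identify(beacon), len(ttp.groups[gid]))
```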
Comparison with other schemes
H means HMAC calculation and E means Symmetric encryption
Merits of our system
Profile generation is avoided
GTTP, mix zones and silent periods are NOT required
Better efficiency with respect to computational and bandwidth cost
Space requirements are less than those of Scheuer et al.’s scheme