Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in Vehicular Ad Hoc Networks

Rasheed Hussain (1), Sangjin Kim (2), and Heekuck Oh (1)

(1) Hanyang University, Department of Computer Science and Engineering
(2) Korea University of Technology and Education, School of Information and Media Engineering, Republic of Korea

26-08-2009

© Information Security & Privacy Laboratory Hanyang University


Presented at WISA 2009 conference.


Agenda

Motivation

Profile Generations and Pseudonyms

Multiple Pseudonyms

Proposed Pseudonymless Scheme

Grouping

Updating keys and groups

Evaluation


Motivation[1/2]

Application requirement in VANET: vehicle sends beacons every 100-300 ms

Due to security requirements, beacons are normally digitally signed

Signing cost is high

Verification cost is high

Scheuer et al. suggested using symmetric key for non-critical messages (beacons) and necessary security through TRH (Tamper-resistant Hardware)

For fast revocation, pseudonyms were used


Motivation[2/2]

Side effects of pseudonyms (especially a single pseudonym for each vehicle)

Profile generation

Remedy: mix zone, silent periods, GTTP

Multiple pseudonyms: (pseudonym, key) pairs

Extension of the framework outlined in *

* “A privacy aware and efficient security infrastructure for vehicular ad hoc networks,” by K. Plößl and H. Federrath, Computer Standards & Interfaces, 2008


Framework

* Figure from Plößl et al.’s scheme


TRH

We assume that every vehicle is equipped with TRH

Stored information

Root CA’s certificate, TRH’s certificate (CertTRH), vehicle’s individual symmetric key (Kvi), vehicle’s VRI (Vehicle-related Identity), common symmetric key (Kall) and group ID (Gid)

As part of the operations of TRH, keys may be updated inside TRH by requesting TTP and using the “key and group ID updating protocol”

Only authentic configuration is possible for the owner of the car at initialization or when the car is sold

All messages are assembled inside TRH

Keys are kept secure inside TRH (at least until TRH is removed or replaced by a new one)


Multiple Pseudonyms[1/2]

Remedy within frame of pseudonymity

How about Multiple Pseudonyms?

Using multiple pseudonyms overcomes some of the deficiencies of using a single pseudonym

Downside!

Bad effects on space requirement

Inefficient bootstrapping

Requires a periodic refill strategy

Beacon format (figure): Timestamp | Speed & Position | PAi | HMAC1 with KMAC(PAi) | HMAC2 with Kall; encrypted with Kc


Multiple Pseudonyms[2/2]

GTTP (Geographically distributed Trusted Third Party): responsible for revocation of a VRI if it is required but with CA (GTA (Government Transportation Authority))

The main threat for Profiling is the ‘identities’

Do we have certain mechanism in which we don’t need to use identities, anonymously send beacons and the functionality of the entities is still maintained?

We should think of a ‘Pseudonymless’ strategy


Proposed Pseudonymless Scheme

We don’t use any identity in beacons

‘GTTP’ will search for the node by brute force if it needs to be revoked

Cost will be O(n) where n is the number of users that are currently served by GTTP

Beacon Format

Timestamp is for Freshness

Kvi is vehicle’s individual secret key that keeps on changing after a specified amount of time (how?) and Kall is the common key

This beacon has no identity


Is ‘No identity beacon’ practical?

Pseudonyms used for Privacy and anonymity

But they cause profiling

Notion of insiders and outsiders

Encryption may be essential

Need of Mixed Zones and Silent Period and their effect on services provided by VANET

Message size and security overhead are increased with Pseudonymous strategy

How often will GTTP need to revoke the VRI?

No-Pseudonym strategy may be practical


Why not single TTP?

Till now we used the term ‘GTTP’

With Pseudonymous strategy, GTTPs were used, each covering a relatively small area

Handled pseudonym operations and encryption functions

Reduces search space in case of revocation

A compromise, if any, is localized

In our scheme

By Grouping, no need of GTTP to reduce revocation cost

To limit the amount of disclosed information in case of compromise, we update the keys

Use of single TTP for key distribution, management and revocation

Replication for ‘easy to access’, efficiency and interconnect through RSUs


Reducing the cost!

With ‘No Pseudonym’ the cost for search was O(n)

What if TTP organizes the vehicles into groups somehow?

There must be a limitation on group size!

Cost will be reduced to O(g) instead of O(n)

Group size should be a trade-off between efficiency of TTP and privacy of vehicle


Grouping[1/2]

Group secret key:

Group Secret key (Kg) is used for calculating HMAC1

Where Gid is group ID and we included VRI in HMAC1

Kg is the group secret key used for HMAC1

Compromise of group key affects the whole group!


Grouping[2/2]

Individual secret key:

Individual Secret key (Kvi) is used for calculating HMAC1

Kvi is the individual secret key used for HMAC1

Inclusion of VRI in HMAC1 is not needed

Revocation cost is still O(g)

Compromise of secret key affects only a single vehicle!


Grouping strategy

Sequential Method

TTP assigns entering vehicles the same group ID for a certain amount of time

At an instant of time, only one group will be growing

Threat for privacy in long term depending upon traffic density!

Random Method

TTP assigns the group IDs to entering vehicles randomly

At an instant of time, every group will be populated equally

Random fashion preserves privacy and anonymity!

Our scheme uses individual secret key with random grouping
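
Added example (not from the slides): a Python sketch of the identity-free beacon and the TTP's O(g) revocation search with individual keys. The field layout, the data covered by each HMAC, the 16-bit Gid field and all function names are assumptions, since the slides do not give the exact HMAC inputs; keys and VRIs are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag; assumed overhead = 2 tags + 2-byte Gid = 66 bytes


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def make_beacon(k_vi: bytes, k_all: bytes, gid: int, timestamp: int, payload: bytes) -> bytes:
    """Assemble a beacon as the TRH would (assumed layout, no identity field)."""
    body = struct.pack(">QH", timestamp, gid) + payload
    hmac1 = tag(k_vi, body)            # linkable to a vehicle only by the TTP
    hmac2 = tag(k_all, body + hmac1)   # integrity check for any holder of Kall
    return body + hmac1 + hmac2


def verify_beacon(k_all: bytes, beacon: bytes) -> bool:
    """Receiver-side check: integrity via HMAC2 under the common key."""
    signed, hmac2 = beacon[:-TAG_LEN], beacon[-TAG_LEN:]
    return hmac.compare_digest(tag(k_all, signed), hmac2)


def resolve_vri(groups: dict, k_all: bytes, beacon: bytes):
    """TTP-side revocation search: try each Kvi in the beacon's group, O(g)."""
    if not verify_beacon(k_all, beacon):
        return None, 0
    body, hmac1 = beacon[:-2 * TAG_LEN], beacon[-2 * TAG_LEN:-TAG_LEN]
    _, gid = struct.unpack(">QH", body[:10])
    trials = 0
    for vri, k_vi in groups.get(gid, {}).items():
        trials += 1
        if hmac.compare_digest(tag(k_vi, body), hmac1):
            return vri, trials
    return None, trials


def build_demo(n_groups: int = 4, group_size: int = 5) -> dict:
    """Constructed TTP database {Gid: {VRI: Kvi}} with random 192-bit keys."""
    return {g: {f"VRI-{g}-{i}": os.urandom(24) for i in range(group_size)}
            for g in range(n_groups)}
```

The number of HMAC trials is bounded by the size of one group, not by the total number of registered vehicles.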


Key and Group Updation[1/2]

The amount of information disclosed in case of a key compromise is reduced by changing the keys periodically

Vehicles switch between groups

Requirements

Mutual Authentication between TTP and TRH

Confidentiality

Integrity of updated Key (K'vi)

Availability of TTP

Tamper Resistance of TRH

Both the group ID and individual secret keys keep changing according to the counter maintained in TRH


Key and Group Updation[2/2]

KTRH-TTP is assumed to be established securely (possibly by using a secure Diffie-Hellman method)

K'vi is the updated individual secret key for vehicle (TRH)

Gid is the new group id and Rn is the random number

We assume that the encrypted message provides integrity of inner content of the message

TTP updates the database only if the acknowledgment is received


Evaluation[1/2]

Security (beacon message and key updating protocol)

Beacons require integrity, privacy and revocation

We do not consider the confidentiality

No need for strong authentication

Integrity is provided by calculating HMAC2

Integrity and confidentiality of updated key depend upon the security of session key protocol

Compromise of Kall and Kvi!

Severe problem will arise if compromised Kall is used for injecting bogus information (e.g. false position) to the beacon

Assumptions on TRH take care of that!


Evaluation[2/2]

Privacy

HMAC1 provides privacy

No other party can revoke the message until Kvi is obtained

If we remove the possibility of identifying vehicles using HMAC1, there is no information in beacon by which vehicle can be identified

Our scheme provides conditional anonymity

Efficiency

With SHA-256 (192-bit key) for HMAC and AES (192-bit key)

Security overhead in terms of size is (2 x 256 + 16) bits = 66 bytes

Beacon size is 366* bytes and security overhead is 18%

TRH calculates only 2 HMACs for beaconing

* Supposing that 300 bytes are reasonable for beacon, alarm and warning


Comparison with other schemes

H means HMAC calculation and E means Symmetric encryption


Merits of our system

Profile generation is avoided

GTTP, Mix Zones or silent period is NOT required

Better efficiency with respect to Computational and Bandwidth cost

Space requirements are less than that of Scheuer et al.’s scheme
