Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in Vehicular Ad Hoc Networks


Presented at WISA 2009 conference.


  1. Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in VANET
     Rasheed Hussain (1), Sangjin Kim (2), and Heekuck Oh (1)
     (1) Hanyang University, Department of Computer Science and Engineering
     (2) Korea University of Technology and Education, School of Information and Media Engineering, Republic of Korea
     26-08-2009
     © Information Security & Privacy Laboratory, Hanyang University
  2. Agenda
     • Motivation
     • Profile Generations and Pseudonyms
     • Multiple Pseudonyms
     • Proposed Pseudonymless Scheme
     • Grouping
     • Updating keys and groups
     • Evaluation
  3. Motivation [1/2]
     • Application requirement in VANET: a vehicle sends beacons every 100-300 ms
     • Due to security requirements, beacons are normally digitally signed
       • Signing cost is high
       • Verification cost is high
     • Scheuer et al. suggested using a symmetric key for noncritical messages (beacons) and providing the necessary security through TRH (Tamper-Resistant Hardware)
     • For fast revocation, pseudonyms were used
  4. Motivation [2/2]
     • Side effects of pseudonyms (especially a single pseudonym for each vehicle)
       • Profile generation
       • Remedy: mix zone, silent periods, GTTP
     • Multiple pseudonyms: (pseudonym, key) pairs
     • Extension of the framework outlined in *
     * "A privacy aware and efficient security infrastructure for vehicular ad hoc networks," by K. Plößl and H. Federrath, Computer Standards & Interfaces, 2008
  5. Framework
     [Figure from Plößl et al.'s scheme]
  6. TRH
     • We assume that every vehicle is equipped with TRH
     • Stored information
       • Root CA's certificate, TRH's certificate (CertTRH), vehicle's individual symmetric key (Kvi), vehicle's VRI (Vehicle-Related Identity), common symmetric key (Kall) and group ID (Gid)
     • As part of the operations of TRH, keys may be updated inside TRH by requesting the TTP and using the "key and group ID updating protocol"
     • Only authentic configuration is possible for the owner of the car at initialization or when the car is sold
     • All messages are assembled inside TRH
     • Keys are kept secure inside TRH (at least until TRH is removed or replaced by a new one)
  7. Multiple Pseudonyms [1/2]
     • Remedy within the frame of pseudonymity
     • How about multiple pseudonyms?
     [Figure: beacon format. Recoverable labels: Timestamp; Speed & Position; PAi; HMAC1; HMAC2; "Encrypted with"; keys KMACPAi, Kall and Kc]
     • Using multiple pseudonyms overcomes some of the deficiencies of using a single pseudonym
     • Downside!
       • Bad effects on space requirement
       • Inefficient bootstrapping
       • Requires a periodic refill strategy
  8. Multiple Pseudonyms [2/2]
     • GTTP (Geographically distributed Trusted Third Party): responsible for revocation of a VRI if it is required, but with the CA (GTA, Government Transportation Authority)
     • The main threat for profiling is the 'identities'
     • Is there a mechanism in which we don't need to use identities, beacons are sent anonymously, and the functionality of the entities is still maintained?
     • We should think of a 'pseudonymless' strategy
  9. Proposed Pseudonymless Scheme
     • We don't use any identity in beacons
     • The GTTP will search for the node by brute force if it needs to be revoked
     • Cost will be O(n), where n is the number of users currently served by the GTTP
     • Beacon format
       • Timestamp is for freshness
       • Kvi is the vehicle's individual secret key, which keeps changing after a specified amount of time (how?), and Kall is the common key
     • This beacon has no identity
  10. Is a 'no identity beacon' practical?
     • Pseudonyms are used for privacy and anonymity
       • But they cause profiling
     • Notion of insiders and outsiders
       • Encryption may be essential
     • Need for mix zones and silent periods, and their effect on services provided by VANET
     • Message size and security overhead are increased with the pseudonymous strategy
     • How often will the GTTP need to revoke the VRI?
     • The no-pseudonym strategy may be practical
  11. Why not a single TTP?
     • Until now we used the term 'GTTP'
     • With the pseudonymous strategy, GTTPs were used, each covering a relatively small area
       • Handled pseudonym operations and encryption functions
       • Reduces search space in case of revocation
       • A compromise, if any, is localized
     • In our scheme
       • By grouping, there is no need for GTTP to reduce revocation cost
       • To limit the amount of disclosed information in case of compromise, we update the keys
       • Use of a single TTP for key distribution, management and revocation
       • Replication for ease of access and efficiency, interconnected through RSUs
  12. Reducing the cost!
     • With 'No Pseudonym' the cost for search was O(n)
     • What if the TTP organizes the vehicles into groups somehow?
     • There must be a limit on group size!
     • Cost will be reduced to O(g) instead of O(n)
     • Group size should be a trade-off between efficiency of the TTP and privacy of the vehicle
  13. Grouping [1/2]
     • Group secret key:
       • Group secret key (Kg) is used for calculating HMAC1
       • Where Gid is the group ID and we included VRI in HMAC1
       • Kg is the group secret key used for HMAC1
     • Compromise of the group key affects the whole group!
  14. Grouping [2/2]
     • Individual secret key:
       • Individual secret key (Kvi) is used for calculating HMAC1
       • Kvi is the individual secret key used for HMAC1
       • Inclusion of VRI in HMAC1 is not needed
     • Revocation cost is still O(g)
     • Compromise of the secret key affects only a single vehicle!
  15. Grouping strategy
     • Sequential method
       • The TTP assigns entering vehicles the same group ID for a certain amount of time
       • At any instant, only one group will be growing
       • Threat to privacy in the long term, depending upon traffic density!
     • Random method
       • The TTP assigns group IDs to entering vehicles randomly
       • At any instant, every group will be populating equally
       • Random assignment preserves privacy and anonymity!
     • Our scheme uses an individual secret key with random grouping
  16. Key and Group Updation [1/2]
     • The amount of information disclosed in case of a key compromise is reduced by changing the keys periodically
     • Vehicles switch between groups
     • Requirements
       • Mutual authentication between TTP and TRH
       • Confidentiality
       • Integrity of the updated key (K'vi)
       • Availability of TTP
       • Tamper resistance of TRH
     • Both the group ID and individual secret keys keep changing according to the counter maintained in TRH
  17. Key and Group Updation [2/2]
     • KTRH-TTP is assumed to be established securely (possibly by using a secure Diffie-Hellman method)
     • K'vi is the updated individual secret key for the vehicle (TRH)
     • Gid is the new group ID and Rn is the random number
     • We assume that the encrypted message provides integrity of the inner content of the message
     • The TTP updates the database only if the acknowledgment is received
  18. Evaluation [1/2]
     • Security (beacon message and key updating protocol)
       • Beacons require integrity, privacy and revocation
       • We do not consider confidentiality
       • No need for strong authentication
       • Integrity is provided by calculating HMAC2
       • Integrity and confidentiality of the updated key K'vi depend upon the security of the session key protocol
     • Compromise of Kall and Kvi!
       • A severe problem will arise if a compromised Kall is used for injecting bogus information (e.g. false position) into the beacon
       • Assumptions on TRH take care of that!
  19. Evaluation [2/2]
     • Privacy
       • HMAC1 provides privacy
       • No other party can revoke the message until Kvi is obtained
       • If we remove the possibility of identifying vehicles using HMAC1, there is no information in the beacon by which a vehicle can be identified
       • Our scheme provides conditional anonymity
     • Efficiency
       • With SHA-256 (192-bit key) for HMAC and AES (192-bit key)
       • Security overhead in terms of size is (2 × 256 + 16) = 66 bytes
       • Beacon size is 366* bytes and security overhead is 18%
       • TRH calculates only 2 HMACs for beaconing
     * Supposing that 300 bytes are reasonable for beacon, alarm and warning
  20. Comparison with other schemes
     • H means HMAC calculation and E means symmetric encryption
  21. Merits of our system
     • Profile generation is avoided
     • GTTP, mix zones or silent periods are NOT required
     • Better efficiency with respect to computational and bandwidth cost
     • Space requirements are less than that of Scheuer et al.'s scheme
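The identity-free beacon and the grouped O(g) search from slides 9, 12, 14 and 19, as an added Python example that is not code from the presentation or its authors. The field layout is an assumption (the beacon-format figure is not preserved), chosen to match the stated overhead of two SHA-256 HMACs plus 16 bits; the function names and the sample population are hypothetical.

```python
import hashlib, hmac, os, random, struct

TAG = 32  # bytes in one HMAC-SHA256 output

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def make_beacon(k_vi, k_all, gid, timestamp, data):
    # Assumed layout: timestamp(8) | data | Gid(2) | HMAC1(32) | HMAC2(32)
    body = struct.pack(">Q", timestamp) + data
    hmac1 = mac(k_vi, body)                      # attributable only by the TTP
    signed = body + struct.pack(">H", gid) + hmac1
    return signed + mac(k_all, signed)           # integrity for every Kall holder

def verify_beacon(k_all, beacon):
    # Receiver side: check HMAC2 only; no identity is learned.
    return hmac.compare_digest(mac(k_all, beacon[:-TAG]), beacon[-TAG:])

def ttp_identify(db, beacon):
    # db maps Gid -> {VRI: Kvi}. Returns (VRI or None, HMAC1 trials made).
    signed = beacon[:-TAG]
    body, hmac1 = signed[:-TAG - 2], signed[-TAG:]
    gid = struct.unpack(">H", signed[-TAG - 2:-TAG])[0]
    trials = 0
    for vri, k_vi in db.get(gid, {}).items():    # search is limited to one group
        trials += 1
        if hmac.compare_digest(mac(k_vi, body), hmac1):
            return vri, trials
    return None, trials

def demo(n=1000, groups=20, seed=7):
    # Constructed population: n vehicles, random group assignment, 192-bit keys.
    rng = random.Random(seed)
    k_all, db = os.urandom(24), {}
    for vri in range(n):
        db.setdefault(rng.randrange(groups), {})[vri] = os.urandom(24)
    gid, members = next(iter(db.items()))
    vri, k_vi = list(members.items())[-1]        # worst case: last key tried
    beacon = make_beacon(k_vi, k_all, gid, 1251244800, bytes(292))
    found, trials = ttp_identify(db, beacon)
    return len(beacon), verify_beacon(k_all, beacon), found == vri, trials, len(members)

if __name__ == "__main__":
    print(demo())  # (beacon bytes, HMAC2 ok, TTP match, trials, group size)
```

With a 300-byte body the beacon comes to 366 bytes, and the TTP's worst-case search costs one HMAC per member of the indicated group rather than one per registered vehicle.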
