Prof' J'P' Hubaux

1
Mobile NetworksModule I Part 2Securing
Vehicular Networks

• Prof. J.-P. Hubaux

2
Outline

• Motivation
• Threat model and specific attacks
• Security architecture
• Security analysis
• Certificate revocation
• Data-centric trust
• Conclusion

3
What is a VANET(Vehicular Ad hoc NETwork)?

• Communication typically over the Dedicated
  Short Range Communications (DSRC) (5.9 GHz)
• Example of protocol IEEE 802.11p
• Penetration will be progressive (over 2 decades
  or so)

4
Vehicular communications why?

• Combat the awful side-effects of road traffic
• In the EU, around 40000 people die yearly on the
  roads more than 1.5 millions are injured
• Traffic jams generate a tremendous waste of time
  and of fuel
• Most of these problems can be solved by providing
  appropriate information to the driver or to the
  vehicle

5
Why is VANET security important?

• Large projects have explored vehicular
  communications Fleetnet, PATH (UC Berkeley),
• No solution can be deployed if not properly
  secured
• The problem is non-trivial
• Specific requirements (speed, real-time
  constraints)
• Contradictory expectations
• Industry front standards are still under
  development and suffer from serious weaknesses
• IEEE P1609.2 Standard for Wireless Access in
  Vehicular Environments - Security Services for
  Applications and Management Messages
• Research front
• A growing number of papers

6
A modern vehicle
A modern vehicle is a network of
sensors/actuators on wheels !
7
Threat model

• An attacker can be
• Insider / Outsider
• Malicious / Rational
• Active / Passive
• Local / Extended
• Attacks can be mounted on
• Safety-related applications
• Traffic optimization applications
• Payment-based applications
• Privacy

8
Attack 1 Bogus traffic information
Traffic jam ahead

• Attacker insider, rational, active

9
Attack 2 Generate Intelligent Collisions
SLOW DOWN
The way is clear

• Attacker insider, malicious, active

10
Attack 3 Cheating with identity, speed, or
position
Wasnt me!

• Attacker insider, rational, active

11
Attack 4 Jamming
12
Attack 5 Tunnel
13
Attack 6 Tracking
14
Our scope

• We consider communications specific to road
  traffic safety and traffic optimization
• Safety-related messages
• Messages related to traffic information
• We do not focus on more generic applications,
  e.g., toll collect, access to audio/video files,
  games,

15
Security system requirements

• Sender authentication
• Verification of data consistency
• Availability
• Non-repudiation
• Privacy
• Real-time constraints

16
Security Architecture
17
Tamper-proof device

• Each vehicle carries a tamper-proof device
• Contains the secrets of the vehicle itself
• Has its own battery
• Has its own clock (notably in order to be able to
  sign timestamps)
• Is in charge of all security operations
• Is accessible only by authorized personnel

Tamper-proof device
((( )))
Vehicle sensors (GPS, speed and acceleration,)
Transmissionsystem
On-boardCPU
18
Digital signatures

• Symmetric cryptography is not suitable messages
  are standalone, large scale, non-repudiation
  requirement
• Hence each message should be signed with a DS
• Liability-related messages should be stored in
  the EDR

19
VPKI (Vehicular PKI)
Security services
Positioning
Confidentiality
Privacy
Shared session key
...
PKI
CA
P
P
A
B
Authentication
Authentication

• Each vehicle carries in its Tamper-Proof Device
  (TPD)
• A unique and certified identity Electronic
  License Plate (ELP)
• A set of certified anonymous public/private key
  pairs
• Mutual authentication can be done without
  involving a server
• Authorities (national or regional) are
  cross-certified

20
The CA hierarchy two options
1. Governmental Transportation Authorities
2. Manufacturers
Manuf. 1
Manuf. 2
Car B
Car A
Car B
Car A

• The governments control certification
• Long certificate chain
• Keys should be recertified on borders to ensure
  mutual certification

• Vehicle manufacturers are trusted
• Only one certificate is needed
• Each car has to store the keys of all vehicle
  manufacturers

21
Secure VC Building Blocks

• Authorities
• Trusted entities issuing and managing identities
  and credentials

22
Secure VC Building Blocks

• Authorities
• Hierarchical organization
• Forest

23
Secure VC Building Blocks (contd)

• Identity and Credentials Management

Re-filling with or obtaining new credentials
Roadside Unit
Wire-line Connections
Providing revocation information
Roadside Unit
24
Anonymous keys

• Preserve identity and location privacy
• Keys can be preloaded at periodic checkups
• The certificate of Vs ith key
• Keys renewal algorithm according to vehicle speed
  (e.g., 1 min at 100 km/h)
• Anonymity is conditional on the scenario
• The authorization to link keys with ELPs is
  distributed

25
What about privacy how to avoid the Big Brother
syndrome?
At 315 - Vehicle A spotted at position P2
At 300 - Vehicle A spotted at position P1

• Keys change over time
• Liability has to be enforced
• Only law enforcement agencies should be allowed
  to retrieve the real identities of vehicles (and
  drivers)

26
DoS resilience

• Vehicles will probably have several wireless
  technologies onboard
• In most of them, several channels can be used
• To thwart DoS, vehicles can switch channels or
  communication technologies
• In the worst case, the system can be deactivated

27
Data verification by correlation

• Bogus info attack relies on false data
• Authenticated vehicles can also send wrong data
  (on purpose or not)
• The correctness of the data should be verified gt
  data-centric trust
• Correlation can help

28
Security analysis

• How much can we secure VANETs?
• Messages are authenticated by their signatures
• Authentication protects the network from
  outsiders
• Correlation and fast revocation reinforce
  correctness
• Availability remains a problem that can be
  alleviated
• Non-repudiation is achieved because
• ELP and anonymous keys are specific to one
  vehicle
• Position is correct if secure positioning is in
  place

29
Certificate revocation in VANETs

• The CA has to revoke invalid certificates
• Compromised keys
• Wrongly issued certificates
• A vehicle constantly sends erroneous information
• Using Certificate Revocation Lists (CRL) or
  online status checking is not appropriate
• There is a need to detect and revoke attackers
  fast

30
System model

• There is a CA (Certification Authority)
• Each vehicle has a public/private key pair, a TC
  (Trusted Component TPD), and an EDR (Event Data
  Recorder)
• Safety messages
• Are broadcast and signed
• Include time and position
• Several possible communication channels
• DSRC
• Cellular
• WiMax
• Low-speed FM

31
Adversary model

• The adversary can be
• Faulty node
• Misbehaving node
• Example attack false information dissemination
• Adversaries have valid credentials
• Honest majority in the attackers neighborhood

32
Scheme overview
CA (Certification Authority) and Infrastructure
Functionality
Vehicle Functionality
Local Warning Messages
CA Policies
Evidence Collection
LEAVE(Local Eviction of Attackers by Voting
Evaluators)
Revocation Decision
Node ID
MDS (Misbehavior Detection System)
Revocation Information
RC2RL (Rev. by Compressed CRLs)
Message validation
TPD(Tamper-Proof Device)
RTC (Rev. of the Trusted Component )
Fail(ID)
Revocation Command
33
Revocation protocols

• We propose 2 protocols to revoke a vehicles
  keys
• Rev. of the Trusted Component (RTC) CA revokes
  all keys
• Rev. by Compressed CRLs (RC2RL) if TC is not
  reachable
• Local Eviction of Attackers by Voting Evaluators
  (LEAVE)
• Initiated by peers
• Generates a report to the CA, which triggers the
  actual revocation by RTC/RC2RL

34
Revocation of the Trusted Component (RTC)
RSU Road Side Unit PuK Public Key T
Timestamp
35
Revocation by Compressed CRLs (RC2RL)

• CRLs are compressed using Bloom filters
• Bloom filter space-efficient probabilistic
  data-structure
• Can be queried to check if an element is in a set
  or not
• Configurable rate of false positives (but no
  false negatives)

element a
k different hash functions with range 1m
H1(a)
H2(a)
Hk(a)

vector with m bits

1
1
1
0
0
0
0
0
0
0
1
2
3
m
36
Local Eviction of Attackers by Voting
Evaluators(LEAVE)
37
Data-Centric Trust
Data Trust
Decision on event
38
What is Data-Centric Trust?
39
Data-Centric Trust in Networks
Traditional ad hoc networks
Ephemeral networks
Data dissemination Insufficient Hard

• Packet forwarding
• Security associations
• Reputation

Data Trust Entity Trust
Data Trust F(Entity Trust, context)
40
General FrameworkTrust Computation
B
C
A
M
Location Time
Event-specific trust
Dynamic trust metric
Security status
is the default trustworthiness
Weights (data-centric trust levels)
41
General FrameworkEvidence Evaluation
B
C
A
M
Decision Logic
Report contents
Decision on Reported Event
42
Decision Logics

• Most trusted report
• Weighted voting
• Bayesian inference
• Takes into account prior knowledge
• Dempster-Shafer Theory
• probability is bounded by belief and plausibility
• Uncertainty (lack of evidence) does not refute
  nor support evidence

43
Conclusion

• Vehicular communications could lead to the
  largest mobile ad hoc network (around 1 billion
  nodes)
• The security of that network is a difficult and
  highly relevant problem
• Car manufacturers seem to be poised to massively
  invest in this area
• Slow penetration makes connectivity more
  difficult
• Security leads to a substantial overhead and must
  be taken into account from the beginning of the
  design process
• The field offers plenty of novel research
  challenges
• Pitfalls
• Defer the design of security
• Security by obscurity
• More information at http//ivc.epfl.ch