A Secure Communication Scheme without Trusted RSU Setting for VANET

신뢰 RSU 세팅이 필요 없는 VANET 보안통신 기법

Abstract

Secure communication has been one of the main challenges in vehicular ad hoc networks(VANET) since broadcast messages from nearby vehicles contain life-critical information for drivers and passengers. So far various secure communication schemes have been proposed to secure the communication in VANET, and they satisfy most security requirements. However most of them need to put trust on roadside units(RSUs), which are usually deployed in unattended area and vulnerable to compromise. In this paper, we propose a secure communication scheme, which does not need to put trust on RSUs. And we adopt a grouping technique to averagely divide the huge burden in the server without jeopardizing the anonymity of users. Moreover we design a complete set of protocols to satisfy common security requirements with a relatively lower hardware requirement. At last, we evaluate the scheme with respect to security requirements, communication overhead, storage overhead and network performance.

근접한 차량으로부터 수신한 브로드케스트 메시지는 운전자와 승객의 생명과 직간접적으로 연관이 있는 메시지를 포함하고 있기 때문에 VANET에서 보안 통신은 주요 과제 중 하나가 되어 왔다. 이 때문에 보안 통신에 대한 다양한 기법들이 제안되어 왔다. 하지만, 그 기법들의 대부분은, 직접적으로 관련되지 않는 즉 방치된, RSU를 신뢰해야 한다는 가정에 기반을 두고 있다. 본 논문은 RSU를 신뢰할 필요가 없는 보안 통신 기법을 제안하며 사용자의 익명성을 위태롭게 하는 것 없이 서버에 지워지는 부담을 평균적으로 나누기 위하여 그룹핑 기술을 적용하였다. 게다가 본 논문에서는 상대적으로 낮은 하드웨어 성능을 요구하는 보안 요구 사항을 만족시키기 위하여 완전 집합(Complete set)을 설계하였다. 마지막으로 본 논문은 보안 요구사항, 통신 오버헤드, 저장 용량, 그리고 네트워크 성능 측면에서 제안한 기법을 평가하였다.

Ⅰ. Introduction

Vehicular ad hoc networks (VANET) enable vehicles to communicate with each other and roadside units (RSU) by virtue of onboard unit(OBU) 양quipped in each vehicle and d 냔 dic&ted short range c* ommunica tions(DSRC(l]). With such networks the safety and efficiency in transportation systems can be improved. According to DSRC, each vehicle should periodically broadcast its routine traffic and safety information[2] which contains its current location, speed, changing of direction or some urgent situation. With such information, the recipient can be well aware of their driving environment and make appropriate decision to avoid traffic accident or jam.

All the attractive functionalities mentioned above should be based on a secure and privacy preserving authentication scheme. Receivers should not only be convinced that the message is intact and fresh, but also be convinced that it really come from the claimed source vehicle. At the same time, the user's personal information, such as the driver's name, license plate, etc, must be protected from leaking out, otherwise the attacker can track the driver's moving history and current location. For the police authority, it should be able to identify the real identity of the sender of any malicious message and stop his further misbehavior. Different from the conventional networks, the hardware resource on OBU is strictly limited and the wireless communication has a higher channel error rate than the one in conventional network, so the security protocols that work well in conventional networks may be no longer suitable for the VANET. In this paper, we are committed to design a secure communication scheme for VANET to solve these problems with a relatively lower hardware requirements on OBU.

1.1 Related Work

Many security protocols for VANET have been proposed. Security issues remain to be solved in VANET are surveyed in〔3〕. The attack types and a set of security primitives are discussed in〔4〕. Extensive studies have been reported on inter-vehicle communications (JVC) in〔5〕. A huge anonymous keys based protocol was proposed in 〔6〕, in that scheme each OBU is equipped with a huge number of certified key pairs(denoted as HAB in the following context). The OBU chooses one of them randomly to sign the traffic message in a certain period of time and changes the key pairs in next period of time in order to provide the sender with anonymity. To achieve traceability, the authority keeps all the certified key pairs that each vehicle possesses. In GSIS〔7〕, a group signature technique based scheme(denoted as GSB in the following context) was proposed, it integrates the techniques of group signaturee] and identity based signature (IBS〔9〕). In GSB the wireless communications are divided into two categories and secured with different approaches: group signature is used to sign the messages launched by OBUs and identity based signature is used to sign the messages launched by RSUs. In〔10〕, the authors proposed a VANET key management scheme, which is based on temporary anonymous certified keys (denoted as TACK in the following context) to achieve anonymous authentication and short revocation list. A conditional privacy preservation pro-tocoKdenoted as ECPP in the following context) was proposed in〔11〕. In ECPP, the privacy is divided into three levels and RSUs are responsible for issuing temporary public key certificates for vehicles.

The above papers respectively addressed most of security problems that VANET encounters with, but they are not perfect. HAB[6] and GSB〔7〕both fall short in the aspects of requiring a huge storage for anonymous keys and safety message anonymous authentication. GSB〔7〕and TACKU이 both adopt group signature, which needs a strong computational capacity, however the hardware resource on OBU is strictly limited. GSB(7] and ECPPC₁₁] fall short of putting trust on th연 RSUs, which are usually deployed in the unattended area and more attractive and vulnerable to compromise.

1.2 Our Contribution

In this paper, we will propose an anonymous authentication w샹tocol that integrates most merits 랺f existing protocols listed in previous subsection.

Most of the existing schemes need to put trust on the RSUs, however RSUs are usually deployed in unattended area, this weakens the security level of the scheme. In our proposed scheme, the RSU only acts as a message forw윥rder between sever and vehicl슨. it does not need to process any se구si-tive information, cons즌quently there comes an obvious obstruction for such a architecture in VANET, it is the burden for the server. Becans연 there may be a huge number of vehicles in the scheme, the burden for th안 server could be unacceptable. We adopt a grouping technique, the vehicles are divided into small groups and each group is managed by one of distributed senzefs(DS), by which the burden of server can be divided averagely without jeopardizing the anonymity of the vehi시es.

To achieve the revocation, a revocation list(RL) is us연d in most of existing schemes. HAB and GSB both use the RL, and 나ley both need a large unacceptable storage space when the size of RL becomes big. In TACK, temporary anonymous certified keys is used to tackle the problem, The temporary anonymous certified keys are also used in our proposed protocol to achieve relative short RL.

Because of th언 strict limitation on hardware resource on OBUs, the scheme is designed to use a variant of ECDSA-192C12H13] and keyed-hash function(14J as main 當ypt。-graphic algorithms, both of them need relatively lower computing resource.

The remainder of the paper is organized as follows. In Section 2, the scheme architecture and some important detail will be described, followed by the 요젼curity analysis, communication overhead analysis and storage overhead analysis in Section 3. We present the simulation in Section 4. Finally we conclude the paper in Section 5.

Ⅱ. Proposed Scheme

2.1 System Model and Assumptions

Usually VANET hierarchically consists of three layers of entities as shown in Figure 1. The first layer is registration & certificates authority(RCA), which is assumed to be trusted by all parties and it is infeasible for any attacker to compromise. The second layer consists of the roadside units(RSUs), which are usually deployed in unattended area. Th얘 RSUs are considered as untrusted entities and wired-connected to the RCA, in proposed scheme the delay between RCA and RSU is assumed to be negligible. According to DSRC, the communication range of RSU and OBU is about 300m, so in the proposed scheme we assume that the RSUs are deployed along the road every 600m to guaran-tee that OBU can update its temporary certified key before it expires at all time. The third layer consists of all the vehicles. We assume that every vehicle is equipped with global positioning system(GPS)〔15〕, an accurate clock and tamper-proof device[16), which can protect the pre-shared sensitive information from leaking out. The number of OBUs in the whole scheme could be up to millions, the number of RSUs depends on the total distance of 호oads, and there is only one RCA.

(Figure 1) System Mod이

2.2 System Notations

The following notations are used to describe the scheme.

RCA- Registration & certificate authority.

Gk- The group id of the 貼 group.

: The maximum number of vehicles in one group.

DSk'- The 炉‘ distributed server.

VDe The 貼 vehicle database.

Z日아: The『 temporary id history database.

P* K The public key of id

SKid: The private key of id

The 舟 vehicle with designated equipment

丑Z: The real identity of Vi

丑)S The fh temporary id of Vi

切vq(m): A symm얀trie-key encryption function on message m using th쟌 key

k

庭q(m): A symmetric-key decryption function on message m using the key

k

Keyed-hash message authentication code on message m using the key k

SIGuJe): Signature on message m with ID's private key

CERTe The fh temporary certificate of vehicle vt

LLK「Long-live key shared between 匕 and RCA

丑(m): A cryptographic hash function on messa흥얀 m

T湖I房 Valid time for lDtj

Tvalifi.吋顽: Th욘 alive time for a temporary id

£: A time threshold to check the freshness of messages.

tevent- The timestamp of event.

2.3 Scheme Description

2.3.1 RCA Initiation

RCA consists of n distributed servers (DSs), each DS manages a group of vehicles and maintains two databases: vehicle data-base(VD) and temporary id history database (THD). The number of users in one group is less than Ae8X in order to keep the time used for database operation small-

Vehicle database. VD keeps the current temporary id, current private key, Tvalid for current temporary id, last-used temporary id, real id and the LLK. The format of the record in VD is as follows-

#

Temporary id history database. THD records all the temporary ids that have be샨!! used by vehicle옪 and corresponding real id. This database is used for tracing the real identity of any malicious traffic message presented to RCA by police authorities.

2.3.2 Vehi이e Registration Phase

At first each vehicle must register at RCA before it can use the VANET system. The registration prgss is as follows:

1, When the vehicle « comes h) register, the vehicle is randomly assigned to a group Gk, in which the number of vehicles is less than 叫供・

2. RCA redirects the registration request to 나le DSk, and % submits its real id to DSk at tregister.

3. On receiving the ID{, DSk generates a symmetric key as ID;s long-live key (기and an asymmetric key pairs: RJ'same with lDiA) and SK【以 at random. Then DSk computes the Tvahd_IDa by the following equation:

#

Then DSk generates V/s first temporary certificate by the following equation;

#

4. Then DSk sends the lDn, S* tJ <, 血-叫, Gk and CERT让 to 匕 난irough a secure channel. Then DSk updates related databases.

5. On receiving the first temporary id and related information, 匕 saves ID讥, SKID&, 4血-丑w Gk and CERTn into the tamper-proof device on OBU.

Vehicle registration phase done.

2.3.3 Certificate Updating 마lase

Because the valid period of each temporary certificate is limited, the vehi시e needs to update its temporary certificate before it expires. The vehicle can update it with the help of RSUs. The certificate updating process is as follows -

1. 匕 sends the certificate updating requesting message(CURM) to the nearest RSU. The format of CURM is as follow:

#

2. On receiving the CURM from the 匕, RSU checks the freshness of the message by the following equation-

#

If the CURM is fresh, the RSU forwards

it to RCA, otherwise abandons it.

3. On receiving the CURM, the RCA forwards it to DSk.

4. On receiving the CURM, DSi looks up the vehicle database for ID& There are two cases:

Case 1: If the IDl3 is found in the "current temporary id" field, DSk generates a new asymmetric key pairs Q搭B)(same with 鶴(j+i)) and SK[f then computes the 农宀丑by the following equation:

#

DSk generates a new temporary certificate by the following equation:

#

At last DSk generates the certificate updating message(CUM) and updates related databases. The format of CUM is as following:

#

Case 2: If the ID“ is found in the "last used temporary id" field. It indicates that in last certificate updating session, the vehicle failed to receive the CUM and still used the old temporary id to apply for updating. If this happens, the DSk needs to do:

Gets the temporary id in 'current temporary id" field and the SKIDe in private key field, computes a new Tvalid_ID_^ by the following equation:

#

Then DSk generates a new temporary certificate by the following equation:

#

At last DSk generates the CUM and updates related databases.

5. DSk sends 난圮 CUM to RCA.

6. On receiving 난le CUM, the RCA forwards it to the original RSU.

7. On receiving the CUM, the RSU forwards it to Vi immediately.

8. On receiving the CUM, the 匕 updates the temporary id and related information. Certificate updating phase done.

2.3.4 Message Authentication 가}ase

When 匕 broadcasts the traffic message M to its neighbors, the message authentication is needed. The message authentication process is as follows:

1. Vt generates a timestamp 如.血°心 and signs on the message M and #

#

Then 匕 constructs a traffic message(TM) and broadcasts it to its neighbors.

#

2. On receiving TM, the recipient needs to do the following steps to authenticate the message.

Step 1. Checks the freshness of the message by the following equation;

#

If it is not fresh, abandons the TM.

Step 2. Checks the revocation list to see if the ID置 has been revoked. If it has been revoked, abandons the TM.

Step 3. Verifies the temporary certificate CERT曙 with public key of RCA. If it is not valid, abandons the TM.

Step 4. Verifies SlGIDi(H{eoadcast)) with sender's temporary public key (7%). If it is valid, accepts M, otherwise abandons it.

Message authentication phase done.

2.3.5 Tracing and Revocation Phase

Given a malicious TM, RCA can identify the vehicle and stop its further misbehavior through the following steps'

1. RCA sends the IDX to the DS with group number Gk.

2. On receiving the IDX, DSk looks up the VD and the THD, gets the corresponding real identity ID讣 puts it into black list and checks the VD to see whether it still has alive temporary certificate. If it still has alive temporary certificate, DSk constructs a revocation message (RM).

The format of RM is as follows-

#

Then DSk sends the RM and real id(7R)to RCA.

3. On receiving the RM and IDiy DSk gives /D. to police authority and forward앙 the RM to all the RSUs.

4. On receiving the RM, RSUs broadcasts it to the vehicles within its coverage.

5. On receiving the RM, 匕 first verifies the signature signed by RCA with RCA's public key, if valid, 匕 add the .revoked temporary id IDX and Tvalid_/De into the revocation list on its OBU.

Tracing and revocation phase done.

2.4 Some Important Details

2.4.1 Countermeasure to Certificate Updating Failure

Proposed scheme provides an efficient mechanism to deal with the certificate updating failure caused by the high transmitting error rate in wireless channel. There are two cases of failure, the solutions for each are as follows:

1. The transmitting error happened to the CURM. If this happens, the RCA can not receive the CURM. The countermeasure is simple, the vehicle just waits for a certain period of time, if it does not get the CUM in the period, it sends the CURM again.

2. The transmitting error happened to the CUM from RCA to the vehicle. It indicates that the RCA indeed received the CURM, generated the new temporary id and sent the CUM to the vehicle, however the transmitting error happened to the CUM and the vehicle failed to receive the CUM. We address this problem with adding a ''last used temporary id" field into the vehicle database to records the old temporary id to keep the consistency of vehicle database. The detail has been described in Section 2.3.3.

2.4.2 Reducing Red나ndant Comp니tation

In some cases, some vehicles may be in the same area in a certain period, so there may be redundant computation on verifying the message sent by the same vehicle. In order to avoid such kind of redundant computation, we propose this optimization. To carry out the optimization we need to add a device into the OBU to record the valid PKe and corresponding Tsignetime. For instance, we assume V1 and V2 are the two vehicles running in the same area in a certain time, when % broadcasts a message to its neighbors with using temporary idQ%), if the message passes the authentication, its neighbors can save the 丑% and corresponding Tvalid_ID_. So its neighbors do not need to verify the certificate repeatedly until ID飪 expires.

2.4.3 Auto-removal of Expired Records in RL

Each temporary certified key pair has a valid time, if the key pair expires, the user can not use it anymore. As a result the RL does not need to record the revoked temporary id that expires. In proposed scheme, the OBU periodically checks the RL, if any revoked temporary id expires, the corresponding entry can be removed so as to keep RL in proposed scheme small.

Ⅲ. Analysis

In this section we will do analysis to our proposed scheme with respect to security properties, communication overhead, storage overhead and computation overhead.

3.1 Security Analysis

Authenticity. In the proposed scheme, message authentication is guaranteed through the digital signature signed by the sender with senders temporary private key, so the adversary can not generate the signature on modified message on behalf of original sender.

Privacy. In the proposed scheme, the user's privacy preserving is guaranteed by the using of LLK and temporary id. The RCA sends the encrypted certificate updating packet to the vehicle, only the vehicle who possesses the LLK in its tamper-proof device can decrypt the packet and get its new temporary id, private key and the corresponding temporary certificate. Then the vehicle uses its new temporary id to send the traffic message to its neighbors, nobody else can identity the temporary id except the RCA.

Short-term linkability. Proposed scheme achieves short-term linkability by using the temporary id, because each temporary id has a life time Tvalld_period, before the certificate updating, the vehicle can't send message with other temporary id.

Long-term unlinkability. Proposed scheme also achieves long-term unlinkability by using the temporary id, one temporary id can only used by one vehicle within a period of time Tvahd_period, after the certificate updating, the vehicle can get a new temporary id and use it to send message. As a result adversaries can no longer link the m연ssages sent by ri쟌w id with the ones sent with old id. The selection of Tvalid_pertod is important, if the Tvahd_p&riod is small, the unlinkability is better but the burden on DS becomes heavier. If it is big, the long-term unlinkability will be jeopardized. So in proposed scheme, the Tvalid_peTiod is set to 1 minute, the reason is described in TACKC₁₀].

Traceability and revocation. Proposed scheme provides the traceability and revocation mechanism. For traceability, all the temporary certificates that each vehicle has ever used are kept in the THD, if th즌 police authority wants to get the real identity of the sende!' of any malicious traffic message, the DS can get the identity by a simple database (wry operation efficiently. After a vehicle is traced, if it still has any alive temporary id, the RCA can construct a revocation message and send it to all the vehicles running on the road with the help of RSUs.

(Table 2) Comparison of Security Properties

Putting no trust on RSUs. In most exist-ing papers, th즌 RSUs are usually considered as trusted parties and responsible to process sensitive information. In fact the RSUs are usually deployed in unattended area, it is hard to manage and s걍the sensitive information in RSUs, so the property of p켰 ting no trust on RSUs should also be considered as an important property.

The comparison of security properties between our proposed scheme with other existing schemes are shown in〔Tab拒 2)

3.2 Communication Ov읂rhead on OBU

Th연r연 are four types of m@ssag얀s that 원 communicated in proposed scheme. They are listed as follows(Let £0 denote £h즌 length in bytes)-

Traffic message(TM). The messages broadcasted by a vehicle every certain time. According to DSRC, the interval is 0.1s or 0.3s. Most communication messages in proposed scheme are TMs. The length of TM is as follows:

#

Certificate updating requesting m는 s-sage(CURM). The OBU needs to send this message to th댱 nearest RSU for applying a new temporary certificate. Th연 length of CURM is as follows:

#

Certificate updating message(CUM). After receiving the CURM and the genegation of new temporary certificate for the applicant, the distributed server generat얀 the CUM, which contains the certificate updating information. The length of CUM is as follows:

#

Revocation message(RM). The length of RM is as follows:

#

3.3 Storage Overhead on OBU

In this subsection we compare the OBU storage overhead of our scheme with two previously reported protocols: HAB(6) and GSB(7). In the proposed scheme, each OBU stores a public key of 나}원 RCA, a anonymous certified key pair together with its anonymous certification issued by the RCA. Because the certified key has a valid period, the revoked temporary id can be removed wh량!! it expires, which has been shown in Section 2.4, 3. Assume that the number of revoked temporary id in a certain period of tim연 does not exceed Nrew)ked, and 안"h record occupies 29 bytes, so our $사】eme needs about 耳、e知2*29+115 bytes in total.

In HAB, assume that the number of the certified key pairs of a vehi신e is Nhuge and the number of revoked vehicles is n, the total storage space needed by HAB is 叫孩亨€*(*n2+597) bytes. Compared to proposed sch연me, the storage space requirement of HAB increases linearly as the number of revoked vehicles increases rapidly.

In GSB, each OBU needs to record one private key issued by 나比 TA, group id and a revocation list, in which n certificate ids and one signature block are saved. The storage space requirement of GSB also increases linearly as the number of revoked vehicles increases. Although it is not 나}at bad like the one in GSB, it is also unace쟌ptabl© when the number of revoked vehicles is big.

3.4 Computation Overhead on OBU

In this section we compare proposed scheme with three previously mentioned schemes with respect to computation overhead. The computation overhead on OBU dep얀nds on the most expensive cryptographic operation it adopts. In proposed scheme, the most expensive cryptographic operation Is ECDSA signing&verifying operation. In HAB, the most exp샹nsive cryptographic operation is also ECDSA signing&verifying operation. In GSB, group signature is used to authenticate the traffic messages sent by vehicles. In TACK, group signature is used to update temporary certificate. [Table 3] shows that proposed scheme and HAB need less computation resource than GSB and TACK, the outcome is measured on a Centrino machine with clock speed set at 1.5 GHz in [18].

〔Table 3) Comparison Between ECDSA-192 and Group Signature

Ⅳ. Network Perh)rmance

In this section, we evaluate the proposed scheme with respect to network performance. To evaluate the network performance, we simulate our proposed scheme with NS2[17], In order to achieve relatively real simulation, two road models are used to do the simulation, one is highway model, the other is city model. The density of the vehicles on the road is th죤 main factor that has a major impact on th쟝 system performance, it also decides the total number of messages received by each vehicle. We simulate the proposed scheme in the two models to get average loss ratio and transmission delay with different density setting, then compare the proposed scheme with GSB〔7〕 with respect to packet loss ratio.

4.1 Hi하iway Model

For the highway model, we simulated 8 kilometer long 4-lane highway. The vehicles runs at velocity between 20m/s to 40m/s. The simulation configuration parameters are listed in [Table 4]

[Table 4〕Simulation Configuration for Highway Model

According to the simulation results, we found that the transmission delay is not related to the density of vehicles, it is only related to the size of the packet, in our case, when the size of the packet is 229 bytes, the transmission delay is only 2.30ms. The loss ratio of the simulation in highway model is shown in [Figure 2), we can find that the message loss ratio increases as the traffic load increases. When the number of vehicles in the simulation area reaches 200, the packet loss ratio reaches 75%, though this value seems to be big, it is also acceptable because this traffic load is the case where the road is in a severe traffic jam, and in the air there are so many repeated messages sent by vehicles. And in most cases there are usually about 50 vehicles in the same area, so the packet loss ratio 20% is acceptable. The [Figure 2] also shows that the our scheme has lower packet loss ratio than the one in〔7〕in highway model.

[Figure 2) Average Loss Ratio in Highway Model

4.2 City Model

For the city model, we simulated a 4*40000m m city area, In this model, the vehicles are dense and the average velocity of vehicles is less. The simulation configuration parameters are listed in [Table 5]

[Table 5) Simulation Configuration for City Model

In city model, the transmission delay is the same with the one in highway model. Average loss ratio in city model is shown in [Figure 3], we can find that the message loss ratio increases higher as the traffic load increases, when number of vehicles reaches 120, the packet loss ratio reaches 80%, which is unacceptable. In the city, most of the time the density of vehicles is big, so the packet loss ratio will be too high to tolerate. The solution is prolonging the interval of traffic messages, and the simulation shows that if traffic message interval is set to 0.3s, the packet loss ratio can be significantly reduced to about 20% in the densest case.

[Figure 3〕Average Loss Ratio in City Mod숞I

Ⅴ. Conclusions

In this paper, we have proposed an anonymous authentication s나leme for VANET. Based on the temporary certificated keys, the proposed scheme only needs a small storage space for the revocation list. The RSUs are usually deployed in unattended area and vulnerable to compromise, for achieving stronger security level, the proposed scheme does not need to put trust on RSUs. We also adopted a grouping technique to averagely divide the burden in the RCA without jeopardizing the anonymity of the users. And th으 proposed scheme enables recipient to authenticate the traffic messages, at the same time the anonymity of sender can be preserved. If any vehicle is found to send malicious traffic message, the authority can identify it and stop its further misbehavior.

For future work, we intend to study how to determine the maximum number of vehicles in one group to achieve the optimal tradeoff between performance and cost.

* 본 연구는 지식경제부 및 한국산업기술평가관리원의 산업원천기술개발사업(정보통신)의 일환으로 수행하였음.