2015 IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob)

A Two Level Privacy Preserving Pseudonymous Authentication Protocol for VANET

Ubaidullah Rajput, Fizza Abbas, Hasoo Eun, Rasheed Hussain, and Heekuck Oh
Dept. of Computer Science and Engineering, Hanyang University, South Korea
(ubaidullah,hkok)@hanyang.ac.kr

Abstract—Vehicular ad hoc networks (VANETs) are gaining significant popularity due to their role in improving traffic efficiency and safety. However, communication in a VANET needs to be secure as well as authenticated. Vehicles in a VANET not only broadcast traffic messages known as beacons but also safety-critical messages such as the electronic emergency brake light (EEBL). Because the network is open, a malicious vehicle can join it and broadcast bogus messages that could result in accidents. On one hand a vehicle needs to be authenticated, while on the other hand its private data, such as location and identity information, must be protected from misuse. In this paper we propose an efficient pseudonymous authentication protocol with conditional privacy preservation to enhance the security of VANET. Most current protocols either use pseudonym-based approaches with a certificate revocation list (CRL), which causes significant communication and storage overhead, or group-signature-based approaches, which are computationally expensive. Another inherent disadvantage is the need to fully trust the certification authorities, as these entities hold complete user profiles. We present a new protocol that only requires honest-but-curious behavior from the certification authority. We use a mechanism that provides a user with two levels of pseudonyms, named base pseudonyms and short-time pseudonyms, to achieve conditional privacy. In case of revocation there is no need to maintain a revocation list of pseudonyms: the inherent mechanism assures the receiver of a message of the authenticity of the pseudonym. At the end of the paper we analyze our protocol by giving its communication cost as well as various attack scenarios, to show that our approach is efficient and robust.

Index Terms—Vehicular ad hoc networks (VANET), authentication, conditional privacy, pseudonyms.

I. INTRODUCTION

Vehicular ad hoc networks (VANETs) are gaining popularity because of their obvious role in the efficiency and safety of transportation systems. A VANET comprises moving nodes, the vehicles, as well as stationary units such as roadside units (RSUs). These entities communicate either vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I); the main properties of a VANET are depicted in Fig. 1. According to the dedicated short-range communication (DSRC) standard [1], in the context of road-safety applications the on-board unit (OBU) of a vehicle is required to broadcast traffic messages (beacons). These beacons carry information such as the vehicle's position, direction, time, speed and traffic events. This information gives drivers better awareness of traffic conditions and enables them to take the necessary action. However, an attacker can beacon bogus information, such as reporting traffic congestion, to gain an unfair advantage. In more severe cases an attacker can even cause an accident, which makes the security of this information, as well as the authentication of a legitimate user, a critical issue in VANET.

Another important issue is the privacy of a vehicle. An attacker can eavesdrop on the communication between vehicles moving in an open space. Therefore, private information belonging to vehicles, e.g. license number, driver's identification, travel route and current position, must be kept private. This data can be intercepted, monitored, altered and forged by an attacker in order to launch a variety of attacks, such as tracking a user. These scenarios make security and privacy an important challenge in VANET, and for a successful deployment these issues need to be resolved [2], [3]. The challenge is to authenticate a legitimate user without compromising his privacy and, if malicious activity is detected, to allow the system to trace the user.

Many anonymous authentication schemes have been presented in the past few years; they can be divided into two broad categories: group-signature-based schemes [4] and pseudonym-based schemes [3], [6], [7]. These schemes address most of the security and privacy problems in VANET, but each has its own limitations. They mostly implement a public key infrastructure (PKI), employing digital signatures to authenticate messages, but this approach may lead to significant delays [9]. According to DSRC, the interval between two messages sent by a vehicle is 100-300 ms with a communication range of 300 m. A vehicle's OBU is equipped with a 400 MHz processor that requires about 20 ms to verify one signature [8]. If the number of vehicles is fairly low this is not a problem, but as vehicle density increases this may cause significant delays. Therefore, the limitations on computational power and available bandwidth raise questions about the performance of these approaches.

978-1-4673-7701-0/15/$31.00 ©2015 IEEE
In most pseudonymous authentication schemes, a certification authority (CA) issues a number of signed certificates to a user as anonymous pseudonyms. In case of revocation, the large size of the certificate revocation list (CRL) causes significant overhead on OBUs, and transmission delays grow as the CRL size increases. Another problem is the limited bandwidth of the wireless channel: it is very inefficient for an RSU to send hundreds of pseudonym certificates to passing vehicles while also providing them with other services, e.g. entertainment. Group-signature-based schemes also have disadvantages. Each checking operation required to match a signature with an identity needs two pairing calculations, which costs on the order of 10^-2 seconds as described in [5]. With a usual CRL size of 10 revoked identities and a vehicle receiving rate of 20 messages per second, the total cost of checking is 2 seconds. Another disadvantage of group-signature-based approaches is that the group managers have complete knowledge of the group members, which enables them to track the members. Selection of group managers is also a critical issue; moreover, if the groups are dynamic then a group manager can leave the group at any time and the newly selected group manager obtains all the information about the members. There is another problem that has not been well addressed in most of these approaches: the certification authority (CA) has to be fully trusted, and so do the RSUs. In reality there is a fair chance of an RSU being compromised, because RSUs are located in open spaces. Also, if the database of the CA is compromised, the attacker obtains all the information regarding pseudonyms and the related real-world identities, and consequently the whole system suffers.

In this paper, a two-level pseudonymous authentication protocol is presented that provides conditional privacy to the vehicles in a VANET. The contributions of this paper are as follows:
• The protocol only expects honest-but-curious behavior from the certification authority.
• If the CA's database is compromised, no valuable information is leaked to the attacker.
• RSUs do not know the actual identity of a user. If any or all of the RSUs are compromised, no valuable information is revealed that can help an attacker identify a user.
• The protocol provides conditional privacy only. If malicious behavior is detected, the actual identity of the attacker can be made available on request of the law enforcement agencies. It also provides a privacy guarantee for an honest user, i.e. it is very hard for an attacker to obtain the real identity of a user.

Fig. 1. VANET overview [3]

The rest of the paper is organized as follows. Section II presents the related work. Section III explains the preliminaries of the proposed protocol. In Section IV the proposed pseudonymous authentication protocol is presented. Section V gives the analysis of the protocol with various attack scenarios and a comparison with other approaches, while Section VI concludes the paper.

II. RELATED WORK

There are a number of schemes in the literature dealing with security and conditional privacy preserving authentication in VANET. These schemes can be broadly divided into two major categories: (1) pseudonymous authentication based schemes and (2) group signature based schemes. Pseudonym-based authentication schemes normally use anonymous public key infrastructure (PKI) certificates to verify messages signed by the associated anonymous private keys. These anonymous certificates are tied to a pseudo identity that hides the actual identity of a vehicle. In an early work, Raya et al. [10] proposed a scheme that relies on distributing thousands of certificates and associated private keys. A vehicle selects any private key from this large pool to sign a message, and with the associated anonymous certificate a verifier can verify the signature. The anonymous certificate conceals the real identity of the user and thus achieves user privacy. The certificates are distributed by a certification authority that also keeps the mapping from real identities to certificates. In another work, Raya et al. [11] proposed the use of a tamper-proof device (TPD) in their scheme for the storage of keys and certificates for enhanced security. However, these schemes have obvious shortcomings. First, with thousands of certificates per vehicle the CRL grows quickly; it takes large storage to hold the CRL and consequently a longer time to check the CRL before checking a message. The other issue is with the CA: to revoke a vehicle, the CA needs to revoke all the certificates held by that vehicle, which not only increases the overhead for the CA but also consumes more bandwidth. The approach proposed by Sun et al. [12] uses hash chains to reduce the CRL size, employing a proxy re-signature technique to improve certificate updating. Zhang et al. [13] used an identity-based batch verification scheme; in their privacy preserving authentication, the TPD generates random pseudo-identity-based certificates and the associated private keys. This scheme is less efficient than symmetric cryptography and is also prone to DoS attacks. Lu et al. [6] introduced another conditional privacy preserving scheme that generates short-time pseudonym keys between RSUs and OBUs, but it assumes ubiquitous deployment of RSUs, otherwise certificates cannot be updated.

The main concept behind group-signature-based authentication is to form a group of vehicles and then hide the group members to preserve their real identities. In an early work, Lin et al. [4] suggested a privacy preserving authentication scheme based on group signatures and identity-based signatures. The characteristic of a group signature scheme [14] is that a message is signed with the private key of a group member and verified with the group public key. Identity-based signatures [15] are used by RSUs to sign and authorize each message they produce, so the signature overhead can be significantly reduced. One important property is the reduced CRL size of group signatures, as the CRL grows linearly with the number of revoked vehicles. The disadvantage is the computational cost, because each CRL checking operation incurs two pairing calculations. Calandriello et al. [5] proposed a hybrid scheme combining features of group-signature-based and pseudonym-based approaches; it is computationally infeasible, as it needs to check whether a message is from a revoked vehicle. Zhang et al. [16] employ RSUs as group managers to manage and maintain groups that form on the fly. Vehicles that join a group as members can send anonymous vehicle-to-vehicle (V2V) messages that can be verified by other members of the group and also by neighboring groups. This scheme assumes the presence of numerous RSUs that share the system load, so performance is not degraded significantly; however, this assumption is also the drawback of the scheme, as it requires a very large number of RSU deployments.

It is evident that current approaches are not sufficient for a realistic deployment of VANET. Pseudonym-based approaches suffer from long CRL computation, communication and revocation issues; group-signature-based approaches have problems with computation and group management. Another problem is the requirement of fully trusted certification authorities and, in some cases, RSUs as well. In this paper, a pseudonymous authentication protocol is presented that uses two levels of pseudonyms.
The first level is base pseudonyms, generated by the CA with a relatively long lifespan; the second is short-time pseudonyms, generated by RSUs. Our approach utilizes the Paillier cryptosystem to prevent the CA from learning the current location of a vehicle while it communicates with an RSU to authenticate its base pseudonym. Meanwhile, RSUs communicate with changing base pseudonyms, and it is very hard for them to establish the connection between base pseudonyms and the real identity of the vehicle.

III. PRELIMINARIES

In this section we discuss the system model, threat model, design goals, assumptions and cryptographic tools.

A. System Model

Each vehicle has a unique digital identifier or vehicle identity (VID) [22]. The VID is issued and installed in a vehicle's OBU by a vehicle registration authority, such as the department of motor vehicles (DMV). The VID is considered a long-term digital certificate that uniquely authenticates a vehicle; therefore it is also referred to as an electronic license plate (ELP). Like most pseudonymous authentication schemes, our protocol requires the VID for pseudonym issuance, but the issuance of the VID itself is not considered in this paper. In our system model there are five participants, namely the certification authority (CA), the revocation authority (RA), roadside units (RSUs), the initiator vehicle and the receiver vehicles. Each is described below.

1) Certification Authority (CA): The responsibility of the CA is to issue base pseudonyms to vehicles after registration. Registration typically involves validating a VID and then encrypting the VID-to-pseudonym information under the revocation authority's (RA) public key; after that, the plaintext VID information is deleted. This encrypted escrow information is used to resolve the pseudonym-to-real-identity relationship in case of a revocation. Note that in our protocol a base pseudonym has a longer lifetime than a short-time pseudonym.

2) Revocation Authority (RA): Any misbehaving node is reported by the law enforcement agencies to the RA. The RA then reports the base pseudonym to the CA and provides the associated private key, which the CA uses to decrypt the escrow information.

3) Roadside Units (RSUs): RSUs are infrastructure with powerful communication capabilities, deployed along the roadside. RSUs are connected to the CA and RA directly (preferably over a wired medium). In our protocol the responsibilities of RSUs are (i) to verify base pseudonyms and issue short-time pseudonyms, and (ii) to provide the base pseudonym of a misbehaving vehicle whose short-time pseudonym has been reported to the RA by the law enforcement agencies.

4) Initiator Vehicle: The initiator vehicle is the broadcaster of a message.

5) Receiver Vehicles: These are all the vehicles that receive the messages sent by the initiator vehicle. They need to authenticate the messages they receive.

B. Threat Model

In our threat model, the CA and RA are honest-but-curious, i.e. these entities honestly follow the protocol but may try to infer more information than allowed. The proposed protocol considers both insider and outsider attackers.
It is important to note that a legitimate initiator or receiver can both deviate from the protocol and try to obtain the actual identity of other vehicles. An attacker can broadcast forged messages or launch a tracking attack against any user. Eavesdropping attacks are also considered, where an attacker tries to listen to the communication between any of the participants. Most importantly, attacks on RSUs that compromise their storage are considered: no valuable information should be leaked from it. However, the protocol does not consider an RSU that remains operational after compromise.

C. Design Goals

The design goals of the proposed protocol are as follows:
• Privacy Preserving Authentication: First and most important is the privacy preserving authentication of a VANET user. This enables the receiver vehicle to check the authenticity of the sender (initiator vehicle) of a beacon message.
• Message Integrity: The protocol also preserves message integrity. The content of a message sent by an initiator vehicle should reach the receiver vehicle unaltered.
• Non-repudiation: The message initiator should not be able to deny the content of the message. This is necessary because, if a malicious act is performed, the receiver vehicle will present the recordings of the message to the DMV and to the law enforcement agency.
• Pseudonym Revocation: Once a pseudonym (either base or short-time) is revoked, an insider should not be able to use it again.
• Conditional Anonymity: The protocol provides a vehicle with conditional anonymity. As long as a user follows the protocol, it guarantees his privacy. However, once malicious activity is detected, the user is no longer anonymous.

D. Assumptions

In our protocol, the following assumptions have been made.
1) Honest-but-curious behavior is expected from the CA, RA and RSUs, i.e. they follow the protocol.
2) Collusion among CA, RA and RSUs is not considered.
3) The OBU of the receiver vehicle can record messages sent by initiators for a short time. If malicious activity is detected, these recordings can be presented to the law enforcement agencies.
4) All participants keep their private keys safe.
5) Vehicles obtain the certified public keys of RSUs on demand.
6) All parties' clocks are synchronized.

E. Cryptographic Tools

Two separate cryptosystems are used in this protocol. For ordinary public key infrastructure (PKI) operations the protocol utilizes Elliptic Curve Cryptography (ECC) [17], [20], while for the homomorphic operations the Paillier cryptosystem is used. Note that only the CA needs the Paillier cryptosystem; the rest of the participants use ECC. Following are the details of ECC and of the variant of the Paillier cryptosystem used in our protocol; this variant supports negative plaintexts.

1) Elliptic Curve Cryptography (ECC): The general cubic equation of an elliptic curve has the form
$y^2 + axy + by = x^3 + cx^2 + dx + e$,
where $a, b, c, d$ and $e$ are real numbers. In an ECC system the curve is defined as
$E_p(a,b): y^2 = x^3 + ax + b \pmod p$
over a prime finite field $F_p$, where $a, b \in F_p$, $p > 3$, and $4a^3 + 27b^2 \neq 0 \pmod p$ [23]. In general, the security of ECC depends on the difficulty of the following problems [24], [25].

Definition 1 (Elliptic Curve Discrete Logarithm Problem, ECDLP): Given two points $P$ and $Q$ on $E_p(a,b)$, find an integer $s \in F_p$ such that $s \cdot P = Q$.

Definition 2 (Computational Diffie-Hellman Problem, CDHP): Given three points $P$, $sP$ and $tP$ on $E_p(a,b)$ for $s, t \in F_p$, find the point $stP$ on $E_p(a,b)$.

2) Paillier Encryption: Paillier encryption is a probabilistic cryptosystem [18]. In probabilistic encryption the result of encryption is randomized rather than deterministic: the same plaintext maps to different ciphertexts in different encryption runs, $C_1 = E_k(M), C_2 = E_k(M), C_3 = E_k(M), \ldots, C_n = E_k(M)$. The Paillier cryptosystem is additively homomorphic: given only the public key and the encryptions of $m_1$ and $m_2$, one can compute the encryption of $m_1 + m_2$. Our protocol relies on negative plaintexts so that an RSU can homomorphically add an encryption of $-n$ to the CA's encryption of $n$ (Section IV). We use the optimized version of Paillier encryption from [19]. For negative inputs the ring $Z_n$ is split into two halves and any plaintext $m \geq n/2$ is interpreted as negative. The optimized Paillier cryptosystem has the following steps.

3) Key Generation: Generate two large primes $p$ and $q$, each with half the specified modulus bit length of the cryptosystem.
• $\gcd(pq, (p-1)(q-1)) = 1$ and $p \neq q$.
• Modulus $n = pq$; pre-compute $n^2$.
• Compute $\lambda = \mathrm{lcm}(p-1, q-1) = \frac{(p-1)(q-1)}{\gcd(p-1, q-1)}$.
• $g \leftarrow 1 + n$. {Optimized; originally a random $g \in Z^*_{n^2}$ is selected such that $n$ divides the order of $g$.}
• $\gcd(L(g^\lambda \bmod n^2), n) = 1$, where $L(u) = \frac{u-1}{n}$. {Optimization: $g^\lambda \bmod n^2 = (1 + n\lambda) \bmod n^2$.}
• Pre-compute the modular multiplicative inverse $\mu = L(g^\lambda \bmod n^2)^{-1} \bmod n$.
• Return the public key $(n, n^2, g)$ and the private key $(\lambda, \mu)$.

4) Encryption: Require a plaintext $m \in Z_n$.
• Choose a random $r \in Z^*_n$.
• Return the ciphertext $c \leftarrow (1 + mn)\, r^n \bmod n^2$. {Optimized; originally $c \leftarrow g^m r^n \bmod n^2$.}

5) Decryption: Require a ciphertext $c \in Z^*_{n^2}$.
• Return the plaintext $m \leftarrow L(c^\lambda \bmod n^2)\, \mu \bmod n$.

IV. PROPOSED SCHEME

This section explains the working of the proposed protocol. First a user registers with the CA and gets a base pseudonym.

TABLE I
NOTATIONS

Notation                                       Explanation
$V_i$                                          Initiator vehicle
$VID_i$                                        Initiator's vehicle ID
$PK_i/SK_i$, $PK'_i/SK'_i$, $PK''_i/SK''_i$    Public/private key pairs of $V_i$
$PK_{CA}/SK_{CA}$                              CA's public/private key
$PK_{CAP}$                                     CA's Paillier public key
$PK_{RSU}/SK_{RSU}$                            RSU's public/private key
$T_{CA}$, $T_{CA'}$                            Expiration time of a base pseudonym, set by the CA
$T_{RSU}$                                      Expiration time of a short-time pseudonym, set by the RSU
Beacon                                         Typical VANET message

It should be noted that a base pseudonym has a lifetime and must be changed after that period. This time is denoted $T_{CA}$ in our protocol and is set by the CA. The notation used in our protocol is explained in Table I. Following are the steps of our protocol, which are also shown in Fig. 2.

A. System Initialization

The system is initialized by the CA by establishing the domain parameters $p, a, b, G, n$ and $h$:
1) $p$ defines the prime field $F_p$.
2) $G$ is the base point that generates the cyclic group.
3) $n$ is the order of $G$.
4) $a, b$ are the curve constants.
5) The cofactor is $h = |E(F_p)| / n$.
All involved parties download these parameters from the CA. The CA randomly chooses $x \in Z^*_p$ as its private key. Similarly, the other participants generate their keys, which are listed in Table I.

B. Vehicle Registration

During registration the initiator vehicle ($V_i$) generates a random number $n \in F_p$ (unrelated to the curve order $n$ above) and a public/private ECC key pair $PK_i/SK_i$. $V_i$ sends this information along with $VID_i$ to the CA.

Step 1: $V_i \rightarrow CA: n \| PK_i \| VID_i$

This information has to be sent over a secure channel (for example, the vehicle visits the CA) and is required only once. The CA validates $VID_i$. Upon verification, it encrypts $VID_i$ with the public key of the RA, encrypts $n$ with its Paillier public key $PK_{CAP}$, generates an expiration time $T_{CA}$ and creates the database (DB) entries shown in Table II.
• $CA \rightarrow DB: (VID_i)_{PK_{RA}} \| T_{CA} \| PK_i \| n$
• The CA signs $(T_{CA} \| PK_i \| (n)_{PK_{CAP}})$ and assigns it to $V_i$ as its base pseudonym.

Step 2: $CA \rightarrow V_i: (T_{CA} \| PK_i \| (n)_{PK_{CAP}})_{SK_{CA}}$

C. Vehicle to RSU Communication

For communication with an RSU, $V_i$ generates another public/private key pair ($PK'_i/SK'_i$). It encrypts this newly generated public key, its base pseudonym, $-n$ and a nonce under the RSU's public key and sends the result to the RSU.

Fig. 2. Working of the proposed protocol

Step 3: $V_i \rightarrow RSU: ((T_{CA} \| PK_i \| (n)_{PK_{CAP}})_{SK_{CA}} \| PK'_i \| -n \| nonce)_{PK_{RSU}}$

The RSU verifies the CA's signature and encrypts $-n$ with the Paillier public key of the CA. It then takes the homomorphic sum of $(n)_{PK_{CAP}}$ and $(-n)_{PK_{CAP}}$, obtaining $(R)_{PK_{CAP}} = (n)_{PK_{CAP}} + (-n)_{PK_{CAP}}$, and sends $(R)_{PK_{CAP}}$ to the CA for verification.

Step 4: $RSU \rightarrow CA: (R)_{PK_{CAP}}$

The CA decrypts $R$. If it finds $0$ (i.e. $n + (-n) = 0$) it replies "verified" to the RSU, otherwise "not verified".

Step 5: $CA \rightarrow RSU$: verified / not verified

D. Generation of Short-Time Pseudonyms

Upon verification that the message came from $V_i$, the RSU prepares a short-time pseudonym. It creates the expiration time $T_{RSU}$, embeds it with the newly generated $PK'_i$, signs the result, encrypts it under $PK'_i$ and sends it to $V_i$. Note that $PK'_i$ has to be freshly generated by $V_i$ every time a short-time pseudonym is requested.

Step 6: $RSU \rightarrow V_i: ((T_{RSU} \| PK'_i)_{SK_{RSU}})_{PK'_i}$

$V_i$ signs the beacon message with its secret key $SK'_i$, attaches the pseudonym and broadcasts.

Step 7: $V_i$ broadcasts: $(beacon)_{SK'_i} \| (T_{RSU} \| PK'_i)_{SK_{RSU}}$

The receiver of the message verifies the pseudonym by checking the RSU's signature and then verifies the beacon against $V_i$'s signature, using the $PK'_i$ contained in the short-time pseudonym. Steps 1 through 7 are shown in Fig. 2.

E. Re-acquiring the Base Pseudonym

After $T_{CA}$ expires, $V_i$ needs to acquire a base pseudonym again. $V_i$ randomly selects some $n' \in F_p$, generates a public/private ECC key pair $PK''_i/SK''_i$, encrypts them under the public key of the CA along with $n$, and sends the result to a nearby RSU, which forwards it to the CA as shown in Fig. 3. For such a message, some special-purpose bits can be set to tell the RSU to forward the message to the CA.

Step 8: $V_i \rightarrow RSU \rightarrow CA: (n \| n' \| PK''_i)_{PK_{CA}}$

The CA verifies this message against the correct $n$, generates a new expiration time $T_{CA'}$ and updates its database with the new values $n'$, $PK''_i$ and $T_{CA'}$. The CA repeats Step 2, but additionally encrypts the base pseudonym under $PK''_i$ and sends it back to $V_i$ through the RSU, along with the signed $n$.

Step 9: $CA \rightarrow RSU: ((T_{CA'} \| PK''_i \| (n')_{PK_{CAP}})_{SK_{CA}})_{PK''_i} \| (n)_{SK_{CA}}$

The RSU broadcasts this message. $V_i$ identifies it by the old $n$, verifies the CA's signature, decrypts it and changes its base pseudonym. Because of the encryption, the RSU is unable to relate the new base pseudonym to $V_i$.

TABLE II
EXAMPLE OF CA DATABASE

User Serial    Data
...            ...
$n$            $(VID_i)_{PK_{RA}} \| T_{CA} \| PK_i$
...            ...

Fig. 3. Re-acquiring the base pseudonym

F. Revocation

As shown in Fig. 4, if a user is found to be involved in some malicious activity, e.g. broadcasting a bogus message, the receiver can report the malicious act as follows.
• The receiver presents the recordings of the Step 7 message to the law enforcement agency.
• The law enforcement agency contacts the RSU whose signature is present on the short-time pseudonym.
• The RSU provides the law enforcement agency with the base pseudonym.
• The law enforcement agency provides the base pseudonym to the RA.
• The RA provides the corresponding secret key to the CA along with a revocation request.
• The CA decrypts the $VID_i$ of the malicious party and revokes it.

V. ANALYSIS OF THE PROPOSED SCHEME

In this section we analyze our protocol with respect to the design goals of Section III. Furthermore, we analyze the protocol under various attack scenarios and give its communication cost. At the end of this section we compare our protocol with existing approaches.

A. Security Analysis

1) Privacy Preserving Authentication: In our protocol only the RA has the secret key for the encrypted real identity (VID). However, the RA does not have access to the encrypted values in the CA's database. Moreover, our protocol requires a user vehicle to acquire a new base pseudonym after a certain period set by the CA; therefore an RSU is not able to correlate a user across his changing base pseudonyms. On the RSU side, a new short-time pseudonym is used after a few broadcast messages, so it is hard for an attacker to correlate the short-time pseudonyms of a vehicle.

2) Message Integrity: The beacon messages broadcast in Step 7 are signed by the vehicle; therefore message integrity is preserved.

3) Non-repudiation: The message in Step 7 is signed by the private key of the vehicle, and the corresponding public key is certified by the RSU in the short-time pseudonym. Therefore no other vehicle could have signed this message.

4) Pseudonym Revocation: Every base pseudonym carries a signed expiration time, and every vehicle has to get a new base pseudonym after that time expires. Each RSU checks the validity of the expiration time before generating short-time pseudonyms. Because a short-time pseudonym lasts only for the broadcast of a few messages, there is no need to revoke short-time pseudonyms. If RSUs are not available pervasively, $T_{RSU}$ can be set for a relatively longer period, and similarly $T_{CA}$. In a pervasive RSU environment a short-time pseudonym can be generated for each new beacon. There is a trade-off here: where a vehicle cannot reach an RSU, it can only use its current short-time pseudonym until it enters some RSU's jurisdiction; after that it disappears from a malicious tracker.

5) Conditional Anonymity: Once malicious activity is detected against a pseudonym, not only is the pseudonym revoked but the real identity of the vehicle is also revealed. Conditional anonymity is necessary to reach the actual malicious user in case of an attack; otherwise the protocol guarantees the privacy of a legitimate user.
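The Paillier operations of Section III.E and the base-pseudonym check of Steps 3-5, as an added example in Go that is not the paper's code. The type and function names, the 512-bit demo modulus and the use of crypto/rand are this example's own choices (the paper's 256-byte $(n)_{PK_{CAP}}$ implies a 1024-bit modulus, and its $n$ is 10 bytes). The vehicle's random $n$ is unrelated to the Paillier modulus, which the code calls N.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Added example, not the paper's code: the optimized Paillier variant of
// Section III.E (g = 1+n, plaintexts >= n/2 read as negative) replaying the
// base-pseudonym check of Steps 3-5. Names and the 512-bit demo modulus are
// assumptions; the paper's sizes imply a 1024-bit modulus and a 10-byte n.

var one = big.NewInt(1)

type PaillierPub struct{ N, N2 *big.Int } // public key (n, n^2); g = 1+n is implicit
type PaillierPriv struct {                 // private key (lambda, mu)
	PaillierPub
	Lambda, Mu *big.Int
}

func mustRand(x *big.Int, err error) *big.Int { // unwrap crypto/rand results
	if err != nil {
		panic(err)
	}
	return x
}

func lFunc(u, n *big.Int) *big.Int { // L(u) = (u - 1) / n
	return new(big.Int).Div(new(big.Int).Sub(u, one), n)
}

// PaillierKeyGen follows the key generation steps of Section III.E.
func PaillierKeyGen(bits int) *PaillierPriv {
	for {
		p := mustRand(rand.Prime(rand.Reader, bits/2))
		q := mustRand(rand.Prime(rand.Reader, bits/2))
		n := new(big.Int).Mul(p, q)
		pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
		phi := new(big.Int).Mul(pm1, qm1)
		if p.Cmp(q) == 0 || new(big.Int).GCD(nil, nil, n, phi).Cmp(one) != 0 {
			continue // need p != q and gcd(pq, (p-1)(q-1)) = 1
		}
		n2 := new(big.Int).Mul(n, n)
		// lambda = lcm(p-1, q-1) = (p-1)(q-1) / gcd(p-1, q-1)
		lambda := new(big.Int).Div(phi, new(big.Int).GCD(nil, nil, pm1, qm1))
		// With g = 1+n, g^lambda mod n^2 = 1 + n*lambda, so mu = L(1 + n*lambda)^-1 mod n.
		gLambda := new(big.Int).Mod(new(big.Int).Add(one, new(big.Int).Mul(n, lambda)), n2)
		if mu := new(big.Int).ModInverse(lFunc(gLambda, n), n); mu != nil {
			return &PaillierPriv{PaillierPub{n, n2}, lambda, mu}
		}
	}
}

// Encrypt maps a possibly negative m into Z_n (so -x becomes n-x, in the upper
// half) and returns c = (1 + m*n) * r^n mod n^2 with random r in Z_n^*.
func (pk *PaillierPub) Encrypt(m *big.Int) *big.Int {
	mm := new(big.Int).Mod(m, pk.N)
	r := mustRand(rand.Int(rand.Reader, pk.N))
	for r.Sign() == 0 || new(big.Int).GCD(nil, nil, r, pk.N).Cmp(one) != 0 {
		r = mustRand(rand.Int(rand.Reader, pk.N))
	}
	gm := new(big.Int).Mod(new(big.Int).Add(one, new(big.Int).Mul(mm, pk.N)), pk.N2)
	rn := new(big.Int).Exp(r, pk.N, pk.N2)
	return new(big.Int).Mod(new(big.Int).Mul(gm, rn), pk.N2)
}

// Add is the additive homomorphism: Enc(m1) * Enc(m2) mod n^2 = Enc(m1 + m2).
func (pk *PaillierPub) Add(c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), pk.N2)
}

// Decrypt computes L(c^lambda mod n^2) * mu mod n and maps plaintexts >= n/2
// back to negative integers.
func (sk *PaillierPriv) Decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, sk.Lambda, sk.N2)
	m := new(big.Int).Mod(new(big.Int).Mul(lFunc(u, sk.N), sk.Mu), sk.N)
	if m.Cmp(new(big.Int).Rsh(sk.N, 1)) >= 0 {
		m.Sub(m, sk.N)
	}
	return m
}

// VerifyBasePseudonym replays Steps 3-5. The RSU holds (n)_{PK_CAP} from the
// signed base pseudonym and the plaintext -n from the vehicle's Step 3 message;
// it encrypts -n under the CA's key, multiplies the ciphertexts and forwards only
// (R)_{PK_CAP}. The CA decrypts and answers "verified" iff R = 0, never seeing n.
func VerifyBasePseudonym(ca *PaillierPriv, encN, minusN *big.Int) bool {
	encMinusN := ca.PaillierPub.Encrypt(minusN) // RSU, Step 3
	r := ca.PaillierPub.Add(encN, encMinusN)     // RSU -> CA, Step 4
	return ca.Decrypt(r).Sign() == 0             // CA -> RSU, Step 5
}

func main() {
	ca := PaillierKeyGen(512)
	n := mustRand(rand.Int(rand.Reader, new(big.Int).Lsh(one, 80))) // vehicle's 10-byte n, Step 1
	encN := ca.PaillierPub.Encrypt(n)                                // (n)_{PK_CAP} in the base pseudonym
	fmt.Println("correct -n:", VerifyBasePseudonym(ca, encN, new(big.Int).Neg(n)))
	fmt.Println("wrong -n:  ", VerifyBasePseudonym(ca, encN, new(big.Int).Neg(new(big.Int).Add(n, one))))
}
```

Two points the code makes visible: the negative encoding only works while $|m| < n/2$, which holds for a 10-byte $n$ against a 1024-bit modulus, and the RSU does learn $n$ in Step 3 (it arrives under $PK_{RSU}$, not under $PK_{CAP}$), so the homomorphic sum hides the vehicle and its location from the CA, not from the RSU.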

B. Attack Scenarios

Theorem 1: Communication between all the participants is semantically secure.
Proof: All communication in our protocol is encrypted using ECC. According to the discrete logarithm problem (DLP), given an element $g$ and the value $g^x$ it is computationally infeasible for an attacker to compute the secret $x$. Therefore the communication is secure.

Theorem 2: An attacker cannot impersonate the initiator by replaying the message of Step 4.
Proof: To impersonate the initiator, the attacker needs to provide the correct value of $n$. This value is known only to the initiator and the CA. Therefore an impersonation attack is not possible.

Theorem 3: An attacker cannot succeed by replaying the message of Step 3.
Proof: Step 3 includes a nonce; therefore a replay attack will not succeed.

Fig. 4. Revealing the real ID of the initiator in case of detection of malicious behavior

Theorem 4: If an RSU tries to correlate the pseudonyms of the initiator.
Proof: RSUs only issue short time pseudonyms on the basis of a base pseudonym. An initiator uses a base pseudonym only for a short period of time, after which it securely obtains a new base pseudonym from the CA without the knowledge of the RSU. It is, therefore, very hard for an RSU to establish any link between two base pseudonyms.

Theorem 5: If the receiver of a beacon message tries to correlate the short time pseudonyms of a user.
Proof: As per the recommendations of the protocol, the initiator changes its short time pseudonym after almost every beacon broadcast. Therefore, a receiver hears a different pseudonym every time, and it is very hard for a receiver to establish any correlation between entirely different short time pseudonyms.

Theorem 6: If an attacker succeeds in compromising an RSU.
Proof: The only information an RSU has is the mapping between the current base pseudonym and the associated short time pseudonyms. The base pseudonyms are subject to change after a short time as well. Therefore, it is very hard for an attacker to get any useful information by compromising any of the RSUs.

Theorem 7: If an attacker succeeds in compromising the CA database.
Proof: The CA stores encrypted VIDs. Therefore an attacker only gets encrypted VIDs and the currently associated base pseudonyms. Unless the attacker has the private keys of the RA, he cannot get the real identity of the initiator. However, this prevention does not secure the system if the compromised CA continues to be operational.

C. Communicational Cost Analysis

Following is the communication cost of our protocol.

1) Step 2: Base pseudonym size: $(T_{CA} \,\|\, PK_i \,\|\, (n)_{PK_{CAP}})_{SK_{CA}}$, where
   • $T_{CA}$ = 2 bytes, $PK_i$ = 32 bytes (one point on the ECC curve), $(n)_{PK_{CAP}}$ = 256 bytes and signature = 64 bytes. The total size is 354 bytes.

2) Step 3: $V_i$ to RSU communication: $((T_{CA} \,\|\, PK_i \,\|\, (n)_{PK_{CAP}})_{SK_{CA}} \,\|\, PK'_i \,\|\, -n \,\|\, nonce)_{PK_{RSU}}$, where
   • $(T_{CA} \,\|\, PK_i \,\|\, (n)_{PK_{CAP}})_{SK_{CA}}$ = 354 bytes, $PK'_i$ = 32 bytes, $n$ = 10 bytes, nonce = 10 bytes, $PK_{RSU}$ = 32 bytes, padding = 10 bytes and HMAC = 20 bytes. The total size is 468 bytes.

3) Step 6: Short time pseudonym size:
   • $T_{RSU}$ = 2 bytes, $PK'_i$ = 32 bytes (ciphertext), $PK'_i$ = 32 bytes (public key), signature = 64 bytes, padding = 14 bytes and HMAC = 20 bytes. The total size is 164 bytes.

4) Re-acquiring of base pseudonyms: $(n \,\|\, n' \,\|\, PK''_i)_{PK_{CA}}$, where
   • $n$ = 10 bytes, $n'$ = 10 bytes, $PK''_i$ = 32 bytes, $PK_{CA}$ = 32 bytes, padding = 12 bytes and HMAC = 20 bytes. The total size of the message is 116 bytes.

The maximum message size is less than 500 bytes. We argue that current VANET infrastructure can easily handle this communication overhead.
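Theorems 4 to 7 rest on what each party actually stores. The following Python model is an added illustration, not the paper's code: it builds the CA, RSU and RA databases for one vehicle and then checks, from a defender's point of view, which identities a single compromised database can link and which revelation requires all three parties. It assumes pseudonyms as random 32-byte strings standing in for ECC public keys, the RA's public-key encryption of the VID as an opaque token that only the RA object can open, a constructed VID, and a CA that keeps only the current base pseudonym per vehicle; none of these details are taken from the paper.

```python
"""Model of the two-level pseudonym hierarchy: what the CA, RSU and RA
store and what a compromise of one of them can link (Theorems 4-7).
Added example, not the paper's code.  Assumptions: pseudonyms are random
32-byte strings standing in for ECC public keys; RA encryption of the VID is
an opaque token only the RA object can open; the CA keeps only the current
base pseudonym for each vehicle."""
import hashlib
import os

PSEUDONYM_LEN = 32  # one point on the curve, as in the cost analysis


def fresh_pseudonym() -> bytes:
    """Stands in for generating a new key pair and using its public key."""
    return os.urandom(PSEUDONYM_LEN)


class RA:
    """Registration authority: the only party able to open an encrypted VID."""

    def __init__(self):
        self._key = os.urandom(32)  # stands in for the RA private key
        self._opened = {}           # token -> VID; models decryption

    def encrypt_vid(self, vid: str) -> bytes:
        token = hashlib.sha256(self._key + vid.encode()).digest()
        self._opened[token] = vid
        return token

    def decrypt_vid(self, token: bytes) -> str:
        return self._opened[token]


class CA:
    """Certification authority: encrypted VID -> current base pseudonym."""

    def __init__(self):
        self.db = {}

    def issue_base_pseudonym(self, enc_vid: bytes) -> bytes:
        base = fresh_pseudonym()
        self.db[enc_vid] = base  # the previous base pseudonym is replaced
        return base

    def enc_vid_for(self, base: bytes):
        return next((e for e, b in self.db.items() if b == base), None)


class RSU:
    """Road-side unit: base pseudonym -> short-time pseudonyms it issued."""

    def __init__(self):
        self.db = {}

    def issue_short_pseudonyms(self, base: bytes, count: int) -> list:
        shorts = [fresh_pseudonym() for _ in range(count)]
        self.db.setdefault(base, []).extend(shorts)
        return shorts

    def base_for(self, short: bytes):
        return next((b for b, s in self.db.items() if short in s), None)


class Vehicle:
    def __init__(self, vid: str, ra: RA, ca: CA):
        self.vid = vid
        self.enc_vid = ra.encrypt_vid(vid)  # the VID never travels in the clear
        self.base = ca.issue_base_pseudonym(self.enc_vid)
        self.shorts = []

    def refresh_base(self, ca: CA):
        """Re-acquire a base pseudonym from the CA; the RSU is not involved."""
        self.base = ca.issue_base_pseudonym(self.enc_vid)

    def fetch_short_pseudonyms(self, rsu: RSU, count: int):
        self.shorts = rsu.issue_short_pseudonyms(self.base, count)

    def beacon(self) -> bytes:
        """Each beacon goes out under a different short-time pseudonym."""
        return self.shorts.pop(0)


def reveal_real_id(short: bytes, rsu: RSU, ca: CA, ra: RA):
    """Conditional privacy: RSU, CA and RA must all cooperate to reach the VID."""
    base = rsu.base_for(short)
    enc_vid = ca.enc_vid_for(base) if base is not None else None
    return ra.decrypt_vid(enc_vid) if enc_vid is not None else None


def leaks_plaintext_vid(db: dict, vid: str) -> bool:
    """True if the VID appears in the clear in any key or value of a database."""
    needle = vid.encode()
    vals = []
    for v in db.values():
        vals.extend(v if isinstance(v, list) else [v])
    return any(needle in blob for blob in list(db) + vals)


def run_demo() -> dict:
    ra, ca, rsu = RA(), CA(), RSU()
    car = Vehicle("VID-EXAMPLE-0001", ra, ca)  # constructed identifier
    car.fetch_short_pseudonyms(rsu, 3)
    b1, b2 = car.beacon(), car.beacon()
    revealed = reveal_real_id(b1, rsu, ca, ra)  # all three parties cooperate
    old_base = car.base
    car.refresh_base(ca)                        # base pseudonym rotated
    return {
        "beacons_differ": b1 != b2,                              # Theorem 5
        "rsu_leaks_vid": leaks_plaintext_vid(rsu.db, car.vid),   # Theorem 6
        "ca_leaks_vid": leaks_plaintext_vid(ca.db, car.vid),     # Theorem 7
        "rsu_knows_new_base": car.base in rsu.db,                # Theorem 4
        "ca_kept_old_base": old_base in ca.db.values(),
        "revealed": revealed,
        "reveal_after_rotation": reveal_real_id(b1, rsu, ca, ra),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the model shows the two faces of conditional privacy: neither the RSU nor the CA database contains the VID in the clear, the RSU never sees the re-acquired base pseudonym, and the real identity behind a beacon is recovered only when RSU, CA and RA are all consulted. The last entry also makes the modelling assumption visible: once the CA has replaced the base pseudonym, a beacon sent under the old one can no longer be traced, so a deployment that needs to revoke past senders must decide how long the CA retains superseded base pseudonyms.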

D. Comparison With Current Approaches

This section compares our protocol with existing approaches, namely pseudonymous authentication based and group signature based schemes. First, our protocol does not require the creation and distribution of a large number of pseudonyms; for this reason it does not need the storage required for a large pool of pseudonyms. Not using a Certificate Revocation List (CRL) is another major advantage, as there are no CRL management requirements and no computational or communicational overhead related to CRLs. The protocol also does not utilize any concept from group based approaches; hence there is no need for group management or costly group signature computations. Finally, our protocol does not require fully trusted entities such as the CA or RSU: if a server is compromised, no valuable information is leaked that reveals the real identity of the user. Table III shows the comparison of the protocol with existing approaches.

TABLE III
COMPARISON WITH EXISTING APPROACHES

Parameters                                        Pseudonym based   Group based   Proposed Scheme
Creation and management of multiple pseudonyms    ✓                 ×             ×
Management of revocation list                     ✓                 ✓             ×
Group management                                  ×                 ✓             ×
Server compromised                                ✓                 ✓             ×

VI. CONCLUSION AND FUTURE WORK

In this paper, we presented a lightweight pseudonymous authentication protocol that utilizes two-level pseudonyms. Our protocol offers several advantages over existing work: no valuable information is leaked in case of a breach of CA or RSU data, RSUs are unaware of the actual identity of the user, and it expects only honest-but-curious behavior from the participants that are normally considered fully trusted entities in the VANET. It also provides an efficient mechanism to enforce conditional anonymity: in case of detection of malicious behavior, the real identity of the attacker is revealed. Furthermore, with the help of the communicational analysis we demonstrate that our protocol is lightweight and suitable for VANET applications. In the future, we aim to optimize and implement our protocol.

ACKNOWLEDGMENTS

This research was supported in part by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015H8501-15-1007) supervised by the IITP (Institute for Information and communications Technology Promotion). This research was also supported in part by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015H8501-15-1018) supervised by the IITP (Institute for Information and communications Technology Promotion). This work was also supported in part by the NRF (National Research Foundation of Korea) grant funded by the Korea government MEST (Ministry of Education, Science and Technology) (No. NRF2012R1A2A2A01046986).
