Subscription-Period-Aware Key Management for Secure ... - IEEE Xplore

2 downloads 5814 Views 816KB Size Report
Nov 6, 2013 - DongHyun Je, Yoon-Ho Choi, and Seung-Woo Seo, Member, IEEE ... agement (SPKM), for cost-effective and secure vehicular multicast.
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

4213

Subscription-Period-Aware Key Management for Secure Vehicular Multicast Communications DongHyun Je, Yoon-Ho Choi, and Seung-Woo Seo, Member, IEEE

Abstract—As many applications based on wireless communications are being embedded on a vehicular platform, multicast communications have begun to be essential for efficient information delivery. Since multicast communications are vulnerable to unauthorized access, group key management (GKM) is expected to play an essential role as access control. However, we note that the legacy GKM schemes are not cost effective and adequate for use in vehicular environments. This is because the dynamic mobility of a large number of vehicles causes a high frequency of group rekeying, which is used to share a new group key (GK) among the authorized group members for every membership change. To overcome the high frequency of group rekeying, we propose a new GKM scheme, which is called subscription-period-aware key management (SPKM), for cost-effective and secure vehicular multicast group rekeying. As a design problem, we analyze its key management cost, including the communication, computation, and storage costs, for multicast group rekeying, and find an optimal condition to minimize the key management cost. Through simulations under different conditions, we show that the proposed SPKM scheme can greatly reduce the communication, computation, and storage complexity in multicast group rekeying from O(log N ) to O(1), where N is the number of vehicles in a single group rekeying process. In addition, we show that the key management cost of the proposed SPKM scheme is lower than those of the well-known GKM schemes for secure vehicular multicast communications. Index Terms—Access control, group key management (GKM), vehicle mobility, vehicular multicast services.

I. I NTRODUCTION

V

EHICULAR COMMUNICATIONS (VC), including vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications, plays an important role in keeping safer and more efficient driving conditions. By enabling various services, including road safety, driver assistance, and driver’s convenience [1]–[3], VC creates safer and more efficient driving conditions. To enable these services, VC deploys vehicular multicast communication protocols, each of which is a special communication protocol to support group communications. A vehicular multicast communication protocol enables a single Manuscript received September 29, 2012; revised February 14, 2013; accepted September 11, 2013. Date of publication October 3, 2013; date of current version November 6, 2013. This paper was supported by the National Research Foundation of Korea funded by the Ministry of Science, Information and Communication Technology, and Future Planning of Korea under Grant 2009-0083495 and Grant NRF-2013R1A1A1005991. The review of this paper was coordinated by Dr. T. Zhang. D. Je is with Samsung Electronics, Seoul 137-857, Korea (e-mail: jdh317@ gmail.com). Y.-H. Choi (Corresponding author) is with Kyonggi University, Suwon 443760, Korea (e-mail: [email protected]). S.-W. Seo (Corresponding author) is with Seoul National University, Seoul 151-742, Korea (e-mail: [email protected]). Digital Object Identifier 10.1109/TVT.2013.2284342

host, including a vehicle or a road-side unit (RSU), to communicate with a specific set of hosts. Vehicular multicast communication protocols must address several requirements, including: 1) the setup of a multicast group for secure group communications; 2) transport reliability; and 3) timely transmission of data. To set up a multicast group for secure group communications among these requirements, the identification of a specific set of hosts is required, each of which is an authorized service member. As such membership requires that all multicast traffic be delivered only to the authorized group of hosts, VC can maintain data confidentiality in vehicular multicast communication services, where data confidentiality allows communication data access by and disclosure to only authorized users. As a representative solution to guarantee data confidentiality, secure group key management (GKM) schemes, including logical key hierarchy (LKH) [4]–[8], [13] and topological matching key management (TMKM) [10], are generally used. The GKM scheme allows an authorized host to have a group key (GK); thus, only the authorized host with the GK can successfully encrypt the data and decrypt the encrypted data for secure group communications. However, to preserve data confidentiality through the GKM scheme, we need to determine how to share a GK among the authorized group members for every membership change, which is called group rekeying. This is because a group rekeying operation usually suffers by a scalability problem from a one-affect-all problem, where a single group member joining or leaving causes all the members in the same group to have key updates. Thus, solutions for the scalability problem aim at minimizing the number of GKs that should be distributed [4]– [8], [10], [13]. The scalability problem is a more serious bottleneck for efficient group rekeying in vehicular multicast communications. This is because, in vehicular networks, the large number of vehicles in narrow-area communication services and their dynamic mobility make the scalability problem more complex [10], [12]. That is, due to the dynamic mobility of the large number of vehicles, group rekeying frequently happens. High communication complexity and computation complexity from the frequent group rekeying cause the delayed key update, which may expose secure data to a previous member, whose membership is already expired [9]. To reduce the increase in the communication and computation complexity due to the dynamic mobility of vehicles, the TMKM scheme combines a logical tree of keys, which is called a key tree, with topology information, and thus reduces the communication overhead in delivering key update messages through multicast communications [10]. However,

0018-9545 © 2013 IEEE

4214

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

problem is fundamentally inevitable. Thus, the proposed scheme can greatly reduce complexity from O(log N ) to O(1) for communication, computation, and storage in a single group rekeying, where N is the number of vehicles in a single group rekeying. 2) Low delay of group rekeying. Since, in the proposed scheme, a joining vehicle requires low computation complexity by deriving a new GK from the predelivered keys, the vehicle can obtain the next GK with less delay. 3) No topology management cost. Since the proposed scheme manages a GK without using topology information, it does not incur the topology management cost caused by the vehicle location change.

Fig. 1. Comparison of the legacy key tree structure and the key hierarchy of SPKM. (a) Legacy key tree structure (with topology information). (b) Key hierarchy of SPKM.

the TMKM scheme has the limitation that frequent topology change, according to the fast vehicle movement, can cause frequent update of GKs. As an alternative to reducing such frequent GK updates, the RSU-based distributed key management (RDKM) scheme decentralizes the management functions for movement across RSUs and the update of key encryption keys into each RSU, and thus reduces the communication overhead [12]. However, to manage vehicular movement information across RSUs, the RDKM scheme increases the number of leaf nodes in the key tree, which may cause an increase in storage overhead. In addition, the frequent exchange of vehicular movement information across RSUs can cause an increase in communication overhead. To overcome the given limitations, we propose a new GKM scheme for secure vehicular multicast communications, called subscription-period-aware key management (SPKM), which includes the following two distinctive features. First, as shown in Fig. 1, while the well-known secure GKM schemes, including those in [10] and [12], update a GK using the root key of a key hierarchy, the proposed SPKM scheme updates a GK by sequentially using leaf nodes of a key hierarchy combined with the service subscription time of a vehicle. Second, in delivering rekeying information from a key distribution center (KDC) to a vehicle, while the well-known secure GKM schemes use multicast communications, the proposed SPKM scheme uses the efficient combination of unicast and multicast communications. The contributions of this paper can be summarized as follows. 1) Minimum complexity in group rekeying. The proposed scheme individually derives a new GK using the predelivered keys and the subscription-period information received from the KDC instead of a key tree structure, where the scalability problem from a one-affect-all

The remainder of this paper is organized as follows. In Section II, we overview the well-known GKM schemes. In Section III, we give the basic models for designing the proposed SPKM scheme and describe the operation of the proposed SPKM scheme in Section IV. After analyzing the total costs associated with the proposed SPKM scheme in Section V, we formulate a cost optimization problem for designing an efficient GKM scheme and find the optimal solution in Section VI. We show the evaluation results of the proposed SPKM scheme in Section VII and describe the characteristics of the proposed SPKM scheme in Section VIII. Finally, we conclude this paper in Section IX. II. R ELATED W ORKS Most GKM schemes are designed using a key tree since a key tree shows good performance in reducing the communication and computation complexity through different key paths. Studies on GKM schemes show that the low communication and computation complexity are based on two categories: LKH and batch rekeying (BR). By using a layered key tree, the LKH scheme [5] reduces the communication complexity from O(N ) to O(log N ) in a single group rekeying. However, as the LKH scheme delivers key update information to the group members through multicast communications, the LKH scheme may require a high bandwidth over the transmission network. To avoid the high bandwidth requirement, BR schemes have been proposed [4]–[8], [13]. In the BR schemes, after a batch of join and leave requests has been collected in a certain period, the KDC rekeys. The BR schemes show good performance in reducing communication overhead through the low frequency of rekeying compared with that of individual rekeying, i.e., rekeying after each join or leave request. However, the BR schemes may sacrifice forward and backward confidentiality [5]. In vehicular networks, an RSU establishes the physical communication link with vehicles through multicast communications. When a KDC transmits data to a vehicle and vice versa, the mobility of the vehicle is managed by the RSU. For the stable management of each vehicular movement, the KDC and the RSU should continually keep track of the location of every vehicle under the high-speed vehicular mobility. Because of the high-speed mobility of vehicles in vehicular networks, the legacy GKM schemes, including the LKH and BR schemes, suffer from a critical design problem: the increase in the key

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

4215

TABLE I T ERMS AND N OTATION

management cost, including the communication, computation and storage costs, from the frequent rekeying due to the highspeed mobility of vehicles. This is because the KDC and the RSU suffer from very frequent update of GKs caused by the large number of vehicles in the wide service area and their highspeed mobility [10], [12]. To reduce the increase in communication overhead in the cellular network, TMKM schemes, each of which is a type of LKH whose key tree is constructed by considering the network topology, have been proposed [10], [11]. However, TMKM schemes also have a limitation in reducing high communication overhead. The TMKM schemes should send additional rekeying messages for managing key tree structure, whenever the vehicles’ network topology is changed due to a handoff between RSUs. In addition, while processing the network topology information, the computation overhead at the KDC increases. As an alternative to reduce the increase in the mobility management complexity at the KDC, Park et al. proposed the RDKM scheme, which assigns some functional blocks of the KDC to RSUs [12]. To manage the key tree through the vehicular movement information exchange across RSUs, the RDKM scheme requires more leaf nodes in the key tree compared with the TMKM scheme. Thus, the key management complexity of the RDKM scheme increases because the weighted sum of the communication overhead and the storage overhead is logarithmically proportional to the number of leaf nodes. Compared with other GKM schemes for secure vehicular multicast communications, the proposed SPKM scheme can greatly reduce the complexity from O(log N ) to O(1) for communication, computation, and storage in a single group rekeying. In the following, we show the details of the proposed SPKM scheme.

III. M ODEL Here, we describe the network, service, vehicle, and key models for designing the proposed SPKM scheme. The notations used in this paper are given in Table I.

A. Network Model In V2I communications, while an RSU and a KDC communicate to each other using the wired networks, the RSU and vehicles communicate to each other using wireless networks such as the wireless access point (AP) of the IEEE 802.11 wireless local area network and IEEE 802.16e Worldwide Interoperability for Microwave Access [14], [15]. Since deploying such infrastructures requires a high monetary cost, we assume that vehicular multicast services will be provided in urban areas. Thus, we focus on the vehicular multicast service scenarios with heavy traffic. In addition, since the proposed SPKM scheme uses the subscription period of vehicles to generate GKs, we need to build the network model by using a time synchronization method. We assume that a time synchronization method such as a Network Time Protocol is used [16] for time synchronization of the KDC and vehicles.

B. Service Model We assume that vehicular multicast services use pay-perminute (PPM), where a subscriber can be served during the subscription period. To subscribe at the vehicular network services with PPM, it is assumed that each vehicle delivers the subscription period information to a KDC. In addition, in

4216

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

such a service model, we assume three players: 1) the KDC in charge of managing GKs; 2) the vehicles that subscribe to the services and the received GKs; and 3) a service provider who provides the vehicular multicast services. Each vehicle will join the service group within the subscription period of the service. When a new vehicle joins the service group, the KDC updates a GK and delivers the rekeying information for generating the new GK to both the service provider and the vehicles in the service group. As every vehicle and the service provider derives the new GK from the shared rekeying information, the proposed SPKM scheme maintains data confidentiality during the subscription period. When a vehicle leaves the service group after the service subscription period is terminated, the KDC updates a GK in the same way. Since the key management cost of the service provider is not large, we focus on the key management process of the KDC and the vehicles. C. Vehicle Model We assume that vehicle vi ∈ Nu joins the service group at time tij and leaves the service group at time til , where tij < til . Here, Nu is the set of all possible vehicles served by the service provider. The valid set of vehicles is denoted by Nt = {vi |tij < t < til , vi ∈ Nu }. The SPI of vi , which is denoted by TSi , consists of tij and til , i.e., TSi = {tij , til }. For the simple analysis of vehicular dynamics, including vehicles joining (service subscription) and vehicles leaving (service expiration), we assume that each vehicle subscribes to the service once. That is, each vehicle can have a unique SPI, which means that, for vi and vj , tij = tjj , til = tjl , and tij = tjl . Since vehicles in Nu dynamically join and leave the service group, Nt also changes. We define the term membership to accommodate the vehicular dynamics as follows. Definition 3.1: Membership. Let v be an arbitrary vehicle in Nu . The membership at time t consists of vehicles in Nt , where v ∈ Nt . In vehicular multicast communications, vehicular dynamics, including vehicles joining (service subscription of vehicles) and vehicles leaving (service expiration of vehicles), lead to the membership change of the valid set of vehicles Nt . Thus, we define membership dynamics, which means the membership change of a vehicle from the vehicular mobility, as follows. Definition 3.2: Membership dynamics. Let δ be a small positive number, which means that, for any natural number n, 1/n > δ. Membership dynamics at time t exist if and only if the following requirement is satisfied, i.e., |Nt − Nt+δ | + |Nt+δ − Nt | > 0. Here, |Nt − Nt+δ | > 0 means that one or more than one vehicle leaves the service group because of service expiration at time t. In addition, |Nt+δ − Nt | > 0 means that one or more than one new vehicle subscribes to the service group at time t. Definition 3.3: Static period. Let Nt be a valid set of vehicles at time t. The time period, i.e., (a, b), is static if and only if the following requirements are satisfied for all possible t(a < t < b) : |Nt −Na |+|Na −Nt | = 0 and |Nt −Nb |+|Nb −Nt | = 0. Definitions 3.2 and 3.3 implies that the membership is static if and only if membership dynamics exist and that the time period is static at time period (ta , tb )(ta < tb ). Thus, the KDC does not have to update keys at static period (ta , tb ).

We also define key validity as follows. Definition 3.4: Key validity. Let K be a key. Key K is valid in a time period from ta to tb (ta < tb ) if and only if the KDC allocates key K, which is used between ta and tb , in a time period from ta to tb . D. Key Model To efficiently support our service model, where a vehicle subscribes at the vehicular network services with PPM, we consider the centralized GKM with a KDC. In the proposed SPKM scheme, we assume that only a KDC has the authority of group rekeying [21]. GKs can be generated from two oneway functions Fg (·) and Fd (·) at every vehicle. Each oneway function is implemented into one of the hash functions, such as the message–digest algorithm and the secure hash algorithm [23], [24]. We also assume that vehicle vi has a unique individual key (IK) to build the secure communication channel between vi and the KDC. IV. O PERATION OF S UBSCRIPTION -P ERIOD -AWARE K EY M ANAGEMENT After we describe the overall operation of the proposed SPKM scheme, we show the detailed operation. A. Overall Operation The overall operation of the proposed SPKM scheme can be summarized as follows. • Preprocess. Using Fg (·), the KDC generates SKs. Before membership dynamics occurs, each SK is used as a GK during Ps . • Membership-dynamic-based GK derivation by the KDC. When receiving the SPI of a joining vehicle, the KDC derives a new GK from the parent GKs, each of which can be used before the occurrence of membership dynamics from the SPI, including SKs. • GK management. When a vehicle joins, the KDC delivers a KP to the vehicle using unicast communications. In addition, when membership dynamics occur, the KDC delivers GKUI to every vehicle using multicast communications. Here, membership dynamics can occur from three membership events: service subscription, service extension, and service expiration. By combining the current GK and GKUI, including the path information of a key tree to derive from the current GK to the new GK, each vehicle can derive the new GK. Algorithm 1 Key Packing Algorithm (KPA) 1: Input: tj , tl , EKs 2: Arrange EKs between tj and tl in time order t 3: while Is there any sibling keys? do 4: Replace the sibling keys with their PK 5: end while 6: Make the rest of the keys as KPs

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

Algorithm 2 KPA for Extension (KPAE) 1: Input: tj , tl , EKs 2: Arrange EKs between tj and tl in time order t 3: while Are there any sibling keys? do 4: Replace the sibling keys with their PK 5: endwhile 6: Select the earliest valid key in ascending time order among the keys 7: if Is the vehicle authorized to access the earliest valid key’s PK? then 8: Replace the earliest valid key’s sibling keys with its PK and record the number of keys. 9: goto 6 10: end if 11: Set the keys having the smallest number as KPs

Algorithm 3 GK Update Algorithm (GKUA) 1: Input: Set the current GK as Kp , GKUI ←− NULL 2: while Is Kp not an SK? and Is prk(Kp ) not valid at tp+δ ? do 3: Set the element of prk(Kp ) as Kp , GKUI ←− GKUI + 00 4: end while 5: if Is Kp an SK? then 6: Get the next SK of Kp . Set the next SK as Kp , GKUI ←− GKUI + 00 7: else 8: Set the element of prk(Kp ) as Kp 9: end if 10: if Is Kp an EK? then 11: Return GKUI 12: else if Is Fd (Kp , 1) valid at tp+δ ? then 13: Set Fd (Kp , 1) as Kp , GKUI ←− GKUI + 10, go to 10 14: else if Is Fd (Kp , 2) valid at tp+δ ? then 15: Set Fd (Kp , 2) as Kp , GKUI ←− GKUI + 11, go to 10 16: else if Is Fd (Kp , 3) valid at tp+δ ? then 17: Set Fd (Kp , 3) as Kp , GKUI ←− GKUI + 01, go to 10 18: end if

Algorithm 4 GK Derivation Algorithm (GKDA) 1: Input: Set the current GK as Kp 2: while GKUI is not a NULL do 3: Get first the two digits of GKUI, delete the two digits in GKUI 4: if Is the two digit 00? then 5: if Is Kp a SK? then 6: Set the next SK as Kp 7: else 8: Set the element of prk(Kp ) as Kp

4217

9: end if 10: else if Is the two digit 10? then 11 Create Kp = Fd (Kp , 1), store Kp 12: else if Is the two digit 11? then 13: Create Kp = Fd (Kp , 2), store Kp 14: else if Is the two digit 01? then 15: Create Kp = Fd (Kp , 3), store Kp 16: end if 17: end while

B. Membership-Dynamic-Based Key Derivation To introduce the proposed membership-dynamic-based key derivation (MDKD), we consider two scenarios. One is that the joining and leaving times are within the valid periods of the different GKs, and the other is that the joining and leaving times are within the valid period of a single GK. In the first scenario, the KDC derives four new GKs using the SPI, where the SPI includes joining time tj and leaving time tl of a vehicle. As the group members may change at the joining time, one GK is derived to guarantee backward confidentiality, and the other GK is derived to guarantee forward confidentiality. In the same way, the other two GKs are derived based on the leaving time. In the second scenario, the KDC may derive new three GKs using the SPI for the same purpose as that of the first scenario. The only difference is that as the joining time and the leaving time is within the valid period of a single GK, one GK is derived to guarantee both forward confidentiality of the joining time and backward confidentiality of the leaving time. For example, in the first scenario, the new EKs are derived using tj and the EK that is valid at tj , and using tl and the EK that is valid at tl , respectively, as follows: K(ta , tj ) = Fd (K(ta , tb ), 1) and K(tj , tb ) = Fd (K(ta , tb ), 3) (ta < tj < tb and K(ta , tb ) is an EK), and K(tc , tl ) = Fd (K(tc , td ), 1) and K(tl , td ) = Fd (K(tc , td ), 3) (tc < tl < td and K(tc , td ) is an EK). In the second scenario, as a valid EK at time tj is the same as a valid EK at time tl , the new EKs are derived from Fd (·) in the following way: K(ta , tj ) = Fd (K(ta , tb ), 1), K(tj , tl ) = Fd (K(ta , tb ), 3), and K(tl , tb ) = Fd (K(ta , tb ), 2) (ta < tj < tl < tb and K(ta , tb ) is an EK). From K(ta , tj ) = Fd (K(ta , tb ), 1), the derived key K(ta , tj ) consists of child keys (CKs) in a key tree, and the original key K(ta , tb ) consists of parent keys (PKs). The relationship between a CK and a PK can be expressed as prk(K) = {Kp | K = Fd (Kp , i)} (i = 1, 2, 3), crk(K) = {Kc |Kc = Fd (K, i)} (i = 1, 2, 3), and sbk(K) = {Ki |prk(K) = prk(Ki )} (for all possible Ki ). Here, prk(K), crk(K), and sbk(K) are a set of PKs of key K, a set of CKs of key K, and the sibling keys of key K, respectively. From the given relationship between a CK and a PK, it is clear that any key cannot be an EK and a PK at the same time. In addition, among PKs, there exists an SK that satisfies |prk(SK)| = 0. That is, the SK is not the key derived from any key and should be thus generated by a KDC. For example, in Fig. 2, K(t1 , t7 ) is the SK, which cannot be derived from the other keys.

4218

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

Fig. 4.

Fig. 2. Example of MDKD.

Example for explaining KPA, GKUA, and GKDA.

group service. Among the keys in the KP, an FK is delivered to the joining vehicle. By using the FK and Fd (·), the vehicle can derive a GK. To provide confidentiality of the message consisting of the FK, the KDC sends the FK that is encrypted by the vehicle’s IK. After sending the FK, the FK is deleted from the KP. In Algorithm 1, we show the operation of the proposed KPA in detail. By using the KPA shown in Algorithm 1, the KDC can generate a specific KP consisting of the keys that are used in deriving all the GKs at a specific subscription period. For example, when a new vehicle tries to subscribe over the subscription period from t2 to t18 in Fig. 4, the KDC generates a KP by using the KPA in the following way, where line numbers in Algorithm 1 are shown as follows. • Line 2: The KDC arranges EKs during the SPI in time order. KPx = {k2 , k3 , k7 , k9 , k10 , k11 , k13 , k14 , k15 , k16 , k18 }. • Line 4: Replace k2 and k3 , k9 and k10 , and k13 and k14 (the sibling keys) with k1 , k8 , and k12 (their PK), respectively. Then, KPx = {k1 , k7 , k8 , k11 , k12 , k15 , k16 , k18 }. • Lines 3 and 4: Because there are still sibling keys in KPx , replace k7 , k8 , k11 , k12 , k15 , and k16 with k5 and k6 . KPx = {k1 , k5 , k6 , k18 }. • Lines 3 and 4: There are still sibling keys (k5 , k6 , andk18 ). Therefore, they are replaced with k4 . KPx = {k1 , k4 }. • Line 6: Finally, the KDC makes a KP from KPx . (KP = {k1 , k4 }).

Fig. 3. Proposed SPKM scheme according to three membership events: service subscription, service extension, and service expiration.

C. GK Management 1) Service Subscription: In the case of a service subscription, the KDC manages the keys as shown in Fig. 3. When vehicle vi subscribes to a service, the vehicle sends a subscription request message, including its SPI. The KDC derives new EKs with the SPI and then, generates a KP, including the minimized number of keys. By using the keys in the KP, a vehicle derives all EKs between the joining time and leaving time. To generate the KP, we propose a new KP generation algorithm, which is called the KPA. The operation of the KPA is shown in Algorithm 1. In order of validity time, the keys in KP are delivered to the joining vehicle, which subscribes to a

Service Extension: In case of a service extension, the KDC manages the keys as shown in Fig. 3. When vehicle vi ∈ Nt tries to extend a service subscription period, the vehicle sends a service extension request message with the SPI consisting of a new leaving time to the KDC. After receiving the SPI, the KDC derives new EKs from the received SPI and generates a KP covering the extended time period through a KPAE, whose detailed operation is shown in Algorithm 2. The KPAE generates the KP in the same way as the KPA does. Compared with the KPA, the KPAE can further reduce the size of the KP because the keys in the KP before an extension request time can be used to generate a new KP. Among the keys in the KP, an FK is delivered to the vehicle as well. By using the FK, the vehicle can derive the next GK with a one-way function. To provide confidentiality of the message, including the FK, the KDC should send the FK encrypted through the vehicle’s IK. After sending the FK, the FK is deleted in the KP. In Algorithm 2, we show the detailed operation of the KPAE. For example, if a subscribed vehicle (t0 to t6 ) tries to extend service t6 to t27 , as shown in Fig. 5, the KDC generates a KP

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

Fig. 5.

Example for explaining KPAE.

through the KPAE in the following way, where line numbers in Algorithm 2 are shown as follows. • Lines 2 to 4: The KDC generates KP0 = {k7 , k11 , k13 , k20 }. • Line 6: Among elements of KP0 , k7 is selected. • Line 7: Because the PK of k7 is k6 . • Line 8: Replace k7 with k6 . KP1 = {k6 , k11 , k13 , k20 }, and |KP1 | = 4. • Line 6: Among the elements of the KP, k6 is selected. • Line 7: In addition, k8 is the PK of k6 . • Line 8: Replace k6 , k11 , and k13 (sibling keys of k6 ) with k8 . KP2 = {k8 , k20 }. In addition, |KP2 | = 2. • Line 7: Since k8 is an SK. • Line 11: Among the KPx (x = 0, 1, 2) obtained from each steps, the KDC selects a KP having the least number of elements. Thus, KP2 is selected as a KP. 2) Service Expiration: In the case of a service expiration of a vehicle, the KDC manages the keys as shown in Fig. 3. Based on vehicles’ SPIs, the KDC is already aware of membership dynamics in a service group and all the key path information for generating GKs. Before a static period is over, the KDC generates GKUI for existing subscribed vehicles to derive the next EK through the proposed GKUA, whose operation is shown in Fig. 3. When the service expiration event occurs, the KDC multicasts GKUI. After receiving GKUI, vehicles can successfully derive the next GKs from their own FKs. Detailed operations of the GKUA are shown in Algorithm 3. For some vehicles, their FKs can be expired. The KDC should deliver the next FKs in their KP to the specific vehicles, and by using the next FKs, the vehicles derive the new GKs. For data confidentiality of the message, including the FK, the KDC should send the FK encrypted through the vehicle’s IK. After sending the FK, the FK is deleted in the KP. The GKUI is the path information used to derive the next EK from a present EK. GKUI consists of a series of twobit codes, each of which indicates a direction from a specific key: 00 (up), 10 (left), 01 (right), and 11 (middle). Here, up, left, right, and middle of k indicates prk(k), Fd (k, 1), Fd (k, 2), and Fd (k, 3), respectively. By way of exception, up of the SK indicates the next SK. The specific procedure of the GKUA is shown in Algorithm 3. For example, when a current GK is k3 in Fig. 4, the KDC can generate GKUI by using the GKUA in the following way, where line numbers in Algorithm 3 are shown as follows. • Line 1: Set GK k3 as Kp . KP = (·). • Line 2: k3 is not an SK, and prk(k3 ), k1 , is not valid at tp+δ . • Line 3: Set k1 as Kp , and GKUI = (00).

4219

• Lines 2 and 5: Since k1 is an SK. • Line 6: Get the next SK of k1 , i.e., k4 , and set k4 as Kp . Then, GKUI = (0000). • Line 10: k4 is not an EK. • Line 12: Since k5 , Fd (Kp , 1), is valid, • Line 13: Set k5 as Kp , and GKUI = (000010). • Line 10: k5 is also not an EK. • Line 12: Since k7 , Fd (Kp , 1), is valid as well, • Line 13: Set k7 as Kp , and GKUI = (00001010). • Line 10: Because k7 is an EK. • Line 11: Finally, the KDC obtains GKUI. When vehicles receive GKUI from the KDC, the vehicles begin to derive the next GK through the GK derivation algorithm (GKDA). Algorithm 4 shows the detailed operations of the GKDA for deriving a new GK from the current GK by using its own FK. Let us assume that the current GK is k3 and that a vehicle receives GKUI of 00001010. In addition, the vehicle is aware of k1 , k3 , k4 , as shown in Fig. 4. The vehicle can derive the next GK through GKDA in the following way, where line numbers in Algorithm 4 are shown as follows. • Line 1: A vehicle set k3 as Kp . • Line 3: The first digits of GKUI is 00, and the digits in GKUI should be deleted. • Lines 5 and 8: Since Kp is not an SK, prk of Kp , i.e., k1 , is set as Kp . • Lines 2 and 3: Because GKUI(001010) is not empty, get the first digit (00). • Lines 5 and 6: Since Kp is an SK, the next FK k4 is set as Kp . • Lines 2 and 3: Because GKUI(1010) is still not empty, get the first digit (10). • Line 11: Derive a CK of k4 , i.e., k5 = Fd (k4 , 1). • Lines 2 and 3: Since GKUI(10) is not empty, get the first digit (10) as well. • Line 11: Derive a CK of k5 , i.e., k7 = Fd (k5 , 1). • Lines 2 and 17: Because GKUI(·) is empty, a vehicle can set k7 as the next EK and use the EK as a GK. V. C OST A NALYSIS Here, we analyze the performance of the proposed SPKM scheme based on three different criteria, i.e., computation, storage, and communication costs. A. Computation Cost KDC: Since the time difference between the vehicular service subscription time and the vehicular service expiration time included in SPI is normally greater than the average valid period of GKs, the KDC commonly derives four keys following the first key derivation scenario, as in Section IV-B. That is, the vehicular joining time causes one dynamic following the vehicular service subscription; thus, the KDC derives two keys (: 2|Nt |/E[Pv ]), where E[Pv ] is the expected service subscription period. In addition, the vehicular leaving time causes another dynamic following the vehicular service expiration; thus, the KDC derives two keys (: 2|Nt |/E[Pv ]). As a result, the computation cost of a server is given as U s  4|Nt |/E[Pv ].

4220

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

Vehicle: A vehicle should be unaware of membership dynamics of the other vehicles to guarantee the privacy of the vehicle. Whenever a new key is adopted (or whenever the present static period ends), vehicles should receive the new GKUI for deriving the next EK. On average, the number of key derivations by vehicles is the same as that by the KDC. That is, since each vehicle derives two keys following the vehicular service subscription (: 2|Nt |/E[Pv ]) and the other two keys following the vehicular service expiration (: 2|Nt |/E[Pv ]), the computation cost of a vehicle is given as U v = U s = 4|Nt |/E[Pv ]. B. Storage Cost KDC: Whenever a vehicle subscribes to a service, the KDC should generate four keys by using the joining time and the leaving time in SPI. Thus, the number of keys to be stored in server S s is 4|Nt |. Vehicle: A vehicle stores the keys from the SK to the current GK in a key tree path. Thus, the storage cost in a vehicle is the same as the depth of an EK. When the number of dynamics for a single SK is ζ, the number of EKs is ζ + 1. Note that the sum of the depth of EKs with ζ dynamics under a single SK is Dζ , and the average depth of GK is ADζ (= Dζ /ζ +1). For the additional one dynamics, Dζ increases as much as AD + 2(2(d + 1) − d = d + 2). According to the relation between additional dynamics and the sum of the depth of GKs for a single SK, we can derive the following recurrence formula: Dζ = Dζ−1 + ADζ + 2 =

ζ +1 Dζ−1 + 2. ζ

(1)

By further expanding (1), we can derive the following:   ζ ζ +1 Dζ−2 + 2 + 2 Dζ = ζ ζ −1 =

ζ +1 ζ +1 Dζ−2 + 2 + 2. ζ −1 ζ

(2)

In addition, by expanding (2) until ζ becomes zero, we can derive the following:   1 1 1 ζ +1 D0 + 2(ζ + 1) + + ··· Dζ = + 2. (3) 1 ζ ζ −1 2 Note that ζ = 0 means that there exist no dynamics while a single SK is valid. That is, since a single SK is used only as an EK during the valid period of the SK, the number of EKs is 1, i.e., D0 = 1. By assigning D0 = 1 into (3), it can be converted into Dζ = 2(ζ + 1)

ζ    1 i=1

i

− ζ + 1.

(4)

Thus, the average depth of GKs can be computed from dividing Dζ by (ζ + 1) as ADζ = Dζ /(ζ + 1). Since ζ = |Nt |Ps /E[Pv ], the storage cost of vehicles is given as follows: |Nt |Ps E[Pv ]

 1 2E[Pv ] − 1. S = ADζ = 2 + i |Nt |Ps + E[Pv ] i=1 v

(5)

Fig. 6.

Example for computing unicast communication cost of KPA.

C. Communication Cost The proposed SPKM scheme includes two kinds of communication costs. First, when subscribing to a service, a vehicle receives a unicast message, including the optimized KP. Second, when there is membership dynamics caused by other vehicles’ service subscription or expiration, vehicles receive multicast messages, including GKUI. Let us investigate these unicast and multicast communication costs. 1) Unicast Cost: Let us remember that, when a vehicle subscribes to a service, the KDC sends a KP, consisting of SKs and the CKs derived from SKs with the binary relation, to the vehicle using unicast communications. Here, the term binary relation means that only two CKs can be driven from a PK. Thus, unicast cost C u is expressed as the sum of the following three costs. The first cost is the delivery cost of keys derived between the joining time and the expiration time of an SK valid at the joining time (C ub ). The second cost is the delivery cost of SKs valid within the SPI (C us ). The final cost is the delivery cost of keys derived between the beginning time of an SK valid at the expiration time and the vehicle’s service expiration time (C ue ). That is C u = C ub + C us + C ue .

(6)

As the vehicular service subscription rate to a service follows the characteristics of the Poisson distribution [26], the vehicles’ subscription time is well balanced over the entire group service period. This balance characteristic indicates that C ub and C ue are the same on average. Thus, (6) can be expressed as follows: C u = C ub + C us + C ue = C us + 2C ue .

(7)

In addition, it is very likely that the service subscription period is much longer than the average key update period. Thus, the keys under a single SK in a key tree can be normally maintained with binary relation. Given k-level binary relation, there are 2k elementary keys under a single SK. Fig. 6 shows an example that describes key relations in a KP. Fig. 6(a)–6(c) compose the structured keys, where k1 , k2 , and k5 are SKs, each of which is valid at (t1 , t2 ), (t3 , t5 ), and (t6 , t10 ), respectively. When vehicles subscribe to a service before t1 , t3 , and t6 , and leave before t2 , t5 , and t10 , respectively, the number of keys in a KP under a single SK can be analyzed in

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

4221

the following way. In Fig. 6(a), there is no dynamics between t1 and t2 . Thus, when a vehicle leaves a service group at time t2 , the number of keys in the KP will be 1 (k1 ). For L = 2 (i.e., the layer is two), there are two cases of vehicles’ leaving scenarios. If a vehicle leaves at t4 , the number of keys in the KP is 1 (k3 ). If a vehicle leaves at t5 , the number of keys in the KP is also 1 (k2 ). This is because a vehicle can derive low-layered keys k3 and k4 from k2 . In the same way, the number of keys in the KP can be simply derived following vehicles’ service expiration times, as shown in Fig. 6(c). In Fig. 6(c), the sum of the number of keys against all possible KP cases (CLu , where L is the number of key layers) is 5(= 1 + 1 + 2 + 1). Since, the structure of A1 is the same u . In addition, as those of A2 and A3 in Fig. 6(c), CLu = 2CL−1 when the KDC makes the KP valid for (t6 , t9 ) or (t6 , t9 ), the KP includes key k6 on the top of A2 . Since the number u is modified to of dynamics cases in A3 is 2L−2 , CLu = 2CL−1 L−2 u u CL = 2CL−1 + 2 . By way of exception, when the subscription period covers the entire valid period of the SK (e.g., (t6 , t10 ), the KP includes not lower layer keys k6 and k7 but SK k5 , which subtracts 1 from CLu . As a result, we can obtain CLu = u + 2L−2 − 1(C1u = 1). From the previous equation of 2CL−1 u CL , we can derive the recurrence formula as follows:

Since there are |Nt | vehicles during E[Pv ] period, the multicast cost is expressed as

u L−2 CLu = 2C −1   L−1u + 2 L−3 − 1 + 2L−2 − 1 = 2 2CL−2 + 2 u + 2 · 2L−2 − 1 − 2. = 22 · CL−2

12|Nt | E[Pv ] = (bits). |Nt | E[Pv ]

(11)

Since the multicast message consumes much more network resources, the multicast cost should be considered the network overhead. Chuang et al. showed that the network resource usage of multicast is |groupsize|0.8 times greater than that of unicast [19], where |groupsize|0.8 = Θ is the network overhead ratio between unicast and multicast messages. Thus, the multicast cost is expressed as C m = Θ · C mo = |Nt |0.8 · C mo .

(12)

3) Communication Cost: As the proposed SPKM scheme uses both unicast and multicast methods, the communication cost of the proposed SPKM scheme is expressed as the sum of the multicast and unicast costs [17], [18]. Thus, we can express the communication cost as C SPKM = C u + C m .

(13)

VI. C OST O PTIMIZATION (8)

If we continuously expand the equation until L is 1, we can derive the following equation: CLu = 2L−1 · C1u + (L − 1) · 2L−2 − 2L−1 + 1. Since C1u = 1, (8) is simplified into CLu = (L − 1) · 2L−2 + 1.

C mo = 12(bits)/

(9)

Thus, CLu /2L is the average number of keys for generating a KP, which stands for C ue . Note that 2L−1 − 1 = the average number of dynamics in a single SK = 2|Nt |/(E[Pv ]/Ps ). From (7) and (9), we can derive the unicast communication overhead into the average number of keys in a KP with a heavy traffic scenario (2L−1  1) as follows:     L−1 E[Pv ] 1 C u = C us + 2C ue ≈ − +2 P 2 2  s    E[Pv ] |Nt |Ps 1 + + log2 = . (10) Ps 2 E[Pv ] 2) Multicast cost: Since each vehicle has the keys for deriving new EKs over their subscription period, multicast overhead comes only from the GKUI messages issued whenever vehicular dynamics exist. When a vehicle subscribes to a service, the next GK is derived from a current EK based on the subscription time of a vehicle. Each SPI makes vehicles perform a key derivation. Since the key derivation requires to deliver four-bit direction information, the multicast cost per vehicle subscription is four bits (two bits for a direction information). On the other hand, for the service expiration of a vehicle, each expiration time information in SPI makes vehicles perform two times the key derivations. Thus, multicast cost per vehicular service expiration is eight bits.

To find the conditions for optimizing the key management cost, we show the performance analysis of the proposed SPKM scheme in a statistical way, i.e., by using M/G/∞. A. M/G/∞ System To model vehicular dynamics as a statistical queening system, we assume that λ follows a Poisson distribution with mean rate λs . In addition, we assume that the vehicle subscription period follows a Gaussian distribution G(·) with E[Pv ] and Dv . These assumptions are commonly used in modeling group behavior [27], [28]. In addition, since vehicles’ dynamics are independent to one another, we model vehicles’ dynamics by using the M/G/∞ queuing model. Based on the assumption of M/G/∞, the probability that the number of vehicles in a group at time t equals to k is expressed as Pk (t) = P r [N (t) = k] ∞  e−λs t (λs t)n = Pk (t|V (t) = n) · n!

(14)

n=k

where N (t) = k means that k vehicles before time t are in service. Let us consider a single vehicle vi that subscribed before time t. Pr[vi subscribed at time x, vi is in service at time t|vi subscribed at time(0, t]] = Pr[vi subscribed at time (x, x + dx)|vi subscribed at time (0, t]]· Pr [vi is in service at time t|vi arrived at time (0, t]] = 1/tdx · Pr[vi ’s service is not over during the time period (t − x)] = 1/t · [1 − G(t − x)]dx. If we substitute y for x, we can obtain the following: t 0

1 1 · [1 − G(t − x)] dx = t t

t [1 − G(y)] dy. 0

(15)

4222

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

Now, let us expand (15) for a single vehicle into that for n(≥ 2) number of vehicles. V (t) = n represents that n vehicles subscribed during the time period (0, t]. The number of cases that k vehicles are still in service among n number of vehicles is the same as that of picking out k samples among the identically same n samples. Thus, (14) can be expressed as ⎡ t ⎤k 1 [1 − G(y)] dy ⎦ Pk (t|V (t) = n) = Ckn · ⎣ t ⎡ 0 ⎤n−k t 1 × ⎣1 − [1 − G(y)] dy ⎦ . (16) t 0

From (14)–(16), we can derive the following: ⎡ t ⎤k ∞  1 Pk (t) = Ckn · ⎣ [1 − G(y)] dy ⎦ t n=k 0 ⎡ ⎤n−k t 1 e−λs t (λs t)n . · ⎣1 − [1 − G(y)] dy ⎦ · t n!

Since the subscription and extension events of a vehicle occur independently, just by replacing λs with λ, the number in the M/G/∞ system obeys a Poisson distribution with the mean of ρ = λE[Pv ], i.e., λ = λs + λe , where λe is the vehicle extension rate. From the characteristics of the Poisson distribution, EPk [k] = ρ = λE[Pv ] = |Nt |. By applying the findings from M/G/∞ to the communication, computation and storage costs in Section V, the computation costs of the KDC and a vehicle per unit time is expressed as U s = U v = 4λ

the storage costs of the KDC and a vehicle per unit time are expressed as Ss

(17)

(23)

= λE[Pv

], S v

λPs    1 2 −1 =2 + i λPs + 1 i=1

(24)

the unicast communication cost per unit time is expressed as   E[Pv ] 1 u C = + + (log2 λPs ) Ps 2

0

If we substitute x + k for n in (17), (17) can be expressed as ⎡ t ⎤k ∞  (x + k)! ⎣ 1 · [1 − G(y)] dy ⎦ k!(x)! t x=0 0 ⎡ ⎤x t 1 e−λs t (λs t)x+k . (18) · ⎣1 − [1 − G(y)] dy ⎦ · t (x + k)!

and the multicast communication cost per unit time is expressed as C m = 12λ(λ · E[Pv ])0.8 (bits). From the unicast communication cost and the multicast communication cost, the communication cost C SPKM can be expressed as 1 2 + (log2 λPs ) + 12 (E[Pv ])0.8 · (λ)1.8 .

C SPKM = C u + C m = [E[Pv ]/Ps ] +

(25)

0

Equation (18) can be further simplified into  t k  λs [1 − G(y)] dy

B. Key Management Cost

0

·

 k! x t ∞ λs t − λs 0 [1 − G(y)] dy · e−λs t  x=0

x!

.

(19)

to the Taylor series of exponential function ex = According ∞ n n=0 x /n!, (19) is given as   k t t λs 0 [1 − G(y)] dy −λs ·e [1 − G(y)] dy. (20) k! 0

We analyze the key management cost of the proposed SPKM scheme, which is denoted as KMCSPKM . Let us remember that KMCSPKM is the weighted sum of the communication, computation, and storage costs. To sum up the different kinds of cost, we adopt the coefficients to apply appropriate weights. γSs and γSv denote the costs required to store a unit key in the KDC and vehicles, respectively. γUs and γUv denote the costs required to compute a unit computation by a server and a vehicle, u m and γC denote the costs required to transmit respectively. γC a unit data through unicast and multicast communications, respectively. Using these cost variables, we express the key management cost as KMCSPKM (Ps ) = γSs S s + γSv S v + γUs U s + γUv U v

Thus, we can express Pk (t) as    k t t exp −λs 0 [1−G(y)] dy · λs 0 [1−G(y)] dy . (21) Pk (t) = k!

C. Cost Optimization

Let us note that  t (21) follows a Poisson distribution with the mean of λs 0 [1 − G(y)]dy. Thus, we can calculate the probability of the number of vehicles equals to k in a steady state as follows:

From (26), we now formulate the design problem to optimize the weighted sum of the costs of SPKM. From the results in Section IV-B, KMCSPKM (Ps ) can be written as a simplified function with the design parameter Ps as follows:

Pk = lim Pk (t) = t−>∞

e−ρs (ρs )k , k!

(ρs = λs E[Pv ]) .

(22)

+ γC C SPKM .

KMCSPKM (Ps )  α

1 +β log Ps +δ (α, β, δ ∈ R+). Ps

(26)

(27)

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

From (23)–(25), (26) can be expressed as KMCSPKM (Ps ) = γSs λE[Pv ] + (γUs + γUv ) 4λ   λP   s 1 2 v −1 + γS 2 + i λPs + 1 i=1  1 + γC [E[Pv ]/Ps ] + + (log2 λPs ) 2  + 12 (E[Pv ])0.8 · (λ)1.8 . (28) By comparing (27) with (28), we obtain the coefficients of (27) in the following way: α = 2γSv /λ + E[Pv ]γC , β = 2γSv + γC / log 2, and δ = λE[Pv ]γSs + (2 log λ − 1)γSv + 4λ(γUs + γUv ) + (1/2 + 12(E[Pv ])0.8 (λ)1.8 + log λ)γC . From (27), we can formulate the cost optimization problem into KMCSPKM (Ps∗ ) = arg min KMCSPKM (Ps )(Ps ∈ Z+). (29) α,β,δ∈R+

Since ∇KMCSPKM (Ps ) = 0 for Ps = α/β, KMCSPKM (·) is optimized when Ps∗ = α/β. VII. E VALUATION R ESULTS We evaluate the performance of the proposed SPKM under various aspects in vehicular group service scenarios. As a metric for evaluating the performance, communication, computation, and storage costs are used. Since each cost can change under various parameters, we compute the average cost according to the expected service subscription period E[Pv ], standard deviation of the service subscription period Dv , and the service subscription rate λ. After we show the computation, storage, and communication costs of the proposed SPKM under various parameters, we compare the key management cost of the proposed SPKM with those of the well-known GKMs for vehicular multicast communications. To evaluate the performance of the proposed SPKM scheme, we implement the simulator by using Microsoft Visual Studio C++ 2010. In our simulation scenario, we assume vehicular multicast services. We assume that vehicular service subscription rate follows Poisson distribution, and the service subscription period of each vehicle follows Gaussian distribution. This is because a vehicle’s service subscription event is independent from that of the other vehicles in the vehicular service group. As a ciphering and derivation algorithm, we adopted Advanced Encryption Standard (AES) and SHA-1, and we set the size of keys into 128 bits [22], [24]. Details of parameter values are separately shown according to simulation scenarios. A. Performance Evaluation of the Proposed SPKM Scheme Based on the computation, storage, and communication costs, we show the performance analysis results of the proposed SPKM scheme and the RDKM scheme under the influence of various parameters, including λ, E[Pv ], and Ps . To compare two schemes under the same condition, by following [12], it is

4223

TABLE II C OMPUTATION C OSTS OF THE P ROPOSED SPKM S CHEME (U s , U v ) AND THE RDKM S CHEME (U Server + U RSU , U v )

assumed that the average moving distance is 10 km, the RSU coverage is 1 km, the number of RSUs is 40, the number of the independent subkey trees (ISTs) is 4, and the degree of IST structure is 5. 1) Computation Cost: Given E[Pv ] = 66.7(min) and Ps = 16.7(min), we investigate the influence of λ on the computation costs of the KDC and vehicles since λ is the main cause of the increase in the computation costs. In Table II, we show the measured computation costs. We assume that, since cryptographic operation by either the AES or the SHA-1 algorithm is done under a few microseconds and a few nanoseconds in the vehicular environments, the computation delay in the process of deriving new keys is approximately negligible [20]. In Table II, it is shown that, as λ increases, U s and U v also increase. However, we observe that the average number of computations per minute linearly increases proportionally to the increase in λ. To compare the computation costs of the SPKM scheme with those of the RDKM scheme, we refer to the computation cost ratio, denoted as AES-128 bits encryption/description cost over the SHA-1 derivation cost, in Crypto benchmarks [20]. This is because, as a main function for key management, the SPKM scheme and the RDKM scheme use a derivation function and encryption/decryption functions, respectively. In Table II, we observe that the proposed SPKM scheme can greatly reduce computation costs of the RDKM scheme. 2) Storage Cost: Given Ps = 16.7(min), we investigate the influence of λ and the expected vehicle subscription period E[Pv ] to the storage costs S s and S v . In Table III, we show the influence of λ to the storage costs. Since the number of computations changes by the influence of vehicular dynamics, we observe that S s linearly increases proportionally to the increase in λ. Although we use 128-bit size key, it is shown that the amount of keys to be stored is not a burden to the KDC. In addition, in Table IV, it is observed that S v slightly increases according to the increase in λ. This is because, in the vehicle, the new keys from λ can be derived from the minimized keys in the KP. As shown in S s , this result implies that the amount of keys to be stored is not a burden to vehicles at all. In Table III, we show the influence of E[Pv ] to the storage costs. We observe that S s is proportional to E[Pv ]. This is because, given λ, the number of vehicles in a service group increases proportionally to the increase in E[Pv ]. On the other hand, in Table IV, it is shown that E[Pv ] does not influence on S v since the average depth of GKs is independent of E[Pv ]. To compare the storage costs of the SPKM scheme with those of the RDKM scheme, it is assumed that, during 33.3 min, a vehicle moves 10 km in an urban area on average. In Table III, we observe that the server storage cost of the proposed SPKM

4224

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

TABLE III S TORAGE C OSTS OF A S ERVER OF THE P ROPOSED SPKM S CHEME AND RDKM S CHEME (S s )

TABLE V C OMMUNICATION C OSTS OF THE P ROPOSED SPKM S CHEME AND THE RDKM S CHEME

TABLE IV S TORAGE C OSTS OF A V EHICLE OF THE P ROPOSED SPKM S CHEME AND THE RDKM S CHEME (S v )

scheme is less than that of the RDKM scheme. In addition, although the vehicle storage cost of the proposed SPKM scheme is slightly larger than that of the RDKM scheme in Table IV, we observe that the difference between storage costs of the proposed SPKM scheme and the RDKM scheme is negligible. 3) Communication Cost Through Unicast: In Table V, we investigate the influence of E[Pv ], Dv , and λ to C u . Specifically, we measure C u by the influence of: 1) E[Pv ] under Dv = 1.67(min) and λ = 7.2(min); 2) Dv under E[Pv ] = 50.0(min) and λ = 7.2(min); and 3) λ under E[Pv ] = 16.7(min) and Dv = 1.67(min). In Table V, we observe that the number of keys in the KP increases proportionally to the increase in E[Pv ], and C u is not influenced by Dv . From C u under various λ, we also observe that C u is O(λ), which comes from the number of GK updates according to the vehicular service subscription. That is, C u is O(1) at a single GK update. These observations imply that, while the legacy GKM schemes requires O(log λ) = O(log |Nt |) (|Nt | = λ · E[Pv ]), the proposed SPKM scheme can avoid the one-affect-all problem through unicast communications. In Table V, we also observe that, under different values of E[Pv ] and λ, the unicast communication cost of the proposed SPKM scheme is smaller than that of the RDKM scheme. 4) Communication Cost Through Multicast: We investigate the influence of E[Pv ], Dv , and λ to C m under the same conditions as those of unicast. C m consists of three components: the network overhead of multicast communications Θ, the frequency of GK updates, and the number of messages at a single GK update. In Table V, we observe that C m is influenced by E[Pv ] and λ. In Table V, we also observe that C m increases as E[Pv ] increases due to Θ. λ influences on C m

because of two reasons. First, as λ increases, the number of GK update increases. Second, as λ increases, the Nt increases, which causes Θ. In Table V, we observe that the proposed SPKM scheme shows O(1) at a single GK update in terms of multicast cost, whereas the legacy schemes have O(log(N )) [10], [12]. These results imply that the proposed SPKM scheme is scalable in vehicular multicast communications without a severe network burden. In Table V, we also observe that, under different values of E[Pv ] and λ, the proposed SPKM scheme shows the smaller multicast communications cost than the RDKM scheme. B. Comparison of Key Management Costs We compare the key management cost of the proposed scheme with those of TMKM and RDKM. We assume 20 km × 20 km for the vehicles that are moving, 1 km for the coverage of RSUs, and 400 for the number of RSUs. We also assume that the degree of the key tree of TMKM and RDKM is 5, λ = 48(min)(|Nt | = 20 000 on average), and Ps = 83.3(min). Based on the market prices of various devices, such as Flash memory and the price of data rate in a cellular network, we assume the values of the coefficients: γSs = 0.0001, γSv = 0.0005, u m = γC = 3. It is assumed γUs = 0.0002, γUv = 0.001, and γC that the unicast and multicast messages are delivered through a cellular network. In Fig. 7, we show the key management costs of three different GKM schemes, including SPKM, TMKM, and RDKM, under various vehicular moving distance (vehicle mobility) from 5 to 40 km. Regardless of vehicular moving distance, we observe that the proposed SPKM scheme shows a good performance compared with TMKM and RDKM. Specifically, it is shown that the key management cost of the proposed SPKM scheme is not related to the average moving distance of vehicle, whereas those of TMKM and RDKM is proportional to the average moving distance of the vehicle. This

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

4225

VIII. D ISCUSSION A. Influence of SPKM on the IEEE 802.11p MAC and PHY Layers

Fig. 7. Comparison of key management cost for the TMKM, RDKM, and SPKM schemes. TABLE VI C OMPARISON OF K EY M ANAGEMENT C OSTS OF THE TMKM, RDKM, AND SPKM S CHEMES U NDER G AUSSIAN D ISTRIBUTION OF Pv

is because, regardless of vehicle subscription, TMKM causes the rapid increase in the key management cost whenever a vehicle moves from one RSU to other RSU. Regardless of vehicle subscription, RDKM also causes the increase in the key management cost whenever a vehicle moves from one RSU to another RSU. This is because, when the vehicle moves from one RSU to another RSU, RDKM should allocate an additional node for vehicle moving information to the key tree of the RSU. That is, since the number of additional nodes increases proportionally to the increase in the vehicle’s moving distance, the key management cost of RDKM proportionally increases as the vehicle’s moving distance increases. On the other hand, since the proposed SPKM scheme does not require topology information, the key management cost of the proposed SPKM scheme is not influenced by the vehicle moving distance. In addition, the minimum key management cost in Fig. 7 can be obtained by using both unicast and multicast communications efficiently.

C. Key Management Costs Under Uniform Distribution of pv To show how different distributions of the service subscription period influence on key management costs, we measure key management costs of the GKM schemes under uniform distribution. Under uniform distribution of Pv , we measure that key management costs of the proposed SPKM scheme is 98 100, which is slightly higher than 96 400 under Gaussian distribution of Pv . From the comparison with key management costs of the other GKM schemes in Table VI, we observe that even under uniform distribution, key management costs of the proposed SPKM scheme are lower than the TMKM and RDKM schemes.

While multicasting secure GK update messages, the application data, including GKUI, will be embedded into a frame and may thus have influence on the communication overhead of the IEEE 802.11p medium-access-control (MAC) and physical (PHY) layers for VCs. From the empirical IEEE 802.11p performance evaluation results [29], we investigate how the proposed SPKM scheme would affect the 802.11p MAC and PHY layers in terms of communication delay while multicasting the secure GK update messages. To measure the latency of IP, MAC, and PHY layers, latency is defined as the time from the generation of a frame at the emitting device to the reception at the receptor device. In this experiment, a frame consists of a typical 20-B payload, 8 B of User Datagram Protocol header, 20 B of IP header, 8 B for logical link control, and additional 28 B of overhead, including the 802.11 MAC preamble and header, as well as the cyclic redundancy code sequence. The size of a frame is 84 B in total. In [29], the average latency values are measured at velocities of 30, 50, 70, 130, and 170 km/h, and the average latency is centered around 1.5 ms. Let us remind that the sizes of application data are four bits for multicasting message per vehicular service subscription and eight bits for multicasting message per vehicular service expiration, respectively. Thus, at most 1 B will be embedded into the payload of a frame. Since 1 B is much smaller than a typical 20-B payload, the influence of secure GK update messages on the MAC and PHY layers in terms of communication bandwidth requirements can be ignored. B. Influence of Service Subscription Rate Let us remember that, under membership dynamics of vehicles, the legacy GKM scheme is used to distribute the GKs to service subscription vehicles for secure group communications. To design the practical GKM scheme under membership dynamics, it is necessary that the rekeying time should be less than the static period, where there is no key update due to no dynamics. In the proposed SPKM scheme, the rekeying time consists of transmission delay Ttrans and key derivation time Tdev , and the static period is expressed as 1/λ. Thus, to make the proposed SPKM scheme practical, the sum of transmission delay and key derivation time should be less than 1/λ. That is, the so-called marginal rekeying time, which is denoted as Tmargin , should be larger than zero, i.e., Tmargin = 1/λ − (Tdelay )  0

(30)

where Tdelay = Ttrans + Tdev . When considering the worst case, where the marginal rekeying time is less than or equal to zero, it is impossible to successfully update keys. This is because, as the service subscription rate dramatically increases, a GK can be expired before the GK is shared among members. Thus, we investigate the influence of λ on Tmargin under different values of Tdelay . Based on the empirical IEEE 802.11p performance evaluation results [29],

4226

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 9, NOVEMBER 2013

Fig. 8. Influence of λ on marginal rekeying time.

we set Tdelay to 1.5, 5, and 10 ms. In Fig. 8, we observe that, as the service subscription rate increases, the marginal rekeying time gradually approaches to zero. This is because, as the service subscription rate increases, the static period decreases. Specifically, Tmargin approaches to zero when λ equals to 35 200, 11 500, and 5900 min for Tdelay of 1.5, 5, and 10 ms, respectively. However, in a realistic vehicular environment, such extremely large values of λ are not observed. This implies that the proposed SPKM algorithm can be effectively employed in a realistic vehicular environment. IX. C ONCLUSION To overcome the high frequency of group rekeying in vehicular multicast communications, we proposed a new GKM scheme, which is called SPKM. By efficiently combining the unicast and multicast communications, the proposed SPKM scheme minimizes key management complexity in group rekeying. From the evaluation results under various conditions, we show that the proposed SPKM scheme can greatly reduce the computation, storage, and communication complexity from O(log N ) to O(1) in every group rekeying. It is also shown that compared with the well-known GKM schemes for secure vehicle communications, the proposed SPKM scheme can show good performance in terms of computation, storage, and communication costs. Based on these results, we believe that the proposed SPKM scheme can be effectively used for secure vehicular multicast communications. R EFERENCES [1] “National highway traffic safety administration, CAMP vehicle safety communications, vehicle safety communications project, Task 3 final report,” Nat. Highway Traffic Admin., Washington, DC, USA, DOT HS 809 859, Mar. 2005, Identify intelligent vehicle safety application enabled by DSRC. [2] M. Nekovee, “Sensor networks on the road: The promises and challenges of vehicular ad hoc networks and vehicular grids,” in Proc. Workshop Ubiquitous Comput. e-Res., Edinburgh, U.K., May 2005, pp. 1–5. [3] J. Blum, A. Eskandarian, and L. Hoffmman, “Challenges of intervehicle ad hoc networks,” IEEE Trans. Intell. Transp. Syst., vol. 5, no. 4, pp. 347– 351, Dec. 2004.

[4] D. M. Wallner, E. J. Harder, and R. C. Agee, “Key management for multicast: Issues and architectures,” Internet Eng. Task Force, Fremont, CA, USA, RFC 2627, 1999. [5] X. S. Li, Y. R. Yang, M. G. Gouda, and S. S. Lam, “Batch rekeying for secure group communications,” presented at the 10th Int. WWW Conf., Hong Kong, 2001, Paper ACM 1-58113-348-0/01/0005. [6] J. Pegueroles and F. Rico-Novella, “Balanced batch LKH: New proposal, implementation and performance evaluation,” in Proc. IEEE ISCC, 2003, pp. 815–820. [7] J. Pegueroles, F. Rico-Novella, J. Hernandez-Serrano, and M. Soriano, “Improved LKH for batch rekeying in multicast groups,” in Proc. ITRE, 2003, pp. 269–273. [8] S. Xu, Z. Yang, Y. Tan, W. Liu, and S. Sesay, “An efficient batch rekeying scheme based on one-way function tree,” in Proc. IEEE ISCIT, 2005, pp. 490–493. [9] D. Je, J. Lee, Y. Park, and S. Seo, “Computation-and-storage-efficient key tree management protocol for secure multicast communications,” Comput. Commun., vol. 33, no. 2, pp. 136–148, Feb. 2010. [10] Y. Sun, W. Trappe, and K. J. R. Liu, “A scalable multicast key management scheme for heterogeneous wireless networks,” IEEE/ACM Trans. Netw., vol. 12, no. 4, pp. 653–666, Aug. 2004. [11] J.-H. Son, J.-S. Lee, and S.-W. Seo, “Topological key hierarchy for energy-efficient group key management in wireless sensor networks,” Int. J. Wireless Pers. Commun., vol. 52, no. 2, pp. 359–382, Jan. 2009. [12] M. Park, G. Gwon, S. Seo, and H. Jeong, “RSU-based Distributed Key Management (RDKM) for secure vehicular multicast communication,” IEEE J. Sel. Areas Commun., vol. 29, no. 3, pp. 644–658, Mar. 2001. [13] X. B. Zhang, S. S. Lam, D.-Y. Lee, and Y. R. Yang, “Protocol design for scalable and reliable group rekeying,” IEEE/ACM Trans. Netw., vol. 11, no. 6, pp. 908–922, Dec. 2003. [14] IEEE Standard for Information Technology. Telecommunications and Information Exchange Between Systems. Local and Metropolitan Area Networks—Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std. 802.11-2007, 2007. [15] IEEE Standard for Local and Metropolitan Area Networks Part 16: Air Interface for Broadband Wireless Access Systems, IEEE Std. 802.16-2009, 2009. [16] D. L. Mills, J. Martin, J. Burbank, and W. Kasch, “Network time protocol version 4: Protocol and algorithms specification,” Internet Eng. Task Force, Fremont, CA, USA, RFC 5905, 2010. [17] T. Billhartz, J. Cain, E. Farrey-Goudreau, D. Fieg, and S. Batsell, “Performace and resource cost comparisons for the CBT and PIM multicast routing protocols,” IEEE J. Sel. Areas Commun., vol. 15, no. 3, pp. 304– 315, Apr. 1997. [18] H. Salama, D. Reeves, and Y. Viniotis, “Evaluation of multicast routing algorithms for real-time communication on high-speed networks,” IEEE J. Sel. Areas Commun., vol. 15, no. 3, pp. 332–345, Apr. 1997. [19] J. Chuang and M. Sirbu, “Pricing multicast communication: A cost-based approach,” Telecommun. Syst., vol. 17, no. 3, pp. 281–297, Jul. 2001. [20] Crypto+ 5.6 Benchmarks. [Online]. Available: http://www.cryptopp.com/ benchmarks.html [21] S. Paul, Multicasting on the Internet and Its Applications. Boston, MA, USA: Kluwer, 1998. [22] J. Daemen and V. Rjimen, AES Proposal: Rijndael, 1999. [23] R. Rivest, “The MD5 message-digest algorithm,” Internet Eng. Task Force, Fremont, CA, USA, RFC 1321, 1992. [24] “US Secure Hash Algorithm (SHA),” Internet Eng. Task Force, Fremont, CA, USA, RFC 3174, 2001. [25] Y. Ji and S. Seo, “Optimizing the batch mode of group rekeying: Lower bound and new protocols,” in Proc. IEEE/ACM INFOCOM, 2010, pp. 1–9. [26] Y. Sun and K. J. Ray Liu, “Hierarchical group access control for secure multicast communications,” IEEE/ACM Trans. Netw., vol. 15, no. 6, pp. 1514–1526, Dec. 2007. [27] K. Almeroth and M. Ammar, “Collecting and modeling the join/leave behavior of multicast group members in the MBone,” in Proc. 5th IEEE Int. Symp. High Performance Distrib. Comput., 1996, pp. 209–216. [28] K. Almeroth and M. Ammar, “Multicast group behavior in the Internet’s multicast backbone (MBone),” IEEE Commun. Mag., vol. 35, no. 6, pp. 224–229, Jun. 1997. [29] S. Demmel, A. Lambert, D. Gruyer, A. Rakotonirainy, and E. Monacelli, “Empirical IEEE 802.11p performance evaluation on test tracks,” in Proc. IEEE IV Symp., Jun. 2012, pp. 837–842.

JE et al.: SPKM FOR SECURE VEHICULAR MULTICAST COMMUNICATIONS

4227

DongHyun Je received the B.S. and Ph.D. degrees in electrical engineering from Seoul National University, Seoul, Korea, in 2006 and 2012, respectively. He was a Researcher with the Institute of New Media and Communications and the Intelligent Vehicle Information Technology Research Center (funded by the Government of Korea and the automotive industries), Seoul National University. He is currently working as a Senior Engineer of telecommunication-systems business with Samsung Electronics, Seoul, designing Long-Term Evolution system architecture. His current research interests include wireless networks, vehicular communication networks, and computer and network security. Dr. Je has received scholarship grants from Seoul National University, Brain Korea 21, and Samsung Electronics.

Seung-Woo Seo (M’97) received the B.S. and M.S. degrees from Seoul National University, Seoul, Korea, and the Ph.D. degree from Pennsylvania State University, University Park, PA, USA, all in electrical engineering. He was with the Faculty of the Department of Computer Science and Engineering, Pennsylvania State University, and served as a Research Staff Member with the Department of Electrical Engineering, Princeton University, Princeton, NJ, USA. In 1996, he joined the Faculty of the School of Electrical Engineering and the Institute of New Media and Communications. Seoul National University. He served for five years as a Director of the Information Security Center, Seoul National University. He is currently a Professor of electrical engineering and the Director of the Intelligent Vehicle Information Technology Research Center (funded by the Korean Government and the automotive industries), Seoul National University. His research interests include vehicular electronics for intelligent vehicles, communication networks, computer and network security, and system optimization. Dr. Seo has served as a Chair or a Committee Member for various international conferences and workshops, including the IEEE Conference on Computer Communications, IEEE Global Communications Conference, the IEEE Symposium on Personal, Indoor and Mobile Radio Communications, IEEE Vehicular Technology Conference, the International ICST Conference on Security and Privacy in Mobile Information and Communication Systems, and the Vitae Researcher Development International Conference.

Yoon-Ho Choi received the M.S. and Ph.D. degrees from Seoul National University, Seoul, Korea, in 2004 and 2008, respectively. From September 2008 to December 2008, he was a Postdoctoral Scholar with Seoul National University. From January 2009 to December 2009, he was a Postdoctoral Scholar with Pennsylvania State University, University Park, PA, USA. While working as a Senior Engineer with Samsung Electronics from May 2010 to February 2012, he had been deeply involved in the development of a commercial Long-Term Evolution cloud communication center system. He is currently an Assistant Professor with the Department of Convergence Security, Kyonggi University, Suwon, Korea. His research interests include Deep Packet Inspection, high-speed intrusion prevention, mobile computing security, vehicular network security, and social network service security. Dr. Choi has served as a member of several technical program committees in various international conferences and journals.