Efficient, Scalable, and Resilient Vehicle-Centric Certificate - - PowerPoint PPT Presentation


Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH)


slide-1
SLIDE 1

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs

Mohammad Khodaei and Panos Papadimitratos

Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH) Stockholm, Sweden

June 20, 2018

  • M. Khodaei and P. Papadimitratos (KTH)

ACM WiSec’18, Stockholm June 20, 2018 1 / 22

slide-2
SLIDE 2

Secure Vehicular Communication (VC) Systems

Vehicular Public-Key Infrastructure (VPKI)

  • Root CA (RCA)
  • Long Term CA (LTCA)
  • Pseudonym CA (PCA)
  • Resolution Authority (RA)
  • Lightweight Directory Access Protocol (LDAP)
  • Roadside Unit (RSU)
  • Trust established with RCA, or through cross certification

[Figure: VPKI overview. Labels: RCA, LTCA, PCA, RA and LDAP in Domains A, B and C; RSU and 3/4/5G links; legend: "A certifies B", cross-certification (X-Certify), communication link; message dissemination: $\{Msg\}_{(P_v^i)}, P_v^i$.]


slide-3
SLIDE 3

Challenges and Motivation

Traditional PKI vs. Vehicular PKI

  • Dimensions (5 orders of magnitude more credentials)
  • Balancing act: security, privacy, and efficiency
  • Honest-but-curious VPKI entities
  • Performance constraints: safety- and time-critical operations (rates of 10 safety beacons per second)

Mechanics of revocation:

  • Highly dynamic environment with intermittent connectivity
  • Short-lived pseudonyms, multiple per entity
  • Resource constraints


slide-4
SLIDE 4

Challenges and Motivation (cont’d)

Revocation challenges:

  • Efficient and timely distribution of Certificate Revocation Lists (CRLs) to every legitimate vehicle in the system
  • Strong privacy for vehicles prior to revocation events to every vehicle
  • Computation and communication constraints of On-Board Units (OBUs) with intermittent connectivity to the infrastructure
  • Peer-to-peer distribution is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRL distribution


slide-5
SLIDE 5

System Model and Assumptions

[Figure: Pseudonym acquisition overview in the home and foreign domains. Labels: RCA, H-LTCA, F-LTCA, PCA, RA, LDAP; Home Domain (A), Foreign Domain (B); legend: "A certifies B", communication link. Numbered steps: 1. LTC; 2. n-tkt; 3. psnym req.; 4. psnyms acquisition; I. f-tkt req.; II. f-tkt; III. n-tkt; IV. psnym req.; V. psnyms acquisition.]

[Figure: Pseudonym Acquisition Policies. Timelines for the user-controlled policy, the oblivious policy and the universally fixed policy; axes: System Time, Trip Duration; markers: $t_{start}$, $t_{end}$, unused pseudonyms, expired pseudonym.]

  • M. Khodaei, H. Jin, and P. Papadimitratos. IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018.

slide-6
SLIDE 6

Vehicle-Centric CRL Distribution

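[Figure: CRL as a Stream. The trip duration D is covered by partitioned intervals $\Gamma^{i}_{CRL}, \Gamma^{i+1}_{CRL}, \Gamma^{i+2}_{CRL}, \Gamma^{i+3}_{CRL}, \Gamma^{i+4}_{CRL}$; vehicle trip durations $D_{v_1}, \ldots, D_{v_5}$.]

  • $V_1$ subscribes to $\{\Gamma^{i}_{CRL}, \Gamma^{i+1}_{CRL}, \Gamma^{i+2}_{CRL}\}$
  • $V_2$: $\{\Gamma^{i}_{CRL}, \Gamma^{i+1}_{CRL}\}$
  • $V_3$: $\{\Gamma^{i+2}_{CRL}\}$
  • $V_4$: $\{\Gamma^{i+3}_{CRL}\}$
  • $V_5$: $\{\Gamma^{i+4}_{CRL}\}$

[Figure: A vehicle-centric approach: each vehicle only subscribes for pieces of CRLs corresponding to its trip duration. Axes: System Time, Trip Duration; intervals $\Gamma^{1}_{CRL}, \Gamma^{2}_{CRL}, \Gamma^{3}_{CRL}$.]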


slide-7
SLIDE 7

Vehicle-Centric CRL Distribution (cont’d)

[Figure: CRL piece & fingerprint construction by the PCA. (a) Revoked pseudonyms of vehicles V1 to V9 within $\Gamma^{i}_{CRL}$, with pseudonym lifetime $\tau_P$ and hash links H(). (b) CRL fingerprint construction.]

CRL Fingerprint:

  • A signed fingerprint is broadcasted by RSUs
  • Also integrated in a subset of recently issued pseudonyms
  • A notification about a new CRL-update (revocation) event


slide-8
SLIDE 8

Pseudonym Acquisition Process

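Entities: OBU, LTCA, PCA

  • 1. $(H(Id_{pca} \| Rnd_{256}), t_s, t_e, LTC_v, N, t)$
  • 2. $IK_{tkt} \leftarrow H(LTC_v \| t_s \| t_e \| Rnd_{IK_{tkt}})$
  • 3. $tkt \leftarrow (H(Id_{pca} \| Rnd_{tkt}), IK_{tkt}, t_s, t_e)$
  • 4. $Cert(LTC_{ltca}, tkt)$
  • 5. $((tkt)_{\sigma_{ltca}}, N + 1, t)$
  • 6. $(t_s, t_e, (tkt)_{\sigma_{ltca}}, \{(K_v^1)_{\sigma_{k_v^1}}, \cdots, (K_v^n)_{\sigma_{k_v^n}}\}, N', t_{now})$
  • 7. $Verify(LTC_{ltca}, (tkt)_{\sigma_{ltca}})$
  • 8. $Rnd_v \leftarrow GenRnd()$
  • 9. $Verify(K_v^i, (K_v^i)_{\sigma_{k_v^i}})$
  • 10. $RIK_{P_v^i} \leftarrow H(IK_{tkt} \| K_v^i \| t_s^i \| t_e^i \| H^i(Rnd_v))$
  • 11. $\zeta \leftarrow (SN^i, K_v^i, CRL_v, BF_{\Gamma^i_{CRL}}, RIK_{P_v^i}, t_s^i, t_e^i)$
  • 12. $(P_v^i)_{\sigma_{pca}} \leftarrow Sign(Lk_{pca}, \zeta)$
  • 13. $(\{(P_v^1)_{\sigma_{pca}}, \ldots, (P_v^n)_{\sigma_{pca}}\}, Rnd_v, N + 1, t_{now})$

Serial number derivation:

    if $i = 1$ then
        $SN^i \leftarrow H(RIK_{P_v^i} \| H^i(Rnd_v))$
    else
        $SN^i \leftarrow H(SN^{i-1} \| H^i(Rnd_v))$
    end if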


slide-9
SLIDE 9

CRL Publish/Subscribe

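Entities: OBU1, OBU2

  • 1. $\zeta \leftarrow (Id_{req}, \Gamma^i_{CRL}, [indexes])$
  • 2. $(\zeta)_{\sigma_v} \leftarrow Sign(k_v^i, \zeta)$
  • 3. $broadcast((\zeta)_{\sigma_{P_v^i}}, P_v^i)$
  • 4. $\{(Id_{req}, \Gamma^i_{CRL}, [indexes])\} = receiveQuery((\zeta)_{\sigma_{P_v^i}})$
  • 5. $Verify(P_v^i, (\zeta)_{\sigma_{P_v^i}})$
  • 6. $j \leftarrow rand(0, *)$
  • 7. $broadcast(\{Id_{res}, CRL^j_{\Gamma^i_{CRL}}\})$
  • 8. $Piece^j_{\Gamma^i_{CRL}} \leftarrow receiveBefore(t)$
  • 9. $BFTest(Piece^j_{\Gamma^i_{CRL}}, BF_{\Gamma^i_{CRL}})$
  • 10. $resp_{final} \leftarrow Store(Piece^j_{\Gamma^i_{CRL}})$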


slide-10
SLIDE 10

Qualitative Analysis

  • Fine-grained authentication, integrity, and non-repudiation: signed fingerprints
  • Unlinkability (perfect-forward-privacy): multi-session pseudonym requests, timely-aligned pseudonym lifetime, utilization of hash chains
  • Availability: leveraging RSUs and car-to-car epidemic distribution
  • Efficiency: efficient construction of fingerprints, fast validation per piece, and implicit binding of a batch
  • Explicit and/or implicit notification on revocation events: broadcasting signed fingerprints, also integrated into a subset of recently issued pseudonyms


slide-11
SLIDE 11

Qualitative Analysis (cont’d)

[Figure: CRL Fingerprints overhead. Title: "Extra Overhead in a Pseudonym using a Bloom Filter"; axes: Size of a Bloom Filter [Bytes], False Positive Rate ($10^{-1}$ to $10^{-50}$); series: 5, 10, 15, 20 CRL pieces.]

  • BF trades off communication overhead for false positive rate
  • BF size increases linearly as the false positive rate decreases
  • An adversary targeting the Bloom Filter (BF) false positive rate:
    • Excluding revoked pseudonym serial numbers from a CRL
    • Adding valid pseudonyms by forging a fake CRL (piece)
  • With Antminer-S9 (14 TH/s, $3,000), $\Gamma_{CRL}$ = 1 hour and $p = 10^{-20}$ ($K = 67$):
    • 132,936 Antminer-S9 ($400M) to generate a bogus piece in 1 hour ($\frac{10^{20} \times 67}{14 \times 10^{12}}$)
    • With AntPool (1,604,608 TH/s): 70 minutes to generate a fake piece!
  • With $p = 10^{-22}$ ($K = 73$): 5 days ($\frac{10^{22} \times 73}{1.6 \times 10^{18}} = 126h$)
  • With $p = 10^{-23}$ ($K = 76$): 55 days ($\frac{10^{23} \times 76}{1.6 \times 10^{18}} = 1,319h$)


slide-12
SLIDE 12

Qualitative Analysis (cont’d)

[Figure: (a) CRL size comparison for C2RL and vehicle-centric scheme (10,000 revoked vehicles); axes: Avg. Number of Revoked Pseudonyms per Entity (per $\Gamma_{CRL}$), CRL Size [KB]; series: Bloom Filter with p = 1e-10, 1e-20, 1e-30, 1e-40, 1e-50, and Vehicle-Centric Scheme. (b) Achieving vehicle-centric comparable CRL size for the C2RL scheme (C2RL [9] as a factor of false positive rate); axes: Avg. Number of Revoked Pseudonyms per Entity (per $\Gamma_{CRL}$), False Positive Rate.]

  • $m_{BF} = -\frac{N \times M \times \ln p}{(\ln 2)^2}$, where $N$ is the total number of compromised vehicles and $M$ is the average number of revoked pseudonyms per vehicle per $\Gamma_{CRL}$.
  • Significant improvement over C2RL, e.g., 2.6x reduction in CRL size when $M = 10$ and $p = 10^{-30}$.


slide-13
SLIDE 13

Quantitative Analysis

  • OMNET++ & Veins framework using SUMO
  • Cryptographic protocols and primitives (OpenSSL): Elliptic Curve Digital Signature Algorithm (ECDSA)-256 and SHA-256 as per IEEE 1609.2 and ETSI standards
  • V2X communication over IEEE 802.11p
  • Placement of the RSUs: "highly-visited" intersections with non-overlapping radio ranges
  • Comparison with the baseline scheme [8]: under the same assumptions and configuration with the same parameters
  • Evaluation of:
    • Efficiency (latency)
    • Resilience (to pollution/DoS attacks)
    • Resource consumption (computation/communication)

[Figure: The LuST dataset, a full-day realistic mobility pattern in the city of Luxembourg (50KM x 50KM) [Codeca et al. (2015)].]


slide-14
SLIDE 14

Quantitative Analysis (cont’d)

[Figure: (a) End-to-end latency to fetch CRL pieces, vehicle-centric scheme (B = 10 KB/s); axes: Delay to Fetch CRL [s], Cumulative Probability; series: $\tau_P$ = 30s, 60s, 300s, 600s. (b) Percentage of cognizant vehicles, vehicle-centric scheme (B = 10 KB/s); axes: System Time [s], Percentage of Cognizant Vehicles; series: $\tau_P$ = 30s, 60s, 300s, 600s.]


slide-15
SLIDE 15

Quantitative Analysis (cont’d)

[Figure: (a) Average end-to-end delay to download CRLs, vehicle-centric scheme (B = 25 KB/s); axes: Number of RSUs, Avg. E2E Delay to Download CRL [s]; series: Revocation Rate 0.5%, 1%, 2%, 3%, 4%, 5%. (b) Dissemination of CRL fingerprints, vehicle-centric scheme (TX = 5s); axes: System Time [s], Percentage of Cognizant Vehicles; series: 0% Reliable Connectivity (RSU-only), 1%, 5%, 10%, 20% Reliable Connectivity.]

  • Total number of pseudonyms is 1.7M ($\tau_P$ = 60s).
  • Signed fingerprint of CRL pieces periodically broadcasted only by RSUs [11], or broadcasted by RSUs (365 bytes with TX = 5s) and, in addition, integrated into a subset of pseudonyms with 36 bytes of extra overhead ($p = 10^{-30}$, R = 0.5%).


slide-16
SLIDE 16

Quantitative Analysis (cont’d)

[Figure: End-to-end delay to fetch CRLs (R = 1%, $\tau_P$ = 60s). (a) 7:00-7:10 am (B = 25 KB/s); axes: System Time [s], Number of Cognizant Vehicles; series: Total Number of Vehicles, Baseline Scheme, Vehicle-Centric Scheme. (b) 7-9 am, 5-7 pm (B = 25 KB/s); axes: Delay to Fetch CRL [s], Cumulative Probability; series: Baseline Scheme, Vehicle-Centric Scheme.]

Converging more than 40 times faster than the state-of-the-art:

  • Baseline scheme: $F_x(t = 626s) = 0.95$
  • Vehicle-centric scheme: $F_x(t = 15s) = 0.95$


slide-17
SLIDE 17

Quantitative Analysis (cont’d)

[Figure: Cognizant vehicles with different revocation rates. (a) Baseline scheme (B = 50 KB/s); (b) Vehicle-centric scheme (B = 50 KB/s); axes: System Time [s], Number of Cognizant Vehicles; series: Total Number of Vehicles, Revocation Rate 0.5%, 1%, 2%, 3%, 4%, 5%.]

  • $T$: the total number of pseudonyms; $R$: the revocation rate.
  • Size of CRLs for the Baseline scheme: $T \times R$, linearly increases with $R$
  • Size of an effective CRL for vehicle-centric scheme: $\frac{T \times R}{|\Gamma_{CRL}|}$, where $|\Gamma_{CRL}|$ is the number of intervals in a day, e.g., $|\Gamma_{CRL}|$ is 24 when $\Gamma_{CRL}$ = 1 hour.


slide-18
SLIDE 18

Quantitative Analysis (cont’d)

[Figure: Resilience comparison against pollution and DDoS attacks. (a) Baseline scheme (B = 25 KB/s); (b) Vehicle-centric scheme (B = 25 KB/s); axes: System Time [s], Percentage of Cognizant Vehicles; series: No Attackers, 1%, 5%, 10%, 25%, 50% Attackers.]

  • Attackers periodically broadcast fake CRL pieces once every 0.5 second.
  • The resilience to pollution and DDoS attacks stems from three factors:
    • A huge reduction of the CRL size
    • Efficient verification of CRL pieces
    • Integrating the fingerprint of CRL pieces in a subset of pseudonyms


slide-19
SLIDE 19

Quantitative Analysis (cont’d)

[Figure: (a) Computation latency comparison (end-to-end latency); axes: Number of CRL Pieces, Computation Latency [ms]; series: Signing Delay and Verification Delay using the Baseline Scheme, Signing Delay and Verification Delay using Vehicle-Centric Scheme. (b) Security overhead comparison (cryptographic overhead), averaged every 30s (R = 1%, B = 50 KB/s); axes: System Time [s], Security Comm. Overhead [KB/s]; series: Baseline Scheme, Vehicle-Centric with 0%, 1%, 5%, 10%, 15%, 20% BF-Carrier.]

  • Cryptographic protocols and primitives were executed on a VM (dual-core 2.0 GHz).
  • Signed fingerprint broadcasted every 5s via RSUs (365 bytes long), also integrated into a subset of pseudonyms (36 bytes extra overhead, $p = 10^{-30}$).


slide-20
SLIDE 20

Conclusions and Future Work

Conclusions

  • A practical framework to effectively distribute CRLs in VC systems
  • Highly efficient, scalable, and resilient design
  • Viable solution towards catalyzing the deployment of the secure and privacy-protecting VC systems

Future Work

  • Investigating an optimal interval for $\Gamma_{CRL}$
  • Evaluating with different revocation event models and investigating their impact on CRL distribution


slide-21
SLIDE 21

Bibliography I

[1] M. Khodaei and P. Papadimitratos, "The Key to Intelligent Transportation: Identity and Credential Management in Vehicular Communication Systems," IEEE VT Magazine, vol. 10, no. 4, pp. 63-69, Dec. 2015.

[2] M. Khodaei, H. Jin, and P. Papadimitratos, "SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems," IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018.

[3] M. Khodaei, H. Jin, and P. Papadimitratos, "Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management Infrastructure," in IEEE VNC, Paderborn, Germany, Dec. 2014.

[4] M. Khodaei and P. Papadimitratos, "Evaluating On-demand Pseudonym Acquisition Policies in Vehicular Communication Systems," in IoV/VoI, Paderborn, Germany, July 2016.

[5] W. Whyte, A. Weimerskirch, V. Kumar, and T. Hehn, "A Security Credential Management System for V2V Communications," in IEEE VNC, Boston, MA, Dec. 2013.

[6] V. Kumar et al., "Binary Hash Tree based Certificate Access Management for Connected Vehicles," in ACM WiSec, Boston, USA, July 2017.

[7] P. Papadimitratos et al., "Certificate Revocation List Distribution in Vehicular Communication Systems," in ACM VANET, San Francisco, CA, Sep. 2008.

[8] J.-J. Haas, Y.-C. Hu, and K.-P. Laberteaux, "Efficient Certificate Revocation List Organization and Distribution," IEEE JSAC, vol. 29, no. 3, pp. 595-604, 2011.

[9] M. Raya et al., "Certificate Revocation in Vehicular Networks," Technical Report, EPFL, Switzerland, 2006.

[10] S. Tarkoma et al., "Theory and Practice of Bloom Filters for Distributed Systems," IEEE Communications Surveys & Tutorials, vol. 14, no. 1, pp. 131-155, Apr. 2011.

[11] V.-T. Nguyen et al., "Secure Content Distribution in Vehicular Networks," arXiv preprint arXiv:1601.06181, Jan. 2016, Accessed Date: 30-July-2017.

[12] L. Fischer et al., "Secure Revocable Anonymous Authenticated Inter-vehicle Communication (SRAAC)," in ESCAR, Berlin, Germany, Nov. 2006.


slide-22
SLIDE 22

Bibliography II

[13] F. Stumpf et al., "Trust, Security and Privacy in VANETs – a Multilayered Security Architecture for C2C-Communication," Automotive Security, Nov. 2007.

[14] K.-P. Laberteaux et al., "Security Certificate Revocation List Distribution for VANET," in ACM VehiculAr Inter-NETworking, New York, NY, USA, Sep. 2008.

[15] J.-J. Haas et al., "Design and Analysis of a Lightweight Certificate Revocation Mechanism for VANET," in ACM Vehicular Internetworking, NY, USA, Sep. 2009.

[16] M. Raya et al., "Eviction of Misbehaving and Faulty Nodes in Vehicular Networks," IEEE JSAC, pp. 1557-1568, Oct. 2007.

[17] T. Moore et al., "Fast Exclusion of Errant Devices from Vehicular Networks," in IEEE SECON, San Francisco, CA, Jun. 2008.

[18] A. Wasef and X. Shen, "EDR: Efficient Decentralized Revocation Protocol for Vehicular Ad hoc Networks," IEEE TVT, vol. 58, no. 9, pp. 5214-5224, 2009.

[19] N. Bißmeyer, "Misbehavior Detection and Attacker Identification in Vehicular Ad-Hoc Networks," Ph.D. dissertation, Technische Universität, Dec. 2014.


slide-24
SLIDE 24

System Model and Requirements

Adversarial Model:

  • Excluding revoked pseudonym serial numbers from a CRL
  • Adding valid pseudonyms by forging a fake CRL (piece)
  • Preventing legitimate vehicles from obtaining genuine and the most up-to-date CRL (pieces) or delaying the distribution
  • Harming user privacy by the VPKI entities

Requirements:

  • Fine-grained authentication, integrity, and non-repudiation
  • Unlinkability (perfect-forward-privacy)
  • Availability
  • Efficiency
  • Explicit and/or implicit notification on revocation events


slide-25
SLIDE 25

Prior Work

  • CRL distribution via RSUs and car-to-car epidemic communication
  • Revoking an ensemble of pseudonyms with a single entry (no perfect-forward-privacy)
  • Revoking an ensemble of pseudonyms by leveraging a hash chain (trivially linked by the issuer)
  • Compressing CRLs using a BF (scalability and efficiency challenges)
  • Validating pseudonym status (revocation) information through Online Certificate Status Protocol (OCSP)
    • Problematic due to intermittent connectivity, significant usage of the bandwidth by time- and safety-critical operations, and substantial overhead for the VPKI
  • Temporarily "revoking" (isolating) them from further access to the system (not the "ultimate" decision)


slide-26
SLIDE 26

Notation Used in the Protocols

Table: Notation Used in the Protocols.

| Notation | Description |
|---|---|
| $(P_v^i)_{pca}$, $P_v^i$ | a valid psnym signed by the PCA |
| $(K_v^i, k_v^i)$ | psnym pub./priv. key pairs |
| $(K_{pca}; Lk_{pca})$ | long-term pub./priv. key pairs |
| $(msg)_{\sigma_v}$ | signed msg with vehicle's priv. key |
| LTC | Long Term Certificate |
| $t_{now}, t_s, t_e$ | a fresh, starting, ending timestamp |
| $T_{timeout}$ | response reception timeout |
| n-tkt, $(n\text{-}tkt)_{ltca}$ | a native ticket |
| $Id_{req}, Id_{res}$ | request/response identifiers |
| SN | psnym serial number |
| $Sign(Lk_{ca}, msg)$ | signing a msg with CA's priv. key |
| $Verify(LTC_{ca}, msg)$ | verifying with the CA's pub. key |
| $GenRnd()$, $rand(0, *)$ | GEN. a random number, or in range |
| $H^k()$, $H$ | hash function (k times), hash value |
| $Append()$ | appending a revoked psnym SN to CRLs |
| $BFTest()$ | BF membership test |
| $p$, $K$ | false positive rate, optimal hash functions |
| $\Gamma$ | interval to issue time-aligned psnyms |
| $\Gamma_{CRL}$ | interval to release CRLs |
| RIK | revocation identifiable key |
| $B$ | max. bandwidth for CRL distribution |
| $R$ | revocation rate |
| $N$ | total number of CRL pieces in each $\Gamma_{CRL}$ |
| $n$ | number of remaining psnyms in each batch |
| $k$ | index of the first revoked psnym |
| $CRL_v$ | CRL version |
| $\emptyset$ | Null or empty vector |
| $k, j, m, \zeta$ | temporary variables |


slide-27
SLIDE 27

Simulation Parameters Information

Table: Simulation Parameters (LuST dataset).

| Parameters | Value |
|---|---|
| CRL/Fingerprint TX interval | 0.5s/5s |
| Carrier frequency | 5.89 GHz |
| TX power | 20mW |
| Physical layer bit-rate | 18Mbps |
| Sensitivity | -89dBm |
| Thermal noise | -110dBm |
| CRL dist. Bandwidth (B) | 10, 25, 50 KB/s |
| Number of RSUs | 100 |
| Pseudonym lifetime | 30s-600s |
| Area size | 50 KM × 50 KM |
| Number of vehicles | 138,259 |
| Number of trips | 287,939 |
| Average trip duration | 692.81s |
| Duration of simulation | 4 hour (7-9, 17-19) |
| $\Gamma$ | 1-60 min |
| $\Gamma_{CRL}$ | 60 min |

Table: LuST Revocation Information (R = 1%, B = 10KB/s).

| Pseudonym Lifetime | Number of Psnyms | Number of Revoked Psnyms | Average Number per $\Gamma_{CRL}$ | Number of Pieces |
|---|---|---|---|---|
| $\tau_P$ = 30s | 3,425,565 | 34,256 | 1,428 | 12 |
| $\tau_P$ = 60s | 1,712,782 | 17,128 | 710 | 6 |
| $\tau_P$ = 300s | 342,556 | 3,426 | 143 | 2 |
| $\tau_P$ = 600s | 171,278 | 1,713 | 72 | 1 |


slide-28
SLIDE 28

Simulation Parameters for LuST Dataset

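Table: Simulation Parameters for LuST Dataset ($\tau_P$ = 60s).

| Revocation Rate (R) | Baseline: CRL Entries | Baseline: Pieces (10 KB/s) | Baseline: Pieces (25 KB/s) | Baseline: Pieces (50 KB/s) | Vehicle-Centric: CRL Entries | Vehicle-Centric: Pieces (10 KB/s) | Vehicle-Centric: Pieces (25 KB/s) | Vehicle-Centric: Pieces (50 KB/s) |
|---|---|---|---|---|---|---|---|---|
| 0.5% | 8,500 | 70 | 30 | 15 | 355 | 3 | 2 | 1 |
| 1% | 17,000 | 140 | 59 | 30 | 710 | 6 | 3 | 2 |
| 2% | 34,000 | 279 | 117 | 59 | 1,417 | 12 | 5 | 3 |
| 3% | 51,000 | 419 | 175 | 89 | 2,125 | 18 | 8 | 4 |
| 4% | 68,000 | 558 | 233 | 118 | 2,834 | 24 | 10 | 5 |
| 5% | 85,000 | 697 | 291 | 148 | 3,542 | 30 | 13 | 7 |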


slide-29
SLIDE 29

Qualitative Analysis

[Figure: Extra overhead for CRL fingerprints. (a) Vehicle-centric scheme, "Extra Overhead in a Pseudonym using a Bloom Filter"; axes: Size of a Bloom Filter [Bytes], False Positive Rate; series: 5, 10, 15, 20 CRL pieces. (b) Precode-and-hash scheme [11], "Extra Overhead in a Pseudonym using (Truncated) Hash Values"; axes: Number of CRL Pieces, Size of CRL Fingerprint [Bytes]; series: MD5 (128 bits), SHA-1 (160 bits), SHA-224 (224 bits), SHA-256 (256 bits).]


slide-30
SLIDE 30

Issuing Pseudonyms (by the PCA)

Protocol 1 Issuing Pseudonyms (by the PCA)

    procedure IssuePsnyms(Req)
        $Req \rightarrow (Id_{req}, t_s, t_e, (tkt)_{\sigma_{ltca}}, \{(K_v^1)_{\sigma_{k_v^1}}, \cdots, (K_v^n)_{\sigma_{k_v^n}}\}, nonce, t_{now})$
        $Verify(LTC_{ltca}, (tkt)_{\sigma_{ltca}})$
        $Rnd_v \leftarrow GenRnd()$
        for $i := 1$ to $n$ do
        Begin
            $Verify(K_v^i, (K_v^i)_{\sigma_{k_v^i}})$
            $RIK_{P_v^i} \leftarrow H(IK_{tkt} \| K_v^i \| t_s^i \| t_e^i \| H^i(Rnd_v))$
            if $i = 1$ then
                $SN^i \leftarrow H(RIK_{P_v^i} \| H^i(Rnd_v))$
            else
                $SN^i \leftarrow H(SN^{i-1} \| H^i(Rnd_v))$
            end if
            $\zeta \leftarrow (SN^i, K_v^i, CRL_v, BF_{\Gamma^i_{CRL}}, RIK_{P_v^i}, t_s^i, t_e^i)$
            $(P_v^i)_{\sigma_{pca}} \leftarrow Sign(Lk_{pca}, \zeta)$
        End
        return $(Id_{res}, \{(P_v^1)_{\sigma_{pca}}, \ldots, (P_v^n)_{\sigma_{pca}}\}, Rnd_v, nonce+1, t_{now})$
    end procedure


slide-31
SLIDE 31

CRL Construction (by the PCA)

Protocol 2 CRL Construction (by the PCA)

    procedure GenCRL($\Gamma^i_{CRL}$, $B$)
        $Piece_{\Gamma^i_{CRL}} \leftarrow \emptyset$
        repeat
            $\{SN_P^k, H^k_{Rnd_v}, n\} \leftarrow fetchRevokedPsnyms(\Gamma^i_{CRL})$    ⊲ k: the revoked
            if $SN_P^k \neq Null$ then
                $Piece_{\Gamma^i_{CRL}} \leftarrow Append(\{SN_P^k, H^k_{Rnd_v}, n\})$
            end if
        until $SN_P^k == Null$
        $N \leftarrow \frac{size(Piece_{\Gamma^i_{CRL}})}{B}$    ⊲ calculating number of pieces with a given B
        for $j \leftarrow 0, N$ do    ⊲ N: number of pieces in $\Gamma^i_{CRL}$
            $Piece^j_{\Gamma^i_{CRL}} \leftarrow Split(Piece_{\Gamma^i_{CRL}}, B, N)$    ⊲ splitting into N pieces
        end for
        return $\{(Piece^1_{\Gamma^i_{CRL}}), \ldots, (Piece^N_{\Gamma^i_{CRL}})\}$
    end procedure


slide-32
SLIDE 32

Publishing CRLs (by the OBUs)

Protocol 3 Publishing CRLs (by the OBUs)

    procedure PublishCRL()
        $\{(Id_{req}, \Gamma^i_{CRL}, [indexes])\} = receiveQuery((\zeta)_{\sigma_{P_v^i}})$
        $Verify(P_v^i, (\zeta)_{\sigma_{P_v^i}})$
        $CRL^*_{\Gamma^i_{CRL}} = searchlocal(\Gamma^i_{CRL})$    ⊲ search local repository
        $j \leftarrow rand(0, *)$    ⊲ randomly select one of the available pieces
        if $CRL^j_{\Gamma^i_{CRL}} \neq \emptyset$ then
            $broadcast(\{Id_{res}, CRL^j_{\Gamma^i_{CRL}}\})$
        end if
    end procedure


slide-33
SLIDE 33

Subscribing to CRL Pieces (by the OBUs)

Protocol 4 Subscribing to CRL Pieces (by the OBUs)

    procedure SubscribeCRL($\Gamma^i_{CRL}$, $N$)
        $resp_{final} \leftarrow \emptyset$, $j \leftarrow 0$, $t \leftarrow t_{now} + T_{timeout}$
        repeat
            $\zeta \leftarrow (Id_{req}, \Gamma^i_{CRL}, [\text{missing pieces indexes}])$
            $(\zeta)_{\sigma_v} \leftarrow Sign(k_v^i, \zeta)$
            $broadcast((\zeta)_{\sigma_{P_v^i}}, P_v^i)$
            $Piece^j_{\Gamma^i_{CRL}} \leftarrow receiveBefore(t)$
            if $BFTest(Piece^j_{\Gamma^i_{CRL}}, BF_{\Gamma^i_{CRL}})$ then
                $resp_{final} \leftarrow Store(Piece^j_{\Gamma^i_{CRL}})$    ⊲ storing in local repository
            end if
            $j \leftarrow j + 1$
        until $j > N$
        return $resp_{final}$
    end procedure


slide-34
SLIDE 34

Parsing a CRL Piece (by the OBUs)

Protocol 5 Parsing a CRL Piece (by the OBUs)

    procedure ParseCRL($Piece^j_{\Gamma^i_{CRL}}$)
        $\{SN^k, H^k(Rnd_v), n\}_N \leftarrow Piece^j_{\Gamma^i_{CRL}}$    ⊲ N: Number of Entries
        $CRL_{\Gamma^i_{CRL}} \leftarrow \emptyset$
        for $t \leftarrow 0, N$ do    ⊲ N: Total number of CRL pieces
            for $j \leftarrow 0, n$ do    ⊲ n: Number of remaining psnyms in each batch
                $SN^{j+1} \leftarrow H(SN^j \| H^j(Rnd_v))$
                $CRL_{\Gamma^i_{CRL}} \leftarrow Append(H(SN^j \| H^j(Rnd_v)))$
            end for
        end for
        return $CRL_{\Gamma^i_{CRL}}$
    end procedure
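Protocols 1 and 5 side by side, as an added example (not code from the slides or the authors): the PCA chains serial numbers with H^i(Rnd_v), and one CRL entry {SN^k, H^k(Rnd_v), n} lets an OBU derive the remaining serial numbers of the batch but none of the earlier ones. The code follows Protocol 1's indexing, SN^i = H(SN^{i-1} || H^i(Rnd_v)); SHA-256 as H, the 8-byte timestamp encoding, the function names and all sample values are assumptions.

```python
import hashlib

T_BYTES = 8  # assumed fixed-width big-endian encoding for timestamps


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(rnd_v: bytes, k: int) -> bytes:
    """H^k(Rnd_v): apply H k times."""
    out = rnd_v
    for _ in range(k):
        out = H(out)
    return out


def issue_serials(ik_tkt, pub_keys, lifetimes, rnd_v):
    """PCA side (Protocol 1): return [(SN^i, RIK^i)] for i = 1..n."""
    issued, link, prev_sn = [], rnd_v, b""
    for i, (k_pub, (t_s, t_e)) in enumerate(zip(pub_keys, lifetimes), start=1):
        link = H(link)  # H^i(Rnd_v)
        ts = t_s.to_bytes(T_BYTES, "big")
        te = t_e.to_bytes(T_BYTES, "big")
        rik = H(ik_tkt + k_pub + ts + te + link)
        sn = H(rik + link) if i == 1 else H(prev_sn + link)
        issued.append((sn, rik))
        prev_sn = sn
    return issued


def revoke_from(issued, rnd_v: bytes, k: int):
    """PCA side: the CRL entry {SN^k, H^k(Rnd_v), n} for pseudonyms k..end."""
    return issued[k - 1][0], hash_chain(rnd_v, k), len(issued) - k


def expand_entry(sn_k: bytes, link_k: bytes, n_remaining: int):
    """OBU side (Protocol 5): derive SN^k .. SN^(k+n) from one CRL entry."""
    serials, sn, link = [sn_k], sn_k, link_k
    for _ in range(n_remaining):
        link = H(link)      # next element of the Rnd_v hash chain
        sn = H(sn + link)   # next serial number of the batch
        serials.append(sn)
    return serials


# Constructed sample batch: six pseudonyms with 60 s lifetimes.
IK_TKT = H(b"constructed ticket identifiable key")
RND_V = H(b"constructed Rnd_v")
PUB_KEYS = [H(f"constructed public key {i}".encode()) for i in range(1, 7)]
LIFETIMES = [(1000 + 60 * i, 1060 + 60 * i) for i in range(6)]


def demo():
    issued = issue_serials(IK_TKT, PUB_KEYS, LIFETIMES, RND_V)
    entry = revoke_from(issued, RND_V, 3)  # revoke from the third pseudonym on
    return [sn for sn, _ in issued], expand_entry(*entry)


if __name__ == "__main__":
    all_sn, revoked = demo()
    print("issued:", len(all_sn), "derived from CRL entry:", len(revoked))
    print("earlier pseudonyms exposed:", any(sn in revoked for sn in all_sn[:2]))
```

Deriving SN^1 or SN^2 from the entry would require inverting H, which is what keeps pseudonyms used before the revocation point unlinkable to the revoked ones.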


slide-35
SLIDE 35

Linkability based on Timing Information of Credentials

[Figure: Pseudonym lifetimes over System Time [min.] under three policies. User-controlled policy (P1): $\tau_P$ = 5 min. Oblivious policy (P2): $\tau_P$ = 5 min., $\Gamma_{P2}$ = 15 min. Universally fixed policy (P3): $\tau_P$ = 5 min., $\Gamma_{P3}$ = 15 min.]

  • Non-overlapping pseudonym lifetimes from eavesdroppers' perspective
  • Distinct lifetimes per vehicle make linkability easier
  • Uniform pseudonym lifetime results in no distinction among obtained pseudonyms set, thus less probable to link pseudonyms
