Efficient, Scalable, and Resilient Vehicle-Centric Certificate - PowerPoint PPT Presentation

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH) Stockholm, Sweden June 20, 2018 M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 1 / 22

Secure Vehicular Communication (VC) Systems Vehicular Public-Key Infrastructure (VPKI) RCA A certifies B A B Cross-certification Root CA (RCA) Communication link Message dissemination Domain A Domain B Domain C Long Term CA (LTCA) RA RA LTCA RA LTCA LTCA Pseudonym CA (PCA) X-Cetify PCA PCA PCA Resolution Authority (RA) LDAP LDAP Lightweight Directory Access 3/4/5G Protocol (LDAP) RSU {Msg} (P iv ) , P i v Roadside Unit (RSU) {Msg} (P iv ) , P i Trust established with RCA, v B or through cross certification M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 2 / 22

Challenges and Motivation Traditional PKI vs. Vehicular PKI Dimensions (5 orders of magnitude more credentials) Balancing act: security, privacy, and efficiency Honest-but-curious VPKI entities Performance constraints: safety- and time-critical operations (rates of 10 safety beacons per second) Mechanics of revocation: Highly dynamic environment with intermittent connectivity Short-lived pseudonyms, multiple per entity Resource constraints M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 3 / 22

Challenges and Motivation (cont’d) Revocation challenges: Efficient and timely distribution of Certificate Revocation Lists (CRLs) to every legitimate vehicle in the system Strong privacy for vehicles prior to revocation events to every vehicle Computation and communication constraints of On-Board Units (OBUs) with intermittent connectivity to the infrastructure Peer-to-peer distribution is a double-edged sword: abusive peers could ‘‘pollute’’ the process, thus degrading the timely CRL distribution M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 4 / 22

System Model and Assumptions A certifies B A B t start t end RCA Communication link Unused User Trip Duration Pseudonyms controlled } } } } } policy ✄ P ✄ P ✄ P ✄ P ✄ P Home Domain (A) Foreign Domain (B) LDAP RA RA F-LTCA H-LTCA ✂ P2 ✂ P2 Oblivious I. f-tkt req. policy } } } } } } ✄ P ✄ P ✄ P ✄ P ✄ P ✄ P PCA PCA 1. LTC 2. n-tkt II. f-tkt III. n-tkt ✂ P3 ✂ P3 Universally ✂ P3 Expired 3. psnym req. IV. psnym req. Pseudonym ✁ xed } } } } } } } } policy ✄ P ✄ P ✄ P ✄ P ✄ P ✄ P ✄ P ✄ P 4. psnyms acquisition V. psnyms acquisition System Time Figure: Pseudonym acquisition overview in the Figure: Pseudonym Acquisition Policies. home and foreign domains. M. Khodaei, H. Jin, and P. Papadimitratos. IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018. M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 5 / 22

Vehicle-Centric CRL Distribution ✠ 1 ✠ 2 ✠ 3 Trip Dura tion: D CRL CRL CRL Partitioned Interval: ✟ i CRL � i ✆ i+2 ☎ i+1 ✝ i+3 ✞ i+4 CRL CRL CRL CRL CRL { { { { { ... ... ... ... ... Dv 2 Dv 3 Dv 4 Dv 5 Trip Duration Dv 1 System Time Figure: CRL as a Stream: Figure: A vehicle-centric approach: each CRL , Γ i +1 CRL , Γ i +2 V 1 subscribes to { Γ i vehicle only subscribes for pieces of CRLs CRL } ; corresponding to its trip duration. V 2 : { Γ i CRL , Γ i +1 CRL } ; V 3 : { Γ i +2 CRL } ; V 4 : { Γ i +3 CRL } ; V 5 : { Γ i +4 CRL } . M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 6 / 22

⑥ ⑥ Vehicle-Centric CRL Distribution (cont’d) ✡ i CRL H() H() H() H() H() V1 V2 V3 V4 V5 V6 V7 V8 V9 } } } } τ P τ P τ P τ P τ P τ P (a) Revoked pseudonyms (b) CRL fingerprint construction Figure: CRL piece & fingerprint construction by the PCA. CRL Fingerprint: A signed fingerprint is broadcasted by RSUs Also integrated in a subset of recently issued pseudonyms A notification about a new CRL-update (revocation) event M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 7 / 22

Pseudonym Acquisition Process OBU LT CA PCA 1 . ( H ( Id pca � Rnd 256 ) , t s , t e , LT C v , N, t ) 2 . IK tkt ← H ( LT C v || t s || t e || Rnd IK tkt ) 3 . tkt ← ( H ( Id pca � Rnd tkt ) , IK tkt , t s , t e ) 4 . Cert ( LT C ltca , tkt ) 5 . ( tkt σ ltca , N + 1 , t ) 6 . ( t s , t e , ( tkt ) σ ltca , { ( K 1 v , · · · , ( K n v ) σ k 1 v ) σ kn v } , N ′ , t now ) 7 . Verify( LT C ltca , ( tkt ) σ ltca ) 8 . Rnd v ← GenRnd () 9 . Verify( K i v , ( K i v ) σ ki v ) 1: if i = 1 then SN i ← H ( RIK P i v || H i ( Rnd v )) 2: 3: else v ← H ( IK tkt || K i v || t i s || t i e || H i ( Rnd v )) 10 . RIK P i SN i ← H ( SN i − 1 || H i ( Rnd v )) 4: 5: end if 11 . ζ ← ( SN i , K i v , t i s , t i v , CRL v , BF Γ i CRL , RIK P i e ) 12 . ( P i v ) σ pca ← Sign ( Lk pca , ζ ) 13 . ( { ( P 1 v ) σ pca , . . . , ( P n v ) σ pca } , Rnd v , N + 1 , t now ) M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 8 / 22

CRL Publish/Subscribe OBU 1 OBU 2 1 . ζ ← ( Id req , Γ i CRL , [ indexes ]) 2 . ( ζ ) σ v ← Sign ( k i v , ζ ) 3 . broadcast (( ζ ) σ P i v , P i v ) 4 . { ( Id req , Γ i CRL , [ indexes ]) } = receiveQuery (( ζ ) σ P i v ) 5 . V erify ( P i v , ( ζ ) σ P i v ) 6 . j ← rand (0 , ∗ ) 7 . broadcast ( { Id res , CRL j CRL } ) Γ i 8 . Piece j CRL ← receiveBefore ( t ) Γ i 9 . BFT est ( Piece j CRL , BF Γ i CRL ) Γ i 10 . resp final ← Store ( Piece j CRL ) Γ i M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 9 / 22

Qualitative Analysis � Fine-grained authentication, integrity, and non-repudiation: signed fingerprints � Unlinkability (perfect-forward-privacy): multi-session pseudonym requests, timely-aligned pseudonym lifetime, utilization of hash chains � Availability: leveraging RSUs and car-to-car epidemic distribution � Efficiency: Efficient construction of fingerprints, fast validation per piece, and implicitly binding of a batch � Explicit and/or implicit notification on revocation events: Broadcasting signed fingerprints, also integrated into a subset of recently issued pseudonyms M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 10 / 22

Qualitative Analysis (cont’d) BF trades off communication Extra Overhead in a Pseudonym using a Bloom Filter 10 − 1 overhead for false positive rate 5 CRL pieces 10 − 5 10 CRL pieces BF size increases linearly as the 10 − 10 False Positive Rate 15 CRL pieces 10 − 15 false positive rate decreases 20 CRL pieces 10 − 20 10 − 25 An adversary targeting the Bloom 10 − 30 10 − 35 Filter (BF) false positive rate: 10 − 40 10 − 45 Excluding revoked pseudonym serial 10 − 50 numbers from a CRL 0 50 100 150 200 250 300 350 400 450 500 550 600 Size of a Bloom Filter [Bytes] Adding valid pseudonyms by forging a Figure: CRL Fingerprints overhead. fake CRL (piece) With Antminer-S9 (14TH/s,$3,000), Γ CRL = 1 hour and p = 10 − 20 ( K = 67): 132,936 Antminer-S9 ($400M) to generate a bogus piece in 1 hour ( 10 20 × 67 14 × 10 12 ) With AntPool (1 , 604 , 608 TH / s ): 70 minutes to generate a fake piece! With p = 10 − 22 ( K = 73): 5 days ( 10 22 × 73 1 . 6 × 10 18 = 126 h ) With p = 10 − 23 ( K = 76): 55 days ( 10 23 × 76 1 . 6 × 10 18 = 1 , 319 h ) M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 11 / 22

Qualitative Analysis (cont’d) 10 − 1 14K Bloom Filter, p=1e-10 10 − 10 Bloom Filter, p=1e-20 12K 10 − 20 Bloom Filter, p=1e-30 False Positive Rate 10 − 30 10 − 1 10K CRL Size [KB] Bloom Filter, p=1e-40 10 − 40 Bloom Filter, p=1e-50 10 − 25 8K 10 − 50 Vehicle-Centric Scheme 10 − 50 10 − 60 6K 10 − 75 10 − 70 4K 10 − 80 10 − 100 1 2 3 4 5 6 7 8 9 10 2K 10 − 90 10 − 100 0 1 5 10 15 20 25 30 35 40 45 50 1 10 20 30 40 50 60 70 80 90 100 110 Avg. Number of Revoked Pseudonyms per Entity (per Γ CRL ) Avg. Number of Revoked Pseudonyms per Entity (per Γ CRL ) (a) CRL size comparison (b) C 2 RL [9] as a factor of false positive rate Figure: (a) CRL size comparison for C 2 RL and vehicle-centric scheme (10,000 revoked vehicles). (b) Achieving vehicle-centric comparable CRL size for the C 2 RL scheme. m BF = − N × M × ln p , N is the total number of compromised vehicles, M is the ( ln 2) 2 average number of revoked pseudonyms per vehicle per Γ CRL . Significant improvement over C 2 RL, e.g., 2.6x reduction in CRL size when M = 10 and p = 10 − 30 . M. Khodaei and P. Papadimitratos (KTH) ACM WiSec’18, Stockholm June 20, 2018 11 / 22