[PPT] - Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. PowerPoint Presentation

SLIDE 1

Prof. J.-P. Hubaux

Mobile Networks Module I – Part 2 Securing Vehicular Networks

1

SLIDE 2

Outline

Motivation
Threat model and specific attacks
Security architecture
Security analysis
Certificate revocation
Data-centric trust
Conclusion

2

SLIDE 3

What is a VANET (Vehicular Ad hoc NETwork)?

Communication: typically over the

Dedicated Short Range Communications (DSRC) (5.9 GHz)

Example of protocol: IEEE 802.11p
Penetration will be progressive (over 2 decades or so)

3

SLIDE 4

Vehicular communications: why?

Combat the awful side-effects of road traffic

In the EU, around 40’000 people die yearly on the roads;

more than 1.5 millions are injured

Traffic jams generate a tremendous waste of time and of fuel

Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

4

SLIDE 5

Why is VANET security important?

Large projects have explored vehicular communications:

Fleetnet, PATH (UC Berkeley),…

No solution can be deployed if not properly secured
The problem is non-trivial
Specific requirements (speed, real-time constraints)
Contradictory expectations
Industry front: standards are still under development and suffer from

serious weaknesses

IEEE P1609.2: Standard for Wireless Access in Vehicular Environments
Security Services for Applications and Management Messages
Research front
A growing number of papers

5

SLIDE 6

A modern vehicle

Forward radar Computing platform Event data recorder (EDR) Positioning system Rear radar Communication facility Display (GPS) Human-Machine Interface

A modern vehicle is a network of sensors/actuators on wheels !

6

SLIDE 7

Threat model

An attacker can be:
Insider / Outsider
Malicious / Rational
Active / Passive
Local / Extended
Attacks can be mounted on:
Safety-related applications
Traffic optimization applications
Payment-based applications
Privacy

7

SLIDE 8

Attack 1 : Bogus traffic information

Traffic jam ahead

Attacker: insider, rational, active

8

SLIDE 9

Attack 2 : Generate “Intelligent Collisions”

SLOW DOWN The way is clear

Attacker: insider, malicious, active

9

SLIDE 10

Attack 3: Cheating with identity, speed, or position

Wasn’t me!

Attacker: insider, rational, active

10

SLIDE 11

Attack 4: Jamming

Roadside base station

Jammer 11

SLIDE 12

Attack 5: Tunnel

12

SLIDE 13

Attack 6: Tracking

A

* A at (x1,y1,z1) at time t1 * A communicates with B * A refuels at time t2 and location (x2,y2,z2) 1 2

A

B A

* A enters the parking lot at time t3 * A downloads from server X 3

13

SLIDE 14

Our scope

We consider communications specific to road traffic: safety and traffic optimization

Safety-related messages
Messages related to traffic information

We do not focus on more generic applications, e.g., toll collect, access to audio/video files, games,…

14

SLIDE 15

Security system requirements

Sender authentication Verification of data consistency Availability Non-repudiation Privacy Real-time constraints

15

SLIDE 16

Security Architecture

16

SLIDE 17

Tamper-proof device

Each vehicle carries a tamper-proof device

Contains the secrets of the vehicle itself
Has its own battery
Has its own clock (notably in order to be able to sign

timestamps)

Is in charge of all security operations
Is accessible only by authorized personnel

Tamper-proof device Vehicle sensors (GPS, speed and acceleration,…) On-board CPU Transmission system ((( )))

17

SLIDE 18

Digital signatures

Symmetric cryptography is not suitable: messages are

standalone, large scale, non-repudiation requirement

Hence each message should be signed with a DS
Liability-related messages should be stored in the EDR

Verifier Signer Verifier Verifier

Safety message Cryptographic material {Position, speed, acceleration, direction, time, safety events} {Signer’s DS, Signer’s PK, CA’s certificate of PK}

18

SLIDE 19

VPKI (Vehicular PKI)

PKI Security services

Positioning Confidentiality Privacy ... CA

PA PB Authentication Authentication Shared session key

Each vehicle carries in its Tamper-Proof Device (TPD):
A unique and certified identity: Electronic License Plate (ELP)
A set of certified anonymous public/private key pairs
Mutual authentication can be done without involving a server
Authorities (national or regional) are cross-certified

19

SLIDE 20

The CA hierarchy: two options

Country 1

Region 1 Region 2

District 1 District 2

Car A Car B Car A Car B

Manuf. 1
Manuf. 2
1. Governmental

Transportation Authorities

2. Manufacturers
The governments control certification
Long certificate chain
Keys should be recertified on borders to

ensure mutual certification

Vehicle manufacturers are trusted
Only one certificate is needed
Each car has to store the keys of all

vehicle manufacturers

20

SLIDE 21

Secure VC Building Blocks

Authorities
Trusted entities issuing

and managing identities and credentials

21

SLIDE 22

Secure VC Building Blocks

Authorities

Hierarchical organization
‘Forest’

22

SLIDE 23

Secure VC Building Blocks (cont’d)

Roadside Unit ‘Re-filling’ with or

btaining new

credentials Providing revocation information Roadside Unit Wire-line Connections

Identity and Credentials Management

23

SLIDE 24

Anonymous keys

Preserve identity and location privacy Keys can be preloaded at periodic checkups The certificate of V’s ith key: Keys renewal algorithm according to vehicle speed (e.g., ≈ 1 min at 100 km/h) Anonymity is conditional on the scenario The authorization to link keys with ELPs is distributed

[ ] [ ]

CA i SK i i V

ID PuK Sig PuK PuK Cert

CA

| | =

24

SLIDE 25

What about privacy: how to avoid the Big Brother syndrome?

At 3:00

Vehicle A spotted

at position P1 At 3:15

Vehicle A spotted

at position P2

Keys change over time
Liability has to be enforced
Only law enforcement agencies should be allowed to retrieve

the real identities of vehicles (and drivers)

25

SLIDE 26

DoS resilience

Vehicles will probably have several wireless technologies onboard In most of them, several channels can be used To thwart DoS, vehicles can switch channels or communication technologies In the worst case, the system can be deactivated

Network layer

DSRC UTRA-TDD Bluetooth Other

26

SLIDE 27

Data verification by correlation

Bogus info attack relies on false data
Authenticated vehicles can also send wrong data (on purpose or not)
The correctness of the data should be verified => data-centric trust
Correlation can help

27

SLIDE 28

Security analysis

How much can we secure VANETs? Messages are authenticated by their signatures Authentication protects the network from outsiders Correlation and fast revocation reinforce correctness Availability remains a problem that can be alleviated Non-repudiation is achieved because:

ELP and anonymous keys are specific to one vehicle
Position is correct if secure positioning is in place

28

SLIDE 29

Certificate revocation in VANETs

The CA has to revoke invalid certificates:

Compromised keys
Wrongly issued certificates
A vehicle constantly sends erroneous information

Using Certificate Revocation Lists (CRL) or online status checking is not appropriate There is a need to detect and revoke attackers fast

29

SLIDE 30

System model

There is a CA (Certification Authority) Each vehicle has a public/private key pair, a TC (Trusted Component = TPD), and an EDR (Event Data Recorder) Safety messages:

Are broadcast and signed
Include time and position

Several possible communication channels:

DSRC
Cellular
WiMax
Low-speed FM

30

SLIDE 31

Adversary model

The adversary can be:

Faulty node
Misbehaving node

Example attack: false information dissemination Adversaries have valid credentials Honest majority in the attacker’s neighborhood

31

SLIDE 32

Message validation TPD

(Tamper-Proof Device)

RTC

(Rev. of the Trusted Component )

LEAVE

(Local Eviction of Attackers by Voting Evaluators)

MDS

(Misbehavior Detection System)

Evidence Collection Revocation Information

CA (Certification Authority) and Infrastructure Functionality

Fail (ID)

Revocation Decision RC2RL

(Rev. by Compressed CRLs)

Node ID

Vehicle Functionality

CA Policies

Local Warning Messages Revocation Command

Scheme overview

32

SLIDE 33

Revocation protocols

We propose 2 protocols to revoke a vehicle’s keys:

Rev. of the Trusted Component (RTC): CA revokes all keys
Rev. by Compressed CRLs (RC2RL): if TC is not reachable

Local Eviction of Attackers by Voting Evaluators (LEAVE):

Initiated by peers
Generates a report to the CA, which triggers the actual

revocation by RTC/RC2RL

33

SLIDE 34

Revocation of the Trusted Component (RTC)

34

RSU: Road Side Unit; PuK = Public Key; T = Timestamp

SLIDE 35

Revocation by Compressed CRLs (RC2RL)

CRLs are compressed using Bloom filters Bloom filter: space-efficient probabilistic data-structure

Can be queried to check if an element is in a set or not
Configurable rate of false positives (but no false negatives)

1 2 3 m vector with m bits element “a” k different hash functions with range 1…m … H1(a) H2(a) Hk(a) … 1 1 1

35

SLIDE 36

Local Eviction of Attackers by Voting Evaluators (LEAVE)

36

SLIDE 37

Data-Centric Trust

37

Data Trust Decision on event

SLIDE 38

What is Data-Centric Trust?

SLIDE 39

Data-Centric Trust in Networks Packet forwarding Security associations Reputation

A M B

Data dissemination Insufficient Hard

39

Traditional ad hoc networks Ephemeral networks

Data Trust = Entity Trust Data Trust = F(Entity Trust, context)

SLIDE 40

Event‐specific trust Dynamic trust metric Security status

) ), ( (

j k

v f λ τ

) , (

j k l v λ

μ ) ( k v s

)) , ( ), ), ( ( ), ( (

j k l j k k

v v f v s F λ μ λ τ

A C B M

General Framework Trust Computation

Weights (data‐centric trust levels)

( )

k

v τ

is the default trustworthiness Location Time

Event reports

f type

from nodes

j

λ

k

v

j k

e

SLIDE 41

A C B M

General Framework Evidence Evaluation

( )

j B

F e

Decision Logic Decision on Reported Event

Report contents

Event reports

f type

from nodes

j

λ

k

v

j k

e

( )

j C

F e ( )

j M

F e

SLIDE 42

Decision Logics

Most trusted report Weighted voting Bayesian inference

Takes into account prior knowledge

Dempster-Shafer Theory

probability is bounded by belief and plausibility
Uncertainty (lack of evidence) does not refute nor support

evidence

SLIDE 43

Conclusion

Vehicular communications could lead to the largest mobile ad hoc

network (around 1 billion nodes)

The security of that network is a difficult and highly relevant problem
Car manufacturers seem to be poised to massively invest in this area
Slow penetration makes connectivity more difficult
Security leads to a substantial overhead and must be taken into

account from the beginning of the design process

The field offers plenty of novel research challenges
Pitfalls
Defer the design of security
Security by obscurity
More information at http://ivc.epfl.ch

43