[PPT] - Privacy in Vehicular Ad-hoc Networks Nikolaos Alexiou, LCN, EE KTH PowerPoint Presentation

SLIDE 1

Privacy in Vehicular Ad-hoc Networks

Nikolaos Alexiou, LCN, EE KTH alexiou@kth.se 2/10/2012

SLIDE 2

2012-10-04

Outline

Introduction
VANETs: an overview
VANET privacy
Anonymity
Location Privacy
VPKI
Privacy Attacks
Countermeasures
Conclusion

Illustrations from Car2Car Consortium, unless specified otherwise

SLIDE 3

2012-10-04

VANETs: An overview

SLIDE 4

2012-10-04

VANETs: An overview (cont'd)

V2V Communications:
Safety applications
Location Based Services
Proprietary Applications
Two types of messages:
Cooperative Awareness

Messages (CAM)

Decentralized Enviromental

Notification Messages (DENM)

SLIDE 5

2012-10-04

VANETs: An overview (cont'd)

CAM messages:
Beacons, periodically sent
Basic status information (speed, location, acceleration, vehicle

identifier)

Very important for safety applications
A vehicle's neighborhood receives these messages
DENM messages:
Report information related with events
Sent on event detection
Contain: event location, timestamp etc
Usually distributed to many vehicles over a large area

SLIDE 6

2012-10-04

VANETs: An overview (Cont'd)

V2I Communications:
Vehicle to RSU (Road Side

Units)

VANET Services:
Location based
Safety Applications
Proprietary: eg Tolling

Systems

Privacy Services
802.11p / LTE

SLIDE 7

Privacy & threats?

SLIDE 8

2012-10-04

V2V/V2I communications

V2V and V2I communications expose sensitive data:
To other vehicles
Eavesdroppers
To infrastructure
[1] CAM messages contain information such as:
Direction to be taken
Vehicle length
Vehicle width
Occupancy (passengers as percentage)
Anonymity: conceal identity
Location Privacy: position cannot be systematically recorded

[1]ETSI TS 102 637-2 V1.2.1 (2011-03)

Picture:P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, "Secure Vehicular Communication Systems: Design and Architecture," IEEE Communications Magazine, November 2008.

SLIDE 9

2012-10-04

Authentication in VANETs

Each vehicle should be identifiable
To develop services and applications
To issue tickets
To resolve accidents
Vehicle authentication can be achieved using a PKI → the

Vehicular PKI (VPKI)

Each vehicle will store:
private keys to sign packets
public keys signed by a CA (eg the car manufacturer)
Certificates
For other vehicles and infrastructure to verify packets

SLIDE 10

2012-10-04

VANET Privacy (Cont'd)

image: P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, J.-P. Hubaux, Secure Vehicular Communication Systems: Design and Architecture

SLIDE 11

2012-10-04

Generally about privacy: Why?

If you have nothing to hide, why do you need privacy?
If I have nothing to hide, you have no cause to watch me.
Who defines what is wrong behavior or not?

Bruce Schneier on Security, Chapter 4: Privacy and Surveillance

SLIDE 12

2012-10-04

So far we know:

V2V/V2I communications leak information
Privacy threat
Anonymity
Location Privacy
VPKI needed to authenticate vehicles
Certificates from a trusted CA
The next question is...

SLIDE 13

How to protect privacy in VANETs?

SLIDE 14

2012-10-04

Pseudonyms: Anonymity

Pseudonyms to provide anonymity
Where and how to store pseudonyms at the car?
Hardware Security Module (HSM)
Tamper-Proof crypto device
Corner stone of in-vehicle security
How to obtain pseudonyms?
How to protect location privacy?
Why need many pseudonyms?

SLIDE 15

2012-10-04

Pseudonyms: Location Privacy

Each pseudonym is valid for a specific period of time

SLIDE 16

2012-10-04

The VANET Architecture

Vehicular Public Key

Infrastructure

pseudonyms signed by CA
Pseudonym Certification

Authority (PCA)

Why?
Trust in signatures
PCA per manufacturer?
Hierarchical VPKI
Cross-certification between

countries

SLIDE 17

2012-10-04

How to generate pseudonyms?

Each vehicle can generate a set of:
Private/Public keys in the HSM
A large set of keys (e.g to be enough for a week)
Short life-time
Each needed for a limited number of beacons
Public keys need to be signed by a CA
Send over wireless to be signed
Private keys stay in the HSM
Pseudonymous Certificates: A signature of a CA over each of

the public keys

SLIDE 18

A first bad VPKI architecture example

SLIDE 19

2012-10-04

Pseudonymous Certificates

EPuKpca{Sigv(Alexiou, KBZ 5567,t),Certv(PuKv)}*

EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

PCA

*This is just an illustration example

SLIDE 20

2012-10-04

Pseudonymous Certificates (Cont'd)

Preserves location privacy and anonymity for V2V The PCA knows who (alexiou) and which (pseudonyms) PCA

EPuKpca{Sigv(Alexiou, KBZ 5567,t),Certv(PuKv)}*

EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

SLIDE 21

2012-10-04

The vehicle should be protected against the infrastructure
The PCA must NOT learn the identity of the vehicle or the driver
To achieve that, another authority is needed
Long Term Certification Authority (LTCA)
Holds real information of the vehicle (and possibly the drivers)
The new architecture
LTCA: knows only real identities
PCA: knows only pseudonyms

Pseudonymous Certificates (Cont'd)

SLIDE 22

A better VPKI architecture example

SLIDE 23

2012-10-04

PCA

SK_pca PuK_pca

LTCA

SK_ltca PuK_ltca

EpuK_ltca(Alexiou,KBZ5567,t) OK (You can grant pseudonyms) EPuKpca{EPuKLTCA(Alexiou, KBZ 5567,t),Certv(PuKv)}* EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

Pseudonymous Certificates (Cont'd)

SLIDE 24

2012-10-04

PCA

SK_pca PuK_pca

LTCA

SK_ltca PuK_ltca

EpuK_ltca(Alexiou,KBZ5567,t) OK (You can grant pseudonyms) EPuKpca{EPuKLTCA(Alexiou, KBZ 5567,t),Certv(PuKv)}* EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

Doesn't know who Doesn't know which

Pseudonymous Certificates (Cont'd)

SLIDE 25

2012-10-04

Pseudonymous Certificates (Cont'd)

PCA

SK_pca PuK_pca

LTCA

SK_ltca PuK_ltca

EpuK_ltca(Alexiou,KBZ5567,t) OK (You can grant pseudonyms) EPuKpca{EPuKLTCA(Alexiou, KBZ 5567,t),Certv(PuKv)}* EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

Doesn't know who Doesn't know which

A possible threat??

SLIDE 26

2012-10-04

PCA

SK_pca PuK_pca

LTCA

SK_ltca PuK_ltca

EpuK_ltca(Alexiou,KBZ5567,t) OK (You can grant pseudonyms) EPuKpca{EPuKLTCA(Alexiou, KBZ 5567,t),Certv(PuKv)}* EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

Doesn't know who Doesn't know which

Pseudonym Resolution

Resolution Authority

Tell me which?

SLIDE 27

2012-10-04

PCA

SK_pca PuK_pca

LTCA

SK_ltca PuK_ltca

EpuK_ltca(Alexiou,KBZ5567,t) OK (You can grant pseudonyms) EPuKpca{EPuKLTCA(Alexiou, KBZ 5567,t),Certv(PuKv)}* EPuKv{Sigpca(Sheldon1)...Sigpca(Sheldonx)}*

Doesn't know who Doesn't know which

Pseudonym Resolution

Resolution Authority

Tell me who?

SLIDE 28

2012-10-04

Pseudonym Resolution

When does the resolution happen?
Accidents
Misbehavior
Alternative resolution methods exist
[2]: encrypting vehicle's identity with Res. CA's PuK
Others: additional CA's for:
Misbehavior, Grant of Access, Legal Aspects

[2] Kargl, F. ; Zhendong Ma ; Weber, M. , V-Tokens for Conditional Pseudonymity in VANETs

SLIDE 29

2012-10-04

Pseudonym Revocation

Certificates will eventually expire
Vehicles may
Misbehave
Destroyed
Retired
Revocation of pseudonym certificates to prevent malicious

behavior

SLIDE 30

2012-10-04

Other Pseudonymous Schemes

Group Signatures
Hide the identity within a group of vehicles
Each vehicle stores:
A group secret key
A group public key
Tokens for revocation
Problems:
Efficiency
More difficult to handle revocations
Difficult to handle dynamic groups

SLIDE 31

Attacks against location privacy

SLIDE 32

2012-10-04

Tracking attacks: Location Privacy

Each beacon contains the

vehicle's location/direction etc

Adversaries can collect the

beacons

LP is highly dependable on

the anonymity set

E.g. how many cars on the

road?

Cannot assume that vehicles

can change pseudonyms for each packet transmitted

SLIDE 33

2012-10-04

Tracking attacks: Location Privacy

Change pseudonyms to avoid

tracking

Beacon frequency e.g. 10Hz
Given that there are many

cars on the road:

It should be very difficult to

track a vehicle

Is this the case?
Multi-hypothesis testing,

kalman filters

SLIDE 34

2012-10-04

Multi-Hypothesis testing: An overview

Tracking as data association problem
Position & velocity
For each measurement a new set of data association

hypothesis

Essentially guessing the next state
New measurements arrive
Probability of association of the guess to the measurement
Higher probability is chosen

SLIDE 35

2012-10-04

Tracking Results

Images: B. Wiedersheim, F. Kargl, Z. Ma, and P. Papadimitratos, “Privacy in Inter-Vehicular Networks: Why simple pseudonym change is not enough”

SLIDE 36

2012-10-04

Reasoning about Location Privacy

How to increase:
Increasing pseudonym changing frequency
Spatial noise
Impact on safety?
Adversarial models
Eavesdropper: needs many devices
Internal: is the most dangerous one
What else could be done?
Mixing zones

SLIDE 37

2012-10-04

Idea: change pseudonym

where it is harder to link two successory ones

Force pseudonym changes

within regions

Where can this be done?
Road junctions
Traffic lights

Mix-Zones

Image: Julien Freudiger, Reza Shokri, and Jean-Pierre Hubaux On the Optimal Placement of Mix Zones

SLIDE 38

2012-10-04

An RSU at the intersection
Distributes a secret key to the

vehicles within the mix-zone

They beacon using signing

with the group key

The vehicle uses its regular

pseudonym when leaving the mix-zone

Mix-Zones (cont'd)

Image: J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular Networks”

SLIDE 39

2012-10-04

Mix-Zones: Some results

Images: J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular Networks”

SLIDE 40

2012-10-04

Conclusion

Anonymity through pseudonymous certificates
Location privacy through changing certificates
Tracking attacks from:
Eavesdroppers
Internal adversaries
VPKI architecture to minimize the probability of tracking by a

trusted party

Mix-zones/pseudonym change frequency to avoid

eavesdroppers

SLIDE 41

2012-10-04

References

Suggested:
P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M.Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux,

"Secure Vehicular Communication Systems: Design and Architecture," IEEE Communications Magazine, November 2008

B. Wiedersheim, F. Kargl, Z. Ma, and P. Papadimitratos, “Privacy in Inter-Vehicular Networks: Why simple pseudonym

change is not enough,” IEEE/IFIP International Conference on Wireless On-demand Network Systems and Services (IEEE/IFIP WONS), Kranjska Gora, Slovenia, February 2010

Further Reading:
http://preserve-project.eu/
M. Raya and J.-P. Hubaux. The Security of Vehicular Ad Hoc Networks. In Proc. of Third ACM Workshop on Security of Ad

Hoc and Sensor Networks (SASN 2005), Alexandria, USA, Nov. 2005.

J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P. Hubaux, "Mix-Zones for Location Privacy in Vehicular

Networks," ACM Workshop on Wireless Networking for Intelligent Transportation Systems (ACM WiN-ITS 2007), Vancouver, BC, Canada, August 2007

Giorgio Calandriello, Panos Papadimitratos, Jean-Pierre Hubaux, and Antonio Lioy. 2007. Efficient and robust

pseudonymous authentication in VANET. In Proceedings of the fourth ACM international workshop on Vehicular ad hoc networks (VANET '07). ACM, New York, NY, USA, 19-28.

F. Schaub, F. Kargl, Z. Ma, and M. Weber, "V-tokens for Conditional Pseudonymity in VANETs", IEEE Wireless

Communications & Networking Conference (IEEE WCNC 2010), Sydney, Australia, IEEE, 04/2010.

SLIDE 42