
Scalable & Resilient Vehicle-Centric Certificate Revocation List - PowerPoint PPT Presentation

KTH ROYAL INSTITUTE OF TECHNOLOGY Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS)


  1. KTH ROYAL INSTITUTE OF TECHNOLOGY
     Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems
     Mohammad Khodaei and Panos Papadimitratos
     Networked Systems Security Group (NSS)
     www.eecs.kth.se/nss

  2. Outline
     ◮ Challenges for Revocation in VC Systems
     ◮ System Overview
     ◮ Security Protocols
     ◮ Qualitative Analysis
     ◮ Quantitative Analysis
     ◮ Conclusion

  3. Vehicular Communication (VC) Systems
     Figure: Photo Courtesy of the Car2Car Communication Consortium (C2C-CC)

  4. Security and Privacy for VC Systems
     Basic Requirements [1, 2]
     ◮ Authentication & integrity
     ◮ Non-repudiation
     ◮ Authorization and access control
     ◮ Conditional anonymity
     ◮ Unlinkability (long-term)
     Vehicular Public-Key Infrastructure (VPKI)
     ◮ Pseudonymous authentication
     ◮ Trusted Third Party (TTP):
       ◮ Certification Authority (CA)
       ◮ Issues credentials & binds users to their pseudonyms
     [1] P. Papadimitratos, et al. "Securing Vehicular Communications - Assumptions, Requirements, and Principles," in ESCAR, Berlin, Germany, pp. 5-14, Nov. 2006.
     [2] P. Papadimitratos, et al. "Secure Vehicular Communication Systems: Design and Architecture," in IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, Nov. 2008.

  5. Security and Privacy for VC Systems (cont'd)
     ◮ Sign packets with the private key, corresponding to the current valid pseudonym
     ◮ Verify packets with the valid pseudonym
     ◮ Cryptographic operations in a Hardware Security Module (HSM)

  6. Secure & Privacy-preserving VC Systems
     ◮ Root Certification Authority (RCA)
     ◮ Long Term CA (LTCA)
     ◮ Pseudonym CA (PCA)
     ◮ Resolution Authority (RA)
     ◮ Lightweight Directory Access Protocol (LDAP)
     ◮ Roadside Unit (RSU)
     ◮ Trust established with RCA, or through cross certification
     Figure: VPKI Overview (RCA; Domains A, B and C with RA, LTCA, PCA and LDAP entities; legend: A certifies B, cross-certification, communication link, message dissemination; messages $\{Msg\}_{(P_v^i)}, \{P_v^i\}_{(PCA)}$ sent over 3/4/5G and RSU links)

  7. Challenges & Motivation
     Traditional PKI vs. Vehicular PKI
     ◮ Dimensions (5 orders of magnitude more credentials)
     ◮ Balancing act: security, privacy, and efficiency
     ◮ Honest-but-curious VPKI entities
     ◮ Performance constraints: safety- and time-critical operations (rates of 10 safety beacons per second)
     ◮ Mechanics of revocation:
       ◮ Highly dynamic environment with intermittent connectivity
       ◮ Short-lived pseudonyms, multiple per entity
       ◮ Resource constraints

  8. Challenges and Motivation (cont'd)
     Revocation challenges:
     ◮ Efficient and timely distribution of Certificate Revocation Lists (CRLs) to every legitimate vehicle in the system
     ◮ Strong privacy for vehicles prior to revocation events to every vehicle
     ◮ Computation and communication constraints of On-Board Units (OBUs) with intermittent connectivity to the infrastructure
     ◮ Peer-to-peer distribution is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRL distribution

  9. Outline
     ◮ Challenges for Revocation in VC Systems
     ◮ System Overview
     ◮ Security Protocols
     ◮ Qualitative Analysis
     ◮ Quantitative Analysis
     ◮ Conclusion

  10. System Model and Assumptions
      Figure: Pseudonym acquisition overview in the home and foreign domains (entities: RCA, H-LTCA, F-LTCA, PCA, RA, LDAP; labelled steps: 1. LTC, 2. n-tkt, 3. psnym req., 4. psnyms acquisition; I. f-tkt req., II. f-tkt, III. n-tkt, IV. psnym req., V. psnyms acquisition).
      Figure: Pseudonym Acquisition Policies: user-controlled policy (P1), oblivious policy (P2), universally fixed policy (P3), drawn over system time from $t_{start}$ to $t_{end}$ with pseudonym lifetimes $\tau_P$, intervals $\Gamma_{P2}$ and $\Gamma_{P3}$, and unused and expired pseudonyms marked.
      M. Khodaei, H. Jin, and P. Papadimitratos. IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018.

  11. System Model and Requirements
      Adversarial Model:
      ◮ Excluding revoked pseudonym serial numbers from a CRL
      ◮ Adding valid pseudonyms by forging a fake CRL (piece)
      ◮ Preventing legitimate vehicles from obtaining genuine and the most up-to-date CRL (pieces) or delaying the distribution
      ◮ Harming user privacy by the VPKI entities
      Requirements:
      ◮ Fine-grained authentication, integrity, and non-repudiation
      ◮ Unlinkability (perfect-forward-privacy)
      ◮ Availability
      ◮ Efficiency
      ◮ Explicit and/or implicit notification on revocation events

  12. Vehicle-Centric CRL Distribution
      Figure: CRL as a Stream: $V_1$ subscribes to $\{\Gamma^{i}_{CRL}, \Gamma^{i+1}_{CRL}, \Gamma^{i+2}_{CRL}\}$; $V_2$: $\{\Gamma^{i}_{CRL}, \Gamma^{i+1}_{CRL}\}$; $V_3$: $\{\Gamma^{i+2}_{CRL}\}$; $V_4$: $\{\Gamma^{i+3}_{CRL}\}$; $V_5$: $\{\Gamma^{i+4}_{CRL}\}$.
      Figure: A vehicle-centric approach: each vehicle only subscribes for pieces of CRLs corresponding to its trip duration.

  13. Bloom Filter Construction & Membership Checks
      Figure: bit array with elements x, y, z and queries y' = y, x' = x, z' (false positive).
      Bloom Filter (BF) features:
      ◮ A space-efficient probabilistic data structure
      ◮ Fast membership checking
      ◮ No false negatives, but false positive matches are possible
      ◮ A query returns either "possibly in set" or "definitely not in set"
      ◮ No deletion is allowed in a BF; (Cuckoo Filter (CF) supports deletion)

  14. Vehicle-Centric CRL Distribution (cont'd)
      Figure: CRL piece & fingerprint construction by the PCA: (a) Revoked pseudonyms, (b) CRL fingerprint construction.
      CRL Fingerprint:
      ◮ A signed fingerprint is broadcasted by RSUs
      ◮ Also integrated in a subset of recently issued pseudonyms
      ◮ A notification about a new CRL-update (revocation) event

  15. Vehicle-centric $\Delta$-CRL distribution
      Figure: within $\Gamma^{j}_{CRL}$, two key chains ($K_{i-1}, \dots, K_{i+3}$ with $H(K_i), \dots, H(K_{i+4})$, and $K'_{i-1}, \dots, K'_{i+3}$ with $H'(K_{i-1}), \dots, H'(K_{i+3})$), the disclosure of $K_i$, and new revocation events producing $\Delta$-CRL$_i$, $\Delta$-CRL$_{i+1}$, $\Delta$-CRL$_{i+2}$, $\Delta$-CRL$_{i+3}$.

  16. Outline
      ◮ Challenges for Revocation in VC Systems
      ◮ System Overview
      ◮ Security Protocols
      ◮ Qualitative Analysis
      ◮ Quantitative Analysis
      ◮ Conclusion

  17. Notation Used in the Protocols
      Table: Notation Used in the Protocols.

      | Notation | Description |
      |---|---|
      | $(P_v^i)_{pca}$, $P_v^i$ | a valid psnym signed by the PCA |
      | $(K_v^i, k_v^i)$ | psnym pub./priv. key pairs |
      | $(K_{pca}; Lk_{pca})$ | long-term pub./priv. key pairs |
      | $(msg)_{\sigma_v}$ | signed msg with vehicle's priv. key |
      | LTC | Long Term Certificate |
      | $t_{now}$, $t_s$, $t_e$ | a fresh, starting, ending timestamp |
      | $T_{timeout}$ | response reception timeout |
      | n-tkt, $(n\text{-}tkt)_{ltca}$ | a native ticket |
      | $Id_{req}$, $Id_{res}$ | request/response identifiers |
      | SN | psnym serial number |
      | $Sign(Lk_{ca}, msg)$ | signing a msg with CA's priv. key |
      | $Verify(LTC_{ca}, msg)$ | verifying with the CA's pub. key |
      | $GenRnd()$, $rand(0, *)$ | generating a random number, or one in a range |
      | $H^k()$, $H$ | hash function ($k$ times), hash value |
      | $Append()$ | appending a revoked psnym SN to CRLs |
      | $BFTest()$ | BF membership test |
      | $p$, $K$ | false positive rate, optimal hash functions |
      | $\Gamma$ | interval to issue time-aligned psnyms |
      | $\Gamma_{CRL}$ | interval to release CRLs |
      | RIK | revocation identifiable key |
      | $B$ | max. bandwidth for CRL distribution |
      | $R$ | revocation rate |
      | $N$ | total number of CRL pieces in each $\Gamma_{CRL}$ |
      | $n$ | number of remaining psnyms in each batch |
      | $k$ | index of the first revoked psnym |
      | $CRL_v$ | CRL version |
      | $\emptyset$ | Null or empty vector |
      | $k, j, m, \zeta$ | temporary variables |

  18. Pseudonym Acquisition Process
      Participants: OBU, LTCA, PCA
      1. $(H(Id_{pca} \| Rnd_{256}), t_s, t_e, LTC_v, N, t)$
      2. $IK_{tkt} \leftarrow H(LTC_v \| t_s \| t_e \| Rnd_{IK_{tkt}})$
      3. $tkt \leftarrow (H(Id_{pca} \| Rnd_{tkt}), IK_{tkt}, t_s, t_e)$
      4. $Cert(LTC_{ltca}, tkt)$
      5. $(tkt_{\sigma_{ltca}}, N+1, t)$
      6. $(t_s, t_e, (tkt)_{\sigma_{ltca}}, \{(K_v^1)_{\sigma_{k_v^1}}, \cdots, (K_v^n)_{\sigma_{k_v^n}}\}, N', t_{now})$
      7. $Verify(LTC_{ltca}, (tkt)_{\sigma_{ltca}})$
      8. $Rnd_v \leftarrow GenRnd()$
      9. $Verify(K_v^i, (K_v^i)_{\sigma_{k_v^i}})$
      10. $RIK_{P_v^i} \leftarrow H(IK_{tkt} \| K_v^i \| t_s^i \| t_e^i \| H^i(Rnd_v))$
          1: if $i = 1$ then
          2:   $SN^i \leftarrow H(RIK_{P_v^i} \| H^i(Rnd_v))$
          3: else
          4:   $SN^i \leftarrow H(SN^{i-1} \| H^i(Rnd_v))$
          5: end if
      11. $\zeta \leftarrow (SN^i, K_v^i, CRL_v, BF_{\Gamma^i_{CRL}}, RIK_{P_v^i}, t_s^i, t_e^i)$
      12. $(P_v^i)_{\sigma_{pca}} \leftarrow Sign(Lk_{pca}, \zeta)$
      13. $(\{(P_v^1)_{\sigma_{pca}}, \ldots, (P_v^n)_{\sigma_{pca}}\}, Rnd_v, N+1, t_{now})$
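
The serial-number chaining of step 10 on the Pseudonym Acquisition Process slide, as an added Python example (not code from the presentation or its authors). Assumptions: SHA-256 stands in for $H$, `||` is byte concatenation of fixed-length fields, all keys and timestamps are constructed sample values, and a revocation entry is taken to disclose $(SN^k, H^k(Rnd_v), n)$, which is how the $k$ and $n$ rows of the notation table are read here; `issue_batch` and `expand_revocation` are hypothetical names.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """H(a || b || ...): SHA-256 over the concatenation (hash choice assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def H_iter(x: bytes, times: int) -> bytes:
    """H^times(x): apply H repeatedly."""
    for _ in range(times):
        x = H(x)
    return x

def issue_batch(ik_tkt, pub_keys, lifetimes, rnd_v):
    """PCA side, step 10: return [(RIK_i, SN_i)] for i = 1..n."""
    batch, prev_sn = [], None
    for i, (k_v, (t_s, t_e)) in enumerate(zip(pub_keys, lifetimes), start=1):
        h_i = H_iter(rnd_v, i)
        rik = H(ik_tkt, k_v, t_s, t_e, h_i)
        sn = H(rik, h_i) if i == 1 else H(prev_sn, h_i)
        batch.append((rik, sn))
        prev_sn = sn
    return batch

def expand_revocation(sn_k: bytes, h_k: bytes, n: int):
    """Vehicle side (assumed entry format): from SN^k, H^k(Rnd_v) and n
    remaining pseudonyms, derive SN^k .. SN^(k+n)."""
    sns, sn, h = [sn_k], sn_k, h_k
    for _ in range(n):
        h = H(h)        # H^(j+1)(Rnd_v) from H^j(Rnd_v)
        sn = H(sn, h)   # SN^(j+1) = H(SN^j || H^(j+1)(Rnd_v))
        sns.append(sn)
    return sns

def demo():
    # Constructed sample values, all fixed-length so "||" is unambiguous.
    ik_tkt = H(b"constructed-ticket-identifiable-key")
    rnd_v = H(b"constructed-Rnd_v")
    keys = [H(b"constructed-K_v", bytes([i])) for i in range(1, 6)]
    lifetimes = [((300 * i).to_bytes(8, "big"), (300 * (i + 1)).to_bytes(8, "big"))
                 for i in range(5)]
    all_sns = [sn for _, sn in issue_batch(ik_tkt, keys, lifetimes, rnd_v)]
    k = 3  # revocation starts at the 3rd pseudonym; n = 2 remain after it
    revoked = set(expand_revocation(all_sns[k - 1], H_iter(rnd_v, k), 2))
    return [sn in revoked for sn in all_sns]

if __name__ == "__main__":
    print(demo())
```

The pseudonyms issued before index $k$ stay outside the derived set because recovering $H^{k-1}(Rnd_v)$ from $H^k(Rnd_v)$ would require inverting the hash, which is what the unlinkability (perfect-forward-privacy) requirement relies on.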
