KTH ROYAL INSTITUTE OF TECHNOLOGY
Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems
Mohammad Khodaei and Panos Papadimitratos
Networked Systems Security Group (NSS)
Outline
◮ Challenges for Revocation in VC Systems
◮ System Overview
◮ Security Protocols
◮ Qualitative Analysis
◮ Quantitative Analysis
◮ Conclusion
Vehicular Communication (VC) Systems
Figure: Photo Courtesy of the Car2Car Communication Consortium (C2C-CC)
Security and Privacy for VC Systems
Basic Requirements [1, 2]
◮ Authentication & integrity
◮ Non-repudiation
◮ Authorization and access control
◮ Conditional anonymity
◮ Unlinkability (long-term)
Vehicular Public-Key Infrastructure (VPKI)
◮ Pseudonymous authentication
◮ Trusted Third Party (TTP):
  ◮ Certification Authority (CA)
  ◮ Issues credentials & binds users to their pseudonyms
Footnote: P. Papadimitratos, et al. "Securing Vehicular Communications - Assumptions, Requirements, and Principles," in ESCAR, Berlin, Germany, pp. 5-14, Nov. 2006.
Footnote: P. Papadimitratos, et al. "Secure Vehicular Communication Systems: Design and Architecture," in IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, Nov. 2008.
Security and Privacy for VC Systems (cont'd)
◮ Sign packets with the private key corresponding to the current valid pseudonym
◮ Verify packets with the valid pseudonym
◮ Cryptographic operations in a Hardware Security Module (HSM)
Secure & Privacy-preserving VC Systems
◮ Root Certification Authority (RCA)
◮ Long Term CA (LTCA)
◮ Pseudonym CA (PCA)
◮ Resolution Authority (RA)
◮ Lightweight Directory Access Protocol (LDAP)
◮ Roadside Unit (RSU)
◮ Trust established with RCA, or through cross certification
Figure: VPKI Overview. Diagram labels: RCA, LTCA, PCA, RA, LDAP, RSU, 3/4/5G; Domain A, Domain B, Domain C; legend: "A certifies B", "Cross-certification" (X-Certify), "Communication link"; message dissemination: {Msg}_(P^i_v), {P^i_v}_(PCA).
Challenges & Motivation
Traditional PKI vs. Vehicular PKI
◮ Dimensions (5 orders of magnitude more credentials)
◮ Balancing act: security, privacy, and efficiency
  ◮ Honest-but-curious VPKI entities
  ◮ Performance constraints: safety- and time-critical operations (rates of 10 safety beacons per second)
◮ Mechanics of revocation:
  ◮ Highly dynamic environment with intermittent connectivity
  ◮ Short-lived pseudonyms, multiple per entity
  ◮ Resource constraints
Challenges and Motivation (cont'd)
Revocation challenges:
◮ Efficient and timely distribution of Certificate Revocation Lists (CRLs) to every legitimate vehicle in the system
◮ Strong privacy for vehicles prior to revocation events to every vehicle
◮ Computation and communication constraints of On-Board Units (OBUs) with intermittent connectivity to the infrastructure
◮ Peer-to-peer distribution is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRL distribution
System Model and Assumptions
Figure: Pseudonym acquisition overview in the home and foreign domains. Diagram labels: RCA, H-LTCA, F-LTCA, PCA, RA, LDAP; Home Domain (A), Foreign Domain (B); legend: "A certifies B", "Communication link". Step labels: 1. LTC; 2. n-tkt; 3. psnym req.; 4. psnyms acquisition; I. f-tkt req.; II. f-tkt; III. n-tkt; IV. psnym req.; V. psnyms acquisition.
Figure: Pseudonym Acquisition Policies. Panels: User-controlled policy (P1), Oblivious policy (P2), Universally fixed policy (P3). Axis: System Time. Labels: Trip Duration, t_start, t_end, τ_P, Γ_P2, Γ_P3, Unused Pseudonyms, Expired Pseudonym.
M. Khodaei, H. Jin, and P. Papadimitratos. IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018.
System Model and Requirements
Adversarial Model:
◮ Excluding revoked pseudonym serial numbers from a CRL
◮ Adding valid pseudonyms by forging a fake CRL (piece)
◮ Preventing legitimate vehicles from obtaining genuine and the most up-to-date CRL (pieces) or delaying the distribution
◮ Harming user privacy by the VPKI entities
Requirements:
◮ Fine-grained authentication, integrity, and non-repudiation
◮ Unlinkability (perfect-forward-privacy)
◮ Availability
◮ Efficiency
◮ Explicit and/or implicit notification on revocation events
Vehicle-Centric CRL Distribution
Figure: CRL as a Stream: V1 subscribes to {Γ^i_CRL, Γ^{i+1}_CRL, Γ^{i+2}_CRL}; V2: {Γ^i_CRL, Γ^{i+1}_CRL}; V3: {Γ^{i+2}_CRL}; V4: {Γ^{i+3}_CRL}; V5: {Γ^{i+4}_CRL}. Diagram labels: Trip Duration D; D_v1, D_v2, D_v3, D_v4, D_v5; Partitioned Interval Γ^i_CRL; intervals Γ^i_CRL to Γ^{i+4}_CRL.
Figure: A vehicle-centric approach: each vehicle only subscribes for pieces of CRLs corresponding to its trip duration. Diagram labels: System Time, Trip Duration, Γ^1_CRL, Γ^2_CRL, Γ^3_CRL.
Bloom Filter Construction & Membership Checks
Figure: Bloom filter bit array with elements x, y, z and queries x' = x, y' = y, z' (false positive).
Bloom Filter (BF) features:
◮ A space-efficient probabilistic data structure
◮ Fast membership checking
◮ No false negatives, but false positive matches are possible
◮ A query returns either "possibly in set" or "definitely not in set"
◮ No deletion is allowed in a BF; (Cuckoo Filter (CF) supports deletion)
Vehicle-Centric CRL Distribution (cont'd)
Figure: CRL piece & fingerprint construction by the PCA. (a) Revoked pseudonyms. (b) CRL fingerprint construction. Diagram labels: Γ^i_CRL, τ_P, V1 to V9.
CRL Fingerprint:
◮ A signed fingerprint is broadcasted by RSUs
◮ Also integrated in a subset of recently issued pseudonyms
◮ A notification about a new CRL-update (revocation) event
Vehicle-centric ∆-CRL distribution
Figure (diagram labels): Γ^j_CRL; New Revocation Event (three times); Δ-CRL_i, Δ-CRL_{i+1}, Δ-CRL_{i+2}, Δ-CRL_{i+3}; keys K_{i−1}, K_i, K_{i+1}, K_{i+2}, K_{i+3} with H(K_i), H(K_{i+1}), H(K_{i+2}), H(K_{i+3}), H(K_{i+4}); keys K'_{i−1}, K'_i, K'_{i+1}, K'_{i+2}, K'_{i+3} with H'(K_{i−1}), H'(K_i), H'(K_{i+1}), H'(K_{i+2}), H'(K_{i+3}); Disclosure of K_i.
Notation Used in the Protocols
Table: Notation Used in the Protocols.
| Notation | Description | Notation | Description |
|---|---|---|---|
| (P^i_v)_pca, P^i_v | a valid psnym signed by the PCA | Append() | appending a revoked psnym SN to CRLs |
| (K^i_v, k^i_v) | psnym pub./priv. key pairs | BFTest() | BF membership test |
| (K_pca; Lk_pca) | long-term pub./priv. key pairs | p, K | false positive rate, optimal hash functions |
| (msg)_{σ_v} | signed msg with vehicle's priv. key | Γ | interval to issue time-aligned psnyms |
| LTC | Long Term Certificate | Γ_CRL | interval to release CRLs |
| t_now, t_s, t_e | a fresh, starting, ending timestamp | RIK | revocation identifiable key |
| T_timeout | response reception timeout | B | max. bandwidth for CRL distribution |
| n-tkt, (n-tkt)_ltca | a native ticket | R | revocation rate |
| Id_req, Id_res | request/response identifiers | N | total number of CRL pieces in each Γ_CRL |
| SN | psnym serial number | n | number of remaining psnyms in each batch |
| Sign(Lk_ca, msg) | signing a msg with CA's priv. key | k | index of the first revoked psnym |
| Verify(LTC_ca, msg) | verifying with the CA's pub. key | CRL_v | CRL version |
| GenRnd(), rand(0, ∗) | generating a random number, or in range | ∅ | Null or empty vector |
| H^k(), H | hash function (k times), hash value | k, j, m, ζ | temporary variables |
Pseudonym Acquisition Process
Parties: OBU, LTCA, PCA
1. (H(Id_pca || Rnd_256), t_s, t_e, LTC_v, N, t)
2. IK_tkt ← H(LTC_v || t_s || t_e || Rnd_{IK_tkt})
3. tkt ← (H(Id_pca || Rnd_tkt), IK_tkt, t_s, t_e)
4. Cert(LTC_ltca, tkt)
5. ((tkt)_{σ_ltca}, N + 1, t)
6. (t_s, t_e, (tkt)_{σ_ltca}, {(K^1_v)_{σ_{k^1_v}}, ..., (K^n_v)_{σ_{k^n_v}}}, N', t_now)
7. Verify(LTC_ltca, (tkt)_{σ_ltca})
8. Rnd_v ← GenRnd()
9. Verify(K^i_v, (K^i_v)_{σ_{k^i_v}})
10. RIK_{P^i_v} ← H(IK_tkt || K^i_v || t^i_s || t^i_e || H^i(Rnd_v))
11. ζ ← (SN^i, K^i_v, CRL_v, BF_{Γ^i_CRL}, RIK_{P^i_v}, t^i_s, t^i_e)
12. (P^i_v)_{σ_pca} ← Sign(Lk_pca, ζ)
13. ({(P^1_v)_{σ_pca}, ..., (P^n_v)_{σ_pca}}, Rnd_v, N + 1, t_now)
Serial number derivation:
if i = 1 then
    SN^i ← H(RIK_{P^i_v} || H^i(Rnd_v))
else
    SN^i ← H(SN^{i−1} || H^i(Rnd_v))
end if
Issuing Pseudonyms (by the PCA)
Protocol 1 Issuing Pseudonyms (by the PCA)
procedure ISSUEPSNYMS(Req)
    Req → (Id_req, t_s, t_e, (tkt)_{σ_ltca}, {(K^1_v)_{σ_{k^1_v}}, ..., (K^n_v)_{σ_{k^n_v}}}, nonce, t_now)
    Verify(LTC_ltca, (tkt)_{σ_ltca})
    Rnd_v ← GenRnd()
    for i := 1 to n do
    Begin
        Verify(K^i_v, (K^i_v)_{σ_{k^i_v}})
        RIK_{P^i_v} ← H(IK_tkt || K^i_v || t^i_s || t^i_e || H^i(Rnd_v))
        if i = 1 then
            SN^i ← H(RIK_{P^i_v} || H^i(Rnd_v))
        else
            SN^i ← H(SN^{i−1} || H^i(Rnd_v))
        end if
        ζ ← (SN^i, K^i_v, CRL_v, BF_{Γ^i_CRL}, RIK_{P^i_v}, t^i_s, t^i_e)
        (P^i_v)_{σ_pca} ← Sign(Lk_pca, ζ)
    End
    return (Id_res, {(P^1_v)_{σ_pca}, ..., (P^n_v)_{σ_pca}}, Rnd_v, nonce+1, t_now)
end procedure
CRL Construction (by the PCA)
Protocol 2 CRL Construction (by the PCA)
procedure GENCRL(Γ^i_CRL, B)
    Piece_{Γ^i_CRL} ← ∅
    repeat
        {SN^k_P, H^k_{Rnd_v}, n} ← fetchRevokedPsnyms(Γ^i_CRL)    ⊲ k: the revoked
        if SN^k_P ≠ Null then
            Piece_{Γ^i_CRL} ← Append({SN^k_P, H^k_{Rnd_v}, n})
        end if
    until SN^k_P == Null
    N ← size(Piece_{Γ^i_CRL}) / B    ⊲ calculating number of pieces with a given B
    for j ← 0, N do    ⊲ N: number of pieces in Γ^i_CRL
        Piece^j_{Γ^i_CRL} ← Split(Piece_{Γ^i_CRL}, B, N)    ⊲ splitting into N pieces
    end for
    return {(Piece^1_{Γ^i_CRL}), ..., (Piece^N_{Γ^i_CRL})}
end procedure
Publishing CRLs (by the OBUs)
Protocol 3 Publishing CRLs (by the OBUs)
procedure PUBLISHCRL()
    {(Id_req, Γ^i_CRL, [indexes])} = receiveQuery((ζ)_{σ_{P^i_v}})
    Verify(P^i_v, (ζ)_{σ_{P^i_v}})
    CRL*_{Γ^i_CRL} = searchlocal(Γ^i_CRL)    ⊲ search local repository
    j ← rand(0, ∗)    ⊲ randomly select one of the available pieces
    if CRL^j_{Γ^i_CRL} ≠ ∅ then
        broadcast({Id_res, CRL^j_{Γ^i_CRL}})
    end if
end procedure
Subscribing to CRL Pieces (by the OBUs)
Protocol 4 Subscribing to CRL Pieces (by the OBUs)
procedure SUBSCRIBECRL(Γ^i_CRL, N)
    resp_final ← ∅, j ← 0, t ← t_now + T_timeout
    repeat
        ζ ← (Id_req, Γ^i_CRL, [missing pieces indexes])
        (ζ)_{σ_v} ← Sign(k^i_v, ζ)
        broadcast((ζ)_{σ_{P^i_v}}, P^i_v)
        Piece^j_{Γ^i_CRL} ← receiveBefore(t)
        if BFTest(Piece^j_{Γ^i_CRL}, BF_{Γ^i_CRL}) then
            resp_final ← Store(Piece^j_{Γ^i_CRL})    ⊲ storing in local repository
        end if
        j ← j + 1
    until j > N
    return resp_final
end procedure
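The BFTest-before-Store check of Protocol 4, together with the fingerprint sizing used on the Bloom filter slides, as an added example (not code from the slides or from the authors). It assumes SHA-256-derived bit positions, a fingerprint whose signature has already been verified, and constructed sample pieces; the function and class names are hypothetical.

```python
import hashlib
import math


def bf_parameters(n_items: int, p: float):
    """Bloom filter size m (bits) and number of hash functions K for n_items at rate p.

    m = -n ln p / (ln 2)^2, rounded up to whole bytes; K = round((m / n) ln 2).
    """
    m_bits = math.ceil(-n_items * math.log(p) / math.log(2) ** 2)
    m_bits = 8 * math.ceil(m_bits / 8)
    k = max(1, round(m_bits / n_items * math.log(2)))
    return m_bits, k


def _positions(item: bytes, m_bits: int, k: int):
    # Assumption: the K hash functions are SHA-256 over a 2-byte counter || item.
    for i in range(k):
        digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
        yield int.from_bytes(digest, "big") % m_bits


class CrlFingerprint:
    """Bloom filter over the pieces of one CRL interval (BF of Gamma^i_CRL)."""

    def __init__(self, n_pieces: int, p: float):
        self.m_bits, self.k = bf_parameters(n_pieces, p)
        self.bits = bytearray(self.m_bits // 8)

    def add(self, piece: bytes) -> None:
        for pos in _positions(piece, self.m_bits, self.k):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def bf_test(self, piece: bytes) -> bool:
        """BFTest(): True means 'possibly in set', False means 'definitely not'."""
        return all(
            (self.bits[pos // 8] >> (pos % 8)) & 1
            for pos in _positions(piece, self.m_bits, self.k)
        )


def build_fingerprint(pieces, p: float) -> CrlFingerprint:
    """PCA side: insert every CRL piece of the interval into the fingerprint."""
    fingerprint = CrlFingerprint(len(pieces), p)
    for piece in pieces:
        fingerprint.add(piece)
    return fingerprint


def accept_pieces(fingerprint: CrlFingerprint, received):
    """OBU side (Protocol 4): store a received piece only if BFTest succeeds."""
    return [piece for piece in received if fingerprint.bf_test(piece)]


# Constructed sample data: two genuine pieces and one piece from a polluting peer.
PIECES = [b"constructed CRL piece 1", b"constructed CRL piece 2"]
FORGED = b"constructed forged CRL piece"

if __name__ == "__main__":
    fp = build_fingerprint(PIECES, 1e-30)
    print("fingerprint bytes:", len(fp.bits), "hash functions:", fp.k)
    print("stored:", accept_pieces(fp, [PIECES[1], FORGED, PIECES[0]]))
```

Each received piece costs K hash evaluations and no signature verification, which is what makes per-piece filtering cheap when peers broadcast bogus pieces.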
Parsing a CRL Piece (by the OBUs)
Protocol 5 Parsing a CRL Piece (by the OBUs)
procedure PARSECRL(Piece^j_{Γ^i_CRL})
    {SN^k, H^k(Rnd_v), n}_N ← Piece^j_{Γ^i_CRL}    ⊲ N: Number of Entries
    CRL_{Γ^i_CRL} ← ∅
    for t ← 0, N do    ⊲ N: Total number of CRL pieces
        for j ← 0, n do    ⊲ n: Number of remaining psnyms in each batch
            SN^{j+1} ← H(SN^j || H^j(Rnd_v))
            CRL_{Γ^i_CRL} ← Append(H(SN^j || H^j(Rnd_v)))
        end for
    end for
    return CRL_{Γ^i_CRL}
end procedure
CRL Publish/Subscribe
Parties: OBU1, OBU2
1. ζ ← (Id_req, Γ^i_CRL, [indexes])
2. (ζ)_{σ_v} ← Sign(k^i_v, ζ)
3. broadcast((ζ)_{σ_{P^i_v}}, P^i_v)
4. {(Id_req, Γ^i_CRL, [indexes])} = receiveQuery((ζ)_{σ_{P^i_v}})
5. Verify(P^i_v, (ζ)_{σ_{P^i_v}})
6. j ← rand(0, ∗)
7. broadcast({Id_res, CRL^j_{Γ^i_CRL}})
8. Piece^j_{Γ^i_CRL} ← receiveBefore(t)
9. BFTest(Piece^j_{Γ^i_CRL}, BF_{Γ^i_CRL})
10. resp_final ← Store(Piece^j_{Γ^i_CRL})
∆-CRL Construction (by the PCA)
procedure GENDELTACRL(Γ^j_CRL, i, K_i, B, t_now)
    Piece^{Δ_i}_{Γ^j_CRL} ← ∅
    repeat    ⊲ Fetching revoked pseudonym, not included in base-CRL
        SN_P ← fetchRevokedPsnyms(Γ^j_CRL, i, t_now)
        if SN_P ≠ Null then
            Piece^{Δ_i}_{Γ^j_CRL} ← Append(SN_P)
        end if
    until SN_P == Null
    K_{i−1} ← H(K_i)    ⊲ Calculating the key for interval i − 1
    K'_i ← H'(K_i)    ⊲ Calculating the key for interval i
    N ← size(Piece^{Δ_i}_{Γ^j_CRL}) / B    ⊲ Calculating number of pieces
    for w ← 0, N do    ⊲ N: number of pieces
        ζ ← Split(Piece^{Δ_i}_{Γ^j_CRL}, B, N)
        Piece^{Δ^w_i}_{Γ^j_CRL} ← {ζ || MAC(K'_i, ζ) || K_{i−1}}
    end for
    return {(Piece^{Δ^1_i}_{Γ^j_CRL}), ..., (Piece^{Δ^N_i}_{Γ^j_CRL})}
end procedure
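The key handling of GENDELTACRL (K_{i−1} ← H(K_i), K'_i ← H'(K_i), piece = ζ || MAC(K'_i, ζ) || K_{i−1}) with a receiver for it, as an added example that is not part of the slides. The slides give only the PCA side; the receiver below is an assumption (delayed key disclosure: a piece of interval i is buffered until K_i is disclosed by a later piece), as are the domain-separated SHA-256 for H and H', HMAC-SHA256 for MAC, an authentic K_0 held by the OBU, and all names.

```python
import hashlib
import hmac


def H(key: bytes) -> bytes:          # H: one step down the key chain (assumed SHA-256)
    return hashlib.sha256(b"chain" + key).digest()


def H_prime(key: bytes) -> bytes:    # H': derives the MAC key K'_i from K_i (assumed)
    return hashlib.sha256(b"mac-key" + key).digest()


def key_chain(seed: bytes, length: int):
    """Return [K_0, ..., K_length] with K_length = seed and K_{i-1} = H(K_i)."""
    keys = [seed]
    for _ in range(length):
        keys.append(H(keys[-1]))
    keys.reverse()
    return keys


def gen_delta_piece(zeta: bytes, k_i: bytes):
    """PCA side: (zeta, MAC(K'_i, zeta), K_{i-1}) for a Delta-CRL piece of interval i."""
    tag = hmac.new(H_prime(k_i), zeta, hashlib.sha256).digest()
    return zeta, tag, H(k_i)


class DeltaCrlReceiver:
    """OBU side (assumed): buffer pieces of interval i until K_i is disclosed."""

    def __init__(self, anchor_k0: bytes):
        self.last_key, self.last_index = anchor_k0, 0   # newest authenticated key
        self.pending = {}                               # interval -> [(zeta, tag)]
        self.accepted = []                              # [(interval, zeta)]

    def receive(self, interval: int, piece) -> bool:
        zeta, tag, disclosed = piece                    # disclosed claims to be K_{interval-1}
        if interval <= self.last_index:
            return False    # K_interval is already public, so its MAC proves nothing
        probe = disclosed
        for _ in range(interval - 1 - self.last_index):
            probe = H(probe)
        if not hmac.compare_digest(probe, self.last_key):
            return False    # disclosed key does not hash down to the authenticated key
        self.last_key, self.last_index = disclosed, interval - 1
        self._release()
        self.pending.setdefault(interval, []).append((zeta, tag))
        return True

    def _release(self) -> None:
        """Verify buffered pieces of every interval whose key is now known."""
        for j in sorted(i for i in self.pending if i <= self.last_index):
            key_j = self.last_key
            for _ in range(self.last_index - j):
                key_j = H(key_j)
            mac_key = H_prime(key_j)
            for zeta, tag in self.pending.pop(j):
                expected = hmac.new(mac_key, zeta, hashlib.sha256).digest()
                if hmac.compare_digest(tag, expected):
                    self.accepted.append((j, zeta))


if __name__ == "__main__":
    keys = key_chain(b"constructed chain seed", 3)      # constructed sample keys
    obu = DeltaCrlReceiver(keys[0])
    obu.receive(1, gen_delta_piece(b"constructed SN list A", keys[1]))
    obu.receive(2, gen_delta_piece(b"constructed SN list B", keys[2]))
    print(obu.accepted)
```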
Parsing a CRL Piece (by the OBUs)
procedure PARSECRL(Piece^j_{Γ^i_CRL}, N)
    {SN_z, Rnd_z, n_z}_N ← Piece^j_{Γ^i_CRL}
    CRL_{Γ^i_CRL} ← ∅
    for z ← 1, N do    ⊲ N: Number of entries in this piece
        for w ← 1, n_z do    ⊲ n: Number of remaining pseudonyms
            CRL_{Γ^i_CRL} ← Append(H(SN_z || H^w_z(Rnd_z)))
            SN_z ← H(SN_z || H^w_z(Rnd_z))
        end for
    end for
    return CRL_{Γ^i_CRL}
end procedure
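The serial-number hash chain of Protocol 1 and its expansion by PARSECRL, end to end, as an added example (not the authors' code). It assumes SHA-256 for H, plain concatenation of fixed-length fields for "||", and constructed sample keys and timestamps; the function names are hypothetical, and the disclosed SN^k itself is included in the expanded list.

```python
import hashlib


def H(data: bytes) -> bytes:
    """SHA-256, standing in for the hash function H of the protocols."""
    return hashlib.sha256(data).digest()


def H_iter(value: bytes, times: int) -> bytes:
    """H^times(value): apply H repeatedly."""
    for _ in range(times):
        value = H(value)
    return value


def issue_serials(ik_tkt: bytes, pub_keys, lifetimes, rnd_v: bytes):
    """PCA side (Protocol 1): serial numbers SN^1..SN^n of one pseudonym batch."""
    serials = []
    for i, (key, (t_s, t_e)) in enumerate(zip(pub_keys, lifetimes), start=1):
        link = H_iter(rnd_v, i)                          # H^i(Rnd_v)
        if i == 1:
            rik = H(ik_tkt + key + t_s + t_e + link)     # RIK of the first pseudonym
            serials.append(H(rik + link))                # SN^1 = H(RIK || H^1(Rnd_v))
        else:
            serials.append(H(serials[-1] + link))        # SN^i = H(SN^{i-1} || H^i(Rnd_v))
    return serials


def crl_entry(serials, rnd_v: bytes, k: int):
    """PCA side (Protocol 2): entry {SN^k, H^k(Rnd_v), n} when revoking from index k."""
    return serials[k - 1], H_iter(rnd_v, k), len(serials) - k


def parse_entry(sn_k: bytes, h_k: bytes, n: int):
    """OBU side (PARSECRL): expand one entry into SN^k, SN^{k+1}, ..., SN^{k+n}."""
    revoked = [sn_k]
    sn, link = sn_k, h_k
    for _ in range(n):
        link = H(link)           # H^{k+w}(Rnd_v), computable from the disclosed H^k(Rnd_v)
        sn = H(sn + link)        # next serial number on the chain
        revoked.append(sn)
    return revoked


# Constructed sample batch of 8 pseudonyms with 60 s lifetimes.
IK_TKT = H(b"constructed ticket identifiable key")
RND_V = H(b"constructed Rnd_v")
PUB_KEYS = [H(f"constructed pseudonym key {i}".encode()) for i in range(1, 9)]
LIFETIMES = [((60 * i).to_bytes(8, "big"), (60 * (i + 1)).to_bytes(8, "big"))
             for i in range(8)]

if __name__ == "__main__":
    serials = issue_serials(IK_TKT, PUB_KEYS, LIFETIMES, RND_V)
    revoked = parse_entry(*crl_entry(serials, RND_V, k=3))
    print("revoked pseudonyms recovered from one entry:", len(revoked))
    print("matches SN^3..SN^8:", revoked == serials[2:])
```

One entry revokes the rest of the batch, while SN^1 and SN^2 stay unlinkable to it because H cannot be inverted to obtain H^{k−1}(Rnd_v) from H^k(Rnd_v).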
Qualitative Analysis
◮ Fine-grained authentication, integrity, and non-repudiation: signed fingerprints
◮ Unlinkability (perfect-forward-privacy): multi-session pseudonym requests, timely-aligned pseudonym lifetime, utilization of hash chains
◮ Availability: leveraging RSUs and car-to-car epidemic distribution
◮ Efficiency: efficient construction of fingerprints, fast validation per piece, and implicit binding of a batch
◮ Explicit and/or implicit notification on revocation events: broadcasting signed fingerprints, also integrated into a subset of recently issued pseudonyms
Qualitative Analysis (cont'd)
Figure: (a) CRL size comparison for C2RL and vehicle-centric scheme (10,000 revoked vehicles). (b) Achieving vehicle-centric comparable CRL size for the C2RL scheme.
(a) CRL size comparison: CRL size [KB] vs. avg. number of revoked pseudonyms per entity (per $\Gamma_{CRL}$); series: Bloom Filter with $p = 10^{-10}, 10^{-20}, 10^{-30}, 10^{-40}, 10^{-50}$, and Vehicle-Centric Scheme.
(b) C2RL [6] as a factor of false positive rate: false positive rate ($p$) vs. avg. number of revoked pseudonyms per entity (per $\Gamma_{CRL}$).
◮ $m_{BF} = -\frac{N \times M \times \ln p}{(\ln 2)^2}$, where $N$ is the total number of compromised vehicles and $M$ is the average number of revoked pseudonyms per vehicle per $\Gamma_{CRL}$.
◮ Significant improvement over C2RL: 2.6x reduction in CRL size when $M = 10$ and $p = 10^{-30}$.
Qualitative Analysis (cont'd)
Figure: Extra overhead for CRL fingerprints.
(a) Vehicle-centric scheme: false positive rate ($10^{-1}$ to $10^{-50}$) vs. size of a Bloom filter [Bytes]; series: 5, 10, 15, 20 CRL pieces.
(b) Precode-and-hash scheme [8]: size of CRL fingerprint [Bytes] vs. number of CRL pieces; series: SHA-512 (512 bits), SHA-384 (384 bits), SHA-256 (256 bits), SHA-224 (224 bits), SHA-1 (160 bits), BF ($p = 10^{-30}$), BF ($p = 10^{-25}$).
Qualitative Analysis (cont'd)
◮ BF trades off communication overhead for false positive rate
◮ BF size increases linearly as the false positive rate decreases
An adversary targeting the BF false positive rate:
◮ Excluding revoked pseudonym serial numbers from a CRL
◮ Adding valid pseudonyms by forging a fake CRL (piece)
Figure: Query-only attack on the CRL fingerprints; adversary's computational power is $1.6 \times 10^{18}$ TH/sec. Axes: probability of false positive ($10^{-20}$ to $10^{-24}$) vs. time to generate a bogus CRL piece [hour]; data labels: 1.2 hour, 12.4 hours, 129.7 hours, 1350.2 hours.
With Antminer-S9 (14TH/s, $3,000), $\Gamma_{CRL}$ = 1 hour and $p = 10^{-20}$ ($K = 67$):
◮ 132,936 Antminer-S9 ($400M) to generate a bogus piece in 1 hour ($\frac{10^{20} \times 67}{14 \times 10^{12}}$)
With AntPool (1,604,608 TH/s): 70 minutes to generate a fake piece!
◮ With $p = 10^{-22}$ ($K = 73$): 5 days ($\frac{10^{22} \times 73}{1.6 \times 10^{18}} = 126$h)
◮ With $p = 10^{-23}$ ($K = 76$): 55 days ($\frac{10^{23} \times 76}{1.6 \times 10^{18}} = 1{,}319$h)
Qualitative Analysis (cont'd)
Figure: Chosen-insertion attack on the CRL fingerprint.
(a) Probability of false positive vs. number of inserted items (100 to 600); series: BF size 100B, 200B, 300B, 400B, 500B.
(b) Probability of false positive vs. number of inserted items (5 to 50); series: BF size 100B; data labels: 4.4e-74, 6.3e-32, 3.2e-17, 1.8e-10, 9.3e-07, 0.00015, 0.0035.
Quantitative Analysis
◮ OMNET++ & Veins framework using SUMO
◮ Cryptographic protocols and primitives (OpenSSL): Elliptic Curve Digital Signature Algorithm (ECDSA)-256 and SHA-256 as per IEEE 1609.2 and ETSI standards
◮ V2X communication over IEEE 802.11p
◮ Placement of the RSUs: "highly-visited" intersections with non-overlapping radio ranges
◮ Comparison with the baseline scheme [9]: under the same assumptions and configuration with the same parameters
◮ Evaluation of: efficiency (latency), resilience (to pollution/DoS attacks), resource consumption (computation/communication)
Figure: The LuST dataset, a full-day realistic mobility pattern in the city of Luxembourg (15KM x 15KM) [Codeca et al. (2015)].
Quantitative Analysis (cont'd)
Table: Simulation Parameters (LuST dataset).
| Parameters | Value | Parameters | Value |
|---|---|---|---|
| CRL/Fingerprint TX interval | 0.5s/5s | Pseudonym lifetime | 30s-600s |
| Carrier frequency | 5.89 GHz | Area size | 15 KM × 15 KM |
| TX power | 20mW | Number of vehicles | 138,259 |
| Physical layer bit-rate | 18Mbps | Number of trips | 287,939 |
| Sensitivity | -89dBm | Average trip duration | 692.81s |
| Thermal noise | -110dBm | Duration of simulation | 4 hour (7-9, 17-19) |
| CRL dist. Bandwidth (B) | 10, 25, 50 KB/s | Γ | 1-60 min |
| Number of RSUs | 100 | Γ_CRL | 60 min |

Table: LuST Revocation Information (R = 1%, B = 10KB/s).
| Pseudonym Lifetime | Number of Psnyms | Number of Revoked Psnyms | Average Number per Γ_CRL | Number of Pieces |
|---|---|---|---|---|
| τ_P = 30s | 3,425,565 | 34,256 | 1,428 | 12 |
| τ_P = 60s | 1,712,782 | 17,128 | 710 | 6 |
| τ_P = 300s | 342,556 | 3,426 | 143 | 2 |
| τ_P = 600s | 171,278 | 1,713 | 72 | 1 |
Quantitative Analysis (cont'd)
Figure: (a) End-to-end latency to fetch CRL pieces. (b) Percentage of cognizant vehicles.
(a) Vehicle-centric scheme (B = 10 KB/s): cumulative probability vs. delay to fetch CRL [s]; series: τ_P = 30s, 60s, 300s, 600s.
(b) Vehicle-centric scheme (B = 10 KB/s): percentage of cognizant vehicles vs. system time [s]; series: τ_P = 30s, 60s, 300s, 600s.
Quantitative Analysis (cont'd)
Figure: (a) Average end-to-end delay to download CRLs. (b) Dissemination of CRL fingerprints.
(a) Vehicle-centric scheme (B = 25 KB/s): avg. E2E delay to download CRL [s] vs. number of RSUs; series: revocation rate 0.5%, 1%, 2%, 3%, 4%, 5%.
(b) Vehicle-centric scheme (TX = 5s): percentage of cognizant vehicles vs. system time [s]; series: 0% reliable connectivity (RSU-only), 1%, 5%, 10%, 20% reliable connectivity.
◮ Total number of pseudonyms is 1.7M ($\tau_P = 60$s).
◮ Signed fingerprint of CRL pieces periodically broadcasted only by RSUs [8], or broadcasted by RSUs (365 bytes with TX = 5s) and, in addition, integrated into a subset of pseudonyms with 36 bytes of extra overhead ($p = 10^{-30}$, $R = 0.5\%$).
Quantitative Analysis (cont'd)
Figure: End-to-end delay to fetch CRLs ($R = 1\%$, $\tau_P = 60$s).
(a) 7:00-7:10 am (B = 25 KB/s): number of cognizant vehicles vs. system time [s]; series: Total Number of Vehicles, Baseline Scheme, Vehicle-Centric Scheme.
(b) 7-9 am, 5-7 pm (B = 25 KB/s): cumulative probability vs. delay to fetch CRL [s]; series: Baseline Scheme, Vehicle-Centric Scheme.
Converging more than 40 times faster than the state-of-the-art:
◮ Baseline scheme: $F_x(t = 626\,\mathrm{s}) = 0.95$
◮ Vehicle-centric scheme: $F_x(t = 15\,\mathrm{s}) = 0.95$
Quantitative Analysis (cont'd)
Figure: Cognizant vehicles with different revocation rates.
(a) Baseline scheme (B = 50 KB/s): number of cognizant vehicles vs. system time [s]; series: Total Number of Vehicles, revocation rate 0.5%, 1%, 2%, 3%, 4%, 5%.
(b) Vehicle-centric scheme (B = 50 KB/s): number of cognizant vehicles vs. system time [s]; series: Total Number of Vehicles, revocation rate 0.5%, 1%, 2%, 3%, 4%, 5%.
◮ $T$: the total number of pseudonyms; $R$: the revocation rate.
◮ Size of CRLs for the Baseline: $T \times R$, linearly increases with $R$
◮ Size of an effective CRL for vehicle-centric: $\frac{T \times R}{|\Gamma_{CRL}|}$, where $|\Gamma_{CRL}|$ is the number of intervals in a day, e.g., $|\Gamma_{CRL}|$ is 24 when $\Gamma_{CRL} = 1$h.
Quantitative Analysis (cont'd)
Figure: Resilience comparison against selfish nodes with different revocation rates (7:00-7:30, $\tau_P = 30$s, $B = 50$KB/s).
(a) Baseline scheme: avg. E2E delay to download CRL [s] vs. revocation rates (0.5% to 5%); series: 0%, 5%, 10%, 25%, 50% selfish nodes.
(b) Vehicle-centric scheme: avg. E2E delay to download CRL [s] vs. revocation rates (0.5% to 5%); series: 0%, 5%, 10%, 25%, 50% selfish nodes.
◮ Selfish nodes do not perform any "active" attacks; rather, they become silent and they never respond to a CRL piece request.
Quantitative Analysis (cont'd)
Figure: Resilience comparison against DoS attacks.
(a) Baseline scheme (B = 25 KB/s): percentage of cognizant vehicles vs. system time [s]; series: no attackers, 1%, 5%, 10%, 25%, 50% attackers.
(b) Vehicle-centric scheme (B = 25 KB/s): percentage of cognizant vehicles vs. system time [s]; series: no attackers, 1%, 5%, 10%, 25%, 50% attackers.
◮ Attackers periodically broadcast fake CRL pieces once every 0.5 second.
◮ The resilience to pollution and DoS attacks stems from three factors:
  ◮ A huge reduction of the CRL size
  ◮ Efficient verification of CRL pieces
  ◮ Integrating the fingerprint of CRL pieces in a subset of pseudonyms
Quantitative Analysis (cont'd)
Figure: Resilience comparison against pollution and DoS attacks with different revocation rates (7:00-7:10, $\tau_P = 30$s, $B = 50$KB/s).
(a) Baseline scheme: avg. E2E delay to download CRL [s] vs. revocation rates (0.5% to 5%); series: 0%, 1%, 5%, 10%, 25%, 50% attackers.
(b) Vehicle-centric scheme: avg. E2E delay to download CRL [s] vs. revocation rates (0.5% to 5%); series: 0%, 1%, 5%, 10%, 25%, 50% attackers.
◮ Attackers periodically broadcast fake CRL pieces once every 0.5 second.
◮ The resilience to pollution and DoS attacks stems from three factors:
  ◮ A huge reduction of the CRL size
  ◮ Efficient verification of CRL pieces
  ◮ Integrating the fingerprint of CRL pieces in a subset of pseudonyms
Quantitative Analysis (cont'd)
Figure: (a) Bandwidth-delay trade off ($\tau_P = 60$s). (b) CDF of end-to-end delay with different bandwidth ($\tau_P = 30$s, $R = 5\%$).
(a) Vehicle-centric scheme: avg. E2E delay to download CRL [s] vs. maximum bandwidth (5 to 100); series: revocation rate 0.5%, 1%, 2%, 3%, 4%, 5%.
(b) Vehicle-centric scheme: cumulative probability vs. delay to fetch CRL [s]; series: bandwidth 5, 10, 25, 50, 75, 100 KB/s.
Quantitative Analysis (cont'd)
Figure: End-to-end delay to fetch ∆-CRL pieces and validation keys for vehicle-centric scheme ($\tau_P = 60$ sec., $R = 5\%$, $\gamma_{key} = 0.5$, $\gamma_{piece} = 2$).
(a) 7:05-7:10 am (B = 10 KB/s): number of cognizant vehicles vs. system time [s]; series: Total Number of Vehicles, ∆-CRL Pieces, ∆-CRL Validation Keys.
(b) 7:05-7:10 am (B = 10 KB/s): cumulative probability vs. end-to-end latency [s]; series: ∆-CRL Pieces, ∆-CRL Validation Keys.
Quantitative Analysis (cont'd)
Figure: End-to-end delay to fetch CRLs ($\tau_P = 60$s, $R = 1\%$).
(a) 7:00-7:10 am (B = 25 KB/s): percentage of cognizant vehicles vs. system time [s]; series: Baseline Scheme, Vehicle-Centric Scheme.
(b) 7-9 am, 5-7 pm (B = 25 KB/s): cumulative probability vs. delay to fetch CRL [s]; series: Baseline Scheme, Vehicle-Centric Scheme.
Quantitative Analysis (cont'd)
Figure: (a) CDF of latency to successfully obtain CRL pieces (50% attackers). (b) CRL download failure ratio as a function of DoS attackers ($\tau_P = 30$s, $B = 50$KB/s).
(a) CDF of delays under a DoS attack: cumulative probability vs. delay to fetch CRL [s]; series: Baseline Scheme: 50% Attackers, Vehicle-Centric: 50% Attackers.
(b) Probability of failure: CRL download failure ratio vs. percentage of attackers (0%, 1%, 5%, 10%, 25%, 50%); series: Baseline Scheme, Vehicle-centric Scheme; data labels: 0.179, 0.197, 0.250, 0.296, 0.451, 0.590; 0.015, 0.015, 0.015, 0.015, 0.019, 0.020.
Quantitative Analysis (cont'd)
Figure: Probability of successful CRL pieces reception ($\tau_P = 30$s, $B = 50$KB/s). (a) and (d): no attacks. (b), (c), (e), (f): under a DoS attack. Axes in every panel: probability of reception vs. CRL pieces indices.
(a) Baseline: no attackers. Data labels: 0.095, 0.005, 0.002, 0.004, 0.010, 0.603.
(b) Baseline: 10% attackers. Data labels: 0.102, 0.006, 0.005, 0.012, 0.021, 0.276.
(c) Baseline: 50% attackers. Data labels: 0.177, 0.019, 0.012, 0.011, 0.014, 0.058.
(d) Vehicle-centric: no attackers. Data labels: 0.012, 0.002, 0.005, 0.981.
(e) Vehicle-centric: 10% attackers. Data labels: 0.012, 0.001, 0.007, 0.980.
(f) Vehicle-centric: 50% attackers. Data labels: 0.014, 0.006, 0.007, 0.974.
Quantitative Analysis (cont'd)
Figure: (a) Computation latency comparison. (b) Security overhead comparison, averaged every 30s ($R = 1\%$, $B = 50$KB/s).
(a) End-to-end latency: computation latency [ms] vs. number of CRL pieces; series: signing delay and verification delay using the Baseline Scheme, signing delay and verification delay using the Vehicle-Centric Scheme.
(b) Cryptographic overhead: security comm. overhead [KB/s] vs. system time [s]; series: Baseline Scheme, Vehicle-Centric with 0%, 1%, 5%, 10%, 15%, 20% BF-Carrier.
◮ Cryptographic protocols were executed on a VM (dual-core 2.0 GHz).
◮ Signed fingerprint broadcasted every 5s via RSUs (365 bytes long), also integrated into a subset of pseudonyms (36 bytes extra overhead, $p = 10^{-30}$).
Conclusion
◮ A practical framework to effectively distribute CRLs in VC systems
◮ Highly efficient, scalable, and resilient design
◮ Viable solution towards catalyzing the deployment of the secure and privacy-protecting VC systems
Bibliography
[1] P. Papadimitratos et al., "Securing Vehicular Communications-Assumptions, Requirements, and Principles," in ESCAR, Berlin, Germany, Nov. 2006.
[2] P. Papadimitratos et al., "Secure Vehicular Communication Systems: Design and Architecture," IEEE Comm. Mag., vol. 46, no. 11, pp. 100-109, Nov. 2008.
[3] W. Whyte, A. Weimerskirch, V. Kumar, and T. Hehn, "A Security Credential Management System for V2V Communications," in IEEE VNC, Boston, MA, Dec. 2013.
[4] V. Kumar et al., "Binary Hash Tree based Certificate Access Management for Connected Vehicles," in ACM WiSec, Boston, USA, July 2017.
[5] M. Khodaei, H. Jin, and P. Papadimitratos, "SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems," IEEE T-ITS, vol. 19, no. 5, pp. 1430-1444, May 2018.
[6] M. Raya et al., "Certificate Revocation in Vehicular Networks," Technical Report, EPFL, Switzerland, 2006.
[7] S. Tarkoma et al., "Theory and Practice of Bloom Filters for Distributed Systems," IEEE Communications Surveys & Tutorials, vol. 14, no. 1, pp. 131-155, Apr. 2011.
[8] V.-T. Nguyen et al., "Secure Content Distribution in Vehicular Networks," arXiv preprint arXiv:1601.06181, Jan. 2016, Accessed Date: 30-July-2017.
[9] J.-J. Haas, Y.-C. Hu, and K.-P. Laberteaux, "Efficient Certificate Revocation List Organization and Distribution," IEEE JSAC, vol. 29, no. 3, pp. 595-604, 2011.
[10] M. Khodaei and P. Papadimitratos, "Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs," in ACM WiSec, Stockholm, Sweden, June 2018.