SECMACE: Scalable and Robust Identity and Credential Infrastructure

SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication IEEE Transactions on Intelligent Transportation Systems (IEEE ITS), vol. 19, no. 5, May 2018 Mohammad Khodaei, Hongyu Jin, and Panos Papadimitratos


slide-1
SLIDE 1

SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication

IEEE Transactions on Intelligent Transportation Systems (IEEE ITS), vol. 19, no. 5, May 2018

Mohammad Khodaei, Hongyu Jin, and Panos Papadimitratos Networked Systems Security Group www.ee.kth.se/nss

1 / 54

slide-2
SLIDE 2

Introduction

Vehicular communication systems (VCS)

Illustration: C2C-CC

2 / 54

slide-3
SLIDE 3

Introduction

VCS security and privacy requirements∗

Figure: vehicular communication with two RSUs; example messages: "Warning: Emergency vehicle approaching in area (X,Y,Z)!" and "Warning: Ambulance approaching at (x,y,z)! Slow down and yield".

  • Authentication & integrity
  • Non-repudiation
  • Authorization & access control
  • Conditional anonymity
  • Unlinkability (long-term)

∗Securing vehicular communications - assumptions, requirements, and principles, ESCAR 2006

3 / 54

slide-4
SLIDE 4

Introduction

VCS security and privacy: Basic ideas∗

Figure: Vehicle V sends Vehicle U the message "Warning: Accident at (x,y,z)!". Message fields: Payload; Location: (xV, yV, zV); Time: tV; CertCA(V, KV, AV, T); Signature with kV.

  • Ephemeral pseudonymous credentials; conditional anonymity
  • Digitally signed V2X communications
  • Hybrid approach: combination of anonymous and pseudonymous authentication

∗Secure vehicular communication systems: design and architecture, IEEE CommMag 2008

4 / 54

slide-5
SLIDE 5

Introduction

VCS security and privacy: Basic ideas (cont’d)

First demo, 2008; final event, 2015

5 / 54

slide-6
SLIDE 6

Introduction

VCS security and privacy: Basic ideas (cont’d)

Figure: multi-domain VPKI overview. Domains A, B and C each have an LTCA, a PCA and an RA; an RCA and LDAP directories are shown; vehicles connect via RSUs and 3/4G; message dissemination among vehicles. Legend: "A certifies B", cross-certification, communication link.

6 / 54

slide-7
SLIDE 7

Introduction

VCS security and privacy: Basic ideas (cont’d)

  • Vehicles registered with one Long Term CA (LTCA) (home domain)
  • Pseudonym CA (PCA) servers in one or multiple domains
  • Vehicles can obtain pseudonyms from any PCA (in home or foreign domains)
  • Establish trust among entities with a Root CA (RCA) or with cross-certification
  • Resolve a pseudonym with the help of a Resolution Authority (RA)

7 / 54

slide-8
SLIDE 8

Introduction

VCS security and privacy: Basic ideas (cont’d)

Adversaries

  • Malicious users/vehicles/nodes (On-Board Units (OBUs))
      • Arbitrary behavior
      • “Sybil” users (each posing as multiple users)
      • Collusion
  • Selfish users
  • Honest-but-curious system infrastructure (security & privacy infrastructure servers)
      • Correct protocol execution
      • Curious to infer private user information

8 / 54

slide-9
SLIDE 9

VPKI

Designing the VCS security infrastructure

  • Focus: Vehicular Public-Key Infrastructure (VPKI)
  • Design, analyze, implement and evaluate the VPKI
      • Management of credentials: provisioning, revocation, resolution
      • Protocols for all vehicle-to-VPKI and intra-VPKI interactions
  • Challenges: complexity and constraints
      • Security and privacy
      • Multiple and diverse entities, global deployment, long-lived entities
      • Short-lived credentials, very large numbers
      • Cost-driven platform resource constraints

9 / 54

slide-10
SLIDE 10

VPKI

Designing the VCS security infrastructure: goals

  • Resilience to honest-but-curious VPKI entities
  • Eradication of Sybil-based misbehavior
  • Standard-compliant implementation
  • Scalability
  • Multi-domain operation
  • Efficiency
  • Revocation and resolution

10 / 54

slide-11
SLIDE 11

VPKI

Designing the VCS security infrastructure: System instance

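Figure: system instance with a Home Domain (A) and a Foreign Domain (B). Entities shown: H-LTCA, F-LTCA, RCA, a PCA and an RA per domain, and LDAP. Legend: "A certifies B", communication link.

Steps labelled in the figure (Arabic-numbered sequence, then Roman-numbered sequence):

  • 1. LTC
  • 2. n-tkt
  • 3. psnym req.
  • 4. psnyms acquisition
  • I. f-tkt req.
  • II. f-tkt
  • III. n-tkt
  • IV. psnym req.
  • V. psnyms acquisition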

11 / 54

slide-12
SLIDE 12

VPKI

Designing the VCS security infrastructure: Pseudonym acquisition policies

Figure: timelines (system time against trip duration) for the three policies: User-controlled policy (P1), Oblivious policy (P2, intervals ΓP2) and Universally fixed policy (P3, intervals ΓP3). Each pseudonym has lifetime τP. Labels: tstart, tend, Expired Pseudonym, Unused Pseudonyms.

  • P1 & P2: Requests could be user “fingerprints”: exact times of requests throughout the trip
  • P3: Request intervals falling within “universally” fixed intervals ΓP3; pseudonym lifetimes aligned with the PCA clock

12 / 54

slide-13
SLIDE 13

VPKI

Ticket and pseudonym acquisition

Participants: V, LTCA, PCA

  • 1. H(PCA_ID ‖ Rnd_256), t_s, t_e, LTC_v, N, t
  • 2. Cert(LTC_ltca, tkt)
  • 3. tkt, N + 1, t
  • 4. tkt, Rnd_256, t_s′, t_e′, {(K_v^1)_σ(k_v^1), ..., (K_v^n)_σ(k_v^n)}, N′, t
  • 5. Cert(LTC_pca, P_v^i)
  • 6. {P_v^1, ..., P_v^n}, N′ + 1, t

13 / 54

slide-14
SLIDE 14

VPKI

Ticket acquisition protocols

Protocol 1: Ticket Request (from the LTCA)

    procedure REQTICKET(P_x, Γ_Px, t_s, t_e, t_date)
        if P_x = P1 then
            (t_s, t_e) ← (t_s, t_e)
        else if P_x = P2 then
            (t_s, t_e) ← (t_s, t_s + Γ_P2)
        else if P_x = P3 then
            (t_s, t_e) ← (t_date + Γ_P3^i, t_date + Γ_P3^(i+1))
        end if
        ζ ← (Id_tkt-req, H(Id_PCA ‖ Rnd_tkt), t_s, t_e)
        (ζ)_σv ← Sign(Lk_v, ζ)
        return ((ζ)_σv, LTC_v, N, t_now)
    end procedure

Run over Transport Layer Security (TLS) with mutual authentication

Protocol 2: Issuing a Ticket (by the LTCA)

    procedure ISSUETICKET((msg)_σv, LTC_v, N, t_now)
        Verify(LTC_v, (msg)_σv)
        IK_tkt ← H(LTC_v ‖ t_s ‖ t_e ‖ Rnd_IKtkt)
        ζ ← (SN, H(Id_PCA ‖ Rnd_tkt), IK_tkt, Rnd_IKtkt, t_s, t_e, Exp_tkt)
        (tkt)_σltca ← Sign(Lk_ltca, ζ)
        return ((tkt)_σltca, N + 1, t_now)
    end procedure

  • “ticket identifiable key” (IK_tkt): it binds a ticket to the corresponding Long Term Certificate (LTC)
  • A faulty LTCA cannot resolve an LTC other than the one the ticket was issued for

14 / 54

slide-15
SLIDE 15

VPKI

Pseudonym acquisition protocols

Protocol 3: Pseudonym Request (from the PCA)

    procedure REQPSNYMS(t_s, t_e, (tkt)_σltca)
        for i := 1 to n do
        begin
            Generate(K_v^i, k_v^i)
            (K_v^i)_σ(k_v^i) ← Sign(k_v^i, K_v^i)
        end
        psnymReq ← (Id_req, Rnd_tkt, t_s, t_e, (tkt)_σltca, {(K_v^1)_σ(k_v^1), ..., (K_v^n)_σ(k_v^n)}, N, t_now)
        return psnymReq
    end procedure

Run over TLS with unidirectional (server-only) authentication

Protocol 4: Issuing Pseudonyms (by the PCA)

    procedure ISSUEPSNYMS(psnymReq)
        psnymReq → (Id_req, Rnd_tkt, t_s, t_e, (tkt)_σltca, {(K_v^1)_σ(k_v^1), ..., (K_v^n)_σ(k_v^n)}, N, t_now)
        Verify(LTC_ltca, (tkt)_σltca)
        H(Id_this-PCA ‖ Rnd_tkt) ?= H(Id_PCA ‖ Rnd_tkt)
        [t_s, t_e] ?= ([t_s, t_e])_tkt
        for i := 1 to n do
        begin
            Verify(K_v^i, (K_v^i)_σ(k_v^i))
            IK_P^i ← H(IK_tkt ‖ K_v^i ‖ t_s^i ‖ t_e^i ‖ Rnd_IK_v^i)
            ζ ← (SN^i, K_v^i, IK_P^i, Rnd_IK_v^i, t_s^i, t_e^i)
            (P_v^i)_σpca ← Sign(Lk_pca, ζ)
        end
        return ({(P_v^1)_σpca, ..., (P_v^n)_σpca}, N + 1, t_now)
    end procedure

  • “pseudonym identifiable key” (IK_P^i): it binds a pseudonym to the corresponding ticket
  • A faulty PCA cannot resolve pseudonyms other than the ones issued for the ticket

15 / 54
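Added example (not code from the paper or its C++ implementation): a Python sketch of the hash bindings in Protocols 2 and 4 and of the PCA-side ticket checks. Assumptions: signatures are omitted, public keys are opaque byte strings, "‖" is encoded with length prefixes, pseudonym lifetimes are consecutive slots of length tau_p, and all class and function names are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass


def H(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (assumed encoding of a || b || ...)."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


def enc(t: int) -> bytes:
    return t.to_bytes(8, "big")


@dataclass(frozen=True)
class Ticket:            # zeta of Protocol 2; LTCA signature omitted
    sn: bytes
    pca_commit: bytes    # H(Id_PCA || Rnd_tkt): target PCA stays hidden from the LTCA
    ik_tkt: bytes        # H(LTC_v || t_s || t_e || Rnd_IKtkt)
    rnd_ik_tkt: bytes
    t_s: int
    t_e: int


@dataclass(frozen=True)
class Pseudonym:         # zeta of Protocol 4; PCA signature omitted
    sn: bytes
    pub_key: bytes
    ik_p: bytes          # H(IK_tkt || K_v^i || t_s^i || t_e^i || Rnd_IK_v^i)
    rnd_ik: bytes
    t_s: int
    t_e: int


class LTCA:
    def __init__(self):
        self.lifetimes = {}  # LTC -> [(t_s, t_e), ...] of tickets already issued

    def issue_ticket(self, ltc, pca_commit, t_s, t_e):
        # Sybil defence: never issue tickets with overlapping lifetimes.
        if any(t_s < b and a < t_e for a, b in self.lifetimes.get(ltc, [])):
            raise ValueError("overlapping ticket lifetime")
        self.lifetimes.setdefault(ltc, []).append((t_s, t_e))
        rnd = os.urandom(32)
        ik = H(ltc, enc(t_s), enc(t_e), rnd)
        return Ticket(os.urandom(8), pca_commit, ik, rnd, t_s, t_e)


class PCA:
    def __init__(self, pca_id: bytes):
        self.pca_id = pca_id
        self.used_tickets = set()  # record of used tickets

    def issue_pseudonyms(self, tkt, rnd_tkt, t_s, t_e, pub_keys, tau_p):
        if H(self.pca_id, rnd_tkt) != tkt.pca_commit:
            raise ValueError("ticket is bound to a different PCA")
        if not (tkt.t_s <= t_s < t_e <= tkt.t_e):
            raise ValueError("requested interval outside ticket lifetime")
        if t_s + len(pub_keys) * tau_p > t_e:
            raise ValueError("more pseudonyms than the interval holds")
        if tkt.sn in self.used_tickets:
            raise ValueError("ticket already used")
        self.used_tickets.add(tkt.sn)
        out = []
        for i, k in enumerate(pub_keys):
            s, e, rnd = t_s + i * tau_p, t_s + (i + 1) * tau_p, os.urandom(32)
            ik_p = H(tkt.ik_tkt, k, enc(s), enc(e), rnd)
            out.append(Pseudonym(os.urandom(8), k, ik_p, rnd, s, e))
        return out


def ticket_binds_ltc(tkt, ltc) -> bool:
    """Resolution check: recompute IK_tkt from the LTC the LTCA claims."""
    return H(ltc, enc(tkt.t_s), enc(tkt.t_e), tkt.rnd_ik_tkt) == tkt.ik_tkt


def pseudonym_binds_ticket(p, tkt) -> bool:
    """Resolution check: recompute IK_P from the ticket the PCA claims."""
    return H(tkt.ik_tkt, p.pub_key, enc(p.t_s), enc(p.t_e), p.rnd_ik) == p.ik_p
```

The two `*_binds_*` functions are what lets a resolving party reject a faulty LTCA or PCA that names a different LTC or ticket than the one actually issued for.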

slide-16
SLIDE 16

VPKI

Roaming user: Foreign ticket authentication

16 / 54

slide-17
SLIDE 17

VPKI

Ticket and pseudonym acquisition in a foreign domain

17 / 54

slide-18
SLIDE 18

VPKI

Pseudonym revocation and resolution

Participants: RA, PCA, LTCA

  • 1. P^i, N, t
  • 2. Update CRL
  • 3. tkt, N + 1, t
  • 4. SN_tkt, N′, t
  • 5. Resolve LTC_v
  • 6. LTC_v, N′ + 1, t

18 / 54

slide-19
SLIDE 19

Analysis & evaluation

Security analysis

  • Communication integrity, confidentiality, and non-repudiation
      • Certificates, TLS and digital signatures
  • Authentication, authorization and access control
      • LTCA is the policy decision and enforcement point
      • PCA grants the service
      • Discovery of available servers: Lightweight Directory Access Protocol (LDAP)
  • Concealing PCAs, F-LTCA, and actual pseudonym acquisition times
      • Sending H(PCA_id ‖ Rnd_256), t_s, t_e, LTC_v to the H-LTCA
      • A PCA verifies whether [t_s′, t_e′] ⊆ [t_s, t_e]
  • Thwarting Sybil-based misbehavior
      • An LTCA never issues valid tickets with overlapping lifetimes (for a given domain)
      • A ticket is bound to a specific PCA
      • A PCA keeps records of used tickets

19 / 54

slide-20
SLIDE 20

Analysis & evaluation

Pseudonym linkability based on timing information

Figure: pseudonym lifetimes over system time [min.] (0 to 60) in three panels: (a) P1: User-controlled policy (τP = 5 min.); (b) P2: Oblivious policy (τP = 5 min., ΓP2 = 15 min.); (c) P3: Universally fixed policy (τP = 5 min., ΓP3 = 15 min.).

  • P1 & P2: Distinct lifetimes per vehicle make linkability easier (requests/pseudonyms could act as user ‘fingerprints’)
  • P3: Uniform pseudonym lifetimes eliminate the timing fingerprints

20 / 54
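Added example (not from the paper or its implementation): the interval selection of Protocol 1 for P1, P2 and P3, used to show how pseudonym lifetime boundaries act as a timing fingerprint under P1/P2 and collapse into one class under P3. Assumptions: times are integer seconds, Γ_P3^i is taken as i·Γ_P3 counted from t_date, the trips are constructed sample data, and all function names are hypothetical.

```python
from collections import Counter


def req_ticket_interval(policy, t_now, t_trip_end, gamma=None, t_date=0):
    """(t_s, t_e) chosen by REQTICKET for policy P1, P2 or P3."""
    if policy == "P1":    # user-controlled: the whole (remaining) trip
        return t_now, t_trip_end
    if policy == "P2":    # oblivious: fixed length, starting at the request time
        return t_now, t_now + gamma
    if policy == "P3":    # universally fixed: i-th interval of the PCA clock
        i = (t_now - t_date) // gamma
        return t_date + i * gamma, t_date + (i + 1) * gamma
    raise ValueError(policy)


def trip_requests(policy, t_start, t_end, gamma=None, t_date=0):
    """All ticket intervals a vehicle requests to cover one trip."""
    out, t = [], t_start
    while t < t_end:
        t_s, t_e = req_ticket_interval(policy, t, t_end, gamma, t_date)
        out.append((t_s, t_e))
        t = t_e
    return out


def pseudonym_lifetimes(intervals, tau_p):
    """Consecutive tau_p-long pseudonym lifetimes inside each ticket interval."""
    return [(s, min(s + tau_p, t_e))
            for t_s, t_e in intervals
            for s in range(t_s, t_e, tau_p)]


def timing_classes(trips, policy, gamma, tau_p):
    """Vehicles grouped by the phase of their pseudonym change times.

    An observer can tell vehicles in different classes apart purely from
    when their pseudonyms start and expire.
    """
    phases = Counter()
    for t_start, t_end in trips:
        lifetimes = pseudonym_lifetimes(
            trip_requests(policy, t_start, t_end, gamma), tau_p)
        phases[lifetimes[0][0] % tau_p] += 1
    return dict(phases)


def unused_pseudonyms(policy, t_start, t_end, gamma, tau_p):
    """Pseudonyms obtained but never usable during the trip."""
    lifetimes = pseudonym_lifetimes(
        trip_requests(policy, t_start, t_end, gamma), tau_p)
    return sum(1 for s, e in lifetimes if e <= t_start or s >= t_end)


# Constructed sample trips: (start, end) in seconds of system time.
SAMPLE_TRIPS = [(65, 700), (130, 1000), (250, 520), (610, 1500)]

if __name__ == "__main__":
    for pol in ("P1", "P2", "P3"):
        print(pol, timing_classes(SAMPLE_TRIPS, pol, gamma=900, tau_p=300),
              unused_pseudonyms(pol, 250, 520, gamma=900, tau_p=300))
```

The same run also shows the cost side of the trade-off: P3 and P2 leave pseudonyms unused for short trips, while P1 does not.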

slide-21
SLIDE 21

Analysis & evaluation

Experimental setup

VPKI testbed

  • Implementation in C++
  • OpenSSL: TLS and Elliptic Curve Digital Signature Algorithm (ECDSA)-256 according to the standard [1]

|                     | LTCA   | PCA    | RA     | Clients |
|---------------------|--------|--------|--------|---------|
| VM Number           | 2      | 5      | 1      | 25      |
| Dual-core CPU (GHz) | 2.0    | 2.0    | 2.0    | 2.0     |
| BogoMips            | 4000   | 4000   | 4000   | 4000    |
| Memory              | 2GB    | 2GB    | 1GB    | 1GB     |
| Database            | MySQL  | MySQL  | MySQL  | MySQL   |
| Web Server          | Apache | Apache | Apache | -       |
| Emulated Threads    | -      | -      | -      | 400     |

21 / 54

slide-22
SLIDE 22

Analysis & evaluation

Experimental setup (cont’d)

|                                        | TAPAS Cologne | LuST [2]    |
|----------------------------------------|---------------|-------------|
| Number of vehicles                     | 75,576        | 138,259     |
| Number of trips                        | 75,576        | 287,939     |
| Duration of snapshot (hours)           | 24            | 24          |
| Available duration of snapshot (hours) | 2 (6-8 AM)    | 24          |
| Average trip duration (seconds)        | 590.49        | 692.81      |
| Total trip duration (seconds)          | 44,655,579    | 102,766,924 |

Main metric: Pseudonym acquisition latency (note: termed end-to-end)

From the initialization of the ticket acquisition protocol till the successful completion of pseudonym acquisition protocol

Note: PRESERVE Nexcom boxes: dual-core 1.66 GHz, 2GB Memory

22 / 54

slide-23
SLIDE 23

Analysis & evaluation

Latency for P1, P2, and P3

  • Parameters: Improved privacy, thus short-lived pseudonyms, and frequent interactions with/high workload for the PCA
      • Γ = 5 min, τP = 0.5 min, 5 min
  • LuST dataset (τP = 0.5 min):
      • P1: Fx(t = 167 ms) = 0.99
      • P2: Fx(t = 80 ms) = 0.99
      • P3: Fx(t = 74 ms) = 0.99

Figure: End-to-End Latency [ms] against System Time [min.] for the User-controlled Policy (P1), the Oblivious Policy (P2) and the Universally Fixed Policy (P3), each with 1 LTCA and 1 PCA, for τP = 0.5 min. and τP = 5 min.; one panel per policy for the TAPAS Cologne dataset and one for the LuST dataset.

23 / 54

slide-24
SLIDE 24

Analysis & evaluation

Latency for P1, P2, and P3 (cont’d)

Figure: Average End-to-End Latency Comparison of P1, P2 and P3. Average End-to-End Latency [ms] against Pseudonym Lifetime [min.]; curves: P1, P2 (ΓP2 = 10 min.), P3 (ΓP3 = 10 min.).

24 / 54

slide-25
SLIDE 25

Analysis & evaluation

Pseudonym utilization

Figure: Average Number of Unused Pseudonyms against Pseudonym Lifetime [sec.], LuST dataset. Panels: Pseudonym Utilization with Oblivious Policy (P2), for ΓP2 = 5, 10, 15, 20 min.; Pseudonym Utilization with Universally Fixed Policy (P3), for ΓP3 = 5, 10, 15, 20 min.

25 / 54

slide-26
SLIDE 26

Analysis & evaluation

Ticket and pseudonym acquisition

Figure: Cumulative Probability against Processing Delay [ms], LuST dataset. Panels: LTCA Server Performance (LTCA delay); PCA Server Performance (PCA delay) for τP = 1 min, 3 min and 5 min.

  • Ticket Acquisition: Fx(t = 4 ms) = 0.95
  • Pseudonym Acquisition: Fx(t = 52 ms) = 0.95

26 / 54

slide-27
SLIDE 27

Analysis & evaluation

Pseudonym resolution and revocation

Figure: End-to-End Latency [ms] against Number of Pseudonyms in the PCA Database (×10^6, from 0.01 to 5). Panels: Resolution & Revocation in a Single Domain (client side, RA, PCA and LTCA operations); Resolution & Revocation Across Domains (client side, RA, PCA, LTCA and cross-domain operations).

  • On average 100 ms to resolve & revoke a pseudonym

27 / 54

slide-28
SLIDE 28

Analysis & evaluation

Comparison with other implementations

Latency for 100 pseudonyms (without communication delay)

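|                                   | Delay_PCA | CPU_PCA  |
|-----------------------------------|-----------|----------|
| VeSPA [3]                         | 817 ms    | 3.4 GHz  |
| SEROSA [4]                        | 650 ms    | 2.0 GHz  |
| PUCA [5]                          | 1000 ms   | 2.53 GHz |
| PRESERVE PKI (Fraunhofer SIT) [6] | ≈ 4000 ms | N/A      |
| C2C-CC PKI (ESCRYPT) [7]          | 393 ms    | N/A      |
| SECMACE                           | 260 ms    | 2.0 GHz  |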

28 / 54

slide-29
SLIDE 29

Additional ongoing work

Wrap-up

  • Solution for a challenging problem at hand
      • Security & privacy
      • Complexity
      • Cost and deployment constraints
      • VC system constraints and scale
  • Modest workstations running the PCA and LTCA servers can handle tens of thousands of vehicles
  • More work
      • Revocation: distribution of revocation information
      • Misbehaviour/fault detection
      • Dynamic scaling of the servers
  • System can be used in different contexts
      • Security and privacy for Location Based Services (LBSs)
  • Common ideas with other large-scale mobile systems
      • Security and privacy for Participatory Sensing systems

29 / 54

slide-30
SLIDE 30

Additional ongoing work Efficient CRL distribution

CRL distribution in VCS: Challenges and motivation

  • Traditional PKI vs. Vehicular PKI
  • Dimensions (5 orders of magnitude more credentials)
  • Balancing act: security, privacy, and efficiency
      • Honest-but-curious VPKI entities
      • Performance constraints: safety- and time-critical operations
  • “Mechanics” of revocation:
      • Highly dynamic environment with intermittent connectivity
      • Short-lived pseudonyms, multiple per entity
      • Resource constraints

30 / 54

slide-31
SLIDE 31

Additional ongoing work Efficient CRL distribution

CRL distribution in VCS: Challenges and motivation (cont’d)

  • Efficient and timely distribution of Certificate Revocation Lists (CRLs) to every legitimate vehicle in the system
  • Strong privacy for vehicles prior to revocation events
  • Computation and communication constraints for On-Board Units (OBUs), intermittent connectivity to the infrastructure
  • Peer-to-peer distribution is a double-edged sword: abusive peers could “pollute” the process, thus degrading the timeliness of the CRL distribution

31 / 54

slide-32
SLIDE 32

Additional ongoing work Efficient CRL distribution

Vehicle-Centric CRL Distribution∗

Figure: CRL as a Stream. The trip duration D is covered by partitioned intervals Γ^i_CRL; V1 subscribes to {Γ^i_CRL, Γ^(i+1)_CRL, Γ^(i+2)_CRL}; V2: {Γ^i_CRL, Γ^(i+1)_CRL}; V3: {Γ^(i+2)_CRL}; V4: {Γ^(i+3)_CRL}; V5: {Γ^(i+4)_CRL}.

Figure: A vehicle-centric approach: each vehicle only subscribes for pieces of CRLs corresponding to its trip duration (axes: System Time, Trip Duration; intervals Γ^1_CRL, Γ^2_CRL, Γ^3_CRL).

∗Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs, ACM WiSec 2018

32 / 54

slide-33
SLIDE 33

Additional ongoing work Efficient CRL distribution

Vehicle-Centric CRL Distribution (cont’d)

Figure: CRL piece & fingerprint construction by the PCA: (a) revoked pseudonyms of vehicles V1 to V9 within an interval Γ^i_CRL; (b) CRL fingerprint construction using H().

CRL Fingerprint

  • Signed, broadcast by Roadside Units (RSUs)
  • Integrated in (a subset of) recently issued pseudonyms
  • Notification about a new CRL-update (revocation event)

33 / 54

slide-34
SLIDE 34

Additional ongoing work Efficient CRL distribution

Quantitative Analysis

  • OMNET++ & Veins framework using SUMO
  • Cryptographic protocols and primitives (OpenSSL): ECDSA-256 and SHA-256 as per IEEE 1609.2 and ETSI standards
  • V2X communication over IEEE 802.11p
  • Placement of the RSUs: “highly-visited” intersections with non-overlapping radio ranges
  • Comparison with the baseline scheme [8]: under the same assumptions and configuration with the same parameters
  • Evaluation
      • Efficiency (latency)
      • Resilience (to pollution/DoS attacks)
      • Resource consumption (computation/communication)

Figure: The LuST dataset, a full-day realistic mobility pattern in the city of Luxembourg (50KM x 50KM) [Codeca et al. (2015)].

34 / 54

slide-35
SLIDE 35

Additional ongoing work Efficient CRL distribution

Quantitative Analysis (cont’d)

Figure: End-to-end delay to fetch CRLs (R = 1%, τP = 60s), Baseline Scheme against Vehicle-Centric Scheme. (a) Number of Cognizant Vehicles against System Time [s], with the Total Number of Vehicles, 7:00-7:10 am (B = 25 KB/s); (b) Cumulative Probability against Delay to Fetch CRL [s], 7-9 am, 5-7 pm (B = 25 KB/s).

  • Converging more than 40 times faster than the state-of-the-art
  • Baseline scheme: Fx(t = 626s) = 0.95
  • Vehicle-centric scheme: Fx(t = 15s) = 0.95

35 / 54

slide-36
SLIDE 36

Additional ongoing work Location Based Services

LBS Privacy

{loc, restaurant}

Service Attribute

Adversary: honest-but-curious LBS server

36 / 54

slide-37
SLIDE 37

Additional ongoing work Location Based Services

LBS Privacy (cont’d)

slide-38
SLIDE 38

Additional ongoing work Location Based Services

Decentralized LBS Privacy∗

slide-39
SLIDE 39

Additional ongoing work Location Based Services

Decentralized LBS Privacy and Security

Misbehaving peers?

Active: Masquerading, tampering, DoS... Passive: Eavesdrop queries and responses

Accountability Privacy protection

39 / 54

slide-40
SLIDE 40

Additional ongoing work Location Based Services

Decentralized LBS Privacy and Security (cont’d)∗

slide-41
SLIDE 41

Additional ongoing work Location Based Services

Decentralized LBS Privacy and Security (cont’d)

  • The PCA randomly assigns a small fraction of system nodes as serving nodes
  • The serving period can coincide with the pseudonym request interval
  • Serving nodes proactively request Point of Interest (PoI) data for the whole region and announce their presence and available data
  • Any interested node listens to beacons and requests PoI data
  • A node can request responses from N > 1 serving nodes for cross-checking

41 / 54

slide-42
SLIDE 42

Additional ongoing work Location Based Services

Security and Privacy Analysis - Quantitative

$$\mathrm{ExpoDeg}(Id_{LTC}, C) = \sum_{Id_i \in ID(Id_{LTC},\, C)} \frac{T(Id_i)}{T(Id_{LTC})} \cdot \frac{R_H(Id_i)}{R(Id_{LTC})} \qquad (1)$$

  • ID(Id_LTC, C): set of identities corresponding to Id_LTC exposed to honest-but-curious (possibly colluding) entities
  • T(Id): trip duration of a node under identity Id
  • R(Id): number of regions the node visits as Id
  • R_H(Id): number of visited regions exposed
  • ExpoDeg: accuracy of reconstructed node trajectories based on recorded node queries, taking into account pseudonymous authentication

42 / 54

slide-43
SLIDE 43

Additional ongoing work Location Based Services

Security and Privacy Analysis - Quantitative (cont’d)

Figure: (a) Exposure degree to the LBS server as a function of Pr_serve. Exposure degree to colluding passive adversaries as a function of Ratio_adv (b) with and (c) without encryption for P2P communication. Curves in each panel: No collusion with CA; Collusion with PCA; Collusion with LTCA and PCA.

43 / 54

slide-44
SLIDE 44

Additional ongoing work Location Based Services

Security and Privacy Analysis - Quantitative (cont’d)

Figure: (a) Malicious serving node ratio during simulation (1 p.m. - 2 p.m.) with default settings, over all nodes and over serving nodes, against System Time (min). (b) Attacked LBS query ratio as a function of Ratio_adv, for 1 false out of 1, 1 or 2 false out of 2, and 1, 2 or 3 false out of 3 response(s).

44 / 54

slide-45
SLIDE 45

Additional ongoing work Participatory Sensing

Urban Sensing Systems

Illustration: complexitys.com

45 / 54

slide-46
SLIDE 46

Additional ongoing work Participatory Sensing

Security & Privacy Requirements∗

Figure: People-Centric Sensing, with the labels Security, Communication Security, Data Trustworthiness, Accountability, Privacy, User Anonymity, Location Privacy, Data Trustworthiness, Incentives.

  • Protect the users from the system (privacy)
      • Anonymity (conditional)
      • Unlinkability
  • Protect the system from the users (security)
      • Authentication & Authorization
      • Accountability
      • Misbehavior detection
  • User incentives

∗Trustworthy People-Centric Sensing: Privacy, Security and User Incentives Road-Map, IEEE/IFIP MedHocNet 2014

46 / 54

slide-47
SLIDE 47

Additional ongoing work Participatory Sensing

SPPEAR Overview∗

Separation of Duty

∗SPPEAR: security & privacy-preserving architecture for participatory-sensing applications, ACM WiSec 2014

47 / 54

slide-48
SLIDE 48

Additional ongoing work Participatory Sensing

Analysis

  • Confidentiality, integrity (TLS and digital signatures)
  • Access control, authorization (GM = PDP and IdP = PEP)
  • Sybil-proof (non-overlapping pseudonyms)
  • GM does not know the user task(s) (OT for token retrieval)
  • Unlinkable and unobservable interactions (TOR)
  • Accountability, exculpability (Revocation protocol + interactive mode for BBS)

48 / 54

slide-49
SLIDE 49

Additional ongoing work Participatory Sensing

Analysis (cont’d)

  • ProVerif protocol checker
  • Model with π-Calculus
  • Entities (infrastructure components and users) described as processes
  • Protocol modelled as a parallel composition of multiple copies of the processes
  • Basic cryptographic primitives modelled as symbolic operations over bit-strings representing messages, encoded with constructors and destructors
  • Dolev-Yao adversaries (eavesdrop, modify, craft and inject messages based on the keys they possess)
  • We can prove secrecy (i.e., values are secret) and strong-secrecy (the adversary cannot infer changes over secret values) properties

49 / 54

slide-50
SLIDE 50

Additional ongoing work Participatory Sensing

Secure and Privacy-preserving Participatory Sensing∗

Figure (block diagram): Users, Probability Mass Transformer, Concept Drift Checker, DB-Scan/Region Merger, Composition, NB/NN, Random Forest; Training Phase and Classification Phase.

∗Security, Privacy and Incentive Provision for Mobile Crowd Sensing Systems, IEEE IoT Journal, 2016

50 / 54

slide-51
SLIDE 51

Additional ongoing work Participatory Sensing

Bibliography I

[1] “IEEE Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages,” Mar. 2016.

[2] L. Codeca et al., “Luxembourg Sumo Traffic (LuST) Scenario: 24 Hours of Mobility for Vehicular Networking Research,” in IEEE VNC, Kyoto, Japan, Dec. 2015.

[3] N. Alexiou, M. Laganà, S. Gisdakis, M. Khodaei, and P. Papadimitratos, “VeSPA: Vehicular Security and Privacy-preserving Architecture,” in ACM HotWiSec, Budapest, Hungary, Apr. 2013.

[4] S. Gisdakis, M. Laganà, T. Giannetsos, and P. Papadimitratos, “SEROSA: SERvice Oriented Security Architecture for Vehicular Communications,” Boston, MA, USA, Dec. 2013, pp. 111–118.

[5] D. Förster, F. Kargl, and H. Löhr, “PUCA: A Pseudonym Scheme with User-Controlled Anonymity for Vehicular Ad-Hoc Networks,” in IEEE VNC, Paderborn, Germany, Dec. 2014.

[6] “PRESERVE Project,” www.preserve-project.eu/, Jun. 2015.

[7] “PKI Memo C2C-CC,” http://www.car-2-car.org/, Feb. 2011.

[8] J.-J. Haas, Y.-C. Hu, and K.-P. Laberteaux, “Efficient Certificate Revocation List Organization and Distribution,” IEEE JSAC, vol. 29, no. 3, pp. 595–604, 2011.

51 / 54

slide-54
SLIDE 54

Additional Publications

SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication

IEEE Transactions on Intelligent Transportation Systems (IEEE ITS), vol. 19, no. 5, May 2018

Mohammad Khodaei, Hongyu Jin, and Panos Papadimitratos Networked Systems Security Group www.ee.kth.se/nss

54 / 54