Secure and Privacy Preserving Vehicular Communication Systems: - PowerPoint PPT Presentation

KTH ROYAL INSTITUTE OF TECHNOLOGY Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management Infrastructure Mohammad Khodaei Networked Systems Security Group (NSS) November 1, 2016 July 2, 2018

Outline Secure Vehicular Communication (VC) Systems Problem Statement System Model Security and Privacy Analysis Performance Evaluation Summary of Contributions and Future Steps 2/38

Vehicular Communication (VC) Systems Figure: Photo Courtesy of the Car2Car Communication Consortium (C2C-CC) 3/38

Security and Privacy for VC Systems 1 Basic Requirements ◮ Message authentication & integrity ◮ Message non-repudiation ◮ Access control ◮ Entity authentication ◮ Accountability ◮ Privacy protection Vehicular Public-Key Infrastructure (VPKI) ◮ Pseudonymous authentication ◮ Trusted Third Party (TTP): ◮ Certification Authority (CA) ◮ Issues credentials & binds users to their pseudonyms 1P . Papadimitratos, et al. “Securing Vehicular Communications - Assumptions, Require- ments, and Principles,” in ESCAR, Berlin, Germany, pp. 5-14, Nov. 2006. 4/38 P . Papadimitratos, et al. “Secure Vehicular Communication Systems: Design and Architec- ture,” in IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, Nov. 2008.

Security and Privacy for VC Systems (cont’d) ◮ Sign packets with the private key, corresponding to the current valid pseudonym ◮ Verify packets with the valid pseudonym ◮ Cryptographic operations in a Hardware Security Module (HSM) 5/38

State-of-the-art Standardization and harmonization efforts ◮ IEEE 1609.2 [1], ETSI [2] and C2C-CC [3] ◮ VC related specifications for security and privacy-preserving architectures Projects ◮ SEVECOM, EVITA, PRECIOSA, OVERSEE, DRIVE-C2X, Safety Pilot, PRESERVE, CAMP-VSC3 Proposals ◮ V-Token [4], CoPRA [5], SCMS [6], SEROSA [7], PUCA [8] 6/38

Outline Secure Vehicular Communication (VC) Systems Problem Statement System Model Security and Privacy Analysis Performance Evaluation Summary of Contributions and Future Steps 7/38

Problem Statement and Motivation The design of a VPKI ◮ Resilience ◮ Stronger adversarial model (than fully-trustworthy entities) ◮ User privacy protection against “honest-but-curious” entities ◮ User privacy enhancement and service unlinkability (inference of service provider or time) ◮ Pseudonym acquistion policies ◮ How should each vehicle interact with the VPKI, e.g., how frequently and for how long? ◮ Should each vehicle itself determine the pseudonym lifetime? ◮ Operation across multiple domains, thus a scalable design ◮ Efficiency and robustness 8/38

Security and Privacy Requirements for the VPKI Protocols ◮ Authentication, communication integrity and confidentiality ◮ Authorization and access control ◮ Non-repudiation, accountability and eviction (revocation) ◮ Privacy ◮ Anonymity (conditional) ◮ Unlinkability ◮ Thwarting Sybil-based misbehavior ◮ Availability 9/38

Adversarial Model External adversaries Internal adversaries Stronger adversarial model Protection against honest-but-curious VPKI entities ◮ Correct execution of protocols but motivated to profile users ◮ Concealing pseudonym provider identity and acquisition time, and reducing pseudonyms linkability (inference based on time) Multiple VPKI entities could collude 10/38

Outline Secure Vehicular Communication (VC) Systems Problem Statement System Model Security and Privacy Analysis Performance Evaluation Summary of Contributions and Future Steps 11/38

Secure VC System RCA A certifies B A B Cross-certification Communication link Message dissemination Domain A Domain B Domain C RA RA LTCA RA LTCA LTCA ◮ Root Certification Authority (RCA) X-Cetify PCA PCA PCA ◮ LDAP LDAP Long Term CA (LTCA) ◮ Pseudonym CA (PCA) 3/4/5G RSU {Msg} (P iv ) , {P i v } (PCA) ◮ Resolution Authority (RA) ◮ Lightweight Directory Access Protocol (LDAP) {Msg} (P iv ) , {P i v } (PCA) B ◮ Roadside Unit (RSU) ◮ Trust established with RCA, or through cross Figure: VPKI Overview certification 12/38

System Model A certifies B A B RCA Communication link Home Domain (A) Foreign Domain (B) LDAP RA RA F-LTCA H-LTCA I. f-tkt req. PCA PCA 1. LTC 2. n-tkt II. f-tkt III. n-tkt 3. psnym req. IV. psnym req. 4. psnyms acquisition V. psnyms acquisition Figure: VPKI Architecture 13/38

Pseudonym Acquisition Policies t start t end Unused Trip Duration Pseudonyms User-controlled policy (P1) } } } } } τ P τ P τ P τ P τ P Γ P2 Γ P2 Oblivious policy (P2) } } } } } } τ P τ P τ P τ P τ P τ P Γ P3 Γ P3 Γ P3 Expired Pseudonym Universally fixed policy (P3) } } } } } } } } τ P τ P τ P τ P τ P τ P τ P τ P System Time ◮ P1 & P2: Requests could act as user “fingerprints” ; the exact time 14/38 of requests and all subsequent requests until the end of trip could

Vehicle Registration and Long Term Certificate (LTC) Update V H - LT CA 1 . LK v , Lk v 2 . ( LK v ) σ Lkv , N, t 3 . Cert ( LT C ltca , LK v ) 4 . LT C v , N + 1 , t 15/38

Ticket and Pseudonym Acquisition V H-LTCA PCA 1 . H ( PCA ID � Rnd 256 ) , t s , t e , LT C v , N, t 2 . Cert ( LT C ltca , tkt ) 3 . tkt, N + 1 , t 4 . tkt, Rnd 256 , t s ′ , t e ′ , { ( K 1 v , ..., ( K n v ) σ k 1 v ) σ kn v } , N ′ , t 5 . Cert ( LT C pca , P i v ) v } , N ′ + 1 , t 6 . { P 1 v , . . . , P n 16/38

Roaming User: Foreign Ticket Authentication V LDAP H - LT CA 1 . LDAP Req. 2 .LDAP Search 3 . LDAP Res. 4 . H ( F - LT CA ID � Rnd 256 ) , t s , t e , LT C v , N, t 5 . Cert ( LT C ltca , f - tkt ) 6 . f - tkt, N + 1 , t 17/38

Native Ticket and Pseudonym Acquisition in the Foreign Domain V F - LT CA PCA 1 . f - tkt, H ( PCA ID || Rnd ′ 256 ) , Rnd 256 , N, t 2 .Cert ( LT C ltca , n - tkt ) 3 . n - tkt, N + 1 , t 256 , t s ′ , t e ′ , { ( K 1 v , ..., ( K n 4 . n - tkt, Rnd ′ v ) σ k 1 v ) σ kn v } , N ′ , t 5 . Cert ( LT C pca , P i v ) v } , N ′ + 1 , t 6 . { P 1 v , . . . , P n 18/38

Pseudonym Revocation and Resolution RA PCA LT CA 1 . P i , N, t 2 .Update CRL 3 . tkt, N + 1 , t 4 .SN tkt , N ′ , t 5 .Resolve LT C v 6 .LT C v , N ′ + 1 , t 19/38

Outline Secure Vehicular Communication (VC) Systems Problem Statement System Model Security and Privacy Analysis Performance Evaluation Summary of Contributions and Future Steps 20/38

Security and Privacy Analysis ◮ Communication integrity, confidentiality, and non-repudiation ◮ Certificates, TLS and digital signatures ◮ Authentication, authorization and access control ◮ LTCA is the policy decision and enforcement point ◮ PCA grants the service ◮ Security association discovery through LDAP ◮ Concealing PCAs, F-LTCA, actual pseudonym acquisition period ◮ Sending H ( PCA id � Rnd 256 ) , t s , t e , LTC v to the H-LTCA ◮ PCA verifies if [ t ′ s , t ′ e ] ⊆ [ t s , t e ] ◮ Thwarting Sybil-based misbehavior ◮ LTCA never issues valid tickets with overlapping lifetime (for a given domain) ◮ A ticket is bound to a specific PCA ◮ PCA keeps records of ticket usage 21/38

Linkability based on Timing Information of Credentials τ P = 5 min. τ P = 5 min., Γ P 2 = 15 min. τ P = 5 min., Γ P 3 = 15 min. 10 10 10 9 9 9 8 8 8 7 7 7 6 6 6 5 5 5 4 4 4 3 3 3 2 2 2 1 1 1 0 0 0 0 5 10 15 20 25 30 35 40 45 50 55 60 0 5 10 15 20 25 30 35 40 45 50 55 60 0 5 10 15 20 25 30 35 40 45 50 55 60 System Time [min.] System Time [min.] System Time [min.] (a) P1: User-controlled policy (b) P2: Oblivious policy (c) P3: Universally fixed policy ◮ Non-overlapping pseudonym lifetimes from eavesdroppers’ perspective ◮ P1 & P2: Distinct lifetimes per vehicle make linkability easier (requests/pseudonyms could act as user ‘fingerprints’ ) ◮ P3: Uniform pseudonym lifetime results in no distinction 22/38

Outline Secure Vehicular Communication (VC) Systems Problem Statement System Model Security and Privacy Analysis Performance Evaluation Summary of Contributions and Future Steps 23/38

Experimental Setup (#1) ◮ VPKI testbed ◮ Implementation in C++ Table: Servers and Clients Specifications ◮ OpenSSL: Transport Layer Security (TLS) LTCA PCA RA Clients and Elliptic Curve Digital Signature VM Number 2 5 1 25 Algorithm (ECDSA)-256 according to the Dual-core CPU (Ghz) 2.0 2.0 2.0 2.0 BogoMips 4000 4000 4000 4000 standard [1] Memory 2GB 2GB 1GB 1GB ◮ Network connectivity Database MySQL MySQL MySQL MySQL Web Server Apache Apache Apache - ◮ Varies depending on the actual OBU-VPKI Load Balancer Apache Apache - - Emulated Threads - - - 400 connectivity ◮ Reliable connectivity to the VPKI (e.g., RSU, ◮ Use cases Cellular, opportunistic WiFi) ◮ Pseudonym provision ◮ Performing a DDoS attack 24/38

Client and LTCA Performance Evaluation 2400 24 Entire Ticket Operations One ticket per request 2200 Entire Operations on PCA 2000 20 Networking Delay 1800 Vehicle Pseudonym Verification Processing Time [ms] Entire Time [ms] 1600 16 1400 1200 12 1000 800 8 600 400 4 200 0 0 1 10 100 200 500 1000 0 600 1200 1800 2400 3000 3600 Time [sec] Number of Pseudonyms in a Request Client processing time LTCA performance ◮ Delay to obtain pseudonyms ◮ LTCA response time to issue a ticket 25/38