Mobile Networks, Module I – Part 2: Securing Vehicular Networks
Prof. J.-P. Hubaux
Outline
• Motivation
• Threat model and specific attacks
• Security architecture
• Security analysis
• Certificate revocation
• Data-centric trust
• Conclusion
What is a VANET (Vehicular Ad hoc NETwork)?
• Communication: typically over Dedicated Short Range Communications (DSRC) at 5.9 GHz
• Example of protocol: IEEE 802.11p
• Penetration will be progressive (over two decades or so)
Vehicular communications: why?
• Combat the awful side-effects of road traffic
  - In the EU, around 40,000 people die yearly on the roads; more than 1.5 million are injured
  - Traffic jams generate a tremendous waste of time and of fuel
• Most of these problems can be solved by providing appropriate information to the driver or to the vehicle
Why is VANET security important?
• Large projects have explored vehicular communications: Fleetnet, PATH (UC Berkeley), …
• No solution can be deployed if it is not properly secured
• The problem is non-trivial
  - Specific requirements (speed, real-time constraints)
  - Contradictory expectations (e.g., liability enforcement versus privacy)
• Industry front: standards are still under development and suffer from serious weaknesses
  - IEEE P1609.2: Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages
• Research front: a growing number of papers
A modern vehicle
(figure: event data recorder (EDR), positioning system (GPS), forward radar, rear radar, communication facility, display / human-machine interface, computing platform)
A modern vehicle is a network of sensors/actuators on wheels!
Threat model
• An attacker can be:
  - Insider (holds valid credentials, i.e., an authenticated member of the network) / Outsider (no credentials, limited to eavesdropping and injecting unauthenticated traffic)
  - Malicious (seeks no personal benefit, only harm) / Rational (seeks a personal benefit, hence more predictable)
  - Active (generates packets or signals) / Passive (only eavesdrops)
  - Local (limited in scope, e.g., a few vehicles or roadside units) / Extended (controls several entities scattered across the network)
• Attacks can be mounted on:
  - Safety-related applications
  - Traffic optimization applications
  - Payment-based applications
  - Privacy
Attack 1: Bogus traffic information
(figure: a vehicle broadcasts "Traffic jam ahead" to divert the others)
• Attacker: insider, rational, active

Attack 2: Generate "intelligent collisions"
(figure: the attacker sends contradictory messages, "SLOW DOWN" to one vehicle and "The way is clear" to another, in order to provoke a collision)
• Attacker: insider, malicious, active

Attack 3: Cheating with identity, speed, or position
(figure: after an accident, a vehicle claims "Wasn't me!")
• Attacker: insider, rational, active

Attack 4: Jamming
(figure: a jammer prevents vehicles from hearing the roadside base station)

Attack 5: Tunnel
(figure only: the attack exploits the loss of GPS and infrastructure coverage inside a tunnel to inject data that the victim cannot cross-check)

Attack 6: Tracking
(figure: observations of vehicle A linked over time)
• A at (x1, y1, z1) at time t1
• A refuels at time t2 and location (x2, y2, z2)
• A enters the parking lot at time t3
• A downloads from server X
• A communicates with B
An observer who can recognize A in each of these messages reconstructs its trajectory and activities; this is why a vehicle's identifiers must not stay constant (see anonymous keys below).
Our scope
• We consider communications specific to road traffic: safety and traffic optimization
  - Safety-related messages
  - Messages related to traffic information
• We do not focus on more generic applications, e.g., toll collection, access to audio/video files, games, …
Security system requirements
• Sender authentication
• Verification of data consistency
• Availability
• Non-repudiation
• Privacy
• Real-time constraints
Security Architecture
Tamper-proof device
• Each vehicle carries a tamper-proof device (TPD) that:
  - Contains the secrets (private keys) of the vehicle itself
  - Has its own battery
  - Has its own clock (notably in order to be able to sign trustworthy timestamps)
  - Is in charge of all security operations (signing, verification, key storage)
  - Is accessible only by authorized personnel
(figure: the TPD sits between the vehicle sensors (GPS, speed and acceleration, …), the on-board CPU and the transmission system)
Digital signatures
• Symmetric cryptography is not suitable: messages are standalone (no prior session with the receiver), the system is large scale, and there is a non-repudiation requirement
• Hence each message should be signed with a digital signature (DS)
• Liability-related messages should be stored in the EDR
(figure: the signer broadcasts the safety message {position, speed, acceleration, direction, time, safety events} together with the cryptographic material {signer's DS, signer's PK, CA's certificate of PK}; every vehicle in range acts as a verifier)
VPKI (Vehicular PKI)
(figure: a PKI rooted at a CA underlies the security services: mutual authentication of P_A and P_B, confidentiality through a shared session key, privacy, positioning, …)
• Each vehicle carries in its Tamper-Proof Device (TPD):
  - A unique and certified identity: the Electronic License Plate (ELP)
  - A set of certified anonymous public/private key pairs
• Mutual authentication can be done without involving a server: each vehicle checks the other's certificate with the CA's public key it already holds
• Authorities (national or regional) are cross-certified
The CA hierarchy: two options

1. Governmental
   Transportation Authorities > Country 1 > Region 1, Region 2 > District 1, District 2 > Car A, Car B
   + The governments control certification
   - Long certificate chain
   - Keys should be recertified on borders to ensure mutual certification

2. Manufacturers
   Manuf. 1 > Car A, Car B; Manuf. 2 > Car A, Car B
   + Only one certificate is needed
   - Vehicle manufacturers have to be trusted
   - Each car has to store the keys of all vehicle manufacturers
Secure VC building blocks
• Authorities
  - Trusted entities issuing and managing identities and credentials
  - Hierarchical organization
  - 'Forest': several independent hierarchies (e.g., one per country or region), cross-certified with each other
Secure VC building blocks (cont'd)
• Identity and credentials management
(figure: roadside units, connected to the authorities over wire-line connections, serve two purposes: 're-filling' vehicles with, or letting them obtain, new credentials, and providing revocation information)
Anonymous keys
• Preserve identity and location privacy
• Keys can be preloaded at periodic checkups
• The certificate of V's i-th key: $Cert_V[PuK_i] = PuK_i \,|\, Sig_{SK_{CA}}[PuK_i \,|\, ID_{CA}]$, i.e., the CA signs the public key together with its own identity (so a verifier knows which CA key to check with); the vehicle's identity does not appear, and only the CA can link $PuK_i$ back to the ELP
• Key renewal rate depends on vehicle speed (e.g., a new key roughly every minute at 100 km/h)
• Anonymity is conditional on the scenario
• The authorization to link keys with ELPs is distributed, so no single party can de-anonymize a vehicle on its own
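The following Go program is an added example, not code from the lecture or from the authors' implementation, that ties the last two slides together: the anonymous certificate $Cert_V[PuK_i] = PuK_i \,|\, Sig_{SK_{CA}}[PuK_i \,|\, ID_{CA}]$ and the signed safety message {position, speed, acceleration, direction, time, safety events} broadcast with {DS, PK, CA certificate}. It uses only Go's standard library; the choice of ECDSA P-256 and SHA-256 (the slides name no algorithm), the byte layout of the message, the CA label "CA-region-1" and the freshness window on timestamps are assumptions of the example.

```go
package main
// Added example, not the lecture's code; the message layout and freshness window are assumptions.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)
// SafetyMessage carries the fields the slides list for a signed safety message.
type SafetyMessage struct {
	PosX, PosY, Speed, Accel, Heading float64 // m, m, m/s, m/s^2, degrees
	Time                              uint64  // TPD clock, ms
	SafetyEvents                      uint32  // event bitmask
}

// digest hashes a fixed-width encoding so that the DS covers every field.
func (m SafetyMessage) digest() []byte {
	b := make([]byte, 0, 52)
	for _, f := range []float64{m.PosX, m.PosY, m.Speed, m.Accel, m.Heading} {
		b = binary.BigEndian.AppendUint64(b, math.Float64bits(f))
	}
	b = binary.BigEndian.AppendUint64(b, m.Time)
	b = binary.BigEndian.AppendUint32(b, m.SafetyEvents)
	d := sha256.Sum256(b)
	return d[:]
}

// AnonCert is Cert_V[PuK_i] = PuK_i | Sig_{SK_CA}[PuK_i | ID_CA]; no vehicle ID is in it, so only the CA can link PuK_i to the ELP.
type AnonCert struct {
	PuK  []byte // DER (PKIX) public key
	IDCA string
	Sig  []byte // ASN.1 ECDSA signature over SHA-256(PuK | IDCA)
}

func certDigest(puk []byte, idCA string) []byte {
	d := sha256.Sum256(append(append([]byte{}, puk...), idCA...))
	return d[:]
}

// newKey generates a P-256 key pair (for the CA or for one of V's anonymous keys).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certifyKey is the CA side of "re-filling" a vehicle with one anonymous key.
func certifyKey(ca *ecdsa.PrivateKey, idCA string, pub *ecdsa.PublicKey) (AnonCert, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return AnonCert{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, ca, certDigest(der, idCA))
	return AnonCert{der, idCA, sig}, err
}

// verifyCert returns the certified key if it parses and the CA's signature over it holds.
func verifyCert(caPub *ecdsa.PublicKey, c AnonCert) (*ecdsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(c.PuK)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(caPub, certDigest(c.PuK, c.IDCA), c.Sig) {
		return nil, errors.New("certificate invalid")
	}
	return ecPub, nil
}

// signSafety produces the signer's DS; the broadcast carries {msg, DS, cert}.
func signSafety(key *ecdsa.PrivateKey, m SafetyMessage) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, m.digest())
}

// verifySafety checks cert and DS, then rejects future or stale timestamps (a replay keeps a valid DS).
func verifySafety(caPub *ecdsa.PublicKey, c AnonCert, m SafetyMessage, sig []byte, nowMs, maxAgeMs uint64) error {
	pub, err := verifyCert(caPub, c)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, m.digest(), sig) {
		return errors.New("message signature invalid")
	}
	if m.Time > nowMs || nowMs-m.Time > maxAgeMs {
		return errors.New("stale or future timestamp")
	}
	return nil
}

func main() {
	ca, k := newKey(), newKey() // CA key and one of V's anonymous keys
	cert, _ := certifyKey(ca, "CA-region-1", &k.PublicKey)
	m := SafetyMessage{1250.5, 310, 27.8, -2.5, 92, 1_000_000, 1 << 2}
	sig, _ := signSafety(k, m)
	fmt.Println("valid:", verifySafety(&ca.PublicKey, cert, m, sig, 1_000_050, 500))
}
```

Two points the code makes explicit: the certificate binds the public key only to the CA's identity, so a verifier learns nothing about the vehicle, and a replayed message passes every signature check, which is why the slides insist on a TPD clock for trustworthy timestamps and why the verifier has to bound the message age.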
What about privacy: how to avoid the Big Brother syndrome?
(figure: "At 3:00: Vehicle A spotted at position P1", "At 3:15: Vehicle A spotted at position P2")
• Keys change over time, so successive messages cannot be linked by an eavesdropper
• Liability still has to be enforced
• Only law enforcement agencies should be allowed to retrieve the real identities of vehicles (and drivers)
DoS resilience
• Vehicles will probably have several wireless technologies onboard
• In most of them, several channels can be used
• To thwart DoS (e.g., jamming), vehicles can switch channels or communication technologies
(figure: a common network layer above DSRC, UTRA-TDD, Bluetooth and other radios)
• In the worst case, the system can be deactivated (the vehicle falls back to driving without it)
Data verification by correlation
• The bogus-information attack relies on false data
• Authenticated vehicles can also send wrong data (on purpose or not), so authentication alone is not enough
• The correctness of the data itself should be verified => data-centric trust
• Correlation can help: a claim is checked against what the receiver's own sensors observe and against what other vehicles report
Security analysis
• How much can we secure VANETs?
• Messages are authenticated by their signatures
• Authentication protects the network from outsiders
• Correlation and fast revocation reinforce correctness against insiders
• Availability remains a problem that can only be alleviated, not solved
• Non-repudiation is achieved because:
  - ELP and anonymous keys are specific to one vehicle
  - Position is correct if secure positioning is in place
Certificate revocation in VANETs
• The CA has to revoke invalid certificates:
  - Compromised keys
  - Wrongly issued certificates
  - A vehicle constantly sends erroneous information
• Using Certificate Revocation Lists (CRLs) or online status checking is not appropriate: vehicles reach the infrastructure only intermittently, and message validation has to meet real-time constraints
• There is a need to detect and revoke attackers fast
System model
• There is a CA (Certification Authority)
• Each vehicle has a public/private key pair, a TC (Trusted Component = TPD), and an EDR (Event Data Recorder)
• Safety messages:
  - Are broadcast and signed
  - Include time and position
• Several possible communication channels:
  - DSRC
  - Cellular
  - WiMax
  - Low-speed FM
Adversary model
• The adversary can be:
  - A faulty node (sends wrong data unintentionally)
  - A misbehaving node (sends wrong data on purpose)
• Example attack: false information dissemination
• Adversaries have valid credentials (they are insiders)
• Honest majority in the attacker's neighborhood
Scheme overview
(figure: CA and infrastructure functionality: policies, evidence collection, revocation decision, revocation information. Vehicle functionality: message validation backed by the TPD (Tamper-Proof Device); a MDS (Misbehavior Detection System) that produces local warning messages about a node ID; LEAVE (Local Eviction of Attackers by Voting Evaluators), which feeds the collected evidence to the CA; and two revocation paths back to the vehicles: RTC (Revocation of the Trusted Component) through a revocation command, and RC2RL (Revocation by Compressed CRLs) when that command fails to reach the TPD)
Revocation protocols
• We propose two protocols to revoke a vehicle's keys:
  - Revocation of the Trusted Component (RTC): the CA commands the TC to revoke all its keys
  - Revocation by Compressed CRLs (RC2RL): used if the TC is not reachable, so that the other vehicles learn to ignore the revoked keys
• Local Eviction of Attackers by Voting Evaluators (LEAVE):
  - Initiated by peers (neighbors whose MDS detects the misbehavior)
  - Generates a report to the CA, which triggers the actual revocation by RTC/RC2RL
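The Go program below is an added example, not the authors' code, of the local part of LEAVE as the slides describe it: the MDS of each neighbor emits a warning about a node, distinct accusers are counted, a strict majority of the neighborhood (the honest-majority assumption of the adversary model) triggers local eviction, and the collected evidence becomes the report that goes to the CA for the real revocation (RTC or RC2RL). The warning format, the threshold rule, the expiry window and the labels "k-17", "X" and so on are assumptions of the example; in the scheme proper, warnings would be signed like any other message.

```go
package main

// Added example, not the lecture's code: a simplified model of LEAVE's local
// voting. Warning format, threshold rule and expiry window are assumptions.

import (
	"fmt"
	"sort"
)

// Warning is one neighbour's accusation against a node, produced by its MDS.
type Warning struct {
	Accuser  string // anonymous key of the accuser (a label here)
	Accused  string
	IssuedMs uint64
	Evidence string // the implausible claim that triggered the MDS
}

// Evictor is the local eviction state kept by one vehicle.
type Evictor struct {
	neighbours int                           // current neighbourhood size estimate
	windowMs   uint64                        // warnings older than this are dropped
	warnings   map[string]map[string]Warning // accused -> accuser -> latest warning
	evicted    map[string]bool
}

func NewEvictor(neighbours int, windowMs uint64) *Evictor {
	return &Evictor{neighbours, windowMs, map[string]map[string]Warning{}, map[string]bool{}}
}

// threshold is a strict majority of the neighbourhood: under the slide's
// honest-majority assumption, colluding attackers cannot reach it against an
// honest node.
func (e *Evictor) threshold() int { return e.neighbours/2 + 1 }

// Receive records a warning and reports whether the accused is now locally
// evicted. Repeated warnings from one accuser count once; self-accusations
// and warnings from already-evicted nodes are ignored (an evicted attacker
// must not be able to vote honest nodes out).
func (e *Evictor) Receive(w Warning, nowMs uint64) bool {
	if e.evicted[w.Accuser] || w.Accuser == w.Accused {
		return e.evicted[w.Accused]
	}
	if e.warnings[w.Accused] == nil {
		e.warnings[w.Accused] = map[string]Warning{}
	}
	e.warnings[w.Accused][w.Accuser] = w
	if e.countFresh(w.Accused, nowMs) >= e.threshold() {
		e.evicted[w.Accused] = true
	}
	return e.evicted[w.Accused]
}

// countFresh drops expired warnings and returns the number of distinct accusers left.
func (e *Evictor) countFresh(accused string, nowMs uint64) int {
	for accuser, w := range e.warnings[accused] {
		if nowMs-w.IssuedMs > e.windowMs {
			delete(e.warnings[accused], accuser)
		}
	}
	return len(e.warnings[accused])
}

// Accept is the message-validation hook: an evicted sender is ignored until
// the CA's decision (RTC or RC2RL) arrives.
func (e *Evictor) Accept(sender string) bool { return !e.evicted[sender] }

// Report is the evidence bundle LEAVE forwards to the CA for the real revocation.
type Report struct {
	Accused  string
	Accusers []string
	Evidence []string
}

// Report returns the bundle for a locally evicted node (false if not evicted).
func (e *Evictor) Report(accused string) (Report, bool) {
	if !e.evicted[accused] {
		return Report{}, false
	}
	r := Report{Accused: accused}
	for a := range e.warnings[accused] {
		r.Accusers = append(r.Accusers, a)
	}
	sort.Strings(r.Accusers) // maps iterate in random order; keep the report deterministic
	for _, a := range r.Accusers {
		r.Evidence = append(r.Evidence, e.warnings[accused][a].Evidence)
	}
	return r, true
}

func main() {
	e := NewEvictor(5, 10_000) // 5 neighbours: 3 distinct accusers needed
	// Constructed warnings: node X claimed a physically impossible speed.
	for _, acc := range []string{"k-17", "k-42", "k-17", "k-90"} {
		ev := e.Receive(Warning{acc, "X", 1_000, "claimed 1200 m/s"}, 1_500)
		fmt.Printf("warning from %s: X evicted=%v\n", acc, ev)
	}
	r, _ := e.Report("X")
	fmt.Printf("report to CA: %+v; still accept X? %v\n", r, e.Accept("X"))
}
```

The two guards in Receive are where the security argument lives: counting distinct accusers rather than warnings stops a single attacker from shouting a node out, and refusing votes from evicted nodes stops an attacker, once caught, from retaliating against the honest neighbors who reported it. Local eviction only silences the node in its current neighborhood; the permanent decision stays with the CA.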
Revocation of the Trusted Component (RTC)
(figure only; legend: RSU = Road Side Unit, PuK = Public Key, T = Timestamp)