Nowhere to hide? Mix-Zones for Private Pseudonym Change using Chaff Vehicles Christian Vaas 1 , Mohammad Khodaei 2 , Panos Papadimitratos 2 , Ivan Martinovic 1 University of Oxford 1 , KTH, Stockholm 2 VNC, 6 December 2018
Motivation: Vehicle Tracking • Static credentials to sign CAM messages • Wireless eavesdropper • Attacker records full route ➢ Identify individuals [1] ➢ Movement profiles VNC 2018 2
Pseudonym Change • Frequently changing credentials • Attacker records route segments ➢ How to make segments unlinkable? VNC 2018 3
Segment Unlinkability 1. Syntactic linking ➢ Synchronization 2. Semantic linking ➢ Obfuscate CAMs t 0 t 1 VNC 2018 4
Mix-zones: Principle • Covers intersections • Prevent pseudonym linking • Obfuscate CAMs • Silent or encrypted periods • Private change of ECDSA credentials ➢ Recording entry-exit pairs Q B Y ? C P A R VNC 2018 5
Crypto Mix-zones: Problem • Dependence on vehicle availability • Low traffic regions • Low traffic hours • Driver population • Arrival timings ➢ Correlation attack Q A VNC 2018 6
Our Solution ➢ Chaff vehicles • Substitute for real vehicles • RSUs generate chaff CAMs • CAMs signed with chaff pseudonyms • CAMs broadcast by RSUs and OBUs • Must not impair safety P Q P’ Y’ ? R Y A R’ VNC 2018 7
Chaff-based CMIX Scheme Protocols & Services 1. Key provisioning 2. Chaff-trace generation A A A A B B 3. Chaff notification • D to B 4. Filter update ➢ Safety preserving Real vehicle v Real vehicle v Real vehicle v Real vehicle v Real vehicle v' Real vehicle v' Real vehicle v' Real vehicle v' ➢ C C D D Maximize mixing Chaff vehicles Chaff vehicles Chaff vehicles VNC 2018 8
Simulation Environment LuST Luxembourg SUMO Traffic Scenario PREXT Privacy Extension for Veins VANET Simulator CMIX Mix-Zones for Location Privacy in Vehicular Networks VNC 2018 9
Simulation Scenarios • Three different areas • Suburban – low traffic • Residential – medium traffic • Central – high traffic • Encryption radius fixed • Tracking probability based metric 𝑛 𝑞 𝑤 𝑜 𝑗 ∗ 𝑚 𝑓 𝑗 𝑤 = σ 𝑗=0 𝑄 𝑈 |𝑈 𝑤 | 𝑓 𝑗 𝑜 𝑗 Q A VNC 2018 10
Simulation Results • Encryption radius 50 m • Attacker strength 100% Central Central Central CMIX scheme CMIX scheme CMIX scheme 0.8 0.8 0.8 Residential Residential Residential Chaff-based scheme Normalized pseudonym change exposure Normalized pseudonym change exposure Normalized pseudonym change exposure 4000 4000 Suburban Suburban Suburban Traffic density Traffic density 0.7 0.7 0.7 0.6 0.6 0.6 Active real vehicles [# ] Active real vehicles [# ] 3000 3000 0.5 0.5 0.5 0.4 0.4 0.4 2000 2000 0.3 0.3 0.3 0.2 0.2 0.2 1000 1000 0.1 0.1 0.1 0.0 0.0 0.0 0 0 0:00 0:00 0:00 7:30 7:30 7:30 13:00 13:00 13:00 18:30 18:30 18:30 24:00 24:00 24:00 Simulation time [HH:mm] Simulation time [HH:mm] Simulation tim e [HH:mm] VNC 2018 11
Simulation Results • Encryption radius 50-250 m • Attacker strength 30%/100% Residential - 30% Residential - 100% Normalized pseudonym change exposure 0.8 0.8 CMIX schem e CMIX scheme Chaff-based scheme Chaff-based scheme 0.6 0.6 0.4 0.4 0.2 0.2 0.0 0.0 50 100 150 200 250 50 100 150 200 250 Mix-zone encryption rad ius [m] VNC 2018 12
System Feasibility Mix-zone Encryption Radius [m] 50 100 150 200 250 Max. Active Chaff Pseudonyms [#] 68 176 165 99 66 Max. CAM Generation [msg/s] 240 848 1321 831 634 B • 30 * 60 * 176 = 316,800 chaff pseudonyms • Cuckoo Filter with 3.63 MB ✓ Transmission speed 6 Mbit/s in IEEE 802.11p • Generate 6742 ECDSA signatures per second Real vehicle v ✓ NEXCOM (Dual-core 1.66 GHz, 1GB Real vehicle v' D Chaff vehicles memory) with crypto module VNC 2018 13
Conclusion • New pseudonym change strategy based on chaff vehicles and chaff messages • Independent of operation area, mix-zone encryption radius, time of day, and driver population • System performance: up to 76% improvement over CMIX • Preserves safety application functionality • Acceptable resource requirements Future Work • Resilience against internal attackers • Impact of honest-but-curious VPKI entities VNC 2018 14
Nowhere to hide? Mix-Zones for Private Pseudonym Change using Chaff Vehicles Thank you! christian.vaas@cs.ox.ac.uk
References [1] Golle, P., & Partridge, K. (2009, May). On the anonymity of home/work location pairs. In International Conference on Pervasive Computing (pp. 390-397). Springer, Berlin, Heidelberg. [2] L. Codeca, R. Frank, S. Faye and T. Engel, "Luxembourg SUMO Traffic (LuST) Scenario: Traffic Demand Evaluation" in IEEE Intelligent Transportation Systems Magazine, vol. 9, no. 2, pp. 52-63, Summer 2017. [3] PREXT: Privacy Extension for Veins VANET Simulator", IEEE Vehicular Networking Conference (VNC), Dec. 2016, Columbus, Ohio, USA [4] Freudiger, J., Raya, M., Félegyházi, M., Papadimitratos, P., & Hubaux, J. P. (2007). Mix- zones for location privacy in vehicular networks. In ACM Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS) (No. LCA-CONF-2007-016). VNC 2018 16
Simulation Results 0.06 Traffic density Central 4000 Suburban 0.05 Residential Chaff vehicles per real vehicle Active real vehicles [# ] 0.04 3000 0.03 2000 0.02 1000 0.01 0.00 0 0:00 4:00 8:00 12:00 16:00 20:00 24:00 Simulation time [HH:mm] VNC 2018 17
Simulation Parameters Area 1.31 km 2 0.61 km 2 1.38 km 2 Junctions 69 34 61 Mix-zones 31 18 28 Avg. Number of 1825 4631 6500 vehicles per zone VNC 2018 18
Recommend
More recommend