RHyTHM: A Randomized Hybrid Scheme To Hide in the Mobile Crowd

Mohammad Khodaei, Andreas Messing, and Panos Papadimitratos
Networked Systems Security Group (NSS), www.ee.kth.se/nss
Royal Institute of Technology (KTH), Stockholm, Sweden
Nov. 28, 2017

M. Khodaei, A. Messing, P. Papadimitratos (KTH), IEEE VNC 2017, Nov. 28, 2017

Secure Vehicular Communication (VC) Systems

Vehicular Public Key Infrastructure (VPKI)

[Figure: VPKI architecture across Domain A, Domain B and Domain C. Each domain has a Long Term CA (LTCA), a Pseudonym CA (PCA), a Resolution Authority (RA) and an LDAP directory; domains are certified by the Root Certification Authority (RCA) or cross-certify each other. Vehicles reach the VPKI over 3/4/5G or through a Roadside Unit (RSU) and disseminate messages of the form $\{Msg\}_{(P_v^i)}, \{P_v^i\}_{(PCA)}$.]

Legend:
- "A certifies B" and cross-certification arrows; communication link; message dissemination
- Root Certification Authority (RCA)
- Long Term CA (LTCA)
- Pseudonym CA (PCA)
- Resolution Authority (RA)
- Lightweight Directory Access Protocol (LDAP)
- Roadside Unit (RSU)
- Trust established with RCA, or through cross certification

Pseudonym Refilling Strategies

- Preloading schemes
  - Computationally costly, inefficient utilization, cumbersome revocation
- On-demand schemes
  - Efficient in utilization & revocation; effective in fending off misbehavior
  - The more frequent interactions, the more dependent on connectivity

| Metrics \ Strategies | Preloading & Overlapping | Preloading & Nonoverlapping | On-demand & Overlapping | On-demand & Nonoverlapping |
|---|---|---|---|---|
| Storage size | large | large | small | small |
| Pseudonym quantity | fixed & low volume | fixed & high volume | varying | varying |
| Pseudonym lifetime | long | short | varying | varying |
| V-VPKI communication frequency | low | low | high | high |
| Communication overhead | low | low | high | high |
| Efficient pseudonym utilization | very low | very low | high | high |
| Pseudonym revocation | difficult & challenging | difficult & challenging | no need (lower risk) | no need (lower risk) |
| Pseudonym vulnerability window | wide | wide | narrow | narrow |
| Resilience to Sybil-based misbehavior | × | ✓ | × | ✓ |
| User privacy protection (probability of linking sets of pseudonyms based on timing information) | high (probability of linking: low) | low (probability of linking: high) | high (probability of linking: low) | low (probability of linking: high) |
| User privacy protection (duration for which a pseudonym provider can trivially link sets of pseudonyms for the same vehicle; the longer the duration, the higher the chance to link sets of pseudonyms) | low (long duration) | low (long duration) | high (short duration) | high (short duration) |
| Effect on safety application operations | low | low | high | high |
| Deployment cost (e.g. RSU) | low | low | high | high |
| Proposals & schemes | C2C-CC [1], PRESERVE [2], CAMP VSC3 [3, 4] | SeVeCom [5], Safety Pilot | SRAAC [6], V-tokens [7], CoPRA [8] | VeSPA, SEROSA, SECMACE [9, 10], PUCA [11] |

M. Khodaei et al., “Evaluating On-demand Pseudonym Acquisition Policies in Vehicular Communication Systems,” in Proceedings of the IoV/VoI, Paderborn, Germany, July 2016.

On-demand Pseudonym Acquisition Policies

[Figure: pseudonym lifetimes $\tau_P$ over System Time for one trip from $t_{start}$ to $t_{end}$ (Trip Duration) under three policies: User-controlled policy (P1), Oblivious policy (P2) with request interval $\Gamma_{P2}$, and Universally fixed policy (P3) with request interval $\Gamma_{P3}$. Unused pseudonyms and an expired pseudonym are marked.]

- P1 & P2: Requests could act as user “fingerprints”; the exact time of requests and all subsequent requests until the end of trip could be unique, or one of few [12]
- P3: Requesting intervals fall within the “universally” fixed interval $\Gamma_{P3}$, and pseudonyms are aligned with the VPKI clock [12]

M. Khodaei et al., “Evaluating On-demand Pseudonym Acquisition Policies in Vehicular Communication Systems,” in Proceedings of the IoV/VoI, Paderborn, Germany, July 2016.

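The timing fingerprint of P1/P2 versus the clock alignment of P3, as an added example that is not from the slides or the authors. It assumes that under P1/P2 pseudonym lifetimes start at the vehicle's own trip start and under P3 on the VPKI clock grid; the function names and trip times are constructed for illustration.

```python
from collections import Counter

def validity_periods(trip_start, trip_end, tau_p, aligned):
    """Return (not_before, not_after) pairs covering one trip.

    aligned=False: lifetimes start at the vehicle's own trip start
                   (assumed behaviour of P1/P2).
    aligned=True:  lifetimes snap to the VPKI clock grid k * tau_p
                   (assumed behaviour of P3).
    """
    first = (trip_start // tau_p) * tau_p if aligned else trip_start
    return [(t, t + tau_p) for t in range(first, trip_end, tau_p)]

def timing_anonymity_sets(trips, tau_p, aligned):
    """Group vehicles by the phase of their pseudonym lifetimes.

    The phase (not_before mod tau_p) is readable from any pseudonym
    certificate, so vehicles with a unique phase can be followed across
    pseudonym changes. Returns {vehicle: size of its phase group}.
    """
    phase = {
        v: validity_periods(s, e, tau_p, aligned)[0][0] % tau_p
        for v, (s, e) in trips.items()
    }
    sizes = Counter(phase.values())
    return {v: sizes[p] for v, p in phase.items()}

# Constructed sample: (trip start, trip end) in seconds of system time.
TRIPS = {
    "V1": (7, 400),
    "V2": (67, 300),
    "V3": (130, 500),
    "V4": (251, 700),
    "V5": (19, 260),
}

if __name__ == "__main__":
    tau_p = 60
    print("P1/P2 style:", timing_anonymity_sets(TRIPS, tau_p, aligned=False))
    print("P3 style:   ", timing_anonymity_sets(TRIPS, tau_p, aligned=True))
```

With $\tau_P = 60$ s, three of the five constructed vehicles are alone in their phase group without alignment, while alignment puts all five in one group.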
Problem Statement

Challenges
- How to ensure vehicle operation without harming user privacy, if the VPKI is unreachable?
  - Intermittent coverage (sparsely-deployed RSUs), highly overloaded cellular infrastructure, VPKI under an attack, e.g., DDoS [9]
- Baseline hybrid scheme: issuing on-the-fly self-certified pseudonyms [13]
  - Vehicles without VPKI-provided pseudonyms would “stand out in a crowd”: different certificate format (Group Signatures (GS)-based) and timing information

Contributions
- RHyTHM: A cooperative & adaptive scheme
  - Improving privacy for VPKI-disconnected vehicles without deteriorating the privacy of others
  - At the expense of a reasonable computational overhead
- Strong adversarial model
  - Increased protection against honest-but-curious VPKI entities [9]: correct execution of protocols, but motivated to profile users
  - Compromising RHyTHM by performing Sybil-based misbehavior or DoS attacks

Our Solution: RHyTHM

Protocol 1: RHyTHM Initiation Protocol

    procedure RHyTHMInit($t_s, t_e$)
        for i := 1 to n do
        Begin
            Generate($K_v^i, k_v^i$)
            $\zeta \leftarrow (K_v^i, t_s^i, t_e^i)$
            $(K_v^i)_{\Sigma_{k_v^i}} \leftarrow$ Sign($gsk_v, \zeta$)
        End
        $Flag_{rhythm} \leftarrow$ True
        CAM $\leftarrow$ {Fields, $Flag_{rhythm}$, $t_{now}$}
        $(CAM)_{\sigma_{k_v^i}} \leftarrow$ Sign(CAM, $K_v^i$)
    end procedure

- Registration phase: LTCA and Group Manager (GM)
- A universally fixed interval, $\Gamma$, to refill pseudonyms pool
- Aligning pseudonyms lifetimes
- Elliptic Curve Digital Signature Algorithm (ECDSA) key pairs
- If b = True, the vehicle will utilize its self-certified pseudonym; otherwise, it relies on its VPKI-provided pseudonym.

[Figure: timeline over System Time for vehicles V1 to V5 within one interval $\Gamma$, split into pseudonym lifetimes $\tau_P$. Each lifetime is marked as a VPKI-provided or a self-certified pseudonym according to a per-period flag b = True / b = False; the processing time to generate a self-certified pseudonym and $t_{now}$ are annotated.]

[Figure: two plots, "Baseline Scheme" and "RHyTHM Scheme". x-axis: System Time [sec]; y-axis: Percentage of Nodes; series: Using VPKI-provided Pseudonyms, Using Self-certified Pseudonyms. 1% of nodes run out of pseudonyms ($\tau_P = 60$ sec, $r = 0.5$).]

Security & Privacy Analysis

- Non-repudiation, authentication and integrity
  - Pseudonyms, group signing key, and digital signatures
- Thwarting Sybil-based misbehavior
  - Hardware Security Module (HSM) ensures signatures under one private key of a single valid pseudonym
  - Employing “n-times anonymous authentication” scheme [14, 13]
- Revocation
  - The RA interacts with the PCA, GM, and LTCA to resolve and possibly revoke a misbehaving vehicle
  - Distributing Certificate Revocation Lists (CRLs)
- Thwarting clogging Denial of Service (DoS) attack
  - Ignoring RHyTHM initiation query if VPKI is reachable
  - RHyTHM only lasts while the VPKI is out of reach

Security & Privacy Analysis (cont’d)

- N: Vehicles with VPKI-provided pseudonyms, joining RHyTHM
- M: Vehicles without VPKI-provided pseudonyms, joining RHyTHM
- r: The probability of switching to self-certified pseudonyms
- Privacy metric: Probability of linking two pseudonyms belonging to the same vehicle

If all vehicles join RHyTHM:

Baseline scheme:
$Pr_{vpki\text{-}2\text{-}vpki} = \frac{1}{N}$

RHyTHM scheme:
$Pr_{vpki\text{-}2\text{-}vpki} = \frac{1 - r}{N - (r \times N)} = \frac{1}{N}$

RHyTHM scheme:
$Pr_{vpki\text{-}2\text{-}selfcertified} = \frac{r}{M + (r \times N)} = \frac{1}{N + \frac{M}{r}}$ ($\frac{1}{N + \frac{M}{r}} < \frac{1}{N}$, if $M > 0$)

[Figure: two plots, "The Baseline Scheme" and "The RHyTHM Scheme". x-axis: M; y-axis: Probability of Linking; series: With VPKI Psnyms, Without VPKI Psnyms.]
Figure: Comparing the probability of linking two successive pseudonyms using baseline and RHyTHM schemes ($N = 100$, $r = 0.2$).

Security & Privacy Analysis (cont’d)

A fraction of vehicles never join RHyTHM

- K: Vehicles with VPKI-provided pseudonyms, never joining RHyTHM

$Pr = \frac{K}{[K + (N - K) \times (1 - r)]^2} + \frac{N - r \times (N - K) - K}{[K + (N - K) \times (1 - r)]^2} \times (1 - r)$

- If $K = 0$ or $K = N$, the probability of linking on average becomes $\frac{1}{N}$.
- The probability of linking two successive VPKI-provided pseudonyms, if participating in RHyTHM, is always less than the one if not joining RHyTHM.

[Figure: x-axis: K; y-axis: Probability of Linking; series: Average Probability, Vehicles Not Using RHyTHM, Vehicles Using RHyTHM.]
Figure: Probability of linking two successive VPKI-provided pseudonyms, belonging to a given vehicle ($N = 100$, $r = 0.5$).

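The linking probabilities from the two analysis slides, evaluated exactly with rational arithmetic; this is an added example, not code from the slides or the authors. The function names, the sample values of M and K, and the per-group split in `partial_join` (this example's reading of the formula's two terms and of the figure legend) are assumptions made here.

```python
from fractions import Fraction as F

def vpki_to_vpki(N, r):
    """All join RHyTHM: keep a VPKI pseudonym (1-r), hide among N - r*N users."""
    return (1 - r) / (N - r * N)

def vpki_to_selfcertified(N, M, r):
    """All join RHyTHM: switch (r), hide among M + r*N self-certified users."""
    return r / (M + r * N)

def partial_join(N, K, r):
    """K of the N vehicles never join. Returns (not_using, using, average).

    'average' is the slide's formula; 'not_using' and 'using' are the
    per-group probabilities assumed here to be what the figure plots.
    """
    pool = K + (N - K) * (1 - r)   # expected vehicles still on VPKI pseudonyms
    not_using = 1 / pool
    using = (1 - r) / pool
    average = K / pool**2 + (N - r * (N - K) - K) / pool**2 * (1 - r)
    return not_using, using, average

def worst_case_K(N, r):
    """K in 0..N that maximises the average linking probability."""
    return max(range(N + 1), key=lambda K: partial_join(N, K, r)[2])

if __name__ == "__main__":
    N = 100
    print("all join, r=0.2, vpki->vpki:", vpki_to_vpki(N, F(1, 5)))
    for M in (0, 20, 100):  # constructed sample values
        p = vpki_to_selfcertified(N, M, F(1, 5))
        print(f"  M={M:3d}  vpki->selfcertified = {float(p):.4f}")
    for K in (0, 25, 50, 75, 100):  # constructed sample values
        nu, u, avg = (float(x) for x in partial_join(N, K, F(1, 2)))
        print(f"  K={K:3d}  not_using={nu:.4f}  using={u:.4f}  average={avg:.4f}")
    print("worst-case K for r=0.5:", worst_case_K(N, F(1, 2)))
```

For $N = 100$, $r = 0.5$ the average is $\frac{1}{N}$ only at $K = 0$ and $K = N$ and is highest at $K = 33$.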