The Key to Intelligent Transportation: Identity and Credential Management in Vehicular Communication Systems
Mohammad Khodaei and Panos Papadimitratos
Networked Systems Security Group
Dec, 2015
M. Khodaei and P. Papadimitratos (KTH), LCN Seminar, Dec, 2015

Secure Vehicular Communication (VC) System
[Figure: system overview. Entities shown: RCA, LTCA, PCA, RA, LDAP, RSU and 3/4G links, across Domain A, Domain B and Domain C. Legend: A certifies B; cross-certification; communication link; message dissemination.]

Hierarchical Organization of the VC Security Infrastructure
[Figure: hierarchy of HCA 1 ... HCA K, LTCA 1 ... LTCA L and PCA 1 ... PCA M. Legend: A certifies B; cross-certification; communication link.]

VPKI Architecture

State-of-the-art
- Projects: SEVECOM, EVITA, PRECIOSA, OVERSEE, DRIVE-C2X, PRESERVE, CAMP-VSC3
- Standardization and Harmonization: IEEE 1609.2, ETSI and C2C-CC: VC related specifications for privacy-preserving architectures
- Vehicular Public Key Infrastructure (VPKI)
- Do we indeed have a cornerstone on which to build secure and privacy-protecting VC systems?
- More precisely, do we have all answers needed to deploy an identity and credential management infrastructure for VC?

Privacy Challenges
- Stronger adversarial model [1]
  - User privacy protection against honest-but-curious entities
- Inference of service provider or time
  - LTCA infers relevant information from the requests [2]
  - Direct (C2C-CC design) or indirect (ticket-based designs) approaches
  - Actual pseudonym acquisition period
  - Targeted PCA that the vehicle seeks to obtain credentials from
- Trivially linking pseudonyms issued by the PCA
- Fully-trusted proxy-based scheme (CAMP) [3] that shuffles the requests
  - Honest-but-curious proxy?
[1] Gisdakis et al., 2013 and Khodaei et al., 2014.
[2] Khodaei et al., 2014.
[3] Whyte et al., 2013.

Resilience Considerations
- Sybil-based misbehavior
  - Acquisition of multiple simultaneously valid credentials
- Allow several pseudonyms valid simultaneously for a specific period of time (C2C-CC or CAMP project)
  - Changing the certificate in a critical traffic situation (e.g., intersection, accident)
  - Safety applications necessitate partial linkability
- But what if a vehicle gets compromised?
  - Injecting multiple erroneous hazard notifications
- VPKI should ensure a compromised vehicle cannot obtain multiple pseudonyms valid simultaneously [4], along with enforcing a policy on the vehicle side
- Standardization bodies and harmonization efforts do not preclude such misbehavior
[4] Khodaei et al., 2014.

Pseudonym Lifetime Policy
- Ideally one pseudonym for a single message authentication
  - But costly, e.g. 10 beacons per sec.
- Safety applications necessitate partial linkability
  - E.g. collision avoidance: inferring a collision hazard based on unlinkable CAMs is hard; requires precise location information
- No conclusive view or guideline for pseudonym lifetime policy
- Sybil-based misbehavior → Non-overlapping lifetime
- Flexible access to PCA → undermine unlinkability
  - Timing information makes sets of pseudonyms linkable
[Figure: plot over Pseudonym Lifetime [sec], 0 to 60.]
M. Khodaei, et al., "Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management Infrastructure," in IEEE VNC, Paderborn, Germany, Dec. 2014.

Revocation
- Eviction of the wrongdoers in case of misbehavior
- Not straightforward in VC systems
  - Multiplicity of pseudonyms
  - Very large number of pseudonyms, thus huge revocation list
  - Efficient distribution of the revocation list among mobile entities
  - Limited memory and bandwidth consumption for OBU through usage of CRL
- Diminish such vulnerability
  - Requiring the vehicles to interact with the VPKI regularly or at least as frequently as dissemination of information by PCA
- The remaining challenge: No consensus on the need and the method
  - C2C-CC recommendation to preload with 1500 pseudonyms for a year and let them expire (no revocation)
  - Timely dissemination of credential validity information
  - Time, cost, bandwidth, network accessibility, etc.

Other Challenges
- Extending to anonymous authentication primitives
  - Group signature schemes [5]
  - Zero-knowledge proof [6]
- Extensive experimental validation
  - SEROSA [7]
  - SR-VPKI [8]
- Operational challenges:
  - Who is in charge of the identity and credential management
  - How to establish the trust:
    - [Saab, Scania, Volvo] and [Volkswagen, BMW]
    - [EU] and [US]
[5] Papadimitratos et al., 2007 & Perrig et al., 2009.
[6] Förster et al., 2014.
[7] Gisdakis et al., 2013.
[8] Khodaei et al., 2014.

Identity and Credential Management in Vehicular Communication Systems
Questions and Discussion

Pseudonym Lifetime Policy
[Figure: two plots, "Flexible lifetimes" and "Fixed lifetimes", each over Pseudonym Lifetime [sec], 0 to 60.]
- Non-overlapping pseudonym lifetimes from eavesdroppers' perspective
- Distinct lifetimes per vehicle make linkability easier
- Uniform pseudonym lifetime in a domain
- No distinction among obtained pseudonyms set, thus less probable to link pseudonyms

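
Added example (not from the slides or the authors' code): a small model for evaluating a lifetime policy, comparing flexible per-vehicle lifetimes with a uniform domain-wide lifetime. It checks the non-overlap (Sybil) property and measures how many pseudonyms an observer cannot tell apart at each change. The request values, the shared domain clock for the fixed policy and all function names are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample: (first start [s], lifetime [s]) requested by each vehicle.
FLEXIBLE = [(0, 12), (1, 15), (2, 20), (3, 25)]   # each vehicle picks its own
FIXED = [(0, 10)] * 4                             # domain-wide lifetime, shared clock

def issue(requests, horizon=60):
    """Issue back-to-back pseudonyms per vehicle: list of (vehicle, start, end)."""
    certs = []
    for vehicle, (start, lifetime) in enumerate(requests):
        while start < horizon:
            certs.append((vehicle, start, start + lifetime))
            start += lifetime
    return certs

def non_overlapping(certs):
    """Sybil check: no vehicle holds two pseudonyms valid at the same instant."""
    by_vehicle = defaultdict(list)
    for vehicle, start, end in certs:
        by_vehicle[vehicle].append((start, end))
    return all(a_end <= b_start
               for spans in by_vehicle.values()
               for (_, a_end), (b_start, _) in zip(sorted(spans), sorted(spans)[1:]))

def successor_candidates(certs):
    """Observer sees only validity intervals; a successor starts when its
    predecessor ends. Returns the candidate-set size for every pseudonym change."""
    starting_at = defaultdict(int)
    for _, start, _ in certs:
        starting_at[start] += 1
    return [starting_at[end] for _, _, end in certs if starting_at[end]]

def mean_anonymity_set(requests):
    """Average number of equally plausible successors per pseudonym change."""
    sizes = successor_candidates(issue(requests))
    return sum(sizes) / len(sizes)

if __name__ == "__main__":
    for name, reqs in (("flexible", FLEXIBLE), ("fixed", FIXED)):
        print(name, non_overlapping(issue(reqs)), mean_anonymity_set(reqs))
```

Both policies satisfy the non-overlap property; only the uniform lifetime leaves the observer with more than one plausible successor at each change.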