Survey of Vehicular Network Security

1
Survey of Vehicular Network Security

• Jonathan Van Eenwyk

2
Contents

• Design Issues
• Certificate-Based Solution
• Privacy Concerns
• Data Validation

3
Design Issues

• The Security and Privacy of Smart Vehicles
• IEEE Security and Privacy, May/June 2004 Hubaux,
  Capkun, Luo
• Attacks on Inter-Vehicle Communication Systems-an
  Analysis
• Aijaz, et al (supported by industry)
• Challenges in Securing Vehicular Networks
• HotNets-IV Parno and Perrig
• Security Issues in a Future Vehicular Network
• European Wireless, 2002 Zarki, et al

4
Design Issues

• The Security and Privacy of Smart Vehicles
• IEEE Security and Privacy, May/June 2004 Hubaux,
  Capkun, Luo
• System model
• Ad-hoc communication between vehicles and base
  stations
• Base stations provide services
• Vehicles provide sensor data
• Vehicles have more resources than most ad-hoc
  networks
• Applications
• Traffic and safety alerts
• Travel tips
• Infotainment (including Internet access)

5
Design Issues

• The Security and Privacy of Smart Vehicles
• IEEE Security and Privacy, May/June 2004 Hubaux,
  Capkun, Luo
• Challenges
• Authentication and data encryption
• Auditing sensor data
• Privacy (avoid tracking)
• Infrastructure boot-strapping
• Negative perception of smart vehicles

6
Design Issues

• The Security and Privacy of Smart Vehicles
• IEEE Security and Privacy, May/June 2004 Hubaux,
  Capkun, Luo
• Key Features
• Context sensors (front-end radar, ultra-sound,
  etc)
• Event data recorder (i.e., black box)
• Tamper-proof device to handle encrypted
  transmissions
• Location detection (GPS or distance bounding)
• Communication with road-side base stations

7
Certificate-Based Solution

• The Security of Vehicular Networks
• EPFL Technical Report, March 2005 Raya, Hubaux
• Certificate Revocation in Vehicular Networks
• LCA Report 2006 Raya, Jungels, Papadimitratos,
  Aad, Hubaux

8
Certificate-Based Solution

• The Security of Vehicular Networks
• EPFL Technical Report, March 2005 Raya, Hubaux
• Attacks
• Bogus information
• Message tampering
• Cheating (data manipulation, impersonation)
• Identity disclosure for vehicle tracking
• Denial of service

9
Certificate-Based Solution

• The Security of Vehicular Networks
• EPFL Technical Report, March 2005 Raya, Hubaux
• Security Mechanisms
• Electronic License Plate (post-mortem auditing)
• Asymmetric encryption using public key
  infrastructure
• Large number of anonymous keys (no identity
  information)
• Vehicles frequently change keys to avoid tracking
• Keys can be revoked (more later)
• Physical layer protection against denial of
  service
• Channel switching
• Implement more than one communication technology

10
Certificate-Based Solution

• Certificate Revocation in Vehicular Networks
• LCA Report 2006 Raya, Jungels, Papadimitratos,
  Aad, Hubaux
• Revocation using Compressed Certificate
  Revocation Lists (RC2RL)
• Large number of vehicles, so potentially huge
  revocation list
• Lossy compression using Bloom filter
• Configurable rate of false positives
• Definitely no false negatives
• Bit vector of length m
• Hash a with k hashing functions
• Each function sets one bit
• Later, verify membership if all k bits are set as
  expected

11
Certificate-Based Solution

• Certificate Revocation in Vehicular Networks
• LCA Report 2006 Raya, Jungels, Papadimitratos,
  Aad, Hubaux
• Revocation of the Tamper-Proof Device (RTPD)
• Send message to vehicles TPD to revoke all
  activity
• Send to base stations nearest last known location
• Broadcast over low-bandwidth radio (AM/FM) or
  satellite
• Lower overhead approach as long as TPD is
  reachable
• Send localized revocation list to surrounding area

12
Certificate-Based Solution

• Certificate Revocation in Vehicular Networks
• LCA Report 2006 Raya, Jungels, Papadimitratos,
  Aad, Hubaux
• Distributed Revocation Protocol (DRP)
• Vehicles that detect malicious nodes can warn
  others
• Requires an honest majority
• Warnings have lower weight if sending node has
  also been condemned by other nodes
• Node 4 condemns node 2
• But this warning has less weight because node 4
  has itself been condemned by nodes 1 and 3

1
4
2
3
13
Privacy Concerns

• Balancing Auditability and Privacy in Vehicular
  Networks
• Q2SWinet '05 Choi, Jakobsson, Wetzel
• CARAVAN Providing Location Privacy for VANET
• ESCAR '05 Sampigethaya, Huang, Li, Poovendran,
  Matsuura, Sezaki

14
Privacy Concerns

• Balancing Auditability and Privacy in Vehicular
  Networks
• Q2SWinet '05 Choi, Jakobsson, Wetzel
• Provide privacy
• From peer-to-peer vehicles
• From infrastructure authorities
• Support auditability
• Linkability between anonymous handles and owner
  identity
• Requires off-line permission granting (court
  order, etc)

15
Privacy Concerns

• Balancing Auditability and Privacy in Vehicular
  Networks
• Q2SWinet '05 Choi, Jakobsson, Wetzel
• Two-Level Infrastructure
• Back-end (ombudsman)
• Creates long-term handle from node identities
• Nodes initialized with set of handles
• Off-line approval can grant identity from
  pseudonym
• Front-end (road-side base stations)
• Uses short-term pseudonyms created from long-term
  handles
• Pseudonym and shared key created from handle and
  timestamp

16
Privacy Concerns

• CARAVAN Providing Location Privacy for VANET
• ESCAR '05 Sampigethaya, Huang, Li, Poovendran,
  Matsuura, Sezaki
• Provide privacy from vehicle location tracking
• Proposed Techniques
• Update pseudonym after random silence period
• Fixed-interval updates can be tracked by
  estimating trajectory
• Silence period obscures nodes if other nodes are
  present
• Designate group leader to proxy communications
• Avoids redundant transmissions
• Extends length of time to use each pseudonym

17
Data Validation

• Probabilistic Validation of Aggregated Data in
  Vehicular Ad-hoc Networks
• VANET '06 Picconi, Ravi, Gruteser, Iftode
• Detecting and Correcting Malicious Data in VANETs
• VANET '04 Golle, Grenne, Staddon

18
Data Validation

• Probabilistic Validation of Aggregated Data in
  Vehicular Ad-hoc Networks
• VANET '06 Picconi, Ravi, Gruteser, Iftode
• Allow sensor data to be aggregated
• Use signing certificates to validate data
• Randomly force one complete record to be included
• Relies heavily on tamper-proof device

19
Data Validation

• Detecting and Correcting Malicious Data in VANETs
• VANET '04 Golle, Grenne, Staddon
• Nodes attempt to identify malicious data via
  information sharing
• Nodes detect neighbors and contribute to global
  database
• Malicious nodes may contribute invalid or spoofed
  data
• May try to fake a traffic jam
• Friendly nodes build models to explain database
  observations
• Is there one malicious node attempting to spoof
  three other nodes?
• Are all four nodes malicious?
• Possible heuristic choose scenario with fewest
  bad and spoofed nodes

20
Data Validation

• Detecting and Correcting Malicious Data in VANETs
• VANET '04 Golle, Grenne, Staddon
• Example
• Actual Scenario
• Possible Explanations

21
Questions?