1

Jean-Pierre Hubaux

With contributions from Srdjan Capkun¹, Panos Papadimitratos, and Maxim Raya

Laboratory for computer Communications and Applications (LCA)

¹Now with Safe and Secure IT-Systems Group, Informatics and Mathematical Modeling (IMM),

Technical University of Denmark

Securing Vehicular Communications

2

Outline

Motivation

Threat model and specific attacks

Security architecture

Security analysis

Performance evaluation

Certificate revocation

Secure positioning

Conclusion

3

What is a VANET(Vehicular Ad hoc NETwork)?

Roadside base station

Inter-vehicle communications

Vehicle-to-roadside communications

Emergency event

• Communication: typically over the Dedicated Short Range Communications (DSRC) (5.9 GHz)

• Example of protocol: IEEE 802.11p• Penetration will be progressive (over 2 decades or so)

4

Vehicular communications: why?

Combat the awful side-effects of road traffic• In the EU, around 40’000 people die yearly on the roads;

more than 1.5 millions are injured• Traffic jams generate a tremendous waste of time and of fuel

Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

5

Why is VANET security important?

Large projects have explored vehicular communications: Fleetnet, PATH (UC Berkeley),…

No solution can be deployed if not properly securedThe problem is non-trivial• Specific requirements (speed, real-time constraints)• Contradictory expectations

Industry front: standards are still under development and suffer from serious weaknesses • IEEE P1609.2: Standard for Wireless Access in Vehicular Environments

- Security Services for Applications and Management Messages

Research front• Very few papers

6

A smart vehicle

Forward radar

Computing platform

Event data recorder (EDR)Positioning system

Rear radar

Communication facility

Display

(GPS)

Human-Machine Interface

7

Threat model

An attacker can be:

• Insider / Outsider

• Malicious / Rational

• Active / Passive

• Local / Extended

Attacks can be mounted on:

• Safety-related applications

• Traffic optimization applications

• Payment-based applications

• Privacy

8

Attack 1 : Bogus traffic information

Traffic jam

ahead

Attacker: insider, rational, active

9

Attack 2 : Disruption of network operation

SLOW DOWN

The way is clear

Attacker: insider, malicious, active

10

Attack 3: Cheating with identity, speed, or position

Wasn’t me!

Attacker: insider, rational, active

11

Attack 4: Jamming

Roadside base station

Jammer

12

Attack 5: Tunnel

13

Attack 6: Tracking

A

* A at (x1,y1,z1)at time t1

* A communicates with B

* A refuels at time t2 and location

(x2,y2,z2)

1

2

AB

A

* A enters the parking lot at time

t3* A downloads from server X

3

14

Penetration and connectivity

Courtesy of Pravin Varaiya

First level approximation:

15

Number of hops Vs penetration (1/2)

16

Hopping on vehicles in the reverse direction

17

Number of hops Vs penetration (2/2)

18

Proposed homework: compute connectivity in this case

Please send your solution to: jean-pierre.hubaux@epfl.ch

19

Our scope

We consider communications specific to road traffic:

safety and traffic optimization (including finding a parking

place)

• Safety-related messages

• Messages related to traffic information

We do not consider more generic applications,

e.g. toll collect, access to audio/video files, games,…

20

Security system requirements

Sender authentication

Verification of data consistency

Availability

Non-repudiation

Privacy

Real-time constraints

21

Security Architecture

Certificate Authority

≈ 100 bytes ≈ 140 bytesSafety

messageCryptographic

material

{Position, speed, acceleration, direction,

time, safety events}

{Signer’s digital signature, Signer’s public key PK, CA’s certificate of PK}

Authenticated message

Data verification

Secure positioning

Tamper-proof device

Event data recorder

Secure multihop routing

Services (e.g., toll payment or

infotainment)

22

Tamper-proof device

Each vehicle carries a tamper-proof device• Contains the secrets of the vehicle itself• Has its own battery• Has its own clock (notably in order to be able to sign

timestamps)• Is in charge of all security operations• Is accessible only by authorized personnel

Tamper-proof device

Vehicle sensors(GPS, speed and acceleration,…)

On-boardCPU

Transmissionsystem

((( )))

23

Digital signatures

Symmetric cryptography is not suitable: messages are standalone, large scale, non-repudiation requirement

Hence each message should be signed with a DS

Liability-related messages should be stored in the EDR

24

VPKI (Vehicular PKI)

PKI

Security servicesPositioning

ConfidentialityPrivacy

...

CA

PA PB

AuthenticationAuthentication

Shared session key

Each vehicle carries in its Tamper-Proof Device (TPD):• A unique and certified identity: Electronic License Plate (ELP)• A set of certified anonymous public/private key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

25

The CA hierarchy: two options

Country 1

Region 1 Region 2

District 1 District 2

Car A Car B Car A Car B

Manuf. 1 Manuf. 2

1. Governmental Transportation Authorities 2. Manufacturers

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

26

Anonymous keys

Preserve identity and location privacy

Keys can be preloaded at periodic checkups

The certificate of V’s ith key:

Keys renewal algorithm according to vehicle speed

(e.g., ≈ 1 min at 100 km/h)

Anonymity is conditional on the scenario

The authorization to link keys with ELPs is distributed

[ ] [ ]CAiSKiiV IDPuKSigPuKPuKCertCA

||=

27

What about privacy: how to avoid the Big Brother syndrome?

At 3:00- Vehicle A spotted at position P1

At 3:15- Vehicle A spotted at position P2

Keys change over timeLiability has to be enforced Only law enforcement agencies should be allowed to retrieve the real identities of vehicles (and drivers)

28

DoS resilience

Vehicles will probably have several wireless technologies onboardIn most of them, several channels can be used To thwart DoS, vehicles can switch channels or communication technologies

In the worst case, the system can be deactivated

Network layer

DSRC UTRA-TDD Bluetooth Other

29

Data verification by correlation

Bogus info attack relies on false dataAuthenticated vehicles can also send wrong data (on purpose or not)The correctness of the data should be verified Correlation can help

30

Security analysis

How much can we secure VANETs?

Messages are authenticated by there signatures

Authentication protects the network from outsiders

Correlation and fast revocation reinforce correctness

Availability remains a problem that can be alleviated

Non-repudiation is achieved because:• ELP and anonymous keys are specific to one vehicle

• Position is correct if secure positioning is in place

31

What PK cryptosystem to use?

Available options:• RSA Sign: the most popular but also has the largest key size

• ECDSA: the most compact

• NTRUSign: the fastest in signing and verification

• Other (XTR, HEC, Braid groups, Merkle trees, …)

Signature verification speed matters the most

Further improvements that can help:• Vehicles verify only relevant content

• Several messages may be signed with the same key

32

Performance comparison

PKCS Key, Sig size (bytes) Ttx(Sig) (ms)RSA 256 0.171

ECDSA 28, 56 0.019, 0.038

NTRU 197 0.131

PKCS Generation (ms) Verification (ms)

ECDSA 3.255 7.617

NTRU 1.587 1.488Memory-constrained Pentium II 400 MHz workstation

Key and signature size

Signature generation and verification

33

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay, number of received packets, and throughput is evaluated

Not to scale

34

How msg size affects Delay, …

NT

RU

No

secu

rity

EC

DSA

RSA

35

… Number of received packets, …

NT

RU

No

secu

rity

EC

DSA

RSA

36

… and Throughput

NT

RU

No

secu

rity

EC

DSA

RSA

37

Certificate revocation in VANETs¹

The CA has to revoke invalid certificates:

• Compromised keys

• Wrongly issued certificates

• A vehicle constantly sends erroneous information

Using Certificate Revocation Lists (CRL) is not appropriate

We propose 3 protocols to revoke a vehicle’s keys:

• Rev. of the Tamper-Proof Device (RTPD): CA revokes all keys

• Rev. by Compressed CRLs (RCCRL): if TPD is not reachable

• Distributed Revocation Protocol (DRP): initiated by peers; generates a

report to the CA, which triggers the actual revocation by RTPD/RCCRL

¹In collaboration with Daniel Jungels and Imad Aad

38

Revocation of the Tamper-Proof Device (RTPD)

secure message

Paging area

broadcast

broadcast secure message

broadcast compressed CRL

ACK(via BS)

2. IP-broadcast3. low-speed broadcast

1. IP-routing

query last known locations from accusations

M

TPD: erases keys + stops signing

39

Revocation by Compressed CRLs(RCCRL)

set “blacklisted” query “blacklisted”+ currently valid

compressed CRL

ignore msg from M ignore msg from M

M

broadcast

Low-speed broadcast

40

Distributed Revocation Protocol(DRP)

M A

B

C acc.-db

acc.-db

acc.-db

“M” +sig. A+sig. C

“M” +sig. A

Accusation-msgs against M

“M” +sig. A+sig. C+sig. B

+sig. B

report to CA

Disregard-msgs with supporting sigs. Disregard M

+sig. C

forward

Disregard M

Disregard M

+sig. B

41

Simulation scenarios

Afton Oaks (AO) Area: 1900mWest University (WU) Area: 2400m

Freeway (FW)

42

DRP speed

43

DRP coverage

An initially warned vehicle is aware of the attacker even before receiving messages from him

44

How to securely locate a vehicle

45

Positioning systems and prototypesSatellites: -GPS, Galileo, Glonass (Outdoor, Radio Frequency (RF) – Time of Flight (ToF))

General systems:- Active Badge (Indoor, Infrared(IR)), Olivetti- Active Bat, Cricket (Indoor, Ultrasound(US)-based), AT&T Lab Cambridge, MIT- RADAR, SpotON, Nibble (Indoor/Outdoor, RF- Received Signal Strength), Microsoft, Univof Washington, UCLA+Xerox Palo Alto Lab- Ultra Wideband Precision Asset Location System, (Indoor/Outdoor, RF-(UWB)-ToF), Multispectral solutions, Inc.

Ad Hoc/Sensor Network positioning systems (without GPS):- Convex position estimation (Centralized), UC Berkeley- Angle of Arrival based positioning (Distributed, Angle of Arrival), Rutgers- Dynamic fine-grained localization (Distributed), UCLA- GPS-less low cost outdoor localization (Distributed, Landmark-based), UCLA- GPS-free positioning (Distributed), EPFL

46

GPS

- A constellation of 24 Earth-orbiting operational satellites

- Each receiver can see at least 4 satellites simultaneously (to improve accuracy)

- Satellites emit low-power signals

- Positioning by 3-D trilateration

- Differential GPS can improve accuracy from several meters to a few centimeters.

47

GPS Security – Example of attack

A GPS simulator can send strong fake signals to mask authentic weak signals

GPS simulator

48

GPS Security

Other vulnerabilities• Relaying attack: connects the receiver to a remote antenna• Signal-synthesis attack: feeds the receiver with false signals• Selective-delay attack: predicts the signal Δt earlier

Security solutions• Tamper-resistant hardware• Symmetric crypto

• Problem: an authenticated receiver can hack the system• Asymmetric crypto

• Problem: additional delay

49

Distance measurement techniques

- Based on the speed of light (RF, Ir)

ts

A B(A and B are synchronized - ToF)

trdABm=(tr-ts)c

ts

- Based on the speed of sound (Ultrasound)

(A and B are NOT synchronized –Round trip ToF)

trdABm=(tr-ts-tprocB)c/2

tsA B

tr(RF)

dABm=(tr(RF)-tr(US))s

ts

tstr(US)

- Based on Received Signal Strength (RSS)

50

Attacks on RF and US ToF-based techniques

- Insider attacker: cheat on the time of sending (ts) or time of reception (tr)

ts1. Overhear and jam

2. Replay with a delay Δt

A B(A and B are assumed

to be synchronised)

trdABm=(tr-ts)c

ts (encrypted)

ts (enc.)

B

tr+Δt

dABm=(tr+Δt-ts)c

- Outsider attacker: 2 steps:

M

ts+Δt

M

=> dABm>dAB

51

Summary of possible attacks on distance measurement

Outsider attackers

RSS (Received Signal Strength)

Distance enlargement and

reduction

Distance enlargement and

reduction

Ultrasound Time of Flight

Distance enlargement and

reduction

Distance enlargement and

reduction

Radio Time of Flight

Distance enlargement and

reduction

Distance enlargement only

Insider attackers

52

The challenge of secure positioning

- Goals:- preventing an insider attacker from cheating about its own position

- preventing an outsider attacker from spoofing the position of an

honest node

- Our proposal: Verifiable Multilateration

53

Distance Bounding (RF)

ts

BS

NBS

Atr

- Introduced in 1993 by Brands and Chaum (to prevent the Mafia fraud attack)

ABS NN ⊕εt procA ≤

dreal ≤ db = (tr-ts)c/2 (db=distance bound)

54

Distance bounding characteristics

RSSDistance enlargement

and reduction Distance enlargement

and reduction

US ToFDistance enlargement

and reduction

Distance enlargement and

reduction

RF ToFDistance enlargement

and reductionDistance enlargement

only

RF Distance BoundingDistance enlargement

onlyDistance enlargement

only

US Distance BoundingDistance enlargement

onlyDistance enlargement

and reduction

Outsider attackersInsider attackers- RF distance bounding:- nanosecond precision required, 1ns ~ 30cm

- UWB enables clock precision up to 2ns and 1m

positioning indoor and outdoor (up to 2km)

- US distance bounding:- millisecond precision required,1ms ~ 35cm

55

Verifiable Multilateration(Trilateration)

x

y

(x,y)

BS1

BS2

BS3

Verification triangle

Distancebounding

A

56

Properties of Verifiable Multilateration- a vehicle located within the triangle cannot prove to be at another position within the triangle except at its true position.

- an outsider attacker cannot spoof the position of a vehicle such that it seems that the vehicle is at a position different from its real position within the triangle

- a vehicle located outside the triangle formed by the verifiers cannot prove to be at any position within the triangle

- an outsider attacker cannot spoof the position of a vehicle such that it seems that it is located at a position within the triangle, if the vehicle is out of the triangle

The same holds in 3-D, with a triangular pyramid instead of a triangleThe same holds in 3-D, with a triangular pyramid instead of a triangle

57

Conclusion on secure positioning

New research areaPositioning tout court is not yet completely solved (solutions will rely on GPS, on terrestrial base stations, and on mutual distance estimation)Time of flight seems to be the most appropriate technique

More information available at: http://spot.epfl.ch

Srdjan Capkun and Jean-Pierre Hubaux, Secure Positioning of Wireless Devices,Infocom 2005, JSAC Feb. 2006

58

Events and resources on Vehicular Networks

Conferences and journals• VANET, colocated with Mobicom• V2V-Com, co-located with Mobiquitous• WIT: Workshop on Intelligent Transportation• VTC: Vehicular Technology Conference• IV: Conference on Intelligent Vehicles• escar 2006: Workshop on Embedded security in Cars, Nov. 13-15,

Berlin (D) http://www.escarworkshop.org/• IEEE Transactions on Intelligent Transportation Systems• IEEE Transactions on Vehicular Technology

European industrial consortium: http://www.car-2-car.org/

http://ivc.epfl.ch

59

New European Project: SeVeCom• SeVeCom: Secure Vehicular Communications• http://www.sevecom.org• Started January 2006; Duration: 3 years; Total budget: 3 MEuros

60

Research topics

Topic Scope of work

A1 Key and identity management Fully addressed

A2 Secure communication protocols (including secure routing) Fully addressed

A3 Tamper proof device and decision on cryptosystem Fully addressed

A4 Intrusion Detection Investigation work

A5 Data consistency Investigation work

A6 Privacy Fully addressed

A7 Secure positioning Investigation work

A8 Secure user interface Investigation work

61

Conclusion

The security of vehicular communications is a difficult and highlyrelevant problemCar manufacturers seem to be poised to massively invest in thisareaSlow penetration makes connectivity more difficultSecurity leads to a substantial overhead and must be taken intoaccount from the beginning of the design processThe field offers plenty of novel research challengesPitfalls• Defer the design of security• Security by obscurity

More info at http://ivc.epfl.ch