Presentation on theme: "Efficient Privacy-Preserving Authentication for Vehicular Ad Hoc Networks Presenter ：楊尚光 Date ： 2014.12.15."— Presentation transcript:
Efficient Privacy-Preserving Authentication for Vehicular Ad Hoc Networks Presenter ：楊尚光 Date ： 2014.12.15
Outline Introduction System Model and Preliminaries Proposed Scheme Cooperative Authentication Security Analysis Performance Evaluation Related Work Conclusion
Introduction In general setting, a VANETs is composed of three components: On board Units (OBUs) equipped in mobile vehicles Fixed Roadside Units (RSUs) A central Trust Authority (TA) System model of VANETs
Introduction VANETs are expected to improve the driving experience, traffic safety, and multimedia infotainment dissemination for drivers and passengers. Vehicles communicate with each other, as well as with RSUs, through an open wireless channel, in which attackers can easily get users’ private information, such as identity, tracing, preference, etc., if they are not properly protected. Another characteristic of VANETs is high-speed mobility, leading to limited communication time among RSUs and vehicles.
Introduction As a result, we need to design an efficient authentication scheme with privacy preservation for VANETs. In VANETs, group signature is widely used for vehicles to achieve anonymous authentication since it allows any group member to sign a message on behalf of the group without revealing its real identity.
System Model and Preliminaries Trust Authority is a trusted management center of the network. It provides registration and certification for RSUs and OBUs when they join the network. It also divides the whole precinct into several domains, generates the group key and group signature materials for every domain, and then sends these materials to the RSUs in the domain. As usual, we assume that TA is powerful enough in terms of communication, computation, and storage capability, and it is infeasible for any adversary to compromise.
System Model and Preliminaries RSUs manage and communicate with vehicles in their communication range. They are bridges between TA and users, which connect with TA by wire and OBUs by wireless channel. RSUs are assumed to be semi-trust, i.e., they can operate as expected but may reveal data to an adversary. RSUs are also responsible for issuing the group key materials and group signature related keys to validate OBUs when OBUs join the domain.
System Model and Preliminaries OBUs periodically broadcast traffic-related status information containing its location, speed, and direction to improve the road environment, traffic safety, and multimedia infotainment dissemination for drivers and passengers. Each vehicle has a tamper-proof device (TPD) to store security-related materials
System Model and Preliminaries 預備知識 系統架構 比較和介紹、 TA 、 RSU 、 OBU 的特性和各自的方法 Hash Function, Hash Chain, HMAC Bilinear Pairing
System Model and Preliminaries Hash Function, Hash Chain, and HMAC HMAC is used to authenticate the source of a message and its integrity by attaching a message authentication code (MAC) to the message, which is accomplished by a cryptographic keyed hash function (such as MD5, SHA-256). In this paper, we use HMAC for two purposes: 1) ensuring the validity of senders’ identities, since only valid users can generate correct HMACs; and 2) checking the integrity of messages before batch verification, thus achieving the efficiency of batch verification.
Preliminaries Bilinear Pairing Bilinear e(u a,v b ) = e(u,v) ab for all u ∈ G 1, v ∈ G 2 and a, b ∈ Z p. Nondegeneracy e(g 1, g 2 ) ≠ 1 GT Admissible Map e and isomorphism ψ are efficiently computable.
Proposed Scheme A.System Initialization B.RSU’s Certificate Issuing C.Vehicle’s Certificate Issuing D.Secure Group Key Distribution and Batch Authentication
Proposed Scheme – System Initialization System Initialization Prime p and q such that q | p-1, q ≧ 2 140 and p ≧ 2 512 α ∈ Z p with order q, i.e., α q = 1(mod p), and α ≠ 1 a one-way hash function h: (0,1) ∗ → (0,1) l a random number s ∈ Z p * as its own private key so that SK TA = s Then, TA computes its public key PK TA = p s and publishes the tuple (p,q,α,h,PK TA ) as the system parameters.
Proposed Scheme – RSU’s and Vehicle’s Certificate Issuing TA divides its precinct into a few domains, each of which includes several RSUs. For RSU R x in domain D A, TA verifies its identity and issues the certificate Cert TA,Rx as follows. RSU’s Certificate Issuing 1.TA chooses a random number SK Rx ∈ Z ∗ q as the private key of R x and computes the public key PK Rx = p SKRx for R x. 2.TA generates the signature σ TA,Rx, where σ TA,Rx = Sig SKTA (PK Rx || D A ) 3.TA delivers SK Rx and Cert TA,Rx to R x, where Cert TAR The delivery of SK Rx must be via a secure channel, such as Secure Sockets Layer.
Proposed Scheme – RSU’s and Vehicle’s Certificate Issuing For vehicle V i, TA issues certificate Cert TA,Vi after verifying its identity as follows. Vehicle’s Certificate Issuing 1.TA chooses a random number SK Vi ∈ Z ∗ q as the privateVi key of V i and computes public key PK Vi = p SK for V i. 2.TA generates the certificate Cert TA,Vi of V i, where CertTA,Vi = Sig SKTA (PKV i ) 3.TA securely delivers SK Vi and Cert TA,Vi to V i offline during the vehicle inspection.
Proposed Scheme – Secure Group Key Distribution and Batch Authentication Secure Group Key Distribution and Batch Authentication 1.TA selects random generator g 2 ∈ G 2 and computes g 1 = ψ(g 2 ), where g 1 is the generator of G 1, and ψ is an isomorphism from G 2 to G 1 such as g 1 = ψ(g 2 ). 2.TA selects random numbers h, u, v ∈ 2G 1, and selects numbers s 1, s 2 ∈ Z p, such that u s 1 = v s = h. 3.TA selects random numbers γ ∈ Z p and and sets
Proposed Scheme – Secure Group Key Distribution and Batch Authentication
Rx stores the information as Vi also stores the information as Proposed Scheme – Algorithm 3 GK
Proposed Scheme – Algorithm 4 Algorithm 4: Message signed by V i Require: g 1, g 2, u, v, h, GPK DA, GSK DA,Vi. 1: Select random numbers α, β ∈ Z p. 2: Set t 1,i = αu, t 2,i = βv, t 3,i = A i + ( α + β )h. 3:Set δ = αx i and μ = βx i. 4: Select random number r α, r β, r x, r δ, r μ ∈ Z p. 5: Set S 1 = r α u S 2 = r β v S 3 = e(t 3,i, g 2 ) rx e(h, ( − r α − r β )w+( − r δ − r μ )g 2 ) S 4 = r x t 1,i − r δ u S 5 = r x t 2,i − r μ v 6: Set c=(S 3 λ H(M_Tstamp)+t1, i+t2, i+t3, i+S1+S2+S3+S4+S5 ) mod p. 7: Set s α = r α + c α s β = r β + c β s x = r x + cx i s δ = r δ + c δ s μ = r μ + c μ 8: σ = (t 1,i, t 2,i, t 3,i, c, s α, s β, s x, s δ, s μ ). 9: return msg = (M, T stamp, σ ).
Security Analysis Against RSU’s Compromission 1.Against False Charge 2.Nonrepudiation of Giving the Group Private Key to a Vehicle 3.Preventing Colluding With Vehicles Conditional Privacy Message Integrity and Source Authentication