Abstract

In vehicular ad hoc networks (VANETs), conditional privacy preserving authentication (CPPA) scheme is widely deployed to solve security and privacy issues. Existing CPPA schemes usually require ideal tamper-proof devices (TPDs) on vehicles which, however, might be infeasible or do not exist in reality due to high security requirements. To address this problem, we propose a practical framework of CPPA scheme that supports more realistic TPDs which are less secure correspondingly. We demonstrate that this framework also manages to achieve nonframeability in addition to other security objectives including nonrepudiation, conditional privacy preserving, and unlinkability. Moreover, performance analysis shows that our framework has better efficiency in authentication. All these features make our framework practical for VANETs.

1. Introduction

As one form of mobile ad hoc network in the domain of vehicles, vehicular ad hoc network (VANET) is a promising solution for improving road safety and driving experience. Generally, a VANET is composed of roadside units (RSUs) and vehicles equipped with electronic components such as wheel rotation sensors, radars, and on-board units (OBUs). Various sensors on the vehicle provide continuous monitoring of driving information, such as speed, direction, and position. OBUs enable vehicles to communicate not only with each other but also with RSUs via the Dedicated Short Range Communications (DSRC) technique. Thus, there are plenty of potential applications on VANETs, which can be categorized into safety-related applications, such as collision avoidance and automatic driving, and other applications, such as traffic navigation and infotainment.

For the security of VANET and its applications, especially safety-related applications, it is crucial to authenticate transmitted messages and the identities of their senders; otherwise any unauthorized vehicle could easily disseminate bogus messages or conduct other malicious behaviours without being caught, which might cause great damage to urban transportation systems and even endanger the lives of drivers and pedestrians. To authenticate itself to other entities, a vehicle might have to prove possession of secret information, which is usually saved in a tamper-proof device (TPD) on the vehicle. In addition to storage of secret data, TPD also provides computation services where secret information is involved. For instance, the simplest way to achieve authentication is using a digital signature. Every vehicle is assigned a public/private key pair, and TPD is responsible for storing private keys and generating signatures. Many authentication schemes [1–8] are designed under the assumption of using an ideal TPD that can never be compromised by an adversary to securely store secrets and to perform related calculations. However, this assumption might be too strong to be realistic in practice. Specifically, in VANET conditions, TPD might mistake normal shocks of the vehicle caused by uneven road surfaces for malicious tampering and erase all the secrets [9]. Moreover, it is possible for an adversary to collect sufficient information about secrets in TPD through side-channel attacks such as electromagnetic radiation [10] and power consumption analysis [11].

To address this problem, we loosen the security requirements on ideal TPD and consider a more realistic TPD for practical use. Compared to ideal TPD, realistic TPD is less sensitive to vehicle shocks but might be compromised by sophisticated hardware tampering. To cope with such hardware tampering as well as the aforementioned side-channel attacks, we assume that realistic TPD offers temporary storage of secrets and erases them regularly before an adversary obtains substantial information about them. In this work, we propose an efficient framework of CPPA scheme based on identity-based cryptography (IBC) that only requires realistic TPD.

Our framework also aims at achieving nonframeability [12]. That is, the trusted authority (TA) that serves a particular region as certification authority, and the RSUs, cannot forge messages to frame an innocent vehicle. TA in existing works (e.g., [6, 13]) usually holds all the secrets of vehicles, so it is quite simple for an unrestricted TA to impersonate any vehicle and forge its signature. In our framework, the key used for authentication is independently generated by the vehicle itself and stored in TPD. TA, which does not possess the authentication key of the vehicle, cannot impersonate the vehicle and successfully authenticate itself to RSU. Meanwhile, RSU’s master key, which is used to generate the signatures of messages sent by vehicles in our framework, is unknown to TA. Thus, TA also cannot forge the signature of a vehicle. Besides, RSU cannot forge it either, as pseudo-identity generation also requires the vehicle’s authentication key.

We design our framework with the objective of improving the efficiency of mutual authentication between vehicle and RSU. Since the location and identity of RSU are relatively fixed, RSU-to-vehicle (R2V) authentication is rather trivial and can be efficiently achieved by periodically broadcasting signed messages. However, vehicle-to-RSU (V2R) authentication in existing works (e.g., [13, 14]) needs the cooperation of TA. In contrast, V2R authentication in our framework does not require real-time interactions between RSUs and TA. Precisely, TA maintains a dynamic list that contains authentication-related information of vehicles, and every RSU is asked to store the latest copy of this list in the background. This list enables RSUs to complete the anonymous authentication of vehicles by themselves, which reduces the workload of TA and improves the efficiency of authentication. Generally, the main contributions of our work are as follows.
(i) We propose an efficient IBC-based framework of CPPA scheme to solve security and privacy issues in VANETs. Due to the support of realistic TPD, our framework is a practical authentication solution in reality.
(ii) Our framework achieves nonframeability. The authentication of a vehicle and the generation of a valid signature both require the vehicle’s self-chosen authentication key, which prevents TA and RSUs from framing an innocent vehicle.
(iii) In our framework, we design a mechanism to improve the efficiency of authentication. The overall workload of authentication is distributed to every RSU. Instead of participating in the process of authentication directly, TA just needs to maintain the latest information list for RSUs.
(iv) We give a specific analysis of our framework in terms of security and performance. We prove that this framework achieves all the security objectives in Section 3. Theoretical analysis of performance indicates that this framework provides excellent authentication efficiency.

The rest of the paper is organized as follows. Section 2 summarizes the related work on authentication schemes for VANETs. Section 3 introduces the architecture of VANETs and our design goals. Preliminary background of cryptographic primitives is provided in Section 4. In Section 5, we present our framework of CPPA scheme. Sections 6 and 7 give the comprehensive security analysis and performance evaluation of our framework, respectively. Section 8 concludes the paper.

2. Related Work

A number of related studies have been reported on the authentication issue in VANETs, and their proposed authentication schemes can be categorized into the following four types.

Schemes based on Public Key Infrastructure (PKI) [9, 15]. PKI issues a bunch of public/private key pairs and public key certificates to vehicles. Before sending a message, a vehicle has to attach a digital signature and a certificate to it, which might increase the communication overhead significantly. To achieve identity privacy and conditional anonymity, anonymous public keys are required for PKI and vehicles. The management of certificates, including revocation, could be a heavy burden on PKI.

Schemes based on symmetric cryptosystem [12, 16, 17]. A message authentication code (MAC) can be adopted to authenticate messages, and the verification of a message can be completed in an extremely short time. However, the process of message authentication might need the aid of RSUs, and a vehicle cannot authenticate received messages independently. TESLA [18] is an efficient broadcast authentication protocol based on MAC and loose time synchronization between network nodes. Based on TESLA and the prediction of vehicle direction, it is possible to achieve instant verification of beacon messages sent by vehicles. Unfortunately, this protocol allows an adversary to trace the trajectory of a vehicle.

Schemes based on group signature [1, 4, 19–22]. Group signature naturally provides privacy to group members because every member signs messages on behalf of the group. The group manager owns the master key of the group and is able to learn the real identities of group members, which satisfies the requirement of conditional privacy preservation. However, the verification of a group signature usually costs more time than that of a traditional signature. Also, properly revoking compromised group members is still a problem.

Schemes based on IBC [2, 6, 7, 13, 14, 23–25]. In an identity-based signature (IBS) scheme, the identity of a vehicle can be used as the public key, and the corresponding private key is generated by the private key generator (PKG) using the master key. Compared to PKI, it avoids the management of certificates. To achieve conditional privacy, vehicles communicate with other entities using pseudo-identities that are retrievable by authorities. Unfortunately, due to bilinear pairing operations, the time efficiency of IBS schemes is relatively lower than that of other traditional signature schemes. To improve the performance, batch verification is adopted to verify multiple signatures at the same time. Moreover, efficient one-time IBS [6, 13], identity-based online/offline signature (IBOOS) [7], and IBS without bilinear pairing [6] are also used in authentication schemes.

3. Background

3.1. Network Architecture

A VANET commonly consists of vehicles, RSUs, and TA, as shown in Figure 1.

TA plays the role of administrator in VANET and manages the authentication of network nodes, including vehicles and RSUs. To join the VANET, all the nodes must register themselves at TA in advance. Due to the mobility of vehicles, we consider a frequently changing group of vehicles that requires TA to provide a real-time registration service via secure network infrastructure. In contrast, the locations and total number of RSUs usually stay unchanged for a relatively long period of time. The registration of RSUs can be finished during the initialization phase. Also, TA maintains a list of registered vehicles and is responsible for revealing the real identities of misbehaving vehicles and revoking the licenses of these vehicles in time.

RSUs as roadside infrastructure are scattered all over the region of TA. Communication between RSU and TA relies on a wired channel, while RSU communicates with vehicles via a wireless channel using the DSRC protocol. RSUs forward messages not only between TA and vehicles but also from one vehicle to another. An RSU and the vehicles enrolled by it form a subgroup of the VANET. Vehicles that newly enter the transmission range of an RSU have to be authenticated by that RSU.

Every vehicle is equipped with an OBU to communicate with other entities in the VANET and support the DSRC protocol. A realistic TPD is also embedded in the vehicle. It provides temporary storage of secret information and related computation services, which is more feasible than an ideal TPD that never discloses any secrets. Therefore, secrets stored in TPD need to be updated regularly with the assistance of TA.

3.2. Design Goals

As a framework of CPPA scheme, our framework should satisfy the basic requirements: authentication, nonrepudiation, identity privacy preserving, and conditional traceability.
(i) Authentication: there are two kinds of authentication, message and entity authentication. Message authentication is confirming that received messages are generated by valid vehicles and unmodified during transmission. Entity authentication, also called mutual authentication, requires that two entities in a session are able to identify each other.
(ii) Nonrepudiation: this property refers to a situation where a receiver is able to prove to a third party that the sender cannot deny its responsibility for generating messages. It prevents an adversary from forging messages under other identities.
(iii) Identity privacy preserving: vehicles on the roads are required to frequently broadcast messages including position, speed, direction, and driving status. Identity privacy preservation means that nobody can discover the binding between messages and the real identities of vehicles.
(iv) Conditional traceability: in certain circumstances (e.g., traffic accidents), the real identities of vehicles should be retrievable. Conditional traceability enables only TA to recover the real identities of vehicles from saved messages.

Considering the particular scenario of VANET, we also attempt to achieve other meaningful properties at the same time.
(i) Nonframeability: this property requires that no entity in the VANET, including TA and RSUs, can frame an innocent vehicle or accuse an honest vehicle of having misbehaved. To achieve this security goal, we assume that TA does not collude with RSUs.
(ii) Ideal TPD freeness: under the premise of ensuring system security, this property proposed by Zhang et al. [13] permits the usage of a realistic TPD, or one with a sufficient security level, embedded in the vehicle, instead of an ideal one which can never be compromised by an adversary.
(iii) Unlinkability: let and be two messages sent by one vehicle; this property means that one cannot determine whether and originate from the same vehicle or not. Unlinkability prevents an adversary from tracking vehicles and profiling drivers.
(iv) Message confidentiality: in particular applications, messages should be transmitted to receivers in encrypted form and cannot be decoded by unauthorized entities.
(v) Attack resistance: this property requires that the proposed framework can withstand common attacks, such as replay attack, impersonation attack, modification attack, and side-channel attack.

4. Preliminaries

4.1. Cryptographic Schemes

A symmetric encryption scheme consists of three algorithms which are described as follows.
(i) : this algorithm takes as input security parameter and outputs key , where is the key space.
(ii) : this algorithm takes as input key and message and outputs ciphertext .
(iii) : this algorithm takes as input key and ciphertext and outputs message .

An identity-based signature (IBS) scheme is composed of four algorithms which are described as follows.
(i) : this algorithm takes as input security parameter and generates the public parameters and master key for the private key generator (PKG). Note that is kept secret.
(ii) : this algorithm takes as input master key and an identity and outputs a private key .
(iii) : this algorithm takes as input private key and message and generates a signature of message .
(iv) : this algorithm outputs “accept” if is a valid signature of message and outputs “reject” otherwise.

An identity-based online/offline signature (IBOOS) scheme is an IBS scheme where the process of generating a signature can be divided into offline and online phases:
(i) : based on public parameters , this algorithm generates an offline signature .
(ii) : based on private key , offline signature , and message , this algorithm generates a signature of message .

A one-time identity-based signature (OT-IBS) scheme is an IBS scheme with one-time private key . Similar to the signing key in a one-time signature scheme, every private key in OT-IBS can be used only once.

4.2. Cryptographic Hardness Assumption

Computational Diffie-Hellman (CDH) assumption: let be a group with prime order and is a random generator of , and is a probabilistic polynomial-time (PPT) algorithm that takes as input a tuple and outputs . We define the CDH-advantage of to be . The CDH assumption is that there is no PPT algorithm that can compute with nonnegligible CDH-advantage.

5. Proposed Framework of CPPA Scheme

5.1. Overview

In the initialization phase of our framework, TA generates parameters for the whole system. RSUs and vehicles are allowed to join the VANET after registration. A vehicle that drives into a new RSU region also needs to conduct mutual authentication with that RSU. To conceal the real identity of the vehicle from RSU, V2R authentication needs the assistance of a list maintained by TA that consists of authentication-related information of vehicles. If this authentication succeeds, the vehicle receives the master key of RSU and is able to sign messages under pseudo-identities. Only TA can recover the real identity of a vehicle from its pseudo-identities. There is also an efficient and secure mechanism for updating secrets (i.e., the authentication key of the vehicle and the master key of RSU) in TPD before an adversary has collected sufficient information via side-channel attacks. Notations used in our framework are defined as follows.
(i) : an IBS scheme that supports batch verification of multiple signatures.
(ii) : a symmetric encryption scheme with message space and key space .
(iii) : two cyclic groups with prime order .
(iv) : two generators of .
(v) : four hash functions , , , and .
(vi) : real identity of RSU or vehicle .
(vii) : pseudo-identity of vehicle .

5.2. System Initialization

In the initialization phase, TA generates parameters for the whole system, and all the RSUs and vehicles have to register themselves with TA before joining the VANET. Precisely, the system is initialized as follows.

TA Setup: TA runs algorithm to generate public parameters and system master key . TA also generates two cyclic groups with prime order and picks generators . Then it picks and computes which are used to generate pseudo-identities for vehicle. Hash functions , , , and are chosen by TA. The system public parameters are . TA also maintains a private list to record authentication information of registered vehicles as well as list that is only accessible to registered RSUs. The details of these lists are described later.

RSU Setup: since TA is the only party that owns in the current system, RSU with identity obtains its private key from TA. Besides, each RSU has to generate its own public parameters and master key by running algorithm . For the sake of system security, we require RSU to update its public parameters and master key regularly and to share its latest public parameters among all the registered RSUs.

Vehicle Setup: a vehicle should register itself with the local TA via secure network infrastructure as soon as it enters a new TA region. TPD on the vehicle is initialized to preload the system public parameters and all the identities of registered RSUs. Let be a vehicle with identity . Supposing that randomly picks at time , then its authentication key is . Vehicle computes and submits to TA. Then, TA picks and generates challenge and dynamic password for . Authentication key and challenge are saved in TPD on vehicle . Meanwhile, TA inserts tuple into list and tuple into list , where is the expiration date of these two tuples. When tuples in both lists have expired, TA forces the corresponding vehicles to update their authentication keys.

5.3. Mutual Authentication

Mutual authentication between vehicle and RSU happens when the vehicle is in the transmission range of RSU but does not possess its latest master key. The whole process consists of two stages.

R2V authentication: RSU broadcasts message periodically to authenticate itself to newly entered vehicles, where timestamp provides freshness, challenge that changes along with is used to authenticate the vehicle in the next stage, element is used to negotiate symmetric keys with vehicles (both are picked by RSU and kept secret), and is the signature of . After receiving the broadcast message, the vehicle first checks whether identity has been preloaded into TPD at the setup stage or not. If not, the vehicle aborts this authentication; otherwise, it verifies signature by running . If the algorithm outputs “reject”, the vehicle aborts; otherwise, this authentication succeeds.

V2R authentication: to authenticate itself to RSU , vehicle has to recover its dynamic password in list and answer the challenge of RSU with authentication key .
(1) Vehicle computes and . Then, it picks and computes and . Key is used to encrypt with algorithm , where is the timestamp. Let be the ciphertext of ; vehicle replies to RSU with message .
(2) RSU first computes symmetric key and decrypts with . Supposing that is the output of , if , RSU aborts; otherwise, RSU searches list for tuple , where . If such a tuple does not exist or has expired, or more than one tuple is found in list , RSU aborts; otherwise, it computes . If , then vehicle manages to authenticate itself to RSU without revealing its real identity.
(3) RSU sends its master key to vehicle in ciphertext format , where is the expiry time of , is a timestamp, and , .
(4) Vehicle decrypts and gets . If , vehicle aborts; otherwise, it stores master key into TPD. Note that this master key will be erased automatically at time .

5.4. Pseudo-Identity Generation

In terms of privacy preservation, pseudo-identities are generated by TPD to hide the real identities of vehicles instead of using their real identities. Considering a vehicle with real identity in the transmission range of RSU , we define its pseudo-identity as , where is randomly picked by TPD and .

We remark that the computation of the pseudo-identity of a vehicle can be viewed as encrypting using the Cramer-Shoup encryption scheme (CS scheme) [26], which is secure against adaptive chosen-ciphertext attack (CCA2 secure). The main advantage of such a pseudo-identity is that TA can trace the real identity of the vehicle by decrypting the pseudo-identity. Besides, the nonmalleability of the CS scheme does not allow anyone to derive a new and valid pseudo-identity from a given one. Using the CS scheme might be time-consuming for devices on the vehicle, but this problem can be overcome by preparing sufficient pseudo-identities offline in a storage device, as the on-board storage capacity of a vehicle can be extensive.

5.5. Message Signing and Verification

When vehicle is located in the region of RSU , before signing a message, it first generates the private key of its pseudo-identity with master key and then signs message with and broadcasts to RSUs or vehicles around, where is a timestamp and , .

Message can be verified by running . However, a verifier that is not in the region of RSU has to request the public parameters of from a nearby RSU. Since IBS scheme supports the batch verification of multiple signatures, the verifier is able to take advantage of this property to improve the performance of message verification.

5.6. Vehicle Tracing

Pseudo-identity protects the privacy of vehicles on the one hand and facilitates some malicious vehicles disseminating bogus information on the other. Thus, it is important to track down the real identities of misbehaving vehicles, which can only be done by TA. Particularly, let be one pseudo-identity of malicious vehicle ; TA parses into and computes , . If , then this pseudo-identity is invalid; otherwise TA computes . If there exists one valid tuple in list with , then TA succeeds in finding out the real identity of vehicle .
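The pseudo-identity construction of Section 5.4 and the tracing step of Section 5.6 are, together, a Cramer-Shoup encryption of an identity-derived value under TA's key and its decryption by TA. The following is an added example, not code from the paper: it implements textbook Cramer-Shoup over a demo-sized prime-order subgroup of Z_p^* and uses it to (a) mint pseudo-identities, (b) let TA trace them back through its private list, and (c) reject a pseudo-identity that someone tried to derive by modifying a collected one. The identity encoding (`identity_tag`), the list layout and the 56-bit group are assumptions for illustration; the paper's actual hash inputs and group are not reproduced here.

```python
"""Pseudo-identity as a Cramer-Shoup ciphertext, and TA-side tracing (added example)."""
import hashlib
import random
import secrets
from typing import NamedTuple, Optional

# Deterministic Miller-Rabin bases: exact for every n < 3.3e24, far above our demo sizes.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Group(NamedTuple):
    p: int   # safe prime, p = 2q + 1
    q: int   # order of the subgroup of squares
    g1: int  # two generators of that subgroup
    g2: int


def make_group(bits: int = 56, seed: int = 2024) -> Group:
    """Demo-sized group; seeded so the example is reproducible. Real use: 2048-bit or EC group."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    # x^2 for x in [2, p-2] is a square != 1, hence a generator of the order-q subgroup.
    g1 = pow(rng.randrange(2, p - 1), 2, p)
    g2 = pow(rng.randrange(2, p - 1), 2, p)
    while g2 == g1:
        g2 = pow(rng.randrange(2, p - 1), 2, p)
    return Group(p, q, g1, g2)


def ta_keygen(G: Group):
    """Cramer-Shoup key pair held by TA. Public part is published in the system parameters."""
    x1, x2, y1, y2, z = (secrets.randbelow(G.q) for _ in range(5))
    c = pow(G.g1, x1, G.p) * pow(G.g2, x2, G.p) % G.p
    d = pow(G.g1, y1, G.p) * pow(G.g2, y2, G.p) % G.p
    h = pow(G.g1, z, G.p)
    return (c, d, h), (x1, x2, y1, y2, z)


def identity_tag(G: Group, real_id: str) -> int:
    """Assumed encoding: hash the identity to a square mod p (an element of the order-q subgroup)."""
    x = int.from_bytes(hashlib.sha256(real_id.encode()).digest(), "big") % (G.p - 3) + 2
    return pow(x, 2, G.p)


def _alpha(G: Group, u1: int, u2: int, e: int) -> int:
    data = b"|".join(str(v).encode() for v in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % G.q


def make_pseudo_identity(G: Group, pk, real_id: str):
    """Vehicle side: a fresh CS ciphertext of the identity tag. Every call yields a new, unlinkable value."""
    c, d, h = pk
    m = identity_tag(G, real_id)
    r = secrets.randbelow(G.q - 1) + 1
    u1, u2 = pow(G.g1, r, G.p), pow(G.g2, r, G.p)
    e = pow(h, r, G.p) * m % G.p
    alpha = _alpha(G, u1, u2, e)
    v = pow(c, r, G.p) * pow(d, r * alpha % G.q, G.p) % G.p
    return (u1, u2, e, v)


def trace_vehicle(G: Group, sk, pseudo_id, ta_list: dict) -> Optional[str]:
    """TA side: validity check, decrypt to the tag, then look the tag up in the private list."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = pseudo_id
    # Reject anything outside the order-q subgroup before touching secret exponents.
    if not all(0 < t < G.p and pow(t, G.q, G.p) == 1 for t in pseudo_id):
        return None
    alpha = _alpha(G, u1, u2, e)
    check = pow(u1, (x1 + y1 * alpha) % G.q, G.p) * pow(u2, (x2 + y2 * alpha) % G.q, G.p) % G.p
    if check != v:
        return None  # not a well-formed pseudo-identity (e.g., derived by tampering with one)
    m = e * pow(pow(u1, z, G.p), -1, G.p) % G.p
    return ta_list.get(m)  # None when no registered vehicle matches the recovered tag


if __name__ == "__main__":
    G = make_group()
    pk, sk = ta_keygen(G)
    ta_list = {identity_tag(G, v): v for v in ("VEH-0001", "VEH-0002")}  # constructed registry
    pid = make_pseudo_identity(G, pk, "VEH-0001")
    print("traced:", trace_vehicle(G, sk, pid, ta_list))
    forged = (pid[0], pid[1], pid[2] * G.g1 % G.p, pid[3])  # attempt to re-randomise a collected one
    print("tampered accepted?", trace_vehicle(G, sk, forged, ta_list) is not None)
```

Two pseudo-identities of the same vehicle share no component, which is the unlinkability property; only TA, holding the decryption exponents, can map either back to the list entry.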

5.7. Secret Parameters Update

There are two secret parameters in TPD that need to be updated regularly: the authentication key and RSU’s master key. Note that RSU’s master key is updated along with V2R authentication. Here, we focus on authentication key update.
(1) Assuming that tuple reaches the expiration date , TA generates a pseudo-identity for vehicle , where . Then, TA picks and computes , where challenge is a test for target vehicle , is a new challenge for , and is used to negotiate a key. TA then computes signature , where and , and broadcasts , where is a timestamp.
(2) Vehicle with real identity and authentication key that receives this message of TA checks whether , where . Only that possesses can recognize this pseudo-identity. Then, prepares to update its authentication key. It runs . If signature is valid and timestamp is fresh, vehicle picks and computes , , , , , and . Then, vehicle sends message to TA, where is the timestamp, , and .
(3) TA recovers to decrypt and obtains . If , TA aborts; otherwise, it computes . If , TA aborts; otherwise, vehicle passes the test of TA; then TA computes and updates with in list , where is the expiration time. Also, in list , tuple is updated with . TA picks , computes , , and broadcasts , where is a timestamp and is the signature of .
(4) Vehicle checks the integrity and validity of the message. If signature is valid and timestamp is fresh, vehicle computes . If , vehicle aborts; otherwise, the current authentication key and challenge in TPD are replaced with and .

We remark that the centralized update of authentication keys might invite a DoS attack against TA. Fortunately, there are several effective ways to cope with such an attack. First, TA in reality can provide the update service in parallel mode. That is, multiple servers are deployed to interact with vehicles simultaneously, which alleviates the burden on each server and improves the overall efficiency. Besides, since TA is the initiator of the update procedure, it is able to adaptively adjust the update interval according to the practical situation without compromising the security of the whole system. Also, if TA does not receive the reply of a vehicle within a period of time, it aborts the update process with this vehicle and refuses to interact with it temporarily.

6. Security Analysis

This section gives a comprehensive security analysis of our framework. We show that our framework achieves all the security objectives mentioned in Section 3.

Authentication: one can notice that message authentication is guaranteed by the IBS scheme immediately, so we mainly analyze the mutual authentication between vehicle and RSU. In R2V authentication, the generation of the signature of the broadcast message needs RSU’s private key, which is provided by TA. If the received signature can be successfully verified with the identity of RSU, the vehicle is convinced that the current RSU is the sender of the messages, from the unforgeability of the IBS scheme. In V2R authentication, vehicle proves to RSU that it can recover the dynamic password of tuple in list and answer the dynamic password which corresponds to the new challenge generated by RSU. We claim that given and , other entities that do not possess the authentication key or picked by RSU cannot compute the correct if the CDH problem is hard. Therefore, vehicles that send the correct dynamic password pair can authenticate themselves to RSU. Since tuple and are independent of the real identity of , the whole process of authentication does not leak any information about the vehicle’s identity.

Nonrepudiation: the pseudo-identity of a vehicle, the corresponding private key, and the signature of a message broadcast by the vehicle are all generated in TPD. Since pseudo-identity, signature, and timestamp are key components of a message, a vehicle cannot deny having generated the message via TPD at a certain time. Moreover, the generation of a pseudo-identity requires the authentication key, which is only accessible to the vehicle itself. Due to the nonmalleability of the CS scheme, we note that one cannot derive a new valid pseudo-identity from a given one.

Identity privacy preserving: the pseudo-identity of a vehicle is a ciphertext of in the CS scheme. From the security of this encryption scheme, a pseudo-identity does not leak any information about the vehicle’s real identity. Moreover, the mutual authentication between vehicle and RSU does not leak the real identity either.

Conditional traceability: the process of tracing a vehicle has already been described in Section 5. Only TA, which possesses the private key , is able to verify the validity of a pseudo-identity, recover , and find the real identity in private list .

Nonframeability: since a vehicle’s authentication key is only accessible to itself, TA cannot authenticate itself to RSU as a valid vehicle and obtain RSU’s master key, let alone generate the private keys of pseudo-identities and forge the signatures of vehicles. On the other hand, although RSU owns the master key, it cannot generate a vehicle’s new pseudo-identities and valid signatures, as the authentication key is required and collected pseudo-identities do not provide any useful information for pseudo-identity generation. Moreover, although RSU could collect a set of pseudo-identities of vehicles, due to unlinkability it is impossible for RSU to single out a certain vehicle’s pseudo-identities and forge a series of signatures of this vehicle. TA is also able to detect the reuse of pseudo-identities by decrypting them and querying the recovered hash values in the maintained list. If TA does not find them in the list, then pseudo-identities have been abused.

Ideal TPD freeness: one can note that the secrets in TPD are the vehicle’s authentication key and RSU’s master key. TA is responsible for the update of the vehicle’s authentication key, and RSU regularly updates its master key. Thus, realistic TPD is secure enough to store these secrets and ideal TPD is not needed.

Unlinkability: in our framework, all messages of a vehicle are signed with different pseudo-identities which are independent of each other. It is impossible to distinguish whether two random messages are sent by one vehicle or not. Thus, our framework satisfies unlinkability.

Message confidentiality: in V2R authentication, RSU sends its master key in ciphertext form to vehicles that complete the current authentication. The master key of RSU is encrypted using the symmetric encryption scheme, and the negotiation of the symmetric key follows the method of Diffie-Hellman key exchange. Thus, transmission of RSU’s master key is confidential and secure. Similarly, the same symmetric encryption scheme and key exchange method are applied in transmitting the new authentication information of a vehicle during the secret parameters update.

Attack resistance: in the proposed framework, we assume that the whole system is initialized in a secure environment, but mutual authentication, message signing and verification, and secret parameter update might suffer various attacks from an adversary. We now demonstrate that our framework is resistant to the following attacks.
(i) Replay attack: every transmitted message is marked with a timestamp. The receiver of a message checks its freshness via the timestamp and discards replayed messages.
(ii) Impersonation attack: in mutual authentication, an adversary might try to imitate a valid RSU and gain the trust of vehicles. However, the private key of RSU is generated in the initialization phase and securely kept by RSU . The adversary cannot access this private key. Thus, the signature of its message cannot be verified with the identity of . In secret parameters update, if an adversary (e.g., registered vehicles or RSUs) wants to impersonate the TA and send an update instruction to vehicle , it has to compute the special pseudo-identity of with public parameters . The hardness of computing with and can be reduced to the CDH assumption. One update instruction is targeted at only one vehicle, but other irrelevant vehicles might also receive this instruction. If a malicious vehicle intends to imitate the target one , it has to answer the challenge of TA with dynamic password . Given and , it is still hard to compute according to the CDH assumption. Thus, our framework can withstand impersonation attacks.
(iii) Modification attack: for a signed message, any modification results in verification failure by the correctness of the IBS scheme. For an encrypted message, the plaintext and its hash value are concatenated and encrypted together. If the ciphertext is modified arbitrarily, the underlying plaintext cannot be verified against its hash value.
(iv) Side-channel attack: this attack mainly targets the vehicle's TPD, which stores sensitive data including the authentication key and the master key of RSU. It is worth mentioning that the real identity of the vehicle is not stored in the TPD. In our protocol, these secret parameters are updated frequently such that an adversary cannot obtain sufficient data through side-channel analysis. Moreover, new secret parameters are independent of the old ones, so the leakage of old parameters does not help in guessing the new ones.
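The replay check of item (i) and the hash-inside-ciphertext integrity check of item (iii), written out as an added Go example; this is not code from the paper or from any VANET implementation. It assumes a 5 s freshness window and a per-sender cache of already accepted timestamps (neither is specified on the page), uses AES-CBC with PKCS#7 padding as the symmetric scheme, and constructs its own key, IV and payload in place of the Diffie-Hellman-derived key and the RSU master key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// freshnessWindow is the clock skew a receiver tolerates. The page gives no
// concrete value; 5 s is an assumption for this example.
const freshnessWindow = 5 * time.Second

// replayCache records the timestamps already accepted from each sender so a
// copy of an earlier message is rejected even inside the freshness window.
// (Keeping such a cache is an assumption; the page only mentions the timestamp.)
type replayCache map[string]map[int64]bool

// CheckFreshness accepts a message only if its timestamp ts lies within the
// window around the receiver's clock now and has not been seen from sender.
func (c replayCache) CheckFreshness(sender string, ts, now time.Time) error {
	if skew := now.Sub(ts); skew > freshnessWindow || skew < -freshnessWindow {
		return errors.New("stale timestamp: message discarded")
	}
	if c[sender] == nil {
		c[sender] = map[int64]bool{}
	}
	if c[sender][ts.UnixNano()] {
		return errors.New("replayed message: timestamp already accepted")
	}
	c[sender][ts.UnixNano()] = true
	return nil
}

// sealWithHash encrypts plaintext || SHA-256(plaintext) with AES-CBC, as the
// page describes for the RSU master key: the hash travels inside the ciphertext.
func sealWithHash(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(plaintext)
	msg := append(append([]byte{}, plaintext...), h[:]...)
	pad := aes.BlockSize - len(msg)%aes.BlockSize // PKCS#7 padding, always 1..16 bytes
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, msg)
	return out, nil
}

// openWithHash decrypts, strips the padding and recomputes the hash; any change
// to the ciphertext alters the decrypted bytes and makes the check fail.
func openWithHash(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	msg := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(msg, ct)
	pad := int(msg[len(msg)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(msg[len(msg)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	msg = msg[:len(msg)-pad]
	if len(msg) < sha256.Size {
		return nil, errors.New("message too short to carry a hash")
	}
	pt, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if h := sha256.Sum256(pt); !bytes.Equal(h[:], tag) {
		return nil, errors.New("integrity check failed: ciphertext was modified")
	}
	return pt, nil
}

func main() {
	// Constructed sample values; in the protocol the key comes from the
	// Diffie-Hellman exchange and the payload is the RSU master key.
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	ct, _ := sealWithHash(key, iv, []byte("RSU master key (sample)"))
	_, err := openWithHash(key, iv, ct)
	fmt.Println("untouched:", err)
	ct[0] ^= 0x80 // flip one bit of the first block
	_, err = openWithHash(key, iv, ct)
	fmt.Println("modified:", err)
	cache, now := replayCache{}, time.Now()
	fmt.Println("first delivery:", cache.CheckFreshness("vehicle-1", now, now))
	fmt.Println("replay:", cache.CheckFreshness("vehicle-1", now, now))
}
```

The cache is what turns a timestamp check into replay detection: without it, a copy of a message captured and re-sent inside the window still passes the freshness test. For the integrity side, a deployment would more cleanly get the same guarantee from an AEAD mode such as AES-GCM, which authenticates the ciphertext directly instead of relying on the hash surviving decryption.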

Remarks: it is worth mentioning that the Sybil attack is inevitable and ubiquitous in most cryptographic schemes, and thus the detection of such attacks has been extensively studied [27]. Our framework is vulnerable to the Sybil attack, as any authenticated vehicle has access to the master key of RSU and can imitate other vehicles at the same time by forging their messages. However, we claim that such an attack can be detected by the authorities in the proposed framework. Precisely, a misbehaving vehicle cannot imitate other vehicles, as it does not know their authentication keys and cannot generate correct pseudo-identities. Collected pseudo-identities also do not help in computing new ones, owing to the nonmalleability of the CS scheme. Besides, the reuse of collected pseudo-identities can be detected by TA. Consequently, only pseudo-identities of the misbehaving vehicle itself can be generated to conduct a Sybil attack, and the TA can detect such an attack easily by revealing its real identity from these pseudo-identities.

7. Performance Analysis

In this section, we evaluate both the computation and communication costs of authentication in our framework and make a comparison with existing works. To achieve 80-bit security, elliptic curve groups with 160-bit prime order , IBS scheme , and symmetric encryption scheme AES with 80-bit security are used in our protocol. In pairing-based IBS scheme , we use bilinear pairing to realize 80-bit security level, where is an additive group with 160-bit prime order on supersingular elliptic curve with embedding degree 2. The sizes of elements in and are 320 bits and 1024 bits. For the convenience of discussion, notations of execution time are defined in Table 1.

According to [6], bilinear pairing operation that takes is the most time-consuming operation. Other bilinear pairing-related operations cost more time than corresponding operations in ECC. That is, and . The execution time of multiplication operation is approximately 240 times greater than . In comparison to above execution time, , , and could be negligible.

7.1. Comparison of Different IBS Schemes

IBOOS and OT-IBS schemes are usually more efficient than traditional IBS schemes. In an IBOOS scheme, the time-consuming operations can be completed in the offline stage, and the actual signing time is determined by the online stage. The structure of an OT-IBS scheme is commonly much simpler than that of a traditional IBS scheme because the private key is used only once. Moreover, IBS schemes that support batch verification amortize the time-consuming operation over a bundle of signatures. Therefore, for better performance, we only investigate existing IBOOS and OT-IBS schemes that support batch verification.

Table 2 shows the comparison of signing time , verification time , and signature size. One can note that the bilinear pairing-based IBS schemes XMS and ZWD are less efficient than the ECC-based IBS schemes in both verification time and signature size. Schemes LBZ and HZS have the same verification time. However, the signing time of LBZ is correlated with the bit length of the message, so it might be greater than that of HZS for long messages. Moreover, scheme HZS enjoys the shortest signature among these schemes. Thus, in the following discussion, we adopt scheme HZS as the IBS scheme in our framework.

7.2. Authentication Efficiency

When evaluating an authentication protocol, we are most concerned about the time and communication costs of authentication. In our framework, a vehicle that has just entered a new RSU region has to complete the mutual authentication with the RSU in time; otherwise it cannot communicate with other entities. Thus, we consider the overhead of mutual authentication from the perspective of the vehicle. Since the RSU broadcasts messages periodically, it is reasonable to assume that the vehicle receives these messages as soon as it drives into the region of the RSU. The computational overhead of R2V authentication is mainly determined by . Before replying to the RSU, the vehicle has to spend time to generate message . In AES, the size of the ciphertext is the same as that of the plaintext, so the ciphertext is 320×2+160=800 bits long. Suppose that the size of the identity of the RSU is 160 bits and timestamps are 20 bits; then the length of message is 160+320+20+800=1300 bits. Then, the RSU spends time to process the message from the vehicle and prepare the master key for it if authentication succeeds, where is the execution time of searching list . The length of message sent by the RSU is 160+20+20+(160+160)=520 bits. The vehicle needs time to decrypt it and check the master key of the RSU. Therefore, the overall computation overhead of mutual authentication is , and the communication overhead is 1300+520=1820 bits.

Similarly, we also analyze the efficiency of mutual authentication in existing works. In [7], the LBZ scheme is used to sign messages during mutual authentication. Suppose that the sizes of the code of the vehicle's home region, nonce , and join request are 20 bits each and the ciphertext of the vehicle's real identity is 320 bits; then the length of the vehicle's pseudo-identity is 20+320+20+160=520 bits. Then the message sent by the vehicle is 160+520+20+20+800=1520 bits. The offline signature of the LBZ scheme can actually be preloaded by the vehicle, so the message returned from the RSU is 160+20+520+160+20+800=1680 bits. The total communication overhead is 3200 bits. The computation overhead is , where is correlated to the length of the input.

In [13], the computational overhead of the protocol is . Suppose that the length of the authentication key is 160 bits and element is 1024 bits; then the message sent by the vehicle is 1024+160+(160+20)+20=1384 bits, where . The RSU returns message , which is 160+(20+160+160)=500 bits long, to the vehicle. Since the RSU has to forward the message sent by the vehicle to the TA, the communication overhead is 1384×2+500=3268 bits.

Table 3 shows the comparison of computation and communication overhead of mutual authentication between vehicle and RSU, where computation overhead is expressed as a multiple of . The improvement in computation is over [7] and over [13]. In communication overhead, there are and improvements over [7] and [13], respectively.

7.3. Secret Parameters Update Efficiency

At the beginning of the secret parameters update, the TA has to compute the 3×320=960-bit long pseudo-identity first, which costs time, and then challenges , element , and signature . The overall broadcast message is 960+320+320+320+20+480=2420 bits long, and the TA spends time to generate it.

We assume that vehicle has computed its in advance and can recognize the update instruction from the TA immediately after receiving the broadcast message. The vehicle first verifies the signature, picks a new authentication key, and then responds to the TA with new authentication information which is 160+320+20+(320+160+320+160)=1460 bits long. This process takes .

After receiving the authentication information from vehicle , the TA needs to spend time to check its integrity. If the received information is complete and valid, the TA has to prove to that it possesses the latest information of by broadcasting message , whose length is 960+320+320+20+480=2100 bits. The time for generating message is .

Finally, vehicle takes to verify the message sent by the TA, and the procedure of the secret parameters update is finished. Overall, the time cost is on the vehicle side and on the TA side. The communication costs are 1460 bits and 2420+2100=4520 bits for the vehicle and the TA, respectively.

8. Conclusions

In this paper, we propose a practical framework of CPPA scheme that does not rely on an ideal TPD and supports a realistic TPD. This feature makes our framework more suitable for practical use. In addition to traditional security requirements, such as nonrepudiation and conditional privacy preservation, our framework also achieves nonframeability, which prevents the TA and RSUs from framing innocent vehicles. Performance analysis shows that our framework outperforms existing schemes in terms of mutual authentication.

Data Availability

The data of execution time supporting the findings of this study are from previously reported studies, which have been cited.

Conflicts of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key R&D Program of China under grants 2017YFB0802300, the National Natural Science Foundation of China 61702541, 61872087, the Young Elite Scientists Sponsorship Program by CAST [2017QNRC001], and the Science Research Plan Program by NUDT [ZK17-03-46].