Abstract

Vehicular ad hoc networks (VANETs) have been widely researched in recent years. VANETs are used mostly for road safety and traffic efficiency; therefore, it is imperative that the communication between vehicles is rapid and secure in a VANET environment. In the present study, bilinear pairings were used to construct a complete message authentication scheme. This scheme provided the following features: (1) vehicle or roadside unit (RSU) parameters were determined via a hierarchical protocol, which prevented potentially a large computational overhead for a single node; (2) message broadcasts and private communications between vehicles in the transmission range of the same RSU were enabled; (3) message broadcasts and private communications between vehicles in the transmission ranges of different RSUs were enabled; (4) a fast handoff mechanism was established for vehicles in the transmission ranges of different RSUs; and (5) mechanisms for message broadcasts and private communication were established for vehicles in areas where RSUs were sparsely located. Based on the experimental results, our scheme was confirmed to be superior to previous schemes. In terms of security, our scheme offered the following features: confidentiality, message integrity, nonrepudiation, conditional anonymity, and conditional untraceability.

1. Introduction

Vehicular ad hoc networks (VANETs) have been widely researched in recent years. VANETs are mobile networks in which vehicles equipped with on-board units (OBUs) communicate with each other or roadside units (RSUs) [1, 2]. Vehicles can broadcast traffic information to one another over VANETs [3]. In addition, passengers can communicate with passengers in other vehicles or send electronic mail using hand-held devices over VANETs [4]. VANETs have drawn special attention for traffic safety and management [5, 6]. The information exchanged between vehicles over VANETs enhances road safety and improves traffic efficiency. Generally, there are two different modes in VANETs for sending messages: the message broadcast mode, in which neighboring vehicles may provide one another with up-to-date proximal vehicle state information via message broadcasts, and the one-hop broadcast mode, in which a vehicle can send messages to one other specific vehicle. One-hop broadcasts are mainly used for private communication between vehicles.

There are two vehicular communication modes in VANETs [7], vehicle-to-vehicle communication (IVC) and RSU-to-vehicle communication (RVC). IVC allows each vehicle to broadcast information to other vehicles or send information to one specific vehicle via others. RVC allows vehicles to exchange information with one another within the broadcast range or communicate with and obtain information from other vehicles via wireless-device equipped RSUs. VANETs enable vehicles to exchange up-to-date traffic information, which improves the flow of traffic and driving safety. However, if the information is modified or falsified by a malicious vehicle user, serious consequences such as traffic congestion and even a traffic accident can occur. A scheme for ensuring information security is proposed in the present study.

A message authentication scheme for VANETs should take the following problems into consideration: the exchange of information between vehicles in VANETs is accomplished through wireless communication. Therefore, to be timely, the volume of information cannot be excessively high nor can the method for message authentication be excessively complicated. Vehicles should be able to not only broadcast information but additionally communicate privately with other devices. Vehicles use a short-range wireless communication technique to communicate with RSUs and are usually moving at high speeds, requiring frequent handoffs with RSUs. Handoff schemes with long computation times adversely affect the communication quality. (4) RSUs may be available only on main roads and not on minor ones.

In the present study, a complete message authentication scheme is constructed using the bilinear pairings technique. The encryption scheme from bilinear pairings is appropriate for VANETs. The parameters for each node in this study are generated in a hierarchical way. The long-term parameters for each vehicle are generated by the trusted authority (TA). Vehicles use their long-term parameters to perform identity (ID) authentication with RSUs and then gain trust from them. RSUs then produce short-term parameters for the vehicles that allow them to broadcast information and conduct private communications. When the vehicles are not within the transmission range of any RSUs, they can use their long-term parameters to broadcast information and communicate privately with one another. The trust gained from one RSU enables the vehicle to perform handoffs with other RSUs. Based on the experimental results, the scheme proposed in this study shows excellent performance and is superior to other schemes in the literature.

2. Related Works

The conventional public key infrastructure (PKI) scheme was used in [8]. Assuming that a certificate authority (CA) provides each vehicle with a digital certificate of identity, that is, a private key together with its associated public key, the vehicle can then use the asymmetric key for signing and verifying a message. However, the computational complexity increases when a vehicle uses the PKI for message signature and verification, resulting in communication overhead. In addition, for the purposes of privacy and untraceability, a vehicle must constantly change its certificate, which adversely affects the CA overhead.

A solution is defined in [9] in which vehicles can generate public/private key pairs on their own. The benefits lie in the fact that a vehicle uses a different key each time it sends a message and that the vehicle is not required to update the related parameters with the CA. Assuming that there is a cryptographic device, or black box, installed in each vehicle and in each black box there are an asymmetric key and a certificate issued by the CA, the black box generates the public/private key pair for the vehicle. However, the public/private key pair is the continuous product of two values, resulting in each key pair having a long message length. This long message length may result in communication overhead when the vehicle is sending messages.

The scheme for vehicular communications used in [10] was constructed with a hierarchy in which the keys were generated in a top-to-bottom manner. The hierarchical method allows vehicles to generate parameters such as their IDs through RSUs, which mitigates the key escrow problem in the CA. The generated keys are reliable and nonforgeable. However, this scheme requires the use of vehicle certificates. Thus, the information exchanged between vehicles is verified via the contents of the certificates. The requirement for a certificate with each message may nevertheless result in data packet overhead. In addition, message encryption based on bilinear pairings may result in computation overhead.

In [11], to provide network access services, a vehicle must establish a common key with the recipient vehicle via a broadcast message. The common key ensures the security of the subsequent information exchange, authentication, message integrity, and nonrepudiation. However, the common key is established using the identity-based cryptography (IBC) scheme, which is based on bilinear pairings. The establishment of a shared common key with each vehicle may result in vehicle computation overhead. The authors in [11] did not discuss the problems of rekeying and pseudonym changes. These problems are significant in vehicle networks, warranting resolution. A dynamic, privacy-preserving key management scheme for location-based services in VANETs was proposed in [12]. This scheme ensures the anonymous authentication of a vehicle and enables double-registration detection. In addition, each vehicle can use a one-way hash function to update the vehicles new session key. However, the computations for message signature and verification presented in [12] are complicated, and the author did not investigate a private communication scheme.

In [13], an elliptic curve digital signature algorithm (ECDSA) was used for message authentication. The current position information is used together with the ECDSA for signing messages from anonymous IDs. Other vehicles do not require a third-party public key certificate for message authentication. However, the authors did not discuss the problems of rekeying and private communication.

The delay in long-term verification of centralized AAA architecture in literature [14] has been alleviated. In this paper, a set of network security approaches based on bilinear Diffie-Hellman (BDH) problem are proposed to protect the privacy of vehicles and network security of portable electronic currency in VANETs environment. However, the proposed method requires a key to be generated at regular intervals on each vehicle in advance for privacy, which is a big burden for the vehicle.

In literature [15], a set of network security mechanisms based on chameleon hashing was proposed to ensure vehicle privacy and network communications security in VANETs. However, owing to computational complexity and packet length of chameleon hashing, it constitutes a big burden for VANETs.

In literature [16], a set of network security mechanisms based on bilinear pairing was proposed. Although it can ensure network communications security of vehicles in VANETs, it does not provide private communications between vehicles. Besides, the changes of relevant parameters for vehicles involved have to be updated via TA. Therefore, it has a centralized authentication issue.

3. Background

This section will introduce the technologies used in the method developed in this study. Section 3.1 introduces bilinear pairing and hard problems, Section 3.2 discusses Boneh and Franklins ID-based encryption, Section 3.3 discusses Shamirs ID-based cryptosystem, and Section 3.4 covers bilinear Diffie-Hellman message authentication.

3.1. Bilinear Pairings and Hard Problems

Let and denote an additive and a multiplicative group and both of them with prime order . Let be generator of and let be a bilinear mapping with the following properties.(1)Bilinear:(2)Nondegeneracy: such that . That is, the mapping does not send all pairs in to the identity in .(3)Computable: there exists an efficient algorithm to compute for all .

The bilinear map can be implemented using the Weil [9] and Tate [10] pairings on elliptic curves. We consider the implementation of a Tate pairing on a Miyaji–Nakabayashi–Takano (MNT) curve [11] with embedding degree 6, where is represented by 161 bits and the order is represented by 160 bits.

The following part will define and specify various relevant mathematical problems [12] which will be applied in the essay subsequently.

Bilinear Diffie-Hellman problem: Given , where , compute .

Elliptic curve discrete logarithm problem (ECDLP): Given two elements , find an integer , such that .

3.2. ID-Based Encryption

We used ID-based encryption [17] to encrypt and decrypt messages. A private key generator (PKG) chooses a random number as its master key and selects two distinct hash functions, and . Given a user with an identity , any party can obtain the user’s public key . The PKG sets the user’s private key . User chooses as her/his own secret value and sets . In the final step, the PKG publishes the system parameters and withholds .

Encrypt. To encrypt a message for the user with identity is as follows.(1)Choose a random number .(2)Set the cipher text to be

Decryption. Let . To decrypt using the secret value , compute , where

3.3. ID-Based Cryptosystem

The advantage of ID-based cryptosystems [17] is that public key certificates are no longer needless, and this possibly causes a saving of space requirements. Besides, it also reduces the key management cost, which is a heavy burden in conventional public key infrastructure (PKI). However, it has a serious drawback, called key escrow problem. PKG is responsible for generating a user’s private key, so it can decrypt any ciphertext or forge any user’s signature on any message.

3.4. Message Authentication Based on the Bilinear Hard Problems (BHD) Method

In this study, message signatures and verification are established based on the BDH method. In this scheme, user selects a random number as the secret value, calculates the public value (), and then broadcasts to all other users. Notations of the BDH list the notation used in this study. User broadcasts message by executing the following steps.(1)User calculates .(2)User calculates , where represents the quotient and represents the remainder.(3)User broadcasts .

Other users can then verify the message upon receipt by executing the following steps.(1)Calculate .(2)Check whether .

If the equality in step is satisfied, then this condition verifies that the user sent the message. During the verification process, other users receive only , , and . Based on elliptic curves and the discrete logarithm problem (ECDLP), cannot be calculated without and . Therefore, message security is ensured. Furthermore, because belongs to the user alone, nonrepudiation of the message is also ensured.

4. Message Authentication Scheme

The scheme proposed in this study consists of five parts: (1) system initialization and RSU registration; intra-RSU message authentication; (3) inter-RSU message authentication; (4) handoff; and (5) message authentication when RSUs are not available.

4.1. System Model

Figure 1 shows the system environment used in this study. We assume that the TA is a legal organization and is responsible for the security of the entire network. When there is an attack on the network infrastructure from a malicious node, the TA will broadcast the true identity of the node and take necessary action. We further assume that RSUs are installed on streetlights or traffic signs on main roads and there are no RSUs installed on minor roads. Each vehicle is equipped with an OBU. Communication between the TA and RSUs is via a wired network, whereas communication between OBUs and the TA is via an IEEE 802.11p wireless network. Notation used in this paper lists the notation used in this study.

Figure 1 

System environment.

4.2. System Initialization

Given the bilinear parameters as defined in Section 3.1, the TA sets up the system by executing the following steps.(1)The TA chooses as its secret value.(2)The TA selects three hash functions: , , and .(3)The TA calculates as its public value.(4)The TA sets .(5)The TA sets .(6)The TA sets .

The TA broadcasts the parameters , while remain undisclosed. In addition, the TA sets the related parameters for each RSU by executing the following steps.(1)The node chooses as its secret value.(2)It calculates as its public value.(3)It sets .(4)It sets .

The TA sets up the system by executing the following steps.(1)Set .(2)Calculate .(3)Calculate ,  .

The RSU broadcasts the parameters and does not disclose the parameters . All nodes can verify the legitimacy of the ID of the RSU by executing the following steps.(1)Calculate .(2)Calculate .(3)Check if

The TA generates the related parameters for the vehicle by executing the following steps.(1)The node chooses as its secret value.(2)It calculates as its public value.(3)It sets .(4)It selects an anonymous identity , and all users can obtain its public key by computing .

The TA sets up the system by executing the following steps.(1)Set .(2)Calculate .(3)Calculate ,  .

Each vehicle broadcasts the parameters and does not disclose the parameters . The TA records the parameters for each vehicle.

Each vehicle or RSU can verify the legitimacy of the vehicle ID by executing the following steps.(1)Calculate .(2)Calculate .(3)Check if . If the equality is satisfied, then the user is legal.

4.3. Registration

When a vehicle is within the transmission range of RSU , the vehicle and will send an ID verification request to each other. After successful verification, RSU will then generate the short-term parameters for . Vehicle can retain its anonymity and security using the short-term parameters by executing the following steps.(1)Use the identity-based cryptography (IBC) technique to generatethe common session key for RSU and vehicle . Vehicle uses its own private key and the public key of RSU to generate the common session key. The public key of RSU is calculated from the true ID of RSU . Therefore, vehicle does not require the public key of RSU . The calculation is as follows:  Because the TA generates the private keys for both RSU and vehicle , the common session keys generated from RSU and vehicle are the same. Therefore, RSU and vehicle can communicate with each other privately.(2) generates the short-term parameters , , and and uses symmetric encryption to encrypt the common session key () as a security key. The encryption is supplemented by the plain-text parameters . The calculation is as follows: Vehicle sends the message to .(3)When RSU receives the message, first verifies whether the parameters of vehicle are within the valid limits through the following steps.(3.1)Calculate .(3.2)Calculate .(3.3)Check if . If the equality is satisfied, then the user is legal.(4)To decrypt the encrypted message, RSU first calculates the common session key shared with vehicle . Then, RSU uses the common session key to decrypt the message. The calculation is as follows:

(5)RSU calculates the private key, the common secret key, and the signature of . The calculations are as follows.(5.1) calculates as its private key.(5.2) chooses as its common secret key.(5.3) calculates , , .(6)RSU encrypts the parameters using the common session key. The calculation is as follows: RSU sends the message to vehicle .(7)When vehicle receives the message, the vehicle uses the common session key to decrypt the message.(8) records and publishes to all vehicles in its domain.

To improve the efficiency of the handoff process, RSU generates a common secret key for vehicle and each RSU. RSU uses a one-way hash chain [13] to generate keys . The method for generating the keys is as follows:RSU uses a one-way hash chain [13] to generate anonymous IDs . The method for generating the IDs is as follows:

Each RSU has two tables, an RID-key table and an SID-key table. The RID-key table is used to store the related parameters generated by RSU (Table 1). RSU uses the common session key that it shares with each RSU to encrypt the common secret key that vehicle has with each RSU and the anonymous ID. RSU then sends the encrypted message to other RSUs. When another RSU receives the encrypted message, that RSU first uses the common session key that it shares with RSU to decrypt the message and then stores the parameters for vehicle in the table (Table 2). Because vehicle has the related parameters , it can generate a common secret key shared with each RSU and an anonymous ID on its own. The parameters are stored in the table (Table 3). The parameters for vehicle do not permit any one RSU to obtain the parameters that vehicle shares with other RSUs. Because other RSUs cannot obtain the private key and the common secret key of vehicle , the security of vehicle is ensured.

4.4. Intra-RSU Message Authentication

Vehicle broadcasts messages to other vehicles within the transmission range of an RSU. The calculations are as follows.(1)Vehicle uses the BDH method to authorize a message signature. The calculations are as follows.(1.1)Vehicle calculates .(1.2)Vehicle calculates , °.(1.3)Vehicle broadcasts the message to other vehicles within range.(2)When other vehicles receive the message, they can verify the authenticity of the message. The calculations are as follows.(2.1)Calculate °.(2.2)Calculate .(2.3)Check if . If the equality is satisfied, then vehicle sent the message.

Assuming that two vehicles within the transmission range of a given RSU want to send private messages to each other (Figure 1), vehicle and vehicle will calculate their common key. The calculation is as follows:

Then, vehicle uses the common session key () to first encrypt the message and then send it to vehicle . When receives the encrypted message, the vehicle uses the common session key () to decrypt the message and then obtain the contents of the message. The benefits of using IBC lie in the fact that the other vehicle’s public key can be easily calculated based on its ID and that the common session key can be calculated based on the other vehicle’s public key and its own private key. Conversely, the other vehicle can also calculate the common session key because the secret value of the common session key is the same.

4.5. Inter-RSU Message Authentication

Assuming that vehicle wants to broadcast a message within the transmission ranges of several RSUs and uses the BDH signature to ensure the security of the message, vehicle will first send the parameters , to nearby RSUs, and then the RSUs will relay the message to other vehicles. Then, other vehicles will first verify the legitimacy of vehicle by calculating and then calculating . If it is the case, then it proves that vehicle is the legitimate user of RSU .

Other vehicles will verify the authenticity of the message from vehicle by first calculating and then calculating . If it is the case, then the message was sent from vehicle .