Survey of Vehicular Network Security
Jonathan Van Eenwyk

Contents
• Design Issues
• Certificate-Based Solution
• Privacy Concerns
• Data Validation

Design Issues
• The Security and Privacy of Smart Vehicles
  • IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
• Attacks on Inter-Vehicle Communication Systems - an Analysis
  • Aijaz et al. (supported by industry)
• Challenges in Securing Vehicular Networks
  • HotNets-IV: Parno and Perrig
• Security Issues in a Future Vehicular Network
  • European Wireless, 2002: Zarki et al.

Design Issues
• The Security and Privacy of Smart Vehicles
  • IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
• System model
  • Ad-hoc communication between vehicles and base stations
  • Base stations provide services
  • Vehicles provide sensor data
  • Vehicles have more resources than most ad-hoc networks
• Applications
  • Traffic and safety alerts
  • Travel tips
  • Infotainment (including Internet access)

Design Issues
• The Security and Privacy of Smart Vehicles
  • IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
• Challenges
  • Authentication and data encryption
  • Auditing sensor data
  • Privacy (avoid tracking)
  • Infrastructure boot-strapping
  • Negative perception of smart vehicles

Design Issues
• The Security and Privacy of Smart Vehicles
  • IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
• Key Features
  • Context sensors (front-end radar, ultra-sound, etc.)
  • Event data recorder (i.e., “black box”)
  • Tamper-proof device to handle encrypted transmissions
  • Location detection (GPS or distance bounding)
  • Communication with road-side base stations

Certificate-Based Solution
• The Security of Vehicular Networks
  • EPFL Technical Report, March 2005: Raya, Hubaux
• Certificate Revocation in Vehicular Networks
  • LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Certificate-Based Solution
• The Security of Vehicular Networks
  • EPFL Technical Report, March 2005: Raya, Hubaux
• Attacks
  • Bogus information
  • Message tampering
  • Cheating (data manipulation, impersonation)
  • Identity disclosure for vehicle tracking
  • Denial of service

Certificate-Based Solution
• The Security of Vehicular Networks
  • EPFL Technical Report, March 2005: Raya, Hubaux
• Security Mechanisms
  • Electronic License Plate (post-mortem auditing)
  • Asymmetric encryption using public key infrastructure
  • Large number of anonymous keys (no identity information)
    • Vehicles frequently change keys to avoid tracking
    • Keys can be revoked (more later)
  • Physical layer protection against denial of service
    • Channel switching
    • Implement more than one communication technology

Certificate-Based Solution
• Certificate Revocation in Vehicular Networks
  • LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
• Revocation using Compressed Certificate Revocation Lists (RC2RL)
  • Large number of vehicles, so potentially huge revocation list
  • Lossy compression using Bloom filter
    • Configurable rate of false positives
    • Definitely no false negatives
  • Bit vector of length m
  • Hash element a with k hashing functions
  • Each function sets one bit
  • Later, verify membership by checking that all k bits are set as expected

Certificate-Based Solution
• Certificate Revocation in Vehicular Networks
  • LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
• Revocation of the Tamper-Proof Device (RTPD)
  • Send message to vehicle’s TPD to revoke all activity
    • Send to base stations nearest last known location
    • Broadcast over low-bandwidth radio (AM/FM) or satellite
  • Lower overhead approach as long as TPD is reachable
  • Send localized revocation list to surrounding area

Certificate-Based Solution
• Certificate Revocation in Vehicular Networks
  • LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux
• Distributed Revocation Protocol (DRP)
  • Vehicles that detect malicious nodes can warn others
  • Requires an honest majority
  • Warnings have lower weight if sending node has also been condemned by other nodes
    • Node 4 condemns node 2
    • But this warning has less weight because node 4 has itself been condemned by nodes 1 and 3

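Added example (not from the slides or the cited report): the four-node scenario above scored with weighted warnings. The slide does not give the weighting formula, so the weight 1 / (1 + number of distinct nodes condemning the sender) and the eviction threshold are assumptions chosen only to show the effect.

```python
from collections import defaultdict


def accusation_scores(warnings):
    """warnings: iterable of (accuser, accused) node IDs.

    Returns {accused: score}. Assumed weighting (not from the report):
    each warning counts 1 / (1 + distinct nodes condemning its sender).
    """
    accusers_of = defaultdict(set)
    for accuser, accused in warnings:
        if accuser != accused:
            # A set ignores repeats, so one node cannot raise a
            # score by rebroadcasting the same warning.
            accusers_of[accused].add(accuser)

    scores = {}
    for accused, accusers in accusers_of.items():
        scores[accused] = sum(
            1.0 / (1 + len(accusers_of.get(a, ()))) for a in accusers
        )
    return scores


def evicted(warnings, threshold):
    """Nodes whose weighted score reaches the (assumed) threshold."""
    scores = accusation_scores(warnings)
    return sorted(n for n, s in scores.items() if s >= threshold)


# Slide scenario: nodes 1 and 3 condemn node 4; node 4 condemns node 2.
SLIDE_WARNINGS = [(1, 4), (3, 4), (4, 2)]

if __name__ == "__main__":
    print(accusation_scores(SLIDE_WARNINGS))   # node 4 scores 2.0, node 2 about 0.33
    print(evicted(SLIDE_WARNINGS, threshold=1.5))
```
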
Privacy Concerns
• Balancing Auditability and Privacy in Vehicular Networks
  • Q2SWinet '05: Choi, Jakobsson, Wetzel
• CARAVAN: Providing Location Privacy for VANET
  • ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki

Privacy Concerns
• Balancing Auditability and Privacy in Vehicular Networks
  • Q2SWinet '05: Choi, Jakobsson, Wetzel
• Provide privacy
  • From peer-to-peer vehicles
  • From infrastructure authorities
• Support auditability
  • Linkability between anonymous handles and owner identity
  • Requires off-line permission granting (court order, etc.)

Privacy Concerns
• Balancing Auditability and Privacy in Vehicular Networks
  • Q2SWinet '05: Choi, Jakobsson, Wetzel
• Two-Level Infrastructure
  • Back-end (ombudsman)
    • Creates long-term “handle” from node identities
    • Nodes initialized with set of handles
    • Off-line approval can grant identity from pseudonym
  • Front-end (road-side base stations)
    • Uses short-term pseudonyms created from long-term handles
    • Pseudonym and shared key created from handle and timestamp

Privacy Concerns
• CARAVAN: Providing Location Privacy for VANET
  • ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki
• Provide privacy from vehicle location tracking
• Proposed Techniques
  • Update pseudonym after random silence period
    • Fixed-interval updates can be tracked by estimating trajectory
    • Silence period obscures nodes if other nodes are present
  • Designate group leader to proxy communications
    • Avoids redundant transmissions
    • Extends length of time to use each pseudonym

Data Validation
• Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
  • VANET '06: Picconi, Ravi, Gruteser, Iftode
• Detecting and Correcting Malicious Data in VANETs
  • VANET '04: Golle, Greene, Staddon

Data Validation
• Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
  • VANET '06: Picconi, Ravi, Gruteser, Iftode
• Allow sensor data to be aggregated
• Use signing certificates to validate data
• Randomly force one complete record to be included
• Relies heavily on tamper-proof device

Data Validation
• Detecting and Correcting Malicious Data in VANETs
  • VANET '04: Golle, Greene, Staddon
• Nodes attempt to identify malicious data via information sharing
  • Nodes detect neighbors and contribute to global database
  • Malicious nodes may contribute invalid or spoofed data
    • May try to fake a traffic jam
  • Friendly nodes build models to explain database observations
    • Is there one malicious node attempting to spoof three other nodes?
    • Are all four nodes malicious?
  • Possible heuristic: choose scenario with fewest bad and spoofed nodes

Data Validation
• Detecting and Correcting Malicious Data in VANETs
  • VANET '04: Golle, Greene, Staddon
• Example
  • Actual Scenario
  • Possible Explanations

Questions?