An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks
Authors: Debiao He, Sherali Zeadally, Baowen Xu, Member, IEEE, and Xinyi Huang
Publisher: 2015 IEEE Transactions on Information Forensics and Security
Presenter: 柯懷貿
Date: 2019/05/29
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
Structure
• Communications in VANETs can be divided into two types, Vehicle-to-Vehicle (V2V) communication and Vehicle-to-Infrastructure (V2I) communication, both controlled by the Dedicated Short Range Communication (DSRC) protocol.
• The leakage of traveling routes violates drivers' privacy and may result in serious consequences, because those traveling routes may be used for crimes. To address this privacy issue, anonymity must be provided in VANETs, but a trusted authority should still be able to extract the real identity from a message.
• Therefore, conditional privacy should be provided in VANETs.
National Cheng Kung University CSIE Computer & Internet Architecture Lab
Conditional Privacy-Preserving Authentication
• The Conditional Privacy-Preserving Authentication (CPPA) scheme is suitable for addressing the privacy issue in VANETs because it supports both message authentication and conditional privacy.
• Although previously proposed ID-based CPPA schemes fix several weaknesses of PKI-based CPPA schemes, their performance is not satisfactory because the bilinear pairing operation and the scalar multiplication operation are computationally expensive.
• Therefore, we propose an ID-based CPPA scheme for VANETs without bilinear pairing.
Bilinear Pairing
• Define , where G1 is an additive group generated by a point P on the supersingular elliptic curve .
• Traditional elliptic curve math lets you check linear constraints on the numbers (e.g. if P = G * p, Q = G * q and R = G * r, checking 5 * P + 7 * Q = 11 * R is really checking that 5 * p + 7 * q = 11 * r); pairings let you check quadratic constraints (e.g. checking e(P, Q) * e(G, G * 5) = 1 is really checking that p * q + 5 = 0).
• The word "bilinear" here basically means that it satisfies the constraints e(P, Q + R) = e(P, Q) * e(P, R) and e(P + S, Q) = e(P, Q) * e(S, Q).
Network Model and Security Requirements
• The upper layer of the network model consists of a Trusted Authority (TA) and an Application Server (AS), which communicate with each other through a secure channel that can be established with the Secure Socket Layer (SSL) protocol.
• The bottom layer of the network model consists of an RSU and a vehicle, which communicate with each other through the DSRC protocol.
• An ID-based CPPA scheme for VANETs should meet the following security requirements: message authentication, identity privacy preservation, traceability, un-linkability and resistance to attacks.
System Initialization
• The TA assigns and pre-loads {RID, PWD, x} into each vehicle's tamper-proof device, and then sends the system parameters {p, q, a, b, P, Ppub, h1, h2, h3} to all RSUs and vehicles, where
• When the vehicle inputs its RID and PWD into its tamper-proof device, the device checks whether they are equal to the stored ones to decide whether the request should be rejected.
Anonymous Identity Generation and Message Signing
• The tamper-proof device generates a random number and computes
• Then, the tamper-proof device gives {AIDi, ski, Ti} to the vehicle.
• The vehicle generates a random number and computes , where Mi is a message about traffic status. Then, the vehicle broadcasts {Mi, AIDi, Ti, Ri, σi} to nearby RSUs and vehicles.
• The verifier checks the freshness of Ti first. If it is not fresh, the verifier rejects the message.
Single Verification of One Message
• The verifier then checks the equation . If it does not hold, the verifier rejects the message; otherwise, the verifier accepts the message.
Batch Verification of Multiple Messages
• To guarantee the non-repudiation of signatures under batch verification, we use the small exponent test technique, where a vector of small random integers is used to quickly detect any modification of a batch of signatures.
• The verifier chooses a vector v = {v1, v2, ..., vn} randomly, where each vi is a small random integer in [1, 2^t] and t is a small integer, so the test has very little computation overhead. Afterwards, the verifier checks whether the following equation holds
Security Analysis
• We have evaluated the security of the proposed ID-based CPPA scheme for VANETs and demonstrated that the proposed scheme is secure in the random oracle model, using Setup−Oracle, h1/h2/h3−Oracle and Sign−Oracle.
• Suppose there is an adversary A that can violate the authentication of the CPPA scheme and forge a message {Mi, AIDi, Ti, Ri, σi}. We can construct a challenger C that solves the DL problem with non-negligible probability by running A as a subroutine. Given an instance (P, Q = x · P) of the DL problem, C simulates the oracles queried by A as follows.
• Setup−Oracle: C sets Ppub ← Q, and sends the system parameters {p, q, a, b, P, Ppub, h1, h2, h3} to A.
Random Oracle Model
• h1/h2/h3−Oracle: C keeps a list L1/L2/L3 with entries of the form / / , initialized to empty. Upon receiving A's query with the message / / , C first checks whether a corresponding tuple exists in L1/L2/L3. If so, C sends τ to A; otherwise, C generates a random number τ ∈ Zq, adds the tuple to L1/L2/L3 and sends τ to A.
• Sign−Oracle: Upon receiving A's query with the message Mi, C generates three random numbers σi, αi, βi ∈ Zq*, chooses a random point and computes . C adds into L2 and into L3. Finally, C sends the message {Mi, AIDi, Ti, Ri, σi} to A. Therefore, all signatures generated by C are indistinguishable from those generated by legal vehicles.
The Hardness of the DL Problem
• At last, A outputs a message {Mi, AIDi, Ti, Ri, σi}. C checks whether the following equation holds to decide whether to use it.
• A could output another valid message {Mi, AIDi, Ti, Ri, σ'i} if we repeat the process with a different choice of h2. In this case, we get the following equation , and C outputs (αi − α'i)^(−1) · (σi − σ'i) as the answer to the DL problem. This ability to solve the DL problem contradicts its hardness. Therefore, the verifier can check the validity and integrity of the message.
Privacy Analysis
• Preserving identity privacy: The vehicle's real identity RID is involved in AIDi generated by the vehicle. To extract RID from AIDi, the adversary must compute , and therefore needs wi or x.
• Traceability: The TA computes and extracts the real identity by computing RID =
• Un-linkability: Due to the randomness of wi and ri, no adversary can link two anonymous identities or two signatures generated by the same vehicle.
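As an added worked example (not code from the slides or from the paper's authors), here is the whole flow the slides describe in toy Python: anonymous identity generation in the tamper-proof device, signing, single and batch verification with the small exponent test, and tracing by the TA. The concrete equations for AIDi, ski, σi and the verification check are reconstructed from the published scheme and are an assumption, since the formula images are missing from this page; the function names, secp256k1 as a stand-in for the paper's 160-bit curve, and SHA-256 playing the random oracles h1/h2/h3 are likewise my choices.

```python
import hashlib, secrets
# Added example (assumption): equations reconstructed from the published He et al. scheme,
# the slide formulas being missing here; secp256k1 stands in for the paper's 160-bit curve.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
a, b = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(A, B):  # affine addition on y^2 = x^3 + a*x + b; None = point at infinity
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def ec_mul(k, A):  # double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R
def H(tag, *parts):  # random-oracle stand-in for h1/h2/h3 (tag 1/2/3), output in Z_q^*
    digest = hashlib.sha256(str((tag,) + parts).encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1
def rand_zq(): return secrets.randbelow(q - 1) + 1
def setup():  # TA: master key x (preloaded into every tamper-proof device), Ppub = x*P
    x = rand_zq()
    return x, ec_mul(x, P)
def tpd_generate(x, Ppub, rid, T):  # TPD: AID_i = {w*P, RID xor h1(w*Ppub)}, sk_i = h2(AID_i, T_i)*x
    w = rand_zq()
    aid = (ec_mul(w, P), rid ^ H(1, ec_mul(w, Ppub)))
    return aid, H(2, aid, T) * x % q
def sign(aid, sk, T, M):  # vehicle: R_i = r*P, sigma_i = sk_i + h3(AID_i, T_i, R_i, M_i)*r mod q
    r = rand_zq()
    R = ec_mul(r, P)
    return (M, aid, T, R, (sk + H(3, aid, T, R, M) * r) % q)
def verify(Ppub, msg):  # single verification: sigma_i*P == h2(.)*Ppub + h3(.)*R_i
    M, aid, T, R, sigma = msg
    return ec_mul(sigma, P) == ec_add(ec_mul(H(2, aid, T), Ppub), ec_mul(H(3, aid, T, R, M), R))
def batch_verify(Ppub, msgs, t=8):  # small exponent test: random v_i in [1, 2^t] per message
    v = [secrets.randbelow(2 ** t) + 1 for _ in msgs]
    lhs = ec_mul(sum(vi * m[4] for vi, m in zip(v, msgs)) % q, P)
    rhs = ec_mul(sum(vi * H(2, m[1], m[2]) for vi, m in zip(v, msgs)) % q, Ppub)
    for vi, (M, aid, T, R, _) in zip(v, msgs):
        rhs = ec_add(rhs, ec_mul(vi * H(3, aid, T, R, M) % q, R))
    return lhs == rhs
def trace(x, aid):  # TA: RID = AID_{i,2} xor h1(x*AID_{i,1}), since x*(w*P) = w*Ppub
    return aid[1] ^ H(1, ec_mul(x, aid[0]))
```

Timestamp freshness checking, the verifier's first step on the slides, is left to the caller; a tampered Mi changes h3 and fails both the single and the batch check.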
Resistance Against Various Types of Attacks
• The adversary must generate a message {Mi, AIDi, Ti, Ri, σi} satisfying the equation , but he cannot. Therefore, we can resist the impersonation attack, modification attack and man-in-the-middle attack.
• RSUs and other vehicles can detect a replay attack of the message by checking the freshness of the timestamp Ti.
• Neither the RSU nor the vehicle maintains a verifier table for message authentication, because they only need to store their own private key. Hence, the adversary cannot steal any verifier table to mount a stolen verifier table attack.
Computation Analysis
• We compute the execution time using MIRACL, a well-known library of widely used cryptographic operations that runs in many environments. Our hardware platform is an Intel i7-4770 processor with a 3.40 GHz clock frequency and 4 GB of memory, running Windows 7.
• Let AIDGMS, SVOM and BVMM denote the anonymous identity generation and message signing step, the single verification of one message step and the batch verification of multiple messages step, respectively.
Computation Cost
• To demonstrate the major benefit of the proposed ID-based CPPA scheme in the batch verification of multiple messages, we compare the execution times of batch verification in the proposed scheme.
Communication Cost Analysis
• The size of p is 20 bytes (160 bits), so the size of an element of G1 is 20 × 2 = 40 bytes. Let the sizes of the general hash function's output and of the timestamp be 20 bytes and 4 bytes, respectively. We only consider the size of the signature, since messages about traffic status do not have a fixed length.
• The vehicle in the proposed CPPA scheme broadcasts the anonymous identity and signature {AIDi, Ti, Ri, σi} to the verifier, where AIDi = . Therefore, the communication cost of the proposed CPPA scheme is 40 × 3 + 20 + 4 = 144 bytes.