A Distributed Key Management Framework With Cooperative Message Authentication in VANETs


IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 3, MARCH 2021

Yong Hao, Student Member, IEEE, Yu Cheng, Senior Member, IEEE,
Chi Zhou, Senior Member, IEEE, and Wei Song

Abstract—In this paper, we propose a distributed key management framework based on group signature to provision privacy in vehicular ad hoc networks (VANETs). Distributed key management is expected to facilitate the revocation of malicious vehicles, maintenance of the system, and heterogeneous security policies, compared with the centralized key management assumed by the existing group signature schemes. In our framework, each road side unit (RSU) acts as the key distributor for the group, where a new issue incurred is that the semi-trust RSUs may be compromised. Thus, we develop security protocols for the scheme which are able to detect compromised RSUs and their colluding malicious vehicles. Moreover, we address the issue of large computation overhead due to the group signature implementation. A practical cooperative message authentication protocol is thus proposed to alleviate the verification burden, where each vehicle just needs to verify a small amount of messages. Details of possible attacks and the corresponding solutions are discussed. We further develop a medium access control (MAC) layer analytical model and carry out NS2 simulations to examine the key distribution delay and missed detection ratio of malicious messages, with the proposed key management framework being implemented over 802.11 based VANETs.

Index Terms—Vehicular ad hoc networks, privacy, distributed key management, RSU compromise, cooperative authentication.

Manuscript received 5 January 2010; revised 7 May and 12 July 2010. This work was supported in part by NSF grant CNS-0832093.
Y. Hao, Y. Cheng, and C. Zhou are with the Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, IL 60616, USA (email: {yhao4, cheng, zhou}@iit.edu).
W. Song is with the Faculty of Computer Science, University of New Brunswick, Fredericton, NB, 3EB 5A3, Canada (email: [email protected]).
Digital Object Identifier 10.1109/JSAC.2021.110311.
0733-8716/11/$25.00 © 2021 IEEE

I. INTRODUCTION

The vehicular ad hoc networks (VANETs) have attracted a lot of attention due to their interesting and promising functionalities including vehicular safety, traffic congestion avoidance, and location based services [1]. In this paper, we focus on safety driving application, where each vehicle periodically broadcasts messages including its current position, direction and velocity, as well as road information.

Privacy is an important issue in VANETs [2]. As the wireless communication channel is a shared medium, exchanging messages without any security protection over the air can easily leak the information that users may want to keep private. Pseudonym based schemes [3]–[5] have been proposed to preserve the location privacy of vehicles. However, those schemes require the vehicles to store a large number of pseudonyms and certifications, and do not support some important secure functionalities such as authentication and integrity. The group signature [6] is a promising security scheme to provide privacy in VANETs. To the best of our knowledge, all of the existing group signature schemes in VANETs [7]–[9] are based on centralized key management which preloads keys to vehicles off-line. The centralized key management has some disadvantages. For instance, the system maintenance is not flexible. Another issue regarding the centralized key management is that many existing schemes assume a tamper-proof device [1] being installed in each vehicle. The tamper-proof device normally costs several thousand dollars, such as IBM 4764 card [10]. The framework to be developed in this paper does not require the expensive tamper-proof device.

In this paper, we propose and develop a secure distributed key management framework. In our framework, the road side units (RSUs) [11] are responsible for secure group private keys distribution in a localized manner. When a vehicle approaches an RSU, it gets the group private key from the RSU dynamically. All vehicles which get the group private key from the same RSU form a group. A new issue induced by the distributed key management framework is that compromised RSUs may misbehave in the key distribution procedure. For example, a compromised RSU may deliver other vehicles' group private keys to its accomplice. Then, the accomplice can send messages under the name of other vehicles. Therefore, we develop security protocols for the distributed key management framework, which are capable of detecting the compromised RSUs and their collusion with the malicious vehicles if any.

Computation overhead is another critical issue in VANETs. In the safety driving application, vehicles broadcast safety messages every 300ms [1]. Since the group signature is expensive, the computation overhead of each vehicle will become intolerable when the density of vehicles is high [12]. In [13], the authors propose a promising protocol which lets vehicles verify messages cooperatively by employing probabilistic verification. However, in order to guarantee efficient cooperation, vehicles have to verify at least twenty-five messages within 300ms which is still a heavy computation burden for the on-board unit (OBU) installed on a vehicle. In addition, the impact of packet loss at the medium access control (MAC) layer on security performance is not investigated in [13].

In this paper, we propose a more efficient and practical cooperative message authentication protocol (CMAP) with an assumption that each safety message carries the location information of the sender vehicle (which can be generated by a global positioning system (GPS) device). Verifiers of each message are defined according to their locations in relation to
the sender. Only the selected verifiers check the validity of the message while other vehicles rely on verification results from these verifiers. Compared with [13], our protocol has smaller packet loss ratio, less computation and communication overhead, as well as better security performance. Hence, it is more efficient and practical in the real application. In summary, this paper has five-fold main contributions:

1) We propose a distributed key management framework which has advantages in the revocation of malicious vehicles, system maintenance, and the implementation of heterogeneous security policies.
2) We develop a secure key distribution protocol with the capability of preventing RSUs from misbehaving. The protocol guarantees the traceability of compromised RSUs and malicious vehicles.
3) An efficient cooperative message authentication protocol is developed, by which cooperative verifiers are intelligently selected to significantly reduce the computation and communication overhead in the group signature based implementation.
4) A MAC layer analytical model is developed to quantitatively evaluate the impact of number of verifiers and the size of authentication messages on network utilization.
5) We carry out NS2 simulations of 802.11 based VANETs to examine the key distribution delay and missed detection ratio of malicious messages, with the proposed key management framework being applied.

The remainder of this paper is organized as follows. Section II reviews more related work. Section III describes the system model. Section IV presents the distributed key management framework and associated security protocols for implementation. The cooperative message authentication protocol is developed in Section V. Section VI and Section VII analyze the security performance and MAC layer performance, respectively. Section VIII presents the NS2 simulation results. Section IX gives the conclusion remarks.

II. RELATED WORK

A. Privacy

There have been several proposals for privacy preservation of VANETs. Using pseudonyms is a natural idea. It is preferable to preserve the location privacy of a vehicle by breaking the linkability between two locations, for which the vehicle can update its pseudonym after each transmission. Considering that a powerful adversary may still link the new and old pseudonyms by monitoring the temporal and spatial relations between new and old locations, the techniques of mix zone [3] and silent period [4] have been proposed to enhance the pseudonym scheme. Each vehicle in a mix zone will keep silent in transmission, and randomly update its pseudonyms when it travels out of the mix zone and becomes reactivated. Given a reasonably large mix zone, the location privacy can be well protected due to the untraceability of location and pseudonym updating in the silent period. In the AMOEBA [5], vehicles form groups. The messages of all group members are forwarded by the group leader, which implies that the privacy of group members is protected by sacrificing the privacy of group leader. Moreover, if a malicious vehicle is selected as a group leader, all group members' privacy may be leaked by the malicious leader.

While the pure pseudonym schemes do not support the secure functionality of authentication, integrity, and nonrepudiation, an anonymous signing protocol [1] is proposed to provide such functions as well as privacy. In the protocol, each vehicle preloads a large number of certificated anonymous public/private key pairs. A key pair will be used for a short period of time and then be discarded. Each key pair is assigned to only one user, and authorities maintain the key distribution records which can be used to trace possible malicious vehicles. The shortcoming of this protocol is that it requires vehicles to store a large number of pseudonyms and certifications, where a revocation scheme for abrogating malicious vehicles is difficult to implement.

The group signature [6] is a promising security scheme to provide privacy in VANETs. In the group signature, one group public key is associated with multiple group private keys. Under the group signature scheme, although an eavesdropper can know that a message is sent by the group, it can not identify the sender of the message. A general vehicular communication framework based on group signature is given in [7]. Lin et al. systematically discuss how to implement group signature protocol in VANETs [8]. The work in [9] combines pseudonym schemes with the group signature to avoid storing pseudonyms and certifications in vehicles. While all these studies assume a centralized key management scheme, we develop a distributed key management framework in this paper to achieve privacy based on group signature.

B. Computation Overhead

In the safety driving application with frequent message communication, it is important to design protocols with small computation overhead for timely and reliable message processing. In [15], the authors propose to employ TESLA, which is a hash based protocol, to reduce the computation overhead. However, the malicious vehicles could not be identified in this protocol. An aggregate signature and certificates verification scheme is proposed in [16], which could verify all received signatures and certificates at one time. This protocol is more efficient when the density of vehicles is high. An RSU aided message authentication protocol is proposed in [14]. The protocol requires RSUs to cover all the area, because RSUs have to be involved in the authentication. A promising protocol based on probabilistic verification is proposed in [13]. Through cooperative verification, the number of messages to be authenticated by each vehicle will be reduced considerably. In this paper, we adopt the concept of cooperative authentication, but design a new method to select verifiers. With our method, a similar security level could be achieved with a much smaller number of verifiers, and the performance is more robust when the MAC-layer collision is nonignorable.

C. Communication Protocols for VANETs

A vehicular network can be established over different communication/networking protocols [11], [17], say, cellular networks, IEEE 802.16 (WiMAX), or IEEE 802.11. There are already some cellular-based vehicular communication services
on the market, for example, the GM OnStar service and the BMW Assist service. However, cellular or WiMAX based networking is limited to single-hop base station to vehicle communications, and can hardly be applied to ad hoc vehicle to vehicle communications. Moreover, cellular and WiMAX networking heavily depend on the availability of infrastructure, which is normally expensive and might not be available in those underdeveloped areas. The cellular network is further limited with bandwidth and not suitable for large scale multi-hop vehicle to vehicle networking. The 802.11 based protocol has the flexibility in seamlessly supporting both single-hop RSU to vehicle communications and multi-hop vehicle to vehicle communications, and is the mainstream protocol for VANETs [12]–[14], [18]–[20]. In this paper, we also focus on the 802.11 based VANETs.

III. SYSTEM MODEL

A. Network Model

We consider infrastructure based VANETs in this paper, where entities can be classified into three categories: authorities, road side infrastructure, and nodes.

Authorities are responsible for key generation and malicious vehicle judgement. Authorities have powerful firewalls and other security protections. Therefore, they have the highest security level. We assume that they can not be compromised.

Road side infrastructure consists of RSUs deployed at the road sides which are in charge of key management in our framework. Traffic lights or road signs can be used as RSUs after renovation. RSUs communicate with authorities through wired network. We assume a trusted platform module is equipped in each RSU. It can resist software attacks but not sophisticated hardware tampering. The cost of a trusted platform module is only a few tens of dollars which is affordable [1]. RSUs are semi-trust with the medium security level [5].

Nodes are ordinary vehicles on the road that can communicate with each other and RSUs through radio. We assume that each vehicle is equipped with a GPS receiver using DGPS [21] with an accuracy on the order of centimeters and an on board unit (OBU) which is in charge of all communication and computation tasks. Nodes have the lowest security level.

B. Group Signature Based Privacy System

In our framework, the communications can be divided into the key distribution phase and the regular broadcast phase. Vehicles get keys dynamically in the key distribution phase and then start to broadcast their geographic and road condition messages periodically in the regular broadcast phase. We resort to the group signature scheme for privacy provision. With group signature, members of a group sign messages under the name of the group. In a group, there are one group public key and many corresponding group private keys. A message that is signed by any group private keys can be verified with the unique group public key, and the signer's identifier will not be revealed. However, authorities hold a tracing key which can be used to retrieve the group private key from the signature. If one group private key is assigned to only one user, the signer can be identified after authorities get its group private key.

Fig. 1. Group definition.

1) Group Definition: Those vehicles getting keys from the same RSU form a group, as illustrated in Fig. 1, where the communication range of RSUs is 300 meters marked by dashed lines. We consider that RSUs are only deployed at entrances/exits of the road segments. In a highway scenario, RSUs are normally far away from each other. In the region out of the RSU coverage, vehicles in the same group can communicate with each other in an ad hoc manner. In a city area, RSUs might overlap with each other. We define that a vehicle is only associated with one RSU at a moment to get the service.

2) Channel Assignment: In the VANETs, vehicles share the wireless spectrum according to the 802.11p [18] which has seven communication channels. One is used as the control channel for management data and short messages exchange. There is also one accident avoidance channel for safety messages broadcasting. In our system, the key distribution process employs the control channel and regular broadcast messages are transmitted in the accident avoidance channel.

C. Security Model

In this paper, we assume that attackers are inside, rational, active, global [22] and parsimonious [23]. Inside attackers are legitimate members of VANETs. In this paper, attackers can be network nodes or road side infrastructure. Rational attackers only attack for their own benefits. They know the security mechanism and they want to attack without being detected. If there is a mechanism that can detect them and the punishment is severe enough, they tend not to attack. Active attackers have the ability to send packets into wireless channels. Global attackers have an unlimited scope which means they can hear any information in the network. Attackers may have strong transmission power to communicate over long distances. Adversarial parsimony means an attack involving a few malicious nodes is more likely to happen than an attack that requires collusion among a large number of nodes.

We assume that the overwhelming majority of vehicles and RSUs are honest which is reasonable in the civilian use system. We also assume vehicles will report to authorities when they find that other vehicles send a false message. Wired network which connects RSUs and authorities transmits data securely without packet loss. In the key distribution phase, our protocol is used to judge whether a vehicle is a legitimate user. If accusers and the accused are all legitimate users, we assume authorities have an evaluation system [24] to judge whether the contents of messages are false or not. The evaluation system design is out of the scope of this paper.

IV. DISTRIBUTED KEY MANAGEMENT

A. Short Group Signature

We adopt short group signature [25] in this paper because it has smaller communication overhead than other group signature schemes. Meanwhile, in the short group signature protocol, there is a group private key generator which can be assigned to key distributors without revealing other secrets. The existence of the generator makes the third party possible to be key distributors. Another attractive feature of the short group signature is that it has a tracing key which can retrieve group private keys from signatures. The short group signature works as follows [26]:

1) Key Setup: Authorities generate cryptographic system in this procedure. Let $G_1$ and $G_2$ be two bilinear multiplicative groups with generators $g_1$ and $g_2$ of the same prime order $p$, respectively. Let $\psi$ be a computable isomorphism from $G_2$ to $G_1$ with $\psi(g_2) = g_1$. For the group $t$, authorities select $h_t \leftarrow G_1 \setminus \{1_{G_1}\}$ and $\xi_{t1}, \xi_{t2}, \gamma_t \leftarrow Z_p^*$ randomly and set $\mu_t, \nu_t \in G_1$, such that $\mu_t^{\xi_{t1}} = \nu_t^{\xi_{t2}} = h_t$, where $Z_p^*$ is a multiplicative group of order $p-1$. Set $\omega_t = g_2^{\gamma_t}$. Authorities publish the group public key $(g_1, g_2, \mu_t, \nu_t, h_t, \omega_t)$ and transmit the group private key generator $\gamma_t$ to the key distributor of group $t$, in other words, $RSU_t$, securely. The group tracing key $K_t = (\xi_{t1}, \xi_{t2})$ will be held by authorities.

2) Membership Registration: When a user $k$ applies to join the group $t$, the key distributor will generate group private key by selecting $x_{tk} \leftarrow Z_p^*$ randomly and sets $A_{tk} = g_1^{1/(\gamma_t + x_{tk})}$. The group private key for the user $k$ is $Gpri_k = (A_{tk}, x_{tk})$. It will be transmitted to the user securely after the $RSU_t$ receives the valid information of the user, such as its real identifier. Each group private key should only be assigned to one user.

3) Signing and Verification: Vehicles start to sign regular broadcast messages by using the group private key after they pass the corresponding RSU. Receivers only accept messages that are approved by group public key in the verification.

4) Key Retrieve: The group private key of the signer can be retrieved from the signature by authorities if there is a dispute. Authorities first check the validity of the signature after they identify the group through the group ID which is included in each message, such as group $t$, and then compute $A_{ti}$ as: $A_{ti} \leftarrow T_{t3} / (T_{t1}^{\xi_{t1}} T_{t2}^{\xi_{t2}})$, where $T_{t1}$, $T_{t2}$, $T_{t3}$ are information included in the signature. Then the corresponding vehicle can be identified by the group ID and $A_{ti}$.

Compared with existing schemes which preload keys into the vehicle off-line, our key distribution framework has the following advantages [27]. (1) The revocation is more efficient. In our scheme, the revocation list is stored in RSUs. However, in preload schemes, revocation list has to be transmitted to every vehicle through wireless channels. Due to the large number of vehicles, the revocation list must be changed quickly. Meanwhile, both adding or deleting an item in the revocation list that distributes in so many vehicles is resource and time consuming. (2) The system maintenance is easier and more flexible. In our scheme, the number of vehicles that are affected by group-key updating is much smaller than that in the preload scheme. (3) Heterogeneous security policies can be implemented in our scheme. While, in preload schemes, the policy is difficult to be changed after it is deployed.

B. Secure Key Distribution Protocol Design

In this section, we propose a protocol to detect compromised RSUs and their accomplices which is a brand new security issue induced by the distributed key management framework. A misbehaved RSU will let authorities fail to identify malicious vehicles. Our protocol allows vehicles to be authenticated with their real identifiers under protection and guarantees authorities to find compromised RSUs and identities of malicious vehicles if there is a dispute. Our protocol defines message types in registration, messages broadcasting and accusation. Authorities make decisions according to the registration information that vehicles provide. Hereby, the registration procedure is the most important part.

We assume that each vehicle and RSU is preloaded with a global, long term public/private key pair with key size of 224 bits and a corresponding certificate of the public key signed by the certification authority (CA). We define the pair as identity keys (I-keys). The group public key and group private keys are local, short term keys in our scheme. We define them as group keys (G-keys). Both I-keys and G-keys are unique. Thus they are considered as identifiers of vehicles and RSUs. CA's public key size is 256 bits. Furthermore, a hash function $h(x)$, such as SHA1, is known by authorities, RSUs and all vehicles. In this paper, elliptic curve digital signature algorithm (ECDSA) is employed as the signing protocol and we use elliptic curve integrated encryption scheme (ECIES) as the encryption protocol. Since a reliable key distribution is the foundation for the whole system, all the messages in the key distribution procedure are transmitted over the transmission control protocol (TCP).

1) Registration: The procedure of registration is shown in Fig. 2. In Table I, we list physical meanings of symbols.

Message 1: RSUs broadcast I-public keys, G-public keys of themselves and their neighbor RSUs with certificates and identities of revoked RSUs in their neighborhoods regularly. Authorities employ benign RSUs around compromised RSUs to implement revocation by regular broadcasting those compromised RSUs' identities.

Message 2: When a vehicle detects the hello message, it starts registration by sending its I-public key and the certificate to the RSU if the RSU is not revoked. Normally, a public key should not be encrypted. However, in our system model, each vehicle's I-public key is unique, so it is also an identifier of the vehicle. We encrypt it to protect vehicle's privacy.

Message 3: The RSU sends the hash value of the G-private key which plans to be assigned to the vehicle and the signature of the hash value, vehicle's I-public key and RSU's I-public key to the vehicle. RSU's I-public key is also unique. The vehicle can identify the RSU's legitimacy after it verifies this message because the RSU uses its I-private key in the message.

Message 4: The vehicle encrypts its $N_{pri}$ and the timestamp by using authorities' public key. Then, it sends the encryption data with the timestamp and the signature of corresponding information, shown in Fig. 2 message 4, to the RSU. The encryption of its $N_{pri}$ and the timestamp is a commitment. We will use it to detect illegitimate users later. Meanwhile, the signature signed by the vehicle binds vehicle's information and the assigned G-private key. Then, the RSU can not re-map them because the RSU does not have vehicle's I-private key.

Messages exchanged between the vehicle and the RSU:

1. RSU → vehicles (broadcast): $\{R_{pub}, Sig_{CA}(R_{pub}), \text{group public keys}, \text{identities of revoked neighbor RSUs}\}$
2. Vehicle → RSU: $\{N_{pub}, Sig_{CA}(N_{pub})\}_{R_{pub}}$
3. RSU → Vehicle: $\{h(Gpri_k), Sig_{R_{pri}}(h(Gpri_k), N_{pub}, R_{pub})\}_{N_{pub}}$
4. Vehicle → RSU: $\{(N_{pri}, T)_{CA}, T, Sig_{N_{pri}}(h(Gpri_k), (N_{pri}, T)_{CA}, T, N_{pub})\}_{R_{pub}}$
5. RSU → Vehicle: $\{Gpri_k, Sig_{R_{pri}}(Gpri_k)\}_{N_{pub}}$

Fig. 2. Registration message flow.

TABLE I
NOTATIONS AND DESCRIPTIONS

| Notations | Descriptions |
|---|---|
| $R_{pub}/R_{pri}$ | RSU's public/private key pair (I-key) |
| $N_{pub}/N_{pri}$ | Node (Vehicle)'s public/private key pair (I-key) |
| $Sig_A(M)$ | Signature of message $M$ signed by $A$'s private key |
| $(M)_k$ | Message $M$ is encrypted by $k$ or $k$'s public key |
| $Gpub_k/Gpri_k$ | Group public/private key pair (G-key) for user $k$ |
| $T$ | Timestamp |
| $h(.)$ | A one-way hash function such as SHA-1 |

Message 5: The RSU sends the G-private key to the vehicle. The vehicle finishes registration procedure after it gets a valid G-private key. Then, the RSU stores the information, as shown in Table II, in the local database. The signature in the fifth item is the signature that the RSU receives in message 4. If authorities need the information of a vehicle when there is a dispute, the RSU has to send the vehicle's corresponding information to authorities.

Table II presents the message format and we also indicate the size of each field. When the I-keys are involved, the indicated sizes are determined by the ECDSA and ECIES algorithms and the given key size. When the G-keys are involved, the indicated sizes are determined by the short group signature scheme. Numbers in Table II are sizes of each field with unit of bytes. We allocate 4 bytes for the timestamp and 2 bytes for the group ID.

2) Messages Broadcasting: Vehicles can broadcast messages under the name of the group after they get G-private keys from the RSU. In the broadcast message format, the "Grp ID" is the group ID which is used to identify a group. We add a hash value of vehicle's I-private key and the timestamp in the message. The vehicle signs the first five items in this message using the vehicle's G-private key, resulting in the signature item. We allocate 100 bytes to the "Payload" [8].

3) Accusation: When a vehicle finds that other vehicles send false messages, it will report to authorities. For example, a vehicle may maliciously detour traffic by claiming a traffic jam at a certain place but there is not in fact. Other vehicles at that place will report such claim as a false message. The accusation message format is shown in Table II. "Grp ID" is the accuser's group identifier. The "Msg." field copies the whole message that the accuser considers false. An 8-byte field is used to indicate "Reasons" for the accusation. "$h(N_{pri}, T)$" is the hash value of accuser's I-private key and the timestamp. The accuser signs the first six items in this message by using its G-private key. The entire message should be encrypted by CA's public key so that the accusation messages can not be read by others.

After receiving an accusation, authorities verify the signature in the accusation message by using $G_{pub}$. Then, authorities perform key retrieve operations to get the accuser's and the accused's G-private keys. Whereafter, authorities contact RSUs which assign G-private keys to the accuser and the accused according to group IDs. RSUs will send corresponding information back to authorities after they receive the requests from authorities. After that, authorities will calculate accuser's and accused's $h(N_{pri}, T)$ by using vehicles' I-private keys and timestamps which are obtained from the accusation message and the broadcast message respectively. If the value that authorities calculate is the same with the value they get from the report, the user will be considered as legitimate. If both of them are authorized users, authorities will start the evaluation mechanism to decide which user tells the truth. The evaluation system design is out of the scope of this paper. A reference to this part of work is [24].

V. COOPERATIVE MESSAGE AUTHENTICATION

In this section, we propose a cooperative message authentication protocol, which augments the basic short group signature protocol by mitigating the computation overhead in the regular broadcast phase. According to [12], the verification time for short group signature is 11ms with a 3 GHz Pentium IV system. In a typical public safety application, each vehicle broadcasts safety messages every 300 ms, which implies that each vehicle can at most process messages from 27 (300/11) other vehicles in a stable system. However, according to the measurement that is given by [28], there may exist as many as 87 vehicles broadcasting messages within the 300m

Fig. 3. Work flow of the cooperative message authentication protocol.

TABLE II
MESSAGE FORMATS (field sizes in bytes)

Registration Record Format

| $Gpri_k$ | $N_{pub}$ | $(N_{pri}, T)_{CA}$ | $T$ | Signature |
|---|---|---|---|---|
| 22 | 29 | 85 | 4 | 56 |

Broadcast Message Format

| Grp ID | Msg. Type | Payload | $h(N_{pri}, T)$ | $T$ | Signature |
|---|---|---|---|---|---|
| 2 | 2 | 100 | 20 | 4 | 192 |

Accusation Message Format

| Grp ID | Msg. Type | Msg. | Reasons | $h(N_{pri}, T)$ | $T$ | Signature |
|---|---|---|---|---|---|---|
| 2 | 2 | 320 | 8 | 20 | 4 | 192 |

Cooperative Message Format

| Grp ID | Msg. type | $h(N_{pri}, T)$ of the invalid msg | $T$ |
|---|---|---|---|
| 2 | 2 | 20 | 4 |
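The broadcast and accusation layouts of Table II, and the authority-side recomputation of h(Npri, T) described in the accusation procedure of Section IV-B, can be exercised with the following Python example. It is added here and is not code from the paper: big-endian integers, NUL padding, the message-type codes, hashing Npri || T with SHA-1 and all sample keys are assumptions, and group-signature verification and key retrieval are not modelled (signatures are opaque 192-byte fields).

```python
import hashlib
import hmac
import struct

# Field widths (bytes) are the ones listed in Table II. Big-endian unsigned
# integers, NUL padding and the message-type codes are assumptions.
BROADCAST = struct.Struct(">HH100s20sI192s")     # Grp ID, Msg. Type, Payload, h(Npri,T), T, Signature
ACCUSATION = struct.Struct(">HH320s8s20sI192s")  # Grp ID, Msg. Type, Msg., Reasons, h(Npri,T), T, Signature
TYPE_RBM, TYPE_ACCUSATION = 1, 2                 # hypothetical type codes
SIG_LEN = 192


def commitment_tag(npri: bytes, t: int) -> bytes:
    """h(Npri, T): SHA-1 over Npri || T (the concatenation order is assumed)."""
    return hashlib.sha1(npri + struct.pack(">I", t)).digest()


def build_broadcast(grp_id, payload, npri, t, signature):
    if len(payload) > 100 or len(signature) != SIG_LEN:
        raise ValueError("payload or signature does not fit the Table II layout")
    return BROADCAST.pack(grp_id, TYPE_RBM, payload, commitment_tag(npri, t), t, signature)


def parse_broadcast(raw):
    if len(raw) != BROADCAST.size:
        raise ValueError(f"broadcast message must be {BROADCAST.size} bytes, got {len(raw)}")
    grp_id, msg_type, payload, tag, t, signature = BROADCAST.unpack(raw)
    return {"grp_id": grp_id, "type": msg_type, "payload": payload.rstrip(b"\0"),
            "tag": tag, "t": t, "signature": signature}


def build_accusation(grp_id, accused_raw, reasons, npri, t, signature):
    # The "Msg." field copies the whole accused broadcast message (320 bytes).
    if len(accused_raw) != BROADCAST.size or len(reasons) > 8 or len(signature) != SIG_LEN:
        raise ValueError("field does not fit the Table II layout")
    return ACCUSATION.pack(grp_id, TYPE_ACCUSATION, accused_raw, reasons,
                           commitment_tag(npri, t), t, signature)


def parse_accusation(raw):
    if len(raw) != ACCUSATION.size:
        raise ValueError(f"accusation message must be {ACCUSATION.size} bytes, got {len(raw)}")
    grp_id, msg_type, msg, reasons, tag, t, signature = ACCUSATION.unpack(raw)
    return {"grp_id": grp_id, "type": msg_type, "accused": parse_broadcast(msg),
            "reasons": reasons.rstrip(b"\0"), "tag": tag, "t": t, "signature": signature}


def legitimacy(accusation_raw, accuser_npri, accused_npri):
    """Authority-side check: recompute h(Npri, T) for both parties.

    accuser_npri / accused_npri stand for the I-private keys the authorities
    obtain from the RSUs' registration records after key retrieval.
    """
    acc = parse_accusation(accusation_raw)
    msg = acc["accused"]
    return {
        "accuser": hmac.compare_digest(commitment_tag(accuser_npri, acc["t"]), acc["tag"]),
        "accused": hmac.compare_digest(commitment_tag(accused_npri, msg["t"]), msg["tag"]),
    }


# Constructed sample data: 224-bit I-private keys and placeholder signatures.
REGISTERED_NPRI = bytes(range(28))   # key registered for the accused's G-private key
ACCUSER_NPRI = bytes(range(100, 128))
OTHER_NPRI = b"\xaa" * 28            # sender that is not the registered owner
SIG = b"\x5a" * SIG_LEN


def demo():
    t_msg, t_acc = 1_300_000_000, 1_300_000_060
    results = {}
    for label, sender_key in (("registered sender", REGISTERED_NPRI),
                              ("other sender", OTHER_NPRI)):
        rbm = build_broadcast(7, b"traffic jam reported ahead", sender_key, t_msg, SIG)
        accusation = build_accusation(7, rbm, b"FALSEJAM", ACCUSER_NPRI, t_acc, SIG)
        results[label] = legitimacy(accusation, ACCUSER_NPRI, REGISTERED_NPRI)
    return results


if __name__ == "__main__":
    print(BROADCAST.size, ACCUSATION.size)
    for label, verdict in demo().items():
        print(label, verdict)
```

The 320-byte "Msg." field of the accusation format is exactly the size of one broadcast message, which is why the accused message can be embedded and re-parsed unchanged.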

communication range of a receiving vehicle, far exceeding its processing capability. Therefore, we propose a cooperative message authentication protocol to fill the gap between the workload and the processing capability.

A. Workflow Overview

The work flow of the cooperative message authentication protocol is shown in Fig. 3. Each vehicle maintains two processes, which are the verifiers selection process and the cooperative authentication process, a neighborhood list, a process queue and a buffer. The verifiers selection process is in charge of selecting verifiers and of neighborhood list and process queue maintenance. The cooperative authentication process controls message authentication and warning message sending. In other words, the verifiers selection process fills the process queue while the cooperative authentication process clears it up after verifications. The neighborhood list contains neighbor vehicles’ geographic information. Messages which will not be processed are stored in the buffer. When a vehicle receives a regular broadcast message (RBM), it extracts information of the location, speed, direction and acceleration of the sending vehicle and decides whether to verify the message or not according to geographic information. If a verifier finds an invalid RBM, it will broadcast one-hop warning information, which is termed as cooperative authentication messages (CAM), to inform others. A non-verifier resorts to the CAM broadcasted by other vehicles to authenticate RBM. In our protocol, each vehicle only needs to verify a very small amount of RBM.

Before discussing the details of the protocol, we would like to demonstrate two concepts. In the key distribution phase, it is designed that vehicles will report false messages to authorities when there is a dispute. The false message means that the content of the message is considered as wrong, but the sender’s signature can be verified. For example, a vehicle may claim a traffic jam somewhere; however in fact no traffic jam happens there. The other phrase we are to use in the cooperative message authentication is invalid message. An invalid message is a message that can not pass the group signature verification. In such a case, even authorities can not find the signer of an invalid message. For convenience, we denote the vehicle under consideration as tagged vehicle. Tagged vehicle is false msg updating vehicle

B. Verifiers Selection Process

The verifiers selection process starts when the tagged vehicle receives a message. If an RBM is received, the tagged vehicle updates the neighborhood list and calculates the receiver-sender distance (RSD) between itself and the sender at the sending time. After that, it tries to decide whether it is the verifier of the message by comparing its RSD with the RSD of its neighbors. If the tagged vehicle is the verifier, it will insert the RBM to the process queue on the condition that it can be processed within the verification period, such as 100ms¹. If the tagged vehicle is not the verifier or the verifier can not process the message in time, the received message will be put into the buffer. When a CAM is received and the corresponding RBM is found in the buffer, the tagged vehicle will change the message type of it from RBM to CRBM (CAM related RBM) as well as delete it from the buffer. Then the tagged vehicle will insert the CRBM to the process queue. A CAM without the corresponding RBM in the buffer will be dropped.

¹ The waiting time of a message can be estimated based on the number of messages in the process queue.

Verifiers are decided in a distributed manner by vehicles themselves according to their locations regarding to the sender. A cartesian coordinate is set up for each sender at the sending time and the location of the sender is its origin. Our verifier selection algorithm is expected to generate verifiers symmetrically and uniformly around a sender. In a 2M-verifier scenario, the closest vehicle to the sender at each side is a verifier. Then, we draw M-1 arcs to find other M-1 verifiers at each side. The first arc has radius of 280 meters from the sender (20m for margins) and radii of the rest M-2 arcs are evenly distributed between 280 meters and 0 at each side. Verifiers are vehicles closest to each arc with RSD less than the radius of each arc. For example, in a six-verifier scenario, as shown in Fig. 4, vehicles nearest to the sender and the furthest ones from the sender with distances less than 280m and 140m respectively are verifiers.

Our protocol ensures that each RBM will be verified by 2M vehicles on average. In practice, the number of verifiers may fluctuate around 2M due to randomness. Our scheme is equipped with an authentication mode switch mechanism to ensure that the CMAP is activated only when enough vehicles and thus verifiers exist; otherwise the message-by-message protocol is activated. Details about the authentication
mode switch mechanism is to be discussed later. Moreover, the random density variation in a small area could lead to unbalanced verifier distribution, where a vehicle might be a verifier for many senders according to the selection process and thus be overloaded. If this overloaded vehicle is the only verifier in an area for a sender, the overloading might lead to missed detection when the sender is malicious. To avoid such a zero-verifier situation, we set a policy that a verifier will process the RBMs from the closest sender with higher priority over other RBMs; such a policy is termed as the nearest-priority policy. This policy can guarantee that there is at least one verifier at each side of the sender (if vehicles exist) that will definitely do the verification.

Fig. 4. Illustration of verifiers selection. (Legend: sender, verifiers, non-verifiers; distance marks at 140m and 280m on each side of the sender.)

Verifiers should be as far as possible from each other. In Fig. 4, the border line of vehicle I’s interference range is between vehicle Q and N, shown by the dashed arc. If we choose vehicles Q, U and the left nearest V as verifiers instead of those three V vehicles at the left side of the sender, all vehicles at the left side will receive the message except these three verifiers when the sender and vehicle I send simultaneously. Then, no one will do the verification.

The number of verifiers should be neither too small nor too large. A smaller M indicates lower computation overhead; however, some non-verifiers may not be able to receive the CAM if an RBM is invalid. A larger M, in turn, means a higher computation overhead. The number of verifiers will be further discussed in Section VIII. For the illustration purpose, we ignore some trivial procedures in Fig. 3, such as dropping the CAM if there is no corresponding RBM in the buffer.

C. Cooperative Authentication Process

The cooperative authentication process verifies messages in the processing queue one by one. As shown in Fig. 3, if the message is valid, it will be accepted. If a CRBM is invalid, it will be dropped. An invalid RBM will be reported to others by the tagged vehicle. The CAM format is shown in Table II. In the CAM, there is no signature to guarantee the validity of the whole message. There are several reasons. 1) The vehicle will always check the validity of the RBM by itself after it receives a CAM. Hence, the signature of CAM only wastes computing ability of the OBU. 2) A smart attacker would not attach the valid signature to the CAM if it tries to cheat. Note that messages whose lifetime exceeds the verification period will be accepted if there is no CAM about them.

Missed detection means invalid RBM are considered as valid by receivers, which is caused by packet loss due to limited computation capacity of verifiers or the collisions in the wireless channel. Our protocol improves the performance by reducing the computation overhead of OBUs and the number of CAM that a vehicle needs to send. We will further discuss the performance in Section VIII.

D. Authentication Mode Switching

The CMAP is supposed to operate when the density of vehicles is high. In a low density scenario, message-by-message verification is always preferred for a higher level of security. Thus, in each message, one more bit, the authentication mode (A-Mode) flag bit, should be added. When the vehicles are under the coverage of an RSU, the RSU could be a controller to initiate the authentication mode switching. However, the vehicle-initiated approach is more flexible. Based on the location information carried by each regular broadcast message, a vehicle can easily estimate the density in the area covered by its communication range. When the estimated density is above a threshold, the vehicle can set the A-Mode flag to turn on the cooperative authentication mode in the group. It is worth noting that even after the cooperative authentication mode is turned on, a vehicle with enough processing capability can still choose to operate the message-by-message verification for its own purpose, which will not impact the whole system.

VI. SECURITY PERFORMANCE ANALYSIS

Vehicles may be attacked in both the key distribution phase and the regular broadcast phase. We discuss detailed attacks and give corresponding solutions to them in this section.

A. Key Distribution Phase

1) Appropriating the ID of other vehicles: In the accusation, the compromised RSU can launch this attack by replying other vehicle’s information to authorities when it requests the registration record for a certain G-private key. Then, the user of the G-private key can not be identified.

In the registration record, each vehicle has to sign its unique I-public key, hash value of G-private key and other information by using its own I-private key. Then, the vehicle’s I-public key and its assigned G-private keys are bound together. RSUs can not re-map vehicles’ unique I-public keys and G-private keys arbitrarily because RSUs do not have vehicles’ I-private keys.

2) Receiving key without acknowledgement: Both RSUs and vehicles can be malicious in this attack. In the key distribution procedure, RSUs have to get registration records, while vehicles need to obtain G-private keys. The one which is defined to send the information later could refuse to transmit after it gets secrets from the counterpart.

In our design, the RSU only sends the hash value of G-private key and the signature of the hash value, RSU’s I-public key and vehicle’s I-public key to the vehicle, as shown in Fig. 2, message 3. Then the vehicle has to submit a signature including its I-public key and the hash value of G-private key to the RSU as a part of registration record. The RSU will send the G-private key to the vehicle only after it receives this signature. We let RSUs transmit the critical information later because they are semi-trust which are more reliable. Moreover, an RSU has to get the registration record before it assigns the G-private key, so each group private key must have a corresponding registration record. It would be easy to detect
RSUs’ compromise if they cannot provide a legal record for a G-private key. Those vehicles which do not get the G-private key, in case the RSU is malicious, can join the next group.

3) Collusion Attacks: The compromised RSU and its accomplice vehicles will collude to attack. An RSU sends other vehicle’s G-private key to its accomplice. Then, the malicious vehicle can broadcast messages on behalf of others.

In the registration procedure, a vehicle sends a commitment to the RSU which is the encrypted vehicle’s I-private key and timestamp. Then, in every message that the vehicle broadcasts, the hash value of its I-private key should be included in it. If there is a dispute, authorities get vehicle’s information from RSUs. Then, they will calculate accuser’s and accused’s hash values by using vehicles’ I-private keys and timestamps. If values that authorities calculate are different from hash values in the accusation message, the attack can be detected. Both RSUs and malicious vehicles have no access to other vehicles’ I-private keys. So, we prevent RSUs and their accomplice from attacking. On the other hand, a malicious vehicle may fill a wrong hash value into a broadcast message to frame up a normal RSU. When authorities find the mismatch, they will consider the RSU as malicious.

Authorities can not decide which is the malicious one, the RSU or the vehicle or both, when they find a mismatch. But they can be sure that, at least, there is one malicious party. If authorities check the RSU physically and find that the RSU is working well, they can decide that the vehicle is a malicious one. As we discussed in the security model, RSUs are equipped with trusted platform modules. Only hardware attacks can compromise an RSU. Thus, it must be easy to check whether an RSU is compromised or not. Moreover, we assumed that attackers are rational. Malicious vehicles know that this attack will be detected by authorities, so they tend not to attack in this way.

B. Regular Broadcast Phase

1) Collusion and Sybil Attacks: If vehicles collude with each other, for example, verifiers are all accomplices of a sender, then all invalid messages that are sent by the sender will not be notified although the proportion of malicious vehicles may be not high. Or a malicious vehicle may launch a sybil attack by creating fictitious vehicles to act as its verifiers.

In our protocol, A-Mode is only implemented when the density of vehicles reaches a bottom line. Vehicles travel on the road with high velocities, so it is not easy for accomplice vehicles to get all verifiers’ positions at the same time. As we discussed in the security model, attackers are minority. Hereby, it is more difficult to launch the attack when the number of verifiers increases. Another way to defend collusion attack is choosing verifiers from the other side of the road. It would be difficult for an adversary to have colluding vehicles on both directions [29]. Due to limitation of the space, we leave details of collusion attack defence as the future work. For sybil attack, some techniques can be employed to defend it. For instance, signal strength detection [30] in the physical layer can identify the real location of the sender. Rangefinders [31] which cost about 100 EURO is another way to locate vehicles.

2) Selfish Behaviors: Selfish behavior is inherent in the cooperative networks. In the regular broadcast procedure, some nodes may not verify any messages. They only wait for reports from others. Or some nodes verify messages, but they never report invalid messages to others. As we discussed in the security model, the VANETs are civilian networks in which the overwhelming majority of users are honest. Therefore, the proportion of selfish vehicles should be very small. The performance that is influenced by selfish vehicles can be illustrated by varying the number of verifiers.

VII. MAC-LAYER PERFORMANCE ANALYSIS

In this section, we develop an analytical model for MAC-layer performance analysis of the CMAP. We consider 802.11 based VANETs, where the broadcast from each vehicle is controlled with a distributed coordination function (DCF). It is assumed that the vehicles are uniformly distributed along the road, and thus the number of vehicles in an area has a Poisson distribution [28]. Given the fixed road width, the density of vehicles along the road, denoted as $\beta$, is represented as “vehicles per kilometer” along the length direction². We assume that all vehicles have the same communication range $R$, and the carrier sensing range equals the communication range. For mathematical tractability, the hidden-terminal effect is ignored. Our simulation results presented in Section VIII will show that the analysis inaccuracy due to the hidden-terminal effect is small, because the cooperative authentication scheme can effectively reduce the traffic load generated by each vehicle.

² The area covered by the transmission of a vehicle can be well approximated by a rectangle if the road width is much smaller than the transmission range.

A. Backoff Process in Broadcast

In the DCF based broadcast, each vehicle senses the channel first before transmission. Upon sensing an idle channel, the channel access is controlled by a backoff procedure. In each backoff period, the backoff counter is initialized with a value randomly selected within a contention window $W$. The backoff counter reduces by 1 each slot when the channel is idle and freezes when the channel is busy. Transmission in an idle slot is allowed when the backoff counter reaches zero. There is no acknowledgement and retransmission in the broadcasting mode, and the backoff window size $W$ remains constant in each transmission period.

The backoff process can be described by a discrete-time Markov chain, with the state of the chain defined as the backoff counter value [19]. Using $k$ to denote a possible backoff counter value, the one-step transition probabilities of the Markov chain can be expressed as

$$\begin{cases} P_{k+1,k} = 1, & k \in [0, W-2]; \\ P_{0,k} = 1/W, & k \in [0, W-1]. \end{cases} \tag{1}$$

Let $\pi_k$ $(k \in [0, W-1])$ denote the steady-state probabilities of the Markov chain; it can be computed that $\pi_0 = \frac{2}{W+1}$ [19]. Let $\tau$ denote the channel access probability in an idle slot. We have $\tau = \pi_0$.

B. MAC-layer Channel Behavior

We are interested in the MAC-layer channel behavior observed by a tagged vehicle. Let $p_i$, $p_s$, and $p_c$ denote the probabilities that the tagged vehicle observes an idle channel, a successful transmission (from other vehicles), and a collision, respectively. Each vehicle can be modeled as a G/G/1 queue. Let $p_0$ denote the probability that the queue is empty; the probability that a vehicle accesses the channel in an idle slot can then be expressed as $(1 - p_0)\tau$.

Let $n$ $(= 2\beta R)$ denote the average number of vehicles within the transmission range (equivalently the sensing range according to our assumption) of the tagged vehicle. We can have the channel idling probability regarding the tagged vehicle

$$p_i = \frac{\sum_{i=1}^{\infty} [1 - (1 - p_0)\tau]^{i-1} \frac{n^i e^{-n}}{i!}}{1 - e^{-n}} = \frac{e^{-n(1-p_0)\tau} - e^{-n}}{[1 - (1 - p_0)\tau](1 - e^{-n})}. \tag{2}$$

where all the other vehicles within the sensing range do not transmit. Note that the normalization factor $(1 - e^{-n})$ indicates the condition that at least one vehicle (the tagged vehicle) exists in an area. The probability $p_s$ can be obtained when only one vehicle other than the tagged one transmits, thus,

$$p_s = \frac{\sum_{i=2}^{\infty} (i-1)(1-p_0)\tau\,[1 - (1 - p_0)\tau]^{i-2} \frac{n^i e^{-n}}{i!}}{1 - e^{-n}} = \frac{n(1-p_0)\tau \left[e^{-n(1-p_0)\tau} - e^{-n}\right]}{[1 - (1 - p_0)\tau](1 - e^{-n})} - \frac{(1-p_0)\tau \left[e^{-n(1-p_0)\tau} - e^{-n} - (1 - (1 - p_0)\tau)\,n e^{-n}\right]}{[1 - (1 - p_0)\tau]^2 (1 - e^{-n})}. \tag{3}$$

Then, the probability of observing a collision

$$p_c = 1 - p_i - p_s. \tag{4}$$

Note that when the tagged vehicle has a packet to send in an idle slot, it is not difficult to see that the packet delivery ratio (PDR) equals the value $p_i$, i.e.,

$$PDR = p_i = \frac{e^{-n(1-p_0)\tau} - e^{-n}}{[1 - (1 - p_0)\tau](1 - e^{-n})}. \tag{5}$$

C. Average Packet Service Time

The average packet service time is defined as the average time period from the instant that a packet becomes the head of the queue and starts to contend for transmission to the instant when the packet is transmitted. We resort to the probability generating function (PGF) technique to derive the average packet service time.

With the CMAP, there are two types of packets, one carrying an RBM message and the other carrying a CAM message. Let $\lambda$ denote the average rate of generating RBM messages in a vehicle. Use $p_{mal}$ to denote the probability that an RBM is generated by a malicious vehicle, and let $V$ denote the average number of verifiers for each RBM. The total average rate of generating CAM messages for verifying the RBM messages in a carrier sensing area is $V n p_{mal} \lambda\, PDR$. Thus, the proportion of RBM packets over the aggregate traffic is

$$p_{RBM} = \frac{1}{1 + V p_{mal}\, PDR}. \tag{6}$$

which is also the probability that a given packet in transmission is an RBM packet.

Let $L_H$ denote the packet header size including both the physical layer and MAC layer header; $L_{RBM}$ and $L_{CAM}$ denote the average length of an RBM and a CAM message, respectively; $\delta$ denote the propagation delay; $DIFS$ denote the DCF interframe space; and $C$ denote the wireless channel capacity. Using $T_{RBM}$ and $T_{CAM}$ to denote the average transmission time of an RBM and a CAM packet, respectively, we have

$$T_{RBM} = \frac{L_H + L_{RBM}}{C} + DIFS + \delta. \tag{7}$$

$$T_{CAM} = \frac{L_H + L_{CAM}}{C} + DIFS + \delta. \tag{8}$$

We use $T_c$ to denote the average duration of a collision, and approximately set $T_c = T_{RBM}$ considering that the probability that collision happens just among CAM messages is small. If we represent the transmission/collision time in terms of number of slots, the PGF of packet transmission time can be expressed as

$$S(z) = p_{RBM}\, z^{\lceil T_{RBM}/\sigma \rceil} + (1 - p_{RBM})\, z^{\lceil T_{CAM}/\sigma \rceil} \tag{9}$$

where $\sigma$ denotes the length of a physical slot.

For a vehicle operating under the CMAP, it is not difficult to see that the PGF of the backoff counter transition time (by which the backoff counter decreases one slot) can be expressed as

$$H_d(z) = p_i z + p_s p_{RBM}\, z^{\lceil (T_{RBM}+\sigma)/\sigma \rceil} + p_s (1 - p_{RBM})\, z^{\lceil (T_{CAM}+\sigma)/\sigma \rceil} + p_c\, z^{\lceil (T_c+\sigma)/\sigma \rceil}. \tag{10}$$

Furthermore, according to the state transition diagram of the backoff counter [19], the PGF of the average packet service time can be expressed as

$$Q(z) = \frac{S(z)}{W} \sum_{i=0}^{W-1} H_d^{\,i}(z). \tag{11}$$

Let $\mu$ denote the average service rate in terms of “packets per slot”; based on the PGF $Q(z)$, the average service time can be computed as

$$\frac{1}{\mu} = Q'(z)\,\big|_{z=1}. \tag{12}$$

In order to derive the average service time, $p_0$ should be determined. We define $p_0$ as

$$p_0 = 1 - \frac{\lambda}{\mu}. \tag{13}$$

We can now solve the MAC-layer performance based on the equations we have obtained. Given the traffic load $\lambda$ and configurations of the VANETs, the results in (2) to (10) can be incorporated with (12) to obtain one equation around parameters $p_0$ and $\mu$. Such an equation can then be jointly solved with equation (13) to obtain the values of $p_0$ and $\mu$.
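The fixed point of (2) to (13) can be solved numerically. The Python code below is an added example, not the authors' code: it checks π0 = 2/(W+1) and the closed forms (2) and (3) against their defining sums, then iterates the model with the Table III parameters. It assumes that the Table II field sizes are bytes, that the propagation delay is 1 us and that each vehicle generates one RBM every 300 ms, none of which is stated on this page.

```python
import math

# Table III values from the page; all times in microseconds.
SIGMA, DIFS, PREAMBLE, PLCP = 16.0, 64.0, 40.0, 8.0
MAC_HDR_BYTES, RATE_MBPS, W = 28, 6.0, 16
R_KM, P_MAL = 0.3, 0.06  # 300 m range and six percent malicious vehicles (page)
# Assumptions, not stated on the page: Table II sizes are bytes (RBM 320, CAM 28),
# propagation delay is 1 us, and each vehicle generates one RBM every 300 ms.
L_RBM, L_CAM, DELTA, RBM_PERIOD_US = 320, 28, 1.0, 300_000.0


def stationary_pi0(w, steps=1000):
    """Iterate the backoff chain of Eq. (1) and return the steady-state pi_0."""
    pi = [1.0 / w] * w
    for _ in range(steps):
        # state k is entered from k+1 (countdown) or from 0 (new backoff draw)
        pi = [(pi[k + 1] if k + 1 < w else 0.0) + pi[0] / w for k in range(w)]
    return pi[0]


def channel_probs(n, a):
    """Closed forms (2)-(4); a = (1 - p0) * tau is the per-slot access probability."""
    q, en, ena = 1.0 - a, math.exp(-n), math.exp(-n * a)
    norm = 1.0 - en
    p_idle = (ena - en) / (q * norm)
    p_succ = (n * a * (ena - en) / q - a * (ena - en - q * n * en) / q ** 2) / norm
    return p_idle, p_succ, 1.0 - p_idle - p_succ


def channel_probs_series(n, a, terms=600):
    """The same idle/success probabilities from the Poisson sums that define them."""
    q, pmf, s_idle, s_succ = 1.0 - a, math.exp(-n), 0.0, 0.0
    for i in range(1, terms):
        pmf *= n / i                      # Poisson term n^i e^-n / i!
        s_idle += q ** (i - 1) * pmf
        if i >= 2:
            s_succ += (i - 1) * a * q ** (i - 2) * pmf
    norm = 1.0 - math.exp(-n)
    return s_idle / norm, s_succ / norm


def tx_time(payload_bytes):
    """Eqs. (7)/(8): header and payload airtime plus DIFS and propagation delay."""
    bits = (MAC_HDR_BYTES + payload_bytes) * 8
    return PREAMBLE + PLCP + bits / RATE_MBPS + DIFS + DELTA


def slots(t_us):
    return math.ceil(t_us / SIGMA)


def solve_mac(beta_per_km, verifiers=8, iters=500):
    """Fixed point of (2)-(13): returns (p0, mean service time in slots, PDR)."""
    n, tau = 2 * beta_per_km * R_KM, 2.0 / (W + 1)
    lam = SIGMA / RBM_PERIOD_US           # RBMs per slot per vehicle
    t_rbm, t_cam = tx_time(L_RBM), tx_time(L_CAM)
    p0 = 1.0
    for _ in range(iters):
        p_idle, p_succ, p_coll = channel_probs(n, (1 - p0) * tau)
        p_rbm = 1.0 / (1.0 + verifiers * P_MAL * p_idle)        # Eq. (6), PDR = p_i
        s1 = p_rbm * slots(t_rbm) + (1 - p_rbm) * slots(t_cam)  # S'(1) from Eq. (9)
        busy = p_rbm * slots(t_rbm + SIGMA) + (1 - p_rbm) * slots(t_cam + SIGMA)
        h1 = p_idle + p_succ * busy + p_coll * slots(t_rbm + SIGMA)  # Hd'(1), Tc = T_RBM
        service = s1 + h1 * (W - 1) / 2.0  # Q'(1) from Eq. (11), using Hd(1) = 1
        new_p0 = min(1.0, max(0.0, 1.0 - lam * service))        # Eq. (13)
        if abs(new_p0 - p0) < 1e-13:
            break
        p0 = 0.5 * (p0 + new_p0)           # damping keeps the iteration stable
    return p0, service, p_idle


if __name__ == "__main__":
    for beta in (50, 75, 100, 125, 150, 175):
        p0, service, pdr = solve_mac(beta)
        print(f"beta={beta:3d}/km  p0={p0:.5f}  service={service:.2f} slots  PDR={pdr:.4f}")
```

The absolute PDR values depend on the assumed message rate and sizes, so they are not expected to reproduce the curves of Fig. 8.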
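Returning to the cooperative message authentication protocol of Section V: the verifier selection rule (nearest vehicle plus M-1 arcs on each side of the sender) and the queue and buffer handling of Fig. 3 can be written as below. This is an added Python example, not the authors' implementation; the `Neighbor` and `TaggedVehicle` names, the 11 ms cost of one group signature verification and the sample vehicle positions are assumptions made for illustration.

```python
import heapq
import math
from dataclasses import dataclass

FIRST_ARC_M = 280.0  # page: first arc 280 m from the sender (20 m margin)


@dataclass(frozen=True)
class Neighbor:
    vid: str
    x: float        # metres along the road, sender at the origin (sign = side)
    y: float = 0.0  # lateral offset in metres


def rsd(v):
    """Receiver-sender distance at the sending time."""
    return math.hypot(v.x, v.y)


def arc_radii(m):
    """M-1 arcs per side: 280 m first, the rest evenly spaced down towards 0."""
    return [FIRST_ARC_M * (m - 1 - j) / (m - 1) for j in range(m - 1)]


def select_verifiers(neighborhood, m):
    """Ids of the (up to 2M) verifiers of one RBM, as every vehicle computes them."""
    chosen = set()
    for side in (-1, 1):
        on_side = sorted((v for v in neighborhood if v.x * side > 0), key=rsd)
        if not on_side:
            continue
        chosen.add(on_side[0].vid)              # closest vehicle on this side
        for radius in arc_radii(m):
            inside = [v for v in on_side if rsd(v) < radius]
            if inside:
                chosen.add(inside[-1].vid)      # closest to the arc with RSD < radius
    return chosen


class TaggedVehicle:
    """Verifiers selection process of Fig. 3 for one receiving vehicle."""

    def __init__(self, vid, m=3, verify_ms=11.0, period_ms=100.0):
        self.vid, self.m = vid, m
        self.verify_ms = verify_ms  # assumed cost of one group signature check
        self.period_ms = period_ms  # verification period, 100 ms on the page
        self.queue = []             # heap of (sender distance, msg id, type)
        self.buffer = {}            # msg id -> sender distance

    def on_rbm(self, msg_id, neighborhood):
        """neighborhood: positions relative to the sender, this vehicle included."""
        me = next(v for v in neighborhood if v.vid == self.vid)
        # footnote 1: waiting time estimated from the number of queued messages
        wait_ms = (len(self.queue) + 1) * self.verify_ms
        is_verifier = self.vid in select_verifiers(neighborhood, self.m)
        if is_verifier and wait_ms <= self.period_ms:
            # nearest-priority policy: RBMs from closer senders are verified first
            heapq.heappush(self.queue, (rsd(me), msg_id, "RBM"))
            return "queued"
        self.buffer[msg_id] = rsd(me)
        return "buffered"

    def on_cam(self, msg_id):
        """A CAM retypes the buffered RBM to CRBM; without a match it is dropped."""
        if msg_id not in self.buffer:
            return "dropped"
        heapq.heappush(self.queue, (self.buffer.pop(msg_id), msg_id, "CRBM"))
        return "queued"


def sample_road():
    """Constructed sample: twelve vehicles on one road around a sender at x = 0."""
    xs = [-295, -270, -200, -130, -90, -30, 20, 60, 135, 150, 260, 285]
    return [Neighbor(f"v{x:+d}", float(x)) for x in xs]


if __name__ == "__main__":
    print(sorted(select_verifiers(sample_road(), 3)))
```

With M = 3 the sample reproduces the six-verifier case of Fig. 4: on each side the nearest vehicle and the vehicles just inside the 280 m and 140 m arcs verify, and everyone else waits for a CAM.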

TABLE III
PHYSICAL AND MAC LAYER PARAMETERS [19]

Parameter               Value
Preamble length         40 us
PLCP header length      8 us
Slot time σ             16 us
SIFS                    32 us
DIFS                    64 us
MAC header size         28 bytes
Wireless channel rate   6 Mbps
Contention window W     16

VIII. SIMULATION RESULTS

In this section, we use NS2 [32] simulations to examine the performance of the proposed key distribution framework and cooperative authentication protocol. We mainly consider a highway scenario with three lanes in each direction as shown in Fig. 11. Vehicles are placed uniformly on the road and travel at speed of 30 ± 5m/s (roughly equivalent to the range of 56 ∼ 80 miles/hour). The highway setting gives us the convenience to evaluate the lower bound of the performance, by deploying vehicles with higher speeds and higher densities to push RSUs into a high-load situation. We also simulate a typical city road scenario according to the settings in [20], where the key distribution performance is indeed much better than that under a high-load highway situation. The physical and MAC layer parameters of the 802.11 broadcast protocol used in our simulations are listed in Table III.

A. Key Distribution Performance

In the key distribution phase, it is preferred that vehicles could get their G-private keys promptly for a short service start time. Each RSU broadcasts its own public key, the associated certificate, the G-Public keys of itself and its neighbors periodically in the control channel. When an approaching vehicle receives the broadcast message, it then starts a TCP connection with the corresponding RSU to get its G-private key. RSU broadcasting and key distribution TCP connections share the same control channel. To evaluate the delay performance, we configure the computation overhead for signing, verification, encryption and decryption as that used in [33], assuming a 3GHz Pentium IV CPU.

1) Highway Scenario. Our simulation results show that most of the vehicles get their G-private keys very soon after they start the TCP connection, while some vehicles experience a delay of three or more seconds. Some other vehicles are not able to get the G-keys. The extra delay is due to the collision and the associated TCP timeout. The number of vehicles that will simultaneously start key-request TCP connections, after they hear the RSU broadcasting, is the product of vehicles density, average speed and RSUs’ broadcast interval. Hence, we try to avoid collision by adjusting RSUs’ broadcast interval.

For the TCP protocol, the initial round-trip time (RTT) (used as the initial timeout value) is defined as three seconds according to the RFC 2988 [34]. Thus, all the vehicles involved in the collision will experience a delay of at least three seconds. A higher delay is due to further collisions in the retransmissions. We define those vehicles which get G-keys in more than three seconds as singularity vehicles. The proportion of singularity vehicles against broadcast intervals at the density of 225 vehicles per kilometer is shown in Fig. 5(a). The proportion of singularity vehicles having more than 9 seconds is much less for the intervals of 0.4 second and 0.8 second than other cases. The explanation is that the TCP retransmissions in these two cases deviate from the RSU broadcast epochs for further collisions, whereas the retransmission (based on the timeout value of 3 seconds) will collide with future broadcast epochs, if the broadcast interval is 0.2, 0.6, or 1.0 second. Hence, we set the RSU broadcast interval as 0.4 second in our implementation.

In order to reduce the collisions due to the simultaneous key request, we introduce a random initiation scheme. After a vehicle receives the RSU broadcast message, instead of starting key request immediately, it will send the request after a random initiation delay. We use $W_I$ to denote the maximum initiation delay, and each vehicle randomly picks its initiation delay from $(0, W_I)$. The proportion of singularity vehicles against the maximum initiation delay in the highway scenario is shown in Fig. 5(b). From the figure, we can see that when $W_I$ = 20 ms, only two percent of vehicles fail in the first key request and incur retransmissions. In this scenario, our simulations further show that all vehicles have a key distribution delay less than four seconds, giving a satisfying service start time.

2) City Road Scenario. To show that the high-load highway scenario indeed gives a lower bound of the performance, we also simulate a typical city road scenario as shown in Fig. 6(a). We follow the configurations used in [20] with a density of 150 vehicles per square kilometers and travel speeds in the range of 15 ± 5m/s (roughly equivalent to the range of 22.5 ∼ 45 miles/hour). When a vehicle reaches an intersection, it will randomly choose to turn left, turn right or go forward. A vehicle hitting the boundary will be bounced back into the map to maintain a steady density of vehicles in the map. It is not difficult to check that, in the city road scenario, the average number of vehicles in the area covered by an RSU is much less than that in the highway scenario considered in Fig. 5. Comparing the results in Fig. 6(b) to those in Fig. 5(a), we can see the proportion of singularity vehicles is much smaller in the city road scenario.

B. Cooperative Authentication Performance

In this part, we evaluate the performance in the regular broadcast phase by simulating packet delivery ratio, computation and communication overheads and missed detection ratio. We also compare both the theoretical and simulation results under our protocol with those under the protocol in [13]. Since the cooperative authentication protocol is of particular importance in the high-load scenario, we thus only focus on the highway scenario in this part. We assume six percent of the vehicles are malicious in our simulations. Malicious vehicles always send invalid RBM, and they never send CAM to help others. The missed detection ratio is defined as the percentage

[Figure 5, two panels. Vertical axis: proportion of singularity vehicles (%). (a) Horizontal axis: RSU broadcast interval (s), 0.2 to 1.0. (b) Horizontal axis: maximum initiation delay (ms), 0 to 20. Legend entries: get keys between 3s and 9s; get keys in more than 9s; can not get keys.]

Fig. 5. Key distribution performance in the highway scenario. (a) Performance versus the RSU broadcast intervals. (b) Performance versus the initiation delay.

[Figure 6, two panels. (a) Road map with 500m and 1000m dimensions. (b) Vertical axis: proportion of singularity vehicles (%); horizontal axis: RSU broadcast interval (s), 0.2 to 1.0. Legend entries: get keys between 3s and 9s; get keys in more than 9s.]

Fig. 6. Key distribution performance in the city road scenario. (a) Road map. (b) Performance versus the RSU broadcast intervals.

of invalid RBM that are considered as valid by a receiver. The missed detection ratio is computed based on well behaved vehicles in our simulation. Considering that the performance of the highway scenario is more severe than that of the local scenario, we focus on highway scenario in this part and leave the local scenario case to the future work.

1) Number of Verifiers: As discussed in Section V, the number of verifiers is a tradeoff between missed detection ratio and computation overhead of OBUs. The missed detection ratios versus different number of verifiers are shown in Fig. 7. It can be seen the performance under 8 verifiers is obviously better than that under 6 ones. Nevertheless, the number of verifiers could not be too large. If the number is large enough to ensure a good CAM for an RBM, the extra number of verifiers will lead to negative impact by incurring unnecessary communication and computation overhead. Our simulation results suggest that 8 verifiers can achieve a good tradeoff.

We would like to emphasize that our nearest-priority policy in cooperative authentication guarantees that every sender has at least one verifier at each side to do the verification. Thus, the missed detection is mainly due to packet losses caused by MAC layer collisions. To demonstrate the impact of MAC collisions, we also evaluate the scenario that vehicles may take different average speeds, and the missed detection ratio in such a scenario is presented in Fig. 7 too. While the heterogeneous average speeds tend to result in an uneven distribution of vehicles and a higher probability of overloaded verifiers, the missed detection ratio in this situation is in fact smaller. The reason is that the speed difference will stretch the area of vehicle distributions, and equivalently reduce the density of vehicles and the frequency of broadcast messages in an area. The reduced traffic load will then result in fewer MAC collisions and thus smaller missed detection ratio.

2) Packet Delivery Ratio: The packet delivery ratio is defined as the proportion of transmissions that can be successfully received. The PDR is a critical performance measure affecting both the network utilization and security performance. A low PDR (or a high packet loss ratio due to collision) means a low bandwidth utilization, and the loss of CAM tends to result in missed detection. In [13], the authors present a probabilistic verification protocol, in which a vehicle receiving an RBM decides to be a verifier with a probability. However, in order to guarantee that there are verifiers selected at both sides of the sender, on average 25 verifiers should be randomly

[Figure 7. Vertical axis: missed detection ratio (%); horizontal axis: vehicle density (No. of vehicles per kilometer), 50 to 175. Legend entries: 6 verifiers with fixed average speed; 6 verifiers with heterogeneous average speeds; 8 verifiers with fixed average speed; 8 verifiers with heterogeneous average speeds.]

Fig. 7. Missed detection ratio versus the number of verifiers.

[Figure 8. Vertical axis: packet delivery ratio (%); horizontal axis: vehicle density (No. of vehicles per kilometer), 50 to 175. Legend entries: theoretical value of CMAP (V = 8); simulation result of CMAP (V = 8); theoretical value of probabilistic verification (V = 25); simulation result of probabilistic verification (V = 25).]

Fig. 8. Packet delivery ratio versus the density of vehicles.

[Figure 9. Vertical axis: proportion of authentication messages (%); horizontal axis: vehicle density (No. of vehicles per kilometer), 50 to 175. Legend entries: probabilistic verification (V = 25); CMAP (V = 8).]

Fig. 9. Communication overhead due to cooperative authentication messages.

[Figure 10. Vertical axis: missed detection ratio (%); horizontal axis: vehicle density (No. of vehicles per kilometer), 50 to 175. Legend entries: CMAP (V = 8); probabilistic verification (V = 25); probabilistic verification (V = 8).]

Fig. 10. Missed detection ratio versus the density of vehicles.

incurred for each RBM according to the protocol. Another difference between our CMAP and the protocol in [13] is that CMAP allows a much shorter CAM.

We show the theoretical values and simulation results of PDR for CMAP and the probabilistic verification protocol in Fig. 8. The theoretical PDR is computed by (5). We can see that the theoretical values are close to the simulation results in both scenarios. Note that the MAC-layer analytical model developed in Section VII can also be applied to the probabilistic verification protocol with good accuracy. The theoretical values are nevertheless slightly higher than the simulation results; this is because the analysis is optimistic in ignoring the hidden-terminal effect, which results in a higher PDR. The PDR under CMAP is higher than that under the protocol in [13]; this is because the smaller number of verifiers and the shorter CAM in CMAP give a smaller traffic load, which results in a smaller collision probability and a higher PDR. The higher PDR under CMAP will lead to better network utilization and security performance.

3) Communication Overhead: The communication overhead of CMAP is explicitly compared with the probabilistic verification protocol in Fig. 9, which shows the proportion of cooperative authentication messages over the total traffic, considered as communication overhead. For comparison purposes, we normalize the communication overhead under CMAP against that under the probabilistic protocol. It is clearly shown that CMAP has a communication overhead less than 40% of that under the probabilistic protocol.

4) Missed Detection Ratio and Computation Overhead: Fig. 10 compares CMAP with the probabilistic verification protocol in terms of missed detection ratio. We can see that with the same number of verifiers, V = 8, the performance of the probabilistic verification protocol deteriorates significantly, because V = 8 cannot ensure with high probability that verifiers exist on both sides of a sender. The good performance of CMAP is because the pattern of selecting verifiers is fixed according to position information.

Another interesting observation is that in the cases of high density, the performance of CMAP is still better than the probabilistic protocol even when it uses 25 verifiers. The reason is the hidden-terminal effect, as shown in Fig. 11. In the scenario, the hidden terminals at both sides of a sender
will result in most of the vehicles around the sender not receiving the broadcast message. Only a small number of vehicles close to the sender may receive the message, but the small number of survivors may not generate any verifiers according to the pre-configured verifier selection probability. Nevertheless, CMAP always requires the two vehicles on both sides of and closest to the sender to be verifiers; thus in the scenario shown in Fig. 11, CMAP still performs well while the probabilistic protocol leads to missed detection.

Fig. 11. Impact of hidden-terminals on cooperative authentication. [Diagram: a sender and hidden terminals (H) on X and Y axes, with distances of 300 m and 600 m marked.]

We also evaluate the computation overhead through simulations, based on the configuration suggested in [12]. We define the CPU usage as the average proportion of the time that vehicles spend on verification. Our simulation results show that the CPU usage under CMAP never reaches 50% while that under probabilistic verification is always more than 90%. Since the number of verifiers directly determines the computation overhead, Fig. 10 also implies that if CMAP uses the same CPU resource (i.e., the same number of verifiers) as that used by the probabilistic verification protocol, CMAP achieves much better performance in missed detection ratio.

IX. CONCLUSIONS

In this paper, we propose a novel distributed key management scheme based on the short group signature to provision privacy in VANETs. The distributed key management is further enhanced with a cooperative message authentication protocol to alleviate the heavy computation overhead. We investigate the challenging issue that semi-trust RSUs may be compromised, and compromised RSUs may even collude with malicious vehicles. We design a security protocol to prevent compromised RSUs and malicious vehicles from attacking. Our design guarantees that RSUs distribute keys fairly and provides some mechanisms to detect compromised RSUs and malicious vehicles. Moreover, by a cooperative message authentication protocol, a vehicle only needs to verify a small number of messages, and the computation burden of vehicles is reduced greatly. We give a detailed analysis of possible security attacks and the corresponding defence, as well as develop a MAC layer analytical model. Extensive NS2 simulations are also presented to evaluate the performance of the proposed techniques.

REFERENCES

[1] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,” Journal of Computer Security, vol. 15, no. 1, pp. 39-68, 2007.
[2] R. Lu, X. Lin and X. Shen, “SPRING: A social-based privacy-preserving packet forwarding protocol for vehicular delay tolerant networks,” in Proc. IEEE INFOCOM, San Diego, California, 2010.
[3] J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos and J.-P. Hubaux, “Mix zones for location privacy in vehicular networks,” in Proc. International Workshop on Wireless Networking for Intelligent Transportation Systems, Vancouver, British Columbia, Aug. 2007.
[4] L. Huang, K. Matsuura, H. Yamane, and K. Sezaki, “Enhancing wireless location privacy using silent period,” in Proc. IEEE WCNC, pp. 1187-1192, 2005.
[5] K. Sampigethaya, L. Huang, M. Li, R. Poovendran, K. Matsuura and K. Sezaki, “AMOEBA: Robust location privacy scheme for VANET,” IEEE J. Sel. Areas Commun., vol. 25, no. 8, pp. 1569-1589, 2007.
[6] D. Chaum and E. van Heyst, “Group signatures,” in Proc. Advances in Cryptology - Eurocrypt, vol. 547, pp. 257-265, 1991.
[7] J. Guo, J.-P. Baugh and S. Wang, “A group signature based secure and privacy-preserving vehicular communication framework,” in Proc. IEEE INFOCOM, Anchorage, Alaska, May 2007.
[8] X. Lin, X. Sun, P.-H. Ho and X. Shen, “GSIS: a secure and privacy preserving protocol for vehicular communications,” IEEE Trans. Veh. Technol., vol. 56, no. 6, pp. 3442-3456, 2007.
[9] G. Calandriello, P. Papadimitratos, A. Lioy, and J.-P. Hubaux, “Efficient and robust pseudonymous authentication in VANET,” in Proc. ACM Mobicom, pp. 19-28, QC, Canada, Sept. 2007.
[10] IBM 4764 PCI-X Cryptographic Coprocessor. http://www-03.ibm.com/security/cryptocards/pcixcc/order4764.shtml.
[11] N. Banerjee, M.D. Corner, D. Towsley and B.N. Levine, “Relays, base station and meshes: enhancing mobile networks with infrastructure,” in Proc. ACM Mobicom, San Francisco, California, Sep. 2008.
[12] X. Sun, “Anonymous, secure and efficient vehicular communications,” Master Thesis, University of Waterloo, 2007.
[13] C. Zhang, X. Lin, R. Lu, P.-H. Ho and X. Shen, “An efficient message authentication scheme for vehicular communications,” IEEE Trans. Veh. Technol., vol. 57, no. 6, pp. 3357-3368, 2008.
[14] C. Zhang, X. Lin, R. Lu and P.-H. Ho, “RAISE: an efficient RSU-aided message authentication scheme in vehicular communication networks,” in Proc. IEEE ICC, Beijing, China, May 19-23, 2008.
[15] X. Lin, C. Zhang, X. Sun, P.-H. Ho and X. Shen, “Performance enhancement for secure vehicular communications,” in Proc. IEEE Global Telecommunications Conference, pp. 480-485, Washington DC, Nov. 2007.
[16] A. Wasef and X. Shen, “ASIC: aggregate signatures and certificates verification scheme for vehicular networks,” in Proc. IEEE Globecom, Honolulu, Hawaii, USA, Nov. 30 - Dec. 4, 2009.
[17] A. Studer, E. Shi, F. Bai and A. Perrig, “TACKing together efficient authentication revocation, and privacy in VANETs,” in Proc. IEEE SECON, 2009.
[18] D. Jiang and L. Delgrossi, “IEEE 802.11p: towards an international standard for wireless access in vehicular environments,” in Proc. IEEE VTC, May 2008.
[19] X. Ma, X. Chen and H. Refai, “Unsaturated performance of IEEE 802.11 broadcast service in vehicle-to-vehicle networks,” in Proc. IEEE VTC, Oct. 2007.
[20] G. Marfia, G. Pau, E. De Sena, E. Giordano and M. Gerla, “Evaluating vehicle network strategies for downtown Portland: opportunistic infrastructure and the importance of realistic mobility models,” in International MobiSys Workshop on Mobile Opportunistic Networking, San Juan, 2007.
[21] P. Enge, “Retooling the global positioning system,” Scientific American, May 2004.
[22] M. Raya and J.-P. Hubaux, “The security of vehicular ad hoc networks,” Workshop on Security in Ad hoc and Sensor Networks, 2005.
[23] P. Golle, D. Greene and J. Staddon, “Detecting and correcting malicious data in VANETs,” in Proc. ACM VANET, Philadelphia, 2004.
[24] M. Raya, P. Papadimitratos, V.-D. Gligor and J.-P. Hubaux, “On data-centric trust establishment in ephemeral ad hoc networks,” in Proc. IEEE INFOCOM, pp. 1238-1246, Apr. 2008.
[25] D. Boneh, X. Boyen and H. Shacham, “Short group signatures,” in Proc. Advances in Cryptology - Crypto '04, ser. LNCS, vol. 3152, Springer-Verlag, pp. 41-55, 2004.
[26] X. Sun, X. Lin and P.-H. Ho, “Secure vehicular communications based on group signature and ID-based signature scheme,” in Proc. IEEE ICC, Scotland, Jun. 2007.
[27] Y. Hao, Y. Cheng and K. Ren, “Distributed key management with protection against RSU compromise in group signature based VANETs,” in Proc. IEEE Globecom, New Orleans, Nov. 2008.
[28] N. Wisitpongphan, F. Bai, P. Mudalige, V. Sadekar and O. Tonguz, “Routing in sparse vehicular ad hoc wireless networks,” IEEE J. Sel. Areas Commun., vol. 25, no. 8, pp. 1538-1556, 2007.
[29] S. Park and C.C. Zou, “Reliable traffic information propagation in vehicular ad-hoc networks,” IEEE Sarnoff Symposium, Apr. 2008.

[30] B. Xiao, B. Yu and C. Gao, “Detection and localization of sybil nodes in VANETs,” in Proc. ACM/SIGMOBILE Workshop on Dependability Issues in Wireless Ad Hoc Networks and Sensor Networks, 2006.
[31] K. Ibrahim, M. C. Weigle and G. Yan, “Light-weight laser-aided position verification for CASCADE,” in Proc. International Conference on WAVE, Dearborn, MI, Dec. 2008.
[32] The network simulator-NS2, http://www.isi.edu/nsnam/ns/tutorial/index.html/.
[33] Shamus Software. MIRACL library, http://www.shamus.ie/index.php?page=Elliptic-Curve-point-multiplication.
[34] V. Paxson and M. Allman, “Computing TCP’s Retransmission Timer,” IETF RFC 2988.

Yong Hao (S’10) received the B.E. and M.E. degrees in Electrical Engineering from Huazhong University of Science and Technology, Wuhan, Hubei, China, in 2003 and 2007 respectively. He is currently pursuing the Ph.D. degree in the Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, IL, U.S.A. His current research interests include wireless network security and vehicular ad hoc networks.

Yu Cheng (S’01-M’04-SM’09) received the B.E. and M.E. degrees in Electrical Engineering from Tsinghua University, Beijing, China, in 1995 and 1998, respectively, and the Ph.D. degree in Electrical and Computer Engineering from the University of Waterloo, Ontario, Canada, in 2003. From September 2004 to July 2006, he was a postdoctoral research fellow in the Department of Electrical and Computer Engineering, University of Toronto, Ontario, Canada. Since August 2006, he has been with the Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, Illinois, USA, as an Assistant Professor. His research interests include next-generation Internet architecture and management, wireless network performance analysis, network security, and wireless/wireline interworking. He received a Postdoctoral Fellowship Award from the Natural Sciences and Engineering Research Council of Canada (NSERC) in 2004, and a Best Paper Award from the International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness (QShine’07), Vancouver, British Columbia, August, 2007. He served as a Technical Program Co-Chair for the Wireless Networking Symposium of IEEE ICC 2009. He is an Associate Editor for IEEE Transactions on Vehicular Technology and an Area Editor for Elsevier Journal of Computer Networks.

Chi Zhou (SM’09) received two B.S. degrees in both Automation and Business Administration from Tsinghua University, China, in 1997. She received the M.S. and Ph.D. degrees in Electrical and Computer Engineering from Northwestern University in 2000 and 2002, respectively. Between 2002 and 2006, she worked in Florida International University as assistant professor. Since 2006, she has served as an Assistant Professor in the Department of Electrical and Computer Engineering, Illinois Institute of Technology. Her primary research interests include wireless sensor networks for smart grid application, scheduling for OFDMA/MIMO systems, network coding for wireless mesh networks, integration of optical and wireless networks, and security for VANETs.

Wei Song received her Ph.D. degree in electrical and computer engineering from the University of Waterloo, Canada, in 2007. Since 2008, she has been supported by the Natural Science and Engineering Research Council (NSERC) of Canada and worked as a postdoctoral research fellow at the Department of Electrical Engineering and Computer Sciences, University of California, Berkeley. In July 2009, she joined the Faculty of Computer Science, University of New Brunswick, as an assistant professor. She received a Top 10% Award from IEEE Workshop on Multimedia Signal Processing (MMSP) 2009, an NSERC postdoctoral fellowship in 2008, and a Best Paper Award from IEEE WCNC 2007. Her current research interests include the interworking of cellular networks and wireless local area networks (WLANs), resource allocation for heterogeneous wireless networks, vehicular ad hoc networks, and cross-layer optimization for multimedia quality-of-service (QoS) provisioning.
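
The verifier-coverage argument of Section VIII-4 and Fig. 11 (position-based selection in CMAP versus the probabilistic selection of [13], with and without hidden terminals), as an added Monte Carlo example; it is not the paper's NS2 code. The road layout (30 vehicles per side within 300 m), the rule p = V/60 for the pre-configured probability, and reading nearest-priority as the V/2 closest vehicles per side are assumptions made for illustration.

```python
import random

def closest(receivers, k):
    """The k receivers nearest the sender (at offset 0) on each side."""
    left = sorted((x for x in receivers if x < 0), key=abs)[:k]
    right = sorted(x for x in receivers if x > 0)[:k]
    return left + right

def nearest_priority(receivers, v, rng=None):
    """Position-based pick: assumed here to be the v/2 closest per side."""
    return closest(receivers, v // 2)

def probabilistic(receivers, v, rng, expected_receivers=60):
    """Each receiver volunteers with a pre-configured probability; assumed
    here to be p = v / expected_receivers, so v verifiers arise on average."""
    p = v / expected_receivers
    return [x for x in receivers if rng.random() < p]

def covers_both_sides(verifiers):
    """True when at least one verifier sits on each side of the sender."""
    return any(x < 0 for x in verifiers) and any(x > 0 for x in verifiers)

def p_both_sides(n_left, n_right, p):
    """Closed form for the probabilistic pick with n receivers per side."""
    return (1 - (1 - p) ** n_left) * (1 - (1 - p) ** n_right)

def coverage_rate(select, v, survivors=None, trials=4000, seed=7):
    """Share of broadcasts that get a verifier on each side of the sender.
    Constructed road: 30 vehicles per side within 300 m (100 vehicles/km).
    survivors=k models hidden terminals: only the k closest per side
    receive the broadcast, yet p stays at its pre-configured value."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rx = [s * rng.uniform(1, 300) for s in (-1, 1) for _ in range(30)]
        if survivors is not None:
            rx = closest(rx, survivors)
        hits += covers_both_sides(select(rx, v, rng))
    return hits / trials

if __name__ == "__main__":
    cases = (("all receivers hear the RBM", None),
             ("hidden terminals, 2 survivors per side", 2))
    for label, k in cases:
        print(label)
        print("  nearest-priority V=8 :", coverage_rate(nearest_priority, 8, k))
        print("  probabilistic    V=8 :", coverage_rate(probabilistic, 8, k))
        print("  probabilistic    V=25:", coverage_rate(probabilistic, 25, k))
```

Under these constructed parameters the closed form gives about 0.97 for the probabilistic pick at V = 8, and about 0.44 at V = 25 once only two vehicles per side receive the broadcast, while the position-based pick covers both sides in every trial.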
