A Distributed Key Management Framework With Cooperative Message Authentication in VANETs
A Distributed Key Management Framework With Cooperative Message Authentication in VANETs
A Distributed Key Management Framework With Cooperative Message Authentication in VANETs
3, MARCH 2021
Abstract—In this paper, we propose a distributed key man- signature [6] is a promising security scheme to provide privacy
agement framework based on group signature to provision in VANETs. To the best of our knowledge, all of the existing
privacy in vehicular ad hoc networks (VANETs). Distributed key group signature schemes in VANETs [7]–[9] are based on
management is expected to facilitate the revocation of malicious
vehicles, maintenance of the system, and heterogeneous security centralized key management which preloads keys to vehicles
policies, compared with the centralized key management assumed off-line. The centralized key management has some disadvan-
by the existing group signature schemes. In our framework, each tages. For instance, the system maintenance is not flexible.
road side unit (RSU) acts as the key distributor for the group, Another issue regarding the centralized key management is
where a new issue incurred is that the semi-trust RSUs may be that many existing schemes assume a tamper-proof device
compromised. Thus, we develop security protocols for the scheme
which are able to detect compromised RSUs and their colluding [1] being installed in each vehicle. The tamper-proof device
malicious vehicles. Moreover, we address the issue of large normally costs several thousand dollars, such as IBM 4764
computation overhead due to the group signature implemen- card [10]. The framework to be developed in this paper does
tation. A practical cooperative message authentication protocol not require the expensive tamper-proof device.
is thus proposed to alleviate the verification burden, where
each vehicle just needs to verify a small amount of messages. In this paper, we propose and develop a secure distributed
Details of possible attacks and the corresponding solutions are key management framework. In our framework, the road side
discussed. We further develop a medium access control (MAC) units (RSUs) [11] are responsible for secure group private
layer analytical model and carry out NS2 simulations to examine keys distribution in a localized manner. When a vehicle
the key distribution delay and missed detection ratio of malicious
approaches an RSU, it gets the group private key from the
messages, with the proposed key management framework being
implemented over 802.11 based VANETs. RSU dynamically. All vehicles which get the group private key
from the same RSU form a group. A new issue induced by the
Index Terms—Vehicular ad hoc networks, privacy, distributed
key management, RSU compromise, cooperative authentication.
distributed key management framework is that compromised
RSUs may misbehave in the key distribution procedure. For
example, a compromised RSU may deliver other vehicles’
group private keys to its accomplice. Then, the accomplice can
I. I NTRODUCTION
send messages under the name of other vehicles. Therefore, we
the sender. Only the selected verifiers check the validity of a group leader, all group members’ privacy may be leaked by
the message while other vehicles rely on verification results the malicious leader.
from these verifiers. Compared with [13], our protocol has While the pure pseudonym schemes do not support the
smaller packet loss ratio, less computation and communication secure functionality of authentication, integrity, and nonre-
overhead, as well as better security performance. Hence, it pudiation, an anonymous signing protocol [1] is proposed to
is more efficient and practical in the real application. In provide such functions as well as privacy. In the protocol, each
summary, this paper has five-fold main contributions: vehicle preloads a large number of certificated anonymous
1) We propose a distributed key management framework public/private key pairs. A key pair will be used for a short
which has advantages in the revocation of malicious period of time and then be discarded. Each key pair is assigned
vehicles, system maintenance, and the implementation of to only one user, and authorities maintain the key distribution
heterogeneous security policies. records which can be used to trace possible malicious vehicles.
2) We develop a secure key distribution protocol with The shortcoming of this protocol is that it requires vehicles
the capability of preventing RSUs from misbehaving. to store a large number of pseudonyms and certifications,
The protocol guarantees the traceability of compromised where a revocation scheme for abrogating malicious vehicles
RSUs and malicious vehicles. is difficult to implement.
3) An efficient cooperative message authentication protocol The group signature [6] is a promising security scheme to
is developed, by which cooperative verifiers are intelli- provide privacy in VANETs. In the group signature, one group
gently selected to significantly reduce the computation public key is associated with multiple group private keys.
and communication overhead in the group signature Under the group signature scheme, although an eavesdropper
based implementation. can know that a message is sent by the group, it can not
4) A MAC layer analytical model is developed to quantita- identify the sender of the message. A general vehicular com-
tively evaluate the impact of number of verifiers and the munication framework based on group signature is given in
size of authentication messages on network utilization. [7]. Lin et. al. systematically discuss how to implement group
5) We carry out NS2 simulations of 802.11 based VANETs signature protocol in VANETs [8]. The work in [9] combines
to examine the key distribution delay and missed detec- pseudonym schemes with the group signature to avoid storing
tion ratio of malicious messages, with the proposed key pseudonyms and certifications in vehicles. While all these
management framework being applied. studies assume a centralized key management scheme, we
The remainder of this paper is organized as follows. develop a distributed key management framework in this paper
Section II reviews more related work. Section III describes to achieve privacy based on group signature.
the system model. Section IV presents the distributed key
management framework and associated security protocols for B. Computation Overhead
implementation. The cooperative message authentication pro- In the safety driving application with frequent message
tocol is developed in section V. Section VI and Section VII communication, it is important to design protocols with small
analyze the security performance and MAC layer performance, computation overhead for timely and reliable message pro-
respectively. Section VIII presents the NS2 simulation results. cessing. In [15], the authors propose to employ TESLA, which
Section IX gives the conclusion remarks. is a hash based protocol, to reduce the computation overhead.
However, the malicious vehicles could not be identified in this
II. R ELATED W ORK protocol. An aggregate signature and certificates verification
A. Privacy scheme is proposed in [16], which could verify all received
signatures and certificates at one time. This protocol is more
There have been several proposals for privacy preservation
efficient when the density of vehicles is high. An RSU aided
of VANETs. Using pseudonyms is a natural idea. It is prefer-
message authentication protocol is proposed in [14]. The
able to preserve the location privacy of a vehicle by breaking
protocols requires RSUs to cover all the area, because RSUs
the linkability between two locations, for which the vehicle
have to be involved in the authentication. A promising protocol
can update its pseudonym after each transmission. Considering
based on probabilistic verification is proposed in [13]. Through
that a powerful adversary may still link the new and old
cooperative verification, the number of messages to be authen-
pseudonyms by monitoring the temporal and spatial relations
ticated by each vehicle will be reduced considerably. In this
between new and old locations, the techniques of mix zone
paper, we adopt the concept of cooperative authentication, but
[3] and silent period [4] have been proposed to enhance the
design a new method to select verifiers. With our method, a
pseudonym scheme. Each vehicle in a mix zone will keep
similar security level could be achieved with a much smaller
silent in transmission, and randomly update its pseudonyms
number of verifiers, and the performance is more robust when
when it travels out of the mix zone and becomes reactivated.
the MAC-layer collision is nonignorable.
Given a reasonable large mix zone, the location privacy can
be well protected due to the untraceability of location and
pseudonym updating in the silent period. In the AMOEBA [5], C. Communication Protocols for VANETs
vehicles form groups. The messages of all group members are A vehicular network can be established over different
forwarded by the group leader, which implies that the privacy communication/networking protocols [11], [17], say, cellular
of group members is protected by sacrificing the privacy of networks, IEEE 802.16 (WiMAX), or IEEE 802.11. There are
group leader. Moreover, if a malicious vehicle is selected as already some cellular-based vehicular communication services
618 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 3, MARCH 2021
1.broadcast {R pub , Sig CA ( R pub ), group public keys , identities of revoked neighbor RSUs}
3.{h(G pri k ), Sig Rpri (h(G prik ), N pub , R pub )}N pub
Vehicle
RSU
4.{( N pri , T )CA , T , Sig N pri ( h(G prik ), ( N pri , T )CA , T , N pub )}R pub
TABLE I
N OTATIONS AND D ESCRIPTIONS at that place will report such claim as a false message. The
accusation message format is shown in Table II. “Grp ID”
Notations Descriptions is the accuser’s group identifier. The “Msg.” field copies
Rpub /Rpri RSU’s public/private key pair (I-key) the whole message that the accusor considers false. An 8-
Npub /Npri Node(Vehicle)’s public/private key pair (I-key) bytes field is used to indicate “Reasons” for the accusation.
SigA (M ) Signature of message M signed by A’s private key “h(Npri ,T)” is the hash value of accuser’s I-private key and the
(M )k Message M is encrypted by k or k’s public key timestamp. The accuser signs the first six items in this message
Gpubk /Gprik Group public/private key pair (G-key) for user k by using its G-private key. The entire message should be
T Timestamp
encrypted by CA’s public key so that the accusation messages
h(.) A one-way hash function such as SHA-1
can not be read by others.
After receiving an accusation, authorities verify the signa-
ture in the accusation message by using Gpub . Then, author-
ities perform key retrieve operations to get the accuser’s and
Message 5: The RSU sends the G-private key to the vehicle.
the accused’s G-private keys. Whereafter, authorities contact
The vehicle finishes registration procedure after it gets a
RSUs which assign G-private keys to the accuser and the
valid G-private key. Then, the RSU stores the information, as
accused according to group IDs. RSUs will send correspond-
shown in Table II, in the local database. The signature in the
ing information back to authorities after they receive the
fifth item is the signature that the RSU receives in message
requests from authorities. After that, authorities will calculate
4. If authorities need the information of a vehicle when there
accuser’s and accused’s h(Npri ,T) by using vehicles’ I-private
is a dispute, the RSU has to send the vehicle’s corresponding
keys and timestamps which are obtained from the accusation
information to authorities.
message and the broadcast message respectively. If the value
Table II presents the message format and we also indicate
that authorities calculate is the same with the value they get
the size of each field. When the I-keys are involved, the
from the report, the user will be considered as legitimate. If
indicated sizes are determined by the ECDSA and ECIES
both of them are authorized users, authorities will start the
algorithms and the given key size. When the G-keys are
evaluation mechanism to decide which user tells the truth. The
involved, the indicated sizes are determined by the short group
evaluation system design is out of the scope of this paper. A
signature scheme. Numbers in Table II are sizes of each field
reference to this part of work is [24].
with unit of bytes. We allocate 4 bytes for the timestamp and increase
2 bytes for the group ID.
2) Messages Broadcasting: Vehicles can broadcast mes- V. C OOPERATIVE M ESSAGE AUTHENTICATION
sages under the name of the group after they get G-private In this section, we propose a cooperative message au-
keys from the RSU. In the broadcast message format, the “Grp thentication protocol, which augments the basic short group
ID” is the group ID which is used to identify a group. We add signature protocol by mitigating the computation overhead in
a hash value of vehicle’s I-private key and the timestamp in the the regular broadcast phase. According to [12], the verification
message. The vehicle signs the first five items in this message time for short group signature is 11ms with a 3 GHz Pentium
using the vehicle’s G-private key, resulting in the signature IV system. In a typical public safety application, each vehicle
item. We allocate 100 bytes to the “Payload” [8]. broadcasts safety messages every 300 ms, which implies that
3) Accusation: When a vehicle finds that other vehicles each vehicle can at most process messages from 27 (300/11)
send false messages, it will report to authorities. For example, other vehicles in a stable system. However, according to
a vehicle may maliciously detour traffic by claiming a traffic the measurement that is given by [28], there may exist as
jam at a certain place but there is not in fact. Other vehicles many as 87 vehicles broadcasting messages within the 300m
HAO et al.: A DISTRIBUTED KEY MANAGEMENT FRAMEWORK WITH COOPERATIVE MESSAGE AUTHENTICATION IN VANETS 621
TABLE II
A packet
M ESSAGE F ORMATS
C ooperative A uthentication
Process
Registration Record Format CAM W ait for CAM D elete the
Gprik Npub (Npri , T )CA T Signature R B M or C A M
CAM R eceived RBM
N
22 29 85 4 56 No CAM
RBM
A ccept the
h(Npri , T ) T
Invalid
Grp ID Msg. Type Msg. Reasons Signature
Y
2 2 320 8 20 4 192
C an be processed Process V erify
Y V alid
Cooperative Message Format in tim e Q ueue m essages
A ccept
RSUs’ compromise if they cannot provide a legal record for a 2) Selfish Behaviors: Selfish behavior is inherent in the
G-private key. Those vehicles which do not get the G-private cooperative networks. In the regular broadcast procedure,
key, in case the RSU is a malicious, can join the next group. some nodes may not verify any messages. They only wait
3) Collusion Attacks: The compromised RSU and its ac- for reports from others. Or some nodes verify messages, but
complice vehicles will collude to attack. An RSU sends other they never report invalid messages to others. As we discussed
vehicle’s G-private key to its accomplice. Then, the malicious in the security model, the VANETs are civilian networks
vehicle can broadcast messages on behalf of others. that overwhelming majority of users are honest. Therefore,
In the registration procedure, a vehicle sends a commitment the proportion of selfish vehicles should be very small. The
to the RSU which is the encrypted vehicle’s I-private key and performance that is influenced by selfish vehicles can be
timestamp. Then, in every message that the vehicle broadcasts, illustrated by varying the number of verifiers.
the hash value of its I-private key should be included in it. If
there is a dispute, authorities get vehicle’s information from VII. MAC-L AYER P ERFORMANCE A NALYSIS
RSUs. Then, they will calculate accuser’s and accused’s hash In this section, we develop an analytical model for MAC-
values by using vehicles’ I-private keys and timestamps. If layer performance analysis of the CMAP. We consider 802.11
values that authorities calculate are different from hash values based VANETs, where the broadcast from each vehicle is
in the accusation message, the attack can be detected. Both controlled with a distributed coordination function (DCF). It is
RSUs and malicious vehicles have no access to other vehicles’ assumed that the vehicles are uniformly distributed along the
I-private keys. So, we prevent RSUs and their accomplice from road, and thus the number of vehicles in an area has a Poisson
attacking. On the other hand, a malicious vehicle may fill a distribution [28]. Given the fixed road width, the density of
wrong hash value into a broadcast message to frame up a vehicles along the road, denoted as β, is represented as “ve-
normal RSU. When authorities find the mismatch, they will hicles per kilometer” along the length direction2. We assume
consider the RSU as a malicious. that all vehicles have the same communication range R, and
Authorities can not decide which is the malicious, the RSU the carrier sensing range equals the communication range.
or the vehicle or both, when they find a mismatch. But they For mathematical traceability, the hidden-terminal effect is
can be sure that, at least, there is one malicious. If authorities ignored. Our simulation results presented in Section VIII
check the RSU physically and find that the RSU is working will show that the analysis inaccuracy due to the hidden-
well, they can decide that the vehicle is a malicious one. terminal effect is small, because the cooperative authentication
As we discussed in the security model, RSUs are equipped scheme can effectively reduce the traffic load generated by
with trusted platform modules. Only hardware attacks can each vehicle.
compromise an RSU. Thus, it must be easy to check whether
an RSU is compromised or not. Moreover, we assumed that
attackers are rational. Malicious vehicles know that this attack A. Backoff Process in Broadcast
will be detected by authorities, so they tend not to attack in In the DCF based broadcast, each vehicle sense the chan-
this way. nel first before transmission. Upon sensing an idle channel,
the channel access is controlled by a backoff procedure. In
each backoff period, the backoff counter is initialized with a
B. Regular Broadcast Phase value randomly selected within a contention window W . The
backoff counter reduces by 1 each slot when channel is idle
1) Collusion and Sybil Attacks: If vehicles collude with and freezes when channel is busy. Transmission in an idle
each other, for example, verifiers are all accomplices of a slot is allowed when the backoff counter reaches zero. There
sender, then all invalid messages that are sent by the sender is no acknowledgement and retransmission in the broadcasting
will not be notified although the proportion of malicious mode, and the backoff window size W maintains constant in
vehicles may be not high. Or a malicious vehicle may launch a each transmission period.
sybil attack by creating fictitious vehicles to act as its verifiers. The backoff process can be described by a discrete-time
In our protocol, A-Mode is only implemented when the Markov chain, with the state of the chain defined as the
density of vehicles reaches a bottom line. Vehicles travel on backoff counter value [19]. Use k to denote a possible backoff
the road with high velocities, so it is not easy for accomplice counter value, the one-step transition probabilities of the
vehicles to get all verifiers’ positions at the same time. As we Markov chain can be expressed as
discussed in the security model, attackers are minority. Hereby,
it is more difficult to launch the attack when the number of Pk+1,k = 1, k ∈ [0, W − 2];
(1)
verifiers increases. Another way to defend collusion attack is P0,k = 1/W, k ∈ [0, W − 1].
choosing verifiers from the other side of the road. It would be
difficult for an adversary to have colluding vehicles on both Let πk (k ∈ [0, W − 1]) denote the steady-state probabilities
directions [29]. Due to limitation of the space, we leave details of the Markov chain, it can be computed that π0 = W2+1 [19].
of collusion attack defence as the future work. For sybil attack, Let τ denote the channel access probability in an idle slot. We
some techniques can be employed to defend it. For instance, have τ = π0 .
signal strength detection [30] in the physical layer can identify 2 The area covered by the transmission of a vehicle can be well approxi-
the real location of the sender. Rangefinders [31] which cost mated by a rectangle if the road width is much smaller than the transmission
about 100 EURO is another way to locate vehicles. range.
624 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 3, MARCH 2021
B. MAC-layer Channel Behavior a carrier sensing area is V npmal λP DR. Thus, the proportion
We are interested in the MAC-layer channel behavior ob- of RBM packets over the aggregate traffic is
served by a tagged vehicle. Let pi , ps , and pc denote the 1
pRBM = . (6)
probabilities that the tagged vehicle observes an idle channel, a 1 + V pmal P DR
successful transmission (from other vehicles), and a collision, which is also the probability that a given packet in transmis-
respectively. Each vehicle can be modeled as a G/G/1 queue. sion is an RBM packet.
Let p0 denote the probability that the queue is empty; the
Let LH denote the packet header size including both the
probability that a vehicle access channel in an idle slot can
physical layer and MAC layer header; LRBM and LCAM
then be expressed as (1 − p0 )τ .
denote the average length of an RBM and CAM messages,
Let n (= 2βR) denote the average number of vehicles respectively; δ denote the propagation delay; DIF S denote
within the transmission range (equivalently the sensing range the DCF interframe space; and C denote the wireless channel
according to our assumption) of the tagged vehicle. We capacity. Use TRBM and TCAM to denote the average trans-
can have the channel idling probability regarding the tagged mission time of an RBM and CAM packet, respectively, we
vehicle have
∞ i−1 ni e−n
i=1 [1 − (1 − p0 )τ ] LH + LRBM
pi = i!
TRBM = + DIF S + δ. (7)
1 − e−n C
e−n(1−p0 )τ − e−n LH + LCAM
= . (2) TCAM = + DIF S + δ. (8)
[1 − (1 − p0 )τ ] (1 − e−n ) C
We use Tc to denote the average duration of a collision, and
where all the other vehicles within the sensing range do not
approximately set Tc = TRBM considering that the probability
transmit. Note that the normalization factor (1−e−n ) indicates
that collision happens just among CAM messages is small.
the condition that at least one vehicle (the tagged vehicle)
If we represent the transmission/collision time in terms of
exists in an area. The probability ps can be obtained when
number of slots, the PGF of packet transmission time can be
there is only one vehicle other than the tagged one transmits,
expressed as
thus,
TRBM TCAM
∞ i−2 ni e−n S(z) = pRBM z σ
+ (1 − pRBM )z σ
(9)
i=2 (i − 1)(1 − p0 )τ [1 − (1 − p0 )τ ]
ps = −n
i!
TCAM +σ Tc +σ
Then, the probability of observing a collision + ps (1 − pRBM )z σ
+ pc z σ
. (10)
TABLE III
PHYSICAL AND MAC LAYER PARAMETERS [19] involved in the collision will experience a delay at least
three seconds. A higher delay is due to further collisions
Parameter Value in the retransmissions. We define those vehicles which get
Preamble length 40 us G-keys more than three seconds as singularity vehicles. The
PLCP header length 8 us proportion of singularity vehicles against broadcast intervals at
Slot time σ 16 us
the density of 225 vehicles per kilometer is shown in Fig. 5(a).
SIFS 32 us
The proportion of singularity vehicles having more than
DIFS 64 us
9 seconds is much less for the intervals of 0.4 second and
0.8 second than other cases. The explanation is that the
MAC header size 28 bytes
TCP retransmissions in these two cases deviate from the
Wireless channel rate 6 Mbps
RSU broadcast epochs for further collisions, whereas the
Contention window W 16
retransmission (based on the timeout value of 3 seconds) will
collide with future broadcast epochs, if the broadcast interval
is 0.2, 0.6, or 1.0 second. Hence, we set the RSU broadcast
VIII. S IMULATION RESULTS interval as 0.4 second in our implementation.
In this section, we use NS2 [32] simulations to examine In order to reduce the collisions due to the simultaneous
the performance of the proposed key distribution framework key request, we introduce a random initiation scheme. After
and cooperative authentication protocol. We mainly consider a a vehicle receives the RSU broadcast message, instead of
highway scenario with three lanes in each direction as shown starting key request immediately, it will send the request
in Fig. 11. Vehicles are placed uniformly on the road and after a random initiation delay. We use WI to denote the
travel at speed of 30 ± 5m/s (roughly equivalent to the range maximum initiation delay, and each vehicle randomly pick its
of 56 ∼ 80 miles/hour). The highway setting gives us the initiation delay from (0, WI ). The proportion of singularity
convenience to evaluate the lower bound of the performance, vehicles against the maximum initiation delay in the highway
by deploying vehicles with higher speeds and higher densities scenario is shown in Fig. 5(b). From the figure, we can see that
to push RSUs into a high-load situation. We also simulate a when WI = 20 ms, only two percent of vehicles fail in the
typical city road scenario according to the settings in [20], first key request and incur retransmissions. In this scenario,
where the key distribution performance is indeed much better our simulations further show that all vehicles have a key
than that under a high-load highway situation. The physical distribution delay less than four seconds, giving a satisfying
and MAC layer parameters of the 802.11 broadcast protocol service start time.
used in our simulations are listed in Table III. 2) City Road Scenario. To show that the high-load highway
scenario indeed gives a lower bound of the performance, we
also simulate a typical city road scenario as shown in Fig. 6(a).
A. Key Distribution Performance
We follow the configurations used in [20] with a density of
In the key distribution phase, it is preferred that vehicles 150 vehicles per square kilometers and travel speeds in the
could get their G-private keys promptly for a short service start range of 15 ± 5m/s (roughly equivalent to the range of 22.5
time. Each RSU broadcasts its own public key, the associated ∼ 45 miles/hour). When a vehicle reaches an intersection, it
certificate, the G-Public keys of itself and its neighbors peri- will randomly choose to turn left, turn right or go forward.
odically in the control channel. When an approaching vehicle A vehicle hitting the boundary will be bounced back into the
receives the broadcast message, it then starts a TCP connection map to maintain a steady density of vehicles in the map. It is
with the corresponding RSU to get its G-private key. RSU not difficult to check that, in the city road scenario, the average
broadcasting and key distribution TCP connections share the number of vehicles in the area covered by an RSU is much
same control channel. To evaluate the delay performance, we less than that in the highway scenario considered in Fig. 5.
configure the computation overhead for signing, verification, Comparing the results in Fig. 6(b) to those in Fig. 5(a), we
encryption and decryption as that used in [33], assuming a can see the proportion of singularity vehicles is much smaller
3GHz Pentium IV CPU. in the city road scenario.
1) Highway Scenario. Our simulation results show that most
of the vehicles get their G-private keys very soon after they
start the TCP connection, while some vehicles experience a B. Cooperative Authentication Performance
delay of three or more seconds. Some other vehicles are not In this part, we evaluate the performance in the regular
able to get the G-keys. The extra delay is due to the collision broadcast phase by simulating packet delivery ratio, computa-
and the associated TCP timeout. The number of vehicles tion and communication overheads and missed detection ratio.
that will simultaneously start key-request TCP connections, We also compare both the theoretical and simulation results
after they hear the RSU broadcasting, is the product of under our protocol with those under the protocol in [13].
vehicles density, average speed and RSUs’ broadcast interval. Since the cooperative authentication protocol is of particular
Hence, we try to avoid collision by adjusting RSUs’ broadcast importance in the high-load scenario, we thus only focus on
interval. the highway scenario in this part. We assume six percent of the
For the TCP protocol, the initial round-trip time (RTT) vehicles are malicious in our simulations. Malicious vehicles
(used as the initial timeout value) is defined as three seconds always send invalid RBM, and they never send CAM to help
according to the RFC 2988 [34]. Thus, all the vehicles others. The missed detection ratio is defined as the percentage
626 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 3, MARCH 2021
16 7
Get keys between 3s and 9s
2 1
0 0
0.2 0.4 0.6 0.8 1.0 0 10 20
RSU broadcast interval(s) Maximum initiation delay(ms)
(a) (b)
Fig. 5. Key distribution performance in the highway scenario. (a) Performance versus the RSU broadcast intervals. (b) Performance versus the initiation
delay.
7
500m
5
1000m
3
1000m 500m
2
0
0.2 0.4 0.6 0.8 1.0
RSU broadcast interval(s)
(a) (b)
Fig. 6. Key distribution performance in the city road scenario. (a) Road map. (b) Performance versus the RSU broadcast intervals.
of invalid RBM that are considered as valid by a receiver. The collisions, we also evaluate the scenario that vehicles may take
missed detection ratio is computed based on well behaved different average speeds, and the missed detection ratio in such
vehicles in our simulation. Considering that the performance a scenario is presented in Fig. 7 too. While the heterogeneous
of the highway scenario is more severe than that of the local average speeds tend to results in an uneven distribution of
scenario, we focus on highway scenario in this part and leave vehicles and a higher probability of overloaded verifiers, the
the local scenario case to the future work. missed detection ratio in this situation is in fact smaller. The
1) Number of Verifiers: As discussed in the section V, the reason is that the speed difference will stretch the area of
number of verifiers is a tradeoff between missed detection ratio vehicle distributions, and equivalently reduce the density of
and computation overhead of OBUs. The missed detection vehicles and the frequency of broadcast messages in an area.
ratios versus different number of verifiers are shown in Fig. 7. The reduced traffic load will then result in less MAC collisions
It can be seen the performance under 8 verifiers is obviously and thus smaller missed detection ratio.
better than that under 6 ones. Nevertheless, the number of 2) Packet Delivery Ratio: The packet delivery ratio is
verifiers could not be too large. If the number is large enough defined as the proportion of transmissions that can be success-
to ensure a good CAM for an RBM, the extra number of fully received. The PDR is a critical performance measure af-
verifiers will lead to negative impact by incurring unnecessary fecting both the network utilization and security performance.
communication and computation overhead. Our simulation A low PDR (or a high packet loss ratio due to collision)
results suggest that 8 verifiers can achieve a good tradeoff. means a low bandwidth utilization, and the loss of CAM tends
We would like to emphasize that our nearest-priority policy to result in missed detection. In [13], the authors present a
in cooperative authentication guarantees that every sender has probabilistic verification protocol, in which a vehicle receiving
at least one verifier at each side to do the verification. Thus, an RBM decides to be a verifier with a probability. However,
the missed detection is mainly due to packet losses caused in order to guarantee that there are verifiers selected at both
by MAC layer collisions. To demonstrate the impact of MAC sides of the sender, on average 25 verifiers should be randomly
HAO et al.: A DISTRIBUTED KEY MANAGEMENT FRAMEWORK WITH COOPERATIVE MESSAGE AUTHENTICATION IN VANETS 627
0.12
6 verifiers with fixed average speed 100
6 verifiers with heterogeneous average speeds
90
0.08 70
Missed detection ratio (%)
60
0.06 50
40
0.04
30
20
0.02
10 Probabilistic verification (V = 25)
CMAP (V = 8)
0 0
50 75 100 125 150 175 50 75 100 125 150 175
Vehicle density (No. of vehicles per kilometer) Vehicle density (No. of vehicles per kilometer)
Fig. 7. Missed detection ratio versus the number of verifiers. Fig. 9. Communication overhead due to cooperative authentication messages.
100 0.7
CMAP(V = 8)
90 Probabilistic verification (V=25)
0.6 Probabilistic verification (V=8)
80
Packet delivery ratio(%)
0.5
Missed detection ratio (%)
70
60
0.4
50
0.3
40
30 0.2
20 Theorectical value of CMAP (V = 8)
Simulation result of CMAP (V = 8) 0.1
10 Theorectical value of probabilistic verification (V = 25)
Simulation result of probabilistic verification (V = 25)
0 0
50 75 100 125 150 175 50 75 100 125 150 175
Vehicle density (No. of vehicles per kilometer) Vehicle density (No. of vehicles per kilometer)
Fig. 8. Packet delivery ratio versus the density of vehicles. Fig. 10. Missed detection ratio versus the density of vehicles.
incurred for each RBM according to the protocol. Another verification protocol in Fig. 9, which shows the proportion
difference between our CMAP and the protocol in [13] is that of cooperative authentication messages over the total traffic,
CMAP allows a much shorter CAM. considered as communication overhead. For the comparison
We show the theoretical values and simulation results of purpose, we normalize the communication overhead under
PDR for CMAP and probabilistic verification protocol in the CMAP against that under the probabilistic protocol. It is
Fig. 8. The theoretical PDR is computed by (5). We can see clearly shown that CMAP has a communication overhead less
that the theoretical values are close to simulation results in than 40% of that under the probabilistic protocol.
both scenarios. Note that the MAC-layer analytical model de- 4) Missed Detection Ratio and Computation Overhead:
veloped in Section VII can also be applied to the probabilistic Fig. 10 compares the CMAP with the probabilistic verification
verification protocol with a good accuracy. The theoretical protocol in terms of missed detection ratio. We can see that
values are anyhow lightly higher than the simulation results; with the same number verifiers V = 8, the performance
it is because that the analysis is optimistic by ignoring the of probabilistic verification protocol deteriorates significantly,
hidden-terminal effect and result in a higher PDR. The PDR because V = 8 can not ensure with high probability that
under CMAP is higher than that under the protocol in [13]; it verifiers exist on both sides of a sender. The good performance
is because the smaller number of verifiers and shorter CAM of CMAP is because the pattern of selecting verifiers is fixed
in CMAP gives a smaller traffic load, which thus results in according to position information.
a smaller collision probability and a higher PDR. The higher Another interesting observation is that in the cases of high
PDR under CMAP will lead to a better network utilization density, the performance of CMAP is still better than the
and security performance. probabilistic protocol even when it uses 25 verifiers. The
3) Communication Overhead: The communication over- reason is due to the hidden-terminal effect as shown in Fig. 11.
head of CMAP is explicitly compared with the probabilistic In the scenario, the hidden terminals at both sides of a sender
628 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 29, NO. 3, MARCH 2021
[30] B. Xiao, B. Yu and C. Gao, “Detection and localization of sybil nodes Chi Zhou (SM’09) received two B.S. degrees in
in VANETs,” in Proc. ACM/SIGMOBILE Workshop on Dependability both Automation and Business Administration from
Issues in Wireless Ad Hoc Networks and Sensor Networks, 2006. Tsinghua University, China, in 1997.She received
[31] K. Ibrahim, M. C. Weigle and G. Yan, “Light-weight laser-aided position the M.S. and Ph.D. degrees in Electrical and Com-
verification for CASCADE,” in Proc. International Conference on puter Engineering from Northwestern University in
WAVE, Dearborn, MI, Dec. 2008. 2000 and 2002, respectively. Between 2002 and
[32] The network simulator-NS2, http://www.isi.edu/nsnam/ns/tutorial/index. 2006, she worked in Florida International University
html/. as assistant professor. Since 2006, she has served
[33] Shamus Software. MIRACL library, http://www.shamus.ie/index.php? as an Assistant Professor in the Department of
page=Elliptic-Curve-point-multiplication. Electrical and Computer Engineering, Illinois Insti-
[34] V. Paxson and M. Allman, “Computing TCP’s Retransmission Timer”, tute of Technology. Her primary research interests
IETF RFC 2988. include wireless sensor networks for smart grid application, scheduling
for OFDMA/MIMO systems, network coding for wireless mesh networks,
integration of optical and wireless networks, and security for VANETs.
Yong Hao (S’10) received the B.E. and M.E. de- Wei Song received her Ph.D. degree in electrical
grees in Electrical Engineering from Huazhong Uni- and computer engineering from the University of
versity of Science and Technology, Wuhan, Hubei, Waterloo, Canada, in 2007. Since 2008, she has been
China, in 2003 and 2007 respectively. He is currently supported by the Natural Science and Engineering
pursuing the Ph.D degree in the Department of Research Council (NSERC) of Canada and worked
Electrical and Computer Engineering, Illinois Insti- as a postdoctoral research fellow at the Department
tute of Technology, Chicago, IL, U.S.A. His current of Electrical Engineering and Computer Sciences,
research interests include wireless network security University of California, Berkeley. In July 2009, she
and vehicular ad hoc networks. joined the Faculty of Computer Science, University
of New Brunswick, as an assistant professor. She
received a Top 10% Award from IEEE Workshop
on Multimedia Signal Processing (MMSP) 2009, an NSERC postdoctoral
fellowship in 2008, and a Best Paper Award from IEEE WCNC 2007. Her
current research interests include the interworking of cellular networks and
Yu Cheng (S’01-M’04-SM’09) received the B.E. wireless local area networks (WLANs), resource allocation for heterogeneous
and M.E. degrees in Electrical Engineering from Ts- wireless networks, vehicular ad hoc networks, and cross-layer optimization
inghua University, Beijing, China, in 1995 and 1998, for multimedia quality-of-service (QoS) provisioning.
respectively, and the Ph.D. degree in Electrical and
Computer Engineering from the University of Wa-
terloo, Ontario, Canada, in 2003. From September
2004 to July 2006, he was a postdoctoral research
fellow in the Department of Electrical and Com-
puter Engineering, University of Toronto, Ontario,
Canada. Since August 2006, he has been with the
Department of Electrical and Computer Engineering,
Illinois Institute of Technology, Chicago, Illinois, USA, as an Assistant
Professor. His research interests include next-generation Internet architecture
and management, wireless network performance analysis, network security,
and wireless/wireline interworking. He received a Postdoctoral Fellowship
Award from the Natural Sciences and Engineering Research Council of
Canada (NSERC) in 2004, and a Best Paper Award from the International
Conference on Heterogeneous Networking for Quality, Reliability, Security
and Robustness (QShine’07), Vancouver, British Columbia, August, 2007.
He served as a Technical Program Co-Chair for the Wireless Networking
Symposium of IEEE ICC 2009. He is an Associated Editor for IEEE
Transactions on Vehicular Technology and an Area Editor for Elsevier Journal
of Computer Networks.