TEAM: Trust-Extended Authentication Mechanism For Vehicular Ad Hoc Networks
Abstract—The security in vehicular ad hoc networks (VANETs) is receiving a significant amount of attention in the field of wireless mobile networking because VANETs are vulnerable to malicious attacks. A number of secure authentication schemes based on asymmetric cryptography have been proposed to prevent such attacks. However, these schemes are not suitable for highly dynamic environments like VANETs, because they cannot cope with the authentication procedure efficiently. Hence, this still calls for an efficient authentication scheme for VANETs. In this paper, we propose a decentralized lightweight authentication scheme called Trust-Extended Authentication Mechanism (TEAM) for vehicle-to-vehicle (V2V) communication networks. TEAM adopts the concept of transitive trust relationships to improve the performance of the authentication procedure. Moreover, TEAM satisfies the following security requirements: anonymity, location privacy, mutual authentication to prevent spoofing attacks, forgery attacks, modification attacks and replay attacks, as well as no clock synchronization problem, no verification table, fast error detection, and session key agreement. To the best of our knowledge, this is the first work to propose a hash-based authentication scheme with high security properties in VANETs.

Keywords: Vehicular ad hoc networks (VANETs); decentralized; lightweight; authentication; trust-extended

I. INTRODUCTION

Based on IEEE 802.11p, the Dedicated Short Range Communications (DSRC) system [1] supports two kinds of communication environments: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. A number of studies [2] [3] [4] have focused on the problem of data dissemination in VANETs. Recently, the security issues in vehicular ad hoc networks (VANETs) have attracted increasing attention from both industry and academia [5]. An authentication mechanism is a basic way to protect valid users.

Raya et al. [6] pre-load each vehicle with a large number of anonymous public and private key pairs, as well as the corresponding public key certificates. Each of the public key certificates contains a pseudo identity. Then, traffic messages are signed with a public key-based scheme, and each pair of public and private keys has a short lifetime to preserve its privacy. However, the approach works with high computation cost, high storage cost, and high communication overhead. Freudiger et al. [7] and Sampigethaya et al. [8] proposed schemes that protect location privacy. However, these approaches [6] [7] [8] do not work well in highly dynamic environments like VANETs because they use asymmetric cryptography or a signature verification scheme, which results in high computation costs, long authentication latency, or a large storage space. Zhang et al. [9] proposed an RSU-aided message authentication scheme (RAISE), which uses the symmetric key hash message authentication code (HMAC), instead of a public key infrastructure (PKI) based message signature, to reduce the signature cost. However, in RAISE, the authentication scheme and key agreement process also use asymmetric cryptography, which leads to a high computation cost. Hence, there is a need for an efficient authentication scheme for VANETs.

To address the above need, we propose a decentralized authentication scheme called the Trust-Extended Authentication Mechanism (TEAM) for V2V communication networks. TEAM is a lightweight authentication scheme because it only uses an XOR operation and a hash function. Although TEAM has a low computation cost, it still satisfies the following security requirements: anonymity, location privacy, mutual authentication to prevent spoofing attacks, resistance to stolen-verified attacks, forgery attacks, modification attacks and replay attacks, as well as no clock synchronization problem, fast error detection, and session key agreement.

The remainder of this paper is organized as follows. In Section II, we introduce some preliminaries; and in Section III, we describe the proposed scheme in detail. The security analysis is presented in Section IV. Then, in Section V, we summarize our conclusions and consider future research avenues.

II. PRELIMINARIES

In this section, we introduce the concept of the transitive trust relationship and consider the security requirements of VANETs.

A. The Transitive Trust Relationships

The major components of a VANET are the wireless on-board unit (OBU), the roadside unit (RSU), and the authentication server (AS). OBUs are installed in vehicles to provide wireless communication capability, while RSUs are deployed on intersections or hotspots as an infrastructure to provide information or access to the Internet for vehicles within their radio coverage. The AS is responsible for installing the secure parameters in the OBU to authenticate the user. In a VANET, a vehicle connects to the Internet through V2V communications when it is not located within the service range of an RSU. Figure 1 shows the VANET network architecture.
Other normal vehicles need to perform the initial registration procedure with the authentication server through the manufacturer or a secure channel. The steps of the procedure are as follows:

Step 1: User→AS: A user sends the public identification IDi and its chosen password PWi to the AS via the manufacturer or a secure channel.
Step 2: After receiving the user's ID and password, the AS computes the following secret authentication parameters for the user: Ai = h(IDi||x), Bi = h²(IDi||x) = h(Ai), Ci = h(PWi) ⊕ Bi, and Di = PSK ⊕ Ai.
Step 3: AS→User: The AS stores the parameters (i.e., IDi, Bi, Ci, Di, h( )) in the OBU's security hardware via the manufacturer or a secure channel.

Note that the AS does not need to store the user's verification information (e.g., the user's password). Therefore, an adversary cannot obtain the information to launch a stolen-verified attack. In addition, a registered user cannot successfully impersonate another valid user when the user obtains the above parameters. This is because the user does not know the AS's secret (i.e., x).

D. Login Procedure

The login procedure is the first checkpoint. The OBU will detect an error event immediately if the user has malicious intentions.

Step 1: User→OBU: When a user wants to access the service, he/she inputs IDi and PWi to the OBU.
Step 2: The OBU checks the IDi and verifies that h(PWi) ⊕ Ci is equal to Bi. If the information is correct, the OBU generates a nonce, N1, and calculates the message M1 as h(Bi) ⊕ N1. Then, it computes the alias AIDi as h(N1) ⊕ IDi, and generates the message M2 as h(N1||AIDi), where Bi and Ci are obtained from the initial registration procedure.

E. General Authentication Procedure

The OBU performs the general authentication procedure after the user completes the login procedure.

Step 1: OBU→LE: The OBU sends an authentication request (i.e., AIDi, M1, M2, Di) to the LE. Note that Di is obtained from the initial registration procedure.
Step 2: The LE verifies that the OBU is trustful: On receipt of the authentication request, the LE uses a secure pre-shared key (i.e., PSK) to obtain Ai (i.e., Ai = Di ⊕ PSK). The LE retrieves the value of N1 (i.e., N1 = M1 ⊕ h²(Ai)) and then checks whether h(N1||AIDi) is equal to M2. It rejects the authentication request if h(N1||AIDi) and M2 do not match, which means the authentication message has been modified. Next, the LE computes IDi as AIDi ⊕ h(N1), generates a random number N2, and calculates a session key SKij as h(N1||N2). Finally, the LE computes the authentication reply message (i.e., M3, M4, M5), where M3 is N2 ⊕ h²(N1), M4 is Ai ⊕ h(IDi), and M5 is h(M4||N2).
Step 3: LE→OBU: The LE returns the authentication reply message (i.e., M3, M4, M5) to the OBU.
Step 4: The OBU verifies that the LE is trustful: The OBU computes the value of h²(N1), retrieves the random number N2 (i.e., N2 = M3 ⊕ h²(N1)), and checks whether h(M4||N2) is equal to M5. If the information is correct, the OBU calculates the value of Ai (i.e., Ai = M4 ⊕ h(IDi)), computes the session key (i.e., SKij = h(N1||N2)), and stores Ai in the security hardware.
Step 5: OBU→LE: The OBU sends the message (i.e., SKij ⊕ h(N2)) to the LE.
Step 6: The LE uses the session key SKij to retrieve the value (i.e., h(N2)). It then checks this value to prevent an invalid OBU from executing a replay attack.

At this point, the OBU becomes trustful and obtains an authorized parameter (i.e., PSK = Ai ⊕ Di) when it is authenticated successfully. Thus, the other mistrustful OBUs can be authenticated by it without necessarily finding an LE.

F. Trust-Extended Authentication Procedure

We adopt the trust-extended mechanism based on the concept of transitive trust relationships to improve the performance of the authentication procedure. The state of a mistrustful OBU becomes trustful and then obtains an authorized parameter (i.e., PSK) when the OBU is authenticated successfully. Then, the trustful OBU plays the role of LE temporarily to assist with the authentication procedure of a mistrustful OBU. In this procedure, the trustful vehicle performs the authentication procedure and it still does not need to store the authentication information of the user. Hence, our scheme requires only a small amount of storage. The steps of the general authentication and the trust-extended authentication procedures are the same. As a result, all vehicles in a VANET can complete the authentication procedure quickly.

IV. SECURITY ANALYSIS

The following points are relevant to the security analysis. (1) The security property of TEAM is based on a collision-free one-way hash function. For a one-way hash function h( ), when the value of x is given, it is straightforward to compute h(x); however, given the value of h(x), computing the value of x is very difficult or incurs a high computational cost. (2) In the login procedure, the security hardware has a retry limit to prevent an attacker from using a brute-force technique to guess the user's password. We now consider the security features of TEAM. The mechanism satisfies the following security requirements.

1) Anonymity: Under the proposed scheme, the original identity of a user is converted into an alias that is based on a random number (i.e., Step 2 of the login procedure). Therefore, an adversary cannot determine the user's original identity without knowing the random number N1 chosen by the OBU.
2) No verification table: The AS, LEs, and TVs do not need to store the user's verification table. Therefore, even if an adversary can access the AS's database, he cannot obtain the user's authentication information.
3) Location privacy: Even if an adversary can intercept a number of messages during a certain period, it is hard for him to trace the user's physical position because the system's anonymity mechanism uses a dynamic identification process, and generation of the session key is based on a nonce. Moreover, TEAM can utilize the random silent period scheme [7] to enhance the location privacy when the OBUs do not have to access the service.
4) Mutual authentication to prevent spoofing attacks: A mutual authentication process is necessary. The LE needs to verify that the OBU is a legal user, and the OBU needs to ensure that the LE is genuine. In the general authentication procedure, the LE authenticates the OBU in Step 2, and the OBU authenticates the LE in Step 4. Thus, this mutual authentication scheme prevents spoofing attacks.
5) Resistance to replay attacks: To protect the proposed scheme from replay attacks, we add a random number to the authentication message. If an adversary intercepted the message and tried to impersonate a valid OBU by replaying the message immediately, the LE would reject the request because the nonce in the replayed messages would be invalid. Moreover, the OBU also checks the random number sent by the LE to prevent replay attacks.
6) Session key agreement: The proposed approach only makes one round trip between the OBU and the LE to generate the session key. Then, the key is used to encrypt subsequent packets to ensure that the communications are confidential. Moreover, since the session key is generated by a random number and a hash function, it is hard for the adversary to guess or to derive the session key from the intercepted messages.
7) Clock synchronization is not required: In timestamp-based authentication schemes, the clocks of all vehicles must be synchronized. In TEAM, we provide a nonce-based authentication mechanism instead of timestamps, which cause serious time synchronization problems.
8) Resistance to modification attacks: An adversary can attempt to modify an OBU's authentication message. However, we use a one-way hash function to ensure that information cannot be modified. Therefore, this attack will be detected because an attacker has no way to obtain the value of the random number to generate the legitimate message. If an attacker transmits a modified packet to the LE, the packet can be easily identified by checking the hash values.
9) Resistance to forgery attacks: If a valid OBU attempts to forge another valid OBU's ID (i.e., AIDi*), the authentication will be unsuccessful. Even if the OBU knows the parameters (i.e., IDi, Bi, Ci, Di, h( )) and forges an alias ID (i.e., AIDi* = h(N1) ⊕ IDi*), it cannot determine the valid authentication parameter (i.e., Di*) required to obtain authentication. This is because the OBU does not know the AS's secret key (i.e., x), so it cannot compute the value of Ai correctly. The secret key is protected by the one-way hash function h( ), and it is computationally infeasible to derive x from the value h(x).
10) Fast error detection: In the login procedure, the OBU will detect an error immediately if an attacker keys in the wrong user ID or password.

V. CONCLUSIONS AND FUTURE WORK

In this paper, we propose a decentralized lightweight authentication scheme called TEAM to protect valid users in VANETs from malicious attacks. The amount of cryptographic calculation under TEAM is substantially less than in existing schemes because it only uses an XOR operation and a hash function. Moreover, TEAM is based on the concept of transitive trust relationships to improve the performance of the authentication procedure.

In the future, we intend to develop an intrusion detection mechanism to enhance network security.

REFERENCES

[1] Dedicated Short Range Communications (DSRC), [Online]. Available: http://grouper.ieee.org/groups/scc32/dsrc/index.html.
[2] M. Nekovee and B. B. Bogason, “Reliable and Efficient Information Dissemination in Intermittently Connected Vehicular Ad hoc Networks,” IEEE 65th Vehicular Technology Conference (VTC), pp. 2486-2490, 2007.
[3] Jing Zhao, Yang Zhang, and Guohong Cao, “Data Pouring and Buffering on the Road: A New Data Dissemination Paradigm for Vehicular Ad Hoc Networks,” IEEE Transactions on Vehicular Technology, Vol. 56, No. 6, Part 1, pp. 3266-3277, 2007.
[4] Jeng-Farn Lee, Chang-Sheng Wang and Ming-Chin Chuang, “Fast and Reliable Emergency Message Dissemination Mechanism in Vehicular Ad Hoc Networks,” IEEE Wireless Communications and Networking Conference (WCNC), pp. 1-6, 2010.
[5] J. P. Hubaux, S. Capkun, and J. Luo, “The Security and Privacy of Smart Vehicles,” IEEE Security and Privacy Magazine, Vol. 2, No. 3, pp. 49-55, 2004.
[6] M. Raya and J. P. Hubaux, “Securing Vehicular Ad Hoc Networks,” Journal of Computer Security, Vol. 15, No. 1, pp. 39-68, 2007.
[7] J. Freudiger, M. Raya, and M. Feleghhazi, “Mix Zones for Location Privacy in Vehicular Networks,” The First International Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS), pp. 1-7, 2007.
[8] K. Sampigethaya, Mi. Li, L. Huang, and R. Poovendran, “AMOEBA: Robust Location Privacy Scheme for VANET,” IEEE Journal on Selected Areas in Communications (JSAC), Special issue on Vehicular Networks, Vol. 25, No. 8, pp. 1569-1589, 2007.
[9] Chenxi Zhang, Xiaodong Lin, Rongxing Lu, and Pin-Han Ho, “RAISE: An Efficient RSU-Aided Message Authentication Scheme in Vehicular Communication Networks,” IEEE International Conference on Communications (ICC), pp. 1451-1457, 2008.
[10] Chenxi Zhang, Rongxing Lu, Xiaodong Lin, Pin-Han Ho, and Xuemin Shen, “An Efficient Identity-Based Batch Verification Scheme for Vehicular Sensor Networks,” IEEE International Conference on Computer Communications (INFOCOM), pp. 246-250, 2008.
[11] Rongxing Lu, Xiaodong Lin, Haojin Zhu, Pin-Han Ho, and Xuemin Shen, “ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications,” IEEE International Conference on Computer Communications (INFOCOM), pp. 1229-1237, 2008.
[12] Haojin Zhu, Rongxing Lu, Xuemin Shen, and Xiaodong Lin, “Security in Service-Oriented Vehicular Networks,” IEEE Wireless Communications, pp. 16-22, 2009.
[13] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, “Secure vehicular communication systems: design and architecture,” IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, November 2008.
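
The initial registration, login and general authentication procedures described in this paper, written out end to end as an added example (not code from the paper or its authors). It assumes SHA-256 for h( ), 32-byte nonces and secrets, and an IDi padded to 32 bytes; all function and field names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumptions (not from the paper): h( ) is SHA-256, nonces and secrets are
# 32 bytes, and IDi is padded to 32 bytes so it can be XORed with a digest.
def h(*parts):                      # h(a||b||...) over concatenated byte strings
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def register(id_i, pw_i, x, psk):   # AS: initial registration, Steps 2-3
    a = h(id_i, x)                  # Ai = h(IDi||x)
    b = h(a)                        # Bi = h(Ai)
    return {"ID": id_i, "B": b, "C": xor(h(pw_i), b), "D": xor(psk, a)}

def login(card, id_in, pw_in):      # OBU: login procedure, Step 2
    if id_in != card["ID"] or not hmac.compare_digest(xor(h(pw_in), card["C"]), card["B"]):
        return None                 # wrong ID or password is caught locally
    n1 = secrets.token_bytes(32)
    aid = xor(h(n1), id_in)         # alias AIDi = h(N1) xor IDi
    return n1, {"AID": aid, "M1": xor(h(card["B"]), n1), "M2": h(n1, aid), "D": card["D"]}

def le_respond(req, psk):           # LE: general authentication, Step 2
    a = xor(req["D"], psk)          # Ai = Di xor PSK
    n1 = xor(req["M1"], h(h(a)))    # N1 = M1 xor h^2(Ai)
    if not hmac.compare_digest(h(n1, req["AID"]), req["M2"]):
        return None                 # request modified, or Di not formed under this PSK
    id_i, n2 = xor(req["AID"], h(n1)), secrets.token_bytes(32)
    m4 = xor(a, h(id_i))
    return h(n1, n2), n2, {"M3": xor(n2, h(h(n1))), "M4": m4, "M5": h(m4, n2)}

def obu_finish(card, n1, reply):    # OBU: Steps 4-5
    n2 = xor(reply["M3"], h(h(n1)))
    if not hmac.compare_digest(h(reply["M4"], n2), reply["M5"]):
        return None                 # reply modified or not bound to this N1
    a, sk = xor(reply["M4"], h(card["ID"])), h(n1, n2)
    return sk, xor(sk, h(n2)), xor(a, card["D"])   # SKij, Step 5 message, PSK

def le_confirm(sk, n2, msg5):       # LE: Step 6
    return hmac.compare_digest(xor(sk, msg5), h(n2))

def demo():                         # constructed sample values throughout
    x, psk = secrets.token_bytes(32), secrets.token_bytes(32)
    card = register(b"OBU-0001".ljust(32, b"\0"), b"constructed-pw", x, psk)
    n1, req = login(card, card["ID"], b"constructed-pw")
    sk_le, n2, reply = le_respond(req, psk)
    sk_obu, msg5, psk_obu = obu_finish(card, n1, reply)
    return sk_le == sk_obu and le_confirm(sk_le, n2, msg5) and psk_obu == psk
```

A request with a flipped bit in M1, or one checked against a different PSK, fails the M2 comparison at the LE, and a reply with a flipped bit in M3 fails the M5 comparison at the OBU.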