CHAPTER 2
BASIC CONCEPTS AND LITERATURE SURVEY
2.1
Introduction
This chapter begins with an overview of MANETs and VANETs, their characteristics and
applications. It then describes the VANET system model and preliminaries and analyses various wireless communication technologies. It also presents some of the important security
threats and security requirements of VANETs. It continues with a detailed literature survey
of message authentication protocols, categorized by the techniques they
use for message authentication. Finally, it concludes with a brief introduction to the proposed
scheme.
2.2
Overview of Ad hoc Networks
Because they can form a network while the nodes are moving, ad hoc networks have received attention in industry and in military applications. In general, Mobile Ad hoc Networks
(MANETs) and Vehicular Ad Hoc Networks (VANETs) are the two broad categories of ad
hoc networks. Since VANET is an extension of MANET, this section provides an overview of
MANETs and VANETs.
2.2.1
Mobile Adhoc Networks
2.2.1.1
General Concepts
Mobile ad hoc networks (MANETs) are autonomous systems consisting of a number of
mobile nodes that communicate with each other using wireless transmission. The main advantage
of this type of network is that it can be set up and deployed anywhere and at any time, owing to the
simplicity of setting up and maintaining its infrastructure. With the extraordinary growth in
wireless technologies and the proliferation of mobile devices such as cell phones, laptops and
Personal Digital Assistants (PDAs), there is a revolutionary change in the way information
is being handled. MANETs are highly useful for mobile users who need to communicate in
critical situations where wired infrastructure is hardly possible.
2.2.1.2
Characteristics
Generally, nodes in a MANET are independent and mobile. Hence, a connection between them is
possible only when they are adjacent. Communication between distant nodes is possible
through multi-hop communication, as each node can perform both hosting and routing functions.
The unique characteristics of MANETs [30]-[34] that distinguish them from other wireless networks are detailed as follows:
• Autonomous nature: MANETs are infrastructure-less in nature and are based on
the peer-to-peer nodes that communicate with each other. Without any base station
or fixed infrastructure, all nodes participate in the network. They themselves serve as
both routers and hosts.
• Variable Bandwidth: Wireless links which connect the MANET nodes have lower
bandwidth than wired links. This is because of the obstacles such as huge buildings,
trees, noise in the signal, etc.
• Dynamic Topology: MANET nodes are highly mobile; they
can unpredictably enter and leave the network, which often changes their links
and topologies and requires efficient routing protocols.
• Smaller Devices: MANET devices are usually handheld or small devices such as
PDAs, laptops, mobile phones, etc., and are easily portable from one place to another.
Due to this nature, these devices can be easily lost, stolen or damaged.
• Constrained Resources: Due to their smaller size, they have only restricted battery capacity, small processing power and limited storage facilities.
• Short Range Connectivity: The connections between the nodes of a MANET are considered to be short range, as they rely on radio frequency (RF) technology to get
connected. For this reason, the nodes need to be close to each other when they want
to communicate.
• Multi-hop communications: Due to the short range connectivity, communication between any two distant nodes is performed through numerous intermediary nodes whose
function is to relay data packets from one point to another. This is otherwise known
as multi-hop communication.
2.2.1.3
Applications
The Defense Advanced Research Projects Agency (DARPA) Packet Radio Network
Project of 1972 set the base for MANETs. However, research in MANETs was restricted
to military purposes for a long time. Later, in the 1990s, with the growth of wireless technologies and standards, MANETs were adopted for commercial purposes. There are many
applications of mobile ad hoc networks; these have been listed in [31, 35, 36, 38, 39]:
• Military Applications: For tactical networks, MANETs are used to establish communication between soldiers without setting up a fixed infrastructure in enemy areas or in hostile
lands. Another application in this domain is coordinating military objects moving at high speeds, such as airplanes or warships.
• Emergency Services: MANETs can be used in rescue operations, disaster recovery,
fire fighting, and search and rescue operations where the complete infrastructure has been
demolished or is unavailable. Deploying MANETs in such places can set up an
infrastructure quickly and save lives. MANETs are also used in traffic control and health
care services.
• Entertainment Services: For entertainment, MANETs are used in multiuser games, outdoor internet access, theme parks and wireless peer-to-peer networking.
In this way, MANETs play an important role in developing social networks.
• Educational Purposes: MANETs are also used in the educational sector in
university and campus buildings, for virtual classrooms, for ad hoc communication during
meetings and lectures, and for video conferencing facilities.
• Home and Commercial Networks: In home environments, MANETs are used to
enable communication between smart household appliances, for example in home wireless networks and personal area networks (PAN). Commercial uses include roaming for business functions,
electronic payment anytime and anywhere, dynamic
database access, and managing the functions of transport offices and construction sites.
• Sensor Network: Deployment of wireless sensor networks helps to monitor and
control physical surroundings from distant places. They are also used in military applications such as battlefield observation, and in nuclear, biological and chemical attack
detection and reconnaissance.
• VANET Applications: The mobile nodes here are vehicles, which are free
to move and are self-organized. They can share information among themselves and with Road
Side Units (RSUs) in order to increase road safety by sending warning
messages to drivers about ongoing critical situations. Another aim of VANETs is
to enhance driver comfort by providing information on nearby petrol stations,
restaurant locations, prices, etc.
2.2.2
Vehicular Adhoc Networks
2.2.2.1
General Concepts
The vehicular ad hoc network (VANET) is an emerging network technology derived from
ad hoc networks, which can provide wireless communication services between vehicles and
adjacent road side units; it is a promising technology for future smart vehicle systems and
intelligent transportation systems (ITS). The ITS program led by the American Department of Transportation conceived the idea of VANET in 1991. VANET systems are developed as a
means to enhance road safety, traffic management and infotainment facilities for drivers and
passengers. Vimmi et al. [47] state that vehicular networks can provide a wide variety of
services, ranging from safety-related warning systems to improved navigation mechanisms as
well as information and entertainment applications. These additional features make routing and other services more challenging and cause vulnerability in network services. The
problems include network architecture, VANET protocols, routing algorithms, as well as security issues. An anonymous batch authenticated and key agreement for value added services
(ABAKA) scheme [102] was dedicated to entertainment services in VANETs.
In a VANET, each vehicle is equipped with a communication device known as an On Board
Unit (OBU) that enables it to communicate with other vehicles, with RSUs located at
different points along the road, and with the TA (trusted authority) as well. In general, OBUs frequently
broadcast routine traffic-related messages [40] with information about position, current
time, direction, speed, acceleration/deceleration, traffic events, etc. This helps a vehicle
to be warned of critical situations such as accidents, traffic jams and so on, in addition to
predicting the movements of nearby vehicles.
2.2.2.2
Characteristics
Though there are similarities between VANETs and MANETs, such as low and variable bandwidth, short range connectivity, infrastructure-less operation and self-organization, VANETs can be
distinguished from MANETs by a few characteristics such as high mobility and unreliable
channels. Moreover, most of the MANET routing protocols cannot be applied in VANETs, as
they suffer from poor performance due to the fast movement of vehicles. Still, vehicle movements in a VANET can be predictable, as they are restricted geographically by roads. Vehicles
in VANETs also have much higher power than nodes in MANETs [41]-[43]. The important
characteristics of VANETs are summarized as follows:
• Dynamic Topology: The topology of VANETs changes frequently [44], due to the high
speed and random movements of vehicles. According to Ganis Zulfa and Monsoo Kang
[45], one of the distinguishing attributes of VANETs is the highly dynamic movement of
the nodes: car density sometimes becomes so sparse that data collisions rarely
happen, or car traffic becomes so congested that the network experiences severe
data collisions. Assuming that each vehicle has the same transmission range of 300
meters, if any two vehicles move in the same direction with the speed of 60 miles/hour
(26.6 meters/second), a link between them can be formed when the distance between them is
less than 300 meters. Whereas, if they move in opposite directions, the connection can
last for at most 11.2 seconds.
• Frequent disconnection: In a VANET, a vehicle can enter or leave the network at any time, as vehicles are free to move. Accordingly, the connectivity in VANETs changes
frequently, which has an impact on the network structure and services. For example, huge
buildings and trees along urban roads often weaken the network signals, which may lead to
a connection break between two communicating vehicles. Moreover, in city scenarios vehicles have the highest probability of changing their directions. Within VANETs,
vehicle mobility causes the communication links between vehicles to break frequently.
Such link failures require a direct response from the routing protocols, leading
to a potentially excessive increase in the routing overhead and degradation in network
scalability [46].
• Enough storage and computational power: Another important VANET characteristic is that vehicles can have powerful wireless transceivers, high data rates, adequate
storage, and high processing power. This is because nodes in VANETs are vehicles that can be
fitted with numerous electronic chips with enough power and storage capacity.
• Large-scale nature: VANETs are large scale in nature, as they can be extended
as far as streets and roads are available. In addition, the need for people
to travel keeps increasing compared with earlier times. Subsequently, the need for
vehicles and good roads is increasing. All these reasons make VANETs large scale
in nature.
• Mobility prediction: To some extent, it is possible to predict the future movement
of vehicles from their speed, road maps, etc., because vehicles are restricted to
pre-built highways, roads, and streets.
2.2.2.3
Message Types
The categories of messages in VANETs are mainly based on the IEEE P1609.2 Trial-Use Standard [25]. The message exchange in VANETs can be broadly classified into two categories:
i) safety-related messages; and ii) value-added messages.
• Safety-related messages: The primary goal of a VANET is to relay safety-related messages. The two types of safety-related message are: a) the beacon message, b) the emergency message.
(a) A beacon message is a periodically broadcast message that usually contains the
speed and position of the vehicle, or traffic status information, and is intended to enhance
driving safety. The location of a vehicle at a given moment, or the path followed over
a period of time, is considered personal data. It allows building that vehicle's profile
and, therefore, that of its driver for disaster rescue [48].
(b) An emergency message is a kind of warning message intended to alert drivers
about accidents, a broken bridge, etc. Most of the time it is sent by an emergency
vehicle, such as a police car, fire rescue vehicle, or ambulance. Vehicles that
send out this kind of message should be authorized by a government body; otherwise,
it could be exploited by an adversary to influence the traffic flow for personal gain. An
expedite privacy-preserving emergency communication (EPEC) scheme is proposed by
L. Chen et al. [101] for vehicles to securely connect with others in the neighboring
area in emergency communication cases.
• Value-added messages: These messages include infotainment and value-added service messages such as the electronic toll collection (ETC) system, payment for parking,
internet service provision, locating nearby hotels or petrol stations, downloading applications, etc.
2.2.2.4
Applications
Like MANETs, VANETs are used in several applications. The important VANET applications
[49] are summarized in Table 2.1.
2.3
VANET Model and Preliminaries
2.3.1
System Model of VANETs
VANET architecture consists of three entities as in Figure 2.1: the Trusted Authority (TA), the
RSUs at the roadside, and the vehicles equipped with OBUs.
TABLE 2.1: VANET Applications
Application name | Messaging type
Emergency Electronic Brake Lights | Event-triggered
Slow Vehicle Warning | Periodic, permanent broadcast
Intersection Collision Warning | Periodic, permanent broadcast
Hazardous Location Warning | Event-triggered, time-limited, GeoCast
Traffic Signal Violation Warning | Event-triggered time-limited broadcast
Pre-Crash Sensing | Periodic broadcast, unicast
Lane Change Warning | Periodic broadcast
Cooperative Forward Collision Warning | Periodic, event-triggered broadcast, unicast
Intersection Management Infrastructure | Periodic broadcast, unicast
Limited Access and Detour Warning | Periodic Broadcast
Cooperative Adaptive Cruise Control | Unicast, broadcast
Electronic Toll Collect | Cellular Periodic broadcast, unicast
Remote Diagnosis JIT Repair Warning | Unicast, broadcast, event-triggered
Media Download | Unicast, broadcast, on-demand
Map Download Update | Unicast, broadcast, on-demand
Ecological Drive Assistance Infrastructure | Unicast, broadcast, on-demand
FIGURE 2.1: VANET System Model
• TA: The Trusted Authority (TA) is the top-level trusted entity in charge of registering the RSUs
at the roadsides and the mobile OBUs with which each vehicle is equipped. The TA alone is
able to disclose the real identity of a vehicle when that particular vehicle
has been accused of misbehavior in the network, with enough evidence from an RSU.
• RSUs: Road Side Units (RSUs) are the trusted subordinates of the TA that store information coming from the TA and OBUs in their storage units. Usually, they act upon the
commands of the TA. RSUs are located at regular intervals along the roadside, mainly at
traffic signals, street lamps and intersections. The major responsibilities of RSUs
are helping OBUs with authentication and key management, and supporting the TA in
tracking adversary nodes when required. RSUs are DSRC transceivers that operate
only when stationary. They can be visualized as access points of IEEE 802.11 networks.
• OBUs: All vehicles are equipped with a hardware storage unit, the OBU, which mainly
stores public system parameters issued by the TA/RSU, in order to communicate with and
authenticate other vehicles when sharing safety and traffic related messages.
OBUs are DSRC transceivers present in vehicles that can operate when vehicles are in
motion. OBUs number in the millions and are fast moving in nature.
2.3.2
Wireless Communication Technologies for VANETs
In recent years various wireless network technologies have been developed to offer different
services, increased coverage area and data rates. This section provides an overview of them:
2.3.2.1
Wi-Fi
Wireless Fidelity (Wi-Fi) technology is based on the IEEE 802.11 standards [25]. Today,
most desktop computers, laptops, smart phones, personal digital assistants (PDAs) and
printers are equipped with Wi-Fi technology. Wi-Fi is commonly used to provide an internet
Local Area Network (LAN) connection to Wi-Fi enabled devices. These devices have to be
within range of an access point for wireless connectivity.
The most common Wi-Fi standards, 802.11b and 802.11g, use 2.4 GHz with
speeds of 11 Mbps and 54 Mbps respectively, while 802.11n operates in both 2.4 and 5 GHz
with a theoretical speed of 600 Mbps [50]. Wi-Fi networks can be configured with WEP (Wired
Equivalent Privacy) or WPA and WPA2 (Wi-Fi Protected Access encryption) for secure access. The access may be restricted within the boundaries of a room or a small building.
2.3.2.2
WiMAX
Worldwide Interoperability for Microwave Access (WiMAX) is based on the IEEE 802.16
standard, which was formed in 2001 by the WiMax Forum, in order to endorse WiMax as a
standard [51].
WiMax links Wi-Fi hotspots together and replaces wired “last mile” broadband delivery.
The WiMax 802.16 standard operates in the range of 10-66 GHz. The updated
WiMax standards 802.16a and 802.16 operate in the frequency ranges of 2-11 GHz and 2-6
GHz respectively [52].
WiMax technology is not affected by obstacles like buildings. WiMax is a cost-effective way to
provide wireless access to countryside communities where laying traditional wires would
be more expensive. WiMax has much better encryption and less interference than Wi-Fi.
WiMax has a speed of up to 70 Mbps with a coverage range of 112 Km.
2.3.2.3
DSRC Standards
Dedicated Short-Range Communication (DSRC) spectrum was allocated by the U.S. Federal
Communication Commission (FCC) in 1999 for vehicle-vehicle communication at 5.9 GHz.
The main goal was to enable public safety applications that save lives and improve the quality of traffic flow [53], [54], but it is now increasingly used for infotainment applications in
VANETs. The transmission range of the DSRC standard is from 300 meters up to 1000 meters
with vehicle speeds of 120 miles/hour. This enables improvements in traffic flow, highway
safety, and other intelligent transport system (ITS) applications.
FIGURE 2.2: DSRC Channel
The DSRC spectrum is composed of seven 10 MHz wide channels as shown in Figure 2.2.
Control channel 178 is used exclusively for safety communications. Advanced accident avoidance and public safety applications use the two side channels of the spectrum. The remaining
four channels are known as service channels and are used for both safety and non-safety usage
[55].
2.3.2.4
IEEE 1609 Family of Standards for Wireless Access in Vehicular Environments (WAVE)
The IEEE 1609 family of standards consists of four trial-use standards (IEEE P1609.1, IEEE
P1609.2, IEEE P1609.3, and IEEE P1609.4), and two unpublished standards (IEEE 1609.0
and IEEE 1609.11). These standards provide a basis for the design of applications operating
in the WAVE environment. A summary of these standards [25] is given below.
• IEEE 1609.0-unpublished:
This standard will describe the WAVE architecture and essential services which enable
multi-channel DSRC/WAVE devices to communicate in a mobile vehicular network
environment.
• IEEE P1609.1-2006:
This standard specifies the services and interfaces of the WAVE Resource Manager application and defines command message formats and data storage formats within the
WAVE architecture.
• IEEE P1609.2-2006:
This standard defines secure message formats, security mechanisms and processes. This
standard suggests employing a hybrid security method: the certificate-based public
key cryptosystem and symmetric key cryptosystem to secure message exchanges in the
WAVE system.
• IEEE P1609.3-2007:
This standard defines services within the network and transport layer, including addressing and routing to enable secure WAVE data exchange. It also defines the WAVE Short
Message Protocol (WSMP) to provide an alternative to IPv6 (Internet Protocol version
6) for applications.
• IEEE P1609.4-2006:
This standard describes multi-channel operation (channel coordination) to support a
multi-channel system with the IEEE 802.11 medium access control and physical layer
via a control channel and multiple service channels, to provide mechanisms for prioritized access, channel routing and coordination, and data transmission.
• IEEE P1609.11-unpublished:
This standard defines the essential security services and message format to support an
electronic payment system.
2.3.3
Security Threats and Requirements
Vehicular networks, like all communication networks, are vulnerable to attacks by misbehaving
entities that can affect the performance of the system. The following subsections motivate
the need for security by enumerating some of the possible attacks with their impacts. The
security requirements currently considered to secure the network from various threats are
also discussed.
2.3.3.1
Security Threats
Like every network system, VANET is also vulnerable to attacks. Raya and Hubaux [57]
categorize the capacities of attackers in 3 dimensions: (i) insider vs outsider, (ii) malicious
vs rational, and (iii) active vs passive. The security threats in the VANET environment are
briefly reviewed as follows.
• Threat on Integrity
Sybil attack: A Sybil attack is where an adversary steals or forges multiple identities
and can use them to impersonate a Road Side Unit or other vehicles. Isaac et al. [60] state
that the Sybil attack in VANETs can be where an adversary masquerades as multiple
identities of vehicular clients at the same time. Yan et al. [61] provide a solution to the
Sybil attack using an on-board radar system to detect the existence of message senders.
However, if the message sender is outside the radar range, this solution is infeasible.
Replay Attack: The attacker re-injects into the network an already received message at another point of time in order to take advantage of the situation that prevailed before. If
the attacker impersonates a genuine RSU by replaying a message from the RSU, it is
known as an RSU replay attack.
Bogus message attack: Rahman and Falaki [62], and Raya and Hubaux [12] define a
bogus information attack or forgery attack as one in which the adversary distributes false or modified
information in VANETs to influence traffic flow. For instance, the attackers may broadcast a false traffic congestion message or emergency alarm to divert the traffic flow in
order to clear the traffic.
• Threat on Availability
Denial of Service (DoS) Attack: Raya and Hubaux [12] state that the adversary prevents
the user from having access to offered network services or resources. To do this, the
attacker can create congestion on the network communication channel or send a flood of
messages to overwhelm the computational system in VANETs. This type of attack may
cause accidents when the appropriate warning messages are disabled by the adversaries.
Black Hole Attack: In this attack, a node that is used to further propagate a message
toward a destination constantly drops out of the network or drops the message, preventing it from reaching its destination. In fact, the malicious node can claim to have the
shortest path toward a destination, thus causing all messages to pass through it.
• Threat on the Privacy
Eavesdropping attack: Kempf [63] defines an eavesdropping attack as an active attack,
in which adversaries extract information of other vehicles for personal gain, or passively
listen in on a message exchange. Raya and Hubaux [12] state that the position of a
vehicle can be tracked through its identity disclosure, while the adversaries actively
eavesdrop on the vehicular communication.
Big Brother attack: In this attack, the adversary discloses the ID of another vehicle in order
to track its location. An adversary could, for instance, blackmail a user based on the
gained location information.
2.3.3.2
Security Requirements
A safety application in VANET, depending on its specificity, should guarantee some of the
following features:
• Integrity or message authentication: Integrity is the service that detects the alteration
or destruction of information by unauthorized entities since it was created, transmitted
or stored.
• Source Authentication: Source authentication is the assurance that the received message comes from a trusted source. In other words, the receiver verifies that senders are
who they claim they are.
• Conditional Privacy: Privacy means providing anonymity to the sender in order to prevent
the disclosure of the real identity. This prevents an attacker from observing the sender's
movements or eavesdropping on the messages broadcast by the sender. At the
same time, it is necessary for the trusted authorities to reveal the real identities of target
vehicles when required.
• Availability: The system must be available at any time to provide its authorized users
timely and reliable access to its services.
• Unlinkability: No recipient can link two or more messages sent by a vehicle to
other vehicles. Unlinkability of a message to its originator provides anonymity.
• Traceability: The authorities should be able to trace the sender of a message by
mapping the message to the real identity of the sender in case of any liability investigation. A defense technique for network authorities is important to handle misbehavior
in VANET access, considering the challenge that privacy provides an avenue for misbehavior [66, 103]. Therefore, preserving conditional privacy is one of the acceptable and
desired properties in vehicular communications.
• Scalability: Any application and communication mechanism of the vehicular networks
must be scalable to a large network. The efficiency of the system is based on how
scalable it is to a highly dense network.
• Non repudiation: Non repudiation is the service that prevents either sender or receiver
from denying a transmitted message.
2.3.4
Other System Preliminaries
2.3.4.1
Bilinear Pairing
Since bilinear maps are the basis of the proposed protocols, they are briefly introduced here.
Boneh and Franklin [5] proposed an identity based encryption scheme built on bilinear pairing. Following Boneh and Franklin, bilinear pairings have been used to design ingenious
protocols for key agreement, identity based encryption and aggregate signatures. At this moment, pairing-based cryptography is a highly active field of research, with several hundred
publications [72].
Let $G$ be a cyclic additive group and $G_T$ be a cyclic multiplicative group with symmetric
properties of prime order $q$. $P$ and $g$ are the generators of $G$. Alternatively, $G$ could be the
group of points on an elliptic curve. An efficient admissible bilinear map $\hat{e} : G \times G \to G_T$
satisfies the following properties.
• Bilinearity: For all $P, Q, R \in G$ and $a, b \in Z_q^*$, $\hat{e}(Q, P + R) = \hat{e}(P + R, Q) = \hat{e}(P, Q) \cdot \hat{e}(R, Q)$. In particular, $\hat{e}(aP, bP) = \hat{e}(P, bP)^a = \hat{e}(aP, P)^b = \hat{e}(P, P)^{ab}$.
• Nondegeneracy: There exist $P, Q \in G$ such that $\hat{e}(P, Q) \neq 1_{G_T}$.
• Computability: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G$.
The group that possesses such a map $\hat{e}$ is called a bilinear group, on which two problems
are believed hard.
• Elliptic Curve Discrete Logarithm Problem (ECDLP): Given a point $g$ of order $p$ on an
elliptic curve, and a point $Y$ on the same curve, the ECDLP problem is to determine
the integer $x$, $0 \le x \le q - 1$, such that $Y = g^x$.
• Computational Diffie-Hellman problem (CDH): Given two unknowns $x, y \in Z_q^*$, the
CDH problem is, given $g, g^x, g^y \in G$, to compute $g^{xy} \in G$.
2.3.4.2
Diffie-Hellman key agreement (DH)
Diffie and Hellman in 1976 [64] developed a key agreement protocol (DH) used by two
parties to agree on a shared secret key over an insecure medium. This protocol works with two
public system parameters $p$ and $g$. Parameter $p$ is a prime number and $g$ (commonly known as
the generator) is an integer less than $p$ with the following property:
for every number $n$ between 1 and $p-1$ inclusive, there is a power $k$ of $g$ such that $n = g^k \bmod p$.
Suppose Alice and Bob want to agree on a shared secret key using DH. They
proceed as follows:
• Alice generates a random private value $a \in N$
• Bob generates a random private value $b \in N$
• Alice and Bob derive their respective public values from the parameters $p$, $g$, $a$ and $b$:
$x_a = g^a \bmod p$; $x_b = g^b \bmod p$
• They exchange their public values
• Alice computes $g^{ab} = (x_b)^a \bmod p$, Bob computes $g^{ba} = (x_a)^b \bmod p$
2.3.4.3
One-way Hash Chains
One-way hash chains are a recognized technique in computer security for producing many
one-time keys from a single key or password. One-way hash chains were introduced by Lamport
[65] for secure password authentication and quickly gained importance in many other applications, such as stream cryptographic primitive data authentication, micropayment systems and
secure data forwarding in wireless ad hoc networks. Safe driving and infotainment services on the move can be developed using the hash chaining concept of cryptography [68].
FIGURE 2.3: One-way Hash Chain Structure
The interesting property of a hash chain is that it is computationally infeasible to invert, in spite of
its ease and efficiency to compute. A one-way hash chain is a repeated application of a hash
function $h(s)$ to a randomly selected seed $s$, which has the following properties [16]:
• $h(x)$ can take a message of arbitrary-length input and produce a message digest of a
fixed-length output;
• Given $x$, it is easy to compute $y = h(x)$. However, it is hard to compute $x = h^{-1}(y)$
when given $y$.
• Given $x$, it is computationally infeasible to find any pair $x$ and $x'$ such that $x' \neq x$
and $h(x') = h(x)$.
One-way hash chain can be used for vehicular ad hoc networks for the purpose of reducing
the authentication overhead of a series of messages. If a hash chain can uniquely link a series
of public and private key pairs using a cryptographic hash function, it is possible to verify that
a public key is linked to the hash chain by applying a cryptographic hash function the right
number of times to that disclosed public key [69].
Figure 2.3 shows the application of the hash function $H(x)$ on $h_n$. To generate a chain
of length $n - 1$, the first element of the chain $h_n$ is randomly picked and then the chain
is generated by successively applying a one-way function. The chain elements are used and
revealed in the reverse of the direction used for chain generation, starting from $h_1$. Each
chain element $h_i$ is the commitment of the subsequent elements in the chain; for example,
$h_1$ is the commitment of $h_2, h_3, \cdots, h_n$. Any element of the chain $h_j$ can be verified from
$h_i$ ($1 \le i < j \le n$) to be an element of the chain by applying $H$ to it successively $j - i$ times, that
is, $h_i = H^{j-i}(h_j)$. The owner can create the chain all at once and store it, or, starting from $h_n$,
compute on demand the other elements of the chain in the order $h_{n-1}, \cdots, h_2, h_1$.
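The chain handling described above, as an added example that is not part of the original text. It follows the generation order given here (h_n is the random seed, h_i = H(h_{i+1}), h_1 is the commitment), so a newly disclosed h_j is accepted when hashing it j - i times reproduces the last trusted h_i. SHA-256 as H, the `ChainVerifier` class and its `max_gap` work limit are assumptions of the example.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """The one-way function H; SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> dict:
    """Owner side: return {i: h_i} for i = 1..n, with h_n = seed and
    h_i = H(h_{i+1}). h_1 is the commitment that is published first."""
    if n < 1:
        raise ValueError("chain needs at least one element")
    chain = {n: seed}
    for i in range(n - 1, 0, -1):
        chain[i] = H(chain[i + 1])
    return chain


def element_on_demand(seed: bytes, n: int, i: int) -> bytes:
    """Owner side without storage: recompute h_i = H^(n-i)(h_n) from the seed."""
    if not 1 <= i <= n:
        raise ValueError("index outside the chain")
    value = seed
    for _ in range(n - i):
        value = H(value)
    return value


class ChainVerifier:
    """Receiver side: keeps the newest authenticated element h_i and its index."""

    def __init__(self, commitment: bytes, max_gap: int = 32):
        self.index = 1
        self.value = commitment
        self.max_gap = max_gap  # bound on hashing work spent on one message

    def accept(self, j: int, candidate: bytes) -> bool:
        gap = j - self.index
        # Indices already disclosed (replayed elements) and gaps that would
        # cost too many hash evaluations are refused without any hashing.
        if gap < 1 or gap > self.max_gap:
            return False
        value = candidate
        for _ in range(gap):
            value = H(value)
        if not hmac.compare_digest(value, self.value):
            return False
        self.index, self.value = j, candidate  # h_j becomes the trusted element
        return True


def demo() -> list:
    seed = bytes(range(32))  # constructed seed; a real owner uses os.urandom(32)
    chain = build_chain(seed, 10)
    rx = ChainVerifier(chain[1])
    return [
        rx.accept(2, chain[2]),      # next element in disclosure order
        rx.accept(5, chain[5]),      # h_3 and h_4 were lost in transit
        rx.accept(4, chain[4]),      # older than the trusted element
        rx.accept(6, H(b"forged")),  # value that is not on the chain
        rx.accept(6, chain[6]),      # genuine element after the forgery
    ]


if __name__ == "__main__":
    print(demo())
```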
2.3.4.4
Message Authentication Code (MAC)
A MAC is a cryptographic primitive used to provide message authentication. Precisely, it is a
cryptographic checksum that is generated from a message M of variable length using a
secret key K as follows: MAC = C(K, M). Before starting a communication, the parties
involved must agree on a shared secret key K, as in the case of symmetric encryption. A
cryptographic hash function is used by the sender to produce a MAC. The MAC is then sent
to the message receivers along with the message M. On receipt of the message, the receiver
computes a MAC on the received message M with the same key K and hash function as was
used by the sender. If the two values match, then the message is valid and the receiver can be
assured of the origin and the integrity of the message.
MAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (called HMAC) or from block cipher algorithms. HMAC is a special
algorithm, which combines a cryptographic hash function and a secret key to generate a MAC.
Figure 2.4 illustrates the MAC protocol. In this example, the sender runs the message through
a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to
the receiver. The receiver in turn runs the message portion through the same MAC algorithm
using the same key, producing a second MAC data tag. The receiver then compares the first
MAC tag received in the transmission to the second generated MAC tag. If they are identical,
the receiver can safely assume that the integrity of the message was not compromised and the
message was not altered or tampered with during transmission.
FIGURE 2.4: Illustration of MAC
2.3.5
Batch Verification
Verification is obligatory for secure communication in a VANET.
On the other hand, verifying a large number of signatures individually in a single time window significantly
hinders the throughput of the system. Verifying multiple signatures at once is
an effective alternative to improve the system performance. Batch cryptography based on
RSA was introduced by Fiat [98] in 1989. According to J. Camenisch [104], who proposed
batch verification without using random oracles, verifying n signatures takes the same time as
that of verifying a single signature. For example, if 3 pairing operations are required to verify
a single signature, verifying n signatures also takes 3 pairing operations instead of 3n pairing
operations. Therefore, batch verification can extensively
decrease the time spent on verifying a large number of signatures, which can achieve much
better scalability [15].
2.3.6
Simulation Environment and Parameters
Most of the research in ad hoc networks has been evaluated using the Network Simulator
(NS-2) [28]. Similarly, the NS-2 simulator was used to evaluate the performance of the proposed
protocols. NS-2 is an object-oriented network simulator: the back end of the
simulator is written in C++ to implement the protocols and to extend the NS-2 library, whereas
the front end of NS-2 is written in Tcl (Tool Command Language), which makes it simple to create and
control the simulation environment.
A mobile node consists of network components and parameters such as radio propagation
(TwoRayGround), antenna type (OmniAntenna, Directional, Bi-directional), interface queue
(Queue/DropTail/PriQueue), Link Layer (LL), MAC layer type (Mac/802.11) and the wireless
channel through which nodes transmit and from which they receive signals. Additionally,
other parameters such as the number of nodes simulated, simulation duration,
traffic type, packet size and dimension of the topography are used as the input variables.
Each time the Tcl file is run, a trace file is generated for the given number of nodes. Trace
files were analyzed using the AWK utility to find the message loss ratio and communication overhead.
2.4
Message Authentication in VANETs
Many studies have been reported on message authentication in VANETs. They can be
categorized into four major groups as follows:
2.4.1
PKI Based Authentication Schemes
Raya et al. [70] described a PKI-based approach addressing authentication and privacy issues as fundamental features of VANETs. In their scheme, each OBU message is sent along
with a public key and its certificate from the trusted authority. Each message is subsequently
signed by the corresponding private key. The receiving vehicle checks the certificate for the
authentication of the public key and validates the signature for its trustworthiness. Elliptic Curve Cryptography (ECC) has been used in this approach to reduce the overheads. To address
the privacy issues, Raya et al. [70] suggested that a huge number of short-lived anonymous keys
be pre-loaded in OBUs. These keys are certified by the trusted authority and expire after
usage. The vehicles use different keys for different messages so that their real identity
is preserved. However, the real identity can be revealed by the trusted authority, if
necessary. For example, according to Raya and Hubaux [57], each car needs a large number of
short-lived certificates (probably 43,800) for a year’s usage. Following this, many other studies [12, 13], [16]-[19] proposed similar schemes to store a large number of anonymous public
key certificates in OBUs. However, certificate revocation of malicious nodes is an additional
overhead in these schemes.
Sun et al. [71] addressed the revocation of anonymous certificates in VANETs. A bilinear
pairing based technique, together with a one-way hash function, keeps the size of the revocation
list linear in the number of revoked OBUs in the VANET. In this approach, an OBU updates the
trusted third-party certificates by re-signing them with the corresponding RSU keys. However, this
scheme is prone to the RSU compromise attack. Lu et al. [73] presented a solution that resolves
the issue of the RSU compromise attack, but it requires multiple handshakes between an
OBU and an RSU for vehicular authentication. Like the scheme of Sun et al. [71], this approach
also depends heavily on RSUs and hence requires uninterrupted coverage
of RSUs in the VANET.
Zhang et al. [21] proposed a scheme called COMET to address the lack of deployment/coverage of RSUs. In this scheme, a vehicle verifies the signature of a
message with probability p. If a vehicle chooses to verify the signature, it informs its neighbors if the
message is invalid and stays silent otherwise. This invalid-message report is broadcast
to one-hop neighbors. If a vehicle chooses not to verify the message, it waits for t milliseconds for its neighbors' reports. If it receives a broadcast reporting an invalid message, the
vehicle confirms the invalidity by verifying the message itself. If no reports are
received within the time threshold, it treats the message as valid by default. The property of
choosing to verify and the one-hop communications reduce the message loss ratio. However, if
there are no other neighbors or an attacker jams the area around the node, there is a chance that
the node would arbitrarily accept a false message since no node broadcasts that the message is
invalid. Moreover, this scheme requires PKI-based authentication, which keeps the certificate
burden in every message.
P.Y. Shen et al. [24] proposed a public key management system that excludes the overheads caused by certificates in the conventional PKC method. During safety message transmission, a vehicle has to send its real identity to the other vehicle, and the receiving vehicle sends
a query-request to the RSU, requesting the sender's public key. The RSU then searches for
the sender's public key in the directory which is given by the TA (Trusted Authority), verifies its
signature, searches for the requested public key in the directory, signs this message with the TA's signing
key and sends it back to the requesting vehicle. This scheme imposes a large amount of computation and communication overhead on the RSU side for every message. Moreover, the TA must
update and disseminate the registry to all RSUs whenever there is a new vehicle registration.
On the other hand, a vehicle cannot simply broadcast the message to all its neighbors, as it
shares session keys with its neighbors once it gets their public keys. Therefore, sending and
verifying a message requires a lot of encryptions and decryptions with different session keys.
Ankita et al. [74] compare various research works on VANETs to analyze the current drawbacks
and objectives of VANET research.
Xiaoling Zhu et al. [80] proposed a distributed traceable pseudonym management scheme
in VANETs. A blind signature method is used to achieve the separation of issuance and
tracking. Based on the improved share generation scheme of the RSA keys, the distributed
tracking protocol is proposed to avoid a single point of failure. By searching for the optimal
number of messages with a pseudonym certificate, the efficient pseudonym authentication
mechanism is given to reduce communication overhead. Yet, this scheme requires pseudonym
certificates, which in turn raises the communication overhead and scalability issues.
2.4.2
Group Based Authentication Schemes
Another category relies on group-based authentication. Group signatures have been investigated for many years. Mehrnaz Mottahedi et al. [77] claim that the group approach (otherwise
known as the clustering approach) is an efficient solution to the scalability issue.
In a group signature scheme, there is a group manager or group leader who maintains
the group; other nodes are group members who depend on the group leader for message
dissemination. Group members may join or leave the group dynamically. The group will
normally possess a common group key, and the members who are registered in that group can
anonymously sign any message on behalf of the group [75]. A group public key corresponds to
multiple private keys, and each vehicle's group private key is computed by a member manager
[76]. A verifier can verify the group signature with the group public key, but cannot know who
the message generator is. However, the group manager (the Trusted Authority in most cases) can
reveal the identity of the message originator in case of a dispute. To overcome the
need for a group manager, ring signatures [59] achieve conditional privacy preservation without
group managers. However, these schemes are inapplicable to VANETs, as the verification cost for
group/ring signatures is very high. The main advantage of the group signature based technique
is that it does not require a large number of anonymous certificates to be pre-loaded into the
OBUs, as in anonymous public key based authentication schemes.
A group-signature based approach has been proposed by Chaum et al. [75], where each
group member signs messages using the indistinctive group signature. User anonymity and
privacy are preserved in the approach to a greater extent. As in COMET [21], Chaum et
al. [75] suggest a probabilistic verification of signatures, that is, verifying only 3 messages out of
every 10 messages. Though all these schemes [21, 75] address VANET authentication, they do
not essentially prioritize privacy and anonymity issues.
Sha et al. [78] suggested a group-based adaptive privacy-preserving authentication scheme,
where a user can choose his degree of privacy according to the network resources an OBU can
afford. A high privacy requirement incurs a huge communication, computation and memory
overhead, while a low privacy level costs a small amount of resources. In this scheme, each
OBU is pre-loaded with an ordered list of all public keys for the whole group. An OBU then
constructs a binary tree where public keys are at the leaves and each sub-tree root is
expressed by a binary number. All RSUs have the current version of this tree, and the authentication process uses the tree for the shared secret verification. The RSU then prepares a challenge
string using all the public keys of the binary tree and sends it to the OBU. The OBU partially
decrypts the challenge with its own private key to get the answer to the challenge and then encrypts the challenge message with all other public keys in the sub-tree to check the validity of
the RSU. This scheme provides an opportunity for mutual authentication between an OBU
and an RSU, since both of them share the same tree of public keys. The major advantage is that
the level of required privacy can be preset by a user. Yet, this protocol has a scalability problem,
and it can hardly be considered for a practical application. This is because each OBU needs to keep the public key of every other vehicle in the group. The group size might change
quite frequently. Therefore, OBUs must be updated every now and then, which would be very
inefficient for a real-time system like a vehicular network.
Lin et al. [13] introduced a concrete group signature scheme to sign each message. They
presented GSIS, a conditional privacy-preserving vehicular communication protocol based on
short group signatures and ID-based signatures. In this scheme, each vehicle has only one
public and private key pair. The public key is the same for all vehicles, and the private key
of each vehicle is different. During inter-vehicle communication, a vehicle only knows the
authenticity of the signature, and has no information on the identity of the message sender. Despite reducing the overhead of pre-loading a large number of anonymous key
materials in each vehicle, this scheme does not provide a reliable solution to efficiently update
the system parameters for the participating vehicles. This protocol uses a hybrid revocation
method, in which a verifier local revocation (VLR) scheme is used if the number of revoked nodes is below a predetermined threshold. Yet, VLR is efficient only for a small number of
compromised entities. Additionally, according to the simulation results, the message loss ratio drastically increases as the number of vehicles within communication range increases, which makes
this scheme unscalable.
Calandriello et al. [82] developed a similar scheme in which a vehicle can generate public
and private key pairs by itself using a group key. This scheme acts as a tradeoff between the
group-signature-based scheme and the Public Key Infrastructure (PKI) based scheme. But
in group signature based authentication schemes, many issues related to reliability remain questionable, especially
regarding mechanisms that permit vehicles to evaluate the reliability of information they receive and the avoidance of attackers who pretend to be other entities while sending
messages. Moreover, the vehicles have to update their private key and group
public key with the group manager when the number of revoked vehicles exceeds some limit,
in order to preserve the privacy of the signer, which is a more crucial problem in these types
of schemes.
Verma and Huang [83] proposed a framework called Secure Group Communication (SeGCom) to provide support for V2I communication. The basic assumption in this scheme is that
RSUs are connected to each other to share the information of vehicles, and that the roads are partitioned into multiple segments of equal length, each of which is monitored by an RSU.
Therefore, if any vehicle enters a specific region, it registers itself with that RSU. However,
this approach does not provide an extensive analysis of the performance of the RSU when the
number of nodes increases.
Huang et al. [84] proposed an Attribute-Based Encryption (ABE) approach. Their Situation-Aware
Trust (SAT) architecture contains three components, one of which is an attribute-based
policy control model for VANETs to address a number of trust situations and application
scenarios on the road. They assumed that each vehicle has two sets of attributes, called dynamic
and static attributes, depending on whether they change frequently or
stay the same during the time period. Vehicles that satisfy a set of descriptive attributes form a
group called a policy group; a policy group can also be a group of vehicles which have the same
attributes, common interests, security or service requirements, or environmental restrictions
(for example street name, time, driving direction, etc.). The idea of a policy group is that it is
organized without depending on a trusted party to manage the group.
Wu et al. [85] proposed a message linkable group signature (MLGS) for anonymous
authentication in VANETs. With this approach, sybil attacks can be thwarted, as the actual
identity of the sender is detected if it signs a message more than once. This scheme relies
on bilinear-pairing groups, and a cryptographic primitive called threshold cryptography [86],
where an adaptive algorithm enables a receiver to trust a message only if the message is endorsed by at least a predefined number of anonymous vehicles.
Hao et al. [81] proposed a distributed key management framework, which has advantages
in the revocation of malicious vehicles and system maintenance. An efficient cooperative
message authentication protocol is developed to reduce the computation and communication
overhead in the group signature to address the scalability issue. Though some measures are
adopted in this approach to prevent RSUs from misbehaving, authorities cannot decide which is
malicious, the RSU or the vehicle or both, when they find a mismatch. In addition, this scheme
suffers from private key revealing attacks, in which the private-key issuer knows each user's
private key.
2.4.3
RSU Aided Authentication Schemes
The third category comprises schemes that depend on the Road Side Units (RSUs) for authentication. An RSU in a VANET serves as a gateway to the internet backbone, several different
road-safety applications and other services from the VANET providers. For example, an RSU
may transmit periodic status for a parking assistance application [87] or DDoS Attack on
WAVE-enabled VANETs. It can also broadcast traffic safety messages like ‘maximum curve
turning speed’ or ‘construction ahead’ notifications to the vehicles in its communication range
[88]. In addition to this, RSUs can also assist the OBUs in authenticating V2V messages.
Zhang et al. [21] proposed an RSU-aided message authentication scheme called RAISE,
which makes the RSUs responsible for verifying the authenticity of messages sent from vehicles and for sending notifications back to vehicles. This scheme is built on HMAC and
data aggregation, where the RSU authenticates all the messages coming from the vehicles and
broadcasts them back to the vehicles. Bo Yu et al. [20] argue that data aggregation is an efficient technique for minimizing redundant data and improving communication efficiency.
Compared to the solutions previously mentioned, this scheme enables lower computation and
communication overheads for each vehicle. However, vehicles in this scheme completely depend on the RSU for message passing. Any single point of failure will immediately halt the
communications completely.
Independently, Lu et al. [73] proposed a conditional privacy preservation scheme called
ECPP, in which the communication between vehicles and RSUs is based on generating on-the-fly short-lived anonymous keys. These keys enable fast anonymous authentication and
conditional privacy.
Also, Zhang et al. [15] developed an identity-based batch verification scheme called IBV,
in which a short pseudo-id is used to protect privacy, with the help of a tamper-proof
device. But this scheme requires additional hardware to be installed on OBUs (On Board
Units) to generate pseudo identities. Though these RSU-supported schemes achieve better
efficiency, [15, 21] support only V2I communication.
Biswas et al. [58] designed another identity (ID)-based authentication scheme which uses
an ID-based proxy signature on ECDSA in order to address the security and authentication for
road-safety and other emergency application messages. Security features of ID-based systems
as well as the proxy signature are incorporated to accomplish the authentication requirements
for infrastructure-generated vehicular safety messages. The CA issues road-traffic application
messages along with some signature credentials to deliver to the corresponding RSUs. RSU
signs the message on behalf of the CA and broadcasts to OBUs in the communication range.
A receiver can verify the received messages by using its own location information without
requiring any third-party certificates.
Also, Biswas et al. [79] proposed an identity-based anonymous authentication and verification scheme for the IEEE Wireless Access in Vehicular Communications (WAVE)-based
vehicular ad hoc networks (VANETs). This scheme used the elliptic curve digital signature algorithm (ECDSA) in combination with the identity-based (ID-based) signature, where current
position information on a vehicle is utilized as the ID of the corresponding vehicle and the
messages of each traffic class are verified following the VANET’s medium access control
(MAC) layer priorities. Though these schemes prioritize the certificate overhead and scalability issues, they use location information as a vehicle's identity, which is not a suitable variable
as it is prone to incessant change. Moreover, these schemes highly depend on V2I communications.
W. Hsin-Te et al. [23] proposed a message authentication scheme to enable message
authentication within and across RSU ranges. In this protocol, when a vehicle enters an RSU's
range, it is given a pseudo-id, and the two share a common secret key during mutual authentication. Using this key, the RSU then uses a one-way hash chain to compute m session
keys for that vehicle to be used at different RSUs in the region. This key table is transmitted
to the nearby RSUs through the network and stored in the vehicle as well. Intra-RSU communication is performed in the same way as in RAISE [21]. However, inter-RSU communication needs
additional transactions for every message, which imposes additional transmission overhead.
L. Zhang et al. [67] proposed a scalable robust authentication protocol. In this scheme, the
RSU generates and sends the group private key to the vehicle. RSUs serve as the issuers of
vehicles' private keys, and a signcryption method is employed to distribute the keys securely.
However, this scheme suffers from private key revealing attacks, in which the private-key
issuer knows each user's private key.
2.4.4
Hash Chain Based Authentication Schemes
The fourth category of schemes is based on hash chains. Lamport [65] was the first to propose
the use of one-way hash chains for password protection over an insecure communication channel. In this protocol, after an authenticated initial password exchange between the client and
the server, the server stores n and the n-fold hash of the password: $[n, h^n(pwd)]$. For each authentication, the user logs in to the server, which triggers it to respond with a prompt n. The user
machine then calculates $x = h^{n-1}(pwd)$ and sends this to the server. The server computes
$h(x)$. If the value obtained after applying the hash function matches the one it has stored before, then the
login is successful. The server updates its values to $[n = n - 1, x]$. When n reaches 1, the password
needs to be reset. Although widely used for authentication in ad hoc networks, Lamport's hash
chain does not provide entity authentication. Also, to authenticate the user, the server must
know the sequence of the hash chain.
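Lamport's login exchange as described above, written as an added Python example (not code from [65] or from this thesis): the server keeps only [n, h^n(pwd)], and a replayed response fails because the stored value has already moved one step down the chain. SHA-256 as h, the chain length 4 and the names Server, client_response and demo are assumptions; the password is a constructed sample.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One-way function h; SHA-256 is an assumption of this example."""
    return hashlib.sha256(x).digest()


def h_fold(x: bytes, times: int) -> bytes:
    """Apply h `times` times: h^times(x)."""
    for _ in range(times):
        x = h(x)
    return x


class Server:
    """Holds only [n, h^n(pwd)], never the password itself."""

    def __init__(self, n: int, anchor: bytes):
        self.n, self.stored = n, anchor

    def needs_reset(self) -> bool:
        # At n = 1 the next response would be h^0(pwd), the password itself.
        return self.n <= 1

    def prompt(self) -> int:
        return self.n

    def login(self, x: bytes) -> bool:
        if self.needs_reset():
            return False
        if not hmac.compare_digest(h(x), self.stored):
            return False
        # Success: step one element down the chain, [n = n - 1, x].
        self.n, self.stored = self.n - 1, x
        return True


def client_response(pwd: bytes, n: int) -> bytes:
    """User machine: x = h^(n-1)(pwd) for the prompted n."""
    if n <= 1:
        raise ValueError("chain exhausted: password must be reset")
    return h_fold(pwd, n - 1)


def demo() -> list:
    pwd = b"constructed-sample-password"
    n = 4
    server = Server(n, h_fold(pwd, n))        # initial authenticated exchange
    out = []
    x = client_response(pwd, server.prompt())
    out.append(server.login(x))               # fresh response is accepted
    out.append(server.login(x))               # same value replayed: rejected
    while not server.needs_reset():
        out.append(server.login(client_response(pwd, server.prompt())))
    out.append(server.needs_reset())          # n has reached 1
    out.append(server.login(x))               # nothing is accepted until reset
    return out


if __name__ == "__main__":
    print(demo())
```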
Perrig et al. [89] proposed the Timed Efficient Stream Loss-tolerant Authentication (TESLA)
scheme, which is an efficient broadcast authentication protocol. The main idea is that after
time synchronization between communication partners, the sender generates a one-way hash
chain of keys known only to itself and then reveals these values in the opposite order. More precisely, the sender divides time into uniform intervals and assigns to each interval one key of
the one-way chain. Before sending a message in the current time interval, the sender computes
the packets with the corresponding key and sends them to the receivers. The receivers buffer the
received packet without being able to authenticate it. After a specific time, which is known as the
key disclosure delay, the sender discloses the corresponding key and the receivers are able to authenticate the packet or packets they have buffered, following the principle of commitment of
the one-way hash chain. However, in highly dynamic networks such as VANETs this scheme
may become impractical, due to the mechanisms of clock synchronization, delay estimation,
etc.
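The delayed key disclosure described above, as an added Python example (not code from Perrig et al. [89] or from this thesis): it combines the one-way chain commitment with an HMAC tag check, recovers a key whose disclosure packet was lost, and drops a packet that arrives after its key could already be public. SHA-256, the derived MAC key, the 1-second interval, the 0.1-second clock-skew bound and all class and function names are assumptions; the messages and the late packet are constructed samples.

```python
import hashlib
import hmac
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: bytes) -> list:
    """[K_0..K_n] with K_i = H(K_{i+1}); K_n is the secret seed, K_0 the commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]


def tag_for(key: bytes, msg: bytes) -> bytes:
    # Assumption: the MAC key is derived from the chain key, not the chain key itself.
    mac_key = hmac.new(key, b"mac-key", hashlib.sha256).digest()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, intervals: int, delay: int):
        self.chain = make_chain(intervals, os.urandom(32))
        self.delay = delay
        self.commitment = self.chain[0]       # handed out authentically at setup

    def packet(self, i: int, msg: bytes) -> dict:
        j = i - self.delay                    # key that is now old enough to reveal
        disclosed = (j, self.chain[j]) if j >= 1 else None
        return {"i": i, "msg": msg, "tag": tag_for(self.chain[i], msg),
                "disclosed": disclosed}


class Receiver:
    def __init__(self, commitment, delay, t0, t_int, max_skew):
        self.idx, self.key = 0, commitment    # newest chain key verified so far
        self.delay, self.t0, self.t_int, self.max_skew = delay, t0, t_int, max_skew
        self.buffer = {}                      # interval -> [(msg, tag)]
        self.authenticated = []

    def receive(self, pkt: dict, now: float) -> str:
        # Safety condition: buffer only if the sender cannot yet have disclosed K_i.
        latest = int((now + self.max_skew - self.t0) // self.t_int) + 1
        safe = latest < pkt["i"] + self.delay
        if safe:
            self.buffer.setdefault(pkt["i"], []).append((pkt["msg"], pkt["tag"]))
        if pkt["disclosed"] is not None:
            self._disclose(*pkt["disclosed"])
        return "buffered" if safe else "dropped"

    def _disclose(self, j: int, key: bytes) -> None:
        if j <= self.idx:
            return                            # already processed
        probe = key
        for _ in range(j - self.idx):         # hash back to the last verified key
            probe = H(probe)
        if not hmac.compare_digest(probe, self.key):
            return                            # not on the committed chain
        k = key
        for idx in range(j, self.idx, -1):    # also recovers keys of lost packets
            for msg, tag in self.buffer.pop(idx, []):
                if hmac.compare_digest(tag_for(k, msg), tag):
                    self.authenticated.append((idx, msg))
            k = H(k)
        self.idx, self.key = j, key


def demo():
    s = Sender(intervals=8, delay=2)
    r = Receiver(s.commitment, delay=2, t0=0.0, t_int=1.0, max_skew=0.1)
    log = [r.receive(s.packet(1, b"brake warning"), now=0.5),
           r.receive(s.packet(2, b"lane change"), now=1.4)]
    # The interval-3 packet (which discloses K_1) is lost on the way to r.
    # Constructed late packet: tagged with the already-public K_1 for interval 1.
    late = {"i": 1, "msg": b"road clear", "disclosed": None,
            "tag": tag_for(s.chain[1], b"road clear")}
    log.append(r.receive(late, now=2.5))
    log.append(r.receive(s.packet(4, b"speed 40"), now=3.3))   # discloses K_2
    return log, r.authenticated


if __name__ == "__main__":
    print(demo())
```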
Weimerskirch and Westhoff [90] proposed Zero Common Knowledge (ZCK), a very
lightweight security protocol aiming to recognize a foreign partner whenever they meet for the
first time. Zero common-knowledge authentication defines its security objective as follows: A
recognizes B if A is able to identify again the authority that runs B; or, B authenticates to A
if B is able to convince A that both had some relation in the past. The private keys in this
scheme are actually anchors from a one-way chain, which after n applications of a one-way
function. But vehicles in this scheme have to retain information about every vehicle or RSU
they encounter in order to recognize them the next time they meet. This is unrealistic and quite
impossible, since doing so will require a large amount of storage.
G. Kounga et al. [69] proposed a scheme that overcomes this problem and allows the
generation of one-way hash chains of public and private key pairs, in which the use of a public
key involves proving knowledge of the corresponding private key. This impedes an attacker
from building a successful public key replay attack. Also, nodes would be able to prove the
authenticity of their provided public key by proving that it is correctly linked to the hash code
in their certificate. However, this scheme is not scalable when the number of key pairs is large,
as a significant amount of computational overhead is potentially involved. Also, this scheme
has to deal with clock synchronization between vehicles. Moreover, this approach is feasible
for devices such as mobile phones where there is no fixed timeline for communication.
R. Lu et al. [91] proposed a dynamic privacy-preserving key management scheme called
DIKE. DIKE introduces a privacy-preserving authentication technique, which enables double-registration detection. In this scheme, the session is divided into several time slots so that
each time slot holds a different session key. When no vehicle user departs from the service
session, each joined user can use a one-way hash function to autonomously update the
session key, achieving forward secrecy. The scheme also integrates a dynamic threshold technique in
traditional V2V and V2I communications to achieve backward secrecy of session keys, i.e.,
when a vehicle user departs from the service session, more than a threshold number of joined
users can cooperatively update the session key. However, this scheme requires the session
keys to be updated frequently, which is a complex task given the dynamic mobility pattern of
the vehicles.
2.4.5
The Proposed Scheme
Though numerous message authentication mechanisms have been studied in VANETs,
not all of them are scalable for large networks. The reason is that most of the protocols require
a certificate to be attached to every message, which increases the verification burden. In order to
address these issues, a new framework is proposed in this research to eliminate the certificate
overheads in the message authentication process.
The proposed protocols are intended to support both V2I and V2V communications and
to reduce the computation and communication overheads. The eviction of certificates and the introduction of aggregation and batch verification processes would allow the proposed protocols to
scale better in high-density networks.
2.4.6
Conclusion
This chapter provided an overview of two broad categories of ad hoc networks, MANETs
and VANETs. The basic characteristics, requirements and applications of these networks were
discussed. It then explored the different types of wireless communication technologies used
for VANET communication. Also, some system preliminaries that are going to be used in
further chapters were introduced. Finally, a detailed literature survey on various message
authentication protocols, the techniques they use and their drawbacks was presented.