TEAM: Trust-Extended Authentication Mechanism For Vehicular Ad Hoc Networks
I. INTRODUCTION
Based on IEEE 802.11p, the Dedicated Short Range Communications (DSRC) system [1] supports two kinds of communication environments: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. A number of studies [2] [3] [4] have focused on the problem of data dissemination in VANETs. Recently, the security issues in vehicular ad hoc networks (VANETs) have attracted increasing attention from both industry and academia [5]. An authentication mechanism is a basic way to protect valid users.

Raya et al. [6] pre-load each vehicle with a large number of anonymous public and private key pairs, as well as the corresponding public key certificates. Each of the public key certificates contains a pseudo identity. Then, traffic messages are signed with a public key-based scheme, and each pair of public and private keys has a short lifetime to preserve privacy. However, the approach incurs high computation cost, high storage cost, and high communication overhead. Freudiger et al. [7] and Sampigethaya et al. [8] proposed schemes that protect location privacy. However, these approaches [6] [7] [8] do not work well in highly dynamic environments like VANETs because they use asymmetric cryptography or a signature verification scheme, which results in high computation costs, long authentication latency, or a large storage space. Zhang et al. [9] proposed an RSU-aided message authentication scheme (RAISE), which uses the symmetric key hash message authentication code (HMAC), instead of a public key infrastructure (PKI) based message signature, to reduce the signature cost. However, in RAISE, the authentication scheme and key agreement process also use asymmetric cryptography, which leads to a high computation cost. Hence, there is a need for an efficient authentication scheme for VANETs.

To address the above need, we propose a decentralized authentication scheme called the Trust-Extended Authentication Mechanism (TEAM) for V2V communication networks. TEAM is a lightweight authentication scheme because it only uses an XOR operation and a hash function. Although TEAM has a low computation cost, it still satisfies the following security requirements: anonymity, location privacy, mutual authentication to prevent spoofing attacks, resistance to stolen-verified attacks, forgery attacks, modification attacks and replay attacks, as well as no clock synchronization problem, fast error detection, and session key agreement.

The remainder of this paper is organized as follows. In Section II, we introduce some preliminaries, and in Section III, we describe the proposed scheme in detail. The security analysis is presented in Section IV. Then, in Section V, we summarize our conclusions and consider future research avenues.

II. PRELIMINARIES
In this section, we introduce the concept of the transitive trust relationship and consider the security requirements of VANETs.

A. The Transitive Trust Relationships

The major components of a VANET are the wireless onboard unit (OBU), the roadside unit (RSU), and the authentication server (AS). OBUs are installed in vehicles to provide wireless communication capability, while RSUs are deployed at intersections or hotspots as an infrastructure to provide information or access to the Internet for vehicles within their radio coverage. The AS is responsible for installing the secure parameters in the OBU to authenticate the user. In a VANET, a vehicle connects to the Internet through V2V communications when it is not located within the service range of an RSU. Figure 1 shows the VANET network architecture.
Figure 1. Network architecture

In VANETs, vehicles can be classified into the following roles: a law executor (LE), a mistrustful vehicle (MV), and a trustful vehicle (TV). A law executor, such as a police car or public transportation, acts like a mobile authentication server. A vehicle is regarded as trustful if it can be authenticated successfully; otherwise, it is deemed to be mistrustful. To provide a secure communication environment, the OBU should be authenticated successfully before it can access the service. However, in V2V communication networks, as the number of law executors is finite, an LE is not always in the vicinity of the OBU. Even if the user is trustful, the vehicle must still wait for the nearest LE and then perform the authentication procedure. Hence, there is an urgent need for an efficient authentication scheme.

In this paper, we propose a trust-extended authentication mechanism (TEAM) to improve the performance of the authentication procedure in V2V communication networks. TEAM is based on the concept of transitive trust relationships, as illustrated in Fig. 2. Initially, there are three vehicles in a VANET: a trustful LE and two other mistrustful vehicles carrying OBUs (i.e., OBUi and OBUj in the figure). When the first mistrustful OBU (i.e., OBUi) is authenticated successfully, its state becomes trustful and it obtains the authorized parameter it needs to authorize other mistrustful OBUs. Thus, the other mistrustful OBUs can be authenticated by any trustful OBU without necessarily finding an LE. OBUi then plays the LE role temporarily to assist with the authentication procedure of OBUj. As a result, all vehicles in a VANET can complete the authentication procedure quickly.

Figure 2. Transitive trust relationships in TEAM

B. Security Requirements

Since the authentication scheme is susceptible to malicious attacks, our objective is to design a scheme that is robust to such attacks. Based on related studies [6]-[12], we define the following key security requirements for VANETs.

1) Efficiency: The computational cost of vehicles must be as low as possible.
2) Anonymity: The anonymous authentication procedure verifies that an OBU does not use its real identity to execute the authentication procedure.
3) Location privacy: Each vehicle has a dynamic identity to prevent an adversary tracking it when the OBU performs the authentication procedure.
4) Mutual authentication: A mutual authentication procedure is implemented whereby the LE must verify that the OBU is a legal user and the OBU must ensure that the LE is genuine.

III. TRUST-EXTENDED AUTHENTICATION MECHANISM (TEAM)
In this section, we describe the proposed scheme in detail. TEAM is a decentralized authentication scheme, and the LE does not need to keep the authentication information of every vehicle. The main operations of TEAM are the initial registration, login, general authentication, and trust-extended authentication procedures. Before a vehicle can join a VANET, its OBU must register with the AS. When a user wants to access the service, he/she has to perform the login and the general authentication procedures.

A. Assumptions

We assume that each vehicle's OBU is equipped with security hardware, including an event data recorder (EDR) and a tamper-proof device (TPD) [13], so that an attacker cannot obtain information about the vehicle from the OBU. The event data recorder is responsible for recording important data about the vehicle, such as the location, time, pre-loaded secret key, and access log. The tamper-proof device provides the cryptographic processing capabilities. In addition, the LE is trustful in this paper.

B. Notations

Let x denote a secret key of the AS; IDi denote the public identification of user i; PWi denote the password of user i; h( ) denote a one-way collision-resistant hash function; Ni denote a random number; PSK denote a secure key that is pre-shared among LEs and the AS; ⊕ denote the XOR operator; and || denote the concatenation of strings.

C. Initial Registration Procedure

In TEAM, the LE only needs to hold a secure key PSK that is stored in the security hardware, and it does not need to store the authentication information of the user.
Other normal vehicles need to perform the initial registration procedure with the authentication server through the manufacturer or a secure channel. The steps of the procedure are as follows:

Step 1: User → AS: A user sends the public identification IDi and its chosen password PWi to the AS via the manufacturer or a secure channel.

Step 2: After receiving the user's ID and password, the AS computes the following secret authentication parameters for the user: Ai = h(IDi || x), Bi = h^2(IDi || x) = h(Ai), Ci = h(PWi) ⊕ Bi, and Di = PSK ⊕ Ai.

Step 3: AS → User: The AS stores the parameters (i.e., IDi, Bi, Ci, Di, h( )) in the OBU's security hardware via the manufacturer or a secure channel.

Note that the AS does not need to store the user's verification information (e.g., the user's password). Therefore, an adversary cannot obtain the information to launch a stolen-verified attack. In addition, a registered user who obtains the above parameters cannot successfully impersonate another valid user. This is because the user does not know the AS's secret (i.e., x).

D. Login Procedure

The login procedure is the first checkpoint. The OBU will detect an error event immediately if the user has malicious intentions.

Step 1: User → OBU: When a user wants to access the service, he/she inputs IDi and PWi to the OBU.

Step 2: The OBU checks the IDi and verifies that h(PWi) ⊕ Ci is equal to Bi. If the information is correct, the OBU generates a nonce, N1, and calculates the message M1 as h(Bi) ⊕ N1. Then, it computes the alias AIDi as h(N1) ⊕ IDi, and generates the message M2 as h(N1 || AIDi), where Bi and Ci are obtained from the initial registration procedure.

E. General Authentication Procedure

The OBU performs the general authentication procedure after the user completes the login procedure.

Step 1: OBU → LE: The OBU sends an authentication request (i.e., AIDi, M1, M2, Di) to the LE. Note that Di is obtained from the initial registration procedure.

Step 2: The LE verifies that the OBU is trustful: On receipt of the authentication request, the LE uses the secure pre-shared key (i.e., PSK) to obtain Ai (i.e., Ai = Di ⊕ PSK). The LE retrieves the value of N1 (i.e., N1 = M1 ⊕ h^2(Ai)) and then checks whether h(N1 || AIDi) is equal to M2. It rejects the authentication request if h(N1 || AIDi) and M2 do not match, which means the authentication message has been modified. Next, the LE computes IDi as AIDi ⊕ h(N1), generates a random number N2, and calculates a session key SKij as h(N1 || N2). Finally, the LE computes the authentication reply message (i.e., M3, M4, M5), where M3 is N2 ⊕ h^2(N1), M4 is Ai ⊕ h(IDi), and M5 is h(M4 || N2).

Step 3: LE → OBU: The LE returns the authentication reply message (i.e., M3, M4, M5) to the OBU.

Step 4: The OBU verifies that the LE is trustful: The OBU computes the value of h^2(N1), retrieves the random number N2 (i.e., N2 = M3 ⊕ h^2(N1)), and checks whether h(M4 || N2) is equal to M5. If the information is correct, the OBU calculates the value of Ai (i.e., Ai = M4 ⊕ h(IDi)), computes the session key (i.e., SKij = h(N1 || N2)), and stores Ai in the security hardware.

Step 5: OBU → LE: The OBU sends the message (i.e., SKij ⊕ h(N2)) to the LE.

Step 6: The LE uses the session key SKij to retrieve the value (i.e., h(N2)). It then checks this value to prevent an invalid OBU from executing a replay attack.

At this point, the OBU has been authenticated successfully, so it becomes trustful and obtains an authorized parameter (i.e., PSK = Ai ⊕ Di). Thus, the other mistrustful OBUs can be authenticated by it without necessarily finding an LE.

F. Trust-Extended Authentication Procedure

We adopt the trust-extended mechanism based on the concept of transitive trust relationships to improve the performance of the authentication procedure. The state of a mistrustful OBU becomes trustful and it then obtains an authorized parameter (i.e., PSK) when the OBU is authenticated successfully. Then, the trustful OBU plays the role of LE temporarily to assist with the authentication procedure of a mistrustful OBU. In this procedure, the trustful vehicle performs the authentication procedure and it still does not need to store the authentication information of the user. Hence, our scheme requires only a small amount of storage. The steps of the general authentication and the trust-extended authentication procedures are the same. As a result, all vehicles in a VANET can complete the authentication procedure quickly.

IV. SECURITY ANALYSIS
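
The registration, login and general authentication procedures of Sections III-C to III-E, traced end to end as an added example that is not code from the paper; it also exercises the Step 2 and Step 6 checks that the analysis below relies on. Assumptions: SHA-256 stands in for h( ), identities are zero-padded to 32 bytes so they can be XORed with hash outputs, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, os

L = 32  # SHA-256 digest size; SHA-256 is an assumption, the paper leaves h( ) open

def h(*parts):                           # h(a || b || ...)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    assert len(a) == len(b) == L         # every XOR operand is one hash-sized block
    return bytes(p ^ q for p, q in zip(a, b))

def register(x, psk, id_i, pw_i):        # AS, III-C Steps 2-3
    a = h(id_i, x)                       # Ai
    b = h(a)                             # Bi = h^2(IDi || x)
    return {"ID": id_i, "B": b, "C": xor(h(pw_i), b), "D": xor(psk, a)}

def login(obu, id_i, pw_i):              # OBU, III-D Step 2 and III-E Step 1
    if id_i != obu["ID"] or not hmac.compare_digest(xor(h(pw_i), obu["C"]), obu["B"]):
        raise PermissionError("login rejected")
    n1 = os.urandom(L)
    aid = xor(h(n1), id_i)
    return n1, {"AID": aid, "M1": xor(h(obu["B"]), n1), "M2": h(n1, aid), "D": obu["D"]}

def le_verify(psk, req):                 # LE or trustful OBU, III-E Step 2
    a = xor(req["D"], psk)
    n1 = xor(req["M1"], h(h(a)))         # N1 = M1 xor h^2(Ai)
    if not hmac.compare_digest(h(n1, req["AID"]), req["M2"]):
        return None                      # request was modified: reject
    id_i = xor(req["AID"], h(n1))
    n2 = os.urandom(L)
    m4 = xor(a, h(id_i))
    return {"M3": xor(n2, h(h(n1))), "M4": m4, "M5": h(m4, n2)}, h(n1, n2), n2

def obu_finish(obu, n1, reply):          # OBU, III-E Steps 4-5
    n2 = xor(reply["M3"], h(h(n1)))
    if not hmac.compare_digest(h(reply["M4"], n2), reply["M5"]):
        raise ValueError("M5 mismatch: LE not authenticated")
    a = xor(reply["M4"], h(obu["ID"]))
    sk = h(n1, n2)
    return sk, xor(sk, h(n2)), xor(a, obu["D"])   # SKij, Step 5 message, PSK

def le_confirm(sk, n2, msg):             # LE, III-E Step 6
    return hmac.compare_digest(xor(sk, msg), h(n2))

def demo():
    x, psk = os.urandom(L), os.urandom(L)               # constructed secrets
    id_i, pw = b"OBU-i".ljust(L, b"\0"), b"constructed-password"
    obu = register(x, psk, id_i, pw)
    n1, req = login(obu, id_i, pw)
    reply, sk_le, n2 = le_verify(psk, req)
    sk_obu, msg, psk_obu = obu_finish(obu, n1, reply)
    _, sk_new, n2_new = le_verify(psk, req)             # replayed request, fresh N2
    bad = dict(req, AID=xor(req["AID"], b"\x01" + bytes(L - 1)))   # one flipped bit
    return {"keys_match": sk_le == sk_obu, "confirmed": le_confirm(sk_le, n2, msg),
            "psk_recovered": psk_obu == psk, "modified_accepted": le_verify(psk, bad) is not None,
            "replayed_step5_accepted": le_confirm(sk_new, n2_new, msg)}

if __name__ == "__main__":
    print(demo())
```

In this trace the replayed request still passes the Step 2 check, because the verifier keeps no record of earlier nonces; the replay is stopped at Step 6, where the old Step 5 message no longer matches the fresh N2.
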
The following points are relevant to the security analysis.

(1) The security property of TEAM is based on a collision-free one-way hash function. For a one-way hash function h( ), when the value of x is given, it is straightforward to compute h(x); however, given the value of h(x), computing the value of x is very difficult or incurs a high computational cost.
(2) In the login procedure, the security hardware has a retry limit to prevent the attacker using a brute-force technique to guess the user's password.

We now consider the security features of TEAM. The mechanism satisfies the following security requirements.

1) Anonymity: Under the proposed scheme, the original identity of a user is converted into an alias that is based on a random number (i.e., Step 2 of the login procedure). Therefore, an adversary cannot determine the user's original identity without knowing the random number N1 chosen by the OBU.
2) No verification table: The AS, LEs, and TVs do not need to store the user's verification table. Therefore, even if an adversary can access the AS's database, he cannot obtain the user's authentication information.
3) Location privacy: Even if an adversary can intercept a number of messages during a certain period, it is hard for him to trace the user's physical position because the system's anonymity mechanism uses a dynamic identification process, and generation of the session key is based on a nonce. Moreover, TEAM can utilize the random silent period scheme [7] to enhance the location privacy when the OBUs do not have to access the service.
4) Mutual authentication to prevent spoofing attacks: A mutual authentication process is necessary. The LE needs to verify that the OBU is a legal user, and the OBU needs to ensure that the LE is genuine. In the general authentication procedure, the LE authenticates the OBU in Step 2, and the OBU authenticates the LE in Step 4. Thus, this mutual authentication scheme prevents spoofing attacks.
5) Resistance to replay attacks: To protect the proposed scheme from replay attacks, we add a random number to the authentication message. If an adversary intercepted the message and tried to impersonate a valid OBU by replaying the message immediately, the LE would reject the request because the nonce in the replayed messages would be invalid. Moreover, the OBU also checks the random number sent by the LE to prevent replay attacks.
6) Session key agreement: The proposed approach only makes one round trip between the OBU and the LE to generate the session key. Then, the key is used to encrypt subsequent packets to ensure that the communications are confidential. Moreover, since the session key is generated from a random number and a hash function, it is hard for the adversary to guess or derive the session key from the intercepted messages.
7) Clock synchronization is not required: In timestamp-based authentication schemes, the clocks of all vehicles must be synchronized. In TEAM, we provide a nonce-based authentication mechanism instead of timestamps, which cause serious time synchronization problems.
8) Resistance to modification attacks: An adversary can attempt to modify an OBU's authentication message. However, we use a one-way hash function to ensure that information cannot be modified. Therefore, this attack will be detected because an attacker has no way to obtain the value of the random number to generate the legitimate message. If an attacker transmits a modified packet to the LE, the packet can be easily identified by checking the hash values.
9) Resistance to forgery attacks: If a valid OBU attempts to forge another valid OBU's ID (i.e., AIDi*), the authentication will be unsuccessful. Even if the OBU knows the parameters (i.e., IDi, Bi, Ci, Di, h( )) and forges an alias ID (i.e., AIDi* = h(N1) ⊕ IDi*), it cannot determine the valid authentication parameter (i.e., Di*) required to obtain authentication. This is because the OBU does not know the AS's secret key (i.e., x), so it cannot compute the value of Ai correctly. The secret key is protected by the one-way hash function h( ), and it is computationally infeasible to derive x from the value h(x).
10) Fast error detection: In the login procedure, the OBU will detect an error immediately if an attacker keys in the wrong user ID or password.

V. CONCLUSIONS AND FUTURE WORK

In this paper, we propose a decentralized lightweight authentication scheme called TEAM to protect valid users in VANETs from malicious attacks. The amount of cryptographic calculation under TEAM is substantially less than in existing schemes because it only uses an XOR operation and a hash function. Moreover, TEAM is based on the concept of transitive trust relationships to improve the performance of the authentication procedure. In the future, we intend to develop an intrusion detection mechanism to enhance network security.

REFERENCES
[1] Dedicated Short Range Communications (DSRC), [Online]. Available: http://grouper.ieee.org/groups/scc32/dsrc/index.html.
[2] M. Nekovee and B. B. Bogason, "Reliable and Efficient Information Dissemination in Intermittently Connected Vehicular Ad hoc Networks," IEEE 65th Vehicular Technology Conference (VTC), pp. 2486-2490, 2007.
[3] Jing Zhao, Yang Zhang, and Guohong Cao, "Data Pouring and Buffering on the Road: A New Data Dissemination Paradigm for Vehicular Ad Hoc Networks," IEEE Transactions on Vehicular Technology, Vol. 56, No. 6, Part 1, pp. 3266-3277, 2007.
[4] Jeng-Farn Lee, Chang-Sheng Wang, and Ming-Chin Chuang, "Fast and Reliable Emergency Message Dissemination Mechanism in Vehicular Ad Hoc Networks," IEEE Wireless Communications and Networking Conference (WCNC), pp. 1-6, 2010.
[5] J. P. Hubaux, S. Capkun, and J. Luo, "The Security and Privacy of Smart Vehicles," IEEE Security and Privacy Magazine, Vol. 2, No. 3, pp. 49-55, 2004.
[6] M. Raya and J. P. Hubaux, "Securing Vehicular Ad Hoc Networks," Journal of Computer Security, Vol. 15, No. 1, pp. 39-68, 2007.
[7] J. Freudiger, M. Raya, and M. Felegyhazi, "Mix Zones for Location Privacy in Vehicular Networks," The First International Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS), pp. 1-7, 2007.
[8] K. Sampigethaya, Mi. Li, L. Huang, and R. Poovendran, "AMOEBA: Robust Location Privacy Scheme for VANET," IEEE Journal on Selected Areas in Communications (JSAC), Special issue on Vehicular Networks, Vol. 25, No. 8, pp. 1569-1589, 2007.
[9] Chenxi Zhang, Xiaodong Lin, Rongxing Lu, and Pin-Han Ho, "RAISE: An Efficient RSU-Aided Message Authentication Scheme in Vehicular Communication Networks," IEEE International Conference on Communications (ICC), pp. 1451-1457, 2008.
[10] Chenxi Zhang, Rongxing Lu, Xiaodong Lin, Pin-Han Ho, and Xuemin Shen, "An Efficient Identity-Based Batch Verification Scheme for Vehicular Sensor Networks," IEEE International Conference on Computer Communications (INFOCOM), pp. 246-250, 2008.
[11] Rongxing Lu, Xiaodong Lin, Haojin Zhu, Pin-Han Ho, and Xuemin Shen, "ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications," IEEE International Conference on Computer Communications (INFOCOM), pp. 1229-1237, 2008.
[12] Haojin Zhu, Rongxing Lu, Xuemin Shen, and Xiaodong Lin, "Security in Service-Oriented Vehicular Networks," IEEE Wireless Communications, pp. 16-22, 2009.
[13] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, "Secure vehicular communication systems: design and architecture," IEEE Communications Magazine, vol. 46, no. 11, pp. 100-109, November 2008.