Security, privacy and protection in different VANET applications afternoon session - PowerPoint PPT Presentation


Title: Security, privacy and protection in different VANET applications afternoon session


1
Security, privacy and protection in different
VANET applicationsafternoon session
  • Mario Gerla

2
Vehicular security tools/techniquesOutline
  • Conventional tools, Vehicle-PKI and secure
    positioning
  • New tools (e.g., anonymous routing routing
    attack secure incentives situation awareness
    community trust trust cloud of commuters -
    from the social net proposal)
  • Wormholes in the urban grid
  • Privacy v.s. security trade offs

3
Conventional techniques
  • Tamper-proof device
  • V-PKI
  • Anonymous keys
  • Secure Localization

4
Tamper-proof device
  • Each vehicle carries a tamper-proof device
  • Contains the secrets of the vehicle itself
  • Has its own battery
  • Has its own clock (notably in order to be able to
    sign timestamps)
  • Is in charge of all security operations
  • Is accessible only by authorized personnel

5
Digital signatures
  • Symmetric cryptography is not suitable messages
    are standalone, large scale, non-repudiation
    requirement
  • Hence each message should be signed with a DS
  • Liability-related messages should be stored in
    the EDR (event data recorder)

6
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device
(TPD) A unique and certified identity
Electronic License Plate (ELP) A set of
certified anonymous public/private key
pairs Mutual authentication can be done without
involving a server Authorities (national or
regional) are cross-certified
7
The CA hierarchy two options
The governments control certification Long
certificate chain Keys should be recertified on
borders to ensure mutual certification
Vehicle manufacturers are trusted Only one
certificate is needed Each car has to store the
keys of all vehicle manufacturers
8
Anonymous keys
  • Preserve identity and location privacy
  • Keys can be preloaded at periodic checkups
  • The certificate of Vs ith key
  • Keys renewed according to vehicle speed (e.g., 1
    min at 100 km/h)
  • Anonymity is conditional on the scenario
  • The authorization to link keys with ELPs is
    distributed (say, police court)

9
Avoiding Big Brother
10
DoS resilience
  • Vehicles will probably have several wireless
    technologies onboard
  • To thwart DoS, vehicles can switch channels or
    communication technologies
  • Great market for Cognitive Radios

11
Data verification by correlation
?? Bogus info attack relies on false data ??
Authenticated vehicles can also send wrong data
(on purpose or not) ?? The correctness of the
data should be verified ?? Correlation can help
12
Security analysis
  • How much can we secure VANETs?
  • Messages are authenticated by their signatures
  • Authentication protects the network from
    outsiders
  • Correlation and fast revocation reinforce
    correctness
  • Availability remains a problem that can be
    alleviated
  • Non-repudiation is achieved because
  • ELP and anonymous keys are specific to one
    vehicle
  • Position is correct if secure positioning is in
    place

13
What PK cryptosystem to use?
  • Available options
  • RSA Sign most popular, but largest key size
  • ECDSA (Elliptic Curve) most compact
  • NTRUSign (Nth Truncated Polynomial) fastest in
    signing and verification
  • Signature verification speed matters the most
  • Further improvements that can help
  • Vehicles verify only relevant content
  • Several messages signed with same key

14
Performance comparison
15
Performance evaluation
ns-2 simulationsTwo scenarios drawn from
DSRCThe effect of message size (including the
security material) on delay, number of received
packets, and throughput is evaluated
Not to scale
16
How msg size affects Delay,
17
Number of received packets,
18
and Throughput
19
How to securely locate a vehicle
20
Positioning systems
  • Satellites
  • GPS, Galileo, Glonass(Outdoor, Radio Frequency
    (RF) Time of Flight (ToF))
  • General Systems
  • Active Badge(Indoor, Infrared(IR)), Olivetti
  • Active Bat, Cricket(Indoor, Ultrasound(US)-based),
    ATT Lab Cambridge, MIT
  • RADAR, SpotON, Nibble(Indoor/Outdoor, RF-Received
    Signal Strength), Microsoft, Univof Washington,
    UCLAXerox Palo Alto Lab
  • Ultra Wideband Precision Asset Location
    System,(Indoor/Outdoor, RF-(UWB)-ToF),
    Multispectral solutions, Inc.

21
Positioning systems (cont)
  • Ad hoc and sensor nets (no GPS)
  • Convex position estimation (Centralized), UC
    Berkeley
  • Angle of Arrival based positioning(Distributed,
    Angle of Arrival), Rutgers
  • Dynamic fine-grained localization (Distributed),
    UCLA
  • GPS-less low cost outdoor localization(Distributed
    , Landmark-based), UCLA
  • GPS-free positioning (Distributed), EPFL

22
GPS
23
GPS Security Example of attack
A GPS simulator can send strong fake signals to
mask authentic weak signals
24
GPS Security
  • Other vulnerabilities
  • Relaying attack connects the receiver to a
    remote antenna
  • Signal-synthesis attack feeds the receiver with
    false signals
  • Selective-delay attack predicts the signal ?t
    earlier
  • Security solutions
  • Tamper-resistant hardware
  • Symmetric crypto
  • Problem an authenticated receiver can hack the
    system
  • Asymmetric crypto
  • Problem additional delay

25
Distance measurement techniques
26
Attacks on RF and Ultra Sound ToF-based
techniques
27
The challenge of secure positioning
  • Goals
  • preventing an insider attacker from cheating
    about its own position
  • preventing an outsider attacker from spoofing the
    position of an honest node
  • Our proposal Verifiable Multilateration

28
Distance bounding
  • RF distance bounding
  • nanosecond precision required, 1ns 30cm
  • UWB enables clock precision up to 2ns and 1m
    positioning indoor and up to 2km outdoor
  • US distance bounding
  • millisecond precision required,1ms 35cm

29
Distance Bounding (RF)1993 (Brands and Chaum)
to prevent the Mafia fraud attack
The Bound (tr-ts)c/2 gt dreal
30
(No Transcript)
31
(No Transcript)
32
Conclusion on secure positioning
  • New research area
  • Positioning tout court is not yet completely
    solved (solutions will rely on GPS, on
    terrestrial base stations, and on mutual distance
    estimation)
  • Time of flight seems to be the most appropriate
    technique
  • More information available at http//spot.epfl.ch

33
New Tools on VANET Security and Privacy
  • Secure Routing
  • Security Incentives
  • Situation awareness Trust

34
A Secure Ad-hoc Routing Approach using Localized
Self-healing Communities
  • Jiejun Kong, Xiaoyan Hong, Yunjung Yi, Joon-Sang
    Park, Jun Liu, Mario Gerla
  • Computer Science Department Computer
    Science Department
  • University of California, Los Angeles
    University of Alabama, Tuscaloosa
  • jkong,yjyi,jspark,gerla_at_cs.ucla.edu
    jliu,hxycs.ua.edu

35
Problem Statement
  • Threats to on-demand routing
  • Active attack disruptive
  • Denial-of-service attacks
  • Packet loss, rushing attack, black-hole,
    gray-hole, wormhole
  • Passive attack protocol-compliant
  • Eavesdropper, traffic analyst ? anonymous routing
    needed
  • We will focus on active threats
    fromnon-cooperative (selfish or malicious)
    members (eg, INTRUDERS)

36
Typical On-demand Routing Attacks
  • Most active attacks cause repeated RREQs
  • Excessive RREQ repetitions exhaust network
    resource
  • Current mechanism to reduce of allowed RREQ
    floods per connection RREQ rate limit
  • NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND
    RREQ FLOODS
  • RREP DATA packet DROPS
  • Caused by rushing attack etc. Hu et al.,WiSe03
  • THEY Trigger more RREQ floods
  • Source will keep retrying, with repeated RREQ,
    causing massive congestion!!!!

37
RUSHING ATTACK
dest
source
  • Describe RUSHING ATTACK WITH ANIMATION
  • Explain Perrig solution here..

38
Outline
  • Review of current countermeasures
  • Community-based secure routing approach
  • Strictly localized w/ clearly-defined per-hop
    operation
  • Self-healing community substitutes single
    node
  • Our analytic models
  • Sub-polynomial model for network security
  • Stochastic model for mobile networks
  • Empirical simulation verification
  • Summary

39
Other countermeasures (for on-demand routing
against active attacks)
  • Cryptographic protections
  • Cannot stop internal non-cooperative network
    members they have the keys TESLA in Ariadne,
    PKI in ARAN
  • Network-based protections
  • Straight-forward RREQ rate limit DSR, AODV
  • Long RREQ interval causes non-trivial routing
    performance degradation
  • Multi-path secure routingAwerbuch,WiSe02
    Haas,WiSe03
  • Not localized, incurs global overhead, expensive
  • Node-disjoint multi-path preferred, but
    challenging
  • Perrig solution to rushing (is it also multi
    path?)

40
Our design
  • Goal Reduce of allowed RREQ floods (per
    connection) to minimum
  • Ideally, 1 initial on-demand RREQ flood for each
    e2e connection
  • In spite of attacks
  • Solution
  • Build multi-node self-healing communities to
    counter non-cooperative packet loss
  • approach applies to wide range of ad hoc routing
    protocols

41
Community 2-hop scenario
community
  • Explain two hop path intermediate nodes
    community
  • Community leader (to be defined later)

42
Community multi-hop scenario
  • community is dynamically reconfigured (self
    healing)

43
Community Based Security (CBS)
  • End-to-end communication between ad hoc terminals
  • Community-to-community forwarding (not
    node-to-node)
  • Challenge adversary knows CBS is operated in the
    network
  • It would prevent the network from forming
    communities
  • Network mobility etc. will disrupt CBS

44
Community formation re-configuration
  • On demand initial configuration
  • Communities formed during RREP
  • Simple heuristics promiscuously overheard 3
    consecutive (ACKs of) RREP packets? set
    community membership flag for the connection
  • Goal revisited reduce the need of RREQ floods
  • In spite of non-cooperative packet loss

45
Community formation around V
V1
V
U
E
V2
  • (Potentially non-cooperative) Vs community must
    be formed at RREP
  • Else V drops RREP and succeeds
  • V1 and V2 need to know Vs upstream

46
Protocol details
  • (RREQ, upstream_node, )
  • (RREP, hop_count, )
  • The extra fields can be spared (in DSR or AODV)

47
ACK-based configurationRemove self healing - not
an essential attribute
communities (if C forwards a correct RREP)
C
D
E
C
B
dest
source
C
48
Community Concept helpsreduce RREQ in mobile
networks
  • How does this work?
  • Proactive re-configuration
  • Each community loses shape due to mobility?
    End-to-end proactive probing to maintain the
    shape
  • PROBE unicast
  • PROBE_REP unicast same as RREP

49
Reconfig in 2-hop scenario
Old community becomes amorphousdue to random
node mobility etc.
  • (PROBE, upstream, )
  • (PROBE_REP, hop_count, )
  • Unicast probing take-over in use

oldF
S
D
newF

50
Communities help in mobile scenario multi-hop
case
dest
source
  • Probing message can be piggybacked in data
    packets
  • Probing interval Tprobe determined by network
    dynamicsSimple heuristics Slow Increase Fast
    Decrease

51
Secure Incentives for Commercial Advertisement
Dissemination in Vehicular Networks
  • Suk-Bok Lee and Seung Hyun Pan
  • Tutor Joon-Sang Park
  • Professor Mario Gerla
  • CS 218 Class Project
  • Fall 2006
  • Accepted at Mobihoc 2007

52
Presentation Outline
  • Ad dissemination in VANET
  • Signature-Seeking Drive
  • Overview
  • One-level advertising
  • Multi-level advertising
  • Evaluations
  • Discussion

53
Ad Dissemination in VANET
  • Commercial Advertising via Car-to-Car
    communication
  • Very promising application
  • High mobility nature of vehicles
  • Currently proposed scenarios
  • Electronic coupon system, FleaNet, Digital
    Billboards

54
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
55
Advertising in VANET
u
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out
Burger
56
Ad Dissemination in VANET
  • In the real world
  • Non-cooperative behaviors
  • Selfish users
  • Malicious users
  • More serious threats
  • e.g. DoS attacks (making dummy ads propagate over
    the network.)
  • Even for naïve users
  • Why should they help forward those commercial
    ads for the benefit of the business companies?

57
Vehicular Ad System
  • Concerns in vehicular ad system
  • Advertisers want to use VANET
  • From a vehicle users viewpoint, the business
    companies are exploiting vehicle users resources
    for their own profit.
  • Graceful compromise
  • Advertisers pay for the incentives for users
  • Charges for network resources
  • Or advertising charges

58
Our framework
  • Signature-Seeking Drive (SSD)
  • Secure incentives for cooperative nodes
  • No tamper-proof h/w assumptions
  • No game theoretic approaches
  • Leverages a PKI (public key infrastructure)
  • A set of ad dissemination designs

59
SSD overview
Vehicular Authority (VA)
Certified Ad
Request for Ad permission
Ad Distribution Point (ADP)
ADI
After verifying ADI, Vehicle u may agree to
disseminate the ad.
u
60
Signature-Seeking Drive Overview
Rw
w
v
ADI
ADI
ADI
Rv
u
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
In return, receiving vehicles v, w provide
signed-receipts to u.
While driving its way, u may collect as many
receipts as it forwards ADI.
61
Signature-Seeking Drive Overview
Vehicular Authority (VA)
Transaction Record
Charge
Colleted receipts
ADI
ADI
ADI
Rw
Rv
. . .
Receipts are exchangeable with virtual cash at
Virtual Cashier (e.g. gas station) a small
portion is reserved for each receipt-providing
nodes, too.
VA charges In-N-Out Burger such virtual cash
induced by ADIs
62
Uncooperative Model
  • Selfish nodes
  • Seek to maximize their own profit
  • Malicious nodes
  • Try to intentionally disrupt the system
  • We may encourage selfish nodes to participate in
    the network with an incentive model, yet
    malicious nodes try to attack the weak point of
    the model.
  • ? Secure incentive !

63
Ad Dissemination Models
  • One-level advertisement
  • Local advertising
  • Most users receive the ad, with reasonable of
    forwarding nodes
  • Multi-level advertisement
  • Intensive advertising over the wide area

64
Notations
65
One-level advertisement
  • 1. Approval for advertisement (company I ??
    Vehicular Authority)

Ad permit
2. Agreement with Ad Distribution Point (Is ADP
?? vehicle u)
Voucher
  • ADP provides u with a voucher for us exclusive
    use.
  • The notion of a voucher limits the dissemination
    to one-level.

66
One-level advertisement
  • 3. Advertisement Dissemination (vehicle u ?
    vehicle v)

Ad permit
Signed receipt
4. Receipt Redemption (vehicle u ? Virtual
Cashier VC)
Voucher
Collected receipts
  • Each VC is connected with VA that maintains all
    the transactions.
  • VC examines whether u has never redeemed us
    voucher for ADI at any other VC before.

67
Multi-level advertisement
  • Level-free advertisement
  • No vouchers, any nodes can reuse ADS and cash
    receipts w/o a voucher
  • Simple and most intensive method for advertising
  • Heavy outlay for advertisement, due to too much
    redundancy
  • Compromise between one-level and level-free
  • n-level advertising
  • Company S sets a limit on the number of
    propagation levels
  • Two designs Hash-chain based, and Onion voucher
    based.

68
Hash chain based n-level advertising
Contacting with Ss ADP
of levels S sets
Random by S
Advertisement Dissemination (u ? v)
Advertisement Dissemination (v ? x)
69
Hash chain based n-level advertising
Receipt Redemption (x ? VC)
  • VC first checks whether n-2 is non-zero and the
    legitimacy of the corresponding hash value.
  • Weaknesses
  • No coercive measures for nodes to reduce their
    permissible levels by 1
  • Malicious users can throw any permissible value
    open to the public

70
Onion voucher based n-level advertising
Example of onion voucher
Contacting with Ss ADP
Onion voucher for u
Advertisement Dissemination (u ? v)
Onion voucher for v
71
Onion voucher based n-level advertising
Example of onion voucher
Receipt Redemption (x ? VC)
xs Onion voucher
  • VC checks that of nodes included in OV is not
    bigger than n
  • Onion voucher secures n-level dissemination
  • Overhead by three-way handshake

72
Evaluations
  • Communication cost
  • Storage requirement
  • Computation overhead
  • Analysis
  • Incentive perspective
  • Security of Signature-Seeking Drive
  • Simulations on ns-2
  • Westwood area (4Km x 4Km) with 1,000 cars
  • West LA (10Km x 10Km) with 5,000 cars

73
Communication cost
  • One-level ad message format (utilizing Elliptic
    Curve Cryptography)
  • senders certificate (84 bytes), ad content (x
    bytes), ad provider ID (8 bytes), and senders
    signature (28 bytes) on ad permit
  • Total message size (120 x) bytes
  • Hash chain based n-level ad message format
  • One-level message size the permissible level
    value (1 byte) its corresponding hash value (20
    bytes in SHA-1) (141 x) bytes
  • Onion voucher based n-level ad message format (of
    a node in level d)
  • Two separate message due to three-way handshake.
  • First message size one-level message size
    (120 x) bytes
  • Second message size Onion voucher (28 bytes)
    the certificates included in onion voucher (d x
    84) (d x 84 28) bytes
  • Message size mainly depends on ad content size x

74
Storage requirement
  • One-level ad model (utilizing ECC)
  • Ad permit (28 bytes), ad content (x bytes),
    voucher (28 bytes), and K collected receipts (28
    bytes) and their corresponding certificates (84
    bytes)
  • Total storage requirement (K x 112 x
    56) bytes
  • Hash chain based n-level ad model
  • One-level storage requirement (excluding voucher)
    the permissible level value (1 byte) its
    corresponding hash value (20 bytes in SHA-1)
    (K x 112 x 49) bytes
  • Onion voucher based n-level ad model (of a node
    in level d)
  • One-level storage requirement (excluding voucher)
    Onion voucher (28 bytes) the certificates
    included in onion voucher (d x 84)
    (d x 84 K x 112 x 28) bytes
  • Note each car may have multiple kinds of ads at
    a time
  • The storage requirement mainly depends on the
    number of the collected receipts

75
Computation overhead
  • Ex. vehicle u has 100 neighbors within its
    communication range, and all the neighbors send
    out their ads at regular interval of r ms.
  • Hash chain based n-level ad model
  • Lower bound of processing time for each incoming
    ad verifying time x 2 signing time 18.45 ms
  • r ms / 100 gt 18.45 ms ? interval length gt
    1.845 sec
  • Onion voucher based n-level ad model
  • Due to three-way handshake ad process
  • Lower bound of processing time for each incoming
    ad receipt ad processing time (verifying time
    x 2 signing time 18.45 ms) receipt
    processing time (verifying time signing time
    10.87 ms) 29.32 ms
  • r ms / 100 gt 29.32 ms ? interval length gt
    2.932 sec
  • Note each car may have multiple kinds of ads at
    a time
  • The interval for each kind of ad may be multiple
    times of the above interval.

76
Upper bound of ad content size
  • For the worst case condition, we set the maximum
    throughput as 6 Mbps (the minimum data rate in
    DSRC)

77
Simulations
  • Running on ns-2
  • Mobility model from Saha et al.
  • Two scenarios
  • Westwood area (4x4Km) with 1,000 cars
  • West LA (10x10Km) with 5,000 cars

78
Unrealistic aspects in our simulation model
  • Mobility model
  • No traffic control
  • Always constant speed
  • Random starting point and destination for each
    node
  • All nodes are always moving within the target
    area.
  • No parked cars, no newcomers, or cars leaving the
    area
  • Number of nodes
  • Too few cars in our simulation model
  • More than 10,000 cars in Westwood area
  • More than 5 million cars in LA

79
Westwood area (4x4Km) with 1,000 cars
  • Ad coverage using varying number of Level 1 nodes
  • Ad coverage by time

80
Westwood area (4x4Km) with 1,000 cars
  • Number of forwarding nodes
  • Avg. received ads per vehicle

81
The END
View by Category
About This Presentation
Title:

Security, privacy and protection in different VANET applications afternoon session

Description:

Security, privacy and protection in different VANET applications afternoon session Mario Gerla – PowerPoint PPT presentation

Number of Views:229
Avg rating:3.0/5.0
Slides: 77
Provided by: ucl122
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Security, privacy and protection in different VANET applications afternoon session


1
Security, privacy and protection in different
VANET applicationsafternoon session
  • Mario Gerla

2
Vehicular security tools/techniquesOutline
  • Conventional tools, Vehicle-PKI and secure
    positioning
  • New tools (e.g., anonymous routing routing
    attack secure incentives situation awareness
    community trust trust cloud of commuters -
    from the social net proposal)
  • Wormholes in the urban grid
  • Privacy v.s. security trade offs

3
Conventional techniques
  • Tamper-proof device
  • V-PKI
  • Anonymous keys
  • Secure Localization

4
Tamper-proof device
  • Each vehicle carries a tamper-proof device
  • Contains the secrets of the vehicle itself
  • Has its own battery
  • Has its own clock (notably in order to be able to
    sign timestamps)
  • Is in charge of all security operations
  • Is accessible only by authorized personnel

5
Digital signatures
  • Symmetric cryptography is not suitable messages
    are standalone, large scale, non-repudiation
    requirement
  • Hence each message should be signed with a DS
  • Liability-related messages should be stored in
    the EDR (event data recorder)

6
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device
(TPD) A unique and certified identity
Electronic License Plate (ELP) A set of
certified anonymous public/private key
pairs Mutual authentication can be done without
involving a server Authorities (national or
regional) are cross-certified
7
The CA hierarchy two options
The governments control certification Long
certificate chain Keys should be recertified on
borders to ensure mutual certification
Vehicle manufacturers are trusted Only one
certificate is needed Each car has to store the
keys of all vehicle manufacturers
8
Anonymous keys
  • Preserve identity and location privacy
  • Keys can be preloaded at periodic checkups
  • The certificate of Vs ith key
  • Keys renewed according to vehicle speed (e.g., 1
    min at 100 km/h)
  • Anonymity is conditional on the scenario
  • The authorization to link keys with ELPs is
    distributed (say, police court)

9
Avoiding Big Brother
10
DoS resilience
  • Vehicles will probably have several wireless
    technologies onboard
  • To thwart DoS, vehicles can switch channels or
    communication technologies
  • Great market for Cognitive Radios

11
Data verification by correlation
?? Bogus info attack relies on false data ??
Authenticated vehicles can also send wrong data
(on purpose or not) ?? The correctness of the
data should be verified ?? Correlation can help
12
Security analysis
  • How much can we secure VANETs?
  • Messages are authenticated by their signatures
  • Authentication protects the network from
    outsiders
  • Correlation and fast revocation reinforce
    correctness
  • Availability remains a problem that can be
    alleviated
  • Non-repudiation is achieved because
  • ELP and anonymous keys are specific to one
    vehicle
  • Position is correct if secure positioning is in
    place

13
What PK cryptosystem to use?
  • Available options
  • RSA Sign most popular, but largest key size
  • ECDSA (Elliptic Curve) most compact
  • NTRUSign (Nth Truncated Polynomial) fastest in
    signing and verification
  • Signature verification speed matters the most
  • Further improvements that can help
  • Vehicles verify only relevant content
  • Several messages signed with same key

14
Performance comparison
15
Performance evaluation
ns-2 simulationsTwo scenarios drawn from
DSRCThe effect of message size (including the
security material) on delay, number of received
packets, and throughput is evaluated
Not to scale
16
How msg size affects Delay,
17
Number of received packets,
18
and Throughput
19
How to securely locate a vehicle
20
Positioning systems
  • Satellites
  • GPS, Galileo, Glonass(Outdoor, Radio Frequency
    (RF) Time of Flight (ToF))
  • General Systems
  • Active Badge(Indoor, Infrared(IR)), Olivetti
  • Active Bat, Cricket(Indoor, Ultrasound(US)-based),
    ATT Lab Cambridge, MIT
  • RADAR, SpotON, Nibble(Indoor/Outdoor, RF-Received
    Signal Strength), Microsoft, Univof Washington,
    UCLAXerox Palo Alto Lab
  • Ultra Wideband Precision Asset Location
    System,(Indoor/Outdoor, RF-(UWB)-ToF),
    Multispectral solutions, Inc.

21
Positioning systems (cont)
  • Ad hoc and sensor nets (no GPS)
  • Convex position estimation (Centralized), UC
    Berkeley
  • Angle of Arrival based positioning(Distributed,
    Angle of Arrival), Rutgers
  • Dynamic fine-grained localization (Distributed),
    UCLA
  • GPS-less low cost outdoor localization(Distributed
    , Landmark-based), UCLA
  • GPS-free positioning (Distributed), EPFL

22
GPS
23
GPS Security Example of attack
A GPS simulator can send strong fake signals to
mask authentic weak signals
24
GPS Security
  • Other vulnerabilities
  • Relaying attack connects the receiver to a
    remote antenna
  • Signal-synthesis attack feeds the receiver with
    false signals
  • Selective-delay attack predicts the signal ?t
    earlier
  • Security solutions
  • Tamper-resistant hardware
  • Symmetric crypto
  • Problem an authenticated receiver can hack the
    system
  • Asymmetric crypto
  • Problem additional delay

25
Distance measurement techniques
26
Attacks on RF and Ultra Sound ToF-based
techniques
27
The challenge of secure positioning
  • Goals
  • preventing an insider attacker from cheating
    about its own position
  • preventing an outsider attacker from spoofing the
    position of an honest node
  • Our proposal Verifiable Multilateration

28
Distance bounding
  • RF distance bounding
  • nanosecond precision required, 1ns 30cm
  • UWB enables clock precision up to 2ns and 1m
    positioning indoor and up to 2km outdoor
  • US distance bounding
  • millisecond precision required,1ms 35cm

29
Distance Bounding (RF)1993 (Brands and Chaum)
to prevent the Mafia fraud attack
The Bound (tr-ts)c/2 gt dreal
30
(No Transcript)
31
(No Transcript)
32
Conclusion on secure positioning
  • New research area
  • Positioning tout court is not yet completely
    solved (solutions will rely on GPS, on
    terrestrial base stations, and on mutual distance
    estimation)
  • Time of flight seems to be the most appropriate
    technique
  • More information available at http//spot.epfl.ch

33
New Tools on VANET Security and Privacy
  • Secure Routing
  • Security Incentives
  • Situation awareness Trust

34
A Secure Ad-hoc Routing Approach using Localized
Self-healing Communities
  • Jiejun Kong, Xiaoyan Hong, Yunjung Yi, Joon-Sang
    Park, Jun Liu, Mario Gerla
  • Computer Science Department Computer
    Science Department
  • University of California, Los Angeles
    University of Alabama, Tuscaloosa
  • jkong,yjyi,jspark,gerla_at_cs.ucla.edu
    jliu,hxycs.ua.edu

35
Problem Statement
  • Threats to on-demand routing
  • Active attack disruptive
  • Denial-of-service attacks
  • Packet loss, rushing attack, black-hole,
    gray-hole, wormhole
  • Passive attack protocol-compliant
  • Eavesdropper, traffic analyst ? anonymous routing
    needed
  • We will focus on active threats
    fromnon-cooperative (selfish or malicious)
    members (eg, INTRUDERS)

36
Typical On-demand Routing Attacks
  • Most active attacks cause repeated RREQs
  • Excessive RREQ repetitions exhaust network
    resource
  • Current mechanism to reduce of allowed RREQ
    floods per connection RREQ rate limit
  • NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND
    RREQ FLOODS
  • RREP DATA packet DROPS
  • Caused by rushing attack etc. Hu et al.,WiSe03
  • THEY Trigger more RREQ floods
  • Source will keep retrying, with repeated RREQ,
    causing massive congestion!!!!

37
RUSHING ATTACK
dest
source
  • Describe RUSHING ATTACK WITH ANIMATION
  • Explain Perrig solution here..

38
Outline
  • Review of current countermeasures
  • Community-based secure routing approach
  • Strictly localized w/ clearly-defined per-hop
    operation
  • Self-healing community substitutes single
    node
  • Our analytic models
  • Sub-polynomial model for network security
  • Stochastic model for mobile networks
  • Empirical simulation verification
  • Summary

39
Other countermeasures (for on-demand routing
against active attacks)
  • Cryptographic protections
  • Cannot stop internal non-cooperative network
    members they have the keys TESLA in Ariadne,
    PKI in ARAN
  • Network-based protections
  • Straight-forward RREQ rate limit DSR, AODV
  • Long RREQ interval causes non-trivial routing
    performance degradation
  • Multi-path secure routingAwerbuch,WiSe02
    Haas,WiSe03
  • Not localized, incurs global overhead, expensive
  • Node-disjoint multi-path preferred, but
    challenging
  • Perrig solution to rushing (is it also multi
    path?)

40
Our design
  • Goal Reduce of allowed RREQ floods (per
    connection) to minimum
  • Ideally, 1 initial on-demand RREQ flood for each
    e2e connection
  • In spite of attacks
  • Solution
  • Build multi-node self-healing communities to
    counter non-cooperative packet loss
  • approach applies to wide range of ad hoc routing
    protocols

41
Community 2-hop scenario
community
  • Explain two hop path intermediate nodes
    community
  • Community leader (to be defined later)

42
Community multi-hop scenario
  • community is dynamically reconfigured (self
    healing)

43
Community Based Security (CBS)
  • End-to-end communication between ad hoc terminals
  • Community-to-community forwarding (not
    node-to-node)
  • Challenge adversary knows CBS is operated in the
    network
  • It would prevent the network from forming
    communities
  • Network mobility etc. will disrupt CBS

44
Community formation re-configuration
  • On demand initial configuration
  • Communities formed during RREP
  • Simple heuristics promiscuously overheard 3
    consecutive (ACKs of) RREP packets? set
    community membership flag for the connection
  • Goal revisited reduce the need of RREQ floods
  • In spite of non-cooperative packet loss

45
Community formation around V
V1
V
U
E
V2
  • (Potentially non-cooperative) Vs community must
    be formed at RREP
  • Else V drops RREP and succeeds
  • V1 and V2 need to know Vs upstream

46
Protocol details
  • (RREQ, upstream_node, )
  • (RREP, hop_count, )
  • The extra fields can be spared (in DSR or AODV)

47
ACK-based configurationRemove self healing - not
an essential attribute
communities (if C forwards a correct RREP)
C
D
E
C
B
dest
source
C
48
Community Concept helpsreduce RREQ in mobile
networks
  • How does this work?
  • Proactive re-configuration
  • Each community loses shape due to mobility?
    End-to-end proactive probing to maintain the
    shape
  • PROBE unicast
  • PROBE_REP unicast same as RREP

49
Reconfig in 2-hop scenario
Old community becomes amorphousdue to random
node mobility etc.
  • (PROBE, upstream, )
  • (PROBE_REP, hop_count, )
  • Unicast probing take-over in use

oldF
S
D
newF

50
Communities help in mobile scenario multi-hop
case
dest
source
  • Probing message can be piggybacked in data
    packets
  • Probing interval Tprobe determined by network
    dynamicsSimple heuristics Slow Increase Fast
    Decrease

51
Secure Incentives for Commercial Advertisement
Dissemination in Vehicular Networks
  • Suk-Bok Lee and Seung Hyun Pan
  • Tutor Joon-Sang Park
  • Professor Mario Gerla
  • CS 218 Class Project
  • Fall 2006
  • Accepted at Mobihoc 2007

52
Presentation Outline
  • Ad dissemination in VANET
  • Signature-Seeking Drive
  • Overview
  • One-level advertising
  • Multi-level advertising
  • Evaluations
  • Discussion

53
Ad Dissemination in VANET
  • Commercial Advertising via Car-to-Car
    communication
  • Very promising application
  • High mobility nature of vehicles
  • Currently proposed scenarios
  • Electronic coupon system, FleaNet, Digital
    Billboards

54
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
55
Advertising in VANET
u
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out
Burger
56
Ad Dissemination in VANET
  • In the real world
  • Non-cooperative behaviors
  • Selfish users
  • Malicious users
  • More serious threats
  • e.g. DoS attacks (making dummy ads propagate over
    the network.)
  • Even for naïve users
  • Why should they help forward those commercial
    ads for the benefit of the business companies?

57
Vehicular Ad System
  • Concerns in vehicular ad system
  • Advertisers want to use VANET
  • From a vehicle users viewpoint, the business
    companies are exploiting vehicle users resources
    for their own profit.
  • Graceful compromise
  • Advertisers pay for the incentives for users
  • Charges for network resources
  • Or advertising charges

58
Our framework
  • Signature-Seeking Drive (SSD)
  • Secure incentives for cooperative nodes
  • No tamper-proof h/w assumptions
  • No game theoretic approaches
  • Leverages a PKI (public key infrastructure)
  • A set of ad dissemination designs

59
SSD overview
Vehicular Authority (VA)
Certified Ad
Request for Ad permission
Ad Distribution Point (ADP)
ADI
After verifying ADI, Vehicle u may agree to
disseminate the ad.
u
60
Signature-Seeking Drive Overview
Rw
w
v
ADI
ADI
ADI
Rv
u
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
In return, receiving vehicles v, w provide
signed-receipts to u.
While driving its way, u may collect as many
receipts as it forwards ADI.
61
Signature-Seeking Drive Overview
Vehicular Authority (VA)
Transaction Record
Charge
Colleted receipts
ADI
ADI
ADI
Rw
Rv
. . .
Receipts are exchangeable with virtual cash at
Virtual Cashier (e.g. gas station) a small
portion is reserved for each receipt-providing
nodes, too.
VA charges In-N-Out Burger such virtual cash
induced by ADIs
62
Uncooperative Model
  • Selfish nodes
  • Seek to maximize their own profit
  • Malicious nodes
  • Try to intentionally disrupt the system
  • We may encourage selfish nodes to participate in
    the network with an incentive model, yet
    malicious nodes try to attack the weak point of
    the model.
  • ? Secure incentive !

63
Ad Dissemination Models
  • One-level advertisement
  • Local advertising
  • Most users receive the ad, with reasonable of
    forwarding nodes
  • Multi-level advertisement
  • Intensive advertising over the wide area

64
Notations
65
One-level advertisement
  • 1. Approval for advertisement (company I ??
    Vehicular Authority)

Ad permit
2. Agreement with Ad Distribution Point (Is ADP
?? vehicle u)
Voucher
  • ADP provides u with a voucher for us exclusive
    use.
  • The notion of a voucher limits the dissemination
    to one-level.

66
One-level advertisement
  • 3. Advertisement Dissemination (vehicle u ?
    vehicle v)

Ad permit
Signed receipt
4. Receipt Redemption (vehicle u ? Virtual
Cashier VC)
Voucher
Collected receipts
  • Each VC is connected with VA that maintains all
    the transactions.
  • VC examines whether u has never redeemed us
    voucher for ADI at any other VC before.

67
Multi-level advertisement
  • Level-free advertisement
  • No vouchers, any nodes can reuse ADS and cash
    receipts w/o a voucher
  • Simple and most intensive method for advertising
  • Heavy outlay for advertisement, due to too much
    redundancy
  • Compromise between one-level and level-free
  • n-level advertising
  • Company S sets a limit on the number of
    propagation levels
  • Two designs Hash-chain based, and Onion voucher
    based.

68
Hash chain based n-level advertising
Contacting with Ss ADP
of levels S sets
Random by S
Advertisement Dissemination (u ? v)
Advertisement Dissemination (v ? x)
69
Hash chain based n-level advertising
Receipt Redemption (x ? VC)
  • VC first checks whether n-2 is non-zero and the
    legitimacy of the corresponding hash value.
  • Weaknesses
  • No coercive measures for nodes to reduce their
    permissible levels by 1
  • Malicious users can throw any permissible value
    open to the public

70
Onion voucher based n-level advertising
Example of onion voucher
Contacting with Ss ADP
Onion voucher for u
Advertisement Dissemination (u ? v)
Onion voucher for v
71
Onion voucher based n-level advertising
Example of onion voucher
Receipt Redemption (x ? VC)
xs Onion voucher
  • VC checks that of nodes included in OV is not
    bigger than n
  • Onion voucher secures n-level dissemination
  • Overhead by three-way handshake

72
Evaluations
  • Communication cost
  • Storage requirement
  • Computation overhead
  • Analysis
  • Incentive perspective
  • Security of Signature-Seeking Drive
  • Simulations on ns-2
  • Westwood area (4Km x 4Km) with 1,000 cars
  • West LA (10Km x 10Km) with 5,000 cars

73
Communication cost
  • One-level ad message format (utilizing Elliptic
    Curve Cryptography)
  • senders certificate (84 bytes), ad content (x
    bytes), ad provider ID (8 bytes), and senders
    signature (28 bytes) on ad permit
  • Total message size (120 x) bytes
  • Hash chain based n-level ad message format
  • One-level message size the permissible level
    value (1 byte) its corresponding hash value (20
    bytes in SHA-1) (141 x) bytes
  • Onion voucher based n-level ad message format (of
    a node in level d)
  • Two separate message due to three-way handshake.
  • First message size one-level message size
    (120 x) bytes
  • Second message size Onion voucher (28 bytes)
    the certificates included in onion voucher (d x
    84) (d x 84 28) bytes
  • Message size mainly depends on ad content size x

74
Storage requirement
  • One-level ad model (utilizing ECC)
  • Ad permit (28 bytes), ad content (x bytes),
    voucher (28 bytes), and K collected receipts (28
    bytes) and their corresponding certificates (84
    bytes)
  • Total storage requirement (K x 112 x
    56) bytes
  • Hash chain based n-level ad model
  • One-level storage requirement (excluding voucher)
    the permissible level value (1 byte) its
    corresponding hash value (20 bytes in SHA-1)
    (K x 112 x 49) bytes
  • Onion voucher based n-level ad model (of a node
    in level d)
  • One-level storage requirement (excluding voucher)
    Onion voucher (28 bytes) the certificates
    included in onion voucher (d x 84)
    (d x 84 K x 112 x 28) bytes
  • Note each car may have multiple kinds of ads at
    a time
  • The storage requirement mainly depends on the
    number of the collected receipts

75
Computation overhead
  • Ex. vehicle u has 100 neighbors within its
    communication range, and all the neighbors send
    out their ads at regular interval of r ms.
  • Hash chain based n-level ad model
  • Lower bound of processing time for each incoming
    ad verifying time x 2 signing time 18.45 ms
  • r ms / 100 gt 18.45 ms ? interval length gt
    1.845 sec
  • Onion voucher based n-level ad model
  • Due to three-way handshake ad process
  • Lower bound of processing time for each incoming
    ad receipt ad processing time (verifying time
    x 2 signing time 18.45 ms) receipt
    processing time (verifying time signing time
    10.87 ms) 29.32 ms
  • r ms / 100 gt 29.32 ms ? interval length gt
    2.932 sec
  • Note each car may have multiple kinds of ads at
    a time
  • The interval for each kind of ad may be multiple
    times of the above interval.

76
Upper bound of ad content size
  • For the worst case condition, we set the maximum
    throughput as 6 Mbps (the minimum data rate in
    DSRC)

77
Simulations
  • Running on ns-2
  • Mobility model from Saha et al.
  • Two scenarios
  • Westwood area (4x4Km) with 1,000 cars
  • West LA (10x10Km) with 5,000 cars

78
Unrealistic aspects in our simulation model
  • Mobility model
  • No traffic control
  • Always constant speed
  • Random starting point and destination for each
    node
  • All nodes are always moving within the target
    area.
  • No parked cars, no newcomers, or cars leaving the
    area
  • Number of nodes
  • Too few cars in our simulation model
  • More than 10,000 cars in Westwood area
  • More than 5 million cars in LA

79
Westwood area (4x4Km) with 1,000 cars
  • Ad coverage using varying number of Level 1 nodes
  • Ad coverage by time

80
Westwood area (4x4Km) with 1,000 cars
  • Number of forwarding nodes
  • Avg. received ads per vehicle

81
The END
About PowerShow.com