Significant developments took place over the past few years in the area of vehicular communication (VC) systems. It is now well understood in the community that security and the protection of private user information are a prerequisite for the deployment of the technology. This is precisely because the benefits of VC systems, whose mission is to enhance transportation safety and efficiency, are at stake: without the integration of strong and practical security and privacy enhancing mechanisms, VC systems could be disrupted or disabled even by relatively unsophisticated attackers. We address this problem within the SeVeCom project, where we have developed a security architecture that provides a comprehensive and practical solution. We present our results in a set of two papers in this issue. In this first one, we analyze threats and types of adversaries, identify security and privacy requirements, and present a spectrum of mechanisms to secure VC systems. We provide a solution that can be quickly adopted and deployed. Our progress towards implementation of our architecture, along with results on the performance of the secure VC system, is presented in the second paper. We conclude with an investigation, based on current results, of upcoming elements to be integrated into our secure VC architecture.
Abstract: Inter-vehicle communication (IVC) systems disclose rich location information about vehicles. State-of-the-art security architectures are aware of the problem and provide privacy enhancing mechanisms, notably pseudonymous authentication. However, the granularity and the amount of location information IVC protocols divulge enable an adversary that eavesdrops on all traffic throughout an area to reconstruct long traces of the whereabouts of the majority of vehicles within that area. Our analysis in this paper confirms the existence of this kind of threat. As a result, it is questionable whether strong location privacy is achievable in IVC systems against a powerful adversary.

I. INTRODUCTION

Inter-vehicle communication (IVC) systems have been actively researched over the past years. Vehicles that can communicate with each other and with road-side units (RSUs) enable a range of applications, for example applications that warn of road dangers and traffic jams, or those that offer comfort enhancements (e.g., automated update of point-of-interest information in car navigation systems). Many of the envisioned IVC protocols and applications rely on position and time information. This requires every vehicle to frequently broadcast its position, combined with a time stamp of message generation, openly to all of its neighbors. As vehicle transmissions can be eavesdropped by anyone within radio range, there exists a clear threat: location information could be collected and misused [18]. By establishing a network of RSUs, any public, private, commercial, or criminal attacker can collect these packets and create detailed location profiles of vehicles and consequently of their drivers.
Possession of such location profiles could easily breach the privacy of drivers, as there is usually a strong correlation between a vehicle and its driver; most vehicles are used by only very few drivers [8]. IVC protocols and applications expose various identifiers of the vehicle, in particular of the vehicular communication equipment. This can be an identifier for a networking protocol or an identifier for an application. We abstract away implementation details and consider the basic problem at hand: the correlation of an identifier ID with a time t and a location l. The (ID, t, l) tuple is called a location sample, and a location profile is a set of multiple tuples (ID, t_i, l_i) for the same identifier ID, where i is simply the index of the sample. In order to enhance privacy, one could blur the information such a profile provides. For example, by decreasing the
Privacy is an important requirement in vehicle networks, because vehicles broadcast detailed location information. Accountability is also important, due to safety-critical applications. Conditional pseudonymity, i.e., the use of resolvable pseudonyms, is a common approach to address both. Often, resolvability of pseudonyms is achieved by authorities maintaining pseudonym-identity mappings. However, these mappings are privacy sensitive and require strong protection to prevent abuse or leakage. We present a new approach that does not require pseudonym-identity mappings to be stored by any party. Resolution information is directly embedded in pseudonyms and can only be accessed when multiple authorities cooperate. Our privacy-preserving pseudonym issuance protocol ensures that pseudonyms contain valid resolution information but prevents issuing authorities from creating pseudonym-identity mappings.

II. RELATED WORK

Privacy and pseudonymity have been discussed in many research projects like PRIME and there are resulting frame-

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the WCNC 2010 proceedings. 978-1-4244-6398-5/10/$26.00 ©2010 IEEE

K(CA_h) = {id_CA_h, id_V, req, id, exp, C_1, ..., C_n, m_i}.

PP learns the presented V-token V_i and the pseudonym P_i it issues, but not id_V:

Further, we define the identity set I(V) = {id_V} and the anonymity set A(V) = {V_i, P_i} for vehicle V. An adversary can only link a pseudonym to V if it knows at least one item from I(V) and one from A(V) after protocol execution. Thus, to prevent linking, the following condition must be fulfilled:

This holds true for CA_h and also for PP:

Therefore, neither CA_h nor PP can link P_i and id_V on their own.
We can further show that linking is not possible even if CA_h and PP collude. Because the authentication and acquisition phases are decoupled, a shared information set between CA_h and PP would be required for linking:
The increasing integration of computational components and physical systems creates cyber-physical systems, which provide new capabilities and possibilities for humans to control and interact with physical machines. However, the correlation of events in cyberspace and the physical world also poses new safety and security challenges. This calls for holistic approaches to safety and security analysis for the identification of safety failures and security threats, and for a better understanding of their interplay. This paper presents the application of two promising methods, i.e. Failure Mode, Vulnerabilities and Effects Analysis (FMVEA) and Combined Harm Assessment of Safety and Security for Information Systems (CHASSIS), to a case study of safety and security co-analysis of cyber-physical systems in the automotive domain. We present the comparison, discuss their applicability, and identify future research needs.