privacy-preserving authentication schemes for vehicular ad hoc networks: a survey

WIRELESS COMMUNICATIONS AND MOBILE COMPUTINGWirel. Commun. Mob. Comput. (2014)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/wcm.2558

RESEARCH ARTICLE

Privacy-preserving authentication schemes forvehicular ad hoc networks: a surveyHuang Lu1 and Jie Li2*

1 Yokohama Research Laboratory, Hitachi, Ltd.,Yokohama, Kanagawa, 244-0817, Japan2 Faculty of Engineering, Information and Systems, University of Tsukuba, Tsukuba Science City, Ibaraki, 305-8573, Japan

ABSTRACT

Vehicular ad hoc networks (VANETs) are expected in improving road safety and traffic conditions, in which securityis essential. In VANETs, the authentication of the vehicular access control is a crucial security service for both inter-vehicle and vehicle–roadside unit communications. Meanwhile, vehicles also have to be prevented from the misuse ofthe private information and the attacks on their privacy. There is a number of research work focusing on providing theanonymous authentication with preserved privacy in VANETs. In this paper, we specifically provide a survey on theprivacy-preserving authentication (PPA) schemes proposed for VANETs. We investigate and categorize the existing PPAschemes by their key cryptographies for authentication and the mechanisms for privacy preservation. We also provide acomparative study/summary of the advantages and disadvantages of the existing PPA schemes. Lastly, the open issues andfuture objectives are identified for PPA in VANETs. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS

vehicular ad hoc network; survey; authentication scheme; privacy preservation; key cryptography

*Correspondence

Jie Li, Faculty of Engineering, Information and Systems, University of Tsukuba, Tsukuba Science City, Ibaraki, 305-8573, Japan.E-mail: [email protected]

1. INTRODUCTION

A vehicular ad hoc network (VANET) is a mobile net-work that employs moving vehicles as nodes to providecommunications among vehicles and nearby fixed road-side units (RSUs) [1]. A VANET is similar to a mobilead hoc network (MANET), which turns every participatingvehicle into a wireless router or node and allows vehiclesin an approximately 300-m range to discover and connectwith each other [2,3]. A VANET is distinguished fromMANETs for the points as follows.

� Because of high speed movement of vehicles and fre-quently disconnected network caused by high speedmovement, a VANET has highly dynamic topologies.

� Vehicular nodes in a VANET have sufficient energyand storage for communication, and the vehicles havelonger transmission range compared with the onesin MANETs.

� VANETs are subject to geographical type of com-munication with mobility modeling and prediction onpredefined roads.

� Delay constraint is strict in the VANET commu-nication; for example, in collision avoidance andlife-critical-related situations.

As mobile wireless devices and wireless networks becomeincreasingly influential in recent years, the demand forvehicle-to-vehicle (V2V) communication and vehicle-to-RSU (V2R) communication increases continuously.

Vehicular ad hoc networks are utilized for a broad rangeof safety applications (such as collision warnings and traf-fic information) and non-safety applications (such as roadnavigation and mobile infotainment). Because of the pos-sibility of accidents and life-critical situations, the secureexchange of information among vehicles is essential [4].Security issues have received a great attention in VANETs.Authentication is a crucial security service for VANETsin both inter-vehicle and vehicle–RSU communication. Onthe other hand, vehicles/drivers have to be protected fromthe misuse of their private information and the attacks ontheir privacy, where they are capable of being investigatedfrom accidents or liabilities. Especially, the safety applica-tions require a strong mutual authentication, because mostof the safety-related messages may contain life-criticalinformation [5]. Thus, privacy-preserving authentication

Copyright © 2014 John Wiley & Sons, Ltd.

Privacy-preserving authentication schemes for VANETs: a survey H. Lu and J. Li

Figure 1. An illustration of VANET architecture.

(PPA) is required for routing and secure communications in

VANETs, which prevents malicious vehicles from abusing

anonymous authentication techniques to achieve malicious

goals or escape from their liabilities.

In this paper, different from general security solutions,

we specifically provide a survey on the PPA schemes pro-

posed for VANETs, by emphasizing classifications of the

existing literature, developing a perspective on PPA, and

evaluating trends. So far, many PPA schemes have been

proposed for VANETs in the literature in recent years; for

example, [6–12]. We investigate and summarize the char-

acteristics of PPA, and categorize the existing PPA schemes

by their key cryptographies and the mechanisms of pri-

vacy preservation. Furthermore, we address the open issues

and challenges for PPA to promote further research under

this topic and to help vehicular industry develop/adopt the

appropriate PPA schemes for practical use.

The rest parts of this survey are organized as follows.

Section 2 introduces the network architecture and issues

of PPA, as well as provides the attack models against

PPA and the objectives of designing the PPA schemes in

VANETs. Section 3 categorizes the existing solutions of

the PPA schemes in VANETs, by investigating the authen-

tication key cryptographies and the privacy preservation

mechanisms, respectively. In Section 4, several relatively

representative PPA schemes are reviewed with the high-

lighted motivation and overview. Furthermore, a general

comparative summary of the existing PPA schemes is

given for the various approaches discussed in Section 3.

Section 5 points out the open issues and challenges for the

future research in PPA for VANETs. Section 6 concludes

this paper.

2. VANET ARCHITECTURE,REQUIREMENTS, AND OBJECTIVESOF PPA

This section describes the fundamental network architec-ture and components in the PPA schemes for VANETs.The potential threats to authentication and vehicle pri-vacy, as well as the objectives of PPA for VANETs, areintroduced afterwards.

2.1. VANET architecture

A VANET with guaranteed security basically consists ofthree network components as shown in Figure 1: vehicles(users), RSUs, and regional trusted authorities (RTAs). Auser can be a vehicle or its driver; even the passengers ofthe vehicle could be users. In order to achieve physicallevel security, usually, vehicles in a VANET are equippedwith tamper-resistant trusted components or tamper-proofdevice [13]. RSUs are immobile and act as gateways toa VANET, which enables vehicles to establish connec-tions with the outside networks [14]. Conventionally, theVANET is separated into different regions (e.g., states orprovinces), and an RTA is assumed to be assigned in anindividual region. The RTA is a trusted party in a VANETfor security, which provides an authenticated recognitionto each vehicle in the network and is queried for investiga-tion in case of any disputes in the network. The RSUs assistthe RTA in queries for discovering, connecting, and revok-ing vehicles and in tracking the real identities of vehicles[15]. In most of the PPA schemes for VANETs, the mainfunctions of an RTA are as follows.

� An RTA acts as a certificate authority (CA), who gen-erates cryptographic keys and domain parameters for

Wirel. Commun. Mob. Comput. (2014) © 2014 John Wiley & Sons, Ltd.DOI: 10.1002/wcm

H. Lu and J. Li Privacy-preserving authentication schemes for VANETs: a survey

the RSUs and vehicles for mutual authentication inits region, and delivers these keys to them over securechannels. Upon the similar responsibilities, the CAmay have different names in the various existing PPAschemes, such as the membership manager (MM) [6]and the Motor Vehicles Division (MVD) [9].

� It manages a list of the vehicles of which participa-tions have been revoked, updates the list periodically,and advertises the list to the network to isolate thecompromised vehicles.

� If a message sent by a vehicle creates a problem on theroad, the RTA is responsible for tracing and identify-ing the source of the message to resolve the dispute.

The wireless communication in VANETs is classifiedmainly into V2R communication and V2V communica-tion. Other communications are usually assumed to besecure in the existing PPA schemes through secure chan-nels, such as inter-RSU communication and RSU–RTAcommunication.

2.2. Authentication and privacyrequirements

The desired secure and trustful data exchange plays a cru-cial role in data communication, which must be satisfiedwith several security requirements. It is essential to ensurethe data accuracy during communication in VANETs,because the exchanged data may affect driving and vehic-ular movements that related to user safety. Issues andtheir attack models against PPA are introduced in the nextsection. Authentication and privacy preservation are essen-tial to effective security, which may sometimes conflictwith each other. Because access control is generally basedon the identities of users, a desired user authenticationshould not violate the privacy requirement of its identity.

According to the previous point of view, it is desir-able to identify all the vehicles in a VANET and preservetheir privacy at first. Thus, it is necessary to authenticatethe vehicles, which are about to establish communicationin the VANET, to assure authenticity. Meanwhile, it isrequired to discover the specific vehicles, which deliveredmessages and have to undertake the corresponding respon-sibility. A desired VANET fulfills the requirements of bothauthentication and privacy preservation at the same time.Based on Standler [16], we provide the definition of PPAfor VANETs in the succeeding text.

Definition 1. In VANETs, PPA is any process, by whicha system verifies the approved identity of a user (vehicle)that wishes to access it, whereas its confidential privateinformation related to the user of reasonable sensitivitieswill not be disclosed.

This definition describes the basic demand on therequirements of conditional privacy preservation andtraceability in PPA, in which the confidential userinformation managed in a private place will not be dis-

closed to the third parties without the legal permissions.There exist many researches in the literature focusing onthe commitment of the requirements in PPA. We study therelated work in the next section, and their objectives areto provide required conditional privacy by using trustfulelectronic credentials instead of real identities.

2.3. Attacks on authentication and privacy

Once the V2R or V2V communication has been estab-lished for VANETs, many attacks can compromise thewireless communication channels. Thus, mechanismsresisting these attacks are required in PPA for VANETs.In this section, we investigate the attacks on authentica-tion and privacy preservation, respectively. We also explainhow they can be triggered and the potential consequences.

Attacks on authentication: There are two followingattacks related to authentication in VANETs [17].

(i) Impersonation attack: The attacker pretends to beother entities. This attack can be performed bystealing other vehicular entities’ credentials. As aconsequence, some warnings sent to a specific entitywould be sent to an undesired one.

(ii) Sybil attack: The attacker uses different identitiesat the same time. In this way, for example, a sin-gle attacker could pretend vehicles to report theexistence of a false bottleneck in traffic.

Attacks on privacy: Attacks on privacy over VANETsare related to illegally gathering the sensitive informationabout vehicles [17]. As there is a relation between a vehi-cle and its driver, the exposure of a vehicle’s sensitiveinformation/situation could affect its driver privacy.

(i) Identity revealing attack: Getting the owner’s iden-tity of a given vehicle could put its privacy at risk.Usually, a vehicle’s owner is also its driver, soit would simplify getting personal data about thatperson.

(ii) Location tracking attack: The location of a vehiclein a given moment or the path followed during aperiod is considered as personal data. It allows theattacker to build the vehicle’s profile and, therefore,tracking its driver.

Mechanisms resisting the attacks described earlier arerequired in PPA for VANETs, where they must satisfy thetrade-off between privacy and traceability.

2.4. Objectives of PPA

The primary objective of PPA is providing mutual authen-tication among vehicles in VANETs. However, the accessof authentication may lead to exposing the information ofvehicles or drivers, such as location, user IDs, and drivingpatterns, which is an important interference to driver pri-vacy. Therefore, it is essential to preserve driver privacy in



the access control of authentication. Another crucial goalin PPA is guaranteeing the real-time constraint in VANETs,which is related to the delay overhead introduced in PPAprocess. Besides authentication and privacy preservation,some other objectives are considered and preferred in theexisting work for the effective and efficient PPA. In thissurvey, we incorporate the common objectives in the exist-ing PPA schemes and focus on the following points in thePPA schemes for VANETs.

� Anonymity: Anonymity is to achieve user privacyin VANETs. Individual users (vehicles or drivers)should be protected against passive attacks fromunauthorized observations; that is, eavesdroppingon communication.

� Non-repudiation: In VANETs, non-repudiation isrelated to a fact that if a vehicle sends a message, thevehicle cannot deny that the message was sent by it.Conventionally, by producing digital signatures for amessage, the entity cannot later deny the message.

� Time constraint: Because of the high mobil-ity of vehicular movement, strict time constraintis required in VANETs, which means that thelower the delay overhead, the more efficient thetimely communication.

� System independency: Because of the possibility ofinfrastructure unavailability in VANETs, includingRSUs and RTAs, the desired PPA schemes should notquery and access infrastructures so frequently.

� Availability: The solution of a new PPA schemeis desired neither to overload the communicationand computation ability of a VANET nor to largelyincrease the network throughput. Meanwhile, the PPAscheme should not induce new threats to the primitiveVANET system.

3. CLASSIFICATION OF THEPPA SCHEMES

There is a number of research work related to PPA inVANETs during the last decade. Because the particularactual identities of vehicles are confidential for privacypreservation in PPA, authentication is generally basedon the encryption/decryption technologies. Thus, in thissection, we categorize the PPA schemes by authenticationkey cryptographies and privacy preservation mechanismsrespectively as follows.

3.1. Categorization on authentication

The common objectives of these PPA schemes are to lowercommunication overhead, preserve node anonymity, iso-late the misbehaving nodes, and non-repudiation. In thissurvey, according to the key cryptographies applied forauthentication in VANETs, we can categorize the existingPPA schemes as follows.

(i) Symmetric-key-based authentication (SKBA)schemes: The SKBA schemes use symmetric keycryptographies for message authentication, such asin [7] and [18]. In conventional SKBA schemes,each node uses its own key or a shared groupkey for creating/verifying message authenticationcodes (MACs).

(ii) Asymmetric-key-based authentication (AKBA)schemes: The AKBA schemes use public keycryptographies or digital signatures for sign-ing/verification in authentication. The public/privatekey pair can be the group-based public key withmultiple corresponding private keys or the node’sown public key with the individual private key forthe digital signature. Meanwhile, according to theprobability and frequency of infrastructure access(e.g., RSUs and RTAs), we can further categorizeAKBA schemes as follows.

� Public-key-infrastructure-based (PKI-based) authen-tication schemes: The PKI-based schemes requireinfrastructure access frequently to verify certificates,revoke keys, or gather new keys, such as in [6]and [19]. Conventional PKI-based schemes requireadditional communication to manage the certificaterevocation lists, which causes heavy overheads.

� Identity-based (ID-based) authentication schemes:the ID-based schemes have been proposed to reducecommunication overheads by using ID-based cryp-tosystems in authentication, such as in [20] and [9].Conventional ID-based schemes simplify the certifi-cate management process by using the vehicle’s iden-tity in signing and verification of digital signatures.

3.2. Categorization on privacy preservation

In VANETs, vehicles usually do not want their privateinformation such as name, position, moving routes, anduser data to be revealed against illegal tracing and user pro-filing. Thus, the authorization of the third parties, anony-mous communications, or the anonymity of user identitiesshould be supported to preserve privacy in VANETs [21].On the other hand, when traffic accidents or certain crimesoccur, vehicle anonymity should be conditional and theidentity information has to be revealed by the legal author-ity to establish the liability of accidents or crimes, which isso-called conditional privacy [4]. In this survey, accordingto the different mechanisms applied for privacy preserva-tion in VANETs, we categorize the mechanisms for privacypreservation as follows.

(i) Authorization-based privacy preservation (ABPP):The mechanisms used in ABPP usually applyanonymous key management to preserve privacyin authentication, such as in [22] and [23].Anonymous key pairs, which do not contain anyinformation of vehicle IDs, are certificated by theRTA or CA. In this way, the relationship between the



anonymous key pairs and the actual vehicle iden-tity cannot be discovered by a third party without aspecial authorization. Normally, a vehicle will man-age a set of anonymous keys to prevent tracking.The key point in ABPP is the distribution of autho-rized materials among authorities, where authoritiesaccess the database of key management and matchanonymous key pairs with the real vehicle identities.

(ii) Pseudonym-based privacy preservation (PBPP):The usage of pseudonyms to achieve vehicleanonymity is a superior solution for privacy preser-vation to PPA [5], which intimately links a real-world ID to the corresponding pseudonyms, suchas in [20] and [24]. The pseudonym may be gener-ated by RSUs, RTAs, the vehicle itself, or even canbe downloaded from a trusted site periodically. Theadoption of pseudonyms in PPA conceals the real-world identity of vehicles; even though peer vehi-cles cannot identify the sender of a specific message,it is still able to authenticate the sender. By fre-quently updating the pseudonyms during commu-nication, PBPP defends legitimate vehicles againstlocation tracing and user profiling.

Both ABPP and PBPP prevent malicious vehicles fromabusing anonymous authentication techniques to achievemalicious goals or escape from their liabilities. An idealPPA scheme in VANETs must have a mechanism to val-idate authenticated transmissions and conditional privacypreservation. In Figure 2, we draw an intuitional chart toillustrate the techniques and mechanisms used in the PPAschemes, and their categorizations.

4. OVERVIEW AND COMPARISONOF THE PPA SCHEMES

In this section, representatively, several highly citedapproaches of PPA for VANETs are reviewed. The moti-vation and overview of each scheme are highlighted.Moreover, a general up-to-date comparative summary ofthe existing PPA schemes is given, based on the variousapproaches discussed in the last section.

4.1. PPA scheme highlights

So far, a number of the PPA schemes for VANETshave been proposed. In order to present the features andcharacteristics of different types of the PPA schemesfor VANETs, here, we introduce relatively representa-tive and highly cited PPA schemes selectively. For bet-ter understanding, we study one PPA scheme for eachtype of the PPA schemes categorized in the last section;that is, the SKBA–ABPP schemes, the SKBA–PBPPschemes, the AKBA–ABPP schemes, and the AKBA–PBPP schemes, respectively.

4.1.1. TSVC: SKBA–PBPP scheme.

An SKBA–PBPP scheme, the timed efficient and securevehicular communication (TSVC) scheme, has been pro-posed for VANETs with privacy preservation by X. Lin etal. [7]. TSVC aims at minimizing the packet overhead.The communication and computation overhead of TSVCis reduced because of the short MAC tag attached in eachpacket for the packet authentication, by which a fast hashoperation is required to verify each packet.

The TSVC is based on Timed Efficient Stream Loss-tolerant Authentication (TESLA) [25] that needs to per-form symmetric MAC operation at the receiver to authen-ticate the source of the message. Each vehicle generatesa hash chain h1, h2, : : : , hn, initiated from a random seedS. Each element in the hash chain is in charge of generat-ing a number of MAC codes for a number of messages asthe cryptographic keys, which will be released after a shortdisclosure delay ı. The authentication process in TSVCscheme is illustrated in Figure 3.

� For an arbitrary sender O, it generates the MAC tagsof the messages using hj as the encryption keys. Inthe data packet sent by O, where Mj is the safetymessage, PVID is the pseudo ID of vehicle O, andTj is the time when the sender sends the data packet.

� Then, the sender O prepares the first key releasepacket kr_P1, by signing the commitment of thehash chain h1, where h1 is the key to generate theMAC tag for message M1, CertO is the currently

Figure 2. Techniques and mechanisms used in the PPA schemes.



Figure 3. An illustration of the TSVC scheme, redraw from the work in [7].

used anonymous public key certificate, SKO is thecorresponding private key to CertO, T 0 is the timewhen the sender sends the key release packet, andindex represents the index of the current hash valuein the hash chain.

� On receiving the first data package from the sender,the receivers will then store the information such asthe PVID and T1 in order to synchronize the laterpackets that are sent by the same source.

� When receiving data packet Pj, j > 1, the receiverssimply put the received packet in the buffer withouttrying to verify them. As soon as the next key releasepacket kr_Pj arrives, the receivers will start to verifythe previous data packet.

Enlightened by TESLA authentication protocol, the TSVCscheme only needs to perform symmetric MAC operationat the receiver, which is sufficient to authenticate the sourceof the message.

4.1.2. VAST: SKBA–ABPP scheme.

An SKBA-ABPP scheme, the VANET authenticationscheme using TESLA++ (VAST), has been proposed byStuder et al. [18]. VAST provides multi-hop authentica-tion in VANETs, by migrating the TESLA protocol [25] toVANETs, named TESLA++, to achieve efficient messageverification and its management in authentication.

In TESLA++ of VAST, it requires the receiver vehicleto store a self-generated MAC of the received messageMAC code. The message and the MAC key will not berevealed until the key expiration. For the privacy preserva-tion, vehicles may use a given key chain from the trustedauthority for the MAC in TESLA++ to achieve privacyin authentication. Note that VAST combines TESLA++with the elliptic curve digital signature algorithm (ECDSA)signatures, where ECDSA is utilized for message non-repudiation if necessary. ECDSA is only performed whena certain application queries non-repudiation or TESLA++authentication fails. In the proposed TESLA++, the senderfirst sends the message’s MAC MACS along with the key

index i, and when the key expires, it sends the correspond-ing message M, key Ki, and i. The receiver first computesthe MAC MACR using a local secret key KRecv. This valueis stored and later used for comparison in verification, andthe message is accepted if MAC is identical. The illus-tration of VAST is shown in Figure 4, where the senderbroadcasts an authenticated message M.

� Receivers perform two types of verification:

(1) A TESLA++ verification in steps 7, 8,and 9.

(2) The digital signature verification in step10 when the application requires non-repudiation or step 13 when TESLA++authentication fails (possibly due to a lostMAC) and if CPU utilization is below cer-tain thresholds. The thresholds provide flex-ibility within VAST, such that VANET’ssystem designers can mold the scheme tomeet application needs.

� TESLA++ provides authentication and a filter of thedata broadcast during times of high computationalload. The previously received and recorded MAC(steps 2 to 5) ensures the validity of the message andthe signature, while the hash chain ensures that theproper key is used (step 7).

� Under VAST, the digital signature is authenticatedusing TESLA++ (steps 7 to 9) before it is veri-fied, preventing the majority of computational andmemory-based denial of service (DoS) attacks.

� In the case where the receiver has no record of theTESLA++ MAC, the receiver will only verify thesignature of the message if the extra computationwill not lead to a DoS (until step 12).



Figure 4. An illustration of the VAST scheme, redraw from the work in [18].

Figure 5. An illustration of the GSIS scheme, redraw from the work in [6].

4.1.3. GSIS: AKBA–ABPP scheme.

An AKBA–ABPP scheme, by integrating the techniquesof group signature and identity-based signature (GSIS), hasbeen proposed for VANETs by X. Lin et al. [6]. GSISprovides node anonymity while allowing for revocableprivacy; meanwhile, it does not require extensive androbust infrastructure support.

In GSIS, group signature is used to secure the communi-cation between vehicles, where messages can securely andanonymously be signed by senders. It provides anonymity

of the signer and non-repudiation of authorized third par-ties. A signature scheme using ID-based cryptographyis adopted in RSUs to ensure authenticity, which usesthe identity of each RSU as the public key for sign-ing messages sent by RSUs. The GSIS scheme for V2Vauthentication contains five phases as illustrated inFigure 5, which is similar to V2R authentication.

� The first phase is the membership registration, inwhich an MM generates the vehicle’s private key.



� The second phase consists of signing a message.For any given message, a vehicle signs the messageas a function of both the group public key and thevehicle’s private key.

� Verification of a received message is processed inthe third phase. A time stamp is first verified, andif passed, signature verification is processed usingthe group public key and certain system parameters.If the message fails at any of verification steps, themessage is simply dropped.

� The fourth phase is for the membership traceabil-ity, which occurs whenever there is a query and thereal ID of the message signer is needed. This phaseconsists of three steps. In the first step, a tracingmanager first checks the validity of the signature andthen generates vehicle’s private key, and then sendsthe query message to the MM in the second step. Inthe third step, the MM looks up the actual ID of thevehicle for investigation.

� The last phase is the membership revocation.

4.1.4. PACP: AKBA–PBPP scheme.

An AKBA–PBPP scheme, the pseudonymousauthentication-based conditional privacy (PACP) scheme,has been proposed for vehicular communications by D.Huang et al. [9]. The construction of PACP is basedon pairing of identity-based encryption, which is amathematical structure based on elliptic curve cryp-tosystem assumptions. The main contribution of PACPis to allow vehicles to generate provably anonymousand computationally efficient pseudonyms to ensureconditional privacy.

In PACP, vehicles interact with RSUs to help themgenerate pseudonyms for anonymous authentication andprovide conditional privacy to the vehicles in VANETs.Pseudonym generation for a vehicle requires three typesof entities; namely, the vehicle, the MVD (i.e., the RTAor CA), and the RSU. The interaction between these threeentities is illustrated in Figure 6.

� A vehicle Va provides the required identity informa-tion to the MVD as part of the registration process(step (1)).

� Then, the MVD issues Va a ticket (step (2)). Theticket uniquely identifies Va; however, it does notreveal Va’s true identity.

� When moving on the road, Va authenticates itselfwith the nearest RSU and obtains a pseudonymtoken (steps (3) and (4)).

� Then, Va uses the token to generate its pseudonyms(step (5)). Note that the RSU does not learn anyprivate information of the vehicle.

As a result, the RSU is unaware of the vehicle’s true iden-tity, and only can map a ticket to a pseudonym token andthe generated pseudonym. For authentication, PACP con-sists of three building blocks based on an identity-based

Figure 6. An illustration of the PACP scheme, redraw from thework in [9].

encryption scheme [26]; namely, registration, generation,and extraction.

4.2. PPA schemes: security analysis

The security efficacy of the PPA schemes relies on theapplied cryptographies and key managements in differentencryption algorithms, where the encryption algorithm issecure if the corresponding cipher-text cannot be decryptedwithout the corresponding keys. However, the security ofthe encryption algorithms cannot be compared because ofdifferent encryption types, key/cipher sizes, and algorithmsteps. Thus, in this paper, in order to analyze the securityof the existing PPA schemes, we investigate the cases whenan adversary (attacker) exists in the network introduced inSection 2.3, and detail the solutions and countermeasuresagainst various adversaries and attacks.

4.2.1. Solutions to attacks on authentication.

In the PPA schemes, authentication is guaranteed byapplied cryptographies, which deal with this attack modelon PPA. According to the classifications in Section 3,in SKBA schemes, symmetric key cryptographies areapplied for message authentication, where the messagesare usually protected by authentication codes. Whereasin AKBA schemes, asymmetric key cryptographies areapplied for message authentication, where messages areusually bounded with the corresponding digital signa-tures. Both the authentication codes and the digital sig-natures withstand the attacks on authentication, based onthe applied cryptographies and the corresponding encryp-tion keys. In this way, the adversaries cannot generate thecorrect authentication codes or digital signatures for therecipients to trigger the attacks on authentication.

4.2.2. Solutions to attacks on privacy.

In the PPA schemes, privacy preservation is guaranteedby applied anonymity techniques, which deal with thisattack model on PPA. For ABPP mechanisms, anonymous



Table I. Comparative summary of the existing PPA schemes.

Key cryptographies MechanismRelated security requirements

PPA scheme for for privacy Non- Time System(in chronological order) authentication preservation Anonymity repudiation constraint independency

GSIS [6], 2007 PKI-based AKBA ABPP Yes Yes � Low

Hybrid [27], 2007 PKI-based AKBA PBPP Yes Yes 4 High

ECPP [22], 2008 ID-based AKBA ABPP Yes Yes 4 Low

Kamat et al. [28], 2008 ID-based AKBA PBPP Yes Yes � Low

PPGCV [29], 2008 SKBA ABPP Yes No 4 High

PPAA [30], 2008 ID-based AKBA PBPP Yes Yes 4 High

TSVC [7], 2008 SKBA PBPP Yes No � Low

Zhang et al. [31], 2008 ID-based AKBA ABPP No No � Low

Xi et al. [32], 2008 PKI-based AKBA PBPP Yes No 4 Low

RAISE [8], 2008 SKBA PBPP Yes Yes � Low

Choi et al. [33], 2009 ID-based AKBA ABPP Yes Yes � Low

TACK [34], 2009 PKI-based AKBA PBPP Yes Yes 4 Low

VAST [18], 2009 SKBA ABPP No Yes 4 High

ESAP [35], 2010 ID-based AKBA PBPP Yes Yes � Low

PASS [19], 2010 PKI-based AKBA PBPP Yes Yes 4 Low

Salem et al. [36], 2010 PKI-based AKBA ABPP No No 4 Low

Sun et al. [20], 2010 ID-based AKBA PBPP Yes Yes � Low

Tan [37], 2010 ID-based AKBA PBPP Yes Yes 4 High

Biswas et al. [38], 2011 ID-based AKBA ABPP No Yes � Low

PACP [9], 2011 ID-based AKBA PBPP Yes Yes � Low

Chaurasia et al. [39], 2011 PKI-based AKBA ABPP No No � Low

MAPWPP [40], 2011 ID-based AKBA PBPP Yes Yes � Low

PAACP [23], 2011 PKI-based AKBA ABPP No Yes 4 Low

Burmester et al. [41], 2012 SKBA PBPP Yes Yes 4 Low

Lu et al. [24], 2012 ID-based AKBA PBPP Yes No � High

SPA [42], 2012 PKI-based AKBA ABPP Yes Yes 4 High

LPP [43], 2012 PKI-based AKBA PBPP Yes Yes � Low

CPAS [10], 2012 ID-based AKBA PBPP Yes Yes � Low

ACPN [44], 2013 ID-based AKBA PBPP Yes Yes � High

key managements are applied for privacy preservation,where the certificated anonymous key pairs are usuallyused for authentication. Whereas for PBPP mechanisms,vehicle anonymity is used for privacy preservation, wherethe corresponding vehicular pseudonyms are usually gen-erated for cryptographies in authentication. The adoptionof the ABPP and PBPP mechanisms conceals the real-world identities of vehicles in the VANET communica-tions, which defend the legitimate vehicles against locationtracing and user profiling from the adversaries.

4.3. PPA schemes: summaryand comparison

For an overall recognition and identification to the develop-ment of the PPA schemes, so far, we provide an up-to-datecomprehensive summary of the existing PPA schemes inthe literature shown in Table I. We arrange the existing

PPA schemes in a chronological order in the table, inwhich their categories and security requirements are listedbased on the explanations in Sections 2 and 3. We thencategorize them by the key cryptographies and privacy-preserving mechanisms applied in these PPA schemes,based on the classifications in Section 3. As mentioned inthe last section, the security efficacy of the PPA schemesrelies on the applied cryptographies and key managementsin different encryption algorithms, which is hard to com-pare. Thus, we mainly focus on the feasibility in VANETsand the computational efficiency of the PPA schemes, inthe comparative summary of the existing PPA schemes.

In Table I, “yes/no” indicates whether or not the pro-posed scheme satisfies the related security requirementsto PPA. “�/4” indicates whether or not the proposedPPA scheme is efficient in communication and compu-tation to meet the time constraint in VANETs, where� means low delay overhead and 4 means high delay



Table II. Acronyms and notations in Table I.

Character Explanation

AKBA : Asymmetric-key-based authenticationSKBA : Symmetric-key-based authenticationABPP : Authorization-based privacy preservationPBPP : Pseudonym-based privacy preservationYes/no : Whether or not the proposed scheme satisfies the related security

requirements to privacy-preserving authentication.�/4 : Whether or not the proposed scheme is efficient in communication

and computation to meet the time constraint in VANETs.High/low : The level of infrastructure support for privacy-preserving

authentication in the proposed scheme.

Table III. Summary of characteristics in the four categories of privacy-preserving authentication (PPA).

Related security requirements

PPA types Anonymity Non-repudiation Time constraint System independency

SKBA-ABPP schemes 4 � 4 �

SKBA-PBPP schemes � 4 � 4

AKBA-ABPP schemes 4 � 4 �

AKBA-PBPP schemes � 4 � 4

overhead. “High/low” indicates the level of infrastructuresupport for PPA in the proposed scheme, where “high sys-tem independency” means that the proposed scheme needscomparatively less infrastructure access, in both protocolinitialization and PPA process of communication, and viceversa. The values of the summarizing items in Table I aredecided based on our opinions on the references, which arerelated to the steps of verification calculations and the com-plexity of cryptographies. For convenience, the acronymsand notations used in Table I are listed in Table II.

Additionally, based on the study of the PPA schemesin Table I, we can further sum up the characteristics ineach type of the PPA schemes categorized in Figure 2of Section 3; that is, the SKBA–ABPP schemes, theSKBA–PBPP schemes, the AKBA–ABPP schemes, andthe AKBA–PBPP schemes in the following Table III. Sim-ilarly, to the notations in Table I, “�/4” indicates whetheror not this type of the PPA schemes are adequate or poten-tial to achieve the related security requirements, where 4means that the corresponding type of the PPA schemes stillhas room to develop.

5. OPEN ISSUES ANDCHALLENGES FOR VANET PPA

The current IEEE (the Institute of Electrical and Electron-ics Engineers) standard for VANET security, IEEE 1609.2[45], provides guidelines as a framework for secure mes-sage formats and message process in VANETs. However,IEEE 1609.2 does not provide any specific security proto-col for use. Although a number of PPA schemes have beenproposed, several challenges are still needed to be dealt

with for the practical PPA of secure communications inVANETs.

Infrastructure-free design of PPA: Most of existing workin designing PPA schemes requires infrastructure (RSUs,RTAs, etc.) access and support for protocol initializa-tion, authentication, or privacy preservation. Especially,mechanisms achieving conditional privacy preservation inthe existing PPA schemes are mainly realized by of thetrusted authority assistance. Generally, the less frequentthe infrastructure support, the higher the system indepen-dency. Infrastructure-free design of PPA is crucial, whereinfrastructure support is unavailable for certain scenarios inVANETs, for example, at rural countryside or in disaster.Therefore, because of the possible crisis of infrastructures,designing an infrastructure-free PPA scheme is an openissue in VANETs.

Trust in PPA: Trust in authentication and communica-tion is another research issue in VANETs, which refersto trustworthiness of the authenticating vehicles. Tech-niques in PPA can guarantee and identify the data originby cryptographies; however, the sensing data might be fal-sified or juggled by adversaries when being sensed. Thus,the original vehicle, who transmitted the false data, can-not be trusted any more. In such cases, detecting themalicious data in the authentication process is challeng-ing and necessary with other techniques [46]; meanwhile,the untrustworthy vehicle should be isolated from theVANET system.

Evaluation metrics and testbeds for security: Currently,the performance evaluation of VANETs, especially forsecurity and authentication, still lacks for metrics, simula-tors, and realistic testbeds. In the existing PPA schemes,security is evaluated in analysis, rather than real imple-mentations in simulations or testbeds. Even for the security



analysis, there does not exist the standard metrics forthe analysis and evaluation of security yet. Therefore, thesecurity aware simulations and good metrics are requiredin the future research, for examining security levels andoverheads of the PPA schemes in VANETs.

Combination with other networks: Along with thedeployment especially on roads, VANETs are expected tobe integrated with other types of wired or wireless net-works, for the purpose of a wide range of urban networkconnections. In this situation, vehicles in a VANET needto authenticate with identities in other networks, such asInternet, cellular, and sensor networks. This is challenging,because of the combination of the VANET PPA schemeswith different authentication schemes and techniques usedin other networks [21,46,47].

6. CONCLUSION

There have been a number of research work focusingon providing the anonymous authentication with privacypreservation in VANETs. In this paper, we have carriedout a survey of PPA schemes for VANETs and studied thedevelopment of PPA. We have categorized and summa-rized the existing PPA schemes with different aspects inauthentication key cryptographies and privacy preservationmechanisms. Lastly, we have addressed the open issues andchallenges that can be further investigated in the desiredPPA schemes for VANETs, which indicate that PPA is stilla good trend of research for effective security in VANETs.

ACKNOWLEDGEMENTS

This work has been partially supported by Grand-in-Aidfor Scientific Research from Japan Society for Promo-tion of Science (JSPS) and Research Collaboration Grantfrom NII.

REFERENCES

1. Zeadally S, Hunt R, Chen YS, Irwin A, Hassan A.Vehicular ad hoc networks (VANETS): status, results,and challenges. Telecommunication Systems 2012;50(4): 217–241.

2. Li F, Wang Y. Routing in vehicular ad hoc networks:a survey. IEEE Vehicular Technology Magazine 2007;2(2): 12–22.

3. Shi Z, Beard C, Mitchell K. Analytical models forunderstanding space, backoff and flow correlation inCSMA wireless networks. Wireless Networks 2013;19(3): 393–409.

4. Raya M, Pierre J. Securing vehicular ad hoc networks.Journal of Computer Security 2007; 15 (1): 39–68.http://jcs.stanford.edu [accessed on October 3, 2012].

5. Dok H, Fu H, Echevarria R, Weerasinghe H. Pri-vacy issues of vehicular ad-hoc networks. International

Journal of Future Generation Communication and Net-working 2010; 3(1): 17–32.

6. Lin X, Sun X, Ho PH, Shen X. GSIS: a secure andprivacy-preserving protocol for vehicular communi-cations. IEEE Transactions on Vehicular Technology2007; 56(6): 3442–3456.

7. Lin X, Sun X, Wang X, Zhang C, Ho PH, Shen X.TSVC: timed efficient and secure vehicular communi-cations with privacy preserving. IEEE Transactions onWireless Communications 2008; 7(12): 4987–4998.

8. Zhang C, Lin X, Lu R, Ho PH, Shen X. An efficientmessage authentication scheme for vehicular commu-nications. IEEE Transactions on Vehicular Technology2008; 57(6): 3357–3368.

9. Huang D, Misra S, Verma M, Xue G. PACP: anefficient pseudonymous authentication-based condi-tional privacy protocol for VANETs. IEEE Trans-actions on Intelligent Transportation Systems 2011;12(3): 736–746.

10. Shim KA. CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensornetworks. IEEE Transactions on Vehicular Technology2012; 61(4): 1874–1883.

11. Choi J, Jung S. Unified security architecture and pro-tocols using third party identity in V2V and V2I net-works. Wireless Communications & Mobile Computing2012; 12(15): 1326–1337.

12. Almulla M, Zhang Q, Boukerche A, Ren Y. Anefficient k-means authentication scheme for digitalcertificates revocation validation in vehicular ad hocnetworks. Wireless Communications & Mobile Com-puting 2014; 14(16): 1546–1563.

13. Raya M, Papadimitratos P, Hubaux JP. Securing vehic-ular networks. IEEE Wireless Communications Maga-zin 2006; 13(5): 8–15.

14. Shi Z, Beard C, Mitchell K. Competition, coopera-tion, and optimization in multi-hop CSMA networkswith correlated traffic. International Journal ofNext-Generation Computing 2012; 3 (3): 228–246.http://www.innovationunlimited.net/ojs/index.php/ijngc[accessed on October 3, 2012].

15. Shi Z. Stochastic Modeling, Correlation, Competi-tion, and Cooperation in a CSMA Wireless Network.ProQuest, UMI Dissertation Publishing: Ann Arbor,Michigan, USA, 2011.

16. Standler RB. Privacy law in the USA, 1997. Avail-able from: http://www.rbs2.com/privacy.htm [accessedon October 3, 2012].

17. Fuentes JM, González-Tablas AI, Ribagorda A.Overview of security issues in vehicular ad-hoc net-works. Handbook of Research on Mobility and Com-puting: Evolving Technologies and Ubiquitous Impacts


http://jcs.stanford.edu

http://www.innovationunlimited.net/ojs/index.php/ijngc

http://www.rbs2.com/privacy.htm


2011: 894–911, Available from: http://hdl.handle.net/10016/9395 [accessed on October 3, 2012].

18. Studer A, Bai F, Bellur B, Perrig A. Flexible,extensible, and efficient VANET authentication. Jour-nal of Communications and Networks 2009; 11 (6):574–588, Available from: http://www.jcn.or.kr/home/journal/ [accessed on October 3, 2012].

19. Sun Y, Lu R, Lin X, Shen X, Su J. An efficientpseudonymous authentication scheme with strong pri-vacy preservation for vehicular communications. IEEETransactions on Vehicular Technology 2010; 59 (7):3589–3603.

20. Sun J, Zhang C, Zhang Y, Fang Y. An identity-based security system for user privacy in vehicularad hoc networks. IEEE Transactions on Parallel andDistributed Systems 2010; 21(9): 1227–1239.

21. Nacher M, Calafate CT, Cano JC, Manzoni P. Anoverview of anonymous communications in mobile adhoc networks. Wireless Communications and MobileComputing 2012; 12(8): 661–675.

22. Lu R, Lin X, Zhu H, Ho PH, Shen X. ECPP: efficientconditional privacy preservation protocol for securevehicular communications. In Proceedings of the IEEEINFOCOM, Vol. 2008, Phoenix, AZ, USA, 2008;1229–1237.

23. Yeh LY, Chen YC, Huang JL. PAACP: a portableprivacy-preserving authentication and access controlprotocol in vehicular ad hoc networks. Computer Com-munications 2011; 34(3): 447–456.

24. Lu H, Li J, Guizani M. A novel ID-based authenti-cation framework with adaptive privacy preservationfor VANETs. In Proceedings of the ComComAp 2012,Hong Kong, China, 2012; 345–350.

25. Perrig A, Canetti R, Tygar JD, Song D. The TESLAbroadcast authentication protocol. RSA CryptoBytes2005; 5 (2): 2–13. http://repository.cmu.edu/epp/62[accessed on October 3, 2012].

26. Boneh D, Franklin M. Identity-based encryption fromthe Weil pairing. In Advances in Cryptology - CRYPTO2001, LNCS, Vol. 2139, 2001; 213–229.

27. Calandriello G, Papadimitratos P, Hubaux JP, Lioy A.Efficient and robust pseudonymous authentication inVANET. In Proceedings of ACM VANET’07, Montreal,Canada, 2007; 19–28.

28. Kamat P, Baliga A, Trappe W. Secure, pseudonymous,and auditable communication in vehicular ad hoc net-works. Security and Communication Networks 2008; 1(3): 233–244.

29. Wasef A, Shen X. PPGCV: Privacy Preserving GroupCommunications Protocol for Vehicular Ad Hoc Net-works. In Proceedings of IEEE ICC’08, Beijing, China,2008; 1458–1463.

30. Tsang PP, Smith SW. PPAA: peer-to-peer anonymousauthentication. In Appl. Cryptogr. Netw. Secur. - ACNS2008, LNCS, Vol. 5037, New York, NY, USA, 2008;55–74.

31. Zhang C, Liu R, Ho PH, Chen A. A location pri-vacy preserving authentication scheme in vehicularnetworks. In Proceedings of IEEE WCNC, Vol. 2008,Las Vegas, NV, USA, 2008; 2543–2548.

32. Xi Y, Sha KW, Shi WS, Schwiebert L, Zhang T. Proba-bilistic adaptive anonymous authentication in vehicularnetworks. Journal of Computer Science and Technol-ogy 2008; 23(6): 916–928.

33. Choi J, Jung S. A security framework with strong non-repudiation and privacy in VANETs. In Proceedings ofIEEE CCNC’09, Las Vegas, NV, USA, 2009; 1–5.

34. Studer A, Shi E, Fan B, Perrig A. TACKing togetherefficient authentication, revocation, and privacy inVANETs. In Proceedings of IEEE SECON’09, Rome,Italy, 2009; 1–9.

35. Weerasinghe H, Fu H. ESAP: efficient and scal-able authentication protocol with conditional privacyfor secure vehicular communications. In Proceedingsof IEEE GLOBECOM 2010 Workshops, Miami, FL,USA, 2010; 1729–1734.

36. Salem FM, Ibrahim MH, Ibrahim II. Non-interactiveauthentication scheme providing privacy amongdrivers in vehicle-to-vehicle networks. In Proceedingsof ICNS, Vol. 2010, Cancun Mexico, 2010; 156–161.

37. Tan Z. A privacy-preserving mutual authenticationprotocol for vehicle ad hoc networks. Journal ofConvergence Information Technology 2010; 5 (7):180–186.

38. Biswas S, Misic J, Misic V. ID-based safety messageauthentication for security and trust in vehicular net-works. In Proceedings of ICDCSW 2011 Workshops,Minneapolis, MN, USA, 2011; 323–331.

39. Chaurasia BK, Verma S. Infrastructure based authen-tication in VANETs. International Journal of Multi-media and Ubiquitous Engineerin 2011; 6 (2): 41–53. http://www.sersc.org/journals/IJMUE/ [accessedon October 3, 2012].

40. Behera S, Mishra B, Nayak P, Jena D. A secure andefficient message authentication protocol for vehicularad hoc networks with privacy preservation (MAP-WPP). In Proceedings of IEEE IMSAA, Bangalore,Karnataka, India, 2011; 1–6.

41. Burmester M, Magkos E, Secure Chrissikopoulos V,Privacy-preserving timed vehicular communications.International Journal of Ad Hoc and Ubiquitous Com-puting 2012; 10(4): 219–229.

42. Zhang J, Cui Y, Chen Z. SPA: self-certified PKC-basedprivacy-preserving authentication protocol for vehicu-lar ad hoc networks. International Journal of Security


http://hdl.handle.net/10016/9395

http://hdl.handle.net/10016/9395

http://www.jcn.or.kr/home/journal/

http://www.jcn.or.kr/home/journal/

http://repository.cmu.edu/epp/62

http://www.sersc.org/journals/IJMUE/


and Its Applications 2012; 6 (2): 409–414. http://www.sersc.org/journals/IJSIA/ [accessed on October3, 2012].

43. Shen AN, Guo S, Zeng D, Guizani M. A lightweightprivacy-preserving protocol using chameleon hashingfor secure vehicular communications. In Proceed-ings of IEEE WCNC 2012, Shanghai, China, 2012;2543–2548.

44. Li J, Lu H, Guizani M. ACPN: a novel authentica-tion framework with conditional privacy-preservationand non-repudiation for VANETs. IEEE Transac-tions on Parallel and Distributed Systems 2013, DOI:10.1109/TPDS.2014.2308215.

45. IEEE 1609.2, trial use standard for wireless access invehicular environments (WAVE)—security services forapplications and management messages, 2006.

46. Leligou HC, Trakadas P, Maniatis S, Karkazis P,Zahariadis T. Combining trust with location informa-tion for routing in wireless sensor networks. WirelessCommunications and Mobile Computing 2012; 12(12):1091–1103.

47. Hsieh WB, Leu JS. Anonymous authentication proto-col based on elliptic curve Diffie–Hellman for wire-less access networks. Wireless Communications andMobile Computing 2014; 14(10): 995–1006.

AUTHORS’ BIOGRAPHIES

Huang Lu studied in Harbin Instituteof Technology, Harbin, China, beforehe went to Japan for overseas exchange.He received the BS degree in Informa-tion and Network Science from ChibaInstitute of Technology, Chiba, Japan,the MS and the PhD (Eng) degreesin Computer Science from University

of Tsukuba, Tsukuba, Japan, in 2007, 2009, and 2014,respectively. Since April 2014, he has been a researcherat the Yokohama Research Laboratory, Hitachi, Ltd.,Yokohama, Japan. His research interests include com-puter networks, wireless communications, network secu-rity, and computational engineering. He is a memberof IEEE.

Jie Li received the BE degree in Com-puter Science from Zhejiang Univer-sity, Hangzhou, China, and the MEdegree in Electronic Engineering andCommunication Systems from ChinaAcademy of Posts and Telecommuni-cations, Beijing, China. He receivedthe Dr Eng degree from the Univer-

sity of Electro-Communications, Tokyo, Japan. He hasbeen with the University of Tsukuba, Japan, where heis a professor in the Faculty of Engineering, Informa-tion and Systems. His research interests are in mobiledistributed computing and networking, cloud computingand big data, OS, network security, modeling, and per-formance evaluation of information systems. He receivedthe best paper award from IEEE NAECON ’97. He isa senior member of IEEE and ACM, and a member ofInformation Processing Society of Japan (IPSJ). He hasserved as a secretary for Study Group on System Eval-uation of IPSJ and on several editorial boards for IPSJJournal and so on, and on Steering Committees of the SIGof System EVAluation (EVA) of IPSJ, the SIG of DataBaseSystem (DBS) of IPSJ, and the SIG of MoBiLe com-puting and ubiquitous communications (MBL) of IPSJ.He has been a co-chair of several international sym-posia and workshops. He has also served on the programcommittees for several international conferences such asIEEE ICDCS, IEEE INFOCOM, IEEE GLOBECOM, andIEEE MASS.


http://www.sersc.org/journals/IJSIA/

http://www.sersc.org/journals/IJSIA/

privacy-preserving authentication schemes for vehicular ad hoc networks: a survey

Documents