trust and trusted computing in vanet

Computer Science Journal Volume 1, Issue 2, August 2011

1

Trust and Trusted Computing in VANET

Irshad Ahmed Sumra1,Halabi Hasbullah1,Jamalul-lail2

1 Computer and Information Sciences Department

Universiti Teknologi PETRONAS, Bandar Seri Iskandar

31750, Tronoh, Perak, Malaysia.

2Advanced Information Security Cluster

MIMOS Berhad, Technology Park Malaysia.

[email protected],[email protected], [email protected]

Abstract

Last few years, vehicular networks are gaining more and more attraction from the researchers

and the automobile industries. The life saving factor is the key issue in this regard. Trust is key

part of security and it is undoubtedly a necessity to develop trust in vehicular network. The main

aim of this paper is to propose a trust model for vehicular environment. The proposed model

contains two different modules. First module is based on attackers and the attacks. An attacker is

one of the most significant entity who can intentionally change the behavior of the other entities

(Vehicle or Infrastructure) in the network. It is important to study and analyze the attackers and

attacks before designing the life saving networks. Second module is based on trust and trusting

computing technology. Trusted platform module (TPM) is a hardware security module and plays a

major role to develop trust in vehicles. Purpose of this study is to develop trust in vehicular

network. This trusted vehicular network model enforces all the entities of the network to behave in

a specified manner. We believe that this trusted model would be more helpful in serving the users

of the vehicular environment.

Keywords: Trust, Security, Attackers and Attacks, Trusted Platform Module (TPM), Users,

Safety and Non safety Application.

Received: September 2010, Published: April 2011

*Corresponding Author: [email protected]

I. Introduction

Safety of human lives is the major concern nowadays, because every year thousands

of peoples died in road accidents over the globe. Vehicular Ad hoc Network (VANET) is

special kind of network that aims to reduce death rate and improves traffic safety system.

In VANET, vehicles can send and receive safety messages to each other on the road to

ensure safety of human life [1]. Dedicated Short Range Communication (DSRC) is the

frequency band that is used as a communication medium between the Vehicle to Vehicle

(V2V) and Vehicle to Infrastructure (V2I). DSRC delivers safety and non safety

messages in entire network by using its safety and non safety channels. The importance

of safety applications are high because it provides information about any accident in

Irshad et al: Trust and Trusted Computing in VANET

2

some specific region and handles the situation by sending warning messages to other

vehicles. Warning messages and post crash warning/notification are some of example of

safety applications [2]. Non safety applications are related to comfort of the passengers

and to improve the traffic system. Parking availability and toll collection services are

examples of these applications.

Security is an important issue especially in this kind of network where one altered

message can creates problem for the users in many ways. Users can take benefit of these

applications if we can secure the communication between all entities (components) of

the network and hence no chances for attackers to create trouble for users in the network.

Attackers create problem directly and indirectly by launching different kind of attacks.

We focus our study on the attackers and its behavior of launching attacks on VANET.

Insider/outsider and active/passive attackers are some example of attackers. Every time

attacker strikes on its target they change their forms and then launch different kind of

attacks. We begin by classifying the different types of attackers.

This paper is divided into five sections; Section II discuss about the related work in

this area. Section III explains the proposed model and explains the all modules of the

model. First module is explained about the attackers and possible attacks. In next module

discuss the concept of trust and briefly described trusted computing and various trusted

entities in vehicular network. Three different Levels of trust and chain of trust in

VANET are also presented in this Section. In section IV we discussed some possible use

of trusted hardware modules including Trusted Platform Module (TPM) in VANET and

Section V conclude the paper.

II. Related Work

Security involves a combination of hardware and software. For VANET, there are

many types of embedded hardware module used in vehicle, none of which is specifically

meant for trust. Nowadays, TPM is being used in almost all new PCs and laptop for

secure communication. G.Guette [3, 4] described the main functionalities of TPM which

are used VANET. They discussed in detail the security requirements and two possible

application (Platoons and Event Reporting) in vehicular network. Main problem being

highlighted was to maintain the integrity of data and ensure secure and trusted

communication between other vehicles and also with infrastructure. The author also

discussed thread model which contain attacks such as Sybil attack, Vehicle

impersonation, sending false information and car tracking. Three security properties

were presented. They include vehicle and it must have a unique identifier, ensuring the

integrity of the messages which must be authentic with regards to vehicle identifier and

lastly, to ensure the trustfulness of the content of the messages that must be verified.

TPM-based solution is one of the more cost effective one which meets all security

properties and handle with security threats.

The main communication in VANET is divided into two: embedded sensors

communicate with applications and applications communicate with TPM for signing

data purposes. Endorsement key (EK) and Attestation identity key (AIK) are the two

main keys that are used for signing and attestation purposes. Trusted application

performs two types of communication, communication with sensors and with TPM. This

type of communication is called inside communication and its purpose is to sign and

keep the data safe in secure location. Trusted Application also communicates with


3

application of the other vehicle using parameters such as Position, Signature and

Credential. In [4], the author proposed TPM based security architecture to solve the

issues of security and privacy for successful deployment of VANET technology. Two

proposed protocols were simulated their protocol with AVISPA and SPAN.

The main focus point is management of cryptographic keys to provide security and

anonymity of vehicles communications. An advantage of this proposed solution is that

there is no need for infrastructure (RSU) along the road. Memory stacks replace the

place of infrastructure and store data about sensors and TPM keys. However, the

solution is quite less practical because keys are preloaded in the vehicle during the

construction phase and memory sticks are used to renew the certified keys to be used by

the proposed protocol. Software stack is used to protect and store data in shielded

locations. Inter-vehicle communication uses TPM keys for signing the messages, which

means that only trusted vehicles can communicate. If one vehicle application sends

request to the other vehicle it must first be signed using TPM keys. The other vehicle

receives this message and verifies its certificates and signature. Vehicle to infrastructure

communication also uses TPM keys to ensure trusted communication.

III. Proposed Trust Model

Trust is the key element in creating a trustable VANET environment which would

help promote a safer road environment. TCG defines trust [5] as

An entity can be trusted if it always behaves in the expected manner for intended purpose. Putting trust definition in the context of VANET, it would mean that all components of the network (vehicles and infrastructure) are behaving in an expected

manner (trusted communication between the components) and serve the users and save

human lives.

Figurre 1. Proposed Trust Model

So attackers are those people how change the behavior of the entity and break the

trust. So first of all we should studies the attackers and attacks because it is directly

change the behavior of the vehicle. If we want to achieve the trust and develop the

trusted computing environment then we should perform two tasks.


4

Figure 2. Three levels of trust and trusted computing

First Level: We should handle with attackers and attacks in vehicular network and study

the behavior of attackers and possible attacks to disturb the network.

Second Level: Explore the major entities of vehicular network that performs major role

to developing the trust in vehicle to vehicle communication and also with infrastructure.

Third Level: Main objective is to achieve third levels, develop trusted computing

environment between all entities in network. Trusted platform module (TPM) play a

major role to fulfill the third level of trust.

VANET User Requirement (VUR)

User is the main entity in vehicular work and objective of this new technology is to

serve users and safe their lives from road accidents. Safety and non safety VANET

applications meet the all users requirement during their journey like send or receive

safety message to other vehicles and use the entertainment services. There are following

basic user requirement. [6]

Security Privacy

Trust

Figure 3. User requirements in VANET


5

Security: Security is a first important users requirement in VANET. It is difficult to convince the users about any new technology that it is secure. Safety related applications

may not work properly without achieving minimum security level for example Extended

Brakes Light (EBL) application [7] needs security otherwise an attacker may generate

warning messages and create problems on road.

Privacy: User privacy is very important factor in vehicular environment if once the

users privacy is lost, it is very difficult to re-establish. Privacy in VANET is to secure the users personal data and his/her location. Users need privacy and may not allow seeing their personal data and their locations. They are always concern about their

privacy. Only authorized parties (such as police, law enforcement agencies) may use the

private/personal information. Name of driver, License plate of the vehicle, Speed of the

vehicle, Position/Location, Route for travelling are some of the user privacy information

[8] and user is worry about these information while communicating with other users or

with infrastructure.

Trust: Last user requirement is trust and trust [9] is the key element of security system.

When users receive any message from other vehicle or from infrastructure it should be

trusted because user reacts according to the message. To establish the trust, it is required

to provide trust between the users in the communication of vehicle to vehicle (V2V) and

vehicle to infrastructure (V2I). The attackers change the contents of the message and

break the trust between the Vehicles.

VANET Applications

The VANET is very important part of intelligent transport system (ITS). There are

many potential application of VANET. VANET applications are described and

categorized in different ways in many studies [10, 11, and 12]. Safety application is the

most important application of VANET because it is directly related to users and its

priority is high due to human life saving factor. The main goal of safety application is to

provide safety of cars and its passengers from road accidents. Today active safety

application is everything that helps to users on road to prevent an accident from

happening. In other word active safety system that work as pre crash applications [13].

Active safety applications [14] are based on control functions and the purpose of this to

exchange the sensor data or status information between the vehicle to vehicle

communications (V2V) or vehicles to infrastructure (V2I).The goal of sending this kind

of information to users and react accordingly and avoid the accident. Antilock Brake

system (ABS) and Electronic Stability Program (ESP) are example of active safety

system. Warning application provides warning related information to drivers such like

that post crash warning/notification, obstacle warning and also give warning about the

condition of the road. Passive safety applications work in inside the vehicles and protect

the passengers against injury in the event of accident. Safety belt and air bags are the

example of passive safety applications. Passive safety application can not provide help to

avoid accidents. But these kind of applications are very useful in case of accident,

criminal attacks, find the exist location of the users and provide services to effected

people [15].


6

Attackers and its Properties

Attacker create problem in the network by getting full access of communication medium

DSRC. Here we are discussing some properties and capability of the attackers which has

been mentioned in studies [16].

Coverage area: Coverage area is the main property of attacker when they

launch any kind of attacks. Attacker could cover the main area of road, and it

depends on the nature of the attacks. Basic level attacker has controlled one

DSRC channels and covers the range of at most 1000 meters but the extended

level attackers are more organized and cover more area using of hundred DSRC

channels.

Technical Expertise: Technical expertise of the attacker makes them stronger

for creating attacks in the network. It is difficult for attacker to mount attacks

on cryptographic algorithms. Chance is low for attacker to compromise the

infrastructure network and data capture from restricted area of network.

Attacker having ability to extracts the program code and secret keys of the

computing platform of OBU and RSU by launching physical attacks.

Resources: Budget, manpower and tools are the three main key resources and

attackers depend on it to achieve their goals. Need budget to borrow technical

expert and spend time to understand the configuration of specific network and

then disturb network with launching of different kind of attacks. Attacker can

use different kind of tools for launching attacks. These software tools can

develop by own self or buy from the market. Many business parties make setup

their business nears the road and provide non safety application services

(Internet, entertainment services). One business party can be used their own

maximum resources to create problems for other parties and destroy their

business with different kind of attacks.

There are many types of attackers that create the problems in VANET. The main goal

of an attacker is to change the contents of message or create a message and use it for

his/her own benefit. Maxim Raya and Jean Pierren Habauz [17] described their attacker

model and we extend this model further into two levels on the bases of previous work

[18]. Figure 4 shown two levels of attackers. The following subsections provide its detail

description.

Figure 4. Two Levels of Attackers


7

First Level of Attackers

In first level, the attackers are more seriously performed and intensity of the attacks

is higher as compared to second level. Figure 5 explains first level attackers, whereby

attackers launch different types of attacks on both infrastructure i.e., vehicle to vehicle

(V2V) and vehicle to infrastructure (V2I). The attackers are active and launch different

types of attacks at the same time in the network. Purpose of this kind of attack is not to

achieve any personal benefit but only to create problems in the network. The severity

level is high because attacker has control over the unique identity and authentic user of

the network. The scope of the first level attack is high because it creates such kind of

attacks that cover bigger geographical area. More details about first level of attackers are

given below.

Figure 5. First Level of Attacker

Insider: This type of attacker who is an authentic user of the network can creates

problem in the network by changing the certificate keys. Insider attacker might have

access to insider knowledge and this knowledge will be used for understanding the

design and configuration of network. When they have all information about the

configuration then its easy for them to launch attacks and create more problem as

compare to outsider attacker. We can simply say that insider attacker is the right man

doing the wrong job in the network.

Malicious: This type of attacker who has no personal recompense for launching the

attacks, but they want to achieve two goals:

To harm the other Vehicles of the network by sending any wrong information or alter the safety related applications information.

To create problem by agitating the right functionality of the network by sending of unnecessary frames to other Vehicles.

Active: This type of active attacker creates problems in the network whiles working in

two dimensions.

Generates some packets and sends them to other VANET Vehicles as well as to the infrastructure.

Generates and sends signals in the network and disturb the main frequency band.


8

Extended: This type of attacker extends and spread attacks across the network and

affecting many entities of the network. Privacy violations and wormhole are examples of

these kinds of attacks.

Intentional: These types of attacker intentionally disturb the network operation and

create problems for legitimate users to gain access the network.

Independent: This type of attacker has an unique identity and nature of the attacker is

independent in the network. For launching the attacks and may not dependent on the

other Vehicles.

Second Level of Attackers Second level attackers also have their own severity level which is lower as

compared to the first level. An attacker in second level is outsiders and the basic aim of

this kind of attacker is to seek their personal benefits. Figure 6 explains second level

attackers. In second level attackers, they just listen to the communication among various

vehicles, say vehicle A and vehicle B. Scope and effected area is somewhat limited e.g.

the circle shows that in Figure 6. Passive and dependent attackers are examples of

second level attackers. The level of severity is low as compared to first level attackers,

where attackers are active and independent for launching attacks in the network. More

details about second level attackers are given below.

Figure 6. Second Level of Attacker

Outsider: The outsider attacker is considered as an authentic Vehicle of the network. It

is a kind of intruder which aims to misuse the protocols of the network and the range of

such attacks are limited. Outsider attacker also has a limited diversity for launching

different kind of attacks as compare to insider attacker.

Rational: The rational attacker seeks to get their personal benefit and who defines

specific target and tries to achieve it. For example, sending erroneous information about

the road, diverting the whole traffic to other road and clear the road for ones own

benefit.

Passive: The passive attacker aims to just eavesdrop on the wireless medium among the

Vehicles and infrastructure of the network. It is a kind of privacy violation of s users on

the road.

Local: The scope and effect of the attack can be limited because the attacker can locally

control the VANET Vehicles or its infrastructure (RSU).The effects of this attack is in

specific region and do not disturb the other entities of the network.


9

Unintentional: The attackers do not intentionally want to get involved in the network

and to create some problems for the network users. This can be the case where errors

occur due to some network operations and transmission in the network.

Dependent: The group of attackers intentionally wants to attack the network as a

coordinated group in launching the attacks. In the group attack, the attackers are

dependent on each other and share the same interest.

Severity Level (SL)

In Eq.1, the equation shows the severity level of first and second level of attackers.

The severity level of first level attacker is greater as compared to second level of

attacker. Here we can select one attacker (Active attacker) from first level attacker and

compare it with one of the second level of attacker (Passive attacker). Severity level of

active attacker is high as compare to passive level attacker because active attacker

generates packets and sends these false packets to other vehicles and also with

infrastructure. Nature of the packet may be safety or non safety packets or some bogus

information consists in the packet but purpose of attacker is to disturb the network.

Figure 5 describe the behavior of the attacker who generate false packets and send these

packets to other vehicles and also infrastructure. Vehicle A and Vehicle B in the same

lane but they receive different kind of packets. But in Passive attacker, aim of attacker is

just listening the communication among the vehicles and also with infrastructure. No

need to generate and send packets into network. Figure 6 show that the attacker just

listen the communications between vehicle A and vehicle B.

SL = { L1 (Ak1, Ak2 ....... Akn) > L2 ( Ak1, Ak2..... Akn)} eq.(1)

Classes of Attacks

Attackers generate different attacks in this life saving vehicular network. In this

paper, we propose five different classes of attacks and every class is expected to provide

better perspective for the VANET security. The proposed solution is to classify and

identify of different attacks in VANET.

Attackers role is important in vehicular network due to launching different type of attacks. The objective of attackers is to create problems for other users of the network by

changing the contents type of messages. Researchers have been described different types

of attacks in their studies [17, 19, 20, and 21]. In addition to it, we propose five different

types of classes for attacks. Each class describes different types of attacks, their threat

level, and attacks priority. Along with this approach, we also propose some new attacks.

The aim of this approach is to easily identity these attacks and their association to

respective class. Figure. 7 shows the propose classes for attacks.


10

Network Attack

Application Attack

Timing Attack

Social Attack

Monitoring Attack

Figure 7. Classes for Attacks

First Class: Network Attack

Vehicular Vehicle and infrastructure are the main components of VANET. At this class,

attackers can directly affect other vehicle and infrastructure. These attacks are of high

priority because these affect the whole network. The main objective of these attacks is to

create problem for legitimate users of network. Some of the attacks are mentioned

below.

A. Denial of service (DOS) Attack The availability of network is very important in vehicular network environment

where all users rely on the network. Denial of Service (DOS) is one of the most serious

level attacks in vehicular network. In DOS attack, attacker jams the main communication

medium and network is no more available to legitimate users [17]. The main aim of DOS

attacker is to prevent the authentic users to access the network services [20]. Figure. 8

shows the whole scenario when the attacker launches DOS attack in vehicular network

and Jams the whole communication medium between V2V and V2R. As a result, users

can not communicate with other users as well as infrastructure.

Figure 8 DOS Attacks between V2V and V2R


11

B. Sybil Attack Sybil attack [21] also belongs to the first class. In Sybil attack, the attacker sends

multiple messages to other vehicles and each message contains different fabricated

source identity (ID). It provides illusion to other vehicle by sending some wrong

messages like traffic jam message [21, 22]. Figure 9 explains Sybil attack in which the

attacker creates multiple vehicles on the road with same identity [3]. The objective is to

enforce other vehicles on the road to leave the road for the benefits of the attacker.

Figure 9 Sybil Attack

C. Vehicle Impersonation Attack Each vehicle has a unique identifier in VANET and it is used to verify the message

whenever an accident happens by sending wrong messages to other vehicles [3, 17].

Figure 10 explains this scenario in which vehicle A involves in the accident at location

Z. When police identify the driver as it is associated with drivers identity, attacker changes his identity and simply refuses it.

Figure 10 Vehicle Impersonation Attack

Second Class: Application Attack (AP)

Safety and non safety are two types of potential vehicular applications. At this class

the main concern of the attacker is to change content of these applications and use it for

their own benefits. Importance of safety applications is greater; it is provided warning

messages to other users. The attackers change the content of the actual message and send

wrong or fake messages to other vehicle which causes accident. Bogus information

attack [17] is one of the attack examples, in which attacker send wrong information to

the network and these wrong messages directly affect the behavior of users on the road.

Warning messages is important messages that are use in safety applications. It is very

serious condition on the road if attackers change the warning messages, many accidents

are occurred on road. By using of security mechanism to avoid such attacks, to ensure


12

the truthfulness of the message. Figure. 11 shows the example in which attacker

launches the attack on safety application. Attacker receives one warning message Work Zone Warning from near by vehicle. So he changes the content of the message and sends this message Road is Clear to other vehicle. The important warning messages used in V2V or V2I communication are Blind Spot, Post Crash, Breakdown,Work Zone,

Curve Speed, Lane Change, Rail Collision, Wrong way driver, Stop Sign Violation,

Intersection Collision, Cooperative Collision, Traffic Signal Violation, Emergency

Vehicle at Scene, Emergency Vehicle Approaching and Infrastructure Based Road

Condition Warning [23].

Figure 11. Safety Application Attack

Non safety application is related to users comfort during their journey. These applications do not disturb safety applications. The role of non safety applications is to

comfort the passengers and to improve the traffic system. Car parking is one of the major

non safety applications; Road Side Unit (RSU) provides information about the

availability of parking in shopping mall and sport complex. Figure 12 explain this attack,

authentic user receive information Parking Slot available from road side unit (RSU) near the shopping mall. So he sends this message to other vehicle. This vehicle actually

attacker vehicle who receive this message. Now attacker alters this message No empty parking slot and passes this message to other vehicles. Entertainment, Toll Collection, Map Download, Restaurant Finding, Gas Station Finding, Parking Availability,

Shopping Mall Finding Services are some services that are considered into non-safety

applications [6].

Figure 12 Non Safety Application Attack


13

Third Class: Timing Attack

This is new type of attack in which attackers main objective is to add some time slot in original message and create delay in original message. Attackers do not disturb the

other content of message, only create delay in the message and these messages are

received after it requires time. Safety application is a time critical applications, if delay

occurred in these applications then main objective of the application are finished.

Figure.13 shows the complete scenario of the timing attack, in which attacker receive

warning message (Warning! Accident at location Y) from other vehicle and then pass

this message to other vehicle by adds some time. Whenever other user of the network

receive this message when accident actually occurred.

Figure 13 Timing Attack

Forth Class: Social Attack

All unmoral messages (Social Attack) are lie on this class. It is kind of emotional and

social attack. Purpose of these kinds of messages is to indirectly create problem in the

network. Legitimate users show angry behavior when they receive such kind of

messages. This is actually attacker wants by launching such attack. Figure. 14 explain

this condition, attacker passes this message You are Idiot to near by vehicle. When user receives this message is directly affect his driving behavior by increasing the speed

of his vehicle. This entire thing is indirectly disturb the other user in the network.

Figure 14 Social Attack

Fifth Class: Monitoring Attack

Monitoring and tracking of the vehicles attacks are lying in this class. In monitoring

attack, the attacker just monitor the whole network, listen the communication between

V2V and V2I. If they find any related information then pass this information to concern


14

person. For example police are plan to perform some operation against criminal and they

communicate each other and guide about the exist location of the operation. Attacker

listen all communication and informed the criminal about the police operation. Every

vehicle has its own unique ID and attacker disclose the identity of other vehicles in the

network. Using of these unique ID, the attacker track the existing location of required

vehicle. Global observer monitors the target vehicle and sends virus to neighbour of the

target [17]. When neighbour is affected then they take data of target vehicle. Rental Car

companies are using this ID and track the location of their own vehicles. ID discloses

attack is related to user privacy, attacker easily track user location in a specific region

[24].

Vehicular Trusted Computing (VTC)

Trusted computing is a relatively new technology which has gained popularity

recently and Trusted Computing Group (TCG) [25] has been the main proponent of this

technology. The main aim of TCG is to enhance security in computer network by using

security hardware module (called Trusted Platform Module). Figure 15 shows how

trusted computing communication can be maintained between all entities of the network.

Vehicle A to Vehicle F is doing their task in proper manner. Vehicle D communicates

with RSU and RSU communicate with TOC and authenticates and provide valid

information. Vehicle D shares this information with other Vehicles in the network. This

is an ideal condition that we want to achieve in real vehicular network. Trust will be

built in two different ways in vehicular trusted computing. Trusted computing require

that these two basic properties are fulfilled: [26]

The sender who sends the information in vehicle to vehicle or vehicle to infrastructure is accepted as a trusted entity.

The contents of the message source is not changed during transmission, it meets the integrity requirement.

Figure 15. Vehicular Trusted Computing Communication


15

Trusted Entities of VANET

In this section we will explain six basic entities of trust and when all these entities

work together then will develops a chain of trust in the vehicular network. Eq.2 explains

that all modules are trusted and worked together for achieving chain of trust in system.

Detail discussions of all these entities are given below.

Trusted User (TU)

Trusted Vehicle (TV)

Trusted Applications (TA)

Trusted Routing (TR)

Trusted Medium (TM)

Trusted Infrastructure (TIF)

Chain of Trust (COT) = i= 0 ( TU + TV + TA + TR +TM + TIF ) eq. (2)

Trusted User: Users role is important in all technologies; and in particular for VANET applications we are directly concern with the protection of users life. The main purpose of the VANET applications is to serve the users by sending safety and non safety

messages from Vehicle to Vehicles and also with infrastructure. We have classified the

users into two types, trusted users and non trusted users.Trusted Users (TUs) are those

people who perform their task properly in the network. In vehicular environment the user

role is important for building the chain of trust. Chain of trust would be effected if user is

not performing their task accurately. In their respective Vehicles, users communicate

with application unit (AU) and send messages to other Vehicles in network. Trusted

users have following qualities.

Receive messages from other Vehicles, perform task according to message (safety or non safety) and pass this message to other Vehicles in the network.

Receive messages from infrastructure (RSU) and execute it and pass this message to Vehicles of the network.

Messages are generated by users according to situation e.g. if an accident has occurred in some specific place, messages are past to other Vehicles and as well as to the infrastructure in the network.

Non Trusted Users (NTUs) are those users that do not possess the trusted credentials and

could potentially be the kind of attackers who create problems for legitimate users by

launching of some attacks. In vehicular network, their role is more prominent because

they can potentially change the life critical information on the road. These are the

followings tasks that they perform in VANET.

Non-Trusted Users could potentially be an active attacker and launches attacks that can be of high intensity. Denial of service attack (DOS) and Sybil attack are example of such types of attacks. Main objective of NTUs attacks is to disturb directly the basic functionality of the network.


16

Non-Trusted Users can break the integrity of messages sent through the communication in vehicular environment. Attackers could change the content of the message, for example, Accident at Location X can become Road is clear.

Trusted Vehicle: The role of vehicle is important in all types of communication in

network. At the basic level of trust is to provide security in the vehicle (Trusted Vehicle)

and communication will be carried through trusted channels between the vehicle to

vehicle (V2V) and vehicle to infrastructure (V2I). Trusted Vehicle requires some

specific sensors to be a part of VANET. TPM is the hardware module that forms the

basic building block for trust inside the Vehicle by having its own root of trust, hashing and cryptographic functionalities that acts like a smart card. Electronic Control Unit

(ECU) and many other types of sensors work inside the Vehicles. Hardware (all types of

sensors) and software should be performing their task properly for building the trust

inside the Vehicle. Vehicle receive some information from their on-board units and some

information receives from outside network (other Vehicle or from infrastructure).

Trusted Applications: Safety and non safety applications are serve the users and make

their journey safe and comfortable. Active safety applications, warning applications and

position based routing require security from attackers and user trust will be build when

these applications perform their task accurately. Application should be trusted because

user take decision on these application information received from other Vehicles and as

well as infrastructure. M.Gerlach [9] discussed and proposed model for trusted

applications for VANET. This model defines the situation where the attributes of the

trust is relevant to the trustee and author has the three main contributions in this papers

which are given below.

Enable security architecture that integrated with different security measurement in vehicular environment.

Probabilities for presenting trust and trusted model for VANET applications by using the principle of trust tagging.

Author use the concept of mix content and it defines the way to change pseudonyms. It is not possible for attacker to link two messages that coming

from same vehicle and also preventing the location tracking.

Trusted Routing : Routing is key part of VANET and message moves from one vehicle

to other vehicle by using different route. Routing involve from hop to hop

communication and hop to multihop communication, open medium and dynamic

network topology makes the routing task is complex. Secure and trusted routing is

necessary for sending and receiving safety messages in the network. T.Chen [27]

discussed the trusted routing using of their own proposed trusted routing framework.

Proposed framework provides message authentication, trust between Vehicles and

routability verification without support of online certificate authorities (CA). Trusted

framework applied on OLSR (Optimized Link State Routing Protocol) routing protocol

Trust establishes framework consist of three key parts which are designed to handle

different types of threats in the network.


17

I. Digital signature is used for message authentication and values of digital signature depend on secret values and these values are only known to signer

that signed message. Hash function is used to generate fixed size message

digest and sign this message instead of complete message.

II. Vehicle to Vehicle authentication is also part of the trusted routing and main task of Vehicle authentication is identity authentication of Vehicle and defence

it from attackers. Author divided Vehicle to Vehicle authentication procedure

into three Phases.

Vehicle to Vehicle authentication the public/private key pairs and certificate are distributed to all authentic Vehicles of the network that

is willing to join network.

Two Vehicles substitute certificates and verify each other by sending and receiving challenges.

In last phase if the connection between the Vehicles disconnect for a short period of time then they will try to re-authenticate with each

other use the pre-share secret exchange.

III. Routability verification is the last part of trusted routing. This mechanism is provided the pieces of evidence from neighbour Vehicle and connection from

source to destination are verified and trusted. Each Vehicle builds their own

trusted routing map by using of cumulative collect Routability Certificate (RC).

This phase allows two Vehicles to make their connection quickly without repeat

whole authentication phase.

Trusted Medium: The role of the channel medium is important, dedicated short range

communication (DSRC) frequency band is used for all types of communication in

VANET. DSRC provides multiple channels and its transmission ranges from 5.850 to

5.925 GHz. DSRC are divided into seven channels and each channel range is 10 MHz.

Every vehicle in the network receives messages from other vehicles or from

infrastructure. A secure and trusted content of message is the major concern of the users.

The attackers will try hard to change the contents of the message and break the trust

between the vehicles. When users receive any information (safety or non safety) from

other vehicles or from infrastructure it must be trusted because user reacts according to

the message. To establish the trust, we must provide secure and trusted channel (Trusted

Medium) between the users in network. Whenever attackers launch any type of attack

then we have the option of using others channels. Attackers will also use these channels

and insert their false information to the network and create problems for legitimate users.

Message exchange from vehicle to vehicle and vehicle to infrastructure should be

reliable, accurate and confidential and this will be happened in the presence of secure

communication medium. C. Laurendeau [28] explained the security threats in

DSRC/wireless access in vehicular environment (WAVE) and if we are able to remove

these threats, the medium becomes trusted.

Trusted Infrastructure (RSU): Network Infrastructure (which consists of network

components) is important to verify the users and providing the right information to users

on the road. Infrastructure must be made trusted before they send safety related

information to users, because all users rely on it. In case of channel jamming (DOS) user

wants to communicate with infrastructure and sends/receives information to it. In this


18

sense, accessibility and availability of network is directly concerned with the users trust levels. When network is not available due to any attack then users trust is seriously affected. The objective of trusted infrastructure is to ensure the security of the channel

and information being passed among the users. There are many types of trust in the

vehicular network and the level of trust will increase if we can ascertain the control of

attackers from launching any attacks. Figure 16 shows the relationship of attackers (both

levels) with trust types. When attacker is successful in launching any type of attack then

the level of trust gradually decreases. Whenever there is control over the attackers then level of trust increases. Hence we can safely say that both (Attackers and Trust) is

directly proportion to each others.

Trusted User

Trusted Node

Trusted Applications

Trusted Routing

Trusted Medium

Trusted Infrastructure

Second Level of attackers

First Level of attackers

Attackers

Trust

Figure 16 Relationship between Trust and Attackers

Levels of Trust

Zero Trust is the first trust level in which the attacker is active and is able to use all

kinds of entities in the network and create problem by launching different types of

attacks (passive or active). Eq.3 describes that first and second level attackers are active

and chain of trust in this condition will be zero.

Zero Trust = (L1.Attackers + L2.Attackers) (COT : = 0) eq.(3)

Second level of trust is called Weak Trust, in which the attacker is able to launch

different kind of attacks and scope of the attacks are within some specific region. Some

entities are effected with these attacks whereas other entities of the network performing

Already studies done on it.

Do not consider yet. First Level of Attackers

Second Level of Attackers


19

their task properly and serve the users. In Eq.4 we represent a situation where all entities

of the chain of trust and only trusted infrastructure (TIF) are affected due to attacks.

Weak Trust = (TU + TV + TA +TR +TM) (TIF) eq.(4)

Strong Trust is a third level of trust is which all entities of the network are trusted and

work properly. There are no attackers in the network and this is a very ideal condition

and every entity performing their task properly.

Strong Trust = COT (L1.Attackers:=0 + L2.Attackers:= 0) eq.(5)

In Eq.5. We assign zero value to both types of attackers and all components are fully

trusted and work properly and serve the users in network. Table.1 explains the three

different types of trust levels in vehicular network.

Table 1.Levels of TRUST

Levels of Trust Description

0 Zero Trust

1 Weak Trust ( Some Entities are Trusted )

2 Strong Trust (all Entities are Trusted)

IV. Trusted Hardware Module (THM)

Both hardware and software work together to achieve the security in the system and

make possible secure communication between VANET Vehicles. There are two basic

hardware modules that are used for security purposes in a VANET Vehicle. Security

hardware module is called Event Data Recorder (EDR), which is a kind of black box

similarly used in airplane. It is a non-volatile hardware module and provides tamper

proof storage. The basic task of EDR is to record the data of critical situation in

emergency conditions [29]. EDR provides secure storage of data only. The cost of EDR

is low and easily embedded into VANET Vehicles. In many countries EDR is installed

in many road vehicles (trucks). The drawback of EDR is that it has no ability to perform

cryptographic functions.

Security hardware module is called Temper Proof Device (TPD), which has the

ability to sign and also verify the messages that are received from other Vehicles in the

network [20]. The key point of TPD is that it has processing ability. Cost of the TPD is

so high; this is the only one drawback of TPD.These two security hardware modules do

not provide trust in the VANET Vehicle. Hence we propose to use another hardware

module called trusted platform module (TPM).


20

Trusted Platform Module (TPM)

Trusted Platform Module is a hardware chip designed for secure computing and can

be used to measures the integrity of platform or system. It is piece of hardware and needs

software to communicate with it to protect and store data in secure location. Capability

of protection, measurement of integrity and reporting the integrity of data are the key

features of TPM module. Random Number Generator (RNG), SHA-1 Engine, RSA and

HMAC are the functional components of TPM that perform cryptography capabilities [3,

30]. By writing software to manage the integrity of data using the TPM, it can resist

software attacks and it is advantageous because the cost of a TPM is lower as compared

to other security modules (EDR or TPD). TPM will be embedded into the existing

hardware module and with it we will perform the necessary software and hardware

changes to make the Vehicle to be trusted in the vehicular network.

Attacker and Trusted Platform Module (TPM)

If attackers launch any kind of attacks (first or second level), trusted Vehicle (TN) in the

car will first detect that there is a change in the values of the Platform Configuration

Register (PCR) inside the TPM, and hence the application will then alert the TN to

prevent any more communication with the untrusted Vehicle. Figure 17 explains the

scenario where the attacker launches attack a change in the PCR values, alerts the TN to

prevent any more communication with the attacker.

TPM

Platform Configuration Register (PCR)

Attacks Endorsement Key (EK)

Attestation Identity Key (AIK)

Vehicle

First Level of attackers

Second Level of attackers

Figure 17. Attackers and TPM

Platform Configuration Register (PCR)

PCR is an internal register and used for storing the integrity measurement values in

shielded location. PCR contain values that represent the system software and hardware

configuration metric of TN. For any kind of attack on the TN, these PCR values will

change which means the current configuration of hardware and software have been

attacked, the system detects the changes and takes acts appropriately [31].

Measurements, reporting and execution are three main processes [32] which are used to

maintain the integrity of the system. Configuration of the platform attestation and chain


21

of trust are two basic objectives of the contents of the PCR values, the old and new

values of PCR register which is used inside the TPM. Total sixteen PCR registers are use

in TPM, eight registers are used for hardware and eight are used for software to meet the

integrity requirement.

Ri+1 := SHA1 ( Ri || I )

Ri+1 = New Register Value

Ri = Old register value

I = Input value

State getCurrentPCRs()

Steps

1. CRTM measures BIOS 2. BIOS measures BL 3. Boot Loader (BL) measures OS 4. Operating System (OS) measures Applications 5. User communicate with Applications

Figure 18. Integrity Measurement Process

Endorsement Key (EK): Endorsement Key (EK) [32] is a fundamental component of

TPM and it must have an endorsement key pair. In the endorsement key pair, private key

is more important and it is embedded in TPM. The purpose of the EK is to identify

uniquely the platform. The TPM has a root of trust that is defined by the EK pair. Public

and private portions are defined in RSA key pair. One major fact about the EK, is that

once it has been created then it cannot be replaced or remove from the TPM.

Attestation Identity Key (AIK): AIK [33] is a TPM key that is used for attestation of

current platform and its configuration. AIK is also used as an alias for the endorsement

key (EK) and it is a non-migratable signing key generated by the owner of TPM.

Multiple AIKs can be generated by the TPM. PCA (Privacy Certification Attestation)

and DAA (Direct Anonymous Attestation) are used for certification of attestation of

AIK. VANET applications (Safety and non safety) are running inside the vehicle and

TPM is performing the attesting task by using AIK. After attestation of the messages,


22

these messages are sent to other Vehicle and infrastructure.

V. Conclusion and Future Work

Security of VANET is an important issue to be addressed by designers of VANET

infrastructure security. It can be useful in providing correct information to users and

guide them about variant conditions on the road. The VANET applications are termed as

an important solution for the security of the users on the road. Moreover it is believed

that the Vehicular applications must be secured. Because the users are directly affected

in case the attackers change the content of safety applications. Attackers change their

attacking behavior and they launch different attacks at different times. Attackers always

try to tamper the information and create troubles in the network. The level of trust

develops in the network if the system is able to control attackers from distracting the

information. TPM can play an important role in terms of resistance created for possible

software attacks and in creation of trusted environment between Vehicles and the

infrastructure. Cryptographic functional components are considered as one of key

elements for trust building and maintaining data integrity in the past research work done.

In future we would be addressing some attestation scheme such as property based

attestation (PBA) for developing a secure and trusted environment in vehicular network.

Acknowledgement

This work is funded by Universiti Teknologi PETRONAS Postgraduate Assistantship

Scheme in collaboration with MIMOS Berhad.

References

1. Y.Qian, N.Moayeri,Design of Secure and Application Oriented

VanetsVehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 11-14 May 2008, Singapore.

2. J. Jakubiak, Y. Koucheryavy,State of the Art and Research Challenges for VANETs Consumer Communications and Networking Conference, 2008, 5th IEEE, date: 10-12 Jan. 2008, pp: 912-916.

3. G. Guett, C. Bryce, Using TPMs to Secure Vehicular Ad-Hoc Networks (VANETs) IFIP 2008, WISTP 2008, LNCS 5019, pp.106-116.

4. G.Guette,O.Heen,A TPM-based Architecture for improved secuirty and Anonoymity in vehicular ad hoc networks,IRIS France.

5. A. Reza Sadeghi,Trusted Computing-Special Aspects and challenges, Lecture Notes Horst-Gortz-Institute(HGI) for IT-Security,Ruha-University Bochum,

Germany.2007.

6. I.Ahmed Sumra, H.B.Hasbullah, J.Ab Manan,"User requirements model for

vehicular ad hoc network applications, International Symposium on Information Technology 2010 (ITSim 2010), Malaysia.

7. F.Kargl, Z.Ma , E.Schoch, Security Engineering for VANETs 4th Workshop on Embedded Security in Cars(escar 2006), Berlin, Germany.

8. X.Lin,R. Lu,C. Zhang,H. Zhu,P. Han Ho , X. shen,Security in Vehicular Adhoc Networks,IEEE communication Magazine, April 2008.

9. M.Gerlach, F. FOKUS,Trust for Vehicular Applications IEEE Computer


23

Society, Proceedings of the Eighth International Symposium on Autonomous

Decentralized Systems, p: 295-304, year of publication: 2007.

10. R.Prasad,R. Kanjee,H. Zui,Pishro,Nik, Ni,DSRC Accident Warning system at Intersection Report October 19,2006.

11. D. Jiang,V.Taliwal, A. Meier,W.Holfelder, R. Herrtwich Design of 5.9 GHz DSRC-based vehicular safety communication Wireless Communications IEEE Vol. 13, No. 5. (2006), pp. 36-43.

12. S.Yousefi, M.FathyMetrics for performance evaluation of safety applications in vehicular ad hoc networks Transport. Vilnius: Technika, 2008, Vol. 23, No.4, p. 291-298.

13. J. Jakubiak,Y. Koucheryavy, State of the Art and Research Challenges for VANETs Consumer Communications and Networking Conference,2008, 5th IEEE, Date: 10-12 Jan. 2008, pp: 912-916.

14. National Highway Traffic Safety Administration,CAMP,Vehicle Safety Communications Project Task 3 Final Report,Identify Intelligent Vehicle Safety Applications Enabled by DSRC,DOT HS 809 859, National Highway Traffic Safety Administration,Washington, D.C.March 2005.

15. J. Cheambe, J. J. Tchouto, M. Gerlach Security in Active Safety Applications 2nd International workshop on Intelligent Transportation (WIT) 2005,

Germany. 16. H.Hartenstein and K.P.Laberteaux,VANET:Vehicular Applications and Inter-

networking TechnologiesChapter No.09 pp.309-310.Wiley.www.vanetbook.com

17. M. Raya,J. Pierre, Hubaux,Securing vehicular ad hoc Networks Journal of Computer Security,vol.15,Issue no.1 January 2007, pp: 39-68.

18. H. Moustafa,Y. Zhang Vehicular Networks techniques,standard and applications, CRC Press,chapter no.12(Security in Vehicular Networks) pp:334.

19. B. Parno, A. Perrig, Challenges in Securing Vehicular Networks, Hot Topics in Networks (HotNets-IV), 2005.

20. A.Stampoulis, Z.Chai A Survey of Security in Vehicular Networks. 21. J. Douceur,The sybil Attack, First international workshop on peer to

peer(P2P) system,march 2002,pp:251-260.

22. G. Guette, B.Ducourthial," On the sybil attack detection in VANET", Laboratoire Heudiasyc UMR CNRS 6599, France.

23. T. Leinmuller, E. Schoch, F. Kargl, C. Maihofer, Improved security in Geographic ad hoc routing through autonomous Position Verification, 3rd international workshop on Vehicular ad hoc networks,VANET 2006.ISBN:1-59593-540-1.

24. M. Raya, P. Papadimitratos, J.P. Hubaux, Secure vehicular communications, IEEE Wireless Communication Magazine,specail issue on inter-vehicular communication, Oct 2006.

25. Trusted Computing Group.TCG specification architecture overview ,version 1.2,april 2004.

26. H. Hartenstein,Kenneth P.Laberteaux, Toyota Technical Center. A Tutorial Survey on Vehicular Ad Hoc NetworksIEEE Communication Magazine, June 2008.

27. T.Chen,O.Mehani and R.Boreli,Trusted Routing for VANET 9th International Conference on Intelligent Transport Systems Telecommunications (20 October 2009), pp. 647-652.

28. C. Laurendeau, M. Barbeau,Theat to security in DSRC/WAVE, 5th International Conference on Ad Hoc Networks and Wireless (ADHOC-NOW).LNCS 4104, pp.226-279, 2006.


24

29. M. Raya,J.Pierre,Hubaux The Security of vehicular ad hoc Networks SASN05,November 07,2005,Alexandria,Virginia USA.

30. M.Raya,Introduction to the TPM 1.2 University of Birmingham, Draft of March 23, 2009.

31. M. Strasser, H. Stamer, A Software-Based Trusted Platform Module Emulator, TRUST 2008, LNCS 4968, pp. 33-47, Springer Berlin.

32. A. Reza Sadeghi,Trusted Computing-Special Aspects and challenges,Lecture Notes Horst-Gortz-Institute(HGI) for IT-Security,Ruha-University Bochum, Germany.2007.

33. Trusted Platform Module Basics Using TPM in Embedded Systems by Steven Kinney Chapter No.03 Overview of the TPM Architecture,pp.26.

trust and trusted computing in vanet

Documents