Computer Science Journal Volume 1, Issue 2, August 2011
Trust and Trusted Computing in VANET
Irshad Ahmed Sumra1, Halabi Hasbullah1, Jamalul-lail2
1 Computer and Information Sciences Department
Universiti Teknologi PETRONAS, Bandar Seri Iskandar
31750, Tronoh, Perak, Malaysia.
2Advanced Information Security Cluster
MIMOS Berhad, Technology Park Malaysia.
Abstract
In the last few years, vehicular networks have been gaining more and more attention from
researchers and the automobile industry. The life saving factor is the key issue in this regard.
Trust is a key part of security, and it is undoubtedly necessary to develop trust in vehicular
networks. The main aim of this paper is to propose a trust model for the vehicular environment.
The proposed model contains two modules. The first module is based on attackers and attacks. An
attacker is one of the most significant entities, one who can intentionally change the behavior
of other entities (vehicle or infrastructure) in the network. It is important to study and analyze
attackers and attacks before designing life saving networks. The second module is based on trust
and trusted computing technology. The Trusted Platform Module (TPM) is a hardware security module
that plays a major role in developing trust in vehicles. The purpose of this study is to develop
trust in the vehicular network. This trusted vehicular network model enforces that all entities of
the network behave in a specified manner. We believe that this trusted model would be more helpful
in serving the users of the vehicular environment.
Keywords: Trust, Security, Attackers and Attacks, Trusted Platform Module (TPM), Users,
Safety and Non safety Application.
Received: September 2010, Published: April 2011
*Corresponding Author: [email protected]
I. Introduction
Safety of human lives is a major concern nowadays, because every year thousands of people
die in road accidents around the globe. A Vehicular Ad hoc Network (VANET) is a special kind
of network that aims to reduce the death rate and improve traffic safety. In a VANET, vehicles
can send and receive safety messages to and from each other on the road to ensure the safety of
human life [1]. Dedicated Short Range Communication (DSRC) is the frequency band that is used
as the communication medium for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I)
communication. DSRC delivers safety and non safety messages across the entire network using its
safety and non safety channels. Safety applications are of high importance because they provide
information about any accident in some specific region and handle the situation by sending
warning messages to other vehicles. Warning messages and post crash warning/notification are
some examples of safety applications [2]. Non safety applications are related to the comfort of
passengers and to improving the traffic system. Parking availability and toll collection services
are examples of these applications.
Security is an important issue, especially in this kind of network, where one altered message
can create problems for users in many ways. Users can benefit from these applications if we can
secure the communication between all entities (components) of the network, leaving attackers no
chance to create trouble for users in the network. Attackers create problems directly and
indirectly by launching different kinds of attacks. We focus our study on attackers and their
behavior in launching attacks on VANET. Insider/outsider and active/passive attackers are some
examples of attackers. Every time attackers strike their target, they change their form and then
launch a different kind of attack. We begin by classifying the different types of attackers.
This paper is divided into five sections. Section II discusses related work in this area.
Section III explains the proposed model and all of its modules. The first module covers
attackers and possible attacks. The next module discusses the concept of trust and briefly
describes trusted computing and the various trusted entities in a vehicular network. Three
different levels of trust and the chain of trust in VANET are also presented in this section.
In Section IV we discuss some possible uses of trusted hardware modules, including the Trusted
Platform Module (TPM), in VANET, and Section V concludes the paper.
II. Related Work
Security involves a combination of hardware and software. For VANET, there are many types
of embedded hardware modules used in vehicles, none of which is specifically meant for trust.
Nowadays, a TPM is used in almost all new PCs and laptops for secure communication. G. Guette
[3, 4] described the main functionalities of the TPM that are used in VANET. They discussed in
detail the security requirements and two possible applications (Platoons and Event Reporting)
in a vehicular network. The main problem highlighted was maintaining the integrity of data and
ensuring secure and trusted communication with other vehicles and with infrastructure. The
author also discussed a threat model that contains attacks such as Sybil attack, vehicle
impersonation, sending false information and car tracking. Three security properties were
presented: a vehicle must have a unique identifier; the integrity of messages must be ensured,
and messages must be authentic with regard to the vehicle identifier; and lastly, the
truthfulness of the content of messages must be verified. The TPM-based solution is one of the
more cost effective ones; it meets all the security properties and handles the security threats.
The main communication in VANET is divided into two parts: embedded sensors communicate
with applications, and applications communicate with the TPM for data signing purposes. The
Endorsement Key (EK) and the Attestation Identity Key (AIK) are the two main keys that are used
for signing and attestation purposes. A trusted application performs two types of
communication: with sensors and with the TPM. This type of communication is called inside
communication, and its purpose is to sign the data and keep it safe in a secure location. The
trusted application also communicates with the application of the other vehicle using
parameters such as Position, Signature and Credential. In [4], the author proposed a TPM-based
security architecture to solve the security and privacy issues for successful deployment of
VANET technology. The two proposed protocols were simulated with AVISPA and SPAN.
The main focus is the management of cryptographic keys to provide security and anonymity
of vehicle communications. An advantage of this proposed solution is that there is no need for
infrastructure (RSU) along the road. Memory sticks take the place of infrastructure and store
data about sensors and TPM keys. However, the solution is less practical because keys are
preloaded in the vehicle during the construction phase and memory sticks are used to renew the
certified keys used by the proposed protocol. A software stack is used to protect and store data
in shielded locations. Inter-vehicle communication uses TPM keys for signing messages, which
means that only trusted vehicles can communicate. If one vehicle's application sends a request
to another vehicle, the request must first be signed using TPM keys. The other vehicle receives
this message and verifies its certificates and signature. Vehicle to infrastructure
communication also uses TPM keys to ensure trusted communication.
III. Proposed Trust Model
Trust is the key element in creating a trustable VANET environment, which would help
promote a safer road environment. TCG defines trust [5] as:
"An entity can be trusted if it always behaves in the expected manner for intended purpose."
Putting this definition in the context of VANET, it means that all components of the network
(vehicles and infrastructure) behave in an expected manner (trusted communication between the
components), serve the users and save human lives.
Figure 1. Proposed Trust Model
Attackers are those people who change the behavior of an entity and break the trust. So first
of all we should study attackers and attacks, because they directly change the behavior of the
vehicle. If we want to achieve trust and develop a trusted computing environment, then we
should perform two tasks.
Figure 2. Three levels of trust and trusted computing
First Level: We should deal with attackers and attacks in the vehicular network and study
the behavior of attackers and the possible attacks that disturb the network.
Second Level: Explore the major entities of the vehicular network that play a major role
in developing trust in vehicle to vehicle communication and also with infrastructure.
Third Level: The main objective is to achieve the third level: develop a trusted computing
environment between all entities in the network. The Trusted Platform Module (TPM) plays a
major role in fulfilling the third level of trust.
VANET User Requirement (VUR)
The user is the main entity in a vehicular network, and the objective of this new technology
is to serve users and save their lives from road accidents. Safety and non safety VANET
applications meet all user requirements during the journey, such as sending or receiving
safety messages to and from other vehicles and using entertainment services. The basic user
requirements are the following [6]:
Security
Privacy
Trust
Figure 3. User requirements in VANET
Security: Security is the first important user requirement in VANET. It is difficult to
convince users that any new technology is secure. Safety related applications may not work
properly without achieving a minimum security level. For example, the Extended Brakes Light
(EBL) application [7] needs security; otherwise an attacker may generate warning messages and
create problems on the road.
Privacy: User privacy is a very important factor in the vehicular environment; once a user's
privacy is lost, it is very difficult to re-establish. Privacy in VANET means securing the
user's personal data and his/her location. Users need privacy and may not allow others to see
their personal data and locations. They are always concerned about their privacy. Only
authorized parties (such as police and law enforcement agencies) may use the private/personal
information. The name of the driver, the license plate of the vehicle, the speed of the
vehicle, position/location and travel route are some items of user privacy information [8],
and users worry about this information while communicating with other users or with
infrastructure.
Trust: The last user requirement is trust, and trust [9] is the key element of a security
system. When users receive a message from another vehicle or from infrastructure, it should be
trusted, because the user reacts according to the message. To establish trust, it is required
to provide trust between users in vehicle to vehicle (V2V) and vehicle to infrastructure (V2I)
communication. Attackers change the contents of messages and break the trust between
vehicles.
VANET Applications
VANET is a very important part of the intelligent transport system (ITS). There are many
potential applications of VANET. VANET applications are described and categorized in
different ways in many studies [10, 11, 12]. Safety applications are the most important
applications of VANET because they are directly related to users, and their priority is high
due to the human life saving factor. The main goal of safety applications is to protect cars
and their passengers from road accidents. Today, an active safety application is anything that
helps users on the road to prevent an accident from happening. In other words, active safety
systems work as pre crash applications [13]. Active safety applications [14] are based on
control functions, and their purpose is to exchange sensor data or status information in
vehicle to vehicle (V2V) or vehicle to infrastructure (V2I) communication. The goal of sending
this kind of information is for users to react accordingly and avoid the accident. Antilock
Brake System (ABS) and Electronic Stability Program (ESP) are examples of active safety
systems. Warning applications provide warning related information to drivers, such as post
crash warning/notification and obstacle warning, and also give warnings about the condition of
the road. Passive safety applications work inside the vehicle and protect passengers against
injury in the event of an accident. Safety belts and air bags are examples of passive safety
applications. Passive safety applications cannot help to avoid accidents, but these kinds of
applications are very useful in case of accident or criminal attack, to find the exact location
of users and to provide services to affected people [15].
Attackers and its Properties
Attackers create problems in the network by getting full access to the DSRC communication
medium. Here we discuss some properties and capabilities of attackers that have been
mentioned in studies [16].
Coverage area: Coverage area is the main property of attackers when they launch any
kind of attack. An attacker could cover the main area of a road, depending on the
nature of the attack. A basic level attacker controls one DSRC channel and covers a
range of at most 1000 meters, but extended level attackers are more organized and
cover more area using a hundred DSRC channels.
Technical Expertise: The technical expertise of attackers makes them stronger at
creating attacks in the network. It is difficult for an attacker to mount attacks on
cryptographic algorithms. The chance is low for an attacker to compromise the
infrastructure network and capture data from a restricted area of the network. An
attacker has the ability to extract the program code and secret keys of the computing
platform of an OBU or RSU by launching physical attacks.
Resources: Budget, manpower and tools are the three key resources that attackers
depend on to achieve their goals. Budget is needed to hire technical experts and to
spend time understanding the configuration of a specific network and then disturbing
the network by launching different kinds of attacks. An attacker can use different
kinds of tools for launching attacks. These software tools can be self-developed or
bought from the market. Many businesses set up near the road and provide non safety
application services (Internet, entertainment services). One business party can use
its own maximum resources to create problems for other parties and destroy their
business with different kinds of attacks.
There are many types of attackers that create problems in VANET. The main goal of an
attacker is to change the contents of a message, or create a message, and use it for his/her
own benefit. Maxim Raya and Jean-Pierre Hubaux [17] described their attacker model, and we
extend this model further into two levels on the basis of previous work [18]. Figure 4 shows
the two levels of attackers. The following subsections describe them in detail.
Figure 4. Two Levels of Attackers
First Level of Attackers
At the first level, attackers act more seriously and the intensity of their attacks is
higher compared to the second level. Figure 5 explains first level attackers, whereby
attackers launch different types of attacks on both kinds of communication, i.e., vehicle to
vehicle (V2V) and vehicle to infrastructure (V2I). The attackers are active and launch
different types of attacks at the same time in the network. The purpose of this kind of attack
is not to achieve any personal benefit but only to create problems in the network. The severity
level is high because the attacker has control over the unique identity and authentic user of
the network. The scope of a first level attack is high because such attacks cover a bigger
geographical area. More details about first level attackers are given below.
Figure 5. First Level of Attacker
Insider: This type of attacker is an authentic user of the network and can create problems
in the network by changing the certificate keys. An insider attacker might have access to
insider knowledge, and this knowledge will be used for understanding the design and
configuration of the network. Once they have all the information about the configuration, it
is easy for them to launch attacks and create more problems compared to an outsider attacker.
We can simply say that an insider attacker is the right man doing the wrong job in the network.
Malicious: This type of attacker has no personal gain from launching attacks, but wants to
achieve two goals:
To harm other vehicles of the network by sending wrong information or altering safety related application information.
To create problems by disrupting the proper functioning of the network by sending unnecessary frames to other vehicles.
Active: This type of attacker creates problems in the network while working in two
dimensions:
Generates packets and sends them to other VANET vehicles as well as to the infrastructure.
Generates and sends signals in the network and disturbs the main frequency band.
Extended: This type of attacker extends and spreads attacks across the network, affecting
many entities of the network. Privacy violations and wormhole are examples of these kinds of
attacks.
Intentional: This type of attacker intentionally disturbs network operation and creates
problems for legitimate users trying to access the network.
Independent: This type of attacker has a unique identity and is independent in the network;
it may not depend on other vehicles for launching attacks.
Second Level of Attackers
Second level attackers also have their own severity level, which is lower compared to the
first level. Attackers at the second level are outsiders, and the basic aim of this kind of
attacker is to seek personal benefit. Figure 6 explains second level attackers. Second level
attackers just listen to the communication among various vehicles, say vehicle A and vehicle B.
The scope and affected area are somewhat limited, as the circle in Figure 6 shows. Passive and
dependent attackers are examples of second level attackers. The level of severity is low
compared to first level attackers, who are active and independent in launching attacks in the
network. More details about second level attackers are given below.
Figure 6. Second Level of Attacker
Outsider: The outsider attacker is considered an authentic vehicle of the network. It is a
kind of intruder which aims to misuse the protocols of the network, and the range of such
attacks is limited. An outsider attacker also has limited diversity in launching different
kinds of attacks compared to an insider attacker.
Rational: The rational attacker seeks personal benefit, defines a specific target and tries
to achieve it. Examples are sending erroneous information about the road, diverting the whole
traffic to another road and clearing the road for one's own benefit.
Passive: The passive attacker aims just to eavesdrop on the wireless medium among the
vehicles and infrastructure of the network. It is a kind of privacy violation of users on the
road.
Local: The scope and effect of the attack can be limited because the attacker can locally
control VANET vehicles or infrastructure (RSU). The effects of this attack are confined to a
specific region and do not disturb the other entities of the network.
Unintentional: These attackers do not intentionally want to get involved in the network
or to create problems for network users. This can be the case where errors occur due to some
network operations and transmission in the network.
Dependent: A group of attackers intentionally wants to attack the network as a coordinated
group. In a group attack, the attackers are dependent on each other and share the same
interest.
Severity Level (SL)
Eq. 1 shows the severity levels of first and second level attackers. The severity level
of a first level attacker is greater than that of a second level attacker. Here we select one
attacker (the active attacker) from the first level and compare it with one second level
attacker (the passive attacker). The severity level of the active attacker is high compared to
the passive attacker because the active attacker generates false packets and sends them to
other vehicles and also to infrastructure. The packets may be safety or non safety packets, or
may contain bogus information, but the purpose of the attacker is to disturb the network.
Figure 5 describes the behavior of an attacker who generates false packets and sends them to
other vehicles and also to infrastructure. Vehicle A and Vehicle B are in the same lane, but
they receive different kinds of packets. The passive attacker, in contrast, aims just to listen
to the communication among vehicles and with infrastructure. There is no need to generate and
send packets into the network. Figure 6 shows that the attacker just listens to the
communication between vehicle A and vehicle B.
$SL = \{\, L_1(Ak_1, Ak_2, \ldots, Ak_n) > L_2(Ak_1, Ak_2, \ldots, Ak_n) \,\}$    eq. (1)
Classes of Attacks
Attackers generate different attacks in this life saving vehicular network. In this paper,
we propose five different classes of attacks, and every class is expected to provide a better
perspective on VANET security. The proposed solution is to classify and identify the
different attacks in VANET.
The attacker's role is important in a vehicular network because attackers launch different
types of attacks. The objective of attackers is to create problems for other users of the
network by changing the content of messages. Researchers have described different types of
attacks in their studies [17, 19, 20, 21]. In addition, we propose five different classes of
attacks. Each class describes different types of attacks, their threat level and attack
priority. Along with this approach, we also propose some new attacks. The aim of this approach
is to easily identify these attacks and their association with the respective class. Figure 7
shows the proposed classes of attacks.
Network Attack
Application Attack
Timing Attack
Social Attack
Monitoring Attack
Figure 7. Classes for Attacks
First Class: Network Attack
Vehicles and infrastructure are the main components of VANET. In this class, attackers can
directly affect other vehicles and infrastructure. These attacks are of high priority because
they affect the whole network. The main objective of these attacks is to create problems for
legitimate users of the network. Some of the attacks are described below.
A. Denial of service (DOS) Attack
The availability of the network is very important in the vehicular network environment,
where all users rely on the network. Denial of Service (DOS) is one of the most serious
attacks in a vehicular network. In a DOS attack, the attacker jams the main communication
medium and the network is no longer available to legitimate users [17]. The main aim of a DOS
attacker is to prevent authentic users from accessing network services [20]. Figure 8 shows
the whole scenario when the attacker launches a DOS attack in a vehicular network and jams the
whole communication medium between V2V and V2R. As a result, users cannot communicate with
other users or with infrastructure.
Figure 8 DOS Attacks between V2V and V2R
B. Sybil Attack
The Sybil attack [21] also belongs to the first class. In a Sybil attack, the attacker sends
multiple messages to other vehicles, and each message contains a different fabricated source
identity (ID). It creates an illusion for other vehicles by sending wrong messages such as a
traffic jam message [21, 22]. Figure 9 explains the Sybil attack, in which the attacker creates
multiple vehicles on the road with the same identity [3]. The objective is to force other
vehicles to leave the road for the benefit of the attacker.
Figure 9 Sybil Attack
C. Vehicle Impersonation Attack
Each vehicle has a unique identifier in VANET, and it is used to verify the message
whenever an accident happens by sending wrong messages to other vehicles [3, 17].
Figure 10 explains this scenario, in which vehicle A is involved in an accident at location
Z. When police identify the driver, as the vehicle is associated with the driver's identity,
the attacker changes his identity and simply denies it.
Figure 10 Vehicle Impersonation Attack
Second Class: Application Attack (AP)
Safety and non safety are the two types of potential vehicular applications. In this class
the main concern of the attacker is to change the content of these applications and use it for
their own benefit. Safety applications are of greater importance because they provide warning
messages to other users. Attackers change the content of the actual message and send wrong or
fake messages to other vehicles, which causes accidents. The bogus information attack [17] is
one example, in which the attacker sends wrong information to the network and these wrong
messages directly affect the behavior of users on the road. Warning messages are important
messages that are used in safety applications. It is a very serious condition on the road if
attackers change warning messages, as many accidents occur. Security mechanisms are used to
avoid such attacks and to ensure the truthfulness of the message. Figure 11 shows an example
in which the attacker launches an attack on a safety application. The attacker receives a
warning message "Work Zone Warning" from a nearby vehicle. He changes the content of the
message and sends the message "Road is Clear" to other vehicles. The important warning
messages used in V2V or V2I communication are Blind Spot, Post Crash, Breakdown, Work Zone,
Curve Speed, Lane Change, Rail Collision, Wrong way driver, Stop Sign Violation,
Intersection Collision, Cooperative Collision, Traffic Signal Violation, Emergency
Vehicle at Scene, Emergency Vehicle Approaching and Infrastructure Based Road
Condition Warning [23].
Figure 11. Safety Application Attack
Non safety applications are related to users' comfort during their journey. These
applications do not disturb safety applications. The role of non safety applications is to
comfort passengers and to improve the traffic system. Car parking is one of the major non
safety applications; a Road Side Unit (RSU) provides information about the availability of
parking at a shopping mall or sports complex. Figure 12 explains this attack: an authentic
user receives the information "Parking Slot available" from a road side unit (RSU) near the
shopping mall and sends this message to another vehicle. The vehicle that receives this
message is actually the attacker's vehicle. The attacker alters the message to "No empty
parking slot" and passes it to other vehicles. Entertainment, Toll Collection, Map Download,
Restaurant Finding, Gas Station Finding, Parking Availability and Shopping Mall Finding
services are some services that are considered non-safety applications [6].
Figure 12 Non Safety Application Attack
Third Class: Timing Attack
This is a new type of attack in which the attacker's main objective is to add a time slot
to the original message and so create a delay in it. Attackers do not disturb the other
content of the message; they only delay it, so that the message is received after the time at
which it was required. Safety applications are time critical; if a delay occurs in these
applications, the main objective of the application is defeated. Figure 13 shows the complete
scenario of the timing attack, in which the attacker receives a warning message (Warning!
Accident at location Y) from another vehicle and then passes this message to another vehicle
after adding some time. Other users of the network therefore receive this message only when
the accident has actually occurred.
Figure 13 Timing Attack
Fourth Class: Social Attack
All immoral messages (social attacks) lie in this class. It is a kind of emotional and
social attack. The purpose of these kinds of messages is to indirectly create problems in the
network. Legitimate users show angry behavior when they receive such messages, which is
exactly what the attacker wants by launching such an attack. Figure 14 explains this
condition: the attacker passes the message "You are Idiot" to a nearby vehicle. When the user
receives this message, it directly affects his driving behavior by increasing the speed of his
vehicle. This in turn indirectly disturbs other users in the network.
Figure 14 Social Attack
Fifth Class: Monitoring Attack
Monitoring and tracking of vehicles lie in this class. In a monitoring attack, the attacker
just monitors the whole network and listens to the communication between V2V and V2I. If they
find any relevant information, they pass it to the person concerned. For example, police plan
to perform an operation against a criminal and communicate with each other about the exact
location of the operation. The attacker listens to all the communication and informs the
criminal about the police operation. Every vehicle has its own unique ID, and the attacker
discloses the identity of other vehicles in the network. Using these unique IDs, the attacker
tracks the current location of a required vehicle. A global observer monitors the target
vehicle and sends a virus to neighbours of the target [17]. When a neighbour is affected, they
take data of the target vehicle. Rental car companies use this ID to track the location of
their own vehicles. The ID disclosure attack is related to user privacy: the attacker can
easily track a user's location in a specific region [24].
Vehicular Trusted Computing (VTC)
Trusted computing is a relatively new technology that has gained popularity recently, and
the Trusted Computing Group (TCG) [25] has been the main proponent of this technology. The
main aim of TCG is to enhance security in computer networks by using a security hardware
module (called the Trusted Platform Module). Figure 15 shows how trusted computing
communication can be maintained between all entities of the network. Vehicle A to Vehicle F
are performing their tasks in the proper manner. Vehicle D communicates with the RSU, and the
RSU communicates with the TOC, authenticates and provides valid information. Vehicle D shares
this information with other vehicles in the network. This is the ideal condition that we want
to achieve in a real vehicular network. Trust will be built in two different ways in vehicular
trusted computing. Trusted computing requires that these two basic properties are fulfilled
[26]:
The sender who sends the information in vehicle to vehicle or vehicle to infrastructure communication is accepted as a trusted entity.
The contents of the message are not changed during transmission, so it meets the integrity requirement.
Figure 15. Vehicular Trusted Computing Communication
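A receiver-side check of the two properties above (trusted sender, unchanged contents), given here as an added example that is not code from the paper. Software Ed25519 keys stand in for TPM-held keys, and the Credential and Message layouts, the issuing authority and the 2-second acceptance window are assumptions; the signed timestamp additionally lets the receiver reject a warning that was held back unmodified, as in the Timing Attack class.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential binds a vehicle's signing key to its identifier and is signed by
// an authority every receiver trusts. Software Ed25519 keys stand in for
// TPM-held keys (assumption); this is not a TCG credential format.
type Credential struct {
	VehicleID string
	PublicKey ed25519.PublicKey
	IssuerSig []byte
}

// Message is a warning plus the evidence a receiver needs to check it.
type Message struct {
	Body   string
	SentAt int64 // Unix seconds; covered by the signature
	Cred   Credential
	Sig    []byte
}

var (
	ErrUntrustedSender = errors.New("credential not issued by the trusted authority")
	ErrTampered        = errors.New("signature does not cover these contents")
	ErrStale           = errors.New("message outside the accepted time window")
)

// credBytes and msgBytes give unambiguous encodings of what gets signed.
func credBytes(id string, pub ed25519.PublicKey) []byte {
	b := make([]byte, 4, 4+len(id)+len(pub))
	binary.BigEndian.PutUint32(b, uint32(len(id)))
	return append(append(b, id...), pub...)
}

func msgBytes(body string, sentAt int64) []byte {
	b := make([]byte, 8, 8+len(body))
	binary.BigEndian.PutUint64(b, uint64(sentAt))
	return append(b, body...)
}

// Issue certifies a vehicle key (hypothetical authority role).
func Issue(authority ed25519.PrivateKey, id string, pub ed25519.PublicKey) Credential {
	return Credential{id, pub, ed25519.Sign(authority, credBytes(id, pub))}
}

// Send signs the body together with the send time using the vehicle key.
func Send(key ed25519.PrivateKey, c Credential, body string, now time.Time) Message {
	t := now.Unix()
	return Message{body, t, c, ed25519.Sign(key, msgBytes(body, t))}
}

// Verify checks sender trust first, then content integrity, then freshness.
func Verify(authorityPub ed25519.PublicKey, m Message, now time.Time, maxAge time.Duration) error {
	c := m.Cred
	if len(c.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(authorityPub, credBytes(c.VehicleID, c.PublicKey), c.IssuerSig) {
		return ErrUntrustedSender
	}
	if !ed25519.Verify(c.PublicKey, msgBytes(m.Body, m.SentAt), m.Sig) {
		return ErrTampered
	}
	if age := now.Sub(time.Unix(m.SentAt, 0)); age > maxAge || age < -maxAge {
		return ErrStale
	}
	return nil
}

// Scenario runs four constructed cases and returns Verify's result for each.
func Scenario() (honest, altered, delayed, rogue error) {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	vPub, vKey, _ := ed25519.GenerateKey(nil)
	cred := Issue(caKey, "vehicle-A", vPub)
	t0 := time.Unix(1300000000, 0) // constructed clock value
	window := 2 * time.Second

	m := Send(vKey, cred, "Work Zone Warning", t0)
	honest = Verify(caPub, m, t0.Add(time.Second), window)

	forged := m // a relay rewrites the warning but cannot re-sign it
	forged.Body = "Road is Clear"
	altered = Verify(caPub, forged, t0.Add(time.Second), window)

	// The original message, unmodified but forwarded 30 seconds late.
	delayed = Verify(caPub, m, t0.Add(30*time.Second), window)

	// A sender whose credential comes from a self-made authority.
	_, rogueCA, _ := ed25519.GenerateKey(nil)
	xPub, xKey, _ := ed25519.GenerateKey(nil)
	rm := Send(xKey, Issue(rogueCA, "vehicle-A", xPub), "Road is Clear", t0)
	rogue = Verify(caPub, rm, t0, window)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The freshness check only has meaning because the timestamp is inside the signed bytes; it also assumes sender and receiver clocks agree to within the window.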
Trusted Entities of VANET
In this section we explain six basic entities of trust; when all these entities work
together, they develop a chain of trust in the vehicular network. Eq. 2 expresses that all
modules are trusted and work together to achieve a chain of trust in the system. Detailed
discussions of all these entities are given below.
Trusted User (TU)
Trusted Vehicle (TV)
Trusted Applications (TA)
Trusted Routing (TR)
Trusted Medium (TM)
Trusted Infrastructure (TIF)
Chain of Trust (COT) = i= 0 ( TU + TV + TA + TR +TM + TIF ) eq. (2)
Trusted User: The user's role is important in all technologies, and for VANET applications in particular we are directly concerned with the protection of users' lives. The main purpose of VANET applications is to serve the users by sending safety and non safety
messages from Vehicle to Vehicle and also to the infrastructure. We have classified the
users into two types, trusted users and non trusted users. Trusted Users (TUs) are those
people who perform their tasks properly in the network. In the vehicular environment the user's
role is important for building the chain of trust. The chain of trust is affected if a user does
not perform their task accurately. In their respective Vehicles, users communicate
with the application unit (AU) and send messages to other Vehicles in the network. Trusted
users have the following qualities.
They receive messages from other Vehicles, perform tasks according to the message (safety or non safety) and pass this message on to other Vehicles in the network.
They receive messages from the infrastructure (RSU), act on them and pass these messages on to the Vehicles of the network.
Messages are generated by users according to the situation, e.g. if an accident has occurred in some specific place, messages are passed to other Vehicles as well as to the infrastructure in the network.
Non Trusted Users (NTUs) are those users who do not possess the trusted credentials and
could potentially be the kind of attackers who create problems for legitimate users by
launching attacks. In a vehicular network their role is more prominent because
they can potentially change life critical information on the road. The following are the
tasks that they perform in VANET.
Non-Trusted Users could potentially be active attackers and launch attacks that can be of high intensity. Denial of service (DOS) and Sybil attacks are examples of such attacks. The main objective of NTU attacks is to directly disturb the basic functionality of the network.
Non-Trusted Users can break the integrity of messages sent through communication in the vehicular environment. Attackers could change the content of a message; for example, "Accident at Location X" can become "Road is clear".
Trusted Vehicle: The role of the vehicle is important in all types of communication in the
network. The basic level of trust is to provide security in the vehicle (Trusted Vehicle),
with communication carried through trusted channels for vehicle to
vehicle (V2V) and vehicle to infrastructure (V2I). A Trusted Vehicle requires some
specific sensors to be a part of the VANET. The TPM is the hardware module that forms the
basic building block for trust inside the Vehicle: it has its own root of trust, hashing and cryptographic functionality, and acts like a smart card. The Electronic Control Unit
(ECU) and many other types of sensors work inside the Vehicle. Hardware (all types of
sensors) and software should perform their tasks properly to build trust
inside the Vehicle. The Vehicle receives some information from its on-board units and some
from the outside network (other Vehicles or the infrastructure).
Trusted Applications: Safety and non safety applications serve the users and make
their journey safe and comfortable. Active safety applications, warning applications and
position based routing require protection from attackers, and user trust is built when
these applications perform their tasks accurately. Applications should be trusted because
users take decisions based on application information received from other Vehicles as
well as from the infrastructure. M. Gerlach [9] discussed and proposed a model for trusted
applications for VANET. This model defines the situations in which the attributes of
trust are relevant to the trustee. The author makes three main contributions in that paper,
which are given below.
Enabling a security architecture that integrates different security measures in the vehicular environment.
Probabilities for representing trust and a trust model for VANET applications, using the principle of trust tagging.
The author uses the concept of mix content, which defines the way to change pseudonyms. An attacker cannot link two messages coming
from the same vehicle, which also prevents location tracking.
Trusted Routing: Routing is a key part of VANET; a message moves from one vehicle
to another by using different routes. Routing involves hop to hop
communication and multihop communication; the open medium and dynamic
network topology make the routing task complex. Secure and trusted routing is
necessary for sending and receiving safety messages in the network. T. Chen [27]
discussed trusted routing using their own proposed trusted routing framework.
The proposed framework provides message authentication, trust between Vehicles and
routability verification without the support of online certificate authorities (CA). The trusted
framework is applied to the OLSR (Optimized Link State Routing Protocol) routing protocol.
The trust establishment framework consists of three key parts, which are designed to handle
different types of threats in the network.
I. A digital signature is used for message authentication. The value of the digital signature depends on secret values that are known only to the signer
of the message. A hash function is used to generate a fixed-size message
digest, and this digest is signed instead of the complete message.
II. Vehicle to Vehicle authentication is also part of trusted routing. Its main task is to authenticate the identity of a Vehicle and defend
it from attackers. The author divides the Vehicle to Vehicle authentication procedure
into three phases.
In Vehicle to Vehicle authentication, the public/private key pairs and certificates are distributed to all authentic Vehicles that
are willing to join the network.
Two Vehicles exchange certificates and verify each other by sending and receiving challenges.
In the last phase, if the connection between the Vehicles is lost for a short period of time, they try to re-authenticate with each
other using the pre-shared secret exchange.
III. Routability verification is the last part of trusted routing. This mechanism provides pieces of evidence from neighbour Vehicles, so that the connection from
source to destination is verified and trusted. Each Vehicle builds its own
trusted routing map from the cumulatively collected Routability Certificates (RC).
This phase allows two Vehicles to establish their connection quickly without repeating
the whole authentication phase.
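The last authentication phase described above, re-authentication after a short disconnection, can be realised as a mutual challenge-response over the pre-shared secret. This is an added example, not code from the paper or from the framework in [27]; HMAC-SHA256, the 30-second limit, the three-message layout and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_GAP_S = 30  # assumed limit for a "short" disconnection, in seconds


def _tag(key, direction, sender, receiver, first_nonce, second_nonce):
    # Length-prefix every field so the MAC input is unambiguous; binding the
    # direction and both identities stops a tag being reflected or re-targeted.
    parts = (direction, sender, receiver, first_nonce, second_nonce)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Vehicle:
    def __init__(self, vid):
        self.vid = vid
        self.sessions = {}        # peer id -> [shared key, time last authenticated]
        self.seen_nonces = set()  # challenges already answered (replay guard)

    def pair(self, peer_id, key, now):
        """Store the secret agreed during full certificate-based authentication."""
        self.sessions[peer_id] = [key, now]

    def _key_for(self, peer_id, now):
        entry = self.sessions.get(peer_id)
        if entry is None or now - entry[1] > MAX_GAP_S:
            self.sessions.pop(peer_id, None)  # stale: full authentication needed
            return None
        return entry[0]

    def respond(self, peer_id, nonce_i, now):
        """Responder: answer the initiator's challenge, issue a counter-challenge."""
        key = self._key_for(peer_id, now)
        if key is None or nonce_i in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce_i)
        nonce_r = secrets.token_bytes(16)
        return nonce_r, _tag(key, b"resp", self.vid, peer_id, nonce_i, nonce_r)

    def confirm(self, peer_id, nonce_i, nonce_r, tag, now):
        """Initiator: verify the responder, then prove knowledge of the key."""
        key = self._key_for(peer_id, now)
        if key is None:
            return None
        expected = _tag(key, b"resp", peer_id, self.vid, nonce_i, nonce_r)
        if not hmac.compare_digest(expected, tag):
            return None
        self.sessions[peer_id][1] = now
        return _tag(key, b"init", self.vid, peer_id, nonce_r, nonce_i)

    def accept(self, peer_id, nonce_i, nonce_r, tag, now):
        """Responder: verify the initiator's proof; completes mutual authentication."""
        key = self._key_for(peer_id, now)
        if key is None:
            return False
        expected = _tag(key, b"init", peer_id, self.vid, nonce_r, nonce_i)
        if not hmac.compare_digest(expected, tag):
            return False
        self.sessions[peer_id][1] = now
        return True


def reauthenticate(initiator, responder, now):
    """Run the three-message exchange; True only if both sides verified."""
    nonce_i = secrets.token_bytes(16)
    reply = responder.respond(initiator.vid, nonce_i, now)
    if reply is None:
        return False
    nonce_r, tag_r = reply
    tag_i = initiator.confirm(responder.vid, nonce_i, nonce_r, tag_r, now)
    if tag_i is None:
        return False
    return responder.accept(initiator.vid, nonce_i, nonce_r, tag_i, now)
```

A peer whose last successful authentication is older than the limit is dropped from the session table, so it has to repeat the certificate exchange rather than the fast path.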
Trusted Medium: The role of the channel medium is important; the dedicated short range
communication (DSRC) frequency band is used for all types of communication in
VANET. DSRC provides multiple channels and its transmission ranges from 5.850 to
5.925 GHz. DSRC is divided into seven channels and each channel range is 10 MHz.
Every vehicle in the network receives messages from other vehicles or from the
infrastructure. Secure and trusted message content is the major concern of the users.
Attackers will try hard to change the contents of messages and break the trust
between the vehicles. When users receive any information (safety or non safety) from
other vehicles or from the infrastructure, it must be trusted because the user reacts according to
the message. To establish trust, we must provide a secure and trusted channel (Trusted
Medium) between the users in the network. Whenever attackers launch any type of attack,
we have the option of using other channels. Attackers will also use these channels,
insert their false information into the network and create problems for legitimate users.
Message exchange from vehicle to vehicle and vehicle to infrastructure should be
reliable, accurate and confidential, and this is possible only in the presence of a secure
communication medium. C. Laurendeau [28] explained the security threats in
DSRC/wireless access in vehicular environment (WAVE); if we are able to remove
these threats, the medium becomes trusted.
Trusted Infrastructure (RSU): The network infrastructure (which consists of network
components) is important for verifying the users and providing the right information to users
on the road. The infrastructure must be made trusted before it sends safety related
information to users, because all users rely on it. In case of channel jamming (DOS) the user
wants to communicate with the infrastructure and send/receive information to it. In this
sense, the accessibility and availability of the network are directly concerned with the users' trust levels. When the network is not available due to an attack, users' trust is seriously affected. The objective of trusted infrastructure is to ensure the security of the channel
and of the information being passed among the users. There are many types of trust in the
vehicular network, and the level of trust will increase if we can prevent
attackers from launching any attacks. Figure 16 shows the relationship of attackers (both
levels) with trust types. When an attacker is successful in launching any type of attack,
the level of trust gradually decreases. Whenever there is control over the attackers, the level of trust increases. Hence we can safely say that both (Attackers and Trust) are
directly proportional to each other.
Figure 16. Relationship between Trust and Attackers
(Figure labels: Trust; Trusted User; Trusted Node; Trusted Applications; Trusted Routing; Trusted Medium; Trusted Infrastructure; Attackers; First Level of attackers; Second Level of attackers)
Levels of Trust
Zero Trust is the first trust level, in which the attacker is active and is able to use all
kinds of entities in the network and create problems by launching different types of
attacks (passive or active). Eq. 3 describes that first and second level attackers are active
and the chain of trust in this condition will be zero.
Zero Trust = (L1.Attackers + L2.Attackers) (COT : = 0) eq.(3)
The second level of trust is called Weak Trust, in which the attacker is able to launch
different kinds of attacks and the scope of the attacks is within some specific region. Some
entities are affected by these attacks, whereas other entities of the network perform
their tasks properly and serve the users. Eq. 4 represents a situation in which, of all the entities
of the chain of trust, only the trusted infrastructure (TIF) is affected by attacks.
Weak Trust = (TU + TV + TA +TR +TM) (TIF) eq.(4)
Strong Trust is the third level of trust, in which all entities of the network are trusted and
work properly. There are no attackers in the network; this is a very ideal condition
in which every entity performs its task properly.
Strong Trust = COT (L1.Attackers:=0 + L2.Attackers:= 0) eq.(5)
In Eq. 5 we assign a zero value to both types of attackers; all components are fully
trusted, work properly and serve the users in the network. Table 1 explains the three
different levels of trust in the vehicular network.
Table 1. Levels of Trust
Levels of Trust    Description
0                  Zero Trust
1                  Weak Trust (some entities are trusted)
2                  Strong Trust (all entities are trusted)
IV. Trusted Hardware Module (THM)
Both hardware and software work together to achieve security in the system and
make secure communication between VANET Vehicles possible. There are two basic
hardware modules that are used for security purposes in a VANET Vehicle. The first security
hardware module is the Event Data Recorder (EDR), a kind of black box
similar to that used in airplanes. It is a non-volatile hardware module and provides tamper
proof storage. The basic task of the EDR is to record data on critical situations in
emergency conditions [29]. The EDR provides secure storage of data only. The cost of an EDR
is low and it is easily embedded into VANET Vehicles. In many countries EDRs are installed
in many road vehicles (trucks). The drawback of the EDR is that it has no ability to perform
cryptographic functions.
The second security hardware module is the Tamper Proof Device (TPD), which has the
ability to sign and also verify the messages that are received from other Vehicles in the
network [20]. The key point of the TPD is that it has processing ability. The high cost of the TPD
is its only drawback. These two security hardware modules do
not provide trust in the VANET Vehicle. Hence we propose to use another hardware
module, the trusted platform module (TPM).
Trusted Platform Module (TPM)
The Trusted Platform Module is a hardware chip designed for secure computing that can
be used to measure the integrity of a platform or system. It is a piece of hardware and needs
software to communicate with it in order to protect and store data in a secure location. Protection
capability, integrity measurement and integrity reporting are the key
features of the TPM. The Random Number Generator (RNG), SHA-1 engine, RSA and
HMAC are the functional components of the TPM that provide its cryptographic capabilities [3,
30]. By writing software that manages the integrity of data using the TPM, the system can resist
software attacks; a further advantage is that the cost of a TPM is lower than that of the
other security modules (EDR or TPD). The TPM will be embedded into the existing
hardware module, and with it we will make the necessary software and hardware
changes for the Vehicle to be trusted in the vehicular network.
Attacker and Trusted Platform Module (TPM)
If attackers launch any kind of attack (first or second level), the trusted Vehicle (TN) in the
car will first detect that there is a change in the values of the Platform Configuration
Register (PCR) inside the TPM, and the application will then alert the TN to
prevent any more communication with the untrusted Vehicle. Figure 17 shows the
scenario in which the attacker launches an attack and the change in the PCR values alerts the TN to
prevent any more communication with the attacker.
Figure 17. Attackers and TPM
(Figure labels: Vehicle; TPM; Platform Configuration Register (PCR); Endorsement Key (EK); Attestation Identity Key (AIK); Attacks; First Level of attackers; Second Level of attackers)
Platform Configuration Register (PCR)
The PCR is an internal register used for storing integrity measurement values in a
shielded location. PCRs contain values that represent the system software and hardware
configuration metrics of the TN. For any kind of attack on the TN, these PCR values will
change, which means the current configuration of hardware and software has been
attacked; the system detects the changes and acts appropriately [31].
Measurement, reporting and execution are the three main processes [32] used to
maintain the integrity of the system. Configuration of the platform attestation and chain
of trust are the two basic objectives served by the contents of the PCR, that is, the old and new
values of the PCR register used inside the TPM. In total, sixteen PCR registers are used
in the TPM: eight registers are used for hardware and eight are used for software to meet the
integrity requirement.
R_{i+1} := SHA1(R_i || I)
R_{i+1} = new register value
R_i = old register value
I = input value
State getCurrentPCRs()
Steps
1. CRTM measures BIOS
2. BIOS measures BL
3. Boot Loader (BL) measures OS
4. Operating System (OS) measures Applications
5. User communicates with Applications
Figure 18. Integrity Measurement Process
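The extend formula and the measurement chain of Figure 18, worked through from both sides: the platform extends one PCR per boot stage, and a verifier replays the event log against the reported PCR and a reference log. This is an added example, not code from the paper; the use of a single PCR, measurements taken as the SHA-1 digest of each component image, the constructed component images, and a reported PCR value that reaches the verifier authentically (for instance in an AIK-signed report) are assumptions.

```python
import hashlib
import hmac

PCR_INIT = bytes(20)  # PCR content after platform reset: 20 zero bytes


def measure(image):
    """Input value I: the SHA-1 digest of the component about to run."""
    return hashlib.sha1(image).digest()


def extend(pcr, measurement):
    """R_{i+1} := SHA1(R_i || I). The old value is folded in, not overwritten."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(stages):
    """Measure each stage before it runs and fold it into the PCR.
    Returns the final PCR value and the event log of (name, measurement)."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log


def replay(log):
    """Recompute the PCR value that a given event log must produce."""
    pcr = PCR_INIT
    for _name, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify(reported_pcr, log, reference_log):
    """Verifier side: list of findings, empty if the platform matches."""
    # A log that does not hash to the reported PCR has been edited or truncated.
    if not hmac.compare_digest(replay(log), reported_pcr):
        return ["event log does not reproduce the reported PCR"]
    if [n for n, _ in log] != [n for n, _ in reference_log]:
        return ["unexpected boot sequence"]
    return [name + " differs from reference"
            for (name, m), (_, ref) in zip(log, reference_log) if m != ref]


# Constructed stand-ins for the component images in the chain of Figure 18.
GOOD_STAGES = [
    ("BIOS", b"constructed BIOS image v1"),
    ("Boot Loader", b"constructed boot loader image v1"),
    ("Operating System", b"constructed OS image v1"),
    ("Applications", b"constructed VANET application image v1"),
]

if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(GOOD_STAGES)
    tampered = list(GOOD_STAGES)
    tampered[1] = ("Boot Loader", b"constructed boot loader image, modified")
    bad_pcr, bad_log = measured_boot(tampered)
    print(verify(golden_pcr, golden_log, golden_log))  # clean boot
    print(verify(bad_pcr, bad_log, golden_log))        # changed stage is named
    print(verify(bad_pcr, golden_log, golden_log))     # substituted log rejected
```

Because every new value depends on the previous one, a change in any stage, or in the order of stages, alters the final PCR, and presenting the known-good log alongside a PCR from a modified boot fails the replay check.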
Endorsement Key (EK): The Endorsement Key (EK) [32] is a fundamental component of the
TPM, which must have an endorsement key pair. In the endorsement key pair, the private key
is more important and it is embedded in the TPM. The purpose of the EK is to uniquely
identify the platform. The TPM has a root of trust that is defined by the EK pair. The public
and private portions form an RSA key pair. One major fact about the EK is that
once it has been created, it cannot be replaced or removed from the TPM.
Attestation Identity Key (AIK): The AIK [33] is a TPM key that is used for attestation of the
current platform and its configuration. The AIK is also used as an alias for the endorsement
key (EK), and it is a non-migratable signing key generated by the owner of the TPM.
Multiple AIKs can be generated by the TPM. PCA (Privacy Certification Attestation)
and DAA (Direct Anonymous Attestation) are used for certification of the
AIK for attestation. VANET applications (safety and non safety) run inside the vehicle, and the
TPM performs the attestation task by using the AIK. After attestation of the messages,
these messages are sent to other Vehicles and the infrastructure.
V. Conclusion and Future Work
Security of VANET is an important issue to be addressed by designers of VANET
infrastructure security. VANET can be useful in providing correct information to users and
guiding them about varying conditions on the road. VANET applications are regarded as
an important solution for the security of the users on the road. Moreover, vehicular
applications must be secured, because users are directly affected
if attackers change the content of safety applications. Attackers change their
attacking behavior and launch different attacks at different times. Attackers always
try to tamper with information and create trouble in the network. The level of trust
in the network develops if the system is able to stop attackers from disturbing the
information. The TPM can play an important role in resisting possible
software attacks and in creating a trusted environment between Vehicles and the
infrastructure. Cryptographic functional components have been considered one of the key
elements for building trust and maintaining data integrity in past research work.
In future we will address attestation schemes such as property based
attestation (PBA) for developing a secure and trusted environment in the vehicular network.
Acknowledgement
This work is funded by Universiti Teknologi PETRONAS Postgraduate Assistantship
Scheme in collaboration with MIMOS Berhad.
References
1. Y. Qian, N. Moayeri, "Design of Secure and Application Oriented Vanets," Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 11-14 May 2008, Singapore.
2. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs," Consumer Communications and Networking Conference, 2008, 5th IEEE, date: 10-12 Jan. 2008, pp. 912-916.
3. G. Guette, C. Bryce, "Using TPMs to Secure Vehicular Ad-Hoc Networks (VANETs)," IFIP 2008, WISTP 2008, LNCS 5019, pp. 106-116.
4. G. Guette, O. Heen, "A TPM-based Architecture for improved security and Anonymity in vehicular ad hoc networks," IRIS France.
5. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges," Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
6. I. Ahmed Sumra, H.B. Hasbullah, J. Ab Manan, "User requirements model for vehicular ad hoc network applications," International Symposium on Information Technology 2010 (ITSim 2010), Malaysia.
7. F. Kargl, Z. Ma, E. Schoch, "Security Engineering for VANETs," 4th Workshop on Embedded Security in Cars (escar 2006), Berlin, Germany.
8. X. Lin, R. Lu, C. Zhang, H. Zhu, P. Han Ho, X. Shen, "Security in Vehicular Ad hoc Networks," IEEE Communication Magazine, April 2008.
9. M. Gerlach, F. FOKUS, "Trust for Vehicular Applications," IEEE Computer
Society, Proceedings of the Eighth International Symposium on Autonomous Decentralized Systems, pp. 295-304, year of publication: 2007.
10. R. Prasad, R. Kanjee, H. Zui, Pishro, Nik, Ni, "DSRC Accident Warning system at Intersection," Report, October 19, 2006.
11. D. Jiang, V. Taliwal, A. Meier, W. Holfelder, R. Herrtwich, "Design of 5.9 GHz DSRC-based vehicular safety communication," Wireless Communications, IEEE, Vol. 13, No. 5 (2006), pp. 36-43.
12. S. Yousefi, M. Fathy, "Metrics for performance evaluation of safety applications in vehicular ad hoc networks," Transport. Vilnius: Technika, 2008, Vol. 23, No. 4, pp. 291-298.
13. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs," Consumer Communications and Networking Conference, 2008, 5th IEEE, date: 10-12 Jan. 2008, pp. 912-916.
14. National Highway Traffic Safety Administration, CAMP, "Vehicle Safety Communications Project Task 3 Final Report, Identify Intelligent Vehicle Safety Applications Enabled by DSRC," DOT HS 809 859, National Highway Traffic Safety Administration, Washington, D.C., March 2005.
15. J. Cheambe, J. J. Tchouto, M. Gerlach, "Security in Active Safety Applications," 2nd International workshop on Intelligent Transportation (WIT) 2005, Germany.
16. H. Hartenstein and K.P. Laberteaux, "VANET: Vehicular Applications and Inter-networking Technologies," Chapter No. 09, pp. 309-310. Wiley. www.vanetbook.com
17. M. Raya, J. Pierre Hubaux, "Securing vehicular ad hoc Networks," Journal of Computer Security, vol. 15, issue no. 1, January 2007, pp. 39-68.
18. H. Moustafa, Y. Zhang, "Vehicular Networks techniques, standard and applications," CRC Press, chapter no. 12 (Security in Vehicular Networks), pp. 334.
19. B. Parno, A. Perrig, "Challenges in Securing Vehicular Networks," Hot Topics in Networks (HotNets-IV), 2005.
20. A. Stampoulis, Z. Chai, "A Survey of Security in Vehicular Networks."
21. J. Douceur, "The sybil Attack," First international workshop on peer to peer (P2P) system, March 2002, pp. 251-260.
22. G. Guette, B. Ducourthial, "On the sybil attack detection in VANET," Laboratoire Heudiasyc UMR CNRS 6599, France.
23. T. Leinmuller, E. Schoch, F. Kargl, C. Maihofer, "Improved security in Geographic ad hoc routing through autonomous Position Verification," 3rd international workshop on Vehicular ad hoc networks, VANET 2006. ISBN: 1-59593-540-1.
24. M. Raya, P. Papadimitratos, J.P. Hubaux, "Secure vehicular communications," IEEE Wireless Communication Magazine, special issue on inter-vehicular communication, Oct 2006.
25. Trusted Computing Group, "TCG specification architecture overview," version 1.2, April 2004.
26. H. Hartenstein, Kenneth P. Laberteaux, Toyota Technical Center, "A Tutorial Survey on Vehicular Ad Hoc Networks," IEEE Communication Magazine, June 2008.
27. T. Chen, O. Mehani and R. Boreli, "Trusted Routing for VANET," 9th International Conference on Intelligent Transport Systems Telecommunications (20 October 2009), pp. 647-652.
28. C. Laurendeau, M. Barbeau, "Threats to security in DSRC/WAVE," 5th International Conference on Ad Hoc Networks and Wireless (ADHOC-NOW), LNCS 4104, pp. 226-279, 2006.
29. M. Raya, J. Pierre Hubaux, "The Security of vehicular ad hoc Networks," SASN05, November 07, 2005, Alexandria, Virginia, USA.
30. M. Raya, "Introduction to the TPM 1.2," University of Birmingham, Draft of March 23, 2009.
31. M. Strasser, H. Stamer, "A Software-Based Trusted Platform Module Emulator," TRUST 2008, LNCS 4968, pp. 33-47, Springer Berlin.
32. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges," Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
33. Steven Kinney, "Trusted Platform Module Basics: Using TPM in Embedded Systems," Chapter No. 03, Overview of the TPM Architecture, pp. 26.