[ieee 2008 5th ieee consumer communications and networking conference - las vegas, nevada, usa...

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE CCNC 2008 proceedings. 1-4244-1457-1/08/$25.00 © IEEE


Drivers’ Anonymity with a Short Message Length for Vehicle-to-Vehicle Communications Network

Nader Mazen Rabadi, Member, IEEE and Syed Masud Mahmud, Member, IEEE
Electrical and Computer Engineering Department, Wayne State University
Detroit, Michigan 48202 USA

Abstract—In this paper, we propose a broadcast protocol to preserve drivers' anonymity in vehicle-to-vehicle (V2V) communications network using the keyed-hash message authentication code (HMAC). Future vehicle safety applications will allow vehicles to broadcast their safety-critical information to alert neighboring vehicles of possible collisions. Such safety applications have a very low bandwidth and low communication latencies. We propose to use the keyed-hash message authentication code (HMAC) to provide anonymity, authentication and message integrity. The advantages of HMAC over asymmetric cryptographic algorithms are faster processing speed and a shorter message length, which make it suitable for V2V communications. We show that the additional number of bytes to a broadcasted message in our proposed protocol is 49 bytes. The recipients of the broadcasted message can authenticate the sender and verify the integrity of the message without identifying the source. In case of a dispute, only a Trusted Authority can identify the source of broadcasted messages.

Keywords-anonymity; authentication; V2V communications.

I. INTRODUCTION

Advanced vehicle safety applications, such as collision avoidance, will utilize the Dedicated Short Range Communications (DSRC) for its capability for low latency communications and transmitting broadcast messages [1]. The DSRC will support wireless data for vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. In V2V communications, vehicles broadcast their safety-critical information (such as speed, direction, and location) to alert neighboring vehicles of possible collisions on highways or intersections. The high mobility of vehicles requires very short message lengths to be broadcasted and processed in a timely manner in order for drivers to react and avoid collisions.

It is also necessary to provide secure V2V communications to prevent unauthorized entities from tampering with the broadcasted messages and from impersonating legitimate participants in the V2V network. Public key infrastructure (PKI) and certificates can be used to provide data integrity and source authentication. However, there are several disadvantages of using PKI and certificates in V2V communications: (1) Long message lengths and slow processing speed. PKI and certificates rely on asymmetric cryptographic algorithms where the size of public keys should be long enough to prevent adversaries from attacking the algorithms and deriving the associated private keys. In addition, most asymmetric algorithms use modular exponentiation, which in turn results in a slow processing speed. (2) PKI and certificates provide a unique public key for each entity. A concern of using a unique public key in V2V communications is that unauthorized entities may trace drivers’ movements and the locations they visit using their unique public keys. Revealing such information without consent from drivers is a violation of their privacy.

The concept of group signatures, which deals with the anonymity of users, has evolved over the last 15 years [2][3]. Group signatures are asymmetric algorithms based on the transformation of a secure honest-verifier Zero Knowledge (ZK) protocol into a digital signature using the Fiat-Shamir heuristic. A node signs messages anonymously on behalf of its group. The recipients of a signed message can verify the signature without identifying the signer. Only a designated entity, such as a Certificate Authority, can identify the signer. These group signatures are computationally intensive and produce long signatures, which are not suitable for V2V communications.

The authors in [4] discussed the use of anonymous public keys in V2V networks that are frequently changed depending on a vehicle’s speed. They also discussed the use of symmetric keys to reduce the cryptographic overhead. Similarly, the authors in [5] proposed an authentication scheme with anonymity that is based on PKI and certificates. A Certificate Authority issues temporary certificates frequently to users to prevent unauthorized entities from tracing users.

In this paper, we propose a broadcast protocol that is based on symmetric cryptographic algorithms and present the preliminary analysis of the protocol. The advantage of a symmetric algorithm over an asymmetric algorithm is the shorter message length and the faster processing speed. We propose to use the standard keyed-hash message authentication code (HMAC) [6] that is approved by the NIST to provide source authentication and message integrity. We use the HMAC to preserve drivers’ anonymity in V2V communications in addition to source authentication and message integrity.

II. PROPOSED PROTOCOL

The HMAC is a mechanism for providing source authentication and message integrity using cryptographic hash functions, such as the secure hash algorithm (SHA). The HMAC operates on a message input and on a shared secret symmetric key that is known between the sender and the receiver or a group of receivers. The input message is sent along with its HMAC to receivers. The receivers use the same HMAC mechanism on the received message and on the shared secret symmetric key. If the computed HMAC is equal to the received HMAC, then the receivers have authenticated the source and verified the integrity of the received message. To compute HMAC for data using a shared secret key s and a hash function H, the following operation is performed:

$$\mathrm{HMAC}(s, \mathit{data}) = H\big((s' \oplus C) \,\|\, H((s' \oplus D) \,\|\, \mathit{data})\big).$$

The parameters $(C, D)$ are constants. The key $s'$ equals $s$ if the length of $s'$ equals the length of $s$. Otherwise, a padding technique is applied to $s$ to produce $s'$.
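The construction above, written out as an added example (not code from the paper). It assumes SHA-1 with its 64-byte block, takes C and D to be the opad (0x5c) and ipad (0x36) bytes of FIPS 198 [6], and derives s′ as that standard does; the function names are illustrative.

```python
import hashlib
import hmac

BLOCK = 64   # SHA-1 input block size in bytes
C = 0x5C     # outer constant (opad in FIPS 198), assumed value for the paper's C
D = 0x36     # inner constant (ipad in FIPS 198), assumed value for the paper's D

def derive_s_prime(s: bytes) -> bytes:
    """Produce s' of exactly BLOCK bytes: hash an over-long key, then zero-pad."""
    if len(s) > BLOCK:
        s = hashlib.sha1(s).digest()
    return s.ljust(BLOCK, b"\x00")

def xor_const(key: bytes, const: int) -> bytes:
    """XOR every byte of the block-sized key with a one-byte constant."""
    return bytes(b ^ const for b in key)

def hmac_sha1(s: bytes, data: bytes) -> bytes:
    """HMAC(s, data) = H((s' xor C) || H((s' xor D) || data))."""
    s_prime = derive_s_prime(s)
    inner = hashlib.sha1(xor_const(s_prime, D) + data).digest()
    return hashlib.sha1(xor_const(s_prime, C) + inner).digest()

def matches_library(s: bytes, data: bytes) -> bool:
    """Compare the hand-written construction with Python's hmac module."""
    return hmac.compare_digest(hmac_sha1(s, data), hmac.new(s, data, hashlib.sha1).digest())
```

Keys shorter than, equal to and longer than the block size all go through `derive_s_prime`, which is the step the text calls a padding technique.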

To preserve drivers’ anonymity from unauthorized entities, assume the following parameters: (1) an input message $m$ that contains safety-critical information of a vehicle, (2) a secret identification $\mathit{ID}$ per vehicle that is generated by a Trusted Authority (TA) (such as a Certificate Authority), (3) a shared symmetric secret key $s$ among a group of vehicles that is generated by the TA, and (4) a timestamp $T$ for message freshness. Let $A \| B$ denote the concatenation of $A$ and $B$. Let $\mathrm{HMAC}(s, m)$ denote the HMAC operation on an input message $m$ using the shared secret key $s$. We also assume that each vehicle is equipped with a tamper-resistant hardware device that contains its $\mathit{ID}$ and the shared symmetric secret key $s$. In addition, the TA maintains a secure database that contains the $\mathit{ID}$ for each vehicle in the network and the shared group symmetric key $s$.

When a vehicle is ready to broadcast its safety-critical information to its neighboring vehicles, this vehicle calculates $A = \mathrm{HMAC}(s, m \| T \| \mathit{ID})$, includes $A$ in the calculation of $B = \mathrm{HMAC}(s, m \| A \| T)$, and then broadcasts $X = m \| A \| B \| T$. The recipients get $m \| A \| T$ from $X$ and use the same HMAC function to calculate $C = \mathrm{HMAC}(s, m \| A \| T)$. If $C$ equals $B$ in the received message $X$, then the recipients have authenticated the source and verified the integrity of the message $m$. An adversary must have the shared secret key $s$ and the secret $\mathit{ID}$ to calculate $A$ and then to include $A$ in the calculation of $B$. Since $B$ depends on $A$, the adversary cannot replay $A$ and $B$ separately from each other. Thus, the protocol is protected from replay attacks on $A$ and on $B$.

In this broadcast protocol, the recipients do not know the identity of the sender and cannot trace the sender. The identity of the sender $\mathit{ID}$ is hashed along with a timestamp $T$ and a message $m$ in the variable $A$. Since the timestamp $T$ is a variable, and if the input message $m$ is also a variable, then $A$ is a random variable. Hence, the recipients of a message $X$ cannot trace an individual vehicle. Only the TA can identify the sender, as follows. We assume here that the broadcasted message $X$ is stored in the tamper-resistant hardware device in the recipients’ vehicles. In case of a dispute, the TA gets $m \| T$ from $X$ and gets a set of IDs from its database. The $\mathit{ID}$ for which $\mathrm{HMAC}(s, m \| T \| \mathit{ID})$ equals $A$ identifies the vehicle that sent the broadcasted message $X$.

In our proposed broadcast protocol, we assume that the timestamp T has a length of 9 bytes (year, month, day, hour, minute, second, millisecond, microsecond), and that SHA-1, which generates a 20-byte message digest, is used. Then the additional number of bytes to the broadcasted message m is 49 bytes (T has 9 bytes + A has 20 bytes + B has 20 bytes).
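The broadcast, the recipients' check and the TA lookup described in this section, as an added example rather than code from the paper. The 9-byte timestamp layout, the group key, the IDs (fixed length) and the payload are constructed assumptions; the paper gives only the timestamp's fields and total length.

```python
import hashlib
import hmac
from datetime import datetime

DIGEST, T_LEN = 20, 9            # SHA-1 digest and timestamp lengths from the paper
OVERHEAD = 2 * DIGEST + T_LEN    # A + B + T

def mac(s: bytes, data: bytes) -> bytes:
    return hmac.new(s, data, hashlib.sha1).digest()

def encode_t(dt: datetime) -> bytes:
    # Assumed layout: 6 one-byte calendar fields + 3 bytes of sub-second time.
    head = bytes([dt.year - 2000, dt.month, dt.day, dt.hour, dt.minute, dt.second])
    return head + dt.microsecond.to_bytes(3, "big")

def broadcast(s: bytes, vid: bytes, m: bytes, t: bytes) -> bytes:
    a = mac(s, m + t + vid)      # A = HMAC(s, m || T || ID)
    b = mac(s, m + a + t)        # B = HMAC(s, m || A || T)
    return m + a + b + t         # X = m || A || B || T

def parse(x: bytes):
    if len(x) < OVERHEAD:
        raise ValueError("message shorter than A || B || T")
    body = len(x) - OVERHEAD     # A, B, T are fixed-length, so split from the tail
    return x[:body], x[body:body + DIGEST], x[body + DIGEST:body + 2 * DIGEST], x[-T_LEN:]

def verify(s: bytes, x: bytes) -> bool:
    m, a, b, t = parse(x)
    return hmac.compare_digest(mac(s, m + a + t), b)   # recipient's C compared with B

def ta_identify(s: bytes, x: bytes, id_db: dict):
    m, a, _, t = parse(x)
    for vid, owner in id_db.items():                   # try every registered ID
        if hmac.compare_digest(mac(s, m + t + vid), a):
            return owner
    return None                                        # A matches no registered ID

def demo() -> dict:
    s = bytes(range(20))                                        # constructed group key
    id_db = {b"ID-00000001": "vehicle-1", b"ID-00000002": "vehicle-2"}  # constructed
    m = b"speed=27;heading=090;lat=42.357;lon=-83.070"          # constructed payload
    x1 = broadcast(s, b"ID-00000001", m, encode_t(datetime(2008, 1, 10, 12, 0, 0, 250000)))
    x2 = broadcast(s, b"ID-00000001", m, encode_t(datetime(2008, 1, 10, 12, 0, 0, 350000)))
    tampered = b"speed=99" + x1[8:]                             # altered m, original A and B
    return {
        "overhead": len(x1) - len(m),
        "valid": verify(s, x1),
        "tampered_valid": verify(s, tampered),
        "same_A": parse(x1)[1] == parse(x2)[1],
        "traced": ta_identify(s, x1, id_db),
    }

if __name__ == "__main__":
    print(demo())
```

`verify()` checks only B, so it establishes that the sender holds the group key s; the link from A to a particular ID is checked only in `ta_identify()`.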

The authors in [7] studied the performance of several public-key algorithms and hash functions. They showed that on 8-bit commercial microcontrollers running at 8 MHz, the processing time of SHA is 5 ms. In our proposed protocol, a vehicle calculates an HMAC twice, and each HMAC contains two SHA. Thus, the estimated time to prepare a broadcast message X is 20 ms in our proposed protocol. Similarly, the recipients of the message X need to calculate one HMAC which will take 10 ms.

III. CONCLUSION

Symmetric cryptographic algorithms can be used in V2V communications to preserve drivers’ anonymity in addition to source authentication and data integrity. We showed that by using the HMAC algorithm, our proposed broadcast protocol can add 49 bytes to the safety-critical information and can be processed within 20 ms on an 8 MHz processor. Furthermore, it is necessary to update the symmetric key s frequently to protect it from security attacks. The ISO/IEC 11770-3 [8] can be used to transfer the new key from the TA to a vehicle’s tamper-resistant hardware. Our future work will describe a complete broadcast protocol among vehicles, and a protocol for updating and revoking keys. Detailed performance analysis including threat analysis of our protocol and comparison of our protocol versus other existing protocols will be shown in our future publications.

REFERENCES

[1] U.S. Department of Transportation, National Highway Traffic Safety Administration, Vehicle Safety Communications Project; Task 3 Final Report; Identify Intelligent Vehicle Safety Applications Enabled by DSRC, March 2005.

[2] D. Chaum and E. van Heyst, “Group signatures,” in Advances in Cryptology, EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pp. 257-265, Springer-Verlag, 1991.

[3] J. Camenisch and J. Groth, “Group signatures: better efficiency and new theoretical aspects,” 4th Int. Conf. on Security in Communication Networks, SCN 2004, Lecture Notes in Computer Science 3352, Springer, 2005.

[4] P. Papadimitratos, V. Gligor, and J.-P. Hubaux, "Securing vehicular communications - assumptions, requirements, and principles," in Proc. of the Workshop on Embedded Security in Cars (ESCAR) 2006, Berlin, Germany, November 2006.

[5] J. Zhu and J. Ma, “A new authentication scheme with anonymity for wireless environments,” IEEE Transactions on Consumer Electronics, vol. 50, issue 1, pp. 231-235, Feb 2004.

[6] The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication, FIPS PUB 198, National Institute of Standards and Technology (NIST), March 6, 2002.

[7] H. Handschuh and P. Paillier, “Smart card crypto-coprocessors for public-key cryptography,” Smart Card Research and Applications, Lecture Notes in Computer Science, vol. 1820, pp. 386-394, Springer-Verlag, 2000.

[8] ISO/IEC 11770-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques, First edition, 1999.
