Covert Communication based Privacy Preservation in Mobile Vehicular Networks
Rasheed Hussain*, Donghyun Kim**, Alade O. Tokuta**,
Hayk M. Melikyan**, and Heekuck Oh***
*Department of Computer Science, Innopolis University, Kazan, Russia
** Department of Mathematics and Physics, North Carolina Central University, Durham, NC, USA
***Department of Computer Science and Engineering, Hanyang University, South Korea
Agenda
• Introduction
• Problem Statement
• Covert Communication-based Privacy Preservation
– Protocol Outline
– Covert Communication
– Proposed Covert-based Scheme
• Quantitative Evaluation
• Conclusions and Future Work
Introduction
• Vehicular Ad hoc NETwork (VANET)
– Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication paradigms
– Driving safety-related and other applications
– IEEE 802.11p standard mandates broadcasting beacon messages in the order of milliseconds
Problem Statement
• Privacy is of prime concern in VANET
• Current solutions include:
– Mix Zones, silent periods
– Identityless schemes
– Multiple pseudonyms (mostly used)
• However, even multiple pseudonyms do not necessarily preserve the privacy
– Statistically, possible to link multiple pseudonyms to one entity [1]
[1]. Wiedersheim et al. “Privacy in inter-vehicular networks. Why simple pseudonym change is not enough,” IEEE WONS, pp.
176–183, 2010.
Problem Statement – cont’
• How to prevent the statistical attack?
– Assign multiple pseudonyms to nodes
– Let nodes exchange their pseudonyms with each other
• Pseudonym exchange should be carried out on a covert channel established on top of the existing beaconing framework
– Exchange their pseudonyms in corrupt beacons with the help of a shared secret (key) among the exchanging parties
• Revocation should still be possible
• [8] provides an outline, but without firm details
Protocol Outline
• Design Rationale
– Identity exchange-based privacy preservation
• Unintended parties should not be able to determine whether the exchange happens
• Intermingle the exchange messages as part of normal conversation
– Conditionally deniable
– Privacy-preserving
• Minimize the use of cryptography and use natural ways to secure the
communication
• No need for additional infrastructure or message structure to add this
functionality
• Using others’ pseudonyms is acceptable as long as they can be traced back when needed
Protocol Outline – cont’
• Design Goals
– Exchange pseudonyms for privacy preservation
– Use covert channel to exchange the pseudonyms
• Only intended receivers know the position of the information in the
corrupted beacon
– Provision of anonymity through pseudonym exchange
– Unlinkability through pseudonym-exchange
Covert Communication
• Observation: Wireless is Noisy
– Noise is a non-stationary and random process
– Idea: Use the random properties of wireless channel noise to hide secret message
• Packet corruption can be caused by interference, multipath,
non-wifi, collisions, hidden terminals, low signal strength, etc.
• Hide messages in corrupted packets
• Challenge: Make message indistinguishable from “normal”
corruption
Covert Communication – cont’
• Chaffing and Winnowing [9]
– Chaff
• the actual corrupted frames on the channel due to packet
corruption
– Grain
• the crafted frames which are deliberately corrupted by the
sender for the secret communication
• Two main security measures
– Geolock key: spatio-temporal group secret
– Session key: helps to locate the pseudonym in a corrupted-looking beacon
[9]. Rivest et al. “Chaffing and Winnowing: Confidentiality without Encryption.” Cryptobytes 4:1, pp. 12–17, 1998.
Proposed Covert-based Scheme
• Security Goals
– Deniable
• Ability to deny the communication
– Anonymous
• Cannot be identified specifically
– Confidential
• Adversary cannot recover message
– Robustness
• Cannot be disrupted
Proposed Covert-based Scheme
• Threat Model
– Passive adversary
• Figure out the possible hidden communication
• Wireless comm. is prone to such experiences
– From the messages, adversary wants to figure out who exchanges identity with whom
• This leads to the traditional privacy and profiling problems
– Adversary is semi-global for some physical area
• Accumulates the messages in that area to figure out the identity exchange messages
– Ephemeral networks are going to be a challenge even for a sophisticated adversary
Proposed Covert-based Scheme [1/11]
• Network Model
Proposed Covert-based Scheme [2/11]
• Baseline
– Beacon-based communication
– Play with the beacons frequency for covert communications
– Make some beacons (frames) corrupted for intended purpose
– The secret key is shared beforehand
– CIT (Corrupt→Insert→Transmit)
• Roadmap
– Use the observable properties of the channel and exchange
information among users based on that channel
Proposed Covert-based Scheme [3/11]
• Pseudonym Generation
$$Pseu_{X_i} = \left( \{\epsilon\}_{K_{psu}} \,\|\, \{\epsilon \oplus VIN\}_{K_{OBU}} \,\|\, n_i \,\|\, Validity \right)_{K^{-}_{DMV}}$$
$$\epsilon = c_{init} + n_i a_v$$
– $n_i$ is the current count of generated pseudonyms
– $VIN$ is the vehicle identification number and contains 17 alphanumeric elements according to ISO 3780
– Pseudonym databases are maintained at the DMV and at the RAs (revocation authorities), indexed with $n$
Proposed Covert-based Scheme [4/11]
• Pseudonym table at DMV
• Pseudonym table at RA
Proposed Covert-based Scheme [5/11]
– Encrypt two secret keys ($K_{psu}$ and $K_{OBU}$) and store in RAs
– Secret key $k$ is divided and each RA gets a share $k_i$
– DMV is trusted and saves the issued credentials ($VIN$, $c_{init}$, $a_v$)
Proposed Covert-based Scheme [6/11]
• IEEE 802.11 frame format
[Figure: IEEE 802.11 frame format; callouts: length of pseudonym, can be intentionally corrupted, replace CRC, sender’s pseudonym, actual pseudonym to be exchanged, shared key]
• Corrupt beacon
– $PECB = Size, Salt, Psu_{V_e}$
– $Salt = Offset = HMAC(BID, K_{geolock}, K_{temp})$
• Same pseudonyms must be used during exchange process
Proposed Covert-based Scheme [7/11]
– $P_l$ is normal beacon payload
– $L$ is the length of the covert content (pseudonym)
– $offset$ is calculated and known to both parties
• To make it more indistinguishable, some salt is added
• It is randomized
• Calculated with $BID$ (public), $K_{geolock}$ (group secret), $K_{temp}$
• HMAC with session key for integrity because a corrupted frame has no other means to check integrity
– Location-based Encryption (geolock) is used for location confidentiality
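The offset-and-HMAC mechanism on this slide, sketched as an added example (not code from the authors or the paper), run on byte strings rather than real 802.11 frames. How BID, K_geolock and K_temp are combined inside the HMAC, the 8-byte truncated tag, the pseudonym length known to both sides, and all sample values are assumptions.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 8  # truncated HMAC tag length (assumption, not from the slides)

def covert_offset(bid, k_geolock, k_temp, payload_len, size):
    """Offset = HMAC(BID, K_geolock, K_temp), reduced to a valid payload index."""
    room = payload_len - size - TAG_LEN
    if room < 0:
        raise ValueError("payload too short for pseudonym and tag")
    mac = hmac.new(k_geolock + k_temp, bid, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (room + 1)

def embed(payload, pseudonym, bid, k_geolock, k_temp):
    """Initiator (corrupt -> embed -> send): returns (body, fcs)."""
    off = covert_offset(bid, k_geolock, k_temp, len(payload), len(pseudonym))
    tag = hmac.new(k_temp, bid + pseudonym, hashlib.sha256).digest()[:TAG_LEN]
    grain = pseudonym + tag
    body = payload[:off] + grain + payload[off + len(grain):]
    fcs = zlib.crc32(body) ^ 0x1  # deliberately wrong CRC so the frame looks corrupted
    return body, fcs

def extract(body, fcs, size, bid, k_geolock, k_temp):
    """Receiver: the pseudonym, or None for a normal beacon or ordinary chaff."""
    if zlib.crc32(body) == fcs:
        return None  # CRC is valid: an ordinary beacon, nothing hidden
    off = covert_offset(bid, k_geolock, k_temp, len(body), size)
    pseudonym = body[off:off + size]
    tag = body[off + size:off + size + TAG_LEN]
    good = hmac.new(k_temp, bid + pseudonym, hashlib.sha256).digest()[:TAG_LEN]
    return pseudonym if hmac.compare_digest(tag, good) else None

# Constructed sample values (not from the slides)
BID = b"beacon-0042"
K_GEOLOCK = bytes(range(16))
K_TEMP = bytes(range(16, 32))
PAYLOAD = bytes((7 * i) % 256 for i in range(120))
PSEUDONYM = b"constructed-pseudonym-01"

if __name__ == "__main__":
    body, fcs = embed(PAYLOAD, PSEUDONYM, BID, K_GEOLOCK, K_TEMP)
    print(extract(body, fcs, len(PSEUDONYM), BID, K_GEOLOCK, K_TEMP))
    print(extract(body, fcs, len(PSEUDONYM), BID, K_GEOLOCK, b"wrong-session-key"))
```

A receiver without the right session key, or one looking at a genuinely corrupted beacon, fails the tag check and treats the frame as chaff.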
Proposed Covert-based Scheme [8/11]
• Geolock key ($K_{geolock}$) construction
– Only a small number of spatio-temporal users can make this
Hussain et al. “Secure and privacy-aware traffic information as a service in VANET-based clouds” in press, Pervasive and
Mobile Computing, Elsevier, 2015
Proposed Covert-based Scheme [9/11]
• Exchange Initiation
– Covert channel in broadcast is more challenging
– $intent$ flag is included (deliberate false alarms!)
• $intent$ may be $ON$ sometimes even when no exchange happens
• Only when there
• The exchange takes place only when both the $intent$ flags are $ON$
• Pseudonym Exchange
– At initiator (corrupt → embed → send)
– Establish session key
– At receiver (receive confirm → corrupt → embed → send)
Proposed Covert-based Scheme [10/11]
• Revocation
– RAs collude and get the warrant
– Search for the used pseudonym with the value $n$
– Search the exchange record in PER table
– Construct $k$ from $k_i$
– The session leader decrypts the keys
– Decrypt $\{\epsilon\}_{K_{psu}}$ to extract $VIN$
Proposed Covert-based Scheme [11/11]
• Revocation algorithm
Quantitative Evaluation [1/4]
• Security and Conditional Privacy
– Exchange process is confidential
– Without knowing $K_{temp}$, hard to follow the exchange process
– $K_{geolock}$ is used to secure the beacon from outsiders and insiders
– When beacon with wrong CRC is received, only the intended receivers try to retrieve the information from it
– Revocation is possible at any level of the pseudonym exchange and $VIN$ of the immediate user of the pseudonym is subject to revocation
Quantitative Evaluation [2/4]
• Theorem III.1. Proposed scheme increases the privacy of the user through exchanged pseudonyms
– Suppose $V_1$ at $t_i$ uses a pseudonym $Pseu^{i}_{V_1}$ at $loc_i$
– Same $Pseu^{i}_{V_1}$ was used by $V_2$ at $loc_j$ at $t_{i-j}$
– If $V_1$ and $V_2$ are at ‘safe distance’ then $\Delta loc > \Delta d$
• $d$ is the distance travelled by the vehicle
• Theorem III.2. Revocation at any level is possible
– Pseudonym exchange history table
• Which pseudonym was exchanged at what time
• Latest pseudonym exchange will help to find out the immediate
user of the pseudonym
Quantitative Evaluation [3/4]
• Computation and Communication Overhead
– Communication overhead is the modified beacon frequency
– Revocation cost
• Direct revocation: done when the sender of the pseudonym is the owner of the pseudonym
• Indirect revocation: done when the pseudonym is exchanged with someone else
Quantitative Evaluation [4/4]
• Comparison with known schemes
Conclusions and Future Directions
• Privacy preservation in VANET
• Identity-exchange based mechanism
– Pseudonyms are exchanged on a covert channel
– Conditional privacy guarantees revocation
• Future Work
– Implementation of covert communication
– Incorporate the protocol into existing work for privacy enhancement
– Optimize covert channel in broadcast environment
– Pseudonym exchange at multiple levels