Computer Science Journal Volume 1, Issue 2, August 2011
Trust and Trusted Computing in VANET
Irshad Ahmed Sumra¹, Halabi Hasbullah¹, Jamalul-lail²
¹ Computer and Information Sciences Department, Universiti Teknologi PETRONAS, Bandar Seri Iskandar, 31750, Tronoh, Perak, Malaysia.
² Advanced Information Security Cluster, MIMOS Berhad, Technology Park Malaysia.
Abstract
In the last few years, vehicular networks have been gaining more and more attention from researchers and the automobile industry. The life-saving factor is the key issue in this regard. Trust is a key part of security, and it is undoubtedly necessary to develop trust in vehicular networks. The main aim of this paper is to propose a trust model for the vehicular environment. The proposed model contains two modules. The first module is based on attackers and attacks. An attacker is one of the most significant entities, one who can intentionally change the behavior of the other entities (vehicle or infrastructure) in the network. It is important to study and analyze the attackers and attacks before designing life-saving networks. The second module is based on trust and trusted computing technology. The Trusted Platform Module (TPM) is a hardware security module and plays a major role in developing trust in vehicles. The purpose of this study is to develop trust in the vehicular network. This trusted vehicular network model enforces that all entities of the network behave in a specified manner. We believe that this trusted model will be helpful in serving the users of the vehicular environment.
Keywords: Trust, Security, Attackers and Attacks, Trusted Platform Module (TPM), Users, Safety and Non-safety Applications.
Received: September 2010, Published: April 2011
I. Introduction
Safety of human lives is a major concern nowadays, because every year thousands of people die in road accidents around the globe. A Vehicular Ad hoc Network (VANET) is a special kind of network that aims to reduce the death rate and improve traffic safety. In a VANET, vehicles can send safety messages to and receive them from each other on the road to ensure the safety of human life [1]. Dedicated Short Range Communication (DSRC) is the frequency band that is used as the communication medium for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communication. DSRC delivers safety and non-safety messages across the entire network using its safety and non-safety channels. Safety applications are of high importance because they provide information about any accident in
Irshad et al: Trust and Trusted Computing in VANET
some specific region, so that the situation can be handled by sending warning messages to other vehicles. Warning messages and post-crash warnings/notifications are some examples of safety applications [2]. Non-safety applications relate to the comfort of the passengers and to improving the traffic system. Parking availability and toll collection services are examples of these applications.
Security is an important issue, especially in this kind of network, where one altered message can create problems for the users in many ways. Users can benefit from these applications if the communication between all entities (components) of the network is secured, leaving attackers no chance to create trouble for users in the network. Attackers create problems directly and indirectly by launching different kinds of attacks. We focus our study on attackers and their behavior in launching attacks on VANET. Insider/outsider and active/passive attackers are some examples of attackers. Every time attackers strike their target, they change their form and then launch different kinds of attacks. We begin by classifying the different types of attackers.
This paper is divided into five sections. Section II discusses related work in this area. Section III explains the proposed model and all of its modules. The first module covers the attackers and possible attacks. The next module discusses the concept of trust and briefly describes trusted computing and the various trusted entities in a vehicular network. Three levels of trust and the chain of trust in VANET are also presented in this section. Section IV discusses some possible uses of trusted hardware modules, including the Trusted Platform Module (TPM), in VANET, and Section V concludes the paper.
II. Related Work
Security involves a combination of hardware and software. For VANET, there are many types of embedded hardware modules used in vehicles, none of which is specifically meant for trust. Nowadays, the TPM is used in almost all new PCs and laptops for secure communication. G. Guette [3, 4] described the main functionalities of the TPM that are used in VANET. They discussed in detail the security requirements and two possible applications (Platoons and Event Reporting) in vehicular networks. The main problem highlighted was maintaining the integrity of data and ensuring secure and trusted communication with other vehicles and with the infrastructure. The author also discussed a threat model that contains attacks such as the Sybil attack, vehicle impersonation, sending false information, and car tracking. Three security properties were presented: each vehicle must have a unique identifier; the integrity of messages must be ensured, and they must be authentic with regard to the vehicle identifier; and, lastly, the trustworthiness of the content of the messages must be verified. A TPM-based solution is one of the more cost-effective options that meets all the security properties and handles the security threats.
The main communication in VANET is divided in two: embedded sensors communicate with applications, and applications communicate with the TPM for data-signing purposes. The Endorsement Key (EK) and the Attestation Identity Key (AIK) are the two main keys that are used for signing and attestation purposes. A trusted application performs two types of communication: with sensors and with the TPM. This type of communication is called inside communication, and its purpose is to sign the data and keep it safe in a secure location. A trusted application also communicates with the application of another vehicle using parameters such as Position, Signature, and Credential. In [4], the author proposed a TPM-based security architecture to solve the issues of security and privacy for the successful deployment of VANET technology. Two protocols were proposed and simulated with AVISPA and SPAN.
The main focus is the management of cryptographic keys to provide security and anonymity for vehicle communications. An advantage of this proposed solution is that there is no need for infrastructure (RSU) along the road. Memory sticks take the place of the infrastructure and store data about sensors and TPM keys. However, the solution is less practical because keys are preloaded in the vehicle during the construction phase and memory sticks are used to renew the certified keys used by the proposed protocol. A software stack is used to protect and store data in shielded locations. Inter-vehicle communication uses TPM keys for signing messages, which means that only trusted vehicles can communicate. If an application in one vehicle sends a request to another vehicle, the request must first be signed using TPM keys. The other vehicle receives this message and verifies its certificates and signature. Vehicle-to-infrastructure communication also uses TPM keys to ensure trusted communication.
III. Proposed Trust Model
Trust is the key element in creating a trustable VANET environment, which would help promote a safer road environment. TCG defines trust [5] as: "An entity can be trusted if it always behaves in the expected manner for the intended purpose." Putting this definition of trust in the context of VANET, it means that all components of the network (vehicles and infrastructure) behave in an expected manner (trusted communication between the components), serve the users, and save human lives.
Figure 1. Proposed Trust Model
Attackers are those people who change the behavior of an entity and break the trust. So, first of all, we should study the attackers and attacks, because they directly change the behavior of the vehicle. If we want to achieve trust and develop a trusted computing environment, then we should perform two tasks.
Figure 2. Three levels of trust and trusted computing
First Level: We should deal with attackers and attacks in the vehicular network and study the behavior of attackers and the possible attacks that disturb the network.
Second Level: Explore the major entities of the vehicular network that play a major role in developing trust in vehicle-to-vehicle communication and in communication with the infrastructure.
Third Level: The main objective is to achieve the third level: developing a trusted computing environment between all entities in the network. The Trusted Platform Module (TPM) plays a major role in fulfilling the third level of trust.
VANET User Requirement (VUR)
The user is the main entity in a vehicular network, and the objective of this new technology is to serve users and save their lives from road accidents. Safety and non-safety VANET applications meet all the users' requirements during their journey, such as sending safety messages to or receiving them from other vehicles and using entertainment services. The basic user requirements are the following [6].
Figure 3. User requirements in VANET (Security, Privacy, Trust)
Security: Security is the first important user requirement in VANET. It is difficult to convince users that any new technology is secure. Safety-related applications may not work properly without achieving a minimum security level; for example, the Extended Brakes Light (EBL) application [7] needs security, otherwise an attacker may generate warning messages and create problems on the road.
Privacy: User privacy is a very important factor in the vehicular environment; once a user's privacy is lost, it is very difficult to re-establish. Privacy in VANET means securing the user's personal data and his/her location. Users need privacy and may not allow others to see their personal data and their locations. They are always concerned about their privacy. Only authorized parties (such as police and law enforcement agencies) may use the private/personal information. The name of the driver, the license plate of the vehicle, the speed of the vehicle, its position/location, and the travel route are some items of user privacy information [8], and the user worries about this information while communicating with other users or with the infrastructure.
Trust: The last user requirement is trust, and trust [9] is the key element of a security system. When users receive any message from another vehicle or from the infrastructure, it should be trusted, because the user reacts according to the message. To establish trust, it is required to provide trust between the users in vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. Attackers change the contents of the message and break the trust between the vehicles.
VANET Applications
VANET is a very important part of the intelligent transport system (ITS). There are many potential applications of VANET. VANET applications are described and categorized in different ways in many studies [10, 11, 12]. Safety applications are the most important applications of VANET because they are directly related to users, and their priority is high due to the life-saving factor. The main goal of a safety application is to protect cars and their passengers from road accidents. Today, an active safety application is anything that helps users on the road to prevent an accident from happening; in other words, active safety systems work as pre-crash applications [13]. Active safety applications [14] are based on control functions, and their purpose is to exchange sensor data or status information in vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) communication. The goal of sending this kind of information to users is that they react accordingly and avoid the accident. The Antilock Brake System (ABS) and the Electronic Stability Program (ESP) are examples of active safety systems. Warning applications provide warning-related information to drivers, such as post-crash warnings/notifications and obstacle warnings, and also give warnings about the condition of the road. Passive safety applications work inside the vehicle and protect the passengers against injury in the event of an accident. Safety belts and air bags are examples of passive safety applications. Passive safety applications cannot help to avoid accidents, but these kinds of applications are very useful in case of an accident or criminal attack, to find the exact location of the users and provide services to affected people [15].
Attackers and Their Properties
Attackers create problems in the network by gaining full access to the DSRC communication medium. Here we discuss some properties and capabilities of attackers that have been mentioned in [16].
Coverage area: Coverage area is the main property of attackers when they launch any kind of attack. An attacker could cover the main area of the road, depending on the nature of the attack. A basic-level attacker controls one DSRC channel and covers a range of at most 1000 meters, but extended-level attackers are more organized and cover more area using a hundred DSRC channels.
Technical Expertise: The technical expertise of attackers makes them stronger in mounting attacks on the network. It is difficult for an attacker to mount attacks on cryptographic algorithms. The chance is low that an attacker compromises the infrastructure network and captures data from a restricted area of the network. An attacker may have the ability to extract the program code and secret keys of the computing platform of the OBU and RSU by launching physical attacks.
Resources: Budget, manpower, and tools are the three key resources, and attackers depend on them to achieve their goals. They need a budget to hire technical experts and to spend time understanding the configuration of a specific network, and then disturb the network by launching different kinds of attacks. Attackers can use different kinds of tools for launching attacks. These software tools can be developed by the attackers themselves or bought on the market. Many businesses set up near the road and provide non-safety application services (Internet, entertainment services). One business may use its maximum resources to create problems for other businesses and destroy their business with different kinds of attacks.
There are many types of attackers that create problems in VANET. The main goal of an attacker is to change the contents of a message or to create a message and use it for his/her own benefit. Maxim Raya and Jean-Pierre Hubaux [17] described their attacker model, and we extend this model further into two levels on the basis of previous work [18]. Figure 4 shows the two levels of attackers. The following subsections describe them in detail.
Figure 4. Two Levels of Attackers
First Level of Attackers
At the first level, the attackers act more seriously and the intensity of the attacks is higher than at the second level. Figure 5 illustrates first level attackers, who launch different types of attacks on both kinds of communication, i.e., vehicle to vehicle (V2V) and vehicle to infrastructure (V2I). The attackers are active and launch different types of attacks at the same time in the network. The purpose of this kind of attack is not to achieve any personal benefit but only to create problems in the network. The severity level is high because the attacker has control over the unique identity and authentic user of the network. The scope of a first level attack is high because such attacks cover a bigger geographical area. More details about first level attackers are given below.
Figure 5. First Level of Attacker
Insider: This type of attacker is an authentic user of the network who can create problems in the network by changing the certificate keys. An insider attacker might have access to insider knowledge, and this knowledge is used to understand the design and configuration of the network. Once they have all the information about the configuration, it is easy for them to launch attacks and create more problems than an outsider attacker. We can simply say that the insider attacker is the right man doing the wrong job in the network.
Malicious: This type of attacker has no personal gain from launching the attacks, but wants to achieve two goals:
- To harm the other vehicles of the network by sending wrong information or altering the information of safety-related applications.
- To create problems by disturbing the correct functioning of the network by sending unnecessary frames to other vehicles.
Active: This type of attacker creates problems in the network while working in two dimensions:
- Generates packets and sends them to other VANET vehicles as well as to the infrastructure.
- Generates and sends signals in the network and disturbs the main frequency band.
Extended: This type of attacker extends and spreads attacks across the network, affecting many entities of the network. Privacy violations and wormholes are examples of these kinds of attacks.
Intentional: This type of attacker intentionally disturbs network operation and creates problems for legitimate users in gaining access to the network.
Independent: This type of attacker has a unique identity and is independent in the network; for launching attacks it may not be dependent on other vehicles.
Second Level of Attackers
Second level attackers also have their own severity level, which is lower than that of the first level. An attacker at the second level is an outsider, and the basic aim of this kind of attacker is to seek personal benefit. Figure 6 illustrates second level attackers. Second level attackers just listen to the communication among various vehicles, say vehicle A and vehicle B. The scope and affected area are somewhat limited, e.g., to the circle shown in Figure 6. Passive and dependent attackers are examples of second level attackers. The level of severity is low compared to first level attackers, who are active and independent in launching attacks in the network. More details about second level attackers are given below.
Figure 6. Second Level of Attacker
Outsider: The outsider attacker is considered as an authentic vehicle of the network. It is a kind of intruder that aims to misuse the protocols of the network, and the range of such attacks is limited. The outsider attacker also has limited diversity in launching different kinds of attacks compared to the insider attacker.
Rational: The rational attacker seeks personal benefit, defines a specific target, and tries to achieve it. For example, sending erroneous information about the road, diverting all traffic to another road, and clearing the road for one's own benefit.
Passive: The passive attacker aims just to eavesdrop on the wireless medium between the vehicles and the infrastructure of the network. It is a kind of violation of the privacy of users on the road.
Local: The scope and effect of the attack can be limited because the attacker controls the VANET vehicles or the infrastructure (RSU) locally. The effects of this attack are confined to a specific region and do not disturb the other entities of the network.
Unintentional: These attackers do not intentionally want to get involved in the network or to create problems for the network users. This can be the case where errors occur due to network operations and transmissions in the network.
Dependent: A group of attackers intentionally wants to attack the network as a coordinated group. In a group attack, the attackers depend on each other and share the same interest.
Severity Level (SL)
Eq. 1 expresses the severity levels of first and second level attackers. The severity level of a first level attacker is greater than that of a second level attacker. Here we select one attacker (the active attacker) from the first level and compare it with one second level attacker (the passive attacker). The severity level of the active attacker is high compared to the passive attacker because the active attacker generates packets and sends these false packets to other vehicles and to the infrastructure. The packets may be safety or non-safety packets, or may contain some bogus information, but the purpose of the attacker is to disturb the network. Figure 5 describes the behavior of an attacker who generates false packets and sends them to other vehicles and to the infrastructure. Vehicle A and Vehicle B are in the same lane, but they receive different kinds of packets. For the passive attacker, in contrast, the aim is just to listen to the communication among the vehicles and with the infrastructure; there is no need to generate and send packets into the network. Figure 6 shows the attacker just listening to the communication between vehicle A and vehicle B.
$$SL = \{\, L_1(Ak_1, Ak_2, \ldots, Ak_n) > L_2(Ak_1, Ak_2, \ldots, Ak_n) \,\} \qquad (1)$$
Classes of Attacks
Attackers generate different attacks in this life-saving vehicular network. In this paper, we propose five classes of attacks, and every class is expected to provide a better perspective on VANET security. The proposed solution is to classify and identify the different attacks in VANET.
The attacker's role is important in a vehicular network because attackers launch different types of attacks. The objective of attackers is to create problems for other users of the network by changing the content of messages. Researchers have described different types of attacks in their studies [17, 19, 20, 21]. In addition, we propose five classes of attacks. Each class describes different types of attacks, their threat level, and their priority. Along with this approach, we also propose some new attacks. The aim of this approach is to easily identify these attacks and their association with the respective class. Figure 7 shows the proposed classes of attacks.
Figure 7. Classes for Attacks (Network Attack, Application Attack, Timing Attack, Social Attack, Monitoring Attack)
First Class: Network Attack
Vehicles and infrastructure are the main components of VANET. In this class, attackers can directly affect other vehicles and the infrastructure. These attacks are of high priority because they affect the whole network. The main objective of these attacks is to create problems for legitimate users of the network. Some of the attacks are described below.
A. Denial of service (DOS) Attack
The availability of the network is very important in the vehicular network environment, where all users rely on the network. Denial of Service (DOS) is one of the most serious attacks in vehicular networks. In a DOS attack, the attacker jams the main communication medium and the network is no longer available to legitimate users [17]. The main aim of the DOS attacker is to prevent authentic users from accessing the network services [20]. Figure 8 shows the whole scenario in which the attacker launches a DOS attack in a vehicular network and jams the whole communication medium between V2V and V2R. As a result, users cannot communicate with other users or with the infrastructure.
Figure 8 DOS Attacks between V2V and V2R
B. Sybil Attack
The Sybil attack [21] also belongs to the first class. In a Sybil attack, the attacker sends multiple messages to other vehicles, and each message contains a different fabricated source identity (ID). It creates an illusion for other vehicles by sending wrong messages, such as a traffic jam message [21, 22]. Figure 9 illustrates a Sybil attack in which the attacker creates multiple vehicles on the road with the same identity [3]. The objective is to force other vehicles to leave the road for the benefit of the attacker.
Figure 9 Sybil Attack
C. Vehicle Impersonation Attack
Each vehicle has a unique identifier in VANET, and it is used to verify the message whenever an accident happens as a result of wrong messages sent to other vehicles [3, 17]. Figure 10 illustrates this scenario, in which vehicle A is involved in an accident at location Z. When the police identify the driver, as the identifier is associated with the driver's identity, the attacker changes his identity and simply denies it.
Figure 10 Vehicle Impersonation Attack
Second Class: Application Attack (AP)
Safety and non-safety applications are the two types of potential vehicular applications. In this class, the main concern of the attacker is to change the content of these applications and use it for their own benefit. Safety applications are of greater importance; they provide warning messages to other users. The attackers change the content of the actual message and send wrong or fake messages to other vehicles, which causes accidents. The bogus information attack [17] is one example, in which the attacker sends wrong information into the network, and these wrong messages directly affect the behavior of users on the road. Warning messages are important messages that are used in safety applications. It is a very serious condition on the road if attackers change the warning messages; many accidents occur on the road. Security mechanisms are used to avoid such attacks and to ensure the truthfulness of the message. Figure 11 shows an example in which the attacker launches an attack on a safety application. The attacker receives a warning message, "Work Zone Warning", from a nearby vehicle. He changes the content of the message and sends the message "Road is Clear" to other vehicles. The important warning messages used in V2V or V2I communication are Blind Spot, Post Crash, Breakdown, Work Zone, Curve Speed, Lane Change, Rail Collision, Wrong Way Driver, Stop Sign Violation, Intersection Collision, Cooperative Collision, Traffic Signal Violation, Emergency Vehicle at Scene, Emergency Vehicle Approaching, and Infrastructure Based Road Condition Warning [23].
Figure 11. Safety Application Attack
Non-safety applications relate to users' comfort during their journey. These applications do not disturb safety applications. The role of non-safety applications is to comfort the passengers and to improve the traffic system. Car parking is one of the major non-safety applications; a Road Side Unit (RSU) provides information about the availability of parking at a shopping mall or sports complex. Figure 12 illustrates this attack: an authentic user receives the information "Parking Slot available" from a road side unit (RSU) near the shopping mall and sends this message to another vehicle. The vehicle that receives this message is actually the attacker's vehicle. The attacker now alters the message to "No empty parking slot" and passes it to other vehicles. Entertainment, Toll Collection, Map Download, Restaurant Finding, Gas Station Finding, Parking Availability, and Shopping Mall Finding Services are some services that are considered non-safety applications [6].
Figure 12 Non Safety Application Attack
Third Class: Timing Attack
This is a new type of attack in which the attacker's main objective is to add a time slot to the original message and so delay it. The attackers do not disturb the other content of the message; they only create a delay, and these messages are received after the time at which they are required. Safety applications are time-critical applications; if a delay occurs in these applications, the main objective of the application is defeated. Figure 13 shows the complete scenario of the timing attack, in which the attacker receives a warning message ("Warning! Accident at location Y") from another vehicle and then passes this message on to other vehicles after adding some delay. Other users of the network thus receive this message only when the accident has actually occurred.
Figure 13 Timing Attack
Fourth Class: Social Attack
All immoral messages (social attacks) lie in this class. It is a kind of emotional and social attack. The purpose of these kinds of messages is to indirectly create problems in the network. Legitimate users become angry when they receive such messages, which is exactly what the attacker wants by launching such an attack. Figure 14 illustrates this condition: the attacker passes the message "You are Idiot" to a nearby vehicle. When the user receives this message, it directly affects his driving behavior, causing him to increase the speed of his vehicle. All of this indirectly disturbs the other users in the network.
Figure 14 Social Attack
Fifth Class: Monitoring Attack
Attacks that monitor and track vehicles lie in this class. In a monitoring attack, the attacker just monitors the whole network and listens to the communication between V2V and V2I. If they find any relevant information, they pass this information to the person concerned. For example, the police plan to perform an operation against a criminal, communicate with each other, and give guidance on the exact location of the operation. The attacker listens to all the communication and informs the criminal about the police operation. Every vehicle has its own unique ID, and the attacker discloses the identity of other vehicles in the network. Using these unique IDs, the attacker tracks the current location of the required vehicle. A global observer monitors the target vehicle and sends a virus to a neighbour of the target [17]. When the neighbour is affected, it takes data from the target vehicle. Rental car companies use this ID to track the location of their own vehicles. The ID disclosure attack is related to user privacy; the attacker can easily track a user's location in a specific region [24].
Vehicular Trusted Computing (VTC)
Trusted computing is a relatively new technology that has gained popularity recently, and the Trusted Computing Group (TCG) [25] has been the main proponent of this technology. The main aim of TCG is to enhance security in computer networks by using a security hardware module (called the Trusted Platform Module). Figure 15 shows how trusted computing communication can be maintained between all entities of the network. Vehicles A to F perform their tasks in the proper manner. Vehicle D communicates with the RSU, and the RSU communicates with the TOC, authenticates, and provides valid information. Vehicle D shares this information with other vehicles in the network. This is the ideal condition that we want to achieve in a real vehicular network. Trust is built in two different ways in vehicular trusted computing. Trusted computing requires that these two basic properties are fulfilled [26]:
- The sender who sends the information in vehicle-to-vehicle or vehicle-to-infrastructure communication is accepted as a trusted entity.
- The content of the message is not changed during transmission; it meets the integrity requirement.
Figure 15. Vehicular Trusted Computing Communication
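The two properties above, together with the freshness check needed against the timing attack class, can be enforced by the receiving vehicle as in this added example (it is not code from the paper). HMAC-SHA256 with a per-vehicle key stands in for the TPM-backed signature and certificate, and the vehicle IDs, keys, timestamps, and the 0.5 s freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Assumed policy values (not from the paper).
MAX_AGE_S = 0.5      # how old a safety message may be when it arrives
CLOCK_SKEW_S = 0.05  # tolerated clock difference between vehicles

# Constructed trust store: sender ID -> verification key. In the paper's model
# this role is played by a TPM-protected signing key plus its certificate;
# HMAC-SHA256 stands in here so the example needs only the standard library.
TRUST_STORE = {"vehicle-A": b"constructed-demo-key-for-vehicle-A"}


@dataclass(frozen=True)
class SafetyMessage:
    sender: str
    body: str
    sent_at: float  # seconds, set by the sender and covered by the tag
    tag: bytes


def _canonical(sender: str, body: str, sent_at: float) -> bytes:
    """Serialize every protected field in one fixed, unambiguous form."""
    fields = {"sender": sender, "body": body, "sent_at": sent_at}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(sender: str, body: str, sent_at: float, key: bytes) -> SafetyMessage:
    tag = hmac.new(key, _canonical(sender, body, sent_at), hashlib.sha256).digest()
    return SafetyMessage(sender, body, sent_at, tag)


def verify(msg: SafetyMessage, now: float, trust_store=TRUST_STORE) -> str:
    # Property 1: the sender must be an entity we already trust.
    key = trust_store.get(msg.sender)
    if key is None:
        return "reject: untrusted sender"
    # Property 2: sender, body and timestamp must be unchanged in transit.
    expected = hmac.new(
        key, _canonical(msg.sender, msg.body, msg.sent_at), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, msg.tag):
        return "reject: integrity failure"
    # Timing attack: a delayed relay leaves the content intact, so the tag still
    # verifies. Only the age of the protected timestamp exposes the delay.
    age = now - msg.sent_at
    if age > MAX_AGE_S or age < -CLOCK_SKEW_S:
        return "reject: stale or future-dated"
    return "accept"


def demo() -> dict:
    """Run the page's attack scenarios against the receiver-side check."""
    t0 = 1000.0  # constructed send time
    genuine = sign("vehicle-A", "Work Zone Warning", t0, TRUST_STORE["vehicle-A"])
    # Application attack: the warning text is swapped, the tag is left as it was.
    altered = replace(genuine, body="Road is Clear")
    # Timing attack variant: the timestamp is rewritten to hide a 5 s delay.
    redated = replace(genuine, sent_at=t0 + 5.0)
    # Sender with no entry in the trust store, signing with its own key.
    stranger = sign("vehicle-X", "Work Zone Warning", t0, b"constructed-unknown-key")
    return {
        "genuine": verify(genuine, now=t0 + 0.1),
        "altered_body": verify(altered, now=t0 + 0.1),
        "delayed_relay": verify(genuine, now=t0 + 5.0),
        "redated_relay": verify(redated, now=t0 + 5.1),
        "unknown_sender": verify(stranger, now=t0 + 0.1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

The delayed relay is the case to note: its tag is valid, so a receiver that checks only the sender and the integrity of the content would accept it.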
Trusted Entities of VANET
In this section we explain six basic entities of trust; when all these entities work together, they develop a chain of trust in the vehicular network. Eq. 2 expresses that all modules are trusted and work together to achieve a chain of trust in the system. Detailed discussions of all these entities are given below.
Trusted User (TU)
Trusted Vehicle (TV)
Trusted Applications (TA)
Trusted Routing (TR)
Trusted Medium (TM)
Trusted Infrastructure (TIF)
Chain of Trust (COT) = i=0 (TU + TV + TA + TR + TM + TIF)        eq.(2)
Trusted User: The user's role is important in all technologies, and in VANET
applications in particular we are directly concerned with the protection of
users' lives. The main purpose of VANET applications is to serve the users by
sending safety and non-safety messages from vehicle to vehicle and also to the
infrastructure. We classify users into two types, trusted users and non-trusted
users. Trusted Users (TUs) are those people who perform their tasks properly in
the network. In the vehicular environment the user's role is important for
building the chain of trust. The chain of trust is affected if a user does not
perform their task accurately. In their respective vehicles, users communicate
with the application unit (AU) and send messages to other vehicles in the
network. Trusted users have the following qualities:
- They receive messages from other vehicles, perform the task the message calls
  for (safety or non-safety), and pass the message on to other vehicles in the
  network.
- They receive messages from the infrastructure (RSU), act on them, and pass
  them on to the vehicles of the network.
- They generate messages according to the situation; e.g. if an accident has
  occurred at some specific place, messages are passed to other vehicles as well
  as to the infrastructure in the network.
Non-Trusted Users (NTUs) are those users who do not possess the trusted
credentials and could potentially be the kind of attackers who create problems
for legitimate users by launching attacks. In a vehicular network their role is
more prominent because they can potentially change life-critical information on
the road. They perform the following tasks in VANET:
- Non-trusted users could potentially be active attackers and launch attacks of
  high intensity. Denial of service (DoS) and Sybil attacks are examples of such
  attacks. The main objective of NTU attacks is to directly disturb the basic
  functionality of the network.
- Non-trusted users can break the integrity of messages sent through the
  communication in the vehicular environment. Attackers could change the content
  of a message; for example, "Accident at Location X" can become "Road is
  clear".
Trusted Vehicle: The role of the vehicle is important in all types of
communication in the network. The basic level of trust is to provide security in
the vehicle (Trusted Vehicle), with communication carried over trusted channels
for vehicle to vehicle (V2V) and vehicle to infrastructure (V2I). A Trusted
Vehicle requires some specific sensors to be a part of VANET. The TPM is the
hardware module that forms the basic building block for trust inside the
vehicle: it has its own root of trust and hashing and cryptographic functions,
and it acts like a smart card. The Electronic Control Unit (ECU) and many other
types of sensors work inside the vehicle. Hardware (all types of sensors) and
software should perform their tasks properly to build trust inside the vehicle.
The vehicle receives some information from its on-board units and some from the
outside network (other vehicles or the infrastructure).
Trusted Applications: Safety and non-safety applications serve the users and
make their journey safe and comfortable. Active safety applications, warning
applications and position-based routing require security from attackers, and
user trust is built when these applications perform their tasks accurately.
Applications should be trusted because users take decisions based on the
application information received from other vehicles as well as from the
infrastructure. M. Gerlach [9] discussed and proposed a model for trusted
applications for VANET. This model defines the situations in which the
attributes of trust are relevant to the trustee, and the author makes three main
contributions in that paper, which are given below:
- A security architecture that integrates different security measures in the
  vehicular environment.
- Probabilities for presenting trust, and a trust model for VANET applications
  that uses the principle of trust tagging.
- The concept of mix content, which defines the way to change pseudonyms. It is
  then not possible for an attacker to link two messages coming from the same
  vehicle, which also prevents location tracking.
Trusted Routing: Routing is a key part of VANET; a message moves from one
vehicle to another over different routes. Routing involves hop-to-hop and
multihop communication, and the open medium and dynamic network topology make
the routing task complex. Secure and trusted routing is necessary for sending
and receiving safety messages in the network. T. Chen [27] discussed trusted
routing using their own proposed trusted routing framework. The proposed
framework provides message authentication, trust between vehicles and
routability verification without the support of online certificate authorities
(CA). The framework is applied to the OLSR (Optimized Link State Routing)
protocol. The trust establishment framework consists of three key parts, which
are designed to handle different types of threats in the network.
I. A digital signature is used for message authentication. The value of the
   digital signature depends on secret values that are known only to the signer
   of the message. A hash function is used to generate a fixed-size message
   digest, and this digest is signed instead of the complete message.
II. Vehicle to vehicle authentication is also part of trusted routing. Its main
   task is to authenticate the identity of a vehicle and defend it from
   attackers. The author divides the vehicle to vehicle authentication procedure
   into three phases:
   - In the first phase, the public/private key pairs and certificates are
     distributed to all authentic vehicles that are willing to join the network.
   - Two vehicles exchange certificates and verify each other by sending and
     receiving challenges.
   - In the last phase, if the connection between the vehicles is lost for a
     short period of time, they try to re-authenticate with each other using the
     pre-shared secret exchange.
III. Routability verification is the last part of trusted routing. This
   mechanism provides pieces of evidence from neighbour vehicles, so that
   connections from source to destination are verified and trusted. Each vehicle
   builds its own trusted routing map from the Routability Certificates (RC) it
   cumulatively collects. This phase allows two vehicles to establish their
   connection quickly without repeating the whole authentication phase.
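Parts I and II above (hash-then-sign, certificate distribution, and the challenge exchange) can be exercised end to end in the following added Go example, which is not code from the paper or from the framework in [27]. The page names no algorithm, so Ed25519 and SHA-256 are assumptions, and the `Cert` layout, the context tags and all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert binds a vehicle ID to its public key under the CA's signature (simplified).
type Cert struct {
	ID  string
	Pub ed25519.PublicKey
	Sig []byte
}

// Vehicle holds the private key and certificate issued in phase 1.
type Vehicle struct {
	key  ed25519.PrivateKey
	Cert Cert
}

// digest reduces length-prefixed parts to one fixed-size value; only it is signed.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte{byte(len(p) >> 8), byte(len(p))})
		h.Write(p)
	}
	return h.Sum(nil)
}

// NewKey generates a key pair; it panics only if the system RNG fails.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Enroll is phase 1: the CA certifies a fresh key pair for a joining vehicle.
func Enroll(caKey ed25519.PrivateKey, id string) *Vehicle {
	pub, priv := NewKey()
	sig := ed25519.Sign(caKey, digest([]byte("cert"), []byte(id), pub))
	return &Vehicle{key: priv, Cert: Cert{ID: id, Pub: pub, Sig: sig}}
}

// Sign signs the digest of context and data; the tag separates challenges from messages.
func (v *Vehicle) Sign(context string, data []byte) []byte {
	return ed25519.Sign(v.key, digest([]byte(context), data))
}

// Verify checks the peer certificate against the CA key, then the signature.
func Verify(caPub ed25519.PublicKey, peer Cert, context string, data, sig []byte) bool {
	certOK := len(peer.Pub) == ed25519.PublicKeySize &&
		ed25519.Verify(caPub, digest([]byte("cert"), []byte(peer.ID), peer.Pub), peer.Sig)
	return certOK && ed25519.Verify(peer.Pub, digest([]byte(context), data), sig)
}

// NewChallenge returns a fresh random nonce for the phase 2 exchange.
func NewChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func main() {
	caPub, caKey := NewKey()
	d := Enroll(caKey, "Vehicle-D")
	nonce := NewChallenge() // sent by the verifying vehicle
	fmt.Println("D authenticated:", Verify(caPub, d.Cert, "v2v-auth", nonce, d.Sign("v2v-auth", nonce)))
	msg := []byte("Accident at Location X") // constructed sample message
	sig := d.Sign("safety-msg", msg)
	fmt.Println("original accepted:", Verify(caPub, d.Cert, "safety-msg", msg, sig))
	fmt.Println("altered accepted:", Verify(caPub, d.Cert, "safety-msg", []byte("Road is clear"), sig))
}
```

The verifier needs only the CA public key, which matches the framework's goal of working without an online CA. Phase 3 (re-authentication with the pre-shared secret) is not covered here.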
Trusted Medium: The role of the channel medium is important. The dedicated short
range communication (DSRC) frequency band is used for all types of communication
in VANET. DSRC provides multiple channels and its transmission band ranges from
5.850 to 5.925 GHz. DSRC is divided into seven channels, and each channel is
10 MHz wide. Every vehicle in the network receives messages from other vehicles
or from the infrastructure. Secure and trusted message content is the major
concern of the users. Attackers will try hard to change the contents of messages
and break the trust between vehicles. When users receive any information (safety
or non-safety) from other vehicles or from the infrastructure, it must be
trusted, because users react according to the message. To establish trust, we
must provide a secure and trusted channel (Trusted Medium) between the users in
the network. Whenever attackers launch any type of attack, we have the option of
using other channels. Attackers will also use these channels to insert false
information into the network and create problems for legitimate users. Message
exchange from vehicle to vehicle and from vehicle to infrastructure should be
reliable, accurate and confidential, and this happens only in the presence of a
secure communication medium. C. Laurendeau [28] explained the security threats
in DSRC/wireless access in vehicular environment (WAVE); if we are able to
remove these threats, the medium becomes trusted.
Trusted Infrastructure (RSU): The network infrastructure (which consists of
network components) is important for verifying the users and providing the right
information to users on the road. The infrastructure must be made trusted before
it sends safety-related information to users, because all users rely on it. In
case of channel jamming (DoS), the user wants to communicate with the
infrastructure and send information to or receive information from it. In this
sense, accessibility and availability of the network are directly tied to the
users' trust levels. When the network is not available due to an attack, users'
trust is seriously affected. The objective of trusted infrastructure is to
ensure the security of the channel and of the information being passed among the
users. There are many types of trust in the vehicular network, and the level of
trust increases if we can keep attackers from launching attacks. Figure 16 shows
the relationship of attackers (both levels) with trust types. When an attacker
succeeds in launching any type of attack, the level of trust gradually
decreases. Whenever there is control over the attackers, the level of trust
increases. Hence we can safely say that the two (attackers and trust) are
directly proportional to each other.
Figure 16. Relationship between Trust and Attackers (labels: Trusted User,
Trusted Node, Trusted Applications, Trusted Routing, Trusted Medium, Trusted
Infrastructure; First Level of attackers, Second Level of attackers; Attackers;
Trust)
Levels of Trust
Zero Trust is the first trust level, in which the attacker is active, is able to
use all kinds of entities in the network, and creates problems by launching
different types of attacks (passive or active). Eq. 3 describes that first and
second level attackers are active and that the chain of trust in this condition
is zero.
Zero Trust = (L1.Attackers + L2.Attackers) (COT := 0)        eq.(3)
The second level of trust is called Weak Trust, in which the attacker is able to
launch different kinds of attacks and the scope of the attacks is within some
specific region. Some entities are affected by these attacks, whereas the other
entities of the network perform their tasks properly and serve the users. In
Eq. 4 we represent a situation where, of all entities of the chain of trust,
only the trusted infrastructure (TIF) is affected by attacks.
Weak Trust = (TU + TV + TA + TR + TM) (TIF)        eq.(4)
Strong Trust is the third level of trust, in which all entities of the network
are trusted and work properly. There are no attackers in the network; this is
the ideal condition, in which every entity performs its task properly.
Strong Trust = COT (L1.Attackers := 0 + L2.Attackers := 0)        eq.(5)
In Eq. 5 we assign the value zero to both types of attackers; all components are
fully trusted, work properly and serve the users in the network. Table 1
explains the three different levels of trust in the vehicular network.
Table 1. Levels of Trust
Levels of Trust    Description
0                  Zero Trust
1                  Weak Trust (some entities are trusted)
2                  Strong Trust (all entities are trusted)
IV. Trusted Hardware Module (THM)
Hardware and software work together to achieve security in the system and make
secure communication between VANET vehicles possible. There are two basic
hardware modules that are used for security purposes in a VANET vehicle. The
first security hardware module is the Event Data Recorder (EDR), a kind of black
box similar to the one used in airplanes. It is a non-volatile hardware module
and provides tamper-proof storage. The basic task of the EDR is to record the
data of critical situations in emergency conditions [29]. The EDR provides
secure storage of data only. Its cost is low and it is easily embedded into
VANET vehicles. In many countries the EDR is installed in many road vehicles
(trucks). The drawback of the EDR is that it has no ability to perform
cryptographic functions.
The second security hardware module is the Tamper Proof Device (TPD), which is
able to sign messages and to verify the messages received from other vehicles in
the network [20]. The key point of the TPD is that it has processing ability.
Its high cost is its only drawback. These two security hardware modules do not
provide trust in the VANET vehicle. Hence we propose to use another hardware
module, the Trusted Platform Module (TPM).
Trusted Platform Module (TPM)
The Trusted Platform Module is a hardware chip designed for secure computing
that can be used to measure the integrity of a platform or system. It is a piece
of hardware and needs software to communicate with it in order to protect and
store data in a secure location. Protection capabilities, integrity measurement
and integrity reporting are the key features of the TPM. The Random Number
Generator (RNG), SHA-1 engine, RSA and HMAC are the functional components of the
TPM that provide its cryptographic capabilities [3, 30]. With software written
to manage the integrity of data using the TPM, the platform can resist software
attacks. The TPM is also advantageous because its cost is lower than that of the
other security modules (EDR or TPD). The TPM will be embedded into the existing
hardware module, and with it we will make the necessary software and hardware
changes to make the vehicle trusted in the vehicular network.
Attacker and Trusted Platform Module (TPM)
If attackers launch any kind of attack (first or second level), the trusted
vehicle (TN) in the car first detects that there is a change in the values of
the Platform Configuration Register (PCR) inside the TPM, and the application
then alerts the TN to prevent any further communication with the untrusted
vehicle. Figure 17 illustrates this scenario: the attacker launches an attack,
the PCR values change, and the TN is alerted to prevent any further
communication with the attacker.
Figure 17. Attackers and TPM (labels: Attacks; First Level of attackers, Second
Level of attackers; Vehicle; TPM with Platform Configuration Register (PCR),
Endorsement Key (EK), Attestation Identity Key (AIK))
Platform Configuration Register (PCR)
A PCR is an internal register used for storing integrity measurement values in a
shielded location. PCRs contain values that represent the software and hardware
configuration metrics of the TN. Any kind of attack on the TN changes these PCR
values, which means that the current hardware and software configuration has
been attacked; the system detects the change and acts appropriately [31].
Measurement, reporting and execution are the three main processes [32] used to
maintain the integrity of the system. Platform configuration attestation and the
chain of trust are the two basic purposes of the PCR contents, i.e. the old and
new values of the PCR registers used inside the TPM. A total of sixteen PCR
registers are used in the TPM; eight registers are used for hardware and eight
for software to meet the integrity requirement.
R_{i+1} := SHA1(R_i || I)
where R_{i+1} = new register value, R_i = old register value, I = input value
State getCurrentPCRs()
Steps:
1. CRTM measures BIOS
2. BIOS measures BL
3. Boot Loader (BL) measures OS
4. Operating System (OS) measures Applications
5. User communicates with Applications
Figure 18. Integrity Measurement Process
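The extend rule and the measurement steps of Figure 18 are worked through in the following added Go example, which is not code from the paper. It assumes, as in TPM 1.2, that the input I is the SHA-1 digest of the measured stage; the stage images are constructed placeholders and the function names are hypothetical.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// PCR is one 20-byte register, the size of a SHA-1 digest.
type PCR [sha1.Size]byte

// Component is one measured stage of the boot chain. The images used below
// are constructed placeholders, not real firmware.
type Component struct {
	Name  string
	Image []byte
}

// Extend computes R(i+1) := SHA1(R(i) || I). A register can only be extended,
// never written directly, so its value depends on every input and on their order.
func Extend(old PCR, input [sha1.Size]byte) PCR {
	buf := append(append([]byte{}, old[:]...), input[:]...)
	return PCR(sha1.Sum(buf))
}

// MeasureChain starts from the all-zero reset value and extends the register
// with the SHA-1 digest of each stage, in boot order.
func MeasureChain(chain []Component) PCR {
	var pcr PCR
	for _, c := range chain {
		pcr = Extend(pcr, sha1.Sum(c.Image))
	}
	return pcr
}

// FirstChanged compares a measured chain with the reference stage by stage and
// names the first stage that differs, or "" if none does. The PCR value only
// shows that something changed; the per-stage comparison shows what.
func FirstChanged(reference, actual []Component) string {
	for i, ref := range reference {
		if i >= len(actual) || ref.Name != actual[i].Name ||
			sha1.Sum(ref.Image) != sha1.Sum(actual[i].Image) {
			return ref.Name
		}
	}
	if len(actual) > len(reference) {
		return actual[len(reference)].Name
	}
	return ""
}

// ReferenceChain is the known-good configuration (constructed sample data),
// with the stages measured in steps 1 to 4 of Figure 18.
func ReferenceChain() []Component {
	return []Component{
		{"BIOS", []byte("bios-image-v1")},
		{"Boot Loader", []byte("bootloader-v1")},
		{"Operating System", []byte("os-kernel-v1")},
		{"Applications", []byte("vanet-safety-app-v1")},
	}
}

func main() {
	golden := MeasureChain(ReferenceChain())
	tampered := ReferenceChain()
	tampered[3].Image = []byte("vanet-safety-app-v1+patch") // simulated modification
	current := MeasureChain(tampered)
	fmt.Printf("golden PCR : %x\ncurrent PCR: %x\n", golden, current)
	fmt.Println("trusted:", current == golden,
		"| first changed stage:", FirstChanged(ReferenceChain(), tampered))
}
```

SHA-1 is used because it is the hash in the paper's TPM 1.2 formula; TPM 2.0 PCR banks also support SHA-256.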
Endorsement Key (EK): The Endorsement Key (EK) [32] is a fundamental component
of the TPM, which must have an endorsement key pair. In the endorsement key
pair, the private key is the more important part and it is embedded in the TPM.
The purpose of the EK is to uniquely identify the platform. The TPM has a root
of trust that is defined by the EK pair. The public and private portions form an
RSA key pair. One major fact about the EK is that once it has been created it
cannot be replaced or removed from the TPM.
Attestation Identity Key (AIK): An AIK [33] is a TPM key that is used for
attestation of the current platform and its configuration. The AIK is also used
as an alias for the endorsement key (EK), and it is a non-migratable signing key
generated by the owner of the TPM. Multiple AIKs can be generated by the TPM.
PCA (Privacy Certification Attestation) and DAA (Direct Anonymous Attestation)
are used to certify the AIK. VANET applications (safety and non-safety) run
inside the vehicle, and the TPM performs the attestation task using the AIK.
After attestation, the messages are sent to other vehicles and to the
infrastructure.
V. Conclusion and Future Work
Security of VANET is an important issue to be addressed by designers of VANET
infrastructure security. It can be useful in providing correct information to
users and guiding them about varying conditions on the road. VANET applications
are regarded as an important solution for the security of users on the road.
Moreover, vehicular applications must be secured, because users are directly
affected if attackers change the content of safety applications. Attackers
change their attacking behavior and launch different attacks at different times.
Attackers always try to tamper with the information and create trouble in the
network. The level of trust in the network develops if the system is able to
keep attackers from distorting the information. The TPM can play an important
role in resisting possible software attacks and in creating a trusted
environment between vehicles and the infrastructure. In past research work,
cryptographic functional components have been considered one of the key elements
for building trust and maintaining data integrity. In future we will address
attestation schemes such as property-based attestation (PBA) for developing a
secure and trusted environment in the vehicular network.
Acknowledgement
This work is funded by Universiti Teknologi PETRONAS
Postgraduate Assistantship
Scheme in collaboration with MIMOS Berhad.
References
1. Y. Qian, N. Moayeri, "Design of Secure and Application Oriented Vanets," Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 11-14 May 2008, Singapore.
2. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs," Consumer Communications and Networking Conference, 2008, 5th IEEE, 10-12 Jan. 2008, pp. 912-916.
3. G. Guett, C. Bryce, "Using TPMs to Secure Vehicular Ad-Hoc Networks (VANETs)," IFIP 2008, WISTP 2008, LNCS 5019, pp. 106-116.
4. G. Guette, O. Heen, "A TPM-based Architecture for improved security and Anonymity in vehicular ad hoc networks," IRIS France.
5. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges," Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
6. I. Ahmed Sumra, H. B. Hasbullah, J. Ab Manan, "User requirements model for vehicular ad hoc network applications," International Symposium on Information Technology 2010 (ITSim 2010), Malaysia.
7. F. Kargl, Z. Ma, E. Schoch, "Security Engineering for VANETs," 4th Workshop on Embedded Security in Cars (escar 2006), Berlin, Germany.
8. X. Lin, R. Lu, C. Zhang, H. Zhu, P. Han Ho, X. Shen, "Security in Vehicular Adhoc Networks," IEEE Communication Magazine, April 2008.
9. M. Gerlach, F. FOKUS, "Trust for Vehicular Applications," IEEE Computer Society, Proceedings of the Eighth International Symposium on Autonomous Decentralized Systems, pp. 295-304, year of publication: 2007.
10. R. Prasad, R. Kanjee, H. Zui, Pishro, Nik, Ni, "DSRC Accident Warning system at Intersection," Report, October 19, 2006.
11. D. Jiang, V. Taliwal, A. Meier, W. Holfelder, R. Herrtwich, "Design of 5.9 GHz DSRC-based vehicular safety communication," Wireless Communications, IEEE, Vol. 13, No. 5 (2006), pp. 36-43.
12. S. Yousefi, M. Fathy, "Metrics for performance evaluation of safety applications in vehicular ad hoc networks," Transport, Vilnius: Technika, 2008, Vol. 23, No. 4, pp. 291-298.
13. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs," Consumer Communications and Networking Conference, 2008, 5th IEEE, 10-12 Jan. 2008, pp. 912-916.
14. National Highway Traffic Safety Administration, CAMP, "Vehicle Safety Communications Project Task 3 Final Report, Identify Intelligent Vehicle Safety Applications Enabled by DSRC," DOT HS 809 859, National Highway Traffic Safety Administration, Washington, D.C., March 2005.
15. J. Cheambe, J. J. Tchouto, M. Gerlach, "Security in Active Safety Applications," 2nd International Workshop on Intelligent Transportation (WIT) 2005, Germany.
16. H. Hartenstein and K. P. Laberteaux, "VANET: Vehicular Applications and Inter-networking Technologies," Chapter No. 09, pp. 309-310, Wiley. www.vanetbook.com
17. M. Raya, J. Pierre, Hubaux, "Securing vehicular ad hoc Networks," Journal of Computer Security, vol. 15, Issue no. 1, January 2007, pp. 39-68.
18. H. Moustafa, Y. Zhang, "Vehicular Networks techniques, standard and applications," CRC Press, chapter no. 12 (Security in Vehicular Networks), pp. 334.
19. B. Parno, A. Perrig, "Challenges in Securing Vehicular Networks," Hot Topics in Networks (HotNets-IV), 2005.
20. A. Stampoulis, Z. Chai, "A Survey of Security in Vehicular Networks."
21. J. Douceur, "The sybil Attack," First international workshop on peer to peer (P2P) system, March 2002, pp. 251-260.
22. G. Guette, B. Ducourthial, "On the sybil attack detection in VANET," Laboratoire Heudiasyc UMR CNRS 6599, France.
23. T. Leinmuller, E. Schoch, F. Kargl, C. Maihofer, "Improved security in Geographic ad hoc routing through autonomous Position Verification," 3rd international workshop on Vehicular ad hoc networks, VANET 2006. ISBN: 1-59593-540-1.
24. M. Raya, P. Papadimitratos, J. P. Hubaux, "Secure vehicular communications," IEEE Wireless Communication Magazine, special issue on inter-vehicular communication, Oct 2006.
25. Trusted Computing Group, "TCG specification architecture overview," version 1.2, April 2004.
26. H. Hartenstein, Kenneth P. Laberteaux, Toyota Technical Center, "A Tutorial Survey on Vehicular Ad Hoc Networks," IEEE Communication Magazine, June 2008.
27. T. Chen, O. Mehani and R. Boreli, "Trusted Routing for VANET," 9th International Conference on Intelligent Transport Systems Telecommunications (20 October 2009), pp. 647-652.
28. C. Laurendeau, M. Barbeau, "Threat to security in DSRC/WAVE," 5th International Conference on Ad Hoc Networks and Wireless (ADHOC-NOW), LNCS 4104, pp. 226-279, 2006.
29. M. Raya, J. Pierre, Hubaux, "The Security of vehicular ad hoc Networks," SASN05, November 07, 2005, Alexandria, Virginia, USA.
30. M. Raya, "Introduction to the TPM 1.2," University of Birmingham, Draft of March 23, 2009.
31. M. Strasser, H. Stamer, "A Software-Based Trusted Platform Module Emulator," TRUST 2008, LNCS 4968, pp. 33-47, Springer Berlin.
32. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges," Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
33. "Trusted Platform Module Basics: Using TPM in Embedded Systems," by Steven Kinney, Chapter No. 03, Overview of the TPM Architecture, pp. 26.