Professional Documents
Culture Documents
Abstract— Vehicular ad-hoc networks (VANETs) have been geometric and accident notifications. Mobility and the self-
researched with regard to enhance driver’s safety and comfort. organization of the network structure are also main features
In VANETs, all vehicles share their status and road condi- of VANETs. Since vehicle- and road-related factors, such as
tions with neighboring nodes by periodically generating safety
messages. To provide reliable VANET services, message authenti- vehicle density and the presence of obstacles, may lead to
cation is an important feature. In particular, anonymous message unstable communications among vehicles, several studies have
authentication has attracted considerable interest, because peri- examined how to provide reliable communication [2], [3],
odic broadcast messages from a vehicle can be used to track its and [4].
location. Unfortunately, previously proposed anonymous message However, a flexible wireless environment and periodic
authentication protocols had serious practical shortcomings,
including high communication, authentication, and revocation broadcast messages on VANETs can also pose security threats,
costs, as well as reliability issues. Thus, in this paper, we propose including malicious data injection attacks, data replay attacks,
an anonymous authentication protocol based on a cooperative and location tracking. To thwart these attacks, many crypto-
authentication method. The proposed method does not require graphic methods have been proposed. Among them, privacy-
mode synchronization between cooperative and non-cooperative preserving message authentication is a fundamental issue in
authentication. In addition, we design a two-layer pseudo-identity
generation method and construct a key update tree for efficient VANETs, and many privacy-preserving protocols have been
revocation. Simulations show that our protocol does not result proposed in [5]–[19].
in packet losses caused by authentication overheads, even when Calandriello et al. [5] and Jung et al. [6] use pseudonym-
the vehicle density is 200/km2 . based authentication schemes to enable vehicles to remain
Index Terms— Anonymity, cooperative authentication, anonymous. However, in these schemes, distributing the revo-
vehicular Ad-hoc NETworks, revocation. cation list (RL) is time consuming because the RL is expected
to be large. According to [7], an RL should include infor-
mation related to 2.5 million pseudonyms if 100 OBUs are
I. I NTRODUCTION
revoked, and each OBU has 25,000 pseudonyms. The delay
be performed properly. In the protocol in [16] and [18], each and private key pairs is preloaded on an OBU to provide both
RSU, acting as a group manager, issues a group-member key message authentication and anonymity. Each private key is
for each vehicle, which means that RSUs can trace the trajec- used to sign beacon messages during a short predefined inter-
tories of vehicles. The protocol in [17] has revocation prob- val. However, managing the certificate revocation list (CRL)
lems related to the size of the RL, because it also uses a large is challenging, because revoking a vehicle’s certificate causes
number of pseudonyms to ensure privacy. Then, the methods a large number of pre-loaded certificates to be revoked. To
in [18] and [19] might not perfectly verify all messages, solve the problems with certificates, protocols using a large set
because authentication mode synchronization between cooper- of pseudo-identities have been proposed. Unfortunately, these
ative and non-cooperative methods presents a difficult problem protocols also have problems, in this case related to distribut-
owing to unpredictable road conditions. In other words, the ing large RLs. In [21], the size of the RL is reduced using a
cooperative authentication methods proposed in [18] and [19] hash chain. However, this method cannot be applied directly
are able to verify all messages only in the case of high to V2V communication because the RL should be periodically
vehicle density on the road; if the vehicle density is low, these distributed to, and managed by vehicles. The RL management
protocols may affect the reliability of authentication, because overhead, including updating and sorting the RL, can be an
it is possible for several messages to be considered valid additional burden on vehicles. To remove this overhead from
without authentication. These protocols can also be exploited vehicles, a two-layered pseudonym generation method using
by modification attacks on location information because they a hash chain has been proposed by [22]. This protocol also
select messages for verification based on location information. allows an unrevoked vehicle to update its own certificates
In addition, [7] and [19] use a group key distribution technique using a semi-trusted entity, such as an RSU, by adopting proxy
for efficient revocation. However, their group key distribution re-signature cryptographic technology. Although this method
methods have security problems, which are explained in detail does not require that vehicles perform RL management, three
in Sections II and V. bilinear pairing operations are performed on a vehicle to verify
In this paper, we introduce a reliable cooperative authentica- the certificates of neighboring nodes.
tion protocol that offers efficient revocation. Our contributions Group-signature-based approaches have also been pro-
are as follows. posed for anonymous message authentication in [9]–[11].
In [9] and [10], a vehicle must check the revocation status
A. Contributions of anonymous signatures to avoid verifying signatures from
revoked vehicles. Unfortunately, this method requires 3 × n
• To solve RL management problems (the distribution
bilinear pairing operations if there are n revoked vehicles
and renewal of RL) that originate from the use of
in the RL. The protocol in [11] also requires n bi-linear
pseudonyms, we design a two-layered pseudonym gen-
pairing operations. Thus, group signature-based approaches
eration method based on a keyed hash chain. The keyed
can cause long authentication delays. As another approach,
hash chain and two-layer pseudonym generation method
RSU-aided message authentication protocols have been pro-
can reduce the size of the RL and the management cost
posed for efficient authentication in [14]–[16]. The protocols
of the RL, respectively. In addition, we adopt a secure
in [14] and [15] require that RSUs authenticate all beacon
group key distribution protocol that can eliminate the RL
messages, which are generated from their own domain, and
distribution process between RSUs and OBUs.
report the authentication results to the vehicles in their own
• We propose a basic cooperative authentication method
domain. However, these protocols cannot work if RSUs do
that does not require authentication mode synchronization
not cover all areas. In [16], RSUs issue group keys to
between non-cooperative and cooperative authentication.
vehicles after authenticating them based on their real identities.
Furthermore, we extend our method to improve the
Although this method can reduce revocation costs, the location
authentication performance. In our simulation, we find
of a vehicle can be traced by an RSU. The batch verification
that the improved method does not result in message
method in [23] can also reduce the message authentication
losses, when the vehicle density is set to 200/K m 2, while
time. However, an additional operation is required to find
the message loss ratios of basic cooperative authentication
invalid signatures if a batch contains such signatures.
and non-cooperative authentication are about 25 % and
Recently, cooperative authentication protocols ([17]–[19])
37%, respectively.
and group key (GK) distribution protocols ( [7], [19]) were
The remainder of the paper is organized as follows: Related proposed for efficient authentication and revocation. The pro-
works are discussed in Section II. Section III introduces our tocols in [17]–[19] take advantage of the fact that each
network model and the requirements for our work. The pro- vehicle can cooperate in the message verification processes by
posed protocol is presented in Section IV. In Section V and VI, selectively verifying its received signatures and by reporting
we evaluate and compare our protocol to others in terms of its own verification results to neighboring vehicles, because
security and performance. Finally, Section VII concludes the vehicles in same area possess nearly the same set of messages.
paper. However, the protocols in [18] and [19] do not consider
how to synchronize the authentication mode among vehicles.
II. R ELATED W ORKS Mode synchronization between a non-cooperative authentica-
In order to construct secure VANETs, many studies focus on tion mode and a cooperative authentication mode is difficult,
security and privacy. In [20], a large set of anonymous public because the number of nodes in each vehicle’s communication
JO et al.: RELIABLE COOPERATIVE AUTHENTICATION FOR VEHICULAR NETWORKS 1067
if many group members exist. Moreover, the protocol in [27] all messages should be transmitted without being
has a security flaw, which is described in [28]. changed, and each message should be verified, to confirm
its origin.
III. S YSTEM M ODEL AND R EQUIREMENTS • Conditional privacy preservation: Beacon messages,
including a vehicle’s location, may be used for illegal
In this section, we present the system model and the
tracking. Thus, the real identity of a vehicle should be
requirements for the proposed protocol.
hidden (anonymity) and unlinkable (unlinkability) from a
receiver. On the other hand, the real identity of a vehicle
A. System Model should be traced and linkable by the TA (traceability) in
As shown in Fig. 1, the proposed system model for VANETs order to deal with exceptional situations, such as liability
consists of a TA, RSUs, and OBUs [29]. Their clocks are investigations.
assumed to be loosely synchronized using an existing method, • Revocation: When vehicle misbehavior is detected, the
such as GPS-based time synchronization. misbehaving vehicle(s) should be excluded from the
1068 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 19, NO. 4, APRIL 2018
B. Registration
In our protocol, the TA issues a large set of pseudo-
identities and corresponding secret keys to each vehicle during
a vehicle inspection [35]. These values must be delivered via a
secure channel, such as TLS or physical access channels. The
TA performs the following process to register each vehicle
(|| denotes concatenation):
Fig. 2. Overview of the proposed scheme.
1) A vehicle Vi sends its own IDVi to the TA.
2) Then, the TA generates a random value seedVi
and a revocation key RK Vi . It computes revocation
- TA Setup j
values RVi, j = H3,R K V (seedVi ) and RVi, j,k =
1) The TA randomly chooses a secret key x ∈ R Z p and i
Sig S K RSUi (T ||T i me R SUi ||ID R SUi ), and Cer t RSUi to its
own domain. When Vi passes by RSUi , it receives
this broadcast message at T W j and checks whether
the ID R SUi is new. If the ID R SUi is new, Vi validates
Cer t R SUi and Sig S K RSUi (T ||ID R SUi ) and performs time
synchronization with RSUi using T i me R SUi .
2) If the validation of Cer t R SUi and Sig S K RSUi (T ||ID R SUi )
is successful, Vi generates a random value, t ∈ Z p , and
computes T = t P, e = H2 (Ppub , P I Di,t wj , T , T, ci, j ),
and π = t − esi, j . Then, it computes a session
key κ = t T = t t P and performs encryption
E κ (P I Di,t wj ||ci, j ||π). Finally, Vi transmits a message,
including E κ (P I Di,t wj ||ci, j ||π) and T , to RSUi .
3) After receiving the message from Vi , RSUi computes
the session key κ = t T = tt P and decrypts the
message. Then, it checks whether RVi, j of P I Di,t wj is
included in the revocation list. If P I Di,t wj is not revoked,
P I Di,t wj , ci, j , T , and π are verified using the following
formula:
Fig. 4. Example of a logical key tree used for updates.
e = H2 (Ppub , P I Di,t wj , T , T, ci, j )
ci, j = H1(Ppub , P I Di,t wj , ci, j Ppub + e−1 (T − π P)).
at T W j (δ is a pre-defined system parameter). Then,
the TA broadcasts the revocation list to all RSUs at (3)
T W j . The RSU can update the revocation value RVi, j +1 4) If the verification is successful, RSUi assigns Vi as
from RVi, j using RK Vi and H3,key () at T W j +1 . Here, γ
a leaf node L Nα of the update key tree in the fol-
RVi, j −δ is used for the group key update, which is lowing order: 1 ≤ γ ≤ 2h , 1 ≤ α ≤ n where
explained in the next section. h is the height of a b-tree, and n is the number of
2) Revocation List Checking nodes in a n-tree. Then, RSUi forms a set, includ-
In T W j , given PIDti,wj = TW j || E t k (IDi ⊕ RVi, j ) ing update keys, composed of two parts, BU K h,β ∗
||RVi, j , from Vi , an RSU checks whether the RVi, j γ
and NU K α,∗ (obtained using Algorithms 1 and 2).
exists in the revocation list. If the revocation list includes An example of an update key set is shown in Fig. 4.
RVi, j , PIDti,wj is considered to be the revoked pseudo- Finally, RSUi generates E κ (G K ||BU K h,β ∗ ||NU K γ )
α,∗
identity. ∗ ||NU K γ )), and
and Sig S K RSUi (T ||E κ (G K ||BU K h,β α,∗
transmits these values to Vi .
D. Generation and Distribution of 5) After receiving T , E κ (G K ||BU K h,β ∗ || NU K γ ),
α,∗
Group Key and Update Keys ∗ γ
and Sig S K RSUi (T ||E κ (G K ||BU K h,β || NU K α,∗ )), Vi
- Generation of a Group key & Update keys ∗ ||NU K γ )).
verifies Sig S K RSUi (T ||E κ (G K ||BU K h,β α,∗
1) The TA generates a group key G K , which it periodically If the verification is successful, Vi decrypts
∗ ||NU K γ ) to obtain the group
E κ (G K ||BU K h,β
transmits to all RSUs via a secure channel. The lifetime α,∗
key G K and the sets of update keys, BU K h,β ∗ and
of a G K is a system parameter.
γ
2) Then, each RSU generates update keys, which will be NU K α,∗ .
used to transmit a new G K . These keys are assigned After the key distribution, RSUi stores the pair (P I Di,t wj
to vehicles, in order, that pass by the domain of the γ
and L Nβ ) in its database. If there are transmission errors, a
RSU. In the process of generating update keys, the vehicle should send a re-transmission request to RSUi .
RSU constructs an update tree using a b-tree (height
= h) and n-trees using Algorithms 1 and 2 to reduce
the transmission overheads of the encrypted broadcast E. Message Authentication for V2V
message, which includes a new G K . (Algorithm 2 is In this section, we propose our cooperative message authen-
based on the C-Basic Chain scheme in [37].) Fig. 4 tication protocol.
shows an example of tree construction. - Generation of Beacon Messages
- Distribution of a Group Key and Update Keys Each vehicle periodically broadcasts a beacon message. In our
When Vi meets a new RSU, a key distribution process between protocol, both a signature algorithm [38] and a message
Vi and the RSU is performed, as follows: authentication code algorithm are applied to each beacon
1) RSUi generates a random value t ∈ Z p and com- message. The detailed processes are described as follows:
putes T = t P and Sig S K RSUi (T ||ID R SUi ). Then, RSUi 1) In time slot T S j,k , a non-revoked vehicle Vi generates
periodically broadcasts its own ID R SUi , T i me R SUi T , a beacon message Mi . Then, Vi chooses a random
JO et al.: RELIABLE COOPERATIVE AUTHENTICATION FOR VEHICULAR NETWORKS 1071
Algorithm 4: Generate NU K N with the non-expired keys obtained from Algorithm 3 in order
Input : Rev_info, n-ary tree, the height of b-tree (h), to broadcast this encrypted value to non-expired vehicles that
the length of hash chain (c) have already had expired keys. The non-expired vehicles can
update the expired keys using an XOR operation with the
Output: The set of non-compromised keys NU K N update parameter. In future studies, an algorithm that balances
the key trees, as accomplished by the algorithm in [39], should
for γ ← 1, 2h do be applied to the proposed method to minimize the cost of the
γ γ
Find disjoint intervals (Iα1 ,α1 , . . . , Iαm ,αm ) group key renewal process.
An interval consists of non-revoked vehicles in the n-ary
tree V. S ECURITY A NALYSIS
(The union of all disjoint intervals covers all A. Message Integrity and Source Authentication
non-revoked nodes)
In our protocol, each vehicle sends the signature
R = r P, ci, j,k = H1(Ppub , P I Di,t sj,k , Ri, j,k ), and
If there is a length of intervals > c
partition those intervals into several disjoint π = r − esi, j,k (e = H2 (Ppub , P I Di,t sj,k , M, R, ci, j,k )) for a
sub-intervals using c beacon message to its neighbor. By verifying the signature,
(the length of the last sub-interval is less than c) the receiver can ensure both the integrity and the origin
of the message. If an adversary wants to forge the signa-
γ γ
NU K N ← (NU K α1 ,β1 , . . . , NU K αm ,βm ) ture, he/she must obtain si, j,k from π. This means that the
end for adversary must compute r from R to obtain si, j,k . However,
this violates the elliptic curve discrete logarithm problem1
return NU K N (ECDLP). Another attack approach is to find a collision
pair of H2 (), such as H2(Ppub , P I Di,t sj,k , M, R, ci, j,k ) =
H2(Ppub , P I Di,t sj,k , M , R, ci, j,k ) (M = M ). However, H2(),
the cryptographic hash function, is assumed to be secure
- Renewal of Update Keys against collision attacks. Thus, our protocol provides message
If all update keys in the update tree are assigned to vehi- integrity and source authentication.
cles, the RSUs should update the b-tree and n-ary trees to
accommodate new vehicles. First, RSUi removes the oldest B. Conditional Privacy Preservation
n-ary tree and generates a new n-ary tree. Then, it finds all
• Anonymity and unlinkability
keys in the b-tree that existed in parent nodes of the removed
Anonymity: In our protocol, each vehicle uses its own
n-ary tree. Because these keys are considered to be expired
pseudo-identities to sign beacon and report messages.
keys, RSUi generates a new update parameter and performs
an XOR operation between the expired keys of the b-tree with 1 Given two points, P and x P, on an elliptic curve E, find x, where x ∈
the new parameter. Additionally, RSUi encrypts the parameter Z ∗ p, and p is a large prime order in E.
1074 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 19, NO. 4, APRIL 2018
E. Availability
The protocols in [17]–[19] and our protocol can improve
the efficiency of the authentication by employing cooperative
authentication. Specifically, the protocols in [18] and [19] use
location information to evenly distribute the authentication
load. In these protocols, a receiver computes the distance to
the message senders using location information in the received
beacon message. Next, the receiver attempts to determine Fig. 7. Roadmap for simulation.
whether it is the verifier of the message by comparing the
distance values of its neighbors. However, the verifier selection
vehicles in the RL. The protocol of [18] using a different
algorithm based on location information can be exploited by a
group signature algorithm also requires 2 × n bilinear pair-
modification attack on the location information. For example,
ing operations. According to our implementation result, their
as shown in Fig. 6, vehicle D sends as many malicious
revocation processes take roughly 11 minutes and 7.3 minutes,
location messages to vehicle A as possible; it uses different
respectively, if 10, 000 vehicles are revoked. In anonymous
location information for each beacon message for its own
authentication in [5], [6], and [17], revocation requires RL
modified message to be selected as verification targets by
management overhead because the size of the RL increases
vehicle A. This attack can cause vehicle A to consume its own
linearly with both the number of pseudo-identities, which are
computation power verifying malicious messages. Thus, this
assigned one vehicle, and the number of revoked vehicles.
modification attack can affect the availability of authentication
To remove the RL management overhead from vehicles, a self-
protocols of [18] and [19]. In contrast, our protocol and the
pseudonym generation method using a proxy re-signature
protocol in [17] are secure against modification attacks on
algorithm is proposed in [22]. Although this method does
location information because these protocols randomly select
not require that vehicles perform RL management, vehicles
target messages for verification.
should perform three bilinear pairing operations to check
revocation. Furthermore, RSUs should generate all revoked
VI. P ERFORMANCE E VALUATION pseudo-identities of a revoked vehicle at once. If a vehicle Vi
In this section, we present the time required to perform is revoked and it has l pseudo-identities, RL includes a 4-tuple
a point multiplication and a bilinear pairing operation on an < n, m, Si,n
1 , S2
i,l−m+1 >, where n and m indicate the start and
elliptic curve, and evaluate our protocol performance using end times of a revocation period for Vi , and Si,n1 and S 2
i,l−m+1
the Pairing-Based Cryptography Library (PBC) [40] and the are the seed values used for generating Vi ’s revoked-identities.
Network Simulator (NS2) [41]. We divide the performance Then, the RSUs should compute all pseudo-identities from n
evaluation into three parts: 1) revocation, 2) group key distri- to m, P I Di,k (n ≤ k ≤ m), in advance, because pseudo-
bution and update, and 3) V2V communication authentication. identities are calculated from P I Di,k = h(Si,k 1 ⊕ S2
i,l−k+1 ),
- Implementation where Si,k = h (Si,n ) and Si,l−k+1 = h m−k (Si,l−m+1
1 k−n 1 2 2 )
We implement a point multiplication and bilinear pairing (h() is a cryptographic hash function). In other words, since
operation on an elliptic curve to measure the operation 2
Si,l−k+1 = h m−k (Si,l−m+1
2 ) is a reverse hash chain, computing
time. Measurement is conducted on an Intel Core i5-2500 2
the first value of Si,l−n+1 requires computing all values of
(at 3.3 GHz). In our implementation, the times required to 2
Si,l−k+1 (n + 1 ≤ k ≤ m).
perform a point multiplication (Tmul ) and bilinear pairing However, in our protocol, we use a group key based
(T par ) operation on an elliptic curve are 1.95 ms and 22 ms, revocation method, which only requires MAC operations for
respectively (using the Type F parameters of the PBC library). checking revocation. In addition, our method can update a
Lightweight operations, such as the cryptographic hash func- revocation list by keyed-hash operations whenever an update is
tion, are ignored, because they are negligible compared to the needed. This does not require that the RSUs generate and store
measured operations. all revoked pseudo-identities of a revoked vehicle in advance.
Thus, our method is more efficient than the existing methods
A. Evaluation of Revocation Overhead in [5], [6], [9], [10], [17], [18], [21] and [22].
It is important to check a revocation list before verifying
signatures. This means that checking a revocation list must B. Evaluation of Group Key Distribution and Update
also be performed efficiently. - Group Key Distribution
Revocation using a group signature algorithm in [9] and [10] In our protocol, the RSUs distribute the G K to non-revoked
requires 3 × n bilinear pairing operations if there are n revoked vehicles in their own domains. To evaluate the performance
1076 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 19, NO. 4, APRIL 2018
TABLE IV [3] H. Alshaer and E. Horlait, “An optimized adaptive broadcast scheme for
C OMPARISON OF C OOPERATIVE AUTHENTICATION P ROTOCOLS inter-vehicle communication,” in Proc. IEEE 61th Veh. Technol. Conf.
(VTC-Fall), vol. 5. May 2005, pp. 2840–2844.
[4] H. Alshaer, “Securing vehicular ad-hoc networks connectivity with road-
side units support,” in Proc. IEEE 8th GCC Conf. Exhibit. (GCCCE),
Feb. 2015, pp. 1–6.
[5] G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, “Efficient
and robust pseudonymous authentication in VANET,” in Proc. 4th
ACM Int. Workshop Veh. Ad Hoc Netw., New York, NY, USA, 2007,
pp. 19–28.
[6] C. D. Jung, C. Sur, Y. Park, and K.-H. Rhee, “A robust conditional
privacy-preserving authentication protocol in VANET,” in Security and
Privacy in Mobile Information and Communication Systems (Lecture
Notes of the Institute for Computer Sciences, Social Informatics and
Telecommunications Engineering), vol. 17. Berlin, Germany: Springer,
2009, pp. 35–45.
[7] A. Wasef and X. Shen, “EMAP: Expedite message authentication
protocol for vehicular ad hoc networks,” IEEE Trans. Mobile Comput.,
vol. 12, no. 1, pp. 78–89, Jan. 2013.
According to Table IV, the protocols in [18] and [19] suf- [8] P. Vijayakumar, M. Azees, A. Kannan, and L. J. Deborah, “Dual authen-
tication and key management techniques for secure data transmission in
fer from the mode synchronization problem and location vehicular ad hoc networks,” IEEE Trans. Intell. Transp. Syst., vol. 17,
modification attacks. In these protocols, RSUs can also link no. 4, pp. 1015–1028, Apr. 2016.
vehicle’s pseudo-identities. Although the protocol in [17] does [9] X. Lin, X. Sun, P.-H. Ho, and X. Shen, “GSIS: A secure and privacy-
not suffer from the mode synchronization problem or the preserving protocol for vehicular communications,” IEEE Trans. Veh.
Technol., vol. 56, no. 6, pp. 3442–3456, Nov. 2007.
location modification attack, it does suffer from the revocation [10] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, “A scalable
management problem. The revocation management overhead, robust authentication protocol for secure vehicular communications,”
which includes updating and sorting revocation lists, can be an IEEE Trans. Veh. Technol., vol. 59, no. 4, pp. 1606–1617, May 2010.
[11] L. Zhang, Q. Wu, B. Qin, J. Domingo-Ferrer, and B. Liu, “Practical
additional burden on vehicles, because every revoked vehicle secure and privacy-preserving scheme for value-added applications in
has a large set of pseudo-identities. In addition, the protocol VANETs,” Comput. Commun., vol. 71, pp. 50–60, Nov. 2015.
in [17] suffers packet losses when the vehicle density is [12] F. Wang, Y. Xu, H. Zhang, Y. Zhang, and L. Zhu, “2FLIP: A
200/km 2, as shown in Fig. 11, because it does not provide two-factor lightweight privacy-preserving authentication scheme for
VANET,” IEEE Trans. Veh. Technol., vol. 65, no. 2, pp. 896–911,
the delayed authentication mode. Thus, we believe that our Feb. 2016.
proposed protocol is an effective option for message authen- [13] P. Vijayakumar, M. Azees, and L. J. Deborah, “CPAV: Computation-
tication in VANETs. ally efficient privacy preserving anonymous authentication scheme for
vehicular ad hoc networks,” in Proc. IEEE 2nd Int. Conf. Cyber Secur.
Cloud Comput., Nov. 2015, pp. 62–67.
VII. C ONCLUSION [14] Y. Jiang, M. Shi, X. Shen, and C. Lin, “BAT: A robust signature scheme
for vehicular networks using binary authentication tree,” IEEE Trans.
We proposed an anonymous message authentication proto- Wireless Commun., vol. 8, no. 4, pp. 1974–1983, Apr. 2009.
col for the safe transmission of messages in VANETs. For [15] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, “RAISE: An efficient RSU-aided
efficient authentication, we adopted a cooperative authenti- message authentication scheme in vehicular communication networks,”
cation technique. Although several cooperative authentication in Proc. ICC, May 2008, pp. 1451–1457.
[16] J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authenti-
protocols are based on failure reports for efficiency, we chose cation protocol for VANETs,” IEEE Trans. Veh. Technol., vol. 65, no. 3,
the success report based on the cooperative authentication pp. 1711–1720, Mar. 2016.
method. The benefit of using the success report is that there is [17] X. Lin and X. Li, “Achieving efficient cooperative message authentica-
tion in vehicular ad hoc networks,” IEEE Trans. Veh. Technol., vol. 62,
no synchronization problem between the non-cooperative and no. 7, pp. 3339–3348, Sep. 2013.
cooperative modes. Using a security analysis and simulation, [18] Y. Hao, Y. Cheng, C. Zhou, and W. Song, “A distributed key manage-
we find that our protocol does not require mode synchroniza- ment framework with cooperative message authentication in VANETs,”
tion, nor does it result in message losses, even when the vehicle IEEE J. Sel. Areas Commun., vol. 29, no. 3, pp. 616–629, Mar. 2011.
[19] X. Zhu, S. Jiang, L. Wang, and H. Li, “Efficient privacy-preserving
density is set to 200/km 2 . In addition, we can reduce the over- authentication for vehicular ad hoc networks,” IEEE Trans. Veh.
head of RL management using two-layered pseudo-identities. Technol., vol. 63, no. 2, pp. 907–919, Feb. 2014.
Furthermore, we presented a key management architecture for [20] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”
J. Comput. Secur., vol. 15, no. 1, pp. 39–68, 2007.
efficient revocation. Using a binary tree and an n-ary tree can [21] H. J. Jo, J. H. Paik, and D. H. Lee, “Efficient privacy-preserving authen-
reduce the transmission size of update messages for a new tication in wireless mobile networks,” IEEE Trans. Mobile Comput.,
group key. In future, we will design a novel key management vol. 13, no. 7, pp. 1469–1481, Jul. 2014.
framework, including self-healing functionality to preserve the [22] Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su, “An efficient pseudony-
mous authentication scheme with strong privacy preservation for vehic-
success of group key updates, even when there are vehicles ular communications,” IEEE Trans. Veh. Technol., vol. 59, no. 7,
that miss the update messages. pp. 3589–3603, Sep. 2010.
[23] P. Vijayakumar, S. Bose, and A. Kannan, “Improved HARN batch digital
signature algorithm for multicast authentication,” J. Discrete Math. Sci.
R EFERENCES Cryptography, vol. 17, nos. 5–6, pp. 435–442, 2014.
[1] Dedicated Short Range Communications (DSRC) Home, accessed on [24] W. Du and M. He, “Self-healing key distribution with revocation and
Jun. 13, 2017. [Online]. Available: http://www.its.dot.gov/dsrc/ resistance to the collusion attack in wireless sensor networks,” in
[2] H. Alshaer and E. Horlait, “Emerging client-server and ad-hoc approach Provable Security (Lecture Notes in Computer Science), vol. 5324,
in inter-vehicle communication platform,” in Proc. IEEE 60th Veh. J. Baek, F. Bao, K. Chen, and X. Lai, Eds. Berlin, Germany: Springer,
Technol. Conf. (VTC-Fall), vol. 6. Sep. 2004, pp. 3955–3959. 2008, pp. 345–359.
JO et al.: RELIABLE COOPERATIVE AUTHENTICATION FOR VEHICULAR NETWORKS 1079
[25] P. Vijayakumar and M. Azees, “CEKD: Computationally efficient key [40] PBC (Pairing-Based Cryptography) Library, accessed on Jun. 13, 2017.
distribution scheme for vehicular ad-hoc networks,” Austral. J. Basic [Online]. Available: http://crypto.stanford.edu/pbc/
Appl. Sci., vol. 10, no. 2, pp. 171–175, 2016. [41] The Network Simulator—NS-2, accessed on Jun. 13, 2017. [Online].
[26] P. Vijayakumar, S. Bose, and A. Kannan, “Chinese remainder theorem Available: http://www.isi.edu/nsnam/ns/
based centralised group key management for secure multicast commu- [42] M. Boban, G. Misek, and O. K. Tonguz, “What is the best achievable
nication,” Inf. Secur., vol. 8, no. 3, pp. 179–187, May 2014. QoS for unicast routing in VANETs?” in Proc. IEEE GLOBECOM
[27] P. Vijayakumar, S. Bose, and A. Kannan, “Centralized key distribution Workshops, Nov. 2008, pp. 1–10.
protocol using the greatest common divisor method,” Comput. Math. [43] H. J. Huang and J. Wang, “Vehicle density based forwarding protocol
Appl., vol. 65, no. 9, pp. 1360–1368, 2013. for safety message broadcast in VANET,” Sci. World J., vol 2014,
[28] A. Peinado, Flaws in the Application of Number Theory in Key Distri- Art. no. 584164, Jul. 2014.
bution Schemes for Multicast Networks. Cham, Switzerland: Springer,
2016, pp. 181–187.
[29] M. Azees, P. Vijayakumar, and L. J. Deborah, “Comprehensive survey
on security services in vehicular ad-hoc networks,” IET Intell. Transp. Hyo Jin Jo received the B.S. degree in indus-
Syst., vol. 10, no. 6, pp. 379–388, 2016. trial engineering and the Ph.D. degree in informa-
[30] L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, “Privacy- tion security from Korea University, Seoul, South
preserving vehicular communication authentication with hierarchical Korea, in 2009 and 2016, respectively. He is a
aggregation and fast response,” IEEE Trans. Comput., vol. 65, no. 8, Post-Doctoral Researcher with the Department of
pp. 2562–2574, Aug. 2016. Computer and Information System, University of
[31] U. Khan, S. Agrawal, and S. Silakari, “A detailed survey on misbehavior Pennsylvania, Philadelphia, PA, USA. His research
node detection techniques in vehicular ad hoc networks,” in Information interests include cryptographic protocols in authen-
Systems Design and Intelligent Applications, vol. 339. New Delhi, India: tication, applied cryptography, security and privacy
Springer, 2015, pp. 11–19. in ad hoc networks, and smart car security.
[32] N. Kumar and N. Chilamkurti, “Collaborative trust aware intelligent
intrusion detection in VANETs,” Comput. Electr. Eng., vol. 40, no. 6,
pp. 1981–1996, 2014.
[33] K. Kostiainen, N. Asokan, and J.-E. Ekberg, “Practical property-based In Seok Kim received the B.S. degree in computer
attestation on mobile devices,” in Trust Trustworthy Computing (Lecture science from Hongik University, Seoul, in 1973;
Notes in Computer Science), vol. 6740, J. M. McCune, B. Balacheff, the M.S. degree in information security from the
A. Perrig, A.-R. Sadeghi, A. Sasse, and Y. Beres, Eds. Berlin, Germany: Graduate School of Information Security, Dong Guk
Springer, 2011, pp. 78–92. University, Seoul, in 2003; and the Ph.D. degree
[34] W. Xu, X. Zhang, H. Hu, G.-J. Ahn, and J.-P. Seifert, “Remote attestation in information security from the Graduate School
with domain-based integrity model and policy analysis,” IEEE Trans. of Information Security, Korea University, in 2008.
Depend. Sec. Comput., vol. 9, no. 3, pp. 429–442, May 2012. He is a Professor with the Graduate School of
[35] A. Studer, E. Shi, F. Bai, and A. Perrig, “TACKing together effi- Information Security, Korea University. His research
cient authentication, revocation, and privacy in VANETs,” in Proc. interests include security information in electronic
6th Annu. IEEE Commun. Soc. Conf. Sensor, Mesh Ad Hoc Commun. financial services.
Netw. (SECON), Jun. 2009, pp. 1–9.
[36] Q. Wang, P. Fan, and K. B. Letaief, “On the joint V2I and V2V
scheduling for cooperative VANETs with network coding,” IEEE Trans. Dong Hoon Lee (F’06) received the B.S. degree
Veh. Technol., vol. 61, no. 1, pp. 62–73, Jan. 2012. from the Department of Economics, Korea Univer-
[37] J. H. Cheon, N. S. Jho, M. H. Kim, and E. S. Yoo, “Skipping, cascade, sity, Seoul, in 1985, and the M.S. and Ph.D. degrees
and combined chain schemes for broadcast encryption,” IEEE Trans. in computer science from University of Oklahoma,
Inf. Theory, vol. 54, no. 11, pp. 5155–5171, Nov. 2008. Norman, in 1988 and 1992, respectively. He is a
[38] R. W. Zhu, G. Yang, and D. S. Wong, “An efficient identity-based key Professor with the Graduate School of Information
exchange protocol with KGS forward secrecy for low-power devices,” Security, Korea University. His research interests
Theor. Comput. Sci., vol. 378, no. 2, pp. 198–207, 2007. include the design and analysis of cryptographic
[39] P. Vijayakumar, S. Bose, and A. Kannan, “Rotation based secure protocols.
multicast key management for batch rekeying operations,” Netw. Sci.,
vol. 1, no. 1, pp. 39–47, 2012.