Secure Revocable Anonymous Authenticated Inter ... - CiteSeerX

Secure Revocable Anonymous Authenticated Inter-Vehicle Communication (SRAAC) Lars Fischer∗, Amer Aijaz†, Claudia Eckert∗, and David Vogt∗ November 13-15, 2006

Abstract

system warns the driver if the distance from the vehicle ahead decreases suddenly, as e. g. in case of emergency braking [PL06]. Such radar or camera based systems, allow On-Board-Units of vehicles to collect information about its immediate surroundings. With help of a vehicle-to-vehicle wireless communication system, vehicles could form vehicular ad-hoc networks (VANET) in order to communicate among themselves. Thereby vehicles will be warning each other of dangers. Encouraged by this potential of inter-vehicle communication, car manufacturers in US [US 05] and Europe1 have formed cooperative alliances and are working together with standardization bodies like IEEE, ISO, SAE, ASTM2 in order to define an inter-vehicle communication standard. Such a standard cannot be developed without considering security. Besides authenticity and trustworthiness of a safety message more complicated topics like privacy have to be addressed. Vehicle drivers have to be protected from unauthorised extraction of personal data from safety messages. The vehicle itself shall be untraceable within the network and missuse by single parties has to be prevented. Similar argumentation can be found in [Doe05]. Therefore, the safety message system proposed herein has to ensure that there will be at most as much personal information to be gained from the network as from the real world, without VANETs. The main focus is the enforcement of the many-eye principle for revocation of privacy. Other safety message systems do not fulfil those privacy requirements. Problems of the concept of

Modern vehicles have become aware of safety hazards in their immediate surroundings detected by sensors and camera systems. Vehicle manufacturers are currently working on inter-connecting vehicles with wireless communication technologies, for that vehicles are able to exchange traffic safety related information. That way a vehicle could be warned about danger situations detected by sensors of far away vehicles. Even though, wireless inter-networking among vehicles offers a high potential for saving lives, consumer acceptance of this technology might strongly depend on privacy considerations. This paper identifies the unresolved privacy issues within the concept of the IEEE WAVE group and enhances it with solutions learned from anonymous E-cash payment systems.

1 Introduction Over the past two decades, the automobile industry has delivered technologies that have made modern vehicles environment-friendlier, reliable and above all safer. Thanks to efficient braking systems like ABS and ESP [HPF05] many lives are saved every year. Special camera-options are available for vehicles today that help drivers see blinded obstacles while reversing, parking or driving in the dark. Most recently, upper class vehicles are offering a head-distance controlling radar system. This ∗ Darmstadt University of Technology, Department of Computer Science, IT Security Group, D-64289 Darmstadt, Germany, [email protected] † Volkswagen AG Research Group, Automotive Electronic Systems Department, P.O. Box 1776, D-38436 Wolfsburg, Germany, [email protected]

1 Car

2 Car Communication Consortium (C2CC) http:// www.car-to-car.org/ (July 26th 2006) 2 http://grouper.ieee.org/groups/scc32/dsrc/ namerica/index.html (July 26th 2006)

1

the IEEE WAVE group [US 05, Appendix H] will be discussed in this paper. From the WAVE concept a new proposal has been developed that fulfils the requirements. This concept is called Secure Revocable Anonymous Authenticated Inter-Vehicle Communication (SRAAC) is introduced in the remainder of the paper.

and is thus able to identify all certificates of a vehicle. The main focus of this paper is to reduce the danger of misuse by a single compromised authority and enforce the many-eye principle for revocation of privacy.

2.1 Security Objectives 1.1 Outline

Before a protocol can be designed attacker models The paper is organised as follows: First the sce- and security objectives in VANETs have to anaan analysis can be found in [RPH06] nario and objectives are described in section 2. In lyzed. Such + section 3 we point to problems within existing solu- or [ABD 06]. Following objectives describe the fotions. In section 4 our approach to these problems cus of the protocol described within this paper. is described. Followed by a discussion in section 5 and a conclusion in section 6. Authenticity and Isolation The risk of misuse of a safety message system can be assessed as high due to the serious damage that might be inflicted by attacks. The first directive for any 2 Scenario C2C-communication scheme therefore is, that evA general scenario for authenticated traffic safety ery safety message has at least to be authenticated. messages is often described as follows: Vehi- As trust in the correctness of messages is rooted in cles carrying On-Board-Units (OBU) are exchang- trust in the manufacturers this relation has to be ening traffic safety messages, e.g. emergency brake, or sured by authentication. As vehicles and OBU may dangerous road condition. The message normally break and malfunction, misbehaving OBU must be includes positional data of the sending vehicle. isolated from the communication network. There The OBU is produced by a car manufacturer and must be a upper boundary for the maximum time equipped with an OBU Certificate for authenti- until any faulty OBU is isolated from the network, cation. The OBU itself has to be build tamper- this boundary is herein called isolation time interval. resistant. With the OBU Certificate the OBU can authen- Non-Interactivity and Low Overhead Because ticate itself at a certification authority (CA) and of the high speed and therefore short duration request Inter-Vehicle Communication Certificates within which communication between two cars (IVC Certificate). IVC Certificates are used for au- is possible, the communication has to be nonthentication of safety messages. Thus trustworthi- interactive and message overhead has to be very ness of safety messages is rooted in trust in the low. The urgency of safety messages implies that manufacturer. We assume that the CA has knowl- authentication must be instantly without addiedge of the mapping between OBU Certificate, IVC tional communication. Certificates and vehicle as well as vehicle owner. E. g. the CA is some governmental traffic agency. Messages are generally send together with the cer- Anonymity and Unlinkability Safety messages tificate to provide non-interactive communication include data that is dangerous to the personal privacy of vehicle owners. Most relevant is the danbetween vehicles. ger of tracking a vehicle through positional inforBy using different IVC Certificates for different mation and linkable pseudonyms3 . Thus, while messages, the messages become unlinkable to each preserving the security goals mentioned above, a other for anybody but the CA. Misbehaving OBU scheme has to provide privacy of vehicles and their can be isolated from the network by Certificate Re3 See [PH06] for a precise definition on terms related to vocation Lists (CRL). Besides, the CA as a single entity has complete knowledge about certificates anonymity. 2

3.1 Security Problems with WAVE

drivers. In detail, it must be provided that vehicle drivers are anonymous within the network. This includes that messages are unlinkable to each other. Moreover a driver should not be linkable to a vehicle and the messages it sends by a single authority to prevent misuse.

To provide unlinkability of messages WAVE introduces a special key k to generate each batch of keys from. The encryption function used to generate the IVC-keys from is choosen weak to allow for the authorities to break the unlinkability for single certificates. The first problem we have with WAVE is this protection of unlinkability of messages by only weak encryption. This renders the access control a simple question of computing power which is why we deem this practice unwise. The second problem of WAVE is its dependence on a single certification authority which issues all anonymous certificates and could easily link certificates and vehicles. This produces a situation where a single authority is able to link messages to vehicles even if certificates are changed frequently. Hence a single CA is technically able to trace individual vehicles from messages send by those vehicles alone. By doing so, the CA is potentially able to bypass legal permissions to revoke privacy. This is not only an organizational issue as we are able to enforce a many-eyes policy for privacy revocation which had to be enforced otherwise by legal instruments. The third problem we have with WAVE is the memory and bandwidth consumption for the OBU through usage of a certificate revocation list (CRL). For ∆trevo being the time interval between CRL broadcasts5 and m the number of IVC Certificates stored at any time at an OBU. We can calculate the memory and bandwidth consumption at the OBU as follows:

Revocable Privacy In case of emergencies and investigations of malicious or criminal behaviour of single subjects, legal authorities must be able to link messages to a OBU and the OBU to the vehicle owner. To prevent missuse by a single authority, enforcement of a multi-eye-principle has to be implemented.

3 Related Work Besides the authentication based approach that is followed in this paper reputation based approaches have been followed. [DFM05] and [JW04] are two examples. Although concepts for estimation of trustworthiness have been given, privacy has not been addressed. Security requirements, including privacy, have been analyzed for example in [RPH06] and [Doe05]. But proposals for communication schemes that do provide secure and private communications in VANETs are scarce. The Vehicle Safety Communication Consortium [US 05] made an initial proposal for an intervehicle wireless communication system: Wireless Access for the Vehicular Environment (WAVE). This proposal is now being pursued further by the IEEE 802.11p WAVE Task Group4 . The proposal studied various aspects of wireless communication and outlined changes needed in the IEEE 802.11 standard in order to support communication among fast moving vehicles. It was clear from this study that traffic dynamics allow vehicles very short time to send very short messages, limiting the security overhead to a bare minimum. Because our proposal described in section 4 is a further development of the work done in the WAVE Task Group, we shall briefly discuss our issues with WAVE.

MOBU

=

BOBU

=

mcertsize + staticdata + CRLsize (1) CRLsize (2) ∆trevo

At regular checks at the service station the OBU is provided with m IVC Certificates of size certsize through a secure line from the service station to the CA. To provide unlinkability of messages, each message has to be authenticated by a new, unused certificate. Thus m has to be chosen at least as large as the number of messages that will be send until the next service stop. The size of the CRL (CRLsize)

4 http://grouper.ieee.org/groups/802/11/Reports/ tgp_update.htm (July, 26th 2006)

5 ∆t revo is to be chosen smaller or equal the maximum isolation interval

3

against a single CA. But if an OBU sends wrong messages this anonymity has to be revocable by traffic authorities. SRAAC introduces a set of intermediate IVC certification servers (ICS) that are certified by the CA (see figure 1). Certificates are issued using MI-DSS that blinds IVC certificates, created by the OBU before the servers sign it. To have revocability a tag is generated that is linked to the vehicle and its owner. This tag is stored by the servers and can later be compared to a certificate attached to a faulty message if a revocation key xt is known.

linearly depends on the rate of faulty OBU to total number of OBU. staticdata denotes the size of other, static data, like the private key. OBU memory is more ”‘expensive”’ than memory in the CA because it has to conform to constraints for vehicle parts. This suggests a need to reduce the size of m and to remove the dependency from the total number of OBU included in the CRLsize. It is to be noticed that even with distributed CAservers each server has to store the complete CRL. Encouraged by these three problems, we studied WAVE for potential improvements. The resulting solution will be described in the following sections.

4 SRAAC-Protocol The proposed protocol can be divided into the parts OBU Registration, Certificate Issuance, Anonymity Revocation and the actual comunication including Signature and Verification of messages. We will first address the general concepts for privacy protection and dealing with malicious OBUs and then introduce the most important parts of the protocol. The protocol is described in detail in [Vog06]. Figure 1: Participants in Certification Scheme

4.1 Main Concepts

The key xt is protected by a (ts , n) shared secret scheme. Thus for revocation more than ts servers have to agree on the revocation. Revocation itself is allowed because a comparision of a tag and a certificate can be interpolated through the shared secret scheme without revealing xt . Isolation of an OBU from the network has to be undertaken, if a message can be proven to contain wrong or malicious information. This implies that either the vehicle’s sensors or the OBU are broken or that the vehicle is part of an attack. The OBU’s identity can be connected to the certificate within the message. The OBU then is isolated within a certain amount of time because IVC certificates are only valid for a certain time period and the OBU is identified and not issued new certificates. In summary anonymity of the vehicles driver is provided by separation of owner identity and vehicle/OBU identity. Traceability of a vehicle is prevented by severing the link between IVC certificates (thus messages) and the OBU certificates

To fulfill the objective of unlinkability each vehicle is provided with a large set of certificates, similar to the WAVE concept. To implement the objectives of anonymity and many-eye anonymity revocation magic-ink signatures with shared secrets are used. Jakobson’s magic-ink signatures with DSS (MI-DSS*) are described in [Jak97] and Shamir’s shared secrets are explained in [Sha79]. Similar to WAVE the linkability of messages is prevented by issuance of a large number of IVC certificates to the OBU. The OBU thus is able to change certificates frequently enough to be untraceable even if positional data is included in the messages. The calculation of the exact number of IVC certificates needed is out of scope of this paper. IVC certificates are issued periodically and are valid only for a considerable short time period. Revocable Anonymity combines the objectives of anonymity and revocable privacy. An OBU, during normal operations, has to be anonymous even 4

by way of blind signatures. The linkability of the messages of a vehicle is prevented by frequently changing the IVC certificates used for authentication.

tication of safety messages. The IVC has to be signed with the private part x of the DSS key (x, y) known to all ICS. The public part is known to every OBU. OBU Certification consists of two parts: First the OBU authenticates itself against the Identity Authority which authorizes the OBU to request IVC Certificates from the IVC Certification Servers. During authentication tickets are provided to the OBU that authenticate the OBU against the ICS and provide session keys to protect the communication of OBU and ICS. Safety Communication includes the selection of a valid IVC Certificate to authenticate the communication and the message broadcast. With every message the related IVC Certificate is broadcasted, to provide non-interactive communication. The receivers of a safety message validate the certificate which is (blindly) signed with the private key of the ICS. The corresponding public key has to be known to every OBU. Afterwards the signed message is validated. For simplicity reasons this paper includes only detailed descriptions of OBU Certification and Anonymity Revocation as the most interesting parts of the protocol.

4.2 Protocol Overview The Certificate Authority (CA) remains the trust anchor and signs the certificates of the Privacy Authority (PA) and the Identity Authority (IA), which in turn constitute the certification infrastructure for the On-Board-Units (OBU). The IA sets up trust relations with the OBU Authorities that equip the OBUs with OBU Certificates. The secret signing key used for IVC Certification is shared by means of Secret Sharing amongst multiple IVC Certification Servers (ICS) provided by the IA and PA. (See figure 1.) The proposed protocol consists of four parts depicted in figure 2: OBU Registration, OBU Certification, Anonymity Revocation and Safety Communication. (Safety Comunication itself consists of the two parts message generation and reception.)

4.3 OBU Certification At regular time intervals an OBU has to trigger OBU Certification to obtain new certificates to authenticate its messages with. A central part of the protocol is the issuance of new certificates. Certificates are issued, using magic-ink blind signatures from a shared secret between privacy and identity authorities. This procedure ensures that (a) safety messages are authenticated and the source can be identified by the authorities (b) the drivers anonymity is guaranteed and messages are unlinkable (c) anonymity can be revoked, malicious OBUs can be isolated and (d) revocation and isolaFigure 2: Protocol Overview tion are secured against a certain number of malicious authorities. (As described in section 4.1.) The vehicle registration includes OBU RegistraDescribed below is a protocol to distributedly tion. During this registration OBU Certificate and calculate an IVC certificate for an OBU through a Owner Identity are connected to each other in the quorum Q of n servers Si . Under normal conditions vehicle registration office’s database. The OBU is all available ICS are part of the quorum. provided with the OBU Certificate which then can In preparation of the following steps the OBU be used for OBU Certification. has been authenticated by the identity authority Main objective of the OBU Certification is to pro- and has established secret and protected commuvide the OBU with a IVC to be used for authen- nications with each server. Data on the values of 5

n, ts , g, p, q had been agreed upon by the servers and step 2 The servers calculate v and A by shared secommunicated to the OBU. ts ≤ n is the number of cret interpolation from the received vi and Ai −1 servers required to recover the anonymity revocaand send r = [Av ]p to the OBU. tion key xt . g, p, q are public parts in DSS where p is prime and has length l, where l is a multiple of step 3 The OBU wants a public key k ∈ Zq to be signed blindly by the servers. It generates 64 and 512 ≤ l ≤ 1024. q is a prime divisor of p − 1 randomly two blinding factors α, β ∈ Zq . Then and g is an element of order q in Zq . [Nat00] −β In figure 3 the communication pattern of this it computes r = [[r ]p ]q , µ = [kα]q and ρ = certificate generation is shown to clarify the fol[rα]q . Afterwards it sends each Si a share µi lowing description. An arrow to/from Si denotes a from a (ts , n) secret sharing scheme for µ with message to/from each server individually. ”‘all S”’ public information gµi and ρi of a (ts , n) secret denotes the broadcasts channel of the servers. sharing of ρ with public information hρi . See [CGMA85] for further reference on verifiable x mod y is denoted [x] y in the following calculations. secret sharings. By this the OBU enforces the privacy concepts described in section 4.1 by ensuring that every ICS knows only a share of xt and the IVC Certificate is blinded.

ISCs all S (vi , Ai )

Si

OBU r

step 4 Each server verifies its share by checking that (Mi , Ri ) = ([gµi ]p , [hρi ]p ). If any of the shares is not passing the verification the servers halt. Otherwise the quorum interpolates and stores tag = [(gµ , hρ )]q without revealing the individual shares. The blinded signature σ is generated by interpolation of σ = [k(µ + xρ)]q and send to the OBU.

(µi , ρi )

σ

Figure 3: Certificate Issuance Communication Before the protocol can be unrolled the servers have to generate an asymmetric key pair (x, y) where x is a shared secret between the servers and y the corresponding public key which is must be certified by the Certificate Authority. The protocol will generate a signed IVC Certificate (m, r, s) for the OBU to use in inter-vehicle communication with a corresponding tag tag for storage in a tag database. Further there will be a shared secret tagging key xt shared by the servers with corresponding public key h to protect mapping between tag and the corresponding IVC Certificate.

step 5 The OBU unblinds the signature by calculating s := [σα−1 β−1 ]q and verifies the triple (k, r, s) is a valid signature.6 The OBU now is in possession of a IVC Certificate signed by the authorities common DSS-key x. The ICS quorum knows tag related to some OBU. The next section explains how a tag can be related to a message.

4.4 Anonymity Revocation Each safety message includes the IVC Certificate corresponding to the signature. Certificate and message are related to each other. Anonymity Revocation enables the more than ts authorities to link IVC Certificates to tags stored during OBU Certification. The mapping from IVC Certificates to OBU Certificates can only be resolved through the tracking

step 1 In advance all Si have to randomly pick two random secrets k, a from two distinct (tn , n) secret sharing schemes in Zq [Sha79] with shares ki , ai . Additionally two zero-sharings (2ts, n) and (3tn , n) are calculated where each Si has knowledge of shares bi , ci . From this knowledge each server Si computes and broadcasts vi := [(ki ai +bi )]q and Ai := [gai ]p to the quorum. (See figure 3.)

6 See

6

[Vog06] for details on handling of errors.

key xt which is protected by means of a (ts , n) secret by our proposal. Thus SRAAC provides the technical means to protect from miss use motivated by sharing scheme. solitary interests. Both privacy protection and the ability to isolate and trace faulty OBU is provided. Another advantage is a lower consumption of OBU memory which is discussed in the subsection below.

5.1 Costs Considering bandwidth and memory cost, SRAAC is able to improve costs by reducing the memory needed in the OBU. Similar to equation (1) and (2) in section 3.1 memory and bandwidth consumption of SRAAC can be calculated as follows:

Figure 4: Privacy Revocation

step 1 From on IVC Certificate (m, r, s) are retrieved and the servers compute −1 (tracea , traceb ) := ([tagrm ]p , tagb ) for each a potential tag (taga, tagb ).

MOBU

=

BOBU

=

m ∗ Certsize + staticdata mCertIssuance ∆tc ert

(3) (4)

No new static keying material has to be stored thus staticdata doesn’t change compared to WAVE. But m can be chosen much smaller in SRAAC as the issuance of new certificates is not related to any service interval. Thus memory can be reduced at the leftmost part of the sum. Need for a CRL is avoided. Thus the memory size is independend from the ratio of faulty or the total number of OBU in SRAAC. On the contrary, by introducing OBU Certification independent from service stops, other communication mediums have to be used at time intervals ∆tcert . Again, ∆tcert determines the maximum isolation interval. The number of IVC certificates needed per time is equal in WAVE and SRAAC for an comparable grade of unlinkability. Thus the maximum isolation interval can be reduced down to a minimum value of m needed for unlinkability. And the bandwidth cost per OBU Certification CertIssuance is constant. Compared to (2) this removes another linear dependency to the ratio of faulty and total number of OBU from the costs. Considering memory costs of the authorities it can be shown that memory costs for WAVE and SRAAC both are linear to the number of OBU. The only difference is with the bandwidth cost because certificate revocation lists can be distributed by a broadcast medium e.g. nation-wide radio.

?

step 2 If log g h = logtracea traceb then the tag (taga , tagb ) corresponds to the IVC Certificate. The relation between tag and OBU Certificate is stored as part of the identity information. Following [Jak97] the discrete logarithm in step 2 is efficiently computable if the secret key xt is known. As depicted in figure 4 the tag database is searched until the corresponding tag is found. From this tag the OBU Certificate and the vehicle owner can be found by the Identity Authority.

5 Discussion The main advantage of SRAAC over WAVE is the cryptographic protection of anonymity and unlinkability. All anonymous certificates issued to the vehicles carry no linkage value that could relate them to other anonymous certificates issued to the vehicle. While WAVE protects privacy by computation costs that increases linearly with the number of attacked vehicles, breaking privacy in SRAAC is, following [Jak97], computational infeasable without knowledge of xt for any vehicle. By distributing the ICS well between chosen authorities the many-eyes principle can be enforced 7

OBU Certification implies individual communication with single OBU at approximately periodical time intervals. While bandwidth costs in WAVE is only relative to the size of the CRL, they are relative to the number of OBU and the number of IVC Certificates used per ∆tcert .

It eliminates the necessity of certificate revocation list thus reducing the memory needed at the vehicle and network size-depended communication costs. Within the paper anonymity and untraceability besides authenticity of safety messages has been addressed. The objectives within this work are different from previous work insofar as single certification authorities have been identified as potential attackers to the driver’s privacy. In previous works information that links the vehicles identity with the certificate has been within the power of single authorities. Within SRAAC a quorum of more then ts authorities has to agree on the revocation of the driver’s anonymity. Bandwidth and memory costs of SRAAC have been discussed. Memory and bandwidth costs at the vehicle do scale with growing network size. SRAAC uses cryptographic schemes developed for e-cash because the defined objectives are quite similar. Nevertheless this proposal leaves open the question how the ICS can take control over some parts of the blinded certificate they sign. Most important is the validity time of the IVC Certificate because it determines the maximum isolation interval. This problem has been discussed and solutions have been suggested. This paper presents a step towards authenticated communication in privacy-sensible message broadcasts in highly mobile environments.

5.2 IVC Certificate Validity Time

Due to the fact that the certificates are generated by the vehicles and contents blinded to the ICS quorum, it is possible for the vehicle to generate certificates that include a validity period larger than maximum isolation interval. Although an OBU, detected as malicious, would be issued no new IVC Certificates, is not necessarily isolated because it might own up to m IVC Certificates valid for an arbitrary time. There are three proposals how to resolve this problem. The first proposal introduces a maximum length for the validity period which can be verified by the OBU that verifies the certificate. This would allow for a malicious OBU to be only active for a period of m times this maximum length. After this period the OBU will, assuming its bad behavior is detected, be isolated from the network. Remember that the owner of this car will still be identified and liable due to the possibility of anonymity revocation. Another way to counter this attack would be changes to the OBU Certification protocol that would allow for the ICS quorum to set or verify certain defined parts of the Certificate. Up to now the authors know of no scheme with the needed References properties. + A third way might be provided by proxy signa- [ABD 06] Amer Aijaz, Bernd Bochow, Florian Dotzer, ¨ Andreas Festag, Matthias tures [MUO96]. Gerlach, Rainer Kroh, and Tim This issue is part of ongoing research. Leinmuller. ¨ Attacks on intervehicle communication systems - an analysis. In Proceedings of the 3nd International 6 Summary Workshop on Intelligent Transportation, Hamburg, Germany, March 2006. This paper introduced Secure Revocable Anonymous Authenticated Inter-Vehicle Communication (SRAAC), a protocol that allows for distribution of [CGMA85] Benny Choc, Shafi Goldwasser, Silvio certificates for non-interactive, anonymous mesMicali, and Baruch Awerbuch. Verisage authentication with quorum based blinded fiable secret sharing and achieving sicertificate issuance, anonymity revocation and isomultaneity in the presence of faults. lation of misbehaving vehicles. The protocol In Annual Symposium on Foundations of makes use of Magic Ink-DSS with shared secrets. Computer Science (Proceedings), pages 8

managment - a consolidated proposal for terminology. Technical Report v0.27, TU-Dresden, February 2006.

383–395. IEEE, New York, NY, USA, 1985. [DFM05]

[Doe05]

[HPF05]

[Jak97]

Florian Doetzer, Lars Fischer, and Przemyslaw Magiera. Vars: A vehicle ad-hoc network reputation system. In Proceedings of the IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, Taormina, Italy, June 2005.

[PL06]

Florian Doetzer. Privacy issues in vehicular ad hoc networks. In Workshop [RPH06] on Privacy Enhancing Technologies, Cavtat, Croatia, May 2005. Amy Houser, John Pierowicz, and Dan Fuglewicz. Concept of operations and [Sha79] voluntary operational requirements for vehicular stability systems (vss) on-board commercial motor vehicles. [US 05] Technical Report FMCSA-MCRR-05006, US Department of Transportation, Federal Motor Carrier Safety Administration (FMCSA), July 2005. [Vog06] M. Jakobsson. Privacy vs. Authenticity. PhD thesis, University of California, San Diego, 1997.

[JW04]

Markus Jakobsson and Susanne Wetzel. Efficient attribute authentication with applications to ad hoc networks. In VANET ’04: Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks, pages 38–46, New York, NY, USA, 2004. ACM Press.

[MUO96]

Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto. Proxy signatures: Delegation of the power to sign messages. IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer, E79-A(9):1338– 1354, 1996.

[Nat00]

National Institute of Standards and Technology (NIST). DIGITAL SIGNATURE STANDARD (DSS), 2000.

[PH06]

Andreas Pfitzmann and Marit Hansen. Anonymity, unlinkability, unobservability, pseudonymity, and identity 9

Sean Peirce and Jane Lappin. Private sector deployment of intelligent transportation systems: Current status and trends. Technical report, United States Department of Transportation, Intelligent Transportation Systems Joint Program Office, February 2006. Maxim Raya, Panos Papadimitratos, and Jean-Pierre Hubaux. Securing vehicular communications. IEEE Wireless Communications Magazine, 2006. Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979. US Department of Transportation, National Highway Traffic Safety Administration (NHTSA). Vehicle Safety Communications Project: Final Report, 2005. David Vogt. Authentication for privacy-sensitive vehicle-to-vehicle message broadcast. Master’s thesis, Technische Universit¨at Darmstadt, 2006.