Computer Science Journal
Volume 1, Issue 1, April 2011
Trust and Trusted Computing in VANET
Irshad Ahmed Sumra (1), Halabi Hasbullah (1), Jamalul-lail (2), Masood-ur-Rehman (1)
(1) Computer and Information Sciences Department, Universiti Teknologi PETRONAS, Bandar Seri Iskandar 31750, Tronoh, Perak, Malaysia.
(2) Advanced Information Security Cluster, MIMOS Berhad, Technology Park Malaysia.
Abstract
In the last few years, vehicular networks have been gaining more and more attention from researchers and the automobile industry. The life saving factor is the key issue in this regard. Trust is a key part of security, and it is undoubtedly necessary to develop trust in a vehicular network. The main aim of this paper is to propose a trust model for the vehicular environment. The proposed model contains two different modules. The first module is based on attackers and attacks. An attacker is one of the most significant entities, one who can intentionally change the behavior of the other entities (vehicle or infrastructure) in the network. It is important to study and analyze the attackers and attacks before designing life saving networks. The second module is based on trust and trusted computing technology. The Trusted Platform Module (TPM) is a hardware security module and plays a major role in developing trust in vehicles. The purpose of this study is to develop trust in the vehicular network. This trusted vehicular network model enforces all the entities of the network to behave in a specified manner. We believe that this trusted model would be more helpful in serving the users of the vehicular environment.
Keywords: Trust, Security, Attackers and Attacks, Trusted Platform Module (TPM), Users, Safety and Non safety Application.
Received: Sept 2010, Published: April 2011
I. Introduction
Safety of human lives is a major concern nowadays, because every year thousands of people die in road accidents around the globe. Vehicular Ad hoc Network (VANET) is a special kind of network that aims to reduce the death rate and improve the traffic safety system. In VANET, vehicles can send and receive safety messages to each other on the road to ensure safety of human life [1]. Dedicated Short Range Communication (DSRC) is the frequency band that is used as the communication medium for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communication. DSRC delivers safety and non safety messages in the entire network by using its safety and non safety channels. The importance of safety applications is high because they provide information about any accident in a specific region and handle the situation by sending warning messages to other vehicles. Warning messages and post crash warning/notification are some examples of safety applications [2]. Non safety applications are related to the comfort of the passengers and to improving the traffic system. Parking availability and toll collection services are examples of these applications.
Security is an important issue, especially in this kind of network where one altered message can create problems for the users in many ways. Users can benefit from these applications if we can secure the communication between all entities (components) of the network, leaving no chance for attackers to create trouble for users in the network. Attackers create problems directly and indirectly by launching different kinds of attacks. We focus our study on attackers and their behavior in launching attacks on VANET. Insider/outsider and active/passive attackers are some examples of attackers. Every time attackers strike their target they change their form and then launch different kinds of attacks. We begin by classifying the different types of attackers.
This paper is divided into five sections. Section II discusses the related work in this area. Section III explains the proposed model and all of its modules. The first module covers the attackers and possible attacks. The next module discusses the concept of trust and briefly describes trusted computing and the various trusted entities in a vehicular network. Three different levels of trust and the chain of trust in VANET are also presented in this section. In Section IV we discuss some possible uses of trusted hardware modules, including the Trusted Platform Module (TPM), in VANET, and Section V concludes the paper.
II. Related Work
Security involves a combination of hardware and software. For VANET, there are many types of embedded hardware modules used in vehicles, none of which is specifically meant for trust. Nowadays, TPM is being used in almost all new PCs and laptops for secure communication. G. Guette [3, 4] described the main functionalities of TPM which are used in VANET. They discussed in detail the security requirements and two possible applications (Platoons and Event Reporting) in vehicular networks. The main problem highlighted was to maintain the integrity of data and ensure secure and trusted communication with other vehicles and also with infrastructure. The author also discussed a threat model which contains attacks such as the Sybil attack, vehicle impersonation, sending false information and car tracking. Three security properties were presented: each vehicle must have a unique identifier; the integrity of messages must be ensured, and they must be authentic with regard to the vehicle identifier; and lastly, the trustfulness of the content of the messages must be verified. A TPM-based solution is one of the more cost-effective ones that meets all the security properties and handles the security threats. The main communication in VANET is divided into two: embedded sensors communicate with applications, and applications communicate with the TPM for data signing purposes. The Endorsement Key (EK) and Attestation Identity Key (AIK) are the two main keys that are used for signing and attestation purposes. A trusted application performs two types of communication, communication with sensors and with the TPM. This type of communication is called inside communication and its purpose is to sign the data and keep it safe in a secure location. A trusted application also communicates with the application of the other vehicle using parameters such as Position, Signature and Credential.
In [4], the author proposed a TPM-based security architecture to solve the issues of security and privacy for successful deployment of VANET technology. The two proposed protocols were simulated with AVISPA and SPAN. The main focus is the management of cryptographic keys to provide security and anonymity of vehicle communications. An advantage of this proposed solution is that there is no need for infrastructure (RSU) along the road. Memory stacks take the place of infrastructure and store data about sensors and TPM keys. However, the solution is rather less practical because keys are preloaded in the vehicle during the construction phase and memory sticks are used to renew the certified keys to be used by the proposed protocol. A software stack is used to protect and store data in shielded locations. Inter-vehicle communication uses TPM keys for signing the messages, which means that only trusted vehicles can communicate. If one vehicle application sends a request to another vehicle, it must first be signed using TPM keys. The other vehicle receives this message and verifies its certificates and signature. Vehicle to infrastructure communication also uses TPM keys to ensure trusted communication.
III. Proposed Trust Model
Trust is the key element in creating a trustable VANET environment which would help promote a safer road environment. TCG defines trust [5] as “An entity can be trusted if it always behaves in the expected manner for intended purpose”. Putting this definition of “trust” in the context of VANET, it would mean that “all components of the network (vehicles and infrastructure) are behaving in an expected manner (trusted communication between the components) and serve the users and save human lives”.
Figure 1. Proposed Trust Model
Attackers are those people who change the behavior of an entity and break the trust. So first of all we should study the attackers and attacks, because they directly change the behavior of the vehicle. If we want to achieve trust and develop a trusted computing environment, then we should perform two tasks.
Figure 2. Three levels of trust and trusted computing
First Level: We should deal with attackers and attacks in the vehicular network and study the behavior of attackers and the possible attacks that disturb the network.
Second Level: Explore the major entities of the vehicular network that play a major role in developing trust in vehicle to vehicle communication and also with infrastructure.
Third Level: The main objective is to achieve the third level, that is, to develop a trusted computing environment between all entities in the network. The Trusted Platform Module (TPM) plays a major role in fulfilling the third level of trust.
VANET User Requirement (VUR)
The user is the main entity in a vehicular network, and the objective of this new technology is to serve users and save their lives from road accidents. Safety and non safety VANET applications meet all the users’ requirements during their journey, such as sending or receiving safety messages to other vehicles and using entertainment services. The basic user requirements are the following [6].
Figure 3. User requirements in VANET (Security, Privacy, Trust)
Security: Security is the first important user requirement in VANET. It is difficult to convince users that any new technology is secure. Safety related applications may not work properly without achieving a minimum security level; for example, the Extended Brake Light (EBL) application [7] needs security, otherwise an attacker may generate warning messages and create problems on the road.
Privacy: User privacy is a very important factor in the vehicular environment; once the users’ privacy is lost, it is very difficult to re-establish. Privacy in VANET means securing the user’s personal data and his/her location. Users need privacy and may not allow others to see their personal data and their locations. They are always concerned about their privacy. Only authorized parties (such as police, law enforcement agencies) may use the private/personal information. Name of driver, license plate of the vehicle, speed of the vehicle, position/location and route for travelling are some of the user privacy information [8], and the user is worried about this information while communicating with other users or with infrastructure.
Trust: The last user requirement is trust, and trust [9] is the key element of a security system. When users receive any message from another vehicle or from infrastructure it should be trusted, because the user reacts according to the message. To establish trust, it is required to provide trust between the users in vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) communication. Attackers change the contents of the message and break the trust between the vehicles.
VANET Applications
VANET is a very important part of the intelligent transport system (ITS). There are many potential applications of VANET. VANET applications are described and categorized in different ways in many studies [10, 11, 12]. Safety applications are the most important applications of VANET because they are directly related to users, and their priority is high due to the human life saving factor. The main goal of a safety application is to protect cars and their passengers from road accidents. Today an active safety application is everything that helps users on the road to prevent an accident from happening. In other words, active safety systems work as pre crash applications [13].
Active safety applications [14] are based on control functions, and their purpose is to exchange sensor data or status information in vehicle to vehicle (V2V) or vehicle to infrastructure (V2I) communication. The goal of sending this kind of information to users is that they react accordingly and avoid the accident. Antilock Brake System (ABS) and Electronic Stability Program (ESP) are examples of active safety systems. Warning applications provide warning related information to drivers, such as post crash warning/notification and obstacle warning, and also give warnings about the condition of the road. Passive safety applications work inside the vehicle and protect the passengers against injury in the event of an accident. Safety belts and air bags are examples of passive safety applications. Passive safety applications cannot help to avoid accidents, but these kinds of applications are very useful in case of accidents and criminal attacks, to find the exact location of the users and to provide services to affected people [15].
Attackers and Their Properties
Attackers create problems in the network by getting full access to the communication medium, DSRC. Here we discuss some properties and capabilities of attackers which have been mentioned in studies [16].
• Coverage area: Coverage area is the main property of attackers when they launch any kind of attack. An attacker could cover the main area of a road, depending on the nature of the attack. A basic level attacker controls one DSRC channel and covers a range of at most 1000 meters, but extended level attackers are more organized and cover more area using a hundred DSRC channels.
• Technical Expertise: Technical expertise makes attackers stronger in creating attacks in the network. It is difficult for an attacker to mount attacks on cryptographic algorithms. The chance is low for an attacker to compromise the infrastructure network and capture data from a restricted area of the network. An attacker may have the ability to extract the program code and secret keys of the computing platform of OBU and RSU by launching physical attacks.
• Resources: Budget, manpower and tools are the three key resources, and attackers depend on them to achieve their goals. Budget is needed to hire technical experts and spend time understanding the configuration of a specific network, and then to disturb the network by launching different kinds of attacks. Attackers can use different kinds of tools for launching attacks. These software tools can be developed by the attackers themselves or bought on the market. Many business parties set up their business near the road and provide non safety application services (Internet, entertainment services). One business party can use its own maximum resources to create problems for other parties and destroy their business with different kinds of attacks.
There are many types of attackers that create problems in VANET. The main goal of an attacker is to change the contents of a message or create a message and use it for his/her own benefit. Maxim Raya and Jean-Pierre Hubaux [17] described their attacker model, and we extend this model further into two levels on the basis of previous work [18]. Figure 4 shows the two levels of attackers. The following subsections describe them in detail.
Figure 4. Two Levels of Attackers
First Level of Attackers
At the first level, the attackers act more seriously and the intensity of the attacks is higher as compared to the second level. Figure 5 explains first level attackers, whereby attackers launch different types of attacks on both kinds of communication, i.e., vehicle to vehicle (V2V) and vehicle to infrastructure (V2I). The attackers are active and launch different types of attacks at the same time in the network. The purpose of this kind of attack is not to achieve any personal benefit but only to create problems in the network. The severity level is high because the attacker has control over the unique identity and authentic user of the network. The scope of first level attacks is high because they cover a bigger geographical area. More details about first level attackers are given below.
Figure 5. First Level of Attacker
Insider: This type of attacker, who is an authentic user of the network, can create problems in the network by changing the certificate keys. An insider attacker might have access to insider knowledge, and this knowledge will be used for understanding the design and configuration of the network. Once they have all the information about the configuration, it is easy for them to launch attacks and create more problems as compared to an outsider attacker. We can simply say that the insider attacker is the right man doing the wrong job in the network.
Malicious: This type of attacker has no personal gain from launching the attacks, but wants to achieve two goals:
• To harm the other vehicles of the network by sending wrong information or altering safety related application information.
• To create problems by disturbing the correct functioning of the network by sending unnecessary frames to other vehicles.
Active: This type of attacker creates problems in the network while working in two dimensions.
• Generates packets and sends them to other VANET vehicles as well as to the infrastructure.
• Generates and sends signals in the network and disturbs the main frequency band.
Extended: This type of attacker extends and spreads attacks across the network, affecting many entities of the network. Privacy violations and wormhole attacks are examples of these kinds of attacks.
Intentional: This type of attacker intentionally disturbs the network operation and creates problems for legitimate users trying to access the network.
Independent: This type of attacker has a unique identity and is independent in the network. It may not depend on the other vehicles for launching attacks.
Second Level of Attackers
Second level attackers also have their own severity level, which is lower as compared to the first level. Attackers at the second level are outsiders, and the basic aim of this kind of attacker is to seek personal benefit. Figure 3 explains second level attackers. Second level attackers just listen to the communication among various vehicles, say vehicle A and vehicle B. The scope and affected area are somewhat limited, as the circle in Figure 6 shows. Passive and dependent attackers are examples of second level attackers. The level of severity is low as compared to first level attackers, where attackers are active and independent in launching attacks in the network. More details about second level attackers are given below.
Figure 6. Second Level of Attacker
Outsider: The outsider attacker is considered as an authentic vehicle of the network. It is a kind of intruder which aims to misuse the protocols of the network, and the range of such attacks is limited. An outsider attacker also has limited diversity for launching different kinds of attacks as compared to an insider attacker.
Rational: The rational attacker seeks personal benefit, defines a specific target and tries to achieve it. For example, sending erroneous information about the road, diverting the whole traffic to another road and clearing the road for one’s own benefit.
Passive: The passive attacker aims just to eavesdrop on the wireless medium among the vehicles and infrastructure of the network. It is a kind of privacy violation of users on the road.
Local: The scope and effect of the attack can be limited because the attacker can locally control the VANET vehicles or its infrastructure (RSU). The effects of this attack are in a specific region and do not disturb the other entities of the network.
Unintentional: The attackers do not intentionally want to get involved in the network and create problems for the network users. This can be the case where errors occur due to some network operations and transmission in the network.
Dependent: A group of attackers intentionally wants to attack the network as a coordinated group. In a group attack, the attackers are dependent on each other and share the same interest.
Severity Level (SL)
Eq. 1 shows the severity level of first and second level attackers. The severity level of a first level attacker is greater as compared to a second level attacker. Here we can select one attacker (the active attacker) from the first level and compare it with one of the second level attackers (the passive attacker). The severity level of the active attacker is high as compared to the passive attacker because the active attacker generates packets and sends these false packets to other vehicles and also to infrastructure. The packets may be safety or non safety packets, or may contain some bogus information, but the purpose of the attacker is to disturb the network. Figure 5 describes the behavior of the attacker who generates false packets and sends these packets to other vehicles and also to infrastructure. Vehicle A and Vehicle B are in the same lane but they receive different kinds of packets. The passive attacker, by contrast, aims just to listen to the communication among the vehicles and also with infrastructure. There is no need to generate and send packets into the network. Figure 6 shows that the attacker just listens to the communication between vehicle A and vehicle B.
$$SL = \{\, L_1(A_{k1}, A_{k2}, \ldots, A_{kn}) > L_2(A_{k1}, A_{k2}, \ldots, A_{kn}) \,\} \qquad (1)$$
Classes of Attacks
Attackers generate different attacks in this life saving vehicular network. In this paper, we propose five different classes of attacks, and every class is expected to provide a better perspective on VANET security. The proposed solution is to classify and identify the different attacks in VANET. The attacker’s role is important in a vehicular network because attackers launch different types of attacks. The objective of attackers is to create problems for other users of the network by changing the content type of messages. Researchers have described different types of attacks in their studies [17, 19, 20, 21]. In addition, we propose five different classes of attacks. Each class describes different types of attacks, their threat level and attack priority. Along with this approach, we also propose some new attacks. The aim of this approach is to easily identify these attacks and their association with the respective class. Figure 7 shows the proposed classes of attacks.
Figure 7. Classes for Attacks (Monitoring Attack, Social Attack, Timing Attack, Application Attack, Network Attack)
First Class: Network Attack
Vehicles and infrastructure are the main components of VANET. In this class, attackers can directly affect other vehicles and infrastructure. These attacks are of high priority because they affect the whole network. The main objective of these attacks is to create problems for legitimate users of the network. Some of the attacks are mentioned below.
Denial of Service (DOS) Attack
The availability of the network is very important in a vehicular network environment where all users rely on the network. Denial of Service (DOS) is one of the most serious attacks in a vehicular network. In a DOS attack, the attacker jams the main communication medium and the network is no longer available to legitimate users [17]. The main aim of a DOS attacker is to prevent authentic users from accessing the network services [20]. Figure 8 shows the whole scenario when the attacker launches a DOS attack in a vehicular network and jams the whole communication medium between V2V and V2I. As a result, users cannot communicate with other users or with infrastructure.
Figure 8 DOS Attacks between V2V and V2I
Sybil Attack
The Sybil attack [21] also belongs to the first class. In a Sybil attack, the attacker sends multiple messages to other vehicles, and each message contains a different fabricated source identity (ID). It creates an illusion for other vehicles by sending wrong messages such as a traffic jam message [21, 22]. Figure 9 explains the Sybil attack, in which the attacker creates multiple vehicles on the road with the same identity [3]. The objective is to force other vehicles on the road to leave the road for the benefit of the attacker.
Figure 9 Sybil Attack
Vehicle Impersonation Attack
Each vehicle has a unique identifier in VANET, and it is used to verify the message whenever an accident happens by sending wrong messages to other vehicles [3, 17]. Figure 10 explains this scenario, in which vehicle A is involved in an accident at location Z. When police identify the driver, as the identifier is associated with the driver’s identity, the attacker changes his identity and simply denies it.
Figure 10 Vehicle Impersonation Attack
Second Class: Application Attack (AP)
Safety and non safety are the two types of potential vehicular applications. In this class the main concern of the attacker is to change the content of these applications and use it for their own benefit. The importance of safety applications is greater, as they provide warning messages to other users. The attackers change the content of the actual message and send wrong or fake messages to other vehicles, which causes accidents. The bogus information attack [17] is one example, in which the attacker sends wrong information to the network and these wrong messages directly affect the behavior of users on the road. Warning messages are important messages that are used in safety applications. It is a very serious condition on the road if attackers change the warning messages, as many accidents occur on the road. Security mechanisms are used to avoid such attacks and to ensure the truthfulness of the message. Figure 11 shows an example in which the attacker launches an attack on a safety application. The attacker receives a warning message “Work Zone Warning” from a nearby vehicle. He then changes the content of the message and sends the message “Road is Clear” to another vehicle. The important warning messages used in V2V or V2I communication are Blind Spot, Post Crash, Breakdown, Work Zone, Curve Speed, Lane Change, Rail Collision, Wrong Way Driver, Stop Sign Violation, Intersection Collision, Cooperative Collision, Traffic Signal Violation, Emergency Vehicle at Scene, Emergency Vehicle Approaching and Infrastructure Based Road Condition Warning [23].
Figure 11. Safety Application Attack
Non safety applications are related to users’ comfort during their journey. These applications do not disturb safety applications. The role of non safety applications is to comfort the passengers and to improve the traffic system. Car parking is one of the major non safety applications; the Road Side Unit (RSU) provides information about the availability of parking in shopping malls and sport complexes. Figure 12 explains this attack: an authentic user receives the information “Parking Slot available” from the road side unit (RSU) near the shopping mall and sends this message to another vehicle. The vehicle that receives this message is actually the attacker’s vehicle. The attacker now alters the message to “No empty parking slot” and passes it to other vehicles. Entertainment, Toll Collection, Map Download, Restaurant Finding, Gas Station Finding, Parking Availability and Shopping Mall Finding services are some of the services that are considered non safety applications [6].
Figure 12 Non Safety Application Attack
Third Class: Timing Attack
This is a new type of attack in which the attacker’s main objective is to add some time slot to the original message and create delay in it. Attackers do not disturb the other content of the message; they only create delay, so that these messages are received after the required time. Safety applications are time critical applications; if delay occurs in these applications, then the main objective of the application is defeated. Figure 13 shows the complete scenario of the timing attack, in which the attacker receives a warning message (Warning! Accident at location Y) from another vehicle and then passes this message to another vehicle after adding some time. The other users of the network receive this message when the accident has actually occurred.
Figure 13 Timing Attack
Fourth Class: Social Attack
All immoral messages (social attacks) lie in this class. It is a kind of emotional and social attack. The purpose of these kinds of messages is to indirectly create problems in the network. Legitimate users show angry behavior when they receive such messages. This is what the attacker actually wants by launching such an attack. Figure 14 explains this condition: the attacker passes the message “You are Idiot” to a nearby vehicle. When the user receives this message, it directly affects his driving behavior by increasing the speed of his vehicle. All of this indirectly disturbs the other users in the network.
Figure 14 Social Attack
Fifth Class: Monitoring Attack
Attacks that monitor and track vehicles lie in this class. In a monitoring attack, the attacker just monitors the whole network and listens to the communication between V2V and V2I. If they find any relevant information, they pass this information to the person concerned. For example, the police plan to perform some operation against a criminal, and they communicate with each other and give guidance about the exact location of the operation. The attacker listens to all the communication and informs the criminal about the police operation. Every vehicle has its own unique ID, and the attacker discloses the identity of other vehicles in the network. Using these unique IDs, the attacker tracks the current location of the required vehicle. A global observer monitors the target vehicle and sends a virus to a neighbour of the target [17]. When the neighbour is affected, the attacker takes data of the target vehicle. Rental car companies use this ID to track the location of their own vehicles. The ID disclosure attack is related to user privacy, as the attacker can easily track the user’s location in a specific region [24].
Vehicular Trusted Computing (VTC)
Trusted computing is a relatively new technology which has gained popularity recently, and the Trusted Computing Group (TCG) [25] has been the main proponent of this technology. The main aim of TCG is to enhance security in computer networks by using a hardware security module (called the Trusted Platform Module). Figure 15 shows how trusted computing communication can be maintained between all entities of the network. Vehicle A to Vehicle F are doing their tasks in the proper manner. Vehicle D communicates with the RSU, and the RSU communicates with the TOC and authenticates and provides valid information. Vehicle D shares this information with other vehicles in the network. This is an ideal condition that we want to achieve in a real vehicular network. Trust will be built in two different ways in vehicular trusted computing. Trusted computing requires that these two basic properties are fulfilled [26]:
• The sender who sends the information in vehicle to vehicle or vehicle to infrastructure communication is accepted as a trusted entity.
• The contents of the message from the source are not changed during transmission, i.e., the message meets the integrity requirement.
Figure 15. Vehicular Trusted Computing Communication
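The two properties above (a trusted sender and unchanged content), together with a freshness limit aimed at the delay described under the timing attack, can be enforced on the receiving side as in the following added example, which is not code from the paper. The message layout, the 500 ms window, the vehicle names and the software Ed25519 keys (standing in for a signing key held in a TPM) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SafetyMessage is a constructed V2V message layout (an assumption, not from the paper).
type SafetyMessage struct {
	SenderID  string
	Body      string
	SentAt    time.Time
	Signature []byte
}

var (
	ErrUntrustedSender = errors.New("sender is not a registered trusted entity")
	ErrBadSignature    = errors.New("signature invalid: content altered or sender impersonated")
	ErrStale           = errors.New("message outside the freshness window")
)

// encode builds the signed bytes. Fields are length-prefixed so that bytes
// cannot be moved between SenderID and Body without changing the encoding.
func encode(m SafetyMessage) []byte {
	var n [8]byte
	buf := make([]byte, 0, 64)
	for _, f := range []string{m.SenderID, m.Body} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(f)))
		buf = append(buf, n[:4]...)
		buf = append(buf, f...)
	}
	binary.BigEndian.PutUint64(n[:], uint64(m.SentAt.UnixNano()))
	return append(buf, n[:]...)
}

// Sign stands in for the signing step that the paper assigns to the TPM.
func Sign(priv ed25519.PrivateKey, id, body string, at time.Time) SafetyMessage {
	m := SafetyMessage{SenderID: id, Body: body, SentAt: at}
	m.Signature = ed25519.Sign(priv, encode(m))
	return m
}

// Verifier holds the receiver's registry of trusted senders and its freshness limit.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	MaxAge  time.Duration
}

// Check applies the checks in order: trusted sender, integrity, freshness.
func (v Verifier) Check(m SafetyMessage, now time.Time) error {
	pub, ok := v.Trusted[m.SenderID]
	if !ok {
		return ErrUntrustedSender
	}
	if !ed25519.Verify(pub, encode(m), m.Signature) {
		return ErrBadSignature
	}
	if age := now.Sub(m.SentAt); age > v.MaxAge || age < -v.MaxAge {
		return ErrStale
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs constructed cases and returns the receiver's verdict for each.
func Demo() map[string]error {
	pubA, privA := mustKey() // registered vehicle
	_, privX := mustKey()    // key that the registry does not know
	v := Verifier{
		Trusted: map[string]ed25519.PublicKey{"vehicle-A": pubA},
		MaxAge:  500 * time.Millisecond, // assumed limit, not a value from the paper
	}
	t0 := time.Date(2011, 4, 1, 12, 0, 0, 0, time.UTC) // constructed send time
	soon := t0.Add(100 * time.Millisecond)

	genuine := Sign(privA, "vehicle-A", "Work Zone Warning", t0)
	altered := genuine
	altered.Body = "Road is Clear" // content changed in transit
	return map[string]error{
		"genuine":      v.Check(genuine, soon),
		"altered":      v.Check(altered, soon),
		"impersonated": v.Check(Sign(privX, "vehicle-A", "Road is Clear", t0), soon),
		"unregistered": v.Check(Sign(privX, "vehicle-X", "Traffic jam", t0), soon),
		"delayed":      v.Check(genuine, t0.Add(5*time.Second)),
	}
}

func main() {
	r := Demo()
	for _, k := range []string{"genuine", "altered", "impersonated", "unregistered", "delayed"} {
		fmt.Printf("%-13s %v\n", k, r[k])
	}
}
```

Because the send time is part of the signed bytes, a relay that holds a message back cannot refresh its timestamp without invalidating the signature, so the delayed copy is rejected as stale.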
Trusted Entities of VANET
In this section we explain five basic entities of trust; when all these entities work together they develop a chain of trust in the vehicular network. Eq. 2 expresses that all modules are trusted and work together to achieve a chain of trust in the system. Detailed discussions of all these entities are given below.
• Trusted User
• Trusted Vehicle
• Trusted Applications
• Trusted Routing
• Trusted Medium
• Trusted Infrastructure
$$\text{Chain of Trust (COT)} = \sum_{i=0}^{(TU)(TV)(TA)(TR)(TM)(TIF)} (TU + TV + TA + TR + TM + TIF) \qquad (2)$$
Trusted User: The user's role is important in all technologies, and for VANET applications in particular we are directly concerned with the protection of users' lives. The main purpose of VANET applications is to serve the users by sending safety and non safety messages from vehicle to vehicle and also to the infrastructure. We classify the users into two types, trusted users and non trusted users. Trusted Users (TUs) are those people who perform their task properly in the network. In the vehicular environment the user's role is important for building the chain of trust. The chain of trust is affected if a user does not perform their task accurately. In their respective vehicles, users communicate with the application unit (AU) and send messages to other vehicles in the network. Trusted users have the following qualities.
• They receive messages from other vehicles, perform the task the message requires (safety or non safety), and pass the message on to other vehicles in the network.
• They receive messages from the infrastructure (RSU), execute them, and pass them on to the vehicles of the network.
• They generate messages according to the situation; e.g. if an accident has occurred at some specific place, messages are passed to other vehicles as well as to the infrastructure in the network.
Non Trusted Users (NTUs) are those users who do not possess the trusted credentials and could potentially be the kind of attackers who create problems for legitimate users by launching attacks. In a vehicular network their role is more prominent because they can potentially change life critical information on the road. The following are the tasks that they perform in VANET.
• Non-Trusted Users could potentially be active attackers who launch attacks of high intensity. The denial of service (DOS) attack and the Sybil attack are examples of such attacks. The main objective of NTU attacks is to directly disturb the basic functionality of the network.
• Non-Trusted Users can break the integrity of messages sent through the communication in the vehicular environment. Attackers could change the content of a message; for example, “Accident at Location X” can become “Road is clear”.
Trusted Vehicle: The role of the vehicle is important in all types of communication in the network. The basic level of trust is to provide security in the vehicle (Trusted Vehicle), with communication carried over trusted channels between vehicle and vehicle (V2V) and between vehicle and infrastructure (V2I). A Trusted Vehicle requires some specific sensors to be a part of VANET. The TPM is the hardware module that forms the basic building block for trust inside the vehicle: it has its own root of trust, hashing and cryptographic functionality, and acts like a smart card. The Electronic Control Unit (ECU) and many other types of sensors work inside the vehicle. Hardware (all types of sensors) and software should perform their tasks properly to build trust inside the vehicle. The vehicle receives some information from its on-board units and some from the outside network (other vehicles or the infrastructure).

Trusted Applications: Safety and non safety applications serve the users and make their journey safe and comfortable. Active safety applications, warning applications and position based routing require security from attackers, and user trust is built when these applications perform their task accurately. Applications should be trusted because the user takes decisions based on application information received from other vehicles as well as from the infrastructure. M. Gerlach [9] discussed and proposed a model for trusted applications for VANET. This model defines the situation in which the attributes of trust are relevant to the trustee, and the author makes three main contributions in this paper, which are given below.
• Enabling a security architecture that integrates different security measures in the vehicular environment.
• Probabilities for representing trust, and a trust model for VANET applications that uses the principle of trust tagging.
• The author uses the concept of mix content, which defines the way to change pseudonyms. An attacker cannot link two messages coming from the same vehicle, which also prevents location tracking.
Trusted Routing: Routing is a key part of VANET; a message moves from one vehicle to another over different routes. Routing involves hop to hop and hop to multihop communication, and the open medium and dynamic network topology make the routing task complex. Secure and trusted routing is necessary for sending and receiving safety messages in the network. T. Chen [27] discussed trusted routing using their own proposed trusted routing framework. The proposed framework provides message authentication, trust between vehicles, and routability verification without the support of online certificate authorities (CA). The trusted framework is applied to the OLSR (Optimized Link State Routing Protocol) routing protocol. The trust establishment framework consists of three key parts, which are designed to handle different types of threats in the network.
I. A digital signature is used for message authentication. The value of the digital signature depends on secret values that are known only to the signer of the message. A hash function is used to generate a fixed-size message digest, and this digest is signed instead of the complete message.
II. Vehicle to Vehicle authentication is also part of trusted routing. Its main task is to authenticate the identity of a vehicle and defend it from attackers. The author divides the Vehicle to Vehicle authentication procedure into three phases.
• In the first phase, public/private key pairs and certificates are distributed to all authentic vehicles that are willing to join the network.
• Two vehicles exchange certificates and verify each other by sending and receiving challenges.
• In the last phase, if the connection between the vehicles is lost for a short period of time, they try to re-authenticate with each other using the pre-shared secret exchange.
III. Routability verification is the last part of trusted routing.
This mechanism provides pieces of evidence from neighbouring vehicles, so that the connection from source to destination is verified and trusted. Each vehicle builds its own trusted routing map from the Routability Certificates (RC) it cumulatively collects. This phase allows two vehicles to establish their connection quickly without repeating the whole authentication phase.

Trusted Medium: The role of the channel medium is important; the dedicated short range communication (DSRC) frequency band is used for all types of communication in VANET. DSRC provides multiple channels and its transmission ranges from 5.850 to 5.925 GHz. DSRC is divided into seven channels and each channel range is 10 MHz. Every vehicle in the network receives messages from other vehicles or from the infrastructure. Secure and trusted message content is the major concern of the users. Attackers will try hard to change the contents of a message and break the trust between the vehicles. When users receive any information (safety or non safety) from other vehicles or from the infrastructure, it must be trusted because the user reacts according to the message. To establish trust, we must provide a secure and trusted channel (Trusted Medium) between the users in the network. Whenever attackers launch any type of attack, we have the option of using other channels. Attackers will also use these channels, insert their false information into the network, and create problems for legitimate users. Message exchange from vehicle to vehicle and from vehicle to infrastructure should be reliable, accurate and confidential, and this happens only in the presence of a secure communication medium. C. Laurendeau [28] explained the security threats in DSRC/wireless access in vehicular environment (WAVE); if we are able to remove these threats, the medium becomes trusted.

Trusted Infrastructure: The network infrastructure (which consists of network components) is important for verifying the users and providing the right information to users on the road. The infrastructure must be made trusted before it sends safety related information to users, because all users rely on it. In the case of channel jamming (DOS), the user wants to communicate with the infrastructure and send or receive information. In this sense, the accessibility and availability of the network directly concern the users' trust levels. When the network is not available due to an attack, users' trust is seriously affected. The objective of trusted infrastructure is to ensure the security of the channel and of the information being passed among the users. There are many types of trust in the vehicular network, and the level of trust will increase if we can control attackers and keep them from launching attacks.
Figure 16 shows the relationship of attackers (both levels) with the trust types. When an attacker succeeds in launching any type of attack, the level of trust gradually decreases. Whenever there is control over the attackers, the level of trust increases. Hence we can safely say that both (Attackers and Trust) are directly proportional to each other.
[Figure 16. Relationship between Trust and Attackers. Labels: first- and second-level attackers; trust types Trusted User, Trusted Node, Trusted Applications, Trusted Routing, Trusted Medium, Trusted Infrastructure; annotations "Do not consider yet." and "Already studies done on it."]
Levels of Trust
Zero Trust is the first trust level, in which the attacker is active, is able to use all kinds of entities in the network, and creates problems by launching different types of attacks (passive or active). Eq. 3 describes that first and second level attackers are active and that the chain of trust in this condition is zero.

Zero Trust = ∑ (L1.Attackers + L2.Attackers) – (COT := 0)    (3)

The second level of trust is called Weak Trust, in which the attacker is able to launch different kinds of attacks and the scope of the attacks is within some specific region. Some entities are affected by these attacks, whereas other entities of the network perform their task properly and serve the users. Eq. 4 represents a situation where, of all the entities in the chain of trust, only the trusted infrastructure (TIF) is affected by attacks.

Weak Trust = ∑ (TU + TV + TA + TR + TM) – (TIF)    (4)

Strong Trust is the third level of trust, in which all entities of the network are trusted and work properly. There are no attackers in the network; this is a very ideal condition in which every entity performs its task properly. In Eq. 5 we assign the value zero to both types of attackers.

Strong Trust = COT – ∑ (L1.Attackers := 0 + L2.Attackers := 0)    (5)
Table 1 explains the three different trust levels in the vehicular network.

Table 1. Levels of Trust
Levels of Trust    Description
0                  Zero Trust
1                  Weak Trust (some entities are trusted)
2                  Strong Trust (all entities are trusted)
IV. Trusted Hardware Module (THM)
Both hardware and software work together to achieve security in the system and make secure communication between VANET vehicles possible. There are two basic hardware modules that are used for security purposes in a VANET vehicle. The first security hardware module is called the Event Data Recorder (EDR), a kind of black box similar to the one used in airplanes. It is a non-volatile hardware module and provides tamper proof storage. The basic task of the EDR is to record the data of critical situations in emergency conditions [29]. The EDR provides secure storage of data only. The cost of the EDR is low and it is easily embedded into VANET vehicles. In many countries the EDR is installed in many road vehicles (trucks). The drawback of the EDR is that it has no ability to perform cryptographic functions.
The second security hardware module is called the Tamper Proof Device (TPD), which has the ability to sign and also verify the messages that are received from other vehicles in the network [20]. The key point of the TPD is that it has processing ability. The cost of the TPD is very high; this is its only drawback. These two security hardware modules do not provide trust in the VANET vehicle. Hence we propose to use another hardware module, called the trusted platform module (TPM).

Trusted Platform Module (TPM)
The Trusted Platform Module is a hardware chip designed for secure computing that can be used to measure the integrity of a platform or system. It is a piece of hardware and needs software to communicate with it in order to protect and store data in a secure location. Protection capability, integrity measurement and integrity reporting are the key features of the TPM. The Random Number Generator (RNG), SHA-1 engine, RSA and HMAC are the functional components of the TPM that provide its cryptographic capabilities [3, 30]. By writing software that manages the integrity of data using the TPM, the system can resist software attacks, and this is advantageous because the cost of a TPM is lower than that of the other security modules (EDR or TPD). The TPM will be embedded into the existing hardware module, and with it we will make the necessary software and hardware changes for the vehicle to be trusted in the vehicular network.

Attacker and Trusted Platform Module (TPM)
If attackers launch any kind of attack (first or second level), the trusted Vehicle (TN) in the car will first detect that there is a change in the values of the Platform Configuration Register (PCR) inside the TPM, and the application will then alert the TN to prevent any more communication with the untrusted vehicle. Figure 17 illustrates the scenario: the attacker launches an attack, the PCR values change, and the TN is alerted to prevent any more communication with the attacker.
[Figure 17. Attackers and TPM. Labels: Vehicle, TPM, Platform Configuration Register (PCR), Endorsement Key (EK), Attestation Identity Key (AIK), first- and second-level attackers, attacks.]
Platform Configuration Register (PCR)
A PCR is an internal register used for storing integrity measurement values in a shielded location. The PCRs contain values that represent the system software and hardware configuration metrics of the TN. For any kind of attack on the TN, these PCR values will change, which means the current configuration of hardware and software has been attacked; the system detects the changes and acts appropriately [31]. Measurement, reporting and execution are the three main processes [32] that are used to maintain the integrity of the system. Attestation of the platform configuration and the chain of trust are the two basic objectives served by the contents of the PCR values. Eq. (6) [32] shows the old and new values of a PCR register inside the TPM. A total of sixteen PCR registers are used in the TPM: eight registers are used for hardware and eight for software to meet the integrity requirement.

R_{i+1} := SHA1(R_i || I)    (6)

R_{i+1} = new register value
R_i = old register value
I = input value

State ← getCurrentPCRs()    (7)

Steps
1. CRTM measures BIOS
2. BIOS measures BL
3. Boot Loader (BL) measures OS
4. Operating System (OS) measures Applications
5. User communicates with Applications

Figure 18. Integrity Measurement Process
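The extend operation of Eq. (6) applied along the measurement chain of Figure 18, as an added Python example that is not code from the paper: a single PCR is simulated in software, and a verifier replays the measurement log against reference digests to find the stage that changed. Assumptions: all function names are hypothetical, the component images are constructed byte strings, each input value I is the SHA-1 digest of an image, and the PCR starts at all zeros.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, the size of one PCR in Eq. (6)


def measure(image: bytes) -> bytes:
    """Input value I (assumption): the SHA-1 digest of a component image."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Eq. (6): R_{i+1} := SHA1(R_i || I). The old value is folded into the
    new one, so a PCR can only be extended, never set directly."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def boot(chain):
    """Measure each stage in order before it runs; return (PCR, event log)."""
    pcr = bytes(PCR_SIZE)  # assumption: the PCR starts at all zeros after reset
    log = []
    for name, image in chain:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify(reported_pcr: bytes, log, reference):
    """Verifier side: replay the log, then compare each entry to the reference.

    reference maps component name -> expected digest, in boot order.
    Returns (trusted, reason).
    """
    replayed = bytes(PCR_SIZE)
    for _, digest in log:
        replayed = extend(replayed, digest)
    if not hmac.compare_digest(replayed, reported_pcr):
        return False, "event log does not match reported PCR"
    if [name for name, _ in log] != list(reference):
        return False, "unexpected component set or measurement order"
    for name, digest in log:
        if not hmac.compare_digest(digest, reference[name]):
            return False, f"unexpected measurement for {name}"
    return True, "platform state matches reference"


# Constructed stand-ins for the images measured in Figure 18 (the CRTM is the
# root of the chain and is not itself measured).
GOOD_CHAIN = [
    ("BIOS", b"constructed BIOS image v1"),
    ("BootLoader", b"constructed boot loader image v1"),
    ("OS", b"constructed operating system image v1"),
    ("Applications", b"constructed safety application v1"),
]
REFERENCE = {name: measure(image) for name, image in GOOD_CHAIN}


def demo():
    """Compare a clean boot, a modified boot loader, and a mismatched log."""
    good_pcr, good_log = boot(GOOD_CHAIN)
    changed = list(GOOD_CHAIN)
    changed[1] = ("BootLoader", b"constructed boot loader image v1, modified")
    bad_pcr, bad_log = boot(changed)
    return {
        "clean": verify(good_pcr, good_log, REFERENCE),
        "modified": verify(bad_pcr, bad_log, REFERENCE),
        # A clean-looking log cannot explain the PCR of the modified platform.
        "mismatched_log": verify(bad_pcr, good_log, REFERENCE),
        "pcr_changed": good_pcr != bad_pcr,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Because every later PCR value depends on all earlier inputs, a change in the boot loader alters the final register value even though the OS and application images are unchanged.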
Endorsement Key (EK): The Endorsement Key (EK) [32] is a fundamental component of the TPM, and every TPM must have an endorsement key pair. In the endorsement key pair, the private key is the more important part and it is embedded in the TPM. The purpose of the EK is to uniquely identify the platform. The TPM has a root of trust that is defined by the EK pair. The public and private portions are defined as an RSA key pair. One major fact about the EK is that once it has been created, it cannot be replaced or removed from the TPM.

Attestation Identity Key (AIK): The AIK [33] is a TPM key that is used for attestation of the current platform and its configuration. The AIK is also used as an alias for the endorsement key (EK), and it is a non-migratable signing key generated by the owner of the TPM. Multiple AIKs can be generated by the TPM. PCA (Privacy Certification Attestation) and DAA (Direct Anonymous Attestation) are used for certification of attestation of the AIK. VANET applications (safety and non safety) run inside the vehicle, and the TPM performs the attestation task using the AIK. After attestation, the messages are sent to other vehicles and to the infrastructure.
V. Conclusion and Future Work
Security of VANET is an important issue to be addressed by the designers of VANET infrastructure security. It can be useful in providing correct information to users and guiding them about varying conditions on the road. VANET applications are regarded as an important solution for the security of users on the road. Moreover, vehicular applications must be secured, because users are directly affected if attackers change the content of safety applications. Attackers change their attacking behavior and launch different attacks at different times. Attackers always try to tamper with the information and create trouble in the network. The level of trust in the network develops if the system is able to keep attackers from distorting the information. The TPM can play an important role in resisting possible software attacks and in creating a trusted environment between vehicles and the infrastructure. In past research, cryptographic functional components are considered one of the key elements for building trust and maintaining data integrity. In future we will address an attestation scheme such as property based attestation (PBA) for developing a secure and trusted environment in the vehicular network.
Acknowledgement This work is funded by Universiti Teknologi PETRONAS Postgraduate Assistantship Scheme in collaboration with MIMOS Berhad.
References
1. Y. Qian, N. Moayeri, "Design of Secure and Application Oriented Vanets", Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 11-14 May 2008, Singapore.
2. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs", Consumer Communications and Networking Conference, 2008, 5th IEEE, 10-12 Jan. 2008, pp. 912-916.
3. G. Guett, C. Bryce, "Using TPMs to Secure Vehicular Ad-Hoc Networks (VANETs)", IFIP 2008, WISTP 2008, LNCS 5019, pp. 106-116.
4. G. Guette, O. Heen, "A TPM-based Architecture for improved security and Anonymity in vehicular ad hoc networks", IRIS France.
5. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges", Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
6. I. Ahmed Sumra, H.B. Hasbullah, J. Ab Manan, "User requirements model for vehicular ad hoc network applications", International Symposium on Information Technology 2010 (ITSim 2010), Malaysia.
7. F. Kargl, Z. Ma, E. Schoch, "Security Engineering for VANETs", 4th Workshop on Embedded Security in Cars (escar 2006), Berlin, Germany.
8. X. Lin, R. Lu, C. Zhang, H. Zhu, P. Han Ho, X. Shen, "Security in Vehicular Adhoc Networks", IEEE Communication Magazine, April 2008.
9. M. Gerlach, F. FOKUS, "Trust for Vehicular Applications", IEEE Computer Society, Proceedings of the Eighth International Symposium on Autonomous Decentralized Systems, pp. 295-304, 2007.
10. R. Prasad, R. Kanjee, H. Zui, Pishro, Nik, Ni, "DSRC Accident Warning system at Intersection", Report, October 19, 2006.
11. D. Jiang, V. Taliwal, A. Meier, W. Holfelder, R. Herrtwich, "Design of 5.9 GHz DSRC-based vehicular safety communication", Wireless Communications, IEEE, Vol. 13, No. 5 (2006), pp. 36-43.
12. S. Yousefi, M. Fathy, "Metrics for performance evaluation of safety applications in vehicular ad hoc networks", Transport, Vilnius: Technika, 2008, Vol. 23, No. 4, pp. 291-298.
13. J. Jakubiak, Y. Koucheryavy, "State of the Art and Research Challenges for VANETs", Consumer Communications and Networking Conference, 2008, 5th IEEE, 10-12 Jan. 2008, pp. 912-916.
14. National Highway Traffic Safety Administration, CAMP, Vehicle Safety Communications Project Task 3 Final Report, Identify Intelligent Vehicle Safety Applications Enabled by DSRC, DOT HS 809 859, National Highway Traffic Safety Administration, Washington, D.C., March 2005.
15. J. Cheambe, J. J. Tchouto, M. Gerlach, "Security in Active Safety Applications", 2nd International Workshop on Intelligent Transportation (WIT) 2005, Germany.
16. H. Hartenstein and K.P. Laberteaux, "VANET: Vehicular Applications and Internetworking Technologies", Chapter No. 09, pp. 309-310, Wiley. www.vanetbook.com
17. M. Raya, J. Pierre, Hubaux, "Securing vehicular ad hoc Networks", Journal of Computer Security, vol. 15, Issue no. 1, January 2007, pp. 39-68.
18. H. Moustafa, Y. Zhang, "Vehicular Networks techniques, standard and applications", CRC Press, chapter no. 12 (Security in Vehicular Networks), pp. 334.
19. B. Parno, A. Perrig, "Challenges in Securing Vehicular Networks", Hot Topics in Networks (HotNets-IV), 2005.
20. A. Stampoulis, Z. Chai, "A Survey of Security in Vehicular Networks".
21. J. Douceur, "The sybil Attack", First International Workshop on Peer to Peer (P2P) Systems, March 2002, pp. 251-260.
22. G. Guette, B. Ducourthial, "On the sybil attack detection in VANET", Laboratoire Heudiasyc UMR CNRS 6599, France.
23. T. Leinmuller, E. Schoch, F. Kargl, C. Maihofer, "Improved security in Geographic ad hoc routing through autonomous Position Verification", 3rd International Workshop on Vehicular Ad Hoc Networks, VANET 2006. ISBN:159593-540-1.
24. M. Raya, P. Papadimitratos, J.P. Hubaux, "Secure vehicular communications", IEEE Wireless Communication Magazine, special issue on inter-vehicular communication, Oct 2006.
25. Trusted Computing Group. TCG specification architecture overview, version 1.2, April 2004.
26. H. Hartenstein, Kenneth P. Laberteaux, Toyota Technical Center, "A Tutorial Survey on Vehicular Ad Hoc Networks", IEEE Communication Magazine, June 2008.
27. T. Chen, O. Mehani and R. Boreli, "Trusted Routing for VANET", 9th International Conference on Intelligent Transport Systems Telecommunications (20 October 2009), pp. 647-652.
28. C. Laurendeau, M. Barbeau, "Threat to security in DSRC/WAVE", 5th International Conference on Ad Hoc Networks and Wireless (ADHOCNOW), LNCS 4104, pp. 226-279, 2006.
29. M. Raya, J. Pierre, Hubaux, "The Security of vehicular ad hoc Networks", SASN'05, November 07, 2005, Alexandria, Virginia, USA.
30. M. Raya, "Introduction to the TPM 1.2", University of Birmingham, Draft of March 23, 2009.
31. M. Strasser, H. Stamer, "A Software-Based Trusted Platform Module Emulator", TRUST 2008, LNCS 4968, pp. 33-47, Springer Berlin.
32. A. Reza Sadeghi, "Trusted Computing-Special Aspects and challenges", Lecture Notes, Horst-Gortz-Institute (HGI) for IT-Security, Ruhr-University Bochum, Germany, 2007.
33. Steven Kinney, Trusted Platform Module Basics: Using TPM in Embedded Systems, Chapter No. 03, Overview of the TPM Architecture, pp. 26.