DRIVERS ANONYMITY IN VEHICLE-TO-VEHICLE COMMUNICATION NETWORKS NADER MAZEN RABADI DISSERTATION. Submitted to the Graduate School


DRIVERS ANONYMITY IN VEHICLE-TO-VEHICLE COMMUNICATION NETWORKS by NADER MAZEN RABADI DISSERTATION Submitted to the Graduate School of Wayne State University, Detroit, Michigan in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY 2008 MAJOR: COMPUTER ENGINEERING Approved by: Advisor Date

COPYRIGHT BY NADER MAZEN RABADI 2008 All Rights Reserved

DEDICATION I dedicate this work to my family and friends.

ACKNOWLEDGMENTS I would like to express my sincere gratitude to my PhD dissertation advisor, Dr. Syed Masud Mahmud. I thank Dr. Mahmud for his valuable guidance, his patience, and the long hours that he dedicated to my PhD work in mentoring and assisting me throughout this work. With no hesitation, I will definitely recommend Dr. Mahmud to anyone who wishes to pursue a PhD at Wayne State University. Also, I would like to thank Dr. Pepe Siy, Dr. Feng Lin, and Dr. Sheran Alles for being members of my PhD dissertation committee. I would also like to thank my PhD colleague Zaydoun Rawashdeh for his help and for his proactive attitude in gathering signatures of my PhD committee members, and ensuring that the signed paper work for graduation was submitted to the Graduate School while I was outside of Michigan. I wish him the best in his PhD work.

TABLE OF CONTENTS
DEDICATION
ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
CHAPTERS
CHAPTER 1 INTRODUCTION
CHAPTER 2 RELATED WORK AND BACKGROUND
  Related Work
  Cryptographic Background and Security Framework
  Cryptographic Algorithms and Protocols
  Symmetric and Asymmetric Cryptography
  Digital Signatures
  Public Key Infrastructure (PKI)
  Group Signatures
  Security Attacks
  Man-in-the-middle Attack
  Brute Force Attack
  Replay Attack
  Known-plaintext attack
  Security Framework
  Secure Hash Algorithm
  Keyed-Hash Message Authentication Code
  Advanced Encryption Standard
  Digital Signature Standard
  Cryptographic Security Modules
  Proposed Cryptographic Security Module
  Mathematical Background
  Finite groups
  Modular arithmetic
  Groups defined by modular addition and multiplication
  Subgroups
  Order of a Group
  Order of a Group Element
  Cyclic Group
  Fermat's Little Theorem
  The Discrete Logarithm Problem
  The RSA Algorithm
  Foundation of Digital Signatures
  The Zero Knowledge Protocol
  Schnorr's Identification Protocol
  The Fiat-Shamir Heuristic
  An Example of a Group Signature
  Strong-RSA Problem
  ElGamal Algorithm
  A Group Signature Algorithm
CHAPTER 3 PROPOSED SOLUTIONS FOR DRIVERS ANONYMITY IN V2V COMMUNICATIONS
  First Proposed Solution: Drivers Anonymity using DSA
  Generating Membership Keys and Certification
  Signing Messages
  Verifying Signatures
  Opening Signatures
  Anonymity and Unlinkability
  Security
  Members of the Same Group and their Generated Keys
  Key Revocation
  The Validity Period of the Certified Keys and the CSM Device
  Number of Generated Keys
  Second Proposed Solution: Drivers Anonymity using HMAC and AES
  Public Key Infrastructure
  Vehicle and Infrastructure Setup
  Proposed Protocol
  Communications between a Vehicle and a Core-CA
  Vehicle-to-Vehicle (V2V) Communications
  Security Analysis
  Anonymity of Drivers
  Security of Symmetric Cryptographic Algorithms
  Message Replay Attack
  Man-in-the-Middle Attack
  Denial of Service (DoS) Attacks
  Internal Attacks
  Key Management and Revocation
  Key Storage and Lifetime of Keys
CHAPTER 4 PERFORMANCE ANALYSIS
  Performance Analysis of the First Proposed Solution: Drivers Anonymity Using DSA
  Performance Analysis of the Second Proposed Solution: Drivers Anonymity Using HMAC and AES
  Performance of V2V Communication Protocol
  Performance of V2I Communications
CHAPTER 5 CONCLUSION
CHAPTER 6 FUTURE RESEARCH WORK
REFERENCES
ABSTRACT
AUTOBIOGRAPHICAL STATEMENT

LIST OF TABLES
Table 2.1 Performance Analysis of some Group Signatures

LIST OF FIGURES
Figure 2.1 A depiction of a Cryptographic Security Module based on the requirements of FIPS
Figure 3.1 The distribution of DSA keys in a database where the private keys {x_1, x_2, ..., x_m} are associated with a pair of public keys (p, q) and the second set of keys (p, q, g, y, x)
Figure 3.2 The distribution of keys to members of V2V communication networks by a Certificate Authority, CA
Figure 3.3 The sign procedure by the member M_G on msg using the DSA, z, z and the keys (y, g, p, q, x) and (p, q, g, y, x)
Figure 3.4 The verify procedure using the DSA verification and the keys, z, z, (y, g, p, q) and (p, q, g, y)
Figure 3.5 The CA's database with the RSA public keys P_M for each member
Figure 3.6 A network of Core-CAs that is controlled by a Root-CA
Figure 3.7 The communication steps that are performed between a vehicle and a Core-CA, and between two Core-CAs, when a vehicle moves from one region controlled by one Core-CA to another region controlled by a different Core-CA
Figure 3.8 The contents of a message that a vehicle prepares to be sent to a Core-CA
Figure 3.9 A hierarchical level of CAs that shows two Core-CAs where each one has four LRs
Figure 3.10 V2I System Architecture: an area is divided into twelve geographical regions. Each region is controlled by a Core-CA, and each Core-CA has several LR devices (not shown in the figure; they are shown in Fig. 3.9)
Figure 3.11 A mutual authentication protocol between a vehicle and a Core-CA to obtain regions' keys
Figure 3.12 A mutual authentication protocol between a CSM device and its Core-CA

CHAPTER 1 INTRODUCTION
The Intelligent Transportation Society of America (ITSA) [1] and the United States Department of Transportation [2] have been working together for more than fifteen years on promoting the development and deployment of Intelligent Transportation Systems (ITS) technologies. ITS technologies will provide safer traffic and will reduce deaths, injuries and economic losses from motor vehicle crashes. Such technologies include crash avoidance, crash notification systems, roadbed sensors, and on-board navigation systems. The United States Federal Communications Commission (FCC) authorized the 5.9 GHz Dedicated Short Range Communications (DSRC) [4] for ITS technologies to be used in a wide range of advanced vehicle safety applications. The National Highway Traffic Safety Administration (NHTSA) distributed a publication [3] that identifies intelligent vehicle safety applications enabled by the DSRC. The authors in [3] compiled a list of 34 communications-based vehicle safety application scenarios. Several of these safety applications are selected as the highest-rated mid-term applications, such as pre-crash warning, cooperative forward collision warning, lane change warning, and intersection collision avoidance. The NHTSA publication [3] suggested the use of infrastructure sensors and/or DSRC communications to detect and collect information about the position, heading, velocity and turning status of all vehicles on the road. With the aid of ITS technologies, future vehicles will be able to communicate wirelessly with each other and form Vehicle-to-Vehicle (V2V) communication networks, and to communicate with infrastructures to form Vehicle-to-Infrastructure (V2I) and Infrastructure-to-Vehicle (I2V) communication

networks [1]-[3]. In V2V communication networks, future vehicles will be equipped with a DSRC device which will be used to broadcast the vehicle's safety-critical information, such as speed, acceleration, heading and position, to nearby vehicles. The receiving vehicles will process such information and provide visual and audible alerts to their drivers to take preventive measures and avoid collisions. Similarly, in V2I and I2V communication networks, future vehicles will communicate with infrastructures using the DSRC device to either receive information about weather and traffic conditions and traffic signal status, or to broadcast their safety-critical information to infrastructures. The infrastructure will in turn broadcast the received information to other vehicles that are out of the communication range of the transmitting vehicle. For the DSRC, there are seven non-overlapping 10 MHz channels in the 5.9 GHz band. DSRC also supports data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps [4]. The advantages of the DSRC are its capability of providing very low latency communications, and of transmitting broadcast messages to a maximum range of 1000 meters. It is essential to provide secure communications among vehicles in V2V communication networks. The V2V communication networks shall provide secure communications that meet the following minimum set of requirements: (1) Source Authentication: In order for vehicles to receive safety-critical information from other vehicles, a level of trust among vehicles is necessary for the operation of V2V communication networks. Therefore, vehicles may only receive safety-critical information from other vehicles that are participants in V2V communication networks. Participation can be a formal process that is controlled by authorities.

Vehicles have to authenticate each other and verify that they are participants in V2V communication networks when receiving safety-critical information. In an insecure communication network, an intruder can impersonate a participant in the V2V communication networks and can transmit inaccurate information to other vehicles. (2) Data Integrity: An intruder can record messages being exchanged between vehicles, alter the contents of these messages, and re-transmit them back to the V2V communication networks. In a secure communication network, vehicles in V2V communication networks shall verify that messages are received without illegitimate modifications to their contents. (3) Data Freshness: Vehicles in V2V communication networks shall verify that received messages are recent and not outdated. In an insecure communication network, an intruder may record messages between vehicles and replay the same messages at a later time. Hence, replaying old messages may provide inaccurate information to vehicles. (4) Confidentiality: If vehicles need to exchange confidential information, then vehicles in V2V communication networks shall be able to encrypt messages that require confidentiality of their contents. (5) Anonymity: The challenges of authentication and data integrity in V2V communication networks can be solved using cryptographic public-key algorithms and public key infrastructure (PKI). A level of trust between users of cryptographic algorithms is deemed necessary to establish the PKI. PKI relies on trusted third-party Certificate Authorities (CA) to verify and authenticate the validity of users involved in secure communications. The CA issues a certificate for endorsing the user's unique

identification, a large number, or as it is known in cryptography: a public key. One of the well-known certificate formats is the standard public key certificate framework X.509. Certification is the process of binding a unique public key to its owner. The certificate contains information about the identity of the holder, the validity period, the certificate issuer name, the CA's endorsement of this certificate, and the cryptographic algorithms used by the CA to endorse this certificate. When a vehicle is ready to broadcast a message that includes its safety-critical information, the driver's certificate will be included in the message as well. Vehicles that receive the broadcast message will authenticate the transmitter using the included certificate. Accordingly, the transmitter's public key will be revealed to other drivers and to any unauthorized entities listening to the communication channel. The public key will be used to authenticate the transmitter. On one hand, since a public key is bound to its owner, the disclosure of drivers' unique public keys from their certificates will allow unauthorized entities to trace drivers' movements and the locations they visit. Revealing pieces of information about drivers' movements and the locations they visit without consent from the drivers is a violation of their privacy. On the other hand, if an algorithm is used to keep the identity of drivers anonymous, then it may not be easy to identify the source that sent forged information or that caused accidents. For example, a vehicle is involved in an accident and the cause of the accident is determined to be one of the messages that this vehicle has received. Then, for an acceptable system, the CA should be able to identify the transmitter of that message. For another example, a vehicle is stolen and the thief drives this vehicle in such a way that could cause accidents to others. The CA can then identify

this vehicle and its location. Furthermore, if a driver's unique public key is maliciously used by unauthorized entities (such as security attackers), then it is necessary to detect such activities in order to protect the network from further attacks and inform the owner of the misused public key. Therefore, if an algorithm is used to hide the identity of drivers, then it will be difficult to identify the owner of the misused public key and, hence, the network will be susceptible to further attacks. In V2V communication networks, it is necessary to provide low-latency and secure communication protocols with minimum processing time, while preserving the anonymity of drivers. The requirements in [3] specify that the maximum size of the plaintext messages being broadcast in V2V communications is 100 bytes, while the maximum size of plaintext messages in V2I communications is 430 bytes. The requirements in [3] also specify that the communication latency is ~100 ms in V2V and V2I communications. As I will point out in Chapter 2, the related work in V2V communication networks proposed security frameworks and architectures only. To this date, there are no complete proposed solutions to protect the privacy of drivers in V2V communication networks. Besides, the number of research papers and the attention that has been paid to this subject is minimal. The related works utilize the infrastructure CA every time a public/private key pair is generated for signing messages. Further, new symmetric keys have to be established with nearby users in order to complete the authentication process. Their approaches add communication cost and processing time to V2V communication networks. Due to the high mobility of vehicles in V2V communication

networks and the frequency of broadcasting safety-critical information from vehicles, it is necessary to minimize the communications with the infrastructure and allocate more bandwidth for V2V communications. There are other research works in cryptography that do not require continuous communications with an infrastructure. However, these works have not been standardized, and their applicability in wireless mobile applications, such as V2V safety applications, has not been proven. Although these works are secure, they have two disadvantages for V2V communication networks. First, their processing speed is very slow. Second, the size of the digital signatures generated by these research works is too long. In this dissertation, I propose two solutions to protect the privacy of drivers in V2V communication networks. The first solution is based on asymmetric cryptography, while the second solution is based on symmetric cryptography. In the first solution, I propose to use the standardized Digital Signature Algorithm (DSA). The proposed protocol provides drivers with anonymity, message authentication and data integrity. Drivers generate and change their own set of public keys frequently using the DSA. Unlike related works, in my approach the CA is not required to authenticate the frequently generated public keys. I prove in three theorems and a lemma that the DSA can be used to generate a set of distinct public keys for a given private key. When a driver changes its own public keys, it is hard to trace the movements and locations that the driver visits. The recipients of a signed message can verify the correctness of the signature without identifying the signer. In case of a dispute or malicious activities, the identity of the driver who signed the disputed message can be revealed only by the CA.
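The claim above, that the DSA yields a set of distinct public keys for one private key, worked through in Python as an added example (not the dissertation's protocol, theorems or code): the subgroup order q, the generator seeds, the private key and the signed message are constructed here, and each modulus p is found at run time.

```python
"""One DSA private key, several distinct DSA public keys.

Constructed illustration of the claim that the DSA can yield a set of
distinct public keys for a fixed private key; this is not the dissertation's
protocol, theorems or code. Each parameter set (p, q, g) gives its own
y = g^x mod p for the same x, and a signature verifies under the parameter
set that produced it. Assumed here: q is the Mersenne prime 2^61 - 1, each
p = k*q + 1 is searched for at run time, seeds and the message are made up.
"""
import hashlib
import secrets

Q = 2**61 - 1  # prime subgroup order shared by every parameter set below


def is_prime(n):
    """Miller-Rabin with fixed witnesses; deterministic for n < 3.3e24."""
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for w in witnesses:
        if n % w == 0:
            return n == w
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q, k_start, h):
    """(p, q, g) with p = k*q + 1 the first such prime for k >= k_start and
    g = h^k mod p of order q; h is a generator seed, 1 < h < p."""
    k = k_start
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    g = pow(h, k, p)
    if g == 1:
        raise ValueError("seed h yields the trivial generator; pick another h")
    return (p, q, g)


def public_key(params, x):
    """y = g^x mod p: one x, a different y under every parameter set."""
    p, q, g = params
    return pow(g, x, p)


def public_keys_for(x, param_sets):
    """The public keys that the private key x takes under each parameter set."""
    return [public_key(ps, x) for ps in param_sets]


def _hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(params, x, msg):
    """Standard DSA signing with a fresh random nonce k."""
    p, q, g = params
    z = _hash_mod_q(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = pow(k, -1, q) * (z + x * r) % q
        if s != 0:
            return (r, s)


def verify(params, y, msg, sig):
    """Standard DSA verification; it needs the parameter set the signer used."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = _hash_mod_q(msg, q) * w % q
    u2 = r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


if __name__ == "__main__":
    x = 123456789012345  # constructed private key, 0 < x < Q
    sets = [make_params(Q, 2, 2), make_params(Q, 2, 3), make_params(Q, 1000, 2)]
    for ps, y in zip(sets, public_keys_for(x, sets)):
        sig = sign(ps, x, b"speed=55;heading=90")
        print(hex(y)[:20], verify(ps, y, b"speed=55;heading=90", sig))
```

Two of the parameter sets share p and differ only in the generator, the third uses a different p; all three give different public keys for the same x.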

In this proposed protocol, I avoided the additional communication cost and processing time that previous related works have. In the second solution, I achieve anonymity using the HMAC [6], AES [7] and SHA [5] algorithms. I propose to divide a geographical area into several regions. Each region is associated with a unique secret key. The CA controls these regions and the generation of secret keys. Vehicles need to know the regions through which they are driving and the regions' secret keys. I show in this dissertation a simple technique using the HMAC to preserve the anonymity of drivers. The recipients of a message can authenticate the source and validate the integrity of the message without identifying the source. In case of a dispute or malicious activities, the identity of the driver who broadcast the disputed message can be revealed only by the CA. In this proposed protocol, I avoided the additional communication cost and processing time that previous related works have. The rest of the dissertation is organized as follows. Chapter 2 reviews the related work in protecting the privacy of drivers in V2V communication networks. This chapter also reviews a general background in cryptography and points out the security framework upon which this dissertation is built. This chapter also reviews the mathematical background that is used in cryptographic algorithms and which I apply to one of my proposed solutions. Chapter 3 presents my two proposed solutions to preserve drivers' anonymity in V2V communication networks. My first proposed solution is based on the Digital Signature Algorithm (DSA). My second proposed solution is based on the HMAC and the AES algorithms. In my first proposed solution, I will present three theorems and their proofs

that the DSA can be used to preserve drivers' anonymity in V2V communications. I will also present my proposed protocol based on the DSA; I will discuss its security and key management, in which I present a lemma and its proof. Thereafter, I will present my second proposed solution. I will describe the system architecture upon which the protocol is built. Then, I will present my proposed protocol that is based on the HMAC and AES algorithms, and discuss its security and key management. Chapter 4 discusses the performance analysis of my two proposed solutions. Chapter 5 concludes this dissertation. Chapter 6 presents the future research work in the area of V2V security.
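The second solution sketched in this chapter, worked through in Python as an added example (not the dissertation's protocol or code): a region's secret key authenticates a broadcast that carries no vehicle identifier, receivers check the tag, freshness and replay, and an escrow field lets the CA alone open a disputed message. The wire format, freshness window, keys and vehicle identifier are constructed here, and a keyed hash under a CA key stands in for the AES of the text.

```python
"""Region-key HMAC authentication for V2V safety broadcasts.

Constructed illustration of the second solution sketched in the text; it is
not the dissertation's protocol or code. Assumed here: a 2-byte region id
and an 8-byte millisecond timestamp form the header, tags are HMAC-SHA256
truncated to 16 bytes, receivers accept a 500 ms freshness window, and the
CA-only identity field is a keyed hash under a CA key (standing in for the
AES of the text, so the example needs only the standard library).
"""
import hashlib
import hmac
import struct

MAX_V2V_PLAINTEXT = 100    # bytes; the V2V limit the text cites from [3]
FRESHNESS_WINDOW_MS = 500  # constructed receiver policy
TAG_LEN = 16
HDR = struct.Struct(">HQ")  # region id, timestamp in ms


def escrow_token(ca_key, vehicle_id, ts_ms):
    """Identity field only the CA can resolve; it differs for every timestamp."""
    data = vehicle_id.encode() + struct.pack(">Q", ts_ms)
    return hmac.new(ca_key, data, hashlib.sha256).digest()[:TAG_LEN]


def make_tag(region_key, header, payload, escrow):
    """Authenticator over the rest of the message, under the region's secret key."""
    body = header + payload + escrow
    return hmac.new(region_key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_message(region_key, ca_key, vehicle_id, region_id, ts_ms, payload):
    """Wire format header || payload || escrow || tag; no vehicle identifier is sent."""
    if len(payload) > MAX_V2V_PLAINTEXT:
        raise ValueError("V2V plaintext is limited to %d bytes" % MAX_V2V_PLAINTEXT)
    header = HDR.pack(region_id, ts_ms)
    escrow = escrow_token(ca_key, vehicle_id, ts_ms)
    return header + payload + escrow + make_tag(region_key, header, payload, escrow)


def parse_message(wire):
    """Split a message into its fields, or return None if it is too short."""
    if len(wire) < HDR.size + 2 * TAG_LEN:
        return None
    region_id, ts_ms = HDR.unpack(wire[:HDR.size])
    return {"header": wire[:HDR.size], "region_id": region_id, "ts_ms": ts_ms,
            "payload": wire[HDR.size:-2 * TAG_LEN],
            "escrow": wire[-2 * TAG_LEN:-TAG_LEN], "tag": wire[-TAG_LEN:]}


class Receiver:
    """A vehicle holding the secret keys of the regions the CA authorized it for."""

    def __init__(self, region_keys):
        self.region_keys = region_keys  # region_id -> key
        self.seen_tags = set()          # replay cache; prune by the freshness window in practice

    def accept(self, wire, now_ms):
        """Return 'ok' or the rejection reason: tag, then freshness, then replay."""
        msg = parse_message(wire)
        if msg is None:
            return "malformed"
        key = self.region_keys.get(msg["region_id"])
        if key is None:
            return "unknown-region"   # not authorized for this region's key
        expected = make_tag(key, msg["header"], msg["payload"], msg["escrow"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"          # forged or altered: source and integrity check fail
        if abs(now_ms - msg["ts_ms"]) > FRESHNESS_WINDOW_MS:
            return "stale"            # outside the freshness window
        if msg["tag"] in self.seen_tags:
            return "replay"           # the same authenticated message was already seen
        self.seen_tags.add(msg["tag"])
        return "ok"


def ca_identify(ca_key, registered_ids, wire):
    """CA-side opening of a disputed message: match its escrow field to a registered vehicle."""
    msg = parse_message(wire)
    if msg is None:
        return None
    for vid in registered_ids:
        if hmac.compare_digest(escrow_token(ca_key, vid, msg["ts_ms"]), msg["escrow"]):
            return vid
    return None


if __name__ == "__main__":
    region_keys, ca_key = {7: b"K" * 32}, b"C" * 32   # constructed keys
    wire = build_message(region_keys[7], ca_key, "VIN-CONSTRUCTED-0001", 7, 1000,
                         b"speed=55;heading=90")
    rx = Receiver(region_keys)
    print(rx.accept(wire, 1100), rx.accept(wire, 1100))  # ok replay
    print(ca_identify(ca_key, ["VIN-CONSTRUCTED-0002", "VIN-CONSTRUCTED-0001"], wire))
```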

CHAPTER 2 RELATED WORK AND BACKGROUND
2.1 Related Work
There are several research papers that pointed out the importance and necessity of protecting the privacy of drivers [14]-[22]. Current and future drivers may use mobile commerce services in their vehicles for safe and efficient driving. Such services include emergency roadside assistance, navigation information, email, automatic toll payment, and pay-for-use rental and insurance [15] [19]. These services may collect information about the location of vehicles, personal health information of drivers, and the behavior of the drivers. The authors in [19] [20] proposed a framework in which drivers can choose the amount of personal information disclosed to these services. The service providers can provide drivers with several policies with different degrees of protecting the privacy of disclosed personal information. The higher the degree, the more expensive the policy is. The authors in [14]-[18] addressed the security and privacy concerns when vehicles utilize wireless communications to transmit their safety-critical information. In [15], the authors addressed the problem of data privacy when utilizing GPS devices. They suggested that if a consumer owns a vehicle, the consumer must have the option to switch off the location service or to give consent every time the service is used. There are other research papers that proposed solutions using cryptographic algorithms. In [16], the authors proposed that the authorities must provide each vehicle with a public/private key pair, along with a shared symmetric key. Vehicles authenticate each other via authorities. They argued that the public would accept and agree to the tracing of

their movements for the sake of improved safety. However, the authors suggested a scheme to protect users' privacy. The certified public keys must be pseudonyms that change over time. Only the authorities should be able to determine the relationship between a pseudonym and its real identity. In [17], the authors described their work of building a Secure Communication Architecture (SecCar) for use with V2V communication networks. SecCar will be able to detect security attacks, to continue operations under attacks, to restore the system's functionality after an attack, and to lock out malicious users to prevent further attacks. The architecture is based on public-key infrastructure (PKI) and digital signatures. In the SecCar architecture, an authentication service can discover the identities of malicious users while preserving the privacy of all other users. They also proposed to use a virtual network infrastructure where vehicles serve as the infrastructure. The authors proposed that this virtual network would provide security and scalability in V2V communication networks where infrastructure does not exist. The vehicles of virtual networks would provide access control and guarantee message delivery. In [23], the authors proposed a scheme, named CARAVAN, to protect the drivers' location privacy. Each vehicle in their scheme is pre-loaded with a set of pseudonyms, a public/private key pair, and a corresponding public key certificate for each pseudonym. All communications from a vehicle must contain one of its pseudonyms to avoid traceability. Only the trusted authority has the association between a vehicle's pseudonyms and the identity of the vehicle's owner. They also proposed a silent period between two consecutive transmissions to avoid linkability. Further, their scheme relies on vehicles to form a group among themselves. If a group

of vehicles have the same driving conditions on the road, then according to the authors, it is sufficient for one of the vehicles to communicate with the trusted authority on behalf of the other members. The reason behind forming this group is to provide privacy of drivers even while communicating with trusted authorities. A group leader has the role of communicating with a trusted authority infrastructure to obtain a symmetric key for one of the group members. This symmetric key will be used by that member of the group with the trusted authority. The authors in [24]-[26] discussed a set of security requirements for V2V communication networks, such as message authentication and integrity, message non-repudiation, entity authentication, access control, message confidentiality, privacy and anonymity, network availability, and liability identification. They also proposed a system and communication model for securing V2V and V2I networks. The authors discussed the use of anonymous public keys in V2V communication networks that are frequently changed depending on a vehicle's speed. They also discussed the use of symmetric keys to reduce the cryptographic overhead. They proposed that vehicles can form a group, and a group leader distributes to its members a symmetric key using the Group Key Management Protocol GKMP [27]. Several secure protocols were proposed for mobile users in wireless networks [28]-[30]. These protocols assume the existence of a key-management system or a public-key certification infrastructure (PKI). In [31], the authors presented a Dynamic Public Key scheme to protect anonymity and location privacy. Their approach is based on frequently changing the nodes' cryptographic keys, which enables users to avoid being identified by the locations they visit. The network operator has access to the locations and the identifiers of the registered mobile users. Each node has public/private key

pairs and certificates signed by the CA. The key pairs can be generated either by the node or by the CA. Then, using the public/private key pair, each node establishes symmetric secret keys with its neighbors. Each time a node changes its public/private key pair, the CA authenticates the new keys, and then this node establishes new symmetric keys with its neighbors. This approach is efficient but requires a high communication cost between the central authority and mobile users to certify the newly generated keys. Further, it requires an additional communication cost to establish new symmetric secret keys with neighbors. In [32]-[35], the authors share a similar approach in proposing an authentication scheme with anonymity. The approach is based on issuing a temporary certificate to a mobile user. First, the user registers at a local certificate authority (LCA) and obtains a smart card that contains the identity of the LCA. When a user enters an area where the LCA is not available, the user has to establish a secure link with an available certificate authority, called a remote certificate authority (RCA). The RCA will authenticate the user through the LCA via routers using the user's smart card. If the RCA authenticates the user successfully, then the RCA issues a temporary certificate to the user. This temporary certificate can then be used when exchanging messages in V2V communication networks. Similarly, this approach requires a high communication cost and additional processing time between several central authorities and mobile users to certify the temporary certificate. There are several research works that deal with the anonymity of users. These works are based on the concept of group signatures [36]. Users are organized into groups. A group member signs messages anonymously on behalf of the group. The

recipients of a signed message can verify the correctness of the signature without identifying the signer. In case of a dispute, the identity of the member who signed the disputed message can be revealed only by a designated entity (a Certificate Authority, for example). Several group signatures have been proposed [37]-[44]. All these research works are proved secure under certain theoretical problems, such as the Strong RSA Problem and the Discrete Logarithm Problem. The basic operation of these works is the transformation of a secure honest-verifier Zero Knowledge (ZK) protocol into digital signatures using the Fiat-Shamir Heuristic [45]. These group signatures are computationally intensive and produce long signatures. Table 2.1 shows the performance analysis of some group signature protocols.
2.2 Cryptographic Background and Security Framework
Cryptographic Algorithms and Protocols
A cryptographic protocol is a series of steps between two or more parties that desire to exchange information in a secure manner using cryptographic algorithms. Security of information may include concealing its contents and non-repudiation of its contents. Encryption is the process of sending concealed information from one party to another. This process takes as an input a meaningful message called a plaintext and uses mathematical techniques to generate an unintelligible message called a ciphertext. The receiving party of the secured information applies a reverse process called Decryption to restore the plaintext from the ciphertext. In general, the encryption and decryption operations involve the use of one or more mathematically derived parameters called Cryptographic Keys, or Keys for short. These keys, or a subset of these keys, should be shared among the parties who

wish to exchange secured information, in order to correctly operate the encryption and decryption operations.

Table 2.1 Performance Analysis of some Group Signatures.

CG [42]
  Processing speed, Sign: 6 exponentiations with a modulus size of 1600 bits; 1 exponentiation with a modulus size of 2048 bits and an exponent length of 1024 bits; 1 multi-base exponentiation where one exponent is 1244 bits long and the other two exponents are 502 bits long.
  Processing speed, Verify: 3 two-base exponentiations with a modulus size of 1600 bits; 1 multi-base exponentiation with a modulus size of 2048 bits.
  Signature size: ~6500 bits (~812 bytes)
ACJT [41]
  Processing speed, Sign: 4 exponentiations with a modulus size of 1024 bits; 3 multi-base exponentiations, where the length of the exponents may range from 2000 to 6000 bits.
  Processing speed, Verify: 4 multi-base exponentiations, where the length of the exponents may range from 2000 to 6000 bits.
  Signature size: >50 Kbits (6.1 Kbytes)
PNBM [37]
  Processing speed, Sign: 5 exponentiations with a modulus size of 1200 bits and exponent lengths between 240 and 670 bits; 3 multi-base exponentiations, where the exponent lengths are between 240 and 670 bits.
  Processing speed, Verify: the processing time is the same as for the Sign procedure.
  Signature size: >100 Kbits (12.2 Kbytes)
BBS [43]
  Processing speed, Sign: 5 exponentiations with a modulus size of 170 bits; 3 multi-base exponentiations.
  Processing speed, Verify: 5 multi-base exponentiations.
  Signature size: 1600 bits (200 bytes)

Therefore, two or more parties should share the following information in order to secure their transactions over a communication channel:
1. A readable meaningful message called a plaintext.
2. An unintelligible message called a ciphertext.
3. One or more encryption and decryption keys.
4. An encryption algorithm.
5. A decryption algorithm.

Symmetric and Asymmetric Cryptography
There are mainly two types of cryptographic algorithms, which are defined by the type of keys being used in the encryption and decryption operations: Symmetric Cryptography and Asymmetric Cryptography. In symmetric cryptography, the encryption and decryption algorithms use the same key to encrypt and decrypt messages, respectively. This key is hence called a Symmetric Key. The parties involved in symmetric cryptography must share this key and must keep it secret. Revealing the value of this key will allow adversaries on the communication channel to use the key to encrypt misleading messages and to decrypt concealed and confidential information. In asymmetric cryptography, there are two keys to operate the encryption and decryption operations. The two keys are related mathematically to each other and are owned by and unique to one party. One key is called a Public Key. As its name suggests, this key can be made available to anyone, for use in verifying the identity of its owner, as an example. The other key is called a Private Key. The owner of this private key must keep it secret and in a safe place. Revealing the value of the private key will allow adversaries to use the key to encrypt misleading messages and to decrypt concealed and confidential information. In asymmetric cryptography, the encryption algorithm uses the private key to encrypt a message, while the decryption algorithm uses the public key to decrypt the ciphertext and to restore the original plaintext message. In the literature, encrypting a

message using a private key is referred to as signing a message. Since the private key is owned by and unique to one party, the ciphertext of the encryption operation is also unique to this party. Signing a message using the private key implies that the message originates from the owner of the private key. Therefore, only the related public key can decrypt the ciphertext. Since the public key also belongs to the same owner, the decryption operation is used as a means of authenticating the originator of the message. It is also desirable to send a secure message to a destined party such that only this destined party can read the contents of this message. In this case, the sender can encrypt the message using the public key of the receiver, since the public key is available to anyone. Only the receiver who owns the related private key can decrypt the message using that private key. In this case, the encryption operation is not referred to as signing. It is referred to as an encryption.
Digital Signatures
Security of information may also include the capability of non-repudiation of the contents of information. Non-repudiation means that the sender of secure information cannot at a later time repudiate the contents of the information, and cannot claim that the contents were not originated by him. This is achieved by the process of Digital Signature. The process is considered to be asymmetric cryptography since there are two keys involved in generating a digital signature. The private key is used to generate a small fixed-length ciphertext called a Signature, while the public key is used to verify the contents of this signature. The two keys are used with several other parameters to generate and verify signatures. The main difference between a digital

signature and an encryption process is that the message in the digital signature is sent in plaintext together with the signature. The receiver needs only to verify that the signature was indeed generated by the sender. Digital signatures also provide the capability of detecting unauthorized modifications to the contents of the signed message. Thus, a digital signature can be used as a means of data integrity. Digital signatures are usually operated with another process called a Hash Function. Signing large messages is infeasible since the signature will also be the same size as the message itself. Therefore, hash functions are used to reduce the size of the message to a fixed length before it gets signed by the digital signature process.
Public Key Infrastructure (PKI)
In a communication channel between two distant entities, it is necessary for the two entities to trust each other's messages and their public keys. An attacker can generate public and private keys and claim he is one of the two entities. If these two entities use asymmetric algorithms, for example, then they should have a mechanism to authenticate each other's public keys. These two entities may trust each other through a trusted third-party individual, organization, institution or corporation. In cryptography, the trusted third party is called a Certificate Authority (CA). The CA uses asymmetric algorithms to mathematically generate the public and private keys, and then to endorse these keys. The keys and the endorsement are used together as means of source authentication, data integrity and as a means for establishing a trusted communication channel. The use of a CA to endorse cryptographic keys is referred to as Public Key Infrastructure (PKI).

The endorsement of cryptographic keys comes in a form called a Certificate. A person who wishes to obtain a pair of public and private keys applies for one at a CA. During the application process, either the CA or the person generates this pair of public and private keys using special software that is provided by the CA. At the end of this application, this person keeps the private key securely in his possession, and provides the associated public key to the CA. Finally, the CA verifies the identity of the applicant and creates an electronic certificate that endorses the public key of the applicant. The CA then sends this certificate to the applicant. One of the well-known certificates is the international standard X.509. The certificate contains information about the issuer, the holder identity, the validity period of the certificate, the public key of the holder, and the endorsement of the public key by the CA. The endorsement is performed using a digital signature algorithm. Therefore, in order for recipients of this certificate to verify this endorsement, the certificate also contains information about the cryptographic algorithms used in generating this certificate. The recipients of a certificate need to know which cryptographic algorithm to use to verify this endorsement.

In addition to generating asymmetric keys and certificates, the CA has to manage these keys and certificates. This role is referred to as Key Management. A solid process of key management provides the CA with a trusted relationship with users. If a CA does not have a key management process, then the whole trusted relationship between the CA and users falls apart. The key management process mainly involves generating keys, storing keys, updating keys, and destroying keys. The CA has to use a strong cryptographic algorithm that has proven secure to generate cryptographic keys. The security of any cryptographic algorithm relies on its generated keys. If the keys can be easily compromised and derived by an attacker, then the cryptographic algorithm is not secure and hence the CA is not using a strong key management process. The CA also has to secure the storage of cryptographic keys. Although the private key of a user is in the control and possession of the user, it would be trivial to assume that only the user should be responsible for storing his private key securely. However, the CA also has the responsibility to secure its own cryptographic keys that are used in signing users' certificates. The signature of the CA provides a trusted communication channel between users. Therefore, if someone is able to get hold of the CA's keys, then it will be difficult to detect whether a certificate is signed by the CA or by someone else.

In addition to generating and storing keys, the CA should also provide a key-update management process to generate new cryptographic keys and replace the old ones with the newly generated keys. Usually, any cryptographic key should have a lifetime. Using the same cryptographic key for a long period of time to encrypt plaintext data will weaken its security and make it easier to derive the secret private key. Therefore, the CA should maintain a database of all users' public keys and certificates and detect which users' certificates need an update. The old certificates and keys should be destroyed by the CA. Destroying certificates and keys indicates that they should never be used again. Therefore, the CA should maintain a database of all destroyed certificates and keys for two reasons: (1) to detect whether any of these destroyed certificates and keys are being used again, and (2) to detect whether a newly generated certificate and key match an old one. A list of old destroyed certificates and keys is referred to as a Certificate Revocation List (CRL).

Group Signatures

I explained in the section on Digital Signatures that digital signatures are mainly used for verifying the integrity of messages exchanged between entities, and for the non-repudiation of their contents. In 1991, a new type of digital signature was proposed by Chaum and van Heyst [36] that provides anonymity to the signer, i.e., the verifier of a signature cannot identify the signer. This new type of digital signature is called a group signature. In a group signature, there is a group that has many members and one manager. Members of this group share a single group public key. Each member has its own secret private key. Each member uses his own private key and the group public key to generate a signature. A verifier of a signature can only know that the signature was signed by a member of the group, and cannot identify the member who generated the signature. The group manager has a secret private key with which he can find the identity of the signer from the generated signature.

Security Attacks

Attackers are tempted to break cryptographic algorithms and protocols in order to read the concealed information and to send forged information. The following is a description of some of the well-known attacks on cryptographic protocols between two entities who wish to exchange secure information.

Man-in-the-middle Attack

The man-in-the-middle attack is an attack on public-key cryptographic protocols. The attacker can listen to and modify messages between two entities without either entity's knowledge. Suppose the two entities who wish to exchange secure information are Alice and Bob. Meanwhile, an attacker Mallory wishes to eavesdrop on the communication channel and deliver a forged message to Bob. Initially, Alice must ask Bob for his public key in order for Alice to send a secure message that only Bob can read at a later time using his private key. When Bob sends his public key in a message to Alice, the attacker Mallory can intercept the message, substitute Bob's public key with Mallory's public key, and send the modified message to Alice. When Alice receives the modified message, she believes the public key belongs to Bob. She encrypts her message with Mallory's key and sends the ciphertext message back to Bob. Mallory again intercepts the ciphertext, decrypts it using Mallory's private key, changes the contents of the message, and encrypts it using the public key that Bob originally sent to Alice. When Bob receives the newly encrypted message, he will believe it came from Alice. This type of attack can be prevented by the use of certificates and Certificate Authorities. If both Alice and Bob use certificates to endorse their public keys, then Alice will be able to authenticate the public key received from Bob. If the authentication fails, then Alice will reject the received public key and will not send any secure information using the non-authentic public key.

Brute Force Attack

In a brute force attack, an attacker works through all possible private keys in order to decrypt a message. For example, if a private key is $n$ bits long, then an attacker needs to try all $2^n$ possible keys to find the correct key that decrypts a message. Therefore, the selection of an appropriate key length depends on the practical feasibility of performing a brute force attack. To this date, the minimum recommended length of a private key should be 128 bits.

Replay Attack

Suppose the two entities who wish to exchange secure information are Alice and Bob. In a replay attack, the attacker Mallory can eavesdrop on the communication channel between Alice and Bob, record the messages, and then replay the recorded messages at a later time. Two well-known solutions to protect messages from such an attack are the use of time stamps and the use of random numbers. The use of time stamps requires both Alice and Bob to maintain a synchronized and accurate clock. When Alice wishes to send a secure message to Bob, she includes a time stamp in the message before encrypting the message. When Bob receives the message, he verifies that the time stamp is within a pre-determined threshold. If the time stamp is out of the range of the threshold, then Bob rejects the message and its contents. The use of random numbers requires both Alice and Bob to use a two-way communication protocol. When Alice wishes to exchange secure messages with Bob, and she wishes to verify that a message received from Bob is recent, she generates a non-repeating random number and includes it in a message before encrypting the message. When Bob receives the message and is ready to reply back to Alice with a new message, he includes Alice's random number in the new message. When Alice receives the message from Bob, she verifies that the included random number is indeed the one that she generated and sent to Bob.
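The two replay defenses just described (time-stamp threshold and an echoed non-repeating random number), written out as an added example that is not part of the dissertation. The message layout, field names, the shared key and the 5-second threshold are assumptions made for this illustration; the integrity tag stands in for the encryption the text applies to the whole message.

```python
"""Added example, not code from the dissertation: receiver-side replay checks."""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 5                       # assumed acceptance threshold
SHARED_KEY = b"constructed-shared-key"   # known only to Alice and Bob (constructed)


def _payload(timestamp: int, nonce: str, body: str) -> bytes:
    return f"{timestamp}|{nonce}|{body}".encode()


def _tag(payload: bytes) -> bytes:
    # Integrity tag: without it Mallory could rewrite the time stamp or nonce.
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def build_message(body: str, timestamp: int, nonce: str) -> dict:
    """Sender side: attach time stamp, random number and integrity tag."""
    return {"timestamp": timestamp, "nonce": nonce, "body": body,
            "tag": _tag(_payload(timestamp, nonce, body))}


class Endpoint:
    """One party (Alice or Bob). Keeps the state both defenses need."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.seen_nonces = set()        # random numbers already accepted
        self.outstanding = set()        # random numbers we issued, awaiting echo

    def accept(self, msg: dict, now: int) -> bool:
        """Time-stamp defense: reject altered, stale or already-seen messages."""
        payload = _payload(msg["timestamp"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(_tag(payload), msg["tag"]):
            return False                # modified in transit
        if abs(now - msg["timestamp"]) > self.window:
            return False                # outside the pre-determined threshold
        if msg["nonce"] in self.seen_nonces:
            return False                # a recorded message replayed later
        self.seen_nonces.add(msg["nonce"])   # in practice, prune entries older than window
        return True

    def issue_challenge(self) -> str:
        """Random-number defense, step 1: a fresh non-repeating value to send."""
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def check_echo(self, echoed: str) -> bool:
        """Random-number defense, step 2: the reply must carry a value we issued,
        and each value is accepted only once."""
        if echoed not in self.outstanding:
            return False
        self.outstanding.discard(echoed)
        return True


if __name__ == "__main__":
    bob = Endpoint()
    msg = build_message("hazard ahead", timestamp=1000, nonce="n-0001")
    print(bob.accept(msg, now=1002), bob.accept(msg, now=1003))   # True False
```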

Known-plaintext attack

The known-plaintext attack is an attack where the attacker is able to get samples of both the plaintext and its ciphertext. The objective is to make use of them to reveal the value of the private key that is used to encrypt the plaintext messages. Therefore, it is necessary in a secure communication channel to also protect the contents of plaintext messages from being eavesdropped and being associated with their ciphertext messages.

Security Framework

In this section, I describe a set of cryptographic algorithms that will be used in this dissertation. This set will be used in my proposed protocols to meet the V2V security requirements that are pointed out in Chapter 1. I will also describe a security module that will be used to securely store the cryptographic keys and algorithms which are used in this dissertation.

Secure Hash Algorithm

The Secure Hash Algorithm (SHA) [5] is an algorithm approved by the United States Secretary of Commerce and issued by the National Institute of Standards and Technology (NIST) for securing information. The SHA is used for computing a reduced-size representation of an input data message. The output of this computation is called a message digest. According to [5], the message digest may have one of four different lengths depending on the algorithm being used. There are four algorithms:
a. SHA-1, which generates a 20-byte message digest.
b. SHA-256, which generates a 32-byte message digest.
c. SHA-384, which generates a 48-byte message digest.
d. SHA-512, which generates a 64-byte message digest.

Suppose the message digest of (or the hashed value of) an input message $x$ is denoted by $h(x)$. In general, a hash function that is used to generate a message digest is secure if it has the following properties:
1. Collision resistance. It should be computationally infeasible to find two different inputs $x, y$, where $x \neq y$, such that $h(x) = h(y)$. This property implies that an input message has a unique message digest. Therefore, a hash function that meets this property can be used to determine message integrity. Any change to the message will result in a different message digest.
2. Pre-image resistance. If a hash value $h$ is given, then it should be computationally infeasible to find an arbitrary input $x$ such that $h(x) = h$. It implies that it is infeasible to find the value of an input message given its message digest.
According to [5], the four hash algorithms are secure because these algorithms meet the two properties of a hash function.

Keyed-Hash Message Authentication Code

The Keyed-Hash Message Authentication Code (HMAC) [6] is a mechanism for providing source authentication and message integrity using cryptographic hash functions, such as the secure hash algorithm (SHA). The HMAC operates on a message input and on a shared secret symmetric key that is known to the sender and the receiver or a group of receivers. The input message is sent along with its HMAC to the receivers. The receivers apply the same HMAC mechanism to the received message and the shared secret symmetric key. If the computed HMAC is equal to the received HMAC, then the receivers have authenticated the source and verified the integrity of the received message. Let the symbol $\|$ denote the concatenation operation. To compute the HMAC for $\mathit{data}$ using a shared secret key $z$ and a hash function $H$, the following operation is performed [6]:

$$\mathrm{HMAC}(z, \mathit{data}) = H\big((z' \oplus \alpha)\,\|\,H((z' \oplus \beta)\,\|\,\mathit{data})\big) \tag{2.1}$$

The parameters $(\alpha, \beta)$ are constants. The key $z'$ equals $z$ if the length of $z$ equals the block size of the input to the applied hash function $H$. Otherwise, a padding technique is applied to $z$ to produce $z'$.

Advanced Encryption Standard

The Advanced Encryption Standard (AES) [7] specifies an algorithm approved by the United States Secretary of Commerce and issued by NIST for securing information. The AES specifies a cryptographic algorithm that can be used to protect the confidentiality of a message over a communication channel. The AES algorithm takes as input a plaintext message and encrypts it into a ciphertext one. Furthermore, the AES algorithm takes the ciphertext as input and decrypts it back to its original plaintext form. The AES algorithm is a symmetric block cipher. It encrypts or decrypts input data one block at a time. According to [7], the block size is fixed at 16 bytes. For example, if the input data has a size of 80 bytes, then the AES will operate on 5 blocks, one block at a time. The AES also uses one symmetric key for both encryption and decryption operations. The security of AES relies on the size of the symmetric key. According to [7], the AES algorithm is capable of using any of the key lengths 128, 192, or 256 bits. For example, if a key of length 128 bits is used to encrypt a message into a ciphertext, then the same key must be used to decrypt the ciphertext.

Digital Signature Standard

The Digital Signature Standard (DSS) [8] specifies an algorithm approved by the United States Secretary of Commerce and issued by NIST for securing information. The algorithm is referred to as the Digital Signature Algorithm (DSA). The DSA is used to provide data integrity, detect unauthorized modifications to data, and authenticate the identity of the party that signed this data. The DSA is used as a proof to the recipient of the signature that the signature was in fact generated by the signer. This is known as non-repudiation since the signer cannot repudiate the signature and claim that the signature was not generated by him. The algorithm uses the following parameters:

$p$: a prime modulus, 1024 bits long.
$q$: a 160-bit prime divisor of $p - 1$, where $2^{159} < q < 2^{160}$.
$x$: a randomly generated number less than $q$.
$H(m)$: a one-way hash function on message $m$.
$h$: a number less than $p - 1$ such that $h^{(p-1)/q} \bmod p > 1$.

Then,

$$g \equiv h^{(p-1)/q} \bmod p \tag{2.2}$$
$$y \equiv g^{x} \bmod p \tag{2.3}$$

The public keys are $p$, $q$, $g$, and $y$. The private key is $x$. To sign a message $m$, a user generates a random number $k$ less than $q$. The parameter $k$ must be regenerated for each signature. Then the user computes

$$r \equiv (g^{k} \bmod p) \bmod q \tag{2.4}$$
$$s \equiv \big(k^{-1}(H(m) + x\,r)\big) \bmod q \tag{2.5}$$

The signature is $(r, s)$. To verify the signature, compute

$$w \equiv s^{-1} \bmod q \tag{2.6}$$
$$u_1 \equiv (H(m)\,w) \bmod q \tag{2.7}$$
$$u_2 \equiv (r\,w) \bmod q \tag{2.8}$$
$$v \equiv \big((g^{u_1} y^{u_2}) \bmod p\big) \bmod q \tag{2.9}$$

If $v = r$, then the signature is verified.

Cryptographic Security Modules

NIST publishes standards recommending practices for securing information and media. The standards are called the Federal Information Processing Standards (FIPS) publications. These are issued by NIST after approval by the Secretary of Commerce. One of the standards is FIPS 140-2 [11], which defines security requirements for cryptographic modules. A cryptographic module is a set of hardware, software or both that implements cryptographic algorithms and key generation. FIPS 140-2 was developed by a U.S. government and industry working group. The working group identified eleven requirements for cryptographic modules [11] to conform to the standard, and four security levels for each of the eleven requirements [11]. These security levels provide cost-effective solutions for different applications and data protection. Beginning with Level-0, each security level is an increase in security requirements over the preceding level. A brief representation of the eleven requirements and the four security levels is described next.
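Eq. (2.1) for the HMAC section above, written out for SHA-256 as an added example (not from the dissertation or from [6]): it includes the padding step that turns z into z', uses the opad (0x5c) and ipad (0x36) constants of FIPS 198 for alpha and beta, and cross-checks the result against Python's hmac module. The sample key and message are constructed.

```python
"""Added example, not code from the dissertation: HMAC as in Eq. (2.1)."""
import hashlib
import hmac as stdlib_hmac


def hmac_eq_2_1(z: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(z, data) = H((z' xor alpha) || H((z' xor beta) || data))."""
    H = lambda b: hashlib.new(hash_name, b).digest()
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for SHA-256
    # z': z itself if it already fills one block; otherwise pad with zero bytes.
    # A key longer than one block is first reduced to H(z) (FIPS 198 rule).
    if len(z) > block_size:
        z = H(z)
    z_prime = z.ljust(block_size, b"\x00")
    alpha = bytes([0x5C] * block_size)                  # outer constant (opad)
    beta = bytes([0x36] * block_size)                   # inner constant (ipad)
    inner = H(bytes(a ^ b for a, b in zip(z_prime, beta)) + data)
    return H(bytes(a ^ b for a, b in zip(z_prime, alpha)) + inner)


def matches_stdlib(z: bytes, data: bytes) -> bool:
    """True when the hand-written formula agrees with hashlib/hmac."""
    return hmac_eq_2_1(z, data) == stdlib_hmac.new(z, data, hashlib.sha256).digest()


def receiver_check(z: bytes, data: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute over the received message, compare in constant time."""
    return stdlib_hmac.compare_digest(hmac_eq_2_1(z, data), received_mac)


# Constructed sample: a V2V-style status message and a key shorter than one block.
SAMPLE_KEY = b"constructed-shared-key-for-example"
SAMPLE_MSG = b"veh=constructed-id;speed=45;heading=270"

if __name__ == "__main__":
    tag = hmac_eq_2_1(SAMPLE_KEY, SAMPLE_MSG)
    print(tag.hex(), matches_stdlib(SAMPLE_KEY, SAMPLE_MSG))
```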
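The DSA steps of Eqs. (2.2) to (2.9), key generation, signing and verification, as an added example that is not the dissertation's own code. SHA-1 is assumed for H(m), and the parameter sizes are reduced (128-bit p, 32-bit q, an assumption so the example runs in seconds) while the standard sizes stated above are 1024 and 160 bits.

```python
"""Added example, not code from the dissertation: DSA with reduced parameter sizes."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(p_bits: int = 128, q_bits: int = 32):
    """p prime, q a prime divisor of p-1, g of order q (Eq. 2.2)."""
    while True:                                   # q: odd, exactly q_bits long
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:                                   # p = k*q + 1 with k even
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        k -= k & 1
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:                                   # h < p-1 with h^((p-1)/q) mod p > 1
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)               # Eq. (2.2)
        if g > 1:
            return p, q, g


def generate_keys(p: int, q: int, g: int):
    x = secrets.randbelow(q - 1) + 1              # private key, 0 < x < q
    y = pow(g, x, p)                              # Eq. (2.3), public
    return x, y


def H(m: bytes) -> int:
    """One-way hash of the message as an integer (reduced mod q by the formulas)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def sign(m: bytes, p: int, q: int, g: int, x: int):
    while True:
        k = secrets.randbelow(q - 1) + 1          # fresh k for every signature
        r = pow(g, k, p) % q                      # Eq. (2.4)
        if r == 0:
            continue
        s = (pow(k, -1, q) * (H(m) + x * r)) % q  # Eq. (2.5)
        if s != 0:
            return r, s


def verify(m: bytes, sig, p: int, q: int, g: int, y: int) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)                             # Eq. (2.6)
    u1 = (H(m) * w) % q                           # Eq. (2.7)
    u2 = (r * w) % q                              # Eq. (2.8)
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q # Eq. (2.9)
    return v == r                                 # accept iff v = r


if __name__ == "__main__":
    p, q, g = generate_parameters()
    x, y = generate_keys(p, q, g)
    sig = sign(b"constructed message", p, q, g, x)
    print(verify(b"constructed message", sig, p, q, g, y))   # True
```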

Requirements for a Cryptographic Module

Requirement 1: Cryptographic Module Specification: it describes the components of a cryptographic module: hardware, software, firmware, and security algorithms. It also specifies what the vendor of a cryptographic module should document in terms of the operation of each component, hardware schematics, and software requirements.

Requirement 2: Cryptographic Module Ports and Interfaces: it describes the logical interfaces to a cryptographic module; it specifies the requirements for the data input interface, data output interface, control input interface, status output interface and power interface.

Requirement 3: Roles, Services, and Authentication: it describes the specifications for a cryptographic module to identify and authenticate its users: role-based or identity-based authentication. It also describes the services that a cryptographic module should provide to its users, such as status indicators, self testing, and security algorithms.

Requirement 4: Finite State Model: it describes the specifications for a cryptographic module to operate in a finite state model. The requirement specifies that a cryptographic module should have operational and error states and should specify the transition from one state to another and the inputs and outputs for each state.

Requirement 5: Physical Security: it describes the specifications on how to protect a cryptographic module from physical security attacks. It also describes the specifications for a cryptographic module to operate under a range of environmental conditions, such as voltage and temperature. A cryptographic module should provide assurance that its security cannot be compromised if an attacker applies extreme environmental conditions that reveal the contents of a cryptographic module.

Requirement 6: Operational Environment: it describes the specifications on using an operating system in a cryptographic module.

Requirement 7: Cryptographic Key Management: it describes the specifications on the mechanisms for generating random numbers, generating keys, establishing keys, storage of keys, and erasure of keys.

Requirement 8: Electromagnetic Interference / Electromagnetic Compatibility (EMI/EMC): it describes the specifications for a cryptographic module to comply with an EMI/EMC standard.

Requirement 9: Self-Tests: it describes the specifications on the mechanisms for self-testing the security algorithms used in a cryptographic module, and testing the integrity of its firmware to ensure that the module is working and functioning as required.

Requirement 10: Design Assurance: it describes the specifications on the methods, processes, and best practices to ensure that the requirements, design, implementation and testing of a cryptographic module are well documented and that the module is properly designed, developed, tested, delivered and installed at the user's location.

Requirement 11: Mitigation of Other Attacks: it describes the specifications for mitigation of security attacks for which this FIPS document did not provide testable security requirements at the time it was published.

Security Levels of a Cryptographic Module

Security Level 1: Security Level 1 is the lowest level of security. In this level, at least one approved security algorithm [35] shall be used in a cryptographic module. An example of a Security Level 1 cryptographic module is a personal computer (PC) encryption board.

Security Level 2: Security Level 2 provides an increase in security over Level 1 by adding a physical security mechanism to a cryptographic module. This increase in security shall be accomplished by adding the requirement for a tamper-evidence mechanism. For example, tamper-evident coatings or seals are placed on a cryptographic module in such a way that, to gain physical access to the module and to access its plaintext cryptographic keys and parameters, the coating or seal must be broken. In addition to the physical security mechanism, Security Level 2 requires the cryptographic module to authenticate the authorization and role of its operator to perform a corresponding set of security services.

Security Level 3: Security Level 3 provides an increase in security over Level 2 in tamper-evident physical security mechanisms. Security Level 3 requires the cryptographic module to have a high probability of detecting tampering and physical access, and is required to use tamper detection/response circuitry that clears all plaintext secret keys if the tamper-evident mechanisms are broken. Security Level 3 also enhances the role-based authentication of Security Level 2 by using identity-based authentication mechanisms. A cryptographic module authenticates the identity of an operator in order to perform a corresponding set of security services. Security Level 3 also requires storing or reading plaintext keys from a cryptographic module to be performed on dedicated interfaces or ports that are not shared with any other data. Plaintext private keys may be entered into or output from the cryptographic module in encrypted form.

Security Level 4: Security Level 4 is the highest level of security defined in the standard. In this level, the cryptographic module has a very high probability of detecting all unauthorized attempts to access its contents, resulting in the immediate erasure of all plaintext private keys and security parameters. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments. In addition, Security Level 4 protects a cryptographic module against environmental conditions or fluctuations outside its normal operating range that can compromise its security. An attacker can apply intentional fluctuations of voltage and temperature beyond the normal operating ranges of the cryptographic module to thwart its security defenses. Thus, Security Level 4 requires the use of special environmental protection features designed to detect fluctuations and to erase the contents of the cryptographic module.

A list of cryptographic modules validated against FIPS 140-2 can be found at the NIST Cryptographic Module Validation Program (CMVP) website [57]. In this dissertation, I refer to the module that meets the security requirements and properties that are described in this section as a Cryptographic Security Module (CSM).

Proposed Cryptographic Security Module

Figure 2.1 shows my proposed CSM for use in V2V and V2I communication networks. In Fig. 2.1, a vehicle communicates with other vehicles and the infrastructure using the DSRC interface. The received and transmitted data may contain plain text and cipher text data. According to FIPS 140-2 requirements, I assign a dedicated input port for received messages and a dedicated output port for transmitted messages in the DSRC unit. The Processor performs the necessary cryptographic operations on a received message, such as signature verification and data decryption, and performs the necessary cryptographic operations on a message to be transmitted, such as data encryption and signature generation. According to FIPS 140-2 requirements, the output interface port should be inhibited when the cryptographic module performs self test, key generation, key storage, and key erasure, or if it is in an error state. Therefore, I assign a control path from the Processor to the DSRC unit and to the Data Output Interface to inhibit these output ports under such operating conditions. The CSM will also need to interface with other modules inside the vehicle, such as the Brake Control Unit, Speed Control Unit, GPS Control Unit, and Compass Control Unit. The information from these units is collected inside the CSM to be processed by the Processor and transmitted by the DSRC unit. According to FIPS 140-2, I assign a dedicated Data Input Interface for communication with other modules. In addition, the CSM has a separate Control Input Interface for input switches, buttons or a keyboard that a driver may use. When a vehicle receives a message from other vehicles, the CSM will process the received message and forward the message to other modules inside the vehicle for evaluation and alerting the driver. I assign a dedicated Data Output Interface for this purpose. This unit can also be used to report the status of the CSM operation, such as error conditions, through a dedicated Status Output Interface.

Figure 2.1 A depiction of a Cryptographic Security Module based on the requirements of FIPS 140-2

In Fig. 2.1, there are three memories inside the module. I refer to one memory as the Operator Memory and to the others as the User Memory. The Operator Memory stores cryptographic keys that are used only by the issuer of this module. These keys will be used by the module to operate an identity-based authentication if the issuer needs to access this module and needs to perform actions, such as key erasure and key replacement. The User Memory is for the user of this module. The cryptographic keys of the user are stored in one of the User Memories. According to FIPS 140-2, the CSM should have a tamper detection capability to detect physical attacks. I assigned four Tamper Detection Units. One unit is embedded in the User Code Memory Unit, another unit is embedded in the User Data Memory Unit, a third unit is embedded in the Operator Memory Unit, and the fourth one is embedded in the CSM itself. If any of these units detects a physical attack, all cryptographic keys and security parameters stored inside this module should be erased. Similarly, the Voltage and Temperature Monitor Unit should detect environmental conditions that exceed the normal operating conditions of the CSM, and should immediately erase the cryptographic keys and security parameters.

An example of a cryptographic security module is a smart card. Nowadays, smart cards [9] are used for authentication worldwide in many applications, including transit, telecommunications, and secure identification. There were over 250 million smart cards used in the mobile telephone industry world-wide. Hardware, such as a smart card, that contains cryptographic keys and algorithms is considered secure if it has the following properties [10]: (1) Read-proof hardware: that is, hardware that prevents an attacker from reading anything about its contents; (2) Tamper-proof hardware: that is, hardware that prevents an attacker from changing its contents; and (3) Self-destructing capability: that is, hardware that can destroy its contents if an attacker tries to access it. Based on the functionality of smart cards, the authors in [13] proposed tamper-resistant hardware that complements and maintains the properties of smart cards. Their proposal is a Master Key. A person carries one Master Key device for various authentication purposes instead of multiple smart cards.

2.3 Mathematical Background

In this section, I first introduce the basic notions and operations in modular arithmetic that are the foundations for cryptography. I apply these notions and operations in my dissertation in my first proposed solution. Then, I introduce some of the mathematical problems that are hard to solve, which are also the bases of asymmetric cryptographic algorithms. Cryptographers use these hard problems as a strong proof that such algorithms are secure, i.e. the private key cannot be deduced. Finally, I show an example of a group signature (which is discussed in Section 2.2.5) using one of the introduced hard problems.

Finite groups

A group $(G, \circ)$ is a set $G$ of numbers with a binary operation $\circ$ defined on $G$ that satisfies the following properties:
1. Closure: For all $a, b \in G$, $a \circ b \in G$.
2. Identity: There is an element $e \in G$, called the identity of the group, such that $e \circ a = a \circ e = a$ for all $a \in G$.
3. Associativity: For all $a, b, c \in G$, $(a \circ b) \circ c = a \circ (b \circ c)$.
4. Inverse: For each $a \in G$, there is a unique element $b \in G$, called the inverse of $a$, such that $a \circ b = b \circ a = e$.
For example, the set of real numbers $\mathbb{R}$ under the multiplication operation is a group that meets the four properties, with $e = 1$ and $a^{-1}$ as the multiplicative inverse.

Modular arithmetic

Modular arithmetic is the main mathematical concept in asymmetric cryptography. If we have two integers $a$ and $b$, and the difference $a - b$ is an integer multiple of a positive number $n$ (i.e. $n$ divides $a - b$, written $n \mid (a - b)$), then the two integers $a$ and $b$ are said to be congruent modulo $n$. This is equivalent to $a \equiv b \pmod n$ if $a = b + kn$ for some integer $k$. The integer $b$ is called the residue of $a$ modulo $n$, the integer $a$ is said to be congruent to $b$ modulo $n$, and the symbol $\equiv$ denotes congruence. In other words, if $a$ is divided by $n$, the quotient of this division is $k$ and the remainder (residue) is $b$. For every integer $a$, its residue $b$ is some integer between $0$ and $n - 1$. The computations involving the modulus to determine remainders are called modular arithmetic, such as modular addition and modular multiplication.

Groups defined by modular addition and multiplication

Modular addition and multiplication are commutative, associative and distributive. That is:

Commutative:
$$(a \pm b) \bmod n = (b \pm a) \bmod n, \qquad (a \cdot b) \bmod n = (b \cdot a) \bmod n,$$
Associative:
$$(a \pm b) \bmod n = \big((a \bmod n) \pm (b \bmod n)\big) \bmod n, \qquad (a \cdot b) \bmod n = \big((a \bmod n) \cdot (b \bmod n)\big) \bmod n,$$
Distributive:
$$\big(a \cdot (b + c)\big) \bmod n = \Big(\big((a \cdot b) \bmod n\big) + \big((a \cdot c) \bmod n\big)\Big) \bmod n.$$

We can also form two groups using modular addition and multiplication. The additive group modulo $n$ over the group of integers $\mathbb{Z}$ is formed by using addition modulo $n$, and is denoted by $(\mathbb{Z}_n, +)$. The multiplicative group modulo $n$ is formed by using multiplication modulo $n$, and is denoted by $(\mathbb{Z}_n^{*}, \cdot)$. That is, for all $a, a', b, b' \in G$, if $a \equiv a' \pmod n$ and $b \equiv b' \pmod n$, then
$$a + b \equiv a' + b' \pmod n, \qquad a \cdot b \equiv a' \cdot b' \pmod n.$$
The multiplicative group modulo $n$ is the set $\mathbb{Z}_n^{*}$ of elements that are relatively prime to $n$. That is, the greatest common divisor between an element of $(\mathbb{Z}_n^{*}, \cdot)$ and the modulus $n$ is 1 (i.e. $\gcd(a, n) = 1$). For example, $\mathbb{Z}_{15}^{*} = \{1, 2, 4, 7, 8, 11, 13, 14\}$. The integers in this group satisfy the four properties of a group.

Subgroups

A subgroup of a group $(G, \circ)$ is a subset $(H, \circ)$ of $(G, \circ)$ which is itself a group under the same operation. We write $H \leq G$ to denote that $H$ is a subgroup of $G$. For example, the group of integers $\mathbb{Z}$ is a subgroup of the group of real numbers $\mathbb{R}$, i.e. $\mathbb{Z} \leq \mathbb{R}$.

Order of a Group

The number of elements in a group $(G, \circ)$ is called the order of $G$ and is denoted by $\#G$. For example, the number of elements in $(\mathbb{Z}_n, +)$ is $\#\mathbb{Z}_n = n$.

Order of a Group Element

Let $(G, \circ)$ be a group and $a \in G$. The order of the element $a$ is the smallest positive integer $i$ that satisfies $a^{i} = e$ (the identity of the group), and is denoted by $\mathrm{ord}(a)$.

Cyclic Group

A group $(G, \circ)$ is said to be cyclic if there exists an element $a \in G$ such that for any $b \in G$ there is an integer $i$ such that $b = a^{i}$. The element $a$ is called a generator of $G$, and $G$ is called the group generated by $a$. When a group is generated by $a$, we can write $G = \langle a \rangle$. For example, in the group $\mathbb{Z}_7^{*} = \{1, 2, 3, 4, 5, 6\}$, the number $3 \in \mathbb{Z}_7^{*}$ is a generator since $3^1 \bmod 7 = 3$ (where $3 \in \mathbb{Z}_7^{*}$), $3^2 \bmod 7 = 2$ (where $2 \in \mathbb{Z}_7^{*}$), $3^3 \bmod 7 = 6$ (where $6 \in \mathbb{Z}_7^{*}$), $3^4 \bmod 7 = 4$ (where $4 \in \mathbb{Z}_7^{*}$), $3^5 \bmod 7 = 5$ (where $5 \in \mathbb{Z}_7^{*}$), $3^6 \bmod 7 = 1$ (where $1 \in \mathbb{Z}_7^{*}$), $3^7 \bmod 7 = 3$ (where $3 \in \mathbb{Z}_7^{*}$), and the output of this modular operation keeps repeating, hence the term cyclic group.

Fermat's Little Theorem

If $p$ is a prime number, then $a^{p-1} \equiv 1 \pmod p$ for all $a \in \mathbb{Z}_p^{*}$. For example, if $p = 7$, then $1^6 \equiv 1 \pmod 7$, $2^6 \equiv 1 \pmod 7$, $3^6 \equiv 1 \pmod 7$, $4^6 \equiv 1 \pmod 7$, $5^6 \equiv 1 \pmod 7$, and $6^6 \equiv 1 \pmod 7$.

The Discrete Logarithm Problem

Let $G = \langle g \rangle$ be a cyclic group of order $n$, and let $y \in G$. The discrete logarithm of $y$ to the base $g$ is the smallest positive integer $x$ satisfying $g^{x} = y$. The parameters $n$, $g$, $y$ and $G$ should be chosen such that computing the discrete logarithm is infeasible. That is, it is computationally infeasible to compute $x$ such that $x = \log_g y$.

The RSA Algorithm

RSA is an asymmetric algorithm named after its inventors Rivest, Shamir and Adleman. It gets its security from the difficulty of factoring large numbers. Its primary use is to encrypt/decrypt messages between two entities. To generate the asymmetric pair of public and private keys, choose two random large prime numbers $p$ and $q$, and compute their product $n = pq$. Then choose an encryption key $e$ such that $(p - 1)(q - 1)$ and $e$ are relatively prime. Finally, compute the decryption key $d$ such that

$$1 = d\,e \bmod (p - 1)(q - 1) \tag{2.10}$$

The numbers $e$ and $n$ are the public keys and the number $d$ is the private key. The security of RSA relies on the difficulty of factoring $n$ to find the two prime numbers $p$ and $q$ in order to derive the private key $d$. Therefore, the numbers $p$ and $q$ should never be revealed. Also, the security of RSA relies on solving the discrete logarithm problem to derive the private key $d$. For example, to encrypt a message $m$ using the RSA algorithm, compute:

$$c = m^{e} \bmod n \tag{2.11}$$

To decrypt $c$ and get the original message $m$, compute:

$$m = c^{d} \bmod n \tag{2.12}$$

Given $c$ and $m$, it is difficult to solve $d = \log_c m$. The decryption works since substituting Eq. (2.11) in Eq. (2.12) gives:

$$m = m^{ed} \bmod n \tag{2.13}$$

From Eq. (2.10) and the definition of modular arithmetic, we get

$$ed = k(p - 1)(q - 1) + 1 \tag{2.14}$$

Substituting Eq. (2.14) in Eq. (2.13) gives

$$m = m^{k(p-1)(q-1) + 1} \bmod n \tag{2.15}$$
$$m = m \cdot m^{k(p-1)(q-1)} \bmod n = m \cdot 1 = m \tag{2.16}$$

by Fermat's Little Theorem.

Foundation of Digital Signatures

The Zero Knowledge Protocol

An Interactive Proof (IP) protocol is a protocol between two users: a prover and a verifier. The prover, who sends information to the verifier, has some secret knowledge that is not shared with the verifier. The prover tries to prove to the verifier the correctness of this information without revealing the secret knowledge. The verifier will be convinced that the information coming from the prover is correct without knowing the secret knowledge. This protocol is called proof in the dark. That is, the verifier gains no information about the prover's private knowledge (or secret data). An IP protocol with this property is called a Zero-Knowledge (ZK) protocol. Furthermore, any other third party listening to the channel between the prover and the verifier cannot see anything meaningful of what has taken place between the prover and the verifier. If the verification process is performed in public (that is, anyone can see it and verify it), then it is no longer proof in the dark. It is then called Proof-of-Knowledge. And still, no one can find out the secret information of the prover, and it is still called a ZK protocol.
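RSA key generation, encryption and decryption as in Eqs. (2.10) to (2.12), together with a check of the correctness argument of Eqs. (2.13) to (2.16), as an added example that is not the dissertation's own code. The primes p = 1000003 and q = 999983 and the exponent e = 65537 are constructed toy values chosen so the arithmetic is visible; real keys use primes of hundreds of digits.

```python
"""Added example, not code from the dissertation: RSA with constructed toy primes."""
from math import gcd

# Constructed toy primes (both prime; far too small for real use).
P_SAMPLE, Q_SAMPLE = 1000003, 999983
E_SAMPLE = 65537


def keygen(p: int, q: int, e: int):
    """Eq. (2.10): d*e = 1 mod (p-1)(q-1). Returns public (e, n) and private d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), d


def encrypt(m: int, public) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)          # Eq. (2.11)


def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)          # Eq. (2.12)


def encode(text: bytes) -> int:
    """Message bytes as the integer m (must stay below n)."""
    return int.from_bytes(text, "big")


def decode(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def k_of_eq_2_14(e: int, d: int, p: int, q: int) -> int:
    """Eq. (2.14): ed = k(p-1)(q-1) + 1; returns that k."""
    phi = (p - 1) * (q - 1)
    if (e * d - 1) % phi != 0:
        raise ValueError("e*d is not 1 mod (p-1)(q-1)")
    return (e * d - 1) // phi


def eq_2_16_holds(m: int, e: int, d: int, p: int, q: int) -> bool:
    """Eq. (2.16): m^(k(p-1)(q-1)) = 1 mod n, hence m * m^(k(p-1)(q-1)) = m.
    The step needs gcd(m, n) = 1, which is the condition of the theorem."""
    n = p * q
    k = k_of_eq_2_14(e, d, p, q)
    return gcd(m, n) == 1 and pow(m, k * (p - 1) * (q - 1), n) == 1


def roundtrip(text: bytes) -> bytes:
    """Encrypt with the public key, decrypt with the private key."""
    public, d = keygen(P_SAMPLE, Q_SAMPLE, E_SAMPLE)
    return decode(decrypt(encrypt(encode(text), public), d, public[1]))


if __name__ == "__main__":
    print(roundtrip(b"V2V"))     # b'V2V'
```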

The prover has an interest in convincing the verifier that his information is correct. In a Zero-Knowledge Proof-of-Knowledge (ZKPK) protocol, the word "knowledge" in proof-of-knowledge can be: Discrete Logarithm, Strong RSA, or any other hard problem. So, we end up having the notions of: Zero-Knowledge Proof-of-Knowledge of the solution to the Discrete Logarithm problem, or Zero-Knowledge Proof-of-Knowledge of the solution to the Strong RSA problem.

Schnorr's Identification Protocol

Suppose we have Alice and Bob communicating with each other. Schnorr's Identification Protocol [55] is used for proving that Alice has in her possession a key x that satisfies the discrete logarithm of y to the base g. Let p and q be two prime numbers satisfying $q \mid p-1$ (i.e. q divides p-1). Let $g^q \equiv 1 \pmod p$, and let $x < q$ and $y = g^x \bmod p$. The parameters (p, q, g, y) are Alice's public keys certified by the CA. The parameter x is Alice's private key. Alice is trying to prove to Bob that she possesses x satisfying $y = g^x \bmod p$. The protocol between Bob and Alice is as follows:

1. Alice chooses a random number k and computes
$\mathrm{Commit} = g^k \bmod p$ (2.17)
2. Bob chooses a random number Challenge and sends it to Alice.
3. Alice computes
$\mathrm{Response} = k + x \cdot \mathrm{Challenge} \pmod p$ (2.18)
and sends it to Bob.
4. Bob verifies that

$\mathrm{Commit} = g^{\mathrm{Response}}\, y^{-\mathrm{Challenge}} \pmod p$ (2.19)

If the verification fails, then Bob rejects Alice's claim. The verification works since substituting Eq. (2.18) in Eq. (2.19) gives

$\mathrm{Commit} = g^{k + x \cdot \mathrm{Challenge}}\, y^{-\mathrm{Challenge}} \pmod p$ (2.20)

$\mathrm{Commit} = g^{k}\, g^{x \cdot \mathrm{Challenge}}\, y^{-\mathrm{Challenge}} \pmod p$ (2.21)

Then, substituting y in Eq. (2.21) gives

$\mathrm{Commit} = g^{k}\, g^{x \cdot \mathrm{Challenge}}\, g^{-x \cdot \mathrm{Challenge}} \pmod p$ (2.22)

which computes to

$\mathrm{Commit} = g^k \bmod p$ (2.23)

The Fiat-Shamir Heuristic

To construct a digital signature on a message m using Schnorr's Identification Protocol, Fiat and Shamir [45] suggested a method for transforming a ZK protocol into a digital signature scheme using a hash function H as follows:

$\mathrm{Challenge} = H(m \,\|\, \mathrm{Commit})$ (2.24)

This mechanism allows us to transform Schnorr's ZK protocol into a non-interactive one as follows:

1. Alice chooses a random number k and computes
$\mathrm{Commit} = g^k \bmod p$ (2.25)
2. Alice signs her message m using the Fiat-Shamir Heuristic and computes
$\mathrm{Challenge} = H(m \,\|\, \mathrm{Commit})$ (2.26)
3. Alice computes
$\mathrm{Response} = k + x \cdot \mathrm{Challenge} \pmod p$ (2.27)

4. Alice sends to Bob
$(m, \mathrm{Commit}, \mathrm{Response})$ (2.28)
5. Bob computes
$\mathrm{Challenge} = H(m \,\|\, \mathrm{Commit})$ (2.29)
6. Bob verifies that
$\mathrm{Commit} = g^{\mathrm{Response}}\, y^{-\mathrm{Challenge}} \pmod p$ (2.30)

If the verification fails, then Bob rejects Alice's message.

An Example of a Group Signature

I showed in the previous sections an example of a Zero-Knowledge Proof-of-Knowledge of the solution to the Discrete Logarithm problem, which is the foundation of digital signatures. In this section, I show an example of a Zero-Knowledge Proof-of-Knowledge of the solution to the Strong RSA problem by using the group signature protocol described in [41]. First, I describe the Strong RSA problem, then I describe the ElGamal algorithm that is used in the group signature, and finally, I show an example of the group signature.

Strong-RSA Problem

The authors of [53] and [54] introduced a new hard problem called the Strong-RSA Problem, which assumes that finding an e-th root modulo n is hard. Let n = pq be an RSA modulus. Let G be a cyclic subgroup of $\mathbb{Z}_n^*$ of order #G. Given $z \in G$, the Strong-RSA Problem consists of finding $u \in G$ and $e \in \mathbb{Z}$ satisfying $z = u^e \bmod n$.
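As an added example (not code from the dissertation), the interactive Schnorr identification of Eqs. (2.17)-(2.23) and its Fiat-Shamir signature form of Eqs. (2.24)-(2.30) in Python, with constructed toy parameters p = 10007, q = 5003 and g = 4 (an element of order q). The Response is reduced modulo q, the order of g, which is the form in which g^Response is well defined; the chapter writes the reduction as mod p.

```python
import hashlib
import secrets

# Constructed toy parameters: q divides p - 1, and g = 4 = 2^((p-1)/q) has order q,
# so g^q = 1 mod p as Schnorr's setup requires. Real parameters are far larger.
P, Q = 10007, 5003
G = pow(2, (P - 1) // Q, P)

def keygen():
    """Alice's private key x < q and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def fiat_shamir_challenge(message: bytes, commit: int) -> int:
    """Eq. (2.24): Challenge = H(m || Commit), reduced mod q."""
    data = message + b"||" + str(commit).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prover_commit():
    """Step 1: pick k and send Commit = g^k mod p, Eq. (2.17)."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def verifier_challenge():
    """Step 2: Bob's random Challenge."""
    return secrets.randbelow(Q)

def prover_response(k, x, challenge):
    """Step 3, Eq. (2.18): Response = k + x * Challenge (mod q, the order of g)."""
    return (k + x * challenge) % Q

def verifier_check(y, commit, challenge, response):
    """Step 4, Eq. (2.19): Commit == g^Response * y^(-Challenge) mod p."""
    y_pow_neg_c = pow(pow(y, challenge, P), -1, P)
    return commit == (pow(G, response, P) * y_pow_neg_c) % P

def identify(x, y):
    """One interactive run of Schnorr's identification protocol."""
    k, commit = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, commit, c, prover_response(k, x, c))

def sign(x, message: bytes):
    """Non-interactive steps 1-4, Eqs. (2.25)-(2.28): the challenge comes from the hash."""
    k, commit = prover_commit()
    challenge = fiat_shamir_challenge(message, commit)
    return message, commit, prover_response(k, x, challenge)

def verify(y, signature):
    """Steps 5-6, Eqs. (2.29)-(2.30): recompute the challenge and apply the Schnorr check."""
    message, commit, response = signature
    return verifier_check(y, commit, fiat_shamir_challenge(message, commit), response)
```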

ElGamal Algorithm

The ElGamal scheme can be used for encryption, and it gets its security from the difficulty of solving the discrete logarithm problem. Let n be a prime number. Choose $g < n$ and $x < n$, and let $y = g^x \bmod n$. The public keys are n, g, and y. The private key is x. To encrypt a message m, choose a random number r such that r is relatively prime to n-1, and compute

$a = g^r \bmod n$ (2.31)

$b = m\, y^r \bmod n$ (2.32)

The pair a and b is the ciphertext. To decrypt a and b, compute

$m = \dfrac{b}{a^x} \bmod n$ (2.33)

A Group Signature Algorithm

A group signature protocol consists of the following five procedures:

SETUP: An algorithm that generates a group public key (in addition to several public parameters) and the secret private key for the group manager.

JOIN: A protocol between a user and the group manager in which the user becomes a member of a group. The output of this protocol is a secret private key and a membership certificate for the user.

SIGN: An algorithm that generates a signature on a message using the group public key, the user's private key, and the user's membership certificate.

VERIFY: An algorithm that verifies the generated signature.

OPEN: An algorithm that is used by the group manager, using the group public key and the group manager's private key, to find the identity of the signer.

As an example of a group signature that is based on the Zero-Knowledge Proof-of-Knowledge of the solution to the Strong RSA problem, let the five procedures be performed as follows (for detailed operations and additional information on these procedures, refer to [41]):

SETUP:
1. Select random secret primes p', q' such that p = 2p' + 1 and q = 2q' + 1. Let the modulus n = pq.
2. Choose random elements $a, a_0, g, h \in QR(n)$, where QR(n) is the set of quadratic residues modulo the integer n. According to the authors in [41], it is a good habit to restrict operation to the subgroup of quadratic residues modulo n, i.e., the cyclic subgroup QR(n) generated by an element of order p'q'. This is because the order p'q' of QR(n) has no small factors.
3. Choose a random secret element $x \in \mathbb{Z}_{p'q'}^*$ and set $y = g^x \bmod n$.
4. The group public key is $Y = (n, a, a_0, y, g, h)$.
5. The Manager's secret key is $S = (p', q', x)$.

JOIN:
1. The Group Manager randomly chooses α, β and sends them to user P.
2. User P generates a secret exponent $\tilde{x}$ and computes
$x = 2^{\lambda_1} + (\alpha \tilde{x} + \beta \bmod 2^{\lambda_2})$ (2.34)
and sends to the Group Manager
$C_2 = a^x \bmod n$ (2.35)

The values $\lambda_1, \lambda_2$ denote lengths of cryptographic parameters.
3. The Group Manager randomly chooses a prime e and computes
$A = (C_2\, a_0)^{1/e} \bmod n$ (2.36)
4. Finally, the Group Manager sends to user P the new membership certificate (A, e).

SIGN:
1. User P generates a random number w, uses the ElGamal algorithm to encrypt A, and computes:
$T_1 = A\, y^w \bmod n$ (2.37)
$T_2 = g^w \bmod n$ (2.38)
$T_3 = g^e h^w \bmod n$ (2.39)
In this step, P is using the ElGamal algorithm to encrypt part of his certificate, A, such that only the Group Manager can decrypt it and identify P. The encryption of A is the pair $T_1$ and $T_2$. However, P also needs to prove to the verifier that he owns the other part of the certificate, e. In order to prove to the verifier that he owns e, P generates $T_3$. Furthermore, P also needs to prove to the verifier that the pair $T_1$ and $T_2$ is indeed the encryption of A under the group public keys y and g. Recall from Eq. (2.27) that $\mathrm{Response} = k + x \cdot H(m \,\|\, g^k) \pmod p$. So, in the second step below, P will first generate four random numbers that are equivalent to k and compute the equivalents of $g^k \bmod p$, and finally, in the third step, compute the equivalents of the Response in Eq. (2.27).

2. User P randomly chooses $r_1, r_2, r_3$ and $r_4$, and computes:
$d_1 = \dfrac{T_1^{r_1}}{a^{r_2}\, y^{r_3}} \bmod n$ (2.40)
$d_2 = \dfrac{T_2^{r_1}}{g^{r_3}} \bmod n$ (2.41)
$d_3 = g^{r_4} \bmod n$ (2.42)
$d_4 = g^{r_1} h^{r_4} \bmod n$ (2.43)
3. User P computes
$c = H(m \,\|\, g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4)$ (2.44)
$s_1 = r_1 - c\,(e - 2^{\gamma_1})$ (2.45)
$s_2 = r_2 - c\,(x - 2^{\lambda_1})$ (2.46)
$s_3 = r_3 - c\,e\,w$ (2.47)
$s_4 = r_4 - c\,w$ (2.48)
4. User P outputs the signature $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$.

This group signature can be regarded as a signature of knowledge of the value A, which is encrypted using the ElGamal algorithm to generate $T_1$ and $T_2$, and of the e-th root of A represented in $T_3$.

VERIFY: A verifier can check the validity of the signature $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ on the message m as follows:
1. The verifier computes:

$A = \dfrac{a_0^{c}\, T_1^{s_1 - c\,2^{\gamma_1}}}{a^{s_2 - c\,2^{\lambda_1}}\, y^{s_3}} \bmod n$ (2.49)
$B = \dfrac{T_2^{s_1 - c\,2^{\gamma_1}}}{g^{s_3}} \bmod n$ (2.50)
$C = T_2^{c}\, g^{s_4} \bmod n$ (2.51)
$D = T_3^{c}\, g^{s_1 - c\,2^{\gamma_1}}\, h^{s_4} \bmod n$ (2.52)
$c' = H(m \,\|\, g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, A \,\|\, B \,\|\, C \,\|\, D)$ (2.53)
2. The verifier accepts the signature if $c' = c$.

OPEN: Should the signer be identified, the Group Manager uses his own private key x and the ElGamal decryption algorithm to compute

$\dfrac{T_1}{T_2^{x}} \bmod n = \dfrac{A\, y^{w}}{g^{xw}} \bmod n = \dfrac{A\, g^{xw}}{g^{xw}} \bmod n = A.$
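An added example, not code from [41] or from the dissertation: ElGamal encryption and decryption as in Eqs. (2.31)-(2.33), reused for the encryption of the certificate A in SIGN step 1 (Eqs. (2.37)-(2.38)) and for the manager's OPEN computation $T_1 / T_2^x = A$. The toy modulus n = 253 (p' = 5, q' = 11) and generator g = 4 are constructed values; $T_3$ and the proof values $d_1 \ldots d_4$ are not included.

```python
import secrets

def elgamal_encrypt(m, n, g, y, order):
    """Eqs. (2.31)-(2.32): a = g^r mod n, b = m * y^r mod n for a fresh random r."""
    r = secrets.randbelow(order - 1) + 1
    return pow(g, r, n), (m * pow(y, r, n)) % n

def elgamal_decrypt(a, b, x, n):
    """Eq. (2.33): m = b / a^x mod n; the division is a multiplication by the inverse of a^x."""
    return (b * pow(pow(a, x, n), -1, n)) % n

# Constructed toy group-signature setup (SETUP steps 1-3): p' = 5, q' = 11 give
# p = 11, q = 23, n = 253; QR(n) has order p'q' = 55 and g = 4 = 2^2 lies in it.
N, ORDER, G = 11 * 23, 5 * 11, 4

def manager_setup():
    """Manager's secret x and the group public value y = g^x mod n."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, N)

def encrypt_certificate(A, y):
    """SIGN step 1, Eqs. (2.37)-(2.38): (T1, T2) = (A * y^w, g^w) mod n, i.e. ElGamal of A."""
    T2, T1 = elgamal_encrypt(A, N, G, y, ORDER)
    return T1, T2

def open_signature(T1, T2, x):
    """OPEN: T1 / T2^x = A * y^w / g^(xw) = A (mod n), using only the manager's x."""
    return elgamal_decrypt(T2, T1, x, N)
```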

CHAPTER 3

PROPOSED SOLUTIONS FOR DRIVERS' ANONYMITY IN V2V COMMUNICATIONS

3.1 First Proposed Solution: Drivers' Anonymity using DSA

In this section, I present a secure broadcast protocol to preserve drivers' anonymity using the DSA. I will first describe the key-generation process for vehicles to participate in V2V communication networks. Then I will present three theorems and their proofs, which will be used in my proposed protocol. I will then present my proposed protocol and discuss its security analysis and key management, in which I present a lemma and its proof.

Generating Membership Keys and Certification

Let $G = \{G_1, G_2, \ldots, G_n\}$ be a set of n groups of vehicles, and let $G_i \in G$ for $i = 1, 2, \ldots, n$. Let $M_i = \{M_{i,1}, M_{i,2}, \ldots, M_{i,m}\}$ be the set of m vehicles in $G_i$, and let $M_{i,j} \in G_i$ for $j = 1, 2, \ldots, m$. The CA randomly arranges registered vehicles into groups in its secure database and generates two sets of keys:

First Set of Keys: The CA uses DSA to generate a set $P = \{G_1(p_1, q_1), G_2(p_2, q_2), \ldots, G_n(p_n, q_n)\}$ of n distinct pairs of public keys. Each pair of public keys $(p_i, q_i) \in P$ is certified by the CA. Then, from a pair of public keys $(p_i, q_i)$, the CA uses the DSA to generate a set $X_i = \{x_{i,1}, x_{i,2}, \ldots, x_{i,m}\}$ of m distinct private keys, one per member $M_{i,j}$, where $X_i \in X = \{X_1, X_2, \ldots, X_n\}$. The CA maintains in its secure database the set $X_i$ and its associated pair of public keys $(p_i, q_i)$. Figure 3.1 shows a database of the n distinct pairs of public keys in set P and their m distinct private keys in set $X_i$.

Second Set of Keys: The CA uses DSA to generate a set $P' = \{G_1(p'_1, q'_1, g'_1, y'_1, x'_1), G_2(p'_2, q'_2, g'_2, y'_2, x'_2), \ldots, G_n(p'_n, q'_n, g'_n, y'_n, x'_n)\}$ of n distinct groups of public and private keys. Each group of public and private keys $(p'_i, q'_i, g'_i, y'_i, x'_i) \in P'$ is certified by the CA. Figure 3.1 shows the CA's database that contains all the necessary keys.

Figure 3.1 The distribution of DSA keys in a database, where the private keys $\{x_{i,1}, x_{i,2}, \ldots, x_{i,m}\}$ are associated with a pair of public keys $(p_i, q_i)$ and the second set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$.

Before participating in V2V communication networks, each driver applies for a certificate from the CA. The CA associates the driver's vehicle with a group $G_i \in G$, and allows the driver's vehicle to be a member $M_{i,j} \in G_i$. Assume a secure communication channel between the CA and a CSM device. Then the CA stores inside the CSM device of $M_{i,j}$ two sets of keys: the first set of keys $(p_i, q_i, x_{i,j})$ and the second set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$. The CA securely installs the CSM device inside the driver's vehicle, $M_{i,j}$. Vehicle $M_{i,j}$ is now ready to participate in V2V communication networks. Figure 3.2

shows the assignment of the first and second sets of keys among three groups of vehicles, where each group has four vehicles.

Figure 3.2 The distribution of keys to members of V2V communication networks by a Certificate Authority, CA.

Signing Messages

To protect the anonymity of drivers, each vehicle with a CSM device provided by the CA can sign messages using the DSA. The following three theorems provide the basis for my proposed anonymity protocol that uses the DSA. Theorem 1 states that the public keys generated by a vehicle and used to sign messages are distinct. Hence, the anonymity of drivers is protected by these distinct public keys. Theorem 2 states in general that it is sufficient to choose a residue from a range of

values in a set of r-th root residues modulo n. This theorem provides us with a condition to generate distinct public keys. Therefore, Theorem 3 applies Theorem 2 to our proposed anonymity protocol that uses the DSA to generate the distinct public keys.

THEOREM 1: For a given pair of DSA public keys $(p_i, q_i)$ for $M_{i,j} \in G_i$, $M_{i,j}$ generates $q_i$ distinct public keys $\{g_{i,j,1}, g_{i,j,2}, \ldots, g_{i,j,q}\}$.

PROOF According to DSA, let $g \equiv h^{(p-1)/q} \bmod p$ for $1 < h \le (p-1)$. By the definition of the Order of a Group, the group generated by $h^{(p-1)/q}$ is an order-q subgroup of $\langle h \rangle$, since q is the least integer satisfying $(h^{(p-1)/q})^q \equiv 1 \pmod p$, where $(h^{(p-1)/q})^q \bmod p = h^{p-1} \bmod p = 1$ by Fermat's Little Theorem. Hence, the subgroup $\langle h^{(p-1)/q} \rangle$ generates q distinct public keys $\{g_{i,j,1}, g_{i,j,2}, \ldots, g_{i,j,q}\}$. It can also be concluded that the polynomial $h^{(p-1)/q} - kp = g$, for some integer k, has $(p-1)/q$ roots for $1 < h \le (p-1)$. Hence, the number of distinct g equals $(p-1) / ((p-1)/q) = q$.

DEFINITION 1: Let integer $n > 1$. For $a \in \mathbb{Z}_n^*$, a is called an r-th root residue modulo n if $a \equiv x^r \bmod n$ for some $x \in \mathbb{Z}_n$. The set of r-th root residues modulo n is denoted by $RR_n^r$.

THEOREM 2: For a prime number p, the relationship $RR_p^r = \{x^r \bmod p \mid 0 < x \le (p-1)/2\}$ holds iff r is an even number.

PROOF Assume an integer $a \in RR_p^r$ such that $a \equiv x^r \bmod p$ for some x, and assume that $x > (p-1)/2$; then $p - x < (p+1)/2$. This implies that $p - x \le (p+1)/2 - 1$ and $p - x \le (p-1)/2$ for a prime integer p. Using the binomial formula, we get

$(p-x)^r \bmod p \equiv \left( p^r - r\,p^{r-1}\,x + \frac{r(r-1)}{2!}\,p^{r-2}\,x^2 - \frac{r(r-1)(r-2)}{3!}\,p^{r-3}\,x^3 + \cdots + (-x)^r \right) \bmod p$

Since $p \bmod p = 0$, the relationship $(p-x)^r \bmod p \equiv (-x)^r \bmod p$ holds. If r is an even number, then $(-x)^r \bmod p \equiv x^r \bmod p \equiv a$, so a is also the r-th power of $p - x \le (p-1)/2$. Hence,

$RR_p^r = \{x^r \bmod p \mid 0 < x \le (p-1)/2\} = \{x^r \bmod p \mid (p-1)/2 < x \le (p-1)\}$.

THEOREM 3: For a given pair of DSA public keys $(p_i, q_i)$ for $M_{i,j} \in G_i$, the public key $g_{i,j}$ generated by the vehicle satisfies the relation $g_{i,j} \in RR_p^{(p-1)/q} = \{h^{(p-1)/q} \bmod p \mid 0 < h \le (p-1)/2\}$.

PROOF According to DSA, the public key p is a prime modulus and the public key q is a prime divisor of $p-1$. Then $(p-1)/q$ is an even number. Hence, by Theorem 2, we get $g \in RR_p^{(p-1)/q} = \{h^{(p-1)/q} \bmod p \mid 0 < h \le (p-1)/2\}$. In other words, to generate the public key g it is sufficient to choose $1 < h \le (p-1)/2$, since the same g will also be generated for $(p-1)/2 < h \le (p-1)$.

Therefore, the CSM device stored in the driver's vehicle $M_{i,j}$ uses DSA and the keys $(p_i, q_i, x_{i,j})$ obtained from the CA to generate its own set of public keys, $Y_{i,j} = \{(y_{i,j,1}, g_{i,j,1}), (y_{i,j,2}, g_{i,j,2}), \ldots, (y_{i,j,q}, g_{i,j,q})\}$, from Eq. (2.3). The pair $(y_{i,j,z}, g_{i,j,z}) \in Y_{i,j}$ and $x_{i,j}$ are the public keys and the private key of the vehicle $M_{i,j}$, respectively. When the CSM device frequently generates a different pair of public keys $(y_{i,j,z}, g_{i,j,z})$, it becomes impossible to associate those public keys with a driver and trace the locations that the driver visits. I show in the sections Anonymity and Unlinkability and Security below the anonymity and security analysis of the proposed protocol. If a generated pair of public keys $(y_{i,j,z}, g_{i,j,z})$ is constant and never changes, i.e., $Y_{i,j} = \{(y_{i,j,1}, g_{i,j,1}) = (y_{i,j,2}, g_{i,j,2}) = \cdots = (y_{i,j,q}, g_{i,j,q})\}$ as with the standard DSA, then this pair of public keys is always bound to its owner, the driver. As a result, it would be easy to trace this individual driver.

After generating the keys, the CSM device performs DSA to generate a signature $\mathrm{Sig}_1(msg)$ on message msg. The message msg contains $DATA \,\|\, y_{i,j,z} \,\|\, g_{i,j,z} \,\|\, p_i \,\|\, q_i \,\|\, \mathrm{TimeStamp}$ (where $\|$ denotes concatenation). The transmitted DATA contains the safety-critical information of the transmitting vehicle. I use TimeStamp in signatures to protect the protocol from replay attacks.

The public keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i)$ are transmitted in plain text for use by the receiving vehicle to verify the received signature. Since $(y_{i,j,z}, g_{i,j,z})$ are generated by $M_{i,j} \in G_i$ and are not certified by the CA, an unauthorized entity listening to the network

channel can obtain the public keys $(p_i, q_i)$ and then generate an arbitrary set of keys $(y_{i,j,z}, g_{i,j,z}, x_{i,j})$ such that Eq. (2.3) is satisfied. Therefore, this unauthorized entity can generate a valid signature but with forged information. Consequently, the receiving vehicle will successfully verify and authenticate the received forged information. In addition, the association between the pair of public keys $(p_i, q_i)$ and the private keys $X_i = \{x_{i,1}, x_{i,2}, \ldots, x_{i,m}\}$ that the CA maintains in its secure database will no longer be valid. To protect the protocol from this attack, the CSM device signs the signature $\mathrm{Sig}_1(msg)$ using the second set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$. Signing the signature using the second keys ensures the authenticity of the transmitted message, since all the keys of the second set are certified by the CA. As shown in Figure 3.3, the message to be broadcast to other vehicles is

$Tx = msg \,\|\, \mathrm{Sig}_1(msg) \,\|\, \mathrm{Sig}_2(\mathrm{Sig}_1(msg) \,\|\, msg)$, where $msg = DATA \,\|\, y_{i,j,z} \,\|\, g_{i,j,z} \,\|\, p_i \,\|\, q_i \,\|\, p'_i \,\|\, q'_i \,\|\, g'_i \,\|\, y'_i \,\|\, \mathrm{TimeStamp}$.

Verifying Signatures

The receiving vehicle, with a CSM device provided by the CA, applies the DSA verification algorithm to verify the signatures $\mathrm{Sig}_2(\mathrm{Sig}_1(msg) \,\|\, msg)$ and $\mathrm{Sig}_1(msg)$, as shown in Figure 3.4. If the DSA verification passes, then the receiving vehicle accepts this message and its contents. The message and its signature are stored in the CSM device of the receiving vehicle for use by the CA to open the signature, if needed, as explained next.
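An added example, not the dissertation's code: a Python model of the protocol of Section 3.1 in which the CSM derives a fresh $(y_{i,j,z}, g_{i,j,z})$ pair per message from $1 < h \le (p-1)/2$ (Theorem 3), double-signs with the certified second key set, a receiver verifies both signatures, and the CA opens a stored message by trying the group's private keys as in the Opening Signatures subsection that follows. Assumptions: constructed toy DSA parameters p = 10007, q = 5003 serve as both $(p_i, q_i)$ and $(p'_i, q'_i)$, SHA-256 reduced mod q is the hash, and TimeStamp is a plain integer.

```python
import hashlib
import secrets

# Constructed toy DSA parameters standing in for (p_i, q_i): q | p - 1 and
# (p - 1) / q = 2 is even, as Theorem 3 requires. Real keys are 1024/160 bits.
P, Q = 10007, 5003

def digest(*parts):
    """Hash of the '||'-concatenated fields, reduced mod q for DSA."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_sign(g, x, h):
    """Standard DSA signature (r, s) on digest h with private key x and base g."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(g, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q if r else 0
        if r and s:
            return r, s

def dsa_verify(g, y, h, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(g, h * w % Q, P) * pow(y, r * w % Q, P)) % P % Q == r

def fresh_generator():
    """Theorem 3: drawing h from 1 < h <= (p-1)/2 already yields every g = h^((p-1)/q)."""
    h = secrets.randbelow((P - 1) // 2 - 1) + 2
    return pow(h, (P - 1) // Q, P)

def count_distinct_generators():
    """Theorem 1/2 check: the half range and the full range of h give the same q values of g."""
    half = {pow(h, (P - 1) // Q, P) for h in range(1, (P - 1) // 2 + 1)}
    full = {pow(h, (P - 1) // Q, P) for h in range(1, P)}
    return len(half), len(full)

def ca_member_keys(m):
    """First key set of group G_i: m distinct private keys x_{i,j} < q (see the Lemma)."""
    keys = set()
    while len(keys) < m:
        keys.add(secrets.randbelow(Q - 1) + 1)
    return sorted(keys)

def ca_second_keys():
    """Certified second set (g', y', x') shared by the whole group (p', q' reuse P, Q here)."""
    g2 = fresh_generator()
    x2 = secrets.randbelow(Q - 1) + 1
    return g2, pow(g2, x2, P), x2

class CSM:
    """Tamper-resistant module of member M_{i,j}: holds x_{i,j} and the second key set."""
    def __init__(self, x_ij, second):
        self.x = x_ij
        self.g2, self.y2, self.x2 = second

    def sign(self, data, timestamp):
        g = fresh_generator()                     # new g_{i,j,z} for this message
        y = pow(g, self.x, P)                     # y_{i,j,z} = g^x mod p, Eq. (2.3)
        msg = (data, y, g, P, Q, self.g2, self.y2, timestamp)
        sig1 = dsa_sign(g, self.x, digest(*msg))                # Sig1(msg)
        sig2 = dsa_sign(self.g2, self.x2, digest(sig1, *msg))   # Sig2(Sig1(msg)||msg)
        return {"msg": msg, "sig1": sig1, "sig2": sig2}         # Tx

def verify_tx(tx):
    """Receiver: Sig2 under the certified keys, then Sig1 under the uncertified fresh pair."""
    _, y, g, p, q, g2, y2, _ = tx["msg"]
    if (p, q) != (P, Q):
        return False
    ok2 = dsa_verify(g2, y2, digest(tx["sig1"], *tx["msg"]), tx["sig2"])
    ok1 = dsa_verify(g, y, digest(*tx["msg"]), tx["sig1"])
    return ok1 and ok2

def ca_open(tx, member_keys):
    """CA: the stored x_{i,j} with g^x mod p == y identifies the sender."""
    _, y, g, *_ = tx["msg"]
    for j, x in enumerate(member_keys):
        if pow(g, x, P) == y:
            return j
    return None

def outsider_tx(data, timestamp, second_public, x2_guess):
    """An entity knowing only (p, q) and the certified public keys (g', y') can build a
    valid Sig1 from its own (x, y, g) but must guess x' for Sig2; x2_guess is that guess."""
    g2, y2 = second_public
    x_fake, g = secrets.randbelow(Q - 1) + 1, fresh_generator()
    msg = (data, pow(g, x_fake, P), g, P, Q, g2, y2, timestamp)
    sig1 = dsa_sign(g, x_fake, digest(*msg))
    sig2 = dsa_sign(g2, x2_guess, digest(sig1, *msg))
    return {"msg": msg, "sig1": sig1, "sig2": sig2}
```

count_distinct_generators() confirms Theorem 1 by brute force, and outsider_tx shows why the second signature is needed: an entity that knows only $(p_i, q_i)$ produces a Sig1 that verifies on its own but no valid Sig2.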

Figure 3.3 The sign procedure by the member $M_{i,j} \in G_i$ on msg using the DSA and the keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i, x_{i,j})$ and $(p'_i, q'_i, g'_i, y'_i, x'_i)$.

Figure 3.4 The verify procedure using the DSA verification and the keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i)$ and $(p'_i, q'_i, g'_i, y'_i)$.

Opening Signatures

By storing incoming messages inside a CSM device in the receiving vehicle, the CA can identify malicious members as follows. The CA obtains from the stored message, msg, the public keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i)$. Then the CA gets from its database the

set of private keys $X_i = \{x_{i,1}, x_{i,2}, \ldots, x_{i,m}\}$ that are associated with the group public keys $(p_i, q_i)$. For each private key in set $X_i$, the CA applies Eq. (2.3) using $(y_{i,j,z}, g_{i,j,z}, p_i)$. The private key $x_{i,j}$ for which $(g_{i,j,z})^{x_{i,j}} \bmod p_i$ equals $y_{i,j,z}$ identifies the vehicle that transmitted the message msg. Otherwise, the CA applies the next private key to this process until a key is identified.

Anonymity and Unlinkability

Unlinkability is a property that must be met in communication protocols that provide anonymity. The signatures are unlinkable if it is computationally hard and infeasible to decide whether any two different signatures have been computed and produced by the same person [37][38]. Assume in the proposed protocol that $M_{i,j}$ generates two signatures: (A) signature $(r, s)$ using $(y_{i,j,1}, g_{i,j,1}, p_i, q_i, x_{i,j})$, and then signs $(r, s)$ using $(p'_i, q'_i, g'_i, y'_i, x'_i)$; (B) signature $(\tilde{r}, \tilde{s})$ using $(y_{i,j,2}, g_{i,j,2}, p_i, q_i, x_{i,j})$, and then signs $(\tilde{r}, \tilde{s})$ using $(p'_i, q'_i, g'_i, y'_i, x'_i)$. Linking the two signatures $(r, s)$ and $(\tilde{r}, \tilde{s})$, and their keys $(y_{i,j,1}, g_{i,j,1}, p_i, q_i, x_{i,j})$ and $(y_{i,j,2}, g_{i,j,2}, p_i, q_i, x_{i,j})$, respectively, is possible if an attacker can decide from Eq. (2.3) that $\log_{g_{i,j,1}}(y_{i,j,1}) = \log_{g_{i,j,2}}(y_{i,j,2}) = x_{i,j}$. In order for the attacker to solve $\log_{g_{i,j,1}}(y_{i,j,1})$ or $\log_{g_{i,j,2}}(y_{i,j,2})$ to find $x_{i,j}$, it is generally known that solving this discrete logarithm problem is computationally hard. Since the private key is unknown and cannot be computed, it is computationally hard to bind the public keys $\{g_{i,j,1}, g_{i,j,2}, \ldots, g_{i,j,q}\}$ and $\{y_{i,j,1}, y_{i,j,2}, \ldots, y_{i,j,q}\}$ to $M_{i,j} \in G_i$. Hence, it is difficult to link the

signature $(r)$ to $(\tilde{r})$ since $\tilde{r} \neq r$. The use of the pair of public keys $(p_i, q_i)$ does not bind the two signatures to $M_{i,j} \in G_i$, since this pair binds to all members $M_i = \{M_{i,1}, M_{i,2}, \ldots, M_{i,m}\}$ in $G_i$. Furthermore, it should be computationally hard to find two messages $m_1$ and $m_2$ such that their hash values are equal, i.e. $h(m_1) = h(m_2)$. This property of hash functions is referred to as collision resistance. Therefore, linking the two signatures $(s)$ and $(\tilde{s})$ is also hard since $k_1 \neq k_2$, $h(m_1) \neq h(m_2)$, and $\tilde{r} \neq r$ (where $k_1$ and $k_2$ are the two random numbers used in DSA to generate the signatures, as described in Chapter 2). Recall also that the signatures $(r, s)$ and $(\tilde{r}, \tilde{s})$ are then signed using DSA with the keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$. Those keys are certified by the CA and do not bind to a single $M_{i,j} \in G_i$. Those keys bind to all members $M_i = \{M_{i,1}, M_{i,2}, \ldots, M_{i,m}\}$ in $G_i$. Therefore, signatures in the proposed protocol are anonymous and unlinkable.

Security

The security of the proposed protocol relies on the difficulty of solving the discrete logarithm problem and on the security of the DSA. The authors in [46] proved the security of a large class of known signature schemes, such as the Schnorr Signature and DSA. They proved that these signature schemes are resistant to adaptive chosen-message attack. That is, it is infeasible to find the private key from signatures.

The proposed protocol is a broadcast one and not a handshake protocol. The main security threat to the protocol is the replay attack. My assumption of using time stamps and accurate time synchronization among vehicles in V2V communication

networks guarantees operation against replay attacks. Other security attacks, such as the man-in-the-middle attack, do not pose a threat to the protocol since those attacks require a mutual authentication or a handshake protocol. I also pointed out in the Signing Messages section that an attacker can obtain the public keys $(p_i, q_i)$ and then generate an arbitrary set of keys $(y_{i,j,z}, g_{i,j,z}, x_{i,j})$ such that Eq. (2.3) is satisfied. However, the same attacker also needs the second set of certified keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$ in order to complete the signature process and the attack. Since only the private key $x'_i$ is unknown, then by means of the secure DSA, the attacker cannot masquerade as a participant in V2V communication networks and generate a signature.

Members of the Same Group and their Generated Keys

Assume there are two members $(M_{i,1}, M_{i,2}) \in G_i$ in the same group and a pair of their generated keys $(y_{i,1,z}, g_{i,1,z})$ and $(y_{i,2,z}, g_{i,2,z})$, respectively. If $(y_{i,1,z}, g_{i,1,z}) = (y_{i,2,z}, g_{i,2,z})$, then the opening procedure will identify two private keys $x_{i,1}$ and $x_{i,2}$, where $y_{i,1,z} \equiv (g_{i,1,z})^{x_{i,1}} \bmod p$ and $y_{i,2,z} \equiv (g_{i,2,z})^{x_{i,2}} \bmod p$, respectively. In this case, it may be infeasible to identify the signer, and the system will be considered unreliable.

LEMMA: Members in the same group cannot generate equal public keys $y_{i,j,z}$.

PROOF In the proposed protocol, it is possible that $M_{i,1}$ and $M_{i,2}$ generate the same key $g_{i,1,z} = g_{i,2,z}$. Assume that $M_{i,1}$ and $M_{i,2}$ also generate two equal keys $y_{i,1,z}$ and

$y_{i,2,z}$ such that $y_{i,1,z} \equiv (g_{i,1,z})^{x_{i,1}} \bmod p$ and $y_{i,2,z} \equiv (g_{i,2,z})^{x_{i,2}} \bmod p$, respectively. Therefore, $(g_{i,1,z})^{x_{i,1}} \bmod p = (g_{i,2,z})^{x_{i,2}} \bmod p$, which implies that $x_{i,1} \equiv x_{i,2} \bmod (p-1)$ and $x_{i,1} = x_{i,2} + k(p-1)$ for some integer k. Hence, $(x_{i,1} - x_{i,2}) = k(p-1)$. Since $q \mid (p-1)$ also, the two members will generate the same keys $y_{i,1,z} = y_{i,2,z}$ if $(x_{i,1} - x_{i,2}) = nq$ for some integer $n > 0$. For this reason, to avoid generating the same keys, the CA chooses the private keys $x_{i,1}$ and $x_{i,2}$ to be less than q, according to the DSA, such that $(x_{i,1} - x_{i,2}) < q$.

Key Revocation

Group members are likely to join or be excluded from the group. In cases of forgery (as an example), the CA may find it necessary to delete members from a group, hence revoking their private keys. A revoked member should not be allowed to generate a valid signature in the future. In addition, the CA should preserve the anonymity of group members after membership revocation (backward unlinkability [40]). One simple solution is to issue a new pair of public keys, and new certificates, to all valid members whenever a member of a group is revoked. Therefore, all non-revoked members must be notified by the CA of the change and of the new certificates. This solution is inconvenient and expensive in terms of communications. Another solution is to have all non-revoked members look up revoked keys in a database. The approach is to provide a list of revoked keys called a Certificate Revocation List (CRL) [38][39]. This list contains information about the revoked keys. Each time a non-revoked member verifies a received signature, this member searches the list of revoked keys and makes sure that

the signature was not created by any of the revoked keys. This solution adds communication and computational costs to all non-revoked members. However, it is impossible to revoke keys and identify messages signed by these keys without the existence of infrastructure. Vehicles have to obtain the latest revocation list from the CA in order to look up revoked keys. In V2V safety applications, it is not feasible to search a revocation list since it may cause high communication latencies and additional processing time. The problem of finding an efficient key-revocation scheme is not an easy one, especially for safety-critical applications such as V2V communication networks. The problem of finding an efficient scheme to identify signatures that are signed by revoked keys is still open and under research.

A solution for key revocation in V2V communication networks for my proposed protocol is that the CA maintains a database that has a list of revoked private keys. When the CA revokes a private key, the CA updates this database to include this revoked key, and then performs a secure communication with the CSM device of the revoked key. This secure communication allows the CA to access the memory locations where the public keys and private keys $(p_i, q_i, x_{i,j}, p'_i, q'_i, g'_i, y'_i, x'_i)$ are stored, and then to zero these memory locations (maintenance role [11]). As a result, members with revoked keys have a CSM device without any key. This CSM device will not be able to generate signatures and transmit messages. Members with revoked keys have to obtain a new CSM device from the CA. The authors in [48][25] proposed a similar approach in three revocation protocols: RTPD (Revocation Protocol of the Tamper-Proof Device), RCCRL (Revocation protocol using Compressed Certificate Revocation Lists), and DRP

(Distributed Revocation Protocol). In RTPD, the CA has to know the vehicle's location in order to communicate securely with the CSM device via base stations. If a vehicle's location is determined, the CA sends a secure revocation message to erase the keys from the vehicle's CSM device. The authors suggested a backup mechanism, in case the location of a vehicle cannot be determined, by broadcasting the revocation message via low-speed FM radio or via a satellite. In RCCRL, the CA revokes only a subset of a vehicle's keys. According to [25], RCCRL can be used when the CSM device of the target vehicle is unreachable (e.g., because of jamming) and can be used to warn the neighbors of a revoked vehicle. In DRP, the CA revokes misbehaving vehicles (vehicles that transmit malicious data). Vehicles communicating with each other can detect and collect information about a neighboring misbehaving vehicle. This information is reported to the CA, which in turn will revoke the keys of the misbehaving vehicle.

The Validity Period of the Certified Keys and the CSM Device

The second set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$ that are certified by the CA should have a validity period. When the validity period is about to expire or has expired, a vehicle's CSM device with those keys communicates securely and anonymously with the CA to obtain a new set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$. The ISO/IEC protocol of [49] can be used to transfer the new keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$ to a vehicle's CSM device. I discuss next a communication protocol between the CA and a vehicle's CSM device that incorporates my proposed anonymity scheme, described in Section 3.1.2, into the ISO/IEC protocol.

During the procedure Generating Membership Keys and Certification, the CA stores in a vehicle's CSM device the CA's public key $P_{CA}$ and an asymmetric RSA pair of public and private keys $(P_M, X_M)$ that belong to $M_{i,j} \in G_i$. The CA maintains the public key $P_M$ in its secure database, as shown in Figure 3.5. In a secure communication channel, this vehicle's CSM device provides a request in a message $m_1$ to the CA, and generates the message

$m_2 = \mathrm{Enc}_{P_{CA}}(\mathrm{Enc}_{X_M}(\mathrm{Sig}(m_1)) \,\|\, m_1 \,\|\, \mathrm{TimeStamp})$,

where $\mathrm{Enc}_{\hat{p}}(m)$ means encrypting message m with the key $\hat{p}$. The signature $\mathrm{Sig}(m_1)$ is produced using my proposed protocol in the Signing Messages section with the keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i, x_{i,j})$, and the message $m_1$ contains the public keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i)$.

Figure 3.5 The CA's database with the RSA public keys $P_M$ for each member.

The CA gets the request from $m_1$ by decrypting $m_2$ using the CA's private key $Pv_{CA}$ to obtain $\mathrm{Enc}_{X_M}(\mathrm{Sig}(m_1)) \,\|\, m_1 \,\|\, \mathrm{TimeStamp}$. From the public keys $(y_{i,j,z}, g_{i,j,z}, p_i, q_i)$ in $m_1$, the CA gets from its database the private key $x_{i,j}$ that gives $y_{i,j,z} \equiv (g_{i,j,z})^{x_{i,j}} \bmod p_i$. Then, the CA gets from its database the public key $P_M$ of this vehicle that is associated with $x_{i,j}$. Finally, the CA performs a decryption operation using the vehicle's public key $P_M$ to verify the signature on message $m_1$. The CA provides the new keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$ in the message

$m_3 = \mathrm{Enc}_{Pv_{CA}}(\mathrm{Enc}_{P_M}(\mathrm{Sig}(N) \,\|\, N) \,\|\, \mathrm{TimeStamp})$.

The signature $\mathrm{Sig}(N)$ is produced using some set of DSA public keys owned by the CA that is included in message N. The vehicle's CSM device gets N by decrypting $m_3$ with the public key of the CA, $P_{CA}$, and then with its own private key $X_M$. Finally, the vehicle's CSM device authenticates the signature and accepts the new set of keys $(p'_i, q'_i, g'_i, y'_i, x'_i)$ in message N.

Number of Generated Keys

According to the U.S. Department of Transportation [50], the total number of registered vehicles in the United States in 2005 was 241,193,974 vehicles. For the purpose of calculations, assume 242 million vehicles are arranged into groups of vehicles each. Therefore, the CA has to generate distinct pairs of public keys $(p_i, q_i)$ and distinct second-set public keys $(p'_i, q'_i)$, for a total of public keys. Assume also that all those keys have a validity period of one day. In one

year, the CA has to issue 17,666,000 public keys. According to the prime number theorem [51], if a public modulus key p is of size 1024 bits, then the estimated total number of prime numbers that are less than p is . Therefore, the CA has years to consume all public keys. In a similar analysis, vehicles generate q distinct public keys $g_{i,j,z}$. Assume that a vehicle will generate those keys every five seconds. Then this vehicle will generate 6,307,200 public keys a year. Since q is of size 160 bits, this vehicle has years to consume all $g_{i,j,z}$. We should also keep in mind that the DSA may be revised in the near future to increase the size of the prime modulus p to 2048 bits for increased security.

3.2 Second Proposed Solution: Drivers' Anonymity using HMAC and AES

In this section, I present a secure broadcast protocol that preserves drivers' anonymity using symmetric algorithms: HMAC and AES. I will first present the system architecture in which V2I and V2V communication networks will be deployed. Then, I will present my proposed protocol and discuss its security and key management.

Public Key Infrastructure

A Public Key Infrastructure basically contains a single CA that provides security services (certificates, key management, certificate validation and status) to users. However, a single point of trust does not provide the scalability to support a very large number of users, such as highly mobile vehicles in vehicular network communication applications. Such applications require fast service time in handling several network messages from a large number of vehicles.

A typical solution to overcome the scalability problem is to have several CAs connected together to support several geographical regions and to create a certification hierarchy to support a larger and more feasible PKI, as shown in Fig. 3.6. I refer to a CA in this network as a Core-CA. All Core-CAs are controlled by a higher-authority entity that I refer to as the Root-CA. The Root-CA oversees and monitors the operations of each Core-CA, sets up and installs new Core-CAs, generates certificates for Core-CAs, and operates a key-management process. Each Core-CA has its own unique certificate that is generated and signed by the Root-CA.

Figure 3.6 A network of Core-CAs that is controlled by a Root-CA.

The main operations of a Core-CA are:
1. A Core-CA trusts and communicates with a neighboring Core-CA which is within its communication range. When two Core-CAs communicate with each other, they run a mutual authentication protocol and validate each other's certificates.
2. A Core-CA generates and signs certificates for vehicles that are registered in its own geographical region.

3. When a vehicle and its Core-CA communicate with each other, the Core-CA validates the certificate of this vehicle, authenticates the vehicle's message and processes its request.
4. A Core-CA broadcasts its certificate for vehicles to use when they communicate with the Core-CA.

The type of network that Core-CAs form has the following three attributes:

First Attribute: Network Configuration

This network may have three different configurations. Each configuration has its own pros and cons.

i) In the first configuration, a vehicle initially carries its own certificate, the certificate of the Core-CA to which it belongs and the Root-CA's certificate. When a vehicle travels from one region to another neighboring region, the vehicle's certificate also gets transmitted along the vehicle's path from one Core-CA to another. Figure 3.7 shows an example of the communication and authentication processes when a vehicle moves from one region controlled by a Core-CA to another region controlled by a different Core-CA. Figure 3.7 shows three Core-CAs: Core-CA1, Core-CA2 and Core-CA3. Each one has its own database: Core-CA1 database, Core-CA2 database and Core-CA3 database. The figure also shows a vehicle represented by its memory: V's memory. Initially, Core-CA1 issued a certificate for vehicle V. The memory of vehicle V contains the vehicle's pair of public and private keys (the public key is in the vehicle's certificate), Core-CA1's certificate and the Root-CA's certificate. The database of Core-CA1 contains vehicle V's certificate, while the databases of Core-CA2 and Core-CA3 do not have vehicle V's certificate. The following steps explain how a vehicle's

80 68 certfcate s beng transferred from one Core-CA to another. Note that, n the followng steps of operatons t s always mpled that Core-CAs run a mutual authentcaton protocol n order to authentcate each other and then exchange nformaton between them. Fgure 3.7 The communcaton steps that are performed between a vehcle and a Core-CA, and between two Core-CAs, when a vehcle moves from one regon controlled by one Core- CA to another regon controlled by a dfferent Core-CA. When a vehcle communcates wth a Core-CA, the vehcle prepares a message that contans a request, Re quest, the vehcle s dentty and an ndex to the Core-CA wth whch ths vehcle has last communcated. The request message, Re quest, contans nformaton about the type of the request, such as requestng new cryptographc keys. Fgure 3.8 shows an example of the contents of a message that a vehcle prepares to send to a Core-CA. I assume that the vehcle s dentfed usng four

81 69 bytes, and there are Core-CAs that are ndexed usng two bytes, and the request data has two bytes. Fgure 3.8 The contents of a message that a vehcle prepares to be sent to a Core-CA. In Step (1) of Fgure 3.7, when vehcle (V) communcates wth Core-CA1, the vehcle sgns ts message usng ts prvate key and encrypts the outcome usng Core- CA1 s publc key: ( V ) (Core - CA1) : Encrypt UCore CA 1 ( Sgn PV ( ID V IndexCA1 Re quest)) where U Core CA1 s the publc key of Core-CA1, P s the prvate key of vehcle (V), V ID V s the dentty of vehcle V, and IndexCA 1 s the ndex to Core-CA1 wth whch ths vehcle has last communcated. Core-CA1 uses ts own prvate key to decrypt the receved message. Then, Core-CA1 checks for the ndex of the Core-CA wth whch ths vehcle has last communcated. Core-CA1 fnds out that ths vehcle belongs to t, and hence t searches n ts database for the publc key of ths vehcle to valdate the receved sgnature. Suppose that vehcle V moves from the regon where Core-CA1 exsts to a new regon that s controlled by Core-CA2. Snce Core-CA2 broadcasts ts certfcate for vehcles to use, vehcle V gets Core-CA2 s certfcate from the broadcasted message and valdates ts authentcty usng Root-CA s publc key. In Step (2), vehcle V sgns ts message usng ts prvate key and encrypts the outcome usng Core-CA2 s publc key: ( V ) (Core - CA2) : Encrypt U Core CA2 ( Sgn P V ( ID V IndexCA1 Re quest))

82 70 where U Core CA2 s the publc key of Core-CA2. Then, Core-CA2 uses ts own prvate key to decrypt the receved message. Core-CA2 checks for the ndex of the Core-CA wth whch ths vehcle has last communcated. Core-CA2 fnds out that ths vehcle was n Core-CA1 s regon. Hence, n Steps (3) and (4), Core-CA2 runs a mutual authentcaton protocol wth Core-CA1 and requests from Core-CA1 to authentcate vehcle V s message. After a successful authentcaton, Core-CA1 sends vehcle V s certfcate to Core-CA2, and consequently Core-CA2 updates ts database to nclude vehcle V s publc key. In Step (5), Core-CA2 responds to vehcle V s request. Smlarly, when vehcle V moves from the regon that s controlled by Core-CA2 to a new regon that s controlled by Core-CA3, vehcle V gets Core-CA3 s certfcate from Core-CA3 s broadcast message and valdates ts authentcty usng Root-CA s publc key. In Step (6) vehcle V sgns ts message usng ts prvate key and encrypts the outcome usng Core-CA3 s publc key: ( V ) (Core - CA3) : Encrypt U Core CA3 ( Sgn P V ( ID V IndexCA2 Re quest)) where U s the publc key of Core-CA3, and IndexCA 2 s the ndex to Core-CA2 Core CA3 wth whch ths vehcle has last communcated. Then, Core-CA3 uses ts own prvate key to decrypt the receved message. Core-CA3 checks for the ndex of the Core-CA wth whch ths vehcle has last communcated. Core-CA3 fnds out that ths vehcle was n Core-CA2 s regon. Hence, n Steps (7) and (8), Core-CA3 runs a mutual authentcaton protocol wth Core-CA2 and requests from Core-CA2 to authentcate vehcle V s message. After a successful authentcaton, Core-CA2 sends vehcle s certfcate to Core-CA3. Consequently, Core-CA3 updates ts database to nclude vehcle V s publc key. Fnally, In Step (9), Core-CA3 responds to vehcle V s request.
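The handoff of Steps (1) to (9) above, written out as a runnable Go example that is added here and is not code from the dissertation. ECDSA P-256 and RSA-2048 OAEP stand in for the signature and encryption schemes the text does not fix; the 8-byte message follows the Figure 3.8 field sizes with big-endian order assumed; the vehicle's validation of a broadcast Core-CA certificate against the Root-CA and the mutual authentication between Core-CAs are assumed to have already happened and are not modelled; the vehicle ID and the request code are constructed values. One point the example makes explicit: the receiving Core-CA must read the index of the previous Core-CA before it is able to verify the vehicle's signature, so it honours that index only for a configured neighbour and stores the forwarded key only after the signature checks out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Vehicle signs with ECDSA P-256, a stand-in for the signature scheme the text leaves open.
type Vehicle struct {
	ID   uint32
	priv *ecdsa.PrivateKey
	last uint16 // index of the Core-CA this vehicle last communicated with
}

// CoreCA decrypts with RSA-2048 OAEP (a stand-in for the unspecified encryption); peers are the
// neighbouring Core-CAs, whose mutual authentication is assumed to have run already.
type CoreCA struct {
	Index uint16
	priv  *rsa.PrivateKey
	db    map[uint32]*ecdsa.PublicKey // vehicle ID -> public key from the vehicle's certificate
	peers map[uint16]*CoreCA
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewVehicle(id uint32) *Vehicle {
	return &Vehicle{ID: id, priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

func NewCoreCA(idx uint16) *CoreCA {
	return &CoreCA{idx, must(rsa.GenerateKey(rand.Reader, 2048)), map[uint32]*ecdsa.PublicKey{}, map[uint16]*CoreCA{}}
}

// Register models the home Core-CA issuing V's certificate (the initial state of Figure 3.7).
func (ca *CoreCA) Register(v *Vehicle) { ca.db[v.ID] = &v.priv.PublicKey; v.last = ca.Index }

// Send builds Encrypt_U_CA( Sign_P_V( ID_V || Index_lastCA || Request ) ) in the Figure 3.8 layout
// (4-byte ID, 2-byte index, 2-byte request; big-endian assumed) for an already validated Core-CA cert.
func (v *Vehicle) Send(caIndex uint16, caPub *rsa.PublicKey, request uint16) ([]byte, error) {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint32(msg[0:4], v.ID)
	binary.BigEndian.PutUint16(msg[4:6], v.last)
	binary.BigEndian.PutUint16(msg[6:8], request)
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, v.priv, h[:])
	if err != nil {
		return nil, err
	}
	v.last = caIndex
	// 8-byte message plus a ~72-byte DER signature fits in one RSA-2048 OAEP block (190-byte limit).
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, caPub, append(msg, sig...), nil)
}

// Receive decrypts, takes V's public key from its own database or from the neighbour named by the
// index (Steps (3)/(4)), verifies the signature and only then stores the key. Unknown indexes are not honoured.
func (ca *CoreCA) Receive(ct []byte) (uint32, uint16, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, ca.priv, ct, nil)
	if err != nil || len(pt) <= 8 {
		return 0, 0, fmt.Errorf("decryption failed or message too short")
	}
	vehicleID, lastCA := binary.BigEndian.Uint32(pt[0:4]), binary.BigEndian.Uint16(pt[4:6])
	pub, ok := ca.db[vehicleID]
	if prev := ca.peers[lastCA]; !ok && prev != nil {
		pub, ok = prev.db[vehicleID] // Steps (3)/(4): the neighbour forwards V's certificate
	}
	if !ok {
		return 0, 0, fmt.Errorf("vehicle %#x unknown here and at Core-CA index %d", vehicleID, lastCA)
	}
	if h := sha256.Sum256(pt[:8]); !ecdsa.VerifyASN1(pub, h[:], pt[8:]) {
		return 0, 0, fmt.Errorf("signature of vehicle %#x does not verify", vehicleID)
	}
	ca.db[vehicleID] = pub // database updated with V's public key (Steps (4) and (8))
	return vehicleID, binary.BigEndian.Uint16(pt[6:8]), nil
}

// main replays Figure 3.7 with CA1-CA2 and CA2-CA3 as neighbours: CA1 issues V's certificate, then V
// talks to CA1 (Step 1), CA2 (Steps 2-5) and CA3 (Steps 6-9); each Core-CA ends up holding V's key.
func main() {
	ca1, ca2, ca3 := NewCoreCA(1), NewCoreCA(2), NewCoreCA(3)
	ca2.peers[1], ca3.peers[2] = ca1, ca2
	v := NewVehicle(0x0000BEEF) // constructed vehicle ID
	ca1.Register(v)
	for _, ca := range []*CoreCA{ca1, ca2, ca3} {
		ct, err := v.Send(ca.Index, &ca.priv.PublicKey, 0x0001) // 0x0001: assumed "new keys" request code
		if err == nil {
			_, _, err = ca.Receive(ct)
		}
		fmt.Printf("Core-CA%d: err=%v, holds V's key=%v\n", ca.Index, err, ca.db[v.ID] != nil)
	}
}
```

Running it prints one line per Core-CA with no error and the key held at all three, which is the certificate transfer of Figure 3.7. A message from a vehicle that names a Core-CA which never issued it a certificate, or that names an index the receiver has no neighbour for, is rejected before anything is cached, because the forwarded key is used to verify the signature first and stored only on success.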

ii) In the second configuration, the certificates of all CAs are pre-installed in vehicles. Thus, a vehicle can encrypt messages with the public key of the CA of the region in which it is driving. However, CAs still need to communicate with each other to validate the authenticity of a vehicle. In this configuration, the memory of each vehicle must grow to hold the certificates of all CAs, in exchange for a small saving in processing time and communication delays. This configuration has a scalability problem for two reasons. First, if the certificate of a CA is to be revoked, then all vehicles must update their memory to revoke the old certificate and add the new one. Second, if new CAs are installed for newly developed regions, then the memory of all vehicles needs to be updated with the certificates of the new CAs. Thus, this configuration may not be a feasible solution for V2V communications.

iii) In the third configuration, the certificates of all CAs are pre-installed in vehicles, and each CA has the certificates of all vehicles. Thus, CAs do not need to communicate with each other to authenticate vehicles, which removes the communication delays produced by CA-to-CA communications. However, this configuration also has a scalability problem and does not provide feasible key management and PKI. As a result, for V2V communications, this configuration is not a feasible solution either.

For the rest of this section, I assume the first configuration of my proposed system architecture.

Second Attribute: Expansion of the Network of Core-CAs

The second attribute of my proposed architecture is that a new Core-CA can be set up and added to the network to support sub-regions or even new regions. The higher-authority Root-CA will issue a certificate to the new Core-CA, and the new Core-CA can then communicate with other neighboring Core-CAs. This process is also transparent to vehicles, since the authentication of vehicles is performed at the Core-CAs' level, as I pointed out earlier.

Third Attribute: Load Sharing with Load-Router (LR) Devices

A Core-CA can control its load by setting up devices and distributing the load among them. I refer to these devices as Load-Routers (LRs). A single-server Core-CA may not be able to handle thousands of requests from vehicles in its region. Obviously, this will degrade the performance of the network and introduce delays in service times to vehicles, which is undesirable for highly mobile vehicles. A Core-CA should be able to distribute the load among several LR devices that are connected together. For example, Figure 3.9 shows two Core-CAs, each with four LR devices.

Figure 3.9 A hierarchical level of CAs that shows two Core-CAs where each one has four LRs.


More information

Clustering Based Fractional Frequency Reuse and Fair Resource Allocation in Multi-cell Networks

Clustering Based Fractional Frequency Reuse and Fair Resource Allocation in Multi-cell Networks Ths full text paper was peer revewed at the drecton of IEEE Communcatons Socety subject matter experts for publcaton n the IEEE ICC 21 proceedngs Clusterng Based Fractonal Frequency Reuse and Far Resource

More information

LOKS: Low-Overhead Forward and Backward Key Secrecy in WSNs

LOKS: Low-Overhead Forward and Backward Key Secrecy in WSNs LOKS: Low-Overhead Forward and Backward Key Seecy n WSNs Malvka Ashok CSE Department M. M. Engneerng College M. M. Unversty Mullana, Ambala, Haryana, Inda-3307 Roht Vad CSE Department M. M. Engneerng College

More information

Control Chart. Control Chart - history. Process in control. Developed in 1920 s. By Dr. Walter A. Shewhart

Control Chart. Control Chart - history. Process in control. Developed in 1920 s. By Dr. Walter A. Shewhart Control Chart - hstory Control Chart Developed n 920 s By Dr. Walter A. Shewhart 2 Process n control A phenomenon s sad to be controlled when, through the use of past experence, we can predct, at least

More information

PRO- CRIMPER* III Hand Crimping

PRO- CRIMPER* III Hand Crimping PRO- CRIMPER* III Hand Crmpng Instructon Sheet Tool Assembly 58641-1 wth 408-4379 De Assembly 58641-2 18 JUN 09 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Figure.1. Basic model of an impedance source converter JCHPS Special Issue 12: August Page 13

Figure.1. Basic model of an impedance source converter JCHPS Special Issue 12: August Page 13 A Hgh Gan DC - DC Converter wth Soft Swtchng and Power actor Correcton for Renewable Energy Applcaton T. Selvakumaran* and. Svachdambaranathan Department of EEE, Sathyabama Unversty, Chenna, Inda. *Correspondng

More information

PRO- CRIMPER* III Hand

PRO- CRIMPER* III Hand PRO- CRIMPER* III Hand Instructon Sheet Crmpng Tool Assembly 58529-1 408-9999 wth De Assembly 58529-2 11 AUG 14 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

onlinecomponents.com

onlinecomponents.com PRO- CRIMPER* III Hand Crmpng Instructon Sheet Tool Assembly 58535-1 wth 408-4021 De Assembly 58535-2 29 JUL 09 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Throughput Maximization by Adaptive Threshold Adjustment for AMC Systems

Throughput Maximization by Adaptive Threshold Adjustment for AMC Systems APSIPA ASC 2011 X an Throughput Maxmzaton by Adaptve Threshold Adjustment for AMC Systems We-Shun Lao and Hsuan-Jung Su Graduate Insttute of Communcaton Engneerng Department of Electrcal Engneerng Natonal

More information

熊本大学学術リポジトリ. Kumamoto University Repositor

熊本大学学術リポジトリ. Kumamoto University Repositor 熊本大学学術リポジトリ Kumamoto Unversty Repostor Ttle Wreless LAN Based Indoor Poston and Its Smulaton Author(s) Ktasuka, Teruak; Nakansh, Tsune CtatonIEEE Pacfc RIM Conference on Comm Computers, and Sgnal Processng

More information

Optimal Placement of PMU and RTU by Hybrid Genetic Algorithm and Simulated Annealing for Multiarea Power System State Estimation

Optimal Placement of PMU and RTU by Hybrid Genetic Algorithm and Simulated Annealing for Multiarea Power System State Estimation T. Kerdchuen and W. Ongsakul / GMSARN Internatonal Journal (09) - Optmal Placement of and by Hybrd Genetc Algorthm and Smulated Annealng for Multarea Power System State Estmaton Thawatch Kerdchuen and

More information

Xiuqing Chen 1 *, Tianjie Cao 1 *, Jingxuan Zhai 1, Yu Guo 2 1 School of Computer, China University of Mining and Technology, Xuzhou,

Xiuqing Chen 1 *, Tianjie Cao 1 *, Jingxuan Zhai 1, Yu Guo 2 1 School of Computer, China University of Mining and Technology, Xuzhou, [Type text] [Type text] [Type text] ISSN : 0974-7435 Volume 0 Issue 9 BoTechnology 04 An Indan Journal FULL PAPE BTAIJ, 0(9, 04 [3908-397] Securty lghtweght FID protocol for U- healthcare system Xuqng

More information

An Activity Based Mobility Prediction Strategy Using Markov Modeling for Wireless Networks

An Activity Based Mobility Prediction Strategy Using Markov Modeling for Wireless Networks An Actvty Based Moblty Predcton Strategy Usng Markov Modelng for Wreless Networks R.V. Mathvarun and V.Vadeh Abstract: The foremost objectve of a wreless network s to facltate the communcaton of moble

More information

NETWORK 2001 Transportation Planning Under Multiple Objectives

NETWORK 2001 Transportation Planning Under Multiple Objectives NETWORK 200 Transportaton Plannng Under Multple Objectves Woodam Chung Graduate Research Assstant, Department of Forest Engneerng, Oregon State Unversty, Corvalls, OR9733, Tel: (54) 737-4952, Fax: (54)

More information

RC Filters TEP Related Topics Principle Equipment

RC Filters TEP Related Topics Principle Equipment RC Flters TEP Related Topcs Hgh-pass, low-pass, Wen-Robnson brdge, parallel-t flters, dfferentatng network, ntegratng network, step response, square wave, transfer functon. Prncple Resstor-Capactor (RC)

More information

PRO- CRIMPER* III Hand

PRO- CRIMPER* III Hand PRO- CRIMPER* III Hand Instructon Sheet Crmpng Tool Assembly 90684-1 408-9934 wth De Assembly 90684-2 09 OCT 09 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Network-Hiding Communication and Applications to Multi-Party Protocols

Network-Hiding Communication and Applications to Multi-Party Protocols Network-Hdng Communcaton and Applcatons to Mult-Party Protocols Martn Hrt 1, Uel Maurer 1, Danel Tschud 1, and Vassls Zkas 2 1 ETH Zurch {hrt, maurer, tschudd}@nf.ethz.ch 2 RPI vzkas@cs.rp.edu Abstract.

More information

problems palette of David Rock and Mary K. Porter 6. A local musician comes to your school to give a performance

problems palette of David Rock and Mary K. Porter 6. A local musician comes to your school to give a performance palette of problems Davd Rock and Mary K. Porter 1. If n represents an nteger, whch of the followng expressons yelds the greatest value? n,, n, n, n n. A 60-watt lghtbulb s used for 95 hours before t burns

More information

PRO- CRIMPER* III Hand Crimping

PRO- CRIMPER* III Hand Crimping PRO- CRIMPER* III Hand Crmpng Instructon Sheet Tool 58448-2 408-9357 Wth De 58448-3 10 Mar 11 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually powered hand

More information

PRO- CRIMPER* III Hand

PRO- CRIMPER* III Hand PRO- CRIMPER* III Hand Instructon Sheet Crmpng Tool Assembly 90759-1 408-9962 wth De Assembly 90759-2 03 MAY 11 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Distributed Fault Detection of Wireless Sensor Networks

Distributed Fault Detection of Wireless Sensor Networks Dstrbuted Fault Detecton of Wreless Sensor Networs Jnran Chen, Shubha Kher, and Arun Soman Dependable Computng and Networng Lab Iowa State Unversty Ames, Iowa 50010 {jrchen, shubha, arun}@astate.edu ABSTRACT

More information

Fall 2018 #11 Games and Nimbers. A. Game. 0.5 seconds, 64 megabytes

Fall 2018 #11 Games and Nimbers. A. Game. 0.5 seconds, 64 megabytes 5-95 Fall 08 # Games and Nmbers A. Game 0.5 seconds, 64 megabytes There s a legend n the IT Cty college. A student that faled to answer all questons on the game theory exam s gven one more chance by hs

More information

A Fuzzy-based Routing Strategy for Multihop Cognitive Radio Networks

A Fuzzy-based Routing Strategy for Multihop Cognitive Radio Networks 74 Internatonal Journal of Communcaton Networks and Informaton Securty (IJCNIS) Vol. 3, No., Aprl 0 A Fuzzy-based Routng Strategy for Multhop Cogntve Rado Networks Al El Masr, Naceur Malouch and Hcham

More information

EMA. Education Maintenance Allowance (EMA) Financial Details Form 2017/18. student finance wales cyllid myfyrwyr cymru.

EMA. Education Maintenance Allowance (EMA) Financial Details Form 2017/18. student finance wales cyllid myfyrwyr cymru. student fnance wales cylld myfyrwyr cymru Educaton Mantenance Allowance (EMA) Fnancal Detals Form 2017/18 sound advce on STUDENT FINANCE EMA Educaton Mantenance Allowance (EMA) 2017/18 /A How to complete

More information

Modeling Hierarchical Event Streams in System Level Performance Analysis

Modeling Hierarchical Event Streams in System Level Performance Analysis Modelng Herarchcal Event Streams n System Level Performance Analyss IK Report 9 obas Ren, Ka Lampka, Lothar hele Computer Engneerng and Networks Laboratory Swss Federal Instsute of echnology (EH) Zurch,

More information

PRO- CRIMPER* III Hand Crimping

PRO- CRIMPER* III Hand Crimping PRO- CRIMPER* III Hand Crmpng Instructon Sheet Tool Assembly 91338-1 408-8377 wth De Assembly 91338-2 22 JUL 09 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

PRO- CRIMPER III Hand Crimping Tool Assembly INSTALLATION AND REMOVAL OF DIE SET AND LOCATOR ASSEMBLY (Figure 2)

PRO- CRIMPER III Hand Crimping Tool Assembly INSTALLATION AND REMOVAL OF DIE SET AND LOCATOR ASSEMBLY (Figure 2) PRO- CRIMPER* III Hand Crmpng Instructon Sheet Tool Assembly 90547-1 wth 408-9884 De Assembly 90547-2 02 NOV 09 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Joint Adaptive Modulation and Power Allocation in Cognitive Radio Networks

Joint Adaptive Modulation and Power Allocation in Cognitive Radio Networks I. J. Communcatons, etwork and System Scences, 8, 3, 7-83 Publshed Onlne August 8 n ScRes (http://www.scrp.org/journal/jcns/). Jont Adaptve Modulaton and Power Allocaton n Cogntve Rado etworks Dong LI,

More information

PRO-CRIMPER* III Hand Tool Assembly with Die Assembly

PRO-CRIMPER* III Hand Tool Assembly with Die Assembly PRO-CRIMPER* III Hand Tool Assembly 2063778-1 wth De Assembly 2063778-2 Instructon Sheet 408-10290 02 FEB 12 PROPER USE GUIDELINES Cumulatve Trauma Dsorders can result from the prolonged use of manually

More information

Inverse Halftoning Method Using Pattern Substitution Based Data Hiding Scheme

Inverse Halftoning Method Using Pattern Substitution Based Data Hiding Scheme Proceedngs of the World Congress on Engneerng 2011 Vol II, July 6-8, 2011, London, U.K. Inverse Halftonng Method Usng Pattern Substtuton Based Data Hdng Scheme Me-Y Wu, Ja-Hong Lee and Hong-Je Wu Abstract

More information