Efficient Mechanisms to Provide Convoy Member and Vehicle Sequence Authentication in VANETs


Ahren Studer, Mark Luk, Adrian Perrig
Electrical and Computer Engineering, Carnegie Mellon University
{astuder, mluk, adrian}@ece.cmu.edu

Abstract

Vehicular Ad hoc Networks (VANETs) are on the verge of deployment. In the near future, wireless vehicle-to-vehicle and vehicle-to-infrastructure communication will enable numerous safety, convenience, and business applications. Security is a necessary pre-requisite for adoption of these technologies. As we demonstrate in this paper, VANETs require two new security properties: Convoy Member Authentication (CMA) and Vehicle Sequence Authentication (VSA). These security properties detect a range of VANET attacks. We propose novel protocols that provide CMA and VSA. We analyze and evaluate our protocols and conclude that they represent an important step towards enhancing VANET security.

I. INTRODUCTION

In 2005, there were 43,443 traffic fatalities in the United States alone [17]! The government and many manufacturers are pushing for increased safety mechanisms in vehicles to address the rising number of fatalities and to reduce the $260 billion spent annually on accident-related healthcare [6]. Current state of the art automotive safety solutions use range finding lasers and other expensive hardware to provide drivers of high-end vehicles with more information about their surroundings. Within five years, manufacturers will deploy vehicles with dedicated short range communication (DSRC) capabilities at a fraction of the cost of today's safety solutions to provide the same functionality. DSRC allows a vehicle's On Board Unit (OBU) to communicate with other OBUs and Road Side Units (RSUs) to form a Vehicular Ad Hoc Network (VANET). In addition to safety applications, VANETs will provide convenience and commercial applications to reduce time on the road and to improve driving experience.

Given the highly safety-sensitive nature of VANETs and the risks associated with their wireless communication, it is clear that we need to secure these networks against adversarial activity.

Manufacturers will deploy a number of safety applications once VANETs become available [1]. These safety applications include: Electronic Emergency Brake Light (EEBL), Road Hazard Condition Notification (RHCN), Road Feature Notification (RFN), Slow Vehicle Alert (SVA), and Post Crash Notification (PCN). These applications help alert other drivers of dangerous situations or conditions. EEBL alerts drivers when a vehicle rapidly decelerates, to reduce the chance of rear-end collisions. RHCN broadcasts alerts about debris (e.g., ice or trash) on the road. RFN alerts drivers when they approach a steep hill or a section with a notably lower speed limit (e.g., a school). SVA and PCN alert drivers of a slow vehicle or a possible crash in the lanes ahead. Alerts from these VANET applications provide drivers more time to react to dangerous conditions, reducing the chance of an accident.

Our key insight is that VANET safety applications require authentication of the physical properties of the sender for security, not just traditional cryptography based identity authentication. Safety alerts are only relevant if the braking car, patch of ice, or accident is on the road in front of the recipient in what we call the Area of Relevance (AOR). A malicious entity could falsely claim a position in front of recipients and broadcast fake alerts as a way to disrupt traffic. To identify cars in the AOR, we introduce Convoy Member Authentication (CMA) and Vehicle Sequence Authentication (VSA) to verify the sender of the alert is traveling with and in front of the recipient. If OBUs have CMA and VSA, attackers can only fool a recipient with a fake alert while physically in a victim's AOR.

Although several VANET security mechanisms have been proposed [10], [11], [18], [20], [21], [27], none of the proposed mechanisms that we are aware of address all of the requirements needed to secure VANET safety applications. These works focus on authentication of the identity of another OBU, rather than authentication of the validity of the alert. More concretely, under previous approaches an attacker could easily sign a spurious safety message, which could cause drivers to unnecessarily apply their brakes or change lanes.

In essence, the problem we address in this paper is to verify that a given message indeed originates from a legitimate vehicle driving on the same road ahead of the recipient's current location (i.e., inside the Area Of Relevance (AOR)). Simultaneously, this security mechanism will also provide a useful filter against non-malicious useless messages: e.g., a braking alert from a vehicle driving on a nearby road or in the opposite direction on the same road. Since DSRC messages have an expected range on the order of 300 meters, such a filter is critical to avoid spurious false alarms. More specifically, there are three attacks in particular that we will defend against in this paper: an attacker that attempts to inject alerts in opposing traffic, a stationary attacker on the side of the road that tries to inject bogus alerts, and an attacker driving on the road who is trying to fake an alert to vehicles ahead of it, claiming to drive in front of them.

Unfortunately, current approaches for secure positioning [4], [12]-[15] address the dual problem, where a node attempts to correctly determine its own location despite the presence of an adversary, as compared to the challenge in VANETs where nodes know their own location and wish to verify the location of other nodes. Mechanisms for secure location verification [2], [3], [23] represent a more general approach for location claim verification, however, prior approaches make use of trusted infrastructure which may not be available in a VANET context. Moreover, the location verification problem we address in this paper is a significantly simplified problem because we only need to verify whether the vehicle is in front or behind with respect to a line perpendicular to the current direction; thus, we hope to achieve a much more efficient mechanism.

The IEEE 1609.2 standard [11]. The current IEEE standard provides guidelines for secure message formats and how to process those messages in VANETs. This information is an important step when designing systems to operate in environments with entities from several manufacturers. However, the IEEE standard does not provide any specific protocol. The general framework suggests the use of a Public Key Infrastructure. Unfortunately, a PKI does not fulfill the security requirements of many VANET safety applications because identification of the vehicle that sends a message through authentication or signature techniques is often unnecessary in VANETs. Instead, for safety messages, the important property that needs to be verified is that the sender is a legitimate vehicle driving on the same road ahead of the receiver. The current standard implies that digital signatures provide all of the authentication needed for vehicle-to-vehicle and vehicle-to-infrastructure (i.e., RSUs) communication.
Unfortunately, the current standard provides no provisions for verifying that a sender is a legitimate vehicle driving on the road. Similarly, for safety applications, the identity of the signer is often not the important property to authenticate, but location and movement of the signer needs to be verified. Mechanisms that verify these physical properties will filter spurious alerts and detect a variety of malicious activities. With such mechanisms in place, attackers are forced to drive in the AOR of the vehicles they desire to attack. Thus, the focus of prior work on vehicle identification is insufficient and not even necessary for several applications.

Paper Contributions. The main contributions of this work include:

• We observe that identification of vehicles is of little importance to VANET safety applications. Instead, we propose that the physical location and movement of the sender requires verification.
• We provide formal definitions for the physical properties needed to help secure VANET safety applications. Convoy Member Authentication (CMA) allows a vehicle to determine which vehicles are driving in the same direction on the same road. To determine the order of vehicles on a road, we introduce Vehicle Sequence Authentication (VSA).
• We present BCMA (Beacon-based Convoy Member Authentication), a mechanism to provide CMA and TVSA (Timing-Based Vehicle Sequence Authentication), novel security mechanisms to provide VSA.
• We analyze, implement, and evaluate our security mechanisms in a realistic VANET simulator.

Outline. In Section II, we provide formal definitions for our attacker model, CMA, and VSA, and state our assumptions. We introduce our mechanism to provide CMA in Section III. Section IV introduces our mechanisms to provide VSA. We present simulation results of our CMA and VSA mechanisms in Section V. We discuss how our work relates to previous publications in Section VI, and make concluding remarks in Section VII.

II. PROBLEM DEFINITION

In this section, we provide a concise problem definition, state our assumptions, and present our attacker model.

A. Problem Definition

Numerous papers have discussed the high level security requirements of VANETs such as authentication of parties, or how to provide privacy. In this work we focus on the physical properties needed to ensure proper operation of safety applications. More specifically, the challenge is to verify that the source of an alert is driving on the same road and in the same direction as the recipient (Convoy Member Authentication (CMA)), and that the sender is ahead on the road (Vehicle Sequence Authentication (VSA)). Figure 1 shows how the combination of CMA and VSA helps identify which vehicles are in a region we call the Area of Relevance (AOR). The size of the AOR should change with speed to reflect how long it will take a vehicle to reach the site of an alert. For example, a vehicle on the highway traveling at 110 km/h will have an AOR that includes all of the lanes of traffic heading the same direction 300 meters in front of the OBU (or roughly the region the vehicle may traverse in the next 10 seconds). The same vehicle in an urban environment may slow down to 40 km/h. At this slower speed, the AOR will decrease to only include any traffic traveling the same direction as the OBU and within 110 meters ahead of the vehicle. If the OBU provides the driver with numerous spurious alerts from outside the AOR (e.g., debris on the other side of the road, a braking vehicle a significant distance ahead on the road, or a crash behind the vehicle), the driver will start ignoring the OBU and the applications will fail to improve roadway safety. Instead, we must provide mechanisms that authenticate physical properties in the face of inaccurate location claims from malfunctioning OBUs or malicious parties trying to cause confusion.

To help OBUs identify which vehicles are traveling together on the same road we propose the Convoy Member property.
We formally define a group of vehicles traveling together in the same direction on the same road as Convoy(α,β). The same road is defined as any lanes of traffic without a physical barrier between them. If OBUs are sparse, the convoy consists of every vehicle within a radius of α meters traveling the same direction on the same road. The value of α changes with vehicle speed to reflect the area the vehicle may encounter in the next ten seconds. If OBUs are dense, the OBU only monitors the β closest vehicles traveling the same direction on the same road. We can afford to only monitor the β closest OBUs because safety messages do not need to propagate as far when traffic is congested and moving slowly.

Fig. 1. How vehicle A combines CMA & VSA to form the AOR.

In Section III, we introduce our mechanism to provide Convoy Member Authentication (CMA). A positive for CMA is the detection of an OBU that falsely claims a position in the convoy. An accurate CMA mechanism has a low probability of excluding legitimate vehicles from the convoy (low false positive), and a high probability of detecting vehicles that incorrectly claim to be part of the convoy (high true positive).

CMA alone does not fulfill the requirements of some safety applications. For example, it sounds reasonable for the OBU to alert the driver whenever a member of the convoy generates an Electronic Emergency Brake Light alert. However, what if the sender of that message is a vehicle traveling well above the speed-limit on the highway and is about to rear-end a vehicle driving below the speed-limit? If the slow vehicle brakes in response to this EEBL message from behind the vehicle, the chance of an accident is increased. The safest action an OBU could take may be to simply let the driver continue as though no alert was ever received. This example demonstrates the need for Vehicle Sequence Authentication (VSA). Vehicle Sequence defines which vehicles are in front of or behind the current OBU. For example, VSA detects and ignores a malicious party behind the OBU that claims a location ahead of the OBU.
A positive for VSA is the detection of an OBU that makes location claims which contradict the true vehicle sequence. An accurate VSA mechanism has a high probability of detecting an OBU that makes a location claim that breaks vehicle sequence (high true positive) and a low probability of incorrectly labeling a vehicle which makes legitimate location claims (low false positive).

B. Assumptions

In this work we make assumptions about the key management in VANETs, presence of other VANET applications, and the capabilities of the VANET participants.

We assume every OBU possesses an Elliptic Curve Cryptography (ECC) public/private key pair $K^{+}_{OBU}/K^{-1}_{OBU}$ and a certificate from a trusted authority (which has a public key $K^{+}_{CA}$ trusted by all OBUs) to prove the validity of the public key and to tie the vehicle's identity to the public key $\{Id, K^{+}_{OBU}\}_{K^{-1}_{CA}}$ as proposed by the IEEE 1609.2 standard [11]. OBUs will digitally sign each message using the Elliptic Curve Digital Signature Algorithm (ECDSA) so recipients can verify the message was not tampered en route. In addition, we assume the key management system in VANETs will provide timely revocation and verification of OBUs' keys, such that a single vehicle can only have a single valid key at any given time. With only a single key, malicious nodes will only have a single identity and will not have an unfair advantage in protocols that use voting to determine crucial values.

We assume that every T seconds each vehicle will generate a signed beacon that includes the vehicle's position and trajectory. The purpose of these beacons is twofold. One, the VANET safety application Cooperative Collision Warning (CCW) uses these broadcasts to determine when vehicles are about to collide. Two, beacons provide additional information about the (true or claimed) location and trajectory of vehicles on the road.
If no beacons were used, a single alert when an event occurs (e.g., a RHCN alert about debris on the road) may not provide receiving vehicles enough information or time to determine if the alert is relevant and legitimate.

We assume that legitimate nodes have correct location information. GPS provides location information within a few meters. However, GPS signals are not authenticated and are thus susceptible to spoofing. One simple mechanism to thwart GPS spoofing is through using map information and dead reckoning.¹ Given a correct initial position estimate, high-resolution map information and local trajectory information, dead reckoning provides a means to estimate the position despite intermediate lack of GPS information and to detect and filter out spoofed GPS information.

¹ From Wikipedia.org: Dead reckoning (DR) is the process of estimating a global position of a navigating agent by advancing a known position using direction, speed, time and distance of travel.

C. Attacker Model

To focus our discussion, we consider a specific attacker model against the safety applications discussed in the introduction. From a high level, the basic security requirement is that the message originates from a vehicle in the Area of Relevance (AOR) (thus, all EEBL or RHCN messages originating from vehicles outside of the AOR should be ignored or weighed with less importance). Without a secure mechanism in place, attackers positioned outside of the recipients' AORs could fool drivers with malicious safety messages. In this paper we deal with three specific attacks where vehicles falsely claim to be in the AOR: an attacker in opposing traffic that claims to be driving with the vehicle, an attacker on the side of the road that claims to be a legitimate vehicle, and an attacker behind the receiver that claims to be in front of the receiver.

We assume attackers have valid ECC keys and certificates, are polynomial-time limited in computation, have limited control over the wireless network, and constitute a small fraction of the population of VANET participants. An attacker's valid credentials allow it to generate and sign VANET messages such that recipients can verify the signature through the VANET PKI. The attackers are polynomial time bounded so hard problems that form the basis of public key cryptography (i.e., discrete log) cannot be broken. This prevents attackers from forging signatures for other OBUs or RSUs. Attackers can jam radio signals or use directional antennae to broadcast messages to a subset of the surrounding vehicles. However, the confining nature of roads prevents an attacker with a directional antenna from sending a message to an OBU several cars ahead without allowing closer OBUs to receive the message (i.e., if OBUs A B C D E are driving in that order, OBU B cannot send a packet to E without C and D hearing it). Finally, we assume malicious parties represent a small fraction of the entire VANET population. If the majority of vehicles were dishonest, law enforcement mechanisms would be effective in curbing malicious behavior.

III. BEACON-BASED CONVOY MEMBER AUTHENTICATION (BCMA)

Convoy Member Authentication (CMA) allows OBUs to determine what other OBUs are traveling in the same direction on the same road. If VANETs lack a mechanism to provide CMA, OBUs could incorrectly alert drivers when OBUs driving in the opposite direction or radios on the side of the road generate alerts.

Vehicles traveling on roads have highly constrained trajectories; other vehicles traveling on the same road in the same direction are often in close proximity for extended periods of time. Thus, if we continuously receive beacons from other OBUs during a time period, we believe they are driving in the same direction.
Exploiting this observation, we propose the Beacon-based Convoy Member Authentication (BCMA) protocol. BCMA relies on continued presence to determine if a vehicle is indeed in the vicinity for an extended time period. Continued presence is defined through the use of a required number of beacons before a vehicle is accepted as part of the convoy (i.e., a vehicle traveling with the message recipient). In BCMA, a vehicle only considers another vehicle part of the convoy after it hears a threshold τ beacons during T(τ + x) seconds, where T is the minimum time between CCW beacons and x is the maximum number of acceptable lost beacons. Note that beacons from a single OBU that are more frequent than T are ignored. The assumption here is that a vehicle traveling in the opposite direction or a stationary radio will be in radio range for a shorter period of time when compared to vehicles traveling in the same direction. This idea is similar to the work by Golle et al. [8] where OBUs build a model of the VANET environment and select the most probable (e.g., nodes traveling together will hear more of each other's beacons over a period of time).

With BCMA in place, vehicle A in Figure 4 will recognize M as not belonging to the convoy, since A will not hear τ or more beacons during the time when M enters and leaves A's radio range. The value of τ depends mainly on the vehicle's speed. With a large τ, vehicle D may ignore B's alerts if B recently merged onto the road (a false positive). With a small τ, the OBU may incorrectly believe slow oncoming traffic or a radio on the side of the road is part of the convoy (a false negative).

This mechanism only provides CMA, and thus vehicle B in Fig. 4 would believe M is in B's AOR if M claimed a position in front of B. However, this is a failure of vehicle sequence authentication not CMA. BCMA is meant to achieve convoy member authentication and thus determine which vehicles are traveling in the same direction.
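
The BCMA acceptance rule described above, as an added example that is not code from the paper: a per-sender sliding window counts beacons spaced at least T apart and accepts a sender once τ of them fall within T(τ + x). The class and function names, the values T = 1 s, τ = 15, x = 3, and all beacon traces are constructed for illustration.

```python
from collections import deque


class BcmaTracker:
    """Per-sender beacon counter implementing the BCMA acceptance rule.

    Times are integer milliseconds so that spacing comparisons are exact.
    """

    def __init__(self, period_ms, tau, max_lost):
        self.period_ms = period_ms                     # T: minimum beacon spacing
        self.tau = tau                                 # beacons required
        self.window_ms = period_ms * (tau + max_lost)  # T(tau + x)
        self.counted = {}                              # sender -> counted beacon times

    def on_beacon(self, sender, now_ms):
        """Record a beacon; return True if sender now counts as a convoy member."""
        times = self.counted.setdefault(sender, deque())
        # Beacons arriving sooner than T after the last counted one are ignored.
        if not times or now_ms - times[-1] >= self.period_ms:
            times.append(now_ms)
        # Forget beacons that have fallen out of the T(tau + x) window.
        while times and now_ms - times[0] > self.window_ms:
            times.popleft()
        return len(times) >= self.tau


def first_accept_ms(tracker, sender, beacon_times_ms):
    """Feed a trace; return the time of first acceptance, or None."""
    for t in beacon_times_ms:
        if tracker.on_beacon(sender, t):
            return t
    return None


def trace(start_ms, end_ms, step_ms, lost=()):
    """Constructed beacon trace; `lost` lists indices dropped by the channel."""
    times = range(start_ms, end_ms + 1, step_ms)
    return [t for i, t in enumerate(times) if i not in lost]


# Constructed parameters (not from the paper): T = 1 s, tau = 15, x = 3.
T_MS, TAU, X = 1000, 15, 3

# Same-direction vehicle: in range for 30 s, two beacons lost.
CONVOY = trace(0, 30_000, T_MS, lost={4, 9})
# Oncoming vehicle: ~61 m/s closing speed across ~600 m of coverage, ~9.8 s in range.
ONCOMING = trace(0, 9_800, T_MS)
# The same oncoming sender beaconing five times faster than T.
FLOODING = trace(0, 9_800, 200)


def run_examples():
    """Return {scenario: (first acceptance time or None, beacons counted)}."""
    results = {}
    scenarios = (("convoy", CONVOY), ("oncoming", ONCOMING), ("flooding", FLOODING))
    for name, beacons in scenarios:
        tracker = BcmaTracker(T_MS, TAU, X)
        accepted_at = first_accept_ms(tracker, name, beacons)
        results[name] = (accepted_at, len(tracker.counted[name]))
    return results


if __name__ == "__main__":
    for name, (accepted_at, counted) in run_examples().items():
        print(f"{name:9s} accepted_at={accepted_at} counted_beacons={counted}")
```

The flooding trace is counted exactly like the once-per-T trace, so sending faster does not help a sender that is only briefly in range; whether a slow or stationary sender still passes depends on τ, as the text notes.
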
The assumption here is that only convoy members remain in a recipient's radio range for an extended period of time and can reach the recipient with broadcast beacons for τ successive intervals.

A. BCMA Security Analysis

BCMA is a crude heuristic to efficiently filter out the majority of malicious location claims. However, attackers may still reach an OBU with the necessary τ beacons without driving in the convoy. For example, an attacker traveling in the opposite direction or stopped on the side of the road could use a large transmission power to try and defeat BCMA. An attacker could also travel on a parallel road in the same direction and pass BCMA's convoy membership test. VANETs should deploy TVSA in addition to BCMA for higher resilience to such attacks.

IV. TIMING-BASED VEHICLE SEQUENCE AUTHENTICATION (TVSA)

Convoy Member Authentication allows OBUs to determine which vehicles are traveling in the same direction on the same road. However, when an OBU receives a safety message, the OBU needs more specific information to determine if the sender is in the AOR, in particular, which vehicles are in front of or behind the OBU. For the safety applications discussed in the Introduction, only alerts from vehicles ahead are of use; debris or a crash behind the vehicle is irrelevant. In a benign environment, alerts could include the OBU's current location and velocity, which would suffice for determining whether the sender is in front or behind. However, an attacker could claim a position further ahead, generate a false alert, cause an accident, and try to collect insurance money or sue for more.

We propose Timing-Based Vehicle Sequence Authentication (TVSA) as a simple, yet powerful mechanism for Vehicle Sequence Authentication (VSA). As the name implies, TVSA uses beacon reception time information to determine the true sequence of vehicles on the road. We recognize that time-of-flight is a popular mechanism to verify location and review related work in Section VI.
First we present Timing-Based Vehicle Sequence Authentication-Global Synchronization (TVSA-GS), where OBUs use nanosecond time synchronization to verify VSA. Perfect synchronization is difficult to achieve, but GPS can provide time information within ±20 ns [16]. In Section IV-B, we present Timing-Based Vehicle Sequence Authentication-No Synchronization (TVSA-NS) which utilizes other OBUs to determine the difference between two OBUs' internal clocks when global synchronization is unavailable. We include an analysis of the mathematics that allow both types of TVSA to detect vehicles that try to break vehicle sequence. Section IV-D performs a security analysis of TVSA-GS and TVSA-NS.

A. TVSA-Global Synchronization (GS)

TVSA uses physical limitations and an honest majority to determine the sequence of vehicles on the road. The intuition behind TVSA is that the difference between beacon arrival times at different locations on the road can reveal the true location of the source of the beacon. An overview of TVSA is as follows. All vehicles provide a location claim in their periodic beacons. To verify a location claim, the recipient acts as the verifying vehicle and uses third parties (e.g., another OBU or RSU) to acquire additional witness data. The verifying vehicle estimates when the vehicle in question broadcast the beacon based on the reception time of the beacon and the distance from the claimed location. Next, the verifying vehicle compares this broadcast time estimate with other vehicles' estimates of the original sender's broadcast time. If the estimates disagree by more than a threshold amount, the original sender must have lied about its location claim and violated the true vehicle sequence.

Instead of having the verifying OBU query other OBUs for witness values, every OBU includes timing and distance information in every beacon message in order to act as a witness to every other OBU. More specifically, OBUs periodically broadcast beacons with several pieces of information: location and velocity, local arrival time of other beacons, and the relative distance from the beacon sender's claimed location when the beacon was received.
Each OBU that receives a beacon will record the local arrival time ($t_{SenderReceiver}$) and how far away it was from the claimed location (Dist(Sender, Receiver) = Dist(Receiver, Sender)), and broadcasts that information in its next beacon. MAC layer timestamping [7] can provide the level of accuracy necessary when OBUs record reception times. Without MAC layer timestamping, network stack reception delays will vary greatly across vehicles and make TVSA ineffective.

For example, in the scenario in Figures 2, 3, and 4, B acts as the verifying vehicle for M's location claim. To verify M's location claim, B checks that M's beacon arrived at an appropriate time at each witness given each witness' location, M's claimed location, and the times of reception. To check location claims, in the comparison step in Figure 3, B verifies that B's assumption for M's broadcast time ($t_{MB} - \frac{Dist(M,B)}{c}$, where $c$ is the speed of light) matches witness W's assumed broadcast time ($t_{MW} - \frac{Dist(M,W)}{c}$) plus or minus some acceptable difference. If every OBU's internal clock is synchronized and no vehicle makes false location claims, the two values will be equal.

Note: For clarity, authentication and other data in the packet have been excluded.

M : $(M, Loc_M, Vel_M)$
    M broadcasts its location and velocity.
B : $(B, Loc_B, Vel_B)\{(M, Dist(M,B), t_{MB})\}$
    B broadcasts its location, velocity, when it heard M's beacon, and the relative distance at that time.
C : $(C, Loc_C, Vel_C)\{(B, Dist(B,C), t_{BC}), (M, Dist(M,C), t_{MC})\}$
E : $(E, Loc_E, Vel_E)\{(B, Dist(B,E), t_{BE}), (C...), (M...)\}$
    (Vehicles continue to broadcast their beacons and witness values.)
M : $(M, Loc_{M2}, Vel_{M2})\{(B, Dist(B,M), t_{BM}), (C, Dist(C,M), t_{CM}), ...\}$
    Before recording M's new info, each vehicle checks M's old location claim: VerifyClaim(M) (see Fig. 3).

Fig. 2. TVSA messages in example run

The level of OBU synchronization possible dictates the value of this acceptable difference. If tight time synchronization is possible, a small acceptable difference will allow TVSA to detect false sequence claims without mislabeling legitimate claims as malicious.
If synchronization between OBUs is loose, the acceptable difference must be set large to prevent mislabeling of legitimate vehicles (false positives). However, if TVSA with a large acceptable difference analyzes the claims, verifying vehicles will not be able to detect malicious parties that claim a false vehicle ordering (false negatives).

    // For each witness B heard
    for (W in VehiclesHeard && W != M)
        // Compare the estimated broadcast time for M.
        if ( (t_MB - Dist(M,B)/c) matches (t_MW - Dist(M,W)/c) plus or minus the acceptable difference )
            VotesForM++
        else
            VotesAgainstM++
    if (VotesForM > VotesAgainstM)
        Trust M's Claim

Fig. 3. Code OBU B uses to verify M's claim in TVSA

Fig. 4. Example traffic scenario (vehicles A, B, C, D, E and M, with Dist(B, M) and Dist(C, M) marked).

Provided tight time synchronization, TVSA uses the distance between OBUs and beacon reception time to detect false vehicle ordering claims. In the next subsection, we discuss how TVSA can work in the absence of time synchronization between OBUs. We conclude with two subsections which discuss exactly how TVSA detects vehicle sequence violations and why a malicious party cannot claim a false vehicle sequence without being detected.

B. TVSA-No Synchronization (NS)

TVSA-GS relies on some source for global synchronization across all OBUs. GPS can provide synchronization or RSUs could act as sources of reference broadcasts [7]. However, physical obstructions can block GPS (e.g., buildings, tunnels, mountains, etc.) and the installation of RSUs on every road would drastically increase the cost of VANET deployment. Dead reckoning can help OBUs maintain accurate information about their own location, but over time, clock drift will affect clock synchronization between OBUs. To address the degradation of clock synchronization, we propose using other witness vehicles' beacons to calculate the clock offset between OBUs.

When $V_1$ verifies X's location claim in TVSA, $V_1$ considers all of the different witness reception times and the relative distance between X and the witness at the time of reception. In the absence of time synchronization, $V_1$ must discover the synchronization error between itself and a witness $V_2$ ($\delta_{V_1V_2}$). In TVSA-NS, $V_1$ uses data from another witness which we call a reference vehicle ($V_R$) to produce $\hat{\delta}^{V_R}_{V_1V_2}$ (the time synchronization error estimate with respect to $V_R$). $V_1$ estimates the offset between its clock and $V_2$'s clock using the following equation:

$$\hat{\delta}^{V_R}_{V_1V_2} = t_{V_RV_1} - t_{V_RV_2} - \frac{Dist(V_R,V_1)}{c} + \frac{Dist(V_R,V_2)}{c} \quad (1)$$

The major problem with using other vehicles to provide reference broadcasts is that one (or more) of the reference vehicles may be a malicious vehicle that lies about its location. If we base the error estimate purely on a single malicious party's reference beacon, the estimate will be incorrect. Instead, the verifying vehicle should calculate the synchronization error estimate for each witness with respect to the beacon reception times of every other witness. Once the OBU calculates this set of n error estimates, the estimates are ordered from smallest to largest as $\hat{\delta}^{1}_{V_1V_2}, \ldots, \hat{\delta}^{n}_{V_1V_2}$ and the median value ($\hat{\delta}^{n/2}_{V_1V_2}$) is selected as the synchronization offset estimate.
Although the mean offset might seem like a reasonable estimate, a malicious reference vehicle's false location claim could lead to a very large or small mean offset. However, the median is only affected after half of the vehicles make false location claims [25]. After $V_1$ calculates the synchronization offset between itself and the witness $V_2$ as $\hat{\delta}^{n/2}_{V_1V_2}$, $V_1$ replaces the inequality in the comparison step in Fig. 3 with the following inequality to determine if X's location claim is valid: $t_{XV_1} - \frac{Dist(X,V_1)}{c}$ must match

$$\left( t_{XV_2} - \frac{Dist(X,V_2)}{c} + \hat{\delta}^{n/2}_{V_1V_2} \right) \quad (2)$$

plus or minus the acceptable difference.

In this section we explained how other vehicles can help estimate the current witness's synchronization error. If this technique is used, TVSA no longer requires GPS or RSU based synchronization. Provided enough OBUs are present to provide both witness and reference times, TVSA-NS will work everywhere, even in the presence of large time synchronization errors.

C. TVSA Mathematical Analysis

We now discuss how OBUs using TVSA can detect when vehicles violate vehicle sequence. The mathematics presented here are for the one-dimensional case where all vehicles are traveling in a straight line and each car has perfect global synchronization (GS). TVSA operation is the same in the multidimensional case where vehicles drive around curves or the road has multiple lanes. However, for simplicity of exposition we limit our discussion here to the one-dimensional case. The mathematics presented here are analogous when global synchronization is not available. However, OBUs require the addition of clock offsets.
Independent of where vehicle X claims to be located, X's true broadcast time ($t_X$) and when $V_1$ receives the beacon ($t_{XV_1}$) are related as follows:

$$t_{XV_1} = t_X + \frac{Dist(X,V_1)}{c} \quad (3)$$

When a vehicle claims location $X'$, the recipient's assumed broadcast time ($t_{X'}$) changes according to X's location claim:

$$t_{X'} = t_{XV_1} - \frac{Dist(X',V_1)}{c} \quad (4)$$

Combining these two equations, we find the difference between the assumed broadcast time and real broadcast time is

$$t_{X'} - t_X = \frac{Dist(X,V_1)}{c} - \frac{Dist(X',V_1)}{c} \quad (5)$$

If the location claim is on the same side of $V_1$ as X's real location (i.e., the vehicle sequence is $X\ X'\ V_1$), $V_1$'s assumed broadcast time for X can be reduced to the following function of X's claimed location ($X'$), the true broadcast time, and X's true location:

$$t_{X'} = t_X + \frac{Dist(X,X')}{c} \quad (6)$$

If the location claim is on the opposite side of $V_1$ and violates vehicle sequence, $V_1$'s assumed broadcast time for X becomes a function of the true broadcast time, the distance between the true ($X$) and claimed ($X'$) locations, and the distance between $V_1$ and the claimed location.

$$t_{X'} = t_X + \frac{Dist(X,X')}{c} - \frac{2Dist(X',V_1)}{c} \quad (7)$$

When $V_1$ compares reception times and distance claims with $V_2$, the goal is to determine if the difference between the two assumed broadcast times is within some acceptable range (i.e., the magnitude of $t^{1}_{X'} - t^{2}_{X'}$ is less than the acceptable difference).

TVSA provides more than authentication of the sequence of vehicles on the road. For vehicles within the convoy, the location can be determined. However, we use the term vehicle sequence authentication because vehicles at the start and end of the sequence can make false location claims. A vehicle at the start or end of the sequence can claim a location much further away, or a few meters past the next closest vehicle, and TVSA would not detect the false claim.
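The checks from Sections IV-A to IV-C as a one-dimensional simulation, added here as an illustration and not code from the paper: it runs the Fig. 3 vote, the TVSA-NS median offset estimate, and the same estimate with the mean when one reference vehicle lies about its location. The vehicle positions, clock offsets, the 50 ns acceptable difference and all function names are assumptions constructed for this example.

```python
import statistics

C = 0.299792458  # speed of light c, in metres per nanosecond


class Vehicle:
    """1-D vehicle; `claim` is the location it puts in its own beacon."""

    def __init__(self, name, pos, claim=None, clock_offset=0.0, t_tx=0.0):
        self.name, self.pos = name, pos
        self.claim = pos if claim is None else claim
        self.clock_offset = clock_offset  # ns, local clock minus true time
        self.t_tx = t_tx                  # ns, true broadcast time (unknown to receivers)


def rx_time(sender, receiver):
    """Local arrival time the receiver timestamps for the sender's beacon."""
    return sender.t_tx + abs(sender.pos - receiver.pos) / C + receiver.clock_offset


def assumed_tx(sender, receiver):
    """Receiver's broadcast-time estimate: t_rx - Dist(claimed location, receiver)/c."""
    return rx_time(sender, receiver) - abs(sender.claim - receiver.pos) / C


def offset_estimate(verifier, witness, references, pick=statistics.median_low):
    """TVSA-NS: one clock-offset estimate per reference vehicle, then pick one.

    median_low returns the n/2-th smallest estimate, as in Section IV-B.
    """
    estimates = [assumed_tx(r, verifier) - assumed_tx(r, witness) for r in references]
    return pick(estimates)


def verify_claim(verifier, target, witnesses, threshold_ns,
                 synchronized=True, pick=statistics.median_low):
    """Vote over witnesses as in Fig. 3; returns (trusted, votes_for, votes_against)."""
    mine = assumed_tx(target, verifier)
    votes_for = votes_against = 0
    for w in witnesses:
        theirs = assumed_tx(target, w)
        if not synchronized:
            # Every other witness serves as a reference vehicle for this pair.
            refs = [r for r in witnesses if r is not w]
            theirs += offset_estimate(verifier, w, refs, pick)
        if abs(mine - theirs) <= threshold_ns:
            votes_for += 1
        else:
            votes_against += 1
    return votes_for > votes_against, votes_for, votes_against


THRESHOLD_NS = 50                    # assumed acceptable difference
DRIFT = (400, -250, 900, 120, -600)  # constructed clock offsets (ns): V1, V2, V3, V4, V5


def run(x_claim, offsets=(0, 0, 0, 0, 0), synchronized=True, pick=statistics.median_low):
    """Constructed road: V2(0 m) X(50 m) V1(100 m) V5(160 m) V3(200 m) V4(240 m)."""
    v1 = Vehicle("V1", 100, clock_offset=offsets[0], t_tx=1000)
    witnesses = [
        Vehicle("V2", 0, clock_offset=offsets[1], t_tx=2000),
        Vehicle("V3", 200, clock_offset=offsets[2], t_tx=3000),
        Vehicle("V4", 240, clock_offset=offsets[3], t_tx=4000),
        # V5 claims 60 m in its own beacon, so it is a bad reference for offsets.
        Vehicle("V5", 160, claim=60, clock_offset=offsets[4], t_tx=5000),
    ]
    x = Vehicle("X", 50, claim=x_claim, t_tx=6000)
    return verify_claim(v1, x, witnesses, THRESHOLD_NS, synchronized, pick)


if __name__ == "__main__":
    print("GS, true claim (50 m):          ", run(50))
    print("GS, claim crossing V1 (130 m):  ", run(130))
    print("GS, claim behind V2 (-40 m):    ", run(-40))
    print("drifted clocks, no correction:  ", run(50, DRIFT))
    print("NS median offset, true claim:   ", run(50, DRIFT, synchronized=False))
    print("NS median offset, claim 130 m:  ", run(130, DRIFT, synchronized=False))
    print("NS mean offset, true claim:     ", run(50, DRIFT, False, statistics.mean))
```

The claim behind V2 is accepted by V1 because only V2 disagrees, which matches the paper's point that TVSA authenticates ordering relative to the verifier and not absolute position.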

The graph on the top of Figure 5 represents the difference between $V_1$'s estimate for X's broadcast time based on X's claimed location and two witnesses $V_2$ and $V_3$. As expected, whenever X claims a location on the opposite side of our verifying vehicle $V_1$, the assumed broadcast times differ. It is important to note that $V_1$'s and $V_3$'s assumed broadcast times agree when the attacker X claims a location behind $V_1$. Because we use a vote to determine if a location claim is legitimate, $V_1$ may believe X's location claim behind $V_2$. However, $V_1$ will only believe this false claim if $V_2$ is the only vehicle behind X and there are multiple witnesses in front of $V_1$. In the same scenario, when $V_2$ verifies location claims, all of the broadcast estimate differences will show that X's location claims are false, despite the use of voting. The fact that X can claim a location further behind $V_1$ is acceptable since TVSA is meant to prove or disprove an ordering of vehicles with respect to the verifier. As long as $V_1$ can detect a vehicle whose location claim crosses over $V_1$ we preserve the true vehicle sequence.

Fig. 5. Broadcast estimate difference vs. varying location claims ($t^{I}_{X'}$ is I's estimate of X's broadcast time). Plot of estimate difference against X's location claim for vehicles ordered $V_2$, X, $V_1$, $V_3$.

Even though OBUs never know the true broadcast time and location of a sender, recipients can calculate and compare estimated broadcast times in order to determine if the sender's location claim agrees with or contradicts the true sequence of vehicles on the road. In the next section we discuss how TVSA allows OBUs to determine the true sequence of vehicles on the road, even when a limited number of malicious parties intervene.

D. TVSA Security Analysis

The goal of TVSA is to provide vehicles with a proof of which vehicles are driving in front of or behind them. In a region where OBUs do not purposely lie about their location, TVSA helps isolate malfunctioning OBUs.
However, malicious parties may lie about their position. In this section, we examine why an attacker cannot abuse TVSA and claim a false location in a sequence of vehicles or claim a false reception time to slander a third innocent vehicle under the condition that the majority of vehicles are not malicious. However, if the majority of the population is malicious and collude, attackers can violate the true sequence of vehicles.

When an attacker claims a position in a sequence of vehicles, other OBUs use TVSA to check if the vehicle truly is where it claims to be. As discussed in Section IV-C, as long as other vehicles provide accurate location and timing information, such claims will be detected. An attacker controls when its beacon is broadcast, the location claimed in beacons, and the true location of the OBU. Receiving OBUs use their own reception time and distance from the claimed location to estimate the time of broadcast, so TVSA works independent of when an attacker claims a beacon is broadcast.

However, an attacker with directional antennas can transmit a beacon at different times in different directions and cause one vehicle to believe an incorrect vehicle sequence. For example, if X in Figure 5 wanted to claim a position in front of $V_1$, X would transmit a beacon forward at $t_F$ and delay a set period of time before transmitting a beacon backwards at time $t_R$. We assume directional antenna and the nature of roads prevent an attacker from sending a message such that vehicles further ahead on the road receive the message before vehicles directionally in front of the attacker receive the message. In our example, vehicles behind $V_1$ will agree with $V_1$'s broadcast time estimate for X, but $V_3$ will have a differing broadcast time estimate (i.e., the solid line in Figure 5 will remain, but the dotted line will become zero). As such, if there are more witnesses behind $V_1$ than in front of $V_1$, the attack will succeed.
However, the relation between the time of an attacker's transmission forward ($t_F$) and backward ($t_R$) depends on the distance between the location of the attacker, its claimed location, and the location of the intended victim in front of it. As a result of this dependency, a $t_R$ that fools one vehicle is different than a $t_R$ that makes a different vehicle believe the attacker is in front of it. In our example, this limits X to fooling only $V_1$ or $V_3$ of a false vehicle sequence. Even in the presence of attackers with directional antennas, TVSA allows the majority of OBUs to detect false location claims that impact the ordering of vehicles.

In TVSA, OBUs rely on other OBUs to provide accurate location and timing information. A malicious party could claim a false reception time as a way to slander a victim and cause a verifying vehicle to doubt the victim's location claim. To mitigate a slander attack, TVSA takes a vote between all broadcast estimate comparisons to determine if a vehicle's location claim is true. Provided there is only a small fraction of the population performing a slander attack, the legitimate votes for a vehicle's location claim should outnumber the malicious parties. If the majority of OBUs' witness values are maliciously fabricated, TVSA will start to validate false location claims that violate vehicle sequence or start discarding true location claims as a result of slander attacks. We assume law enforcement mechanisms would be effective in curbing widespread malicious activities.

A single attacker could claim multiple identities to provide multiple witnesses and try to manipulate the voting in TVSA. A Sybil detection mechanism such as [26] can detect the false identities and filter out the invalid witnesses. Provided the majority of the OBUs in a region are not conspiring, an attacker cannot convince a convoy of OBUs of a location claim that violates the current vehicle sequence or slander another OBU.

V. EVALUATION OF BCMA & TVSA

We use ns-2 [24] to simulate the different authentication mechanisms from Section III and IV in highway and city settings. Our simulated 1.5 kilometer square 4-lane highway is presented in Figure 6 (a). To represent city traffic we use a traffic scenario generator [22] and the 2 kilometer square city topology presented in Figure 6 (b). In the simulation each OBU has a 250 meter broadcast range and broadcasts two beacons every second (T = 0.5). First we describe our simulation environment and the measured quantities. In the following subsections we analyze the different detection capabilities of the mechanisms, how time synchronization impacts TVSA-GS, if TVSA-NS can counteract a lack of synchronization in VANETs, and the overhead associated with our mechanisms.

During simulation we use an Area of Relevance (AOR) that includes every vehicle within radio range traveling in the same direction as the recipient and in front of the vehicle. In simulation, we measure the probability of a legitimate node detecting a malicious entity that claims to be in the AOR when it is not (a true positive) and the probability of a legitimate node ignoring/not believing an alert from a legitimate vehicle in the AOR (a false positive). When analyzing the TVSA-GS as presented in Section IV-A, we assume clocks could be synchronized within ±50ns, which is a conservative estimate given current GPS system capabilities [16]. This clock error provides some realistic variance in the system that increases the chance of believing attackers' location claims.

We simulate three attacks:
(#1) A mobile attacker claims a position with vehicles traveling in the opposite direction.
(#2) A stationary attacker impersonates a vehicle traveling with traffic.
(#3) An attacker traveling on the road claims a position further ahead in the same lane.

The larger dark circles in the topologies (see Figure 6) indicate the locations of attackers' radios for the simulations with a stationary attacker that claims to be moving (Attack 2).
Each scenario was allowed to run for 10 minutes of simulated time and repeated several times (5 times for highway simulations and 10 times for city simulations) with the results averaged across all runs to reduce variance. For each simulation, we select a single attacker and a subset of the total nodes at random to generate periodic alerts.

A. General Results

First, we simulated the combination of BCMA & TVSA to determine the detection accuracy of the two mechanisms with varying values for the threshold τ for BCMA. The results of the simulations are presented in Table I. τ = 0 represents TVSA by itself. Excluding attack #1 on the highway and attack #3 in city traffic, TVSA detects over 85% of false location claims. The addition of BCMA helps detect the majority of the remaining false locations at the cost of more false positives.

Fig. 6. Topologies Used to Simulate: (a) Highway Topology, (b) City Topology

TABLE I. HIGHWAY AND CITY SIMULATION RESULTS (FP/TP Rate)

| Traffic Scenario | Attack | τ = 0 | τ = 2 | τ = 5 |
|---|---|---|---|---|
| Highway Topo., 40 cars/km, 110 km/h (avg.) | 1 | 0%/69% | 4.5%/82% | 10%/100% |
| | 2 | 0%/90% | 6.3%/93% | 9.6%/93% |
| | 3 | 0%/91% | 6.4%/93% | 11%/93% |
| City Topology, 200 cars, 55 km/h (avg.) | 1 | 0%/86% | 17%/100% | 22%/100% |
| | 2 | 0%/95% | 16%/99% | 22%/100% |
| | 3 | 0%/66% | 16%/76% | 22%/77% |

TVSA has trouble detecting attack #1 in the highway scenario because oncoming traffic that claims a location ahead of traffic agrees with the true vehicle sequence; the attacker is in front of the verifying vehicle. These errors demonstrate why VSA alone is not enough to properly identify which vehicles are in the AOR; CMA and VSA are needed to determine which vehicles are in the AOR. As the threshold τ increases, BCMA identifies which vehicles are part of the convoy, and which are attackers in the opposite direction of traffic. TVSA fails to detect 34% of false location claims in the city because of the synchronization error of ±50ns.
The issue is that vehicles at stop lights or in congestion are close together and the maximum error between broadcast estimates ($\frac{2Dist(V_1,V_2)}{c}$ as shown in Section IV-C) is smaller than the accepted error. Since the error is within the accepted range, the victims believe the location claims that violate the true vehicle sequence.

Fig. 7. Distribution of Distance to the Location of False Positives (CDF of Distance to Location of FP Alert; series: Highway FP τ = 5, City FP τ = 5; x-axis: Distance to Location of Alert (m); y-axis: Cumulative Probability).

As expected, the value of τ should be selected based on speed and traffic patterns. On the highway vehicles stay in range for a long time so a τ of 5 improves detection of attack #1 by 35% with fewer than 10% false positives. The same τ for the city simulation detects 95% of attack #1, but causes over 20% false positives. However, the false positives of BCMA are location dependent. As shown in Fig. 7, only 10% of the false positives correspond to locations within 100 meters of the vehicle. If the AOR were limited to 100 meters in front of the OBU, alerts past 100 meters would be ignored. The probability of a false positive would decrease, and a driver traveling at highway speeds would have at least 3 seconds to respond to the alert (assuming the vehicle's speed is < 120 km/h), an ample amount of time.

Additional simulations were performed with numerous traffic configurations. However, due to space considerations we are unable to include all results. We found that as traffic density increases, network contention causes packet loss. With more packets dropped, the number of witnesses available for TVSA decreases and BCMA requires more time to reach the τ threshold of beacons. One solution would be to increase T so beacons are sent less frequently. However, we also found that when vehicles travel at high speeds (145km/h), less frequent beacon broadcasts reduce detection capabilities by 30%. To reduce network contention and maintain an acceptable detection level, OBUs could only broadcast witness values for some subset of the beacons heard; for example, only the vehicles that claim a position within their convoy.

B. Impact of Time Synchronization Error on TVSA

When TVSA is deployed in VANETs, a high level of time synchronization may not always be available for OBUs. However, for TVSA to detect malicious activity an OBU needs to determine the difference between its internal time and the internal time of other witnesses. Here we examine how much synchronization is needed and if the clock offset calculation mechanism from Section IV-B can help. To determine the impact of time synchronization error on TVSA-GS and TVSA-NS, we ran multiple simulations with synchronization errors between 10ns and 500ns.
For each simulation of TVSA-GS, we assume the system knows the maximum legitimate synchronization error between OBUs and could therefore adjust the acceptable broadcast time estimate error. As expected, a larger acceptable error allows a fixed false positive rate of less than 0.5%, but the true positive rate varies. For TVSA-NS, the acceptable error remains at ±10ns independent of synchronization error without increasing the false positive rate above 0.5% or decreasing the true positive rate.

Figure 8 presents the detection capabilities of TVSA with and without offset calculation for different amounts of synchronization error between OBUs for attack #3. As anticipated, TVSA with the offset calculation mechanism can detect location claims that break vehicle sequence even when OBUs are not synchronized. TVSA-NS outperforms TVSA-GS for attack #3 on the highway by 75% (90% versus 15%) and 80% in the city (80% vs. 0%) when synchronization is no longer available. We also ran a simulation with a synchronization error of 1ms and found TVSA-NS achieves the same detection capabilities.

Fig. 8. True Positive Rate vs. Sync. Error for TVSA (Simulation of Synch. Error ±10-500ns; series: Highway TVSA-GS, Highway TVSA-NS, City TVSA-GS, City TVSA-NS; x-axis: Synchronization Error (±ns); y-axis: True Positive Rate).

Here we only present the results for attack #3. For attacks #1 and #2, BCMA can detect the attacker's inconsistent claims (i.e., the attacker's claimed location is forced to move in a sweeping motion or travel in the opposite direction than it claims) before τ beacons are received, so TVSA is most susceptible to attack #3. The addition of offset calculation only improves detection of attack #1 and #2 by 5-10%.

The results in this section show that TVSA can operate even if time synchronization between OBUs is not possible. If GPS signals are blocked or RSUs are too costly to install, TVSA-NS can use offset calculation to detect when vehicles claim a location that violates the true vehicle sequence.

C. BCMA + TVSA Overhead Analysis

We analyze the additional overhead of BCMA and TVSA with respect to communication and computation. BCMA has no additional communication overhead and only a few kilobytes of storage overhead. The CCW application already requires OBUs to broadcast periodic beacons several times a second. All BCMA requires is a counter to track how many beacons the OBU has heard from a specific sender. Even in dense traffic with hundreds of vehicles in range, the storage and management of these counters will require a few kilobytes of memory and minimal processing power.

TVSA introduces communication overhead in the form of witness values in the packet and computation overhead when OBUs need to estimate synchronization errors (see Section IV-B). Here we examine the average number of witness values included in beacons for varying highway densities and the amount of computation needed to calculate OBU clock offsets when GPS or RSUs are not available for time references.

Figure 9 indicates the average number of witness values each OBU included in a beacon for varying traffic densities in our simulations. The average number of beacons grows linearly with the increase in traffic density. Each witness value must include an identifier (the original beacon sender's public key or a hash of it), the reception time, and the relative distance. These three items will add 44 bytes or 76 bytes if the hash or entire public key is included. Fourteen witness values add 1KB to a packet. To prevent a high overhead when traffic becomes congested, vehicles could limit their beacons to only include witness values for vehicles that claim to be part of a smaller convoy (e.g., convoy(100m,30) where the OBU considers only the 30 closest OBUs within a 100 meter radius, above and below the threshold τ for BCMA). Under such a mechanism, the interval between beacon broadcasts can remain high while the overhead does not exceed a fixed predetermined value of 30 beacons or 2.2KB.

Fig. 9. The Average Number of Witness Values vs. Traffic Density (x-axis: Vehicle Density (cars/km); y-axis: Average Witness Values Per Beacon).

When an OBU does not have a reliable source for time synchronization, the OBU must calculate each witness's clock offset. If an OBU hears beacons from n vehicles, the OBU may check the claims in all n beacons. For each verification, at worst, the OBU must calculate the error of all n − 1 witnesses using the other n − 2 witness values. The maximum amount of computation is n(n − 1)(n − 2) calculations. An $O(n^3)$ algorithm seems computationally expensive but the number of witnesses a vehicle encounters is limited to a small value at any given time. Even with 50 witnesses that all hear each other (thus the full n(n − 1)(n − 2) operations), TVSA-NS only requires 117,600 efficient calculations. Assuming each operation takes 10 cycles on a 400MHz machine, TVSA calculation requires 3ms, or roughly half the time to perform 1 ECDSA verification [20]. Within VANETs, the majority of the computation overhead is related to the verification and generation of digital signatures, not our mechanisms.

We have found that our BCMA and TVSA mechanisms can accurately detect when vehicles try to claim a location with opposing traffic or a location that deviates from the real sequence of vehicles. In addition, TVSA-NS provides the same level of detection capabilities independent of time synchronization error. Given the efficiency of BCMA and TVSA, we observe that they are practical even for low-cost OBUs.

VI. RELATED WORK

Several articles were published on general VANET security [10], [18], [20], [21], [27].
These articles frame the general VANET security challenges but consider identification as the most important property for VANET security and do not address the physical properties we present in this paper.

One of the central security challenges in VANETs is establishing trust among vehicles, taking into account their real-world life cycle. Some works suggest using government entities as certificate authorities to help identify valid vehicles [10], [20]. Other work suggests using certificates and TESLA [19], an authentication scheme based on symmetric key operations and delayed key exposure, to establish trust in VANETs [9]. Such an approach reduces security overhead: a TESLA authenticator is 80 bits and takes much less time to verify than a 512 bit ECDSA authenticator. However, TESLA does not provide non-repudiation. In another vein, researchers suggested group signatures or entanglement mechanisms to provide privacy; however, they only present a high-level description and did not work out the details [18]. Several recent works have addressed the issue of trust establishment in ad hoc networks, but these mechanisms are not applicable to vehicular networks because they are designed for human interactions [5].

Several researchers considered defenses against specific VANET attacks. For example, Xiao et al. [26] study the detection of Sybil attacks through analysis of radio communication. Our TVSA protocol makes use of standard distance-bounding protocols, as pioneered by Brands and Chaum [2]. Related to our approach is the area of position verification, where researchers suggested extensions to distance bounding in ad hoc and sensor networks to help nodes determine their position [4], [12]-[15]. In contrast, localization allows a node to obtain an estimate of the position of another node [2], [3], [23]. However, these works do not apply to VANETs since they only determine if the node in question is within a given radius [2], [23] or rely on trusted infrastructure (which may not be available) to make measurements [3].

VII. CONCLUSION

VANETs are on the verge of wide-spread deployment. Initially, non-safety critical applications will be deployed, such as road toll payments. However, in the very near future the wireless communication capability of DSRC will enable cars to exchange safety-critical information to reduce the frequency and severity of accidents. As we show in this paper, the security mechanisms proposed by the IEEE 1609.2 standard are insufficient to cover the security requirements of many applications; in particular the properties of Convoy Member Authentication (CMA) and Vehicle Sequence Authentication (VSA) that we propose turn out to be crucial for defending against several attacks. We propose new mechanisms for achieving CMA and VSA. Our approaches enable us to secure many position dependent safety applications, which will likely drive the deployment of VANETs. Simulation results show that our mechanisms effectively detect spurious and malicious location claims on highways where vehicle density is decreased. However, further work is required to develop techniques with better detection accuracy within urban environments.

VIII. ACKNOWLEDGMENTS

We would like to thank Fan Bai for insightful discussion and feedback on this work. This research was supported in part by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office, and by General Motors