Secure protocols for data propagation and group communication in vehicular networks

3.1. Vehicular network architecture and communication scenarios

Two types of communication modes, V2V and V2I, in the vehicle network are depicted in Figure 1. The position of one vehicle can be tracked by the neighboring vehicles in a short period through the announced GPS and velocity information [19]. The GPS data of vehicles should not be disclosed in VANETs at will, since adversaries easily track vehicles according to their GPS and speed data. Vehicle applications require that vehicles share their position to each other to achieve the computation or routing purposes. In this study, vehicles need to announce their GPS data to participate the delay propagation of traffic-related information and becoming a head for the V2V group communication. The VANET performs the real-time propagation of the emergency information in the V2V mode, when a traffic-related event is happening. The vehicles in movement on a roadway with the reverse direction, different on where the event happened will not participate in the propagation, even if received the information; moreover, the vehicles moving from the front of the event location on the roadway will also not propagate the information. For example, Car 2 has a traffic event in Figure 1, while Cars 1 and 10 will not participate in the propagation of the traffic event in the network.

Group communication is desirable in vehicle networks, while groups of friends drive vehicles to travel together. They can establish a group to share data such as multimedia and map information, even if their vehicles are moving close or apart from each other on the same roadway. Their group communication scenarios are implemented through the V2V or V2I mode in this study. A physical group with the subset of the vehicles moving closely each other in the V2V mode must have a mobile head, and the head always moves at a steady velocity up or down a slight degree incline. The head has one-hop neighboring vehicles as its members in the physical group. All of the physical groups only organized by the scattered vehicles form a hierarchical group, denoted as a global group. In Figure 1, Cars 7-9 know about each other and could organize a physical group, and Car 8 is the head. The other alternative of group communication is to establish a virtual group in the V2I mode. The vehicles organize multiple localized groups with the RSUs on the roadside of the travel path. One of the RSUs organizes a localized group with the subset of the vehicles; hence, all of the localized groups form a virtual group. The RSUs participating in the virtual group are denoted as head avatars to service for all of the vehicles. Still in the Figure 1, cars 6, 10, and 11 on the same roadway organize a virtual group with RSU1 and RSU2. The set of RSUs on the roadside is managed by the trusted server on the Internet; hence, the server must connect the trusted party to maintain the security requirements of the RSUs. If a vehicle tries to apply for a virtual group, then the server will select the appropriate RSUs for it. Consequently, V2V-based global and V2I-based virtual groups are addressed, with different ways of selecting their heads. A global group is appropriate to the vehicles without connection gaps, and a virtual group is appropriate to them with high-frequency broken connections.

3.2. Propagation delay mechanism

where, v limit is the maximum speed limit in the area where the vehicle moves, Speed _s and Speed _r are the velocities of s and r, individually, smaller than v limit, R_T is the transmission range of vehicles, Δdpj is the projection distance from s to r over the vector from the preceding sender of s to s, and α is a value proportional to the number of the rear neighboring nodes of r. For example, v _{i +1} , v _{i +2} , and v _i are represented as s, r, and the preceding sender of s in Figure 2. Vehicle v _{i +2} must wait a self-determined delay time as calculated in Equation (1), once v _{i +2} receives the traffic-related information from v _{i +1} . Vehicle v _{i +2} will continue to propagate if receives no same message from its rear neighboring vehicles, after waiting the delay time. To calculate the projection distance, v _{i +2} needs to gain the GPS positions and the velocities of v _i and v _{i +1} . The sensitive data of v _i and v _{i +1} are attached to the propagation from v _i to v _{i +2} , and furthermore v _{i +2} has to verify the data. Section 4.1 details the procedure of propagating a warning message within an authentication format.

3.3. Security requirements

A traffic-related message always involves safety-critical information. Attackers could try to endanger road-traffic or node-vehicle safety by broadcasting incorrect or tamping messages. For the reason, the propagation generated from a source must achieve data integrity and identity authentication. The propagation of a traffic-related message is attached with GPS data of vehicles for calculating their individual delay time; hence, the propagation procedure involves the verification of the sensitive data.

A session group key for a global or virtual group should be established quickly among participating vehicles, due to fast topology changes in VANETs. The vehicles use the valid group key to achieve secure communication in terms of data authentication, data confidentiality, and data integrity. Group communication in this study is designed with the purpose that groups of friends drive vehicles traveling together; hence, the vehicles always know about each other. To apply for a virtual group, one of them has to connect to the server on the Internet through one of its neighboring RSUs. The mutual authentication between Vehicle and BSU is necessary to prevent against adversaries masquerade as legal participants. An attacker could apply for a virtual group using a travel route of the digital map, where the vehicles are traveling at present; hence, it is important that how to prevent those applications from the attacker. Head avatars in a virtual group need to hold essential key materials for the vehicles, and thus, the vehicles on a travel route will share securely data through the head avatars in the virtual group. Two groups with different members cannot produce the same group key, even if they travel on the same route toward same destinations. Groups without any RSU need a global key to communicate securely among the vehicles.

4.1. Authentication of the delay propagation

If detecting a traffic-related event, one vehicle will broadcast a new warning message to the neighborhood, and as any of the neighboring vehicles receive the message will ignore the propagation if received other warnings recording the same event in advance. Basically, traffic-related events happen to close or same to the locations of the vehicle sources, and the neighboring vehicle can detect whether the propagations are same or not by comparing to the event type, the position of the event happenings, and timestamps provided by the sources.

4.2. Secure communication in a global group without RSUs

where the NumberOfTHs is the predictive number of THs, larger than or equal to the number of the practical THs (n), $\text{Δ}{d}_{\mathsf{\text{TH}}j\to \mathsf{\text{Dest}}}^{tp}$ is the approximate distance between the locations of TH _j and the traveling destination, Dest on the route of the digital map, the $\text{Max}(\{\text{Δ}{d}_{\text{TH}j\to \text{Dest}}^{tp}\text{})}$ as a function will return the maximum value of the set, $\{\text{Δ}{d}_{\text{TH}j\to \text{Dest}}^{tp}\text{}}$, and β is a value proportional to the average propagation delay of one hop. In Equation (2), vehicular computers using the map-based service APIs such as GoogleMap [20] can easily calculate the approximate distance between two locations on a route in the digital map. The announcement information contains the GPS position of the TH.

Each of the one-hop neighboring vehicles that receive the announcement will respond as it becomes a member of the TH. Each member selects only one TH as its head in the physical group.

Suppose one TH, TH _x , has as one-hop neighboring members, denoted {M _i }. TH _x broadcasts a request to {M _i } for establishing a group key, after appending its identity, velocity, GPS, and the list of {M _i } within a particular sequence, denoted as NList _x to the request. The vehicles in {M _i } moving on the front locations of the travel roadway have a high priority on the front of the arrangement of NList _x . The request is defined as follows:

TH _x → {M _i }: Req@(v _x , Speed _x , GPS _x , NList _x ), Sign(Req@, SK_THx), Cert _x .

Suppose that the vehicles {M₁, M₂, ..., M_(x-1)} in the NList _x are neighbors to TH _x , and {M _i } exchange the ECDH-based public keys each other. Each of M _i generates a private and public key pair, K₁ and K₁P, while P is a well-known generator. In addition, TH _x also has its key pair, K _x and K _x P. At the beginning of the key agreement protocol, M₁ as the first vehicle broadcasts its neighborhood immediately. M₂ cannot broadcast its K₂P until it receives the K₁P from M₁. Just like M₂, the others broadcast their public keys according to the order in NList _x . TH _x can help one of {M _i } forwarding its public key to the next member. After exchanging completely public keys, each M _i has to unicast the result (K₁K₂...K_(i-1)K_{(i+ 1)}...K_{(x- 1)}P) without the K _i P to TH _x . TH _x returns individually a response by multiplying its private key for M _i , such as (K₁K₂...K_(i-1)K_(i+1)...K_(x-1)K _x P). Finally, M _i multiplies the response with its private key to have granted the group key, $g{k}_x\left(={\prod }_{i=1}^x{K}_{i}P\right)$. Consequently, the group key is shared among the TH _x and its {M _i } in order to secure communication in the physical group.

If the last step is excluded, there are the extra encryption/decryption overheads. The secure group communication from M _i to the others is then detailed as follows:

M _i → TH _i :

Stream#(M _i , Multimedia, Tstamp), MAC(Stream#, gk _i ), or

E(Stream#(v₁, Multimedia, Tstamp), gk _i ), MAC(E(...), gk _i )

TH _i → {TH _j | j ∈ 1 - n, j! = i}:

Stream#, MAC(Stream#, GGK), or E(Stream#, GGK), MAC(E(...), GGK)

TH _j → {M _j }:

Stream#, MAC(Stream#, gk _j ), or E(Stream#, vgk _j ), MAC(E(...), gk _j ), where {M_j} are the members of TH _j .

4.3. Secure communication in a virtual group with multiple RSUs

According to the vehicle architecture in Section 3.1, legal RSUs on the roadside are managed by a number of servers on Internet. The servers are assumed to be able to connect to the trusted third parties. The scattered vehicles moving in the trip can organize a virtual group with the RSUs. Figure 3 illustrates that v₁ asks for a virtual group to establish group communication, while the vehicles (v₁-v _n ) travel on the route toward the common destination. The others (v₂-v _n ) could also apply for the group through their neighboring RSUs during traveling. Suppose that the v₁ sends a request with the travel-related information to a valid RSU, RSU _i . The RSU _i checks whether v₁ and the request are valid, by examining the certificate and the attached timestamp. If the request is not yet expired, RSU _i checks its local storage whether the RSU set exists or not, in order to serve the same vehicles on the route within the same trip period. RSU _i responds immediately to v₁, if the set is always available in the storage; otherwise, if the set is not existent or has been expired, RSU _i will forward the request to its server on the Internet, denoted as Root. The procedure is that v₁ applies for a set of the RSUs using the information of a travel route which is detailed as follows:

Phase 1. Vehicle v₁ sends Req# to RSU _i , and attaching with the identities of the vehicles, the required trip period (ΔT), the current timestamp (Tstamp), and the travel route in a digital map (TP_map). The request is signed with its private key.

v₁ → RSU _i : Req# (v₁, ΔT, Tstamp, TP_map, {v _i |i ∈ 1-n}), Sign(Req#, SK _{v 1}), Cert _{v 1}

Phase 2. Suppose that the set of RSUs is not existent for the request. RSU _i forwards the request to the Root with an attached MAC code, while sharing a common key with the Root. If RSU _i and Root have no common key, the signature of RSU _i will replace the MAC code.

RSU _i → Root:

Req# (v₁, ΔT, Tstamp, TP_map, {v _i }), Sign(Req#, SK_v1), Cert _{v 1}, MAC(Req#||Sign, K_{Root, RSUi}), or

Req# (v₁, ΔT, Tstamp, TP_map, {v _i }), Sign(Req#, SK_v1), Sign(Req#, SK_RSUi), Cert _{v 1}, Cert_RSUi

Phase 3. Root authenticates the Req# using the v₁'s PK_v1, and RSU _i is verified through the MAC code or its signature. If the authentication is successful, Root determines the subset of RSUs located on the route, TP_map, and sends an encrypted Resp# back to RSU _i . The Resp# is attached with the identities of the selected RSU _j , the TP_map, and an expiration time (ETime), a VGK, and a key pair for {R _j }, (GK_set, GK_setP) (i.e., set = hash(tp||ΔT||{R _j }||{v _i }||Tstamp)). The response is encrypted by the key shared between RSU _i and Root, or the public key of RSU _i to prevent eavesdropping and modification from attackers on the Internet.

Root→RSU _i :

E#(Resp#'_tp, Sign#_Root, E(Resp#_tp, Sign#_Root, PK _{v 1}), K_{Root, RSUi}), MAC(E#, K_{Root, RSUi}), or

E#(Resp#'_tp, Sign#'_Root, E(Resp#_tp, Sign#_Root, PK _{v 1}), PK_RSUi), where Resp#_tp is generated for the vehicles (i.e., Resp#_tp = Resp#({R _j }, TP_map, ETime)), Resp#'_tp is generated for the chosen RSUs (i.e., Resp#'_tp = Resp#(VGK, GK_set, GK_setP, {R _j }, {v _i }, TP_map, ETime, ΔT)), and Sign#_Root (or Sign'#_Root) represents that the Resp#_tp (or Resp#'_tp) is signed by SK_Root.

Phase 4. RSU _i forwards the Resp#'_tp to the other RSUs in the {R _j }. Any two RSUs connecting to the Internet can easily establish a shared secret key, K_{RSUi, RSUj}. In addition, RSU _i has to forward the encrypted Resp#_tp to v 1.

RSU _i → {RSU _j |j ∈ 1-n, j! = i}:

E(Resp#'_tp, Sign#'_Root, K_{RSUi, RSUj}), MAC(E(...), K_{RSUi, RSUj})

RSU _i → v₁: E(Resp#_tp, Sign#_Root, PK _{v 1})

Phase 5. Each of {RSU _j } stores the tuple, (GK_set, GK_setP, {R _j }, {v _i }, TP_map, ETime, ΔT), in the storage until the ETime is expired. {RSU _j } sends a notification to {v _i }, if the vehicles is moving in their transmission ranges.

Each RSU _i → a subset of {v _i }:

Notify# (the RSU set is ready for your trip), Sign(Notify#, SK_RSUi), Cert_RSUi

{RSU _j } as head avatars assist the scattered vehicles in aggregating a VGK within their transmission ranges. Suppose that one of {RSU _j }, R _x , has a few of the vehicles {v _y |y ∈ 1-j, n > j} within its transmission range, exactly as a cluster. The members in {v _y } are arranged in a sequence, when v _j always moves behind v _{j -1}. Figure 4 depicts a localized key agreement process among R _x and {v _y }, with the following steps:

The vehicles will share a VGK, if completing all steps of the five phases. Each of the vehicles shares securely data with the others, when the data are encrypted by the VGK. If the last step of the fifth phase is excluded, head avatars will have the extra encryption/decryption overheads. The secure group communication without the last step from v_i to the others is detailed as follows:

v _i → R _i :

Stream#(v₁, Multimedia, Tstamp), MAC(Stream#, vgk _i ), or

E(Stream#(v₁, Multimedia, Tstamp), vgk _i ), MAC(E(...), vgk _i )

R _i → {R _j |j ∈ 1-n, j! = i}:

Stream#, MAC(Stream#, VGK), or E(Stream#, VGK), MAC(E(...), VGK)

R _j → {v _j }:

Stream#, MAC(Stream#, vgk _j ), or E(Stream#, vgk _j ), MAC(E(...), vgk _j ), where each vehicle in {v _j } is moving within the transmission range of R _j .

5.1. Security of the propagation of traffic-related information

A Warn# message with the signature and warrant/certificate of a vehicle source can achieve the identity and data authentication, after verifying using the public key. Each of the vehicles in the propagation procedure can trust the sensitive data of the two preceding senders as their GPS positions and speeds, after verifying successfully their signatures.

In the only V2V mode, attackers without the valid key pair issued by the trusted third party cannot create or forward an incorrect warning message. A compromised vehicle could go through a wrong warning propagation and try to modify a warning propagation. If a compromised vehicle fixed in a location creates a wrong propagation to attack the network, it is most probably without success. The detection range of event-based sensors is smaller than the transmission range of 802.11p in vehicles, and therefore the neighboring vehicles can easily find no event happening in its neighborhood. Already compromised vehicle does not modify easily the propagation, since the propagation is signed by its two preceding senders and the vehicle source is found in the propagation path. The compromised vehicle could conspire with them to fabricate an incorrect warning; however, the adversaries could be found with a high probability by their valid neighbor vehicles.

As the network supports the V2I mode, the trusted RSUs service as guards may accuse a compromised vehicle that creates or forwards incorrect Warn# message. If the number of accusations against a suspected vehicle achieves a threshold, the certificate of the vehicle will be expired and added in the certificate revocation list (CRL) by the trusted party. If a trusted vehicle accuses a suspect vehicle, the accusation will be verified by a number of its neighboring RSUs. If the accusation is correct, then the RSUs will report the result to the trusted third party through its management servers.

A replay attack could be generated, while the two neighboring vehicles in a propagation path collude to propagate repetitively a warning message. The vehicle receiving the replay message can check whether the warning is expired or not according to the timestamp given by the vehicle source. Three timestamps are attached in a Warn# message: one is attached by the source, and the others are attached by collusive vehicles. The difference in time between the two previous timestamps of the Warn# is represented as the actual elapsed time of the event happening. The vehicle can determine whether the event happening is expired or not, when each event type has a stable reparation period announced by the government responsible for the traffic event. Consequently, the propagation of a traffic-related message reaches the security degrees consisting of source non-repudiation, data integrity, the prevention of replication attacks, and delay effect.

5.2. Propagation delay

where a' is set to (x _{i +1} - x _{i +2})/2, b' is set to (y _{i +1} - y _{i +2})/2, and EarthRadius is set to 63, 78, 137 m.

Vehicle v _{i +2} and v _{i +3} moving within the transmission range of v _{i +1} have the projection distance, 64.15 (m) and 103.03 (m) over the vector from v _i to v _{i +1} . In the HH, v _{i +2} moves more faster than v _{i +1} , and v _{i +3} moves slower than v _{i +1} . Vehicle v _{i +3} must propagate the traffic-related information faster than the propagation of v _{i +2} . Basically, v _{i +2} will listen and gain the propagation from v _{i +3} , then be able to stop its propagation to avoid broadcast storms. In the RR, v _{i +2} moves slowly and v _{i +3} moves fast toward v _{i +1} . Vehicle v _{i +2} must propagate the traffic-related information faster than the propagation of v _{i +3} . The vehicle v _{i +3} will decide not to propagate for collision avoidance, after waiting a period as the delay time of v _{i +2}.

5.3. Security of V2I group communication

Vehicles and RSU can authenticate each other through the asymmetric cryptography. RSUs are maintained by the servers on the Internet, and the servers are supported with the trusted third party. If an invalid RSU was recorded in the CRL, then servers will eliminate it from the establishment procedure of virtual groups. An attacker without the servers' support masquerades difficultly itself as a valid RSU to attend the head avatars of any virtual group.

Group communication is designed for the groups of friends driving vehicles to travel together; hence, any of vehicles always holds their total identities. It is impossible that an outside attacker joins easily and successfully their trip in the V2I mode. During the period of applying for a new virtual group, to deliver the Req# from a vehicle to the Root through a RSU can achieve data integrity, source authentication, and non-repudiation of transmission. If the RSU uses a secret key shared with the Root to encrypt their operations with a MAC code, then delivering Req# or Resp# between them will achieve data confidentiality and integrity. In addition, any two BSUs communicate securely each other using a secret key or their public keys. In this case, the communication achieves data confidentiality and integrity.

A compromised vehicle cannot apply for the same virtual group by sending the same set of the vehicles' identities and the travel path to a valid RSU, unless it belongs to one of them. In other words, any two sets of the VGK and the key materials (GK_set, GK_setP) determined by the Root (i.e., a server with the trusted third party) cannot be same, only if the values of the parameters, tp, ΔT, {R _j }, {v _i }, and Tstamp are the same in two different applications.

To perform the key agreement protocol for a localized group, the members exchange their ECDH-based public keys and send particular products to the BSU, individually. The delivery of the products is secure using the GK_setP to prevent the middle attack. Group communication in a localized group can achieve data confidentiality and integrity, when the members adopt the localized group key to encrypt their communication.

5.4. Security of V2V group communication

The V2V group communication can be implemented, following the conditions: no connection gap among the traveling vehicles, and enough THs moving at steady speeds. The vehicles are divided into different one-hop physical groups. The delivery of a Req@ from one TH to its neighboring members achieves data integrity, source authentication, and non-repudiation, since the TH's signature was appended to the request. Each TH cooperates with its one-hop members in key agreement to gain a common key gk _x . Since THs move on the roadway in an order, they can cooperate to get a common key, GGK, after an exchange of ECDH products to make a round trip from the head TH to the tail TH and back again. Both of the key agreements are safe unless attackers solve the elliptic curve discrete logarithm problem. The confidentiality and integrity of data sharing among the vehicle in a physical or global group can be reached.

The compromised vehicle can easily be detected, while each TH knows which vehicles are moving within which of physical groups.