Strong and Affordable Location Privacy in VANETS: Identity Diffusion Using Time-Slots and Swapping
Vehicular Ad Hoc Networks (VANETs) need a way to help authorize messages, remove malevolent vehicles, and find valid vehicles. A Public Key Infrastructure (PKI) can offer this using fixed public keys and certificates. However, the use of fixed keys allows an adversary to associate a key with a place and a vehicle, thus compromising the privacy of the driver. Temporary Anonymous Certified Keys (TACKs) are a key management scheme for VANETs that improves drivers' privacy. The scheme efficiently prevents eavesdroppers from associating different keys with one another and provides timely revocation of misbehaving participants, while incurring less or the same overhead for car-to-car communication as the current IEEE 1609.2 standard used in VANET security.
The major concern in deploying VANETs for the public is achieving effective and simple security mechanisms. Insecurity in a VANET leaves the whole system open to a number of security attacks, such as suppression of real warning messages and propagation of false warning messages, thereby leading to many accidents. This vulnerability of vehicles to security attacks makes security a major concern when designing such systems (Eckhoff).
Privacy is introduced into a VANET by using pseudonyms in the form of a block of private and public keys provided to the user. Each key is used for a short period, and the keys are changed frequently. The keys carry no identity-related information but can be traced back to the user in liability cases. This tracing is usually done by Central Authorities (CA). Pseudonyms are used because they ensure that a vehicle is not attacked by an adversary and that other cars cannot associate a message with its sender.
Instead of equipping vehicle nodes with a large number of pseudonyms, each node holds a time-slotted pool of pseudonyms with slot length t, so that p/t time-slots span the period p. Every time-slot is assigned exactly one pseudonym, giving p/t pseudonyms per vehicle and a single valid pseudonym for any arbitrary point in time. When a time-slot ends, a change of pseudonym is initiated. This mechanism is usually achieved using clocks that are synchronized with the Global Positioning System (GPS) signal.
The use of non-overlapping pseudonyms, one per time-slot, means that nodes can reuse pseudonyms. When the last time-slot (the p/t-th time-slot) has passed, time-slot 1 is activated again, so the period restarts from the beginning.
A good choice of the values of p and t is very important for security. For instance, if t = 20 minutes and p is one week, a pseudonym is valid for a window such as Monday 7:00 a.m. to 7:20 a.m. It is vital to notice that this pseudonym is in fact valid on every Monday for those 20 minutes. The location privacy provided by the time-slotted pool alone therefore depends not only on the time-slot length t, which determines how often a node changes its pseudonym, but also on how regular the periodic behavior of the node is, such as beginning the work commute every Monday at 7:00 a.m.
The exchange of pseudonyms can improve the privacy of drivers in a VANET by complicating tracking for an attacker. When nodes are able to exchange pseudonyms in secrecy by use of encryption and keep third parties from tracking which nodes have exchanged pseudonyms, then a possible way of mapping authority also becomes admissible. The time-slotted mechanism allows only pseudonyms valid for the same time period to be exchanged; otherwise there is no guarantee that each car has exactly one pseudonym per time-slot (Chaurasia and Verma).
A node usually scans its surroundings (such as the speed and heading of its neighbors, and the number of vehicles) and then decides whether a change of pseudonym is worthwhile, so that attackers cannot infer node pseudonyms after the swap simply by extrapolating each node's expected position from its last known speed and heading.
With a careful choice of similarity limits, one can increase the likelihood that the positions of both swapping vehicles are unknown to an observer. An adversary can then never know whether a pseudonym swap took place or not. The efficacy of this approach, of course, depends greatly on the positional accuracy and the frequency of the beacons emitted by each car. The driver privacy achieved with this mechanism can be augmented by using silent time-slots, meaning the two vehicles do not send beacons for a while after a possible swap of pseudonyms (Sun et al.).
An advantage of the time-slotted mechanism over a pseudonym pool is that, ideally, a car always has a pseudonym with which to take part in the ITS, provided it has received its p/t pseudonyms during the setup period. Whether a CA is unreachable or the vehicle has not been used for a longer period, the car will not exhaust its pseudonyms because it can reuse old ones.
The mechanism also puts upper bounds on disk space and, importantly, on the volume of traffic. This simplifies the design of the on-board units and cuts the costs of communication, bringing affordability to the deployment of an ITS. The size of the pool of pseudonyms is cut to a value of p/t * s bytes and, importantly, the workload of the CA no longer depends on the number of vehicular nodes taking part in the network but on the number entering it.
The use of GPS-synchronized clocks and time-slots by every node ensures that nodes change pseudonyms at the same time. Drivers' privacy depends on, and increases with, the density of traffic and the rate of penetration. Additional use of pseudonym exchange greatly improves the security of drivers (Chaurasia and Verma).
A common problem with the time-slot mechanism arises when cars swap currently valid pseudonyms (their current identifiers): each vehicle will begin using the same pseudonym every p/t slots because, when a new slot n + 1 begins, the pseudonym previously used in that slot is reactivated. This way, an adversary, or an authority, is able to associate two positions with a single node: the current one (such as Monday 7:00:00 a.m.) and the one from the earlier time the slot was active (such as 7:19:59 a.m.). Moreover, each time a vehicle enters a time-slot for the first time, which will occur p/t times after it is equipped with the ITS device, the operator can associate the first position in this time-slot with a vehicle.
A diagram to illustrate the swapping of pseudonyms by two vehicles
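The slot arithmetic and the swap-then-reuse problem described above, shown as an added example (it is not code from the cited paper). It uses the article's p = one week and t = 20 minutes; the period start, the `Vehicle` class, the pseudonym labels and the position names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

PERIOD = timedelta(weeks=1)    # p, from the article's example
SLOT = timedelta(minutes=20)   # t, from the article's example
SLOTS = PERIOD // SLOT         # p/t pseudonyms per vehicle
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed period start (a Monday, 00:00)

def slot_index(now):
    """Slot active at `now`; wraps to 0 once the p/t-th slot has passed."""
    return ((now - EPOCH) % PERIOD) // SLOT

class Vehicle:
    def __init__(self, name):
        # Constructed labels; real pseudonyms are certified key pairs.
        self.pool = [f"{name}-ps{i}" for i in range(SLOTS)]

    def beacon(self, now, pos):
        """Beacon as an eavesdropper records it: time, pseudonym, position."""
        return (now, self.pool[slot_index(now)], pos)

def swap(a, b, now):
    """Exchange only the pseudonyms valid for the current slot."""
    i = slot_index(now)
    a.pool[i], b.pool[i] = b.pool[i], a.pool[i]

def linked_sightings(beacons):
    """Observer view: pseudonyms seen more than once, with their sightings."""
    seen = {}
    for when, pseudonym, pos in beacons:
        seen.setdefault(pseudonym, []).append((when, pos))
    return {ps: s for ps, s in seen.items() if len(s) > 1}

def demo():
    a, b = Vehicle("A"), Vehicle("B")
    t0 = EPOCH + timedelta(hours=7)                 # Monday 7:00:00
    log = [a.beacon(t0, "junction-1"), b.beacon(t0, "junction-1")]
    swap(a, b, t0 + timedelta(minutes=5))           # both still in the same slot
    # A now sends under B's former pseudonym until the slot ends ...
    log.append(a.beacon(t0 + timedelta(minutes=19, seconds=59), "road-4"))
    # ... and the same pseudonym is reactivated one period later.
    log.append(a.beacon(t0 + PERIOD, "depot-9"))    # next Monday 7:00:00
    return linked_sightings(log)

if __name__ == "__main__":
    print("pseudonyms per vehicle:", SLOTS)
    for pseudonym, sightings in demo().items():
        print(pseudonym, [(w.isoformat(), p) for w, p in sightings])
```

The observer cannot tell which vehicle holds the swapped pseudonym after the swap, but the sighting at the end of the slot and the one a week later are still tied to one node, which is the residual linkage the last paragraph describes.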
Eckhoff, David, et al. Strong and Affordable Location Privacy in VANETs: Identity Diffusion Using Time-Slots and Swapping. Gaimersheim: University of Erlangen.
Chaurasia and Verma. Optimizing Pseudonym Updation for Anonymity in VANETs. Allahabad: Indian Inst. Technol., 2008.
Sun, Jinyuan, et al. An Identity-Based Security System for User Privacy in Vehicular Ad Hoc Networks. Knoxville: Univ. of Tennessee, September 2010.
Chaurasia and Verma. Maximizing Anonymity of a Vehicle. Allahabad: Indian Inst. Technol., 2008.