Académique Documents
Professionnel Documents
Culture Documents
Florian Dötzer
BMW Group Research and Technology
Hanauerstrasse 46
80992 Munich, Germany
florian.doetzer@bmw.de
1 Introduction
2 Privacy Issues
– The police uses hello beacons4 to calculate driving behavior and issues
speeding tickets.
– An employer is overhearing the communications from cars on the com-
pany parking lot. After distinguishing which car-identifier belongs to
which employee he automatically gets exact arrival and departure
dates.
– A private investigator easily follows a car without being noticed by
extracting position information from messages and hello beacons.
– Insurance companies gather detailed statistics about movement pat-
terns of cars. In some cases individual persons may be charged for
traffic accidents based on gathered movement patterns.
– A criminal organization has access to stationary communication boxes
and uses the accumulated information to track law enforcement vehi-
cles. The same technique could be used by a foreign secret service to
track VIPs.
As we can see from these examples, most issues are related to position
and identifiers. More specifically, either keeping identifiers and relating
them to other received identifiers (re-recognition) or correlating the iden-
tifier with a real-world identity (identification). Analyzing the relations
of various position-identifier pairs, a multitude of attacks on privacy can
be carried out, where the given examples represent only a small subset.
The first example might be the easiest to resolve, because in most
countries a defendant is innocent until it can be proven that he is guilty.
In our case that means that the police must be able to prove that the
4
Hello beacons are used in mobile ad-hoc networks to maintain information about
the nodes’ neighborhood.
culprit is really the one who was speeding. So instead of using one’s orig-
inal identity in the system, a pseudonym may be used. Unless there is
no perfectly provable mapping between the pseudonym and real-world
identity, the police would have a hard time issuing a ticket. In the second
example this may not be enough, because the employer has other means
of correlating real-world identities and car-identifiers. And he may guess
as well. In this case, it would be desirable to change the car’s identifiers
from time to time. In the third example however, even these precautions
would not be sufficient. To prevent being followed, the car’s identifier
would have to be changed while moving. One possible approach are geo-
bound pseudonyms, discussed in section 5.2 Note that a concept consid-
ering changing identifiers on application layer also means that all lower
layers must change their addresses / identifiers at least as often as appli-
cation layer IDs. This would require frequent changes of MAC-addresses
and network addresses for instance. Some simple experiments with our
prototypes have shown that this is doable in principle, but remains an ex-
tremely challenging task for large systems. In addition this will definitely
decrease overall performance due to collisions and/or increased signaling
overhead.
In scenarios where a car communicates with a dedicated partner, we
assume that in some cases the car’s real identity will be required for service
usage. In such a case it is obvious that the communication partner has the
identity anyway, so the identity must only be protected from neighbors
overhearing the communication. In [5] we proposed a vehicle - traffic light
communication protocol that keeps the identity of the vehicle hidden from
third party observers.
A good thing about mobility is that real (communication-)traffic analy-
sis would probably be hard to do, since nodes usually move at high speed
and in large geographic areas. But nevertheless, an attacker might use the
properties of communicating vehicles as an aid for tracking a specific car.
Even if identifiers are anonymized and addresses are changed frequently,
there are ways to distinguish a node from others, such as characteristic
packet sizes, special timings, RF-fingerprints 5 .
3 Related Work
There has been some work in various areas relevant for us. Samfat, Molva
and Asokan provide a classification for mobile networks such as GSM
and CDPD, where they map privacy requirements to various network
entities (home domain, remote domain, legitimate network entities, and
eavesdroppers)[6]. They also discuss the effects of these requirements on
system design.
Golle, Greene and Staddon have presented a very useful paper [7] on
detection and correction of malicious data in VANETs. We share their
opinion that comparing the data of different information sources is a
fundamental approach to solve problems with aggregation of sensor data.
Concerning privacy they point out that there is a tradeoff between privacy
and detection of malicious data depending on how often an identifier is
changed. Hubaux, Capkun and Luo gave an overview on security and
privacy in VANETs in [8]. Others are investigating ”Metropolitan Area
Ad Hoc Networks” [9] and Yih-Chun Hu has shown how attackers can
get privacy-sensitive information in this context.
Weimerskirch and Westhoff presented a protocol [10] that allows nodes
that do not have any additional knowledge to re-recognize themselves
when meeting again. Their approach allows maximum privacy while still
providing immutable and non-migratable identities. There has also been
some work on mapping identifiers and cryptographic material. In [11]
and [12] the authors describe a way to derive identifiers from pre-existing
cryptographic keys in such a way, that they are statistically unique and
cryptographically verifiable. Going the other way around and starting
with given identities such as email addresses, Shamir presented an iden-
tity based signature scheme in [13], but he was unable to do encryption
using this concept. It was Boneh / Franklin and Cocks who indepen-
dently proposed ways to do identity based encryption in [14] and [15]
respectively.
4.2 Architecture
In our recent work, we have been looking at a trusted third party approach
supported by smart cards. A major requirement has been the use of non-
interactive protocols, since most security-related messages will be sent in
broadcast6 style.
The fundamental idea in our architecture is that there will be an
authority A, that is trusted by all parties participating in the network:
customers, manufacturers, system operators, service providers, etc. Gor-
don Peredo has presented such an architecture in [16]. The authority must
be independent from other parties’ interests and obtain special legislative
protection. Authority A stores real-world identities and maps one or more
pseudonyms to each identity. The mapping is kept secret and will only be
revealed in exactly specified situations.
4.3 Assumptions
In order for our system to work, we assume that every car will be equipped
with a hard-mounted, non-removable tamper resistant device such as a
6
Note broadcast here is on application level. This does not necessarily mean that
data link layer transmission is broadcast
smart card. It offers two main features: secure memory to store secrets
and secure computation to execute small programs and cryptographic
algorithms. In our prototype implementation we use G&D’s Java Card
[17], [18]. We further assume that during production of a car a secure
connection between this device and authority A is available. This can be
realized using Smart Card Management Systems such as Visa’s Global
Platform [19], which enables ”secure channels” from smart cards to back-
end hardware security modules (HSMs) [20].
Fig. 2. Phase I
Initialization Phase Fig. 2 gives an overview on the entities in this ar-
chitecture. Each car is equipped with a smart card during its production
that is fixed physically and cannot be removed without destruction. The
smart card (and therefore also the car) is associated with a unique, im-
mutable and non-migratable electronic ID. A secure communication link
is established between the smart card and authority A. The smart card
transmits the ID (1) and the authority cryptographically derives a set
of pseudonyms from that ID after checking it. The pseudonyms are then
transmitted back to the smart card (2). Now the car is ready to subscribe
for various services. For every pseudonym (3) the car can get multiple
service subscriptions from organization O, typically a car manufacturer.
For every pseudonym organization O generates a set credentials, one for
each service and sends it back (4). The car is now ready for use.
Fig. 3. Phase II
5 Additional Considerations
The approach we presented in section 4 is one of many possible solutions.
There are some general issues that we believe have to be solved.
5.1 MIX-Zones
[21] defines anonymity as ”the state of being not identifiable within a set
of subjects, the anonymity set”. That is something to keep in mind when
proposing to change pseudonyms on the move. For example if a vehicle
using pseudonym A does not want to be tracked and therefore changes its
pseudonym to B. If an observer monitors all communication traffic around
this vehicle and if this vehicle sends messages during observation (such as
beacons), then the observer can relate pseudonym A and B as long as this
vehicle is the only one (or one of few) changing its pseudonym. In other
words, if you cannot hide in a crowd of pseudonym changing vehicles, you
must assume that an observer can link your old pseudonym and your new
one, making this process useless.
There are two straightforward approaches to this problem. First, you
don’t transmit something using your pseudonym for a sufficiently long
time before and after a pseudonym change. Or second, the system design
specifies times where all cars within a certain region, called MIX-zone,
change their pseudonym. Such a region would ideally be a place, where
a lot of vehicles are within communications range. There must be a suf-
ficient number of such places to ensure that vehicles can change their
pseudonyms frequently. It remains an open question what happens if there
are not enough other nodes changing their pseudonyms at the same place.
6 Conclusion
7 Acknowledgements
We would like to thank Uwe Baumgarten for inspiring discussions and
valuable comments. We would also like to thank the anonymous reviewers,
whose comments and suggestions stimulated new thoughts and helped to
improve the paper.
References
1. Doetzer, F., Kosch, T., Strassberger, M.: Classification for traffic related inter-
vehicle messaging. In: Proceedings of the 5th IEEE International Conference on
ITS Telecommunications, Brest, France (2005)
2. Franz, W., Eberhardt, R., Luckenbach, T.: Fleetnet - internet on the road. In:
Proceedings of the 8th World Congress on Intelligent Transportation Systems.
(2001)
3. Kosch, T.: Local danger warning based on vehicle ad-hoc networks: Prototype and
simulation. In: Proceedings of 1st International Workshop on Intelligent Trans-
portation (WIT 2004). (2004)
4. Newsome, J., Shi, E., Song, D., Perrig, A.: The sybil attack in sensor networks:
analysis & defenses. In: IPSN’04: Proceedings of the third international symposium
on Information processing in sensor networks, ACM Press (2004) 259–268
5. Dötzer, F., Kohlmayer, F., Kosch, T., Strassberger, M.: Secure communication
for intersection assistance. In: Proceedings of the 2nd International Workshop on
Intelligent Transportation, Hamburg, Germany (2005)
6. Samfat, D., Molva, R., Asokan, N.: Anonymity and untraceability in mobile net-
works. ACM International Conference on Mobile Computing and Networking
(1995)
7. Golle, P., Greene, D., Staddon, J.: Detecting and correcting malicious data in
vanets. In: VANET ’04: Proceedings of the first ACM workshop on Vehicular ad
hoc networks, ACM Press (2004) 29–37
8. Hubaux, J.P., Capkun, S., Luo, J.: Security and privacy of smart vehicles. IEEE
Security & Privacy 2 (2004) 49–55
9. Jetcheva, J., Hu, Y.C., PalChaudhuri, S., Saha, A., Johnson, D.: Design and eval-
uation of a metropolitan area multitier wireless ad hoc network architecture. In:
Proceedings of the 5th IEEE Workshop on Mobile Computing Systems & Appli-
cations, Monterey, CA, USA, IEEE (2003) 32 – 43
10. Weimerskirch, A., Westhoff, D.: Zero common-knowledge authentication for per-
vasive networks. In: Selected Areas in Cryptography. (2003) 73–87
11. O’Shea, G., Roe, M.: Child-proof authentication for mipv6 (cam). SIGCOMM
Comput. Commun. Rev. 31 (2001) 4–8
12. Montenegro, G., Castelluccia, C.: Statistically unique and cryptographically ver-
ifiable (sucv) identifiers and addresses. In: Proceedings of the Network and Dis-
tributed System Security Symposium (NDSS). (2002)
13. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Proceedings
of CRYPTO ’84, Springer-Verlag (1984) 47–53
14. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In:
Proceedings of CRYPTO 2001, Springer-Verlag (2001) 213–229
15. Cocks, C.: An identity based encryption scheme based on quadratic residues. In:
Proceedings of IMA 2001, Springer-Verlag (2001) 360–363
16. Peredo, G.: Brake-ing news – technologies for inter-vehicle communication (2003)
17. Sun Microsystems: Java card 2.2 runtime environment specification (2002)
18. Sun-Microsystems: Java card 2.2 virtual machine specification (2002)
19. Global Platform: Global platform card specification (version 2.1) (2001)
20. Dötzer, F.: Aspects of multi-application smart card management systems. Master’s
thesis, Technical University Munich (2002)
21. Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity -
a proposal for terminology. In Federrath, H., ed.: Proceedings of Workshop on
Design Issues in Anonymity and Unobservability, Springer (2001) 1–9
22. Independent Centre for Privacy Protection: First partial success for an.on (2003)
23. Wright, J., Stepney, S., Clark, J., Jacob, J.: Designing anonymity - a formal basis
for identity hiding. Internal yellow report, York University, York, UK (2004)