VANETs are a special case of mobile ad hoc
networks (MANETs) that aim to enhance the safety and efficiency of road traffic [1
]. A number of distinguishing features and limitations are related to the very nature of wireless communications in VANETs and the rapid movement of the vehicles involved in those communications. Compared to wired or other wireless networks, VANETs are very dynamic and their communications are volatile. In these networks, nodes are vehicles equipped with communication devices, known as on-board units (OBUs), and, depending on the applications, OBUs are used to establish communications with other vehicles or roadside units (RSUs), such as traffic lights or traffic signs.
In recent years, several research works on VANETs have been conducted by academics and various industries. Recently, some of these works addressed the security issues. As an instance of MANET, VANETs might suffer from any malicious user behaviors, such as bogus information and replay attacks on the disseminated messages. Among various security threats, privacy preservation in VANETs is one of the new challenges of protecting users’ private information. For instance, Chen and Wei proposed a safe, distance-based location privacy scheme called SafeAnon [5
]. By simulating vehicular mobility in a cropped Manhattan map, they evaluated the performance of the SafeAnon scheme under various conditions to show that it could simultaneously achieve location privacy, as well as traffic safety. However, as Chen and Wei focused on the issues of the vehicles’ location privacy, little emphasis was put on the initial authentication phase of communications among vehicles.
In 2005, Raya et al.
] first proposed a solution that mentioned both the security and privacy issues of safety-related applications. Wang and others reviewed Raya and Hubaux’s communication scheme in 2008 [8
] and argued that Raya and Hubaux paid a great deal of attention to safety-related applications, such as emergency warnings, lane changing assistance, intersection coordination, traffic-sign violation warnings and road-condition warnings [9
], but non-safety-related applications were neglected. In Raya and Hubaux’s communication scheme, Safety messages do not contain any sensitive information. However, VANETs also provide non-safety applications that offer maps [10
], advertisements and entertainment information [12
Similar to safety applications, non-safety applications in VANETs have to take both security and privacy issues into consideration. In addition, designing a practical non-safety application for VANETs should take the following requirements into consideration [13
Mutual authentication: providing mutual authentication between the two communicating parties, such as a vehicle-to-roadside communication device.
Context privacy: allowing mobile vehicles to anonymously interact with roadside devices to access services.
Lower computational cost: a system must have light overhead in terms of computational costs and high efficiency.
Session key agreement: generating dynamic session keys to secure the communication between nodes in VANETs.
Differentiated service access control: providing several services with different levels of access privileges for different users’ requirements.
Confidentiality and integrity: providing data confidentiality and integrity in applications of communications.
Preventing eavesdropping: an intruder cannot be allowed to discover valuable information from communications between members in VANETs.
Scalability: coping with the large-scale and dynamic environment presented by VANETs.
In 2008, Li et al.
proposed a secure and efficient communication scheme named SECSPP [14
] that employs authenticated key establishment for non-safety applications in VANETs. SECSPP is the first security scheme with explicit authentication procedures for non-safety applications. However, the speed of a vehicle can be extremely high in SECSPP. It is possible that the response sent from the service provider (SP) has not yet arrived, but the requesting vehicle has passed the RSUs’ transmission range. Moreover, all requests made by non-safety applications must first be verified by the proper SP, which will become a bottleneck of SECSPP. The scalability issue rises in a popular SP if a large number of requests are made.
In 2011, Yeh et al.
] proposed a PAACP: a portable privacy-preserving authentication and access control protocol for vehicular ad hoc
networks. However, in the authorization phase, a PAACP is breakable and cannot maintain privacy in VANETs. Recently, Wu et al.
] presented a cryptanalysis of an attachable blind signature and demonstrate that the PAACP’s authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. This is because an eavesdropper is able to construct an AC from an intercepted blind document. Consequently, PAACP in the authorization phase is breakable and cannot maintain privacy in VANETs. Any outsiders can determine who has which access privileges to access which service. In addition, this paper efficiently copes with these challenges and proposes an efficient scheme. We conclude that improving an authentication scheme and access control protocol for VANETs will not only resolve the problems that have appeared, but will also be secure and efficient.
The remainder of this paper is organized as follows. Section 2 reviews the cryptanalysis of a PAACP. Section 3 introduces an improved scheme. In Section 4, we compare the performance of our schemes with PAACP and SECSPP and analyze various aspects of the security of our scheme. Finally, we conclude this paper and indicate some directions for future research in Section 5.
2. Cryptanalysis of A PAACP
In 2011, Yeh et al.
] proposed a novel portable privacy-preserving authentication and access control protocol for vehicular ad hoc
networks. To eliminate the communication with service providers, they proposed a novel portable access control method to store a portable service right list (SRL) into each vehicle, instead of keeping the SRLs with the service providers. In order to assure the validity and privacy of an SRL and prevent privilege elevation attacks, an attachable blind signature is used by PPACP. Recently, Wu et al.
] proposed a cryptanalysis of an attachable blind signature and demonstrated that the PAACP’s authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. Their analysis showed that in PAACP, an eavesdropper can construct the AC from an intercepted blind document. As a result, PAACP in the authorization phase is breakable, and as any outsider can determine who has which access privileges to access which service, the privacy of users in PAACP’s scheme is jeopardized. Wu et al.
presented Cryptanalysis 1, which shows that m′
cannot keep privacy, and Cryptanalysis 2 shows that an intruder can use public key PKSt
of the St
to compute authorized credential
. The notation used throughout the remainder of this paper is shown in Table 1
Cryptanalysis 1. To acquire a message m′, an intruder can eavesdrop on the two blind documents BD1, BD2 in the (User → Signer) channel and also eavesdrop on,
in the (Signer → User) channel. After stealing BD1, BD2,
and, the intruder can use public key e of the signer to compute the following equation:
Cryptanalysis 2. Similarly, to acquire authorized credential and, an intruder can eavesdrop on the two blind documents BD1i, BD2i in the (Vehicle → Service Provider) channel and also eavesdrop on,
in the (Service Provider → Vehicle) channel. After stealing BD1i, BD2i,
and, the intruder can use public key PKSt of the Service Provider to compute the following equation:
Finally, according to
is equal to
consists of both
. Yeh et al.
] claimed that an attachable blind signature can keep privacy; no one could comprehend the access privileges in
, and no one can realize who is accessing those services. On the basis of our cryptanalysis,
could be comprehended by outsiders who could then decode the service right lists
, respectively In a previous description, the service right list is as the following equation:
where SVIDk denotes the index of the k-th service and ARk represents the granted access privileges of SVIDk. Hence, anyone can determine who has which access privileges to access which service even if
is secretly stored in a tamper-proof device.
4. Analysis of the New Scheme
In this section, we roughly compare the security properties and performance of the related mechanisms discussed. The security properties comparisons between PAACP, SECSPP and our scheme in the authentication phase and access phase are shown in Table 1
. The performance comparisons are shown in Table 2
lists important security properties in VANETs based on Yeh et al.
’s proposals. As mentioned, with PAACP, an attachable blind signature, is breakable and cannot maintain privacy, and the PAACP’s AC is not secure, even if the AC is secretly stored in a tamper-proof device. An eavesdropper is able to construct the AC from an intercepted blind document. Any outsiders in VANETs can know who has which access privileges to access which service. Consequently, PAACP cannot still satisfy context privacy properly.
Since the computational load of the PKI (Public Key Infrastructure) cryptosystem is a heavy burden for all communicating nodes in the PPACP and SECSPP, we propose an efficient version without PKI cryptosystems. Furthermore, the speed of encryption/decryption with symmetric encryption schemes is faster than with asymmetric ones, namely PKI cryptosystems. For instance, it is known that DES (Data Encryption Standard) is 100-times faster than RSA in software and 1000-times faster in hardware [17
]. Consequently, we treat the computational load of a PKI operation as that of 100 symmetric operations. As listed in Table 3
, the PPACP needs nearly 702 symmetric operations and SECSPP needs 740 symmetric operations in the related work, while it requires about 124 symmetric operations in our scheme. Moreover, it takes 0.0005 s to complete a one-way hash operation and 0.0087 s to finish a symmetric en-/de-cryption. We hence ignore the computational load of the one-way hash function, since it is quite lighter than that of a symmetric en-/de-cryption [18
]. As a result, computational loads can be reduced to 1.0788 s in our scheme.
The following is based on the computation method in PAACP. Assume that n vehicles in the VANET request the services of the same services provider at the same time and the locations where these service requests are invoked are uniformly distributed within m RSUs. The transmission delay Ttrans_delay is the time in seconds to deliver a message from a vehicle, which is forwarded to the service provider by an RSU. The waiting time Twaiting consists of the round-trip transmission delay and the time spent on verification by the service provider. In SECSPP, the average waiting time Twaiting for a requesting vehicle can be estimated as:
In PAACP and our scheme, the average waiting time Twaiting for a requesting vehicle can be estimated as:
In a uniform distribution of locations, the average number of requests pending in each RSU will be
. Therefore, the average time spent for request verification in an RSU is
. Figure 1
shows that when m
is equal to 10, the average waiting time Twaiting
for a service request from vehicle n
increases from 1 to 50. Figures 2
show that the average waiting time Twaiting
for a service request from vehicle n
increases from 1 to 100 when m
is equal to 10, 30 and 50, respectively. As Figure 2
shows, when 100 vehicles are requesting the desired services, the average waiting time Twaiting
to finish the authentication in PAACP is 14.32 s. In our scheme, the average waiting time Twaiting
is about 5.73 s. Similarly, as shown in Figure 3
, our scheme takes about 2.28 s, compared to about 5.65 s for PAACP. Finally, our scheme takes about 1.59 s, compared to PAACP’s average of about 3.94 s, as shown in Figure 4
. In summary, the average waiting time Twaiting
decreases when RSU increases.
4.3. Security Analysis
The other security features of our new scheme are also discussed below:
Forward secrecy: This security means that before a Vi wants to access the (n + 1)-th service, he/she cannot decrypt the service request message that existed prior to his/her session key KV + n. Our scheme can attain forward secrecy because, if a Vi requests next (Service request message)(n+1)−th, then a new KV + (n + 1) will be generated by the (n + 1)-th service.
Backward secrecy: After a user logs out of the server, he/she cannot receive any services belonging to the left server. After a Vi accesses the n-th service, he/she cannot decrypt the service request message that existed posterior to his/her session key KV + (n + 1). Our scheme can attain backward secrecy, because after a Vi requests next (Service request message)(n+1)−th, the session key KV + (n + 1) will be generated, and the KV + (n) will be invalid.
Authentication: A Vi must submit his or her authentication request message (VIDi, C, Ni) to the service provider St, and then, the St acknowledges the Vi. After receiving the authentication request message, the St encrypts the message
to facilitate a mutual authentication between the vehicle and the service provider.
Authorization: In the registration phase, the service provider creates a service right list by the following equation:
where SVIDk denotes the index of the k-th service and ARk represents the granted access privileges of SVIDk. Hence, anyone can determine who has which access privileges to access which service. Only valid Vi can encrypt
with KV. After Rj receives
, Rj will decrypt the message:
with KR to gain (SVID1 || ACi) and then derive ACi and SVID1, because of KV = KR.
Replay attack: In the registration phase, a Vi submits his/her registration information over a secure channel, so there are not any replay attack issues. In the authorization phase, an old message was eavesdropped by an attacker. He/she may try to replay the old message (VIDi, C, Ni). It may fail because it is not always the same, and the nonce Ni s a random number that is generated and has a value that has not been used before, to avoid replay attack and the serious time synchronization problem.