Improving the Authentication Scheme and Access Control Protocol for VANETs

Privacy and security are very important in vehicular ad hoc networks (VANETs). VANETs are negatively affected by any malicious user's behaviors, such as bogus information and replay attacks on the disseminated messages. Among various security threats, privacy preservation is one of the new challenges of protecting users' private information. Existing authentication protocols to secure VANETs raise challenges, such as certificate distribution and reduction of the strong reliance on tamper-proof devices. In 2011, Yeh et al. proposed PAACP: a portable privacy-preserving authentication and access control protocol for vehicular ad hoc networks. However, PAACP in the authorization phase is breakable and cannot maintain privacy in VANETs. In this paper, we present a cryptanalysis of an attachable blind signature and demonstrate that the PAACP's authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. An eavesdropper can construct an AC from an intercepted blind document. Any eavesdropper can determine who has which access privileges to access which service. For this reason, this paper copes with these challenges and proposes an efficient scheme. We conclude that an improved authentication scheme and access control protocol for VANETs not only resolves the problems that have appeared, but also is more secure and efficient.

Entropy 2014, 16 6153


Introduction
VANETs are a special case of mobile ad hoc networks (MANETs) that aim to enhance the safety and efficiency of road traffic [1][2][3][4]. A number of distinguishing features and limitations are related to the very nature of wireless communications in VANETs and the rapid movement of the vehicles involved in those communications. Compared to wired or other wireless networks, VANETs are very dynamic and their communications are volatile. In these networks, nodes are vehicles equipped with communication devices, known as on-board units (OBUs), and, depending on the applications, OBUs are used to establish communications with other vehicles or roadside units (RSUs), such as traffic lights or traffic signs.
In recent years, several research works on VANETs have been conducted by academics and various industries. Recently, some of these works addressed the security issues. As an instance of MANET, VANETs might suffer from any malicious user behaviors, such as bogus information and replay attacks on the disseminated messages. Among various security threats, privacy preservation in VANETs is one of the new challenges of protecting users' private information. For instance, Chen and Wei proposed a safe, distance-based location privacy scheme called SafeAnon [5,6]. By simulating vehicular mobility in a cropped Manhattan map, they evaluated the performance of the SafeAnon scheme under various conditions to show that it could simultaneously achieve location privacy, as well as traffic safety. However, as Chen and Wei focused on the issues of the vehicles' location privacy, little emphasis was put on the initial authentication phase of communications among vehicles.
In 2005, Raya et al. [7] first proposed a solution that mentioned both the security and privacy issues of safety-related applications. Wang and others reviewed Raya and Hubaux's communication scheme in 2008 [8] and argued that Raya and Hubaux paid a great deal of attention to safety-related applications, such as emergency warnings, lane changing assistance, intersection coordination, traffic-sign violation warnings and road-condition warnings [9], but non-safety-related applications were neglected. In Raya and Hubaux's communication scheme, safety messages do not contain any sensitive information. However, VANETs also provide non-safety applications that offer maps [10,11], advertisements and entertainment information [12].
Similar to safety applications, non-safety applications in VANETs have to take both security and privacy issues into consideration. In addition, designing a practical non-safety application for VANETs should take the following requirements into consideration [13,14]:
Mutual authentication: providing mutual authentication between the two communicating parties, such as a vehicle and a roadside communication device.
Context privacy: allowing mobile vehicles to anonymously interact with roadside devices to access services.
Lower computational cost: a system must have light overhead in terms of computational costs and high efficiency.
Session key agreement: generating dynamic session keys to secure the communication between nodes in VANETs.
Differentiated service access control: providing several services with different levels of access privileges for different users' requirements.
Confidentiality and integrity: providing data confidentiality and integrity in applications of communications.
Preventing eavesdropping: an intruder cannot be allowed to discover valuable information from communications between members in VANETs.
Scalability: coping with the large-scale and dynamic environment presented by VANETs.
In 2008, Li et al. proposed a secure and efficient communication scheme named SECSPP [14] that employs authenticated key establishment for non-safety applications in VANETs. SECSPP is the first security scheme with explicit authentication procedures for non-safety applications. However, SECSPP does not cope well with the extremely high speed a vehicle can reach. It is possible that the response sent from the service provider (SP) has not yet arrived, but the requesting vehicle has already passed the RSUs' transmission range. Moreover, all requests made by non-safety applications must first be verified by the proper SP, which becomes a bottleneck of SECSPP. The scalability issue arises at a popular SP if a large number of requests are made.
In 2011, Yeh et al. [13] proposed PAACP: a portable privacy-preserving authentication and access control protocol for vehicular ad hoc networks. However, in the authorization phase, PAACP is breakable and cannot maintain privacy in VANETs. Recently, Wu et al. [15] presented a cryptanalysis of an attachable blind signature and demonstrated that the PAACP's authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. This is because an eavesdropper is able to construct an AC from an intercepted blind document. Consequently, PAACP in the authorization phase is breakable and cannot maintain privacy in VANETs. Any outsider can determine who has which access privileges to access which service. This paper copes with these challenges and proposes an efficient scheme. We conclude that an improved authentication scheme and access control protocol for VANETs will not only resolve the problems that have appeared, but will also be secure and efficient.
The remainder of this paper is organized as follows. Section 2 reviews the cryptanalysis of PAACP. Section 3 introduces an improved scheme. In Section 4, we compare the performance of our scheme with PAACP and SECSPP and analyze various aspects of the security of our scheme. Finally, we conclude this paper and indicate some directions for future research in Section 5.

Cryptanalysis of PAACP
In 2011, Yeh et al. [13] proposed a novel portable privacy-preserving authentication and access control protocol for vehicular ad hoc networks. To eliminate the communication with service providers, they proposed a novel portable access control method that stores a portable service right list (SRL) in each vehicle, instead of keeping the SRLs with the service providers. In order to assure the validity and privacy of an SRL and prevent privilege elevation attacks, an attachable blind signature is used by PAACP. Recently, Wu et al. [15] proposed a cryptanalysis of an attachable blind signature and demonstrated that the PAACP's authorized credential (AC) is not secure and private, even if the AC is secretly stored in a tamper-proof device. Their analysis showed that in PAACP, an eavesdropper can construct the AC from an intercepted blind document. As a result, PAACP in the authorization phase is breakable, and as any outsider can determine who has which access privileges to access which service, the privacy of users in PAACP's scheme is jeopardized. Wu et al. presented Cryptanalysis 1, which shows that m cannot be kept private, and Cryptanalysis 2, which shows that an intruder can use the public key PK_{S_t} of S_t to compute the authorized credential AC_i^{S_t}. The notation used throughout the remainder of this paper is shown in Table 1.

Table 1. Notation used in the remainder of the paper.

Notation                         Description
V_i                              the i-th vehicle
VID_i                            the i-th vehicular node's real identification
S_t                              the t-th service provider
SID_t                            the t-th service provider's real identification
AC_i^{S_t}, AC_i^{V_i}           authorized credential made by S_t and V_i, respectively
AC_i^*                           portable authorized credential for vehicle V_i
SRL^{S_t}, SRL^{V_i}             service right list made by S_t and V_i, respectively
D_k()                            a corresponding symmetric cryptosystem that uses the secret key k for decryption
E_k()                            a secure symmetric cryptosystem that uses the secret key k for encryption
N_i                              fresh nonce, randomly generated by VID_i
N_s                              fresh nonce, randomly generated by the service provider
h()                              a collision-free and public one-way hash function
‖                                string concatenation
X → Y : Z                        a sender X sends a message Z to receiver Y

Cryptanalysis 1. To acquire a message m, an intruder can eavesdrop on the two blind documents BD_1, BD_2 in the (User → Signer) channel and also eavesdrop on the signed blind documents BD_1', BD_2' in the (Signer → User) channel. After stealing BD_1, BD_2, BD_1' and BD_2', the intruder can use the public key e of the signer to compute the following equation:

Cryptanalysis 2. Similarly, to acquire the authorized credentials AC_i^{V_i} and AC_i^{S_t}, an intruder can eavesdrop on the two blind documents BD1_i, BD2_i in the (Vehicle → Service Provider) channel and also eavesdrop on the signed blind documents BD1_i', BD2_i' in the (Service Provider → Vehicle) channel. After stealing BD1_i, BD2_i, BD1_i' and BD2_i', the intruder can use the public key PK_{S_t} of the service provider to compute the following equation:

where AC_i^* consists of both AC_i^{V_i} and AC_i^{S_t}. Yeh et al. [13] claimed that an attachable blind signature can keep privacy: no one could comprehend the access privileges in AC_i^{V_i}, and no one could tell who is accessing those services. On the basis of our cryptanalysis, {AC_i^{V_i}, AC_i^{S_t}} could be comprehended by outsiders, who could then decode the service right lists SRL_i^{S_t} and SRL_i^{V_i}, respectively. In the previous description, the service right list is given by the following equation:

where SVID_k denotes the index of the k-th service and AR_k represents the granted access privileges of SVID_k. Hence, anyone can determine who has which access privileges to access which service, even if AC_i^* is secretly stored in a tamper-proof device.

Improved Scheme
In this section, we propose an improved scheme and offer an efficient authentication and access control protocol for VANETs. The security of this scheme depends on a secure one-way hash function, not on the use of an attachable blind signature. This scheme consists of three phases: the registration phase, the authentication phase and the access phase. We describe our scheme as follows.

The Registration Phase
A vehicle V_i creates a service right list SRL_i^{V_i} and an authorized credential AC_i^{V_i}, just as Yeh et al. proposed. Let x be a secret key maintained by the service provider S_t, and let h() be a secure one-way hash function with a fixed-length output. The registration phase is performed over a secure channel.
V_i submits his/her identity VID_i and his/her AC_i^{V_i} to S_t for registration.
S_t also creates SRL_i^{S_t} and AC_i^{S_t} as Yeh et al. proposed. S_t then computes V_i's secret information y_i = h(VID_i, x) and e_i = y_i ⊕ AC_i^{S_t} ⊕ AC_i^{V_i}, writes h() and e_i into the smart card of the on-board unit (OBU) and issues the card to V_i.
S_t also performs a multicast to send the values y_i and AC_i^{S_t} to its roadside units (RSUs) R_j.

The Authentication Phase
After V_i sends an authentication request message to S_t, S_t and V_i execute a mutual authentication between the vehicle and the service provider. First, let E_k(·)/D_k(·) be a symmetric encryption/decryption function with secret key k.
When V_i wishes to access services provided by S_t, V_i generates a nonce N_i, where N_i is a random and fresh number, and sends the authentication request message (VID_i, C, N_i) to S_t. After receiving the authentication request message (VID_i, C, N_i), S_t and V_i execute the following steps to facilitate a mutual authentication between the vehicle and the service provider. S_t performs the following operations:
- Verifies that VID_i is a valid vehicle identity. If not, the authentication request is rejected.
- Computes y_i' = h(VID_i, x) and verifies whether y_i' = y_i. If the verification fails, the request is rejected.
- Checks whether the received C equals h(y_i ⊕ AC_i^{S_t}, N_i). If not, the request is rejected; otherwise, the request proceeds to the next step.
- Generates a nonce N_s, where N_s is a random and fresh number.
V_i then verifies whether N_i' = N_i. If the answer is yes, the mutual authentication is done. The portable authorized credential is AC_i = AC_i^{V_i} ⊕ AC_i^{S_t}, and we propose that AC_i^{V_i} need not be equal to AC_i^{S_t}. Either S_t may reduce access privileges for some reason (for example, not paying before the deadline or breaking a contract), or V_i may disable access privileges himself/herself for some reason (for example, a privacy issue or lower communication costs). Therefore, forming AC_i as the exclusive-OR of AC_i^{V_i} with AC_i^{S_t} is reasonable and makes sense.

The Access Phase
This phase is based on the key exchange protocol proposed by Diffie et al. [16]. It is used to encrypt an individual conversation with a session key. The lifespan of a session key is the period of a particular communication session. A new session phase involves two public parameters, q and α, where q is a large prime number and α is a primitive element mod q. After V_i sends a service request to its neighboring R_j, R_j verifies the authorized credential AC_i by itself without further communication with S_t. According to the access privileges stored in the authorized credential AC_i^{S_t}, R_j can decide whether V_i's request is accepted or not. Furthermore, R_j can detect whether V_i is launching an elevation of privilege (EoP) attack.
• V_i → R_j: W_i. V_i computes W_i = α^{r_{V_i}} mod q and sends W_i to R_j, where r_{V_i} is a random number.
• R_j → V_i: S_i. Similarly, R_j computes S_i = α^{r_{R_j}} mod q and sends S_i to V_i, where r_{R_j} is a random number.
V_i computes K_V = (S_i)^{r_{V_i}} mod q, and R_j computes K_R = (W_i)^{r_{R_j}} mod q. Then, both of them check whether K_V = K_R. If yes, a new session will be created. This is because:
Session key = (S_i)^{r_{V_i}} mod q = (α^{r_{R_j}} mod q)^{r_{V_i}} mod q = α^{r_{R_j} r_{V_i}} mod q = (α^{r_{V_i}} mod q)^{r_{R_j}} mod q = (W_i)^{r_{R_j}} mod q
If V_i wants to access a service, it encrypts E_{K_V}(SVID_1 ‖ AC_i) with K_V as the service request message and sends it to R_j. After R_j receives the message, R_j decrypts it, D_{K_R}(E_{K_V}(SVID_1 ‖ AC_i)), with K_R to gain (SVID_1 ‖ AC_i) and then derives AC_i and SVID_1, because K_V = K_R. When R_j derives AC_i, R_j verifies it and is then convinced that V_i is a legal user.
• V_i → R_j: (Service request message)_{n-th}. When V_i continues to access the n-th service, it encrypts the n-th service request message E_{K_V + n}(SVID_n ‖ AC_i) with K_V + n and sends it to R_j. After R_j receives the n-th service request message, R_j decrypts it with K_R + n to derive AC_i and SVID_n. R_j examines whether SID_t, as well as SVID_n, are included in AC_i^{S_t} and checks the validity of the authorized credential by T_expired. If the verification succeeds, AC_i is legitimate and V_i is authorized; otherwise, R_j terminates this session.
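The three phases above (registration, authentication and access) are worked through end to end in the following Python, an added example that is not the paper's code. It assumes SHA-256 for h(), a toy XOR-keystream cipher for E_k()/D_k(), a fixed 32-byte "key=value" encoding of the credentials, small toy Diffie-Hellman parameters, and that V_i derives the key y_i ⊕ AC_i^{S_t} for C and M as e_i ⊕ AC_i^{V_i} from its smart card; the first service request uses K_V and later ones K_V + n. The RSU check recovers V_i's own list as AC_i ⊕ AC_i^{S_t}, which is this example's reading of AC_i = AC_i^{V_i} ⊕ AC_i^{S_t}, and rejects a request for a service outside the provider's list (the EoP case) or after T_expired.

```python
"""Added example (not the paper's code): registration, authentication and
access phases of the improved scheme between V_i, S_t and R_j.  All values
are constructed; h() is SHA-256 and E_k()/D_k() is a toy XOR-keystream cipher."""
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(): public collision-resistant one-way hash with fixed-length output."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(k: bytes, msg: bytes) -> bytes:
    """Toy E_k(): XOR with a SHA-256 keystream; D_k() is the same operation."""
    out = bytearray()
    for i in range(0, len(msg), 32):
        out += xor(msg[i:i + 32], hashlib.sha256(k + i.to_bytes(4, "big")).digest())
    return bytes(out)


D = E


def ac(fields_str: str) -> bytes:
    """Credential as a fixed 32-byte 'key=value;...' string (constructed encoding)."""
    return fields_str.encode().ljust(32, b"\0")


def fields(cred: bytes) -> dict:
    return dict(p.split("=") for p in cred.rstrip(b"\0").decode().split(";"))


# Registration phase (over a secure channel)
def register(x: bytes, vid: bytes, ac_v: bytes, srl_fields: str):
    """S_t: y_i = h(VID_i, x); e_i = y_i XOR AC_S XOR AC_V goes on the OBU card;
    (y_i, AC_S) is multicast to the RSUs."""
    y, ac_s = h(vid, x), ac(srl_fields)
    card = {"e": xor(xor(y, ac_s), ac_v)}
    rsu_state = {"y": y, "ac_s": ac_s}
    return card, rsu_state


# Authentication phase
def vehicle_request(vid: bytes, card: dict, ac_v: bytes):
    """V_i: key = e_i XOR AC_V (= y_i XOR AC_S, assumption); send (VID_i, C, N_i)."""
    k = xor(card["e"], ac_v)
    n_i = secrets.token_bytes(16)
    return (vid, h(k, n_i), n_i), k


def provider_respond(x: bytes, registry: dict, request):
    """S_t: check VID_i, recompute y_i, check C = h(y_i XOR AC_S, N_i), then
    reply M = E_{y_i XOR AC_S}(N_s, N_i, AC_S).  None means the request is rejected."""
    vid, c, n_i = request
    if vid not in registry:
        return None
    ac_s = registry[vid]["ac_s"]
    k = xor(h(vid, x), ac_s)
    if h(k, n_i) != c:
        return None
    return E(k, secrets.token_bytes(16) + n_i + ac_s)


def vehicle_finish(k: bytes, n_i: bytes, ac_v: bytes, m: bytes):
    """V_i: decrypt M, verify N_i' = N_i, then AC_i = AC_V XOR AC_S."""
    pt = D(k, m)
    return xor(ac_v, pt[32:]) if pt[16:32] == n_i else None


# Access phase
Q, ALPHA = 23, 5  # toy Diffie-Hellman parameters (q prime, alpha primitive mod q)


def dh_session():
    """W_i = alpha^r_Vi, S_i = alpha^r_Rj; K_V = S_i^r_Vi = W_i^r_Rj = K_R."""
    r_v, r_r = secrets.randbelow(Q - 2) + 1, secrets.randbelow(Q - 2) + 1
    w_i, s_i = pow(ALPHA, r_v, Q), pow(ALPHA, r_r, Q)
    return pow(s_i, r_v, Q), pow(w_i, r_r, Q)


def key_n(k: int, n: int) -> bytes:
    """Key for the n-th service request is K + n (n = 0 is the first request)."""
    return (k + n).to_bytes(32, "big")


def rsu_check(k_r: int, n: int, msg: bytes, rsu_state: dict, sid: str, today: str) -> bool:
    """R_j: decrypt with K_R + n; check SID_t, SVID_n in AC_S, V_i's own list and T_expired."""
    pt = D(key_n(k_r, n), msg)
    svid_n, ac_i = pt[:8].rstrip(b"\0").decode(), pt[8:]
    fs = fields(rsu_state["ac_s"])                # provider's list, from the multicast
    fv = fields(xor(ac_i, rsu_state["ac_s"]))     # vehicle's own list (assumption)
    return (fs["SID"] == sid and svid_n in fs["SV"].split(",")
            and svid_n in fv["SV"].split(",") and today <= fs["EXP"])


def run(vid: bytes, svids, today: str = "2025-01-01"):
    """Whole flow; returns one verdict per requested service, None if auth failed."""
    x = b"provider-secret-x"                      # S_t's secret key (constructed)
    ac_v = ac("SV=1,2")                           # V_i's own right list (constructed)
    card, rsu_state = register(x, b"V-0042", ac_v, "SID=7;SV=1,2;EXP=2030-01-01")
    registry = {b"V-0042": rsu_state}             # S_t's own records (same data here)
    req, k = vehicle_request(vid, card, ac_v)
    m = provider_respond(x, registry, req)
    ac_i = vehicle_finish(k, req[2], ac_v, m) if m else None
    if ac_i is None:
        return None
    k_v, k_r = dh_session()
    return [rsu_check(k_r, n, E(key_n(k_v, n), s.encode().ljust(8, b"\0") + ac_i),
                      rsu_state, "7", today) for n, s in enumerate(svids)]
```

Calling run(b"V-0042", ["1", "3"]) yields [True, False]: service 1 is granted, while service 3 is outside AC_i^{S_t} and is refused by R_j alone, with no round trip to S_t; an unknown VID or an expired credential is likewise refused locally.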

Analysis of the New Scheme
In this section, we roughly compare the security properties and performance of the related mechanisms discussed. The security property comparisons between PAACP, SECSPP and our scheme in the authentication phase and access phase are shown in Table 1. The performance comparisons are shown in Table 2. a: In PAACP, the authorized credential (AC) is not secure and private; b: In SECSPP, the session key T_SK is determined by V and S, not V and R.

Performance
Since the computational load of the PKI (Public Key Infrastructure) cryptosystem is a heavy burden for all communicating nodes in PAACP and SECSPP, we propose an efficient version without PKI cryptosystems. Furthermore, encryption/decryption with symmetric encryption schemes is faster than with asymmetric ones, namely PKI cryptosystems. For instance, it is known that DES (Data Encryption Standard) is 100 times faster than RSA in software and 1000 times faster in hardware [17]. Consequently, we treat the computational load of one PKI operation as that of 100 symmetric operations. As listed in Table 3, PAACP needs nearly 702 symmetric operations and SECSPP needs 740 symmetric operations, while our scheme requires about 124 symmetric operations. Moreover, it takes 0.0005 s to complete a one-way hash operation and 0.0087 s to finish a symmetric en-/de-cryption. We hence ignore the computational load of the one-way hash function, since it is much lighter than that of a symmetric en-/de-cryption [18]. As a result, the computational load can be reduced to 1.0788 s in our scheme.
The following is based on the computation method in PAACP. Assume that n vehicles in the VANET request the services of the same service provider at the same time and that the locations where these service requests are invoked are uniformly distributed within m RSUs. The transmission delay T_{trans-delay} is the time in seconds to deliver a message from a vehicle, which is forwarded to the service provider by an RSU. The waiting time T_waiting consists of the round-trip transmission delay and the time spent on verification by the service provider. In SECSPP, the average waiting time T_waiting for a requesting vehicle can be estimated as:

In PAACP and our scheme, the average waiting time T_waiting for a requesting vehicle can be estimated as:

In a uniform distribution of locations, the average number of requests pending in each RSU will be n/m. Therefore, the average time spent on request verification in an RSU is (n/m + 1)/2 × T_{access verification}. Figure 1 shows the average waiting time T_waiting for a service request when m is equal to 10 and the number of vehicles n increases from 1 to 50. Figures 2, 3 and 4 show the average waiting time T_waiting for a service request when n increases from 1 to 100 and m is equal to 10, 30 and 50, respectively. As Figure 2 shows, when 100 vehicles are requesting the desired services, the average waiting time T_waiting to finish the authentication in PAACP is 14.32 s. In our scheme, the average waiting time T_waiting is about 5.73 s. Similarly, as shown in Figure 3, our scheme takes about 2.28 s, compared to about 5.65 s for PAACP. Finally, our scheme takes about 1.59 s, compared to PAACP's average of about 3.94 s, as shown in Figure 4. In summary, the average waiting time T_waiting decreases as the number of RSUs m increases.

Security Analysis
The other security features of our new scheme are also discussed below:
Forward secrecy: This property means that before a V_i accesses the (n + 1)-th service, he/she cannot decrypt the service request message that existed prior to his/her session key K_V + n. Our scheme can attain forward secrecy because, if a V_i requests the next (Service request message)_{(n+1)-th}, then a new key K_V + (n + 1) will be generated for the (n + 1)-th service.
Backward secrecy: After a user logs out of the server, he/she cannot receive any services belonging to the server he/she left. After a V_i accesses the n-th service, he/she cannot decrypt the service request message that existed after his/her session key K_V + (n + 1). Our scheme can attain backward secrecy, because after a V_i requests the next (Service request message)_{(n+1)-th}, the session key K_V + (n + 1) will be generated, and K_V + n will become invalid.
Authentication: A V_i must submit his or her authentication request message (VID_i, C, N_i) to the service provider S_t, and then S_t acknowledges V_i. After receiving the authentication request message, S_t encrypts the message M = E_{y_i ⊕ AC_i^{S_t}}(N_s, N_i, AC_i^{S_t}) to facilitate a mutual authentication between the vehicle and the service provider.
Authorization: In the registration phase, the service provider creates a service right list by the following equation:

where SVID_k denotes the index of the k-th service and AR_k represents the granted access privileges of SVID_k. Hence, anyone can determine who has which access privileges to access which service. Only a valid V_i can encrypt E_{K_V}(SVID_1 ‖ AC_i) with K_V. After R_j receives E_{K_V}(SVID_1 ‖ AC_i), R_j decrypts the message, D_{K_R}(E_{K_V}(SVID_1 ‖ AC_i)), with K_R to gain (SVID_1 ‖ AC_i) and then derives AC_i and SVID_1, because K_V = K_R.
Replay attack: In the registration phase, a V_i submits his/her registration information over a secure channel, so there are no replay attack issues. In the authorization phase, suppose an old message was eavesdropped by an attacker. He/she may try to replay the old message (VID_i, C, N_i). This fails because the message is not always the same: the nonce N_i is a random number that is freshly generated and has a value that has not been used before, which avoids the replay attack and the serious time synchronization problem.

Conclusion
In this paper, we review a cryptanalysis of an attachable blind signature and demonstrate that the PAACP's AC is not secure and private, even if the AC is secretly stored in a tamper-proof device. An eavesdropper can construct the AC from an intercepted blind document. Consequently, during the authorization phase, PAACP is breakable and cannot maintain privacy in VANETs, and any outsider can determine who has which access privileges to access which service.
Furthermore, this paper copes with these challenges and proposes an efficient scheme. We conclude that an improved authentication scheme and access control protocol for VANETs not only resolves the documented problems, but is also secure and efficient. Compared with PAACP and SECSPP, our scheme achieves more functionality and satisfies the security features required by VANETs. Future research can focus on the many commercial applications [19][20][21][22][23].

Author Contributions
Wei-Chen Wu was responsible for planning, design, analysis and writing the manuscript. Yi-Ming Chen reviewed the manuscript. Both authors have read and approved the final manuscript.

Figure 1. Average waiting time when m is equal to 10.

Figure 2. Average waiting time when m is equal to 10.

Figure 3. Average waiting time when m is equal to 30.

Figure 4. Average waiting time when m is equal to 50.

Table 1 lists important security properties in VANETs based on Yeh et al.'s proposals. As mentioned, with PAACP, an attachable blind signature is breakable and cannot maintain privacy, and the PAACP's AC is not secure, even if the AC is secretly stored in a tamper-proof device. An eavesdropper is able to construct the AC from an intercepted blind document. Any outsider in VANETs can know who has which access privileges to access which service. Consequently, PAACP still cannot satisfy context privacy properly.

Table 2. Comparison of security features.

Table 3. Comparison of efficiency. T_hash: computational cost of a one-way hash function; T_xor: computational cost of an exclusive-OR operation; T_sym: computational cost of a symmetric encryption; T_asym: computational cost of an asymmetric operation; T_exp: computational cost of a modular exponentiation.