Using a Random Secret Pre-Distribution Scheme to Implement Message Authentication in VANETs

Appl. Sci. 2015, 5, 974 (Open Access)

In recent years, the development of the Intelligent Transportation System (ITS) has increased the popularity of vehicular ad hoc networks (VANET). A VANET is designed to enable vehicles to exchange information about traffic or vehicle conditions to help other vehicles avoid traffic accidents or traffic jams. To resist malicious attacks, all vehicles must be anonymous and their routings must be untraceable, but still verifiable. The vehicles must trust each other and communicate confidentially. In a VANET, Road Side Units (RSU) are installed on traffic signs or streetlights to help vehicles maintain anonymity, to authenticate messages, or to support confidentiality. However, the coverage of an RSU is limited and the cost of widespread installation is high. RSU installations are incremental, so messages must be authenticated using dense RSUs or sparse RSUs. In this paper, the concept of random key pre-distribution that is used in Wireless Sensor Networks (WSN) is modified to random secret pre-distribution (RSP), which integrates identity-based cryptography (IBC) to produce a message authentication scheme for VANETs in a sparse RSU environment. In the proposed scheme, vehicles follow a process to determine a common secret, allowing them to authenticate each other and obtain the pairing value as a key for use in message authentication and private communication. Evaluation results show that the proposed scheme outperforms related schemes.


Introduction
A general VANET has a three-tier structure [1], which comprises a trusted authorizer (TA), many road side units (RSUs), and vehicles. The TA is the central trust tier, and it is connected to the RSUs via a wired network. The communication between the RSUs and vehicles uses the wireless communication protocol IEEE 802.11p. IEEE 802.11p is a revision of 802.11 with the addition of Wireless Access in the Vehicular Environment (WAVE) [2]. All RSUs (second tier) and vehicles (third tier) must register with the TA to obtain initial certification, identities or common secrets to enable them to make requests anonymously. RSUs are installed at the side of the road to help vehicles maintain anonymity and authenticate messages. The vehicles can broadcast, exchange, or receive messages about road conditions, traffic conditions, their positions, or their speed to avoid accidents and worsening traffic jams. Malicious attackers [3,4] may collect transmitted messages in VANETs to obtain the private information of users. To resist malicious attacks and maintain the privacy of the vehicles, each vehicle must remain anonymous, and its messages must be sent anonymously, so the authentication of messages in VANETs is an important issue.
In a VANET, communications can be classified into two types: without an RSU and with an RSU. In the first type, each vehicle broadcasts messages to other vehicles or communicates confidentially with specific vehicles. In this scenario, vehicles must ensure their privacy, their confidentiality and the authentication of messages by themselves. In the second scenario, an RSU supports the privacy and confidentiality of vehicles, and message authentication.
In a VANET, messages are authenticated to ensure that received messages are valid and have been sent by a legal source. To preserve privacy, the real identity of a vehicle cannot be exposed or traced. In this paper, the concept of random key pre-distribution that is used in Wireless Sensor Networks (WSN) is modified to random secret pre-distribution (RSP) that integrates identity-based cryptography (IBC), to build an environment in which vehicles can maintain anonymity, communicate confidentially, authenticate messages, and resist malicious attacks with the assistance of RSUs or by themselves in a sparse RSU environment. In the proposed scheme, the TA maintains a large pool of secrets that will be pre-distributed randomly to all RSUs and vehicles as the original registration set. All RSUs have a pseudo random generator (PRNG) and the same seed value that is provided periodically by the TA, so they have the same secret pool from which to issue the randomly selected secret to vehicles. Based on the secrets held in common either between RSUs and vehicles or among vehicles under an RSU, entities of both types can authenticate each other, authenticate messages, and communicate confidentially following the pairing process. The proposed scheme satisfies the security requirements of a VANET, including message authentication, identity verification, non-repudiation, confidentiality, conditional anonymity, and un-traceability.
In this paper, Section 2 introduces related works and techniques that are used herein. Section 3 describes the proposed schemes. Section 4 analyzes the security and performance of the proposed schemes. The final section draws conclusions and provides suggestions for future work.

Related Works and Techniques
According to Hubaux et al. [5], a smart vehicle can record, compute, and specify its position. It uses the traditional public-key infrastructure (PKI). The computational complexity increases if the vehicle uses PKI to encrypt messages, and so does the computation overhead of the communication step. Moreover, for privacy and un-traceability, the vehicle must frequently change its certificate, imposing a burden on the TA.
Zhang et al. [6] proposed a scheme in which RSUs are used to support message authentication by vehicles. When a vehicle enters the coverage range of an RSU, it establishes a secret key after mutual authentication. The vehicle then generates a short message authentication code (MAC) using this secret key, and the RSU verifies the MAC. However, exposure of the certificate makes the vehicles traceable.
In 2010, Wasef et al. [7] proposed the RSU-aided distributed certificate service (DCS), which enables vehicles to update their certificates from an RSU. A vehicle can update its certificate from any RSU, even when it is not in the coverage range of that RSU. The performance of the DCS depends on the density of the RSUs.
Sun et al. [8] proposed a pseudonymous authentication scheme with privacy preservation (PASS), which supports the DCS. The scheme reduces the certificate-updating overhead and the revocation overhead. Attackers cannot trace legitimate vehicles, even when they compromise the RSU. However, the DCS still carries the load of certificate handling, and it cannot work in a sparse RSU environment.
Chen et al. [9] used chameleon hash values to perform anonymous authentication and ID-based cryptography (CH-IBC) to perform key agreement. In this scheme, vehicles use a chameleon hash value as a disposable alias. They can verify message authentication and message integrity, but the scheme still needs the assistance of an RSU.
Hung et al. [10] proposed a chameleon hash function-based message authentication scheme without RSUs, but they did not solve the problem of malicious revocation. Hung et al. [11] used the bilinear Diffie-Hellman method (BDH) to propose a message authentication scheme for a dense RSU environment, in which certificates are requested RSU by RSU. Kuo [12] proposed a message authentication scheme that obtains a pairing value to establish mutual trust in intra- and inter-RSU environments based on the chameleon hash function, but this scheme also suffers from malicious revocation. Section 4 compares DCS [7], PASS [8], CH-IBC [9], BDH [11] and the proposed scheme in terms of functionality and performance.
Two problems are evident in all of the listed schemes. First, RSUs perform the most important roles in message authentication, but their performance worsens as they become sparser. The second problem concerns the certificate base. The privacy of vehicles is maintained by making their identities and routes non-traceable. Accordingly, identities must be anonymous and changed frequently, generating the heavy loads associated with changing certificates and announcing revoked certificates.
To solve these two problems, we propose a secure scheme for VANETs. RSUs can be installed incrementally, even in a very sparse environment, and vehicles establish mutual trust and obtain the pairing value based on the secret that is embedded in their anonymous identities instead of on certificates. The following section presents the scheme in detail.
In a WSN, random key pre-distribution (RKP) [13] is used to perform mutual authentication using a common secret key. A random subset of keys in the pool is embedded into the sensor nodes before deployment. Nodes in the WSN can authenticate each other if they hold common secret keys. The plain secret keys stored in the nodes make RKP vulnerable to compromise attacks [14]: when some nodes are compromised, the attacker can build malicious nodes using the subset of secret keys collected from the compromised nodes. Hsieh et al. [15] modified RKP into RSP, in which the common secret is embedded in the private key. By pairing the private key [16] with the public key, nodes mutually authenticate using the common pairing value if their private keys include the common secret.

Proposed Scheme: RSP-Based Message Authentication for VANET
In the proposed scheme, one day is split into n time slots ( ~ ), and the maintains a large secret pool that will be pre-distributed randomly to all RSUs and vehicles as information about the original registration set (ORG) at . With a pseudo random generator and the same seed value that is provided by the in ~ , all RSUs have the same secret pool from which to issue the random secret in response to registration requests from vehicles. Every day, in or the first time slot ( ), a vehicle enters the coverage of an RSU, and requests the new registration set (NRG) using the information in its ORG. In another time slot, the vehicle can request the new registration set using the information in its NRG; it sets this NRG as its previous registration set (PRG), and sets the new registration as its new NRG. Accordingly, the ORG, PRG and NRG that are maintained by a vehicle are requested at , , respectively. The information in a registration set includes the issuer, the time slot, a set of identities, a set of secret indices and a set of private keys. The public key can be derived from the identity and the time slot, and the indexed secret value is embedded in the public key to form the private key. At any time, a vehicle can randomly choose one of its identities in ORG, PRG or NRG as its identity and announce this anonymous identity to all neighbors. An anonymous identity has the form (issuer, time slot, identity, set of secret indexes). Based on the information in a vehicle's anonymous identity, neighboring vehicles can find the common secret, calculate the pairing value, or find a neighbor that can help with message authentication or confidential communication. This section describes the process in detail. Table 1 presents the associated notation and definitions.

Table 1. Notation and definitions.
is a finite field that is formed by mod q, where q is a large prime number.
G, P: G is an EC addition group with mod q; P is the generator of G.
is the value on the x axis.
M: M is a character stream or bit stream.
H(M): H(M) is a hash function that maps M to .
HMAC(M)_K: HMAC(M)_K is a hash function that maps M to with key K.
and are the IDs of the TA and RSUa.
is the secret pool of the TA that is generated by a pseudo random generator with seed ; S has secrets.
Symmetric encryption of m using key k.

Original Registration Set (ORG)
All RSUs and vehicles must register with the TA to receive the original registration set (ORGR or ORGV). The TA will record the original information, including the original ID and the information about the original registration set, as in Table 2.

Obtaining New Registration with
At or the first time ( ), a vehicle enters the coverage of an RSU, and requests the new registration set from that RSU (Ra). The steps are as follows.
S1. randomly chooses one of its in , , to form the information of its anonymous identity and selects a new anonymous ID ( ′ ), before sending the request to . where Otherwise, passes the request to its neighbor, .
processes step 2 in a manner similar to the processing by until the positive response is sent back from to ; then, the response is returned to . S3. receives the response , and then sets = { , , ′ , ′ , ′ } where may be or . Now, receives its , and or records the corresponding registration information, including and the anonymous identity in , as in Table 3. and the anonymous identity in as in Table 3, but the anonymous identities in .

Constructing Set of Neighbors
At any time in , the time slots in the PRG and the NRG of a vehicle may be ( , ) or ( , ). To construct the set of neighbors, every vehicle says "hello" to all neighbors to announce its presence, and periodically discloses its anonymous identity. Every vehicle must maintain a set of neighbors, which includes information about the neighbors and their expiration times. When receives a hello message from , determines whether is already in the set of neighbors; if it is, then presets the expiration time of . If is a new vehicle, then adds the ′ information to the neighbor set and presets the expiration time. The expiration timer runs continuously. When the expiration time of is reached, the information of is removed.

Communicating Confidentially
Two neighbors ( , ) can communicate confidentially using , as an encryption key to encrypt the message and the time stamp. If and have no common secret but do have a common neighbor ( ), then has a common secret with both and , and can communicate confidentially with by passing the message through the common neighbor .

In a Sparse RSU Environment
A vehicle is associated with two sets of registration information (PRG and NRG). This information can be used for message authentication or confidential communication. If the longest distance between two neighboring RSUs is less than the distance a vehicle moves in two time slots, then a vehicle can always receive new registration information before the NRG expires. Therefore, RSUs can be incrementally deployed. Since all RSUs have the same SP , the concept of the RSP can be applied to all vehicles even if they register with different RSUs. If the vehicle cannot find any RSU to request the new registration, it can still use its ORG for message authentication.

Revocation
At any time, if a malicious vehicle is identified from the anonymous identity that it claims, and the registration table is recorded in all RSUs, then the ORG, PRGs and NRGs of the malicious vehicle can be traced and revoked by the TA and all RSUs, so the malicious vehicle will not be able to request any new registration information in the next time slot. Only the ORG revocation must be recorded permanently. Revoked PRGs and NRGs can be withdrawn after the next two time slots. Thus, the overhead of the revocation list is small. To trace the original registration information, all RSUs must keep a record of registration information for one day. The overhead of recording the registration table is also light.
For example, vehicle i registers its original registration set with the TA under its real identity, as in Table 5.1. At Tt-2, it registers a new registration set with RSUa, , , ′ , ′ , ′ , under its anonymous identity , , , , as in Table 5.2. Then, the vehicle obtains a new registration set from RSUb and RSUc at Tt-1 and Tt, as in Tables 5.3 and 5.4. Suppose it is found to use the anonymous identity , , ‴ , ‴ to perform a malicious attack in time slot Tt. According to the information in the anonymous identity, Table 5.4 is checked, and the vehicle is traced back through Tables 5.4, 5.3, and 5.2 to Table 5.1 in the TA. The TA revokes the right of vehicle i, and sends the information about the original registration set and the new registration sets in Tables 5.3 and 5.4 to all RSUs, so that they deny any new anonymous request from vehicle i.

Broadcasting of Seed Value from TA to All RSUs
In every time slot, the TA must broadcast a seed value to all RSUs to generate a new secret pool. Based on the same secret pool, all new registration sets requested in the same time slot have the same properties of random secret pre-distribution. However, when an RSU is found to be performing a malicious attack, its right to respond to new registration requests in the following time slots must be suspended. To revoke the right of a malicious RSU to respond, the secret index of the malicious RSU is appended to the set of revoking secret indexes ( ), and is made the set of secret indexes for broadcasting the new seed value.
will be used by the TA to broadcast the seed value , as follows. The TA receives and sets as an empty set.
S1. For all valid RSUs, Ri, the TA selects any one new secret index in , but not in and ; this new secret index is added to .
and decrypt Ek2′(.) to retrieve the new seed value to generate a new secret pool in time slot Tt.
Because the secret indexes of a malicious RSU are not included in , even if it requests the secret index in , it does not have the corresponding private key, so it cannot obtain the decryption key k2′ to retrieve the new seed value.

Analysis of Security and Performance
A VANET is vulnerable to various malicious attacks, including masquerading attacks, forgery attacks and replay attacks. To ensure the privacy of vehicles, the proposed scheme must support anonymity, confidential communication, and conditional un-traceability. When a legal vehicle makes a malicious attack, it will be traced and revoked.

Security Analysis
In the proposed schemes, the public key is formed by the hash value of the identity of the issuer, an anonymous identity, and the time slot, according to Equation (3). Any vehicle's public key can be calculated by any other vehicle. A vehicle's private keys are formed by the indexed secret and the vehicle's public key, according to Equation (4). Vehicles know the secret index but cannot retrieve the indexed secret because the ECDLP (Elliptic Curve Discrete Logarithm Problem) is hard. The pairing values are used to establish mutual trust and perform negotiation. The pairing values are bilinear mappings of one vehicle's private key and another vehicle's public key, which can be calculated by a vehicle without any negotiation. In the processes of requesting a new registration and building a neighbor set, the only exposed information is the anonymous identity { , , , }. , cannot be faked because they are used to calculate the public key and the associated private key. is exposed but does not include any information about the secret values in the secret pool. The information that is involved in message authentication is the message and the pairing values that are derived by the vehicle. The following section discusses security in greater detail.

Masquerading Attacks
In the proposed scheme, a vehicle ( ) uses the information in its anonymous identity ( , , , ) to say "hello", and it uses to generate a pairing value for message authentication or communication.
, which is one , can be used only in . For any in , the public key and private key are as follows.
= H( ∥ knows , and but it cannot retrieve ( ) because the ECDLP (Elliptic Curve Discrete Logarithm Problem) is a hard problem. Therefore, cannot masquerade under another anonymous ID without information about the secret pool. In message authentication and the construction of a set of neighbors, the only exposed information is , , F(x) and ( ∥ ), so an attacker cannot retrieve any private information about the private keys. Therefore, masquerading attacks are impossible.

Forgery Attacks
In a broadcast message, ( , , ), (M, ) and (F(x), ( ∥ ) ) constitute the identity ( ), the broadcast message (M), the polynomial function (F(x)) in which the HMAC key K is embedded, and the HMAC of the message. Without the pairing value that is derived from the common secret embedded in the private key, the HMAC key cannot be retrieved, and without the HMAC key, an attacker cannot forge a message that passes the HMAC check. In the "hello" message, are broadcast with attached, so, without the secret pool ( or ), an attacker cannot obtain the pairing values with other vehicles.

Replay Attacks
The "hello" message is used to claim that the vehicle is present, and neighboring vehicles use it to generate the pairing value. Hence, replaying a hello message only adds one more apparent neighbor, and this neighbor cannot perform mutual pairing to mount any attack without the private keys. The time stamp in the HMAC of a broadcast message or a communicated message resists replay attacks.
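The following Python model is an added example, not the paper's code, that walks the flow of Section 3 and the forgery and replay arguments above: a vehicle announces (issuer, time slot, identity, secret indexes), a neighbor finds a common index, both derive the same pairing value, the sender embeds the HMAC key K in F(x) and tags the message with its time stamp, and a receiver recovers K = F(v), checks the time stamp window and the HMAC. Two assumptions are made: the bilinear pairing over the EC group is replaced by a toy stand-in over integers mod a prime that keeps the symmetry e(d_A, Q_B) = e(d_B, Q_A) but none of the ECDLP hardness, and F(x) = K + prod(x - v_i) mod q is used as the concrete form of the polynomial, which the page does not spell out; the choice of the smallest common index is likewise an assumption.

```python
import hashlib, hmac, secrets, time

P = 2**127 - 1  # Mersenne prime: modulus of the toy group and of F(x) (constructed)
G = 5           # generator stand-in for the EC generator P of the paper (constructed)

def pubkey(issuer, slot, anon_id):
    """Eq. (3): public key derived from issuer, time slot and anonymous identity
    (toy: hash to an exponent instead of hash to an EC point)."""
    raw = hashlib.sha256(f"{issuer}|{slot}|{anon_id}".encode()).digest()
    return int.from_bytes(raw, "big") % (P - 1)

class Issuer:
    """TA or RSU holding the shared secret pool S; issues a registration set."""
    def __init__(self, name, pool):
        self.name, self.pool = name, pool

    def register(self, slot, n_ids=3, n_secrets=4):
        ids = [secrets.token_hex(4) for _ in range(n_ids)]
        idx = sorted(secrets.SystemRandom().sample(range(len(self.pool)), n_secrets))
        # Eq. (4): private key = indexed secret embedded in the public key (toy: scalar product)
        priv = {(i, j): self.pool[j] * pubkey(self.name, slot, i) % (P - 1) for i in ids for j in idx}
        return {"issuer": self.name, "slot": slot, "ids": ids, "idx": idx, "priv": priv}

class Vehicle:
    def __init__(self, reg):
        self.reg = reg
        # anonymous identity announced in "hello": (issuer, time slot, identity, secret indexes)
        self.anon = (reg["issuer"], reg["slot"], reg["ids"][0], reg["idx"])

    def pairing(self, other_anon):
        """Pairing value with a neighbour from its announced identity; None if no common secret."""
        issuer, slot, aid, idx = other_anon
        common = set(self.reg["idx"]) & set(idx)
        if not common:
            return None
        d = self.reg["priv"][(self.anon[2], min(common))]   # assumed: smallest common index
        # toy e(d_self, Q_other) = G^(s * Q_self * Q_other): symmetric like a bilinear pairing
        return pow(G, d * pubkey(issuer, slot, aid) % (P - 1), P)

    @staticmethod
    def _tag(K, msg, ts):
        return hmac.new(K.to_bytes(16, "big"), f"{msg}|{ts}".encode(), hashlib.sha256).hexdigest()

    def sign(self, msg, neighbours, ts=None):
        """Broadcast (anon identity, M, time stamp, F(x) coefficients, HMAC_K(M||ts))."""
        vals = [v for v in (self.pairing(n) for n in neighbours) if v is not None]
        K = secrets.randbelow(P)
        coeffs = [1]                                   # prod (x - v_i), lowest degree first
        for v in vals:
            coeffs = [(a - v * b) % P for a, b in zip([0] + coeffs, coeffs + [0])]
        coeffs[0] = (coeffs[0] + K) % P                # assumed embedding: F(x) = K + prod (x - v_i)
        ts = int(time.time()) if ts is None else ts
        return (self.anon, msg, ts, coeffs, self._tag(K, msg, ts))

    def verify(self, bcast, now=None, window=30):
        """Recover K = F(v) with the own pairing value, then check time stamp and HMAC."""
        anon, msg, ts, coeffs, tag = bcast
        now = int(time.time()) if now is None else now
        if abs(now - ts) > window:                     # stale time stamp: replayed message
            return False
        v = self.pairing(anon)
        if v is None:                                  # no common secret: needs a rebroadcast
            return False
        K = sum(c * pow(v, k, P) for k, c in enumerate(coeffs)) % P
        return hmac.compare_digest(self._tag(K, msg, ts), tag)

def demo():
    """Constructed scenario: three RSUs share the TA's pool; a pool of 6 with 4 indexes
    each guarantees a common secret between a and b; s holds no secrets at all."""
    pool = [secrets.randbelow(P - 1) + 1 for _ in range(6)]
    a = Vehicle(Issuer("RSUa", pool).register(slot=3))
    b = Vehicle(Issuer("RSUb", pool).register(slot=3))
    s = Vehicle(Issuer("RSUc", pool).register(slot=3, n_secrets=0))
    return a, b, s
```

Note that the broadcast exposes the secret index set, the leakage the paper flags as future work; the model hides only the secret values, not which indexes a vehicle holds.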

Anonymity and Conditional Un-Traceability
In ORG, PRG or NRG, N anonymous IDs can be used for anonymity. At any time, a vehicle can randomly choose one of them to claim an identity. Since the identity can be changed at any time, the running path of the vehicle is untraceable. However, since ORG, PRG, or NRG information is recorded in the TA or RSUs, the real identity of a vehicle that makes a malicious attack can be traced.

Message Authentication and Confidential Communication
In the construction of a set of neighbors, the pairing value between two vehicles that have a common secret is calculated mutually.

Performance Analysis
The construction of a neighbor set is performed offline, so the load associated with pairing is ignored. During message authentication, the message must be signed to show that it has been sent by a legal vehicle, and the signature must be verified. The numbers of computations in message signing and verification are measured. The computations may be bilinear pairing ( ), EC multiplication ( ), exponentiation ( ) or HMAC. The computation times for , , and HMAC, measured on a 3 GHz Pentium 4 PC [16,17], are 4.5 ms, 0.6 ms, 0.54 ms and 0.002 ms, respectively. Table 7 shows the number of computations and the times required by the proposed and other schemes. In the proposed scheme, the generation of F(x) in signing and the calculation of the HMAC key K are evaluations of a polynomial function. Their computing time can be ignored, so the computations involved in signing or verifying in the proposed scheme are HMAC computations only.

Conclusions and Future Work
This paper proposed the concept of the RSP for constructing a message authentication scheme for use in VANETs. In the proposed scheme, all RSUs and vehicles must register with the TA to receive the original registration set (ORG). At any time, all RSUs have a common secret pool that is generated by a PRNG with a common seed value that is sent by the TA in every time slot. The RSUs act as issuers that can assign a subset of secrets to any vehicles that have been authenticated with their ORG or NRG, which were obtained in the previous time slot. For every T1, or whenever vehicles enter the VANET for the first time, vehicles request the new registration set (NRG) with the information in the ORG. In other time slots, the vehicles can obtain the new registration set with the information in the NRG to generate a new NRG. In the proposed scheme, vehicles randomly choose one of their IDs in the NRG and the set of secret indexes to announce their presence periodically. Using the ID and secret index set, neighboring vehicles can compute the mutual pairing value or find vehicles that can help them with message authentication.
In message authentication, a polynomial function is formed from the pairing values and the HMAC key. The HMAC of the message under that key is attached to the broadcast message. Vehicles that receive a broadcast message use their pairing value to retrieve the HMAC key and to authenticate the message. Some vehicles are asked to rebroadcast the message for vehicles that do not have a common secret with the sender. The proposed scheme is very simple but satisfies all the requirements of a VANET, such as defense against masquerade, forgery and replay attacks, anonymity, un-traceability, message authentication, confidential communication, and a light revocation list. The only computation involved in signing and verification for message authentication is the HMAC, so the proposed scheme outperforms previously proposed schemes.
In message authentication, the index-set of a secret sub-set must be broadcast, potentially leaking information of the secret pool, so future work should seek to hide the index set while ensuring that the load associated with message authentication is light.

Table 2. Information about the original registration set in TA.

Table 3. Recorded information about the anonymous identity and the new registration set ( ) in RSUA.

Table 5. Example of request for anonymous identities.
The pairing value is calculated as ê ( not have a common secret, but they have a common trusted neighboring vehicle, then they can communicate confidentially through the mutually trusted vehicle, or make message authentication from rebroadcasting message.

Table 6. Comparison of functionality.

Table 7. Comparison of schemes in terms of number of computations and time required.