
MC2013
August 23, 2013

[51]Attacking Portable Privacy-Preserving Authentication and Access Control Protocol in Vehicular Ad Hoc Networks


Transcript

  1. Shi-Jinn Horng (1, 2), Shiang-Feng Tzeng (2). Attacking Portable Privacy-Preserving Authentication and Access Control Protocol in Vehicular Ad Hoc Networks

    (1) School of Information Science and Technology, Southwest Jiaotong University, Chengdu 610031, Chengdu
    (2) Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, 106 Taiwan
    [email protected], [email protected]
    National Science Council under contract number NSC-99-2916-I-011-002-A1

    Conclusions

    Considering the stringent time requirement and differentiated service access control, Yeh et al. proposed a portable privacy-preserving authentication and access control protocol, named PAACP, for non-safety applications in VANETs. In this paper, we presented a cryptanalysis of PAACP. Our results show that PAACP is not secure. With the attack, some malicious vehicles can successfully conspire to elevate access privileges for desired services.

    Abstract

    Recently, Yeh et al. proposed a portable privacy-preserving authentication and access control protocol, named PAACP, for non-safety applications in vehicular ad hoc networks. PAACP not only accomplishes authentication, key establishment and privacy preservation, but also considers the scalability and differentiated service access control issues in the protocol design. However, this causes some security flaws. Our results show that PAACP is insecure against privilege elevation attack. In this attack, any two or more vehicles can conspire to elevate access privileges for desired Internet services.

    [Figure panels: Blind signature; System architecture]

    Attack to Yeh et al.’s protocol

    In a conventional access control scheme, SPs are usually responsible for determining the validity of the access requests. To get rid of the communication between SPs and RSUs, Yeh et al. presented an access control method to store a portable service right list (SRL) in a portable authorized credential carried by the vehicle, instead of keeping the SRLs in the SPs. In order to assure the validity and privacy of an SRL, Yeh et al. also proposed an attachable blind signature. Based on the attachable blind signature, vehicles cannot tamper with the SRL. Therefore, PAACP can prevent privilege elevation attacks.

    However, we will show that the malicious vehicles can forge the SRL. Any two or more vehicles can conspire to elevate the access privileges. We call this problem privilege elevation attack by collusion. In this attack, the malicious vehicles cooperate to request other differentiated access privileges of un-purchased services.
  2. Attacking Portable Privacy-Preserving Authentication and Access Control Protocol in Vehicular Ad Hoc Networks

    Shi-Jinn Horng, School of Information Science and Technology, Southwest Jiaotong University, Chengdu 610031; Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, 106 Taiwan, [email protected]

    Shiang-Feng Tzeng, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, 106 Taiwan, [email protected]

    Abstract

    Recently, Yeh et al. proposed a portable privacy-preserving authentication and access control protocol, named PAACP, for non-safety applications in vehicular ad hoc networks. PAACP not only accomplishes authentication, key establishment and privacy preservation, but also considers the scalability and differentiated service access control issues in the protocol design. However, this causes some security flaws. Our results show that PAACP is insecure against privilege elevation attack. In this attack, any two or more vehicles can conspire to elevate access privileges for desired Internet services.

    Key words: Access control, Authentication, Key establishment, Privacy, Vehicular ad hoc networks.

    1. Introduction

    The increasing demands of improving road safety, drivers’ driving experiences and traffic management on the road have brought us a wide interest in vehicular ad hoc networks (VANETs) [1][2]. VANETs have recently received much attention not only from academia but from the automobile industry and government as well. In addition, value-added applications, which are called non-safety applications, can also be envisioned to offer various entertaining services to drivers and passengers [4][5][6][7][8].

    Recently, Yeh et al. [9] proposed a portable privacy-preserving authentication and access control protocol, called PAACP. PAACP is developed to provide differentiated service access control, which will facilitate the deployment of a variety of non-safety applications. Besides, considering the stringent time requirement, the portability feature of PAACP can eliminate the backend communications with service providers. In order to assure the validity and privacy of the access authorization, Yeh et al. [9] also proposed an attachable blind signature to prevent privilege elevation attack [3][9]. In addition, PAACP is the first study supporting differentiated service access control without the scalability problem in VANETs.

    In this paper, we consider the possible security flaw of the privilege elevation problem, i.e., some malicious vehicles can conspire to elevate access privileges which are not granted by the service providers. Those vehicles then can also forge access privileges of other unapplied services. We observe that PAACP is vulnerable to the above privilege elevation attack by collusion. The threat of the privilege elevation problem will limit the development of value-added services in VANETs.

    The remainder of this paper is organized as follows: In Section 2, a brief review of Yeh et al.’s portable privacy-preserving authentication and access control protocol is given. Then a cryptanalysis is presented in Section 3. Finally, the concluding remarks will be in the last section.

    2. Review of Yeh et al.’s protocol

    We will review Yeh et al.’s protocol [9], named PAACP, for non-safety applications in VANETs. PAACP is composed of three types of entities: service providers (SPs), roadside units (RSUs) and onboard units (OBUs). The notations of PAACP are summarized in Table 1. One property of PAACP is the support of differentiated access privileges for each service.
  3. A service may provide different access privileges to satisfy distinct requirements of the users. For this, the access privileges for the service are represented by a bit string of bits. Each bit of denotes a distinct access privilege of the service . Assume a service provider provides services with access privileges , . Suppose a vehicle is granted to access services, , with index { , , …, }. Let , , be the granted value of for . Then, the service right list for can be represented by a bit string with length .

    PAACP includes two phases: access authorization phase and access service phase. We explain the details of each phase as follows. Assume that the vehicle has registered and paid the service money to the service provider , and it has allowed to access the desired services from the roadside unit .

    2.1. Access authorization phase

    Step 1:  : < , , , >

    According to the purchase services and granted access privileges from the service provider , a vehicle generates its service right list [3][9] as , where represents the index of the th service, and denotes the granted access privileges of . The service right list would be signed by as part of an authorized credential. first picks random integers , and , then sets the authorized credential as . Those random integers are used as blind factors. Next, calculates blind documents and as ( ), ( ), where is ’s public key. Finally, sends out < , , , > to .
    TABLE 1 NOTATIONS

    | Notation | Descriptions |
    |---|---|
    |  | The vehicle |
    |  | The identification of the vehicle |
    |  | The roadside unit |
    |  | The service provider |
    |  | The identification of the service provider |
    |  | The identification of the service |
    |  | The access privilege of |
    | ( , ) | The private key and public key of vehicle |
    | ( , ) | The private key and public key of roadside unit |
    | ( , ) | The private key and public key of service provider |
    |  | A temporary session key between the roadside unit and the vehicle |
    | , , | Random numbers |
    | , | Authorized credential made by and , respectively |
    |  | Portable authorized credential for the vehicle |
    | SRL | The service right list |
    | , | The service right list made by and , respectively |
    |  | The valid expired time |
    | , | The blind documents |
    |  | The encryption function with shared key |
    |  | The decryption function with shared key |
    |  | The message authentication code |
    |  | A collision-free and public one-way hash function |
    |  | A signature signed by secret key |
    |  | A large prime number |
    |  | A generator of a finite cyclic group with order |

    Step 2:  : < , >

    Upon receiving message < , , , > sent out by , first confirms whether the signature is valid by ’s public key. If it is valid, is successfully authenticated. Otherwise, this session is dropped. According to the selling contract for , creates the authorized credential and attaches it in to as ( ). then signs them as follows: ( ), ( ). Next, and are sent back to . After obtaining < , > from , unblinds them as follows: , . In order to get the portable authorized credential as ,
  4. calculates . To confirm the portable authorized credential is certified, could verify the correctness of by checking whether is equal to . If it holds, keeps for the subsequent service request. Otherwise, will drop it and stop this session.

    2.2 Access Service Phase

    Step 1:  : < , >

    When a legal vehicle wants to access the desired services from its neighboring roadside unit , will send a service request message with to , where is the identification of the desired services and , where is a random integer in .

    Step 2:  : <, { , }>

    Upon receiving , decrypts it by his own private key to obtain ( , , ). Next, computes to extract the access credential , which is authorized by . Then, examines whether and are included in and checks the validity of the authorized credential by . If the verification holds, is legal and is granted to access the desired services from . Otherwise, the access request is denied and terminates this session.

    After is verified, selects a random integer in , calculates and generates a temporary session key as = ( , , ) for protecting the later communication. Finally, sends < , { , }> to .

    Step 3:  : < { }, >

    After receiving < , { , }>, calculates a temporary session key as = ( , , ) and reveals ( , ) using to check the validity of . If it is valid, is successfully authenticated. Otherwise, ceases this connection. Then, generates an encrypted by as = ( , , ) and calculates the message authentication code as = ( , { }). Finally, transmits < { }, > to .

    Step 4:

    Upon receiving < { }, >, verifies to ensure the integrity, and computes = ( , , ) to decrypt { }. If could recognize , it is implied that indeed holds the corresponding . Finally, the later communications can be encrypted by the session key as = ( , , ) where , , ….

    3. Attack to Yeh et al.’s protocol

    In a conventional access control scheme, SPs are usually responsible for determining the validity of the access requests. To get rid of the communication between SPs and RSUs, Yeh et al. [9] presented an access control method to store a portable service right list ( ) in a portable authorized credential carried by the vehicle, instead of keeping the SRLs in the SPs. In order to assure the validity and privacy of an SRL, Yeh et al. also proposed an attachable blind signature. Based on the attachable blind signature, vehicles cannot tamper with the SRL. Therefore, PAACP can prevent privilege elevation attacks [3].

    However, we will show that the malicious vehicles can forge the SRL. Any two or more vehicles can conspire to elevate the access privileges. We call this problem privilege elevation attack by collusion. In this attack, the malicious vehicles cooperate to request other differentiated access privileges of un-purchased services. We explain the details of this attack as follows.

    For example, we assume that a service provider provides 8 Internet services and the travel guide is the 6th service with three different access privileges: viewing maps, downloading coupons and watching videos, then and for . Assume that the vehicles and purchase the same services, access privileges and term of service. For example, and purchase the travel guide services with the access privilege of viewing maps, then their service right lists are and , respectively [3]. The service right lists will be signed by as part of an authorized credential.

    The malicious vehicles Vx and Vy collaboratively intend to launch the privilege elevation attack by collusion. They want to elevate the travel guide service with the access privileges such as downloading coupons and watching videos that are not granted by an . They forge
  5. the service right list as . In the access authorization phase, first creates its in as and blinds into two blind documents and . transmits its identity , signature and the blinded documents to . Next, sent back < , > to . After obtaining < , > from , unblinds them and gets the portable authorized credential as . Finally, sends (or ) to .

    Upon receiving , decrypts it by her/his private key to obtain . After receiving ’s portable authorized credential , selects random integers , and , and then sets and . These random integers are used as blind factors. calculates blind documents and as ( ), ( ). transmits its identity , signature and the blinded documents to .

    Upon receiving message < , , , > sent from , first confirms whether the is valid by ’s public key. If valid, is successfully authenticated; otherwise, this session is dropped. Then creates the authorized credential as according to the selling contract for and attaches it into as ( ). signs them as follows: ( ), ( ). Next, and are sent back to . After obtaining < , > from , unblinds them as follows: ( ), ( ). In order to get the portable authorized credential as , calculates ( ), ( ). could verify the correctness of by checking whether is equal to . Note that and should be the same. Finally, sends (or ) to .

    In the access service phase, or sends an to its neighboring RSU , and then verifies the authorized credential by itself without further communication with . According to the access privileges stored in the authorized credential , could decide whether ’s or ’s request is accepted or not. calculates ( ) to extract the access credential , which is authorized by . then examines whether as well as is included in , and checks the validity of the authorized credential by . If the verification succeeds, is legitimate and or is authorized. Therefore, could not detect whether or is launching a privilege elevation attack by collusion. An attack is proposed to show that PAACP is not secure.

    4. Conclusions

    Considering the stringent time requirement and differentiated service access control, Yeh et al. [9] proposed a portable privacy-preserving authentication and access control protocol, named PAACP, for non-safety applications
  6. in VANETs. In this paper, we presented a cryptanalysis of PAACP. Our results show that PAACP is not secure. With the attack, some malicious vehicles can successfully conspire to elevate access privileges for desired services.

    REFERENCES

    [1] IEEE Std 1609.2, IEEE Trial-Use Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages, 2006.
    [2] Dedicated Short Range Communications (DSRC) Home. [Online]. Available: http://www.leearmstrong.com/Dsrc/DSRCHomeset.htm.
    [3] Y. C. Chen and L. Y. Yeh, “An efficient authentication and access control scheme using smart cards,” Proceedings of the 11th International Conference on Parallel and Distributed Systems (ICPADS), pp. 78-82, 2005.
    [4] J. L. Huang, L. Y. Yeh, and H. Y. Chien, “ABAKA: An anonymous batch authenticated and key agreement scheme for value-add services in vehicular ad hoc networks,” IEEE Transactions on Vehicular Technology, Vol. 60, No. 1, pp. 248-262, 2011.
    [5] C. T. Li, M. S. Hwang and Y. P. Chu, “A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks,” Computer Communications, Vol. 31, No. 12, pp. 2803-2814, 2008.
    [6] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho and X. Shen, “Security in Vehicular Ad Hoc Networks,” IEEE Communications Magazine, Vol. 46, No. 4, pp. 88-95, 2008.
    [7] X. Lin, X. Sun, P. H. Ho and X. Shen, “GSIS: a secure and privacy-preserving protocol for vehicular communication,” IEEE Transactions on Vehicular Technology, Vol. 56, No. 6, pp. 3442-3456, 2007.
    [8] M. Raya and J. P. Hubaux, “Securing vehicular ad hoc networks,” Journal of Computer Security – Special Issue on Security of Ad-hoc and Sensor Network, Vol. 15, No. 1, pp. 39-68, 2007.
    [9] L. Y. Yeh, Y. C. Chen and J. L. Huang, “PAACP: A portable privacy-preserving authentication and access control protocol in vehicular ad hoc networks,” Computer Communications, Vol. 34, No. 3, pp. 447-456, 2011.
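
The RSU-side check from Section 3, as an added illustration that is not code from the paper or from PAACP: it contrasts the offline inclusion check on the SRL with the conventional comparison against the SP's selling contract. The SRL layout (service index, privilege bit string), all function names and service 2 are assumptions made for this sketch; only the three travel-guide privileges of service 6 come from the paper's example, and signature verification is assumed to have already succeeded.

```python
# Added illustration; layout and names are assumptions, not PAACP's own encoding.
# Service 6 (travel guide, three privileges) follows the page's example;
# service 2 is constructed sample data.
CATALOGUE = {
    2: ("stream_audio", "download_audio"),
    6: ("view_maps", "download_coupons", "watch_videos"),
}


def encode_srl(grants):
    """Encode {service index: set of privilege names} as (index, bit string) pairs."""
    srl = []
    for sid in sorted(grants):
        names = CATALOGUE[sid]
        unknown = set(grants[sid]) - set(names)
        if unknown:
            raise ValueError(f"service {sid} has no privilege {sorted(unknown)}")
        srl.append((sid, "".join("1" if n in grants[sid] else "0" for n in names)))
    return tuple(srl)


def decode_srl(srl):
    """Decode an SRL, rejecting unknown services and malformed bit strings."""
    rights = {}
    for sid, bits in srl:
        names = CATALOGUE.get(sid)
        if names is None or len(bits) != len(names) or set(bits) - {"0", "1"}:
            raise ValueError(f"malformed SRL entry {(sid, bits)!r}")
        rights[sid] = {n for n, b in zip(names, bits) if b == "1"}
    return rights


def rsu_accepts(srl, sid, privilege):
    """Offline RSU-style check: is the requested right present in the SRL?

    Assumes the credential signature already verified; nothing here knows
    what the vehicle actually purchased.
    """
    return privilege in decode_srl(srl).get(sid, set())


def excess_privileges(srl, contract):
    """Conventional SP-side check: rights in the SRL that the contract lacks."""
    extra = {}
    for sid, granted in decode_srl(srl).items():
        surplus = granted - contract.get(sid, set())
        if surplus:
            extra[sid] = surplus
    return extra


# Constructed sample: the contract covers viewing maps only.
CONTRACT = {6: {"view_maps"}}
PURCHASED_SRL = encode_srl(CONTRACT)   # ((6, "100"),)
ELEVATED_SRL = ((6, "111"),)           # all three privilege bits set
```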