Formal Analysis of V2X Revocation Protocols

Research on vehicular networking (V2X) security has produced a range of securitymechanisms and protocols tailored for this domain, addressing both security and privacy. Typically, the security analysis of these proposals has largely been informal. However, formal analysis can be used to expose flaws and ultimately provide a higher level of assurance in the protocols. This paper focusses on the formal analysis of a particular element of security mechanisms for V2X found in many proposals, that is the revocation of malicious or misbehaving vehicles from the V2X system by invalidating their credentials. This revocation needs to be performed in an unlinkable way for vehicle privacy even in the context of vehicles regularly changing their pseudonyms. The Rewire scheme by Forster et al. and its subschemes Plain and R-token aim to solve this challenge by means of cryptographic solutions and trusted hardware. Formal analysis using the Tamarin prover identifies two flaws: one previously reported in the lierature concerned with functional correctness of the protocol, and one previously unknown flaw concerning an authentication property of the R-token scheme. In response to these flaws we propose Obscure Token (O-token), an extension of Rewire to enable revocation in a privacy preserving manner. Our approach addresses the functional and authentication properties by introducing an additional key-pair, which offers a stronger and verifiable guarantee of successful revocation of vehicles without resolving the long-term identity. Moreover O-token is the first V2X revocation protocol to be co-designed with a formal model.

[1]  Panagiotis Papadimitratos,et al.  Secure vehicular communication systems: design and architecture , 2008, IEEE Communications Magazine.

[2]  Michael Weber,et al.  V-Tokens for Conditional Pseudonymity in VANETs , 2010, 2010 IEEE Wireless Communication and Networking Conference.

[3]  Michael Backes,et al.  A Novel Approach for Reasoning about Liveness in Cryptographic Protocols and Its Application to Fair Exchange , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[4]  Anis Laouiti,et al.  Vehicle Ad Hoc networks: applications and related technical issues , 2008, IEEE Communications Surveys & Tutorials.

[5]  Cas J. F. Cremers,et al.  Operational Semantics and Verification of Security Protocols , 2012, Information Security and Cryptography.

[6]  Kpatcha M. Bayarou,et al.  Copra: Conditional pseudonym resolution algorithm in VANETs , 2013, 2013 10th Annual Conference on Wireless On-demand Network Systems and Services (WONS).

[7]  Frank Kargl,et al.  Pseudonym Schemes in Vehicular Networks: A Survey , 2015, IEEE Communications Surveys & Tutorials.

[8]  Michael Weber,et al.  Pseudonym-On-Demand: A New Pseudonym Refill Strategy for Vehicular Communications , 2008, 2008 IEEE 68th Vehicular Technology Conference.

[9]  Stéphanie Delaune,et al.  A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols , 2017, J. Log. Algebraic Methods Program..

[10]  Ben Smyth,et al.  ProVerif 1.85: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial , 2011 .

[11]  Graham Steel,et al.  Formal Analysis of Privacy for Vehicular Mix-Zones , 2010, ESORICS.

[12]  Gavin Lowe,et al.  A hierarchy of authentication specifications , 1997, Proceedings 10th Computer Security Foundations Workshop.

[13]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[14]  Panagiotis Papadimitratos,et al.  Eviction of Misbehaving and Faulty Nodes in Vehicular Networks , 2007, IEEE Journal on Selected Areas in Communications.

[15]  Frank Kargl,et al.  Formal Verification of Privacy Properties in Electric Vehicle Charging , 2015, ESSoS.

[16]  Prathima Agrawal,et al.  Analysis of Certificate Revocation List Distribution Protocols for Vehicular Networks , 2010, 2010 IEEE Global Telecommunications Conference GLOBECOM 2010.

[17]  Yih-Chun Hu,et al.  Efficient Certificate Revocation List Organization and Distribution , 2011, IEEE Journal on Selected Areas in Communications.

[18]  Cas J. F. Cremers,et al.  Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[19]  Jan Zibuschka,et al.  REWIRE - Revocation Without Resolution: A Privacy-Friendly Revocation Mechanism for Vehicular Ad-Hoc Networks , 2015, TRUST.

[20]  Rohit Chadha,et al.  Automated Verification of Equivalence Properties of Cryptographic Protocols , 2012, ACM Trans. Comput. Log..

[21]  Panagiotis Papadimitratos,et al.  Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems , 2020, IEEE Transactions on Mobile Computing.

[22]  Theodore L. Willke,et al.  A survey of inter-vehicle communication protocols and their applications , 2009, IEEE Communications Surveys & Tutorials.

[23]  Tim Leinmüller,et al.  Survey on Misbehavior Detection in Cooperative Intelligent Transportation Systems , 2016, IEEE Communications Surveys & Tutorials.

[24]  Frank Kargl,et al.  PUCA: A pseudonym scheme with strong privacy guarantees for vehicular ad-hoc networks , 2016, Ad Hoc Networks.

[25]  J.-P. Hubaux,et al.  Architecture for Secure and Private Vehicular Communications , 2007, 2007 7th International Conference on ITS Telecommunications.

[26]  Zhendong Ma,et al.  Privacy Requirements in Vehicular Communication Systems , 2009, 2009 International Conference on Computational Science and Engineering.

[27]  David A. Basin,et al.  The TAMARIN Prover for the Symbolic Analysis of Security Protocols , 2013, CAV.

[28]  David A. Basin,et al.  Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[29]  C. Eckert,et al.  Secure Revocable Anonymous Authenticated Inter-Vehicle Communication ( SRAAC ) , 2006 .

[30]  E. Nowatkowski Michael,et al.  Scalable certificate revocation list distribution in vehicular ad hoc networks , 2010, 2010 IEEE Globecom Workshops.

[31]  Ralf Sasse,et al.  Automated Symbolic Proofs of Observational Equivalence , 2015, CCS.

[32]  Frank Kargl,et al.  Formal model of certificate omission schemes in VANET , 2014, 2014 IEEE Vehicular Networking Conference (VNC).

[33]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[34]  R. Gmbh,et al.  Securing Vehicular On-Board IT Systems : The EVITA Project , 2009 .