Mix zones for location privacy in vehicular networks
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

Mix-Zones for Location Privacy in Vehicular Networks PowerPoint PPT Presentation


  • 95 Views
  • Uploaded on
  • Presentation posted in: General

Mix-Zones for Location Privacy in Vehicular Networks. Julien Freudiger Maxim Raya, Márk Félegyházi , Panos Papadimitratos, and Jean-Pierre Hubaux August 14, 2007 WiN-ITS, Vancouver, BC, Canada. Motivation. Safety messages Position (p) Speed (s) Acceleration (a). Authenticated

Download Presentation

Mix-Zones for Location Privacy in Vehicular Networks

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Mix zones for location privacy in vehicular networks

Mix-Zones for Location Privacy in Vehicular Networks

Julien Freudiger

Maxim Raya, Márk Félegyházi, Panos Papadimitratos, and Jean-Pierre Hubaux

August 14, 2007

WiN-ITS, Vancouver, BC, Canada


Motivation

Motivation

Safety messages

  • Position (p)

  • Speed (s)

  • Acceleration (a)

Authenticated

  • Digital Signature

  • Certificate


Mix zones for location privacy in vehicular networks

No

location

privacy


Outline

Outline

  • System and Threat Model

  • Mix-Zones

  • Vehicular Mix-Networks

  • Simulation Results


Vehicular networks

Vehicular Networks

  • Safety Messages

    • (p,s,a)

    • Timestamp

    • Authenticated

  • Certification Authority (CA)

    • CA distributes public/private key pairs (Ki,j,Ki,j-1) with j=1,…,F to each vehicle i

    • F is the size of the set of key pairs

    • Public keys certificates are referred to as pseudonyms

      => Vehicles are preloaded with a large set of pseudonyms and key pairs

  • Vehicles have tamper proof devices that guarantee the

    • Correct execution of cryptographic operations

    • Non-disclosure of private keying material


Adversary

Adversary

We assume an external, global, and passive adversary

  • Installs its own radio receivers

  • Collects GPS coordinates and pseudonyms of safety messages

  • Links pseudonym changes using GPS coordinates

  • WiFi operator (e.g., Google, EarthLink)

  • WiFicommunity network (e.g.,FON)

[http://www.earthlink.net/wifi/cities/]


Mix zone definition 1

Mix-Zone Definition (1)

A mix-zone is a restricted region where users cannot be located

Entering eventk = (n,) i.e., from road n at time 

Exiting eventl = (e,’)i.e., from road e at time ’

  • Adversary has statistical information about mix-zones

    • pn,e = Prob(“Vehicle enters from road n and exits from road e”)

    • qn,e(t) = Prob(“Time spent between road n and e is t”)

  • Statistical information depends on

    • The geometry of the mix-zone

    • The location of the mix-zone in the network topology


Mix zone definition 2

Mix-Zone Definition (2)

  • Mix-zones obscure the relation of incoming and outgoing vehicles

    • Unlinkability

  • An adversary estimates the mapping of entering and exiting events

    • With two vehicles

  • The probability of a mapping depends on the geometry of the mix-zone


Mix zone effectiveness

Mix-Zone Effectiveness

Entropy measures uncertainty of mapping

  • N models the mix-zone density

  • (pn,e, qn,e(t)) models the unpredictability of vehicles’ whereabouts

where N= # of mobiles in the mix-zone


Where to create mix zones

Where to create Mix-Zones?

Best mix-zone

  • High N

  • High vehicle whereabouts unpredictability (pn,e, qn,e(t))

    Road intersections


Mix zones for location privacy in vehicular networks

High

Uncertainty


How to create a mix zone

How to create a mix-zone?

  • Cryptographic Mix-zone (CMIX)

    • Encrypt Safety Messages (with a symmetric key SK)

    • Computational security


Cmix protocol 1 key establishment

CMIX Protocol(1) Key Establishment

Rely on presence of RSU at road intersection to establish a symmetric key

Request, Ts, Signi(Request,Ts), Certi,k

EKi,j(vi, SK, Ts, SignRSU(vi, SK, Ts)), CertRSU

Ack, Ts, Signi(Ack,Ts), Certi,k

SK = Symmetric Key

Ts = Time stamp

Signi = Signature of i

Certi,k = Certificate of i


Cmix protocol 2 key forwarding

CMIX Protocol(2) Key Forwarding

  • V2 unable to obtain key directly from RSU, thus to decrypt messages from V1

  • RSU leverages on vehicles already in the mix-zone to forward symmetric key

  • V2 broadcasts key requests until any vehicle in the mix-zone replies

  • Vehicles do not encrypt their messages before entering the mix-zone

EK2,j(v2, v1, SK,Ts, SignRSU(v1, SK, Ts))


Cmix protocol 3 key update

CMIX Protocol(3) Key Update

  • RSU initiates key update to

    • renew keys

    • revoke keys

  • Update is triggered when

    • Mix-zone is empty

  • CA is informed of new SK for liability issues

  • Asynchronous key updates across mix-zones improve system security


Vehicular mix network

Vehicular Mix-Network

Mix-network cumulative entropy for vehicle v

where L= Length of the path in

the mix-network


Simulation setup

Simulation Setup

  • 10X10 Manhattan network with 4 roads/intersection

  • N ~ Poisson() vehicles per intersection at network initialization

  • Vehicle inter arrival time  ~ Uniform[0,T] models

    • High traffic congestion

    • Low traffic congestion

  • Intersection characteristics

    • qn,e(t) ~ N(n,e, n,e) for each intersection

    • pn,e randomly chosen for each intersection


Vehicular mix zone

Vehicular Mix-Zone

  • Both network density and congestion affect the achievable location privacy

  • Confidence intervals are small because there is low variability within one mix-zone


Vehicular mix network1

Vehicular Mix-Network

  • Larger confidence interval due to varying number of vehicles and varying set of traversed mix-zones

  • Tracking probability is quickly insignificant

Mix-zones effectiveness is high


Conclusions

Conclusions

  • Mix-zone effectiveness depends on

    • Intersection’s congestion

    • Vehicle’s density

    • Vehicles’ whereabouts unpredictability

  • Vehicular mix-network effectiveness

    • Has large variance

    • But is overall high

  • Need more simulations

    • With realistic traffic traces

  • Efficiency of vehicular mix-network is independent of CMIX protocol

    • Alternative CMIX protocols could exploit location


References

References

  • L. Buttyán, T. Holczer, and I. Vajda. On the Effectiveness of Changing Pseudonyms to Provide Location Privacy in VANETs. ESAS 2007

  • A. R. Beresford. Mix-zones: User privacy in location-aware services. PerSec 2004

  • L. Huang, K. Matsuura, H. Yamane, and K. Sezaki. Silent cascade: Enhancing location privacy without communication QoS degradation. SPC 2005

  • M. Li, K. Sampigethaya, L. Huang, and R. Poovendran. Swing & Swap: User-centric Approaches Towards Maximizing Location Privacy. WPES 2006

  • M. Raya, P. Papadimitratos, and J.-P. Hubaux. Securing Vehicular Communications. IEEE Wireless Communications magazine, 2006


Cmix protocol analysis

CMIX Protocol Analysis

  • Transmission Complexity

    • Key requests scale with network condition

    • Avoid key reply flooding by backoff mechanism and key acknowledgement

  • Computational Complexity

    • The number of exponentiations is manageable

    • Load is shared among vehicles in the CMIX

  • Security

    • Impersonation/Instantiation attacks are unfeasible

    • Denial of service attacks are hard

    • Cost to become internal adversary is high


  • Login