Dynamic Attribute Based Vehicle Authentication

Dynamic Attribute Based Vehicle Authentication (Extended Abstract) Shlomi Dolev∗ , Łukasz Krzywiecki† , Nisha Panwar∗ , Michael segal‡ ∗ Department of Computer Science Ben-Gurion University of the Negev, Israel. {dolev,panwar}@cs.bgu.ac.il † Institute of Mathematics and Computer Science Wroclaw University of Technology, Poland. [email protected] ‡ Department of Communication Systems Engineering Ben-Gurion University of the Negev, Israel. [email protected] we couple non-certified dynamic attribute (e.g., location and direction) of any vehicle along with the certified coupled list of static attributes and the public key of a vehicle. Vehicles must verify this coupling between the static and dynamic attributes, before the communication begins. We suggest to use technology assistance, such as laser technology to verify the dynamic attributes in a way that can be verified accurately. Since dynamic attributes cannot be certified beforehand, we propose to utilize a directional laser beam to bind the dynamic attributes with the certified coupled static attributes and the public key. We illustrate a scenario with multiple maliciously identical vehicles, whereas a communicating vehicle is not able to distinguish the authentic vehicle through the certified static attributes only. Every vehicle needs to generate and dispatch the messages from its own laser interface. Therefore, the sender is accountable for any fake messages sent and received by its own interface. Moreover, the corresponding receiver can also claim at the sender and then the sender is held responsible and can be penalized for sending fake messages. According to our previous work [33], vehicle public key is certified by a Certificate Authority (CA) along with the vehicle static attributes. A certificate recipient must first verify the digital signature over the certificate contents. Second, the coupling between the certified public key and the static attributes must also be verified, in order to authenticate the certificate sender. However, it remains to be shown that static attribute verification might not be enough to avoid an impersonation attack for multiple maliciously identical vehicle scenario. Abstract—In the near future, vehicles will establish a spontaneous connection over a wireless radio channel, coordinating actions and information. Security infrastructure is most important in such a hazardous scope of vehicles communication for coordinating actions and avoiding accidents on the roads. One of the first security issues that need to be established is authentication. Vehicle authentication with visual binding prior to establishing a wireless radio channel of communication is useful only when the vehicles possess unique visual attributes. These vehicle static attributes (e.g., licence number, brand and color) are certified together with the vehicle public key. Therefore, we consider the case of multiple malicious vehicles with identical visual static attributes. Apparently, dynamic attributes (e.g., location and direction) can uniquely define a vehicle and can be utilized to resolve the true identity of vehicles. However, unlike static attributes, dynamic attributes cannot be signed by a trusted authority beforehand. We propose an approach to verify the coupling between non-certified dynamic attributes and certified static attributes on an auxiliary communication channel, for example, a modulated laser beam. Furthermore, we illustrate that the proposed approach can be used to facilitate the usage of existing authentication protocols such as NAXOS, in the new scope of ad-hoc vehicle networks. Keywords—Certificate authority, security, vehicular networks. I. I NTRODUCTION Communication security in the scope of vehicle networks [7], [8], [26] introduces new sensitive challenges. A voluntary association among vehicles require a robust authentication mechanism. For example, an instant warning message from a vehicle in front requires an instant authentication before the receiving vehicle reacts according to that warning message. It might worsen into a life threatening situation if the adversary is able to fake these warning messages. The goal of this paper is to provide a secure communication over the wireless radio channel through a secure peer-to-peer visual binding over an auxiliary communication channel. The auxiliary communication channel is utilized to create a visual binding and to establish a secure session over the radio channel with the same peer vehicle visualized over the auxiliary channel. However, the constantly moving vehicles may not be identified solely on the basis of visual attributes. Therefore, Problem statement. We consider a scenario in which vehicles are allowed to communicate over the IEEE 802.11p wireless radio channel. However, the inherently vulnerability of radio communication might impose severe impersonation attacks leading to a strategic crash. The intended peer vehicle must be verified through some additional means of communication in order to ensure a secure session without any third party interference. Therefore, it is crucial for these vehicles to identify and locate the physical presence of peer vehicle in communication, specifically, in a group of multiple maliciously identical vehicles. The certified coupled static attribute verification might not be enough for this multiple identical vehicle scenario. Therefore, non-certified dynamic Accepted in 13th IEEE NCA 2014. 1 Which one is original (v2 , l2 )? (3) Which one is original (v2 , l2 )? (v6 , l2 ) (v6 , l2 ) (v5 , l2 ) (v5 , l2 ) (1) Certif icate2 [(Attributes2 + P ublic key2 )||SignatureCA ] (v1 , l1 ) (v2 , l2 ) (v4 , l2 ) (v1 , l1 ) (v2 , l2 ) (2) Certif icate1 [(Attributes1 + P ublic key1 )||SignatureCA ] (v4 , l4 ) (v3 , l3 ) (v3 , l2 ) Step 1: v2 sends certificate, Cert2 , to v1 . Step 2: v1 verifies the certificate, Cert2 , and responds with the certificate, Cert1 , to v1 . Multiple maliciously identical vehicles appear after the wireless radio session is secured between v1 and v2 . Step 3: v1 cannot distinguish authentic v2 , surrounded by multiple maliciously identical vehicles (on left side). Similarly, v1 cannot distinguish original v2 with the authentic and certified static attributes, while group of maliciously identical vehicles appear before the wireless radio session is secured between v1 and v2 (on right side). Fig. 1: Multiple maliciously identical vehicles. device can receive and confirm this commitment data with the available public key. Unfortunately the attacker can still capture and/or fabricate the visible commitment data, as it is not coupled with the public key. In [16], the authors presented a scheme with commitment verification on a laser channel while using Diffie-Hellman [6] key exchange on a wireless radio channel beforehand. The drawback with this approach is that the initial key exchange phase on a wireless radio channel is still vulnerable to attack due to the inherently insecure radio communication. The survey in [18] presents a classification of one-way, two-way and group authentication protocols based on the commitment before knowledge principle. The authors in [5] present an experimental study on visual means of authentication. However, there are no instances of using the laser channel as a means of authentication in vehicular networks. attributes must be coupled with the certified static attributes for any vehicle. First, there must be a binding between the certified static attributes and the non-certified dynamic attributes of the vehicle. Second, there must be a binding between two communication channels, i.e., a directed laser beam to convey the certified attributes and a secure wireless radio channel to convey the session messages. Previous work. In this section, we illustrate the related work, concerning spontaneous wireless vehicle network security threats [10] such as message tempering [36], impersonation [37] and denial of service attack (DoS) [35]. It is important to mention that vehicles utilize wireless communication standard, i.e., IEEE 802.11p Wireless Access in Vehicular Environment (WAVE) based IEEE 1609 Dedicated Short Range Communication (DSRC) [1].Raya and Haubaux [19], [22], [23] proposed a Public Key Infrastructure (PKI) based vehicle security scheme. The drawback with this approach is that an active adversary may launch an impersonation attack and replace the public key certificate, moreover, roadside infrastructure is required to provide the most updated Certificate Revocation List. Our scheme removes the active participation of roadside units as well as the regional authorities. The state-of-the-art for the wireless and out-of-band channel association can be found in [12]. It is important to mention that the vehicles tracking through the laser beam pointing and scanning is feasible in practice [31], [32], [34] and can be installed and used by a moving vehicle. Laser communication in vehicular networks has been primarily used for distance and velocity estimation [21], [30]. In [2], [24], laser pointers are used for spontaneous ping among the hand held devices. The work in [20] presents a laser modulation technique to transmit the device network address. An adversary can also aim the laser beam with a fake network address and the recipient might not be able to distinguish the authentic laser beam. In [9], the authors suggest the transmission of the shared secret key through the laser modulation. It has the same drawback as with the previous approach [20] that is an adversary equipped with a high resolution camera might capture the laser beam modulation to recover the secret session key. Another work, in [17], presents a visual out-of-band channel. A device can display a two dimensional barcode that encodes the commitment data, hence, a camera equipped Our contribution. • We extend the authentication mechanism within the scope of non-certified dynamic attributes of any vehicle. The proposed approach provides a secure binding between two communication channels, i.e., auxiliary and radio communication channel for the authentication and warning message exchange, respectively. • We emphasize that the laser out-of-band communication channel is useful to convey the certified coupled static attributes. It retains the binding between the dynamic and sense-able static attributes of the target vehicle. Vehicles are configured with directed communication capabilities, such as laser or directed antenna, used to change and verify periodically processed and digitally signed certificates. The proposed approach is efficient as it completes the certified public key exchange followed by the mutual authentication through visual binding, in two explicit steps (see Fig. 6). Previously existing authentication protocols can be accompanied with the proposed approach without breaching the security claims in the existing security models (e.g. NAXOS adaptation). Furthermore, the proposed authentication protocol is beneficial for channel contention among the communicating vehicles as it completes in two rounds. Consider an overcrowded road at peak traffic hours during 2 (2) Respond: visual or acoustic signal (2) Respond: visual or acoustic signal (v2 , l2 ) (1) Warn: emergency stop on right side (v2 , l2 ) (4) Blind spot: v4 hides v2′ s response (1) Warn: emergency stop on right side (v4 , l4 ) (v1 , l1 ) (v1 , l1 ) (v3 , l3 ) (v3 , l3 ) (5) Strategic crash (3) Imitate: v2′ s visual or acoustic response (3) Imitate: v2′ s visual or acoustic response Step 1: v1 warns an emergency stop to v2 . Step 2: v2 responds with visual or acoustic signal so that v1 can distinguish it from identical vehicle v3 . Step 3: v3 imitates every visual or acoustic signal of v2 , to impersonate as v2 in front of v1 . Step 4: v4 creates a blind spot and hides the response from v2 . v1 receives v3 ’s imitated response, and assumes it to be v2 . Step 5: a strategic crash takes place between v1 and v3 . Fig. 2: Strategic crash by maliciously identical vehicles. on the right side of Fig. 1. Apparently, sender vehicle v1 visualizes multiple similar vehicles, i.e., v2 , v4 , v5 on the channel and is forced to select a communicating partner, arbitrarily. However, in this case, sender v2 is able to verify the certified attributes only after sending his own certified attributes and receiving the certified attributes of the specific authentic receiver v2 in return. which each vehicle contends for the channel acquisition. The fewer rounds of certificate exchange significantly reduces the authentication overhead for the usage of shared communication band. We prove the security of our scheme using BAN Logic [3], [27] the proof is omitted from this extended abstract due to space restriction. Outline. Section II describes a crash scenario and we provide a solution to avoid such a scenario through secure visual binding with respect to auxiliary as well as radio communication channel. A detailed description of the proposed approach is given in Section III. Section IV explains the secure binding between the proposed approach and the existing authentication protocol, i.e., NAXOS. Next, a security discussion about the proposed approach is given in Section V. Section VI overviews a coalition attack scenario and the direction for solution in near future. Furthermore, Section VII concludes the discussion on the security of the proposed approach. II. Attack through visual misbinding. In Fig. 2, v1 establishes a session key with v2 as only the certified public key of v2 is coupled with (the sense-able) license number l2 . Apparently, v3 identifies the existence of communication activity between v1 and v2 , and subsequently, tries to mimic all out-of-band sense-able behavior of v2 , so that v1 will not be able to distinguish which one of v2 and v3 is v2 . For example, if v1 requests v2 to blink using the secured wireless communication, v3 will not be able to decrypt this blink request to v2 . However, v3 can observe these responses of v2 and act in the same way by blinking too. It is also important to mention that v2 cannot identify its own location, in a way that makes it distinguishable from v3 . At this point, v1 knows that it communicates with the original v2 , but cannot distinguish v2 from v3 . In addition, consider that v2 and v3 are, respectively, on left and right side of the leading vehicle v1 , and v3 ’s goal is to crash into v1 . If at some point v1 will perform an emergency stop, then v1 can notify v2 on this fact and if lucky stops in the left side of the road in front of v2 . However, v1 may believe that v3 is the vehicle it communicate with, v1 may stop on the right side of the road, allowing v3 to crash into it. The other way, an adversary might also launch the attack before any session establishment. In that case, multiple maliciously identical vehicles (similar as v2 ) appear immediately before the session setup between v1 and v2 . Consequently, v1 cannot distinguish between a group of maliciously identical vehicles and the original vehicle v2 . ATTACK S CENARIOS ON S TATIC ATTRIBUTE BASED S CHEME The static attribute verification seems imperfect in a scenario where the adversary encompasses multiple identical vehicles that indeed impersonate a target vehicle, see Fig. 1 and Fig. 2. Vehicles are moving from left to right in all the figures. Maliciously identical vehicles. A vehicle v1 can no longer perceive the difference between the communicating partner vehicle v2 and a group of maliciously identical vehicles around. Multiple identical vehicles appear immediately after a vehicle v1 has established a secret session with v2 , see Fig. 1. Although, v1 and v2 are in a secret session, still v1 cannot identify and locate v2 among the group of malicious vehicles that carry exactly similar static attributes as v2 does. A vehicle receives an authentic and certified list of static attributes with the corresponding public key, in order to establish a secret session ensuring information confidentiality. However, a vehicle in an open session with one of the similar looking vehicles, is unable to observe any physical difference. Therefore, the victim vehicle appears to be a member of these malicious vehicles or the other way around that is every identical vehicle seems to be authentic. A similar scenario arises where a group of multiple identical vehicles appear immediately before a secret radio session is to be established, III. DYNAMIC AND S TATIC ATTRIBUTES BASED S CHEME We aim to verify dynamic attributes along with the certified static attributes and the public key. The dynamic attribute verification is accomplished through an auxiliary laser communication channel. It is important to mention that a customized certificate structure (see Fig. 3) is used that conveys the certified coupled public key and static attributes, i.e., Cert 3 discrete logarithm function DL on public values (g, g α , g β ) is hard [15] within the cyclic group G. Proposed approach. In Fig. 4, a generalized form of the proposed authentication protocol has been shown. Each round includes the transmission of a customized certificate along with the authentication message. Accordingly, in the first round, sender vehicle selects a vehicle for communication and points the laser beam. Sender forwards its own certificate CertS over the laser channel. At this point the customized certificate structure is accompanied with an authentication message. The authentication message from sender, i.e., m1 is received and processed as per the associated security model. Receiver verifies the binding between certificate CertS and the message m1 followed by the binding between certified static attributes and the physical location of the vehicle. Now, the message m1 is recovered and used to compute the session key at receiver. Similarly, receiver forwards its own certificate CertR accompanied with the authentication message m2 over laser channel. Sender verifies the attribute binding with the public key and processes the message m2 as per the associated security model. Readers may refer to a detailed description about the proposed scheme in the Section IV. We utilize laser out-of-band communication channel for both the certified and non-certified attribute verification concurrently. Vehicle vS starts the communication on a modulated laser communication channel by aiming and pointing the laser beam on target recipient vR . Once the master session key is computed, both vehicles switch on to wireless radio communication and use symmetric encryption over the wireless radio channel. The receiver must create a binding between the certified attributes received on the laser communication channel and the dynamic attributes recovered from the laser beam, for example, the location attributes. All notations used for the proposed approach are given in Table I. World Manufacturer Identifier (geographic area, country, plant code) Vehicle Descriptor Section (model year, brand logo, body style, original color and texture, color repairs, roof racks, foot step, mud flap, front and rear guard) Vehicle Indicator Section (engine number, engine type, license number, chassis number) GPS Device Identification Wireless Device Fingerprint Procedures to Execute for Verifying the Attributes Certificate Sequence Number Certificate Expiration Date Public Key Digital Signature Fig. 3: Certificate structure Fig. 4: The proposed approach. = Attribute+P K||SignCA (Attribute+P K). Subsequently, third round of message exchange over the wireless radio channel is considered implicit. We next list our assumptions. Assumptions and mathematical background. • Vehicles communicate in the presence of Public Key Infrastructure that provides periodic certification service. • Only CA can certify the static attributes and public key using a secret key, however, vehicles verify those certificate using the corresponding public key of CA. • Vehicles are equipped with a high precision camera, optical autocollimator, laser beam source and laser beam scanner. • Laser beam pointed at the target vehicle cannot be interrupted by the attacker without prohibiting the beam to arrive at the target vehicle. • Vehicles are assumed to be active on a wireless radio channel in order to exchange safety critical warning messages. However, auxiliary communication through a laser beam is utilized for a point-to-point targeted communication where sender vehicle selects and points laser beam at target vehicle. Therefore, sender vehicle utilizes a laser channel in order to create a secure binding between the laser and radio communication channel with respect to a particular target vehicle. As the presented key agreement protocol and the associated authentication protocols are based on Diffie-Hellman (DH) key exchange, so we assume that corresponding computations are done within a group G = hgi of prime order q, where Computational Diffie-Hellman (CDH) assumption holds. (v3 , l3 ) 3) Send me ”Esession key (Hello)” 4) ”Erandom key (Hello)” (v2 , l2 ) 6) ”Esession key (Hello)” (v1 , l1 ) 5) Send me ”Esession key (Hello)” 2) ”Erandom key (Hello)” 1) Send me ”Esession key (Hello)” (v4 , l4 ) Step 1: v1 requests for session key encrypted message, Esession key (Hello), to v4 . Step 2: v4 with a random key encrypted message, Erandom key (Hello), to v1 . v1 declines v4 authentication. Step 3: v1 requests for session key encrypted message, Esession key (Hello), to v3 . Step 4: v3 responds with a random key encrypted message, Erandom key (Hello), to v1 . v1 declines v3 authentication. Step 5: v1 requests for session key encrypted message, Esession key (Hello), to v2 . Step 6: v2 responds with a session key encrypted message, Esession key (Hello), to v1 . v1 validates the v2 ’s re-authenticates, after verifying the current session key. Fig. 5: Re-authentication. In our scheme vS can identify vR among the group of maliciously identical vehicles (similar as v2 ), see Fig. 5. Vehicle vS might visualize multiple identical vehicles, but is already in a secret session with vR . Therefore, to accomplish the re-authentication, vS starts pointing laser beam at each of these identical vehicles, because only one of these Definition 1 (CDH assumption). Let hgi be a cyclic group generated by element g of order q. There is no efficient probabilistic algorithm ACDH that given (g, g α , g β ) produces g αβ , where α, β are chosen at random from G. The CDH assumption satisfies that the computation of a 4 Table I: Notations. S Sender R Receiver CertS Certificate of sender CertR Certificate of receiver P KCA Public key of CA SKCA Secret key of CA P KS Public key of S P KR Public key of R SKS Secret key of S SKR Secret key of R eSKS Ephemeral secret key of S eSKR Ephemeral secret key of R AttributeS Static attributes of S AttributeR Static attributes of R SNS Sequence number of S SNR Sequence number of R H Hash function for certificate verification K Session key with NAXOS adaptation X g H1 (eSKS ,SKS ) from S Y g H1 (eSKR ,SKR ) from R H1 Hashing function for X and Y H2 Hashing function for session key K EP K Encryption with the public key DP K Decryption with the public key ESK Encryption with the secret key DSK Decryption with the secret key v Vehicle l License number ◦ the ephemeral secret key of both parties, still cannot derive the session key. ◦ the long term secret key of one party and the ephemeral secret key of another party, still cannot derive the session key. ◦ the long term secret key of both parties, still cannot derive the session key. NAXOS protocol assumes that the public key has been exchanged in secure settings and requires additional two rounds to establish a secret session key among the parties. Apparently, this is not the case in our protocol, here it requires overall two explicit rounds of certificate exchange and session key establishment, without any previous identity or public key exchange. Our generalized solution merges the multiple rounds into two, see Fig. 6. However, the proposed protocol benefits from the existing secure authentication protocols, in addition, provides a certified visual binding and does not interfere with the security claims of associated authentication protocol. identical vehicles must respond through a correct session key encryption. It points a laser beam on a suspect vehicle and requests for a session key encrypted response. Now, if the suspect vehicle is the original vehicle vR that was already in an open secret session before the group of malicious vehicle appeared, than it must respond to vS with a correct session key encryption. Apparently, vS can locate the vehicle on which it aims and points the laser beam. Therefore, after vS receives the correct session key encrypted response from vR , it stops the re-authentication for the remaining identical vehicles, and follows the trajectory of vR for the rest of the session. IV. B INDING WITH THE E XISTING P ROTOCOL Our approach provides a straight binding between the vehicle location, certified static attributes and the public key. It is important to mention that our protocol can be combined with the well known existing authentication protocols, e.g., SIGMA [11], NAXOS [13], NAXOS+ [14], CMQV [29], SMQV [25] already proven to be secure in existing models such as CK [4], eCK [13] and seCK [25]. In that case message m1 and m2 can be computed with any one of these authentication protocols at sender and receiver, independently. Our paper illustrates the secure binding between the optical and wireless communication channel rather the security of existing authentication protocols, i.e., SIGMA, NAXOS and NAXOS+. Therefore, the interested readers may refer to the proven security features of these authentication protocols in the extended security models. Furthermore, without the loss of generality we combine the proposed approach with the NAXOS, in order to illustrate the vehicle authentication. NAXOS assumes that sender and receiver have already exchanged the public key/certificate and requires additional two rounds for the ephemeral key exchange and session key establishment. NAXOS is resistant to the following attacks, where adversary recovers: • Key-Compromise Impersonation ◦ the long-term secret key of S, still cannot impersonate others to S. ◦ the ephemeral secret key of S, still cannot impersonate others to S. • Session Key Retrieval V. S ECURITY D ISCUSSION In this section, we discuss the protocol security against the passive and active adversary. Passive adversary. The proposed approach is secure against the passive eavesdropping over the channel. The sender and receiver establish a laser communication channel, which is characterized by a directed point-to-point connection. Due to the physical constraints of this auxiliary authentication channel, passive listening is not possible. Passive eavesdropping on the laser channel will prohibit the data transmission between the sender and receiver, as it necessitates a line-of-sight for the beam pointing. Any kind of obstruction between the vehicles will absorb the light beam. Hence, no passive adversary can overhear the messages on a laser beam without stopping the beam to reach the intended recipient. Active adversary. An active impersonation, see Fig. 7, allows the adversary to intercept, remove, skip, delay, manipulate or insert fake messages, in a man-in-the-middle manner. Here, we assume that the adversary is equipped with the double laser interfaces (e.g. in front, and at the back of the car). Therefore, it can receive the messages from the 5 1) 2) 3) 4) Sender aims and points the laser beam at the selected vehicle, in order to convey the certified coupled public key and the static attributes. Sender computes the ephemeral secret key eSKS and then the secret hashed exponent H1 (eSKS , SKS ). Sender S sends the signed certificate with message X, i.e., CertS ||X. Where X is g H1 (eSKS ,SKS ) . Receiver R: a) Verifies the digital signature using the CA public key P KCA . b) Verifies the binding between the visual static attributes AttributeS and the location using out-of-band channels, i.e., thermal image camera and laser based autocollimator, respectively. c) Computes the ephemeral secret key eSKR and the exponent H1 (eSKR , SKR ). In addition, computes the secret session key K, i.e., H (eSKR ,SKR ) H2 (P KS 1 , X SKR , X H1 (eSKR ,SKR ) , S, R). d) Responds with the signed certificate CertR ||EP KS (ESKR (Y + SNS )). Consider Y as g H1 (eSKR ,SKR ) , also concatenated with the certificate sequence number SNS and signed with the P KS and SKR . Sender S: a) Verifies the digital signature using the CA public key P KCA . b) Verifies the binding between the visual static attributes AttributeR and the location using out-of-band channels, i.e., thermal image camera and laser based autocollimator, respectively. c) Decrypts the value Y and the concatenated certificate sequence number SNS , i.e., DSKS (DP KR (Y + SNS )). In addition, computes the secret 5) H (eSK ,SK ) S S , Y H1 (eSKS ,SKS ) , S, R). session key K, i.e., H2 (Y SKS , P KR 1 Sender and receiver exchange the session messages encrypted with the session key K. 6) Fig. 6: Adapted NAXOS protocol. they communicate directly to each other. Whereas, the active adversary with exactly matching static attributes sits in the middle and either modifies or injects fake message to each other, correspondingly. However, the binding between augmented certificate and laser communication channel does not weaken the security of the associated authentication protocol, such as NAXOS, which is already proven to be secure in the assumed model. Furthermore, our approach guarantees to resolve the vehicle identity in the presence of multiple identical vehicles. intended sender’s front interface towards its back interface. The active adversary forwards the same messages to the intended receiver’s back interface, using its own front interface. Similarly, it forwards the response messages from the intended receiver (in front) towards the intended sender (behind). Now, the active adversary can launch an active attack in either of the following two ways: • The active adversary with exactly matching static attributes tries to intercept, remove, and skip or delay the messages between the intended sender and receiver. The active adversary does not modify the messages and its goal is to convince the sender and the receiver that they communicate with the intended car, i.e., visually identified. The active adversary has exactly similar static attributes as the intended recipient carries in order to impersonate the recipient. However, vehicles receive certified attributes, which are then visually verified before the processing of messages of the accompanying authentication protocol. Therefore, to act as a forwarder the proxy adversary should look like the sender in front of the receiver and the intended receiver in front of the sender (both at the same time), in order to qualify the attribute verification on both sides. This if not impossible still is very unlikely, and can be disregarded, see Fig. 8 on the left side. VI. We are not considering the coalition attack scenario in this paper, see Fig. 8. According to the coalition scenario, there exists two or more malicious vehicles between the sender and the receiver. One of these malicious vehicles impersonates sender and the other impersonates receiver by carrying exactly similar static attributes. Moreover, these malicious vehicles communicate over a separate communication channel to relay the messages between actual sender and receiver. Although malicious vehicles may not be able to decipher the messages, however, malicious vehicles can create an illusion of correct visual binding. The sender believes that it forwards message to receiver while actually forwarding it to one of the malicious vehicle impersonating the receiver and vice versa. It must be noticed that coalition scenario cannot be avoided with the proposed configurations and additional assumptions are required. In order to mitigate this coalition attack scenario and to identify the recipient vehicle (while keeping the directed nature of the channel), we plan to utilize an enhanced wireless fingerprinting approach in near future. I think I talk with S. This is the closest car in front of me. I think I talk with R. This is the closest car in front of me. R S C OALITION OF A DVERSARIES A VII. The paper presents a vehicle authentication scheme based on secure binding between the static and dynamic attributes of a vehicle. The spontaneous vehicle authentication is accomplished through an auxiliary communication channel in association with the conventional radio channel for message exchange. We utilize the fact that every vehicle occupies a unique combination of dynamic attributes such as location, distance, velocity and direction. A focused laser beam is used In this Fig., adversary A carries same static attributes as R and impersonates as R in front of S. Fig. 7: Misbinding scenario. • C ONCLUSION The active adversary tries to manipulate or insert fake messages. The intended sender and receiver exchange the messages with a false impression that 6 A1 S R R A S A2 On the left side scenario, adversary A in the middle has some visible attributes of both S and R at the same time which is relatively unlikely. However, scenario on right side illustrates the coalition of adversaries that requires additional assumptions to avoid such a scenario. Accordingly, A1 impersonates S and A2 impersonates R by assuming similar visible static attributes. Henceforth, adversaries communicate over some additional channel and relay the messages between S and R, without deciphering those messages. As a result of which S misinterprets A2 as R and R misinterprets A1 as S. Fig. 8: Coalition of adversaries. to verify the vehicle dynamics and to transmit the certified attributes coupled with a public key. Therefore, the laser auxiliary communication channel enables a secure message exchange over radio communication channel. The proposed authentication scheme consider to avoid a new attack scenario with multiple identical vehicles. In addition, we illustrate that the proposed approach enhances the security over radio communication channel through the binding with the existing and proven authentication protocols. [12] [13] [14] [15] [16] ACKNOWLEDGMENT The work of the first author is partially supported by Orange Labs under external research contract number 0050012310-C04021, the Rita Altura Trust Chair in Computer Sciences, Lynne and William Frankel Center for Computer Sciences, and Israel Science Foundation (grant number 428/11). The work of the second author is partially supported by fundings from Polish National Science Center (decision number DEC-2013/09/B/ST6/02251). The work of the last author is partially supported by General Motors. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [17] [18] [19] R EFERENCES Dedicated Short Range Communications (DSRC) available at URL: http://grouper.ieee.org/groups/scc32/Attachments.html. M. Beigl. Point & click - interaction in smart environments. In Handheld and Ubiquitous Computing, 1999. M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Trans. Comput. Syst., 1990. R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In Advances in Cryptology EUROCRYPT 2001. M. K. Chong and H. Gellersen. Usability classification for spontaneous device association. Personal Ubiquitous Comput., 2012. W. Diffie and M. Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 1976. H. Hartenstein and K. Laberteaux. A tutorial survey on vehicular ad hoc networks. Communications Magazine, IEEE, 2008. E. Hossain, G. Chow, V. C. M. Leung, R. D. McLeod, J. Mišić, V. W. S. Wong, and O. Yang. Vehicular telematics over heterogeneous wireless networks: A survey. Comput. Commun., 2010. T. Kindberg and K. Zhang. Secure spontaneous device association. In Ubiquitous Computing. 2003. K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In In IEEE Symposium on Security and Privacy (SP), 2010. H. Krawczyk. Sigma: The ’sign-and-mac’ approach to authenticated Diffie-Hellman and its use in the ike-protocols. In CRYPTO, 2003. [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] 7 A. Kumar, N. Saxena, G. Tsudik, and E. Uzun. A comparative study of secure device pairing methods. Pervasive and Mobile Computing, 2009. B. LaMacchia, K. Lauter, and A. Mityagin. Stronger security of authenticated key exchange. In Provable Security. 2007. J. Lee and J. H. Park. Authenticated key exchange secure under the computational diffie-hellman assumption. IACR Cryptology ePrint Archive, 2008. U. M. Maurer and S. Wolf. The relationship between breaking the diffie–hellman protocol and computing discrete logarithms. SIAM J. Comput., 1999. R. Mayrhofer and M. Welch. A human-verifiable authentication protocol using visible laser light. In Availability, Reliability and Security, 2007. J. McCune, A. Perrig, and M. Reiter. Seeing-is-believing: Using camera phones for human-verifiable authentication. In Security and Privacy, 2005 IEEE Symposium on. L. H. Nguyen and A. W. Roscoe. Authentication protocols based on low-bandwidth unspoofable channels: A comparative survey. J. Comput. Secur., 2011. P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux. Secure vehicular communication systems: Design and architecture. Communications Magazine, IEEE, 2008. S. Patel and G. Abowd. A 2-way laser-assisted selection scheme for handhelds in a physical environment. In Ubiquitous Computing, Lecture Notes in Computer Science. 2003. F. Ponte Mller, L. Navajas, and T. Strang. Characterization of a laser scanner sensor for the use as a reference system in vehicular relative positioning. In Communication Technologies for Vehicles. 2013. M. Raya and J.-P. Hubaux. The security of vanets. In Proceedings of the 2nd ACM international workshop on Vehicular ad hoc networks, 2005. M. Raya and J.-P. Hubaux. Securing vehicular ad-hoc networks. Journal of Computer Security, 2007. M. Ringwald. Spontaneous interaction with everyday devices using a pda, 2002. In Proc. Supporting Spontaneous Interaction in Ubiquitous Computing Settings, a workshop held at Ubicomp, 2002. http://www.dcs.gla.ac.uk/ pd/Workshops/papers/ringwald.pdf. A. Sarr, P. Elbaz-Vincent, and J.-C. Bajard. A new security model for authenticated key agreement. In Security and Cryptography for Networks. 2010. M. Sichitiu and M. Kihl. Inter-vehicle communication systems: A survey. Communications Surveys Tutorials, IEEE, 2008. Sufatrio and R. H. C. Yap. Extending ban logic for reasoning with modern pki-based protocols. In IFIP International Conference on Network and Parallel Computing, 2008. L. Ulrich. Whiter brights with lasers. In IEEE Spectrum, 2013. B. Ustaoglu. Obtaining a secure and efficient key agreement protocol from (h)mqv and naxos. Designs, Codes and Cryptography, 2008. [30] [31] [32] [33] [34] Transportation Systems Conference, IEEE, 2006. T. Yashiro, T. Kondo, K. Ariyasu, and Y. Matsushita. An inter-vehicle networking method using laser media. In Vehicular Technology Conference, IEEE 44th, 1994. Fortin, B. and Lherbier, R. and Noyer, J.C. A PHD approach for multiple vehicle tracking based on a polar detection method in laser range data. In Systems Conference (SysCon), IEEE International, 2013. Thuy, M. and Leon, F.P. Non-linear, shape independent object tracking based on 2d lidar data. In Intelligent Vehicles Symposium, IEEE, 2009. S. Dolev, L. Krzywiecki, N. Panwar, and M. Segal. Certificating Vehicle Public Key with Vehicle Attributes. In ASCoMS (Architecting Safety in Collaborative Mobile Systems) at SAFECOMP, 2013. MacLachlan, R.A. and Mertz, C. Tracking of Moving Objects from a Moving Vehicle Using a Scanning Laser Rangefinder. Intelligent [35] O. Abumansoor, and A. Boukerche. Preventing a DoS Threat in Vehicular Ad-hoc Networks using Adaptive Group Beaconing. Proceedings of the 8th ACM symposium on QoS and security for wireless and mobile networks, 2012. [36] S. Capkun, M. Cagalj, R.K. Rengaswamy, I. Tsigkogiannis, J.P. Hubaux, and M.B. Srivastava. Integrity Codes: Message Integrity Protection and Authentication over Insecure Channels. IEEE Trans. Dependable Sec. Comput., 2008. [37] M. Barbeau, J. Hall, and E. Kranakis. Detecting Impersonation Attacks in Future Wireless and Mobile Networks. Proceedings of the First international conference on Secure Mobile Ad-hoc Networks and Sensors (MADNES), 2005. 8