TESLA Authentication and Digital Signatures for V2X Messages
Publication Date: 2008-Oct-09
The IP.com Prior Art Database
This report describes a protocol in which each message is authenticated by both a digital signature as well as a TESLA Message Authentication Code (MAC). The protocol is motivated by the observation that for the effective operation of collision-avoidance applications, it is not necessary for a given receiver to know the current kinematic state of every vehicle. Intuitively, it is sufficient if the receiver has current (i.e., up-to-date) information of the kinematic state of vehicles in its immediate vicinity, and delayed information regarding vehicles that are further away from it. Also, note that with increasing vehicle densities, the number of vehicles that are further away from a given tagged receiver increases significantly. Independently, another protocol to combine the benefits of digital signatures and TESLA++ has also been developed.
1 Introduction and Background
Vehicle-to-vehicle (V2V) safety applications such as Blind Spot Warning (BSW) and Co-operative Collision Warning (CCW), rely on the repeated exchange of kinematical information amongst neighboring vehicles by means of V2V communications as per the wireless Dedicated Short Range Communications (DSRC) standard . These messages are typically transmitted periodically, at the frequency of 10 Hz per vehicle, and are authenticated using digital signatures based on an underlying Public Key Infrastructure (PKI), in accordance with the IEEE 1609.2 standard specification . However, generating and verifying digital signatures consumes a significant amount of the share of the automotive processor. As the penetration of V2V-based active safety applications increases, there is a need for computationally efficient mechanisms for verification of messages since V2V-equipped vehicles would have to verify an increasing number of messages.
Figure 1: Categories of attacks at different layers of the protocol stack.
Required Attributes of a Broadcast Authentication Protocol in V2X context We enumerate below the required attributes of a protocol to authenticate broadcast messages at the security layer (see Figure 1).
• Message integrity and entity authentication: At the security layer, the primary functionality of the
broadcast authentication protocol is to filter bogus messages (i.e., those messages with the correct format but invalid signature or authentication tag). Note that broadcast authentication requires the asymmetric property that that only the sender is able to generate the signature (or, authentication tag), and any receiver is able to only verify the signature (or authentication tag). The security strength of the broadcast authentication protocol is measured in n-bits of security i.e., an attacker needs to
perform O(2n) operations in order to generate a signature or authentication tag on a message of his choice. The IEEE 1609.2 Standard recommends 128-bits of security.
• Non-repudiation: The recipient of a message is able to prove later on that the sender, in fact, transmit- ted the message. This is a required attribute in order to develop malicious node detection algorithms above the security layer.
• Interoperability with the existing IEEE 1609.2 Standard.
• Resilience to computational Denial of Service (DoS) attacks: To verify whether a (bogus) message
is genuine or not consumes computational resources at a given node. Hence, it should not be easy for a malicious entity without access to compromised keying material to create a bogus message. Unfortunately, digital signatures based on asymmetric key cryptography are particularly vulnerable to computational DoS attacks. A possible metric to capture...