1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TIFS.2015.2473820, IEEE Transactions on Information Forensics and Security
Infrastructure (PKI) is modified to implement functions of
authentication and integrity. To hide a vehicle's real identity,
many public/private key pairs and their corresponding certificates
are pre-loaded into the vehicle's OBU. For each communication,
the OBU picks one key pair at random and uses it to provide
authentication and integrity. Raya and Hubaux's scheme [9]
suffers from the following weaknesses: 1) each vehicle needs a
very large storage space for its public/private key pairs and the
corresponding certificates; 2) the authority also needs a very
large storage space to hold all vehicles' certificates; 3) it is
difficult to find the real identity of an adversary who sends a
false message, because the authority has to perform an exhaustive
search over all stored certificates.
To address the weaknesses in Raya and Hubaux's scheme,
Lu et al. [12] proposed a new CPPA scheme using anonymous
certificates. A vehicle in Lu et al.'s CPPA scheme obtains a
temporary anonymous certificate when it passes an RSU. To
achieve conditional privacy, each vehicle has to request a new
anonymous certificate from an RSU frequently, because an
adversary could trace a vehicle if one certificate is used for a
long time. Such frequent interactions with RSUs are inefficient,
so Lu et al.'s CPPA scheme cannot satisfy the efficiency
requirement of VANETs [13]. To overcome this weakness,
Freudiger et al. [13] combined anonymous certificates with
mix-zones to design a new CPPA scheme. However, in this
modified CPPA scheme, the vehicles and the RSUs have to
store a large number of anonymous certificates. Zhang et al. [14]
used the Hash-based Message Authentication Code (HMAC) to
construct an efficient CPPA scheme for VANETs, where the
HMAC key is generated through a key agreement protocol
executed between the vehicle and the RSU. To achieve privacy,
the vehicle must use a different private/public key pair, along
with the corresponding certificate, in each communication with
the RSU. Therefore, vehicles still have to store a large number
of private/public key pairs and the corresponding certificates.
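The HMAC-based approach of Zhang et al. [14] has two moving parts: a key agreed between the vehicle and the RSU, and a tag on every message computed under that key. The following is an added example (not code from Zhang et al. [14] or from this paper) showing both halves in the standard library, with the RSU side also rejecting stale and replayed beacons, since replay is one of the attacks this survey raises against later schemes. The finite-field Diffie-Hellman group (RFC 2409 group 2), the `pseudonym|timestamp|nonce|payload` layout, the KDF label, the 5-second freshness window and all sample values are assumptions made for illustration; the paper does not specify them.

```python
import hashlib
import hmac
import secrets
import time

# 1024-bit MODP group (RFC 2409, group 2), generator 2. Chosen only so the
# example runs with the standard library; a deployment would use ECDH or a
# stronger MODP group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """One side's ephemeral Diffie-Hellman contribution: (private, public)."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Agree on a 256-bit HMAC key; rejects degenerate public values."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    secret = pow(peer_pub, priv, P)
    # Hash the raw secret under a label so the HMAC key is fixed-length and
    # bound to this purpose (hypothetical KDF, not the paper's).
    return hashlib.sha256(b"vanet-hmac-key|" + secret.to_bytes(128, "big")).digest()


def build_message(key, pseudonym, payload, ts=None, nonce=None):
    """Vehicle side: body = pseudonym|timestamp|nonce|payload, plus HMAC tag."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    body = f"{pseudonym}|{ts}|{nonce}|{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class RsuVerifier:
    """RSU side: checks the tag, then freshness, then uniqueness."""

    def __init__(self, key, window_s=5):
        self.key = key
        self.window_s = window_s
        self.seen = set()                         # (pseudonym, nonce) pairs

    def verify(self, body, tag, now=None):
        now = int(time.time()) if now is None else now
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"                      # forged or modified message
        pseudonym, ts, nonce, _payload = body.decode().split("|", 3)
        if abs(now - int(ts)) > self.window_s:
            return "stale"                        # outside the freshness window
        if (pseudonym, nonce) in self.seen:
            return "replay"                       # same (pseudonym, nonce) seen before
        self.seen.add((pseudonym, nonce))
        return "ok"


def demo():
    """Vehicle and RSU agree a key; the RSU then sees a valid, a replayed,
    a stale and a tampered copy of one beacon. Timestamps are constructed."""
    v_priv, v_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    k_vehicle = dh_shared_key(v_priv, r_pub)
    k_rsu = dh_shared_key(r_priv, v_pub)
    assert k_vehicle == k_rsu                     # both sides hold the same key

    rsu = RsuVerifier(k_rsu)
    body, tag = build_message(k_vehicle, "PSN-0017", "speed=52;heading=NE",
                              ts=1000, nonce="n1")
    tampered = body.replace(b"speed=52", b"speed=12")
    return [
        rsu.verify(body, tag, now=1002),          # fresh, first time seen
        rsu.verify(body, tag, now=1002),          # identical copy: replay
        rsu.verify(body, tag, now=1100),          # 100 s later: stale
        rsu.verify(tampered, tag, now=1002),      # payload changed: bad_tag
    ]


if __name__ == "__main__":
    print(demo())
```

Two points the example makes visible. The tag is checked before the timestamp and nonce are parsed, so an attacker cannot influence the replay cache with unauthenticated input. And because the vehicle and the RSU share the same key, either of them could have produced any valid tag: an HMAC alone gives the RSU assurance of origin but cannot prove to a third party which of the two sent the message, which is why schemes that need non-repudiation still rely on signatures (and, in this family, certificates) on top of the shared key.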
To address the certificate management problem in the
above PKI-based CPPA schemes [11-14], Zhang et al. [15, 16]
incorporated IDentity-based Public Key Cryptography
(ID-based PKC) into the design of CPPA schemes. The concept
of ID-based PKC was proposed by Shamir [17] in 1984. In
ID-based PKC, a user's identity (such as a name, e-mail address
or phone number) serves as his/her public key, and his/her
private key is generated by a trusted third party called the
Private Key Generator (PKG). No certificate is therefore needed
to bind the user's identity to his/her public key, so ID-based
PKC can solve the certificate management problem of a PKI.
Zhang et al. [15, 16] proposed an Identity-Based Signature
(IBS) scheme and used it in an Identity-based Conditional
Privacy-Preserving Authentication (ID-based CPPA) scheme for
VANETs. Neither the vehicle nor the RSU in Zhang et al.'s
ID-based CPPA scheme needs to store a certificate. In addition,
their scheme incurs a lower verification cost because it supports
batch verification, i.e., it can verify the validity of many
messages simultaneously. Therefore, Zhang et al.'s ID-based
CPPA scheme overcomes the weaknesses of the previous
PKI-based CPPA schemes [11-14].
However, as Lee and Lai [18] pointed out, Zhang et al.'s
ID-based CPPA scheme [15, 16] is vulnerable to the replay
attack and cannot satisfy the property of non-repudiation. Later,
Chim [19] pointed out that Zhang et al.'s ID-based CPPA scheme
is vulnerable to the impersonation attack and the anti-traceability
attack. Chim [19] also proposed another ID-based CPPA
scheme for VANETs. With only two shared secrets, Chim's
ID-based CPPA scheme [19] could satisfy the privacy
requirements of VANETs, and it has lower communication
costs than previously proposed ID-based CPPA schemes.
However, Horng et al. [20] found that Chim's ID-based CPPA
scheme was vulnerable to the impersonation attack, i.e., a
malicious vehicle could impersonate any other vehicle to
broadcast counterfeit messages. To improve performance,
Shim [21] proposed an efficient IBS scheme and used it to
design an efficient ID-based CPPA scheme. Unfortunately,
Liu et al. [22] pointed out that the security proof of Shim's IBS
scheme is flawed and that Shim's ID-based CPPA scheme
suffers from a modification attack, i.e., the adversary can
generate a new legal message by modifying a previous message.
Recently, Zhang et al. [23] and Bayat et al. [24] found that
Lee and Lai's ID-based CPPA scheme [18] cannot withstand
the impersonation attack, i.e., a malicious vehicle could
impersonate any other vehicle to broadcast a forged message.
Zhang et al. [23] also pointed out that Lee and Lai's ID-based
CPPA scheme [18] cannot provide non-repudiation of
messages. To enhance the security of previous schemes, Zhang
et al. [23] and Bayat et al. [24] each proposed an improved
ID-based CPPA scheme for VANETs. By modifying the
generation of the anonymous identity and of the digital
signature, Zhang et al.'s ID-based CPPA scheme [23] and
Bayat et al.'s ID-based CPPA scheme [24] resolve the security
problems of Lee and Lai's ID-based CPPA scheme [18] and
offer better computational performance. Despite these
improvements, Zhang et al.'s ID-based CPPA scheme [23] and
Bayat et al.'s ID-based CPPA scheme [24] still suffer from the
modification attack described by Liu et al. [22].
III. BACKGROUND
A. Network model
According to recent research [27-29], a two-layer network
model is well suited to VANETs. The components of the
network model are shown in Fig. 1.
The upper layer of the network model consists of a
Trusted Authority (TA) and an Application Server (AS), which
communicate with each other through a secure channel that can
be established with the Secure Socket Layer (SSL) protocol. The
bottom layer consists of RSUs and vehicles, which communicate
with each other through the DSRC protocol. The four
participants are described in detail as follows.