L’utilisation des blockchains pour renforcer la sécurité et améliorer la confiance dans les réseaux distribués
Vehicular ad-hoc networks and communications
In this section, we mainly focus on ITSs and vehicular communications. We detail the system model for a traditional ITS, the different communication technologies and protocol stacks. Then, we highlight the application scenarios in which vehicular communications play the lead role. We recall the resulting security requirements and challenges in light of the adversary model and corresponding attacks. Finally, we present some mitigation techniques and their limitations. Figure 2.1: Example of an Intelligent Transportation System.
Vehicular ad-hoc networks and communications 2
System Model Figure 2.1 illustrates an ITS [46]. It is composed of ad-hoc nodes, essentially the vehicles, equipped with sensors and radio access technologies that enable them to communicate, and infrastructure nodes, namely the RSUs, Base Stations and Wi-Fi hotspots. Vehicles are often loosely assimilated to the On-Board Unit (OBU) they embed [47]. Traditionally, the ITS architecture consists of four distinct components, the in-vehicle domain, the ad-hoc domain, the infrastructure domain, and the service domain, in which the vehicles can share and access data of various types and utilities [48]. In-vehicle domain. This domain relates to the communications inside the vehicle and depends on its inherent components. The system includes the Communications Control Unit (CCU), the OBU and the Human Machine Interface (HMI). The CCU handles communications from the physical layer (layer 1) to the network layer (layer 3) of the OSI model. It contains transceiver modules that enable interactions via different access technologies (such as Bluetooth or Wi-Fi). The OBU is equipped with hardware (with processing, storage, and communication capabilities, among others) and software to run the various applications that are partly responsible for the transmission of data. Finally, the HMI is a user interface that enables the drivers to exploit the OBU and CCU’s capabilities in different use cases and provide relevant information about the road events (e.g., traffic jams and accidents). The ad-hoc domain. In this domain, a wireless network is formed dynamically between the vehicles to empower inter-vehicle communications. The main protagonists involved in its creation are vehicles and RSUs. Communications can be one-hop, i.e. going from a node to another and stopping, or multi-hop, i.e. hopping from car to car. The RSU is often used to expand the range of communications of a car. The infrastructure domain. This domain refers to the backbone of the ITS. It includes roadside wireless infrastructure nodes, namely the RSUs, the Base Stations or the Wi-Fi hotspots, and the underlying wired network, which involves switches, routers 22 Background and gateways. These infrastructure nodes are often deployed by ITS authorities or telecommunication/service providers. The service domain. This domain is the top layer of the architecture. It supports the development of services, including traffic-related services (e.g., information on road status provided by competent public authorities) and generic ones (e.g., subscriptionbased proprietary services). The goal of ITSs is to facilitate communication among nearby vehicles. Within this four-domain-based architecture, a vehicle can communicate with surrounding peers via two types of communication patterns: • It uses V2V communications when addressing another vehicle in ad-hoc mode. In that case, it can receive, transmit and exchange valuable information on road and traffic conditions. • Or, it leverages V2I communications when retrieving information from an infrastructure node. It is also the connection chosen to access the Internet. However, these communication means are subject to many constraints due to the inherent characteristics of the ITS environment and nodes. More specifically, they must comply with the high mobility of the vehicles. As a consequence, they must adapt to the dynamic and almost-unpredictable topology of these networks. As a consequence of these two first specificities, there are frequent disconnections in the network and attenuations, worsen by the open nature of ITSs (i.e. due to climate interference or density of traffic). Other restrictions affect the transmission medium, namely the air. Although the air is unlimited, the competent authorities (e.g., the ETSI for Europe, the American National Standards Institute or ANSI in the U.S.) defined a standard of communications that restricts its use to a limited bandwidth of frequencies (subsection 2.1.2). Moreover, since the transmissions are wireless, anyone equipped with a transmitter can operate in the same frequency band as the actual users. Unlike other types of mobile networks, ITS nodes do not heavily suffer from energy, computing or storage capabilities problems, even though they remain limited due to the size of the 2.1 Vehicular ad-hoc networks and communications 23 systems. However, real-time processing is of utmost importance.
Vehicular communications
ETSI has designed a dedicated protocol stack to comply with the inherent characteristics of ITSs to provide the necessary media of communications, and facilitated the sharing of traffic-related information. It consists of four piled-up and two transverse layers (Figure 2.2). Applications Facilities Network and transport Access ITS-G5, Wi-Fi, 3G, LTE, Other… Management Security Figure 2.2: ETSI Layers The access layer corresponds to layers 1 and 2 of the OSI model. The dedicated standard is ETSI-ES-202-663 [49]. It describes the standards related to the Physical and MAC layers. The network & transport layer replaces layers 3 and 4 of the OSI model. It is covered by the ETSI-EN-302-636 series of documents [50] referred to as GeoNetworking protocol standards. The facilities layer corresponds to OSI layers 5 and 6, and is presented in the standard ETSI-TS-102-894-1 [51]. It constitutes the intermediary layer between the application and the network & transport layers. It supports several services, among which the Cooperative Awareness (CA) [5] and the Decentralized Environment Notification (DEN) [6] services. They are two messaging standards that leverage vehicular communications to contribute to safety preservation within the system. The corresponding messages notify a vehicle of the state of 24 Background nearby nodes (e.g., speed, direction, location) and events on the road (e.g., road hazard warning). These messages are used in the application layer by the Basic Set of Applications, that include Active Road Safety (cooperative awareness and road hazard warning) and Cooperative traffic efficiency (speed management and cooperative navigation), as detailed in the ETSI-TR-102-638 document [52]. In addition to these four primary layers, there are two additional sets of standards for security and management. The standard [53] specifies the security architecture and security management for vehicular communications. It goes through the various topics of certificate formats, trust and privacy management, authentication and authorization services and confidentiality of information. Similarly to the security layer, the management layer is transverse to the whole stack as management functions can be implemented at the access layer, the networking & transport layer or the facilities layer. It defines Decentralized Congestion Control (DCC) mechanisms to balance and optimize the use of the stations’ resources.
Applications
This stack and corresponding communications standards are designed to provide some essential services to ITS nodes. There are several classifications of ITS applications [54– 57]. Overall, there are two major categories: the safety applications, and the non-safety applications. As indicated, the non-safety applications do not participate in safety preservation. Instead, they propose other services related to mobility, environment, infotainment. They can be sub-categorized into comfort applications, interactive entertainment, and urban sensing. For example, comfort applications enable a driver to get real-time information on weather, gas station, or restaurant location. Interactive entertainment aims to deliver relevant, entertaining information to the driver and passengers, including internet access, distributed games, or music download. Finally, urban sensing leverages the data collected by the vehicles’ onboard sensors to monitor the environmental conditions and social activities in urban areas. They can be used to detect when the air is over-polluted for instance. These applications mainly rely on third parties and telecommunication operators to access the Internet and provide the requested services. 2.1 Vehicular ad-hoc networks and communications 25 As such, vehicular communications involved in non-safety applications can be treated as any other Mobile Ad-hoc NETwork (MANET) communications. The safety applications instead promote the sharing of information that directly helps preventing road accidents and are therefore closely linked to the ITS environment. They include services related to the safety of the users (e.g., avoiding collisions) and the overall system’s efficiency (e.g., reducing road congestion). They rely on the aforementioned dedicated messaging patterns, namely the CAMs and DENMs, to avoid and decrease the number of casualties on road. In this thesis, we are interested in securing the content and delivery of these messages w.r.t. the security requirements that we now introduce.
Security requirements and challenges
The previous sub-section highlights how the widespread adoption of ITSs can empower safety on the road. However, there is a famous quote from Blum and Eskandarian [58] saying: “A wireless network of intelligent vehicles can make highway travel safer and faster. But can hackers use the system to cause accidents?” Safety in ITSs is critical because it affects the life of human beings. Therefore, it is essential that the data in the various aforementioned safety-related services is trusted and cannot be compromised. Over the years, there has been a consensus on the security requirements for an ITS system. They go as follows: • Requirement 1:Authentication, identification, non-repudiation and accountability. This requirement asks that messages are legitimate, i.e. generated by senders that are known and authorized to send them. A sender should not be able to deny the transmission of a message. Consequently, due to the critical nature of ITSs, any vehicle must be uniquely identifiable. When a node performs an action that opposes the safety of others or the well-functioning of the systems, it should be held accountable and accordingly be judged. 26 Background • Requirement 2: Data consistency and integrity. This property implies that the message content should be judged plausible (w.r.t. the ITS situation) by users evolving in tight space and time with its source. In addition, integrity mechanisms must also be implemented to detect any alteration of messages, performed on purpose, during transit between the source and the destination. • Requirement 3: Availability. In case the network is attacked, the aforementioned safety applications should still be accessible to road users. • Requirement 4: Privacy and confidentiality. On top of these mandatory security requirements that directly impact the trust one put in a transmitted message, users do not want to expose their identity or personal information while contributing to the system safety. Therefore, even in the case of safety applications, the system must provide a way to protect the data being shared from unauthorized eavesdroppers as it may contain personal identifiers. • Requirement 5: Real-time. Finally, since the usefulness of safety messages are limited in time, so are the delivery and subsequent integrity, authentication checks. Another parameter that complexifies the design of a security framework for vehicular communications is the variety of entities that composes the system, as shown in Figure 2.1. These include the aforementioned users (which equally refers to the driver, the vehicle or the OBU), RSUs, TAs (also called TTPs) but also the attacker. In the context of ITSs, an attacker is one or more compromised entities working together to violate the security of honest users. There exist different types of attackers and scenarios of attacks which we detail in the following sub-section.
Adversaries and attacks
An attacker’s model is usually defined by its location w.r.t. the system (inside or outside), its motivation (malicious or rational), its capabilities (active or passive), and its scope (local or extended) [54, 59, 60]. In the following paragraphs, we outline some 2.1 Vehicular ad-hoc networks and communications 27 examples of attacks against the aforementioned security requirements and detail the corresponding model of attackers. Attacks on availability. They mainly focus on disabling the system by preventing communications between nodes. Denial of Service (DoS) attacks are prevalent and target the availability of the network services by, for instance, flooding the channel with high volumes of messages that cannot be processed. In that case, the attacker is either inside or outside the ITS and compromises the network locally. It is malicious, meaning that it gains no personal benefit out of the compromising of the system. Its goal is to harm users or the functionality of the network, and to this end, it is active and may employ unlimited resources. A similar attack performed at the physical layer is called a jamming attack. The attacker acts likewise by producing interference to disrupt the signal and prevent the communications. Other fatal attacks include greedy behaviour attack, blackhole, grayhole, sinkhole and wormhole attacks, broadcasting tampering… [55]. Attacks on authenticity. Sybil attacks, Global Positioning System (GPS) spoofing, tunnelling attacks are all examples of attacks that target the authenticity and identification requirement. For instance, in a Sybil attack, the attacker creates a large number of pseudonymous identities and uses them to gain a disproportionately large power within the system and influence it. If Sybil attacks were not mitigated in blockchains, one could rewrite the entire history of transactions and undermine the immutability property of this technology. In the tunnelling attack, the attacker creates a virtual channel, called tunnel, to connect distant network parts. This attack is often jointly performed with a GPS spoofing attack to deceive the vehicle from detecting the malicious node. Yet, the most scathing attack is the node impersonation attack. In that case, the attacker can obtain a valid identifier that traces back to another legitimate vehicle in the network. This attack goes against the uniqueness of the vehicle identifier. The attacker is either inside or outside the ITS and actively engages in the corruption of the system. It usually has a rational motivation as it seeks to hide behind another 28 Background user to perform actions and gain (or at least not lose) from them. In a similar spirit, key and/or certificate replication attacks consist of duplicate keys and/or certificates commonly used for proof of identification. In that case, it introduces ambiguity and violates the accountability requirement. Attacks on integrity. These attacks range from the simple re-transmission of outdated information (e.g., replay attacks) to the fabrication of bogus messages (e.g., illusion attacks). Among them, we find attacks that focus on tampering, suppressing or altering messages. The active attacker, either from inside or outside of the system, may falsify received data, for instance, by not indicating that a route is congested, to deceive users and increase traffic jams. Attacks on accountability. The loss of events traceability is of significant concern in ITSs since the users may endanger others’ lives. As such, the system should guarantee that they are held accountable for their actions and their messages. Nonrepudiation attacks, for instance, focus on the erasure of actions traces and creating confusion for the auditing entity. They often go together with other availability attacks such as Sybil attacks. Attacks on privacy. They represent an essential violation of drivers’ privacy as ITS users. Among them, we find tracking attacks that concentrate on pursuing a vehicle during its journey by analyzing its actions traces. In this example, the passive attacker can be inside or outside the ITS and is rational to target identified nodes. It is considered an extended attacker as the impacts of the attack can lead to the exposure of the drivers’ identities outside the ITS. Other attacks such as Man-in-themiddle attacks and brute force attacks can breach data confidentiality in addition to the privacy threat. Timing attacks. The type of attacks that target the real-time dimension of ITSs is referred to as timing attacks. The active attacker delays the transmission of the messages to prevent further processing once released.
Acknowledgements |