Peripheral Authentication for Parked Vehicles over Wireless Radio Communication

(Footnote 1: This is a full version of a short paper published in IEEE NCA 2016. In the cover letter, we provide details of the extended part in this version.)
Peripheral authentication is an important aspect of vehicle networks: it restricts services to authenticated peripherals and protects internal vehicle modules such as the anti-lock braking system, powertrain control module, engine control unit, transmission control unit, and tire pressure monitoring. This paper presents a vehicle-to-peripheral-device and peripheral-device-to-vehicle authentication scheme that verifies the binding between a vehicle and an authentic user peripheral device. In particular, a three-way handshake scheme is proposed for vehicle-to-keyfob authentication. A keyfob is a key with secure hardware that communicates with and authenticates the vehicle over a wireless channel. Usually, a secret PIN is entered through the wireless keyfob and must be verified before access to the vehicle is granted. Conventionally, vehicle-to-keyfob authentication is realized through a challenge-response verification protocol, and an authentic coupling between the vehicle identity and the keyfob prevents illegitimate access to the vehicle. However, these authentication messages can be relayed by an active adversary, bridging a much larger physical distance between the authentic vehicle and keyfob than the protocol assumes. Such an adversary can gain access to the vehicle merely by relaying wireless signals, without any effort to generate or decode the secret credentials. Hence, a vehicle-to-keyfob authentication scheme must verify an additional attribute, such as the physical movement of the keyfob holder.
Our solution is a two-party, three-way handshake scheme with proactive and reactive commitment verification. The proposed solution also uses a time-interval verification: both the vehicle and the keyfob must observe a similar locomotion pattern of a moving keyfob within a similar observational time interval. Hence, the solution differs from distance-bounding protocols, which require multiple iterations of round-trip delay measurement. The proposed scheme is shown to be adaptable to existing commitment schemes such as the Schnorr identification scheme and the Pedersen commitment scheme.
Keywords: authentication, access control, event data recorders, challenge-response pairs, verification.
Currently, vehicles are being leveraged as secure mobile information systems [secureit] in Internet of Things (IoT) environments such as smart cities, smart communities, smart contracts, and smart homes. To enable wireless communication, these vehicles must comply with Dedicated Short Range Communication (DSRC), IEEE 1609 [eded, od], based on Wireless Access in Vehicular Environments (WAVE), IEEE 802.11p [tuto]. There has been a tremendous amount of research on how to drive securely while simultaneously communicating with neighboring vehicles so that warnings can be received or predicted ahead of time. Examples of such inter-vehicle communication are platooning protocols for fuel efficiency, vehicle tracking protocols for traffic efficiency, data dissemination and offloading protocols for road side units (RSU), and vehicle localization protocols for safety and infotainment routing. Another crucial aspect, however, is authorizing access to a vehicle via peripheral device connections [beath]. Our focus is on the vulnerabilities of a static vehicle. It may be less intuitive to imagine threat scenarios for a static or parked vehicle, yet a parked vehicle is exposed to every attack that follows once it becomes accessible to rogue peripheral devices. For example, an adversary can use repeaters to revive weak signals from a distant keyfob and thereby obtain access to the vehicle before the legitimate keyfob arrives. Alternatively, a brute-force search over recorded challenge-response transcripts can be used to compute the correct response and forward it to the vehicle before the original response arrives. A more formal description of the attack scenarios is given in the adversary model section (Section [sect:mod]). Therefore, we provide a general authentication scheme for these peripheral devices and, in a separate scheme, also improve the mobile keyfob authentication.
Peripheral authentication: A secure digital periphery of the vehicle is achieved via secure authentication of paired devices. Specifically, any temporary peripheral device connection with the vehicle must be authenticated to preserve the functional safety of the vehicle (see the ISO 26262 road vehicle functional safety standard [iso]) while driving with a plugged-in rogue device. Peripheral devices such as keyfobs, USB sticks, cell phones, and iPods provide extended services to the vehicle. Evidently, these ad hoc vehicle-to-device connections expose an otherwise static and secure vehicle periphery to external threats. Our motivation is to secure the integration of peripheral devices, especially remote vehicle access via the keyfob. A keyfob is a hardware security token that allows only authentic access to a remotely situated static vehicle.
In particular, the problem goes beyond placing a firewall to filter external threats, because of the range of relay and impersonation attacks (presented in Section [sect:mod]). Secure remote access is the most critical of the peripheral device connections because vehicle access via a keyfob has the widest attack horizon. Therefore, it is important to identify, authenticate, and pair the correct keyfob as it approaches the parked vehicle by measuring the active locomotion pattern of the keyfob and its holder. Note that the proposed approach uses the event data history as the primary means to pair and authenticate any peripheral device; for a keyfob, however, an additional verification of the keyfob dynamics is essential and provides stronger security against relay attacks.
V2X communication paradigm: Vehicular communication has multiple dimensions [forte], for example vehicle to infrastructure (V2I, with road side units for service discovery across smart highways or smart cities), vehicle to cloud (V2C), vehicle to IoT (V2IoT, communication with platoons or RFID-enabled smart highways), vehicle to smart home (V2SH), vehicle to peripheral device (V2PD, plug-in device authentication [surgon]), vehicle to vehicle (V2V), and vehicle to owner (V2O, personalized human-computer interaction).
We chose to provide a secure authentication protocol for vehicle-to-peripheral-device (V2PD) communication. In general, our solution provides a secure binding between the vehicle and authentic peripheral devices, and it is extended with an additional customization for vehicle-to-keyfob binding via user authentication. The solution considers a static vehicle and securely binds the services available at the vehicle to user authentication. Note that although a moving vehicle presents a wider attack surface, a static vehicle is the entry point to the variety of V2X communication paradigms listed above and is therefore more sensitive. The protocol design hence requires a two-fold interactive authentication paradigm based on challenge-response verification together with anthropomorphic features, i.e., human aspects incorporated into the verification. The internal vehicle networks are expected to provide a secure identifying gateway to these external devices, but every transient connection between a peripheral device and the vehicle must be verifiable.
The proposed solution verifies the driver's authenticity via a three-way handshake that delivers two-fold authentication. Furthermore, the handshake derives all subsequent messages from an initial round of authentication associated with the initiator. Secure mutual pairing between the vehicle and peripheral devices [kumar] is analogous to ad hoc device pairing such as in Bluetooth. The proposed solution, however, prevents unauthorized access to a vehicle by using cryptographic commitment schemes as a building block, and it denies any consequent privilege to maliciously start the engine of a parked vehicle through peripheral device access. Our motivation is to strengthen access control over a static/parked vehicle such that, first, the owner is authenticated based on pre-defined challenge-response pairs (CRP) and, second, actively measured dynamics are verified as an attribute of the owner's characteristics.
The digital periphery of a vehicle (its physical as well as its wireless signal periphery) must apply reactive and proactive commitment verification to any access grantee. In general, a vehicle receives a request for safe pairing and subsequent access to various internal vehicle modules, e.g., the anti-lock braking system (ABS), powertrain control module (PCM), engine control unit (ECU), transmission control unit (TCU), tire pressure monitoring (TPM), active control module (ACM), relay control module (RCM), and heating, ventilation and air conditioning (HVAC) systems. Evidently, the security of these modules depends on secure pairing with peripheral devices, and secure pairing is even more crucial when a peripheral device (e.g., a keyfob) requests remote access to the vehicle.
1.1 Problem Statement
Figure 1 illustrates a problem scenario in which an attacker gains access to a vehicle. The required solution must prevent unauthorized remote vehicle access via a fabricated radio frequency identification (RFID) enabled keyfob. We also focus on providing an anthropomorphic link in the bond between the vehicle and peripheral devices such as an RFID-enabled keyfob. Conventionally, keyless entry systems provide autonomous sensing (the system settings are defined within the scope of autonomous vehicles, i.e., availability of IEEE 802.11p [zerop], IEEE 1609.2 [eded], and the IEEE 1616 black box [motor]) in which the parked vehicle keeps sensing the presence of an authentic keyfob in its proximity through heartbeat messages, e.g., via a regular beacon solicitation method. The authentic keyfob must be present in the proximity and respond to these soliciting beacons from the parked vehicle. However, the absence of the authentic keyfob from the sensed region can be masked by another RFID-enabled device that amplifies and relays the signals between both parties, creating the illusion of a shorter distance. In addition, these RFID signals are vulnerable to other sophisticated attacks, detailed in [kelo] under an adaptive adversary model. In particular, an adversary who recovers an exhaustive number of CRP transcripts might fabricate a duplicate keyfob from that knowledge.
1.2 Design Requirements
An authentication protocol construction must incorporate the verification of a pre-shared secret, an active response, and a specific anthropomorphic feature. For example, the personalized locomotion pattern of a keyfob holder may reveal identifying information (more accurately as time passes). In particular, our design involves the following factors and combines them into a multi-dimensionally secure access control scheme. The design requirements can be summarized as:
Reciprocal authentication: A primary requirement is mutual authentication between a vehicle and a peripheral device such as a keyfob. Conventionally, vehicle-to-keyfob pairing is initiated from the vehicle's side, with the keyfob as responder; however, a vehicle acting as initiator is more exposed to attack than the other way around. In our scheme the keyfob is the initiator and the vehicle is the responder that validates a specific service access grantee such as an authentic keyfob. The vehicle authenticates the initiator and reciprocates with a secret challenge along with the vehicle identity.
Identification based on pre-shared state: In our solution, the initial pairing is secured using an internal state record of the vehicle that is proactively synchronized with the internal state recorded inside the keyfob. The initial pairing must witness a matching internal state (inside the vehicle and the authentic keyfob) as part of the pre-shared knowledge verification phase.
Reactive verification: The proactive commitment (verification based on the internal vehicle state) must be coupled with a reactive commitment verification. This handshake ordering rules out an attack in which the adversary answers an authentic challenge with an arbitrary response. CRP-based reactive verification prevents misbinding attacks and satisfies a non-injective authentication property, i.e., it guarantees that the other party participated in the run without guaranteeing a one-to-one correspondence between the two parties' protocol executions. Thus, the vehicle must be able to verify the validity of the response, i.e., that the response corresponds to the current challenge.
Anthropomorphic features: The personification of user traits (a unique behavior or attribute of the keyfob owner) must be verified during the handshake. In particular, we verify velocity versus location with respect to the keyfob holder. This locomotion pattern becomes increasingly distinctive over time, i.e., locomotion information collected over multiple authentication phases (between a specific vehicle and its paired keyfob) results in a personified locomotion pattern of the authentic owner. Attributing the owner's gait and actively verifying the corresponding locomotion pattern is a classic form of biometric authentication. In particular, this customization provides a more intuitive authentication between the same vehicle and keyfob across different sessions.
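As a worked illustration of the three-way handshake sketched in the abstract, the relay attack described in the introduction and problem statement, and the three requirements above (reciprocal authentication, pre-shared state, reactive verification), the following Python simulation is added here; it is not the paper's own code and not from the authors. It instantiates the handshake with the Schnorr identification scheme: the keyfob initiates with a proactive commitment (a digest of the pre-shared internal state plus R = g^r), the vehicle replies with its identity and a fresh challenge c, and the keyfob closes with the reactive response s = r + c*x, which the vehicle checks against the current challenge via g^s = R * y^c. A relay adversary is modelled as added latency on every radio hop, so the relayed run passes the cryptographic check unchanged and is caught only by the extra attribute check. The group generation, the simulated clock, the `max_interval` bound (a stand-in for the paper's locomotion/time-interval verification, not the paper's method), the toy 128-bit group size, and the sample state and identifiers are all assumptions of this example.

```python
"""Three-way keyfob/vehicle handshake (Schnorr identification) with a relay adversary.

Added illustration, not the paper's code.  Flow 1 (keyfob -> vehicle) carries the
proactive commitment: a digest of the synchronised internal state plus R = g^r.
Flow 2 (vehicle -> keyfob) returns the vehicle identity and a fresh challenge c.
Flow 3 (keyfob -> vehicle) is the reactive response s = r + c*x, which the vehicle
checks against *this* challenge via g^s == R * y^c.
Assumption: the extra attribute check is modelled as a bound on the interval the
vehicle observes between flows 2 and 3; a relay lengthens it but cannot shorten it.
"""
import hashlib
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; fine for a demo group, not for choosing production parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Safe prime p = 2q + 1 and g = 4 (a quadratic residue, hence of prime order q)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()   # toy group size: an assumption of this example


class Keyfob:
    """Initiator: holds the private key x and the synchronised internal state."""
    def __init__(self, x, state):
        self.x, self.state, self.r = x, state, None
        self.y = pow(G, x, P)              # public key registered with the vehicle

    def commit(self):                      # flow 1: proactive commitment
        self.r = secrets.randbelow(Q - 1) + 1
        return {"state_digest": hashlib.sha256(self.state).digest(),
                "R": pow(G, self.r, P)}

    def respond(self, challenge, expected_vehicle):   # flow 3: reactive response
        if challenge["vehicle_id"] != expected_vehicle:
            raise ValueError("keyfob: challenge is not from the paired vehicle")
        return (self.r + challenge["c"] * self.x) % Q


class Vehicle:
    """Responder: verifies pre-shared state, issues the challenge, checks the response."""
    def __init__(self, vehicle_id, keyfob_pub, state, max_interval):
        self.vehicle_id, self.y, self.state = vehicle_id, keyfob_pub, state
        self.max_interval = max_interval   # assumption: stands in for the locomotion check
        self.R = self.c = self.t_challenge = None

    def challenge(self, commitment, now):  # flow 2: check state, reciprocate a challenge
        if commitment["state_digest"] != hashlib.sha256(self.state).digest():
            raise ValueError("vehicle: pre-shared state mismatch, refusing to pair")
        self.R, self.c, self.t_challenge = commitment["R"], secrets.randbelow(Q), now
        return {"vehicle_id": self.vehicle_id, "c": self.c}

    def verify(self, s, now):
        """Return (crypto_ok, interval_ok); both must hold before access is granted."""
        crypto_ok = pow(G, s, P) == (self.R * pow(self.y, self.c, P)) % P
        interval_ok = (now - self.t_challenge) <= self.max_interval
        return crypto_ok, interval_ok


def run_handshake(keyfob, vehicle, relay_delay=0.0, hop=0.001, tamper=False):
    """Simulated clock: every radio hop costs `hop`; a relay adds `relay_delay` per hop."""
    t = 0.0
    commitment = keyfob.commit()
    t += hop + relay_delay                 # flow 1 in flight
    chal = vehicle.challenge(commitment, t)
    t += hop + relay_delay                 # flow 2 in flight
    s = keyfob.respond(chal, vehicle.vehicle_id)
    if tamper:
        s = (s + 1) % Q                    # adversary altering/guessing the response
    t += hop + relay_delay                 # flow 3 in flight
    return vehicle.verify(s, t)


def demo():
    state = b"event-data-record:0042"      # constructed pre-shared internal state
    fob = Keyfob(secrets.randbelow(Q - 1) + 1, state)
    car = Vehicle(b"VIN-CONSTRUCTED-001", fob.y, state, max_interval=0.005)
    direct = run_handshake(fob, car)                     # (True, True)
    relayed = run_handshake(fob, car, relay_delay=0.02)  # (True, False): crypto survives the relay
    forged = run_handshake(fob, car, tamper=True)        # (False, True): fails reactive check
    return direct, relayed, forged


if __name__ == "__main__":
    print(demo())
```

The relayed run is the point of the example: the adversary never touches x, r or c, so the Schnorr verification succeeds exactly as in the direct run, and only the observational interval exposes the extra distance. A mismatched internal state is rejected in flow 2 before any challenge is issued, and an altered response fails the g^s = R * y^c check because it no longer answers the challenge the vehicle is holding.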