Privacy Preservation through Uniformity

Khodaei, Mohammad; Noroozi, Hamid; Papadimitratos, Panos

doi:10.1145/3212480.3226101

Cited by 5 publications

(10 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite a huge reduction in size, such schemes do not provide perfect-forward-privacy [17]: upon a revocation event and CRL release, all the ''non-revoked'' but previously expired pseudonyms belonging to the evicted entity would be linked as well. Although forward-privacy can be achieved by leveraging a hash chain [18], the pseudonyms' issuer can trivially link all pseudonyms belonging to a vehicle, and thus the pseudonymously authenticated messages [38], [39], [40], towards tracking it for the entire duration of its presence in the system [13], [14], [15], [16], [18]. More precisely, the CA specifies a ''time interval'' so that each vehicle receives D pseudonyms during the pseudonym acquisition process [18].…”

Section: Related Workmentioning

confidence: 99%

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems

Khodaei

Papadimitratos

2021

IEEE Trans. on Mobile Comput.

Self Cite

View full text Add to dashboard Cite

In spite of progress in securing Vehicular Communication (VC) systems, there is no consensus on how to distribute Certificate Revocation Lists (CRLs). The main challenges lie exactly in (i) crafting an efficient and timely distribution of CRLs for numerous anonymous credentials, pseudonyms, (ii) maintaining strong privacy for vehicles prior to revocation events, even with honest-but-curious system entities, (iii) and catering to computation and communication constraints of on-board units with intermittent connectivity to the infrastructure. Relying on peers to distribute the CRLs is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRLs distribution. In this paper, we propose a vehicle-centric solution that addresses all these challenges and thus closes a gap in the literature. Our scheme radically reduces CRL distribution overhead: each vehicle receives CRLs corresponding only to its region of operation and its actual trip duration. Moreover, a "fingerprint" of CRL 'pieces' is attached to a subset of (verifiable) pseudonyms for fast CRL 'piece' validation (while mitigating resource depletion attacks abusing the CRL distribution). Our experimental evaluation shows that our scheme is efficient, scalable, dependable, and practical: with no more than 25 KB/s of traffic load, the latest CRL can be delivered to 95% of the vehicles in a region (15×15 KM) within 15s, i.e., more than 40 times faster than the state-of-the-art. Overall, our scheme is a comprehensive solution that complements standards and can catalyze the deployment of secure and privacy-protecting VC systems.

show abstract

Section: Related Workmentioning

confidence: 99%

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems

Khodaei

Papadimitratos

2021

IEEE Trans. on Mobile Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…As a mitigation, vehicles could change their pseudonyms when their speed drops below 30 km/h [8]. But, an adversary can still conduct syntactic linking due to a lack of synchronization among vehicles [9], or track vehicles across pseudonym changes by predicting their trajectories [15].…”

Section: Related Workmentioning

confidence: 99%

“…Syntactic and semantic linking [7], [8] exploit the circumstances under which vehicles change pseudonyms. Based on the time of a transition, an attacker might especially observe an isolated pseudonym change, and associate the old and new identifiers through syntactic linking [8], [9]. During a semantic linking attack, the adversary uses physical constraints of the road layout, velocity, and heading of a victim's vehicle to predict its trajectory and link pseudonyms [7], [10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Nowhere to hide? Mix-Zones for Private Pseudonym Change using Chaff Vehicles

Vaas

Khodaei

Papadimitratos

et al. 2018

2018 IEEE Vehicular Networking Conference (VNC)

Self Cite

View full text Add to dashboard Cite

In vehicular communication systems, cooperative awareness messages provide contextual information required for transportation safety and efficiency applications. However, without the appropriate design, these messages introduce a new attack vector to compromise passenger privacy. The use of ephemeral credentialspseudonyms-was therefore proposed, essentially to split a journey into unlinkable segments. To protect segment transitions, encrypted mix-zones provide regions where vehicles can covertly change their pseudonyms. While previous work focused on the placement, shape, and protocols for mixzones, attacks that correlate vehicles entering and existing these zones still remain a problem. Furthermore, existing schemes have only considered homogeneous traffic, disregarding variations in vehicle density due to differences in driver population, road layout, and time of day. Without realistic experimental results, any conclusion on real-world applicability is precarious. In this paper, we address this challenge and present a novel scheme that works independent of vehicles' mobility patterns. More precisely, our system generates fictive chaff vehicles when needed and broadcasts their traces, while it remains unobtrusive if sufficiently many vehicles are present. This greatly improves privacy protection in situations with inherently low traffic density, e.g., suburban areas, and during low traffic periods. Our scheme ensure that an external attacker cannot distinguish between real and chaff vehicles, while legitimate vehicles can recognize chaff messages; this is important, because chaff vehicles (and messages) must not affect the operation of safety applications. In our evaluation, we compare our chaff-based approach with an existing cryptographic mix-zone scheme. Our results under realistic traffic conditions show that by introducing fictive vehicles, traffic flow variations can be smoothed and privacy protection can be enhanced up to 76%.

show abstract

“…Although pseudonymous authentication is a promising approach to protect user privacy, an adversary, eavesdropping all traffic in an area, could link successive pseudonymously authenticated messages. An adversary might observe an isolated pseudonym change, and associate the old and the new pseudonymous identifier through syntactic linking, e.g., [10], [11], [12], [13]. Alternatively, an adversary could leverage the physical constraints of the road layout [14], together with data in message payloads, e.g., location, velocity, time, acceleration, the length and width 1 of a victim's vehicle, to predict its trajectory towards linking messages semantically, e.g., [11], [14], [18], [19].…”

Section: Introductionmentioning

confidence: 99%

Cooperative Location Privacy in Vehicular Networks: Why Simple Mix-zones are not Enough

Khodaei,

Papadimitratos

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Vehicular communications disclose rich information about the vehicles and their whereabouts. Pseudonymous authentication secures communication while enhancing user privacy. To enhance location privacy, cryptographic mix-zones were proposed to facilitate vehicles covertly transition to new ephemeral credentials. The resilience to (syntactic and semantic) pseudonym linking (attacks) highly depends on the geometry of the mix-zones, mobility patterns, vehicle density, and arrival rates. We introduce a tracking algorithm for linking pseudonyms before and after a cryptographically protected mix-zone. Our experimental results show that an eavesdropper, leveraging standardized vehicular communication messages and road layout, could successfully link ≈73% of pseudonyms during non-rush hours and ≈62% of pseudonyms during rush hours after vehicles change their pseudonyms in a mix-zone. To mitigate such inference attacks, we present a novel cooperative mix-zone scheme that enhances user privacy regardless of the vehicle mobility patterns, vehicle density, and arrival rate to the mix-zone. A subset of vehicles, termed relaying vehicles, are selected to be responsible for emulating non-existing vehicles. Such vehicles cooperatively disseminate decoy traffic without affecting safety-critical operations: with 50% of vehicles as relaying vehicles, the probability of linking pseudonyms (for the entire interval) drops from ≈68% to ≈18%. On average, this imposes 28 ms extra computation overhead, per second, on the Road-Side Units (RSUs) and 4.67 ms extra computation overhead, per second, on the (relaying) vehicle side; it also introduces 1.46 KB/sec extra communication overhead by (relaying) vehicles and 45 KB/sec by RSUs for the dissemination of decoy traffic. Thus, user privacy is enhanced at the cost of low computation and communication overhead.

show abstract

Privacy Preservation through Uniformity

Cited by 5 publications

References 13 publications

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems

Nowhere to hide? Mix-Zones for Private Pseudonym Change using Chaff Vehicles

Cooperative Location Privacy in Vehicular Networks: Why Simple Mix-zones are not Enough

Contact Info

Product

Resources

About