[review feedback] 1: improve language, change author

This commit is contained in:
Trolli Schmittlauch 2018-07-02 01:16:52 +02:00
parent e123d77a9f
commit 762448d12e

View file

@ -41,6 +41,8 @@
\newcommand{\documenttitle}{An ETSI look at the State of the Art of pseudonym schemes in Vehicle-to-Everything (V2X) communication}
\pagenumbering{arabic}
\begin{document}
%----------------------------------------------------------------------
@ -48,26 +50,31 @@
%----------------------------------------------------------------------
\title{\documenttitle}
% % %
% In case of double blind submissions:
\author{
\IEEEauthorblockN{Anonymous}
\IEEEauthorblockA{Some Research Group\\
Some Institution\\
Some Email Addresses%
}
}
%\author{
% \IEEEauthorblockN{Oliver Schmidt}
% \IEEEauthorblockA{TU Dresden\\
% oliver.schmidt3$[$at$]$mailbox.tu-dresden.de%
% }
% \IEEEauthorblockN{Anonymous}
% \IEEEauthorblockA{Some Research Group\\
% Some Institution\\
% Some Email Addresses%
% }
%}
\author{
\IEEEauthorblockN{Oliver Schmidt}
\IEEEauthorblockA{TU Dresden\\
oliver.schmidt3$[$at$]$mailbox.tu-dresden.de%
}
}
\maketitle
% force pagenumbering
\thispagestyle{plain}
\pagestyle{plain}
% % %
% sources on writing papers:
% look for a /good/ outline at the end of this text, the /why/ is found at this link:
@ -111,12 +118,14 @@ There already are some surveys giving an overview about the usage of different \
This survey combines the current status of the European standardization efforts for \acp{ITS} by the \ac{ETSI} with state-of-the-art approaches from newer research.
Thereby it takes a look at how the middle layers of the \ac{ETSI} \ac{ITS} standard architecture are affected by the threat against privacy and what can be done about this.
In Section \ref{sec:background} I describe the background knowledge needed to judge the functionality of \ac{ETSI} \ac{ITS} networks by giving an overview of their architecture. Afterwards I describe the protocols involved in the middle layers of the networking stack and single out potential identifiers usable for the tracking of users.
In Section \ref{sec:background} we describe the background knowledge needed to judge the functionality of \ac{ETSI} \ac{ITS} networks by giving an overview of their architecture. Afterwards we describe the protocols involved in the middle layers of the networking stack and single out potential identifiers usable for the tracking of users.
In Section \ref{sec:schemes} I describe the pseudonym scheme proposed in the \ac{ETSI} standard, emphasize the importance of pseudonym change strategies and present some further cutting edge pseudonym schemes not covered by standards so far.
In Section \ref{sec:schemes} we describe the pseudonym scheme proposed in the \ac{ETSI} standard, emphasize the importance of pseudonym change strategies and present some further cutting edge pseudonym schemes not covered by standards so far.
Section \ref{sec:evaluation} defines attacker models, uses them to evaluate the privacy gained by the \ac{ETSI} pseudonym scheme and looks at the feasability of that approach from a performance perspective.
As this field introduces many new acronyms, the meaning of most of them can be looked up in the Glossary \ref{sec:glossary} at the end of this survey.
% % %
% Literature Survey and Background
\section{Background}
@ -129,13 +138,13 @@ This section gives a brief overview of the \ac{ETSI} architecture for Intelligen
\acp{VANET} have some special requirements: Due to many nodes being constantly on the move at higher speeds, tolerance for quickly changing topologies and low-latency communication are important points. Multi-hop mesh-networking is an important ability to keep the network functional in areas without designated infrastructure.
A \ac{VANET} consists of different kinds of ITS stations: \\
\acfp{OBU} residing inside vehicles can be divided into the communication and \acf{CCU}, managing the \ac{ITS} specific network communication over the car's wireless interfaces, and \acfp{AU} utilizing the network services provided by the \ac{CCU} to communicate transparently over a standard \acs{IPv6} stack. \\
\acfp{OBU} reside inside vehicles and can be divided into two different kinds of components: The \acf{CCU} manages the \ac{ITS} specific network communication over the car's wireless interfaces, and the \acfp{AU} utilize the network services provided by the \ac{CCU} to communicate transparently over a standard \acs{IPv6} stack. \\
On the stationary infrastructure side, \acfp{RSU} can either just provide some special local services or even be connected to a network operator's infrastructure and thus provide an uplink to the Internet (see Fig. \ref{fig:schema_internet_components}).
\begin{figure}
\includegraphics[width=0.48\textwidth]{figures/schema_internet_communication.png}
\caption{Components of an ITS network, communicating with the internet; source: \cite{sandonisVehicleInternetCommunications2016}}
\label{schema_internet_components}
\label{fig:schema_internet_components}
\end{figure}
@ -175,7 +184,7 @@ Every \ac{GN} node has to know its geographical position, e.g. through \acp{GNSS
For this to work, each node maintains a \ac{LT} with the positions of its direct neighbours. This \ac{LT} is populated with information from periodically-sent beaconing messages. These beacons advertise a node's position, \ac{GN} address, its speed, station type and heading (see \ref{GN-identifiers}). This information is also included in all other sent \ac{GN} packets. \ac{LT} entries have a lifetime attached, after which they expire if not refreshed periodically.
Security properties of \ac{GN} messages are ensured by signing (authenticity), encrypting (confidentiality) the messages and checking their plausibility and consistency. The necessary information for that is given in a security header \cite{europeantelecommunicationsstandardsinstituteetsiETSI302636412017}.
Security properties of \ac{GN} messages are ensured by signing (authenticity), encrypting (confidentiality) the messages and checking their plausibility and consistency. The necessary information for that is given in a security header \cite{europeantelecommunicationsstandardsinstituteetsiETSI302636412017}. Encryption is only available for messages addressed to certain GN nodes (multicast and unicast)\cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022012}. Key management for multicast groups is left to application-specific mechanisms or existing systems.
\subsubsection{IPv6}
@ -201,7 +210,7 @@ The \textbf{Management Layer} takes care of software changes like updates and in
\subsection{Identifiers}
There are many different addresses, IDs or other identifying information scattered around the network layers. This sections gives a list of relevant identifiers and the information encoded in them. Media-dependent, that means bound to a certain physical or data link layer technology, additional identifiers are considered out-of-scope.
There are many different addresses, IDs or other identifying information scattered around the network layers. This section gives a list of relevant identifiers and the information encoded in them. Media-dependent, that means bound to a certain physical or data link layer technology, additional identifiers are considered out-of-scope.
\subsubsection{GeoNetworking}
\label{GN-identifiers}
@ -259,7 +268,7 @@ As shown in the previous section, \ac{ITS} communication contains many identifie
This is a clear threat to the vehicle user's privacy, more precisely the \textit{location privacy}. Complete anonymity of all network participants is no viable countermeasure, as security critical systems like these require certain levels of authenticity of data and accountability of the participants. Furthermore, request-response message schemes require at least short-term linkability of messages to establish a mutual session. This is needed e.g. for requesting data from infrastructure or managing automatical payment at car chargers.
A widely chosen approach for restoring user privacy is the usage of temporary pseudonyms for identification in the network. This section will look at the usage and kinds of pseudonym schemes in the ETSI standards, explore other approaches outside of the standardized ETSI world and look at the issue of when to change pseudonyms to minimize long-term linkability of nodes.
A widely chosen approach for restoring user privacy is the usage of temporary pseudonyms for identification in the network. This section will look at the usage and kinds of pseudonym schemes in the ETSI standards, explore other approaches outside of the standardized ETSI world and look at the issue of when to change pseudonyms to minimize long-term linkability of nodes.
\subsection{Pseudonym Schemes for ETSI ITS Systems}
@ -288,9 +297,9 @@ The overall trust model is sketched in Figure \ref{fig:pki}.
The second dimension of privacy covers the communication between \ac{ITS} stations. The obtained authorization tickets serve as pseudonyms for authenticating and signing messages with other \ac{ITS} services and nodes. ITS stations have to check the validity of the \ac{AT} certificates included in every message and can check the permissions for the message's action (e.g. sending messages to certain broadcast domains) or access to certain services. These pseudonyms are to be regularly changed to preserve the privacy of the node's user by achieving long-term unlinkability of messages by the ITS node. According to \cite{europeantelecommunicationsstandardsinstituteetsiETSI302636412017} the \ac{AT} may even be used to derive a \ac{GN}\_ADDR from.\\
There are different kinds of \acp{AT}: Those used by official role vehicles (e.g. state authorities) and \ac{ITS} infrastructure don't always need to preserve the node's privacy and thus can contain a long-lived identifier for the official role they are fulfilling. \acp{AT} of personal user nodes can contain further personal identifying information if required for service usage, but then shall only be sent to already authorized nodes over encrypted channels. For broadcasting, first contact and all other uses, personal user nodes shall only use minimal pseudonymous \acp{AT} which then can be sent even over non-encrypted channels.
There are different kinds of \acp{AT}: Those used by official role vehicles (e.g. state authorities) and \ac{ITS} infrastructure do not always need to preserve the node's privacy and thus can contain a long-lived identifier for the official role they are fulfilling. \acp{AT} of personal user nodes can contain further personal identifying information if required for service usage, but then shall only be sent to already authorized nodes over encrypted channels. For broadcasting, first contact and all other uses, personal user nodes shall only use minimal pseudonymous \acp{AT} which then can be sent even over non-encrypted channels.
The \ac{ETSI} standard \cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022010} mentions the retaining of an audit log of incoming messages as the way of holding nodes \textbf{accountable} in case of misbehaviour. This only helps though if the \ac{EA} retains a mapping of enrollment certificates to the canonical identifiers they were given to and the \ac{AA} does the some for \acp{AT} and enrolment certificates. The legal and organisational framework for making sure that the information from the \ac{EA} and \ac{AA} are only combined for legitimate cases is crucial for maintaining user privacy, but is left out-of-scope of this survey.
The \ac{ETSI} standard \cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022010} mentions the retaining of an audit log of incoming messages as the way of holding nodes \textbf{accountable} in case of misbehaviour. This only helps though if the \ac{EA} retains a mapping of enrollment certificates to the canonical identifiers they were given to and the \ac{AA} does the same for \acp{AT} and enrolment certificates. The legal and organisational framework for making sure that the information from the \ac{EA} and \ac{AA} are only combined for legitimate cases is crucial for maintaining user privacy, but is left out-of-scope of this survey.
For \textbf{revocation} of node access to the \ac{ITS} network, e.g. in case of misbehaviour, there exist multiple mechanisms: The \ac{EA} can be told to revoke the node's enrollment credentials to prevent it from updating its enrollment certificate and thus acquiring further \acp{AT}. Additionally, the \ac{EA} revokes the validity of the enrollment certificate and the \ac{AA} does the same for the authorization tickets. As ITS nodes are expected to check the validity of certificates using \acfp{CRL} and \acfp{CTL} \cite{europeantelecommunicationsstandardsinstituteetsiETSITR1032018}, messages of the revoked node are not accepted anymore.
@ -329,7 +338,7 @@ Petit et al. made an extensive survey \cite{petitPseudonymSchemesVehicular2015}
The \ac{ETSI} standardized pseudonym scheme is one instance of the ones categorized as \textit{asymmetric cryptography schemes} in that survey. The class of these schemes is characterized by the use of asymmetric cryptography based on hierarchical certificates acquired from a \ac{PKI}. This PKI has to be divided into at least 2 different administrative and legal control domains to make sure pseudonym resolution using the retained pseudonym-to-identity escrow mapping information only happens under specific legal circumstances. Important parameters of these kinds of pseudonym schemes are the number of available pseudonyms acquired and available at a time, their lifetime, the used way of acquiring new pseudonyms (\textit{pseudonym refill}) and the number of collaborating different authorities to resolve the split information for pseudonym resolution.
Some approaches covered don't require contact to an external \ac{PKI} for pseudonym refill, but allow pseudonym self-issuance: Armknecht et al. \cite{armknechtCrosslayerPrivacyEnhancement2007} propose the self-issuance of pseudonym certificates with the node's own master keys. Verification of these pseudonyms utilizes zero-knowledge proofs and bilinear pairings while revocation of certificates works via changing the cryptographic system's parameters. \\
Some approaches covered do not require contact to an external \ac{PKI} for pseudonym refill, but allow pseudonym self-issuance: Armknecht et al. \cite{armknechtCrosslayerPrivacyEnhancement2007} propose the self-issuance of pseudonym certificates with the node's own master keys. Verification of these pseudonyms utilizes zero-knowledge proofs and bilinear pairings while revocation of certificates works via changing the cryptographic system's parameters. \\
Calandriello et al. \cite{calandrielloEfficientRobustPseudonymous2007} combine the classical certificate scheme with \textit{group signature schemes} (see \ref{sec:group-signatures}) for pseudonym generation with individual private keys, and verification with the public common group key.
When it comes to enhancing the privacy of pseudonym resolution, several approaches of further splitting and distributing identity mapping information over several authorities utilizing blind signature schemes or group signature schemes are mentioned.
@ -338,7 +347,7 @@ The IFAL protocol \cite{verheulIssueFirstActivate} introduces a mechanism tackli
The clear advantage of this class of schemes is the applicability to existing \ac{V2X} standards, as all major V2X Specifications use some kind of certificates.
These certificates have to be included into each message though and their storage and verification requires notable resources. Furthermore is the maintenance of the \ac{PKI} system quite complicated, both regarding infrastructure requirements and legal and organisational frameworks. Because of these disadvantaged, I now take a look at other cryptographic pseudonym schemes.
These certificates have to be included into each message though and their storage and verification requires notable resources. Furthermore is the maintenance of the \ac{PKI} system quite complicated, both regarding infrastructure requirements and legal and organisational frameworks. Because of these disadvantaged, we now take a look at other cryptographic pseudonym schemes.
\subsubsection{Identity-based Cryptographic Pseudonyms}
@ -353,15 +362,15 @@ With the \ac{TA} being involved in deriving the public key, pseudonym refill alw
\subsubsection{Group Signature Scheme based Pseudonyms}
\label{sec:group-signatures}
The idea behind group signature schemes is that all nodes of a group are using the same shared public key for signing their messages, but have individual private keys for creating these signatures. As every group member could have created the signature validated with that shared public key, all nodes of the group are using the same pseudonym and this are anonymous within the anonymity set of the group. Two messages of the same vehicle are not linkable to each other as they're not distinguishable from two messages of different vehicles which are members of the same group.
The idea behind group signature schemes is that all nodes of a group are using the same shared public key for signing their messages, but have individual private keys for creating these signatures. As every group member could have created the signature validated with that shared public key, all nodes of the group are using the same pseudonym and thus are anonymous within the anonymity set of the group. Two messages of the same vehicle are not linkable to each other as they are not distinguishable from two messages of different vehicles which are members of the same group.
Groups require a setup, during which the members of the group are determined and individual private keys are assigned to them by the \textit{group leader}. The group manager is an entity that determines the system parameters including the public group key, creates and assigns private keys based on them to members and may revoke pseudonymity for certain members. This role could be assigned to any node of the group, but as it allows certain privileged actions the process of group manager election needs to be concisely designed. Proposals include using \acp{RSU} as regional group managers, which gives infrastructure operators even more powerful potential tracking abilities.
Pseudonyms are only changed to manage group dynamics, i.e. change of members of the group. Then the group manager generates new system parameters and issues new keys. When this happens, already mentioned strategies like silent periods may be used. But individual network interface addresses still need to be unique per node and thus still have to change regularly like in other pseudonym schemes.
As an advantage of these schemes, nodes don't have to deal with generating, issuing and storing many pseudonym certificates.
As an advantage of these schemes, nodes do not have to deal with generating, issuing and storing many pseudonym certificates.
Revocation is more complicated in group signature schemes: As all group nodes are indistinguishable by their exposed pseudonym identifiers, it's not possible to distribute revocation lists. A re-setup of the group by changing system parameters can exclude certain nodes, but has a big overhead as all group members are required to change their keys. A proposed solution for that circumvents the problem by remote-controlling the \ac{HSM} to remove the keys from its memory.
Revocation is more complicated in group signature schemes: As all group nodes are indistinguishable by their exposed pseudonym identifiers, it is not possible to distribute revocation lists. A re-setup of the group by changing system parameters can exclude certain nodes, but has a big overhead as all group members are required to change their keys. A proposed solution for that circumvents the problem by remote-controlling the \ac{HSM} to remove the keys from its memory.
The keys from group signature schemes are not directly usable for public key encryption of messages due to the special relationship of one public and multiple private keys. They can be used though to authenticate key-exchange protocols like Diffie-Hellman which are unauthenticated by themselves.
@ -370,7 +379,7 @@ A special kind of group signature schemes not requiring setup and being more dyn
\subsubsection{Pseudonyms using Symmetric Cryptography}
There are also pseudonym schemes utilizing symmetric cryptography authentication using Message Authentication Codes. Symmetric crypto algorithms are often computationally more efficient which would fit the requirements of near-realtime processing in \acp{VANET}. \\
The big issue with these schemes is that creation and verification of signatures uses the same key. Thus every node having the key for verification purpose can also create valid signatures in the name of another node pseudonym. Thus signature verification can't be done by each node themselves. After a node got a vehicle-ID from an \ac{EA}, it creates several pseudonyms from it by hashing and combining with seed and counter values. These values then serve as pseudonym identifiers for connecting to \iac{RSU} and jointly creating a symmetric signature key. The \ac{RSU} retains a mapping of key and pseudonym identifier. \\
The big issue with these schemes is that creation and verification of signatures uses the same key. Thus every node having the key for verification purpose can also create valid signatures in the name of another node pseudonym. Thus signature verification can not be done by each node themselves. After a node got a vehicle-ID from an \ac{EA}, it creates several pseudonyms from it by hashing and combining with seed and counter values. These values then serve as pseudonym identifiers for connecting to \iac{RSU} and jointly creating a symmetric signature key. The \ac{RSU} retains a mapping of key and pseudonym identifier. \\
For verification a node has to send the message (or a hash of it, depending on the MAC scheme) and the supposed sender pseudonym to the \ac{RSU}. That station then verifies the signature using the retained mapping and sends the result back to the requesting node.
Thus symmetric pseudonym signature schemes heavily rely on infrastructure for signature verification and introduce additional delays due to the needed round trips. These issues make them hardly usable in practice.
@ -380,30 +389,31 @@ There are some attempts of getting rid of these issues. The TESLA protocol \cit
\section{Evaluation}
\label{sec:evaluation}
This section evaluates the security of the proposed pseudonym schemes with an emphasis on the goals of privacy and anonymity, and the pseudonym schemes proposed in the \ac{ETSI} standards. I also look at how much the pseudonym schemes influence the general functionality of the \ac{ITS} system.
This section evaluates the security of the proposed pseudonym schemes with an emphasis on the goals of privacy and anonymity, and the pseudonym schemes proposed in the \ac{ETSI} standards. We also look at how much the pseudonym schemes influence the general functionality of the \ac{ITS} system.
\subsection{Attacker Model}
In a security system for a network so ubiquitous like \ac{ITS} networks will be in our world with omnipresent nodes, users and infrastructure, we can have a wide range of different adversaries with different capabilities and interests. So let's try to categorize the possibilities:
In a security system for a network so ubiquitous like \ac{ITS} networks will be in our world with omnipresent nodes, users and infrastructure, we can have a wide range of different adversaries with different capabilities and interests. We can categorise them according to different characteristics:
We now consider the \textbf{reach} of an attacker: Is the attacker limited to a single position, do they have a set of access points or do they even have a nearly global view on the network and their participants? Are they accessing the network over wireless interfaces or are they part of the backbone infrastructure or internet?
We can consider the \textbf{reach} of an attacker: Is the attacker limited to a single position, do they have a set of access points or do they even have a nearly global view on the network and their participants? Are they accessing the network over wireless interfaces or are they part of the backbone infrastructure or internet?
Is the attacker \textbf{active}ly trying to create, forge, block, modify, \dots messages like a \textit{Dolev-Yao adversary} \cite{dolevSecurityPublicKey1983a} or just \textbf{passive}ly eavesdropping?
Is the attacker an \textbf{insider} - i.e. can it successfully authenticate at least with parts of the network or an \textbf{outsider}?
Is the attacker an \textbf{insider} i.e. can it successfully authenticate at least with parts of the network or an \textbf{outsider}?
So let us combine some of these characteristics to common attacker models and take them as a basis for evaluation: \\
Our first attacker is a \textit{multi-point passive outsider}\label{attacker:1} which we then further extend to a \textit{global passive outsider}\label{attacker:2}. \\
For our third attacker we look at the power of \textit{attackers in the infrastructure}\label{attacker:3}.
For our third attacker we look at the power of \textit{attackers in the infrastructure}\label{attacker:3}. \\ \todo{state authorities}
These attacker models should cover the predominant adversaries trying to gather a user's location patterns: The main possibilities of accessing network messages are combined with different levels of privilege.
The trust assumptions of the ETSI ITS security services architecture are layed out in section 6.2.5 of \cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022010}.
\subsection{Resilience against Attacks}
I assume our attacker to be a multi-point passive outsider eavesdropping on the wireless communication and our \ac{ITS} network to use the pseudonym scheme proposed in the \ac{ETSI} standards. \\
As all communication to the \ac{AA} and \ac{EA} is securely encrypted, we can't get any information about the exchanged certificates and IDs from the eavesdropped communication to the PKI even if it happens to occur in our range of reception. Assuming that all identifiers are changed simultaneously, we now can only threaten a node's location privacy by managing to link its pseudonyms to each other. \\
The change strategy proposed by the Car-2-Car Communication Consortium defined in \ref{sec:change-strategies} is deliberately designed with our chosen adversary in mind: Way lengths of segments are chosen big enough to prevent a single radio station tracking multiple segments including the pseudonym change itself while the middle-segment change interval time is chosen short enough to prevent multiple stations tracking the same pseudonym at multiple points. So unless the adversary is lucky enough to have enough stations located at the correct points, we don't even need cooperative pseudonym change strategies so far. \\
As all communication to the \ac{AA} and \ac{EA} is securely encrypted, we can not get any information about the exchanged certificates and IDs from the eavesdropped communication to the PKI even if it happens to occur in our range of reception. Assuming that all identifiers are changed simultaneously, we now can only threaten a node's location privacy by managing to link its pseudonyms to each other. \\
The change strategy proposed by the Car-2-Car Communication Consortium defined in \ref{sec:change-strategies} is deliberately designed with our chosen adversary in mind: Way lengths of segments are chosen big enough to prevent a single radio station tracking multiple segments including the pseudonym change itself while the middle-segment change interval time is chosen short enough to prevent multiple stations tracking the same pseudonym at multiple points. So unless the adversary is lucky enough to have enough stations located at the correct points, we do not even need cooperative pseudonym change strategies so far. \\
When it comes to a global passive outsider though, the presence of other nodes and a cooperative pseudonym change strategy are necessary for reducing the linkability of pseudonyms well enough. Cooperative dynamic pseudonym change reduces the probability of correctly linking pseudonyms together with each change and with the number of cooperating vehicles. Silent periods in mix zones even improve the improbability as now projecting the last broadcasted trajectory into the the future includes too much entropy to reliably link pseudonyms. As we are dealing with an outsider we can even choose the concept of a cryptographic mix zone to keep safety features working. \\
This changes though as we move to an insider attacker: As all authenticated \ac{ITS} nodes get dealt the same symmetric key, our attacker can decrypt the broadcasted messages of all nodes, too, rendering this measure useless compared with a real silent period. Other cryptographic measures like using a group signature scheme within the mix zone might help with the indistinguishability of nodes, though correlations of the actual beaconing messages including positions and trajectories can still help with the linkage of pseudonyms. Additionally this can introduce other attack vectors like the \textit{Sybil attack} described later in this section.
@ -413,9 +423,9 @@ Other active insider attackers can attempt a \textit{pseudonym depletion attack}
For this to work, pseudonym refill needs to be obstructed, e.g. by preventing the connection to an \ac{AA}. A connection might fail due to bad network connectivity, possibly made worse by active jamming of the attacker, a denial-of-service attack to the \ac{AA} itself rendering it unusable or by collaboration of parts of the infrastructure (e.g. the \acp{RSU}) as our third attacker type suggests. The SCOOP@F change strategy (see \ref{sec:change-strategies}) allows pseudonym reuse and thus prevents pseudonym depletion. But this again can open an attack vector for \textit{Sybil attacks}.
If the attacker has access to infrastructure components the issues with cryptographic mix zones already mentioned arise, too. As all \acp{RSU} are connected to the internet, they can even collaborate to track all changes in (cryptographic) mix zones to become a long-term global active insider adversary. Only frequent cooperative pseudonym change with silent periods introduces enough entropy to obstruct reliable pseudonym linkage. \\
Thanks to router advertisement and stateless autoconfiguration node's IPv6 addresses can't be linked to each other by the \ac{RSU} serving as the subnet router, as nodes don't have to request an IPv6 address but just construct it themselves using the announced prefix and their own interface identifier. Thus also arbitrary IPv6 peers in the internet can't link the IPv6 addresses to recognize \ac{ITS} clients again.
Thanks to router advertisement and stateless autoconfiguration node's IPv6 addresses can not be linked to each other by the \ac{RSU} serving as the subnet router, as nodes do not have to request an IPv6 address but just construct it themselves using the announced prefix and their own interface identifier. Thus also arbitrary IPv6 peers in the internet can not link the IPv6 addresses to recognize \ac{ITS} clients again.
Personal \acp{AT} sent to already authenticated \ac{ITS} stations can include additional personal data. This might be necessary for some kinds of services (e.g. payment information for charging services) but allows limited loaction tracking, especially if multiple stations of this kind and the same operator are located at different positions. They might exchange information about a node being close to them over the internet. As countermeasures it needs to be ensured that such personal identifying data is only included if it's really necessary. Additionally this data must be only sent to the service nodes when they're actually used, not just because they're within reception range.
Personal \acp{AT} sent to already authenticated \ac{ITS} stations can include additional personal data. This might be necessary for some kinds of services (e.g. payment information for charging services) but allows limited loaction tracking, especially if multiple stations of this kind and the same operator are located at different positions. They might exchange information about a node being close to them over the internet. As countermeasures it needs to be ensured that such personal identifying data is only included if it is really necessary. Additionally this data must be only sent to the service nodes when they are actually used, not just because they are within reception range.
If an insider active attacker node has access to multiple pseudonyms at once and can change between these at will, it can create the impression of additional spoofed \ac{ITS} nodes in the surrounding area, tricking victim nodes into assuming being surrounded by many other vehicles and doing an ineffective pseudonym change. This so called \textit{Sybil attack} can be prevented by limiting the number of available pseudonyms at a time, e.g by not exposing the pseudonym key material directly by storing it inside a \ac{HSM}.
@ -426,10 +436,11 @@ Preserving user's privacy through the use of pseudonym schemes is an additional
As shown in the previous section, frequent pseudonym change is needed at least each few minutes to prevent linkability of pseudonyms. This requires all network identifiers to change with the same frequency, too, interrupting existing long-standing connections. Applications either need to tolerate this or adopt countermeasures like the usage of a NEMO mobile IP home agent.
\cite{RFC3963}
To prevent old identifiers being sent after pseudonym changes in packets already queued before the pseudonym change it is recommended to flush or drop all packet buffers before the change. This isn't necessary if one can be sure that there is no node identifying data in the queued packets. That is true for the \ac{GN} packet forwarding queue, as nodes don't add their own source address when forwarding packages. The same is true for \ac{LS} packets. The source address included in there is the address of the original requesting node and though gives no reliable information about the address of the packet's sender as that node can also just be forwarding the package.
To prevent old identifiers being sent after pseudonym changes in packets already queued before the pseudonym change it is recommended to flush or drop all packet buffers before the change. This is not necessary if one can be sure that there is no node identifying data in the queued packets. That is true for the \ac{GN} packet forwarding queue, as nodes do not add their own source address when forwarding packages. The same is true for \ac{LS} packets. The source address included in there is the address of the original requesting node and though gives no reliable information about the address of the packet's sender as that node can also just be forwarding the package.
Active pseudonym certificate revocation turns out quite problematic in pseudonym schemes using asymmetric certificates and a \ac{PKI}: \acp{CRL} or \acp{CTL} can quickly grow so big that they don't propagate through the network in reasonable times. Additionally checking each message against them quickly becomes too much for the limited computational resources of the node. So instead of active revocation, passive revocation by preventing misbehaving nodes from refilling their short-lived pseudonyms is the approach to choose.
Active pseudonym certificate revocation turns out quite problematic in pseudonym schemes using asymmetric certificates and a \ac{PKI}: \acp{CRL} or \acp{CTL} can quickly grow so big that they do not propagate through the network in reasonable times. Additionally checking each message against them quickly becomes too much for the limited computational resources of the node. So instead of active revocation, passive revocation by preventing misbehaving nodes from refilling their short-lived pseudonyms is the approach to choose.
Generally certificate checking is a quite computationally expensive process requiring either specialized hardware units like \acp{HSM} or high-performance CPUs, as the message frequency can easily reach hundreds of thousands broadcast messages per second. \cite{hamidaSecurityCooperativeIntelligent2015} But as this is a general issue of such PKI-based asymmetric cryptography and not directly related to pseudonym usage, these issues are left for other work to investigate.
\section{Summary}
% % %
@ -440,7 +451,10 @@ To counter this threat for a user's location privacy, various pseudonym schemes
As many advanced cryptographic schemes are not compatible with the standards proposed by \ac{ETSI} so far, future work should evaluate whether the standard could be changed to utilize some of these more modern approaches to counter current drawbacks.
Additionally, future work may investigate the issue of possible identifiers or other linkable information in the lower network layers (physical and data link) and in the message contents themselves (application layer).
\section{Glossary}
\label{sec:glossary}
\nobreak