improve & restructure attack evaluation

This commit is contained in:
Trolli Schmittlauch 2018-07-02 19:42:15 +02:00
parent 762448d12e
commit 8a88d051fd
2 changed files with 25 additions and 7 deletions

View file

@ -15,6 +15,7 @@
\acro{HSM}{Hardware Security Module}
\acro{IPv6}{Internet Protocol version 6}
\acro{ITS}{Intelligent Transportation System}
\acroindefinite{ITS}{an}{an}
\acro{LLC}{Logical Link Control}
\acro{LS}{GeoNetworking Location Service}
\acro{LT}{GeoNetworking Location Table}

View file

@ -272,7 +272,7 @@ A widely chosen approach for restoring user privacy is the usage of temporary ps
\subsection{Pseudonym Schemes for ETSI ITS Systems}
\subsubsection{Pseudonym Management}
\subsubsection{Pseudonym Management}\label{sec:pseudonym_management}
\nocite{europeantelecommunicationsstandardsinstituteetsiETSITS1022010}The \ac{ETSI} standard on trust and privacy management \cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022012} mentions the goal of pseudonymity and unlinkability of \ac{ITS} nodes and their messages as the way to achieve ITS privacy. This privacy goal is subdivided into two dimensions:
@ -314,7 +314,7 @@ A crucial parameter of pseudonym schemes has been left out so far: How and when
Another example: Let us look at a traffic jam with 10 cars standing within reception range of an observer. Now there are multiple cars around making the mapping of pseudonyms to cars not totally trivial. But if we assume that each car only changes pseudonyms every 24 hours and does this at an arbitrary time, the probability that only 1 vehicle changes pseudonyms within a short time range is very high, making linkage of pseudonyms easy again. \\
A last example so far: Focusing on one vehicle, let us assume it changes its pseudonym in a perfectly ambiguously way which can't be linked to the old one reliably. But after the pseudonym change, an already enqueued packet is sent, containing identifiers linkable to the previous pseudonyms.
These examples already show important points to take care of when changing pseudonyms: There needs to be some ambiguity regarding which node changed to which pseudonym there shall be other nodes present within the reception range, coordination and frequency of change matter, and all identifiers need to be changed simultaneously with buffers being flushed or discarded. The position needs to be updated during pseudonym change, too, to prevent re-identification through stale position coordinates included in GN packets.
These examples already show important points to take care of when changing pseudonyms: There needs to be some ambiguity regarding which node changed to which pseudonym there shall be other nodes present within the reception range, coordination and frequency of change matter, and all identifiers need to be changed simultaneously with buffers being flushed or discarded. The position needs to be updated during pseudonym change, too, to prevent re-identification through stale position coordinates included in GN packets. \todo{sequence number}
The \ac{ETSI} \ac{ITS} working group gathers a number of concepts for pseudonym change strategies in a technical report \cite{europeantelecommunicationsstandardsinstituteetsiETSITR1032018}: The parameters deciding about a pseudonym change (e.g. time period or way length) shall be randomized to prevent linkability by analyzing the periodicity of changes. After changing pseudonyms, random-length \textit{silent periods} shall be abided in which nodes stop sending any packages. When using a \textit{vehicle-centric} strategy, pseudonym change time, its frequency and duration of silent periods are influenced by the vehicle's mobility and trajectory to make linkage of pseudonyms based on broadcasted movement parameters harder. When using a density-based approach, pseudonyms are changed only if enough other vehicles are around to avoid unnecessary unambiguous pseudonym changes.
@ -404,31 +404,48 @@ Is the attacker an \textbf{insider} i.e. can it successfully authenticate at
So let us combine some of these characteristics to common attacker models and take them as a basis for evaluation: \\
Our first attacker is a \textit{multi-point passive outsider}\label{attacker:1} which we then further extend to a \textit{global passive outsider}\label{attacker:2}. \\
For our third attacker we look at the power of \textit{attackers in the infrastructure}\label{attacker:3}. \\ \todo{state authorities}
For our third attacker we look at the power of \textit{attackers in the infrastructure}\label{attacker:3}. \\
At last we take a brief look on the abilities of \ac{privileged authorities as attackers}. \\
These attacker models should cover the predominant adversaries trying to gather a user's location patterns: The main possibilities of accessing network messages are combined with different levels of privilege.
The trust assumptions of the ETSI ITS security services architecture are layed out in section 6.2.5 of \cite{europeantelecommunicationsstandardsinstituteetsiETSITS1022010}.
\subsection{Resilience against Attacks}
To show the necessity of different pseudonym scheme concepts, we start with a restricted attacker and the basic pseudonym scheme proposed by the \ac{ETSI} standards (\ref{sec:pseudonym_management} . From there on we choose a change strategy accordingly to protect against the attacks, while gradually increasing the attacker's abilities.
\subsubsection{multi-point passive outsider attacks}
I assume our attacker to be a multi-point passive outsider eavesdropping on the wireless communication and our \ac{ITS} network to use the pseudonym scheme proposed in the \ac{ETSI} standards. \\
As all communication to the \ac{AA} and \ac{EA} is securely encrypted, we can not get any information about the exchanged certificates and IDs from the eavesdropped communication to the PKI even if it happens to occur in our range of reception. Assuming that all identifiers are changed simultaneously, we now can only threaten a node's location privacy by managing to link its pseudonyms to each other. \\
The change strategy proposed by the Car-2-Car Communication Consortium defined in \ref{sec:change-strategies} is deliberately designed with our chosen adversary in mind: Way lengths of segments are chosen big enough to prevent a single radio station tracking multiple segments including the pseudonym change itself while the middle-segment change interval time is chosen short enough to prevent multiple stations tracking the same pseudonym at multiple points. So unless the adversary is lucky enough to have enough stations located at the correct points, we do not even need cooperative pseudonym change strategies so far. \\
When it comes to a global passive outsider though, the presence of other nodes and a cooperative pseudonym change strategy are necessary for reducing the linkability of pseudonyms well enough. Cooperative dynamic pseudonym change reduces the probability of correctly linking pseudonyms together with each change and with the number of cooperating vehicles. Silent periods in mix zones even improve the improbability as now projecting the last broadcasted trajectory into the the future includes too much entropy to reliably link pseudonyms. As we are dealing with an outsider we can even choose the concept of a cryptographic mix zone to keep safety features working. \\
This changes though as we move to an insider attacker: As all authenticated \ac{ITS} nodes get dealt the same symmetric key, our attacker can decrypt the broadcasted messages of all nodes, too, rendering this measure useless compared with a real silent period. Other cryptographic measures like using a group signature scheme within the mix zone might help with the indistinguishability of nodes, though correlations of the actual beaconing messages including positions and trajectories can still help with the linkage of pseudonyms. Additionally this can introduce other attack vectors like the \textit{Sybil attack} described later in this section.
The change strategy proposed by the Car-2-Car Communication Consortium defined in \ref{sec:change-strategies} is deliberately designed with our chosen adversary in mind: Way lengths of segments are chosen big enough to prevent a single radio station tracking multiple segments including the pseudonym change itself while the middle-segment change interval time is chosen short enough to prevent multiple stations tracking the same pseudonym at multiple points. So unless the adversary is lucky enough to have enough stations located at the correct points, we do not even need cooperative pseudonym change strategies so far.
Authority vehicles shall only use their non-anonymized privileged tickets when they clearly want to exhibit this privileged status. Ambulances or firefighter trucks using these non-anonymized \acp{AT} can be recognized immediately and are granted special privileges. Nevertheless there needs to be an additional mechanism of utilizing these privileges while being pseudonymous and not appearing as an authority node to everyone. Police cars need a possibility of being undercover without passive outsider adversaries just recognizing them as the authority they are, otherwise avoiding police cars without even seeing them becomes much easier. For executing their privileges they can authenticate themselves as a privileged authority over an encrypted connection, similar to the personal \acp{AT}.
\subsubsection{global passive outsider attacks}
When it comes to a global passive outsider though, the presence of other nodes and a cooperative pseudonym change strategy are necessary for reducing the linkability of pseudonyms well enough. Cooperative dynamic pseudonym change reduces the probability of correctly linking pseudonyms together with each change and with the number of cooperating vehicles. Silent periods in mix zones even improve the improbability as now projecting the last broadcasted trajectory into the the future includes too much entropy to reliably link pseudonyms. As we are dealing with an outsider we can even choose the concept of a cryptographic mix zone to keep safety features working.
\subsubsection{insider attackers}
This changes though as we move to an insider attacker: As all authenticated \ac{ITS} nodes get dealt the same symmetric key, our attacker can decrypt the broadcasted messages of all nodes, too, rendering this measure useless compared with a real silent period. Other cryptographic measures like using a group signature scheme within the mix zone might help with the indistinguishability of nodes, though correlations of the actual beaconing messages including positions and trajectories can still help with the linkage of pseudonyms. Additionally this can introduce other attack vectors like the \textit{Sybil attack} described later in this section.
Other active insider attackers can attempt a \textit{pseudonym depletion attack} by initiating so many pseudonym changes that the victim node runs out of pseudonyms and has to keep the same pseudonym although a change would be due. One possibility for this can be deliberately creating colliding network interface identifiers e.g. on the link layer. As many identifiers are derived from the node's link layer address, such a collision breaks several functionality throughout the stack, one of them e.g. \ac{GN}. To evade this collision and restore functionality again, the victim node changes its network identifiers, triggering a pseudonym change. \\
For this to work, pseudonym refill needs to be obstructed, e.g. by preventing the connection to an \ac{AA}. A connection might fail due to bad network connectivity, possibly made worse by active jamming of the attacker, a denial-of-service attack to the \ac{AA} itself rendering it unusable or by collaboration of parts of the infrastructure (e.g. the \acp{RSU}) as our third attacker type suggests. The SCOOP@F change strategy (see \ref{sec:change-strategies}) allows pseudonym reuse and thus prevents pseudonym depletion. But this again can open an attack vector for \textit{Sybil attacks}.
If the attacker has access to infrastructure components the issues with cryptographic mix zones already mentioned arise, too. As all \acp{RSU} are connected to the internet, they can even collaborate to track all changes in (cryptographic) mix zones to become a long-term global active insider adversary. Only frequent cooperative pseudonym change with silent periods introduces enough entropy to obstruct reliable pseudonym linkage. \\
If the attacker has access to \textit{infrastructure components} the issues with cryptographic mix zones already mentioned arise, too. As all \acp{RSU} are connected to the internet, they can even collaborate to track all changes in (cryptographic) mix zones to become a long-term global active insider adversary. Only frequent cooperative pseudonym change with silent periods introduces enough entropy to obstruct reliable pseudonym linkage. \\
Thanks to router advertisement and stateless autoconfiguration node's IPv6 addresses can not be linked to each other by the \ac{RSU} serving as the subnet router, as nodes do not have to request an IPv6 address but just construct it themselves using the announced prefix and their own interface identifier. Thus also arbitrary IPv6 peers in the internet can not link the IPv6 addresses to recognize \ac{ITS} clients again.
Personal \acp{AT} sent to already authenticated \ac{ITS} stations can include additional personal data. This might be necessary for some kinds of services (e.g. payment information for charging services) but allows limited loaction tracking, especially if multiple stations of this kind and the same operator are located at different positions. They might exchange information about a node being close to them over the internet. As countermeasures it needs to be ensured that such personal identifying data is only included if it is really necessary. Additionally this data must be only sent to the service nodes when they are actually used, not just because they are within reception range.
If an insider active attacker node has access to multiple pseudonyms at once and can change between these at will, it can create the impression of additional spoofed \ac{ITS} nodes in the surrounding area, tricking victim nodes into assuming being surrounded by many other vehicles and doing an ineffective pseudonym change. This so called \textit{Sybil attack} can be prevented by limiting the number of available pseudonyms at a time, e.g by not exposing the pseudonym key material directly by storing it inside a \ac{HSM}.
\subsubsection{privileged authority attackers}
Privileged attackers from an authories like law enforcement have many options when trying to deanonymize \iac{ITS} station. The challenge here is that law enforcement agencies shall only be able to deanonymize a user for legitimate and lawful purposes, but shall not abuse this power.
For allowing accountability through official ways, the \acf{RA} has to retain a mapping between the canonical enrolment credentials and the given pseudonyms. This sensitive information must only be accessible in a lawful way, thus building a legal and organizational framework for that purpose is crucial. Technical measures can help with that by splitting and distributing the mapping over multiple authorities and domains of control. Furthermore it needs to be ensured that these mapping information are not exposed in vulnerable parts of the infrastructure like \acp{RSU}. \\
Given the legal basis for ordering the infrastructure operator to cooperate with law enforcement, authorities additionally have the capabilities of a global (within the scope of infrastructure coverage) active insider attacker. \\
Due to this maintaining both user privacy and accountability is only possible in areas with independent judicial systems and separation of powers.
Without access to infrastructure or mapping authorities, law enforcement agents still have the capabilities of multi-point passive outsiders. As this approach doesn't require any cooperation with other authorities, this is most likely to be abused when ther is no legal ground to take the official route.
\subsection{Influence of Pseudonyms on Performance}
Preserving user's privacy through the use of pseudonym schemes is an additional requirement likely to add additional overhead to \ac{ITS} networks. So we need to ask ourselves: Is this additional overhead still reasonable?