Policy Management for Secure Data Access Control in Vehicular Networks

Abstract

The state-of-the-art research in vehicular network security does not address the need for low latency message access control in vehicular applications with tight connection time and message delay requirements. In existing security solutions, the major limitation is that no trust establishment mechanisms that adapt to rapidly changing scenarios and highly mobile environments (mainly because of key management delay, processing overhead, and changing communication peers). To address this issue, we present a policy management framework for secure data access control in vehicular networks. Our solution address two interrelated research areas to achieve efficiency and scalability for data access control and policy management in highly dynamic vehicular networks. The main contributions are in two-fold: (a) efficient key management and group-based policy enforcement using attribute-based cryptography; and (b) dynamic security policy management framework and methodology to manage credentials based on role, time, location and other situation dependent attributes. Our solution utilizes efficient attribute-based cryptography algorithm to achieve unprecedented speedups in message processing time to meet the real-time requirement. To demonstrate the effectiveness of our proposed solution, a systematic and comprehensive evaluation is produced to valid our proposed solution.

Appendices

Appendix 1: CP-ABE Decrypt Protocol

The cryptographic construction of PGDA is based on CP-ABE. PGDA proposes extensions of CP-ABE for vehicular networks and the system is initialized by using a set of publicly known parameters for vehicle i:

$$ params_i=\langle e, {\mathbb{G}}_0, {\mathbb{G}}_1, g, p, h, \zeta, H, {\mathcal{S}}^s_i, {\mathcal{SK}}^s_i, Cert_i\rangle. $$

The params _i can be stored in vehicle i by the GTA at the time of registration. We use i to represent a unique vehicle ID. The detailed explanation of params is given in Table 3.

Table 3 Publicly known system parameters for vehicle i

The Protocol 4 presents a sketch of Decrypt protocol presented in [18]. To complete the presentation of our solutions, we present the CP-ABE Decrypt protocol in details. For correctness and security proof of CP-ABE scheme, interested readers should refer to [18].

We first define a function \(DecryptNode(\mathcal{CT},\mathcal{SK},x)\) that takes as input a ciphertext \(\mathcal{CT}\), a private key \(\mathcal{SK}\), which is associated with a set \(\mathcal{S}\) of attributes, and a node x from the attribute tree \(\mathcal{T}\). If j is the attribute value of the node x and x is a leaf node, then we can compute the following formulas for vehicle i:

$$ \begin{aligned} DecryptNode({\mathcal{CT}},{\mathcal{SK}},x) &= \frac{e(D_i,C_x)} {e(D_i',C_x')}\\ &= \frac{e(g^{r_i} \cdot H(j)^{r_j},g^{q_x(0)})} {e(g^{r_j},H(j)^{q_x(0)})}\\ &= \frac{e(g^{r_i},g^{q_x(0)}) \cdot e(H(j)^{r_j},g^{q_x(0)})} {e(g^{r_j},H(j)^{q_x(0)})}\\ &= e(g,g)^{r_iq_x(0)} \end{aligned} $$

We now consider the recursive case when x is a non-leaf node. The algorithm \(DecryptNode(\mathcal{CT},\mathcal{SK}, x)\) then proceeds as follows: For all nodes z that are children of x, it calls \(DecryptNode(\mathcal{CT}, \mathcal{SK}, z)\) and stores the output as F _z . Let \(\mathcal{S}_x\) be an arbitrary k _x -sized set of child nodes z such that \(F_z \neq \bot\). If no such set exists then the node was not satisfied and the function returns \(\bot\). Otherwise, compute

$$ \begin{aligned} F_x &=\prod_{z \in {\mathcal{S}}_x}F_z^{\Updelta_{j,{\mathcal{S}}_x'(0)}},\\ &= \prod_{z \in {\mathcal{S}}_x}(e(g,g)^{r_iq_z(0)})^{\Updelta_{j,{\mathcal{S}}_x' }(0)},\\ &= \prod_{z \in {\mathcal{S}}_x}(e(g, g)^{r q_{{\bf parent}(z)({\bf index}(z))}})^{\Updelta_{j,{\mathcal{S}}_x' }(0)},\\ &= \prod_{z \in {\mathcal{S}}_x}e(g, g)^{r_iq_x(j) \cdot \Updelta_{j,{\mathcal{S}}_x' }(0)},\\ &= e(g,g)^{r_iq_x(0)}, (\hbox {using polynomial interpolation}) \end{aligned} $$

where j = index(z) and \(\mathcal{S}_x'=\{{\bf index}(z):z \in \mathcal{S}_x\}\). We define the Lagrange coefficient \(\Updelta_{i,S}\) for \( i \in {\mathbb{Z}}_p \) and a set S, of elements in \({\mathbb{Z}}_p\):

$$ \Updelta_{ i,S}(x) = \prod_{(j \in S, j\neq i)} \frac{x-j}{i-j}. $$

The decryption algorithm begins by calling the DecryptNode function on the root node R of the tree T. If the tree is satisfied by \(\mathcal{S}\) we set \(\zeta = DecryptNode(\mathcal{CT},\mathcal{SK}, R) = e(g, g)^{r_iq_R(0)} = e(g, g)^{r_is}.\) The algorithm decrypts by computing:

$$ \begin{aligned} DecryptCipher({\mathcal{CT}},{\mathcal{SK}},R) &=\frac{\widetilde{C}\cdot DecryptNode({\mathcal{CT}},{\mathcal{SK}},R)}{e(C,D_i)}\\ &=\frac{k\cdot e(g,g)^{\alpha s}e(g, g)^{r_is}}{e(h^s, g^{(\alpha+r_i)/\beta })}\\ &= \frac{k\cdot e(g,g)^{\alpha s}e(g, g)^{r_is}}{e(g^{\beta s}, g^{(\alpha+r_i)/\beta })}\\ &= k. \end{aligned} $$

(2)

Appendix 2: Integration of Policy Trees

The detailed ABE key generation, encryption and decryption algorithms are described in Appendix 9. Here, we just preset how to use them at the functional level to describe our solutions. Using dynamic and static attributes, a vehicle can construct versatile policies.

In Fig. 9, we present the ways to combine static and dynamic attributes, where s tree and d tree represent policy trees formed by static and dynamic attributes, respectively. Combining two trees side-by-side is shown in Fig. 10a. Using XOR operator, we can derive the DEK \(k=k_d\oplus k_s\). In Fig. 10b, c, we present two ways to combine two trees in a top-down fashion. The intersection of two trees is a combined node by integrate a leaf node in the upper tree and the root of the lower tree. In Fig. 10d, we present an example of combining multiple static and dynamic trees. The critical issue of combining multiple trees in a top-down fashion is how to form a combined node from two set of attributes used for different system parameters.

Fig. 10

Integration a policy tree to a node

In Fig. 10, we present a method to make a combined node from two policy trees: \(\mathcal{PT}_1\) and \(\mathcal{PT}_2\), where the notations are presented in Table 4 of Appendix 1. The ciphertexts produced by \(\mathcal{PT}_1\) and \(\mathcal{PT}_2\) is presented as follows:

$$ {\mathcal{CT}}_1= \langle {\mathcal{PT}}_1 ; \widetilde{C} = k\zeta^s; C = h^s;\forall j \in {\mathcal{S}}_1:\left\{\begin{array}{ll}C_j = g^{q_j(0)}, C_j'= H(j)^{q_j(0)}\rangle,& j\,\hbox{ is not combined};\\ \hat{C}_j= g^{q_j(0)}\oplus k', \hat{C}_j'= H(j)^{q_j(0)}\oplus k'\rangle, & j\,\hbox {is combined}. \end{array}\right. $$

\(\mathcal{CT}_1\) is created by checking if a node in \(\mathcal{PT}_1\) is a combined node. If a node is not a combined node, then the ciphertext component is computed using the normal procedure specified in the Encrypt protocol. If a node is a combined node, then the Encrypt protocol needs to use a masking value k′ (a.k.a., one-time pad) randomly selected to encrypt the ciphertext components C _j and C′ _j . Once \(\mathcal{CT}_1\) is computed, the Encrypt protocol needs to use the masking value k′ as the encrypted message to construct \(\mathcal{CT}_2\) using a different set of public parameters following the procedure of Encrypt protocol:

$$ {\mathcal{CT}}_2 = \langle {\mathcal{PT}}_2 ; \widetilde{C} = k'\zeta^{s'}; C = h^{s'};\forall j \in {\mathcal{S}}_2 : C_j = g^{q_j(0)}; \forall j \in {\mathcal{S}}_2 : C_j'= H(j)^{q_j(0)}\rangle. $$

Combining \(\mathcal{CT}_1\) and \(\mathcal{CT}_2\), we have the integrated ciphertext:

$$ {\mathcal{CT}}=\langle {\mathcal{CT}}_1, {\mathcal{CT}}_2 \rangle. $$

The decryption procedure is straightforward. A ciphertext receiver first needs to use the Decrypt protocol to decrypt the masking value k′ in \(\mathcal{CT}_2\); and then it performs the following bit-wise XOR operations

$$ {\mathcal{C}}_j=\hat{{\mathcal{C}}}_j\oplus k' \hbox { and } {\mathcal{C}}'_j=\hat{{\mathcal{C}}}'_j\oplus k' $$

to recover the masked values \(\mathcal{C}_j\) and \(\mathcal{C}'_j\) in \(\mathcal{CT}_1\). Finally, the receiver can use Decrypt protocol again to decrypt the DEK encrypted in \(\mathcal{CT}_1\). We must note that the system parameters used in two decryption procedures are different. When there are multiple combined nodes, the above described decryption procedure will be repeated until a message receiver can successfully reach the root and derive the DEK.

Table 4 CP-ABE protocols