Modelling of Security Principles within Car-ToCar Communications in Modern Cooperative Inteligent Transportation Systems

Intelligent transportation systems (ITS) bring advanced applications that provide innovative services for various transportation modes in the area of traffic control, and enable better awareness for different users. Communication connections between intelligent vehicles with the use of wireless communication standards, so called Vehicular Ad Hoc Networks (VANETs), require ensuring verification of validity of provided services as well as services related to transmission confidentiality and integrity. The goal of this paper is to analyze secure mechanisms utilised in VANET communication within Cooperative Intelligent Transportation Systems (C-ITS) with a focus on safety critical applications. The practical part of the contribution is dedicated to modelling of security properties of VANET networks via OPNET Modeler tool extended by the implementation of the OpenSSL library for authentication protocol realisation based on digital signature schemes. The designed models simulate a transmission of authorised alert messages in Car-to-Car communication for several traffic scenarios with recommended Elliptic Curve Integrated Encryption Scheme (ECIES). The obtained results of the throughput and delay in the simulated network are compared for secured and nosecured communications in dependence on the selected digital signature schemes and the number of mobile nodes. The OpenSSL library has also been utilised for the comparison of time demandingness of digital signature schemes based on RSA (Rivest Shamir Adleman), DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm) for different key-lengths suitable for real time VANET communications for safety-critical applications of C-ITS.


Introduction
Traffic control under its constantly growing volume cannot get along without the support of information and communication technologies provided by the Intelligent Transportation Systems [1].Currently, a significant role is played by the development of a new generation of Cooperative Intelligent Transportation Systems which, together with wireless communication infrastructure, provides important information directly to a driver in a moving vehicle [2].
C-ITS introduce a technology which allows cars to communicate with each other or more precisely to communicate with the infrastructure.The reason of implementing such technology is to increase safety on the roads through raising awareness of the situation.Vehicles communicate with each other and with static units located along infrastructure by broadcasting critical and non-critical messages.These messages can contain information e.g. about location of vehicles, their speed and the information about unusual events on the road.
Many currently operating commercial systems of this type work on the principle of image information analysis, for example the Lane Departure Warning Systems (LDWS) [3], [4], [5], [6], which are based on a machine vision technology and monitor the position of a vehicle c 2016 ADVANCES IN ELECTRICAL AND ELECTRONIC ENGINEERING in the driving lane and alert the driver if the vehicle is departing or is going to depart the track [7].
Currently the problem of integration of the offered ITS services into a large complex is very actual [8].While implementing these goals it is necessary to form communication connections between intelligent vehicles with the use of wireless communication standards, so called Vehicular Ad Hoc Networks (VANETs), which also requires to ensure verification of validity of the provided services as well as the services related to the transmission confidentiality and integrity.
The Car 2 Car Communication Consortium (C2C-CC) [8] was established in Europe in 2004 by six European car companies (Audi, BMW, DaimlerChrysler, Fiat, Renault and Volkswagen) with the goal to create an open standard for inter-vehicle communication using a wireless technology (IEEE 802.11 standard).The communication in VANETs is realised using an On Board Unit (OBU) and a Road Side Unit (RSU).The OBU is a transceiver/receiver operating on a principle of Dedicated Short Radio Communications (DSRC).Typically, it is installed inside the vehicle or on the vehicle.Portable OBUs are also being considered.The OBU can be operational while the vehicle or the person is moving or is idle.The On Board Unit transmits data on a single or several channels.The OBUs installed within a vehicle communicate with the RSUs and with other OBUs.The RSU is a short-range DSRC transceiver/receiver (typically tens of meters) which is installed along a road or sidewalk.It can operate only in a stationary mode.The RSU transmits data into the OBUs or exchanges data with the OBUs in its communication areas.The RSU also performs a function of an access point according to IEEE 802.11 with other DSRC functions.Several research groups are currently participating in VANET development in distinct projects, for example CARLINK, SeVeCom, CAR 2 CAR, Safespot, CVIS, Watch -Over, Aktiv, PRECIOSA, simTD etc [9], [10], [11], [12], [13], [14].Generally, the applications utilising VANET can be categorised into: traffic control applications, logistics and freight traffic control, safety applications and safety-critical applications, maintenance and operational applications.The security of C2C communication in VANET is primarily dependent on the cryptographic algorithms and on the overall robustness of security mechanisms, including security protocols and organisational measures.Cryptographic algorithms and schemes are fundamental blocks of a security solution.The recommendations with orientation to secure services implemented in C-ITS and its application are described in IEEE 1609.2 [15].
The authors focus only on the safety oriented applications which require to ensure the nonrepudiation service and freshness of message, which is in many cases combined with the service of confidentiality and the in-tegrity is provided by distinct cryptographic constructions and must be realized in real time.

Principle of Message Authentication in Car-to-Car Communications
Research work in the sphere of vehicular networks is concentrated mainly on the following areas: routing protocols, power of antennas, elimination of error rate, control of mobility, realisation of database systems [?] but also on the solution of security architecture on the base of modern cryptographic constructions using PKI (Public Key Infrastructure) and CAs (Certification Authorities).The security architecture of VANET for C-ITS consists of several elements.It is concerned with widespread range of mechanisms located in a particular section of C-ITS.A more detailed description of it can be found e. g. in [16].
In the contribution, we present a secure architecture of V2V and V2I only for securing safety-related message transmissions in safety-critical applications.
According to the chosen digital signature scheme, the vendor assigns each node a pair of cryptographic keys, the public and the secret vehicle key K = P K V , SK V .These are the long-term keys.The Certification Authority (CA) assigns a long-term certificate for the public vehicle key P K V .Secret keys are stored in the vehicle in a so called Hardware Security Module (HSM), which at the same time provides a secure time base when generating the time-stamps for the digital signature.The HSM also manages all cryptographic operations with keys.In case of threatening this sensitive information they should be deleted from the HSM module.Digital signature schemes in contrary to common commercial applications (banking systems) utilise the pseudo-anonymous identification when authorising messages within vehicular communication networks, thus providing security and anonymity of the vehicle owner.In order to obtain a pseudonym, a set of key pairs is generated within the vehicle and public keys are sent to the corresponding CA via a secure communication channel.Then the certification authority signs each of the public keys and generates a set of pseudonyms for each vehicle.Each pseudonym contains an identifier of the CA, lifetime of the pseudonym, the public key and the signature of the CA, hence no information on vehicle identity is provided [17].
The frequency of pseudonym changes depends on the degree of the vehicle protection, input parameters (position, speed) and system settings.To ensure other pseudonyms, so called pseudonyms sets are being used.These pseudonyms are periodically supplemented from CA.In the moment, when a node transits from the pseudonym set 1 to the pseudonym set 2, it is no longer allowed to utilise any pseudonym from the set 1.
Before sending a safety related message a digital signature is generated in the security unit of the vehicle V 1 using its secret key SK V 1 .The signature is a function of message M as well as the header H, as in the principle depicted in Fig. 1.This way created cryptographic number is attached to the message together with the certificate Cert, which is coupled on the i-th anonymous sender public key P K iV 1 , which is certified by the corresponding CA.On the side of vehicle V 2 , the received certificate is validated first (if not done before) and the received digital signature is verified using the i-th public vehicle key P K iV 1 , which is downloaded in periodic intervals by the vehicle V 2 (or other vehicles).Simultaneously, the geo stamp information is verified from the header H and after these procedures the safety relevant message is accepted or not.
The process of generation of digital signature by vehicle V 1 can be mathematically described as follows: where: M represents the sending safety relevant message, H represents message header, for anonymous public key P K i1 ), represents the number of receivers (in case the message is sent to several vehicles).
The current certificate of vehicle V 1 valid in the i-th moment for the anonymous public vehicle key (P K i1 ) contains: where: Sign SK−CA represents the certificate signature of the corresponding certification authority based on its secret key SK − CA, ID CA represents a unique identification number of the corresponding certification authority.
A conceptual design of security functions for vehicular communications within a single node is presented in Fig. 2.

Analysis of Attacks to Car-to-Car Communications
Before designing the security architecture of C2C using VANET, it is necessary to address the analysis of risks which can occur during transmission of information messages in a wireless environment.Regarding an open transmission system, the number of network attacks is a variable which has to be monitored because the progress in cryptographic transmission development also implies the increase of development in possible attacks and related cryptographic attacks.It is necessary to consider attackers who do not attack only outside from network side, but directly in vehicle (inside attackers).To mention a few of them [18]: • Denial of Service (DoS) attack: A type of attack where the attacker either disrupts the communication channel or overloads computational resources of the vehicle.The attack can be performed by overloading the communication band or overloading by transmitting high number of messages.
• Message manipulation: The attacker injects fake messages into communication or holds the retransmission of messages.One motivation can be sending messages about road congestion and thereby forcing other vehicles to use an alternative route and clearing the road for the attacker.Another case can be faking a priority vehicle and thereby accelerating attackers drive.

• Retransmission of messages and tunnel attack:
The attack is similar to the previous by retransmitting a message after some time or in a different place via a tunnel using an external communication channel.
• Eavesdropping: The attack is based on capturing messages and their analysis.The attack violates privacy.
• Privacy violation: The attacker can monitor vehicles and drivers via their communication.The attack can be based on monitoring the RF fingerprint for identification and recognition of the vehicle.
• Masking and Sybil's attack: In masking the attacker impersonates themselves as another vehicle using fake identification, while in Sybil's attack they presents themselves as several vehicles.The attacker can generate data on road congestion or if the removal of corrupt devices is based on voting, they can vote with all fake identities for the removal of certain vehicle from the network.
• Discovery of secret keys: The attacker can gather secret keys from OBU or RSU.The attack is based on memory retrieval or utilisation of side-channel.
In this example of forgery attack attackers diffuse wrong information in the network to affect the behavior of other drivers (e.g., to divert traffic from a given road and thus free it for them, as illustrated in Fig. 3).

Parameters of Efficient and Robust Digital Signatures Schemes for Car-to-Car Authentication
Digital signatures are used for secure communications in VANETs.Messages are signed with the private keys corresponding to the current pseudonym.The messages in the schemes of digital signatures also contain the time stamps, the sender's clock value, geo stamps and the sender's coordinates at the sending time.
Currently, in the commercial sphere, following asymmetric cryptography digital signature schemes are being utilised [20]: • Digital signature scheme with the Rivest, Shamir, Adleman (RSA) algorithm.
• Digital Signature Algorithm (DSA) with the modified El Gamal's algorithm.
• Digital Signature Algorithm (ECDSA) scheme with the elliptic curve algorithm.
In the process of selection of digital signature schemes for car-to-car messages authentications, the following parameters are important: total message size, size of safety message, size of cryptographic overhead, throughput of vehicular network, number of communicating vehicles, message rate and maximum tolerable processing delay per message.
According to DSRC standard messages within VANET communications are transmitted with a periodicity of 100 to 300 ms.From this the upper bound on the processing time overhead T OH is defined by: where T Sign (M ), T T X (M | SIG prKV [M ]), T V er are necessary durations for signage, transmission and verification of the message.T sign (M ) is the time required for singing M , T V er is the time required for verifying M , Sign P rKv [M ] is the signature of message M from sender V and contains the key signed by Certification Authority and T tx (Sign P rKv [M ]) is the time required for transmitting a signature.

An approximate comparison of key lengths (in bits)
for the most widely used patterns of digital signature using asymmetric algorithms is introduced in Tab. 1.
A short key-length (in comparison with RSA and DSA schemes) and the related low computational demandingness predestines the ECDSA for deployment in devices with limited computational capacity and limited memory, which includes intelligent vehicle applications.In order to accelerate the computation (for mathematically complex schemes utilising asymmetric cryptographic algorithms), the tendency of integrated schemes is pushed forward.These perform two or three security functions in a single algorithm.This direction has also been chosen by the researchers in the SeVe-Com project, who recommend to use not the original, but the modified ECDSA scheme [21].
Within the SeVeCom project, the hybrid ECDSA scheme -Elliptic Curve Integrated Encryption Scheme (ECIES) has been selected within the digital signature scheme implementation, which supported secure services authentication of messages with the combination of confidentiality and message integrity.

Model Realisation of an Authentication Processor
For model realisation of an authentication processor which simulates a part of HSM module in OBU units within C2C communications, the authors utilised the OPNET Modeler tool [22].The OPNET software supports libraries written in C or C++ languages.This enables the utilisation of distinct libraries source codes related to security, for example the OpenSSL library.In this work, the OpenSSL-1.0.1f version has been used for models design.
In the OpenSSL library, we use our modified Ccode for signing messages using ECIES scheme, which was recommended as effective cryptography scheme for VANET applications [23].
Figure 4 shows the placement of security blocks within the designed model.The "Authentication processor" block controls the entire data flow from the source (moving vehicle) into VANET and performs security operations (encryption and digital signature using the ECIES).The "Verification processor" block on the receiver side (in vehicle or Road Side Unit) controls the data flow from the network to a node and performs the verification of received messages.
Functions performed in the authentication processor: • Generation of hash code H-MAC (Hash -Message Authentication Code) on the base of SHA-1 (Secure Hash Alhorithm) -digest.
• Authentication of this output by the ECDSA algorithm, resp.generation of digital signaturesignature.
The model of the authentication processor designed in the process editor is shown in Fig. 4. It is a state diagram consisting of two states St_0 and St_1.
The generation of hash code is performed in state 0 (St_0) and the digital signature is generated in state 1 (St_1).State 0 is implicit and its output value is a hash code (the digest variable in source code) and return value hmac_done.The variable hmac_done acquires value 1 in case of a successful hash code generation.After getting this value, the condition for a transition to state 1 is valid.If this state occurs, the generated hash code is signed and output variables signature and state are created.The signature variable represents the signature attached to a message and the state variable after getting value 1 passes the condition to perform the MAC_PACKET_HANDLE function.This function forwards the message into the next level (ARP, wireless_lan_MAC, wlan_port), which consequently sends it to VANET.

Functions performed in the verification processor:
• Generation of hash code from the message using H-MAC -digest.
The state diagram of verification processor is shown in Fig. 5.It is composed of two states.In state 1 (St_1), the same operation is performed as in the authentication processor, i.e a hash code is generated from the received message using H-MAC (SHA-1).After generating the hash code the condition for transition into state 2 (St_2) is valid and the signature verification operation can be performed -verify.The input variables of this function are the key (eckey), hash code (digest) and the signature (signature).The return value of this function is the variable ret.In case of value 1, the signature has been evaluated as valid and a transition is activated, which enables to perform the IP_PACKET_HANDLE action.This action enables access to the message from the lower level (in Fig. 6 denoted Internet Protocol).In case the ret variable gets another value, the DROP_PACKET action is performed -the signature is not valid.This action also deletes the invalid message.For the encryption of the message, we utilised the aes_cbc.csource code from the OpenSSL project to create a hash code hmac.c.The source code includes functions not only for signature generation, but also for the verification of integrated digital scheme -the ecdsa.hfunction.The source code with predefined parameters for digital signatures operations was joint to output data from the previous state (H_MAC output, keys).For a proper operation of these subprograms, it is necessary to include the used libraries (INCLUDE) into the OPNET installation directory.A link to these libraries has to be inserted into the header block, not directly into the individual states.These subprograms are able to operate within the separated signature and authentication part (with modifications), but also within a single unit (see Fig. 7).
The OpenSSL project contains several predefined elliptic curves.A list of all available elliptic curves can be found in [20].For the simulation purpose, we chose the P-384 elliptic curve, in OpenSSL denoted as follows: secp384r1: NIST/SECG curve over a 384 bit prime field.It is the elliptic curve (EC) E p (a, b) defined over a finite body F p (p=384), where p is an even prime number and represents the key length.According to [21], the prime number EC is more advantageous for the software implementation in comparison to EC over a finite body F m 2 or Koblitz curves.The overall communication security model using the ESCIS scheme is shown in Fig. 7.

Obtained Results
The authors in parallel performed a comparison of time demandingness of ECDSA scheme generation and verification in dependence on key length on simulated OBU units.
We created a simple simulation to demonstrate the computational demandingness of chosen digital signatures.It has been tested on a computer with Intel Dual Core processor with frequency of 2.3 GHz.We performed the calculations using a virtual device that we created for this purpose using the VirtualBox software and additional software, needed for the proper OpenSSL operation.We focused on the ECDSA digital signatures with key length 160,192,224,256,384 and 521 bits for several types of elliptic curves (EC) on the base prime field, binary Koblitz curve and pseudorandom curves.Within the simulation, the message with a predefined length was signed by a private key with a measured length and the number of signatures during the 10-second interval has been noted.Consequently, the message verification using a public key during the 10-second interval has been done.
At first, we compared demandingness of different EC in the process of signing and verification, where we found out that ECDSA prime field curves are the fastest (Fig. 8(a) and Fig. 8(b)).Next we chose ECDSA Prime field curve and compared it to RSA, DSA cryptographic schemes.
The obtained results of measured time of generation and verification are presented in Tab. 2 which contains (from the left): the algorithm name, the key length, the number of messages signed during 10 seconds, the number of messages verified during 10 seconds, the average time of signing of one message and the average time of verification of one message in seconds.The graphical results for three selected digital signatures schemes (RSA, DSA and ECDSA) are shown in Fig. 9  From the obtained results we can see that the RSA scheme is faster in the verification process, which is important because vehicle will be signing just its own messages, but it needs to verify messages from all vehicles which are within the range.RSA is now one of the fastest algorithms in the verification process, but by the increase of key length during the next 30 years, RSA starts to be slower (Fig. 10).This is one of the  reasons why ECDSA is deployed to the VANET networks as a perspective cryptographic scheme.
The second reason for using ECDSA is to save the frequency band of communication.From Fig. 11 we can see how the frequency band is loaded when several vehicles communicate using different size of messages.

Conclusion
With the development of intelligent transportation systems, it is necessary to handle the problems of transmission security in the C2X applications.Several cryptographic constructions have to be used; they have to be computationally secure and fast at the same time and do not load the VANET composed of a variable number of moving nodes.Nowadays, the development of integrated cryptographic schemes is being promoted, including several security services.The authors implemented a model of an authentication processor  OpenSSL libraries, the authors analysed the performance and time demandingness of the ECDSA scheme for different key lengths and different shapes of elliptic curves as well as a comparison of time relation of digital signature schemes RSA, DSA and ECDSA has been performed.For several transport scenarios for a given number of vehicles the throughput parameter of VANET network was determined in dependence on message size.

Fig. 1 :
Fig. 1: The transmission of authorized messages between vehicles.

Fig. 6 :
Fig. 6: Implementation of security blocks at the IP layer.

Fig. 7 :
Fig. 7: Demonstration of overall communication security model in OPNET Modeler.
Tab. 1: Comparison of key lengths for digital signature schemes.
Tab. 2: The results of measured time for generation and verification of digital signature.