CN106713326A - Vehicle-mounted network message authentication protocol - Google Patents

Abstract

The invention provides a vehicle network message authentication protocol. The vehicle ad hoc network includes a trusted certification center, a vehicle unit and a roadside unit. The message authentication protocol uses a threshold proxy re-signature algorithm to protect vehicle privacy information, and the vehicle communication unit to The signature of the message is converted into the signature of the same message by the certification center, thereby reducing the risk of tracking the vehicle-mounted unit according to the signature, and realizing the anonymity of the communication message. The re-signature key is distributed to multiple roadside communication units for management through the threshold method, which reduces the success rate of deciphering the re-signature key and prevents the roadside communication unit from abusing the proxy signature right. The certification center solves the recall problem of violating vehicles by tracing back the real vehicles that issued false news. This protocol has high security and low storage overhead, unforgeability, robustness, message authentication, anti-replay attack and traceability, and can greatly improve the privacy of network member information.

Description

A message authentication protocol for vehicle network

technical field

The invention relates to a vehicle network message authentication protocol, which can be applied to the technical fields of privacy protection such as wireless VANET, sensor network, ad hoc network and wireless communication.

Background technique

Vehicle Ad hoc Network (VANET), also known as self-organizing traffic information system, is a fast mobile outdoor communication network. Vehicle ad hoc network is a mobile network designed to facilitate mutual communication between vehicles under the background of intelligent transportation. The nodes in the network are mainly composed of three parts, the on-board unit (OBU) installed on the vehicle, Roadside Units (Road-side Units, RSUs) deployed on both sides of the road or at intersections and Trusted Authorities (TAs) responsible for managing all OBUs and RSUs. The vehicle ad hoc network allows communication between OBUs or between OBUs and RSUs through a short-distance wireless communication (Dedicated Short Range Communication, DSRC) scheme.

The VANET includes two communication modes: Vehicle to Vehicle (V2V) communication and Vehicle to Infrastructure (V2I) communication. On the one hand, VANET enables vehicles to communicate with each other. Each vehicle can not only periodically broadcast its own basic vehicle information, but also broadcast relevant information in real time when traffic accidents occur, so that other vehicles can take corresponding measures in time to effectively improve traffic conditions. On the other hand, VANET also enables vehicles to communicate with roadside units. RSU can not only broadcast information related to life such as restaurants, hotels and gas stations within its jurisdiction, but also broadcast information related to traffic such as road conditions, parking warnings and vehicle congestion.

However, since the VANET communicates on wireless channels with unstable quality, it will be subject to many malicious threats and attacks, such as injecting false and wrong information, modifying or replaying previous information, etc. In terms of privacy information, these threats and attacks will become security risks of VANET. Therefore, how to ensure the security and privacy of VANET is an important problem that needs to be solved urgently in recent years.

Research on message authentication in VANET is a hot spot in information security research in recent years, especially since 2005, some representative research results have appeared. Raya M, Hubaux J P, etc. (Raya M, Hubaux JP. Securing vehicular ad hoc networks[J]. Journal of Computer Security, 2007.151: 39-68.) proposed a classic scheme HAB on VANET message authentication, in order to realize the sending of messages The traffic management center loads a large number of private keys and their corresponding anonymous certificates on the vehicle in advance, and the vehicle randomly selects an anonymous certificate each time when sending a message, and then signs the sent message with its corresponding private key. However, the cost of certificate distribution, management and storage in HAB is too high, resulting in weak practicability of HAB. In order to improve the shortcomings of the HAB scheme, Lin Xiaodong, Sun Xiaoting et al. (Xiaodong Lin, Xiaoting Sun, Xiaoyu Wang, Chenxi Zhang, Pin-Han Ho, Xuemin Shen: TSVC: timed efficient and secure vehicular communications with privacy preserving.IEEE Trans.Wireless Communications 7 (12-1): 4987-4998 (2008)) proposed a new VANET message authentication scheme GSB by using group signature, assigning a group private key to each vehicle in advance, and signing the sent message with the group private key, Although the message verifier can verify the correctness of the message, it does not know the real signer of the message. If a dispute arises afterwards, a trusted third party can use the group administrator to trace the true identity of the signer. However, in the GSB scheme, the group key needs to be changed frequently to revoke the vehicle identity, and the cost is too high. In the ECPP scheme proposed by LuRongxing, Lin Xiaodong et al. (Rongxing Lu, Xiaodong Lin, Haojin Zhu, Pin-Han Ho, XueminShen: ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications. INFOCOM 2008: 1229-1237), the authenticated legal RSU issues short-term on-the-fly group member certificates only applicable to the RSU area to legal OBUs, which can share part of the work for the traffic management center and improve the overall efficiency of the system. Moreover, if the traffic offender escapes, the traffic management center can directly track down the offender because the RSU retains the corresponding relationship between the short-term certificate on the road and the UWJ. However, ECPP relies on the credibility of RSU, and its application scenarios are relatively small. In order to reduce the credibility of RSU, Yang Tao, Hu Jianbin, etc. (Yang Tao, Hu Jianbin, Chen Zhong, a traceable authentication protocol for privacy protection of VANET [J] Computer Engineering 2013, 35(20): 176-183) proposed a Based on the VANET message authentication scheme based on proxy re-signature, the trusted authentication authority (TA) authorizes RSU to be a semi-trusted proxy to re-sign the message signed by OBU, which not only protects the basic information of the original signer OBU, Moreover, if there is a dispute afterwards, the real identity of the signer of the message can be obtained through the cooperation of TA and RSU. However, this scheme relies on the reliability of the RSU. If the RSU is dishonest or maliciously attacked and controlled by an attacker, it will lead to serious consequences such as disclosure of private information and loss of keys.

Contents of the invention

The technical problem to be solved by the present invention is to provide a vehicular ad hoc network authentication protocol with high security, good privacy and low storage overhead.

In order to solve the above technical problems, the technical solution of the present invention is to provide a vehicle-mounted network message authentication protocol, which is characterized in that: the vehicle-mounted network includes a trusted authentication center TA, an on-board unit OBU and a roadside unit RSU, and the message authentication protocol as follows:

1. Definition

1.1 Bilinear Mapping

Suppose G ₁ and G ₂ are two cyclic groups whose order is a prime number q, and the bilinear map e: G ₁ XG ₁ →G ₂ satisfies the following properties:

(1) Bilinear: For any g, h∈G ₁ and a, b∈Z _q ^* = (0, 1, 2, ... q-1), Z _q ^* represents the set of integers, e(g ^a , h ^b )=e(g, h) ^ab holds true; (2) Non-degenerate: there exists g, h∈G ₁ , making e(g, h)≠1, where "1"& is G ₂ unit: yuan;

(3) Computability: For all g, h∈G ₁ , there is an effective algorithm to calculate e(g, h);

1.2 Discrete logarithm problem

Suppose p is a large prime number, G is a cyclic group of order p, g is a generator of G, the discrete logarithm problem DLP on the group G is given (g, g ^a )∈G, calculate a∈Z _p = (0, 1, 2, ... q-1); Z _p represents a set of integers, if there is no probabilistic polynomial time algorithm that can solve the DLP problem on the group G with a probability of at least ε in time t, then it is called The (t, ε)-DLP assumption on the group G holds;

1.3 Shamir secret sharing scheme

The idea of the Shamir secret sharing scheme is to divide the secret information into several parts, and carry out fault-tolerant distribution among multiple participants with collaborative relationships to protect the secret information; the specific scheme is as follows:

(1) Secret distribution stage: Let p be a large prime number, s∈Z _p ^* is the secret information distributed to n members U _i (i=1, 2, 3..., n), and n is a positive integer; Randomly select t-1 elements a ₁ , a ₂ ,..., a _t-1 ∈ Z _p ^* , t is a positive integer not less than 1, and the constructor F(x)=s+a ₁ x+a ₂ x ² +...+a _t-1 x ^t-1 , calculate the secret share Xi = F( _i ), and send ( _i , Xi ) to the i-th member U _i ;

(2) Secret recovery stage: Set up And |Ψ|≥t, then the function in, is the Lagrangian interpolation coefficient, the integer variable _j∈Ψ ; any t legal members U _i , use their own secret share Xi to restore the secret

1.4 Threshold proxy re-signature

A threshold proxy re-signature scheme is a five-tuple {Keygen, Rekey, Sign, Resign, Verify} composed of a probabilistic polynomial time algorithm;

(1) {Keygen, Sign, Verigy} is the key generation, signature generation and verification algorithm in the standard signature algorithm;

(2) Given a public key/private key pair (pk _A , sk _A ) of a trustee and a public key/private key pair (pk _B , sk _B ) of a delegator, the re-signature key generation algorithm Rekey generates a trustee The re-signature key rk _A→B between the delegator and the delegator, and then divide rk _A→B into n subkeys rk ⁱ _A→B and distribute them to n agents for secret storage;

(3) The resignature generation algorithm Resign consists of the following two parts:

3.1) Partial re-signature generation algorithm: Given a re-signature subkey rk ⁱ _A→B , a public key pk _A , a message m and a signature σ _A , first verify the validity of σ _A , if Verigy(pk _A , m, σ _A )=1, Verify() means to perform authentication operation, then output a partial re-signature σ _B,i of message m; otherwise, output ⊥;

3.2) Threshold re-signature generation algorithm: Given t honest agents’ partial re-signature σ _{B of message m, i} outputs a threshold re-signature σ _{B of message m corresponding to public key pk B ;}

2. Agreement

2.1 System establishment

The trusted authentication center TA selects two cyclic groups G ₁ and G ₂ whose order is the same prime number p, g is a generator of G ₁ ; introduces bilinear mapping e: G ₁ ×G ₁ →G ₂ and anti-collision Hash Function H: {0, 1} ^* → G; choose a public key cryptosystem, let Enc() and Dec() denote the corresponding encryption algorithm and decryption algorithm respectively, public system parameter param: ={G ₁ , G ₂ , p, g, H, Enc(), Dec()};

Among them, H: {0, 1} ^* → G corresponding rule is: function H, domain of definition is {0, 1} ^* , mapping in cyclic group G;

2.2 Key Generation

The key generation steps are as follows:

Step 2.2.1: TA's secret key generation

The trusted authentication center TA randomly selects x _TA ∈ Z ^* as the system private key, Z ^* is an integer set, and calculates the system public key

Step 2.2.2: OBU key generation

Assuming that RID is the real identity obtained when each car OBU is registered, the steps to generate the public-private key pair of OBU are as follows:

2.2.2.1) Vehicle OBU is randomly selected R is a subscript, 1<R<p, as a private key, calculate the corresponding public key And store the public-private key pair (x _OBU , X _OBU ) and related anonymous certificates in the tamper-proof device of OBU;

2.2.2.2) Random selection of OBU Calculate u=H(g ^s ||RID) and v=(s+x _OBU u), and send the message {X _OBU , RID, u, v} to the trusted authentication center TA;

2.2.2.3) After TA receives {X _OBU , RID, u, v}, it verifies Whether it is true; if the equation is true, TA is sure that {X _OBU , RID} is the legal public key and real identity of OBU, and saves {X _OBU , RID} in the traceability table T;

2.3 Re-signature key generation

Given the private keys x _TA and x _OBU of the certification authority TA and the vehicle OBU, a trusted distributor D generates the re-signature key r _k between TA and OBU in the following way: (1) The distributor D first randomly selects t∈Z _p , and then send t to OBU; (2) OBU uses its own private key x _OBU to calculate and send t ₁ =x _OBU t(modp) to TA; modp means modulo operation on p; (3) TA Using its own private key x _TA , calculate and send t ₂ =x _TA /t ₁ (modp) to the distributor D; (4) The distributor D uses the parameter t to calculate the re-signature key _rk =tt ₂ =t(x _TA /(x _OBU t)) = x _TA /x _OBU (modp);

In order to distribute the re-signature key r _k =x _TA /x _OBU (modp) to n roadside communication units RSUi (i=1,2,...,n), the distributor D performs the following operations: (1) Randomly select t-1 elements a ₁ , a ₂ ,..., a _t-1 ∈ Z _p ^* ; (2) Constructor F(x)=r _k +a ₁ x, a ₂ x ² +.. .+a _t-1 x ^t-1 ; (3) Calculate Xi = F( _i ), and distribute Xi to the roadside communication unit RSUi ( _i =1, 2, ..., n) as a re-signature subkey

2.4 Vehicle Message Signature

The message sent by the vehicle OBU contains 4 fields: message type ID _type , message payload Payload, timestamp Timestamp and OBU’s signature on the first 3 fields; message IDtype indicates the type of message; message payload Payload consists of vehicle position, direction, speed, Composed of basic information such as traffic incidents; the timestamp Timestamp identifies the exact time when the message was generated; it is assumed that RSUi regularly broadcasts the public key to the OBU within its jurisdiction In order to send a message to the roadside communication unit RSU _i , the vehicle OBU performs the following operations:

2.4.1) Use the private key x _OBU to calculate the signature σ=H(M)x _OBU of the message M={ID _type ||Payload||Timestamp};

2.4.2) Select an encryption algorithm Enc() of a public key cryptosystem, and use the public key of RSU _i Encrypt (X _OBU , M, σ), and then convert the corresponding ciphertext (X _OBU , M, σ) is sent to n roadside units RSUi (i=1, 2,..., n);

2.5 Roadside communication unit message re-signature

The steps of re-signing the message of the roadside communication unit are as follows:

2.5.1) Generate partial resignature

The roadside communication unit RSU _i (i=1, 2, ..., n) receives the ciphertext message sent by the OBU (X _OBU , M, σ), first use your own re-signature subkey decrypt it Obtain the plaintext message (X _OBU , M, σ); then perform the following operations: 1) check whether the equation Verify(X _OBU , M, σ)=1 is established, and Verify() means to perform an authentication operation; 2) verify whether the timestamp Correct; if both operation 1) and operation 2) are true, calculate the partial resignature And send Y _i =(i, M, σ _i , σ, X _OBU ) to the synthesizer C of the signature, where C can be a designated roadside communication unit;

2.5.2) Generate threshold re-signature

When synthesizer C receives Y _i , if the equation If it is established, the message sent by OBU will be accepted; otherwise, Y _i will be rejected, if synthesizer C has received at least t copies of (i, M, σ _i ) for the same message M sent by different roadside communication units RSU _i , let all senders The set of serial number i of roadside communication unit RSU _i with legal information is ψ, and the verification equation If the equality does not hold, the output is on; otherwise, the output corresponds to the signature of the trusted certification authority (TA) in, Synthesizer C sends (M, σ', X _OBU ) to trusted authentication authority TA according to a predetermined strategy;

2.5.3) TA broadcast message

After receiving (M, σ', X _OBU ), the trusted authentication center TA first encrypts X _OBU with its own public key X _TA to generate ciphertext Then generate a new message M'={M||δ}; finally, the trusted message (M', σ') will be broadcast to all vehicle OBUs in the area;

2.6 Message Verification

Given a public key X, a message M, and a signature δ, verify that the following equation holds:

e(σ,g)=e(H(M),X)

If the above formula is true, it means that δ is the legal signature of the message M corresponding to the public key X, output 1; otherwise, output 0;

2.7 Traceability of false identities

If a malicious vehicle posts a false message The steps for the trusted authentication center TA to trace the true identity of the signer of the message M' are as follows: use your own private key Perform decryption calculation on M' Obtain the identity X _{OBU of the OBU} ; (2) If the equation e(σ′, g)=e(H(M), X _OBU ) is established, search for {X _OBU corresponding to X _OBU in the traceability table T stored locally by TA , RID} so that the exact identity RID traced back to the publishing message M' can be accurately located.

Preferably, in said 2.2.2.1), the relevant anonymous certificate is generated by the pseudo-identity PID of the OBU.

Aiming at the privacy protection problem of the vehicle ad hoc network, the present invention adopts the secret sharing technology and proposes a VANET message authentication scheme-MSBTP. The scheme uses the threshold proxy re-signature algorithm to protect the private information of the vehicle, and converts the signature of the message by the vehicle communication unit into the signature of the same message by the certification center, thereby reducing the risk of tracking the vehicle unit based on the signature and realizing the anonymity of the communication message. The re-signature key is distributed to multiple roadside communication units for management through the threshold method, which reduces the success rate of deciphering the re-signature key and prevents the roadside communication unit from abusing the proxy signature right. The certification center solves the recall problem of violating vehicles by tracing back the real vehicles that issued false news. Compared with similar schemes, MSBTP has higher security and lower storage overhead, and can greatly improve the confidentiality of network member information.

Compared with the prior art, the vehicle network message authentication protocol provided by the present invention has the following beneficial effects:

1. Key security. Solving the private key through the public key is equivalent to solving the discrete logarithm problem. From the intractability of the discrete logarithm problem, any entity in MSBTP has key security.

2. Unforgeability and robustness. MSBTP's signature algorithm is based on the "Threshold Proxy Re-Signature Algorithm", which has been proven to be unforgeable and robust. Threshold proxy re-signature not only reduces the dependence on a single roadside communication unit RSU, but also makes the scheme have higher security.

3. Message authenticity. The trusted authentication center TA authorizes the roadside communication unit RSU to act as a semi-trusted agent to convert the signature of the OBU to the message to the signature of the TA to hide the true identity of the signed message and eliminate the risk of tracking the vehicle OBU based on the signature , to achieve the anonymity of communication messages.

4. Anti-replay attack. The application of time stamps can not only ensure the freshness of messages, but also effectively resist replay message attacks.

5. Traceability. The publisher of the news, OBU, did not participate in the entire traceability process, which effectively guaranteed the objectivity of the traceability. Therefore, the MSBTP scheme satisfies the traceability of messages.

Description of drawings

Figure 1 is a schematic diagram of the vehicle ad hoc network system model.

detailed description

Below in conjunction with specific embodiment, further illustrate the present invention. It should be understood that these examples are only used to illustrate the present invention and are not intended to limit the scope of the present invention. In addition, it should be understood that after reading the teachings of the present invention, those skilled in the art can make various changes or modifications to the present invention, and these equivalent forms also fall within the scope defined by the appended claims of the present application.

1. Preliminary knowledge

1.1 Bilinear Mapping

Suppose G ₁ and G ₂ are cyclic groups with two orders of prime number q, the bilinear map e: G ₁ XG ₁ →G ₂ satisfies the following properties:

(1) Bilinear: For any g, h ∈ G ₁ and a, b ∈ Z _q ^* = (0, 1, 2, ... q-1); Z _Q represents an integer set, e(g ^a , h ^b )=e(g, h) ^ab holds.

(2) Non-degenerate: there exists g, h∈G ₁ such that e(g, h)≠1, where "1"& is the identity element in G ₂ .

(3) Computability: For all g, h∈G ₁ , there is an efficient algorithm to calculate e(g, h).

1.2 Discrete logarithm problem

Suppose p is a large prime number, G is a cyclic group of order p, g is a generator of G, and the discrete logarithm problem (Discrete Logarithm Problem, DLP) on the group G is given (g, g ^a )∈ G, calculate a ∈ Z _p = (o, 1, 2, . . . p-1); Z _p represents an integer set. The (t,ε)-DLP assumption on group G is said to hold if no probabilistic polynomial time algorithm can solve the DLP problem on group G with probability at least ε in time t.

1.3 Shamir secret sharing scheme

The idea of the Shamir secret sharing scheme is to divide the secret information into several parts, and carry out fault-tolerant distribution among multiple participants with cooperative relations to protect the secret information. The specific plan is as follows:

(1) Secret distribution stage: Let p be a large prime number, s∈Z _p ^* is the secret information distributed to n members U _i (i=1, 2, 3..., n), and n is a positive integer. Randomly select t-1 elements a ₁ , a ₂ ,..., a _t-1 ∈ Z _p ^* , t is a positive integer not less than 1, and the constructor F(x)=s+a ₁ x+a ₂ x ² +...+a _t-1 x ^t-1 , calculate the secret share Xi = F( _i ), and send ( _i , Xi ) to the i-th member U _i .

(2) Secret recovery stage: Set up And |Ψ|≥t, then the function in, Is the Lagrangian interpolation coefficient, the integer variable j∈Ψ. Any t legitimate members U _i use their own secret share _Xi to recover the secret

1.4 Threshold proxy re-signature

A threshold proxy re-signature scheme is a five-tuple (Keygen, Rekey, Sign, Resign, Verify) composed of a probabilistic polynomial time algorithm.

(1) (Keygen, Sign, Verigy) is the secret key generation, signature generation and verification algorithm in the standard signature algorithm.

(2) Given a public key/private key pair (pk _A , sk _A ) of a trustee and a public key/private key pair (pk _B , sk _B ) of a delegator, the re-signature key generation algorithm Rekey generates a trustee The re-signature key rk _A→B between the delegator and the delegator, and then divide rk _A→B into n subkeys rk ⁱ _A→B and distribute them to n agents for secret storage.

(3) The resignature generation algorithm Resign consists of the following two parts:

A) Partial re-signature generation algorithm: Given a re-signature subkey rk ⁱ _A→B , a public key pk _A , a message m and a signature σ _A , first verify the validity of σ _A , if Verigy(pk _A , m, σ _A )=1, Verify() means to perform authentication operation, then output a partial re-signature σ _B,i of message m; otherwise, output ⊥.

B) Threshold re-signature generation algorithm: Given t honest agents’ partial re-signature σ _{B of message m, i} outputs a threshold re-signature σ _B of message m corresponding to public key pk _B.

2. Vehicular ad hoc network message authentication scheme

2.1 Vehicle Ad Hoc Network System Model

The vehicle ad hoc network message authentication scheme mainly includes short-distance wireless communication technology and three basic roles: trusted authentication center TA, on-board unit OBU and roadside unit RSU.

(1) The trusted authentication center TA is to perform identity authentication, certificate distribution, revocation management and information storage for each node in the VANET. This organization is equivalent to the certification center CA (Certificate Authority) in the PKI system, and is managed by the relevant national or regional transportation authorities according to the actual area of VANET. Generally speaking, the center needs to carry out the highest level of security guarantee (perfect security system and security strategy), maintain a secure connection with the RSU in its jurisdiction, and be responsible for real-time monitoring of the driving safety and driving efficiency of VANET within its jurisdiction. For a specific VANET system, TA is the highest authority.

(2) On-board unit OBU is a necessary vehicle node in the vehicle ad hoc network, which is equivalent to a mobile terminal in the communication system. In the actual system, all legal OBUs must register with TA to join VANET, and pre-install system public security parameters and their own related key materials to a special tamper-proof device, which can only be accessed by TA authorized organizations. The number of OBUs depends on the coverage of the system. For typical urban scenarios, the number is generally above one million.

(3) The roadside unit RSU is the roadside infrastructure node in the vehicle ad hoc network. The RSU enables the VANET not only to form a separate network to achieve local communication, but also to connect to the backup network through the RSU as the gateway of the access point. Such as Internet. This node is similar to a communication base station in a communication system. For example, it can be a network communication device established in roadside gas stations, restaurants, shops, etc. signs and other existing road infrastructure. By installing and deploying RSU in key areas, the traffic control department can use RSU to collect the operation status of vehicles in real time on the one hand, improve the modernization and informatization level of road traffic management; on the other hand, broadcast road information to all driving vehicles in real time to ensure information release efficiency and safety. The number of RSUs is much less than that of OBUs (there can be hundreds of OBUs in an RSU jurisdiction), and for typical urban scenarios, it is generally above the thousand level.

(4) Short-range wireless communication (DSRC) is an efficient wireless communication base in the framework of the intelligent transportation system (ITS) standard system. On this basis, intelligent, real-time, and dynamic management of traffic can be realized. This solution organically connects entities in VANET by realizing vehicle-to-vehicle, vehicle-to-road communication mechanisms, and realizes accurate, reliable, and high-speed two-way transmission of images, voice, and data in a small area according to the requirements of upper-layer applications. Countries generally adopt the IEEE802.11P standard as the bottom layer scheme of DSRC.

The vehicle ad hoc network system model is shown in Figure 1.

2.2 Scheme description

2.2.1 System establishment

The trusted authentication authority (TA) selects two cyclic groups G ₁ and G ₂ whose orders are the same prime number p, and g is a generator of G ₁ . Introduce bilinear mapping e: G ₁ ×G ₂ →G ₂ and anti-collision Hash function H: {0, 1} ^* → G (the corresponding rule is function H, and the definition domain is {0, 1} ^* in the cyclic group G mapping in ). Select a public key cryptosystem (such as RSA, ECC, etc.), Enc() and Dec() represent the corresponding encryption algorithm and decryption algorithm respectively. Public system parameter param:={G ₁ , G ₂ , p, g, H, Enc(), Dec()}.

2.2.2 Key generation

The key generation steps are as follows:

(1) TA key generation (TA-Keygen)

The trusted authentication center TA randomly selects x _TA ∈ Z ^* as the system private key, Z ^* integer set. And calculate the system public key

(2) OBU key generation (OBU-Keygen)

Assuming that RID is the real identity obtained when each car OBU is registered, the steps to generate the public-private key pair of OBU are as follows:

1) The vehicle OBU is randomly selected (R is a subscript, 1<R<p) is used as the private key to calculate the corresponding public key And store the public-private key pair (x _OBU , X _OBU ) and related anonymous certificates (generated by the pseudo-identification PID of the OBU) in the special tamper-proof device of the OBU.

2) OBU randomly selected Calculate u=H(g ^s ||RID) and v=(s+x _OBU u), and send the message {X _OBU , RID, u, v} to the trusted authentication authority TA.

3) After receiving {X _OBU , RID, u, v}, TA verifies Whether it is established. If the equation is established, TA is sure that {X _OBU , RID} is the legal public key and real identity of OBU, and saves {X _OBU , RID} in the traceability table T at the same time.

2.2.3 Re-signature key generation

Given the private keys x _TA and x _OBU of the certification authority TA and the vehicle OBU, a trusted distributor D generates the re-signature key r _k between TA and OBU in the following way: (1) The distributor D first randomly selects t∈Z _p , and then send t to OBU; (2) OBU uses its own private key x _OBU to calculate and send t ₁ =x _OBU t(modp) to TA; modp means modulo operation on p; (3) TA Using its own private key x _TA , calculate and send t ₂ =x _TA /t ₁ (modp) to the distributor D; (4) The distributor D uses the parameter t to calculate the re-signature key _rk =tt ₂ =t(x _TA /(x _OBU t))=x _TA /x _OBU (modp).

Distributor D performs the following operations in order to distribute the re-signature key r _k =x _TA /x _OBU (modp) to n roadside communication units RSUi (i=1, 2, . . . , n): (1) randomly Select t-1 elements a ₁ , a ₂ ,..., a _t-1 ∈ Z _p ^* ; (2) Constructor F(x)=r _k +a ₁ x, a ₂ x ² +... +a _t-1 x ^t-1 ; (3) Calculate Xi = F( _i ), and distribute Xi to the roadside communication unit RSUi ( _i =1, 2,..., n) as a resignature key

2.2.4 Vehicle Message Signature

The message sent by the vehicle OBU contains 4 fields: message type ID _type , message payload Payload, timestamp Timestamp and OBU's signature on the first 3 fields. The message ID _type indicates the type of the message; the message payload Payload consists of basic information such as vehicle position, direction, speed, and traffic events; the timestamp Timestamp identifies the exact time when the message was generated, which can not only prevent message replay attacks, but also avoid single user Misidentified as a Sybil Attacker when reporting the same incident multiple times. Assume that RSUi broadcasts the public key to OBUs in its jurisdiction periodically (such as 5s) In order to send a message to the roadside communication unit RSU _i , the vehicle OBU performs the following operations:

(1) Using the private key x _OBU , calculate the signature σ=H(M)x _OBU of the message M={ID _type ||Payload||Timestamp}.

(2) Select an encryption algorithm Enc() of a public key cryptosystem (such as RSA, ECC, etc.), and use the public key of RSU _i Encrypt (X _OBU , M, σ), and then convert the corresponding ciphertext (X _OBU , M, σ) are sent to n roadside units RSUi (i=1, 2, . . . , n).

2.2.5 Roadside communication unit message re-signature

The steps of re-signing the message of the roadside communication unit are as follows:

(1) Generate partial resignature

The roadside communication unit RSU _i (i=1, 2, ..., n) receives the ciphertext message sent by the OBU (X _OBU , M, σ), first use your own re-signature subkey decrypt it Obtain the plaintext message (X _OBU , M, σ). Then perform the following operations: 1) Check whether the equation Verify(X _OBU , M, σ)=1 is established, and Verify() means to perform an authentication operation; 2) Verify whether the time stamp is correct. If both operation 1) and operation 2) are true, calculate the partial resignature And send Y _i =(i, M, σ _i , σ, X _OBU ) to the synthesizer C of the signature, where C may be a designated roadside communication unit.

(2) Generate threshold re-signature

When synthesizer C receives Y _i , if the equation If it is established, the message sent by OBU will be accepted; otherwise, Y _i will be rejected, if synthesizer C has received at least t copies of (i, M, σ _i ) for the same message M sent by different roadside communication units RSU _i , let all senders The set of serial number i of roadside communication unit RSU _i with legal information is ψ, and the verification equation If the equality does not hold, output ⊥; otherwise, output the signature corresponding to the trusted certification authority (TA) in, The synthesizer C sends (M, σ', X _OBU ) to the trusted authentication authority TA according to a predetermined policy.

(3) TA broadcast message

After receiving (M, σ', X _OBU ), the trusted authentication center TA first encrypts X _OBU with its own public key X _TA to generate ciphertext A new message M'={M||δ} is then generated. Finally, the trusted message (M', σ') will be broadcast to all vehicle OBUs in the area.

2.2.6 Message Verification

Given a public key X, a message M, and a signature δ, verify that the following equation holds:

e(σ,g)=e(H(M),X)

If the above formula is true, it means that δ is the legal signature of the message M corresponding to the public key X, output 1; otherwise, output 0.

2.2.7 Traceability of false identities

If a malicious vehicle posts a false message The steps for the trusted authentication center TA to trace the true identity of the signer of the message M' are as follows: use your own private key Perform decryption calculation on M' Obtain the identity X _{OBU of the OBU} ; (2) If the equation e(σ', g)=e(H(M), X _OBU ) is established, search for {X _OBU corresponding to X _OBU in the traceability table T stored locally by TA , RID} so that the exact identity RID traced back to the publishing message M' can be accurately located.

Claims (2)

1. A vehicle network message authentication protocol, characterized by: the vehicle-mounted ad hoc network comprises a trusted authentication center TA, a vehicle-mounted unit OBU and a roadside unit RSU, and the message authentication protocol is as follows:

a, define

1.1 bilinear mapping

Let G₁And G₂For two cyclic groups of order prime q, bilinear mapping e: g₁X G₁→G₂The following properties are satisfied:

(1) bilinear for arbitrary G, h ∈ G₁And a, b ∈ Z_q ^*＝(0，1，2，...q-1)；Z_qRepresenting an integer set, having e (g)^a，h^b)＝e(g，h)^abIf true;

(2) non-degradability in the presence of G, h ∈ G₁Such that e (g, h) ≠ 1, where "1&Is G₂A unit cell of (1);

(3) calculability of h ∈ G for all G₁There is an efficient algorithm to compute e (g, h);

1.2 discrete logarithm problem

Let p be a large prime number, G be a cyclic group of order p, G be a generator of G, and the discrete logarithm problem DLP on group G be given (G, G)^a) ∈ G, calculation of a ∈ Z_p＝(0，1，2，...p-1)；Z_pRepresenting a set of integers; the (t,) -DLP hypothesis on group G is said to hold if none of the probabilistic polynomial time algorithms is able to solve the DLP problem on group G with at least a probability over time t;

1.3 Shamir secret sharing scheme

The idea of the Shamir secret sharing scheme is to divide secret information into a plurality of parts, and perform fault-tolerant dispersion among a plurality of participants with a cooperative relationship to protect the secret information; the specific scheme is as follows:

(1) secret distribution phase, let p be a large prime number, s ∈ Z_p ^*Is distributed to n member U_iSecret information of (i ═ 1, 2, 3.., n), n being a positive integer; randomly selecting t-1 elements a₁，a₂，...，a_t-1∈Z_p ^*T is a positive integer not less than 1, and the structural function f (x) is s + a₁x+a₂x²+...+a_t-1x^t-1Calculating secret shares X_i(ii) and (i, X) is_i) Is sent to the ith member U_i；

(2) Secret recovery phase: collection tableAnd | Ψ | ≧ t, then the functionWherein,is the lagrange interpolation coefficient; any t legal members U_iUsing its own secret share X_iRecovering secrets

1.4 threshold proxy re-signing

A threshold proxy re-signature scheme is a quintuple { Keygen, Rekey, Sign, Resign, Verify } formed by a probabilistic polynomial time algorithm;

(1) { Keygen, Sign, Verigy } is a key generation, signature generation, and verification algorithm in the standard signature algorithm;

(2) given a public/private key pair (pk) of a trustee_A，sk_A) And a public/private key pair (pk) of the principal_B，sk_B) The re-signing key generation algorithm Rekey generates a re-signing key rk between the trustee and the delegator_A→BThen rk is added_A→BSplitting into n sub-keys rkⁱ _A→BSecret keeping distributed to n agents;

(3) the re-signature generation algorithm Resign consists of two parts:

3.1) partial re-signature generation algorithm: given a re-signed sub-key rkⁱ _A→BA public key pk_AOne message m and one signature σ_AFirst, verify σ_AIf Verigy (pk)_A，m，σ_A) 1, a partial re-signature σ of the outgoing message m is output_B，i(ii) a Otherwise, outputting;

3.2) threshold re-signature generation algorithm: partial re-signature σ of message m given t honest agents_B，iOutputting a public key pk_BOf message m, is re-signed by a threshold_B；

Two, protocol

2.1 System set-Up

Trusted authorityThe certificate center TA selects two cyclic groups G with the same prime number p₁And G₂G is G₁A generator of (2); introducing a bilinear map e: g₁×G₂→G₂And the collision-resistant Hash function H: {0,1}^*→ G; selecting a public key cryptosystem, setting Enc () and Dec () to respectively represent corresponding encryption algorithm and decryption algorithm, and disclosing system parameters param: (ii) G₁，G₂，p，g，H，Enc()，Dec()}；

2.2 Key Generation

The key generation steps are as follows:

step 2.2.1: key generation for TA

Trusted authentication center TA random selection x_TA∈Z^*As the system private key and calculates the system public key

Step 2.2.2: key generation for OBU

Setting RID as the real mark obtained when each OBU registers to house, generating the public and private key pair of OBU as follows:

2.2.2.1) vehicle OBU random pickAs private key, the corresponding public key is calculatedAnd storing a public and private key pair (x) in a tamper resistant device of the OBU_OBU，X_OBU) And associated anonymous certificates;

2.2.2.2) OBU random selectionCalculating u-H (g)^s| RID) and v ═ s + x_OBUu) and the message { X)_OBURID, u, v is sent to the credible authentication center TA;

2.2.2.3) TA receipt { X_OBUAfter RID, u, v }, verificationWhether the result is true or not; if the equation is true, TA is confident { X }_OBURID is the legal public key and the real identification of the OBU, while X will be_OBURID is stored in a trace table T;

2.3 Re-signed Key Generation

Given the private key x of the certificate authority TA and the vehicle OBU_TAAnd x_OBUA trusted distributor D generates a re-signed key r between a TA and an OBU as follows_k(1) distributor D first chooses randomly t ∈ Z_pThen, sending t to the OBU; (2) the OBU utilizes its private key x_OBUCalculating and transmitting t₁＝x_OBUt (modp) to TA; (3) TA utilizes its own private key x_TACalculating and transmitting t₂＝x_TA/t₁(modp) to distributor D; (4) distributor D calculates re-signing secret key r by using parameter t_k＝t t₂＝t(x_TA/(x_OBUt))＝x_TA/x_OBU(modp)；

Distributor D in order to re-sign key r_k＝x_TA/x_OBU(modp) to n roadside communication units RSUi (i ═ 1, 2.. times, n), the following operations are performed: (1) randomly selecting t-1 elements a₁，a₂，...，a_t-1∈Z_p ^*(ii) a (2) The constructor F (x) r_k+a₁x，a₂x²+...+a_t-1x^t-1(ii) a (3) Calculating X_i(ii) and (ii) converting X into (II)_iDistributed to roadside communication units RSUi (i ═ 1, 2.. multidata, n) as re-signing subkeys

2.4 vehicle message signatures

The message sent by the vehicle OBU contains 4 fields: message type ID_typeMessage Payload, Timestamp and signature of OBU on the first 3 fields; message ID_typeIndicates the type of message; the message load Payload is formed by basic information of vehicle position, direction, speed, traffic event and the likeForming; the Timestamp identifies the exact time the message was generated; suppose that RSUi periodically broadcasts a public key to OBUs within its jurisdictionFor transmitting messages to roadside communication units RSU_iThe vehicle OBU performs the following operations:

2.4.1) Using the private Key x_OBUCalculating message M ═ { ID ═ ID_typeThe signature σ ═ h (m) x of | | | Payload | | | Timestamp }_OBU；

2.4.2) selecting an encryption algorithm Enc () of a public key cryptosystem, and utilizing the public key of RSUiTo (X)_OBUM, σ) is encrypted and then the corresponding ciphertext is generated(X_OBUM, σ) to n roadside units RSUi (i ═ 1, 2...., n);

2.5 roadside communication Unit message Re-signing

The roadside communication unit message re-signing step specifically comprises the following steps:

2.5.1) generating partial re-signatures

Roadside communication unit RSU_i(i 1, 2.. n.) receiving cryptograph message sent by OBU(X_OBUM, σ), first signs the subkey with its own re-signatureDecrypt itObtain a plaintext message (X)_OBUM, σ); the following operations are then performed: 1) examine the equation Verify (X)_OBUWhether M, σ) is true or not; 2) authenticationWhether the timestamp is correct; if both operation 1) and operation 2) are true, a partial re-signature is calculatedAnd a radical of Y_i＝(i，M，σ_i，σ，X_OBU) Sending to the synthesizer C of the signature, wherein C can be a designated roadside communication unit;

2.5.2) generating a threshold weight signature

When synthesizer C receives Y_iIf the equation isIf yes, receiving a message sent by the OBU; otherwise, rejecting Y_iIf the synthesizer C receives at least t parts of RSUs from different roadside communication units_iTransmitted (i, M, sigma) for the same message M_i) All roadside communication units RSU which send legal information_iSet number i is psi, verify equationIf the equation is not true, ⊥ is output, otherwise, a signature corresponding to a trusted certificate authority (TA) is outputWherein,the synthesizer C will (M, σ', X) according to a predetermined strategy_OBU) Sending the information to a trusted authentication center (TA);

2.5.3) TA broadcast message

Trusted certificate authority TA receives (M, σ', X)_OBU) Then, first use its own public key X_TATo X_OBUPerforming encryption to generate ciphertextThen generating a new message M' ═ { M | }; finally, all the vehicle OBUs in the area are broadcastedTrusted messages (M ', σ');

2.6 message authentication

Given a public key X, a message M and a signature, it is verified whether the following equation holds:

e(σ，g)＝e(H(M)，X)

if the above formula is true, the message M is a legal signature corresponding to the public key X, and 1 is output; otherwise, outputting 0;

2.7 false identity tracing

If a malicious vehicle issues a false messageThe steps of tracing the true identity of the signer of the message M' by the trusted authentication center TA are as follows: by its own private keyPerforming decryption calculation on MObtaining identity X of OBU_OBU(ii) a (2) If equation e (σ', g) ═ e (h (m), X_OBU) If yes, searching X in a tracing table T locally stored in TA_OBUCorresponding { X_OBURID) to be able to accurately locate the exact identity RID traced back to the published message M'.

2. A vehicle network message authentication protocol according to claim 1, wherein: 2.2.2.1), the relevant anonymous certificate is generated by the pseudo-identification PID of the OBU.