malicious vehicles with legal certificates. ... guarantee than former road side infrastructure designs. ... congestion and road safety in vehicular ad hoc networks.
An autonomous road side infrastructure based system in secure VANETs Wenmao Liu, Hongli Zhang and Weizhe Zhang School of Computer Science and Technology, Harbin Institute of Technology Harbin, Heilongjiang, 150001 Email: {liuwenmao, zhl, zwz}@pact518.hit.edu.cn
Abstract—Road side infrastructures with certification and service aid are important in secure vehicular communication. Few road side infrastructure issues have been addressed in former studies. Lacking trusted certification, scalability, efficiency and intrusion detection in vehicle-only network causes various attacks. In this paper we propose an autonomous road side infrastructure network approach. Some road side infrastructures are preselected administratively and the others gather towards the formers autonomously. Road side infrastructures in the same autonomous network cache and forward certificates, which are invisible to other autonomous network. In our approach, CA cluster in different regions comply with corresponding scalability strategy and regional policy. A distributed IDS system integrated with the CA database provide further security protection from malicious vehicles with legal certificates. The certificate caching and forwarding schema accelerates authentication. In our analysis, our approach has a better efficiency, scalability and security guarantee than former road side infrastructure designs. Index Terms—Vehicular ad hoc networks, autonomous infrastructure network, security.
I. I NTRODUCTION Vehicles play a more important role in China’s transportation due to the significant economy growth. However, too many vehicles may cause heavy traffic congestion in cities like Beijing and Shanghai, more than 81 thousand people was killed in 2007 in traffic accidents and property valued at 1.2 billion RMB was destroyed in China. Intelligent transportation system (ITS) offers a promising solution for both traffic congestion and road safety in vehicular ad hoc networks (VANETs). Due to the vital impact of its real time live-ordeath policy, ITS should be trusted, robust and attack proof. Considerable research efforts have been made in VANET security issues in the past five years, nevertheless, most of which focus on the authentication, securing positioning and route of On-Board-Units(OBUs), meanwhile few attempts on the infrastructures communication and certification in the VANETs are made in building a scalable system. Most studies hold the assumptions that Road-Side-Unit(RSU) infrastructures will not be deployed in the near future, thus we have to take advantage of the OBUs themselves with predefined certification to accomplish a secure VANET with little or no help of external road infrastructures. We argue that even a vehicle with full knowledge of nearby objects is not able to determine legitimacy of the other nodes, the only approach is to explore a global online certification system providing completely trusted identification for arbitrary node.
Besides, some studies propose such authentication approach that an OBU needs to authenticates itself to the RSU every time it enters the range of a RSU. Given the fact that the distance between two RSUs is about 500m, the vehicle’s velocity is about 60km/h in city, so the vehicle has to perform the authentication routine every 30 seconds. When the authentication employs group signature, the computing overhead is really expensive. Moreover, frequent pseudonym changes may cause disastrous impact of geographic routing. Inter-RSU information sharing may reduce such impact. In fact, road side infrastructures occupy critically important position in the VANET system because only the road side infrastructures can build a skeleton of the whole distributed system. The deployment process crucially depends on administrative authority and commercial corporation. Pros and cons of large scale deployment of RSUs are still being discussed due to the high cost and unclear future. In the China’s eleventh five-year plan, official report announces that ”informational infrastructure construction” has achieved significant progress and the government aims to large scaled, informationized and sustainable modernized infrastructure development. Recent the Wireless city of Beijing is certainly such an effort. The initiative of US goverment is Vehicle Infrastructure Integration(VII), which launched SafeTrip-21 from Nov in 2008. Similiar projects such as SEVECOM(SEcure VEhicular COMmunications) are funded in Europa. Thereby we believe that road side infrastructures and central infrastructures will be deployed all over eventually. In this paper, we propose a road side infrastructure based framework mainly focusing on infrastructure management, we employ autonomy basis to deploy, classify and manage in a region ranging from a city district to the whole country. The framework is highly scalable, protocol-independent and supports common certification such as group signature, identity based verification, pseudonym pool, etc. The rest of the paper is organized as follows. Section II overviews related work. Section III describes the system model and attack model. Section IV presents the autonomous mechanism. Section V. Section VI draws a conclusion. II. R ELATED W ORK In 1999, B. McMillin et al. predict that a centralized management is inappropriate for VANETs due to a huge amount of real time computation [1], distributed architecture
978-1-4244-3693-4/09/$25.00 ©2009 IEEE
should be employed. The differences between the mobile network and the vehicular network are analyzed and possible solutions such as digital signature, time stamp and PKI are suggested in [2]. M. Raya [3] describe secure vulnerability and challenges in vehicular networks. The frequent short message exchange and real time communication are the main technology challenges for content related protocol redesign, network scalability should also be considered. [4] states that low torelence and high mobility are also required. Attack tree, which provides a standard and structural classification and refinement, is introduced to analyze the security of intervehicle communication in [5]. S. Eichler et al. introduce secure routing protocols in VANET and analyze some attacks such as wormhole attack[6]. Many other route attacks such as Sink hole attack and Sybil attack are discussed in [7]. P. Golle et al. discuss how to detect Sybil attack without a central authority, such detection may not be completely trusted due to lack of certification[8].B. Xiao et al. propose statistic approach of preventing Sybil attack. K. Sha et al. suggest a tuple < P, P L > to describe the mobile user’s privacy requirements, where P L is the privacy degree expected with probability P [9]. K. Sampigethava et al. suggest an anonymity schema that vehicles take a numerous pseudonyms and update frequently[10]. However, [11] points out that frequent change of pseudonyms may harm the network. To achieve anonymity requirement, [12] suggests group signature which hides individual’s identity in an anonymous group, yet [13] argues that group signature causes high computation overhead and propose an identity based approach. [14] proposes conditional privacy reserve approach based on group signature and identity based signature. III. S YSTEM M ODEL A. System Model and Assumption Figure 1 illustrates a typical communication among vehicles, road side infrastructures and central infrastructures.
Fig. 1.
System Model
1) CA server cluster: In a give region, a global certificate authority(CA) processes certificating requests from all the RSUs in the region, we adopt CA cluster with multiple CAs. All CAs trust each other so that any certificate chain between two CAs is trusted. Only one root CA stores the other
CAs’ private keys and certifications for CA revocation. The other CAs stores generates certifications and keys for vehicles and road side infrastructures and keep certificate revocation lists(CRLs). Geographically deployed CAs are connected within a high speed network distributely. The distributed strategy aims to save communication overhead between RSUs and CAs and prevent single point failure, which we will explain later. Since CAs in different regions are controlled by different administrative authorities with different regional laws and security levels, inter-region CAs need alternative trust strategy. The trust level may range from complete trust to no trust at all. Such trust difference may have impact on the authentication of a specific vehicle from a foreign region. 2) Log servers: Log servers store the positions and behaviors of active OBUs, once there is a crime or an accident, records from the log servers prevent cheaters from repudiation. A log server records mapping of certificate and pseudonym of OBUs for traceability in necessity. Once a CA assigns a pseudonym for an OBU, it asks a log server to store a tuple {OBUi , P SEi , RSUj , T }, which means RSUi obtains a pseudonym P SEi in the place of RSUj at time T . A RSU stores positional and behavioral information of nearby OBUs. When enough information is saved, it dumps all the information to the nearest log server. This action costs time and bandwidth so it can be performed in the midnight when traffic burden is low. Considering frequent communication with CAs and RSUs, the ideal deployment of log servers is near the CAs. Since RSUs tend to use the nearest CA, the communicating distance between the RSUs and the log server is relative short. 3) Road side infrastructures: Road side infrastructures comprising certificating RSUs, intrusion detection RSUs and service RSUs are placed along the streets and highways, i.e. on traffic lights, alarm indicators and other traffic infrastructures. Certification RSUs receive vehicles’ authentication requests, accept or reject the requests after checking the remote Authority or local database, application RSUs enable specific application access to application servers requested by the vehicle, e.g. Internet services. In this paper, we use road side infrastructures and RSU interchangeably. Certification Authority stores mapping from vehicles’ real identity to digital certifications, RSUs are connected to CA with private or VPN network of high speed. Distributed CA can be deployed for data storage and computation overhead, which we will discuss in Section 4. Application servers provide various applications for vehicles, including multimedia entertainment, Internet surfing etc. 4) Vehicles: Each vehicle is equipped with a sensor to determine the relative distance between its neighbors and itself, alternatively it may use a GPS device and broadcasts its geographic location. The GPS device provides clock synchronization and more reliability and is harder to attack. Also a vehicle needs a processor or a specific hardware device for encryption and decryption. The above device is supplied with sufficient power. Besides location indicator and processor,
the vehicle should have a wireless network access device to communicate with infrastructures and other vehicles. We use vehicles and OBUs interchangeably. In a trusted ITS system, the following assumptions are held: • Central Registration All vehicles should obtain a legal certificate before it joins the corresponding region so that it can be identified. • Regular checking All vehicles should be checked regularly, e.g. annually, to ensure that all software and hardware of the OBUs work correctly. Moreover, the certificates of the drivers should be updated. • Law enforcement mechanism Relative law should be made to punish malicious drivers and prevent all kinds of harmful attacks.
in secure routing. Our approach combines adjacent RSUs together and forms an autonomous network. A. Autonomous system setup Figure 2 illustrates an autonomous road side infrastructures system. All the road side infrastructure aggregate into three autonomous networks, which are connected to a regional CA.
B. Adversary Model Vehicles broadcast their traffic-related information periodically, road side infrastructures communicate with vehicles to provide various services. However, the information can be received by anyone within a certain range. Several kinds of attacks have been addressed. 1) Eavesdropping: Unlike in a wired network, vehicles broadcast messages in VANET, any application or protocol in plain text may be heard by other objects, thereby application and protocol designer should be well aware of this. 2) Privacy Violence: An eavesdropper listens to messages from a vehicle, such as position, direction and speed, collects the desired information and makes sophisticated analysis. A vehicle suffers such an attack if it uses a real identity or a permanent pseudonym. 3) Message Injection and Modification: If an attacker hijacks a session of two nodes, it may modifies the message or inject fake information. Message integrity check mechanism such as HMAC(Message Authentication Code) should be applied. 4) DoS Attack: An adversary may challenge the system availability by jamming wireless channels, sending meaningless messages to nodes. Cryptography, asymmetric cryptography in particular, has a high computation overhead, a huge amount of certificate verification requests from an adversary would probably overburden a vehicle. 5) Routing Attack: An important routing attack is Sybil attack, where a malicious node creates an illusion of many non-exist nodes to impair routing topology, or it makes up fake traffic congestion so that other vehicles choose an alternative path.Another routing attack is sinkhole attack, where attacker controls all messages in a specific region. Wormhole attack is a subset of sinkhole attack where a malicious node claims that it connects to node B and C with the shortest path so that it induces message forwarding. IV. AUTONOMOUS ROAD S IDE I NFRASTRUCTURE M ECHANISM As we mentioned above, authentication to every RSU costs too much computation overhead and may cause disorder
Fig. 2.
Autonomous system
1) Node deployment: All RSUs are deployed in proper places in a given region. Initially the region may be small, when technology and economic conditions mature, those regions can be interconnected to form a larger region. Such an aggregation can be from districts to a city, from provices to a country, even to a global region eventually. 2) Backbone node generation: After the deployment, we select some nodes as backbone nodes from the deployed RSUs. Let M denotes the set of all RSUs, N denotes the set of chosen nodes and n =| N | denotes the number of the N . To determine the reasonable value of n, we can employ the divideand-conquer method, divide a large region into small area, calculate the number of desired backbone nodes ni =| Ni | in these sub area, find out the nodes, and finally add them together. In a given region or sub-region, n or ni is related to the vehicle density of the area. In a dense street, more nodes are chosen and vice versa. Once n is determined, the N generation can be performed either administratively or automatically. Some nodes must be chosen for special purpose. Once the static nodes are chosen, the other nodes are added according to a custom schema, which should prevent the corresponding backbone nodes being overloaded. Randomicity is a simple but efficient candidate. 3) Autonomous gather: After backbone node generation, the rest nodes, | M − N |, will gather towards the nearest backbone nodes. We define the word nearest as the shortest network latency and highest computation performance. Due to the large scalability, RSU networks can be heterogeneous. For instance, adjacent nodes may not be deployed in the same network, or the hardware and software of adjacent
nodes may differ significantly. If a node sends a request to its neighbor, it expects to receive the response as soon as possible. Basically time span includes network latency and computational overhead. Node i can evaluate backbone node p with the following formula: Pip = Latencyip + α × Pl where Latencyip is the network latency between node i and node p, Pl is the computation overhead of node p to process a message with a length of l, α is an overload factor of computational overhead to estimate the ratio of current condition compared to normal condition. If the backbone node carries too many nodes, the overload factor could be very high. Node i always tends to join the backbone node j with the smallest cost Pij . First node i gets information about all the available autonomous networks, including the network scale, the backbone node’s processing ability and the network latency. For example, node i queries information about any available autonomous network from node k, node k is in autonomous network N of n nodes, whose backbone node is p, the latency from p to k is Latencykp , and the process overhead of a l-length message is Pl , the node i also measures the latency from j to i, then node i calculates Pip = Latencyik + Latencykp + Pl Note that if node k is not in any autonomous network, it just return no available network. If node i could not find any available autonomous network, it just retries later in a regular time interval. If there is one backbone node, soon or later, all nodes will be notified the existence and will join this network. Considering possible hash chain signature by every node in the route path from node k to node i for information integrity, total overhead may take signature overhead into account. But if we assume RSUs are pre-certificated and trusted in the same autonomous network, such overhead can be avoided. B. Secure Communication A vehicle should identify itself before joining an autonomous network. After authentication, it can communicate with all members securely. 1) OBU authentication: Once the RSU is ready, any OBU entering its range needs to be verified. Such an authentication should be done bidirectionally. The RSU and the OBU have to response to the challenges from each other. In order to keep anonymity, technologies such as group signature[12] or identity based security[13] are introduced by many authentication approaches. In many schemas, real public key of OBU is always kept confidential, after authentication is finished. Our work focuses on the infrastructure scalability, authenticity and traceability, the anonymity is out of the paper’s scope, but we believe various anonymity algorithms work in the autonomous system. In some cases, a vehicle may want to join the VANETs without valid certificate, e.g. the certificate is in the CRL list. One possible trade-off is that a CA offers a temporary certificate or a RSU offers a temporary pseudonym with a time-to-live value and an untrustworthy symbol. If the timeto-live value expires, the certificate or pseudonym becomes
invalid. Such a temporary certificate or pseudonym is only used for trivial communication, any trusted application should never accept such a certificate for emergent or important message exchange. 2) Vehicle communication: Before a vehicle accesses the VANET, it is isolated from the RSU and the other vehicles on application layer. Once authentication is finished, the vehicle can communicate with other vehicles and the certification RSU, meanwhile the vehicle is able to send application request to the application RSU. All messages should be encrypted with a public pseudonym or a session key. According to DSRC, vehicles broadcast their traffic information in a regular time interval. RSUs receive the data, store it in a local database and upload it daily to the log server. 3) Pseudonym scope: A pseudonym is and only is valid inside the autonomous network where the OBU is authenticated, it will be rejected in other autonomous networks. This limited pseudonym scope protects anonymity further. A non-volatile pseudonym is easy to trace and breakable. Also a pseudonym held for a relatively long time saves computation overhead of RSUs in the autonomous network. A vehicle will not change its pseudonym until it enters another autonomous network, an alternative pseudonym is generated from the second autonomous network. All other vehicles should be notified of the pseudonym update, meanwhile all the application communication should not be interrupted. Thus pseudonym assignment, update and revocation mechanism works under the session layer and above the network layer. 4) Certificate Caching and Forward: As we mention before, frequent authentication overburdens the certification RSUs, the autonomous RSU system reduces this load significantly because the whole autonomous network shares the OBUs’ certificating information. Next we demonstrate how the sharing mechanism works. First we introduce certificate caching, once a RSU m authenticates an OBU n, it saves n’s traffic-related information in the local database. Then m calculates a�cache timeout for the r2 − (dmn sin α)2 + OBU n: Tcache = Length Speedn , Length = dmn cos α , where dmn is the distance between m and n, r is the communicating range of m, α is the angle denoting the direction of n, (xm , ym ) and (xn , yn ) are the GPS position of m and n. Figure 3 shows the detail. The Tcache offers an estimation how long the vehicle will stay in the current RSU covering area, although we do not take acceleration and deceleration into consideration, timed position broadcast from the OBU fixes possible positional inaccuracy. Each time when RSU m receives a broadcast traffic-related message, it re-calculates the cache timeout for the OBU n. If the cache expires, which means the OBU probably is out of the RSU’s communicating range, so RSU just deletes this record. If a RSU is overburdened, it just abandons some position calculations, which may cause little positional inaccuracy. Once the RSU m establishes a trusted relation with OBU n, m will notifies its neighbors {N eighborsn } of n. Thus n does
M
r
dmn α
N
Fig. 3.
Certificate Caching Timeout Calculation
not need authentication again when it enters N eighborsn . Considering the geographic situation, a vehicle will not probably enter region in its opposite driving direction. So the RSU m sends the notification to all the RSUs in front of OBU n. The notification message include certificate of n, current time and a T T L value: {Certif icaten , T, T T L}, the T T L value indicates the hops of the notification, or the number of nodes that should be notified . If a node receives a notification with a positive T T L value, it update T T L = T T L − 1 and forwards this notification to the nodes ahead when the updated T T L value is still positive. The forward progress stops when the T T L decreases to zero. This T T L values diff from RSU to RSU even if it is sent by the same source. For example, a RSU sends larger T T L value to the RSU node forwards than the RBU nodes backwards comparing to the OBU driving direction. Such a caching and forwarding certificate mechanism implemented by the T T L value enables adjacent RSUs to share OBU certificate information, which greatly eliminates the computation and communication overhead of RSUs and CAs. C. Intrusion Detection Secure communication is still not guaranteed even if all the objects are authenticated. A vehicle affected by virus does have a legal identity, but it may perform harmfully. Such abnormal actions should be detected and countermeasures should be executed as soon as possible. Detection such an intrusion only by vehicles themselves is not sufficient because lacking global certification makes security warning from a foreign vehicle untrusted. Here we introduce a distributed intrusion detection system(IDS). A intrusion detection RSU(ID-RSU) can be located anywhere along the street, it monitors all messages from all vehicles in a promiscuous mode and finds possible misbehavior in these messages. However, a vehicle stays only several seconds within a road side infrastructure’s communicating range, attack behavior is not easy to detect in such a short time. An IDRSU may only find out some abnormal hints of a vehicle. An analysis center is essential to gather all the potential harmful hints and recover possible attack scenario. Therefore, the distributed IDS comprises a analysis center
and a large number of ID-RSUs. Comparing to Internet, VANET has a lower virus spreading speed, more heterogeneous OBU operating systems and more restrictive law constraint. Thereby our IDS system employs a schema mixing anomaly detection and misuse detection. First an ID-RSU finds abnormal messages statistically and sends them to the analysis center. The analysis center collects all the abnormal messages together, and classifiers similar behavior by Bayesian clustering or neural network. Experts confirm real attacks from the suspicious evidence and conclude a set of rules indicating the corresponding attacks. All ID-RSUs apply these rules, when similar malicious behaviors appear, they take corresponding actions, like marking the malicious vehicle untrusted or just comprising the vehicle’s certificate. D. Backbone Overload Detection Consider only one backbone node exists in the whole given region, all other nodes will join this autonomous network. As the number of nodes exceeds a threshold, the autonomous network will be overloaded due to two reasons. First as the nodes increase, the distance between the backbone node and the farthest node is extremely long, the hops between the two nodes may cause significant network delay, which is unbearable in real time certification. Second, too many nodes will increase the computation overload of the backbone node, which may affect all the nodes in the autonomous network. Thereby detection of such an overload is important, it should be carried out by the RSUs. We assume the max time span of OBU’s short certification is T and transmission delay between the OBU and the RSU is Tprime . Any vehicle receives a certificate response in a time interval more than T − Tprime an overload event is detected, thus additional backbone node should be generated administratively or automatically. V. S ECURITY A NALYSIS We introduce some potential adversaries in VANETs. Our system protects vehicles and road side infrastructures from many attacks. A global certification mechanism promises a trusted VANET, everyone in the network is recognized as a honest node. Thereby most malicious tries are blocked by the trusted network. Key security attributes in VANETs are dealt as follows. • Confidentiality Cryptography, especially asymmetric cryptography, keeps the confidentiality of the message all the way. The encrypted message makes nonsense to the adversaries computationally. • Anonymity Pseudonym schema, such as group signature, identity-based security and symmetric key set[15], holds the anonymity of vehicles. Changing pseudonym in different autonomous networks makes the tracing even harder. • Integrity Message authentication code (HMAC) is provided to assure message integrity and time stamp is employed to detect replay attack.
•
•
Availability Distributed CA cluster prevents overburden on the CA server. Also overburden detection of road side infrastructures ensures the availability of RSU from the vehicle perspective. Verification before challenge answer reduces potential computation overhead thereby DoS attack is partially prevented. Post-attack Protection Most abnormal routing topology will be discovered by adjacent vehicles, an ID-RSU receives these route error reports and judges whether a malicious node causes a disorder. The ID-RSU is also able to find out an adversary taking the above attacks due to its abnormal behavior. VI. D ISCUSSION AND F UTURE W ORK
So far approaches focus on the vehicles side in secure vehicular communication, few works give suggestions on the RSUs’ deployment and management. The paper designs a secure vehicular communication system based on road side infrastructure. In section III, we introduce all participators in the system: CA server clusters, log servers, road side infrastructures and vehicles. The road side infrastructures form autonomous networks. We demonstrate how the administrative and automatic selection and aggregation schema works. The hybrid schema is highly extensible and controllable. Next we analyze the authentication of vehicles and road side infrastructures, the authentication is bidirectional and anonymous. We also introduce a caching and forwarding mechanism to save computation and communication overhead and eliminate application level error caused by pseudonym change. Due to the uncertainty of autonomy, overloaded backbone nodes should be detected, the burden should be moved to other backbone nodes or new backbone nodes should be generated. Finally, we design a distributed IDS to detect malicious nodes. The cooperation of distributed ID-RSUs and analysis center recover fragmented attack hints to a complete scenario thereby various attacks can be prevented. In the further, we will evaluate the efficiency of this system by simulation. However, the large scale of networks,infrastructures and vehicles are hard to simulate due to limited computer memory and computation. Meanwhile, some open problems needs to be explored: • Inter-region trust model Since CAs and RSUs in different region have different trust level, many problems may occur in authentication. A standardized schema should be developed to describe the trust graph between all the CAs and RSUs. A single direction edge in the graph indicates the trust level of a CA in region A by a RSU in region B. To determine such a huge graph is challenging. Efficient schema should be developed. Moreover, communication delay between two regions may be large, so the message exchange times should be few while the security goal is achieved. • Geographical backbone node selection and certificate forwarding Street layout in a city may be different. Most
streets in Beijing are vertical to the adjacent streets, but streets in Harbin are complicated. Given the fact that road side infrastructures are deployed along the streets, due to high relativity between road side infrastructure deployment and communication efficiency, geographical backbone node selection needs to be explored in further. Certificate forward also needs geographical knowledge support. ACKNOWLEDGMENT This paper was partially supported by the National Natural Science Foundation of China under Grant No.60703014, the National Grand Fundamental Research 973 Program of China under Grant No.G2005CB321806 and the National High Technology Research and Developement Program (863 program) of China under grant No.2009AA012437. R EFERENCES [1] B. McMillin, J. Sirois, R. Mahoney, and F. Budd, “Fault-tolerant and secure intelligent vehicle highway system software a safety prototype,” in IEEE International Conference on Intelligent Vehicles, 1998. [2] M. E. Zarki, S. Mehrotra, G. Tsudik, and N. Venkatasubramanian, “Security issues in a future vehicular network,” EuroWireless, 2002. [3] M. Raya, P. Papadimitratos, and J.-P. Hubaux, “Securing vehicular networks,” in Infocom’06 - Poster session, 2006. [4] B. Parno and A. Perrig, “Challenges in securing vehicular networks,” in Proceedings of the Fourth Workshop on Hot Topics in Networks (HotNets-IV), 2005. [5] A. Aijaz, B. Bochow, F. Dotzer, A. Festag, M. Gerlach, R. Kroh, and T. Leinmuller, “Attacks on inter vehicle communication systems - an analysis,” in 3rd International Workshop on Intelligent Transportation, 2006. [6] S. Eichler, F. Dotzer, C. Schwingenschlogl, J. Fabra, and J. Eberspacher, “Secure routing in a vehicular ad hoc network,” in IEEE VTC 2004 Fall, 2004. [7] E. Fonseca and A. Festag, “A survey of existing approaches for secure ad hoc routing and their applicability to vanets,” NEC Network Laboratories, Tech. Rep., 2006. [8] P. Golle, D. Greene, and J. Staddon, “Detecting and correcting malicious data in vanets,” in Proceedings of International workshop on Vehicular ad hoc networks (VANET), 2004. [9] K. Sha, Y. Xi, W. Shi, L. Schwiebert, and T. Zhang, “Adaptive privacypreserving authentication in vehicular networks,” in Proceedings of IEEE International Workshop on Vehicle Communication and Applications, 2006. [10] K. Sampigethava, L. Huang, M. Li, R. Poovendran, K. Matsuura, and K. Sezaki, “Caravan: Providing location privacy for vanet,” in Proceedings of International workshop on Vehicular ad hoc networks (VANET), 2006. [11] E. Schoch, F. Kargl, T. Leinmuller, S. Schlott, and P. Papadimitratos, “Impact of pseudonym changes on geographic routing in vanets,” in proceedings of the European Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), 2006. [12] D. Boneh and H. Shacham, “Group signatures with verifier-local revocation,” in proceedings of the 11’th ACM conference on Computer and Communications Security (CCS), 2004. [13] P. Kamat, A. Baliga, and W. Trappe, “An identity-based security framework for vanets,” in International Conference on Mobile Computing and Networking Proceedings of the 3rd international workshop on Vehicular ad hoc networks, 2006. [14] X. Lin, X. Sun, P.-H. Ho, and X. Shen, “Gsis: A secure and privacy preserving protocol for vehicular communications,” in IEEE Transactions on Vehicular Technology, 2007. [15] Y. Xi, K. Sha, W. Shi, L. Scnwiebert, and T. Zhang, “Enforcing privacy using symmetric random key-set in vehicular networks,” in Eighth International Symposium on Autonomous Decentralized Systems (ISADS’07), 2007.
