REWIRE — Revocation without resolution
We present the REWIRE revocation scheme and describe the intuition behind our approach first. Assume a vehicle Va sends a message m that contains invalid data and hence constitutes misbehavior. Vb detects this and sends a misbehavior report to the Revocation Authority (RA). The report contains the pseudonym public key that was used to sign m, the GPS location where the message was received, and the type of misbehavior detected. Depending on its policy, the RA may require several independent reports before taking action. We recall that it is impossible to resolve Va’s identity from the information contained in the report because PUCA does not implement resolution. Instead, the RA constructs an order for self-revocation (OSR) and sends it via geocast to all vehicles in the area where the misbehavior was observed. The OSR message is constructed such that Va will recognize that it is the designated recipient (we call this self-identification), whereas all other vehicles will ignore the message. Upon receipt of the OSR, Va sends a confirmation message to the RA, immediately stops sending V2X messages, and deletes all key material used for pseudonymous V2X communication (possibly after a certain delay). Compliance with the request is enforced by a trusted component (TC) that is contained in every vehicle’s OBU and that ensures that its behavior cannot be altered, at least with regard to V2X communications. Figure 4.5 shows a high-level sketch of the revocation procedure.
Figure 4.5 The green vehicle reports observed misbehavior by the red vehicle to the RA (a). After checking its revocation policy the RA sends an OSR (order for self-revocation) via geocast to the surrounding area where the misbehavior occurred (b). The order is ignored by all except the designated vehicle, which complies by terminating V2X communication and deleting its key material.
We discuss some aspects in more detail before we give the concrete protocols in the following sections.
Self-revocation When a participant receives an OSR directed to him, he must stop sending V2X messages immediately. He sends a confirmation message, signed with the pseudonym that is to be revoked, to the RA and deletes all his V2X key material after the timeout Tkeep has elapsed. Keeping the key material for some time is necessary because the RA may send more OSR messages that are directed to one of the participant’s other pseudonyms. Pseudonyms are unlinkable, hence the RA needs to send out separate OSRs for each pseudonym that was reported for misbehavior. Those orders must be confirmed with signed messages, too.
When a vehicle’s V2X unit is disabled, the driver should be informed that the vehicle requires maintenance. Once the reason for revocation (e.g., a malfunctioning sensor) has been identified and fixed, the V2X unit can be equipped with new key material and resume its operation.
Revocation policy The RA’s revocation policy determines its reaction to misbehavior reports. It should take into account the freshness of the messages reported as misbehavior and the validity periods of the reported pseudonym and of the pseudonym used to sign the report. This is required to prevent the abuse of expired, possibly broken pseudonym keys to trigger an unjustified revocation. We do not suggest a specific policy because it may depend on the misbehavior detection mechanism employed. The policy is always a trade-off between avoiding false negatives (discarding valid reports) and preventing denial-of-service attacks (someone deliberately files incorrect reports).
Geocast strategy The RA sends out OSRs periodically every Trepeat seconds until it receives a confirmation message or Tsend seconds have elapsed. With every iteration the radius of the target area is increased, as the target vehicle may have moved further away from the location where the misbehavior was observed. Depending on the specific geocast mechanism, messages may be sent to road-side units in the target area that distribute them to passing vehicles, broadcast via DAB, or sent to vehicles in the target area via cellular communication. Some geocast protocols also use forwarding between participants for message dissemination.
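The OSR exchange, the self-revocation rules (stop immediately, confirm with the revoked pseudonym, keep keys until Tkeep) and the repeated geocast with growing radius, put together as a discrete-time simulation. This is an added example, not code from the paper or from PUCA/REWIRE. Assumed, because the text leaves them open: the OSR carries a fingerprint of the reported pseudonym public key and a vehicle self-identifies by matching it against its own pseudonyms; the radius grows linearly per retry; Lamport one-time signatures stand in for the pseudonym certificate's signature scheme; all timer and distance values are constructed.

```python
import hashlib, math
T_REPEAT, T_SEND, T_KEEP = 2, 10, 6   # seconds; constructed values, not taken from the paper
R0, R_STEP = 300.0, 200.0             # initial geocast radius (m) and growth per retry (assumed)
def H(b): return hashlib.sha256(b).digest()
def bit(h, i): return (h[i // 8] >> (7 - i % 8)) & 1
# Lamport one-time signatures stand in for the pseudonym certificate's signature scheme:
# a pseudonym confirms its own revocation exactly once, so a one-time key is adequate.
def keygen(seed):
    sk = [[H(seed + bytes([i >> 8, i & 255, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk, H(b"".join(x for pair in pk for x in pair)).hex()   # fingerprint last
def sign(sk, msg):
    h = H(msg); return [sk[i][bit(h, i)] for i in range(256)]
def verify(pk, msg, sig):
    h = H(msg); return all(H(sig[i]) == pk[i][bit(h, i)] for i in range(256))

class Vehicle:                        # the trusted component's view of one OBU
    def __init__(self, name, pos, n_pseudonyms):
        self.pos, self.v2x_on, self.delete_at = pos, True, None
        self.keys = {fp: (sk, pk) for sk, pk, fp in           # pseudonym fingerprint -> keys
                     (keygen(f"{name}:{n}".encode()) for n in range(n_pseudonyms))}

    def on_osr(self, osr, now):       # self-identification: only the named holder reacts
        fp = osr["pseudonym"]
        if fp not in self.keys:
            return None               # OSR addressed to someone else: ignore it
        self.v2x_on = False           # stop sending V2X messages immediately
        if self.delete_at is None:    # keep keys for T_KEEP so later OSRs can be confirmed
            self.delete_at = now + T_KEEP
        msg = b"OSR-confirm:" + fp.encode()
        return {"pseudonym": fp, "msg": msg, "sig": sign(self.keys[fp][0], msg)}

    def tick(self, now):
        if self.delete_at is not None and now >= self.delete_at:
            self.keys.clear()         # T_KEEP elapsed: delete all V2X key material

def revoke(reported_pk, fp, where, vehicles, start=0):
    """RA: geocast the OSR every T_REPEAT s with a growing radius until a valid
    confirmation arrives or T_SEND s have passed. Returns (confirmed, time, radius)."""
    now = start
    while now <= start + T_SEND:
        radius = R0 + R_STEP * ((now - start) // T_REPEAT)
        for v in vehicles:
            v.tick(now)
            if math.dist(v.pos, where) <= radius:
                c = v.on_osr({"pseudonym": fp, "where": where}, now)
                if c and c["pseudonym"] == fp and verify(reported_pk, c["msg"], c["sig"]):
                    return True, now, radius
        now += T_REPEAT
    return False, now, radius
```

The RA verifies the confirmation with the public key it received in the misbehavior report, so it never needs to resolve the vehicle's identity.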