3.4 Formal Modeling and Verification
Figure 3.6: Communication from vehicle to RSU with previous location certificate. [Figure: vehicle Vj sends encrypt(M = {Vid, position, timestamp, loc_cert, sign(M, PKVj-1)}, PKRSUk) to RSUk, which performs position verification.]
Evaluation. In this scheme, the Sybil node detection happens at two levels. Each RSU can verify the node (vehicle) based on location information, and the CA can check whether the node registration occurred anywhere in the network using a unique ID. An attacker cannot send a legitimate request to the CA, since the CA can check the validity of the message using the vehicle's public key. Each RSU requires less storage space because it stores information only of those vehicles that are within its range; an RSU erases a vehicle's details after it moves to the next RSU. Without a location certificate, vehicles cannot communicate with other vehicles, and this prevents a Sybil node from taking part in further communication. If an RSU or the CA detects a Sybil attack, it informs nearby RSUs, which in turn can reject a vehicle request without going through the remaining process.
Figure 3.7: Promela channels and process types. [Figure: proctypes CA, RSU[1], RSU[2] and Vehicle[1] to Vehicle[4], connected by the channels VEH_RSU_CHAN[i], RSU_VEH_CHAN[i], RSU_REQ_CHAN[i], RSU_RES_CHAN[i], RSU_CA_CHAN and CA_RSU_CHAN[i].]
typedef CER_REQ {byte veh_ID; byte veh_loc; byte rsu_ID; int loc_cert; int time;}
typedef CER_RES {byte veh_ID; byte rsu_ID; int loc_cert;}
The type loc_cert contains a positive value for a valid certificate. After obtaining a valid certificate from the RSU, the vehicle process increments the RSU ID by one and tries to associate with it using the current location certificate. The vehicle proctype is detailed in Appendix 3A.1. The RSU uses two other channels to communicate with the CA: one for communication from the RSU to the CA (rsu_ca_chan) and the other from the CA to the RSU (ca_rsu_chan).
chan rsu_ca_chan=[0] of {RSU_REQ};
chan ca_rsu_chan[NO_OF_RSU+1]=[0] of {CO_RES};
According to the proposed scheme, the RSS (received signal strength) method is used at each RSU for location verification. It is difficult to model such an environment in SPIN. Therefore, here we are using a simpler method for location verification. The RSU checks that the location is within a 4 km range of the RSU.
If this is so and the request contains an invalid certificate, then the RSU forwards it to the CA using the RSU_REQ data structure.
typedef RSU_REQ {byte veh_ID; byte rsu_ID; bit update;}
The update field in RSU_REQ is set to zero for a request with an invalid certificate.
If a request from a vehicle contains a valid certificate, the request is forwarded to the RSU which issued the current certificate. To communicate with nearby RSUs, each RSU maintains a request and response channel.
chan rsu_req_chan[NO_OF_RSU+1]=[0] of {CER_REQ,byte};
chan rsu_res_chan[NO_OF_RSU+1]=[0] of {CO_RES};
Here, CO_RES is the common response format of an RSU:
typedef CO_RES {byte veh_ID; bit status;}
After receiving a positive response from a nearby RSU or the CA, the RSU issues the new certificate through the cer_res_chan channel. To update the certificate, the RSU informs the CA of the new rsu_ID. Here, we again use the RSU_REQ structure with the update bit enabled. The CA maintains a database with veh_ID and rsu_ID information, which effectively maps the vehicle identity to the RSU identity under which it is present.
typedef VEHID_STORE {byte veh_ID; byte rsu_ID;}
The CA can check whether a vehicle is registered in any other RSU using the database. If it is already registered, the CA informs the RSU about a possible Sybil attack attempt. In this situation, the RSU updates its local storage with the invalid certificate for the particular vehicle. This will prevent the vehicle from obtaining a valid certificate on a subsequent request. The complete RSU and CA proctypes are detailed in Appendices 3A.2 and 3A.3, respectively.
Verification. The verification process ensures that no vehicle has a valid location certificate from two different RSUs at the same time. Each RSU maintains a copy of the currently active location certificate within its range. We use an observer process to verify this property, by having it scan different RSUs and ensuring that each vehicle has only one valid location certificate. In the specification below, the assert clause fails if two RSUs have a valid certificate for the same vehicle.
active proctype Observer() {
  int i, j, k;   /* k was undeclared in the original listing */
  do
  :: for (i : 1 .. NO_OF_RSU) {
       atomic {
         for (j : 1 .. NO_OF_RSU) {
           if
           :: (i != j && rsu_pids[i] > 0 && rsu_pids[j] > 0) ->
                for (k : 1 .. NO_OF_VEH) {
                  /* no vehicle may hold a valid certificate at two RSUs at once */
                  assert(!(RSU[rsu_pids[i]]:loc_cert[k] > 0 &&
                           RSU[rsu_pids[j]]:loc_cert[k] > 0));
                }
           :: else -> skip;
           fi
         }
       }
     }
  od
}
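The RSU and CA logic described above and the Observer invariant, replayed in Python as an added example (this is not the book's Promela model). The class and function names, the simplified 4 km range check, the certificate numbering and the scenario inputs are constructed assumptions; the example also shows the valid-certificate hand-over between RSUs that the text describes.

```python
# Added example (not the book's Promela model); names, numbering and inputs are assumptions.
RANGE_KM = 4     # simplified location check used in the SPIN model
INVALID = -1     # loc_cert value for a rejected or flagged vehicle

class CA:
    """Keeps VEHID_STORE (veh_ID -> rsu_ID) and answers RSU_REQ messages."""
    def __init__(self):
        self.registry = {}
    def handle(self, veh_id, rsu_id, update):
        known = self.registry.get(veh_id)
        if not update and known is not None and known != rsu_id:
            return 0                    # same ID active under another RSU: Sybil
        self.registry[veh_id] = rsu_id  # first registration or certificate update
        return 1

class RSU:
    """Stores loc_cert only for vehicles in range (>0 valid, INVALID flagged)."""
    def __init__(self, rsu_id, location_km, ca, peers):
        self.rsu_id, self.location_km, self.ca, self.peers = rsu_id, location_km, ca, peers
        self.loc_cert, self.next_cert = {}, rsu_id * 10 + 1   # constructed numbering
        peers[rsu_id] = self
    def handle(self, veh_id, veh_loc_km, cert, prev_rsu_id):
        """Processes one CER_REQ and returns the CER_RES loc_cert value."""
        if abs(veh_loc_km - self.location_km) > RANGE_KM:
            return INVALID              # outside the 4 km window
        if self.loc_cert.get(veh_id) == INVALID:
            return INVALID              # flagged earlier: stays blocked here
        if cert > 0:                    # hand-over: confirm with the issuing RSU
            prev = self.peers.get(prev_rsu_id)
            ok = prev is not None and prev.loc_cert.get(veh_id) == cert
            if ok: del prev.loc_cert[veh_id]   # previous RSU erases the vehicle
            status = self.ca.handle(veh_id, self.rsu_id, True) if ok else 0
        else:
            status = self.ca.handle(veh_id, self.rsu_id, False)
        if status == 0:
            self.loc_cert[veh_id] = INVALID    # remember the rejection locally
            return INVALID
        self.loc_cert[veh_id], self.next_cert = self.next_cert, self.next_cert + 1
        return self.loc_cert[veh_id]

def observer_ok(peers):   # Observer invariant: one valid certificate per vehicle
    valid = [v for r in peers.values() for v, c in r.loc_cert.items() if c > 0]
    return len(set(valid)) == len(valid)

def figure_3_8_scenario():   # constructed replay: ID 1 at RSU 1, Sybil copy at RSU 2
    ca, peers = CA(), {}
    rsu1, rsu2 = RSU(1, 0, ca, peers), RSU(2, 10, ca, peers)
    legit = rsu1.handle(1, 2, 0, None)
    sybil = [rsu2.handle(1, 11, 0, None) for _ in range(3)]
    return legit, sybil, observer_ok(peers)
```

Note that an RSU which has flagged an ID keeps rejecting it, so a legitimate vehicle whose ID was cloned near that RSU is also blocked there until the entry is cleared.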
Figure 3.8 shows the kind of output produced by SPIN. We briefly explain this output:
Figure 3.8: SPIN sequence diagram. The malicious Vehicle 6 is a Sybil node and tries to impersonate Vehicle 5 but keeps obtaining invalid certificates. [Figure: message sequence chart with lanes 0:CA, 1:Observer, 2:init, 3:RSU, 4:RSU, 5:Vehicle and 6:Vehicle.]
5:Vehicle is a legitimate node with identity 1, and 6:Vehicle is a malicious (Sybil) node that is using the same ID as 5:Vehicle.
The input received by veh_rsu_chan[1]?1,4,0,-1,0 represents the location certificate requested by 5:Vehicle through RSU 3:RSU. This RSU consults with the CA and assigns a valid certificate through rsu_veh_chan[1]?1,1,4.
The Sybil node, 6:Vehicle, tries to associate with 4:RSU but obtains an invalid certificate from the RSU via rsu_veh_chan[2]?1,2,-1.
The Sybil node repeatedly tries to obtain a valid certificate, but does not succeed.