Proceedings of the 2007 IEEE Intelligent Transportation Systems Conference, Seattle, WA, USA, Sept. 30 - Oct. 3, 2007. WeC4.3

Analysis of a Secure Software Upload Technique in Advanced Vehicles using Wireless Links

Irina Hossain, Student Member, IEEE, and Syed Masud Mahmud, Member, IEEE

Abstract: Software modules of an advanced vehicle can be updated using Remote Software Upload (RSU) techniques. RSU employs an infrastructure-based wireless communication technique in which the software supplier sends the software to the targeted vehicle via a roadside Base Station (BS). However, security is critically important in RSU, both to avoid disasters due to malfunctions of the vehicle and to protect the proprietary algorithms from hackers, competitors or people with malicious intent. In this paper, we present a mechanism for secure software upload in an advanced vehicle. In order to increase the security level, we propose that the vehicle receive two copies of the software along with a Message Digest (MD) in each copy. The vehicle installs the new software only when it has received two identical copies of the software. To validate our proposition we derive analytical expressions for the average number of packet transmissions needed for a successful software update, and investigate different cases depending on the vehicle's buffer size and verification method. Our analytical and simulation results show that sending two copies of the software to the vehicle is sufficient to thwart security attacks while uploading the software.

Key words: advanced vehicle, authentication, security, software upload and wireless communication.

I. INTRODUCTION

With the use of information and computer-based technologies, advanced electronic systems, sensing and intelligent algorithms, an advanced vehicle incorporates various advanced features, such as drive-by-wire, telematics, pre-crash warning, remote diagnostics, highway guidance, traffic alerts etc. The introduction of new features, improvement of existing features, updating of navigation information etc. will require software updates in the vehicle's electronic modules from time to time. On the other hand, the evolution of wireless technologies has directly benefited the nation's transportation system. The automotive industry and Intelligent Transportation Systems (ITS) use different wireless technologies for different applications including road safety, traffic management and driver assistance. In the same way, software updates in a vehicle's electronic modules could benefit from wireless technology. Remote software upload, using wireless communication links, will aid the update process by saving both consumers and auto manufacturers time and money [1]. When a particular vehicle experiences some problem with its functionality, the software provider can establish a point-to-point communication link with the vehicle via the roadside base station (BS) under which the vehicle resides and send the necessary software to the non-functioning module. However, transmitting software packets over radio channels makes eavesdropping, data altering, theft of service, and denial of service (DoS) attacks easier for adversaries. Hence, additional security mechanisms are needed to protect communication over the wireless network. This paper presents a secure architecture for remote software upload in a vehicle. The proposed technique authenticates the software provider as well as the vehicle to which software needs to be uploaded, and provides integrity of the software being transmitted from vendor to vehicles. In order to increase the security level of the proposed mechanism we analyze different scenarios with regard to the vehicle's buffer size and software packet verification methods, using analytical and simulation models.

The paper is organized as follows. Section II presents background information about the technology used in this work and a brief review of past research, Section III describes the Remote Software Upload (RSU) architecture we propose and its analytical modeling, Section IV summarizes the results of analysis and simulation, and Section V presents the conclusion.

Manuscript received April 5, 2007. Irina Hossain is with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI (phone: 65-85-588; fax: 65-305-4549; e-mail: ihossain@wayne.edu). Syed Masud Mahmud is with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI (phone: 313-577-3855; fax: 313-577-5845; e-mail: smahmud@ece.eng.wayne.edu).

1-4244-1396-6/07/$25.00 ©2007 IEEE.

II. BACKGROUND AND RELATED WORKS

Since wireless communication technologies provide various advantages, such as portability, flexibility, lower installation cost and increased efficiency, they are becoming the communication infrastructure of choice in our everyday lives. Advances in wireless communication systems have potential value for the nation's transportation system. Using the Global Positioning System (GPS) and a voice-activated cellular system, OnStar Corporation has successfully deployed the Advanced Automatic Crash Notification (AACN) system in modern vehicles to report accidents in a reliable and timely manner [2]. Auto manufacturers are exploring Bluetooth technology for an in-vehicle Wireless Personal Area Network (WPAN) which will connect various on-board devices such as cell phones, PDAs, laptops and GPS transceivers [3]. Although wireless technologies offer users additional conveniences over wired technologies, they also introduce unique security challenges. Various threats and vulnerabilities associated with wireless networks and hand-held devices are listed in [4]. Hence, additional mechanisms are needed to protect the security, i.e., the integrity, authenticity and confidentiality, of communication over wireless networks. In previous work, secure software update techniques for mobile devices over IP networks have been proposed [5-6]. Since the security protocols in WLAN and WWAN have security flaws, they proposed both symmetric and asymmetric/public-key cryptographic techniques and the combination of the two (symmetric and asymmetric). In order to increase the security level, we propose that the vehicle upload two copies of the software, with the message digest (MD) in each copy. Since the vehicle will not accept the software unless the packets in the two copies match, there is no chance that the vehicle will upload software that has been changed by a hacker.

III. THE SECURE SOFTWARE UPLOAD ARCHITECTURE

A detailed description of the Remote Software Upload (RSU) technique in a vehicle using wireless communication links was given in [1]. In our architecture, we assume that the Auto Company (AC) either has its own software distribution center or has an agreement with a third-party Software Vendor (SV) to provide the required software. Each vehicle has a wireless unit installed in it to communicate with other vehicles as well as with the BSs. The AC, the SV and the BSs are connected through high-speed wired/wireless networks, whereas the vehicles, which travel between cells, communicate with the underlying network via the BSs using long-range wireless communication links, e.g., cellular or Wi-Fi links. The BS under which the targeted vehicle resides receives the software packets from the SV using a secure communication technique such as SSL/TLS and transmits the packets to the targeted vehicle through a secure wireless link (Fig. 1).

[Fig. 1. Remote Software Distribution Network using Wireless Links. The figure is not reproduced; its labels are: Software Supplier, BS, Packet, Wireless link, High-speed wired link.]

A. Authentication and Key Agreement Process

When a wireless device is installed in a vehicle V, a set of n authentication keys K_V = (k_V^1, \dots, k_V^n) is provided to it. Each key is used to authenticate V at one software distribution session. A copy of these keys is also kept in a secure Central Server (CS) which is maintained by the AC or another trusted party. The key management process for the vehicle's authentication keys was described in [1]. The AC or another Certification Authority (CA) issues Digital Certificates to the SV and all BSs, which contain their authentic public keys. We assume that all the vehicles and the BSs have a copy of the SV's authentic public key and that the BSs have each other's public keys. When the AC decides to upload software to a vehicle V, it sends an unused authentication key k_V^j and the number of the module to which the software needs to be uploaded to the SV, using a secure link such as SSL/TLS. Upon receiving the message, the SV creates a SW_update_join_request message that consists of a message ID, a vehicle ID (VID, which could be a part of its VIN number), the ID of the module to which the software needs to be updated, the version number of the software and a session key k. The SV digitally signs it, encrypts the message and the signature using k_V^j and sends it to the BS under which V is currently located. The BS honestly relays the message to V. After receiving the SW_update_join_request message, V decrypts the message using k_V^j, verifies the signature and the version number of the software and sends a join_acceptance message. If authentication fails, the vehicle V ignores the message.

B. Sending the Packets

After successful authentication of both the vehicle and the SV, the SV starts sending the software packets encrypted with the session key k. The SV can use this key to create a MAC (Message Authentication Code) value for each software packet and send it along with the packet.
The vehicle verifies the authenticity of the packet by checking the MAC, and the integrity of the packet by comparing the hash value of the received packet with the one contained in the MAC. Since both parties share the same secret key, anyone who has the key could generate the MAC, so it does not guarantee non-repudiation in case of a dispute between the SV and the vehicle. Moreover, if an intruder could successfully change both the packet and the MAC value, then there is no way the vehicle could verify the software. A better solution for software upload was proposed in [1], where it was suggested that the vehicle receive two copies of the software along with the Message Digest (MD) in each copy. If some packets of the first copy do not match the corresponding packets in the second copy, the vehicle requests retransmission of the unmatched packets. After receiving both copies along with the MDs, the vehicle calculates an MD over the received software and compares it with the received MD. The vehicle accepts the software only when the calculated MD and the received MD match. Fig. 2 shows the flow diagram of the technique. In the next section we present several ways in which the vehicle can receive two copies of the software and find analytical expressions for the average number of packet transmissions (N) for successful software reception in each case. To allow comparison, we also present the expression of N for the single-copy software upload technique.

[Fig. 2. Two-copy Upload Technique. The flow chart is not reproduced; its steps are: the vehicle receives two copies of the software with an MD in each copy; the vehicle decrypts both copies; if the two MDs are not the same, the vehicle requests retransmission of the MD; the vehicle starts pair-wise packet comparison between the two copies and requests retransmission of unmatched packets until the two copies match, using one of the techniques defined below; the vehicle computes the MD; if the received MD equals the computed MD the vehicle accepts the software, otherwise it rejects it.]

1) Notation

The symbols and notation used throughout the paper are presented in Table I.

TABLE I. NOTATIONS USED IN THE RSU TECHNIQUE
Symbol | Significance
M | Total number of software packets, without the MD
m | Number of packets in a segment
S | Number of segments = M/m
p | Packet error probability due to hacking
P_pair | Probability that a packet pair does not match due to hacking
P_soft | Probability that the received software is in error due to hacking
T | Average number of trials to send one packet, one segment or the whole software successfully
P_i | Probability of success in the i-th trial
N_p | Average number of packet transmissions to receive one good packet
N | Average number of packet transmissions for a successful software upload

2) Definitions

Fig. 3 shows the different software upload techniques that we consider in our analysis.

[Fig. 3. Different Upload Techniques. The figure is a tree, not reproduced: Software Upload divides into Single-copy Upload (with Segmented Single-copy Upload as a variant) and Multiple-copy Upload; Multiple-copy Upload divides into the Infinite Buffer Case and the Finite Buffer Case, the latter with Pair Transmission, with Random Packet Delete, or with Consecutive Good Packets.]

a) Single-copy Upload: If there is only one buffer in the vehicle's software module to accept the new software and one copy of the software packets is sent, appended with the MD, then it is called Single-copy Upload.

b) Segmented Single-copy Upload: If the software packets are divided into segments of a certain number of packets and each segment is sent with its own MD, then it is called Segmented Single-copy Upload.

c) Multiple-copy Upload: If there is more than one buffer and multiple copies of the software packets are sent, with the MD in each copy, until a match is found, then it is called Multiple-copy Upload.

d) Infinite Buffer Case: If there is an infinite number of buffers to accept multiple copies of a packet, so that a new copy of the packet can be compared with all the packets already received until a match is found, then it is called the Infinite Buffer Case. This is the ideal case and not practical; it requires the minimum number of packet transmissions for a successful software upload.

e) Finite Buffer Case: If there are two buffers to accept two copies of a packet, and one or both of the packets are replaced by newly transmitted packets until the vehicle receives a good packet, then it is called the Finite Buffer Case.

f) Finite Buffer with Pair Transmission: If a packet pair does not match, the vehicle could delete both packets and request another pair until a matched pair is found. This case is defined as the Finite Buffer with Pair Transmission.

g) Finite Buffer with Random Packet Delete: If a packet pair does not match, the vehicle could delete one randomly chosen packet and request another packet until a matched pair is found. This case is defined as the Finite Buffer with Random Packet Delete.

h) Finite Buffer with Two Consecutive Good Packets: If a packet pair does not match, the vehicle always deletes the older packet and requests another packet until a matched pair is found. This case is defined as the Finite Buffer with Two Consecutive Good Packets.

3) Single-copy Upload

After receiving all the encrypted software packets and the MD, the receiving vehicle decrypts the packets, calculates an MD and compares it with the received MD. If both MDs match, the vehicle accepts the software. Otherwise, it requests the supplier to retransmit the entire software. In this method, if a hacker changes at least one software packet, the calculated MD will differ from the received MD. Since neither the vehicle nor the supplier knows which packet has been changed, the supplier needs to retransmit the entire software including the MD, which requires more network bandwidth. Moreover, if a hacker can successfully change a packet in every transmission, it is not possible at all to upload the software successfully.
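The following is an added example, not code from the paper: a Python model of the vehicle-side procedure of Fig. 2, combining the per-packet MAC of Section III.B with pair-wise comparison of the two copies, the retransmission policy of definition f) (Finite Buffer with Pair Transmission) and the final MD check. The message layout (sequence number, payload, HMAC-SHA256 tag), SHA-256 as the MD, the 16-byte packet size, the session key and the 64-byte software image are all constructed for the demonstration, and encryption with the session key is omitted. The tamper function models the case the text describes in which an intruder changes both a packet and its MAC: the MAC check alone passes, but the altered packet fails the comparison with the second copy and is replaced by a retransmitted pair.

```python
"""Added example: vehicle-side receiver for the two-copy upload of Fig. 2.
Message formats, key, packet size and software image are constructed here;
encryption with the session key is left out."""
import hashlib
import hmac
import random

PACKET_SIZE = 16


def split_packets(software, size=PACKET_SIZE):
    """Cut the software image into fixed-size packets (the last may be shorter)."""
    return [software[i:i + size] for i in range(0, len(software), size)]


def packet_mac(session_key, seq, payload):
    """MAC over sequence number and payload, so a packet cannot be moved to another slot."""
    return hmac.new(session_key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def mac_verifies(session_key, pkt):
    seq, payload, mac = pkt
    return hmac.compare_digest(mac, packet_mac(session_key, seq, payload))


def message_digest(software):
    """MD over the whole software image (SHA-256 here)."""
    return hashlib.sha256(software).digest()


class Supplier:
    """Software Vendor side: builds copies and answers retransmission requests."""

    def __init__(self, software, session_key):
        self.packets = split_packets(software)
        self.key = session_key
        self.md = message_digest(software)

    def send_packet(self, seq):
        payload = self.packets[seq]
        return (seq, payload, packet_mac(self.key, seq, payload))

    def send_copy(self, rng):
        """A full copy; packet order is randomised, as the paper recommends."""
        order = list(range(len(self.packets)))
        rng.shuffle(order)
        return [self.send_packet(seq) for seq in order], self.md


def receive_two_copies(copy1, md1, copy2, md2, session_key, request, max_rounds=50):
    """Vehicle side of Fig. 2 with the Finite Buffer with Pair Transmission policy.
    request(seq) fetches a fresh (seq, payload, mac) from the supplier.
    Returns (accepted, software, packets_retransmitted)."""
    if md1 != md2:                                  # both MDs must agree first
        return False, b"", 0
    buf1 = {pkt[0]: pkt for pkt in copy1}
    buf2 = {pkt[0]: pkt for pkt in copy2}
    if buf1.keys() != buf2.keys():
        return False, b"", 0
    retransmitted = 0
    for seq in sorted(buf1):
        rounds = 0
        # a pair is accepted only when both MACs verify and both payloads are identical;
        # otherwise both copies of the packet are dropped and a fresh pair is requested
        while not (mac_verifies(session_key, buf1[seq]) and mac_verifies(session_key, buf2[seq])
                   and buf1[seq][1] == buf2[seq][1]):
            rounds += 1
            if rounds > max_rounds:                 # give up instead of looping under attack
                return False, b"", retransmitted
            buf1[seq], buf2[seq] = request(seq), request(seq)
            retransmitted += 2
    software = b"".join(buf1[seq][1] for seq in sorted(buf1))
    accepted = hmac.compare_digest(message_digest(software), md1)   # final MD check
    return accepted, software, retransmitted


def tamper(copy, seq, session_key=None):
    """Adversary model for the demonstration only: alter one payload of a copy.
    Given the session key it also recomputes the MAC, the case a MAC alone cannot detect."""
    out = []
    for s, payload, mac in copy:
        if s == seq:
            payload = bytes([payload[0] ^ 0xFF]) + payload[1:]
            if session_key is not None:
                mac = packet_mac(session_key, s, payload)
        out.append((s, payload, mac))
    return out


def _setup(seed):
    key = hashlib.sha256(b"constructed session key").digest()   # constructed, not a real key
    return random.Random(seed), key, Supplier(bytes(range(64)), key)  # constructed image


def mac_alone_detects(seed=7):
    """Does the per-packet MAC check by itself notice a forged packet? (No, with the key known.)"""
    rng, key, sv = _setup(seed)
    attacked = tamper(sv.send_copy(rng)[0], seq=2, session_key=key)
    return not all(mac_verifies(key, pkt) for pkt in attacked)


def demo(forge_mac=True, bad_md=False, seed=7):
    """Upload the constructed image with one altered packet in the first copy."""
    rng, key, sv = _setup(seed)
    copy1, md1 = sv.send_copy(rng)
    copy2, md2 = sv.send_copy(rng)
    md2 = b"\0" * len(md2) if bad_md else md2       # optional MD corruption for the demo
    attacked = tamper(copy1, seq=2, session_key=key if forge_mac else None)
    return receive_two_copies(attacked, md1, copy2, md2, key, sv.send_packet)


if __name__ == "__main__":
    print("MAC alone detects forged packet:", mac_alone_detects())
    print("two-copy receiver:", demo()[0], "retransmitted", demo()[2])
```

demo() returns (accepted, software, packets_retransmitted): with one forged packet in the first copy the software is accepted after the mismatched pair is retransmitted, and with a corrupted MD the receiver rejects before comparing any packets, as the first decision box of Fig. 2 requires.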
For a packet error probability p due to hacking, the probability that the software is in error is

P_{soft} = 1 - (1-p)^{M+1}    (1)

The average number of trials required to send the software successfully is

T = \sum_{i=1}^{\infty} i\,P_{soft}^{\,i-1}(1-P_{soft}) = \frac{1}{1-P_{soft}}    (2)

The average number of packet transmissions for a successful software upload is

N = (M+1)\,T = \frac{M+1}{(1-p)^{M+1}}    (3)

4) Segmented Single-copy Upload

In the case of single-copy transmission, if the number of software packets M increases, the average number of packet transmissions for a successful software upload increases exponentially (eq. (3)). An alternative approach is to divide the M software packets into S segments with m packets in each segment. Then the average number of trials required to send one segment successfully is

T = \frac{1}{(1-p)^{m+1}}    (4)

The average number of packet transmissions needed for successful upload of the S segments is

N = (m+1)\,S\,T = \frac{(m+1)\,S}{(1-p)^{m+1}}    (5)

5) Multiple-copy Upload: Infinite Buffer Case

For each software packet, the vehicle first receives two copies of the packet. If the packets do not match, it requests another copy of the packet. The third copy is compared with the previous two. If no match is found it requests another copy. Since there is an infinite number of buffers, after receiving the i-th copy it compares it with the previous i-1 copies. The process continues until a matched pair is found. The probability that the matched pair is completed by the (i+1)-th copy, i = 1, 2, 3, \dots, is

P_i = i\,p^{\,i-1}(1-p)^2    (6)

The average number of packet transmissions for successful upload of one packet is

N_p = \sum_{i=1}^{\infty} (i+1)\,P_i = \frac{2}{1-p}    (7)

The average number of packet transmissions for a successful software upload is

N = (M+1)\,N_p = \frac{2(M+1)}{1-p}    (8)

6) Finite Buffer with Pair Transmission

In this case, if the two copies of a packet do not match, the supplier sends another pair of packets. The probability that a pair does not match is

P_{pair} = 1 - (1-p)^2    (9)

The average number of trials to send one packet successfully is

T = \sum_{i=1}^{\infty} i\,P_{pair}^{\,i-1}(1-P_{pair}) = \frac{1}{1-P_{pair}} = \frac{1}{(1-p)^2}    (10)

The average number of packet transmissions for a successful software upload is

N = (M+1)\,2T = \frac{2(M+1)}{(1-p)^2}    (11)

7) Finite Buffer with Two Consecutive Good Packets

When the two received copies of a packet do not match, the vehicle replaces the first copy in buffer 1 with the second copy from buffer 2, requests another copy and places it in buffer 2. The average number of packet transmissions for successful upload of one packet is

N_p = \sum_{i=1}^{\infty} (i+1)\,P_i = \frac{2-p}{(1-p)^2}    (12)

Then the average number of packet transmissions for a successful software upload is

N = (M+1)\,N_p = \frac{(M+1)(2-p)}{(1-p)^2}    (13)

IV. SIMULATION RESULTS

We now present simulation results to validate the analytical expressions developed for the different software upload techniques. For a particular packet error probability p due to hacking, we generated a uniformly distributed random number using the drand48() function in C++ with the gcc compiler. If the random number was less than p then the packet was considered a bad packet, and vice versa. Fig. 4 and Table II show the agreement between the analytical and simulation results for the average number of packet transmissions for the Single-copy and Multiple-copy software upload techniques, respectively. For Single-copy transmission, at higher p the average number of packet transmissions (N) for a successful software upload increases exponentially as the software size increases. However, if the software is sent in segmented form, N is reduced considerably. Fig. 5 exemplifies the effect of segmentation for a software size of 1024 packets and different numbers of segments. The more segments there are, the fewer packet transmissions are necessary for a successful software upload. Conversely, as the number of segments increases, it might take more time to encrypt, decrypt and transmit all the segments. Hence, there is a trade-off between the number of segments and processing time. The Two-copy software upload is always superior to the Single-copy software upload as far as security is concerned. Since the second copy is transmitted after a random time interval in a random packet order, it is very unlikely that an intruder would know whether a second copy will be transmitted or not. Moreover, even if an intruder changes one packet of the first copy, it would be difficult for him to change the same packet in the second copy due to the randomness of the packet transmission. Fig. 6 represents the average number of packet transmissions (N_p) to upload a single packet successfully in the multiple-copy software upload scenario. Unlike the single-copy software upload, the total number of packet transmissions necessary to upload the entire software is linearly dependent on the software size (eq. (8), (11) and (13)). From Fig. 6 it is also observed that for low values of p, on average only two packets need to be transmitted for any of the techniques mentioned above. For a high value of p, Finite Buffer with Random Packet Delete provides the least number of packet transmissions with respect to the ideal case where we have an infinite number of buffers. In general, the hacking probability is very low. Thus, any of the techniques could be used if there are one or more unmatched packet pairs. In addition, N_p does not vary notably between the two-buffer case and the infinite-buffer case. Adding more buffers would not improve the performance of the software upload remarkably. Consequently, we propose using no more than two buffers in a vehicle's software modules to upload two copies of the software. At lower p, single-copy software upload requires fewer packet transmissions than multiple-copy software upload. However, the latter technique offers additional security if the software packets are transmitted in random order and the second copy is transmitted after a random time interval with a very long average value. Hence, we recommend that initially the supplier send two copies of the software to the vehicle.

[Fig. 4. Comparison of analytical and simulation results for the Single-copy Upload technique: average number of packet transmissions N versus packet error probability p (log scale), for M = 1024 and M = 512, simulation and analytical. Figure not reproduced.]

[Fig. 5. Effect of segmentation on Single-copy Upload for M = 1024: N versus p (log scale) for Single-copy transmission and for S = 2, 4, 8 and 16 segments. Figure not reproduced.]
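As an added check on the closed forms of Section III (this is not the authors' C++ simulation), the following Python script implements the packet-error model of Section IV (a uniform random number below p marks a packet as bad) and simulates the Single-copy, Segmented Single-copy, Infinite Buffer, Pair Transmission and Two Consecutive Good Packets techniques, comparing the measured N and N_p with eq. (3), (5), (7), (10) and (12). Like the analysis, it assumes that an altered copy never matches any other copy. The Random Packet Delete case is left out because the paper gives no closed form for it. The parameter values (M = 64, S = 8, p = 0.1 and 0.01) are chosen for the demonstration and differ from the paper's.

```python
"""Added example: Monte Carlo check of the packet-transmission counts of
Section III against eq. (3), (5), (7), (10) and (12). Model assumptions, as in
the analysis: a copy is altered with probability p, and an altered copy never
matches any other copy."""
import random


def n_single(M, p):
    """Eq. (3): single-copy upload, the whole software (M packets + MD) per trial."""
    return (M + 1) / (1 - p) ** (M + 1)


def n_segmented(M, S, p):
    """Eq. (5): S segments of m = M/S packets, each segment carrying its own MD."""
    m = M // S
    return (m + 1) * S / (1 - p) ** (m + 1)


def n_packet_infinite(p):
    """Eq. (7): transmissions per packet, infinite buffer."""
    return 2 / (1 - p)


def n_packet_pair(p):
    """2T with T from eq. (10): finite buffer with pair transmission."""
    return 2 / (1 - p) ** 2


def n_packet_consecutive(p):
    """Eq. (12): finite buffer, two consecutive good copies required."""
    return (2 - p) / (1 - p) ** 2


def _copy(p, rng):
    """One received copy: 'good' if intact, otherwise a unique tag that never matches."""
    return "good" if rng.random() >= p else ("bad", rng.random())


def sim_single(M, p, rng):
    """Retransmit all M+1 packets until a trial arrives with no altered packet."""
    sent = 0
    while True:
        sent += M + 1
        if all(rng.random() >= p for _ in range(M + 1)):
            return sent


def sim_segmented(M, S, p, rng):
    """Each of the S segments (M/S packets + MD) is uploaded independently."""
    return sum(sim_single(M // S, p, rng) for _ in range(S))


def sim_packet(p, rng, policy):
    """Transmissions of one packet until two matching copies are held."""
    if policy == "infinite":
        seen = [_copy(p, rng)]
        sent = 1
        while True:
            new = _copy(p, rng)
            sent += 1
            if new in seen:                 # compared against every earlier copy
                return sent
            seen.append(new)
    buf = [_copy(p, rng), _copy(p, rng)]    # the two buffers of the finite case
    sent = 2
    while buf[0] != buf[1]:
        if policy == "pair":                # drop both copies, request a fresh pair
            buf = [_copy(p, rng), _copy(p, rng)]
            sent += 2
        elif policy == "consecutive":       # keep only the newer copy, request one more
            buf = [buf[1], _copy(p, rng)]
            sent += 1
        else:
            raise ValueError("unknown policy: " + policy)
    return sent


def average(fn, runs, seed=1):
    """Mean of fn(rng) over `runs` independent repetitions with a fixed seed."""
    rng = random.Random(seed)
    return sum(fn(rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    p = 0.1
    for name, formula in [("infinite", n_packet_infinite), ("pair", n_packet_pair),
                          ("consecutive", n_packet_consecutive)]:
        est = average(lambda r: sim_packet(p, r, name), 40_000)
        print(f"{name:12s} N_p analytical {formula(p):.4f}  simulated {est:.4f}")
    M, S, p = 64, 8, 0.01
    print(f"single    N analytical {n_single(M, p):.1f}  simulated "
          f"{average(lambda r: sim_single(M, p, r), 5000):.1f}")
    print(f"segmented N analytical {n_segmented(M, S, p):.1f}  simulated "
          f"{average(lambda r: sim_segmented(M, S, p, r), 5000):.1f}")
```

At p = 0.1 the three per-packet policies give N_p of 2/(1-p), 2/(1-p)^2 and (2-p)/(1-p)^2, i.e. 2.2222, 2.4691 and 2.3457, which are the analytical entries of Table II for that row; the simulated means land within a few hundredths of them, and the segmented run shows the linear-versus-exponential gap between eq. (5) and eq. (3) as M grows.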
TABLE II. COMPARISON OF ANALYTICAL AND SIMULATION RESULTS FOR DOUBLE-COPY TRANSMISSION (N_p, average number of packet transmissions per packet; cells marked illegible could not be recovered from this copy)
p | Infinite Buffer N_p (Simulation) | Infinite Buffer N_p (Analytical) | Finite Buffer with Pair Transmission N_p (Simulation) | Finite Buffer with Pair Transmission N_p (Analytical) | Finite Buffer with Two Consecutive Good Packets N_p (Simulation) | Finite Buffer with Two Consecutive Good Packets N_p (Analytical) | Finite Buffer with Random Packet Delete N_p (Simulation)
0.1 | (illegible) | 2.2222 | 2.4704 | 2.4691 | 2.3443 | 2.3457 | (illegible)
0.01 | (illegible) | 2.0202 | 2.0406 | 2.0406 | 2.0303 | 2.0304 | (illegible)
0.001 | (illegible) | 2.0020 | 2.0040 | 2.0040 | (illegible) | 2.0030 | (illegible)
0.0001 | (illegible) | 2.0002 | 2.0004 | 2.0004 | 2.0003 | 2.0003 | 2.0003
0.00001 | 2.0000 | 2.0000 | 2.0000 | 2.0000 | 2.0000 | 2.0000 | 2.0000

[Fig. 6. Average number of packet transmissions (N_p) for successful upload of a single packet for the Two-copy software upload technique: N_p versus packet error probability p (log scale) for the Infinite buffer, Finite buffer with pair transmission, Finite buffer with consecutive good packets and Finite buffer with random packet delete cases. Figure not reproduced.]

V. CONCLUSION

The paper presents a detailed architecture for RSU of an advanced vehicle's software modules using an existing wireless communication technology such as Wi-Fi or cellular. In this architecture, the BSs act as proxies that reliably and honestly relay the software packets from the SV to the vehicle. Since they do not have access to the software packets, this eliminates any security threat that might exist if the BSs locally decrypted and re-encrypted the packets. The architecture provides mutual authentication of the SV and the vehicle. A vehicle's authentication keys are shared between the AC and the vehicle, and different authentication keys are used for different software distribution sessions, which prevents known-key attacks. We suggest that the SV send two copies of the software to the vehicle to increase the level of security. Moreover, the digital signature of the SV ensures non-repudiation and the MD of the entire software provides integrity of the software. This paper focuses on the software upload to a single vehicle. However, if the AC needs to upload software to a large number of vehicles, then wireless multicasting would be a better solution than multiple unicasts to individual vehicles. RSU will be in huge demand in the auto industry in the near future. If it can be implemented successfully, it will save both the AC and consumers time and money.

REFERENCES

[1] Syed Masud Mahmud, Shobhit Shanker and Irina Hossain, "Secure Software Upload in an Intelligent Vehicle via Wireless Communication Links," in Proc. of the 2005 IEEE Intelligent Vehicles Symposium, June 6-8, 2005, Las Vegas, Nevada, USA, pp. 587-592.
[2] http://www.onstar.com
[3] Syed Masud Mahmud and Shobhit Shanker, "An In-Vehicle Secure Wireless Personal Area Network (SWPAN)," IEEE Transactions on Vehicular Technology, Vol. 55, No. 3, pp. 1051-1061, May 2006.
[4] Tom Karygiannis and Les Owens, "Wireless Network Security: 802.11, Bluetooth and Handheld Devices," NIST Special Publication 800-48, U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-48/nist_sp_800-48.pdf
[5] C. Y. Yeun and T. Farnham, "Secure Software Download for Programmable Mobile User Equipment," in Proc. of the 3rd Generation Conference on 3G Mobile Communication Technologies, 8-10 May 2002, pp. 505-510.
[6] Wael Adi, Ali Al-Qayedi, Khaled Negm, Ali Mabrouk and Sarhan M. Musa, "Secured Mobile Device Software Update over IP Networks," in Proc. of IEEE SoutheastCon, 26-29 March 2004, pp. 271-274.