An experimental analysis of ECQV implicit certificates performance in VANETs Francesco Pollicino, Dario Stabili, Luca Ferretti and Mirco Marchetti University of Modena and Reggio Emilia, Italy Email: {francesco.pollicino, dario.stabili, luca.ferretti, mirco.marchetti}@unimore.it Abstract—Emerging Cooperative Intelligent Transportation VANETs in multiple scenarios. As an example, it does not Systems (C-ITS) enable improved driving experience and safety consider how security solutions may vary depending on the guarantees, but require secure Vehicular Ad-hoc NETworks number of connected devices or the constraints in terms of (VANETs) that must comply to strict performance constraints. Specialized standards have been defined to these aims, such as the end-to-end communication latencies. IEEE 1609.2 that uses network-efficient cryptographic protocols The paper includes two main contributions. First, we pro- to reduce communication latencies. The reduced latencies are pose an implementation of the Elliptic Curve Qu-Vanstone achieved through a combination of the Elliptic Curve Qu- (ECQV) implicit certificate scheme and the Elliptic Curve Vantstone (ECQV) implicit certificate scheme and the Elliptic Digital Signature Algorithm (ECDSA) that is compliant to Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementa- the IEEE 1609.2 standard, and describe an experimental tions and evaluations for vehicular systems. In this paper, we evaluation of the schemes when deployed on automotive- consider the IEEE 1609.2 standard for secure VANETs and grade boards [3]. To the best of our knowledge, this is the investigate the feasibility of ECQV and ECDSA schemes when first open implementation of implicit certificates for resource- deployed in C-ITSs. We propose a prototype implementation constrained devices in terms of computational power and of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this memory. Second, we investigate the feasibility of the schemes is the first open implementation of the scheme for constrained in multiple VANET scenarios characterized by different la- devices that are characterized by low computational power tency constraints discussed by the National Highway Traf- and low memory. We evaluate its performance against C-ITS fic Safety Administration (NHTSA) for vehicles safety [4]. communication latency constraints and show that, although even Guaranteeing security of automotive networks requires pro- highly constrained devices can support the standard, complying with stricter requirements demands for higher computational tecting connected vehicles from cyber-attacks. Security pro- resources. posals for intra-vehicular communications focus on defending against denial-of-service and message injection attacks by I. INTRODUCTION AND RELATED WORK using special-purpose anomaly detectors [5]–[7] and network The increasing popularity of connected vehicles allows to analysis tools [8], [9], and on protecting the integrity and enable Vehicular Ad-hoc NETworks (VANETs) [1], that is authenticity of the ECUs messages by using lightweight cryp- one of the intelligent components forming the Cooperative tographic schemes and architectures [10], [11]. The implicit Intelligent Transportation Systems (C-ITS) [2] with novel certificate schemes considered by this paper could also be of services and features that can improve driving experience interest for protecting the integrity of high-tier and future intra- through the cooperation between road-infrastructure services, vehicular networks that can support asymmetric cryptography road users and vehicles. However, designing and implementing schemes. However, in this paper we focus on inter-vehicular this complex system is a challenging task. As an example, networks, where their adoption on existing systems seems the novel communication networks must support a highly more promising. We leave further analyses on intra-vehicular heterogeneous environment, that comprises many vehicles and networks as a future work. boards manufacturers, and comply with the strict C-ITS con- The existing proposals [12]–[14] for vehicle-to-vehicle straints in terms of small latency and dynamic configuration of (V2V) communications that relate most with ours proposal are the network. In this paper, we investigate security solutions for architectures for guaranteeing communications integrity and VANETs and focus on integrity and authenticity guarantees authenticity, that require the adoption of proper cryptographic of vehicles communications. To this aim, we consider the protocols for identity and key management. They differ from security protocols of the IEEE 1609.2 standard, that defines standard Web protocols because they are designed to comply secure message formats for Wireless Access in Vehicular to the particular requirements of vehicles communications, Environments (WAVE), policies for the management of the including privacy protection against vehicles tracking and security certificates and the supported digital signature and vehicle safety requirements. Although they also build over encryption algorithms. Although the IEEE 1609.2 standard the IEEE 1609.2 standard, they do not consider the stricter represents a comprehensive proposal for secure vehicle com- workload requirements that characterize realistic vehicles com- munications, it does not provide recommendations that take munications (e.g., only consider messages sent every 100ms). into account the potentially different characteristics of the Moreover, they only consider using standard X.509 certifi- cates. In this paper, we analyze multiple stricter requirements Requester Client CA in terms of allowed latency and throughput, and analyze ID skCA PKCA the behavior of implicit certificates by using a prototype (CSR) CSRGen implementation. Similar to our proposal, the work presented in [15] analyzed if VANETs communications security based on sk CRTGen (CRT, r) ECQV certificates can satisfy latency constraints that are due Validation to enforce safety in a crash incident. Although their analyses sk PK are based on multiple standards (IEEE 1609.2 [16], ETSI ITS- U U G5 [17] and ARIB STD-T109 [18]), the proposed experimen- Fig. 1. Operation flow for the the generation of the ECQV certificate tal evaluation is based on a laptop computer and does not consider the timings of a proper implementation on hardware to delegate intermediate CAs to release certificate, called that typically characterizes automotive boards. The evaluation intermediate CAs, that can in turn delegate other CAs. Each proposed in this paper is focused on realistic automotive-grade delegation demands the delegating CA to sign a special- boards and is based on the first open prototype implementation purpose certificate, including the identity and the public key for ECQV and ECDSA. The prototype implementation is of the delegated CA. Moreover, a certificate chain includes the optimized for low-power devices and allows to better analyze public keys of the authorized user and of all the intermediate the performance of the implemented protocols in real-world CAs (for this reason it could also be called an explicit scenarios. certificate, in opposition to implicit certificates). For these The rest of the paper is organized as follows. We present reasons, the size of the certificate chain is proportional to the base knowledge on the IEEE 1609.2 standard, and on ECQV number of the intermediate CAs. Verifying the certificate chain implicit certificate and ECDSA schemes in Section II. We requires to verify the digital signature attached by each CA up describe the main design choices of the proposed implemen- to the Root Certificate. tation and micro-benchmarks on automotive-grade boards in Section III. We investigate the feasibility of the schemes in The implicit certificate scheme uses a more complex ap- VANETs in Section IV. Finally, we conclude the work in proach that leverages particular mathematical properties to Section V. bind identity information and public key without explicitly storing them. The most popular protocol for implicit cer- II. BASE KNOWLEDGE ON IEEE 1609.2 AND ECQV tificates, that is also included in the IEEE 1609.2 standard, The IEEE 1609.2 [16] standard specifies the recommenda- is ECQV. Intuitively, an ECQV certificate does not include tions for Wireless Access in Vehicular Environments (WAVE), the public key of the sender, but allows a recipient to re- including the framework of the security services that all the compute it by using the certificate of the sender and the devices must support, the formats used to exchange messages, public key of the CA, thus saving network usage. Although and the cryptographic schemes and algorithms that can be used implicit certificates seem very convenient thanks to their to protect messages. In this paper, we focus on the protocols space efficiency, they have a few disadvantages that limit used to guarantee integrity and authenticity of messages, that their adoption in common Web communications. Network include digital signatures and certificates. savings of implicit certificates can be considered negligible The reference standard for digital signatures is the Elliptic in most Web scenarios, because communications are mostly Curve Digital Signature Algorithm (ECDSA), that is a well- operated through channels exchanging large amounts of data known NIST standard already used to protect communications and certificates are only used once during