A novel key management protocol for vehicular cloud security

Vehicular cloud computing (VCC) is a new hybrid technology which has become an outstanding area of research. VCC combines salient features of cloud computing and wireless communication technology to help drivers in network connectivity, storage space availability and applications. VCC is formed by dynamic cloud formation by moving vehicles. Security plays an important role in VCC communication. Key management is one of the important tasks for security of VCC. This paper proposes a novel key management protocol for VCC security. Proposed scheme is based on Elliptical Curve Cryptography (ECC). The simulation results demonstrated that the proposed protocol is efficient compared to existing key management algorithms in terms of key generation time, memory usage and cpu utilization


System Model and Problem Definition
In this section, we discuss environment, assumptions and problem statement.

Environment
We consider VCC architecture in which vehicles are willing to share their unutilized resources. Vehicles should be in close proximity, should have relatively small speed difference between vehicles and travel in same direction. A broker is chosen randomly among the users. Broker owns responsibility of creation, maintenance and deletion of vehicular cloud. Permission to host VCC is obtained from CA by broker and he invites other users join VCC. Cloud is automatically formed by combining and resources form available number of vehicles like sensors, storage space and computational power. Vehicles involved in VCC have a basic trust relationship between them. Figure 1 illustrates the system model, which consists of network

Assumptions
The following assumptions are made in deployment of the proposed protocol: a. All vehicles are equipped with wireless communication devices, Global Positioning System (GPS), digital maps and optional sensors for reporting vehicle conditions. b. CA is trusted by all entities involved in VCC, has powerful firewalls and is not compromised. c. Every RSU deployed on the road or highway has a unique id (RSU ID ) and is registered to a CA. d. VCC users approach physically to CA, provide all essential data like vehicle id, name, phone number, email id, unique identity number and get registered with CA. e. OBU, RSU and CA communicate to each other via high bandwidth, low bit error and low delay links [13,24,25]. f. Data messages are encrypted at OBU before uploading it to vehicular cloud. This will reduce computation burden to VCC server. g. Decryption process of data messages is carried out at receivers OBU. VCC stores the encrypted data. The system thus separates storage of keys, encryption/decryption schemes from data which provides good security.

Problem Statement
The objective of the work is to design and develop an efficient key management protocol with resource optimization to secure communication in VCC environment to facilitate storage as a service model. The objective is achieved by 1) Key generation 2) Secure key distribution 3) Encrypted key storage 4) Compromised key revocation.

Proposed Scheme
The proposed key management protocol consists of four parts: key generation, key distribution, key storage and revocation. Table 1 illustrates notations used in this paper.

Key Management
This section discusses various phases like: generation, distribution, storage and revocation for cryptographic key used for VCC security. Before key generation for any entity like vehicle user or RSU, registration with CA is necessary. Registration process is carried out by Registration Authority (RA), which is part of CA.

Key generation
During registration procedure user interacts with registration authority. Initially vehicle user submits all required data to registration authority. CA verifies complete information of user requested for registration. Registration process results in binding keying material to information associated to an entity. This binding is a cryptographic process. CA generates unique id for vehicles and RSU (V ID )/(RSU ID ) for vehicle or RSU and the same is communicated. All the communication and verification needs this number. Public and private keys for vehicle/RSU are generated and the same are mapped to that particular vehicle id (V ID )/(RSU ID ). Algorithm 1 describes key generation procedure. CA chooses the system secret V PR , where 1<V PR <n, and computes {V PB =(V PR ) G}. CA maps key pair generated with unique identification number V ID . After successful registration and key generation, CA provides user with a smart card which contains private key, CA certificate. CA certificate contains public key of CA. All these details are stored in vehicles OBU using smart card. Algorithm1---Key Generation //Inputs: Domain parameters, V ID , RSU ID //Outputs: Output: Public key V PBi /RSU PUj

Key distribution
A certificate binds an identity to a public key. CA generates a public/private key pair V PBi /V PRi and transmits a message to user consisting of public key V PB , time of registration (T 0 ) and a unique identification number V IDi . Before sending signed certificate, CA and user should set up a secure communication channel. Key distribution process is explained in algorithm 2. User requests for public key, sending an encrypted message. Message is encrypted using public key of CA which is available with authenticated user. Message consists of user's unique id and time of registration with RA. This request is decrypted by CA using its private key. CA verifies the user unique id; registration details. Post verification, a response message is sent to user. This message is encrypted with CA private key.
The response message consists time of verification. User now sends a request for signed certificate from CA. User can send this certificate to VCC broker for secure communication. Certificate issued by CA to users will have limited expiry time and a unique serial number. This helps to protect from malicious users storing certificate illegally. Public key of a user is available to other users with this certificate. Received certificate will have timestamp and expiry details. The same certificate cannot be cached by other users for malpractice or by the same user again. Algorithm 2--Key Distribution //Inputs: Request //Outputs: Certificate/Reject

Key revocation
On proving the identity disclosure, a CA may decide revoke the permission for the vehicle in order to prevent future attacks on the vehicular cloud. CA must maintain a list consisting of all revoked but not expired certificates, known as the Certificate Revocation List (CRL). Each entry consists of the serial number of a certificate and revocation date for that certificate. Because serial numbers are unique within CA, the serial number is sufficient to identify the certificate. In revocation process, CA first develops a message using CA ID , V IDi , RSU IDj , vehicles public key, timestamp and encrypts this message using public key of CA. User after receiving this revocation message deletes all the keys sends an acknowledgement to CA. Key revocation procedure is explained in algorithm 4.

Implementation
In this section we explain the implementation of the work. We have used Java programming for ECDSA based key management protocol implementation. In the Java architecture, the Security API is one of the main interfaces of the language. It has been implemented on a computer with Intel core i5-4200 M CPU 2.50 GHz and 4GB RAM. We focused on the ECDSA digital signatures with key length 160,192,224, 256 bits. The obtained results have been plotted for memory consumption and time performance.

Results and Discussion
In this section we analyse the computational complexity, time complexity and space complexity of our proposed novel key management protocol. ECDSA signature key generation is compared with DSA, RSA and ElGamal cryptographic technique based key generation schemes.

Computational Complexity
DSA and RSA key generation algorithms require prime number testing, which is not cost effective. Besides, prime tests are probabilistic, which results into varying execution time. ECC cryptography based key generation algorithms involve only scalar point multiplication. In Figure 2 CPU utilization for key generation of different cryptographic algorithm are compared. Results show that ECDSA scheme is computationally more effective as greater security is achieved with smaller key size in comparison to RSA, Elgamal and DSA based key generation algorithms.

Memory Space Complexity
Different types of public key algorithms are compared for key generation. They are DSA, RSA, and ElGamal. The proposed protocol consumes less memory for key generation. Figure 3 shows the memory usage of the ECDSA key generation.

Time Complexity
Major factor for the key generation is the time consumption. Efficient system should consume less time for key generation. Table 2 shows the time for key generation for different key sizes. The time of generation is represented in seconds. The ECDSA can create keys in superior speed compared to other cryptographic algorithms of same key lengths. We can see that key generation time for RSA algorithm for lower key bit size is less. As key size increases, time taken for the key generation of increases. DSA and Elgamal algorithm have comparatively less time to RSA algorithm. ECDSA algorithm has less time compared to all algorithms. This results in faster processing times, and lower demands on memory and bandwidth which is well suited for VCC environment.  Figure 2. CPU Utilization Time Figure 3. Memory Utilization

Performance Analysis
The graphical results shown in Figure 4 are used to compare the key computation time at CA for our proposed key management protocol with the existing methods. It compares the results obtained from our proposed work with DAKM [13], CRGK [22], and NTRU [23]. From Figure 4, it is observed that when the key is 512 bits, the group key computation time of CA is found to be 14 msec in our proposed approach, which is better in comparison with the other existing schemes.  Table 3 shows computation and storage complexities. Among the existing key management works that we have considered, the Number Theory Research Unit (NTRU) [23] uses convolution product for calculating multiplication for key generation. It includes addition (A), division (D) and finding inverse using extended Euclidian Algorithm (EEA). It takes more computations. CRGK [22] and DAKM [13] perform only 1 subtraction(S) or addition (A) operation. Proposed key generation based on ECDSA is the simplest with performs scalar multiplication (M) and squaring (Sq). Our scheme being centralized does not need key generation every time a new user joins or leaves the group. This provides a less calculations among the scheme compared. In all other schemes key secrete is owned by one of the group member, but in proposed scheme key secrete is maintained by CA. N is total number of users. Proposed scheme is very secure in distribution of the keys. Every time a secure channel is set up between CA and user for key distribution. Key storage is very simple and easy in the proposed scheme because they are encrypted with block ciphers and stored at CA secure data base. Therefore only N (number of users) keys will not have multiple storage complexity in proposed method. Communication complexity is more in proposed scheme compared to CRGK [22] and DAKM [13] as every user needs individual, secure key distribution.

Conclusion and Future Work
In this paper we presented a novel key management system for VCC. Focus is given to key generation, distribution, storage and revocation. Extensive simulations are presented to evaluate the performance of the proposed techniques. Our proposed protocol provides greater security and more efficient performance than the existing key management techniques. Algorithm design supports dynamic nature of VCC. Scheme improved response time without affecting the communication time. The future work aims to measure the parameters like maximum storage in VCC, storage time available, cost per storage etc.in VCC environment.