Juanjo Alins
Polytechnic University of Catalonia
Publication
Featured research published by Juanjo Alins.
Journal of Network and Computer Applications | 2013
Carlos Gañán; Jose L. Muñoz; Oscar Esparza; Jorge Mata-Díaz; Juan Hernández-Serrano; Juanjo Alins
Vehicular Ad Hoc Networks (VANETs) require mechanisms to authenticate messages, identify valid vehicles, and remove misbehaving vehicles. A public key infrastructure (PKI) can be used to provide these functionalities using digital certificates. However, if a vehicle is no longer trusted, its certificates have to be revoked and this status information has to be made available to other vehicles as soon as possible. In this paper, we propose a collaborative certificate status checking mechanism called COACH to efficiently distribute certificate revocation information in VANETs. In COACH, we embed a hash tree in each standard Certificate Revocation List (CRL). This dual structure is called extended-CRL. A node possessing an extended-CRL can respond to certificate status requests without having to send the complete CRL. Instead, the node can send a short response (less than 1 kB) that fits in a single UDP message. Obviously, the substructures included in the short responses are authenticated. This means that any node possessing an extended-CRL can produce short responses that can be authenticated (including Road Side Units or intermediate vehicles). We also propose an extension to the COACH mechanism called EvCOACH that is more efficient than COACH in scenarios with relatively low revocation rates per CRL validity period. To build EvCOACH, we embed an additional hash chain in the extended-CRL. Finally, by conducting a detailed performance evaluation, COACH and EvCOACH are proved to be reliable, efficient, and scalable.
Pervasive and Mobile Computing | 2015
Carlos Gañán; Jose L. Muñoz; Oscar Esparza; Jorge Mata-Díaz; Juanjo Alins
Security is vital for the reliable operation of vehicular ad hoc networks (VANETs). One of the critical security issues is the revocation of misbehaving vehicles. While essential, revocation checking can leak private information. In particular, repositories receiving the certificate status queries could infer the identity of the vehicles posing the query and the target of the query. An important loss of privacy results from this ability to tie the checking vehicle with the query’s target, due to their likely willingness to communicate. In this paper, we propose an Efficient and Privacy-Aware revocation Mechanism (EPA) based on the use of Merkle Hash Trees (MHT) and a Crowds-based anonymous protocol, which replaces the time-consuming certificate revocation lists checking process. EPA provides explicit, concise, authenticated and unforgeable information about the revocation status of each certificate while preserving the users’ privacy. Moreover, EPA reduces the security overhead for certificate status checking, and enhances the availability and usability of the revocation data. By conducting a detailed performance evaluation, EPA is demonstrated to be reliable, efficient, and scalable.
Nets4Cars/Nets4Trains'12 Proceedings of the 4th international conference on Communication Technologies for Vehicles | 2012
Carlos Gañán; Jose L. Muñoz; Oscar Esparza; Jorge Mata-Díaz; Juanjo Alins
Vehicular Ad Hoc Networks (VANETs) require some mechanism to authenticate messages, identify valid vehicles, and remove misbehaving ones. A Public Key Infrastructure (PKI) can provide this functionality using digital certificates, but needs an efficient mechanism to revoke misbehaving/compromised vehicles. The IEEE 1609.2 standard states that VANETs will rely on the use of certificate revocation lists (CRLs) to achieve revocation. However, despite their simplicity, CRLs present two major disadvantages that are highlighted in a vehicular network: CRL size and CRL request implosion. In this paper, we point out the problems when using CRLs in this type of network. To palliate these issues, we propose the use of Authenticated Data Structures (ADS) that allow distributing revocation data efficiently. By using ADS, network entities can check the status of a certificate, decreasing the peak bandwidth load in the distribution points.
Computer Networks | 2012
Juanjo Alins; Jorge Mata-Díaz; Jose L. Muñoz; Elizabeth Rendon-Morales; Oscar Esparza
This article proposes XPLIT, a new architecture based on TCP cross-layering and splitting for optimizing the transport layer performance in a DVB-S2 satellite link that employs the ETSI QoS Broadband Satellite Multimedia Services (BSM) standard. The main novelty of our proposal is a complete architecture that perfectly fits this new DVB-S2/ETSI QoS BSM scenario. Our architecture includes the design of a satellite-optimized cross-layer TCP protocol, called XPLIT-TCP, that uses two control loops to properly manage the system load. The proposal has been implemented to be tested in the NS-2 simulator and we include the most interesting performance evaluation results, which show the excellent performance of our architecture for the intended scenario.
International Journal of Communication Systems | 2014
Elizabeth Rendon-Morales; Jorge Mata-Díaz; Juanjo Alins; Jose L. Muñoz; Oscar Esparza
This article presents a cross-layer packet scheduler to provide end-to-end QoS guarantees for Digital Video Broadcasting-Second Generation (DVB-S2) broadband satellite systems. The scheduler design is based on a cross-layer mechanism defined between the physical and the network layer. It includes an algorithm to guarantee the required QoS specifications established in the service level agreement. The algorithm calculation depends basically on two parameters: the available bandwidth present in a DVB-S2 satellite link and the QoS requirements of each traffic class defined by the satellite operator. The cross-layer scheduler's operation is demonstrated using the NS-2 simulator tool. The results show that the proposed mechanism maximizes the bandwidth utilization while enforcing the priority level of each service class when an extreme reduction of bandwidth caused by rain events is experienced. Copyright (C) 2012 John Wiley & Sons, Ltd.
Mobile Information Systems | 2013
Carlos Gañán; Jose L. Muñoz; Oscar Esparza; Jorge Mata-Díaz; Juanjo Alins
Certificate revocation is a challenging task, especially in mobile network environments such as vehicular ad hoc networks (VANETs). According to the IEEE 1609.2 security standard for VANETs, public key infrastructure (PKI) will provide this functionality by means of certificate revocation lists (CRLs). When a certificate authority (CA) needs to revoke a certificate, it globally distributes CRLs. Transmitting these lists poses a problem as they require high update frequencies and a lot of bandwidth. In this article, we propose BECSI, a Bandwidth Efficient Certificate Status Information mechanism to efficiently distribute certificate status information (CSI) in VANETs. By means of Merkle hash trees (MHT), BECSI allows retrieving authenticated CSI not only from the infrastructure but also from vehicles acting as mobile repositories. Since these MHTs are significantly smaller than the CRLs, BECSI reduces the load on the CSI repositories and improves the response time for the vehicles. Additionally, BECSI improves the freshness of the CSI by combining the use of delta-CRLs with MHTs. Thus, vehicles that have cached the most current CRL can download delta-CRLs to have a complete list of revoked certificates. Once a vehicle has the whole list of revoked certificates, it can act as a mobile repository.
International Journal of Communication Systems | 2013
Elizabeth Rendon-Morales; Jorge Mata-Díaz; Juanjo Alins; Jose L. Muñoz; Oscar Esparza
This paper presents an analysis of several Transmission Control Protocol (TCP) variants working over a digital video broadcasting-second generation (DVB-S2) satellite link with the support of the Differentiated Services (DiffServ) architecture to provide quality of service (QoS). This analysis is carried out using the NS-2 simulator tool. Three TCP variants are considered: SACK TCP, Hybla TCP, and CUBIC TCP. These TCP variants are taken as a starting point because they have proven to be the most suitable variants to deal with long delays present in satellite links. The DVB-S2 link also introduces the challenge of dealing with variable bandwidth, whereas the DiffServ architecture introduces the challenge of dealing with different priorities. In this paper, we propose a DiffServ model that includes a modified queuing mechanism to enhance the goodput of the assured forwarding traffic class. This modified DiffServ model is simulated and tested, considering the interaction of the selected TCP variants. In addition, we present evaluation metrics, significant simulation results, and conclusions about the performance of these TCP variants evaluated over the proposed scenario. As a general conclusion, we show that CUBIC TCP is the TCP variant that shows the best performance in terms of goodput, latency, and friendliness.
IEEE Transactions on Information Forensics and Security | 2012
Carlos Gañán; Jorge Mata-Díaz; Jose L. Muñoz; Juan Hernández-Serrano; Oscar Esparza; Juanjo Alins
One of the hardest tasks of a public key infrastructure (PKI) is to manage revocation. New communication paradigms push the revocation system to the limit and an accurate resource assessment is necessary before implementing a particular revocation distribution system. In this context, a precise modeling of certificate revocation is necessary. In this paper, we analyze empirical data from real certification authorities (CAs) to develop an accurate and rigorous model for certificate revocation. One of the key findings of our analysis is that the certificate revocation process is statistically self-similar. The proposed model is based on an autoregressive fractionally integrated moving average (ARFIMA) process. Then, using this model, we show how to build a synthetic revocation generator that can be used in simulations for resource assessment. Finally, we also show that our model produces synthetic revocation traces that are indistinguishable for practical purposes from those corresponding to actual revocations.
Vehicular Technology Conference | 2012
Carlos Gañán; Jose L. Muñoz; Oscar Esparza; Jorge Mata-Díaz; Juanjo Alins; Carlos Silva-Cardenas; Gumercindo Bartra-Gardini
Vehicular Ad Hoc Networks (VANETs) require some mechanism to authenticate messages, identify valid vehicles, and remove misbehaving ones. A Public Key Infrastructure (PKI) can provide this functionality using digital certificates. In PKI, key management and corresponding issuance and revocation of digital certificates is one of the key issues that have to be solved. The IEEE 1609.2 standard states that VANETs will rely on the use of certificate revocation lists (CRLs) to achieve revocation. In this paper, we analyze the problems of using CRLs in these types of networks. Moreover, we describe the Risk Aware Revocation (RAR) mechanism that improves the traditional use of CRLs. RAR takes advantage of the two distinct channel types in VANETs to increase the freshness of the revocation information. Moreover, RAR allows users to gauge the risk of operating in a VANET when using CRLs.
Wired/Wireless Internet Communications | 2011
Elizabeth Rendon-Morales; Jorge Mata-Díaz; Juanjo Alins; Jose L. Muñoz; Oscar Esparza
This paper presents an adaptive algorithm for managing the weights of a weighted round robin (WRR) scheduler. The weights calculation depends on the capacity variations present in a Digital Video Broadcasting-Second Generation (DVB-S2) satellite link. The algorithm optimizes the bandwidth utilization while satisfying the QoS requirements for different traffic classes. The operation of the proposed algorithm is demonstrated by using the NS-2 simulator environment. The results show that the proposed adaptive WRR algorithm optimizes the bandwidth utilization while enforcing the priority level of each service class even in an extreme reduction of bandwidth caused by rain events.