Vehicular Ad-hoc Networks (VANETs) are expected to enable increased safety, an enhanced driving experience, and improved traffic efficiency. These networks are characterized by short-lived pairwise connections, which make the network topology highly dynamic. Furthermore, a single trip of a vehicle may involve communication with a large number of other vehicles. Dependence on such technology, however, may turn hazardous if it is not implemented securely, particularly because the wireless medium is vulnerable to both passive and active attacks.
Messages exchanged in a VANET have different roles and thus require different security measures. For instance, securing safety messages requires a scheme that privileges authentication over confidentiality [1]: the information contained in such a message is not particularly sensitive and may be of interest to multiple users, while the legitimacy of the source is important. These applications lie at the heart of vehicular networks, and perhaps for that reason it is generally considered that integrity and authentication are of greater concern than confidentiality. Therefore, most security schemes adopt vehicular public key infrastructures (PKI), e.g., [2], [3], that in general make use of public key cryptography (PKC) for authentication. A large number of applications and services that could be deployed in VANETs may nevertheless depend on confidential data transmission. These applications range from driver assistance systems (e.g., [4]) to traffic information systems (e.g., [5]) and infotainment applications (e.g., [6]). Although PKC could also be used for encryption, efficiency dictates that the best course of action for confidential transmission is symmetric encryption with a shared secret [7]. However, PKC solutions are not adequate for noisy environments, since they generally employ several rounds of interaction between users. Furthermore, in dense networks, the overhead of message transmission and signature verification can be prohibitive [1].
Due to the vital role of authentication, proposed VANET security frameworks rely heavily on PKC. Consequently, most of the research focuses on the design of PKI-based key management systems for pairwise or group communication (e.g., [1], [9]). When symmetric encryption is required, nodes are expected to perform a well-known key agreement scheme or to use an integrated encryption scheme. In particular, the IEEE 1609.2 standard specifies the Elliptic Curve Integrated Encryption Scheme (ECIES) as the asymmetric encryption algorithm [3]; ECIES is based on Diffie-Hellman key agreement. In [9], an architecture for secure vehicular communications was proposed, which includes a key management scheme. Certification authorities (CAs) are responsible for managing the identity and credentials of the vehicles registered within a given region. Each node is registered with a single CA, which provides it with a unique ID, a long-term private/public key pair and a long-term certificate. To achieve secure communication, short-term private/public key pairs and certificates are used; these are generated internally by the node and signed by the CA. Raya and Hubaux [1] designed a PKI-based security framework for VANETs. The proposed protocol uses the geographic location of vehicles: a geographic group is formed, which elects a group leader responsible for distributing a group key to its members, enabling secure communication within the group. In any scenario where the protocol cannot function properly, a fallback to a simple digital signature scheme is ensured.
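The paragraph above refers to the Diffie-Hellman basis of ECIES and to the split between PKC for authentication and symmetric encryption for confidentiality. The following Python is an added illustration of that one-pass structure; it is not code from the paper, from IEEE 1609.2, or from the cited authors. It assumes X25519 (RFC 7748) in place of the NIST curve the standard actually uses, HKDF-SHA256 for key derivation, and an HMAC-SHA256 counter-mode keystream standing in for the AES mode a real deployment would use (the Python standard library carries no block cipher). The point it makes concrete is the one the paragraph states: a sender holding the recipient's static public key (which the CA model above would deliver via a certificate) can derive a fresh symmetric key and send an authenticated, encrypted message without any prior exchange with the recipient.

```python
import os
import hmac
import hashlib

# ---- X25519 (RFC 7748), pure Python: the Diffie-Hellman primitive ----
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder; returns the 32-byte u-coordinate of scalar * point."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # illustrative only: a deployment uses a constant-time swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


# ---- HKDF-SHA256 (RFC 5869): shared secret -> encryption key + MAC key ----
def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for AES-CTR/AES-GCM: HMAC-SHA256 in counter mode.
    # The key is fresh per message (fresh ephemeral DH), so a counter suffices.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def _derive_keys(shared: bytes, eph_pub: bytes, recipient_pub: bytes):
    if shared == bytes(32):  # low-order point: RFC 7748 says reject all-zero output
        raise ValueError("invalid public key: all-zero shared secret")
    km = hkdf_sha256(shared, b"vanet-ecies-demo" + eph_pub + recipient_pub, 64)
    return km[:32], km[32:]


# ---- One-pass ECIES-style message: eph_pub || ciphertext || tag ----
def ecies_encrypt(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """Sender needs only the recipient's static public key; no reply is awaited."""
    eph_priv, eph_pub = keypair()
    enc_key, mac_key = _derive_keys(x25519(eph_priv, recipient_pub), eph_pub, recipient_pub)
    ct = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()
    return eph_pub + ct + tag


def ecies_decrypt(recipient_priv: bytes, recipient_pub: bytes, msg: bytes) -> bytes:
    if len(msg) < 64:
        raise ValueError("message too short")
    eph_pub, ct, tag = msg[:32], msg[32:-32], msg[-32:]
    enc_key, mac_key = _derive_keys(x25519(recipient_priv, eph_pub), eph_pub, recipient_pub)
    expected = hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication tag mismatch: message rejected")
    return _keystream_xor(enc_key, ct)


if __name__ == "__main__":
    priv, pub = keypair()                      # recipient's static key pair
    wire = ecies_encrypt(pub, b"road closed ahead at km 42")  # constructed payload
    print(len(wire), "bytes on the wire;", ecies_decrypt(priv, pub, wire))
```

The receiver verifies the tag before touching the ciphertext, and both sides reject an all-zero shared secret, which is what a low-order public key produces on this curve. Binding both public keys into the HKDF info string ties the derived keys to this sender/recipient pair, so a captured ephemeral key cannot be replayed toward a different recipient and yield the same keys.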
In practice, VANETs are characterized by a dynamic topology, and link disconnections are frequent. Moreover, sporadic and burst errors are common due to signal propagation obstacles that cause shadowing [10]. Therefore, it is crucial that the key agreement protocol require the least possible interaction between users, in order to minimize the overall delay of the key establishment procedure and to maximize its probability of success. This can be achieved by means of probabilistic key distribution schemes. However, due to the size and dynamic nature of these networks, key pre-distribution is unfeasible.