WO2012007609A1

WO2012007609A1 - System for securely communicating in a spontaneous self-managed ad-hoc vehicular network

Info

Publication number: WO2012007609A1
Application number: PCT/ES2011/000220
Authority: WO
Inventors: Pino Caballero Gil; Candido Caballero Gil; Jezabel Molina Gil
Original assignee: Universidad De La Laguna
Priority date: 2010-06-29
Filing date: 2011-06-29
Publication date: 2012-01-19
Also published as: ES2372841A1; ES2372841B2

Abstract

System for securely communicating in a spontaneous self-managed ad-hoc vehicular network, without infrastructures on either the road or in vehicles, using only mobile devices with a global satellite navigation system receiver and with wireless communication and computation capability such as mobile telephones, PDAs and portable computers. The operating mode envisaged in the invention is completely distributed and decentralized and takes into account the protection of the privacy of the drivers and defence against possible attacks.

Description

Secure communications system in a spontaneous and self-managed vehicular ad-hoc network The present invention relates to a secure communications system in a spontaneous and self-managed ad-hoc vehicular (or VANET) network.

The invention is applicable in the field of telecommunications, especially in mobile and wireless communications between vehicles.

Background of the invention

The present invention relates to the security of communications in ad-hoc vehicular networks or VANETs (Vehicular Ad-hoc NETworks). This security currently represents a challenge to be solved since it is anticipated that these networks will be an important revolution for the safety and comfort of road transport in the not too distant future.

In the VANETs, the messages exchanged between the vehicles will influence the behavior of their drivers as they, for example, will reduce speed and / or choose alternative routes based on the information received. Any malicious user could try to exploit this situation, carrying out any of the following attacks:

- Injection of false information, modified or repeated, spreading erroneous data that may affect the rest of vehicles, either for the benefit of the attacker, for example, when a road is released, or simply for bad intentions, for example, to produce a traffic jam.

- Forgery of identity (posing as an emergency vehicle, for example) or manipulation of the information sent (altering data such as position, address, speed, etc.), for example, to try to escape responsibilities by causing an accident.

- Tracking drivers and / or vehicles, threatening their privacy and anonymity.

- Denial of service, causing loss of network connectivity. Therefore, the security of communications is an essential factor in preventing such threats and enabling the deployment of VANETs.

There are various initiatives both from the industry and from the academic environment aimed at making possible the future exploitation of VANETs. However, all existing proposals have in common the hypothetical previous existence of an infrastructure on the road or RSU (Road-Side Unit) and / or the use of mobile telephony, and / or Internet and / or devices on board vehicles or OBUs (On-Board Units). For example, the draft communications standard for VANETs, [IEEE 802.1 lp WAVE (Wireless Access for Vehicular Environments, http://grouper.ieee.org/groups/802/ll/Reports)] that is being developed by the consortium Car-2-Car (http://www.car-to-car.org), presupposes that VANETs will combine several wireless technologies such as Cellular, Satellite, WiMAX (Woridwide Interoperability for Microwave ACCess, http: //www.ieee802. org / 16) and DSR (Dedicated Short Rangé) communications.

Similarly, the CALM architecture (Communications, Air interface, Long and Medium range, http://www.isotc204wgl6.org/concept), also in the process of standardization by the ISO (International Organization for Standard dizatiori) organization, aims to give support for communications in mobile environments and in particular in ITSs (Intelligent Transportation Systems), through the combined use of various wireless technologies such as WAVE, UMTS (Universal Mobile Telecommunications System, http://www.3GPP.org), WiMAX or RFID ( Radio Frequency IDentification), and the application of various international standards, interfaces and media, such as IEEE 802.11, 802.1 lp, 802.15, 802.16e, 802.20, 2G / 3G / 4G mobile telephony, and national ITSs.

In both standards, the security of communications is based on the combination of the mentioned technologies, in general assuming the use of public key infrastructure with certification based on centralized authorities, which implies the need for prior implementation of MSWs on roads and OBUs in vehicles. On the other hand, the solutions proposed in various research projects are based on the availability of OBUs in vehicles, and / or RSUs on the road, which would imply a large initial outlay by the State and / or by users. In fact, most of the research efforts in this field are being made from the automobile companies, so that in the proposals it is normally assumed that in the OBUs integrated in the vehicles there is a black box, a certified identity, sensors to detect obstacles, a human-machine interface, and a counterfeit-proof device for calculations, in addition to a receiver of a Global Satellite Navigation System and a Wi-Fi device.

Among the scientific publications related to safety in VANETs, the following stand out:

- [Philippe Golle, Dan Greene and Jessica Staddon, "Detecting and correcting malicious data in VANETs", lst ACM international workshop on Vehicular ad hoc networks pp. 29-37. 2004]. Proposes the use of sensors to detect incorrect information.

- [Maxim Raya and Jean-Pierre Hubaux, "The security of vehicular ad hoc networks", 3rd ACM workshop on Security of ad hoc and sensor networks pp. 11-21. 2005]. It assumes the existence of certification authorities to issue certificates to vehicles, proposing that they be government authorities or vehicle manufacturers.

- [Florian Dótzer, "Privacy Issues in Vehicular Ad Hoc Networks", Lecture Notes in Computer Science 3856 pp. 197-209. 2006]. It involves the participation of vehicle manufacturers since during the production of each vehicle a secure connection must be established with a certifying authority that validates the OBU.

Patents include the following documents related to VANETs.

US2008002635 and US2008002574: propose a method to manage communications traffic, measuring local levels and defining a microutility of the data to be transmitted to select the transmission medium. - US20080279141: describes a method of assigning channels to multihop communications between one node and another, for sending information via routing.

- WO2008092475: proposes the dissemination of information through unicast.

- WO2008104673: proposes the estimation of the density of nodes by dividing them into geographic cells in which the node closest to the center is responsible for adding and retransmitting the information.

- WO2008119948: it is based on the use of mobile telephony to define an information routing algorithm between two nodes.

- WO2009024945: describes a method for synchronizing radio-communicated devices by means of periodic beacons that include clock signals.

- WO2009053657: proposes that in the intersections of roads the diffusion of information is carried out through a node chosen within a group based on the estimated time to reach the intersection.

- WO2010020260: presents a method for sending information from a source node to a destination node by routing through intermediate nodes.

- WO2010040372: it presupposes the use of an infrastructure on the road to control the communications load of the wireless channel, defining priorities over the messages to establish its sending characteristics. However, no precedent has been found that describes a safe and cheaper solution than the proposals so far.

Description of the invention From what has been described above, it is an object of the present invention to provide a secure and self-managed ad-hoc vehicular (or VANET) network of secure communications.

Said objective is achieved by means of a secure communications system in a spontaneous and self-managed vehicular ad hoc network comprising:

- a module for generating identity and digital signature keys;

- a module containing client / server architecture with the possibility of connecting to multiple users at the same time; - a module for multicast sending and wireless reception of beacons with variable pseudonyms;

- a module for mutual authentication of nodes, with exchange of fixed public keys, temporary secret keys, and public key stores based on an interactive challenge-response scheme;

- a module for updating public key stores;

- a node reputation module, which deletes dishonest nodes from stores, by erasing their public key from certificate stores;

- a module for the encrypted exchange of data on static and dynamic elements of the road, through the use of a temporary secret key of the transmitter;

- a data authentication module by checking matches with other messages received through data aggregation. In this sense, the invention avoids the need to install any type of infrastructure either in the vehicle or on the road, which implies savings in economic investment and in waiting time for the development of the multiple applications of vehicle networks, allowing to put VANETs are underway without any investment from governments, car companies or telephone companies.

A secure communications system is presented here in a spontaneous and self-managed vehicular ad-hoc network, without infrastructures either on the road or in vehicles, using only mobile devices with a receiver of a global satellite navigation system, and wireless and wireless communication capability. computing, such as mobile phones, PDAs and laptops.

The mode of operation provided for in the invention is fully distributed and decentralized, and takes into account the protection of drivers' privacy and defense against possible attacks. Both issues imply the possibility of progressive deployment with effective functionality and security from the start. The key factors of the proposed design are: scalability and economy, authentication of nodes and information, privacy, promotion of cooperation, and low delay and stability of communications. A system is proposed that can be integrated into specific mobile devices, or implemented in existing devices on the market such as mobile phones equipped with appropriate software.

The first fundamental element of the present invention is a self-managed authentication method, which does not require the intervention of certification authorities since it is the nodes themselves that certify the validity of the public keys of the nodes they trust, issuing the corresponding certificates , which are stored in local stores and updated by an algorithm described here. In addition, the proposal of authentication of nodes includes a cryptographic protocol, which allows each node to convince another node of the possession of a certain secret without allowing the transmitted information to discover anything about said secret, preventing possible impersonation attacks.

A second fundamental element of this invention is a symmetric encryption algorithm used in different phases. For its design, all known parameters that guarantee the security of non-linear filtering in flow ciphers are contemplated.

Finally, the present invention also contemplates as a third fundamental element an aggregation scheme of data that includes the generation of aggregated packages from groups created as-hoc for it, and the verification of digital signatures in a probabilistic way.

In the present invention it is assumed that each node of the network is characterized by the following parameters:

ID, (KUID, KRID), {IDÍ, KUIDÍ, Cert (KU _IDi )} IOi and Warehouse including:

- a unique IDentifier (denoted ID), obtained by applying a unidirectional function over a unique value. For example, if the device used is a telephone mobile number can be used, while in other cases you can use an email address. The unidirectional function could be a hash function, such as MD5.

- a fixed pair of public / private keys (denoted (KU, KR) and so-called identity keys for use in an asymmetric cryptosystem, such as RSA for example.

- a store containing several IDs, and corresponding public keys KUs and certificates, which the node keeps at all times updated, in the form:

KU _ID i, Cert (KU _1D1 )

KU _ID2 , Cert (KU _1D2 )

KU _ID3 , Cert (KU _ID3 )

IDlím KUroiím, Cert (KU _IDIÍm )

According to a preferred embodiment of the invention, the communications system can be used for the reduction of road jams in which:

- the module for generating identity and digital smoking keys is based on the generation of the decimal value of the binary representation corresponding to the upper triangular submatrix of the adjacent symmetric matrix containing the elements corresponding to a Hamiltonian circuit in a graph;

- the module for multicast sending and wireless reception of beacons with variable pseudonyms is based on the hash of the list of IDs of the nodes present in your public keystore at that time;

- the module for mutual authentication of nodes is based on the fact that a node B that wishes to establish contact with a node A first asks for the list of IDs of its warehouse at that time, check that its hash matches the pseudonym sent by A in your beacon, and respond by indicating an X key present at the intersection of both stores. Then, there is a demonstration of mutual null knowledge about the public key X so that each node builds from that key, considering it as a Hamiltonian circuit, a graph G in which X is a solution to the difficult problem of the Hamiltonian circuit, and sends it to the other node. Then at least two iterations of the demonstration are performed so that in a first step each node sends an isomorphic GI graph to the other as a compromise to the previously sent graph. Each node then sends the other a random challenge indicating whether it wishes to receive from the other node the isomorphism between both graphs or a Hamiltonian circuit in the isomorphic graph. At the end of the demonstration of null knowledge, both nodes know that they share the public key X, which they use to encrypt using the symmetric encryption described below, and send their own public identity key to the other node. Then they exchange their encrypted temporary secret keys with the public key of the other node and finally each uses their own temporary secret key to encrypt with the symmetric encryption described below, and send encrypted their keystore, which is contrasted against the pseudonym forwarded in the beacon and the list of IDs sent in the first step of the authentication;

- The module for updating public key stores is based on using an algorithm in each node that chooses to store in its store those public key certificates of the nodes that have issued or received more valid certificates. The certificates and nodes of the store are treated in said algorithm respectively as edges and vertices of a graph;

- the node reputation module is based on reflecting the conduct of a dishonest node by assigning in the warehouse a negative weight to the edges corresponding to certificates issued or received by it, so that upon receiving said certificates a negative weight, the vertex will leave progressively being present in updated stores. This scheme is combined in the warehouse update algorithm with an assignment of weights to edges in the warehouse, according to the following criteria: 2 for certificates issued or received directly by the node, 1 for other certificates, -2 for denounced certificates directly by the node, and -1 for certificates denounced by other nodes;

- the data encryption exchange module is based on a binary flow encryption using a declined and non-linear filtering generator with a buffer, of a shift register with primitive feedback polynomial on GF (2) of equal degree L to the length of the key used in each moment, fed with the seed formed by said key, and with feedback polynomial given by the primitive polynomial of lower non-zero coefficients and number of said coefficients given by the smallest possible number greater than 0.07 * L. The nonlinear function of filtering has as its order the prime number p closest to L / 2, includes a linear term corresponding to its order, in addition to a number of terms of each order i = l, 2, ..., p given for the entire part of L / i, obtained by multiplying successive stages. The output of said non-linear filtering is irregularly declined so that the log output determines at any time whether the corresponding filtrate output is used or discarded, being introduced in the first case in a size 4 buffer;

- the data authentication module is based on a data aggregation scheme based on reactive groups in which each leader is responsible for building the package and adding the signatures of all the vehicles in their group, and where the verification is carried out according to a probabilistic protocol that depends on the geographical area in which each vehicle is located;

- an automatic anomaly detection module is added for speed calculation, based on the information received from a receiver of a global satellite navigation system. Brief description of the figures

For a better understanding of how much has been exposed, some drawings are attached in which, schematically and only by way of non-limiting example, a practical case of realization is represented.

In the drawings,

Figure 1 shows a conceptual scheme of the communications system according to the invention including its 8 basic modules of Key Generation and Signature (Cl), Client / Server Architecture (C2), Sending and Receiving Beacons (C3), Authentication of Nodes (C4), Warehouse Update (C5), Reputation Scheme (C6), Encrypted Exchange (C7) and Data Authentication (C8). The execution of these modules is not necessarily sequential, since C5 and C6 do not require interaction between nodes, while C7 and C8 yes, so that C5 and C6 can run in parallel with C7 and C8. In fact, in the described implementation proposal two modes are proposed such that in one of them the execution of modules C7 and C8 is not required;

Figure 2 shows a scheme representing the client / server architecture with connection to multiple users at the same time, and also the multicast sending and wireless reception of the beacons;

Figure 3 shows a mutual authentication scheme based on an interactive demonstration of null knowledge between a pair of nodes A and B. In the step of sending beacons B, it commits to node A with the object to be demonstrated by sending a witness (DI ). If A wishes to establish contact with B, it sends a random challenge (D2). Finally B returns the answer (D3) corresponding to the challenge and the witness;

Figure 4 shows a scheme that represents the ownership of the six degrees of separation in the environment of the certification of public keys between vehicles;

Figure 5 illustrates a scheme showing the proposal for carrying out the invention using the mobile phone first associated with the hands-free device of a vehicle, so that before starting the vehicle the user enters his destination and route preference , and when the mobile receives information about abnormal speeds from its neighbors, it recalculates the recommended route and suggests it to the driver;

Figure 6 shows an Exemplification of the proposed generation of the public identity key KUro from a graph and its adjacency matrix, using the elements of the upper triangular submatrix corresponding to a Hamiltonian circuit in the graph;

Figure 7 shows a scheme that represents all the interactions between two nodes A and B. First A sends the hash {VDIDe Warehouse _A } (Pl) to B, in step (P2) B requests node A to list the IDs of its warehouse, then A sends the set {WarehouseID _A } (P3) to B, B checks if there is an Xe key {Warehouse _A Store} and then sends it to node A, (P4). Then A builds and sends a graph GA (X) (P5) to B. Then at least two three-step iterations are performed in which first A sends a graph GU (X) (P6) isomorphic to graph GA (X), then B sends a random binary challenge (P7) to node A, and according to its value A returns to B the isomorphism between both graphs or a Hamiltonian circuit in GIA (X) (P8). At the end, A uses X to encrypt its KUA key and send the result EX (KUA) (P9) to B, then B uses the KU key _A to encrypt its key ¾ and send the result KUA (K _b ) to node A ( CHEEP). Finally, A uses its KA key to encrypt its store and send E _KA (Warehouse _A ) encryption to B (Pl l); Figure 8 shows an encryption sequence generator based on a shift register with primitive coefficient feedback polynomial (CL, CL- _15... , C of lower non-zero values, such that the weight of said coefficient vector is the lower value greater than 0.07 * L. It includes a filtering function f of order equal to the prime number p closest to L / 2, corresponding linear term ap, and number of terms of each order i = l, 2, .. ., p equal to [L / i] The output of said filtrate is decimated according to the register output, and the decimated output is introduced into a size 4 buffer;

Figure 9 shows a formation of reactive group generated ad-hoc from the detection of a jam;

Figure 10 shows a scheme representing the three geographical areas defined for the authentication of data called danger zone (Zl), uncertainty zone (Z2) and security zone (Z3); Y

Figure 11 shows a graphical representation of use of calculating the speed from the distance s traveled in time t by a node, allowing the device to automatically recalculate time t _and estimated initially recommended and compare it to the route Initially estimated time h for that route, so if you »th, and there is an alternative route with estimated time t _a « t _e , the device recommends this route to the driver.

Description of a preferred embodiment of the invention

Although the general approach of the invention can be used in different applications of the VANETs, the analyzes carried out and the concrete embodiment described as an embodiment are focused on the objective of reducing road jams. In this case, mobile phones are used as mobile devices, so that the node representing the vehicle within the vehicular network at all times is the passenger's mobile phone first associated with the hands-free device of the vehicle. This last assumption avoids the possibility that in a vehicle there are several devices of its passengers that may be included in the VANET, since this would lead to erroneous conclusions about the density of vehicles on the road. In addition, when the mobile phone is synchronized as the first device associated with the hands-free device, the mobile phone automatically changes from 'pedestrian mode' to 'vehicle mode'. In mode Pedestrian 'The mobile phone only has active components C2, C3, C4, C5 and C6, which allow you to update your keystore.

To use this invention the user does not have to perform any specific action while driving. Before starting the vehicle, enter your destination and route preference into the device. The proposal implies that the device receives and sends information automatically, using only the vehicular network and without requiring the driver's collaboration at any time (see Figure 5). When the device detects that the vehicle is traveling at an abnormal speed with respect to the road, it generates a warning and sends it to all its neighbors via broadcast. With the information received, the device automatically recalculates the recommended route and suggests it to the driver.

Figure 1 shows a preferred embodiment of the secure communications system according to the invention. In this preferred embodiment, the secure communications system in a spontaneous and self-managed vehicular ad-hoc network comprises the following modules:

Cl. Identity key v digital signature generation module

It is part of the first fundamental element of the invention. This generation is necessary since the authentication of nodes proposed in this invention is based on self-managed public key cryptography without requiring certification authorities at any time. Instead, each node is responsible for generating its own public / private key pairs, which are essential for authentication processes, and for digital signature of the messages it sends once authenticated. Each node has a fixed pair of public / private keys (identity keys) whose validity is certified in a self-managed way through the public key stores of the nodes themselves.

C2 Client / server architecture with the possibility of connecting to multiple users at the same time It is necessary for the first fundamental element of the invention. It is that each node (client) makes requests to another node (server), which responds to it (see Figure 2). This idea is very useful in distributed multi-user systems such as the vehicular network object of this invention because thus the process capacity is shared between the clients and the servers. In particular in this invention this component is necessary for the interconnection of the nodes since it allows sending and receiving messages from many clients and to many servers at the same time as each user is both client and server.

C3 Multicast sending and wireless reception of beacons with variable pseudonyms

It is part of the first fundamental element of the invention. The sending / receiving of beacons messages containing variable pseudonyms of the sending nodes is necessary for the process of discovering active nodes, and avoiding possible follow-ups (see Figure 2).

C4 Mutual authentication of nodes, with exchange of fixed public keys, temporary secret keys, and public key stores:

It is the basis of the first fundamental element of the invention. The exchange of messages between pairs of nodes is intended to show each other that he knows a secret without revealing anything about it. The proposed scheme is based on an interactive challenge-response scheme, as shown in Figure 3. In the step of sending beacons each node commits itself to its neighbors with what it intends to demonstrate, sending them a witness (DI). If a node A wishes to establish contact with another node B, it sends a random challenge (D2). Then B returns the answer (D3) corresponding to the challenge and the witness. After these steps, both nodes share a key that they use to encrypt and send their public identity key to the other. Their encrypted temporary secret keys are then exchanged with the public key of the other node. Finally each uses its own secret key to encrypt and send encrypted keystore. This module allows to guarantee to each node the authenticity of the other, as well as to exchange the secret keys that are used in the module C7, and to update the stores of public keys necessary for the later verification of the validity of the public keys of identity used for the Message signing

C5 Optimal update of public key stores

It is an important part of the first fundamental element of the invention. It allows to limit the number of stored keys to a value denoted limit, so that said value is generally lower than the number of users that form the vehicular network, and equal to the minimum number that allows, taking advantage of the property of the six degrees of consistent separation in which any node can connect to any other through a chain with no more than six links (see Figure 4), store only the keys necessary to authenticate any other node with a high probability. C6 Node reputation scheme, which erases dishonest nodes from warehouses It is part of the first fundamental element of the invention. It allows to isolate those nodes for which incorrect or corrupt behaviors have been detected, by deleting their public key from the certificate stores.

01. Encrypted exchange of data on static and dynamic road elements

This module constitutes the second fundamental element of the invention. The encrypted exchange of information obtained on the road and traffic, which nodes have stored at that time is necessary to avoid passive behavior of users who intend to take advantage of the VANET without cooperating for its operation. The use of a secret key cryptosystem is recommended given the size of the data file. Our invention proposes to use a temporary secret key of the issuer. C8 Data authentication

The third fundamental element of the invention is part of this module. For the proper functioning of the network it is essential to verify the integrity and origin of the data received by digital signature, evaluation of verifiable characteristics (freshness, location, relevance, correction, etc.) and verification of coincidences with aggregation, since it is due check at all times that the retransmitted information is authentic, current and valid. In this self-managed invention this is only possible by combining techniques of integrity and origin verification, evaluation of verifiable characteristics, and verification of coincidences with other messages received through data aggregation. Several concepts and algorithms proposed as a preferred embodiment of the invention are described below, with the specific objective mentioned.

For module Cl, it is proposed as a particular embodiment that the public identity key be generated as a decimal value of the binary representation corresponding to the upper triangular submatrix of the adjacent symmetric matrix containing the elements corresponding to a Hamiltonian circuit in a graph ( see Figure 6). In module C3 we propose in this specific embodiment, that the variable pseudonym of each node be the hash of the list of IDs of the nodes present in its public keystore at that time. Since this store varies, the pseudonym also varies. In addition, it is possible to verify that the IDs sent in the first authentication step correspond to the hash sent in the corresponding beacon.

In module C4 we propose for this specific embodiment, as shown in Figure 7, that a node B that wishes to establish contact with a node A first asks you to list its store IDs at that time, check its match hash with the pseudonym sent by A in your beacon, and respond by indicating an X key present at the intersection of both stores. Then, the demonstration of mutual null knowledge is carried out on the public key X so that each node builds from said key, considering it as a Hamiltonian circuit, a graph G in which X is a solution to the difficult problem of the Hamiltonian circuit, and what Send to the other node. Then at least two iterations of the demonstration are performed so that in a first step each node sends an isomorphic GI graph to the other as a compromise to the previously sent graph. Each node then sends the other a random challenge indicating whether it wishes to receive from the other node the isomorphism between both graphs or a Hamiltonian circuit in the isomorphic graph. At the end of the demonstration of null knowledge, both nodes know that they share the public key X, which they use to encrypt using the symmetric encryption described below, and send their own public identity key to the other node. Then they exchange their encrypted temporary secret keys with the public key of the other node and finally each uses their own temporary secret key to encrypt with the symmetric encryption described below, and send encrypted their keystore, which is contrasted against the pseudonym forwarded in the beacon and the list of IDs sent in the first authentication step.

For the implementation of the C5 module we propose that the warehouse update algorithm described below be used. In it, each node chooses to store in its warehouse those public key certificates of the nodes that have issued or received more valid certificates, since this maximizes the probability of intersection between warehouses, required in module C4. The certificates and nodes of the store are treated in said algorithm respectively as edges and vertices of a graph. Update Function _Store ()

Initialize data structures;

u: = B;

For each (u, ID) and Warehouse _A ^ Store

If weighted_degree (ID)> maximum (weighted_degree (WarehouseA ^ WarehouseB)

If cardinal (Warehouse _B ) <limit

weighted_degree (ID)> maximum (weighted_degree (WarehouseB))

Add (u, ID) to Almacéne;

u: = ID;

End yes

End for

End of function For the implementation of module C6 we propose that the dishonest node, instead of directly deleting its public key from the warehouse after improper behavior, reflects its conduct by assigning a negative weight to the edges corresponding to certificates issued or received by he, so that upon receiving said certificates a negative weight, the vertex will progressively cease to be present in the updated warehouses. This scheme is combined in the warehouse update algorithm with an assignment of weights to edges in the warehouse, according to the following criteria: 2 for certificates issued or received directly by the node, 1 for other certificates, -2 for denounced certificates directly by the node, and -1 for certificates denounced by other nodes. For use in the C7 module, as well as for the secret key encryption contemplated in the C4 module we propose efficient symmetric encryption. This efficiency is essential since in its first use in module C4 the length of the key used, as it is a public key, is generally greater than that established as safe for symmetric encryption, while in its second use in C4 , the keystore in general is a very large file. Also in the C7 module itself the file to be encrypted containing the traffic and road data will in general be very large. Thus, we propose as symmetric encryption the binary flow encryption using as an encrypted sequence generator the one described in Figure 8, which is based on a shift register with primitive feedback polynomial on GF (2), 1+ C! X + c ₂ x ² + - + CLX ^L , of degree L equal to the length of the key used at any time, and fed with the seed formed by said key. The register feedback polynomial is given by the primitive polynomial of lower non-zero coefficients and number of said coefficients given by the smallest possible number greater than 0.07 * L, to improve efficiency. The order of the filtering function is the prime number p closest to L / 2, to ensure large linear complexity. This function includes a linear term corresponding to its order, in addition to a number of terms of each order i = l, 2, ..., p given by the integer part of L / i, obtained by multiplying successive stages, to achieve pseudo-randomness and confusion. To avoid correlation attacks, the output of said non-linear filtering is irregularly declined so that the log output determines at any time whether the corresponding filtrate output is used or discarded. Finally, in order to guarantee a stable output, a size 4 buffer is included.

As a specific proposal for the implementation of the C8 module, we propose that the verification of matches by aggregation of data be carried out according to a probabilistic protocol based on reactive groups, that is, generated ad-hoc to produce an aggregate package (see Figure 9). There are three situations in which vehicles can be found in relation to an incident: Vehicles that are capable of detecting an obstacle or incident on the road and are responsible for generating the corresponding warning messages; Vehicles that receive warning messages and can confirm that the information is true because they have direct contact with the incident; and Vehicles that receive warning messages but are not able to confirm or deny such information since they are out of range. On the other hand, since in most cases the information generated at a given point is of interest to us outside a certain distance radius from that point, three geographical areas are considered in relation to an incident (see Figure 10): Danger (Zl) or central area of the area where the hazard can be detected directly by the vehicle; Zone of uncertainty (Z2) that surrounds the danger zone and where it is not possible to confirm the information directly but where the decision-making must be quick and efficient because in a short period of time the vehicle will enter the danger zone; and Security Zone (Z3), where the nodes behave following the store-and-carry paradigm gathering evidence about the same danger obtained through different packages. We also propose the establishment of reactive groups when a hazard is detected, so that vehicles cooperate forming groups within their range, in the same geographical cell and generating aggregate information avoiding collisions, delays, network overloads and repetitions of information. With the use of groups we intend to prevent the number of packages generated in a danger zone to warn of a problem grow infinitely, in addition to allowing the reduction of the number of signatures contained in a package. The center of the geographical area corresponds to the location of the existing danger and from it the different groups are generated. In each group there is a leader in charge of building the package and adding the signatures of all the vehicles in his group. Verification of an aggregation message is only performed on those vehicles that are unable to directly verify the information, that is, when a vehicle receives a warning message about an incident that is outside the coverage of its antenna and wants to confirm the authenticity of the message received. The verification carried out by the vehicles depends on the direction of travel and the geographical area in which it is located. In the area of uncertainty, if a vehicle receives an aggregation message containing n signatures, it uses the offset register of length n defined in module C7 fed with the first bit of each of the signatures to generate n bits and verify only the signatures indicated by said exit. In the security zone, the vehicles check a series of signatures contained in the package as described in the previous case, but in addition the vehicles will be able to perform other verifications that provide them with a higher level of reliability on the information received. Thus, being in this area, it is possible to receive several aggregate packages corresponding to the same danger but coming from different groups.

To the 8 basic modules of the system described, a final module is added for the specific implementation, which allows automatic detection of anomalous road conditions in order to notify drivers in advance to avoid or reduce traffic jams.

C9. Speed calculation, anomalous traffic conditions and alternative routes:

This module uses the information received from a receiver of a global satellite navigation system. It is necessary to be able to use the network in order to help driving without having to install any type of infrastructure either in the vehicle or on the road (see Figure 11).

Although a specific embodiment of the present invention has been described and represented, it is clear that the person skilled in the art will be able to introduce variants and modifications, or replace the details with technically equivalent ones, without departing from the scope of protection defined by the appended claims.

Claims

1. Secure communications system in a spontaneous and self-managed vehicular ad-hoc network comprising:

- a module for generating identity and digital signature keys;

- a module containing client / server architecture with the possibility of connecting to multiple users at the same time;

- a module for multicast sending and wireless reception of beacons with variable pseudonyms;

- a module for updating public key stores;

- a data authentication module by checking matches with other messages received through data aggregation.

2. Secure communications system in a spontaneous and self-managed vehicular ad-hoc network according to claim 1 for the reduction of road jams in which:

- the module for generating identity and digital signature keys is based on the generation of the decimal value of the binary representation corresponding to the upper triangular submatrix of the adjacent symmetric matrix containing the elements corresponding to a Hamiltonian circuit in a graph;

- the module for mutual authentication of nodes is based on the fact that a node B that wishes to establish contact with a node A first requests the list of IDs from your store at that time, check your hash match with the pseudonym sent by A on your beacon, and respond by indicating an X key present at the intersection of both stores. Then, a demonstration of mutual null knowledge about the public key X is carried out so that each node builds from said key, considering it as a Hamiltonian circuit, a graph G in which X is a solution to the difficult problem of the Hamiltonian circuit, and what Send to the other node. Then at least two iterations of the demonstration are performed so that in a first step each node sends an isomorphic GI graph to the other as a compromise to the previously sent graph. Each node then sends the other a random challenge indicating whether it wishes to receive from the other node the isomorphism between both graphs or a Hamiltonian circuit in the isomorphic graph. At the end of the demonstration of null knowledge, both nodes know that they share the public key X, which they use to encrypt using the symmetric encryption described below, and send their own public identity key to the other node. Then they exchange their encrypted temporary secret keys with the public key of the other node and finally each uses their own temporary secret key to encrypt with the symmetric encryption described below, and send encrypted their keystore, which is contrasted against the pseudonym forwarded in the beacon and the list of IDs sent in the first step of the authentication;

- the node reputation module is based on reflecting the conduct of a dishonest node by assigning in the warehouse a negative weight to the edges corresponding to certificates issued or received by it, so that upon receiving said certificates a negative weight, the vertex will leave progressively being present in updated stores. This scheme is combined in the warehouse update algorithm with an assignment of weights to edges in the warehouse, according to the following criteria: 2 for certificates issued or received directly by the node, 1 for the rest of the certificates, -2 for certificates denounced directly by the node, and -1 for certificates denounced by other nodes;

- The encrypted data exchange module is based on a binary flow encryption using a declined and non-linear filtering generator with a buffer, of a shift register with primitive feedback polynomial on GF (2) of equal degree L to the length of the key used at any time, fed with the seed formed by said key, and with feedback polynomial given by the primitive polynomial of lower non-zero coefficients and number of said coefficients given by the smallest possible number greater than 0, 07 * L. The nonlinear function of filtering has as its order the prime number p closest to L / 2, includes a linear term corresponding to its order, in addition to a number of terms of each order i = l, 2, ..., p given for the entire part of L / i, obtained by multiplying successive stages. The output of said non-linear filtering is irregularly declined so that the log output determines at any time whether the corresponding filtrate output is used or discarded, being introduced in the first case in a size 4 buffer;

- an automatic anomaly detection module is added for speed calculation, based on the information received from a receiver of a global satellite navigation system.