Trust Issues for Vehicular Ad Hoc Networks

Philipp Wex∗ , Jochen Breuer∗ , Albert Held∗ , Tim Leinmüller+ and Luca Delgrossi ∗
∗
Daimler AG, Group Research and Advanced Engineering,
{philipp.wex|jochen.breuer|albert.held|luca.delgrossi}@Daimler.com
+
DENSO AUTOMOTIVE Deutschland GmbH, Technical Research Department,
t.leinmueller@denso-auto.de

Abstract— Characteristics and requirements of vehicular ad offline-infrastructure, since in contrast to what we call online-
hoc networks (VANETs) differ quite significantly compared to infrastructure, it is not available all the time but only during
standard ad hoc networks. Especially trust in VANETs is very (from the vehicles point of view) random periods of time.
important but still open issue, which will be addressed in this
paper. We will describe, discuss and assess approaches and Dynamic topology - One important characteristic of
concepts that were proposed in ordinary fixed networks and VANETs is that nodes move with high speed in respect to
mobile ad hoc networks and will show weak and strong spots. each other, which results in a very high rate of topology
As basis for our considerations, we will describe a detailed changes. Whereas for example during a conference people
automotive scenario, which relies on inter-vehicle communication carrying PDAs ”move” with a speed of 2 m s with respect to
for the exchange of safety relevant warning messages.
each other, cars on a highway normally easily achieve 55 m s
I. I NTRODUCTION when taking into account oncoming traffic.
Critical application requirements - Another important prop-
Vehicular ad hoc networks (VANETs) have some very erty is that applications within VANETs are often safety-
specific characteristics and solutions to security issues are still critical and time-critical (e.g. alert messages, warnings, see
in a very early stage of development. Especially the issue of section III for further details). Ad-hoc networks that mainly
trust between communicating vehicles (referred to as nodes) serve to distribute data do not underlie these aspects.
is an open question: How can one node trust a message it Auxiliary information - Furthermore, nodes in VANETs
received from another node? Thus, trust establishment is a are context aware, they have access to additional data such
major challenge in vehicular ad hoc networks as the outcome as car sensor data or GPS. The usage of these so called
of the trust establishment process is a trusted relation between ”side-channel” information can be valuable when evaluating
nodes. Especially in critical applications like hazard warning data obtained through communication with other nodes in the
a receiving node needs to ensure authenticity and trustability VANET.
of received messages before reacting to them. Beside the specific properties, the application scenario of
There are various types of trust models; some of them VANETs requires the achievement of special (security) goals.
(especially the PKI based models) are even widely deployed Privacy - In some cases services in a VANET are related
already. They differ in their architecture, their trust establish- to personal data, such as current location or current speed,
ment processes and flexibility. which requires anonymity in order to protect a driver’s privacy.
In this paper we firstly describe VANETs in general (section On the other hand, other services require identification and
2) and present VANET applications that are of high interest traceability.
(section 3). Then we show that the establishment of trust can Integration - Vehicles are not computers, applications or
be partitioned into two classes: infrastructure based trust and services in VANETs must work without interaction. Drivers
self organizing trust. Approaches and concepts for both classes can not act as administrators. For VANET nodes, battery power
will be discussed and presented (section 4). We conclude is not an issue (at least while driving).
with a basic assessment of existing approaches regarding their
applicability in VANETs (section 5). III. A PPLICATIONS OF VANET S
Applications within VANETs contain both inter-vehicle
II. C HARACTERISTICS OF VANET S
communication as well as vehicle to infrastructure commu-
Compared to standard ad hoc networks, VANETs have nication. Both communication types can be performed via in-
several properties that introduce particular security challenges, termediate nodes, which results in multi-hop ad hoc communi-
which are not of major concern in other mobile ad hoc cation. In [2] Franz et al. give an overview on applications and
networks. In [1] Zarki et al. provide a list of characteristics of services that could be provided in a VANET. They distinguish
future vehicular networks, which are in some terms equivalent three kind of different services: cooperative driver assistance
to what we see as major properties of VANETs. applications (safety-related applications), local floating car
Offline-infrastructure - Communication to a fixed infrastruc- data applications and user communication and information
ture is possible, but it is unlikely that there is a permanent services.
connection to this infrastructure. Infrastructure gateways are Since especially safety-related applications are important in
supposed to be located at gas stations, parking lots or even VANETs and in addition underlie special requirements and
on selected points at the road side but not everywhere along constraints, we use the following example scenario to clarify
the road side. We call this type of fixed infrastructure an the motivation of this paper. A car driving on a highway detects

978-1-4244-1645-5/08/$25.00 ©2008 IEEE 2800

 attribute certificates: those define the properties of a node
with a distinguished name (a verifier can now verify that
a prover node’s attributes have been certified by a trusted
authority). Properties can then be used during access control
for authorization decisions. The Simple Public Key Infrastruc-
ture (SPKI) is an example of this kind [5]: Within this
standard authorizations are directly bound to the public keys
of nodes (not incorporating the strenuous management issue of
names). Another novelty in this approach was the integration
of delegation capabilities; a special flag, which is bound to
Fig. 1. Classification of trust establishment approaches a right indicates whether this right can be delegated. Thus
verifiable certificate chains are built. Both developments, SDSI
and SPKI, were combined to SPKI/SDSI in 1997. SPKI/SDSI
emergency braking because of an accident and communicates alike systems, which rely on credentials are called Trust Man-
this event to other cars driving on the same highway. agement Systems. Keynote (and its predecessor PolicyMaker)
Cars driving behind the sender receive this message and is also a system of this kind: besides authorization information
have to decide whether to display warning messages to their within its credentials, also security policies (as done e.g. in
drivers or not. To be able to take this decision (and thus to some IPSec implementations) can be defined.
protect the system against cars/nodes sending wrong warning VANETs could benefit of those concepts: certificates can be
messages) the cars need means to evaluate the trustworthiness obtained from an offline infrastructure as defined in section 2
of the message (origin). and later be used for offline trust verification; this is especially
IV. T RUST E STABLISHMENT IN VANET S possible in a very dynamic environment with nodes one has
never seen before. There are some open questions that have
Generally, it is assumed that each node in a VANET
to be thought of though. Privacy is not a requirement in those
is equipped with a trust system, which can come to trust
systems making the certificates highly linkable to individual
decisions (verify statements, be aware of trust, etc.).
nodes. Furthermore, one has to carefully look at the time
There are two basic options for trust establishment: it can
requirements of the certificate verifications: safety applications
either statically rely on a security infrastructure or be built
are very time-critical and it should be possible to verify
up dynamically in a self-organizing manner (see fig. 1). The
certificates quickly.
former process relies on common, global, trusted and well-
known system parameters (e.g. a central CA), which can be 2) Kerberos: One cannot talk about infrastructure based
used for message authentication. The latter process lacks of trust systems without mentioning Kerberos [6], [7], which is a
this global knowledge and point of control and needs to take successor of the Needham-Schroeder protocol, which revealed
advantage of other trust supporting mechanisms. weaknesses in the sense of replay attacks. It relies on an online
interaction with a central ”Key Distribution Center” (KDC)
A. Infrastructure-based Trust Establishment for authentication in order to get a valid ”trust” token for a
In this section different approaches for infrastructure based service (contains a session key, a validity period preventing
trust will be addressed. This kind of trust relies on trust in replay and the requesting node’s identity encrypted with the
the according infrastructure and is static over time (trust in server’s secret key). The authorization information is kept
security infrastructure is not lost) and most often makes use at the services locally. Because of scalability problems in
of certificates. large environments, Kerberos V5 also allows for the central
1) Classical Certificate-based Systems: Probably the most management of authorization information and to integrate
popular and most adopted trust system is the one proposed those in the issued tokens.
in the X.509 standard [3]. X.509 certificates contain attributes Those approaches are not quite suited for VANETs: for
like the name of the issuing authority and of the subject node every new interaction (which might happen quite often in
(in form of a ”distinguished name”), the public key of the VANETs) an online certification process with a central author-
subject and a validity period. Because it binds the public key ity has to be launched (dependency of a permanent connection
of a node to its name, this kind of certificate is called identity to infrastructure). Furthermore this interaction is time consum-
certificate (a verifier can verify that a prover node’s pretended ing, which makes it problematic for time-critical applications.
name has been certified by a trusted authority). In order for Though, privacy can be established quite easily and unknown
this approach to work, the name of the node must be globally nodes’ trustability can be checked as well.
unique; this is established by the hierarchical structure of 3) Pseudonyms: Until now, each of the discussed trust
X.500 namespaces. The complexity of X.500 motivated Rivest concepts revealed the nodes’ identities (node linkability) when
and Lampson to think of other approaches for the management interacting with other nodes: either their name and according
of public keys and names resulting in an alternative mechanism public key is made public or the static public key with its
for binding names to public keys locally: Simple Distributed attributes. Though, vehicular ad hoc networks require a high
Security Infrastructure (SDSI) [4]. degree of privacy. A solution to this problem might be the use
In X.509 Version 3, additional fields within the certificates of pseudonyms, which can be changed over time (triggered
(e.g. access rights) can be defined. This leads the way to automatically or by the user himself). This would not establish

2801
anonymity but a higher degree of privacy. The central authority NIZK proofs is the prover’s and verifier’s access to a common
would be the only entity in the trust system, which can resolve random string (public randomness).
pseudonyms and associate it with real world identities (vehicle That is also the reason why NIZK proofs are a very
IDs, user IDs). promising concept for trust establishment in VANETs. The
This setting would reflect today’s real-world situation only problem we found is its still questionable applicability
(where there is always a central national authority that can (well-known algorithms, etc.).
resolve license plates to individuals) with the further enhance- 6) Digital Credentials: An approach combing both blind
ment that drivers’ license plates are changed periodically. signatures and zero knowledge proofs is proposed by Brands
With the integration of pseudonyms the above mentioned in [11]: Digital Credentials. In this concept, nodes holding
certificated based approaches could be enhanced to provide certificates can selectively disclose attributes contained in the
better privacy. certificate while hiding any other information. The basic idea
4) Blind Signature: Other concepts go a further step ahead behind this is that the attribute values themselves are part of
and introduce so-called blind signatures [8], i.e. anonymous each node’s secret and public keys and that a verifier could
certificates, within their trust systems. obtain all but one of the prover’s attributes without being able
Blind signatures allow a signer to digitally sign a statement to obtain all of the prover’s secret key.
without knowing the statement; it works as follows 7) Group Signatures: The still emerging field of group
signatures [12] is based on the following concept: in a group
• The requesting node uses a suitable blinding function f
signature scheme a single public key has a large number of
with a randomly chosen blinding factor b to compute s =
private keys. Each member of the group is issued a private
f (s, b), where s is the clear statement. He sends s to the
key, which can then be used to generate signatures that verify
authority.
with the according public key. Outsiders can only verify that
• The authority signs s using some ordinary signature
a signature was generated by some member of the group
algorithm sa and his private key kpriv to produce Sig  =
but cannot tell which member (granting a certain level of
sa(s , kpriv ). He sends Sig  back to the requesting node.
anonymity). Generally, in this approach there exists a central
• The node then applies the reverse blinding function f −1
authority, which can resolve signatures to individual nodes,
to compute Sig = sa(s, kpriv )
which were issued the according private key.
One example of this kind of systems is the following: a This concept seems also very promising as all major
node requesting a certificate creates n blinded certificates with requirements are met: no permanent online connection to
its attributes to be signed. The trusted authority will then infrastructure needed, works well in dynamic environments,
randomly ask the node in an authenticated session to disclose privacy can be established, and the verification process can be
n − 1 of these certificates and can thus check the attributes. If worked out relatively fast.
all the attributes were correct, the authority would sign the last 8) Threshold Cryptography: All of the above trust systems
blind certificate, thus not knowing for which pseudonym it was relied on a physically centralized trust system. The following
signed and so granting anonymity to the node. The probability approach, which is based on threshold cryptography will
1
that wrong attributes are signed has then decreased to 2n−1 . oppose to this property and makes only use of some centralized
Furthermore the authority can prevent nodes from attacking part for initialization. The concept of threshold cryptography
the trust system by flooding the authority with certification was first introduced by Adi Shamir [13]. The idea behind
requests: it can remember the frequency a node requests a a (n, t)-threshold cryptography system is to share a secret
certificate and forbid the issuing process in case of abuse. between n parties so that any t parties can rearrange the
This mechanism seems to be quite flexible as it is compliant secret. Such a system provides a greater robustness, because
to the above certificate based approaches and incorporates an malicious node has to attack at least t parties to obtain the
anonymity. One problem here is, that the requesting node has secret.
to create multiple statements for this to work. This concept can be used to share secrets or keys in an ad
5) Zero Knowledge / NIZKP: Zero-knowledge approaches hoc network [14], but the choice of t and n is quite hard.
can also be used for the establishment of anonymity: one The fatality of this problem arises, when less than t nodes
node proves to another node the truth of an assertion (its are available; then the whole system does not work. Due to
certified statement) with knowledge of secret information (its the extreme vitality and the dissimilarity of available nodes in
ID) without revealing it. VANETs, this is an important issue.
Zero-knowledge approaches [9] have become fundamental
cryptographic tools since the last 20 years. Simple zero- B. Self-organizing Trust Establishment
knowledge proofs are based on heavy interaction between Highly dynamic environments such as VANETs need an
communicating nodes (prover and verifier), which makes them adapted form of trust establishment. Decisions regarding trust
unsuitable for our targeted time-critical applications; especially to other nodes must be made autonomously because no online
if a high degree of mobility was one characteristic the stability connection to a security infrastructure is possible and must be
of the according communication links was a problem. based on partial information that is collected from unknown
Non-interactive zero knowledge (NIZK) proofs [10] pre- nodes during a short period of time only.
vent this heavy interaction by providing a mono-directional Therefore self organizing trust establishment is character-
interaction, from prover to verifier only. The main concept of ized by two properties

2802
 • there is no trusted third party such as an online infrastruc- 2) Terminodes: Hubaux and Buttyan propose in Termin-
ture involved odes [16] the use of a virtual currency called nuglets to cope
• there is no global knowledge shared among the partici- with selfish nodes in ad hoc networks. Either the routing of a
pating nodes packet has to be paid or the packet is dropped. The main goals
These properties imply that trust and the correspondent trust are on the one hand to encourage nodes to forward packets and
relationships are not static but dynamic. Trust in another node on the other hand to discourage nodes to flood the network
may increase, the longer this node is connected and reachable. with too many packets. Two different paying models were
Trust in nodes, which are visible only for a short period of introduced:
time may be low. The trust model has to take this into account. In the Packet Purse Model the sender has to pay nuglets for a
Mechanisms for self organizing trust establishment can be sent packet. The main advantage is that nodes are discouraged
classified as follows (see fig. 1) to overload the network, but the straightforward problem of
• direct: trust is established based on mutual communica- this approach is that the sender cannot know how many nuglets
tion with other nodes he has to pay as he does not know how many nodes have to
• indirect: nodes exchange information about other nodes forward the packet.
and the their trust relationships. This implies that trust In the Packet Trade Model every node along the route trades
relationships are transitive. in packets; they get payed for their forwarding service. The
• hybrid: combines both direct and indirect mechanisms overall cost for the sending have to be paid by the receiver.
In the following, several approaches for self organizing trust Here, the main disadvantages are the possibility of flooding
establishment will be discussed. the network and denial-of-service attacks against an arbitrary
1) CONFIDANT: The CONFIDANT protocol, which was receiver.
published by Buchegger and Le Boudec in [15], provides a This approach, like most currency-based systems, needs a
possibility to detect and isolate uncooperative nodes of a mo- secure place to store the credits. Tamper-proof hardware is one
bile ad hoc network. The protocol mainly focuses on routing possibility, but as seen in [17] this is not trivial. Furthermore
and forwarding aspects; it is intended to be an extension of a the system does not deal with attacks, only with selfishness.
reactive source-routing protocol like Dynamic Source Routing 3) SPRITE: Similar to Terminodes, SPRITE [18] also uses
(DSR). The basic principle of the protocol, namely punishing credits to encourage selfish nodes to cooperate in the network.
malicious and egoistic nodes, is derived from social behavior SPRITE mainly deals with the renumeration of forwarding
of birds in a biological experiment. messages. Every time a node receives a message he stores
There are four main components involved in the CONFI- a receipt of that message in his local database. Later these
DANT protocol, which have clearly defined responsibilities: collected receipts are sent to a central credit clearing service
• The Monitor gathers information about the neighborhood (CCS), which is only accessible when the nodes have an
by observing the routing protocol behavior using the online connection to the Internet. The CCS is used as a central
promiscuous mode. If deviant behavior is registered, the institution for accounting, i.e. it collects the receipts from the
reputation system is informed. forwarding nodes and balances the nodes’ accounts.
• The Trust Manager deals with ALARM messages, which The SPRITE approach does not need tamper-proof hard-
warn friendly nodes against misbehaving nodes. The ware, because this is managed by the CCS. The central CCS
trustworthiness of these messages should be achieved by could be established in VANETs, because frequent access to
a mechanism similar to PGP. the Internet seems possible. Like Terminodes, SPRITE also
• The Reputation System manages and updates the trust deals with selfish nodes but not with malicious nodes. A
value of the nodes. These values are derived from own serious problem could be the amount of receipts to be handled
experiences, observations of the neighborhood and the in the network.
incoming ALARM messages. These sources of trust are 4) Location Limited Side Channels: Another approach to
weighted according to their trustworthiness, e.g. own establish a trust relation between nodes in a VANET is the
experiences have a greater weight than observations. If use of a Location Limited Side Channel (LLSC). We use the
the trust value falls under a certain threshold the path term LLSC for a special channel, which is separated from the
manager is involved to act. main communication link. The LLSC is set up in a way that
• The Path Manager tries to isolate malicious nodes in an attacker cannot gain physical access to the channel (e.g. to
order to keep the vitality of the network alive. This read or inject messages). So two nodes are able to exchange
is achieved by routing packets around these nodes and critical information over a secure channel.
ignoring messages from them. The main applications for LLSCs are authentication and
The CONFIDANT protocol introduces a high-level modular pairing [19] of previously unknown nodes in an ad hoc
construction of a trust system. Anyway, there remain many network. Therefore, the involved nodes can exchange keys or
open issues, e.g. the building of the friend list or the security hashes of keys over the LLSC to pre-authenticate themselves.
of the protocol itself. The remaining steps for complete authentication are done
The deployment of the protocol in VANETs is even more over the normal wireless link [20]. These applications are
problematic. CONFIDANT mainly deals with routing infor- also relevant in VANETs, e.g. as a precondition for secure
mation, but in VANETs it is hard to distinguish between communication between two nodes.
misbehavior of nodes and errors due to fast topology changes. Possible technologies for establishing LLSC in VANETs are

2803
 no online dynamic privacy timelin. applicab.
infrastr. of only a single mechanism such as LLSC is not enough.
Certificates + 0 − 0 + Hence combinations of the mechanisms have to be taken into
Kerberos − 0 + − + account. So at the time being, no favorite mechanism could
Pseudonyms + 0 0 0 + be identified.
Blind Sign. + 0 0 0 +
ZKP + 0 + − + R EFERENCES
NIZKP + 0 + 0 +
Dig. Cred. + 0 0 0 + [1] M. El Zarki, S. Mehrotra, G. Tsudik, and N. Venkatasubramanian,
Group Sign. + 0 + 0 + “Security issues in a future vehicular network,” in Proceedings of
Thresh. Cryp. + − 0 0 − European Wireless 2002, 2002.
CONFIDANT + + 0 − + [2] W. Franz, R. Eberhardt, and T. Luckenbach, “FleetNet - Internet on the
Nuglets + + + 0 − Road,” 8th World Congress on Intelligent Transportation Systems, Oct
SPRITE + + 0 0 − 2001.
LLSC + + 0 + + [3] International Telecommunication Union: Telecom Standardization Sec-
tor, “Recommendation X.509: The Directory: Authentication Frame-
work,” 1997.
TABLE I [4] R. L. Rivest and B. Lampson, “SDSI – A simple distributed security
E VALUATION OF DIFFERENT MECHANISMS infrastructure,” Presented at CRYPTO’96 Rumpsession, 1996.
[5] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and
T. Ylonen, “SPKI certificate theory,” Internet Draft, March 1998,
iETF Network Working Group RFC 2693. [Online]. Available:
http://www.ietf.org/rfc/rfc2693.txt
infrared and radar communication. These technologies have [6] J. Kohl and C. Neuman, “RFC 1510: The Kerberos Network
Authentication Service (V5),” Sept. 1993. [Online]. Available:
matured over the years, could provide acceptable interference http://www.ietf.org/rfc/rfc1510.txt
liability, and are possibly already integrated in vehicles. [7] S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer,
“Kerberos authentication and authorization system,” Massachusetts
V. C ONCLUSION Institute of Technology, Tech. Rep., 1987. [Online]. Available:
citeseer.ist.psu.edu/miller88kerbero.html
For a first evaluation, we assess the various mechanisms ac- [8] D. Chaum, “Blind signature system,” in Proceedings of Crypto ’83,
cording the characteristics of VANETs: is an online infrastruc- 1983.
[9] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity
ture needed, how does the mechanism handle the dynamics in of interactive proof-systems,” in Proceedings of the seventeenth annual
the system (e.g. how easily are new nodes integrated), does ACM symposium on Theory of computing. ACM Press, 1985, pp. 291–
the mechanism provide for privacy of the nodes, are time- 304.
[10] M. Blum, P. Feldman, and S. Micali, “Non-interactive zero-knowledge
critical safety applications supported (how long does it take and its applications,” in Proceedings of the twentieth annual ACM
to establish trust between nodes), is the mechanism suited for symposium on Theory of computing. ACM Press, 1988, pp. 103–112.
VANET applications? The ratings are as follows: + good, 0 [11] S. Brands, “A technical overview of digital credentials,” 2002. [Online].
Available: citeseer.ist.psu.edu/brands02technical.html
fair and − poor (see table I). Except Kerberos alike systems, [12] D. Chaum and E. van Heyst, “Group signatures,” Lecture Notes of Com-
all approaches can be run without an online infrastructure. puter Science, vol. 547, 1991. [Online]. Available: http://link.springer-
We rated the dynamics aspect of the infrastructure based ny.com/link/service/series/0558/papers/0547/05470257.pdf
[13] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
approaches with ”0” as in all systems a node has to commu- pp. 612–613, 1979.
nicate with a trusted third party first in order to get its trust [14] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Networks
material. Otherwise trust verification is not possible. Threshold Special Issue on Network Security, 1999.
[15] S. Buchegger and J.-Y. L. Boudec, “Nodes Bearing Grudges: Towards
cryptography was rated with ”−” as e.g. new nodes cannot Routing Security, Fairness, and Robustness in Mobile Ad Hoc
be integrated easily without starting a somewhat strenuous Networks,” in Proceedings of the Tenth Euromicro Workshop on
process. Parallel, Distributed and Network-based Processing. Canary Islands,
Spain: IEEE Computer Society, January 2002, pp. 403 – 410. [Online].
The privacy aspect of pseudonyms and blind signatures was Available: citeseer.ist.psu.edu/article/buchegger02nodes.html
rated with ”0” as the degree of privacy strongly depends on the [16] L. Buttyán and J. Hubaux, “Nuglets: a virtual currency to stimulate
frequency of changing pseudonyms respectively blind signa- cooperation in self-organized ad hoc networks,” EPFL, Tech. Rep., 2001.
[Online]. Available: citeseer.ist.psu.edu/article/buttyan01nuglets.html
tures. Blind signatures have the further privacy enhancement [17] M. G. Zapata, “How to design wireless security mechanisms,” in
that neither other nodes nor the trusted authority itself can Proceedings of Workshop on Security in Ad-Hoc Networks, Ruhr
resolve the certified ID of the node as the ID is signed blindly. University Bochum, Germany, december 2002. [Online]. Available:
www.crypto.rub.de/adhocsec/Abs Zapata.pdf
The timeliness aspect of the two trust classes has to be [18] S. Zhong, J. Chen, and Y. Yang, “Sprite: A simple, cheat-proof,
treated differentiated: whereas in the infrastructure based ap- credit-based system for mobile ad-hoc networks,” in Proceedings of
proaches the time-critical part is the somewhat time consuming IEEE Infocom, San Fransisco, CA, april 2003. [Online]. Available:
gunther.smeal.psu.edu/15502.html
verification of certificates, the self-organizing trust models [19] F. Stajano and R. Anderson, “The resurrecting duckling: Security
need quite lots of time to establish trust to other nodes issues for ad-hoc wireless networks,” in Security Protocols, 7th
dynamically (learning of each others trustworthiness, etc.) International Workshop Proceedings, 1999, pp. 172–194. [Online].
Available: citeseer.ist.psu.edu/article/stajano99resurrecting.html
before being able to cope with safety applications. [20] D. Balfanz, D. Smetters, P. Stewart, and H. Wong, “Talking
The applicability of Digital Credentials has to be treated to strangers: Authentication in adhoc wireless networks,” Feb.
carefully, as the proposed mechanisms were patented. This 2002, in Symposium on Network and Distributed Systems
Security (NDSS ’02), San Diego, California. [Online]. Available:
could limit the degree of usage quite significantly if millions citeseer.ist.psu.edu/balfanz02talking.html
of cars would have to be equipped with it. The evaluation
shows that some candidates (NIZKP, Group signatures, LLSC)
seem quite suitable. However for a real system, the usage

2804