Formal Analysis of Privacy for Vehicular Mix-Zones

  • Morten Dahl
  • Stéphanie Delaune
  • Graham Steel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6345)


Safety critical applications for recently proposed vehicle to vehicle ad-hoc networks (VANETs) rely on a beacon signal, which poses a threat to privacy since it could allow a vehicle to be tracked. Mix-zones, where vehicles encrypt their transmissions and then change their identifiers, have been proposed as a solution to this problem.

In this work, we describe a formal analysis of mix-zones. We model a mix-zone and propose a formal definition of privacy for such a zone. We give a set of necessary conditions for any mix-zone protocol to preserve privacy. We analyse, using the tool ProVerif, a particular proposal for key distribution in mix-zones, the CMIX protocol. We show that in many scenarios it does not preserve privacy, and we propose a fix.


Privacy VANETs Mix-Zones Security Protocols 


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proc. 28th ACM Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115. ACM Press, New York (2001)Google Scholar
  2. 2.
    Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied pi calculus. In: Proc. 23rd IEEE Computer Security Foundations Symposium, CSF 2010 (to appear, 2010)Google Scholar
  3. 3.
    Beresford, A.R., Stajano, F.: Location privacy in pervasive computing. IEEE Pervasive Computing 2(1), 46–55 (2003)CrossRefGoogle Scholar
  4. 4.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming 75(1), 3–51 (2008)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Brusó, M., Chatzikokolakis, K., den Hartog, J.: Formal verification of privacy for RFID systems. In: Proc. 23rd IEEE Computer Security Foundations Symposium, CSF 2010 (to appear, 2010)Google Scholar
  6. 6.
    Buttyán, L., Holczer, T., Vajda, I.: On the effectiveness of changing pseudonyms to provide location privacy in VANETs. In: Stajano, F., Meadows, C., Capkun, S., Moore, T. (eds.) ESAS 2007. LNCS, vol. 4572, pp. 129–141. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Buttyán, L., Holczer, T., Weimerskirch, A., Whyte, W.: SLOW: A practical pseudonym changing scheme for location privacy in VANETs. In: IEEE Vehicular Networking Conference (VNC), Tokyo, Japan, October 2009, pp. 1–8 (2009)Google Scholar
  8. 8.
    Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. Journal of Computer Security 17(4), 435–487 (2009)Google Scholar
  9. 9.
    Delaune, S., Ryan, M.D., Smyth, B.: Automatic verification of privacy properties in the applied pi-calculus. In: Karabulut, Y., Mitchell, J., Herrmann, P., Jensen, C.D. (eds.) Proc. 2nd Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM 2008), Trondheim, Norway, June 2008. IFIP Conference Proceedings, vol. 263, pp. 263–278. Springer, Heidelberg (2008)Google Scholar
  10. 10.
    Doetzer, F.: Privacy issues in vehicular ad hoc networks. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 197–209. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Freudiger, J., Raya, M., Félegyházi, M., Papadimitratos, P., Hubaux, J.-P.: Mix-zones for location privacy in vehicular networks. In: Proc. of ACM Workshop on Wireless Networking for Intelligent Transportation Systems, WiN-ITS 2007 (2007)Google Scholar
  12. 12.
    Parno, B., Perrig, A.: Challenges in securing vehicular networks. In: Proc. 4th Workshop on Hot Topics in Networks (November 2005)Google Scholar
  13. 13.
    Sleet, D., Peden, M., Scurfield, R.: World report on traffic injury prevention. World Health Organization Report (2004)Google Scholar
  14. 14.
    Raya, M., Hubaux, J.-P.: The Security of Vehicular Ad Hoc Networks. In: Proc. 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005), pp. 11–21 (2005)Google Scholar
  15. 15.
    Safespot project (2006-2010),
  16. 16.
    Schneider, S., Sidiropoulos, A.: CSP and anonymity. In: Martella, G., Kurth, H., Montolivo, E., Bertino, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 198–218. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    IEEE standard. IEEE Trial-Use Standard for Wireless Access in Vehicular Environments – Security Services for Applications and Management Messages (approved June 8, 2006)Google Scholar
  18. 18.
    van Deursen, T., Mauw, S., Radomirovic, S.: Untraceability of RFID protocols. In: Onieva, J.A., Sauveron, D., Chaumette, S., Gollmann, D., Markantonakis, K. (eds.) WISTP 2008. LNCS, vol. 5019, pp. 1–15. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Morten Dahl
    • 1
    • 2
  • Stéphanie Delaune
    • 2
  • Graham Steel
    • 2
  1. 1.Department of Computer ScienceAalborg University 
  2. 2.LSVENS Cachan & CNRS & INRIA Saclay Île-deFrance

Personalised recommendations