Vehicular Ad Hoc Networks Essay Example for Free

Vehicular Ad Hoc Networks Essay ABSTRACT. Vehicular Ad Hoc Networks is a kind of special wireless ad hoc network, which has the characteristics of high node mobility and fast topology changes. The Vehicular Networks can provide wide variety of services, ranges from safety and crash avoidance to internet access and multimedia applications. Attacking and misusing such network could cause destructive consequences. It is therefore necessary to integrate security requirements into the design of VANETs and defend VANET systems against misbehaviour, in order to ensure correct and smooth operations of the network. In this paper, I propose a security system for VANETs to achieve privacy desired by vehicles and traceability required by law enforcement authorities, in addition to satisfying fundamental security requirements including authentication, nonrepudiation, message integrity, and confidentiality. Moreover, we propose a privacy-preserving defense technique for network authorities to handle misbehaviour in VANET access, considering the challenge that privacy provides avenue for misbehaviour. The proposed system employs an identitybased cryptosystem where certificates are not needed for authentication. I show the fulfilment and feasibility of our system with respect to the security goals and efficiency. 1 INTRODUCTION VEHICULAR ad hoc networks (VANETs) are receiving increasing attentions from academic and deployment efforts from industry, due to the various applications and potential tremendous benefits they offer for future VANET users. Safety information exchange enables life-critical applications, such as the alerting functionality during intersection traversing and lane merging, and thus, plays a key role in VANET applications. Valueadded services can enhance drivers’ traveling experience by providing convenient Internet access, navigation, toll payment services, etc. Other applications are also possible including different warning messages for congestion avoidance, detour notification, road conditions (e.g., slippery), etc., and alarm signals disseminated by emergency vehicles (e.g., ambulance) for road clearance. The attractive features of VANETs inevitably incur higher risks  if such networks do not take security into account prior to deployment. For instance, if the safety messages are modified, discarded, or delayed either intentionally or due to hardware malfunctioning, serious consequences such as injuries and even deaths may occur. This necessitates and urges the development of a functional, reliable, and efficient  security architecture before all other implementation aspects of VANETs.Fundamentally,VANET security design should guarantee authentication, nonrepudiation, integrity, and in some specific application scenarios, confidentiality, to protect the network against attackers. Besides the fundamental security requirements, sensitive information such as identity and location privacy should be reserved from the vehicle owner’s perspective, against unlawful tracing and user profiling, since otherwise it is difficult to attract vehicles to join the network. On the contrary, traceability is required where the identity information need be revealed by law enforcement authorities for liability issues, once accidents or crimes occur. In addition, privilege revocation is required by network authorities (e.g., network administrator) once misbehaviour is detected during network access. It is less difficult to prevent misbehavior of unauthorized users (i.e., outsiders)since legitimate users and roadside units (RSUs) can simply disregard communication requests from outsiders by means of authentication. Nevertheless, misbehaviour of legitimate users of VANETs (i.e., insiders) is more difficult and complex to prevent, the reason being that insiders possess credentials issued by the authority to perform authentication with peer vehicles or RSUs who canbe  easily tricked into trusting the insiders. Consequently, the insiders misbehaviour will have much larger impact on the network and will be the focus of this paper. I proposed system in this paper and many recent proposals on VANET security provide the option of using anonymous credentials in authentication, rendering it even more complex to handle misbehaviour in VANETs, since the user identity is hidden and cannot be linked arbitrarily which curbs the punishment of misbehaving users. Contributions. Given the conflicting goals of privacy and traceability, and the challenges in designing a privacy-preserving defense scheme for VANETs,  i motivated to propose a security system that can effectively and efficiently solve the conflic ts and challenges. Specifically, my main contributions in this paper include: 1. I propose a pseudonym-based scheme to assure vehicle user privacy and traceability. 2. I design a threshold signature-based scheme to achieve nonframeability in tracing law violators. In this scheme, an innocent vehicle cannot be framed by a corrupted law enforcement authority due to rolesplitting mechanism. 3. A novel privacy-preserving defense scheme is proposed leveraging threshold authentication. It guarantees that any additional authentication beyond the threshold will result in the revocation of the misbehaving users. This defense scheme differs from others mainly in that it yields flexibility in the revocation (i.e., not all types of misbehaviour should be punished). Moreover, the dynamic accumulators in the threshold authentication technique facilitates each user to place further restrictions (besides the threshold) on other communicating users, which is an attractive feature to service providers. 4. My design incorporates mechanisms that guarantee authentication, nonrepudiation, message integrity, and confidentiality. 2 RELATED WORK There is a large body of research work related to the security and privacy in VANETs. The most related works are on the design of privacypreserving schemes. Raya and Hubaux [1]investigated the privacy issue by proposing a pseudonym-based approach using anonymous public keys and the public key infrastructure (PKI), where the public key certificate is needed, giving rise to extra communication and storage overhead. The  authors also proposed three credential revocation protocols tailored for VANETs, namely RTPD,RC2RL, and DRP [5], considering that the certificate revocation list (CRL) needs to be distributed across the entire network in a timely manner. All the three protocols seem to work well under conventional public key infrastructure (PKI). However, the authors also proposed to use frequently updated anonymous public keys to fulfillusers requirement on identity and location privacy. If this privacy preserving technique is used in conjunction with RC2RL and DRP, th e CRL produced by the trusted authority will become huge in size, rendering the revocation protocols highly inefficient. A lightweight symmetric-key-based security scheme for balancing  auditability and privacy in VANETs is proposed in [2]. It bears the drawback that peer vehicles authenticate each other via a base station, which is unsuitable for inter vehicle communications. Gamage et al. [6] adopted an identity-based (IDbased) ring signature scheme to achieve signer ambiguity and hence fulfill the privacy requirement in VANET applications. The disadvantage of the ring signature scheme in the context of VANET applications, is the unconditional privacy, resulting in the traceability requirement unattainable. Group signature-based schemes are proposed in [4] where signer privacy is conditional on the group manager. As a result, all these schemes have the problem of identity escrow, as a group manager who possesses the group master key can arbitrarily reveal the identity of any group member. In addition, due to the limitation of group formation in VANETs (e.g., too few cars in the vicinity to establis h the group), the group-based schemes [4]may not be applied appropriately. The election of group leader will sometimes encounter difficulties since a trusted entity cannot be found amongst peer vehicles. There are also a number of defense techniques against misbehaviour in VANET literature besides those in [1]. An indirect approach via the aid of infrastructure is used in [4].The TA distributes the CRL to the infrastructure points which then take over the TA’s responsibility to execute the revocation protocol. The advantage of this approach is that vehicles never need to download the entire RL. Unfortunately, the conditional anonymity claimed in [4]. only applies to amongst peer vehicles, under the assumption that the infrastructure points are trusted. The infrastructure points can reveal the identity of any vehicle at any time even if the vehicle is honest. Recently, Tsang et al. [7]proposed a blacklistable anonymous credential system for blocking misbehavior without the trusted third party (TTP).The blacklisting technique can be applied to VANETs as: if the vehicle fails to prove that it is not on the blacklist of the current  authenticator, the authenticator will ignore the messages or requests sent by this vehicle. Although not proposed specifically for VANETs, the proposal in [7] has a similar claim as the capability of a TTP (network authority in this paper) to recover a user’s identity in any case is too strong a punishment and highly undesirable in some scenarios. The downside of this  technique is the lack of options to trace misbehaving users, since any user in the system(misbehaving or not)will by no means be identified by any entity including the authorities. I proposed a privacy-preserving defense scheme against misbehavior in [8] leveraging threshold authentication technique. This scheme and the scheme in [3] both preserve user privacy, and simultaneously provide trace ability (i.e., tracing law violators by enforcement authorities in [3] and tracing misbehaving users by network authorities in [8]). The major differences between these schemes are the different technical realizations of the privacy and traceability schemes, due to the different application 3 SYSTEM MODEL We describe the functionalities of our security system and define security requirements in this section. 3.1 Overview Major entities in a VANET environment are depicted in A VANET system diagram. As mentioned before, traceability is needed by law enforcement authorities (LEAs) who require the identity of a violating vehicle to be disclosed for investigating the cause of accidents or crimes. Due to the seriousness of liability issues, if a single authority (e.g., the police) is fully capable of revealing the vehicle identity, this privilege may be abused. It is desirable if two or more authorities (e.g., the police, judge, special agents, and other possible law enforcement authorities) are granted distributed control over the identity retrieval process. One benefit in doing so is that corrupted authorities (the number being less than the threshold) cannot arbitrarily trace vehicle users to compromise their privacy. Another benefit is that malicious authorities cannot falsely accuse (or frame) honest users. Such role-splitting is not required for network authorities since the threshold authentication technique in our defense scheme prevents a network authority from falsely accu sing honest users. The proposed security system primarily consists of techniques addressing the privacy, traceability, nonframeability, and revocation (only by network authorities) issues. The  logic diagram of the entities interactions is depicted in logic diagram, where the arrowed lines indicate the direction of packet flow or physical communications, the bracketed numbers near each line index the major events or procedures between the connected entities. The vehicle users are split into access group owners and members, whereas the RSUs can only be access  group owners. The entities and events/procedures are described in what follows. 3.2 Entities and Procedures The entities in this system are the regional transportation authorities (RTAs), law enforcement authorities (LEAs),network authorities, roadside infrastructure including border RSUs for pseudonym management and regular RSUs (simply RSUs) for Internet access, and vehicle users. Considering practical scenarios, the RSUs in this system are mainly responsible for providing infrastructure access and network services. The RSUs are assumed to be operated by third-party service providers (SPs) who have business contracts with the RTA to build access infrastructure in the RTA’s region. The RSUs are thus not owned by the RTA and have no preestablished trust relationship with the RTA. On the other hand, borders RSUs are owned and operated by the RTA, and can be considered as the agents who are delegated with the RTA’s authority. These entities are involved in the following procedure:  may be caused by malfunctioning hardware and thus is incidental. These types of misbehavior share a common feature, i.e., their occurrence or frequency is low, specifically, lower than a predetermined threshold. Threshold authentication-based defense further consists of six sub-procedures: Membership registration: RSUs and vehicle users register with the RTA to use VANETs. Upon successful registration, a member public/private key pair (mpk;msk) is issued to each RSU and vehicles. The RTA associates the member’s credential with the issued public key and includes this pair of information into a credential list IDlist. Access group setup: RSUs and vehicles setup their own access groups, the member of which is granted privilege to communicate with the access group owner. The group owner adds members to the group and updates related public information. Each added member obtains an access key mak for the group. Access group revoking: The access group owner revokes the granted privilege when deciding to stop communications with a member, due to some decision criteria for misbehaviour. The access group owner removes the member from the access group and updates related public information. Threshold authentication: This procedure is executed between an RSU and a vehicle, or between peer vehicles. We call the authenticator in this procedure Alice who announces the threshold k possibly different for each user being authenticated. The  authentication succeeds if and only if the following conditions are met simultaneously: the user Bob authenticating with Alice is a registered member of the VANET system, Bob is a legitimate member of Alice’s access group (if Alice is an access group owner) whose member privilege has not been revoked, and the authentication threshold has not been exceeded. Alice records the authentication transcripts in AUTHlog: Tracing: This procedure is used by Alice to trace a misbehaving member Mn who attempts to authenticate more than k times. Alice relies on the AUTHlog and public information, and obtains Mn’s credential n as the procedure output which is reported to the RTA.Revocation/recovery: Upon receiving the complaints from other entities in the system as the output of Tracing, the RTA decides if the misbehaving member’s credential needs to be revoked. The RTA then performs the identity recovery by looking up the same pseudonym lookup table PLT (cf.System setup above) which also records the correspondence between the credential n and identity IDn. Note that for the ease of presentation, we assume the RTAs to act as network authorities for the defense scheme in this paper. In reality, when the roles of RTA and network authority System setup: This procedure is executed by the RTA for initial VANET system setup including domain parameter publication, public/private key assignment for entities in the system to perform desired tasks, and database creation for storing necessary records (i.e., the pseudonym lookup table PLT). Pseudonym generation and authentication for privacy: RTA and border RSUs execute this procedure to assign pseudonym/private key pairs to both vehicles traveling in their home domain and vehicles from other RTAs’ domains, so that these vehicles are able to authenticate with RSUs and other vehicles to obtain services and useful messages. Threshold signature for nonframeability: This procedure is invoked by LEAs to share the secret information for recovering a guilty vehicle’s identity. Meanwhile, it prevents corrupted authorities from gathering full power to accuse an innocent vehicle. The functional component of this procedure is the threshold signature. Threshold-authentication-based defense: Designed for the network authorities, this procedure is used to revoke a misbehaving vehicle’s credential, refraining the vehicle from further disrupting system operations. As the core of this procedure, the threshold authentication  technique provides a mechanism to allow certain types of misbehavior that should not result in revocation. For instance, the misbehavior  are separate, the network authority can simply take charge as the RTA in the above sub procedures. Nonetheless, in the execution of Revocation/recovery, the network authority needs to establish trust with or be delegated by the RTA in order to access the PLT. When we mention network authorities in what follows, we implicitly refer to RTAs in the network authority role. 3.3 Security Requirements I define the security requirements for a VANET security system, and will show the fulfillment of these requirements after presenting the design details. 1. Privacy: The privacy requirement states that private information such as vehicle owner’s identity and location privacy is preserved against unlawful tracing and user profiling. 2. Traceability: It is required where the identity information of violators need be revealed by law enforcement authorities for liability purposes. The traceability requirement also indicates that a misbehaving user will be identified and the corresponding credential revoked, if necessary, by network authorities, to prevent this user from further disrupting system operations. Certain criteria have to be met for the traceability of a misbehaving user as explained in the next section. 3. Nonframeability: Nonframeability requires that no entity in the system can accuse an honest user for having violated the law or misbehaved. 4. Other requirements: A secure VANET system should satisfy several fundamental requirements, namely, authentication, nonrepudiation, message integrity, and confidentiality where sensitive information is being exchanged, to protect the system against unauthorized-message injection, denial of message disseminations, message alteration, and eavesdropping, respectively. Nonrepudiation also requires that violators or misbehaving users cannot deny the fact that they have violated the law or misbehaved. 4 CONCLUSIONS AND FUTURE WORK I have presented the VANET security system mainly achieving privacy, traceability, nonframeability, and privacy-preserving defense against misbehaviour and reducing traffic in the network. These functionalities are realized by the  pseudonym-based technique, the threshold signature, and the threshold authentication bas ed defense scheme. The ID-based cryptosystem facilitates  us to design communication and storage efficient schemes. Our future work consists of simulating the proposed security system and experimenting it in real VANET settings. REFERENCES [1] M. Raya and J-P. Hubaux, â€Å"Securing Vehicular Ad Hoc Networks,† J. Computer Security, special issue on security of ad hoc and sensor networks, vol. 15, no. 1, pp. 39-68, 2007. [2] J.Y. Choi, M. Jakobsson, and S. Wetzel, â€Å"Balancing Auditability and Privacy in Vehicular Networks,† Proc. First ACM Int’l WorkshopQoS and Security for Wireless and Mobile Networks (Q2SWinet ’05), pp. 79-87, Oct. 2005. [3] J. Sun, C. Zhang, and Y. Fang, â€Å"An Id-Based Framework Achieving Privacy and Non-Repudiation in Vehicular Ad Hoc Networks,† Proc. IEEE Military Comm. Conf., pp. 1-7, Oct. 2007. [4] X. Lin, X. Sun, P.-H. Ho, and X. Shen, â€Å"GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications,†IEEE Trans. Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, Nov. 2007. [5] M. Raya, P. apadimitratos, I. Aad, D. Jungels, and J.-P. Hubaux,â€Å"Eviction of Misbehaving and Faulty Nodes in Vehicular Networks,† IEEE J. Sele cted Areas Comm., vol. 25, no. 8, pp. 15571568,Oct. 2007. [6] C. Gamage, B. Gras, B. Crispo, and A.S. Tanenbaum, â€Å"An Identity Based Ring Signature Scheme with Enhanced Privacy,† Proc.Second Int’l Conf. Security and Privacy in Comm. Networks (SecureComm ’06), Aug. 2006. [7] P. Tsang, M.H. Au, A. Kapadia, and S.W. Smith, â€Å"Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs,† Proc. ACM Conf. Computer and Comm. Security (CCS),pp. 72-81, 2007. [8] J. Sun and Y. Fang, â€Å"A Defense Technique against Misbehavior in VANETs Based on Threshold Authentication,† Proc. IEEE Military Comm. Conf., Nov. 2008.

Comparing the Role of the Ghost in Morrisons Beloved and Kingstons No

The Symbolic Role of the Ghost in Morrison's Beloved and Kingston's No Name Woman The eponymous ghosts which haunt Toni Morrison's Beloved and Maxine Hong Kingston's "No Name Woman" (excerpted from The Woman Warrior) embody the consequence of transgressing societal boundaries through adultery and murder. While the wider thematic concerns of both books differ, however both authors use the ghost figure to represent a repressed historical past that is awakened in their narrative retelling of the stories. The ghosts facilitate this retelling of stories that give voice to that which has been silenced, challenging this repression and ultimately reversing it. The patriarchal repression of Chinese women is illustrated by Kingston's story of No Name Woman, whose adulterous pregnancy is punished when the villagers raid the family home. Cast out by her humiliated family, she births the baby and then drowns herself and her child. Her family exile her from memory by acting as if "she had never been born" (3) -- indeed, when the narrator's mother tells the story, she prefaces it with a strict injunction to secrecy so as not to upset the narrator's father, who "denies her" (3). By denying No Name Woman a name and place in history, leaving her "forever hungry," (16) the patriarchy exerts the ultimate repression in its attempt to banish the transgressor from history. Yet her ghost continues to exist in a liminal space, remaining on the fringes of memory as a cautionary tale passed down by women, but is denied full existence by the men who "do not want to hear her name" (15). Kingston's narrator tackles this repression when she sympathetically frames No Name Woman's story as one of subjugation, pointing out that "women in the old Ch... ... "The Woman Warrior as a Search for Ghosts", Sato examines Kingston's symbolic use of the ghost figure as a means of approaching the dramatic structure of the text and appreciating its thematic search for identity amidst an often-paradoxical bicultural setting. Sonser makes this argument through a comparison of Beloved with Nathaniel Hawthorne's The Scarlet Letter. Her essay, "The Ghost in the Machine: Beloved and The Scarlet Letter", draws strong parallels between the two female protagonists, Sethe and Hester, who challenge the oppressive frameworks of their societies. Despite the ideological incongruity of Hawthorne's patriarchal Puritanism and Morrison's racist slavery, Sonser still finds a shared thematic "intersection of subjectivity and social power" (17) that resonates in the stories of two women's attempts at self-definition from the margins of society.

Puritans DBQ Essay

In the 1600’s, the Puritans migrated to the Americas using their more Christian and traditional values to influence the economical, political, and social development of the New England colonies. The Puritans traveled out of a desire to create a more â€Å"pure† and more Christian society, not of primarily economic interests. The Puritan’s idea of what God’s indication of a perfect humanity made a lasting impression on New England. The region’s economic success was second to religious beliefs. New England originally existed as a plantation of Religion, not a plantation of Trade. (Doc J). The Puritans believed that wealth was a sign of God’s favor, and they worked hard to make sure that they were at the â€Å"top of the hill†. They became merchants and participated in the commercial trading centers of the New World. The Puritan’s importance of being God’s favorite demonstrates the development of New England’s economy. Politically, the Puritans influenced the progress of New England by enforcing their strict moral code, morality succeeded all other concerns. The use of morality and religion in politics led to uprisings. An example of this is Roger Williams â€Å"Plea for Religious Liberty,† questioning authority. (Doc F). Nathanial Ward argues that liberty, conscience and moral laws have to be in balance in order for the â€Å"fiddle to be in tune,† and society to succeed. (Doc G). The Puritan’s beliefs in community and education caused New England to have bigger families and a better education. Puritan’s believed in educating new members of the â€Å"elite,† to inform new followers of their belief. Harvard University was created to teach Puritan ways. They longed for an advance in learning. (Doc E). The Puritans were a very close community. They rejoiced and mourned together. (Doc A). This steered to the development of towns and villages. In addition, the Puritans traveled to the new world in families, not individuals. This causes the region to have a balanced men and women ratio. All in all, the Puritan’s motivation for establishing a pure Christian society influenced the economic, political, and social development of New England. Economically, they made a center of mercantilism in the favor of  God. Politically, the Puritans used their moral beliefs to create a basic political structure for New England. Socially, they formed communities with a balanced male and female population.

F-117 Nighthawk Stealth Fighter Profile

The Lockheed F-117A Nighthawk was the worlds first operational stealth aircraft. Designed to evade enemy radar systems, the F-117A was developed as a stealth attack aircraft by Lockheeds famed Skunk Works unit in the late 1970s and early 1980s. Though in use in by 1983, the existence of the F-117A was not acknowledged until 1988 and the aircraft was not fully revealed to the public until 1990. Though used in 1989 over Panama, the F-117As first major conflict was Operation Desert Shield/Storm in 1990-1991. The aircraft remained in service until being formally retired in 2008. Stealth During the Vietnam War radar-guided, surface-to-air missiles began to take an increasingly heavy toll on American aircraft. As a result of these losses, American planners began seeking a way to make an aircraft invisible to radar. The theory behind their efforts was initially developed by Russian mathematician Pyotr Ya. Ufimtsev in 1964. Theorizing that the radar return of a given object was not related to its size but rather its edge configuration, he believed that he could calculate the radar cross-section across a wings surface and along its edge. Utilizing this knowledge, Ufimtsev conjectured that even a large aircraft could be made stealthy. Unfortunately, any aircraft taking advantage of his theories would be inherently unstable. As the technology of the day was incapable of producing the flight computers necessary to compensate for this instability, his concepts were shelved. Several years later, an analyst at Lockheed came across a paper about Ufimtsevs theories and, as technology had sufficiently advanced, the company began developing a stealth aircraft based on the Russians work. Development Development of the F-117 began as a top secret black project at Lockheeds famed Advanced Development Projects unit, better known as the Skunk Works. First developing a model of the new aircraft in 1975 dubbed the Hopeless Diamond due to its odd shape, Lockheed built two test aircraft under the Have Blue contract to test the designs radar-defying properties. Smaller than the F-117, the Have Blue planes flew night test missions over the Nevada desert between 1977 and 1979. Utilizing the F-16s single-axis fly-by-wire system, the Have Blue planes solved the instability issues and were invisible to radar. Lockheed Have Blue test aircraft. US Air Force Pleased with the programs results, the US Air Force issued a contract to Lockheed on November 1, 1978, for the design and production of a full-sized, stealth aircraft. Led by Skunk Works chief Ben Rich, with assistance from Bill Schroeder and Denys Overholser, the design team used specially designed software to create an aircraft which used facets (flat panels) to scatter over 99% of radar signals. The final result was an odd-looking aircraft that featured quadruple-redundant fly-by-wire flight controls, an advanced inertial guidance system, and sophisticated GPS navigation. To minimize the aircrafts radar signature, designers were forced to exclude onboard radar as well as minimize the engine inlets, outlets, and thrust. The result was a subsonic attack bomber capable of carrying 5,000 lbs. of ordnance in an internal bay. Created under the Senior Trend Program, the new F-117 first flew on June 18, 1981, only a mere thirty-one months after moving into full-scale development. Designated the F-117A Nighthawk, the first production aircraft was delivered the following year with operational capability reached in October 1983. All told 59 aircraft were built and delivered by 1990. F-117A Nighthawk GeneralLength: 69 ft. 9 in.Wingspan: 43 ft. 4 in.Height: 12 ft. 9.5 in.Wing Area: 780 sq. ft.Empty Weight: 29,500 lbs.Loaded Weight: 52,500 lbs.Crew: 1PerformancePower Plant: 2 Ãâ€" General Electric F404-F1D2 turbofansRange: 930 milesMax Speed: Mach 0.92Ceiling: 69,000 ft.Armament2 Ãâ€" internal weapons bays with one hard point each (total of two weapons) Operational History Due to the extreme secrecy of the F-117 program, the aircraft was first based at isolated Tonopah Test Range Airport in Nevada as part of the 4450th Tactical Group. To aid in protecting the secret, official records at the time listed the 4450th as being based at Nellis Air Force Base and flying A-7 Corsair IIs. It was not until 1988 that the Air Force acknowledged the existence of the stealth fighter and released a fuzzy photograph of the aircraft. Two years later, in April 1990, it was publicly revealed when two F-117As arrived at Nellis during daylight hours. F-117A Nighthawk. US Air Force Gulf War With the crisis in Kuwait developing that August, the F-117A, now assigned to the 37th Tactical Fighter Wing, deployed to the Middle East. Operation Desert Shield/Storm was the aircrafts first large-scale combat debut, though two had been secretly used as part of the invasion of Panama in 1989. A key component of the coalition air strategy, the F-117A flew 1,300 sorties during the Gulf War and struck 1,600 targets. The forty-two F-117As of the 37th TFW succeeded in scoring an 80% hit rate and were among the few aircraft cleared to strike targets in downtown Baghdad. Kosovo Returning from the Gulf, the F-117A fleet was shifted to Holloman Air Force Base in New Mexico in 1992 and became part of the 49th Fighter Wing. In 1999, the F-117A was used in the Kosovo War as part of Operation Allied Force. During the conflict, an F-117A flown by Lieutenant Colonel Dale Zelko was downed by a specially modified SA-3 Goa surface-to-air missile. Serbian forces were able to briefly detect the aircraft by operating their radar on unusually long wavelengths. Though Zelko was rescued, the remains of the aircraft were captured and some of the technology compromised. In the years after the September 11 attacks, the F-117A flew combat missions in support of both Operations Enduring Freedom and Iraqi Freedom. In the latter case, it dropped the opening bombs of the war when F-117s struck a leadership target in the conflicts opening hours in March 2003. Though a highly successful aircraft, the F-117As technology was becoming outmoded by 2005 and maintenance costs were rising. F-117A Nighthawk on display at the National Museum of the US Air Force. US Air Force Retirement With the introduction of the F-22 Raptor and development of the F-35 Lightning II, Program Budget Decision 720 (issued December 28, 2005) proposed retiring the F-117A fleet by October 2008. Though the US Air Force had intended to keep the aircraft in service until 2011, it decided to begin retiring it to enable the purchase of additional F-22s. Due to the sensitive nature of the F-117A, it was decided to retire the aircraft to its original base at Tonopah where they would be partially disassembled and placed in storage. While the first F-117As left the fleet in March 2007, the final aircraft departed active service on April 22, 2008. That same day official retirement ceremonies were held. Four F-117As remained in brief service with the 410th Flight Test Squadron at Palmdale, CA and were taken to Tonopah in August 2008.