V2X Security Credential Management System (SCMS) Proof-of-Concept Implementation
Funded by US DOT/NHTSA
Benedikt Brecht, CAMP Principal Investigator, VWGoA
October 2015

CAMP Partners (partner logos: project funded by / supported by; not recoverable from the extracted slide)

What is V2X?
Do Not Pass Warning: remote vehicles send their position and speed

Left Turn Assist: remote vehicles send their position and speed

Traffic Light Assistant: the traffic light sends its current state and the time until the next state
V2X Public Perception, Market and Mandate Activities
• GM announced V2V for the 2017 Cadillac CTS: “We’re doing it because it’s what customers around the world want. Through technology and innovation, we will make driving safer.”
• USDOT Secretary Anthony Foxx: “The Department wants to speed the nation toward an era when vehicle safety isn’t just about surviving crashes. It’s about avoiding them.”
• MIT Technology Review announced V2X communication as one of the 10 breakthrough technologies of 2015: http://www.technologyreview.com/featuredstory/534981/car-to-car-communication
SCMS goals:
• Establish Trust
• Ensure Privacy
• Avoid Intrusion
Device lifecycle in the SCMS:
• Initialization: the device receives keys and the information needed to establish trusted connections to SCMS components
• Enrollment: the device receives a long-term certificate to use in interactions with SCMS components
• Pseudonym Certificates: short-term certificates to use in interactions with other devices
• Misbehavior Detection: the device detects misbehavior and may report it to the Misbehavior Authority (MA), or the MA detects misbehavior at a global level
• Penalty / device revocation: the device should no longer be trusted; the MA revokes its certificates and informs devices and SCMS components
SCMS Architecture (diagram; components listed as they appear): SCMS Manager (Policy, Technical); Root CA; Intermediate CA; Certification Lab; Misbehavior Authority with Internal Blacklist Manager, Global Detection and CRL Generator; Enrollment CA; Pseudonym CA; CRL Store; CRL Broadcast; Linkage Authority 1; Linkage Authority 2; Registration Authority; Device Config. Manager; Location Obscurer Proxy; Devices 1, 2 and 3. Legend: intrinsically central vs. not intrinsically central components; regular vs. out-of-band communication.
A Security Credential Management System (SCMS) for Vehicle-to-Vehicle Communications
William Whyte (CAMP VSC5), October 2015
Motivation
• A V2V system can alert the driver (and thus help prevent crashes) by issuing different safety warnings, e.g.:
  • Forward Collision Warning (FCW)
  • Intersection Movement Assist (IMA)
  • Electronic Emergency Brake Light (EEBL)
• Messages include information on current position, velocity, etc.
• Messages are received over the air: integrity and authentication are required
• CAMP VSC5 choice:
  • Unencrypted messages with a signature based on asymmetric cryptography (ECDSA-256)
  • Certificates (incl. the public key) issued by a Public-Key Infrastructure (PKI)
Conflicting requirements
• Privacy (OEM privacy goals)
  • Prevent the SCMS from collecting Personally Identifiable Information (PII)
  • Prevent trip tracking by outsiders: frequent change of pseudonym certificates
  • Prevent trip tracking by SCMS insiders: separation of duties and information, such that trip tracking is only possible through collusion of several SCMS components
• Trustworthy messages
  • Incoming messages must be verifiable
  • Misbehaving units need to be removed
Privacy by Design: OEM Perspective
• Privacy from attacks by an SCMS insider
  • Introduce extra SCMS components, e.g. a 2nd Linkage Authority (LA), the Location Obscurer Proxy (LOP), etc.
  • Don’t link certificates to the VIN
  • Separate operation of SCMS components: two or more components should not be run by the same organization without “proper” separation if the combined information held by the components would allow the organization to track* a vehicle
* Track: predict the next pseudonym certificate based on the current one, or find out whether two certificates belong to the same device
Basic Overview
• To the Enrollment Certificate Authority: prove eligibility (Enrollment); receive ONE enrollment certificate
• To the Registration Authority: show the enrollment certificate (Certificate Provisioning); receive a SET of pseudonym certificates
• Participate in V2V
Current assumptions on pseudonym certificates:
• 3120 pseudonym certificates
• 20 valid per week
• Frequent change of pseudonym certificate (e.g. every 5 minutes)
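The two Linkage Authorities are the deck's concrete instance of "tracking only by collusion": each LA contributes half of the linkage value carried in a pseudonym certificate, and the MA revokes a device by publishing both LAs' seeds so that receivers can recognise all of its remaining certificates. The following is an added illustrative model of that split, not CAMP's or the SCMS specification's code; it uses the deck's pool assumptions (3120 certificates, 20 per week) and substitutes assumed primitives (SHA-256 seed evolution, HMAC-SHA256 as the per-certificate PRF, 9-byte values, constructed seeds) for whatever the real system uses.

```python
import hashlib
import hmac

# Deck assumptions: 3120 pseudonym certificates, 20 valid per week -> 156 weeks.
CERTS_PER_WEEK = 20
WEEKS = 3120 // CERTS_PER_WEEK
LV_LEN = 9  # assumed linkage-value length in bytes (illustrative choice)

def next_seed(la_id: bytes, seed: bytes) -> bytes:
    """One-way weekly seed evolution: a published seed reveals later weeks only."""
    return hashlib.sha256(la_id + seed).digest()

def pre_linkage_value(seed: bytes, j: int) -> bytes:
    """Assumed PRF (HMAC-SHA256): one pre-linkage value per certificate index j."""
    return hmac.new(seed, j.to_bytes(4, "big"), hashlib.sha256).digest()[:LV_LEN]

def linkage_value(plv1: bytes, plv2: bytes) -> bytes:
    """What the PCA embeds in a certificate: the XOR needs BOTH LAs' outputs."""
    return bytes(a ^ b for a, b in zip(plv1, plv2))

class LinkageAuthority:
    """Holds only its own seed chain, so alone it cannot compute any lv."""
    def __init__(self, la_id: bytes, initial_seed: bytes):
        self.la_id = la_id
        self.seeds = [initial_seed]
        for _ in range(WEEKS - 1):
            self.seeds.append(next_seed(la_id, self.seeds[-1]))
    def plv(self, week: int, j: int) -> bytes:
        return pre_linkage_value(self.seeds[week], j)

def issue_linkage_values(la1, la2):
    """lv[week][j] for one device's whole pool, as carried in its certificates."""
    return [[linkage_value(la1.plv(w, j), la2.plv(w, j))
             for j in range(CERTS_PER_WEEK)] for w in range(WEEKS)]

def revoke_from_week(la1, la2, week):
    """MA publishes both LAs' seeds for `week`: receivers can now derive every
    later lv to match certificates against the CRL, but nothing earlier."""
    s1, s2 = la1.seeds[week], la2.seeds[week]
    derived = []
    for _ in range(week, WEEKS):
        derived.append([linkage_value(pre_linkage_value(s1, j),
                                      pre_linkage_value(s2, j))
                        for j in range(CERTS_PER_WEEK)])
        s1, s2 = next_seed(la1.la_id, s1), next_seed(la2.la_id, s2)
    return derived

def single_la_can_link(la, lvs) -> bool:
    """Separation-of-duties check: can one LA's values alone reproduce any lv?"""
    return any(la.plv(w, j) == lvs[w][j] for w in range(WEEKS) for j in range(CERTS_PER_WEEK))
```

Publishing the seeds for one week is a single CRL entry that covers the device's remaining 20 certificates per week for the rest of the pool, while certificates from earlier weeks stay unlinkable.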
SCMS Design (diagram): same components as the SCMS Architecture slide above: SCMS Manager (Policy, Technical); Root CA; Intermediate CA; Certification Lab; Misbehavior Authority with Internal Blacklist Manager, Global Detection and CRL Generator; Enrollment CA; Pseudonym CA; CRL Store; CRL Broadcast; Linkage Authority 1; Linkage Authority 2; Registration Authority; Device Config. Manager; Location Obscurer Proxy; Devices 1, 2 and 3. Legend: intrinsically central vs. not intrinsically central; regular vs. out-of-band communication.

Certificate Update (use-case diagram over the same components; legend: directly acts in this use case vs. provides information before execution)

Misbehavior Reporting (use-case diagram over the same components; legend: directly acts in this use case vs. provides information before execution)

Revocation (use-case diagram over the same components; legend: directly acts in this use case vs. provides information before execution)
New SCMS Features
• Certificate Top-Up
  • A device can top up certificates at any time
  • Certificates are pre-generated at the RA (e.g. on a week-by-week basis)
• Group Revocation
  • Very efficient method of revoking multiple devices if needed
  • Optional feature

New SCMS Features
• Preliminary assessment of V2I applicability
• Certificate types
  • OBE Enrollment certificate (V2V): enrollment certificate provided to the OBE during bootstrap, which the OBE then uses to request application certificates
  • OBE Pseudonym certificate (V2V): pseudonym certificates for BSM authentication
  • OBE Authorization certificate (V2I): e.g. for signal priority applications
  • RSE Enrollment certificate (V2I): enrollment certificate provided to the RSE during bootstrap, which the RSE then uses to request application certificates
  • RSE Encryption and Authentication certificate (V2I): authenticated broadcast messages and confidential communication between OBE and RSE

Future Plans regarding SCMS Implementation
• Project ongoing to implement an SCMS that supports anticipated year-one certificate requests
• All components except the Misbehavior Authority will be implemented in this phase
• The Misbehavior Authority will be implemented in a subsequent phase
• Focus on interface and load testing
Thank you