PowerPoint presentation, October 2015

SLIDE 1

V2X Security Credential Management System (SCMS) Proof-of-Concept Implementation funded by US DOT/NHTSA

Benedikt Brecht, CAMP Principal Investigator, VWGoA

SLIDE 2

CAMP Partners

Project funded by Supported by

SLIDE 3

What is V2X?

Photo Source: U.S. DOT

SLIDE 4

Remote vehicles send position and speed

Do Not Pass Warning

Photo Source: Continental

SLIDE 5

Remote vehicles send position and speed

Left Turn Assist

Photo Source: Cadillac

SLIDE 6

Traffic Light Assistant

Traffic light sends current state and time to next state

Dept: VWGoA Safety Affairs

Photo Source: Audi/jalopnik.com

SLIDE 7

V2X Public Perception, Market and Mandate Activities

GM announced V2V for the 2017 Cadillac CTS: “We’re doing it because it’s what customers around the world want. Through technology and innovation, we will make driving safer.”

USDOT Secretary Anthony Foxx: “The Department wants to speed the nation toward an era when vehicle safety isn’t just about surviving crashes. It’s about avoiding them.”

MIT Technology Review announced V2X communication as one of the 10 breakthrough technologies of 2015: http://www.technologyreview.com/featuredstory/534981/car-to-car-communication

SLIDE 8

Establish Trust

Photo Source: Shutterstock

SLIDE 9

Ensure Privacy

Photo Source: Independent.co.uk

SLIDE 10

Photo Source: moviepilot.com

Avoid Intrusion

SLIDE 11

Initialization

Device receives keys and information to establish trusted connections to SCMS components

Photo Source: Wikimedia Commons

SLIDE 12

Enrollment

Device receives long-term certificate to use in interaction with SCMS components

Photo Source: depositphotos.com

SLIDE 13

Pseudonym Certificates

Short-term certificates to use in interactions with other devices

Photo Source: REUTERS/Ricardo Moraes

SLIDE 14

Misbehavior Detection

Device detects misbehavior and might report it to the Misbehavior Authority (MA), or the MA detects misbehavior on a global level

Photo Source: Liudmila P. Sundikova

SLIDE 15

Penalty / device revocation

Device should no longer be trusted - MA revokes certificates and informs devices and SCMS components

Photo Source: Andy Devlin/NHLI via Getty Images

SLIDE 16

SCMS Architecture

(Architecture diagram; components shown: Root CA, Intermediate CA, Enrollment CA, Pseudonym CA, Registration Authority, Linkage Authority 1, Linkage Authority 2, Location Obscurer Proxy, Misbehaviour Authority with Internal Blacklist Manager, Global Detection and CRL Generator, CRL Store, CRL Broadcast, Policy SCMS Manager, Technical SCMS Manager, Certification Lab, Device Config. Manager, Device 1, Device 2, Device 3.)

Legend: Regular communication; Out-of-band communication; Not Intrinsically Central; Intrinsically Central

SLIDE 17

A Security Credential Management System (SCMS) for Vehicle-to-Vehicle Communications

William Whyte (CAMP VSC5)

SLIDE 18

Motivation

  • V2V system can alert the driver (thus help prevent crashes) by issuing different safety warnings, e.g.:
    • Forward Collision Warning (FCW)
    • Intersection Movement Assist (IMA)
    • Electronic Emergency Brake Light (EEBL)
  • Messages include information on current position, velocity, etc.
  • Messages received over the air: integrity and authentication required
  • CAMP VSC5 Choice:
    • Unencrypted messages with signature based on asymmetric cryptography (ECDSA-256)
    • Certificates (incl. public key) issued by a Public-Key-Infrastructure (PKI)
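
As an added illustration of the CAMP VSC5 choice on this slide (unencrypted message, ECDSA-256 signature, certificate issued by a PKI), the following Go program, written for this page and not taken from the CAMP project or the SCMS proof-of-concept, signs a plaintext payload with a P-256 key and has the receiver verify first the certificate against a trusted CA key and only then the message signature. The `MiniCert` type, the `RunScenario` driver and the sample payload are constructed for the example; a real pseudonym certificate carries far more (validity period, permissions, identifiers) than this toy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// MiniCert is a deliberately minimal stand-in for a pseudonym certificate: the holder's
// P-256 public key plus the issuing CA's ECDSA signature over it (constructed for this example).
type MiniCert struct {
	PubX, PubY *big.Int
	CASig      []byte
}

// encodePoint serialises a P-256 point as 64 fixed-width bytes (x || y).
func encodePoint(x, y *big.Int) []byte {
	out := make([]byte, 64)
	x.FillBytes(out[:32])
	y.FillBytes(out[32:])
	return out
}

// IssueCert is the CA side: sign the SHA-256 digest of the device's public key.
func IssueCert(ca *ecdsa.PrivateKey, devPub *ecdsa.PublicKey) (MiniCert, error) {
	digest := sha256.Sum256(encodePoint(devPub.X, devPub.Y))
	sig, err := ecdsa.SignASN1(rand.Reader, ca, digest[:])
	if err != nil {
		return MiniCert{}, err
	}
	return MiniCert{PubX: devPub.X, PubY: devPub.Y, CASig: sig}, nil
}

// SignedBSM is what goes over the air: plaintext payload, signature and the sender's certificate.
type SignedBSM struct {
	Payload []byte
	Sig     []byte
	Cert    MiniCert
}

// SignBSM is the sender side: sign the SHA-256 digest of the payload with the device key.
func SignBSM(dev *ecdsa.PrivateKey, cert MiniCert, payload []byte) (SignedBSM, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, dev, digest[:])
	if err != nil {
		return SignedBSM{}, err
	}
	return SignedBSM{Payload: payload, Sig: sig, Cert: cert}, nil
}

// VerifyBSM is the receiver side: check the certificate against the trusted CA key first,
// then the message signature against the public key carried in the certificate.
func VerifyBSM(caPub *ecdsa.PublicKey, s SignedBSM) error {
	certDigest := sha256.Sum256(encodePoint(s.Cert.PubX, s.Cert.PubY))
	if !ecdsa.VerifyASN1(caPub, certDigest[:], s.Cert.CASig) {
		return errors.New("certificate was not issued by a trusted CA")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: s.Cert.PubX, Y: s.Cert.PubY}
	msgDigest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(pub, msgDigest[:], s.Sig) {
		return errors.New("message signature does not verify")
	}
	return nil
}

// RunScenario exercises the three cases a receiver must tell apart: a genuine message,
// a tampered payload, and a message whose certificate comes from an untrusted CA.
func RunScenario() (genuineOK, tamperedRejected, untrustedRejected bool, err error) {
	ca, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	dev, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	cert, err := IssueCert(ca, &dev.PublicKey)
	if err != nil {
		return
	}
	payload := []byte("lat=38.9000 lon=-77.0300 speed=20.0 t=1000") // constructed sample payload
	signed, err := SignBSM(dev, cert, payload)
	if err != nil {
		return
	}
	genuineOK = VerifyBSM(&ca.PublicKey, signed) == nil

	tampered := signed
	tampered.Payload = append([]byte(nil), signed.Payload...)
	tampered.Payload[len(tampered.Payload)-1] ^= 0x01 // flip one bit of the payload
	tamperedRejected = VerifyBSM(&ca.PublicKey, tampered) != nil

	rogueCA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rogueCert, err := IssueCert(rogueCA, &dev.PublicKey) // certificate from a CA the receiver does not trust
	if err != nil {
		return
	}
	rogue, err := SignBSM(dev, rogueCert, payload)
	if err != nil {
		return
	}
	untrustedRejected = VerifyBSM(&ca.PublicKey, rogue) != nil
	return
}

func main() {
	g, t, u, err := RunScenario()
	fmt.Println("genuine accepted:", g, "tampered rejected:", t, "untrusted CA rejected:", u, "err:", err)
}
```

Note the ordering in `VerifyBSM`: the certificate is checked before the message signature, so a correctly formed signature from a key the PKI never certified is rejected just like a tampered payload, and the receiver never spends a signature verification on a message whose sender it cannot trust.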

SLIDE 19

Contradicting requirements

  • Privacy (OEM privacy goals)
    • Prevent SCMS from collecting Personally Identifiable Information (PII)
    • Prevent trip tracking by outsiders: frequent change in pseudonym certificates
    • Prevent trip tracking by SCMS insiders: separation of duties and information such that trip tracking is only possible by a collusion of several SCMS components
  • Trustworthy messages
    • Incoming messages must be verifiable
    • Misbehaving units need to be removed

SLIDE 20

Privacy by Design: OEM Perspective

  • Privacy from attacks by an SCMS insider
    • Introduce extra SCMS components, e.g. 2nd LA, LOP, etc.
    • Don’t link certificates to VIN
    • Separate operation of SCMS components: two or more components should not be run by the same organization without “proper” separation if the combined information held by the components would allow the organization to track* a vehicle

*predict next pseudonym certificate based on current one or find out whether two certificates belong to the same device

SLIDE 21

Basic Overview

Enrollment: to Enrollment Certificate Authority: prove eligibility, receive ONE enrollment certificate

Certificate Provisioning: to Registration Authority: show enrollment cert, receive SET of pseudonym certificates

Participate in V2V

Current assumptions on pseudonym certificates:

  • 3120 pseudonym certificates
  • 20 valid per week
  • Frequent change of pseudonym certificate (e.g. every 5 minutes)

SLIDE 22

SCMS Design

(Diagram of the SCMS design; components shown: Root CA, Intermediate CA, Enrollment CA, Pseudonym CA, Registration Authority, Linkage Authority 1, Linkage Authority 2, Location Obscurer Proxy, Misbehavior Authority with Internal Blacklist Manager, Global Detection and CRL Generator, CRL Store, CRL Broadcast, Policy SCMS Manager, Technical SCMS Manager, Certification Lab, Device Config. Manager, Device 1, Device 2, Device 3.)

Legend: Regular communication; Out-of-band communication; Not Intrinsically Central; Intrinsically Central

SLIDE 23

Certificate Update

(Diagram: the same SCMS component layout as the SCMS Design slide, marking which components provide information before execution and which directly act in the Certificate Update use case.)

Legend: Provides information before execution; Directly acts in this use case

SLIDE 24

Misbehavior Reporting

(Diagram: the same SCMS component layout as the SCMS Design slide, marking which components provide information before execution and which directly act in the Misbehavior Reporting use case.)

Legend: Provides information before execution; Directly acts in this use case
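
The Misbehavior Reporting use case depends on a device being able to judge incoming messages locally before anything reaches the Misbehavior Authority. The following Go program is an added example, not CAMP or SCMS code: a receiver-side plausibility check that keeps the last accepted observation per sender (identified by its current pseudonym certificate) and flags a message whose reported speed exceeds a physical limit, whose timestamp does not increase, or whose position jump would imply an impossible speed. The thresholds, the `SampleTrace` observations and the reason strings are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Observation is the subset of a received BSM that a plausibility check needs.
// SenderID stands in for the sender's current pseudonym certificate (constructed).
type Observation struct {
	SenderID string
	TimeMS   uint64
	Lat, Lon float64 // degrees
	SpeedMPS float64
}

// Constructed thresholds: a road vehicle will not exceed ~70 m/s (252 km/h), and the
// position-derived speed is allowed a small slack over that limit for GNSS noise.
const (
	MaxSpeedMPS   = 70.0
	SpeedSlackMPS = 5.0
)

// Reasons are fixed strings so a reporter can aggregate findings per category.
const (
	ReasonSpeedLimit = "reported speed exceeds physical limit"
	ReasonTimestamp  = "timestamp not increasing for sender"
	ReasonTeleport   = "position jump implies impossible speed"
)

// haversineM returns the great-circle distance in metres between two coordinates.
func haversineM(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371000.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// Detector keeps the last accepted observation per sender and checks each new one against it.
type Detector struct {
	last map[string]Observation
}

func NewDetector() *Detector { return &Detector{last: map[string]Observation{}} }

// Check returns "" if obs is plausible (and records it as the new baseline for that sender),
// or a reason string if it is not (in which case the baseline is left untouched).
func (d *Detector) Check(obs Observation) string {
	if obs.SpeedMPS > MaxSpeedMPS {
		return ReasonSpeedLimit
	}
	if prev, ok := d.last[obs.SenderID]; ok {
		if obs.TimeMS <= prev.TimeMS {
			return ReasonTimestamp
		}
		dt := float64(obs.TimeMS-prev.TimeMS) / 1000
		implied := haversineM(prev.Lat, prev.Lon, obs.Lat, obs.Lon) / dt
		if implied > MaxSpeedMPS+SpeedSlackMPS {
			return ReasonTeleport
		}
	}
	d.last[obs.SenderID] = obs
	return ""
}

// Finding is a candidate misbehavior report: which observation, from whom, and why.
type Finding struct {
	Index    int
	SenderID string
	Reason   string
}

// SampleTrace is a constructed sequence: sender A drives normally, then "teleports" ~5 km in
// one second; sender B reports a speed no road vehicle reaches.
var SampleTrace = []Observation{
	{"cert-A", 1000, 38.90000, -77.03000, 20},
	{"cert-A", 2000, 38.90018, -77.03000, 20}, // ~20 m north in 1 s: plausible
	{"cert-A", 3000, 38.94500, -77.03000, 20}, // ~5 km north in 1 s: not plausible
	{"cert-B", 1000, 38.91000, -77.04000, 120},
}

// RunSample feeds the trace through a detector and returns what would be reported.
func RunSample() []Finding {
	d := NewDetector()
	var findings []Finding
	for i, obs := range SampleTrace {
		if reason := d.Check(obs); reason != "" {
			findings = append(findings, Finding{i, obs.SenderID, reason})
		}
	}
	return findings
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("observation %d from %s: %s\n", f.Index, f.SenderID, f.Reason)
	}
}
```

Each `Finding` is the kind of local evidence a device would attach to a report to the Misbehavior Authority. The detector deliberately compares against the last accepted observation rather than the last received one, so a single implausible message does not become the baseline against which the sender's next genuine message is judged.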

SLIDE 25

Revocation

(Diagram: the same SCMS component layout as the SCMS Design slide, marking which components provide information before execution and which directly act in the Revocation use case.)

Legend: Provides information before execution; Directly acts in this use case
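
The separation-of-duties argument from the Privacy by Design slide (trip tracking only possible by a collusion of several SCMS components) and the Revocation use case above can be demonstrated together with a linkage-value model. The following Go program is an added, simplified model written for this page, not the CAMP design's actual algorithm: each of two Linkage Authorities holds one per-device seed, advances it week by week with a one-way hash, and derives a contribution per certificate; the Pseudonym CA embeds the XOR of the two contributions. One LA alone cannot attribute a certificate's linkage value to a device, both together can, and a revocation entry holding both seeds from a given week lets any receiver recognise every later certificate of that device while learning nothing about earlier weeks. The 8-byte value size, the hash-chain construction, the deterministic enrollment seeds and the `Attribute` helper are assumptions for the example; the 20 certificates per week mirror the deck's own assumption.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// CertsPerWeek mirrors the deck's assumption of 20 pseudonym certificates valid per week.
const CertsPerWeek = 20

// LinkageValue is the value the PCA embeds in each pseudonym certificate (8 bytes is a
// constructed size for this model).
type LinkageValue [8]byte

// nextSeed advances a linkage seed by one week. The chain is one-way: the week-i seed
// yields weeks i, i+1, ... but reveals nothing about earlier weeks.
func nextSeed(seed []byte) []byte {
	h := sha256.Sum256(append([]byte("seed|"), seed...))
	return h[:16]
}

// prelinkage derives one LA's contribution for certificate j of the week a seed belongs to.
func prelinkage(seed []byte, j int) LinkageValue {
	h := sha256.Sum256(append(append([]byte("plv|"), seed...), byte(j)))
	var v LinkageValue
	copy(v[:], h[:8])
	return v
}

func xor(a, b LinkageValue) (out LinkageValue) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return
}

// LinkageAuthority holds one week-0 seed per enrolled device and nothing else.
type LinkageAuthority struct {
	name  string
	seeds map[string][]byte
}

// Enroll stores a deterministic (constructed) week-0 seed; a real LA would draw it at random.
func (la *LinkageAuthority) Enroll(dev string) {
	if la.seeds == nil {
		la.seeds = map[string][]byte{}
	}
	h := sha256.Sum256([]byte(la.name + "|" + dev))
	la.seeds[dev] = h[:16]
}

// SeedAt walks the chain forward from week 0 to the requested week.
func (la *LinkageAuthority) SeedAt(dev string, week int) []byte {
	s := la.seeds[dev]
	for w := 0; w < week; w++ {
		s = nextSeed(s)
	}
	return s
}

// CertLinkageValue is what the PCA puts into certificate j of a week: the XOR of both LAs'
// contributions, so neither LA recognises it from its own values alone.
func CertLinkageValue(la1, la2 *LinkageAuthority, dev string, week, j int) LinkageValue {
	return xor(prelinkage(la1.SeedAt(dev, week), j), prelinkage(la2.SeedAt(dev, week), j))
}

// Attribute is an insider's attempt: compare lv against the value contrib yields for every
// device enrolled at la and every certificate index, returning the matching device or "".
func Attribute(la *LinkageAuthority, lv LinkageValue, contrib func(dev string, j int) LinkageValue) string {
	for dev := range la.seeds {
		for j := 0; j < CertsPerWeek; j++ {
			if contrib(dev, j) == lv {
				return dev
			}
		}
	}
	return ""
}

// RevocationEntry is the CRL payload for one revoked device: both LAs' seeds from the
// revocation week. One small entry covers every certificate from that week onward.
type RevocationEntry struct {
	Week         int
	Seed1, Seed2 []byte
}

// Revoke is the Misbehavior Authority obtaining each LA's seed for the device.
func Revoke(la1, la2 *LinkageAuthority, dev string, week int) RevocationEntry {
	return RevocationEntry{Week: week, Seed1: la1.SeedAt(dev, week), Seed2: la2.SeedAt(dev, week)}
}

// IsRevoked is the receiver side: regenerate the linkage value the revoked device would carry
// in certificate j of this week and compare. Weeks before the entry stay unlinkable.
func IsRevoked(e RevocationEntry, lv LinkageValue, week, j int) bool {
	if week < e.Week {
		return false
	}
	s1, s2 := e.Seed1, e.Seed2
	for w := e.Week; w < week; w++ {
		s1, s2 = nextSeed(s1), nextSeed(s2)
	}
	return xor(prelinkage(s1, j), prelinkage(s2, j)) == lv
}

func main() {
	la1, la2 := &LinkageAuthority{name: "LA1"}, &LinkageAuthority{name: "LA2"}
	la1.Enroll("dev-A")
	la2.Enroll("dev-A")
	lv := CertLinkageValue(la1, la2, "dev-A", 5, 3)
	alone := Attribute(la1, lv, func(d string, j int) LinkageValue { return prelinkage(la1.SeedAt(d, 5), j) })
	both := Attribute(la1, lv, func(d string, j int) LinkageValue { return CertLinkageValue(la1, la2, d, 5, j) })
	fmt.Printf("LA1 alone attributes the cert to %q; both LAs attribute it to %q\n", alone, both)
	e := Revoke(la1, la2, "dev-A", 5)
	fmt.Println("week-7 cert of dev-A recognised as revoked:", IsRevoked(e, CertLinkageValue(la1, la2, "dev-A", 7, 12), 7, 12))
}
```

The CRL entry grows with the number of revoked devices, not with the number of certificates each of them holds, which is what makes revoking a device that holds thousands of pseudonym certificates cheap for every receiver; and because the seed chain is one-way, publishing the week-5 seeds does not let anyone reconstruct the device's trips from earlier weeks.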

SLIDE 26

New SCMS Features

  • Certificate Top-Up
    • Device can top up certificates at any time
    • Certificates are pre-generated at the RA (e.g. on a week-by-week basis)
  • Group Revocation
    • Very efficient method of revoking multiple devices if needed
    • Optional feature

SLIDE 27

New SCMS Features

  • Preliminary assessment of V2I applicability
  • Certificate types
    • OBE Enrollment certificate (V2V): enrollment certificate provided to OBE during bootstrap that OBE then uses to request application certificates
    • OBE Pseudonym certificate (V2V): pseudonym certificates for BSM authentication
    • OBE Authorization certificate (V2I): e.g. for signal priority applications
    • RSE Enrollment certificate (V2I): enrollment certificate provided to RSE during bootstrap that RSE then uses to request application certificates
    • RSE Encryption and Authentication certificate (V2I): authenticated broadcast messages, confidential communication between OBE and RSE

SLIDE 28

Future Plans regarding SCMS Implementation

  • Project ongoing to implement an SCMS that supports anticipated year-one certificate requests
  • All components except for Misbehavior Authority will be implemented in this phase
  • Misbehavior Authority will be implemented in a subsequent phase
  • Focus on Interface and Load Testing

SLIDE 29

Thank you