Car2Car Communication Consortium C2C-CC

Transcription

1 Car2Car Communication Consortium C2C-CC Secure Vehicular Communication: Results and Challenges Ahead February 20th/21st 2008, Lausanne Benjamin Weyl BMW Group Research and Technology Chair C2C-CC Security & Middleware Working Group

2 Benjamin Weyl BMW Group Research and Technology Page 2 Networking and communication. New applications in driver assistance. A well connected driver is a well informed driver is a safer driver.

3 Agenda C2C-CC Overview Security Discussion Areas and Technical Scope C2C-CC Baseline Concepts & Solution Space Summary, Conclusion and Challenges Ahead C2C-CC Security WG 3

4 Who is behind C2C-CC? C2C-CC Security WG 4

5 C2C-CC Goals The C2C-CC is a non-profit industry forum driven by the Automobile manufacturers (OEMs). Among its main purposes are: to work together for more safety on the road jointly driving development, harmonization and adoptoin of technologies for Car2Car systems is to establish an open European industry standard for a Car2Car communication system, coordinating the approach towards and drive standardizing and regulating those technologies, is to promote the allocation of royalty-free European-wide frequency band for Car2Car applications is to enable the development of an open system supporting active safety applications as well as a broad range of information services is to take into consideration worldwide related activities is to develop realistic deployment strategies and business models to speed-up the market penetration C2C-CC Security WG 5

6 C2C-CC Applications The C2C-CC is looking at a broad range of applications: Critical safety applications requiring a dedicated frequency band, such as intersection assistance, traffic merging, forward collision warning/avoidance Safety, and other public applications, such as traffic flow improvement Commercial applications, such as infotainment or generic internet connectivity Proprietary applications, such as telemetry and telediagnostics Priorities and interests: Key motivation is to standardize safety applications Agree and standardize essential non-safety applications Ensure co-existence with all other applications Accommodate commercial and public applications, allowing for multiple business models potentially pursued by OEMs and other stakeholders C2C-CC Security WG 6

7 C2C-CC: Frequency Allocation Status C2C-CC Security WG 7

8 C2C-CC: Protocol Architecture Active Safety Application Traffic Efficiency Application Infotainment Application Car2Car Transport TCP / UDP / Other Car2Car Network IPv6 Option Mobile IPv6 NEMO MAC / LLC Car2Car MAC Layer Extension European IEEE p PHY European IEEE p Car2Car Network MAC / LLC IEEE a,b,g PHY IEEE a,b,g Other Radio (e.g UMTS) C2C-CC Security WG 8

9 C2C-CC reference model I3 I7 C2C Service Infrast. Vehicle I2 Road-Side Unit I8 C2C IPv6 Backbone I9 I10 C2C OSS I12 I1 I5 I11 Vehicle I6 I4 Telco IPv6 Backbone, incl. heterog. access network Telco SPP Other Service Infrast C2C-CC Security WG 9

10 C2C-CC Cooperation Japan USA VSC VII AHSRA AVS3 ASV3 ISO IEEE CEN ETSI European Projects CarTALK2000 GST Prevent EASIS DAIDALOS Safespot? CIVIS CVIS? COMeSafety SeVeCom? Legislation Member States Standardization Frequency Regulation CEPT ITU AIDA NOW Invent FleetNet INFONEBBIA National Projects Suppl. Veh. Manf. Telco Road Insurance Stakeholders C2C-CC Security WG 10

11 Overview of Security discussion areas Trust Privacy Prot. Concepts Limited Confidentiality Liability Privacy Legisl. Identity Managem. Legislation Law Enforcement Acceptance C2C-CC Security Business Models End User Commercial Req. Credibility Partnerships Operational Concepts Regulation IEEE IETF W3C Standards Oasis Open / Liberty All. Infrastructure Telco Platforms Secure Onboard Env. ISO ETSI 3GPP PKI C2C-CC Security WG 11

12 Security Motivation: Simulated Attack Scenario Simulation: 400 honest vehicles variable number of attackers randomly put in scenario Results: 3 attackers have hit already 20% honest vehicles 10 attackers are able to interfere 50% of honest vehicles C2C-CC Security WG 12

13 Technical Scope of Security Attacks on in-vehicular system infrastructure must ensure not to be illegally tampered with: Attacks on internal vehicle infrastructure via physical access Attacks on internal vehicle system via wireless interface prevent that safety critical systems can not be influenced The attacks on external communication: must be prevented or at least detected and contained, so that fake messages are properly identified and eliminated before influencing applications C2C-CC Security WG 13

14 C2C-CC Security Baselines Trustworthy dissemination of data Integrity of messages Authenticity ensuring trustworthiness of the data Access control (node isolation) Confidentiality only where applicable Availability and timely delivery while observing Privacy: Identity concealment e.g. to provide person/location privacy Over all layers: From PHY/MAC to application Multiple identities may need to be managed Vehicle identity in C2C-CC specific environment Vehicle identity in telco environment Vehicle identity in current legal framework C2C-CC Security WG 14

15 Confidentiality Usually not: C2C-CC information shall be openly shared to improve traffic efficiency and road safety Messages need to be authentic, but their contents needn t be encrypted Potential exception: where closed group communication can be more efficiently addressed through temporary peer authentication and subsequent secure session But: this is dependent on business models Infrastructure deployment may ride on business models requiring exclusive access to information Proprietary use cases co-existing with standardized use cases C2C-CC Security WG 15

16 Privacy Relevant for vehicles, not RSU Protect against typical privacy-infringing malicious profiling or accidental eavesdropping Ensure system maintainability and stability: Allow faulty/malicious vehicles to be identified and excluded Provide respective scalable re-keying mechanisms Constraints: Location plausibility verification and inference from recorded message stream is possible so why care about unlinkability of messages? Can this be countered for selected applications in areas and/or situations where recording is likely? C2C-CC Security WG 16

17 C2C-CC Baseline: Addressing & Identities For operational reasons we need Fixed addresses per vehicle IPv6 and/or Unique Vehicle ID Permanent unique certificate per vehicle But we mustn t disclose them in communication over the air. Hence we also need ID-hopping: temporary addresses, in particular MAC & IP Short-lived certificates Considering scalability and efficiency C2C-CC Security WG 17

18 Comparison of Technical Solutions Scalability Signature Length Computation Effort Privacy PKI + Digital Signatures Fixed Pseudonym Pool PKI + Dynamic Pseudonyms PKI + Group Signatures C2C-CC Security WG 18

19 Key, Certificate, and Identity Management C2C Service Infrast. Vehicle Keys Certificates Trustworthy Message Exchange Road-Side Unit Keys Certificates C2C IPv6 Backbone C2C OSS Key Management Trustworthy Message Exchange Keys Certificates SIM Vehicle Telco IPv6 Backbone, incl. heterog. access network Identity Federation Telco SPP Other Service Infrast C2C-CC Security WG 19

20 Summary: Baseline for C2C-CC Security Addressing: One permanent set (private) One temporary set (used in over-the-air communication) Trust and Privacy: Signing C2X-Messages One pseudonym certificate per vehicle, regularly updated Security standards involved TPM, PKI, ECC (desirable) Pseudonym protocols under discussion Technologies/standards to look at for C2I: SIM IPv6, EAP, DIAMETER, PANA (IETF) SAML (OASIS), Liberty Alliance , etc. But Technical concepts must follow commercial/political discussion Regulation and Legislation Business modeling, policies, and operational concepts Ensure user acceptance and credibility C2C-CC Security WG 20

21 Conclusion C2C-CC Security WG activities: Technical and non-technical security discussion areas Analysis of security use cases and requirements Development and harmonization of security measures for secure and privacy preserving Car2X communication C2C-CC Sec WG has specified a Work Item within ETSI TC ITS WG5 Security for privacy preserving trustworthy message exchange Approach for preserving privacy based on: Pseudonym-based signed messaged exchange Integrated with Telco-platforms where applicable Integrated with application-specific infrastructure such as e.g. traffic management systems C2C-CC Security WG 21

22 Challenges Ahead Privacy: Research on pseudonym change rates Integration over all layers Efficient distribution techniques Integration of different identity management concepts Fake messages sent out from a node: Prevention or at least detection and containment of attack Secure node architecture employing soft- and hardware measures Applying plausibility checks Commercial and political discussion: Possible operational models Regulation and legislation C2C-CC Security WG 22

23 Further Information C2C-CC Security WG 23

24 Benjamin Weyl BMW Group Research and Technology Page 24 Thank you for your attention. Benjamin Weyl Chair WG Security & Middleware BMW Group Research and Technology