PKI AND ROAMING IN ITS

Transcription

1 PKI AND ROAMING IN ITS 7th ETSI Security Workshop Sophia Antipolis, France, on 18th 19th January 2012 Prepared by STF423: Scott Cadzow, Benjamin Glas, Siv-Hilde Houmb, Steve Randall, Andre Weimerskirch, William Whyte ETSI All rights reserved

2 Outline Introduction Certification authorities in ITS and establishing trust ITS Public Key Infrastructure solutions Deactivation or revocation of certificate Trust lifecycle Conclusions 2

3 Introduction This presentation focuses mainly on ITS safety applications and messages: Cooperative Awareness Messages (CAM): locally broadcasted and sent on a regular basis (several times a second) by each ITS-S and contain information such as vehicle type, dimension, 3D-position, speed, heading, brake and lighting status Decentralized Environmental Notification Messages (DENM): Event-based and sent to inform about a certain dangerous situation like an accident, broken-down vehicle, or unusual road conditions Security objectives: Integrity/Authenticity of CAM and DENM messages AND trustworthiness senders and privacy of users 3

4 Certifications authorities in ITS -1 Due to the broadcast nature of CAM and DENM, the trust relationship between ITS stations has to be verifiable AND scalable (hundreds of millions of nodes). To meet these requirements, the ITS enrolment and authorization for different services is delegated to Trusted Third Parties (TTP), i.e. two types of Certification Authorities (CAs): Enrolment Authority (EA): Validates that an ITS-S can be trusted. It issues a temporary identifier for the ITS-S and a proof of that identity Authorization Authority (AA): An ITS-S may apply for specific permissions, denoted by means of authorization certificates Within the ITS network, the EA provides an ITS-S with a pseudonym and related enrolment certificate (long term). The AA provides the ITS- S with multiple pseudonyms and the related authorization certificates (short term), to be used with the CAM and DENM messages. 4

5 Certifications authorities in ITS -2 Root CA Enrolment Authority (EA) Authorization Authority (AA) AT n-2 AT n AT n-1

6 ITS security functional elements and reference points Being finalised in TS

7 Message sequence for enrolment request and response 7

8 Message sequence for authorization request and response 8

9 Public Key Infrastructure (PKI) A typical PKI for distributing and certifying public keys may have two different approaches: A strictly hierarchical PKI: Is constructed as a tree with a single distinguished Root, which provides maximum control over all CAs in the hierarchy Cross-certificates: Occurs between autonomous CAs, where an autonomous CA can be either the Root CA in a hierarchical PKI, or a stand-alone CA 9

10 ITS PKI solutions -1 The ITS PKI system may consist of a number of Root CAs, which may cross-certify each other. Each Root CA is responsible for a certain authoritative domain and may also delegate certification to subordinate CAs: E.g. Root CAs could be operated by governments (EU/ national), vehicle manufacturers, or telecommunication providers In order to achieve flexibility, the PKI design for ITS communications should optionally support multiple different CA hierarchies for both EAs and AAs. 10

11 ITS PKI solutions -2 Root EA1 EA2 AA1 AA2 Simple (flat) hierarchy is good!! Of course there are other possible solutions!! 11

12 Deactivation or revocation of an ITS-S certificate Two possibilities: Distribution of a Certificate Revocation List (CRL); or Non-renewal of expired certificates and pseudonyms Timely distribution of CRLs in the ITS communications is challenging for several reasons: The European ITS network may potentially contain hundreds of millions of stations Authorisation certificates and pseudonyms could be issued in large quantities and short lived for privacy reasons!! Connectivity of ITS-S to the EA or AA is considered as very infrequent. This makes distribution of CRL and short lived certificates very difficult Two approaches to this problem: Enrolment certificate: Distribute CRLs to the EA and AA (not to ITS stations)!! Authorisation certificates: short lived and no CRLs distribution 12

13 Roaming issues In the early deployment phase of the ITS network, certificates of all EAs and AAs could be preloaded into every ITS-S. In full deployment phase, new authorities might be introduced for reasons such as: if EA/AAs are operated by vehicle OEMs, one OEM may split or be sold, or new OEMs may start manufacturing if EA/AAs are national, it is possible for countries to split: for example, it is conceivable that Scotland, Catalonia, Flanders, or Basque regions might become independent!! New EAs/AAs be introduced to the system using over the air updates and endorsed by a Root CA. With a single Root CA concept, an ITS-S can apply the same procedures to acquire enrolment and authorisation certificates from new authorities (roaming)!! 13

14 Trust system lifecycle At creation time, the ITS-S is provided in a secure environment with one or more Root certs used to issue EA or AA certificates, at least one EA certificate for it to use to apply for its own certificate, the set of current known trusted AA certificates. EA or AA Authorities could be added to or removed from the system in several ways: By over the air messages authorized by the Root CA At inspection time, the ITS-S may have authority certificates added or removed. Updating Root certificates is still an open issue!! 14

15 Conclusions Trust establishment and maintenance is difficult in a large scale and dynamic ITS system. For revocation of ITS stations: CRLs distributed to EA and AA (not all ITS stations) Short live certificates is a good alternative to CRL distribution New EAs/AAs can be introduced to the system using over the air updates or at inspection time. More research is needed: Reporting and deactivating bad ITS stations Updating Root certificates 15

16 Contact Details: STF 423 Scott Cadzow, Haitham Cruickshank, Benjamin Glas, Siv-Hilde Houmb, Steve Randall, André Weimerskirch, William Whyte H. Thank you! 16 ETSI All rights reserved