ADVANCES IN ITS SECURITY STANDARDSPublic Workshop C2C-‐CC, ETSI and HTG#6, Stockholm, 17th June 2015
© ETSI 2014. All rights reserved
Brigitte LONC, ETSI TC ITS WG 5 Chairman ITS(15)000XXX
Overview
Introduction: • ITS standardization activities in ETSICooperative ITS Security frameworkETSI ITS Trust model (PKI)Single message services (TS 103 097)Security association• adapt & reuse e.g. TLS extension for ITSPlugtest validation of security stdNext Steps & extensions
© ETSI 2014. All rights reserved2
ITS security standards in Europe
ETSI TC ITS is organized in 5 working groups: • applications requirements,• architecture cross layer,• transport networks,• media & data link layer• Security: secure and privacy preserving Vehicular Communications
ETSI TCITS WG2
Management
© ETSI 2014. All rights reserved
3
C-‐ITS Security Framework
© ETSI 2014. All rights reserved
TR 102 893Risk analysis TVRA
TS 102 731 Security services
TS 103 097Security headers,
Certificates
TS 102 940ITS security
architecture & sec management
TS 102 941Trust & Privacy
TS 102 943Confidentiality
TS 102 942Access control
New version published(v1.2.1)
Under revision, extensions:• scalability & extensibility (PKI entities)• maintainability, crypto-agility
4
ETSI ITS architectureSecurity architecture
Security processing services• Sign & verify Message,
Encrypt & Decrypt data, manage security association (SA)
Security management• Enrolment, Authorization,
Identity management, report misbehaviour
HSM requirements• Secure key storage• Heavy computational
operations (crypto)• Trusted running environment
Facilities
Station-externalinterfaces
MI
IN
Management Information Base (MIB)
Station-internalinterfaces
ITS Local Network
IN
MN
Networking & Transport
Access
...IPv6 +Mobility extensions
NF
Geo-Routing
MI
MN
MF
Management
Application support
NF
MF
Other protocols
e.g.GPS
e.g.2G/3G/...
e.g.BlueTooth
e.g.Ethernet
e.g.IR, MM, M5
Security
SISI
SNSN
SFSF
Security Management Information Base (S-MIB)
(Identity, crypto-key and certificate managment)
Session / communication support
MS
ITS Transport TCP/UDP
Information support
ApplicationsTrafficefficiency
Roadsafety
Otherapplications
FA
SA
SAMA
MA FA
MS
Hardware Security Module (HSM)
Authentication, authorization, profile management
Firewall and Intrusion management
Regulatory
management
Cross-layer
management
Application
management
Station
management
ITS StationSecurity Services
Hardware Security
Module (HSM)
SF SAP
SN SAP
SI SAP
MS SAP
© ETSI 2014. All rights reserved
5
Security & privacy services(ETSI TS 102 94x)
© ETSI 2014. All rights reserved
Service category Security service Security Service Name
Single Message Signature Service
Authorize Single MessageValidate Authorization on Single Message
SIGN
VERIFY
Data Encryption Service
Encrypt Single MessageDecrypt Single Message
ENCRYPT
DECRYPT
Replay Protection services
Replay Protection Based on Timestamp
used by SIGN,
VERIFY
Plausibility service Validate Data Plausibilityused by SIGN,
VERIFY
Security Associationsmanagement
Establish Security AssociationUpdate security associationSend Secured MessageReceive Secured MessageRemove Security association
ref to IETF standards:
e.g. Draft RFC TLS extension for ITS
Privacy concerns are introduced:• by message content and by the message signature• cryptographic certificate allows trackingPrivacy protection by changing frequently the pseudonymous certificates (ID change)
6
ETSI ITS Trust model (PKI)
© ETSI 2014. All rights reserved
7
BC ATn
ATn-1
ATn-2
EnrolmentAuthority (EA)
Authorization Authority (AA)
ECBC
Canonical ID& public key
Enrolment ID
ECATATATAT
Enrolment ID
PseudonymousAuthorizationCertificates
Root CA
AT
Secured message
Bootstrap Certificate(self signed)
ITS-S(vehicle, road-side,
personal)
ITS Certifications authorities
Due to the broadcast nature of CAM and DENM, the trust relationship between ITS stations has to be:• scalable (hundreds of millions of nodes)• instantaneously verifiable.To meet these requirements, the ITS-‐S enrolment and authorization for different services is delegated to Trusted Third Parties (TTP), i.e. two types of Certification Authorities (CAs):• Enrolment Authority (EA): Validates that an ITS-‐S can be trusted. It issues an
enrolment identifier for the ITS-‐S and a proof of identity (Enrolment certificate)
• Authorization Authority (AA): An ITS-‐S may apply for specific permissions. These privileges are denoted by means of authorization certificates
Within the ITS network, the EA provides an ITS-‐S with an enrolment ID and related enrolment certificate (long term). The AA provides the ITS-‐S with multiple pseudonyms and the related authorization certificates (short term), to be used in V2X communication.
8 © ETSI 2014. All rights reserved
Deactivation or revocation of an ITS-‐S certificate
Two possibilities:• Distribution of a Certificate Revocation List (CRL); or• Non-‐renewal of expired certificates and pseudonymsTimely distribution of CRLs in large system is challenging :• The European ITS network may potentially contain hundreds of millions
of stations • Authorisation certificates and pseudonyms could be issued in large
quantities and short lived for privacy reasons • Connectivity of ITS-‐S to the EA or AA is considered infrequent. Large CRLs
would overload the ITS network
Preferred solution for revocation:• CRLs for revoked Enrolment certificates should be distributed to EA and
AA (not all ITS stations)• Authorisation certificates with short life-‐time is an alternative to CRLs
9 © ETSI 2014. All rights reserved
ETSI 103 097 single message authentication & confidentiality services
3 Security profiles: CAM, DENM, genericcertificates formats for ITS stations & CAsSigned Message with Pseudonym Certificate
• Signed Message with certificate digest
10
Header Fields Payload Trailer FieldsSignatureCertificate
Header Fields Payload Trailer Fields
SignatureCertificateDigest
© ETSI 2014. All rights reserved
AT
Security Association management
Reuse or adapt existing standardse.g. draft RFC TLS extension for ITS certificate• A new version is provided to IETF TLS group• Submitted for next meeting (Prague 19-‐24/07/2015) • Objective: extend TLS protocol such that clients and servers can be authenticated using C-‐ITS certificates(ETSI TS 103 097, IEEE 1609.2)• Use case: secured communication between an ITS-‐S station and an ITS-‐S Center on the Internet• Next: planned implementation in ISE project(SystemX)
© ETSI 2014. All rights reserved11
Security Association management: RFC TLS extension for ITS overview
© ETSI 2014. All rights reserved
TLS handshake protocol
For the extension ‘cert_type, new values have to be allocated by IANA12
Plugtest validation of security standard
4th ITS CMS ETSI Plugtest, 17 – 27 March 2015Security standard testing (TS 103 097)Conformance and Interoperability testing• Extended number of tests based on ETSI TS 103 096-‐1, -‐2, -‐3• 64 test cases for conformance • More than 20 vendors, 8 different security implementations
Development of test will continue, new test sessions planned in next Plugtest in 2016
© ETSI 2014. All rights reserved13
Next Steps & extensions
Security maintainability • Due to lifetime of ITS stations (vehicles, RSUs), security erosion will happen• Crypto-‐agility is recommended• Key size, curve parameters, signature algorithm
• But issues for existing systems:• updatability in the field, limited HW (HSM, crypto accelerator), lower implementation performances
© ETSI 2014. All rights reserved14
Roaming issues• It would be easier with a single Root CA (Euro Root CA) • but road authorities in EU countries may wish to operate their Root CA• Multiple PKIs, multiple Root CAs must cooperate• Standards extensions needed to support trust relationship between PKIs• New RCAs/EAs/AAs introduced using ‘over the air updates’ when endorsed by the (home) Root CA• Protocol to obtain enrolment and authorisationcertificates© ETSI 2014. All rights reserved15