Car2Car Communication Consortium C2C-CC Secure Vehicular Communication: Results and Challenges Ahead February 20th/21st 2008, Lausanne Benjamin Weyl BMW Group Research and Technology Chair C2C-CC Security & Middleware Working Group


Car2Car Communication Consortium C2C-CC

Secure Vehicular Communication: Results and Challenges Ahead

February 20th/21st 2008, Lausanne

Benjamin Weyl, BMW Group Research and Technology

Chair C2C-CC Security & Middleware Working Group


Networking and communication. New applications in driver assistance.

“A well connected driver is a well informed driver is a safer driver.”

20080220 C2C-CC Security WG 3

Agenda

C2C-CC Overview

Security Discussion Areas and Technical Scope

C2C-CC Baseline Concepts & Solution Space

Summary, Conclusion and Challenges Ahead


Who is behind C2C-CC?


C2C-CC Goals

The C2C-CC is a non-profit industry forum driven by the automobile manufacturers (OEMs). Among its main purposes are:

- to work together for more safety on the road, jointly driving development, harmonization and adoption of technologies for Car2Car systems
- to establish an open European industry standard for a Car2Car communication system, coordinating the approach towards, and driving, the standardization and regulation of those technologies
- to promote the allocation of a royalty-free European-wide frequency band for Car2Car applications
- to enable the development of an open system supporting active safety applications as well as a broad range of information services
- to take into consideration worldwide related activities
- to develop realistic deployment strategies and business models to speed up the market penetration


C2C-CC Applications

The C2C-CC is looking at a broad range of applications:

- Critical safety applications requiring a dedicated frequency band, such as intersection assistance, traffic merging, forward collision warning/avoidance
- Safety, and other public applications, such as traffic flow improvement
- Commercial applications, such as infotainment or generic internet connectivity
- Proprietary applications, such as telemetry and telediagnostics

Priorities and interests:

- Key motivation is to standardize safety applications
- Agree and standardize essential non-safety applications
- Ensure co-existence with all other applications
- Accommodate commercial and public applications, allowing for multiple business models potentially pursued by OEMs and other stakeholders.


C2C-CC: Frequency Allocation Status


C2C-CC: Protocol Architecture

[Figure: protocol stack, listed from top to bottom]

- Applications: Active Safety Application, Traffic Efficiency Application, Infotainment Application
- Car2Car Transport; TCP / UDP / Other
- Car2Car Network; IPv6 (option: Mobile IPv6 NEMO)
- MAC / LLC: Car2Car MAC Layer Extension, European IEEE 802.11p; IEEE 802.11 a,b,g; Other Radio (e.g. UMTS)
- PHY: European IEEE 802.11p; IEEE 802.11 a,b,g


C2C-CC reference model

[Figure: reference model. Elements shown: Vehicle, Vehicle, Road-Side Unit, C2C IPv6 Backbone, C2C OSS, Telco SPP, Telco IPv6 Backbone (incl. heterogeneous access network), C2C Service Infrastructure, Other Service Infrastructure; interfaces labelled I1 to I12.]


C2C-CC Cooperation

[Figure: cooperation landscape around the C2C-CC.]

Category labels in the figure: Frequency Regulation, Standardization, European Projects, National Projects, USA, Japan, Stakeholders, Member, Legislation.

Organizations and projects named in the figure: ITU, CEPT, ETSI, ISO, CEN, IEEE, VII, VSC, ASV3, AHSRA, CarTALK2000, GST, Prevent, Safespot, CVIS, SeVeCom, DAIDALOS, COMeSafety, EASIS, NOW, Invent, INFONEBBIA, AIDA, FleetNet, States, Telco, Road, Insurance, Veh. Manf., Suppl.


C2C-CC Security

Overview of Security discussion areas

[Figure: security discussion areas. Labels in the figure: Legislation, Privacy Legisl., Law Enforcement, Commercial Req., Business Models, Operational Concepts, End User, Acceptance, Credibility, Regulation, Infrastructure, PKI, Telco Platforms, Concepts, Trust, Limited Confidentiality, Privacy Prot., Secure Onboard Env., Identity Managem., Standards, IEEE, IETF, W3C, Oasis Open / Liberty All., 3GPP, ISO, ETSI, Partnerships, Liability.]


Security Motivation: Simulated Attack Scenario

Simulation:

- 400 honest vehicles
- variable number of attackers randomly put in scenario

Results:

- 3 attackers have already hit ≈ 20% of the honest vehicles
- 10 attackers are able to interfere with ≈ 50% of the honest vehicles


Technical Scope of Security

Attacks on in-vehicular system infrastructure: the in-vehicle system must be protected against illegal tampering:

- Attacks on internal vehicle infrastructure via physical access
- Attacks on internal vehicle system via wireless interface
- Safety-critical systems must not be open to influence

Attacks on external communication must be prevented, or at least detected and contained, so that fake messages are properly identified and eliminated before influencing applications.


C2C-CC Security Baselines

Trustworthy dissemination of data…

- Integrity of messages
- Authenticity ensuring trustworthiness of the data
- Access control (node isolation)
- Confidentiality only where applicable
- Availability and timely delivery

…while observing Privacy:

- Identity concealment, e.g. to provide person/location privacy
- Over all layers: from PHY/MAC to application

Multiple identities may need to be managed:

- Vehicle identity in C2C-CC specific environment
- Vehicle identity in telco environment
- Vehicle identity in current legal framework


Confidentiality

- Usually not: C2C-CC information shall be openly shared to improve traffic efficiency and road safety
- Messages need to be authentic, but their contents needn’t be encrypted
- Potential exception: where closed group communication can be more efficiently addressed through temporary peer authentication and subsequent secure session
- But: this is dependent on business models
  - Infrastructure deployment may ride on business models requiring exclusive access to information
  - Proprietary use cases co-existing with standardized use cases


Privacy

- Relevant for vehicles, not RSU
- Protect against typical privacy-infringing malicious profiling or accidental eavesdropping
- Ensure system maintainability and stability:
  - Allow faulty/malicious vehicles to be identified and excluded
  - Provide respective scalable re-keying mechanisms

Constraints:

- Location plausibility verification and inference from recorded message stream is possible – so why care about unlinkability of messages?
- Can this be countered for selected applications in areas and/or situations where recording is likely?


C2C-CC Baseline: Addressing & Identities

For operational reasons we need:

- Fixed addresses per vehicle
  - IPv6 and/or
  - Unique Vehicle ID
- Permanent unique certificate per vehicle

But we mustn’t disclose them in communication over the air.

Hence we also need:

- ID-hopping: temporary addresses, in particular MAC & IP
- Short-lived certificates
- Considering scalability and efficiency
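An added example, not part of the original slides: a self-audit a vehicle's communication stack could run over its own transmit log to confirm that ID-hopping changes the MAC address, IPv6 address and pseudonym certificate in the same step, and that no identifier outlives a configured lifetime. The `Frame` fields, the sample log and the 90-second lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass

# Over-the-air identifiers that must hop together (field names are assumptions).
LAYERS = ("mac", "ipv6", "cert_id")

@dataclass(frozen=True)
class Frame:
    t: float       # transmit time in seconds
    mac: str       # temporary MAC address
    ipv6: str      # temporary IPv6 address
    cert_id: str   # id of the short-lived pseudonym certificate used to sign

def audit_id_hopping(frames, max_lifetime_s):
    """Audit a time-ordered transmit log; return (kind, time, layers) findings.
    partial_change: `layers` did not hop with the rest and link old to new identity.
    lifetime_exceeded: `layers` were in use longer than max_lifetime_s."""
    findings = []
    if not frames:
        return findings
    since = {f: frames[0].t for f in LAYERS}  # when each identifier was adopted
    reported = set()                          # layers already flagged as overdue
    for prev, cur in zip(frames, frames[1:]):
        changed = tuple(f for f in LAYERS if getattr(prev, f) != getattr(cur, f))
        kept = tuple(f for f in LAYERS if f not in changed)
        if changed and kept:
            findings.append(("partial_change", cur.t, kept))
        for f in changed:
            since[f] = cur.t
            reported.discard(f)
        overdue = tuple(f for f in kept
                        if cur.t - since[f] > max_lifetime_s and f not in reported)
        if overdue:
            findings.append(("lifetime_exceeded", cur.t, overdue))
            reported.update(overdue)
    return findings

# Constructed sample log (not real traffic): a clean hop at t=60, a hop at
# t=120 that keeps the old certificate, then identifiers that are never changed.
SAMPLE = [
    Frame(0, "02:00:00:00:00:01", "fe80::1", "pc-A"),
    Frame(30, "02:00:00:00:00:01", "fe80::1", "pc-A"),
    Frame(60, "02:00:00:00:00:02", "fe80::2", "pc-B"),
    Frame(120, "02:00:00:00:00:03", "fe80::3", "pc-B"),
    Frame(200, "02:00:00:00:00:03", "fe80::3", "pc-B"),
    Frame(260, "02:00:00:00:00:03", "fe80::3", "pc-B"),
]

if __name__ == "__main__":
    print(audit_id_hopping(SAMPLE, max_lifetime_s=90))
```

On the sample log the audit reports the hop at t=120, where the unchanged certificate ties the new MAC and IPv6 addresses to the previous ones, and then the identifiers that stay in use past the lifetime.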


Comparison of Technical Solutions

[Table: the solutions PKI + Digital Signatures, Fixed Pseudonym Pool, PKI + Group Signatures and PKI + Dynamic Pseudonyms, each rated from ++ to -- on the criteria Computation Effort, Signature Length, Privacy and Scalability.]


Key, Certificate, and Identity Management

[Figure: the reference model annotated with security elements. Labels in the figure: Vehicle, Vehicle, Road-Side Unit, Keys, Certificates, SIM, Key Management, Trustworthy Message Exchange, Identity Federation, C2C OSS, C2C IPv6 Backbone, Telco SPP, Telco IPv6 Backbone (incl. heterogeneous access network), C2C Service Infrastructure, Other Service Infrastructure.]


Summary: Baseline for C2C-CC Security

Addressing:

- One permanent set (private)
- One temporary set (used in over-the-air communication)

Trust and Privacy:

- Signing C2X-Messages
- One pseudonym certificate per vehicle, regularly updated
- Security standards involved: TPM, PKI, ECC (desirable)
- Pseudonym protocols under discussion

Technologies/standards to look at for C2I:

- SIM
- IPv6, EAP, DIAMETER, PANA (IETF)
- SAML (OASIS), Liberty Alliance
- 1609.2, etc.

But … technical concepts must follow commercial/political discussion:

- Regulation and Legislation
- Business modeling, policies, and operational concepts
- Ensure user acceptance and credibility


Conclusion

C2C-CC Security WG activities:

- Technical and non-technical security discussion areas
- Analysis of security use cases and requirements
- Development and harmonization of security measures for secure and privacy preserving Car2X communication
- C2C-CC Sec WG has specified a Work Item within ETSI TC ITS WG5 Security for privacy preserving trustworthy message exchange

Approach for preserving privacy based on:

- Pseudonym-based signed message exchange
- Integrated with Telco-platforms where applicable
- Integrated with application-specific infrastructure such as traffic management systems


Challenges Ahead

Privacy:

- Research on pseudonym change rates
- Integration over all layers
- Efficient distribution techniques
- Integration of different identity management concepts

Fake messages sent out from a node:

- Prevention or at least detection and containment of attack
- Secure node architecture employing soft- and hardware measures
- Applying plausibility checks

Commercial and political discussion:

- Possible operational models
- Regulation and legislation


Further Information

http://www.car-2-car.org

http://www.comesafety.org


Thank you for your attention.


www.car-2-car.org

BMW Group Research and Technology

Benjamin Weyl, Chair WG Security & Middleware