Car2Car Communication Consortium (C2C-CC)
Secure Vehicular Communication: Results and Challenges Ahead
February 20th/21st 2008, Lausanne
Benjamin Weyl, BMW Group Research and Technology
Chair, C2C-CC Security & Middleware Working Group
Benjamin Weyl, BMW Group Research and Technology, 20080220, Page 2
Networking and communication. New applications in driver assistance.
“A well connected driver is a well informed driver is a safer driver.”
20080220 C2C-CC Security WG 3
Agenda
C2C-CC Overview
Security Discussion Areas and Technical Scope
C2C-CC Baseline Concepts & Solution Space
Summary, Conclusion and Challenges Ahead
C2C-CC Goals
The C2C-CC is a non-profit industry forum driven by the automobile manufacturers (OEMs). Among its main purposes are:
- to work together for more safety on the road, jointly driving the development, harmonization and adoption of technologies for Car2Car systems
- to establish an open European industry standard for a Car2Car communication system, coordinating the approach towards, and driving, the standardization and regulation of those technologies
- to promote the allocation of a royalty-free Europe-wide frequency band for Car2Car applications
- to enable the development of an open system supporting active safety applications as well as a broad range of information services
- to take into consideration worldwide related activities
- to develop realistic deployment strategies and business models to speed up market penetration
C2C-CC Applications
The C2C-CC is looking at a broad range of applications:
- Critical safety applications requiring a dedicated frequency band, such as intersection assistance, traffic merging, forward collision warning/avoidance
- Safety and other public applications, such as traffic flow improvement
- Commercial applications, such as infotainment or generic internet connectivity
- Proprietary applications, such as telemetry and telediagnostics

Priorities and interests:
- Key motivation is to standardize safety applications
- Agree on and standardize essential non-safety applications
- Ensure co-existence with all other applications
- Accommodate commercial and public applications, allowing for multiple business models potentially pursued by OEMs and other stakeholders
C2C-CC: Protocol Architecture (diagram, rendered as layers from top to bottom)
- Applications: Active Safety Application, Traffic Efficiency Application, Infotainment Application
- Transport: Car2Car Transport | TCP / UDP / Other
- Network: Car2Car Network | IPv6 (option: Mobile IPv6 NEMO)
- MAC / LLC: Car2Car MAC Layer Extension | IEEE 802.11 a,b,g | Other Radio (e.g. UMTS)
- PHY: European IEEE 802.11p | IEEE 802.11 a,b,g
C2C-CC reference model (diagram): entities Vehicle, Vehicle, Road-Side Unit, C2C IPv6 Backbone, C2C OSS, Telco SPP, Telco IPv6 Backbone (incl. heterogeneous access network), C2C Service Infrastructure and Other Service Infrastructure, connected by the reference interfaces I1 to I12.
C2C-CC Cooperation (diagram of related bodies, projects and stakeholders)
- Frequency regulation: ITU, CEPT
- Standardization: ETSI, ISO, CEN, IEEE
- USA: VII, VSC
- Japan: ASV3, AHSRA
- European projects: CarTALK2000, GST, Prevent, Safespot, CVIS, COMeSafety, EASIS, SeVeCom, DAIDALOS
- National projects: NOW, Invent, INFONEBBIA, AIDA, FleetNet
- Stakeholders: Telco, Road, Insurance, Member States, Legislation, Vehicle Manufacturers, Suppliers
C2C-CC Security
Overview of security discussion areas (diagram)
- Legislation: privacy legislation, law enforcement, liability, regulation
- Commercial requirements: business models, operational concepts, end-user acceptance and credibility
- Infrastructure: PKI, telco platforms, partnerships
- Concepts: trust, limited confidentiality, privacy protection, secure onboard environment, identity management
- Standards: IEEE, IETF, W3C, OASIS Open, Liberty Alliance, 3GPP, ISO, ETSI
Security Motivation: Simulated Attack Scenario
Simulation: 400 honest vehicles; a variable number of attackers placed randomly in the scenario.
Results: 3 attackers already affect ≈ 20% of the honest vehicles; 10 attackers are able to interfere with ≈ 50% of the honest vehicles.
Technical Scope of Security
Attacks on the in-vehicle system infrastructure: it must be ensured that the vehicle cannot be illegally tampered with:
- attacks on the internal vehicle infrastructure via physical access
- attacks on the internal vehicle system via the wireless interface
Safety-critical systems must be protected from being influenced.
Attacks on external communication must be prevented, or at least detected and contained, so that fake messages are properly identified and eliminated before they influence applications.
C2C-CC Security Baselines
Trustworthy dissemination of data…
- Integrity of messages
- Authenticity, ensuring trustworthiness of the data
- Access control (node isolation)
- Confidentiality only where applicable
- Availability and timely delivery
…while observing privacy:
- Identity concealment, e.g. to provide person/location privacy
- Over all layers: from PHY/MAC to application
Multiple identities may need to be managed:
- Vehicle identity in the C2C-CC-specific environment
- Vehicle identity in the telco environment
- Vehicle identity in the current legal framework
Confidentiality
Usually not required: C2C-CC information shall be openly shared to improve traffic efficiency and road safety. Messages need to be authentic, but their contents needn’t be encrypted.
Potential exception: where closed-group communication can be addressed more efficiently through temporary peer authentication and a subsequent secure session.
But: this depends on business models:
- Infrastructure deployment may ride on business models requiring exclusive access to information
- Proprietary use cases co-existing with standardized use cases
Privacy
- Relevant for vehicles, not for RSUs
- Protect against typical privacy-infringing malicious profiling or accidental eavesdropping
- Ensure system maintainability and stability:
  - Allow faulty/malicious vehicles to be identified and excluded
  - Provide corresponding scalable re-keying mechanisms
Constraints:
- Location plausibility verification and inference from a recorded message stream are possible, so why care about unlinkability of messages?
- Can this be countered for selected applications in areas and/or situations where recording is likely?
C2C-CC Baseline: Addressing & Identities
For operational reasons we need fixed addresses per vehicle:
- IPv6 address and/or unique vehicle ID
- Permanent unique certificate per vehicle
But we mustn’t disclose them in communication over the air.
Hence we also need:
- ID-hopping: temporary addresses, in particular MAC & IP
- Short-lived certificates
- Considering scalability and efficiency
Comparison of Technical Solutions (table; the individual ratings, on a scale from -- to ++, did not survive extraction in attributable form)
- Rows (solutions): PKI + Digital Signatures; Fixed Pseudonym Pool; PKI + Dynamic Pseudonyms; PKI + Group Signatures
- Columns (criteria): Privacy; Scalability; Computation Effort; Signature Length
Key, Certificate, and Identity Management (diagram): Vehicles and the Road-Side Unit each hold keys and certificates; key management is shown between the vehicles and the C2C OSS over the C2C IPv6 Backbone; keys, certificates and SIM are shown on the telco side (Telco SPP, Telco IPv6 Backbone incl. heterogeneous access network); identity federation links the C2C Service Infrastructure and Other Service Infrastructure; “Trustworthy Message Exchange” is shown between the vehicles and between vehicle and Road-Side Unit.
Summary: Baseline for C2C-CC Security
Addressing:
- One permanent set (private)
- One temporary set (used in over-the-air communication)
Trust and privacy:
- Signing C2X messages
- One pseudonym certificate per vehicle, regularly updated
- Security standards involved: TPM, PKI, ECC (desirable)
- Pseudonym protocols under discussion
Technologies/standards to look at for C2I:
- SIM
- IPv6, EAP, DIAMETER, PANA (IETF)
- SAML (OASIS), Liberty Alliance
- IEEE 1609.2, etc.
But … technical concepts must follow the commercial/political discussion:
- Regulation and legislation
- Business modeling, policies, and operational concepts
- Ensure user acceptance and credibility
Conclusion
C2C-CC Security WG activities:
- Technical and non-technical security discussion areas
- Analysis of security use cases and requirements
- Development and harmonization of security measures for secure and privacy-preserving Car2X communication
- The C2C-CC Security WG has specified a work item within ETSI TC ITS WG5 (Security) for privacy-preserving trustworthy message exchange
Approach for preserving privacy based on:
- Pseudonym-based signed message exchange
- Integration with telco platforms where applicable
- Integration with application-specific infrastructure, such as traffic management systems
Challenges Ahead
Privacy:
- Research on pseudonym change rates
- Integration over all layers
- Efficient distribution techniques
- Integration of different identity management concepts
Fake messages sent out from a node:
- Prevention, or at least detection and containment, of the attack
- Secure node architecture employing software and hardware measures
- Applying plausibility checks
Commercial and political discussion:
- Possible operational models
- Regulation and legislation
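As an added example of the receiver-side plausibility checks named above and of the location plausibility verification mentioned on the privacy slide (not code from the deck or the C2C-CC): each pseudonym's last accepted beacon is remembered, and a new beacon is rejected when its claimed position is beyond radio range, its timestamp does not advance, or the implied speed since the last beacon is physically implausible. The thresholds, coordinates and beacons are constructed values.

```javascript
const MAX_SPEED_MPS = 70; // constructed upper bound (~250 km/h) for a road vehicle
const MAX_RANGE_M = 1000; // constructed bound on plausible single-hop reception range
const EARTH_R_M = 6371000;

// Great-circle distance in metres between two {lat, lon} points (degrees).
function haversineM(a, b) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat), dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_R_M * Math.asin(Math.sqrt(h));
}

// checkBeacon returns null when the beacon is plausible, otherwise the reason.
// history: Map from pseudonym id to the last accepted beacon {pseudonym, t, lat, lon}.
// self: the receiver's own position. Only accepted beacons update the history,
// so a single bad beacon does not poison the baseline for the next check.
function checkBeacon(history, self, beacon) {
  if (haversineM(self, beacon) > MAX_RANGE_M) return "claimed position beyond radio range";
  const last = history.get(beacon.pseudonym);
  if (last) {
    if (beacon.t <= last.t) return "timestamp not increasing";
    if (haversineM(last, beacon) / (beacon.t - last.t) > MAX_SPEED_MPS) return "implied speed implausible";
  }
  history.set(beacon.pseudonym, beacon);
  return null;
}

// Constructed sample: a receiver near Lausanne and five beacons, two of them bogus.
function runSample() {
  const self = { lat: 46.5197, lon: 6.6323 };
  const beacons = [
    { pseudonym: "p1", t: 0, lat: 46.52, lon: 6.633 },    // ~63 m away, first sighting
    { pseudonym: "p1", t: 1, lat: 46.5202, lon: 6.633 },  // ~22 m in 1 s, plausible
    { pseudonym: "p1", t: 2, lat: 46.522, lon: 6.633 },   // ~200 m in 1 s, implausible
    { pseudonym: "p1", t: 1, lat: 46.5202, lon: 6.633 },  // replay of an earlier timestamp
    { pseudonym: "p2", t: 5, lat: 46.6, lon: 6.6323 },    // ~8.9 km away, out of range
  ];
  const history = new Map();
  return beacons.map((b) => checkBeacon(history, self, b));
}
```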
Further Information
http://www.car-2-car.org
http://www.comesafety.org

Thank you for your attention.
www.car-2-car.org
BMW Group Research and Technology
Benjamin Weyl, Chair WG Security & Middleware