standards for cooperative its - european commission · 2016. 9. 28. · standards for cooperative...

STANDARDS FORCOOPERATIVE ITS

Steve Randall and Siv Hilde HoumbPersonal Data Protection &

ITS WorkshopBrussels, 12th June 2012

Click t

o buy NOW!

PDF-XChange

www.docu-track.com Clic

k to buy N

OW!PDF-XChange

www.docu-track.com

http://www.docu-track.com/buy/


Speakers

Steve RANDALL & Siv Hilde HOUMB• Members of the expert team developing core ITS

security and privacy standards and activeparticipants in ETSI TC-ITS.

2 © 2012 – Proprietary Information of ETSI

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Outline

ETSI’s role in ITS StandardizationCooperative ITS CommunicationsPrivacy Challenges in ITSITS Privacy Concerns and MechanismsUsing Standards in the Protection of Identityand PrivacyShort-term certificates as a privacy measureStatus of ITS Privacy Standardization


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ETSI

European standards organisation specifyingglobally-applicable standards in ICT includingfixed, mobile, radio, converged, broadcast andInternet technologiesIndependent, not-for-profit, created in 1988Direct member participation750+ member companies and organisationsfrom 63 countries and five continentsOver 23,000 publications


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ETSI’s ITS focus

ITS is often classified into a number ofdifferent categories, including:• Advanced Traveller Information Systems (ATIS)• Vehicle-to-Infrastructure Integration (VII)• Vehicle-to-Vehicle Integration (V2V)

ETSI focuses on:• V2V and V2I (VII) cooperative awareness in

support of safer transport• ITS-S as source of data and as processor of data


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Primary role of ETSI TC ITS WG5

Provide standardisation such that ITS is:• Legal, Interoperable and interworkable• Low risk to the user, the OEM and the “ITS

Operator”

Standardize ITS security on behalf of the ESOsProvide guidance on the risks involved in ITSIdentify security mechanisms to meetoperational requirements


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Basic ITS Messages

Cooperative Awareness Messages (CAM)• 5.9GHz broadcast every 100ms• Single hop• Current vehicle/device status

Decentralized Environment Messages (DENM)• 5.9GHz broadcast, one-time only• Multi-hop, relayed• Reporting an event (e.g. accident) of interest to

other vehicles/devices


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Simple Collision Avoidance Scenario

© 2010 – Proprietary Information of ETSI8

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com





Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com





Both vehicles are aware of eachother’s presence and position andare able to avoid a collision.

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com





Vehicles travelling in the oppositedirection on a segregatedcarriageway can be ignored.

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Transmitted information


The vehicles do not need to know each other’sidentityThe vehicles need enough information to trackeach other in order to:• avoid collision (heading, size, position…)• distinguish one vehicle from another close by

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Privacy Challenges in ITS

CAM payload includes privacy-revealinginformation• Identifiers across the stack (pseudonym)• Vehicle attributes, location, time and speed• Information broadcasted frequently• No control over the receivers

Need to balance details in ITS messages(specifically CAM) with privacy requirements• Delicate balance between safety and privacy


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Privacy Concerns in ITS

• Message content (e.g.vehicle length)

• Security and communicationidentifiers (e.g. certificateand MAC address)

• Misuse of data• Malpractice

• Communication over-head (e.g. sender andreceiver IP address)

• Rogue RSE© 2012 – Proprietary Information of ETSI14

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Tracking Information

15

Many road safety applications depend on thetracking of other vehiclesThe information necessary for collisionavoidance can be used by an attackerIt is impossible to distinguish betweenlegitimate and illicit trackingETSI’s standards provide identity protectionmechanisms but cannot totally protect privacy

© 2012 – Proprietary Information of ETSI

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ITS Privacy Objectives

Anonymity (pseudonomity)• There should be no pointer to any real-world

identity (e.g. VIN, license plate number, ownername, static IP address, etc.).

Long-term unlinkability• It shall not be possible to link transmissions from

the same vehicle over a long time period (e.g. linktwo transmissions broadcast on different days).


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ITS Privacy Mechanisms

Real identity never used in ITS messagesSeparation between identification andauthorizationPseudonomity across the stack when sendingITS messagesAuthenticity of ITS messages

Short-term certificates


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Short-Term Certificates

ITS must respect and comply with theEuropean Data Protection DirectiveHowever, it is unclear how to apply EuropeanData Protection Directive to ITS stations inV2V mode• E.g., how often do we need to change certificates

to satisfy the directive?• The US solution is to change certificate every five

minutes


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Revocation and Privacy

It is useful to have a service to revokecertificates as devices may becomecompromisedThere is an unfortunate relationship betweenrevocation and privacy• The ability to revoke certificates is a contradicting

objective to privacy• Example: a scheme that has perfect privacy makes it

impossible to pinpoint a single device, thus there is noway to detect and revoke that device.

© 2012 – Proprietary Information of ETSI

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ETSI ITS Standardization – Anonymity

Anonymity is difficult as safety applicationsneed to track and distinguish betweenvehiclesStatus of ETSI ITS Standardization:• Pseudonymity across the stack• Separation between identification and

authorization• Protection of the real identity• Supports revocation by CRL and infrastructure-

based revocation, but does not specify how• Does not specify the frequency of certificate

change© 2012 – Proprietary Information of ETSI20

Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ETSI ITS Standardization – Linkability

Long-term unlinkability is challenging becausesafety applications need to track anddistinguish between vehiclesStatus ETSI ITS Standardization:• Separation between identification and

authorization• Pseudonymity of sender of ITS messages• Short-term certificates


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



ETSI ITS Standardization – Status

Challenges not yet addressed by ETSI ITSStandards:• Revocation of authorizations (long-term

certificate, short-term certificates, authorities)• Misbehaviour reporting• Authority hierarchy and roles• Frequency of pseudonym change• Pseudonym change across the ITS stack• Granularity of ITS messages contents is too fine


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



VehicleVehicle

PDA

Roadside Unit

ITS CAM/DENM

Authorization

Enrolment

AuthorizationAuthority

EnrolmentAuthority

ITS Authorities - Overview


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Conclusions (1)

ITS messages (CAM) broadcast details aboutvehicles (identifiers, speed, length, width, etc.)Safety messages need to distinguish betweenvehicles and track vehiclesPerfect privacy is not possibleNeed a reasonable privacy-by-designPrivacy concerns can be found in mostnetwork layers


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Conclusions (2)

ETSI ITS standards support revocation by CRLand infrastructure-based revocation, but doesnot specify howETSI ITS standards do not specify thefrequency of certificate change


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Acknowledgements

The work and analysis incorporated in thispresentation has received funding from:• EU support to ETSI’s standardisation work

programme under EC/EFTA Contract referenceSA/ETSI/ENTR/453/2010-09.

The authors are solely responsible for it, itdoes not represent the opinion of theCommission, and the Commission is notresponsible for any use that might be made ofinformation contained therein.


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



Thank you for your attention


Click t

o buy NOW!

PDF-XChange


k to buy N

OW!PDF-XChange

www.docu-track.com



standards for cooperative its - european commission · 2016. 9. 28. · standards for cooperative...

Documents