standards for cooperative its - european commission · 2016. 9. 28. · standards for cooperative...
STANDARDS FOR COOPERATIVE ITS
Steve Randall and Siv Hilde Houmb
Personal Data Protection & ITS Workshop
Brussels, 12th June 2012
Speakers
Steve RANDALL & Siv Hilde HOUMB
• Members of the expert team developing core ITS security and privacy standards and active participants in ETSI TC-ITS.
2 © 2012 – Proprietary Information of ETSI
Outline
ETSI’s role in ITS Standardization
Cooperative ITS Communications
Privacy Challenges in ITS
ITS Privacy Concerns and Mechanisms
Using Standards in the Protection of Identity and Privacy
Short-term certificates as a privacy measure
Status of ITS Privacy Standardization
ETSI
European standards organisation specifying globally-applicable standards in ICT including fixed, mobile, radio, converged, broadcast and Internet technologies
Independent, not-for-profit, created in 1988
Direct member participation
750+ member companies and organisations from 63 countries and five continents
Over 23,000 publications
ETSI’s ITS focus
ITS is often classified into a number of different categories, including:
• Advanced Traveller Information Systems (ATIS)
• Vehicle-to-Infrastructure Integration (VII)
• Vehicle-to-Vehicle Integration (V2V)
ETSI focuses on:
• V2V and V2I (VII) cooperative awareness in support of safer transport
• ITS-S as source of data and as processor of data
Primary role of ETSI TC ITS WG5
Provide standardisation such that ITS is:
• Legal, interoperable and interworkable
• Low risk to the user, the OEM and the “ITS Operator”
Standardize ITS security on behalf of the ESOs
Provide guidance on the risks involved in ITS
Identify security mechanisms to meet operational requirements
Basic ITS Messages
Cooperative Awareness Messages (CAM)
• 5.9 GHz broadcast every 100 ms
• Single hop
• Current vehicle/device status
Decentralized Environment Messages (DENM)
• 5.9 GHz broadcast, one-time only
• Multi-hop, relayed
• Reporting an event (e.g. accident) of interest to other vehicles/devices
Simple Collision Avoidance Scenario
Both vehicles are aware of each other’s presence and position and are able to avoid a collision.
Vehicles travelling in the opposite direction on a segregated carriageway can be ignored.
Transmitted information
The vehicles do not need to know each other’s identity
The vehicles need enough information to track each other in order to:
• avoid collision (heading, size, position…)
• distinguish one vehicle from another close by
Privacy Challenges in ITS
CAM payload includes privacy-revealing information
• Identifiers across the stack (pseudonym)
• Vehicle attributes, location, time and speed
• Information broadcast frequently
• No control over the receivers
Need to balance details in ITS messages (specifically CAM) with privacy requirements
• Delicate balance between safety and privacy
Privacy Concerns in ITS
• Message content (e.g. vehicle length)
• Security and communication identifiers (e.g. certificate and MAC address)
• Misuse of data
• Malpractice
• Communication overhead (e.g. sender and receiver IP address)
• Rogue RSE
Tracking Information
Many road safety applications depend on the tracking of other vehicles
The information necessary for collision avoidance can be used by an attacker
It is impossible to distinguish between legitimate and illicit tracking
ETSI’s standards provide identity protection mechanisms but cannot totally protect privacy
ITS Privacy Objectives
Anonymity (pseudonymity)
• There should be no pointer to any real-world identity (e.g. VIN, license plate number, owner name, static IP address, etc.).
Long-term unlinkability
• It shall not be possible to link transmissions from the same vehicle over a long time period (e.g. link two transmissions broadcast on different days).
ITS Privacy Mechanisms
Real identity never used in ITS messages
Separation between identification and authorization
Pseudonymity across the stack when sending ITS messages
Authenticity of ITS messages
Short-term certificates
Short-Term Certificates
ITS must respect and comply with the European Data Protection Directive
However, it is unclear how to apply the European Data Protection Directive to ITS stations in V2V mode
• E.g., how often do we need to change certificates to satisfy the directive?
• The US solution is to change certificate every five minutes
Revocation and Privacy
It is useful to have a service to revoke certificates as devices may become compromised
There is an unfortunate relationship between revocation and privacy
• The ability to revoke certificates is an objective that conflicts with privacy
• Example: a scheme that has perfect privacy makes it impossible to pinpoint a single device, thus there is no way to detect and revoke that device.
ETSI ITS Standardization – Anonymity
Anonymity is difficult as safety applications need to track and distinguish between vehicles
Status of ETSI ITS Standardization:
• Pseudonymity across the stack
• Separation between identification and authorization
• Protection of the real identity
• Supports revocation by CRL and infrastructure-based revocation, but does not specify how
• Does not specify the frequency of certificate change
ETSI ITS Standardization – Linkability
Long-term unlinkability is challenging because safety applications need to track and distinguish between vehicles
Status of ETSI ITS Standardization:
• Separation between identification and authorization
• Pseudonymity of sender of ITS messages
• Short-term certificates
ETSI ITS Standardization – Status
Challenges not yet addressed by ETSI ITS Standards:
• Revocation of authorizations (long-term certificate, short-term certificates, authorities)
• Misbehaviour reporting
• Authority hierarchy and roles
• Frequency of pseudonym change
• Pseudonym change across the ITS stack
• Granularity of ITS message contents is too fine
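The two open items on pseudonym change (its frequency, and changing it across the whole ITS stack) can be checked against a station's own transmit log. The sketch below is an added example, not part of the presentation or of any ETSI specification; the field names `cert_id`, `mac` and `station_id`, the 10 s sampling and the 300 s rotation period (the five-minute figure quoted above) are assumptions, and the log is constructed.

```python
from collections import defaultdict

LAYERS = ("cert_id", "mac", "station_id")  # assumed identifier fields, one per layer

def make_log(duration_s, schedule=None, step_s=10):
    """Constructed transmit log: each layer's identifier changes every
    period_s seconds, shifted by offset_s (default: 300 s, no shift)."""
    schedule = schedule or {}
    frames = []
    for t in range(0, duration_s, step_s):
        frame = {"t": t}
        for layer in LAYERS:
            period_s, offset_s = schedule.get(layer, (300, 0))
            frame[layer] = f"{layer}-{(t + offset_s) // period_s}"
        frames.append(frame)
    return frames

def linkable_spans(frames):
    """Union frames that share any identifier value at any layer and
    return the (first, last) timestamp of each linked group."""
    parent = list(range(len(frames)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for idx, frame in enumerate(frames):
        for layer in LAYERS:
            key = (layer, frame[layer])
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = defaultdict(list)
    for idx, frame in enumerate(frames):
        groups[find(idx)].append(frame["t"])
    return sorted((min(ts), max(ts)) for ts in groups.values())

def longest_link_s(frames):
    """Longest period over which one station's frames stay linkable."""
    return max(end - start for start, end in linkable_spans(frames))

if __name__ == "__main__":
    print(longest_link_s(make_log(1800)))                       # all layers rotate together
    print(longest_link_s(make_log(1800, {"mac": (300, 150)})))  # MAC rotates 150 s out of step
    print(longest_link_s(make_log(1800, {"mac": (10**9, 0)})))  # MAC never changes
```

Only the first case keeps linkability within one rotation period; a single identifier that rotates out of step, or never rotates, links the whole 30-minute log.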
ITS Authorities - Overview
[Figure: diagram with the labels Vehicle, Vehicle, PDA, Roadside Unit, ITS CAM/DENM, Authorization, Enrolment, Authorization Authority, Enrolment Authority]
Conclusions (1)
ITS messages (CAM) broadcast details about vehicles (identifiers, speed, length, width, etc.)
Safety messages need to distinguish between vehicles and track vehicles
Perfect privacy is not possible
Need a reasonable privacy-by-design
Privacy concerns can be found in most network layers
Conclusions (2)
ETSI ITS standards support revocation by CRL and infrastructure-based revocation, but do not specify how
ETSI ITS standards do not specify the frequency of certificate change
Acknowledgements
The work and analysis incorporated in this presentation has received funding from:
• EU support to ETSI’s standardisation work programme under EC/EFTA Contract reference SA/ETSI/ENTR/453/2010-09.
The authors are solely responsible for it, it does not represent the opinion of the Commission, and the Commission is not responsible for any use that might be made of information contained therein.
Thank you for your attention