The Public Key Infrastructure (PKI) is a key element of the security and privacy concept of Intelligent Transport Systems (ITS) operating in the 5 GHz frequency band (ITS-G5), also known as V2X (Vehicle to X) communications. All ITS-stations (ITS-S), i.e. vehicles and roadside units, which are equipped with a V2X communication unit have to be registered with the V2X PKI. Only ITS-S with valid certificates are able to send authenticated messages that will be trusted by the receiving ITS-S. The certificates provided by the V2X PKI have to be stored in the security subsystem of an On-Board Unit (OBU), as exemplarily depicted in Figure 1.
Figure 1: Possible V2X PKI environment
In V2X communication particular restrictions occur, such as limited bandwidth, intermittent internet access, and privacy issues. Consequently, both the PKI and the format of the used certificates feature specific characteristics, as they are customized to fulfil requirements resulting from those restrictions.
CA (Certificate Authority) and a certification of OBUs ensure the trust between the systems of multiple vendors. On the other hand, an organizational separation of Enrolment Authority (EA) and Authorization Authority (AA) ensures privacy requirements. The EAs are responsible for the management of the ITS-S while the AAs are responsible for the generation of the Authorization Tickets (AT), the certificates used within the V2V and V2I communications.
Companies involved in the equipping of OBUs have to operate their own certificate authorities of the V2X PKI or have to use the service of an external EA and AA. In both cases, new enrolment processes are necessary that may affect existing production and distribution processes of vehicles and roadside units and require additional quality management tests.
At least two processes have to be run before an OBU is armed for V2X communication:
- Bootstrapping of V2X OBUs including station registration
- Acquisition of enrolment credentials and authorization ticket
Furthermore, there are a number of PKI processes related to the station’s life cycle. From regular certificate updates over end-of-life handling to unexpected incident management, several aspects should be considered. Being prepared for all circumstances may be important for involved companies before the first ITS-S with V2X communication facilities are distributed.
Fraunhofer SIT offers support in the V2X pre-operation phase in order to prepare for a productive V2X PKI. A fully functional test V2X PKI can be provided for internal and external integration tests and the evaluation of required processes. Furthermore, Fraunhofer SIT offers to support the V2X PKI integration phase by elaborating concepts and developing solutions for a secure and privacy friendly integration of the V2X PKI into the production and maintenance environment of interested companies.
A generic basis V2X PKI developed by Fraunhofer SIT can be easily enhanced and adapted according to the customer’s specific requirements. Besides the integration tests, a test V2X PKI can be used for quality management tests during production, independent from final V2X certificates that are used after distribution.
Finally, Fraunhofer SIT offers validation and penetration testing in order to ensure that the security and privacy protection demands are fulfilled.
The Fraunhofer SIT basis V2X PKI of Fraunhofer SIT provides the following key elements and functions:
- Pre-productive V2X PKI solution with Root CA (RCA), Enrolment Authority (EA), and Authorization Authority (AA) according to the PKI design of the Car-to-Car-Communication Consortium (C2C-CC), ETSI TS 102 940, and ETSI TS 102 941
- Security header and certificate formats according to ETSI TS 103 097 v1.2.1
- Different interfaces for datagram-based (i.e. UDP-IP) or session-based (i.e. SOAP web service using HTTPS) data transmission.
- A graphical user interface to easily operate and maintain the V2X PKI.
In summary, Fraunhofer SIT offers to provide a test V2X PKI solution:
- to support the V2X PKI integration into the customer company’s infrastructure in the pre-production phase and
- to allow V2X communication tests for quality management purposes.
For V2X PKI developers, distributors and operators, Fraunhofer SIT offers support tailored to the individual needs throughout the entire product life cycle.
Fraunhofer SIT is deeply involved in the European V2X security and privacy activities since 2004. In 2009 a first specialized V2X PKI was designed and subsequently implemented and operated within the German project simTD. From 2011, Fraunhofer SIT developed and currently operates partly the V2X PKI of the European project PRESERVE. Since 2013 the Pilot PKI of the C2C-CC is also partly operated by Fraunhofer SIT. Moreover, Fraunhofer SIT is deeply involved in the Task Force PKI of the working group Security of the C2C-CC and active as an expert in the security working group and its task forces of the European Telecommunications Standards Institute (ETSI) since 2010.
In order to identify possible future security and privacy issues Fraunhofer SIT is active in the scientific research for V2X PKI operation. Several reports were published and talks were given on international conferences in the field of misbehavior detection in V2X communications and the related revocation of attackers.