3KeyIoTPKI

C-ITS and PKI

We are living in a world full of smart devices and connected infrastructure. Internet of Things is becoming  part of our everyday life with expected boom in the upcoming years.

This is especially noticeable in car industry. We are able to control the car, access various information  and automatically arrange the service needed using our smart devices. Cars are starting to be permanently connected to the Internet and interacting between each other.

The interaction between different vehicles, including cars, traffic infrastructure (such as traffic lights and road signs) is part of Cooperative Intelligent Transport Systems (C-ITS).

The European Commission has on 30th of November 2016 adopted a European Strategy on C-ITS, a milestone initiative towards cooperative, connected and automated mobility.

Some of the objectives of C-ITS are:

  • create a regulatory framework in EU
  • deploy mature C-ITS services and platform
  • international cooperation in all aspects of C-ITS
  • enhanced road safety, optimised traffic control, less traffic jams

In general, we are speaking about vehicles (V), and traffic / transport infrastructure (I). The communication between them is recognised as V2I (Vehicle to Infrastructure), I2V (Infrastructure to Vehicle), and V2V (Vehicle to Vehicle). V2V and V2I are also referenced as V2X together. Vehicles and infrastructure component are also commonly called ITS-Stations, or ITS-S.

C-ITS will be part of our everyday life. Due to its coverage of a wide range of services, constantly exchanging data that in most cases contain critical and sensitive user’s information, it is crucial to protect and secure the communication between vehicles and infrastructure.

This is where PKI comes into play.

C-ITS Trust Model

The C-ITS security management system is based on the following trust model:

C-ITS security management system follows the Certificate Trust List approach which was introduced for instance within the eIDAS regulation. The top-level governance roles are defined in C-ITS Platform Certificate Policy document. The entities responsible for the trust management of the C-ITS system (i.e. governing all aspects related to the operational PKI) are:

  • Certificate Policy Authority (CPA) – designates and authorizes the TLM and the CPOC to operate in the C-ITS Trust system. It decides if root CAs are trustable and approves/removes the Root CAs operation in C-ITS trust domain by notifying the TLM about approved/revoked Root CAs certificates
  • Trust List Manager (TLM) – responsible for creating the list of root CA certificates and TLM certificates and signing it
  • Central Point Of Contact (CPOC) – establish and contribute to ensure communication exchange between the Root CAs, to collect the Root CA certificates and provide them to the TLM, distributing the ECTL to any interested entities in the trust model 
The operational roles depicted in a trust model are:
Role Decription
Root CA
The Root CA is the highest level CA in the certification hierarchy. It provides EA and AA with proof that it may issue enrolment credentials, respectively authorization tickets
Enrolment Authority (EA)
Security management entity responsible for the life cycle management of enrolment credentials. Authenticates an ITS-S and grants it access to ITS communications
Authorization Authority (AA)
Security management entity responsible for issuing, monitoring the use of authorization tickets. Provides an ITS-S with authoritative proof that it may use specific ITS services
Sending ITS-S
Acquires rights to access ITS communications from Enrolment Authority
Negotiates rights to invoke ITS services from Authorization Authority
Sends single-hop and relayed broadcast messages
Relaying ITS-S
Receives broadcast message from the sending ITS-S and forwards them to the receiving ITS-S if required
Receiving ITS-S
Receives broadcast messages from the sending or relaying ITS-S
Manufacturer / Operator
Installs necessary information for security management in ITS-S at production and provides updates during its operation

Functional perspective of C-ITS PKI

The C-ITS trust model is based on a multiple root CA architecture. Root CA can be implemented by a commercial entity, a common interest group, a national organization, and/or an European organisation.

The Root CA certificates are transmitted periodically to the CPOC through a secure protocol. The CPOC transmits the received root CA certificates to TLM. These collect and sign the list of root CA certificates and send them back to the CPOC. After this process CPOC makes them publicly available to every entity.

The CPA appoints the TLM and therefore provides trust in the operation of the TLM to all participants. The CPA approves the root CA operation and confirms that the TLM can trust the root CA.

The following diagram provides an overview about the information flows between the PKI participants:

The root CA issues certificates to the EA and AA and therefore provide trust to their operation. The EA issues Enrolment Certificates to the sending and relaying ITS-Station (as End-Entity), providing trust in its operation. The AA issues Authorization Tickets to the ITS-Stations based on the trust in the EA.

The receiving and relaying ITS-Station (as relying party) can trust other ITS-Stations since the ATs are issued by an AA which is trusted by a root CA, which is trusted by the TLM and the CPA.

For a detailed description of the C-ITS trust model and its information flow refer to [4, 5, 6].

True meaning of connected car

The modern cars (and vehicles in general) are already equipped with the ability to communicate between themselves and the road traffic infrastructure using the wireless communication. This enables completely new approaches to enhance transport safety and driving experience.

The possibilities how to use the power of such data are basically endless and can possibly save many lives. But with such power comes the danger of compromise that could work in a completely opposite way.

Let’s work together on a secure and interoperable solutions that can bring all of the possibilities the C-ITS offers while protecting what matter most. The human life.

Need help?

Do not hesitate to get in touch with us!

Get in touch with us!

security | data intelligence | consulting

Contact us!
References
  • [1] ETSI EN 302 665 V1.1.1: Intelligent Transport Systems (ITS); Communications Architecture
  • [2] ETSI TR 102 893 V1.2.1: Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA)
  • [3] ETSI TS 102 731 V1.1.1: Intelligent Transport Systems (ITS); Security; Security Services and Architecture
  • [4] ETSI TS 102 940 V1.3.1: Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management
  • [5] ETSI TS 102 941 V1.3.1: Intelligent Transport Systems (ITS); Security; Trust and Privacy Management
  • [6] Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS) Release 1.1 June 2018
ITS Application Classes
Application ClassApplicationUse case
Active road safetyDriving assistance – Co-operative Awareness (CA) Emergency vehicle warning
  Slow vehicle indication
  Across traffic turn collision risk warning
  Merging Traffic Turn Collision Risk Warning
  Co-operative merging assistance
  Intersection collision warning
  Co-operative forward collision warning
  Lane Change Manoeuvre 
 Driving assistance – Road Hazard Warning (RHW)Emergency electronic brake lights
  Wrong way driving warning (infrastructure based)
  Stationary vehicle – accident
  Stationary vehicle – vehicle problem
  Traffic condition warning
  Signal violation warning
  Roadwork warning
  Decentralized floating car data – Hazardous location
  Decentralized floating car data – Precipitations
  Decentralized floating car data – Road adhesion
  Decentralized floating car data – Visibility
  Decentralized floating car data – Wind
  Vulnerable road user Warning
  Pre-crash sensing warning
  Co-operative glare reduction
Cooperative traffic efficiency Co-operative Speed Management (CSM) Regulatory/contextual speed limits notification
  Curve Warning
  Traffic light optimal speed advisory
 Co-operative Navigation (CN)Traffic information and recommended itinerary
  Public transport information
  In-vehicle signage
Co-operative local servicesLocation Based Services (LBS)Point of Interest notification
  Automatic access control and parking management
  ITS local electronic commerce
Global internet servicesCommunities Services (CS)Insurance and financial services
  Fleet management
  Loading zone management
  Theft related services/After theft vehicle recovery
 ITS station Life Cycle Management (LCM)Vehicle software/data provisioning and update
  Vehicle and RSU data calibration
 Transport related electronic financial transactions