We are living in a world full of smart devices and connected infrastructure. Internet of Things is becoming part of our everyday life with expected boom in the upcoming years.
This is especially noticeable in car industry. We are able to control the car, access various information and automatically arrange the service needed using our smart devices. Cars are starting to be permanently connected to the Internet and interacting between each other.
The interaction between different vehicles, including cars, traffic infrastructure (such as traffic lights and road signs) is part of Cooperative Intelligent Transport Systems (C-ITS).
The European Commission has on 30th of November 2016 adopted a European Strategy on C-ITS, a milestone initiative towards cooperative, connected and automated mobility.
Some of the objectives of C-ITS are:
- create a regulatory framework in EU
- deploy mature C-ITS services and platform
- international cooperation in all aspects of C-ITS
- enhanced road safety, optimised traffic control, less traffic jams
In general, we are speaking about vehicles (V), and traffic / transport infrastructure (I). The communication between them is recognised as V2I (Vehicle to Infrastructure), I2V (Infrastructure to Vehicle), and V2V (Vehicle to Vehicle). V2V and V2I are also referenced as V2X together. Vehicles and infrastructure component are also commonly called ITS-Stations, or ITS-S.
C-ITS will be part of our everyday life. Due to its coverage of a wide range of services, constantly exchanging data that in most cases contain critical and sensitive user’s information, it is crucial to protect and secure the communication between vehicles and infrastructure.
This is where PKI comes into play.
C-ITS Trust Model
The C-ITS security management system is based on the following trust model:
C-ITS security management system follows the Certificate Trust List approach which was introduced for instance within the eIDAS regulation. The top-level governance roles are defined in C-ITS Platform Certificate Policy document. The entities responsible for the trust management of the C-ITS system (i.e. governing all aspects related to the operational PKI) are:
- Certificate Policy Authority (CPA) – designates and authorizes the TLM and the CPOC to operate in the C-ITS Trust system. It decides if root CAs are trustable and approves/removes the Root CAs operation in C-ITS trust domain by notifying the TLM about approved/revoked Root CAs certificates
- Trust List Manager (TLM) – responsible for creating the list of root CA certificates and TLM certificates and signing it
- Central Point Of Contact (CPOC) – establish and contribute to ensure communication exchange between the Root CAs, to collect the Root CA certificates and provide them to the TLM, distributing the ECTL to any interested entities in the trust model
The Root CA is the highest level CA in the certification hierarchy. It provides EA and AA with proof that it may issue enrolment credentials, respectively authorization tickets
Enrolment Authority (EA)
Security management entity responsible for the life cycle management of enrolment credentials. Authenticates an ITS-S and grants it access to ITS communications
Authorization Authority (AA)
Security management entity responsible for issuing, monitoring the use of authorization tickets. Provides an ITS-S with authoritative proof that it may use specific ITS services
Acquires rights to access ITS communications from Enrolment Authority
Negotiates rights to invoke ITS services from Authorization Authority
Sends single-hop and relayed broadcast messages
Receives broadcast message from the sending ITS-S and forwards them to the receiving ITS-S if required
Receives broadcast messages from the sending or relaying ITS-S
Manufacturer / Operator
Installs necessary information for security management in ITS-S at production and provides updates during its operation
Functional perspective of C-ITS PKI
The C-ITS trust model is based on a multiple root CA architecture. Root CA can be implemented by a commercial entity, a common interest group, a national organization, and/or an European organisation.
The Root CA certificates are transmitted periodically to the CPOC through a secure protocol. The CPOC transmits the received root CA certificates to TLM. These collect and sign the list of root CA certificates and send them back to the CPOC. After this process CPOC makes them publicly available to every entity.
The CPA appoints the TLM and therefore provides trust in the operation of the TLM to all participants. The CPA approves the root CA operation and confirms that the TLM can trust the root CA.
The following diagram provides an overview about the information flows between the PKI participants:
The root CA issues certificates to the EA and AA and therefore provide trust to their operation. The EA issues Enrolment Certificates to the sending and relaying ITS-Station (as End-Entity), providing trust in its operation. The AA issues Authorization Tickets to the ITS-Stations based on the trust in the EA.
The receiving and relaying ITS-Station (as relying party) can trust other ITS-Stations since the ATs are issued by an AA which is trusted by a root CA, which is trusted by the TLM and the CPA.
For a detailed description of the C-ITS trust model and its information flow refer to [4, 5, 6].
True meaning of connected car
The modern cars (and vehicles in general) are already equipped with the ability to communicate between themselves and the road traffic infrastructure using the wireless communication. This enables completely new approaches to enhance transport safety and driving experience.
The possibilities how to use the power of such data are basically endless and can possibly save many lives. But with such power comes the danger of compromise that could work in a completely opposite way.
Let’s work together on a secure and interoperable solutions that can bring all of the possibilities the C-ITS offers while protecting what matter most. The human life.
-  ETSI EN 302 665 V1.1.1: Intelligent Transport Systems (ITS); Communications Architecture
-  ETSI TR 102 893 V1.2.1: Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA)
-  ETSI TS 102 731 V1.1.1: Intelligent Transport Systems (ITS); Security; Security Services and Architecture
-  ETSI TS 102 940 V1.3.1: Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management
-  ETSI TS 102 941 V1.3.1: Intelligent Transport Systems (ITS); Security; Trust and Privacy Management
-  Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS) Release 1.1 June 2018
ITS Application Classes
|Application Class||Application||Use case|
|Active road safety||Driving assistance – Co-operative Awareness (CA)||Emergency vehicle warning|
|Slow vehicle indication|
|Across traffic turn collision risk warning|
|Merging Traffic Turn Collision Risk Warning|
|Co-operative merging assistance|
|Intersection collision warning|
|Co-operative forward collision warning|
|Lane Change Manoeuvre|
|Driving assistance – Road Hazard Warning (RHW)||Emergency electronic brake lights|
|Wrong way driving warning (infrastructure based)|
|Stationary vehicle – accident|
|Stationary vehicle – vehicle problem|
|Traffic condition warning|
|Signal violation warning|
|Decentralized floating car data – Hazardous location|
|Decentralized floating car data – Precipitations|
|Decentralized floating car data – Road adhesion|
|Decentralized floating car data – Visibility|
|Decentralized floating car data – Wind|
|Vulnerable road user Warning|
|Pre-crash sensing warning|
|Co-operative glare reduction|
|Cooperative traffic efficiency||Co-operative Speed Management (CSM)||Regulatory/contextual speed limits notification|
|Traffic light optimal speed advisory|
|Co-operative Navigation (CN)||Traffic information and recommended itinerary|
|Public transport information|
|Co-operative local services||Location Based Services (LBS)||Point of Interest notification|
|Automatic access control and parking management|
|ITS local electronic commerce|
|Global internet services||Communities Services (CS)||Insurance and financial services|
|Loading zone management|
|Theft related services/After theft vehicle recovery|
|ITS station Life Cycle Management (LCM)||Vehicle software/data provisioning and update|
|Vehicle and RSU data calibration|
|Transport related electronic financial transactions|