CAR 2 CAR: New pilot PKI complies with latest security standards
In V2X communication, IT security is essential for ensuring the reliable and trustworthy exchange of information between vehicles within the Cooperative Intelligent Transportation System (C-ITS). In February 2019, automotive security specialist ESCRYPT launched a new pilot public key infrastructure (PKI) for the CAR 2 CAR Communication Consortium (C2C-CC). This PKI issues certificates which can be used by C2C-CC members for testing and pilot operations based on the ETSI TS 103 097 v.1.3.1 security standard. This latest version of the security standard, a harmonization of IEEE 1609.2 and ETSI, helps reducing the effort for onboard unit (OBU) vendors and operators.
Registration process developed in conjunction with the BSI
Obtaining certificates from the new C2C-CC pilot PKI requires secure registration, based on a process that ESCRYPT developed together with the German Federal Office for Information Security (BSI). After an initial one-time registration of the end-entity manufacturer or operator, the V2X OBU is registered and subsequently enrolled with a long-term certificate and equipped with pseudonymous short-term certificates using the standardized ETSI TS 102 941 v1.3.1 protocol. By using this ETSI protocol, the pilot PKI issues a trust list (RCA-CTL) and a certificate revocation list (CRL). Both lists can be downloaded from a publicly available and standardized web interface provided by the PKI’s distribution center (DC).
The CRL is used only to revoke CA certificates of that PKI and will not list long-term and short-term OBU certificates. As a result, the vehicles need to periodically update their pool of pseudonymous certificates, each of which has a short validity of one week maximum. However, the pool can be filled with pseudonymous certificates for up to three months in advance. Taking the next step toward productive V2X communication, the OBU should be equipped if possible with a hardware security module (HSM) to handle all secret keys inside a security element. ESCRYPT supports the integration of OBUs into the PKI by providing various tools that help analyze the PKI protocol messages in detail, handle the initial registration of new OBUs, and create sample and test certificates.
Proven conformity and interoperability
With the new C2C-CC pilot PKI implementation, ESCRYPT meets the technical requirements as laid out in the European Certificate Policy (CP) release 1.1. It therefore handles all PKI secret keys in secure elements of smartcards and HSMs. The root CA private key is protected through technically restricted root key operations according to the four-eyes principle on a dedicated offline system without any network connection.
Interoperability with other European C-ITS pilot activities will be considered with the aim of adding the pilot PKI’s root certificate to the European Certificate Trust List (ECTL) as soon as the former becomes available. The conformity and interoperability of PKI implementation has been proven as part of the “ITS Cooperative Mobility Services Event 6”.
More information and access details are available here.
New pilot public key infrastructure for the CAR 2 CAR Communication Consortium