
Page 1: 2005 RSA Conference: Safe at Any Speed

Safe at Any Speed: Dedicated Short Range Communications (DSRC) and On-road Safety and Security

William Whyte, NTRU Cryptosystems. Tuesday, February 15th, 2005

Page 2: 2005 RSA Conference: Safe at Any Speed

Aim

• Give an overview of Intelligent Transport Systems (ITS) standards as they affect personal safety and security

• Discuss the specific communications security requirements of 5.9 GHz Dedicated Short Range Communications (DSRC)

Page 3: 2005 RSA Conference: Safe at Any Speed

Overview

• Why DSRC?

• Spectrum and Physical Configuration

• Wireless Stack Architecture

• Applications

• Communications Security Issues

• Deployment Schedule

Page 4: 2005 RSA Conference: Safe at Any Speed

Why DSRC?

Page 5: 2005 RSA Conference: Safe at Any Speed

Overview

• 2.8 trillion vehicle miles traveled in 2001

• Nearly 43,000 deaths per year from automobile accidents

– 1.59 per 100 million vehicle miles traveled

• 3 million people injured

• Automobile accidents cost $230B

• ITS America has established a vision for zero fatalities

Page 6: 2005 RSA Conference: Safe at Any Speed

ITS America

• National Intelligent Transportation Systems Program Plan has an aim of a reduction of transportation-related fatalities by 10-15% by 2011, saving 5,000-7,000 lives a year

– For example, reductions of 15-40% in on-ramp metering accidents

• Save 20 billion per year by enhancing throughput and reducing congestion

• Save 1 billion gallons of gasoline per year

• Single payment medium for national and regional travel

– Currently fragmented, three incompatible RF tolling mechanisms in place

Page 7: 2005 RSA Conference: Safe at Any Speed

Accident Statistics

• Run Off Road - 30% of all fatalities

• Intersections - 50% of all crashes

• Pedestrian/Bicycle - 14% of fatalities

• Speed - involved in 30% of all crashes

• Human Factors - drivers a causal factor for at least 80% of all crashes

• Toll Plazas significant source of accidents

– Accidents five times more likely in the tenth of a mile near a tollbooth than in the same space on an open road

– Due to looking for change, merging, unexpected pedestrian traffic…

Page 8: 2005 RSA Conference: Safe at Any Speed

National ITS Program Plan (2)

• Safety-related applications and products

– information products

– diagnostic/prognostic products

– driver assistance products

– active safety products.

• Advanced Crash Avoidance technologies:

– Mustn’t interfere with driver’s attention

– Must address manufacturer’s proprietary concerns

– Must behave consistently

Page 9: 2005 RSA Conference: Safe at Any Speed

Achievements to date:

• Traffic Management Centers have been created in two-thirds of the 75 largest metropolitan areas.

• Traffic signals and ramp meters have been tuned to improve traffic flow and safety.

• Travel information is more readily available to the public to assist in their travel planning and decision-making.

• Electronic toll collection has been installed on 70% of existing toll road mileage and over ten million toll tags have been issued in North America. Non-toll electronic payment applications have begun to appear.

• Thirty states have begun using transponders and roadside computers to screen safe and compliant commercial vehicles past weigh stations and other roadside facilities at up to mainline speeds

– Nearly 7,000 motor carrier fleets participate in these programs.

Page 10: 2005 RSA Conference: Safe at Any Speed

Why DSRC?

• Next step is to reduce driver error by improving driver information

• Enable vehicle-to-vehicle and vehicle-to-infrastructure communication using wireless transponders built to a single standard

• This is primarily to be used for safety applications, but will provide sufficient bandwidth to allow private applications

– Tolling

– Traffic information

– Commercial

• Spectrum already allocated for this use

Page 11: 2005 RSA Conference: Safe at Any Speed

Spectrum and Physical Configuration

Page 12: 2005 RSA Conference: Safe at Any Speed

Existing Spectrum allocation

• Public safety:

– 25-50 MHz, 138-144 and 148-174 MHz, 220-222 MHz, 406-420 and 450-470 MHz, 806-824 and 851-869 MHz for voice communications

– 90 MHz at 4.9 GHz for data communications

– 764-776 MHz and 794-806 MHz will be available once TV broadcasters complete transition to DTV (12/31/06)

• Tolling

– 902-928 MHz already approved

• 5.9 GHz DSRC Spectrum

– First to be FCC-approved for both public safety and private use

• Prioritization issues, to be discussed later

– Japan, Europe have approved spectrum at 5.8 GHz for similar uses

Page 13: 2005 RSA Conference: Safe at Any Speed

Radio Taxonomy

• OBU – On Board Unit

– PSOBU – Public Safety On Board Unit

– OBUs are mobile, unlicensed users of spectrum (under FCC)

• RSU – RoadSide Unit

– Stationary units

• Allowed to move from site to site, but must be stationary to operate

– Licensed by site (under FCC)

– Allowed to provide channel management to OBUs in their communications zone

Page 14: 2005 RSA Conference: Safe at Any Speed

Enormous shift in mindset

• Previously, the tag was the application

– Tolling tag enables tolling

– GPS receiver enables Neverlost

– Reflected in language – people talk about “900 MHz applications”

• Now the OBU is the network access point for many applications

– Completely different security model

Page 15: 2005 RSA Conference: Safe at Any Speed

RSU - Roadside Unit; OBU - Onboard Unit; EV - Emergency Vehicle; EIRP - Effective Isotropic Radiated Power; CSMA - Carrier Sense Multiple Access

5.9 GHz DSRC TECHNOLOGY CHARACTERISTICS

• Approach: Active

• Bandwidth: 75 MHz (5.850 - 5.925 GHz)

• Modulation: QPSK OFDM (with 16QAM and 64QAM options) (BPSK preamble)

• Channels: 7 - 10 MHz channels (optional combinations of 10 and 20 MHz channels)

• Data Rate: 6, 9, 12, 18, 24, and 27 Mbps with 10 MHz Channels (3 Mbps preamble)(or 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with 20 MHz Channel option) (6 Mbps preamble)

• Max Tx Pwr: 28.8 dBm (at the antenna input)

• RSU EIRP: Nominal 0 - 33 dBm (1 mW - 2 W) / Max. 44.8 dBm (30 W)

• OBU EIRP: Nominal 0 - 20 dBm (1 - 100 mW) / Max. 44.8 dBm (30 W)

• RSU and OBU Sensitivity: - 82 dBm (QPSK) / - 65 dBm (64QAM)

• C/I: 4 - 6 dB (for QPSK @ 10^-4 BER coded) / 16 - 17 dB (for 64QAM @ 10^-4 BER coded)

• Band Sharing Strategy - Frequency Coordination. Selection of alternate channels for adjacent zones. Use CSMA to prevent interference between users in the channel.

• Typical Successful Transmission rate: 50-60%

Page 16: 2005 RSA Conference: Safe at Any Speed

[Figure: DSRC Performance Envelopes (approximate). X axis: Range (ft), 0 to 3600; Y axis: Data Rate (Mbps), 0 to 54. Plotted: the 902 - 928 MHz Band Performance Envelope (about 0.5 Mbps) and the 5850 - 5925 MHz Band Performance Envelope, with service regions labelled Emergency Vehicle Services, Safety Message Services, Data Transfer and Internet Access Services, and Toll and Payment Services.]

Page 17: 2005 RSA Conference: Safe at Any Speed

Application Taxonomy (DSRC style)

• Vehicle safety

• Public safety

– Operated by emergency vehicles and other vehicles accredited by a government agency

– Usually, but not exclusively, emergency response

• Other

– Tolling

– CVO fleet management

Page 18: 2005 RSA Conference: Safe at Any Speed

Application Taxonomy (FCC style)

• Public safety

– Anything that impacts the safety of the public

• Includes public safety and vehicle safety

• Also Tolling

– See above

• Other applications

• Distinction is significant because public safety applications can broadcast at higher power

Page 19: 2005 RSA Conference: Safe at Any Speed

5.9 DSRC Standardization

• IEEE

– P802.11p – MAC and PHY

– P1556 – security services

– P1609 – networking stack

• ASTM E2213-03 – MAC and PHY

• Related:

– NTCIP – message sets and protocols for intelligent transport systems

– SAE – message sets for ITS

– IEEE 1512 – message sets for incident management (coordinates with SAE)

Page 20: 2005 RSA Conference: Safe at Any Speed

Very Complicated!

• NTCIP Transportation Management Protocol - AASHTO 1103, AASHTO, 1103, No update, www.ntcip.org/order/

• NTCIP - CORBA Naming Convention Specification - AASHTO 1104, AASHTO, 1104, No update, www.ntcip.org/order/

• NTCIP - CORBA Security Service Specification - AASHTO 1105, AASHTO, 1105, No update, www.ntcip.org/order/

• NTCIP - CORBA Near-Real Time Data Service Specification - AASHTO 1106, AASHTO, 1106, No update, www.ntcip.org/order/

• NTCIP - Objects for Signal System Masters - AASHTO 1210, AASHTO, 1210, No update, www.ntcip.org/order/

• NTCIP Objects for Network Camera Operation, AASHTO, 1212, No update, www.ntcip.org/order/

• NTCIP - Electrical and Lighting Mgmt System Interoperability & Intercommunications Std - AASHTO 1213, AASHTO, 1213, No update, www.ntcip.org/order/

• NTCIP - Weather Report Message Set for ESS - AASHTO 1301, AASHTO, 1301, No update, www.ntcip.org/order/

• Generic Reference Model for C2C Communications, AASHTO, 1602, No update, www.ntcip.org/order/

• NTCIP - Application Profile for Common Object Request Broker Architecture (CORBA) - AASHTO 2305, AASHTO, 2305, No update, www.ntcip.org/order/

• NTCIP Application Profile for XML C2C Communications, AASHTO, 2306, No update, www.ntcip.org/order/

• NTCIP Structure and Identification of Management Information - NTCIP 8004, AASHTO, 8004, No update, www.ntcip.org/order/

• NTCIP Testing and Conformity Assessment Documentation within NTCIP Standards Publications, AASHTO, 8007, No update, www.ntcip.org/order/

• NTCIP XML in ITS Center-to-Center Communications, AASHTO, 9010, No update, www.ntcip.org/order/

• NTCIP Testing Guide for Users,AASHTO, 9012, No update, www.ntcip.org/order/

• NTCIP SEP for Communications Profile, AASHTO, 901X, No update, www.ntcip.org/order/

• TCIP Dialogs, APTA, TBD, No update, www.ntcip.org/order/

• Standard Specifications for Metadata Content for ITS-Generated Data - ASTM E-17.54.02.1, ASTM, E17.54.02.1, No update, www.astm.org

• Standard Specifications for Archiving ITS-Related Traffic Monitoring Data -ASTM E-17.54.02.2, ASTM, E17.54.02.2, No update, www.astm.org

• Standard for Common Traffic Incident Management Message Sets for Use in Entities External to Centers - IEEE 1512.4, IEEE, 1512.4, No update, www.ieee.org

• Standard for Dedicated Short Range Communications (DSRC) Resource Manager - IEEE 1609.1, IEEE, 1609.1, No update, www.ieee.org

• Standard for Dedicated Short Range Communications (DSRC) Application Layer - IEEE 1609-2, IEEE, 1609.2, No update, www.ieee.org

• Standard for IP Interface for Dedicated Short Range Communications (DSRC) - IEEE 1609.3, IEEE, 1609.3, No update, www.ieee.org

• Standard for Dedicated Short Range Communications (DSRC) Channelization -IEEE 1609.4, IEEE, 1609.4, No update, www.ieee.org

• Standard for Security and Privacy of Vehicle/Roadside Communication Including Smart Card Comm. - IEEE P1556, IEEE, P1556, No update, www.ieee.org

• Application Programming Interface (API) Standard for the Advanced Transportation Controller (ATC) - ITE 9603-1, ITE, 9603-1, No update, www.ite.org

• Standard for Data Dictionary and Message Sets for Dedicated Short Range Communications (DSRC) - SAE J2xxx, SAE, J2xxx, No update, www.sae.org

Page 21: 2005 RSA Conference: Safe at Any Speed

Our focus: the network stack

• Need to manage channel switching

– Control channel + service channels

• High-priority messages and management messages on control channel

– Safety messages

• Application data exchanged on safety channel

– Back to control channel every so often

• … and issues arising from that.

Page 22: 2005 RSA Conference: Safe at Any Speed

Wireless Stack Architecture

Page 23: 2005 RSA Conference: Safe at Any Speed

Wireless Networking Stack

[Figure: Wireless Networking Stack. Layers from the bottom: PHY, MAC, LLC, IP, TCP / UDP, Applications. Beside the IP path sits a WSM (WAVE Short Message) path used by Safety Apps, including Repetitive WSM; Other Apps run over TCP / UDP.]

Page 24: 2005 RSA Conference: Safe at Any Speed

[Figure: Core DSRC Standards Structure. Layer 1, Physical Layer (PHY): IEEE 802.11a. Layer 2, Medium Access Control (MAC): IEEE 802.11. Layers 1 and 2a together: ASTM E2313-02, ISO 21215. Layer 2b, Logical Link Layer (LLC): IEEE 802.2 (note 1: only a subset of IEEE 802.2 functions are required to support Layer 3). Layers 3 – 7, Application and Network Layers: IEEE 1609.3 (streamlined ISO 21210) and IETF standards. Application Layer / Layers 3-7: IEEE 1455; Resource Manager: IEEE 1455; Application Manager: IEEE 1609.1. Safety Applications: SAE; Other Applications. Upper Layer Manager: ASTM ZZZZ; Lower Layer Manager: ASTM YYYY. 5.9 GHz North American Architecture Specification: ASTM ????-A; 5.9 GHz Test Procedure Specification: ASTM ????-T. Layers connect through SAPs (SAP 1 and SAP 2 for Network Services); the figure separates data flow from management flow and marks each standard as established (referenced or used as necessary), to be modified or completed, or to be written.]

Page 25: 2005 RSA Conference: Safe at Any Speed

What makes the solution complex?

• Communications points are moving at high speed

• Must operate as master/slave when talking to roadside, peer-to-peer directly

• Must acquire in milliseconds

• Must change channels in microseconds

• Must control power dynamically to decrease interference

• Must always get the most important message through first

• Must have bulletproof security

• Must preserve anonymity for end users

Page 26: 2005 RSA Conference: Safe at Any Speed

Radio

• The final selection between the Motorola entry and the OFDM forum entry was made by the ASTM E17.51 DSRC Standards Writing Group on August 24, 2001. THE WINNER was the OFDM forum entry.

• The writing group selection was confirmed by letter ballot vote of the Larger ASTM E17.51 subcommittee in October 2001.

• The ASTM DSRC STD E2313-02 was approved on 5/10/02, underwent validation and verification testing, and was reissued with slight modifications in 2003 as ASTM DSRC STD E2313-03

– Now forming the basis of IEEE 802.11p, whose PAR was recently moved.

Page 27: 2005 RSA Conference: Safe at Any Speed

Applications

Page 28: 2005 RSA Conference: Safe at Any Speed

DSRC APPLICATIONS: PUBLIC SAFETY and PRIVATE

• APPROACHING EMERGENCY VEHICLE (WARNING) ASSISTANT (3)

• EMERGENCY VEHICLE SIGNAL PREEMPTION

• ROAD CONDITION WARNING

• LOW BRIDGE WARNING

• WORK ZONE WARNING

• IMMINENT COLLISION WARNING (D)

• CURVE SPEED ASSISTANCE [ROLLOVER WARNING] (1)

• INFRASTRUCTURE BASED – STOP LIGHT ASSISTANT (2)

• INTERSECTION COLLISION WARNING/AVOIDANCE (4)

• HIGHWAY/RAIL [RAILROAD] COLLISION AVOIDANCE (10)

• COOPERATIVE COLLISION WARNING [V-V] (5)

• GREEN LIGHT - OPTIMAL SPEED ADVISORY (8)

• COOPERATIVE VEHICLE SYSTEM – PLATOONING (9)

• COOPERATIVE ADAPTIVE CRUISE CONTROL [ACC] (11)

• VEHICLE BASED PROBE DATA COLLECTION (B)

• INFRASTRUCTURE BASED PROBE DATA COLLECTION

• INFRASTRUCTURE BASED TRAFFIC MANAGEMENT – [DATA COLLECTED from] PROBES (7)

• TOLL COLLECTION

• TRAFFIC INFORMATION (C)

• TRANSIT VEHICLE DATA TRANSFER (gate)

• TRANSIT VEHICLE SIGNAL PRIORITY

• EMERGENCY VEHICLE VIDEO RELAY

• MAINLINE SCREENING

• BORDER CLEARANCE

• ON-BOARD SAFETY DATA TRANSFER

• VEHICLE SAFETY INSPECTION

• DRIVER’S DAILY LOG

• ACCESS CONTROL

• DRIVE-THRU PAYMENT

• PARKING LOT PAYMENT

• DATA TRANSFER / INFO FUELING (A)

– ATIS DATA

– DIAGNOSTIC DATA

– REPAIR-SERVICE RECORD

– VEHICLE COMPUTER PROGRAM UPDATES

– MAP and MUSIC DATA UPDATES

– VIDEO UPLOADS

• DATA TRANSFER / CVO / TRUCK STOP

• ENHANCED ROUTE PLANNING and GUIDANCE (6)

• RENTAL CAR PROCESSING

• UNIQUE CVO FLEET MANAGEMENT

• DATA TRANSFER / TRANSIT VEHICLE (yard)

• TRANSIT VEHICLE REFUELING MANAGEMENT

• LOCOMOTIVE FUEL MONITORING

• DATA TRANSFER / LOCOMOTIVE

(The original slide arranges these in two columns labelled PUBLIC SAFETY and PRIVATE.)

Legend: ATIS - Advanced Traveler Information Systems; CVO - Commercial Vehicle Operations; EV - Emergency Vehicles; IDB - ITS Data Bus; THRU – Through; V-V – Vehicle to Vehicle; (#) – Applications Submitted by GM/Ford/Chrysler; (A-Z) – Applications Submitted by Daimler-Chrysler

Page 29: 2005 RSA Conference: Safe at Any Speed

[Figure: Typical intersection with traffic signals (green and red). Collision animation follows.]

Page 30: 2005 RSA Conference: Safe at Any Speed

EMERGENCY VEHICLE APPROACH WARNING

5.9 GHz DSRC VEHICLE TO VEHICLE APPLICATION

[Figure (not to scale): an emergency vehicle at an intersection with traffic signals, with other vehicles in front of, behind, left of and right of it; the Emergency Vehicle Approach Warning Communication Zone extends up to 1000 m (3281 ft); OBUs are on the Control Ch; warnings appear on In-Vehicle Displays and Annunciations. Animation follows.]

Note 1: The Emergency OBU transmits a warning to ALERT other vehicles that it is coming.

Page 31: 2005 RSA Conference: Safe at Any Speed

EMERGENCY VEHICLE SIGNAL PREEMPTION

5.9 GHz DSRC ROADSIDE TO VEHICLE APPLICATION

[Figure (not to scale): an RSU on a horizontal support located in the center of the intersection, with traffic signals; an emergency vehicle approaches from up to 1000 m (3281 ft); OBU on Intersection Ch; RSU on Intersection Ch.]

Note 1: OBU transmitting the Emergency Vehicle Signal Preemption Request on the Intersection Ch.

Page 32: 2005 RSA Conference: Safe at Any Speed

VEHICLE BASED / INFRASTRUCTURE ASSISTED COLLISION AVOIDANCE w/ STOP LIGHT ASSISTANT

[Figure: The Central Intersection Communications Subsystem. An Intersection Radio with up to 825 ft range, housed with the Intersection Collision Avoidance System Equipment Cabinet, communicates by radio with the Mobile Radio in each vehicle; traffic signals (green and red).]

Page 33: 2005 RSA Conference: Safe at Any Speed

INFRASTRUCTURE ASSISTED COLLISION AVOIDANCE

[Figure (not to scale; animation): Straight Crossing Path (SCP) scenario. Vehicle A is NOT stopping; Vehicle B is the car being warned; each is 334 ft from the intersection at 35 mph. A Radar System provides Radar Tracking, the Intersection Radio communicates with the vehicles' Mobile Radios, and warnings are delivered through a Dynamic Message Sign (DMS), vehicle brake lights, and in-vehicle STOP / COLLISION LEFT / COLLISION RIGHT alerts; traffic signals green and red.]

Page 34: 2005 RSA Conference: Safe at Any Speed

INFRASTRUCTURE ASSISTED COLLISION AVOIDANCE

[Figure: same diagram as Page 33.]

Page 35: 2005 RSA Conference: Safe at Any Speed

LOW BRIDGE WARNING and ROLL OVER WARNING

Roadside to Vehicle Application

[Figure (not to scale): a gantry measures the tractor-trailer, which receives link identification from the OBU on the Control Ch; an RSU located on a tower transmits bridge clearance or a warning on the Control Ch; an RSU located in the warning sign at the curve sends rollover parameters on the Control Channel; the tractor-trailer can pull over, or exit, if it is over the height limit for the bridge.]

The tractor trailer receives curve parameters from the RSU in the rollover warning sign. The on-board computer calculates the proper speed for this vehicle’s loading and warns the driver if a rollover is indicated.

Application submitted by Carl W. Compton, KANSAS TURNPIKE AUTHORITY

Page 36: 2005 RSA Conference: Safe at Any Speed

TOLL COLLECTION (Open Road) in service channel

The Toll Collection RSU operates on a Service Channel and is located on the gantry above the lanes.

[Figure (not to scale): RSU antennas on the gantry with a 30 m (98 ft) capture zone (Micro Zone); RSU on Channel 174 serving an OBU on Channel 174 slot A and an OBU on Channel 174 slot B; upstream, an RSU on the Control Channel broadcasts the Toll Zone Announcement to OBUs on the Control Channel.]

Note 1: OBUs approaching the toll zone are instructed to switch to a service channel in order to conduct the transaction.

Note 2: Users are allowed to proceed at highway normal speeds while the toll is paid.

Note 3: Implementers use Time Division to isolate vehicle communications and angle of signal arrival to locate vehicle.

Page 37: 2005 RSA Conference: Safe at Any Speed

TOLL COLLECTION (Lane Based) on the Service channels

RSUs are located on the gantry above the center of each lane.

[Figure (not to scale): 5.9 GHz DSRC roadside equipment. RSU antennas on the gantry, one capture zone (Pico Zone) per lane; an RSU on Channel 180 with an OBU on Channel 180, an RSU on Channel 182 with an OBU on Service Channel 182; an RSU on Control Channel 178 broadcasting the Toll Zone Announcement; traffic signals and a concrete median.]

Page 38: 2005 RSA Conference: Safe at Any Speed

Two different types of application

• Broadcast

– Safety messages

– Preempt use by other applications

• Transactional

– Tolling

– CVO

– Typically Client-Server Architecture

– Advertised by RSUs, consumed by OBUs

Page 39: 2005 RSA Conference: Safe at Any Speed

PSTs

• RSUs broadcast Provider Service Tables (PSTs) listing the services they provide and the channels they are provided on

• OBUs decide whether or not to consume that service, and switch to the channel if so

– Send back a response setting up a link.

• PST size limited by MTU size, so typically a given RSU will support relatively few distinct applications

• Wave Router Advertisement (WRA) gives channel switch timing

[Figure: example services advertised in a PST: Restaurant, Maps, Traffic Info, Tolling.]

Page 40: 2005 RSA Conference: Safe at Any Speed

Communications Security Issues

Page 41: 2005 RSA Conference: Safe at Any Speed

Security Issues Overview

• Anonymity

• Authentication

– Need to ensure that fake messages can’t be inserted into the system

• Non-public-safety vehicles issuing signal prioritization requests

• Non-toll plazas requesting your tolling information

• Eavesdropping

– Don’t want competitors obtaining CVO data

• Of these, anonymity is the most difficult to address

• First, survey threats

Page 42: 2005 RSA Conference: Safe at Any Speed

Four Classes of Attacker

• Class 1: Attackers with a programmable radio transmitter

• Class 2: Attackers with an unmodified DSRC unit

• Class 3: Attackers with a modified DSRC unit and who have the keying materials

• Class 4: “Inside” attackers with access to manufacturers and OEM records

Page 43: 2005 RSA Conference: Safe at Any Speed

Example Attacks

• Class 1 Attacks

– Replay/tunneling of legitimate messages

• Class 2 Attacks

– Change of location

– Indicator mismatch

• Class 3 Attacks

– Generate any desired message

• Class 4 Attacks

– Key extraction

Page 44: 2005 RSA Conference: Safe at Any Speed

Out of scope threats

• Physical denial of service

• Radio jamming

• Attacks on the GPS infrastructure

• Software-based compromise of units

• Misconfiguration

Page 45: 2005 RSA Conference: Safe at Any Speed

Threat mitigation

• Authenticate messages

– Targets of messages are “all vehicles on the road”, so need public-key signatures

• Encrypt confidential data

• Messages must be as short as possible and transactions as fast as possible

– Long messages result in packet loss

• Current proposal: for broadcast, high-priority messages (public/vehicle safety) a new compact certificate format and a public key algorithm with particularly short keys

Page 46: 2005 RSA Conference: Safe at Any Speed

Trust Model

• Trust model varies application to application:

– For vehicle safety the operator is untrusted – applications need to be isolated from them.

– For public safety the operator is trusted

– For e-Commerce, trust model is the same as desktop trust model

• Although if I borrow your car I may be able to buy gas on your dime

– For CVO, drivers are not necessarily trusted to give accurate information

• This needs to be enforced at the OS level

Page 47: 2005 RSA Conference: Safe at Any Speed

Anonymity

• Potential abuses of vehicle tracking systems are rife

– Stalkers

– Terrorists

– Law Enforcement Tracking

– Automatically issued speeding tickets

– Rental car agencies issuing fines for going out of state

• But tracking is also sometimes useful

– Sometimes law enforcement have a need to track you

– Tolling agencies can charge per mile travelled if they know how many miles

Page 48: 2005 RSA Conference: Safe at Any Speed

Anonymity Requirements

• The privacy principles of ITS America include an “Anonymity Principle” that states: “Where practicable, individuals should have the ability to utilize Intelligent Transportation Systems on an anonymous basis.”

• Important in principle

– Also, people who are concerned about tracking might disable their radio, impacting the safety and other benefits.

– Need to reassure people that Big Brother isn’t in the passenger seat.

Page 49: 2005 RSA Conference: Safe at Any Speed

Anonymity in Practice

• Need to protect against:

– Wireless-only attacker who links transmission to vehicle

– Attacker who links multiple transmissions to vehicle, and then links vehicle to a single transmission by (eg) physical observation – tracking.

• Need to ensure that:

– It’s difficult for an attacker with off-the-shelf equipment to build a tracking system

– It’s difficult for you to be tracked by an unknown party

• Users can opt in to services in the course of which they may be subject to tracking, but should not be tracked otherwise

• So:

– Remove identifying marks, as much as possible, from broadcast messages

– Encrypt transactional messages

Page 50: 2005 RSA Conference: Safe at Any Speed

Identifying marks

• MAC addresses

• IP addresses

• If messages are signed, certificates

Page 51: 2005 RSA Conference: Safe at Any Speed

Anonymous Certificates

• Broadcast messages from an OBU – must be authenticated

• Otherwise, attacker with radio could simply generate fake brake light messages and foul up traffic

– must not be traceable to a specific OBU

• Many techniques to do this

– Group signatures

– Issue an OBU with a large number of certificates, which it works through at random

• Currently preferred approach

• 10,000 certificates allows a new certificate every five minutes for a month!

– Actual rollover algorithm will be more complicated

• Each certificate contains a unique identifier, but no distinguishing information

– Must be compatible with revocation

• Can use unknown salt to increase work factor associated with revocation

• Cost should be comparable to installing a camera at a large number of intersections.

Page 52: 2005 RSA Conference: Safe at Any Speed

IP Addresses

• Long-lived IP addresses can in theory be used as a tracking token

• In practice, system is not designed for handoff of IP sessions from one RSU to another

– so long-lived IP sessions happen when you’re stationary

– Less of a risk from tracking

• All devices on IVN will change IP address when the OBU moves from one RSU communication zone to another

Page 53: 2005 RSA Conference: Safe at Any Speed

Private MACs: Random MACs

• Generate a random MAC

– Out of the local address space

– Collision probability insignificant with small groups

• 46 random bits

• How many cars can fit in 300 meters?

• When to change MAC

– At startup?

• Allows tracking for individual trips

• Not really acceptable

– Track me from point A to point B

– Real-life traffic analysis!

– When the signing key changes

• On the order of every 5-10 minutes

• Close monitoring can follow transitions

– But you can do that with signing keys anyway
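As an added illustration (not code from the deck), the following Python shows how an OBU can draw a locally administered MAC from 46 random bits, how small the collision risk is for the number of cars that fit in a 300 m zone (the per-lane spacing is our assumption), and how to tie the MAC change to the signing-key rollover the slide prefers:

```python
import math
import secrets

# Added example, not from the deck: random locally administered MACs for an OBU,
# plus the collision arithmetic behind "46 random bits" and "how many cars fit in 300 m".

RANDOM_BITS = 46  # 48-bit address minus the I/G (multicast) and U/L (local) flag bits


def random_local_mac(token_bytes=secrets.token_bytes) -> bytes:
    """Draw 46 random bits and force the address into the locally administered,
    unicast space: clear the I/G bit and set the U/L bit in the first octet."""
    raw = bytearray(token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return bytes(raw)


def is_local_unicast(mac: bytes) -> bool:
    """True if the address is unicast and locally administered (what an OBU should emit)."""
    return len(mac) == 6 and (mac[0] & 0x01) == 0 and (mac[0] & 0x02) == 0x02


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def collision_probability(n_addresses: int, random_bits: int = RANDOM_BITS) -> float:
    """Exact birthday probability that at least two of n independently drawn random
    addresses coincide; computed in log space so tiny values are not lost to rounding."""
    space = 2 ** random_bits
    log_no_collision = sum(math.log1p(-k / space) for k in range(n_addresses))
    return -math.expm1(log_no_collision)


def vehicles_in_zone(zone_length_m: int = 300, lanes: int = 4, spacing_m: int = 6) -> int:
    """Rough capacity of one communications zone. Assumption (ours, not the deck's):
    one vehicle every 6 m per lane, i.e. bumper-to-bumper traffic on four lanes."""
    return (zone_length_m // spacing_m) * lanes


def mac_after_rollover(prev_cert_id: bytes, new_cert_id: bytes, prev_mac: bytes) -> bytes:
    """Re-draw the MAC exactly when the signing certificate changes, so the link-layer
    address and the certificate cannot be cross-linked across the rollover."""
    return prev_mac if new_cert_id == prev_cert_id else random_local_mac()


if __name__ == "__main__":
    mac = random_local_mac()
    n = vehicles_in_zone()
    print(f"OBU MAC {format_mac(mac)} local/unicast={is_local_unicast(mac)}")
    print(f"{n} vehicles in zone -> P(collision) = {collision_probability(n):.2e}")
```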

Page 54: 2005 RSA Conference: Safe at Any Speed

Where will certs come from?

• Current plans:

• OBUs will be provisioned by manufacturer

– USDoT will be responsible for root cert

– Anonymous OBU certs will be signed by a pool of certs held by all manufacturers to ensure they don’t give away car make

• RSUs, Public Safety vehicles will be given certificates conforming to existing administrative hierarchies

– USDoT → State DoT → Local emergency services/public works departments → individual units

– The intermediate certificates may be distributed by separate service messages to reduce the size of time-critical messages

Page 55: 2005 RSA Conference: Safe at Any Speed

Revocation

• Safety Application certificates for OBUs:

– Revocation makes system work more smoothly but is not essential

– All certificates for a given vehicle have identifiers derived from a single secret

– To revoke, recover and distribute the secret

– Must be distributed to all vehicles on road; requires infrastructure

• Public Safety Applications:

– Potential audience for public safety messages is all vehicles

• Geographically limited, but could be limited to an area as large as a state

– Rather than distributing revocation information to all vehicles when a police car is stolen:

• Issue short-lived certificates to public safety vehicles for use in on-road operations

– Stolen vehicle only valid for one day (say)

• Issue long-lived certs which are used to apply for operations certs

– Revoke this if vehicle stolen; audience for revocation information is now CAs (small group, online), not private vehicles (large group, offline)
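The certificate pool of Page 51 and the secret-derived revocation of Page 55, as an added Python example that is not from the deck or from any standard; HMAC-SHA256 identifiers, an 8-byte identifier width and a fixed five-minute rollover are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example: a vehicle's anonymous certificate pool whose identifiers all derive
# from one secret, the random rollover between them, and revocation by distributing
# that secret. HMAC-SHA256, the identifier width and the rollover period are assumed.

POOL_SIZE = 10_000           # the deck's figure: a new certificate every five minutes for a month
ROLLOVER_SECONDS = 5 * 60    # simplified; the deck notes the real rollover algorithm is more complex
ID_BYTES = 8                 # assumed compact identifier width


def derive_cert_ids(vehicle_secret: bytes, pool_size: int = POOL_SIZE) -> list[bytes]:
    """Identifier i = HMAC(secret, i). Without the secret the values look unrelated;
    with it, all of them can be regenerated, which is what makes revocation cheap."""
    return [hmac.new(vehicle_secret, i.to_bytes(4, "big"), hashlib.sha256).digest()[:ID_BYTES]
            for i in range(pool_size)]


def pool_lifetime_days(pool_size: int = POOL_SIZE, rollover_s: int = ROLLOVER_SECONDS) -> float:
    """How long a pool lasts if a fresh certificate is taken every rollover period."""
    return pool_size * rollover_s / 86_400


class ObuCertPool:
    """Sending OBU: holds its identifiers and picks one at random every ROLLOVER_SECONDS."""

    def __init__(self, vehicle_secret: bytes, rng=None):
        self.ids = derive_cert_ids(vehicle_secret)
        self.rng = rng if rng is not None else secrets.SystemRandom()
        self.current = None
        self.current_since = None

    def current_cert_id(self, now: float) -> bytes:
        if self.current is None or now - self.current_since >= ROLLOVER_SECONDS:
            self.current = self.rng.choice(self.ids)
            self.current_since = now
        return self.current


class Verifier:
    """Receiving unit: expands each distributed vehicle secret into its identifiers
    and rejects any message signed under one of them."""

    def __init__(self):
        self.revoked: set[bytes] = set()

    def process_revocation(self, revoked_secret: bytes) -> int:
        """Add every identifier of the revoked vehicle; returns how many were new."""
        before = len(self.revoked)
        self.revoked.update(derive_cert_ids(revoked_secret))
        return len(self.revoked) - before

    def accept(self, cert_id: bytes) -> bool:
        return cert_id not in self.revoked


if __name__ == "__main__":
    bad_secret, good_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    bad, good = ObuCertPool(bad_secret), ObuCertPool(good_secret)
    v = Verifier()
    print("before revocation:", v.accept(bad.current_cert_id(0)), v.accept(good.current_cert_id(0)))
    print("ids revoked:", v.process_revocation(bad_secret))
    print("after revocation:", v.accept(bad.current_cert_id(600)), v.accept(good.current_cert_id(600)))
    print(f"pool lasts about {pool_lifetime_days():.1f} days")
```

The verifier's cost is one HMAC per revoked certificate, paid once per distributed secret, which is the trade the slide describes: cheap for OBU safety certificates, but still needing a channel to reach every vehicle on the road.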

Page 56: 2005 RSA Conference: Safe at Any Speed

Timetable

Page 57: 2005 RSA Conference: Safe at Any Speed

Timetable to deployment

• 2004-2006

– Finish/test/rework standards

– Finish prototype program and test prototypes

– Design realistic antennas

– Develop certification procedures

• 2006-2008

– Larger scale tests and resulting reworks

– Productization of design

• 2008

– Deployment decision

Page 58: 2005 RSA Conference: Safe at Any Speed

Deployment

• 2009-2014: Equip 400,000 intersections with DSRC transmitters.

• 2008: Decision to deploy in vehicles

– Usual process: 3-year design cycle, deployment starts in high-end vehicles and works down

• Both these could be accelerated in this case

• Perhaps 57 million out of 250-300 million US vehicles equipped in 2015.

Page 59: 2005 RSA Conference: Safe at Any Speed

Questions?