Skip to main content
Skip table of contents

Identities for vehicle-to-everything - V2X PKI

Nexus' solution for protecting vehicle-to-everything (V2X, Car2X) communication with PKI certificates is high-performing, compliant with common standards and proven in large-scale applications. 

V2X communication includes road safety applications, for example by warning the driver about collisions, lane change and speed limits, better road utilization and saved fuel costs by platooning, as well as emerging autonomous driving use cases. These use cases involves the passing of information between vehicles as well as between vehicles and other entities, such as road infrastructure, road safety applications or pedestrian devices. 

Why secure V2X with PKI?

Security is an essential part of the V2X ecosystem in order to function safely and securely. Potential threats include privacy breach by monitoring of individuals and personal data and cyberterrorism by faking or hiding vehicles or traffic signals, which can lead to traffic jam or accidents. To avoid those threats, authenticity of the communicated data as well as privacy of the driver, must be ensured.

Public key infrastructure (PKI) is the perfect fit for securing V2X communication. Based on trusted identities and digital signatures, the integrity of each message and the authorization of its sender can be guaranteed while preserving privacy. PKI is prescribed by the V2X standards, such as IEEE, 5GAA, and ETSI, and independent of communication technology, that is, C-V2X or DSRC.

With PKI, authenticity is ensured by digitally signing every message. Privacy is upheld by the specific V2X setup of two different CAs and short-lived, so called pseudonym certificates that are frequently changed, which means that no unique information about the vehicle or driver is sent over the network.

How does it work?

RA - Registration Authority

  • Knows and controls the vehicle identity

  • Functions like an Enrollment Authority (EA)

PCA - Pseudonym Certificate Authority 

  • Does not know the vehicle identity

  • Functions like an Authorization Authority (AA)

V2X messages carry data that enables the receiving devices to display relevant information to their users or even take intelligent decisions by themselves. 

To ensure authenticity and privacy, the following procedure is used: 

  1. Each V2X vehicle or device is provisioned with a unique longterm ID. For vehicles, this is known as vehicle ID. For more information, see PKI for vehicle ID.

  2. The vehicle requests short-lived communication certificates from the Registration Authority (RA), and authenticates with the vehicle ID. In turn, the RA requests certificates from the Pseudonym Certificate Authority (PCA)

  3. A number of short-lived certificates are issued to the vehicle. These certificates are pseudonym certificates, which means that they do not contain any personal data or vehicle ID. They only prove the authorization of the vehicle to send V2X messages and are therefore also called 'authorization tickets'.​ The vehicle sets one of the pseudonym certificates to be active and frequently changes the active certificate through rotation. 

  4. When a V2X message is sent to or from a vehicle, the active certificate or 'authorization ticket' is used for authorization. V2X messages include Cooperative Awareness Message (CAM) or Decentralized Environmental Notification Message (DENM).

  5. Periodically, the vehicle requests new shortterm certificates from the RA. 

Nexus' V2X PKI solution

Features

Nexus' V2X PKI solution is based on Smart ID Certificate Manager, which has the following features: 

High performance

  • Guaranteed high performance with a proven capacity to issue 10,000 certificates per second

  • Offered as a service, with guaranteed SLA and capacity as you grow 

  • Support for butterfly cryptography for the sake of high performance and low network load 

Compliance

The solution fulfills automotive requirements by compliance with US and European standards, such as the following:  

  • US standard IEEE 1609.2 for digital certificates and CRL formats and interfaces

  • EU standard ETSI TS 103 097 for digital certificates and CRL formats

  • EU standard ETSI TS 102 941 for V2X root CA, online PKI solution, certificate request and response messages

Protecting drivers' privacy

  • Prevents unauthorized access to the backend services, by authenticating vehicles at certificate enrollment

  • Protects drivers’ privacy in compliance with requirements, such as C-ITS 

  • Supports GDPR removal of information that could link to identified vehicle

Proven security

  • Quality-assured, high-security, Common Criteria EAL 4+ certified CA software

  • Nexus has solid PKI expertise since > 20 years and numerous large-scale references 

  • Nexus’ data center and organization comply with ISO 27001

  • Nexus’ organization comply with the VDA ISA requirements in TISAX (Trusted Information Security Assessment Exchange), the information security standard for the automotive industry

  • Support for HSM-based CA keys

  • Mature, future-safe, highly reliable, continuously tested and maintained software

Scalable platform

  • Highly scalable horizontally by adding service nodes.

  • Multi-CA and multi-tenancy enabled platform helps you adapt the PKI hierarchy, administration and reporting to your needs. 

Common Criteria certified PKI platform

Smart ID Certificate Manager (CM) and Nexus OCSP Responder have been certified in compliance with Common Criteria EAL4+.

For more information, see Common Criteria certification


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.