Identities for vehicle-to-everything - V2X PKI
Nexus' solution for protecting vehicle-to-everything (V2X, Car2X) communication with PKI certificates is high-performing, compliant with common standards and proven in large-scale applications.
V2X communication includes road safety applications, for example by warning the driver about collisions, lane change and speed limits, better road utilization and saved fuel costs by platooning, as well as emerging autonomous driving use cases. These use cases involves the passing of information between vehicles as well as between vehicles and other entities, such as road infrastructure, road safety applications or pedestrian devices.
Why secure V2X with PKI?
Security is an essential part of the V2X ecosystem in order to function safely and securely. Potential threats include privacy breach by monitoring of individuals and personal data and cyberterrorism by faking or hiding vehicles or traffic signals, which can lead to traffic jam or accidents. To avoid those threats, authenticity of the communicated data as well as privacy of the driver, must be ensured.
Public key infrastructure (PKI) is the perfect fit for securing V2X communication. Based on trusted identities and digital signatures, the integrity of each message and the authorization of its sender can be guaranteed while preserving privacy. PKI is prescribed by the V2X standards, such as IEEE, 5GAA, and ETSI, and independent of communication technology, that is, C-V2X or DSRC.
With PKI, authenticity is ensured by digitally signing every message. Privacy is upheld by the specific V2X setup of two different CAs and short-lived, so called pseudonym certificates that are frequently changed, which means that no unique information about the vehicle or driver is sent over the network.
How does it work?
RA - Registration Authority
Knows and controls the vehicle identity
Functions like an Enrollment Authority (EA)
PCA - Pseudonym Certificate Authority
Does not know the vehicle identity
Functions like an Authorization Authority (AA)
V2X messages carry data that enables the receiving devices to display relevant information to their users or even take intelligent decisions by themselves.
To ensure authenticity and privacy, the following procedure is used:
Each V2X vehicle or device is provisioned with a unique longterm ID. For vehicles, this is known as vehicle ID. For more information, see PKI for vehicle ID.
The vehicle requests short-lived communication certificates from the Registration Authority (RA), and authenticates with the vehicle ID. In turn, the RA requests certificates from the Pseudonym Certificate Authority (PCA).
A number of short-lived certificates are issued to the vehicle. These certificates are pseudonym certificates, which means that they do not contain any personal data or vehicle ID. They only prove the authorization of the vehicle to send V2X messages and are therefore also called 'authorization tickets'. The vehicle sets one of the pseudonym certificates to be active and frequently changes the active certificate through rotation.
When a V2X message is sent to or from a vehicle, the active certificate or 'authorization ticket' is used for authorization. V2X messages include Cooperative Awareness Message (CAM) or Decentralized Environmental Notification Message (DENM).
Periodically, the vehicle requests new shortterm certificates from the RA.
Nexus' V2X PKI solution
Features
Nexus' V2X PKI solution is based on Smart ID Certificate Manager, which has the following features:
High performance
Guaranteed high performance with a proven capacity to issue 10,000 certificates per second
Offered as a service, with guaranteed SLA and capacity as you grow
Support for butterfly cryptography for the sake of high performance and low network load
Compliance
The solution fulfills automotive requirements by compliance with US and European standards, such as the following:
US standard IEEE 1609.2 for digital certificates and CRL formats and interfaces
EU standard ETSI TS 103 097 for digital certificates and CRL formats
EU standard ETSI TS 102 941 for V2X root CA, online PKI solution, certificate request and response messages
Protecting drivers' privacy
Prevents unauthorized access to the backend services, by authenticating vehicles at certificate enrollment
Protects drivers’ privacy in compliance with requirements, such as C-ITS
Supports GDPR removal of information that could link to identified vehicle
Proven security
Quality-assured, high-security, Common Criteria EAL 4+ certified CA software
Nexus has solid PKI expertise since > 20 years and numerous large-scale references
Nexus’ data center and organization comply with ISO 27001
Nexus’ organization comply with the VDA ISA requirements in TISAX (Trusted Information Security Assessment Exchange), the information security standard for the automotive industry
Support for HSM-based CA keys
Mature, future-safe, highly reliable, continuously tested and maintained software
Scalable platform
Highly scalable horizontally by adding service nodes.
Multi-CA and multi-tenancy enabled platform helps you adapt the PKI hierarchy, administration and reporting to your needs.
Common Criteria certified PKI platformSmart ID Certificate Manager (CM) and Nexus OCSP Responder have been certified in compliance with Common Criteria EAL4+. For more information, see Common Criteria certification. |