For privacy-friendly message authentication, a scheme of changing pseudonym certificates (short: pseudonyms) has been proposed [140, 141] and is included in emerging standards [71, 108]. Outgoing V2X messages are signed with short-lived pseudonym certificates, which do not contain any information about their holder. Any incoming messages that do not bear a valid signature are discarded. To prevent tracking based on pseudonymous identifiers, pseudonyms are changed “every once in a while”.
A multitude of different pseudonym systems have been proposed  and we will cover them in more detail in the following chapters. In this section, we describe the pseudonym issuance process according to the basic pseudonym scheme due to the European CAR 2 CAR Communication Consortium . See Figure 2.2 for an overview.
A Root CA acts as a system-wide trust anchor and issues CA certificates to the Long-Term Certificate Authority (LTCA, sometimes also called Enrollment Authority) and the Pseudonym Certificate Authority (PCA, sometimes also called Authorization Authority). New vehicles are registered with the LTCA and receive a long-term certificate when joining the system. They obtain pseudonym certificates from the PCA after authenticating with their long-term certificate.
For each pseudonym the PCA issues, it stores the mapping to the corresponding long-term certificate in its mapping database. This mapping information is required if a participant is sending invalid or malicious messages and must be removed from the system. Based on any of his signed messages, his corresponding long-term certificate can be resolved and added to a certificate revocation list (CRL), thus preventing him to obtain any more pseudonym certificates. In contrast to the pseudonym scheme that will likely be used for U.S. deployments , the basic pseudonym scheme does not foresee revocation of pseudonym certificates. This delays the effectiveness of a vehicle’s revocation until all of its pseudonyms have expired. Identification of misbehaving participants, misbehavior detection, is described by Bifimeyer . It is a research area on its own and not in the scope of this work.
Privacy-friendly pseudonym issuance can be implemented by a separation of responsibilities between the LTCA and the PCA: When requesting pseudonyms, the vehicle encrypts its long-term certificate with the LTCA’s public key. The PCA, unable to check the certificate itself, forwards it to the LTCA for validation, which only reports back authentication success or failure. Neither of the parties learns the mapping between the long-term certificate and the pseudonyms issued. If resolution is required, they can jointly determine the mapping by decrypting the long-term certificate which is stored in the mapping database in encrypted
Figure 2.2 The basic pseudonym scheme : A vehicle V obtains pseudonym certificates after authentication with his long-term certificate. The root CA acts as a system-wide trust anchor. Privacy protection can be implemented by separation of responsibilities between the LTCA and the PCA.
form. Note, that the protection is based on an organizational control only and is void if both parties are compromised.
Pseudonyms can be obtained via a cellular connection to the back-end systems, via road-side units (RSUs), or can be pre-loaded during maintenance. We present an alternative, more privacy-friendly protocol for pseudonym issuance in Chapter 4.