System model and scenario
We assume an inter-vehicular communication system with the following entities.
- 1. Participating vehicles Vi equipped with a V2X on-board unit (OBU), which use pseudonym certificates to sign their outgoing messages. The OBUs contain a trusted component (TC) to store secret keys and perform security-sensitive operations, e.g., the “Evita HSM Full Version”.
- 2. Prior to its deployment, each vehicle is registered with the Long-Term Certificate Authority (LTCA), which keeps track of all participants.
- 3. When a vehicle’s pool of pseudonyms is depleted, it requests new pseudonyms from the Pseudonym Certificate Authority (PCA), e.g., through a cellular connection or via road-side units.
- 4. The Revocation Authority (RA) receives reports about misbehaving vehicles and may revoke their permission to participate in the system.
The interactions within the system can be split into different phases, which we will refer to later on. The phases are an adaptation of the “abstract pseudonym lifecycle” by Petit et al. Figure 4.1 gives an overview of the entities’ interactions.
Figure 4.1 Interactions in our system model: Vi is registered with the LTCA, which issues a long-term credential (a). Vi requests new pseudonym certificates from the PCA (b), which may rely on the LTCA to validate the vehicle’s authentication (c). Vi uses the pseudonyms to secure its communication with other participants (d). Any observed misbehavior is reported to the RA (e), which may decide to revoke the reported vehicle (f).
Initialization Global system setup; this phase is only executed once when the V2X system is established.
Vehicle setup Add a new vehicle to the system and provide it with a long-term authentication token (a).
Pseudonym issuance Vehicles obtain pseudonyms from the PCA after authenticating with their long-term authentication token (b). The PCA may rely on the LTCA to validate the authentication (c).
Pseudonym use Vehicles communicate with each other over ad-hoc radio and use the pseudonym certificates to sign their messages (d). We also call this phase the communication phase.
Pseudonym change In order to prevent long-term tracking, vehicles change their active pseudonym certificate every once in a while (cf. Chapter 3).
(Pseudonym) revocation When a vehicle is detected to send invalid messages, its credentials (both pseudonyms and long-term) must be revoked in order to prevent further disruption of the network’s operation (f). This includes the reporting of observed misbehavior to the RA by other vehicles (e).
We use the following terminology: revocation refers to the (forced) removal of a misbehaving participant from the system, whereas invalidation of a credential can be triggered either by misbehavior or by a user’s request to leave the system.
We omit the pseudonym resolution phase, which is included in Petit et al.’s original pseudonym lifecycle, because our privacy requirements explicitly forbid resolution of pseudonyms.
We assume that a misbehavior detection mechanism is in place that allows vehicles to detect messages with implausible or invalid content (cf. Bißmeyer). Furthermore, we assume the availability of a geocast mechanism, e.g., the one proposed by the CONVERGE project.
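The phases above, (a) to (f), as an added example in Go; it is not part of this thesis and does not reproduce any of the cited systems. It assumes Ed25519 signatures from the Go standard library, certificates reduced to a public key plus the issuer's signature over that key, a vehicle-side pool in which a pseudonym change simply means signing with a different entry, and an RA that publishes revoked pseudonym IDs which every receiver checks. Invalidation of the long-term credential at the LTCA is modeled as a separate step, and the link from a reported pseudonym back to the long-term credential is deliberately absent, since the model forbids pseudonym resolution. All type and function names and the sample payload are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Cert binds a public key to an issuer signature over it (LTCA: long-term credential, PCA: pseudonym).
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte
}
func (c Cert) ID() string { return hex.EncodeToString(c.Pub) }
// keypair drops the error: GenerateKey only fails when rand.Reader does.
func keypair() (pub ed25519.PublicKey, priv ed25519.PrivateKey) { pub, priv, _ = ed25519.GenerateKey(rand.Reader); return }
// LTCA registers vehicles (a) and validates long-term authentication for the PCA (c).
type LTCA struct {
	pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	registered map[string]bool // long-term cert ID -> currently valid
}
func NewLTCA() *LTCA { pub, priv := keypair(); return &LTCA{pub, priv, map[string]bool{}} }
func (l *LTCA) Register(pub ed25519.PublicKey) Cert { // vehicle setup
	c := Cert{pub, ed25519.Sign(l.priv, pub)}
	l.registered[c.ID()] = true
	return c
}
// Validate: did we issue lt, is it still valid, and did its holder sign msg?
func (l *LTCA) Validate(lt Cert, msg, sig []byte) bool {
	return l.registered[lt.ID()] && ed25519.Verify(l.pub, lt.Pub, lt.Sig) && ed25519.Verify(lt.Pub, msg, sig)
}
// Invalidate drops a long-term credential (revocation, or the user leaving the system).
func (l *LTCA) Invalidate(id string) { delete(l.registered, id) }

// PCA issues pseudonym certificates (b) only after the LTCA accepts the request.
type PCA struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	ltca *LTCA
}
func NewPCA(l *LTCA) *PCA { pub, priv := keypair(); return &PCA{pub, priv, l} }
// Issue certifies a pseudonym key; the request is that key signed with the long-term key.
func (p *PCA) Issue(lt Cert, pseudPub ed25519.PublicKey, sig []byte) (Cert, error) {
	if !p.ltca.Validate(lt, pseudPub, sig) {
		return Cert{}, errors.New("PCA: long-term authentication rejected by LTCA")
	}
	return Cert{pseudPub, ed25519.Sign(p.priv, pseudPub)}, nil
}

// RA collects misbehavior reports (e) and publishes revoked pseudonym IDs (f); without
// pseudonym resolution it can only act on the pseudonym that was reported.
type RA struct{ revoked map[string]bool }
func NewRA() *RA                    { return &RA{map[string]bool{}} }
func (r *RA) Report(pseudonym Cert) { r.revoked[pseudonym.ID()] = true }

// Message is what a vehicle broadcasts in the communication phase (d).
type Message struct {
	Payload   []byte
	Pseudonym Cert
	Sig       []byte
}
// Pseudonym is one entry of the vehicle's pool; the private key stays in the TC.
type Pseudonym struct {
	priv ed25519.PrivateKey
	Cert Cert
}
// RequestPseudonym is the vehicle side of issuance: generate the key in the TC, have the PCA certify it.
func RequestPseudonym(p *PCA, lt Cert, ltPriv ed25519.PrivateKey) (Pseudonym, error) {
	pub, priv := keypair()
	c, err := p.Issue(lt, pub, ed25519.Sign(ltPriv, pub))
	return Pseudonym{priv, c}, err
}
// Send signs payload with this pseudonym; a pseudonym change is simply signing with another one.
func (ps Pseudonym) Send(payload []byte) Message {
	return Message{payload, ps.Cert, ed25519.Sign(ps.priv, payload)}
}
// Receive is the check every OBU runs on an incoming message.
func Receive(p *PCA, r *RA, m Message) error {
	switch {
	case !ed25519.Verify(p.pub, m.Pseudonym.Pub, m.Pseudonym.Sig):
		return errors.New("pseudonym not issued by PCA")
	case r.revoked[m.Pseudonym.ID()]:
		return errors.New("pseudonym revoked")
	case !ed25519.Verify(m.Pseudonym.Pub, m.Payload, m.Sig):
		return errors.New("message signature invalid")
	}
	return nil
}
func main() {
	ltca, ra := NewLTCA(), NewRA()
	pca := NewPCA(ltca)
	vpub, vpriv := keypair()                                   // vehicle's long-term key, generated in its TC
	ps, _ := RequestPseudonym(pca, ltca.Register(vpub), vpriv) // (a), then (b)/(c)
	fmt.Println(Receive(pca, ra, ps.Send([]byte("CAM: speed=50")))) // constructed payload; prints <nil>
}
```

One caveat this toy makes visible: the PCA sees both the long-term credential it forwards to the LTCA and the pseudonym keys it certifies, so it alone could link every pseudonym to the vehicle. Splitting LTCA and PCA only buys privacy if neither party sees both sides of that mapping, which the example does not attempt; likewise the RA here can revoke only the reported pseudonym, while the text requires the long-term credential to go as well, and bridging that gap without pseudonym resolution is exactly what the rest of the chapter has to solve.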