< < SU07 : SU08 : SU09 > >

SU08: Security and Credentials Management

This service package is used to ensure trusted communications between mobile devices and other mobile devices or roadside devices and protect data they handle from unauthorized access. The service package grants trust credentials to qualified mobile devices and infrastructure devices in the Connected Vehicle Environment so that those devices may be considered trusted by other devices that receive trust credentials from the SCM service package. The service package allows credentials to be requested and revoked and secures the exchange of trust credentials between parties, so that no other party can intercept and use those credentials illegitimately. The service package provides security to the transmissions between connected devices, ensuring authenticity and integrity of the transmissions. Additional security features include privacy protection, authorization and privilege class definition, as well as non-repudiation of origin.

Relevant Regions: Australia, Canada, European Union, and United States

Enterprise

Development Stage Roles and Relationships

Installation Stage Roles and Relationships

Operations Stage Roles and Relationships
(hide)

Source Destination Role/Relationship
Cooperative ITS Credentials Management System Manager Cooperative ITS Credentials Management System Manages
Cooperative ITS Credentials Management System Manager Credentials Management System Operator System Usage Agreement
Cooperative ITS Credentials Management System Owner Cooperative ITS Credentials Management System Owns
Cooperative ITS Credentials Management System Owner Cooperative ITS Credentials Management System Manager Operations Agreement
Cooperative ITS Credentials Management System Owner ITS Object Owner Security Credentials License and Usage Agreement
Cooperative ITS Credentials Management System Owner Other Credentials Management Systems Owner Information Exchange Agreement
Cooperative ITS Credentials Management System Supplier Cooperative ITS Credentials Management System Owner Warranty
Credentials Management System Operator Cooperative ITS Credentials Management System Operates
Identifier Registry Manager Identifier Registry Manages
Identifier Registry Owner Cooperative ITS Credentials Management System Owner Information Provision Agreement
Identifier Registry Owner Identifier Registry Owns
Identifier Registry Owner Identifier Registry Manager Operations Agreement
Identifier Registry Supplier Identifier Registry Owner Warranty
ITS Object Manager ITS Object Manages
ITS Object Owner Cooperative ITS Credentials Management System Owner Expectation of Information Provision
ITS Object Owner ITS Object Owns
ITS Object Owner ITS Object Manager Operations Agreement
ITS Object Supplier ITS Object Owner Warranty
Other Credentials Management Systems Manager Other Credentials Management Systems Manages
Other Credentials Management Systems Owner Cooperative ITS Credentials Management System Owner Information Exchange Agreement
Other Credentials Management Systems Owner Other Credentials Management Systems Owns
Other Credentials Management Systems Owner Other Credentials Management Systems Manager Operations Agreement
Other Credentials Management Systems Supplier Other Credentials Management Systems Owner Warranty

Maintenance Stage Roles and Relationships

Physical

The physical diagram can be viewed in SVG or PNG format and the current format is SVG.
SVG Diagram
PNG Diagram


Display Legend in SVG or PNG

Includes Physical Objects:

Physical Object Class Description
Cooperative ITS Credentials Management System Support The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials.
Credentials Management System Operator Support The 'Credentials Management System Operator' represents the person or people that monitor and manage the Cooperative ITS Credentials Management System. These personnel monitor and manage the secure distribution, use, and revocation of trust credentials.
Identifier Registry Support The 'Identifier Registry' maintains identifiers that must be unique to facilitate interoperability in the connected vehicle environment.
ITS Object ITS The general 'ITS Object' includes core capabilities common to any class of object.
Other Credentials Management Systems Support Representing another Cooperative ITS Credentials Management System (CCMS), 'Other Credentials Management Systems' is intended to provide a source and destination for information exchange between peer credentials management systems. It supports modeling of projects or regions that include multiple interconnected CCMS that manage credentials distribution and management in the connected vehicle environment.

Includes Functional Objects:

Functional Object Description Physical Object
CCMS Authorization 'CCMS Authorization' components provide authorization credentials (e.g., pseudonym certificates) to end entities. The end entity applies for and obtains authorization credentials, enabling the end entity to enter the "Operational" state. This function requires an interactive dialog, including at minimum a Certificate Request from the end entity desiring certificates. This request will be checked for validity, with the embedded enrollment certificate checked against an internal blacklist. If all checks are passed, this function will distribute a bundle of linked pseudonym certificates suitable for use by the requesting end entity, with the characteristics and usage rules of those certificates dependent on the operational policies of the CCMS. It also provides the secure provisioning of a given object's Decryption Key in response to an authorized request from that object. The retrieved Decryption Key will be used by the receiving object to decrypt the "next valid" batch within the set of previously retrieved Security Credential batches. Cooperative ITS Credentials Management System
CCMS Misbehavior Reporting and Action 'CCMS Misbehavior Reporting and Action' components process misbehavior reports from end entities. Misbehavior reports are analyzed and investigated if warranted. Investigated misbehavior reports are correlated with end entities and systemic issues are identified. If revocation is warranted, this component provides information to Authorization or Revocation components to initiate revocation and/or blacklisting, as appropriate. Cooperative ITS Credentials Management System
CCMS Provisioning 'CCMS Provisioning' components provide the end entity with material that allows it to enter the 'Unenrolled' state. This consists of root certificates and the crypto material that allows it to communicate securely with the Enrollment components. This function ensures the requesting entity meets requirements for provisioning and provides the certificates and relevant policy information to entities that meet the requirements. Cooperative ITS Credentials Management System
CCMS Revocation 'CCMS Revocation' components generate the internal blacklist and Certificate Revocation List (CRL) and distribute them to other CCMS components and end entities. Once placed on the CRL, an end entity is in the Unauthorized state. Once placed on the blacklist, an end entity is in the Unenrolled state. Cooperative ITS Credentials Management System
ITS Management Support 'ITS Management Support' provides management of the ITS Object. This includes management of regulatory information and policies, management of application processes, management of communication system configuration and update management, communications interfaces, protocol-specific techniques to ensure interoperability such as service advertisements, communications congestion management and interference management, local device states and communications information, billing management, fault management, service level and performance monitoring. ITS Object
ITS Security Support 'ITS Security Support' provides communications and system security functions to the ITS Object, including privacy protection functions. It may include firewall, intrusion management, authentication, authorization, profile management, identity management, cryptographic key management. It may include a hardware security module and security management information base. ITS Object

Includes Information Flows:

Information Flow Description
authorization coordination Sharing of pseudonym certificate policies and end entity enrollments and revocations to support authorization of end entities that are enrolled with another trusted CCMS.
credentials management operator input User input from the credentials management system operator including requests to monitor current system operation and inputs to affect system operation.
credentials management operator presentation Presentation of information to the credentials management system operator including current operational status of the credentials management system.
misbehavior analysis coordination Sharing of misbehavior policy, reports, and analysis results, including suspected and convicted end entities and other information that coordinates misbehavior detection, analysis, and resolution with another CCMS.
misbehavior report Notification of potential security issues encountered in processing messages, including message authentication or integrity failures, plausibility failures, or other issues appropriate to the CCMS' misbehavior policies.
revocation coordination Sharing of revocation policies, Certificate Revocation Lists (CRLs), and internal blacklists, and other information that supports revocation process coordination with another CCMS.
security credential revocations Certificate Revocation List; lists the certificates whose trust has been revoked by the CCMS.
security credentials The material used by an end-entity (vehicle, personal device, field device, center system etc.) to ensure privacy, integrity and authenticability of its data transmissions. This includes certificates with associated public and private verifying/signing and decrypting/encrypting keys.
security policy and networking information Security policy information describing the CCMS' enrollment, authorization, misbehavior and revocation policies, and communications information related to CCMS components; including contact information and public credentials of those components.
service identifiers Identifiers assigned to particular services, and the context necessary when and how to use these identifiers.

Goals and Objectives

Associated Planning Factors and Goals

Planning Factor Goal
C. Increase the security of the transportation system for motorized and nonmotorized users; Improve the security of the transportation system

Associated Objective Categories

Objective Category
Security: Crime
Security: Terrorism, Natural Disasters, and Hazardous Material Incidents

Associated Objectives and Performance Measures

Objective Performance Measure
Enhance tracking and monitoring of sensitive Hazmat shipments Number of Hazmat shipments tracked in real-time
Reduce exposure due to Hazmat & homeland security incidents Homeland security incident response time
Reduce exposure due to Hazmat & homeland security incidents Number of Hazmat incidents
Reduce exposure due to Hazmat & homeland security incidents Number of homeland security incidents
Reduce security risks to motorists and travelers Number of critical sites with security surveillance
Reduce security risks to motorists and travelers Number of security incidents on roadways
Reduce security risks to transit passengers and transit vehicle operators Number of security incidents at transit facilities
Reduce security risks to transit passengers and transit vehicle operators Number of security incidents on transit vehicles
Reduce security risks to transit passengers and transit vehicle operators Number of transit facilities and vehicles under security surveillance
Reduce security risks to transportation infrastructure Number of critical sites with hardened security enhancements
Reduce security risks to transportation infrastructure Number of critical sites with security surveillance
Reduce security risks to transportation infrastructure Number of security incidents on transportation infrastructure


 
Since the mapping between objectives and service packages is not always straight-forward and often situation-dependent, these mappings should only be used as a starting point. Users should do their own analysis to identify the best service packages for their region.

Needs and Requirements

Need Functional Object Requirement
01 The CCMS Operator needs to grant trust credentials to qualified end entities including mobile devices so that those devices may be considered trusted by other devices that receive trust credentials from the CCMS. CCMS Authorization 03 The Center shall verify information received in pseudonym requests.
04 The Center shall coordinate the distribution of credentials with other Centers.
06 The Center shall provide Vehicle pseudonymous credentials in response to valid Vehicle pseudonym requests.
07 The Center shall provide Personal Device pseudonymous credentials in response to valid Personal Device pseudonym requests.
08 The Center shall provide Center pseudonymous credentials in response to valid Center pseudonym requests.
09 The Center shall provide Connected Vehicle Roadside Equipment pseudonymous credentials in response to valid Connected Vehicle Roadside Equipment pseudonym requests.
CCMS Provisioning 01 The Center shall provide security and regulatory policy information to ITS Objects.
02 The Center shall provide its credentials information to ITS Objects.
03 The Center shall provide the operator with mechanisms for monitoring the status of all credential-granting activities without compromising any other requirement.
ITS Security Support 01 The ITS Object shall obtain security policy information from the Cooperative Intelligent Transportation System Credentials Management System (CCMS).
02 The ITS Object shall request enrollment credentials from the CCMS.
11 The ITS Object shall request pseudonymous credentials from the CCMS.
02 The CCMS Operator needs to be able to revoke the credentials it distributes, so that a misbehaving or malfunctioning device can be recognized as such. CCMS Misbehavior Reporting and Action 02 The Center shall analyze misbehavior reports.
03 The Center shall coordinate misbehavior analysis with other Centers.
CCMS Revocation 01 The Center shall place certificates on the revocation list of those certificates that are associated with misbehavior.
02 The Center shall provide to ITS Objects a list of credentials whose trust as been revoked.
ITS Security Support 08 The ITS Object shall obtain a list of revoked credentials from the CCMS.
03 The CCMS Operator needs to secure the exchange of trust credentials between itself and its intended user, so that no other party can intercept and use those credentials illegitimately. CCMS Provisioning 02 The Center shall provide its credentials information to ITS Objects.
ITS Security Support 03 The ITS Object shall obtain the CCMS' trust credentials.
06 The ITS Object shall provide a mechanism for on-board applications to encrypt messages using keys secured by the CCMS' trust authority.
07 The ITS Object shall provide a mechanism for on-board applications to decrypt messages using keys secured by the CCMS' trust authority.
10 The ITS Object shall maintain cryptographic secret information so that those secrets are accessible only to ITS Security Support, and not to any other Functional Object.
04 The CCMS Operator needs its systems to be constructed in such a way that the cooperation of at least two parties within the CCMS' structure are required to link the identity of a user with a set of trust credentials, to protect user privacy. CCMS Authorization 01 The Center shall generate credential identifiers using facilities that are independently owned and operated from one another.
02 The Center shall assign two or more non-unique identifiers, that when combined are unique, to each credential it distributes.
05 The CCMS Operator needs its systems to be constructed in such a way that the cooperation of at least two parties within the CCMS' structure are required to associate multiple credentials that were distributed to a user, to protect user privacy. CCMS Authorization 05 The Center shall store credential identifiers using facilities that are independently owned and operated from one another.
06 The CCMS Operator needs to accept misbehavior reports from users, so that malfunctioning and misbehaving users may be identified and their privileges within the CVE revoked if necessary. CCMS Misbehavior Reporting and Action 01 The Center shall accept misbehavior reports from ITS Objects.
ITS Security Support 12 The ITS Object shall provide messages (that it receives) that indicate potential misbehavior/malfunction to the CCMS.
07 ITS Object operators need to be able to authenticate messages received so that they can determine if the originator is a trusted source. ITS Security Support 04 The ITS Object shall provide a mechanism for on-board applications to digitally sign messages using keys secured by the CCMS' trust authority.
05 The ITS Object shall provide a mechanism for on-board applications to authenticate messages secured by the CCMS' trust authority.
09 The ITS Object shall make the list of revoked credentials available to on-board applications.
08 ITS Object operators need to be able to determine the privileges a message sender is entitled to so that they can determine if the originator's suggested action should be considered for action. ITS Security Support 04 The ITS Object shall provide a mechanism for on-board applications to digitally sign messages using keys secured by the CCMS' trust authority.
05 The ITS Object shall provide a mechanism for on-board applications to authenticate messages secured by the CCMS' trust authority.
09 The ITS Object shall make the list of revoked credentials available to on-board applications.
09 ITS Object operators need to be able to communicate with other users in such a way as to make it difficult to associate messages with one another, to help maintain user privacy. CCMS Authorization 06 The Center shall provide Vehicle pseudonymous credentials in response to valid Vehicle pseudonym requests.
ITS Security Support 06 The ITS Object shall provide a mechanism for on-board applications to encrypt messages using keys secured by the CCMS' trust authority.
07 The ITS Object shall provide a mechanism for on-board applications to decrypt messages using keys secured by the CCMS' trust authority.
10 ITS Object operators need to be able to exchange messages in a secure fashion, so that no other party can easily understand the contents of the message. CCMS Authorization 07 The Center shall provide Personal Device pseudonymous credentials in response to valid Personal Device pseudonym requests.
08 The Center shall provide Center pseudonymous credentials in response to valid Center pseudonym requests.
09 The Center shall provide Connected Vehicle Roadside Equipment pseudonymous credentials in response to valid Connected Vehicle Roadside Equipment pseudonym requests.
ITS Security Support 06 The ITS Object shall provide a mechanism for on-board applications to encrypt messages using keys secured by the CCMS' trust authority.
07 The ITS Object shall provide a mechanism for on-board applications to decrypt messages using keys secured by the CCMS' trust authority.
11 ITS Object operators need to be able to exchange messages within the regulatory bounds of the jurisdiction in which the ITS Object is operating. ITS Management Support 06 The ITS Object shall acquire regulatory information relevant to the operation of the ITS Object from the CCMS.

Related Sources

Document Name Version Publication Date
Core System Concept of Operations (ConOps) Final revE 10/24/2011
Harmonization Task Group #1 Service and Security Management to Support safety and sustainability applications: Current Status of Security Standards Draft 8/29/2012
Harmonization Task Group #6, HTG6-4 Cooperative-ITS Credential Management System Functional Analysis and Recommendations for Harmonization 2015-04-03 4/3/2015
Security Credential Management System Design Draft 4/13/2012
Security Credentials Distribution ConOps
Security Credentials Distribution System Requirements
Security Credentials Management Entity ConOps (CME Task 2 Report)


Security

In order to participate in this service package, each physical object should meet or exceed the following security levels.

Physical Object Security
Physical Object Confidentiality Integrity Availability Security Class
Cooperative ITS Credentials Management System High High High Class 5
Identifier Registry Low High Low Class 3
ITS Object High High High Class 5
Other Credentials Management Systems High High High Class 5



In order to participate in this service package, each information flow triple should meet or exceed the following security levels.

Information Flow Security
Source Destination Information Flow Confidentiality Integrity Availability
Basis Basis Basis
Cooperative ITS Credentials Management System Credentials Management System Operator credentials management operator presentation Not Applicable High High
System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Cooperative ITS Credentials Management System ITS Object security credential revocations Low High High
Revocations should be available to all entities in the C-ITS environment. There may be a point where a third party may learn something they shouldn't by observing this flow, but such a use case has not been defined to date. Thus, LOW. Revocations must be correct, or one of two potentially disastrous scenarios could occur: an entity with important information becomes untrusted and receivers ignore messages with high potential impact, or an untrustworty transmitter maintains its ability to be listened to, and receivers erroneously react to messages from what should be an untrustworthy source. It is unlikely that revocations will be sent more than a few times per day. However, when provided the information needs to be delivered, or the receiving party may trust entities that have been revoked and should not trust.
Cooperative ITS Credentials Management System ITS Object security credentials High High Moderate
Credentials need to be delivered to their intended target only. Interception and potential use by a third party compromises the C-ITS trust model. Credentials need to be correct and intact on delivery, or they will not be functional. Without functional credentials, the end entity cannot operate Credentials will be granted as needed but generally not in real-time; that is, an end entity will request credentials a significant time in advance of actually needing them. Thus, occasional downtime can be managed. For those entities accessing the Credentials Registry through wireless mediums only, the additional uncertainties provided by those mediums reinforce MODERATE availability.
Cooperative ITS Credentials Management System ITS Object security policy and networking information Low High High
Policy information is expected to be made generally available to all C-ITS devices. Likely no harm in observation by actors outside of ITS. Certificate policy for example is often openly published. Policy information must be correct, or end entities may make decisions that lead to them becoming untrusted, which if occuring over a wide scale, would cripple the C-ITS environment. Policy information distribution must occur prior to an end entity encountering a change in policy. For example, at border crossings.
Cooperative ITS Credentials Management System Other Credentials Management Systems authorization coordination High High High
Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Cooperative ITS Credentials Management System Other Credentials Management Systems misbehavior analysis coordination High High High
Coordination of misbehavior handling should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors related to misbehavior analysis and detection, and devise attacks to exploit that behavior. Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Cooperative ITS Credentials Management System Other Credentials Management Systems revocation coordination High High High
Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Credentials Management System Operator Cooperative ITS Credentials Management System credentials management operator input Not Applicable High High
System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Identifier Registry Cooperative ITS Credentials Management System service identifiers Low High Low
Likely openly published information. Identifiers are used with associated permissions to determine who/what can perform various activities. A compromise in this information would significantly compromise all of C-ITS that was affected. Identifiers are expected to be updated infrequently, thus requiring only intermittent connectivity to the CCMS.
ITS Object Cooperative ITS Credentials Management System misbehavior report Moderate Moderate Low
Misbehavior reports will contain some kind of identification, in many cases pseudonyms, but at some point in the life cycle linkable to a device and device owner. Even if a pseudonym is the reference, the contents of the report should not be openly readable as compromised could be used to further abuse the target, such as by spamming other (false) misbehavior reports, or simply not trusting that party when the actual trust anchor has made no such determination. Misbheavior reports provide the basic data for misbehavior analysis, the purpose of which is the removal of misbehaving or malfunctioning actors from the C-ITS environment. So naturally the misbehavior report must be correct. This is not HIGH because presumably, multiple reports must be received regarding the same actor in order to process a revocation. Successful revocation depends on receipt of accurate and timely misbehavior reports. Reports from center-based objects are more likely to be taken with greater weight, and due to the structure of the system, also likely to be less frequent. This makes center-based reports more dependent on availability, so center-based reports receive a MODERATE availability, while those from more frequent generating field sources (RSEs, OBEs, PIDs etc.) LOW availability.
Other Credentials Management Systems Cooperative ITS Credentials Management System authorization coordination High High High
Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Other Credentials Management Systems Cooperative ITS Credentials Management System misbehavior analysis coordination High High High
Coordination of misbehavior handling should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors related to misbehavior analysis and detection, and devise attacks to exploit that behavior. Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Other Credentials Management Systems Cooperative ITS Credentials Management System revocation coordination High High High
Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment. Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.

Standards

The following table lists the standards associated with physical objects in this service package. For standards related to interfaces, see the specific information flow triple pages.

Name Title Physical Object
FIPS 140-2 Security Requirements for Cryptographic Modules ITS Object
ISO 21217 Architecture Intelligent transport systems -- Communications access for land mobiles (CALM) -- Architecture ITS Object