Module 67 - CSE 201

Module CSE 201: Introduction to Security Credential Management System (SCMS) Part 2 of 2

HTML of the PowerPoint Presentation

(Note: This document has been converted from a PowerPoint presentation to 508-compliant HTML. The formatting has been adjusted for 508 compliance, but all the original text content is included, plus additional text descriptions for the images, photos and/or diagrams have been provided below.)

Slide 1:

A graphic with the word "Welcome" in large letters. ITS Training Standards "WELCOME" slide, with reference to the U.S. Department of Transportation Office of Assistant Secretary for Research and Technology

 

Slide 2:

A graphic with the word "Welcome", photo of Kenneth Leonard, Director ITS Joint Program Office - Ken.Leonard@dot.gov, and a screenshot of the ITS JPO website - www.pcb.its.dot.gov

 

Slide 3:

Module CSE201:

Introduction to Security Credential Management System (SCMS) Part 2 of 2

flowchart, described in detail below.

The title slide shows a graphic that provides an overview of the security credentials management system (SCMS) as defined in IEEE 1609.2.1. The figure shows a black cloud at the top labeled SCMS manager with two black boxes labeled "Policy" and "Management & Operations". Underneath the cloud is another black box labeled "Root Management Function" with three black boxes contained within it, labeled "Elector A", "Elector B", and "Elector C" and an ellipses. The Root Management Function box is connected via a "trust hierarchy" arrow to a green "Root CA" box. The Root CA box connects via a trust hierarchy arrow to a red "Misbehavior Authority" box on the right. The Root CA is also connected via a trust hierarchy arrow directed downward to an green "Intermediate CA" box. The Intermediate CA box is also connected via trust hierarchy arrows to an green "Authorization CA" box located immediately below it, to a green "Registration Authority" box located below the Authorization CA box, and to a green "Enrollment CA" box located off to the left. The Root, Intermediate, and Authorization CAs each have associated green "CRL Signer" boxes attached to and behind them. The red Misbehavior Authority box has SCMS communication arrows leading to the three CRL Signer boxes associated with the three CAs. It is also has bi-directional SCMS communication arrows connecting it to boxes representing the Registration Authority, the Authorization CA, and two green boxes labeled "Linkage Authority" 1 and 2. The Linkage Authority boxes are connected to the Registration Authority box via bi-directional SCMS communication arrows. The Registration Authority Box also has bi-directional SCMS communication arrows connecting it with the Authorization CA, and boxes representing the Enrollment CA and a green "Supplementary Authorization Server". The Enrollment CA also has a bi-directional SCMS communication arrow to a "Device Configuration Manager" box. Near the bottom of the diagram is a box depicting a car labeled "OBU" for on-board unit, a signal head labeled "RSU" for roadside unit, and a wireless handheld device labeled "ASD" for after-market safety device. This box is connected with bi-directional physical interface arrows to the Device Configuration Manager and Supplemental Authorization Server. It is also connected with a bi-directional physical interface arrow to the Registration Authority via a Location Obscurer Proxy. It also is designated as a receiver of a physical interface arrow via a Location Obscurer Proxy and from a "Distribution Center" box that receives SCMS communication from a box labeled "Certs, CRLs, and CTLs". The OBU/RSU/ASD box also has a logical interface arrow directly to the Enrollment CA and another to the Misbehavior Authority via the Registration Authority. Finally, the OBU/RSU/ASD box is a receiver of a logical interface arrow from the Authorization CA. The black boxes represent "Geo Domain Central" entities; the red box represents a "App Domain Central" entity, while the green boxes represent "non-central" entities.

Image source: IEEE P1609.2.1

 

Slide 4:

Instructors

Dr. William Whyte

Dr. William Whyte

Senior Director, Technical Standards

Qualcomm Technologies, Inc.

 

Dr. Virendra Kumar

Dr. Virendra Kumar

Senior Staff Engineer, Technical Standards

Qualcomm Technologies, Inc.

 

Slide 5:

Learning Objectives-Part 2 of 2

 

Slide 6:

Recap of Learning Objectives 1-3

Image of a list, described in detail below.

Text contained in the image:

  • IEEE 1609.2 specifies security services cryptography and data validation services that can be used to protect data in transit
  • In the 1609.2 system, a receiver knows a sender is trusted to send a message (or command) of a particular type because the sender has a certificate that says they are entitled to do so and the 1609.2 processing cryptographically links the certificate to the message to show that only that certificate holder could have generated that message
  • The SCMS is in charge of issuing certificates to actors in the system. Its primary responsibility is to make sure that certificates are issued to actors who are entitled to them by carrying out checks that
    • The actor was entitled to the certificate in the first place
    • The actor has not become malicious, untrustworthy, or otherwise unreliable since the certificate was issued
  • The SCMS and the 1609.2 certificate system is designed to preserve privacy from eavesdroppers in the field and from insiders at the SCMS
  • Major challenges in SCMS deployment include
    • Enrolling devices establishing that they are entitled to certificates, especially for specialized applications
    • Keeping devices provisioned with certificates this requires regular access to the Internet
    • Understanding which devices should have their certificates withdrawn (revocation)
  • It is recommended that deployers work with an SCMS service provider rather than trying to run SCMS Services themselves

The list item that reads "Enrolling devices establishing that they are entitled to certificates, especially for specialized applications" is highlighted in gray to represent learning objective 4, and the items "Keeping devices provisioned with certificates this requires regular access to the Internet" and "Understanding which devices should have their certificates withdrawn (revocation)" are highlighted in purple to represent learning objective 5.

 

Slide 7:

Learning Objective 4

 

Slide 8:

Security Requirements for Devices

“Supplement” grpahic indicating items or information that are further explained/detailed in the Student Supplement

 

Slide 9:

Baseline Security Requirements

figure of three architectures, described in detail below

This slide contains a figure of three architectures.

  • At the top, the "Integrated architecture" is shown as a box labeled "Shared Processor (Host Processor and HSM)". HSM stands for Hardware Security Module. Inside of the box are two smaller boxes, labeled "Privileged Applications" and "Cryptographic Operations".
  • In the middle of the figure, the "Connected architecture" is shown as two primary boxes. The first is labeled "Host Processor" and it contains a smaller box labeled "Privileged Applications". The Host Processor box is connected to the second primary box with a thick gray line. The second primary box is labeled HSM and contains a smaller box labeled "Cryptographic operations". The Host Processor has a network connection.
  • At the bottom of the figure, the "Networked architecture" is shown. This includes three primary boxes connected to each other via a network. The first box is labeled "Host Processor" and contains a smaller box labeled "Privileged Applications". The second primary box is labeled "Other processor". The third primary box is labeled HSM and contains a smaller box labeled "Cryptographic operations".

 

Slide 10:

Baselines Security Requirements (2)

graphic image of a person interacting with a smartphone, which is displaying a sign-in screen with fields for username and password

“Supplement” grpahic indicating items or information that are further explained/detailed in the Student Supplement

 

Slide 11:

Baseline Security Requirements (3)

Graphic of a hooded person fishing with a fishing pole at the bottom of an over-large smartphone. The fishing line enters the center of the smartphone screen as if it were a pool of water. An open lock is displayed where the fishing line comes into contact with the smartphone screen.

 

Slide 12:

Security Certification via OmniAir

the registered OmniAir Consortium logo

 

Slide 13:

Special Permissions

Bar chart showing monthly and total visitors for the first quarter 2014 for sites 1 to 3, described in detail below.
This slide depicts a connected police car interacting with a connected car. The police car is displaying a certificate that has been issued by a certification authority. Boxes on the diagram indicate that the certificate authority issues certificates based on a policy, proof of ownership, certification lab reports, and perhaps other materials (depicted as an ellipsis).

 

Slide 14:

Additional Functionality via New Software

This slide depicts a connected traffic signal interacting with a connected car. The police car is displaying a certificate that has been issued by a certification authority. Boxes on the diagram indicate that the certificate authority issues certificates based on a policy, proof of ownership, certification lab reports, and perhaps other materials (depicted as an ellipses).

 

Slide 15:

Activity Placeholder: This slide has the word "Activity" in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 16:

Question 4

Which of these is required for a device to be secure enough to run V2X applications?

Answer Choices

  1. The device requires a user to log in before it will send any V2X messages.
  2. The device requires user permission for updates.
  3. The device supports virtualization.
  4. The device protects its keys with a hardware security module.

 

Slide 17:

Review of Answers

red and yellow X icon representing incorrecta) The device requires a user to log in before it will send any V2X messages.
Incorrect. Many types of devices, such as standard on-board units in cars, are expected to start broadcasting without requiring the user to log in.

red and yellow X icon representing incorrectb) The device requires user permission for updates.
Incorrect. Updates must be secured, meaning that they must be authenticated as coming from a trusted source, but they do not need the user’s explicit permission. It is a courtesy to inform the user that an update is taking place, but user permission is not required so long as the device can ensure that the update is taking place under safe conditions.

red and yellow X icon representing incorrectc) The device supports virtualization
Incorrect. Virtualization can improve security by sandboxing different applications, preventing one application from interfering with another’s operations, but it is not a requirement - especially for devices like standard on-board units that only send one type of message.

green and yellow check mark icon representing correctd) The device protects its keys with a hardware security module.
Correct! If the keys are not protected with a hardware security module, an attacker who gets access to the device can potentially obtain a copy of the keys and use them to forge messages.

 

Slide 18:

Learning Objective 5

 

Slide 19:

SCMS Design: SCMS In ARC-IT

SCMS services are fully described in ARC-IT and their deployment can be planned using the same tools that are used to plan the deployment of other Connected Vehicle services.

Bar chart showing monthly and total visitors for the first quarter 2014 for sites 1 to 3, described in detail below.
This slide shows the diagram from the Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT) for the SU08 service package entitled "Security and Credentials Management" from May 9, 2019. The figure shows a box for each physical object on the diagram, which includes the Credentials Management System Operator, the Cooperative ITS Credentials Management System, Other Credentials Management Systems, the Identifier Registry, and an ITS Object. The diagram also shows the information flows that must be exchanged between each of the physical objects shown to realize this service package.

 

Slide 20:

Security Management Operating Concept

This slide shows the cover page of the USDOT report FHWA-JPO-16-300 for the "Connected Vehicle Pilot Deployment Program Phase 1: Security Management Operating Concept – New York City", dated May 18, 2016.

 

Slide 21:

Security Management Operating Concept

flowchart, described in detail below.
In the upper left is a rounded rectangle that is labeled "Analyze information flows". Two arrows lead from this rectangle. One leads to a rounded rectangle labeled "Communications security mechanisms", which then has an arrow leading to a rounded box labeled "1609.2 profiles" which then has an arrow leading to a rounded text box with the label "Certificate issuance policy." The other arrow from the "Analyze information flows" rectangle leads to a rounded rectangle labeled with "Device security requirements", which then has a leading arrow to the same "Certificate issuance policy" identified above. Finally, the "Certificate issuance policy" rectangle has an arrow that leads to a rectangle with square corners labeled "SCMS Provider."

 

Slide 22:

This slide contains a graphic with the word "Case Study" in large letters. A placeholder graphic of a traffic control center indicating that a real-world case study follows.

 

Slide 23:

Case Studies

 

Slide 24:

Lessons Learned

 

Slide 25:

Lessons Learned Continued

 

Slide 26:

Other Lessons Learned

  1. Ensure certificate top-off is robust against losing connectivity mid-top-off
    • Protocols are meant to give robustness, but implementations need to be tested
  2. Ensure certificate top-off succeeds even if a device has not successfully topped off for some time
    • If certificate lifetime is a week and devices top-off up to 2 weeks in advance, make sure that a device that has been out of contact for a month can connect
  3. Ensure that repeated requests for a certificate for a particular time period cause only a single certificate to be generated, not one certificate per request
    • Provides protection against "sybil attacks"
  4. Test enrollment certificate expiry and rollover

 

Slide 27:

Other Lessons Learned

  1. Test that certificate management software works across expiry of an ACA certificate or an ECA certificate
    • Both for devices that get certs from that ACA/ECA, and for devices that trust them.
  2. Ensure that new CA certificates can be distributed in a timely way
    • If there is a new ACA, ensure that trust of the new ACA certificate does not act as a gatekeeper for access to certificate updates.
    • For example, in one case, network connectivity was provided by RSUs that started to use a certificate from a new ACA to advertise that connectivity: OBUs that did not already have the new ACA certificate could not trust the advertisement, and so could not connect to update the ACA certificate.
  3. Ensure there is a good way to get feedback to SCMS Manager and other governance bodies

 

Slide 28:

Misbehavior Reporting and CRL Download

 

Slide 29:

SCMS Design: Misbehavior Management - open questions

 

Slide 30:

Traffic on the Infrastructure Owners and Operators (IOO) Network

Network Connectivity Architecture interconnnectivity diagram, described in detail below.
In the middle-right of the diagram is a grey rectangle labeled "OBU ASD" that represents an onboard unit or after-market safety device. Adjacent to this box and in the upper-middle to center-middle of the diagram is a blue rectangle representing a single field location. Inside of this blue rectangle are three grey rectangles labeled "RSE", which represents the roadside unit, "Traffic Controller" and "NYCWin Wireless Router". The three rectangles inside of the blue rectangle are connected to each other through connectors labeled "Ethernet". The RSE is additionally connected to the OBU ASD by a lightning bolt connector labeled "DSRC" for dedicated short-range wireless. The traffic controller rectangle is also connected to a traffic signal head that is inside of the blue box. The NYCWiN Router is connected to a blue cloud labeled "NYCWiN", which is external to the blue rectangle. The NYCWiN is then connected to a small blue rectangle labeled "Network Operation Center", with a note that it is operated by DOiTT. Below the Network Operation Center is a large apricot colored rectangle labeled "Traffic Management Center". Within the Traffic Management Center are two grey rectangles, two firewalls and two networks. A Network Operation Center is connected to one firewall with a connector labeled "Fiber". The firewall is then connected to the Traffic Control Network, which has three other connections. One connection connects the Traffic Control Network to the "Traffic Control System Servers". Another connection connects the Traffic Control Network to the "TMC Network". The third connection connects the Traffic Control Network to the "CV Back Office Support Systems", which is also connected to the TMC Network. Finally, the TMC Network is connected to a firewall that then leads out of the Traffic Management Center and connects with the Internet cloud. The Internet cloud connects to four grey rectangles: the "SCMS", representing the "Security and Credentials Management System"; the "RDE" (Research Data Excahnge); the "IE Storage" (Independent Evaluator); and the "PID" (Personal Information Device). Finally, a satellite is depicted in the upper right that demonstrates that several devices might receive global navigation satellite system (GNSS) data.

 

Slide 31:

Traffic on the IOO Network contd.

 

Slide 32:

Incident Detection and Response

 

Slide 33:

Data Management

“Supplement” grpahic indicating items or information that are further explained/detailed in the Student Supplement

 

Slide 34:

Activity Placeholder: This slide has the word "Activity" in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 35:

Question 5

Which of these is a correct statement about data collection and management?

Answer Choices

  1. Only vehicles can produce personally identifying information.
  2. Individuals must give consent to their data being collected.
  3. If there is concern that data may reveal driver behavior that violates the law, it should be immediately shared with law enforcement.
  4. Data must be managed in a manner consistent with local data protection regulations.

 

Slide 36:

Review of Answers

red and yellow X icon representing incorrecta) Only vehicles can produce personally-identifying information.
Incorrect. A deployment might include pedestrian devices which directly generate personally-identifying information. Additionally, fixed devices like cameras can generate information that might be linked to individuals.

red and yellow X icon representing incorrectb) Individuals must give consent to their data being collected.
Incorrect. This depends on the applicable local data protection regulation.

red and yellow X icon representing incorrectc) If there is concern that data may reveal driver behavior that violates the law, it should be immediately shared with law enforcement.
Incorrect. This will depend on the applicable local data protection regulation and other laws, but there is, in general, no requirement to be proactive about sharing data with law enforcement.

green and yellow check mark icon representing correctd) Data must be managed in a manner consistent with local data protection regulations.
Correct! A deployer must be aware of local data protection regulations and ensure that they are complied with.

 

Slide 37:

Module Summary Part 2 of 2

 

Slide 38:

Module Summary

 

Slide 39:

Introduction to SCMS Curriculum

green and yellow check mark iconCSE 201:
Introduction to Security Credential Management System Part 1 of 2

green and yellow check mark iconCSE 201:
Introduction to Security Credential Management System Part 2 of 2

 

Slide 40:

Thank you for completing this module. Feedback

Please use the Feedback link below to provide us with your thoughts and comments about the value of the training.

Thank you!

↑ Return to top