V2X communication promises to improve roadside safety and transportation efficiency and to support the evolution of automated driving. Nearly two decades of global research have established the value of V2V and V2I use cases, including left turn assist and emergency vehicle preemption, that have automakers and road operators excited about both near-term and longer-term benefits. However, each message must be trusted, and that trust comes from digital signatures backed by certificates managed through a Public Key Infrastructure (PKI).
PKI is a widely used technology that is present in our everyday lives, though largely unnoticed. It is behind the tiny lock in our internet browsers and works behind the scenes to support our banking systems (banking applications, money transfers). We use PKI to sign documents electronically, access servers, and identify ourselves with our passports.
In the realm of Vehicle-to-Everything (V2X) communication, received messages are only valuable if they can be trusted: they must be verifiably authentic, yet handled with anonymity. To that end, V2X messages are electronically signed using an agreed-upon PKI system, the Cooperative Intelligent Transportation System Credential Management System (CCMS) in Europe and the Security Credential Management System (SCMS) in the US, which supports safety by delivering trust.
CCMS and SCMS are each V2X PKI solutions that provide secure communication for V2X radios (both ITS-G5 and C-V2X) while maintaining privacy. These technologies can support the anonymity and pseudonymity of vehicles and deliver trust in communication by issuing electronic signing certificates. These PKI servers can also ensure that only the proper devices or vehicles can use various services by managing permissions. An example of permission management is allowing an emergency vehicle to preempt a traffic signal.
Both CCMS and SCMS are PKI-based systems that use the same certificate and message formats, and each builds on IEEE 1609.2 security services for application and management messages. However, they differ in their profiles and in their methodologies for certificate management. Fortunately, the architectural differences between the EU and US standards (ETSI and IEEE) are shrinking thanks to harmonization work and strong cooperation between those entities, which are leveraging reasonable solutions from each other's standards, such as butterfly key expansion and canonical ID based enrollment.
Despite the many similarities, parts of the PKI architecture, the Certificate Authority (CA) certificates, the certificate profiles, and the methodologies for end-user certificate management are quite different.
The CCMS system applies short certificate validity periods and does not use end-user certificate revocation. It is also simpler in terms of its certificate chains, its number of components and its centralized trust management (ECTL).
The SCMS system is very robust, with different requirements on the PKI and the ITSS (Intelligent Transport System Station). The system uses newer cryptographic solutions and manages certificate revocation at every level. The cost of this complexity is that there are problematic grey zones. For example, the non-centralized elector-based system raises a lot of questions. Also, the growing end-user certificate revocation lists could become problematic.
The IEEE further specified 1609.2.1 to provide a commercial framework for PKI across North America, building on advances in security technology with particular consideration towards scalability and learnings from the prototype PKI platform that was developed as part of the Collision Avoidance Metrics Partnership (CAMP) research on V2X. These days, automakers and road operators alike are keen to have commercial deployments leverage 1609.2.1, and OmniAir is busy ensuring solutions become available. In Europe, ETSI and the European Commission have ratified a policy framework and already enable auditing of the CCMS to ensure compliance.
Altogether, we would say that the two standards are becoming more similar, while architecture and approaches remain different primarily due to legal and governmental environments. The CCMS now supports butterfly key expansion, which can reduce network traffic, enables asynchronous communication, and makes it possible to get thousands of credentials and preload them for years. The SCMS has also applied canonical ID-based enrollment, an easy common secret-based enrollment procedure that simplifies device registration and device management. Having helped with standards and offering solutions for both CCMS and SCMS, we have a unique appreciation and understanding of how each environment operates and how to deliver to customers a single platform that can support vehicles in both regions.
OEMs are dealing with greater volumes of endpoints than road operators, so they find themselves needing to reduce the costs of both the CCMS and SCMS by taking on some of the security offering, though they too will still rely on third-party V2X PKI providers for aspects of the solution. We are supporting automakers today and can help you find the balance that makes the most sense for your business needs.
Microsec has been delivering security solutions for nearly 40 years, has more than 25 years of experience in different PKI solutions, and has earned the right to be a Qualified Trust Service Provider (QTSP). We have developed a CA suite for CCMS and SCMS, which can be used as a SaaS or on-premise solution. Our private and geo-redundant data centers can support the highest security requirements within the EU and the US and deliver clients a unified view of multiple regions.
We are working hard to bring the best possible experience to our customers, including existing clients such as Die Autobahn Motorways in Germany, and to simplify this complex solution as far as possible to make the future of connected mobility available for everyone, especially those looking to start small and scale deployments of vehicles and/or RSUs over time.
In addition to offering CCMS and SCMS solutions and a sandbox environment to gain familiarity with the system, Microsec has for decades provided consulting services to clients.
Microsec will be attending the ITS World Congress in Los Angeles, California from September 18th to the 22nd and will be available to meet. To coordinate a meeting, please email firstname.lastname@example.org or visit us at v2x-pki.com.
© 2022 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41