ETSI TS 102 941-2018 Intelligent Transport Systems (ITS) Security Trust and Privacy Management (V1 2 1).pdf

1、 ETSI TS 102 941 V1.2.1 (2018-05) Intelligent Transport Systems (ITS); Security; Trust and Privacy Management G1G2G3G4G5G6G3G7G8G9G10G11G2G3G6G12G6G3G7G1G6G13G5G9ETSI ETSI TS 102 941 V1.2.1 (2018-05)2 Reference RTS/ITS-00524 Keywords interoperability, ITS, management, security ETSI 650 Route des Luc

2、ioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/stand

3、ards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in content

4、s between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. I

5、nformation on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyri

6、ght Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The c

7、opyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members

8、and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI TS 102 941 V1.2.1 (2018-05)3 Contents Intellectual Property Rights . 5G1Foreword 5G1Modal verbs terminology . 5G

9、11 Scope . 6G12 References . 6G12.1 Normative references . 6G12.2 Informative references . 7G13 Definitions, abbreviations and notation . 8G13.1 Definitions . 8G13.2 Abbreviations 8G13.3 Notation . 9G14 ITS authority hierarchy 9G15 Privacy in ITS 10G16 Trust and privacy management 11G16.1 ITS-S Secu

10、rity Lifecycle 11G16.1.1 ITS-S Life-cycle management 11G16.1.2 Manufacture 12G16.1.3 Enrolment 12G16.1.4 Authorization 13G16.1.5 Maintenance 14G16.1.6 End of life .14G16.2 Public Key Infrastructure 14G16.2.0 General 14G16.2.0.1 Messages format 14G16.2.0.2 Signed and encrypted data structures 16G16.2

11、.1 CA certificate request17G16.2.2 Enrolment/Authorization assumption and requirements .20G16.2.3 Message Sequences .22G16.2.3.1 Introduction .22G16.2.3.2 Enrolment Management 23G16.2.3.2.0 Overview .23G16.2.3.2.1 Enrolment request 23G16.2.3.2.2 Enrolment response .26G16.2.3.3 Authorization Manageme

12、nt .27G16.2.3.3.0 Overview .27G16.2.3.3.1 Authorization request .28G16.2.3.3.2 Authorization response 33G16.2.3.4 Authorization Validation protocol .34G16.2.3.4.0 Overview .34G16.2.3.4.1 Authorization validation request 34G16.2.3.4.2 Authorization validation response .36G16.3 Generation, distributio

13、n and use of Trust information lists 38G16.3.1 Generation and distribution of CTL by TLM 38G16.3.2 Generation and distribution of CTL by RCA 39G16.3.3 Generation and distribution of CRL by RCA 40G16.3.4 Specification of Full CTL and Delta CTL 40G16.3.5 Transmission of CTL and CRL .41G16.3.6 CTL and

14、CRL use by ITS-Ss 41G17 Security association and key management between ITS Stations . 42G17.0 Introduction 42G17.1 Broadcast SAs 42G17.2 Multicast SAs .42G1ETSI ETSI TS 102 941 V1.2.1 (2018-05)4 7.3 Unicast SAs 43G1Annex A (normative): ITS security management messages specified in ASN.1 45G1A.1 ITS

15、 trust and privacy messages specified in ASN.1 45G1A.2 Security management messages structures 45G1A.2.1 Security data structures .45G1A.2.2 Security Management messages for CA .46G1A.2.3 Security Management messages for ITS-S_WithPrivacy .48G1A.2.4 Security Management messages for ITSS_NoPrivacy .4

16、9G1A.2.5 Enrolment and authorization data types51G1A.2.5.1 Enrolment 51G1A.2.5.2 Authorization 52G1A.2.5.3 AuthorizationValidation53G1A.2.6 Offline message structures 54G1A.2.7 Trust lists data types .54G1Annex B (normative): Service specific parameters (SSPs) definition . 58G1B.1 Overview . 58G1B.2

17、 CTL SSPs definition 58G1B.3 CRL SSPs definition 59G1B.4 Certificate request messages SSPs definition 59G1B.5 Security Management certificate permissions . 60G1Annex C (informative): Communication profiles for security credential provisioning services (EC request, AT request) 61G1Annex D (normative)

18、: Communication profiles for CTL and CRL . 65G1D.1 CTL request and response protocol . 65G1D.2 CRL request and response protocol . 65G1D.3 Broadcast communication of CTL/CRL 66G1Annex E (informative): Encryption of a message from a sender to a receiver 67G1Annex F (informative): Bibliography 69G1Ann

19、ex G (informative): Change history . 70G1History . 71G1ETSI ETSI TS 102 941 V1.2.1 (2018-05)5 Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential IPRs, if any, i

20、s publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on th

21、e ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may b

22、e, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right

23、 to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by ETSI Technical

24、Committee Intelligent Transport Systems (ITS). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the exp

25、ression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 102 941 V1.2.1 (2018-05)6 1 Scope The present document specifies the trust and privacy management for Intelligent Transport System (ITS) communications. Based upon the

26、 security services defined in ETSI TS 102 731 1 and the security architecture defined in ETSI TS 102 940 5, it identifies the trust establishment and privacy management required to support security in an ITS environment and the relationships that exist between the entities themselves and the element

27、s of the ITS reference architecture defined in ETSI EN 302 665 2. The present document identifies and specifies security services for the establishment and maintenance of identities and cryptographic keys in an Intelligent Transport System (ITS). Its purpose is to provide the functions upon which sy

28、stems of trust and privacy can be built within an ITS. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific reference

29、s, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at https:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the tim

30、e of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 ETSI TS 102 731: “Intelligent Transport Systems (ITS); Security; Security Services and Architecture“. 2 ETSI EN 302 665: “Intelligent Tran

31、sport Systems (ITS); Communications Architecture“. 3 ETSI TS 103 097: “Intelligent Transport Systems (ITS); Security; Security header and certificate formats“. 4 ETSI TS 102 942: “Intelligent Transport Systems (ITS); Security; Access control“. 5 ETSI TS 102 940: “Intelligent Transport Systems (ITS);

32、 Security; ITS communications security architecture and security management“. 6 ISO/IEC 8824-1:2015: “Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation“. 7 Recommendation ITU-T X.696 (08/2014): “Information Technology-Specification of Octet Encoding Rules

33、 (OER)“. 8 Void. 9 ETSI TS 102 943: “Intelligent Transport Systems (ITS); Security; Confidentiality services“. 10 ETSI EN 302 637-2: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Part 2: Specification of Cooperative Awareness Basic Service“. 11 ETSI EN 30

34、2 637-3: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Part 3: Specifications of Decentralized Environmental Notification Basic Service“. 12 ETSI TS 103 301: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Facili

35、ties layer protocols and communication requirements for infrastructure services“. ETSI ETSI TS 102 941 V1.2.1 (2018-05)7 13 NIST FIPS PUB 198-1: “The Keyed-Hash Message Authentication Code (HMAC)“. 14 Void. 15 IETF RFC 4862: “IPv6 Stateless Address Autoconfiguration“. 16 ETSI EN 302 636-6-1: “Intell

36、igent Transport Systems (ITS); Vehicular Communications; GeoNetworking; Part 6: Internet Integration; Sub-part 1: Transmission of IPv6 Packets over GeoNetworking Protocols“. 17 Void. 18 ETSI EN 302 636-4-1: “Intelligent Transport Systems (ITS); Vehicular communications; GeoNetworking; Part 4: Geogra

37、phical addressing and forwarding for point-to-point and point-to-multipoint communications; Sub-part 1: Media-Independent Functionality“. 19 ETSI TS 102 965: “Intelligent Transport Systems (ITS); Application Object Identifier (ITS-AID); Registration“. 20 IEEE 802.11: “IEEE Standard for Information t

38、echnology - Telecommunications and information exchange between systems - Local and metropolitan area networks-Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications“. 2.2 Informative references References are either specific (identified by

39、date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause wer

40、e valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ISO/IEC 15408-2: “Information technology - Secur

41、ity techniques - Evaluation criteria for IT security; Part 2: Security functional components“. i.2 ETSI TR 102 638: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Definitions“. i.3 IETF RFC 4046: “Multicast Security (MSEC) Group Key Management Architecture

42、“. i.4 IETF RFC 4301: “Security Architecture for the Internet Protocol“. i.5 IETF RFC 4302: “IP Authentication Header“. i.6 IETF RFC 4303: “IP Encapsulating Security Payload (ESP)“. i.7 IETF RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2“. i.8 IETF RFC 3547: “The Group Domain of

43、Interpretation“. i.9 IETF RFC 3830: “MIKEY: Multimedia Internet KEYing“. i.10 IETF RFC 4535: “GSAKMP: Group Secure Association Key Management Protocol“. i.11 IETF RFC 4306: “Internet Key Exchange (IKEv2) Protocol“, December 2005. i.12 IETF RFC 4877: “Mobile IPv6 Operation with IKEv2 and the Revised

44、IPsec Architecture“. i.13 ETSI TS 102 723-8: “Intelligent Transport Systems (ITS); OSI cross-layer topics; Part 8: Interface between security entity and network and transport layer“. ETSI ETSI TS 102 941 V1.2.1 (2018-05)8 i.14 CVRIA: “Connected Vehicle Reference Implementation Architecture“. NOTE: A

45、vailable at http:/ i.15 ISO 21210-2010: “Intelligent Transport Systems (ITS) - Communications access for land mobiles (CALM) - Ipv6 networking“. 3 Definitions, abbreviations and notation 3.1 Definitions For the purposes of the present document, the terms and definitions given in ETSI TS 102 731 1, E

46、TSI TS 102 940 5, ISO/IEC 15408-2 i.1 and the following apply: delta CTL: partial CTL that only contains CTL entries that have been updated since the issuance of the prior, base CTLG13.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI EN 302 636-4-1 18 and the

47、 following apply: AA Authorization Authority ASN Abstract Syntax Notation AT Authorization Ticket CA Certification Authority CCH Control CHannel CCMS Cooperative-ITS Certificate Management System COER Canonical Octet Encoding Rule CPOC C-ITS Point Of Contact CRL Certificate Revocation List CTL Certi

48、ficate Trust List CVRIA Connected Vehicle Reference Implementation Architecture DC Distribution Centre DENM Decentralized Environmental Notification Message EA Enrolment Authority EC Enrolment Credential ECC Elliptic Curve Cryptography ECTL European Certificate Trust List EV Electric Vehicle GET com

49、mand HTTP GET GN/BTP GeoNetworking/Basic Transport Protocol GN6 GeoNetworking-IPv6 HMAC keyed-Hash Message Authentication Code HTTP Hyper Text Transfer Protocol IP Internet Protocol ITS-AID ITS Application ID LTE Long Term Evolution (4G) MSEC Multicast SECurity OBD On-Board Diagnosis PA Policy Authority PDU Protocol Data Unit PII Personally Identifiable Information POP Proof Of Possession RCA Root Certification Authority SCH Service CHannel SLAAC StateLess Address Auto