ETSI TR 103 415-2018 Intelligent Transport Systems (ITS) Security Pre-standardization study on pseudonym change management (V1 1 1).pdf

Uploaded by: sumcourage256  Document ID: 736456  Upload date: 2019-01-12  Format: PDF  Pages: 32  Size: 516.56 KB

ETSI TR 103 415 V1.1.1 (2018-04)
Intelligent Transport Systems (ITS); Security; Pre-standardization study on pseudonym change management
TECHNICAL REPORT

Reference: DTR/ITS-00527
Keywords: ITS, privacy, security

ETSI
650 Route des Lucioles, F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret No. 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No. 7803/88

Important notice
The present document can be downloaded from: http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing
restriction extend to reproduction in all media.
© ETSI 2018. All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM® and the GSM logo are trademarks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
Executive summary
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Pseudonym change strategies
4.1 Existing approaches in the literature
4.1.1 Overview
4.1.2 Fixed parameters
4.1.3 Randomness
4.1.4 Silent period
4.1.5 Vehicle-centric
4.1.6 Density-based
4.1.7 Mix-zones
4.1.7.1 General
4.1.7.2 Mix-zones at RSU
4.1.7.3 Collaborative change
4.1.7.4 Cryptographic mix-zones
4.1.8 Pseudonym swap
4.2 C-ITS proposed approaches for pseudonym change
4.2.1 Pseudonym change in the PRESERVE project
4.2.2 Pseudonym change in the SCOOP@F project
4.2.3 C2C-CC approach to Pseudonym change
4.2.3.1 Pseudonym lifecycle management
4.2.3.2 Pseudonym change strategy
4.2.4 IFAL Protocol
4.3 Standardization and Policies/legislation framework
4.3.1 SAE approach
4.3.2 ETSI approach
4.3.2.1 Authorization Tickets
4.3.2.2 ETSI ITS PKI Design
4.3.2.3 Security profiles for CAM and DENM
4.3.2.4 Pseudonym change locking in RHS use cases
4.3.2.5 Road safety applications requirements w.r.t. pseudonym change
4.3.3 European Commission policies
4.4 Issues

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport Systems (ITS).

Modal verbs terminology
In the present document “should”, “should not”, “may”, “need not”, “will”, “will not”, “can” and “cannot” are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
“must” and “must not” are NOT allowed in ETSI deliverables except when used in direct citation.

Executive summary
The present document is structured as follows:
- Introduction of the state-of-the-art on pseudonym change strategies by studying propositions from the literature and current C-ITS pre-deployment projects as well as the position of other standardization bodies.
- Definition of relevant metrics that may be used to quantify the level of safety and privacy provided by the different strategies. The evaluation of the pseudonym change strategies then follows. Note that in the present document the evaluation itself is not available and will be added in the next
release. However, the methodology of evaluation is basically described.
- Definition of an exhaustive list of parameters that are related to pseudonym lifecycle. When available, those definitions come with implementation-specific concrete values springing from pre-deployment projects.
- Guidance and recommendations for future versions of related ETSI specifications.

1 Scope
The purpose of the present document is to realize a pre-standardization study on pseudonyms management for C-ITS in order to provide guidance and recommendations for the future versions
of related ETSI ITS specifications.

2 References
2.1 Normative references
Normative references are not applicable in the present document.

2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] J. Petit, F. Schaub, F. Kargl: “Pseudonym schemes in vehicular networks: a survey”, ACM Computing Surveys, August 2014.
[i.2] D. Eckhoff, C. Sommer, T. Gansen, R. German, F. Dressler: “Strong and affordable location privacy in VANETs: identity diffusion using time-slots and swapping”, IEEE Vehicular Networking Conference (VNC'10), 2010.
[i.3] PRESERVE project Technical Report 2: “V2X Privacy Protection Position Statement”, 2012.
[i.4] PRESERVE project deliverable D5.3: “Deployment issues report v3”, 2013.
NOTE: Available at https://www.preserve-project.eu/deliverables.
[i.5] S. Lefèvre, J. Petit, R. Bajcsy, C. Laugier, F. Kargl: “Impact of V2X Privacy Strategies on Intersection Collision Avoidance Systems”, IEEE Vehicular Networking Conference (VNC'13), 2013.
[i.6] A. Pfitzmann, M. Hansen: “Anonymity, unobservability, and pseudonymity: a proposal for terminology”, Designing Privacy Enhancing Technologies, 2000.
[i.7] A. Serjantov, G. Danezis: “Towards an information theoretic metric for anonymity”, Designing Privacy Enhancing Technologies, 2002.
[i.8] C. Diaz, S. Seys, J. Claessens, B. Preneel: “Towards measuring anonymity”, Designing Privacy Enhancing Technologies, 2002.
[i.9] J. Yin, T. Elbatt, G. Yeung, B. Ryu, S. Habermas, H. Krishnan, T. Talty: “Performance evaluation of safety applications over DSRC vehicular ad hoc networks”, VANET'04: Proceedings of the 1st ACM International Workshop on Vehicular Ad hoc Network, 2004.
[i.10] S. Yousefi, M. Fathy: “Metrics for performance evaluation of safety applications in vehicular ad hoc networks”, Transport, 2008.
[i.11] G. Korkmaz, E. Ekici, F. Özgüner, Ü. Özgüner: “Urban multi-hop broadcast protocol for inter-vehicle communication systems”, VANET'04: Proceedings of the 1st ACM International Workshop on Vehicular Ad hoc Network, 2004.
[i.12] Q. Xu, T. Mak, J. Ko, R. Sengupta: “Vehicle-to-vehicle safety messaging in DSRC”, VANET'04: Proceedings of the 1st ACM International Workshop on Vehicular Ad hoc Network, 2004.
[i.13] J. Freudiger, M.H. Manshaei, J.-P. Hubaux, D.C. Parkes: “On non-cooperative location privacy: a game-theoretic analysis”, CCS'09: Proceedings of the 16th ACM conference on Computer and Communications Security, 2009.
[i.14] J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, J.-P. Hubaux: “Mix-zones for location privacy in vehicular networks”, WiN-ITS'07: ACM Workshop on Wireless Networking for Intelligent Transportation Systems, 2007.
[i.15] A.R. Beresford, F. Stajano: “Location Privacy in Pervasive Computing”, Journal IEEE Pervasive Computing, 2003.
[i.16] ETSI TS 101 539-1 (V1.1.1) (08-2013): “Intelligent Transport Systems (ITS); V2X Applications; Part 1: Road Hazard Signalling (RHS) application requirements specification”.
[i.17] R. K. Schmidt, R. Lasowski, T. Leinmüller, C. Linnhoff-Popien, G. Schäfer: “An approach for selective beacon forwarding to improve cooperative awareness”, Vehicular Networking Conference (VNC), 2010.
[i.18] C2C-CC: PKI Memo V 1.7: “C2C-CC public key infrastructure memo,” CAR 2 CAR Communication Consortium, Tech. Rep., February 2011.
[i.19] C2C-CC Basic System Profile version 1.1.0, dated 21.12.2015.
[i.20] Eric R. Verheul: “Issue First Activate Later Certificates for V2X- Combining ITS efficiency with privacy”.
NOTE: Available at https://eprint.iacr.org/2016/1158.pdf.
[i.21] Bai F, Krishnan H.: “Reliability Analysis of DSRC Wireless Communication for Vehicle Safety Applications”. Proc 2006 IEEE
Intell Transp Syst Conf. 2006;355-62.
[i.22] ETSI TS 103 097: “Intelligent Transport Systems (ITS); Security; Security header and certificate formats”.
[i.23] ETSI TS 102 940: “Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management”.
[i.24] ETSI EN 302 637-2: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Part 2: Specification of Cooperative Awareness Basic Service”.
[i.25] ETSI EN 302 637-3: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Part 3: Specifications of Decentralized Environmental Notification Basic Service”.
[i.26] ETSI TS 102 941: “Intelligent Transport Systems (ITS); Security; Trust and Privacy Management”.
[i.27] ETSI TS 102 723-8: “Intelligent Transport Systems (ITS); OSI cross-layer topics; Part 8: Interface between security entity and network and transport layer”.
[i.28] ETSI TS 102 636-6-1: “Intelligent Transport Systems (ITS); Vehicular Communications; GeoNetworking; Part 6: Internet Integration; Sub-part 1: Transmission of IPv6 Packets over GeoNetworking Protocols”.
[i.29] ETSI TR 102 893: “Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA)”.
[i.30] ETSI TS 101 539-3 (V1.1.1) (11-2013): “Intelligent Transport Systems (ITS); V2X Applications; Part 3: Longitudinal Collision Risk Warning (LCRW) application requirements specification”.
[i.31] SAE J2945/1: “On-board System Requirements for V2V Safety Communications”.
[i.32] “Deutsches Zentrum für Luft- und Raumfahrt” (German Aeronautics and Space Research Center - DLR).
[i.33] ETSI TS 101 539-2: “Intelligent Transport System (ITS); V2X Applications; Intersection Collision Risk Warning (ICRW) application requirements specification”.
[i.34] NHTSA: “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application”, August 2014.
[i.35] C-ITS Platform - Year1 Report - WG1 Annex 2 Cost-Benefits analysis Summary Report.
NOTE: Available at https://ec.europa.eu/transport/themes/its/c-its_en.
[i.36] Security Policy

Bretagne; Paris-Strasbourg highway; Bordeaux and its by-pass road; and County roads in the Isère “département”. Vehicles exchange with the infrastructures and other connected vehicles some information about their position, speed, obstacles, etc. Roads broadcast about traffic conditions,
works, speed limit, accidents, obstacles, etc. In order to protect the privacy of the road users, a regular change of pseudonym is required.
SCOOP@F project proposed a pseudonym storage and change strategy for C-ITS network (see figure 1). The provisioned pseudonyms are stored in the form of pools for a specific duration (Time Slot: TS) corresponding to their common validity period. In fact, the vehicle selects a new pseudonym from its pool based on a Round-Robin algorithm and so on until the expiration of the period of validity of the pseudonym pool. It is noteworthy that thanks to the Round-Robin mechanism, the re-use of a pseudonym is not performed in the same order, which prevents any attempt of tracking.

Figure 1: Pseudonym change strategy in SCOOP@F project

The list of parameters for the pseudonym change strategy can be found in clause A.1.

4.2.3 C2C-CC approach to Pseudonym change
4.2.3.1 Pseudonym lifecycle management
Car-2-Car Communication Consortium recommendations regarding the pseudonym lifecycle management are described in [i.18] and [i.19]. They propose several values for the pseudonym lifecycle parameters that are detailed in clause A.2 and included in table 4.

4.2.3.2 Pseudonym change strategy
Recently C2C-CC proposed an innovative pseudonym change strategy in their privacy position paper. The strategy is described below.
The pseudonym change strategy is based on the paradigm that location linking should be avoided whilst enabling road safety applications to function correctly. Therefore it has been chosen as a general rule to separate each trip into at least three unlinkable segments:
- The first segment from the start of a trip, i.e. a location relevant to an individual, to the mid segment.
- The mid segment, where location data are anonymous because they cannot be associated to a location relevant to an individual.
- The last segment that connects the mid segment to the end of the trip, i.e. a
