Threat Model, Authentication, and Key Management

Security is an essential part of all vehicle networks. Communication among vehicles and roadside infrastructure needs to be secure, preserve vehicle privacy, and support efficient and effective removal of bad actors. The threat model for vehicle networks describes three categories of threat agents whose motives range from obtaining preferential treatment to tracking vehicles and disrupting transportation. Vehicle and roadside equipment, wireless communications, and network and software technologies are vulnerable to attack. The notion of privacy in vehicle networks encompasses the properties of anonymity and unlinkability. Vehicle tracking is a privacy threat that exploits vehicle communications, application transactions, and roadway conditions. Public Key Infrastructure is the predominant security architecture among vehicle networks, providing message authentication, integrity protection, and data encryption. The certificate management scheme affects privacy, the removal of bad actors, and system robustness. The combinatorial certificate scheme used in the US DOT proof-of-concept trial is an example of a shared certificate scheme. Removing bad actors in shared certificate schemes is challenging. Certificate revocation may affect many innocent vehicles, which may lose their network privileges. The short-lived, unlinked certificate scheme is an example of a unique certificate scheme that avoids the “one affects many” problem. It separates the certificate authority authorization and assignment functions and issues a large number of short-lived certificates, where certificate expiration may eliminate the need for revocation. Efficient and effective intrusion detection is critical to maintaining vehicle network integrity. Vehicle and roadside equipment, the certificate authority, application servers, and other network-based systems can participate in intrusion detection.