LTE-based vehicular communication - Technical requirement of security certificate management system
1 Scope
This document specifies the technical requirement of LTE-based vehicular security certificate management system, mainly including the architecture of the security certificate management system and the related explicit certificate format and interaction process.
This document is applicable to LTE-V2X equipment and security certificate management systems.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 16262 (All parts) Information technology - Abstract syntax notation one (ASN.1)
GB/T 25056 Information security technology - Specifications of cryptograph and related security technology for certificate authentication system
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32918 (All parts) Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
GB/T 36624 Information technology - Security techniques - Authenticated encryption
YD/T 3707-2020 Technical requirements of network layer of LTE-based vehicular communication
3GPP TS 33.220 Generic Authentication Architecture (GAA): Generic Bootstrapping Architecture (GBA)
ISO/EC8825-7 Information technology - ASN.1 encoding rules Part 7: Specification of Octet Encoding Rules (OER)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1.1
V2X equipment
safety equipment for on board unit (OBU), road side unit (RSU) and V2X service provider (VSP)
3.1.2
V2X communication certificate
various certificates related to V2X communication and issued by certificate authority to V2X Equipment, for example, enrollment certificate, pseudonym certificate, application certificate and identity certificate
3.2 Abbreviations
For the purposes of this document, the following abbreviation applies.
AAA Authentication and Authorization Authority
AC Application Certificate
ACA Application Certificate Authority
AID Application Identifier
API Application Programming Interface
ARA Application Certificate Registration Authority
ASN.1 Abstract Syntax Notation dot one
BSF Bootstrapping Server Function
BSM Basic Safety Message
CA Certificate Authority
CRA Certificate Revocation Authority
CRL Certificate Revocation List
CTL Certificate Trust List
DCM Device Configuration Manager
EC Enrolment Certificate
ECA Enrolment Certificate Authority
GBA Generic Bootstrapping Architecture
HTTP Hyper Text Transfer Protocol
HTTPS Hyper Text Transfer Protocol Secure
ICA Intermediate CA
ID IDentity
LA Linkage Authority
LTE Long Term Evolution
LTE-V2X LTE-Vehicle to Everything
ls Linkage Seed
lv Linkage Value
MA Misbehavior Authority
NAF Network Application Function
OBU On Board Unit
PC Pseudonym Certificate
PCA Pseudonym Certificate Authority
PDU Protocol Data Unit
PKI Public Key Infrastructure
PRA Pseudonym Certificate Registration Authority
RA Registration Authority
Rscm Security Credential Management Reference point
Rsde Secure Data Exchange Reference point
RSU Road Side Unit
SCME Security Credential Management Entity
SCMF Security Credential Management Function
SDPF Secure Data Processing Function
SPDU Secured Protocol Data Unit
SSF Security Service Function
SSP Service Specific Permission
TCMF Trusted Certificate Management Function
TDCL Trusted Domain CA Certificates List
TLS Transport Layer Security
TRCL Trusted Root Certificate List
TRCLA Trusted Root Certificate List Authority
USIM Universal Subscriber Identity Module
V2X Vehicle to Everything
VSP V2X Service Provider
4 General
4.1 Composition of V2X communication security system
The reference model of vehicular communication security entity relationship is shown in Figure 1. The solid line in the figure represents the communication relationship between V2X equipment, and the dashed line represents the authorization relationship between entities. The reference model consists of the following entities.
——On Board Unit (OBU): An entity mounted on the vehicle and responsible for V2X communication. When data is sent, the OBU digitally signs the information it broadcasts using the private key corresponding to the digital certificate issued by CA and/or encrypts the data using the data recipient certificate; when the data is received, the OBU authenticates the message using the sender's public key and/or decrypts the encrypted message using the local private key.
——Road Side Unit (RSU): An entity responsible for V2X communication, installed in roadside traffic control equipment and traffic information distribution equipment. When data is sent, the RSU digitally signs the information it broadcasts using the private key corresponding to the digital certificate issued by CA and/or encrypts the data using the data recipient certificate; when the data is received, the RSU authenticates the message using the sender's public key and/or decrypts the encrypted message using the local private key.
——V2X Service Provider (VSP): A regulatory authority responsible for road traffic and a service authority that provides certain commercial services in a V2X system. When data is sent, the VSP digitally signs the information it broadcasts using the private key corresponding to the digital certificate issued by CA and/or encrypts the data using the data recipient certificate; when the data is received, the VSP authenticates the message using the sender's public key and/or decrypts the encrypted message using the local private key. Through a RSU with forwarding capability, the VSP can send and receive secure messages.
——Certificate Authority (CA): Responsible for issuing various communication certificates or certificate revocation list (CRL) to V2X equipment (OBU, RSU, VSP). For example eEnrollment CA, pPseudonym CA, application CA, Certificate Revocation Authority (CRA), etc.
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General
4.1 Composition of V2X communication security system
4.2 V2X communication security service architecture
5 Security requirements for LTE-V2X certification management
5.1 General
5.2 Security requirements for LTE-V2X messages
6 General technical requirements of LTE-V2X communication security authentication mechanism
6.1 Management system architecture of LTE-V2X certificate
6.2 LTE-V2X security certificate
6.3 Description of basic elements
6.4 Security protocol data unit
6.5 Digital certificate and certificate management data form
7 LTE-V2X communication security authentication interaction process and interface technical requirements
7.1 EC management process
7.2 PC application process
7.3 AC and identity certificate management process
7.4 CRL management process
7.5 Authority certificate management process
7.6 Misbehavior detection and reporting process
7.7 LA management architecture and process
8 Mutual trust technical requirements for LTE-V2X communication security authentication PKI
8.1 General
8.2 PKI mutual trust architecture
8.3 PKI mutual trust management procedures
8.4 PKI mutual trust authentication procedures
8.5 TRCL management policy
8.6 TDCL management policy
8.7 Checking on misbehavior of trusted domains
Annex A (Informative) Basic application modes of V2X communication security
Annex B (Informative) Token authorization mechanism based on OAUTH
Annex C (Normative) ASN.1 template
Annex D (Normative) Input and output of cryptographic algorithm
Annex E (Normative) Data format of interface between V2X equipment and security certificate management system
Annex F (Normative) Generation and usage of application layer session key of GBA mechanism
Annex G (Informative) Certificate life cycle and update scenario
Annex H (Informative) An algorithm proposal of key derivation process
Annex I (Normative) Relevant definition of linkage value
Annex J (Normative) Trusted domain CA certificates list and mutual trust authentication process
Annex K (Informative) Coding examples of algorithm