www.preserve-project.eu

Report on PRESERVE Final Event

fkargl — Sun, 28 Jun 2015 11:32:24 +0000

On 17th and 18th of June, 2015, the Royal Institute of Technology (KTH) in Stockholm, Sweden, was hosting a unique event on security and privacy of cooperative Intelligent Transportation Systems (cITS). Not only was the European FP7 project PRESERVE holding its final event, but PRESERVE was joined by partners from the Car-2-Car Communication Consortium's security working group, represented by its chairman Henrik Broberg from Volvo Cars, by ETSI TC ITS Working Group 5, represented by its chair Brigitte Lonc, and by the Harmonization Task Group 6 of the International ITS Cooperation task force, represented by Suzanne Sloan from the US Department of Transportation and Wolfgang Höfs from the European Commission.

About 45 participants mostly from Europe and the U.S. joined the two day event to experience the results of the PRESERVE project and discuss one overarching question: is cooperative ITS security ripe for deployment? Participants came in equal shares from academia, OEMs, suppliers, and public organizations. As a result, discussions reflected the full spectrum of viewpoints on cITS security.

C2C-CC Security WG Status

Day one was devoted to on-going activities in standardization and harmonization. After a warm welcome from Frank Kargl (University of Twente), coordinator of the PRESERVE project, Henrik Broberg kicked off the day by giving a detailed insight into the work and achievements of the C2C-CC's security working group that he is chairing.

One focus of his talk and the discussion was the status of the C2C-CC pilot PKI and production root CA, the later one is expected to become available later this year. Another topic of interest was the work of the in-vehicle task force. A major issue here, which was repeatedly discussed throughout the two days, is the matter of security evolution and flexibility. Too static demands and standards would prevent the security system from reacting to new threats. Therefore, we need to establish standards that are adaptable and allow the security system including the cryptographic mechanisms to evolve as the threats evolve.

Broberg also discussed the complementing relationship of the work in C2C-CC and in ETSI and warned that a reasonable minimum level of security is required to avoid a 'race to the bottom' in which cost advantages help those that implement weak security. This requires a certification process to be established to ensure this minimum level to be kept by all players. He also highlighted the fact that besides all the technical challenges, the cITS security community now also has to solve many organizational and economical issues to become ready for deployment and that the role of harmonization and standardization is crucial.

ETSI TC ITS WG 5 Status

This idea was taken up by Brigitte Lonc who is chairing the ETSI TC ITS working group 5 on security. In her talk, she reported about recent advancements in ETSI's ITS security standardization. She also stressed that the evolution of the security system to ensure scalability, extensibility, maintainability, and crypto-agility is currently being seen as one of the major challenges. ETSI's view on security services, PKI structure, and message formats and headers aligns nicely with the view of C2C-CC, showing the good level of harmonization achieved here. An interesting activity is the on-going work to extend IETF's TLS standard to allow vehicular certificates to be used in TLS authentication. Many participants welcomed this convergence of the ITS and Internet world.

Harmonization Task Group 6 Results

After lunch, the second half of the first day was devoted to the results of the Harmonization Task Group 6, which is active since 2014 and now presented their preliminary results on cITS security policy harmonization. The HTG raised the issue how one could ensure interoperability of systems if cars cross international borders and what level of international harmonization would be required especially with respect to PKI policies in order to allow, e.g., a European car to recognize a certificate from a US car. But also considerations regarding full car lifecycle including, e.g., private resale, are on HTG 6's agenda.

The challenge is to ensure that nearing operational deployments in various areas of the world will not be based on fundamentally incompatible assumptions regarding their security systems that would prevent this interoperability in the mid-term future. Here, the HTG presented a harmonized model of a trust management architecture termed CCMS or Cooperative-ITS Credential Management System and their recommendations of policy and trust harmonization. Like the previous speakers, flexibility and crypto-agility were also listed among the important requirements.

Overall, the HTG sees a strong need to act quickly on harmonization regarding operational processes for CCMS-CCMS and Inter-CCMS trust, auditing of PKIs, and identification of compliance standards, PKI bootstrap (installation, enrollment, certification), CA data center management, and vetting of organizations/personnel. As a multi-CCMS world is likely to occur, they recommend the development of a CCMS federation that regulates accreditation of new CCMS entities, sets policies with CCMS boards for the priority areas for harmonization, and takes ownership of standards to ensure that they are updated and evolved as needed.

With this, the first day of the workshop ended. Day two was then focusing on the achievements of the PRESERVE project. The second day was staged nicely in a former hospital chapel at KTH, the perfect place to 'preach' about the importance of security and privacy protection in cITS.

PRESERVE Final Event

The presentations started with an overview over the origins and results of PRESERVE, given by the project coordinator Frank Kargl from University of Twente. He illustrated how the idea for PRESERVE was built on top of results of a series of previous projects, namely SeVeCom, PRECIOSA, EVITA, and to some extent Oversee, from which PRESERVE also recruited most of its partners. The idea was to integrate their results in a way that they would become accessible to FOTs and pilot projects to be used in their work. Another goal of PRESERVE was to investigate scalability of security mechanisms and provide extensive testing results on the performance aspects of cITS security. Finally, at the time PRESERVE started there were still many open questions related to deployment of cITS security but also related to various research challenges that PRESERVE aimed to address.

This all culminates in the mission statement of PRESERVE: to design, implement, and test a secure and scalable V2X Security Subsystem for realistic deployment scenarios. Towards this goal, PRESERVE contributed many results that were presented throughout the day.

The first area of PRESERVE work focused on a harmonized V2X Security Architecture (VSA) which was presented by Norbert Bissmeyer from Fraunhofer SIT. The PRESERVE VSA, available in project deliverable D1.3, refines ETSI's ITS station reference architecture by detailing the various elements necessary for cITS security in the areas of ID management, message integrity, privacy protection, and misbehavior detection. The VSA also outlines their interactions and gives guidelines regarding implementation. Following discussions centered around communication with the backend, need for revocation mechanisms, and mechanisms for re-filling of pseudonyms via Road-Side Units (RSUs).

The VSA constitutes the basis for the implementation of PRESERVE's V2X Security Subsystem (VSS), which was presented in the following talk by Martin Moser from ESCRYPT. The VSS implements all major components of the VSA needed for a day 1 deployment both inside the vehicle and external PKI components. For the components on the vehicle side PRESERVE provides a software-only, open-source version of the VSS available for free download from the PRESERVE website. It already implements the full functionality of the VSS and runs on a variety of hardware including major CPU architectures (x86, ARM, MIPS, PPC).

The VSS comes in the form of a library which is integrated into the communication stack by means of a flexible API interface called harmonization layer. This harmonization layer allows fast and easy integration, as PRESERVE was able to show by integrating the VSS with communication stacks from Hitachi, NEC, Denso, and others. While the VSS can rely on software-backends like OpenSSL or ESCYPT Cycurlib for all cryptographic operations, it only unfolds its full power when adding the PRESERVE Hardware Security Module (HSM), an ASIC that was designed and built during the project. The HSM offers additional functionality like secure key storage, cryptographic acceleration, and a true random number generator (TRNG). As the HSM became available only shortly before this event, Martin Moser reported only preliminary benchmarks at reduced clock speed. For the most important performance figure, the ECDSA signature verifications, the measurements resulted in 805 verifications per second. For the final clock speed, we can interpolate a rate of 1,238 ver./s, well above the target rate of 1,000 ver./s that PRESERVE aimed for.

An external part of the VSS is the PKI backend. In close cooperation with C2C-CC and ETSI, PRESERVE partners SIT and ESCRYPT designed and realized two independent and interoperable implementations of the vehicular public key infrastructure which they then extended into C2C-CC's pilot PKI.

The following talk by Norbert Bissmeyer was then dedicated to PRESERVE's testing results. Over its lifetime, PRESERVE had a series of internal and external testing campaigns. After a first internal functional test of the VSS Kit in 2012, we conducted joint tests with the French Score@F project at the Versailles-Satory test track near Paris. Furthermore, PRESERVE participated in the two ETSI plugtests in 2013 and 2015 where it could demonstrate its good compatibility with ETSI standards and interoperability with other platforms. Finally, PRESERVE also conducted extensive tests in its internal testbed consisting of up to 25 NEXCOM OBUs setup at KTH. Here, we investigated how large security payload leads to significantly increased packet loss in loaded channels and how the HSM can help to handle high verification loads which regular OBUs cannot handle anymore in software.

The next talk, given by Christophe Jouvray from Trialog, now focused on availability and exploitation of PRESERVE results. He reported that the VSS Kit was already downloaded more than 50 times since the availability of the VSS Kit 2 software-only version via the PRESERVE website in December 2014. Interested parties are requested to voluntarily fill-in a small form when downloading. From this we learned that the downloading organizations include 6 car makers, 21 solution providers, 10 research laboratories, and 5 standardization groups from countries in Europe (Germany, France, UK, Austria, Lithuania) and the rest of the world (China, India, Japan, Mexico, US, Israel, Taiwan). Our partners Trialog (VSS Software), ESCYPT (HSM, PKI), and Fraunhofer (SIT) are dedicated to continue exploitation of the main PRESERVE results beyond the end of the project.

The lunch break featured an integrated demo session, where participants could see a total of four demos from PRESERVE: One demo illustrated how the VSS can protect from external attackers, a second demo showed the PKI operations including refilling of pseudonyms from the pseudonym CA, a performance demo visualized HSM benchmarks, and the fourth demo consisted of a guided tour through the testbed.

After lunch, Panos Papadimitratos from KTH then continued with a presentation giving an overview over the work of PRESERVE on deployment and research challenges. With over 50 peer-reviewed scientific publications and over 100 presentations about project results given at conferences and other venues, PRESERVE made a substantial contribution to the state of the art in the field of cITS security and privacy. Through our close cooperation with C2C-CC Security WG and ETSI TC ITS WG 5 and active participation in Harmonization Task Groups 1 and 6, we also ensured that those results were disseminated and taken into consideration in harmonization and standardization. Other events like organization of the PRESERVE / EIT-ICTlabs summer school, the PRESERVE / C2C-CC security architecture workshop, research seminars, workshops, and conferences also contributed to keeping the research community connected and to ensure best use and uptake of research results in the process towards deployment.

The event continued with a panel discussion where William Whyte (Security Innovations, HTG), Henrik Broberg (Volvo Cars, C2C-CC), Panos Papadimitratos (KTH, PRESERVE), and Frank Kargl (University of Twente, PRESERVE) discussed the question whether we can finally implement and deploy security in cITS given the results from PRESERVE and other efforts. The experts agreed that the overall framework is well defined, but some work may be required within the subsystems, e.g., on misbehavior detection. It remains to be discussed whether all these problems need and even can be solved for a day 1 deployment or could better be solved stepwise in later revisions.

The panlists also realized that cITS is still a rapidly moving target and progress at times outpaces what is laid down in standards. Frank Kargl cautioned that a step-wise approach may be difficult once that first systems are deployed. As can be seen in the Internet, successful deployment in volume creates the need for backwards compatibility and makes introduction of novel features to core technologies a lot more complicated.

The following discussion centered a lot around the cost argument where industry warned about the dangers of too high costs, e.g., of HSMs. The question is which security level should be mandated from developers to not allow a race to the bottom where the one with least security enjoys the cost benefits but endangers security of all communicating parties. The group also discussed the effect a legal requirement for cITS deployment like currently discussed in the US would have. The discussion then moved on towards a more long-term perspective, where cITS may converge with the vision of automated driving. This will inevitably require a higher level of security and privacy protection compared to some day 1 applications.

This discussion was a good lead-over to the following invited talk by Jonathan Petit from University College Cork who spoke on 'Security and Privacy Challenges for Automated Vehicles'. He stressed that for automated vehicles we require a broader view on security including the sensors providing data but also the control algorithms that then make a vehicle react on such data. He highlighted the problem of secure sensor data by showing results from successful experiments on attacking an industrial LIDAR scanner. Another aspect of the talk focused on required privacy protection.

Conclusions

In the final wrap-up, Frank Kargl from PRESERVE and Wolfgang Höfs from the European Commission agreed that the two day event was a unique and very successful meeting of cITS experts from various domains that was very helpful in exchanging results and positions. Since the early days of initial research, cITS in general and the cITS security community involving researchers, developers, industry, and political stakeholders in specific managed to stay very well connected. This led to a fast and well harmonized development of standards based on initial results from academic research.

There was a general agreement that – also thanks to the contributions of PRESERVE – cITS security and privacy protection is well understood up to a level that, from our perspective, a day 1 deployment can move forward. At the same time, everyone is aware that this deployment but also future applications like automated driving will create new challenges and attacks and this requires the security system to be flexible and adaptable. The research activities should therefore not stop and the good dialogue and interchange between academia, industry, and political stakeholders should continue in the future. As this is a world-wide challenge, it should also be addressed in a world-wide, harmonized way.

As a project, PRESERVE hopes to have contributed to the vision of secure and privacy-preserving cITS that will make our mobility safer, more comfortable, more efficient, and also more friendly to our environment.

All slides from the event are available at: https://www.preserve-project.eu/final-event

PRESERVE Final Event approaching

fkargl — Fri, 05 Jun 2015 11:24:54 +0000

The PRESERVE final event is approaching fast. Make sure you are registered.

On March 17th and 18th, KTH's premises at Stockholm, Sweden will be the focus of the ITS security world. Besides the PRESERVE final event, the security working groups of C2C-CC and ETSI as well as the Harmonization Task Group #6 will give updates on their work and status. PRESERVE will report on its final results and demonstrate its V2X Security Subsystem #2 consisting of software-part and a Hardware Security Module. The software part is available open-source and can be downloaded free of charge for evaluation and testing purposes from our website.

So if you are interested in ITS security, this is the place to be. We have more than 40 persons registered, but if you want to join on short notice, make sure to register asap as registration will be closing next week.

PRESERVE Final Event with Public Workshop of C2C-CC WG SEC, ETSI TC ITS WG5 and HTG#6 in June 2015

nbissmeyer — Thu, 23 Apr 2015 08:33:35 +0000

We would like to cordially invite you to the PRESERVE Final Event with co-located public workshops of C2C-CC WG SEC, ETSI TC ITS WG5 and HTG#6. The two-day event takes place on the 17th and 18th of June 2015 at the KTH Royal Institute of Technology in Stockholm, Sweden (http://www.kth.se/en/ees/kontakt/besokare-till-ee-1.22051).

This event is a unique chance to get a complete overview about the status of security and privacy protection in cooperative Intelligent Transport Systems and C2X communication including

results and demos from the PRESERVE project,
status and current work focus of C2C-CC and ETSI TC ITS WG5, and
latest results from harmonization activities involving Europe, the U.S., and Australia

You can find additional information on the event including tentative agenda at https://www.preserve-project.eu/final-event

Participation to this two-day event is free of charge but requires a registration at https://www.preserve-project.eu/final-event#registration

Best regards
Frank Kargl and Norbert Bissmeyer
PRESERVE Coordination

PRESERVE and Compass4D sign a Memorandum of Understanding

nbissmeyer — Fri, 23 Jan 2015 10:36:28 +0000

In January 2015, PRESERVE and Compass4D (http://www.compass4d.eu) signed a Memorandum of Understanding (MoU) that describes the ongoing cooperation for integrating the PRESERVE VSS within the Compass4D platform. This integration aims for running security-protected V2X communications in field operational testing and pre-deployment of secure V2X systems to evaluate the functionality and performance of the PRESERVE security subsystem under real-world conditions, and to assess the effects of the security on overall test results.

PRESERVE VSS now available for download

fkargl — Tue, 09 Dec 2014 20:01:16 +0000

We are now providing the PRESERVE V2X Security Subsystem as free download to all interested parties.

You are only required to fill in a form with name, email, and organization so that we have an overview over who may be interested to use it.

At http://www.preserve-project.eu/vss-download you can download a binary version of the V2X Security Subsystem. The source code will be provided in a little while via a github repository.

PRESERVE at VNC 2014

fkargl — Tue, 09 Dec 2014 19:46:30 +0000

PRESERVE presented four papers at IEEE VNC 2014. 4 out of 7 papers presenting security topics had involvement from PRESERVE which we consider a huge success.

Our contributions were:

"PUCA: A Pseudonym Scheme with User-Controlled Anonymity for Vehicular Ad-Hoc Networks (VANET)"; David Foerster and Hans Loehr (Robert Bosch GmbH, Germany); Frank Kargl (Ulm University & University of Twente, Germany)
"Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management Infrastructure"; Mohammad Khodaei (KTH, Sweden); Hongyu Jin (KTH Royal Institute of Technology, Sweden); Panagiotis (Panos) Papadimitratos (KTH, Sweden)
"Formal Model of Certificate Omission Schemes in VANET"; Michael Feiri (University of Twente, The Netherlands); Jonathan Petit (University College Cork, Ireland); Frank Kargl (Ulm University & University of Twente, Germany)
"Redundancy-based Statistical Analysis for Insider Attack Detection in VANET Aggregation Schemes"; Stefan Dietzel, Julian Gürtler, and Rens van der Heijden (Ulm University, Germany); Frank Kargl (Ulm University & University of Twente, Germany)

Presentation of PRESERVE results at WIVEC 2014

petitj — Sat, 20 Sep 2014 17:05:19 +0000

The 6th International Symposium on Wireless Vehicular Communications was held on September 14-15, 2014 in Vancouver. The University of Twente presented some PRESERVE results on realistic attacker model in smart vehicles. Check out the publication "Jonathan Petit, Michael Feiri, Frank Kargl, "Revisiting Attacker Model for Smart Vehicles", IEEE WIVEC 2014!

International ITS Harmonization Workshop 2014

petitj — Mon, 21 Jul 2014 11:40:22 +0000

PRESERVE actively participates in the Harmonization Task Group #6, which will organize a public workshop to share information on work-in-progress and gather stakeholder feedback. For more information, see http://www.preserve-project.eu/node/106

PRESERVE at the DRIVE C2X Final Event

petitj — Wed, 16 Jul 2014 08:27:07 +0000

On July 16-17, 2014, DRIVE C2X presents its final results in Berlin. Interesting presentations and demonstrations show the work performed and the future challenges for cooperative driving. PRESERVE integrated with DRIVE C2X and worked on a secure solution. Congratulations to DRIVE C2X and thank you for the pleasant collaboration!

Participation to focus group on security and privacy for the Cooperative ITS Corridor project

petitj — Wed, 09 Jul 2014 09:46:11 +0000

July 8th, 2014 - Helmond (NL) - Jonathan Petit (University of Twente) participated as security expert to a group discussion organized by the Cooperative ITS Corridor project. The meeting gathered experts from IT security, cyberforensics, road operators and industries to discuss the security and privacy issues of the two applications that will be deployed in the Cooperative ITS corridor on the highway route Rotterdam-Frankfurt/M-Vienna.