2005 RSA Conference: Safe at Any Speed

Safe at Any Speed:
Dedicated Short Range
Communications
(DSRC) and On-road
Safety and Security
William Whyte
NTRU Cryptosystems
Tuesday, February 15th, 2005

Aim
• Give an overview of Intelligent Transport Systems (ITS)
standards as they affect personal safety and security
• Discuss the specific communications security requirements of
5.9 GHz Dedicated Short Range Communications (DSRC)

Overview
• Why DSRC?
• Spectrum and Physical Configuration
• Wireless Stack Architecture
• Applications
• Communications Security Issues
• Deployment Schedule

Overview
• 2.8 trillion vehicle miles traveled in 2001
• Nearly 43,000 deaths per year from automobile accidents
– 1.59 per 100 million vehicle miles traveled
• 3 million people injured
• Automobile accidents cost $230B
• ITS America has established a vision for zero fatalities

ITS America
• National Intelligent Transportation Systems Program Plan has
an aim of a reduction of transportation-related fatalities by 10-
15% by 2011, saving 5,000-7,000 lives a year
– For example, reductions of 15-40% in on-ramp metering accidents
• Save 20 billion per year by enhancing throughput and reducing
congestion
• Save 1 billion gallons of gasoline per year
• Single payment medium for national and regional travel
– Currently fragmented, three incompatible RF tolling mechanisms in
place

Accident Statistics
• Run Off Road - 30% of all fatalities
• Intersections - 50% of all crashes
• Pedestrian/Bicycle - 14% of fatalities
• Speed - involved in 30% of all crashes
• Human Factors - drivers a causal factor for at least 80% of all
crashes
• Toll Plazas significant source of accidents
– Accidents five times more likely in the tenth of a mile near a
tollbooth than in the same space on an open road
– Due to looking for change, merging, unexpected pedestrian
traffic…

National ITS Program Plan (2)
• Safety-related applications and products
– information products
– diagnostic/prognostic products
– driver assistance products
– active safety products.
• Advanced Crash Avoidance technologies:
– Mustn’t interfere with driver’s attention
– Must address manufacturer’s proprietary concerns
– Must behave consistently

Achievements to date:
• Traffic Management Centers have been created in two-thirds of the
75 largest metropolitan areas.
• Traffic signals and ramp meters have been tuned to improve traffic
flow and safety.
• Travel information is more readily available to the public to assist in
their travel planning and decision-making.
• Electronic toll collection has been installed on 70% of existing toll
road mileage and over ten million toll tags have been issued in North
America. Non-toll electronic payment applications have begun to
appear.
• Thirty states have begun using transponders and roadside computers
to screen safe and compliant commercial vehicles past weigh stations
and other roadside facilities at up to mainline speeds
– Nearly 7,000 motor carrier fleets participate in these programs.

Why DSRC?
• Next step is to reduce driver error by improving driver
information
• Enable vehicle-to-vehicle and vehicle-to-infrastructure
communication using wireless transponders built to a single
standard
• This is primarily to be used for safety applications, but will
provide sufficient bandwidth to allow private applications
– Tolling
– Traffic information
– Commercial
• Spectrum already allocated for this use

Spectrum and Physical
Configuration

Existing Spectrum allocation
• Public safety:
– 25-50 MHz, 138-144 and 148-174 MHz, 220-222 MHz, 406-420 and 450-
470 MHz, 806-824 and 851-869 MHz for voice communications
– 90 MHz at 4.9 GHz for data communications
– 764-776 MHz and 794-806 MHz will be available once TV broadcasters
complete transition to DTV (12/31/06)
• Tolling
– 902-928 MHz already approved
• 5.9 GHz DSRC Spectrum
– First to be FCC-approved for both public safety and private use
• Prioritization issues, to be discussed later
– Japan, Europe have approved spectrum at 5.8 GHz for similar uses

Radio Taxonomy
• OBU – On Board Unit
– PSOBU – Public Safety On Board Unit
– OBUs are mobile, unlicensed users of spectrum (under FCC)
• RSU – RoadSide Unit
– Stationary units
• Allowed to move from site to site, but must be stationary to
operate
– Licensed by site (under FCC)
– Allowed to provide channel management to OBUs in their
communications zone

Enormous shift in mindset
• Previously, the tag was the application
– Tolling tag enables tolling
– GPS receiver enables Neverlost
– Reflected in language – people talk about “900 MHz applications”
• Now the OBU is the network access point for many
applications
– Completely different security model

RSU - Roadside Unit; OBU - Onboard Unit; EV - Emergency Vehicle; EIRP - Effective Isotropic Radiated
Power; CSMA - Carrier Sense Multiple Access
5.9 GHz DSRC TECHNOLOGY
CHARACTERISTICS
• Approach: Active
• Bandwidth: 75 MHz (5.850 - 5.925 GHz)
• Modulation: QPSK OFDM (with 16QAM and 64QAM options) (BPSK preamble)
• Channels: 7 - 10 MHz channels (optional combinations of 10 and 20 MHz channels)
• Data Rate: 6, 9, 12, 18, 24, and 27 Mbps with 10 MHz Channels (3 Mbps preamble)
(or 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with 20 MHz Channel option) (6 Mbps preamble)
• Max Tx Pwr: 28.8 dBm (at the antenna input)
• RSU EIRP: Nominal 0 - 33 dBm (1 mW - 2 W) / Max. 44.8 dBm (30 W)
• OBU EIRP: Nominal 0 - 20 dBm (1 - 100 mW) / Max. 44.8 dBm (30 W)
• RSU and OBU Sensitivity: - 82 dBm (QPSK) / - 65 dBm (64QAM)
• C/I: 4 - 6 dB (for QPSK @ 10-4 BER coded) / 16 - 17 dB (for 64QAM @ 10-4 BER coded)
• Band Sharing Strategy - Frequency Coordination. Selection of alternate channels for
adjacent zones. Use CSMA to prevent interference between users in the channel.
• Typical Successful Transmission rate: 50-60%

Range (ft)
1000
1200
1400
1600
1800
2000
2200
2400
2600
2800
3000
3200
3400
3600
200
400
600
800
DSRC PERFORMANCE ENVELOPES
DataRate(Mbps)
33
30
27
24
21
18
12
9
6
3
0
54
~
~
0.5 Mbps
902 - 928 MHz Band Performance Envelope
5850 - 5925 MHz Band
Performance Envelope
Emergency Vehicle Services
Safety Message Services
Data Transfer and
Internet Access Services
Toll and Payment Services
(Approximate)

Application Taxonomy (DSRC style)
• Vehicle safety
• Public safety
– Operated by emergency vehicles and other vehicles accredited by
a government agency
– Usually, but not exclusively, emergency response
• Other
– Tolling
– CVO fleet management

Application Taxonomy (FCC style)
• Public safety
– Anything that impacts the safety of the public
• Includes public safety and vehicle safety
• Also Tolling
n See above
• Other applications
• Distinction is significant because public safety applications can
broadcast at higher power

5.9 DSRC Standardization
• IEEE
– P802.11p – MAC and PHY
– P1556 – security services
– P1609 – networking stack
• ASTM E2213-03
– MAC and PHY
• Related:
– NTCIP – message sets and protocols for intelligent transport systems
– SAE – message sets for ITS
– IEEE 1512 – message sets for incident management (coordinates with
SAE)

Very Complicated!
• NTCIP Transportation Management Protocol - AASHTO
1103, AASHTO, 1103, No update, www.ntcip.org/order/
• NTCIP - CORBA Naming Convention Specification - AASHTO
• NTCIP - CORBA Security Service Specification - AASHTO
• NTCIP - CORBA Near-Real Time Data Service Specification - AASHTO
• NTCIP - Objects for Signal System Masters- AASHTO
• NTCIP Objects for Network Camera Operation, AASHTO, 1212, No
update, www.ntcip.org/order/
• NTCIP - Electrical and Lighting Mgmt System Interoperability &
Intercommunications Std - AASHTO 1213, AASHTO, 1213, No
• NTCIP - Weather Report Message Set for ESS - AASHTO
• Generic Reference Model for C2C Communications, AASHTO, 1602, No
• NTCIP - Application Profile for Common Object Request Broker Architecture
(CORBA) - AASHTO 2305, AASHTO, 2305, No update, www.ntcip.org/order/
• NTCIP Application Profile for XML C2C Communications, AASHTO, 2306, No
• NTCIP Structure and Identification of Management Information - NTCIP
• NTCIP Testing and Conformity Assessment Documentation within NTCIP
Standards Publications, AASHTO, 8007, No update, www.ntcip.org/order/
• NTCIP XML in ITS Center-to-Center Communications, AASHTO, 9010, No
• NTCIP Testing Guide for Users,AASHTO, 9012, No
• NTCIP SEP for Communications Profile, AASHTO, 901X, No
• TCIP Dialogs, APTA, TBD, No update, www.ntcip.org/order/
• Standard Specifications for Metadata Content for ITS-Generated Data - ASTM
E-17.54.02.1, ASTM, E17.54.02.1, No update, www.astm.org
• Standard Specifications for Archiving ITS-Related Traffic Monitoring Data -
ASTM E-17.54.02.2, ASTM, E17.54.02.2, No update, www.astm.org
• Standard for Common Traffic Incident Management Message Sets for Use in
Entities External to Centers - IEEE 1512.4, IEEE, 1512.4, No
update, www.ieee.org
• Standard for Dedicated Short Range Communications (DSRC) Resource
Manager - IEEE 1609.1, IEEE, 1609.1, No update, www.ieee.org
• Standard for Dedicated Short Range Communications (DSRC) Application Layer
- IEEE 1609-2, IEEE, 1609.2, No update, www.ieee.org
• Standard for IP Interface for Dedicated Short Range Comunications (DSRC) -
IEEE 1609.3, IEEE, 1609.3, No update, www.ieee.org
• Standard for Dedicated Short Range Communications (DSRC) Channelization -
IEEE 1609.4, IEEE, 1609.4, No update, www.ieee.org
• Standard for Security and Privacy of Vehicle/Roadside Communication Including
Smart Card Comm. ? IEEE P1556, IEEE, P1556, No update, www.ieee.org
• Application Programming Interface (API) Standard for the Advanced
Transportation Controller (ATC) - ITE 9603-1, ITE, 9603-1, No
update, www.ite.org
• Standard for Data Dictionary and Message Sets for Dedicated Short Range
Communcations (DSRC) - SAE J2xxx, SAE, J2xxx, No update, www.sae.org

Our focus: the network stack
• Need to manage channel switching
– Control channel + service channels
• High-priority messages and management messages on
control channel
n Safety messages
• Application data exchanged on safety channel
– Back to control channel every so often
• … and issues arising from that.

Wireless Networking Stack
PHY
MAC
LLC
IP
TCP / UDP
Applications
WSM
Other
Apps
Safety
Apps
Repetitive WSM

Medium Access Layer (MAC) and
Physical Layer (PHY)
Layers 1 and 2a
ASTM E2313-02
ISO 21215
Standards Structure
- Established Standards and procedures that are referenced or used as necessary
- Standards that must be modified or completed - Standards that must be written
Layer 2
Medium Access Control
(MAC)
IEEE 802.11
Layer 1
Physical Layer/
(PHY)
IEEE 802.11a
5.9 GHz
North American
Architecture
Specification
ASTM ????-A
5.9 GHz
Test Procedure
Specification
ASTM ????-T
Application Layer/
Layers 3-7
IEEE 1455
Application
Manager
IEEE 1609.1
CORE DSRC STANDARDS STRUCTURE
Other
Applications
SAP SAPUpper Layer
Manager/
ASTM ZZZZ
SAP
SAP
Lower Layer
Manager/
ASTM YYYY
Application and Network Layers
Layers 3 – 7
IEEE 1609.3
(Streamlined ISO 21210)
and IETF standards
SAP
SAP
SAP
SAP
SAP
SAP - Data Flow
- Management Flow
Logical Link Layer (LLC)
Layer 2b
IEEE 802.21
1 - Only a subset of IEEE 802.2 functions are required to support Layer 3
SAP
SAP 1 for
Network
Services
SAP 2 for Network Services
SAP
SAP
Safety Applications
SAE
Resource Manager
IEEE 1455

What makes the solution complex?
• Communications points are moving at high speed
• Must operate as master/slave when talking to roadside, peer-
to-peer directly
• Must acquire in milliseconds
• Must change channels in microseconds
• Must control power dynamically to decrease interference
• Must always get the most important message through first
• Must have bulletproof security
• Must preserve anonymity for end users

Radio
• The final selection between the Motorola entry and the OFDM forum
entry was made by the ASTM E17.51 DSRC Standards Writing
Group on August 24, 2001. THE WINNER was the OFDM forum
entry.
• The writing group selection was confirmed by letter ballot vote of the
Larger ASTM E17.51 subcommittee in October 2001.
• The ASTM DSRC STD E2313-02 was approved on 5/10/02,
underwent validation and verification testing, and was reissued with
slight modifications in 2003 as ASTM DSRC STD E2313-03
– Now forming the basis of IEEE 802.11p, whose PAR was recently
moved.

DSRC APPLICATIONS
PUBLIC SAFETY and PRIVATE
• APPROACHING EMERGENCY VEHICLE (WARNING) ASSISTANT
(3)
• EMERGENCY VEHICLE SIGNAL PREEMPTION
• ROAD CONDITION WARNING
• LOW BRIDGE WARNING
• WORK ZONE WARNING
• IMMINENT COLLISION WARNING (D)
• CURVE SPEED ASSISTANCE [ROLLOVER WARNING] (1)
• INFRASTRUCTURE BASED – STOP LIGHT ASSISTANT (2)
• INTERSECTION COLLISION WARNING/AVOIDANCE (4)
• HIGHWAY/RAIL [RAILROAD] COLLISION AVOIDANCE (10)
• COOPERATIVE COLLISION WARNING [V-V] (5)
• GREEN LIGHT - OPTIMAL SPEED ADVISORY (8)
• COOPERATIVE VEHICLE SYSTEM – PLATOONING (9)
• COOPERATIVE ADAPTIVE CRUISE CONTROL [ACC] (11)
• VEHICLE BASED PROBE DATA COLLECTION (B)
• INFRASTRUCTURE BASED PROBE DATA COLLECTION
• INFRASTRUCTURE BASED TRAFFIC MANAGEMENT – [DATA
COLLECTED from] PROBES (7)
• TOLL COLLECTION
• TRAFFIC INFORMATION (C)
• TRANSIT VEHICLE DATA TRANSFER (gate)
• TRANSIT VEHICLE SIGNAL PRIORITY
• EMERGENCY VEHICLE VIDEO RELAY
• MAINLINE SCREENING
• BORDER CLEARANCE
• ON-BOARD SAFETY DATA TRANSFER
• VEHICLE SAFETY INSPECTION
• DRIVER’S DAILY LOG
• ACCESS CONTROL
• DRIVE-THRU PAYMENT
• PARKING LOT PAYMENT
• DATA TRANSFER / INFO FUELING (A)
– ATIS DATA
– DIAGNOSTIC DATA
– REPAIR-SERVICE RECORD
– VEHICLE COMPUTER PROGRAM UPDATES
– MAP and MUSIC DATA UPDATES
– VIDEO UPLOADS
• DATA TRANSFER / CVO / TRUCK STOP
• ENHANCED ROUTE PLANNING and GUIDANCE (6)
• RENTAL CAR PROCESSING
• UNIQUE CVO FLEET MANAGEMENT
• DATA TRANSFER / TRANSIT VEHICLE (yard)
• TRANSIT VEHICLE REFUELING MANAGEMENT
• LOCOMOTIVE FUEL MONITORING
• DATA TRANSFER / LOCOMOTIVE
PRIVATEPUBLIC SAFETY
ATIS - Advanced Traveler Information Systems
CVO - Commercial Vehicle Operations
EV - Emergency Vehicles
IDB - ITS Data Bus
THRU – Through
V-V – Vehicle to Vehicle
(#) – Applications Submitted by GM/Ford/Chrysler
(A- Z) – Applications Submitted by Daimler-Chrysler

Traffic Signal
Traffic Signal
Traffic Signal - Green
Traffic Signal- Red
COLLISION
ANIMATION
FOLLOWS
TYPICAL INTERSECTION

EMERGENCY VEHICLE APPROACH WARNING
5.9 GHz DSRC VEHICLE TO VEHICLE APPLICATION
VEHICLE
FRONT
EMERG.
VEHICLE
REAR
EMERG.
Note 1: The Emergency OBU transmits a warning to
ALERT other vehicles that it is coming.
In-Vehicle
Displays and
Annunciations
Traffic Signal
Traffic Signal
Emergency Vehicle
Not to Scale
up to 1000 m (3281 ft)
OBUs on Control Ch
Emergency Vehicle Approach
Warning Communication Zone
~
~
~
~
~
~
VEHICLE
LEFT
EMERG.
VEHICLE
RIGHT
EMERG.
ANIMATION
FOLLOWS

EMERGENCY VEHICLE SIGNAL PREEMPTION
5.9 GHz DSRC ROADSIDE TO VEHICLE APPLICATION
~
~
Traffic Signal
RSU
Horizontal
Support
RSU located in the
center of the
intersection
Traffic Signal
Traffic Signal
Emergency Vehicle
Not to Scale
up to 1000 m (3281 ft)
~
~
~
~
OBU on Intersection Ch
RSU on Intersection Ch
Note 1: OBU Transmitting
the Emergency Vehicle
Signal Preemption Request
on the Intersection Ch

up to 825 ft
range
Mobile Radio
Traffic Signal
Traffic Signal
Intersection Radio
The Central Intersection Communications Subsystem
Intersection Collision
Avoidance System
Equipment Cabinet
Traffic Signal - Green
Traffic Signal- Red
Radio Communication
VEHICLE BASED / INFRASTRUCTURE ASSISTED COLLISION AVOIDANCE
w/ STOP LIGHT ASSISTANT

INFRASTRUCTURE ASSISTED COLLISION AVOIDANCE
Not to Scale
Car NOT Stopping
Vehicle A
Vehicle B
334 ft @ 35 mph
Dynamic Message
Sign (DMS)
Mobile Radio
Intersection Radio
Vehicle Brake Lights
334ft@35mph
Traffic Signal - Green Traffic Signal- Red
Traffic Signal- Green
Traffic Signal- Red
Radar Tracking
Radio Communication
Radar System
ANIMATION
SCP - Straight Crossing Path
STOP
COLLISION
LEFT
STOP
COLLISION
RIGHT
Car being Warned

LOW BRIDGE WARNING and ROLL OVER WARNING
gantry
The tractor trailer receives curve
parameters from the RSU in the
rollover warning sign. The on-board
computer calculates the proper
speed for this vehicle’s loading and
warns the driver if a rollover is
indicated.
Tractor-trailer with OBU
receiving rollover parameters
from the warning sign at the
curve on Control Channel
RSU located on a
Tower Transmitting
Bridge Clearance or
Warning on Control Ch
Tractor-trailer being
measured from the
gantry and receiving
link identification from
OBU on Control Ch
Application submitted by
Carl W. Compton,
KANSAS TURNPIKE AUTHORITY
Not to Scale
RSU located in the
the warning sign
using Control
Tractor-trailer can
pull over here if it
is Over the Height
limit for the bridge
Tractor-trailer can
exit here if it is
Over the Height
limit for the bridge
Roadside to Vehicle Application

TOLL COLLECTION (Open Road) in service channel
The Toll Collection RSU
operates on a Service
Channel and is located on
the gantry above the lanes gantry
= capture zone
RSU Antennas
Note 2: Users are allowed to
proceed at highway normal speeds
while the toll is paid.
Not to Scale
Micro Zone
OBU on Channel 174 slot B
OBU on Channel 174 slot A
RSU on Channel 174
Note 3: Implementers use Time
Division to isolate vehicle
communications and angle of signal
arrival to locate vehicle.
30 m (98 ft)
Note1: OBU approaching the toll
zone are instructed to switch to a
service channel in order to conduct
the transaction.
RSU on Control Channel Toll
Zone Announcement
OBU on Control
Channel

TOLL COLLECTION (Lane Based) on the Service channels
RSUs are located
on the gantry
above the center of
each lane gantry
= capture zone
RSU Antennas
Not to Scale
Traffic Signal
Traffic Signal
Concrete Median
Traffic Signal
Traffic Signal
Pico Zones
OBU on Service Channel 182
RSU on Channel 180
OBU on Channel 180
RSU on Channel 182
RSU on Control Channel 178
Toll Zone Announcement RSU
on Control Channel
5.9 GHz DSRC ROADSIDE EQUIPMENT

Two different types of application
• Broadcast
– Safety messages
– Preempt use by other applications
• Transactional
– Tolling
– CVO
– Typically Client-Server Architecture
– Advertised by RSUs, consumed by OBUs

PSTs
• RSUs broadcast Provider Service
Tables (PSTs) listing the services
they provide and the channels they
are provided on
• OBUs decide whether or not to
consume that service, switch to the
channel if so
– Send back a response setting up a
link.
• PST size limited by MTU size, so
typically a given RSU will support
relatively few distinct applications
• Wave Router Advertisement (WRA)
gives channel switch timing
Restaurant
Maps
Traffic Info
Tolling

Communications
Security Issues

Security Issues Overview
• Anonymity
• Authentication
– Need to ensure that fake messages can’t be inserted into the
system
• Non public safety vehicles issue signal prioritization requests
• Non toll plazas request your tolling information
• Eavesdropping
– Don’t want competitors obtaining CVO data
• Of these, anonymity is the most difficult to address
• First, survey threats

Four Classes of Attacker
• Class 1: Attackers with a programmable radio transmitter
• Class 2: Attackers with an unmodified DSRC unit
• Class 3: Attackers with a modified DSRC unit and who have the
keying materials
• Class 4: “Inside” attackers with access to manufacturers and OEM
records

Example Attacks
• Class 1 Attacks
– Replay/tunneling of legitimate messages
• Class 2 Attacks
– Change of location
– Indicator mismatch
• Class 3 Attacks
– Generate any desired message
• Class 4 Attacks
– Key extraction

Out of scope threats
• Physical denial of service
• Radio jamming
• Attacks on the GPS infrastructure
• Software-based compromise of units
• Misconfiguration

Threat mitigation
• Authenticate messages
– Targets of messages are “all vehicles on the road”, so need public-
key signatures
• Encrypt confidential data
• Messages must be as short as possible and transactions as
fast as possible
– Long messages result in packet loss
• Current proposal: for broadcast, high-priority messages
(public/vehicle safety) a new compact certificate format and a
public key algorithm with particularly short keys

Trust Model
• Trust model varies application to application:
– For vehicle safety the operator is untrusted – applications need to
be isolated from them.
– For public safety the operator is trusted
– For e-Commerce, trust model is the same as desktop trust model
• Although if I borrow your car I may be able to buy gas on your
dime
– For CVO, drivers are not necessarily trusted to give accurate
information
• This needs to be enforced at the OS level

Anonymity
• Potential abuses of vehicle tracking systems are rife
– Stalkers
– Terrorists
– Law Enforcement Tracking
– Automatically issued speeding tickets
– Rental car agencies issuing fines for going out of state
• But tracking is also sometimes useful
– Sometimes law enforcement have a need to track you
– Tolling agencies can charge per mile travelled if they know how
many miles

Anonymity Requirements
• The privacy principles of ITS America include an “Anonymity
Principle” that states: “Where practicable, individuals should
have the ability to utilize Intelligent Transportation Systems on
an anonymous basis.”
• Important in principle
– Also, people who are concerned about tracking might disable their
radio, impacting the safety and other benefits.
– Need to reassure people that Big Brother isn’t in the passenger
seat.

Anonymity in Practice
• Need to protect against:
– Wireless-only attacker who links transmission to vehicle
– Attacker who links multiple transmissions to vehicle, and then links vehicle
to a single transmission by (eg) physical observation – tracking.
• Need to ensure that:
– It’s difficult for an attacker with off-the-shelf equipment to build a tracking
system
– It’s difficult for you to be tracked by an unknown party
• Users can opt in to services in the course of which they may be
subject to tracking, but should not be tracked otherwise
• So:
– Remove identifying marks, as much as possible, from broadcast
messages
– Encrypt transactional messages

Identifying marks
• MAC addresses
• IP addresses
• If messages are signed, certificates

Anonymous Certificates
• Broadcast messages from an OBU
– must be authenticated
• Otherwise, attacker with radio could simply generate fake brake light
messages and foul up traffic
– must not be traceable to a specific OBU
• Many techniques to do this
– Group signatures
– Issue an OBU with a large number of certificates, which it works through at random
• Currently preferred approach
• 10,000 certificates allows a new certificate every five minutes for a month!
n Actual rollover algorithm will be more complicated
• Each certificate contains a unique identifier, but no distinguishing information
– Must be compatible with revocation
• Can use unknown salt to increase work factor associated with revocation
• Cost should be comparable to installing a camera at a large number of
intersections.

IP Addresses
• Long-lived IP addresses can in theory be used as a tracking
token
• In practice, system is not designed for handoff of IP sessions
from one RSU to another
– so long-lived IP sessions happen when you’re stationary
– Less of a risk from tracking
• All devices on IVN will change IP address when the OBU
moves from one RSU communication zone to another

Private MACs: Random MACs
• Generate a random MAC
– Out of the local address space
– Collision probability insignificant with small groups
• 46 random bits
• How many cars can fit in 300 meters?
• When to change MAC
– At startup?
• Allows tracking for individual trips
• Not really acceptable
n Track me from point A to point B
n Real-life traffic analysis!
– When the signing key changes
• Order every 5-10 minutes
• Close monitoring can follow transitions
n But you can do that with signing keys anyway

Where will certs come from?
• Current plans:
• OBUs will be provisioned by manufacturer
– USDoT will be responsible for root cert
– Anonymous OBU certs will be signed by a pool of certs held by all
manufacturers to ensure they don’t give away car make
• RSUs, Public Safety vehicles will be given certificates
conforming to existing administrative hierarchies
– USDoT à State DoT à Local emergency services/public works
departments à individual units
– The intermediate certificates may be distributed by separate
service messages to reduce the size of time-critical messages

Revocation
• Safety Application certificates for OBUs:
– Revocation makes system work more smoothly but is not essential
– All certificates for a given vehicle have identifiers derived from a single secret
– To revoke, recover and distribute the secret
– Must be distributed to all vehicles on road; requires infrastructure
• Public Safety Applications:
– Potential audience for public safety messages is all vehicles
• Geographically limited, but could be limited to an area as large as a state
– Rather than distributing revocation information to all vehicles when a police car is
stolen:
• Issue short-lived certificates to public safety vehicles for use in on-road
operations
n Stolen vehicle only valid for one day (say)
• Issue long-lived certs which are used to apply for operations certs
n Revoke this if vehicle stolen; audience for revocation information is
now CAs (small group, online), not private vehicles (large group,
offline)

Timetable to deployment
• 2004-2006
– Finish/test/rework standards
– Finish prototype program and test prototypes
– Design realistic antennas
– Develop certification procedures
• 2006-2008
– Larger scale tests and resulting reworks
– Productization of design
• 2008
– Deployment decision

Deployment
• 2009-2014: Equip 400,000 intersections with DSRC
transmitters.
• 2008: Decision to deploy in vehicles
– Usual process: 3-year design cycle, deployment starts in high-end
vehicles and works down
• Both these could be accelerated in this case
• Perhaps 57 m out of 250-300 m US vehicles equipped in 2015.

2005 RSA Conference: Safe at Any Speed

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2005 RSA Conference: Safe at Any Speed

Similar to 2005 RSA Conference: Safe at Any Speed (20)

More from Security Innovation

More from Security Innovation (20)

Recently uploaded

Recently uploaded (20)

2005 RSA Conference: Safe at Any Speed