How a leading automaker uses the Nexus PKI platform to protect Car2X communication
One of the largest automakers in the world has opted for identity and security company Nexus Group’s public key infrastructure (PKI) platform to protect car-to-everything (Car2X) communication. “This is a great endorsement of the reliability, security and high performance of our standards-based PKI platform. It is also yet another confirmation of our ability to implement and manage a large-scale, business-critical PKI system,” says Magnus Malmström, vice president with responsibility for Product & Delivery at Nexus.
The ways we use cars and control traffic are rapidly changing. With the goal of improving safety and perfecting road utilization – by optimizing speed and shortening the distance between vehicles, for instance – cars and trucks will communicate directly with each other and with pedestrians. They will also communicate with roadside equipment and other entities affecting traffic such as traffic lights, construction sites, poles, and lane mergers.
Supporting assisted and autonomous driving
“The vehicles and other traffic related entities will exchange information in real time, which can contribute to effective warning systems, assisted driving, and autonomous driving, among other things,” says Tamás Horváth, product manager for PKI as a Service at Nexus.
The same infrastructure can also be used to communicate with other infrastructure and backend systems to deliver services such as infotainment, parking assistance, and automatic toll payments. The technology is therefore called vehicle-to-everything (V2X) or car-to-everything (Car2X, C2X) communication. Other names sometimes used are WAVE (wireless access in vehicular environments) and DSRC (dedicated short-range communication).
A series of new communication standards
During the past decade, the automotive and electronics industries, research institutes and standardization organizations have created a series of new communication standards (IEEE 802.11p, the IEEE 1609 series, SAE 2735 and derived specifications of the ETSI Technical Committee ITS) for reliable and interoperable V2X communication.
“This impressive amount of research and engineering work has laid the foundation for V2X communication in the form of a completely new communication protocol stack from the physical layer to the application layer,” says Horváth.
Two main security and privacy requirements
As part of these standards, security mechanisms and protocols are defined in IEEE 1609.2 and ETSI TS 103 097. A security policy for the implementation and operation of the certificate infrastructure – called C-ITS Certificate Policy – was added in 2017 by the European Commission.
The two main security and privacy requirements of the V2X standards are that:
- Each party (vehicle or other entity) should be able to verify that a V2X message is authentic: that it originates from an authorized and registered entity, and that the entity is authorized to send that specific V2X message, such as an ambulance siren.
- It must not be possible for external observers to track any vehicle by monitoring its communication at any point in the infrastructure, for privacy reasons.
The use of a PKI system is prescribed
To meet these requirements, the V2X standards and policies prescribe the use of a public key infrastructure (PKI) system with two types of certificate authorities (CAs).
“The first type of CA, called the enrolment authority, registers vehicles and issues digital identities based on PKI certificates to them. The second type of CA, called the authorization authority, produces authorization tickets – which are in principle pseudonym PKI certificates – that hide the identities of the vehicles and certify the vehicles’ authenticities and authorizations to send their messages,” says Horváth.
Each vehicle randomly uses 60 pseudonym certificates to blur traces of the vehicle in the wireless space, and starts using a new set of 60 certificates every week. This amounts to more than 3,000 certificates per vehicle every year.
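The division of roles described above can be sketched as a small model; this is an added example, not Nexus code or part of the V2X standards. It shows the enrolment authority holding the vehicle identity, the authorization authority issuing weekly sets of 60 identity-free tickets, and a receiver checking a message against the ticket's permissions. A set-membership lookup stands in for the authorization authority's signature, and all class names, permission strings and the week counter are assumptions.

```python
import secrets
from dataclasses import dataclass

TICKETS_PER_WEEK = 60  # figure from the article

@dataclass(frozen=True)
class AuthorizationTicket:
    ticket_id: str          # random pseudonym, carries no vehicle identity
    permissions: frozenset  # message types the holder may send
    week: int               # validity period (one week per set)

class EnrolmentAuthority:
    """Registers vehicles; the only party that knows the long-term identity."""
    def __init__(self):
        self._enrolled = {}  # enrolment credential -> (vehicle id, permissions)

    def enrol(self, vehicle_id, permissions):
        credential = secrets.token_hex(16)
        self._enrolled[credential] = (vehicle_id, frozenset(permissions))
        return credential

    def permissions_for(self, credential):
        # Hands out permissions only, never the vehicle identity.
        entry = self._enrolled.get(credential)
        return entry[1] if entry else None

class AuthorizationAuthority:
    """Issues weekly sets of pseudonym tickets to enrolled vehicles."""
    def __init__(self, ea):
        self._ea = ea
        self.issued = set()  # stands in for the AA signature on each ticket

    def issue_week(self, credential, week):
        perms = self._ea.permissions_for(credential)
        if perms is None:
            raise PermissionError("unknown enrolment credential")
        tickets = [AuthorizationTicket(secrets.token_hex(8), perms, week)
                   for _ in range(TICKETS_PER_WEEK)]
        self.issued.update(tickets)
        return tickets

def accept_message(aa, ticket, message_type, current_week):
    """Receiver check: genuine ticket, still valid, allowed message type."""
    return (ticket in aa.issued
            and ticket.week == current_week
            and message_type in ticket.permissions)

def pick_ticket(tickets):
    """Sender side: choose a random pseudonym from the current weekly set."""
    return secrets.choice(tickets)
```
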
A scalable and high-performance PKI platform
“Our new automaker customer will introduce V2X technology in major car series in 2019 and will rely on a new PKI system for this. The biggest challenge for the PKI system is to be able to produce billions of certificates every year and make them available for download, so that the vehicles can replace their current set of certificates weekly,” says Horváth.
After evaluation of PKI solutions on the global market, the automaker finally opted for the Nexus PKI platform.
“Nexus is a PKI software pioneer. We have developed one of the most comprehensive, scalable and high-performing PKI products in the world. It is compliant with the V2X technical standards and can provide the required capacity and security,” says Martin Furuhed, product manager of the PKI platform at Nexus.
A standard product that can meet all needs
The Nexus PKI platform is already used by a large number of enterprises around the globe to enable trusted corporate IDs; issue and manage digital citizen IDs; protect the infrastructure in telecom networks; and secure various IoT applications.
“But this is the first time our PKI platform will be used for a V2X application. The automotive product area is known for tough demands on the reliability and availability of services, and on the timeliness of releases,” says Horváth.
The Nexus PKI platform is very well suited for this challenge, according to Furuhed.
“We support nearly any certificate format and provide all standardized interfaces for certificate management. We follow international standards and are happy to see numerous new applications of PKI in the automotive industry. Our strategy is to integrate any industry-specific technical aspects – such as interfaces, certificate formats and policies – into the standard product. The improvements we have made on the product to cope with the high certificate volumes of V2X applications are available to all of our customers, regardless of industry,” says Furuhed.
Hosted in a private cloud environment
The Nexus PKI platform is available both as a service and for on-premises installation.
“We established the online PKI platform as a response to the market need for a price-efficient and compliant PKI platform that can be consumed as a service. Most of our customers, including our new automaker customer, want to concentrate on their core business and let external experts operate and manage their PKI,” says Horváth.
The automaker’s PKI is hosted in a private cloud environment to achieve high security, scalability, and global high availability.
Tight cooperation during implementation
“During the implementation of the PKI, we had a very tight and strong cooperation with the automaker and its electronics suppliers’ teams to minimize the risks in the project and to fulfil policy requirements. Our own experienced managed services team operates and supports the service,” says Horváth.
The fact that one of the world’s leading manufacturers of automobiles and commercial vehicles has opted for the Nexus PKI platform is not only an endorsement of the product, according to Malmström.
“It’s also a confirmation of our capability for innovation and business agility, and of our ability to collaborate in complex projects with many parties and tight deadlines. I am proud both of my team and of our PKI platform, as it will help society to enhance road safety and enable sustainable mobility,” says Malmström.
Used in 100+ large-scale PKI systems
The main reasons why the automaker opted for the Nexus PKI platform are that:
- Its reliability is verified by its use in more than 100 large-scale PKI systems.
- It’s being certified according to Common Criteria EAL4+.
- Its entry-level performance is 10,000 certificates per second, which can be scaled further by redundancy and distribution of the service.
- It complies with technical standards, certificate policies, and regulations.
- The Nexus team has many years of experience managing PKI systems for customers.
- The Nexus organization complies with ISO 27001 and is being assessed for VDA-ISA / TISAX (Trusted Information Security Assessment Exchange).