Download as PDF - Secunet

More documents

Recommendations

Info

National Challenges for PKI Systems in Vehicles Conventional solutions are not enough Because of the special nature of the clients (vehicles, charging infrastructure, traffic signals etc) which – unlike the computers in the company network – are not constantly reachable and which to some extent have much longer life cycles, they make specific requirements of their PKI systems that do not apply to most company PKIs. Similarly, specifications for Car2Car communication or Plug&Charge in the case of e-mobility define precisely what a PKI is expected to do. PKI systems have long been an established feature of inhouse networks and the internet. Based on asymmetric cryptography, authentication mechanisms have been created with which more people work than you might imagine. Whether for online banking, remote login to the corporate network from a home office or even the new German national identity card, a PKI working away in the background is generally responsible for secure communication. More recently, various applications requiring a PKI have been introduced in vehicles: - digital tachographs - securing diagnostic access and information consistent with Euro 5 and Euro 6 - securing onboard flashware for vehicle programming - securing TeleX services such as remote diagnostics and programming - internet in the vehicle - Car2Car communication - Plug&Charge for e-mobility For example, procedures and processes must be introduced to take into account the fact that parts of the PKI system may be available for online communication only on an intermittent basis. The distribution of revocation information is just one example of this problem. In a PKI for Car2Car or Car2X communication, the number of subscribers can rise exponentially. There will be hundreds of CA systems and millions of vehicles all around the world that have to be supplied with key material and certificates, and at the same time, data privacy protection legislation will require that each vehicle is equipped with several hundreds or even thousands of certificates. Car manufacturers may already be aware of some of these problems as a result of similar issues with their own company PKIs for employee badges or SSL certificates for web services. Nevertheless, these new special cases present them with unprecedented challenges in the management of cryptographic keys and certificates that cannot be resolved with the already established processes of introduced PKI systems and therefore require new approaches to the issue of PKI. More information: Andreas Ziska andreas.ziska@secunet.com 10 » 1 | 2013
National What a PKI does PKI involves more than just technology; it is also a question of infrastructure and processes. At the heart of the matter is key management, with the complete lifecycle of cryptographic keys and/or certifi cates. The main tasks to be performed by a PKI are: Key generation – determination of algorithms, the type of key generation (central as opposed to decentralised) and the processes for certifi cation of the public key as well as the identifi cation data of the certifi cate holder. Key distribution / Directory – the distribution of public keys and/or certifi - cates takes place via directory services such as LDAP. For the assignment of private keys, secure distribution paths or media are used. Blocking management / Revocation – for revoking a certifi cate (in case of a lost key or loss of confi dence), technical mechanisms such as revocation lists (CRLs) or online services (OCSP) are used. The CA operator receives the revocation requests, reviews and authorises them, revokes the certifi cate and publishes the revocation information. Key recovery / Destruction – by means of key recovery, data can be read and verifi ed even if key material has been lost. In addition, old or invalid key material is securely deleted. Key exchange (root, CA, client) – appropriate processes (e. g. online provisioning, the replacement of a secure element or mobile with NFC technology) specifi cally ensure the secure exchange of the public root and CA keys. There must be safeguards against a hacker insinuating his own root keys. Blocking management / Revocation (CRL / OCSP) Key recovery / Destruction Key generation Key distribution / Directory Key exchange (root, CA, client) Example of an eMob PKI complying with ISO 15118 eMob Root CA Already established because of the applicable standardisation regulations for smart metering in Germany optional optional EV OEM Root CA Energy supplier Root CA Charging supplier Root CA Meter Root CA Daimler BMW AUDI RWE EnBW e.on A B C A B C Vehicle certificates Contract certificates Charging station certificates SmartMeter certificates The companies named here have been chosen as examples only. This should not be taken as an indication of which ones will eventually appear under eMob Root CA. 1 | 2013 « 11
Page 1 and 2: The IT Security Report by Issue 1 |
Page 3 and 4: National Local High-Quality IT Prod
Page 5 and 6: National effect on cyberspace secur
Page 7 and 8: National Bavaria creates own Trust
Page 9: News in Brief HACKERSTORY #2 Budget
Page 13 and 14: Neben dem Beruf zum Bachelor & Mast
Page 15 and 16: International secunet’s face reco
Page 17 and 18: News in Brief secunet on Twitter, X
Page 19 and 20: Dates SINA meets the Secretary of D

Download as PDF - Secunet

Create successful ePaper yourself

Delete template?

Save as template?