ETSI TR 103 415 V1.1.1 (2018-04)

ETSI TR 103 415 V1.1.1 (2018-04)






TECHNICAL REPORT
Intelligent Transport Systems (ITS);
Security;
Pre-standardization study on pseudonym change management

---------------------- Page: 1 ----------------------
2 ETSI TR 103 415 V1.1.1 (2018-04)



Reference
DTR/ITS-00527
Keywords
ITS, privacy, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2018.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 103 415 V1.1.1 (2018-04)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Executive summary . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 8
3.1 Definitions . 8
3.2 Abbreviations . 8
4 Pseudonym change strategies . 9
4.1 Existing approaches in the literature . 9
4.1.1 Overview . 9
4.1.2 Fixed parameters . 9
4.1.3 Randomness . 9
4.1.4 Silent period . 9
4.1.5 Vehicle-centric . 9
4.1.6 Density-based . 10
4.1.7 Mix-zones . 10
4.1.7.1 General . 10
4.1.7.2 Mix-zones at RSU . 10
4.1.7.3 Collaborative change . 10
4.1.7.4 Cryptographic mix-zones . 10
4.1.8 Pseudonym swap . 10
4.2 C-ITS proposed approaches for pseudonym change . 11
4.2.1 Pseudonym change in the PRESERVE project . 11
4.2.2 Pseudonym change in the SCOOP@F project . 11
4.2.3 C2C-CC approach to Pseudonym change . 12
4.2.3.1 Pseudonym lifecycle management . 12
4.2.3.2 Pseudonym change strategy . 12
4.2.4 IFAL Protocol . 13
4.3 Standardization and Policies/legislation framework. 13
4.3.1 SAE approach . 13
4.3.2 ETSI approach . 13
4.3.2.1 Authorization Tickets . 13
4.3.2.2 ETSI ITS PKI Design. 13
4.3.2.3 Security profiles for CAM and DENM . 14
4.3.2.4 Pseudonym change locking in RHS use cases . 15
4.3.2.5 Road safety applications requirements w.r.t. pseudonym change . 15
4.3.3 European Commission policies . 17
4.4 Issues & Discussion. 17
4.4.0 General . 17
4.4.1 ID change impacting sender behaviour . 17
4.4.2 Misleading neighbour vehicles in safety situations . 18
4.4.3 Trade-off between safety and privacy . 18
4.4.4 The Sybil attack . 19
4.4.5 Pseudonym lock . 19
4.4.5.1 Current status . 19
4.4.5.2 Issue . 20
4.4.6 Pseudonym reuse . 20
5 Metrics for performances evaluation & comparison . 21
5.1 Metrics for privacy assessment . 21
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 103 415 V1.1.1 (2018-04)
5.1.1 General . 21
5.1.2 Anonymity-based metrics . 21
5.1.2.1 Definition of anonymity . 21
5.1.2.2 Definition of entropy . 21
5.1.2.3 Metric 1: Effective anonymity set size . 21
5.1.2.4 Metric 2: Degree of anonymity . 22
5.1.2.5 Example of application on pseudonym change strategies . 22
5.1.3 User-centric metrics . 22
5.1.3.1 Metric 1: Location privacy model . 22
5.1.4 Pseudonym reuse KPIs . 23
5.2 Metrics for safety assessment . 23
5.2.1 General . 23
5.2.2 Network-level metrics . 23
5.2.2.1 Metric 1: Reception rate/packet losses . 23
5.2.2.2 Metric 2: Delay/latency . 24
5.2.2.3 Metric 3: Wireless channel overhead . 24
5.2.3 Application-level metrics . 24
5.2.3.1 Metric 1: Message inter-arrival duration . 24
5.2.3.2 Metric 2: Cooperative awareness quality . 24
5.2.3.3 Metric 3: Application Reliability . 25
5.3 Metrics for cost assessment . 25
6 Evaluation . 25
6.1 General . 25
6.2 Void . 25
7 Pseudonym lifecycle. 25
7.1 General . 25
7.2 Parameters definitions . 26
7.3 Examples of parameters values . 26
8 Conclusions and Recommendations . 28
Annex A: Parameters of C-ITS early implementations . 30
A.1 SCOOP@F project . 30
A.2 Car-2-Car Communication Consortium . 30
A.3 SAE . 31
History . 32


ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 103 415 V1.1.1 (2018-04)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport Systems (ITS).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document is structured as follows:
• Introduction of the state-of-the-art on pseudonym change strategies by studying propositions from the
literature and current C-ITS pre-deployment projects as well as the position of other standardization bodies.
• Definition of relevant metrics that may be used to quantify the level of safety and privacy provided by the
different strategies. The evaluation of the pseudonym change strategies then follows. Note that in the present
document the evaluation itself is not available and will be added in the next release. However, the
methodology of evaluation is basically described.
• Definition of an exhaustive list of parameters that are related to pseudonym lifecycle. When available, those
definitions come with implementation-specific concrete values springing from pre-deployment projects.
• Guidance and recommendations for future versions of related ETSI specifications.

ETSI

---------------------- Page: 5 ----------------------
6 ETSI TR 103 415 V1.1.1 (2018-04)
1 Scope
The purpose of the present document is to realize a pre-standardization study on pseudonyms management for C-ITS in
order to provide guidance and recommendations for the future versions of related ETSI ITS specifications.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] J. Petit, F. Schaub, F. Kargl: "Pseudonym schemes in vehicular networks: a survey", ACM
Computing Surveys, August 2014.
[i.2] D. Eckhoff, C. Sommer, T. Gansen, R. German, F. Dressler: "Strong and affordable location
privacy in VANETs: identity diffusion using time-slots and swapping", IEEE Vehicular
Networking Conference (VNC'10), 2010.
[i.3] PRESERVE project Technical Report 2: "V2X Privacy Protection Position Statement", 2012.
[i.4] PRESERVE project deliverable D5.3: "Deployment issues report v3", 2013.
NOTE: Available at https://www.preserve-project.eu/deliverables.
[i.5] S. Lefèvre, J. Petit, R. Bajcsy, C. Laugier, F. Kargl: "Impact of V2X Privacy Strategies on
Intersection Collision Avoidance Systems", IEEE Vehicular Networking Conference (VNC'13),
2013.
[i.6] A. Pfitzmann, M. Hansen: "Anonymity, unobservability, and pseudonymity: a proposal for
terminology", Designing Privacy Enhancing Technologies, 2000.
[i.7] A. Serjantov, G. Danezis: "Towards an information theoretic metric for anonymity", Designing
Privacy Enhancing Technologies, 2002.
[i.8] C. Diaz, S. Seys, J. Claessens, B. Preneel: "Towards measuring anonymity", Designing Privacy
Enhancing Technologies, 2002.
[i.9] J. Yin, T. Elbatt, G. Yeung, B. Ryu, S. Habermas, H. Krishnan, T. Talty: "Performance evaluation
of safety applications over DSRC vehicular ad hoc networks", VANET'04: Proceedings of the 1st
ACM International Workshop on Vehicular Ad hoc Network, 2004.
[i.10] S. Yousefi, M. Fathy: "Metrics for performance evaluation of safety applications in vehicular ad
hoc networks", Transport, 2008.
[i.11] G. Korkmaz, E. Ekici, F. Özgüner, Ü. Özgüner: "Urban multi-hop broadcast protocol for inter-
vehicle communication systems", VANET'04: Proceedings of the 1st ACM International
Workshop on Vehicular Ad hoc Network, 2004.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TR 103 415 V1.1.1 (2018-04)
[i.12] Q. Xu, T. Mak, J. Ko, R. Sengupta: "Vehicle-to-vehicle safety messaging in DSRC", VANET'04:
Proceedings of the 1st ACM International Workshop on Vehicular Ad hoc Network, 2004.
[i.13] J. Freudiger, M.H. Manshaei, J.-P. Hubaux, D.C. Parkes: "On non-cooperative location privacy: a
game-theoretic analysis", CCS'09: Proceedings of the 16th ACM conference on Computer and
Communications Security, 2009.
[i.14] J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, J.-P. Hubaux: "Mix-zones for location
privacy in vehicular networks", WiN-ITS'07: ACM Workshop on Wireless Networking for
Intelligent Transportation Systems, 2007.
[i.15] A.R. Beresford, F. Stajano: "Location Privacy in Pervasive Computing", Journal IEEE Pervasive
Computing, 2003.
[i.16] ETSI TS 101 539-1 (V1.1.1) (08-2013): "Intelligent Transport Systems (ITS); V2X Applications;
Part 1: Road Hazard Signalling (RHS) application requirements specification".
[i.17] R. K. Schmidt, R. Lasowski, T. Leinmüller, C. Linnhoff-Popien, G. Schäfer: "An approach for
selective beacon forwarding to improve cooperative awareness", Vehicular Networking
Conference (VNC), 2010.
[i.18] C2C-CC: PKI Memo V 1.7: "C2C-CC public key infrastructure memo," CAR 2 CAR
Communication Consortium, Tech. Rep., February 2011.
[i.19] C2C-CC Basic System Profile version 1.1.0, dated 21.12.2015.
[i.20] Eric R. Verheul: "Issue First Activate Later Certificates for V2X- Combining ITS efficiency with
privacy".
NOTE: Available at https://eprint.iacr.org/2016/1158.pdf.
[i.21] Bai F, Krishnan H.: "Reliability Analysis of DSRC Wireless Communication for Vehicle Safety
Applications". Proc 2006 IEEE Intell Transp Syst Conf. 2006;355-62.
[i.22] ETSI TS 103 097: "Intelligent Transport Systems (ITS); Security; Security header and certificate
formats".
[i.23] ETSI TS 102 940: "Intelligent Transport Systems (ITS); Security; ITS communications security
architecture and security management".
[i.24] ETSI EN 302 637-2: "Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set
of Applications; Part 2: Specification of Cooperative Awareness Basic Service".
[i.25] ETSI EN 302 637-3: "Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set
of Applications; Part 3: Specifications of Decentralized Environmental Notification Basic
Service".
[i.26] ETSI TS 102 941: "Intelligent Transport Systems (ITS); Security; Trust and Privacy
Management".
[i.27] ETSI TS 102 723-8: "Intelligent Transport Systems (ITS); OSI cross-layer topics; Part 8: Interface
between security entity and network and transport layer".
[i.28] ETSI TS 102 636-6-1: "Intelligent Transport Systems (ITS); Vehicular Communications;
GeoNetworking; Part 6: Internet Integration; Sub-part 1: Transmission of IPv6 Packets over
GeoNetworking Protocols".
[i.29] ETSI TR 102 893: "Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk
Analysis (TVRA)".
[i.30] ETSI TS 101 539-3 (V1.1.1) (11-2013) "Intelligent Transport Systems (ITS); V2X Applications;
Part 3: Longitudinal Collision Risk Warning (LCRW) application requirements specification".
[i.31] SAE J2945/1: "On-board System Requirements for V2V Safety Communications".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TR 103 415 V1.1.1 (2018-04)
[i.32] "Deutsches Zentrum für Luft- und Raumfahrt" (German Aeronautics and Space Research Center -
DLR).
[i.33] ETSI TS 101 539-2: "Intelligent Transport System (ITS); V2X Applications; Intersection Collision
Risk Warning (ICRW) application requirements specification".
[i.34] NHTSA: "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application",
August 2014.
[i.35] C-ITS Platform - Year1 Report - WG1 Annex 2 Cost-Benefits analysis Summary Report.
NOTE: Available at https://ec.europa.eu/transport/themes/its/c-its_en.
[i.36] Security Policy & Governance Framework for Deployment and Operation of European
Cooperative Intelligent Transport Systems (C-ITS), Release 1, December 2017.
NOTE: Available at https://ec.europa.eu/transport/sites/transport/files/c-its_security_policy_release_1.pdf.
[i.37] Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport
Systems (C-ITS), Release 1, June 2017.
NOTE: Available at https://ec.europa.eu/transport/sites/transport/files/c-its_certificate_policy_release_1.pdf.
[i.38] SAE J2735: "Dedicated Short Range Communications (DSRC) Message Set Dictionary™".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in ETSI TS 102 940 [i.23], ETSI
TS 102 941 [i.26], ETSI TR 102 893 [i.29] and the following apply:
attacker: one or more collaborative nodes that exploit the system in order to get benefits or to disrupt it
tracking: action of rebuilding the path of an ITS-S based on the information it provides in its V2X messages
3.2 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI TS 102 940 [i.23], ETSI TS 102 941 [i.26],
ETSI TR 102 893 [i.29] and the following apply:
ADAS Advanced Driver-Assistance Systems
AID Application ID
AID-SSP AID Service Specific Permissions
AT Authorization Ticket
BSP Basic System Profile (C2C-CC document)
C2C-CC Car-2-Car Communication Consortium
CAPEX Capital Expenditure
C-ITS Cooperative ITS
CTL Certificate Trust List
EC Enrolment Credential
ID Identifier
IFAL Issue First, Activate Later (certificate issuance process design)
ITS-G5 802.11p radio access technology in the 5,9 GHz band
KPI Key Performance Indicator
OBU On-Board Unit
OPEX Operational Expenditure
RCA Root Certificate Authority
RHS Road Hazard Signalling
SDO Standards Developing Organization
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TR 103 415 V1.1.1 (2018-04)
SN-SAP Security/Network Service Access Point
SSP Service Specific Permission
TCO Total Cost of Ownership
V2X Vehicle-to-any communication
4 Pseudonym change strategies
4.1 Existing approaches in the literature
4.1.1 Overview
Many research works on pseudonym change strategies have been conducted over the last years. In [i.1] authors present
an interesting and exhaustive survey that depicts the current status of this topic.
The clauses below describe the strategies identified in the literature. For more details about a specific strategy, refer to
the references indicated in the strategy description.
4.1.2 Fixed parameters
One of the easiest strategy to implement consists of defining a fixed pseudonym change parameter. Many parameters
can be considered such as time (e.g. change pseudonym each 5 minutes), number of V2X signed messages (e.g. change
pseudonym each 100 messages) or distance (e.g. change pseudonym each 500 m).
The main drawback of such strategy remains in its simplicity. It is indeed quite easy for an eavesdropping attacker to
determine the parameter value of a specific vehicle, making tracking of this vehicle trivial.
Also note that a combination of several parameters can be considered. For instance, a strategy may define that
pseudonym is changed every 10 minutes or 1 000 m, whichever condition is met first.
4.1.3 Randomness
In order to cope with the predictability of the previous strategy, randomness can be inserted. The pseudonym is still
changed according to a fixed parameter to which a random value is added. For instance, a pseudonym can be changed
after 5 minutes of use plus or minus 1 minute, after moving 1 000 m plus or minus 200 m, etc.
The addition of a random factor helps to prevent attackers for determining the pseudonym change periodicity. However,
the linkage of pseudonyms remains possible and
...