Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices

This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities: — devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) specified in ISO 21217, and — between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks. These services include authentication and secure session establishment which are required to exchange information in a trusted and secure manner. These services are essential for many ITS applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2[5]), and roadside/infrastructure related services.

Titre manque

General Information

Status
Withdrawn
Publication Date
06-Aug-2019
Current Stage
9599 - Withdrawal of International Standard
Completion Date
07-Apr-2023
Ref Project

Relations

Buy Standard

Technical specification
ISO/TS 21177:2019 - Intelligent transport systems -- ITS station security services for secure session establishment and authentication between trusted devices
English language
83 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/TS
SPECIFICATION 21177
First edition
2019-08
Intelligent transport systems —
ITS station security services for
secure session establishment and
authentication between trusted devices
Reference number
ISO/TS 21177:2019(E)
©
ISO 2019

---------------------- Page: 1 ----------------------
ISO/TS 21177:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TS 21177:2019(E)

Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Overview . 3
5.1 Goals . 3
5.2 Architecture and functional entities . 4
5.3 Cryptomaterial handles . 7
5.4 Session IDs and state . 7
5.5 Access control and authorisation state . 8
5.6 Application level non-repudiation . 8
5.7 Service primitive conventions . 8
6 Process flows and sequence diagrams . 9
6.1 General . 9
6.2 Overview of process flows . 9
6.3 Sequence diagram conventions .10
6.4 Configure .11
6.5 Start Session .12
6.6 Send data .14
6.7 Send access control PDU .17
6.8 Receive PDU .18
6.9 Secure connection brokering .23
6.9.1 Goals .23
6.9.2 Prerequisites .24
6.9.3 Overview .24
6.9.4 Detailed specification .25
6.10 Force end session .33
6.11 Session terminated at session layer .35
6.12 Deactivate .35
6.13 Secure session example .36
7 Security Subsystem: interfaces and data types .38
7.1 General .38
7.2 Access control policy and state .39
7.3 Enhanced authentication .40
7.3.1 Definition and possible states .40
7.3.2 States for owner role enhanced authentication .40
7.3.3 State for accessor role enhanced authentication .41
7.3.4 Use by Access Control .42
7.3.5 Methods for providing enhanced authentication .42
7.3.6 Enhanced authentication using SPAKE2 .42
7.4 Extended authentication .43
7.5 Data types .44
7.5.1 General.44
7.5.2 Imports .44
7.5.3 Iso21177AccessControlPdu .44
7.5.4 AccessControlResult .44
7.5.5 ExtendedAuthPdu .44
7.5.6 ExtendedAuthRequest .45
7.5.7 InnerExtendedAuthRequest .45
7.5.8 AtomicExtendedAuthRequest .46
© ISO 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TS 21177:2019(E)

7.5.9 ExtendedAuthResponse .46
7.5.10 ExtendedAuthResponsePayload .46
7.5.11 EnhancedAuthPdu .47
7.5.12 SpakeRequest.47
7.5.13 SpakeResponse .47
7.5.14 SpakeRequesterResponse .48
7.6 App-Sec Interface .48
7.6.1 App-Sec-Configure.request .48
7.6.2 App-Sec-Configure.confirm.49
7.6.3 App-Sec-StartSession.indication .49
7.6.4 App-Sec-Data.request .50
7.6.5 App-Sec-Data.confirm . .50
7.6.6 App-Sec-Incoming.request .51
7.6.7 App-Sec-Incoming.confirm .51
7.6.8 App-Sec-EndSession.request .52
7.6.9 App-Sec-EndSession.confirm .52
7.6.10 App-Sec-EndSession.indication.52
7.6.11 App-Sec-Deactivate.request .53
7.6.12 App-Sec-Deactivate.confirm .53
7.6.13 App-Sec-Deactivate.indication .53
7.7 Security Subsystem internal interface .54
7.7.1 General.54
7.7.2 Sec-AuthState.request .54
7.7.3 Sec-AuthState.confirm . .55
8 Adaptor Layer: Interfaces and data types .55
8.1 General .55
8.2 Data types .56
8.2.1 General.56
8.2.2 Iso21177AdaptorLayerPDU .56
8.2.3 Apdu . .57
8.2.4 Access Control .57
8.2.5 TlsClientMsg1 .57
8.2.6 TlsServerMsg1 .57
8.3 App-AL Interface .57
8.3.1 App-AL-Data.request .57
8.3.2 App-AL-Data.confirm .58
8.3.3 App-AL-Data.indication .58
8.3.4 App-AL-EnableProxy.request .59
8.4 Sec-AL Interface .61
8.4.1 Sec-AL-AccessControl.request.61
8.4.2 Sec-AL-AccessControl.confirm .61
8.4.3 Sec-AL-AccessControl.indication .61
8.4.4 Sec-AL-EndSession.request .62
8.4.5 Sec-AL-EndSession.confirm.62
9 Secure Session services .62
9.1 General .62
9.2 App-Sess interfaces .62
9.2.1 App-Sess-EnableProxy.request .62
9.3 Sec-Sess interface .63
9.3.1 Sec-Sess-Configure.request .63
9.3.2 Sec-Sess-Configure.confirm .65
9.3.3 Sec-Sess-Start.indication .65
9.3.4 Sec-Sess-EndSession.indication .66
9.3.5 Sec-Sess-Deactivate.request .66
9.3.6 Sec-Sess-Deactivate.confirm .67
9.4 AL-Sess interface .67
9.4.1 AL-Sess-Data.request .67
iv © ISO 2019 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TS 21177:2019(E)

9.4.2 AL-Sess-Data.confirm.67
9.4.3 AL-Sess-Data.indication .68
9.4.4 AL-Sess-EndSession.request .68
9.4.5 AL-Sess-EndSession.confirm .68
9.4.6 AL-Sess-ClientHelloProxy.request .69
9.4.7 AL-Sess-ClientHelloProxy.indication .69
9.4.8 AL-Sess-ServerHelloProxy.request .70
9.4.9 AL-Sess-ServerHelloProxy.indication .70
9.4.10 AL-Sess-EndSession.request .71
9.4.11 AL-Sess-EndSession.confirm .72
9.5 Permitted mechanisms .72
9.5.1 TLS 1.3 .72
9.5.2 DTLS 1.3.73
Annex A (informative) Usage scenarios .74
Annex B (normative) ASN.1 module .81
Bibliography .82
© ISO 2019 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/TS 21177:2019(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
vi © ISO 2019 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/TS 21177:2019(E)

Introduction
This document is about ITS station security services required to ensure the authenticity of the source
and confidentiality and integrity of application activities taking place between trusted devices.
The trust relation between two devices is illustrated in Figure 1. Two devices cooperate in a trusted
way, i.e. exchange information with optional explicit bi-directional protection.
Figure 1 — Interconnection of trusted devices
According to ISO 21217, an ITS station unit (ITS-SU), i.e. the physical implementation of the ITS station
(ITS-S) functionality, is a trusted device, and an ITS-SU may be composed of ITS station communication
units (ITS-SCU) that are interconnected via an ITS station-internal network. Thus an ITS-SCU is the
smallest physical entity of an ITS-SU that is referred to as a trusted device.
[15]
NOTE 1 ISO 21217 fully covers the functionality of EN 302 665 , which is a predecessor of ISO 21217.
NOTE 2 An ITS-SU can be composed of ITS-SCUs from different vendors where each ITS-SCU is linked to a
[5]
different ITS-SCU configuration and management centre specified in ISO 24102-2 and ISO 17419. Station-
[7]
internal management communications between ITS-SCUs of the same ITS-SU is specified in ISO 24102-4 .
European C-ITS regulation refers to the "ITS-SCU configuration and management centre" as "C-ITS station
operator" meaning the entity responsible for the operation of a C-ITS station. The C-ITS station operator can be
responsible for the operation of one single C-ITS station (fixed or mobile), or a C-ITS infrastructure composed of a
number of fixed C-ITS stations, or a number of mobile ITS-Stations.
Four implementation contexts of communication nodes in ITS communications networks are identified
in the ITS station and communication architecture ISO 21217, each comprised of ITS-station units (ITS-
SU) taking on a particular role; personal, vehicular, roadside, or central. These ITS-SUs are ITS-secured
communication nodes as required in ISO 21217 that participate in a wide variety of ITS services related
to, e.g. sustainability, road safety and transportation efficiency.
Over the last decade, ITS services have arisen that require secure access to data from Sensor and Control
Networks (SCN), e.g. from In-Vehicle Networks (IVN) and from Infrastructure/Roadside Networks
(IRN), some of which require secure local access to time-critical information; see Figures 2 and 3.
© ISO 2019 – All rights reserved vii

---------------------- Page: 7 ----------------------
ISO/TS 21177:2019(E)

Figure 2 — Example of a roadside ITS-SU connected with proprietary IRN
Figure 3 — Example of a vehicle ITS-SU connected with proprietary IRN
Trust in the ITS domain primarily is between ITS Station Communication Units (ITS-SCUs) introduced
in ISO 21217; see Figure 4.
viii © ISO 2019 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/TS 21177:2019(E)

Figure 4 — Interconnection of ITS-SCUs in an ITS-SU
ITS-SCUs are interconnected via an ITS station-internal network. Applying basic security means
specified in this document, the ITS-SCUs trust each other. Additionally, protocol data units exchanged
between ITS-SCUs may be further protected by additional means, e.g. applying encryption. Major
application domains of secure communications between ITS-SCUs of the same ITS-SU are local station
[4]
management specified in ISO 24102-1 using station-internal management communications specified
[7]
in ISO 24102-4 .
Trust in the ITS domain further is between ITS-SUs introduced in ISO 21217
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.