ISO 24534-5:2011

INTERNATIONAL ISO
STANDARD 24534-5
First edition
2011-12-15
Intelligent transport systems —
Automatic vehicle and equipment
identification — Electronic Registration
Identification (ERI) for vehicles —
Part 5:
Secure communications using
symmetrical techniques
Systèmes de transport intelligents — Identification automatique des
véhicules et des équipements — Identification d'enregistrement
électronique (ERI) pour les véhicules —
Partie 5: Communications sécurisées utilisant des techniques
symétriques
Reference number
©
ISO 2011
©  ISO 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2011 – All rights reserved

Contents Page
Foreword . iv
Introduction . v
1  Scope . 1
2  Normative references . 2
3  Terms and definitions . 2
4  Symbols and abbreviations . 8
5  System communications concept . 9
5.1  General . 9
5.2  Overview . 9
5.3  Security services . 13
5.4  Communication architecture description . 14
5.5  Interfaces . 16
6  Interface requirements . 17
6.1  Overview . 17
6.2  Abstract transaction definitions . 17
6.3  The onboard interface to the ERT . 27
6.4  The short-range air interface . 27
6.5  Remote access interface . 29
Annex A (normative) ASN.1 module definitions . 31
Annex B (informative) Operational scenarios . 34
Annex C (normative) PICS pro forma . 37
Bibliography . 39

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 24534-5 was prepared by Technical Committee ISO/TC 204, Intelligent transport systems.
This first edition of ISO 24534-5 cancels and replaces the first edition of ISO/TS 24534-5:2008.
ISO 24534 consists of the following parts, under the general title Intelligent transport systems — Automatic
vehicle and equipment identification — Electronic Registration Identification (ERI) for vehicles:
 Part 1: Architecture
 Part 2: Operational requirements
 Part 3: Vehicle data
 Part 4: Secure communications using asymmetrical techniques
 Part 5: Secure communications using symmetrical techniques
iv © ISO 2011 – All rights reserved

Introduction
A quickly emerging need has been identified within administrations to improve the unique identification of
vehicles for a variety of services. Situations are already occurring where manufacturers intend to fit lifetime
tags to vehicles. Various governments are considering the needs and benefits of electronic registration
identification (ERI), such as legal proof of vehicle identity with potential mandatory usages. There is a
commercial and economic justification both in respect of tags and infrastructure that a standard enable an
interoperable solution.
ERI is a means of uniquely identifying road vehicles. The application of ERI will offer significant benefits over
existing techniques for vehicle identification. It will be an enabling technology for the future management and
administration of traffic and transport, including applications in free flow, multi-lane, traffic conditions with the
capability of supporting mobile transactions. ERI addresses the need of authorities and other users for a
trusted electronic identification, including roaming vehicles.
This part of ISO 24534 specifies the interfaces for the exchange of data between an onboard component
containing the ERI data and an ERI reader or writer inside or outside the vehicle using symmetric
cryptographic techniques.
The exchanged identification data consists of a unique vehicle identifier and can also include data typically
found in the vehicle's registration certificate (see ISO 24534-3 for details). The authenticity of the exchanged
vehicle data can be further enhanced by using symmetric encryption techniques, i.e. techniques based on
secret keys shared by a particular community of users.
The ERI interface defined in this part of ISO 24534 supports confidentiality measures to adhere to
international and national privacy regulations and to prevent other misuse of electronic identification of
vehicles.
Following the events of September 11th, 2001, and the subsequent reviews of anti-terrorism measures, the
need for ERI has been identified as a possible anti-terrorism measure. The need for international
harmonization of such ERI is therefore important. It is also important to ensure that any ERI measures contain
protection against misuse by terrorists.
This part of ISO 24534 makes use of the basic automatic vehicle identification (AVI) provisions already
defined in ISO 14814 and ISO 14816. In addition, it includes provisions for security and the use of additional
registration data of a vehicle.

INTERNATIONAL STANDARD ISO 24534-5:2011(E)

Intelligent transport systems — Automatic vehicle and
equipment identification — Electronic Registration
Identification (ERI) for vehicles —
Part 5:
Secure communications using symmetrical techniques
1 Scope
This International Standard provides the requirements for an electronic registration identification (ERI) using
symmetric encryption techniques that are based on an identifier assigned to a vehicle (e.g. for recognition by
national authorities), suitable to be used for
 electronic identification of local and foreign vehicles by national authorities,
 vehicle manufacturing, in-life maintenance and end-of-life identification (vehicle life-cycle management),
 adaptation of vehicle data, e.g. in case of international re-sales,
 safety related purposes,
 crime reduction,
 commercial services, and
 adhering to privacy and data protection regulations.
This part of ISO 24534 specifies the interfaces for a secure exchange of data between the electronic
registration tag (ERT), which is the onboard device containing the ERI data, and the ERI reader or ERI writer
in or outside the vehicle using symmetric encryption techniques.
Symmetric encryption techniques are based on secret keys shared by a particular community of users, i.e. in
closed user groups in which it is trusted that keys are not revealed to outsiders.
It includes
 the interface between an ERT and an onboard ERI reader or writer,
 the interface between the onboard ERI equipment and (roadside) reading and writing equipment, and
 security issues related to the communication with the ERT.
NOTE The vehicle identifiers and possible related vehicle information (as typically contained in a vehicle registration
certificate) are defined in ISO 24534-3.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 8825-2, Information technology — ASN.1 encoding rules: Specification of Packed Encoding Rules
(PER) — Part 2
ISO 14816, Road transport and traffic telematics — Automatic vehicle and equipment identification —
Numbering and data structure
ISO 15628, Road transport and traffic telematics — Dedicated short range communication (DSRC) — DSRC
application layer
EN 12834, Road transport and traffic telematics — Dedicated Short Range Communication (DSRC) — DSRC
application layer
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
access control
prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized
manner
[ISO 7498-2, definition 3.3.1]
3.2
access control list
list of entities, together with their access rights, which are authorized to have access to a resource
[ISO 7498-2, definition 3.3.2]
3.3
active threat
threat of a deliberate unauthorized change to the state of the system
[ISO 7498-2, definition 3.3.4]
EXAMPLE Modification of messages, replay of messages, insertion of spurious messages, masquerading as an
authorized entity and denial of service.
3.4
additional vehicle data
electronic registration identification (ERI) data in addition to the vehicle identifier
[ISO 24534-3, definition 3.1]
3.5
air interface
conductor-free medium between onboard equipment (OBE) and the reader/interrogator through which the
linking of the onboard equipment (OBE) to the reader/interrogator is achieved by means of electro-magnetic
signals
[ISO 14814, definition 3.2]
2 © ISO 2011 – All rights reserved

3.6
authorization
granting of rights, which includes the granting of access based on access rights
[ISO 7498-2, definition 3.3.10]
3.7
challenge
data item chosen at random and sent by the verifier to the claimant, which is used by the claimant, in
conjunction with secret information held by the claimant, to generate a response which is sent to the verifier
[ISO 9798-1, definition 3.3.5]
NOTE In this part of ISO 24534, the term challenge is also used in case an ERT does not have enabled encryption
capabilities and the challenge is merely copied without any secret information applied.
3.8
ciphertext
data produced, through the use of encipherment, the semantic content of which is not available
[ISO 7498-2, definition 3.3.14]
3.9
claimant
entity which is or represents a principal for the purposes of authentication, including the functions necessary
for engaging in authentication exchanges on behalf of a principal
[ISO/IEC 10181-2, definition 3.10]
3.10
cleartext
intelligible data, the semantic content of which is available
[ISO 7498-2, definition 3.3.15]
3.11
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[ISO 7498-2, definition 3.3.16]
3.12
data integrity
integrity
property that data has not been altered or destroyed in an unauthorized manner
[ISO 7498-2, definition 3.3.21]
3.13
decipherment
decryption
reversal of a corresponding reversible encipherment
[ISO 7498-2, definition 3.23]
3.14
distinguishing identifier
information which unambiguously distinguishes an entity
[ISO 9798-1, definition 3.3.9]
3.15
electronic registration identification
ERI
action or act of identifying a vehicle with electronic means for purposes as mentioned in the scope of this part
of ISO 24534
3.16
electronic registration reader
ERR
device used to read or read/write data from or to an electronic registration tag (ERT)
NOTE 1 An ERR communicates directly, i.e. via an OSI data-link, with an ERT.
NOTE 2 An ERR can also be an ERI reader and/or an ERI writer or can act as a relay in the exchange of ERI data
protocol units between an ERT and an ERI reader/writer.
3.17
electronic registration tag
ERT
onboard ERI device that contains the ERI data, including the relevant implemented security provisions and
one or more interfaces to access that data
NOTE 1 In case of high security, the ERT is a type of secure application module (SAM).
NOTE 2 The ERT can be a separate device or can be integrated into an onboard device that also provides other
capabilities (e.g. DSRC communications).
3.18
encipherment
encryption
cryptographic transformation of data to produce ciphertext
NOTE 1 Encipherment can be irreversible, in which case the corresponding decipherment process cannot feasibly be
performed.
NOTE 2 Adapted from ISO 7498-2, definition 3.3.27.
3.19
end-to-end encipherment
encipherment of data within or at the source end system, with the corresponding decipherment occurring only
within or at the destination end system
[ISO 7498-2, definition 3.3.29]
3.20
entity authentication
corroboration that an entity is the one claimed
[ISO 9798-1, definition 3.3.11]
3.21
ERI data
vehicle identifying data which can be obtained from the ERT that consists of the vehicle identifier and possible
additional vehicle data
NOTE Adapted from ISO 24534-3, definition 3.4.
4 © ISO 2011 – All rights reserved

3.22
ERI reader
device used to read ERI data directly or indirectly from an ERT by invoking ERI transactions
NOTE 1 In case an ERI reader exchanges the ERI protocol data units directly via a data link with an ERT, it is also
called an ERR. In case it communicates via one or more nodes, only the last node in this sequence is called an ERR. As a
consequence, an external ERI reader can, depending on the onboard configuration, act for some vehicles as an ERR and
for others not.
NOTE 2 See also onboard ERI reader and external ERI reader.
3.23
ERI system operator
organization responsible for the operation of the ERI system and acting as the security authority for the ERI
security domain
3.24
ERI writer
device used to write ERI data directly or indirectly into an ERT by invoking ERI transactions
NOTE 1 In case an ERI writer exchanges the ERI protocol data units directly via a data link with an ERT, it is also
called an ERR. In case it communicates via one or more nodes, only the last node in this sequence is called an ERR. As a
consequence, an external ERI writer can, depending on the onboard configuration, act for some vehicles as an ERR and
for others not.
NOTE 2 See also onboard ERI writer and external ERI writer.
3.25
external ERI reader
ERI reader that is not part of the onboard ERI equipment
NOTE 1 An external ERI reader is not fitted within or on the outside of the vehicle.
NOTE 2 A distinction is made between proximity, short-range (DSRC), and remote external readers. A proximity reader
can e.g. be a PCD (Proximity Coupling Device) as specified in ISO 14443. A short-range external ERI reader can be (a
part of) roadside equipment, hand-held equipment, or mobile equipment. A remote external ERI reader can be part of the
back-office equipment (BOE).
3.26
external ERI writer
ERI writer that is not part of the onboard ERI equipment
NOTE 1 An external ERI writer is not fitted within or on the outside of the vehicle.
NOTE 2 A distinction is made between proximity, short-range (DSRC), and remote external writers. A proximity reader
can e.g. be a proximity coupling device (PCD) as specified in ISO 14443. A short-range external ERI writer can be (a part
of) roadside equipment, hand-held equipment, or mobile equipment. A remote external ERI writer can be part of the back-
office equipment (BOE).
3.27
identification
action or act of establishing identity
NOTE See also vehicle identification.
3.28
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,
decipherment, cryptographic check function computation, signature generation, or signature verification)
[ISO 9798-1, definition 3.3.13]
3.29
lifetime
period of time during which an item of equipment exists and functions
NOTE Adapted from ISO 14815, definition 4.8.
3.30
manipulation detection
mechanism which is used to detect whether a data unit has been modified (either accidentally or intentionally)
[ISO 7498-2, definition 3.3.35]
3.31
masquerade
pretence by an entity to be a different entity
[ISO 7498-2, definition 3.3.36]
3.32
mutual authentication
entity authentication which provides both entities with assurance of each other’s identity
[ISO 9798-1, definition 3.3.14]
3.33
onboard ERI equipment
equipment fitted within or on the outside of the vehicle and used for ERI purposes
NOTE The onboard ERI equipment comprises an ERT and can also comprise any additional communication devices.
3.34
onboard ERI reader
ERI reader being part of the onboard ERI equipment
NOTE An onboard ERI reader can e.g. be a proximity coupling device (PCD) as specified in ISO 14443.
3.35
onboard ERI writer
ERI writer being part of the onboard ERI equipment
NOTE An onboard ERI writer can e.g. be a proximity coupling device (PCD) as specified in ISO 14443.
3.36
passive threat
threat of unauthorized disclosure of information without changing the state of the system
[ISO 7498-2, definition 3.3.38]
3.37
principal
entity whose identity can be authenticated
[ISO/IEC 10181-2, definition 3.15]
3.38
privacy
right of individuals to control or influence what information related to them may be collected and stored and by
whom and to whom that information may be disclosed
NOTE Because this term relates to the right of individuals, it cannot be very precise and its use should be avoided
except as a motivation for requiring security.
6 © ISO 2011 – All rights reserved

[ISO 7498-2, definition 3.3.43]
3.39
random number
time-variant parameter whose value is unpredictable
[ISO 9798-1, definition 3.3.24]
3.40
registration authority
organization responsible for writing the ERI data and security data into an ERT according to local legislation
NOTE It is expected that the registration authority with respect to the ERI data can be the same authority that keeps
the official register in which the vehicle and its owner or lessee are listed. This is, however, not required by this part of
ISO 24534.
3.41
secret key
key that is used with a symmetric cryptographic algorithm
NOTE 1 Possession of a secret key is restricted (usually to two entities).
NOTE 2 For ERI, there can be only one entity or several entities, depending on the key management policy.
NOTE 3 Adapted from ISO/IEC 10181-1, definition 3.3.15.
3.42
security
protection of information and data so that unauthorized persons or systems cannot read or modify them and
authorized persons or systems are not denied access to them
[ISO 12207, definition 4.39]
NOTE Security versus safety (informal):
Security: protection of a system against its environment; in this context the protection of the ERI system against attacks
or accidents;
Safety: protection of the environment against a system; in this context the protection of the driver, passengers,
vehicle, etc., against dangers of the ERI system.
3.43
security authority
entity that is responsible for the definition, implementation or enforcement of security policy
[ISO/IEC 10181-1, definition 3.3.17]
3.44
security domain
set of elements, security policy, security authority and set of security-relevant activities in which the set of
elements are subject to the security policy for the specified activities, and the security policy is administered
by the security authority for the security domain
[ISO/IEC 10181-1, definition 3.3.20]
3.45
security service
service, provided by a layer of communicating open systems, which ensures adequate security of the systems
or of data transfers
[ISO 7498-2, definition 3.3.51]
3.46
sequence number
time variant parameter whose value is taken from a specified sequence which is non-repeating within a certain
time period
[ISO 9798-1, definition 3.3.27]
3.47
system operator
organization responsible for the operation of the system
NOTE For this part of ISO 24534, a system operator also acts as the registration authority and the security authority
in his jurisdiction.
3.48
system operator key
access key for a system operator
3.49
threat
potential violation of security
[ISO 7498-2, definition 3.3.55]
3.50
vehicle identification
action or act of establishing the identity of a vehicle
3.51
verifier
entity which is or represents the entity requiring an authenticated identity
NOTE 1 A verifier includes the functions necessary for engaging in authentication exchanges.
NOTE 2 Adapted from ISO/IEC 10181-2, definition 3.20.
4 Symbols and abbreviations
AEI Automatic Equipment Identification
AES Advanced Encryption Standard
ASN.1 Abstract Syntax Notation One (as defined in ISO 8824)
AVI Automatic Vehicle Identification
BOE Back Office Equipment
DES Data Encryption Standard
EN European Standard (German: Europäische Norm)
ERI Electronic Registration Identification
ERR Electronic Registration Reader: a device used to read or read/write data from or to an ERT
ERT Electronic Registration Tag
8 © ISO 2011 – All rights reserved

EU European Union
IEC International Electrotechnical Commission
ISO International Organization for Standardization
OBE Onboard Equipment
OSI Open Systems Interconnection (see ISO/IEC 7498-1)
PICS Protocol Implementation Conformance Statement(s)
PIN Personal Identification Number
SAM Secure Application Module
Triple-DES Triple-Data Encryption Standard
VIN Vehicle Identification Number
5 System communications concept
5.1 General
This clause provides an introduction of the context in which ERI data and security data may be read from or
written into the ERT and in which vehicles can be identified. It also outlines options that may or may not be
used in an actual implementation. The normative requirements for the interfaces are provided in Clause 6 and
Annex A. Annex C contains a form to specify the limitations of an actual communication protocol
implementation.
This clause only deals with interfaces using symmetric encryption techniques. Symmetric encryption
techniques are based on secret keys that are shared by a community of one or more users. Such a
community is essentially a closed user group in which it is trusted that secret keys are not revealed to
outsiders.
It is assumed that the users of the closed user group are all operating within the jurisdiction of one ERI system
operator responsible for key management and acting as the registration authority in his jurisdiction.
A more generic interface based on asymmetric techniques, with various (security) capability levels and
supporting cooperation between multiple (registration) authorities (i.e. multiple security domains) is defined in
ISO 24534-4.
5.2 Overview
5.2.1 Vehicle registration identification
ERI is the action or act of identifying a vehicle with electronic means for purposes as mentioned in the scope
of this part of ISO 24534.
The identifier used to identify a vehicle is called the vehicle identifier or vehicleld.
NOTE The preferred vehicle identifier is the VIN that is assigned to the vehicle by its manufacturer in accordance
with ISO 3779 but alternatives are supported as well. See ISO 24534-3, for details about the vehicle identifier and
additional vehicle data.
In this part of ISO 24534, the combination of the almost unique vehicleld and a unique ERT number is used as
the unambiguous distinguishing identifier.
5.2.2 System concept and supported interfaces
Figure 1 presents the interfaces specified in this part of ISO 24534.

Figure 1 — System concept and supported interfaces
The onboard component that provides a secure environment for the ERI data and security data is called the
ERT.
NOTE 1 An implementer may integrate other provisions into the ERT, as long as this does not compromise the security
of the ERT.
An ERT operates in one of two modes:
 Non-commissioned mode,
when the ERT contains no system operator keys.
When operating in the non-commissioned mode, the authentication phase (see below) is not supported
and the only operation allowed is to commission the ERT.
 Commissioned mode,
when a system operator has written its keys into the ERT.
When operating in the commissioned mode the authentication phase (see below) is supported.
A system operator may also decommission an ERT, i.e. delete all key from the ERT. The ERT then returns to
its non-commissioned mode and the only operation allowed is again to commission the ERT.
An ERT is tailored to a specific vehicle in one or more steps:
 First, the ERT is customized with the vehicle identifier and, optionally, additional ERI data.
This step can only be performed once in the lifetime of an ERT.
 Next, the system operator may register changes of the additional ERI data (i.e. the ERI data with the
exception of the vehicle identifier).
ERI data may only be written/updated in commissioned mode and only by the system operator.
It is assumed that all ERT and all onboard and external readers and writers will be part of the same security
domain, i.e. within the jurisdiction of one single ERI system operator responsible for the security policy and its
implementation.
10 © ISO 2011 – All rights reserved

It is also assumed that the system operator is also acting as the registration authority in their jurisdiction.
NOTE 2 In order to accommodate the needs of different system operators, different selections of additional ERI data
can be included in an ERT (see ISO 24534-3 for details).
The onboard communication provisions shall be capable to transfer data from or to the ERT without modifying
that data.
NOTE 3 The onboard communication provisions can e.g. be part of an onboard platform for transport applications.
A communication device may communicate with a short-range ERI reader/writer or remote with back office
equipment (BOE).
A onboard communication device external to the ERT that communicates with an external ERI reader/writer
acts as a relay between this external ERI reader/writer and the onboard ERI reader/writer. A communication
device may also be used for other applications.
5.2.3 Roles involved
Within the context of this part of ISO 24534, the following roles for natural or legal persons are distinguished.
a) A system operator, who is responsible for the operation of the ERI system. An ERI system operator is
also the security authority for the ERI security domain and responsible for generating secret keys to be
used for authentication. A system operator also acts as the registration authority, i.e. as the authority for
writing vehicle-related data into the ERT.
NOTE 1 It is expected that the registration authority with respect to the ERI data is the same authority that keeps
the register in which the vehicle is listed. This is, however, not required by this part of ISO 24534.
NOTE 2 It is assumed that each vehicle is listed in a register that contains the vehicle identifier and additional data
related to the vehicle. It is implicitly assumed that this register also identifies the one(s) responsible for the vehicle
(e.g. its owner, operator, keeper, lessee, and/or regular driver).
b) Authorities, who are entitled (e.g. by the virtue of public legislation) and authorized by the system operator
to read the ERI data and encrypted access control list entries from a vehicle.
NOTE 3 Roles and requirements related to the specification, design and manufacturing (including testing) of an
ERT are outside the scope of this part of ISO 24534.
5.2.4 The communications context for reading
Figure 2 presents the communications context for reading data from an ERT.
An onboard or external ERI reader is used to read data from the ERT. An onboard ERI reader communicates
directly with the ERT. An external ERI reader communicates either directly or indirectly with the ERT: directly
in case of a hand-held reader or an integrated ERI device, or indirectly via an onboard communication module
and an onboard ERI reader. The onboard communication module may also be used for other applications.
A sensor system (which is outside the scope of this part of ISO 24534) may be used to trigger an external ERI
reader when it senses the presence of a vehicle.
The various parties that can read ERI data from an ERT are described in 5.3.3. The access rights of the
various entities are described in 5.3.5.
Figure 2 — Communication context for reading from an ERT
The equipment used by an entity in an office (i.e. not at the roadside) is called back office equipment (BOE).
The distribution of functions between BOE and an external ERI reader is outside the scope of this part of
ISO 24534.
5.2.5 The communications context for writing
Figure 3 presents the communications context for writing data into an ERT.
The onboard or external ERI writer is used to write data into the ERT. An onboard ERI writer communicates
directly with the ERT. An external ERI writer communicates either directly or indirectly with the ERT: directly in
case of a hand-held reader or an integrated ERI device, or indirectly via an onboard communication module
and the onboard ERI writer. The onboard communication module may also be used for other applications.
The various parties that can write ERI (security) data into an ERT are described in 5.3.3. The access rights of
the various entities are described in 5.3.5.
The distribution of functions between BOE and an external ERI writer is outside the scope of this part of
ISO 24534. A system operator may e.g. commission a writer to operate on its behalf or it may use e.g. the
writer only as a relay device for remote writing from its back office.

Figure 3 — Communication context for writing into an ERT
5.2.6 Service levels supported
This part of ISO 24534 supports a secure communication with an ERT within one jurisdiction based on
symmetric encryption techniques.
A more generic interface based on asymmetric techniques, with various (security) capability levels and
supporting cooperation between multiple (registration) authorities (i.e. security domains) is defined in
ISO 24534-4.
12 © ISO 2011 – All rights reserved

5.3 Security services
5.3.1 Assumptions
The security concept for the exchange of data between an ERT and an ERI reader or writer is based on the
following assumptions.
a) The use of an ERT may be mandatory and, therefore, should be fraud resistant. Using ISO 7498-2
terminology, the ERT should be resistant against active threats (e.g. modification of messages, replay of
messages, insertion of spurious messages, and masquerading).
b) A reading of an ERT should be suitable as legal evidence.
c) ERI shall have the capability to provide a high level of privacy protection (i.e. it should not be easily
possible to monitor mobility patterns of a vehicle and, hence, of its regular driver); consequently, an ERT
should also be resistant against passive threats.
d) ERI shall have the capability to provide protection measures to prevent ERI from being used to trigger an
attack on a vehicle.
e) The performance of security mechanisms must be achievable within the time available for
communications whilst the vehicle is moving.
EXAMPLE Reading a vehicle at 180 km/h within a 10 m read range should be achieved within 200 ms.
5.3.2 Entity authentication while reading ERI data
Trust in the authenticity of an ERI reading depends on the following authentication aspects which shall be
completely fulfilled to fully trust a reading.
a) The ERT is customized with the correct vehicle identifier and is attached to the correct vehicle.
b) The ERT cannot be removed from the vehicle without rendering it inoperable.
c) The ERI data is read from a genuine ERT, i.e. from a legitimate device (it is not a replicated message
from a fake one).
d) The ERI data is correctly read from the ERT (data integrity, manipulation detection). This is achieved by
standard mechanisms used in data communications and, as a side effect, by encrypting the ERI data
(decipherment of corrupted ciphertext will not produce anything useful).
e) When ERI data has been correctly read from a genuine ERT upon a particular request, it shall be difficult
to be disputed later on that this data was not read from this component upon that request. This is
achieved by encrypting the ERI data together with a challenge code provided by the ERI reader.
NOTE 1 This part of ISO 24534 only deals with c), d), and e). The items a) and b) are specified in ISO 24534-2.
NOTE 2 Using technical (ISO/IEC 9798-2) terminology, c) and e) are supported using a three pass mutual
authentication mechanism with unidirectional keys. Uniqueness/timeliness is controlled by generating and checking
random numbers and sequence numbers.
5.3.3 Confidentiality while reading ERI data
This International Standard supports confidentiality by delivering ERI data in ciphertext. The encrypted ERI
data can then be made freely available but can only be decrypted and interpreted by authorized
persons/equipment (end-to-end encipherment).
To prevent that encrypted ERI data can be used as a pseudonym, a sequence or random number may be
added to the ERI data before encryption.
Confidentiality is only required for reading ERI data from an ERT, not for writing data into an ERT.
5.3.4 Keys for authentication and confidentiality
The same secret key is used for both authentication and confidentiality.
A vehicle may be registered for many years and during those years many other vehicles are registered and
deregistered. As a consequence, a system operator has either to use always the same keys, or to use
different keys for different vehicles. In order to support this latter option, a key can be identified with a key
identifier and both an ERT as well as an ERI reader/writer may use multiple keys.
In order to allow ERT with one or multiple keys to be interoperable with ERI readers/writers with one or
multiple keys, the following procedure is used.
a) In case an ERI reader/writer wants to select an ERT key, it sends the ERT list a key numbers form which
the ERT may select one to be used for its responses.
b) In case an ERT has one of the requested keys, it uses one of them. If an ERT does not contain a
requested key but has one or more other keys, it may choose any key it has for its responses. If the ERT
does not (yet) contain any key, it simply does not use any key.
c) In case an ERT wants to select an ERI reader/writer key, it sends the reader/writer a list of key numbers
to choose from for its responses.
d) In case an ERI reader/writer has one of the requested keys, it uses one of them. If not, the reader/writer
uses for its responses the same key as used by the ERT its request.
5.3.5 Access control to ERI data
There is no access control unless at least one key is loaded into the ERT.
If one or more keys are loaded into an ERT, access control is based on a mutual authentication procedure
using unidirectional secret keys.
There are two groups of keys: one for system operators and one for authorities.
A system operator key provides full read/write access to both the ERI data and the security data.
An authority key only provides read access to:
a) The ERI data: the vehicle identifier and the additional vehicle data;
b) The historical data, if available;
c) Access control list entries (see below) in ciphertext that can be decrypted by the system operator.
5.4 Communication architecture description
5.4.1 Overall communication concept for identifying vehicles
Figure 4 presents the communication concept for the identification of a vehicle.
14 © ISO 2011 – All rights reserved

Figure 4 — Overall local communication concept for identification
This part of ISO 24534 deals with the air interface between the onboard ERI equipment in a vehicle and a
short-range external ERI reader.
NOTE The vehicle–external ERI-reader interface corresponds to the DELTA reference point, the air interface in
Annex A of ISO 14814:2006; see 5.5.1 for details. The external ERI-reader–back-office interface corresponds to the
ALPHA reference point in this annex.
The interface between an external ERI reader and the BOE of a back office is outside the scope of this part of
ISO 24534. It may e.g. be used for commissioning the ERI reader, the exchange of white or black lists and/or
uploading the reading results. It may e.g. be a local interface in the back office or a wide area network
interface.
5.4.2 Overall communication concept for remote access
This part of ISO 24534 also supports remote access to an ERT. A system operator may e.g. use remote
access, if implemented, to check or update the additional ERI data or the security data.
Figure 5 presents the communication concept for remote access to a vehicle’s ERT.

Figure 5 — Overall communication concept for remote access
This part of ISO 24534 deals with the network interface between the onboard ERI equipment in a vehicle and
a remote external ERI reader/writer.
NOTE Whether or not remote access capabilities are implemented is outside the scope of this part of ISO 24534.
5.4.3 The onboard communication
Figure 6 presents an abstract overview of a possible onboard communication architecture.

Figure 6 — The onboard architecture
NOTE Figure 6 does not imply that the ERT and the communication device shall be separate components. This can
or cannot be the case for a specific implementation.
5.5 Interfaces
5.5.1 The short-range air interface
The communication between the onboard ERI equipment and a short-range external ERI reader/writer uses
the protocol stack as shown in Figure 7.
AVI layer (shall conform to ISO 14816 plus additional services)
ERI layer (adding ERI security and management services)
An application layer, e.g. the DSRC application layer (shall conform to ISO 15628 or EN 12834) or a similar
layer
Lower layers
Figure 7 — Protocol stack air interface
The relation between these layers and the reference points BETA to ZETA in Annex A of ISO 14814:2006 is
depicted in Figure 8: (reference point ALPHA is located between the ERI reader and the BOE of a back office).

Figure 8 — The location of the ERI layer in the ISO 14814 reference architecture
16 © ISO 2011 – All rights reserved

5.5.2 The onboard interface with the ERT
The communication between an ERT and an onboard ERI reader/writer uses the protocol stack as shown in
Figure 9.
AVI layer (shall conform to ISO 14816 plus additional services)
ERI layer (adding ERI security and management services)
A transmission layer, e.g. ISO 14443
Lower layers, e.g. ISO 14443, ISO 15693, etc.
Figure 9 — Protocol stack ERT interface
6 Interface requirements
6.1 Overview
Clause 6 defines the interface to access the ERI data in the ERT and contains the following subclauses:
 6.2 provides an abstract definition;
 6.3 defines the onboard interface with the ERT;
 6.4 defines the short-range air interface between the onboard ERI equipment and an external ERI
reader/writer;
 6.5 defines the interface for remote access.
The onboard interface is defined as an implementation of the abstract definitions in 6.2.
The external interfaces as defined in 6.4 and 6.5 are either used to communicate directly with the ERT in case
the onboard communication provisions are integrated into the ERT, or used indirectly to relay the ERI protocol
data units to the onboard ERI reader/writer. (See Figure 1).
6.2 Abstract transaction definitions
6.2.1 Transaction overview
Table 1 defines the ERT transactions.
Table 1 — Required and optional transactions
Subclause Transaction Req Description
6.2.4 mutualAuthenticate1 R Required for mutual authentic
...