SIST-TP CEN/TR 16968:2016

SLOVENSKI STANDARD
SIST-TP CEN/TR 16968:2016
01-september-2016
Elektronsko pobiranje pristojbin - Ocena varnostnih ukrepov za aplikacije z
uporabo posebne komunikacije kratkega dosega
Electronic Fee Collection - Assessment of security measures for applications using
Dedicated Short-Range Communication
Elektronische Gebührenerhebung - Beurteilung von Sicherheitsmaßnehmen für
Anwendungen mit dedizierter Nahbereichskommunikation
Perception de télépéage - Évaluation des mesures de sécurité pour les applications
utilisant les communications dédiées à courte portée
Ta slovenski standard je istoveten z: CEN/TR 16968:2016
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
prometu
SIST-TP CEN/TR 16968:2016 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CEN/TR 16968:2016

---------------------- Page: 2 ----------------------

SIST-TP CEN/TR 16968:2016


CEN/TR 16968
TECHNICAL REPORT

RAPPORT TECHNIQUE

May 2016
TECHNISCHER BERICHT
ICS 35.240.60
English Version

Electronic Fee Collection - Assessment of security
measures for applications using Dedicated Short-Range
Communication
 Elektronische Gebührenerhebung - Beurteilung von
Sicherheitsmaßnahmen für Anwendungen mit
dedizierter Nahbereichskommunikation


This Technical Report was approved by CEN on 11 April 2016. It has been drawn up by the Technical Committee CEN/TC 278.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2016 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16968:2016 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Terms and definitions . 6
3 Abbreviations . 9
4 Method . 10
5 Security Objectives and Functional Requirements . 13
5.1 Target of evaluation . 13
5.2 Security objectives . 14
5.2.1 Introduction . 14
5.2.2 Confidentiality . 14
5.2.3 Availability . 14
5.2.4 Accountability . 14
5.2.5 Data integrity . 14
5.3 Functional security requirements . 15
5.3.1 Introduction . 15
5.3.2 Confidentiality . 15
5.3.3 Availability . 17
5.3.4 Accountability . 18
5.3.5 Data integrity . 20
5.4 Inventory of assets . 21
5.4.1 Functional Assets . 21
5.4.2 Data Assets. 22
6 Threat analysis . 22
7 Qualitative risk analysis . 24
7.1 Introduction . 24
7.1.1 General . 24
7.1.2 Likelihood of a threat . 24
7.1.3 Impact of a threat . 25
7.1.4 Classification of Risk . 26
7.2 Risk determination . 26
7.2.1 Definition of high and low risk context . 26
7.2.2 Threat T1: Access Credentials keys can be obtained . 27
7.2.3 Threat T2: Authentication keys can be obtained . 27
7.2.4 Threat T3: OBU can be cloned . 28
7.2.5 Threat T4: OBU can be faked. 28
7.2.6 Threat T5: Authentication of OBU data can be repudiated . 29
7.2.7 Threat T6: Application data can be modified after the transaction . 29
7.2.8 Threat T7: Data in the VST is not secure . 30
7.2.9 Threat T8: DSRC Communication can be eavesdropped . 30
7.2.10 Threat T9: Correctness of application data are repudiated . 31
7.2.11 Threat T10: Master keys may be obtained from RSE . 31
7.3 Summary . 31
2

---------------------- Page: 4 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
8 Proposals for new security measures . 32
8.1 Introduction. 32
8.2 Security measures to counter risks related to key recovery . 32
8.3 Recommended countermeasures . 34
8.4 Qualitative cost benefit analysis . 35
9 Impact of proposed countermeasures . 35
9.1 Current situation and level of fraud in existing EFC systems using CEN DSRC link . 35
9.2 EETS legislation . 36
9.3 Analysis of effects on existing EFC systems . 36
9.3.1 Affected roles . 36
9.3.2 The CEN DSRC equipment Manufacturers . 36
9.3.3 The Toll Service Providers . 37
9.3.4 The Toll Chargers . 37
10 Recommendations . 38
10.1 Add security levels and procedures to EN ISO 14906 . 38
10.2 Recommendation for other EFC standards . 39
10.3 New standards . 39
Annex A (informative) Current status of the DEA cryptographic algorithm . 40
A.1 Overview . 40
A.2 ISO/IEC 9797-1 (MAC Algorithm 1) . 40
A.3 FIPS 46 (DEA Specification – DES) . 40
A.4 ENISA recommendations . 41
Annex B (informative) Security considerations regarding DSRC in EFC Standards . 42
B.1 Security vulnerabilities in EN 15509 and EN ISO 14906 . 42
B.2 Security vulnerabilities in EN ISO 12813 (CCC) . 42
B.3 Security vulnerabilities in EN ISO 13141 (LAC) . 43
B.4 Security vulnerabilities in CEN/TS 16702-1 (SM-CC) . 43
Bibliography . 44

3

---------------------- Page: 5 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
European foreword
This document (CEN/TR 16968:2016) has been prepared by Technical Committee CEN/TC 278
“Intelligent transport systems”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
4

---------------------- Page: 6 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
Introduction
Security for dedicated short-range communication (DSRC) applications in the context of electronic fee
collection (EFC) has a long history in standardization. Currently the area is covered by several
standards and technical specifications, successively developed over time:
— EN ISO 14906 (Electronic fee collection - Application interface definition for dedicated short-range
communication) provides a toolbox of functions and security measures which can be used for DSRC
application.
— CEN ISO/TS 19299 (Electronic fee collection - Security framework) analyzes the threats to an EFC
system as a whole, and not specifically for the DSRC technology.
— EN ISO 12813 (Electronic fee collection - Compliance check communication for autonomous
systems) and EN ISO 13141 (Electronic fee collection - Localisation augmentation communication
for autonomous systems) mirrors the best-practice security measures of EN 15509.
— CEN/TS 16702-1 (Electronic fee collection - Secure monitoring for autonomous toll systems - Part
1: Compliance checking) provides an EFC enforcement concept, partially dependent on a DSRC
application.
— EN 15509 (Electronic fee collection - Interoperability application profile for DSRC) defines an
interoperable application profile which comprises a selection of such measures with a definition of
security algorithms associated to it. It is based on the experience of many EU projects related to
DSRC-EFC.
As the security domain has evolved, it is now necessary to analyze again the threats, vulnerabilities and
risks of using the CEN DSRC technology in all DSRC-based applications related to EFC. Technological
advances and proliferation of cryptographic tools and knowledge has made an attack on the security
procedures of DSRC more likely.
This technical report (TR) identifies context dependent risks on the DSRC link and proposes security
measures to counter them and the points out what new standard deliverables that are needed.
5

---------------------- Page: 7 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
1 Scope
This Technical Report includes a threat analysis, based on CEN ISO/TS 19299 (EFC - Security
Framework), of the CEN DSRC link as used in EFC applications according to the following Standards and
Technical Specification
— EN 15509:2014,
— EN ISO 12813:2015,
— EN ISO 13141:2015,
— CEN/TS 16702-1:2014.
This Technical Report contains:
— a qualitative risk analysis in relation to the context (local tolling system, interoperable tolling
environment, EETS);
— an assessment of the current recommended or defined security algorithms and measures to
identify existing and possible future security leaks;
— an outline of potential security measures which might be added to those already defined for DSRC;
— an analysis of effects on existing EFC systems and interoperability clusters;
— a set of recommendations on how to revise the current standards, or proposal for new work items,
with already made implementations taken into account.
The security analysis in this Technical Report applies only to Security level 1, with Access Credentials
and Message authentication code, as defined in EN 15509:2014.
It is outside the scope of this Technical Report to examine Non DSRC (wired or wireless) interfaces to
the OBE and RSE.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
access credentials
trusted attestation or secure module that establishes the claimed identity of an object or application
[SOURCE: EN 15509:2014, 3.1]
2.2
accountability
property that ensures that the actions of an entity may be traced uniquely to that entity
[SOURCE: ISO 7498-2:1989, 3.3.3, modified]
6

---------------------- Page: 8 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
2.3
asset
anything that has value to a stakeholder
[SOURCE: CEN ISO/TS 19299:2015, 3.3]
2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use
of an asset
[SOURCE: CEN ISO/TS 19299:2015, 3.4]
2.5
attribute
addressable package of data consisting of a single data element or structured sequences of data
elements
[SOURCE: EN ISO 17575-1:2016, 3.2]
2.6
authentication
security mechanism allowing verification of the provided identity
[SOURCE: EN 301 175]
2.7
authenticator
data, possibly encrypted, that is used for authentication
[SOURCE: EN 15509:2014, 3.3]
2.8
confidentiality
prevention of information leakage to non-authenticated individuals, parties and/or processes
[SOURCE: CEN ISO/TS 19299:2015, 3.11]
2.9
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[SOURCE: CEN ISO/TS 19299:2015, 3.28]
2.10
hacker
person who attempts or succeeds to gain unauthorized access to protected resources
[SOURCE: CEN ISO/TS 19299:2015, 3.19]
7

---------------------- Page: 9 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
2.11
key management
generation, distribution, storage, application and revocation of encryption keys
[SOURCE: CEN ISO/TS 17574:2009, 3.13 modified]
2.12
message authentication code
MAC
string of bits which is the output of a MAC algorithm
[SOURCE: ISO/IEC 9797-1:2011, 3.9]
2.13
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities
[SOURCE: CEN ISO/TS 19299:2015, 3.27]
2.14
on-board equipment
OBE
all required equipment on-board a vehicle for performing required EFC functions and communication
services
2.15
on-board unit
OBU
single electronic unit on-board a vehicle for performing specific EFC functions and for communication
with external systems
Note 1 to entry: An OBU always includes, in this context, at least the support of the DSRC interface
2.16
reliability
ability of a device or a system to perform its intended function under given conditions of use for a
specified period of time or number of cycles
[SOURCE: CEN ISO/TS 14907-1:2015, 3.17]
2.17
roadside equipment
RSE
equipment located along the road, either fixed or mobile
[SOURCE: CEN ISO/TS 14907-1:2015, 3.17]
2.18
security target
set of security requirements and specifications to be used as the basis for evaluation of an identified
TOE
[SOURCE: CEN ISO/TS 17574:2009, 3.25]
8

---------------------- Page: 10 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
2.19
target of evaluation
TOE
set of software, firmware and/or hardware possibly accompanied by guidance
[SOURCE: ISO/IEC 15408-1:2009, 3.1.70]
2.20
threat
potential cause of an unwanted information security incident, which may result in harm
[SOURCE: CEN ISO/TS 19299:2015, 3.39]
2.21
threat agent
entity that has the intention to act adversely on an asset
[SOURCE: CEN ISO/TS 19299:2015, 3.40]
2.22
threat analysis
systematic detection, identification, and evaluation of threats
[SOURCE: CEN ISO/TS 19299:2015, 3.41]
2.23
toll charger
TC
entity which levies toll for the use of vehicles in a toll domain
[SOURCE: ISO 17573:2010, 3.16 modified]
2.24
toll service provider
TSP
entity providing toll services in one or more toll domains
[SOURCE: ISO 17573:2010, 3.23 modified]
2.25
transaction counter
data value in the on-board unit that is incremented by the roadside equipment at each transaction
[SOURCE: EN 15509:2014, 3.23]
2.26
vulnerability
weakness of an asset or control that can be exploited by an attacker
[SOURCE: CEN ISO/TS 19299:2015, 3.51]
3 Abbreviations
For the purposes of this document, the following symbols and abbreviations apply.
9

---------------------- Page: 11 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
AES Advanced Encryption Standard
CCC Compliance check communication (EN ISO 12813)
COTS Commercial Off-the-Shelf
DEA Data Encryption Algorithm
DES Data Encryption Standard
DSRC Dedicated Short-Range Communication (EN ISO 14906)
EETS European Electronic Toll Service
IAP Interoperable Application Profile
LAC Localisation augmentation communication (EN ISO 13141)
MAC Message authentication code
NIST National Institute of Standards and Technology
OBE On-board Equipment
OBU On-board Unit
RSE Roadside Equipment
SM-CC Secure Monitoring Compliance Check (CEN/TS 16702–1:2014)
TOE Target Of Evaluation
TVRA Threat, Vulnerability and Risk Analysis
VST Vehicle Service Table
4 Method
The method in this technical report is based on the method of ETSI/TS 102 165-1 which defines a 10
step method which in turn is based on ISO/IEC 15408 and is especially adapted to communication
interfaces. This approach is also used in ETSI/TR 102 893. The 10 steps are listed below:
1) Identification of the Target of Evaluation (TOE) resulting in a high-level description of the main
assets of the TOE and the TOE environment and a specification of the goal, purpose and scope of the
Threat, Vulnerability and Risk Analysis (TVRA). See 5.1.
2) Identification of the objectives resulting in a high-level statement of the security aims and issues to
be resolved. See 5.2.
3) Identification of the functional security requirements, derived from the objectives from step 2.
See 5.3.
4) Inventory of the assets as refinements of the high-level asset descriptions from step 1 and
additional assets as a result of steps 2 and 3. See 5.4.
5) Identification and classification of the vulnerabilities in the system, the threats that can exploit
them, and the unwanted incidents that may result. See Clause 6.
6) Quantifying the occurrence likelihood and impact of the threats. See 7.1.
7) Establishment of the risks. See 7.2.
10

---------------------- Page: 12 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
8) Identification of countermeasures framework (conceptual) resulting in a list of alternative security
services and capabilities needed to reduce the risk. See 8.2.
9) Countermeasure cost-benefit analysis (including security requirements cost-benefit analysis
depending on the scope and purpose of the TVRA) to identify the best fit security services and
capabilities amongst alternatives from step 8. See Clause 9.
10) Specification of detailed requirements for the security services and capabilities from step 9.
See Clause 10.
Steps 6-10 will be adapted to the generic case of DSRC communication addressed by this technical
report. Furthermore, the analysis under step 5 and step 8 specifically takes CEN ISO/TS 19299 into
account. The adapted methodology used in this report is illustrated in Figure 1.
11

---------------------- Page: 13 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)

Figure 1 — Adapted TVRA methodology used in this report
12

---------------------- Page: 14 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
5 Security Objectives and Functional Requirements
5.1 Target of evaluation
There are two potential Targets of Evaluation (TOE) for security analysis purposes:
— The OBU
— The RSE
Per definition, a TOE can only be attacked through its exposed interfaces and the presence of a threat
agent is necessary to launch an attack. The scope of this analysis is the communication link over 5.8 GHz
CEN DSRC, see Figure 2. Communication over the other interfaces identified in Figure 2 is out of scope
for this TR.

Figure 2 — TOE
NOTE Figure 2 is copied from Figure 1 in EN 15509.
The CEN DSRC link is the communication link between the RSE and OBU according to EN 15509:2014
(DSRC-EFC), EN ISO 12813:2015 (CCC), EN ISO 13141:2015 (LAC) and CEN/TS 16702-1:2014 (SM-CC).
For the sake of this Technical Report analysis it is assumed that a valid OBU is issued by and is in the
domain of the Toll Service Provider (TSP) and likewise that the road side equipment (RSE) is in the
domain of the Toll Charger (TC) managing a given toll domain. However, most of the analysis will hold
true even in the case of a different assignement of responsibilities.
13

---------------------- Page: 15 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
The analysis only applies to EN 15509 Security Level 1 with Access Credentials and Message
authentication code. Security level 0 is not considered.
5.2 Security objectives
5.2.1 Introduction
In accordance with NIST Special Publication 800-33 the security objectives considered are: availability,
integrity, confidentiality and accountability.
The fifth NIST security objective “assurance”, which is the basis for confidence that the security
measures, both technical and operational, work as intended, is not considered here, as this TR does not
cover implementation aspects.
NOTE Authentication, authorization and access control are security services that focus on preventing a
security breach and are used to fulfil the objectives.
5.2.2 Confidentiality
The following security objectives relative to the confidentiality of stored and transmitted information
are specified:
— Co1 Information relating to the identity of a Service User should not be revealed to any
unauthorized 3rd party
— Co2 Information held within the OBU and RSE should be protected from unauthorized access.
— Co3 Information sent from an OBU to an authorized RSE should not reveal the vehicle's travel
history to any party not authorized to receive the information.
— Co4 Data exchange guarantees data confidentiality
5.2.3 Availability
The following security objective relative to the availability of services is specified:
— Av1 Access to and the operation of DSRC-EFC/CCC/LAC/SM-CC services should not be prevented by
malicious activity performed on the TOE.
5.2.4 Accountability
The following security objective relative to the accountability of services is specified:
— Ac1 The data exchanged should provide authentication and non-repudiation for the respective
service.
5.2.5 Data integrity
The following security objectives relative to the integrity of data in the TOE:
— In1 Information stored within an OBU or RSE should be protected from unauthorized
modification and deletion.
— In2 Information sent to or from an OBU or RSE should be protected against unauthorized or
malicious modification or manipulation during transmission.
14

---------------------- Page: 16 ----------------------

SIST-TP CEN/TR 16968:2016
CEN/TR 16968:2016 (E)
5.3 Functional security requirements
5.3.1 Introduction
The following clauses present a number of functional security requirements that covers the security
objectives listed in 5.2.
As far as possible this has been done by selecting appropriate requirements from CEN
ISO/TS 19299:2015. Those have been given identifiers according to the template RQ.TC/TSP.XX with
the corresponding requirement description copied from CEN ISO/TS 19299:2015.
NOTE It was considered to only reference to the requirements in CEN ISO/TS 19299:2015, and not to repeat
these in this Technical Report. However, this approach was discarded as it would significantly have hampered the
readability of this Technical Report. As a consequence of the adopted approach, to reference the requirements
identifiers and to cite the associated requirements, is that this Technical Report contains “shall” statements in 5.3.
For those objectives not fully covered by CEN ISO/TS 19299:2015 functional security requirements
original to this technical report have been defined. They are given identifiers according to the template
DSRC-SEC.RQ.TC/TSP.XX.
5.3.2 Confidentiality
Table 1 — Toll charger confidentiality requirements
Obj. Objective Req. Id. Requirement
Id.
Co3 Information sent from an OBU RQ.TC.01 DSRC-EFC, CCC, LAC and SM-CC applications
to an authorized RSE should not shall either not request information about the
reveal the vehicle's travel vehicle's travel history or protect its
hist
...