Research on Password Application System in Vehicle Networking

1 Introduction The application of vehicle networking-related technologies can significantly reduce road traffic accidents, improve traffic efficiency, and achieve energy conservation and emission reduction. In recent years, there has been an accelerated development trend globally. China’s C-V2X technology has rapidly developed over the past few years, with a preliminary standard system established, an initial industrial chain formed, and related enterprises possessing strong technical capabilities, making it suitable for large-scale deployment and industrialization. With the rapid advancement of intelligent and connected vehicle networking, as well as the exposure of security incidents such as attacks on the “Tesla” series, the security issues of vehicle networking face enormous challenges. Currently, most internet-connected vehicles are equipped with infotainment systems that directly connect to the internet. Attackers can use these infotainment systems as a springboard to interfere with the vehicle’s intelligent driving system, impacting the driver’s normal operation. At present, the development of vehicle networking is at a critical juncture, and security threats to users’ lives and property are a pressing concern, making the strengthening of vehicle networking security guarantees an urgent priority.Password technology can not only achieve encryption protection and integrity protection for information but also provide secure authentication of entity identities and information sources. It is the core technology and foundational support for ensuring the security of vehicle networking and the most effective, reliable, and economical means to address vehicle networking security issues. Our country attaches great importance to password applications, successively issuing laws and regulations such as the “Commercial Password Management Regulations,” “Management Measures for the Security Assessment of Commercial Password Applications (Trial),” and the “Cybersecurity Law of the People’s Republic of China.” On October 26, 2019, the 14th meeting of the Standing Committee of the 13th National People’s Congress voted to pass the “Cryptography Law of the People’s Republic of China” (referred to as the “Cryptography Law”), which officially came into effect on January 1, 2020. The purpose of the Cryptography Law is to regulate password applications and management, promote the development of the password industry, safeguard network and information security, and maintain national security and social public interests. The implementation of the Cryptography Law will strongly promote the integrated application of commercial passwords in various fields.2 Commercial Password AlgorithmsThe Cryptography Law clearly stipulates that commercial passwords refer to the password technologies, products, and services used to encrypt and protect information that does not belong to state secrets. Therefore, in any application scenario, the fundamental role of commercial passwords is encryption protection and security authentication, ensuring the confidentiality, integrity, authenticity, and non-repudiation of information. To promote the compliant use of commercial passwords, the national password management department has formulated a series of password algorithm standards that have gradually become ISO/IEC international standards, including symmetric password algorithms, public key password algorithms, and hash algorithms. Among them, SM2[1] and SM9[2] are public key password algorithms, where SM2 is primarily used for encryption and signing, and SM9 is an identity algorithm based on bilinear pairing, widely used in environments with identification, such as using device IDs as keys in the Internet of Things; SM3[3] is a hash algorithm mainly used for data integrity verification, identity authentication, random number generation, etc.; SM4[4] and ZUC are symmetric password algorithms, with SM4 being a dedicated block cipher algorithm for wireless local area networks and trusted computing systems, also part of China’s WAPI standard, and can be used for data encryption protection in other environments. The ZUC stream cipher algorithm is an international standard password algorithm in the 4G LTE mobile communication network, and currently, Chinese experts are actively promoting ZUC-256 to become the international standard password algorithm in the 5G LTE mobile communication network. Figure 1 illustrates the password algorithms and their functional characteristics.Research on Password Application System in Vehicle NetworkingFigure 1 Password Algorithms and Their Functional Characteristics3 Application of Commercial Passwords in Vehicle Networking3.1 Relevant Standards for Password Applications in Vehicle NetworkingAs a vast Internet of Things application system, vehicle networking encompasses a large number of access devices, data, processing processes, and transmission nodes, requiring a complete security standard system to ensure identity authentication and data security. V2X refers to vehicle wireless communication technologies, including V2V (vehicle-to-vehicle), V2I (vehicle-to-infrastructure), and V2P (vehicle-to-pedestrian), which help achieve information exchange between vehicles and the outside world. Currently, the main choices for V2X technology are the two major factions of DSRC and C-V2X. DSRC is a dedicated short-range communication technology developed based on the IEEE 802.11p standard, enabling communication between vehicles while achieving intelligent connections between vehicles and roads. C-V2X is a vehicle wireless communication technology formed based on the evolution of 3GPP cellular mobile communication, including LTE-V2X, 5G-V2X, and subsequent evolutions. C-V2X technology is based on cellular networks, providing Uu interfaces (cellular communication interfaces) and PC5 interfaces (direct communication interfaces)[5], allowing reuse of cellular network infrastructure, offering low latency, high reliability, high speed, and secure communication capabilities, with lower deployment costs and broader network coverage. Therefore, China tends to promote the use of C-V2X technology. Internationally, 3GPP has clarified the timetable for the formulation of C-V2X-related standards[6], and relevant Chinese units actively participate in standard formulation (see Table 1).Table 1 Domestic and International Vehicle Networking Security-Related StandardsResearch on Password Application System in Vehicle NetworkingRegarding password application-related standards, IEEE 1609.2, as a security mechanism standard in the IEEE 1609 standard system, defines the wireless communication scheme (Wireless Access in Vehicular Environment, WAVE) security services in vehicle networking, invoking the elliptic curve cryptography algorithms ECIES and ECDSA for asymmetric encryption and signature verification. This standard is currently the security layer standard for dedicated short-range communication technologies adopted in Europe and the United States. China’s Ministry of Industry and Information Technology, along with the National Standardization Administration, has jointly issued a series of documents such as the “National Guidelines for the Construction of Vehicle Networking Industry Standard System (General Requirements),” “National Guidelines for the Construction of Vehicle Networking Industry Standard System (Information Communication)” (referred to as “Information Communication”), and “National Guidelines for the Construction of Vehicle Networking Industry Standard System (Vehicle Intelligent Management)” (referred to as “Vehicle Intelligent Management”), accelerating the development of vehicle networking security standards. The “Information Communication” plan focuses on formulating security standards for vehicle networking communication technologies based on LTE, specifically targeting security identity authentication during vehicle-to-vehicle, vehicle-to-road, and vehicle-to-person communication processes based on LTE-V2X and 5G V2X. The “Vehicle Intelligent Management” plan aims to formulate 17 identity authentication and security-related standards, primarily supporting identity authentication between intelligent connected vehicles and road management systems and facilities, including identity and security of intelligent connected vehicles, identity and security of road traffic management facilities, identity authentication platforms, and electronic documents.To ensure secure authentication and communication between devices in V2X scenarios, the PKI mechanism based on public key certificates remains a recognized solution both domestically and internationally, implementing V2V/V2I/V2P direct communication security through techniques such as digital signatures. Due to bandwidth limitations of direct communication networks based on V2X vehicle networking, as well as the computational capabilities and storage space of onboard systems, traditional X.509 format digital certificates have become increasingly difficult to meet the security authentication and communication needs in C-V2X scenarios. The scale of certificate issuance in C-V2X scenarios is enormous, with high efficiency and performance requirements for terminal signing and verification, as well as issues regarding the time window for certificate revocation list (CRL) updates. Currently, some vehicle networking security working groups are designing digital certificates for the PKI system that comply with the latest national and industry standards and are suitable for C-V2X scenarios, capable of supporting the service demand for large-capacity and high-performance PKI certificates in vehicle-road collaboration scenarios.3.2 Typical Scenarios for Password Applications in Vehicle NetworkingVehicle networking technology aims to organically connect traffic participants such as “people-vehicles-roads-net-cloud.” Therefore, studying password applications in vehicle networking needs to be based on the three-level architecture of end-pipe-cloud[7], constructing a password application system in vehicle networking from three aspects: terminal security, network security, and cloud security.3.2.1 Terminal Security Password ApplicationTerminal devices include onboard cellular communication terminals (T-BOX), onboard V2X communication devices (OBU), roadside V2X communication devices (RSU), etc. Onboard terminals carry a large number of functions, including navigation, mobile office, vehicle control, assisted driving, entertainment, etc., thus having multiple access interfaces. Attackers can invade and control onboard terminals through physical access interfaces or wireless access interfaces, affecting the driver’s normal operation by controlling the CAN bus. Roadside devices include some traffic infrastructure, and attackers can illegally access and control roadside devices and tamper with sensitive data, causing traffic information chaos within the coverage area, such as interfering with traffic lights.The password requirements for terminal security mainly manifest in key storage, key usage, firmware upgrades, identity authentication, user privacy data encryption, and access control. In hardware design, security chips and other password modules can be embedded to manage keys and perform encryption and decryption operations, enabling onboard terminals and roadside devices to store and compute sensitive data in isolation. Secondly, user login requires identity identification and verification, and device access should undergo access control, performing corresponding operations based on different user permissions, which can be verified through digital signature algorithms and digital certificates. Moreover, for information exchange between onboard information systems, the legality of incoming data should be verified, and critical information should be transmitted using a two-way encryption method to ensure the security of interactive data transmission. The main protective paths are between the T-BOX and VSP, and between the VSP and APP. The onboard operating system should be configured with an audit log function, including user operations and system logs. Additionally, critical data collected by roadside devices should be encrypted, such as traffic flow information. Access to roadside signal control devices and traffic guidance devices also requires access control. Currently, the market has seen the emergence of automotive terminal products utilizing password technology, such as encryption chips compatible with vehicle networking, smart password keys, and encryption software. The Car Connectivity Consortium (CCC) has proposed a “digital key” that allows automakers to use trusted service managers to transmit digital keys to smart devices, enabling drivers to lock, unlock, start the engine, or share vehicle access using smart devices.3.2.2 Network Security Password ApplicationIn cellular communication interface scenarios, vehicle networking communication systems mainly face security risks such as signaling/data eavesdropping, signaling/data tampering or replay, impersonation of terminals, and fake base stations. Attackers can eavesdrop on unprotected network signaling/business data directly transmitted between vehicle networking terminals and networks, obtaining valuable user information such as short messages, vehicle identification, status, and location, leading to user privacy leakage. Attackers can also initiate man-in-the-middle attacks to tamper with unprotected network signaling/business data directly transmitted between vehicle networking terminals and networks or resend expired network signaling/business data. Impersonating the identity of legitimate terminals to access the operator’s cellular network is also a concern. In the direct communication interface scenario of vehicle networking LTE-V2X, illegal terminals can impersonate legitimate terminals to access the system and publish false information or tamper with and replay the business information sent by legitimate users. All these will affect the normal operation of vehicle networking network services and severely endanger the road traffic safety of surrounding vehicles and pedestrians.During cellular communication, the terminal and service network should encrypt network signaling, support integrity and anti-replay protection, and encrypt user data to ensure that information is not eavesdropped, forged, tampered with, or replayed during transmission. Mutual authentication between the terminal and service network is required to confirm the legitimacy of each other’s identities. In direct communication, the system needs to authenticate the source of messages to ensure their legitimacy. It should support message integrity and anti-replay protection to ensure that messages are not forged, tampered with, or replayed during transmission. Depending on the needs, confidentiality protection for messages should be supported to prevent eavesdropping, safeguarding sensitive user information. The system should also hide real identity identifiers and location information to prevent user privacy leakage.3.2.3 Cloud Security Password ApplicationCloud-based vehicle networking applications, grounded in cellular communication, inherit existing security risks from the “cloud-pipe-end” model, including impersonation of users, impersonation of business servers, unauthorized access, and data security risks. Without authentication, attackers can impersonate legitimate vehicle networking users to access business servers and obtain services. Illegal service providers can impersonate legitimate vehicle networking service providers to deploy fake business servers, tricking terminal users into logging in to obtain user information. In the absence of access control, illegal users can access system business data freely, invoking system business functions, exposing the system to risks of information leakage and functional abuse, with business data facing risks of tampering, leakage, and other security threats during transmission, storage, and processing.Cloud security password applications require support from password infrastructure, with cloud server password machines providing password services to users in cloud environments. Important data such as keys must be transmitted securely through the national secret SSL protocol, and critical sensitive data should undergo digital signature and integrity verification. Password technology should be applied to establish a user resource isolation mechanism, preventing unauthorized access to resources, ensuring the authenticity of business accessors and service providers, the legality of business content access, and conducting log audits for traceability. Additionally, a key management system should be established to manage key generation, distribution, computation, and destruction, ensuring the security of vehicle networking user keys.4 PKI Applications in Vehicle Networking LTE-V2X CommunicationThe vehicle networking LTE-V2X system uses a PKI mechanism based on public key certificates to ensure secure authentication and communication between devices, employing digital signatures and other technical means to achieve V2V/V2I/V2P direct communication security. Cryptographic algorithms are all based on the national password management bureau-approved national secret SM series algorithms, and the digital certificate format complies with the technical requirements of national or industry standards. Digital identity authentication technology applied to vehicle networking communication can achieve identity authentication for various roles, including onboard devices, roadside devices, application service providers, ensuring the authenticity of communication message sources, effectively preventing replay attacks, man-in-the-middle attacks, and identity impersonation, providing essential foundational security guarantees for safety alerts and efficiency improvements enabled by vehicle networking communication technology. The vehicle networking LTE-V2X certificate management institution CA issues certificates for users, responsible for issuing communication certificates (registration certificates, pseudonymous certificates, etc.) to vehicle networking devices (OBU/RSU/VSP), revoking certificates, and updating certificates (see Figure 2).Research on Password Application System in Vehicle NetworkingFigure 2 Application of Digital Certificates in Vehicle NetworkingThe main entities of V2X communication (OBU/RSU/VSP) generate their own signature public-private key pairs within their password modules, with the public key being part of the application materials for certificate requests to the CA management institution. V2X communication entities submit registration applications to the registration certificate authority (ECA) with initial trust credentials, and the registration certificate authority issues registration certificates (Enrollment Certificate, EC) to the communication entities as proof for obtaining pseudonymous certificates or application certificates. Onboard devices, roadside devices, and service providers can apply to the pseudonymous certificate authority (PCA) or application certificate authority (ACA) for pseudonymous certificates or application certificates used for signing human-vehicle-road-cloud communications. The application for pseudonymous certificates or application certificates is verified by the registration authority (RA), and certificates are issued by the pseudonymous certificate authority or application certificate authority. When sending data, the V2X communication entity (OBU/RSU/VSP) uses the digital certificate (pseudonymous certificate or application certificate) issued by the certificate management institution to digitally sign the business message it broadcasts, then packages the business message content, message signature value, and the digital certificate used for broadcasting; upon receiving data, the V2X communication entity (OBU/RSU/VSP) verifies the sender’s certificate, and upon successful verification, uses the public key in the sender’s certificate to verify the message, decrypts the message signature value with the sender’s public key, and hashes the business message to verify the message signature, thus completing identity authentication and checking the message’s integrity. To ensure privacy protection during vehicle networking communication, the LTE-V2X communication security process adopts pseudonymous certificate replacement and de-identification privacy protection mechanisms. Due to the high frequency of message sending in vehicle networking, there are high real-time requirements for information exchange, making the X.509 certificate system challenging to meet the demands of high-frequency communication in vehicle networking. Currently, the automotive, communication, and cryptography industries are collaboratively developing technical requirements for a security certificate management system based on LTE for vehicle networking communication, proposing a lightweight digital certificate format suitable for vehicle networking LTE-V2X communication, along with a reference architecture for a security certificate management system that includes registration certificate authorities, pseudonymous certificate authorities, and application certificate authorities.5 Development Suggestions for Vehicle Networking Password Applications5.1 Attach Great Importance to Vehicle Networking Password Applications and Promote Deep Integration of Vehicle Networking and PasswordsAs an important field of deep integration between information technology and industrialization, vehicle networking plays a significant role in promoting the integration and upgrading of the automotive, transportation, and information communication industries, ensuring urban traffic safety and citizens’ travel efficiency, with a very broad future development prospect. Passwords are an essential foundational technology for systematically ensuring the security of vehicle networking. In the face of new system components and new communication scenarios in vehicle networking businesses, the vehicle networking system should fully leverage the core security roles of commercial passwords in various aspects, including network communication, business applications, onboard terminals, and roadside devices, ensuring the confidentiality, integrity, authenticity, and non-repudiation of information, and guaranteeing the communication security of vehicle networking business data and the security of users’ privacy information. We should vigorously promote the deep integration and innovation of vehicle networking and passwords, building a new order of ubiquitous intelligence and connectivity based on passwords.5.2 Multi-Department Collaboration to Improve the Vehicle Networking PKI SystemTo effectively support the application layer security authentication and communication mechanisms based on the PKI public key system, vehicle networking needs to establish a complete commercial password certificate management system (CA system). The deployment and management of the CA system are closely related to the management mode of vehicle networking businesses, which involve multiple departments, including the Ministry of Industry and Information Technology, the Ministry of Transport, and the Ministry of Public Security. The deployment and management of the CA system require coordination from the National Password Management Bureau. Departments should strengthen top-level design based on the current development status of the vehicle networking CA system, reach a consensus on division of labor and collaboration mechanisms, and promote the development of the entire industrial chain from vehicle networking CA standards, CA products, to CA application deployment, establishing a deployment plan for a commercial password PKI system suitable for vehicle networking.5.3 Promote Testing and Verification, and Conduct Security Assessment of Commercial Password ApplicationsDuring the application of commercial passwords in vehicle networking, a testing and verification platform should be established, advancing phased testing and optimization of technical solutions to provide testing basis for the implementation of security technical solutions. With the implementation of the “Cryptography Law,” security assessments of commercial password applications (referred to as “password assessments”) have risen to a legal level. Key information infrastructure and systems above level three of graded protection must undergo password assessments annually. The vehicle networking system is an important component of key information infrastructure, and password assessment work should be introduced from the design phase of the vehicle networking system, with assessment results serving as an important basis for feasibility analysis. The system construction and operation phases should also undergo password assessments to ensure compliance, correctness, and effectiveness of commercial password applications, safeguarding the foundational security of the vehicle networking system.5.4 Multi-Party Collaboration to Build a Vehicle Networking Commercial Password Application EcosystemAll parties involved in vehicle networking commercial password applications should actively participate in formulating standards for commercial password applications in vehicle networking, continuously improving the security standard system for vehicle networking and the gradual implementation of related standards, providing comprehensive standard guidance for the safe development of vehicle networking. The primary goal of vehicle networking commercial password applications should be to meet the needs of automotive production and application. Automotive manufacturing enterprises should closely collaborate with password technology vendors to align with demands, jointly developing efficient and convenient password technology solutions. The password industry should actively explore and promote the enhancement of vehicle networking commercial password technology capabilities and product innovation, improving the security level of vehicle networking. Chip manufacturers should increase R&D investment to develop password modules that meet vehicle networking scenarios. All parties in the vehicle networking commercial password application ecosystem should collaborate to build a healthy and sustainable vehicle networking commercial password application ecosystem.6 ConclusionThe application of passwords in vehicle networking has entered a critical development period. With national policy support and the continuous improvement of related standards, major domestic automotive manufacturers are actively preparing to establish and use password protection systems to ensure the operational safety of intelligent connected vehicles. Moving forward, research on privacy protection in vehicle networking should be prioritized, a lightweight certificate system suitable for vehicle networking environments should be improved, and the development and application of vehicle networking password application products should be strengthened to promote the coordinated development of vehicle networking password applications upstream and downstream.

References

[1] National Quality Supervision, Inspection and Quarantine Administration, National Standardization Administration of China. GB/T 32918-2016 Information Security Technology SM2 Elliptic Curve Public Key Cryptography Algorithm [S]. Beijing: China Standards Press, 2016.

[2] National Quality Supervision, Inspection and Quarantine Administration, National Standardization Administration of China. GB/T 38635-2020 Information Security Technology SM9 Identity Cryptography Algorithm [S]. Beijing: China Standards Press, 2020.

[3] National Quality Supervision, Inspection and Quarantine Administration, National Standardization Administration of China. GB/T 32905-2016 Information Security Technology SM3 Cryptographic Hash Algorithm [S]. Beijing: China Standards Press, 2016.

[4] National Quality Supervision, Inspection and Quarantine Administration, National Standardization Administration of China. GB/T 32907-2016 Information Security Technology SM4 Block Cipher Algorithm [S]. Beijing: China Standards Press, 2016.

[5] Communication Industry Standard of the People’s Republic of China. YD/T 3594-2019 Security Technical Requirements for Vehicle Networking Communication Based on LTE [S]. Beijing: People’s Posts and Telecommunications Press, 2019.

[6] Chen Shanzhi, Hu Jinling, Shi Yan, et al. LTE-V2X Vehicle Networking Technology, Standards, and Applications [J]. Telecommunications Science, 2018, 34(4): 1-11.

[7] Feng Kai, Li Wei, Gong Jiezhong. Analysis of the Current Status of Cryptographic Algorithm Applications in Vehicle Networking [J]. China Information Security, 2019(9): 97-99.

Author Information

Research on Password Application System in Vehicle Networking

Xu Xiu

Engineer in the Financial Technology Department of the Cloud Computing and Big Data Research Institute, China Academy of Information and Communications Technology, PhD in Cryptography, mainly engaged in research on public key cryptography algorithms and the application of commercial passwords in important fields.

Research on Password Application System in Vehicle Networking

Tang Minghuan

Engineer in the Financial Technology Department of the Cloud Computing and Big Data Research Institute, China Academy of Information and Communications Technology, with research areas including commercial password applications, financial technology technologies and applications, and financial network security.

Research on Password Application System in Vehicle Networking

Ma Cong

Engineer in the Financial Technology Department of the Cloud Computing and Big Data Research Institute, China Academy of Information and Communications Technology, mainly engaged in research on commercial password-related policies, industries, and technical standards.

Research on Password Application System in Vehicle Networking

Yu Rundong

Engineer in the Technology and Standards Research Institute, China Academy of Information and Communications Technology, mainly engaged in research on V2X communication protocols, application functions, and security-related technical standards and testing validation in the field of vehicle networking.

Paper Citation Format:

XU Xiu, TANG Minghuan, MA Cong, et al. Research on Password Application System in Vehicle Networking [J]. Information Communication Technology and Policy, 2020(8): 46-51.

This article was published in “Information Communication Technology and Policy” 2020, Issue 8.

Research on Password Application System in Vehicle Networking

Organized by: China Academy of Information and Communications Technology

“Information Communication Technology and Policy” is a professional academic journal supervised by the Ministry of Industry and Information Technology and organized by the China Academy of Information and Communications Technology. The journal is positioned as a barometer of cutting-edge information communication technology and a think tank for exploring information society policies, focusing on technological trends in the information communication field, public policy, national/industry/enterprise strategy, publishing cutting-edge research results, analysis of focal issues, interpretation of hot policies, and promoting innovation and development of technologies and industries such as 5G, industrial internet, digital economy, artificial intelligence, blockchain, big data, and cloud computing, guiding national technology strategy choices and industrial policy formulation, and building a high-end academic exchange platform for production, learning, research, and application.

Proofread by | Chen Li, Shan Shan

Edited by | Ling Xiao

Leave a Comment