Scaling secure systems like vehicle-to-vehicle communication presents challenges around growing the number of devices, maintaining them securely over long periods of time, and managing privacy across international borders. The biggest constraint is ensuring the many human decisions needed are made correctly and at scale. Centralizing some decisions, like device certification requirements and revocation criteria, while decentralizing others, like authorization, can help reduce the number of human judgments needed. Proper data management is also crucial to balance security, privacy, and accountability. Attention to future threats from quantum computers and evolving standards will further support scalability over time.
2. About Security Innovation
• Authority in Software Security
– 15+ years research on vulnerabilities
– Security Testing methodology adopted by Adobe, Microsoft, Symantec, McAfee, and others
– Security partner for Dell, Microsoft, Cisco, HP, IBM, PCI SSC, FS-ISAC, NXP, and others
– Authors of 16 books, 4 co-authored with Microsoft
– 9 Patents
3. About me
• Standards
– Chair of IEEE P1363, vice-chair of IEEE P1609
• Large-scale design
– Member of design team for Secure Credential Management System for V2V deployment
• Deployment
– Working with New York City Pilot Deployment to develop Security Management
Operating Concept
• Cryptography
– Member of research team developing NTRU and related cryptographic technologies
• Major professional focus: How can we get a 300 million device system to work securely?
6. Outline
• Growing systems securely
• Securely
– Setting them up
– Maintaining them
– Data management and privacy
• Growing
– Across number of devices
– Around the world
– Through time
7. Our main setting: Vehicle-to-Anything (V2X)
Illustrations from https://www.itsconnect-pc.org/en/about_its_connect/service.html
8. Our main setting: Vehicle-to-Anything (V2X)
• Peer-to-peer applications
– Multiple different suppliers
• “Centralized” security management
– Not always contactable
– May be different across applications
– May be different across countries
• Long-lived devices
– Cost sensitive
– Limited central connectivity
– Limited P2P bandwidth
• Huge scale
– 300 million cars on the road in the US, mandate coming
11. People taking responsibility is the bottleneck
• Individual decisions made centrally by humans don’t scale
– Lumpy
– Hard to plan for
– Slow
• Edge decisions made by humans can scale so long as there aren’t too many of
them
• Scalable decisions made centrally by humans do scale
– Write this code, push this update, …
• Systems scale successfully when decisions made by humans can be scaled
• Scaling is a risk when those decisions are wrong
• How can we leverage central decisions to make sure my car gets good data from
your car?
12. Peer-to-peer
• How can my car be sure that your car’s data is good?
• Bad faith / poor execution
• Need 300m devices that are:
– Authenticated
– Certified
– Well-implemented
– And have 1000+ certificates per year
• … without needing 300 billion human decisions
13. V2V Security Credential Management System
• Standard PKI plus…
• Large-scale revocation
• Privacy protection
• Lots of devices
• How do we manage central decisions made by people?
– Enrolment v authorization certs
– Device certification
– Revocation and misbehavior investigation
14. Enrolment v authorization
• Enrolment certificate at the start of device’s lifetime
– Used only for SCMS communications
• Authorization certificate refreshes during device’s lifetime
– Used for peer communications
• Down to 17m decisions per year!
• Now the problem is to make sure the Enrolment CA makes the right decisions
19. Device certification
• Device is correctly implemented
– We have the requirements right
– It is properly tested
– It will stay secure
• If we can guarantee this then we only need
type certification
– But…
20. Device certification issues
• Testing against requirements is expensive
– $100,000 for Common Criteria conformance
– Bug fixes could require recertification
• Requirements change
– Attacks evolve
• Different labs have different standards
– … because different countries have different standards
• US/EU/Australia Harmonization Task Group 6 on Intelligent Transportation Systems Security
– US status of type certification for V2V devices is still open
• Ability to scale is a problem of governance, not a problem of technology
21. Disaster recovery in large systems
• Removing bad actors
– Privacy v security
• Repairing faults
22. Removing bad actors
• Cars can report suspicious messages
– “Ghost vehicles”
• Advantage: misbehavior can be detected
• Disadvantage: innocent users can be tracked
• How to enable misbehavior detection without widespread tracking?
– Careful data management processes
• Is this a universal problem?
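As an added illustration of slides 14 and 22 (constructed example code, not from the talk or from the SCMS design itself), a toy Python model of the two-tier credential flow: one human-vetted enrolment step per device, automatic issuance of batches of pseudonym authorization certificates, and a misbehavior authority that only links a pseudonym back to a device once a pre-agreed report threshold is met. Signatures are simulated with HMAC-SHA256 (a stand-in, not the ECDSA the real system uses), and the single linkage table, the class names and the threshold are assumptions made for the example.

```python
"""Toy SCMS-style flow: enrolment (human-vetted, once) -> authorization (automatic, many)
-> misbehavior reports resolved to a device only when a clear revocation criterion is met.
Signatures are simulated with HMAC (constructed stand-in for the real ECDSA)."""
import hashlib, hmac, os
from collections import defaultdict

def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class EnrolmentCA:
    """One enrolment cert per device; this is where type-certification decisions bite."""
    def __init__(self, certified_types):
        self.key, self.certified_types, self.revoked = os.urandom(32), certified_types, set()
    def enrol(self, device_id, device_type):
        if device_type not in self.certified_types:   # uncertified designs are refused
            return None
        return {"id": device_id, "type": device_type, "sig": sign(self.key, device_id.encode())}
    def valid(self, cert):
        return cert["id"] not in self.revoked and \
            hmac.compare_digest(cert["sig"], sign(self.key, cert["id"].encode()))

class AuthorizationCA:
    """Issues pseudonym certs against a valid enrolment cert with no human in the loop."""
    def __init__(self, eca):
        self.key, self.eca, self.linkage = os.urandom(32), eca, {}   # linkage held only here (assumption)
    def issue_batch(self, enrol_cert, n):
        if not self.eca.valid(enrol_cert):            # revoked or forged enrolment -> no new certs
            return []
        batch = []
        for _ in range(n):
            pseudo = hashlib.sha256(os.urandom(16)).hexdigest()[:16]  # unlinkable on the air
            self.linkage[pseudo] = enrol_cert["id"]
            batch.append({"pseudo": pseudo, "sig": sign(self.key, pseudo.encode())})
        return batch
    def peer_verify(self, auth_cert):
        """What another car checks: only the pseudonym cert, never the device identity."""
        return hmac.compare_digest(auth_cert["sig"], sign(self.key, auth_cert["pseudo"].encode()))

class MisbehaviorAuthority:
    """Counts reports per pseudonym; links to a device only once the threshold is reached."""
    def __init__(self, aca, threshold):
        self.aca, self.threshold, self.reports = aca, threshold, defaultdict(int)
    def report(self, pseudo):
        self.reports[pseudo] += 1
        if self.reports[pseudo] < self.threshold:     # below criterion: no identity lookup at all
            return None
        device = self.aca.linkage[pseudo]              # pre-agreed criterion met: automatic decision
        self.aca.eca.revoked.add(device)               # no further authorization batches for it
        return device
```

Certificates already on the air keep verifying in this toy until a CRL or expiry handles them, which is why the slides treat large-scale revocation as its own problem.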
23. Removing bad actors: and finally…
• Can a removal decision be legally challenged?
• If so, this becomes one of those human decisions we were trying to minimize
25. Future threats & mitigations
• Quantum computers
– Can break all current popular public-key cryptography
• Threat to application messages
– Research going on through, e.g., http://pqcrypto.eu.org/
• Threat to secure update
– Secure post-quantum signatures exist but…
– Currently no hardware support
26. Conclusions
• Minimizing human decisions
– Device certification
• International agreement on requirements
• International agreement on conformance testing culture
– Clear decision criteria for revocation
• Proper data management
– Preserve privacy for
• General users of the system
• Innocent users accidentally included in misbehavior reports
• Users suspected of violations?
• Secure update
– Crypto algorithm agility
– As little reliance as possible on hardware for application messages
– Hardware support for post-quantum secure update
When building a secure, large-scale, peer-to-peer, privacy preserving, international, long-lived, poorly connected system, pay attention to…