As connected vehicle applications exchange information among vehicles, roadway infrastructure, traffic management centers, and wireless mobile devices, a security system is needed to ensure that users can trust in the validity of information received from other system users—indistinct users whom they have never met and do not know personally. To fulfil this need, the USDOT’s three Connected Vehicle Pilot Deployment sites – Wyoming Department of Transportation (WYDOT), New York City Department of Transportation (NYCDOT) and Tampa Hillsborough Expressway Authority (THEA) – will be using a commercial Security Credential Management System (SCMS). This commercial SCMS will provide enrollment and operating certificates to manage the security of the exchanges for both V2V and V2I in accordance with the IEEE 1609.2 standards.
For privacy reasons, the standards require that the vehicles’ security certificates change frequently to avoid the potential for a vehicle’s messages to be linked together and tracked over a long period of time. However, during development, the New York City Connected Vehicle Pilot Deployment (NYC CVPD) team identified an issue with the SAE J2945/1 Standard’s Certificate Change (CERTCHG) requirement criteria that was potentially putting the privacy of their participants at risk.
The CERTCHG requirement calls for certificates to be changed every five minutes but contains two exceptions: the first involves the “absolute distance” from the previous certificate change location, and the second involves the setting of Critical Event Flags. The absolute distance exception states that a certificate change does not occur should the System be “separated by less than 2 kilometers (~1.6 miles) in absolute distance from the location at which the last certificate change occurred.” This exception protects a vehicle’s certificates from disclosure to fixed DSRC devices should the vehicle be delayed in a small area for an extended time period due to an incident, congestion, or other cause.
This definition poses an issue for grid networks in large urban areas, such as NYC’s deployment area, which encompasses Midtown Manhattan. The map below illustrates the area within which a vehicle could travel following a certificate change at Times Square (marked by the red star). The line segments from Times Square are approximately one mile each and indicate the area that could be covered within the current 2 km absolute distance. Under the current absolute distance assumption, a vehicle traveling within this area would not trigger the certificate change mechanism.
While the CVPD sites are required to use existing ITS standards wherever viable, they also agreed to document their experiences with such standards to relay best practices and lessons learned for future deployers. Through its experience with the SAE J2945/1 Standard’s Certificate Change requirement criteria, the NYC CVPD team concluded that “absolute distance” is not the proper criterion for an exception, as it is possible for a vehicle to operate in a large area for an extended time period and not be required to change its certificate.
The NYC CVPD team documented this issue and their proposed solution of replacing the “absolute distance” with the System’s distance traveled during the time period for consideration by the SAE V2X Core Technical Committee. In doing so, the NYC CVPD team hopes to further refine the SAE J2945/1 standard to better accommodate urban networks in support of a nationwide deployment. The committee has included this item within their recently adopted work plan.
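The effect of the two exception criteria can be compared with a short simulation. This is an added example, not code from the NYC CVPD team or the SAE standard: it is a simplified model that omits the Critical Event Flags exception, and the function names, the approximate Times Square coordinates, the constructed loop track, and the reuse of the 2 km threshold for distance traveled are assumptions.

```python
import math

CHANGE_INTERVAL_S = 300   # five-minute change interval stated in the article
DISTANCE_LIMIT_M = 2000   # 2 km exception threshold stated in the article
EARTH_R_M = 6371000
TIMES_SQUARE = (40.7580, -73.9855)   # approximate coordinates (assumption)

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_M * math.asin(math.sqrt(h))

def count_cert_changes(track, criterion):
    """Count certificate changes over (t_seconds, lat, lon) samples.
    "absolute": exception tests straight-line distance from the last change
    location. "traveled": exception tests path length since the last change
    (keeping the 2 km threshold here is an assumption of this sketch).
    """
    last_t, last_pos = track[0][0], track[0][1:]
    prev, traveled, changes = last_pos, 0.0, 0
    for t, lat, lon in track[1:]:
        pos = (lat, lon)
        traveled += haversine_m(prev, pos)
        prev = pos
        if t - last_t < CHANGE_INTERVAL_S:
            continue                      # interval not yet elapsed
        dist = traveled if criterion == "traveled" else haversine_m(last_pos, pos)
        if dist >= DISTANCE_LIMIT_M:      # exception no longer applies
            changes += 1
            last_t, last_pos, traveled = t, pos, 0.0
    return changes

def loop_track(start, side_m=800, speed_mps=8, duration_s=3600, step_s=10):
    """Constructed sample: vehicle circling a square of city blocks."""
    lat0, lon0 = start
    track = []
    for t in range(0, duration_s + 1, step_s):
        leg, off = divmod((speed_mps * t) % (4 * side_m), side_m)
        x, y = [(0, off), (off, side_m), (side_m, side_m - off), (side_m - off, 0)][leg]
        lat = lat0 + math.degrees(y / EARTH_R_M)
        lon = lon0 + math.degrees(x / (EARTH_R_M * math.cos(math.radians(lat0))))
        track.append((t, lat, lon))
    return track

if __name__ == "__main__":
    track = loop_track(TIMES_SQUARE)
    print({c: count_cert_changes(track, c) for c in ("absolute", "traveled")})
```

On the constructed hour-long loop, which never gets more than about 1.1 km from its starting point, the absolute criterion produces 0 certificate changes while the traveled criterion produces 12.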