ISO 21177:2023
Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices
This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities, i.e.:
— between devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) as specified in ISO 21217; and
— between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks.
These services include the authentication and secure session establishment which are required to exchange information in a trusted and secure manner. These services are essential for many intelligent transport system (ITS) applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2), and roadside/infrastructure-related services.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 21177
First edition, 2023-04
© ISO 2023
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 General description, relationship to transport layer security (TLS) and relationship to application specifications
5.2 Goals
5.3 Architecture and functional entities
5.4 Cryptomaterial handles
5.5 Session IDs and state
5.6 Access control and authorization state
5.7 Application level non-repudiation
5.8 Service primitive conventions
6 Process flows and sequence diagrams
6.1 General
6.2 Overview of process flows
6.3 Sequence diagram conventions
6.4 Configure
6.5 Start session
6.6 Send data
6.7 Send access control PDU
6.8 Receive PDU
6.9 Extend session
6.9.1 Goals
6.9.2 Processing
6.10 Secure connection brokering
6.10.1 Goals
6.10.2 Prerequisites
6.10.3 Overview
6.10.4 Detailed specification
6.11 Force end session
6.12 Session terminated at session layer
6.13 Deactivate
6.14 Secure session example
7 Security subsystem: interfaces and data types
7.1 General
7.2 Access control policy and state
7.3 Enhanced authentication
7.3.1 Definition and possible states
7.3.2 States for owner role enhanced authentication
7.3.3 State for accessor role enhanced authentication
7.3.4 Use by access control
7.3.5 Methods for providing enhanced authentication
7.3.6 Enhanced authentication using SPAKE2
7.4 Extended authentication
7.5 Security Management Information Request
7.5.1 Rationale
7.5.2 General
7.6 Data types
7.6.1 General
7.6.2 Imports
7.6.3 “Helper” data types
7.6.4 Iso21177AccessControlPdu
7.6.5 AccessControlResult
7.6.6 ExtendedAuthPdu
7.6.7 ExtendedAuthRequest
7.6.8 InnerExtendedAuthRequest
7.6.9 AtomicExtendedAuthRequest
7.6.10 ExtendedAuthResponse
7.6.11 ExtendedAuthResponsePayload
7.6.12 EnhancedAuthPdu
7.6.13 SpakeRequest
7.6.14 SpakeResponse
7.6.15 SpakeRequesterResponse
7.6.16 SecurityMgmtInfoPdu
7.6.17 SecurityMgmtInfoRequest
7.6.18 EtsiCrlRequest
7.6.19 CertChainRequest
7.6.20 SecurityMgmtInfoResponse
7.6.21 SecurityMgmtInfoErrorResponse
7.6.22 EtsiCrlResponse
...