Proposal for an achievable, cost effective Security Concept for EOBRs C. Hardinge / A. Lindinger.

Slides:

Advertisements

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

Advertisements

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

Digital Signatures and Hash Functions. Digital Signatures.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Online Security Tuesday April 8, 2003 Maxence Crossley.

Agenda Scope of Requirement Security Requirements

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Public Key Infrastructure Ammar Hasayen ….

CSCI 6962: Server-side Design and Programming

Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Chapter 10: Authentication Guide to Computer Network Security.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

Cryptography, Authentication and Digital Signatures

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

 A Web service is a method of communication between two electronic devices over World Wide Web.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Digital Signatures, Message Digest and Authentication Week-9.

DIGITAL SIGNATURE.

Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Digital Signatures and Digital Certificates Monil Adhikari.

Network Security Celia Li Computer Science and Engineering York University.

SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

IMAGE AUTHENTICATION TECHNIQUES Based on Automatic video surveillance (AVS) systems Guided by: K ASTURI MISHRA PRESENTED BY: MUKESH KUMAR THAKUR REG NO:

TAG Presentation 18th May 2004 Paul Butler

Key management issues in PGP

TAG Presentation 18th May 2004 Paul Butler

Chapter 5: The Art of Ensuring Integrity

Instructor Materials Chapter 5: The Art of Ensuring Integrity

Instructor Materials Chapter 5: The Art of Ensuring Integrity

Instructor Materials Chapter 5: Ensuring Integrity

Presentation transcript:

Proposal for an achievable, cost effective Security Concept for EOBRs C. Hardinge / A. Lindinger

Problem domain Solution General PKI Digital Signature Data Storage Certification Roadside Enforcement Summary Content Charles Hardinge & Andreas Lindinger © Continental AG

RODS Data is stored at different system nodes with no inherent protection Data can be modified without leaving any trace Enforcement cannot rely on the data Basic security goals not achieved: data integrity authenticity non-repudiation Problem Domain Charles Hardinge & Andreas Lindinger © Continental AG EOBR Host System servers Enforcement servers Secure communication Possible point of manipulation Enforcement device Secure communication

Focus on the protection of the data, not the communication path Protecting the complete communication path is costly and does not solve the problem of maintenance of data integrity Protecting the data allows cost effective transmission and storage of the data Any modification of the data, intentional or accidental can be easily detected Roadside enforcement can rely on the data authenticity, non- repudiation and integrity The data is protected using digital signatures provided by a Public Key Infrastructure (PKI) implementation State of the art. Encouraged by NIST for federal agencies (800-25) Solution – General Charles Hardinge & Andreas Lindinger © Continental AG

Solution – Public Key infrastructure Charles Hardinge & Andreas Lindinger © Continental AG

Solution – Public Key infrastructure Charles Hardinge & Andreas Lindinger © Continental AG Bob‘s Private Key BOB_SK Bob‘s Public Key BOB_PK Registration Authority Is Bob Bob ? Is Bob trustworthy? Certification Authority CA‘s Private Key CA_SK Please trust me OK to create certificate Bob’s Public Key Certificate data Signature CA_SK Generate certificate and sign with CA_SK

Solution – Digital Signature with asymmetrical cryptography Charles Hardinge & Andreas Lindinger © Continental AG Hash Function Message Signature EOBR Private Key Encryption Digest Message Decryption ExpectedDigestActualDigest Hash Function Signer - EOBR Receiver - Enforcement Channel DigestAlgorithm DigestAlgorithm EOBR certificate Validated EOBR Public Key EOBR certificate

Data storage based on RODS flat file format. New elements needed. Solution – Data Storage Charles Hardinge & Andreas Lindinger © Continental AG Data ElementData Element DefinitionTypeLengthSign EOBR ID Unique ID of the EOBR – same ID as in the certificate. N10 - TBDYes Session BeginDate and time of session beginN15Yes Session EndDate and time of session endN15Yes Digital Signature ASCII representation of Digital Signature of all relevant data elements since the last Digital Signature was recorded A40-500No Certificate ASCII representation of an EOBR public key certificate A No Record SignedIndicates whether the record has been signed or not (optional depending on data storage concept – see ) A1

Digital signatures calculated only using relevant original data Maximum flexibility provided, to maintain existing storage concepts Example of a simplified RODS file structure showing a Session with digital signature: Could interleave annotations but would need a „sign“ element. Solution – Data Storage Charles Hardinge & Andreas Lindinger © Continental AG

At least the following rules must be applied (non exhaustive list): whenever a new Session is started, a Session Begin is recorded whenever a Session is finished a Session End is recorded each Session must include an EOBR ID record the Digital Signature is calculated for all records between, and including, the Session begin and end records the Digital Signature is stored in the RODS file directly after the Session End the EOBR Certificate is stored in the RODS file directly after the Digital Signature the element Event Update Status Code must be excluded from the signature calculation (Sign = N) the EOBR must ensure that only, and all original records are signed, not annotations, regardless of the source of the annotation annotated records must not replace original records. Solution – Data Storage Rules Charles Hardinge & Andreas Lindinger © Continental AG

Independent EOBR certification is needed to ensure that the critical security and functional elements of the system are handled correctly and consistently by all manufacturers: EOBR generation, storage and processing of HOS/RODS records key generation and installation key storage Interoperability of EOBRs and enforcement devices The detailed EOBR security requirements must be defined in order to be able to perform a certification Possible certification standard: Common Criteria An EOBR and its manufacturer must have achieved security certification before they are permitted to install any “hot” keys. Solution – Certification Charles Hardinge & Andreas Lindinger © Continental AG

Roadside enforcement is the central issue of the EOBR. Without efficient enforcement, the EOBR is superfluous. With digitally signed data, roadside enforcement can rely on: the integrity of the data the authenticity of the data non-repudiation not being feasible An analysis of HOS using signed data and all data could be compared to determine the effect of the annotations Solution – Roadside Enforcement Charles Hardinge & Andreas Lindinger © Continental AG

Full Telematic solution Solution – Roadside Enforcement scenarios Charles Hardinge & Andreas Lindinger © Continental AG EOBR Host System servers Enforcement servers Secure comms Enforcement Device Secure comms EOBR Host System servers Enforcement Device Secure P2P comms EOBR Enforcement Device Secure P2P communication P2P / Telematic mixed solution Full Peer to Peer solution

It is recommended that the enforcement community be equipped with standard, dedicated mobile enforcement devices Such a device could support: USB interface Short range wireless interface Long-range wireless interface (if needed) Secure record storage until return to back-office Software upgrade in back-office Accepted interface to enforcement system This would be a robust, standardized and long term cost effective solution. Solution – Roadside Enforcement Equipment Charles Hardinge & Andreas Lindinger © Continental AG

Implementing the proposed PKI based security concept for data protection provides the following advantages: Deliberate or accidental modification of data is detectable Trustable data for enforcement – no more „comic books“ Simple, flexible, cost effective solution Reduced opportunities for driver harassment Supports following FMCSA requirements: Data at rest must be protected Data in Transit must be protected The EOBR shall protect EOBR data collected, stored, disseminated, or transmitted from inadvertent alteration, spoofing, tampering, and other deliberate corruption Summary Charles Hardinge & Andreas Lindinger © Continental AG

Any questions ? Charles Hardinge Andreas Lindinger Questions Charles Hardinge & Andreas Lindinger © Continental AG